CoCalc -- aria-aesni-avx2-asm

GitHub Repository: torvalds/linux
Path: blob/master/arch/x86/crypto/aria-aesni-avx2-asm_64.S
²⁶⁴⁵¹ views
1
/* SPDX-License-Identifier: GPL-2.0-or-later */
2
/*
3
 * ARIA Cipher 32-way parallel algorithm (AVX2)
4
 *
5
 * Copyright (c) 2022 Taehee Yoo <[email protected]>
6
 *
7
 */
8

9
#include <linux/linkage.h>
10
#include <asm/frame.h>
11
#include <asm/asm-offsets.h>
12
#include <linux/cfi_types.h>
13

14
/* register macros */
15
#define CTX %rdi
16

17
#define ymm0_x xmm0
18
#define ymm1_x xmm1
19
#define ymm2_x xmm2
20
#define ymm3_x xmm3
21
#define ymm4_x xmm4
22
#define ymm5_x xmm5
23
#define ymm6_x xmm6
24
#define ymm7_x xmm7
25
#define ymm8_x xmm8
26
#define ymm9_x xmm9
27
#define ymm10_x xmm10
28
#define ymm11_x xmm11
29
#define ymm12_x xmm12
30
#define ymm13_x xmm13
31
#define ymm14_x xmm14
32
#define ymm15_x xmm15
33

34
#define BV8(a0, a1, a2, a3, a4, a5, a6, a7)		\
35
	( (((a0) & 1) << 0) |				\
36
	  (((a1) & 1) << 1) |				\
37
	  (((a2) & 1) << 2) |				\
38
	  (((a3) & 1) << 3) |				\
39
	  (((a4) & 1) << 4) |				\
40
	  (((a5) & 1) << 5) |				\
41
	  (((a6) & 1) << 6) |				\
42
	  (((a7) & 1) << 7) )
43

44
#define BM8X8(l0, l1, l2, l3, l4, l5, l6, l7)		\
45
	( ((l7) << (0 * 8)) |				\
46
	  ((l6) << (1 * 8)) |				\
47
	  ((l5) << (2 * 8)) |				\
48
	  ((l4) << (3 * 8)) |				\
49
	  ((l3) << (4 * 8)) |				\
50
	  ((l2) << (5 * 8)) |				\
51
	  ((l1) << (6 * 8)) |				\
52
	  ((l0) << (7 * 8)) )
53

54
#define inc_le128(x, minus_one, tmp)			\
55
	vpcmpeqq minus_one, x, tmp;			\
56
	vpsubq minus_one, x, x;				\
57
	vpslldq $8, tmp, tmp;				\
58
	vpsubq tmp, x, x;
59

60
#define filter_8bit(x, lo_t, hi_t, mask4bit, tmp0)	\
61
	vpand x, mask4bit, tmp0;			\
62
	vpandn x, mask4bit, x;				\
63
	vpsrld $4, x, x;				\
64
							\
65
	vpshufb tmp0, lo_t, tmp0;			\
66
	vpshufb x, hi_t, x;				\
67
	vpxor tmp0, x, x;
68

69
#define transpose_4x4(x0, x1, x2, x3, t1, t2)		\
70
	vpunpckhdq x1, x0, t2;				\
71
	vpunpckldq x1, x0, x0;				\
72
							\
73
	vpunpckldq x3, x2, t1;				\
74
	vpunpckhdq x3, x2, x2;				\
75
							\
76
	vpunpckhqdq t1, x0, x1;				\
77
	vpunpcklqdq t1, x0, x0;				\
78
							\
79
	vpunpckhqdq x2, t2, x3;				\
80
	vpunpcklqdq x2, t2, x2;
81

82
#define byteslice_16x16b(a0, b0, c0, d0,		\
83
			 a1, b1, c1, d1,		\
84
			 a2, b2, c2, d2,		\
85
			 a3, b3, c3, d3,		\
86
			 st0, st1)			\
87
	vmovdqu d2, st0;				\
88
	vmovdqu d3, st1;				\
89
	transpose_4x4(a0, a1, a2, a3, d2, d3);		\
90
	transpose_4x4(b0, b1, b2, b3, d2, d3);		\
91
	vmovdqu st0, d2;				\
92
	vmovdqu st1, d3;				\
93
							\
94
	vmovdqu a0, st0;				\
95
	vmovdqu a1, st1;				\
96
	transpose_4x4(c0, c1, c2, c3, a0, a1);		\
97
	transpose_4x4(d0, d1, d2, d3, a0, a1);		\
98
							\
99
	vbroadcasti128 .Lshufb_16x16b(%rip), a0;	\
100
	vmovdqu st1, a1;				\
101
	vpshufb a0, a2, a2;				\
102
	vpshufb a0, a3, a3;				\
103
	vpshufb a0, b0, b0;				\
104
	vpshufb a0, b1, b1;				\
105
	vpshufb a0, b2, b2;				\
106
	vpshufb a0, b3, b3;				\
107
	vpshufb a0, a1, a1;				\
108
	vpshufb a0, c0, c0;				\
109
	vpshufb a0, c1, c1;				\
110
	vpshufb a0, c2, c2;				\
111
	vpshufb a0, c3, c3;				\
112
	vpshufb a0, d0, d0;				\
113
	vpshufb a0, d1, d1;				\
114
	vpshufb a0, d2, d2;				\
115
	vpshufb a0, d3, d3;				\
116
	vmovdqu d3, st1;				\
117
	vmovdqu st0, d3;				\
118
	vpshufb a0, d3, a0;				\
119
	vmovdqu d2, st0;				\
120
							\
121
	transpose_4x4(a0, b0, c0, d0, d2, d3);		\
122
	transpose_4x4(a1, b1, c1, d1, d2, d3);		\
123
	vmovdqu st0, d2;				\
124
	vmovdqu st1, d3;				\
125
							\
126
	vmovdqu b0, st0;				\
127
	vmovdqu b1, st1;				\
128
	transpose_4x4(a2, b2, c2, d2, b0, b1);		\
129
	transpose_4x4(a3, b3, c3, d3, b0, b1);		\
130
	vmovdqu st0, b0;				\
131
	vmovdqu st1, b1;				\
132
	/* does not adjust output bytes inside vectors */
133

134
#define debyteslice_16x16b(a0, b0, c0, d0,		\
135
			   a1, b1, c1, d1,		\
136
			   a2, b2, c2, d2,		\
137
			   a3, b3, c3, d3,		\
138
			   st0, st1)			\
139
	vmovdqu d2, st0;				\
140
	vmovdqu d3, st1;				\
141
	transpose_4x4(a0, a1, a2, a3, d2, d3);		\
142
	transpose_4x4(b0, b1, b2, b3, d2, d3);		\
143
	vmovdqu st0, d2;				\
144
	vmovdqu st1, d3;				\
145
							\
146
	vmovdqu a0, st0;				\
147
	vmovdqu a1, st1;				\
148
	transpose_4x4(c0, c1, c2, c3, a0, a1);		\
149
	transpose_4x4(d0, d1, d2, d3, a0, a1);		\
150
							\
151
	vbroadcasti128 .Lshufb_16x16b(%rip), a0;	\
152
	vmovdqu st1, a1;				\
153
	vpshufb a0, a2, a2;				\
154
	vpshufb a0, a3, a3;				\
155
	vpshufb a0, b0, b0;				\
156
	vpshufb a0, b1, b1;				\
157
	vpshufb a0, b2, b2;				\
158
	vpshufb a0, b3, b3;				\
159
	vpshufb a0, a1, a1;				\
160
	vpshufb a0, c0, c0;				\
161
	vpshufb a0, c1, c1;				\
162
	vpshufb a0, c2, c2;				\
163
	vpshufb a0, c3, c3;				\
164
	vpshufb a0, d0, d0;				\
165
	vpshufb a0, d1, d1;				\
166
	vpshufb a0, d2, d2;				\
167
	vpshufb a0, d3, d3;				\
168
	vmovdqu d3, st1;				\
169
	vmovdqu st0, d3;				\
170
	vpshufb a0, d3, a0;				\
171
	vmovdqu d2, st0;				\
172
							\
173
	transpose_4x4(c0, d0, a0, b0, d2, d3);		\
174
	transpose_4x4(c1, d1, a1, b1, d2, d3);		\
175
	vmovdqu st0, d2;				\
176
	vmovdqu st1, d3;				\
177
							\
178
	vmovdqu b0, st0;				\
179
	vmovdqu b1, st1;				\
180
	transpose_4x4(c2, d2, a2, b2, b0, b1);		\
181
	transpose_4x4(c3, d3, a3, b3, b0, b1);		\
182
	vmovdqu st0, b0;				\
183
	vmovdqu st1, b1;				\
184
	/* does not adjust output bytes inside vectors */
185

186
/* load blocks to registers and apply pre-whitening */
187
#define inpack16_pre(x0, x1, x2, x3,			\
188
		     x4, x5, x6, x7,			\
189
		     y0, y1, y2, y3,			\
190
		     y4, y5, y6, y7,			\
191
		     rio)				\
192
	vmovdqu (0 * 32)(rio), x0;			\
193
	vmovdqu (1 * 32)(rio), x1;			\
194
	vmovdqu (2 * 32)(rio), x2;			\
195
	vmovdqu (3 * 32)(rio), x3;			\
196
	vmovdqu (4 * 32)(rio), x4;			\
197
	vmovdqu (5 * 32)(rio), x5;			\
198
	vmovdqu (6 * 32)(rio), x6;			\
199
	vmovdqu (7 * 32)(rio), x7;			\
200
	vmovdqu (8 * 32)(rio), y0;			\
201
	vmovdqu (9 * 32)(rio), y1;			\
202
	vmovdqu (10 * 32)(rio), y2;			\
203
	vmovdqu (11 * 32)(rio), y3;			\
204
	vmovdqu (12 * 32)(rio), y4;			\
205
	vmovdqu (13 * 32)(rio), y5;			\
206
	vmovdqu (14 * 32)(rio), y6;			\
207
	vmovdqu (15 * 32)(rio), y7;
208

209
/* byteslice pre-whitened blocks and store to temporary memory */
210
#define inpack16_post(x0, x1, x2, x3,			\
211
		      x4, x5, x6, x7,			\
212
		      y0, y1, y2, y3,			\
213
		      y4, y5, y6, y7,			\
214
		      mem_ab, mem_cd)			\
215
	byteslice_16x16b(x0, x1, x2, x3,		\
216
			 x4, x5, x6, x7,		\
217
			 y0, y1, y2, y3,		\
218
			 y4, y5, y6, y7,		\
219
			 (mem_ab), (mem_cd));		\
220
							\
221
	vmovdqu x0, 0 * 32(mem_ab);			\
222
	vmovdqu x1, 1 * 32(mem_ab);			\
223
	vmovdqu x2, 2 * 32(mem_ab);			\
224
	vmovdqu x3, 3 * 32(mem_ab);			\
225
	vmovdqu x4, 4 * 32(mem_ab);			\
226
	vmovdqu x5, 5 * 32(mem_ab);			\
227
	vmovdqu x6, 6 * 32(mem_ab);			\
228
	vmovdqu x7, 7 * 32(mem_ab);			\
229
	vmovdqu y0, 0 * 32(mem_cd);			\
230
	vmovdqu y1, 1 * 32(mem_cd);			\
231
	vmovdqu y2, 2 * 32(mem_cd);			\
232
	vmovdqu y3, 3 * 32(mem_cd);			\
233
	vmovdqu y4, 4 * 32(mem_cd);			\
234
	vmovdqu y5, 5 * 32(mem_cd);			\
235
	vmovdqu y6, 6 * 32(mem_cd);			\
236
	vmovdqu y7, 7 * 32(mem_cd);
237

238
#define write_output(x0, x1, x2, x3,			\
239
		     x4, x5, x6, x7,			\
240
		     y0, y1, y2, y3,			\
241
		     y4, y5, y6, y7,			\
242
		     mem)				\
243
	vmovdqu x0, 0 * 32(mem);			\
244
	vmovdqu x1, 1 * 32(mem);			\
245
	vmovdqu x2, 2 * 32(mem);			\
246
	vmovdqu x3, 3 * 32(mem);			\
247
	vmovdqu x4, 4 * 32(mem);			\
248
	vmovdqu x5, 5 * 32(mem);			\
249
	vmovdqu x6, 6 * 32(mem);			\
250
	vmovdqu x7, 7 * 32(mem);			\
251
	vmovdqu y0, 8 * 32(mem);			\
252
	vmovdqu y1, 9 * 32(mem);			\
253
	vmovdqu y2, 10 * 32(mem);			\
254
	vmovdqu y3, 11 * 32(mem);			\
255
	vmovdqu y4, 12 * 32(mem);			\
256
	vmovdqu y5, 13 * 32(mem);			\
257
	vmovdqu y6, 14 * 32(mem);			\
258
	vmovdqu y7, 15 * 32(mem);			\
259

260
#define aria_store_state_8way(x0, x1, x2, x3,		\
261
			      x4, x5, x6, x7,		\
262
			      mem_tmp, idx)		\
263
	vmovdqu x0, ((idx + 0) * 32)(mem_tmp);		\
264
	vmovdqu x1, ((idx + 1) * 32)(mem_tmp);		\
265
	vmovdqu x2, ((idx + 2) * 32)(mem_tmp);		\
266
	vmovdqu x3, ((idx + 3) * 32)(mem_tmp);		\
267
	vmovdqu x4, ((idx + 4) * 32)(mem_tmp);		\
268
	vmovdqu x5, ((idx + 5) * 32)(mem_tmp);		\
269
	vmovdqu x6, ((idx + 6) * 32)(mem_tmp);		\
270
	vmovdqu x7, ((idx + 7) * 32)(mem_tmp);
271

272
#define aria_load_state_8way(x0, x1, x2, x3,		\
273
			     x4, x5, x6, x7,		\
274
			     mem_tmp, idx)		\
275
	vmovdqu ((idx + 0) * 32)(mem_tmp), x0;		\
276
	vmovdqu ((idx + 1) * 32)(mem_tmp), x1;		\
277
	vmovdqu ((idx + 2) * 32)(mem_tmp), x2;		\
278
	vmovdqu ((idx + 3) * 32)(mem_tmp), x3;		\
279
	vmovdqu ((idx + 4) * 32)(mem_tmp), x4;		\
280
	vmovdqu ((idx + 5) * 32)(mem_tmp), x5;		\
281
	vmovdqu ((idx + 6) * 32)(mem_tmp), x6;		\
282
	vmovdqu ((idx + 7) * 32)(mem_tmp), x7;
283

284
#define aria_ark_8way(x0, x1, x2, x3,			\
285
		      x4, x5, x6, x7,			\
286
		      t0, rk, idx, round)		\
287
	/* AddRoundKey */                               \
288
	vpbroadcastb ((round * 16) + idx + 3)(rk), t0;	\
289
	vpxor t0, x0, x0;				\
290
	vpbroadcastb ((round * 16) + idx + 2)(rk), t0;	\
291
	vpxor t0, x1, x1;				\
292
	vpbroadcastb ((round * 16) + idx + 1)(rk), t0;	\
293
	vpxor t0, x2, x2;				\
294
	vpbroadcastb ((round * 16) + idx + 0)(rk), t0;	\
295
	vpxor t0, x3, x3;				\
296
	vpbroadcastb ((round * 16) + idx + 7)(rk), t0;	\
297
	vpxor t0, x4, x4;				\
298
	vpbroadcastb ((round * 16) + idx + 6)(rk), t0;	\
299
	vpxor t0, x5, x5;				\
300
	vpbroadcastb ((round * 16) + idx + 5)(rk), t0;	\
301
	vpxor t0, x6, x6;				\
302
	vpbroadcastb ((round * 16) + idx + 4)(rk), t0;	\
303
	vpxor t0, x7, x7;
304

305
#ifdef CONFIG_AS_GFNI
306
#define aria_sbox_8way_gfni(x0, x1, x2, x3,		\
307
			    x4, x5, x6, x7,		\
308
			    t0, t1, t2, t3,		\
309
			    t4, t5, t6, t7)		\
310
	vpbroadcastq .Ltf_s2_bitmatrix(%rip), t0;	\
311
	vpbroadcastq .Ltf_inv_bitmatrix(%rip), t1;	\
312
	vpbroadcastq .Ltf_id_bitmatrix(%rip), t2;	\
313
	vpbroadcastq .Ltf_aff_bitmatrix(%rip), t3;	\
314
	vpbroadcastq .Ltf_x2_bitmatrix(%rip), t4;	\
315
	vgf2p8affineinvqb $(tf_s2_const), t0, x1, x1;	\
316
	vgf2p8affineinvqb $(tf_s2_const), t0, x5, x5;	\
317
	vgf2p8affineqb $(tf_inv_const), t1, x2, x2;	\
318
	vgf2p8affineqb $(tf_inv_const), t1, x6, x6;	\
319
	vgf2p8affineinvqb $0, t2, x2, x2;		\
320
	vgf2p8affineinvqb $0, t2, x6, x6;		\
321
	vgf2p8affineinvqb $(tf_aff_const), t3, x0, x0;	\
322
	vgf2p8affineinvqb $(tf_aff_const), t3, x4, x4;	\
323
	vgf2p8affineqb $(tf_x2_const), t4, x3, x3;	\
324
	vgf2p8affineqb $(tf_x2_const), t4, x7, x7;	\
325
	vgf2p8affineinvqb $0, t2, x3, x3;		\
326
	vgf2p8affineinvqb $0, t2, x7, x7
327

328
#endif /* CONFIG_AS_GFNI */
329
#define aria_sbox_8way(x0, x1, x2, x3,			\
330
		       x4, x5, x6, x7,			\
331
		       t0, t1, t2, t3,			\
332
		       t4, t5, t6, t7)			\
333
	vpxor t7, t7, t7;				\
334
	vpxor t6, t6, t6;				\
335
	vbroadcasti128 .Linv_shift_row(%rip), t0;	\
336
	vbroadcasti128 .Lshift_row(%rip), t1;		\
337
	vbroadcasti128 .Ltf_lo__inv_aff__and__s2(%rip), t2; \
338
	vbroadcasti128 .Ltf_hi__inv_aff__and__s2(%rip), t3; \
339
	vbroadcasti128 .Ltf_lo__x2__and__fwd_aff(%rip), t4; \
340
	vbroadcasti128 .Ltf_hi__x2__and__fwd_aff(%rip), t5; \
341
							\
342
	vextracti128 $1, x0, t6##_x;			\
343
	vaesenclast t7##_x, x0##_x, x0##_x;		\
344
	vaesenclast t7##_x, t6##_x, t6##_x;		\
345
	vinserti128 $1, t6##_x, x0, x0;			\
346
							\
347
	vextracti128 $1, x4, t6##_x;			\
348
	vaesenclast t7##_x, x4##_x, x4##_x;		\
349
	vaesenclast t7##_x, t6##_x, t6##_x;		\
350
	vinserti128 $1, t6##_x, x4, x4;			\
351
							\
352
	vextracti128 $1, x1, t6##_x;			\
353
	vaesenclast t7##_x, x1##_x, x1##_x;		\
354
	vaesenclast t7##_x, t6##_x, t6##_x;		\
355
	vinserti128 $1, t6##_x, x1, x1;			\
356
							\
357
	vextracti128 $1, x5, t6##_x;			\
358
	vaesenclast t7##_x, x5##_x, x5##_x;		\
359
	vaesenclast t7##_x, t6##_x, t6##_x;		\
360
	vinserti128 $1, t6##_x, x5, x5;			\
361
							\
362
	vextracti128 $1, x2, t6##_x;			\
363
	vaesdeclast t7##_x, x2##_x, x2##_x;		\
364
	vaesdeclast t7##_x, t6##_x, t6##_x;		\
365
	vinserti128 $1, t6##_x, x2, x2;			\
366
							\
367
	vextracti128 $1, x6, t6##_x;			\
368
	vaesdeclast t7##_x, x6##_x, x6##_x;		\
369
	vaesdeclast t7##_x, t6##_x, t6##_x;		\
370
	vinserti128 $1, t6##_x, x6, x6;			\
371
							\
372
	vpbroadcastd .L0f0f0f0f(%rip), t6;		\
373
							\
374
	/* AES inverse shift rows */			\
375
	vpshufb t0, x0, x0;				\
376
	vpshufb t0, x4, x4;				\
377
	vpshufb t0, x1, x1;				\
378
	vpshufb t0, x5, x5;				\
379
	vpshufb t1, x3, x3;				\
380
	vpshufb t1, x7, x7;				\
381
	vpshufb t1, x2, x2;				\
382
	vpshufb t1, x6, x6;				\
383
							\
384
	/* affine transformation for S2 */		\
385
	filter_8bit(x1, t2, t3, t6, t0);		\
386
	/* affine transformation for S2 */		\
387
	filter_8bit(x5, t2, t3, t6, t0);		\
388
							\
389
	/* affine transformation for X2 */		\
390
	filter_8bit(x3, t4, t5, t6, t0);		\
391
	/* affine transformation for X2 */		\
392
	filter_8bit(x7, t4, t5, t6, t0);		\
393
							\
394
	vpxor t6, t6, t6;				\
395
	vextracti128 $1, x3, t6##_x;			\
396
	vaesdeclast t7##_x, x3##_x, x3##_x;		\
397
	vaesdeclast t7##_x, t6##_x, t6##_x;		\
398
	vinserti128 $1, t6##_x, x3, x3;			\
399
							\
400
	vextracti128 $1, x7, t6##_x;			\
401
	vaesdeclast t7##_x, x7##_x, x7##_x;		\
402
	vaesdeclast t7##_x, t6##_x, t6##_x;		\
403
	vinserti128 $1, t6##_x, x7, x7;			\
404

405
#define aria_diff_m(x0, x1, x2, x3,			\
406
		    t0, t1, t2, t3)			\
407
	/* T = rotr32(X, 8); */				\
408
	/* X ^= T */					\
409
	vpxor x0, x3, t0;				\
410
	vpxor x1, x0, t1;				\
411
	vpxor x2, x1, t2;				\
412
	vpxor x3, x2, t3;				\
413
	/* X = T ^ rotr(X, 16); */			\
414
	vpxor t2, x0, x0;				\
415
	vpxor x1, t3, t3;				\
416
	vpxor t0, x2, x2;				\
417
	vpxor t1, x3, x1;				\
418
	vmovdqu t3, x3;
419

420
#define aria_diff_word(x0, x1, x2, x3,			\
421
		       x4, x5, x6, x7,			\
422
		       y0, y1, y2, y3,			\
423
		       y4, y5, y6, y7)			\
424
	/* t1 ^= t2; */					\
425
	vpxor y0, x4, x4;				\
426
	vpxor y1, x5, x5;				\
427
	vpxor y2, x6, x6;				\
428
	vpxor y3, x7, x7;				\
429
							\
430
	/* t2 ^= t3; */					\
431
	vpxor y4, y0, y0;				\
432
	vpxor y5, y1, y1;				\
433
	vpxor y6, y2, y2;				\
434
	vpxor y7, y3, y3;				\
435
							\
436
	/* t0 ^= t1; */					\
437
	vpxor x4, x0, x0;				\
438
	vpxor x5, x1, x1;				\
439
	vpxor x6, x2, x2;				\
440
	vpxor x7, x3, x3;				\
441
							\
442
	/* t3 ^= t1; */					\
443
	vpxor x4, y4, y4;				\
444
	vpxor x5, y5, y5;				\
445
	vpxor x6, y6, y6;				\
446
	vpxor x7, y7, y7;				\
447
							\
448
	/* t2 ^= t0; */					\
449
	vpxor x0, y0, y0;				\
450
	vpxor x1, y1, y1;				\
451
	vpxor x2, y2, y2;				\
452
	vpxor x3, y3, y3;				\
453
							\
454
	/* t1 ^= t2; */					\
455
	vpxor y0, x4, x4;				\
456
	vpxor y1, x5, x5;				\
457
	vpxor y2, x6, x6;				\
458
	vpxor y3, x7, x7;
459

460
#define aria_fe(x0, x1, x2, x3,				\
461
		x4, x5, x6, x7,				\
462
		y0, y1, y2, y3,				\
463
		y4, y5, y6, y7,				\
464
		mem_tmp, rk, round)			\
465
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
466
		      y0, rk, 8, round);		\
467
							\
468
	aria_sbox_8way(x2, x3, x0, x1, x6, x7, x4, x5,	\
469
		       y0, y1, y2, y3, y4, y5, y6, y7);	\
470
							\
471
	aria_diff_m(x0, x1, x2, x3, y0, y1, y2, y3);	\
472
	aria_diff_m(x4, x5, x6, x7, y0, y1, y2, y3);	\
473
	aria_store_state_8way(x0, x1, x2, x3,		\
474
			      x4, x5, x6, x7,		\
475
			      mem_tmp, 8);		\
476
							\
477
	aria_load_state_8way(x0, x1, x2, x3,		\
478
			     x4, x5, x6, x7,		\
479
			     mem_tmp, 0);		\
480
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
481
		      y0, rk, 0, round);		\
482
							\
483
	aria_sbox_8way(x2, x3, x0, x1, x6, x7, x4, x5,	\
484
		       y0, y1, y2, y3, y4, y5, y6, y7);	\
485
							\
486
	aria_diff_m(x0, x1, x2, x3, y0, y1, y2, y3);	\
487
	aria_diff_m(x4, x5, x6, x7, y0, y1, y2, y3);	\
488
	aria_store_state_8way(x0, x1, x2, x3,		\
489
			      x4, x5, x6, x7,		\
490
			      mem_tmp, 0);		\
491
	aria_load_state_8way(y0, y1, y2, y3,		\
492
			     y4, y5, y6, y7,		\
493
			     mem_tmp, 8);		\
494
	aria_diff_word(x0, x1, x2, x3,			\
495
		       x4, x5, x6, x7,			\
496
		       y0, y1, y2, y3,			\
497
		       y4, y5, y6, y7);			\
498
	/* aria_diff_byte()				\
499
	 * T3 = ABCD -> BADC				\
500
	 * T3 = y4, y5, y6, y7 -> y5, y4, y7, y6	\
501
	 * T0 = ABCD -> CDAB				\
502
	 * T0 = x0, x1, x2, x3 -> x2, x3, x0, x1	\
503
	 * T1 = ABCD -> DCBA				\
504
	 * T1 = x4, x5, x6, x7 -> x7, x6, x5, x4	\
505
	 */						\
506
	aria_diff_word(x2, x3, x0, x1,			\
507
		       x7, x6, x5, x4,			\
508
		       y0, y1, y2, y3,			\
509
		       y5, y4, y7, y6);			\
510
	aria_store_state_8way(x3, x2, x1, x0,		\
511
			      x6, x7, x4, x5,		\
512
			      mem_tmp, 0);
513

514
#define aria_fo(x0, x1, x2, x3,				\
515
		x4, x5, x6, x7,				\
516
		y0, y1, y2, y3,				\
517
		y4, y5, y6, y7,				\
518
		mem_tmp, rk, round)			\
519
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
520
		      y0, rk, 8, round);		\
521
							\
522
	aria_sbox_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
523
		       y0, y1, y2, y3, y4, y5, y6, y7);	\
524
							\
525
	aria_diff_m(x0, x1, x2, x3, y0, y1, y2, y3);	\
526
	aria_diff_m(x4, x5, x6, x7, y0, y1, y2, y3);	\
527
	aria_store_state_8way(x0, x1, x2, x3,		\
528
			      x4, x5, x6, x7,		\
529
			      mem_tmp, 8);		\
530
							\
531
	aria_load_state_8way(x0, x1, x2, x3,		\
532
			     x4, x5, x6, x7,		\
533
			     mem_tmp, 0);		\
534
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
535
		      y0, rk, 0, round);		\
536
							\
537
	aria_sbox_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
538
		       y0, y1, y2, y3, y4, y5, y6, y7);	\
539
							\
540
	aria_diff_m(x0, x1, x2, x3, y0, y1, y2, y3);	\
541
	aria_diff_m(x4, x5, x6, x7, y0, y1, y2, y3);	\
542
	aria_store_state_8way(x0, x1, x2, x3,		\
543
			      x4, x5, x6, x7,		\
544
			      mem_tmp, 0);		\
545
	aria_load_state_8way(y0, y1, y2, y3,		\
546
			     y4, y5, y6, y7,		\
547
			     mem_tmp, 8);		\
548
	aria_diff_word(x0, x1, x2, x3,			\
549
		       x4, x5, x6, x7,			\
550
		       y0, y1, y2, y3,			\
551
		       y4, y5, y6, y7);			\
552
	/* aria_diff_byte()				\
553
	 * T1 = ABCD -> BADC				\
554
	 * T1 = x4, x5, x6, x7 -> x5, x4, x7, x6	\
555
	 * T2 = ABCD -> CDAB				\
556
	 * T2 = y0, y1, y2, y3, -> y2, y3, y0, y1	\
557
	 * T3 = ABCD -> DCBA				\
558
	 * T3 = y4, y5, y6, y7 -> y7, y6, y5, y4	\
559
	 */						\
560
	aria_diff_word(x0, x1, x2, x3,			\
561
		       x5, x4, x7, x6,			\
562
		       y2, y3, y0, y1,			\
563
		       y7, y6, y5, y4);			\
564
	aria_store_state_8way(x3, x2, x1, x0,		\
565
			      x6, x7, x4, x5,		\
566
			      mem_tmp, 0);
567

568
#define aria_ff(x0, x1, x2, x3,				\
569
		x4, x5, x6, x7,				\
570
		y0, y1, y2, y3,				\
571
		y4, y5, y6, y7,				\
572
		mem_tmp, rk, round, last_round)		\
573
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
574
		      y0, rk, 8, round);		\
575
							\
576
	aria_sbox_8way(x2, x3, x0, x1, x6, x7, x4, x5,	\
577
		       y0, y1, y2, y3, y4, y5, y6, y7);	\
578
							\
579
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
580
		      y0, rk, 8, last_round);		\
581
							\
582
	aria_store_state_8way(x0, x1, x2, x3,		\
583
			      x4, x5, x6, x7,		\
584
			      mem_tmp, 8);		\
585
							\
586
	aria_load_state_8way(x0, x1, x2, x3,		\
587
			     x4, x5, x6, x7,		\
588
			     mem_tmp, 0);		\
589
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
590
		      y0, rk, 0, round);		\
591
							\
592
	aria_sbox_8way(x2, x3, x0, x1, x6, x7, x4, x5,	\
593
		       y0, y1, y2, y3, y4, y5, y6, y7);	\
594
							\
595
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
596
		      y0, rk, 0, last_round);		\
597
							\
598
	aria_load_state_8way(y0, y1, y2, y3,		\
599
			     y4, y5, y6, y7,		\
600
			     mem_tmp, 8);
601
#ifdef CONFIG_AS_GFNI
602
#define aria_fe_gfni(x0, x1, x2, x3,			\
603
		     x4, x5, x6, x7,			\
604
		     y0, y1, y2, y3,			\
605
		     y4, y5, y6, y7,			\
606
		     mem_tmp, rk, round)		\
607
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
608
		      y0, rk, 8, round);		\
609
							\
610
	aria_sbox_8way_gfni(x2, x3, x0, x1,		\
611
			    x6, x7, x4, x5,		\
612
			    y0, y1, y2, y3,		\
613
			    y4, y5, y6, y7);		\
614
							\
615
	aria_diff_m(x0, x1, x2, x3, y0, y1, y2, y3);	\
616
	aria_diff_m(x4, x5, x6, x7, y0, y1, y2, y3);	\
617
	aria_store_state_8way(x0, x1, x2, x3,		\
618
			      x4, x5, x6, x7,		\
619
			      mem_tmp, 8);		\
620
							\
621
	aria_load_state_8way(x0, x1, x2, x3,		\
622
			     x4, x5, x6, x7,		\
623
			     mem_tmp, 0);		\
624
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
625
		      y0, rk, 0, round);		\
626
							\
627
	aria_sbox_8way_gfni(x2, x3, x0, x1,		\
628
			    x6, x7, x4, x5,		\
629
			    y0, y1, y2, y3,		\
630
			    y4, y5, y6, y7);		\
631
							\
632
	aria_diff_m(x0, x1, x2, x3, y0, y1, y2, y3);	\
633
	aria_diff_m(x4, x5, x6, x7, y0, y1, y2, y3);	\
634
	aria_store_state_8way(x0, x1, x2, x3,		\
635
			      x4, x5, x6, x7,		\
636
			      mem_tmp, 0);		\
637
	aria_load_state_8way(y0, y1, y2, y3,		\
638
			     y4, y5, y6, y7,		\
639
			     mem_tmp, 8);		\
640
	aria_diff_word(x0, x1, x2, x3,			\
641
		       x4, x5, x6, x7,			\
642
		       y0, y1, y2, y3,			\
643
		       y4, y5, y6, y7);			\
644
	/* aria_diff_byte()				\
645
	 * T3 = ABCD -> BADC				\
646
	 * T3 = y4, y5, y6, y7 -> y5, y4, y7, y6	\
647
	 * T0 = ABCD -> CDAB				\
648
	 * T0 = x0, x1, x2, x3 -> x2, x3, x0, x1	\
649
	 * T1 = ABCD -> DCBA				\
650
	 * T1 = x4, x5, x6, x7 -> x7, x6, x5, x4	\
651
	 */						\
652
	aria_diff_word(x2, x3, x0, x1,			\
653
		       x7, x6, x5, x4,			\
654
		       y0, y1, y2, y3,			\
655
		       y5, y4, y7, y6);			\
656
	aria_store_state_8way(x3, x2, x1, x0,		\
657
			      x6, x7, x4, x5,		\
658
			      mem_tmp, 0);
659

660
#define aria_fo_gfni(x0, x1, x2, x3,			\
661
		     x4, x5, x6, x7,			\
662
		     y0, y1, y2, y3,			\
663
		     y4, y5, y6, y7,			\
664
		     mem_tmp, rk, round)		\
665
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
666
		      y0, rk, 8, round);		\
667
							\
668
	aria_sbox_8way_gfni(x0, x1, x2, x3,		\
669
			    x4, x5, x6, x7,		\
670
			    y0, y1, y2, y3,		\
671
			    y4, y5, y6, y7);		\
672
							\
673
	aria_diff_m(x0, x1, x2, x3, y0, y1, y2, y3);	\
674
	aria_diff_m(x4, x5, x6, x7, y0, y1, y2, y3);	\
675
	aria_store_state_8way(x0, x1, x2, x3,		\
676
			      x4, x5, x6, x7,		\
677
			      mem_tmp, 8);		\
678
							\
679
	aria_load_state_8way(x0, x1, x2, x3,		\
680
			     x4, x5, x6, x7,		\
681
			     mem_tmp, 0);		\
682
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
683
		      y0, rk, 0, round);		\
684
							\
685
	aria_sbox_8way_gfni(x0, x1, x2, x3,		\
686
			    x4, x5, x6, x7,		\
687
			    y0, y1, y2, y3,		\
688
			    y4, y5, y6, y7);		\
689
							\
690
	aria_diff_m(x0, x1, x2, x3, y0, y1, y2, y3);	\
691
	aria_diff_m(x4, x5, x6, x7, y0, y1, y2, y3);	\
692
	aria_store_state_8way(x0, x1, x2, x3,		\
693
			      x4, x5, x6, x7,		\
694
			      mem_tmp, 0);		\
695
	aria_load_state_8way(y0, y1, y2, y3,		\
696
			     y4, y5, y6, y7,		\
697
			     mem_tmp, 8);		\
698
	aria_diff_word(x0, x1, x2, x3,			\
699
		       x4, x5, x6, x7,			\
700
		       y0, y1, y2, y3,			\
701
		       y4, y5, y6, y7);			\
702
	/* aria_diff_byte()				\
703
	 * T1 = ABCD -> BADC				\
704
	 * T1 = x4, x5, x6, x7 -> x5, x4, x7, x6	\
705
	 * T2 = ABCD -> CDAB				\
706
	 * T2 = y0, y1, y2, y3, -> y2, y3, y0, y1	\
707
	 * T3 = ABCD -> DCBA				\
708
	 * T3 = y4, y5, y6, y7 -> y7, y6, y5, y4	\
709
	 */						\
710
	aria_diff_word(x0, x1, x2, x3,			\
711
		       x5, x4, x7, x6,			\
712
		       y2, y3, y0, y1,			\
713
		       y7, y6, y5, y4);			\
714
	aria_store_state_8way(x3, x2, x1, x0,		\
715
			      x6, x7, x4, x5,		\
716
			      mem_tmp, 0);
717

718
#define aria_ff_gfni(x0, x1, x2, x3,			\
719
		x4, x5, x6, x7,				\
720
		y0, y1, y2, y3,				\
721
		y4, y5, y6, y7,				\
722
		mem_tmp, rk, round, last_round)		\
723
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
724
		      y0, rk, 8, round);		\
725
							\
726
	aria_sbox_8way_gfni(x2, x3, x0, x1,		\
727
			    x6, x7, x4, x5,		\
728
			    y0, y1, y2, y3,		\
729
			    y4, y5, y6, y7);		\
730
							\
731
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
732
		      y0, rk, 8, last_round);		\
733
							\
734
	aria_store_state_8way(x0, x1, x2, x3,		\
735
			      x4, x5, x6, x7,		\
736
			      mem_tmp, 8);		\
737
							\
738
	aria_load_state_8way(x0, x1, x2, x3,		\
739
			     x4, x5, x6, x7,		\
740
			     mem_tmp, 0);		\
741
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
742
		      y0, rk, 0, round);		\
743
							\
744
	aria_sbox_8way_gfni(x2, x3, x0, x1,		\
745
			    x6, x7, x4, x5,		\
746
			    y0, y1, y2, y3,		\
747
			    y4, y5, y6, y7);		\
748
							\
749
	aria_ark_8way(x0, x1, x2, x3, x4, x5, x6, x7,	\
750
		      y0, rk, 0, last_round);		\
751
							\
752
	aria_load_state_8way(y0, y1, y2, y3,		\
753
			     y4, y5, y6, y7,		\
754
			     mem_tmp, 8);
755
#endif /* CONFIG_AS_GFNI */
756

757
.section        .rodata.cst32.shufb_16x16b, "aM", @progbits, 32
758
.align 32
759
#define SHUFB_BYTES(idx) \
760
	0 + (idx), 4 + (idx), 8 + (idx), 12 + (idx)
761
.Lshufb_16x16b:
762
	.byte SHUFB_BYTES(0), SHUFB_BYTES(1), SHUFB_BYTES(2), SHUFB_BYTES(3)
763
	.byte SHUFB_BYTES(0), SHUFB_BYTES(1), SHUFB_BYTES(2), SHUFB_BYTES(3)
764

765
.section	.rodata.cst16, "aM", @progbits, 16
766
.align 16
767
/* For isolating SubBytes from AESENCLAST, inverse shift row */
768
.Linv_shift_row:
769
	.byte 0x00, 0x0d, 0x0a, 0x07, 0x04, 0x01, 0x0e, 0x0b
770
	.byte 0x08, 0x05, 0x02, 0x0f, 0x0c, 0x09, 0x06, 0x03
771
.Lshift_row:
772
	.byte 0x00, 0x05, 0x0a, 0x0f, 0x04, 0x09, 0x0e, 0x03
773
	.byte 0x08, 0x0d, 0x02, 0x07, 0x0c, 0x01, 0x06, 0x0b
774
/* For CTR-mode IV byteswap */
775
.Lbswap128_mask:
776
	.byte 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08
777
	.byte 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00
778

779
/* AES inverse affine and S2 combined:
780
 *      1 1 0 0 0 0 0 1     x0     0
781
 *      0 1 0 0 1 0 0 0     x1     0
782
 *      1 1 0 0 1 1 1 1     x2     0
783
 *      0 1 1 0 1 0 0 1     x3     1
784
 *      0 1 0 0 1 1 0 0  *  x4  +  0
785
 *      0 1 0 1 1 0 0 0     x5     0
786
 *      0 0 0 0 0 1 0 1     x6     0
787
 *      1 1 1 0 0 1 1 1     x7     1
788
 */
789
.Ltf_lo__inv_aff__and__s2:
790
	.octa 0x92172DA81A9FA520B2370D883ABF8500
791
.Ltf_hi__inv_aff__and__s2:
792
	.octa 0x2B15FFC1AF917B45E6D8320C625CB688
793

794
/* X2 and AES forward affine combined:
795
 *      1 0 1 1 0 0 0 1     x0     0
796
 *      0 1 1 1 1 0 1 1     x1     0
797
 *      0 0 0 1 1 0 1 0     x2     1
798
 *      0 1 0 0 0 1 0 0     x3     0
799
 *      0 0 1 1 1 0 1 1  *  x4  +  0
800
 *      0 1 0 0 1 0 0 0     x5     0
801
 *      1 1 0 1 0 0 1 1     x6     0
802
 *      0 1 0 0 1 0 1 0     x7     0
803
 */
804
.Ltf_lo__x2__and__fwd_aff:
805
	.octa 0xEFAE0544FCBD1657B8F95213ABEA4100
806
.Ltf_hi__x2__and__fwd_aff:
807
	.octa 0x3F893781E95FE1576CDA64D2BA0CB204
808

809
#ifdef CONFIG_AS_GFNI
810
.section	.rodata.cst8, "aM", @progbits, 8
811
.align 8
812
/* AES affine: */
813
#define tf_aff_const BV8(1, 1, 0, 0, 0, 1, 1, 0)
814
.Ltf_aff_bitmatrix:
815
	.quad BM8X8(BV8(1, 0, 0, 0, 1, 1, 1, 1),
816
		    BV8(1, 1, 0, 0, 0, 1, 1, 1),
817
		    BV8(1, 1, 1, 0, 0, 0, 1, 1),
818
		    BV8(1, 1, 1, 1, 0, 0, 0, 1),
819
		    BV8(1, 1, 1, 1, 1, 0, 0, 0),
820
		    BV8(0, 1, 1, 1, 1, 1, 0, 0),
821
		    BV8(0, 0, 1, 1, 1, 1, 1, 0),
822
		    BV8(0, 0, 0, 1, 1, 1, 1, 1))
823

824
/* AES inverse affine: */
825
#define tf_inv_const BV8(1, 0, 1, 0, 0, 0, 0, 0)
826
.Ltf_inv_bitmatrix:
827
	.quad BM8X8(BV8(0, 0, 1, 0, 0, 1, 0, 1),
828
		    BV8(1, 0, 0, 1, 0, 0, 1, 0),
829
		    BV8(0, 1, 0, 0, 1, 0, 0, 1),
830
		    BV8(1, 0, 1, 0, 0, 1, 0, 0),
831
		    BV8(0, 1, 0, 1, 0, 0, 1, 0),
832
		    BV8(0, 0, 1, 0, 1, 0, 0, 1),
833
		    BV8(1, 0, 0, 1, 0, 1, 0, 0),
834
		    BV8(0, 1, 0, 0, 1, 0, 1, 0))
835

836
/* S2: */
837
#define tf_s2_const BV8(0, 1, 0, 0, 0, 1, 1, 1)
838
.Ltf_s2_bitmatrix:
839
	.quad BM8X8(BV8(0, 1, 0, 1, 0, 1, 1, 1),
840
		    BV8(0, 0, 1, 1, 1, 1, 1, 1),
841
		    BV8(1, 1, 1, 0, 1, 1, 0, 1),
842
		    BV8(1, 1, 0, 0, 0, 0, 1, 1),
843
		    BV8(0, 1, 0, 0, 0, 0, 1, 1),
844
		    BV8(1, 1, 0, 0, 1, 1, 1, 0),
845
		    BV8(0, 1, 1, 0, 0, 0, 1, 1),
846
		    BV8(1, 1, 1, 1, 0, 1, 1, 0))
847

848
/* X2: */
849
#define tf_x2_const BV8(0, 0, 1, 1, 0, 1, 0, 0)
850
.Ltf_x2_bitmatrix:
851
	.quad BM8X8(BV8(0, 0, 0, 1, 1, 0, 0, 0),
852
		    BV8(0, 0, 1, 0, 0, 1, 1, 0),
853
		    BV8(0, 0, 0, 0, 1, 0, 1, 0),
854
		    BV8(1, 1, 1, 0, 0, 0, 1, 1),
855
		    BV8(1, 1, 1, 0, 1, 1, 0, 0),
856
		    BV8(0, 1, 1, 0, 1, 0, 1, 1),
857
		    BV8(1, 0, 1, 1, 1, 1, 0, 1),
858
		    BV8(1, 0, 0, 1, 0, 0, 1, 1))
859

860
/* Identity matrix: */
861
.Ltf_id_bitmatrix:
862
	.quad BM8X8(BV8(1, 0, 0, 0, 0, 0, 0, 0),
863
		    BV8(0, 1, 0, 0, 0, 0, 0, 0),
864
		    BV8(0, 0, 1, 0, 0, 0, 0, 0),
865
		    BV8(0, 0, 0, 1, 0, 0, 0, 0),
866
		    BV8(0, 0, 0, 0, 1, 0, 0, 0),
867
		    BV8(0, 0, 0, 0, 0, 1, 0, 0),
868
		    BV8(0, 0, 0, 0, 0, 0, 1, 0),
869
		    BV8(0, 0, 0, 0, 0, 0, 0, 1))
870

871
#endif /* CONFIG_AS_GFNI */
872

873
/* 4-bit mask */
874
.section	.rodata.cst4.L0f0f0f0f, "aM", @progbits, 4
875
.align 4
876
.L0f0f0f0f:
877
	.long 0x0f0f0f0f
878

879
.text
880

881
SYM_FUNC_START_LOCAL(__aria_aesni_avx2_crypt_32way)
882
	/* input:
883
	 *      %r9: rk
884
	 *      %rsi: dst
885
	 *      %rdx: src
886
	 *      %ymm0..%ymm15: byte-sliced blocks
887
	 */
888

889
	FRAME_BEGIN
890

891
	movq %rsi, %rax;
892
	leaq 8 * 32(%rax), %r8;
893

894
	inpack16_post(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
895
		      %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
896
		      %ymm15, %rax, %r8);
897
	aria_fo(%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15,
898
		%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
899
		%rax, %r9, 0);
900
	aria_fe(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
901
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
902
		%ymm15, %rax, %r9, 1);
903
	aria_fo(%ymm9, %ymm8, %ymm11, %ymm10, %ymm12, %ymm13, %ymm14, %ymm15,
904
		%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
905
		%rax, %r9, 2);
906
	aria_fe(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
907
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
908
		%ymm15, %rax, %r9, 3);
909
	aria_fo(%ymm9, %ymm8, %ymm11, %ymm10, %ymm12, %ymm13, %ymm14, %ymm15,
910
		%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
911
		%rax, %r9, 4);
912
	aria_fe(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
913
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
914
		%ymm15, %rax, %r9, 5);
915
	aria_fo(%ymm9, %ymm8, %ymm11, %ymm10, %ymm12, %ymm13, %ymm14, %ymm15,
916
		%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
917
		%rax, %r9, 6);
918
	aria_fe(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
919
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
920
		%ymm15, %rax, %r9, 7);
921
	aria_fo(%ymm9, %ymm8, %ymm11, %ymm10, %ymm12, %ymm13, %ymm14, %ymm15,
922
		%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
923
		%rax, %r9, 8);
924
	aria_fe(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
925
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
926
		%ymm15, %rax, %r9, 9);
927
	aria_fo(%ymm9, %ymm8, %ymm11, %ymm10, %ymm12, %ymm13, %ymm14, %ymm15,
928
		%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
929
		%rax, %r9, 10);
930
	cmpl $12, ARIA_CTX_rounds(CTX);
931
	jne .Laria_192;
932
	aria_ff(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
933
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
934
		%ymm15, %rax, %r9, 11, 12);
935
	jmp .Laria_end;
936
.Laria_192:
937
	aria_fe(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
938
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
939
		%ymm15, %rax, %r9, 11);
940
	aria_fo(%ymm9, %ymm8, %ymm11, %ymm10, %ymm12, %ymm13, %ymm14, %ymm15,
941
		%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
942
		%rax, %r9, 12);
943
	cmpl $14, ARIA_CTX_rounds(CTX);
944
	jne .Laria_256;
945
	aria_ff(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
946
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
947
		%ymm15, %rax, %r9, 13, 14);
948
	jmp .Laria_end;
949
.Laria_256:
950
	aria_fe(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
951
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
952
		%ymm15, %rax, %r9, 13);
953
	aria_fo(%ymm9, %ymm8, %ymm11, %ymm10, %ymm12, %ymm13, %ymm14, %ymm15,
954
		%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
955
		%rax, %r9, 14);
956
	aria_ff(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
957
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
958
		%ymm15, %rax, %r9, 15, 16);
959
.Laria_end:
960
	debyteslice_16x16b(%ymm8, %ymm12, %ymm1, %ymm4,
961
			   %ymm9, %ymm13, %ymm0, %ymm5,
962
			   %ymm10, %ymm14, %ymm3, %ymm6,
963
			   %ymm11, %ymm15, %ymm2, %ymm7,
964
			   (%rax), (%r8));
965

966
	FRAME_END
967
	RET;
968
SYM_FUNC_END(__aria_aesni_avx2_crypt_32way)
969

970
SYM_TYPED_FUNC_START(aria_aesni_avx2_encrypt_32way)
971
	/* input:
972
	 *      %rdi: ctx, CTX
973
	 *      %rsi: dst
974
	 *      %rdx: src
975
	 */
976

977
	FRAME_BEGIN
978

979
	leaq ARIA_CTX_enc_key(CTX), %r9;
980

981
	inpack16_pre(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
982
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
983
		     %ymm15, %rdx);
984

985
	call __aria_aesni_avx2_crypt_32way;
986

987
	write_output(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
988
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
989
		     %ymm15, %rax);
990

991
	FRAME_END
992
	RET;
993
SYM_FUNC_END(aria_aesni_avx2_encrypt_32way)
994

995
SYM_TYPED_FUNC_START(aria_aesni_avx2_decrypt_32way)
996
	/* input:
997
	 *      %rdi: ctx, CTX
998
	 *      %rsi: dst
999
	 *      %rdx: src
1000
	 */
1001

1002
	FRAME_BEGIN
1003

1004
	leaq ARIA_CTX_dec_key(CTX), %r9;
1005

1006
	inpack16_pre(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
1007
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
1008
		     %ymm15, %rdx);
1009

1010
	call __aria_aesni_avx2_crypt_32way;
1011

1012
	write_output(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
1013
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
1014
		     %ymm15, %rax);
1015

1016
	FRAME_END
1017
	RET;
1018
SYM_FUNC_END(aria_aesni_avx2_decrypt_32way)
1019

1020
SYM_FUNC_START_LOCAL(__aria_aesni_avx2_ctr_gen_keystream_32way)
1021
	/* input:
1022
	 *      %rdi: ctx
1023
	 *      %rsi: dst
1024
	 *      %rdx: src
1025
	 *      %rcx: keystream
1026
	 *      %r8: iv (big endian, 128bit)
1027
	 */
1028

1029
	FRAME_BEGIN
1030
	movq 8(%r8), %r11;
1031
	bswapq %r11;
1032

1033
	vbroadcasti128 .Lbswap128_mask (%rip), %ymm6;
1034
	vpcmpeqd %ymm0, %ymm0, %ymm0;
1035
	vpsrldq $8, %ymm0, %ymm0;   /* ab: -1:0 ; cd: -1:0 */
1036
	vpaddq %ymm0, %ymm0, %ymm5; /* ab: -2:0 ; cd: -2:0 */
1037

1038
	/* load IV and byteswap */
1039
	vmovdqu (%r8), %xmm7;
1040
	vpshufb %xmm6, %xmm7, %xmm7;
1041
	vmovdqa %xmm7, %xmm3;
1042
	inc_le128(%xmm7, %xmm0, %xmm4);
1043
	vinserti128 $1, %xmm7, %ymm3, %ymm3;
1044
	vpshufb %ymm6, %ymm3, %ymm8; /* +1 ; +0 */
1045

1046
	/* check need for handling 64-bit overflow and carry */
1047
	cmpq $(0xffffffffffffffff - 32), %r11;
1048
	ja .Lhandle_ctr_carry;
1049

1050
	/* construct IVs */
1051
	vpsubq %ymm5, %ymm3, %ymm3; /* +3 ; +2 */
1052
	vpshufb %ymm6, %ymm3, %ymm9;
1053
	vpsubq %ymm5, %ymm3, %ymm3; /* +5 ; +4 */
1054
	vpshufb %ymm6, %ymm3, %ymm10;
1055
	vpsubq %ymm5, %ymm3, %ymm3; /* +7 ; +6 */
1056
	vpshufb %ymm6, %ymm3, %ymm11;
1057
	vpsubq %ymm5, %ymm3, %ymm3; /* +9 ; +8 */
1058
	vpshufb %ymm6, %ymm3, %ymm12;
1059
	vpsubq %ymm5, %ymm3, %ymm3; /* +11 ; +10 */
1060
	vpshufb %ymm6, %ymm3, %ymm13;
1061
	vpsubq %ymm5, %ymm3, %ymm3; /* +13 ; +12 */
1062
	vpshufb %ymm6, %ymm3, %ymm14;
1063
	vpsubq %ymm5, %ymm3, %ymm3; /* +15 ; +14 */
1064
	vpshufb %ymm6, %ymm3, %ymm15;
1065
	vmovdqu %ymm8, (0 * 32)(%rcx);
1066
	vmovdqu %ymm9, (1 * 32)(%rcx);
1067
	vmovdqu %ymm10, (2 * 32)(%rcx);
1068
	vmovdqu %ymm11, (3 * 32)(%rcx);
1069
	vmovdqu %ymm12, (4 * 32)(%rcx);
1070
	vmovdqu %ymm13, (5 * 32)(%rcx);
1071
	vmovdqu %ymm14, (6 * 32)(%rcx);
1072
	vmovdqu %ymm15, (7 * 32)(%rcx);
1073

1074
	vpsubq %ymm5, %ymm3, %ymm3; /* +17 ; +16 */
1075
	vpshufb %ymm6, %ymm3, %ymm8;
1076
	vpsubq %ymm5, %ymm3, %ymm3; /* +19 ; +18 */
1077
	vpshufb %ymm6, %ymm3, %ymm9;
1078
	vpsubq %ymm5, %ymm3, %ymm3; /* +21 ; +20 */
1079
	vpshufb %ymm6, %ymm3, %ymm10;
1080
	vpsubq %ymm5, %ymm3, %ymm3; /* +23 ; +22 */
1081
	vpshufb %ymm6, %ymm3, %ymm11;
1082
	vpsubq %ymm5, %ymm3, %ymm3; /* +25 ; +24 */
1083
	vpshufb %ymm6, %ymm3, %ymm12;
1084
	vpsubq %ymm5, %ymm3, %ymm3; /* +27 ; +26 */
1085
	vpshufb %ymm6, %ymm3, %ymm13;
1086
	vpsubq %ymm5, %ymm3, %ymm3; /* +29 ; +28 */
1087
	vpshufb %ymm6, %ymm3, %ymm14;
1088
	vpsubq %ymm5, %ymm3, %ymm3; /* +31 ; +30 */
1089
	vpshufb %ymm6, %ymm3, %ymm15;
1090
	vpsubq %ymm5, %ymm3, %ymm3; /* +32 */
1091
	vpshufb %xmm6, %xmm3, %xmm3;
1092
	vmovdqu %xmm3, (%r8);
1093
	vmovdqu (0 * 32)(%rcx), %ymm0;
1094
	vmovdqu (1 * 32)(%rcx), %ymm1;
1095
	vmovdqu (2 * 32)(%rcx), %ymm2;
1096
	vmovdqu (3 * 32)(%rcx), %ymm3;
1097
	vmovdqu (4 * 32)(%rcx), %ymm4;
1098
	vmovdqu (5 * 32)(%rcx), %ymm5;
1099
	vmovdqu (6 * 32)(%rcx), %ymm6;
1100
	vmovdqu (7 * 32)(%rcx), %ymm7;
1101
	jmp .Lctr_carry_done;
1102

1103
	.Lhandle_ctr_carry:
1104
	/* construct IVs */
1105
	inc_le128(%ymm3, %ymm0, %ymm4);
1106
	inc_le128(%ymm3, %ymm0, %ymm4);
1107
	vpshufb %ymm6, %ymm3, %ymm9; /* +3 ; +2 */
1108
	inc_le128(%ymm3, %ymm0, %ymm4);
1109
	inc_le128(%ymm3, %ymm0, %ymm4);
1110
	vpshufb %ymm6, %ymm3, %ymm10; /* +5 ; +4 */
1111
	inc_le128(%ymm3, %ymm0, %ymm4);
1112
	inc_le128(%ymm3, %ymm0, %ymm4);
1113
	vpshufb %ymm6, %ymm3, %ymm11; /* +7 ; +6 */
1114
	inc_le128(%ymm3, %ymm0, %ymm4);
1115
	inc_le128(%ymm3, %ymm0, %ymm4);
1116
	vpshufb %ymm6, %ymm3, %ymm12; /* +9 ; +8 */
1117
	inc_le128(%ymm3, %ymm0, %ymm4);
1118
	inc_le128(%ymm3, %ymm0, %ymm4);
1119
	vpshufb %ymm6, %ymm3, %ymm13; /* +11 ; +10 */
1120
	inc_le128(%ymm3, %ymm0, %ymm4);
1121
	inc_le128(%ymm3, %ymm0, %ymm4);
1122
	vpshufb %ymm6, %ymm3, %ymm14; /* +13 ; +12 */
1123
	inc_le128(%ymm3, %ymm0, %ymm4);
1124
	inc_le128(%ymm3, %ymm0, %ymm4);
1125
	vpshufb %ymm6, %ymm3, %ymm15; /* +15 ; +14 */
1126
	vmovdqu %ymm8, (0 * 32)(%rcx);
1127
	vmovdqu %ymm9, (1 * 32)(%rcx);
1128
	vmovdqu %ymm10, (2 * 32)(%rcx);
1129
	vmovdqu %ymm11, (3 * 32)(%rcx);
1130
	vmovdqu %ymm12, (4 * 32)(%rcx);
1131
	vmovdqu %ymm13, (5 * 32)(%rcx);
1132
	vmovdqu %ymm14, (6 * 32)(%rcx);
1133
	vmovdqu %ymm15, (7 * 32)(%rcx);
1134

1135
	inc_le128(%ymm3, %ymm0, %ymm4);
1136
	inc_le128(%ymm3, %ymm0, %ymm4);
1137
	vpshufb %ymm6, %ymm3, %ymm8; /* +17 ; +16 */
1138
	inc_le128(%ymm3, %ymm0, %ymm4);
1139
	inc_le128(%ymm3, %ymm0, %ymm4);
1140
	vpshufb %ymm6, %ymm3, %ymm9; /* +19 ; +18 */
1141
	inc_le128(%ymm3, %ymm0, %ymm4);
1142
	inc_le128(%ymm3, %ymm0, %ymm4);
1143
	vpshufb %ymm6, %ymm3, %ymm10; /* +21 ; +20 */
1144
	inc_le128(%ymm3, %ymm0, %ymm4);
1145
	inc_le128(%ymm3, %ymm0, %ymm4);
1146
	vpshufb %ymm6, %ymm3, %ymm11; /* +23 ; +22 */
1147
	inc_le128(%ymm3, %ymm0, %ymm4);
1148
	inc_le128(%ymm3, %ymm0, %ymm4);
1149
	vpshufb %ymm6, %ymm3, %ymm12; /* +25 ; +24 */
1150
	inc_le128(%ymm3, %ymm0, %ymm4);
1151
	inc_le128(%ymm3, %ymm0, %ymm4);
1152
	vpshufb %ymm6, %ymm3, %ymm13; /* +27 ; +26 */
1153
	inc_le128(%ymm3, %ymm0, %ymm4);
1154
	inc_le128(%ymm3, %ymm0, %ymm4);
1155
	vpshufb %ymm6, %ymm3, %ymm14; /* +29 ; +28 */
1156
	inc_le128(%ymm3, %ymm0, %ymm4);
1157
	inc_le128(%ymm3, %ymm0, %ymm4);
1158
	vpshufb %ymm6, %ymm3, %ymm15; /* +31 ; +30 */
1159
	inc_le128(%ymm3, %ymm0, %ymm4);
1160
	vextracti128 $1, %ymm3, %xmm3;
1161
	vpshufb %xmm6, %xmm3, %xmm3; /* +32 */
1162
	vmovdqu %xmm3, (%r8);
1163
	vmovdqu (0 * 32)(%rcx), %ymm0;
1164
	vmovdqu (1 * 32)(%rcx), %ymm1;
1165
	vmovdqu (2 * 32)(%rcx), %ymm2;
1166
	vmovdqu (3 * 32)(%rcx), %ymm3;
1167
	vmovdqu (4 * 32)(%rcx), %ymm4;
1168
	vmovdqu (5 * 32)(%rcx), %ymm5;
1169
	vmovdqu (6 * 32)(%rcx), %ymm6;
1170
	vmovdqu (7 * 32)(%rcx), %ymm7;
1171

1172
	.Lctr_carry_done:
1173

1174
	FRAME_END
1175
	RET;
1176
SYM_FUNC_END(__aria_aesni_avx2_ctr_gen_keystream_32way)
1177

1178
SYM_TYPED_FUNC_START(aria_aesni_avx2_ctr_crypt_32way)
1179
	/* input:
1180
	 *      %rdi: ctx
1181
	 *      %rsi: dst
1182
	 *      %rdx: src
1183
	 *      %rcx: keystream
1184
	 *      %r8: iv (big endian, 128bit)
1185
	 */
1186
	FRAME_BEGIN
1187

1188
	call __aria_aesni_avx2_ctr_gen_keystream_32way;
1189

1190
	leaq (%rsi), %r10;
1191
	leaq (%rdx), %r11;
1192
	leaq (%rcx), %rsi;
1193
	leaq (%rcx), %rdx;
1194
	leaq ARIA_CTX_enc_key(CTX), %r9;
1195

1196
	call __aria_aesni_avx2_crypt_32way;
1197

1198
	vpxor (0 * 32)(%r11), %ymm1, %ymm1;
1199
	vpxor (1 * 32)(%r11), %ymm0, %ymm0;
1200
	vpxor (2 * 32)(%r11), %ymm3, %ymm3;
1201
	vpxor (3 * 32)(%r11), %ymm2, %ymm2;
1202
	vpxor (4 * 32)(%r11), %ymm4, %ymm4;
1203
	vpxor (5 * 32)(%r11), %ymm5, %ymm5;
1204
	vpxor (6 * 32)(%r11), %ymm6, %ymm6;
1205
	vpxor (7 * 32)(%r11), %ymm7, %ymm7;
1206
	vpxor (8 * 32)(%r11), %ymm8, %ymm8;
1207
	vpxor (9 * 32)(%r11), %ymm9, %ymm9;
1208
	vpxor (10 * 32)(%r11), %ymm10, %ymm10;
1209
	vpxor (11 * 32)(%r11), %ymm11, %ymm11;
1210
	vpxor (12 * 32)(%r11), %ymm12, %ymm12;
1211
	vpxor (13 * 32)(%r11), %ymm13, %ymm13;
1212
	vpxor (14 * 32)(%r11), %ymm14, %ymm14;
1213
	vpxor (15 * 32)(%r11), %ymm15, %ymm15;
1214
	write_output(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
1215
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
1216
		     %ymm15, %r10);
1217

1218
	FRAME_END
1219
	RET;
1220
SYM_FUNC_END(aria_aesni_avx2_ctr_crypt_32way)
1221

1222
#ifdef CONFIG_AS_GFNI
1223
SYM_FUNC_START_LOCAL(__aria_aesni_avx2_gfni_crypt_32way)
1224
	/* input:
1225
	 *      %r9: rk
1226
	 *      %rsi: dst
1227
	 *      %rdx: src
1228
	 *      %ymm0..%ymm15: 16 byte-sliced blocks
1229
	 */
1230

1231
	FRAME_BEGIN
1232

1233
	movq %rsi, %rax;
1234
	leaq 8 * 32(%rax), %r8;
1235

1236
	inpack16_post(%ymm0, %ymm1, %ymm2, %ymm3,
1237
		      %ymm4, %ymm5, %ymm6, %ymm7,
1238
		      %ymm8, %ymm9, %ymm10, %ymm11,
1239
		      %ymm12, %ymm13, %ymm14,
1240
		      %ymm15, %rax, %r8);
1241
	aria_fo_gfni(%ymm8, %ymm9, %ymm10, %ymm11,
1242
		     %ymm12, %ymm13, %ymm14, %ymm15,
1243
		     %ymm0, %ymm1, %ymm2, %ymm3,
1244
		     %ymm4, %ymm5, %ymm6, %ymm7,
1245
		     %rax, %r9, 0);
1246
	aria_fe_gfni(%ymm1, %ymm0, %ymm3, %ymm2,
1247
		     %ymm4, %ymm5, %ymm6, %ymm7,
1248
		     %ymm8, %ymm9, %ymm10, %ymm11,
1249
		     %ymm12, %ymm13, %ymm14,
1250
		     %ymm15, %rax, %r9, 1);
1251
	aria_fo_gfni(%ymm9, %ymm8, %ymm11, %ymm10,
1252
		     %ymm12, %ymm13, %ymm14, %ymm15,
1253
		     %ymm0, %ymm1, %ymm2, %ymm3,
1254
		     %ymm4, %ymm5, %ymm6, %ymm7,
1255
		     %rax, %r9, 2);
1256
	aria_fe_gfni(%ymm1, %ymm0, %ymm3, %ymm2,
1257
		     %ymm4, %ymm5, %ymm6, %ymm7,
1258
		     %ymm8, %ymm9, %ymm10, %ymm11,
1259
		     %ymm12, %ymm13, %ymm14,
1260
		     %ymm15, %rax, %r9, 3);
1261
	aria_fo_gfni(%ymm9, %ymm8, %ymm11, %ymm10,
1262
		     %ymm12, %ymm13, %ymm14, %ymm15,
1263
		     %ymm0, %ymm1, %ymm2, %ymm3,
1264
		     %ymm4, %ymm5, %ymm6, %ymm7,
1265
		     %rax, %r9, 4);
1266
	aria_fe_gfni(%ymm1, %ymm0, %ymm3, %ymm2,
1267
		     %ymm4, %ymm5, %ymm6, %ymm7,
1268
		     %ymm8, %ymm9, %ymm10, %ymm11,
1269
		     %ymm12, %ymm13, %ymm14,
1270
		     %ymm15, %rax, %r9, 5);
1271
	aria_fo_gfni(%ymm9, %ymm8, %ymm11, %ymm10,
1272
		     %ymm12, %ymm13, %ymm14, %ymm15,
1273
		     %ymm0, %ymm1, %ymm2, %ymm3,
1274
		     %ymm4, %ymm5, %ymm6, %ymm7,
1275
		     %rax, %r9, 6);
1276
	aria_fe_gfni(%ymm1, %ymm0, %ymm3, %ymm2,
1277
		     %ymm4, %ymm5, %ymm6, %ymm7,
1278
		     %ymm8, %ymm9, %ymm10, %ymm11,
1279
		     %ymm12, %ymm13, %ymm14,
1280
		     %ymm15, %rax, %r9, 7);
1281
	aria_fo_gfni(%ymm9, %ymm8, %ymm11, %ymm10,
1282
		     %ymm12, %ymm13, %ymm14, %ymm15,
1283
		     %ymm0, %ymm1, %ymm2, %ymm3,
1284
		     %ymm4, %ymm5, %ymm6, %ymm7,
1285
		     %rax, %r9, 8);
1286
	aria_fe_gfni(%ymm1, %ymm0, %ymm3, %ymm2,
1287
		     %ymm4, %ymm5, %ymm6, %ymm7,
1288
		     %ymm8, %ymm9, %ymm10, %ymm11,
1289
		     %ymm12, %ymm13, %ymm14,
1290
		     %ymm15, %rax, %r9, 9);
1291
	aria_fo_gfni(%ymm9, %ymm8, %ymm11, %ymm10,
1292
		     %ymm12, %ymm13, %ymm14, %ymm15,
1293
		     %ymm0, %ymm1, %ymm2, %ymm3,
1294
		     %ymm4, %ymm5, %ymm6, %ymm7,
1295
		     %rax, %r9, 10);
1296
	cmpl $12, ARIA_CTX_rounds(CTX);
1297
	jne .Laria_gfni_192;
1298
	aria_ff_gfni(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
1299
		%ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
1300
		%ymm15, %rax, %r9, 11, 12);
1301
	jmp .Laria_gfni_end;
1302
.Laria_gfni_192:
1303
	aria_fe_gfni(%ymm1, %ymm0, %ymm3, %ymm2,
1304
		     %ymm4, %ymm5, %ymm6, %ymm7,
1305
		     %ymm8, %ymm9, %ymm10, %ymm11,
1306
		     %ymm12, %ymm13, %ymm14,
1307
		     %ymm15, %rax, %r9, 11);
1308
	aria_fo_gfni(%ymm9, %ymm8, %ymm11, %ymm10,
1309
		     %ymm12, %ymm13, %ymm14, %ymm15,
1310
		     %ymm0, %ymm1, %ymm2, %ymm3,
1311
		     %ymm4, %ymm5, %ymm6, %ymm7,
1312
		     %rax, %r9, 12);
1313
	cmpl $14, ARIA_CTX_rounds(CTX);
1314
	jne .Laria_gfni_256;
1315
	aria_ff_gfni(%ymm1, %ymm0, %ymm3, %ymm2,
1316
		     %ymm4, %ymm5, %ymm6, %ymm7,
1317
		     %ymm8, %ymm9, %ymm10, %ymm11,
1318
		     %ymm12, %ymm13, %ymm14,
1319
		     %ymm15, %rax, %r9, 13, 14);
1320
	jmp .Laria_gfni_end;
1321
.Laria_gfni_256:
1322
	aria_fe_gfni(%ymm1, %ymm0, %ymm3, %ymm2,
1323
		     %ymm4, %ymm5, %ymm6, %ymm7,
1324
		     %ymm8, %ymm9, %ymm10, %ymm11,
1325
		     %ymm12, %ymm13, %ymm14,
1326
		     %ymm15, %rax, %r9, 13);
1327
	aria_fo_gfni(%ymm9, %ymm8, %ymm11, %ymm10,
1328
		     %ymm12, %ymm13, %ymm14, %ymm15,
1329
		     %ymm0, %ymm1, %ymm2, %ymm3,
1330
		     %ymm4, %ymm5, %ymm6, %ymm7,
1331
		     %rax, %r9, 14);
1332
	aria_ff_gfni(%ymm1, %ymm0, %ymm3, %ymm2,
1333
		     %ymm4, %ymm5, %ymm6, %ymm7,
1334
		     %ymm8, %ymm9, %ymm10, %ymm11,
1335
		     %ymm12, %ymm13, %ymm14,
1336
		     %ymm15, %rax, %r9, 15, 16);
1337
.Laria_gfni_end:
1338
	debyteslice_16x16b(%ymm8, %ymm12, %ymm1, %ymm4,
1339
			   %ymm9, %ymm13, %ymm0, %ymm5,
1340
			   %ymm10, %ymm14, %ymm3, %ymm6,
1341
			   %ymm11, %ymm15, %ymm2, %ymm7,
1342
			   (%rax), (%r8));
1343

1344
	FRAME_END
1345
	RET;
1346
SYM_FUNC_END(__aria_aesni_avx2_gfni_crypt_32way)
1347

1348
SYM_TYPED_FUNC_START(aria_aesni_avx2_gfni_encrypt_32way)
1349
	/* input:
1350
	 *      %rdi: ctx, CTX
1351
	 *      %rsi: dst
1352
	 *      %rdx: src
1353
	 */
1354

1355
	FRAME_BEGIN
1356

1357
	leaq ARIA_CTX_enc_key(CTX), %r9;
1358

1359
	inpack16_pre(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
1360
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
1361
		     %ymm15, %rdx);
1362

1363
	call __aria_aesni_avx2_gfni_crypt_32way;
1364

1365
	write_output(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
1366
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
1367
		     %ymm15, %rax);
1368

1369
	FRAME_END
1370
	RET;
1371
SYM_FUNC_END(aria_aesni_avx2_gfni_encrypt_32way)
1372

1373
SYM_TYPED_FUNC_START(aria_aesni_avx2_gfni_decrypt_32way)
1374
	/* input:
1375
	 *      %rdi: ctx, CTX
1376
	 *      %rsi: dst
1377
	 *      %rdx: src
1378
	 */
1379

1380
	FRAME_BEGIN
1381

1382
	leaq ARIA_CTX_dec_key(CTX), %r9;
1383

1384
	inpack16_pre(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
1385
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
1386
		     %ymm15, %rdx);
1387

1388
	call __aria_aesni_avx2_gfni_crypt_32way;
1389

1390
	write_output(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
1391
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
1392
		     %ymm15, %rax);
1393

1394
	FRAME_END
1395
	RET;
1396
SYM_FUNC_END(aria_aesni_avx2_gfni_decrypt_32way)
1397

1398
SYM_TYPED_FUNC_START(aria_aesni_avx2_gfni_ctr_crypt_32way)
1399
	/* input:
1400
	 *      %rdi: ctx
1401
	 *      %rsi: dst
1402
	 *      %rdx: src
1403
	 *      %rcx: keystream
1404
	 *      %r8: iv (big endian, 128bit)
1405
	 */
1406
	FRAME_BEGIN
1407

1408
	call __aria_aesni_avx2_ctr_gen_keystream_32way
1409

1410
	leaq (%rsi), %r10;
1411
	leaq (%rdx), %r11;
1412
	leaq (%rcx), %rsi;
1413
	leaq (%rcx), %rdx;
1414
	leaq ARIA_CTX_enc_key(CTX), %r9;
1415

1416
	call __aria_aesni_avx2_gfni_crypt_32way;
1417

1418
	vpxor (0 * 32)(%r11), %ymm1, %ymm1;
1419
	vpxor (1 * 32)(%r11), %ymm0, %ymm0;
1420
	vpxor (2 * 32)(%r11), %ymm3, %ymm3;
1421
	vpxor (3 * 32)(%r11), %ymm2, %ymm2;
1422
	vpxor (4 * 32)(%r11), %ymm4, %ymm4;
1423
	vpxor (5 * 32)(%r11), %ymm5, %ymm5;
1424
	vpxor (6 * 32)(%r11), %ymm6, %ymm6;
1425
	vpxor (7 * 32)(%r11), %ymm7, %ymm7;
1426
	vpxor (8 * 32)(%r11), %ymm8, %ymm8;
1427
	vpxor (9 * 32)(%r11), %ymm9, %ymm9;
1428
	vpxor (10 * 32)(%r11), %ymm10, %ymm10;
1429
	vpxor (11 * 32)(%r11), %ymm11, %ymm11;
1430
	vpxor (12 * 32)(%r11), %ymm12, %ymm12;
1431
	vpxor (13 * 32)(%r11), %ymm13, %ymm13;
1432
	vpxor (14 * 32)(%r11), %ymm14, %ymm14;
1433
	vpxor (15 * 32)(%r11), %ymm15, %ymm15;
1434
	write_output(%ymm1, %ymm0, %ymm3, %ymm2, %ymm4, %ymm5, %ymm6, %ymm7,
1435
		     %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
1436
		     %ymm15, %r10);
1437

1438
	FRAME_END
1439
	RET;
1440
SYM_FUNC_END(aria_aesni_avx2_gfni_ctr_crypt_32way)
1441
#endif /* CONFIG_AS_GFNI */
1442

1443
Product

Resources

Company
