[thirdparty/openssl.git] / crypto / aes / asm / aes-riscv64-zkn.pl

#! /usr/bin/env perl
# This file is dual-licensed, meaning that you can use it under your
# choice of either of the following two licenses:
#
# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You can obtain
# a copy in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
#
# or
#
# Copyright (c) 2022, Hongren (Zenithal) Zheng <i@zenithal.me>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

use strict;
use warnings;

use FindBin qw($Bin);
use lib "$Bin";
use lib "$Bin/../../perlasm";
use riscv;

# $output is the last argument if it looks like a file (it has an extension)
# $flavour is the first argument if it doesn't look like a file
my $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
my $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;

$output and open STDOUT,">$output";

################################################################################
# Utility functions to help with keeping track of which registers to stack/
# unstack when entering / exiting routines.
################################################################################
{
    # Callee-saved registers
    my @callee_saved = map("x$_",(2,8,9,18..27));
    # Caller-saved registers
    my @caller_saved = map("x$_",(1,5..7,10..17,28..31));
    my @must_save;
    sub use_reg {
        my $reg = shift;
        if (grep(/^$reg$/, @callee_saved)) {
            push(@must_save, $reg);
        } elsif (!grep(/^$reg$/, @caller_saved)) {
            # Register is not usable!
            die("Unusable register ".$reg);
        }
        return $reg;
    }
    sub use_regs {
        return map(use_reg("x$_"), @_);
    }
    sub save_regs {
        my $ret = '';
        my $stack_reservation = ($#must_save + 1) * 8;
        my $stack_offset = $stack_reservation;
        if ($stack_reservation % 16) {
            $stack_reservation += 8;
        }
        $ret.="    addi    sp,sp,-$stack_reservation\n";
        foreach (@must_save) {
            $stack_offset -= 8;
            $ret.="    sd      $_,$stack_offset(sp)\n";
        }
        return $ret;
    }
    sub load_regs {
        my $ret = '';
        my $stack_reservation = ($#must_save + 1) * 8;
        my $stack_offset = $stack_reservation;
        if ($stack_reservation % 16) {
            $stack_reservation += 8;
        }
        foreach (@must_save) {
            $stack_offset -= 8;
            $ret.="    ld      $_,$stack_offset(sp)\n";
        }
        $ret.="    addi    sp,sp,$stack_reservation\n";
        return $ret;
    }
    sub clear_regs {
        @must_save = ();
    }
}

################################################################################
# Register assignment for rv64i_zkne_encrypt and rv64i_zknd_decrypt
################################################################################

# Registers to hold AES state (called s0-s3 or y0-y3 elsewhere)
my ($Q0,$Q1,$Q2,$Q3) = use_regs(6..9);

# Function arguments (x10-x12 are a0-a2 in the ABI)
# Input block pointer, output block pointer, key pointer
my ($INP,$OUTP,$KEYP) = use_regs(10..12);

# Temporaries
my ($T0,$T1) = use_regs(13..14);

# Loop counter
my ($loopcntr) = use_regs(30);

################################################################################
# void rv64i_zkne_encrypt(const unsigned char *in, unsigned char *out,
#   const AES_KEY *key);
################################################################################
my $code .= <<___;
.text
.balign 16
.globl rv64i_zkne_encrypt
.type   rv64i_zkne_encrypt,\@function
rv64i_zkne_encrypt:
___

$code .= save_regs();

$code .= <<___;

    # Load input to block cipher
    ld      $Q0,0($INP)
    ld      $Q1,8($INP)

    # Load key
    ld      $T0,0($KEYP)
    ld      $T1,8($KEYP)

    # Load number of rounds
    lwu     $loopcntr,240($KEYP)

    # initial transformation
    xor     $Q0,$Q0,$T0
    xor     $Q1,$Q1,$T1

    # The main loop only executes the first N-1 rounds.
    add     $loopcntr,$loopcntr,-1

    # Do Nr - 1 rounds (final round is special)
1:
    @{[aes64esm $Q2,$Q0,$Q1]}
    @{[aes64esm $Q3,$Q1,$Q0]}

    # Update key ptr to point to next key in schedule
    add     $KEYP,$KEYP,16

    # Grab next key in schedule
    ld      $T0,0($KEYP)
    ld      $T1,8($KEYP)
    xor     $Q0,$Q2,$T0
    xor     $Q1,$Q3,$T1

    add     $loopcntr,$loopcntr,-1
    bgtz    $loopcntr,1b

    # final round
    @{[aes64es $Q2,$Q0,$Q1]}
    @{[aes64es $Q3,$Q1,$Q0]}

    # since not added 16 before
    ld      $T0,16($KEYP)
    ld      $T1,24($KEYP)
    xor     $Q0,$Q2,$T0
    xor     $Q1,$Q3,$T1

    sd      $Q0,0($OUTP)
    sd      $Q1,8($OUTP)

    # Pop registers and return
___

$code .= load_regs();

$code .= <<___;
    ret
___

################################################################################
# void rv64i_zknd_decrypt(const unsigned char *in, unsigned char *out,
#   const AES_KEY *key);
################################################################################
$code .= <<___;
.text
.balign 16
.globl rv64i_zknd_decrypt
.type   rv64i_zknd_decrypt,\@function
rv64i_zknd_decrypt:
___

$code .= save_regs();

$code .= <<___;

    # Load input to block cipher
    ld      $Q0,0($INP)
    ld      $Q1,8($INP)

    # Load number of rounds
    lwu     $loopcntr,240($KEYP)

    # Load the last key
    slli    $T0,$loopcntr,4
    add     $KEYP,$KEYP,$T0
    ld      $T0,0($KEYP)
    ld      $T1,8($KEYP)

    xor     $Q0,$Q0,$T0
    xor     $Q1,$Q1,$T1

    # The main loop only executes the first N-1 rounds.
    add     $loopcntr,$loopcntr,-1

    # Do Nr - 1 rounds (final round is special)
1:
    @{[aes64dsm $Q2,$Q0,$Q1]}
    @{[aes64dsm $Q3,$Q1,$Q0]}

    # Update key ptr to point to next key in schedule
    add     $KEYP,$KEYP,-16

    # Grab next key in schedule
    ld      $T0,0($KEYP)
    ld      $T1,8($KEYP)
    xor     $Q0,$Q2,$T0
    xor     $Q1,$Q3,$T1

    add     $loopcntr,$loopcntr,-1
    bgtz    $loopcntr,1b

    # final round
    @{[aes64ds $Q2,$Q0,$Q1]}
    @{[aes64ds $Q3,$Q1,$Q0]}

    add     $KEYP,$KEYP,-16
    ld      $T0,0($KEYP)
    ld      $T1,8($KEYP)
    xor     $Q0,$Q2,$T0
    xor     $Q1,$Q3,$T1

    sd      $Q0,0($OUTP)
    sd      $Q1,8($OUTP)
    # Pop registers and return
___

$code .= load_regs();

$code .= <<___;
    ret
___

clear_regs();

################################################################################
# Register assignment for rv64i_zkn[e/d]_set_[en/de]crypt_key
################################################################################

# Function arguments (x10-x12 are a0-a2 in the ABI)
# Pointer to user key, number of bits in key, key pointer
my ($UKEY,$BITS,$KEYP) = use_regs(10..12);

# Temporaries
my ($T0,$T1,$T2,$T3,$T4) = use_regs(6..8,13..14);

################################################################################
# utility functions for rv64i_zkne_set_encrypt_key
################################################################################
sub ke128enc {
    my $rnum = 0;
    my $ret = '';
$ret .= <<___;
    ld      $T0,0($UKEY)
    ld      $T1,8($UKEY)
    sd      $T0,0($KEYP)
    sd      $T1,8($KEYP)
___
    while($rnum < 10) {
$ret .= <<___;
    @{[aes64ks1i   $T2,$T1,$rnum]}
    @{[aes64ks2    $T0,$T2,$T0]}
    @{[aes64ks2    $T1,$T0,$T1]}
    add         $KEYP,$KEYP,16
    sd          $T0,0($KEYP)
    sd          $T1,8($KEYP)
___
        $rnum++;
    }
    return $ret;
}

sub ke192enc {
    my $rnum = 0;
    my $ret = '';
$ret .= <<___;
    ld      $T0,0($UKEY)
    ld      $T1,8($UKEY)
    ld      $T2,16($UKEY)
    sd      $T0,0($KEYP)
    sd      $T1,8($KEYP)
    sd      $T2,16($KEYP)
___
    while($rnum < 8) {
$ret .= <<___;
    @{[aes64ks1i   $T3,$T2,$rnum]}
    @{[aes64ks2    $T0,$T3,$T0]}
    @{[aes64ks2    $T1,$T0,$T1]}
___
        if ($rnum != 7) {
        # note that (8+1)*24 = 216, (12+1)*16 = 208
        # thus the last 8 bytes can be dropped
$ret .= <<___;
    @{[aes64ks2    $T2,$T1,$T2]}
___
        }
$ret .= <<___;
    add         $KEYP,$KEYP,24
    sd          $T0,0($KEYP)
    sd          $T1,8($KEYP)
___
        if ($rnum != 7) {
$ret .= <<___;
    sd          $T2,16($KEYP)
___
        }
        $rnum++;
    }
    return $ret;
}

sub ke256enc {
    my $rnum = 0;
    my $ret = '';
$ret .= <<___;
    ld      $T0,0($UKEY)
    ld      $T1,8($UKEY)
    ld      $T2,16($UKEY)
    ld      $T3,24($UKEY)
    sd      $T0,0($KEYP)
    sd      $T1,8($KEYP)
    sd      $T2,16($KEYP)
    sd      $T3,24($KEYP)
___
    while($rnum < 7) {
$ret .= <<___;
    @{[aes64ks1i   $T4,$T3,$rnum]}
    @{[aes64ks2    $T0,$T4,$T0]}
    @{[aes64ks2    $T1,$T0,$T1]}
    add         $KEYP,$KEYP,32
    sd          $T0,0($KEYP)
    sd          $T1,8($KEYP)
___
        if ($rnum != 6) {
        # note that (7+1)*32 = 256, (14+1)*16 = 240
        # thus the last 16 bytes can be dropped
$ret .= <<___;
    @{[aes64ks1i   $T4,$T1,0xA]}
    @{[aes64ks2    $T2,$T4,$T2]}
    @{[aes64ks2    $T3,$T2,$T3]}
    sd          $T2,16($KEYP)
    sd          $T3,24($KEYP)
___
        }
        $rnum++;
    }
    return $ret;
}

################################################################################
# void rv64i_zkne_set_encrypt_key(const unsigned char *userKey, const int bits,
#   AES_KEY *key)
################################################################################
sub AES_set_common {
    my ($ke128, $ke192, $ke256) = @_;
    my $ret = '';
$ret .= <<___;
    bnez    $UKEY,1f        # if (!userKey || !key) return -1;
    bnez    $KEYP,1f
    li      a0,-1
    ret
1:
    # Determine number of rounds from key size in bits
    li      $T0,128
    bne     $BITS,$T0,1f
    li      $T1,10          # key->rounds = 10 if bits == 128
    sw      $T1,240($KEYP)  # store key->rounds
$ke128
    j       4f
1:
    li      $T0,192
    bne     $BITS,$T0,2f
    li      $T1,12          # key->rounds = 12 if bits == 192
    sw      $T1,240($KEYP)  # store key->rounds
$ke192
    j       4f
2:
    li      $T1,14          # key->rounds = 14 if bits == 256
    li      $T0,256
    beq     $BITS,$T0,3f
    li      a0,-2           # If bits != 128, 192, or 256, return -2
    j       5f
3:
    sw      $T1,240($KEYP)  # store key->rounds
$ke256
4:  # return 0
    li      a0,0
5:  # return a0
___
    return $ret;
}
$code .= <<___;
.text
.balign 16
.globl rv64i_zkne_set_encrypt_key
.type   rv64i_zkne_set_encrypt_key,\@function
rv64i_zkne_set_encrypt_key:
___
$code .= save_regs();
$code .= AES_set_common(ke128enc(), ke192enc(),ke256enc());
$code .= load_regs();
$code .= <<___;
    ret
___

################################################################################
# utility functions for rv64i_zknd_set_decrypt_key
################################################################################
sub ke128dec {
    my $rnum = 0;
    my $ret = '';
$ret .= <<___;
    ld      $T0,0($UKEY)
    ld      $T1,8($UKEY)
    sd      $T0,0($KEYP)
    sd      $T1,8($KEYP)
___
    while($rnum < 10) {
$ret .= <<___;
    @{[aes64ks1i   $T2,$T1,$rnum]}
    @{[aes64ks2    $T0,$T2,$T0]}
    @{[aes64ks2    $T1,$T0,$T1]}
    add         $KEYP,$KEYP,16
___
    # need to aes64im for [1:N-1] round keys
    # this is from the fact that aes64dsm subwords first then mix column
    # intuitively decryption needs to first mix column then subwords
    # however, for merging datapaths (encryption first subwords then mix column)
    # aes64dsm chooses to inverse the order of them, thus
    # transform should then be done on the round key
        if ($rnum < 9) {
$ret .= <<___;
    @{[aes64im     $T2,$T0]}
    sd          $T2,0($KEYP)
    @{[aes64im     $T2,$T1]}
    sd          $T2,8($KEYP)
___
        } else {
$ret .= <<___;
    sd          $T0,0($KEYP)
    sd          $T1,8($KEYP)
___
        }
        $rnum++;
    }
    return $ret;
}

sub ke192dec {
    my $rnum = 0;
    my $ret = '';
$ret .= <<___;
    ld      $T0,0($UKEY)
    ld      $T1,8($UKEY)
    ld      $T2,16($UKEY)
    sd      $T0,0($KEYP)
    sd      $T1,8($KEYP)
    @{[aes64im $T3,$T2]}
    sd      $T3,16($KEYP)
___
    while($rnum < 8) {
$ret .= <<___;
    @{[aes64ks1i   $T3,$T2,$rnum]}
    @{[aes64ks2    $T0,$T3,$T0]}
    @{[aes64ks2    $T1,$T0,$T1]}
    add         $KEYP,$KEYP,24
___
        if ($rnum < 7) {
$ret .= <<___;
    @{[aes64im     $T3,$T0]}
    sd          $T3,0($KEYP)
    @{[aes64im     $T3,$T1]}
    sd          $T3,8($KEYP)
    # the reason is in ke192enc
    @{[aes64ks2    $T2,$T1,$T2]}
    @{[aes64im     $T3,$T2]}
    sd          $T3,16($KEYP)
___
        } else { # rnum == 7
$ret .= <<___;
    sd          $T0,0($KEYP)
    sd          $T1,8($KEYP)
___
        }
        $rnum++;
    }
    return $ret;
}

sub ke256dec {
    my $rnum = 0;
    my $ret = '';
$ret .= <<___;
    ld      $T0,0($UKEY)
    ld      $T1,8($UKEY)
    ld      $T2,16($UKEY)
    ld      $T3,24($UKEY)
    sd      $T0,0($KEYP)
    sd      $T1,8($KEYP)
    @{[aes64im $T4,$T2]}
    sd      $T4,16($KEYP)
    @{[aes64im $T4,$T3]}
    sd      $T4,24($KEYP)
___
    while($rnum < 7) {
$ret .= <<___;
    @{[aes64ks1i   $T4,$T3,$rnum]}
    @{[aes64ks2    $T0,$T4,$T0]}
    @{[aes64ks2    $T1,$T0,$T1]}
    add         $KEYP,$KEYP,32
___
        if ($rnum < 6) {
$ret .= <<___;
    @{[aes64ks1i   $T4,$T1,0xA]}
    @{[aes64ks2    $T2,$T4,$T2]}
    @{[aes64ks2    $T3,$T2,$T3]}
    @{[aes64im     $T4,$T0]}
    sd          $T4,0($KEYP)
    @{[aes64im     $T4,$T1]}
    sd          $T4,8($KEYP)
    @{[aes64im     $T4,$T2]}
    sd          $T4,16($KEYP)
    @{[aes64im     $T4,$T3]}
    sd          $T4,24($KEYP)
___
        } else {
$ret .= <<___;
    sd          $T0,0($KEYP)
    sd          $T1,8($KEYP)
    # last two one dropped
___
        }
        $rnum++;
    }
    return $ret;
}

################################################################################
# void rv64i_zknd_set_decrypt_key(const unsigned char *userKey, const int bits,
#   AES_KEY *key)
################################################################################
$code .= <<___;
.text
.balign 16
.globl rv64i_zknd_set_decrypt_key
.type   rv64i_zknd_set_decrypt_key,\@function
rv64i_zknd_set_decrypt_key:
___
$code .= save_regs();
$code .= AES_set_common(ke128dec(), ke192dec(),ke256dec());
$code .= load_regs();
$code .= <<___;
    ret
___

print $code;
close STDOUT or die "error closing STDOUT: $!";
Commit	Line	Data
608cadfb	1	#! /usr/bin/env perl
3e76b388 HS	2	# This file is dual-licensed, meaning that you can use it under your
	3	# choice of either of the following two licenses:
	4	#
da1c088f	5	# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
608cadfb	6	#
3e76b388 HS	7	# Licensed under the Apache License 2.0 (the "License"). You can obtain
3e76b388 HS	8	# a copy in the file LICENSE in the source distribution or at
608cadfb	9	# https://www.openssl.org/source/license.html
3e76b388 HS	10	#
3e76b388 HS	11	# or
6181a333 HS	12	#
	13	# Copyright (c) 2022, Hongren (Zenithal) Zheng <i@zenithal.me>
	14	# All rights reserved.
	15	#
	16	# Redistribution and use in source and binary forms, with or without
	17	# modification, are permitted provided that the following conditions
	18	# are met:
	19	# 1. Redistributions of source code must retain the above copyright
	20	# notice, this list of conditions and the following disclaimer.
	21	# 2. Redistributions in binary form must reproduce the above copyright
	22	# notice, this list of conditions and the following disclaimer in the
	23	# documentation and/or other materials provided with the distribution.
	24	#
	25	# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	26	# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	27	# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
	28	# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
	29	# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	30	# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
	31	# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	32	# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	33	# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	34	# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	35	# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	36
c8a641c3 CM	37	use strict;
	38	use warnings;
	39
	40	use FindBin qw($Bin);
	41	use lib "$Bin";
	42	use lib "$Bin/../../perlasm";
	43	use riscv;
	44
608cadfb HZZ	45	# $output is the last argument if it looks like a file (it has an extension)
608cadfb HZZ	46	# $flavour is the first argument if it doesn't look like a file
c8a641c3 CM	47	my $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m\|\.\w+$\| ? pop : undef;
c8a641c3 CM	48	my $flavour = $#ARGV >= 0 && $ARGV[0] !~ m\|\.\| ? shift : undef;
608cadfb HZZ	49
	50	$output and open STDOUT,">$output";
	51
	52	################################################################################
	53	# Utility functions to help with keeping track of which registers to stack/
	54	# unstack when entering / exiting routines.
	55	################################################################################
	56	{
	57	# Callee-saved registers
	58	my @callee_saved = map("x$_",(2,8,9,18..27));
	59	# Caller-saved registers
	60	my @caller_saved = map("x$_",(1,5..7,10..17,28..31));
	61	my @must_save;
	62	sub use_reg {
	63	my $reg = shift;
	64	if (grep(/^$reg$/, @callee_saved)) {
	65	push(@must_save, $reg);
	66	} elsif (!grep(/^$reg$/, @caller_saved)) {
	67	# Register is not usable!
	68	die("Unusable register ".$reg);
	69	}
	70	return $reg;
	71	}
	72	sub use_regs {
	73	return map(use_reg("x$_"), @_);
	74	}
	75	sub save_regs {
	76	my $ret = '';
	77	my $stack_reservation = ($#must_save + 1) * 8;
	78	my $stack_offset = $stack_reservation;
	79	if ($stack_reservation % 16) {
	80	$stack_reservation += 8;
	81	}
	82	$ret.=" addi sp,sp,-$stack_reservation\n";
	83	foreach (@must_save) {
	84	$stack_offset -= 8;
	85	$ret.=" sd $_,$stack_offset(sp)\n";
	86	}
	87	return $ret;
	88	}
	89	sub load_regs {
	90	my $ret = '';
	91	my $stack_reservation = ($#must_save + 1) * 8;
	92	my $stack_offset = $stack_reservation;
	93	if ($stack_reservation % 16) {
	94	$stack_reservation += 8;
	95	}
	96	foreach (@must_save) {
	97	$stack_offset -= 8;
	98	$ret.=" ld $_,$stack_offset(sp)\n";
	99	}
	100	$ret.=" addi sp,sp,$stack_reservation\n";
	101	return $ret;
	102	}
	103	sub clear_regs {
	104	@must_save = ();
	105	}
	106	}
	107
608cadfb HZZ	108	################################################################################
	109	# Register assignment for rv64i_zkne_encrypt and rv64i_zknd_decrypt
	110	################################################################################
	111
	112	# Registers to hold AES state (called s0-s3 or y0-y3 elsewhere)
	113	my ($Q0,$Q1,$Q2,$Q3) = use_regs(6..9);
	114
	115	# Function arguments (x10-x12 are a0-a2 in the ABI)
	116	# Input block pointer, output block pointer, key pointer
	117	my ($INP,$OUTP,$KEYP) = use_regs(10..12);
	118
	119	# Temporaries
	120	my ($T0,$T1) = use_regs(13..14);
	121
	122	# Loop counter
	123	my ($loopcntr) = use_regs(30);
	124
	125	################################################################################
	126	# void rv64i_zkne_encrypt(const unsigned char in, unsigned char out,
	127	# const AES_KEY *key);
	128	################################################################################
	129	my $code .= <<___;
	130	.text
	131	.balign 16
	132	.globl rv64i_zkne_encrypt
	133	.type rv64i_zkne_encrypt,\@function
	134	rv64i_zkne_encrypt:
	135	___
	136
	137	$code .= save_regs();
	138
	139	$code .= <<___;
	140
	141	# Load input to block cipher
	142	ld $Q0,0($INP)
	143	ld $Q1,8($INP)
	144
	145	# Load key
	146	ld $T0,0($KEYP)
	147	ld $T1,8($KEYP)
	148
	149	# Load number of rounds
	150	lwu $loopcntr,240($KEYP)
	151
	152	# initial transformation
	153	xor $Q0,$Q0,$T0
	154	xor $Q1,$Q1,$T1
	155
	156	# The main loop only executes the first N-1 rounds.
	157	add $loopcntr,$loopcntr,-1
	158
	159	# Do Nr - 1 rounds (final round is special)
	160	1:
c8a641c3 CM	161	@{[aes64esm $Q2,$Q0,$Q1]}
c8a641c3 CM	162	@{[aes64esm $Q3,$Q1,$Q0]}
608cadfb HZZ	163
	164	# Update key ptr to point to next key in schedule
	165	add $KEYP,$KEYP,16
	166
	167	# Grab next key in schedule
	168	ld $T0,0($KEYP)
	169	ld $T1,8($KEYP)
	170	xor $Q0,$Q2,$T0
	171	xor $Q1,$Q3,$T1
	172
	173	add $loopcntr,$loopcntr,-1
	174	bgtz $loopcntr,1b
	175
	176	# final round
c8a641c3 CM	177	@{[aes64es $Q2,$Q0,$Q1]}
c8a641c3 CM	178	@{[aes64es $Q3,$Q1,$Q0]}
608cadfb HZZ	179
	180	# since not added 16 before
	181	ld $T0,16($KEYP)
	182	ld $T1,24($KEYP)
	183	xor $Q0,$Q2,$T0
	184	xor $Q1,$Q3,$T1
	185
	186	sd $Q0,0($OUTP)
	187	sd $Q1,8($OUTP)
	188
	189	# Pop registers and return
	190	___
	191
	192	$code .= load_regs();
	193
	194	$code .= <<___;
	195	ret
	196	___
	197
	198	################################################################################
	199	# void rv64i_zknd_decrypt(const unsigned char in, unsigned char out,
	200	# const AES_KEY *key);
	201	################################################################################
	202	$code .= <<___;
	203	.text
	204	.balign 16
	205	.globl rv64i_zknd_decrypt
	206	.type rv64i_zknd_decrypt,\@function
	207	rv64i_zknd_decrypt:
	208	___
	209
	210	$code .= save_regs();
	211
	212	$code .= <<___;
	213
	214	# Load input to block cipher
	215	ld $Q0,0($INP)
	216	ld $Q1,8($INP)
	217
	218	# Load number of rounds
	219	lwu $loopcntr,240($KEYP)
	220
	221	# Load the last key
	222	slli $T0,$loopcntr,4
	223	add $KEYP,$KEYP,$T0
	224	ld $T0,0($KEYP)
	225	ld $T1,8($KEYP)
	226
	227	xor $Q0,$Q0,$T0
	228	xor $Q1,$Q1,$T1
	229
	230	# The main loop only executes the first N-1 rounds.
	231	add $loopcntr,$loopcntr,-1
	232
	233	# Do Nr - 1 rounds (final round is special)
	234	1:
c8a641c3 CM	235	@{[aes64dsm $Q2,$Q0,$Q1]}
c8a641c3 CM	236	@{[aes64dsm $Q3,$Q1,$Q0]}
608cadfb HZZ	237
	238	# Update key ptr to point to next key in schedule
	239	add $KEYP,$KEYP,-16
	240
	241	# Grab next key in schedule
	242	ld $T0,0($KEYP)
	243	ld $T1,8($KEYP)
	244	xor $Q0,$Q2,$T0
	245	xor $Q1,$Q3,$T1
	246
	247	add $loopcntr,$loopcntr,-1
	248	bgtz $loopcntr,1b
	249
	250	# final round
c8a641c3 CM	251	@{[aes64ds $Q2,$Q0,$Q1]}
c8a641c3 CM	252	@{[aes64ds $Q3,$Q1,$Q0]}
608cadfb HZZ	253
	254	add $KEYP,$KEYP,-16
	255	ld $T0,0($KEYP)
	256	ld $T1,8($KEYP)
	257	xor $Q0,$Q2,$T0
	258	xor $Q1,$Q3,$T1
	259
	260	sd $Q0,0($OUTP)
	261	sd $Q1,8($OUTP)
	262	# Pop registers and return
	263	___
	264
	265	$code .= load_regs();
	266
	267	$code .= <<___;
	268	ret
	269	___
	270
	271	clear_regs();
	272
	273	################################################################################
	274	# Register assignment for rv64i_zkn[e/d]_set_[en/de]crypt_key
	275	################################################################################
	276
	277	# Function arguments (x10-x12 are a0-a2 in the ABI)
	278	# Pointer to user key, number of bits in key, key pointer
	279	my ($UKEY,$BITS,$KEYP) = use_regs(10..12);
	280
	281	# Temporaries
	282	my ($T0,$T1,$T2,$T3,$T4) = use_regs(6..8,13..14);
	283
	284	################################################################################
	285	# utility functions for rv64i_zkne_set_encrypt_key
	286	################################################################################
	287	sub ke128enc {
	288	my $rnum = 0;
	289	my $ret = '';
	290	$ret .= <<___;
	291	ld $T0,0($UKEY)
	292	ld $T1,8($UKEY)
	293	sd $T0,0($KEYP)
	294	sd $T1,8($KEYP)
	295	___
	296	while($rnum < 10) {
	297	$ret .= <<___;
c8a641c3 CM	298	@{[aes64ks1i $T2,$T1,$rnum]}
	299	@{[aes64ks2 $T0,$T2,$T0]}
	300	@{[aes64ks2 $T1,$T0,$T1]}
608cadfb HZZ	301	add $KEYP,$KEYP,16
	302	sd $T0,0($KEYP)
	303	sd $T1,8($KEYP)
	304	___
	305	$rnum++;
	306	}
	307	return $ret;
	308	}
	309
	310	sub ke192enc {
	311	my $rnum = 0;
	312	my $ret = '';
	313	$ret .= <<___;
	314	ld $T0,0($UKEY)
	315	ld $T1,8($UKEY)
	316	ld $T2,16($UKEY)
	317	sd $T0,0($KEYP)
	318	sd $T1,8($KEYP)
	319	sd $T2,16($KEYP)
	320	___
	321	while($rnum < 8) {
	322	$ret .= <<___;
c8a641c3 CM	323	@{[aes64ks1i $T3,$T2,$rnum]}
	324	@{[aes64ks2 $T0,$T3,$T0]}
	325	@{[aes64ks2 $T1,$T0,$T1]}
608cadfb HZZ	326	___
	327	if ($rnum != 7) {
	328	# note that (8+1)24 = 216, (12+1)16 = 208
	329	# thus the last 8 bytes can be dropped
	330	$ret .= <<___;
c8a641c3	331	@{[aes64ks2 $T2,$T1,$T2]}
608cadfb HZZ	332	___
	333	}
	334	$ret .= <<___;
	335	add $KEYP,$KEYP,24
	336	sd $T0,0($KEYP)
	337	sd $T1,8($KEYP)
	338	___
	339	if ($rnum != 7) {
	340	$ret .= <<___;
	341	sd $T2,16($KEYP)
	342	___
	343	}
	344	$rnum++;
	345	}
	346	return $ret;
	347	}
	348
	349	sub ke256enc {
	350	my $rnum = 0;
	351	my $ret = '';
	352	$ret .= <<___;
	353	ld $T0,0($UKEY)
	354	ld $T1,8($UKEY)
	355	ld $T2,16($UKEY)
	356	ld $T3,24($UKEY)
	357	sd $T0,0($KEYP)
	358	sd $T1,8($KEYP)
	359	sd $T2,16($KEYP)
	360	sd $T3,24($KEYP)
	361	___
	362	while($rnum < 7) {
	363	$ret .= <<___;
c8a641c3 CM	364	@{[aes64ks1i $T4,$T3,$rnum]}
	365	@{[aes64ks2 $T0,$T4,$T0]}
	366	@{[aes64ks2 $T1,$T0,$T1]}
608cadfb HZZ	367	add $KEYP,$KEYP,32
	368	sd $T0,0($KEYP)
	369	sd $T1,8($KEYP)
	370	___
	371	if ($rnum != 6) {
	372	# note that (7+1)32 = 256, (14+1)16 = 240
	373	# thus the last 16 bytes can be dropped
	374	$ret .= <<___;
c8a641c3 CM	375	@{[aes64ks1i $T4,$T1,0xA]}
	376	@{[aes64ks2 $T2,$T4,$T2]}
	377	@{[aes64ks2 $T3,$T2,$T3]}
608cadfb HZZ	378	sd $T2,16($KEYP)
	379	sd $T3,24($KEYP)
	380	___
	381	}
	382	$rnum++;
	383	}
	384	return $ret;
	385	}
	386
	387	################################################################################
	388	# void rv64i_zkne_set_encrypt_key(const unsigned char *userKey, const int bits,
	389	# AES_KEY *key)
	390	################################################################################
	391	sub AES_set_common {
	392	my ($ke128, $ke192, $ke256) = @_;
	393	my $ret = '';
	394	$ret .= <<___;
	395	bnez $UKEY,1f # if (!userKey \|\| !key) return -1;
	396	bnez $KEYP,1f
	397	li a0,-1
	398	ret
	399	1:
	400	# Determine number of rounds from key size in bits
	401	li $T0,128
	402	bne $BITS,$T0,1f
	403	li $T1,10 # key->rounds = 10 if bits == 128
	404	sw $T1,240($KEYP) # store key->rounds
	405	$ke128
	406	j 4f
	407	1:
	408	li $T0,192
	409	bne $BITS,$T0,2f
	410	li $T1,12 # key->rounds = 12 if bits == 192
	411	sw $T1,240($KEYP) # store key->rounds
	412	$ke192
	413	j 4f
	414	2:
	415	li $T1,14 # key->rounds = 14 if bits == 256
	416	li $T0,256
	417	beq $BITS,$T0,3f
	418	li a0,-2 # If bits != 128, 192, or 256, return -2
	419	j 5f
	420	3:
	421	sw $T1,240($KEYP) # store key->rounds
	422	$ke256
	423	4: # return 0
	424	li a0,0
	425	5: # return a0
	426	___
	427	return $ret;
	428	}
	429	$code .= <<___;
	430	.text
	431	.balign 16
	432	.globl rv64i_zkne_set_encrypt_key
	433	.type rv64i_zkne_set_encrypt_key,\@function
	434	rv64i_zkne_set_encrypt_key:
	435	___
	436	$code .= save_regs();
	437	$code .= AES_set_common(ke128enc(), ke192enc(),ke256enc());
	438	$code .= load_regs();
	439	$code .= <<___;
	440	ret
	441	___
442
443	################################################################################
444	# utility functions for rv64i_zknd_set_decrypt_key
445	################################################################################
446	sub ke128dec {
447	my $rnum = 0;
448	my $ret = '';
449	$ret .= <<___;
450	ld $T0,0($UKEY)
451	ld $T1,8($UKEY)
452	sd $T0,0($KEYP)
453	sd $T1,8($KEYP)
454	___
455	while($rnum < 10) {
456	$ret .= <<___;
c8a641c3 CM	457	@{[aes64ks1i $T2,$T1,$rnum]}
	458	@{[aes64ks2 $T0,$T2,$T0]}
	459	@{[aes64ks2 $T1,$T0,$T1]}
608cadfb HZZ	460	add $KEYP,$KEYP,16
	461	___
	462	# need to aes64im for [1:N-1] round keys
	463	# this is from the fact that aes64dsm subwords first then mix column
	464	# intuitively decryption needs to first mix column then subwords
	465	# however, for merging datapaths (encryption first subwords then mix column)
	466	# aes64dsm chooses to inverse the order of them, thus
	467	# transform should then be done on the round key
	468	if ($rnum < 9) {
	469	$ret .= <<___;
c8a641c3	470	@{[aes64im $T2,$T0]}
608cadfb	471	sd $T2,0($KEYP)
c8a641c3	472	@{[aes64im $T2,$T1]}
608cadfb HZZ	473	sd $T2,8($KEYP)
	474	___
	475	} else {
	476	$ret .= <<___;
	477	sd $T0,0($KEYP)
	478	sd $T1,8($KEYP)
	479	___
	480	}
	481	$rnum++;
	482	}
	483	return $ret;
	484	}
	485
	486	sub ke192dec {
	487	my $rnum = 0;
	488	my $ret = '';
	489	$ret .= <<___;
	490	ld $T0,0($UKEY)
	491	ld $T1,8($UKEY)
	492	ld $T2,16($UKEY)
	493	sd $T0,0($KEYP)
	494	sd $T1,8($KEYP)
c8a641c3	495	@{[aes64im $T3,$T2]}
608cadfb HZZ	496	sd $T3,16($KEYP)
	497	___
	498	while($rnum < 8) {
	499	$ret .= <<___;
c8a641c3 CM	500	@{[aes64ks1i $T3,$T2,$rnum]}
	501	@{[aes64ks2 $T0,$T3,$T0]}
	502	@{[aes64ks2 $T1,$T0,$T1]}
608cadfb HZZ	503	add $KEYP,$KEYP,24
	504	___
	505	if ($rnum < 7) {
	506	$ret .= <<___;
c8a641c3	507	@{[aes64im $T3,$T0]}
608cadfb	508	sd $T3,0($KEYP)
c8a641c3	509	@{[aes64im $T3,$T1]}
608cadfb HZZ	510	sd $T3,8($KEYP)
608cadfb HZZ	511	# the reason is in ke192enc
c8a641c3 CM	512	@{[aes64ks2 $T2,$T1,$T2]}
c8a641c3 CM	513	@{[aes64im $T3,$T2]}
608cadfb HZZ	514	sd $T3,16($KEYP)
	515	___
	516	} else { # rnum == 7
	517	$ret .= <<___;
	518	sd $T0,0($KEYP)
	519	sd $T1,8($KEYP)
	520	___
	521	}
	522	$rnum++;
	523	}
	524	return $ret;
	525	}
	526
	527	sub ke256dec {
	528	my $rnum = 0;
	529	my $ret = '';
	530	$ret .= <<___;
	531	ld $T0,0($UKEY)
	532	ld $T1,8($UKEY)
	533	ld $T2,16($UKEY)
	534	ld $T3,24($UKEY)
	535	sd $T0,0($KEYP)
	536	sd $T1,8($KEYP)
c8a641c3	537	@{[aes64im $T4,$T2]}
608cadfb	538	sd $T4,16($KEYP)
c8a641c3	539	@{[aes64im $T4,$T3]}
608cadfb HZZ	540	sd $T4,24($KEYP)
	541	___
	542	while($rnum < 7) {
	543	$ret .= <<___;
c8a641c3 CM	544	@{[aes64ks1i $T4,$T3,$rnum]}
	545	@{[aes64ks2 $T0,$T4,$T0]}
	546	@{[aes64ks2 $T1,$T0,$T1]}
608cadfb HZZ	547	add $KEYP,$KEYP,32
	548	___
	549	if ($rnum < 6) {
	550	$ret .= <<___;
c8a641c3 CM	551	@{[aes64ks1i $T4,$T1,0xA]}
	552	@{[aes64ks2 $T2,$T4,$T2]}
	553	@{[aes64ks2 $T3,$T2,$T3]}
	554	@{[aes64im $T4,$T0]}
608cadfb	555	sd $T4,0($KEYP)
c8a641c3	556	@{[aes64im $T4,$T1]}
608cadfb	557	sd $T4,8($KEYP)
c8a641c3	558	@{[aes64im $T4,$T2]}
608cadfb	559	sd $T4,16($KEYP)
c8a641c3	560	@{[aes64im $T4,$T3]}
608cadfb HZZ	561	sd $T4,24($KEYP)
	562	___
	563	} else {
	564	$ret .= <<___;
	565	sd $T0,0($KEYP)
	566	sd $T1,8($KEYP)
	567	# last two one dropped
	568	___
	569	}
	570	$rnum++;
	571	}
	572	return $ret;
	573	}
	574
	575	################################################################################
	576	# void rv64i_zknd_set_decrypt_key(const unsigned char *userKey, const int bits,
	577	# AES_KEY *key)
	578	################################################################################
	579	$code .= <<___;
	580	.text
	581	.balign 16
	582	.globl rv64i_zknd_set_decrypt_key
	583	.type rv64i_zknd_set_decrypt_key,\@function
	584	rv64i_zknd_set_decrypt_key:
	585	___
	586	$code .= save_regs();
	587	$code .= AES_set_common(ke128dec(), ke192dec(),ke256dec());
	588	$code .= load_regs();
	589	$code .= <<___;
	590	ret
	591	___
	592
	593	print $code;
	594	close STDOUT or die "error closing STDOUT: $!";