From: Ard Biesheuvel <ardb@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org,
linux-riscv@lists.infradead.org,
"Ard Biesheuvel" <ardb@kernel.org>,
"Paul Walmsley" <paul.walmsley@sifive.com>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
"Albert Ou" <aou@eecs.berkeley.edu>,
"Christoph Müllner" <christoph.muellner@vrull.eu>,
"Heiko Stuebner" <heiko.stuebner@vrull.eu>
Subject: [PATCH] crypto: riscv/aes - Implement scalar Zkn version for RV32
Date: Wed, 26 Jul 2023 19:29:58 +0200 [thread overview]
Message-ID: <20230726172958.1215472-1-ardb@kernel.org> (raw)
The generic AES implementation we rely on if no architecture specific
one is available relies on lookup tables that are relatively large with
respect to the typical L1 D-cache size, which not only affects
performance, it may also result in timing variances that correlate with
the encryption keys.
So we tend to avoid the generic code if we can, usually by using a
driver that makes use of special AES instructions which supplant most of
the logic of the table based implementation the AES algorithm.
The Zkn RISC-V extension provides another interesting take on this: it
defines instructions operating on scalar registers that implement the
table lookups without relying on tables in memory. Those tables carry
32-bit quantities, making them a natural fit for a 32-bit architecture.
And given the use of scalars, we don't have to rely in in-kernel SIMD,
which is a bonus.
So let's use the instructions to implement the core AES cipher for RV32.
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Christoph Müllner <christoph.muellner@vrull.eu>
Cc: Heiko Stuebner <heiko.stuebner@vrull.eu>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
arch/riscv/crypto/Kconfig | 12 ++
arch/riscv/crypto/Makefile | 3 +
arch/riscv/crypto/aes-riscv32-glue.c | 75 ++++++++++++
arch/riscv/crypto/aes-riscv32-zkned.S | 119 ++++++++++++++++++++
4 files changed, 209 insertions(+)
diff --git a/arch/riscv/crypto/Kconfig b/arch/riscv/crypto/Kconfig
index 7542330916079447..fa3917859c2bbbc3 100644
--- a/arch/riscv/crypto/Kconfig
+++ b/arch/riscv/crypto/Kconfig
@@ -2,6 +2,18 @@
menu "Accelerated Cryptographic Algorithms for CPU (riscv)"
+config CRYPTO_AES_RISCV32
+ tristate "Scalar AES using the Zkn extension"
+ depends on !64BIT
+ select CRYPTO_LIB_AES
+ help
+ Implement scalar AES using the RV32 instructions specified by the Zkn
+ extension. These instructions replace the table lookups used by the
+ generic implementation, making this implementation time invariant
+ (provided that the instructions themselves are). It also reduces the
+ D-cache footprint substantially, as the AES lookup tables are quite
+ large.
+
config CRYPTO_AES_RISCV
tristate "Ciphers: AES (RISCV)"
depends on 64BIT && RISCV_ISA_V
diff --git a/arch/riscv/crypto/Makefile b/arch/riscv/crypto/Makefile
index f7faba6c12c9d863..d073b18d2a0bbba3 100644
--- a/arch/riscv/crypto/Makefile
+++ b/arch/riscv/crypto/Makefile
@@ -3,6 +3,9 @@
# linux/arch/riscv/crypto/Makefile
#
+obj-$(CONFIG_CRYPTO_AES_RISCV32) += aes-riscv32.o
+aes-riscv32-y := aes-riscv32-glue.o aes-riscv32-zkned.o
+
obj-$(CONFIG_CRYPTO_AES_RISCV) += aes-riscv.o
aes-riscv-y := aes-riscv-glue.o aes-riscv64-zvkned.o
diff --git a/arch/riscv/crypto/aes-riscv32-glue.c b/arch/riscv/crypto/aes-riscv32-glue.c
new file mode 100644
index 0000000000000000..2055213304e21829
--- /dev/null
+++ b/arch/riscv/crypto/aes-riscv32-glue.c
@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Scalar AES core transform
+ *
+ * Copyright (C) 2023 Google, LLC.
+ * Author: Ard Biesheuvel <ardb@kernel.org>
+ */
+
+#include <crypto/aes.h>
+#include <crypto/algapi.h>
+#include <linux/module.h>
+
+asmlinkage void __aes_riscv32_encrypt(u32 *rk, u8 *out, const u8 *in, int rounds);
+asmlinkage void __aes_riscv32_decrypt(u32 *rk, u8 *out, const u8 *in, int rounds);
+
+static int aes_riscv32_set_key(struct crypto_tfm *tfm, const u8 *in_key,
+ unsigned int key_len)
+{
+ struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
+
+ return aes_expandkey(ctx, in_key, key_len);
+}
+
+static void aes_riscv32_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
+{
+ struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
+ int rounds = 6 + ctx->key_length / 4;
+
+ __aes_riscv32_encrypt(ctx->key_enc, out, in, rounds);
+}
+
+static void aes_riscv32_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
+{
+ struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
+ int rounds = 6 + ctx->key_length / 4;
+
+ __aes_riscv32_decrypt(ctx->key_dec, out, in, rounds);
+}
+
+static struct crypto_alg aes_alg = {
+ .cra_name = "aes",
+ .cra_driver_name = "aes-riscv32",
+ .cra_priority = 200,
+ .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_ctxsize = sizeof(struct crypto_aes_ctx),
+ .cra_module = THIS_MODULE,
+
+ .cra_cipher.cia_min_keysize = AES_MIN_KEY_SIZE,
+ .cra_cipher.cia_max_keysize = AES_MAX_KEY_SIZE,
+ .cra_cipher.cia_setkey = aes_riscv32_set_key,
+ .cra_cipher.cia_encrypt = aes_riscv32_encrypt,
+ .cra_cipher.cia_decrypt = aes_riscv32_decrypt
+};
+
+static int __init riscv32_aes_init(void)
+{
+ if (!riscv_isa_extension_available(NULL, ZKNE) ||
+ !riscv_isa_extension_available(NULL, ZKND))
+ return -ENODEV;
+ return crypto_register_alg(&aes_alg);
+}
+
+static void __exit riscv32_aes_fini(void)
+{
+ crypto_unregister_alg(&aes_alg);
+}
+
+module_init(riscv32_aes_init);
+module_exit(riscv32_aes_fini);
+
+MODULE_DESCRIPTION("Scalar AES cipher for riscv32");
+MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS_CRYPTO("aes");
diff --git a/arch/riscv/crypto/aes-riscv32-zkned.S b/arch/riscv/crypto/aes-riscv32-zkned.S
new file mode 100644
index 0000000000000000..89276bdc57b0045f
--- /dev/null
+++ b/arch/riscv/crypto/aes-riscv32-zkned.S
@@ -0,0 +1,119 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Scalar AES core transform
+ *
+ * Copyright (C) 2023 Google, LLC.
+ * Author: Ard Biesheuvel <ardb@kernel.org>
+ */
+
+#include <linux/linkage.h>
+
+ .irpc r, 23456789
+ .set .Ls\r, \r + 16
+ .endr
+
+ // Zkn RV32 opcodes
+ .macro aes32esmi, rd, rs1, rs2, bs
+ .long 0x26000033 | (\bs << 30) | (.L\rd << 7) | (.L\rs1 << 15) | (.L\rs2 << 20)
+ .endm
+
+ .macro aes32esi, rd, rs1, rs2, bs
+ .long 0x22000033 | (\bs << 30) | (.L\rd << 7) | (.L\rs1 << 15) | (.L\rs2 << 20)
+ .endm
+
+ .macro aes32dsmi, rd, rs1, rs2, bs
+ .long 0x2e000033 | (\bs << 30) | (.L\rd << 7) | (.L\rs1 << 15) | (.L\rs2 << 20)
+ .endm
+
+ .macro aes32dsi, rd, rs1, rs2, bs
+ .long 0x2a000033 | (\bs << 30) | (.L\rd << 7) | (.L\rs1 << 15) | (.L\rs2 << 20)
+ .endm
+
+ // AES quarter round
+ .macro qround, op, o0, o1, o2, o3, i0, i1, i2, i3, bs
+ aes32\op \o0, \o0, \i0, \bs
+ aes32\op \o1, \o1, \i1, \bs
+ aes32\op \o2, \o2, \i2, \bs
+ aes32\op \o3, \o3, \i3, \bs
+ .endm
+
+ // One AES round
+ .macro round, ed, op, o0, o1, o2, o3, i0, i1, i2, i3
+ .ifc \ed,e
+ qround e\op, \o0, \o1, \o2, \o3, \i0, \i1, \i2, \i3, 0
+ qround e\op, \o0, \o1, \o2, \o3, \i1, \i2, \i3, \i0, 1
+ qround e\op, \o0, \o1, \o2, \o3, \i2, \i3, \i0, \i1, 2
+ qround e\op, \o0, \o1, \o2, \o3, \i3, \i0, \i1, \i2, 3
+ .else
+ qround d\op, \o0, \o1, \o2, \o3, \i0, \i1, \i2, \i3, 0
+ qround d\op, \o0, \o1, \o2, \o3, \i3, \i0, \i1, \i2, 1
+ qround d\op, \o0, \o1, \o2, \o3, \i2, \i3, \i0, \i1, 2
+ qround d\op, \o0, \o1, \o2, \o3, \i1, \i2, \i3, \i0, 3
+ .endif
+ .endm
+
+ // Load next round key and advance round key pointer
+ .macro next_rk, rk, out0, out1, out2, out3
+ lw \out0, 0(\rk)
+ lw \out1, 4(\rk)
+ lw \out2, 8(\rk)
+ lw \out3, 12(\rk)
+ add \rk, \rk, 16
+ .endm
+
+ .macro crypt, ed
+ add sp, sp, -32
+ sw s2, 0(sp)
+ sw s3, 4(sp)
+ sw s4, 8(sp)
+ sw s5, 12(sp)
+ sw s6, 16(sp)
+ sw s7, 20(sp)
+ sw s8, 24(sp)
+ sw s9, 28(sp)
+
+ lw s2, 0(a2)
+ lw s3, 4(a2)
+ lw s4, 8(a2)
+ lw s5, 12(a2)
+
+ next_rk a0, s6, s7, s8, s9
+
+ xor s2, s2, s6
+ xor s3, s3, s7
+ xor s4, s4, s8
+ xor s5, s5, s9
+
+0: add a3, a3, -2
+ next_rk a0, s6, s7, s8, s9
+ round \ed, smi, s6, s7, s8, s9, s2, s3, s4, s5
+ next_rk a0, s2, s3, s4, s5
+ beqz a3, 1f
+ round \ed, smi, s2, s3, s4, s5, s6, s7, s8, s9
+ j 0b
+1: round \ed, si, s2, s3, s4, s5, s6, s7, s8, s9
+
+ sw s2, 0(a1)
+ sw s3, 4(a1)
+ sw s4, 8(a1)
+ sw s5, 12(a1)
+
+ lw s2, 0(sp)
+ lw s3, 4(sp)
+ lw s4, 8(sp)
+ lw s5, 12(sp)
+ lw s6, 16(sp)
+ lw s7, 20(sp)
+ lw s8, 24(sp)
+ lw s9, 28(sp)
+ add sp, sp, 32
+ ret
+ .endm
+
+SYM_FUNC_START(__aes_riscv32_encrypt)
+ crypt e
+SYM_FUNC_END(__aes_riscv32_encrypt)
+
+SYM_FUNC_START(__aes_riscv32_decrypt)
+ crypt d
+SYM_FUNC_END(__aes_riscv32_decrypt)
--
2.39.2
WARNING: multiple messages have this Message-ID (diff)
From: Ard Biesheuvel <ardb@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org,
linux-riscv@lists.infradead.org,
"Ard Biesheuvel" <ardb@kernel.org>,
"Paul Walmsley" <paul.walmsley@sifive.com>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
"Albert Ou" <aou@eecs.berkeley.edu>,
"Christoph Müllner" <christoph.muellner@vrull.eu>,
"Heiko Stuebner" <heiko.stuebner@vrull.eu>
Subject: [PATCH] crypto: riscv/aes - Implement scalar Zkn version for RV32
Date: Wed, 26 Jul 2023 19:29:58 +0200 [thread overview]
Message-ID: <20230726172958.1215472-1-ardb@kernel.org> (raw)
The generic AES implementation we rely on if no architecture specific
one is available relies on lookup tables that are relatively large with
respect to the typical L1 D-cache size, which not only affects
performance, it may also result in timing variances that correlate with
the encryption keys.
So we tend to avoid the generic code if we can, usually by using a
driver that makes use of special AES instructions which supplant most of
the logic of the table based implementation the AES algorithm.
The Zkn RISC-V extension provides another interesting take on this: it
defines instructions operating on scalar registers that implement the
table lookups without relying on tables in memory. Those tables carry
32-bit quantities, making them a natural fit for a 32-bit architecture.
And given the use of scalars, we don't have to rely in in-kernel SIMD,
which is a bonus.
So let's use the instructions to implement the core AES cipher for RV32.
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Christoph Müllner <christoph.muellner@vrull.eu>
Cc: Heiko Stuebner <heiko.stuebner@vrull.eu>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
arch/riscv/crypto/Kconfig | 12 ++
arch/riscv/crypto/Makefile | 3 +
arch/riscv/crypto/aes-riscv32-glue.c | 75 ++++++++++++
arch/riscv/crypto/aes-riscv32-zkned.S | 119 ++++++++++++++++++++
4 files changed, 209 insertions(+)
diff --git a/arch/riscv/crypto/Kconfig b/arch/riscv/crypto/Kconfig
index 7542330916079447..fa3917859c2bbbc3 100644
--- a/arch/riscv/crypto/Kconfig
+++ b/arch/riscv/crypto/Kconfig
@@ -2,6 +2,18 @@
menu "Accelerated Cryptographic Algorithms for CPU (riscv)"
+config CRYPTO_AES_RISCV32
+ tristate "Scalar AES using the Zkn extension"
+ depends on !64BIT
+ select CRYPTO_LIB_AES
+ help
+ Implement scalar AES using the RV32 instructions specified by the Zkn
+ extension. These instructions replace the table lookups used by the
+ generic implementation, making this implementation time invariant
+ (provided that the instructions themselves are). It also reduces the
+ D-cache footprint substantially, as the AES lookup tables are quite
+ large.
+
config CRYPTO_AES_RISCV
tristate "Ciphers: AES (RISCV)"
depends on 64BIT && RISCV_ISA_V
diff --git a/arch/riscv/crypto/Makefile b/arch/riscv/crypto/Makefile
index f7faba6c12c9d863..d073b18d2a0bbba3 100644
--- a/arch/riscv/crypto/Makefile
+++ b/arch/riscv/crypto/Makefile
@@ -3,6 +3,9 @@
# linux/arch/riscv/crypto/Makefile
#
+obj-$(CONFIG_CRYPTO_AES_RISCV32) += aes-riscv32.o
+aes-riscv32-y := aes-riscv32-glue.o aes-riscv32-zkned.o
+
obj-$(CONFIG_CRYPTO_AES_RISCV) += aes-riscv.o
aes-riscv-y := aes-riscv-glue.o aes-riscv64-zvkned.o
diff --git a/arch/riscv/crypto/aes-riscv32-glue.c b/arch/riscv/crypto/aes-riscv32-glue.c
new file mode 100644
index 0000000000000000..2055213304e21829
--- /dev/null
+++ b/arch/riscv/crypto/aes-riscv32-glue.c
@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Scalar AES core transform
+ *
+ * Copyright (C) 2023 Google, LLC.
+ * Author: Ard Biesheuvel <ardb@kernel.org>
+ */
+
+#include <crypto/aes.h>
+#include <crypto/algapi.h>
+#include <linux/module.h>
+
+asmlinkage void __aes_riscv32_encrypt(u32 *rk, u8 *out, const u8 *in, int rounds);
+asmlinkage void __aes_riscv32_decrypt(u32 *rk, u8 *out, const u8 *in, int rounds);
+
+static int aes_riscv32_set_key(struct crypto_tfm *tfm, const u8 *in_key,
+ unsigned int key_len)
+{
+ struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
+
+ return aes_expandkey(ctx, in_key, key_len);
+}
+
+static void aes_riscv32_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
+{
+ struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
+ int rounds = 6 + ctx->key_length / 4;
+
+ __aes_riscv32_encrypt(ctx->key_enc, out, in, rounds);
+}
+
+static void aes_riscv32_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
+{
+ struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
+ int rounds = 6 + ctx->key_length / 4;
+
+ __aes_riscv32_decrypt(ctx->key_dec, out, in, rounds);
+}
+
+static struct crypto_alg aes_alg = {
+ .cra_name = "aes",
+ .cra_driver_name = "aes-riscv32",
+ .cra_priority = 200,
+ .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_ctxsize = sizeof(struct crypto_aes_ctx),
+ .cra_module = THIS_MODULE,
+
+ .cra_cipher.cia_min_keysize = AES_MIN_KEY_SIZE,
+ .cra_cipher.cia_max_keysize = AES_MAX_KEY_SIZE,
+ .cra_cipher.cia_setkey = aes_riscv32_set_key,
+ .cra_cipher.cia_encrypt = aes_riscv32_encrypt,
+ .cra_cipher.cia_decrypt = aes_riscv32_decrypt
+};
+
+static int __init riscv32_aes_init(void)
+{
+ if (!riscv_isa_extension_available(NULL, ZKNE) ||
+ !riscv_isa_extension_available(NULL, ZKND))
+ return -ENODEV;
+ return crypto_register_alg(&aes_alg);
+}
+
+static void __exit riscv32_aes_fini(void)
+{
+ crypto_unregister_alg(&aes_alg);
+}
+
+module_init(riscv32_aes_init);
+module_exit(riscv32_aes_fini);
+
+MODULE_DESCRIPTION("Scalar AES cipher for riscv32");
+MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS_CRYPTO("aes");
diff --git a/arch/riscv/crypto/aes-riscv32-zkned.S b/arch/riscv/crypto/aes-riscv32-zkned.S
new file mode 100644
index 0000000000000000..89276bdc57b0045f
--- /dev/null
+++ b/arch/riscv/crypto/aes-riscv32-zkned.S
@@ -0,0 +1,119 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Scalar AES core transform
+ *
+ * Copyright (C) 2023 Google, LLC.
+ * Author: Ard Biesheuvel <ardb@kernel.org>
+ */
+
+#include <linux/linkage.h>
+
+ .irpc r, 23456789
+ .set .Ls\r, \r + 16
+ .endr
+
+ // Zkn RV32 opcodes
+ .macro aes32esmi, rd, rs1, rs2, bs
+ .long 0x26000033 | (\bs << 30) | (.L\rd << 7) | (.L\rs1 << 15) | (.L\rs2 << 20)
+ .endm
+
+ .macro aes32esi, rd, rs1, rs2, bs
+ .long 0x22000033 | (\bs << 30) | (.L\rd << 7) | (.L\rs1 << 15) | (.L\rs2 << 20)
+ .endm
+
+ .macro aes32dsmi, rd, rs1, rs2, bs
+ .long 0x2e000033 | (\bs << 30) | (.L\rd << 7) | (.L\rs1 << 15) | (.L\rs2 << 20)
+ .endm
+
+ .macro aes32dsi, rd, rs1, rs2, bs
+ .long 0x2a000033 | (\bs << 30) | (.L\rd << 7) | (.L\rs1 << 15) | (.L\rs2 << 20)
+ .endm
+
+ // AES quarter round
+ .macro qround, op, o0, o1, o2, o3, i0, i1, i2, i3, bs
+ aes32\op \o0, \o0, \i0, \bs
+ aes32\op \o1, \o1, \i1, \bs
+ aes32\op \o2, \o2, \i2, \bs
+ aes32\op \o3, \o3, \i3, \bs
+ .endm
+
+ // One AES round
+ .macro round, ed, op, o0, o1, o2, o3, i0, i1, i2, i3
+ .ifc \ed,e
+ qround e\op, \o0, \o1, \o2, \o3, \i0, \i1, \i2, \i3, 0
+ qround e\op, \o0, \o1, \o2, \o3, \i1, \i2, \i3, \i0, 1
+ qround e\op, \o0, \o1, \o2, \o3, \i2, \i3, \i0, \i1, 2
+ qround e\op, \o0, \o1, \o2, \o3, \i3, \i0, \i1, \i2, 3
+ .else
+ qround d\op, \o0, \o1, \o2, \o3, \i0, \i1, \i2, \i3, 0
+ qround d\op, \o0, \o1, \o2, \o3, \i3, \i0, \i1, \i2, 1
+ qround d\op, \o0, \o1, \o2, \o3, \i2, \i3, \i0, \i1, 2
+ qround d\op, \o0, \o1, \o2, \o3, \i1, \i2, \i3, \i0, 3
+ .endif
+ .endm
+
+ // Load next round key and advance round key pointer
+ .macro next_rk, rk, out0, out1, out2, out3
+ lw \out0, 0(\rk)
+ lw \out1, 4(\rk)
+ lw \out2, 8(\rk)
+ lw \out3, 12(\rk)
+ add \rk, \rk, 16
+ .endm
+
+ .macro crypt, ed
+ add sp, sp, -32
+ sw s2, 0(sp)
+ sw s3, 4(sp)
+ sw s4, 8(sp)
+ sw s5, 12(sp)
+ sw s6, 16(sp)
+ sw s7, 20(sp)
+ sw s8, 24(sp)
+ sw s9, 28(sp)
+
+ lw s2, 0(a2)
+ lw s3, 4(a2)
+ lw s4, 8(a2)
+ lw s5, 12(a2)
+
+ next_rk a0, s6, s7, s8, s9
+
+ xor s2, s2, s6
+ xor s3, s3, s7
+ xor s4, s4, s8
+ xor s5, s5, s9
+
+0: add a3, a3, -2
+ next_rk a0, s6, s7, s8, s9
+ round \ed, smi, s6, s7, s8, s9, s2, s3, s4, s5
+ next_rk a0, s2, s3, s4, s5
+ beqz a3, 1f
+ round \ed, smi, s2, s3, s4, s5, s6, s7, s8, s9
+ j 0b
+1: round \ed, si, s2, s3, s4, s5, s6, s7, s8, s9
+
+ sw s2, 0(a1)
+ sw s3, 4(a1)
+ sw s4, 8(a1)
+ sw s5, 12(a1)
+
+ lw s2, 0(sp)
+ lw s3, 4(sp)
+ lw s4, 8(sp)
+ lw s5, 12(sp)
+ lw s6, 16(sp)
+ lw s7, 20(sp)
+ lw s8, 24(sp)
+ lw s9, 28(sp)
+ add sp, sp, 32
+ ret
+ .endm
+
+SYM_FUNC_START(__aes_riscv32_encrypt)
+ crypt e
+SYM_FUNC_END(__aes_riscv32_encrypt)
+
+SYM_FUNC_START(__aes_riscv32_decrypt)
+ crypt d
+SYM_FUNC_END(__aes_riscv32_decrypt)
--
2.39.2
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next reply other threads:[~2023-07-26 17:30 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-26 17:29 Ard Biesheuvel [this message]
2023-07-26 17:29 ` [PATCH] crypto: riscv/aes - Implement scalar Zkn version for RV32 Ard Biesheuvel
2023-08-04 8:21 ` Herbert Xu
2023-08-04 8:21 ` Herbert Xu
2023-08-04 8:31 ` Ard Biesheuvel
2023-08-04 8:31 ` Ard Biesheuvel
2023-08-31 17:10 ` Ard Biesheuvel
2023-08-31 17:10 ` Ard Biesheuvel
[not found] ` <mhng-ff1fe914-36e9-42e8-88ac-44c7f6976e3d@palmer-ri-x1c9>
2023-10-29 11:12 ` Herbert Xu
2023-10-29 11:12 ` Herbert Xu
[not found] ` <20231027-stage-cable-022844c2567d@spud>
2023-11-01 10:10 ` Ard Biesheuvel
2023-11-01 10:10 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230726172958.1215472-1-ardb@kernel.org \
--to=ardb@kernel.org \
--cc=aou@eecs.berkeley.edu \
--cc=christoph.muellner@vrull.eu \
--cc=ebiggers@kernel.org \
--cc=heiko.stuebner@vrull.eu \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.