chacha-ssse3-x86_64.S source code [linux/arch/x86/crypto/chacha-ssse3-x86_64.S]

1	/ SPDX-License-Identifier: GPL-2.0-or-later /
2	/*
3	* ChaCha 256-bit cipher algorithm, x64 SSSE3 functions
4	*
5	* Copyright (C) 2015 Martin Willi
6	*/
7
8	#include <linux/linkage.h>
9	#include <asm/frame.h>
10
11	.section .rodata.cst16.ROT8, "aM", @progbits, `16`
12	.align `16`
13	ROT8: .octa `0x0e0d0c0f0a09080b0605040702010003`
14	.section .rodata.cst16.ROT16, "aM", @progbits, `16`
15	.align `16`
16	ROT16: .octa `0x0d0c0f0e09080b0a0504070601000302`
17	.section .rodata.cst16.CTRINC, "aM", @progbits, `16`
18	.align `16`
19	CTRINC: .octa `0x00000003000000020000000100000000`
20
21	.text
22
23	/*
24	* chacha_permute - permute one block
25	*
26	* Permute one 64-byte block where the state matrix is in %xmm0-%xmm3. This
27	* function performs matrix operations on four words in parallel, but requires
28	* shuffling to rearrange the words after each round. 8/16-bit word rotation is
29	* done with the slightly better performing SSSE3 byte shuffling, 7/12-bit word
30	* rotation uses traditional shift+OR.
31	*
32	* The round count is given in %r8d.
33	*
34	* Clobbers: %r8d, %xmm4-%xmm7
35	*/
36	SYM_FUNC_START_LOCAL(chacha_permute)
37
38	movdqa ROT8(%rip),%xmm4
39	movdqa ROT16(%rip),%xmm5
40
41	.Ldoubleround:
42	# x0 += x1, x3 = rotl32(x3 ^ x0, 16)
43	paddd %xmm1,%xmm0
44	pxor %xmm0,%xmm3
45	pshufb %xmm5,%xmm3
46
47	# x2 += x3, x1 = rotl32(x1 ^ x2, 12)
48	paddd %xmm3,%xmm2
49	pxor %xmm2,%xmm1
50	movdqa %xmm1,%xmm6
51	pslld $`12`,%xmm6
52	psrld $`20`,%xmm1
53	por %xmm6,%xmm1
54
55	# x0 += x1, x3 = rotl32(x3 ^ x0, 8)
56	paddd %xmm1,%xmm0
57	pxor %xmm0,%xmm3
58	pshufb %xmm4,%xmm3
59
60	# x2 += x3, x1 = rotl32(x1 ^ x2, 7)
61	paddd %xmm3,%xmm2
62	pxor %xmm2,%xmm1
63	movdqa %xmm1,%xmm7
64	pslld $`7`,%xmm7
65	psrld $`25`,%xmm1
66	por %xmm7,%xmm1
67
68	# x1 = shuffle32(x1, MASK(0, 3, 2, 1))
69	pshufd $`0x39`,%xmm1,%xmm1
70	# x2 = shuffle32(x2, MASK(1, 0, 3, 2))
71	pshufd $`0x4e`,%xmm2,%xmm2
72	# x3 = shuffle32(x3, MASK(2, 1, 0, 3))
73	pshufd $`0x93`,%xmm3,%xmm3
74
75	# x0 += x1, x3 = rotl32(x3 ^ x0, 16)
76	paddd %xmm1,%xmm0
77	pxor %xmm0,%xmm3
78	pshufb %xmm5,%xmm3
79
80	# x2 += x3, x1 = rotl32(x1 ^ x2, 12)
81	paddd %xmm3,%xmm2
82	pxor %xmm2,%xmm1
83	movdqa %xmm1,%xmm6
84	pslld $`12`,%xmm6
85	psrld $`20`,%xmm1
86	por %xmm6,%xmm1
87
88	# x0 += x1, x3 = rotl32(x3 ^ x0, 8)
89	paddd %xmm1,%xmm0
90	pxor %xmm0,%xmm3
91	pshufb %xmm4,%xmm3
92
93	# x2 += x3, x1 = rotl32(x1 ^ x2, 7)
94	paddd %xmm3,%xmm2
95	pxor %xmm2,%xmm1
96	movdqa %xmm1,%xmm7
97	pslld $`7`,%xmm7
98	psrld $`25`,%xmm1
99	por %xmm7,%xmm1
100
101	# x1 = shuffle32(x1, MASK(2, 1, 0, 3))
102	pshufd $`0x93`,%xmm1,%xmm1
103	# x2 = shuffle32(x2, MASK(1, 0, 3, 2))
104	pshufd $`0x4e`,%xmm2,%xmm2
105	# x3 = shuffle32(x3, MASK(0, 3, 2, 1))
106	pshufd $`0x39`,%xmm3,%xmm3
107
108	sub $`2`,%r8d
109	jnz .Ldoubleround
110
111	RET
112	SYM_FUNC_END(chacha_permute)
113
114	SYM_FUNC_START(chacha_block_xor_ssse3)
115	# %rdi: Input state matrix, s
116	# %rsi: up to 1 data block output, o
117	# %rdx: up to 1 data block input, i
118	# %rcx: input/output length in bytes
119	# %r8d: nrounds
120	FRAME_BEGIN
121
122	# x0..3 = s0..3
123	movdqu `0x00`(%rdi),%xmm0
124	movdqu `0x10`(%rdi),%xmm1
125	movdqu `0x20`(%rdi),%xmm2
126	movdqu `0x30`(%rdi),%xmm3
127	movdqa %xmm0,%xmm8
128	movdqa %xmm1,%xmm9
129	movdqa %xmm2,%xmm10
130	movdqa %xmm3,%xmm11
131
132	mov %rcx,%rax
133	call chacha_permute
134
135	# o0 = i0 ^ (x0 + s0)
136	paddd %xmm8,%xmm0
137	cmp $`0x10`,%rax
138	jl .Lxorpart
139	movdqu `0x00`(%rdx),%xmm4
140	pxor %xmm4,%xmm0
141	movdqu %xmm0,`0x00`(%rsi)
142	# o1 = i1 ^ (x1 + s1)
143	paddd %xmm9,%xmm1
144	movdqa %xmm1,%xmm0
145	cmp $`0x20`,%rax
146	jl .Lxorpart
147	movdqu `0x10`(%rdx),%xmm0
148	pxor %xmm1,%xmm0
149	movdqu %xmm0,`0x10`(%rsi)
150	# o2 = i2 ^ (x2 + s2)
151	paddd %xmm10,%xmm2
152	movdqa %xmm2,%xmm0
153	cmp $`0x30`,%rax
154	jl .Lxorpart
155	movdqu `0x20`(%rdx),%xmm0
156	pxor %xmm2,%xmm0
157	movdqu %xmm0,`0x20`(%rsi)
158	# o3 = i3 ^ (x3 + s3)
159	paddd %xmm11,%xmm3
160	movdqa %xmm3,%xmm0
161	cmp $`0x40`,%rax
162	jl .Lxorpart
163	movdqu `0x30`(%rdx),%xmm0
164	pxor %xmm3,%xmm0
165	movdqu %xmm0,`0x30`(%rsi)
166
167	.Ldone:
168	FRAME_END
169	RET
170
171	.Lxorpart:
172	# xor remaining bytes from partial register into output
173	mov %rax,%r9
174	and $`0x0f`,%r9
175	jz .Ldone
176	and $~`0x0f`,%rax
177
178	mov %rsi,%r11
179
180	lea `8`(%rsp),%r10
181	sub $`0x10`,%rsp
182	and $~`31`,%rsp
183
184	lea (%rdx,%rax),%rsi
185	mov %rsp,%rdi
186	mov %r9,%rcx
187	rep movsb
188
189	pxor `0x00`(%rsp),%xmm0
190	movdqa %xmm0,`0x00`(%rsp)
191
192	mov %rsp,%rsi
193	lea (%r11,%rax),%rdi
194	mov %r9,%rcx
195	rep movsb
196
197	lea -`8`(%r10),%rsp
198	jmp .Ldone
199
200	SYM_FUNC_END(chacha_block_xor_ssse3)
201
202	SYM_FUNC_START(hchacha_block_ssse3)
203	# %rdi: Input state matrix, s
204	# %rsi: output (8 32-bit words)
205	# %edx: nrounds
206	FRAME_BEGIN
207
208	movdqu `0x00`(%rdi),%xmm0
209	movdqu `0x10`(%rdi),%xmm1
210	movdqu `0x20`(%rdi),%xmm2
211	movdqu `0x30`(%rdi),%xmm3
212
213	mov %edx,%r8d
214	call chacha_permute
215
216	movdqu %xmm0,`0x00`(%rsi)
217	movdqu %xmm3,`0x10`(%rsi)
218
219	FRAME_END
220	RET
221	SYM_FUNC_END(hchacha_block_ssse3)
222
223	SYM_FUNC_START(chacha_4block_xor_ssse3)
224	# %rdi: Input state matrix, s
225	# %rsi: up to 4 data blocks output, o
226	# %rdx: up to 4 data blocks input, i
227	# %rcx: input/output length in bytes
228	# %r8d: nrounds
229
230	# This function encrypts four consecutive ChaCha blocks by loading the
231	# the state matrix in SSE registers four times. As we need some scratch
232	# registers, we save the first four registers on the stack. The
233	# algorithm performs each operation on the corresponding word of each
234	# state matrix, hence requires no word shuffling. For final XORing step
235	# we transpose the matrix by interleaving 32- and then 64-bit words,
236	# which allows us to do XOR in SSE registers. 8/16-bit word rotation is
237	# done with the slightly better performing SSSE3 byte shuffling,
238	# 7/12-bit word rotation uses traditional shift+OR.
239
240	lea `8`(%rsp),%r10
241	sub $`0x80`,%rsp
242	and $~`63`,%rsp
243	mov %rcx,%rax
244
245	# x0..15[0-3] = s0..3[0..3]
246	movq `0x00`(%rdi),%xmm1
247	pshufd $`0x00`,%xmm1,%xmm0
248	pshufd $`0x55`,%xmm1,%xmm1
249	movq `0x08`(%rdi),%xmm3
250	pshufd $`0x00`,%xmm3,%xmm2
251	pshufd $`0x55`,%xmm3,%xmm3
252	movq `0x10`(%rdi),%xmm5
253	pshufd $`0x00`,%xmm5,%xmm4
254	pshufd $`0x55`,%xmm5,%xmm5
255	movq `0x18`(%rdi),%xmm7
256	pshufd $`0x00`,%xmm7,%xmm6
257	pshufd $`0x55`,%xmm7,%xmm7
258	movq `0x20`(%rdi),%xmm9
259	pshufd $`0x00`,%xmm9,%xmm8
260	pshufd $`0x55`,%xmm9,%xmm9
261	movq `0x28`(%rdi),%xmm11
262	pshufd $`0x00`,%xmm11,%xmm10
263	pshufd $`0x55`,%xmm11,%xmm11
264	movq `0x30`(%rdi),%xmm13
265	pshufd $`0x00`,%xmm13,%xmm12
266	pshufd $`0x55`,%xmm13,%xmm13
267	movq `0x38`(%rdi),%xmm15
268	pshufd $`0x00`,%xmm15,%xmm14
269	pshufd $`0x55`,%xmm15,%xmm15
270	# x0..3 on stack
271	movdqa %xmm0,`0x00`(%rsp)
272	movdqa %xmm1,`0x10`(%rsp)
273	movdqa %xmm2,`0x20`(%rsp)
274	movdqa %xmm3,`0x30`(%rsp)
275
276	movdqa CTRINC(%rip),%xmm1
277	movdqa ROT8(%rip),%xmm2
278	movdqa ROT16(%rip),%xmm3
279
280	# x12 += counter values 0-3
281	paddd %xmm1,%xmm12
282
283	.Ldoubleround4:
284	# x0 += x4, x12 = rotl32(x12 ^ x0, 16)
285	movdqa `0x00`(%rsp),%xmm0
286	paddd %xmm4,%xmm0
287	movdqa %xmm0,`0x00`(%rsp)
288	pxor %xmm0,%xmm12
289	pshufb %xmm3,%xmm12
290	# x1 += x5, x13 = rotl32(x13 ^ x1, 16)
291	movdqa `0x10`(%rsp),%xmm0
292	paddd %xmm5,%xmm0
293	movdqa %xmm0,`0x10`(%rsp)
294	pxor %xmm0,%xmm13
295	pshufb %xmm3,%xmm13
296	# x2 += x6, x14 = rotl32(x14 ^ x2, 16)
297	movdqa `0x20`(%rsp),%xmm0
298	paddd %xmm6,%xmm0
299	movdqa %xmm0,`0x20`(%rsp)
300	pxor %xmm0,%xmm14
301	pshufb %xmm3,%xmm14
302	# x3 += x7, x15 = rotl32(x15 ^ x3, 16)
303	movdqa `0x30`(%rsp),%xmm0
304	paddd %xmm7,%xmm0
305	movdqa %xmm0,`0x30`(%rsp)
306	pxor %xmm0,%xmm15
307	pshufb %xmm3,%xmm15
308
309	# x8 += x12, x4 = rotl32(x4 ^ x8, 12)
310	paddd %xmm12,%xmm8
311	pxor %xmm8,%xmm4
312	movdqa %xmm4,%xmm0
313	pslld $`12`,%xmm0
314	psrld $`20`,%xmm4
315	por %xmm0,%xmm4
316	# x9 += x13, x5 = rotl32(x5 ^ x9, 12)
317	paddd %xmm13,%xmm9
318	pxor %xmm9,%xmm5
319	movdqa %xmm5,%xmm0
320	pslld $`12`,%xmm0
321	psrld $`20`,%xmm5
322	por %xmm0,%xmm5
323	# x10 += x14, x6 = rotl32(x6 ^ x10, 12)
324	paddd %xmm14,%xmm10
325	pxor %xmm10,%xmm6
326	movdqa %xmm6,%xmm0
327	pslld $`12`,%xmm0
328	psrld $`20`,%xmm6
329	por %xmm0,%xmm6
330	# x11 += x15, x7 = rotl32(x7 ^ x11, 12)
331	paddd %xmm15,%xmm11
332	pxor %xmm11,%xmm7
333	movdqa %xmm7,%xmm0
334	pslld $`12`,%xmm0
335	psrld $`20`,%xmm7
336	por %xmm0,%xmm7
337
338	# x0 += x4, x12 = rotl32(x12 ^ x0, 8)
339	movdqa `0x00`(%rsp),%xmm0
340	paddd %xmm4,%xmm0
341	movdqa %xmm0,`0x00`(%rsp)
342	pxor %xmm0,%xmm12
343	pshufb %xmm2,%xmm12
344	# x1 += x5, x13 = rotl32(x13 ^ x1, 8)
345	movdqa `0x10`(%rsp),%xmm0
346	paddd %xmm5,%xmm0
347	movdqa %xmm0,`0x10`(%rsp)
348	pxor %xmm0,%xmm13
349	pshufb %xmm2,%xmm13
350	# x2 += x6, x14 = rotl32(x14 ^ x2, 8)
351	movdqa `0x20`(%rsp),%xmm0
352	paddd %xmm6,%xmm0
353	movdqa %xmm0,`0x20`(%rsp)
354	pxor %xmm0,%xmm14
355	pshufb %xmm2,%xmm14
356	# x3 += x7, x15 = rotl32(x15 ^ x3, 8)
357	movdqa `0x30`(%rsp),%xmm0
358	paddd %xmm7,%xmm0
359	movdqa %xmm0,`0x30`(%rsp)
360	pxor %xmm0,%xmm15
361	pshufb %xmm2,%xmm15
362
363	# x8 += x12, x4 = rotl32(x4 ^ x8, 7)
364	paddd %xmm12,%xmm8
365	pxor %xmm8,%xmm4
366	movdqa %xmm4,%xmm0
367	pslld $`7`,%xmm0
368	psrld $`25`,%xmm4
369	por %xmm0,%xmm4
370	# x9 += x13, x5 = rotl32(x5 ^ x9, 7)
371	paddd %xmm13,%xmm9
372	pxor %xmm9,%xmm5
373	movdqa %xmm5,%xmm0
374	pslld $`7`,%xmm0
375	psrld $`25`,%xmm5
376	por %xmm0,%xmm5
377	# x10 += x14, x6 = rotl32(x6 ^ x10, 7)
378	paddd %xmm14,%xmm10
379	pxor %xmm10,%xmm6
380	movdqa %xmm6,%xmm0
381	pslld $`7`,%xmm0
382	psrld $`25`,%xmm6
383	por %xmm0,%xmm6
384	# x11 += x15, x7 = rotl32(x7 ^ x11, 7)
385	paddd %xmm15,%xmm11
386	pxor %xmm11,%xmm7
387	movdqa %xmm7,%xmm0
388	pslld $`7`,%xmm0
389	psrld $`25`,%xmm7
390	por %xmm0,%xmm7
391
392	# x0 += x5, x15 = rotl32(x15 ^ x0, 16)
393	movdqa `0x00`(%rsp),%xmm0
394	paddd %xmm5,%xmm0
395	movdqa %xmm0,`0x00`(%rsp)
396	pxor %xmm0,%xmm15
397	pshufb %xmm3,%xmm15
398	# x1 += x6, x12 = rotl32(x12 ^ x1, 16)
399	movdqa `0x10`(%rsp),%xmm0
400	paddd %xmm6,%xmm0
401	movdqa %xmm0,`0x10`(%rsp)
402	pxor %xmm0,%xmm12
403	pshufb %xmm3,%xmm12
404	# x2 += x7, x13 = rotl32(x13 ^ x2, 16)
405	movdqa `0x20`(%rsp),%xmm0
406	paddd %xmm7,%xmm0
407	movdqa %xmm0,`0x20`(%rsp)
408	pxor %xmm0,%xmm13
409	pshufb %xmm3,%xmm13
410	# x3 += x4, x14 = rotl32(x14 ^ x3, 16)
411	movdqa `0x30`(%rsp),%xmm0
412	paddd %xmm4,%xmm0
413	movdqa %xmm0,`0x30`(%rsp)
414	pxor %xmm0,%xmm14
415	pshufb %xmm3,%xmm14
416
417	# x10 += x15, x5 = rotl32(x5 ^ x10, 12)
418	paddd %xmm15,%xmm10
419	pxor %xmm10,%xmm5
420	movdqa %xmm5,%xmm0
421	pslld $`12`,%xmm0
422	psrld $`20`,%xmm5
423	por %xmm0,%xmm5
424	# x11 += x12, x6 = rotl32(x6 ^ x11, 12)
425	paddd %xmm12,%xmm11
426	pxor %xmm11,%xmm6
427	movdqa %xmm6,%xmm0
428	pslld $`12`,%xmm0
429	psrld $`20`,%xmm6
430	por %xmm0,%xmm6
431	# x8 += x13, x7 = rotl32(x7 ^ x8, 12)
432	paddd %xmm13,%xmm8
433	pxor %xmm8,%xmm7
434	movdqa %xmm7,%xmm0
435	pslld $`12`,%xmm0
436	psrld $`20`,%xmm7
437	por %xmm0,%xmm7
438	# x9 += x14, x4 = rotl32(x4 ^ x9, 12)
439	paddd %xmm14,%xmm9
440	pxor %xmm9,%xmm4
441	movdqa %xmm4,%xmm0
442	pslld $`12`,%xmm0
443	psrld $`20`,%xmm4
444	por %xmm0,%xmm4
445
446	# x0 += x5, x15 = rotl32(x15 ^ x0, 8)
447	movdqa `0x00`(%rsp),%xmm0
448	paddd %xmm5,%xmm0
449	movdqa %xmm0,`0x00`(%rsp)
450	pxor %xmm0,%xmm15
451	pshufb %xmm2,%xmm15
452	# x1 += x6, x12 = rotl32(x12 ^ x1, 8)
453	movdqa `0x10`(%rsp),%xmm0
454	paddd %xmm6,%xmm0
455	movdqa %xmm0,`0x10`(%rsp)
456	pxor %xmm0,%xmm12
457	pshufb %xmm2,%xmm12
458	# x2 += x7, x13 = rotl32(x13 ^ x2, 8)
459	movdqa `0x20`(%rsp),%xmm0
460	paddd %xmm7,%xmm0
461	movdqa %xmm0,`0x20`(%rsp)
462	pxor %xmm0,%xmm13
463	pshufb %xmm2,%xmm13
464	# x3 += x4, x14 = rotl32(x14 ^ x3, 8)
465	movdqa `0x30`(%rsp),%xmm0
466	paddd %xmm4,%xmm0
467	movdqa %xmm0,`0x30`(%rsp)
468	pxor %xmm0,%xmm14
469	pshufb %xmm2,%xmm14
470
471	# x10 += x15, x5 = rotl32(x5 ^ x10, 7)
472	paddd %xmm15,%xmm10
473	pxor %xmm10,%xmm5
474	movdqa %xmm5,%xmm0
475	pslld $`7`,%xmm0
476	psrld $`25`,%xmm5
477	por %xmm0,%xmm5
478	# x11 += x12, x6 = rotl32(x6 ^ x11, 7)
479	paddd %xmm12,%xmm11
480	pxor %xmm11,%xmm6
481	movdqa %xmm6,%xmm0
482	pslld $`7`,%xmm0
483	psrld $`25`,%xmm6
484	por %xmm0,%xmm6
485	# x8 += x13, x7 = rotl32(x7 ^ x8, 7)
486	paddd %xmm13,%xmm8
487	pxor %xmm8,%xmm7
488	movdqa %xmm7,%xmm0
489	pslld $`7`,%xmm0
490	psrld $`25`,%xmm7
491	por %xmm0,%xmm7
492	# x9 += x14, x4 = rotl32(x4 ^ x9, 7)
493	paddd %xmm14,%xmm9
494	pxor %xmm9,%xmm4
495	movdqa %xmm4,%xmm0
496	pslld $`7`,%xmm0
497	psrld $`25`,%xmm4
498	por %xmm0,%xmm4
499
500	sub $`2`,%r8d
501	jnz .Ldoubleround4
502
503	# x0[0-3] += s0[0]
504	# x1[0-3] += s0[1]
505	movq `0x00`(%rdi),%xmm3
506	pshufd $`0x00`,%xmm3,%xmm2
507	pshufd $`0x55`,%xmm3,%xmm3
508	paddd `0x00`(%rsp),%xmm2
509	movdqa %xmm2,`0x00`(%rsp)
510	paddd `0x10`(%rsp),%xmm3
511	movdqa %xmm3,`0x10`(%rsp)
512	# x2[0-3] += s0[2]
513	# x3[0-3] += s0[3]
514	movq `0x08`(%rdi),%xmm3
515	pshufd $`0x00`,%xmm3,%xmm2
516	pshufd $`0x55`,%xmm3,%xmm3
517	paddd `0x20`(%rsp),%xmm2
518	movdqa %xmm2,`0x20`(%rsp)
519	paddd `0x30`(%rsp),%xmm3
520	movdqa %xmm3,`0x30`(%rsp)
521
522	# x4[0-3] += s1[0]
523	# x5[0-3] += s1[1]
524	movq `0x10`(%rdi),%xmm3
525	pshufd $`0x00`,%xmm3,%xmm2
526	pshufd $`0x55`,%xmm3,%xmm3
527	paddd %xmm2,%xmm4
528	paddd %xmm3,%xmm5
529	# x6[0-3] += s1[2]
530	# x7[0-3] += s1[3]
531	movq `0x18`(%rdi),%xmm3
532	pshufd $`0x00`,%xmm3,%xmm2
533	pshufd $`0x55`,%xmm3,%xmm3
534	paddd %xmm2,%xmm6
535	paddd %xmm3,%xmm7
536
537	# x8[0-3] += s2[0]
538	# x9[0-3] += s2[1]
539	movq `0x20`(%rdi),%xmm3
540	pshufd $`0x00`,%xmm3,%xmm2
541	pshufd $`0x55`,%xmm3,%xmm3
542	paddd %xmm2,%xmm8
543	paddd %xmm3,%xmm9
544	# x10[0-3] += s2[2]
545	# x11[0-3] += s2[3]
546	movq `0x28`(%rdi),%xmm3
547	pshufd $`0x00`,%xmm3,%xmm2
548	pshufd $`0x55`,%xmm3,%xmm3
549	paddd %xmm2,%xmm10
550	paddd %xmm3,%xmm11
551
552	# x12[0-3] += s3[0]
553	# x13[0-3] += s3[1]
554	movq `0x30`(%rdi),%xmm3
555	pshufd $`0x00`,%xmm3,%xmm2
556	pshufd $`0x55`,%xmm3,%xmm3
557	paddd %xmm2,%xmm12
558	paddd %xmm3,%xmm13
559	# x14[0-3] += s3[2]
560	# x15[0-3] += s3[3]
561	movq `0x38`(%rdi),%xmm3
562	pshufd $`0x00`,%xmm3,%xmm2
563	pshufd $`0x55`,%xmm3,%xmm3
564	paddd %xmm2,%xmm14
565	paddd %xmm3,%xmm15
566
567	# x12 += counter values 0-3
568	paddd %xmm1,%xmm12
569
570	# interleave 32-bit words in state n, n+1
571	movdqa `0x00`(%rsp),%xmm0
572	movdqa `0x10`(%rsp),%xmm1
573	movdqa %xmm0,%xmm2
574	punpckldq %xmm1,%xmm2
575	punpckhdq %xmm1,%xmm0
576	movdqa %xmm2,`0x00`(%rsp)
577	movdqa %xmm0,`0x10`(%rsp)
578	movdqa `0x20`(%rsp),%xmm0
579	movdqa `0x30`(%rsp),%xmm1
580	movdqa %xmm0,%xmm2
581	punpckldq %xmm1,%xmm2
582	punpckhdq %xmm1,%xmm0
583	movdqa %xmm2,`0x20`(%rsp)
584	movdqa %xmm0,`0x30`(%rsp)
585	movdqa %xmm4,%xmm0
586	punpckldq %xmm5,%xmm4
587	punpckhdq %xmm5,%xmm0
588	movdqa %xmm0,%xmm5
589	movdqa %xmm6,%xmm0
590	punpckldq %xmm7,%xmm6
591	punpckhdq %xmm7,%xmm0
592	movdqa %xmm0,%xmm7
593	movdqa %xmm8,%xmm0
594	punpckldq %xmm9,%xmm8
595	punpckhdq %xmm9,%xmm0
596	movdqa %xmm0,%xmm9
597	movdqa %xmm10,%xmm0
598	punpckldq %xmm11,%xmm10
599	punpckhdq %xmm11,%xmm0
600	movdqa %xmm0,%xmm11
601	movdqa %xmm12,%xmm0
602	punpckldq %xmm13,%xmm12
603	punpckhdq %xmm13,%xmm0
604	movdqa %xmm0,%xmm13
605	movdqa %xmm14,%xmm0
606	punpckldq %xmm15,%xmm14
607	punpckhdq %xmm15,%xmm0
608	movdqa %xmm0,%xmm15
609
610	# interleave 64-bit words in state n, n+2
611	movdqa `0x00`(%rsp),%xmm0
612	movdqa `0x20`(%rsp),%xmm1
613	movdqa %xmm0,%xmm2
614	punpcklqdq %xmm1,%xmm2
615	punpckhqdq %xmm1,%xmm0
616	movdqa %xmm2,`0x00`(%rsp)
617	movdqa %xmm0,`0x20`(%rsp)
618	movdqa `0x10`(%rsp),%xmm0
619	movdqa `0x30`(%rsp),%xmm1
620	movdqa %xmm0,%xmm2
621	punpcklqdq %xmm1,%xmm2
622	punpckhqdq %xmm1,%xmm0
623	movdqa %xmm2,`0x10`(%rsp)
624	movdqa %xmm0,`0x30`(%rsp)
625	movdqa %xmm4,%xmm0
626	punpcklqdq %xmm6,%xmm4
627	punpckhqdq %xmm6,%xmm0
628	movdqa %xmm0,%xmm6
629	movdqa %xmm5,%xmm0
630	punpcklqdq %xmm7,%xmm5
631	punpckhqdq %xmm7,%xmm0
632	movdqa %xmm0,%xmm7
633	movdqa %xmm8,%xmm0
634	punpcklqdq %xmm10,%xmm8
635	punpckhqdq %xmm10,%xmm0
636	movdqa %xmm0,%xmm10
637	movdqa %xmm9,%xmm0
638	punpcklqdq %xmm11,%xmm9
639	punpckhqdq %xmm11,%xmm0
640	movdqa %xmm0,%xmm11
641	movdqa %xmm12,%xmm0
642	punpcklqdq %xmm14,%xmm12
643	punpckhqdq %xmm14,%xmm0
644	movdqa %xmm0,%xmm14
645	movdqa %xmm13,%xmm0
646	punpcklqdq %xmm15,%xmm13
647	punpckhqdq %xmm15,%xmm0
648	movdqa %xmm0,%xmm15
649
650	# xor with corresponding input, write to output
651	movdqa `0x00`(%rsp),%xmm0
652	cmp $`0x10`,%rax
653	jl .Lxorpart4
654	movdqu `0x00`(%rdx),%xmm1
655	pxor %xmm1,%xmm0
656	movdqu %xmm0,`0x00`(%rsi)
657
658	movdqu %xmm4,%xmm0
659	cmp $`0x20`,%rax
660	jl .Lxorpart4
661	movdqu `0x10`(%rdx),%xmm1
662	pxor %xmm1,%xmm0
663	movdqu %xmm0,`0x10`(%rsi)
664
665	movdqu %xmm8,%xmm0
666	cmp $`0x30`,%rax
667	jl .Lxorpart4
668	movdqu `0x20`(%rdx),%xmm1
669	pxor %xmm1,%xmm0
670	movdqu %xmm0,`0x20`(%rsi)
671
672	movdqu %xmm12,%xmm0
673	cmp $`0x40`,%rax
674	jl .Lxorpart4
675	movdqu `0x30`(%rdx),%xmm1
676	pxor %xmm1,%xmm0
677	movdqu %xmm0,`0x30`(%rsi)
678
679	movdqa `0x20`(%rsp),%xmm0
680	cmp $`0x50`,%rax
681	jl .Lxorpart4
682	movdqu `0x40`(%rdx),%xmm1
683	pxor %xmm1,%xmm0
684	movdqu %xmm0,`0x40`(%rsi)
685
686	movdqu %xmm6,%xmm0
687	cmp $`0x60`,%rax
688	jl .Lxorpart4
689	movdqu `0x50`(%rdx),%xmm1
690	pxor %xmm1,%xmm0
691	movdqu %xmm0,`0x50`(%rsi)
692
693	movdqu %xmm10,%xmm0
694	cmp $`0x70`,%rax
695	jl .Lxorpart4
696	movdqu `0x60`(%rdx),%xmm1
697	pxor %xmm1,%xmm0
698	movdqu %xmm0,`0x60`(%rsi)
699
700	movdqu %xmm14,%xmm0
701	cmp $`0x80`,%rax
702	jl .Lxorpart4
703	movdqu `0x70`(%rdx),%xmm1
704	pxor %xmm1,%xmm0
705	movdqu %xmm0,`0x70`(%rsi)
706
707	movdqa `0x10`(%rsp),%xmm0
708	cmp $`0x90`,%rax
709	jl .Lxorpart4
710	movdqu `0x80`(%rdx),%xmm1
711	pxor %xmm1,%xmm0
712	movdqu %xmm0,`0x80`(%rsi)
713
714	movdqu %xmm5,%xmm0
715	cmp $`0xa0`,%rax
716	jl .Lxorpart4
717	movdqu `0x90`(%rdx),%xmm1
718	pxor %xmm1,%xmm0
719	movdqu %xmm0,`0x90`(%rsi)
720
721	movdqu %xmm9,%xmm0
722	cmp $`0xb0`,%rax
723	jl .Lxorpart4
724	movdqu `0xa0`(%rdx),%xmm1
725	pxor %xmm1,%xmm0
726	movdqu %xmm0,`0xa0`(%rsi)
727
728	movdqu %xmm13,%xmm0
729	cmp $`0xc0`,%rax
730	jl .Lxorpart4
731	movdqu `0xb0`(%rdx),%xmm1
732	pxor %xmm1,%xmm0
733	movdqu %xmm0,`0xb0`(%rsi)
734
735	movdqa `0x30`(%rsp),%xmm0
736	cmp $`0xd0`,%rax
737	jl .Lxorpart4
738	movdqu `0xc0`(%rdx),%xmm1
739	pxor %xmm1,%xmm0
740	movdqu %xmm0,`0xc0`(%rsi)
741
742	movdqu %xmm7,%xmm0
743	cmp $`0xe0`,%rax
744	jl .Lxorpart4
745	movdqu `0xd0`(%rdx),%xmm1
746	pxor %xmm1,%xmm0
747	movdqu %xmm0,`0xd0`(%rsi)
748
749	movdqu %xmm11,%xmm0
750	cmp $`0xf0`,%rax
751	jl .Lxorpart4
752	movdqu `0xe0`(%rdx),%xmm1
753	pxor %xmm1,%xmm0
754	movdqu %xmm0,`0xe0`(%rsi)
755
756	movdqu %xmm15,%xmm0
757	cmp $`0x100`,%rax
758	jl .Lxorpart4
759	movdqu `0xf0`(%rdx),%xmm1
760	pxor %xmm1,%xmm0
761	movdqu %xmm0,`0xf0`(%rsi)
762
763	.Ldone4:
764	lea -`8`(%r10),%rsp
765	RET
766
767	.Lxorpart4:
768	# xor remaining bytes from partial register into output
769	mov %rax,%r9
770	and $`0x0f`,%r9
771	jz .Ldone4
772	and $~`0x0f`,%rax
773
774	mov %rsi,%r11
775
776	lea (%rdx,%rax),%rsi
777	mov %rsp,%rdi
778	mov %r9,%rcx
779	rep movsb
780
781	pxor `0x00`(%rsp),%xmm0
782	movdqa %xmm0,`0x00`(%rsp)
783
784	mov %rsp,%rsi
785	lea (%r11,%rax),%rdi
786	mov %r9,%rcx
787	rep movsb
788
789	jmp .Ldone4
790
791	SYM_FUNC_END(chacha_4block_xor_ssse3)
792

source code of linux/arch/x86/crypto/chacha-ssse3-x86_64.S