chacha-neon-core.S 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643
  1. /*
  2. * ChaCha/HChaCha NEON helper functions
  3. *
  4. * Copyright (C) 2016 Linaro, Ltd. <ard.biesheuvel@linaro.org>
  5. *
  6. * This program is free software; you can redistribute it and/or modify
  7. * it under the terms of the GNU General Public License version 2 as
  8. * published by the Free Software Foundation.
  9. *
  10. * Based on:
  11. * ChaCha20 256-bit cipher algorithm, RFC7539, x64 SSE3 functions
  12. *
  13. * Copyright (C) 2015 Martin Willi
  14. *
  15. * This program is free software; you can redistribute it and/or modify
  16. * it under the terms of the GNU General Public License as published by
  17. * the Free Software Foundation; either version 2 of the License, or
  18. * (at your option) any later version.
  19. */
  20. /*
  21. * NEON doesn't have a rotate instruction. The alternatives are, more or less:
  22. *
  23. * (a) vshl.u32 + vsri.u32 (needs temporary register)
  24. * (b) vshl.u32 + vshr.u32 + vorr (needs temporary register)
  25. * (c) vrev32.16 (16-bit rotations only)
  26. * (d) vtbl.8 + vtbl.8 (multiple of 8 bits rotations only,
  27. * needs index vector)
  28. *
  29. * ChaCha has 16, 12, 8, and 7-bit rotations. For the 12 and 7-bit rotations,
  30. * the only choices are (a) and (b). We use (a) since it takes two-thirds the
  31. * cycles of (b) on both Cortex-A7 and Cortex-A53.
  32. *
  33. * For the 16-bit rotation, we use vrev32.16 since it's consistently fastest
  34. * and doesn't need a temporary register.
  35. *
  36. * For the 8-bit rotation, we use vtbl.8 + vtbl.8. On Cortex-A7, this sequence
  37. * is twice as fast as (a), even when doing (a) on multiple registers
  38. * simultaneously to eliminate the stall between vshl and vsri. Also, it
  39. * parallelizes better when temporary registers are scarce.
  40. *
  41. * A disadvantage is that on Cortex-A53, the vtbl sequence is the same speed as
  42. * (a), so the need to load the rotation table actually makes the vtbl method
  43. * slightly slower overall on that CPU (~1.3% slower ChaCha20). Still, it
  44. * seems to be a good compromise to get a more significant speed boost on some
  45. * CPUs, e.g. ~4.8% faster ChaCha20 on Cortex-A7.
  46. */
  47. #include <linux/linkage.h>
  48. #include <asm/cache.h>
  49. .text
  50. .fpu neon
  51. .align 5
  52. /*
  53. * chacha_permute - permute one block
  54. *
  55. * Permute one 64-byte block where the state matrix is stored in the four NEON
  56. * registers q0-q3. It performs matrix operations on four words in parallel,
  57. * but requires shuffling to rearrange the words after each round.
  58. *
  59. * The round count is given in r3.
  60. *
  61. * Clobbers: r3, ip, q4-q5
  62. */
  63. chacha_permute:
  64. adr ip, .Lrol8_table
  65. vld1.8 {d10}, [ip, :64]
  66. .Ldoubleround:
  67. // x0 += x1, x3 = rotl32(x3 ^ x0, 16)
  68. vadd.i32 q0, q0, q1
  69. veor q3, q3, q0
  70. vrev32.16 q3, q3
  71. // x2 += x3, x1 = rotl32(x1 ^ x2, 12)
  72. vadd.i32 q2, q2, q3
  73. veor q4, q1, q2
  74. vshl.u32 q1, q4, #12
  75. vsri.u32 q1, q4, #20
  76. // x0 += x1, x3 = rotl32(x3 ^ x0, 8)
  77. vadd.i32 q0, q0, q1
  78. veor q3, q3, q0
  79. vtbl.8 d6, {d6}, d10
  80. vtbl.8 d7, {d7}, d10
  81. // x2 += x3, x1 = rotl32(x1 ^ x2, 7)
  82. vadd.i32 q2, q2, q3
  83. veor q4, q1, q2
  84. vshl.u32 q1, q4, #7
  85. vsri.u32 q1, q4, #25
  86. // x1 = shuffle32(x1, MASK(0, 3, 2, 1))
  87. vext.8 q1, q1, q1, #4
  88. // x2 = shuffle32(x2, MASK(1, 0, 3, 2))
  89. vext.8 q2, q2, q2, #8
  90. // x3 = shuffle32(x3, MASK(2, 1, 0, 3))
  91. vext.8 q3, q3, q3, #12
  92. // x0 += x1, x3 = rotl32(x3 ^ x0, 16)
  93. vadd.i32 q0, q0, q1
  94. veor q3, q3, q0
  95. vrev32.16 q3, q3
  96. // x2 += x3, x1 = rotl32(x1 ^ x2, 12)
  97. vadd.i32 q2, q2, q3
  98. veor q4, q1, q2
  99. vshl.u32 q1, q4, #12
  100. vsri.u32 q1, q4, #20
  101. // x0 += x1, x3 = rotl32(x3 ^ x0, 8)
  102. vadd.i32 q0, q0, q1
  103. veor q3, q3, q0
  104. vtbl.8 d6, {d6}, d10
  105. vtbl.8 d7, {d7}, d10
  106. // x2 += x3, x1 = rotl32(x1 ^ x2, 7)
  107. vadd.i32 q2, q2, q3
  108. veor q4, q1, q2
  109. vshl.u32 q1, q4, #7
  110. vsri.u32 q1, q4, #25
  111. // x1 = shuffle32(x1, MASK(2, 1, 0, 3))
  112. vext.8 q1, q1, q1, #12
  113. // x2 = shuffle32(x2, MASK(1, 0, 3, 2))
  114. vext.8 q2, q2, q2, #8
  115. // x3 = shuffle32(x3, MASK(0, 3, 2, 1))
  116. vext.8 q3, q3, q3, #4
  117. subs r3, r3, #2
  118. bne .Ldoubleround
  119. bx lr
  120. ENDPROC(chacha_permute)
  121. ENTRY(chacha_block_xor_neon)
  122. // r0: Input state matrix, s
  123. // r1: 1 data block output, o
  124. // r2: 1 data block input, i
  125. // r3: nrounds
  126. push {lr}
  127. // x0..3 = s0..3
  128. add ip, r0, #0x20
  129. vld1.32 {q0-q1}, [r0]
  130. vld1.32 {q2-q3}, [ip]
  131. vmov q8, q0
  132. vmov q9, q1
  133. vmov q10, q2
  134. vmov q11, q3
  135. bl chacha_permute
  136. add ip, r2, #0x20
  137. vld1.8 {q4-q5}, [r2]
  138. vld1.8 {q6-q7}, [ip]
  139. // o0 = i0 ^ (x0 + s0)
  140. vadd.i32 q0, q0, q8
  141. veor q0, q0, q4
  142. // o1 = i1 ^ (x1 + s1)
  143. vadd.i32 q1, q1, q9
  144. veor q1, q1, q5
  145. // o2 = i2 ^ (x2 + s2)
  146. vadd.i32 q2, q2, q10
  147. veor q2, q2, q6
  148. // o3 = i3 ^ (x3 + s3)
  149. vadd.i32 q3, q3, q11
  150. veor q3, q3, q7
  151. add ip, r1, #0x20
  152. vst1.8 {q0-q1}, [r1]
  153. vst1.8 {q2-q3}, [ip]
  154. pop {pc}
  155. ENDPROC(chacha_block_xor_neon)
  156. ENTRY(hchacha_block_neon)
  157. // r0: Input state matrix, s
  158. // r1: output (8 32-bit words)
  159. // r2: nrounds
  160. push {lr}
  161. vld1.32 {q0-q1}, [r0]!
  162. vld1.32 {q2-q3}, [r0]
  163. mov r3, r2
  164. bl chacha_permute
  165. vst1.32 {q0}, [r1]!
  166. vst1.32 {q3}, [r1]
  167. pop {pc}
  168. ENDPROC(hchacha_block_neon)
  169. .align 4
  170. .Lctrinc: .word 0, 1, 2, 3
  171. .Lrol8_table: .byte 3, 0, 1, 2, 7, 4, 5, 6
  172. .align 5
  173. ENTRY(chacha_4block_xor_neon)
  174. push {r4, lr}
  175. mov r4, sp // preserve the stack pointer
  176. sub ip, sp, #0x20 // allocate a 32 byte buffer
  177. bic ip, ip, #0x1f // aligned to 32 bytes
  178. mov sp, ip
  179. // r0: Input state matrix, s
  180. // r1: 4 data blocks output, o
  181. // r2: 4 data blocks input, i
  182. // r3: nrounds
  183. //
  184. // This function encrypts four consecutive ChaCha blocks by loading
  185. // the state matrix in NEON registers four times. The algorithm performs
  186. // each operation on the corresponding word of each state matrix, hence
  187. // requires no word shuffling. The words are re-interleaved before the
  188. // final addition of the original state and the XORing step.
  189. //
  190. // x0..15[0-3] = s0..15[0-3]
  191. add ip, r0, #0x20
  192. vld1.32 {q0-q1}, [r0]
  193. vld1.32 {q2-q3}, [ip]
  194. adr lr, .Lctrinc
  195. vdup.32 q15, d7[1]
  196. vdup.32 q14, d7[0]
  197. vld1.32 {q4}, [lr, :128]
  198. vdup.32 q13, d6[1]
  199. vdup.32 q12, d6[0]
  200. vdup.32 q11, d5[1]
  201. vdup.32 q10, d5[0]
  202. vadd.u32 q12, q12, q4 // x12 += counter values 0-3
  203. vdup.32 q9, d4[1]
  204. vdup.32 q8, d4[0]
  205. vdup.32 q7, d3[1]
  206. vdup.32 q6, d3[0]
  207. vdup.32 q5, d2[1]
  208. vdup.32 q4, d2[0]
  209. vdup.32 q3, d1[1]
  210. vdup.32 q2, d1[0]
  211. vdup.32 q1, d0[1]
  212. vdup.32 q0, d0[0]
  213. adr ip, .Lrol8_table
  214. b 1f
  215. .Ldoubleround4:
  216. vld1.32 {q8-q9}, [sp, :256]
  217. 1:
  218. // x0 += x4, x12 = rotl32(x12 ^ x0, 16)
  219. // x1 += x5, x13 = rotl32(x13 ^ x1, 16)
  220. // x2 += x6, x14 = rotl32(x14 ^ x2, 16)
  221. // x3 += x7, x15 = rotl32(x15 ^ x3, 16)
  222. vadd.i32 q0, q0, q4
  223. vadd.i32 q1, q1, q5
  224. vadd.i32 q2, q2, q6
  225. vadd.i32 q3, q3, q7
  226. veor q12, q12, q0
  227. veor q13, q13, q1
  228. veor q14, q14, q2
  229. veor q15, q15, q3
  230. vrev32.16 q12, q12
  231. vrev32.16 q13, q13
  232. vrev32.16 q14, q14
  233. vrev32.16 q15, q15
  234. // x8 += x12, x4 = rotl32(x4 ^ x8, 12)
  235. // x9 += x13, x5 = rotl32(x5 ^ x9, 12)
  236. // x10 += x14, x6 = rotl32(x6 ^ x10, 12)
  237. // x11 += x15, x7 = rotl32(x7 ^ x11, 12)
  238. vadd.i32 q8, q8, q12
  239. vadd.i32 q9, q9, q13
  240. vadd.i32 q10, q10, q14
  241. vadd.i32 q11, q11, q15
  242. vst1.32 {q8-q9}, [sp, :256]
  243. veor q8, q4, q8
  244. veor q9, q5, q9
  245. vshl.u32 q4, q8, #12
  246. vshl.u32 q5, q9, #12
  247. vsri.u32 q4, q8, #20
  248. vsri.u32 q5, q9, #20
  249. veor q8, q6, q10
  250. veor q9, q7, q11
  251. vshl.u32 q6, q8, #12
  252. vshl.u32 q7, q9, #12
  253. vsri.u32 q6, q8, #20
  254. vsri.u32 q7, q9, #20
  255. // x0 += x4, x12 = rotl32(x12 ^ x0, 8)
  256. // x1 += x5, x13 = rotl32(x13 ^ x1, 8)
  257. // x2 += x6, x14 = rotl32(x14 ^ x2, 8)
  258. // x3 += x7, x15 = rotl32(x15 ^ x3, 8)
  259. vld1.8 {d16}, [ip, :64]
  260. vadd.i32 q0, q0, q4
  261. vadd.i32 q1, q1, q5
  262. vadd.i32 q2, q2, q6
  263. vadd.i32 q3, q3, q7
  264. veor q12, q12, q0
  265. veor q13, q13, q1
  266. veor q14, q14, q2
  267. veor q15, q15, q3
  268. vtbl.8 d24, {d24}, d16
  269. vtbl.8 d25, {d25}, d16
  270. vtbl.8 d26, {d26}, d16
  271. vtbl.8 d27, {d27}, d16
  272. vtbl.8 d28, {d28}, d16
  273. vtbl.8 d29, {d29}, d16
  274. vtbl.8 d30, {d30}, d16
  275. vtbl.8 d31, {d31}, d16
  276. vld1.32 {q8-q9}, [sp, :256]
  277. // x8 += x12, x4 = rotl32(x4 ^ x8, 7)
  278. // x9 += x13, x5 = rotl32(x5 ^ x9, 7)
  279. // x10 += x14, x6 = rotl32(x6 ^ x10, 7)
  280. // x11 += x15, x7 = rotl32(x7 ^ x11, 7)
  281. vadd.i32 q8, q8, q12
  282. vadd.i32 q9, q9, q13
  283. vadd.i32 q10, q10, q14
  284. vadd.i32 q11, q11, q15
  285. vst1.32 {q8-q9}, [sp, :256]
  286. veor q8, q4, q8
  287. veor q9, q5, q9
  288. vshl.u32 q4, q8, #7
  289. vshl.u32 q5, q9, #7
  290. vsri.u32 q4, q8, #25
  291. vsri.u32 q5, q9, #25
  292. veor q8, q6, q10
  293. veor q9, q7, q11
  294. vshl.u32 q6, q8, #7
  295. vshl.u32 q7, q9, #7
  296. vsri.u32 q6, q8, #25
  297. vsri.u32 q7, q9, #25
  298. vld1.32 {q8-q9}, [sp, :256]
  299. // x0 += x5, x15 = rotl32(x15 ^ x0, 16)
  300. // x1 += x6, x12 = rotl32(x12 ^ x1, 16)
  301. // x2 += x7, x13 = rotl32(x13 ^ x2, 16)
  302. // x3 += x4, x14 = rotl32(x14 ^ x3, 16)
  303. vadd.i32 q0, q0, q5
  304. vadd.i32 q1, q1, q6
  305. vadd.i32 q2, q2, q7
  306. vadd.i32 q3, q3, q4
  307. veor q15, q15, q0
  308. veor q12, q12, q1
  309. veor q13, q13, q2
  310. veor q14, q14, q3
  311. vrev32.16 q15, q15
  312. vrev32.16 q12, q12
  313. vrev32.16 q13, q13
  314. vrev32.16 q14, q14
  315. // x10 += x15, x5 = rotl32(x5 ^ x10, 12)
  316. // x11 += x12, x6 = rotl32(x6 ^ x11, 12)
  317. // x8 += x13, x7 = rotl32(x7 ^ x8, 12)
  318. // x9 += x14, x4 = rotl32(x4 ^ x9, 12)
  319. vadd.i32 q10, q10, q15
  320. vadd.i32 q11, q11, q12
  321. vadd.i32 q8, q8, q13
  322. vadd.i32 q9, q9, q14
  323. vst1.32 {q8-q9}, [sp, :256]
  324. veor q8, q7, q8
  325. veor q9, q4, q9
  326. vshl.u32 q7, q8, #12
  327. vshl.u32 q4, q9, #12
  328. vsri.u32 q7, q8, #20
  329. vsri.u32 q4, q9, #20
  330. veor q8, q5, q10
  331. veor q9, q6, q11
  332. vshl.u32 q5, q8, #12
  333. vshl.u32 q6, q9, #12
  334. vsri.u32 q5, q8, #20
  335. vsri.u32 q6, q9, #20
  336. // x0 += x5, x15 = rotl32(x15 ^ x0, 8)
  337. // x1 += x6, x12 = rotl32(x12 ^ x1, 8)
  338. // x2 += x7, x13 = rotl32(x13 ^ x2, 8)
  339. // x3 += x4, x14 = rotl32(x14 ^ x3, 8)
  340. vld1.8 {d16}, [ip, :64]
  341. vadd.i32 q0, q0, q5
  342. vadd.i32 q1, q1, q6
  343. vadd.i32 q2, q2, q7
  344. vadd.i32 q3, q3, q4
  345. veor q15, q15, q0
  346. veor q12, q12, q1
  347. veor q13, q13, q2
  348. veor q14, q14, q3
  349. vtbl.8 d30, {d30}, d16
  350. vtbl.8 d31, {d31}, d16
  351. vtbl.8 d24, {d24}, d16
  352. vtbl.8 d25, {d25}, d16
  353. vtbl.8 d26, {d26}, d16
  354. vtbl.8 d27, {d27}, d16
  355. vtbl.8 d28, {d28}, d16
  356. vtbl.8 d29, {d29}, d16
  357. vld1.32 {q8-q9}, [sp, :256]
  358. // x10 += x15, x5 = rotl32(x5 ^ x10, 7)
  359. // x11 += x12, x6 = rotl32(x6 ^ x11, 7)
  360. // x8 += x13, x7 = rotl32(x7 ^ x8, 7)
  361. // x9 += x14, x4 = rotl32(x4 ^ x9, 7)
  362. vadd.i32 q10, q10, q15
  363. vadd.i32 q11, q11, q12
  364. vadd.i32 q8, q8, q13
  365. vadd.i32 q9, q9, q14
  366. vst1.32 {q8-q9}, [sp, :256]
  367. veor q8, q7, q8
  368. veor q9, q4, q9
  369. vshl.u32 q7, q8, #7
  370. vshl.u32 q4, q9, #7
  371. vsri.u32 q7, q8, #25
  372. vsri.u32 q4, q9, #25
  373. veor q8, q5, q10
  374. veor q9, q6, q11
  375. vshl.u32 q5, q8, #7
  376. vshl.u32 q6, q9, #7
  377. vsri.u32 q5, q8, #25
  378. vsri.u32 q6, q9, #25
  379. subs r3, r3, #2
  380. bne .Ldoubleround4
  381. // x0..7[0-3] are in q0-q7, x10..15[0-3] are in q10-q15.
  382. // x8..9[0-3] are on the stack.
  383. // Re-interleave the words in the first two rows of each block (x0..7).
  384. // Also add the counter values 0-3 to x12[0-3].
  385. vld1.32 {q8}, [lr, :128] // load counter values 0-3
  386. vzip.32 q0, q1 // => (0 1 0 1) (0 1 0 1)
  387. vzip.32 q2, q3 // => (2 3 2 3) (2 3 2 3)
  388. vzip.32 q4, q5 // => (4 5 4 5) (4 5 4 5)
  389. vzip.32 q6, q7 // => (6 7 6 7) (6 7 6 7)
  390. vadd.u32 q12, q8 // x12 += counter values 0-3
  391. vswp d1, d4
  392. vswp d3, d6
  393. vld1.32 {q8-q9}, [r0]! // load s0..7
  394. vswp d9, d12
  395. vswp d11, d14
  396. // Swap q1 and q4 so that we'll free up consecutive registers (q0-q1)
  397. // after XORing the first 32 bytes.
  398. vswp q1, q4
  399. // First two rows of each block are (q0 q1) (q2 q6) (q4 q5) (q3 q7)
  400. // x0..3[0-3] += s0..3[0-3] (add orig state to 1st row of each block)
  401. vadd.u32 q0, q0, q8
  402. vadd.u32 q2, q2, q8
  403. vadd.u32 q4, q4, q8
  404. vadd.u32 q3, q3, q8
  405. // x4..7[0-3] += s4..7[0-3] (add orig state to 2nd row of each block)
  406. vadd.u32 q1, q1, q9
  407. vadd.u32 q6, q6, q9
  408. vadd.u32 q5, q5, q9
  409. vadd.u32 q7, q7, q9
  410. // XOR first 32 bytes using keystream from first two rows of first block
  411. vld1.8 {q8-q9}, [r2]!
  412. veor q8, q8, q0
  413. veor q9, q9, q1
  414. vst1.8 {q8-q9}, [r1]!
  415. // Re-interleave the words in the last two rows of each block (x8..15).
  416. vld1.32 {q8-q9}, [sp, :256]
  417. mov sp, r4 // restore original stack pointer
  418. ldr r4, [r4, #8] // load number of bytes
  419. vzip.32 q12, q13 // => (12 13 12 13) (12 13 12 13)
  420. vzip.32 q14, q15 // => (14 15 14 15) (14 15 14 15)
  421. vzip.32 q8, q9 // => (8 9 8 9) (8 9 8 9)
  422. vzip.32 q10, q11 // => (10 11 10 11) (10 11 10 11)
  423. vld1.32 {q0-q1}, [r0] // load s8..15
  424. vswp d25, d28
  425. vswp d27, d30
  426. vswp d17, d20
  427. vswp d19, d22
  428. // Last two rows of each block are (q8 q12) (q10 q14) (q9 q13) (q11 q15)
  429. // x8..11[0-3] += s8..11[0-3] (add orig state to 3rd row of each block)
  430. vadd.u32 q8, q8, q0
  431. vadd.u32 q10, q10, q0
  432. vadd.u32 q9, q9, q0
  433. vadd.u32 q11, q11, q0
  434. // x12..15[0-3] += s12..15[0-3] (add orig state to 4th row of each block)
  435. vadd.u32 q12, q12, q1
  436. vadd.u32 q14, q14, q1
  437. vadd.u32 q13, q13, q1
  438. vadd.u32 q15, q15, q1
  439. // XOR the rest of the data with the keystream
  440. vld1.8 {q0-q1}, [r2]!
  441. subs r4, r4, #96
  442. veor q0, q0, q8
  443. veor q1, q1, q12
  444. ble .Lle96
  445. vst1.8 {q0-q1}, [r1]!
  446. vld1.8 {q0-q1}, [r2]!
  447. subs r4, r4, #32
  448. veor q0, q0, q2
  449. veor q1, q1, q6
  450. ble .Lle128
  451. vst1.8 {q0-q1}, [r1]!
  452. vld1.8 {q0-q1}, [r2]!
  453. subs r4, r4, #32
  454. veor q0, q0, q10
  455. veor q1, q1, q14
  456. ble .Lle160
  457. vst1.8 {q0-q1}, [r1]!
  458. vld1.8 {q0-q1}, [r2]!
  459. subs r4, r4, #32
  460. veor q0, q0, q4
  461. veor q1, q1, q5
  462. ble .Lle192
  463. vst1.8 {q0-q1}, [r1]!
  464. vld1.8 {q0-q1}, [r2]!
  465. subs r4, r4, #32
  466. veor q0, q0, q9
  467. veor q1, q1, q13
  468. ble .Lle224
  469. vst1.8 {q0-q1}, [r1]!
  470. vld1.8 {q0-q1}, [r2]!
  471. subs r4, r4, #32
  472. veor q0, q0, q3
  473. veor q1, q1, q7
  474. blt .Llt256
  475. .Lout:
  476. vst1.8 {q0-q1}, [r1]!
  477. vld1.8 {q0-q1}, [r2]
  478. veor q0, q0, q11
  479. veor q1, q1, q15
  480. vst1.8 {q0-q1}, [r1]
  481. pop {r4, pc}
  482. .Lle192:
  483. vmov q4, q9
  484. vmov q5, q13
  485. .Lle160:
  486. // nothing to do
  487. .Lfinalblock:
  488. // Process the final block if processing less than 4 full blocks.
  489. // Entered with 32 bytes of ChaCha cipher stream in q4-q5, and the
  490. // previous 32 byte output block that still needs to be written at
  491. // [r1] in q0-q1.
  492. beq .Lfullblock
  493. .Lpartialblock:
  494. adr lr, .Lpermute + 32
  495. add r2, r2, r4
  496. add lr, lr, r4
  497. add r4, r4, r1
  498. vld1.8 {q2-q3}, [lr]
  499. vld1.8 {q6-q7}, [r2]
  500. add r4, r4, #32
  501. vtbl.8 d4, {q4-q5}, d4
  502. vtbl.8 d5, {q4-q5}, d5
  503. vtbl.8 d6, {q4-q5}, d6
  504. vtbl.8 d7, {q4-q5}, d7
  505. veor q6, q6, q2
  506. veor q7, q7, q3
  507. vst1.8 {q6-q7}, [r4] // overlapping stores
  508. vst1.8 {q0-q1}, [r1]
  509. pop {r4, pc}
  510. .Lfullblock:
  511. vmov q11, q4
  512. vmov q15, q5
  513. b .Lout
  514. .Lle96:
  515. vmov q4, q2
  516. vmov q5, q6
  517. b .Lfinalblock
  518. .Lle128:
  519. vmov q4, q10
  520. vmov q5, q14
  521. b .Lfinalblock
  522. .Lle224:
  523. vmov q4, q3
  524. vmov q5, q7
  525. b .Lfinalblock
  526. .Llt256:
  527. vmov q4, q11
  528. vmov q5, q15
  529. b .Lpartialblock
  530. ENDPROC(chacha_4block_xor_neon)
  531. .align L1_CACHE_SHIFT
  532. .Lpermute:
  533. .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
  534. .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
  535. .byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
  536. .byte 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
  537. .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
  538. .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
  539. .byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
  540. .byte 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f