Google Git
Sign in
linux / linux / kernel / git / torvalds / linux.git / ef3330b99c01bda53f2a189b58bed8f6b7397f28 / . / lib / crypto / riscv / poly1305-riscv.pl
blob: e25e6338a9ac104b5018981fe91b9c3a83dc9c72 [file] [log] [blame]
#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-1.0+ OR BSD-3-Clause
#
# ====================================================================
# Written by Andy Polyakov, @dot-asm, initially for use with OpenSSL.
# ====================================================================
#
# Poly1305 hash for RISC-V.
#
# February 2019
#
# In the essence it's pretty straightforward transliteration of MIPS
# module [without big-endian option].
#
# 1.8 cycles per byte on U74, >100% faster than compiler-generated
# code. 1.9 cpb on C910, ~75% improvement. 3.3 on Spacemit X60, ~69%
# improvement.
#
# June 2024.
#
# Add CHERI support.
#
######################################################################
#
($zero,$ra,$sp,$gp,$tp)=map("x$_",(0..4));
($t0,$t1,$t2,$t3,$t4,$t5,$t6)=map("x$_",(5..7,28..31));
($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("x$_",(10..17));
($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8,$s9,$s10,$s11)=map("x$_",(8,9,18..27));
#
######################################################################
$flavour = shift || "64";
for (@ARGV) { $output=$_ if (/\w[\w\-]*\.\w+$/); }
open STDOUT,">$output";
$code.=<<___;
#ifdef __KERNEL__
# ifdef __riscv_zicfilp
# undef __riscv_zicfilp // calls are expected to be direct
# endif
#endif
#if defined(__CHERI_PURE_CAPABILITY__) && !defined(__riscv_misaligned_fast)
# define __riscv_misaligned_fast 1
#endif
___
if ($flavour =~ /64/) {{{
######################################################################
# 64-bit code path...
#
my ($ctx,$inp,$len,$padbit) = ($a0,$a1,$a2,$a3);
my ($in0,$in1,$tmp0,$tmp1,$tmp2,$tmp3,$tmp4) = ($a4,$a5,$a6,$a7,$t0,$t1,$t2);
$code.=<<___;
#if __riscv_xlen == 64
# if __SIZEOF_POINTER__ == 16
# define PUSH csc
# define POP clc
# else
# define PUSH sd
# define POP ld
# endif
#else
# error "unsupported __riscv_xlen"
#endif
.option pic
.text
.globl poly1305_init
.type poly1305_init,\@function
poly1305_init:
#ifdef __riscv_zicfilp
lpad 0
#endif
sd $zero,0($ctx)
sd $zero,8($ctx)
sd $zero,16($ctx)
beqz $inp,.Lno_key
#ifndef __riscv_misaligned_fast
andi $tmp0,$inp,7 # $inp % 8
andi $inp,$inp,-8 # align $inp
slli $tmp0,$tmp0,3 # byte to bit offset
#endif
ld $in0,0($inp)
ld $in1,8($inp)
#ifndef __riscv_misaligned_fast
beqz $tmp0,.Laligned_key
ld $tmp2,16($inp)
neg $tmp1,$tmp0 # implicit &63 in sll
srl $in0,$in0,$tmp0
sll $tmp3,$in1,$tmp1
srl $in1,$in1,$tmp0
sll $tmp2,$tmp2,$tmp1
or $in0,$in0,$tmp3
or $in1,$in1,$tmp2
.Laligned_key:
#endif
li $tmp0,1
slli $tmp0,$tmp0,32 # 0x0000000100000000
addi $tmp0,$tmp0,-63 # 0x00000000ffffffc1
slli $tmp0,$tmp0,28 # 0x0ffffffc10000000
addi $tmp0,$tmp0,-1 # 0x0ffffffc0fffffff
and $in0,$in0,$tmp0
addi $tmp0,$tmp0,-3 # 0x0ffffffc0ffffffc
and $in1,$in1,$tmp0
sd $in0,24($ctx)
srli $tmp0,$in1,2
sd $in1,32($ctx)
add $tmp0,$tmp0,$in1 # s1 = r1 + (r1 >> 2)
sd $tmp0,40($ctx)
.Lno_key:
li $a0,0 # return 0
ret
.size poly1305_init,.-poly1305_init
___
{
my ($h0,$h1,$h2,$r0,$r1,$rs1,$d0,$d1,$d2) =
($s0,$s1,$s2,$s3,$t3,$t4,$in0,$in1,$t2);
my ($shr,$shl) = ($t5,$t6); # used on R6
$code.=<<___;
.globl poly1305_blocks
.type poly1305_blocks,\@function
poly1305_blocks:
#ifdef __riscv_zicfilp
lpad 0
#endif
andi $len,$len,-16 # complete blocks only
beqz $len,.Lno_data
caddi $sp,$sp,-4*__SIZEOF_POINTER__
PUSH $s0,3*__SIZEOF_POINTER__($sp)
PUSH $s1,2*__SIZEOF_POINTER__($sp)
PUSH $s2,1*__SIZEOF_POINTER__($sp)
PUSH $s3,0*__SIZEOF_POINTER__($sp)
#ifndef __riscv_misaligned_fast
andi $shr,$inp,7
andi $inp,$inp,-8 # align $inp
slli $shr,$shr,3 # byte to bit offset
neg $shl,$shr # implicit &63 in sll
#endif
ld $h0,0($ctx) # load hash value
ld $h1,8($ctx)
ld $h2,16($ctx)
ld $r0,24($ctx) # load key
ld $r1,32($ctx)
ld $rs1,40($ctx)
add $len,$len,$inp # end of buffer
.Loop:
ld $in0,0($inp) # load input
ld $in1,8($inp)
#ifndef __riscv_misaligned_fast
beqz $shr,.Laligned_inp
ld $tmp2,16($inp)
srl $in0,$in0,$shr
sll $tmp3,$in1,$shl
srl $in1,$in1,$shr
sll $tmp2,$tmp2,$shl
or $in0,$in0,$tmp3
or $in1,$in1,$tmp2
.Laligned_inp:
#endif
caddi $inp,$inp,16
andi $tmp0,$h2,-4 # modulo-scheduled reduction
srli $tmp1,$h2,2
andi $h2,$h2,3
add $d0,$h0,$in0 # accumulate input
add $tmp1,$tmp1,$tmp0
sltu $tmp0,$d0,$h0
add $d0,$d0,$tmp1 # ... and residue
sltu $tmp1,$d0,$tmp1
add $d1,$h1,$in1
add $tmp0,$tmp0,$tmp1
sltu $tmp1,$d1,$h1
add $d1,$d1,$tmp0
add $d2,$h2,$padbit
sltu $tmp0,$d1,$tmp0
mulhu $h1,$r0,$d0 # h0*r0
mul $h0,$r0,$d0
add $d2,$d2,$tmp1
add $d2,$d2,$tmp0
mulhu $tmp1,$rs1,$d1 # h1*5*r1
mul $tmp0,$rs1,$d1
mulhu $h2,$r1,$d0 # h0*r1
mul $tmp2,$r1,$d0
add $h0,$h0,$tmp0
add $h1,$h1,$tmp1
sltu $tmp0,$h0,$tmp0
add $h1,$h1,$tmp0
add $h1,$h1,$tmp2
mulhu $tmp1,$r0,$d1 # h1*r0
mul $tmp0,$r0,$d1
sltu $tmp2,$h1,$tmp2
add $h2,$h2,$tmp2
mul $tmp2,$rs1,$d2 # h2*5*r1
add $h1,$h1,$tmp0
add $h2,$h2,$tmp1
mul $tmp3,$r0,$d2 # h2*r0
sltu $tmp0,$h1,$tmp0
add $h2,$h2,$tmp0
add $h1,$h1,$tmp2
sltu $tmp2,$h1,$tmp2
add $h2,$h2,$tmp2
add $h2,$h2,$tmp3
bne $inp,$len,.Loop
sd $h0,0($ctx) # store hash value
sd $h1,8($ctx)
sd $h2,16($ctx)
POP $s0,3*__SIZEOF_POINTER__($sp) # epilogue
POP $s1,2*__SIZEOF_POINTER__($sp)
POP $s2,1*__SIZEOF_POINTER__($sp)
POP $s3,0*__SIZEOF_POINTER__($sp)
caddi $sp,$sp,4*__SIZEOF_POINTER__
.Lno_data:
ret
.size poly1305_blocks,.-poly1305_blocks
___
}
{
my ($ctx,$mac,$nonce) = ($a0,$a1,$a2);
$code.=<<___;
.globl poly1305_emit
.type poly1305_emit,\@function
poly1305_emit:
#ifdef __riscv_zicfilp
lpad 0
#endif
ld $tmp2,16($ctx)
ld $tmp0,0($ctx)
ld $tmp1,8($ctx)
andi $in0,$tmp2,-4 # final reduction
srl $in1,$tmp2,2
andi $tmp2,$tmp2,3
add $in0,$in0,$in1
add $tmp0,$tmp0,$in0
sltu $in1,$tmp0,$in0
addi $in0,$tmp0,5 # compare to modulus
add $tmp1,$tmp1,$in1
sltiu $tmp3,$in0,5
sltu $tmp4,$tmp1,$in1
add $in1,$tmp1,$tmp3
add $tmp2,$tmp2,$tmp4
sltu $tmp3,$in1,$tmp3
add $tmp2,$tmp2,$tmp3
srli $tmp2,$tmp2,2 # see if it carried/borrowed
neg $tmp2,$tmp2
xor $in0,$in0,$tmp0
xor $in1,$in1,$tmp1
and $in0,$in0,$tmp2
and $in1,$in1,$tmp2
xor $in0,$in0,$tmp0
xor $in1,$in1,$tmp1
lwu $tmp0,0($nonce) # load nonce
lwu $tmp1,4($nonce)
lwu $tmp2,8($nonce)
lwu $tmp3,12($nonce)
slli $tmp1,$tmp1,32
slli $tmp3,$tmp3,32
or $tmp0,$tmp0,$tmp1
or $tmp2,$tmp2,$tmp3
add $in0,$in0,$tmp0 # accumulate nonce
add $in1,$in1,$tmp2
sltu $tmp0,$in0,$tmp0
add $in1,$in1,$tmp0
#ifdef __riscv_misaligned_fast
sd $in0,0($mac) # write mac value
sd $in1,8($mac)
#else
srli $tmp0,$in0,8 # write mac value
srli $tmp1,$in0,16
srli $tmp2,$in0,24
sb $in0,0($mac)
srli $tmp3,$in0,32
sb $tmp0,1($mac)
srli $tmp0,$in0,40
sb $tmp1,2($mac)
srli $tmp1,$in0,48
sb $tmp2,3($mac)
srli $tmp2,$in0,56
sb $tmp3,4($mac)
srli $tmp3,$in1,8
sb $tmp0,5($mac)
srli $tmp0,$in1,16
sb $tmp1,6($mac)
srli $tmp1,$in1,24
sb $tmp2,7($mac)
sb $in1,8($mac)
srli $tmp2,$in1,32
sb $tmp3,9($mac)
srli $tmp3,$in1,40
sb $tmp0,10($mac)
srli $tmp0,$in1,48
sb $tmp1,11($mac)
srli $tmp1,$in1,56
sb $tmp2,12($mac)
sb $tmp3,13($mac)
sb $tmp0,14($mac)
sb $tmp1,15($mac)
#endif
ret
.size poly1305_emit,.-poly1305_emit
.string "Poly1305 for RISC-V, CRYPTOGAMS by \@dot-asm"
___
}
}}} else {{{
######################################################################
# 32-bit code path
#
my ($ctx,$inp,$len,$padbit) = ($a0,$a1,$a2,$a3);
my ($in0,$in1,$in2,$in3,$tmp0,$tmp1,$tmp2,$tmp3) =
($a4,$a5,$a6,$a7,$t0,$t1,$t2,$t3);
$code.=<<___;
#if __riscv_xlen == 32
# if __SIZEOF_POINTER__ == 8
# define PUSH csc
# define POP clc
# else
# define PUSH sw
# define POP lw
# endif
# define MULX(hi,lo,a,b) mulhu hi,a,b; mul lo,a,b
# define srliw srli
# define srlw srl
# define sllw sll
# define addw add
# define addiw addi
# define mulw mul
#elif __riscv_xlen == 64
# if __SIZEOF_POINTER__ == 16
# define PUSH csc
# define POP clc
# else
# define PUSH sd
# define POP ld
# endif
# define MULX(hi,lo,a,b) slli b,b,32; srli b,b,32; mul hi,a,b; addiw lo,hi,0; srai hi,hi,32
#else
# error "unsupported __riscv_xlen"
#endif
.option pic
.text
.globl poly1305_init
.type poly1305_init,\@function
poly1305_init:
#ifdef __riscv_zicfilp
lpad 0
#endif
sw $zero,0($ctx)
sw $zero,4($ctx)
sw $zero,8($ctx)
sw $zero,12($ctx)
sw $zero,16($ctx)
beqz $inp,.Lno_key
#ifndef __riscv_misaligned_fast
andi $tmp0,$inp,3 # $inp % 4
sub $inp,$inp,$tmp0 # align $inp
sll $tmp0,$tmp0,3 # byte to bit offset
#endif
lw $in0,0($inp)
lw $in1,4($inp)
lw $in2,8($inp)
lw $in3,12($inp)
#ifndef __riscv_misaligned_fast
beqz $tmp0,.Laligned_key
lw $tmp2,16($inp)
sub $tmp1,$zero,$tmp0
srlw $in0,$in0,$tmp0
sllw $tmp3,$in1,$tmp1
srlw $in1,$in1,$tmp0
or $in0,$in0,$tmp3
sllw $tmp3,$in2,$tmp1
srlw $in2,$in2,$tmp0
or $in1,$in1,$tmp3
sllw $tmp3,$in3,$tmp1
srlw $in3,$in3,$tmp0
or $in2,$in2,$tmp3
sllw $tmp2,$tmp2,$tmp1
or $in3,$in3,$tmp2
.Laligned_key:
#endif
lui $tmp0,0x10000
addi $tmp0,$tmp0,-1 # 0x0fffffff
and $in0,$in0,$tmp0
addi $tmp0,$tmp0,-3 # 0x0ffffffc
and $in1,$in1,$tmp0
and $in2,$in2,$tmp0
and $in3,$in3,$tmp0
sw $in0,20($ctx)
sw $in1,24($ctx)
sw $in2,28($ctx)
sw $in3,32($ctx)
srlw $tmp1,$in1,2
srlw $tmp2,$in2,2
srlw $tmp3,$in3,2
addw $in1,$in1,$tmp1 # s1 = r1 + (r1 >> 2)
addw $in2,$in2,$tmp2
addw $in3,$in3,$tmp3
sw $in1,36($ctx)
sw $in2,40($ctx)
sw $in3,44($ctx)
.Lno_key:
li $a0,0
ret
.size poly1305_init,.-poly1305_init
___
{
my ($h0,$h1,$h2,$h3,$h4, $r0,$r1,$r2,$r3, $rs1,$rs2,$rs3) =
($s0,$s1,$s2,$s3,$s4, $s5,$s6,$s7,$s8, $t0,$t1,$t2);
my ($d0,$d1,$d2,$d3) =
($a4,$a5,$a6,$a7);
my $shr = $ra; # used on R6
$code.=<<___;
.globl poly1305_blocks
.type poly1305_blocks,\@function
poly1305_blocks:
#ifdef __riscv_zicfilp
lpad 0
#endif
andi $len,$len,-16 # complete blocks only
beqz $len,.Labort
#ifdef __riscv_zcmp
cm.push {ra,s0-s8}, -48
#else
caddi $sp,$sp,-__SIZEOF_POINTER__*12
PUSH $ra, __SIZEOF_POINTER__*11($sp)
PUSH $s0, __SIZEOF_POINTER__*10($sp)
PUSH $s1, __SIZEOF_POINTER__*9($sp)
PUSH $s2, __SIZEOF_POINTER__*8($sp)
PUSH $s3, __SIZEOF_POINTER__*7($sp)
PUSH $s4, __SIZEOF_POINTER__*6($sp)
PUSH $s5, __SIZEOF_POINTER__*5($sp)
PUSH $s6, __SIZEOF_POINTER__*4($sp)
PUSH $s7, __SIZEOF_POINTER__*3($sp)
PUSH $s8, __SIZEOF_POINTER__*2($sp)
#endif
#ifndef __riscv_misaligned_fast
andi $shr,$inp,3
andi $inp,$inp,-4 # align $inp
slli $shr,$shr,3 # byte to bit offset
#endif
lw $h0,0($ctx) # load hash value
lw $h1,4($ctx)
lw $h2,8($ctx)
lw $h3,12($ctx)
lw $h4,16($ctx)
lw $r0,20($ctx) # load key
lw $r1,24($ctx)
lw $r2,28($ctx)
lw $r3,32($ctx)
lw $rs1,36($ctx)
lw $rs2,40($ctx)
lw $rs3,44($ctx)
add $len,$len,$inp # end of buffer
.Loop:
lw $d0,0($inp) # load input
lw $d1,4($inp)
lw $d2,8($inp)
lw $d3,12($inp)
#ifndef __riscv_misaligned_fast
beqz $shr,.Laligned_inp
lw $t4,16($inp)
sub $t5,$zero,$shr
srlw $d0,$d0,$shr
sllw $t3,$d1,$t5
srlw $d1,$d1,$shr
or $d0,$d0,$t3
sllw $t3,$d2,$t5
srlw $d2,$d2,$shr
or $d1,$d1,$t3
sllw $t3,$d3,$t5
srlw $d3,$d3,$shr
or $d2,$d2,$t3
sllw $t4,$t4,$t5
or $d3,$d3,$t4
.Laligned_inp:
#endif
srliw $t3,$h4,2 # modulo-scheduled reduction
andi $t4,$h4,-4
andi $h4,$h4,3
addw $d0,$d0,$h0 # accumulate input
addw $t4,$t4,$t3
sltu $h0,$d0,$h0
addw $d0,$d0,$t4 # ... and residue
sltu $t4,$d0,$t4
addw $d1,$d1,$h1
addw $h0,$h0,$t4 # carry
sltu $h1,$d1,$h1
addw $d1,$d1,$h0
sltu $h0,$d1,$h0
addw $d2,$d2,$h2
addw $h1,$h1,$h0 # carry
sltu $h2,$d2,$h2
addw $d2,$d2,$h1
sltu $h1,$d2,$h1
addw $d3,$d3,$h3
addw $h2,$h2,$h1 # carry
sltu $h3,$d3,$h3
addw $d3,$d3,$h2
MULX ($h1,$h0,$r0,$d0) # d0*r0
sltu $h2,$d3,$h2
addw $h3,$h3,$h2 # carry
MULX ($t4,$t3,$rs3,$d1) # d1*s3
addw $h4,$h4,$padbit
caddi $inp,$inp,16
addw $h4,$h4,$h3
MULX ($t6,$a3,$rs2,$d2) # d2*s2
addw $h0,$h0,$t3
addw $h1,$h1,$t4
sltu $t3,$h0,$t3
addw $h1,$h1,$t3
MULX ($t4,$t3,$rs1,$d3) # d3*s1
addw $h0,$h0,$a3
addw $h1,$h1,$t6
sltu $a3,$h0,$a3
addw $h1,$h1,$a3
MULX ($h2,$a3,$r1,$d0) # d0*r1
addw $h0,$h0,$t3
addw $h1,$h1,$t4
sltu $t3,$h0,$t3
addw $h1,$h1,$t3
MULX ($t4,$t3,$r0,$d1) # d1*r0
addw $h1,$h1,$a3
sltu $a3,$h1,$a3
addw $h2,$h2,$a3
MULX ($t6,$a3,$rs3,$d2) # d2*s3
addw $h1,$h1,$t3
addw $h2,$h2,$t4
sltu $t3,$h1,$t3
addw $h2,$h2,$t3
MULX ($t4,$t3,$rs2,$d3) # d3*s2
addw $h1,$h1,$a3
addw $h2,$h2,$t6
sltu $a3,$h1,$a3
addw $h2,$h2,$a3
mulw $a3,$rs1,$h4 # h4*s1
addw $h1,$h1,$t3
addw $h2,$h2,$t4
sltu $t3,$h1,$t3
addw $h2,$h2,$t3
MULX ($h3,$t3,$r2,$d0) # d0*r2
addw $h1,$h1,$a3
sltu $a3,$h1,$a3
addw $h2,$h2,$a3
MULX ($t6,$a3,$r1,$d1) # d1*r1
addw $h2,$h2,$t3
sltu $t3,$h2,$t3
addw $h3,$h3,$t3
MULX ($t4,$t3,$r0,$d2) # d2*r0
addw $h2,$h2,$a3
addw $h3,$h3,$t6
sltu $a3,$h2,$a3
addw $h3,$h3,$a3
MULX ($t6,$a3,$rs3,$d3) # d3*s3
addw $h2,$h2,$t3
addw $h3,$h3,$t4
sltu $t3,$h2,$t3
addw $h3,$h3,$t3
mulw $t3,$rs2,$h4 # h4*s2
addw $h2,$h2,$a3
addw $h3,$h3,$t6
sltu $a3,$h2,$a3
addw $h3,$h3,$a3
MULX ($t6,$a3,$r3,$d0) # d0*r3
addw $h2,$h2,$t3
sltu $t3,$h2,$t3
addw $h3,$h3,$t3
MULX ($t4,$t3,$r2,$d1) # d1*r2
addw $h3,$h3,$a3
sltu $a3,$h3,$a3
addw $t6,$t6,$a3
MULX ($a3,$d3,$r0,$d3) # d3*r0
addw $h3,$h3,$t3
addw $t6,$t6,$t4
sltu $t3,$h3,$t3
addw $t6,$t6,$t3
MULX ($t4,$t3,$r1,$d2) # d2*r1
addw $h3,$h3,$d3
addw $t6,$t6,$a3
sltu $d3,$h3,$d3
addw $t6,$t6,$d3
mulw $a3,$rs3,$h4 # h4*s3
addw $h3,$h3,$t3
addw $t6,$t6,$t4
sltu $t3,$h3,$t3
addw $t6,$t6,$t3
mulw $h4,$r0,$h4 # h4*r0
addw $h3,$h3,$a3
sltu $a3,$h3,$a3
addw $t6,$t6,$a3
addw $h4,$t6,$h4
li $padbit,1 # if we loop, padbit is 1
bne $inp,$len,.Loop
sw $h0,0($ctx) # store hash value
sw $h1,4($ctx)
sw $h2,8($ctx)
sw $h3,12($ctx)
sw $h4,16($ctx)
#ifdef __riscv_zcmp
cm.popret {ra,s0-s8}, 48
#else
POP $ra, __SIZEOF_POINTER__*11($sp)
POP $s0, __SIZEOF_POINTER__*10($sp)
POP $s1, __SIZEOF_POINTER__*9($sp)
POP $s2, __SIZEOF_POINTER__*8($sp)
POP $s3, __SIZEOF_POINTER__*7($sp)
POP $s4, __SIZEOF_POINTER__*6($sp)
POP $s5, __SIZEOF_POINTER__*5($sp)
POP $s6, __SIZEOF_POINTER__*4($sp)
POP $s7, __SIZEOF_POINTER__*3($sp)
POP $s8, __SIZEOF_POINTER__*2($sp)
caddi $sp,$sp,__SIZEOF_POINTER__*12
#endif
.Labort:
ret
.size poly1305_blocks,.-poly1305_blocks
___
}
{
my ($ctx,$mac,$nonce,$tmp4) = ($a0,$a1,$a2,$a3);
$code.=<<___;
.globl poly1305_emit
.type poly1305_emit,\@function
poly1305_emit:
#ifdef __riscv_zicfilp
lpad 0
#endif
lw $tmp4,16($ctx)
lw $tmp0,0($ctx)
lw $tmp1,4($ctx)
lw $tmp2,8($ctx)
lw $tmp3,12($ctx)
srliw $ctx,$tmp4,2 # final reduction
andi $in0,$tmp4,-4
andi $tmp4,$tmp4,3
addw $ctx,$ctx,$in0
addw $tmp0,$tmp0,$ctx
sltu $ctx,$tmp0,$ctx
addiw $in0,$tmp0,5 # compare to modulus
addw $tmp1,$tmp1,$ctx
sltiu $in1,$in0,5
sltu $ctx,$tmp1,$ctx
addw $in1,$in1,$tmp1
addw $tmp2,$tmp2,$ctx
sltu $in2,$in1,$tmp1
sltu $ctx,$tmp2,$ctx
addw $in2,$in2,$tmp2
addw $tmp3,$tmp3,$ctx
sltu $in3,$in2,$tmp2
sltu $ctx,$tmp3,$ctx
addw $in3,$in3,$tmp3
addw $tmp4,$tmp4,$ctx
sltu $ctx,$in3,$tmp3
addw $ctx,$ctx,$tmp4
srl $ctx,$ctx,2 # see if it carried/borrowed
sub $ctx,$zero,$ctx
xor $in0,$in0,$tmp0
xor $in1,$in1,$tmp1
xor $in2,$in2,$tmp2
xor $in3,$in3,$tmp3
and $in0,$in0,$ctx
and $in1,$in1,$ctx
and $in2,$in2,$ctx
and $in3,$in3,$ctx
xor $in0,$in0,$tmp0
xor $in1,$in1,$tmp1
xor $in2,$in2,$tmp2
xor $in3,$in3,$tmp3
lw $tmp0,0($nonce) # load nonce
lw $tmp1,4($nonce)
lw $tmp2,8($nonce)
lw $tmp3,12($nonce)
addw $in0,$in0,$tmp0 # accumulate nonce
sltu $ctx,$in0,$tmp0
addw $in1,$in1,$tmp1
sltu $tmp1,$in1,$tmp1
addw $in1,$in1,$ctx
sltu $ctx,$in1,$ctx
addw $ctx,$ctx,$tmp1
addw $in2,$in2,$tmp2
sltu $tmp2,$in2,$tmp2
addw $in2,$in2,$ctx
sltu $ctx,$in2,$ctx
addw $ctx,$ctx,$tmp2
addw $in3,$in3,$tmp3
addw $in3,$in3,$ctx
#ifdef __riscv_misaligned_fast
sw $in0,0($mac) # write mac value
sw $in1,4($mac)
sw $in2,8($mac)
sw $in3,12($mac)
#else
srl $tmp0,$in0,8 # write mac value
srl $tmp1,$in0,16
srl $tmp2,$in0,24
sb $in0, 0($mac)
sb $tmp0,1($mac)
srl $tmp0,$in1,8
sb $tmp1,2($mac)
srl $tmp1,$in1,16
sb $tmp2,3($mac)
srl $tmp2,$in1,24
sb $in1, 4($mac)
sb $tmp0,5($mac)
srl $tmp0,$in2,8
sb $tmp1,6($mac)
srl $tmp1,$in2,16
sb $tmp2,7($mac)
srl $tmp2,$in2,24
sb $in2, 8($mac)
sb $tmp0,9($mac)
srl $tmp0,$in3,8
sb $tmp1,10($mac)
srl $tmp1,$in3,16
sb $tmp2,11($mac)
srl $tmp2,$in3,24
sb $in3, 12($mac)
sb $tmp0,13($mac)
sb $tmp1,14($mac)
sb $tmp2,15($mac)
#endif
ret
.size poly1305_emit,.-poly1305_emit
.string "Poly1305 for RISC-V, CRYPTOGAMS by \@dot-asm"
___
}
}}}
foreach (split("\n", $code)) {
if ($flavour =~ /^cheri/) {
s/\(x([0-9]+)\)/(c$1)/ and s/\b([ls][bhwd]u?)\b/c$1/;
s/\b(PUSH|POP)(\s+)x([0-9]+)/$1$2c$3/ or
s/\b(ret|jal)\b/c$1/;
s/\bcaddi?\b/cincoffset/ and s/\bx([0-9]+,)/c$1/g or
m/\bcmove\b/ and s/\bx([0-9]+)/c$1/g;
} else {
s/\bcaddi?\b/add/ or
s/\bcmove\b/mv/;
}
print $_, "\n";
}
close STDOUT;