Aes Amnesia.S

aes-amnesia.S.
txt
1 // Amnesia Security AES Implementation
2 // Based on code (c) Jari Ruusu 2004 and (c) Dr. Brian Gladman 2001
3 // Modifications (c) Patrick Simmons 2010
4
5 //This is designed to work with loop-aes
6
7 // void aes_set_key(aes_context *cx, const unsigned char key[], const int
key_len, const int f)
8 // void aes_encrypt(const aes_context *cx, const unsigned char in_blk[],
unsigned char out_blk[])
9 // void aes_decrypt(const aes_context *cx, const unsigned char in_blk[],
unsigned char out_blk[])
10
11 #if defined(USE_UNDERLINE)
12 # define aes_set_key _aes_set_key
13 # define aes_encrypt _aes_encrypt
14 # define aes_decrypt _aes_decrypt
15 #endif
16 #if !defined(ALIGN64BYTES)
17 # define ALIGN64BYTES 64
18 #endif
19
20
.file
"aes-amnesia.S"
21
.globl aes_set_key
22
.globl aes_encrypt
23
.globl aes_decrypt
24
25 .section .rodata
26
27 copyright:
28
.ascii "
\000"
29
.ascii "Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>,
Worcester, UK.\000"
30
.ascii "All rights reserved.\000"
31
.ascii "
\000"
32
.ascii "TERMS\000"
33
.ascii "
\000"
34
.ascii " Redistribution and use in source and binary forms, with or
without\000"
35
.ascii " modification, are permitted subject to the following
conditions:\000"
36
.ascii "
\000"
37
.ascii " 1. Redistributions of source code must retain the above
copyright\000"
38
.ascii "
notice, this list of conditions and the following
disclaimer.\000"
39
.ascii "
\000"
40
.ascii " 2. Redistributions in binary form must reproduce the above
Page 1
aes-amnesia.S.txt
" 2. Redistributions in binary form must reproduce the above
copyright\000"
41
.ascii "
notice, this list of conditions and the following disclaimer
in the\000"
42
.ascii "
documentation and/or other materials provided with the
distribution.\000"
43
.ascii "
\000"
44
.ascii " 3. The copyright holder's name must not be used to endorse or
promote\000"
45
.ascii "
any products derived from this software without his specific
prior\000"
46
.ascii "
written permission.\000"
47
.ascii "
\000"
48
.ascii " This software is provided 'as is' with no express or implied
warranties\000"
49
.ascii " of correctness or fitness for purpose.\000"
50
.ascii "
\000"
51
52 #define tlen
1024
// length of each of 4 'xor' arrays (256 32-bit
words)
53
54 // offsets in context structure
55
56 #define nkey
0
// key length, size 4
57 #define nrnd
4
// number of rounds, size 4
58 #define ekey
8
// encryption key schedule base address, size 256
59 #define dkey
264 // decryption key schedule base address, size 256
60
61 //#define DEBUG_HARNESS
62
63 #ifdef DEBUG_HARNESS
64 .extern dummy_wrmsr
65 .extern dummy_rdmsr
66
67 harness_wrmsr:
68
RET
69
PUSHQ %RAX
70
PUSHQ %RCX
71
PUSHQ %RDX
72
PUSHQ %RSI
73
PUSHQ %RDI
74
PUSHQ %R8
75
PUSHQ %R9
76
PUSHQ %R10
77
PUSHQ %R11
78
MOVL %ECX, %EDI
79
MOVL %EDX, %ESI
80
MOVL %EAX, %EDX
81
CALL dummy_wrmsr
Page 2
aes-amnesia.S.txt
82
POPQ %R11
83
POPQ %R10
84
POPQ %R9
85
POPQ %R8
86
POPQ %RDI
87
POPQ %RSI
88
POPQ %RDX
89
POPQ %RCX
90
POPQ %RAX
91
RET
92
93 harness_rdmsr:
94
RET
95
PUSHQ %RCX
96
PUSHQ %RSI
97
PUSHQ %RDI
98
PUSHQ %R8
99
PUSHQ %R9
100
PUSHQ %R10
101
PUSHQ %R11
102
MOVL %ECX, %EDI
103
CALL dummy_rdmsr
104
MOVQ %RAX, %RDX
105
SHRQ $32, %RDX
106
ADDL $0, %EAX
107
POPQ %R11
108
POPQ %R10
109
POPQ %R9
110
POPQ %R8
111
POPQ %RDI
112
POPQ %RSI
113
POPQ %RCX
114
RET
115 #endif
116
117 // This macro performs a forward encryption cycle. It is entered with
118 // the first previous round column values in I1E, I2E, I3E and I4E and
119 // exits with the final values OU1, OU2, OU3 and OU4 registers.
120 //Directly uses RDI, RSI, R8, and R13
121
122 #define fwd_rnd
(p1,I1E,I1B,I1H,I2E,I2B,I2H,I3E,I3B,I3R,I4E,I4B,I4R,OU1,OU2,OU3,OU4) \
123
movzbl I1B,%edi
;\
124
movzbl I2B,%esi
;\
125
movzbl I3B,%r8d
;\
126
movzbl I4B,%r13d
;\
127
shrl
$8,I3E
;\
128
shrl
$8,I4E
;\
Page 3
aes-amnesia.S.txt
129
xorl
p1(,%rdi,4),OU1
;\
130
xorl
p1(,%rsi,4),OU2
;\
131
xorl
p1(,%r8,4),OU3
;\
132
xorl
p1(,%r13,4),OU4
;\
133
movzbl I2H,%esi
;\
134
movzbl I3B,%r8d
;\
135
movzbl I4B,%r13d
;\
136
movzbl I1H,%edi
;\
137
shrl
$8,I3E
;\
138
shrl
$8,I4E
;\
139
xorl
p1+tlen(,%rsi,4),OU1
;\
140
xorl
p1+tlen(,%r8,4),OU2 ;\
141
xorl
p1+tlen(,%r13,4),OU3
;\
142
xorl
p1+tlen(,%rdi,4),OU4
;\
143
shrl
$16,I1E
;\
144
shrl
$16,I2E
;\
145
movzbl I3B,%r8d
;\
146
movzbl I4B,%r13d
;\
147
movzbl I1B,%edi
;\
148
movzbl I2B,%esi
;\
149
xorl
p1+2*tlen(,%r8,4),OU1
;\
150
xorl
p1+2*tlen(,%r13,4),OU2 ;\
151
xorl
p1+2*tlen(,%rdi,4),OU3 ;\
152
xorl
p1+2*tlen(,%rsi,4),OU4 ;\
153
shrl
$8,I4E
;\
154
movzbl I1H,%edi
;\
155
movzbl I2H,%esi
;\
156
shrl
$8,I3E
;\
157
xorl
p1+3*tlen(,I4R,4),OU1
;\
158
xorl
159
xorl
160
xorl
161
162 // This macro performs an inverse encryption cycle. It is entered with
163 // the first previous round column values in I1E, I2E, I3E and I4E and
164 // exits with the final values OU1, OU2, OU3 and OU4 registers.
165 //Directly uses RDI, RSI, R8, and R13
166
167 #define inv_rnd
(p1,I1E,I1B,I1R,I2E,I2B,I2R,I3E,I3B,I3H,I4E,I4B,I4H,OU1,OU2,OU3,OU4) \
168
movzbl I4B,%edi
;\
169
movzbl I3B,%esi
;\
170
movzbl I2B,%r8d
;\
171
movzbl I1B,%r13d
;\
172
shrl
$8,I2E
;\
173
shrl
$8,I1E
;\
174
xorl
p1(,%rdi,4),OU4
;\
175
xorl
p1(,%rsi,4),OU3
;\
Page 4
aes-amnesia.S.txt
176
xorl
p1(,%r8,4),OU2
;\
177
xorl
p1(,%r13,4),OU1
;\
178
movzbl I3H,%esi
;\
179
movzbl I2B,%r8d
;\
180
movzbl I1B,%r13d
;\
181
movzbl I4H,%edi
;\
182
shrl
$8,I2E
;\
183
shrl
$8,I1E
;\
184
xorl
p1+tlen(,%rsi,4),OU4
;\
185
xorl
p1+tlen(,%r8,4),OU3 ;\
186
xorl
p1+tlen(,%r13,4),OU2
;\
187
xorl
p1+tlen(,%rdi,4),OU1
;\
188
shrl
$16,I4E
;\
189
shrl
$16,I3E
;\
190
movzbl I2B,%r8d
;\
191
movzbl I1B,%r13d
;\
192
movzbl I4B,%edi
;\
193
movzbl I3B,%esi
;\
194
xorl
p1+2*tlen(,%r8,4),OU4
;\
195
xorl
p1+2*tlen(,%r13,4),OU3 ;\
196
xorl
197
xorl
198
shrl
$8,I1E
;\
199
movzbl I4H,%edi
;\
200
movzbl I3H,%esi
;\
201
shrl
$8,I2E
;\
202
xorl
;\
203
xorl
204
xorl
205
xorl
206
207 //--------------208
209
.bss
210
211
.lcomm intel_or_amd, 4
212
213
.text
214
.align ALIGN64BYTES
215
216 #define mix_col(p1, r4d, r4l, r4h, t1d, t2d, t2r)
217
movzbl %r4l,%t2d
;\
218
movl
p1(,%t2r,4),%t1d
;\
219
movzbl %r4h,%t2d
;\
220
ror $16,%r4d
;\
221
xorl
p1+tlen(,%t2r,4),%t1d
;\
222
movzbl %r4l,%t2d
;\
223
xorl
p1+2*tlen(,%t2r,4),%t1d ;\
Page 5
aes-amnesia.S.txt
224
movzbl %r4h,%t2d
;\
225
xorl
p1+3*tlen(,%t2r,4),%t1d
226
227 // Key Schedule Macros
228
229 #define ksc4(p1, r1d, r2d, r3d, r4d, r4l, r4h, t1d, t2d, t2r)
\
230
rol $24,%r4d
;\
231
mix_col(aes_fl_tab, r4d, r4l, r4h, t1d, t2d, t2r)
;\
232
ror $8,%r4d
;\
233
xorl
4*p1+aes_rcon_tab,%t1d ;\
234
xorl
%t1d,%r1d
;\
235
xorl
%r1d,%r2d
;\
236
xorl
%r2d,%r3d
;\
237
xorl
%r3d,%r4d
238
239 // This macro generates the previous forward round key given the current one
240 // and the round number of the PREVIOUS round.
241 // To use this for decryption, you still need to do the
242 // inverse mix column operation.
243 // T3D and T3B must be at least tier 2 registers.
244 #define inv4(P1, R1D, R1B, R2D, R2B, R3D, R3L, R3H, R4D, R4L, R4H, T1D, T1B,
T2D, T2B, T2R, T3D, T3B) \
245
MOVZBL %R4H, %T2D /*B1*/; \
246
MOVZBL %R3H, %T3D
; \
247
XORB %T3B, %T2B
; \
248
MOVL aes_fl_tab(,%T2R,4), %T1D ; \
249
XORL 4*P1+aes_rcon_tab, %T1D ; \
250
XORB %R1B, %T1B
; \
251
ROLL $8, %T1D
; \
252
; \
253
ROLL $8, %R1D
/*B4*/ ; \
254
MOVB %R4L, %T2B
; \
255
XORB %R3L, %T2B
; \
256
257
XORB %R1B, %T2B
; \
258
ADDL %T2D, %T1D
; \
259
ROLL $8, %T1D
; \
260
; \
261
ROLL $8, %R1D
/*B3*/ ; \
262
ROLL $16, %R3D
; \
263
ROLL $16, %R4D
; \
264
MOVZBL %R4H, %T2D
; \
265
MOVZBL %R3H, %T3D
; \
266
XORB %T3B, %T2B
; \
267
268
XORB %R1B, %T2B
; \
269
ADDL %T2D, %T1D
; \
270
ROLL $8, %T1D
; \
Page 6
aes-amnesia.S.txt
271
; \
272
ROLL $8, %R1D
/*B2*/ ; \
273
MOVB %R4L, %T2B
; \
274
XORB %R3L, %T2B
; \
275
276
XORB %R1B, %T2B
; \
277
ADDL %T2D, %T1D
; \
278
ROLL $8, %T1D
; \
279
; \
280
ROLL $8, %R1D
; \
281
ROLL $16, %R3D
; \
282
ROLL $16, %R4D
; \
283
/*Take care of the trailing three bytes*/ \
284
/*Must be in this order due to dependencies.*/ \
285
XORL %R3D, %R4D
; \
286
XORL %R2D, %R3D
; \
287
XORL %R1D, %R2D
; \
288
/*Overwrite high input word with high output word, and we're done.*/ \
289
MOVL %T1D, %R1D
290
291 #define backup_key(r1, r2, r3, r4, r5, r6) \
292
MOVQ %r1, %r5 ;\
293
MOVQ %r3, %r6 ;\
294
SALQ $32, %r5 ;\
295
SALQ $32, %r6 ;\
296
ADDQ %r2, %r5 ;\
297
ADDQ %r4, %r6
298
299 #define restore_key(r1d, r1, r2d, r2, r3d, r4d, r5d, r6d) \
300
MOVL %r1d, %r4d ;\
301
MOVL %r2d, %r6d ;\
302
SHRQ $32, %r1 ;\
303
SHRQ $32, %r2 ;\
304
MOVL %r1d, %r3d ;\
305
MOVL %r2d, %r5d
306
308 .globl test_ksc4
309 .globl test_inv4
310
311 //RDI,RSI,RDX,RCX,R8
312
313 test_ksc4:
314
ksc4(0,EDI,ESI,EDX,ECX,CL,CH,R9D,EAX,RAX)
315
MOVL %EDI, (%R8)
316
MOVL %ESI, 4(%R8)
317
MOVL %EDX, 8(%R8)
318
MOVL %ECX, 12(%R8)
Page 7
aes-amnesia.S.txt
319
RET
320
321 test_inv4:
322
PUSHQ %RBX
323
inv4(0,EDI,DIL,ESI,SIL,EDX,DL,DH,ECX,CL,CH,R9D,R9B,EAX,AL,RAX,EBX,BL)
324
POPQ %RBX
325
MOVL %EDI, (%R8)
326
MOVL %ESI, 4(%R8)
327
MOVL %EDX, 8(%R8)
328
MOVL %ECX, 12(%R8)
329
RET
330
331 #endif
332
333 //Called with key in EBX EDX R14D R15D
334 //
plaintext in EAX ECX R10D R11D
335 //Consumes plaintext and outputs ciphertext to EAX ECX R10D R11D
336 //Uses temporary registers RDI, RSI, R8, R13, R9, R12
337 aes_encrypt_internal:
338
//Simultaneous key expansion and encryption
339
//Input plaintext: EAX ECX R10D R11D
340
//Input key: EBX EDX R14D R15D (input key is OU1 ... OU4)
341
//Registers used by fwd_rnd: RDI, RSI, R8, and R13
342
//Registers used by ksc4: (four registers of previous round key)
343
//
(two temporary registers)
344
345
//XOR in first round key
346
XORL %EBX, %EAX
347
XORL %EDX, %ECX
348
XORL %R14D, %R10D
349
XORL %R15D, %R11D
350
351
XCHG %EDX, %R15D
352
ksc4(0, EBX, R15D, R14D, EDX, DL, DH, EDI, ESI, RSI)
353
XCHG %EDX, %R15D
354
backup_key(RBX, RDX, R14, R15, R9, R12)
355
fwd_rnd(aes_ft_tab,%eax,%al,%ah,%ecx,%cl,%ch,%r10d,%r10b,%r10,%r11d,%
r11b,%r11,%ebx,%edx,%r14d,%r15d)
356
357
restore_key(R9D, R9, R12D, R12, EAX, R11D, R10D, ECX)
358
ksc4(1, EAX, R11D, R10D, ECX, CL, CH, EDI, ESI, RSI)
359
XCHG %ECX, %R11D
360
backup_key(RAX, RCX, R10, R11, R9, R12)
361
fwd_rnd(aes_ft_tab, %ebx,%bl,%bh,%edx,%dl,%dh,%r14d,%r14b,%r14,%r15d,%
r15b,%r15,%eax,%ecx,%r10d,%r11d)
362
363
restore_key(R9D, R9, R12D, R12, EBX, R15D, R14D, EDX)
364
Page 8
aes-amnesia.S.txt
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
XCHG %EDX, %R15D

XCHG %ECX, %R11D
XCHG %EDX, %R15D
XCHG %ECX, %R11D
XCHG %EDX, %R15D
XCHG %ECX, %R11D
XCHG %EDX, %R15D
Page 9
aes-amnesia.S.txt
406
407
408
XCHG %ECX, %R11D
fwd_rnd(aes_fl_tab, %ebx,%bl,%bh,%edx,%dl,%dh,%r14d,%r14b,%r14,%r15d,%
409
410
RET
411
412 //Called with key in EBX EDX R14D R15D
413 //
ciphertext in EAX ECX R10D R11D
414 //Consumes ciphertext and outputs plaintext to EAX ECX R10D R11D
415 //Uses temporary registers RDI, RSI, R8, R13, R9, R12
416 aes_decrypt_internal:
417
//Simultaneous key expansion and encryption
418
//Input ciphertext: EAX ECX R10D R11D
419
//Input key: EBX EDX R14D R15D (input key is OU1 ... OU4)
420
//Registers used by inv_rnd: RDI, RSI, R8, and R13
421
//Registers used by inv4: (four registers of previous round key)
422
//
(two temporary registers)
423
424
//Swap input registers
425
XCHG %R11D, %EAX
426
XCHG %R10D, %ECX
427
XCHG %EBX, %R15D
428
XCHG %EDX, %R14D
429
430
//XOR in first round key
431
XORL %R15D, %R11D
432
XORL %R14D, %R10D
433
XORL %EDX, %ECX
434
XORL %EBX, %EAX
435
436
inv4
(9,R15D,R15B,R14D,R14B,EDX,DL,DH,EBX,BL,BH,R8D,R8B,ESI,SIL,RSI,EDI,DIL)
437
backup_key(R15, R14, RDX, RBX, R9, R12)
438
XCHG %R15D, %EAX
439
XCHG %R14D, %ECX
440
mix_col(aes_im_tab,EAX,AL,AH,EDI,ESI,RSI)
441
MOVL %EDI, %EAX
442
mix_col(aes_im_tab,EBX,BL,BH,EDI,ESI,RSI)
443
MOVL %EDI, %EBX
444
mix_col(aes_im_tab,ECX,CL,CH,EDI,ESI,RSI)
445
MOVL %EDI, %ECX
446
mix_col(aes_im_tab,EDX,DL,DH,EDI,ESI,RSI)
447
MOVL %EDI, %EDX
448
XCHG %R15D, %EAX
449
XCHG %R14D, %ECX
450
inv_rnd(aes_it_tab,%r11d,%r11b,%r11,%r10d,%r10b,%r10,%ecx,%cl,%ch,%eax,%
al,%ah,%r15d,%r14d,%edx,%ebx)
Page 10
aes-amnesia.S.txt
451
452
453
restore_key(R9D,R9,R12D,R12,R11D,R10D,ECX,EAX)
inv4
(8,R11D,R11B,R10D,R10B,ECX,CL,CH,EAX,AL,AH,R8D,R8B,ESI,SIL,RSI,EDI,DIL)
454
backup_key(R11,R10,RCX,RAX,R9,R12)
455
XCHG %R11D, %EBX
456
XCHG %R10D, %EDX
457
458
MOVL %EDI, %EAX
459
460
MOVL %EDI, %EBX
461
462
MOVL %EDI, %ECX
463
464
MOVL %EDI, %EDX
465
XCHG %R11D, %EBX
466
XCHG %R10D, %EDX
467
inv_rnd(aes_it_tab,%r15d,%r15b,%r15,%r14d,%r14b,%r14,%edx,%dl,%dh,%ebx,%
bl,%bh,%r11d,%r10d,%ecx,%eax)
468
469
restore_key(R9D,R9,R12D,R12,R15D,R14D,EDX,EBX)
470
inv4
471
472
XCHG %R15D, %EAX
473
XCHG %R14D, %ECX
474
475
MOVL %EDI, %EAX
476
477
MOVL %EDI, %EBX
478
479
MOVL %EDI, %ECX
480
481
MOVL %EDI, %EDX
482
XCHG %R15D, %EAX
483
XCHG %R14D, %ECX
484
485
486
487
inv4
488
489
XCHG %R11D, %EBX
490
XCHG %R10D, %EDX
491
492
MOVL %EDI, %EAX
493
Page 11
aes-amnesia.S.txt
494
495
496
497
498
499
500
501
MOVL %EDI, %EBX

MOVL %EDI, %ECX
MOVL %EDI, %EDX
XCHG %R11D, %EBX
XCHG %R10D, %EDX
502
503
504
inv4
505
506
XCHG %R15D, %EAX
507
XCHG %R14D, %ECX
508
509
MOVL %EDI, %EAX
510
511
MOVL %EDI, %EBX
512
513
MOVL %EDI, %ECX
514
515
MOVL %EDI, %EDX
516
XCHG %R15D, %EAX
517
XCHG %R14D, %ECX
518
519
520
521
inv4
522
523
XCHG %R11D, %EBX
524
XCHG %R10D, %EDX
525
526
MOVL %EDI, %EAX
527
528
MOVL %EDI, %EBX
529
530
MOVL %EDI, %ECX
531
532
MOVL %EDI, %EDX
533
XCHG %R11D, %EBX
534
XCHG %R10D, %EDX
535
536
Page 12
aes-amnesia.S.txt
537
538
inv4
539
540
XCHG %R15D, %EAX
541
XCHG %R14D, %ECX
542
543
MOVL %EDI, %EAX
544
545
MOVL %EDI, %EBX
546
547
MOVL %EDI, %ECX
548
549
MOVL %EDI, %EDX
550
XCHG %R15D, %EAX
551
XCHG %R14D, %ECX
552
553
554
555
inv4
556
557
XCHG %R11D, %EBX
558
XCHG %R10D, %EDX
559
560
MOVL %EDI, %EAX
561
562
MOVL %EDI, %EBX
563
564
MOVL %EDI, %ECX
565
566
MOVL %EDI, %EDX
567
XCHG %R11D, %EBX
568
XCHG %R10D, %EDX
569
570
571
572
inv4
573
574
XCHG %R15D, %EAX
575
XCHG %R14D, %ECX
576
577
MOVL %EDI, %EAX
578
579
MOVL %EDI, %EBX
Page 13
aes-amnesia.S.txt
580
581
582
583
584
585
586
MOVL %EDI, %ECX
MOVL %EDI, %EDX
XCHG %R15D, %EAX
XCHG %R14D, %ECX
587
588
589
inv4
590
inv_rnd(aes_il_tab,%r15d,%r15b,%r15,%r14d,%r14b,%r14,%edx,%dl,%dh,%ebx,%
591
592
//Swap order of ciphertext
593
XCHG %R11D, %EAX
594
XCHG %R10D, %ECX
595
596
RET
597
598 aes_encrypt:
599
PUSHQ %RBP
600
LEAQ (aes_encrypt_internal), %RBP
601
LEAQ ekey(%RDI), %RDI
602
CALL aes_cipher
603
POPQ %RBP
604
RET
605
606 aes_decrypt:
607
PUSHQ %RBP
608
LEAQ (aes_decrypt_internal), %RBP
609
LEAQ dkey(%RDI), %RDI
610
CALL aes_cipher
611
POPQ %RBP
612
RET
613
614 //void aes_encrypt/aes_decrypt(const aes_context *cx, const unsigned char
in_blk[], unsigned char out_blk[])
615 //
rdi
rsi
rdx
616 // in_blk and out_blk are both 16-byte buffers
617 aes_cipher:
618
//Push rFLAGS on stack
619
PUSHFQ
620
621
//Push all callee-saved registers except RBP (which was pushed by our
caller and contains an argument we care about). Optimize this later.
622
PUSHQ %RBX
Page 14
aes-amnesia.S.txt
623
PUSHQ %R12
624
PUSHQ %R13
625
PUSHQ %R14
626
PUSHQ %R15
627
628
//Also push RSI and RDX since they contain arguments we care about
629
PUSHQ %RDX
630
PUSHQ %RSI
631
632
//Disable interrupts.
633 #ifndef DEBUG_HARNESS
634
CLI
635 #endif
636
637
//Copy the secret XOR quantity into a register.
638
//We need to switch on whether we are an Intel or AMD processor.
639
MOVL (intel_or_amd), %R9D
640
SUBL $1, %R9D
641
JE use_intel
642
643
//We are AMD: C0010004 C0010005 C0010006 C0010007
644
MOVL $0xC0010004, %ECX
646
CALL harness_rdmsr
647 #else
648
RDMSR
649 #endif
650
MOVL %EAX, %EBX
651
653
CALL harness_rdmsr
654 #else
655
RDMSR
656 #endif
657
MOVL %EAX, %R12D
658
660
CALL harness_rdmsr
661 #else
662
RDMSR
663 #endif
664
MOVL %EAX, %R14D
665
667
CALL harness_rdmsr
668 #else
669
RDMSR
670 #endif
Page 15
aes-amnesia.S.txt
671
MOVL %EAX, %R15D
672
673
JMP master_copied
674
675 use_intel:
676
//We are Intel: C1 C2 309 30A
677
MOVL $0xC1, %ECX
679
CALL harness_rdmsr
680 #else
681
RDMSR
682 #endif
683
MOVL %EAX, %EBX
684
MOVL $0xC2, %ECX
686
CALL harness_rdmsr
687 #else
688
RDMSR
689 #endif
690
MOVL %EAX, %R12D
691
MOVL $0x309, %ECX
693
CALL harness_rdmsr
694 #else
695
RDMSR
696 #endif
697
MOVL %EAX, %R14D
698
MOVL $0x30A, %ECX
700
CALL harness_rdmsr
701 #else
702
RDMSR
703 #endif
704
MOVL %EAX, %R15D
705
706 master_copied:
707
//Shuffle master key into proper registers
708
MOVL %R12D, %EDX
709
710
//Load encrypted key value
711
MOVL (%RDI), %EAX
712
MOVL 4(%RDI), %ECX
713
MOVL 8(%RDI), %R10D
714
MOVL 12(%RDI), %R11D
715
716
//Decrypt key (use encryption function because it's faster)
717
CALL aes_encrypt_internal
718
Page 16
aes-amnesia.S.txt
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
//Get our input plaintext pointer back off the stack

POPQ %RSI
//Shuffle decrypted key into appropriate registers
MOVL %EAX, %EBX
MOVL %ECX, %EDX
MOVL %R10D, %R14D
MOVL %R11D, %R15D
//Read in plaintext
MOVL (%RSI), %EAX
MOVL 4(%RSI), %ECX
MOVL 8(%RSI), %R10D
MOVL 12(%RSI), %R11D
//Do actual encryption or decryption
CALL %RBP
//Get our output ciphertext pointer back off the stack
POPQ %RDX
//Output ciphertext
MOVL %EAX, (%RDX)
MOVL %ECX, 4(%RDX)
MOVL %R10D, 8(%RDX)
MOVL %R11D, 12(%RDX)
//Pop callee-save registers
POPQ %R15
POPQ %R14
POPQ %R13
POPQ %R12
POPQ %RBX
//Zero callee-save registers!!! We MUST do this before enabling

interrupts,
754
//or we risk leaking information!
755
//Optimize this later.
756
XORQ %RAX, %RAX
757
XORQ %RCX, %RCX
758
XORQ %RDX, %RDX
759
XORQ %R8, %R8
760
XORQ %R9, %R9
761
XORQ %R10, %R10
762
XORQ %R11, %R11
763
XORQ %RDI, %RDI
764
XORQ %RSI, %RSI
765
Page 17
aes-amnesia.S.txt
766
//Pop the flags, which will (probably) reenable interrupts
767
POPFQ
768
769
//Return to caller
770
RET
771
772
773 .extern get_random_bytes
774
775 // rdi = pointer to AES context
776 // rsi = pointer to key bytes
777 // rdx = key length, bytes or bits
778 // rcx = ed_flag, 1=encrypt only, 0=both encrypt and decrypt
779
780
.align ALIGN64BYTES
781 aes_set_key:
782
783
//Push flags, disable interrupts
784
PUSHFQ
785 #ifndef DEBUG_HARNESS
786
CLI
787 #endif
788
789
//Key-setting routine here
790
//Return value of a function call stored in %RAX
791
792
//Initial register pushes
793
XORL %EAX, %EAX
794
XORL %EDX, %EDX
795
PUSHQ %RBX
796
PUSHQ %R12
797
PUSHQ %R13
798
PUSHQ %R14
799
PUSHQ %R15
800
PUSHQ %RDI
801
PUSHQ %RSI
802
803
//See if we are the very first keyset method called
804
MOVL (intel_or_amd), %EAX
805
CMPL $0, %EAX
806
JE create_master_key
807
808
//Determine whether we are Intel or AMD
809
//Key in registers: EBX EDX R14D R15D
810
SUBL $1, %EAX
811
JE load_intel
812
813
//We are AMD: C0010004 C0010005 C0010006 C0010007
Page 18
aes-amnesia.S.txt
814
816
CALL harness_rdmsr
817 #else
818
RDMSR
819 #endif
820
MOVL %EAX, %EBX
821
822
824
CALL harness_rdmsr
825 #else
826
RDMSR
827 #endif
828
MOVL %EAX, %R8D
829
830
832
CALL harness_rdmsr
833 #else
834
RDMSR
835 #endif
836
MOVL %EAX, %R14D
837
838
840
CALL harness_rdmsr
841 #else
842
RDMSR
843 #endif
844
MOVL %EAX, %R15D
845
846
MOVL %R8D, %EDX
847
JMP set_key_vendor_independent
848
849 load_intel:
850
851
MOVL $0xC1, %ECX
853
CALL harness_rdmsr
854 #else
855
RDMSR
856 #endif
857
MOVL %EAX, %EBX
858
859
MOVL $0xC2, %ECX
861
CALL harness_rdmsr
Page 19
aes-amnesia.S.txt
862 #else
863
RDMSR
864 #endif
865
MOVL %EAX, %R8D
866
867
MOVL $0x309, %ECX
869
CALL harness_rdmsr
870 #else
871
RDMSR
872 #endif
873
MOVL %EAX, %R14D
874
875
MOVL $0x30A, %ECX
877
CALL harness_rdmsr
878 #else
879
RDMSR
880 #endif
881
MOVL %EAX, %R15D
882
883
MOVL %R8D, %EDX
884
885
886 create_master_key:
887
//Use the cryptographically secure get_random_bytes to get 16 bytes of
true random data
888
SUBQ $16, %RSP
889
MOVQ %RSP, %RDI
890
MOVQ $16, %RSI
891
CALL get_random_bytes
892
MOVQ %RSP, %RDI
893
ADDQ $16, %RSP
894
895
//We need to get the CPU ID string
896
XORL %EAX, %EAX
897
CPUID
898
RORL $8, %EBX
899
SHRL $24, %EBX
900
CMPL $0x47, %EBX
901
JE set_intel
902
903
//We are AMD: C0010004 C0010005 C0010006 C0010007
904
MOVL $2, intel_or_amd
905
XORL %EDX, %EDX
906
MOVL (%RDI), %EAX
907
MOVL %EAX, %EBX
908
MOVL $0, (%RDI)
Page 20
aes-amnesia.S.txt
909
911
CALL harness_wrmsr
912 #else
913
WRMSR
914 #endif
915
XORL %EDX, %EDX
916
MOVL 4(%RDI), %EAX
917
MOVL %EAX, %R8D
918
MOVL $0, 4(%RDI)
919
921
CALL harness_wrmsr
922 #else
923
WRMSR
924 #endif
925
XORL %EDX, %EDX
926
MOVL 8(%RDI), %EAX
927
MOVL %EAX, %R14D
928
MOVL $0, 8(%RDI)
929
931
CALL harness_wrmsr
932 #else
933
WRMSR
934 #endif
935
XORL %EDX, %EDX
936
MOVL 12(%RDI), %EAX
937
MOVL %EAX, %R15D
938
MOVL $0, 12(%RDI)
939
941
CALL harness_wrmsr
942 #else
943
WRMSR
944 #endif
945
946
MOVL %R8D, %EDX
947
948
949 set_intel:
950
951
MOVL $1, intel_or_amd
952
XORL %EDX, %EDX
953
MOVL (%RDI), %EAX
954
MOVL %EAX, %EBX
955
MOVL $0, (%RDI)
956
MOVL $0xC1, %ECX
Page 21
aes-amnesia.S.txt
958
CALL harness_wrmsr
959 #else
960
WRMSR
961 #endif
962
XORL %EDX, %EDX
963
MOVL 4(%RDI), %EAX
964
MOVL %EAX, %R8D
965
MOVL $0, 4(%RDI)
966
MOVL $0xC2, %ECX
968
CALL harness_wrmsr
969 #else
970
WRMSR
971 #endif
972
XORL %EDX, %EDX
973
MOVL 8(%RDI), %EAX
974
MOVL %EAX, %R14D
975
MOVL $0, 8(%RDI)
976
MOVL $0x309, %ECX
978
CALL harness_wrmsr
979 #else
980
WRMSR
981 #endif
982
XORL %EDX, %EDX
983
MOVL 12(%RDI), %EAX
984
MOVL %EAX, %R15D
985
MOVL $0, 12(%RDI)
986
MOVL $0x30A, %ECX
988
CALL harness_wrmsr
989 #else
990
WRMSR
991 #endif
992
993
MOVL %R8D, %EDX
994
995
996 set_key_vendor_independent:
997
//We now need to "decrypt" the context keys.
998
//Run the master key through ksc4
999
XCHG %EDX, %R15D
1000
ksc4(0, EBX, R15D, R14D, EDX, DL, DH, EDI, ESI,
1001
1002
1003
1004
Page 22
RSI)
RSI)
RSI)
RSI)
RSI)
aes-amnesia.S.txt
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
ksc4(5, EBX, R15D,

ksc4(6, EBX, R15D,
ksc4(7, EBX, R15D,
ksc4(8, EBX, R15D,
ksc4(9, EBX, R15D,
XCHG %EDX, %R15D
R14D,
R14D,
R14D,
R14D,
R14D,
EDX,
EDX,
EDX,
EDX,
EDX,
DL,
DL,
DL,
DL,
DL,
DH,
DH,
DH,
DH,
DH,
EDI,
EDI,
EDI,
EDI,
EDI,
ESI,
ESI,
ESI,
ESI,
ESI,
RSI)
RSI)
RSI)
RSI)
RSI)
//Back the 10th round master key up

MOVQ %R9, %MM0
MOVQ %R12, %MM1
//Read zero-round context key into appropriate registers
POPQ %RSI
MOVL (%RSI), %EAX
MOVL 4(%RSI), %ECX
MOVL 8(%RSI), %R10D
MOVL 12(%RSI), %R11D
//Call decryption routine
PUSHQ %RSI
CALL aes_decrypt_internal
POPQ %RSI
//Re-read zero-round context key into available registers
MOVL (%RSI), %EBX
MOVL 4(%RSI), %R15D
MOVL 8(%RSI), %R14D
MOVL 12(%RSI), %EDX
//Write encrypted zero-round context key
POPQ %RDI
LEAQ ekey(%RDI), %RSI
MOVL %EAX, (%RSI)
MOVL %ECX, 4(%RSI)
MOVL %R10D, 8(%RSI)
MOVL %R11D, 12(%RSI)
//Calculate pointer to 10th-round context key, push to stack
LEAQ dkey(%RDI), %RSI
PUSHQ %RSI
//Calculate 10th-round context key
ksc4(0,EBX,R15D,R14D,EDX,DL,DH,EAX,ECX,RCX)
Page 23
aes-amnesia.S.txt
1053
1054
1055
1056
1057
1058
1059
//Move 10th-round context key into appropriate registers
1060
MOVL %EBX, %EAX
1061
MOVL %R15D, %ECX
1062
MOVL %R14D, %R10D
1063
MOVL %EDX, %R11D
1064
1065
//Restore 10th round master key
1066
MOVQ %MM0, %R9
1067
MOVQ %MM1, %R12
1068
XORQ %RBX, %RBX
1069
MOVQ %RBX, %MM0 //kill the master key from MMX regs
1070
MOVQ %RBX, %MM1 //kill the master key from MMx regs
1071
restore_key(R9D,R9,R12D,R12,EBX,EDX,R14D,R15D)
1072
1073
//Call encryption function
1074
CALL aes_decrypt_internal
1075
1076
//Restore dkey pointer
1077
POPQ %RSI
1078
1079
MOVL %EAX, (%RSI)
1080
MOVL %ECX, 4(%RSI)
1081
MOVL %R10D, 8(%RSI)
1082
MOVL %R11D, 12(%RSI)
1083
1084
//Restore callee-save registers
1085
POPQ %R15
1086
POPQ %R14
1087
POPQ %R13
1088
POPQ %R12
1089
POPQ %RBX
1090
POPFQ
1091
RET
1092
1093 // finite field multiplies by {02}, {04} and {08}
1094
1095 #define f2(x)
((x<<1)^(((x>>7)&1)*0x11b))
1096 #define f4(x)
((x<<2)^(((x>>6)&1)*0x11b)^(((x>>6)&2)*0x11b))
1097 #define f8(x)
((x<<3)^(((x>>5)&1)*0x11b)^(((x>>5)&2)*0x11b)^
(((x>>5)&4)*0x11b))
1098
1099 // finite field multiplies required in table generation
Page 24
aes-amnesia.S.txt
1100
1101 #define f3(x)
(f2(x) ^ x)
1102 #define f9(x)
(f8(x) ^ x)
1103 #define fb(x)
(f8(x) ^ f2(x) ^ x)
1104 #define fd(x)
(f8(x) ^ f4(x) ^ x)
1105 #define fe(x)
(f8(x) ^ f4(x) ^ f2(x))
1106
1107 // These defines generate the forward table entries
1108
1109 #define u0(x)
((f3(x) << 24) | (x << 16) | (x << 8) | f2(x))
1110 #define u1(x)
((x << 24) | (x << 16) | (f2(x) << 8) | f3(x))
1111 #define u2(x)
((x << 24) | (f2(x) << 16) | (f3(x) << 8) | x)
1112 #define u3(x)
((f2(x) << 24) | (f3(x) << 16) | (x << 8) | x)
1113
1114 // These defines generate the inverse table entries
1115
1116 #define v0(x)
((fb(x) << 24) | (fd(x) << 16) | (f9(x) << 8) | fe(x))
1117 #define v1(x)
((fd(x) << 24) | (f9(x) << 16) | (fe(x) << 8) | fb(x))
1118 #define v2(x)
((f9(x) << 24) | (fe(x) << 16) | (fb(x) << 8) | fd(x))
1119 #define v3(x)
((fe(x) << 24) | (fb(x) << 16) | (fd(x) << 8) | f9(x))
1120
1121 // These defines generate entries for the last round tables
1122
1123 #define w0(x)
(x)
1124 #define w1(x)
(x << 8)
1125 #define w2(x)
(x << 16)
1126 #define w3(x)
(x << 24)
1127
1128 // macro to generate inverse mix column tables (needed for the key schedule)
1129
1130 #define im_data0(p1) \
1131
.long
p1(0x00),p1(0x01),p1(0x02),p1(0x03),p1(0x04),p1(0x05),p1
(0x06),p1(0x07) ;\
1132
.long
p1(0x08),p1(0x09),p1(0x0a),p1(0x0b),p1(0x0c),p1(0x0d),p1
(0x0e),p1(0x0f) ;\
1133
.long
p1(0x10),p1(0x11),p1(0x12),p1(0x13),p1(0x14),p1(0x15),p1
(0x16),p1(0x17) ;\
1134
.long
(0x1e),p1(0x1f)
1136
.long
p1(0x20),p1(0x21),p1(0x22),p1(0x23),p1(0x24),p1(0x25),p1
(0x26),p1(0x27) ;\
1137
.long
(0x2e),p1(0x2f) ;\
1138
.long
p1(0x30),p1(0x31),p1(0x32),p1(0x33),p1(0x34),p1(0x35),p1
(0x36),p1(0x37) ;\
1139
.long
(0x3e),p1(0x3f)
Page 25
aes-amnesia.S.txt
1141
.long
p1(0x40),p1(0x41),p1(0x42),p1(0x43),p1(0x44),p1(0x45),p1
(0x46),p1(0x47) ;\
1142
.long
(0x4e),p1(0x4f) ;\
1143
.long
p1(0x50),p1(0x51),p1(0x52),p1(0x53),p1(0x54),p1(0x55),p1
(0x56),p1(0x57) ;\
1144
.long
(0x5e),p1(0x5f)
1146
.long
p1(0x60),p1(0x61),p1(0x62),p1(0x63),p1(0x64),p1(0x65),p1
(0x66),p1(0x67) ;\
1147
.long
(0x6e),p1(0x6f) ;\
1148
.long
p1(0x70),p1(0x71),p1(0x72),p1(0x73),p1(0x74),p1(0x75),p1
(0x76),p1(0x77) ;\
1149
.long
(0x7e),p1(0x7f)
1151
.long
p1(0x80),p1(0x81),p1(0x82),p1(0x83),p1(0x84),p1(0x85),p1
(0x86),p1(0x87) ;\
1152
.long
(0x8e),p1(0x8f) ;\
1153
.long
p1(0x90),p1(0x91),p1(0x92),p1(0x93),p1(0x94),p1(0x95),p1
(0x96),p1(0x97) ;\
1154
.long
(0x9e),p1(0x9f)
1156
.long
p1(0xa0),p1(0xa1),p1(0xa2),p1(0xa3),p1(0xa4),p1(0xa5),p1
(0xa6),p1(0xa7) ;\
1157
.long
p1(0xa8),p1(0xa9),p1(0xaa),p1(0xab),p1(0xac),p1(0xad),p1
(0xae),p1(0xaf) ;\
1158
.long
p1(0xb0),p1(0xb1),p1(0xb2),p1(0xb3),p1(0xb4),p1(0xb5),p1
(0xb6),p1(0xb7) ;\
1159
.long
p1(0xb8),p1(0xb9),p1(0xba),p1(0xbb),p1(0xbc),p1(0xbd),p1
(0xbe),p1(0xbf)
1161
.long
p1(0xc0),p1(0xc1),p1(0xc2),p1(0xc3),p1(0xc4),p1(0xc5),p1
(0xc6),p1(0xc7) ;\
1162
.long
p1(0xc8),p1(0xc9),p1(0xca),p1(0xcb),p1(0xcc),p1(0xcd),p1
(0xce),p1(0xcf) ;\
1163
.long
p1(0xd0),p1(0xd1),p1(0xd2),p1(0xd3),p1(0xd4),p1(0xd5),p1
(0xd6),p1(0xd7) ;\
1164
.long
p1(0xd8),p1(0xd9),p1(0xda),p1(0xdb),p1(0xdc),p1(0xdd),p1
(0xde),p1(0xdf)
1166
.long
p1(0xe0),p1(0xe1),p1(0xe2),p1(0xe3),p1(0xe4),p1(0xe5),p1
(0xe6),p1(0xe7) ;\
Page 26
aes-amnesia.S.txt
1167
.long
p1(0xe8),p1(0xe9),p1(0xea),p1(0xeb),p1(0xec),p1(0xed),p1
(0xee),p1(0xef) ;\
1168
.long
p1(0xf0),p1(0xf1),p1(0xf2),p1(0xf3),p1(0xf4),p1(0xf5),p1
(0xf6),p1(0xf7) ;\
1169
.long
p1(0xf8),p1(0xf9),p1(0xfa),p1(0xfb),p1(0xfc),p1(0xfd),p1
(0xfe),p1(0xff)
1170
1171 // S-box data - 256 entries
1172
1173 #define sb_data0(p1) \
1174
.long
p1(0x63),p1(0x7c),p1(0x77),p1(0x7b),p1(0xf2),p1(0x6b),p1
(0x6f),p1(0xc5) ;\
1175
.long
p1(0x30),p1(0x01),p1(0x67),p1(0x2b),p1(0xfe),p1(0xd7),p1
(0xab),p1(0x76) ;\
1176
.long
p1(0xca),p1(0x82),p1(0xc9),p1(0x7d),p1(0xfa),p1(0x59),p1
(0x47),p1(0xf0) ;\
1177
.long
p1(0xad),p1(0xd4),p1(0xa2),p1(0xaf),p1(0x9c),p1(0xa4),p1
(0x72),p1(0xc0)
1179
.long
p1(0xb7),p1(0xfd),p1(0x93),p1(0x26),p1(0x36),p1(0x3f),p1
(0xf7),p1(0xcc) ;\
1180
.long
p1(0x34),p1(0xa5),p1(0xe5),p1(0xf1),p1(0x71),p1(0xd8),p1
(0x31),p1(0x15) ;\
1181
.long
p1(0x04),p1(0xc7),p1(0x23),p1(0xc3),p1(0x18),p1(0x96),p1
(0x05),p1(0x9a) ;\
1182
.long
p1(0x07),p1(0x12),p1(0x80),p1(0xe2),p1(0xeb),p1(0x27),p1
(0xb2),p1(0x75)
1184
.long
p1(0x09),p1(0x83),p1(0x2c),p1(0x1a),p1(0x1b),p1(0x6e),p1
(0x5a),p1(0xa0) ;\
1185
.long
p1(0x52),p1(0x3b),p1(0xd6),p1(0xb3),p1(0x29),p1(0xe3),p1
(0x2f),p1(0x84) ;\
1186
.long
p1(0x53),p1(0xd1),p1(0x00),p1(0xed),p1(0x20),p1(0xfc),p1
(0xb1),p1(0x5b) ;\
1187
.long
p1(0x6a),p1(0xcb),p1(0xbe),p1(0x39),p1(0x4a),p1(0x4c),p1
(0x58),p1(0xcf)
1189
.long
p1(0xd0),p1(0xef),p1(0xaa),p1(0xfb),p1(0x43),p1(0x4d),p1
(0x33),p1(0x85) ;\
1190
.long
p1(0x45),p1(0xf9),p1(0x02),p1(0x7f),p1(0x50),p1(0x3c),p1
(0x9f),p1(0xa8) ;\
1191
.long
p1(0x51),p1(0xa3),p1(0x40),p1(0x8f),p1(0x92),p1(0x9d),p1
(0x38),p1(0xf5) ;\
1192
.long
p1(0xbc),p1(0xb6),p1(0xda),p1(0x21),p1(0x10),p1(0xff),p1
(0xf3),p1(0xd2)
1194
.long
p1(0xcd),p1(0x0c),p1(0x13),p1(0xec),p1(0x5f),p1(0x97),p1
(0x44),p1(0x17) ;\
Page 27
aes-amnesia.S.txt
1195
.long
p1(0xc4),p1(0xa7),p1(0x7e),p1(0x3d),p1(0x64),p1(0x5d),p1
(0x19),p1(0x73) ;\
1196
.long
p1(0x60),p1(0x81),p1(0x4f),p1(0xdc),p1(0x22),p1(0x2a),p1
(0x90),p1(0x88) ;\
1197
.long
p1(0x46),p1(0xee),p1(0xb8),p1(0x14),p1(0xde),p1(0x5e),p1
(0x0b),p1(0xdb)
1199
.long
p1(0xe0),p1(0x32),p1(0x3a),p1(0x0a),p1(0x49),p1(0x06),p1
(0x24),p1(0x5c) ;\
1200
.long
p1(0xc2),p1(0xd3),p1(0xac),p1(0x62),p1(0x91),p1(0x95),p1
(0xe4),p1(0x79) ;\
1201
.long
p1(0xe7),p1(0xc8),p1(0x37),p1(0x6d),p1(0x8d),p1(0xd5),p1
(0x4e),p1(0xa9) ;\
1202
.long
p1(0x6c),p1(0x56),p1(0xf4),p1(0xea),p1(0x65),p1(0x7a),p1
(0xae),p1(0x08)
1204
.long
p1(0xba),p1(0x78),p1(0x25),p1(0x2e),p1(0x1c),p1(0xa6),p1
(0xb4),p1(0xc6) ;\
1205
.long
p1(0xe8),p1(0xdd),p1(0x74),p1(0x1f),p1(0x4b),p1(0xbd),p1
(0x8b),p1(0x8a) ;\
1206
.long
p1(0x70),p1(0x3e),p1(0xb5),p1(0x66),p1(0x48),p1(0x03),p1
(0xf6),p1(0x0e) ;\
1207
.long
p1(0x61),p1(0x35),p1(0x57),p1(0xb9),p1(0x86),p1(0xc1),p1
(0x1d),p1(0x9e)
1209
.long
p1(0xe1),p1(0xf8),p1(0x98),p1(0x11),p1(0x69),p1(0xd9),p1
(0x8e),p1(0x94) ;\
1210
.long
p1(0x9b),p1(0x1e),p1(0x87),p1(0xe9),p1(0xce),p1(0x55),p1
(0x28),p1(0xdf) ;\
1211
.long
p1(0x8c),p1(0xa1),p1(0x89),p1(0x0d),p1(0xbf),p1(0xe6),p1
(0x42),p1(0x68) ;\
1212
.long
p1(0x41),p1(0x99),p1(0x2d),p1(0x0f),p1(0xb0),p1(0x54),p1
(0xbb),p1(0x16)
1213
1214 // Inverse S-box data - 256 entries
1215
1216 #define ib_data0(p1) \
1217
.long
p1(0x52),p1(0x09),p1(0x6a),p1(0xd5),p1(0x30),p1(0x36),p1
(0xa5),p1(0x38) ;\
1218
.long
p1(0xbf),p1(0x40),p1(0xa3),p1(0x9e),p1(0x81),p1(0xf3),p1
(0xd7),p1(0xfb) ;\
1219
.long
p1(0x7c),p1(0xe3),p1(0x39),p1(0x82),p1(0x9b),p1(0x2f),p1
(0xff),p1(0x87) ;\
1220
.long
p1(0x34),p1(0x8e),p1(0x43),p1(0x44),p1(0xc4),p1(0xde),p1
(0xe9),p1(0xcb)
1222
.long
p1(0x54),p1(0x7b),p1(0x94),p1(0x32),p1(0xa6),p1(0xc2),p1
(0x23),p1(0x3d) ;\
Page 28
aes-amnesia.S.txt
1223
.long
p1(0xee),p1(0x4c),p1(0x95),p1(0x0b),p1(0x42),p1(0xfa),p1
(0xc3),p1(0x4e) ;\
1224
.long
p1(0x08),p1(0x2e),p1(0xa1),p1(0x66),p1(0x28),p1(0xd9),p1
(0x24),p1(0xb2) ;\
1225
.long
p1(0x76),p1(0x5b),p1(0xa2),p1(0x49),p1(0x6d),p1(0x8b),p1
(0xd1),p1(0x25)
1227
.long
p1(0x72),p1(0xf8),p1(0xf6),p1(0x64),p1(0x86),p1(0x68),p1
(0x98),p1(0x16) ;\
1228
.long
p1(0xd4),p1(0xa4),p1(0x5c),p1(0xcc),p1(0x5d),p1(0x65),p1
(0xb6),p1(0x92) ;\
1229
.long
p1(0x6c),p1(0x70),p1(0x48),p1(0x50),p1(0xfd),p1(0xed),p1
(0xb9),p1(0xda) ;\
1230
.long
p1(0x5e),p1(0x15),p1(0x46),p1(0x57),p1(0xa7),p1(0x8d),p1
(0x9d),p1(0x84)
1232
.long
p1(0x90),p1(0xd8),p1(0xab),p1(0x00),p1(0x8c),p1(0xbc),p1
(0xd3),p1(0x0a) ;\
1233
.long
p1(0xf7),p1(0xe4),p1(0x58),p1(0x05),p1(0xb8),p1(0xb3),p1
(0x45),p1(0x06) ;\
1234
.long
p1(0xd0),p1(0x2c),p1(0x1e),p1(0x8f),p1(0xca),p1(0x3f),p1
(0x0f),p1(0x02) ;\
1235
.long
p1(0xc1),p1(0xaf),p1(0xbd),p1(0x03),p1(0x01),p1(0x13),p1
(0x8a),p1(0x6b)
1237
.long
p1(0x3a),p1(0x91),p1(0x11),p1(0x41),p1(0x4f),p1(0x67),p1
(0xdc),p1(0xea) ;\
1238
.long
p1(0x97),p1(0xf2),p1(0xcf),p1(0xce),p1(0xf0),p1(0xb4),p1
(0xe6),p1(0x73) ;\
1239
.long
p1(0x96),p1(0xac),p1(0x74),p1(0x22),p1(0xe7),p1(0xad),p1
(0x35),p1(0x85) ;\
1240
.long
p1(0xe2),p1(0xf9),p1(0x37),p1(0xe8),p1(0x1c),p1(0x75),p1
(0xdf),p1(0x6e)
1242
.long
p1(0x47),p1(0xf1),p1(0x1a),p1(0x71),p1(0x1d),p1(0x29),p1
(0xc5),p1(0x89) ;\
1243
.long
p1(0x6f),p1(0xb7),p1(0x62),p1(0x0e),p1(0xaa),p1(0x18),p1
(0xbe),p1(0x1b) ;\
1244
.long
p1(0xfc),p1(0x56),p1(0x3e),p1(0x4b),p1(0xc6),p1(0xd2),p1
(0x79),p1(0x20) ;\
1245
.long
p1(0x9a),p1(0xdb),p1(0xc0),p1(0xfe),p1(0x78),p1(0xcd),p1
(0x5a),p1(0xf4)
1247
.long
p1(0x1f),p1(0xdd),p1(0xa8),p1(0x33),p1(0x88),p1(0x07),p1
(0xc7),p1(0x31) ;\
1248
.long
p1(0xb1),p1(0x12),p1(0x10),p1(0x59),p1(0x27),p1(0x80),p1
(0xec),p1(0x5f) ;\
1249
.long
p1(0x60),p1(0x51),p1(0x7f),p1(0xa9),p1(0x19),p1(0xb5),p1
Page 29
aes-amnesia.S.txt
.long
p1(0x60),p1(0x51),p1(0x7f),p1(0xa9),p1(0x19),p1(0xb5),p1
(0x4a),p1(0x0d) ;\
1250
.long
p1(0x2d),p1(0xe5),p1(0x7a),p1(0x9f),p1(0x93),p1(0xc9),p1
(0x9c),p1(0xef)
1252
.long
p1(0xa0),p1(0xe0),p1(0x3b),p1(0x4d),p1(0xae),p1(0x2a),p1
(0xf5),p1(0xb0) ;\
1253
.long
p1(0xc8),p1(0xeb),p1(0xbb),p1(0x3c),p1(0x83),p1(0x53),p1
(0x99),p1(0x61) ;\
1254
.long
p1(0x17),p1(0x2b),p1(0x04),p1(0x7e),p1(0xba),p1(0x77),p1
(0xd6),p1(0x26) ;\
1255
.long
p1(0xe1),p1(0x69),p1(0x14),p1(0x63),p1(0x55),p1(0x21),p1
(0x0c),p1(0x7d)
1256
1257 // The rcon_table (needed for the key schedule)
1258 //
1259 // Here is original Dr Brian Gladman's source code:
1260 // _rcon_tab:
1261 // %assign x
1
1262 // %rep 29
1263 //
dd x
1264 // %assign x f2(x)
1265 // %endrep
1266 //
1267 // Here is precomputed output (it's more portable this way):
1268
1269
.section .rodata
1270
.align ALIGN64BYTES
1271 aes_rcon_tab:
1272
.long
0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80
1273
.long
0x1b,0x36,0x6c,0xd8,0xab,0x4d,0x9a,0x2f
1274
.long
0x5e,0xbc,0x63,0xc6,0x97,0x35,0x6a,0xd4
1275
.long
0xb3,0x7d,0xfa,0xef,0xc5
1276
1277 // The forward xor tables
1278
1279
.align ALIGN64BYTES
1280 aes_ft_tab:
1281
sb_data0(u0)
1282
sb_data1(u0)
1283
sb_data2(u0)
1284
sb_data3(u0)
1285
sb_data4(u0)
1286
sb_data5(u0)
1287
sb_data6(u0)
1288
sb_data7(u0)
1289
1290
sb_data0(u1)
1291
sb_data1(u1)
Page 30
aes-amnesia.S.txt
1292
sb_data2(u1)
1293
sb_data3(u1)
1294
sb_data4(u1)
1295
sb_data5(u1)
1296
sb_data6(u1)
1297
sb_data7(u1)
1298
1299
sb_data0(u2)
1300
sb_data1(u2)
1301
sb_data2(u2)
1302
sb_data3(u2)
1303
sb_data4(u2)
1304
sb_data5(u2)
1305
sb_data6(u2)
1306
sb_data7(u2)
1307
1308
sb_data0(u3)
1309
sb_data1(u3)
1310
sb_data2(u3)
1311
sb_data3(u3)
1312
sb_data4(u3)
1313
sb_data5(u3)
1314
sb_data6(u3)
1315
sb_data7(u3)
1316
1317
.align ALIGN64BYTES
1318 aes_fl_tab:
1319
sb_data0(w0)
1320
sb_data1(w0)
1321
sb_data2(w0)
1322
sb_data3(w0)
1323
sb_data4(w0)
1324
sb_data5(w0)
1325
sb_data6(w0)
1326
sb_data7(w0)
1327
1328
sb_data0(w1)
1329
sb_data1(w1)
1330
sb_data2(w1)
1331
sb_data3(w1)
1332
sb_data4(w1)
1333
sb_data5(w1)
1334
sb_data6(w1)
1335
sb_data7(w1)
1336
1337
sb_data0(w2)
1338
sb_data1(w2)
1339
sb_data2(w2)
Page 31
aes-amnesia.S.txt
1340
sb_data3(w2)
1341
sb_data4(w2)
1342
sb_data5(w2)
1343
sb_data6(w2)
1344
sb_data7(w2)
1345
1346
sb_data0(w3)
1347
sb_data1(w3)
1348
sb_data2(w3)
1349
sb_data3(w3)
1350
sb_data4(w3)
1351
sb_data5(w3)
1352
sb_data6(w3)
1353
sb_data7(w3)
1354
1355 // The inverse xor tables
1356
1357
.align ALIGN64BYTES
1358 aes_it_tab:
1359
ib_data0(v0)
1360
ib_data1(v0)
1361
ib_data2(v0)
1362
ib_data3(v0)
1363
ib_data4(v0)
1364
ib_data5(v0)
1365
ib_data6(v0)
1366
ib_data7(v0)
1367
1368
ib_data0(v1)
1369
ib_data1(v1)
1370
ib_data2(v1)
1371
ib_data3(v1)
1372
ib_data4(v1)
1373
ib_data5(v1)
1374
ib_data6(v1)
1375
ib_data7(v1)
1376
1377
ib_data0(v2)
1378
ib_data1(v2)
1379
ib_data2(v2)
1380
ib_data3(v2)
1381
ib_data4(v2)
1382
ib_data5(v2)
1383
ib_data6(v2)
1384
ib_data7(v2)
1385
1386
ib_data0(v3)
1387
ib_data1(v3)
Page 32
aes-amnesia.S.txt
1388
ib_data2(v3)
1389
ib_data3(v3)
1390
ib_data4(v3)
1391
ib_data5(v3)
1392
ib_data6(v3)
1393
ib_data7(v3)
1394
1395
.align ALIGN64BYTES
1396 aes_il_tab:
1397
ib_data0(w0)
1398
ib_data1(w0)
1399
ib_data2(w0)
1400
ib_data3(w0)
1401
ib_data4(w0)
1402
ib_data5(w0)
1403
ib_data6(w0)
1404
ib_data7(w0)
1405
1406
ib_data0(w1)
1407
ib_data1(w1)
1408
ib_data2(w1)
1409
ib_data3(w1)
1410
ib_data4(w1)
1411
ib_data5(w1)
1412
ib_data6(w1)
1413
ib_data7(w1)
1414
1415
ib_data0(w2)
1416
ib_data1(w2)
1417
ib_data2(w2)
1418
ib_data3(w2)
1419
ib_data4(w2)
1420
ib_data5(w2)
1421
ib_data6(w2)
1422
ib_data7(w2)
1423
1424
ib_data0(w3)
1425
ib_data1(w3)
1426
ib_data2(w3)
1427
ib_data3(w3)
1428
ib_data4(w3)
1429
ib_data5(w3)
1430
ib_data6(w3)
1431
ib_data7(w3)
1432
1433 // The inverse mix column tables
1434
1435
.align ALIGN64BYTES
Page 33
aes-amnesia.S.txt
1436 aes_im_tab:
1437
im_data0(v0)
1438
im_data1(v0)
1439
im_data2(v0)
1440
im_data3(v0)
1441
im_data4(v0)
1442
im_data5(v0)
1443
im_data6(v0)
1444
im_data7(v0)
1445
1446
im_data0(v1)
1447
im_data1(v1)
1448
im_data2(v1)
1449
im_data3(v1)
1450
im_data4(v1)
1451
im_data5(v1)
1452
im_data6(v1)
1453
im_data7(v1)
1454
1455
im_data0(v2)
1456
im_data1(v2)
1457
im_data2(v2)
1458
im_data3(v2)
1459
im_data4(v2)
1460
im_data5(v2)
1461
im_data6(v2)
1462
im_data7(v2)
1463
1464
im_data0(v3)
1465
im_data1(v3)
1466
im_data2(v3)
1467
im_data3(v3)
1468
im_data4(v3)
1469
im_data5(v3)
1470
im_data6(v3)
1471
im_data7(v3)
1472
1473 #if defined(__ELF__) && defined(SECTION_NOTE_GNU_STACK)
1474 .section .note.GNU-stack,"",@progbits
1475 #endif
1476
Page 34

Aes Amnesia.S

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Aes Amnesia.S

Caricato da

Copyright:

Formati disponibili

aes-amnesia.S.

XCHG %EDX, %R15D

MOVL %EDI, %EBX

//Get our input plaintext pointer back off the stack

//Zero callee-save registers!!! We MUST do this before enabling

ksc4(5, EBX, R15D,

//Back the 10th round master key up

Potrebbero piacerti anche