Loading...
1//
2// Accelerated CRC-T10DIF using ARM NEON and Crypto Extensions instructions
3//
4// Copyright (C) 2016 Linaro Ltd <ard.biesheuvel@linaro.org>
5// Copyright (C) 2019 Google LLC <ebiggers@google.com>
6//
7// This program is free software; you can redistribute it and/or modify
8// it under the terms of the GNU General Public License version 2 as
9// published by the Free Software Foundation.
10//
11
12// Derived from the x86 version:
13//
14// Implement fast CRC-T10DIF computation with SSE and PCLMULQDQ instructions
15//
16// Copyright (c) 2013, Intel Corporation
17//
18// Authors:
19// Erdinc Ozturk <erdinc.ozturk@intel.com>
20// Vinodh Gopal <vinodh.gopal@intel.com>
21// James Guilford <james.guilford@intel.com>
22// Tim Chen <tim.c.chen@linux.intel.com>
23//
24// This software is available to you under a choice of one of two
25// licenses. You may choose to be licensed under the terms of the GNU
26// General Public License (GPL) Version 2, available from the file
27// COPYING in the main directory of this source tree, or the
28// OpenIB.org BSD license below:
29//
30// Redistribution and use in source and binary forms, with or without
31// modification, are permitted provided that the following conditions are
32// met:
33//
34// * Redistributions of source code must retain the above copyright
35// notice, this list of conditions and the following disclaimer.
36//
37// * Redistributions in binary form must reproduce the above copyright
38// notice, this list of conditions and the following disclaimer in the
39// documentation and/or other materials provided with the
40// distribution.
41//
42// * Neither the name of the Intel Corporation nor the names of its
43// contributors may be used to endorse or promote products derived from
44// this software without specific prior written permission.
45//
46//
47// THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
48// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
49// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
50// PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
51// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
52// EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
53// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
54// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
55// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
56// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
57// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
58//
59// Reference paper titled "Fast CRC Computation for Generic
60// Polynomials Using PCLMULQDQ Instruction"
61// URL: http://www.intel.com/content/dam/www/public/us/en/documents
62// /white-papers/fast-crc-computation-generic-polynomials-pclmulqdq-paper.pdf
63//
64
65#include <linux/linkage.h>
66#include <asm/assembler.h>
67
68#ifdef CONFIG_CPU_ENDIAN_BE8
69#define CPU_LE(code...)
70#else
71#define CPU_LE(code...) code
72#endif
73
74 .text
75 .arch armv8-a
76 .fpu crypto-neon-fp-armv8
77
78 init_crc .req r0
79 buf .req r1
80 len .req r2
81
82 fold_consts_ptr .req ip
83
84 q0l .req d0
85 q0h .req d1
86 q1l .req d2
87 q1h .req d3
88 q2l .req d4
89 q2h .req d5
90 q3l .req d6
91 q3h .req d7
92 q4l .req d8
93 q4h .req d9
94 q5l .req d10
95 q5h .req d11
96 q6l .req d12
97 q6h .req d13
98 q7l .req d14
99 q7h .req d15
100 q8l .req d16
101 q8h .req d17
102 q9l .req d18
103 q9h .req d19
104 q10l .req d20
105 q10h .req d21
106 q11l .req d22
107 q11h .req d23
108 q12l .req d24
109 q12h .req d25
110
111 FOLD_CONSTS .req q10
112 FOLD_CONST_L .req q10l
113 FOLD_CONST_H .req q10h
114
115 /*
116 * Pairwise long polynomial multiplication of two 16-bit values
117 *
118 * { w0, w1 }, { y0, y1 }
119 *
120 * by two 64-bit values
121 *
122 * { x0, x1, x2, x3, x4, x5, x6, x7 }, { z0, z1, z2, z3, z4, z5, z6, z7 }
123 *
124 * where each vector element is a byte, ordered from least to most
125 * significant. The resulting 80-bit vectors are XOR'ed together.
126 *
127 * This can be implemented using 8x8 long polynomial multiplication, by
128 * reorganizing the input so that each pairwise 8x8 multiplication
129 * produces one of the terms from the decomposition below, and
130 * combining the results of each rank and shifting them into place.
131 *
132 * Rank
133 * 0 w0*x0 ^ | y0*z0 ^
134 * 1 (w0*x1 ^ w1*x0) << 8 ^ | (y0*z1 ^ y1*z0) << 8 ^
135 * 2 (w0*x2 ^ w1*x1) << 16 ^ | (y0*z2 ^ y1*z1) << 16 ^
136 * 3 (w0*x3 ^ w1*x2) << 24 ^ | (y0*z3 ^ y1*z2) << 24 ^
137 * 4 (w0*x4 ^ w1*x3) << 32 ^ | (y0*z4 ^ y1*z3) << 32 ^
138 * 5 (w0*x5 ^ w1*x4) << 40 ^ | (y0*z5 ^ y1*z4) << 40 ^
139 * 6 (w0*x6 ^ w1*x5) << 48 ^ | (y0*z6 ^ y1*z5) << 48 ^
140 * 7 (w0*x7 ^ w1*x6) << 56 ^ | (y0*z7 ^ y1*z6) << 56 ^
141 * 8 w1*x7 << 64 | y1*z7 << 64
142 *
143 * The inputs can be reorganized into
144 *
145 * { w0, w0, w0, w0, y0, y0, y0, y0 }, { w1, w1, w1, w1, y1, y1, y1, y1 }
146 * { x0, x2, x4, x6, z0, z2, z4, z6 }, { x1, x3, x5, x7, z1, z3, z5, z7 }
147 *
148 * and after performing 8x8->16 bit long polynomial multiplication of
149 * each of the halves of the first vector with those of the second one,
150 * we obtain the following four vectors of 16-bit elements:
151 *
152 * a := { w0*x0, w0*x2, w0*x4, w0*x6 }, { y0*z0, y0*z2, y0*z4, y0*z6 }
153 * b := { w0*x1, w0*x3, w0*x5, w0*x7 }, { y0*z1, y0*z3, y0*z5, y0*z7 }
154 * c := { w1*x0, w1*x2, w1*x4, w1*x6 }, { y1*z0, y1*z2, y1*z4, y1*z6 }
155 * d := { w1*x1, w1*x3, w1*x5, w1*x7 }, { y1*z1, y1*z3, y1*z5, y1*z7 }
156 *
157 * Results b and c can be XORed together, as the vector elements have
158 * matching ranks. Then, the final XOR can be pulled forward, and
159 * applied between the halves of each of the remaining three vectors,
160 * which are then shifted into place, and XORed together to produce the
161 * final 80-bit result.
162 */
163 .macro pmull16x64_p8, v16, v64
164 vext.8 q11, \v64, \v64, #1
165 vld1.64 {q12}, [r4, :128]
166 vuzp.8 q11, \v64
167 vtbl.8 d24, {\v16\()_L-\v16\()_H}, d24
168 vtbl.8 d25, {\v16\()_L-\v16\()_H}, d25
169 bl __pmull16x64_p8
170 veor \v64, q12, q14
171 .endm
172
173__pmull16x64_p8:
174 vmull.p8 q13, d23, d24
175 vmull.p8 q14, d23, d25
176 vmull.p8 q15, d22, d24
177 vmull.p8 q12, d22, d25
178
179 veor q14, q14, q15
180 veor d24, d24, d25
181 veor d26, d26, d27
182 veor d28, d28, d29
183 vmov.i32 d25, #0
184 vmov.i32 d29, #0
185 vext.8 q12, q12, q12, #14
186 vext.8 q14, q14, q14, #15
187 veor d24, d24, d26
188 bx lr
189ENDPROC(__pmull16x64_p8)
190
191 .macro pmull16x64_p64, v16, v64
192 vmull.p64 q11, \v64\()l, \v16\()_L
193 vmull.p64 \v64, \v64\()h, \v16\()_H
194 veor \v64, \v64, q11
195 .endm
196
197 // Fold reg1, reg2 into the next 32 data bytes, storing the result back
198 // into reg1, reg2.
199 .macro fold_32_bytes, reg1, reg2, p
200 vld1.64 {q8-q9}, [buf]!
201
202 pmull16x64_\p FOLD_CONST, \reg1
203 pmull16x64_\p FOLD_CONST, \reg2
204
205CPU_LE( vrev64.8 q8, q8 )
206CPU_LE( vrev64.8 q9, q9 )
207 vswp q8l, q8h
208 vswp q9l, q9h
209
210 veor.8 \reg1, \reg1, q8
211 veor.8 \reg2, \reg2, q9
212 .endm
213
214 // Fold src_reg into dst_reg, optionally loading the next fold constants
215 .macro fold_16_bytes, src_reg, dst_reg, p, load_next_consts
216 pmull16x64_\p FOLD_CONST, \src_reg
217 .ifnb \load_next_consts
218 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
219 .endif
220 veor.8 \dst_reg, \dst_reg, \src_reg
221 .endm
222
223 .macro crct10dif, p
224 // For sizes less than 256 bytes, we can't fold 128 bytes at a time.
225 cmp len, #256
226 blt .Lless_than_256_bytes\@
227
228 mov_l fold_consts_ptr, .Lfold_across_128_bytes_consts
229
230 // Load the first 128 data bytes. Byte swapping is necessary to make
231 // the bit order match the polynomial coefficient order.
232 vld1.64 {q0-q1}, [buf]!
233 vld1.64 {q2-q3}, [buf]!
234 vld1.64 {q4-q5}, [buf]!
235 vld1.64 {q6-q7}, [buf]!
236CPU_LE( vrev64.8 q0, q0 )
237CPU_LE( vrev64.8 q1, q1 )
238CPU_LE( vrev64.8 q2, q2 )
239CPU_LE( vrev64.8 q3, q3 )
240CPU_LE( vrev64.8 q4, q4 )
241CPU_LE( vrev64.8 q5, q5 )
242CPU_LE( vrev64.8 q6, q6 )
243CPU_LE( vrev64.8 q7, q7 )
244 vswp q0l, q0h
245 vswp q1l, q1h
246 vswp q2l, q2h
247 vswp q3l, q3h
248 vswp q4l, q4h
249 vswp q5l, q5h
250 vswp q6l, q6h
251 vswp q7l, q7h
252
253 // XOR the first 16 data *bits* with the initial CRC value.
254 vmov.i8 q8h, #0
255 vmov.u16 q8h[3], init_crc
256 veor q0h, q0h, q8h
257
258 // Load the constants for folding across 128 bytes.
259 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
260
261 // Subtract 128 for the 128 data bytes just consumed. Subtract another
262 // 128 to simplify the termination condition of the following loop.
263 sub len, len, #256
264
265 // While >= 128 data bytes remain (not counting q0-q7), fold the 128
266 // bytes q0-q7 into them, storing the result back into q0-q7.
267.Lfold_128_bytes_loop\@:
268 fold_32_bytes q0, q1, \p
269 fold_32_bytes q2, q3, \p
270 fold_32_bytes q4, q5, \p
271 fold_32_bytes q6, q7, \p
272 subs len, len, #128
273 bge .Lfold_128_bytes_loop\@
274
275 // Now fold the 112 bytes in q0-q6 into the 16 bytes in q7.
276
277 // Fold across 64 bytes.
278 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
279 fold_16_bytes q0, q4, \p
280 fold_16_bytes q1, q5, \p
281 fold_16_bytes q2, q6, \p
282 fold_16_bytes q3, q7, \p, 1
283 // Fold across 32 bytes.
284 fold_16_bytes q4, q6, \p
285 fold_16_bytes q5, q7, \p, 1
286 // Fold across 16 bytes.
287 fold_16_bytes q6, q7, \p
288
289 // Add 128 to get the correct number of data bytes remaining in 0...127
290 // (not counting q7), following the previous extra subtraction by 128.
291 // Then subtract 16 to simplify the termination condition of the
292 // following loop.
293 adds len, len, #(128-16)
294
295 // While >= 16 data bytes remain (not counting q7), fold the 16 bytes q7
296 // into them, storing the result back into q7.
297 blt .Lfold_16_bytes_loop_done\@
298.Lfold_16_bytes_loop\@:
299 pmull16x64_\p FOLD_CONST, q7
300 vld1.64 {q0}, [buf]!
301CPU_LE( vrev64.8 q0, q0 )
302 vswp q0l, q0h
303 veor.8 q7, q7, q0
304 subs len, len, #16
305 bge .Lfold_16_bytes_loop\@
306
307.Lfold_16_bytes_loop_done\@:
308 // Add 16 to get the correct number of data bytes remaining in 0...15
309 // (not counting q7), following the previous extra subtraction by 16.
310 adds len, len, #16
311 beq .Lreduce_final_16_bytes\@
312
313.Lhandle_partial_segment\@:
314 // Reduce the last '16 + len' bytes where 1 <= len <= 15 and the first
315 // 16 bytes are in q7 and the rest are the remaining data in 'buf'. To
316 // do this without needing a fold constant for each possible 'len',
317 // redivide the bytes into a first chunk of 'len' bytes and a second
318 // chunk of 16 bytes, then fold the first chunk into the second.
319
320 // q0 = last 16 original data bytes
321 add buf, buf, len
322 sub buf, buf, #16
323 vld1.64 {q0}, [buf]
324CPU_LE( vrev64.8 q0, q0 )
325 vswp q0l, q0h
326
327 // q1 = high order part of second chunk: q7 left-shifted by 'len' bytes.
328 mov_l r1, .Lbyteshift_table + 16
329 sub r1, r1, len
330 vld1.8 {q2}, [r1]
331 vtbl.8 q1l, {q7l-q7h}, q2l
332 vtbl.8 q1h, {q7l-q7h}, q2h
333
334 // q3 = first chunk: q7 right-shifted by '16-len' bytes.
335 vmov.i8 q3, #0x80
336 veor.8 q2, q2, q3
337 vtbl.8 q3l, {q7l-q7h}, q2l
338 vtbl.8 q3h, {q7l-q7h}, q2h
339
340 // Convert to 8-bit masks: 'len' 0x00 bytes, then '16-len' 0xff bytes.
341 vshr.s8 q2, q2, #7
342
343 // q2 = second chunk: 'len' bytes from q0 (low-order bytes),
344 // then '16-len' bytes from q1 (high-order bytes).
345 vbsl.8 q2, q1, q0
346
347 // Fold the first chunk into the second chunk, storing the result in q7.
348 pmull16x64_\p FOLD_CONST, q3
349 veor.8 q7, q3, q2
350 b .Lreduce_final_16_bytes\@
351
352.Lless_than_256_bytes\@:
353 // Checksumming a buffer of length 16...255 bytes
354
355 mov_l fold_consts_ptr, .Lfold_across_16_bytes_consts
356
357 // Load the first 16 data bytes.
358 vld1.64 {q7}, [buf]!
359CPU_LE( vrev64.8 q7, q7 )
360 vswp q7l, q7h
361
362 // XOR the first 16 data *bits* with the initial CRC value.
363 vmov.i8 q0h, #0
364 vmov.u16 q0h[3], init_crc
365 veor.8 q7h, q7h, q0h
366
367 // Load the fold-across-16-bytes constants.
368 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
369
370 cmp len, #16
371 beq .Lreduce_final_16_bytes\@ // len == 16
372 subs len, len, #32
373 addlt len, len, #16
374 blt .Lhandle_partial_segment\@ // 17 <= len <= 31
375 b .Lfold_16_bytes_loop\@ // 32 <= len <= 255
376
377.Lreduce_final_16_bytes\@:
378 .endm
379
380//
381// u16 crc_t10dif_pmull(u16 init_crc, const u8 *buf, size_t len);
382//
383// Assumes len >= 16.
384//
385ENTRY(crc_t10dif_pmull64)
386 crct10dif p64
387
388 // Reduce the 128-bit value M(x), stored in q7, to the final 16-bit CRC.
389
390 // Load 'x^48 * (x^48 mod G(x))' and 'x^48 * (x^80 mod G(x))'.
391 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
392
393 // Fold the high 64 bits into the low 64 bits, while also multiplying by
394 // x^64. This produces a 128-bit value congruent to x^64 * M(x) and
395 // whose low 48 bits are 0.
396 vmull.p64 q0, q7h, FOLD_CONST_H // high bits * x^48 * (x^80 mod G(x))
397 veor.8 q0h, q0h, q7l // + low bits * x^64
398
399 // Fold the high 32 bits into the low 96 bits. This produces a 96-bit
400 // value congruent to x^64 * M(x) and whose low 48 bits are 0.
401 vmov.i8 q1, #0
402 vmov s4, s3 // extract high 32 bits
403 vmov s3, s5 // zero high 32 bits
404 vmull.p64 q1, q1l, FOLD_CONST_L // high 32 bits * x^48 * (x^48 mod G(x))
405 veor.8 q0, q0, q1 // + low bits
406
407 // Load G(x) and floor(x^48 / G(x)).
408 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]
409
410 // Use Barrett reduction to compute the final CRC value.
411 vmull.p64 q1, q0h, FOLD_CONST_H // high 32 bits * floor(x^48 / G(x))
412 vshr.u64 q1l, q1l, #32 // /= x^32
413 vmull.p64 q1, q1l, FOLD_CONST_L // *= G(x)
414 vshr.u64 q0l, q0l, #48
415 veor.8 q0l, q0l, q1l // + low 16 nonzero bits
416 // Final CRC value (x^16 * M(x)) mod G(x) is in low 16 bits of q0.
417
418 vmov.u16 r0, q0l[0]
419 bx lr
420ENDPROC(crc_t10dif_pmull64)
421
422ENTRY(crc_t10dif_pmull8)
423 push {r4, lr}
424 mov_l r4, .L16x64perm
425
426 crct10dif p8
427
428CPU_LE( vrev64.8 q7, q7 )
429 vswp q7l, q7h
430 vst1.64 {q7}, [r3, :128]
431 pop {r4, pc}
432ENDPROC(crc_t10dif_pmull8)
433
434 .section ".rodata", "a"
435 .align 4
436
437// Fold constants precomputed from the polynomial 0x18bb7
438// G(x) = x^16 + x^15 + x^11 + x^9 + x^8 + x^7 + x^5 + x^4 + x^2 + x^1 + x^0
439.Lfold_across_128_bytes_consts:
440 .quad 0x0000000000006123 // x^(8*128) mod G(x)
441 .quad 0x0000000000002295 // x^(8*128+64) mod G(x)
442// .Lfold_across_64_bytes_consts:
443 .quad 0x0000000000001069 // x^(4*128) mod G(x)
444 .quad 0x000000000000dd31 // x^(4*128+64) mod G(x)
445// .Lfold_across_32_bytes_consts:
446 .quad 0x000000000000857d // x^(2*128) mod G(x)
447 .quad 0x0000000000007acc // x^(2*128+64) mod G(x)
448.Lfold_across_16_bytes_consts:
449 .quad 0x000000000000a010 // x^(1*128) mod G(x)
450 .quad 0x0000000000001faa // x^(1*128+64) mod G(x)
451// .Lfinal_fold_consts:
452 .quad 0x1368000000000000 // x^48 * (x^48 mod G(x))
453 .quad 0x2d56000000000000 // x^48 * (x^80 mod G(x))
454// .Lbarrett_reduction_consts:
455 .quad 0x0000000000018bb7 // G(x)
456 .quad 0x00000001f65a57f8 // floor(x^48 / G(x))
457
458// For 1 <= len <= 15, the 16-byte vector beginning at &byteshift_table[16 -
459// len] is the index vector to shift left by 'len' bytes, and is also {0x80,
460// ..., 0x80} XOR the index vector to shift right by '16 - len' bytes.
461.Lbyteshift_table:
462 .byte 0x0, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87
463 .byte 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f
464 .byte 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7
465 .byte 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe , 0x0
466
467.L16x64perm:
468 .quad 0x808080800000000, 0x909090901010101
1//
2// Accelerated CRC-T10DIF using ARM NEON and Crypto Extensions instructions
3//
4// Copyright (C) 2016 Linaro Ltd <ard.biesheuvel@linaro.org>
5// Copyright (C) 2019 Google LLC <ebiggers@google.com>
6//
7// This program is free software; you can redistribute it and/or modify
8// it under the terms of the GNU General Public License version 2 as
9// published by the Free Software Foundation.
10//
11
12// Derived from the x86 version:
13//
14// Implement fast CRC-T10DIF computation with SSE and PCLMULQDQ instructions
15//
16// Copyright (c) 2013, Intel Corporation
17//
18// Authors:
19// Erdinc Ozturk <erdinc.ozturk@intel.com>
20// Vinodh Gopal <vinodh.gopal@intel.com>
21// James Guilford <james.guilford@intel.com>
22// Tim Chen <tim.c.chen@linux.intel.com>
23//
24// This software is available to you under a choice of one of two
25// licenses. You may choose to be licensed under the terms of the GNU
26// General Public License (GPL) Version 2, available from the file
27// COPYING in the main directory of this source tree, or the
28// OpenIB.org BSD license below:
29//
30// Redistribution and use in source and binary forms, with or without
31// modification, are permitted provided that the following conditions are
32// met:
33//
34// * Redistributions of source code must retain the above copyright
35// notice, this list of conditions and the following disclaimer.
36//
37// * Redistributions in binary form must reproduce the above copyright
38// notice, this list of conditions and the following disclaimer in the
39// documentation and/or other materials provided with the
40// distribution.
41//
42// * Neither the name of the Intel Corporation nor the names of its
43// contributors may be used to endorse or promote products derived from
44// this software without specific prior written permission.
45//
46//
47// THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
48// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
49// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
50// PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
51// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
52// EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
53// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
54// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
55// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
56// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
57// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
58//
59// Reference paper titled "Fast CRC Computation for Generic
60// Polynomials Using PCLMULQDQ Instruction"
61// URL: http://www.intel.com/content/dam/www/public/us/en/documents
62// /white-papers/fast-crc-computation-generic-polynomials-pclmulqdq-paper.pdf
63//
64
65#include <linux/linkage.h>
66#include <asm/assembler.h>
67
68#ifdef CONFIG_CPU_ENDIAN_BE8
69#define CPU_LE(code...)
70#else
71#define CPU_LE(code...) code
72#endif
73
74 .text
75 .arch armv8-a
76 .fpu crypto-neon-fp-armv8
77
78 init_crc .req r0
79 buf .req r1
80 len .req r2
81
82 fold_consts_ptr .req ip
83
84 q0l .req d0
85 q0h .req d1
86 q1l .req d2
87 q1h .req d3
88 q2l .req d4
89 q2h .req d5
90 q3l .req d6
91 q3h .req d7
92 q4l .req d8
93 q4h .req d9
94 q5l .req d10
95 q5h .req d11
96 q6l .req d12
97 q6h .req d13
98 q7l .req d14
99 q7h .req d15
100 q8l .req d16
101 q8h .req d17
102 q9l .req d18
103 q9h .req d19
104 q10l .req d20
105 q10h .req d21
106 q11l .req d22
107 q11h .req d23
108 q12l .req d24
109 q12h .req d25
110
111 FOLD_CONSTS .req q10
112 FOLD_CONST_L .req q10l
113 FOLD_CONST_H .req q10h
114
115 // Fold reg1, reg2 into the next 32 data bytes, storing the result back
116 // into reg1, reg2.
117 .macro fold_32_bytes, reg1, reg2
118 vld1.64 {q11-q12}, [buf]!
119
120 vmull.p64 q8, \reg1\()h, FOLD_CONST_H
121 vmull.p64 \reg1, \reg1\()l, FOLD_CONST_L
122 vmull.p64 q9, \reg2\()h, FOLD_CONST_H
123 vmull.p64 \reg2, \reg2\()l, FOLD_CONST_L
124
125CPU_LE( vrev64.8 q11, q11 )
126CPU_LE( vrev64.8 q12, q12 )
127 vswp q11l, q11h
128 vswp q12l, q12h
129
130 veor.8 \reg1, \reg1, q8
131 veor.8 \reg2, \reg2, q9
132 veor.8 \reg1, \reg1, q11
133 veor.8 \reg2, \reg2, q12
134 .endm
135
136 // Fold src_reg into dst_reg, optionally loading the next fold constants
137 .macro fold_16_bytes, src_reg, dst_reg, load_next_consts
138 vmull.p64 q8, \src_reg\()l, FOLD_CONST_L
139 vmull.p64 \src_reg, \src_reg\()h, FOLD_CONST_H
140 .ifnb \load_next_consts
141 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
142 .endif
143 veor.8 \dst_reg, \dst_reg, q8
144 veor.8 \dst_reg, \dst_reg, \src_reg
145 .endm
146
147 .macro __adrl, out, sym
148 movw \out, #:lower16:\sym
149 movt \out, #:upper16:\sym
150 .endm
151
152//
153// u16 crc_t10dif_pmull(u16 init_crc, const u8 *buf, size_t len);
154//
155// Assumes len >= 16.
156//
157ENTRY(crc_t10dif_pmull)
158
159 // For sizes less than 256 bytes, we can't fold 128 bytes at a time.
160 cmp len, #256
161 blt .Lless_than_256_bytes
162
163 __adrl fold_consts_ptr, .Lfold_across_128_bytes_consts
164
165 // Load the first 128 data bytes. Byte swapping is necessary to make
166 // the bit order match the polynomial coefficient order.
167 vld1.64 {q0-q1}, [buf]!
168 vld1.64 {q2-q3}, [buf]!
169 vld1.64 {q4-q5}, [buf]!
170 vld1.64 {q6-q7}, [buf]!
171CPU_LE( vrev64.8 q0, q0 )
172CPU_LE( vrev64.8 q1, q1 )
173CPU_LE( vrev64.8 q2, q2 )
174CPU_LE( vrev64.8 q3, q3 )
175CPU_LE( vrev64.8 q4, q4 )
176CPU_LE( vrev64.8 q5, q5 )
177CPU_LE( vrev64.8 q6, q6 )
178CPU_LE( vrev64.8 q7, q7 )
179 vswp q0l, q0h
180 vswp q1l, q1h
181 vswp q2l, q2h
182 vswp q3l, q3h
183 vswp q4l, q4h
184 vswp q5l, q5h
185 vswp q6l, q6h
186 vswp q7l, q7h
187
188 // XOR the first 16 data *bits* with the initial CRC value.
189 vmov.i8 q8h, #0
190 vmov.u16 q8h[3], init_crc
191 veor q0h, q0h, q8h
192
193 // Load the constants for folding across 128 bytes.
194 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
195
196 // Subtract 128 for the 128 data bytes just consumed. Subtract another
197 // 128 to simplify the termination condition of the following loop.
198 sub len, len, #256
199
200 // While >= 128 data bytes remain (not counting q0-q7), fold the 128
201 // bytes q0-q7 into them, storing the result back into q0-q7.
202.Lfold_128_bytes_loop:
203 fold_32_bytes q0, q1
204 fold_32_bytes q2, q3
205 fold_32_bytes q4, q5
206 fold_32_bytes q6, q7
207 subs len, len, #128
208 bge .Lfold_128_bytes_loop
209
210 // Now fold the 112 bytes in q0-q6 into the 16 bytes in q7.
211
212 // Fold across 64 bytes.
213 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
214 fold_16_bytes q0, q4
215 fold_16_bytes q1, q5
216 fold_16_bytes q2, q6
217 fold_16_bytes q3, q7, 1
218 // Fold across 32 bytes.
219 fold_16_bytes q4, q6
220 fold_16_bytes q5, q7, 1
221 // Fold across 16 bytes.
222 fold_16_bytes q6, q7
223
224 // Add 128 to get the correct number of data bytes remaining in 0...127
225 // (not counting q7), following the previous extra subtraction by 128.
226 // Then subtract 16 to simplify the termination condition of the
227 // following loop.
228 adds len, len, #(128-16)
229
230 // While >= 16 data bytes remain (not counting q7), fold the 16 bytes q7
231 // into them, storing the result back into q7.
232 blt .Lfold_16_bytes_loop_done
233.Lfold_16_bytes_loop:
234 vmull.p64 q8, q7l, FOLD_CONST_L
235 vmull.p64 q7, q7h, FOLD_CONST_H
236 veor.8 q7, q7, q8
237 vld1.64 {q0}, [buf]!
238CPU_LE( vrev64.8 q0, q0 )
239 vswp q0l, q0h
240 veor.8 q7, q7, q0
241 subs len, len, #16
242 bge .Lfold_16_bytes_loop
243
244.Lfold_16_bytes_loop_done:
245 // Add 16 to get the correct number of data bytes remaining in 0...15
246 // (not counting q7), following the previous extra subtraction by 16.
247 adds len, len, #16
248 beq .Lreduce_final_16_bytes
249
250.Lhandle_partial_segment:
251 // Reduce the last '16 + len' bytes where 1 <= len <= 15 and the first
252 // 16 bytes are in q7 and the rest are the remaining data in 'buf'. To
253 // do this without needing a fold constant for each possible 'len',
254 // redivide the bytes into a first chunk of 'len' bytes and a second
255 // chunk of 16 bytes, then fold the first chunk into the second.
256
257 // q0 = last 16 original data bytes
258 add buf, buf, len
259 sub buf, buf, #16
260 vld1.64 {q0}, [buf]
261CPU_LE( vrev64.8 q0, q0 )
262 vswp q0l, q0h
263
264 // q1 = high order part of second chunk: q7 left-shifted by 'len' bytes.
265 __adrl r3, .Lbyteshift_table + 16
266 sub r3, r3, len
267 vld1.8 {q2}, [r3]
268 vtbl.8 q1l, {q7l-q7h}, q2l
269 vtbl.8 q1h, {q7l-q7h}, q2h
270
271 // q3 = first chunk: q7 right-shifted by '16-len' bytes.
272 vmov.i8 q3, #0x80
273 veor.8 q2, q2, q3
274 vtbl.8 q3l, {q7l-q7h}, q2l
275 vtbl.8 q3h, {q7l-q7h}, q2h
276
277 // Convert to 8-bit masks: 'len' 0x00 bytes, then '16-len' 0xff bytes.
278 vshr.s8 q2, q2, #7
279
280 // q2 = second chunk: 'len' bytes from q0 (low-order bytes),
281 // then '16-len' bytes from q1 (high-order bytes).
282 vbsl.8 q2, q1, q0
283
284 // Fold the first chunk into the second chunk, storing the result in q7.
285 vmull.p64 q0, q3l, FOLD_CONST_L
286 vmull.p64 q7, q3h, FOLD_CONST_H
287 veor.8 q7, q7, q0
288 veor.8 q7, q7, q2
289
290.Lreduce_final_16_bytes:
291 // Reduce the 128-bit value M(x), stored in q7, to the final 16-bit CRC.
292
293 // Load 'x^48 * (x^48 mod G(x))' and 'x^48 * (x^80 mod G(x))'.
294 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
295
296 // Fold the high 64 bits into the low 64 bits, while also multiplying by
297 // x^64. This produces a 128-bit value congruent to x^64 * M(x) and
298 // whose low 48 bits are 0.
299 vmull.p64 q0, q7h, FOLD_CONST_H // high bits * x^48 * (x^80 mod G(x))
300 veor.8 q0h, q0h, q7l // + low bits * x^64
301
302 // Fold the high 32 bits into the low 96 bits. This produces a 96-bit
303 // value congruent to x^64 * M(x) and whose low 48 bits are 0.
304 vmov.i8 q1, #0
305 vmov s4, s3 // extract high 32 bits
306 vmov s3, s5 // zero high 32 bits
307 vmull.p64 q1, q1l, FOLD_CONST_L // high 32 bits * x^48 * (x^48 mod G(x))
308 veor.8 q0, q0, q1 // + low bits
309
310 // Load G(x) and floor(x^48 / G(x)).
311 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]
312
313 // Use Barrett reduction to compute the final CRC value.
314 vmull.p64 q1, q0h, FOLD_CONST_H // high 32 bits * floor(x^48 / G(x))
315 vshr.u64 q1l, q1l, #32 // /= x^32
316 vmull.p64 q1, q1l, FOLD_CONST_L // *= G(x)
317 vshr.u64 q0l, q0l, #48
318 veor.8 q0l, q0l, q1l // + low 16 nonzero bits
319 // Final CRC value (x^16 * M(x)) mod G(x) is in low 16 bits of q0.
320
321 vmov.u16 r0, q0l[0]
322 bx lr
323
324.Lless_than_256_bytes:
325 // Checksumming a buffer of length 16...255 bytes
326
327 __adrl fold_consts_ptr, .Lfold_across_16_bytes_consts
328
329 // Load the first 16 data bytes.
330 vld1.64 {q7}, [buf]!
331CPU_LE( vrev64.8 q7, q7 )
332 vswp q7l, q7h
333
334 // XOR the first 16 data *bits* with the initial CRC value.
335 vmov.i8 q0h, #0
336 vmov.u16 q0h[3], init_crc
337 veor.8 q7h, q7h, q0h
338
339 // Load the fold-across-16-bytes constants.
340 vld1.64 {FOLD_CONSTS}, [fold_consts_ptr, :128]!
341
342 cmp len, #16
343 beq .Lreduce_final_16_bytes // len == 16
344 subs len, len, #32
345 addlt len, len, #16
346 blt .Lhandle_partial_segment // 17 <= len <= 31
347 b .Lfold_16_bytes_loop // 32 <= len <= 255
348ENDPROC(crc_t10dif_pmull)
349
350 .section ".rodata", "a"
351 .align 4
352
353// Fold constants precomputed from the polynomial 0x18bb7
354// G(x) = x^16 + x^15 + x^11 + x^9 + x^8 + x^7 + x^5 + x^4 + x^2 + x^1 + x^0
355.Lfold_across_128_bytes_consts:
356 .quad 0x0000000000006123 // x^(8*128) mod G(x)
357 .quad 0x0000000000002295 // x^(8*128+64) mod G(x)
358// .Lfold_across_64_bytes_consts:
359 .quad 0x0000000000001069 // x^(4*128) mod G(x)
360 .quad 0x000000000000dd31 // x^(4*128+64) mod G(x)
361// .Lfold_across_32_bytes_consts:
362 .quad 0x000000000000857d // x^(2*128) mod G(x)
363 .quad 0x0000000000007acc // x^(2*128+64) mod G(x)
364.Lfold_across_16_bytes_consts:
365 .quad 0x000000000000a010 // x^(1*128) mod G(x)
366 .quad 0x0000000000001faa // x^(1*128+64) mod G(x)
367// .Lfinal_fold_consts:
368 .quad 0x1368000000000000 // x^48 * (x^48 mod G(x))
369 .quad 0x2d56000000000000 // x^48 * (x^80 mod G(x))
370// .Lbarrett_reduction_consts:
371 .quad 0x0000000000018bb7 // G(x)
372 .quad 0x00000001f65a57f8 // floor(x^48 / G(x))
373
374// For 1 <= len <= 15, the 16-byte vector beginning at &byteshift_table[16 -
375// len] is the index vector to shift left by 'len' bytes, and is also {0x80,
376// ..., 0x80} XOR the index vector to shift right by '16 - len' bytes.
377.Lbyteshift_table:
378 .byte 0x0, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87
379 .byte 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f
380 .byte 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7
381 .byte 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe , 0x0