Add helper support for the Octeon Camellia ROUND, FL, and FLINV selectors. The engine reuses the AES RESINP bank, and guest-managed key schedules drive the Camellia F-function and FL layers through these COP2 operations.
Implement the Camellia F-function and FL layers directly from RFC 3713. Signed-off-by: James Hilliard <[email protected]> --- Changes v8 -> v9: - Split Camellia operation selectors into their own COP2 helper patch. - Replace generic selector dispatch with per-operation Camellia helpers. - Add matching helper.h declarations with the helper implementation. Changes v1 -> v2: - Drop the Octeon prefix from generic Camellia helper routines. (suggested by Philippe Mathieu-Daudé) - Add selector dispatch updates in octeon_translate.c after moving COP2 decode out of translate.c. (suggested by Philippe Mathieu-Daudé) Changes v5 -> v6: - Use RESINP wording for the Camellia shared selector aliases. --- target/mips/helper.h | 3 + target/mips/tcg/octeon_crypto.c | 124 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 127 insertions(+) diff --git a/target/mips/helper.h b/target/mips/helper.h index 9a13f00de8..23c712cfb7 100644 --- a/target/mips/helper.h +++ b/target/mips/helper.h @@ -80,6 +80,9 @@ DEF_HELPER_2(octeon_cp2_mt_des3_enc, void, env, i64) DEF_HELPER_2(octeon_cp2_mt_kas_enc, void, env, i64) DEF_HELPER_2(octeon_cp2_mt_des3_dec_cbc, void, env, i64) DEF_HELPER_2(octeon_cp2_mt_des3_dec, void, env, i64) +DEF_HELPER_2(octeon_cp2_mt_camellia_fl, void, env, i64) +DEF_HELPER_2(octeon_cp2_mt_camellia_flinv, void, env, i64) +DEF_HELPER_2(octeon_cp2_mt_camellia_round, void, env, i64) /* microMIPS functions */ DEF_HELPER_4(lwm, void, env, tl, tl, i32) diff --git a/target/mips/tcg/octeon_crypto.c b/target/mips/tcg/octeon_crypto.c index 851a3cbdea..d26dd2924d 100644 --- a/target/mips/tcg/octeon_crypto.c +++ b/target/mips/tcg/octeon_crypto.c @@ -1283,6 +1283,116 @@ static void octeon_aes_store_block(uint64_t regs[2], const uint8_t *block) regs[0] = ldq_be_p(block); regs[1] = ldq_be_p(block + 8); } +static const uint8_t camellia_sbox1[256] = { + 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, + 174, 65, 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, + 29, 101, 146, 189, 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, + 220, 95, 94, 197, 11, 26, 166, 225, 57, 202, 213, 71, 93, 61, + 217, 1, 90, 214, 81, 86, 108, 77, 139, 13, 154, 102, 251, 204, + 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, 223, 76, 203, 194, + 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, 20, 88, + 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, + 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, + 105, 80, 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, + 224, 255, 100, 210, 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, + 230, 218, 9, 63, 221, 148, 135, 92, 131, 2, 205, 74, 144, 51, + 115, 103, 246, 243, 157, 127, 191, 226, 82, 155, 216, 38, 200, 55, + 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, 233, 121, 167, 140, + 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, 120, 152, + 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, + 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, + 241, 164, 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, + 119, 199, 128, 158, +}; + +static inline uint8_t camellia_rotl8(uint8_t v, unsigned int shift) +{ + return (v << shift) | (v >> (8 - shift)); +} + +static inline uint8_t camellia_sbox2(uint8_t x) +{ + return camellia_rotl8(camellia_sbox1[x], 1); +} + +static inline uint8_t camellia_sbox3(uint8_t x) +{ + return camellia_rotl8(camellia_sbox1[x], 7); +} + +static inline uint8_t camellia_sbox4(uint8_t x) +{ + return camellia_sbox1[camellia_rotl8(x, 1)]; +} + +static uint64_t camellia_f(uint64_t input, uint64_t key) +{ + uint64_t x = input ^ key; + uint8_t t1 = camellia_sbox1[x >> 56]; + uint8_t t2 = camellia_sbox2((x >> 48) & 0xff); + uint8_t t3 = camellia_sbox3((x >> 40) & 0xff); + uint8_t t4 = camellia_sbox4((x >> 32) & 0xff); + uint8_t t5 = camellia_sbox2((x >> 24) & 0xff); + uint8_t t6 = camellia_sbox3((x >> 16) & 0xff); + uint8_t t7 = camellia_sbox4((x >> 8) & 0xff); + uint8_t t8 = camellia_sbox1[x & 0xff]; + uint8_t y1 = t1 ^ t3 ^ t4 ^ t6 ^ t7 ^ t8; + uint8_t y2 = t1 ^ t2 ^ t4 ^ t5 ^ t7 ^ t8; + uint8_t y3 = t1 ^ t2 ^ t3 ^ t5 ^ t6 ^ t8; + uint8_t y4 = t2 ^ t3 ^ t4 ^ t5 ^ t6 ^ t7; + uint8_t y5 = t1 ^ t2 ^ t6 ^ t7 ^ t8; + uint8_t y6 = t2 ^ t3 ^ t5 ^ t7 ^ t8; + uint8_t y7 = t3 ^ t4 ^ t5 ^ t6 ^ t8; + uint8_t y8 = t1 ^ t4 ^ t5 ^ t6 ^ t7; + + return ((uint64_t)y1 << 56) | ((uint64_t)y2 << 48) | + ((uint64_t)y3 << 40) | ((uint64_t)y4 << 32) | + ((uint64_t)y5 << 24) | ((uint64_t)y6 << 16) | + ((uint64_t)y7 << 8) | y8; +} + +static uint64_t camellia_fl(uint64_t input, uint64_t key) +{ + uint32_t x1 = input >> 32; + uint32_t x2 = input; + uint32_t k1 = key >> 32; + uint32_t k2 = key; + + x2 ^= rol32(x1 & k1, 1); + x1 ^= x2 | k2; + return ((uint64_t)x1 << 32) | x2; +} + +static uint64_t camellia_flinv(uint64_t input, uint64_t key) +{ + uint32_t y1 = input >> 32; + uint32_t y2 = input; + uint32_t k1 = key >> 32; + uint32_t k2 = key; + + y1 ^= y2 | k2; + y2 ^= rol32(y1 & k1, 1); + return ((uint64_t)y1 << 32) | y2; +} + +static void octeon_camellia_round(MIPSOcteonCryptoState *crypto, uint64_t key) +{ + uint64_t left = crypto->aes_result[0]; + uint64_t right = crypto->aes_result[1]; + + crypto->aes_result[0] = right ^ camellia_f(left, key); + crypto->aes_result[1] = left; +} + +static void octeon_camellia_fl_layer(MIPSOcteonCryptoState *crypto, + uint64_t key, bool inverse) +{ + uint64_t state = crypto->aes_result[inverse ? 1 : 0]; + + crypto->aes_result[inverse ? 1 : 0] = inverse ? + camellia_flinv(state, key) : + camellia_fl(state, key); +} static void octeon_sms4_crypt_common(MIPSOcteonCryptoState *crypto, bool encrypt, bool cbc) { @@ -1577,6 +1687,20 @@ void helper_octeon_cp2_mt_aes_dec1(CPUMIPSState *env, uint64_t value) crypto->aes_input[1] = value; octeon_aes_decrypt_common(crypto, false); } +void helper_octeon_cp2_mt_camellia_fl(CPUMIPSState *env, uint64_t value) +{ + octeon_camellia_fl_layer(&env->octeon_crypto, value, false); +} + +void helper_octeon_cp2_mt_camellia_flinv(CPUMIPSState *env, uint64_t value) +{ + octeon_camellia_fl_layer(&env->octeon_crypto, value, true); +} + +void helper_octeon_cp2_mt_camellia_round(CPUMIPSState *env, uint64_t value) +{ + octeon_camellia_round(&env->octeon_crypto, value); +} void helper_octeon_cp2_mt_des3_enc_cbc(CPUMIPSState *env, uint64_t value) { octeon_3des_crypt_common(&env->octeon_crypto, value, true, true); -- 2.54.0
