[PATCH v2 05/38] crypto/aes: Add constants for ShiftRows, InvShiftRows

Richard Henderson posted 38 patches 2 years, 8 months ago
Maintainers: "Daniel P. Berrangé" <berrange@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, Paolo Bonzini <pbonzini@redhat.com>, "Marc-André Lureau" <marcandre.lureau@redhat.com>, Thomas Huth <thuth@redhat.com>, "Philippe Mathieu-Daudé" <philmd@linaro.org>, Peter Maydell <peter.maydell@linaro.org>, Daniel Henrique Barboza <danielhb413@gmail.com>, "Cédric Le Goater" <clg@kaod.org>, David Gibson <david@gibson.dropbear.id.au>, Greg Kurz <groug@kaod.org>, Palmer Dabbelt <palmer@dabbelt.com>, Alistair Francis <alistair.francis@wdc.com>, Bin Meng <bin.meng@windriver.com>, Weiwei Li <liweiwei@iscas.ac.cn>, Liu Zhiwei <zhiwei_liu@linux.alibaba.com>, Eduardo Habkost <eduardo@habkost.net>, "Alex Bennée" <alex.bennee@linaro.org>
There is a newer version of this series
[PATCH v2 05/38] crypto/aes: Add constants for ShiftRows, InvShiftRows
Posted by Richard Henderson 2 years, 8 months ago
These symbols will avoid the indirection through memory
when fully unrolling some new primitives.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 crypto/aes.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 48 insertions(+), 2 deletions(-)

diff --git a/crypto/aes.c b/crypto/aes.c
index 67bb74b8e3..cdf937883d 100644
--- a/crypto/aes.c
+++ b/crypto/aes.c
@@ -108,12 +108,58 @@ const uint8_t AES_isbox[256] = {
     0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D,
 };
 
+/* AES ShiftRows, for complete unrolling. */
+enum {
+    AES_SH_0 = 0x0,
+    AES_SH_1 = 0x5,
+    AES_SH_2 = 0xa,
+    AES_SH_3 = 0xf,
+    AES_SH_4 = 0x4,
+    AES_SH_5 = 0x9,
+    AES_SH_6 = 0xe,
+    AES_SH_7 = 0x3,
+    AES_SH_8 = 0x8,
+    AES_SH_9 = 0xd,
+    AES_SH_A = 0x2,
+    AES_SH_B = 0x7,
+    AES_SH_C = 0xc,
+    AES_SH_D = 0x1,
+    AES_SH_E = 0x6,
+    AES_SH_F = 0xb,
+};
+
 const uint8_t AES_shifts[16] = {
-    0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11
+    AES_SH_0, AES_SH_1, AES_SH_2, AES_SH_3,
+    AES_SH_4, AES_SH_5, AES_SH_6, AES_SH_7,
+    AES_SH_8, AES_SH_9, AES_SH_A, AES_SH_B,
+    AES_SH_C, AES_SH_D, AES_SH_E, AES_SH_F,
+};
+
+/* AES InvShiftRows, for complete unrolling. */
+enum {
+    AES_ISH_0 = 0x0,
+    AES_ISH_1 = 0xd,
+    AES_ISH_2 = 0xa,
+    AES_ISH_3 = 0x7,
+    AES_ISH_4 = 0x4,
+    AES_ISH_5 = 0x1,
+    AES_ISH_6 = 0xe,
+    AES_ISH_7 = 0xb,
+    AES_ISH_8 = 0x8,
+    AES_ISH_9 = 0x5,
+    AES_ISH_A = 0x2,
+    AES_ISH_B = 0xf,
+    AES_ISH_C = 0xc,
+    AES_ISH_D = 0x9,
+    AES_ISH_E = 0x6,
+    AES_ISH_F = 0x3,
 };
 
 const uint8_t AES_ishifts[16] = {
-    0, 13, 10, 7, 4, 1, 14, 11, 8, 5, 2, 15, 12, 9, 6, 3
+    AES_ISH_0, AES_ISH_1, AES_ISH_2, AES_ISH_3,
+    AES_ISH_4, AES_ISH_5, AES_ISH_6, AES_ISH_7,
+    AES_ISH_8, AES_ISH_9, AES_ISH_A, AES_ISH_B,
+    AES_ISH_C, AES_ISH_D, AES_ISH_E, AES_ISH_F,
 };
 
 /*
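Review bot: The comments on the two new enums (`/* AES ShiftRows, for complete unrolling. */` and the InvShiftRows one) do not say which direction the index runs, and an unrolled caller that reads it the other way round silently computes the inverse permutation. The values are consistent with gather form over the FIPS-197 column-major state, so I would spell that out, e.g. `/* AES ShiftRows: output byte n is input byte AES_SH_n; state byte index is row + 4 * column. */`, with matching wording for `AES_ISH_n`. The 32 constants are also hand-typed and nothing visible in the hunk ties the two sets together as inverses. A unit-test loop over i = 0..15 with `g_assert(AES_ishifts[AES_shifts[i]] == i);` would catch a mistyped entry before it turns into wrong cipher output.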
-- 
2.34.1


Re: [PATCH v2 05/38] crypto/aes: Add constants for ShiftRows, InvShiftRows
Posted by Ard Biesheuvel 2 years, 7 months ago
On Fri, 9 Jun 2023 at 04:24, Richard Henderson
<richard.henderson@linaro.org> wrote:
>
> These symbols will avoid the indirection through memory
> when fully unrolling some new primitives.
>
> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
> ---
>  crypto/aes.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 48 insertions(+), 2 deletions(-)
>
> diff --git a/crypto/aes.c b/crypto/aes.c
> index 67bb74b8e3..cdf937883d 100644
> --- a/crypto/aes.c
> +++ b/crypto/aes.c
> @@ -108,12 +108,58 @@ const uint8_t AES_isbox[256] = {
>      0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D,
>  };
>
> +/* AES ShiftRows, for complete unrolling. */
> +enum {
> +    AES_SH_0 = 0x0,
> +    AES_SH_1 = 0x5,
> +    AES_SH_2 = 0xa,
> +    AES_SH_3 = 0xf,
> +    AES_SH_4 = 0x4,
> +    AES_SH_5 = 0x9,
> +    AES_SH_6 = 0xe,
> +    AES_SH_7 = 0x3,
> +    AES_SH_8 = 0x8,
> +    AES_SH_9 = 0xd,
> +    AES_SH_A = 0x2,
> +    AES_SH_B = 0x7,
> +    AES_SH_C = 0xc,
> +    AES_SH_D = 0x1,
> +    AES_SH_E = 0x6,
> +    AES_SH_F = 0xb,
> +};
> +

We might simplify this further by doing

#define AES_SH(n)  (((n) * 5) % 16)
#define AES_ISH(n)  (((n) * 13) % 16)

>  const uint8_t AES_shifts[16] = {
> -    0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11
> +    AES_SH_0, AES_SH_1, AES_SH_2, AES_SH_3,
> +    AES_SH_4, AES_SH_5, AES_SH_6, AES_SH_7,
> +    AES_SH_8, AES_SH_9, AES_SH_A, AES_SH_B,
> +    AES_SH_C, AES_SH_D, AES_SH_E, AES_SH_F,
> +};
> +
> +/* AES InvShiftRows, for complete unrolling. */
> +enum {
> +    AES_ISH_0 = 0x0,
> +    AES_ISH_1 = 0xd,
> +    AES_ISH_2 = 0xa,
> +    AES_ISH_3 = 0x7,
> +    AES_ISH_4 = 0x4,
> +    AES_ISH_5 = 0x1,
> +    AES_ISH_6 = 0xe,
> +    AES_ISH_7 = 0xb,
> +    AES_ISH_8 = 0x8,
> +    AES_ISH_9 = 0x5,
> +    AES_ISH_A = 0x2,
> +    AES_ISH_B = 0xf,
> +    AES_ISH_C = 0xc,
> +    AES_ISH_D = 0x9,
> +    AES_ISH_E = 0x6,
> +    AES_ISH_F = 0x3,
>  };
>
>  const uint8_t AES_ishifts[16] = {
> -    0, 13, 10, 7, 4, 1, 14, 11, 8, 5, 2, 15, 12, 9, 6, 3
> +    AES_ISH_0, AES_ISH_1, AES_ISH_2, AES_ISH_3,
> +    AES_ISH_4, AES_ISH_5, AES_ISH_6, AES_ISH_7,
> +    AES_ISH_8, AES_ISH_9, AES_ISH_A, AES_ISH_B,
> +    AES_ISH_C, AES_ISH_D, AES_ISH_E, AES_ISH_F,
>  };
>
>  /*
> --
> 2.34.1
>
Re: [PATCH v2 05/38] crypto/aes: Add constants for ShiftRows, InvShiftRows
Posted by Richard Henderson 2 years, 7 months ago
On 6/29/23 12:21, Ard Biesheuvel wrote:
>> +/* AES ShiftRows, for complete unrolling. */
>> +enum {
>> +    AES_SH_0 = 0x0,
>> +    AES_SH_1 = 0x5,
>> +    AES_SH_2 = 0xa,
>> +    AES_SH_3 = 0xf,
>> +    AES_SH_4 = 0x4,
>> +    AES_SH_5 = 0x9,
>> +    AES_SH_6 = 0xe,
>> +    AES_SH_7 = 0x3,
>> +    AES_SH_8 = 0x8,
>> +    AES_SH_9 = 0xd,
>> +    AES_SH_A = 0x2,
>> +    AES_SH_B = 0x7,
>> +    AES_SH_C = 0xc,
>> +    AES_SH_D = 0x1,
>> +    AES_SH_E = 0x6,
>> +    AES_SH_F = 0xb,
>> +};
>> +
> 
> We might simplify this further by doing
> 
> #define AES_SH(n)  (((n) * 5) % 16)
> #define AES_ISH(n)  (((n) * 13) % 16)

Thanks.  I should have noticed, but

   s'_{r,c} = s_{r,(c+r)%4}

didn't make an impression and I assumed the table was non-regular.


r~
Re: [PATCH v2 05/38] crypto/aes: Add constants for ShiftRows, InvShiftRows
Posted by Daniel P. Berrangé 2 years, 7 months ago
On Thu, Jun 08, 2023 at 07:23:28PM -0700, Richard Henderson wrote:
> These symbols will avoid the indirection through memory
> when fully unrolling some new primitives.
> 
> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
> ---
>  crypto/aes.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 48 insertions(+), 2 deletions(-)

Acked-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|