arch/x86/crypto/sha1_ssse3_asm.S - linux - Git at Google

 /* SPDX-License-Identifier: GPL-2.0-or-later */
 /*
  * This is a SIMD SHA-1 implementation. It requires the Intel(R) Supplemental
  * SSE3 instruction set extensions introduced in Intel Core Microarchitecture
  * processors. CPUs supporting Intel(R) AVX extensions will get an additional
  * boost.
  *
  * This work was inspired by the vectorized implementation of Dean Gaudet.
  * Additional information on it can be found at:
  *    http://www.arctic.org/~dean/crypto/sha1.html
  *
  * It was improved upon with more efficient vectorization of the message
  * scheduling. This implementation has also been optimized for all current and
  * several future generations of Intel CPUs.
  *
  * See this article for more information about the implementation details:
  *   http://software.intel.com/en-us/articles/improving-the-performance-of-the-secure-hash-algorithm-1/
  *
  * Copyright (C) 2010, Intel Corp.
  *   Authors: Maxim Locktyukhin <maxim.locktyukhin@intel.com>
  *            Ronen Zohar <ronen.zohar@intel.com>
  *
  * Converted to AT&T syntax and adapted for inclusion in the Linux kernel:
  *   Author: Mathias Krause <minipli@googlemail.com>
  */

 #include <linux/linkage.h>
 #include <linux/cfi_types.h>

 #define CTX	%rdi	// arg1
 #define BUF	%rsi	// arg2
 #define CNT	%rdx	// arg3

 #define REG_A	%ecx
 #define REG_B	%esi
 #define REG_C	%edi
 #define REG_D	%r12d
 #define REG_E	%edx

 #define REG_T1	%eax
 #define REG_T2	%ebx

 #define K_BASE		%r8
 #define HASH_PTR	%r9
 #define BUFFER_PTR	%r10
 #define BUFFER_END	%r11

 #define W_TMP1	%xmm0
 #define W_TMP2	%xmm9

 #define W0	%xmm1
 #define W4	%xmm2
 #define W8	%xmm3
 #define W12	%xmm4
 #define W16	%xmm5
 #define W20	%xmm6
 #define W24	%xmm7
 #define W28	%xmm8

 #define XMM_SHUFB_BSWAP	%xmm10

 /* we keep window of 64 w[i]+K pre-calculated values in a circular buffer */
 #define WK(t)	(((t) & 15) * 4)(%rsp)
 #define W_PRECALC_AHEAD	16

 /*
  * This macro implements the SHA-1 function's body for single 64-byte block
  * param: function's name
  */
 .macro SHA1_VECTOR_ASM  name
 	SYM_TYPED_FUNC_START(\name)

 	push	%rbx
 	push	%r12
 	push	%rbp
 	mov	%rsp, %rbp

 	sub	$64, %rsp		# allocate workspace
 	and	$~15, %rsp		# align stack

 	mov	CTX, HASH_PTR
 	mov	BUF, BUFFER_PTR

 	shl	$6, CNT			# multiply by 64
 	add	BUF, CNT
 	mov	CNT, BUFFER_END

 	lea	K_XMM_AR(%rip), K_BASE
 	xmm_mov	BSWAP_SHUFB_CTL(%rip), XMM_SHUFB_BSWAP

 	SHA1_PIPELINED_MAIN_BODY

 	# cleanup workspace
 	mov	$8, %ecx
 	mov	%rsp, %rdi
 	xor	%eax, %eax
 	rep stosq

 	mov	%rbp, %rsp		# deallocate workspace
 	pop	%rbp
 	pop	%r12
 	pop	%rbx
 	RET

 	SYM_FUNC_END(\name)
 .endm

 /*
  * This macro implements 80 rounds of SHA-1 for one 64-byte block
  */
 .macro SHA1_PIPELINED_MAIN_BODY
 	INIT_REGALLOC

 	mov	  (HASH_PTR), A
 	mov	 4(HASH_PTR), B
 	mov	 8(HASH_PTR), C
 	mov	12(HASH_PTR), D
 	mov	16(HASH_PTR), E

   .set i, 0
   .rept W_PRECALC_AHEAD
 	W_PRECALC i
     .set i, (i+1)
   .endr

 .align 4
 1:
 	RR F1,A,B,C,D,E,0
 	RR F1,D,E,A,B,C,2
 	RR F1,B,C,D,E,A,4
 	RR F1,E,A,B,C,D,6
 	RR F1,C,D,E,A,B,8

 	RR F1,A,B,C,D,E,10
 	RR F1,D,E,A,B,C,12
 	RR F1,B,C,D,E,A,14
 	RR F1,E,A,B,C,D,16
 	RR F1,C,D,E,A,B,18

 	RR F2,A,B,C,D,E,20
 	RR F2,D,E,A,B,C,22
 	RR F2,B,C,D,E,A,24
 	RR F2,E,A,B,C,D,26
 	RR F2,C,D,E,A,B,28

 	RR F2,A,B,C,D,E,30
 	RR F2,D,E,A,B,C,32
 	RR F2,B,C,D,E,A,34
 	RR F2,E,A,B,C,D,36
 	RR F2,C,D,E,A,B,38

 	RR F3,A,B,C,D,E,40
 	RR F3,D,E,A,B,C,42
 	RR F3,B,C,D,E,A,44
 	RR F3,E,A,B,C,D,46
 	RR F3,C,D,E,A,B,48

 	RR F3,A,B,C,D,E,50
 	RR F3,D,E,A,B,C,52
 	RR F3,B,C,D,E,A,54
 	RR F3,E,A,B,C,D,56
 	RR F3,C,D,E,A,B,58

 	add	$64, BUFFER_PTR		# move to the next 64-byte block
 	cmp	BUFFER_END, BUFFER_PTR	# if the current is the last one use
 	cmovae	K_BASE, BUFFER_PTR	# dummy source to avoid buffer overrun

 	RR F4,A,B,C,D,E,60
 	RR F4,D,E,A,B,C,62
 	RR F4,B,C,D,E,A,64
 	RR F4,E,A,B,C,D,66
 	RR F4,C,D,E,A,B,68

 	RR F4,A,B,C,D,E,70
 	RR F4,D,E,A,B,C,72
 	RR F4,B,C,D,E,A,74
 	RR F4,E,A,B,C,D,76
 	RR F4,C,D,E,A,B,78

 	UPDATE_HASH   (HASH_PTR), A
 	UPDATE_HASH  4(HASH_PTR), B
 	UPDATE_HASH  8(HASH_PTR), C
 	UPDATE_HASH 12(HASH_PTR), D
 	UPDATE_HASH 16(HASH_PTR), E

 	RESTORE_RENAMED_REGS
 	cmp	K_BASE, BUFFER_PTR	# K_BASE means, we reached the end
 	jne	1b
 .endm

 .macro INIT_REGALLOC
   .set A, REG_A
   .set B, REG_B
   .set C, REG_C
   .set D, REG_D
   .set E, REG_E
   .set T1, REG_T1
   .set T2, REG_T2
 .endm

 .macro RESTORE_RENAMED_REGS
 	# order is important (REG_C is where it should be)
 	mov	B, REG_B
 	mov	D, REG_D
 	mov	A, REG_A
 	mov	E, REG_E
 .endm

 .macro SWAP_REG_NAMES  a, b
   .set _T, \a
   .set \a, \b
   .set \b, _T
 .endm

 .macro F1  b, c, d
 	mov	\c, T1
 	SWAP_REG_NAMES \c, T1
 	xor	\d, T1
 	and	\b, T1
 	xor	\d, T1
 .endm

 .macro F2  b, c, d
 	mov	\d, T1
 	SWAP_REG_NAMES \d, T1
 	xor	\c, T1
 	xor	\b, T1
 .endm

 .macro F3  b, c ,d
 	mov	\c, T1
 	SWAP_REG_NAMES \c, T1
 	mov	\b, T2
 	or	\b, T1
 	and	\c, T2
 	and	\d, T1
 	or	T2, T1
 .endm

 .macro F4  b, c, d
 	F2 \b, \c, \d
 .endm

 .macro UPDATE_HASH  hash, val
 	add	\hash, \val
 	mov	\val, \hash
 .endm

 /*
  * RR does two rounds of SHA-1 back to back with W[] pre-calc
  *   t1 = F(b, c, d);   e += w(i)
  *   e += t1;           b <<= 30;   d  += w(i+1);
  *   t1 = F(a, b, c);
  *   d += t1;           a <<= 5;
  *   e += a;
  *   t1 = e;            a >>= 7;
  *   t1 <<= 5;
  *   d += t1;
  */
 .macro RR  F, a, b, c, d, e, round
 	add	WK(\round), \e
 	\F   \b, \c, \d		# t1 = F(b, c, d);
 	W_PRECALC (\round + W_PRECALC_AHEAD)
 	rol	$30, \b
 	add	T1, \e
 	add	WK(\round + 1), \d

 	\F   \a, \b, \c
 	W_PRECALC (\round + W_PRECALC_AHEAD + 1)
 	rol	$5, \a
 	add	\a, \e
 	add	T1, \d
 	ror	$7, \a		# (a <<r 5) >>r 7) => a <<r 30)

 	mov	\e, T1
 	SWAP_REG_NAMES \e, T1

 	rol	$5, T1
 	add	T1, \d

 	# write:  \a, \b
 	# rotate: \a<=\d, \b<=\e, \c<=\a, \d<=\b, \e<=\c
 .endm

 .macro W_PRECALC  r
   .set i, \r

   .if (i < 20)
     .set K_XMM, 0
   .elseif (i < 40)
     .set K_XMM, 16
   .elseif (i < 60)
     .set K_XMM, 32
   .elseif (i < 80)
     .set K_XMM, 48
   .endif

   .if ((i < 16) || ((i >= 80) && (i < (80 + W_PRECALC_AHEAD))))
     .set i, ((\r) % 80)	    # pre-compute for the next iteration
     .if (i == 0)
 	W_PRECALC_RESET
     .endif
 	W_PRECALC_00_15
   .elseif (i<32)
 	W_PRECALC_16_31
   .elseif (i < 80)   // rounds 32-79
 	W_PRECALC_32_79
   .endif
 .endm

 .macro W_PRECALC_RESET
   .set W,          W0
   .set W_minus_04, W4
   .set W_minus_08, W8
   .set W_minus_12, W12
   .set W_minus_16, W16
   .set W_minus_20, W20
   .set W_minus_24, W24
   .set W_minus_28, W28
   .set W_minus_32, W
 .endm

 .macro W_PRECALC_ROTATE
   .set W_minus_32, W_minus_28
   .set W_minus_28, W_minus_24
   .set W_minus_24, W_minus_20
   .set W_minus_20, W_minus_16
   .set W_minus_16, W_minus_12
   .set W_minus_12, W_minus_08
   .set W_minus_08, W_minus_04
   .set W_minus_04, W
   .set W,          W_minus_32
 .endm

 .macro W_PRECALC_SSSE3

 .macro W_PRECALC_00_15
 	W_PRECALC_00_15_SSSE3
 .endm
 .macro W_PRECALC_16_31
 	W_PRECALC_16_31_SSSE3
 .endm
 .macro W_PRECALC_32_79
 	W_PRECALC_32_79_SSSE3
 .endm

 /* message scheduling pre-compute for rounds 0-15 */
 .macro W_PRECALC_00_15_SSSE3
   .if ((i & 3) == 0)
 	movdqu	(i*4)(BUFFER_PTR), W_TMP1
   .elseif ((i & 3) == 1)
 	pshufb	XMM_SHUFB_BSWAP, W_TMP1
 	movdqa	W_TMP1, W
   .elseif ((i & 3) == 2)
 	paddd	(K_BASE), W_TMP1
   .elseif ((i & 3) == 3)
 	movdqa  W_TMP1, WK(i&~3)
 	W_PRECALC_ROTATE
   .endif
 .endm

 /* message scheduling pre-compute for rounds 16-31
  *
  * - calculating last 32 w[i] values in 8 XMM registers
  * - pre-calculate K+w[i] values and store to mem, for later load by ALU add
  *   instruction
  *
  * some "heavy-lifting" vectorization for rounds 16-31 due to w[i]->w[i-3]
  * dependency, but improves for 32-79
  */
 .macro W_PRECALC_16_31_SSSE3
   # blended scheduling of vector and scalar instruction streams, one 4-wide
   # vector iteration / 4 scalar rounds
   .if ((i & 3) == 0)
 	movdqa	W_minus_12, W
 	palignr	$8, W_minus_16, W	# w[i-14]
 	movdqa	W_minus_04, W_TMP1
 	psrldq	$4, W_TMP1		# w[i-3]
 	pxor	W_minus_08, W
   .elseif ((i & 3) == 1)
 	pxor	W_minus_16, W_TMP1
 	pxor	W_TMP1, W
 	movdqa	W, W_TMP2
 	movdqa	W, W_TMP1
 	pslldq	$12, W_TMP2
   .elseif ((i & 3) == 2)
 	psrld	$31, W
 	pslld	$1, W_TMP1
 	por	W, W_TMP1
 	movdqa	W_TMP2, W
 	psrld	$30, W_TMP2
 	pslld	$2, W
   .elseif ((i & 3) == 3)
 	pxor	W, W_TMP1
 	pxor	W_TMP2, W_TMP1
 	movdqa	W_TMP1, W
 	paddd	K_XMM(K_BASE), W_TMP1
 	movdqa	W_TMP1, WK(i&~3)
 	W_PRECALC_ROTATE
   .endif
 .endm

 /* message scheduling pre-compute for rounds 32-79
  *
  * in SHA-1 specification: w[i] = (w[i-3] ^ w[i-8]  ^ w[i-14] ^ w[i-16]) rol 1
  * instead we do equal:    w[i] = (w[i-6] ^ w[i-16] ^ w[i-28] ^ w[i-32]) rol 2
  * allows more efficient vectorization since w[i]=>w[i-3] dependency is broken
  */
 .macro W_PRECALC_32_79_SSSE3
   .if ((i & 3) == 0)
 	movdqa	W_minus_04, W_TMP1
 	pxor	W_minus_28, W		# W is W_minus_32 before xor
 	palignr	$8, W_minus_08, W_TMP1
   .elseif ((i & 3) == 1)
 	pxor	W_minus_16, W
 	pxor	W_TMP1, W
 	movdqa	W, W_TMP1
   .elseif ((i & 3) == 2)
 	psrld	$30, W
 	pslld	$2, W_TMP1
 	por	W, W_TMP1
   .elseif ((i & 3) == 3)
 	movdqa	W_TMP1, W
 	paddd	K_XMM(K_BASE), W_TMP1
 	movdqa	W_TMP1, WK(i&~3)
 	W_PRECALC_ROTATE
   .endif
 .endm

 .endm		// W_PRECALC_SSSE3


 #define K1	0x5a827999
 #define K2	0x6ed9eba1
 #define K3	0x8f1bbcdc
 #define K4	0xca62c1d6

 .section .rodata
 .align 16

 K_XMM_AR:
 	.long K1, K1, K1, K1
 	.long K2, K2, K2, K2
 	.long K3, K3, K3, K3
 	.long K4, K4, K4, K4

 BSWAP_SHUFB_CTL:
 	.long 0x00010203
 	.long 0x04050607
 	.long 0x08090a0b
 	.long 0x0c0d0e0f


 .section .text

 W_PRECALC_SSSE3
 .macro xmm_mov a, b
 	movdqu	\a,\b
 .endm

 /*
  * SSSE3 optimized implementation:
  *
  * extern "C" void sha1_transform_ssse3(struct sha1_state *state,
  *					const u8 *data, int blocks);
  *
  * Note that struct sha1_state is assumed to begin with u32 state[5].
  */
 SHA1_VECTOR_ASM     sha1_transform_ssse3

 .macro W_PRECALC_AVX

 .purgem W_PRECALC_00_15
 .macro  W_PRECALC_00_15
     W_PRECALC_00_15_AVX
 .endm
 .purgem W_PRECALC_16_31
 .macro  W_PRECALC_16_31
     W_PRECALC_16_31_AVX
 .endm
 .purgem W_PRECALC_32_79
 .macro  W_PRECALC_32_79
     W_PRECALC_32_79_AVX
 .endm

 .macro W_PRECALC_00_15_AVX
   .if ((i & 3) == 0)
 	vmovdqu	(i*4)(BUFFER_PTR), W_TMP1
   .elseif ((i & 3) == 1)
 	vpshufb	XMM_SHUFB_BSWAP, W_TMP1, W
   .elseif ((i & 3) == 2)
 	vpaddd	(K_BASE), W, W_TMP1
   .elseif ((i & 3) == 3)
 	vmovdqa	W_TMP1, WK(i&~3)
 	W_PRECALC_ROTATE
   .endif
 .endm

 .macro W_PRECALC_16_31_AVX
   .if ((i & 3) == 0)
 	vpalignr $8, W_minus_16, W_minus_12, W	# w[i-14]
 	vpsrldq	$4, W_minus_04, W_TMP1		# w[i-3]
 	vpxor	W_minus_08, W, W
 	vpxor	W_minus_16, W_TMP1, W_TMP1
   .elseif ((i & 3) == 1)
 	vpxor	W_TMP1, W, W
 	vpslldq	$12, W, W_TMP2
 	vpslld	$1, W, W_TMP1
   .elseif ((i & 3) == 2)
 	vpsrld	$31, W, W
 	vpor	W, W_TMP1, W_TMP1
 	vpslld	$2, W_TMP2, W
 	vpsrld	$30, W_TMP2, W_TMP2
   .elseif ((i & 3) == 3)
 	vpxor	W, W_TMP1, W_TMP1
 	vpxor	W_TMP2, W_TMP1, W
 	vpaddd	K_XMM(K_BASE), W, W_TMP1
 	vmovdqu	W_TMP1, WK(i&~3)
 	W_PRECALC_ROTATE
   .endif
 .endm

 .macro W_PRECALC_32_79_AVX
   .if ((i & 3) == 0)
 	vpalignr $8, W_minus_08, W_minus_04, W_TMP1
 	vpxor	W_minus_28, W, W		# W is W_minus_32 before xor
   .elseif ((i & 3) == 1)
 	vpxor	W_minus_16, W_TMP1, W_TMP1
 	vpxor	W_TMP1, W, W
   .elseif ((i & 3) == 2)
 	vpslld	$2, W, W_TMP1
 	vpsrld	$30, W, W
 	vpor	W, W_TMP1, W
   .elseif ((i & 3) == 3)
 	vpaddd	K_XMM(K_BASE), W, W_TMP1
 	vmovdqu	W_TMP1, WK(i&~3)
 	W_PRECALC_ROTATE
   .endif
 .endm

 .endm    // W_PRECALC_AVX

 W_PRECALC_AVX
 .purgem xmm_mov
 .macro xmm_mov a, b
 	vmovdqu	\a,\b
 .endm


 /* AVX optimized implementation:
  *  extern "C" void sha1_transform_avx(struct sha1_state *state,
  *				       const u8 *data, int blocks);
  */
 SHA1_VECTOR_ASM     sha1_transform_avx
	/* SPDX-License-Identifier: GPL-2.0-or-later */
	/*
	* This is a SIMD SHA-1 implementation. It requires the Intel(R) Supplemental
	* SSE3 instruction set extensions introduced in Intel Core Microarchitecture
	* processors. CPUs supporting Intel(R) AVX extensions will get an additional
	* boost.
	*
	* This work was inspired by the vectorized implementation of Dean Gaudet.
	* Additional information on it can be found at:
	* http://www.arctic.org/~dean/crypto/sha1.html
	*
	* It was improved upon with more efficient vectorization of the message
	* scheduling. This implementation has also been optimized for all current and
	* several future generations of Intel CPUs.
	*
	* See this article for more information about the implementation details:
	* http://software.intel.com/en-us/articles/improving-the-performance-of-the-secure-hash-algorithm-1/
	*
	* Copyright (C) 2010, Intel Corp.
	* Authors: Maxim Locktyukhin <maxim.locktyukhin@intel.com>
	* Ronen Zohar <ronen.zohar@intel.com>
	*
	* Converted to AT&T syntax and adapted for inclusion in the Linux kernel:
	* Author: Mathias Krause <minipli@googlemail.com>
	*/

	#include <linux/linkage.h>
	#include <linux/cfi_types.h>

	#define CTX %rdi // arg1
	#define BUF %rsi // arg2
	#define CNT %rdx // arg3

	#define REG_A %ecx
	#define REG_B %esi
	#define REG_C %edi
	#define REG_D %r12d
	#define REG_E %edx

	#define REG_T1 %eax
	#define REG_T2 %ebx

	#define K_BASE %r8
	#define HASH_PTR %r9
	#define BUFFER_PTR %r10
	#define BUFFER_END %r11

	#define W_TMP1 %xmm0
	#define W_TMP2 %xmm9

	#define W0 %xmm1
	#define W4 %xmm2
	#define W8 %xmm3
	#define W12 %xmm4
	#define W16 %xmm5
	#define W20 %xmm6
	#define W24 %xmm7
	#define W28 %xmm8

	#define XMM_SHUFB_BSWAP %xmm10

	/* we keep window of 64 w[i]+K pre-calculated values in a circular buffer */
	#define WK(t) (((t) & 15) * 4)(%rsp)
	#define W_PRECALC_AHEAD 16

	/*
	* This macro implements the SHA-1 function's body for single 64-byte block
	* param: function's name
	*/
	.macro SHA1_VECTOR_ASM name
	SYM_TYPED_FUNC_START(\name)

	push %rbx
	push %r12
	push %rbp
	mov %rsp, %rbp

	sub $64, %rsp # allocate workspace
	and $~15, %rsp # align stack

	mov CTX, HASH_PTR
	mov BUF, BUFFER_PTR

	shl $6, CNT # multiply by 64
	add BUF, CNT
	mov CNT, BUFFER_END

	lea K_XMM_AR(%rip), K_BASE
	xmm_mov BSWAP_SHUFB_CTL(%rip), XMM_SHUFB_BSWAP

	SHA1_PIPELINED_MAIN_BODY

	# cleanup workspace
	mov $8, %ecx
	mov %rsp, %rdi
	xor %eax, %eax
	rep stosq

	mov %rbp, %rsp # deallocate workspace
	pop %rbp
	pop %r12
	pop %rbx
	RET

	SYM_FUNC_END(\name)
	.endm

	/*
	* This macro implements 80 rounds of SHA-1 for one 64-byte block
	*/
	.macro SHA1_PIPELINED_MAIN_BODY
	INIT_REGALLOC

	mov (HASH_PTR), A
	mov 4(HASH_PTR), B
	mov 8(HASH_PTR), C
	mov 12(HASH_PTR), D
	mov 16(HASH_PTR), E

	.set i, 0
	.rept W_PRECALC_AHEAD
	W_PRECALC i
	.set i, (i+1)
	.endr

	.align 4
	1:
	RR F1,A,B,C,D,E,0
	RR F1,D,E,A,B,C,2
	RR F1,B,C,D,E,A,4
	RR F1,E,A,B,C,D,6
	RR F1,C,D,E,A,B,8

	RR F1,A,B,C,D,E,10
	RR F1,D,E,A,B,C,12
	RR F1,B,C,D,E,A,14
	RR F1,E,A,B,C,D,16
	RR F1,C,D,E,A,B,18

	RR F2,A,B,C,D,E,20
	RR F2,D,E,A,B,C,22
	RR F2,B,C,D,E,A,24
	RR F2,E,A,B,C,D,26
	RR F2,C,D,E,A,B,28

	RR F2,A,B,C,D,E,30
	RR F2,D,E,A,B,C,32
	RR F2,B,C,D,E,A,34
	RR F2,E,A,B,C,D,36
	RR F2,C,D,E,A,B,38

	RR F3,A,B,C,D,E,40
	RR F3,D,E,A,B,C,42
	RR F3,B,C,D,E,A,44
	RR F3,E,A,B,C,D,46
	RR F3,C,D,E,A,B,48

	RR F3,A,B,C,D,E,50
	RR F3,D,E,A,B,C,52
	RR F3,B,C,D,E,A,54
	RR F3,E,A,B,C,D,56
	RR F3,C,D,E,A,B,58

	add $64, BUFFER_PTR # move to the next 64-byte block
	cmp BUFFER_END, BUFFER_PTR # if the current is the last one use
	cmovae K_BASE, BUFFER_PTR # dummy source to avoid buffer overrun

	RR F4,A,B,C,D,E,60
	RR F4,D,E,A,B,C,62
	RR F4,B,C,D,E,A,64
	RR F4,E,A,B,C,D,66
	RR F4,C,D,E,A,B,68

	RR F4,A,B,C,D,E,70
	RR F4,D,E,A,B,C,72
	RR F4,B,C,D,E,A,74
	RR F4,E,A,B,C,D,76
	RR F4,C,D,E,A,B,78

	UPDATE_HASH (HASH_PTR), A
	UPDATE_HASH 4(HASH_PTR), B
	UPDATE_HASH 8(HASH_PTR), C
	UPDATE_HASH 12(HASH_PTR), D
	UPDATE_HASH 16(HASH_PTR), E

	RESTORE_RENAMED_REGS
	cmp K_BASE, BUFFER_PTR # K_BASE means, we reached the end
	jne 1b
	.endm

	.macro INIT_REGALLOC
	.set A, REG_A
	.set B, REG_B
	.set C, REG_C
	.set D, REG_D
	.set E, REG_E
	.set T1, REG_T1
	.set T2, REG_T2
	.endm

	.macro RESTORE_RENAMED_REGS
	# order is important (REG_C is where it should be)
	mov B, REG_B
	mov D, REG_D
	mov A, REG_A
	mov E, REG_E
	.endm

	.macro SWAP_REG_NAMES a, b
	.set _T, \a
	.set \a, \b
	.set \b, _T
	.endm

	.macro F1 b, c, d
	mov \c, T1
	SWAP_REG_NAMES \c, T1
	xor \d, T1
	and \b, T1
	xor \d, T1
	.endm

	.macro F2 b, c, d
	mov \d, T1
	SWAP_REG_NAMES \d, T1
	xor \c, T1
	xor \b, T1
	.endm

	.macro F3 b, c ,d
	mov \c, T1
	SWAP_REG_NAMES \c, T1
	mov \b, T2
	or \b, T1
	and \c, T2
	and \d, T1
	or T2, T1
	.endm

	.macro F4 b, c, d
	F2 \b, \c, \d
	.endm

	.macro UPDATE_HASH hash, val
	add \hash, \val
	mov \val, \hash
	.endm

	/*
	* RR does two rounds of SHA-1 back to back with W[] pre-calc
	* t1 = F(b, c, d); e += w(i)
	* e += t1; b <<= 30; d += w(i+1);
	* t1 = F(a, b, c);
	* d += t1; a <<= 5;
	* e += a;
	* t1 = e; a >>= 7;
	* t1 <<= 5;
	* d += t1;
	*/
	.macro RR F, a, b, c, d, e, round
	add WK(\round), \e
	\F \b, \c, \d # t1 = F(b, c, d);
	W_PRECALC (\round + W_PRECALC_AHEAD)
	rol $30, \b
	add T1, \e
	add WK(\round + 1), \d

	\F \a, \b, \c
	W_PRECALC (\round + W_PRECALC_AHEAD + 1)
	rol $5, \a
	add \a, \e
	add T1, \d
	ror $7, \a # (a <<r 5) >>r 7) => a <<r 30)

	mov \e, T1
	SWAP_REG_NAMES \e, T1

	rol $5, T1
	add T1, \d

	# write: \a, \b
	# rotate: \a<=\d, \b<=\e, \c<=\a, \d<=\b, \e<=\c
	.endm

	.macro W_PRECALC r
	.set i, \r

	.if (i < 20)
	.set K_XMM, 0
	.elseif (i < 40)
	.set K_XMM, 16
	.elseif (i < 60)
	.set K_XMM, 32
	.elseif (i < 80)
	.set K_XMM, 48
	.endif

	.if ((i < 16) \|\| ((i >= 80) && (i < (80 + W_PRECALC_AHEAD))))
	.set i, ((\r) % 80) # pre-compute for the next iteration
	.if (i == 0)
	W_PRECALC_RESET
	.endif
	W_PRECALC_00_15
	.elseif (i<32)
	W_PRECALC_16_31
	.elseif (i < 80) // rounds 32-79
	W_PRECALC_32_79
	.endif
	.endm

	.macro W_PRECALC_RESET
	.set W, W0
	.set W_minus_04, W4
	.set W_minus_08, W8
	.set W_minus_12, W12
	.set W_minus_16, W16
	.set W_minus_20, W20
	.set W_minus_24, W24
	.set W_minus_28, W28
	.set W_minus_32, W
	.endm

	.macro W_PRECALC_ROTATE
	.set W_minus_32, W_minus_28
	.set W_minus_28, W_minus_24
	.set W_minus_24, W_minus_20
	.set W_minus_20, W_minus_16
	.set W_minus_16, W_minus_12
	.set W_minus_12, W_minus_08
	.set W_minus_08, W_minus_04
	.set W_minus_04, W
	.set W, W_minus_32
	.endm

	.macro W_PRECALC_SSSE3

	.macro W_PRECALC_00_15
	W_PRECALC_00_15_SSSE3
	.endm
	.macro W_PRECALC_16_31
	W_PRECALC_16_31_SSSE3
	.endm
	.macro W_PRECALC_32_79
	W_PRECALC_32_79_SSSE3
	.endm

	/* message scheduling pre-compute for rounds 0-15 */
	.macro W_PRECALC_00_15_SSSE3
	.if ((i & 3) == 0)
	movdqu (i*4)(BUFFER_PTR), W_TMP1
	.elseif ((i & 3) == 1)
	pshufb XMM_SHUFB_BSWAP, W_TMP1
	movdqa W_TMP1, W
	.elseif ((i & 3) == 2)
	paddd (K_BASE), W_TMP1
	.elseif ((i & 3) == 3)
	movdqa W_TMP1, WK(i&~3)
	W_PRECALC_ROTATE
	.endif
	.endm

	/* message scheduling pre-compute for rounds 16-31
	*
	* - calculating last 32 w[i] values in 8 XMM registers
	* - pre-calculate K+w[i] values and store to mem, for later load by ALU add
	* instruction
	*
	* some "heavy-lifting" vectorization for rounds 16-31 due to w[i]->w[i-3]
	* dependency, but improves for 32-79
	*/
	.macro W_PRECALC_16_31_SSSE3
	# blended scheduling of vector and scalar instruction streams, one 4-wide
	# vector iteration / 4 scalar rounds
	.if ((i & 3) == 0)
	movdqa W_minus_12, W
	palignr $8, W_minus_16, W # w[i-14]
	movdqa W_minus_04, W_TMP1
	psrldq $4, W_TMP1 # w[i-3]
	pxor W_minus_08, W
	.elseif ((i & 3) == 1)
	pxor W_minus_16, W_TMP1
	pxor W_TMP1, W
	movdqa W, W_TMP2
	movdqa W, W_TMP1
	pslldq $12, W_TMP2
	.elseif ((i & 3) == 2)
	psrld $31, W
	pslld $1, W_TMP1
	por W, W_TMP1
	movdqa W_TMP2, W
	psrld $30, W_TMP2
	pslld $2, W
	.elseif ((i & 3) == 3)
	pxor W, W_TMP1
	pxor W_TMP2, W_TMP1
	movdqa W_TMP1, W
	paddd K_XMM(K_BASE), W_TMP1
	movdqa W_TMP1, WK(i&~3)
	W_PRECALC_ROTATE
	.endif
	.endm

	/* message scheduling pre-compute for rounds 32-79
	*
	* in SHA-1 specification: w[i] = (w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16]) rol 1
	* instead we do equal: w[i] = (w[i-6] ^ w[i-16] ^ w[i-28] ^ w[i-32]) rol 2
	* allows more efficient vectorization since w[i]=>w[i-3] dependency is broken
	*/
	.macro W_PRECALC_32_79_SSSE3
	.if ((i & 3) == 0)
	movdqa W_minus_04, W_TMP1
	pxor W_minus_28, W # W is W_minus_32 before xor
	palignr $8, W_minus_08, W_TMP1
	.elseif ((i & 3) == 1)
	pxor W_minus_16, W
	pxor W_TMP1, W
	movdqa W, W_TMP1
	.elseif ((i & 3) == 2)
	psrld $30, W
	pslld $2, W_TMP1
	por W, W_TMP1
	.elseif ((i & 3) == 3)
	movdqa W_TMP1, W
	paddd K_XMM(K_BASE), W_TMP1
	movdqa W_TMP1, WK(i&~3)
	W_PRECALC_ROTATE
	.endif
	.endm

	.endm // W_PRECALC_SSSE3


	#define K1 0x5a827999
	#define K2 0x6ed9eba1
	#define K3 0x8f1bbcdc
	#define K4 0xca62c1d6

	.section .rodata
	.align 16

	K_XMM_AR:
	.long K1, K1, K1, K1
	.long K2, K2, K2, K2
	.long K3, K3, K3, K3
	.long K4, K4, K4, K4

	BSWAP_SHUFB_CTL:
	.long 0x00010203
	.long 0x04050607
	.long 0x08090a0b
	.long 0x0c0d0e0f


	.section .text

	W_PRECALC_SSSE3
	.macro xmm_mov a, b
	movdqu \a,\b
	.endm

	/*
	* SSSE3 optimized implementation:
	*
	* extern "C" void sha1_transform_ssse3(struct sha1_state *state,
	* const u8 *data, int blocks);
	*
	* Note that struct sha1_state is assumed to begin with u32 state[5].
	*/
	SHA1_VECTOR_ASM sha1_transform_ssse3

	.macro W_PRECALC_AVX

	.purgem W_PRECALC_00_15
	.macro W_PRECALC_00_15
	W_PRECALC_00_15_AVX
	.endm
	.purgem W_PRECALC_16_31
	.macro W_PRECALC_16_31
	W_PRECALC_16_31_AVX
	.endm
	.purgem W_PRECALC_32_79
	.macro W_PRECALC_32_79
	W_PRECALC_32_79_AVX
	.endm

	.macro W_PRECALC_00_15_AVX
	.if ((i & 3) == 0)
	vmovdqu (i*4)(BUFFER_PTR), W_TMP1
	.elseif ((i & 3) == 1)
	vpshufb XMM_SHUFB_BSWAP, W_TMP1, W
	.elseif ((i & 3) == 2)
	vpaddd (K_BASE), W, W_TMP1
	.elseif ((i & 3) == 3)
	vmovdqa W_TMP1, WK(i&~3)
	W_PRECALC_ROTATE
	.endif
	.endm

	.macro W_PRECALC_16_31_AVX
	.if ((i & 3) == 0)
	vpalignr $8, W_minus_16, W_minus_12, W # w[i-14]
	vpsrldq $4, W_minus_04, W_TMP1 # w[i-3]
	vpxor W_minus_08, W, W
	vpxor W_minus_16, W_TMP1, W_TMP1
	.elseif ((i & 3) == 1)
	vpxor W_TMP1, W, W
	vpslldq $12, W, W_TMP2
	vpslld $1, W, W_TMP1
	.elseif ((i & 3) == 2)
	vpsrld $31, W, W
	vpor W, W_TMP1, W_TMP1
	vpslld $2, W_TMP2, W
	vpsrld $30, W_TMP2, W_TMP2
	.elseif ((i & 3) == 3)
	vpxor W, W_TMP1, W_TMP1
	vpxor W_TMP2, W_TMP1, W
	vpaddd K_XMM(K_BASE), W, W_TMP1
	vmovdqu W_TMP1, WK(i&~3)
	W_PRECALC_ROTATE
	.endif
	.endm

	.macro W_PRECALC_32_79_AVX
	.if ((i & 3) == 0)
	vpalignr $8, W_minus_08, W_minus_04, W_TMP1
	vpxor W_minus_28, W, W # W is W_minus_32 before xor
	.elseif ((i & 3) == 1)
	vpxor W_minus_16, W_TMP1, W_TMP1
	vpxor W_TMP1, W, W
	.elseif ((i & 3) == 2)
	vpslld $2, W, W_TMP1
	vpsrld $30, W, W
	vpor W, W_TMP1, W
	.elseif ((i & 3) == 3)
	vpaddd K_XMM(K_BASE), W, W_TMP1
	vmovdqu W_TMP1, WK(i&~3)
	W_PRECALC_ROTATE
	.endif
	.endm

	.endm // W_PRECALC_AVX

	W_PRECALC_AVX
	.purgem xmm_mov
	.macro xmm_mov a, b
	vmovdqu \a,\b
	.endm


	/* AVX optimized implementation:
	* extern "C" void sha1_transform_avx(struct sha1_state *state,
	* const u8 *data, int blocks);
	*/
	SHA1_VECTOR_ASM sha1_transform_avx