1666 // z/Architecture provides instructions for full cipher/decipher complexity.
1667 // Therefore, we need the original, not the expanded key here.
1668 // Luckily, the first n bits of an AES-<n> expanded key are formed
1669 // by the original key itself. That takes us out of trouble. :-)
1670 // The key length (in bytes) relation is as follows:
1671 // original expanded rounds key bit keylen
1672 // key bytes key bytes length in words
1673 // 16 176 11 128 44
1674 // 24 208 13 192 52
1675 // 32 240 15 256 60
1676 //
1677 // The crypto instructions used in the AES* stubs have some specific register requirements.
1678 // Z_R0 holds the crypto function code. Please refer to the KM/KMC instruction
1679 // description in the "z/Architecture Principles of Operation" manual for details.
1680 // Z_R1 holds the parameter block address. The parameter block contains the cryptographic key
1681 // (KM instruction) and the chaining value (KMC instruction).
1682 // dst must designate an even-numbered register, holding the address of the output message.
1683 // src must designate an even/odd register pair, holding the address/length of the original message
1684
1685 // Helper function which generates code to
1686 // - load the function code in register fCode (== Z_R0)
1687 // - load the data block length (depends on cipher function) into register srclen if requested.
1688 // - is_decipher switches between cipher/decipher function codes
1689 // - set_len requests (if true) loading the data block length in register srclen
1690 void generate_load_AES_fCode(Register keylen, Register fCode, Register srclen, bool is_decipher) {
1691
1692 BLOCK_COMMENT("Set fCode {"); {
1693 Label fCode_set;
1694 int mode = is_decipher ? VM_Version::CipherMode::decipher : VM_Version::CipherMode::cipher;
1695 bool identical_dataBlk_len = (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES192_dataBlk)
1696 && (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES256_dataBlk);
1697 // Expanded key length is 44/52/60 * 4 bytes for AES-128/AES-192/AES-256.
1698 __ z_cghi(keylen, 52);
1699
1700 __ z_lghi(fCode, VM_Version::Cipher::_AES256 + mode);
1701 if (!identical_dataBlk_len) {
1702 __ z_lghi(srclen, VM_Version::Cipher::_AES256_dataBlk);
1703 }
1704 __ z_brh(fCode_set); // keyLen > 52: AES256
1705
1706 __ z_lghi(fCode, VM_Version::Cipher::_AES192 + mode);
1707 if (!identical_dataBlk_len) {
1708 __ z_lghi(srclen, VM_Version::Cipher::_AES192_dataBlk);
1709 }
1710 __ z_bre(fCode_set); // keyLen == 52: AES192
1711
1712 __ z_lghi(fCode, VM_Version::Cipher::_AES128 + mode);
1713 if (!identical_dataBlk_len) {
1714 __ z_lghi(srclen, VM_Version::Cipher::_AES128_dataBlk);
1715 }
1716 // __ z_brl(fCode_set); // keyLen < 52: AES128 // fallthru
1717
1718 __ bind(fCode_set);
1719 if (identical_dataBlk_len) {
1720 __ z_lghi(srclen, VM_Version::Cipher::_AES128_dataBlk);
1721 }
1722 }
1723 BLOCK_COMMENT("} Set fCode");
1724 }
1725
1726 // Push a parameter block for the cipher/decipher instruction on the stack.
1727 // NOTE:
1728 // Before returning, the stub has to copy the chaining value from
1729 // the parmBlk, where it was updated by the crypto instruction, back
1730 // to the chaining value array the address of which was passed in the cv argument.
1731 // As all the available registers are used and modified by KMC, we need to save
1732 // the key length across the KMC instruction. We do so by spilling it to the stack,
1733 // just preceding the parmBlk (at (parmBlk - 8)).
1734 void generate_push_parmBlk(Register keylen, Register fCode, Register parmBlk, Register key, Register cv, bool is_decipher) {
1735 const int AES_parmBlk_align = 32;
1736 const int AES_parmBlk_addspace = AES_parmBlk_align; // Must be multiple of AES_parmblk_align.
1737 int cv_len, key_len;
1738 int mode = is_decipher ? VM_Version::CipherMode::decipher : VM_Version::CipherMode::cipher;
1739 Label parmBlk_128, parmBlk_192, parmBlk_256, parmBlk_set;
1740
1741 BLOCK_COMMENT("push parmBlk {");
1742 if (VM_Version::has_Crypto_AES() ) { __ z_cghi(keylen, 52); }
1743 if (VM_Version::has_Crypto_AES256()) { __ z_brh(parmBlk_256); } // keyLen > 52: AES256
1744 if (VM_Version::has_Crypto_AES192()) { __ z_bre(parmBlk_192); } // keyLen == 52: AES192
1745 if (VM_Version::has_Crypto_AES128()) { __ z_brl(parmBlk_128); } // keyLen < 52: AES128
1746
1747 // Security net: requested AES function not available on this CPU.
1748 // NOTE:
1749 // As of now (March 2015), this safety net is not required. JCE policy files limit the
1750 // cryptographic strength of the keys used to 128 bit. If we have AES hardware support
1751 // at all, we have at least AES-128.
1752 __ stop_static("AES key strength not supported by CPU. Use -XX:-UseAES as remedy.", 0);
1753
1754 if (VM_Version::has_Crypto_AES128()) {
1755 __ bind(parmBlk_128);
1756 cv_len = VM_Version::Cipher::_AES128_dataBlk;
1757 key_len = VM_Version::Cipher::_AES128_parmBlk_C - cv_len;
1758 __ z_lay(parmBlk, -(VM_Version::Cipher::_AES128_parmBlk_C+AES_parmBlk_align)+(AES_parmBlk_align-1), Z_SP);
1759 __ z_nill(parmBlk, (~(AES_parmBlk_align-1)) & 0xffff); // align parameter block
1760
1761 // Resize the frame to accommodate for the aligned parameter block and other stuff.
1762 // There is room for stuff in the range [parmBlk-AES_parmBlk_addspace, parmBlk).
1763 __ z_stg(keylen, -8, parmBlk); // Spill keylen for later use.
1764 __ z_stg(Z_SP, -16, parmBlk); // Spill SP for easy revert.
1765 __ z_aghi(parmBlk, -AES_parmBlk_addspace); // Additional space for keylen, etc..
1766 __ resize_frame_absolute(parmBlk, keylen, true); // Resize frame with parmBlk being the new SP.
1767 __ z_aghi(parmBlk, AES_parmBlk_addspace); // Restore parameter block address.
1768
1769 __ z_mvc(0, cv_len-1, parmBlk, 0, cv); // Copy cv.
1770 __ z_mvc(cv_len, key_len-1, parmBlk, 0, key); // Copy key.
1771 __ z_lghi(fCode, VM_Version::Cipher::_AES128 + mode);
1772 if (VM_Version::has_Crypto_AES192() || VM_Version::has_Crypto_AES256()) {
1773 __ z_bru(parmBlk_set); // Fallthru otherwise.
1774 }
1775 }
1776
1777 if (VM_Version::has_Crypto_AES192()) {
1778 __ bind(parmBlk_192);
1779 cv_len = VM_Version::Cipher::_AES192_dataBlk;
1780 key_len = VM_Version::Cipher::_AES192_parmBlk_C - cv_len;
1781 __ z_lay(parmBlk, -(VM_Version::Cipher::_AES192_parmBlk_C+AES_parmBlk_align)+(AES_parmBlk_align-1), Z_SP);
1782 __ z_nill(parmBlk, (~(AES_parmBlk_align-1)) & 0xffff); // Align parameter block.
1783
1784 // Resize the frame to accommodate for the aligned parameter block and other stuff.
1785 // There is room for stuff in the range [parmBlk-AES_parmBlk_addspace, parmBlk).
1786 __ z_stg(keylen, -8, parmBlk); // Spill keylen for later use.
1787 __ z_stg(Z_SP, -16, parmBlk); // Spill SP for easy revert.
1788 __ z_aghi(parmBlk, -AES_parmBlk_addspace); // Additional space for keylen, etc..
1789 __ resize_frame_absolute(parmBlk, keylen, true); // Resize frame with parmBlk being the new SP.
1790 __ z_aghi(parmBlk, AES_parmBlk_addspace); // Restore parameter block address.
1791
1792 __ z_mvc(0, cv_len-1, parmBlk, 0, cv); // Copy cv.
1793 __ z_mvc(cv_len, key_len-1, parmBlk, 0, key); // Copy key.
1794 __ z_lghi(fCode, VM_Version::Cipher::_AES192 + mode);
1795 if (VM_Version::has_Crypto_AES256()) {
1796 __ z_bru(parmBlk_set); // Fallthru otherwise.
1797 }
1798 }
1799
1800 if (VM_Version::has_Crypto_AES256()) {
1801 __ bind(parmBlk_256);
1802 cv_len = VM_Version::Cipher::_AES256_dataBlk;
1803 key_len = VM_Version::Cipher::_AES256_parmBlk_C - cv_len;
1804 __ z_lay(parmBlk, -(VM_Version::Cipher::_AES256_parmBlk_C+AES_parmBlk_align)+(AES_parmBlk_align-1), Z_SP);
1805 __ z_nill(parmBlk, (~(AES_parmBlk_align-1)) & 0xffff); // Align parameter block.
1806
1807 // Resize the frame to accommodate for the aligned parameter block and other stuff.
1808 // There is room for stuff in the range [parmBlk-AES_parmBlk_addspace, parmBlk).
1809 __ z_stg(keylen, -8, parmBlk); // Spill keylen for later use.
1810 __ z_stg(Z_SP, -16, parmBlk); // Spill SP for easy revert.
1811 __ z_aghi(parmBlk, -AES_parmBlk_addspace); // Additional space for keylen, etc..
1812 __ resize_frame_absolute(parmBlk, keylen, true); // Resize frame with parmBlk being the new SP.
1813 __ z_aghi(parmBlk, AES_parmBlk_addspace); // Restore parameter block address.
1814
1815 __ z_mvc(0, cv_len-1, parmBlk, 0, cv); // Copy cv.
1816 __ z_mvc(cv_len, key_len-1, parmBlk, 0, key); // Copy key.
1817 __ z_lghi(fCode, VM_Version::Cipher::_AES256 + mode);
1818 // __ z_bru(parmBlk_set); // fallthru
1819 }
1820
1821 __ bind(parmBlk_set);
1822 BLOCK_COMMENT("} push parmBlk");
1823 }
1824
1825 // Pop a parameter block from the stack. The chaining value portion of the parameter block
1826 // is copied back to the cv array as it is needed for subsequent cipher steps.
1827 // The keylen value as well as the original SP (before resizing) was pushed to the stack
1828 // when pushing the parameter block.
1829 void generate_pop_parmBlk(Register keylen, Register parmBlk, Register key, Register cv) {
1830
1831 BLOCK_COMMENT("pop parmBlk {");
1832 bool identical_dataBlk_len = (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES192_dataBlk) &&
1833 (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES256_dataBlk);
1834 if (identical_dataBlk_len) {
1835 int cv_len = VM_Version::Cipher::_AES128_dataBlk;
1836 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv.
1837 } else {
1838 int cv_len;
1854 }
1855 }
1856
1857 if (VM_Version::has_Crypto_AES192()) {
1858 __ bind(parmBlk_192);
1859 cv_len = VM_Version::Cipher::_AES192_dataBlk;
1860 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv.
1861 if (VM_Version::has_Crypto_AES256()) {
1862 __ z_bru(parmBlk_set);
1863 }
1864 }
1865
1866 if (VM_Version::has_Crypto_AES256()) {
1867 __ bind(parmBlk_256);
1868 cv_len = VM_Version::Cipher::_AES256_dataBlk;
1869 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv.
1870 // __ z_bru(parmBlk_set); // fallthru
1871 }
1872 __ bind(parmBlk_set);
1873 }
1874 __ z_lg(Z_SP, -16, parmBlk); // Revert resize_frame_absolute.
1875 BLOCK_COMMENT("} pop parmBlk");
1876 }
1877
1878 // Compute AES encrypt function.
1879 address generate_AES_encryptBlock(const char* name) {
1880 __ align(CodeEntryAlignment);
1881 StubCodeMark mark(this, "StubRoutines", name);
1882 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value).
1883
1884 Register from = Z_ARG1; // source byte array
1885 Register to = Z_ARG2; // destination byte array
1886 Register key = Z_ARG3; // expanded key array
1887
1888 const Register keylen = Z_R0; // Temporarily (until fCode is set) holds the expanded key array length.
1889 const Register fCode = Z_R0; // crypto function code
1890 const Register parmBlk = Z_R1; // parameter block address (points to crypto key)
1891 const Register src = Z_ARG1; // is Z_R2
1892 const Register srclen = Z_ARG2; // Overwrites destination address.
1893 const Register dst = Z_ARG3; // Overwrites expanded key address.
1894
1895 // Read key len of expanded key (in 4-byte words).
1896 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT)));
1897
1898 // Copy arguments to registers as required by crypto instruction.
1899 __ z_lgr(parmBlk, key); // crypto key (in T_INT array).
1900 // __ z_lgr(src, from); // Copy not needed, src/from are identical.
1901 __ z_lgr(dst, to); // Copy destination address to even register.
1902
1903 // Construct function code in Z_R0, data block length in Z_ARG2.
1904 generate_load_AES_fCode(keylen, fCode, srclen, false);
1905
1906 __ km(dst, src); // Cipher the message.
1907
1908 __ z_br(Z_R14);
1909
1910 return __ addr_at(start_off);
1911 }
1912
1913 // Compute AES decrypt function.
1914 address generate_AES_decryptBlock(const char* name) {
1915 __ align(CodeEntryAlignment);
1916 StubCodeMark mark(this, "StubRoutines", name);
1917 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value).
1918
1919 Register from = Z_ARG1; // source byte array
1920 Register to = Z_ARG2; // destination byte array
1921 Register key = Z_ARG3; // expanded key array, not preset at entry!!!
1922
1923 const Register keylen = Z_R0; // Temporarily (until fCode is set) holds the expanded key array length.
1924 const Register fCode = Z_R0; // crypto function code
1925 const Register parmBlk = Z_R1; // parameter block address (points to crypto key)
1926 const Register src = Z_ARG1; // is Z_R2
1927 const Register srclen = Z_ARG2; // Overwrites destination address.
1928 const Register dst = Z_ARG3; // Overwrites key address.
1929
1930 // Read key len of expanded key (in 4-byte words).
1931 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT)));
1932
1933 // Copy arguments to registers as required by crypto instruction.
1934 __ z_lgr(parmBlk, key); // Copy crypto key address.
1935 // __ z_lgr(src, from); // Copy not needed, src/from are identical.
1936 __ z_lgr(dst, to); // Copy destination address to even register.
1937
1938 // Construct function code in Z_R0, data block length in Z_ARG2.
1939 generate_load_AES_fCode(keylen, fCode, srclen, true);
1940
1941 __ km(dst, src); // Cipher the message.
1942
1943 __ z_br(Z_R14);
1944
1945 return __ addr_at(start_off);
1946 }
1947
1948 // These stubs receive the addresses of the cryptographic key and of the chaining value as two separate
1949 // arguments (registers "key" and "cv", respectively). The KMC instruction, on the other hand, requires
1950 // chaining value and key to be, in this sequence, adjacent in storage. Thus, we need to allocate some
1951 // thread-local working storage. Using heap memory incurs all the hassles of allocating/freeing.
1952 // Stack space, on the contrary, is deallocated automatically when we return from the stub to the caller.
1953 // *** WARNING ***
1954 // Please note that we do not formally allocate stack space, nor do we
1955 // update the stack pointer. Therefore, no function calls are allowed
1956 // and nobody else must use the stack range where the parameter block
1957 // is located.
1958 // We align the parameter block to the next available octoword.
1959 //
1960 // Compute chained AES encrypt function.
1961 address generate_cipherBlockChaining_AES_encrypt(const char* name) {
1962 __ align(CodeEntryAlignment);
1963 StubCodeMark mark(this, "StubRoutines", name);
1964 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value).
1965
1966 Register from = Z_ARG1; // source byte array (clear text)
1967 Register to = Z_ARG2; // destination byte array (ciphered)
1968 Register key = Z_ARG3; // expanded key array.
1969 Register cv = Z_ARG4; // chaining value
1970 const Register msglen = Z_ARG5; // Total length of the msg to be encrypted. Value must be returned
1971 // in Z_RET upon completion of this stub. Is 32-bit integer.
1972
1973 const Register keylen = Z_R0; // Expanded key length, as read from key array. Temp only.
1974 const Register fCode = Z_R0; // crypto function code
1975 const Register parmBlk = Z_R1; // parameter block address (points to crypto key)
1976 const Register src = Z_ARG1; // is Z_R2
1977 const Register srclen = Z_ARG2; // Overwrites destination address.
1978 const Register dst = Z_ARG3; // Overwrites key address.
1979
1980 // Read key len of expanded key (in 4-byte words).
1981 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT)));
1982
1983 // Construct parm block address in parmBlk (== Z_R1), copy cv and key to parm block.
1984 // Construct function code in Z_R0.
1985 generate_push_parmBlk(keylen, fCode, parmBlk, key, cv, false);
1986
1987 // Prepare other registers for instruction.
1988 // __ z_lgr(src, from); // Not needed, registers are the same.
1989 __ z_lgr(dst, to);
1990 __ z_llgfr(srclen, msglen); // We pass the offsets as ints, not as longs as required.
1991
1992 __ kmc(dst, src); // Cipher the message.
1993
1994 generate_pop_parmBlk(keylen, parmBlk, key, cv);
1995
1996 __ z_llgfr(Z_RET, msglen); // We pass the offsets as ints, not as longs as required.
1997 __ z_br(Z_R14);
1998
1999 return __ addr_at(start_off);
2000 }
2001
2002 // Compute chained AES encrypt function.
2003 address generate_cipherBlockChaining_AES_decrypt(const char* name) {
2004 __ align(CodeEntryAlignment);
2005 StubCodeMark mark(this, "StubRoutines", name);
2006 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value).
2007
2008 Register from = Z_ARG1; // source byte array (ciphered)
2009 Register to = Z_ARG2; // destination byte array (clear text)
2010 Register key = Z_ARG3; // expanded key array, not preset at entry!!!
2011 Register cv = Z_ARG4; // chaining value
2012 const Register msglen = Z_ARG5; // Total length of the msg to be encrypted. Value must be returned
2013 // in Z_RET upon completion of this stub.
2014
2015 const Register keylen = Z_R0; // Expanded key length, as read from key array. Temp only.
2016 const Register fCode = Z_R0; // crypto function code
2017 const Register parmBlk = Z_R1; // parameter block address (points to crypto key)
2018 const Register src = Z_ARG1; // is Z_R2
2019 const Register srclen = Z_ARG2; // Overwrites destination address.
2020 const Register dst = Z_ARG3; // Overwrites key address.
2021
2022 // Read key len of expanded key (in 4-byte words).
2023 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT)));
2024
2025 // Construct parm block address in parmBlk (== Z_R1), copy cv and key to parm block.
2026 // Construct function code in Z_R0.
2027 generate_push_parmBlk(keylen, fCode, parmBlk, key, cv, true);
2028
2029 // Prepare other registers for instruction.
2030 // __ z_lgr(src, from); // Not needed, registers are the same.
2031 __ z_lgr(dst, to);
2032 __ z_llgfr(srclen, msglen); // We pass the offsets as ints, not as longs as required.
2033
2034 __ kmc(dst, src); // Decipher the message.
2035
2036 generate_pop_parmBlk(keylen, parmBlk, key, cv);
2037
2038 __ z_llgfr(Z_RET, msglen); // We pass the offsets as ints, not as longs as required.
2039 __ z_br(Z_R14);
2040
2041 return __ addr_at(start_off);
2042 }
2043
2044
2045 // Call interface for all SHA* stubs.
2046 //
2047 // Z_ARG1 - source data block. Ptr to leftmost byte to be processed.
2048 // Z_ARG2 - current SHA state. Ptr to state area. This area serves as
2049 // parameter block as required by the crypto instruction.
2050 // Z_ARG3 - current byte offset in source data block.
2051 // Z_ARG4 - last byte offset in source data block.
2052 // (Z_ARG4 - Z_ARG3) gives the #bytes remaining to be processed.
2053 //
2054 // Z_RET - return value. First unprocessed byte offset in src buffer.
2055 //
2056 // A few notes on the call interface:
2057 // - All stubs, whether they are single-block or multi-block, are assumed to
2058 // digest an integer multiple of the data block length of data. All data
2059 // blocks are digested using the intermediate message digest (KIMD) instruction.
|
1666 // z/Architecture provides instructions for full cipher/decipher complexity.
1667 // Therefore, we need the original, not the expanded key here.
1668 // Luckily, the first n bits of an AES-<n> expanded key are formed
1669 // by the original key itself. That takes us out of trouble. :-)
1670 // The key length (in bytes) relation is as follows:
1671 // original expanded rounds key bit keylen
1672 // key bytes key bytes length in words
1673 // 16 176 11 128 44
1674 // 24 208 13 192 52
1675 // 32 240 15 256 60
1676 //
1677 // The crypto instructions used in the AES* stubs have some specific register requirements.
1678 // Z_R0 holds the crypto function code. Please refer to the KM/KMC instruction
1679 // description in the "z/Architecture Principles of Operation" manual for details.
1680 // Z_R1 holds the parameter block address. The parameter block contains the cryptographic key
1681 // (KM instruction) and the chaining value (KMC instruction).
1682 // dst must designate an even-numbered register, holding the address of the output message.
1683 // src must designate an even/odd register pair, holding the address/length of the original message
1684
1685 // Helper function which generates code to
1686 // - load the function code in register fCode (== Z_R0).
1687 // - load the data block length (depends on cipher function) into register srclen if requested.
1688 // - is_decipher switches between cipher/decipher function codes
1689 // - set_len requests (if true) loading the data block length in register srclen
1690 void generate_load_AES_fCode(Register keylen, Register fCode, Register srclen, bool is_decipher) {
1691
1692 BLOCK_COMMENT("Set fCode {"); {
1693 Label fCode_set;
1694 int mode = is_decipher ? VM_Version::CipherMode::decipher : VM_Version::CipherMode::cipher;
1695 bool identical_dataBlk_len = (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES192_dataBlk)
1696 && (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES256_dataBlk);
1697 // Expanded key length is 44/52/60 * 4 bytes for AES-128/AES-192/AES-256.
1698 __ z_cghi(keylen, 52); // Check only once at the beginning. keylen and fCode may share the same register.
1699
1700 __ z_lghi(fCode, VM_Version::Cipher::_AES128 + mode);
1701 if (!identical_dataBlk_len) {
1702 __ z_lghi(srclen, VM_Version::Cipher::_AES128_dataBlk);
1703 }
1704 __ z_brl(fCode_set); // keyLen < 52: AES128
1705
1706 __ z_lghi(fCode, VM_Version::Cipher::_AES192 + mode);
1707 if (!identical_dataBlk_len) {
1708 __ z_lghi(srclen, VM_Version::Cipher::_AES192_dataBlk);
1709 }
1710 __ z_bre(fCode_set); // keyLen == 52: AES192
1711
1712 __ z_lghi(fCode, VM_Version::Cipher::_AES256 + mode);
1713 if (!identical_dataBlk_len) {
1714 __ z_lghi(srclen, VM_Version::Cipher::_AES256_dataBlk);
1715 }
1716 // __ z_brh(fCode_set); // keyLen < 52: AES128 // fallthru
1717
1718 __ bind(fCode_set);
1719 if (identical_dataBlk_len) {
1720 __ z_lghi(srclen, VM_Version::Cipher::_AES128_dataBlk);
1721 }
1722 }
1723 BLOCK_COMMENT("} Set fCode");
1724 }
1725
1726 // Push a parameter block for the cipher/decipher instruction on the stack.
1727 // Layout of the additional stack space allocated for AES_cipherBlockChaining:
1728 //
1729 // | |
1730 // +--------+ <-- SP before expansion
1731 // | |
1732 // : : alignment loss, 0..(AES_parmBlk_align-8) bytes
1733 // | |
1734 // +--------+
1735 // | |
1736 // : : space for parameter block, size VM_Version::Cipher::_AES*_parmBlk_C
1737 // | |
1738 // +--------+ <-- parmBlk, octoword-aligned, start of parameter block
1739 // | |
1740 // : : additional stack space for spills etc., size AES_parmBlk_addspace, DW @ Z_SP not usable!!!
1741 // | |
1742 // +--------+ <-- Z_SP after expansion
1743
1744 void generate_push_Block(int dataBlk_len, int parmBlk_len, int crypto_fCode,
1745 Register parmBlk, Register keylen, Register fCode, Register cv, Register key) {
1746 const int AES_parmBlk_align = 32; // octoword alignment.
1747 const int AES_parmBlk_addspace = 24; // Must be sufficiently large to hold all spilled registers
1748 // (currently 2) PLUS 1 DW for the frame pointer.
1749
1750 const int cv_len = dataBlk_len;
1751 const int key_len = parmBlk_len - cv_len;
1752 // This len must be known at JIT compile time. Only then are we able to recalc the SP before resize.
1753 // We buy this knowledge by wasting some (up to AES_parmBlk_align) bytes of stack space.
1754 const int resize_len = cv_len + key_len + AES_parmBlk_align + AES_parmBlk_addspace;
1755
1756 // Use parmBlk as temp reg here to hold the frame pointer.
1757 __ resize_frame(-resize_len, parmBlk, true);
1758
1759 // calculate parmBlk address from updated (resized) SP.
1760 __ add2reg(parmBlk, resize_len - (cv_len + key_len), Z_SP);
1761 __ z_nill(parmBlk, (~(AES_parmBlk_align-1)) & 0xffff); // Align parameter block.
1762
1763 // There is room for stuff in the range [parmBlk-AES_parmBlk_addspace+8, parmBlk).
1764 __ z_stg(keylen, -8, parmBlk); // Spill keylen for later use.
1765
1766 // calculate (SP before resize) from updated SP.
1767 __ add2reg(keylen, resize_len, Z_SP); // keylen holds prev SP for now.
1768 __ z_stg(keylen, -16, parmBlk); // Spill prev SP for easy revert.
1769
1770 __ z_mvc(0, cv_len-1, parmBlk, 0, cv); // Copy cv.
1771 __ z_mvc(cv_len, key_len-1, parmBlk, 0, key); // Copy key.
1772 __ z_lghi(fCode, crypto_fCode);
1773 }
1774
1775 // NOTE:
1776 // Before returning, the stub has to copy the chaining value from
1777 // the parmBlk, where it was updated by the crypto instruction, back
1778 // to the chaining value array the address of which was passed in the cv argument.
1779 // As all the available registers are used and modified by KMC, we need to save
1780 // the key length across the KMC instruction. We do so by spilling it to the stack,
1781 // just preceding the parmBlk (at (parmBlk - 8)).
1782 void generate_push_parmBlk(Register keylen, Register fCode, Register parmBlk, Register key, Register cv, bool is_decipher) {
1783 int mode = is_decipher ? VM_Version::CipherMode::decipher : VM_Version::CipherMode::cipher;
1784 Label parmBlk_128, parmBlk_192, parmBlk_256, parmBlk_set;
1785
1786 BLOCK_COMMENT("push parmBlk {");
1787 if (VM_Version::has_Crypto_AES() ) { __ z_cghi(keylen, 52); }
1788 if (VM_Version::has_Crypto_AES128()) { __ z_brl(parmBlk_128); } // keyLen < 52: AES128
1789 if (VM_Version::has_Crypto_AES192()) { __ z_bre(parmBlk_192); } // keyLen == 52: AES192
1790 if (VM_Version::has_Crypto_AES256()) { __ z_brh(parmBlk_256); } // keyLen > 52: AES256
1791
1792 // Security net: requested AES function not available on this CPU.
1793 // NOTE:
1794 // As of now (March 2015), this safety net is not required. JCE policy files limit the
1795 // cryptographic strength of the keys used to 128 bit. If we have AES hardware support
1796 // at all, we have at least AES-128.
1797 __ stop_static("AES key strength not supported by CPU. Use -XX:-UseAES as remedy.", 0);
1798
1799 if (VM_Version::has_Crypto_AES256()) {
1800 __ bind(parmBlk_256);
1801 generate_push_Block(VM_Version::Cipher::_AES256_dataBlk,
1802 VM_Version::Cipher::_AES256_parmBlk_C,
1803 VM_Version::Cipher::_AES256 + mode,
1804 parmBlk, keylen, fCode, cv, key);
1805 if (VM_Version::has_Crypto_AES128() || VM_Version::has_Crypto_AES192()) {
1806 __ z_bru(parmBlk_set); // Fallthru otherwise.
1807 }
1808 }
1809
1810 if (VM_Version::has_Crypto_AES192()) {
1811 __ bind(parmBlk_192);
1812 generate_push_Block(VM_Version::Cipher::_AES192_dataBlk,
1813 VM_Version::Cipher::_AES192_parmBlk_C,
1814 VM_Version::Cipher::_AES192 + mode,
1815 parmBlk, keylen, fCode, cv, key);
1816 if (VM_Version::has_Crypto_AES128()) {
1817 __ z_bru(parmBlk_set); // Fallthru otherwise.
1818 }
1819 }
1820
1821 if (VM_Version::has_Crypto_AES128()) {
1822 __ bind(parmBlk_128);
1823 generate_push_Block(VM_Version::Cipher::_AES128_dataBlk,
1824 VM_Version::Cipher::_AES128_parmBlk_C,
1825 VM_Version::Cipher::_AES128 + mode,
1826 parmBlk, keylen, fCode, cv, key);
1827 // Fallthru
1828 }
1829
1830 __ bind(parmBlk_set);
1831 BLOCK_COMMENT("} push parmBlk");
1832 }
1833
1834 // Pop a parameter block from the stack. The chaining value portion of the parameter block
1835 // is copied back to the cv array as it is needed for subsequent cipher steps.
1836 // The keylen value as well as the original SP (before resizing) was pushed to the stack
1837 // when pushing the parameter block.
1838 void generate_pop_parmBlk(Register keylen, Register parmBlk, Register key, Register cv) {
1839
1840 BLOCK_COMMENT("pop parmBlk {");
1841 bool identical_dataBlk_len = (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES192_dataBlk) &&
1842 (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES256_dataBlk);
1843 if (identical_dataBlk_len) {
1844 int cv_len = VM_Version::Cipher::_AES128_dataBlk;
1845 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv.
1846 } else {
1847 int cv_len;
1863 }
1864 }
1865
1866 if (VM_Version::has_Crypto_AES192()) {
1867 __ bind(parmBlk_192);
1868 cv_len = VM_Version::Cipher::_AES192_dataBlk;
1869 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv.
1870 if (VM_Version::has_Crypto_AES256()) {
1871 __ z_bru(parmBlk_set);
1872 }
1873 }
1874
1875 if (VM_Version::has_Crypto_AES256()) {
1876 __ bind(parmBlk_256);
1877 cv_len = VM_Version::Cipher::_AES256_dataBlk;
1878 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv.
1879 // __ z_bru(parmBlk_set); // fallthru
1880 }
1881 __ bind(parmBlk_set);
1882 }
1883 __ z_lg(Z_SP, -16, parmBlk); // Revert resize_frame_absolute. Z_SP saved by push_parmBlk.
1884 BLOCK_COMMENT("} pop parmBlk");
1885 }
1886
1887 // Compute AES encrypt/decrypt function.
1888 void generate_AES_cipherBlock(bool is_decipher) {
1889 // Incoming arguments.
1890 Register from = Z_ARG1; // source byte array
1891 Register to = Z_ARG2; // destination byte array
1892 Register key = Z_ARG3; // expanded key array
1893
1894 const Register keylen = Z_R0; // Temporarily (until fCode is set) holds the expanded key array length.
1895
1896 // Register definitions as required by KM instruction.
1897 const Register fCode = Z_R0; // crypto function code
1898 const Register parmBlk = Z_R1; // parameter block address (points to crypto key)
1899 const Register src = Z_ARG1; // Must be even reg (KM requirement).
1900 const Register srclen = Z_ARG2; // Must be odd reg and pair with src. Overwrites destination address.
1901 const Register dst = Z_ARG3; // Must be even reg (KM requirement). Overwrites expanded key address.
1902
1903 // Read key len of expanded key (in 4-byte words).
1904 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT)));
1905
1906 // Copy arguments to registers as required by crypto instruction.
1907 __ z_lgr(parmBlk, key); // crypto key (in T_INT array).
1908 __ lgr_if_needed(src, from); // Copy src address. Will not emit, src/from are identical.
1909 __ z_lgr(dst, to); // Copy dst address, even register required.
1910
1911 // Construct function code into fCode(Z_R0), data block length into srclen(Z_ARG2).
1912 generate_load_AES_fCode(keylen, fCode, srclen, is_decipher);
1913
1914 __ km(dst, src); // Cipher the message.
1915
1916 __ z_br(Z_R14);
1917 }
1918
1919 // Compute AES encrypt function.
1920 address generate_AES_encryptBlock(const char* name) {
1921 __ align(CodeEntryAlignment);
1922 StubCodeMark mark(this, "StubRoutines", name);
1923 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value).
1924
1925 generate_AES_cipherBlock(false);
1926
1927 return __ addr_at(start_off);
1928 }
1929
1930 // Compute AES decrypt function.
1931 address generate_AES_decryptBlock(const char* name) {
1932 __ align(CodeEntryAlignment);
1933 StubCodeMark mark(this, "StubRoutines", name);
1934 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value).
1935
1936 generate_AES_cipherBlock(true);
1937
1938 return __ addr_at(start_off);
1939 }
1940
1941 // These stubs receive the addresses of the cryptographic key and of the chaining value as two separate
1942 // arguments (registers "key" and "cv", respectively). The KMC instruction, on the other hand, requires
1943 // chaining value and key to be, in this sequence, adjacent in storage. Thus, we need to allocate some
1944 // thread-local working storage. Using heap memory incurs all the hassles of allocating/freeing.
1945 // Stack space, on the contrary, is deallocated automatically when we return from the stub to the caller.
1946 // *** WARNING ***
1947 // Please note that we do not formally allocate stack space, nor do we
1948 // update the stack pointer. Therefore, no function calls are allowed
1949 // and nobody else must use the stack range where the parameter block
1950 // is located.
1951 // We align the parameter block to the next available octoword.
1952 //
1953 // Compute chained AES encrypt function.
1954 void generate_AES_cipherBlockChaining(bool is_decipher) {
1955
1956 Register from = Z_ARG1; // source byte array (clear text)
1957 Register to = Z_ARG2; // destination byte array (ciphered)
1958 Register key = Z_ARG3; // expanded key array.
1959 Register cv = Z_ARG4; // chaining value
1960 const Register msglen = Z_ARG5; // Total length of the msg to be encrypted. Value must be returned
1961 // in Z_RET upon completion of this stub. Is 32-bit integer.
1962
1963 const Register keylen = Z_R0; // Expanded key length, as read from key array. Temp only.
1964 const Register fCode = Z_R0; // crypto function code
1965 const Register parmBlk = Z_R1; // parameter block address (points to crypto key)
1966 const Register src = Z_ARG1; // is Z_R2
1967 const Register srclen = Z_ARG2; // Overwrites destination address.
1968 const Register dst = Z_ARG3; // Overwrites key address.
1969
1970 // Read key len of expanded key (in 4-byte words).
1971 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT)));
1972
1973 // Construct parm block address in parmBlk (== Z_R1), copy cv and key to parm block.
1974 // Construct function code in fCode (Z_R0).
1975 generate_push_parmBlk(keylen, fCode, parmBlk, key, cv, is_decipher);
1976
1977 // Prepare other registers for instruction.
1978 __ lgr_if_needed(src, from); // Copy src address. Will not emit, src/from are identical.
1979 __ z_lgr(dst, to);
1980 __ z_llgfr(srclen, msglen); // We pass the offsets as ints, not as longs as required.
1981
1982 __ kmc(dst, src); // Cipher the message.
1983
1984 generate_pop_parmBlk(keylen, parmBlk, key, cv);
1985
1986 __ z_llgfr(Z_RET, msglen); // We pass the offsets as ints, not as longs as required.
1987 __ z_br(Z_R14);
1988 }
1989
1990 // Compute chained AES encrypt function.
1991 address generate_cipherBlockChaining_AES_encrypt(const char* name) {
1992 __ align(CodeEntryAlignment);
1993 StubCodeMark mark(this, "StubRoutines", name);
1994 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value).
1995
1996 generate_AES_cipherBlockChaining(false);
1997
1998 return __ addr_at(start_off);
1999 }
2000
2001 // Compute chained AES encrypt function.
2002 address generate_cipherBlockChaining_AES_decrypt(const char* name) {
2003 __ align(CodeEntryAlignment);
2004 StubCodeMark mark(this, "StubRoutines", name);
2005 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value).
2006
2007 generate_AES_cipherBlockChaining(true);
2008
2009 return __ addr_at(start_off);
2010 }
2011
2012
2013 // Call interface for all SHA* stubs.
2014 //
2015 // Z_ARG1 - source data block. Ptr to leftmost byte to be processed.
2016 // Z_ARG2 - current SHA state. Ptr to state area. This area serves as
2017 // parameter block as required by the crypto instruction.
2018 // Z_ARG3 - current byte offset in source data block.
2019 // Z_ARG4 - last byte offset in source data block.
2020 // (Z_ARG4 - Z_ARG3) gives the #bytes remaining to be processed.
2021 //
2022 // Z_RET - return value. First unprocessed byte offset in src buffer.
2023 //
2024 // A few notes on the call interface:
2025 // - All stubs, whether they are single-block or multi-block, are assumed to
2026 // digest an integer multiple of the data block length of data. All data
2027 // blocks are digested using the intermediate message digest (KIMD) instruction.
|