1666 // z/Architecture provides instructions for full cipher/decipher complexity. 1667 // Therefore, we need the original, not the expanded key here. 1668 // Luckily, the first n bits of an AES-<n> expanded key are formed 1669 // by the original key itself. That takes us out of trouble. :-) 1670 // The key length (in bytes) relation is as follows: 1671 // original expanded rounds key bit keylen 1672 // key bytes key bytes length in words 1673 // 16 176 11 128 44 1674 // 24 208 13 192 52 1675 // 32 240 15 256 60 1676 // 1677 // The crypto instructions used in the AES* stubs have some specific register requirements. 1678 // Z_R0 holds the crypto function code. Please refer to the KM/KMC instruction 1679 // description in the "z/Architecture Principles of Operation" manual for details. 1680 // Z_R1 holds the parameter block address. The parameter block contains the cryptographic key 1681 // (KM instruction) and the chaining value (KMC instruction). 1682 // dst must designate an even-numbered register, holding the address of the output message. 1683 // src must designate an even/odd register pair, holding the address/length of the original message 1684 1685 // Helper function which generates code to 1686 // - load the function code in register fCode (== Z_R0) 1687 // - load the data block length (depends on cipher function) into register srclen if requested. 1688 // - is_decipher switches between cipher/decipher function codes 1689 // - set_len requests (if true) loading the data block length in register srclen 1690 void generate_load_AES_fCode(Register keylen, Register fCode, Register srclen, bool is_decipher) { 1691 1692 BLOCK_COMMENT("Set fCode {"); { 1693 Label fCode_set; 1694 int mode = is_decipher ? VM_Version::CipherMode::decipher : VM_Version::CipherMode::cipher; 1695 bool identical_dataBlk_len = (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES192_dataBlk) 1696 && (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES256_dataBlk); 1697 // Expanded key length is 44/52/60 * 4 bytes for AES-128/AES-192/AES-256. 1698 __ z_cghi(keylen, 52); 1699 1700 __ z_lghi(fCode, VM_Version::Cipher::_AES256 + mode); 1701 if (!identical_dataBlk_len) { 1702 __ z_lghi(srclen, VM_Version::Cipher::_AES256_dataBlk); 1703 } 1704 __ z_brh(fCode_set); // keyLen > 52: AES256 1705 1706 __ z_lghi(fCode, VM_Version::Cipher::_AES192 + mode); 1707 if (!identical_dataBlk_len) { 1708 __ z_lghi(srclen, VM_Version::Cipher::_AES192_dataBlk); 1709 } 1710 __ z_bre(fCode_set); // keyLen == 52: AES192 1711 1712 __ z_lghi(fCode, VM_Version::Cipher::_AES128 + mode); 1713 if (!identical_dataBlk_len) { 1714 __ z_lghi(srclen, VM_Version::Cipher::_AES128_dataBlk); 1715 } 1716 // __ z_brl(fCode_set); // keyLen < 52: AES128 // fallthru 1717 1718 __ bind(fCode_set); 1719 if (identical_dataBlk_len) { 1720 __ z_lghi(srclen, VM_Version::Cipher::_AES128_dataBlk); 1721 } 1722 } 1723 BLOCK_COMMENT("} Set fCode"); 1724 } 1725 1726 // Push a parameter block for the cipher/decipher instruction on the stack. 1727 // NOTE: 1728 // Before returning, the stub has to copy the chaining value from 1729 // the parmBlk, where it was updated by the crypto instruction, back 1730 // to the chaining value array the address of which was passed in the cv argument. 1731 // As all the available registers are used and modified by KMC, we need to save 1732 // the key length across the KMC instruction. We do so by spilling it to the stack, 1733 // just preceding the parmBlk (at (parmBlk - 8)). 1734 void generate_push_parmBlk(Register keylen, Register fCode, Register parmBlk, Register key, Register cv, bool is_decipher) { 1735 const int AES_parmBlk_align = 32; 1736 const int AES_parmBlk_addspace = AES_parmBlk_align; // Must be multiple of AES_parmblk_align. 1737 int cv_len, key_len; 1738 int mode = is_decipher ? VM_Version::CipherMode::decipher : VM_Version::CipherMode::cipher; 1739 Label parmBlk_128, parmBlk_192, parmBlk_256, parmBlk_set; 1740 1741 BLOCK_COMMENT("push parmBlk {"); 1742 if (VM_Version::has_Crypto_AES() ) { __ z_cghi(keylen, 52); } 1743 if (VM_Version::has_Crypto_AES256()) { __ z_brh(parmBlk_256); } // keyLen > 52: AES256 1744 if (VM_Version::has_Crypto_AES192()) { __ z_bre(parmBlk_192); } // keyLen == 52: AES192 1745 if (VM_Version::has_Crypto_AES128()) { __ z_brl(parmBlk_128); } // keyLen < 52: AES128 1746 1747 // Security net: requested AES function not available on this CPU. 1748 // NOTE: 1749 // As of now (March 2015), this safety net is not required. JCE policy files limit the 1750 // cryptographic strength of the keys used to 128 bit. If we have AES hardware support 1751 // at all, we have at least AES-128. 1752 __ stop_static("AES key strength not supported by CPU. Use -XX:-UseAES as remedy.", 0); 1753 1754 if (VM_Version::has_Crypto_AES128()) { 1755 __ bind(parmBlk_128); 1756 cv_len = VM_Version::Cipher::_AES128_dataBlk; 1757 key_len = VM_Version::Cipher::_AES128_parmBlk_C - cv_len; 1758 __ z_lay(parmBlk, -(VM_Version::Cipher::_AES128_parmBlk_C+AES_parmBlk_align)+(AES_parmBlk_align-1), Z_SP); 1759 __ z_nill(parmBlk, (~(AES_parmBlk_align-1)) & 0xffff); // align parameter block 1760 1761 // Resize the frame to accommodate for the aligned parameter block and other stuff. 1762 // There is room for stuff in the range [parmBlk-AES_parmBlk_addspace, parmBlk). 1763 __ z_stg(keylen, -8, parmBlk); // Spill keylen for later use. 1764 __ z_stg(Z_SP, -16, parmBlk); // Spill SP for easy revert. 1765 __ z_aghi(parmBlk, -AES_parmBlk_addspace); // Additional space for keylen, etc.. 1766 __ resize_frame_absolute(parmBlk, keylen, true); // Resize frame with parmBlk being the new SP. 1767 __ z_aghi(parmBlk, AES_parmBlk_addspace); // Restore parameter block address. 1768 1769 __ z_mvc(0, cv_len-1, parmBlk, 0, cv); // Copy cv. 1770 __ z_mvc(cv_len, key_len-1, parmBlk, 0, key); // Copy key. 1771 __ z_lghi(fCode, VM_Version::Cipher::_AES128 + mode); 1772 if (VM_Version::has_Crypto_AES192() || VM_Version::has_Crypto_AES256()) { 1773 __ z_bru(parmBlk_set); // Fallthru otherwise. 1774 } 1775 } 1776 1777 if (VM_Version::has_Crypto_AES192()) { 1778 __ bind(parmBlk_192); 1779 cv_len = VM_Version::Cipher::_AES192_dataBlk; 1780 key_len = VM_Version::Cipher::_AES192_parmBlk_C - cv_len; 1781 __ z_lay(parmBlk, -(VM_Version::Cipher::_AES192_parmBlk_C+AES_parmBlk_align)+(AES_parmBlk_align-1), Z_SP); 1782 __ z_nill(parmBlk, (~(AES_parmBlk_align-1)) & 0xffff); // Align parameter block. 1783 1784 // Resize the frame to accommodate for the aligned parameter block and other stuff. 1785 // There is room for stuff in the range [parmBlk-AES_parmBlk_addspace, parmBlk). 1786 __ z_stg(keylen, -8, parmBlk); // Spill keylen for later use. 1787 __ z_stg(Z_SP, -16, parmBlk); // Spill SP for easy revert. 1788 __ z_aghi(parmBlk, -AES_parmBlk_addspace); // Additional space for keylen, etc.. 1789 __ resize_frame_absolute(parmBlk, keylen, true); // Resize frame with parmBlk being the new SP. 1790 __ z_aghi(parmBlk, AES_parmBlk_addspace); // Restore parameter block address. 1791 1792 __ z_mvc(0, cv_len-1, parmBlk, 0, cv); // Copy cv. 1793 __ z_mvc(cv_len, key_len-1, parmBlk, 0, key); // Copy key. 1794 __ z_lghi(fCode, VM_Version::Cipher::_AES192 + mode); 1795 if (VM_Version::has_Crypto_AES256()) { 1796 __ z_bru(parmBlk_set); // Fallthru otherwise. 1797 } 1798 } 1799 1800 if (VM_Version::has_Crypto_AES256()) { 1801 __ bind(parmBlk_256); 1802 cv_len = VM_Version::Cipher::_AES256_dataBlk; 1803 key_len = VM_Version::Cipher::_AES256_parmBlk_C - cv_len; 1804 __ z_lay(parmBlk, -(VM_Version::Cipher::_AES256_parmBlk_C+AES_parmBlk_align)+(AES_parmBlk_align-1), Z_SP); 1805 __ z_nill(parmBlk, (~(AES_parmBlk_align-1)) & 0xffff); // Align parameter block. 1806 1807 // Resize the frame to accommodate for the aligned parameter block and other stuff. 1808 // There is room for stuff in the range [parmBlk-AES_parmBlk_addspace, parmBlk). 1809 __ z_stg(keylen, -8, parmBlk); // Spill keylen for later use. 1810 __ z_stg(Z_SP, -16, parmBlk); // Spill SP for easy revert. 1811 __ z_aghi(parmBlk, -AES_parmBlk_addspace); // Additional space for keylen, etc.. 1812 __ resize_frame_absolute(parmBlk, keylen, true); // Resize frame with parmBlk being the new SP. 1813 __ z_aghi(parmBlk, AES_parmBlk_addspace); // Restore parameter block address. 1814 1815 __ z_mvc(0, cv_len-1, parmBlk, 0, cv); // Copy cv. 1816 __ z_mvc(cv_len, key_len-1, parmBlk, 0, key); // Copy key. 1817 __ z_lghi(fCode, VM_Version::Cipher::_AES256 + mode); 1818 // __ z_bru(parmBlk_set); // fallthru 1819 } 1820 1821 __ bind(parmBlk_set); 1822 BLOCK_COMMENT("} push parmBlk"); 1823 } 1824 1825 // Pop a parameter block from the stack. The chaining value portion of the parameter block 1826 // is copied back to the cv array as it is needed for subsequent cipher steps. 1827 // The keylen value as well as the original SP (before resizing) was pushed to the stack 1828 // when pushing the parameter block. 1829 void generate_pop_parmBlk(Register keylen, Register parmBlk, Register key, Register cv) { 1830 1831 BLOCK_COMMENT("pop parmBlk {"); 1832 bool identical_dataBlk_len = (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES192_dataBlk) && 1833 (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES256_dataBlk); 1834 if (identical_dataBlk_len) { 1835 int cv_len = VM_Version::Cipher::_AES128_dataBlk; 1836 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv. 1837 } else { 1838 int cv_len; 1854 } 1855 } 1856 1857 if (VM_Version::has_Crypto_AES192()) { 1858 __ bind(parmBlk_192); 1859 cv_len = VM_Version::Cipher::_AES192_dataBlk; 1860 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv. 1861 if (VM_Version::has_Crypto_AES256()) { 1862 __ z_bru(parmBlk_set); 1863 } 1864 } 1865 1866 if (VM_Version::has_Crypto_AES256()) { 1867 __ bind(parmBlk_256); 1868 cv_len = VM_Version::Cipher::_AES256_dataBlk; 1869 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv. 1870 // __ z_bru(parmBlk_set); // fallthru 1871 } 1872 __ bind(parmBlk_set); 1873 } 1874 __ z_lg(Z_SP, -16, parmBlk); // Revert resize_frame_absolute. 1875 BLOCK_COMMENT("} pop parmBlk"); 1876 } 1877 1878 // Compute AES encrypt function. 1879 address generate_AES_encryptBlock(const char* name) { 1880 __ align(CodeEntryAlignment); 1881 StubCodeMark mark(this, "StubRoutines", name); 1882 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value). 1883 1884 Register from = Z_ARG1; // source byte array 1885 Register to = Z_ARG2; // destination byte array 1886 Register key = Z_ARG3; // expanded key array 1887 1888 const Register keylen = Z_R0; // Temporarily (until fCode is set) holds the expanded key array length. 1889 const Register fCode = Z_R0; // crypto function code 1890 const Register parmBlk = Z_R1; // parameter block address (points to crypto key) 1891 const Register src = Z_ARG1; // is Z_R2 1892 const Register srclen = Z_ARG2; // Overwrites destination address. 1893 const Register dst = Z_ARG3; // Overwrites expanded key address. 1894 1895 // Read key len of expanded key (in 4-byte words). 1896 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT))); 1897 1898 // Copy arguments to registers as required by crypto instruction. 1899 __ z_lgr(parmBlk, key); // crypto key (in T_INT array). 1900 // __ z_lgr(src, from); // Copy not needed, src/from are identical. 1901 __ z_lgr(dst, to); // Copy destination address to even register. 1902 1903 // Construct function code in Z_R0, data block length in Z_ARG2. 1904 generate_load_AES_fCode(keylen, fCode, srclen, false); 1905 1906 __ km(dst, src); // Cipher the message. 1907 1908 __ z_br(Z_R14); 1909 1910 return __ addr_at(start_off); 1911 } 1912 1913 // Compute AES decrypt function. 1914 address generate_AES_decryptBlock(const char* name) { 1915 __ align(CodeEntryAlignment); 1916 StubCodeMark mark(this, "StubRoutines", name); 1917 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value). 1918 1919 Register from = Z_ARG1; // source byte array 1920 Register to = Z_ARG2; // destination byte array 1921 Register key = Z_ARG3; // expanded key array, not preset at entry!!! 1922 1923 const Register keylen = Z_R0; // Temporarily (until fCode is set) holds the expanded key array length. 1924 const Register fCode = Z_R0; // crypto function code 1925 const Register parmBlk = Z_R1; // parameter block address (points to crypto key) 1926 const Register src = Z_ARG1; // is Z_R2 1927 const Register srclen = Z_ARG2; // Overwrites destination address. 1928 const Register dst = Z_ARG3; // Overwrites key address. 1929 1930 // Read key len of expanded key (in 4-byte words). 1931 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT))); 1932 1933 // Copy arguments to registers as required by crypto instruction. 1934 __ z_lgr(parmBlk, key); // Copy crypto key address. 1935 // __ z_lgr(src, from); // Copy not needed, src/from are identical. 1936 __ z_lgr(dst, to); // Copy destination address to even register. 1937 1938 // Construct function code in Z_R0, data block length in Z_ARG2. 1939 generate_load_AES_fCode(keylen, fCode, srclen, true); 1940 1941 __ km(dst, src); // Cipher the message. 1942 1943 __ z_br(Z_R14); 1944 1945 return __ addr_at(start_off); 1946 } 1947 1948 // These stubs receive the addresses of the cryptographic key and of the chaining value as two separate 1949 // arguments (registers "key" and "cv", respectively). The KMC instruction, on the other hand, requires 1950 // chaining value and key to be, in this sequence, adjacent in storage. Thus, we need to allocate some 1951 // thread-local working storage. Using heap memory incurs all the hassles of allocating/freeing. 1952 // Stack space, on the contrary, is deallocated automatically when we return from the stub to the caller. 1953 // *** WARNING *** 1954 // Please note that we do not formally allocate stack space, nor do we 1955 // update the stack pointer. Therefore, no function calls are allowed 1956 // and nobody else must use the stack range where the parameter block 1957 // is located. 1958 // We align the parameter block to the next available octoword. 1959 // 1960 // Compute chained AES encrypt function. 1961 address generate_cipherBlockChaining_AES_encrypt(const char* name) { 1962 __ align(CodeEntryAlignment); 1963 StubCodeMark mark(this, "StubRoutines", name); 1964 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value). 1965 1966 Register from = Z_ARG1; // source byte array (clear text) 1967 Register to = Z_ARG2; // destination byte array (ciphered) 1968 Register key = Z_ARG3; // expanded key array. 1969 Register cv = Z_ARG4; // chaining value 1970 const Register msglen = Z_ARG5; // Total length of the msg to be encrypted. Value must be returned 1971 // in Z_RET upon completion of this stub. Is 32-bit integer. 1972 1973 const Register keylen = Z_R0; // Expanded key length, as read from key array. Temp only. 1974 const Register fCode = Z_R0; // crypto function code 1975 const Register parmBlk = Z_R1; // parameter block address (points to crypto key) 1976 const Register src = Z_ARG1; // is Z_R2 1977 const Register srclen = Z_ARG2; // Overwrites destination address. 1978 const Register dst = Z_ARG3; // Overwrites key address. 1979 1980 // Read key len of expanded key (in 4-byte words). 1981 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT))); 1982 1983 // Construct parm block address in parmBlk (== Z_R1), copy cv and key to parm block. 1984 // Construct function code in Z_R0. 1985 generate_push_parmBlk(keylen, fCode, parmBlk, key, cv, false); 1986 1987 // Prepare other registers for instruction. 1988 // __ z_lgr(src, from); // Not needed, registers are the same. 1989 __ z_lgr(dst, to); 1990 __ z_llgfr(srclen, msglen); // We pass the offsets as ints, not as longs as required. 1991 1992 __ kmc(dst, src); // Cipher the message. 1993 1994 generate_pop_parmBlk(keylen, parmBlk, key, cv); 1995 1996 __ z_llgfr(Z_RET, msglen); // We pass the offsets as ints, not as longs as required. 1997 __ z_br(Z_R14); 1998 1999 return __ addr_at(start_off); 2000 } 2001 2002 // Compute chained AES encrypt function. 2003 address generate_cipherBlockChaining_AES_decrypt(const char* name) { 2004 __ align(CodeEntryAlignment); 2005 StubCodeMark mark(this, "StubRoutines", name); 2006 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value). 2007 2008 Register from = Z_ARG1; // source byte array (ciphered) 2009 Register to = Z_ARG2; // destination byte array (clear text) 2010 Register key = Z_ARG3; // expanded key array, not preset at entry!!! 2011 Register cv = Z_ARG4; // chaining value 2012 const Register msglen = Z_ARG5; // Total length of the msg to be encrypted. Value must be returned 2013 // in Z_RET upon completion of this stub. 2014 2015 const Register keylen = Z_R0; // Expanded key length, as read from key array. Temp only. 2016 const Register fCode = Z_R0; // crypto function code 2017 const Register parmBlk = Z_R1; // parameter block address (points to crypto key) 2018 const Register src = Z_ARG1; // is Z_R2 2019 const Register srclen = Z_ARG2; // Overwrites destination address. 2020 const Register dst = Z_ARG3; // Overwrites key address. 2021 2022 // Read key len of expanded key (in 4-byte words). 2023 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT))); 2024 2025 // Construct parm block address in parmBlk (== Z_R1), copy cv and key to parm block. 2026 // Construct function code in Z_R0. 2027 generate_push_parmBlk(keylen, fCode, parmBlk, key, cv, true); 2028 2029 // Prepare other registers for instruction. 2030 // __ z_lgr(src, from); // Not needed, registers are the same. 2031 __ z_lgr(dst, to); 2032 __ z_llgfr(srclen, msglen); // We pass the offsets as ints, not as longs as required. 2033 2034 __ kmc(dst, src); // Decipher the message. 2035 2036 generate_pop_parmBlk(keylen, parmBlk, key, cv); 2037 2038 __ z_llgfr(Z_RET, msglen); // We pass the offsets as ints, not as longs as required. 2039 __ z_br(Z_R14); 2040 2041 return __ addr_at(start_off); 2042 } 2043 2044 2045 // Call interface for all SHA* stubs. 2046 // 2047 // Z_ARG1 - source data block. Ptr to leftmost byte to be processed. 2048 // Z_ARG2 - current SHA state. Ptr to state area. This area serves as 2049 // parameter block as required by the crypto instruction. 2050 // Z_ARG3 - current byte offset in source data block. 2051 // Z_ARG4 - last byte offset in source data block. 2052 // (Z_ARG4 - Z_ARG3) gives the #bytes remaining to be processed. 2053 // 2054 // Z_RET - return value. First unprocessed byte offset in src buffer. 2055 // 2056 // A few notes on the call interface: 2057 // - All stubs, whether they are single-block or multi-block, are assumed to 2058 // digest an integer multiple of the data block length of data. All data 2059 // blocks are digested using the intermediate message digest (KIMD) instruction. | 1666 // z/Architecture provides instructions for full cipher/decipher complexity. 1667 // Therefore, we need the original, not the expanded key here. 1668 // Luckily, the first n bits of an AES-<n> expanded key are formed 1669 // by the original key itself. That takes us out of trouble. :-) 1670 // The key length (in bytes) relation is as follows: 1671 // original expanded rounds key bit keylen 1672 // key bytes key bytes length in words 1673 // 16 176 11 128 44 1674 // 24 208 13 192 52 1675 // 32 240 15 256 60 1676 // 1677 // The crypto instructions used in the AES* stubs have some specific register requirements. 1678 // Z_R0 holds the crypto function code. Please refer to the KM/KMC instruction 1679 // description in the "z/Architecture Principles of Operation" manual for details. 1680 // Z_R1 holds the parameter block address. The parameter block contains the cryptographic key 1681 // (KM instruction) and the chaining value (KMC instruction). 1682 // dst must designate an even-numbered register, holding the address of the output message. 1683 // src must designate an even/odd register pair, holding the address/length of the original message 1684 1685 // Helper function which generates code to 1686 // - load the function code in register fCode (== Z_R0). 1687 // - load the data block length (depends on cipher function) into register srclen if requested. 1688 // - is_decipher switches between cipher/decipher function codes 1689 // - set_len requests (if true) loading the data block length in register srclen 1690 void generate_load_AES_fCode(Register keylen, Register fCode, Register srclen, bool is_decipher) { 1691 1692 BLOCK_COMMENT("Set fCode {"); { 1693 Label fCode_set; 1694 int mode = is_decipher ? VM_Version::CipherMode::decipher : VM_Version::CipherMode::cipher; 1695 bool identical_dataBlk_len = (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES192_dataBlk) 1696 && (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES256_dataBlk); 1697 // Expanded key length is 44/52/60 * 4 bytes for AES-128/AES-192/AES-256. 1698 __ z_cghi(keylen, 52); // Check only once at the beginning. keylen and fCode may share the same register. 1699 1700 __ z_lghi(fCode, VM_Version::Cipher::_AES128 + mode); 1701 if (!identical_dataBlk_len) { 1702 __ z_lghi(srclen, VM_Version::Cipher::_AES128_dataBlk); 1703 } 1704 __ z_brl(fCode_set); // keyLen < 52: AES128 1705 1706 __ z_lghi(fCode, VM_Version::Cipher::_AES192 + mode); 1707 if (!identical_dataBlk_len) { 1708 __ z_lghi(srclen, VM_Version::Cipher::_AES192_dataBlk); 1709 } 1710 __ z_bre(fCode_set); // keyLen == 52: AES192 1711 1712 __ z_lghi(fCode, VM_Version::Cipher::_AES256 + mode); 1713 if (!identical_dataBlk_len) { 1714 __ z_lghi(srclen, VM_Version::Cipher::_AES256_dataBlk); 1715 } 1716 // __ z_brh(fCode_set); // keyLen < 52: AES128 // fallthru 1717 1718 __ bind(fCode_set); 1719 if (identical_dataBlk_len) { 1720 __ z_lghi(srclen, VM_Version::Cipher::_AES128_dataBlk); 1721 } 1722 } 1723 BLOCK_COMMENT("} Set fCode"); 1724 } 1725 1726 // Push a parameter block for the cipher/decipher instruction on the stack. 1727 // Layout of the additional stack space allocated for AES_cipherBlockChaining: 1728 // 1729 // | | 1730 // +--------+ <-- SP before expansion 1731 // | | 1732 // : : alignment loss, 0..(AES_parmBlk_align-8) bytes 1733 // | | 1734 // +--------+ 1735 // | | 1736 // : : space for parameter block, size VM_Version::Cipher::_AES*_parmBlk_C 1737 // | | 1738 // +--------+ <-- parmBlk, octoword-aligned, start of parameter block 1739 // | | 1740 // : : additional stack space for spills etc., size AES_parmBlk_addspace, DW @ Z_SP not usable!!! 1741 // | | 1742 // +--------+ <-- Z_SP after expansion 1743 1744 void generate_push_Block(int dataBlk_len, int parmBlk_len, int crypto_fCode, 1745 Register parmBlk, Register keylen, Register fCode, Register cv, Register key) { 1746 const int AES_parmBlk_align = 32; // octoword alignment. 1747 const int AES_parmBlk_addspace = 24; // Must be sufficiently large to hold all spilled registers 1748 // (currently 2) PLUS 1 DW for the frame pointer. 1749 1750 const int cv_len = dataBlk_len; 1751 const int key_len = parmBlk_len - cv_len; 1752 // This len must be known at JIT compile time. Only then are we able to recalc the SP before resize. 1753 // We buy this knowledge by wasting some (up to AES_parmBlk_align) bytes of stack space. 1754 const int resize_len = cv_len + key_len + AES_parmBlk_align + AES_parmBlk_addspace; 1755 1756 // Use parmBlk as temp reg here to hold the frame pointer. 1757 __ resize_frame(-resize_len, parmBlk, true); 1758 1759 // calculate parmBlk address from updated (resized) SP. 1760 __ add2reg(parmBlk, resize_len - (cv_len + key_len), Z_SP); 1761 __ z_nill(parmBlk, (~(AES_parmBlk_align-1)) & 0xffff); // Align parameter block. 1762 1763 // There is room for stuff in the range [parmBlk-AES_parmBlk_addspace+8, parmBlk). 1764 __ z_stg(keylen, -8, parmBlk); // Spill keylen for later use. 1765 1766 // calculate (SP before resize) from updated SP. 1767 __ add2reg(keylen, resize_len, Z_SP); // keylen holds prev SP for now. 1768 __ z_stg(keylen, -16, parmBlk); // Spill prev SP for easy revert. 1769 1770 __ z_mvc(0, cv_len-1, parmBlk, 0, cv); // Copy cv. 1771 __ z_mvc(cv_len, key_len-1, parmBlk, 0, key); // Copy key. 1772 __ z_lghi(fCode, crypto_fCode); 1773 } 1774 1775 // NOTE: 1776 // Before returning, the stub has to copy the chaining value from 1777 // the parmBlk, where it was updated by the crypto instruction, back 1778 // to the chaining value array the address of which was passed in the cv argument. 1779 // As all the available registers are used and modified by KMC, we need to save 1780 // the key length across the KMC instruction. We do so by spilling it to the stack, 1781 // just preceding the parmBlk (at (parmBlk - 8)). 1782 void generate_push_parmBlk(Register keylen, Register fCode, Register parmBlk, Register key, Register cv, bool is_decipher) { 1783 int mode = is_decipher ? VM_Version::CipherMode::decipher : VM_Version::CipherMode::cipher; 1784 Label parmBlk_128, parmBlk_192, parmBlk_256, parmBlk_set; 1785 1786 BLOCK_COMMENT("push parmBlk {"); 1787 if (VM_Version::has_Crypto_AES() ) { __ z_cghi(keylen, 52); } 1788 if (VM_Version::has_Crypto_AES128()) { __ z_brl(parmBlk_128); } // keyLen < 52: AES128 1789 if (VM_Version::has_Crypto_AES192()) { __ z_bre(parmBlk_192); } // keyLen == 52: AES192 1790 if (VM_Version::has_Crypto_AES256()) { __ z_brh(parmBlk_256); } // keyLen > 52: AES256 1791 1792 // Security net: requested AES function not available on this CPU. 1793 // NOTE: 1794 // As of now (March 2015), this safety net is not required. JCE policy files limit the 1795 // cryptographic strength of the keys used to 128 bit. If we have AES hardware support 1796 // at all, we have at least AES-128. 1797 __ stop_static("AES key strength not supported by CPU. Use -XX:-UseAES as remedy.", 0); 1798 1799 if (VM_Version::has_Crypto_AES256()) { 1800 __ bind(parmBlk_256); 1801 generate_push_Block(VM_Version::Cipher::_AES256_dataBlk, 1802 VM_Version::Cipher::_AES256_parmBlk_C, 1803 VM_Version::Cipher::_AES256 + mode, 1804 parmBlk, keylen, fCode, cv, key); 1805 if (VM_Version::has_Crypto_AES128() || VM_Version::has_Crypto_AES192()) { 1806 __ z_bru(parmBlk_set); // Fallthru otherwise. 1807 } 1808 } 1809 1810 if (VM_Version::has_Crypto_AES192()) { 1811 __ bind(parmBlk_192); 1812 generate_push_Block(VM_Version::Cipher::_AES192_dataBlk, 1813 VM_Version::Cipher::_AES192_parmBlk_C, 1814 VM_Version::Cipher::_AES192 + mode, 1815 parmBlk, keylen, fCode, cv, key); 1816 if (VM_Version::has_Crypto_AES128()) { 1817 __ z_bru(parmBlk_set); // Fallthru otherwise. 1818 } 1819 } 1820 1821 if (VM_Version::has_Crypto_AES128()) { 1822 __ bind(parmBlk_128); 1823 generate_push_Block(VM_Version::Cipher::_AES128_dataBlk, 1824 VM_Version::Cipher::_AES128_parmBlk_C, 1825 VM_Version::Cipher::_AES128 + mode, 1826 parmBlk, keylen, fCode, cv, key); 1827 // Fallthru 1828 } 1829 1830 __ bind(parmBlk_set); 1831 BLOCK_COMMENT("} push parmBlk"); 1832 } 1833 1834 // Pop a parameter block from the stack. The chaining value portion of the parameter block 1835 // is copied back to the cv array as it is needed for subsequent cipher steps. 1836 // The keylen value as well as the original SP (before resizing) was pushed to the stack 1837 // when pushing the parameter block. 1838 void generate_pop_parmBlk(Register keylen, Register parmBlk, Register key, Register cv) { 1839 1840 BLOCK_COMMENT("pop parmBlk {"); 1841 bool identical_dataBlk_len = (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES192_dataBlk) && 1842 (VM_Version::Cipher::_AES128_dataBlk == VM_Version::Cipher::_AES256_dataBlk); 1843 if (identical_dataBlk_len) { 1844 int cv_len = VM_Version::Cipher::_AES128_dataBlk; 1845 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv. 1846 } else { 1847 int cv_len; 1863 } 1864 } 1865 1866 if (VM_Version::has_Crypto_AES192()) { 1867 __ bind(parmBlk_192); 1868 cv_len = VM_Version::Cipher::_AES192_dataBlk; 1869 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv. 1870 if (VM_Version::has_Crypto_AES256()) { 1871 __ z_bru(parmBlk_set); 1872 } 1873 } 1874 1875 if (VM_Version::has_Crypto_AES256()) { 1876 __ bind(parmBlk_256); 1877 cv_len = VM_Version::Cipher::_AES256_dataBlk; 1878 __ z_mvc(0, cv_len-1, cv, 0, parmBlk); // Copy cv. 1879 // __ z_bru(parmBlk_set); // fallthru 1880 } 1881 __ bind(parmBlk_set); 1882 } 1883 __ z_lg(Z_SP, -16, parmBlk); // Revert resize_frame_absolute. Z_SP saved by push_parmBlk. 1884 BLOCK_COMMENT("} pop parmBlk"); 1885 } 1886 1887 // Compute AES encrypt/decrypt function. 1888 void generate_AES_cipherBlock(bool is_decipher) { 1889 // Incoming arguments. 1890 Register from = Z_ARG1; // source byte array 1891 Register to = Z_ARG2; // destination byte array 1892 Register key = Z_ARG3; // expanded key array 1893 1894 const Register keylen = Z_R0; // Temporarily (until fCode is set) holds the expanded key array length. 1895 1896 // Register definitions as required by KM instruction. 1897 const Register fCode = Z_R0; // crypto function code 1898 const Register parmBlk = Z_R1; // parameter block address (points to crypto key) 1899 const Register src = Z_ARG1; // Must be even reg (KM requirement). 1900 const Register srclen = Z_ARG2; // Must be odd reg and pair with src. Overwrites destination address. 1901 const Register dst = Z_ARG3; // Must be even reg (KM requirement). Overwrites expanded key address. 1902 1903 // Read key len of expanded key (in 4-byte words). 1904 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT))); 1905 1906 // Copy arguments to registers as required by crypto instruction. 1907 __ z_lgr(parmBlk, key); // crypto key (in T_INT array). 1908 __ lgr_if_needed(src, from); // Copy src address. Will not emit, src/from are identical. 1909 __ z_lgr(dst, to); // Copy dst address, even register required. 1910 1911 // Construct function code into fCode(Z_R0), data block length into srclen(Z_ARG2). 1912 generate_load_AES_fCode(keylen, fCode, srclen, is_decipher); 1913 1914 __ km(dst, src); // Cipher the message. 1915 1916 __ z_br(Z_R14); 1917 } 1918 1919 // Compute AES encrypt function. 1920 address generate_AES_encryptBlock(const char* name) { 1921 __ align(CodeEntryAlignment); 1922 StubCodeMark mark(this, "StubRoutines", name); 1923 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value). 1924 1925 generate_AES_cipherBlock(false); 1926 1927 return __ addr_at(start_off); 1928 } 1929 1930 // Compute AES decrypt function. 1931 address generate_AES_decryptBlock(const char* name) { 1932 __ align(CodeEntryAlignment); 1933 StubCodeMark mark(this, "StubRoutines", name); 1934 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value). 1935 1936 generate_AES_cipherBlock(true); 1937 1938 return __ addr_at(start_off); 1939 } 1940 1941 // These stubs receive the addresses of the cryptographic key and of the chaining value as two separate 1942 // arguments (registers "key" and "cv", respectively). The KMC instruction, on the other hand, requires 1943 // chaining value and key to be, in this sequence, adjacent in storage. Thus, we need to allocate some 1944 // thread-local working storage. Using heap memory incurs all the hassles of allocating/freeing. 1945 // Stack space, on the contrary, is deallocated automatically when we return from the stub to the caller. 1946 // *** WARNING *** 1947 // Please note that we do not formally allocate stack space, nor do we 1948 // update the stack pointer. Therefore, no function calls are allowed 1949 // and nobody else must use the stack range where the parameter block 1950 // is located. 1951 // We align the parameter block to the next available octoword. 1952 // 1953 // Compute chained AES encrypt function. 1954 void generate_AES_cipherBlockChaining(bool is_decipher) { 1955 1956 Register from = Z_ARG1; // source byte array (clear text) 1957 Register to = Z_ARG2; // destination byte array (ciphered) 1958 Register key = Z_ARG3; // expanded key array. 1959 Register cv = Z_ARG4; // chaining value 1960 const Register msglen = Z_ARG5; // Total length of the msg to be encrypted. Value must be returned 1961 // in Z_RET upon completion of this stub. Is 32-bit integer. 1962 1963 const Register keylen = Z_R0; // Expanded key length, as read from key array. Temp only. 1964 const Register fCode = Z_R0; // crypto function code 1965 const Register parmBlk = Z_R1; // parameter block address (points to crypto key) 1966 const Register src = Z_ARG1; // is Z_R2 1967 const Register srclen = Z_ARG2; // Overwrites destination address. 1968 const Register dst = Z_ARG3; // Overwrites key address. 1969 1970 // Read key len of expanded key (in 4-byte words). 1971 __ z_lgf(keylen, Address(key, arrayOopDesc::length_offset_in_bytes() - arrayOopDesc::base_offset_in_bytes(T_INT))); 1972 1973 // Construct parm block address in parmBlk (== Z_R1), copy cv and key to parm block. 1974 // Construct function code in fCode (Z_R0). 1975 generate_push_parmBlk(keylen, fCode, parmBlk, key, cv, is_decipher); 1976 1977 // Prepare other registers for instruction. 1978 __ lgr_if_needed(src, from); // Copy src address. Will not emit, src/from are identical. 1979 __ z_lgr(dst, to); 1980 __ z_llgfr(srclen, msglen); // We pass the offsets as ints, not as longs as required. 1981 1982 __ kmc(dst, src); // Cipher the message. 1983 1984 generate_pop_parmBlk(keylen, parmBlk, key, cv); 1985 1986 __ z_llgfr(Z_RET, msglen); // We pass the offsets as ints, not as longs as required. 1987 __ z_br(Z_R14); 1988 } 1989 1990 // Compute chained AES encrypt function. 1991 address generate_cipherBlockChaining_AES_encrypt(const char* name) { 1992 __ align(CodeEntryAlignment); 1993 StubCodeMark mark(this, "StubRoutines", name); 1994 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value). 1995 1996 generate_AES_cipherBlockChaining(false); 1997 1998 return __ addr_at(start_off); 1999 } 2000 2001 // Compute chained AES encrypt function. 2002 address generate_cipherBlockChaining_AES_decrypt(const char* name) { 2003 __ align(CodeEntryAlignment); 2004 StubCodeMark mark(this, "StubRoutines", name); 2005 unsigned int start_off = __ offset(); // Remember stub start address (is rtn value). 2006 2007 generate_AES_cipherBlockChaining(true); 2008 2009 return __ addr_at(start_off); 2010 } 2011 2012 2013 // Call interface for all SHA* stubs. 2014 // 2015 // Z_ARG1 - source data block. Ptr to leftmost byte to be processed. 2016 // Z_ARG2 - current SHA state. Ptr to state area. This area serves as 2017 // parameter block as required by the crypto instruction. 2018 // Z_ARG3 - current byte offset in source data block. 2019 // Z_ARG4 - last byte offset in source data block. 2020 // (Z_ARG4 - Z_ARG3) gives the #bytes remaining to be processed. 2021 // 2022 // Z_RET - return value. First unprocessed byte offset in src buffer. 2023 // 2024 // A few notes on the call interface: 2025 // - All stubs, whether they are single-block or multi-block, are assumed to 2026 // digest an integer multiple of the data block length of data. All data 2027 // blocks are digested using the intermediate message digest (KIMD) instruction. |