Re: [RFC PATCH] target/arm: use x86 intrinsics to implement AES instructions

2023-05-30 Thread Richard Henderson
On 5/30/23 09:58, Ard Biesheuvel wrote:
On Tue, 30 May 2023 at 18:43, Richard Henderson wrote:
On 5/30/23 06:52, Ard Biesheuvel wrote:
+#ifdef __x86_64__
+if (have_aes()) {
+__m128i *d = (__m128i *)rd;
+
+*d = decrypt ? _mm_aesdeclast_si128(rk.vec ^ st.vec, (__m128i){})
+

Re: [RFC PATCH] target/arm: use x86 intrinsics to implement AES instructions

2023-05-30 Thread Ard Biesheuvel
On Tue, 30 May 2023 at 18:45, Peter Maydell wrote:
>
> On Tue, 30 May 2023 at 14:52, Ard Biesheuvel wrote:
> >
> > ARM intrinsics for AES deviate from the x86 ones in the way they cover
> > the different stages of each round, and so mapping one to the other is
> > not entirely straight-forward. H

Re: [RFC PATCH] target/arm: use x86 intrinsics to implement AES instructions

2023-05-30 Thread Ard Biesheuvel
On Tue, 30 May 2023 at 18:43, Richard Henderson wrote:
>
> On 5/30/23 06:52, Ard Biesheuvel wrote:
> > +#ifdef __x86_64__
> > +if (have_aes()) {
> > +__m128i *d = (__m128i *)rd;
> > +
> > +*d = decrypt ? _mm_aesdeclast_si128(rk.vec ^ st.vec, (__m128i){})
> > +

Re: [RFC PATCH] target/arm: use x86 intrinsics to implement AES instructions

2023-05-30 Thread Peter Maydell
On Tue, 30 May 2023 at 14:52, Ard Biesheuvel wrote:
>
> ARM intrinsics for AES deviate from the x86 ones in the way they cover
> the different stages of each round, and so mapping one to the other is
> not entirely straight-forward. However, with a bit of care, we can still
> use the x86 ones to e

Re: [RFC PATCH] target/arm: use x86 intrinsics to implement AES instructions

2023-05-30 Thread Richard Henderson
On 5/30/23 06:52, Ard Biesheuvel wrote:
+#ifdef __x86_64__
+if (have_aes()) {
+__m128i *d = (__m128i *)rd;
+
+*d = decrypt ? _mm_aesdeclast_si128(rk.vec ^ st.vec, (__m128i){})
+ : _mm_aesenclast_si128(rk.vec ^ st.vec, (__m128i){});

Do I correctly understa
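Review bot: the store through `*d` after the `(__m128i *)rd` cast assumes `rd` is 16-byte aligned; unless the caller guarantees that, `_mm_storeu_si128(d, ...)` writes the result with an unaligned store and avoids a fault on a misaligned destination. The zero `(__m128i){}` second operand is correct only because the round key is already applied by `rk.vec ^ st.vec` before the instruction (ARM AESE/AESD add the round key first, x86 AESENCLAST/AESDECLAST add it last); a one-line comment stating that mapping would save the next reader from wondering why the key is not passed to the intrinsic.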

Re: [RFC PATCH] target/arm: use x86 intrinsics to implement AES instructions

2023-05-30 Thread Richard Henderson
On 5/30/23 06:52, Ard Biesheuvel wrote:
ARM intrinsics for AES deviate from the x86 ones in the way they cover the different stages of each round, and so mapping one to the other is not entirely straight-forward. However, with a bit of care, we can still use the x86 ones to emulate the ARM ones,

Re: [RFC PATCH] target/arm: use x86 intrinsics to implement AES instructions

2023-05-30 Thread Philippe Mathieu-Daudé
Hi Ard,

On 30/5/23 15:52, Ard Biesheuvel wrote:
ARM intrinsics for AES deviate from the x86 ones in the way they cover the different stages of each round, and so mapping one to the other is not entirely straight-forward. However, with a bit of care, we can still use the x86 ones to emulate the A

[RFC PATCH] target/arm: use x86 intrinsics to implement AES instructions

2023-05-30 Thread Ard Biesheuvel
ARM intrinsics for AES deviate from the x86 ones in the way they cover the different stages of each round, and so mapping one to the other is not entirely straight-forward. However, with a bit of care, we can still use the x86 ones to emulate the ARM ones, which makes them constant time (which is a