RISC-V ASM unaligned read/writes: alternative assembly

Not all RISC-V chips allow unaligned reads and writes with basic
assembly instructions like lw/sw.
Add alternative assembly that is turned on with:
WOLFSSL_RISCV_ASM_NO_UNALIGNED.

Author: SparkiDev

.wolfssl_known_macro_extras

@@ -887,6 +887,7 @@ WOLFSSL_RENESAS_RZN2L
 WOLFSSL_RENESAS_TLS
 WOLFSSL_RENESAS_TSIP_IAREWRX
 WOLFSSL_REQUIRE_TCA
+WOLFSSL_RISCV_ASM_NO_UNALIGNED
 WOLFSSL_RNG_USE_FULL_SEED
 WOLFSSL_RSA_CHECK_D_ON_DECRYPT
 WOLFSSL_RSA_DECRYPT_TO_0_LEN

configure.ac

@@ -3859,7 +3859,7 @@ do
     # FSL, FSR, FSRI, CMOV, CMIX - QEMU doesn't know about these instructions
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_BIT_MANIPULATION_TERNARY"
     ;;
-  zkn|zkned)
+  zkned)
     # AES encrypt/decrpyt, SHA-2
     ENABLED_RISCV_ASM=yes
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RISCV_SCALAR_CRYPTO_ASM"

wolfcrypt/src/port/riscv/riscv-64-aes.c

@@ -1871,8 +1871,13 @@ int wc_AesSetKey(Aes* aes, const byte* key, word32 keyLen, const byte* iv,
 static void wc_AesEncrypt(Aes* aes, const byte* in, byte* out)
 {
     __asm__ __volatile__ (
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "ld          t2, 0(%[in])\n\t"
         "ld          t3, 8(%[in])\n\t"
+#else
+        UNALIGNED_LD(t2, 0, %[in], t0)
+        UNALIGNED_LD(t3, 8, %[in], t0)
+#endif
         "ld          a3, 0(%[key])\n\t"
         "ld          a4, 8(%[key])\n\t"
         "ld          a5, 16(%[key])\n\t"
@@ -1897,8 +1902,13 @@ static void wc_AesEncrypt(Aes* aes, const byte* in, byte* out)
         AESENC_2_ROUNDS(208, 216, 224, 232)
       "L_aes_encrypt_done:\n\t"
         AESENC_LAST_ROUND()
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "sd          t2, 0(%[out])\n\t"
         "sd          t3, 8(%[out])\n\t"
+#else
+        UNALIGNED_SD(t2, 0, %[out], t0)
+        UNALIGNED_SD(t3, 8, %[out], t0)
+#endif
         :
         : [in] "r" (in), [out] "r" (out), [key] "r" (aes->key),
           [rounds] "r" (aes->rounds)
@@ -1918,8 +1928,13 @@ static void wc_AesEncrypt(Aes* aes, const byte* in, byte* out)
 static void wc_AesDecrypt(Aes* aes, const byte* in, byte* out)
 {
     __asm__ __volatile__ (
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "ld          t2, 0(%[in])\n\t"
         "ld          t3, 8(%[in])\n\t"
+#else
+        UNALIGNED_LD(t2, 0, %[in], t0)
+        UNALIGNED_LD(t3, 8, %[in], t0)
+#endif
         "ld          a3, 0(%[key])\n\t"
         "ld          a4, 8(%[key])\n\t"
         "ld          a5, 16(%[key])\n\t"
@@ -1944,8 +1959,13 @@ static void wc_AesDecrypt(Aes* aes, const byte* in, byte* out)
         AESDEC_2_ROUNDS(208, 216, 224, 232)
       "L_aes_decrypt_done:\n\t"
         AESDEC_LAST_ROUND()
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "sd          t2, 0(%[out])\n\t"
         "sd          t3, 8(%[out])\n\t"
+#else
+        UNALIGNED_SD(t2, 0, %[out], t0)
+        UNALIGNED_SD(t3, 8, %[out], t0)
+#endif
         :
         : [in] "r" (in), [out] "r" (out), [key] "r" (aes->key),
           [rounds] "r" (aes->rounds)
@@ -3209,8 +3229,13 @@ static void wc_AesEncrypt(Aes* aes, const byte* in, byte* out)
         LOAD_WORD_REV(t2, 8, %[in])
         LOAD_WORD_REV(t3, 12, %[in])
 #else
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "ld         t1,  0(%[in])\n\t"
         "ld         t3,  8(%[in])\n\t"
+#else
+        UNALIGNED_LD(t1, 0, %[in], t0)
+        UNALIGNED_LD(t3, 8, %[in], t0)
+#endif
         REV8(REG_T1, REG_T1)
         REV8(REG_T3, REG_T3)
         "srli       t0, t1, 32\n\t"
@@ -3376,16 +3401,26 @@ static void wc_AesEncrypt(Aes* aes, const byte* in, byte* out)
         REV8(REG_T1, REG_T1)
         REV8(REG_T3, REG_T3)
         /* Write encrypted block to output. */
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "sd         t1,  0(%[out])\n\t"
         "sd         t3,  8(%[out])\n\t"
+#else
+        UNALIGNED_SD(t1, 0, %[out], t0)
+        UNALIGNED_SD(t3, 8, %[out], t0)
+#endif
 #else
         PACK(REG_T1, REG_A5, REG_A4)
         PACK(REG_T3, REG_A7, REG_A6)
         REV8(REG_T1, REG_T1)
         REV8(REG_T3, REG_T3)
         /* Write encrypted block to output. */
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "sd         t1,  0(%[out])\n\t"
         "sd         t3,  8(%[out])\n\t"
+#else
+        UNALIGNED_SD(t1, 0, %[out], t0)
+        UNALIGNED_SD(t3, 8, %[out], t0)
+#endif
 #endif
 
         :
@@ -3641,8 +3676,13 @@ static void wc_AesDecrypt(Aes* aes, const byte* in, byte* out)
         LOAD_WORD_REV(t2, 8, %[in])
         LOAD_WORD_REV(t3, 12, %[in])
 #else
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "ld         t1,  0(%[in])\n\t"
         "ld         t3,  8(%[in])\n\t"
+#else
+        UNALIGNED_LD(t1, 0, %[in], t0)
+        UNALIGNED_LD(t3, 8, %[in], t0)
+#endif
         REV8(REG_T1, REG_T1)
         REV8(REG_T3, REG_T3)
         "srli       t0, t1, 32\n\t"
@@ -3793,16 +3833,26 @@ static void wc_AesDecrypt(Aes* aes, const byte* in, byte* out)
         REV8(REG_T1, REG_T1)
         REV8(REG_T3, REG_T3)
         /* Write encrypted block to output. */
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "sd         t1,  0(%[out])\n\t"
         "sd         t3,  8(%[out])\n\t"
+#else
+        UNALIGNED_SD(t1, 0, %[out], t0)
+        UNALIGNED_SD(t3, 8, %[out], t0)
+#endif
 #else
         PACK(REG_T1, REG_A5, REG_A4)
         PACK(REG_T3, REG_A7, REG_A6)
         REV8(REG_T1, REG_T1)
         REV8(REG_T3, REG_T3)
         /* Write encrypted block to output. */
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "sd         t1,  0(%[out])\n\t"
         "sd         t3,  8(%[out])\n\t"
+#else
+        UNALIGNED_SD(t1, 0, %[out], t0)
+        UNALIGNED_SD(t3, 8, %[out], t0)
+#endif
 #endif
 
         :
@@ -4113,7 +4163,7 @@ static WC_INLINE void IncrementAesCounter(byte* inOutCtr)
  */
 int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
 {
-    byte scratch[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
     word32 processed;
     int ret = 0;
 
@@ -4563,8 +4613,8 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz,
     byte* s, word32 sSz)
 {
     if (gcm != NULL) {
-        byte x[WC_AES_BLOCK_SIZE];
-        byte scratch[WC_AES_BLOCK_SIZE];
+        ALIGN16 byte x[WC_AES_BLOCK_SIZE];
+        ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
         byte* h = gcm->H;
 
         __asm__ __volatile__ (
@@ -4896,8 +4946,8 @@ static void GMULT(byte* x, byte* y)
 void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz,
     byte* s, word32 sSz)
 {
-    byte x[WC_AES_BLOCK_SIZE];
-    byte scratch[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte x[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
     word32 blocks, partial;
     byte* h;
 
@@ -5163,8 +5213,13 @@ static void ghash_blocks(byte* x, byte* y, const byte* in, word32 blocks)
 
     "L_ghash_loop:\n\t"
         /* Load input block. */
+#ifndef WOLFSSL_RISCV_ASM_NO_UNALIGNED
         "ld          t5, 0(%[in])\n\t"
         "ld          a5, 8(%[in])\n\t"
+#else
+        UNALIGNED_LD(t5, 0, %[in], t4)
+        UNALIGNED_LD(a5, 8, %[in], t4)
+#endif
         /* Reverse bits to match x. */
 #ifdef WOLFSSL_RISCV_BIT_MANIPULATION
         BREV8(REG_T5, REG_T5)
@@ -5307,8 +5362,8 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz,
     byte* s, word32 sSz)
 {
     if (gcm != NULL) {
-        byte x[WC_AES_BLOCK_SIZE];
-        byte scratch[WC_AES_BLOCK_SIZE];
+        ALIGN16 byte x[WC_AES_BLOCK_SIZE];
+        ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
         word32 blocks, partial;
         byte* h = gcm->H;
 
@@ -5388,8 +5443,8 @@ static void Aes128GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     const byte* nonce, word32 nonceSz, byte* tag, word32 tagSz,
     const byte* aad, word32 aadSz)
 {
-    byte counter[WC_AES_BLOCK_SIZE];
-    byte scratch[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte counter[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
     /* Noticed different optimization levels treated head of array different.
      * Some cases was stack pointer plus offset others was a register containing
      * address. To make uniform for passing in to inline assembly code am using
@@ -5886,8 +5941,8 @@ static void Aes192GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     const byte* nonce, word32 nonceSz, byte* tag, word32 tagSz,
     const byte* aad, word32 aadSz)
 {
-    byte counter[WC_AES_BLOCK_SIZE];
-    byte scratch[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte counter[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
     /* Noticed different optimization levels treated head of array different.
      * Some cases was stack pointer plus offset others was a register containing
      * address. To make uniform for passing in to inline assembly code am using
@@ -6398,8 +6453,8 @@ static void Aes256GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     const byte* nonce, word32 nonceSz, byte* tag, word32 tagSz,
     const byte* aad, word32 aadSz)
 {
-    byte counter[WC_AES_BLOCK_SIZE];
-    byte scratch[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte counter[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
     /* Noticed different optimization levels treated head of array different.
      * Some cases was stack pointer plus offset others was a register containing
      * address. To make uniform for passing in to inline assembly code am using
@@ -7003,8 +7058,8 @@ static int Aes128GcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     const byte* aad, word32 aadSz)
 {
     int ret = 0;
-    byte counter[WC_AES_BLOCK_SIZE];
-    byte scratch[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte counter[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
     /* Noticed different optimization levels treated head of array different.
      * Some cases was stack pointer plus offset others was a register containing
      * address. To make uniform for passing in to inline assembly code am using
@@ -7512,8 +7567,8 @@ static int Aes192GcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     const byte* aad, word32 aadSz)
 {
     int ret = 0;
-    byte counter[WC_AES_BLOCK_SIZE];
-    byte scratch[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte counter[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
     /* Noticed different optimization levels treated head of array different.
      * Some cases was stack pointer plus offset others was a register containing
      * address. To make uniform for passing in to inline assembly code am using
@@ -8035,8 +8090,8 @@ static int Aes256GcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     const byte* aad, word32 aadSz)
 {
     int ret = 0;
-    byte counter[WC_AES_BLOCK_SIZE];
-    byte scratch[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte counter[WC_AES_BLOCK_SIZE];
+    ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
     /* Noticed different optimization levels treated head of array different.
      * Some cases was stack pointer plus offset others was a register containing
      * address. To make uniform for passing in to inline assembly code am using
@@ -8733,8 +8788,8 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz,
     byte* s, word32 sSz)
 {
     if (gcm != NULL) {
-        byte x[WC_AES_BLOCK_SIZE];
-        byte scratch[WC_AES_BLOCK_SIZE];
+        ALIGN16 byte x[WC_AES_BLOCK_SIZE];
+        ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
         word32 blocks, partial;
 
         XMEMSET(x, 0, WC_AES_BLOCK_SIZE);