crypto: implement naive ARM AES backend for simple rounds

kwvg · kwvg · commit 76bd23671476 · 2025-09-22T09:52:06.000Z
diff --git a/configure.ac b/configure.ac
@@ -535,6 +535,7 @@ dnl https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111843. To work around that, se
 dnl -fstack-reuse=none for all gcc builds. (Only gcc understands this flag)
 AX_CHECK_COMPILE_FLAG([-fstack-reuse=none], [CORE_CXXFLAGS="$CORE_CXXFLAGS -fstack-reuse=none"])
 
+enable_arm_aes=no
 enable_arm_crc=no
 enable_arm_shani=no
 enable_ssse3=no
@@ -677,7 +678,22 @@ CXXFLAGS="$TEMP_CXXFLAGS"
 
 # ARM
 AX_CHECK_COMPILE_FLAG([-march=armv8-a+crc+crypto], [ARM_CRC_CXXFLAGS="-march=armv8-a+crc+crypto"], [], [$CXXFLAG_WERROR])
-AX_CHECK_COMPILE_FLAG([-march=armv8-a+crypto], [ARM_SHANI_CXXFLAGS="-march=armv8-a+crypto"], [], [$CXXFLAG_WERROR])
+AX_CHECK_COMPILE_FLAG([-march=armv8-a+crypto], [ARM_AES_CXXFLAGS="-march=armv8-a+crypto"; ARM_SHANI_CXXFLAGS="-march=armv8-a+crypto"], [], [$CXXFLAG_WERROR])
+
+TEMP_CXXFLAGS="$CXXFLAGS"
+CXXFLAGS="$ARM_AES_CXXFLAGS $CXXFLAGS"
+AC_MSG_CHECKING([for ARMv8 AES intrinsics])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+    #include <arm_neon.h>
+  ]],[[
+    uint8x16_t a, b;
+    vaesmcq_u8(vaeseq_u8(a, b));
+    return 0;
+  ]])],
+ [ AC_MSG_RESULT([yes]); enable_arm_aes=yes; AC_DEFINE([ENABLE_ARM_AES], [1], [Define this symbol to build code that uses ARMv8 AES intrinsics]) ],
+ [ AC_MSG_RESULT([no])]
+)
+CXXFLAGS="$TEMP_CXXFLAGS"
 
 TEMP_CXXFLAGS="$CXXFLAGS"
 CXXFLAGS="$ARM_CRC_CXXFLAGS $CXXFLAGS"
@@ -1861,6 +1877,7 @@ AM_CONDITIONAL([ENABLE_SSE41], [test "$enable_sse41" = "yes"])
 AM_CONDITIONAL([ENABLE_AVX2], [test "$enable_avx2" = "yes"])
 AM_CONDITIONAL([ENABLE_X86_AESNI], [test "$enable_x86_aesni" = "yes"])
 AM_CONDITIONAL([ENABLE_X86_SHANI], [test "$enable_x86_shani" = "yes"])
+AM_CONDITIONAL([ENABLE_ARM_AES], [test "$enable_arm_aes" = "yes"])
 AM_CONDITIONAL([ENABLE_ARM_CRC], [test "$enable_arm_crc" = "yes"])
 AM_CONDITIONAL([ENABLE_ARM_SHANI], [test "$enable_arm_shani" = "yes"])
 AM_CONDITIONAL([WORDS_BIGENDIAN], [test "$ac_cv_c_bigendian" = "yes"])
@@ -1922,6 +1939,7 @@ AC_SUBST(CLMUL_CXXFLAGS)
 AC_SUBST(AVX2_CXXFLAGS)
 AC_SUBST(X86_AESNI_CXXFLAGS)
 AC_SUBST(X86_SHANI_CXXFLAGS)
+AC_SUBST(ARM_AES_CXXFLAGS)
 AC_SUBST(ARM_CRC_CXXFLAGS)
 AC_SUBST(ARM_SHANI_CXXFLAGS)
 AC_SUBST(LIBTOOL_APP_LDFLAGS)
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -95,6 +95,10 @@ if ENABLE_AVX2
 LIBBITCOIN_CRYPTO_AVX2 = crypto/libbitcoin_crypto_avx2.la
 LIBBITCOIN_CRYPTO += $(LIBBITCOIN_CRYPTO_AVX2)
 endif
+if ENABLE_ARM_AES
+LIBBITCOIN_CRYPTO_ARM_AES = crypto/libbitcoin_crypto_arm_aes.la
+LIBBITCOIN_CRYPTO += $(LIBBITCOIN_CRYPTO_ARM_AES)
+endif
 if ENABLE_ARM_SHANI
 LIBBITCOIN_CRYPTO_ARM_SHANI = crypto/libbitcoin_crypto_arm_shani.la
 LIBBITCOIN_CRYPTO += $(LIBBITCOIN_CRYPTO_ARM_SHANI)
@@ -773,6 +777,16 @@ crypto_libbitcoin_crypto_sph_la_SOURCES = \
   crypto/x11/util/consts_aes.hpp \
   crypto/x11/util/util.hpp
 
+# See explanation for -static in crypto_libbitcoin_crypto_base_la's LDFLAGS and
+# CXXFLAGS above
+crypto_libbitcoin_crypto_arm_aes_la_LDFLAGS = $(AM_LDFLAGS) -static
+crypto_libbitcoin_crypto_arm_aes_la_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS) -static
+crypto_libbitcoin_crypto_arm_aes_la_CPPFLAGS = $(AM_CPPFLAGS)
+crypto_libbitcoin_crypto_arm_aes_la_CXXFLAGS += $(ARM_AES_CXXFLAGS)
+crypto_libbitcoin_crypto_arm_aes_la_CPPFLAGS += -DENABLE_ARM_AES
+crypto_libbitcoin_crypto_arm_aes_la_SOURCES = \
+  crypto/x11/arm_crypto/aes.cpp
+
 # See explanation for -static in crypto_libbitcoin_crypto_base_la's LDFLAGS and
 # CXXFLAGS above
 crypto_libbitcoin_crypto_ssse3_la_LDFLAGS = $(AM_LDFLAGS) -static
diff --git a/src/crypto/x11/arm_crypto/aes.cpp b/src/crypto/x11/arm_crypto/aes.cpp
@@ -0,0 +1,31 @@
+// Copyright (c) 2025 The Dash Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#if defined(ENABLE_ARM_AES)
+#include <crypto/x11/util/util.hpp>
+
+#include <cstdint>
+
+#include <arm_neon.h>
+
+namespace sapphire {
+namespace arm_crypto_aes {
+void Round(uint32_t x0, uint32_t x1, uint32_t x2, uint32_t x3,
+           uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3,
+           uint32_t& y0, uint32_t& y1, uint32_t& y2, uint32_t& y3)
+{
+    uint8x16_t block = util::aes_round(util::pack_le(x0, x1, x2, x3), util::pack_le(k0, k1, k2, k3));
+    util::unpack_le(block, y0, y1, y2, y3);
+}
+
+void RoundKeyless(uint32_t x0, uint32_t x1, uint32_t x2, uint32_t x3,
+                  uint32_t& y0, uint32_t& y1, uint32_t& y2, uint32_t& y3)
+{
+    uint8x16_t block = util::aes_round_nk(util::pack_le(x0, x1, x2, x3));
+    util::unpack_le(block, y0, y1, y2, y3);
+}
+} // namespace arm_crypto_aes
+} // namespace sapphire
+
+#endif // ENABLE_ARM_AES
diff --git a/src/crypto/x11/dispatch.cpp b/src/crypto/x11/dispatch.cpp
@@ -10,12 +10,39 @@
 
 #if !defined(DISABLE_OPTIMIZED_SHA256)
 #include <compat/cpuid.h>
+
+#if defined(ENABLE_ARM_AES)
+#if defined(__APPLE__)
+#include <sys/sysctl.h>
+#include <sys/types.h>
+#endif // __APPLE__
+
+#if defined(__linux__)
+#include <asm/hwcap.h>
+#include <sys/auxv.h>
+#endif // __linux__
+
+#if defined(_WIN32)
+#include <processthreadsapi.h>
+#include <winnt.h>
+#endif // _WIN32
+#endif // ENABLE_ARM_AES
 #endif // !DISABLE_OPTIMIZED_SHA256
 
-#include <cstdint>
+#include <cstddef>
 
 namespace sapphire {
 #if !defined(DISABLE_OPTIMIZED_SHA256)
+#if defined(ENABLE_ARM_AES)
+namespace arm_crypto_aes {
+void Round(uint32_t x0, uint32_t x1, uint32_t x2, uint32_t x3,
+           uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3,
+           uint32_t& y0, uint32_t& y1, uint32_t& y2, uint32_t& y3);
+void RoundKeyless(uint32_t x0, uint32_t x1, uint32_t x2, uint32_t x3,
+                  uint32_t& y0, uint32_t& y1, uint32_t& y2, uint32_t& y3);
+} // namespace arm_crypto_aes
+#endif // ENABLE_ARM_AES
+
 #if defined(ENABLE_SSSE3)
 namespace ssse3_echo {
 void ShiftAndMix(uint64_t W[16][2]);
@@ -92,5 +119,34 @@ void SapphireAutoDetect()
     }
 #endif // ENABLE_SSSE3
 #endif // HAVE_GETCPUID
+
+#if defined(ENABLE_ARM_AES)
+    bool have_arm_aes = false;
+#if defined(__APPLE__)
+    int val = 0;
+    size_t len = sizeof(val);
+    if (::sysctlbyname("hw.optional.arm.FEAT_AES", &val, &len, nullptr, 0) == 0) {
+        have_arm_aes = val != 0;
+    }
+#endif // __APPLE__
+
+#if defined(__linux__)
+#if defined(__arm__)
+    have_arm_aes = (::getauxval(AT_HWCAP2) & HWCAP2_AES);
+#endif // __arm__
+#if defined(__aarch64__)
+    have_arm_aes = (::getauxval(AT_HWCAP) & HWCAP_AES);
+#endif // __aarch64__
+#endif // __linux__
+
+#if defined(_WIN32)
+    have_arm_aes = ::IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE);
+#endif // _WIN32
+
+    if (have_arm_aes) {
+        aes_round = sapphire::arm_crypto_aes::Round;
+        aes_round_nk = sapphire::arm_crypto_aes::RoundKeyless;
+    }
+#endif // ENABLE_ARM_AES
 #endif // !DISABLE_OPTIMIZED_SHA256
 }
diff --git a/src/crypto/x11/util/util.hpp b/src/crypto/x11/util/util.hpp
@@ -10,6 +10,10 @@
 #if !defined(DISABLE_OPTIMIZED_SHA256)
 #include <attributes.h>
 
+#if defined(ENABLE_ARM_AES)
+#include <arm_neon.h>
+#endif // ENABLE_ARM_AES
+
 #if defined(ENABLE_SSSE3) || (defined(ENABLE_SSE41) && defined(ENABLE_X86_AESNI))
 #include <immintrin.h>
 #endif // ENABLE_SSSE3 || (ENABLE_SSE41 && ENABLE_X86_AESNI)
@@ -26,6 +30,37 @@ constexpr inline uint32_t pack_le(uint8_t b3, uint8_t b2, uint8_t b1, uint8_t b0
 }
 
 #if !defined(DISABLE_OPTIMIZED_SHA256)
+#if defined(ENABLE_ARM_AES)
+uint8x16_t ALWAYS_INLINE Xor(const uint8x16_t& x, const uint8x16_t& y) { return veorq_u8(x, y); }
+
+uint8x16_t ALWAYS_INLINE pack_le(const uint32_t& w0, const uint32_t& w1, const uint32_t& w2, const uint32_t& w3)
+{
+    return vreinterpretq_u8_u32(uint32x4_t{w0, w1, w2, w3});
+}
+
+void ALWAYS_INLINE unpack_le(const uint8x16_t& i, uint32_t& w0, uint32_t& w1, uint32_t& w2, uint32_t& w3)
+{
+    const uint32x4_t r = vreinterpretq_u32_u8(i);
+    w0 = vgetq_lane_u32(r, 0);
+    w1 = vgetq_lane_u32(r, 1);
+    w2 = vgetq_lane_u32(r, 2);
+    w3 = vgetq_lane_u32(r, 3);
+}
+
+uint8x16_t ALWAYS_INLINE aes_round(const uint8x16_t& input, const uint8x16_t& key)
+{
+    // See "Emulating x86 AES Intrinsics on ARMv8-A" by Michael Brase for _mm_aesenc_si128
+    // https://blog.michaelbrase.com/2018/05/08/emulating-x86-aes-intrinsics-on-armv8-a/
+    return Xor(vaesmcq_u8(vaeseq_u8(input, vmovq_n_u8(0))), key);
+}
+
+uint8x16_t ALWAYS_INLINE aes_round_nk(const uint8x16_t& input)
+{
+    // We can skip the XOR when we don't have a key
+    return vaesmcq_u8(vaeseq_u8(input, vmovq_n_u8(0)));
+}
+#endif // ENABLE_ARM_AES
+
 #if defined(ENABLE_SSSE3) || (defined(ENABLE_SSE41) && defined(ENABLE_X86_AESNI))
 __m128i ALWAYS_INLINE Xor(const __m128i& x, const __m128i& y) { return _mm_xor_si128(x, y); }
 
