1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * aes-ce-cipher.c - core AES cipher using ARMv8 Crypto Extensions |
4 | * |
5 | * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org> |
6 | */ |
7 | |
8 | #include <asm/neon.h> |
9 | #include <asm/simd.h> |
10 | #include <asm/unaligned.h> |
11 | #include <crypto/aes.h> |
12 | #include <crypto/algapi.h> |
13 | #include <crypto/internal/simd.h> |
14 | #include <linux/cpufeature.h> |
15 | #include <linux/module.h> |
16 | |
17 | #include "aes-ce-setkey.h" |
18 | |
19 | MODULE_DESCRIPTION("Synchronous AES cipher using ARMv8 Crypto Extensions" ); |
20 | MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>" ); |
21 | MODULE_LICENSE("GPL v2" ); |
22 | |
23 | struct aes_block { |
24 | u8 b[AES_BLOCK_SIZE]; |
25 | }; |
26 | |
27 | asmlinkage void __aes_ce_encrypt(u32 *rk, u8 *out, const u8 *in, int rounds); |
28 | asmlinkage void __aes_ce_decrypt(u32 *rk, u8 *out, const u8 *in, int rounds); |
29 | |
30 | asmlinkage u32 __aes_ce_sub(u32 l); |
31 | asmlinkage void __aes_ce_invert(struct aes_block *out, |
32 | const struct aes_block *in); |
33 | |
34 | static int num_rounds(struct crypto_aes_ctx *ctx) |
35 | { |
36 | /* |
37 | * # of rounds specified by AES: |
38 | * 128 bit key 10 rounds |
39 | * 192 bit key 12 rounds |
40 | * 256 bit key 14 rounds |
41 | * => n byte key => 6 + (n/4) rounds |
42 | */ |
43 | return 6 + ctx->key_length / 4; |
44 | } |
45 | |
46 | static void aes_cipher_encrypt(struct crypto_tfm *tfm, u8 dst[], u8 const src[]) |
47 | { |
48 | struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); |
49 | |
50 | if (!crypto_simd_usable()) { |
51 | aes_encrypt(ctx, out: dst, in: src); |
52 | return; |
53 | } |
54 | |
55 | kernel_neon_begin(); |
56 | __aes_ce_encrypt(rk: ctx->key_enc, out: dst, in: src, rounds: num_rounds(ctx)); |
57 | kernel_neon_end(); |
58 | } |
59 | |
60 | static void aes_cipher_decrypt(struct crypto_tfm *tfm, u8 dst[], u8 const src[]) |
61 | { |
62 | struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); |
63 | |
64 | if (!crypto_simd_usable()) { |
65 | aes_decrypt(ctx, out: dst, in: src); |
66 | return; |
67 | } |
68 | |
69 | kernel_neon_begin(); |
70 | __aes_ce_decrypt(rk: ctx->key_dec, out: dst, in: src, rounds: num_rounds(ctx)); |
71 | kernel_neon_end(); |
72 | } |
73 | |
74 | int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, |
75 | unsigned int key_len) |
76 | { |
77 | /* |
78 | * The AES key schedule round constants |
79 | */ |
80 | static u8 const rcon[] = { |
81 | 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, |
82 | }; |
83 | |
84 | u32 kwords = key_len / sizeof(u32); |
85 | struct aes_block *key_enc, *key_dec; |
86 | int i, j; |
87 | |
88 | if (key_len != AES_KEYSIZE_128 && |
89 | key_len != AES_KEYSIZE_192 && |
90 | key_len != AES_KEYSIZE_256) |
91 | return -EINVAL; |
92 | |
93 | ctx->key_length = key_len; |
94 | for (i = 0; i < kwords; i++) |
95 | ctx->key_enc[i] = get_unaligned_le32(p: in_key + i * sizeof(u32)); |
96 | |
97 | kernel_neon_begin(); |
98 | for (i = 0; i < sizeof(rcon); i++) { |
99 | u32 *rki = ctx->key_enc + (i * kwords); |
100 | u32 *rko = rki + kwords; |
101 | |
102 | rko[0] = ror32(word: __aes_ce_sub(l: rki[kwords - 1]), shift: 8) ^ rcon[i] ^ rki[0]; |
103 | rko[1] = rko[0] ^ rki[1]; |
104 | rko[2] = rko[1] ^ rki[2]; |
105 | rko[3] = rko[2] ^ rki[3]; |
106 | |
107 | if (key_len == AES_KEYSIZE_192) { |
108 | if (i >= 7) |
109 | break; |
110 | rko[4] = rko[3] ^ rki[4]; |
111 | rko[5] = rko[4] ^ rki[5]; |
112 | } else if (key_len == AES_KEYSIZE_256) { |
113 | if (i >= 6) |
114 | break; |
115 | rko[4] = __aes_ce_sub(l: rko[3]) ^ rki[4]; |
116 | rko[5] = rko[4] ^ rki[5]; |
117 | rko[6] = rko[5] ^ rki[6]; |
118 | rko[7] = rko[6] ^ rki[7]; |
119 | } |
120 | } |
121 | |
122 | /* |
123 | * Generate the decryption keys for the Equivalent Inverse Cipher. |
124 | * This involves reversing the order of the round keys, and applying |
125 | * the Inverse Mix Columns transformation on all but the first and |
126 | * the last one. |
127 | */ |
128 | key_enc = (struct aes_block *)ctx->key_enc; |
129 | key_dec = (struct aes_block *)ctx->key_dec; |
130 | j = num_rounds(ctx); |
131 | |
132 | key_dec[0] = key_enc[j]; |
133 | for (i = 1, j--; j > 0; i++, j--) |
134 | __aes_ce_invert(out: key_dec + i, in: key_enc + j); |
135 | key_dec[i] = key_enc[0]; |
136 | |
137 | kernel_neon_end(); |
138 | return 0; |
139 | } |
140 | EXPORT_SYMBOL(ce_aes_expandkey); |
141 | |
142 | int ce_aes_setkey(struct crypto_tfm *tfm, const u8 *in_key, |
143 | unsigned int key_len) |
144 | { |
145 | struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); |
146 | |
147 | return ce_aes_expandkey(ctx, in_key, key_len); |
148 | } |
149 | EXPORT_SYMBOL(ce_aes_setkey); |
150 | |
151 | static struct crypto_alg aes_alg = { |
152 | .cra_name = "aes" , |
153 | .cra_driver_name = "aes-ce" , |
154 | .cra_priority = 250, |
155 | .cra_flags = CRYPTO_ALG_TYPE_CIPHER, |
156 | .cra_blocksize = AES_BLOCK_SIZE, |
157 | .cra_ctxsize = sizeof(struct crypto_aes_ctx), |
158 | .cra_module = THIS_MODULE, |
159 | .cra_cipher = { |
160 | .cia_min_keysize = AES_MIN_KEY_SIZE, |
161 | .cia_max_keysize = AES_MAX_KEY_SIZE, |
162 | .cia_setkey = ce_aes_setkey, |
163 | .cia_encrypt = aes_cipher_encrypt, |
164 | .cia_decrypt = aes_cipher_decrypt |
165 | } |
166 | }; |
167 | |
168 | static int __init aes_mod_init(void) |
169 | { |
170 | return crypto_register_alg(alg: &aes_alg); |
171 | } |
172 | |
173 | static void __exit aes_mod_exit(void) |
174 | { |
175 | crypto_unregister_alg(alg: &aes_alg); |
176 | } |
177 | |
178 | module_cpu_feature_match(AES, aes_mod_init); |
179 | module_exit(aes_mod_exit); |
180 | |