nx-aes-xcbc.c source code [linux/drivers/crypto/nx/nx-aes-xcbc.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* AES XCBC routines supporting the Power 7+ Nest Accelerators driver
4	*
5	* Copyright (C) 2011-2012 International Business Machines Inc.
6	*
7	* Author: Kent Yoder <yoder1@us.ibm.com>
8	*/
9
10	#include <crypto/internal/hash.h>
11	#include <crypto/aes.h>
12	#include <crypto/algapi.h>
13	#include <linux/module.h>
14	#include <linux/types.h>
15	#include <linux/crypto.h>
16	#include <asm/vio.h>
17
18	#include "nx_csbcpb.h"
19	#include "nx.h"
20
21
22	struct xcbc_state {
23	u8 state[AES_BLOCK_SIZE];
24	unsigned int count;
25	u8 buffer[AES_BLOCK_SIZE];
26	};
27
28	static int nx_xcbc_set_key(struct crypto_shash *desc,
29	const u8 *in_key,
30	unsigned int key_len)
31	{
32	struct nx_crypto_ctx *nx_ctx = crypto_shash_ctx(tfm: desc);
33	struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
34
35	switch (key_len) {
36	case AES_KEYSIZE_128:
37	nx_ctx->ap = &nx_ctx->props[NX_PROPS_AES_128];
38	break;
39	default:
40	return -EINVAL;
41	}
42
43	memcpy(csbcpb->cpb.aes_xcbc.key, in_key, key_len);
44
45	return `0`;
46	}
47
48	/*
49	* Based on RFC 3566, for a zero-length message:
50	*
51	* n = 1
52	* K1 = E(K, 0x01010101010101010101010101010101)
53	* K3 = E(K, 0x03030303030303030303030303030303)
54	* E[0] = 0x00000000000000000000000000000000
55	* M[1] = 0x80000000000000000000000000000000 (0 length message with padding)
56	* E[1] = (K1, M[1] ^ E[0] ^ K3)
57	* Tag = M[1]
58	*/
59	static int nx_xcbc_empty(struct shash_desc desc, u8 out)
60	{
61	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm: &desc->tfm->base);
62	struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
63	struct nx_sg in_sg, out_sg;
64	u8 keys[`2`][AES_BLOCK_SIZE];
65	u8 key[`32`];
66	int rc = `0`;
67	int len;
68
69	/ Change to ECB mode /
70	csbcpb->cpb.hdr.mode = NX_MODE_AES_ECB;
71	memcpy(key, csbcpb->cpb.aes_xcbc.key, AES_BLOCK_SIZE);
72	memcpy(csbcpb->cpb.aes_ecb.key, key, AES_BLOCK_SIZE);
73	NX_CPB_FDM(csbcpb) \|= NX_FDM_ENDE_ENCRYPT;
74
75	/ K1 and K3 base patterns /
76	memset(keys[`0`], `0x01`, sizeof(keys[`0`]));
77	memset(keys[`1`], `0x03`, sizeof(keys[`1`]));
78
79	len = sizeof(keys);
80	/ Generate K1 and K3 encrypting the patterns /
81	in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *) keys, &len,
82	nx_ctx->ap->sglen);
83
84	if (len != sizeof(keys))
85	return -EINVAL;
86
87	out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *) keys, &len,
88	nx_ctx->ap->sglen);
89
90	if (len != sizeof(keys))
91	return -EINVAL;
92
93	nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
94	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
95
96	rc = nx_hcall_sync(ctx: nx_ctx, op: &nx_ctx->op, may_sleep: `0`);
97	if (rc)
98	goto out;
99	atomic_inc(v: &(nx_ctx->stats->aes_ops));
100
101	/ XOr K3 with the padding for a 0 length message /
102	keys[`1`][`0`] ^= `0x80`;
103
104	len = sizeof(keys[`1`]);
105
106	/ Encrypt the final result /
107	memcpy(csbcpb->cpb.aes_ecb.key, keys[`0`], AES_BLOCK_SIZE);
108	in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *) keys[`1`], &len,
109	nx_ctx->ap->sglen);
110
111	if (len != sizeof(keys[`1`]))
112	return -EINVAL;
113
114	len = AES_BLOCK_SIZE;
115	out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len,
116	nx_ctx->ap->sglen);
117
118	if (len != AES_BLOCK_SIZE)
119	return -EINVAL;
120
121	nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
122	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
123
124	rc = nx_hcall_sync(ctx: nx_ctx, op: &nx_ctx->op, may_sleep: `0`);
125	if (rc)
126	goto out;
127	atomic_inc(v: &(nx_ctx->stats->aes_ops));
128
129	out:
130	/ Restore XCBC mode /
131	csbcpb->cpb.hdr.mode = NX_MODE_AES_XCBC_MAC;
132	memcpy(csbcpb->cpb.aes_xcbc.key, key, AES_BLOCK_SIZE);
133	NX_CPB_FDM(csbcpb) &= ~NX_FDM_ENDE_ENCRYPT;
134
135	return rc;
136	}
137
138	static int nx_crypto_ctx_aes_xcbc_init2(struct crypto_tfm *tfm)
139	{
140	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm);
141	struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
142	int err;
143
144	err = nx_crypto_ctx_aes_xcbc_init(tfm);
145	if (err)
146	return err;
147
148	nx_ctx_init(nx_ctx, HCOP_FC_AES);
149
150	NX_CPB_SET_KEY_SIZE(csbcpb, NX_KS_AES_128);
151	csbcpb->cpb.hdr.mode = NX_MODE_AES_XCBC_MAC;
152
153	return `0`;
154	}
155
156	static int nx_xcbc_init(struct shash_desc *desc)
157	{
158	struct xcbc_state *sctx = shash_desc_ctx(desc);
159
160	memset(sctx, `0`, sizeof *sctx);
161
162	return `0`;
163	}
164
165	static int nx_xcbc_update(struct shash_desc *desc,
166	const u8 *data,
167	unsigned int len)
168	{
169	struct xcbc_state *sctx = shash_desc_ctx(desc);
170	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm: &desc->tfm->base);
171	struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
172	struct nx_sg *in_sg;
173	struct nx_sg *out_sg;
174	u32 to_process = `0`, leftover, total;
175	unsigned int max_sg_len;
176	unsigned long irq_flags;
177	int rc = `0`;
178	int data_len;
179
180	spin_lock_irqsave(&nx_ctx->lock, irq_flags);
181
182
183	total = sctx->count + len;
184
185	/ 2 cases for total data len:*
186	* 1: <= AES_BLOCK_SIZE: copy into state, return 0
187	* 2: > AES_BLOCK_SIZE: process X blocks, copy in leftover
188	*/
189	if (total <= AES_BLOCK_SIZE) {
190	memcpy(sctx->buffer + sctx->count, data, len);
191	sctx->count += len;
192	goto out;
193	}
194
195	in_sg = nx_ctx->in_sg;
196	max_sg_len = min_t(u64, nx_driver.of.max_sg_len/sizeof(struct nx_sg),
197	nx_ctx->ap->sglen);
198	max_sg_len = min_t(u64, max_sg_len,
199	nx_ctx->ap->databytelen/NX_PAGE_SIZE);
200
201	data_len = AES_BLOCK_SIZE;
202	out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state,
203	&len, nx_ctx->ap->sglen);
204
205	if (data_len != AES_BLOCK_SIZE) {
206	rc = -EINVAL;
207	goto out;
208	}
209
210	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
211
212	do {
213	to_process = total - to_process;
214	to_process = to_process & ~(AES_BLOCK_SIZE - `1`);
215
216	leftover = total - to_process;
217
218	/ the hardware will not accept a 0 byte operation for this*
219	* algorithm and the operation MUST be finalized to be correct.
220	* So if we happen to get an update that falls on a block sized
221	* boundary, we must save off the last block to finalize with
222	* later. */
223	if (!leftover) {
224	to_process -= AES_BLOCK_SIZE;
225	leftover = AES_BLOCK_SIZE;
226	}
227
228	if (sctx->count) {
229	data_len = sctx->count;
230	in_sg = nx_build_sg_list(nx_ctx->in_sg,
231	(u8 *) sctx->buffer,
232	&data_len,
233	max_sg_len);
234	if (data_len != sctx->count) {
235	rc = -EINVAL;
236	goto out;
237	}
238	}
239
240	data_len = to_process - sctx->count;
241	in_sg = nx_build_sg_list(in_sg,
242	(u8 *) data,
243	&data_len,
244	max_sg_len);
245
246	if (data_len != to_process - sctx->count) {
247	rc = -EINVAL;
248	goto out;
249	}
250
251	nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) *
252	sizeof(struct nx_sg);
253
254	/ we've hit the nx chip previously and we're updating again,*
255	* so copy over the partial digest */
256	if (NX_CPB_FDM(csbcpb) & NX_FDM_CONTINUATION) {
257	memcpy(csbcpb->cpb.aes_xcbc.cv,
258	csbcpb->cpb.aes_xcbc.out_cv_mac,
259	AES_BLOCK_SIZE);
260	}
261
262	NX_CPB_FDM(csbcpb) \|= NX_FDM_INTERMEDIATE;
263	if (!nx_ctx->op.inlen \|\| !nx_ctx->op.outlen) {
264	rc = -EINVAL;
265	goto out;
266	}
267
268	rc = nx_hcall_sync(ctx: nx_ctx, op: &nx_ctx->op, may_sleep: `0`);
269	if (rc)
270	goto out;
271
272	atomic_inc(v: &(nx_ctx->stats->aes_ops));
273
274	/ everything after the first update is continuation /
275	NX_CPB_FDM(csbcpb) \|= NX_FDM_CONTINUATION;
276
277	total -= to_process;
278	data += to_process - sctx->count;
279	sctx->count = `0`;
280	in_sg = nx_ctx->in_sg;
281	} while (leftover > AES_BLOCK_SIZE);
282
283	/ copy the leftover back into the state struct /
284	memcpy(sctx->buffer, data, leftover);
285	sctx->count = leftover;
286
287	out:
288	spin_unlock_irqrestore(lock: &nx_ctx->lock, flags: irq_flags);
289	return rc;
290	}
291
292	static int nx_xcbc_final(struct shash_desc desc, u8 out)
293	{
294	struct xcbc_state *sctx = shash_desc_ctx(desc);
295	struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm: &desc->tfm->base);
296	struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
297	struct nx_sg in_sg, out_sg;
298	unsigned long irq_flags;
299	int rc = `0`;
300	int len;
301
302	spin_lock_irqsave(&nx_ctx->lock, irq_flags);
303
304	if (NX_CPB_FDM(csbcpb) & NX_FDM_CONTINUATION) {
305	/ we've hit the nx chip previously, now we're finalizing,*
306	* so copy over the partial digest */
307	memcpy(csbcpb->cpb.aes_xcbc.cv,
308	csbcpb->cpb.aes_xcbc.out_cv_mac, AES_BLOCK_SIZE);
309	} else if (sctx->count == `0`) {
310	/*
311	* we've never seen an update, so this is a 0 byte op. The
312	* hardware cannot handle a 0 byte op, so just ECB to
313	* generate the hash.
314	*/
315	rc = nx_xcbc_empty(desc, out);
316	goto out;
317	}
318
319	/ final is represented by continuing the operation and indicating that*
320	* this is not an intermediate operation */
321	NX_CPB_FDM(csbcpb) &= ~NX_FDM_INTERMEDIATE;
322
323	len = sctx->count;
324	in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *)sctx->buffer,
325	&len, nx_ctx->ap->sglen);
326
327	if (len != sctx->count) {
328	rc = -EINVAL;
329	goto out;
330	}
331
332	len = AES_BLOCK_SIZE;
333	out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len,
334	nx_ctx->ap->sglen);
335
336	if (len != AES_BLOCK_SIZE) {
337	rc = -EINVAL;
338	goto out;
339	}
340
341	nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
342	nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
343
344	if (!nx_ctx->op.outlen) {
345	rc = -EINVAL;
346	goto out;
347	}
348
349	rc = nx_hcall_sync(ctx: nx_ctx, op: &nx_ctx->op, may_sleep: `0`);
350	if (rc)
351	goto out;
352
353	atomic_inc(v: &(nx_ctx->stats->aes_ops));
354
355	memcpy(out, csbcpb->cpb.aes_xcbc.out_cv_mac, AES_BLOCK_SIZE);
356	out:
357	spin_unlock_irqrestore(lock: &nx_ctx->lock, flags: irq_flags);
358	return rc;
359	}
360
361	struct shash_alg nx_shash_aes_xcbc_alg = {
362	.digestsize = AES_BLOCK_SIZE,
363	.init = nx_xcbc_init,
364	.update = nx_xcbc_update,
365	.final = nx_xcbc_final,
366	.setkey = nx_xcbc_set_key,
367	.descsize = sizeof(struct xcbc_state),
368	.statesize = sizeof(struct xcbc_state),
369	.base = {
370	.cra_name = "xcbc(aes)",
371	.cra_driver_name = "xcbc-aes-nx",
372	.cra_priority = `300`,
373	.cra_blocksize = AES_BLOCK_SIZE,
374	.cra_module = THIS_MODULE,
375	.cra_ctxsize = sizeof(struct nx_crypto_ctx),
376	.cra_init = nx_crypto_ctx_aes_xcbc_init2,
377	.cra_exit = nx_crypto_ctx_exit,
378	}
379	};
380

source code of linux/drivers/crypto/nx/nx-aes-xcbc.c