1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * AES XCBC routines supporting the Power 7+ Nest Accelerators driver
4 *
5 * Copyright (C) 2011-2012 International Business Machines Inc.
6 *
7 * Author: Kent Yoder <yoder1@us.ibm.com>
8 */
9
10 #include <crypto/internal/hash.h>
11 #include <crypto/aes.h>
12 #include <crypto/algapi.h>
13 #include <linux/module.h>
14 #include <linux/types.h>
15 #include <linux/crypto.h>
16 #include <asm/vio.h>
17
18 #include "nx_csbcpb.h"
19 #include "nx.h"
20
21
22 struct xcbc_state {
23 u8 state[AES_BLOCK_SIZE];
24 unsigned int count;
25 u8 buffer[AES_BLOCK_SIZE];
26 };
27
nx_xcbc_set_key(struct crypto_shash * desc,const u8 * in_key,unsigned int key_len)28 static int nx_xcbc_set_key(struct crypto_shash *desc,
29 const u8 *in_key,
30 unsigned int key_len)
31 {
32 struct nx_crypto_ctx *nx_ctx = crypto_shash_ctx(desc);
33 struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
34
35 switch (key_len) {
36 case AES_KEYSIZE_128:
37 nx_ctx->ap = &nx_ctx->props[NX_PROPS_AES_128];
38 break;
39 default:
40 return -EINVAL;
41 }
42
43 memcpy(csbcpb->cpb.aes_xcbc.key, in_key, key_len);
44
45 return 0;
46 }
47
48 /*
49 * Based on RFC 3566, for a zero-length message:
50 *
51 * n = 1
52 * K1 = E(K, 0x01010101010101010101010101010101)
53 * K3 = E(K, 0x03030303030303030303030303030303)
54 * E[0] = 0x00000000000000000000000000000000
55 * M[1] = 0x80000000000000000000000000000000 (0 length message with padding)
56 * E[1] = (K1, M[1] ^ E[0] ^ K3)
57 * Tag = M[1]
58 */
nx_xcbc_empty(struct shash_desc * desc,u8 * out)59 static int nx_xcbc_empty(struct shash_desc *desc, u8 *out)
60 {
61 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
62 struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
63 struct nx_sg *in_sg, *out_sg;
64 u8 keys[2][AES_BLOCK_SIZE];
65 u8 key[32];
66 int rc = 0;
67 int len;
68
69 /* Change to ECB mode */
70 csbcpb->cpb.hdr.mode = NX_MODE_AES_ECB;
71 memcpy(key, csbcpb->cpb.aes_xcbc.key, AES_BLOCK_SIZE);
72 memcpy(csbcpb->cpb.aes_ecb.key, key, AES_BLOCK_SIZE);
73 NX_CPB_FDM(csbcpb) |= NX_FDM_ENDE_ENCRYPT;
74
75 /* K1 and K3 base patterns */
76 memset(keys[0], 0x01, sizeof(keys[0]));
77 memset(keys[1], 0x03, sizeof(keys[1]));
78
79 len = sizeof(keys);
80 /* Generate K1 and K3 encrypting the patterns */
81 in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *) keys, &len,
82 nx_ctx->ap->sglen);
83
84 if (len != sizeof(keys))
85 return -EINVAL;
86
87 out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *) keys, &len,
88 nx_ctx->ap->sglen);
89
90 if (len != sizeof(keys))
91 return -EINVAL;
92
93 nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
94 nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
95
96 rc = nx_hcall_sync(nx_ctx, &nx_ctx->op, 0);
97 if (rc)
98 goto out;
99 atomic_inc(&(nx_ctx->stats->aes_ops));
100
101 /* XOr K3 with the padding for a 0 length message */
102 keys[1][0] ^= 0x80;
103
104 len = sizeof(keys[1]);
105
106 /* Encrypt the final result */
107 memcpy(csbcpb->cpb.aes_ecb.key, keys[0], AES_BLOCK_SIZE);
108 in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *) keys[1], &len,
109 nx_ctx->ap->sglen);
110
111 if (len != sizeof(keys[1]))
112 return -EINVAL;
113
114 len = AES_BLOCK_SIZE;
115 out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len,
116 nx_ctx->ap->sglen);
117
118 if (len != AES_BLOCK_SIZE)
119 return -EINVAL;
120
121 nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
122 nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
123
124 rc = nx_hcall_sync(nx_ctx, &nx_ctx->op, 0);
125 if (rc)
126 goto out;
127 atomic_inc(&(nx_ctx->stats->aes_ops));
128
129 out:
130 /* Restore XCBC mode */
131 csbcpb->cpb.hdr.mode = NX_MODE_AES_XCBC_MAC;
132 memcpy(csbcpb->cpb.aes_xcbc.key, key, AES_BLOCK_SIZE);
133 NX_CPB_FDM(csbcpb) &= ~NX_FDM_ENDE_ENCRYPT;
134
135 return rc;
136 }
137
nx_crypto_ctx_aes_xcbc_init2(struct crypto_tfm * tfm)138 static int nx_crypto_ctx_aes_xcbc_init2(struct crypto_tfm *tfm)
139 {
140 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm);
141 struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
142 int err;
143
144 err = nx_crypto_ctx_aes_xcbc_init(tfm);
145 if (err)
146 return err;
147
148 nx_ctx_init(nx_ctx, HCOP_FC_AES);
149
150 NX_CPB_SET_KEY_SIZE(csbcpb, NX_KS_AES_128);
151 csbcpb->cpb.hdr.mode = NX_MODE_AES_XCBC_MAC;
152
153 return 0;
154 }
155
nx_xcbc_init(struct shash_desc * desc)156 static int nx_xcbc_init(struct shash_desc *desc)
157 {
158 struct xcbc_state *sctx = shash_desc_ctx(desc);
159
160 memset(sctx, 0, sizeof *sctx);
161
162 return 0;
163 }
164
nx_xcbc_update(struct shash_desc * desc,const u8 * data,unsigned int len)165 static int nx_xcbc_update(struct shash_desc *desc,
166 const u8 *data,
167 unsigned int len)
168 {
169 struct xcbc_state *sctx = shash_desc_ctx(desc);
170 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
171 struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
172 struct nx_sg *in_sg;
173 struct nx_sg *out_sg;
174 u32 to_process = 0, leftover, total;
175 unsigned int max_sg_len;
176 unsigned long irq_flags;
177 int rc = 0;
178 int data_len;
179
180 spin_lock_irqsave(&nx_ctx->lock, irq_flags);
181
182
183 total = sctx->count + len;
184
185 /* 2 cases for total data len:
186 * 1: <= AES_BLOCK_SIZE: copy into state, return 0
187 * 2: > AES_BLOCK_SIZE: process X blocks, copy in leftover
188 */
189 if (total <= AES_BLOCK_SIZE) {
190 memcpy(sctx->buffer + sctx->count, data, len);
191 sctx->count += len;
192 goto out;
193 }
194
195 in_sg = nx_ctx->in_sg;
196 max_sg_len = min_t(u64, nx_driver.of.max_sg_len/sizeof(struct nx_sg),
197 nx_ctx->ap->sglen);
198 max_sg_len = min_t(u64, max_sg_len,
199 nx_ctx->ap->databytelen/NX_PAGE_SIZE);
200
201 data_len = AES_BLOCK_SIZE;
202 out_sg = nx_build_sg_list(nx_ctx->out_sg, (u8 *)sctx->state,
203 &len, nx_ctx->ap->sglen);
204
205 if (data_len != AES_BLOCK_SIZE) {
206 rc = -EINVAL;
207 goto out;
208 }
209
210 nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
211
212 do {
213 to_process = total - to_process;
214 to_process = to_process & ~(AES_BLOCK_SIZE - 1);
215
216 leftover = total - to_process;
217
218 /* the hardware will not accept a 0 byte operation for this
219 * algorithm and the operation MUST be finalized to be correct.
220 * So if we happen to get an update that falls on a block sized
221 * boundary, we must save off the last block to finalize with
222 * later. */
223 if (!leftover) {
224 to_process -= AES_BLOCK_SIZE;
225 leftover = AES_BLOCK_SIZE;
226 }
227
228 if (sctx->count) {
229 data_len = sctx->count;
230 in_sg = nx_build_sg_list(nx_ctx->in_sg,
231 (u8 *) sctx->buffer,
232 &data_len,
233 max_sg_len);
234 if (data_len != sctx->count) {
235 rc = -EINVAL;
236 goto out;
237 }
238 }
239
240 data_len = to_process - sctx->count;
241 in_sg = nx_build_sg_list(in_sg,
242 (u8 *) data,
243 &data_len,
244 max_sg_len);
245
246 if (data_len != to_process - sctx->count) {
247 rc = -EINVAL;
248 goto out;
249 }
250
251 nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) *
252 sizeof(struct nx_sg);
253
254 /* we've hit the nx chip previously and we're updating again,
255 * so copy over the partial digest */
256 if (NX_CPB_FDM(csbcpb) & NX_FDM_CONTINUATION) {
257 memcpy(csbcpb->cpb.aes_xcbc.cv,
258 csbcpb->cpb.aes_xcbc.out_cv_mac,
259 AES_BLOCK_SIZE);
260 }
261
262 NX_CPB_FDM(csbcpb) |= NX_FDM_INTERMEDIATE;
263 if (!nx_ctx->op.inlen || !nx_ctx->op.outlen) {
264 rc = -EINVAL;
265 goto out;
266 }
267
268 rc = nx_hcall_sync(nx_ctx, &nx_ctx->op, 0);
269 if (rc)
270 goto out;
271
272 atomic_inc(&(nx_ctx->stats->aes_ops));
273
274 /* everything after the first update is continuation */
275 NX_CPB_FDM(csbcpb) |= NX_FDM_CONTINUATION;
276
277 total -= to_process;
278 data += to_process - sctx->count;
279 sctx->count = 0;
280 in_sg = nx_ctx->in_sg;
281 } while (leftover > AES_BLOCK_SIZE);
282
283 /* copy the leftover back into the state struct */
284 memcpy(sctx->buffer, data, leftover);
285 sctx->count = leftover;
286
287 out:
288 spin_unlock_irqrestore(&nx_ctx->lock, irq_flags);
289 return rc;
290 }
291
nx_xcbc_final(struct shash_desc * desc,u8 * out)292 static int nx_xcbc_final(struct shash_desc *desc, u8 *out)
293 {
294 struct xcbc_state *sctx = shash_desc_ctx(desc);
295 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&desc->tfm->base);
296 struct nx_csbcpb *csbcpb = nx_ctx->csbcpb;
297 struct nx_sg *in_sg, *out_sg;
298 unsigned long irq_flags;
299 int rc = 0;
300 int len;
301
302 spin_lock_irqsave(&nx_ctx->lock, irq_flags);
303
304 if (NX_CPB_FDM(csbcpb) & NX_FDM_CONTINUATION) {
305 /* we've hit the nx chip previously, now we're finalizing,
306 * so copy over the partial digest */
307 memcpy(csbcpb->cpb.aes_xcbc.cv,
308 csbcpb->cpb.aes_xcbc.out_cv_mac, AES_BLOCK_SIZE);
309 } else if (sctx->count == 0) {
310 /*
311 * we've never seen an update, so this is a 0 byte op. The
312 * hardware cannot handle a 0 byte op, so just ECB to
313 * generate the hash.
314 */
315 rc = nx_xcbc_empty(desc, out);
316 goto out;
317 }
318
319 /* final is represented by continuing the operation and indicating that
320 * this is not an intermediate operation */
321 NX_CPB_FDM(csbcpb) &= ~NX_FDM_INTERMEDIATE;
322
323 len = sctx->count;
324 in_sg = nx_build_sg_list(nx_ctx->in_sg, (u8 *)sctx->buffer,
325 &len, nx_ctx->ap->sglen);
326
327 if (len != sctx->count) {
328 rc = -EINVAL;
329 goto out;
330 }
331
332 len = AES_BLOCK_SIZE;
333 out_sg = nx_build_sg_list(nx_ctx->out_sg, out, &len,
334 nx_ctx->ap->sglen);
335
336 if (len != AES_BLOCK_SIZE) {
337 rc = -EINVAL;
338 goto out;
339 }
340
341 nx_ctx->op.inlen = (nx_ctx->in_sg - in_sg) * sizeof(struct nx_sg);
342 nx_ctx->op.outlen = (nx_ctx->out_sg - out_sg) * sizeof(struct nx_sg);
343
344 if (!nx_ctx->op.outlen) {
345 rc = -EINVAL;
346 goto out;
347 }
348
349 rc = nx_hcall_sync(nx_ctx, &nx_ctx->op, 0);
350 if (rc)
351 goto out;
352
353 atomic_inc(&(nx_ctx->stats->aes_ops));
354
355 memcpy(out, csbcpb->cpb.aes_xcbc.out_cv_mac, AES_BLOCK_SIZE);
356 out:
357 spin_unlock_irqrestore(&nx_ctx->lock, irq_flags);
358 return rc;
359 }
360
361 struct shash_alg nx_shash_aes_xcbc_alg = {
362 .digestsize = AES_BLOCK_SIZE,
363 .init = nx_xcbc_init,
364 .update = nx_xcbc_update,
365 .final = nx_xcbc_final,
366 .setkey = nx_xcbc_set_key,
367 .descsize = sizeof(struct xcbc_state),
368 .statesize = sizeof(struct xcbc_state),
369 .base = {
370 .cra_name = "xcbc(aes)",
371 .cra_driver_name = "xcbc-aes-nx",
372 .cra_priority = 300,
373 .cra_blocksize = AES_BLOCK_SIZE,
374 .cra_module = THIS_MODULE,
375 .cra_ctxsize = sizeof(struct nx_crypto_ctx),
376 .cra_init = nx_crypto_ctx_aes_xcbc_init2,
377 .cra_exit = nx_crypto_ctx_exit,
378 }
379 };
380