1d2912cb1SThomas Gleixner // SPDX-License-Identifier: GPL-2.0-only 21abee99eSArd Biesheuvel /* 31abee99eSArd Biesheuvel * Bit sliced AES using NEON instructions 41abee99eSArd Biesheuvel * 5ec808bbeSArd Biesheuvel * Copyright (C) 2016 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org> 61abee99eSArd Biesheuvel */ 71abee99eSArd Biesheuvel 81abee99eSArd Biesheuvel #include <asm/neon.h> 9ec808bbeSArd Biesheuvel #include <asm/simd.h> 101abee99eSArd Biesheuvel #include <crypto/aes.h> 11ff6f4115SArd Biesheuvel #include <crypto/ctr.h> 121abee99eSArd Biesheuvel #include <crypto/internal/simd.h> 131abee99eSArd Biesheuvel #include <crypto/internal/skcipher.h> 14*67cfa5d3SArd Biesheuvel #include <crypto/scatterwalk.h> 151abee99eSArd Biesheuvel #include <crypto/xts.h> 161abee99eSArd Biesheuvel #include <linux/module.h> 171abee99eSArd Biesheuvel 181abee99eSArd Biesheuvel MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 191abee99eSArd Biesheuvel MODULE_LICENSE("GPL v2"); 201abee99eSArd Biesheuvel 211abee99eSArd Biesheuvel MODULE_ALIAS_CRYPTO("ecb(aes)"); 221abee99eSArd Biesheuvel MODULE_ALIAS_CRYPTO("cbc(aes)"); 231abee99eSArd Biesheuvel MODULE_ALIAS_CRYPTO("ctr(aes)"); 241abee99eSArd Biesheuvel MODULE_ALIAS_CRYPTO("xts(aes)"); 251abee99eSArd Biesheuvel 261abee99eSArd Biesheuvel asmlinkage void aesbs_convert_key(u8 out[], u32 const rk[], int rounds); 271abee99eSArd Biesheuvel 281abee99eSArd Biesheuvel asmlinkage void aesbs_ecb_encrypt(u8 out[], u8 const in[], u8 const rk[], 291abee99eSArd Biesheuvel int rounds, int blocks); 301abee99eSArd Biesheuvel asmlinkage void aesbs_ecb_decrypt(u8 out[], u8 const in[], u8 const rk[], 311abee99eSArd Biesheuvel int rounds, int blocks); 321abee99eSArd Biesheuvel 331abee99eSArd Biesheuvel asmlinkage void aesbs_cbc_decrypt(u8 out[], u8 const in[], u8 const rk[], 341abee99eSArd Biesheuvel int rounds, int blocks, u8 iv[]); 351abee99eSArd Biesheuvel 361abee99eSArd Biesheuvel asmlinkage void aesbs_ctr_encrypt(u8 out[], u8 const in[], u8 const rk[], 3788a3f582SArd Biesheuvel int rounds, int blocks, u8 iv[], u8 final[]); 381abee99eSArd Biesheuvel 391abee99eSArd Biesheuvel asmlinkage void aesbs_xts_encrypt(u8 out[], u8 const in[], u8 const rk[], 401abee99eSArd Biesheuvel int rounds, int blocks, u8 iv[]); 411abee99eSArd Biesheuvel asmlinkage void aesbs_xts_decrypt(u8 out[], u8 const in[], u8 const rk[], 421abee99eSArd Biesheuvel int rounds, int blocks, u8 iv[]); 431abee99eSArd Biesheuvel 4412fcd923SArd Biesheuvel /* borrowed from aes-neon-blk.ko */ 4512fcd923SArd Biesheuvel asmlinkage void neon_aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[], 4668338174SArd Biesheuvel int rounds, int blocks); 4712fcd923SArd Biesheuvel asmlinkage void neon_aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[], 4868338174SArd Biesheuvel int rounds, int blocks, u8 iv[]); 49*67cfa5d3SArd Biesheuvel asmlinkage void neon_aes_xts_encrypt(u8 out[], u8 const in[], 50*67cfa5d3SArd Biesheuvel u32 const rk1[], int rounds, int bytes, 51*67cfa5d3SArd Biesheuvel u32 const rk2[], u8 iv[], int first); 52*67cfa5d3SArd Biesheuvel asmlinkage void neon_aes_xts_decrypt(u8 out[], u8 const in[], 53*67cfa5d3SArd Biesheuvel u32 const rk1[], int rounds, int bytes, 54*67cfa5d3SArd Biesheuvel u32 const rk2[], u8 iv[], int first); 551abee99eSArd Biesheuvel 561abee99eSArd Biesheuvel struct aesbs_ctx { 571abee99eSArd Biesheuvel u8 rk[13 * (8 * AES_BLOCK_SIZE) + 32]; 581abee99eSArd Biesheuvel int rounds; 591abee99eSArd Biesheuvel } __aligned(AES_BLOCK_SIZE); 601abee99eSArd Biesheuvel 611abee99eSArd Biesheuvel struct aesbs_cbc_ctx { 621abee99eSArd Biesheuvel struct aesbs_ctx key; 631abee99eSArd Biesheuvel u32 enc[AES_MAX_KEYLENGTH_U32]; 641abee99eSArd Biesheuvel }; 651abee99eSArd Biesheuvel 66ec808bbeSArd Biesheuvel struct aesbs_ctr_ctx { 67ec808bbeSArd Biesheuvel struct aesbs_ctx key; /* must be first member */ 68ec808bbeSArd Biesheuvel struct crypto_aes_ctx fallback; 69ec808bbeSArd Biesheuvel }; 70ec808bbeSArd Biesheuvel 711abee99eSArd Biesheuvel struct aesbs_xts_ctx { 721abee99eSArd Biesheuvel struct aesbs_ctx key; 731abee99eSArd Biesheuvel u32 twkey[AES_MAX_KEYLENGTH_U32]; 74*67cfa5d3SArd Biesheuvel struct crypto_aes_ctx cts; 751abee99eSArd Biesheuvel }; 761abee99eSArd Biesheuvel 771abee99eSArd Biesheuvel static int aesbs_setkey(struct crypto_skcipher *tfm, const u8 *in_key, 781abee99eSArd Biesheuvel unsigned int key_len) 791abee99eSArd Biesheuvel { 801abee99eSArd Biesheuvel struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm); 811abee99eSArd Biesheuvel struct crypto_aes_ctx rk; 821abee99eSArd Biesheuvel int err; 831abee99eSArd Biesheuvel 84f68df543SArd Biesheuvel err = aes_expandkey(&rk, in_key, key_len); 851abee99eSArd Biesheuvel if (err) 861abee99eSArd Biesheuvel return err; 871abee99eSArd Biesheuvel 881abee99eSArd Biesheuvel ctx->rounds = 6 + key_len / 4; 891abee99eSArd Biesheuvel 901abee99eSArd Biesheuvel kernel_neon_begin(); 911abee99eSArd Biesheuvel aesbs_convert_key(ctx->rk, rk.key_enc, ctx->rounds); 921abee99eSArd Biesheuvel kernel_neon_end(); 931abee99eSArd Biesheuvel 941abee99eSArd Biesheuvel return 0; 951abee99eSArd Biesheuvel } 961abee99eSArd Biesheuvel 971abee99eSArd Biesheuvel static int __ecb_crypt(struct skcipher_request *req, 981abee99eSArd Biesheuvel void (*fn)(u8 out[], u8 const in[], u8 const rk[], 991abee99eSArd Biesheuvel int rounds, int blocks)) 1001abee99eSArd Biesheuvel { 1011abee99eSArd Biesheuvel struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 1021abee99eSArd Biesheuvel struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm); 1031abee99eSArd Biesheuvel struct skcipher_walk walk; 1041abee99eSArd Biesheuvel int err; 1051abee99eSArd Biesheuvel 10678ad7b08SArd Biesheuvel err = skcipher_walk_virt(&walk, req, false); 1071abee99eSArd Biesheuvel 1081abee99eSArd Biesheuvel while (walk.nbytes >= AES_BLOCK_SIZE) { 1091abee99eSArd Biesheuvel unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; 1101abee99eSArd Biesheuvel 1111abee99eSArd Biesheuvel if (walk.nbytes < walk.total) 1121abee99eSArd Biesheuvel blocks = round_down(blocks, 1131abee99eSArd Biesheuvel walk.stride / AES_BLOCK_SIZE); 1141abee99eSArd Biesheuvel 11578ad7b08SArd Biesheuvel kernel_neon_begin(); 1161abee99eSArd Biesheuvel fn(walk.dst.virt.addr, walk.src.virt.addr, ctx->rk, 1171abee99eSArd Biesheuvel ctx->rounds, blocks); 11878ad7b08SArd Biesheuvel kernel_neon_end(); 1191abee99eSArd Biesheuvel err = skcipher_walk_done(&walk, 1201abee99eSArd Biesheuvel walk.nbytes - blocks * AES_BLOCK_SIZE); 1211abee99eSArd Biesheuvel } 1221abee99eSArd Biesheuvel 1231abee99eSArd Biesheuvel return err; 1241abee99eSArd Biesheuvel } 1251abee99eSArd Biesheuvel 1261abee99eSArd Biesheuvel static int ecb_encrypt(struct skcipher_request *req) 1271abee99eSArd Biesheuvel { 1281abee99eSArd Biesheuvel return __ecb_crypt(req, aesbs_ecb_encrypt); 1291abee99eSArd Biesheuvel } 1301abee99eSArd Biesheuvel 1311abee99eSArd Biesheuvel static int ecb_decrypt(struct skcipher_request *req) 1321abee99eSArd Biesheuvel { 1331abee99eSArd Biesheuvel return __ecb_crypt(req, aesbs_ecb_decrypt); 1341abee99eSArd Biesheuvel } 1351abee99eSArd Biesheuvel 1361abee99eSArd Biesheuvel static int aesbs_cbc_setkey(struct crypto_skcipher *tfm, const u8 *in_key, 1371abee99eSArd Biesheuvel unsigned int key_len) 1381abee99eSArd Biesheuvel { 1391abee99eSArd Biesheuvel struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm); 1401abee99eSArd Biesheuvel struct crypto_aes_ctx rk; 1411abee99eSArd Biesheuvel int err; 1421abee99eSArd Biesheuvel 143f68df543SArd Biesheuvel err = aes_expandkey(&rk, in_key, key_len); 1441abee99eSArd Biesheuvel if (err) 1451abee99eSArd Biesheuvel return err; 1461abee99eSArd Biesheuvel 1471abee99eSArd Biesheuvel ctx->key.rounds = 6 + key_len / 4; 1481abee99eSArd Biesheuvel 1491abee99eSArd Biesheuvel memcpy(ctx->enc, rk.key_enc, sizeof(ctx->enc)); 1501abee99eSArd Biesheuvel 1511abee99eSArd Biesheuvel kernel_neon_begin(); 1521abee99eSArd Biesheuvel aesbs_convert_key(ctx->key.rk, rk.key_enc, ctx->key.rounds); 1531abee99eSArd Biesheuvel kernel_neon_end(); 1541abee99eSArd Biesheuvel 1551abee99eSArd Biesheuvel return 0; 1561abee99eSArd Biesheuvel } 1571abee99eSArd Biesheuvel 1581abee99eSArd Biesheuvel static int cbc_encrypt(struct skcipher_request *req) 1591abee99eSArd Biesheuvel { 16012fcd923SArd Biesheuvel struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 16112fcd923SArd Biesheuvel struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm); 16212fcd923SArd Biesheuvel struct skcipher_walk walk; 16368338174SArd Biesheuvel int err; 16412fcd923SArd Biesheuvel 16578ad7b08SArd Biesheuvel err = skcipher_walk_virt(&walk, req, false); 16612fcd923SArd Biesheuvel 16712fcd923SArd Biesheuvel while (walk.nbytes >= AES_BLOCK_SIZE) { 16812fcd923SArd Biesheuvel unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; 16912fcd923SArd Biesheuvel 17012fcd923SArd Biesheuvel /* fall back to the non-bitsliced NEON implementation */ 17178ad7b08SArd Biesheuvel kernel_neon_begin(); 17212fcd923SArd Biesheuvel neon_aes_cbc_encrypt(walk.dst.virt.addr, walk.src.virt.addr, 17368338174SArd Biesheuvel ctx->enc, ctx->key.rounds, blocks, 17468338174SArd Biesheuvel walk.iv); 17578ad7b08SArd Biesheuvel kernel_neon_end(); 17612fcd923SArd Biesheuvel err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE); 17712fcd923SArd Biesheuvel } 17812fcd923SArd Biesheuvel return err; 1791abee99eSArd Biesheuvel } 1801abee99eSArd Biesheuvel 1811abee99eSArd Biesheuvel static int cbc_decrypt(struct skcipher_request *req) 1821abee99eSArd Biesheuvel { 1831abee99eSArd Biesheuvel struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 1841abee99eSArd Biesheuvel struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm); 1851abee99eSArd Biesheuvel struct skcipher_walk walk; 1861abee99eSArd Biesheuvel int err; 1871abee99eSArd Biesheuvel 18878ad7b08SArd Biesheuvel err = skcipher_walk_virt(&walk, req, false); 1891abee99eSArd Biesheuvel 1901abee99eSArd Biesheuvel while (walk.nbytes >= AES_BLOCK_SIZE) { 1911abee99eSArd Biesheuvel unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; 1921abee99eSArd Biesheuvel 1931abee99eSArd Biesheuvel if (walk.nbytes < walk.total) 1941abee99eSArd Biesheuvel blocks = round_down(blocks, 1951abee99eSArd Biesheuvel walk.stride / AES_BLOCK_SIZE); 1961abee99eSArd Biesheuvel 19778ad7b08SArd Biesheuvel kernel_neon_begin(); 1981abee99eSArd Biesheuvel aesbs_cbc_decrypt(walk.dst.virt.addr, walk.src.virt.addr, 1991abee99eSArd Biesheuvel ctx->key.rk, ctx->key.rounds, blocks, 2001abee99eSArd Biesheuvel walk.iv); 20178ad7b08SArd Biesheuvel kernel_neon_end(); 2021abee99eSArd Biesheuvel err = skcipher_walk_done(&walk, 2031abee99eSArd Biesheuvel walk.nbytes - blocks * AES_BLOCK_SIZE); 2041abee99eSArd Biesheuvel } 2051abee99eSArd Biesheuvel 2061abee99eSArd Biesheuvel return err; 2071abee99eSArd Biesheuvel } 2081abee99eSArd Biesheuvel 209ec808bbeSArd Biesheuvel static int aesbs_ctr_setkey_sync(struct crypto_skcipher *tfm, const u8 *in_key, 210ec808bbeSArd Biesheuvel unsigned int key_len) 211ec808bbeSArd Biesheuvel { 212ec808bbeSArd Biesheuvel struct aesbs_ctr_ctx *ctx = crypto_skcipher_ctx(tfm); 213ec808bbeSArd Biesheuvel int err; 214ec808bbeSArd Biesheuvel 215f68df543SArd Biesheuvel err = aes_expandkey(&ctx->fallback, in_key, key_len); 216ec808bbeSArd Biesheuvel if (err) 217ec808bbeSArd Biesheuvel return err; 218ec808bbeSArd Biesheuvel 219ec808bbeSArd Biesheuvel ctx->key.rounds = 6 + key_len / 4; 220ec808bbeSArd Biesheuvel 221ec808bbeSArd Biesheuvel kernel_neon_begin(); 222ec808bbeSArd Biesheuvel aesbs_convert_key(ctx->key.rk, ctx->fallback.key_enc, ctx->key.rounds); 223ec808bbeSArd Biesheuvel kernel_neon_end(); 224ec808bbeSArd Biesheuvel 225ec808bbeSArd Biesheuvel return 0; 226ec808bbeSArd Biesheuvel } 227ec808bbeSArd Biesheuvel 2281abee99eSArd Biesheuvel static int ctr_encrypt(struct skcipher_request *req) 2291abee99eSArd Biesheuvel { 2301abee99eSArd Biesheuvel struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 2311abee99eSArd Biesheuvel struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm); 2321abee99eSArd Biesheuvel struct skcipher_walk walk; 23388a3f582SArd Biesheuvel u8 buf[AES_BLOCK_SIZE]; 2341abee99eSArd Biesheuvel int err; 2351abee99eSArd Biesheuvel 23678ad7b08SArd Biesheuvel err = skcipher_walk_virt(&walk, req, false); 2371abee99eSArd Biesheuvel 2381abee99eSArd Biesheuvel while (walk.nbytes > 0) { 2391abee99eSArd Biesheuvel unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; 24088a3f582SArd Biesheuvel u8 *final = (walk.total % AES_BLOCK_SIZE) ? buf : NULL; 2411abee99eSArd Biesheuvel 2421abee99eSArd Biesheuvel if (walk.nbytes < walk.total) { 2431abee99eSArd Biesheuvel blocks = round_down(blocks, 2441abee99eSArd Biesheuvel walk.stride / AES_BLOCK_SIZE); 24588a3f582SArd Biesheuvel final = NULL; 2461abee99eSArd Biesheuvel } 2471abee99eSArd Biesheuvel 24878ad7b08SArd Biesheuvel kernel_neon_begin(); 2491abee99eSArd Biesheuvel aesbs_ctr_encrypt(walk.dst.virt.addr, walk.src.virt.addr, 2501abee99eSArd Biesheuvel ctx->rk, ctx->rounds, blocks, walk.iv, final); 25178ad7b08SArd Biesheuvel kernel_neon_end(); 2521abee99eSArd Biesheuvel 2531abee99eSArd Biesheuvel if (final) { 2541abee99eSArd Biesheuvel u8 *dst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE; 2551abee99eSArd Biesheuvel u8 *src = walk.src.virt.addr + blocks * AES_BLOCK_SIZE; 2561abee99eSArd Biesheuvel 25745fe93dfSArd Biesheuvel crypto_xor_cpy(dst, src, final, 25845fe93dfSArd Biesheuvel walk.total % AES_BLOCK_SIZE); 2591abee99eSArd Biesheuvel 2601abee99eSArd Biesheuvel err = skcipher_walk_done(&walk, 0); 2611abee99eSArd Biesheuvel break; 2621abee99eSArd Biesheuvel } 2631abee99eSArd Biesheuvel err = skcipher_walk_done(&walk, 2641abee99eSArd Biesheuvel walk.nbytes - blocks * AES_BLOCK_SIZE); 2651abee99eSArd Biesheuvel } 2661abee99eSArd Biesheuvel return err; 2671abee99eSArd Biesheuvel } 2681abee99eSArd Biesheuvel 2691abee99eSArd Biesheuvel static int aesbs_xts_setkey(struct crypto_skcipher *tfm, const u8 *in_key, 2701abee99eSArd Biesheuvel unsigned int key_len) 2711abee99eSArd Biesheuvel { 2721abee99eSArd Biesheuvel struct aesbs_xts_ctx *ctx = crypto_skcipher_ctx(tfm); 2731abee99eSArd Biesheuvel struct crypto_aes_ctx rk; 2741abee99eSArd Biesheuvel int err; 2751abee99eSArd Biesheuvel 2761abee99eSArd Biesheuvel err = xts_verify_key(tfm, in_key, key_len); 2771abee99eSArd Biesheuvel if (err) 2781abee99eSArd Biesheuvel return err; 2791abee99eSArd Biesheuvel 2801abee99eSArd Biesheuvel key_len /= 2; 281*67cfa5d3SArd Biesheuvel err = aes_expandkey(&ctx->cts, in_key, key_len); 282*67cfa5d3SArd Biesheuvel if (err) 283*67cfa5d3SArd Biesheuvel return err; 284*67cfa5d3SArd Biesheuvel 285f68df543SArd Biesheuvel err = aes_expandkey(&rk, in_key + key_len, key_len); 2861abee99eSArd Biesheuvel if (err) 2871abee99eSArd Biesheuvel return err; 2881abee99eSArd Biesheuvel 2891abee99eSArd Biesheuvel memcpy(ctx->twkey, rk.key_enc, sizeof(ctx->twkey)); 2901abee99eSArd Biesheuvel 2911abee99eSArd Biesheuvel return aesbs_setkey(tfm, in_key, key_len); 2921abee99eSArd Biesheuvel } 2931abee99eSArd Biesheuvel 294ff6f4115SArd Biesheuvel static void ctr_encrypt_one(struct crypto_skcipher *tfm, const u8 *src, u8 *dst) 295ff6f4115SArd Biesheuvel { 296ff6f4115SArd Biesheuvel struct aesbs_ctr_ctx *ctx = crypto_skcipher_ctx(tfm); 297ff6f4115SArd Biesheuvel unsigned long flags; 298ff6f4115SArd Biesheuvel 299ff6f4115SArd Biesheuvel /* 300ff6f4115SArd Biesheuvel * Temporarily disable interrupts to avoid races where 301ff6f4115SArd Biesheuvel * cachelines are evicted when the CPU is interrupted 302ff6f4115SArd Biesheuvel * to do something else. 303ff6f4115SArd Biesheuvel */ 304ff6f4115SArd Biesheuvel local_irq_save(flags); 305ff6f4115SArd Biesheuvel aes_encrypt(&ctx->fallback, dst, src); 306ff6f4115SArd Biesheuvel local_irq_restore(flags); 307ff6f4115SArd Biesheuvel } 308ff6f4115SArd Biesheuvel 309ec808bbeSArd Biesheuvel static int ctr_encrypt_sync(struct skcipher_request *req) 310ec808bbeSArd Biesheuvel { 311e52b7023SEric Biggers if (!crypto_simd_usable()) 312ff6f4115SArd Biesheuvel return crypto_ctr_encrypt_walk(req, ctr_encrypt_one); 313ec808bbeSArd Biesheuvel 314ec808bbeSArd Biesheuvel return ctr_encrypt(req); 315ec808bbeSArd Biesheuvel } 316ec808bbeSArd Biesheuvel 317*67cfa5d3SArd Biesheuvel static int __xts_crypt(struct skcipher_request *req, bool encrypt, 3181abee99eSArd Biesheuvel void (*fn)(u8 out[], u8 const in[], u8 const rk[], 3191abee99eSArd Biesheuvel int rounds, int blocks, u8 iv[])) 3201abee99eSArd Biesheuvel { 3211abee99eSArd Biesheuvel struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 3221abee99eSArd Biesheuvel struct aesbs_xts_ctx *ctx = crypto_skcipher_ctx(tfm); 323*67cfa5d3SArd Biesheuvel int tail = req->cryptlen % (8 * AES_BLOCK_SIZE); 324*67cfa5d3SArd Biesheuvel struct scatterlist sg_src[2], sg_dst[2]; 325*67cfa5d3SArd Biesheuvel struct skcipher_request subreq; 326*67cfa5d3SArd Biesheuvel struct scatterlist *src, *dst; 3271abee99eSArd Biesheuvel struct skcipher_walk walk; 328*67cfa5d3SArd Biesheuvel int nbytes, err; 329*67cfa5d3SArd Biesheuvel int first = 1; 330*67cfa5d3SArd Biesheuvel u8 *out, *in; 331*67cfa5d3SArd Biesheuvel 332*67cfa5d3SArd Biesheuvel if (req->cryptlen < AES_BLOCK_SIZE) 333*67cfa5d3SArd Biesheuvel return -EINVAL; 334*67cfa5d3SArd Biesheuvel 335*67cfa5d3SArd Biesheuvel /* ensure that the cts tail is covered by a single step */ 336*67cfa5d3SArd Biesheuvel if (unlikely(tail > 0 && tail < AES_BLOCK_SIZE)) { 337*67cfa5d3SArd Biesheuvel int xts_blocks = DIV_ROUND_UP(req->cryptlen, 338*67cfa5d3SArd Biesheuvel AES_BLOCK_SIZE) - 2; 339*67cfa5d3SArd Biesheuvel 340*67cfa5d3SArd Biesheuvel skcipher_request_set_tfm(&subreq, tfm); 341*67cfa5d3SArd Biesheuvel skcipher_request_set_callback(&subreq, 342*67cfa5d3SArd Biesheuvel skcipher_request_flags(req), 343*67cfa5d3SArd Biesheuvel NULL, NULL); 344*67cfa5d3SArd Biesheuvel skcipher_request_set_crypt(&subreq, req->src, req->dst, 345*67cfa5d3SArd Biesheuvel xts_blocks * AES_BLOCK_SIZE, 346*67cfa5d3SArd Biesheuvel req->iv); 347*67cfa5d3SArd Biesheuvel req = &subreq; 348*67cfa5d3SArd Biesheuvel } else { 349*67cfa5d3SArd Biesheuvel tail = 0; 350*67cfa5d3SArd Biesheuvel } 3511abee99eSArd Biesheuvel 35278ad7b08SArd Biesheuvel err = skcipher_walk_virt(&walk, req, false); 3534a8108b7SEric Biggers if (err) 3544a8108b7SEric Biggers return err; 3551abee99eSArd Biesheuvel 3561abee99eSArd Biesheuvel while (walk.nbytes >= AES_BLOCK_SIZE) { 3571abee99eSArd Biesheuvel unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; 3581abee99eSArd Biesheuvel 359*67cfa5d3SArd Biesheuvel if (walk.nbytes < walk.total || walk.nbytes % AES_BLOCK_SIZE) 3601abee99eSArd Biesheuvel blocks = round_down(blocks, 3611abee99eSArd Biesheuvel walk.stride / AES_BLOCK_SIZE); 3621abee99eSArd Biesheuvel 363*67cfa5d3SArd Biesheuvel out = walk.dst.virt.addr; 364*67cfa5d3SArd Biesheuvel in = walk.src.virt.addr; 365*67cfa5d3SArd Biesheuvel nbytes = walk.nbytes; 366*67cfa5d3SArd Biesheuvel 36778ad7b08SArd Biesheuvel kernel_neon_begin(); 368*67cfa5d3SArd Biesheuvel if (likely(blocks > 6)) { /* plain NEON is faster otherwise */ 369*67cfa5d3SArd Biesheuvel if (first) 370*67cfa5d3SArd Biesheuvel neon_aes_ecb_encrypt(walk.iv, walk.iv, 371*67cfa5d3SArd Biesheuvel ctx->twkey, 372*67cfa5d3SArd Biesheuvel ctx->key.rounds, 1); 373*67cfa5d3SArd Biesheuvel first = 0; 374*67cfa5d3SArd Biesheuvel 375*67cfa5d3SArd Biesheuvel fn(out, in, ctx->key.rk, ctx->key.rounds, blocks, 376*67cfa5d3SArd Biesheuvel walk.iv); 377*67cfa5d3SArd Biesheuvel 378*67cfa5d3SArd Biesheuvel out += blocks * AES_BLOCK_SIZE; 379*67cfa5d3SArd Biesheuvel in += blocks * AES_BLOCK_SIZE; 380*67cfa5d3SArd Biesheuvel nbytes -= blocks * AES_BLOCK_SIZE; 3811abee99eSArd Biesheuvel } 382*67cfa5d3SArd Biesheuvel 383*67cfa5d3SArd Biesheuvel if (walk.nbytes == walk.total && nbytes > 0) 384*67cfa5d3SArd Biesheuvel goto xts_tail; 385*67cfa5d3SArd Biesheuvel 386*67cfa5d3SArd Biesheuvel kernel_neon_end(); 387*67cfa5d3SArd Biesheuvel skcipher_walk_done(&walk, nbytes); 388*67cfa5d3SArd Biesheuvel } 389*67cfa5d3SArd Biesheuvel 390*67cfa5d3SArd Biesheuvel if (err || likely(!tail)) 3911abee99eSArd Biesheuvel return err; 392*67cfa5d3SArd Biesheuvel 393*67cfa5d3SArd Biesheuvel /* handle ciphertext stealing */ 394*67cfa5d3SArd Biesheuvel dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen); 395*67cfa5d3SArd Biesheuvel if (req->dst != req->src) 396*67cfa5d3SArd Biesheuvel dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen); 397*67cfa5d3SArd Biesheuvel 398*67cfa5d3SArd Biesheuvel skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail, 399*67cfa5d3SArd Biesheuvel req->iv); 400*67cfa5d3SArd Biesheuvel 401*67cfa5d3SArd Biesheuvel err = skcipher_walk_virt(&walk, req, false); 402*67cfa5d3SArd Biesheuvel if (err) 403*67cfa5d3SArd Biesheuvel return err; 404*67cfa5d3SArd Biesheuvel 405*67cfa5d3SArd Biesheuvel out = walk.dst.virt.addr; 406*67cfa5d3SArd Biesheuvel in = walk.src.virt.addr; 407*67cfa5d3SArd Biesheuvel nbytes = walk.nbytes; 408*67cfa5d3SArd Biesheuvel 409*67cfa5d3SArd Biesheuvel kernel_neon_begin(); 410*67cfa5d3SArd Biesheuvel xts_tail: 411*67cfa5d3SArd Biesheuvel if (encrypt) 412*67cfa5d3SArd Biesheuvel neon_aes_xts_encrypt(out, in, ctx->cts.key_enc, ctx->key.rounds, 413*67cfa5d3SArd Biesheuvel nbytes, ctx->twkey, walk.iv, first ?: 2); 414*67cfa5d3SArd Biesheuvel else 415*67cfa5d3SArd Biesheuvel neon_aes_xts_decrypt(out, in, ctx->cts.key_dec, ctx->key.rounds, 416*67cfa5d3SArd Biesheuvel nbytes, ctx->twkey, walk.iv, first ?: 2); 417*67cfa5d3SArd Biesheuvel kernel_neon_end(); 418*67cfa5d3SArd Biesheuvel 419*67cfa5d3SArd Biesheuvel return skcipher_walk_done(&walk, 0); 4201abee99eSArd Biesheuvel } 4211abee99eSArd Biesheuvel 4221abee99eSArd Biesheuvel static int xts_encrypt(struct skcipher_request *req) 4231abee99eSArd Biesheuvel { 424*67cfa5d3SArd Biesheuvel return __xts_crypt(req, true, aesbs_xts_encrypt); 4251abee99eSArd Biesheuvel } 4261abee99eSArd Biesheuvel 4271abee99eSArd Biesheuvel static int xts_decrypt(struct skcipher_request *req) 4281abee99eSArd Biesheuvel { 429*67cfa5d3SArd Biesheuvel return __xts_crypt(req, false, aesbs_xts_decrypt); 4301abee99eSArd Biesheuvel } 4311abee99eSArd Biesheuvel 4321abee99eSArd Biesheuvel static struct skcipher_alg aes_algs[] = { { 4331abee99eSArd Biesheuvel .base.cra_name = "__ecb(aes)", 4341abee99eSArd Biesheuvel .base.cra_driver_name = "__ecb-aes-neonbs", 4351abee99eSArd Biesheuvel .base.cra_priority = 250, 4361abee99eSArd Biesheuvel .base.cra_blocksize = AES_BLOCK_SIZE, 4371abee99eSArd Biesheuvel .base.cra_ctxsize = sizeof(struct aesbs_ctx), 4381abee99eSArd Biesheuvel .base.cra_module = THIS_MODULE, 4391abee99eSArd Biesheuvel .base.cra_flags = CRYPTO_ALG_INTERNAL, 4401abee99eSArd Biesheuvel 4411abee99eSArd Biesheuvel .min_keysize = AES_MIN_KEY_SIZE, 4421abee99eSArd Biesheuvel .max_keysize = AES_MAX_KEY_SIZE, 4431abee99eSArd Biesheuvel .walksize = 8 * AES_BLOCK_SIZE, 4441abee99eSArd Biesheuvel .setkey = aesbs_setkey, 4451abee99eSArd Biesheuvel .encrypt = ecb_encrypt, 4461abee99eSArd Biesheuvel .decrypt = ecb_decrypt, 4471abee99eSArd Biesheuvel }, { 4481abee99eSArd Biesheuvel .base.cra_name = "__cbc(aes)", 4491abee99eSArd Biesheuvel .base.cra_driver_name = "__cbc-aes-neonbs", 4501abee99eSArd Biesheuvel .base.cra_priority = 250, 4511abee99eSArd Biesheuvel .base.cra_blocksize = AES_BLOCK_SIZE, 4521abee99eSArd Biesheuvel .base.cra_ctxsize = sizeof(struct aesbs_cbc_ctx), 4531abee99eSArd Biesheuvel .base.cra_module = THIS_MODULE, 4541abee99eSArd Biesheuvel .base.cra_flags = CRYPTO_ALG_INTERNAL, 4551abee99eSArd Biesheuvel 4561abee99eSArd Biesheuvel .min_keysize = AES_MIN_KEY_SIZE, 4571abee99eSArd Biesheuvel .max_keysize = AES_MAX_KEY_SIZE, 4581abee99eSArd Biesheuvel .walksize = 8 * AES_BLOCK_SIZE, 4591abee99eSArd Biesheuvel .ivsize = AES_BLOCK_SIZE, 4601abee99eSArd Biesheuvel .setkey = aesbs_cbc_setkey, 4611abee99eSArd Biesheuvel .encrypt = cbc_encrypt, 4621abee99eSArd Biesheuvel .decrypt = cbc_decrypt, 4631abee99eSArd Biesheuvel }, { 4641abee99eSArd Biesheuvel .base.cra_name = "__ctr(aes)", 4651abee99eSArd Biesheuvel .base.cra_driver_name = "__ctr-aes-neonbs", 4661abee99eSArd Biesheuvel .base.cra_priority = 250, 4671abee99eSArd Biesheuvel .base.cra_blocksize = 1, 4681abee99eSArd Biesheuvel .base.cra_ctxsize = sizeof(struct aesbs_ctx), 4691abee99eSArd Biesheuvel .base.cra_module = THIS_MODULE, 4701abee99eSArd Biesheuvel .base.cra_flags = CRYPTO_ALG_INTERNAL, 4711abee99eSArd Biesheuvel 4721abee99eSArd Biesheuvel .min_keysize = AES_MIN_KEY_SIZE, 4731abee99eSArd Biesheuvel .max_keysize = AES_MAX_KEY_SIZE, 4741abee99eSArd Biesheuvel .chunksize = AES_BLOCK_SIZE, 4751abee99eSArd Biesheuvel .walksize = 8 * AES_BLOCK_SIZE, 4761abee99eSArd Biesheuvel .ivsize = AES_BLOCK_SIZE, 4771abee99eSArd Biesheuvel .setkey = aesbs_setkey, 4781abee99eSArd Biesheuvel .encrypt = ctr_encrypt, 4791abee99eSArd Biesheuvel .decrypt = ctr_encrypt, 4801abee99eSArd Biesheuvel }, { 4811abee99eSArd Biesheuvel .base.cra_name = "ctr(aes)", 4821abee99eSArd Biesheuvel .base.cra_driver_name = "ctr-aes-neonbs", 4831abee99eSArd Biesheuvel .base.cra_priority = 250 - 1, 4841abee99eSArd Biesheuvel .base.cra_blocksize = 1, 485ec808bbeSArd Biesheuvel .base.cra_ctxsize = sizeof(struct aesbs_ctr_ctx), 4861abee99eSArd Biesheuvel .base.cra_module = THIS_MODULE, 4871abee99eSArd Biesheuvel 4881abee99eSArd Biesheuvel .min_keysize = AES_MIN_KEY_SIZE, 4891abee99eSArd Biesheuvel .max_keysize = AES_MAX_KEY_SIZE, 4901abee99eSArd Biesheuvel .chunksize = AES_BLOCK_SIZE, 4911abee99eSArd Biesheuvel .walksize = 8 * AES_BLOCK_SIZE, 4921abee99eSArd Biesheuvel .ivsize = AES_BLOCK_SIZE, 493ec808bbeSArd Biesheuvel .setkey = aesbs_ctr_setkey_sync, 494ec808bbeSArd Biesheuvel .encrypt = ctr_encrypt_sync, 495ec808bbeSArd Biesheuvel .decrypt = ctr_encrypt_sync, 4961abee99eSArd Biesheuvel }, { 4971abee99eSArd Biesheuvel .base.cra_name = "__xts(aes)", 4981abee99eSArd Biesheuvel .base.cra_driver_name = "__xts-aes-neonbs", 4991abee99eSArd Biesheuvel .base.cra_priority = 250, 5001abee99eSArd Biesheuvel .base.cra_blocksize = AES_BLOCK_SIZE, 5011abee99eSArd Biesheuvel .base.cra_ctxsize = sizeof(struct aesbs_xts_ctx), 5021abee99eSArd Biesheuvel .base.cra_module = THIS_MODULE, 5031abee99eSArd Biesheuvel .base.cra_flags = CRYPTO_ALG_INTERNAL, 5041abee99eSArd Biesheuvel 5051abee99eSArd Biesheuvel .min_keysize = 2 * AES_MIN_KEY_SIZE, 5061abee99eSArd Biesheuvel .max_keysize = 2 * AES_MAX_KEY_SIZE, 5071abee99eSArd Biesheuvel .walksize = 8 * AES_BLOCK_SIZE, 5081abee99eSArd Biesheuvel .ivsize = AES_BLOCK_SIZE, 5091abee99eSArd Biesheuvel .setkey = aesbs_xts_setkey, 5101abee99eSArd Biesheuvel .encrypt = xts_encrypt, 5111abee99eSArd Biesheuvel .decrypt = xts_decrypt, 5121abee99eSArd Biesheuvel } }; 5131abee99eSArd Biesheuvel 5141abee99eSArd Biesheuvel static struct simd_skcipher_alg *aes_simd_algs[ARRAY_SIZE(aes_algs)]; 5151abee99eSArd Biesheuvel 5161abee99eSArd Biesheuvel static void aes_exit(void) 5171abee99eSArd Biesheuvel { 5181abee99eSArd Biesheuvel int i; 5191abee99eSArd Biesheuvel 5201abee99eSArd Biesheuvel for (i = 0; i < ARRAY_SIZE(aes_simd_algs); i++) 5211abee99eSArd Biesheuvel if (aes_simd_algs[i]) 5221abee99eSArd Biesheuvel simd_skcipher_free(aes_simd_algs[i]); 5231abee99eSArd Biesheuvel 5241abee99eSArd Biesheuvel crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs)); 5251abee99eSArd Biesheuvel } 5261abee99eSArd Biesheuvel 5271abee99eSArd Biesheuvel static int __init aes_init(void) 5281abee99eSArd Biesheuvel { 5291abee99eSArd Biesheuvel struct simd_skcipher_alg *simd; 5301abee99eSArd Biesheuvel const char *basename; 5311abee99eSArd Biesheuvel const char *algname; 5321abee99eSArd Biesheuvel const char *drvname; 5331abee99eSArd Biesheuvel int err; 5341abee99eSArd Biesheuvel int i; 5351abee99eSArd Biesheuvel 536aaba098fSAndrew Murray if (!cpu_have_named_feature(ASIMD)) 5371abee99eSArd Biesheuvel return -ENODEV; 5381abee99eSArd Biesheuvel 5391abee99eSArd Biesheuvel err = crypto_register_skciphers(aes_algs, ARRAY_SIZE(aes_algs)); 5401abee99eSArd Biesheuvel if (err) 5411abee99eSArd Biesheuvel return err; 5421abee99eSArd Biesheuvel 5431abee99eSArd Biesheuvel for (i = 0; i < ARRAY_SIZE(aes_algs); i++) { 5441abee99eSArd Biesheuvel if (!(aes_algs[i].base.cra_flags & CRYPTO_ALG_INTERNAL)) 5451abee99eSArd Biesheuvel continue; 5461abee99eSArd Biesheuvel 5471abee99eSArd Biesheuvel algname = aes_algs[i].base.cra_name + 2; 5481abee99eSArd Biesheuvel drvname = aes_algs[i].base.cra_driver_name + 2; 5491abee99eSArd Biesheuvel basename = aes_algs[i].base.cra_driver_name; 5501abee99eSArd Biesheuvel simd = simd_skcipher_create_compat(algname, drvname, basename); 5511abee99eSArd Biesheuvel err = PTR_ERR(simd); 5521abee99eSArd Biesheuvel if (IS_ERR(simd)) 5531abee99eSArd Biesheuvel goto unregister_simds; 5541abee99eSArd Biesheuvel 5551abee99eSArd Biesheuvel aes_simd_algs[i] = simd; 5561abee99eSArd Biesheuvel } 5571abee99eSArd Biesheuvel return 0; 5581abee99eSArd Biesheuvel 5591abee99eSArd Biesheuvel unregister_simds: 5601abee99eSArd Biesheuvel aes_exit(); 5611abee99eSArd Biesheuvel return err; 5621abee99eSArd Biesheuvel } 5631abee99eSArd Biesheuvel 5641abee99eSArd Biesheuvel module_init(aes_init); 5651abee99eSArd Biesheuvel module_exit(aes_exit); 566