1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Accelerated GHASH implementation with ARMv8 PMULL instructions.
4  *
5  * Copyright (C) 2014 - 2018 Linaro Ltd. <ard.biesheuvel@linaro.org>
6  */
7 
8 #include <asm/neon.h>
9 #include <asm/simd.h>
10 #include <asm/unaligned.h>
11 #include <crypto/aes.h>
12 #include <crypto/algapi.h>
13 #include <crypto/b128ops.h>
14 #include <crypto/gf128mul.h>
15 #include <crypto/internal/aead.h>
16 #include <crypto/internal/hash.h>
17 #include <crypto/internal/simd.h>
18 #include <crypto/internal/skcipher.h>
19 #include <crypto/scatterwalk.h>
20 #include <linux/cpufeature.h>
21 #include <linux/crypto.h>
22 #include <linux/module.h>
23 
24 MODULE_DESCRIPTION("GHASH and AES-GCM using ARMv8 Crypto Extensions");
25 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
26 MODULE_LICENSE("GPL v2");
27 MODULE_ALIAS_CRYPTO("ghash");
28 
29 #define GHASH_BLOCK_SIZE	16
30 #define GHASH_DIGEST_SIZE	16
31 #define GCM_IV_SIZE		12
32 
33 struct ghash_key {
34 	u64			h[2];
35 	u64			h2[2];
36 	u64			h3[2];
37 	u64			h4[2];
38 
39 	be128			k;
40 };
41 
42 struct ghash_desc_ctx {
43 	u64 digest[GHASH_DIGEST_SIZE/sizeof(u64)];
44 	u8 buf[GHASH_BLOCK_SIZE];
45 	u32 count;
46 };
47 
48 struct gcm_aes_ctx {
49 	struct crypto_aes_ctx	aes_key;
50 	struct ghash_key	ghash_key;
51 };
52 
53 asmlinkage void pmull_ghash_update_p64(int blocks, u64 dg[], const char *src,
54 				       struct ghash_key const *k,
55 				       const char *head);
56 
57 asmlinkage void pmull_ghash_update_p8(int blocks, u64 dg[], const char *src,
58 				      struct ghash_key const *k,
59 				      const char *head);
60 
61 asmlinkage void pmull_gcm_encrypt(int blocks, u64 dg[], u8 dst[],
62 				  const u8 src[], struct ghash_key const *k,
63 				  u8 ctr[], u32 const rk[], int rounds,
64 				  u8 ks[]);
65 
66 asmlinkage void pmull_gcm_decrypt(int blocks, u64 dg[], u8 dst[],
67 				  const u8 src[], struct ghash_key const *k,
68 				  u8 ctr[], u32 const rk[], int rounds);
69 
70 asmlinkage void pmull_gcm_encrypt_block(u8 dst[], u8 const src[],
71 					u32 const rk[], int rounds);
72 
73 asmlinkage void __aes_arm64_encrypt(u32 *rk, u8 *out, const u8 *in, int rounds);
74 
75 static int ghash_init(struct shash_desc *desc)
76 {
77 	struct ghash_desc_ctx *ctx = shash_desc_ctx(desc);
78 
79 	*ctx = (struct ghash_desc_ctx){};
80 	return 0;
81 }
82 
83 static void ghash_do_update(int blocks, u64 dg[], const char *src,
84 			    struct ghash_key *key, const char *head,
85 			    void (*simd_update)(int blocks, u64 dg[],
86 						const char *src,
87 						struct ghash_key const *k,
88 						const char *head))
89 {
90 	if (likely(crypto_simd_usable())) {
91 		kernel_neon_begin();
92 		simd_update(blocks, dg, src, key, head);
93 		kernel_neon_end();
94 	} else {
95 		be128 dst = { cpu_to_be64(dg[1]), cpu_to_be64(dg[0]) };
96 
97 		do {
98 			const u8 *in = src;
99 
100 			if (head) {
101 				in = head;
102 				blocks++;
103 				head = NULL;
104 			} else {
105 				src += GHASH_BLOCK_SIZE;
106 			}
107 
108 			crypto_xor((u8 *)&dst, in, GHASH_BLOCK_SIZE);
109 			gf128mul_lle(&dst, &key->k);
110 		} while (--blocks);
111 
112 		dg[0] = be64_to_cpu(dst.b);
113 		dg[1] = be64_to_cpu(dst.a);
114 	}
115 }
116 
117 /* avoid hogging the CPU for too long */
118 #define MAX_BLOCKS	(SZ_64K / GHASH_BLOCK_SIZE)
119 
120 static int __ghash_update(struct shash_desc *desc, const u8 *src,
121 			  unsigned int len,
122 			  void (*simd_update)(int blocks, u64 dg[],
123 					      const char *src,
124 					      struct ghash_key const *k,
125 					      const char *head))
126 {
127 	struct ghash_desc_ctx *ctx = shash_desc_ctx(desc);
128 	unsigned int partial = ctx->count % GHASH_BLOCK_SIZE;
129 
130 	ctx->count += len;
131 
132 	if ((partial + len) >= GHASH_BLOCK_SIZE) {
133 		struct ghash_key *key = crypto_shash_ctx(desc->tfm);
134 		int blocks;
135 
136 		if (partial) {
137 			int p = GHASH_BLOCK_SIZE - partial;
138 
139 			memcpy(ctx->buf + partial, src, p);
140 			src += p;
141 			len -= p;
142 		}
143 
144 		blocks = len / GHASH_BLOCK_SIZE;
145 		len %= GHASH_BLOCK_SIZE;
146 
147 		do {
148 			int chunk = min(blocks, MAX_BLOCKS);
149 
150 			ghash_do_update(chunk, ctx->digest, src, key,
151 					partial ? ctx->buf : NULL,
152 					simd_update);
153 
154 			blocks -= chunk;
155 			src += chunk * GHASH_BLOCK_SIZE;
156 			partial = 0;
157 		} while (unlikely(blocks > 0));
158 	}
159 	if (len)
160 		memcpy(ctx->buf + partial, src, len);
161 	return 0;
162 }
163 
164 static int ghash_update_p8(struct shash_desc *desc, const u8 *src,
165 			   unsigned int len)
166 {
167 	return __ghash_update(desc, src, len, pmull_ghash_update_p8);
168 }
169 
170 static int ghash_update_p64(struct shash_desc *desc, const u8 *src,
171 			    unsigned int len)
172 {
173 	return __ghash_update(desc, src, len, pmull_ghash_update_p64);
174 }
175 
176 static int ghash_final_p8(struct shash_desc *desc, u8 *dst)
177 {
178 	struct ghash_desc_ctx *ctx = shash_desc_ctx(desc);
179 	unsigned int partial = ctx->count % GHASH_BLOCK_SIZE;
180 
181 	if (partial) {
182 		struct ghash_key *key = crypto_shash_ctx(desc->tfm);
183 
184 		memset(ctx->buf + partial, 0, GHASH_BLOCK_SIZE - partial);
185 
186 		ghash_do_update(1, ctx->digest, ctx->buf, key, NULL,
187 				pmull_ghash_update_p8);
188 	}
189 	put_unaligned_be64(ctx->digest[1], dst);
190 	put_unaligned_be64(ctx->digest[0], dst + 8);
191 
192 	*ctx = (struct ghash_desc_ctx){};
193 	return 0;
194 }
195 
196 static int ghash_final_p64(struct shash_desc *desc, u8 *dst)
197 {
198 	struct ghash_desc_ctx *ctx = shash_desc_ctx(desc);
199 	unsigned int partial = ctx->count % GHASH_BLOCK_SIZE;
200 
201 	if (partial) {
202 		struct ghash_key *key = crypto_shash_ctx(desc->tfm);
203 
204 		memset(ctx->buf + partial, 0, GHASH_BLOCK_SIZE - partial);
205 
206 		ghash_do_update(1, ctx->digest, ctx->buf, key, NULL,
207 				pmull_ghash_update_p64);
208 	}
209 	put_unaligned_be64(ctx->digest[1], dst);
210 	put_unaligned_be64(ctx->digest[0], dst + 8);
211 
212 	*ctx = (struct ghash_desc_ctx){};
213 	return 0;
214 }
215 
216 static void ghash_reflect(u64 h[], const be128 *k)
217 {
218 	u64 carry = be64_to_cpu(k->a) & BIT(63) ? 1 : 0;
219 
220 	h[0] = (be64_to_cpu(k->b) << 1) | carry;
221 	h[1] = (be64_to_cpu(k->a) << 1) | (be64_to_cpu(k->b) >> 63);
222 
223 	if (carry)
224 		h[1] ^= 0xc200000000000000UL;
225 }
226 
227 static int __ghash_setkey(struct ghash_key *key,
228 			  const u8 *inkey, unsigned int keylen)
229 {
230 	be128 h;
231 
232 	/* needed for the fallback */
233 	memcpy(&key->k, inkey, GHASH_BLOCK_SIZE);
234 
235 	ghash_reflect(key->h, &key->k);
236 
237 	h = key->k;
238 	gf128mul_lle(&h, &key->k);
239 	ghash_reflect(key->h2, &h);
240 
241 	gf128mul_lle(&h, &key->k);
242 	ghash_reflect(key->h3, &h);
243 
244 	gf128mul_lle(&h, &key->k);
245 	ghash_reflect(key->h4, &h);
246 
247 	return 0;
248 }
249 
250 static int ghash_setkey(struct crypto_shash *tfm,
251 			const u8 *inkey, unsigned int keylen)
252 {
253 	struct ghash_key *key = crypto_shash_ctx(tfm);
254 
255 	if (keylen != GHASH_BLOCK_SIZE) {
256 		crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
257 		return -EINVAL;
258 	}
259 
260 	return __ghash_setkey(key, inkey, keylen);
261 }
262 
263 static struct shash_alg ghash_alg[] = {{
264 	.base.cra_name		= "ghash",
265 	.base.cra_driver_name	= "ghash-neon",
266 	.base.cra_priority	= 100,
267 	.base.cra_blocksize	= GHASH_BLOCK_SIZE,
268 	.base.cra_ctxsize	= sizeof(struct ghash_key),
269 	.base.cra_module	= THIS_MODULE,
270 
271 	.digestsize		= GHASH_DIGEST_SIZE,
272 	.init			= ghash_init,
273 	.update			= ghash_update_p8,
274 	.final			= ghash_final_p8,
275 	.setkey			= ghash_setkey,
276 	.descsize		= sizeof(struct ghash_desc_ctx),
277 }, {
278 	.base.cra_name		= "ghash",
279 	.base.cra_driver_name	= "ghash-ce",
280 	.base.cra_priority	= 200,
281 	.base.cra_blocksize	= GHASH_BLOCK_SIZE,
282 	.base.cra_ctxsize	= sizeof(struct ghash_key),
283 	.base.cra_module	= THIS_MODULE,
284 
285 	.digestsize		= GHASH_DIGEST_SIZE,
286 	.init			= ghash_init,
287 	.update			= ghash_update_p64,
288 	.final			= ghash_final_p64,
289 	.setkey			= ghash_setkey,
290 	.descsize		= sizeof(struct ghash_desc_ctx),
291 }};
292 
293 static int num_rounds(struct crypto_aes_ctx *ctx)
294 {
295 	/*
296 	 * # of rounds specified by AES:
297 	 * 128 bit key		10 rounds
298 	 * 192 bit key		12 rounds
299 	 * 256 bit key		14 rounds
300 	 * => n byte key	=> 6 + (n/4) rounds
301 	 */
302 	return 6 + ctx->key_length / 4;
303 }
304 
305 static int gcm_setkey(struct crypto_aead *tfm, const u8 *inkey,
306 		      unsigned int keylen)
307 {
308 	struct gcm_aes_ctx *ctx = crypto_aead_ctx(tfm);
309 	u8 key[GHASH_BLOCK_SIZE];
310 	int ret;
311 
312 	ret = crypto_aes_expand_key(&ctx->aes_key, inkey, keylen);
313 	if (ret) {
314 		tfm->base.crt_flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
315 		return -EINVAL;
316 	}
317 
318 	__aes_arm64_encrypt(ctx->aes_key.key_enc, key, (u8[AES_BLOCK_SIZE]){},
319 			    num_rounds(&ctx->aes_key));
320 
321 	return __ghash_setkey(&ctx->ghash_key, key, sizeof(be128));
322 }
323 
324 static int gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
325 {
326 	switch (authsize) {
327 	case 4:
328 	case 8:
329 	case 12 ... 16:
330 		break;
331 	default:
332 		return -EINVAL;
333 	}
334 	return 0;
335 }
336 
337 static void gcm_update_mac(u64 dg[], const u8 *src, int count, u8 buf[],
338 			   int *buf_count, struct gcm_aes_ctx *ctx)
339 {
340 	if (*buf_count > 0) {
341 		int buf_added = min(count, GHASH_BLOCK_SIZE - *buf_count);
342 
343 		memcpy(&buf[*buf_count], src, buf_added);
344 
345 		*buf_count += buf_added;
346 		src += buf_added;
347 		count -= buf_added;
348 	}
349 
350 	if (count >= GHASH_BLOCK_SIZE || *buf_count == GHASH_BLOCK_SIZE) {
351 		int blocks = count / GHASH_BLOCK_SIZE;
352 
353 		ghash_do_update(blocks, dg, src, &ctx->ghash_key,
354 				*buf_count ? buf : NULL,
355 				pmull_ghash_update_p64);
356 
357 		src += blocks * GHASH_BLOCK_SIZE;
358 		count %= GHASH_BLOCK_SIZE;
359 		*buf_count = 0;
360 	}
361 
362 	if (count > 0) {
363 		memcpy(buf, src, count);
364 		*buf_count = count;
365 	}
366 }
367 
368 static void gcm_calculate_auth_mac(struct aead_request *req, u64 dg[])
369 {
370 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
371 	struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
372 	u8 buf[GHASH_BLOCK_SIZE];
373 	struct scatter_walk walk;
374 	u32 len = req->assoclen;
375 	int buf_count = 0;
376 
377 	scatterwalk_start(&walk, req->src);
378 
379 	do {
380 		u32 n = scatterwalk_clamp(&walk, len);
381 		u8 *p;
382 
383 		if (!n) {
384 			scatterwalk_start(&walk, sg_next(walk.sg));
385 			n = scatterwalk_clamp(&walk, len);
386 		}
387 		p = scatterwalk_map(&walk);
388 
389 		gcm_update_mac(dg, p, n, buf, &buf_count, ctx);
390 		len -= n;
391 
392 		scatterwalk_unmap(p);
393 		scatterwalk_advance(&walk, n);
394 		scatterwalk_done(&walk, 0, len);
395 	} while (len);
396 
397 	if (buf_count) {
398 		memset(&buf[buf_count], 0, GHASH_BLOCK_SIZE - buf_count);
399 		ghash_do_update(1, dg, buf, &ctx->ghash_key, NULL,
400 				pmull_ghash_update_p64);
401 	}
402 }
403 
404 static void gcm_final(struct aead_request *req, struct gcm_aes_ctx *ctx,
405 		      u64 dg[], u8 tag[], int cryptlen)
406 {
407 	u8 mac[AES_BLOCK_SIZE];
408 	u128 lengths;
409 
410 	lengths.a = cpu_to_be64(req->assoclen * 8);
411 	lengths.b = cpu_to_be64(cryptlen * 8);
412 
413 	ghash_do_update(1, dg, (void *)&lengths, &ctx->ghash_key, NULL,
414 			pmull_ghash_update_p64);
415 
416 	put_unaligned_be64(dg[1], mac);
417 	put_unaligned_be64(dg[0], mac + 8);
418 
419 	crypto_xor(tag, mac, AES_BLOCK_SIZE);
420 }
421 
422 static int gcm_encrypt(struct aead_request *req)
423 {
424 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
425 	struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
426 	struct skcipher_walk walk;
427 	u8 iv[AES_BLOCK_SIZE];
428 	u8 ks[2 * AES_BLOCK_SIZE];
429 	u8 tag[AES_BLOCK_SIZE];
430 	u64 dg[2] = {};
431 	int nrounds = num_rounds(&ctx->aes_key);
432 	int err;
433 
434 	if (req->assoclen)
435 		gcm_calculate_auth_mac(req, dg);
436 
437 	memcpy(iv, req->iv, GCM_IV_SIZE);
438 	put_unaligned_be32(1, iv + GCM_IV_SIZE);
439 
440 	err = skcipher_walk_aead_encrypt(&walk, req, false);
441 
442 	if (likely(crypto_simd_usable() && walk.total >= 2 * AES_BLOCK_SIZE)) {
443 		u32 const *rk = NULL;
444 
445 		kernel_neon_begin();
446 		pmull_gcm_encrypt_block(tag, iv, ctx->aes_key.key_enc, nrounds);
447 		put_unaligned_be32(2, iv + GCM_IV_SIZE);
448 		pmull_gcm_encrypt_block(ks, iv, NULL, nrounds);
449 		put_unaligned_be32(3, iv + GCM_IV_SIZE);
450 		pmull_gcm_encrypt_block(ks + AES_BLOCK_SIZE, iv, NULL, nrounds);
451 		put_unaligned_be32(4, iv + GCM_IV_SIZE);
452 
453 		do {
454 			int blocks = walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
455 
456 			if (rk)
457 				kernel_neon_begin();
458 
459 			pmull_gcm_encrypt(blocks, dg, walk.dst.virt.addr,
460 					  walk.src.virt.addr, &ctx->ghash_key,
461 					  iv, rk, nrounds, ks);
462 			kernel_neon_end();
463 
464 			err = skcipher_walk_done(&walk,
465 					walk.nbytes % (2 * AES_BLOCK_SIZE));
466 
467 			rk = ctx->aes_key.key_enc;
468 		} while (walk.nbytes >= 2 * AES_BLOCK_SIZE);
469 	} else {
470 		__aes_arm64_encrypt(ctx->aes_key.key_enc, tag, iv, nrounds);
471 		put_unaligned_be32(2, iv + GCM_IV_SIZE);
472 
473 		while (walk.nbytes >= (2 * AES_BLOCK_SIZE)) {
474 			const int blocks =
475 				walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
476 			u8 *dst = walk.dst.virt.addr;
477 			u8 *src = walk.src.virt.addr;
478 			int remaining = blocks;
479 
480 			do {
481 				__aes_arm64_encrypt(ctx->aes_key.key_enc,
482 						    ks, iv, nrounds);
483 				crypto_xor_cpy(dst, src, ks, AES_BLOCK_SIZE);
484 				crypto_inc(iv, AES_BLOCK_SIZE);
485 
486 				dst += AES_BLOCK_SIZE;
487 				src += AES_BLOCK_SIZE;
488 			} while (--remaining > 0);
489 
490 			ghash_do_update(blocks, dg,
491 					walk.dst.virt.addr, &ctx->ghash_key,
492 					NULL, pmull_ghash_update_p64);
493 
494 			err = skcipher_walk_done(&walk,
495 						 walk.nbytes % (2 * AES_BLOCK_SIZE));
496 		}
497 		if (walk.nbytes) {
498 			__aes_arm64_encrypt(ctx->aes_key.key_enc, ks, iv,
499 					    nrounds);
500 			if (walk.nbytes > AES_BLOCK_SIZE) {
501 				crypto_inc(iv, AES_BLOCK_SIZE);
502 				__aes_arm64_encrypt(ctx->aes_key.key_enc,
503 					            ks + AES_BLOCK_SIZE, iv,
504 						    nrounds);
505 			}
506 		}
507 	}
508 
509 	/* handle the tail */
510 	if (walk.nbytes) {
511 		u8 buf[GHASH_BLOCK_SIZE];
512 		unsigned int nbytes = walk.nbytes;
513 		u8 *dst = walk.dst.virt.addr;
514 		u8 *head = NULL;
515 
516 		crypto_xor_cpy(walk.dst.virt.addr, walk.src.virt.addr, ks,
517 			       walk.nbytes);
518 
519 		if (walk.nbytes > GHASH_BLOCK_SIZE) {
520 			head = dst;
521 			dst += GHASH_BLOCK_SIZE;
522 			nbytes %= GHASH_BLOCK_SIZE;
523 		}
524 
525 		memcpy(buf, dst, nbytes);
526 		memset(buf + nbytes, 0, GHASH_BLOCK_SIZE - nbytes);
527 		ghash_do_update(!!nbytes, dg, buf, &ctx->ghash_key, head,
528 				pmull_ghash_update_p64);
529 
530 		err = skcipher_walk_done(&walk, 0);
531 	}
532 
533 	if (err)
534 		return err;
535 
536 	gcm_final(req, ctx, dg, tag, req->cryptlen);
537 
538 	/* copy authtag to end of dst */
539 	scatterwalk_map_and_copy(tag, req->dst, req->assoclen + req->cryptlen,
540 				 crypto_aead_authsize(aead), 1);
541 
542 	return 0;
543 }
544 
545 static int gcm_decrypt(struct aead_request *req)
546 {
547 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
548 	struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
549 	unsigned int authsize = crypto_aead_authsize(aead);
550 	struct skcipher_walk walk;
551 	u8 iv[2 * AES_BLOCK_SIZE];
552 	u8 tag[AES_BLOCK_SIZE];
553 	u8 buf[2 * GHASH_BLOCK_SIZE];
554 	u64 dg[2] = {};
555 	int nrounds = num_rounds(&ctx->aes_key);
556 	int err;
557 
558 	if (req->assoclen)
559 		gcm_calculate_auth_mac(req, dg);
560 
561 	memcpy(iv, req->iv, GCM_IV_SIZE);
562 	put_unaligned_be32(1, iv + GCM_IV_SIZE);
563 
564 	err = skcipher_walk_aead_decrypt(&walk, req, false);
565 
566 	if (likely(crypto_simd_usable() && walk.total >= 2 * AES_BLOCK_SIZE)) {
567 		u32 const *rk = NULL;
568 
569 		kernel_neon_begin();
570 		pmull_gcm_encrypt_block(tag, iv, ctx->aes_key.key_enc, nrounds);
571 		put_unaligned_be32(2, iv + GCM_IV_SIZE);
572 
573 		do {
574 			int blocks = walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
575 			int rem = walk.total - blocks * AES_BLOCK_SIZE;
576 
577 			if (rk)
578 				kernel_neon_begin();
579 
580 			pmull_gcm_decrypt(blocks, dg, walk.dst.virt.addr,
581 					  walk.src.virt.addr, &ctx->ghash_key,
582 					  iv, rk, nrounds);
583 
584 			/* check if this is the final iteration of the loop */
585 			if (rem < (2 * AES_BLOCK_SIZE)) {
586 				u8 *iv2 = iv + AES_BLOCK_SIZE;
587 
588 				if (rem > AES_BLOCK_SIZE) {
589 					memcpy(iv2, iv, AES_BLOCK_SIZE);
590 					crypto_inc(iv2, AES_BLOCK_SIZE);
591 				}
592 
593 				pmull_gcm_encrypt_block(iv, iv, NULL, nrounds);
594 
595 				if (rem > AES_BLOCK_SIZE)
596 					pmull_gcm_encrypt_block(iv2, iv2, NULL,
597 								nrounds);
598 			}
599 
600 			kernel_neon_end();
601 
602 			err = skcipher_walk_done(&walk,
603 					walk.nbytes % (2 * AES_BLOCK_SIZE));
604 
605 			rk = ctx->aes_key.key_enc;
606 		} while (walk.nbytes >= 2 * AES_BLOCK_SIZE);
607 	} else {
608 		__aes_arm64_encrypt(ctx->aes_key.key_enc, tag, iv, nrounds);
609 		put_unaligned_be32(2, iv + GCM_IV_SIZE);
610 
611 		while (walk.nbytes >= (2 * AES_BLOCK_SIZE)) {
612 			int blocks = walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
613 			u8 *dst = walk.dst.virt.addr;
614 			u8 *src = walk.src.virt.addr;
615 
616 			ghash_do_update(blocks, dg, walk.src.virt.addr,
617 					&ctx->ghash_key, NULL,
618 					pmull_ghash_update_p64);
619 
620 			do {
621 				__aes_arm64_encrypt(ctx->aes_key.key_enc,
622 						    buf, iv, nrounds);
623 				crypto_xor_cpy(dst, src, buf, AES_BLOCK_SIZE);
624 				crypto_inc(iv, AES_BLOCK_SIZE);
625 
626 				dst += AES_BLOCK_SIZE;
627 				src += AES_BLOCK_SIZE;
628 			} while (--blocks > 0);
629 
630 			err = skcipher_walk_done(&walk,
631 						 walk.nbytes % (2 * AES_BLOCK_SIZE));
632 		}
633 		if (walk.nbytes) {
634 			if (walk.nbytes > AES_BLOCK_SIZE) {
635 				u8 *iv2 = iv + AES_BLOCK_SIZE;
636 
637 				memcpy(iv2, iv, AES_BLOCK_SIZE);
638 				crypto_inc(iv2, AES_BLOCK_SIZE);
639 
640 				__aes_arm64_encrypt(ctx->aes_key.key_enc, iv2,
641 						    iv2, nrounds);
642 			}
643 			__aes_arm64_encrypt(ctx->aes_key.key_enc, iv, iv,
644 					    nrounds);
645 		}
646 	}
647 
648 	/* handle the tail */
649 	if (walk.nbytes) {
650 		const u8 *src = walk.src.virt.addr;
651 		const u8 *head = NULL;
652 		unsigned int nbytes = walk.nbytes;
653 
654 		if (walk.nbytes > GHASH_BLOCK_SIZE) {
655 			head = src;
656 			src += GHASH_BLOCK_SIZE;
657 			nbytes %= GHASH_BLOCK_SIZE;
658 		}
659 
660 		memcpy(buf, src, nbytes);
661 		memset(buf + nbytes, 0, GHASH_BLOCK_SIZE - nbytes);
662 		ghash_do_update(!!nbytes, dg, buf, &ctx->ghash_key, head,
663 				pmull_ghash_update_p64);
664 
665 		crypto_xor_cpy(walk.dst.virt.addr, walk.src.virt.addr, iv,
666 			       walk.nbytes);
667 
668 		err = skcipher_walk_done(&walk, 0);
669 	}
670 
671 	if (err)
672 		return err;
673 
674 	gcm_final(req, ctx, dg, tag, req->cryptlen - authsize);
675 
676 	/* compare calculated auth tag with the stored one */
677 	scatterwalk_map_and_copy(buf, req->src,
678 				 req->assoclen + req->cryptlen - authsize,
679 				 authsize, 0);
680 
681 	if (crypto_memneq(tag, buf, authsize))
682 		return -EBADMSG;
683 	return 0;
684 }
685 
686 static struct aead_alg gcm_aes_alg = {
687 	.ivsize			= GCM_IV_SIZE,
688 	.chunksize		= 2 * AES_BLOCK_SIZE,
689 	.maxauthsize		= AES_BLOCK_SIZE,
690 	.setkey			= gcm_setkey,
691 	.setauthsize		= gcm_setauthsize,
692 	.encrypt		= gcm_encrypt,
693 	.decrypt		= gcm_decrypt,
694 
695 	.base.cra_name		= "gcm(aes)",
696 	.base.cra_driver_name	= "gcm-aes-ce",
697 	.base.cra_priority	= 300,
698 	.base.cra_blocksize	= 1,
699 	.base.cra_ctxsize	= sizeof(struct gcm_aes_ctx),
700 	.base.cra_module	= THIS_MODULE,
701 };
702 
703 static int __init ghash_ce_mod_init(void)
704 {
705 	int ret;
706 
707 	if (!cpu_have_named_feature(ASIMD))
708 		return -ENODEV;
709 
710 	if (cpu_have_named_feature(PMULL))
711 		ret = crypto_register_shashes(ghash_alg,
712 					      ARRAY_SIZE(ghash_alg));
713 	else
714 		/* only register the first array element */
715 		ret = crypto_register_shash(ghash_alg);
716 
717 	if (ret)
718 		return ret;
719 
720 	if (cpu_have_named_feature(PMULL)) {
721 		ret = crypto_register_aead(&gcm_aes_alg);
722 		if (ret)
723 			crypto_unregister_shashes(ghash_alg,
724 						  ARRAY_SIZE(ghash_alg));
725 	}
726 	return ret;
727 }
728 
729 static void __exit ghash_ce_mod_exit(void)
730 {
731 	if (cpu_have_named_feature(PMULL))
732 		crypto_unregister_shashes(ghash_alg, ARRAY_SIZE(ghash_alg));
733 	else
734 		crypto_unregister_shash(ghash_alg);
735 	crypto_unregister_aead(&gcm_aes_alg);
736 }
737 
738 static const struct cpu_feature ghash_cpu_feature[] = {
739 	{ cpu_feature(PMULL) }, { }
740 };
741 MODULE_DEVICE_TABLE(cpu, ghash_cpu_feature);
742 
743 module_init(ghash_ce_mod_init);
744 module_exit(ghash_ce_mod_exit);
745