1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /*
3  * SM4-GCM AEAD Algorithm using ARMv8 Crypto Extensions
4  * as specified in rfc8998
5  * https://datatracker.ietf.org/doc/html/rfc8998
6  *
7  * Copyright (C) 2022 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
8  */
9 
10 #include <linux/module.h>
11 #include <linux/crypto.h>
12 #include <linux/kernel.h>
13 #include <linux/cpufeature.h>
14 #include <asm/neon.h>
15 #include <crypto/b128ops.h>
16 #include <crypto/scatterwalk.h>
17 #include <crypto/internal/aead.h>
18 #include <crypto/internal/skcipher.h>
19 #include <crypto/sm4.h>
20 #include "sm4-ce.h"
21 
22 asmlinkage void sm4_ce_pmull_ghash_setup(const u32 *rkey_enc, u8 *ghash_table);
23 asmlinkage void pmull_ghash_update(const u8 *ghash_table, u8 *ghash,
24 				   const u8 *src, unsigned int nblocks);
25 asmlinkage void sm4_ce_pmull_gcm_enc(const u32 *rkey_enc, u8 *dst,
26 				     const u8 *src, u8 *iv,
27 				     unsigned int nbytes, u8 *ghash,
28 				     const u8 *ghash_table, const u8 *lengths);
29 asmlinkage void sm4_ce_pmull_gcm_dec(const u32 *rkey_enc, u8 *dst,
30 				     const u8 *src, u8 *iv,
31 				     unsigned int nbytes, u8 *ghash,
32 				     const u8 *ghash_table, const u8 *lengths);
33 
34 #define GHASH_BLOCK_SIZE	16
35 #define GCM_IV_SIZE		12
36 
37 struct sm4_gcm_ctx {
38 	struct sm4_ctx key;
39 	u8 ghash_table[16 * 4];
40 };
41 
42 
43 static int gcm_setkey(struct crypto_aead *tfm, const u8 *key,
44 		      unsigned int key_len)
45 {
46 	struct sm4_gcm_ctx *ctx = crypto_aead_ctx(tfm);
47 
48 	if (key_len != SM4_KEY_SIZE)
49 		return -EINVAL;
50 
51 	kernel_neon_begin();
52 
53 	sm4_ce_expand_key(key, ctx->key.rkey_enc, ctx->key.rkey_dec,
54 			  crypto_sm4_fk, crypto_sm4_ck);
55 	sm4_ce_pmull_ghash_setup(ctx->key.rkey_enc, ctx->ghash_table);
56 
57 	kernel_neon_end();
58 	return 0;
59 }
60 
61 static int gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
62 {
63 	switch (authsize) {
64 	case 4:
65 	case 8:
66 	case 12 ... 16:
67 		return 0;
68 	default:
69 		return -EINVAL;
70 	}
71 }
72 
73 static void gcm_calculate_auth_mac(struct aead_request *req, u8 ghash[])
74 {
75 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
76 	struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead);
77 	u8 __aligned(8) buffer[GHASH_BLOCK_SIZE];
78 	u32 assoclen = req->assoclen;
79 	struct scatter_walk walk;
80 	unsigned int buflen = 0;
81 
82 	scatterwalk_start(&walk, req->src);
83 
84 	do {
85 		u32 n = scatterwalk_clamp(&walk, assoclen);
86 		u8 *p, *ptr;
87 
88 		if (!n) {
89 			scatterwalk_start(&walk, sg_next(walk.sg));
90 			n = scatterwalk_clamp(&walk, assoclen);
91 		}
92 
93 		p = ptr = scatterwalk_map(&walk);
94 		assoclen -= n;
95 		scatterwalk_advance(&walk, n);
96 
97 		if (n + buflen < GHASH_BLOCK_SIZE) {
98 			memcpy(&buffer[buflen], ptr, n);
99 			buflen += n;
100 		} else {
101 			unsigned int nblocks;
102 
103 			if (buflen) {
104 				unsigned int l = GHASH_BLOCK_SIZE - buflen;
105 
106 				memcpy(&buffer[buflen], ptr, l);
107 				ptr += l;
108 				n -= l;
109 
110 				pmull_ghash_update(ctx->ghash_table, ghash,
111 						   buffer, 1);
112 			}
113 
114 			nblocks = n / GHASH_BLOCK_SIZE;
115 			if (nblocks) {
116 				pmull_ghash_update(ctx->ghash_table, ghash,
117 						   ptr, nblocks);
118 				ptr += nblocks * GHASH_BLOCK_SIZE;
119 			}
120 
121 			buflen = n % GHASH_BLOCK_SIZE;
122 			if (buflen)
123 				memcpy(&buffer[0], ptr, buflen);
124 		}
125 
126 		scatterwalk_unmap(p);
127 		scatterwalk_done(&walk, 0, assoclen);
128 	} while (assoclen);
129 
130 	/* padding with '0' */
131 	if (buflen) {
132 		memset(&buffer[buflen], 0, GHASH_BLOCK_SIZE - buflen);
133 		pmull_ghash_update(ctx->ghash_table, ghash, buffer, 1);
134 	}
135 }
136 
137 static int gcm_crypt(struct aead_request *req, struct skcipher_walk *walk,
138 		     u8 ghash[], int err,
139 		     void (*sm4_ce_pmull_gcm_crypt)(const u32 *rkey_enc,
140 				u8 *dst, const u8 *src, u8 *iv,
141 				unsigned int nbytes, u8 *ghash,
142 				const u8 *ghash_table, const u8 *lengths))
143 {
144 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
145 	struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead);
146 	u8 __aligned(8) iv[SM4_BLOCK_SIZE];
147 	be128 __aligned(8) lengths;
148 
149 	memset(ghash, 0, SM4_BLOCK_SIZE);
150 
151 	lengths.a = cpu_to_be64(req->assoclen * 8);
152 	lengths.b = cpu_to_be64(walk->total * 8);
153 
154 	memcpy(iv, req->iv, GCM_IV_SIZE);
155 	put_unaligned_be32(2, iv + GCM_IV_SIZE);
156 
157 	kernel_neon_begin();
158 
159 	if (req->assoclen)
160 		gcm_calculate_auth_mac(req, ghash);
161 
162 	while (walk->nbytes) {
163 		unsigned int tail = walk->nbytes % SM4_BLOCK_SIZE;
164 		const u8 *src = walk->src.virt.addr;
165 		u8 *dst = walk->dst.virt.addr;
166 
167 		if (walk->nbytes == walk->total) {
168 			sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, dst, src, iv,
169 					       walk->nbytes, ghash,
170 					       ctx->ghash_table,
171 					       (const u8 *)&lengths);
172 
173 			kernel_neon_end();
174 
175 			return skcipher_walk_done(walk, 0);
176 		}
177 
178 		sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, dst, src, iv,
179 				       walk->nbytes - tail, ghash,
180 				       ctx->ghash_table, NULL);
181 
182 		kernel_neon_end();
183 
184 		err = skcipher_walk_done(walk, tail);
185 
186 		kernel_neon_begin();
187 	}
188 
189 	sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, NULL, NULL, iv,
190 			       walk->nbytes, ghash, ctx->ghash_table,
191 			       (const u8 *)&lengths);
192 
193 	kernel_neon_end();
194 
195 	return err;
196 }
197 
198 static int gcm_encrypt(struct aead_request *req)
199 {
200 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
201 	u8 __aligned(8) ghash[SM4_BLOCK_SIZE];
202 	struct skcipher_walk walk;
203 	int err;
204 
205 	err = skcipher_walk_aead_encrypt(&walk, req, false);
206 	err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_enc);
207 	if (err)
208 		return err;
209 
210 	/* copy authtag to end of dst */
211 	scatterwalk_map_and_copy(ghash, req->dst, req->assoclen + req->cryptlen,
212 				 crypto_aead_authsize(aead), 1);
213 
214 	return 0;
215 }
216 
217 static int gcm_decrypt(struct aead_request *req)
218 {
219 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
220 	unsigned int authsize = crypto_aead_authsize(aead);
221 	u8 __aligned(8) ghash[SM4_BLOCK_SIZE];
222 	u8 authtag[SM4_BLOCK_SIZE];
223 	struct skcipher_walk walk;
224 	int err;
225 
226 	err = skcipher_walk_aead_decrypt(&walk, req, false);
227 	err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_dec);
228 	if (err)
229 		return err;
230 
231 	/* compare calculated auth tag with the stored one */
232 	scatterwalk_map_and_copy(authtag, req->src,
233 				 req->assoclen + req->cryptlen - authsize,
234 				 authsize, 0);
235 
236 	if (crypto_memneq(authtag, ghash, authsize))
237 		return -EBADMSG;
238 
239 	return 0;
240 }
241 
242 static struct aead_alg sm4_gcm_alg = {
243 	.base = {
244 		.cra_name		= "gcm(sm4)",
245 		.cra_driver_name	= "gcm-sm4-ce",
246 		.cra_priority		= 400,
247 		.cra_blocksize		= 1,
248 		.cra_ctxsize		= sizeof(struct sm4_gcm_ctx),
249 		.cra_module		= THIS_MODULE,
250 	},
251 	.ivsize		= GCM_IV_SIZE,
252 	.chunksize	= SM4_BLOCK_SIZE,
253 	.maxauthsize	= SM4_BLOCK_SIZE,
254 	.setkey		= gcm_setkey,
255 	.setauthsize	= gcm_setauthsize,
256 	.encrypt	= gcm_encrypt,
257 	.decrypt	= gcm_decrypt,
258 };
259 
260 static int __init sm4_ce_gcm_init(void)
261 {
262 	if (!cpu_have_named_feature(PMULL))
263 		return -ENODEV;
264 
265 	return crypto_register_aead(&sm4_gcm_alg);
266 }
267 
268 static void __exit sm4_ce_gcm_exit(void)
269 {
270 	crypto_unregister_aead(&sm4_gcm_alg);
271 }
272 
273 static const struct cpu_feature __maybe_unused sm4_ce_gcm_cpu_feature[] = {
274 	{ cpu_feature(PMULL) },
275 	{}
276 };
277 MODULE_DEVICE_TABLE(cpu, sm4_ce_gcm_cpu_feature);
278 
279 module_cpu_feature_match(SM4, sm4_ce_gcm_init);
280 module_exit(sm4_ce_gcm_exit);
281 
282 MODULE_DESCRIPTION("Synchronous SM4 in GCM mode using ARMv8 Crypto Extensions");
283 MODULE_ALIAS_CRYPTO("gcm(sm4)");
284 MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>");
285 MODULE_LICENSE("GPL v2");
286