xref: /openbmc/linux/drivers/crypto/bcm/spu.c (revision ff148d8a)
1 /*
2  * Copyright 2016 Broadcom
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License, version 2, as
6  * published by the Free Software Foundation (the "GPL").
7  *
8  * This program is distributed in the hope that it will be useful, but
9  * WITHOUT ANY WARRANTY; without even the implied warranty of
10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
11  * General Public License version 2 (GPLv2) for more details.
12  *
13  * You should have received a copy of the GNU General Public License
14  * version 2 (GPLv2) along with this source code.
15  */
16 
17 #include <linux/kernel.h>
18 #include <linux/string.h>
19 
20 #include "util.h"
21 #include "spu.h"
22 #include "spum.h"
23 #include "cipher.h"
24 
25 char *hash_alg_name[] = { "None", "md5", "sha1", "sha224", "sha256", "aes",
26 	"sha384", "sha512", "sha3_224", "sha3_256", "sha3_384", "sha3_512" };
27 
28 char *aead_alg_name[] = { "ccm(aes)", "gcm(aes)", "authenc" };
29 
30 /* Assumes SPU-M messages are in big endian */
31 void spum_dump_msg_hdr(u8 *buf, unsigned int buf_len)
32 {
33 	u8 *ptr = buf;
34 	struct SPUHEADER *spuh = (struct SPUHEADER *)buf;
35 	unsigned int hash_key_len = 0;
36 	unsigned int hash_state_len = 0;
37 	unsigned int cipher_key_len = 0;
38 	unsigned int iv_len;
39 	u32 pflags;
40 	u32 cflags;
41 	u32 ecf;
42 	u32 cipher_alg;
43 	u32 cipher_mode;
44 	u32 cipher_type;
45 	u32 hash_alg;
46 	u32 hash_mode;
47 	u32 hash_type;
48 	u32 sctx_size;   /* SCTX length in words */
49 	u32 sctx_pl_len; /* SCTX payload length in bytes */
50 
51 	packet_log("\n");
52 	packet_log("SPU Message header %p len: %u\n", buf, buf_len);
53 
54 	/* ========== Decode MH ========== */
55 	packet_log("  MH 0x%08x\n", be32_to_cpu(*((u32 *)ptr)));
56 	if (spuh->mh.flags & MH_SCTX_PRES)
57 		packet_log("    SCTX  present\n");
58 	if (spuh->mh.flags & MH_BDESC_PRES)
59 		packet_log("    BDESC present\n");
60 	if (spuh->mh.flags & MH_MFM_PRES)
61 		packet_log("    MFM   present\n");
62 	if (spuh->mh.flags & MH_BD_PRES)
63 		packet_log("    BD    present\n");
64 	if (spuh->mh.flags & MH_HASH_PRES)
65 		packet_log("    HASH  present\n");
66 	if (spuh->mh.flags & MH_SUPDT_PRES)
67 		packet_log("    SUPDT present\n");
68 	packet_log("    Opcode 0x%02x\n", spuh->mh.op_code);
69 
70 	ptr += sizeof(spuh->mh) + sizeof(spuh->emh);  /* skip emh. unused */
71 
72 	/* ========== Decode SCTX ========== */
73 	if (spuh->mh.flags & MH_SCTX_PRES) {
74 		pflags = be32_to_cpu(spuh->sa.proto_flags);
75 		packet_log("  SCTX[0] 0x%08x\n", pflags);
76 		sctx_size = pflags & SCTX_SIZE;
77 		packet_log("    Size %u words\n", sctx_size);
78 
79 		cflags = be32_to_cpu(spuh->sa.cipher_flags);
80 		packet_log("  SCTX[1] 0x%08x\n", cflags);
81 		packet_log("    Inbound:%lu (1:decrypt/vrfy 0:encrypt/auth)\n",
82 			   (cflags & CIPHER_INBOUND) >> CIPHER_INBOUND_SHIFT);
83 		packet_log("    Order:%lu (1:AuthFirst 0:EncFirst)\n",
84 			   (cflags & CIPHER_ORDER) >> CIPHER_ORDER_SHIFT);
85 		packet_log("    ICV_IS_512:%lx\n",
86 			   (cflags & ICV_IS_512) >> ICV_IS_512_SHIFT);
87 		cipher_alg = (cflags & CIPHER_ALG) >> CIPHER_ALG_SHIFT;
88 		cipher_mode = (cflags & CIPHER_MODE) >> CIPHER_MODE_SHIFT;
89 		cipher_type = (cflags & CIPHER_TYPE) >> CIPHER_TYPE_SHIFT;
90 		packet_log("    Crypto Alg:%u Mode:%u Type:%u\n",
91 			   cipher_alg, cipher_mode, cipher_type);
92 		hash_alg = (cflags & HASH_ALG) >> HASH_ALG_SHIFT;
93 		hash_mode = (cflags & HASH_MODE) >> HASH_MODE_SHIFT;
94 		hash_type = (cflags & HASH_TYPE) >> HASH_TYPE_SHIFT;
95 		packet_log("    Hash   Alg:%x Mode:%x Type:%x\n",
96 			   hash_alg, hash_mode, hash_type);
97 		packet_log("    UPDT_Offset:%u\n", cflags & UPDT_OFST);
98 
99 		ecf = be32_to_cpu(spuh->sa.ecf);
100 		packet_log("  SCTX[2] 0x%08x\n", ecf);
101 		packet_log("    WriteICV:%lu CheckICV:%lu ICV_SIZE:%u ",
102 			   (ecf & INSERT_ICV) >> INSERT_ICV_SHIFT,
103 			   (ecf & CHECK_ICV) >> CHECK_ICV_SHIFT,
104 			   (ecf & ICV_SIZE) >> ICV_SIZE_SHIFT);
105 		packet_log("BD_SUPPRESS:%lu\n",
106 			   (ecf & BD_SUPPRESS) >> BD_SUPPRESS_SHIFT);
107 		packet_log("    SCTX_IV:%lu ExplicitIV:%lu GenIV:%lu ",
108 			   (ecf & SCTX_IV) >> SCTX_IV_SHIFT,
109 			   (ecf & EXPLICIT_IV) >> EXPLICIT_IV_SHIFT,
110 			   (ecf & GEN_IV) >> GEN_IV_SHIFT);
111 		packet_log("IV_OV_OFST:%lu EXP_IV_SIZE:%u\n",
112 			   (ecf & IV_OFFSET) >> IV_OFFSET_SHIFT,
113 			   ecf & EXP_IV_SIZE);
114 
115 		ptr += sizeof(struct SCTX);
116 
117 		if (hash_alg && hash_mode) {
118 			char *name = "NONE";
119 
120 			switch (hash_alg) {
121 			case HASH_ALG_MD5:
122 				hash_key_len = 16;
123 				name = "MD5";
124 				break;
125 			case HASH_ALG_SHA1:
126 				hash_key_len = 20;
127 				name = "SHA1";
128 				break;
129 			case HASH_ALG_SHA224:
130 				hash_key_len = 28;
131 				name = "SHA224";
132 				break;
133 			case HASH_ALG_SHA256:
134 				hash_key_len = 32;
135 				name = "SHA256";
136 				break;
137 			case HASH_ALG_SHA384:
138 				hash_key_len = 48;
139 				name = "SHA384";
140 				break;
141 			case HASH_ALG_SHA512:
142 				hash_key_len = 64;
143 				name = "SHA512";
144 				break;
145 			case HASH_ALG_AES:
146 				hash_key_len = 0;
147 				name = "AES";
148 				break;
149 			case HASH_ALG_NONE:
150 				break;
151 			}
152 
153 			packet_log("    Auth Key Type:%s Length:%u Bytes\n",
154 				   name, hash_key_len);
155 			packet_dump("    KEY: ", ptr, hash_key_len);
156 			ptr += hash_key_len;
157 		} else if ((hash_alg == HASH_ALG_AES) &&
158 			   (hash_mode == HASH_MODE_XCBC)) {
159 			char *name = "NONE";
160 
161 			switch (cipher_type) {
162 			case CIPHER_TYPE_AES128:
163 				hash_key_len = 16;
164 				name = "AES128-XCBC";
165 				break;
166 			case CIPHER_TYPE_AES192:
167 				hash_key_len = 24;
168 				name = "AES192-XCBC";
169 				break;
170 			case CIPHER_TYPE_AES256:
171 				hash_key_len = 32;
172 				name = "AES256-XCBC";
173 				break;
174 			}
175 			packet_log("    Auth Key Type:%s Length:%u Bytes\n",
176 				   name, hash_key_len);
177 			packet_dump("    KEY: ", ptr, hash_key_len);
178 			ptr += hash_key_len;
179 		}
180 
181 		if (hash_alg && (hash_mode == HASH_MODE_NONE) &&
182 		    (hash_type == HASH_TYPE_UPDT)) {
183 			char *name = "NONE";
184 
185 			switch (hash_alg) {
186 			case HASH_ALG_MD5:
187 				hash_state_len = 16;
188 				name = "MD5";
189 				break;
190 			case HASH_ALG_SHA1:
191 				hash_state_len = 20;
192 				name = "SHA1";
193 				break;
194 			case HASH_ALG_SHA224:
195 				hash_state_len = 32;
196 				name = "SHA224";
197 				break;
198 			case HASH_ALG_SHA256:
199 				hash_state_len = 32;
200 				name = "SHA256";
201 				break;
202 			case HASH_ALG_SHA384:
203 				hash_state_len = 48;
204 				name = "SHA384";
205 				break;
206 			case HASH_ALG_SHA512:
207 				hash_state_len = 64;
208 				name = "SHA512";
209 				break;
210 			case HASH_ALG_AES:
211 				hash_state_len = 0;
212 				name = "AES";
213 				break;
214 			case HASH_ALG_NONE:
215 				break;
216 			}
217 
218 			packet_log("    Auth State Type:%s Length:%u Bytes\n",
219 				   name, hash_state_len);
220 			packet_dump("    State: ", ptr, hash_state_len);
221 			ptr += hash_state_len;
222 		}
223 
224 		if (cipher_alg) {
225 			char *name = "NONE";
226 
227 			switch (cipher_alg) {
228 			case CIPHER_ALG_DES:
229 				cipher_key_len = 8;
230 				name = "DES";
231 				break;
232 			case CIPHER_ALG_3DES:
233 				cipher_key_len = 24;
234 				name = "3DES";
235 				break;
236 			case CIPHER_ALG_RC4:
237 				cipher_key_len = 260;
238 				name = "ARC4";
239 				break;
240 			case CIPHER_ALG_AES:
241 				switch (cipher_type) {
242 				case CIPHER_TYPE_AES128:
243 					cipher_key_len = 16;
244 					name = "AES128";
245 					break;
246 				case CIPHER_TYPE_AES192:
247 					cipher_key_len = 24;
248 					name = "AES192";
249 					break;
250 				case CIPHER_TYPE_AES256:
251 					cipher_key_len = 32;
252 					name = "AES256";
253 					break;
254 				}
255 				break;
256 			case CIPHER_ALG_NONE:
257 				break;
258 			}
259 
260 			packet_log("    Cipher Key Type:%s Length:%u Bytes\n",
261 				   name, cipher_key_len);
262 
263 			/* XTS has two keys */
264 			if (cipher_mode == CIPHER_MODE_XTS) {
265 				packet_dump("    KEY2: ", ptr, cipher_key_len);
266 				ptr += cipher_key_len;
267 				packet_dump("    KEY1: ", ptr, cipher_key_len);
268 				ptr += cipher_key_len;
269 
270 				cipher_key_len *= 2;
271 			} else {
272 				packet_dump("    KEY: ", ptr, cipher_key_len);
273 				ptr += cipher_key_len;
274 			}
275 
276 			if (ecf & SCTX_IV) {
277 				sctx_pl_len = sctx_size * sizeof(u32) -
278 					sizeof(struct SCTX);
279 				iv_len = sctx_pl_len -
280 					(hash_key_len + hash_state_len +
281 					 cipher_key_len);
282 				packet_log("    IV Length:%u Bytes\n", iv_len);
283 				packet_dump("    IV: ", ptr, iv_len);
284 				ptr += iv_len;
285 			}
286 		}
287 	}
288 
289 	/* ========== Decode BDESC ========== */
290 	if (spuh->mh.flags & MH_BDESC_PRES) {
291 #ifdef DEBUG
292 		struct BDESC_HEADER *bdesc = (struct BDESC_HEADER *)ptr;
293 #endif
294 		packet_log("  BDESC[0] 0x%08x\n", be32_to_cpu(*((u32 *)ptr)));
295 		packet_log("    OffsetMAC:%u LengthMAC:%u\n",
296 			   be16_to_cpu(bdesc->offset_mac),
297 			   be16_to_cpu(bdesc->length_mac));
298 		ptr += sizeof(u32);
299 
300 		packet_log("  BDESC[1] 0x%08x\n", be32_to_cpu(*((u32 *)ptr)));
301 		packet_log("    OffsetCrypto:%u LengthCrypto:%u\n",
302 			   be16_to_cpu(bdesc->offset_crypto),
303 			   be16_to_cpu(bdesc->length_crypto));
304 		ptr += sizeof(u32);
305 
306 		packet_log("  BDESC[2] 0x%08x\n", be32_to_cpu(*((u32 *)ptr)));
307 		packet_log("    OffsetICV:%u OffsetIV:%u\n",
308 			   be16_to_cpu(bdesc->offset_icv),
309 			   be16_to_cpu(bdesc->offset_iv));
310 		ptr += sizeof(u32);
311 	}
312 
313 	/* ========== Decode BD ========== */
314 	if (spuh->mh.flags & MH_BD_PRES) {
315 #ifdef DEBUG
316 		struct BD_HEADER *bd = (struct BD_HEADER *)ptr;
317 #endif
318 		packet_log("  BD[0] 0x%08x\n", be32_to_cpu(*((u32 *)ptr)));
319 		packet_log("    Size:%ubytes PrevLength:%u\n",
320 			   be16_to_cpu(bd->size), be16_to_cpu(bd->prev_length));
321 		ptr += 4;
322 	}
323 
324 	/* Double check sanity */
325 	if (buf + buf_len != ptr) {
326 		packet_log(" Packet parsed incorrectly. ");
327 		packet_log("buf:%p buf_len:%u buf+buf_len:%p ptr:%p\n",
328 			   buf, buf_len, buf + buf_len, ptr);
329 	}
330 
331 	packet_log("\n");
332 }
333 
334 /**
335  * spum_ns2_ctx_max_payload() - Determine the max length of the payload for a
336  * SPU message for a given cipher and hash alg context.
337  * @cipher_alg:		The cipher algorithm
338  * @cipher_mode:	The cipher mode
339  * @blocksize:		The size of a block of data for this algo
340  *
341  * The max payload must be a multiple of the blocksize so that if a request is
342  * too large to fit in a single SPU message, the request can be broken into
343  * max_payload sized chunks. Each chunk must be a multiple of blocksize.
344  *
345  * Return: Max payload length in bytes
346  */
347 u32 spum_ns2_ctx_max_payload(enum spu_cipher_alg cipher_alg,
348 			     enum spu_cipher_mode cipher_mode,
349 			     unsigned int blocksize)
350 {
351 	u32 max_payload = SPUM_NS2_MAX_PAYLOAD;
352 	u32 excess;
353 
354 	/* In XTS on SPU-M, we'll need to insert tweak before input data */
355 	if (cipher_mode == CIPHER_MODE_XTS)
356 		max_payload -= SPU_XTS_TWEAK_SIZE;
357 
358 	excess = max_payload % blocksize;
359 
360 	return max_payload - excess;
361 }
362 
363 /**
364  * spum_nsp_ctx_max_payload() - Determine the max length of the payload for a
365  * SPU message for a given cipher and hash alg context.
366  * @cipher_alg:		The cipher algorithm
367  * @cipher_mode:	The cipher mode
368  * @blocksize:		The size of a block of data for this algo
369  *
370  * The max payload must be a multiple of the blocksize so that if a request is
371  * too large to fit in a single SPU message, the request can be broken into
372  * max_payload sized chunks. Each chunk must be a multiple of blocksize.
373  *
374  * Return: Max payload length in bytes
375  */
376 u32 spum_nsp_ctx_max_payload(enum spu_cipher_alg cipher_alg,
377 			     enum spu_cipher_mode cipher_mode,
378 			     unsigned int blocksize)
379 {
380 	u32 max_payload = SPUM_NSP_MAX_PAYLOAD;
381 	u32 excess;
382 
383 	/* In XTS on SPU-M, we'll need to insert tweak before input data */
384 	if (cipher_mode == CIPHER_MODE_XTS)
385 		max_payload -= SPU_XTS_TWEAK_SIZE;
386 
387 	excess = max_payload % blocksize;
388 
389 	return max_payload - excess;
390 }
391 
392 /** spum_payload_length() - Given a SPU-M message header, extract the payload
393  * length.
394  * @spu_hdr:	Start of SPU header
395  *
396  * Assumes just MH, EMH, BD (no SCTX, BDESC. Works for response frames.
397  *
398  * Return: payload length in bytes
399  */
400 u32 spum_payload_length(u8 *spu_hdr)
401 {
402 	struct BD_HEADER *bd;
403 	u32 pl_len;
404 
405 	/* Find BD header.  skip MH, EMH */
406 	bd = (struct BD_HEADER *)(spu_hdr + 8);
407 	pl_len = be16_to_cpu(bd->size);
408 
409 	return pl_len;
410 }
411 
412 /**
413  * spum_response_hdr_len() - Given the length of the hash key and encryption
414  * key, determine the expected length of a SPU response header.
415  * @auth_key_len:	authentication key length (bytes)
416  * @enc_key_len:	encryption key length (bytes)
417  * @is_hash:		true if response message is for a hash operation
418  *
419  * Return: length of SPU response header (bytes)
420  */
421 u16 spum_response_hdr_len(u16 auth_key_len, u16 enc_key_len, bool is_hash)
422 {
423 	if (is_hash)
424 		return SPU_HASH_RESP_HDR_LEN;
425 	else
426 		return SPU_RESP_HDR_LEN;
427 }
428 
429 /**
430  * spum_hash_pad_len() - Calculate the length of hash padding required to extend
431  * data to a full block size.
432  * @hash_alg:   hash algorithm
433  * @hash_mode:       hash mode
434  * @chunksize:  length of data, in bytes
435  * @hash_block_size:  size of a block of data for hash algorithm
436  *
437  * Reserve space for 1 byte (0x80) start of pad and the total length as u64
438  *
439  * Return:  length of hash pad in bytes
440  */
441 u16 spum_hash_pad_len(enum hash_alg hash_alg, enum hash_mode hash_mode,
442 		      u32 chunksize, u16 hash_block_size)
443 {
444 	unsigned int length_len;
445 	unsigned int used_space_last_block;
446 	int hash_pad_len;
447 
448 	/* AES-XCBC hash requires just padding to next block boundary */
449 	if ((hash_alg == HASH_ALG_AES) && (hash_mode == HASH_MODE_XCBC)) {
450 		used_space_last_block = chunksize % hash_block_size;
451 		hash_pad_len = hash_block_size - used_space_last_block;
452 		if (hash_pad_len >= hash_block_size)
453 			hash_pad_len -= hash_block_size;
454 		return hash_pad_len;
455 	}
456 
457 	used_space_last_block = chunksize % hash_block_size + 1;
458 	if ((hash_alg == HASH_ALG_SHA384) || (hash_alg == HASH_ALG_SHA512))
459 		length_len = 2 * sizeof(u64);
460 	else
461 		length_len = sizeof(u64);
462 
463 	used_space_last_block += length_len;
464 	hash_pad_len = hash_block_size - used_space_last_block;
465 	if (hash_pad_len < 0)
466 		hash_pad_len += hash_block_size;
467 
468 	hash_pad_len += 1 + length_len;
469 	return hash_pad_len;
470 }
471 
472 /**
473  * spum_gcm_ccm_pad_len() - Determine the required length of GCM or CCM padding.
474  * @cipher_mode:	Algo type
475  * @data_size:		Length of plaintext (bytes)
476  *
477  * @Return: Length of padding, in bytes
478  */
479 u32 spum_gcm_ccm_pad_len(enum spu_cipher_mode cipher_mode,
480 			 unsigned int data_size)
481 {
482 	u32 pad_len = 0;
483 	u32 m1 = SPU_GCM_CCM_ALIGN - 1;
484 
485 	if ((cipher_mode == CIPHER_MODE_GCM) ||
486 	    (cipher_mode == CIPHER_MODE_CCM))
487 		pad_len = ((data_size + m1) & ~m1) - data_size;
488 
489 	return pad_len;
490 }
491 
492 /**
493  * spum_assoc_resp_len() - Determine the size of the receive buffer required to
494  * catch associated data.
495  * @cipher_mode:	cipher mode
496  * @assoc_len:		length of associated data (bytes)
497  * @iv_len:		length of IV (bytes)
498  * @is_encrypt:		true if encrypting. false if decrypting.
499  *
500  * Return: length of associated data in response message (bytes)
501  */
502 u32 spum_assoc_resp_len(enum spu_cipher_mode cipher_mode,
503 			unsigned int assoc_len, unsigned int iv_len,
504 			bool is_encrypt)
505 {
506 	u32 buflen = 0;
507 	u32 pad;
508 
509 	if (assoc_len)
510 		buflen = assoc_len;
511 
512 	if (cipher_mode == CIPHER_MODE_GCM) {
513 		/* AAD needs to be padded in responses too */
514 		pad = spum_gcm_ccm_pad_len(cipher_mode, buflen);
515 		buflen += pad;
516 	}
517 	if (cipher_mode == CIPHER_MODE_CCM) {
518 		/*
519 		 * AAD needs to be padded in responses too
520 		 * for CCM, len + 2 needs to be 128-bit aligned.
521 		 */
522 		pad = spum_gcm_ccm_pad_len(cipher_mode, buflen + 2);
523 		buflen += pad;
524 	}
525 
526 	return buflen;
527 }
528 
529 /**
530  * spu_aead_ivlen() - Calculate the length of the AEAD IV to be included
531  * in a SPU request after the AAD and before the payload.
532  * @cipher_mode:  cipher mode
533  * @iv_ctr_len:   initialization vector length in bytes
534  *
535  * In Linux ~4.2 and later, the assoc_data sg includes the IV. So no need
536  * to include the IV as a separate field in the SPU request msg.
537  *
538  * Return: Length of AEAD IV in bytes
539  */
540 u8 spum_aead_ivlen(enum spu_cipher_mode cipher_mode, u16 iv_len)
541 {
542 	return 0;
543 }
544 
545 /**
546  * spum_hash_type() - Determine the type of hash operation.
547  * @src_sent:  The number of bytes in the current request that have already
548  *             been sent to the SPU to be hashed.
549  *
550  * We do not use HASH_TYPE_FULL for requests that fit in a single SPU message.
551  * Using FULL causes failures (such as when the string to be hashed is empty).
552  * For similar reasons, we never use HASH_TYPE_FIN. Instead, submit messages
553  * as INIT or UPDT and do the hash padding in sw.
554  */
555 enum hash_type spum_hash_type(u32 src_sent)
556 {
557 	return src_sent ? HASH_TYPE_UPDT : HASH_TYPE_INIT;
558 }
559 
560 /**
561  * spum_digest_size() - Determine the size of a hash digest to expect the SPU to
562  * return.
563  * alg_digest_size: Number of bytes in the final digest for the given algo
564  * alg:             The hash algorithm
565  * htype:           Type of hash operation (init, update, full, etc)
566  *
567  * When doing incremental hashing for an algorithm with a truncated hash
568  * (e.g., SHA224), the SPU returns the full digest so that it can be fed back as
569  * a partial result for the next chunk.
570  */
571 u32 spum_digest_size(u32 alg_digest_size, enum hash_alg alg,
572 		     enum hash_type htype)
573 {
574 	u32 digestsize = alg_digest_size;
575 
576 	/* SPU returns complete digest when doing incremental hash and truncated
577 	 * hash algo.
578 	 */
579 	if ((htype == HASH_TYPE_INIT) || (htype == HASH_TYPE_UPDT)) {
580 		if (alg == HASH_ALG_SHA224)
581 			digestsize = SHA256_DIGEST_SIZE;
582 		else if (alg == HASH_ALG_SHA384)
583 			digestsize = SHA512_DIGEST_SIZE;
584 	}
585 	return digestsize;
586 }
587 
588 /**
589  * spum_create_request() - Build a SPU request message header, up to and
590  * including the BD header. Construct the message starting at spu_hdr. Caller
591  * should allocate this buffer in DMA-able memory at least SPU_HEADER_ALLOC_LEN
592  * bytes long.
593  * @spu_hdr: Start of buffer where SPU request header is to be written
594  * @req_opts: SPU request message options
595  * @cipher_parms: Parameters related to cipher algorithm
596  * @hash_parms:   Parameters related to hash algorithm
597  * @aead_parms:   Parameters related to AEAD operation
598  * @data_size:    Length of data to be encrypted or authenticated. If AEAD, does
599  *		  not include length of AAD.
600 
601  * Return: the length of the SPU header in bytes. 0 if an error occurs.
602  */
603 u32 spum_create_request(u8 *spu_hdr,
604 			struct spu_request_opts *req_opts,
605 			struct spu_cipher_parms *cipher_parms,
606 			struct spu_hash_parms *hash_parms,
607 			struct spu_aead_parms *aead_parms,
608 			unsigned int data_size)
609 {
610 	struct SPUHEADER *spuh;
611 	struct BDESC_HEADER *bdesc;
612 	struct BD_HEADER *bd;
613 
614 	u8 *ptr;
615 	u32 protocol_bits = 0;
616 	u32 cipher_bits = 0;
617 	u32 ecf_bits = 0;
618 	u8 sctx_words = 0;
619 	unsigned int buf_len = 0;
620 
621 	/* size of the cipher payload */
622 	unsigned int cipher_len = hash_parms->prebuf_len + data_size +
623 				hash_parms->pad_len;
624 
625 	/* offset of prebuf or data from end of BD header */
626 	unsigned int cipher_offset = aead_parms->assoc_size +
627 		aead_parms->iv_len + aead_parms->aad_pad_len;
628 
629 	/* total size of the DB data (without STAT word padding) */
630 	unsigned int real_db_size = spu_real_db_size(aead_parms->assoc_size,
631 						 aead_parms->iv_len,
632 						 hash_parms->prebuf_len,
633 						 data_size,
634 						 aead_parms->aad_pad_len,
635 						 aead_parms->data_pad_len,
636 						 hash_parms->pad_len);
637 
638 	unsigned int auth_offset = 0;
639 	unsigned int offset_iv = 0;
640 
641 	/* size/offset of the auth payload */
642 	unsigned int auth_len;
643 
644 	auth_len = real_db_size;
645 
646 	if (req_opts->is_aead && req_opts->is_inbound)
647 		cipher_len -= hash_parms->digestsize;
648 
649 	if (req_opts->is_aead && req_opts->is_inbound)
650 		auth_len -= hash_parms->digestsize;
651 
652 	if ((hash_parms->alg == HASH_ALG_AES) &&
653 	    (hash_parms->mode == HASH_MODE_XCBC)) {
654 		auth_len -= hash_parms->pad_len;
655 		cipher_len -= hash_parms->pad_len;
656 	}
657 
658 	flow_log("%s()\n", __func__);
659 	flow_log("  in:%u authFirst:%u\n",
660 		 req_opts->is_inbound, req_opts->auth_first);
661 	flow_log("  %s. cipher alg:%u mode:%u type %u\n",
662 		 spu_alg_name(cipher_parms->alg, cipher_parms->mode),
663 		 cipher_parms->alg, cipher_parms->mode, cipher_parms->type);
664 	flow_log("    key: %d\n", cipher_parms->key_len);
665 	flow_dump("    key: ", cipher_parms->key_buf, cipher_parms->key_len);
666 	flow_log("    iv: %d\n", cipher_parms->iv_len);
667 	flow_dump("    iv: ", cipher_parms->iv_buf, cipher_parms->iv_len);
668 	flow_log("  auth alg:%u mode:%u type %u\n",
669 		 hash_parms->alg, hash_parms->mode, hash_parms->type);
670 	flow_log("  digestsize: %u\n", hash_parms->digestsize);
671 	flow_log("  authkey: %d\n", hash_parms->key_len);
672 	flow_dump("  authkey: ", hash_parms->key_buf, hash_parms->key_len);
673 	flow_log("  assoc_size:%u\n", aead_parms->assoc_size);
674 	flow_log("  prebuf_len:%u\n", hash_parms->prebuf_len);
675 	flow_log("  data_size:%u\n", data_size);
676 	flow_log("  hash_pad_len:%u\n", hash_parms->pad_len);
677 	flow_log("  real_db_size:%u\n", real_db_size);
678 	flow_log(" auth_offset:%u auth_len:%u cipher_offset:%u cipher_len:%u\n",
679 		 auth_offset, auth_len, cipher_offset, cipher_len);
680 	flow_log("  aead_iv: %u\n", aead_parms->iv_len);
681 
682 	/* starting out: zero the header (plus some) */
683 	ptr = spu_hdr;
684 	memset(ptr, 0, sizeof(struct SPUHEADER));
685 
686 	/* format master header word */
687 	/* Do not set the next bit even though the datasheet says to */
688 	spuh = (struct SPUHEADER *)ptr;
689 	ptr += sizeof(struct SPUHEADER);
690 	buf_len += sizeof(struct SPUHEADER);
691 
692 	spuh->mh.op_code = SPU_CRYPTO_OPERATION_GENERIC;
693 	spuh->mh.flags |= (MH_SCTX_PRES | MH_BDESC_PRES | MH_BD_PRES);
694 
695 	/* Format sctx word 0 (protocol_bits) */
696 	sctx_words = 3;		/* size in words */
697 
698 	/* Format sctx word 1 (cipher_bits) */
699 	if (req_opts->is_inbound)
700 		cipher_bits |= CIPHER_INBOUND;
701 	if (req_opts->auth_first)
702 		cipher_bits |= CIPHER_ORDER;
703 
704 	/* Set the crypto parameters in the cipher.flags */
705 	cipher_bits |= cipher_parms->alg << CIPHER_ALG_SHIFT;
706 	cipher_bits |= cipher_parms->mode << CIPHER_MODE_SHIFT;
707 	cipher_bits |= cipher_parms->type << CIPHER_TYPE_SHIFT;
708 
709 	/* Set the auth parameters in the cipher.flags */
710 	cipher_bits |= hash_parms->alg << HASH_ALG_SHIFT;
711 	cipher_bits |= hash_parms->mode << HASH_MODE_SHIFT;
712 	cipher_bits |= hash_parms->type << HASH_TYPE_SHIFT;
713 
714 	/*
715 	 * Format sctx extensions if required, and update main fields if
716 	 * required)
717 	 */
718 	if (hash_parms->alg) {
719 		/* Write the authentication key material if present */
720 		if (hash_parms->key_len) {
721 			memcpy(ptr, hash_parms->key_buf, hash_parms->key_len);
722 			ptr += hash_parms->key_len;
723 			buf_len += hash_parms->key_len;
724 			sctx_words += hash_parms->key_len / 4;
725 		}
726 
727 		if ((cipher_parms->mode == CIPHER_MODE_GCM) ||
728 		    (cipher_parms->mode == CIPHER_MODE_CCM))
729 			/* unpadded length */
730 			offset_iv = aead_parms->assoc_size;
731 
732 		/* if GCM/CCM we need to write ICV into the payload */
733 		if (!req_opts->is_inbound) {
734 			if ((cipher_parms->mode == CIPHER_MODE_GCM) ||
735 			    (cipher_parms->mode == CIPHER_MODE_CCM))
736 				ecf_bits |= 1 << INSERT_ICV_SHIFT;
737 		} else {
738 			ecf_bits |= CHECK_ICV;
739 		}
740 
741 		/* Inform the SPU of the ICV size (in words) */
742 		if (hash_parms->digestsize == 64)
743 			cipher_bits |= ICV_IS_512;
744 		else
745 			ecf_bits |=
746 			(hash_parms->digestsize / 4) << ICV_SIZE_SHIFT;
747 	}
748 
749 	if (req_opts->bd_suppress)
750 		ecf_bits |= BD_SUPPRESS;
751 
752 	/* copy the encryption keys in the SAD entry */
753 	if (cipher_parms->alg) {
754 		if (cipher_parms->key_len) {
755 			memcpy(ptr, cipher_parms->key_buf,
756 			       cipher_parms->key_len);
757 			ptr += cipher_parms->key_len;
758 			buf_len += cipher_parms->key_len;
759 			sctx_words += cipher_parms->key_len / 4;
760 		}
761 
762 		/*
763 		 * if encrypting then set IV size, use SCTX IV unless no IV
764 		 * given here
765 		 */
766 		if (cipher_parms->iv_buf && cipher_parms->iv_len) {
767 			/* Use SCTX IV */
768 			ecf_bits |= SCTX_IV;
769 
770 			/* cipher iv provided so put it in here */
771 			memcpy(ptr, cipher_parms->iv_buf, cipher_parms->iv_len);
772 
773 			ptr += cipher_parms->iv_len;
774 			buf_len += cipher_parms->iv_len;
775 			sctx_words += cipher_parms->iv_len / 4;
776 		}
777 	}
778 
779 	/*
780 	 * RFC4543 (GMAC/ESP) requires data to be sent as part of AAD
781 	 * so we need to override the BDESC parameters.
782 	 */
783 	if (req_opts->is_rfc4543) {
784 		if (req_opts->is_inbound)
785 			data_size -= hash_parms->digestsize;
786 		offset_iv = aead_parms->assoc_size + data_size;
787 		cipher_len = 0;
788 		cipher_offset = offset_iv;
789 		auth_len = cipher_offset + aead_parms->data_pad_len;
790 	}
791 
792 	/* write in the total sctx length now that we know it */
793 	protocol_bits |= sctx_words;
794 
795 	/* Endian adjust the SCTX */
796 	spuh->sa.proto_flags = cpu_to_be32(protocol_bits);
797 	spuh->sa.cipher_flags = cpu_to_be32(cipher_bits);
798 	spuh->sa.ecf = cpu_to_be32(ecf_bits);
799 
800 	/* === create the BDESC section === */
801 	bdesc = (struct BDESC_HEADER *)ptr;
802 
803 	bdesc->offset_mac = cpu_to_be16(auth_offset);
804 	bdesc->length_mac = cpu_to_be16(auth_len);
805 	bdesc->offset_crypto = cpu_to_be16(cipher_offset);
806 	bdesc->length_crypto = cpu_to_be16(cipher_len);
807 
808 	/*
809 	 * CCM in SPU-M requires that ICV not be in same 32-bit word as data or
810 	 * padding.  So account for padding as necessary.
811 	 */
812 	if (cipher_parms->mode == CIPHER_MODE_CCM)
813 		auth_len += spum_wordalign_padlen(auth_len);
814 
815 	bdesc->offset_icv = cpu_to_be16(auth_len);
816 	bdesc->offset_iv = cpu_to_be16(offset_iv);
817 
818 	ptr += sizeof(struct BDESC_HEADER);
819 	buf_len += sizeof(struct BDESC_HEADER);
820 
821 	/* === no MFM section === */
822 
823 	/* === create the BD section === */
824 
825 	/* add the BD header */
826 	bd = (struct BD_HEADER *)ptr;
827 	bd->size = cpu_to_be16(real_db_size);
828 	bd->prev_length = 0;
829 
830 	ptr += sizeof(struct BD_HEADER);
831 	buf_len += sizeof(struct BD_HEADER);
832 
833 	packet_dump("  SPU request header: ", spu_hdr, buf_len);
834 
835 	return buf_len;
836 }
837 
838 /**
839  * spum_cipher_req_init() - Build a SPU request message header, up to and
840  * including the BD header.
841  * @spu_hdr:      Start of SPU request header (MH)
842  * @cipher_parms: Parameters that describe the cipher request
843  *
844  * Construct the message starting at spu_hdr. Caller should allocate this buffer
845  * in DMA-able memory at least SPU_HEADER_ALLOC_LEN bytes long.
846  *
847  * Return: the length of the SPU header in bytes. 0 if an error occurs.
848  */
849 u16 spum_cipher_req_init(u8 *spu_hdr, struct spu_cipher_parms *cipher_parms)
850 {
851 	struct SPUHEADER *spuh;
852 	u32 protocol_bits = 0;
853 	u32 cipher_bits = 0;
854 	u32 ecf_bits = 0;
855 	u8 sctx_words = 0;
856 	u8 *ptr = spu_hdr;
857 
858 	flow_log("%s()\n", __func__);
859 	flow_log("  cipher alg:%u mode:%u type %u\n", cipher_parms->alg,
860 		 cipher_parms->mode, cipher_parms->type);
861 	flow_log("  cipher_iv_len: %u\n", cipher_parms->iv_len);
862 	flow_log("    key: %d\n", cipher_parms->key_len);
863 	flow_dump("    key: ", cipher_parms->key_buf, cipher_parms->key_len);
864 
865 	/* starting out: zero the header (plus some) */
866 	memset(spu_hdr, 0, sizeof(struct SPUHEADER));
867 	ptr += sizeof(struct SPUHEADER);
868 
869 	/* format master header word */
870 	/* Do not set the next bit even though the datasheet says to */
871 	spuh = (struct SPUHEADER *)spu_hdr;
872 
873 	spuh->mh.op_code = SPU_CRYPTO_OPERATION_GENERIC;
874 	spuh->mh.flags |= (MH_SCTX_PRES | MH_BDESC_PRES | MH_BD_PRES);
875 
876 	/* Format sctx word 0 (protocol_bits) */
877 	sctx_words = 3;		/* size in words */
878 
879 	/* copy the encryption keys in the SAD entry */
880 	if (cipher_parms->alg) {
881 		if (cipher_parms->key_len) {
882 			ptr += cipher_parms->key_len;
883 			sctx_words += cipher_parms->key_len / 4;
884 		}
885 
886 		/*
887 		 * if encrypting then set IV size, use SCTX IV unless no IV
888 		 * given here
889 		 */
890 		if (cipher_parms->iv_len) {
891 			/* Use SCTX IV */
892 			ecf_bits |= SCTX_IV;
893 			ptr += cipher_parms->iv_len;
894 			sctx_words += cipher_parms->iv_len / 4;
895 		}
896 	}
897 
898 	/* Set the crypto parameters in the cipher.flags */
899 	cipher_bits |= cipher_parms->alg << CIPHER_ALG_SHIFT;
900 	cipher_bits |= cipher_parms->mode << CIPHER_MODE_SHIFT;
901 	cipher_bits |= cipher_parms->type << CIPHER_TYPE_SHIFT;
902 
903 	/* copy the encryption keys in the SAD entry */
904 	if (cipher_parms->alg && cipher_parms->key_len)
905 		memcpy(spuh + 1, cipher_parms->key_buf, cipher_parms->key_len);
906 
907 	/* write in the total sctx length now that we know it */
908 	protocol_bits |= sctx_words;
909 
910 	/* Endian adjust the SCTX */
911 	spuh->sa.proto_flags = cpu_to_be32(protocol_bits);
912 
913 	/* Endian adjust the SCTX */
914 	spuh->sa.cipher_flags = cpu_to_be32(cipher_bits);
915 	spuh->sa.ecf = cpu_to_be32(ecf_bits);
916 
917 	packet_dump("  SPU request header: ", spu_hdr,
918 		    sizeof(struct SPUHEADER));
919 
920 	return sizeof(struct SPUHEADER) + cipher_parms->key_len +
921 		cipher_parms->iv_len + sizeof(struct BDESC_HEADER) +
922 		sizeof(struct BD_HEADER);
923 }
924 
925 /**
926  * spum_cipher_req_finish() - Finish building a SPU request message header for a
927  * block cipher request. Assumes much of the header was already filled in at
928  * setkey() time in spu_cipher_req_init().
929  * @spu_hdr:         Start of the request message header (MH field)
930  * @spu_req_hdr_len: Length in bytes of the SPU request header
931  * @isInbound:       0 encrypt, 1 decrypt
932  * @cipher_parms:    Parameters describing cipher operation to be performed
933  * @update_key:      If true, rewrite the cipher key in SCTX
934  * @data_size:       Length of the data in the BD field
935  *
936  * Assumes much of the header was already filled in at setkey() time in
937  * spum_cipher_req_init().
938  * spum_cipher_req_init() fills in the encryption key. For RC4, when submitting
939  * a request for a non-first chunk, we use the 260-byte SUPDT field from the
940  * previous response as the key. update_key is true for this case. Unused in all
941  * other cases.
942  */
943 void spum_cipher_req_finish(u8 *spu_hdr,
944 			    u16 spu_req_hdr_len,
945 			    unsigned int is_inbound,
946 			    struct spu_cipher_parms *cipher_parms,
947 			    bool update_key,
948 			    unsigned int data_size)
949 {
950 	struct SPUHEADER *spuh;
951 	struct BDESC_HEADER *bdesc;
952 	struct BD_HEADER *bd;
953 	u8 *bdesc_ptr = spu_hdr + spu_req_hdr_len -
954 	    (sizeof(struct BD_HEADER) + sizeof(struct BDESC_HEADER));
955 
956 	u32 cipher_bits;
957 
958 	flow_log("%s()\n", __func__);
959 	flow_log(" in: %u\n", is_inbound);
960 	flow_log(" cipher alg: %u, cipher_type: %u\n", cipher_parms->alg,
961 		 cipher_parms->type);
962 	if (update_key) {
963 		flow_log(" cipher key len: %u\n", cipher_parms->key_len);
964 		flow_dump("  key: ", cipher_parms->key_buf,
965 			  cipher_parms->key_len);
966 	}
967 
968 	/*
969 	 * In XTS mode, API puts "i" parameter (block tweak) in IV.  For
970 	 * SPU-M, should be in start of the BD; tx_sg_create() copies it there.
971 	 * IV in SPU msg for SPU-M should be 0, since that's the "j" parameter
972 	 * (block ctr within larger data unit) - given we can send entire disk
973 	 * block (<= 4KB) in 1 SPU msg, don't need to use this parameter.
974 	 */
975 	if (cipher_parms->mode == CIPHER_MODE_XTS)
976 		memset(cipher_parms->iv_buf, 0, cipher_parms->iv_len);
977 
978 	flow_log(" iv len: %d\n", cipher_parms->iv_len);
979 	flow_dump("    iv: ", cipher_parms->iv_buf, cipher_parms->iv_len);
980 	flow_log(" data_size: %u\n", data_size);
981 
982 	/* format master header word */
983 	/* Do not set the next bit even though the datasheet says to */
984 	spuh = (struct SPUHEADER *)spu_hdr;
985 
986 	/* cipher_bits was initialized at setkey time */
987 	cipher_bits = be32_to_cpu(spuh->sa.cipher_flags);
988 
989 	/* Format sctx word 1 (cipher_bits) */
990 	if (is_inbound)
991 		cipher_bits |= CIPHER_INBOUND;
992 	else
993 		cipher_bits &= ~CIPHER_INBOUND;
994 
995 	/* update encryption key for RC4 on non-first chunk */
996 	if (update_key) {
997 		spuh->sa.cipher_flags |=
998 			cipher_parms->type << CIPHER_TYPE_SHIFT;
999 		memcpy(spuh + 1, cipher_parms->key_buf, cipher_parms->key_len);
1000 	}
1001 
1002 	if (cipher_parms->alg && cipher_parms->iv_buf && cipher_parms->iv_len)
1003 		/* cipher iv provided so put it in here */
1004 		memcpy(bdesc_ptr - cipher_parms->iv_len, cipher_parms->iv_buf,
1005 		       cipher_parms->iv_len);
1006 
1007 	spuh->sa.cipher_flags = cpu_to_be32(cipher_bits);
1008 
1009 	/* === create the BDESC section === */
1010 	bdesc = (struct BDESC_HEADER *)bdesc_ptr;
1011 	bdesc->offset_mac = 0;
1012 	bdesc->length_mac = 0;
1013 	bdesc->offset_crypto = 0;
1014 
1015 	/* XTS mode, data_size needs to include tweak parameter */
1016 	if (cipher_parms->mode == CIPHER_MODE_XTS)
1017 		bdesc->length_crypto = cpu_to_be16(data_size +
1018 						  SPU_XTS_TWEAK_SIZE);
1019 	else
1020 		bdesc->length_crypto = cpu_to_be16(data_size);
1021 
1022 	bdesc->offset_icv = 0;
1023 	bdesc->offset_iv = 0;
1024 
1025 	/* === no MFM section === */
1026 
1027 	/* === create the BD section === */
1028 	/* add the BD header */
1029 	bd = (struct BD_HEADER *)(bdesc_ptr + sizeof(struct BDESC_HEADER));
1030 	bd->size = cpu_to_be16(data_size);
1031 
1032 	/* XTS mode, data_size needs to include tweak parameter */
1033 	if (cipher_parms->mode == CIPHER_MODE_XTS)
1034 		bd->size = cpu_to_be16(data_size + SPU_XTS_TWEAK_SIZE);
1035 	else
1036 		bd->size = cpu_to_be16(data_size);
1037 
1038 	bd->prev_length = 0;
1039 
1040 	packet_dump("  SPU request header: ", spu_hdr, spu_req_hdr_len);
1041 }
1042 
1043 /**
1044  * spum_request_pad() - Create pad bytes at the end of the data.
1045  * @pad_start:		Start of buffer where pad bytes are to be written
1046  * @gcm_ccm_padding:	length of GCM/CCM padding, in bytes
1047  * @hash_pad_len:	Number of bytes of padding extend data to full block
1048  * @auth_alg:		authentication algorithm
1049  * @auth_mode:		authentication mode
1050  * @total_sent:		length inserted at end of hash pad
1051  * @status_padding:	Number of bytes of padding to align STATUS word
1052  *
1053  * There may be three forms of pad:
1054  *  1. GCM/CCM pad - for GCM/CCM mode ciphers, pad to 16-byte alignment
1055  *  2. hash pad - pad to a block length, with 0x80 data terminator and
1056  *                size at the end
1057  *  3. STAT pad - to ensure the STAT field is 4-byte aligned
1058  */
1059 void spum_request_pad(u8 *pad_start,
1060 		      u32 gcm_ccm_padding,
1061 		      u32 hash_pad_len,
1062 		      enum hash_alg auth_alg,
1063 		      enum hash_mode auth_mode,
1064 		      unsigned int total_sent, u32 status_padding)
1065 {
1066 	u8 *ptr = pad_start;
1067 
1068 	/* fix data alignent for GCM/CCM */
1069 	if (gcm_ccm_padding > 0) {
1070 		flow_log("  GCM: padding to 16 byte alignment: %u bytes\n",
1071 			 gcm_ccm_padding);
1072 		memset(ptr, 0, gcm_ccm_padding);
1073 		ptr += gcm_ccm_padding;
1074 	}
1075 
1076 	if (hash_pad_len > 0) {
1077 		/* clear the padding section */
1078 		memset(ptr, 0, hash_pad_len);
1079 
1080 		if ((auth_alg == HASH_ALG_AES) &&
1081 		    (auth_mode == HASH_MODE_XCBC)) {
1082 			/* AES/XCBC just requires padding to be 0s */
1083 			ptr += hash_pad_len;
1084 		} else {
1085 			/* terminate the data */
1086 			*ptr = 0x80;
1087 			ptr += (hash_pad_len - sizeof(u64));
1088 
1089 			/* add the size at the end as required per alg */
1090 			if (auth_alg == HASH_ALG_MD5)
1091 				*(u64 *)ptr = cpu_to_le64((u64)total_sent * 8);
1092 			else		/* SHA1, SHA2-224, SHA2-256 */
1093 				*(u64 *)ptr = cpu_to_be64((u64)total_sent * 8);
1094 			ptr += sizeof(u64);
1095 		}
1096 	}
1097 
1098 	/* pad to a 4byte alignment for STAT */
1099 	if (status_padding > 0) {
1100 		flow_log("  STAT: padding to 4 byte alignment: %u bytes\n",
1101 			 status_padding);
1102 
1103 		memset(ptr, 0, status_padding);
1104 		ptr += status_padding;
1105 	}
1106 }
1107 
1108 /**
1109  * spum_xts_tweak_in_payload() - Indicate that SPUM DOES place the XTS tweak
1110  * field in the packet payload (rather than using IV)
1111  *
1112  * Return: 1
1113  */
1114 u8 spum_xts_tweak_in_payload(void)
1115 {
1116 	return 1;
1117 }
1118 
1119 /**
1120  * spum_tx_status_len() - Return the length of the STATUS field in a SPU
1121  * response message.
1122  *
1123  * Return: Length of STATUS field in bytes.
1124  */
1125 u8 spum_tx_status_len(void)
1126 {
1127 	return SPU_TX_STATUS_LEN;
1128 }
1129 
1130 /**
1131  * spum_rx_status_len() - Return the length of the STATUS field in a SPU
1132  * response message.
1133  *
1134  * Return: Length of STATUS field in bytes.
1135  */
1136 u8 spum_rx_status_len(void)
1137 {
1138 	return SPU_RX_STATUS_LEN;
1139 }
1140 
1141 /**
1142  * spum_status_process() - Process the status from a SPU response message.
1143  * @statp:  start of STATUS word
1144  * Return:
1145  *   0 - if status is good and response should be processed
1146  *   !0 - status indicates an error and response is invalid
1147  */
1148 int spum_status_process(u8 *statp)
1149 {
1150 	u32 status;
1151 
1152 	status = __be32_to_cpu(*(__be32 *)statp);
1153 	flow_log("SPU response STATUS %#08x\n", status);
1154 	if (status & SPU_STATUS_ERROR_FLAG) {
1155 		pr_err("%s() Warning: Error result from SPU: %#08x\n",
1156 		       __func__, status);
1157 		if (status & SPU_STATUS_INVALID_ICV)
1158 			return SPU_INVALID_ICV;
1159 		return -EBADMSG;
1160 	}
1161 	return 0;
1162 }
1163 
1164 /**
1165  * spum_ccm_update_iv() - Update the IV as per the requirements for CCM mode.
1166  *
1167  * @digestsize:		Digest size of this request
1168  * @cipher_parms:	(pointer to) cipher parmaeters, includes IV buf & IV len
1169  * @assoclen:		Length of AAD data
1170  * @chunksize:		length of input data to be sent in this req
1171  * @is_encrypt:		true if this is an output/encrypt operation
1172  * @is_esp:		true if this is an ESP / RFC4309 operation
1173  *
1174  */
1175 void spum_ccm_update_iv(unsigned int digestsize,
1176 			struct spu_cipher_parms *cipher_parms,
1177 			unsigned int assoclen,
1178 			unsigned int chunksize,
1179 			bool is_encrypt,
1180 			bool is_esp)
1181 {
1182 	u8 L;		/* L from CCM algorithm, length of plaintext data */
1183 	u8 mprime;	/* M' from CCM algo, (M - 2) / 2, where M=authsize */
1184 	u8 adata;
1185 
1186 	if (cipher_parms->iv_len != CCM_AES_IV_SIZE) {
1187 		pr_err("%s(): Invalid IV len %d for CCM mode, should be %d\n",
1188 		       __func__, cipher_parms->iv_len, CCM_AES_IV_SIZE);
1189 		return;
1190 	}
1191 
1192 	/*
1193 	 * IV needs to be formatted as follows:
1194 	 *
1195 	 * |          Byte 0               | Bytes 1 - N | Bytes (N+1) - 15 |
1196 	 * | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | Bits 7 - 0  |    Bits 7 - 0    |
1197 	 * | 0 |Ad?|(M - 2) / 2|   L - 1   |    Nonce    | Plaintext Length |
1198 	 *
1199 	 * Ad? = 1 if AAD present, 0 if not present
1200 	 * M = size of auth field, 8, 12, or 16 bytes (SPU-M) -or-
1201 	 *                         4, 6, 8, 10, 12, 14, 16 bytes (SPU2)
1202 	 * L = Size of Plaintext Length field; Nonce size = 15 - L
1203 	 *
1204 	 * It appears that the crypto API already expects the L-1 portion
1205 	 * to be set in the first byte of the IV, which implicitly determines
1206 	 * the nonce size, and also fills in the nonce.  But the other bits
1207 	 * in byte 0 as well as the plaintext length need to be filled in.
1208 	 *
1209 	 * In rfc4309/esp mode, L is not already in the supplied IV and
1210 	 * we need to fill it in, as well as move the IV data to be after
1211 	 * the salt
1212 	 */
1213 	if (is_esp) {
1214 		L = CCM_ESP_L_VALUE;	/* RFC4309 has fixed L */
1215 	} else {
1216 		/* L' = plaintext length - 1 so Plaintext length is L' + 1 */
1217 		L = ((cipher_parms->iv_buf[0] & CCM_B0_L_PRIME) >>
1218 		      CCM_B0_L_PRIME_SHIFT) + 1;
1219 	}
1220 
1221 	mprime = (digestsize - 2) >> 1;  /* M' = (M - 2) / 2 */
1222 	adata = (assoclen > 0);  /* adata = 1 if any associated data */
1223 
1224 	cipher_parms->iv_buf[0] = (adata << CCM_B0_ADATA_SHIFT) |
1225 				  (mprime << CCM_B0_M_PRIME_SHIFT) |
1226 				  ((L - 1) << CCM_B0_L_PRIME_SHIFT);
1227 
1228 	/* Nonce is already filled in by crypto API, and is 15 - L bytes */
1229 
1230 	/* Don't include digest in plaintext size when decrypting */
1231 	if (!is_encrypt)
1232 		chunksize -= digestsize;
1233 
1234 	/* Fill in length of plaintext, formatted to be L bytes long */
1235 	format_value_ccm(chunksize, &cipher_parms->iv_buf[15 - L + 1], L);
1236 }
1237 
1238 /**
1239  * spum_wordalign_padlen() - Given the length of a data field, determine the
1240  * padding required to align the data following this field on a 4-byte boundary.
1241  * @data_size: length of data field in bytes
1242  *
1243  * Return: length of status field padding, in bytes
1244  */
1245 u32 spum_wordalign_padlen(u32 data_size)
1246 {
1247 	return ((data_size + 3) & ~3) - data_size;
1248 }
1249