1 // SPDX-License-Identifier: GPL-2.0-only 2 /** 3 * AES CCM routines supporting the Power 7+ Nest Accelerators driver 4 * 5 * Copyright (C) 2012 International Business Machines Inc. 6 * 7 * Author: Kent Yoder <yoder1@us.ibm.com> 8 */ 9 10 #include <crypto/internal/aead.h> 11 #include <crypto/aes.h> 12 #include <crypto/algapi.h> 13 #include <crypto/scatterwalk.h> 14 #include <linux/module.h> 15 #include <linux/types.h> 16 #include <linux/crypto.h> 17 #include <asm/vio.h> 18 19 #include "nx_csbcpb.h" 20 #include "nx.h" 21 22 23 static int ccm_aes_nx_set_key(struct crypto_aead *tfm, 24 const u8 *in_key, 25 unsigned int key_len) 26 { 27 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&tfm->base); 28 struct nx_csbcpb *csbcpb = nx_ctx->csbcpb; 29 struct nx_csbcpb *csbcpb_aead = nx_ctx->csbcpb_aead; 30 31 nx_ctx_init(nx_ctx, HCOP_FC_AES); 32 33 switch (key_len) { 34 case AES_KEYSIZE_128: 35 NX_CPB_SET_KEY_SIZE(csbcpb, NX_KS_AES_128); 36 NX_CPB_SET_KEY_SIZE(csbcpb_aead, NX_KS_AES_128); 37 nx_ctx->ap = &nx_ctx->props[NX_PROPS_AES_128]; 38 break; 39 default: 40 return -EINVAL; 41 } 42 43 csbcpb->cpb.hdr.mode = NX_MODE_AES_CCM; 44 memcpy(csbcpb->cpb.aes_ccm.key, in_key, key_len); 45 46 csbcpb_aead->cpb.hdr.mode = NX_MODE_AES_CCA; 47 memcpy(csbcpb_aead->cpb.aes_cca.key, in_key, key_len); 48 49 return 0; 50 51 } 52 53 static int ccm4309_aes_nx_set_key(struct crypto_aead *tfm, 54 const u8 *in_key, 55 unsigned int key_len) 56 { 57 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(&tfm->base); 58 59 if (key_len < 3) 60 return -EINVAL; 61 62 key_len -= 3; 63 64 memcpy(nx_ctx->priv.ccm.nonce, in_key + key_len, 3); 65 66 return ccm_aes_nx_set_key(tfm, in_key, key_len); 67 } 68 69 static int ccm_aes_nx_setauthsize(struct crypto_aead *tfm, 70 unsigned int authsize) 71 { 72 switch (authsize) { 73 case 4: 74 case 6: 75 case 8: 76 case 10: 77 case 12: 78 case 14: 79 case 16: 80 break; 81 default: 82 return -EINVAL; 83 } 84 85 return 0; 86 } 87 88 static int ccm4309_aes_nx_setauthsize(struct crypto_aead *tfm, 89 unsigned int authsize) 90 { 91 switch (authsize) { 92 case 8: 93 case 12: 94 case 16: 95 break; 96 default: 97 return -EINVAL; 98 } 99 100 return 0; 101 } 102 103 /* taken from crypto/ccm.c */ 104 static int set_msg_len(u8 *block, unsigned int msglen, int csize) 105 { 106 __be32 data; 107 108 memset(block, 0, csize); 109 block += csize; 110 111 if (csize >= 4) 112 csize = 4; 113 else if (msglen > (unsigned int)(1 << (8 * csize))) 114 return -EOVERFLOW; 115 116 data = cpu_to_be32(msglen); 117 memcpy(block - csize, (u8 *)&data + 4 - csize, csize); 118 119 return 0; 120 } 121 122 /* taken from crypto/ccm.c */ 123 static inline int crypto_ccm_check_iv(const u8 *iv) 124 { 125 /* 2 <= L <= 8, so 1 <= L' <= 7. */ 126 if (1 > iv[0] || iv[0] > 7) 127 return -EINVAL; 128 129 return 0; 130 } 131 132 /* based on code from crypto/ccm.c */ 133 static int generate_b0(u8 *iv, unsigned int assoclen, unsigned int authsize, 134 unsigned int cryptlen, u8 *b0) 135 { 136 unsigned int l, lp, m = authsize; 137 int rc; 138 139 memcpy(b0, iv, 16); 140 141 lp = b0[0]; 142 l = lp + 1; 143 144 /* set m, bits 3-5 */ 145 *b0 |= (8 * ((m - 2) / 2)); 146 147 /* set adata, bit 6, if associated data is used */ 148 if (assoclen) 149 *b0 |= 64; 150 151 rc = set_msg_len(b0 + 16 - l, cryptlen, l); 152 153 return rc; 154 } 155 156 static int generate_pat(u8 *iv, 157 struct aead_request *req, 158 struct nx_crypto_ctx *nx_ctx, 159 unsigned int authsize, 160 unsigned int nbytes, 161 unsigned int assoclen, 162 u8 *out) 163 { 164 struct nx_sg *nx_insg = nx_ctx->in_sg; 165 struct nx_sg *nx_outsg = nx_ctx->out_sg; 166 unsigned int iauth_len = 0; 167 u8 tmp[16], *b1 = NULL, *b0 = NULL, *result = NULL; 168 int rc; 169 unsigned int max_sg_len; 170 171 /* zero the ctr value */ 172 memset(iv + 15 - iv[0], 0, iv[0] + 1); 173 174 /* page 78 of nx_wb.pdf has, 175 * Note: RFC3610 allows the AAD data to be up to 2^64 -1 bytes 176 * in length. If a full message is used, the AES CCA implementation 177 * restricts the maximum AAD length to 2^32 -1 bytes. 178 * If partial messages are used, the implementation supports 179 * 2^64 -1 bytes maximum AAD length. 180 * 181 * However, in the cryptoapi's aead_request structure, 182 * assoclen is an unsigned int, thus it cannot hold a length 183 * value greater than 2^32 - 1. 184 * Thus the AAD is further constrained by this and is never 185 * greater than 2^32. 186 */ 187 188 if (!assoclen) { 189 b0 = nx_ctx->csbcpb->cpb.aes_ccm.in_pat_or_b0; 190 } else if (assoclen <= 14) { 191 /* if associated data is 14 bytes or less, we do 1 GCM 192 * operation on 2 AES blocks, B0 (stored in the csbcpb) and B1, 193 * which is fed in through the source buffers here */ 194 b0 = nx_ctx->csbcpb->cpb.aes_ccm.in_pat_or_b0; 195 b1 = nx_ctx->priv.ccm.iauth_tag; 196 iauth_len = assoclen; 197 } else if (assoclen <= 65280) { 198 /* if associated data is less than (2^16 - 2^8), we construct 199 * B1 differently and feed in the associated data to a CCA 200 * operation */ 201 b0 = nx_ctx->csbcpb_aead->cpb.aes_cca.b0; 202 b1 = nx_ctx->csbcpb_aead->cpb.aes_cca.b1; 203 iauth_len = 14; 204 } else { 205 b0 = nx_ctx->csbcpb_aead->cpb.aes_cca.b0; 206 b1 = nx_ctx->csbcpb_aead->cpb.aes_cca.b1; 207 iauth_len = 10; 208 } 209 210 /* generate B0 */ 211 rc = generate_b0(iv, assoclen, authsize, nbytes, b0); 212 if (rc) 213 return rc; 214 215 /* generate B1: 216 * add control info for associated data 217 * RFC 3610 and NIST Special Publication 800-38C 218 */ 219 if (b1) { 220 memset(b1, 0, 16); 221 if (assoclen <= 65280) { 222 *(u16 *)b1 = assoclen; 223 scatterwalk_map_and_copy(b1 + 2, req->src, 0, 224 iauth_len, SCATTERWALK_FROM_SG); 225 } else { 226 *(u16 *)b1 = (u16)(0xfffe); 227 *(u32 *)&b1[2] = assoclen; 228 scatterwalk_map_and_copy(b1 + 6, req->src, 0, 229 iauth_len, SCATTERWALK_FROM_SG); 230 } 231 } 232 233 /* now copy any remaining AAD to scatterlist and call nx... */ 234 if (!assoclen) { 235 return rc; 236 } else if (assoclen <= 14) { 237 unsigned int len = 16; 238 239 nx_insg = nx_build_sg_list(nx_insg, b1, &len, nx_ctx->ap->sglen); 240 241 if (len != 16) 242 return -EINVAL; 243 244 nx_outsg = nx_build_sg_list(nx_outsg, tmp, &len, 245 nx_ctx->ap->sglen); 246 247 if (len != 16) 248 return -EINVAL; 249 250 /* inlen should be negative, indicating to phyp that its a 251 * pointer to an sg list */ 252 nx_ctx->op.inlen = (nx_ctx->in_sg - nx_insg) * 253 sizeof(struct nx_sg); 254 nx_ctx->op.outlen = (nx_ctx->out_sg - nx_outsg) * 255 sizeof(struct nx_sg); 256 257 NX_CPB_FDM(nx_ctx->csbcpb) |= NX_FDM_ENDE_ENCRYPT; 258 NX_CPB_FDM(nx_ctx->csbcpb) |= NX_FDM_INTERMEDIATE; 259 260 result = nx_ctx->csbcpb->cpb.aes_ccm.out_pat_or_mac; 261 262 rc = nx_hcall_sync(nx_ctx, &nx_ctx->op, 263 req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP); 264 if (rc) 265 return rc; 266 267 atomic_inc(&(nx_ctx->stats->aes_ops)); 268 atomic64_add(assoclen, &nx_ctx->stats->aes_bytes); 269 270 } else { 271 unsigned int processed = 0, to_process; 272 273 processed += iauth_len; 274 275 /* page_limit: number of sg entries that fit on one page */ 276 max_sg_len = min_t(u64, nx_ctx->ap->sglen, 277 nx_driver.of.max_sg_len/sizeof(struct nx_sg)); 278 max_sg_len = min_t(u64, max_sg_len, 279 nx_ctx->ap->databytelen/NX_PAGE_SIZE); 280 281 do { 282 to_process = min_t(u32, assoclen - processed, 283 nx_ctx->ap->databytelen); 284 285 nx_insg = nx_walk_and_build(nx_ctx->in_sg, 286 nx_ctx->ap->sglen, 287 req->src, processed, 288 &to_process); 289 290 if ((to_process + processed) < assoclen) { 291 NX_CPB_FDM(nx_ctx->csbcpb_aead) |= 292 NX_FDM_INTERMEDIATE; 293 } else { 294 NX_CPB_FDM(nx_ctx->csbcpb_aead) &= 295 ~NX_FDM_INTERMEDIATE; 296 } 297 298 299 nx_ctx->op_aead.inlen = (nx_ctx->in_sg - nx_insg) * 300 sizeof(struct nx_sg); 301 302 result = nx_ctx->csbcpb_aead->cpb.aes_cca.out_pat_or_b0; 303 304 rc = nx_hcall_sync(nx_ctx, &nx_ctx->op_aead, 305 req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP); 306 if (rc) 307 return rc; 308 309 memcpy(nx_ctx->csbcpb_aead->cpb.aes_cca.b0, 310 nx_ctx->csbcpb_aead->cpb.aes_cca.out_pat_or_b0, 311 AES_BLOCK_SIZE); 312 313 NX_CPB_FDM(nx_ctx->csbcpb_aead) |= NX_FDM_CONTINUATION; 314 315 atomic_inc(&(nx_ctx->stats->aes_ops)); 316 atomic64_add(assoclen, &nx_ctx->stats->aes_bytes); 317 318 processed += to_process; 319 } while (processed < assoclen); 320 321 result = nx_ctx->csbcpb_aead->cpb.aes_cca.out_pat_or_b0; 322 } 323 324 memcpy(out, result, AES_BLOCK_SIZE); 325 326 return rc; 327 } 328 329 static int ccm_nx_decrypt(struct aead_request *req, 330 struct blkcipher_desc *desc, 331 unsigned int assoclen) 332 { 333 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); 334 struct nx_csbcpb *csbcpb = nx_ctx->csbcpb; 335 unsigned int nbytes = req->cryptlen; 336 unsigned int authsize = crypto_aead_authsize(crypto_aead_reqtfm(req)); 337 struct nx_ccm_priv *priv = &nx_ctx->priv.ccm; 338 unsigned long irq_flags; 339 unsigned int processed = 0, to_process; 340 int rc = -1; 341 342 spin_lock_irqsave(&nx_ctx->lock, irq_flags); 343 344 nbytes -= authsize; 345 346 /* copy out the auth tag to compare with later */ 347 scatterwalk_map_and_copy(priv->oauth_tag, 348 req->src, nbytes + req->assoclen, authsize, 349 SCATTERWALK_FROM_SG); 350 351 rc = generate_pat(desc->info, req, nx_ctx, authsize, nbytes, assoclen, 352 csbcpb->cpb.aes_ccm.in_pat_or_b0); 353 if (rc) 354 goto out; 355 356 do { 357 358 /* to_process: the AES_BLOCK_SIZE data chunk to process in this 359 * update. This value is bound by sg list limits. 360 */ 361 to_process = nbytes - processed; 362 363 if ((to_process + processed) < nbytes) 364 NX_CPB_FDM(csbcpb) |= NX_FDM_INTERMEDIATE; 365 else 366 NX_CPB_FDM(csbcpb) &= ~NX_FDM_INTERMEDIATE; 367 368 NX_CPB_FDM(nx_ctx->csbcpb) &= ~NX_FDM_ENDE_ENCRYPT; 369 370 rc = nx_build_sg_lists(nx_ctx, desc, req->dst, req->src, 371 &to_process, processed + req->assoclen, 372 csbcpb->cpb.aes_ccm.iv_or_ctr); 373 if (rc) 374 goto out; 375 376 rc = nx_hcall_sync(nx_ctx, &nx_ctx->op, 377 req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP); 378 if (rc) 379 goto out; 380 381 /* for partial completion, copy following for next 382 * entry into loop... 383 */ 384 memcpy(desc->info, csbcpb->cpb.aes_ccm.out_ctr, AES_BLOCK_SIZE); 385 memcpy(csbcpb->cpb.aes_ccm.in_pat_or_b0, 386 csbcpb->cpb.aes_ccm.out_pat_or_mac, AES_BLOCK_SIZE); 387 memcpy(csbcpb->cpb.aes_ccm.in_s0, 388 csbcpb->cpb.aes_ccm.out_s0, AES_BLOCK_SIZE); 389 390 NX_CPB_FDM(csbcpb) |= NX_FDM_CONTINUATION; 391 392 /* update stats */ 393 atomic_inc(&(nx_ctx->stats->aes_ops)); 394 atomic64_add(csbcpb->csb.processed_byte_count, 395 &(nx_ctx->stats->aes_bytes)); 396 397 processed += to_process; 398 } while (processed < nbytes); 399 400 rc = crypto_memneq(csbcpb->cpb.aes_ccm.out_pat_or_mac, priv->oauth_tag, 401 authsize) ? -EBADMSG : 0; 402 out: 403 spin_unlock_irqrestore(&nx_ctx->lock, irq_flags); 404 return rc; 405 } 406 407 static int ccm_nx_encrypt(struct aead_request *req, 408 struct blkcipher_desc *desc, 409 unsigned int assoclen) 410 { 411 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); 412 struct nx_csbcpb *csbcpb = nx_ctx->csbcpb; 413 unsigned int nbytes = req->cryptlen; 414 unsigned int authsize = crypto_aead_authsize(crypto_aead_reqtfm(req)); 415 unsigned long irq_flags; 416 unsigned int processed = 0, to_process; 417 int rc = -1; 418 419 spin_lock_irqsave(&nx_ctx->lock, irq_flags); 420 421 rc = generate_pat(desc->info, req, nx_ctx, authsize, nbytes, assoclen, 422 csbcpb->cpb.aes_ccm.in_pat_or_b0); 423 if (rc) 424 goto out; 425 426 do { 427 /* to process: the AES_BLOCK_SIZE data chunk to process in this 428 * update. This value is bound by sg list limits. 429 */ 430 to_process = nbytes - processed; 431 432 if ((to_process + processed) < nbytes) 433 NX_CPB_FDM(csbcpb) |= NX_FDM_INTERMEDIATE; 434 else 435 NX_CPB_FDM(csbcpb) &= ~NX_FDM_INTERMEDIATE; 436 437 NX_CPB_FDM(csbcpb) |= NX_FDM_ENDE_ENCRYPT; 438 439 rc = nx_build_sg_lists(nx_ctx, desc, req->dst, req->src, 440 &to_process, processed + req->assoclen, 441 csbcpb->cpb.aes_ccm.iv_or_ctr); 442 if (rc) 443 goto out; 444 445 rc = nx_hcall_sync(nx_ctx, &nx_ctx->op, 446 req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP); 447 if (rc) 448 goto out; 449 450 /* for partial completion, copy following for next 451 * entry into loop... 452 */ 453 memcpy(desc->info, csbcpb->cpb.aes_ccm.out_ctr, AES_BLOCK_SIZE); 454 memcpy(csbcpb->cpb.aes_ccm.in_pat_or_b0, 455 csbcpb->cpb.aes_ccm.out_pat_or_mac, AES_BLOCK_SIZE); 456 memcpy(csbcpb->cpb.aes_ccm.in_s0, 457 csbcpb->cpb.aes_ccm.out_s0, AES_BLOCK_SIZE); 458 459 NX_CPB_FDM(csbcpb) |= NX_FDM_CONTINUATION; 460 461 /* update stats */ 462 atomic_inc(&(nx_ctx->stats->aes_ops)); 463 atomic64_add(csbcpb->csb.processed_byte_count, 464 &(nx_ctx->stats->aes_bytes)); 465 466 processed += to_process; 467 468 } while (processed < nbytes); 469 470 /* copy out the auth tag */ 471 scatterwalk_map_and_copy(csbcpb->cpb.aes_ccm.out_pat_or_mac, 472 req->dst, nbytes + req->assoclen, authsize, 473 SCATTERWALK_TO_SG); 474 475 out: 476 spin_unlock_irqrestore(&nx_ctx->lock, irq_flags); 477 return rc; 478 } 479 480 static int ccm4309_aes_nx_encrypt(struct aead_request *req) 481 { 482 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); 483 struct nx_gcm_rctx *rctx = aead_request_ctx(req); 484 struct blkcipher_desc desc; 485 u8 *iv = rctx->iv; 486 487 iv[0] = 3; 488 memcpy(iv + 1, nx_ctx->priv.ccm.nonce, 3); 489 memcpy(iv + 4, req->iv, 8); 490 491 desc.info = iv; 492 493 return ccm_nx_encrypt(req, &desc, req->assoclen - 8); 494 } 495 496 static int ccm_aes_nx_encrypt(struct aead_request *req) 497 { 498 struct blkcipher_desc desc; 499 int rc; 500 501 desc.info = req->iv; 502 503 rc = crypto_ccm_check_iv(desc.info); 504 if (rc) 505 return rc; 506 507 return ccm_nx_encrypt(req, &desc, req->assoclen); 508 } 509 510 static int ccm4309_aes_nx_decrypt(struct aead_request *req) 511 { 512 struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(req->base.tfm); 513 struct nx_gcm_rctx *rctx = aead_request_ctx(req); 514 struct blkcipher_desc desc; 515 u8 *iv = rctx->iv; 516 517 iv[0] = 3; 518 memcpy(iv + 1, nx_ctx->priv.ccm.nonce, 3); 519 memcpy(iv + 4, req->iv, 8); 520 521 desc.info = iv; 522 523 return ccm_nx_decrypt(req, &desc, req->assoclen - 8); 524 } 525 526 static int ccm_aes_nx_decrypt(struct aead_request *req) 527 { 528 struct blkcipher_desc desc; 529 int rc; 530 531 desc.info = req->iv; 532 533 rc = crypto_ccm_check_iv(desc.info); 534 if (rc) 535 return rc; 536 537 return ccm_nx_decrypt(req, &desc, req->assoclen); 538 } 539 540 /* tell the block cipher walk routines that this is a stream cipher by 541 * setting cra_blocksize to 1. Even using blkcipher_walk_virt_block 542 * during encrypt/decrypt doesn't solve this problem, because it calls 543 * blkcipher_walk_done under the covers, which doesn't use walk->blocksize, 544 * but instead uses this tfm->blocksize. */ 545 struct aead_alg nx_ccm_aes_alg = { 546 .base = { 547 .cra_name = "ccm(aes)", 548 .cra_driver_name = "ccm-aes-nx", 549 .cra_priority = 300, 550 .cra_flags = CRYPTO_ALG_NEED_FALLBACK, 551 .cra_blocksize = 1, 552 .cra_ctxsize = sizeof(struct nx_crypto_ctx), 553 .cra_module = THIS_MODULE, 554 }, 555 .init = nx_crypto_ctx_aes_ccm_init, 556 .exit = nx_crypto_ctx_aead_exit, 557 .ivsize = AES_BLOCK_SIZE, 558 .maxauthsize = AES_BLOCK_SIZE, 559 .setkey = ccm_aes_nx_set_key, 560 .setauthsize = ccm_aes_nx_setauthsize, 561 .encrypt = ccm_aes_nx_encrypt, 562 .decrypt = ccm_aes_nx_decrypt, 563 }; 564 565 struct aead_alg nx_ccm4309_aes_alg = { 566 .base = { 567 .cra_name = "rfc4309(ccm(aes))", 568 .cra_driver_name = "rfc4309-ccm-aes-nx", 569 .cra_priority = 300, 570 .cra_flags = CRYPTO_ALG_NEED_FALLBACK, 571 .cra_blocksize = 1, 572 .cra_ctxsize = sizeof(struct nx_crypto_ctx), 573 .cra_module = THIS_MODULE, 574 }, 575 .init = nx_crypto_ctx_aes_ccm_init, 576 .exit = nx_crypto_ctx_aead_exit, 577 .ivsize = 8, 578 .maxauthsize = AES_BLOCK_SIZE, 579 .setkey = ccm4309_aes_nx_set_key, 580 .setauthsize = ccm4309_aes_nx_setauthsize, 581 .encrypt = ccm4309_aes_nx_encrypt, 582 .decrypt = ccm4309_aes_nx_decrypt, 583 }; 584