xref: /openbmc/linux/drivers/crypto/vmx/ghash.c (revision 132db935)
1 // SPDX-License-Identifier: GPL-2.0
2 /**
3  * GHASH routines supporting VMX instructions on the Power 8
4  *
5  * Copyright (C) 2015, 2019 International Business Machines Inc.
6  *
7  * Author: Marcelo Henrique Cerri <mhcerri@br.ibm.com>
8  *
9  * Extended by Daniel Axtens <dja@axtens.net> to replace the fallback
10  * mechanism. The new approach is based on arm64 code, which is:
11  *   Copyright (C) 2014 - 2018 Linaro Ltd. <ard.biesheuvel@linaro.org>
12  */
13 
14 #include <linux/types.h>
15 #include <linux/err.h>
16 #include <linux/crypto.h>
17 #include <linux/delay.h>
18 #include <asm/simd.h>
19 #include <asm/switch_to.h>
20 #include <crypto/aes.h>
21 #include <crypto/ghash.h>
22 #include <crypto/scatterwalk.h>
23 #include <crypto/internal/hash.h>
24 #include <crypto/internal/simd.h>
25 #include <crypto/b128ops.h>
26 
27 void gcm_init_p8(u128 htable[16], const u64 Xi[2]);
28 void gcm_gmult_p8(u64 Xi[2], const u128 htable[16]);
29 void gcm_ghash_p8(u64 Xi[2], const u128 htable[16],
30 		  const u8 *in, size_t len);
31 
32 struct p8_ghash_ctx {
33 	/* key used by vector asm */
34 	u128 htable[16];
35 	/* key used by software fallback */
36 	be128 key;
37 };
38 
39 struct p8_ghash_desc_ctx {
40 	u64 shash[2];
41 	u8 buffer[GHASH_DIGEST_SIZE];
42 	int bytes;
43 };
44 
45 static int p8_ghash_init(struct shash_desc *desc)
46 {
47 	struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
48 
49 	dctx->bytes = 0;
50 	memset(dctx->shash, 0, GHASH_DIGEST_SIZE);
51 	return 0;
52 }
53 
54 static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key,
55 			   unsigned int keylen)
56 {
57 	struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(tfm));
58 
59 	if (keylen != GHASH_BLOCK_SIZE)
60 		return -EINVAL;
61 
62 	preempt_disable();
63 	pagefault_disable();
64 	enable_kernel_vsx();
65 	gcm_init_p8(ctx->htable, (const u64 *) key);
66 	disable_kernel_vsx();
67 	pagefault_enable();
68 	preempt_enable();
69 
70 	memcpy(&ctx->key, key, GHASH_BLOCK_SIZE);
71 
72 	return 0;
73 }
74 
75 static inline void __ghash_block(struct p8_ghash_ctx *ctx,
76 				 struct p8_ghash_desc_ctx *dctx)
77 {
78 	if (crypto_simd_usable()) {
79 		preempt_disable();
80 		pagefault_disable();
81 		enable_kernel_vsx();
82 		gcm_ghash_p8(dctx->shash, ctx->htable,
83 				dctx->buffer, GHASH_DIGEST_SIZE);
84 		disable_kernel_vsx();
85 		pagefault_enable();
86 		preempt_enable();
87 	} else {
88 		crypto_xor((u8 *)dctx->shash, dctx->buffer, GHASH_BLOCK_SIZE);
89 		gf128mul_lle((be128 *)dctx->shash, &ctx->key);
90 	}
91 }
92 
93 static inline void __ghash_blocks(struct p8_ghash_ctx *ctx,
94 				  struct p8_ghash_desc_ctx *dctx,
95 				  const u8 *src, unsigned int srclen)
96 {
97 	if (crypto_simd_usable()) {
98 		preempt_disable();
99 		pagefault_disable();
100 		enable_kernel_vsx();
101 		gcm_ghash_p8(dctx->shash, ctx->htable,
102 				src, srclen);
103 		disable_kernel_vsx();
104 		pagefault_enable();
105 		preempt_enable();
106 	} else {
107 		while (srclen >= GHASH_BLOCK_SIZE) {
108 			crypto_xor((u8 *)dctx->shash, src, GHASH_BLOCK_SIZE);
109 			gf128mul_lle((be128 *)dctx->shash, &ctx->key);
110 			srclen -= GHASH_BLOCK_SIZE;
111 			src += GHASH_BLOCK_SIZE;
112 		}
113 	}
114 }
115 
116 static int p8_ghash_update(struct shash_desc *desc,
117 			   const u8 *src, unsigned int srclen)
118 {
119 	unsigned int len;
120 	struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
121 	struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
122 
123 	if (dctx->bytes) {
124 		if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) {
125 			memcpy(dctx->buffer + dctx->bytes, src,
126 				srclen);
127 			dctx->bytes += srclen;
128 			return 0;
129 		}
130 		memcpy(dctx->buffer + dctx->bytes, src,
131 			GHASH_DIGEST_SIZE - dctx->bytes);
132 
133 		__ghash_block(ctx, dctx);
134 
135 		src += GHASH_DIGEST_SIZE - dctx->bytes;
136 		srclen -= GHASH_DIGEST_SIZE - dctx->bytes;
137 		dctx->bytes = 0;
138 	}
139 	len = srclen & ~(GHASH_DIGEST_SIZE - 1);
140 	if (len) {
141 		__ghash_blocks(ctx, dctx, src, len);
142 		src += len;
143 		srclen -= len;
144 	}
145 	if (srclen) {
146 		memcpy(dctx->buffer, src, srclen);
147 		dctx->bytes = srclen;
148 	}
149 	return 0;
150 }
151 
152 static int p8_ghash_final(struct shash_desc *desc, u8 *out)
153 {
154 	int i;
155 	struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
156 	struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
157 
158 	if (dctx->bytes) {
159 		for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++)
160 			dctx->buffer[i] = 0;
161 		__ghash_block(ctx, dctx);
162 		dctx->bytes = 0;
163 	}
164 	memcpy(out, dctx->shash, GHASH_DIGEST_SIZE);
165 	return 0;
166 }
167 
168 struct shash_alg p8_ghash_alg = {
169 	.digestsize = GHASH_DIGEST_SIZE,
170 	.init = p8_ghash_init,
171 	.update = p8_ghash_update,
172 	.final = p8_ghash_final,
173 	.setkey = p8_ghash_setkey,
174 	.descsize = sizeof(struct p8_ghash_desc_ctx)
175 		+ sizeof(struct ghash_desc_ctx),
176 	.base = {
177 		 .cra_name = "ghash",
178 		 .cra_driver_name = "p8_ghash",
179 		 .cra_priority = 1000,
180 		 .cra_blocksize = GHASH_BLOCK_SIZE,
181 		 .cra_ctxsize = sizeof(struct p8_ghash_ctx),
182 		 .cra_module = THIS_MODULE,
183 	},
184 };
185