Contributors: 5
Author Tokens Token Proportion Commits Commit Proportion
Danny Tsen 2333 99.45% 2 33.33%
Michael Ellerman 9 0.38% 1 16.67%
Gustavo A. R. Silva 2 0.09% 1 16.67%
Michal Suchanek 1 0.04% 1 16.67%
Al Viro 1 0.04% 1 16.67%
Total 2346 6

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438
// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Glue code for accelerated AES-GCM stitched implementation for ppc64le.
 *
 * Copyright 2022- IBM Inc. All rights reserved
 */

#include <linux/unaligned.h>
#include <asm/simd.h>
#include <asm/switch_to.h>
#include <crypto/gcm.h>
#include <crypto/aes.h>
#include <crypto/algapi.h>
#include <crypto/b128ops.h>
#include <crypto/gf128mul.h>
#include <crypto/internal/simd.h>
#include <crypto/internal/aead.h>
#include <crypto/internal/hash.h>
#include <crypto/internal/skcipher.h>
#include <crypto/scatterwalk.h>
#include <linux/cpufeature.h>
#include <linux/crypto.h>
#include <linux/module.h>
#include <linux/types.h>

#define	PPC_ALIGN		16
#define GCM_IV_SIZE		12
#define RFC4106_NONCE_SIZE	4

MODULE_DESCRIPTION("PPC64le AES-GCM with Stitched implementation");
MODULE_AUTHOR("Danny Tsen <dtsen@linux.ibm.com");
MODULE_LICENSE("GPL v2");
MODULE_ALIAS_CRYPTO("aes");

asmlinkage int aes_p10_set_encrypt_key(const u8 *userKey, const int bits,
				       void *key);
asmlinkage void aes_p10_encrypt(const u8 *in, u8 *out, const void *key);
asmlinkage void aes_p10_gcm_encrypt(u8 *in, u8 *out, size_t len,
				    void *rkey, u8 *iv, void *Xi);
asmlinkage void aes_p10_gcm_decrypt(u8 *in, u8 *out, size_t len,
				    void *rkey, u8 *iv, void *Xi);
asmlinkage void gcm_init_htable(unsigned char htable[], unsigned char Xi[]);
asmlinkage void gcm_ghash_p10(unsigned char *Xi, unsigned char *Htable,
			      unsigned char *aad, unsigned int alen);
asmlinkage void gcm_update(u8 *iv, void *Xi);

struct aes_key {
	u8 key[AES_MAX_KEYLENGTH];
	u64 rounds;
};

struct gcm_ctx {
	u8 iv[16];
	u8 ivtag[16];
	u8 aad_hash[16];
	u64 aadLen;
	u64 Plen;	/* offset 56 - used in aes_p10_gcm_{en/de}crypt */
	u8 pblock[16];
};
struct Hash_ctx {
	u8 H[16];	/* subkey */
	u8 Htable[256];	/* Xi, Hash table(offset 32) */
};

struct p10_aes_gcm_ctx {
	struct aes_key enc_key;
	u8 nonce[RFC4106_NONCE_SIZE];
};

static void vsx_begin(void)
{
	preempt_disable();
	pagefault_disable();
	enable_kernel_vsx();
}

static void vsx_end(void)
{
	disable_kernel_vsx();
	pagefault_enable();
	preempt_enable();
}

static void set_subkey(unsigned char *hash)
{
	*(u64 *)&hash[0] = be64_to_cpup((__be64 *)&hash[0]);
	*(u64 *)&hash[8] = be64_to_cpup((__be64 *)&hash[8]);
}

/*
 * Compute aad if any.
 *   - Hash aad and copy to Xi.
 */
static void set_aad(struct gcm_ctx *gctx, struct Hash_ctx *hash,
		    unsigned char *aad, int alen)
{
	int i;
	u8 nXi[16] = {0, };

	gctx->aadLen = alen;
	i = alen & ~0xf;
	if (i) {
		gcm_ghash_p10(nXi, hash->Htable+32, aad, i);
		aad += i;
		alen -= i;
	}
	if (alen) {
		for (i = 0; i < alen; i++)
			nXi[i] ^= aad[i];

		memset(gctx->aad_hash, 0, 16);
		gcm_ghash_p10(gctx->aad_hash, hash->Htable+32, nXi, 16);
	} else {
		memcpy(gctx->aad_hash, nXi, 16);
	}

	memcpy(hash->Htable, gctx->aad_hash, 16);
}

static void gcmp10_init(struct gcm_ctx *gctx, u8 *iv, unsigned char *rdkey,
			struct Hash_ctx *hash, u8 *assoc, unsigned int assoclen)
{
	__be32 counter = cpu_to_be32(1);

	aes_p10_encrypt(hash->H, hash->H, rdkey);
	set_subkey(hash->H);
	gcm_init_htable(hash->Htable+32, hash->H);

	*((__be32 *)(iv+12)) = counter;

	gctx->Plen = 0;

	/*
	 * Encrypt counter vector as iv tag and increment counter.
	 */
	aes_p10_encrypt(iv, gctx->ivtag, rdkey);

	counter = cpu_to_be32(2);
	*((__be32 *)(iv+12)) = counter;
	memcpy(gctx->iv, iv, 16);

	gctx->aadLen = assoclen;
	memset(gctx->aad_hash, 0, 16);
	if (assoclen)
		set_aad(gctx, hash, assoc, assoclen);
}

static void finish_tag(struct gcm_ctx *gctx, struct Hash_ctx *hash, int len)
{
	int i;
	unsigned char len_ac[16 + PPC_ALIGN];
	unsigned char *aclen = PTR_ALIGN((void *)len_ac, PPC_ALIGN);
	__be64 clen = cpu_to_be64(len << 3);
	__be64 alen = cpu_to_be64(gctx->aadLen << 3);

	if (len == 0 && gctx->aadLen == 0) {
		memcpy(hash->Htable, gctx->ivtag, 16);
		return;
	}

	/*
	 * Len is in bits.
	 */
	*((__be64 *)(aclen)) = alen;
	*((__be64 *)(aclen+8)) = clen;

	/*
	 * hash (AAD len and len)
	 */
	gcm_ghash_p10(hash->Htable, hash->Htable+32, aclen, 16);

	for (i = 0; i < 16; i++)
		hash->Htable[i] ^= gctx->ivtag[i];
}

static int set_authsize(struct crypto_aead *tfm, unsigned int authsize)
{
	switch (authsize) {
	case 4:
	case 8:
	case 12:
	case 13:
	case 14:
	case 15:
	case 16:
		break;
	default:
		return -EINVAL;
	}

	return 0;
}

static int p10_aes_gcm_setkey(struct crypto_aead *aead, const u8 *key,
			      unsigned int keylen)
{
	struct crypto_tfm *tfm = crypto_aead_tfm(aead);
	struct p10_aes_gcm_ctx *ctx = crypto_tfm_ctx(tfm);
	int ret;

	vsx_begin();
	ret = aes_p10_set_encrypt_key(key, keylen * 8, &ctx->enc_key);
	vsx_end();

	return ret ? -EINVAL : 0;
}

static int p10_aes_gcm_crypt(struct aead_request *req, u8 *riv,
			     int assoclen, int enc)
{
	struct crypto_tfm *tfm = req->base.tfm;
	struct p10_aes_gcm_ctx *ctx = crypto_tfm_ctx(tfm);
	u8 databuf[sizeof(struct gcm_ctx) + PPC_ALIGN];
	struct gcm_ctx *gctx = PTR_ALIGN((void *)databuf, PPC_ALIGN);
	u8 hashbuf[sizeof(struct Hash_ctx) + PPC_ALIGN];
	struct Hash_ctx *hash = PTR_ALIGN((void *)hashbuf, PPC_ALIGN);
	struct scatter_walk assoc_sg_walk;
	struct skcipher_walk walk;
	u8 *assocmem = NULL;
	u8 *assoc;
	unsigned int cryptlen = req->cryptlen;
	unsigned char ivbuf[AES_BLOCK_SIZE+PPC_ALIGN];
	unsigned char *iv = PTR_ALIGN((void *)ivbuf, PPC_ALIGN);
	int ret;
	unsigned long auth_tag_len = crypto_aead_authsize(__crypto_aead_cast(tfm));
	u8 otag[16];
	int total_processed = 0;
	int nbytes;

	memset(databuf, 0, sizeof(databuf));
	memset(hashbuf, 0, sizeof(hashbuf));
	memset(ivbuf, 0, sizeof(ivbuf));
	memcpy(iv, riv, GCM_IV_SIZE);

	/* Linearize assoc, if not already linear */
	if (req->src->length >= assoclen && req->src->length) {
		scatterwalk_start(&assoc_sg_walk, req->src);
		assoc = scatterwalk_map(&assoc_sg_walk);
	} else {
		gfp_t flags = (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
			      GFP_KERNEL : GFP_ATOMIC;

		/* assoc can be any length, so must be on heap */
		assocmem = kmalloc(assoclen, flags);
		if (unlikely(!assocmem))
			return -ENOMEM;
		assoc = assocmem;

		scatterwalk_map_and_copy(assoc, req->src, 0, assoclen, 0);
	}

	vsx_begin();
	gcmp10_init(gctx, iv, (unsigned char *) &ctx->enc_key, hash, assoc, assoclen);
	vsx_end();

	if (!assocmem)
		scatterwalk_unmap(assoc);
	else
		kfree(assocmem);

	if (enc)
		ret = skcipher_walk_aead_encrypt(&walk, req, false);
	else
		ret = skcipher_walk_aead_decrypt(&walk, req, false);
	if (ret)
		return ret;

	while ((nbytes = walk.nbytes) > 0 && ret == 0) {
		u8 *src = walk.src.virt.addr;
		u8 *dst = walk.dst.virt.addr;
		u8 buf[AES_BLOCK_SIZE];

		if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE))
			src = dst = memcpy(buf, src, nbytes);

		vsx_begin();
		if (enc)
			aes_p10_gcm_encrypt(src, dst, nbytes,
					    &ctx->enc_key, gctx->iv, hash->Htable);
		else
			aes_p10_gcm_decrypt(src, dst, nbytes,
					    &ctx->enc_key, gctx->iv, hash->Htable);

		if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE))
			memcpy(walk.dst.virt.addr, buf, nbytes);

		vsx_end();

		total_processed += walk.nbytes;
		ret = skcipher_walk_done(&walk, 0);
	}

	if (ret)
		return ret;

	/* Finalize hash */
	vsx_begin();
	gcm_update(gctx->iv, hash->Htable);
	finish_tag(gctx, hash, total_processed);
	vsx_end();

	/* copy Xi to end of dst */
	if (enc)
		scatterwalk_map_and_copy(hash->Htable, req->dst, req->assoclen + cryptlen,
					 auth_tag_len, 1);
	else {
		scatterwalk_map_and_copy(otag, req->src,
					 req->assoclen + cryptlen - auth_tag_len,
					 auth_tag_len, 0);

		if (crypto_memneq(otag, hash->Htable, auth_tag_len)) {
			memzero_explicit(hash->Htable, 16);
			return -EBADMSG;
		}
	}

	return 0;
}

static int rfc4106_setkey(struct crypto_aead *tfm, const u8 *inkey,
			  unsigned int keylen)
{
	struct p10_aes_gcm_ctx *ctx = crypto_aead_ctx(tfm);
	int err;

	keylen -= RFC4106_NONCE_SIZE;
	err = p10_aes_gcm_setkey(tfm, inkey, keylen);
	if (err)
		return err;

	memcpy(ctx->nonce, inkey + keylen, RFC4106_NONCE_SIZE);
	return 0;
}

static int rfc4106_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
{
	return crypto_rfc4106_check_authsize(authsize);
}

static int rfc4106_encrypt(struct aead_request *req)
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	struct p10_aes_gcm_ctx *ctx = crypto_aead_ctx(aead);
	u8 iv[AES_BLOCK_SIZE];

	memcpy(iv, ctx->nonce, RFC4106_NONCE_SIZE);
	memcpy(iv + RFC4106_NONCE_SIZE, req->iv, GCM_RFC4106_IV_SIZE);

	return crypto_ipsec_check_assoclen(req->assoclen) ?:
	       p10_aes_gcm_crypt(req, iv, req->assoclen - GCM_RFC4106_IV_SIZE, 1);
}

static int rfc4106_decrypt(struct aead_request *req)
{
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
	struct p10_aes_gcm_ctx *ctx = crypto_aead_ctx(aead);
	u8 iv[AES_BLOCK_SIZE];

	memcpy(iv, ctx->nonce, RFC4106_NONCE_SIZE);
	memcpy(iv + RFC4106_NONCE_SIZE, req->iv, GCM_RFC4106_IV_SIZE);

	return crypto_ipsec_check_assoclen(req->assoclen) ?:
	       p10_aes_gcm_crypt(req, iv, req->assoclen - GCM_RFC4106_IV_SIZE, 0);
}

static int p10_aes_gcm_encrypt(struct aead_request *req)
{
	return p10_aes_gcm_crypt(req, req->iv, req->assoclen, 1);
}

static int p10_aes_gcm_decrypt(struct aead_request *req)
{
	return p10_aes_gcm_crypt(req, req->iv, req->assoclen, 0);
}

static struct aead_alg gcm_aes_algs[] = {{
	.ivsize			= GCM_IV_SIZE,
	.maxauthsize		= 16,

	.setauthsize		= set_authsize,
	.setkey			= p10_aes_gcm_setkey,
	.encrypt		= p10_aes_gcm_encrypt,
	.decrypt		= p10_aes_gcm_decrypt,

	.base.cra_name		= "__gcm(aes)",
	.base.cra_driver_name	= "__aes_gcm_p10",
	.base.cra_priority	= 2100,
	.base.cra_blocksize	= 1,
	.base.cra_ctxsize	= sizeof(struct p10_aes_gcm_ctx)+
				  4 * sizeof(u64[2]),
	.base.cra_module	= THIS_MODULE,
	.base.cra_flags		= CRYPTO_ALG_INTERNAL,
}, {
	.ivsize			= GCM_RFC4106_IV_SIZE,
	.maxauthsize		= 16,
	.setkey			= rfc4106_setkey,
	.setauthsize		= rfc4106_setauthsize,
	.encrypt		= rfc4106_encrypt,
	.decrypt		= rfc4106_decrypt,

	.base.cra_name		= "__rfc4106(gcm(aes))",
	.base.cra_driver_name	= "__rfc4106_aes_gcm_p10",
	.base.cra_priority	= 2100,
	.base.cra_blocksize	= 1,
	.base.cra_ctxsize	= sizeof(struct p10_aes_gcm_ctx) +
				  4 * sizeof(u64[2]),
	.base.cra_module	= THIS_MODULE,
	.base.cra_flags		= CRYPTO_ALG_INTERNAL,
}};

static struct simd_aead_alg *p10_simd_aeads[ARRAY_SIZE(gcm_aes_algs)];

static int __init p10_init(void)
{
	int ret;

	if (!cpu_has_feature(CPU_FTR_ARCH_31))
		return 0;

	ret = simd_register_aeads_compat(gcm_aes_algs,
					 ARRAY_SIZE(gcm_aes_algs),
					 p10_simd_aeads);
	if (ret) {
		simd_unregister_aeads(gcm_aes_algs, ARRAY_SIZE(gcm_aes_algs),
				      p10_simd_aeads);
		return ret;
	}
	return 0;
}

static void __exit p10_exit(void)
{
	simd_unregister_aeads(gcm_aes_algs, ARRAY_SIZE(gcm_aes_algs),
			      p10_simd_aeads);
}

module_init(p10_init);
module_exit(p10_exit);