18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-only 28c2ecf20Sopenharmony_ci/* 38c2ecf20Sopenharmony_ci * AMD Cryptographic Coprocessor (CCP) AES XTS crypto API support 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * Copyright (C) 2013,2017 Advanced Micro Devices, Inc. 68c2ecf20Sopenharmony_ci * 78c2ecf20Sopenharmony_ci * Author: Gary R Hook <gary.hook@amd.com> 88c2ecf20Sopenharmony_ci * Author: Tom Lendacky <thomas.lendacky@amd.com> 98c2ecf20Sopenharmony_ci */ 108c2ecf20Sopenharmony_ci 118c2ecf20Sopenharmony_ci#include <linux/module.h> 128c2ecf20Sopenharmony_ci#include <linux/sched.h> 138c2ecf20Sopenharmony_ci#include <linux/delay.h> 148c2ecf20Sopenharmony_ci#include <linux/scatterlist.h> 158c2ecf20Sopenharmony_ci#include <crypto/aes.h> 168c2ecf20Sopenharmony_ci#include <crypto/xts.h> 178c2ecf20Sopenharmony_ci#include <crypto/internal/skcipher.h> 188c2ecf20Sopenharmony_ci#include <crypto/scatterwalk.h> 198c2ecf20Sopenharmony_ci 208c2ecf20Sopenharmony_ci#include "ccp-crypto.h" 218c2ecf20Sopenharmony_ci 228c2ecf20Sopenharmony_cistruct ccp_aes_xts_def { 238c2ecf20Sopenharmony_ci const char *name; 248c2ecf20Sopenharmony_ci const char *drv_name; 258c2ecf20Sopenharmony_ci}; 268c2ecf20Sopenharmony_ci 278c2ecf20Sopenharmony_cistatic const struct ccp_aes_xts_def aes_xts_algs[] = { 288c2ecf20Sopenharmony_ci { 298c2ecf20Sopenharmony_ci .name = "xts(aes)", 308c2ecf20Sopenharmony_ci .drv_name = "xts-aes-ccp", 318c2ecf20Sopenharmony_ci }, 328c2ecf20Sopenharmony_ci}; 338c2ecf20Sopenharmony_ci 348c2ecf20Sopenharmony_cistruct ccp_unit_size_map { 358c2ecf20Sopenharmony_ci unsigned int size; 368c2ecf20Sopenharmony_ci u32 value; 378c2ecf20Sopenharmony_ci}; 388c2ecf20Sopenharmony_ci 398c2ecf20Sopenharmony_cistatic struct ccp_unit_size_map xts_unit_sizes[] = { 408c2ecf20Sopenharmony_ci { 418c2ecf20Sopenharmony_ci .size = 16, 428c2ecf20Sopenharmony_ci .value = CCP_XTS_AES_UNIT_SIZE_16, 438c2ecf20Sopenharmony_ci }, 448c2ecf20Sopenharmony_ci { 458c2ecf20Sopenharmony_ci .size = 512, 468c2ecf20Sopenharmony_ci .value = CCP_XTS_AES_UNIT_SIZE_512, 478c2ecf20Sopenharmony_ci }, 488c2ecf20Sopenharmony_ci { 498c2ecf20Sopenharmony_ci .size = 1024, 508c2ecf20Sopenharmony_ci .value = CCP_XTS_AES_UNIT_SIZE_1024, 518c2ecf20Sopenharmony_ci }, 528c2ecf20Sopenharmony_ci { 538c2ecf20Sopenharmony_ci .size = 2048, 548c2ecf20Sopenharmony_ci .value = CCP_XTS_AES_UNIT_SIZE_2048, 558c2ecf20Sopenharmony_ci }, 568c2ecf20Sopenharmony_ci { 578c2ecf20Sopenharmony_ci .size = 4096, 588c2ecf20Sopenharmony_ci .value = CCP_XTS_AES_UNIT_SIZE_4096, 598c2ecf20Sopenharmony_ci }, 608c2ecf20Sopenharmony_ci}; 618c2ecf20Sopenharmony_ci 628c2ecf20Sopenharmony_cistatic int ccp_aes_xts_complete(struct crypto_async_request *async_req, int ret) 638c2ecf20Sopenharmony_ci{ 648c2ecf20Sopenharmony_ci struct skcipher_request *req = skcipher_request_cast(async_req); 658c2ecf20Sopenharmony_ci struct ccp_aes_req_ctx *rctx = skcipher_request_ctx(req); 668c2ecf20Sopenharmony_ci 678c2ecf20Sopenharmony_ci if (ret) 688c2ecf20Sopenharmony_ci return ret; 698c2ecf20Sopenharmony_ci 708c2ecf20Sopenharmony_ci memcpy(req->iv, rctx->iv, AES_BLOCK_SIZE); 718c2ecf20Sopenharmony_ci 728c2ecf20Sopenharmony_ci return 0; 738c2ecf20Sopenharmony_ci} 748c2ecf20Sopenharmony_ci 758c2ecf20Sopenharmony_cistatic int ccp_aes_xts_setkey(struct crypto_skcipher *tfm, const u8 *key, 768c2ecf20Sopenharmony_ci unsigned int key_len) 778c2ecf20Sopenharmony_ci{ 788c2ecf20Sopenharmony_ci struct ccp_ctx *ctx = crypto_skcipher_ctx(tfm); 798c2ecf20Sopenharmony_ci unsigned int ccpversion = ccp_version(); 808c2ecf20Sopenharmony_ci int ret; 818c2ecf20Sopenharmony_ci 828c2ecf20Sopenharmony_ci ret = xts_verify_key(tfm, key, key_len); 838c2ecf20Sopenharmony_ci if (ret) 848c2ecf20Sopenharmony_ci return ret; 858c2ecf20Sopenharmony_ci 868c2ecf20Sopenharmony_ci /* Version 3 devices support 128-bit keys; version 5 devices can 878c2ecf20Sopenharmony_ci * accommodate 128- and 256-bit keys. 888c2ecf20Sopenharmony_ci */ 898c2ecf20Sopenharmony_ci switch (key_len) { 908c2ecf20Sopenharmony_ci case AES_KEYSIZE_128 * 2: 918c2ecf20Sopenharmony_ci memcpy(ctx->u.aes.key, key, key_len); 928c2ecf20Sopenharmony_ci break; 938c2ecf20Sopenharmony_ci case AES_KEYSIZE_256 * 2: 948c2ecf20Sopenharmony_ci if (ccpversion > CCP_VERSION(3, 0)) 958c2ecf20Sopenharmony_ci memcpy(ctx->u.aes.key, key, key_len); 968c2ecf20Sopenharmony_ci break; 978c2ecf20Sopenharmony_ci } 988c2ecf20Sopenharmony_ci ctx->u.aes.key_len = key_len / 2; 998c2ecf20Sopenharmony_ci sg_init_one(&ctx->u.aes.key_sg, ctx->u.aes.key, key_len); 1008c2ecf20Sopenharmony_ci 1018c2ecf20Sopenharmony_ci return crypto_skcipher_setkey(ctx->u.aes.tfm_skcipher, key, key_len); 1028c2ecf20Sopenharmony_ci} 1038c2ecf20Sopenharmony_ci 1048c2ecf20Sopenharmony_cistatic int ccp_aes_xts_crypt(struct skcipher_request *req, 1058c2ecf20Sopenharmony_ci unsigned int encrypt) 1068c2ecf20Sopenharmony_ci{ 1078c2ecf20Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 1088c2ecf20Sopenharmony_ci struct ccp_ctx *ctx = crypto_skcipher_ctx(tfm); 1098c2ecf20Sopenharmony_ci struct ccp_aes_req_ctx *rctx = skcipher_request_ctx(req); 1108c2ecf20Sopenharmony_ci unsigned int ccpversion = ccp_version(); 1118c2ecf20Sopenharmony_ci unsigned int fallback = 0; 1128c2ecf20Sopenharmony_ci unsigned int unit; 1138c2ecf20Sopenharmony_ci u32 unit_size; 1148c2ecf20Sopenharmony_ci int ret; 1158c2ecf20Sopenharmony_ci 1168c2ecf20Sopenharmony_ci if (!ctx->u.aes.key_len) 1178c2ecf20Sopenharmony_ci return -EINVAL; 1188c2ecf20Sopenharmony_ci 1198c2ecf20Sopenharmony_ci if (!req->iv) 1208c2ecf20Sopenharmony_ci return -EINVAL; 1218c2ecf20Sopenharmony_ci 1228c2ecf20Sopenharmony_ci /* Check conditions under which the CCP can fulfill a request. The 1238c2ecf20Sopenharmony_ci * device can handle input plaintext of a length that is a multiple 1248c2ecf20Sopenharmony_ci * of the unit_size, bug the crypto implementation only supports 1258c2ecf20Sopenharmony_ci * the unit_size being equal to the input length. This limits the 1268c2ecf20Sopenharmony_ci * number of scenarios we can handle. 1278c2ecf20Sopenharmony_ci */ 1288c2ecf20Sopenharmony_ci unit_size = CCP_XTS_AES_UNIT_SIZE__LAST; 1298c2ecf20Sopenharmony_ci for (unit = 0; unit < ARRAY_SIZE(xts_unit_sizes); unit++) { 1308c2ecf20Sopenharmony_ci if (req->cryptlen == xts_unit_sizes[unit].size) { 1318c2ecf20Sopenharmony_ci unit_size = unit; 1328c2ecf20Sopenharmony_ci break; 1338c2ecf20Sopenharmony_ci } 1348c2ecf20Sopenharmony_ci } 1358c2ecf20Sopenharmony_ci /* The CCP has restrictions on block sizes. Also, a version 3 device 1368c2ecf20Sopenharmony_ci * only supports AES-128 operations; version 5 CCPs support both 1378c2ecf20Sopenharmony_ci * AES-128 and -256 operations. 1388c2ecf20Sopenharmony_ci */ 1398c2ecf20Sopenharmony_ci if (unit_size == CCP_XTS_AES_UNIT_SIZE__LAST) 1408c2ecf20Sopenharmony_ci fallback = 1; 1418c2ecf20Sopenharmony_ci if ((ccpversion < CCP_VERSION(5, 0)) && 1428c2ecf20Sopenharmony_ci (ctx->u.aes.key_len != AES_KEYSIZE_128)) 1438c2ecf20Sopenharmony_ci fallback = 1; 1448c2ecf20Sopenharmony_ci if ((ctx->u.aes.key_len != AES_KEYSIZE_128) && 1458c2ecf20Sopenharmony_ci (ctx->u.aes.key_len != AES_KEYSIZE_256)) 1468c2ecf20Sopenharmony_ci fallback = 1; 1478c2ecf20Sopenharmony_ci if (fallback) { 1488c2ecf20Sopenharmony_ci /* Use the fallback to process the request for any 1498c2ecf20Sopenharmony_ci * unsupported unit sizes or key sizes 1508c2ecf20Sopenharmony_ci */ 1518c2ecf20Sopenharmony_ci skcipher_request_set_tfm(&rctx->fallback_req, 1528c2ecf20Sopenharmony_ci ctx->u.aes.tfm_skcipher); 1538c2ecf20Sopenharmony_ci skcipher_request_set_callback(&rctx->fallback_req, 1548c2ecf20Sopenharmony_ci req->base.flags, 1558c2ecf20Sopenharmony_ci req->base.complete, 1568c2ecf20Sopenharmony_ci req->base.data); 1578c2ecf20Sopenharmony_ci skcipher_request_set_crypt(&rctx->fallback_req, req->src, 1588c2ecf20Sopenharmony_ci req->dst, req->cryptlen, req->iv); 1598c2ecf20Sopenharmony_ci ret = encrypt ? crypto_skcipher_encrypt(&rctx->fallback_req) : 1608c2ecf20Sopenharmony_ci crypto_skcipher_decrypt(&rctx->fallback_req); 1618c2ecf20Sopenharmony_ci return ret; 1628c2ecf20Sopenharmony_ci } 1638c2ecf20Sopenharmony_ci 1648c2ecf20Sopenharmony_ci memcpy(rctx->iv, req->iv, AES_BLOCK_SIZE); 1658c2ecf20Sopenharmony_ci sg_init_one(&rctx->iv_sg, rctx->iv, AES_BLOCK_SIZE); 1668c2ecf20Sopenharmony_ci 1678c2ecf20Sopenharmony_ci memset(&rctx->cmd, 0, sizeof(rctx->cmd)); 1688c2ecf20Sopenharmony_ci INIT_LIST_HEAD(&rctx->cmd.entry); 1698c2ecf20Sopenharmony_ci rctx->cmd.engine = CCP_ENGINE_XTS_AES_128; 1708c2ecf20Sopenharmony_ci rctx->cmd.u.xts.type = CCP_AES_TYPE_128; 1718c2ecf20Sopenharmony_ci rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT 1728c2ecf20Sopenharmony_ci : CCP_AES_ACTION_DECRYPT; 1738c2ecf20Sopenharmony_ci rctx->cmd.u.xts.unit_size = unit_size; 1748c2ecf20Sopenharmony_ci rctx->cmd.u.xts.key = &ctx->u.aes.key_sg; 1758c2ecf20Sopenharmony_ci rctx->cmd.u.xts.key_len = ctx->u.aes.key_len; 1768c2ecf20Sopenharmony_ci rctx->cmd.u.xts.iv = &rctx->iv_sg; 1778c2ecf20Sopenharmony_ci rctx->cmd.u.xts.iv_len = AES_BLOCK_SIZE; 1788c2ecf20Sopenharmony_ci rctx->cmd.u.xts.src = req->src; 1798c2ecf20Sopenharmony_ci rctx->cmd.u.xts.src_len = req->cryptlen; 1808c2ecf20Sopenharmony_ci rctx->cmd.u.xts.dst = req->dst; 1818c2ecf20Sopenharmony_ci 1828c2ecf20Sopenharmony_ci ret = ccp_crypto_enqueue_request(&req->base, &rctx->cmd); 1838c2ecf20Sopenharmony_ci 1848c2ecf20Sopenharmony_ci return ret; 1858c2ecf20Sopenharmony_ci} 1868c2ecf20Sopenharmony_ci 1878c2ecf20Sopenharmony_cistatic int ccp_aes_xts_encrypt(struct skcipher_request *req) 1888c2ecf20Sopenharmony_ci{ 1898c2ecf20Sopenharmony_ci return ccp_aes_xts_crypt(req, 1); 1908c2ecf20Sopenharmony_ci} 1918c2ecf20Sopenharmony_ci 1928c2ecf20Sopenharmony_cistatic int ccp_aes_xts_decrypt(struct skcipher_request *req) 1938c2ecf20Sopenharmony_ci{ 1948c2ecf20Sopenharmony_ci return ccp_aes_xts_crypt(req, 0); 1958c2ecf20Sopenharmony_ci} 1968c2ecf20Sopenharmony_ci 1978c2ecf20Sopenharmony_cistatic int ccp_aes_xts_init_tfm(struct crypto_skcipher *tfm) 1988c2ecf20Sopenharmony_ci{ 1998c2ecf20Sopenharmony_ci struct ccp_ctx *ctx = crypto_skcipher_ctx(tfm); 2008c2ecf20Sopenharmony_ci struct crypto_skcipher *fallback_tfm; 2018c2ecf20Sopenharmony_ci 2028c2ecf20Sopenharmony_ci ctx->complete = ccp_aes_xts_complete; 2038c2ecf20Sopenharmony_ci ctx->u.aes.key_len = 0; 2048c2ecf20Sopenharmony_ci 2058c2ecf20Sopenharmony_ci fallback_tfm = crypto_alloc_skcipher("xts(aes)", 0, 2068c2ecf20Sopenharmony_ci CRYPTO_ALG_NEED_FALLBACK); 2078c2ecf20Sopenharmony_ci if (IS_ERR(fallback_tfm)) { 2088c2ecf20Sopenharmony_ci pr_warn("could not load fallback driver xts(aes)\n"); 2098c2ecf20Sopenharmony_ci return PTR_ERR(fallback_tfm); 2108c2ecf20Sopenharmony_ci } 2118c2ecf20Sopenharmony_ci ctx->u.aes.tfm_skcipher = fallback_tfm; 2128c2ecf20Sopenharmony_ci 2138c2ecf20Sopenharmony_ci crypto_skcipher_set_reqsize(tfm, sizeof(struct ccp_aes_req_ctx) + 2148c2ecf20Sopenharmony_ci crypto_skcipher_reqsize(fallback_tfm)); 2158c2ecf20Sopenharmony_ci 2168c2ecf20Sopenharmony_ci return 0; 2178c2ecf20Sopenharmony_ci} 2188c2ecf20Sopenharmony_ci 2198c2ecf20Sopenharmony_cistatic void ccp_aes_xts_exit_tfm(struct crypto_skcipher *tfm) 2208c2ecf20Sopenharmony_ci{ 2218c2ecf20Sopenharmony_ci struct ccp_ctx *ctx = crypto_skcipher_ctx(tfm); 2228c2ecf20Sopenharmony_ci 2238c2ecf20Sopenharmony_ci crypto_free_skcipher(ctx->u.aes.tfm_skcipher); 2248c2ecf20Sopenharmony_ci} 2258c2ecf20Sopenharmony_ci 2268c2ecf20Sopenharmony_cistatic int ccp_register_aes_xts_alg(struct list_head *head, 2278c2ecf20Sopenharmony_ci const struct ccp_aes_xts_def *def) 2288c2ecf20Sopenharmony_ci{ 2298c2ecf20Sopenharmony_ci struct ccp_crypto_skcipher_alg *ccp_alg; 2308c2ecf20Sopenharmony_ci struct skcipher_alg *alg; 2318c2ecf20Sopenharmony_ci int ret; 2328c2ecf20Sopenharmony_ci 2338c2ecf20Sopenharmony_ci ccp_alg = kzalloc(sizeof(*ccp_alg), GFP_KERNEL); 2348c2ecf20Sopenharmony_ci if (!ccp_alg) 2358c2ecf20Sopenharmony_ci return -ENOMEM; 2368c2ecf20Sopenharmony_ci 2378c2ecf20Sopenharmony_ci INIT_LIST_HEAD(&ccp_alg->entry); 2388c2ecf20Sopenharmony_ci 2398c2ecf20Sopenharmony_ci alg = &ccp_alg->alg; 2408c2ecf20Sopenharmony_ci 2418c2ecf20Sopenharmony_ci snprintf(alg->base.cra_name, CRYPTO_MAX_ALG_NAME, "%s", def->name); 2428c2ecf20Sopenharmony_ci snprintf(alg->base.cra_driver_name, CRYPTO_MAX_ALG_NAME, "%s", 2438c2ecf20Sopenharmony_ci def->drv_name); 2448c2ecf20Sopenharmony_ci alg->base.cra_flags = CRYPTO_ALG_ASYNC | 2458c2ecf20Sopenharmony_ci CRYPTO_ALG_ALLOCATES_MEMORY | 2468c2ecf20Sopenharmony_ci CRYPTO_ALG_KERN_DRIVER_ONLY | 2478c2ecf20Sopenharmony_ci CRYPTO_ALG_NEED_FALLBACK; 2488c2ecf20Sopenharmony_ci alg->base.cra_blocksize = AES_BLOCK_SIZE; 2498c2ecf20Sopenharmony_ci alg->base.cra_ctxsize = sizeof(struct ccp_ctx); 2508c2ecf20Sopenharmony_ci alg->base.cra_priority = CCP_CRA_PRIORITY; 2518c2ecf20Sopenharmony_ci alg->base.cra_module = THIS_MODULE; 2528c2ecf20Sopenharmony_ci 2538c2ecf20Sopenharmony_ci alg->setkey = ccp_aes_xts_setkey; 2548c2ecf20Sopenharmony_ci alg->encrypt = ccp_aes_xts_encrypt; 2558c2ecf20Sopenharmony_ci alg->decrypt = ccp_aes_xts_decrypt; 2568c2ecf20Sopenharmony_ci alg->min_keysize = AES_MIN_KEY_SIZE * 2; 2578c2ecf20Sopenharmony_ci alg->max_keysize = AES_MAX_KEY_SIZE * 2; 2588c2ecf20Sopenharmony_ci alg->ivsize = AES_BLOCK_SIZE; 2598c2ecf20Sopenharmony_ci alg->init = ccp_aes_xts_init_tfm; 2608c2ecf20Sopenharmony_ci alg->exit = ccp_aes_xts_exit_tfm; 2618c2ecf20Sopenharmony_ci 2628c2ecf20Sopenharmony_ci ret = crypto_register_skcipher(alg); 2638c2ecf20Sopenharmony_ci if (ret) { 2648c2ecf20Sopenharmony_ci pr_err("%s skcipher algorithm registration error (%d)\n", 2658c2ecf20Sopenharmony_ci alg->base.cra_name, ret); 2668c2ecf20Sopenharmony_ci kfree(ccp_alg); 2678c2ecf20Sopenharmony_ci return ret; 2688c2ecf20Sopenharmony_ci } 2698c2ecf20Sopenharmony_ci 2708c2ecf20Sopenharmony_ci list_add(&ccp_alg->entry, head); 2718c2ecf20Sopenharmony_ci 2728c2ecf20Sopenharmony_ci return 0; 2738c2ecf20Sopenharmony_ci} 2748c2ecf20Sopenharmony_ci 2758c2ecf20Sopenharmony_ciint ccp_register_aes_xts_algs(struct list_head *head) 2768c2ecf20Sopenharmony_ci{ 2778c2ecf20Sopenharmony_ci int i, ret; 2788c2ecf20Sopenharmony_ci 2798c2ecf20Sopenharmony_ci for (i = 0; i < ARRAY_SIZE(aes_xts_algs); i++) { 2808c2ecf20Sopenharmony_ci ret = ccp_register_aes_xts_alg(head, &aes_xts_algs[i]); 2818c2ecf20Sopenharmony_ci if (ret) 2828c2ecf20Sopenharmony_ci return ret; 2838c2ecf20Sopenharmony_ci } 2848c2ecf20Sopenharmony_ci 2858c2ecf20Sopenharmony_ci return 0; 2868c2ecf20Sopenharmony_ci} 287