162306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 262306a36Sopenharmony_ci/* 362306a36Sopenharmony_ci * Support for Intel AES-NI instructions. This file contains glue 462306a36Sopenharmony_ci * code, the real AES implementation is in intel-aes_asm.S. 562306a36Sopenharmony_ci * 662306a36Sopenharmony_ci * Copyright (C) 2008, Intel Corp. 762306a36Sopenharmony_ci * Author: Huang Ying <ying.huang@intel.com> 862306a36Sopenharmony_ci * 962306a36Sopenharmony_ci * Added RFC4106 AES-GCM support for 128-bit keys under the AEAD 1062306a36Sopenharmony_ci * interface for 64-bit kernels. 1162306a36Sopenharmony_ci * Authors: Adrian Hoban <adrian.hoban@intel.com> 1262306a36Sopenharmony_ci * Gabriele Paoloni <gabriele.paoloni@intel.com> 1362306a36Sopenharmony_ci * Tadeusz Struk (tadeusz.struk@intel.com) 1462306a36Sopenharmony_ci * Aidan O'Mahony (aidan.o.mahony@intel.com) 1562306a36Sopenharmony_ci * Copyright (c) 2010, Intel Corporation. 1662306a36Sopenharmony_ci */ 1762306a36Sopenharmony_ci 1862306a36Sopenharmony_ci#include <linux/hardirq.h> 1962306a36Sopenharmony_ci#include <linux/types.h> 2062306a36Sopenharmony_ci#include <linux/module.h> 2162306a36Sopenharmony_ci#include <linux/err.h> 2262306a36Sopenharmony_ci#include <crypto/algapi.h> 2362306a36Sopenharmony_ci#include <crypto/aes.h> 2462306a36Sopenharmony_ci#include <crypto/ctr.h> 2562306a36Sopenharmony_ci#include <crypto/b128ops.h> 2662306a36Sopenharmony_ci#include <crypto/gcm.h> 2762306a36Sopenharmony_ci#include <crypto/xts.h> 2862306a36Sopenharmony_ci#include <asm/cpu_device_id.h> 2962306a36Sopenharmony_ci#include <asm/simd.h> 3062306a36Sopenharmony_ci#include <crypto/scatterwalk.h> 3162306a36Sopenharmony_ci#include <crypto/internal/aead.h> 3262306a36Sopenharmony_ci#include <crypto/internal/simd.h> 3362306a36Sopenharmony_ci#include <crypto/internal/skcipher.h> 3462306a36Sopenharmony_ci#include <linux/jump_label.h> 3562306a36Sopenharmony_ci#include <linux/workqueue.h> 3662306a36Sopenharmony_ci#include <linux/spinlock.h> 3762306a36Sopenharmony_ci#include <linux/static_call.h> 3862306a36Sopenharmony_ci 3962306a36Sopenharmony_ci 4062306a36Sopenharmony_ci#define AESNI_ALIGN 16 4162306a36Sopenharmony_ci#define AESNI_ALIGN_ATTR __attribute__ ((__aligned__(AESNI_ALIGN))) 4262306a36Sopenharmony_ci#define AES_BLOCK_MASK (~(AES_BLOCK_SIZE - 1)) 4362306a36Sopenharmony_ci#define RFC4106_HASH_SUBKEY_SIZE 16 4462306a36Sopenharmony_ci#define AESNI_ALIGN_EXTRA ((AESNI_ALIGN - 1) & ~(CRYPTO_MINALIGN - 1)) 4562306a36Sopenharmony_ci#define CRYPTO_AES_CTX_SIZE (sizeof(struct crypto_aes_ctx) + AESNI_ALIGN_EXTRA) 4662306a36Sopenharmony_ci#define XTS_AES_CTX_SIZE (sizeof(struct aesni_xts_ctx) + AESNI_ALIGN_EXTRA) 4762306a36Sopenharmony_ci 4862306a36Sopenharmony_ci/* This data is stored at the end of the crypto_tfm struct. 4962306a36Sopenharmony_ci * It's a type of per "session" data storage location. 5062306a36Sopenharmony_ci * This needs to be 16 byte aligned. 5162306a36Sopenharmony_ci */ 5262306a36Sopenharmony_cistruct aesni_rfc4106_gcm_ctx { 5362306a36Sopenharmony_ci u8 hash_subkey[16] AESNI_ALIGN_ATTR; 5462306a36Sopenharmony_ci struct crypto_aes_ctx aes_key_expanded AESNI_ALIGN_ATTR; 5562306a36Sopenharmony_ci u8 nonce[4]; 5662306a36Sopenharmony_ci}; 5762306a36Sopenharmony_ci 5862306a36Sopenharmony_cistruct generic_gcmaes_ctx { 5962306a36Sopenharmony_ci u8 hash_subkey[16] AESNI_ALIGN_ATTR; 6062306a36Sopenharmony_ci struct crypto_aes_ctx aes_key_expanded AESNI_ALIGN_ATTR; 6162306a36Sopenharmony_ci}; 6262306a36Sopenharmony_ci 6362306a36Sopenharmony_cistruct aesni_xts_ctx { 6462306a36Sopenharmony_ci u8 raw_tweak_ctx[sizeof(struct crypto_aes_ctx)] AESNI_ALIGN_ATTR; 6562306a36Sopenharmony_ci u8 raw_crypt_ctx[sizeof(struct crypto_aes_ctx)] AESNI_ALIGN_ATTR; 6662306a36Sopenharmony_ci}; 6762306a36Sopenharmony_ci 6862306a36Sopenharmony_ci#define GCM_BLOCK_LEN 16 6962306a36Sopenharmony_ci 7062306a36Sopenharmony_cistruct gcm_context_data { 7162306a36Sopenharmony_ci /* init, update and finalize context data */ 7262306a36Sopenharmony_ci u8 aad_hash[GCM_BLOCK_LEN]; 7362306a36Sopenharmony_ci u64 aad_length; 7462306a36Sopenharmony_ci u64 in_length; 7562306a36Sopenharmony_ci u8 partial_block_enc_key[GCM_BLOCK_LEN]; 7662306a36Sopenharmony_ci u8 orig_IV[GCM_BLOCK_LEN]; 7762306a36Sopenharmony_ci u8 current_counter[GCM_BLOCK_LEN]; 7862306a36Sopenharmony_ci u64 partial_block_len; 7962306a36Sopenharmony_ci u64 unused; 8062306a36Sopenharmony_ci u8 hash_keys[GCM_BLOCK_LEN * 16]; 8162306a36Sopenharmony_ci}; 8262306a36Sopenharmony_ci 8362306a36Sopenharmony_ciasmlinkage int aesni_set_key(struct crypto_aes_ctx *ctx, const u8 *in_key, 8462306a36Sopenharmony_ci unsigned int key_len); 8562306a36Sopenharmony_ciasmlinkage void aesni_enc(const void *ctx, u8 *out, const u8 *in); 8662306a36Sopenharmony_ciasmlinkage void aesni_dec(const void *ctx, u8 *out, const u8 *in); 8762306a36Sopenharmony_ciasmlinkage void aesni_ecb_enc(struct crypto_aes_ctx *ctx, u8 *out, 8862306a36Sopenharmony_ci const u8 *in, unsigned int len); 8962306a36Sopenharmony_ciasmlinkage void aesni_ecb_dec(struct crypto_aes_ctx *ctx, u8 *out, 9062306a36Sopenharmony_ci const u8 *in, unsigned int len); 9162306a36Sopenharmony_ciasmlinkage void aesni_cbc_enc(struct crypto_aes_ctx *ctx, u8 *out, 9262306a36Sopenharmony_ci const u8 *in, unsigned int len, u8 *iv); 9362306a36Sopenharmony_ciasmlinkage void aesni_cbc_dec(struct crypto_aes_ctx *ctx, u8 *out, 9462306a36Sopenharmony_ci const u8 *in, unsigned int len, u8 *iv); 9562306a36Sopenharmony_ciasmlinkage void aesni_cts_cbc_enc(struct crypto_aes_ctx *ctx, u8 *out, 9662306a36Sopenharmony_ci const u8 *in, unsigned int len, u8 *iv); 9762306a36Sopenharmony_ciasmlinkage void aesni_cts_cbc_dec(struct crypto_aes_ctx *ctx, u8 *out, 9862306a36Sopenharmony_ci const u8 *in, unsigned int len, u8 *iv); 9962306a36Sopenharmony_ci 10062306a36Sopenharmony_ci#define AVX_GEN2_OPTSIZE 640 10162306a36Sopenharmony_ci#define AVX_GEN4_OPTSIZE 4096 10262306a36Sopenharmony_ci 10362306a36Sopenharmony_ciasmlinkage void aesni_xts_encrypt(const struct crypto_aes_ctx *ctx, u8 *out, 10462306a36Sopenharmony_ci const u8 *in, unsigned int len, u8 *iv); 10562306a36Sopenharmony_ci 10662306a36Sopenharmony_ciasmlinkage void aesni_xts_decrypt(const struct crypto_aes_ctx *ctx, u8 *out, 10762306a36Sopenharmony_ci const u8 *in, unsigned int len, u8 *iv); 10862306a36Sopenharmony_ci 10962306a36Sopenharmony_ci#ifdef CONFIG_X86_64 11062306a36Sopenharmony_ci 11162306a36Sopenharmony_ciasmlinkage void aesni_ctr_enc(struct crypto_aes_ctx *ctx, u8 *out, 11262306a36Sopenharmony_ci const u8 *in, unsigned int len, u8 *iv); 11362306a36Sopenharmony_ciDEFINE_STATIC_CALL(aesni_ctr_enc_tfm, aesni_ctr_enc); 11462306a36Sopenharmony_ci 11562306a36Sopenharmony_ci/* Scatter / Gather routines, with args similar to above */ 11662306a36Sopenharmony_ciasmlinkage void aesni_gcm_init(void *ctx, 11762306a36Sopenharmony_ci struct gcm_context_data *gdata, 11862306a36Sopenharmony_ci u8 *iv, 11962306a36Sopenharmony_ci u8 *hash_subkey, const u8 *aad, 12062306a36Sopenharmony_ci unsigned long aad_len); 12162306a36Sopenharmony_ciasmlinkage void aesni_gcm_enc_update(void *ctx, 12262306a36Sopenharmony_ci struct gcm_context_data *gdata, u8 *out, 12362306a36Sopenharmony_ci const u8 *in, unsigned long plaintext_len); 12462306a36Sopenharmony_ciasmlinkage void aesni_gcm_dec_update(void *ctx, 12562306a36Sopenharmony_ci struct gcm_context_data *gdata, u8 *out, 12662306a36Sopenharmony_ci const u8 *in, 12762306a36Sopenharmony_ci unsigned long ciphertext_len); 12862306a36Sopenharmony_ciasmlinkage void aesni_gcm_finalize(void *ctx, 12962306a36Sopenharmony_ci struct gcm_context_data *gdata, 13062306a36Sopenharmony_ci u8 *auth_tag, unsigned long auth_tag_len); 13162306a36Sopenharmony_ci 13262306a36Sopenharmony_ciasmlinkage void aes_ctr_enc_128_avx_by8(const u8 *in, u8 *iv, 13362306a36Sopenharmony_ci void *keys, u8 *out, unsigned int num_bytes); 13462306a36Sopenharmony_ciasmlinkage void aes_ctr_enc_192_avx_by8(const u8 *in, u8 *iv, 13562306a36Sopenharmony_ci void *keys, u8 *out, unsigned int num_bytes); 13662306a36Sopenharmony_ciasmlinkage void aes_ctr_enc_256_avx_by8(const u8 *in, u8 *iv, 13762306a36Sopenharmony_ci void *keys, u8 *out, unsigned int num_bytes); 13862306a36Sopenharmony_ci 13962306a36Sopenharmony_ci 14062306a36Sopenharmony_ciasmlinkage void aes_xctr_enc_128_avx_by8(const u8 *in, const u8 *iv, 14162306a36Sopenharmony_ci const void *keys, u8 *out, unsigned int num_bytes, 14262306a36Sopenharmony_ci unsigned int byte_ctr); 14362306a36Sopenharmony_ci 14462306a36Sopenharmony_ciasmlinkage void aes_xctr_enc_192_avx_by8(const u8 *in, const u8 *iv, 14562306a36Sopenharmony_ci const void *keys, u8 *out, unsigned int num_bytes, 14662306a36Sopenharmony_ci unsigned int byte_ctr); 14762306a36Sopenharmony_ci 14862306a36Sopenharmony_ciasmlinkage void aes_xctr_enc_256_avx_by8(const u8 *in, const u8 *iv, 14962306a36Sopenharmony_ci const void *keys, u8 *out, unsigned int num_bytes, 15062306a36Sopenharmony_ci unsigned int byte_ctr); 15162306a36Sopenharmony_ci 15262306a36Sopenharmony_ci/* 15362306a36Sopenharmony_ci * asmlinkage void aesni_gcm_init_avx_gen2() 15462306a36Sopenharmony_ci * gcm_data *my_ctx_data, context data 15562306a36Sopenharmony_ci * u8 *hash_subkey, the Hash sub key input. Data starts on a 16-byte boundary. 15662306a36Sopenharmony_ci */ 15762306a36Sopenharmony_ciasmlinkage void aesni_gcm_init_avx_gen2(void *my_ctx_data, 15862306a36Sopenharmony_ci struct gcm_context_data *gdata, 15962306a36Sopenharmony_ci u8 *iv, 16062306a36Sopenharmony_ci u8 *hash_subkey, 16162306a36Sopenharmony_ci const u8 *aad, 16262306a36Sopenharmony_ci unsigned long aad_len); 16362306a36Sopenharmony_ci 16462306a36Sopenharmony_ciasmlinkage void aesni_gcm_enc_update_avx_gen2(void *ctx, 16562306a36Sopenharmony_ci struct gcm_context_data *gdata, u8 *out, 16662306a36Sopenharmony_ci const u8 *in, unsigned long plaintext_len); 16762306a36Sopenharmony_ciasmlinkage void aesni_gcm_dec_update_avx_gen2(void *ctx, 16862306a36Sopenharmony_ci struct gcm_context_data *gdata, u8 *out, 16962306a36Sopenharmony_ci const u8 *in, 17062306a36Sopenharmony_ci unsigned long ciphertext_len); 17162306a36Sopenharmony_ciasmlinkage void aesni_gcm_finalize_avx_gen2(void *ctx, 17262306a36Sopenharmony_ci struct gcm_context_data *gdata, 17362306a36Sopenharmony_ci u8 *auth_tag, unsigned long auth_tag_len); 17462306a36Sopenharmony_ci 17562306a36Sopenharmony_ci/* 17662306a36Sopenharmony_ci * asmlinkage void aesni_gcm_init_avx_gen4() 17762306a36Sopenharmony_ci * gcm_data *my_ctx_data, context data 17862306a36Sopenharmony_ci * u8 *hash_subkey, the Hash sub key input. Data starts on a 16-byte boundary. 17962306a36Sopenharmony_ci */ 18062306a36Sopenharmony_ciasmlinkage void aesni_gcm_init_avx_gen4(void *my_ctx_data, 18162306a36Sopenharmony_ci struct gcm_context_data *gdata, 18262306a36Sopenharmony_ci u8 *iv, 18362306a36Sopenharmony_ci u8 *hash_subkey, 18462306a36Sopenharmony_ci const u8 *aad, 18562306a36Sopenharmony_ci unsigned long aad_len); 18662306a36Sopenharmony_ci 18762306a36Sopenharmony_ciasmlinkage void aesni_gcm_enc_update_avx_gen4(void *ctx, 18862306a36Sopenharmony_ci struct gcm_context_data *gdata, u8 *out, 18962306a36Sopenharmony_ci const u8 *in, unsigned long plaintext_len); 19062306a36Sopenharmony_ciasmlinkage void aesni_gcm_dec_update_avx_gen4(void *ctx, 19162306a36Sopenharmony_ci struct gcm_context_data *gdata, u8 *out, 19262306a36Sopenharmony_ci const u8 *in, 19362306a36Sopenharmony_ci unsigned long ciphertext_len); 19462306a36Sopenharmony_ciasmlinkage void aesni_gcm_finalize_avx_gen4(void *ctx, 19562306a36Sopenharmony_ci struct gcm_context_data *gdata, 19662306a36Sopenharmony_ci u8 *auth_tag, unsigned long auth_tag_len); 19762306a36Sopenharmony_ci 19862306a36Sopenharmony_cistatic __ro_after_init DEFINE_STATIC_KEY_FALSE(gcm_use_avx); 19962306a36Sopenharmony_cistatic __ro_after_init DEFINE_STATIC_KEY_FALSE(gcm_use_avx2); 20062306a36Sopenharmony_ci 20162306a36Sopenharmony_cistatic inline struct 20262306a36Sopenharmony_ciaesni_rfc4106_gcm_ctx *aesni_rfc4106_gcm_ctx_get(struct crypto_aead *tfm) 20362306a36Sopenharmony_ci{ 20462306a36Sopenharmony_ci unsigned long align = AESNI_ALIGN; 20562306a36Sopenharmony_ci 20662306a36Sopenharmony_ci if (align <= crypto_tfm_ctx_alignment()) 20762306a36Sopenharmony_ci align = 1; 20862306a36Sopenharmony_ci return PTR_ALIGN(crypto_aead_ctx(tfm), align); 20962306a36Sopenharmony_ci} 21062306a36Sopenharmony_ci 21162306a36Sopenharmony_cistatic inline struct 21262306a36Sopenharmony_cigeneric_gcmaes_ctx *generic_gcmaes_ctx_get(struct crypto_aead *tfm) 21362306a36Sopenharmony_ci{ 21462306a36Sopenharmony_ci unsigned long align = AESNI_ALIGN; 21562306a36Sopenharmony_ci 21662306a36Sopenharmony_ci if (align <= crypto_tfm_ctx_alignment()) 21762306a36Sopenharmony_ci align = 1; 21862306a36Sopenharmony_ci return PTR_ALIGN(crypto_aead_ctx(tfm), align); 21962306a36Sopenharmony_ci} 22062306a36Sopenharmony_ci#endif 22162306a36Sopenharmony_ci 22262306a36Sopenharmony_cistatic inline struct crypto_aes_ctx *aes_ctx(void *raw_ctx) 22362306a36Sopenharmony_ci{ 22462306a36Sopenharmony_ci unsigned long addr = (unsigned long)raw_ctx; 22562306a36Sopenharmony_ci unsigned long align = AESNI_ALIGN; 22662306a36Sopenharmony_ci 22762306a36Sopenharmony_ci if (align <= crypto_tfm_ctx_alignment()) 22862306a36Sopenharmony_ci align = 1; 22962306a36Sopenharmony_ci return (struct crypto_aes_ctx *)ALIGN(addr, align); 23062306a36Sopenharmony_ci} 23162306a36Sopenharmony_ci 23262306a36Sopenharmony_cistatic int aes_set_key_common(struct crypto_aes_ctx *ctx, 23362306a36Sopenharmony_ci const u8 *in_key, unsigned int key_len) 23462306a36Sopenharmony_ci{ 23562306a36Sopenharmony_ci int err; 23662306a36Sopenharmony_ci 23762306a36Sopenharmony_ci if (key_len != AES_KEYSIZE_128 && key_len != AES_KEYSIZE_192 && 23862306a36Sopenharmony_ci key_len != AES_KEYSIZE_256) 23962306a36Sopenharmony_ci return -EINVAL; 24062306a36Sopenharmony_ci 24162306a36Sopenharmony_ci if (!crypto_simd_usable()) 24262306a36Sopenharmony_ci err = aes_expandkey(ctx, in_key, key_len); 24362306a36Sopenharmony_ci else { 24462306a36Sopenharmony_ci kernel_fpu_begin(); 24562306a36Sopenharmony_ci err = aesni_set_key(ctx, in_key, key_len); 24662306a36Sopenharmony_ci kernel_fpu_end(); 24762306a36Sopenharmony_ci } 24862306a36Sopenharmony_ci 24962306a36Sopenharmony_ci return err; 25062306a36Sopenharmony_ci} 25162306a36Sopenharmony_ci 25262306a36Sopenharmony_cistatic int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, 25362306a36Sopenharmony_ci unsigned int key_len) 25462306a36Sopenharmony_ci{ 25562306a36Sopenharmony_ci return aes_set_key_common(aes_ctx(crypto_tfm_ctx(tfm)), in_key, 25662306a36Sopenharmony_ci key_len); 25762306a36Sopenharmony_ci} 25862306a36Sopenharmony_ci 25962306a36Sopenharmony_cistatic void aesni_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 26062306a36Sopenharmony_ci{ 26162306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_tfm_ctx(tfm)); 26262306a36Sopenharmony_ci 26362306a36Sopenharmony_ci if (!crypto_simd_usable()) { 26462306a36Sopenharmony_ci aes_encrypt(ctx, dst, src); 26562306a36Sopenharmony_ci } else { 26662306a36Sopenharmony_ci kernel_fpu_begin(); 26762306a36Sopenharmony_ci aesni_enc(ctx, dst, src); 26862306a36Sopenharmony_ci kernel_fpu_end(); 26962306a36Sopenharmony_ci } 27062306a36Sopenharmony_ci} 27162306a36Sopenharmony_ci 27262306a36Sopenharmony_cistatic void aesni_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 27362306a36Sopenharmony_ci{ 27462306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_tfm_ctx(tfm)); 27562306a36Sopenharmony_ci 27662306a36Sopenharmony_ci if (!crypto_simd_usable()) { 27762306a36Sopenharmony_ci aes_decrypt(ctx, dst, src); 27862306a36Sopenharmony_ci } else { 27962306a36Sopenharmony_ci kernel_fpu_begin(); 28062306a36Sopenharmony_ci aesni_dec(ctx, dst, src); 28162306a36Sopenharmony_ci kernel_fpu_end(); 28262306a36Sopenharmony_ci } 28362306a36Sopenharmony_ci} 28462306a36Sopenharmony_ci 28562306a36Sopenharmony_cistatic int aesni_skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key, 28662306a36Sopenharmony_ci unsigned int len) 28762306a36Sopenharmony_ci{ 28862306a36Sopenharmony_ci return aes_set_key_common(aes_ctx(crypto_skcipher_ctx(tfm)), key, len); 28962306a36Sopenharmony_ci} 29062306a36Sopenharmony_ci 29162306a36Sopenharmony_cistatic int ecb_encrypt(struct skcipher_request *req) 29262306a36Sopenharmony_ci{ 29362306a36Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 29462306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm)); 29562306a36Sopenharmony_ci struct skcipher_walk walk; 29662306a36Sopenharmony_ci unsigned int nbytes; 29762306a36Sopenharmony_ci int err; 29862306a36Sopenharmony_ci 29962306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, req, false); 30062306a36Sopenharmony_ci 30162306a36Sopenharmony_ci while ((nbytes = walk.nbytes)) { 30262306a36Sopenharmony_ci kernel_fpu_begin(); 30362306a36Sopenharmony_ci aesni_ecb_enc(ctx, walk.dst.virt.addr, walk.src.virt.addr, 30462306a36Sopenharmony_ci nbytes & AES_BLOCK_MASK); 30562306a36Sopenharmony_ci kernel_fpu_end(); 30662306a36Sopenharmony_ci nbytes &= AES_BLOCK_SIZE - 1; 30762306a36Sopenharmony_ci err = skcipher_walk_done(&walk, nbytes); 30862306a36Sopenharmony_ci } 30962306a36Sopenharmony_ci 31062306a36Sopenharmony_ci return err; 31162306a36Sopenharmony_ci} 31262306a36Sopenharmony_ci 31362306a36Sopenharmony_cistatic int ecb_decrypt(struct skcipher_request *req) 31462306a36Sopenharmony_ci{ 31562306a36Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 31662306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm)); 31762306a36Sopenharmony_ci struct skcipher_walk walk; 31862306a36Sopenharmony_ci unsigned int nbytes; 31962306a36Sopenharmony_ci int err; 32062306a36Sopenharmony_ci 32162306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, req, false); 32262306a36Sopenharmony_ci 32362306a36Sopenharmony_ci while ((nbytes = walk.nbytes)) { 32462306a36Sopenharmony_ci kernel_fpu_begin(); 32562306a36Sopenharmony_ci aesni_ecb_dec(ctx, walk.dst.virt.addr, walk.src.virt.addr, 32662306a36Sopenharmony_ci nbytes & AES_BLOCK_MASK); 32762306a36Sopenharmony_ci kernel_fpu_end(); 32862306a36Sopenharmony_ci nbytes &= AES_BLOCK_SIZE - 1; 32962306a36Sopenharmony_ci err = skcipher_walk_done(&walk, nbytes); 33062306a36Sopenharmony_ci } 33162306a36Sopenharmony_ci 33262306a36Sopenharmony_ci return err; 33362306a36Sopenharmony_ci} 33462306a36Sopenharmony_ci 33562306a36Sopenharmony_cistatic int cbc_encrypt(struct skcipher_request *req) 33662306a36Sopenharmony_ci{ 33762306a36Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 33862306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm)); 33962306a36Sopenharmony_ci struct skcipher_walk walk; 34062306a36Sopenharmony_ci unsigned int nbytes; 34162306a36Sopenharmony_ci int err; 34262306a36Sopenharmony_ci 34362306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, req, false); 34462306a36Sopenharmony_ci 34562306a36Sopenharmony_ci while ((nbytes = walk.nbytes)) { 34662306a36Sopenharmony_ci kernel_fpu_begin(); 34762306a36Sopenharmony_ci aesni_cbc_enc(ctx, walk.dst.virt.addr, walk.src.virt.addr, 34862306a36Sopenharmony_ci nbytes & AES_BLOCK_MASK, walk.iv); 34962306a36Sopenharmony_ci kernel_fpu_end(); 35062306a36Sopenharmony_ci nbytes &= AES_BLOCK_SIZE - 1; 35162306a36Sopenharmony_ci err = skcipher_walk_done(&walk, nbytes); 35262306a36Sopenharmony_ci } 35362306a36Sopenharmony_ci 35462306a36Sopenharmony_ci return err; 35562306a36Sopenharmony_ci} 35662306a36Sopenharmony_ci 35762306a36Sopenharmony_cistatic int cbc_decrypt(struct skcipher_request *req) 35862306a36Sopenharmony_ci{ 35962306a36Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 36062306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm)); 36162306a36Sopenharmony_ci struct skcipher_walk walk; 36262306a36Sopenharmony_ci unsigned int nbytes; 36362306a36Sopenharmony_ci int err; 36462306a36Sopenharmony_ci 36562306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, req, false); 36662306a36Sopenharmony_ci 36762306a36Sopenharmony_ci while ((nbytes = walk.nbytes)) { 36862306a36Sopenharmony_ci kernel_fpu_begin(); 36962306a36Sopenharmony_ci aesni_cbc_dec(ctx, walk.dst.virt.addr, walk.src.virt.addr, 37062306a36Sopenharmony_ci nbytes & AES_BLOCK_MASK, walk.iv); 37162306a36Sopenharmony_ci kernel_fpu_end(); 37262306a36Sopenharmony_ci nbytes &= AES_BLOCK_SIZE - 1; 37362306a36Sopenharmony_ci err = skcipher_walk_done(&walk, nbytes); 37462306a36Sopenharmony_ci } 37562306a36Sopenharmony_ci 37662306a36Sopenharmony_ci return err; 37762306a36Sopenharmony_ci} 37862306a36Sopenharmony_ci 37962306a36Sopenharmony_cistatic int cts_cbc_encrypt(struct skcipher_request *req) 38062306a36Sopenharmony_ci{ 38162306a36Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 38262306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm)); 38362306a36Sopenharmony_ci int cbc_blocks = DIV_ROUND_UP(req->cryptlen, AES_BLOCK_SIZE) - 2; 38462306a36Sopenharmony_ci struct scatterlist *src = req->src, *dst = req->dst; 38562306a36Sopenharmony_ci struct scatterlist sg_src[2], sg_dst[2]; 38662306a36Sopenharmony_ci struct skcipher_request subreq; 38762306a36Sopenharmony_ci struct skcipher_walk walk; 38862306a36Sopenharmony_ci int err; 38962306a36Sopenharmony_ci 39062306a36Sopenharmony_ci skcipher_request_set_tfm(&subreq, tfm); 39162306a36Sopenharmony_ci skcipher_request_set_callback(&subreq, skcipher_request_flags(req), 39262306a36Sopenharmony_ci NULL, NULL); 39362306a36Sopenharmony_ci 39462306a36Sopenharmony_ci if (req->cryptlen <= AES_BLOCK_SIZE) { 39562306a36Sopenharmony_ci if (req->cryptlen < AES_BLOCK_SIZE) 39662306a36Sopenharmony_ci return -EINVAL; 39762306a36Sopenharmony_ci cbc_blocks = 1; 39862306a36Sopenharmony_ci } 39962306a36Sopenharmony_ci 40062306a36Sopenharmony_ci if (cbc_blocks > 0) { 40162306a36Sopenharmony_ci skcipher_request_set_crypt(&subreq, req->src, req->dst, 40262306a36Sopenharmony_ci cbc_blocks * AES_BLOCK_SIZE, 40362306a36Sopenharmony_ci req->iv); 40462306a36Sopenharmony_ci 40562306a36Sopenharmony_ci err = cbc_encrypt(&subreq); 40662306a36Sopenharmony_ci if (err) 40762306a36Sopenharmony_ci return err; 40862306a36Sopenharmony_ci 40962306a36Sopenharmony_ci if (req->cryptlen == AES_BLOCK_SIZE) 41062306a36Sopenharmony_ci return 0; 41162306a36Sopenharmony_ci 41262306a36Sopenharmony_ci dst = src = scatterwalk_ffwd(sg_src, req->src, subreq.cryptlen); 41362306a36Sopenharmony_ci if (req->dst != req->src) 41462306a36Sopenharmony_ci dst = scatterwalk_ffwd(sg_dst, req->dst, 41562306a36Sopenharmony_ci subreq.cryptlen); 41662306a36Sopenharmony_ci } 41762306a36Sopenharmony_ci 41862306a36Sopenharmony_ci /* handle ciphertext stealing */ 41962306a36Sopenharmony_ci skcipher_request_set_crypt(&subreq, src, dst, 42062306a36Sopenharmony_ci req->cryptlen - cbc_blocks * AES_BLOCK_SIZE, 42162306a36Sopenharmony_ci req->iv); 42262306a36Sopenharmony_ci 42362306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, &subreq, false); 42462306a36Sopenharmony_ci if (err) 42562306a36Sopenharmony_ci return err; 42662306a36Sopenharmony_ci 42762306a36Sopenharmony_ci kernel_fpu_begin(); 42862306a36Sopenharmony_ci aesni_cts_cbc_enc(ctx, walk.dst.virt.addr, walk.src.virt.addr, 42962306a36Sopenharmony_ci walk.nbytes, walk.iv); 43062306a36Sopenharmony_ci kernel_fpu_end(); 43162306a36Sopenharmony_ci 43262306a36Sopenharmony_ci return skcipher_walk_done(&walk, 0); 43362306a36Sopenharmony_ci} 43462306a36Sopenharmony_ci 43562306a36Sopenharmony_cistatic int cts_cbc_decrypt(struct skcipher_request *req) 43662306a36Sopenharmony_ci{ 43762306a36Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 43862306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm)); 43962306a36Sopenharmony_ci int cbc_blocks = DIV_ROUND_UP(req->cryptlen, AES_BLOCK_SIZE) - 2; 44062306a36Sopenharmony_ci struct scatterlist *src = req->src, *dst = req->dst; 44162306a36Sopenharmony_ci struct scatterlist sg_src[2], sg_dst[2]; 44262306a36Sopenharmony_ci struct skcipher_request subreq; 44362306a36Sopenharmony_ci struct skcipher_walk walk; 44462306a36Sopenharmony_ci int err; 44562306a36Sopenharmony_ci 44662306a36Sopenharmony_ci skcipher_request_set_tfm(&subreq, tfm); 44762306a36Sopenharmony_ci skcipher_request_set_callback(&subreq, skcipher_request_flags(req), 44862306a36Sopenharmony_ci NULL, NULL); 44962306a36Sopenharmony_ci 45062306a36Sopenharmony_ci if (req->cryptlen <= AES_BLOCK_SIZE) { 45162306a36Sopenharmony_ci if (req->cryptlen < AES_BLOCK_SIZE) 45262306a36Sopenharmony_ci return -EINVAL; 45362306a36Sopenharmony_ci cbc_blocks = 1; 45462306a36Sopenharmony_ci } 45562306a36Sopenharmony_ci 45662306a36Sopenharmony_ci if (cbc_blocks > 0) { 45762306a36Sopenharmony_ci skcipher_request_set_crypt(&subreq, req->src, req->dst, 45862306a36Sopenharmony_ci cbc_blocks * AES_BLOCK_SIZE, 45962306a36Sopenharmony_ci req->iv); 46062306a36Sopenharmony_ci 46162306a36Sopenharmony_ci err = cbc_decrypt(&subreq); 46262306a36Sopenharmony_ci if (err) 46362306a36Sopenharmony_ci return err; 46462306a36Sopenharmony_ci 46562306a36Sopenharmony_ci if (req->cryptlen == AES_BLOCK_SIZE) 46662306a36Sopenharmony_ci return 0; 46762306a36Sopenharmony_ci 46862306a36Sopenharmony_ci dst = src = scatterwalk_ffwd(sg_src, req->src, subreq.cryptlen); 46962306a36Sopenharmony_ci if (req->dst != req->src) 47062306a36Sopenharmony_ci dst = scatterwalk_ffwd(sg_dst, req->dst, 47162306a36Sopenharmony_ci subreq.cryptlen); 47262306a36Sopenharmony_ci } 47362306a36Sopenharmony_ci 47462306a36Sopenharmony_ci /* handle ciphertext stealing */ 47562306a36Sopenharmony_ci skcipher_request_set_crypt(&subreq, src, dst, 47662306a36Sopenharmony_ci req->cryptlen - cbc_blocks * AES_BLOCK_SIZE, 47762306a36Sopenharmony_ci req->iv); 47862306a36Sopenharmony_ci 47962306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, &subreq, false); 48062306a36Sopenharmony_ci if (err) 48162306a36Sopenharmony_ci return err; 48262306a36Sopenharmony_ci 48362306a36Sopenharmony_ci kernel_fpu_begin(); 48462306a36Sopenharmony_ci aesni_cts_cbc_dec(ctx, walk.dst.virt.addr, walk.src.virt.addr, 48562306a36Sopenharmony_ci walk.nbytes, walk.iv); 48662306a36Sopenharmony_ci kernel_fpu_end(); 48762306a36Sopenharmony_ci 48862306a36Sopenharmony_ci return skcipher_walk_done(&walk, 0); 48962306a36Sopenharmony_ci} 49062306a36Sopenharmony_ci 49162306a36Sopenharmony_ci#ifdef CONFIG_X86_64 49262306a36Sopenharmony_cistatic void aesni_ctr_enc_avx_tfm(struct crypto_aes_ctx *ctx, u8 *out, 49362306a36Sopenharmony_ci const u8 *in, unsigned int len, u8 *iv) 49462306a36Sopenharmony_ci{ 49562306a36Sopenharmony_ci /* 49662306a36Sopenharmony_ci * based on key length, override with the by8 version 49762306a36Sopenharmony_ci * of ctr mode encryption/decryption for improved performance 49862306a36Sopenharmony_ci * aes_set_key_common() ensures that key length is one of 49962306a36Sopenharmony_ci * {128,192,256} 50062306a36Sopenharmony_ci */ 50162306a36Sopenharmony_ci if (ctx->key_length == AES_KEYSIZE_128) 50262306a36Sopenharmony_ci aes_ctr_enc_128_avx_by8(in, iv, (void *)ctx, out, len); 50362306a36Sopenharmony_ci else if (ctx->key_length == AES_KEYSIZE_192) 50462306a36Sopenharmony_ci aes_ctr_enc_192_avx_by8(in, iv, (void *)ctx, out, len); 50562306a36Sopenharmony_ci else 50662306a36Sopenharmony_ci aes_ctr_enc_256_avx_by8(in, iv, (void *)ctx, out, len); 50762306a36Sopenharmony_ci} 50862306a36Sopenharmony_ci 50962306a36Sopenharmony_cistatic int ctr_crypt(struct skcipher_request *req) 51062306a36Sopenharmony_ci{ 51162306a36Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 51262306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm)); 51362306a36Sopenharmony_ci u8 keystream[AES_BLOCK_SIZE]; 51462306a36Sopenharmony_ci struct skcipher_walk walk; 51562306a36Sopenharmony_ci unsigned int nbytes; 51662306a36Sopenharmony_ci int err; 51762306a36Sopenharmony_ci 51862306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, req, false); 51962306a36Sopenharmony_ci 52062306a36Sopenharmony_ci while ((nbytes = walk.nbytes) > 0) { 52162306a36Sopenharmony_ci kernel_fpu_begin(); 52262306a36Sopenharmony_ci if (nbytes & AES_BLOCK_MASK) 52362306a36Sopenharmony_ci static_call(aesni_ctr_enc_tfm)(ctx, walk.dst.virt.addr, 52462306a36Sopenharmony_ci walk.src.virt.addr, 52562306a36Sopenharmony_ci nbytes & AES_BLOCK_MASK, 52662306a36Sopenharmony_ci walk.iv); 52762306a36Sopenharmony_ci nbytes &= ~AES_BLOCK_MASK; 52862306a36Sopenharmony_ci 52962306a36Sopenharmony_ci if (walk.nbytes == walk.total && nbytes > 0) { 53062306a36Sopenharmony_ci aesni_enc(ctx, keystream, walk.iv); 53162306a36Sopenharmony_ci crypto_xor_cpy(walk.dst.virt.addr + walk.nbytes - nbytes, 53262306a36Sopenharmony_ci walk.src.virt.addr + walk.nbytes - nbytes, 53362306a36Sopenharmony_ci keystream, nbytes); 53462306a36Sopenharmony_ci crypto_inc(walk.iv, AES_BLOCK_SIZE); 53562306a36Sopenharmony_ci nbytes = 0; 53662306a36Sopenharmony_ci } 53762306a36Sopenharmony_ci kernel_fpu_end(); 53862306a36Sopenharmony_ci err = skcipher_walk_done(&walk, nbytes); 53962306a36Sopenharmony_ci } 54062306a36Sopenharmony_ci return err; 54162306a36Sopenharmony_ci} 54262306a36Sopenharmony_ci 54362306a36Sopenharmony_cistatic void aesni_xctr_enc_avx_tfm(struct crypto_aes_ctx *ctx, u8 *out, 54462306a36Sopenharmony_ci const u8 *in, unsigned int len, u8 *iv, 54562306a36Sopenharmony_ci unsigned int byte_ctr) 54662306a36Sopenharmony_ci{ 54762306a36Sopenharmony_ci if (ctx->key_length == AES_KEYSIZE_128) 54862306a36Sopenharmony_ci aes_xctr_enc_128_avx_by8(in, iv, (void *)ctx, out, len, 54962306a36Sopenharmony_ci byte_ctr); 55062306a36Sopenharmony_ci else if (ctx->key_length == AES_KEYSIZE_192) 55162306a36Sopenharmony_ci aes_xctr_enc_192_avx_by8(in, iv, (void *)ctx, out, len, 55262306a36Sopenharmony_ci byte_ctr); 55362306a36Sopenharmony_ci else 55462306a36Sopenharmony_ci aes_xctr_enc_256_avx_by8(in, iv, (void *)ctx, out, len, 55562306a36Sopenharmony_ci byte_ctr); 55662306a36Sopenharmony_ci} 55762306a36Sopenharmony_ci 55862306a36Sopenharmony_cistatic int xctr_crypt(struct skcipher_request *req) 55962306a36Sopenharmony_ci{ 56062306a36Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 56162306a36Sopenharmony_ci struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm)); 56262306a36Sopenharmony_ci u8 keystream[AES_BLOCK_SIZE]; 56362306a36Sopenharmony_ci struct skcipher_walk walk; 56462306a36Sopenharmony_ci unsigned int nbytes; 56562306a36Sopenharmony_ci unsigned int byte_ctr = 0; 56662306a36Sopenharmony_ci int err; 56762306a36Sopenharmony_ci __le32 block[AES_BLOCK_SIZE / sizeof(__le32)]; 56862306a36Sopenharmony_ci 56962306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, req, false); 57062306a36Sopenharmony_ci 57162306a36Sopenharmony_ci while ((nbytes = walk.nbytes) > 0) { 57262306a36Sopenharmony_ci kernel_fpu_begin(); 57362306a36Sopenharmony_ci if (nbytes & AES_BLOCK_MASK) 57462306a36Sopenharmony_ci aesni_xctr_enc_avx_tfm(ctx, walk.dst.virt.addr, 57562306a36Sopenharmony_ci walk.src.virt.addr, nbytes & AES_BLOCK_MASK, 57662306a36Sopenharmony_ci walk.iv, byte_ctr); 57762306a36Sopenharmony_ci nbytes &= ~AES_BLOCK_MASK; 57862306a36Sopenharmony_ci byte_ctr += walk.nbytes - nbytes; 57962306a36Sopenharmony_ci 58062306a36Sopenharmony_ci if (walk.nbytes == walk.total && nbytes > 0) { 58162306a36Sopenharmony_ci memcpy(block, walk.iv, AES_BLOCK_SIZE); 58262306a36Sopenharmony_ci block[0] ^= cpu_to_le32(1 + byte_ctr / AES_BLOCK_SIZE); 58362306a36Sopenharmony_ci aesni_enc(ctx, keystream, (u8 *)block); 58462306a36Sopenharmony_ci crypto_xor_cpy(walk.dst.virt.addr + walk.nbytes - 58562306a36Sopenharmony_ci nbytes, walk.src.virt.addr + walk.nbytes 58662306a36Sopenharmony_ci - nbytes, keystream, nbytes); 58762306a36Sopenharmony_ci byte_ctr += nbytes; 58862306a36Sopenharmony_ci nbytes = 0; 58962306a36Sopenharmony_ci } 59062306a36Sopenharmony_ci kernel_fpu_end(); 59162306a36Sopenharmony_ci err = skcipher_walk_done(&walk, nbytes); 59262306a36Sopenharmony_ci } 59362306a36Sopenharmony_ci return err; 59462306a36Sopenharmony_ci} 59562306a36Sopenharmony_ci 59662306a36Sopenharmony_cistatic int 59762306a36Sopenharmony_cirfc4106_set_hash_subkey(u8 *hash_subkey, const u8 *key, unsigned int key_len) 59862306a36Sopenharmony_ci{ 59962306a36Sopenharmony_ci struct crypto_aes_ctx ctx; 60062306a36Sopenharmony_ci int ret; 60162306a36Sopenharmony_ci 60262306a36Sopenharmony_ci ret = aes_expandkey(&ctx, key, key_len); 60362306a36Sopenharmony_ci if (ret) 60462306a36Sopenharmony_ci return ret; 60562306a36Sopenharmony_ci 60662306a36Sopenharmony_ci /* Clear the data in the hash sub key container to zero.*/ 60762306a36Sopenharmony_ci /* We want to cipher all zeros to create the hash sub key. */ 60862306a36Sopenharmony_ci memset(hash_subkey, 0, RFC4106_HASH_SUBKEY_SIZE); 60962306a36Sopenharmony_ci 61062306a36Sopenharmony_ci aes_encrypt(&ctx, hash_subkey, hash_subkey); 61162306a36Sopenharmony_ci 61262306a36Sopenharmony_ci memzero_explicit(&ctx, sizeof(ctx)); 61362306a36Sopenharmony_ci return 0; 61462306a36Sopenharmony_ci} 61562306a36Sopenharmony_ci 61662306a36Sopenharmony_cistatic int common_rfc4106_set_key(struct crypto_aead *aead, const u8 *key, 61762306a36Sopenharmony_ci unsigned int key_len) 61862306a36Sopenharmony_ci{ 61962306a36Sopenharmony_ci struct aesni_rfc4106_gcm_ctx *ctx = aesni_rfc4106_gcm_ctx_get(aead); 62062306a36Sopenharmony_ci 62162306a36Sopenharmony_ci if (key_len < 4) 62262306a36Sopenharmony_ci return -EINVAL; 62362306a36Sopenharmony_ci 62462306a36Sopenharmony_ci /*Account for 4 byte nonce at the end.*/ 62562306a36Sopenharmony_ci key_len -= 4; 62662306a36Sopenharmony_ci 62762306a36Sopenharmony_ci memcpy(ctx->nonce, key + key_len, sizeof(ctx->nonce)); 62862306a36Sopenharmony_ci 62962306a36Sopenharmony_ci return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?: 63062306a36Sopenharmony_ci rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len); 63162306a36Sopenharmony_ci} 63262306a36Sopenharmony_ci 63362306a36Sopenharmony_ci/* This is the Integrity Check Value (aka the authentication tag) length and can 63462306a36Sopenharmony_ci * be 8, 12 or 16 bytes long. */ 63562306a36Sopenharmony_cistatic int common_rfc4106_set_authsize(struct crypto_aead *aead, 63662306a36Sopenharmony_ci unsigned int authsize) 63762306a36Sopenharmony_ci{ 63862306a36Sopenharmony_ci switch (authsize) { 63962306a36Sopenharmony_ci case 8: 64062306a36Sopenharmony_ci case 12: 64162306a36Sopenharmony_ci case 16: 64262306a36Sopenharmony_ci break; 64362306a36Sopenharmony_ci default: 64462306a36Sopenharmony_ci return -EINVAL; 64562306a36Sopenharmony_ci } 64662306a36Sopenharmony_ci 64762306a36Sopenharmony_ci return 0; 64862306a36Sopenharmony_ci} 64962306a36Sopenharmony_ci 65062306a36Sopenharmony_cistatic int generic_gcmaes_set_authsize(struct crypto_aead *tfm, 65162306a36Sopenharmony_ci unsigned int authsize) 65262306a36Sopenharmony_ci{ 65362306a36Sopenharmony_ci switch (authsize) { 65462306a36Sopenharmony_ci case 4: 65562306a36Sopenharmony_ci case 8: 65662306a36Sopenharmony_ci case 12: 65762306a36Sopenharmony_ci case 13: 65862306a36Sopenharmony_ci case 14: 65962306a36Sopenharmony_ci case 15: 66062306a36Sopenharmony_ci case 16: 66162306a36Sopenharmony_ci break; 66262306a36Sopenharmony_ci default: 66362306a36Sopenharmony_ci return -EINVAL; 66462306a36Sopenharmony_ci } 66562306a36Sopenharmony_ci 66662306a36Sopenharmony_ci return 0; 66762306a36Sopenharmony_ci} 66862306a36Sopenharmony_ci 66962306a36Sopenharmony_cistatic int gcmaes_crypt_by_sg(bool enc, struct aead_request *req, 67062306a36Sopenharmony_ci unsigned int assoclen, u8 *hash_subkey, 67162306a36Sopenharmony_ci u8 *iv, void *aes_ctx, u8 *auth_tag, 67262306a36Sopenharmony_ci unsigned long auth_tag_len) 67362306a36Sopenharmony_ci{ 67462306a36Sopenharmony_ci u8 databuf[sizeof(struct gcm_context_data) + (AESNI_ALIGN - 8)] __aligned(8); 67562306a36Sopenharmony_ci struct gcm_context_data *data = PTR_ALIGN((void *)databuf, AESNI_ALIGN); 67662306a36Sopenharmony_ci unsigned long left = req->cryptlen; 67762306a36Sopenharmony_ci struct scatter_walk assoc_sg_walk; 67862306a36Sopenharmony_ci struct skcipher_walk walk; 67962306a36Sopenharmony_ci bool do_avx, do_avx2; 68062306a36Sopenharmony_ci u8 *assocmem = NULL; 68162306a36Sopenharmony_ci u8 *assoc; 68262306a36Sopenharmony_ci int err; 68362306a36Sopenharmony_ci 68462306a36Sopenharmony_ci if (!enc) 68562306a36Sopenharmony_ci left -= auth_tag_len; 68662306a36Sopenharmony_ci 68762306a36Sopenharmony_ci do_avx = (left >= AVX_GEN2_OPTSIZE); 68862306a36Sopenharmony_ci do_avx2 = (left >= AVX_GEN4_OPTSIZE); 68962306a36Sopenharmony_ci 69062306a36Sopenharmony_ci /* Linearize assoc, if not already linear */ 69162306a36Sopenharmony_ci if (req->src->length >= assoclen && req->src->length) { 69262306a36Sopenharmony_ci scatterwalk_start(&assoc_sg_walk, req->src); 69362306a36Sopenharmony_ci assoc = scatterwalk_map(&assoc_sg_walk); 69462306a36Sopenharmony_ci } else { 69562306a36Sopenharmony_ci gfp_t flags = (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ? 69662306a36Sopenharmony_ci GFP_KERNEL : GFP_ATOMIC; 69762306a36Sopenharmony_ci 69862306a36Sopenharmony_ci /* assoc can be any length, so must be on heap */ 69962306a36Sopenharmony_ci assocmem = kmalloc(assoclen, flags); 70062306a36Sopenharmony_ci if (unlikely(!assocmem)) 70162306a36Sopenharmony_ci return -ENOMEM; 70262306a36Sopenharmony_ci assoc = assocmem; 70362306a36Sopenharmony_ci 70462306a36Sopenharmony_ci scatterwalk_map_and_copy(assoc, req->src, 0, assoclen, 0); 70562306a36Sopenharmony_ci } 70662306a36Sopenharmony_ci 70762306a36Sopenharmony_ci kernel_fpu_begin(); 70862306a36Sopenharmony_ci if (static_branch_likely(&gcm_use_avx2) && do_avx2) 70962306a36Sopenharmony_ci aesni_gcm_init_avx_gen4(aes_ctx, data, iv, hash_subkey, assoc, 71062306a36Sopenharmony_ci assoclen); 71162306a36Sopenharmony_ci else if (static_branch_likely(&gcm_use_avx) && do_avx) 71262306a36Sopenharmony_ci aesni_gcm_init_avx_gen2(aes_ctx, data, iv, hash_subkey, assoc, 71362306a36Sopenharmony_ci assoclen); 71462306a36Sopenharmony_ci else 71562306a36Sopenharmony_ci aesni_gcm_init(aes_ctx, data, iv, hash_subkey, assoc, assoclen); 71662306a36Sopenharmony_ci kernel_fpu_end(); 71762306a36Sopenharmony_ci 71862306a36Sopenharmony_ci if (!assocmem) 71962306a36Sopenharmony_ci scatterwalk_unmap(assoc); 72062306a36Sopenharmony_ci else 72162306a36Sopenharmony_ci kfree(assocmem); 72262306a36Sopenharmony_ci 72362306a36Sopenharmony_ci err = enc ? skcipher_walk_aead_encrypt(&walk, req, false) 72462306a36Sopenharmony_ci : skcipher_walk_aead_decrypt(&walk, req, false); 72562306a36Sopenharmony_ci 72662306a36Sopenharmony_ci while (walk.nbytes > 0) { 72762306a36Sopenharmony_ci kernel_fpu_begin(); 72862306a36Sopenharmony_ci if (static_branch_likely(&gcm_use_avx2) && do_avx2) { 72962306a36Sopenharmony_ci if (enc) 73062306a36Sopenharmony_ci aesni_gcm_enc_update_avx_gen4(aes_ctx, data, 73162306a36Sopenharmony_ci walk.dst.virt.addr, 73262306a36Sopenharmony_ci walk.src.virt.addr, 73362306a36Sopenharmony_ci walk.nbytes); 73462306a36Sopenharmony_ci else 73562306a36Sopenharmony_ci aesni_gcm_dec_update_avx_gen4(aes_ctx, data, 73662306a36Sopenharmony_ci walk.dst.virt.addr, 73762306a36Sopenharmony_ci walk.src.virt.addr, 73862306a36Sopenharmony_ci walk.nbytes); 73962306a36Sopenharmony_ci } else if (static_branch_likely(&gcm_use_avx) && do_avx) { 74062306a36Sopenharmony_ci if (enc) 74162306a36Sopenharmony_ci aesni_gcm_enc_update_avx_gen2(aes_ctx, data, 74262306a36Sopenharmony_ci walk.dst.virt.addr, 74362306a36Sopenharmony_ci walk.src.virt.addr, 74462306a36Sopenharmony_ci walk.nbytes); 74562306a36Sopenharmony_ci else 74662306a36Sopenharmony_ci aesni_gcm_dec_update_avx_gen2(aes_ctx, data, 74762306a36Sopenharmony_ci walk.dst.virt.addr, 74862306a36Sopenharmony_ci walk.src.virt.addr, 74962306a36Sopenharmony_ci walk.nbytes); 75062306a36Sopenharmony_ci } else if (enc) { 75162306a36Sopenharmony_ci aesni_gcm_enc_update(aes_ctx, data, walk.dst.virt.addr, 75262306a36Sopenharmony_ci walk.src.virt.addr, walk.nbytes); 75362306a36Sopenharmony_ci } else { 75462306a36Sopenharmony_ci aesni_gcm_dec_update(aes_ctx, data, walk.dst.virt.addr, 75562306a36Sopenharmony_ci walk.src.virt.addr, walk.nbytes); 75662306a36Sopenharmony_ci } 75762306a36Sopenharmony_ci kernel_fpu_end(); 75862306a36Sopenharmony_ci 75962306a36Sopenharmony_ci err = skcipher_walk_done(&walk, 0); 76062306a36Sopenharmony_ci } 76162306a36Sopenharmony_ci 76262306a36Sopenharmony_ci if (err) 76362306a36Sopenharmony_ci return err; 76462306a36Sopenharmony_ci 76562306a36Sopenharmony_ci kernel_fpu_begin(); 76662306a36Sopenharmony_ci if (static_branch_likely(&gcm_use_avx2) && do_avx2) 76762306a36Sopenharmony_ci aesni_gcm_finalize_avx_gen4(aes_ctx, data, auth_tag, 76862306a36Sopenharmony_ci auth_tag_len); 76962306a36Sopenharmony_ci else if (static_branch_likely(&gcm_use_avx) && do_avx) 77062306a36Sopenharmony_ci aesni_gcm_finalize_avx_gen2(aes_ctx, data, auth_tag, 77162306a36Sopenharmony_ci auth_tag_len); 77262306a36Sopenharmony_ci else 77362306a36Sopenharmony_ci aesni_gcm_finalize(aes_ctx, data, auth_tag, auth_tag_len); 77462306a36Sopenharmony_ci kernel_fpu_end(); 77562306a36Sopenharmony_ci 77662306a36Sopenharmony_ci return 0; 77762306a36Sopenharmony_ci} 77862306a36Sopenharmony_ci 77962306a36Sopenharmony_cistatic int gcmaes_encrypt(struct aead_request *req, unsigned int assoclen, 78062306a36Sopenharmony_ci u8 *hash_subkey, u8 *iv, void *aes_ctx) 78162306a36Sopenharmony_ci{ 78262306a36Sopenharmony_ci struct crypto_aead *tfm = crypto_aead_reqtfm(req); 78362306a36Sopenharmony_ci unsigned long auth_tag_len = crypto_aead_authsize(tfm); 78462306a36Sopenharmony_ci u8 auth_tag[16]; 78562306a36Sopenharmony_ci int err; 78662306a36Sopenharmony_ci 78762306a36Sopenharmony_ci err = gcmaes_crypt_by_sg(true, req, assoclen, hash_subkey, iv, aes_ctx, 78862306a36Sopenharmony_ci auth_tag, auth_tag_len); 78962306a36Sopenharmony_ci if (err) 79062306a36Sopenharmony_ci return err; 79162306a36Sopenharmony_ci 79262306a36Sopenharmony_ci scatterwalk_map_and_copy(auth_tag, req->dst, 79362306a36Sopenharmony_ci req->assoclen + req->cryptlen, 79462306a36Sopenharmony_ci auth_tag_len, 1); 79562306a36Sopenharmony_ci return 0; 79662306a36Sopenharmony_ci} 79762306a36Sopenharmony_ci 79862306a36Sopenharmony_cistatic int gcmaes_decrypt(struct aead_request *req, unsigned int assoclen, 79962306a36Sopenharmony_ci u8 *hash_subkey, u8 *iv, void *aes_ctx) 80062306a36Sopenharmony_ci{ 80162306a36Sopenharmony_ci struct crypto_aead *tfm = crypto_aead_reqtfm(req); 80262306a36Sopenharmony_ci unsigned long auth_tag_len = crypto_aead_authsize(tfm); 80362306a36Sopenharmony_ci u8 auth_tag_msg[16]; 80462306a36Sopenharmony_ci u8 auth_tag[16]; 80562306a36Sopenharmony_ci int err; 80662306a36Sopenharmony_ci 80762306a36Sopenharmony_ci err = gcmaes_crypt_by_sg(false, req, assoclen, hash_subkey, iv, aes_ctx, 80862306a36Sopenharmony_ci auth_tag, auth_tag_len); 80962306a36Sopenharmony_ci if (err) 81062306a36Sopenharmony_ci return err; 81162306a36Sopenharmony_ci 81262306a36Sopenharmony_ci /* Copy out original auth_tag */ 81362306a36Sopenharmony_ci scatterwalk_map_and_copy(auth_tag_msg, req->src, 81462306a36Sopenharmony_ci req->assoclen + req->cryptlen - auth_tag_len, 81562306a36Sopenharmony_ci auth_tag_len, 0); 81662306a36Sopenharmony_ci 81762306a36Sopenharmony_ci /* Compare generated tag with passed in tag. */ 81862306a36Sopenharmony_ci if (crypto_memneq(auth_tag_msg, auth_tag, auth_tag_len)) { 81962306a36Sopenharmony_ci memzero_explicit(auth_tag, sizeof(auth_tag)); 82062306a36Sopenharmony_ci return -EBADMSG; 82162306a36Sopenharmony_ci } 82262306a36Sopenharmony_ci return 0; 82362306a36Sopenharmony_ci} 82462306a36Sopenharmony_ci 82562306a36Sopenharmony_cistatic int helper_rfc4106_encrypt(struct aead_request *req) 82662306a36Sopenharmony_ci{ 82762306a36Sopenharmony_ci struct crypto_aead *tfm = crypto_aead_reqtfm(req); 82862306a36Sopenharmony_ci struct aesni_rfc4106_gcm_ctx *ctx = aesni_rfc4106_gcm_ctx_get(tfm); 82962306a36Sopenharmony_ci void *aes_ctx = &(ctx->aes_key_expanded); 83062306a36Sopenharmony_ci u8 ivbuf[16 + (AESNI_ALIGN - 8)] __aligned(8); 83162306a36Sopenharmony_ci u8 *iv = PTR_ALIGN(&ivbuf[0], AESNI_ALIGN); 83262306a36Sopenharmony_ci unsigned int i; 83362306a36Sopenharmony_ci __be32 counter = cpu_to_be32(1); 83462306a36Sopenharmony_ci 83562306a36Sopenharmony_ci /* Assuming we are supporting rfc4106 64-bit extended */ 83662306a36Sopenharmony_ci /* sequence numbers We need to have the AAD length equal */ 83762306a36Sopenharmony_ci /* to 16 or 20 bytes */ 83862306a36Sopenharmony_ci if (unlikely(req->assoclen != 16 && req->assoclen != 20)) 83962306a36Sopenharmony_ci return -EINVAL; 84062306a36Sopenharmony_ci 84162306a36Sopenharmony_ci /* IV below built */ 84262306a36Sopenharmony_ci for (i = 0; i < 4; i++) 84362306a36Sopenharmony_ci *(iv+i) = ctx->nonce[i]; 84462306a36Sopenharmony_ci for (i = 0; i < 8; i++) 84562306a36Sopenharmony_ci *(iv+4+i) = req->iv[i]; 84662306a36Sopenharmony_ci *((__be32 *)(iv+12)) = counter; 84762306a36Sopenharmony_ci 84862306a36Sopenharmony_ci return gcmaes_encrypt(req, req->assoclen - 8, ctx->hash_subkey, iv, 84962306a36Sopenharmony_ci aes_ctx); 85062306a36Sopenharmony_ci} 85162306a36Sopenharmony_ci 85262306a36Sopenharmony_cistatic int helper_rfc4106_decrypt(struct aead_request *req) 85362306a36Sopenharmony_ci{ 85462306a36Sopenharmony_ci __be32 counter = cpu_to_be32(1); 85562306a36Sopenharmony_ci struct crypto_aead *tfm = crypto_aead_reqtfm(req); 85662306a36Sopenharmony_ci struct aesni_rfc4106_gcm_ctx *ctx = aesni_rfc4106_gcm_ctx_get(tfm); 85762306a36Sopenharmony_ci void *aes_ctx = &(ctx->aes_key_expanded); 85862306a36Sopenharmony_ci u8 ivbuf[16 + (AESNI_ALIGN - 8)] __aligned(8); 85962306a36Sopenharmony_ci u8 *iv = PTR_ALIGN(&ivbuf[0], AESNI_ALIGN); 86062306a36Sopenharmony_ci unsigned int i; 86162306a36Sopenharmony_ci 86262306a36Sopenharmony_ci if (unlikely(req->assoclen != 16 && req->assoclen != 20)) 86362306a36Sopenharmony_ci return -EINVAL; 86462306a36Sopenharmony_ci 86562306a36Sopenharmony_ci /* Assuming we are supporting rfc4106 64-bit extended */ 86662306a36Sopenharmony_ci /* sequence numbers We need to have the AAD length */ 86762306a36Sopenharmony_ci /* equal to 16 or 20 bytes */ 86862306a36Sopenharmony_ci 86962306a36Sopenharmony_ci /* IV below built */ 87062306a36Sopenharmony_ci for (i = 0; i < 4; i++) 87162306a36Sopenharmony_ci *(iv+i) = ctx->nonce[i]; 87262306a36Sopenharmony_ci for (i = 0; i < 8; i++) 87362306a36Sopenharmony_ci *(iv+4+i) = req->iv[i]; 87462306a36Sopenharmony_ci *((__be32 *)(iv+12)) = counter; 87562306a36Sopenharmony_ci 87662306a36Sopenharmony_ci return gcmaes_decrypt(req, req->assoclen - 8, ctx->hash_subkey, iv, 87762306a36Sopenharmony_ci aes_ctx); 87862306a36Sopenharmony_ci} 87962306a36Sopenharmony_ci#endif 88062306a36Sopenharmony_ci 88162306a36Sopenharmony_cistatic int xts_aesni_setkey(struct crypto_skcipher *tfm, const u8 *key, 88262306a36Sopenharmony_ci unsigned int keylen) 88362306a36Sopenharmony_ci{ 88462306a36Sopenharmony_ci struct aesni_xts_ctx *ctx = crypto_skcipher_ctx(tfm); 88562306a36Sopenharmony_ci int err; 88662306a36Sopenharmony_ci 88762306a36Sopenharmony_ci err = xts_verify_key(tfm, key, keylen); 88862306a36Sopenharmony_ci if (err) 88962306a36Sopenharmony_ci return err; 89062306a36Sopenharmony_ci 89162306a36Sopenharmony_ci keylen /= 2; 89262306a36Sopenharmony_ci 89362306a36Sopenharmony_ci /* first half of xts-key is for crypt */ 89462306a36Sopenharmony_ci err = aes_set_key_common(aes_ctx(ctx->raw_crypt_ctx), key, keylen); 89562306a36Sopenharmony_ci if (err) 89662306a36Sopenharmony_ci return err; 89762306a36Sopenharmony_ci 89862306a36Sopenharmony_ci /* second half of xts-key is for tweak */ 89962306a36Sopenharmony_ci return aes_set_key_common(aes_ctx(ctx->raw_tweak_ctx), key + keylen, 90062306a36Sopenharmony_ci keylen); 90162306a36Sopenharmony_ci} 90262306a36Sopenharmony_ci 90362306a36Sopenharmony_cistatic int xts_crypt(struct skcipher_request *req, bool encrypt) 90462306a36Sopenharmony_ci{ 90562306a36Sopenharmony_ci struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 90662306a36Sopenharmony_ci struct aesni_xts_ctx *ctx = crypto_skcipher_ctx(tfm); 90762306a36Sopenharmony_ci int tail = req->cryptlen % AES_BLOCK_SIZE; 90862306a36Sopenharmony_ci struct skcipher_request subreq; 90962306a36Sopenharmony_ci struct skcipher_walk walk; 91062306a36Sopenharmony_ci int err; 91162306a36Sopenharmony_ci 91262306a36Sopenharmony_ci if (req->cryptlen < AES_BLOCK_SIZE) 91362306a36Sopenharmony_ci return -EINVAL; 91462306a36Sopenharmony_ci 91562306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, req, false); 91662306a36Sopenharmony_ci if (!walk.nbytes) 91762306a36Sopenharmony_ci return err; 91862306a36Sopenharmony_ci 91962306a36Sopenharmony_ci if (unlikely(tail > 0 && walk.nbytes < walk.total)) { 92062306a36Sopenharmony_ci int blocks = DIV_ROUND_UP(req->cryptlen, AES_BLOCK_SIZE) - 2; 92162306a36Sopenharmony_ci 92262306a36Sopenharmony_ci skcipher_walk_abort(&walk); 92362306a36Sopenharmony_ci 92462306a36Sopenharmony_ci skcipher_request_set_tfm(&subreq, tfm); 92562306a36Sopenharmony_ci skcipher_request_set_callback(&subreq, 92662306a36Sopenharmony_ci skcipher_request_flags(req), 92762306a36Sopenharmony_ci NULL, NULL); 92862306a36Sopenharmony_ci skcipher_request_set_crypt(&subreq, req->src, req->dst, 92962306a36Sopenharmony_ci blocks * AES_BLOCK_SIZE, req->iv); 93062306a36Sopenharmony_ci req = &subreq; 93162306a36Sopenharmony_ci 93262306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, req, false); 93362306a36Sopenharmony_ci if (!walk.nbytes) 93462306a36Sopenharmony_ci return err; 93562306a36Sopenharmony_ci } else { 93662306a36Sopenharmony_ci tail = 0; 93762306a36Sopenharmony_ci } 93862306a36Sopenharmony_ci 93962306a36Sopenharmony_ci kernel_fpu_begin(); 94062306a36Sopenharmony_ci 94162306a36Sopenharmony_ci /* calculate first value of T */ 94262306a36Sopenharmony_ci aesni_enc(aes_ctx(ctx->raw_tweak_ctx), walk.iv, walk.iv); 94362306a36Sopenharmony_ci 94462306a36Sopenharmony_ci while (walk.nbytes > 0) { 94562306a36Sopenharmony_ci int nbytes = walk.nbytes; 94662306a36Sopenharmony_ci 94762306a36Sopenharmony_ci if (nbytes < walk.total) 94862306a36Sopenharmony_ci nbytes &= ~(AES_BLOCK_SIZE - 1); 94962306a36Sopenharmony_ci 95062306a36Sopenharmony_ci if (encrypt) 95162306a36Sopenharmony_ci aesni_xts_encrypt(aes_ctx(ctx->raw_crypt_ctx), 95262306a36Sopenharmony_ci walk.dst.virt.addr, walk.src.virt.addr, 95362306a36Sopenharmony_ci nbytes, walk.iv); 95462306a36Sopenharmony_ci else 95562306a36Sopenharmony_ci aesni_xts_decrypt(aes_ctx(ctx->raw_crypt_ctx), 95662306a36Sopenharmony_ci walk.dst.virt.addr, walk.src.virt.addr, 95762306a36Sopenharmony_ci nbytes, walk.iv); 95862306a36Sopenharmony_ci kernel_fpu_end(); 95962306a36Sopenharmony_ci 96062306a36Sopenharmony_ci err = skcipher_walk_done(&walk, walk.nbytes - nbytes); 96162306a36Sopenharmony_ci 96262306a36Sopenharmony_ci if (walk.nbytes > 0) 96362306a36Sopenharmony_ci kernel_fpu_begin(); 96462306a36Sopenharmony_ci } 96562306a36Sopenharmony_ci 96662306a36Sopenharmony_ci if (unlikely(tail > 0 && !err)) { 96762306a36Sopenharmony_ci struct scatterlist sg_src[2], sg_dst[2]; 96862306a36Sopenharmony_ci struct scatterlist *src, *dst; 96962306a36Sopenharmony_ci 97062306a36Sopenharmony_ci dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen); 97162306a36Sopenharmony_ci if (req->dst != req->src) 97262306a36Sopenharmony_ci dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen); 97362306a36Sopenharmony_ci 97462306a36Sopenharmony_ci skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail, 97562306a36Sopenharmony_ci req->iv); 97662306a36Sopenharmony_ci 97762306a36Sopenharmony_ci err = skcipher_walk_virt(&walk, &subreq, false); 97862306a36Sopenharmony_ci if (err) 97962306a36Sopenharmony_ci return err; 98062306a36Sopenharmony_ci 98162306a36Sopenharmony_ci kernel_fpu_begin(); 98262306a36Sopenharmony_ci if (encrypt) 98362306a36Sopenharmony_ci aesni_xts_encrypt(aes_ctx(ctx->raw_crypt_ctx), 98462306a36Sopenharmony_ci walk.dst.virt.addr, walk.src.virt.addr, 98562306a36Sopenharmony_ci walk.nbytes, walk.iv); 98662306a36Sopenharmony_ci else 98762306a36Sopenharmony_ci aesni_xts_decrypt(aes_ctx(ctx->raw_crypt_ctx), 98862306a36Sopenharmony_ci walk.dst.virt.addr, walk.src.virt.addr, 98962306a36Sopenharmony_ci walk.nbytes, walk.iv); 99062306a36Sopenharmony_ci kernel_fpu_end(); 99162306a36Sopenharmony_ci 99262306a36Sopenharmony_ci err = skcipher_walk_done(&walk, 0); 99362306a36Sopenharmony_ci } 99462306a36Sopenharmony_ci return err; 99562306a36Sopenharmony_ci} 99662306a36Sopenharmony_ci 99762306a36Sopenharmony_cistatic int xts_encrypt(struct skcipher_request *req) 99862306a36Sopenharmony_ci{ 99962306a36Sopenharmony_ci return xts_crypt(req, true); 100062306a36Sopenharmony_ci} 100162306a36Sopenharmony_ci 100262306a36Sopenharmony_cistatic int xts_decrypt(struct skcipher_request *req) 100362306a36Sopenharmony_ci{ 100462306a36Sopenharmony_ci return xts_crypt(req, false); 100562306a36Sopenharmony_ci} 100662306a36Sopenharmony_ci 100762306a36Sopenharmony_cistatic struct crypto_alg aesni_cipher_alg = { 100862306a36Sopenharmony_ci .cra_name = "aes", 100962306a36Sopenharmony_ci .cra_driver_name = "aes-aesni", 101062306a36Sopenharmony_ci .cra_priority = 300, 101162306a36Sopenharmony_ci .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 101262306a36Sopenharmony_ci .cra_blocksize = AES_BLOCK_SIZE, 101362306a36Sopenharmony_ci .cra_ctxsize = CRYPTO_AES_CTX_SIZE, 101462306a36Sopenharmony_ci .cra_module = THIS_MODULE, 101562306a36Sopenharmony_ci .cra_u = { 101662306a36Sopenharmony_ci .cipher = { 101762306a36Sopenharmony_ci .cia_min_keysize = AES_MIN_KEY_SIZE, 101862306a36Sopenharmony_ci .cia_max_keysize = AES_MAX_KEY_SIZE, 101962306a36Sopenharmony_ci .cia_setkey = aes_set_key, 102062306a36Sopenharmony_ci .cia_encrypt = aesni_encrypt, 102162306a36Sopenharmony_ci .cia_decrypt = aesni_decrypt 102262306a36Sopenharmony_ci } 102362306a36Sopenharmony_ci } 102462306a36Sopenharmony_ci}; 102562306a36Sopenharmony_ci 102662306a36Sopenharmony_cistatic struct skcipher_alg aesni_skciphers[] = { 102762306a36Sopenharmony_ci { 102862306a36Sopenharmony_ci .base = { 102962306a36Sopenharmony_ci .cra_name = "__ecb(aes)", 103062306a36Sopenharmony_ci .cra_driver_name = "__ecb-aes-aesni", 103162306a36Sopenharmony_ci .cra_priority = 400, 103262306a36Sopenharmony_ci .cra_flags = CRYPTO_ALG_INTERNAL, 103362306a36Sopenharmony_ci .cra_blocksize = AES_BLOCK_SIZE, 103462306a36Sopenharmony_ci .cra_ctxsize = CRYPTO_AES_CTX_SIZE, 103562306a36Sopenharmony_ci .cra_module = THIS_MODULE, 103662306a36Sopenharmony_ci }, 103762306a36Sopenharmony_ci .min_keysize = AES_MIN_KEY_SIZE, 103862306a36Sopenharmony_ci .max_keysize = AES_MAX_KEY_SIZE, 103962306a36Sopenharmony_ci .setkey = aesni_skcipher_setkey, 104062306a36Sopenharmony_ci .encrypt = ecb_encrypt, 104162306a36Sopenharmony_ci .decrypt = ecb_decrypt, 104262306a36Sopenharmony_ci }, { 104362306a36Sopenharmony_ci .base = { 104462306a36Sopenharmony_ci .cra_name = "__cbc(aes)", 104562306a36Sopenharmony_ci .cra_driver_name = "__cbc-aes-aesni", 104662306a36Sopenharmony_ci .cra_priority = 400, 104762306a36Sopenharmony_ci .cra_flags = CRYPTO_ALG_INTERNAL, 104862306a36Sopenharmony_ci .cra_blocksize = AES_BLOCK_SIZE, 104962306a36Sopenharmony_ci .cra_ctxsize = CRYPTO_AES_CTX_SIZE, 105062306a36Sopenharmony_ci .cra_module = THIS_MODULE, 105162306a36Sopenharmony_ci }, 105262306a36Sopenharmony_ci .min_keysize = AES_MIN_KEY_SIZE, 105362306a36Sopenharmony_ci .max_keysize = AES_MAX_KEY_SIZE, 105462306a36Sopenharmony_ci .ivsize = AES_BLOCK_SIZE, 105562306a36Sopenharmony_ci .setkey = aesni_skcipher_setkey, 105662306a36Sopenharmony_ci .encrypt = cbc_encrypt, 105762306a36Sopenharmony_ci .decrypt = cbc_decrypt, 105862306a36Sopenharmony_ci }, { 105962306a36Sopenharmony_ci .base = { 106062306a36Sopenharmony_ci .cra_name = "__cts(cbc(aes))", 106162306a36Sopenharmony_ci .cra_driver_name = "__cts-cbc-aes-aesni", 106262306a36Sopenharmony_ci .cra_priority = 400, 106362306a36Sopenharmony_ci .cra_flags = CRYPTO_ALG_INTERNAL, 106462306a36Sopenharmony_ci .cra_blocksize = AES_BLOCK_SIZE, 106562306a36Sopenharmony_ci .cra_ctxsize = CRYPTO_AES_CTX_SIZE, 106662306a36Sopenharmony_ci .cra_module = THIS_MODULE, 106762306a36Sopenharmony_ci }, 106862306a36Sopenharmony_ci .min_keysize = AES_MIN_KEY_SIZE, 106962306a36Sopenharmony_ci .max_keysize = AES_MAX_KEY_SIZE, 107062306a36Sopenharmony_ci .ivsize = AES_BLOCK_SIZE, 107162306a36Sopenharmony_ci .walksize = 2 * AES_BLOCK_SIZE, 107262306a36Sopenharmony_ci .setkey = aesni_skcipher_setkey, 107362306a36Sopenharmony_ci .encrypt = cts_cbc_encrypt, 107462306a36Sopenharmony_ci .decrypt = cts_cbc_decrypt, 107562306a36Sopenharmony_ci#ifdef CONFIG_X86_64 107662306a36Sopenharmony_ci }, { 107762306a36Sopenharmony_ci .base = { 107862306a36Sopenharmony_ci .cra_name = "__ctr(aes)", 107962306a36Sopenharmony_ci .cra_driver_name = "__ctr-aes-aesni", 108062306a36Sopenharmony_ci .cra_priority = 400, 108162306a36Sopenharmony_ci .cra_flags = CRYPTO_ALG_INTERNAL, 108262306a36Sopenharmony_ci .cra_blocksize = 1, 108362306a36Sopenharmony_ci .cra_ctxsize = CRYPTO_AES_CTX_SIZE, 108462306a36Sopenharmony_ci .cra_module = THIS_MODULE, 108562306a36Sopenharmony_ci }, 108662306a36Sopenharmony_ci .min_keysize = AES_MIN_KEY_SIZE, 108762306a36Sopenharmony_ci .max_keysize = AES_MAX_KEY_SIZE, 108862306a36Sopenharmony_ci .ivsize = AES_BLOCK_SIZE, 108962306a36Sopenharmony_ci .chunksize = AES_BLOCK_SIZE, 109062306a36Sopenharmony_ci .setkey = aesni_skcipher_setkey, 109162306a36Sopenharmony_ci .encrypt = ctr_crypt, 109262306a36Sopenharmony_ci .decrypt = ctr_crypt, 109362306a36Sopenharmony_ci#endif 109462306a36Sopenharmony_ci }, { 109562306a36Sopenharmony_ci .base = { 109662306a36Sopenharmony_ci .cra_name = "__xts(aes)", 109762306a36Sopenharmony_ci .cra_driver_name = "__xts-aes-aesni", 109862306a36Sopenharmony_ci .cra_priority = 401, 109962306a36Sopenharmony_ci .cra_flags = CRYPTO_ALG_INTERNAL, 110062306a36Sopenharmony_ci .cra_blocksize = AES_BLOCK_SIZE, 110162306a36Sopenharmony_ci .cra_ctxsize = XTS_AES_CTX_SIZE, 110262306a36Sopenharmony_ci .cra_module = THIS_MODULE, 110362306a36Sopenharmony_ci }, 110462306a36Sopenharmony_ci .min_keysize = 2 * AES_MIN_KEY_SIZE, 110562306a36Sopenharmony_ci .max_keysize = 2 * AES_MAX_KEY_SIZE, 110662306a36Sopenharmony_ci .ivsize = AES_BLOCK_SIZE, 110762306a36Sopenharmony_ci .walksize = 2 * AES_BLOCK_SIZE, 110862306a36Sopenharmony_ci .setkey = xts_aesni_setkey, 110962306a36Sopenharmony_ci .encrypt = xts_encrypt, 111062306a36Sopenharmony_ci .decrypt = xts_decrypt, 111162306a36Sopenharmony_ci } 111262306a36Sopenharmony_ci}; 111362306a36Sopenharmony_ci 111462306a36Sopenharmony_cistatic 111562306a36Sopenharmony_cistruct simd_skcipher_alg *aesni_simd_skciphers[ARRAY_SIZE(aesni_skciphers)]; 111662306a36Sopenharmony_ci 111762306a36Sopenharmony_ci#ifdef CONFIG_X86_64 111862306a36Sopenharmony_ci/* 111962306a36Sopenharmony_ci * XCTR does not have a non-AVX implementation, so it must be enabled 112062306a36Sopenharmony_ci * conditionally. 112162306a36Sopenharmony_ci */ 112262306a36Sopenharmony_cistatic struct skcipher_alg aesni_xctr = { 112362306a36Sopenharmony_ci .base = { 112462306a36Sopenharmony_ci .cra_name = "__xctr(aes)", 112562306a36Sopenharmony_ci .cra_driver_name = "__xctr-aes-aesni", 112662306a36Sopenharmony_ci .cra_priority = 400, 112762306a36Sopenharmony_ci .cra_flags = CRYPTO_ALG_INTERNAL, 112862306a36Sopenharmony_ci .cra_blocksize = 1, 112962306a36Sopenharmony_ci .cra_ctxsize = CRYPTO_AES_CTX_SIZE, 113062306a36Sopenharmony_ci .cra_module = THIS_MODULE, 113162306a36Sopenharmony_ci }, 113262306a36Sopenharmony_ci .min_keysize = AES_MIN_KEY_SIZE, 113362306a36Sopenharmony_ci .max_keysize = AES_MAX_KEY_SIZE, 113462306a36Sopenharmony_ci .ivsize = AES_BLOCK_SIZE, 113562306a36Sopenharmony_ci .chunksize = AES_BLOCK_SIZE, 113662306a36Sopenharmony_ci .setkey = aesni_skcipher_setkey, 113762306a36Sopenharmony_ci .encrypt = xctr_crypt, 113862306a36Sopenharmony_ci .decrypt = xctr_crypt, 113962306a36Sopenharmony_ci}; 114062306a36Sopenharmony_ci 114162306a36Sopenharmony_cistatic struct simd_skcipher_alg *aesni_simd_xctr; 114262306a36Sopenharmony_ci#endif /* CONFIG_X86_64 */ 114362306a36Sopenharmony_ci 114462306a36Sopenharmony_ci#ifdef CONFIG_X86_64 114562306a36Sopenharmony_cistatic int generic_gcmaes_set_key(struct crypto_aead *aead, const u8 *key, 114662306a36Sopenharmony_ci unsigned int key_len) 114762306a36Sopenharmony_ci{ 114862306a36Sopenharmony_ci struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(aead); 114962306a36Sopenharmony_ci 115062306a36Sopenharmony_ci return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?: 115162306a36Sopenharmony_ci rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len); 115262306a36Sopenharmony_ci} 115362306a36Sopenharmony_ci 115462306a36Sopenharmony_cistatic int generic_gcmaes_encrypt(struct aead_request *req) 115562306a36Sopenharmony_ci{ 115662306a36Sopenharmony_ci struct crypto_aead *tfm = crypto_aead_reqtfm(req); 115762306a36Sopenharmony_ci struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(tfm); 115862306a36Sopenharmony_ci void *aes_ctx = &(ctx->aes_key_expanded); 115962306a36Sopenharmony_ci u8 ivbuf[16 + (AESNI_ALIGN - 8)] __aligned(8); 116062306a36Sopenharmony_ci u8 *iv = PTR_ALIGN(&ivbuf[0], AESNI_ALIGN); 116162306a36Sopenharmony_ci __be32 counter = cpu_to_be32(1); 116262306a36Sopenharmony_ci 116362306a36Sopenharmony_ci memcpy(iv, req->iv, 12); 116462306a36Sopenharmony_ci *((__be32 *)(iv+12)) = counter; 116562306a36Sopenharmony_ci 116662306a36Sopenharmony_ci return gcmaes_encrypt(req, req->assoclen, ctx->hash_subkey, iv, 116762306a36Sopenharmony_ci aes_ctx); 116862306a36Sopenharmony_ci} 116962306a36Sopenharmony_ci 117062306a36Sopenharmony_cistatic int generic_gcmaes_decrypt(struct aead_request *req) 117162306a36Sopenharmony_ci{ 117262306a36Sopenharmony_ci __be32 counter = cpu_to_be32(1); 117362306a36Sopenharmony_ci struct crypto_aead *tfm = crypto_aead_reqtfm(req); 117462306a36Sopenharmony_ci struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(tfm); 117562306a36Sopenharmony_ci void *aes_ctx = &(ctx->aes_key_expanded); 117662306a36Sopenharmony_ci u8 ivbuf[16 + (AESNI_ALIGN - 8)] __aligned(8); 117762306a36Sopenharmony_ci u8 *iv = PTR_ALIGN(&ivbuf[0], AESNI_ALIGN); 117862306a36Sopenharmony_ci 117962306a36Sopenharmony_ci memcpy(iv, req->iv, 12); 118062306a36Sopenharmony_ci *((__be32 *)(iv+12)) = counter; 118162306a36Sopenharmony_ci 118262306a36Sopenharmony_ci return gcmaes_decrypt(req, req->assoclen, ctx->hash_subkey, iv, 118362306a36Sopenharmony_ci aes_ctx); 118462306a36Sopenharmony_ci} 118562306a36Sopenharmony_ci 118662306a36Sopenharmony_cistatic struct aead_alg aesni_aeads[] = { { 118762306a36Sopenharmony_ci .setkey = common_rfc4106_set_key, 118862306a36Sopenharmony_ci .setauthsize = common_rfc4106_set_authsize, 118962306a36Sopenharmony_ci .encrypt = helper_rfc4106_encrypt, 119062306a36Sopenharmony_ci .decrypt = helper_rfc4106_decrypt, 119162306a36Sopenharmony_ci .ivsize = GCM_RFC4106_IV_SIZE, 119262306a36Sopenharmony_ci .maxauthsize = 16, 119362306a36Sopenharmony_ci .base = { 119462306a36Sopenharmony_ci .cra_name = "__rfc4106(gcm(aes))", 119562306a36Sopenharmony_ci .cra_driver_name = "__rfc4106-gcm-aesni", 119662306a36Sopenharmony_ci .cra_priority = 400, 119762306a36Sopenharmony_ci .cra_flags = CRYPTO_ALG_INTERNAL, 119862306a36Sopenharmony_ci .cra_blocksize = 1, 119962306a36Sopenharmony_ci .cra_ctxsize = sizeof(struct aesni_rfc4106_gcm_ctx), 120062306a36Sopenharmony_ci .cra_alignmask = 0, 120162306a36Sopenharmony_ci .cra_module = THIS_MODULE, 120262306a36Sopenharmony_ci }, 120362306a36Sopenharmony_ci}, { 120462306a36Sopenharmony_ci .setkey = generic_gcmaes_set_key, 120562306a36Sopenharmony_ci .setauthsize = generic_gcmaes_set_authsize, 120662306a36Sopenharmony_ci .encrypt = generic_gcmaes_encrypt, 120762306a36Sopenharmony_ci .decrypt = generic_gcmaes_decrypt, 120862306a36Sopenharmony_ci .ivsize = GCM_AES_IV_SIZE, 120962306a36Sopenharmony_ci .maxauthsize = 16, 121062306a36Sopenharmony_ci .base = { 121162306a36Sopenharmony_ci .cra_name = "__gcm(aes)", 121262306a36Sopenharmony_ci .cra_driver_name = "__generic-gcm-aesni", 121362306a36Sopenharmony_ci .cra_priority = 400, 121462306a36Sopenharmony_ci .cra_flags = CRYPTO_ALG_INTERNAL, 121562306a36Sopenharmony_ci .cra_blocksize = 1, 121662306a36Sopenharmony_ci .cra_ctxsize = sizeof(struct generic_gcmaes_ctx), 121762306a36Sopenharmony_ci .cra_alignmask = 0, 121862306a36Sopenharmony_ci .cra_module = THIS_MODULE, 121962306a36Sopenharmony_ci }, 122062306a36Sopenharmony_ci} }; 122162306a36Sopenharmony_ci#else 122262306a36Sopenharmony_cistatic struct aead_alg aesni_aeads[0]; 122362306a36Sopenharmony_ci#endif 122462306a36Sopenharmony_ci 122562306a36Sopenharmony_cistatic struct simd_aead_alg *aesni_simd_aeads[ARRAY_SIZE(aesni_aeads)]; 122662306a36Sopenharmony_ci 122762306a36Sopenharmony_cistatic const struct x86_cpu_id aesni_cpu_id[] = { 122862306a36Sopenharmony_ci X86_MATCH_FEATURE(X86_FEATURE_AES, NULL), 122962306a36Sopenharmony_ci {} 123062306a36Sopenharmony_ci}; 123162306a36Sopenharmony_ciMODULE_DEVICE_TABLE(x86cpu, aesni_cpu_id); 123262306a36Sopenharmony_ci 123362306a36Sopenharmony_cistatic int __init aesni_init(void) 123462306a36Sopenharmony_ci{ 123562306a36Sopenharmony_ci int err; 123662306a36Sopenharmony_ci 123762306a36Sopenharmony_ci if (!x86_match_cpu(aesni_cpu_id)) 123862306a36Sopenharmony_ci return -ENODEV; 123962306a36Sopenharmony_ci#ifdef CONFIG_X86_64 124062306a36Sopenharmony_ci if (boot_cpu_has(X86_FEATURE_AVX2)) { 124162306a36Sopenharmony_ci pr_info("AVX2 version of gcm_enc/dec engaged.\n"); 124262306a36Sopenharmony_ci static_branch_enable(&gcm_use_avx); 124362306a36Sopenharmony_ci static_branch_enable(&gcm_use_avx2); 124462306a36Sopenharmony_ci } else 124562306a36Sopenharmony_ci if (boot_cpu_has(X86_FEATURE_AVX)) { 124662306a36Sopenharmony_ci pr_info("AVX version of gcm_enc/dec engaged.\n"); 124762306a36Sopenharmony_ci static_branch_enable(&gcm_use_avx); 124862306a36Sopenharmony_ci } else { 124962306a36Sopenharmony_ci pr_info("SSE version of gcm_enc/dec engaged.\n"); 125062306a36Sopenharmony_ci } 125162306a36Sopenharmony_ci if (boot_cpu_has(X86_FEATURE_AVX)) { 125262306a36Sopenharmony_ci /* optimize performance of ctr mode encryption transform */ 125362306a36Sopenharmony_ci static_call_update(aesni_ctr_enc_tfm, aesni_ctr_enc_avx_tfm); 125462306a36Sopenharmony_ci pr_info("AES CTR mode by8 optimization enabled\n"); 125562306a36Sopenharmony_ci } 125662306a36Sopenharmony_ci#endif /* CONFIG_X86_64 */ 125762306a36Sopenharmony_ci 125862306a36Sopenharmony_ci err = crypto_register_alg(&aesni_cipher_alg); 125962306a36Sopenharmony_ci if (err) 126062306a36Sopenharmony_ci return err; 126162306a36Sopenharmony_ci 126262306a36Sopenharmony_ci err = simd_register_skciphers_compat(aesni_skciphers, 126362306a36Sopenharmony_ci ARRAY_SIZE(aesni_skciphers), 126462306a36Sopenharmony_ci aesni_simd_skciphers); 126562306a36Sopenharmony_ci if (err) 126662306a36Sopenharmony_ci goto unregister_cipher; 126762306a36Sopenharmony_ci 126862306a36Sopenharmony_ci err = simd_register_aeads_compat(aesni_aeads, ARRAY_SIZE(aesni_aeads), 126962306a36Sopenharmony_ci aesni_simd_aeads); 127062306a36Sopenharmony_ci if (err) 127162306a36Sopenharmony_ci goto unregister_skciphers; 127262306a36Sopenharmony_ci 127362306a36Sopenharmony_ci#ifdef CONFIG_X86_64 127462306a36Sopenharmony_ci if (boot_cpu_has(X86_FEATURE_AVX)) 127562306a36Sopenharmony_ci err = simd_register_skciphers_compat(&aesni_xctr, 1, 127662306a36Sopenharmony_ci &aesni_simd_xctr); 127762306a36Sopenharmony_ci if (err) 127862306a36Sopenharmony_ci goto unregister_aeads; 127962306a36Sopenharmony_ci#endif /* CONFIG_X86_64 */ 128062306a36Sopenharmony_ci 128162306a36Sopenharmony_ci return 0; 128262306a36Sopenharmony_ci 128362306a36Sopenharmony_ci#ifdef CONFIG_X86_64 128462306a36Sopenharmony_ciunregister_aeads: 128562306a36Sopenharmony_ci simd_unregister_aeads(aesni_aeads, ARRAY_SIZE(aesni_aeads), 128662306a36Sopenharmony_ci aesni_simd_aeads); 128762306a36Sopenharmony_ci#endif /* CONFIG_X86_64 */ 128862306a36Sopenharmony_ci 128962306a36Sopenharmony_ciunregister_skciphers: 129062306a36Sopenharmony_ci simd_unregister_skciphers(aesni_skciphers, ARRAY_SIZE(aesni_skciphers), 129162306a36Sopenharmony_ci aesni_simd_skciphers); 129262306a36Sopenharmony_ciunregister_cipher: 129362306a36Sopenharmony_ci crypto_unregister_alg(&aesni_cipher_alg); 129462306a36Sopenharmony_ci return err; 129562306a36Sopenharmony_ci} 129662306a36Sopenharmony_ci 129762306a36Sopenharmony_cistatic void __exit aesni_exit(void) 129862306a36Sopenharmony_ci{ 129962306a36Sopenharmony_ci simd_unregister_aeads(aesni_aeads, ARRAY_SIZE(aesni_aeads), 130062306a36Sopenharmony_ci aesni_simd_aeads); 130162306a36Sopenharmony_ci simd_unregister_skciphers(aesni_skciphers, ARRAY_SIZE(aesni_skciphers), 130262306a36Sopenharmony_ci aesni_simd_skciphers); 130362306a36Sopenharmony_ci crypto_unregister_alg(&aesni_cipher_alg); 130462306a36Sopenharmony_ci#ifdef CONFIG_X86_64 130562306a36Sopenharmony_ci if (boot_cpu_has(X86_FEATURE_AVX)) 130662306a36Sopenharmony_ci simd_unregister_skciphers(&aesni_xctr, 1, &aesni_simd_xctr); 130762306a36Sopenharmony_ci#endif /* CONFIG_X86_64 */ 130862306a36Sopenharmony_ci} 130962306a36Sopenharmony_ci 131062306a36Sopenharmony_cilate_initcall(aesni_init); 131162306a36Sopenharmony_cimodule_exit(aesni_exit); 131262306a36Sopenharmony_ci 131362306a36Sopenharmony_ciMODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm, Intel AES-NI instructions optimized"); 131462306a36Sopenharmony_ciMODULE_LICENSE("GPL"); 131562306a36Sopenharmony_ciMODULE_ALIAS_CRYPTO("aes"); 1316