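// SPDX-License-Identifier: GPL-2.0-only
/*
 * AMD Cryptographic Coprocessor (CCP) AES XTS crypto API support
 *
 * Copyright (C) 2013,2017 Advanced Micro Devices, Inc.
 *
 * Author: Gary R Hook <gary.hook@amd.com>
 * Author: Tom Lendacky <thomas.lendacky@amd.com>
 */

#include <linux/module.h>
#include <linux/sched.h>
#include <linux/delay.h>
#include <linux/scatterlist.h>
#include <crypto/aes.h>
#include <crypto/xts.h>
#include <crypto/internal/skcipher.h>
#include <crypto/scatterwalk.h>

#include "ccp-crypto.h"

/* Algorithm name / driver name pair registered with the crypto API. */
struct ccp_aes_xts_def {
	const char *name;
	const char *drv_name;
};

static const struct ccp_aes_xts_def aes_xts_algs[] = {
	{
		.name		= "xts(aes)",
		.drv_name	= "xts-aes-ccp",
	},
};

/* Maps a request length in bytes to the CCP XTS unit-size selector. */
struct ccp_unit_size_map {
	unsigned int size;
	u32 value;
};

/* Only requests whose length equals one of these sizes go to the CCP;
 * ccp_aes_xts_crypt() hands every other length to the fallback. The table
 * is only read, so it is const.
 */
static const struct ccp_unit_size_map xts_unit_sizes[] = {
	{
		.size	= 16,
		.value	= CCP_XTS_AES_UNIT_SIZE_16,
	},
	{
		.size	= 512,
		.value	= CCP_XTS_AES_UNIT_SIZE_512,
	},
	{
		.size	= 1024,
		.value	= CCP_XTS_AES_UNIT_SIZE_1024,
	},
	{
		.size	= 2048,
		.value	= CCP_XTS_AES_UNIT_SIZE_2048,
	},
	{
		.size	= 4096,
		.value	= CCP_XTS_AES_UNIT_SIZE_4096,
	},
};

/* Completion hook installed in ctx->complete by ccp_aes_xts_init_tfm().
 *
 * A non-zero @ret is returned unchanged and req->iv is left untouched.
 * On success, AES_BLOCK_SIZE bytes of the IV kept in the request context
 * are copied back into req->iv and 0 is returned.
 */
static int ccp_aes_xts_complete(struct crypto_async_request *async_req, int ret)
{
	struct skcipher_request *req = skcipher_request_cast(async_req);
	struct ccp_aes_req_ctx *rctx = skcipher_request_ctx_dma(req);

	if (ret)
		return ret;

	memcpy(req->iv, rctx->iv, AES_BLOCK_SIZE);

	return 0;
}

/* Set the XTS key on both the CCP context and the fallback transform.
 *
 * @key holds the two XTS half-keys back to back, so @key_len is twice the
 * AES key size and ctx->u.aes.key_len stores the per-half length.
 *
 * Returns the error from xts_verify_key() if the key is rejected,
 * otherwise the result of setting the same key on the fallback.
 */
static int ccp_aes_xts_setkey(struct crypto_skcipher *tfm, const u8 *key,
			      unsigned int key_len)
{
	struct ccp_ctx *ctx = crypto_skcipher_ctx_dma(tfm);
	unsigned int ccpversion = ccp_version();
	int ret;

	ret = xts_verify_key(tfm, key, key_len);
	if (ret)
		return ret;

	/* Version 3 devices support 128-bit keys; version 5 devices can
	 * accommodate 128- and 256-bit keys.
	 *
	 * The copy only happens for the two lengths named by the case
	 * labels, so the memcpy() length is never an arbitrary caller value.
	 * NOTE(review): ctx->u.aes.key is declared in ccp-crypto.h (not
	 * visible here); confirm it holds at least AES_KEYSIZE_256 * 2 bytes.
	 */
	switch (key_len) {
	case AES_KEYSIZE_128 * 2:
		memcpy(ctx->u.aes.key, key, key_len);
		break;
	case AES_KEYSIZE_256 * 2:
		if (ccpversion > CCP_VERSION(3, 0))
			memcpy(ctx->u.aes.key, key, key_len);
		break;
	default:
		/* Nothing is copied: ctx->u.aes.key keeps its previous
		 * contents. ccp_aes_xts_crypt() sends such key sizes to the
		 * fallback, so this file never hands those bytes to the CCP.
		 */
		break;
	}
	ctx->u.aes.key_len = key_len / 2;
	sg_init_one(&ctx->u.aes.key_sg, ctx->u.aes.key, key_len);

	return crypto_skcipher_setkey(ctx->u.aes.tfm_skcipher, key, key_len);
}

/* Encrypt (@encrypt != 0) or decrypt (@encrypt == 0) one request.
 *
 * Returns -EINVAL when no key has been set or the request has no IV.
 * Requests the CCP cannot take (see below) are passed to the fallback
 * skcipher and its return value is propagated; everything else is queued
 * with ccp_crypto_enqueue_request() and that call's result is returned.
 */
static int ccp_aes_xts_crypt(struct skcipher_request *req,
			     unsigned int encrypt)
{
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
	struct ccp_ctx *ctx = crypto_skcipher_ctx_dma(tfm);
	struct ccp_aes_req_ctx *rctx = skcipher_request_ctx_dma(req);
	unsigned int ccpversion = ccp_version();
	unsigned int fallback = 0;
	unsigned int unit;
	u32 unit_size;
	int ret;

	/* key_len is zeroed in init_tfm and only set by setkey. */
	if (!ctx->u.aes.key_len)
		return -EINVAL;

	if (!req->iv)
		return -EINVAL;

	/* Check conditions under which the CCP can fulfill a request. The
	 * device can handle input plaintext of a length that is a multiple
	 * of the unit_size, but the crypto implementation only supports
	 * the unit_size being equal to the input length. This limits the
	 * number of scenarios we can handle.
	 */
	unit_size = CCP_XTS_AES_UNIT_SIZE__LAST;
	for (unit = 0; unit < ARRAY_SIZE(xts_unit_sizes); unit++) {
		if (req->cryptlen == xts_unit_sizes[unit].size) {
			/* Take the selector from the table instead of
			 * relying on the table index happening to equal the
			 * selector value.
			 */
			unit_size = xts_unit_sizes[unit].value;
			break;
		}
	}
	/* The CCP has restrictions on block sizes. Also, a version 3 device
	 * only supports AES-128 operations; version 5 CCPs support both
	 * AES-128 and -256 operations.
	 */
	if (unit_size == CCP_XTS_AES_UNIT_SIZE__LAST)
		fallback = 1;
	if ((ccpversion < CCP_VERSION(5, 0)) &&
	    (ctx->u.aes.key_len != AES_KEYSIZE_128))
		fallback = 1;
	if ((ctx->u.aes.key_len != AES_KEYSIZE_128) &&
	    (ctx->u.aes.key_len != AES_KEYSIZE_256))
		fallback = 1;
	if (fallback) {
		/* Use the fallback to process the request for any
		 * unsupported unit sizes or key sizes. The caller's flags,
		 * completion callback and data are forwarded, and the
		 * fallback works on the caller's src/dst/iv directly.
		 */
		skcipher_request_set_tfm(&rctx->fallback_req,
					 ctx->u.aes.tfm_skcipher);
		skcipher_request_set_callback(&rctx->fallback_req,
					      req->base.flags,
					      req->base.complete,
					      req->base.data);
		skcipher_request_set_crypt(&rctx->fallback_req, req->src,
					   req->dst, req->cryptlen, req->iv);
		ret = encrypt ? crypto_skcipher_encrypt(&rctx->fallback_req) :
				crypto_skcipher_decrypt(&rctx->fallback_req);
		return ret;
	}

	/* The command refers to a private copy of the IV in the request
	 * context rather than to the caller's buffer.
	 */
	memcpy(rctx->iv, req->iv, AES_BLOCK_SIZE);
	sg_init_one(&rctx->iv_sg, rctx->iv, AES_BLOCK_SIZE);

	memset(&rctx->cmd, 0, sizeof(rctx->cmd));
	INIT_LIST_HEAD(&rctx->cmd.entry);
	/* NOTE(review): engine and type use the _128 constants although
	 * key_len may be AES_KEYSIZE_256 on this path; presumably the CCP
	 * core derives the AES type from key_len - confirm in the ops code.
	 */
	rctx->cmd.engine = CCP_ENGINE_XTS_AES_128;
	rctx->cmd.u.xts.type = CCP_AES_TYPE_128;
	rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT
					   : CCP_AES_ACTION_DECRYPT;
	rctx->cmd.u.xts.unit_size = unit_size;
	rctx->cmd.u.xts.key = &ctx->u.aes.key_sg;
	rctx->cmd.u.xts.key_len = ctx->u.aes.key_len;
	rctx->cmd.u.xts.iv = &rctx->iv_sg;
	rctx->cmd.u.xts.iv_len = AES_BLOCK_SIZE;
	rctx->cmd.u.xts.src = req->src;
	rctx->cmd.u.xts.src_len = req->cryptlen;
	rctx->cmd.u.xts.dst = req->dst;

	ret = ccp_crypto_enqueue_request(&req->base, &rctx->cmd);

	return ret;
}

/* skcipher .encrypt entry point. */
static int ccp_aes_xts_encrypt(struct skcipher_request *req)
{
	return ccp_aes_xts_crypt(req, 1);
}

/* skcipher .decrypt entry point. */
static int ccp_aes_xts_decrypt(struct skcipher_request *req)
{
	return ccp_aes_xts_crypt(req, 0);
}

/* Per-transform setup: install the completion hook, mark the context as
 * keyless and allocate the "xts(aes)" fallback.
 *
 * Returns 0 on success or the error encoded in the pointer returned by
 * crypto_alloc_skcipher().
 */
static int ccp_aes_xts_init_tfm(struct crypto_skcipher *tfm)
{
	struct ccp_ctx *ctx = crypto_skcipher_ctx_dma(tfm);
	struct crypto_skcipher *fallback_tfm;

	ctx->complete = ccp_aes_xts_complete;
	/* A zero key_len makes ccp_aes_xts_crypt() fail with -EINVAL until
	 * setkey has run.
	 */
	ctx->u.aes.key_len = 0;

	/* Type 0 with CRYPTO_ALG_NEED_FALLBACK in the mask selects an
	 * implementation that does not itself need a fallback.
	 */
	fallback_tfm = crypto_alloc_skcipher("xts(aes)", 0,
					     CRYPTO_ALG_NEED_FALLBACK);
	if (IS_ERR(fallback_tfm)) {
		pr_warn("could not load fallback driver xts(aes)\n");
		return PTR_ERR(fallback_tfm);
	}
	ctx->u.aes.tfm_skcipher = fallback_tfm;

	/* The request context embeds fallback_req, so reserve room for the
	 * fallback's own request context as well.
	 */
	crypto_skcipher_set_reqsize_dma(tfm,
					sizeof(struct ccp_aes_req_ctx) +
					crypto_skcipher_reqsize(fallback_tfm));

	return 0;
}

/* Per-transform teardown: release the fallback allocated in init_tfm. */
static void ccp_aes_xts_exit_tfm(struct crypto_skcipher *tfm)
{
	struct ccp_ctx *ctx = crypto_skcipher_ctx_dma(tfm);

	crypto_free_skcipher(ctx->u.aes.tfm_skcipher);
}

/* Allocate, fill in and register one XTS skcipher described by @def, then
 * link it onto @head.
 *
 * Returns 0 on success, -ENOMEM if the allocation fails, or the error
 * from crypto_register_skcipher() (the allocation is freed in that case).
 */
static int ccp_register_aes_xts_alg(struct list_head *head,
				    const struct ccp_aes_xts_def *def)
{
	struct ccp_crypto_skcipher_alg *ccp_alg;
	struct skcipher_alg *alg;
	int ret;

	ccp_alg = kzalloc(sizeof(*ccp_alg), GFP_KERNEL);
	if (!ccp_alg)
		return -ENOMEM;

	INIT_LIST_HEAD(&ccp_alg->entry);

	alg = &ccp_alg->alg;

	/* snprintf() bounds both names to CRYPTO_MAX_ALG_NAME. */
	snprintf(alg->base.cra_name, CRYPTO_MAX_ALG_NAME, "%s", def->name);
	snprintf(alg->base.cra_driver_name, CRYPTO_MAX_ALG_NAME, "%s",
		 def->drv_name);
	alg->base.cra_flags	= CRYPTO_ALG_ASYNC |
				  CRYPTO_ALG_ALLOCATES_MEMORY |
				  CRYPTO_ALG_KERN_DRIVER_ONLY |
				  CRYPTO_ALG_NEED_FALLBACK;
	alg->base.cra_blocksize	= AES_BLOCK_SIZE;
	alg->base.cra_ctxsize	= sizeof(struct ccp_ctx) +
				  crypto_dma_padding();
	alg->base.cra_priority	= CCP_CRA_PRIORITY;
	alg->base.cra_module	= THIS_MODULE;

	alg->setkey		= ccp_aes_xts_setkey;
	alg->encrypt		= ccp_aes_xts_encrypt;
	alg->decrypt		= ccp_aes_xts_decrypt;
	/* XTS keys are two AES keys concatenated, hence the factor 2. */
	alg->min_keysize	= AES_MIN_KEY_SIZE * 2;
	alg->max_keysize	= AES_MAX_KEY_SIZE * 2;
	alg->ivsize		= AES_BLOCK_SIZE;
	alg->init		= ccp_aes_xts_init_tfm;
	alg->exit		= ccp_aes_xts_exit_tfm;

	ret = crypto_register_skcipher(alg);
	if (ret) {
		pr_err("%s skcipher algorithm registration error (%d)\n",
		       alg->base.cra_name, ret);
		kfree(ccp_alg);
		return ret;
	}

	list_add(&ccp_alg->entry, head);

	return 0;
}

/* Register every entry of aes_xts_algs[] and link each onto @head.
 *
 * Stops at the first failure and returns its error code; entries already
 * added to @head are left there (cleanup is presumably done by the
 * caller - not visible in this file). Returns 0 when all succeed.
 */
int ccp_register_aes_xts_algs(struct list_head *head)
{
	unsigned int i;
	int ret;

	for (i = 0; i < ARRAY_SIZE(aes_xts_algs); i++) {
		ret = ccp_register_aes_xts_alg(head, &aes_xts_algs[i]);
		if (ret)
			return ret;
	}

	return 0;
}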