1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-or-later
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun * Support for Intel AES-NI instructions. This file contains glue
4*4882a593Smuzhiyun * code, the real AES implementation is in intel-aes_asm.S.
5*4882a593Smuzhiyun *
6*4882a593Smuzhiyun * Copyright (C) 2008, Intel Corp.
7*4882a593Smuzhiyun * Author: Huang Ying <ying.huang@intel.com>
8*4882a593Smuzhiyun *
9*4882a593Smuzhiyun * Added RFC4106 AES-GCM support for 128-bit keys under the AEAD
10*4882a593Smuzhiyun * interface for 64-bit kernels.
11*4882a593Smuzhiyun * Authors: Adrian Hoban <adrian.hoban@intel.com>
12*4882a593Smuzhiyun * Gabriele Paoloni <gabriele.paoloni@intel.com>
13*4882a593Smuzhiyun * Tadeusz Struk (tadeusz.struk@intel.com)
14*4882a593Smuzhiyun * Aidan O'Mahony (aidan.o.mahony@intel.com)
15*4882a593Smuzhiyun * Copyright (c) 2010, Intel Corporation.
16*4882a593Smuzhiyun */
17*4882a593Smuzhiyun
18*4882a593Smuzhiyun #include <linux/hardirq.h>
19*4882a593Smuzhiyun #include <linux/types.h>
20*4882a593Smuzhiyun #include <linux/module.h>
21*4882a593Smuzhiyun #include <linux/err.h>
22*4882a593Smuzhiyun #include <crypto/algapi.h>
23*4882a593Smuzhiyun #include <crypto/aes.h>
24*4882a593Smuzhiyun #include <crypto/ctr.h>
25*4882a593Smuzhiyun #include <crypto/b128ops.h>
26*4882a593Smuzhiyun #include <crypto/gcm.h>
27*4882a593Smuzhiyun #include <crypto/xts.h>
28*4882a593Smuzhiyun #include <asm/cpu_device_id.h>
29*4882a593Smuzhiyun #include <asm/simd.h>
30*4882a593Smuzhiyun #include <crypto/scatterwalk.h>
31*4882a593Smuzhiyun #include <crypto/internal/aead.h>
32*4882a593Smuzhiyun #include <crypto/internal/simd.h>
33*4882a593Smuzhiyun #include <crypto/internal/skcipher.h>
34*4882a593Smuzhiyun #include <linux/workqueue.h>
35*4882a593Smuzhiyun #include <linux/spinlock.h>
36*4882a593Smuzhiyun #ifdef CONFIG_X86_64
37*4882a593Smuzhiyun #include <asm/crypto/glue_helper.h>
38*4882a593Smuzhiyun #endif
39*4882a593Smuzhiyun
40*4882a593Smuzhiyun
41*4882a593Smuzhiyun #define AESNI_ALIGN 16
42*4882a593Smuzhiyun #define AESNI_ALIGN_ATTR __attribute__ ((__aligned__(AESNI_ALIGN)))
43*4882a593Smuzhiyun #define AES_BLOCK_MASK (~(AES_BLOCK_SIZE - 1))
44*4882a593Smuzhiyun #define RFC4106_HASH_SUBKEY_SIZE 16
45*4882a593Smuzhiyun #define AESNI_ALIGN_EXTRA ((AESNI_ALIGN - 1) & ~(CRYPTO_MINALIGN - 1))
46*4882a593Smuzhiyun #define CRYPTO_AES_CTX_SIZE (sizeof(struct crypto_aes_ctx) + AESNI_ALIGN_EXTRA)
47*4882a593Smuzhiyun #define XTS_AES_CTX_SIZE (sizeof(struct aesni_xts_ctx) + AESNI_ALIGN_EXTRA)
48*4882a593Smuzhiyun
49*4882a593Smuzhiyun /* This data is stored at the end of the crypto_tfm struct.
50*4882a593Smuzhiyun * It's a type of per "session" data storage location.
51*4882a593Smuzhiyun * This needs to be 16 byte aligned.
52*4882a593Smuzhiyun */
53*4882a593Smuzhiyun struct aesni_rfc4106_gcm_ctx {
54*4882a593Smuzhiyun u8 hash_subkey[16] AESNI_ALIGN_ATTR;
55*4882a593Smuzhiyun struct crypto_aes_ctx aes_key_expanded AESNI_ALIGN_ATTR;
56*4882a593Smuzhiyun u8 nonce[4];
57*4882a593Smuzhiyun };
58*4882a593Smuzhiyun
59*4882a593Smuzhiyun struct generic_gcmaes_ctx {
60*4882a593Smuzhiyun u8 hash_subkey[16] AESNI_ALIGN_ATTR;
61*4882a593Smuzhiyun struct crypto_aes_ctx aes_key_expanded AESNI_ALIGN_ATTR;
62*4882a593Smuzhiyun };
63*4882a593Smuzhiyun
64*4882a593Smuzhiyun struct aesni_xts_ctx {
65*4882a593Smuzhiyun u8 raw_tweak_ctx[sizeof(struct crypto_aes_ctx)] AESNI_ALIGN_ATTR;
66*4882a593Smuzhiyun u8 raw_crypt_ctx[sizeof(struct crypto_aes_ctx)] AESNI_ALIGN_ATTR;
67*4882a593Smuzhiyun };
68*4882a593Smuzhiyun
69*4882a593Smuzhiyun #define GCM_BLOCK_LEN 16
70*4882a593Smuzhiyun
71*4882a593Smuzhiyun struct gcm_context_data {
72*4882a593Smuzhiyun /* init, update and finalize context data */
73*4882a593Smuzhiyun u8 aad_hash[GCM_BLOCK_LEN];
74*4882a593Smuzhiyun u64 aad_length;
75*4882a593Smuzhiyun u64 in_length;
76*4882a593Smuzhiyun u8 partial_block_enc_key[GCM_BLOCK_LEN];
77*4882a593Smuzhiyun u8 orig_IV[GCM_BLOCK_LEN];
78*4882a593Smuzhiyun u8 current_counter[GCM_BLOCK_LEN];
79*4882a593Smuzhiyun u64 partial_block_len;
80*4882a593Smuzhiyun u64 unused;
81*4882a593Smuzhiyun u8 hash_keys[GCM_BLOCK_LEN * 16];
82*4882a593Smuzhiyun };
83*4882a593Smuzhiyun
84*4882a593Smuzhiyun asmlinkage int aesni_set_key(struct crypto_aes_ctx *ctx, const u8 *in_key,
85*4882a593Smuzhiyun unsigned int key_len);
86*4882a593Smuzhiyun asmlinkage void aesni_enc(const void *ctx, u8 *out, const u8 *in);
87*4882a593Smuzhiyun asmlinkage void aesni_dec(const void *ctx, u8 *out, const u8 *in);
88*4882a593Smuzhiyun asmlinkage void aesni_ecb_enc(struct crypto_aes_ctx *ctx, u8 *out,
89*4882a593Smuzhiyun const u8 *in, unsigned int len);
90*4882a593Smuzhiyun asmlinkage void aesni_ecb_dec(struct crypto_aes_ctx *ctx, u8 *out,
91*4882a593Smuzhiyun const u8 *in, unsigned int len);
92*4882a593Smuzhiyun asmlinkage void aesni_cbc_enc(struct crypto_aes_ctx *ctx, u8 *out,
93*4882a593Smuzhiyun const u8 *in, unsigned int len, u8 *iv);
94*4882a593Smuzhiyun asmlinkage void aesni_cbc_dec(struct crypto_aes_ctx *ctx, u8 *out,
95*4882a593Smuzhiyun const u8 *in, unsigned int len, u8 *iv);
96*4882a593Smuzhiyun
97*4882a593Smuzhiyun #define AVX_GEN2_OPTSIZE 640
98*4882a593Smuzhiyun #define AVX_GEN4_OPTSIZE 4096
99*4882a593Smuzhiyun
100*4882a593Smuzhiyun asmlinkage void aesni_xts_encrypt(const struct crypto_aes_ctx *ctx, u8 *out,
101*4882a593Smuzhiyun const u8 *in, unsigned int len, u8 *iv);
102*4882a593Smuzhiyun
103*4882a593Smuzhiyun asmlinkage void aesni_xts_decrypt(const struct crypto_aes_ctx *ctx, u8 *out,
104*4882a593Smuzhiyun const u8 *in, unsigned int len, u8 *iv);
105*4882a593Smuzhiyun
106*4882a593Smuzhiyun #ifdef CONFIG_X86_64
107*4882a593Smuzhiyun
108*4882a593Smuzhiyun static void (*aesni_ctr_enc_tfm)(struct crypto_aes_ctx *ctx, u8 *out,
109*4882a593Smuzhiyun const u8 *in, unsigned int len, u8 *iv);
110*4882a593Smuzhiyun asmlinkage void aesni_ctr_enc(struct crypto_aes_ctx *ctx, u8 *out,
111*4882a593Smuzhiyun const u8 *in, unsigned int len, u8 *iv);
112*4882a593Smuzhiyun
113*4882a593Smuzhiyun /* asmlinkage void aesni_gcm_enc()
114*4882a593Smuzhiyun * void *ctx, AES Key schedule. Starts on a 16 byte boundary.
115*4882a593Smuzhiyun * struct gcm_context_data. May be uninitialized.
116*4882a593Smuzhiyun * u8 *out, Ciphertext output. Encrypt in-place is allowed.
117*4882a593Smuzhiyun * const u8 *in, Plaintext input
118*4882a593Smuzhiyun * unsigned long plaintext_len, Length of data in bytes for encryption.
119*4882a593Smuzhiyun * u8 *iv, Pre-counter block j0: 12 byte IV concatenated with 0x00000001.
120*4882a593Smuzhiyun * 16-byte aligned pointer.
121*4882a593Smuzhiyun * u8 *hash_subkey, the Hash sub key input. Data starts on a 16-byte boundary.
122*4882a593Smuzhiyun * const u8 *aad, Additional Authentication Data (AAD)
123*4882a593Smuzhiyun * unsigned long aad_len, Length of AAD in bytes.
124*4882a593Smuzhiyun * u8 *auth_tag, Authenticated Tag output.
125*4882a593Smuzhiyun * unsigned long auth_tag_len), Authenticated Tag Length in bytes.
126*4882a593Smuzhiyun * Valid values are 16 (most likely), 12 or 8.
127*4882a593Smuzhiyun */
128*4882a593Smuzhiyun asmlinkage void aesni_gcm_enc(void *ctx,
129*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
130*4882a593Smuzhiyun const u8 *in, unsigned long plaintext_len, u8 *iv,
131*4882a593Smuzhiyun u8 *hash_subkey, const u8 *aad, unsigned long aad_len,
132*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
133*4882a593Smuzhiyun
134*4882a593Smuzhiyun /* asmlinkage void aesni_gcm_dec()
135*4882a593Smuzhiyun * void *ctx, AES Key schedule. Starts on a 16 byte boundary.
136*4882a593Smuzhiyun * struct gcm_context_data. May be uninitialized.
137*4882a593Smuzhiyun * u8 *out, Plaintext output. Decrypt in-place is allowed.
138*4882a593Smuzhiyun * const u8 *in, Ciphertext input
139*4882a593Smuzhiyun * unsigned long ciphertext_len, Length of data in bytes for decryption.
140*4882a593Smuzhiyun * u8 *iv, Pre-counter block j0: 12 byte IV concatenated with 0x00000001.
141*4882a593Smuzhiyun * 16-byte aligned pointer.
142*4882a593Smuzhiyun * u8 *hash_subkey, the Hash sub key input. Data starts on a 16-byte boundary.
143*4882a593Smuzhiyun * const u8 *aad, Additional Authentication Data (AAD)
144*4882a593Smuzhiyun * unsigned long aad_len, Length of AAD in bytes. With RFC4106 this is going
145*4882a593Smuzhiyun * to be 8 or 12 bytes
146*4882a593Smuzhiyun * u8 *auth_tag, Authenticated Tag output.
147*4882a593Smuzhiyun * unsigned long auth_tag_len) Authenticated Tag Length in bytes.
148*4882a593Smuzhiyun * Valid values are 16 (most likely), 12 or 8.
149*4882a593Smuzhiyun */
150*4882a593Smuzhiyun asmlinkage void aesni_gcm_dec(void *ctx,
151*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
152*4882a593Smuzhiyun const u8 *in, unsigned long ciphertext_len, u8 *iv,
153*4882a593Smuzhiyun u8 *hash_subkey, const u8 *aad, unsigned long aad_len,
154*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
155*4882a593Smuzhiyun
156*4882a593Smuzhiyun /* Scatter / Gather routines, with args similar to above */
157*4882a593Smuzhiyun asmlinkage void aesni_gcm_init(void *ctx,
158*4882a593Smuzhiyun struct gcm_context_data *gdata,
159*4882a593Smuzhiyun u8 *iv,
160*4882a593Smuzhiyun u8 *hash_subkey, const u8 *aad,
161*4882a593Smuzhiyun unsigned long aad_len);
162*4882a593Smuzhiyun asmlinkage void aesni_gcm_enc_update(void *ctx,
163*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
164*4882a593Smuzhiyun const u8 *in, unsigned long plaintext_len);
165*4882a593Smuzhiyun asmlinkage void aesni_gcm_dec_update(void *ctx,
166*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
167*4882a593Smuzhiyun const u8 *in,
168*4882a593Smuzhiyun unsigned long ciphertext_len);
169*4882a593Smuzhiyun asmlinkage void aesni_gcm_finalize(void *ctx,
170*4882a593Smuzhiyun struct gcm_context_data *gdata,
171*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
172*4882a593Smuzhiyun
173*4882a593Smuzhiyun static const struct aesni_gcm_tfm_s {
174*4882a593Smuzhiyun void (*init)(void *ctx, struct gcm_context_data *gdata, u8 *iv,
175*4882a593Smuzhiyun u8 *hash_subkey, const u8 *aad, unsigned long aad_len);
176*4882a593Smuzhiyun void (*enc_update)(void *ctx, struct gcm_context_data *gdata, u8 *out,
177*4882a593Smuzhiyun const u8 *in, unsigned long plaintext_len);
178*4882a593Smuzhiyun void (*dec_update)(void *ctx, struct gcm_context_data *gdata, u8 *out,
179*4882a593Smuzhiyun const u8 *in, unsigned long ciphertext_len);
180*4882a593Smuzhiyun void (*finalize)(void *ctx, struct gcm_context_data *gdata,
181*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
182*4882a593Smuzhiyun } *aesni_gcm_tfm;
183*4882a593Smuzhiyun
184*4882a593Smuzhiyun static const struct aesni_gcm_tfm_s aesni_gcm_tfm_sse = {
185*4882a593Smuzhiyun .init = &aesni_gcm_init,
186*4882a593Smuzhiyun .enc_update = &aesni_gcm_enc_update,
187*4882a593Smuzhiyun .dec_update = &aesni_gcm_dec_update,
188*4882a593Smuzhiyun .finalize = &aesni_gcm_finalize,
189*4882a593Smuzhiyun };
190*4882a593Smuzhiyun
191*4882a593Smuzhiyun asmlinkage void aes_ctr_enc_128_avx_by8(const u8 *in, u8 *iv,
192*4882a593Smuzhiyun void *keys, u8 *out, unsigned int num_bytes);
193*4882a593Smuzhiyun asmlinkage void aes_ctr_enc_192_avx_by8(const u8 *in, u8 *iv,
194*4882a593Smuzhiyun void *keys, u8 *out, unsigned int num_bytes);
195*4882a593Smuzhiyun asmlinkage void aes_ctr_enc_256_avx_by8(const u8 *in, u8 *iv,
196*4882a593Smuzhiyun void *keys, u8 *out, unsigned int num_bytes);
197*4882a593Smuzhiyun /*
198*4882a593Smuzhiyun * asmlinkage void aesni_gcm_init_avx_gen2()
199*4882a593Smuzhiyun * gcm_data *my_ctx_data, context data
200*4882a593Smuzhiyun * u8 *hash_subkey, the Hash sub key input. Data starts on a 16-byte boundary.
201*4882a593Smuzhiyun */
202*4882a593Smuzhiyun asmlinkage void aesni_gcm_init_avx_gen2(void *my_ctx_data,
203*4882a593Smuzhiyun struct gcm_context_data *gdata,
204*4882a593Smuzhiyun u8 *iv,
205*4882a593Smuzhiyun u8 *hash_subkey,
206*4882a593Smuzhiyun const u8 *aad,
207*4882a593Smuzhiyun unsigned long aad_len);
208*4882a593Smuzhiyun
209*4882a593Smuzhiyun asmlinkage void aesni_gcm_enc_update_avx_gen2(void *ctx,
210*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
211*4882a593Smuzhiyun const u8 *in, unsigned long plaintext_len);
212*4882a593Smuzhiyun asmlinkage void aesni_gcm_dec_update_avx_gen2(void *ctx,
213*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
214*4882a593Smuzhiyun const u8 *in,
215*4882a593Smuzhiyun unsigned long ciphertext_len);
216*4882a593Smuzhiyun asmlinkage void aesni_gcm_finalize_avx_gen2(void *ctx,
217*4882a593Smuzhiyun struct gcm_context_data *gdata,
218*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
219*4882a593Smuzhiyun
220*4882a593Smuzhiyun asmlinkage void aesni_gcm_enc_avx_gen2(void *ctx,
221*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
222*4882a593Smuzhiyun const u8 *in, unsigned long plaintext_len, u8 *iv,
223*4882a593Smuzhiyun const u8 *aad, unsigned long aad_len,
224*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
225*4882a593Smuzhiyun
226*4882a593Smuzhiyun asmlinkage void aesni_gcm_dec_avx_gen2(void *ctx,
227*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
228*4882a593Smuzhiyun const u8 *in, unsigned long ciphertext_len, u8 *iv,
229*4882a593Smuzhiyun const u8 *aad, unsigned long aad_len,
230*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
231*4882a593Smuzhiyun
232*4882a593Smuzhiyun static const struct aesni_gcm_tfm_s aesni_gcm_tfm_avx_gen2 = {
233*4882a593Smuzhiyun .init = &aesni_gcm_init_avx_gen2,
234*4882a593Smuzhiyun .enc_update = &aesni_gcm_enc_update_avx_gen2,
235*4882a593Smuzhiyun .dec_update = &aesni_gcm_dec_update_avx_gen2,
236*4882a593Smuzhiyun .finalize = &aesni_gcm_finalize_avx_gen2,
237*4882a593Smuzhiyun };
238*4882a593Smuzhiyun
239*4882a593Smuzhiyun /*
240*4882a593Smuzhiyun * asmlinkage void aesni_gcm_init_avx_gen4()
241*4882a593Smuzhiyun * gcm_data *my_ctx_data, context data
242*4882a593Smuzhiyun * u8 *hash_subkey, the Hash sub key input. Data starts on a 16-byte boundary.
243*4882a593Smuzhiyun */
244*4882a593Smuzhiyun asmlinkage void aesni_gcm_init_avx_gen4(void *my_ctx_data,
245*4882a593Smuzhiyun struct gcm_context_data *gdata,
246*4882a593Smuzhiyun u8 *iv,
247*4882a593Smuzhiyun u8 *hash_subkey,
248*4882a593Smuzhiyun const u8 *aad,
249*4882a593Smuzhiyun unsigned long aad_len);
250*4882a593Smuzhiyun
251*4882a593Smuzhiyun asmlinkage void aesni_gcm_enc_update_avx_gen4(void *ctx,
252*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
253*4882a593Smuzhiyun const u8 *in, unsigned long plaintext_len);
254*4882a593Smuzhiyun asmlinkage void aesni_gcm_dec_update_avx_gen4(void *ctx,
255*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
256*4882a593Smuzhiyun const u8 *in,
257*4882a593Smuzhiyun unsigned long ciphertext_len);
258*4882a593Smuzhiyun asmlinkage void aesni_gcm_finalize_avx_gen4(void *ctx,
259*4882a593Smuzhiyun struct gcm_context_data *gdata,
260*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
261*4882a593Smuzhiyun
262*4882a593Smuzhiyun asmlinkage void aesni_gcm_enc_avx_gen4(void *ctx,
263*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
264*4882a593Smuzhiyun const u8 *in, unsigned long plaintext_len, u8 *iv,
265*4882a593Smuzhiyun const u8 *aad, unsigned long aad_len,
266*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
267*4882a593Smuzhiyun
268*4882a593Smuzhiyun asmlinkage void aesni_gcm_dec_avx_gen4(void *ctx,
269*4882a593Smuzhiyun struct gcm_context_data *gdata, u8 *out,
270*4882a593Smuzhiyun const u8 *in, unsigned long ciphertext_len, u8 *iv,
271*4882a593Smuzhiyun const u8 *aad, unsigned long aad_len,
272*4882a593Smuzhiyun u8 *auth_tag, unsigned long auth_tag_len);
273*4882a593Smuzhiyun
274*4882a593Smuzhiyun static const struct aesni_gcm_tfm_s aesni_gcm_tfm_avx_gen4 = {
275*4882a593Smuzhiyun .init = &aesni_gcm_init_avx_gen4,
276*4882a593Smuzhiyun .enc_update = &aesni_gcm_enc_update_avx_gen4,
277*4882a593Smuzhiyun .dec_update = &aesni_gcm_dec_update_avx_gen4,
278*4882a593Smuzhiyun .finalize = &aesni_gcm_finalize_avx_gen4,
279*4882a593Smuzhiyun };
280*4882a593Smuzhiyun
281*4882a593Smuzhiyun static inline struct
aesni_rfc4106_gcm_ctx_get(struct crypto_aead * tfm)282*4882a593Smuzhiyun aesni_rfc4106_gcm_ctx *aesni_rfc4106_gcm_ctx_get(struct crypto_aead *tfm)
283*4882a593Smuzhiyun {
284*4882a593Smuzhiyun unsigned long align = AESNI_ALIGN;
285*4882a593Smuzhiyun
286*4882a593Smuzhiyun if (align <= crypto_tfm_ctx_alignment())
287*4882a593Smuzhiyun align = 1;
288*4882a593Smuzhiyun return PTR_ALIGN(crypto_aead_ctx(tfm), align);
289*4882a593Smuzhiyun }
290*4882a593Smuzhiyun
291*4882a593Smuzhiyun static inline struct
generic_gcmaes_ctx_get(struct crypto_aead * tfm)292*4882a593Smuzhiyun generic_gcmaes_ctx *generic_gcmaes_ctx_get(struct crypto_aead *tfm)
293*4882a593Smuzhiyun {
294*4882a593Smuzhiyun unsigned long align = AESNI_ALIGN;
295*4882a593Smuzhiyun
296*4882a593Smuzhiyun if (align <= crypto_tfm_ctx_alignment())
297*4882a593Smuzhiyun align = 1;
298*4882a593Smuzhiyun return PTR_ALIGN(crypto_aead_ctx(tfm), align);
299*4882a593Smuzhiyun }
300*4882a593Smuzhiyun #endif
301*4882a593Smuzhiyun
aes_ctx(void * raw_ctx)302*4882a593Smuzhiyun static inline struct crypto_aes_ctx *aes_ctx(void *raw_ctx)
303*4882a593Smuzhiyun {
304*4882a593Smuzhiyun unsigned long addr = (unsigned long)raw_ctx;
305*4882a593Smuzhiyun unsigned long align = AESNI_ALIGN;
306*4882a593Smuzhiyun
307*4882a593Smuzhiyun if (align <= crypto_tfm_ctx_alignment())
308*4882a593Smuzhiyun align = 1;
309*4882a593Smuzhiyun return (struct crypto_aes_ctx *)ALIGN(addr, align);
310*4882a593Smuzhiyun }
311*4882a593Smuzhiyun
aes_set_key_common(struct crypto_tfm * tfm,void * raw_ctx,const u8 * in_key,unsigned int key_len)312*4882a593Smuzhiyun static int aes_set_key_common(struct crypto_tfm *tfm, void *raw_ctx,
313*4882a593Smuzhiyun const u8 *in_key, unsigned int key_len)
314*4882a593Smuzhiyun {
315*4882a593Smuzhiyun struct crypto_aes_ctx *ctx = aes_ctx(raw_ctx);
316*4882a593Smuzhiyun int err;
317*4882a593Smuzhiyun
318*4882a593Smuzhiyun if (key_len != AES_KEYSIZE_128 && key_len != AES_KEYSIZE_192 &&
319*4882a593Smuzhiyun key_len != AES_KEYSIZE_256)
320*4882a593Smuzhiyun return -EINVAL;
321*4882a593Smuzhiyun
322*4882a593Smuzhiyun if (!crypto_simd_usable())
323*4882a593Smuzhiyun err = aes_expandkey(ctx, in_key, key_len);
324*4882a593Smuzhiyun else {
325*4882a593Smuzhiyun kernel_fpu_begin();
326*4882a593Smuzhiyun err = aesni_set_key(ctx, in_key, key_len);
327*4882a593Smuzhiyun kernel_fpu_end();
328*4882a593Smuzhiyun }
329*4882a593Smuzhiyun
330*4882a593Smuzhiyun return err;
331*4882a593Smuzhiyun }
332*4882a593Smuzhiyun
aes_set_key(struct crypto_tfm * tfm,const u8 * in_key,unsigned int key_len)333*4882a593Smuzhiyun static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
334*4882a593Smuzhiyun unsigned int key_len)
335*4882a593Smuzhiyun {
336*4882a593Smuzhiyun return aes_set_key_common(tfm, crypto_tfm_ctx(tfm), in_key, key_len);
337*4882a593Smuzhiyun }
338*4882a593Smuzhiyun
aesni_encrypt(struct crypto_tfm * tfm,u8 * dst,const u8 * src)339*4882a593Smuzhiyun static void aesni_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
340*4882a593Smuzhiyun {
341*4882a593Smuzhiyun struct crypto_aes_ctx *ctx = aes_ctx(crypto_tfm_ctx(tfm));
342*4882a593Smuzhiyun
343*4882a593Smuzhiyun if (!crypto_simd_usable()) {
344*4882a593Smuzhiyun aes_encrypt(ctx, dst, src);
345*4882a593Smuzhiyun } else {
346*4882a593Smuzhiyun kernel_fpu_begin();
347*4882a593Smuzhiyun aesni_enc(ctx, dst, src);
348*4882a593Smuzhiyun kernel_fpu_end();
349*4882a593Smuzhiyun }
350*4882a593Smuzhiyun }
351*4882a593Smuzhiyun
aesni_decrypt(struct crypto_tfm * tfm,u8 * dst,const u8 * src)352*4882a593Smuzhiyun static void aesni_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
353*4882a593Smuzhiyun {
354*4882a593Smuzhiyun struct crypto_aes_ctx *ctx = aes_ctx(crypto_tfm_ctx(tfm));
355*4882a593Smuzhiyun
356*4882a593Smuzhiyun if (!crypto_simd_usable()) {
357*4882a593Smuzhiyun aes_decrypt(ctx, dst, src);
358*4882a593Smuzhiyun } else {
359*4882a593Smuzhiyun kernel_fpu_begin();
360*4882a593Smuzhiyun aesni_dec(ctx, dst, src);
361*4882a593Smuzhiyun kernel_fpu_end();
362*4882a593Smuzhiyun }
363*4882a593Smuzhiyun }
364*4882a593Smuzhiyun
aesni_skcipher_setkey(struct crypto_skcipher * tfm,const u8 * key,unsigned int len)365*4882a593Smuzhiyun static int aesni_skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key,
366*4882a593Smuzhiyun unsigned int len)
367*4882a593Smuzhiyun {
368*4882a593Smuzhiyun return aes_set_key_common(crypto_skcipher_tfm(tfm),
369*4882a593Smuzhiyun crypto_skcipher_ctx(tfm), key, len);
370*4882a593Smuzhiyun }
371*4882a593Smuzhiyun
ecb_encrypt(struct skcipher_request * req)372*4882a593Smuzhiyun static int ecb_encrypt(struct skcipher_request *req)
373*4882a593Smuzhiyun {
374*4882a593Smuzhiyun struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
375*4882a593Smuzhiyun struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm));
376*4882a593Smuzhiyun struct skcipher_walk walk;
377*4882a593Smuzhiyun unsigned int nbytes;
378*4882a593Smuzhiyun int err;
379*4882a593Smuzhiyun
380*4882a593Smuzhiyun err = skcipher_walk_virt(&walk, req, true);
381*4882a593Smuzhiyun
382*4882a593Smuzhiyun kernel_fpu_begin();
383*4882a593Smuzhiyun while ((nbytes = walk.nbytes)) {
384*4882a593Smuzhiyun aesni_ecb_enc(ctx, walk.dst.virt.addr, walk.src.virt.addr,
385*4882a593Smuzhiyun nbytes & AES_BLOCK_MASK);
386*4882a593Smuzhiyun nbytes &= AES_BLOCK_SIZE - 1;
387*4882a593Smuzhiyun err = skcipher_walk_done(&walk, nbytes);
388*4882a593Smuzhiyun }
389*4882a593Smuzhiyun kernel_fpu_end();
390*4882a593Smuzhiyun
391*4882a593Smuzhiyun return err;
392*4882a593Smuzhiyun }
393*4882a593Smuzhiyun
ecb_decrypt(struct skcipher_request * req)394*4882a593Smuzhiyun static int ecb_decrypt(struct skcipher_request *req)
395*4882a593Smuzhiyun {
396*4882a593Smuzhiyun struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
397*4882a593Smuzhiyun struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm));
398*4882a593Smuzhiyun struct skcipher_walk walk;
399*4882a593Smuzhiyun unsigned int nbytes;
400*4882a593Smuzhiyun int err;
401*4882a593Smuzhiyun
402*4882a593Smuzhiyun err = skcipher_walk_virt(&walk, req, true);
403*4882a593Smuzhiyun
404*4882a593Smuzhiyun kernel_fpu_begin();
405*4882a593Smuzhiyun while ((nbytes = walk.nbytes)) {
406*4882a593Smuzhiyun aesni_ecb_dec(ctx, walk.dst.virt.addr, walk.src.virt.addr,
407*4882a593Smuzhiyun nbytes & AES_BLOCK_MASK);
408*4882a593Smuzhiyun nbytes &= AES_BLOCK_SIZE - 1;
409*4882a593Smuzhiyun err = skcipher_walk_done(&walk, nbytes);
410*4882a593Smuzhiyun }
411*4882a593Smuzhiyun kernel_fpu_end();
412*4882a593Smuzhiyun
413*4882a593Smuzhiyun return err;
414*4882a593Smuzhiyun }
415*4882a593Smuzhiyun
cbc_encrypt(struct skcipher_request * req)416*4882a593Smuzhiyun static int cbc_encrypt(struct skcipher_request *req)
417*4882a593Smuzhiyun {
418*4882a593Smuzhiyun struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
419*4882a593Smuzhiyun struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm));
420*4882a593Smuzhiyun struct skcipher_walk walk;
421*4882a593Smuzhiyun unsigned int nbytes;
422*4882a593Smuzhiyun int err;
423*4882a593Smuzhiyun
424*4882a593Smuzhiyun err = skcipher_walk_virt(&walk, req, true);
425*4882a593Smuzhiyun
426*4882a593Smuzhiyun kernel_fpu_begin();
427*4882a593Smuzhiyun while ((nbytes = walk.nbytes)) {
428*4882a593Smuzhiyun aesni_cbc_enc(ctx, walk.dst.virt.addr, walk.src.virt.addr,
429*4882a593Smuzhiyun nbytes & AES_BLOCK_MASK, walk.iv);
430*4882a593Smuzhiyun nbytes &= AES_BLOCK_SIZE - 1;
431*4882a593Smuzhiyun err = skcipher_walk_done(&walk, nbytes);
432*4882a593Smuzhiyun }
433*4882a593Smuzhiyun kernel_fpu_end();
434*4882a593Smuzhiyun
435*4882a593Smuzhiyun return err;
436*4882a593Smuzhiyun }
437*4882a593Smuzhiyun
cbc_decrypt(struct skcipher_request * req)438*4882a593Smuzhiyun static int cbc_decrypt(struct skcipher_request *req)
439*4882a593Smuzhiyun {
440*4882a593Smuzhiyun struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
441*4882a593Smuzhiyun struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm));
442*4882a593Smuzhiyun struct skcipher_walk walk;
443*4882a593Smuzhiyun unsigned int nbytes;
444*4882a593Smuzhiyun int err;
445*4882a593Smuzhiyun
446*4882a593Smuzhiyun err = skcipher_walk_virt(&walk, req, true);
447*4882a593Smuzhiyun
448*4882a593Smuzhiyun kernel_fpu_begin();
449*4882a593Smuzhiyun while ((nbytes = walk.nbytes)) {
450*4882a593Smuzhiyun aesni_cbc_dec(ctx, walk.dst.virt.addr, walk.src.virt.addr,
451*4882a593Smuzhiyun nbytes & AES_BLOCK_MASK, walk.iv);
452*4882a593Smuzhiyun nbytes &= AES_BLOCK_SIZE - 1;
453*4882a593Smuzhiyun err = skcipher_walk_done(&walk, nbytes);
454*4882a593Smuzhiyun }
455*4882a593Smuzhiyun kernel_fpu_end();
456*4882a593Smuzhiyun
457*4882a593Smuzhiyun return err;
458*4882a593Smuzhiyun }
459*4882a593Smuzhiyun
460*4882a593Smuzhiyun #ifdef CONFIG_X86_64
ctr_crypt_final(struct crypto_aes_ctx * ctx,struct skcipher_walk * walk)461*4882a593Smuzhiyun static void ctr_crypt_final(struct crypto_aes_ctx *ctx,
462*4882a593Smuzhiyun struct skcipher_walk *walk)
463*4882a593Smuzhiyun {
464*4882a593Smuzhiyun u8 *ctrblk = walk->iv;
465*4882a593Smuzhiyun u8 keystream[AES_BLOCK_SIZE];
466*4882a593Smuzhiyun u8 *src = walk->src.virt.addr;
467*4882a593Smuzhiyun u8 *dst = walk->dst.virt.addr;
468*4882a593Smuzhiyun unsigned int nbytes = walk->nbytes;
469*4882a593Smuzhiyun
470*4882a593Smuzhiyun aesni_enc(ctx, keystream, ctrblk);
471*4882a593Smuzhiyun crypto_xor_cpy(dst, keystream, src, nbytes);
472*4882a593Smuzhiyun
473*4882a593Smuzhiyun crypto_inc(ctrblk, AES_BLOCK_SIZE);
474*4882a593Smuzhiyun }
475*4882a593Smuzhiyun
aesni_ctr_enc_avx_tfm(struct crypto_aes_ctx * ctx,u8 * out,const u8 * in,unsigned int len,u8 * iv)476*4882a593Smuzhiyun static void aesni_ctr_enc_avx_tfm(struct crypto_aes_ctx *ctx, u8 *out,
477*4882a593Smuzhiyun const u8 *in, unsigned int len, u8 *iv)
478*4882a593Smuzhiyun {
479*4882a593Smuzhiyun /*
480*4882a593Smuzhiyun * based on key length, override with the by8 version
481*4882a593Smuzhiyun * of ctr mode encryption/decryption for improved performance
482*4882a593Smuzhiyun * aes_set_key_common() ensures that key length is one of
483*4882a593Smuzhiyun * {128,192,256}
484*4882a593Smuzhiyun */
485*4882a593Smuzhiyun if (ctx->key_length == AES_KEYSIZE_128)
486*4882a593Smuzhiyun aes_ctr_enc_128_avx_by8(in, iv, (void *)ctx, out, len);
487*4882a593Smuzhiyun else if (ctx->key_length == AES_KEYSIZE_192)
488*4882a593Smuzhiyun aes_ctr_enc_192_avx_by8(in, iv, (void *)ctx, out, len);
489*4882a593Smuzhiyun else
490*4882a593Smuzhiyun aes_ctr_enc_256_avx_by8(in, iv, (void *)ctx, out, len);
491*4882a593Smuzhiyun }
492*4882a593Smuzhiyun
ctr_crypt(struct skcipher_request * req)493*4882a593Smuzhiyun static int ctr_crypt(struct skcipher_request *req)
494*4882a593Smuzhiyun {
495*4882a593Smuzhiyun struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
496*4882a593Smuzhiyun struct crypto_aes_ctx *ctx = aes_ctx(crypto_skcipher_ctx(tfm));
497*4882a593Smuzhiyun struct skcipher_walk walk;
498*4882a593Smuzhiyun unsigned int nbytes;
499*4882a593Smuzhiyun int err;
500*4882a593Smuzhiyun
501*4882a593Smuzhiyun err = skcipher_walk_virt(&walk, req, true);
502*4882a593Smuzhiyun
503*4882a593Smuzhiyun kernel_fpu_begin();
504*4882a593Smuzhiyun while ((nbytes = walk.nbytes) >= AES_BLOCK_SIZE) {
505*4882a593Smuzhiyun aesni_ctr_enc_tfm(ctx, walk.dst.virt.addr, walk.src.virt.addr,
506*4882a593Smuzhiyun nbytes & AES_BLOCK_MASK, walk.iv);
507*4882a593Smuzhiyun nbytes &= AES_BLOCK_SIZE - 1;
508*4882a593Smuzhiyun err = skcipher_walk_done(&walk, nbytes);
509*4882a593Smuzhiyun }
510*4882a593Smuzhiyun if (walk.nbytes) {
511*4882a593Smuzhiyun ctr_crypt_final(ctx, &walk);
512*4882a593Smuzhiyun err = skcipher_walk_done(&walk, 0);
513*4882a593Smuzhiyun }
514*4882a593Smuzhiyun kernel_fpu_end();
515*4882a593Smuzhiyun
516*4882a593Smuzhiyun return err;
517*4882a593Smuzhiyun }
518*4882a593Smuzhiyun
xts_aesni_setkey(struct crypto_skcipher * tfm,const u8 * key,unsigned int keylen)519*4882a593Smuzhiyun static int xts_aesni_setkey(struct crypto_skcipher *tfm, const u8 *key,
520*4882a593Smuzhiyun unsigned int keylen)
521*4882a593Smuzhiyun {
522*4882a593Smuzhiyun struct aesni_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
523*4882a593Smuzhiyun int err;
524*4882a593Smuzhiyun
525*4882a593Smuzhiyun err = xts_verify_key(tfm, key, keylen);
526*4882a593Smuzhiyun if (err)
527*4882a593Smuzhiyun return err;
528*4882a593Smuzhiyun
529*4882a593Smuzhiyun keylen /= 2;
530*4882a593Smuzhiyun
531*4882a593Smuzhiyun /* first half of xts-key is for crypt */
532*4882a593Smuzhiyun err = aes_set_key_common(crypto_skcipher_tfm(tfm), ctx->raw_crypt_ctx,
533*4882a593Smuzhiyun key, keylen);
534*4882a593Smuzhiyun if (err)
535*4882a593Smuzhiyun return err;
536*4882a593Smuzhiyun
537*4882a593Smuzhiyun /* second half of xts-key is for tweak */
538*4882a593Smuzhiyun return aes_set_key_common(crypto_skcipher_tfm(tfm), ctx->raw_tweak_ctx,
539*4882a593Smuzhiyun key + keylen, keylen);
540*4882a593Smuzhiyun }
541*4882a593Smuzhiyun
542*4882a593Smuzhiyun
aesni_xts_enc(const void * ctx,u8 * dst,const u8 * src,le128 * iv)543*4882a593Smuzhiyun static void aesni_xts_enc(const void *ctx, u8 *dst, const u8 *src, le128 *iv)
544*4882a593Smuzhiyun {
545*4882a593Smuzhiyun glue_xts_crypt_128bit_one(ctx, dst, src, iv, aesni_enc);
546*4882a593Smuzhiyun }
547*4882a593Smuzhiyun
aesni_xts_dec(const void * ctx,u8 * dst,const u8 * src,le128 * iv)548*4882a593Smuzhiyun static void aesni_xts_dec(const void *ctx, u8 *dst, const u8 *src, le128 *iv)
549*4882a593Smuzhiyun {
550*4882a593Smuzhiyun glue_xts_crypt_128bit_one(ctx, dst, src, iv, aesni_dec);
551*4882a593Smuzhiyun }
552*4882a593Smuzhiyun
aesni_xts_enc32(const void * ctx,u8 * dst,const u8 * src,le128 * iv)553*4882a593Smuzhiyun static void aesni_xts_enc32(const void *ctx, u8 *dst, const u8 *src, le128 *iv)
554*4882a593Smuzhiyun {
555*4882a593Smuzhiyun aesni_xts_encrypt(ctx, dst, src, 32 * AES_BLOCK_SIZE, (u8 *)iv);
556*4882a593Smuzhiyun }
557*4882a593Smuzhiyun
aesni_xts_dec32(const void * ctx,u8 * dst,const u8 * src,le128 * iv)558*4882a593Smuzhiyun static void aesni_xts_dec32(const void *ctx, u8 *dst, const u8 *src, le128 *iv)
559*4882a593Smuzhiyun {
560*4882a593Smuzhiyun aesni_xts_decrypt(ctx, dst, src, 32 * AES_BLOCK_SIZE, (u8 *)iv);
561*4882a593Smuzhiyun }
562*4882a593Smuzhiyun
563*4882a593Smuzhiyun static const struct common_glue_ctx aesni_enc_xts = {
564*4882a593Smuzhiyun .num_funcs = 2,
565*4882a593Smuzhiyun .fpu_blocks_limit = 1,
566*4882a593Smuzhiyun
567*4882a593Smuzhiyun .funcs = { {
568*4882a593Smuzhiyun .num_blocks = 32,
569*4882a593Smuzhiyun .fn_u = { .xts = aesni_xts_enc32 }
570*4882a593Smuzhiyun }, {
571*4882a593Smuzhiyun .num_blocks = 1,
572*4882a593Smuzhiyun .fn_u = { .xts = aesni_xts_enc }
573*4882a593Smuzhiyun } }
574*4882a593Smuzhiyun };
575*4882a593Smuzhiyun
576*4882a593Smuzhiyun static const struct common_glue_ctx aesni_dec_xts = {
577*4882a593Smuzhiyun .num_funcs = 2,
578*4882a593Smuzhiyun .fpu_blocks_limit = 1,
579*4882a593Smuzhiyun
580*4882a593Smuzhiyun .funcs = { {
581*4882a593Smuzhiyun .num_blocks = 32,
582*4882a593Smuzhiyun .fn_u = { .xts = aesni_xts_dec32 }
583*4882a593Smuzhiyun }, {
584*4882a593Smuzhiyun .num_blocks = 1,
585*4882a593Smuzhiyun .fn_u = { .xts = aesni_xts_dec }
586*4882a593Smuzhiyun } }
587*4882a593Smuzhiyun };
588*4882a593Smuzhiyun
xts_encrypt(struct skcipher_request * req)589*4882a593Smuzhiyun static int xts_encrypt(struct skcipher_request *req)
590*4882a593Smuzhiyun {
591*4882a593Smuzhiyun struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
592*4882a593Smuzhiyun struct aesni_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
593*4882a593Smuzhiyun
594*4882a593Smuzhiyun return glue_xts_req_128bit(&aesni_enc_xts, req, aesni_enc,
595*4882a593Smuzhiyun aes_ctx(ctx->raw_tweak_ctx),
596*4882a593Smuzhiyun aes_ctx(ctx->raw_crypt_ctx),
597*4882a593Smuzhiyun false);
598*4882a593Smuzhiyun }
599*4882a593Smuzhiyun
xts_decrypt(struct skcipher_request * req)600*4882a593Smuzhiyun static int xts_decrypt(struct skcipher_request *req)
601*4882a593Smuzhiyun {
602*4882a593Smuzhiyun struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
603*4882a593Smuzhiyun struct aesni_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
604*4882a593Smuzhiyun
605*4882a593Smuzhiyun return glue_xts_req_128bit(&aesni_dec_xts, req, aesni_enc,
606*4882a593Smuzhiyun aes_ctx(ctx->raw_tweak_ctx),
607*4882a593Smuzhiyun aes_ctx(ctx->raw_crypt_ctx),
608*4882a593Smuzhiyun true);
609*4882a593Smuzhiyun }
610*4882a593Smuzhiyun
611*4882a593Smuzhiyun static int
rfc4106_set_hash_subkey(u8 * hash_subkey,const u8 * key,unsigned int key_len)612*4882a593Smuzhiyun rfc4106_set_hash_subkey(u8 *hash_subkey, const u8 *key, unsigned int key_len)
613*4882a593Smuzhiyun {
614*4882a593Smuzhiyun struct crypto_aes_ctx ctx;
615*4882a593Smuzhiyun int ret;
616*4882a593Smuzhiyun
617*4882a593Smuzhiyun ret = aes_expandkey(&ctx, key, key_len);
618*4882a593Smuzhiyun if (ret)
619*4882a593Smuzhiyun return ret;
620*4882a593Smuzhiyun
621*4882a593Smuzhiyun /* Clear the data in the hash sub key container to zero.*/
622*4882a593Smuzhiyun /* We want to cipher all zeros to create the hash sub key. */
623*4882a593Smuzhiyun memset(hash_subkey, 0, RFC4106_HASH_SUBKEY_SIZE);
624*4882a593Smuzhiyun
625*4882a593Smuzhiyun aes_encrypt(&ctx, hash_subkey, hash_subkey);
626*4882a593Smuzhiyun
627*4882a593Smuzhiyun memzero_explicit(&ctx, sizeof(ctx));
628*4882a593Smuzhiyun return 0;
629*4882a593Smuzhiyun }
630*4882a593Smuzhiyun
common_rfc4106_set_key(struct crypto_aead * aead,const u8 * key,unsigned int key_len)631*4882a593Smuzhiyun static int common_rfc4106_set_key(struct crypto_aead *aead, const u8 *key,
632*4882a593Smuzhiyun unsigned int key_len)
633*4882a593Smuzhiyun {
634*4882a593Smuzhiyun struct aesni_rfc4106_gcm_ctx *ctx = aesni_rfc4106_gcm_ctx_get(aead);
635*4882a593Smuzhiyun
636*4882a593Smuzhiyun if (key_len < 4)
637*4882a593Smuzhiyun return -EINVAL;
638*4882a593Smuzhiyun
639*4882a593Smuzhiyun /*Account for 4 byte nonce at the end.*/
640*4882a593Smuzhiyun key_len -= 4;
641*4882a593Smuzhiyun
642*4882a593Smuzhiyun memcpy(ctx->nonce, key + key_len, sizeof(ctx->nonce));
643*4882a593Smuzhiyun
644*4882a593Smuzhiyun return aes_set_key_common(crypto_aead_tfm(aead),
645*4882a593Smuzhiyun &ctx->aes_key_expanded, key, key_len) ?:
646*4882a593Smuzhiyun rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len);
647*4882a593Smuzhiyun }
648*4882a593Smuzhiyun
649*4882a593Smuzhiyun /* This is the Integrity Check Value (aka the authentication tag) length and can
650*4882a593Smuzhiyun * be 8, 12 or 16 bytes long. */
common_rfc4106_set_authsize(struct crypto_aead * aead,unsigned int authsize)651*4882a593Smuzhiyun static int common_rfc4106_set_authsize(struct crypto_aead *aead,
652*4882a593Smuzhiyun unsigned int authsize)
653*4882a593Smuzhiyun {
654*4882a593Smuzhiyun switch (authsize) {
655*4882a593Smuzhiyun case 8:
656*4882a593Smuzhiyun case 12:
657*4882a593Smuzhiyun case 16:
658*4882a593Smuzhiyun break;
659*4882a593Smuzhiyun default:
660*4882a593Smuzhiyun return -EINVAL;
661*4882a593Smuzhiyun }
662*4882a593Smuzhiyun
663*4882a593Smuzhiyun return 0;
664*4882a593Smuzhiyun }
665*4882a593Smuzhiyun
generic_gcmaes_set_authsize(struct crypto_aead * tfm,unsigned int authsize)666*4882a593Smuzhiyun static int generic_gcmaes_set_authsize(struct crypto_aead *tfm,
667*4882a593Smuzhiyun unsigned int authsize)
668*4882a593Smuzhiyun {
669*4882a593Smuzhiyun switch (authsize) {
670*4882a593Smuzhiyun case 4:
671*4882a593Smuzhiyun case 8:
672*4882a593Smuzhiyun case 12:
673*4882a593Smuzhiyun case 13:
674*4882a593Smuzhiyun case 14:
675*4882a593Smuzhiyun case 15:
676*4882a593Smuzhiyun case 16:
677*4882a593Smuzhiyun break;
678*4882a593Smuzhiyun default:
679*4882a593Smuzhiyun return -EINVAL;
680*4882a593Smuzhiyun }
681*4882a593Smuzhiyun
682*4882a593Smuzhiyun return 0;
683*4882a593Smuzhiyun }
684*4882a593Smuzhiyun
gcmaes_crypt_by_sg(bool enc,struct aead_request * req,unsigned int assoclen,u8 * hash_subkey,u8 * iv,void * aes_ctx)685*4882a593Smuzhiyun static int gcmaes_crypt_by_sg(bool enc, struct aead_request *req,
686*4882a593Smuzhiyun unsigned int assoclen, u8 *hash_subkey,
687*4882a593Smuzhiyun u8 *iv, void *aes_ctx)
688*4882a593Smuzhiyun {
689*4882a593Smuzhiyun struct crypto_aead *tfm = crypto_aead_reqtfm(req);
690*4882a593Smuzhiyun unsigned long auth_tag_len = crypto_aead_authsize(tfm);
691*4882a593Smuzhiyun const struct aesni_gcm_tfm_s *gcm_tfm = aesni_gcm_tfm;
692*4882a593Smuzhiyun u8 databuf[sizeof(struct gcm_context_data) + (AESNI_ALIGN - 8)] __aligned(8);
693*4882a593Smuzhiyun struct gcm_context_data *data = PTR_ALIGN((void *)databuf, AESNI_ALIGN);
694*4882a593Smuzhiyun struct scatter_walk dst_sg_walk = {};
695*4882a593Smuzhiyun unsigned long left = req->cryptlen;
696*4882a593Smuzhiyun unsigned long len, srclen, dstlen;
697*4882a593Smuzhiyun struct scatter_walk assoc_sg_walk;
698*4882a593Smuzhiyun struct scatter_walk src_sg_walk;
699*4882a593Smuzhiyun struct scatterlist src_start[2];
700*4882a593Smuzhiyun struct scatterlist dst_start[2];
701*4882a593Smuzhiyun struct scatterlist *src_sg;
702*4882a593Smuzhiyun struct scatterlist *dst_sg;
703*4882a593Smuzhiyun u8 *src, *dst, *assoc;
704*4882a593Smuzhiyun u8 *assocmem = NULL;
705*4882a593Smuzhiyun u8 authTag[16];
706*4882a593Smuzhiyun
707*4882a593Smuzhiyun if (!enc)
708*4882a593Smuzhiyun left -= auth_tag_len;
709*4882a593Smuzhiyun
710*4882a593Smuzhiyun if (left < AVX_GEN4_OPTSIZE && gcm_tfm == &aesni_gcm_tfm_avx_gen4)
711*4882a593Smuzhiyun gcm_tfm = &aesni_gcm_tfm_avx_gen2;
712*4882a593Smuzhiyun if (left < AVX_GEN2_OPTSIZE && gcm_tfm == &aesni_gcm_tfm_avx_gen2)
713*4882a593Smuzhiyun gcm_tfm = &aesni_gcm_tfm_sse;
714*4882a593Smuzhiyun
715*4882a593Smuzhiyun /* Linearize assoc, if not already linear */
716*4882a593Smuzhiyun if (req->src->length >= assoclen && req->src->length &&
717*4882a593Smuzhiyun (!PageHighMem(sg_page(req->src)) ||
718*4882a593Smuzhiyun req->src->offset + req->src->length <= PAGE_SIZE)) {
719*4882a593Smuzhiyun scatterwalk_start(&assoc_sg_walk, req->src);
720*4882a593Smuzhiyun assoc = scatterwalk_map(&assoc_sg_walk);
721*4882a593Smuzhiyun } else {
722*4882a593Smuzhiyun /* assoc can be any length, so must be on heap */
723*4882a593Smuzhiyun assocmem = kmalloc(assoclen, GFP_ATOMIC);
724*4882a593Smuzhiyun if (unlikely(!assocmem))
725*4882a593Smuzhiyun return -ENOMEM;
726*4882a593Smuzhiyun assoc = assocmem;
727*4882a593Smuzhiyun
728*4882a593Smuzhiyun scatterwalk_map_and_copy(assoc, req->src, 0, assoclen, 0);
729*4882a593Smuzhiyun }
730*4882a593Smuzhiyun
731*4882a593Smuzhiyun if (left) {
732*4882a593Smuzhiyun src_sg = scatterwalk_ffwd(src_start, req->src, req->assoclen);
733*4882a593Smuzhiyun scatterwalk_start(&src_sg_walk, src_sg);
734*4882a593Smuzhiyun if (req->src != req->dst) {
735*4882a593Smuzhiyun dst_sg = scatterwalk_ffwd(dst_start, req->dst,
736*4882a593Smuzhiyun req->assoclen);
737*4882a593Smuzhiyun scatterwalk_start(&dst_sg_walk, dst_sg);
738*4882a593Smuzhiyun }
739*4882a593Smuzhiyun }
740*4882a593Smuzhiyun
741*4882a593Smuzhiyun kernel_fpu_begin();
742*4882a593Smuzhiyun gcm_tfm->init(aes_ctx, data, iv, hash_subkey, assoc, assoclen);
743*4882a593Smuzhiyun if (req->src != req->dst) {
744*4882a593Smuzhiyun while (left) {
745*4882a593Smuzhiyun src = scatterwalk_map(&src_sg_walk);
746*4882a593Smuzhiyun dst = scatterwalk_map(&dst_sg_walk);
747*4882a593Smuzhiyun srclen = scatterwalk_clamp(&src_sg_walk, left);
748*4882a593Smuzhiyun dstlen = scatterwalk_clamp(&dst_sg_walk, left);
749*4882a593Smuzhiyun len = min(srclen, dstlen);
750*4882a593Smuzhiyun if (len) {
751*4882a593Smuzhiyun if (enc)
752*4882a593Smuzhiyun gcm_tfm->enc_update(aes_ctx, data,
753*4882a593Smuzhiyun dst, src, len);
754*4882a593Smuzhiyun else
755*4882a593Smuzhiyun gcm_tfm->dec_update(aes_ctx, data,
756*4882a593Smuzhiyun dst, src, len);
757*4882a593Smuzhiyun }
758*4882a593Smuzhiyun left -= len;
759*4882a593Smuzhiyun
760*4882a593Smuzhiyun scatterwalk_unmap(src);
761*4882a593Smuzhiyun scatterwalk_unmap(dst);
762*4882a593Smuzhiyun scatterwalk_advance(&src_sg_walk, len);
763*4882a593Smuzhiyun scatterwalk_advance(&dst_sg_walk, len);
764*4882a593Smuzhiyun scatterwalk_done(&src_sg_walk, 0, left);
765*4882a593Smuzhiyun scatterwalk_done(&dst_sg_walk, 1, left);
766*4882a593Smuzhiyun }
767*4882a593Smuzhiyun } else {
768*4882a593Smuzhiyun while (left) {
769*4882a593Smuzhiyun dst = src = scatterwalk_map(&src_sg_walk);
770*4882a593Smuzhiyun len = scatterwalk_clamp(&src_sg_walk, left);
771*4882a593Smuzhiyun if (len) {
772*4882a593Smuzhiyun if (enc)
773*4882a593Smuzhiyun gcm_tfm->enc_update(aes_ctx, data,
774*4882a593Smuzhiyun src, src, len);
775*4882a593Smuzhiyun else
776*4882a593Smuzhiyun gcm_tfm->dec_update(aes_ctx, data,
777*4882a593Smuzhiyun src, src, len);
778*4882a593Smuzhiyun }
779*4882a593Smuzhiyun left -= len;
780*4882a593Smuzhiyun scatterwalk_unmap(src);
781*4882a593Smuzhiyun scatterwalk_advance(&src_sg_walk, len);
782*4882a593Smuzhiyun scatterwalk_done(&src_sg_walk, 1, left);
783*4882a593Smuzhiyun }
784*4882a593Smuzhiyun }
785*4882a593Smuzhiyun gcm_tfm->finalize(aes_ctx, data, authTag, auth_tag_len);
786*4882a593Smuzhiyun kernel_fpu_end();
787*4882a593Smuzhiyun
788*4882a593Smuzhiyun if (!assocmem)
789*4882a593Smuzhiyun scatterwalk_unmap(assoc);
790*4882a593Smuzhiyun else
791*4882a593Smuzhiyun kfree(assocmem);
792*4882a593Smuzhiyun
793*4882a593Smuzhiyun if (!enc) {
794*4882a593Smuzhiyun u8 authTagMsg[16];
795*4882a593Smuzhiyun
796*4882a593Smuzhiyun /* Copy out original authTag */
797*4882a593Smuzhiyun scatterwalk_map_and_copy(authTagMsg, req->src,
798*4882a593Smuzhiyun req->assoclen + req->cryptlen -
799*4882a593Smuzhiyun auth_tag_len,
800*4882a593Smuzhiyun auth_tag_len, 0);
801*4882a593Smuzhiyun
802*4882a593Smuzhiyun /* Compare generated tag with passed in tag. */
803*4882a593Smuzhiyun return crypto_memneq(authTagMsg, authTag, auth_tag_len) ?
804*4882a593Smuzhiyun -EBADMSG : 0;
805*4882a593Smuzhiyun }
806*4882a593Smuzhiyun
807*4882a593Smuzhiyun /* Copy in the authTag */
808*4882a593Smuzhiyun scatterwalk_map_and_copy(authTag, req->dst,
809*4882a593Smuzhiyun req->assoclen + req->cryptlen,
810*4882a593Smuzhiyun auth_tag_len, 1);
811*4882a593Smuzhiyun
812*4882a593Smuzhiyun return 0;
813*4882a593Smuzhiyun }
814*4882a593Smuzhiyun
gcmaes_encrypt(struct aead_request * req,unsigned int assoclen,u8 * hash_subkey,u8 * iv,void * aes_ctx)815*4882a593Smuzhiyun static int gcmaes_encrypt(struct aead_request *req, unsigned int assoclen,
816*4882a593Smuzhiyun u8 *hash_subkey, u8 *iv, void *aes_ctx)
817*4882a593Smuzhiyun {
818*4882a593Smuzhiyun return gcmaes_crypt_by_sg(true, req, assoclen, hash_subkey, iv,
819*4882a593Smuzhiyun aes_ctx);
820*4882a593Smuzhiyun }
821*4882a593Smuzhiyun
gcmaes_decrypt(struct aead_request * req,unsigned int assoclen,u8 * hash_subkey,u8 * iv,void * aes_ctx)822*4882a593Smuzhiyun static int gcmaes_decrypt(struct aead_request *req, unsigned int assoclen,
823*4882a593Smuzhiyun u8 *hash_subkey, u8 *iv, void *aes_ctx)
824*4882a593Smuzhiyun {
825*4882a593Smuzhiyun return gcmaes_crypt_by_sg(false, req, assoclen, hash_subkey, iv,
826*4882a593Smuzhiyun aes_ctx);
827*4882a593Smuzhiyun }
828*4882a593Smuzhiyun
helper_rfc4106_encrypt(struct aead_request * req)829*4882a593Smuzhiyun static int helper_rfc4106_encrypt(struct aead_request *req)
830*4882a593Smuzhiyun {
831*4882a593Smuzhiyun struct crypto_aead *tfm = crypto_aead_reqtfm(req);
832*4882a593Smuzhiyun struct aesni_rfc4106_gcm_ctx *ctx = aesni_rfc4106_gcm_ctx_get(tfm);
833*4882a593Smuzhiyun void *aes_ctx = &(ctx->aes_key_expanded);
834*4882a593Smuzhiyun u8 ivbuf[16 + (AESNI_ALIGN - 8)] __aligned(8);
835*4882a593Smuzhiyun u8 *iv = PTR_ALIGN(&ivbuf[0], AESNI_ALIGN);
836*4882a593Smuzhiyun unsigned int i;
837*4882a593Smuzhiyun __be32 counter = cpu_to_be32(1);
838*4882a593Smuzhiyun
839*4882a593Smuzhiyun /* Assuming we are supporting rfc4106 64-bit extended */
840*4882a593Smuzhiyun /* sequence numbers We need to have the AAD length equal */
841*4882a593Smuzhiyun /* to 16 or 20 bytes */
842*4882a593Smuzhiyun if (unlikely(req->assoclen != 16 && req->assoclen != 20))
843*4882a593Smuzhiyun return -EINVAL;
844*4882a593Smuzhiyun
845*4882a593Smuzhiyun /* IV below built */
846*4882a593Smuzhiyun for (i = 0; i < 4; i++)
847*4882a593Smuzhiyun *(iv+i) = ctx->nonce[i];
848*4882a593Smuzhiyun for (i = 0; i < 8; i++)
849*4882a593Smuzhiyun *(iv+4+i) = req->iv[i];
850*4882a593Smuzhiyun *((__be32 *)(iv+12)) = counter;
851*4882a593Smuzhiyun
852*4882a593Smuzhiyun return gcmaes_encrypt(req, req->assoclen - 8, ctx->hash_subkey, iv,
853*4882a593Smuzhiyun aes_ctx);
854*4882a593Smuzhiyun }
855*4882a593Smuzhiyun
helper_rfc4106_decrypt(struct aead_request * req)856*4882a593Smuzhiyun static int helper_rfc4106_decrypt(struct aead_request *req)
857*4882a593Smuzhiyun {
858*4882a593Smuzhiyun __be32 counter = cpu_to_be32(1);
859*4882a593Smuzhiyun struct crypto_aead *tfm = crypto_aead_reqtfm(req);
860*4882a593Smuzhiyun struct aesni_rfc4106_gcm_ctx *ctx = aesni_rfc4106_gcm_ctx_get(tfm);
861*4882a593Smuzhiyun void *aes_ctx = &(ctx->aes_key_expanded);
862*4882a593Smuzhiyun u8 ivbuf[16 + (AESNI_ALIGN - 8)] __aligned(8);
863*4882a593Smuzhiyun u8 *iv = PTR_ALIGN(&ivbuf[0], AESNI_ALIGN);
864*4882a593Smuzhiyun unsigned int i;
865*4882a593Smuzhiyun
866*4882a593Smuzhiyun if (unlikely(req->assoclen != 16 && req->assoclen != 20))
867*4882a593Smuzhiyun return -EINVAL;
868*4882a593Smuzhiyun
869*4882a593Smuzhiyun /* Assuming we are supporting rfc4106 64-bit extended */
870*4882a593Smuzhiyun /* sequence numbers We need to have the AAD length */
871*4882a593Smuzhiyun /* equal to 16 or 20 bytes */
872*4882a593Smuzhiyun
873*4882a593Smuzhiyun /* IV below built */
874*4882a593Smuzhiyun for (i = 0; i < 4; i++)
875*4882a593Smuzhiyun *(iv+i) = ctx->nonce[i];
876*4882a593Smuzhiyun for (i = 0; i < 8; i++)
877*4882a593Smuzhiyun *(iv+4+i) = req->iv[i];
878*4882a593Smuzhiyun *((__be32 *)(iv+12)) = counter;
879*4882a593Smuzhiyun
880*4882a593Smuzhiyun return gcmaes_decrypt(req, req->assoclen - 8, ctx->hash_subkey, iv,
881*4882a593Smuzhiyun aes_ctx);
882*4882a593Smuzhiyun }
883*4882a593Smuzhiyun #endif
884*4882a593Smuzhiyun
885*4882a593Smuzhiyun static struct crypto_alg aesni_cipher_alg = {
886*4882a593Smuzhiyun .cra_name = "aes",
887*4882a593Smuzhiyun .cra_driver_name = "aes-aesni",
888*4882a593Smuzhiyun .cra_priority = 300,
889*4882a593Smuzhiyun .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
890*4882a593Smuzhiyun .cra_blocksize = AES_BLOCK_SIZE,
891*4882a593Smuzhiyun .cra_ctxsize = CRYPTO_AES_CTX_SIZE,
892*4882a593Smuzhiyun .cra_module = THIS_MODULE,
893*4882a593Smuzhiyun .cra_u = {
894*4882a593Smuzhiyun .cipher = {
895*4882a593Smuzhiyun .cia_min_keysize = AES_MIN_KEY_SIZE,
896*4882a593Smuzhiyun .cia_max_keysize = AES_MAX_KEY_SIZE,
897*4882a593Smuzhiyun .cia_setkey = aes_set_key,
898*4882a593Smuzhiyun .cia_encrypt = aesni_encrypt,
899*4882a593Smuzhiyun .cia_decrypt = aesni_decrypt
900*4882a593Smuzhiyun }
901*4882a593Smuzhiyun }
902*4882a593Smuzhiyun };
903*4882a593Smuzhiyun
904*4882a593Smuzhiyun static struct skcipher_alg aesni_skciphers[] = {
905*4882a593Smuzhiyun {
906*4882a593Smuzhiyun .base = {
907*4882a593Smuzhiyun .cra_name = "__ecb(aes)",
908*4882a593Smuzhiyun .cra_driver_name = "__ecb-aes-aesni",
909*4882a593Smuzhiyun .cra_priority = 400,
910*4882a593Smuzhiyun .cra_flags = CRYPTO_ALG_INTERNAL,
911*4882a593Smuzhiyun .cra_blocksize = AES_BLOCK_SIZE,
912*4882a593Smuzhiyun .cra_ctxsize = CRYPTO_AES_CTX_SIZE,
913*4882a593Smuzhiyun .cra_module = THIS_MODULE,
914*4882a593Smuzhiyun },
915*4882a593Smuzhiyun .min_keysize = AES_MIN_KEY_SIZE,
916*4882a593Smuzhiyun .max_keysize = AES_MAX_KEY_SIZE,
917*4882a593Smuzhiyun .setkey = aesni_skcipher_setkey,
918*4882a593Smuzhiyun .encrypt = ecb_encrypt,
919*4882a593Smuzhiyun .decrypt = ecb_decrypt,
920*4882a593Smuzhiyun }, {
921*4882a593Smuzhiyun .base = {
922*4882a593Smuzhiyun .cra_name = "__cbc(aes)",
923*4882a593Smuzhiyun .cra_driver_name = "__cbc-aes-aesni",
924*4882a593Smuzhiyun .cra_priority = 400,
925*4882a593Smuzhiyun .cra_flags = CRYPTO_ALG_INTERNAL,
926*4882a593Smuzhiyun .cra_blocksize = AES_BLOCK_SIZE,
927*4882a593Smuzhiyun .cra_ctxsize = CRYPTO_AES_CTX_SIZE,
928*4882a593Smuzhiyun .cra_module = THIS_MODULE,
929*4882a593Smuzhiyun },
930*4882a593Smuzhiyun .min_keysize = AES_MIN_KEY_SIZE,
931*4882a593Smuzhiyun .max_keysize = AES_MAX_KEY_SIZE,
932*4882a593Smuzhiyun .ivsize = AES_BLOCK_SIZE,
933*4882a593Smuzhiyun .setkey = aesni_skcipher_setkey,
934*4882a593Smuzhiyun .encrypt = cbc_encrypt,
935*4882a593Smuzhiyun .decrypt = cbc_decrypt,
936*4882a593Smuzhiyun #ifdef CONFIG_X86_64
937*4882a593Smuzhiyun }, {
938*4882a593Smuzhiyun .base = {
939*4882a593Smuzhiyun .cra_name = "__ctr(aes)",
940*4882a593Smuzhiyun .cra_driver_name = "__ctr-aes-aesni",
941*4882a593Smuzhiyun .cra_priority = 400,
942*4882a593Smuzhiyun .cra_flags = CRYPTO_ALG_INTERNAL,
943*4882a593Smuzhiyun .cra_blocksize = 1,
944*4882a593Smuzhiyun .cra_ctxsize = CRYPTO_AES_CTX_SIZE,
945*4882a593Smuzhiyun .cra_module = THIS_MODULE,
946*4882a593Smuzhiyun },
947*4882a593Smuzhiyun .min_keysize = AES_MIN_KEY_SIZE,
948*4882a593Smuzhiyun .max_keysize = AES_MAX_KEY_SIZE,
949*4882a593Smuzhiyun .ivsize = AES_BLOCK_SIZE,
950*4882a593Smuzhiyun .chunksize = AES_BLOCK_SIZE,
951*4882a593Smuzhiyun .setkey = aesni_skcipher_setkey,
952*4882a593Smuzhiyun .encrypt = ctr_crypt,
953*4882a593Smuzhiyun .decrypt = ctr_crypt,
954*4882a593Smuzhiyun }, {
955*4882a593Smuzhiyun .base = {
956*4882a593Smuzhiyun .cra_name = "__xts(aes)",
957*4882a593Smuzhiyun .cra_driver_name = "__xts-aes-aesni",
958*4882a593Smuzhiyun .cra_priority = 401,
959*4882a593Smuzhiyun .cra_flags = CRYPTO_ALG_INTERNAL,
960*4882a593Smuzhiyun .cra_blocksize = AES_BLOCK_SIZE,
961*4882a593Smuzhiyun .cra_ctxsize = XTS_AES_CTX_SIZE,
962*4882a593Smuzhiyun .cra_module = THIS_MODULE,
963*4882a593Smuzhiyun },
964*4882a593Smuzhiyun .min_keysize = 2 * AES_MIN_KEY_SIZE,
965*4882a593Smuzhiyun .max_keysize = 2 * AES_MAX_KEY_SIZE,
966*4882a593Smuzhiyun .ivsize = AES_BLOCK_SIZE,
967*4882a593Smuzhiyun .setkey = xts_aesni_setkey,
968*4882a593Smuzhiyun .encrypt = xts_encrypt,
969*4882a593Smuzhiyun .decrypt = xts_decrypt,
970*4882a593Smuzhiyun #endif
971*4882a593Smuzhiyun }
972*4882a593Smuzhiyun };
973*4882a593Smuzhiyun
974*4882a593Smuzhiyun static
975*4882a593Smuzhiyun struct simd_skcipher_alg *aesni_simd_skciphers[ARRAY_SIZE(aesni_skciphers)];
976*4882a593Smuzhiyun
977*4882a593Smuzhiyun #ifdef CONFIG_X86_64
generic_gcmaes_set_key(struct crypto_aead * aead,const u8 * key,unsigned int key_len)978*4882a593Smuzhiyun static int generic_gcmaes_set_key(struct crypto_aead *aead, const u8 *key,
979*4882a593Smuzhiyun unsigned int key_len)
980*4882a593Smuzhiyun {
981*4882a593Smuzhiyun struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(aead);
982*4882a593Smuzhiyun
983*4882a593Smuzhiyun return aes_set_key_common(crypto_aead_tfm(aead),
984*4882a593Smuzhiyun &ctx->aes_key_expanded, key, key_len) ?:
985*4882a593Smuzhiyun rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len);
986*4882a593Smuzhiyun }
987*4882a593Smuzhiyun
generic_gcmaes_encrypt(struct aead_request * req)988*4882a593Smuzhiyun static int generic_gcmaes_encrypt(struct aead_request *req)
989*4882a593Smuzhiyun {
990*4882a593Smuzhiyun struct crypto_aead *tfm = crypto_aead_reqtfm(req);
991*4882a593Smuzhiyun struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(tfm);
992*4882a593Smuzhiyun void *aes_ctx = &(ctx->aes_key_expanded);
993*4882a593Smuzhiyun u8 ivbuf[16 + (AESNI_ALIGN - 8)] __aligned(8);
994*4882a593Smuzhiyun u8 *iv = PTR_ALIGN(&ivbuf[0], AESNI_ALIGN);
995*4882a593Smuzhiyun __be32 counter = cpu_to_be32(1);
996*4882a593Smuzhiyun
997*4882a593Smuzhiyun memcpy(iv, req->iv, 12);
998*4882a593Smuzhiyun *((__be32 *)(iv+12)) = counter;
999*4882a593Smuzhiyun
1000*4882a593Smuzhiyun return gcmaes_encrypt(req, req->assoclen, ctx->hash_subkey, iv,
1001*4882a593Smuzhiyun aes_ctx);
1002*4882a593Smuzhiyun }
1003*4882a593Smuzhiyun
generic_gcmaes_decrypt(struct aead_request * req)1004*4882a593Smuzhiyun static int generic_gcmaes_decrypt(struct aead_request *req)
1005*4882a593Smuzhiyun {
1006*4882a593Smuzhiyun __be32 counter = cpu_to_be32(1);
1007*4882a593Smuzhiyun struct crypto_aead *tfm = crypto_aead_reqtfm(req);
1008*4882a593Smuzhiyun struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(tfm);
1009*4882a593Smuzhiyun void *aes_ctx = &(ctx->aes_key_expanded);
1010*4882a593Smuzhiyun u8 ivbuf[16 + (AESNI_ALIGN - 8)] __aligned(8);
1011*4882a593Smuzhiyun u8 *iv = PTR_ALIGN(&ivbuf[0], AESNI_ALIGN);
1012*4882a593Smuzhiyun
1013*4882a593Smuzhiyun memcpy(iv, req->iv, 12);
1014*4882a593Smuzhiyun *((__be32 *)(iv+12)) = counter;
1015*4882a593Smuzhiyun
1016*4882a593Smuzhiyun return gcmaes_decrypt(req, req->assoclen, ctx->hash_subkey, iv,
1017*4882a593Smuzhiyun aes_ctx);
1018*4882a593Smuzhiyun }
1019*4882a593Smuzhiyun
1020*4882a593Smuzhiyun static struct aead_alg aesni_aeads[] = { {
1021*4882a593Smuzhiyun .setkey = common_rfc4106_set_key,
1022*4882a593Smuzhiyun .setauthsize = common_rfc4106_set_authsize,
1023*4882a593Smuzhiyun .encrypt = helper_rfc4106_encrypt,
1024*4882a593Smuzhiyun .decrypt = helper_rfc4106_decrypt,
1025*4882a593Smuzhiyun .ivsize = GCM_RFC4106_IV_SIZE,
1026*4882a593Smuzhiyun .maxauthsize = 16,
1027*4882a593Smuzhiyun .base = {
1028*4882a593Smuzhiyun .cra_name = "__rfc4106(gcm(aes))",
1029*4882a593Smuzhiyun .cra_driver_name = "__rfc4106-gcm-aesni",
1030*4882a593Smuzhiyun .cra_priority = 400,
1031*4882a593Smuzhiyun .cra_flags = CRYPTO_ALG_INTERNAL,
1032*4882a593Smuzhiyun .cra_blocksize = 1,
1033*4882a593Smuzhiyun .cra_ctxsize = sizeof(struct aesni_rfc4106_gcm_ctx),
1034*4882a593Smuzhiyun .cra_alignmask = AESNI_ALIGN - 1,
1035*4882a593Smuzhiyun .cra_module = THIS_MODULE,
1036*4882a593Smuzhiyun },
1037*4882a593Smuzhiyun }, {
1038*4882a593Smuzhiyun .setkey = generic_gcmaes_set_key,
1039*4882a593Smuzhiyun .setauthsize = generic_gcmaes_set_authsize,
1040*4882a593Smuzhiyun .encrypt = generic_gcmaes_encrypt,
1041*4882a593Smuzhiyun .decrypt = generic_gcmaes_decrypt,
1042*4882a593Smuzhiyun .ivsize = GCM_AES_IV_SIZE,
1043*4882a593Smuzhiyun .maxauthsize = 16,
1044*4882a593Smuzhiyun .base = {
1045*4882a593Smuzhiyun .cra_name = "__gcm(aes)",
1046*4882a593Smuzhiyun .cra_driver_name = "__generic-gcm-aesni",
1047*4882a593Smuzhiyun .cra_priority = 400,
1048*4882a593Smuzhiyun .cra_flags = CRYPTO_ALG_INTERNAL,
1049*4882a593Smuzhiyun .cra_blocksize = 1,
1050*4882a593Smuzhiyun .cra_ctxsize = sizeof(struct generic_gcmaes_ctx),
1051*4882a593Smuzhiyun .cra_alignmask = AESNI_ALIGN - 1,
1052*4882a593Smuzhiyun .cra_module = THIS_MODULE,
1053*4882a593Smuzhiyun },
1054*4882a593Smuzhiyun } };
1055*4882a593Smuzhiyun #else
1056*4882a593Smuzhiyun static struct aead_alg aesni_aeads[0];
1057*4882a593Smuzhiyun #endif
1058*4882a593Smuzhiyun
1059*4882a593Smuzhiyun static struct simd_aead_alg *aesni_simd_aeads[ARRAY_SIZE(aesni_aeads)];
1060*4882a593Smuzhiyun
1061*4882a593Smuzhiyun static const struct x86_cpu_id aesni_cpu_id[] = {
1062*4882a593Smuzhiyun X86_MATCH_FEATURE(X86_FEATURE_AES, NULL),
1063*4882a593Smuzhiyun {}
1064*4882a593Smuzhiyun };
1065*4882a593Smuzhiyun MODULE_DEVICE_TABLE(x86cpu, aesni_cpu_id);
1066*4882a593Smuzhiyun
aesni_init(void)1067*4882a593Smuzhiyun static int __init aesni_init(void)
1068*4882a593Smuzhiyun {
1069*4882a593Smuzhiyun int err;
1070*4882a593Smuzhiyun
1071*4882a593Smuzhiyun if (!x86_match_cpu(aesni_cpu_id))
1072*4882a593Smuzhiyun return -ENODEV;
1073*4882a593Smuzhiyun #ifdef CONFIG_X86_64
1074*4882a593Smuzhiyun if (boot_cpu_has(X86_FEATURE_AVX2)) {
1075*4882a593Smuzhiyun pr_info("AVX2 version of gcm_enc/dec engaged.\n");
1076*4882a593Smuzhiyun aesni_gcm_tfm = &aesni_gcm_tfm_avx_gen4;
1077*4882a593Smuzhiyun } else
1078*4882a593Smuzhiyun if (boot_cpu_has(X86_FEATURE_AVX)) {
1079*4882a593Smuzhiyun pr_info("AVX version of gcm_enc/dec engaged.\n");
1080*4882a593Smuzhiyun aesni_gcm_tfm = &aesni_gcm_tfm_avx_gen2;
1081*4882a593Smuzhiyun } else {
1082*4882a593Smuzhiyun pr_info("SSE version of gcm_enc/dec engaged.\n");
1083*4882a593Smuzhiyun aesni_gcm_tfm = &aesni_gcm_tfm_sse;
1084*4882a593Smuzhiyun }
1085*4882a593Smuzhiyun aesni_ctr_enc_tfm = aesni_ctr_enc;
1086*4882a593Smuzhiyun if (boot_cpu_has(X86_FEATURE_AVX)) {
1087*4882a593Smuzhiyun /* optimize performance of ctr mode encryption transform */
1088*4882a593Smuzhiyun aesni_ctr_enc_tfm = aesni_ctr_enc_avx_tfm;
1089*4882a593Smuzhiyun pr_info("AES CTR mode by8 optimization enabled\n");
1090*4882a593Smuzhiyun }
1091*4882a593Smuzhiyun #endif
1092*4882a593Smuzhiyun
1093*4882a593Smuzhiyun err = crypto_register_alg(&aesni_cipher_alg);
1094*4882a593Smuzhiyun if (err)
1095*4882a593Smuzhiyun return err;
1096*4882a593Smuzhiyun
1097*4882a593Smuzhiyun err = simd_register_skciphers_compat(aesni_skciphers,
1098*4882a593Smuzhiyun ARRAY_SIZE(aesni_skciphers),
1099*4882a593Smuzhiyun aesni_simd_skciphers);
1100*4882a593Smuzhiyun if (err)
1101*4882a593Smuzhiyun goto unregister_cipher;
1102*4882a593Smuzhiyun
1103*4882a593Smuzhiyun err = simd_register_aeads_compat(aesni_aeads, ARRAY_SIZE(aesni_aeads),
1104*4882a593Smuzhiyun aesni_simd_aeads);
1105*4882a593Smuzhiyun if (err)
1106*4882a593Smuzhiyun goto unregister_skciphers;
1107*4882a593Smuzhiyun
1108*4882a593Smuzhiyun return 0;
1109*4882a593Smuzhiyun
1110*4882a593Smuzhiyun unregister_skciphers:
1111*4882a593Smuzhiyun simd_unregister_skciphers(aesni_skciphers, ARRAY_SIZE(aesni_skciphers),
1112*4882a593Smuzhiyun aesni_simd_skciphers);
1113*4882a593Smuzhiyun unregister_cipher:
1114*4882a593Smuzhiyun crypto_unregister_alg(&aesni_cipher_alg);
1115*4882a593Smuzhiyun return err;
1116*4882a593Smuzhiyun }
1117*4882a593Smuzhiyun
aesni_exit(void)1118*4882a593Smuzhiyun static void __exit aesni_exit(void)
1119*4882a593Smuzhiyun {
1120*4882a593Smuzhiyun simd_unregister_aeads(aesni_aeads, ARRAY_SIZE(aesni_aeads),
1121*4882a593Smuzhiyun aesni_simd_aeads);
1122*4882a593Smuzhiyun simd_unregister_skciphers(aesni_skciphers, ARRAY_SIZE(aesni_skciphers),
1123*4882a593Smuzhiyun aesni_simd_skciphers);
1124*4882a593Smuzhiyun crypto_unregister_alg(&aesni_cipher_alg);
1125*4882a593Smuzhiyun }
1126*4882a593Smuzhiyun
1127*4882a593Smuzhiyun late_initcall(aesni_init);
1128*4882a593Smuzhiyun module_exit(aesni_exit);
1129*4882a593Smuzhiyun
1130*4882a593Smuzhiyun MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm, Intel AES-NI instructions optimized");
1131*4882a593Smuzhiyun MODULE_LICENSE("GPL");
1132*4882a593Smuzhiyun MODULE_ALIAS_CRYPTO("aes");
1133