ccp-crypto-aes-cmac.c 9.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AMD Cryptographic Coprocessor (CCP) AES CMAC crypto API support
  4. *
  5. * Copyright (C) 2013,2018 Advanced Micro Devices, Inc.
  6. *
  7. * Author: Tom Lendacky <thomas.lendacky@amd.com>
  8. */
  9. #include <linux/module.h>
  10. #include <linux/sched.h>
  11. #include <linux/delay.h>
  12. #include <linux/scatterlist.h>
  13. #include <linux/crypto.h>
  14. #include <crypto/algapi.h>
  15. #include <crypto/aes.h>
  16. #include <crypto/hash.h>
  17. #include <crypto/internal/hash.h>
  18. #include <crypto/scatterwalk.h>
  19. #include "ccp-crypto.h"
  20. static int ccp_aes_cmac_complete(struct crypto_async_request *async_req,
  21. int ret)
  22. {
  23. struct ahash_request *req = ahash_request_cast(async_req);
  24. struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
  25. struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
  26. unsigned int digest_size = crypto_ahash_digestsize(tfm);
  27. if (ret)
  28. goto e_free;
  29. if (rctx->hash_rem) {
  30. /* Save remaining data to buffer */
  31. unsigned int offset = rctx->nbytes - rctx->hash_rem;
  32. scatterwalk_map_and_copy(rctx->buf, rctx->src,
  33. offset, rctx->hash_rem, 0);
  34. rctx->buf_count = rctx->hash_rem;
  35. } else {
  36. rctx->buf_count = 0;
  37. }
  38. /* Update result area if supplied */
  39. if (req->result && rctx->final)
  40. memcpy(req->result, rctx->iv, digest_size);
  41. e_free:
  42. sg_free_table(&rctx->data_sg);
  43. return ret;
  44. }
  45. static int ccp_do_cmac_update(struct ahash_request *req, unsigned int nbytes,
  46. unsigned int final)
  47. {
  48. struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
  49. struct ccp_ctx *ctx = crypto_ahash_ctx(tfm);
  50. struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
  51. struct scatterlist *sg, *cmac_key_sg = NULL;
  52. unsigned int block_size =
  53. crypto_tfm_alg_blocksize(crypto_ahash_tfm(tfm));
  54. unsigned int need_pad, sg_count;
  55. gfp_t gfp;
  56. u64 len;
  57. int ret;
  58. if (!ctx->u.aes.key_len)
  59. return -EINVAL;
  60. if (nbytes)
  61. rctx->null_msg = 0;
  62. len = (u64)rctx->buf_count + (u64)nbytes;
  63. if (!final && (len <= block_size)) {
  64. scatterwalk_map_and_copy(rctx->buf + rctx->buf_count, req->src,
  65. 0, nbytes, 0);
  66. rctx->buf_count += nbytes;
  67. return 0;
  68. }
  69. rctx->src = req->src;
  70. rctx->nbytes = nbytes;
  71. rctx->final = final;
  72. rctx->hash_rem = final ? 0 : len & (block_size - 1);
  73. rctx->hash_cnt = len - rctx->hash_rem;
  74. if (!final && !rctx->hash_rem) {
  75. /* CCP can't do zero length final, so keep some data around */
  76. rctx->hash_cnt -= block_size;
  77. rctx->hash_rem = block_size;
  78. }
  79. if (final && (rctx->null_msg || (len & (block_size - 1))))
  80. need_pad = 1;
  81. else
  82. need_pad = 0;
  83. sg_init_one(&rctx->iv_sg, rctx->iv, sizeof(rctx->iv));
  84. /* Build the data scatterlist table - allocate enough entries for all
  85. * possible data pieces (buffer, input data, padding)
  86. */
  87. sg_count = (nbytes) ? sg_nents(req->src) + 2 : 2;
  88. gfp = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
  89. GFP_KERNEL : GFP_ATOMIC;
  90. ret = sg_alloc_table(&rctx->data_sg, sg_count, gfp);
  91. if (ret)
  92. return ret;
  93. sg = NULL;
  94. if (rctx->buf_count) {
  95. sg_init_one(&rctx->buf_sg, rctx->buf, rctx->buf_count);
  96. sg = ccp_crypto_sg_table_add(&rctx->data_sg, &rctx->buf_sg);
  97. if (!sg) {
  98. ret = -EINVAL;
  99. goto e_free;
  100. }
  101. }
  102. if (nbytes) {
  103. sg = ccp_crypto_sg_table_add(&rctx->data_sg, req->src);
  104. if (!sg) {
  105. ret = -EINVAL;
  106. goto e_free;
  107. }
  108. }
  109. if (need_pad) {
  110. int pad_length = block_size - (len & (block_size - 1));
  111. rctx->hash_cnt += pad_length;
  112. memset(rctx->pad, 0, sizeof(rctx->pad));
  113. rctx->pad[0] = 0x80;
  114. sg_init_one(&rctx->pad_sg, rctx->pad, pad_length);
  115. sg = ccp_crypto_sg_table_add(&rctx->data_sg, &rctx->pad_sg);
  116. if (!sg) {
  117. ret = -EINVAL;
  118. goto e_free;
  119. }
  120. }
  121. if (sg) {
  122. sg_mark_end(sg);
  123. sg = rctx->data_sg.sgl;
  124. }
  125. /* Initialize the K1/K2 scatterlist */
  126. if (final)
  127. cmac_key_sg = (need_pad) ? &ctx->u.aes.k2_sg
  128. : &ctx->u.aes.k1_sg;
  129. memset(&rctx->cmd, 0, sizeof(rctx->cmd));
  130. INIT_LIST_HEAD(&rctx->cmd.entry);
  131. rctx->cmd.engine = CCP_ENGINE_AES;
  132. rctx->cmd.u.aes.type = ctx->u.aes.type;
  133. rctx->cmd.u.aes.mode = ctx->u.aes.mode;
  134. rctx->cmd.u.aes.action = CCP_AES_ACTION_ENCRYPT;
  135. rctx->cmd.u.aes.key = &ctx->u.aes.key_sg;
  136. rctx->cmd.u.aes.key_len = ctx->u.aes.key_len;
  137. rctx->cmd.u.aes.iv = &rctx->iv_sg;
  138. rctx->cmd.u.aes.iv_len = AES_BLOCK_SIZE;
  139. rctx->cmd.u.aes.src = sg;
  140. rctx->cmd.u.aes.src_len = rctx->hash_cnt;
  141. rctx->cmd.u.aes.dst = NULL;
  142. rctx->cmd.u.aes.cmac_key = cmac_key_sg;
  143. rctx->cmd.u.aes.cmac_key_len = ctx->u.aes.kn_len;
  144. rctx->cmd.u.aes.cmac_final = final;
  145. ret = ccp_crypto_enqueue_request(&req->base, &rctx->cmd);
  146. return ret;
  147. e_free:
  148. sg_free_table(&rctx->data_sg);
  149. return ret;
  150. }
  151. static int ccp_aes_cmac_init(struct ahash_request *req)
  152. {
  153. struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
  154. memset(rctx, 0, sizeof(*rctx));
  155. rctx->null_msg = 1;
  156. return 0;
  157. }
  158. static int ccp_aes_cmac_update(struct ahash_request *req)
  159. {
  160. return ccp_do_cmac_update(req, req->nbytes, 0);
  161. }
  162. static int ccp_aes_cmac_final(struct ahash_request *req)
  163. {
  164. return ccp_do_cmac_update(req, 0, 1);
  165. }
  166. static int ccp_aes_cmac_finup(struct ahash_request *req)
  167. {
  168. return ccp_do_cmac_update(req, req->nbytes, 1);
  169. }
  170. static int ccp_aes_cmac_digest(struct ahash_request *req)
  171. {
  172. int ret;
  173. ret = ccp_aes_cmac_init(req);
  174. if (ret)
  175. return ret;
  176. return ccp_aes_cmac_finup(req);
  177. }
  178. static int ccp_aes_cmac_export(struct ahash_request *req, void *out)
  179. {
  180. struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
  181. struct ccp_aes_cmac_exp_ctx state;
  182. /* Don't let anything leak to 'out' */
  183. memset(&state, 0, sizeof(state));
  184. state.null_msg = rctx->null_msg;
  185. memcpy(state.iv, rctx->iv, sizeof(state.iv));
  186. state.buf_count = rctx->buf_count;
  187. memcpy(state.buf, rctx->buf, sizeof(state.buf));
  188. /* 'out' may not be aligned so memcpy from local variable */
  189. memcpy(out, &state, sizeof(state));
  190. return 0;
  191. }
  192. static int ccp_aes_cmac_import(struct ahash_request *req, const void *in)
  193. {
  194. struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
  195. struct ccp_aes_cmac_exp_ctx state;
  196. /* 'in' may not be aligned so memcpy to local variable */
  197. memcpy(&state, in, sizeof(state));
  198. memset(rctx, 0, sizeof(*rctx));
  199. rctx->null_msg = state.null_msg;
  200. memcpy(rctx->iv, state.iv, sizeof(rctx->iv));
  201. rctx->buf_count = state.buf_count;
  202. memcpy(rctx->buf, state.buf, sizeof(rctx->buf));
  203. return 0;
  204. }
  205. static int ccp_aes_cmac_setkey(struct crypto_ahash *tfm, const u8 *key,
  206. unsigned int key_len)
  207. {
  208. struct ccp_ctx *ctx = crypto_tfm_ctx(crypto_ahash_tfm(tfm));
  209. struct ccp_crypto_ahash_alg *alg =
  210. ccp_crypto_ahash_alg(crypto_ahash_tfm(tfm));
  211. u64 k0_hi, k0_lo, k1_hi, k1_lo, k2_hi, k2_lo;
  212. u64 rb_hi = 0x00, rb_lo = 0x87;
  213. struct crypto_aes_ctx aes;
  214. __be64 *gk;
  215. int ret;
  216. switch (key_len) {
  217. case AES_KEYSIZE_128:
  218. ctx->u.aes.type = CCP_AES_TYPE_128;
  219. break;
  220. case AES_KEYSIZE_192:
  221. ctx->u.aes.type = CCP_AES_TYPE_192;
  222. break;
  223. case AES_KEYSIZE_256:
  224. ctx->u.aes.type = CCP_AES_TYPE_256;
  225. break;
  226. default:
  227. crypto_ahash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
  228. return -EINVAL;
  229. }
  230. ctx->u.aes.mode = alg->mode;
  231. /* Set to zero until complete */
  232. ctx->u.aes.key_len = 0;
  233. /* Set the key for the AES cipher used to generate the keys */
  234. ret = aes_expandkey(&aes, key, key_len);
  235. if (ret)
  236. return ret;
  237. /* Encrypt a block of zeroes - use key area in context */
  238. memset(ctx->u.aes.key, 0, sizeof(ctx->u.aes.key));
  239. aes_encrypt(&aes, ctx->u.aes.key, ctx->u.aes.key);
  240. memzero_explicit(&aes, sizeof(aes));
  241. /* Generate K1 and K2 */
  242. k0_hi = be64_to_cpu(*((__be64 *)ctx->u.aes.key));
  243. k0_lo = be64_to_cpu(*((__be64 *)ctx->u.aes.key + 1));
  244. k1_hi = (k0_hi << 1) | (k0_lo >> 63);
  245. k1_lo = k0_lo << 1;
  246. if (ctx->u.aes.key[0] & 0x80) {
  247. k1_hi ^= rb_hi;
  248. k1_lo ^= rb_lo;
  249. }
  250. gk = (__be64 *)ctx->u.aes.k1;
  251. *gk = cpu_to_be64(k1_hi);
  252. gk++;
  253. *gk = cpu_to_be64(k1_lo);
  254. k2_hi = (k1_hi << 1) | (k1_lo >> 63);
  255. k2_lo = k1_lo << 1;
  256. if (ctx->u.aes.k1[0] & 0x80) {
  257. k2_hi ^= rb_hi;
  258. k2_lo ^= rb_lo;
  259. }
  260. gk = (__be64 *)ctx->u.aes.k2;
  261. *gk = cpu_to_be64(k2_hi);
  262. gk++;
  263. *gk = cpu_to_be64(k2_lo);
  264. ctx->u.aes.kn_len = sizeof(ctx->u.aes.k1);
  265. sg_init_one(&ctx->u.aes.k1_sg, ctx->u.aes.k1, sizeof(ctx->u.aes.k1));
  266. sg_init_one(&ctx->u.aes.k2_sg, ctx->u.aes.k2, sizeof(ctx->u.aes.k2));
  267. /* Save the supplied key */
  268. memset(ctx->u.aes.key, 0, sizeof(ctx->u.aes.key));
  269. memcpy(ctx->u.aes.key, key, key_len);
  270. ctx->u.aes.key_len = key_len;
  271. sg_init_one(&ctx->u.aes.key_sg, ctx->u.aes.key, key_len);
  272. return ret;
  273. }
  274. static int ccp_aes_cmac_cra_init(struct crypto_tfm *tfm)
  275. {
  276. struct ccp_ctx *ctx = crypto_tfm_ctx(tfm);
  277. struct crypto_ahash *ahash = __crypto_ahash_cast(tfm);
  278. ctx->complete = ccp_aes_cmac_complete;
  279. ctx->u.aes.key_len = 0;
  280. crypto_ahash_set_reqsize(ahash, sizeof(struct ccp_aes_cmac_req_ctx));
  281. return 0;
  282. }
  283. int ccp_register_aes_cmac_algs(struct list_head *head)
  284. {
  285. struct ccp_crypto_ahash_alg *ccp_alg;
  286. struct ahash_alg *alg;
  287. struct hash_alg_common *halg;
  288. struct crypto_alg *base;
  289. int ret;
  290. ccp_alg = kzalloc(sizeof(*ccp_alg), GFP_KERNEL);
  291. if (!ccp_alg)
  292. return -ENOMEM;
  293. INIT_LIST_HEAD(&ccp_alg->entry);
  294. ccp_alg->mode = CCP_AES_MODE_CMAC;
  295. alg = &ccp_alg->alg;
  296. alg->init = ccp_aes_cmac_init;
  297. alg->update = ccp_aes_cmac_update;
  298. alg->final = ccp_aes_cmac_final;
  299. alg->finup = ccp_aes_cmac_finup;
  300. alg->digest = ccp_aes_cmac_digest;
  301. alg->export = ccp_aes_cmac_export;
  302. alg->import = ccp_aes_cmac_import;
  303. alg->setkey = ccp_aes_cmac_setkey;
  304. halg = &alg->halg;
  305. halg->digestsize = AES_BLOCK_SIZE;
  306. halg->statesize = sizeof(struct ccp_aes_cmac_exp_ctx);
  307. base = &halg->base;
  308. snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "cmac(aes)");
  309. snprintf(base->cra_driver_name, CRYPTO_MAX_ALG_NAME, "cmac-aes-ccp");
  310. base->cra_flags = CRYPTO_ALG_ASYNC |
  311. CRYPTO_ALG_KERN_DRIVER_ONLY |
  312. CRYPTO_ALG_NEED_FALLBACK;
  313. base->cra_blocksize = AES_BLOCK_SIZE;
  314. base->cra_ctxsize = sizeof(struct ccp_ctx);
  315. base->cra_priority = CCP_CRA_PRIORITY;
  316. base->cra_init = ccp_aes_cmac_cra_init;
  317. base->cra_module = THIS_MODULE;
  318. ret = crypto_register_ahash(alg);
  319. if (ret) {
  320. pr_err("%s ahash algorithm registration error (%d)\n",
  321. base->cra_name, ret);
  322. kfree(ccp_alg);
  323. return ret;
  324. }
  325. list_add(&ccp_alg->entry, head);
  326. return 0;
  327. }