1 // SPDX-License-Identifier: GPL-2.0-only
3 * AMD Cryptographic Coprocessor (CCP) AES CMAC crypto API support
5 * Copyright (C) 2013,2018 Advanced Micro Devices, Inc.
7 * Author: Tom Lendacky <thomas.lendacky@amd.com>
10 #include <linux/module.h>
11 #include <linux/sched.h>
12 #include <linux/delay.h>
13 #include <linux/scatterlist.h>
14 #include <linux/crypto.h>
15 #include <crypto/algapi.h>
16 #include <crypto/aes.h>
17 #include <crypto/hash.h>
18 #include <crypto/internal/hash.h>
19 #include <crypto/scatterwalk.h>
21 #include "ccp-crypto.h"
23 static int ccp_aes_cmac_complete(struct crypto_async_request
*async_req
,
26 struct ahash_request
*req
= ahash_request_cast(async_req
);
27 struct crypto_ahash
*tfm
= crypto_ahash_reqtfm(req
);
28 struct ccp_aes_cmac_req_ctx
*rctx
= ahash_request_ctx(req
);
29 unsigned int digest_size
= crypto_ahash_digestsize(tfm
);
35 /* Save remaining data to buffer */
36 unsigned int offset
= rctx
->nbytes
- rctx
->hash_rem
;
38 scatterwalk_map_and_copy(rctx
->buf
, rctx
->src
,
39 offset
, rctx
->hash_rem
, 0);
40 rctx
->buf_count
= rctx
->hash_rem
;
45 /* Update result area if supplied */
46 if (req
->result
&& rctx
->final
)
47 memcpy(req
->result
, rctx
->iv
, digest_size
);
50 sg_free_table(&rctx
->data_sg
);
55 static int ccp_do_cmac_update(struct ahash_request
*req
, unsigned int nbytes
,
58 struct crypto_ahash
*tfm
= crypto_ahash_reqtfm(req
);
59 struct ccp_ctx
*ctx
= crypto_ahash_ctx(tfm
);
60 struct ccp_aes_cmac_req_ctx
*rctx
= ahash_request_ctx(req
);
61 struct scatterlist
*sg
, *cmac_key_sg
= NULL
;
62 unsigned int block_size
=
63 crypto_tfm_alg_blocksize(crypto_ahash_tfm(tfm
));
64 unsigned int need_pad
, sg_count
;
69 if (!ctx
->u
.aes
.key_len
)
75 len
= (u64
)rctx
->buf_count
+ (u64
)nbytes
;
77 if (!final
&& (len
<= block_size
)) {
78 scatterwalk_map_and_copy(rctx
->buf
+ rctx
->buf_count
, req
->src
,
80 rctx
->buf_count
+= nbytes
;
86 rctx
->nbytes
= nbytes
;
89 rctx
->hash_rem
= final
? 0 : len
& (block_size
- 1);
90 rctx
->hash_cnt
= len
- rctx
->hash_rem
;
91 if (!final
&& !rctx
->hash_rem
) {
92 /* CCP can't do zero length final, so keep some data around */
93 rctx
->hash_cnt
-= block_size
;
94 rctx
->hash_rem
= block_size
;
97 if (final
&& (rctx
->null_msg
|| (len
& (block_size
- 1))))
102 sg_init_one(&rctx
->iv_sg
, rctx
->iv
, sizeof(rctx
->iv
));
104 /* Build the data scatterlist table - allocate enough entries for all
105 * possible data pieces (buffer, input data, padding)
107 sg_count
= (nbytes
) ? sg_nents(req
->src
) + 2 : 2;
108 gfp
= req
->base
.flags
& CRYPTO_TFM_REQ_MAY_SLEEP
?
109 GFP_KERNEL
: GFP_ATOMIC
;
110 ret
= sg_alloc_table(&rctx
->data_sg
, sg_count
, gfp
);
115 if (rctx
->buf_count
) {
116 sg_init_one(&rctx
->buf_sg
, rctx
->buf
, rctx
->buf_count
);
117 sg
= ccp_crypto_sg_table_add(&rctx
->data_sg
, &rctx
->buf_sg
);
125 sg
= ccp_crypto_sg_table_add(&rctx
->data_sg
, req
->src
);
133 int pad_length
= block_size
- (len
& (block_size
- 1));
135 rctx
->hash_cnt
+= pad_length
;
137 memset(rctx
->pad
, 0, sizeof(rctx
->pad
));
139 sg_init_one(&rctx
->pad_sg
, rctx
->pad
, pad_length
);
140 sg
= ccp_crypto_sg_table_add(&rctx
->data_sg
, &rctx
->pad_sg
);
148 sg
= rctx
->data_sg
.sgl
;
151 /* Initialize the K1/K2 scatterlist */
153 cmac_key_sg
= (need_pad
) ? &ctx
->u
.aes
.k2_sg
156 memset(&rctx
->cmd
, 0, sizeof(rctx
->cmd
));
157 INIT_LIST_HEAD(&rctx
->cmd
.entry
);
158 rctx
->cmd
.engine
= CCP_ENGINE_AES
;
159 rctx
->cmd
.u
.aes
.type
= ctx
->u
.aes
.type
;
160 rctx
->cmd
.u
.aes
.mode
= ctx
->u
.aes
.mode
;
161 rctx
->cmd
.u
.aes
.action
= CCP_AES_ACTION_ENCRYPT
;
162 rctx
->cmd
.u
.aes
.key
= &ctx
->u
.aes
.key_sg
;
163 rctx
->cmd
.u
.aes
.key_len
= ctx
->u
.aes
.key_len
;
164 rctx
->cmd
.u
.aes
.iv
= &rctx
->iv_sg
;
165 rctx
->cmd
.u
.aes
.iv_len
= AES_BLOCK_SIZE
;
166 rctx
->cmd
.u
.aes
.src
= sg
;
167 rctx
->cmd
.u
.aes
.src_len
= rctx
->hash_cnt
;
168 rctx
->cmd
.u
.aes
.dst
= NULL
;
169 rctx
->cmd
.u
.aes
.cmac_key
= cmac_key_sg
;
170 rctx
->cmd
.u
.aes
.cmac_key_len
= ctx
->u
.aes
.kn_len
;
171 rctx
->cmd
.u
.aes
.cmac_final
= final
;
173 ret
= ccp_crypto_enqueue_request(&req
->base
, &rctx
->cmd
);
178 sg_free_table(&rctx
->data_sg
);
183 static int ccp_aes_cmac_init(struct ahash_request
*req
)
185 struct ccp_aes_cmac_req_ctx
*rctx
= ahash_request_ctx(req
);
187 memset(rctx
, 0, sizeof(*rctx
));
194 static int ccp_aes_cmac_update(struct ahash_request
*req
)
196 return ccp_do_cmac_update(req
, req
->nbytes
, 0);
199 static int ccp_aes_cmac_final(struct ahash_request
*req
)
201 return ccp_do_cmac_update(req
, 0, 1);
204 static int ccp_aes_cmac_finup(struct ahash_request
*req
)
206 return ccp_do_cmac_update(req
, req
->nbytes
, 1);
209 static int ccp_aes_cmac_digest(struct ahash_request
*req
)
213 ret
= ccp_aes_cmac_init(req
);
217 return ccp_aes_cmac_finup(req
);
220 static int ccp_aes_cmac_export(struct ahash_request
*req
, void *out
)
222 struct ccp_aes_cmac_req_ctx
*rctx
= ahash_request_ctx(req
);
223 struct ccp_aes_cmac_exp_ctx state
;
225 /* Don't let anything leak to 'out' */
226 memset(&state
, 0, sizeof(state
));
228 state
.null_msg
= rctx
->null_msg
;
229 memcpy(state
.iv
, rctx
->iv
, sizeof(state
.iv
));
230 state
.buf_count
= rctx
->buf_count
;
231 memcpy(state
.buf
, rctx
->buf
, sizeof(state
.buf
));
233 /* 'out' may not be aligned so memcpy from local variable */
234 memcpy(out
, &state
, sizeof(state
));
239 static int ccp_aes_cmac_import(struct ahash_request
*req
, const void *in
)
241 struct ccp_aes_cmac_req_ctx
*rctx
= ahash_request_ctx(req
);
242 struct ccp_aes_cmac_exp_ctx state
;
244 /* 'in' may not be aligned so memcpy to local variable */
245 memcpy(&state
, in
, sizeof(state
));
247 memset(rctx
, 0, sizeof(*rctx
));
248 rctx
->null_msg
= state
.null_msg
;
249 memcpy(rctx
->iv
, state
.iv
, sizeof(rctx
->iv
));
250 rctx
->buf_count
= state
.buf_count
;
251 memcpy(rctx
->buf
, state
.buf
, sizeof(rctx
->buf
));
256 static int ccp_aes_cmac_setkey(struct crypto_ahash
*tfm
, const u8
*key
,
257 unsigned int key_len
)
259 struct ccp_ctx
*ctx
= crypto_tfm_ctx(crypto_ahash_tfm(tfm
));
260 struct ccp_crypto_ahash_alg
*alg
=
261 ccp_crypto_ahash_alg(crypto_ahash_tfm(tfm
));
262 u64 k0_hi
, k0_lo
, k1_hi
, k1_lo
, k2_hi
, k2_lo
;
263 u64 rb_hi
= 0x00, rb_lo
= 0x87;
264 struct crypto_aes_ctx aes
;
269 case AES_KEYSIZE_128
:
270 ctx
->u
.aes
.type
= CCP_AES_TYPE_128
;
272 case AES_KEYSIZE_192
:
273 ctx
->u
.aes
.type
= CCP_AES_TYPE_192
;
275 case AES_KEYSIZE_256
:
276 ctx
->u
.aes
.type
= CCP_AES_TYPE_256
;
281 ctx
->u
.aes
.mode
= alg
->mode
;
283 /* Set to zero until complete */
284 ctx
->u
.aes
.key_len
= 0;
286 /* Set the key for the AES cipher used to generate the keys */
287 ret
= aes_expandkey(&aes
, key
, key_len
);
291 /* Encrypt a block of zeroes - use key area in context */
292 memset(ctx
->u
.aes
.key
, 0, sizeof(ctx
->u
.aes
.key
));
293 aes_encrypt(&aes
, ctx
->u
.aes
.key
, ctx
->u
.aes
.key
);
294 memzero_explicit(&aes
, sizeof(aes
));
296 /* Generate K1 and K2 */
297 k0_hi
= be64_to_cpu(*((__be64
*)ctx
->u
.aes
.key
));
298 k0_lo
= be64_to_cpu(*((__be64
*)ctx
->u
.aes
.key
+ 1));
300 k1_hi
= (k0_hi
<< 1) | (k0_lo
>> 63);
302 if (ctx
->u
.aes
.key
[0] & 0x80) {
306 gk
= (__be64
*)ctx
->u
.aes
.k1
;
307 *gk
= cpu_to_be64(k1_hi
);
309 *gk
= cpu_to_be64(k1_lo
);
311 k2_hi
= (k1_hi
<< 1) | (k1_lo
>> 63);
313 if (ctx
->u
.aes
.k1
[0] & 0x80) {
317 gk
= (__be64
*)ctx
->u
.aes
.k2
;
318 *gk
= cpu_to_be64(k2_hi
);
320 *gk
= cpu_to_be64(k2_lo
);
322 ctx
->u
.aes
.kn_len
= sizeof(ctx
->u
.aes
.k1
);
323 sg_init_one(&ctx
->u
.aes
.k1_sg
, ctx
->u
.aes
.k1
, sizeof(ctx
->u
.aes
.k1
));
324 sg_init_one(&ctx
->u
.aes
.k2_sg
, ctx
->u
.aes
.k2
, sizeof(ctx
->u
.aes
.k2
));
326 /* Save the supplied key */
327 memset(ctx
->u
.aes
.key
, 0, sizeof(ctx
->u
.aes
.key
));
328 memcpy(ctx
->u
.aes
.key
, key
, key_len
);
329 ctx
->u
.aes
.key_len
= key_len
;
330 sg_init_one(&ctx
->u
.aes
.key_sg
, ctx
->u
.aes
.key
, key_len
);
335 static int ccp_aes_cmac_cra_init(struct crypto_tfm
*tfm
)
337 struct ccp_ctx
*ctx
= crypto_tfm_ctx(tfm
);
338 struct crypto_ahash
*ahash
= __crypto_ahash_cast(tfm
);
340 ctx
->complete
= ccp_aes_cmac_complete
;
341 ctx
->u
.aes
.key_len
= 0;
343 crypto_ahash_set_reqsize(ahash
, sizeof(struct ccp_aes_cmac_req_ctx
));
348 int ccp_register_aes_cmac_algs(struct list_head
*head
)
350 struct ccp_crypto_ahash_alg
*ccp_alg
;
351 struct ahash_alg
*alg
;
352 struct hash_alg_common
*halg
;
353 struct crypto_alg
*base
;
356 ccp_alg
= kzalloc(sizeof(*ccp_alg
), GFP_KERNEL
);
360 INIT_LIST_HEAD(&ccp_alg
->entry
);
361 ccp_alg
->mode
= CCP_AES_MODE_CMAC
;
364 alg
->init
= ccp_aes_cmac_init
;
365 alg
->update
= ccp_aes_cmac_update
;
366 alg
->final
= ccp_aes_cmac_final
;
367 alg
->finup
= ccp_aes_cmac_finup
;
368 alg
->digest
= ccp_aes_cmac_digest
;
369 alg
->export
= ccp_aes_cmac_export
;
370 alg
->import
= ccp_aes_cmac_import
;
371 alg
->setkey
= ccp_aes_cmac_setkey
;
374 halg
->digestsize
= AES_BLOCK_SIZE
;
375 halg
->statesize
= sizeof(struct ccp_aes_cmac_exp_ctx
);
378 snprintf(base
->cra_name
, CRYPTO_MAX_ALG_NAME
, "cmac(aes)");
379 snprintf(base
->cra_driver_name
, CRYPTO_MAX_ALG_NAME
, "cmac-aes-ccp");
380 base
->cra_flags
= CRYPTO_ALG_ASYNC
|
381 CRYPTO_ALG_ALLOCATES_MEMORY
|
382 CRYPTO_ALG_KERN_DRIVER_ONLY
|
383 CRYPTO_ALG_NEED_FALLBACK
;
384 base
->cra_blocksize
= AES_BLOCK_SIZE
;
385 base
->cra_ctxsize
= sizeof(struct ccp_ctx
);
386 base
->cra_priority
= CCP_CRA_PRIORITY
;
387 base
->cra_init
= ccp_aes_cmac_cra_init
;
388 base
->cra_module
= THIS_MODULE
;
390 ret
= crypto_register_ahash(alg
);
392 pr_err("%s ahash algorithm registration error (%d)\n",
393 base
->cra_name
, ret
);
398 list_add(&ccp_alg
->entry
, head
);