1 // SPDX-License-Identifier: GPL-2.0 OR MIT
3 * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
6 #include <crypto/algapi.h>
7 #include <crypto/internal/hash.h>
8 #include <crypto/internal/poly1305.h>
9 #include <crypto/internal/simd.h>
10 #include <linux/crypto.h>
11 #include <linux/jump_label.h>
12 #include <linux/kernel.h>
13 #include <linux/module.h>
14 #include <asm/intel-family.h>
/*
 * Entry points of the back ends this glue selects between (asmlinkage and the
 * _x86_64/_avx* suffixes suggest they live in the accompanying assembly).
 * All take an opaque ctx that the glue treats as a struct poly1305_arch_internal
 * (see convert_to_base2_64()). The blocks routines take a padbit that the
 * callers in this file pass as 1 for full blocks and 0 for the explicitly
 * padded final block.
 *
 * NOTE(review): four prototypes are cut short in this listing
 * (poly1305_emit_x86_64, poly1305_emit_avx, poly1305_blocks_avx,
 * poly1305_blocks_avx2): their last parameter and the closing ");" are not
 * visible. The call sites below pass a nonce as the third argument of the emit
 * routines and padbit as the fourth argument of the blocks routines.
 */
asmlinkage void poly1305_init_x86_64(void *ctx,
				     const u8 key[POLY1305_KEY_SIZE]);
asmlinkage void poly1305_blocks_x86_64(void *ctx, const u8 *inp,
				       const size_t len, const u32 padbit);
/* Emits the tag into mac; see poly1305_simd_emit() for the nonce argument. */
asmlinkage void poly1305_emit_x86_64(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
asmlinkage void poly1305_emit_avx(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
/* Vector block routines; selected per call in poly1305_simd_blocks(). */
asmlinkage void poly1305_blocks_avx(void *ctx, const u8 *inp, const size_t len,
asmlinkage void poly1305_blocks_avx2(void *ctx, const u8 *inp, const size_t len,
asmlinkage void poly1305_blocks_avx512(void *ctx, const u8 *inp,
				       const size_t len, const u32 padbit);
/*
 * Which vector back end to use is decided once, in poly1305_simd_mod_init(),
 * from the CPU feature bits. The keys are __ro_after_init, so the decision is
 * frozen after boot rather than remaining a writable control knob.
 */
static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx);
static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx2);
static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx512);
/*
 * Accumulator and key state shared with the back-end routines; its layout is
 * therefore fixed by the assembly and must not be rearranged from C.
 *
 * NOTE(review): this listing drops the leading members (original lines 37-45)
 * and the closing brace. The code below accesses state->h[0..4],
 * state->is_base2_26 and state->hs[0..2] through this type, and the statement
 * order in convert_to_base2_64() is consistent with h/is_base2_26 aliasing
 * hs (a union) -- confirm against the full source.
 */
struct poly1305_arch_internal {
	/* Presumably precomputed key powers in the order the vector code
	 * consumes them (note the r2, r1, r4, r3 ordering). */
	struct { u32 r2, r1, r4, r3; } rn[9];
/* The AVX code uses base 2^26, while the scalar code uses base 2^64. If we hit
 * the unfortunate situation of using AVX and then having to go back to scalar
 * -- because the user is silly and has called the update function from two
 * separate contexts -- then we need to convert back to the original base before
 * proceeding. It is possible to reason that the initial reduction below is
 * sufficient given the implementation invariants. However, for an avoidance of
 * doubt and because this is not performance critical, we do the full reduction
 * anyway. Z3 proof of below function: https://xn--4db.cc/ltPtHCKN/py
 *
 * Repacks the five 26-bit limbs h[0..4] into the three 64-bit limbs hs[0..2],
 * folding anything at or above bit 130 back in modulo 2^130 - 5 on the way,
 * then clears is_base2_26. A no-op when the state is already in base 2^64.
 *
 * NOTE(review): several lines of the original are absent from this listing:
 * the declaration of cy, the early return for the !is_base2_26 case, the two
 * statements between the computation of cy from hs[2] and the carry into
 * hs[1] (the add of cy into hs[0] and the masking of hs[2] down to its low two
 * bits), the #undef of ULT (without it the macro stays defined for the rest
 * of the file), and the braces. Read the real source before relying on the
 * exact sequence shown here.
 */
static void convert_to_base2_64(void *ctx)
	struct poly1305_arch_internal *state = ctx;

	/* Nothing to convert if the scalar code has been running all along. */
	if (!state->is_base2_26)

	/* Carry-normalize: trim each limb to 26 bits, pushing the excess up. */
	cy = state->h[0] >> 26; state->h[0] &= 0x3ffffff; state->h[1] += cy;
	cy = state->h[1] >> 26; state->h[1] &= 0x3ffffff; state->h[2] += cy;
	cy = state->h[2] >> 26; state->h[2] &= 0x3ffffff; state->h[3] += cy;
	cy = state->h[3] >> 26; state->h[3] &= 0x3ffffff; state->h[4] += cy;
	/*
	 * Pack into base 2^64: bits 0..63 are h0 | h1<<26 | h2<<52 (h2 spills
	 * 12 bits upward), bits 64..127 are h2>>12 | h3<<14 | h4<<40 (h4 spills
	 * 24 bits), and bits 128.. are h4>>24.
	 */
	state->hs[0] = ((u64)state->h[2] << 52) | ((u64)state->h[1] << 26) | state->h[0];
	state->hs[1] = ((u64)state->h[4] << 40) | ((u64)state->h[3] << 14) | (state->h[2] >> 12);
	state->hs[2] = state->h[4] >> 24;
/*
 * Branch-free unsigned a < b: the expression isolates the borrow of a - b in
 * the top bit, so the shift yields exactly 0 or 1 for any unsigned type.
 * Presumably chosen over a conditional so that carry handling never branches
 * on accumulator contents. Style: the arguments are neither parenthesized nor
 * evaluated once, so pass only simple lvalues.
 */
#define ULT(a, b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1))
	/*
	 * Reduce mod 2^130 - 5: everything at or above bit 130 (hs[2] >> 2)
	 * wraps around multiplied by 5, and (x >> 2) + (x & ~3) == 5 * (x >> 2).
	 */
	cy = (state->hs[2] >> 2) + (state->hs[2] & ~3ULL);
	/* Propagate the carry out of hs[0] (ULT detects the wraparound of the
	 * add that this listing does not show), then the carry out of hs[1]. */
	state->hs[1] += (cy = ULT(state->hs[0], cy));
	state->hs[2] += ULT(state->hs[1], cy);

	/* From here on the scalar routines may consume the state. */
	state->is_base2_26 = 0;
/*
 * Key setup is always done by the scalar routine, so no FPU context is needed
 * here; the vector paths pick the resulting state up later.
 *
 * NOTE(review): braces are not visible in this listing.
 */
static void poly1305_simd_init(void *ctx, const u8 key[POLY1305_KEY_SIZE])
	poly1305_init_x86_64(ctx, key);
/*
 * Process len bytes (a whole number of blocks) into the accumulator, choosing
 * between the scalar and vector back ends per call.
 *
 * The scalar path is taken when AVX is not built in or not enabled, when the
 * FPU cannot be used in the current context (crypto_simd_usable()), or when
 * the input is short (< 18 blocks) and the state is still in base 2^64 --
 * presumably because switching bases would then cost more than it saves.
 * Whenever the scalar path runs, convert_to_base2_64() first brings the state
 * back from the vector representation, so a caller that alternates contexts
 * still gets the right answer. is_base2_26 is presumably set by the vector
 * back ends; only its consumption is visible here.
 *
 * NOTE(review): this listing drops the fourth parameter (padbit, used below),
 * the return that ends the scalar branch, and the loop that the "relax after
 * processing each page" comment refers to, along with the FPU begin/end
 * brackets that loop presumably contains and the advance of inp/len by bytes.
 * Only the per-page body is visible.
 */
static void poly1305_simd_blocks(void *ctx, const u8 *inp, size_t len,
	struct poly1305_arch_internal *state = ctx;

	/* SIMD disables preemption, so relax after processing each page. */
	/* The page-sized chunks handed to the vector code must be whole blocks. */
	BUILD_BUG_ON(PAGE_SIZE < POLY1305_BLOCK_SIZE ||
		     PAGE_SIZE % POLY1305_BLOCK_SIZE);

	if (!IS_ENABLED(CONFIG_AS_AVX) || !static_branch_likely(&poly1305_use_avx) ||
	    (len < (POLY1305_BLOCK_SIZE * 18) && !state->is_base2_26) ||
	    !crypto_simd_usable()) {
		/* Scalar fallback: it must see base 2^64 state. */
		convert_to_base2_64(ctx);
		poly1305_blocks_x86_64(ctx, inp, len, padbit);

		/* Bound each vector call to one page of input. */
		const size_t bytes = min_t(size_t, len, PAGE_SIZE);

		/* Widest enabled vector path wins; the keys were set at init. */
		if (IS_ENABLED(CONFIG_AS_AVX512) && static_branch_likely(&poly1305_use_avx512))
			poly1305_blocks_avx512(ctx, inp, bytes, padbit);
		else if (IS_ENABLED(CONFIG_AS_AVX2) && static_branch_likely(&poly1305_use_avx2))
			poly1305_blocks_avx2(ctx, inp, bytes, padbit);
		/* NOTE(review): the "else" before this call is not visible. */
			poly1305_blocks_avx(ctx, inp, bytes, padbit);
/*
 * Produce the tag into mac from the accumulator and the nonce (the second
 * half of the key, handed over as dctx->s by poly1305_final_arch()). Only one
 * vector emit routine is declared, so AVX2/AVX-512 states use the AVX one; the
 * x86_64 routine is used when AVX is not built in or not enabled.
 *
 * Unlike poly1305_simd_blocks(), there is no crypto_simd_usable() check here,
 * so presumably poly1305_emit_avx() does not touch FPU state -- confirm
 * against the assembly before changing this.
 *
 * NOTE(review): the third parameter (nonce, passed through below), the "else"
 * before the AVX call and the braces are not visible in this listing.
 */
static void poly1305_simd_emit(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
	if (!IS_ENABLED(CONFIG_AS_AVX) || !static_branch_likely(&poly1305_use_avx))
		poly1305_emit_x86_64(ctx, mac, nonce);
		poly1305_emit_avx(ctx, mac, nonce);
/*
 * Library entry point: set up dctx from a one-shot key. The key is handed to
 * poly1305_simd_init() (the back end presumably consumes its first half, r);
 * bytes 16..31 are kept in dctx->s as little-endian words and later passed to
 * the emit routine as the nonce by poly1305_final_arch().
 *
 * key must point to at least 32 readable bytes (key[28..31] is read here);
 * the pointer carries no length, so that is the caller's responsibility.
 *
 * NOTE(review): the braces and the statements following the s[3] load
 * (original lines 139-141) are absent from this listing; in particular,
 * whatever marks the key as set (the sset flag tested in
 * crypto_poly1305_final()) is not visible here.
 */
void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 *key)
	poly1305_simd_init(&dctx->h, key);
	dctx->s[0] = get_unaligned_le32(&key[16]);
	dctx->s[1] = get_unaligned_le32(&key[20]);
	dctx->s[2] = get_unaligned_le32(&key[24]);
	dctx->s[3] = get_unaligned_le32(&key[28]);
EXPORT_SYMBOL(poly1305_init_arch);
/*
 * Lazy key setup for the shash front end, where the key arrives as the first
 * two blocks of the message stream (no setkey is registered in the shash_alg
 * visible below). Consumes up to two blocks from inp -- the first as r (if
 * rset is clear), the next as s -- and returns the number of bytes consumed
 * so the caller can skip them. Returns 0 once the key is complete (sset) or
 * when len is too short to make progress.
 *
 * Because the key is taken from the same stream as the data, a caller that
 * feeds less than a block at a time has the key assembled through dctx->buf by
 * poly1305_update_arch(), which calls here with the full buffer.
 *
 * NOTE(review): the assignments that set rset/sset, the closing braces and the
 * "return acc" are not visible in this listing; the return-value description
 * above is inferred from the callers in poly1305_update_arch().
 */
static unsigned int crypto_poly1305_setdctxkey(struct poly1305_desc_ctx *dctx,
					       const u8 *inp, unsigned int len)
	unsigned int acc = 0;

	if (unlikely(!dctx->sset)) {
		/* First block of the stream is r. */
		if (!dctx->rset && len >= POLY1305_BLOCK_SIZE) {
			poly1305_simd_init(&dctx->h, inp);
			inp += POLY1305_BLOCK_SIZE;
			len -= POLY1305_BLOCK_SIZE;
			acc += POLY1305_BLOCK_SIZE;
		/* Next block is s, stored as four little-endian words. */
		if (len >= POLY1305_BLOCK_SIZE) {
			dctx->s[0] = get_unaligned_le32(&inp[0]);
			dctx->s[1] = get_unaligned_le32(&inp[4]);
			dctx->s[2] = get_unaligned_le32(&inp[8]);
			dctx->s[3] = get_unaligned_le32(&inp[12]);
			inp += POLY1305_BLOCK_SIZE;
			len -= POLY1305_BLOCK_SIZE;
			acc += POLY1305_BLOCK_SIZE;
/*
 * Feed srclen bytes of src into the MAC. Partial blocks are staged in
 * dctx->buf; whole blocks go straight to poly1305_simd_blocks() with padbit 1.
 * While the key is incomplete, crypto_poly1305_setdctxkey() first peels the
 * key blocks off the front of the data.
 *
 * NOTE(review): the third parameter (srclen) and, inside the body, the
 * "src += bytes; srclen -= bytes" advances after each consumed chunk, the
 * reset of buflen after the buffered block is flushed, and the closing braces
 * are not visible in this listing. The final memcpy into dctx->buf relies on
 * srclen being below POLY1305_BLOCK_SIZE at that point, which those absent
 * advances are what guarantee.
 */
void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
	unsigned int bytes, used;

	/* Top up a partially filled staging buffer first. */
	if (unlikely(dctx->buflen)) {
		bytes = min(srclen, POLY1305_BLOCK_SIZE - dctx->buflen);
		memcpy(dctx->buf + dctx->buflen, src, bytes);
		dctx->buflen += bytes;

		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
			/* A full buffer is either a key block (consumed by
			 * setdctxkey, which then returns non-zero) or data. */
			if (likely(!crypto_poly1305_setdctxkey(dctx, dctx->buf, POLY1305_BLOCK_SIZE)))
				poly1305_simd_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 1);

	/* Bulk path: all whole blocks in one call, minus any key bytes. */
	if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
		bytes = round_down(srclen, POLY1305_BLOCK_SIZE);
		used = crypto_poly1305_setdctxkey(dctx, src, bytes);
		if (likely(bytes - used))
			poly1305_simd_blocks(&dctx->h, src + used, bytes - used, 1);

	/* Stash the sub-block tail for the next call or for finalization. */
	if (unlikely(srclen)) {
		dctx->buflen = srclen;
		memcpy(dctx->buf, src, srclen);
EXPORT_SYMBOL(poly1305_update_arch);
/*
 * Finish the MAC into dst. A leftover partial block is padded with a single
 * 0x01 byte followed by zeros and processed with padbit 0, in contrast to the
 * 1 used for full blocks in poly1305_update_arch(). The tag is then emitted
 * and the whole descriptor (h, s, buf, the flags) is cleared so no key
 * material outlives the operation. This is a store through a pointer the
 * caller still holds, not a memset before free, so it is not the kind of wipe
 * a compiler may drop as dead.
 *
 * NOTE(review): braces are not visible in this listing.
 */
void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
	if (unlikely(dctx->buflen)) {
		/* Explicit padding: 0x01 then zeros up to the block size. */
		dctx->buf[dctx->buflen++] = 1;
		memset(dctx->buf + dctx->buflen, 0,
		       POLY1305_BLOCK_SIZE - dctx->buflen);
		poly1305_simd_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);

	/* dctx->s is the nonce argument of the emit routine. */
	poly1305_simd_emit(&dctx->h, dst, dctx->s);
	*dctx = (struct poly1305_desc_ctx){};
EXPORT_SYMBOL(poly1305_final_arch);
/*
 * shash init: zero the descriptor so buflen and the rset/sset flags start
 * clear; the key itself arrives later through update (see
 * crypto_poly1305_setdctxkey()).
 *
 * NOTE(review): the braces and the return statement are not visible in this
 * listing.
 */
static int crypto_poly1305_init(struct shash_desc *desc)
	struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);

	*dctx = (struct poly1305_desc_ctx){};
/*
 * shash update: forwards to the library routine, which also handles the lazy
 * key setup.
 *
 * NOTE(review): the braces and the return statement are not visible in this
 * listing.
 */
static int crypto_poly1305_update(struct shash_desc *desc,
				  const u8 *src, unsigned int srclen)
	struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);

	poly1305_update_arch(dctx, src, srclen);
/*
 * shash final: refuses to emit a tag while the key is incomplete (sset clear),
 * otherwise finalizes through the library routine.
 *
 * NOTE(review): the statement taken when sset is clear (original line 241),
 * the final return and the braces are absent from this listing; the absent
 * statement is presumably an error return -- confirm, since falling through
 * would produce a tag under an unset key.
 */
static int crypto_poly1305_final(struct shash_desc *desc, u8 *dst)
	struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);

	if (unlikely(!dctx->sset))

	poly1305_final_arch(dctx, dst);
/*
 * shash registration. The descriptor is the same poly1305_desc_ctx the
 * library API uses, so both front ends share one state layout.
 *
 * NOTE(review): the cra_* members belong to the embedded struct crypto_alg,
 * whose ".base = {" designator is not visible in this listing; a line between
 * cra_driver_name and cra_blocksize (original line 256) and the closing
 * braces are absent as well.
 */
static struct shash_alg alg = {
	.digestsize	= POLY1305_DIGEST_SIZE,
	.init		= crypto_poly1305_init,
	.update		= crypto_poly1305_update,
	.final		= crypto_poly1305_final,
	.descsize	= sizeof(struct poly1305_desc_ctx),
	/* Generic name plus the driver name this implementation answers to. */
	.cra_name		= "poly1305",
	.cra_driver_name	= "poly1305-simd",
	.cra_blocksize		= POLY1305_BLOCK_SIZE,
	.cra_module		= THIS_MODULE,
/*
 * Pick the widest vector path that both the CPU and the kernel build support.
 * Each tier requires the lower tiers' feature bits plus the matching XSAVE
 * feature mask (cpu_has_xfeatures()). AVX-512 is additionally refused on
 * Skylake-X because of the zmm frequency penalty noted inline. The shash is
 * registered only when the hash API is reachable.
 *
 * Returns the crypto_register_shash() result, or 0 when CONFIG_CRYPTO_HASH is
 * not reachable.
 *
 * NOTE(review): braces are not visible in this listing. The Skylake-X check
 * compares x86_model alone without a vendor test; a coinciding model number
 * on another vendor would merely lose AVX-512, so the effect is benign.
 */
static int __init poly1305_simd_mod_init(void)
	if (IS_ENABLED(CONFIG_AS_AVX) && boot_cpu_has(X86_FEATURE_AVX) &&
	    cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
		static_branch_enable(&poly1305_use_avx);
	if (IS_ENABLED(CONFIG_AS_AVX2) && boot_cpu_has(X86_FEATURE_AVX) &&
	    boot_cpu_has(X86_FEATURE_AVX2) &&
	    cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
		static_branch_enable(&poly1305_use_avx2);
	if (IS_ENABLED(CONFIG_AS_AVX512) && boot_cpu_has(X86_FEATURE_AVX) &&
	    boot_cpu_has(X86_FEATURE_AVX2) && boot_cpu_has(X86_FEATURE_AVX512F) &&
	    cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM | XFEATURE_MASK_AVX512, NULL) &&
	    /* Skylake downclocks unacceptably much when using zmm, but later generations are fast. */
	    boot_cpu_data.x86_model != INTEL_FAM6_SKYLAKE_X)
		static_branch_enable(&poly1305_use_avx512);
	return IS_REACHABLE(CONFIG_CRYPTO_HASH) ? crypto_register_shash(&alg) : 0;
/*
 * Mirror of the registration in poly1305_simd_mod_init(): unregister only
 * when the hash API was reachable and the shash was therefore registered.
 *
 * NOTE(review): braces are not visible in this listing.
 */
static void __exit poly1305_simd_mod_exit(void)
	if (IS_REACHABLE(CONFIG_CRYPTO_HASH))
		crypto_unregister_shash(&alg);
module_init(poly1305_simd_mod_init);
module_exit(poly1305_simd_mod_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
MODULE_DESCRIPTION("Poly1305 authenticator");
/* Both the generic and the driver name resolve to this module on demand. */
MODULE_ALIAS_CRYPTO("poly1305");
MODULE_ALIAS_CRYPTO("poly1305-simd");