]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commitdiff
crypto: inside-secure - Added support for basic AES-CCM
authorPascal van Leeuwen <pascalvanl@gmail.com>
Fri, 30 Aug 2019 07:52:33 +0000 (09:52 +0200)
committerHerbert Xu <herbert@gondor.apana.org.au>
Thu, 5 Sep 2019 04:37:30 +0000 (14:37 +1000)
This patch adds support for the basic AES-CCM AEAD cipher suite.

Signed-off-by: Pascal van Leeuwen <pvanleeuwen@verimatrix.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
drivers/crypto/inside-secure/safexcel.c
drivers/crypto/inside-secure/safexcel.h
drivers/crypto/inside-secure/safexcel_cipher.c

index 5ad4feb07b6f1c20da7bfbfc15506c548e94446b..5d648ee5f0b06a09d36a76c7355d78c4dcbd1647 100644 (file)
@@ -715,8 +715,7 @@ inline int safexcel_rdesc_check_errors(struct safexcel_crypto_priv *priv,
        } else if (rdesc->result_data.error_code & BIT(9)) {
                /* Authentication failed */
                return -EBADMSG;
-       } else if (!rdesc->result_data.error_code)
-               return 0;
+       }
 
        /* All other non-fatal errors */
        return -EINVAL;
@@ -1009,6 +1008,7 @@ static struct safexcel_alg_template *safexcel_algs[] = {
        &safexcel_alg_authenc_hmac_sha512_ctr_aes,
        &safexcel_alg_xts_aes,
        &safexcel_alg_gcm,
+       &safexcel_alg_ccm,
 };
 
 static int safexcel_register_algorithms(struct safexcel_crypto_priv *priv)
index 0eb344534f362561a83a555b3990ddec15bcdbfc..1407804b66b7fe181f849e826cd0ecba7b3bed5c 100644 (file)
@@ -19,7 +19,7 @@
 
 /* Static configuration */
 #define EIP197_DEFAULT_RING_SIZE               400
-#define EIP197_MAX_TOKENS                      10
+#define EIP197_MAX_TOKENS                      18
 #define EIP197_MAX_RINGS                       4
 #define EIP197_FETCH_COUNT                     1
 #define EIP197_MAX_BATCH_SZ                    64
@@ -330,6 +330,9 @@ struct safexcel_context_record {
 #define CONTEXT_CONTROL_CRYPTO_ALG_SHA384      (0x6 << 23)
 #define CONTEXT_CONTROL_CRYPTO_ALG_SHA512      (0x5 << 23)
 #define CONTEXT_CONTROL_CRYPTO_ALG_GHASH       (0x4 << 23)
+#define CONTEXT_CONTROL_CRYPTO_ALG_XCBC128     (0x1 << 23)
+#define CONTEXT_CONTROL_CRYPTO_ALG_XCBC192     (0x2 << 23)
+#define CONTEXT_CONTROL_CRYPTO_ALG_XCBC256     (0x3 << 23)
 #define CONTEXT_CONTROL_INV_FR                 (0x5 << 24)
 #define CONTEXT_CONTROL_INV_TR                 (0x6 << 24)
 
@@ -350,6 +353,9 @@ struct safexcel_context_record {
 #define CONTEXT_CONTROL_CRYPTO_STORE           BIT(12)
 #define CONTEXT_CONTROL_HASH_STORE             BIT(19)
 
+#define EIP197_XCM_MODE_GCM                    1
+#define EIP197_XCM_MODE_CCM                    2
+
 /* The hash counter given to the engine in the context has a granularity of
  * 64 bits.
  */
@@ -464,6 +470,7 @@ static inline void eip197_noop_token(struct safexcel_token *token)
 /* Instructions */
 #define EIP197_TOKEN_INS_INSERT_HASH_DIGEST    0x1c
 #define EIP197_TOKEN_INS_ORIGIN_IV0            0x14
+#define EIP197_TOKEN_INS_ORIGIN_TOKEN          0x1b
 #define EIP197_TOKEN_INS_ORIGIN_LEN(x)         ((x) << 5)
 #define EIP197_TOKEN_INS_TYPE_OUTPUT           BIT(5)
 #define EIP197_TOKEN_INS_TYPE_HASH             BIT(6)
@@ -797,5 +804,6 @@ extern struct safexcel_alg_template safexcel_alg_authenc_hmac_sha384_ctr_aes;
 extern struct safexcel_alg_template safexcel_alg_authenc_hmac_sha512_ctr_aes;
 extern struct safexcel_alg_template safexcel_alg_xts_aes;
 extern struct safexcel_alg_template safexcel_alg_gcm;
+extern struct safexcel_alg_template safexcel_alg_ccm;
 
 #endif
index 7a1e78518871a98e8d3914b24cfaeecb7063c367..ef51f8c2b473ba8c914a1d6258c7602697e96676 100644 (file)
@@ -81,7 +81,7 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
                cdesc->control_data.token[3] = cpu_to_be32(1);
 
                return;
-       } else if (ctx->mode == CONTEXT_CONTROL_CRYPTO_MODE_XCM) {
+       } else if (ctx->xcm == EIP197_XCM_MODE_GCM) {
                cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
 
                /* 96 bit IV part */
@@ -89,6 +89,16 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
                /* 32 bit counter, start at 1 (big endian!) */
                cdesc->control_data.token[3] = cpu_to_be32(1);
 
+               return;
+       } else if (ctx->xcm == EIP197_XCM_MODE_CCM) {
+               cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
+
+               /* Variable length IV part */
+               memcpy(&cdesc->control_data.token[0], iv, 15 - iv[0]);
+               /* Start variable length counter at 0 */
+               memset((u8 *)&cdesc->control_data.token[0] + 15 - iv[0],
+                      0, iv[0] + 1);
+
                return;
        }
 
@@ -143,67 +153,117 @@ static void safexcel_aead_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
        if (direction == SAFEXCEL_ENCRYPT) {
                /* align end of instruction sequence to end of token */
                token = (struct safexcel_token *)(cdesc->control_data.token +
-                        EIP197_MAX_TOKENS - 5);
-
-               token[4].opcode = EIP197_TOKEN_OPCODE_INSERT;
-               token[4].packet_length = digestsize;
-               token[4].stat = EIP197_TOKEN_STAT_LAST_HASH |
-                               EIP197_TOKEN_STAT_LAST_PACKET;
-               token[4].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT |
-                                       EIP197_TOKEN_INS_INSERT_HASH_DIGEST;
+                        EIP197_MAX_TOKENS - 13);
+
+               token[12].opcode = EIP197_TOKEN_OPCODE_INSERT;
+               token[12].packet_length = digestsize;
+               token[12].stat = EIP197_TOKEN_STAT_LAST_HASH |
+                                EIP197_TOKEN_STAT_LAST_PACKET;
+               token[12].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT |
+                                        EIP197_TOKEN_INS_INSERT_HASH_DIGEST;
        } else {
                cryptlen -= digestsize;
 
                /* align end of instruction sequence to end of token */
                token = (struct safexcel_token *)(cdesc->control_data.token +
-                        EIP197_MAX_TOKENS - 6);
-
-               token[4].opcode = EIP197_TOKEN_OPCODE_RETRIEVE;
-               token[4].packet_length = digestsize;
-               token[4].stat = EIP197_TOKEN_STAT_LAST_HASH |
-                               EIP197_TOKEN_STAT_LAST_PACKET;
-               token[4].instructions = EIP197_TOKEN_INS_INSERT_HASH_DIGEST;
-
-               token[5].opcode = EIP197_TOKEN_OPCODE_VERIFY;
-               token[5].packet_length = digestsize |
-                                        EIP197_TOKEN_HASH_RESULT_VERIFY;
-               token[5].stat = EIP197_TOKEN_STAT_LAST_HASH |
-                               EIP197_TOKEN_STAT_LAST_PACKET;
-               token[5].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT;
+                        EIP197_MAX_TOKENS - 14);
+
+               token[12].opcode = EIP197_TOKEN_OPCODE_RETRIEVE;
+               token[12].packet_length = digestsize;
+               token[12].stat = EIP197_TOKEN_STAT_LAST_HASH |
+                                EIP197_TOKEN_STAT_LAST_PACKET;
+               token[12].instructions = EIP197_TOKEN_INS_INSERT_HASH_DIGEST;
+
+               token[13].opcode = EIP197_TOKEN_OPCODE_VERIFY;
+               token[13].packet_length = digestsize |
+                                         EIP197_TOKEN_HASH_RESULT_VERIFY;
+               token[13].stat = EIP197_TOKEN_STAT_LAST_HASH |
+                                EIP197_TOKEN_STAT_LAST_PACKET;
+               token[13].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT;
        }
 
-       token[0].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
-       token[0].packet_length = assoclen;
+       token[6].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
+       token[6].packet_length = assoclen;
 
        if (likely(cryptlen)) {
-               token[0].instructions = EIP197_TOKEN_INS_TYPE_HASH;
-
-               token[3].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
-               token[3].packet_length = cryptlen;
-               token[3].stat = EIP197_TOKEN_STAT_LAST_HASH;
-               token[3].instructions = EIP197_TOKEN_INS_LAST |
-                                       EIP197_TOKEN_INS_TYPE_CRYPTO |
-                                       EIP197_TOKEN_INS_TYPE_HASH |
-                                       EIP197_TOKEN_INS_TYPE_OUTPUT;
-       } else {
-               token[0].stat = EIP197_TOKEN_STAT_LAST_HASH;
-               token[0].instructions = EIP197_TOKEN_INS_LAST |
+               token[6].instructions = EIP197_TOKEN_INS_TYPE_HASH;
+
+               token[10].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
+               token[10].packet_length = cryptlen;
+               token[10].stat = EIP197_TOKEN_STAT_LAST_HASH;
+               token[10].instructions = EIP197_TOKEN_INS_LAST |
+                                        EIP197_TOKEN_INS_TYPE_CRYPTO |
+                                        EIP197_TOKEN_INS_TYPE_HASH |
+                                        EIP197_TOKEN_INS_TYPE_OUTPUT;
+       } else if (ctx->xcm != EIP197_XCM_MODE_CCM) {
+               token[6].stat = EIP197_TOKEN_STAT_LAST_HASH;
+               token[6].instructions = EIP197_TOKEN_INS_LAST |
                                        EIP197_TOKEN_INS_TYPE_HASH;
        }
 
-       if (ctx->xcm) {
-               token[0].instructions = EIP197_TOKEN_INS_LAST |
+       if (!ctx->xcm)
+               return;
+
+       token[8].opcode = EIP197_TOKEN_OPCODE_INSERT_REMRES;
+       token[8].packet_length = 0;
+       token[8].instructions = AES_BLOCK_SIZE;
+
+       token[9].opcode = EIP197_TOKEN_OPCODE_INSERT;
+       token[9].packet_length = AES_BLOCK_SIZE;
+       token[9].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT |
+                               EIP197_TOKEN_INS_TYPE_CRYPTO;
+
+       if (ctx->xcm == EIP197_XCM_MODE_GCM) {
+               token[6].instructions = EIP197_TOKEN_INS_LAST |
                                        EIP197_TOKEN_INS_TYPE_HASH;
+       } else {
+               u8 *cbcmaciv = (u8 *)&token[1];
+               u32 *aadlen = (u32 *)&token[5];
+
+               /* Construct IV block B0 for the CBC-MAC */
+               token[0].opcode = EIP197_TOKEN_OPCODE_INSERT;
+               token[0].packet_length = AES_BLOCK_SIZE +
+                                        ((assoclen > 0) << 1);
+               token[0].instructions = EIP197_TOKEN_INS_ORIGIN_TOKEN |
+                                       EIP197_TOKEN_INS_TYPE_HASH;
+               /* Variable length IV part */
+               memcpy(cbcmaciv, iv, 15 - iv[0]);
+               /* fixup flags byte */
+               cbcmaciv[0] |= ((assoclen > 0) << 6) | ((digestsize - 2) << 2);
+               /* Clear upper bytes of variable message length to 0 */
+               memset(cbcmaciv + 15 - iv[0], 0, iv[0] - 1);
+               /* insert lower 2 bytes of message length */
+               cbcmaciv[14] = cryptlen >> 8;
+               cbcmaciv[15] = cryptlen & 255;
 
-               token[1].opcode = EIP197_TOKEN_OPCODE_INSERT_REMRES;
-               token[1].packet_length = 0;
-               token[1].stat = EIP197_TOKEN_STAT_LAST_HASH;
-               token[1].instructions = AES_BLOCK_SIZE;
+               if (assoclen) {
+                       *aadlen = cpu_to_le32(cpu_to_be16(assoclen));
+                       assoclen += 2;
+               }
 
-               token[2].opcode = EIP197_TOKEN_OPCODE_INSERT;
-               token[2].packet_length = AES_BLOCK_SIZE;
-               token[2].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT |
-                                       EIP197_TOKEN_INS_TYPE_CRYPTO;
+               token[6].instructions = EIP197_TOKEN_INS_TYPE_HASH;
+
+               /* Align AAD data towards hash engine */
+               token[7].opcode = EIP197_TOKEN_OPCODE_INSERT;
+               assoclen &= 15;
+               token[7].packet_length = assoclen ? 16 - assoclen : 0;
+
+               if (likely(cryptlen)) {
+                       token[7].instructions = EIP197_TOKEN_INS_TYPE_HASH;
+
+                       /* Align crypto data towards hash engine */
+                       token[10].stat = 0;
+
+                       token[11].opcode = EIP197_TOKEN_OPCODE_INSERT;
+                       cryptlen &= 15;
+                       token[11].packet_length = cryptlen ? 16 - cryptlen : 0;
+                       token[11].stat = EIP197_TOKEN_STAT_LAST_HASH;
+                       token[11].instructions = EIP197_TOKEN_INS_TYPE_HASH;
+               } else {
+                       token[7].stat = EIP197_TOKEN_STAT_LAST_HASH;
+                       token[7].instructions = EIP197_TOKEN_INS_LAST |
+                                               EIP197_TOKEN_INS_TYPE_HASH;
+               }
        }
 }
 
@@ -373,10 +433,15 @@ static int safexcel_context_control(struct safexcel_cipher_ctx *ctx,
                }
                if (sreq->direction == SAFEXCEL_ENCRYPT)
                        cdesc->control_data.control0 |=
-                               CONTEXT_CONTROL_TYPE_ENCRYPT_HASH_OUT;
+                               (ctx->xcm == EIP197_XCM_MODE_CCM) ?
+                                       CONTEXT_CONTROL_TYPE_HASH_ENCRYPT_OUT :
+                                       CONTEXT_CONTROL_TYPE_ENCRYPT_HASH_OUT;
+
                else
                        cdesc->control_data.control0 |=
-                               CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN;
+                               (ctx->xcm == EIP197_XCM_MODE_CCM) ?
+                                       CONTEXT_CONTROL_TYPE_DECRYPT_HASH_IN :
+                                       CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN;
        } else {
                if (sreq->direction == SAFEXCEL_ENCRYPT)
                        cdesc->control_data.control0 =
@@ -2066,7 +2131,7 @@ static int safexcel_aead_gcm_cra_init(struct crypto_tfm *tfm)
        safexcel_aead_cra_init(tfm);
        ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_GHASH;
        ctx->state_sz = GHASH_BLOCK_SIZE;
-       ctx->xcm = 1; /* GCM */
+       ctx->xcm = EIP197_XCM_MODE_GCM;
        ctx->mode = CONTEXT_CONTROL_CRYPTO_MODE_XCM; /* override default */
 
        ctx->hkaes = crypto_alloc_cipher("aes", 0, 0);
@@ -2115,3 +2180,126 @@ struct safexcel_alg_template safexcel_alg_gcm = {
                },
        },
 };
+
+static int safexcel_aead_ccm_setkey(struct crypto_aead *ctfm, const u8 *key,
+                                   unsigned int len)
+{
+       struct crypto_tfm *tfm = crypto_aead_tfm(ctfm);
+       struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
+       struct safexcel_crypto_priv *priv = ctx->priv;
+       struct crypto_aes_ctx aes;
+       int ret, i;
+
+       ret = aes_expandkey(&aes, key, len);
+       if (ret) {
+               crypto_aead_set_flags(ctfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+               memzero_explicit(&aes, sizeof(aes));
+               return ret;
+       }
+
+       if (priv->flags & EIP197_TRC_CACHE && ctx->base.ctxr_dma) {
+               for (i = 0; i < len / sizeof(u32); i++) {
+                       if (ctx->key[i] != cpu_to_le32(aes.key_enc[i])) {
+                               ctx->base.needs_inv = true;
+                               break;
+                       }
+               }
+       }
+
+       for (i = 0; i < len / sizeof(u32); i++) {
+               ctx->key[i] = cpu_to_le32(aes.key_enc[i]);
+               ctx->ipad[i + 2 * AES_BLOCK_SIZE / sizeof(u32)] =
+                       cpu_to_be32(aes.key_enc[i]);
+       }
+
+       ctx->key_len = len;
+       ctx->state_sz = 2 * AES_BLOCK_SIZE + len;
+
+       if (len == AES_KEYSIZE_192)
+               ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC192;
+       else if (len == AES_KEYSIZE_256)
+               ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC256;
+       else
+               ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC128;
+
+       memzero_explicit(&aes, sizeof(aes));
+       return 0;
+}
+
+static int safexcel_aead_ccm_cra_init(struct crypto_tfm *tfm)
+{
+       struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
+
+       safexcel_aead_cra_init(tfm);
+       ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC128;
+       ctx->state_sz = 3 * AES_BLOCK_SIZE;
+       ctx->xcm = EIP197_XCM_MODE_CCM;
+       ctx->mode = CONTEXT_CONTROL_CRYPTO_MODE_XCM; /* override default */
+       return 0;
+}
+
+static int safexcel_aead_ccm_setauthsize(struct crypto_aead *tfm,
+                                        unsigned int authsize)
+{
+       /* Borrowed from crypto/ccm.c */
+       switch (authsize) {
+       case 4:
+       case 6:
+       case 8:
+       case 10:
+       case 12:
+       case 14:
+       case 16:
+               break;
+       default:
+               return -EINVAL;
+       }
+
+       return 0;
+}
+
+static int safexcel_ccm_encrypt(struct aead_request *req)
+{
+       struct safexcel_cipher_req *creq = aead_request_ctx(req);
+
+       if (req->iv[0] < 1 || req->iv[0] > 7)
+               return -EINVAL;
+
+       return safexcel_queue_req(&req->base, creq, SAFEXCEL_ENCRYPT);
+}
+
+static int safexcel_ccm_decrypt(struct aead_request *req)
+{
+       struct safexcel_cipher_req *creq = aead_request_ctx(req);
+
+       if (req->iv[0] < 1 || req->iv[0] > 7)
+               return -EINVAL;
+
+       return safexcel_queue_req(&req->base, creq, SAFEXCEL_DECRYPT);
+}
+
+struct safexcel_alg_template safexcel_alg_ccm = {
+       .type = SAFEXCEL_ALG_TYPE_AEAD,
+       .algo_mask = SAFEXCEL_ALG_AES | SAFEXCEL_ALG_CBC_MAC_ALL,
+       .alg.aead = {
+               .setkey = safexcel_aead_ccm_setkey,
+               .setauthsize = safexcel_aead_ccm_setauthsize,
+               .encrypt = safexcel_ccm_encrypt,
+               .decrypt = safexcel_ccm_decrypt,
+               .ivsize = AES_BLOCK_SIZE,
+               .maxauthsize = AES_BLOCK_SIZE,
+               .base = {
+                       .cra_name = "ccm(aes)",
+                       .cra_driver_name = "safexcel-ccm-aes",
+                       .cra_priority = SAFEXCEL_CRA_PRIORITY,
+                       .cra_flags = CRYPTO_ALG_ASYNC |
+                                    CRYPTO_ALG_KERN_DRIVER_ONLY,
+                       .cra_blocksize = 1,
+                       .cra_ctxsize = sizeof(struct safexcel_cipher_ctx),
+                       .cra_alignmask = 0,
+                       .cra_init = safexcel_aead_ccm_cra_init,
+                       .cra_exit = safexcel_aead_cra_exit,
+                       .cra_module = THIS_MODULE,
+               },
+       },
+};