crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}
Add implementations of AES-ECB, AES-CBC, AES-CTR, and AES-XTS, as well
as bare (single-block) AES, using the RISC-V vector crypto extensions.
The assembly code is derived from OpenSSL code (openssl/openssl#21923)
that was dual-licensed so that it could be reused in the kernel.
Nevertheless, the assembly has been significantly reworked for
integration with the kernel, for example by using regular .S files
instead of the so-called perlasm, using the assembler instead of bare
'.inst', greatly reducing code duplication, supporting AES-192, and
making the code use the same AES key structure as the C code.
Co-developed-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20240122002024.27477-5-ebiggers@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2024-01-22 00:19:15 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
/*
|
|
|
|
* AES using the RISC-V vector crypto extensions. Includes the bare block
|
2024-02-13 05:54:42 +00:00
|
|
|
* cipher and the ECB, CBC, CBC-CTS, CTR, and XTS modes.
|
crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}
Add implementations of AES-ECB, AES-CBC, AES-CTR, and AES-XTS, as well
as bare (single-block) AES, using the RISC-V vector crypto extensions.
The assembly code is derived from OpenSSL code (openssl/openssl#21923)
that was dual-licensed so that it could be reused in the kernel.
Nevertheless, the assembly has been significantly reworked for
integration with the kernel, for example by using regular .S files
instead of the so-called perlasm, using the assembler instead of bare
'.inst', greatly reducing code duplication, supporting AES-192, and
making the code use the same AES key structure as the C code.
Co-developed-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20240122002024.27477-5-ebiggers@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2024-01-22 00:19:15 +00:00
|
|
|
*
|
|
|
|
* Copyright (C) 2023 VRULL GmbH
|
|
|
|
* Author: Heiko Stuebner <heiko.stuebner@vrull.eu>
|
|
|
|
*
|
|
|
|
* Copyright (C) 2023 SiFive, Inc.
|
|
|
|
* Author: Jerry Shih <jerry.shih@sifive.com>
|
2024-02-13 05:54:42 +00:00
|
|
|
*
|
|
|
|
* Copyright 2024 Google LLC
|
crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}
Add implementations of AES-ECB, AES-CBC, AES-CTR, and AES-XTS, as well
as bare (single-block) AES, using the RISC-V vector crypto extensions.
The assembly code is derived from OpenSSL code (openssl/openssl#21923)
that was dual-licensed so that it could be reused in the kernel.
Nevertheless, the assembly has been significantly reworked for
integration with the kernel, for example by using regular .S files
instead of the so-called perlasm, using the assembler instead of bare
'.inst', greatly reducing code duplication, supporting AES-192, and
making the code use the same AES key structure as the C code.
Co-developed-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20240122002024.27477-5-ebiggers@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2024-01-22 00:19:15 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <asm/simd.h>
|
|
|
|
#include <asm/vector.h>
|
|
|
|
#include <crypto/aes.h>
|
|
|
|
#include <crypto/internal/cipher.h>
|
|
|
|
#include <crypto/internal/simd.h>
|
|
|
|
#include <crypto/internal/skcipher.h>
|
|
|
|
#include <crypto/scatterwalk.h>
|
|
|
|
#include <crypto/xts.h>
|
|
|
|
#include <linux/linkage.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
|
|
|
asmlinkage void aes_encrypt_zvkned(const struct crypto_aes_ctx *key,
|
|
|
|
const u8 in[AES_BLOCK_SIZE],
|
|
|
|
u8 out[AES_BLOCK_SIZE]);
|
|
|
|
asmlinkage void aes_decrypt_zvkned(const struct crypto_aes_ctx *key,
|
|
|
|
const u8 in[AES_BLOCK_SIZE],
|
|
|
|
u8 out[AES_BLOCK_SIZE]);
|
|
|
|
|
|
|
|
asmlinkage void aes_ecb_encrypt_zvkned(const struct crypto_aes_ctx *key,
|
|
|
|
const u8 *in, u8 *out, size_t len);
|
|
|
|
asmlinkage void aes_ecb_decrypt_zvkned(const struct crypto_aes_ctx *key,
|
|
|
|
const u8 *in, u8 *out, size_t len);
|
|
|
|
|
|
|
|
asmlinkage void aes_cbc_encrypt_zvkned(const struct crypto_aes_ctx *key,
|
|
|
|
const u8 *in, u8 *out, size_t len,
|
|
|
|
u8 iv[AES_BLOCK_SIZE]);
|
|
|
|
asmlinkage void aes_cbc_decrypt_zvkned(const struct crypto_aes_ctx *key,
|
|
|
|
const u8 *in, u8 *out, size_t len,
|
|
|
|
u8 iv[AES_BLOCK_SIZE]);
|
|
|
|
|
2024-02-13 05:54:42 +00:00
|
|
|
asmlinkage void aes_cbc_cts_crypt_zvkned(const struct crypto_aes_ctx *key,
|
|
|
|
const u8 *in, u8 *out, size_t len,
|
|
|
|
const u8 iv[AES_BLOCK_SIZE], bool enc);
|
|
|
|
|
crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}
Add implementations of AES-ECB, AES-CBC, AES-CTR, and AES-XTS, as well
as bare (single-block) AES, using the RISC-V vector crypto extensions.
The assembly code is derived from OpenSSL code (openssl/openssl#21923)
that was dual-licensed so that it could be reused in the kernel.
Nevertheless, the assembly has been significantly reworked for
integration with the kernel, for example by using regular .S files
instead of the so-called perlasm, using the assembler instead of bare
'.inst', greatly reducing code duplication, supporting AES-192, and
making the code use the same AES key structure as the C code.
Co-developed-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20240122002024.27477-5-ebiggers@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2024-01-22 00:19:15 +00:00
|
|
|
asmlinkage void aes_ctr32_crypt_zvkned_zvkb(const struct crypto_aes_ctx *key,
|
|
|
|
const u8 *in, u8 *out, size_t len,
|
|
|
|
u8 iv[AES_BLOCK_SIZE]);
|
|
|
|
|
|
|
|
asmlinkage void aes_xts_encrypt_zvkned_zvbb_zvkg(
|
|
|
|
const struct crypto_aes_ctx *key,
|
|
|
|
const u8 *in, u8 *out, size_t len,
|
|
|
|
u8 tweak[AES_BLOCK_SIZE]);
|
|
|
|
|
|
|
|
asmlinkage void aes_xts_decrypt_zvkned_zvbb_zvkg(
|
|
|
|
const struct crypto_aes_ctx *key,
|
|
|
|
const u8 *in, u8 *out, size_t len,
|
|
|
|
u8 tweak[AES_BLOCK_SIZE]);
|
|
|
|
|
|
|
|
static int riscv64_aes_setkey(struct crypto_aes_ctx *ctx,
|
|
|
|
const u8 *key, unsigned int keylen)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* For now we just use the generic key expansion, for these reasons:
|
|
|
|
*
|
|
|
|
* - zvkned's key expansion instructions don't support AES-192.
|
|
|
|
* So, non-zvkned fallback code would be needed anyway.
|
|
|
|
*
|
|
|
|
* - Users of AES in Linux usually don't change keys frequently.
|
|
|
|
* So, key expansion isn't performance-critical.
|
|
|
|
*
|
|
|
|
* - For single-block AES exposed as a "cipher" algorithm, it's
|
|
|
|
* necessary to use struct crypto_aes_ctx and initialize its 'key_dec'
|
|
|
|
* field with the round keys for the Equivalent Inverse Cipher. This
|
|
|
|
* is because with "cipher", decryption can be requested from a
|
|
|
|
* context where the vector unit isn't usable, necessitating a
|
|
|
|
* fallback to aes_decrypt(). But, zvkned can only generate and use
|
|
|
|
* the normal round keys. Of course, it's preferable to not have
|
|
|
|
* special code just for "cipher", as e.g. XTS also uses a
|
|
|
|
* single-block AES encryption. It's simplest to just use
|
|
|
|
* struct crypto_aes_ctx and aes_expandkey() everywhere.
|
|
|
|
*/
|
|
|
|
return aes_expandkey(ctx, key, keylen);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_setkey_cipher(struct crypto_tfm *tfm,
|
|
|
|
const u8 *key, unsigned int keylen)
|
|
|
|
{
|
|
|
|
struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
|
|
|
|
|
|
|
|
return riscv64_aes_setkey(ctx, key, keylen);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_setkey_skcipher(struct crypto_skcipher *tfm,
|
|
|
|
const u8 *key, unsigned int keylen)
|
|
|
|
{
|
|
|
|
struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
|
|
|
|
|
|
|
|
return riscv64_aes_setkey(ctx, key, keylen);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Bare AES, without a mode of operation */
|
|
|
|
|
|
|
|
static void riscv64_aes_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
|
|
|
|
{
|
|
|
|
const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
|
|
|
|
|
|
|
|
if (crypto_simd_usable()) {
|
|
|
|
kernel_vector_begin();
|
|
|
|
aes_encrypt_zvkned(ctx, src, dst);
|
|
|
|
kernel_vector_end();
|
|
|
|
} else {
|
|
|
|
aes_encrypt(ctx, dst, src);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void riscv64_aes_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
|
|
|
|
{
|
|
|
|
const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
|
|
|
|
|
|
|
|
if (crypto_simd_usable()) {
|
|
|
|
kernel_vector_begin();
|
|
|
|
aes_decrypt_zvkned(ctx, src, dst);
|
|
|
|
kernel_vector_end();
|
|
|
|
} else {
|
|
|
|
aes_decrypt(ctx, dst, src);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* AES-ECB */
|
|
|
|
|
|
|
|
static inline int riscv64_aes_ecb_crypt(struct skcipher_request *req, bool enc)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
|
|
|
|
const struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
|
|
|
|
struct skcipher_walk walk;
|
|
|
|
unsigned int nbytes;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = skcipher_walk_virt(&walk, req, false);
|
|
|
|
while ((nbytes = walk.nbytes) != 0) {
|
|
|
|
kernel_vector_begin();
|
|
|
|
if (enc)
|
|
|
|
aes_ecb_encrypt_zvkned(ctx, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr,
|
|
|
|
nbytes & ~(AES_BLOCK_SIZE - 1));
|
|
|
|
else
|
|
|
|
aes_ecb_decrypt_zvkned(ctx, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr,
|
|
|
|
nbytes & ~(AES_BLOCK_SIZE - 1));
|
|
|
|
kernel_vector_end();
|
|
|
|
err = skcipher_walk_done(&walk, nbytes & (AES_BLOCK_SIZE - 1));
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_ecb_encrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
return riscv64_aes_ecb_crypt(req, true);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_ecb_decrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
return riscv64_aes_ecb_crypt(req, false);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* AES-CBC */
|
|
|
|
|
2024-02-13 05:54:42 +00:00
|
|
|
static int riscv64_aes_cbc_crypt(struct skcipher_request *req, bool enc)
|
crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}
Add implementations of AES-ECB, AES-CBC, AES-CTR, and AES-XTS, as well
as bare (single-block) AES, using the RISC-V vector crypto extensions.
The assembly code is derived from OpenSSL code (openssl/openssl#21923)
that was dual-licensed so that it could be reused in the kernel.
Nevertheless, the assembly has been significantly reworked for
integration with the kernel, for example by using regular .S files
instead of the so-called perlasm, using the assembler instead of bare
'.inst', greatly reducing code duplication, supporting AES-192, and
making the code use the same AES key structure as the C code.
Co-developed-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20240122002024.27477-5-ebiggers@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2024-01-22 00:19:15 +00:00
|
|
|
{
|
|
|
|
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
|
|
|
|
const struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
|
|
|
|
struct skcipher_walk walk;
|
|
|
|
unsigned int nbytes;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = skcipher_walk_virt(&walk, req, false);
|
|
|
|
while ((nbytes = walk.nbytes) != 0) {
|
|
|
|
kernel_vector_begin();
|
|
|
|
if (enc)
|
|
|
|
aes_cbc_encrypt_zvkned(ctx, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr,
|
|
|
|
nbytes & ~(AES_BLOCK_SIZE - 1),
|
|
|
|
walk.iv);
|
|
|
|
else
|
|
|
|
aes_cbc_decrypt_zvkned(ctx, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr,
|
|
|
|
nbytes & ~(AES_BLOCK_SIZE - 1),
|
|
|
|
walk.iv);
|
|
|
|
kernel_vector_end();
|
|
|
|
err = skcipher_walk_done(&walk, nbytes & (AES_BLOCK_SIZE - 1));
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_cbc_encrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
return riscv64_aes_cbc_crypt(req, true);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_cbc_decrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
return riscv64_aes_cbc_crypt(req, false);
|
|
|
|
}
|
|
|
|
|
2024-02-13 05:54:42 +00:00
|
|
|
/* AES-CBC-CTS */
|
|
|
|
|
|
|
|
static int riscv64_aes_cbc_cts_crypt(struct skcipher_request *req, bool enc)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
|
|
|
|
const struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
|
|
|
|
struct scatterlist sg_src[2], sg_dst[2];
|
|
|
|
struct skcipher_request subreq;
|
|
|
|
struct scatterlist *src, *dst;
|
|
|
|
struct skcipher_walk walk;
|
|
|
|
unsigned int cbc_len;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (req->cryptlen < AES_BLOCK_SIZE)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
err = skcipher_walk_virt(&walk, req, false);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
/*
|
|
|
|
* If the full message is available in one step, decrypt it in one call
|
|
|
|
* to the CBC-CTS assembly function. This reduces overhead, especially
|
|
|
|
* on short messages. Otherwise, fall back to doing CBC up to the last
|
|
|
|
* two blocks, then invoke CTS just for the ciphertext stealing.
|
|
|
|
*/
|
|
|
|
if (unlikely(walk.nbytes != req->cryptlen)) {
|
|
|
|
cbc_len = round_down(req->cryptlen - AES_BLOCK_SIZE - 1,
|
|
|
|
AES_BLOCK_SIZE);
|
|
|
|
skcipher_walk_abort(&walk);
|
|
|
|
skcipher_request_set_tfm(&subreq, tfm);
|
|
|
|
skcipher_request_set_callback(&subreq,
|
|
|
|
skcipher_request_flags(req),
|
|
|
|
NULL, NULL);
|
|
|
|
skcipher_request_set_crypt(&subreq, req->src, req->dst,
|
|
|
|
cbc_len, req->iv);
|
|
|
|
err = riscv64_aes_cbc_crypt(&subreq, enc);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
dst = src = scatterwalk_ffwd(sg_src, req->src, cbc_len);
|
|
|
|
if (req->dst != req->src)
|
|
|
|
dst = scatterwalk_ffwd(sg_dst, req->dst, cbc_len);
|
|
|
|
skcipher_request_set_crypt(&subreq, src, dst,
|
|
|
|
req->cryptlen - cbc_len, req->iv);
|
|
|
|
err = skcipher_walk_virt(&walk, &subreq, false);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
kernel_vector_begin();
|
|
|
|
aes_cbc_cts_crypt_zvkned(ctx, walk.src.virt.addr, walk.dst.virt.addr,
|
|
|
|
walk.nbytes, req->iv, enc);
|
|
|
|
kernel_vector_end();
|
|
|
|
return skcipher_walk_done(&walk, 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_cbc_cts_encrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
return riscv64_aes_cbc_cts_crypt(req, true);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_cbc_cts_decrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
return riscv64_aes_cbc_cts_crypt(req, false);
|
|
|
|
}
|
|
|
|
|
crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}
Add implementations of AES-ECB, AES-CBC, AES-CTR, and AES-XTS, as well
as bare (single-block) AES, using the RISC-V vector crypto extensions.
The assembly code is derived from OpenSSL code (openssl/openssl#21923)
that was dual-licensed so that it could be reused in the kernel.
Nevertheless, the assembly has been significantly reworked for
integration with the kernel, for example by using regular .S files
instead of the so-called perlasm, using the assembler instead of bare
'.inst', greatly reducing code duplication, supporting AES-192, and
making the code use the same AES key structure as the C code.
Co-developed-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20240122002024.27477-5-ebiggers@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2024-01-22 00:19:15 +00:00
|
|
|
/* AES-CTR */
|
|
|
|
|
|
|
|
static int riscv64_aes_ctr_crypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
|
|
|
|
const struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
|
|
|
|
unsigned int nbytes, p1_nbytes;
|
|
|
|
struct skcipher_walk walk;
|
|
|
|
u32 ctr32, nblocks;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
/* Get the low 32-bit word of the 128-bit big endian counter. */
|
|
|
|
ctr32 = get_unaligned_be32(req->iv + 12);
|
|
|
|
|
|
|
|
err = skcipher_walk_virt(&walk, req, false);
|
|
|
|
while ((nbytes = walk.nbytes) != 0) {
|
|
|
|
if (nbytes < walk.total) {
|
|
|
|
/* Not the end yet, so keep the length block-aligned. */
|
|
|
|
nbytes = round_down(nbytes, AES_BLOCK_SIZE);
|
|
|
|
nblocks = nbytes / AES_BLOCK_SIZE;
|
|
|
|
} else {
|
|
|
|
/* It's the end, so include any final partial block. */
|
|
|
|
nblocks = DIV_ROUND_UP(nbytes, AES_BLOCK_SIZE);
|
|
|
|
}
|
|
|
|
ctr32 += nblocks;
|
|
|
|
|
|
|
|
kernel_vector_begin();
|
|
|
|
if (ctr32 >= nblocks) {
|
|
|
|
/* The low 32-bit word of the counter won't overflow. */
|
|
|
|
aes_ctr32_crypt_zvkned_zvkb(ctx, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr, nbytes,
|
|
|
|
req->iv);
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* The low 32-bit word of the counter will overflow.
|
|
|
|
* The assembly doesn't handle this case, so split the
|
|
|
|
* operation into two at the point where the overflow
|
|
|
|
* will occur. After the first part, add the carry bit.
|
|
|
|
*/
|
|
|
|
p1_nbytes = min_t(unsigned int, nbytes,
|
|
|
|
(nblocks - ctr32) * AES_BLOCK_SIZE);
|
|
|
|
aes_ctr32_crypt_zvkned_zvkb(ctx, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr,
|
|
|
|
p1_nbytes, req->iv);
|
|
|
|
crypto_inc(req->iv, 12);
|
|
|
|
|
|
|
|
if (ctr32) {
|
|
|
|
aes_ctr32_crypt_zvkned_zvkb(
|
|
|
|
ctx,
|
|
|
|
walk.src.virt.addr + p1_nbytes,
|
|
|
|
walk.dst.virt.addr + p1_nbytes,
|
|
|
|
nbytes - p1_nbytes, req->iv);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
kernel_vector_end();
|
|
|
|
|
|
|
|
err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* AES-XTS */
|
|
|
|
|
|
|
|
struct riscv64_aes_xts_ctx {
|
|
|
|
struct crypto_aes_ctx ctx1;
|
|
|
|
struct crypto_aes_ctx ctx2;
|
|
|
|
};
|
|
|
|
|
|
|
|
static int riscv64_aes_xts_setkey(struct crypto_skcipher *tfm, const u8 *key,
|
|
|
|
unsigned int keylen)
|
|
|
|
{
|
|
|
|
struct riscv64_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
|
|
|
|
|
|
|
|
return xts_verify_key(tfm, key, keylen) ?:
|
|
|
|
riscv64_aes_setkey(&ctx->ctx1, key, keylen / 2) ?:
|
|
|
|
riscv64_aes_setkey(&ctx->ctx2, key + keylen / 2, keylen / 2);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_xts_crypt(struct skcipher_request *req, bool enc)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
|
|
|
|
const struct riscv64_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
|
|
|
|
int tail = req->cryptlen % AES_BLOCK_SIZE;
|
|
|
|
struct scatterlist sg_src[2], sg_dst[2];
|
|
|
|
struct skcipher_request subreq;
|
|
|
|
struct scatterlist *src, *dst;
|
|
|
|
struct skcipher_walk walk;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (req->cryptlen < AES_BLOCK_SIZE)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* Encrypt the IV with the tweak key to get the first tweak. */
|
|
|
|
kernel_vector_begin();
|
|
|
|
aes_encrypt_zvkned(&ctx->ctx2, req->iv, req->iv);
|
|
|
|
kernel_vector_end();
|
|
|
|
|
|
|
|
err = skcipher_walk_virt(&walk, req, false);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If the message length isn't divisible by the AES block size and the
|
|
|
|
* full message isn't available in one step of the scatterlist walk,
|
|
|
|
* then separate off the last full block and the partial block. This
|
|
|
|
* ensures that they are processed in the same call to the assembly
|
|
|
|
* function, which is required for ciphertext stealing.
|
|
|
|
*/
|
|
|
|
if (unlikely(tail > 0 && walk.nbytes < walk.total)) {
|
|
|
|
skcipher_walk_abort(&walk);
|
|
|
|
|
|
|
|
skcipher_request_set_tfm(&subreq, tfm);
|
|
|
|
skcipher_request_set_callback(&subreq,
|
|
|
|
skcipher_request_flags(req),
|
|
|
|
NULL, NULL);
|
|
|
|
skcipher_request_set_crypt(&subreq, req->src, req->dst,
|
|
|
|
req->cryptlen - tail - AES_BLOCK_SIZE,
|
|
|
|
req->iv);
|
|
|
|
req = &subreq;
|
|
|
|
err = skcipher_walk_virt(&walk, req, false);
|
|
|
|
} else {
|
|
|
|
tail = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (walk.nbytes) {
|
|
|
|
unsigned int nbytes = walk.nbytes;
|
|
|
|
|
|
|
|
if (nbytes < walk.total)
|
|
|
|
nbytes = round_down(nbytes, AES_BLOCK_SIZE);
|
|
|
|
|
|
|
|
kernel_vector_begin();
|
|
|
|
if (enc)
|
|
|
|
aes_xts_encrypt_zvkned_zvbb_zvkg(
|
|
|
|
&ctx->ctx1, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr, nbytes, req->iv);
|
|
|
|
else
|
|
|
|
aes_xts_decrypt_zvkned_zvbb_zvkg(
|
|
|
|
&ctx->ctx1, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr, nbytes, req->iv);
|
|
|
|
kernel_vector_end();
|
|
|
|
err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (err || likely(!tail))
|
|
|
|
return err;
|
|
|
|
|
|
|
|
/* Do ciphertext stealing with the last full block and partial block. */
|
|
|
|
|
|
|
|
dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen);
|
|
|
|
if (req->dst != req->src)
|
|
|
|
dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen);
|
|
|
|
|
|
|
|
skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail,
|
|
|
|
req->iv);
|
|
|
|
|
|
|
|
err = skcipher_walk_virt(&walk, req, false);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
kernel_vector_begin();
|
|
|
|
if (enc)
|
|
|
|
aes_xts_encrypt_zvkned_zvbb_zvkg(
|
|
|
|
&ctx->ctx1, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr, walk.nbytes, req->iv);
|
|
|
|
else
|
|
|
|
aes_xts_decrypt_zvkned_zvbb_zvkg(
|
|
|
|
&ctx->ctx1, walk.src.virt.addr,
|
|
|
|
walk.dst.virt.addr, walk.nbytes, req->iv);
|
|
|
|
kernel_vector_end();
|
|
|
|
|
|
|
|
return skcipher_walk_done(&walk, 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_xts_encrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
return riscv64_aes_xts_crypt(req, true);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int riscv64_aes_xts_decrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
return riscv64_aes_xts_crypt(req, false);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Algorithm definitions */
|
|
|
|
|
|
|
|
static struct crypto_alg riscv64_zvkned_aes_cipher_alg = {
|
|
|
|
.cra_flags = CRYPTO_ALG_TYPE_CIPHER,
|
|
|
|
.cra_blocksize = AES_BLOCK_SIZE,
|
|
|
|
.cra_ctxsize = sizeof(struct crypto_aes_ctx),
|
|
|
|
.cra_priority = 300,
|
|
|
|
.cra_name = "aes",
|
|
|
|
.cra_driver_name = "aes-riscv64-zvkned",
|
|
|
|
.cra_cipher = {
|
|
|
|
.cia_min_keysize = AES_MIN_KEY_SIZE,
|
|
|
|
.cia_max_keysize = AES_MAX_KEY_SIZE,
|
|
|
|
.cia_setkey = riscv64_aes_setkey_cipher,
|
|
|
|
.cia_encrypt = riscv64_aes_encrypt,
|
|
|
|
.cia_decrypt = riscv64_aes_decrypt,
|
|
|
|
},
|
|
|
|
.cra_module = THIS_MODULE,
|
|
|
|
};
|
|
|
|
|
|
|
|
static struct skcipher_alg riscv64_zvkned_aes_skcipher_algs[] = {
|
|
|
|
{
|
|
|
|
.setkey = riscv64_aes_setkey_skcipher,
|
|
|
|
.encrypt = riscv64_aes_ecb_encrypt,
|
|
|
|
.decrypt = riscv64_aes_ecb_decrypt,
|
|
|
|
.min_keysize = AES_MIN_KEY_SIZE,
|
|
|
|
.max_keysize = AES_MAX_KEY_SIZE,
|
|
|
|
.walksize = 8 * AES_BLOCK_SIZE, /* matches LMUL=8 */
|
|
|
|
.base = {
|
|
|
|
.cra_blocksize = AES_BLOCK_SIZE,
|
|
|
|
.cra_ctxsize = sizeof(struct crypto_aes_ctx),
|
|
|
|
.cra_priority = 300,
|
|
|
|
.cra_name = "ecb(aes)",
|
|
|
|
.cra_driver_name = "ecb-aes-riscv64-zvkned",
|
|
|
|
.cra_module = THIS_MODULE,
|
|
|
|
},
|
|
|
|
}, {
|
|
|
|
.setkey = riscv64_aes_setkey_skcipher,
|
|
|
|
.encrypt = riscv64_aes_cbc_encrypt,
|
|
|
|
.decrypt = riscv64_aes_cbc_decrypt,
|
|
|
|
.min_keysize = AES_MIN_KEY_SIZE,
|
|
|
|
.max_keysize = AES_MAX_KEY_SIZE,
|
|
|
|
.ivsize = AES_BLOCK_SIZE,
|
|
|
|
.base = {
|
|
|
|
.cra_blocksize = AES_BLOCK_SIZE,
|
|
|
|
.cra_ctxsize = sizeof(struct crypto_aes_ctx),
|
|
|
|
.cra_priority = 300,
|
|
|
|
.cra_name = "cbc(aes)",
|
|
|
|
.cra_driver_name = "cbc-aes-riscv64-zvkned",
|
|
|
|
.cra_module = THIS_MODULE,
|
|
|
|
},
|
2024-02-13 05:54:42 +00:00
|
|
|
}, {
|
|
|
|
.setkey = riscv64_aes_setkey_skcipher,
|
|
|
|
.encrypt = riscv64_aes_cbc_cts_encrypt,
|
|
|
|
.decrypt = riscv64_aes_cbc_cts_decrypt,
|
|
|
|
.min_keysize = AES_MIN_KEY_SIZE,
|
|
|
|
.max_keysize = AES_MAX_KEY_SIZE,
|
|
|
|
.ivsize = AES_BLOCK_SIZE,
|
|
|
|
.walksize = 4 * AES_BLOCK_SIZE, /* matches LMUL=4 */
|
|
|
|
.base = {
|
|
|
|
.cra_blocksize = AES_BLOCK_SIZE,
|
|
|
|
.cra_ctxsize = sizeof(struct crypto_aes_ctx),
|
|
|
|
.cra_priority = 300,
|
|
|
|
.cra_name = "cts(cbc(aes))",
|
|
|
|
.cra_driver_name = "cts-cbc-aes-riscv64-zvkned",
|
|
|
|
.cra_module = THIS_MODULE,
|
|
|
|
},
|
crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}
Add implementations of AES-ECB, AES-CBC, AES-CTR, and AES-XTS, as well
as bare (single-block) AES, using the RISC-V vector crypto extensions.
The assembly code is derived from OpenSSL code (openssl/openssl#21923)
that was dual-licensed so that it could be reused in the kernel.
Nevertheless, the assembly has been significantly reworked for
integration with the kernel, for example by using regular .S files
instead of the so-called perlasm, using the assembler instead of bare
'.inst', greatly reducing code duplication, supporting AES-192, and
making the code use the same AES key structure as the C code.
Co-developed-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20240122002024.27477-5-ebiggers@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2024-01-22 00:19:15 +00:00
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
static struct skcipher_alg riscv64_zvkned_zvkb_aes_skcipher_alg = {
|
|
|
|
.setkey = riscv64_aes_setkey_skcipher,
|
|
|
|
.encrypt = riscv64_aes_ctr_crypt,
|
|
|
|
.decrypt = riscv64_aes_ctr_crypt,
|
|
|
|
.min_keysize = AES_MIN_KEY_SIZE,
|
|
|
|
.max_keysize = AES_MAX_KEY_SIZE,
|
|
|
|
.ivsize = AES_BLOCK_SIZE,
|
|
|
|
.chunksize = AES_BLOCK_SIZE,
|
|
|
|
.walksize = 4 * AES_BLOCK_SIZE, /* matches LMUL=4 */
|
|
|
|
.base = {
|
|
|
|
.cra_blocksize = 1,
|
|
|
|
.cra_ctxsize = sizeof(struct crypto_aes_ctx),
|
|
|
|
.cra_priority = 300,
|
|
|
|
.cra_name = "ctr(aes)",
|
|
|
|
.cra_driver_name = "ctr-aes-riscv64-zvkned-zvkb",
|
|
|
|
.cra_module = THIS_MODULE,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
static struct skcipher_alg riscv64_zvkned_zvbb_zvkg_aes_skcipher_alg = {
|
|
|
|
.setkey = riscv64_aes_xts_setkey,
|
|
|
|
.encrypt = riscv64_aes_xts_encrypt,
|
|
|
|
.decrypt = riscv64_aes_xts_decrypt,
|
|
|
|
.min_keysize = 2 * AES_MIN_KEY_SIZE,
|
|
|
|
.max_keysize = 2 * AES_MAX_KEY_SIZE,
|
|
|
|
.ivsize = AES_BLOCK_SIZE,
|
|
|
|
.chunksize = AES_BLOCK_SIZE,
|
|
|
|
.walksize = 4 * AES_BLOCK_SIZE, /* matches LMUL=4 */
|
|
|
|
.base = {
|
|
|
|
.cra_blocksize = AES_BLOCK_SIZE,
|
|
|
|
.cra_ctxsize = sizeof(struct riscv64_aes_xts_ctx),
|
|
|
|
.cra_priority = 300,
|
|
|
|
.cra_name = "xts(aes)",
|
|
|
|
.cra_driver_name = "xts-aes-riscv64-zvkned-zvbb-zvkg",
|
|
|
|
.cra_module = THIS_MODULE,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
static inline bool riscv64_aes_xts_supported(void)
|
|
|
|
{
|
|
|
|
return riscv_isa_extension_available(NULL, ZVBB) &&
|
|
|
|
riscv_isa_extension_available(NULL, ZVKG) &&
|
|
|
|
riscv_vector_vlen() < 2048 /* Implementation limitation */;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int __init riscv64_aes_mod_init(void)
|
|
|
|
{
|
|
|
|
int err = -ENODEV;
|
|
|
|
|
|
|
|
if (riscv_isa_extension_available(NULL, ZVKNED) &&
|
|
|
|
riscv_vector_vlen() >= 128) {
|
|
|
|
err = crypto_register_alg(&riscv64_zvkned_aes_cipher_alg);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
err = crypto_register_skciphers(
|
|
|
|
riscv64_zvkned_aes_skcipher_algs,
|
|
|
|
ARRAY_SIZE(riscv64_zvkned_aes_skcipher_algs));
|
|
|
|
if (err)
|
|
|
|
goto unregister_zvkned_cipher_alg;
|
|
|
|
|
|
|
|
if (riscv_isa_extension_available(NULL, ZVKB)) {
|
|
|
|
err = crypto_register_skcipher(
|
|
|
|
&riscv64_zvkned_zvkb_aes_skcipher_alg);
|
|
|
|
if (err)
|
|
|
|
goto unregister_zvkned_skcipher_algs;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (riscv64_aes_xts_supported()) {
|
|
|
|
err = crypto_register_skcipher(
|
|
|
|
&riscv64_zvkned_zvbb_zvkg_aes_skcipher_alg);
|
|
|
|
if (err)
|
|
|
|
goto unregister_zvkned_zvkb_skcipher_alg;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
|
|
|
|
unregister_zvkned_zvkb_skcipher_alg:
|
|
|
|
if (riscv_isa_extension_available(NULL, ZVKB))
|
|
|
|
crypto_unregister_skcipher(&riscv64_zvkned_zvkb_aes_skcipher_alg);
|
|
|
|
unregister_zvkned_skcipher_algs:
|
|
|
|
crypto_unregister_skciphers(riscv64_zvkned_aes_skcipher_algs,
|
|
|
|
ARRAY_SIZE(riscv64_zvkned_aes_skcipher_algs));
|
|
|
|
unregister_zvkned_cipher_alg:
|
|
|
|
crypto_unregister_alg(&riscv64_zvkned_aes_cipher_alg);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit riscv64_aes_mod_exit(void)
|
|
|
|
{
|
|
|
|
if (riscv64_aes_xts_supported())
|
|
|
|
crypto_unregister_skcipher(&riscv64_zvkned_zvbb_zvkg_aes_skcipher_alg);
|
|
|
|
if (riscv_isa_extension_available(NULL, ZVKB))
|
|
|
|
crypto_unregister_skcipher(&riscv64_zvkned_zvkb_aes_skcipher_alg);
|
|
|
|
crypto_unregister_skciphers(riscv64_zvkned_aes_skcipher_algs,
|
|
|
|
ARRAY_SIZE(riscv64_zvkned_aes_skcipher_algs));
|
|
|
|
crypto_unregister_alg(&riscv64_zvkned_aes_cipher_alg);
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(riscv64_aes_mod_init);
|
|
|
|
module_exit(riscv64_aes_mod_exit);
|
|
|
|
|
2024-02-13 05:54:42 +00:00
|
|
|
MODULE_DESCRIPTION("AES-ECB/CBC/CTS/CTR/XTS (RISC-V accelerated)");
|
crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}
Add implementations of AES-ECB, AES-CBC, AES-CTR, and AES-XTS, as well
as bare (single-block) AES, using the RISC-V vector crypto extensions.
The assembly code is derived from OpenSSL code (openssl/openssl#21923)
that was dual-licensed so that it could be reused in the kernel.
Nevertheless, the assembly has been significantly reworked for
integration with the kernel, for example by using regular .S files
instead of the so-called perlasm, using the assembler instead of bare
'.inst', greatly reducing code duplication, supporting AES-192, and
making the code use the same AES key structure as the C code.
Co-developed-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20240122002024.27477-5-ebiggers@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2024-01-22 00:19:15 +00:00
|
|
|
MODULE_AUTHOR("Jerry Shih <jerry.shih@sifive.com>");
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_ALIAS_CRYPTO("aes");
|
|
|
|
MODULE_ALIAS_CRYPTO("ecb(aes)");
|
|
|
|
MODULE_ALIAS_CRYPTO("cbc(aes)");
|
2024-02-13 05:54:42 +00:00
|
|
|
MODULE_ALIAS_CRYPTO("cts(cbc(aes))");
|
crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}
Add implementations of AES-ECB, AES-CBC, AES-CTR, and AES-XTS, as well
as bare (single-block) AES, using the RISC-V vector crypto extensions.
The assembly code is derived from OpenSSL code (openssl/openssl#21923)
that was dual-licensed so that it could be reused in the kernel.
Nevertheless, the assembly has been significantly reworked for
integration with the kernel, for example by using regular .S files
instead of the so-called perlasm, using the assembler instead of bare
'.inst', greatly reducing code duplication, supporting AES-192, and
making the code use the same AES key structure as the C code.
Co-developed-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Phoebe Chen <phoebe.chen@sifive.com>
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
Co-developed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20240122002024.27477-5-ebiggers@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
2024-01-22 00:19:15 +00:00
|
|
|
MODULE_ALIAS_CRYPTO("ctr(aes)");
|
|
|
|
MODULE_ALIAS_CRYPTO("xts(aes)");
|