crypto: inside-secure - Added support for basic AES-CCM

This patch adds support for the basic AES-CCM AEAD cipher suite.

Signed-off-by: Pascal van Leeuwen <pvanleeuwen@verimatrix.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
Pascal van Leeuwen 2019-08-30 09:52:33 +02:00 committed by Herbert Xu
parent 50485dfb6c
commit 4eb76faff8
3 changed files with 245 additions and 49 deletions

View File

@ -715,8 +715,7 @@ inline int safexcel_rdesc_check_errors(struct safexcel_crypto_priv *priv,
} else if (rdesc->result_data.error_code & BIT(9)) {
/* Authentication failed */
return -EBADMSG;
} else if (!rdesc->result_data.error_code)
return 0;
}
/* All other non-fatal errors */
return -EINVAL;
@ -1009,6 +1008,7 @@ static struct safexcel_alg_template *safexcel_algs[] = {
&safexcel_alg_authenc_hmac_sha512_ctr_aes,
&safexcel_alg_xts_aes,
&safexcel_alg_gcm,
&safexcel_alg_ccm,
};
static int safexcel_register_algorithms(struct safexcel_crypto_priv *priv)

View File

@ -19,7 +19,7 @@
/* Static configuration */
#define EIP197_DEFAULT_RING_SIZE 400
#define EIP197_MAX_TOKENS 10
#define EIP197_MAX_TOKENS 18
#define EIP197_MAX_RINGS 4
#define EIP197_FETCH_COUNT 1
#define EIP197_MAX_BATCH_SZ 64
@ -330,6 +330,9 @@ struct safexcel_context_record {
#define CONTEXT_CONTROL_CRYPTO_ALG_SHA384 (0x6 << 23)
#define CONTEXT_CONTROL_CRYPTO_ALG_SHA512 (0x5 << 23)
#define CONTEXT_CONTROL_CRYPTO_ALG_GHASH (0x4 << 23)
#define CONTEXT_CONTROL_CRYPTO_ALG_XCBC128 (0x1 << 23)
#define CONTEXT_CONTROL_CRYPTO_ALG_XCBC192 (0x2 << 23)
#define CONTEXT_CONTROL_CRYPTO_ALG_XCBC256 (0x3 << 23)
#define CONTEXT_CONTROL_INV_FR (0x5 << 24)
#define CONTEXT_CONTROL_INV_TR (0x6 << 24)
@ -350,6 +353,9 @@ struct safexcel_context_record {
#define CONTEXT_CONTROL_CRYPTO_STORE BIT(12)
#define CONTEXT_CONTROL_HASH_STORE BIT(19)
#define EIP197_XCM_MODE_GCM 1
#define EIP197_XCM_MODE_CCM 2
/* The hash counter given to the engine in the context has a granularity of
* 64 bits.
*/
@ -464,6 +470,7 @@ static inline void eip197_noop_token(struct safexcel_token *token)
/* Instructions */
#define EIP197_TOKEN_INS_INSERT_HASH_DIGEST 0x1c
#define EIP197_TOKEN_INS_ORIGIN_IV0 0x14
#define EIP197_TOKEN_INS_ORIGIN_TOKEN 0x1b
#define EIP197_TOKEN_INS_ORIGIN_LEN(x) ((x) << 5)
#define EIP197_TOKEN_INS_TYPE_OUTPUT BIT(5)
#define EIP197_TOKEN_INS_TYPE_HASH BIT(6)
@ -797,5 +804,6 @@ extern struct safexcel_alg_template safexcel_alg_authenc_hmac_sha384_ctr_aes;
extern struct safexcel_alg_template safexcel_alg_authenc_hmac_sha512_ctr_aes;
extern struct safexcel_alg_template safexcel_alg_xts_aes;
extern struct safexcel_alg_template safexcel_alg_gcm;
extern struct safexcel_alg_template safexcel_alg_ccm;
#endif

View File

@ -81,7 +81,7 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
cdesc->control_data.token[3] = cpu_to_be32(1);
return;
} else if (ctx->mode == CONTEXT_CONTROL_CRYPTO_MODE_XCM) {
} else if (ctx->xcm == EIP197_XCM_MODE_GCM) {
cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
/* 96 bit IV part */
@ -89,6 +89,16 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
/* 32 bit counter, start at 1 (big endian!) */
cdesc->control_data.token[3] = cpu_to_be32(1);
return;
} else if (ctx->xcm == EIP197_XCM_MODE_CCM) {
cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
/* Variable length IV part */
memcpy(&cdesc->control_data.token[0], iv, 15 - iv[0]);
/* Start variable length counter at 0 */
memset((u8 *)&cdesc->control_data.token[0] + 15 - iv[0],
0, iv[0] + 1);
return;
}
@ -143,67 +153,117 @@ static void safexcel_aead_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
if (direction == SAFEXCEL_ENCRYPT) {
/* align end of instruction sequence to end of token */
token = (struct safexcel_token *)(cdesc->control_data.token +
EIP197_MAX_TOKENS - 5);
EIP197_MAX_TOKENS - 13);
token[4].opcode = EIP197_TOKEN_OPCODE_INSERT;
token[4].packet_length = digestsize;
token[4].stat = EIP197_TOKEN_STAT_LAST_HASH |
EIP197_TOKEN_STAT_LAST_PACKET;
token[4].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT |
EIP197_TOKEN_INS_INSERT_HASH_DIGEST;
token[12].opcode = EIP197_TOKEN_OPCODE_INSERT;
token[12].packet_length = digestsize;
token[12].stat = EIP197_TOKEN_STAT_LAST_HASH |
EIP197_TOKEN_STAT_LAST_PACKET;
token[12].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT |
EIP197_TOKEN_INS_INSERT_HASH_DIGEST;
} else {
cryptlen -= digestsize;
/* align end of instruction sequence to end of token */
token = (struct safexcel_token *)(cdesc->control_data.token +
EIP197_MAX_TOKENS - 6);
EIP197_MAX_TOKENS - 14);
token[4].opcode = EIP197_TOKEN_OPCODE_RETRIEVE;
token[4].packet_length = digestsize;
token[4].stat = EIP197_TOKEN_STAT_LAST_HASH |
EIP197_TOKEN_STAT_LAST_PACKET;
token[4].instructions = EIP197_TOKEN_INS_INSERT_HASH_DIGEST;
token[12].opcode = EIP197_TOKEN_OPCODE_RETRIEVE;
token[12].packet_length = digestsize;
token[12].stat = EIP197_TOKEN_STAT_LAST_HASH |
EIP197_TOKEN_STAT_LAST_PACKET;
token[12].instructions = EIP197_TOKEN_INS_INSERT_HASH_DIGEST;
token[5].opcode = EIP197_TOKEN_OPCODE_VERIFY;
token[5].packet_length = digestsize |
EIP197_TOKEN_HASH_RESULT_VERIFY;
token[5].stat = EIP197_TOKEN_STAT_LAST_HASH |
EIP197_TOKEN_STAT_LAST_PACKET;
token[5].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT;
token[13].opcode = EIP197_TOKEN_OPCODE_VERIFY;
token[13].packet_length = digestsize |
EIP197_TOKEN_HASH_RESULT_VERIFY;
token[13].stat = EIP197_TOKEN_STAT_LAST_HASH |
EIP197_TOKEN_STAT_LAST_PACKET;
token[13].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT;
}
token[0].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
token[0].packet_length = assoclen;
token[6].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
token[6].packet_length = assoclen;
if (likely(cryptlen)) {
token[0].instructions = EIP197_TOKEN_INS_TYPE_HASH;
token[6].instructions = EIP197_TOKEN_INS_TYPE_HASH;
token[3].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
token[3].packet_length = cryptlen;
token[3].stat = EIP197_TOKEN_STAT_LAST_HASH;
token[3].instructions = EIP197_TOKEN_INS_LAST |
EIP197_TOKEN_INS_TYPE_CRYPTO |
EIP197_TOKEN_INS_TYPE_HASH |
EIP197_TOKEN_INS_TYPE_OUTPUT;
} else {
token[0].stat = EIP197_TOKEN_STAT_LAST_HASH;
token[0].instructions = EIP197_TOKEN_INS_LAST |
token[10].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
token[10].packet_length = cryptlen;
token[10].stat = EIP197_TOKEN_STAT_LAST_HASH;
token[10].instructions = EIP197_TOKEN_INS_LAST |
EIP197_TOKEN_INS_TYPE_CRYPTO |
EIP197_TOKEN_INS_TYPE_HASH |
EIP197_TOKEN_INS_TYPE_OUTPUT;
} else if (ctx->xcm != EIP197_XCM_MODE_CCM) {
token[6].stat = EIP197_TOKEN_STAT_LAST_HASH;
token[6].instructions = EIP197_TOKEN_INS_LAST |
EIP197_TOKEN_INS_TYPE_HASH;
}
if (ctx->xcm) {
token[0].instructions = EIP197_TOKEN_INS_LAST |
if (!ctx->xcm)
return;
token[8].opcode = EIP197_TOKEN_OPCODE_INSERT_REMRES;
token[8].packet_length = 0;
token[8].instructions = AES_BLOCK_SIZE;
token[9].opcode = EIP197_TOKEN_OPCODE_INSERT;
token[9].packet_length = AES_BLOCK_SIZE;
token[9].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT |
EIP197_TOKEN_INS_TYPE_CRYPTO;
if (ctx->xcm == EIP197_XCM_MODE_GCM) {
token[6].instructions = EIP197_TOKEN_INS_LAST |
EIP197_TOKEN_INS_TYPE_HASH;
} else {
u8 *cbcmaciv = (u8 *)&token[1];
u32 *aadlen = (u32 *)&token[5];
token[1].opcode = EIP197_TOKEN_OPCODE_INSERT_REMRES;
token[1].packet_length = 0;
token[1].stat = EIP197_TOKEN_STAT_LAST_HASH;
token[1].instructions = AES_BLOCK_SIZE;
/* Construct IV block B0 for the CBC-MAC */
token[0].opcode = EIP197_TOKEN_OPCODE_INSERT;
token[0].packet_length = AES_BLOCK_SIZE +
((assoclen > 0) << 1);
token[0].instructions = EIP197_TOKEN_INS_ORIGIN_TOKEN |
EIP197_TOKEN_INS_TYPE_HASH;
/* Variable length IV part */
memcpy(cbcmaciv, iv, 15 - iv[0]);
/* fixup flags byte */
cbcmaciv[0] |= ((assoclen > 0) << 6) | ((digestsize - 2) << 2);
/* Clear upper bytes of variable message length to 0 */
memset(cbcmaciv + 15 - iv[0], 0, iv[0] - 1);
/* insert lower 2 bytes of message length */
cbcmaciv[14] = cryptlen >> 8;
cbcmaciv[15] = cryptlen & 255;
token[2].opcode = EIP197_TOKEN_OPCODE_INSERT;
token[2].packet_length = AES_BLOCK_SIZE;
token[2].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT |
EIP197_TOKEN_INS_TYPE_CRYPTO;
if (assoclen) {
*aadlen = cpu_to_le32(cpu_to_be16(assoclen));
assoclen += 2;
}
token[6].instructions = EIP197_TOKEN_INS_TYPE_HASH;
/* Align AAD data towards hash engine */
token[7].opcode = EIP197_TOKEN_OPCODE_INSERT;
assoclen &= 15;
token[7].packet_length = assoclen ? 16 - assoclen : 0;
if (likely(cryptlen)) {
token[7].instructions = EIP197_TOKEN_INS_TYPE_HASH;
/* Align crypto data towards hash engine */
token[10].stat = 0;
token[11].opcode = EIP197_TOKEN_OPCODE_INSERT;
cryptlen &= 15;
token[11].packet_length = cryptlen ? 16 - cryptlen : 0;
token[11].stat = EIP197_TOKEN_STAT_LAST_HASH;
token[11].instructions = EIP197_TOKEN_INS_TYPE_HASH;
} else {
token[7].stat = EIP197_TOKEN_STAT_LAST_HASH;
token[7].instructions = EIP197_TOKEN_INS_LAST |
EIP197_TOKEN_INS_TYPE_HASH;
}
}
}
@ -373,10 +433,15 @@ static int safexcel_context_control(struct safexcel_cipher_ctx *ctx,
}
if (sreq->direction == SAFEXCEL_ENCRYPT)
cdesc->control_data.control0 |=
CONTEXT_CONTROL_TYPE_ENCRYPT_HASH_OUT;
(ctx->xcm == EIP197_XCM_MODE_CCM) ?
CONTEXT_CONTROL_TYPE_HASH_ENCRYPT_OUT :
CONTEXT_CONTROL_TYPE_ENCRYPT_HASH_OUT;
else
cdesc->control_data.control0 |=
CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN;
(ctx->xcm == EIP197_XCM_MODE_CCM) ?
CONTEXT_CONTROL_TYPE_DECRYPT_HASH_IN :
CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN;
} else {
if (sreq->direction == SAFEXCEL_ENCRYPT)
cdesc->control_data.control0 =
@ -2066,7 +2131,7 @@ static int safexcel_aead_gcm_cra_init(struct crypto_tfm *tfm)
safexcel_aead_cra_init(tfm);
ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_GHASH;
ctx->state_sz = GHASH_BLOCK_SIZE;
ctx->xcm = 1; /* GCM */
ctx->xcm = EIP197_XCM_MODE_GCM;
ctx->mode = CONTEXT_CONTROL_CRYPTO_MODE_XCM; /* override default */
ctx->hkaes = crypto_alloc_cipher("aes", 0, 0);
@ -2115,3 +2180,126 @@ struct safexcel_alg_template safexcel_alg_gcm = {
},
},
};
static int safexcel_aead_ccm_setkey(struct crypto_aead *ctfm, const u8 *key,
unsigned int len)
{
struct crypto_tfm *tfm = crypto_aead_tfm(ctfm);
struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
struct safexcel_crypto_priv *priv = ctx->priv;
struct crypto_aes_ctx aes;
int ret, i;
ret = aes_expandkey(&aes, key, len);
if (ret) {
crypto_aead_set_flags(ctfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
memzero_explicit(&aes, sizeof(aes));
return ret;
}
if (priv->flags & EIP197_TRC_CACHE && ctx->base.ctxr_dma) {
for (i = 0; i < len / sizeof(u32); i++) {
if (ctx->key[i] != cpu_to_le32(aes.key_enc[i])) {
ctx->base.needs_inv = true;
break;
}
}
}
for (i = 0; i < len / sizeof(u32); i++) {
ctx->key[i] = cpu_to_le32(aes.key_enc[i]);
ctx->ipad[i + 2 * AES_BLOCK_SIZE / sizeof(u32)] =
cpu_to_be32(aes.key_enc[i]);
}
ctx->key_len = len;
ctx->state_sz = 2 * AES_BLOCK_SIZE + len;
if (len == AES_KEYSIZE_192)
ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC192;
else if (len == AES_KEYSIZE_256)
ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC256;
else
ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC128;
memzero_explicit(&aes, sizeof(aes));
return 0;
}
static int safexcel_aead_ccm_cra_init(struct crypto_tfm *tfm)
{
struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
safexcel_aead_cra_init(tfm);
ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC128;
ctx->state_sz = 3 * AES_BLOCK_SIZE;
ctx->xcm = EIP197_XCM_MODE_CCM;
ctx->mode = CONTEXT_CONTROL_CRYPTO_MODE_XCM; /* override default */
return 0;
}
static int safexcel_aead_ccm_setauthsize(struct crypto_aead *tfm,
unsigned int authsize)
{
/* Borrowed from crypto/ccm.c */
switch (authsize) {
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
break;
default:
return -EINVAL;
}
return 0;
}
static int safexcel_ccm_encrypt(struct aead_request *req)
{
struct safexcel_cipher_req *creq = aead_request_ctx(req);
if (req->iv[0] < 1 || req->iv[0] > 7)
return -EINVAL;
return safexcel_queue_req(&req->base, creq, SAFEXCEL_ENCRYPT);
}
static int safexcel_ccm_decrypt(struct aead_request *req)
{
struct safexcel_cipher_req *creq = aead_request_ctx(req);
if (req->iv[0] < 1 || req->iv[0] > 7)
return -EINVAL;
return safexcel_queue_req(&req->base, creq, SAFEXCEL_DECRYPT);
}
struct safexcel_alg_template safexcel_alg_ccm = {
.type = SAFEXCEL_ALG_TYPE_AEAD,
.algo_mask = SAFEXCEL_ALG_AES | SAFEXCEL_ALG_CBC_MAC_ALL,
.alg.aead = {
.setkey = safexcel_aead_ccm_setkey,
.setauthsize = safexcel_aead_ccm_setauthsize,
.encrypt = safexcel_ccm_encrypt,
.decrypt = safexcel_ccm_decrypt,
.ivsize = AES_BLOCK_SIZE,
.maxauthsize = AES_BLOCK_SIZE,
.base = {
.cra_name = "ccm(aes)",
.cra_driver_name = "safexcel-ccm-aes",
.cra_priority = SAFEXCEL_CRA_PRIORITY,
.cra_flags = CRYPTO_ALG_ASYNC |
CRYPTO_ALG_KERN_DRIVER_ONLY,
.cra_blocksize = 1,
.cra_ctxsize = sizeof(struct safexcel_cipher_ctx),
.cra_alignmask = 0,
.cra_init = safexcel_aead_ccm_cra_init,
.cra_exit = safexcel_aead_cra_exit,
.cra_module = THIS_MODULE,
},
},
};