From 4eb76faff89f29d3b729953007b963b39b2048be Mon Sep 17 00:00:00 2001 From: Pascal van Leeuwen Date: Fri, 30 Aug 2019 09:52:33 +0200 Subject: [PATCH] crypto: inside-secure - Added support for basic AES-CCM This patch adds support for the basic AES-CCM AEAD cipher suite. Signed-off-by: Pascal van Leeuwen Signed-off-by: Herbert Xu --- drivers/crypto/inside-secure/safexcel.c | 4 +- drivers/crypto/inside-secure/safexcel.h | 10 +- .../crypto/inside-secure/safexcel_cipher.c | 280 +++++++++++++++--- 3 files changed, 245 insertions(+), 49 deletions(-) diff --git a/drivers/crypto/inside-secure/safexcel.c b/drivers/crypto/inside-secure/safexcel.c index 5ad4feb07b6f..5d648ee5f0b0 100644 --- a/drivers/crypto/inside-secure/safexcel.c +++ b/drivers/crypto/inside-secure/safexcel.c @@ -715,8 +715,7 @@ inline int safexcel_rdesc_check_errors(struct safexcel_crypto_priv *priv, } else if (rdesc->result_data.error_code & BIT(9)) { /* Authentication failed */ return -EBADMSG; - } else if (!rdesc->result_data.error_code) - return 0; + } /* All other non-fatal errors */ return -EINVAL; @@ -1009,6 +1008,7 @@ static struct safexcel_alg_template *safexcel_algs[] = { &safexcel_alg_authenc_hmac_sha512_ctr_aes, &safexcel_alg_xts_aes, &safexcel_alg_gcm, + &safexcel_alg_ccm, }; static int safexcel_register_algorithms(struct safexcel_crypto_priv *priv) diff --git a/drivers/crypto/inside-secure/safexcel.h b/drivers/crypto/inside-secure/safexcel.h index 0eb344534f36..1407804b66b7 100644 --- a/drivers/crypto/inside-secure/safexcel.h +++ b/drivers/crypto/inside-secure/safexcel.h @@ -19,7 +19,7 @@ /* Static configuration */ #define EIP197_DEFAULT_RING_SIZE 400 -#define EIP197_MAX_TOKENS 10 +#define EIP197_MAX_TOKENS 18 #define EIP197_MAX_RINGS 4 #define EIP197_FETCH_COUNT 1 #define EIP197_MAX_BATCH_SZ 64 @@ -330,6 +330,9 @@ struct safexcel_context_record { #define CONTEXT_CONTROL_CRYPTO_ALG_SHA384 (0x6 << 23) #define CONTEXT_CONTROL_CRYPTO_ALG_SHA512 (0x5 << 23) #define CONTEXT_CONTROL_CRYPTO_ALG_GHASH (0x4 << 23) +#define CONTEXT_CONTROL_CRYPTO_ALG_XCBC128 (0x1 << 23) +#define CONTEXT_CONTROL_CRYPTO_ALG_XCBC192 (0x2 << 23) +#define CONTEXT_CONTROL_CRYPTO_ALG_XCBC256 (0x3 << 23) #define CONTEXT_CONTROL_INV_FR (0x5 << 24) #define CONTEXT_CONTROL_INV_TR (0x6 << 24) @@ -350,6 +353,9 @@ struct safexcel_context_record { #define CONTEXT_CONTROL_CRYPTO_STORE BIT(12) #define CONTEXT_CONTROL_HASH_STORE BIT(19) +#define EIP197_XCM_MODE_GCM 1 +#define EIP197_XCM_MODE_CCM 2 + /* The hash counter given to the engine in the context has a granularity of * 64 bits. */ @@ -464,6 +470,7 @@ static inline void eip197_noop_token(struct safexcel_token *token) /* Instructions */ #define EIP197_TOKEN_INS_INSERT_HASH_DIGEST 0x1c #define EIP197_TOKEN_INS_ORIGIN_IV0 0x14 +#define EIP197_TOKEN_INS_ORIGIN_TOKEN 0x1b #define EIP197_TOKEN_INS_ORIGIN_LEN(x) ((x) << 5) #define EIP197_TOKEN_INS_TYPE_OUTPUT BIT(5) #define EIP197_TOKEN_INS_TYPE_HASH BIT(6) @@ -797,5 +804,6 @@ extern struct safexcel_alg_template safexcel_alg_authenc_hmac_sha384_ctr_aes; extern struct safexcel_alg_template safexcel_alg_authenc_hmac_sha512_ctr_aes; extern struct safexcel_alg_template safexcel_alg_xts_aes; extern struct safexcel_alg_template safexcel_alg_gcm; +extern struct safexcel_alg_template safexcel_alg_ccm; #endif diff --git a/drivers/crypto/inside-secure/safexcel_cipher.c b/drivers/crypto/inside-secure/safexcel_cipher.c index 7a1e78518871..ef51f8c2b473 100644 --- a/drivers/crypto/inside-secure/safexcel_cipher.c +++ b/drivers/crypto/inside-secure/safexcel_cipher.c @@ -81,7 +81,7 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv, cdesc->control_data.token[3] = cpu_to_be32(1); return; - } else if (ctx->mode == CONTEXT_CONTROL_CRYPTO_MODE_XCM) { + } else if (ctx->xcm == EIP197_XCM_MODE_GCM) { cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD; /* 96 bit IV part */ @@ -89,6 +89,16 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv, /* 32 bit counter, start at 1 (big endian!) */ cdesc->control_data.token[3] = cpu_to_be32(1); + return; + } else if (ctx->xcm == EIP197_XCM_MODE_CCM) { + cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD; + + /* Variable length IV part */ + memcpy(&cdesc->control_data.token[0], iv, 15 - iv[0]); + /* Start variable length counter at 0 */ + memset((u8 *)&cdesc->control_data.token[0] + 15 - iv[0], + 0, iv[0] + 1); + return; } @@ -143,67 +153,117 @@ static void safexcel_aead_token(struct safexcel_cipher_ctx *ctx, u8 *iv, if (direction == SAFEXCEL_ENCRYPT) { /* align end of instruction sequence to end of token */ token = (struct safexcel_token *)(cdesc->control_data.token + - EIP197_MAX_TOKENS - 5); + EIP197_MAX_TOKENS - 13); - token[4].opcode = EIP197_TOKEN_OPCODE_INSERT; - token[4].packet_length = digestsize; - token[4].stat = EIP197_TOKEN_STAT_LAST_HASH | - EIP197_TOKEN_STAT_LAST_PACKET; - token[4].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT | - EIP197_TOKEN_INS_INSERT_HASH_DIGEST; + token[12].opcode = EIP197_TOKEN_OPCODE_INSERT; + token[12].packet_length = digestsize; + token[12].stat = EIP197_TOKEN_STAT_LAST_HASH | + EIP197_TOKEN_STAT_LAST_PACKET; + token[12].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT | + EIP197_TOKEN_INS_INSERT_HASH_DIGEST; } else { cryptlen -= digestsize; /* align end of instruction sequence to end of token */ token = (struct safexcel_token *)(cdesc->control_data.token + - EIP197_MAX_TOKENS - 6); + EIP197_MAX_TOKENS - 14); - token[4].opcode = EIP197_TOKEN_OPCODE_RETRIEVE; - token[4].packet_length = digestsize; - token[4].stat = EIP197_TOKEN_STAT_LAST_HASH | - EIP197_TOKEN_STAT_LAST_PACKET; - token[4].instructions = EIP197_TOKEN_INS_INSERT_HASH_DIGEST; + token[12].opcode = EIP197_TOKEN_OPCODE_RETRIEVE; + token[12].packet_length = digestsize; + token[12].stat = EIP197_TOKEN_STAT_LAST_HASH | + EIP197_TOKEN_STAT_LAST_PACKET; + token[12].instructions = EIP197_TOKEN_INS_INSERT_HASH_DIGEST; - token[5].opcode = EIP197_TOKEN_OPCODE_VERIFY; - token[5].packet_length = digestsize | - EIP197_TOKEN_HASH_RESULT_VERIFY; - token[5].stat = EIP197_TOKEN_STAT_LAST_HASH | - EIP197_TOKEN_STAT_LAST_PACKET; - token[5].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT; + token[13].opcode = EIP197_TOKEN_OPCODE_VERIFY; + token[13].packet_length = digestsize | + EIP197_TOKEN_HASH_RESULT_VERIFY; + token[13].stat = EIP197_TOKEN_STAT_LAST_HASH | + EIP197_TOKEN_STAT_LAST_PACKET; + token[13].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT; } - token[0].opcode = EIP197_TOKEN_OPCODE_DIRECTION; - token[0].packet_length = assoclen; + token[6].opcode = EIP197_TOKEN_OPCODE_DIRECTION; + token[6].packet_length = assoclen; if (likely(cryptlen)) { - token[0].instructions = EIP197_TOKEN_INS_TYPE_HASH; + token[6].instructions = EIP197_TOKEN_INS_TYPE_HASH; - token[3].opcode = EIP197_TOKEN_OPCODE_DIRECTION; - token[3].packet_length = cryptlen; - token[3].stat = EIP197_TOKEN_STAT_LAST_HASH; - token[3].instructions = EIP197_TOKEN_INS_LAST | - EIP197_TOKEN_INS_TYPE_CRYPTO | - EIP197_TOKEN_INS_TYPE_HASH | - EIP197_TOKEN_INS_TYPE_OUTPUT; - } else { - token[0].stat = EIP197_TOKEN_STAT_LAST_HASH; - token[0].instructions = EIP197_TOKEN_INS_LAST | + token[10].opcode = EIP197_TOKEN_OPCODE_DIRECTION; + token[10].packet_length = cryptlen; + token[10].stat = EIP197_TOKEN_STAT_LAST_HASH; + token[10].instructions = EIP197_TOKEN_INS_LAST | + EIP197_TOKEN_INS_TYPE_CRYPTO | + EIP197_TOKEN_INS_TYPE_HASH | + EIP197_TOKEN_INS_TYPE_OUTPUT; + } else if (ctx->xcm != EIP197_XCM_MODE_CCM) { + token[6].stat = EIP197_TOKEN_STAT_LAST_HASH; + token[6].instructions = EIP197_TOKEN_INS_LAST | EIP197_TOKEN_INS_TYPE_HASH; } - if (ctx->xcm) { - token[0].instructions = EIP197_TOKEN_INS_LAST | + if (!ctx->xcm) + return; + + token[8].opcode = EIP197_TOKEN_OPCODE_INSERT_REMRES; + token[8].packet_length = 0; + token[8].instructions = AES_BLOCK_SIZE; + + token[9].opcode = EIP197_TOKEN_OPCODE_INSERT; + token[9].packet_length = AES_BLOCK_SIZE; + token[9].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT | + EIP197_TOKEN_INS_TYPE_CRYPTO; + + if (ctx->xcm == EIP197_XCM_MODE_GCM) { + token[6].instructions = EIP197_TOKEN_INS_LAST | EIP197_TOKEN_INS_TYPE_HASH; + } else { + u8 *cbcmaciv = (u8 *)&token[1]; + u32 *aadlen = (u32 *)&token[5]; - token[1].opcode = EIP197_TOKEN_OPCODE_INSERT_REMRES; - token[1].packet_length = 0; - token[1].stat = EIP197_TOKEN_STAT_LAST_HASH; - token[1].instructions = AES_BLOCK_SIZE; + /* Construct IV block B0 for the CBC-MAC */ + token[0].opcode = EIP197_TOKEN_OPCODE_INSERT; + token[0].packet_length = AES_BLOCK_SIZE + + ((assoclen > 0) << 1); + token[0].instructions = EIP197_TOKEN_INS_ORIGIN_TOKEN | + EIP197_TOKEN_INS_TYPE_HASH; + /* Variable length IV part */ + memcpy(cbcmaciv, iv, 15 - iv[0]); + /* fixup flags byte */ + cbcmaciv[0] |= ((assoclen > 0) << 6) | ((digestsize - 2) << 2); + /* Clear upper bytes of variable message length to 0 */ + memset(cbcmaciv + 15 - iv[0], 0, iv[0] - 1); + /* insert lower 2 bytes of message length */ + cbcmaciv[14] = cryptlen >> 8; + cbcmaciv[15] = cryptlen & 255; - token[2].opcode = EIP197_TOKEN_OPCODE_INSERT; - token[2].packet_length = AES_BLOCK_SIZE; - token[2].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT | - EIP197_TOKEN_INS_TYPE_CRYPTO; + if (assoclen) { + *aadlen = cpu_to_le32(cpu_to_be16(assoclen)); + assoclen += 2; + } + + token[6].instructions = EIP197_TOKEN_INS_TYPE_HASH; + + /* Align AAD data towards hash engine */ + token[7].opcode = EIP197_TOKEN_OPCODE_INSERT; + assoclen &= 15; + token[7].packet_length = assoclen ? 16 - assoclen : 0; + + if (likely(cryptlen)) { + token[7].instructions = EIP197_TOKEN_INS_TYPE_HASH; + + /* Align crypto data towards hash engine */ + token[10].stat = 0; + + token[11].opcode = EIP197_TOKEN_OPCODE_INSERT; + cryptlen &= 15; + token[11].packet_length = cryptlen ? 16 - cryptlen : 0; + token[11].stat = EIP197_TOKEN_STAT_LAST_HASH; + token[11].instructions = EIP197_TOKEN_INS_TYPE_HASH; + } else { + token[7].stat = EIP197_TOKEN_STAT_LAST_HASH; + token[7].instructions = EIP197_TOKEN_INS_LAST | + EIP197_TOKEN_INS_TYPE_HASH; + } } } @@ -373,10 +433,15 @@ static int safexcel_context_control(struct safexcel_cipher_ctx *ctx, } if (sreq->direction == SAFEXCEL_ENCRYPT) cdesc->control_data.control0 |= - CONTEXT_CONTROL_TYPE_ENCRYPT_HASH_OUT; + (ctx->xcm == EIP197_XCM_MODE_CCM) ? + CONTEXT_CONTROL_TYPE_HASH_ENCRYPT_OUT : + CONTEXT_CONTROL_TYPE_ENCRYPT_HASH_OUT; + else cdesc->control_data.control0 |= - CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN; + (ctx->xcm == EIP197_XCM_MODE_CCM) ? + CONTEXT_CONTROL_TYPE_DECRYPT_HASH_IN : + CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN; } else { if (sreq->direction == SAFEXCEL_ENCRYPT) cdesc->control_data.control0 = @@ -2066,7 +2131,7 @@ static int safexcel_aead_gcm_cra_init(struct crypto_tfm *tfm) safexcel_aead_cra_init(tfm); ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_GHASH; ctx->state_sz = GHASH_BLOCK_SIZE; - ctx->xcm = 1; /* GCM */ + ctx->xcm = EIP197_XCM_MODE_GCM; ctx->mode = CONTEXT_CONTROL_CRYPTO_MODE_XCM; /* override default */ ctx->hkaes = crypto_alloc_cipher("aes", 0, 0); @@ -2115,3 +2180,126 @@ struct safexcel_alg_template safexcel_alg_gcm = { }, }, }; + +static int safexcel_aead_ccm_setkey(struct crypto_aead *ctfm, const u8 *key, + unsigned int len) +{ + struct crypto_tfm *tfm = crypto_aead_tfm(ctfm); + struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm); + struct safexcel_crypto_priv *priv = ctx->priv; + struct crypto_aes_ctx aes; + int ret, i; + + ret = aes_expandkey(&aes, key, len); + if (ret) { + crypto_aead_set_flags(ctfm, CRYPTO_TFM_RES_BAD_KEY_LEN); + memzero_explicit(&aes, sizeof(aes)); + return ret; + } + + if (priv->flags & EIP197_TRC_CACHE && ctx->base.ctxr_dma) { + for (i = 0; i < len / sizeof(u32); i++) { + if (ctx->key[i] != cpu_to_le32(aes.key_enc[i])) { + ctx->base.needs_inv = true; + break; + } + } + } + + for (i = 0; i < len / sizeof(u32); i++) { + ctx->key[i] = cpu_to_le32(aes.key_enc[i]); + ctx->ipad[i + 2 * AES_BLOCK_SIZE / sizeof(u32)] = + cpu_to_be32(aes.key_enc[i]); + } + + ctx->key_len = len; + ctx->state_sz = 2 * AES_BLOCK_SIZE + len; + + if (len == AES_KEYSIZE_192) + ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC192; + else if (len == AES_KEYSIZE_256) + ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC256; + else + ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC128; + + memzero_explicit(&aes, sizeof(aes)); + return 0; +} + +static int safexcel_aead_ccm_cra_init(struct crypto_tfm *tfm) +{ + struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm); + + safexcel_aead_cra_init(tfm); + ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_XCBC128; + ctx->state_sz = 3 * AES_BLOCK_SIZE; + ctx->xcm = EIP197_XCM_MODE_CCM; + ctx->mode = CONTEXT_CONTROL_CRYPTO_MODE_XCM; /* override default */ + return 0; +} + +static int safexcel_aead_ccm_setauthsize(struct crypto_aead *tfm, + unsigned int authsize) +{ + /* Borrowed from crypto/ccm.c */ + switch (authsize) { + case 4: + case 6: + case 8: + case 10: + case 12: + case 14: + case 16: + break; + default: + return -EINVAL; + } + + return 0; +} + +static int safexcel_ccm_encrypt(struct aead_request *req) +{ + struct safexcel_cipher_req *creq = aead_request_ctx(req); + + if (req->iv[0] < 1 || req->iv[0] > 7) + return -EINVAL; + + return safexcel_queue_req(&req->base, creq, SAFEXCEL_ENCRYPT); +} + +static int safexcel_ccm_decrypt(struct aead_request *req) +{ + struct safexcel_cipher_req *creq = aead_request_ctx(req); + + if (req->iv[0] < 1 || req->iv[0] > 7) + return -EINVAL; + + return safexcel_queue_req(&req->base, creq, SAFEXCEL_DECRYPT); +} + +struct safexcel_alg_template safexcel_alg_ccm = { + .type = SAFEXCEL_ALG_TYPE_AEAD, + .algo_mask = SAFEXCEL_ALG_AES | SAFEXCEL_ALG_CBC_MAC_ALL, + .alg.aead = { + .setkey = safexcel_aead_ccm_setkey, + .setauthsize = safexcel_aead_ccm_setauthsize, + .encrypt = safexcel_ccm_encrypt, + .decrypt = safexcel_ccm_decrypt, + .ivsize = AES_BLOCK_SIZE, + .maxauthsize = AES_BLOCK_SIZE, + .base = { + .cra_name = "ccm(aes)", + .cra_driver_name = "safexcel-ccm-aes", + .cra_priority = SAFEXCEL_CRA_PRIORITY, + .cra_flags = CRYPTO_ALG_ASYNC | + CRYPTO_ALG_KERN_DRIVER_ONLY, + .cra_blocksize = 1, + .cra_ctxsize = sizeof(struct safexcel_cipher_ctx), + .cra_alignmask = 0, + .cra_init = safexcel_aead_ccm_cra_init, + .cra_exit = safexcel_aead_cra_exit, + .cra_module = THIS_MODULE, + }, + }, +};