aes-neonbs-glue.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Bit sliced AES using NEON instructions
  4. *
  5. * Copyright (C) 2016 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
  6. */
  7. #include <asm/neon.h>
  8. #include <asm/simd.h>
  9. #include <crypto/aes.h>
  10. #include <crypto/ctr.h>
  11. #include <crypto/internal/simd.h>
  12. #include <crypto/internal/skcipher.h>
  13. #include <crypto/scatterwalk.h>
  14. #include <crypto/xts.h>
  15. #include <linux/module.h>
  16. MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
  17. MODULE_DESCRIPTION("Bit sliced AES using NEON instructions");
  18. MODULE_LICENSE("GPL v2");
  19. MODULE_ALIAS_CRYPTO("ecb(aes)");
  20. MODULE_ALIAS_CRYPTO("cbc(aes)");
  21. MODULE_ALIAS_CRYPTO("ctr(aes)");
  22. MODULE_ALIAS_CRYPTO("xts(aes)");
  23. asmlinkage void aesbs_convert_key(u8 out[], u32 const rk[], int rounds);
  24. asmlinkage void aesbs_ecb_encrypt(u8 out[], u8 const in[], u8 const rk[],
  25. int rounds, int blocks);
  26. asmlinkage void aesbs_ecb_decrypt(u8 out[], u8 const in[], u8 const rk[],
  27. int rounds, int blocks);
  28. asmlinkage void aesbs_cbc_decrypt(u8 out[], u8 const in[], u8 const rk[],
  29. int rounds, int blocks, u8 iv[]);
  30. asmlinkage void aesbs_ctr_encrypt(u8 out[], u8 const in[], u8 const rk[],
  31. int rounds, int blocks, u8 iv[]);
  32. asmlinkage void aesbs_xts_encrypt(u8 out[], u8 const in[], u8 const rk[],
  33. int rounds, int blocks, u8 iv[]);
  34. asmlinkage void aesbs_xts_decrypt(u8 out[], u8 const in[], u8 const rk[],
  35. int rounds, int blocks, u8 iv[]);
  36. /* borrowed from aes-neon-blk.ko */
  37. asmlinkage void neon_aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[],
  38. int rounds, int blocks);
  39. asmlinkage void neon_aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[],
  40. int rounds, int blocks, u8 iv[]);
  41. asmlinkage void neon_aes_ctr_encrypt(u8 out[], u8 const in[], u32 const rk[],
  42. int rounds, int bytes, u8 ctr[]);
  43. asmlinkage void neon_aes_xts_encrypt(u8 out[], u8 const in[],
  44. u32 const rk1[], int rounds, int bytes,
  45. u32 const rk2[], u8 iv[], int first);
  46. asmlinkage void neon_aes_xts_decrypt(u8 out[], u8 const in[],
  47. u32 const rk1[], int rounds, int bytes,
  48. u32 const rk2[], u8 iv[], int first);
  49. struct aesbs_ctx {
  50. u8 rk[13 * (8 * AES_BLOCK_SIZE) + 32];
  51. int rounds;
  52. } __aligned(AES_BLOCK_SIZE);
  53. struct aesbs_cbc_ctr_ctx {
  54. struct aesbs_ctx key;
  55. u32 enc[AES_MAX_KEYLENGTH_U32];
  56. };
  57. struct aesbs_xts_ctx {
  58. struct aesbs_ctx key;
  59. u32 twkey[AES_MAX_KEYLENGTH_U32];
  60. struct crypto_aes_ctx cts;
  61. };
  62. static int aesbs_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
  63. unsigned int key_len)
  64. {
  65. struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm);
  66. struct crypto_aes_ctx *rk;
  67. int err;
  68. rk = kmalloc(sizeof(*rk), GFP_KERNEL);
  69. if (!rk)
  70. return -ENOMEM;
  71. err = aes_expandkey(rk, in_key, key_len);
  72. if (err)
  73. goto out;
  74. ctx->rounds = 6 + key_len / 4;
  75. scoped_ksimd()
  76. aesbs_convert_key(ctx->rk, rk->key_enc, ctx->rounds);
  77. out:
  78. kfree_sensitive(rk);
  79. return err;
  80. }
  81. static int __ecb_crypt(struct skcipher_request *req,
  82. void (*fn)(u8 out[], u8 const in[], u8 const rk[],
  83. int rounds, int blocks))
  84. {
  85. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  86. struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm);
  87. struct skcipher_walk walk;
  88. int err;
  89. err = skcipher_walk_virt(&walk, req, false);
  90. while (walk.nbytes >= AES_BLOCK_SIZE) {
  91. unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
  92. if (walk.nbytes < walk.total)
  93. blocks = round_down(blocks,
  94. walk.stride / AES_BLOCK_SIZE);
  95. scoped_ksimd()
  96. fn(walk.dst.virt.addr, walk.src.virt.addr, ctx->rk,
  97. ctx->rounds, blocks);
  98. err = skcipher_walk_done(&walk,
  99. walk.nbytes - blocks * AES_BLOCK_SIZE);
  100. }
  101. return err;
  102. }
  103. static int ecb_encrypt(struct skcipher_request *req)
  104. {
  105. return __ecb_crypt(req, aesbs_ecb_encrypt);
  106. }
  107. static int ecb_decrypt(struct skcipher_request *req)
  108. {
  109. return __ecb_crypt(req, aesbs_ecb_decrypt);
  110. }
  111. static int aesbs_cbc_ctr_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
  112. unsigned int key_len)
  113. {
  114. struct aesbs_cbc_ctr_ctx *ctx = crypto_skcipher_ctx(tfm);
  115. struct crypto_aes_ctx *rk;
  116. int err;
  117. rk = kmalloc(sizeof(*rk), GFP_KERNEL);
  118. if (!rk)
  119. return -ENOMEM;
  120. err = aes_expandkey(rk, in_key, key_len);
  121. if (err)
  122. goto out;
  123. ctx->key.rounds = 6 + key_len / 4;
  124. memcpy(ctx->enc, rk->key_enc, sizeof(ctx->enc));
  125. scoped_ksimd()
  126. aesbs_convert_key(ctx->key.rk, rk->key_enc, ctx->key.rounds);
  127. out:
  128. kfree_sensitive(rk);
  129. return err;
  130. }
  131. static int cbc_encrypt(struct skcipher_request *req)
  132. {
  133. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  134. struct aesbs_cbc_ctr_ctx *ctx = crypto_skcipher_ctx(tfm);
  135. struct skcipher_walk walk;
  136. int err;
  137. err = skcipher_walk_virt(&walk, req, false);
  138. while (walk.nbytes >= AES_BLOCK_SIZE) {
  139. unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
  140. /* fall back to the non-bitsliced NEON implementation */
  141. scoped_ksimd()
  142. neon_aes_cbc_encrypt(walk.dst.virt.addr,
  143. walk.src.virt.addr,
  144. ctx->enc, ctx->key.rounds, blocks,
  145. walk.iv);
  146. err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE);
  147. }
  148. return err;
  149. }
  150. static int cbc_decrypt(struct skcipher_request *req)
  151. {
  152. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  153. struct aesbs_cbc_ctr_ctx *ctx = crypto_skcipher_ctx(tfm);
  154. struct skcipher_walk walk;
  155. int err;
  156. err = skcipher_walk_virt(&walk, req, false);
  157. while (walk.nbytes >= AES_BLOCK_SIZE) {
  158. unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
  159. if (walk.nbytes < walk.total)
  160. blocks = round_down(blocks,
  161. walk.stride / AES_BLOCK_SIZE);
  162. scoped_ksimd()
  163. aesbs_cbc_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
  164. ctx->key.rk, ctx->key.rounds, blocks,
  165. walk.iv);
  166. err = skcipher_walk_done(&walk,
  167. walk.nbytes - blocks * AES_BLOCK_SIZE);
  168. }
  169. return err;
  170. }
  171. static int ctr_encrypt(struct skcipher_request *req)
  172. {
  173. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  174. struct aesbs_cbc_ctr_ctx *ctx = crypto_skcipher_ctx(tfm);
  175. struct skcipher_walk walk;
  176. int err;
  177. err = skcipher_walk_virt(&walk, req, false);
  178. while (walk.nbytes > 0) {
  179. int blocks = (walk.nbytes / AES_BLOCK_SIZE) & ~7;
  180. int nbytes = walk.nbytes % (8 * AES_BLOCK_SIZE);
  181. const u8 *src = walk.src.virt.addr;
  182. u8 *dst = walk.dst.virt.addr;
  183. scoped_ksimd() {
  184. if (blocks >= 8) {
  185. aesbs_ctr_encrypt(dst, src, ctx->key.rk,
  186. ctx->key.rounds, blocks,
  187. walk.iv);
  188. dst += blocks * AES_BLOCK_SIZE;
  189. src += blocks * AES_BLOCK_SIZE;
  190. }
  191. if (nbytes && walk.nbytes == walk.total) {
  192. u8 buf[AES_BLOCK_SIZE];
  193. u8 *d = dst;
  194. if (unlikely(nbytes < AES_BLOCK_SIZE))
  195. src = dst = memcpy(buf + sizeof(buf) -
  196. nbytes, src, nbytes);
  197. neon_aes_ctr_encrypt(dst, src, ctx->enc,
  198. ctx->key.rounds, nbytes,
  199. walk.iv);
  200. if (unlikely(nbytes < AES_BLOCK_SIZE))
  201. memcpy(d, dst, nbytes);
  202. nbytes = 0;
  203. }
  204. }
  205. err = skcipher_walk_done(&walk, nbytes);
  206. }
  207. return err;
  208. }
  209. static int aesbs_xts_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
  210. unsigned int key_len)
  211. {
  212. struct aesbs_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
  213. struct crypto_aes_ctx rk;
  214. int err;
  215. err = xts_verify_key(tfm, in_key, key_len);
  216. if (err)
  217. return err;
  218. key_len /= 2;
  219. err = aes_expandkey(&ctx->cts, in_key, key_len);
  220. if (err)
  221. return err;
  222. err = aes_expandkey(&rk, in_key + key_len, key_len);
  223. if (err)
  224. return err;
  225. memcpy(ctx->twkey, rk.key_enc, sizeof(ctx->twkey));
  226. return aesbs_setkey(tfm, in_key, key_len);
  227. }
  228. static int __xts_crypt(struct skcipher_request *req, bool encrypt,
  229. void (*fn)(u8 out[], u8 const in[], u8 const rk[],
  230. int rounds, int blocks, u8 iv[]))
  231. {
  232. struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
  233. struct aesbs_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
  234. int tail = req->cryptlen % (8 * AES_BLOCK_SIZE);
  235. struct scatterlist sg_src[2], sg_dst[2];
  236. struct skcipher_request subreq;
  237. struct scatterlist *src, *dst;
  238. struct skcipher_walk walk;
  239. int nbytes, err;
  240. int first = 1;
  241. const u8 *in;
  242. u8 *out;
  243. if (req->cryptlen < AES_BLOCK_SIZE)
  244. return -EINVAL;
  245. /* ensure that the cts tail is covered by a single step */
  246. if (unlikely(tail > 0 && tail < AES_BLOCK_SIZE)) {
  247. int xts_blocks = DIV_ROUND_UP(req->cryptlen,
  248. AES_BLOCK_SIZE) - 2;
  249. skcipher_request_set_tfm(&subreq, tfm);
  250. skcipher_request_set_callback(&subreq,
  251. skcipher_request_flags(req),
  252. NULL, NULL);
  253. skcipher_request_set_crypt(&subreq, req->src, req->dst,
  254. xts_blocks * AES_BLOCK_SIZE,
  255. req->iv);
  256. req = &subreq;
  257. } else {
  258. tail = 0;
  259. }
  260. err = skcipher_walk_virt(&walk, req, false);
  261. if (err)
  262. return err;
  263. scoped_ksimd() {
  264. while (walk.nbytes >= AES_BLOCK_SIZE) {
  265. int blocks = (walk.nbytes / AES_BLOCK_SIZE) & ~7;
  266. out = walk.dst.virt.addr;
  267. in = walk.src.virt.addr;
  268. nbytes = walk.nbytes;
  269. if (blocks >= 8) {
  270. if (first == 1)
  271. neon_aes_ecb_encrypt(walk.iv, walk.iv,
  272. ctx->twkey,
  273. ctx->key.rounds, 1);
  274. first = 2;
  275. fn(out, in, ctx->key.rk, ctx->key.rounds, blocks,
  276. walk.iv);
  277. out += blocks * AES_BLOCK_SIZE;
  278. in += blocks * AES_BLOCK_SIZE;
  279. nbytes -= blocks * AES_BLOCK_SIZE;
  280. }
  281. if (walk.nbytes == walk.total && nbytes > 0) {
  282. if (encrypt)
  283. neon_aes_xts_encrypt(out, in, ctx->cts.key_enc,
  284. ctx->key.rounds, nbytes,
  285. ctx->twkey, walk.iv, first);
  286. else
  287. neon_aes_xts_decrypt(out, in, ctx->cts.key_dec,
  288. ctx->key.rounds, nbytes,
  289. ctx->twkey, walk.iv, first);
  290. nbytes = first = 0;
  291. }
  292. err = skcipher_walk_done(&walk, nbytes);
  293. }
  294. if (err || likely(!tail))
  295. return err;
  296. /* handle ciphertext stealing */
  297. dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen);
  298. if (req->dst != req->src)
  299. dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen);
  300. skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail,
  301. req->iv);
  302. err = skcipher_walk_virt(&walk, req, false);
  303. if (err)
  304. return err;
  305. out = walk.dst.virt.addr;
  306. in = walk.src.virt.addr;
  307. nbytes = walk.nbytes;
  308. if (encrypt)
  309. neon_aes_xts_encrypt(out, in, ctx->cts.key_enc,
  310. ctx->key.rounds, nbytes, ctx->twkey,
  311. walk.iv, first);
  312. else
  313. neon_aes_xts_decrypt(out, in, ctx->cts.key_dec,
  314. ctx->key.rounds, nbytes, ctx->twkey,
  315. walk.iv, first);
  316. }
  317. return skcipher_walk_done(&walk, 0);
  318. }
  319. static int xts_encrypt(struct skcipher_request *req)
  320. {
  321. return __xts_crypt(req, true, aesbs_xts_encrypt);
  322. }
  323. static int xts_decrypt(struct skcipher_request *req)
  324. {
  325. return __xts_crypt(req, false, aesbs_xts_decrypt);
  326. }
  327. static struct skcipher_alg aes_algs[] = { {
  328. .base.cra_name = "ecb(aes)",
  329. .base.cra_driver_name = "ecb-aes-neonbs",
  330. .base.cra_priority = 250,
  331. .base.cra_blocksize = AES_BLOCK_SIZE,
  332. .base.cra_ctxsize = sizeof(struct aesbs_ctx),
  333. .base.cra_module = THIS_MODULE,
  334. .min_keysize = AES_MIN_KEY_SIZE,
  335. .max_keysize = AES_MAX_KEY_SIZE,
  336. .walksize = 8 * AES_BLOCK_SIZE,
  337. .setkey = aesbs_setkey,
  338. .encrypt = ecb_encrypt,
  339. .decrypt = ecb_decrypt,
  340. }, {
  341. .base.cra_name = "cbc(aes)",
  342. .base.cra_driver_name = "cbc-aes-neonbs",
  343. .base.cra_priority = 250,
  344. .base.cra_blocksize = AES_BLOCK_SIZE,
  345. .base.cra_ctxsize = sizeof(struct aesbs_cbc_ctr_ctx),
  346. .base.cra_module = THIS_MODULE,
  347. .min_keysize = AES_MIN_KEY_SIZE,
  348. .max_keysize = AES_MAX_KEY_SIZE,
  349. .walksize = 8 * AES_BLOCK_SIZE,
  350. .ivsize = AES_BLOCK_SIZE,
  351. .setkey = aesbs_cbc_ctr_setkey,
  352. .encrypt = cbc_encrypt,
  353. .decrypt = cbc_decrypt,
  354. }, {
  355. .base.cra_name = "ctr(aes)",
  356. .base.cra_driver_name = "ctr-aes-neonbs",
  357. .base.cra_priority = 250,
  358. .base.cra_blocksize = 1,
  359. .base.cra_ctxsize = sizeof(struct aesbs_cbc_ctr_ctx),
  360. .base.cra_module = THIS_MODULE,
  361. .min_keysize = AES_MIN_KEY_SIZE,
  362. .max_keysize = AES_MAX_KEY_SIZE,
  363. .chunksize = AES_BLOCK_SIZE,
  364. .walksize = 8 * AES_BLOCK_SIZE,
  365. .ivsize = AES_BLOCK_SIZE,
  366. .setkey = aesbs_cbc_ctr_setkey,
  367. .encrypt = ctr_encrypt,
  368. .decrypt = ctr_encrypt,
  369. }, {
  370. .base.cra_name = "xts(aes)",
  371. .base.cra_driver_name = "xts-aes-neonbs",
  372. .base.cra_priority = 250,
  373. .base.cra_blocksize = AES_BLOCK_SIZE,
  374. .base.cra_ctxsize = sizeof(struct aesbs_xts_ctx),
  375. .base.cra_module = THIS_MODULE,
  376. .min_keysize = 2 * AES_MIN_KEY_SIZE,
  377. .max_keysize = 2 * AES_MAX_KEY_SIZE,
  378. .walksize = 8 * AES_BLOCK_SIZE,
  379. .ivsize = AES_BLOCK_SIZE,
  380. .setkey = aesbs_xts_setkey,
  381. .encrypt = xts_encrypt,
  382. .decrypt = xts_decrypt,
  383. } };
  384. static void aes_exit(void)
  385. {
  386. crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
  387. }
  388. static int __init aes_init(void)
  389. {
  390. if (!cpu_have_named_feature(ASIMD))
  391. return -ENODEV;
  392. return crypto_register_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
  393. }
  394. module_init(aes_init);
  395. module_exit(aes_exit);