sm4-ce-gcm-glue.c 6.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262
  1. /* SPDX-License-Identifier: GPL-2.0-or-later */
  2. /*
  3. * SM4-GCM AEAD Algorithm using ARMv8 Crypto Extensions
  4. * as specified in rfc8998
  5. * https://datatracker.ietf.org/doc/html/rfc8998
  6. *
  7. * Copyright (C) 2022 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
  8. */
  9. #include <linux/module.h>
  10. #include <linux/crypto.h>
  11. #include <linux/kernel.h>
  12. #include <linux/cpufeature.h>
  13. #include <asm/simd.h>
  14. #include <crypto/b128ops.h>
  15. #include <crypto/scatterwalk.h>
  16. #include <crypto/internal/aead.h>
  17. #include <crypto/internal/skcipher.h>
  18. #include <crypto/sm4.h>
  19. #include "sm4-ce.h"
  20. asmlinkage void sm4_ce_pmull_ghash_setup(const u32 *rkey_enc, u8 *ghash_table);
  21. asmlinkage void pmull_ghash_update(const u8 *ghash_table, u8 *ghash,
  22. const u8 *src, unsigned int nblocks);
  23. asmlinkage void sm4_ce_pmull_gcm_enc(const u32 *rkey_enc, u8 *dst,
  24. const u8 *src, u8 *iv,
  25. unsigned int nbytes, u8 *ghash,
  26. const u8 *ghash_table, const u8 *lengths);
  27. asmlinkage void sm4_ce_pmull_gcm_dec(const u32 *rkey_enc, u8 *dst,
  28. const u8 *src, u8 *iv,
  29. unsigned int nbytes, u8 *ghash,
  30. const u8 *ghash_table, const u8 *lengths);
  31. #define GHASH_BLOCK_SIZE 16
  32. #define GCM_IV_SIZE 12
  33. struct sm4_gcm_ctx {
  34. struct sm4_ctx key;
  35. u8 ghash_table[16 * 4];
  36. };
  37. static int gcm_setkey(struct crypto_aead *tfm, const u8 *key,
  38. unsigned int key_len)
  39. {
  40. struct sm4_gcm_ctx *ctx = crypto_aead_ctx(tfm);
  41. if (key_len != SM4_KEY_SIZE)
  42. return -EINVAL;
  43. scoped_ksimd() {
  44. sm4_ce_expand_key(key, ctx->key.rkey_enc, ctx->key.rkey_dec,
  45. crypto_sm4_fk, crypto_sm4_ck);
  46. sm4_ce_pmull_ghash_setup(ctx->key.rkey_enc, ctx->ghash_table);
  47. }
  48. return 0;
  49. }
  50. static int gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
  51. {
  52. switch (authsize) {
  53. case 4:
  54. case 8:
  55. case 12 ... 16:
  56. return 0;
  57. default:
  58. return -EINVAL;
  59. }
  60. }
  61. static void gcm_calculate_auth_mac(struct aead_request *req, u8 ghash[])
  62. {
  63. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  64. struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead);
  65. u8 __aligned(8) buffer[GHASH_BLOCK_SIZE];
  66. u32 assoclen = req->assoclen;
  67. struct scatter_walk walk;
  68. unsigned int buflen = 0;
  69. scatterwalk_start(&walk, req->src);
  70. do {
  71. unsigned int n, orig_n;
  72. const u8 *p;
  73. orig_n = scatterwalk_next(&walk, assoclen);
  74. p = walk.addr;
  75. n = orig_n;
  76. if (n + buflen < GHASH_BLOCK_SIZE) {
  77. memcpy(&buffer[buflen], p, n);
  78. buflen += n;
  79. } else {
  80. unsigned int nblocks;
  81. if (buflen) {
  82. unsigned int l = GHASH_BLOCK_SIZE - buflen;
  83. memcpy(&buffer[buflen], p, l);
  84. p += l;
  85. n -= l;
  86. pmull_ghash_update(ctx->ghash_table, ghash,
  87. buffer, 1);
  88. }
  89. nblocks = n / GHASH_BLOCK_SIZE;
  90. if (nblocks) {
  91. pmull_ghash_update(ctx->ghash_table, ghash,
  92. p, nblocks);
  93. p += nblocks * GHASH_BLOCK_SIZE;
  94. }
  95. buflen = n % GHASH_BLOCK_SIZE;
  96. if (buflen)
  97. memcpy(&buffer[0], p, buflen);
  98. }
  99. scatterwalk_done_src(&walk, orig_n);
  100. assoclen -= orig_n;
  101. } while (assoclen);
  102. /* padding with '0' */
  103. if (buflen) {
  104. memset(&buffer[buflen], 0, GHASH_BLOCK_SIZE - buflen);
  105. pmull_ghash_update(ctx->ghash_table, ghash, buffer, 1);
  106. }
  107. }
  108. static int gcm_crypt(struct aead_request *req, struct skcipher_walk *walk,
  109. u8 ghash[], int err,
  110. void (*sm4_ce_pmull_gcm_crypt)(const u32 *rkey_enc,
  111. u8 *dst, const u8 *src, u8 *iv,
  112. unsigned int nbytes, u8 *ghash,
  113. const u8 *ghash_table, const u8 *lengths))
  114. {
  115. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  116. struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead);
  117. u8 __aligned(8) iv[SM4_BLOCK_SIZE];
  118. be128 __aligned(8) lengths;
  119. memset(ghash, 0, SM4_BLOCK_SIZE);
  120. lengths.a = cpu_to_be64(req->assoclen * 8);
  121. lengths.b = cpu_to_be64(walk->total * 8);
  122. memcpy(iv, req->iv, GCM_IV_SIZE);
  123. put_unaligned_be32(2, iv + GCM_IV_SIZE);
  124. scoped_ksimd() {
  125. if (req->assoclen)
  126. gcm_calculate_auth_mac(req, ghash);
  127. do {
  128. unsigned int tail = walk->nbytes % SM4_BLOCK_SIZE;
  129. const u8 *src = walk->src.virt.addr;
  130. u8 *dst = walk->dst.virt.addr;
  131. const u8 *l = NULL;
  132. if (walk->nbytes == walk->total) {
  133. l = (const u8 *)&lengths;
  134. tail = 0;
  135. }
  136. sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, dst, src, iv,
  137. walk->nbytes - tail, ghash,
  138. ctx->ghash_table, l);
  139. err = skcipher_walk_done(walk, tail);
  140. } while (walk->nbytes);
  141. }
  142. return err;
  143. }
  144. static int gcm_encrypt(struct aead_request *req)
  145. {
  146. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  147. u8 __aligned(8) ghash[SM4_BLOCK_SIZE];
  148. struct skcipher_walk walk;
  149. int err;
  150. err = skcipher_walk_aead_encrypt(&walk, req, false);
  151. err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_enc);
  152. if (err)
  153. return err;
  154. /* copy authtag to end of dst */
  155. scatterwalk_map_and_copy(ghash, req->dst, req->assoclen + req->cryptlen,
  156. crypto_aead_authsize(aead), 1);
  157. return 0;
  158. }
  159. static int gcm_decrypt(struct aead_request *req)
  160. {
  161. struct crypto_aead *aead = crypto_aead_reqtfm(req);
  162. unsigned int authsize = crypto_aead_authsize(aead);
  163. u8 __aligned(8) ghash[SM4_BLOCK_SIZE];
  164. u8 authtag[SM4_BLOCK_SIZE];
  165. struct skcipher_walk walk;
  166. int err;
  167. err = skcipher_walk_aead_decrypt(&walk, req, false);
  168. err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_dec);
  169. if (err)
  170. return err;
  171. /* compare calculated auth tag with the stored one */
  172. scatterwalk_map_and_copy(authtag, req->src,
  173. req->assoclen + req->cryptlen - authsize,
  174. authsize, 0);
  175. if (crypto_memneq(authtag, ghash, authsize))
  176. return -EBADMSG;
  177. return 0;
  178. }
  179. static struct aead_alg sm4_gcm_alg = {
  180. .base = {
  181. .cra_name = "gcm(sm4)",
  182. .cra_driver_name = "gcm-sm4-ce",
  183. .cra_priority = 400,
  184. .cra_blocksize = 1,
  185. .cra_ctxsize = sizeof(struct sm4_gcm_ctx),
  186. .cra_module = THIS_MODULE,
  187. },
  188. .ivsize = GCM_IV_SIZE,
  189. .chunksize = SM4_BLOCK_SIZE,
  190. .maxauthsize = SM4_BLOCK_SIZE,
  191. .setkey = gcm_setkey,
  192. .setauthsize = gcm_setauthsize,
  193. .encrypt = gcm_encrypt,
  194. .decrypt = gcm_decrypt,
  195. };
  196. static int __init sm4_ce_gcm_init(void)
  197. {
  198. if (!cpu_have_named_feature(PMULL))
  199. return -ENODEV;
  200. return crypto_register_aead(&sm4_gcm_alg);
  201. }
  202. static void __exit sm4_ce_gcm_exit(void)
  203. {
  204. crypto_unregister_aead(&sm4_gcm_alg);
  205. }
  206. static const struct cpu_feature __maybe_unused sm4_ce_gcm_cpu_feature[] = {
  207. { cpu_feature(PMULL) },
  208. {}
  209. };
  210. MODULE_DEVICE_TABLE(cpu, sm4_ce_gcm_cpu_feature);
  211. module_cpu_feature_match(SM4, sm4_ce_gcm_init);
  212. module_exit(sm4_ce_gcm_exit);
  213. MODULE_DESCRIPTION("Synchronous SM4 in GCM mode using ARMv8 Crypto Extensions");
  214. MODULE_ALIAS_CRYPTO("gcm(sm4)");
  215. MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>");
  216. MODULE_LICENSE("GPL v2");