padlock-sha.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * Cryptographic API.
  4. *
  5. * Support for VIA PadLock hardware crypto engine.
  6. *
  7. * Copyright (c) 2006 Michal Ludvig <michal@logix.cz>
  8. */
  9. #include <asm/cpu_device_id.h>
  10. #include <crypto/internal/hash.h>
  11. #include <crypto/padlock.h>
  12. #include <crypto/sha1.h>
  13. #include <crypto/sha2.h>
  14. #include <linux/cpufeature.h>
  15. #include <linux/err.h>
  16. #include <linux/kernel.h>
  17. #include <linux/module.h>
  18. #define PADLOCK_SHA_DESCSIZE (128 + ((PADLOCK_ALIGNMENT - 1) & \
  19. ~(CRYPTO_MINALIGN - 1)))
  20. struct padlock_sha_ctx {
  21. struct crypto_ahash *fallback;
  22. };
  23. static inline void *padlock_shash_desc_ctx(struct shash_desc *desc)
  24. {
  25. return PTR_ALIGN(shash_desc_ctx(desc), PADLOCK_ALIGNMENT);
  26. }
  27. static int padlock_sha1_init(struct shash_desc *desc)
  28. {
  29. struct sha1_state *sctx = padlock_shash_desc_ctx(desc);
  30. *sctx = (struct sha1_state){
  31. .state = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
  32. };
  33. return 0;
  34. }
  35. static int padlock_sha256_init(struct shash_desc *desc)
  36. {
  37. struct crypto_sha256_state *sctx = padlock_shash_desc_ctx(desc);
  38. sha256_block_init(sctx);
  39. return 0;
  40. }
  41. static int padlock_sha_update(struct shash_desc *desc,
  42. const u8 *data, unsigned int length)
  43. {
  44. u8 *state = padlock_shash_desc_ctx(desc);
  45. struct crypto_shash *tfm = desc->tfm;
  46. int err, remain;
  47. remain = length - round_down(length, crypto_shash_blocksize(tfm));
  48. {
  49. struct padlock_sha_ctx *ctx = crypto_shash_ctx(tfm);
  50. HASH_REQUEST_ON_STACK(req, ctx->fallback);
  51. ahash_request_set_callback(req, 0, NULL, NULL);
  52. ahash_request_set_virt(req, data, NULL, length - remain);
  53. err = crypto_ahash_import_core(req, state) ?:
  54. crypto_ahash_update(req) ?:
  55. crypto_ahash_export_core(req, state);
  56. HASH_REQUEST_ZERO(req);
  57. }
  58. return err ?: remain;
  59. }
  60. static int padlock_sha_export(struct shash_desc *desc, void *out)
  61. {
  62. memcpy(out, padlock_shash_desc_ctx(desc),
  63. crypto_shash_coresize(desc->tfm));
  64. return 0;
  65. }
  66. static int padlock_sha_import(struct shash_desc *desc, const void *in)
  67. {
  68. unsigned int bs = crypto_shash_blocksize(desc->tfm);
  69. unsigned int ss = crypto_shash_coresize(desc->tfm);
  70. u64 *state = padlock_shash_desc_ctx(desc);
  71. memcpy(state, in, ss);
  72. /* Stop evil imports from generating a fault. */
  73. state[ss / 8 - 1] &= ~(bs - 1);
  74. return 0;
  75. }
  76. static inline void padlock_output_block(uint32_t *src,
  77. uint32_t *dst, size_t count)
  78. {
  79. while (count--)
  80. *dst++ = swab32(*src++);
  81. }
  82. static int padlock_sha_finup(struct shash_desc *desc, const u8 *in,
  83. unsigned int count, u8 *out)
  84. {
  85. struct padlock_sha_ctx *ctx = crypto_shash_ctx(desc->tfm);
  86. HASH_REQUEST_ON_STACK(req, ctx->fallback);
  87. ahash_request_set_callback(req, 0, NULL, NULL);
  88. ahash_request_set_virt(req, in, out, count);
  89. return crypto_ahash_import_core(req, padlock_shash_desc_ctx(desc)) ?:
  90. crypto_ahash_finup(req);
  91. }
  92. static int padlock_sha1_finup(struct shash_desc *desc, const u8 *in,
  93. unsigned int count, u8 *out)
  94. {
  95. /* We can't store directly to *out as it may be unaligned. */
  96. /* BTW Don't reduce the buffer size below 128 Bytes!
  97. * PadLock microcode needs it that big. */
  98. struct sha1_state *state = padlock_shash_desc_ctx(desc);
  99. u64 start = state->count;
  100. if (start + count > ULONG_MAX)
  101. return padlock_sha_finup(desc, in, count, out);
  102. asm volatile (".byte 0xf3,0x0f,0xa6,0xc8" /* rep xsha1 */
  103. : \
  104. : "c"((unsigned long)start + count), \
  105. "a"((unsigned long)start), \
  106. "S"(in), "D"(state));
  107. padlock_output_block(state->state, (uint32_t *)out, 5);
  108. return 0;
  109. }
  110. static int padlock_sha256_finup(struct shash_desc *desc, const u8 *in,
  111. unsigned int count, u8 *out)
  112. {
  113. /* We can't store directly to *out as it may be unaligned. */
  114. /* BTW Don't reduce the buffer size below 128 Bytes!
  115. * PadLock microcode needs it that big. */
  116. struct sha256_state *state = padlock_shash_desc_ctx(desc);
  117. u64 start = state->count;
  118. if (start + count > ULONG_MAX)
  119. return padlock_sha_finup(desc, in, count, out);
  120. asm volatile (".byte 0xf3,0x0f,0xa6,0xd0" /* rep xsha256 */
  121. : \
  122. : "c"((unsigned long)start + count), \
  123. "a"((unsigned long)start), \
  124. "S"(in), "D"(state));
  125. padlock_output_block(state->state, (uint32_t *)out, 8);
  126. return 0;
  127. }
  128. static int padlock_init_tfm(struct crypto_shash *hash)
  129. {
  130. const char *fallback_driver_name = crypto_shash_alg_name(hash);
  131. struct padlock_sha_ctx *ctx = crypto_shash_ctx(hash);
  132. struct crypto_ahash *fallback_tfm;
  133. /* Allocate a fallback and abort if it failed. */
  134. fallback_tfm = crypto_alloc_ahash(fallback_driver_name, 0,
  135. CRYPTO_ALG_NEED_FALLBACK |
  136. CRYPTO_ALG_ASYNC);
  137. if (IS_ERR(fallback_tfm)) {
  138. printk(KERN_WARNING PFX "Fallback driver '%s' could not be loaded!\n",
  139. fallback_driver_name);
  140. return PTR_ERR(fallback_tfm);
  141. }
  142. if (crypto_shash_statesize(hash) !=
  143. crypto_ahash_statesize(fallback_tfm)) {
  144. crypto_free_ahash(fallback_tfm);
  145. return -EINVAL;
  146. }
  147. ctx->fallback = fallback_tfm;
  148. return 0;
  149. }
  150. static void padlock_exit_tfm(struct crypto_shash *hash)
  151. {
  152. struct padlock_sha_ctx *ctx = crypto_shash_ctx(hash);
  153. crypto_free_ahash(ctx->fallback);
  154. }
  155. static struct shash_alg sha1_alg = {
  156. .digestsize = SHA1_DIGEST_SIZE,
  157. .init = padlock_sha1_init,
  158. .update = padlock_sha_update,
  159. .finup = padlock_sha1_finup,
  160. .export = padlock_sha_export,
  161. .import = padlock_sha_import,
  162. .init_tfm = padlock_init_tfm,
  163. .exit_tfm = padlock_exit_tfm,
  164. .descsize = PADLOCK_SHA_DESCSIZE,
  165. .statesize = SHA1_STATE_SIZE,
  166. .base = {
  167. .cra_name = "sha1",
  168. .cra_driver_name = "sha1-padlock",
  169. .cra_priority = PADLOCK_CRA_PRIORITY,
  170. .cra_flags = CRYPTO_ALG_NEED_FALLBACK |
  171. CRYPTO_AHASH_ALG_BLOCK_ONLY |
  172. CRYPTO_AHASH_ALG_FINUP_MAX,
  173. .cra_blocksize = SHA1_BLOCK_SIZE,
  174. .cra_ctxsize = sizeof(struct padlock_sha_ctx),
  175. .cra_module = THIS_MODULE,
  176. }
  177. };
  178. static struct shash_alg sha256_alg = {
  179. .digestsize = SHA256_DIGEST_SIZE,
  180. .init = padlock_sha256_init,
  181. .update = padlock_sha_update,
  182. .finup = padlock_sha256_finup,
  183. .init_tfm = padlock_init_tfm,
  184. .export = padlock_sha_export,
  185. .import = padlock_sha_import,
  186. .exit_tfm = padlock_exit_tfm,
  187. .descsize = PADLOCK_SHA_DESCSIZE,
  188. .statesize = sizeof(struct crypto_sha256_state),
  189. .base = {
  190. .cra_name = "sha256",
  191. .cra_driver_name = "sha256-padlock",
  192. .cra_priority = PADLOCK_CRA_PRIORITY,
  193. .cra_flags = CRYPTO_ALG_NEED_FALLBACK |
  194. CRYPTO_AHASH_ALG_BLOCK_ONLY |
  195. CRYPTO_AHASH_ALG_FINUP_MAX,
  196. .cra_blocksize = SHA256_BLOCK_SIZE,
  197. .cra_ctxsize = sizeof(struct padlock_sha_ctx),
  198. .cra_module = THIS_MODULE,
  199. }
  200. };
  201. /* Add two shash_alg instance for hardware-implemented *
  202. * multiple-parts hash supported by VIA Nano Processor.*/
  203. static int padlock_sha1_update_nano(struct shash_desc *desc,
  204. const u8 *src, unsigned int len)
  205. {
  206. /*The PHE require the out buffer must 128 bytes and 16-bytes aligned*/
  207. struct sha1_state *state = padlock_shash_desc_ctx(desc);
  208. int blocks = len / SHA1_BLOCK_SIZE;
  209. len -= blocks * SHA1_BLOCK_SIZE;
  210. state->count += blocks * SHA1_BLOCK_SIZE;
  211. /* Process the left bytes from the input data */
  212. asm volatile (".byte 0xf3,0x0f,0xa6,0xc8"
  213. : "+S"(src), "+D"(state)
  214. : "a"((long)-1),
  215. "c"((unsigned long)blocks));
  216. return len;
  217. }
  218. static int padlock_sha256_update_nano(struct shash_desc *desc, const u8 *src,
  219. unsigned int len)
  220. {
  221. /*The PHE require the out buffer must 128 bytes and 16-bytes aligned*/
  222. struct crypto_sha256_state *state = padlock_shash_desc_ctx(desc);
  223. int blocks = len / SHA256_BLOCK_SIZE;
  224. len -= blocks * SHA256_BLOCK_SIZE;
  225. state->count += blocks * SHA256_BLOCK_SIZE;
  226. /* Process the left bytes from input data*/
  227. asm volatile (".byte 0xf3,0x0f,0xa6,0xd0"
  228. : "+S"(src), "+D"(state)
  229. : "a"((long)-1),
  230. "c"((unsigned long)blocks));
  231. return len;
  232. }
  233. static struct shash_alg sha1_alg_nano = {
  234. .digestsize = SHA1_DIGEST_SIZE,
  235. .init = padlock_sha1_init,
  236. .update = padlock_sha1_update_nano,
  237. .finup = padlock_sha1_finup,
  238. .export = padlock_sha_export,
  239. .import = padlock_sha_import,
  240. .descsize = PADLOCK_SHA_DESCSIZE,
  241. .statesize = SHA1_STATE_SIZE,
  242. .base = {
  243. .cra_name = "sha1",
  244. .cra_driver_name = "sha1-padlock-nano",
  245. .cra_priority = PADLOCK_CRA_PRIORITY,
  246. .cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY |
  247. CRYPTO_AHASH_ALG_FINUP_MAX,
  248. .cra_blocksize = SHA1_BLOCK_SIZE,
  249. .cra_module = THIS_MODULE,
  250. }
  251. };
  252. static struct shash_alg sha256_alg_nano = {
  253. .digestsize = SHA256_DIGEST_SIZE,
  254. .init = padlock_sha256_init,
  255. .update = padlock_sha256_update_nano,
  256. .finup = padlock_sha256_finup,
  257. .export = padlock_sha_export,
  258. .import = padlock_sha_import,
  259. .descsize = PADLOCK_SHA_DESCSIZE,
  260. .statesize = sizeof(struct crypto_sha256_state),
  261. .base = {
  262. .cra_name = "sha256",
  263. .cra_driver_name = "sha256-padlock-nano",
  264. .cra_priority = PADLOCK_CRA_PRIORITY,
  265. .cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY |
  266. CRYPTO_AHASH_ALG_FINUP_MAX,
  267. .cra_blocksize = SHA256_BLOCK_SIZE,
  268. .cra_module = THIS_MODULE,
  269. }
  270. };
  271. static const struct x86_cpu_id padlock_sha_ids[] = {
  272. X86_MATCH_FEATURE(X86_FEATURE_PHE, NULL),
  273. {}
  274. };
  275. MODULE_DEVICE_TABLE(x86cpu, padlock_sha_ids);
  276. static int __init padlock_init(void)
  277. {
  278. int rc = -ENODEV;
  279. struct cpuinfo_x86 *c = &cpu_data(0);
  280. struct shash_alg *sha1;
  281. struct shash_alg *sha256;
  282. if (!x86_match_cpu(padlock_sha_ids) || !boot_cpu_has(X86_FEATURE_PHE_EN))
  283. return -ENODEV;
  284. /*
  285. * Skip family 0x07 and newer used by Zhaoxin processors,
  286. * as the driver's self-tests fail on these CPUs.
  287. */
  288. if (c->x86 >= 0x07)
  289. return -ENODEV;
  290. /* Register the newly added algorithm module if on *
  291. * VIA Nano processor, or else just do as before */
  292. if (c->x86_model < 0x0f) {
  293. sha1 = &sha1_alg;
  294. sha256 = &sha256_alg;
  295. } else {
  296. sha1 = &sha1_alg_nano;
  297. sha256 = &sha256_alg_nano;
  298. }
  299. rc = crypto_register_shash(sha1);
  300. if (rc)
  301. goto out;
  302. rc = crypto_register_shash(sha256);
  303. if (rc)
  304. goto out_unreg1;
  305. printk(KERN_NOTICE PFX "Using VIA PadLock ACE for SHA1/SHA256 algorithms.\n");
  306. return 0;
  307. out_unreg1:
  308. crypto_unregister_shash(sha1);
  309. out:
  310. printk(KERN_ERR PFX "VIA PadLock SHA1/SHA256 initialization failed.\n");
  311. return rc;
  312. }
  313. static void __exit padlock_fini(void)
  314. {
  315. struct cpuinfo_x86 *c = &cpu_data(0);
  316. if (c->x86_model >= 0x0f) {
  317. crypto_unregister_shash(&sha1_alg_nano);
  318. crypto_unregister_shash(&sha256_alg_nano);
  319. } else {
  320. crypto_unregister_shash(&sha1_alg);
  321. crypto_unregister_shash(&sha256_alg);
  322. }
  323. }
  324. module_init(padlock_init);
  325. module_exit(padlock_fini);
  326. MODULE_DESCRIPTION("VIA PadLock SHA1/SHA256 algorithms support.");
  327. MODULE_LICENSE("GPL");
  328. MODULE_AUTHOR("Michal Ludvig");
  329. MODULE_ALIAS_CRYPTO("sha1-all");
  330. MODULE_ALIAS_CRYPTO("sha256-all");
  331. MODULE_ALIAS_CRYPTO("sha1-padlock");
  332. MODULE_ALIAS_CRYPTO("sha256-padlock");