| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151 |
- /* SPDX-License-Identifier: GPL-2.0-or-later */
- /*
- * SHA-3 optimized using the CP Assist for Cryptographic Functions (CPACF)
- *
- * Copyright 2025 Google LLC
- */
- #include <asm/cpacf.h>
- #include <linux/cpufeature.h>
- static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sha3);
- static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sha3_init_optim);
- static void sha3_absorb_blocks(struct sha3_state *state, const u8 *data,
- size_t nblocks, size_t block_size)
- {
- if (static_branch_likely(&have_sha3)) {
- /*
- * Note that KIMD assumes little-endian order of the state
- * words. sha3_state already uses that order, though, so
- * there's no need for a byteswap.
- */
- switch (block_size) {
- case SHA3_224_BLOCK_SIZE:
- cpacf_kimd(CPACF_KIMD_SHA3_224, state,
- data, nblocks * block_size);
- return;
- case SHA3_256_BLOCK_SIZE:
- /*
- * This case handles both SHA3-256 and SHAKE256, since
- * they have the same block size.
- */
- cpacf_kimd(CPACF_KIMD_SHA3_256, state,
- data, nblocks * block_size);
- return;
- case SHA3_384_BLOCK_SIZE:
- cpacf_kimd(CPACF_KIMD_SHA3_384, state,
- data, nblocks * block_size);
- return;
- case SHA3_512_BLOCK_SIZE:
- cpacf_kimd(CPACF_KIMD_SHA3_512, state,
- data, nblocks * block_size);
- return;
- }
- }
- sha3_absorb_blocks_generic(state, data, nblocks, block_size);
- }
- static void sha3_keccakf(struct sha3_state *state)
- {
- if (static_branch_likely(&have_sha3)) {
- /*
- * Passing zeroes into any of CPACF_KIMD_SHA3_* gives the plain
- * Keccak-f permutation, which is what we want here. Use
- * SHA3-512 since it has the smallest block size.
- */
- static const u8 zeroes[SHA3_512_BLOCK_SIZE];
- cpacf_kimd(CPACF_KIMD_SHA3_512, state, zeroes, sizeof(zeroes));
- } else {
- sha3_keccakf_generic(state);
- }
- }
- static inline bool s390_sha3(int func, const u8 *in, size_t in_len,
- u8 *out, size_t out_len)
- {
- struct sha3_state state;
- if (!static_branch_likely(&have_sha3))
- return false;
- if (static_branch_likely(&have_sha3_init_optim))
- func |= CPACF_KLMD_NIP | CPACF_KLMD_DUFOP;
- else
- memset(&state, 0, sizeof(state));
- cpacf_klmd(func, &state, in, in_len);
- if (static_branch_likely(&have_sha3_init_optim))
- kmsan_unpoison_memory(&state, out_len);
- memcpy(out, &state, out_len);
- memzero_explicit(&state, sizeof(state));
- return true;
- }
- #define sha3_224_arch sha3_224_arch
- static bool sha3_224_arch(const u8 *in, size_t in_len,
- u8 out[SHA3_224_DIGEST_SIZE])
- {
- return s390_sha3(CPACF_KLMD_SHA3_224, in, in_len,
- out, SHA3_224_DIGEST_SIZE);
- }
- #define sha3_256_arch sha3_256_arch
- static bool sha3_256_arch(const u8 *in, size_t in_len,
- u8 out[SHA3_256_DIGEST_SIZE])
- {
- return s390_sha3(CPACF_KLMD_SHA3_256, in, in_len,
- out, SHA3_256_DIGEST_SIZE);
- }
- #define sha3_384_arch sha3_384_arch
- static bool sha3_384_arch(const u8 *in, size_t in_len,
- u8 out[SHA3_384_DIGEST_SIZE])
- {
- return s390_sha3(CPACF_KLMD_SHA3_384, in, in_len,
- out, SHA3_384_DIGEST_SIZE);
- }
- #define sha3_512_arch sha3_512_arch
- static bool sha3_512_arch(const u8 *in, size_t in_len,
- u8 out[SHA3_512_DIGEST_SIZE])
- {
- return s390_sha3(CPACF_KLMD_SHA3_512, in, in_len,
- out, SHA3_512_DIGEST_SIZE);
- }
- #define sha3_mod_init_arch sha3_mod_init_arch
- static void sha3_mod_init_arch(void)
- {
- int num_present = 0;
- int num_possible = 0;
- if (!cpu_have_feature(S390_CPU_FEATURE_MSA))
- return;
- /*
- * Since all the SHA-3 functions are in Message-Security-Assist
- * Extension 6, just treat them as all or nothing. This way we need
- * only one static_key.
- */
- #define QUERY(opcode, func) \
- ({ num_present += !!cpacf_query_func(opcode, func); num_possible++; })
- QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_224);
- QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_256);
- QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_384);
- QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_512);
- QUERY(CPACF_KLMD, CPACF_KLMD_SHA3_224);
- QUERY(CPACF_KLMD, CPACF_KLMD_SHA3_256);
- QUERY(CPACF_KLMD, CPACF_KLMD_SHA3_384);
- QUERY(CPACF_KLMD, CPACF_KLMD_SHA3_512);
- #undef QUERY
- if (num_present == num_possible) {
- static_branch_enable(&have_sha3);
- if (test_facility(86))
- static_branch_enable(&have_sha3_init_optim);
- } else if (num_present != 0) {
- pr_warn("Unsupported combination of SHA-3 facilities\n");
- }
- }
|