sha3.h 4.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151
  1. /* SPDX-License-Identifier: GPL-2.0-or-later */
  2. /*
  3. * SHA-3 optimized using the CP Assist for Cryptographic Functions (CPACF)
  4. *
  5. * Copyright 2025 Google LLC
  6. */
  7. #include <asm/cpacf.h>
  8. #include <linux/cpufeature.h>
  9. static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sha3);
  10. static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sha3_init_optim);
  11. static void sha3_absorb_blocks(struct sha3_state *state, const u8 *data,
  12. size_t nblocks, size_t block_size)
  13. {
  14. if (static_branch_likely(&have_sha3)) {
  15. /*
  16. * Note that KIMD assumes little-endian order of the state
  17. * words. sha3_state already uses that order, though, so
  18. * there's no need for a byteswap.
  19. */
  20. switch (block_size) {
  21. case SHA3_224_BLOCK_SIZE:
  22. cpacf_kimd(CPACF_KIMD_SHA3_224, state,
  23. data, nblocks * block_size);
  24. return;
  25. case SHA3_256_BLOCK_SIZE:
  26. /*
  27. * This case handles both SHA3-256 and SHAKE256, since
  28. * they have the same block size.
  29. */
  30. cpacf_kimd(CPACF_KIMD_SHA3_256, state,
  31. data, nblocks * block_size);
  32. return;
  33. case SHA3_384_BLOCK_SIZE:
  34. cpacf_kimd(CPACF_KIMD_SHA3_384, state,
  35. data, nblocks * block_size);
  36. return;
  37. case SHA3_512_BLOCK_SIZE:
  38. cpacf_kimd(CPACF_KIMD_SHA3_512, state,
  39. data, nblocks * block_size);
  40. return;
  41. }
  42. }
  43. sha3_absorb_blocks_generic(state, data, nblocks, block_size);
  44. }
  45. static void sha3_keccakf(struct sha3_state *state)
  46. {
  47. if (static_branch_likely(&have_sha3)) {
  48. /*
  49. * Passing zeroes into any of CPACF_KIMD_SHA3_* gives the plain
  50. * Keccak-f permutation, which is what we want here. Use
  51. * SHA3-512 since it has the smallest block size.
  52. */
  53. static const u8 zeroes[SHA3_512_BLOCK_SIZE];
  54. cpacf_kimd(CPACF_KIMD_SHA3_512, state, zeroes, sizeof(zeroes));
  55. } else {
  56. sha3_keccakf_generic(state);
  57. }
  58. }
  59. static inline bool s390_sha3(int func, const u8 *in, size_t in_len,
  60. u8 *out, size_t out_len)
  61. {
  62. struct sha3_state state;
  63. if (!static_branch_likely(&have_sha3))
  64. return false;
  65. if (static_branch_likely(&have_sha3_init_optim))
  66. func |= CPACF_KLMD_NIP | CPACF_KLMD_DUFOP;
  67. else
  68. memset(&state, 0, sizeof(state));
  69. cpacf_klmd(func, &state, in, in_len);
  70. if (static_branch_likely(&have_sha3_init_optim))
  71. kmsan_unpoison_memory(&state, out_len);
  72. memcpy(out, &state, out_len);
  73. memzero_explicit(&state, sizeof(state));
  74. return true;
  75. }
  76. #define sha3_224_arch sha3_224_arch
  77. static bool sha3_224_arch(const u8 *in, size_t in_len,
  78. u8 out[SHA3_224_DIGEST_SIZE])
  79. {
  80. return s390_sha3(CPACF_KLMD_SHA3_224, in, in_len,
  81. out, SHA3_224_DIGEST_SIZE);
  82. }
  83. #define sha3_256_arch sha3_256_arch
  84. static bool sha3_256_arch(const u8 *in, size_t in_len,
  85. u8 out[SHA3_256_DIGEST_SIZE])
  86. {
  87. return s390_sha3(CPACF_KLMD_SHA3_256, in, in_len,
  88. out, SHA3_256_DIGEST_SIZE);
  89. }
  90. #define sha3_384_arch sha3_384_arch
  91. static bool sha3_384_arch(const u8 *in, size_t in_len,
  92. u8 out[SHA3_384_DIGEST_SIZE])
  93. {
  94. return s390_sha3(CPACF_KLMD_SHA3_384, in, in_len,
  95. out, SHA3_384_DIGEST_SIZE);
  96. }
  97. #define sha3_512_arch sha3_512_arch
  98. static bool sha3_512_arch(const u8 *in, size_t in_len,
  99. u8 out[SHA3_512_DIGEST_SIZE])
  100. {
  101. return s390_sha3(CPACF_KLMD_SHA3_512, in, in_len,
  102. out, SHA3_512_DIGEST_SIZE);
  103. }
  104. #define sha3_mod_init_arch sha3_mod_init_arch
  105. static void sha3_mod_init_arch(void)
  106. {
  107. int num_present = 0;
  108. int num_possible = 0;
  109. if (!cpu_have_feature(S390_CPU_FEATURE_MSA))
  110. return;
  111. /*
  112. * Since all the SHA-3 functions are in Message-Security-Assist
  113. * Extension 6, just treat them as all or nothing. This way we need
  114. * only one static_key.
  115. */
  116. #define QUERY(opcode, func) \
  117. ({ num_present += !!cpacf_query_func(opcode, func); num_possible++; })
  118. QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_224);
  119. QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_256);
  120. QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_384);
  121. QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_512);
  122. QUERY(CPACF_KLMD, CPACF_KLMD_SHA3_224);
  123. QUERY(CPACF_KLMD, CPACF_KLMD_SHA3_256);
  124. QUERY(CPACF_KLMD, CPACF_KLMD_SHA3_384);
  125. QUERY(CPACF_KLMD, CPACF_KLMD_SHA3_512);
  126. #undef QUERY
  127. if (num_present == num_possible) {
  128. static_branch_enable(&have_sha3);
  129. if (test_facility(86))
  130. static_branch_enable(&have_sha3_init_optim);
  131. } else if (num_present != 0) {
  132. pr_warn("Unsupported combination of SHA-3 facilities\n");
  133. }
  134. }