crypto: arm64/aes - add NEON/Crypto Extensions CBCMAC/CMAC/XCBC driver
authorArd Biesheuvel <ard.biesheuvel@linaro.org>
Fri, 3 Feb 2017 14:49:37 +0000 (14:49 +0000)
committerHerbert Xu <herbert@gondor.apana.org.au>
Sat, 11 Feb 2017 09:50:45 +0000 (17:50 +0800)
On ARMv8 implementations that do not support the Crypto Extensions,
such as the Raspberry Pi 3, the CCM driver falls back to the generic
table based AES implementation to perform the MAC part of the
algorithm, which is slow and not time invariant. So add a CBCMAC
implementation to the shared glue code between NEON AES and Crypto
Extensions AES, so that it can be used instead now that the CCM
driver has been updated to look for CBCMAC implementations other
than the one it supplies itself.

Also, given how these algorithms mostly only differ in the way the key
handling and the final encryption are implemented, expose CMAC and XCBC
algorithms as well based on the same core update code.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
arch/arm64/crypto/aes-glue.c
arch/arm64/crypto/aes-modes.S

index 055bc3f61138843f337754e0def2e68abc7e47bc..bcf596b0197ef31cfffa60e04c69cd652f5eac09 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * linux/arch/arm64/crypto/aes-glue.c - wrapper code for ARMv8 AES
  *
- * Copyright (C) 2013 Linaro Ltd <ard.biesheuvel@linaro.org>
+ * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -11,6 +11,7 @@
 #include <asm/neon.h>
 #include <asm/hwcap.h>
 #include <crypto/aes.h>
+#include <crypto/internal/hash.h>
 #include <crypto/internal/simd.h>
 #include <crypto/internal/skcipher.h>
 #include <linux/module.h>
@@ -31,6 +32,7 @@
 #define aes_ctr_encrypt                ce_aes_ctr_encrypt
 #define aes_xts_encrypt                ce_aes_xts_encrypt
 #define aes_xts_decrypt                ce_aes_xts_decrypt
+#define aes_mac_update         ce_aes_mac_update
 MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS using ARMv8 Crypto Extensions");
 #else
 #define MODE                   "neon"
@@ -44,11 +46,15 @@ MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS using ARMv8 Crypto Extensions");
 #define aes_ctr_encrypt                neon_aes_ctr_encrypt
 #define aes_xts_encrypt                neon_aes_xts_encrypt
 #define aes_xts_decrypt                neon_aes_xts_decrypt
+#define aes_mac_update         neon_aes_mac_update
 MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS using ARMv8 NEON");
 MODULE_ALIAS_CRYPTO("ecb(aes)");
 MODULE_ALIAS_CRYPTO("cbc(aes)");
 MODULE_ALIAS_CRYPTO("ctr(aes)");
 MODULE_ALIAS_CRYPTO("xts(aes)");
+MODULE_ALIAS_CRYPTO("cmac(aes)");
+MODULE_ALIAS_CRYPTO("xcbc(aes)");
+MODULE_ALIAS_CRYPTO("cbcmac(aes)");
 #endif
 
 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
@@ -75,11 +81,25 @@ asmlinkage void aes_xts_decrypt(u8 out[], u8 const in[], u8 const rk1[],
                                int rounds, int blocks, u8 const rk2[], u8 iv[],
                                int first);
 
+asmlinkage void aes_mac_update(u8 const in[], u32 const rk[], int rounds,
+                              int blocks, u8 dg[], int enc_before,
+                              int enc_after);
+
 struct crypto_aes_xts_ctx {
        struct crypto_aes_ctx key1;
        struct crypto_aes_ctx __aligned(8) key2;
 };
 
+struct mac_tfm_ctx {
+       struct crypto_aes_ctx key;
+       u8 __aligned(8) consts[];
+};
+
+struct mac_desc_ctx {
+       unsigned int len;
+       u8 dg[AES_BLOCK_SIZE];
+};
+
 static int skcipher_aes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
                               unsigned int key_len)
 {
@@ -357,6 +377,217 @@ static struct skcipher_alg aes_algs[] = { {
        .decrypt        = xts_decrypt,
 } };
 
+static int cbcmac_setkey(struct crypto_shash *tfm, const u8 *in_key,
+                        unsigned int key_len)
+{
+       struct mac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
+       int err;
+
+       err = aes_expandkey(&ctx->key, in_key, key_len);
+       if (err)
+               crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+
+       return err;
+}
+
+static void cmac_gf128_mul_by_x(be128 *y, const be128 *x)
+{
+       u64 a = be64_to_cpu(x->a);
+       u64 b = be64_to_cpu(x->b);
+
+       y->a = cpu_to_be64((a << 1) | (b >> 63));
+       y->b = cpu_to_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0));
+}
+
+static int cmac_setkey(struct crypto_shash *tfm, const u8 *in_key,
+                      unsigned int key_len)
+{
+       struct mac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
+       be128 *consts = (be128 *)ctx->consts;
+       u8 *rk = (u8 *)ctx->key.key_enc;
+       int rounds = 6 + key_len / 4;
+       int err;
+
+       err = cbcmac_setkey(tfm, in_key, key_len);
+       if (err)
+               return err;
+
+       /* encrypt the zero vector */
+       kernel_neon_begin();
+       aes_ecb_encrypt(ctx->consts, (u8[AES_BLOCK_SIZE]){}, rk, rounds, 1, 1);
+       kernel_neon_end();
+
+       cmac_gf128_mul_by_x(consts, consts);
+       cmac_gf128_mul_by_x(consts + 1, consts);
+
+       return 0;
+}
+
+static int xcbc_setkey(struct crypto_shash *tfm, const u8 *in_key,
+                      unsigned int key_len)
+{
+       static u8 const ks[3][AES_BLOCK_SIZE] = {
+               { [0 ... AES_BLOCK_SIZE - 1] = 0x1 },
+               { [0 ... AES_BLOCK_SIZE - 1] = 0x2 },
+               { [0 ... AES_BLOCK_SIZE - 1] = 0x3 },
+       };
+
+       struct mac_tfm_ctx *ctx = crypto_shash_ctx(tfm);
+       u8 *rk = (u8 *)ctx->key.key_enc;
+       int rounds = 6 + key_len / 4;
+       u8 key[AES_BLOCK_SIZE];
+       int err;
+
+       err = cbcmac_setkey(tfm, in_key, key_len);
+       if (err)
+               return err;
+
+       kernel_neon_begin();
+       aes_ecb_encrypt(key, ks[0], rk, rounds, 1, 1);
+       aes_ecb_encrypt(ctx->consts, ks[1], rk, rounds, 2, 0);
+       kernel_neon_end();
+
+       return cbcmac_setkey(tfm, key, sizeof(key));
+}
+
+static int mac_init(struct shash_desc *desc)
+{
+       struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
+
+       memset(ctx->dg, 0, AES_BLOCK_SIZE);
+       ctx->len = 0;
+
+       return 0;
+}
+
+static int mac_update(struct shash_desc *desc, const u8 *p, unsigned int len)
+{
+       struct mac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
+       struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
+       int rounds = 6 + tctx->key.key_length / 4;
+
+       while (len > 0) {
+               unsigned int l;
+
+               if ((ctx->len % AES_BLOCK_SIZE) == 0 &&
+                   (ctx->len + len) > AES_BLOCK_SIZE) {
+
+                       int blocks = len / AES_BLOCK_SIZE;
+
+                       len %= AES_BLOCK_SIZE;
+
+                       kernel_neon_begin();
+                       aes_mac_update(p, tctx->key.key_enc, rounds, blocks,
+                                      ctx->dg, (ctx->len != 0), (len != 0));
+                       kernel_neon_end();
+
+                       p += blocks * AES_BLOCK_SIZE;
+
+                       if (!len) {
+                               ctx->len = AES_BLOCK_SIZE;
+                               break;
+                       }
+                       ctx->len = 0;
+               }
+
+               l = min(len, AES_BLOCK_SIZE - ctx->len);
+
+               if (l <= AES_BLOCK_SIZE) {
+                       crypto_xor(ctx->dg + ctx->len, p, l);
+                       ctx->len += l;
+                       len -= l;
+                       p += l;
+               }
+       }
+
+       return 0;
+}
+
+static int cbcmac_final(struct shash_desc *desc, u8 *out)
+{
+       struct mac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
+       struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
+       int rounds = 6 + tctx->key.key_length / 4;
+
+       kernel_neon_begin();
+       aes_mac_update(NULL, tctx->key.key_enc, rounds, 0, ctx->dg, 1, 0);
+       kernel_neon_end();
+
+       memcpy(out, ctx->dg, AES_BLOCK_SIZE);
+
+       return 0;
+}
+
+static int cmac_final(struct shash_desc *desc, u8 *out)
+{
+       struct mac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
+       struct mac_desc_ctx *ctx = shash_desc_ctx(desc);
+       int rounds = 6 + tctx->key.key_length / 4;
+       u8 *consts = tctx->consts;
+
+       if (ctx->len != AES_BLOCK_SIZE) {
+               ctx->dg[ctx->len] ^= 0x80;
+               consts += AES_BLOCK_SIZE;
+       }
+
+       kernel_neon_begin();
+       aes_mac_update(consts, tctx->key.key_enc, rounds, 1, ctx->dg, 0, 1);
+       kernel_neon_end();
+
+       memcpy(out, ctx->dg, AES_BLOCK_SIZE);
+
+       return 0;
+}
+
+static struct shash_alg mac_algs[] = { {
+       .base.cra_name          = "cmac(aes)",
+       .base.cra_driver_name   = "cmac-aes-" MODE,
+       .base.cra_priority      = PRIO,
+       .base.cra_flags         = CRYPTO_ALG_TYPE_SHASH,
+       .base.cra_blocksize     = AES_BLOCK_SIZE,
+       .base.cra_ctxsize       = sizeof(struct mac_tfm_ctx) +
+                                 2 * AES_BLOCK_SIZE,
+       .base.cra_module        = THIS_MODULE,
+
+       .digestsize             = AES_BLOCK_SIZE,
+       .init                   = mac_init,
+       .update                 = mac_update,
+       .final                  = cmac_final,
+       .setkey                 = cmac_setkey,
+       .descsize               = sizeof(struct mac_desc_ctx),
+}, {
+       .base.cra_name          = "xcbc(aes)",
+       .base.cra_driver_name   = "xcbc-aes-" MODE,
+       .base.cra_priority      = PRIO,
+       .base.cra_flags         = CRYPTO_ALG_TYPE_SHASH,
+       .base.cra_blocksize     = AES_BLOCK_SIZE,
+       .base.cra_ctxsize       = sizeof(struct mac_tfm_ctx) +
+                                 2 * AES_BLOCK_SIZE,
+       .base.cra_module        = THIS_MODULE,
+
+       .digestsize             = AES_BLOCK_SIZE,
+       .init                   = mac_init,
+       .update                 = mac_update,
+       .final                  = cmac_final,
+       .setkey                 = xcbc_setkey,
+       .descsize               = sizeof(struct mac_desc_ctx),
+}, {
+       .base.cra_name          = "cbcmac(aes)",
+       .base.cra_driver_name   = "cbcmac-aes-" MODE,
+       .base.cra_priority      = PRIO,
+       .base.cra_flags         = CRYPTO_ALG_TYPE_SHASH,
+       .base.cra_blocksize     = 1,
+       .base.cra_ctxsize       = sizeof(struct mac_tfm_ctx),
+       .base.cra_module        = THIS_MODULE,
+
+       .digestsize             = AES_BLOCK_SIZE,
+       .init                   = mac_init,
+       .update                 = mac_update,
+       .final                  = cbcmac_final,
+       .setkey                 = cbcmac_setkey,
+       .descsize               = sizeof(struct mac_desc_ctx),
+} };
+
 static struct simd_skcipher_alg *aes_simd_algs[ARRAY_SIZE(aes_algs)];
 
 static void aes_exit(void)
@@ -367,6 +598,7 @@ static void aes_exit(void)
                if (aes_simd_algs[i])
                        simd_skcipher_free(aes_simd_algs[i]);
 
+       crypto_unregister_shashes(mac_algs, ARRAY_SIZE(mac_algs));
        crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
 }
 
@@ -383,6 +615,10 @@ static int __init aes_init(void)
        if (err)
                return err;
 
+       err = crypto_register_shashes(mac_algs, ARRAY_SIZE(mac_algs));
+       if (err)
+               goto unregister_ciphers;
+
        for (i = 0; i < ARRAY_SIZE(aes_algs); i++) {
                if (!(aes_algs[i].base.cra_flags & CRYPTO_ALG_INTERNAL))
                        continue;
@@ -402,6 +638,8 @@ static int __init aes_init(void)
 
 unregister_simds:
        aes_exit();
+unregister_ciphers:
+       crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
        return err;
 }
 
index 92b982a8b11214b63d44e376568c8a17e2e8a564..2674d43d1384b87614074a6e02e5c1305545c8bd 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * linux/arch/arm64/crypto/aes-modes.S - chaining mode wrappers for AES
  *
- * Copyright (C) 2013 Linaro Ltd <ard.biesheuvel@linaro.org>
+ * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -525,3 +525,30 @@ AES_ENTRY(aes_xts_decrypt)
        FRAME_POP
        ret
 AES_ENDPROC(aes_xts_decrypt)
+
+       /*
+        * aes_mac_update(u8 const in[], u32 const rk[], int rounds,
+        *                int blocks, u8 dg[], int enc_before, int enc_after)
+        */
+AES_ENTRY(aes_mac_update)
+       ld1             {v0.16b}, [x4]                  /* get dg */
+       enc_prepare     w2, x1, x7
+       cbnz            w5, .Lmacenc
+
+.Lmacloop:
+       cbz             w3, .Lmacout
+       ld1             {v1.16b}, [x0], #16             /* get next pt block */
+       eor             v0.16b, v0.16b, v1.16b          /* ..and xor with dg */
+
+       subs            w3, w3, #1
+       csinv           x5, x6, xzr, eq
+       cbz             w5, .Lmacout
+
+.Lmacenc:
+       encrypt_block   v0, w2, x1, x7, w8
+       b               .Lmacloop
+
+.Lmacout:
+       st1             {v0.16b}, [x4]                  /* return dg */
+       ret
+AES_ENDPROC(aes_mac_update)