cxgbe/crypto/t4_crypto.c

5033c43bSJohn Baldwin/*-
5033c43bSJohn Baldwin * Copyright (c) 2017 Chelsio Communications, Inc.
1833d604SJohn Baldwin * Copyright (c) 2021 The FreeBSD Foundation
5033c43bSJohn Baldwin * All rights reserved.
5033c43bSJohn Baldwin * Written by: John Baldwin <jhb@FreeBSD.org>
5033c43bSJohn Baldwin *
1833d604SJohn Baldwin * Portions of this software were developed by Ararat River
1833d604SJohn Baldwin * Consulting, LLC under sponsorship of the FreeBSD Foundation.
1833d604SJohn Baldwin *
5033c43bSJohn Baldwin * Redistribution and use in source and binary forms, with or without
5033c43bSJohn Baldwin * modification, are permitted provided that the following conditions
5033c43bSJohn Baldwin * are met:
5033c43bSJohn Baldwin * 1. Redistributions of source code must retain the above copyright
5033c43bSJohn Baldwin *    notice, this list of conditions and the following disclaimer.
5033c43bSJohn Baldwin * 2. Redistributions in binary form must reproduce the above copyright
5033c43bSJohn Baldwin *    notice, this list of conditions and the following disclaimer in the
5033c43bSJohn Baldwin *    documentation and/or other materials provided with the distribution.
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
5033c43bSJohn Baldwin * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
5033c43bSJohn Baldwin * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
5033c43bSJohn Baldwin * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
5033c43bSJohn Baldwin * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
5033c43bSJohn Baldwin * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
5033c43bSJohn Baldwin * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
5033c43bSJohn Baldwin * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
5033c43bSJohn Baldwin * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
5033c43bSJohn Baldwin * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5033c43bSJohn Baldwin * SUCH DAMAGE.
5033c43bSJohn Baldwin */
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin#include <sys/types.h>
5033c43bSJohn Baldwin#include <sys/bus.h>
5033c43bSJohn Baldwin#include <sys/lock.h>
5033c43bSJohn Baldwin#include <sys/malloc.h>
5033c43bSJohn Baldwin#include <sys/mutex.h>
5033c43bSJohn Baldwin#include <sys/module.h>
5033c43bSJohn Baldwin#include <sys/sglist.h>
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin#include <opencrypto/cryptodev.h>
5033c43bSJohn Baldwin#include <opencrypto/xform.h>
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin#include "cryptodev_if.h"
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin#include "common/common.h"
5033c43bSJohn Baldwin#include "crypto/t4_crypto.h"
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin/*
5033c43bSJohn Baldwin * Requests consist of:
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | struct fw_crypto_lookaside_wr |
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | struct ulp_txpkt              |
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | struct ulptx_idata            |
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | struct cpl_tx_sec_pdu         |
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | struct cpl_tls_tx_scmd_fmt    |
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | key context header            |
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | AES key                       |  ----- For requests with AES
567a3784SJohn Baldwin * +-------------------------------+
567a3784SJohn Baldwin * | Hash state                    |  ----- For hash-only requests
5033c43bSJohn Baldwin * +-------------------------------+ -
5033c43bSJohn Baldwin * | IPAD (16-byte aligned)        |  \
5033c43bSJohn Baldwin * +-------------------------------+  +---- For requests with HMAC
5033c43bSJohn Baldwin * | OPAD (16-byte aligned)        |  /
5033c43bSJohn Baldwin * +-------------------------------+ -
5033c43bSJohn Baldwin * | GMAC H                        |  ----- For AES-GCM
5033c43bSJohn Baldwin * +-------------------------------+ -
5033c43bSJohn Baldwin * | struct cpl_rx_phys_dsgl       |  \
5033c43bSJohn Baldwin * +-------------------------------+  +---- Destination buffer for
5033c43bSJohn Baldwin * | PHYS_DSGL entries             |  /     non-hash-only requests
5033c43bSJohn Baldwin * +-------------------------------+ -
567a3784SJohn Baldwin * | 16 dummy bytes                |  ----- Only for HMAC/hash-only requests
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | IV                            |  ----- If immediate IV
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | Payload                       |  ----- If immediate Payload
5033c43bSJohn Baldwin * +-------------------------------+ -
5033c43bSJohn Baldwin * | struct ulptx_sgl              |  \
5033c43bSJohn Baldwin * +-------------------------------+  +---- If payload via SGL
5033c43bSJohn Baldwin * | SGL entries                   |  /
5033c43bSJohn Baldwin * +-------------------------------+ -
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * Note that the key context must be padded to ensure 16-byte alignment.
5033c43bSJohn Baldwin * For HMAC requests, the key consists of the partial hash of the IPAD
5033c43bSJohn Baldwin * followed by the partial hash of the OPAD.
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * Replies consist of:
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | struct cpl_fw6_pld            |
5033c43bSJohn Baldwin * +-------------------------------+
5033c43bSJohn Baldwin * | hash digest                   |  ----- For HMAC request with
5033c43bSJohn Baldwin * +-------------------------------+        'hash_size' set in work request
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * A 32-bit big-endian error status word is supplied in the last 4
5033c43bSJohn Baldwin * bytes of data[0] in the CPL_FW6_PLD message.  bit 0 indicates a
5033c43bSJohn Baldwin * "MAC" error and bit 1 indicates a "PAD" error.
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * The 64-bit 'cookie' field from the fw_crypto_lookaside_wr message
5033c43bSJohn Baldwin * in the request is returned in data[1] of the CPL_FW6_PLD message.
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * For block cipher replies, the updated IV is supplied in data[2] and
5033c43bSJohn Baldwin * data[3] of the CPL_FW6_PLD message.
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * For hash replies where the work request set 'hash_size' to request
5033c43bSJohn Baldwin * a copy of the hash in the reply, the hash digest is supplied
5033c43bSJohn Baldwin * immediately following the CPL_FW6_PLD message.
5033c43bSJohn Baldwin */
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin/*
acaabdbbSJohn Baldwin * The crypto engine supports a maximum AAD size of 511 bytes.
acaabdbbSJohn Baldwin */
acaabdbbSJohn Baldwin#define	MAX_AAD_LEN		511
acaabdbbSJohn Baldwin
acaabdbbSJohn Baldwin/*
bf5b6620SJohn Baldwin * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32 SG
bf5b6620SJohn Baldwin * entries.  While the CPL includes a 16-bit length field, the T6 can
bf5b6620SJohn Baldwin * sometimes hang if an error occurs while processing a request with a
bf5b6620SJohn Baldwin * single DSGL entry larger than 2k.
5033c43bSJohn Baldwin */
5033c43bSJohn Baldwin#define	MAX_RX_PHYS_DSGL_SGE	32
bf5b6620SJohn Baldwin#define	DSGL_SGE_MAXLEN		2048
5033c43bSJohn Baldwin
d68990a1SJohn Baldwin/*
d68990a1SJohn Baldwin * The adapter only supports requests with a total input or output
d68990a1SJohn Baldwin * length of 64k-1 or smaller.  Longer requests either result in hung
d68990a1SJohn Baldwin * requests or incorrect results.
d68990a1SJohn Baldwin */
d68990a1SJohn Baldwin#define	MAX_REQUEST_SIZE	65535
d68990a1SJohn Baldwin
5033c43bSJohn Baldwinstatic MALLOC_DEFINE(M_CCR, "ccr", "Chelsio T6 crypto");
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstruct ccr_session_hmac {
d8787d4fSMark Johnston	const struct auth_hash *auth_hash;
5033c43bSJohn Baldwin	int hash_len;
5033c43bSJohn Baldwin	unsigned int partial_digest_len;
5033c43bSJohn Baldwin	unsigned int auth_mode;
5033c43bSJohn Baldwin	unsigned int mk_size;
a1b2b6e1SJohn Baldwin	char pads[CHCR_HASH_MAX_BLOCK_SIZE_128 * 2];
5033c43bSJohn Baldwin};
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstruct ccr_session_gmac {
5033c43bSJohn Baldwin	int hash_len;
5033c43bSJohn Baldwin	char ghash_h[GMAC_BLOCK_LEN];
5033c43bSJohn Baldwin};
5033c43bSJohn Baldwin
6b0451d6SJohn Baldwinstruct ccr_session_ccm_mac {
6b0451d6SJohn Baldwin	int hash_len;
6b0451d6SJohn Baldwin};
6b0451d6SJohn Baldwin
762f1dcbSJohn Baldwinstruct ccr_session_cipher {
5033c43bSJohn Baldwin	unsigned int cipher_mode;
5033c43bSJohn Baldwin	unsigned int key_len;
5033c43bSJohn Baldwin	unsigned int iv_len;
5033c43bSJohn Baldwin	__be32 key_ctx_hdr;
5033c43bSJohn Baldwin	char enckey[CHCR_AES_MAX_KEY_LEN];
5033c43bSJohn Baldwin	char deckey[CHCR_AES_MAX_KEY_LEN];
5033c43bSJohn Baldwin};
5033c43bSJohn Baldwin
94fad5ffSJohn Baldwinstruct ccr_port {
94fad5ffSJohn Baldwin	struct sge_wrq *txq;
94fad5ffSJohn Baldwin	struct sge_rxq *rxq;
8f885fd1SJohn Baldwin	int rx_channel_id;
94fad5ffSJohn Baldwin	int tx_channel_id;
94fad5ffSJohn Baldwin	u_int active_sessions;
9c5137beSJohn Baldwin
9c5137beSJohn Baldwin	counter_u64_t stats_queued;
9c5137beSJohn Baldwin	counter_u64_t stats_completed;
94fad5ffSJohn Baldwin};
94fad5ffSJohn Baldwin
94578db2SJohn Baldwinstruct ccr_softc {
94578db2SJohn Baldwin	struct adapter *adapter;
94578db2SJohn Baldwin	device_t dev;
94578db2SJohn Baldwin	uint32_t cid;
94578db2SJohn Baldwin	struct mtx lock;
94578db2SJohn Baldwin	bool detaching;
94578db2SJohn Baldwin	struct ccr_port ports[MAX_NPORTS];
94578db2SJohn Baldwin	u_int port_mask;
8f885fd1SJohn Baldwin	int first_rxq_id;
5033c43bSJohn Baldwin
5929c9fbSJohn Baldwin	/*
5929c9fbSJohn Baldwin	 * Pre-allocate a dummy output buffer for the IV and AAD for
5929c9fbSJohn Baldwin	 * AEAD requests.
5929c9fbSJohn Baldwin	 */
5929c9fbSJohn Baldwin	char *iv_aad_buf;
5929c9fbSJohn Baldwin	struct sglist *sg_iv_aad;
5929c9fbSJohn Baldwin
5033c43bSJohn Baldwin	/* Statistics. */
762f1dcbSJohn Baldwin	counter_u64_t stats_cipher_encrypt;
762f1dcbSJohn Baldwin	counter_u64_t stats_cipher_decrypt;
94578db2SJohn Baldwin	counter_u64_t stats_hash;
94578db2SJohn Baldwin	counter_u64_t stats_hmac;
94578db2SJohn Baldwin	counter_u64_t stats_eta_encrypt;
94578db2SJohn Baldwin	counter_u64_t stats_eta_decrypt;
94578db2SJohn Baldwin	counter_u64_t stats_gcm_encrypt;
94578db2SJohn Baldwin	counter_u64_t stats_gcm_decrypt;
94578db2SJohn Baldwin	counter_u64_t stats_ccm_encrypt;
94578db2SJohn Baldwin	counter_u64_t stats_ccm_decrypt;
94578db2SJohn Baldwin	counter_u64_t stats_wr_nomem;
94578db2SJohn Baldwin	counter_u64_t stats_inflight;
94578db2SJohn Baldwin	counter_u64_t stats_mac_error;
94578db2SJohn Baldwin	counter_u64_t stats_pad_error;
94578db2SJohn Baldwin	counter_u64_t stats_sglist_error;
94578db2SJohn Baldwin	counter_u64_t stats_process_error;
94578db2SJohn Baldwin	counter_u64_t stats_sw_fallback;
a727d953SNavdeep Parhar
a727d953SNavdeep Parhar	struct sysctl_ctx_list ctx;
5033c43bSJohn Baldwin};
5033c43bSJohn Baldwin
7063b997SJohn Baldwinstruct ccr_session {
7063b997SJohn Baldwin#ifdef INVARIANTS
7063b997SJohn Baldwin	int pending;
7063b997SJohn Baldwin#endif
7063b997SJohn Baldwin	enum { HASH, HMAC, CIPHER, ETA, GCM, CCM } mode;
7063b997SJohn Baldwin	struct ccr_softc *sc;
7063b997SJohn Baldwin	struct ccr_port *port;
7063b997SJohn Baldwin	union {
7063b997SJohn Baldwin		struct ccr_session_hmac hmac;
7063b997SJohn Baldwin		struct ccr_session_gmac gmac;
7063b997SJohn Baldwin		struct ccr_session_ccm_mac ccm_mac;
7063b997SJohn Baldwin	};
7063b997SJohn Baldwin	struct ccr_session_cipher cipher;
7063b997SJohn Baldwin	struct mtx lock;
7063b997SJohn Baldwin
7063b997SJohn Baldwin	/*
7063b997SJohn Baldwin	 * A fallback software session is used for certain GCM/CCM
7063b997SJohn Baldwin	 * requests that the hardware can't handle such as requests
7063b997SJohn Baldwin	 * with only AAD and no payload.
7063b997SJohn Baldwin	 */
7063b997SJohn Baldwin	crypto_session_t sw_session;
7063b997SJohn Baldwin
7063b997SJohn Baldwin	/*
7063b997SJohn Baldwin	 * Pre-allocate S/G lists used when preparing a work request.
7063b997SJohn Baldwin	 * 'sg_input' contains an sglist describing the entire input
7063b997SJohn Baldwin	 * buffer for a 'struct cryptop'.  'sg_output' contains an
7063b997SJohn Baldwin	 * sglist describing the entire output buffer.  'sg_ulptx' is
7063b997SJohn Baldwin	 * used to describe the data the engine should DMA as input
7063b997SJohn Baldwin	 * via ULPTX_SGL.  'sg_dsgl' is used to describe the
7063b997SJohn Baldwin	 * destination that cipher text and a tag should be written
7063b997SJohn Baldwin	 * to.
7063b997SJohn Baldwin	 */
7063b997SJohn Baldwin	struct sglist *sg_input;
7063b997SJohn Baldwin	struct sglist *sg_output;
7063b997SJohn Baldwin	struct sglist *sg_ulptx;
7063b997SJohn Baldwin	struct sglist *sg_dsgl;
7063b997SJohn Baldwin};
7063b997SJohn Baldwin
5033c43bSJohn Baldwin/*
5033c43bSJohn Baldwin * Crypto requests involve two kind of scatter/gather lists.
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * Non-hash-only requests require a PHYS_DSGL that describes the
5033c43bSJohn Baldwin * location to store the results of the encryption or decryption
5033c43bSJohn Baldwin * operation.  This SGL uses a different format (PHYS_DSGL) and should
c0341432SJohn Baldwin * exclude the skip bytes at the start of the data as well as any AAD
c0341432SJohn Baldwin * or IV.  For authenticated encryption requests it should include the
c0341432SJohn Baldwin * destination of the hash or tag.
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * The input payload may either be supplied inline as immediate data,
5033c43bSJohn Baldwin * or via a standard ULP_TX SGL.  This SGL should include AAD,
5033c43bSJohn Baldwin * ciphertext, and the hash or tag for authenticated decryption
5033c43bSJohn Baldwin * requests.
5033c43bSJohn Baldwin *
5033c43bSJohn Baldwin * These scatter/gather lists can describe different subsets of the
9c0e3d3aSJohn Baldwin * buffers described by the crypto operation.  ccr_populate_sglist()
9c0e3d3aSJohn Baldwin * generates a scatter/gather list that covers an entire crypto
5033c43bSJohn Baldwin * operation buffer that is then used to construct the other
5033c43bSJohn Baldwin * scatter/gather lists.
5033c43bSJohn Baldwin */
5033c43bSJohn Baldwinstatic int
9c0e3d3aSJohn Baldwinccr_populate_sglist(struct sglist *sg, struct crypto_buffer *cb)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	int error;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	sglist_reset(sg);
9c0e3d3aSJohn Baldwin	switch (cb->cb_type) {
c0341432SJohn Baldwin	case CRYPTO_BUF_MBUF:
9c0e3d3aSJohn Baldwin		error = sglist_append_mbuf(sg, cb->cb_mbuf);
c0341432SJohn Baldwin		break;
883a0196SJohn Baldwin	case CRYPTO_BUF_SINGLE_MBUF:
883a0196SJohn Baldwin		error = sglist_append_single_mbuf(sg, cb->cb_mbuf);
883a0196SJohn Baldwin		break;
c0341432SJohn Baldwin	case CRYPTO_BUF_UIO:
9c0e3d3aSJohn Baldwin		error = sglist_append_uio(sg, cb->cb_uio);
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	case CRYPTO_BUF_CONTIG:
9c0e3d3aSJohn Baldwin		error = sglist_append(sg, cb->cb_buf, cb->cb_buf_len);
c0341432SJohn Baldwin		break;
e6f6d0c9SAlan Somers	case CRYPTO_BUF_VMPAGE:
e6f6d0c9SAlan Somers		error = sglist_append_vmpages(sg, cb->cb_vm_page,
70efe1a2SJohn Baldwin		    cb->cb_vm_page_offset, cb->cb_vm_page_len);
e6f6d0c9SAlan Somers		break;
c0341432SJohn Baldwin	default:
c0341432SJohn Baldwin		error = EINVAL;
c0341432SJohn Baldwin	}
5033c43bSJohn Baldwin	return (error);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin/*
5033c43bSJohn Baldwin * Segments in 'sg' larger than 'maxsegsize' are counted as multiple
5033c43bSJohn Baldwin * segments.
5033c43bSJohn Baldwin */
5033c43bSJohn Baldwinstatic int
5033c43bSJohn Baldwinccr_count_sgl(struct sglist *sg, int maxsegsize)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	int i, nsegs;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	nsegs = 0;
5033c43bSJohn Baldwin	for (i = 0; i < sg->sg_nseg; i++)
5033c43bSJohn Baldwin		nsegs += howmany(sg->sg_segs[i].ss_len, maxsegsize);
5033c43bSJohn Baldwin	return (nsegs);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin/* These functions deal with PHYS_DSGL for the reply buffer. */
5033c43bSJohn Baldwinstatic inline int
5033c43bSJohn Baldwinccr_phys_dsgl_len(int nsegs)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	int len;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	len = (nsegs / 8) * sizeof(struct phys_sge_pairs);
5033c43bSJohn Baldwin	if ((nsegs % 8) != 0) {
5033c43bSJohn Baldwin		len += sizeof(uint16_t) * 8;
5033c43bSJohn Baldwin		len += roundup2(nsegs % 8, 2) * sizeof(uint64_t);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin	return (len);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic void
94578db2SJohn Baldwinccr_write_phys_dsgl(struct ccr_session *s, void *dst, int nsegs)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	struct sglist *sg;
5033c43bSJohn Baldwin	struct cpl_rx_phys_dsgl *cpl;
5033c43bSJohn Baldwin	struct phys_sge_pairs *sgl;
5033c43bSJohn Baldwin	vm_paddr_t paddr;
5033c43bSJohn Baldwin	size_t seglen;
5033c43bSJohn Baldwin	u_int i, j;
5033c43bSJohn Baldwin
94578db2SJohn Baldwin	sg = s->sg_dsgl;
5033c43bSJohn Baldwin	cpl = dst;
5033c43bSJohn Baldwin	cpl->op_to_tid = htobe32(V_CPL_RX_PHYS_DSGL_OPCODE(CPL_RX_PHYS_DSGL) |
5033c43bSJohn Baldwin	    V_CPL_RX_PHYS_DSGL_ISRDMA(0));
5033c43bSJohn Baldwin	cpl->pcirlxorder_to_noofsgentr = htobe32(
5033c43bSJohn Baldwin	    V_CPL_RX_PHYS_DSGL_PCIRLXORDER(0) |
5033c43bSJohn Baldwin	    V_CPL_RX_PHYS_DSGL_PCINOSNOOP(0) |
5033c43bSJohn Baldwin	    V_CPL_RX_PHYS_DSGL_PCITPHNTENB(0) | V_CPL_RX_PHYS_DSGL_DCAID(0) |
5033c43bSJohn Baldwin	    V_CPL_RX_PHYS_DSGL_NOOFSGENTR(nsegs));
5033c43bSJohn Baldwin	cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR;
94fad5ffSJohn Baldwin	cpl->rss_hdr_int.qid = htobe16(s->port->rxq->iq.abs_id);
5033c43bSJohn Baldwin	cpl->rss_hdr_int.hash_val = 0;
8f885fd1SJohn Baldwin	cpl->rss_hdr_int.channel = s->port->rx_channel_id;
5033c43bSJohn Baldwin	sgl = (struct phys_sge_pairs *)(cpl + 1);
5033c43bSJohn Baldwin	j = 0;
5033c43bSJohn Baldwin	for (i = 0; i < sg->sg_nseg; i++) {
5033c43bSJohn Baldwin		seglen = sg->sg_segs[i].ss_len;
5033c43bSJohn Baldwin		paddr = sg->sg_segs[i].ss_paddr;
5033c43bSJohn Baldwin		do {
5033c43bSJohn Baldwin			sgl->addr[j] = htobe64(paddr);
5033c43bSJohn Baldwin			if (seglen > DSGL_SGE_MAXLEN) {
5033c43bSJohn Baldwin				sgl->len[j] = htobe16(DSGL_SGE_MAXLEN);
5033c43bSJohn Baldwin				paddr += DSGL_SGE_MAXLEN;
5033c43bSJohn Baldwin				seglen -= DSGL_SGE_MAXLEN;
5033c43bSJohn Baldwin			} else {
5033c43bSJohn Baldwin				sgl->len[j] = htobe16(seglen);
5033c43bSJohn Baldwin				seglen = 0;
5033c43bSJohn Baldwin			}
5033c43bSJohn Baldwin			j++;
5033c43bSJohn Baldwin			if (j == 8) {
5033c43bSJohn Baldwin				sgl++;
5033c43bSJohn Baldwin				j = 0;
5033c43bSJohn Baldwin			}
5033c43bSJohn Baldwin		} while (seglen != 0);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin	MPASS(j + 8 * (sgl - (struct phys_sge_pairs *)(cpl + 1)) == nsegs);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin/* These functions deal with the ULPTX_SGL for input payload. */
5033c43bSJohn Baldwinstatic inline int
5033c43bSJohn Baldwinccr_ulptx_sgl_len(int nsegs)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	u_int n;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	nsegs--; /* first segment is part of ulptx_sgl */
5033c43bSJohn Baldwin	n = sizeof(struct ulptx_sgl) + 8 * ((3 * nsegs) / 2 + (nsegs & 1));
5033c43bSJohn Baldwin	return (roundup2(n, 16));
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic void
94578db2SJohn Baldwinccr_write_ulptx_sgl(struct ccr_session *s, void *dst, int nsegs)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	struct ulptx_sgl *usgl;
5033c43bSJohn Baldwin	struct sglist *sg;
5033c43bSJohn Baldwin	struct sglist_seg *ss;
5033c43bSJohn Baldwin	int i;
5033c43bSJohn Baldwin
94578db2SJohn Baldwin	sg = s->sg_ulptx;
5033c43bSJohn Baldwin	MPASS(nsegs == sg->sg_nseg);
5033c43bSJohn Baldwin	ss = &sg->sg_segs[0];
5033c43bSJohn Baldwin	usgl = dst;
5033c43bSJohn Baldwin	usgl->cmd_nsge = htobe32(V_ULPTX_CMD(ULP_TX_SC_DSGL) |
5033c43bSJohn Baldwin	    V_ULPTX_NSGE(nsegs));
5033c43bSJohn Baldwin	usgl->len0 = htobe32(ss->ss_len);
5033c43bSJohn Baldwin	usgl->addr0 = htobe64(ss->ss_paddr);
5033c43bSJohn Baldwin	ss++;
5033c43bSJohn Baldwin	for (i = 0; i < sg->sg_nseg - 1; i++) {
5033c43bSJohn Baldwin		usgl->sge[i / 2].len[i & 1] = htobe32(ss->ss_len);
5033c43bSJohn Baldwin		usgl->sge[i / 2].addr[i & 1] = htobe64(ss->ss_paddr);
5033c43bSJohn Baldwin		ss++;
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic bool
5033c43bSJohn Baldwinccr_use_imm_data(u_int transhdr_len, u_int input_len)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	if (input_len > CRYPTO_MAX_IMM_TX_PKT_LEN)
5033c43bSJohn Baldwin		return (false);
5033c43bSJohn Baldwin	if (roundup2(transhdr_len, 16) + roundup2(input_len, 16) >
5033c43bSJohn Baldwin	    SGE_MAX_WR_LEN)
5033c43bSJohn Baldwin		return (false);
5033c43bSJohn Baldwin	return (true);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic void
94fad5ffSJohn Baldwinccr_populate_wreq(struct ccr_softc *sc, struct ccr_session *s,
94fad5ffSJohn Baldwin    struct chcr_wr *crwr, u_int kctx_len, u_int wr_len, u_int imm_len,
94fad5ffSJohn Baldwin    u_int sgl_len, u_int hash_size, struct cryptop *crp)
5033c43bSJohn Baldwin{
6b0451d6SJohn Baldwin	u_int cctx_size, idata_len;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	cctx_size = sizeof(struct _key_ctx) + kctx_len;
5033c43bSJohn Baldwin	crwr->wreq.op_to_cctx_size = htobe32(
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_OPCODE(FW_CRYPTO_LOOKASIDE_WR) |
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_COMPL(0) |
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_IMM_LEN(imm_len) |
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_CCTX_LOC(1) |
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_CCTX_SIZE(cctx_size >> 4));
5033c43bSJohn Baldwin	crwr->wreq.len16_pkd = htobe32(
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_LEN16(wr_len / 16));
1b0909d5SConrad Meyer	crwr->wreq.session_id = 0;
5033c43bSJohn Baldwin	crwr->wreq.rx_chid_to_rx_q_id = htobe32(
8f885fd1SJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_RX_CHID(s->port->rx_channel_id) |
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_LCB(0) |
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_PHASH(0) |
020ce53aSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_IV(IV_NOP) |
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_FQIDX(0) |
8f885fd1SJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_TX_CH(0) |	/* unused in firmware */
94fad5ffSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_RX_Q_ID(s->port->rxq->iq.abs_id));
5033c43bSJohn Baldwin	crwr->wreq.key_addr = 0;
5033c43bSJohn Baldwin	crwr->wreq.pld_size_hash_size = htobe32(
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_PLD_SIZE(sgl_len) |
5033c43bSJohn Baldwin	    V_FW_CRYPTO_LOOKASIDE_WR_HASH_SIZE(hash_size));
5033c43bSJohn Baldwin	crwr->wreq.cookie = htobe64((uintptr_t)crp);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->ulptx.cmd_dest = htobe32(V_ULPTX_CMD(ULP_TX_PKT) |
5033c43bSJohn Baldwin	    V_ULP_TXPKT_DATAMODIFY(0) |
94fad5ffSJohn Baldwin	    V_ULP_TXPKT_CHANNELID(s->port->tx_channel_id) |
94fad5ffSJohn Baldwin	    V_ULP_TXPKT_DEST(0) |
8f885fd1SJohn Baldwin	    V_ULP_TXPKT_FID(sc->first_rxq_id) | V_ULP_TXPKT_RO(1));
5033c43bSJohn Baldwin	crwr->ulptx.len = htobe32(
5033c43bSJohn Baldwin	    ((wr_len - sizeof(struct fw_crypto_lookaside_wr)) / 16));
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->sc_imm.cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_IMM) |
6b0451d6SJohn Baldwin	    V_ULP_TX_SC_MORE(sgl_len != 0 ? 1 : 0));
6b0451d6SJohn Baldwin	idata_len = wr_len - offsetof(struct chcr_wr, sec_cpl) - sgl_len;
6b0451d6SJohn Baldwin	if (imm_len % 16 != 0)
6b0451d6SJohn Baldwin		idata_len -= 16 - imm_len % 16;
6b0451d6SJohn Baldwin	crwr->sc_imm.len = htobe32(idata_len);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
567a3784SJohn Baldwinccr_hash(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	struct chcr_wr *crwr;
5033c43bSJohn Baldwin	struct wrqe *wr;
d8787d4fSMark Johnston	const struct auth_hash *axf;
5033c43bSJohn Baldwin	char *dst;
5033c43bSJohn Baldwin	u_int hash_size_in_response, kctx_flits, kctx_len, transhdr_len, wr_len;
567a3784SJohn Baldwin	u_int hmac_ctrl, imm_len, iopad_size;
567a3784SJohn Baldwin	int error, sgl_nsegs, sgl_len, use_opad;
5033c43bSJohn Baldwin
d68990a1SJohn Baldwin	/* Reject requests with too large of an input buffer. */
c0341432SJohn Baldwin	if (crp->crp_payload_length > MAX_REQUEST_SIZE)
d68990a1SJohn Baldwin		return (EFBIG);
d68990a1SJohn Baldwin
5033c43bSJohn Baldwin	axf = s->hmac.auth_hash;
5033c43bSJohn Baldwin
567a3784SJohn Baldwin	if (s->mode == HMAC) {
567a3784SJohn Baldwin		use_opad = 1;
d09389fdSJohn Baldwin		hmac_ctrl = SCMD_HMAC_CTRL_NO_TRUNC;
567a3784SJohn Baldwin	} else {
567a3784SJohn Baldwin		use_opad = 0;
d09389fdSJohn Baldwin		hmac_ctrl = SCMD_HMAC_CTRL_NOP;
567a3784SJohn Baldwin	}
567a3784SJohn Baldwin
5033c43bSJohn Baldwin	/* PADs must be 128-bit aligned. */
5033c43bSJohn Baldwin	iopad_size = roundup2(s->hmac.partial_digest_len, 16);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The 'key' part of the context includes the aligned IPAD and
5033c43bSJohn Baldwin	 * OPAD.
5033c43bSJohn Baldwin	 */
567a3784SJohn Baldwin	kctx_len = iopad_size;
567a3784SJohn Baldwin	if (use_opad)
567a3784SJohn Baldwin		kctx_len += iopad_size;
5033c43bSJohn Baldwin	hash_size_in_response = axf->hashsize;
5033c43bSJohn Baldwin	transhdr_len = HASH_TRANSHDR_SIZE(kctx_len);
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	if (crp->crp_payload_length == 0) {
4623e047SJohn Baldwin		imm_len = axf->blocksize;
4623e047SJohn Baldwin		sgl_nsegs = 0;
4623e047SJohn Baldwin		sgl_len = 0;
c0341432SJohn Baldwin	} else if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length)) {
c0341432SJohn Baldwin		imm_len = crp->crp_payload_length;
5033c43bSJohn Baldwin		sgl_nsegs = 0;
5033c43bSJohn Baldwin		sgl_len = 0;
5033c43bSJohn Baldwin	} else {
5033c43bSJohn Baldwin		imm_len = 0;
94578db2SJohn Baldwin		sglist_reset(s->sg_ulptx);
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
c0341432SJohn Baldwin		    crp->crp_payload_start, crp->crp_payload_length);
5033c43bSJohn Baldwin		if (error)
5033c43bSJohn Baldwin			return (error);
94578db2SJohn Baldwin		sgl_nsegs = s->sg_ulptx->sg_nseg;
5033c43bSJohn Baldwin		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	wr_len = roundup2(transhdr_len, 16) + roundup2(imm_len, 16) + sgl_len;
f7b61e2fSJohn Baldwin	if (wr_len > SGE_MAX_WR_LEN)
f7b61e2fSJohn Baldwin		return (EFBIG);
94fad5ffSJohn Baldwin	wr = alloc_wrqe(wr_len, s->port->txq);
5033c43bSJohn Baldwin	if (wr == NULL) {
94578db2SJohn Baldwin		counter_u64_add(sc->stats_wr_nomem, 1);
5033c43bSJohn Baldwin		return (ENOMEM);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin	crwr = wrtod(wr);
5033c43bSJohn Baldwin	memset(crwr, 0, wr_len);
5033c43bSJohn Baldwin
94fad5ffSJohn Baldwin	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len,
020ce53aSJohn Baldwin	    hash_size_in_response, crp);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->sec_cpl.op_ivinsrtofst = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
8f885fd1SJohn Baldwin	    V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_IVINSRTOFST(0));
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	crwr->sec_cpl.pldlen = htobe32(crp->crp_payload_length == 0 ?
c0341432SJohn Baldwin	    axf->blocksize : crp->crp_payload_length);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHSTART(1) | V_CPL_TX_SEC_PDU_AUTHSTOP(0));
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
5033c43bSJohn Baldwin	crwr->sec_cpl.seqno_numivs = htobe32(
5033c43bSJohn Baldwin	    V_SCMD_SEQ_NO_CTRL(0) |
d09389fdSJohn Baldwin	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
d09389fdSJohn Baldwin	    V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_NOP) |
5033c43bSJohn Baldwin	    V_SCMD_AUTH_MODE(s->hmac.auth_mode) |
567a3784SJohn Baldwin	    V_SCMD_HMAC_CTRL(hmac_ctrl));
5033c43bSJohn Baldwin	crwr->sec_cpl.ivgen_hdrlen = htobe32(
4623e047SJohn Baldwin	    V_SCMD_LAST_FRAG(0) |
c0341432SJohn Baldwin	    V_SCMD_MORE_FRAGS(crp->crp_payload_length == 0 ? 1 : 0) |
c0341432SJohn Baldwin	    V_SCMD_MAC_ONLY(1));
5033c43bSJohn Baldwin
a1b2b6e1SJohn Baldwin	memcpy(crwr->key_ctx.key, s->hmac.pads, kctx_len);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* XXX: F_KEY_CONTEXT_SALT_PRESENT set, but 'salt' not set. */
5033c43bSJohn Baldwin	kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16;
5033c43bSJohn Baldwin	crwr->key_ctx.ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) |
567a3784SJohn Baldwin	    V_KEY_CONTEXT_OPAD_PRESENT(use_opad) |
567a3784SJohn Baldwin	    V_KEY_CONTEXT_SALT_PRESENT(1) |
5033c43bSJohn Baldwin	    V_KEY_CONTEXT_CK_SIZE(CHCR_KEYCTX_NO_KEY) |
5033c43bSJohn Baldwin	    V_KEY_CONTEXT_MK_SIZE(s->hmac.mk_size) | V_KEY_CONTEXT_VALID(1));
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES;
c0341432SJohn Baldwin	if (crp->crp_payload_length == 0) {
4623e047SJohn Baldwin		dst[0] = 0x80;
a2ad169eSJohn Baldwin		if (s->mode == HMAC)
4623e047SJohn Baldwin			*(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) =
4623e047SJohn Baldwin			    htobe64(axf->blocksize << 3);
4623e047SJohn Baldwin	} else if (imm_len != 0)
c0341432SJohn Baldwin		crypto_copydata(crp, crp->crp_payload_start,
c0341432SJohn Baldwin		    crp->crp_payload_length, dst);
5033c43bSJohn Baldwin	else
94578db2SJohn Baldwin		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* XXX: TODO backpressure */
5033c43bSJohn Baldwin	t4_wrq_tx(sc->adapter, wr);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
567a3784SJohn Baldwinccr_hash_done(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp,
5033c43bSJohn Baldwin    const struct cpl_fw6_pld *cpl, int error)
5033c43bSJohn Baldwin{
c0341432SJohn Baldwin	uint8_t hash[HASH_MAX_LEN];
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	if (error)
5033c43bSJohn Baldwin		return (error);
c0341432SJohn Baldwin
c0341432SJohn Baldwin	if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) {
c0341432SJohn Baldwin		crypto_copydata(crp, crp->crp_digest_start, s->hmac.hash_len,
c0341432SJohn Baldwin		    hash);
c0341432SJohn Baldwin		if (timingsafe_bcmp((cpl + 1), hash, s->hmac.hash_len) != 0)
c0341432SJohn Baldwin			return (EBADMSG);
c0341432SJohn Baldwin	} else
c0341432SJohn Baldwin		crypto_copyback(crp, crp->crp_digest_start, s->hmac.hash_len,
c0341432SJohn Baldwin		    (cpl + 1));
c0341432SJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
762f1dcbSJohn Baldwinccr_cipher(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	char iv[CHCR_MAX_CRYPTO_IV_LEN];
5033c43bSJohn Baldwin	struct chcr_wr *crwr;
5033c43bSJohn Baldwin	struct wrqe *wr;
5033c43bSJohn Baldwin	char *dst;
d3f25aa1SJohn Baldwin	u_int kctx_len, key_half, op_type, transhdr_len, wr_len;
c0341432SJohn Baldwin	u_int imm_len, iv_len;
5033c43bSJohn Baldwin	int dsgl_nsegs, dsgl_len;
5033c43bSJohn Baldwin	int sgl_nsegs, sgl_len;
5033c43bSJohn Baldwin	int error;
5033c43bSJohn Baldwin
762f1dcbSJohn Baldwin	if (s->cipher.key_len == 0 || crp->crp_payload_length == 0)
5033c43bSJohn Baldwin		return (EINVAL);
762f1dcbSJohn Baldwin	if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC &&
c0341432SJohn Baldwin	    (crp->crp_payload_length % AES_BLOCK_LEN) != 0)
5033c43bSJohn Baldwin		return (EINVAL);
5033c43bSJohn Baldwin
d68990a1SJohn Baldwin	/* Reject requests with too large of an input buffer. */
c0341432SJohn Baldwin	if (crp->crp_payload_length > MAX_REQUEST_SIZE)
d68990a1SJohn Baldwin		return (EFBIG);
d68990a1SJohn Baldwin
c0341432SJohn Baldwin	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
5033c43bSJohn Baldwin		op_type = CHCR_ENCRYPT_OP;
5033c43bSJohn Baldwin	else
5033c43bSJohn Baldwin		op_type = CHCR_DECRYPT_OP;
5033c43bSJohn Baldwin
94578db2SJohn Baldwin	sglist_reset(s->sg_dsgl);
2adc3c94SJohn Baldwin	if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
2adc3c94SJohn Baldwin		    crp->crp_payload_output_start, crp->crp_payload_length);
2adc3c94SJohn Baldwin	else
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
c0341432SJohn Baldwin		    crp->crp_payload_start, crp->crp_payload_length);
5033c43bSJohn Baldwin	if (error)
5033c43bSJohn Baldwin		return (error);
94578db2SJohn Baldwin	dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN);
5033c43bSJohn Baldwin	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
5033c43bSJohn Baldwin		return (EFBIG);
5033c43bSJohn Baldwin	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* The 'key' must be 128-bit aligned. */
762f1dcbSJohn Baldwin	kctx_len = roundup2(s->cipher.key_len, 16);
5033c43bSJohn Baldwin	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	/* For AES-XTS we send a 16-byte IV in the work request. */
762f1dcbSJohn Baldwin	if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS)
c0341432SJohn Baldwin		iv_len = AES_BLOCK_LEN;
c0341432SJohn Baldwin	else
762f1dcbSJohn Baldwin		iv_len = s->cipher.iv_len;
c0341432SJohn Baldwin
c0341432SJohn Baldwin	if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length + iv_len)) {
c0341432SJohn Baldwin		imm_len = crp->crp_payload_length;
5033c43bSJohn Baldwin		sgl_nsegs = 0;
5033c43bSJohn Baldwin		sgl_len = 0;
5033c43bSJohn Baldwin	} else {
5033c43bSJohn Baldwin		imm_len = 0;
94578db2SJohn Baldwin		sglist_reset(s->sg_ulptx);
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
c0341432SJohn Baldwin		    crp->crp_payload_start, crp->crp_payload_length);
5033c43bSJohn Baldwin		if (error)
5033c43bSJohn Baldwin			return (error);
94578db2SJohn Baldwin		sgl_nsegs = s->sg_ulptx->sg_nseg;
5033c43bSJohn Baldwin		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	wr_len = roundup2(transhdr_len, 16) + iv_len +
d3f25aa1SJohn Baldwin	    roundup2(imm_len, 16) + sgl_len;
f7b61e2fSJohn Baldwin	if (wr_len > SGE_MAX_WR_LEN)
f7b61e2fSJohn Baldwin		return (EFBIG);
94fad5ffSJohn Baldwin	wr = alloc_wrqe(wr_len, s->port->txq);
5033c43bSJohn Baldwin	if (wr == NULL) {
94578db2SJohn Baldwin		counter_u64_add(sc->stats_wr_nomem, 1);
5033c43bSJohn Baldwin		return (ENOMEM);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin	crwr = wrtod(wr);
5033c43bSJohn Baldwin	memset(crwr, 0, wr_len);
5033c43bSJohn Baldwin
29fe41ddSJohn Baldwin	crypto_read_iv(crp, iv);
c0341432SJohn Baldwin
c0341432SJohn Baldwin	/* Zero the remainder of the IV for AES-XTS. */
762f1dcbSJohn Baldwin	memset(iv + s->cipher.iv_len, 0, iv_len - s->cipher.iv_len);
2bc40b6cSJohn Baldwin
94fad5ffSJohn Baldwin	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0,
020ce53aSJohn Baldwin	    crp);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->sec_cpl.op_ivinsrtofst = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
8f885fd1SJohn Baldwin	    V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	crwr->sec_cpl.pldlen = htobe32(iv_len + crp->crp_payload_length);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
c0341432SJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTART(iv_len + 1) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
5033c43bSJohn Baldwin	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0));
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
5033c43bSJohn Baldwin	crwr->sec_cpl.seqno_numivs = htobe32(
5033c43bSJohn Baldwin	    V_SCMD_SEQ_NO_CTRL(0) |
d09389fdSJohn Baldwin	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
5033c43bSJohn Baldwin	    V_SCMD_ENC_DEC_CTRL(op_type) |
762f1dcbSJohn Baldwin	    V_SCMD_CIPH_MODE(s->cipher.cipher_mode) |
d09389fdSJohn Baldwin	    V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_NOP) |
d09389fdSJohn Baldwin	    V_SCMD_HMAC_CTRL(SCMD_HMAC_CTRL_NOP) |
c0341432SJohn Baldwin	    V_SCMD_IV_SIZE(iv_len / 2) |
5033c43bSJohn Baldwin	    V_SCMD_NUM_IVS(0));
5033c43bSJohn Baldwin	crwr->sec_cpl.ivgen_hdrlen = htobe32(
5033c43bSJohn Baldwin	    V_SCMD_IV_GEN_CTRL(0) |
5033c43bSJohn Baldwin	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
5033c43bSJohn Baldwin	    V_SCMD_AADIVDROP(1) | V_SCMD_HDR_LEN(dsgl_len));
5033c43bSJohn Baldwin
762f1dcbSJohn Baldwin	crwr->key_ctx.ctx_hdr = s->cipher.key_ctx_hdr;
762f1dcbSJohn Baldwin	switch (s->cipher.cipher_mode) {
c0341432SJohn Baldwin	case SCMD_CIPH_MODE_AES_CBC:
c0341432SJohn Baldwin		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
762f1dcbSJohn Baldwin			memcpy(crwr->key_ctx.key, s->cipher.enckey,
762f1dcbSJohn Baldwin			    s->cipher.key_len);
5033c43bSJohn Baldwin		else
762f1dcbSJohn Baldwin			memcpy(crwr->key_ctx.key, s->cipher.deckey,
762f1dcbSJohn Baldwin			    s->cipher.key_len);
5033c43bSJohn Baldwin		break;
c0341432SJohn Baldwin	case SCMD_CIPH_MODE_AES_CTR:
762f1dcbSJohn Baldwin		memcpy(crwr->key_ctx.key, s->cipher.enckey,
762f1dcbSJohn Baldwin		    s->cipher.key_len);
5033c43bSJohn Baldwin		break;
c0341432SJohn Baldwin	case SCMD_CIPH_MODE_AES_XTS:
762f1dcbSJohn Baldwin		key_half = s->cipher.key_len / 2;
762f1dcbSJohn Baldwin		memcpy(crwr->key_ctx.key, s->cipher.enckey + key_half,
5033c43bSJohn Baldwin		    key_half);
c0341432SJohn Baldwin		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
5033c43bSJohn Baldwin			memcpy(crwr->key_ctx.key + key_half,
762f1dcbSJohn Baldwin			    s->cipher.enckey, key_half);
5033c43bSJohn Baldwin		else
5033c43bSJohn Baldwin			memcpy(crwr->key_ctx.key + key_half,
762f1dcbSJohn Baldwin			    s->cipher.deckey, key_half);
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	dst = (char *)(crwr + 1) + kctx_len;
94578db2SJohn Baldwin	ccr_write_phys_dsgl(s, dst, dsgl_nsegs);
5033c43bSJohn Baldwin	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
c0341432SJohn Baldwin	memcpy(dst, iv, iv_len);
c0341432SJohn Baldwin	dst += iv_len;
5033c43bSJohn Baldwin	if (imm_len != 0)
c0341432SJohn Baldwin		crypto_copydata(crp, crp->crp_payload_start,
c0341432SJohn Baldwin		    crp->crp_payload_length, dst);
5033c43bSJohn Baldwin	else
94578db2SJohn Baldwin		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* XXX: TODO backpressure */
5033c43bSJohn Baldwin	t4_wrq_tx(sc->adapter, wr);
5033c43bSJohn Baldwin
1a4a7e98SJohn Baldwin	explicit_bzero(iv, sizeof(iv));
5033c43bSJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
762f1dcbSJohn Baldwinccr_cipher_done(struct ccr_softc *sc, struct ccr_session *s,
5033c43bSJohn Baldwin    struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The updated IV to permit chained requests is at
5033c43bSJohn Baldwin	 * cpl->data[2], but OCF doesn't permit chained requests.
5033c43bSJohn Baldwin	 */
5033c43bSJohn Baldwin	return (error);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin/*
5033c43bSJohn Baldwin * 'hashsize' is the length of a full digest.  'authsize' is the
5033c43bSJohn Baldwin * requested digest length for this operation which may be less
5033c43bSJohn Baldwin * than 'hashsize'.
5033c43bSJohn Baldwin */
5033c43bSJohn Baldwinstatic int
5033c43bSJohn Baldwinccr_hmac_ctrl(unsigned int hashsize, unsigned int authsize)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	if (authsize == 10)
d09389fdSJohn Baldwin		return (SCMD_HMAC_CTRL_TRUNC_RFC4366);
5033c43bSJohn Baldwin	if (authsize == 12)
d09389fdSJohn Baldwin		return (SCMD_HMAC_CTRL_IPSEC_96BIT);
5033c43bSJohn Baldwin	if (authsize == hashsize / 2)
d09389fdSJohn Baldwin		return (SCMD_HMAC_CTRL_DIV2);
d09389fdSJohn Baldwin	return (SCMD_HMAC_CTRL_NO_TRUNC);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
c0341432SJohn Baldwinccr_eta(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	char iv[CHCR_MAX_CRYPTO_IV_LEN];
5033c43bSJohn Baldwin	struct chcr_wr *crwr;
5033c43bSJohn Baldwin	struct wrqe *wr;
d8787d4fSMark Johnston	const struct auth_hash *axf;
5033c43bSJohn Baldwin	char *dst;
d3f25aa1SJohn Baldwin	u_int kctx_len, key_half, op_type, transhdr_len, wr_len;
c0341432SJohn Baldwin	u_int hash_size_in_response, imm_len, iopad_size, iv_len;
c0341432SJohn Baldwin	u_int aad_start, aad_stop;
c0341432SJohn Baldwin	u_int auth_insert;
5033c43bSJohn Baldwin	u_int cipher_start, cipher_stop;
5033c43bSJohn Baldwin	u_int hmac_ctrl, input_len;
5033c43bSJohn Baldwin	int dsgl_nsegs, dsgl_len;
5033c43bSJohn Baldwin	int sgl_nsegs, sgl_len;
5033c43bSJohn Baldwin	int error;
5033c43bSJohn Baldwin
4623e047SJohn Baldwin	/*
4623e047SJohn Baldwin	 * If there is a need in the future, requests with an empty
4623e047SJohn Baldwin	 * payload could be supported as HMAC-only requests.
4623e047SJohn Baldwin	 */
762f1dcbSJohn Baldwin	if (s->cipher.key_len == 0 || crp->crp_payload_length == 0)
5033c43bSJohn Baldwin		return (EINVAL);
762f1dcbSJohn Baldwin	if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC &&
c0341432SJohn Baldwin	    (crp->crp_payload_length % AES_BLOCK_LEN) != 0)
5033c43bSJohn Baldwin		return (EINVAL);
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	/* For AES-XTS we send a 16-byte IV in the work request. */
762f1dcbSJohn Baldwin	if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS)
c0341432SJohn Baldwin		iv_len = AES_BLOCK_LEN;
acaabdbbSJohn Baldwin	else
762f1dcbSJohn Baldwin		iv_len = s->cipher.iv_len;
c0341432SJohn Baldwin
c0341432SJohn Baldwin	if (crp->crp_aad_length + iv_len > MAX_AAD_LEN)
acaabdbbSJohn Baldwin		return (EINVAL);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	axf = s->hmac.auth_hash;
5033c43bSJohn Baldwin	hash_size_in_response = s->hmac.hash_len;
c0341432SJohn Baldwin	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
5033c43bSJohn Baldwin		op_type = CHCR_ENCRYPT_OP;
5033c43bSJohn Baldwin	else
5033c43bSJohn Baldwin		op_type = CHCR_DECRYPT_OP;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The output buffer consists of the cipher text followed by
5033c43bSJohn Baldwin	 * the hash when encrypting.  For decryption it only contains
5033c43bSJohn Baldwin	 * the plain text.
5929c9fbSJohn Baldwin	 *
5929c9fbSJohn Baldwin	 * Due to a firmware bug, the output buffer must include a
5929c9fbSJohn Baldwin	 * dummy output buffer for the IV and AAD prior to the real
5929c9fbSJohn Baldwin	 * output buffer.
5033c43bSJohn Baldwin	 */
d68990a1SJohn Baldwin	if (op_type == CHCR_ENCRYPT_OP) {
c0341432SJohn Baldwin		if (iv_len + crp->crp_aad_length + crp->crp_payload_length +
5929c9fbSJohn Baldwin		    hash_size_in_response > MAX_REQUEST_SIZE)
d68990a1SJohn Baldwin			return (EFBIG);
d68990a1SJohn Baldwin	} else {
c0341432SJohn Baldwin		if (iv_len + crp->crp_aad_length + crp->crp_payload_length >
5929c9fbSJohn Baldwin		    MAX_REQUEST_SIZE)
d68990a1SJohn Baldwin			return (EFBIG);
d68990a1SJohn Baldwin	}
94578db2SJohn Baldwin	sglist_reset(s->sg_dsgl);
94578db2SJohn Baldwin	error = sglist_append_sglist(s->sg_dsgl, sc->sg_iv_aad, 0,
c0341432SJohn Baldwin	    iv_len + crp->crp_aad_length);
5929c9fbSJohn Baldwin	if (error)
5929c9fbSJohn Baldwin		return (error);
2adc3c94SJohn Baldwin	if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
2adc3c94SJohn Baldwin		    crp->crp_payload_output_start, crp->crp_payload_length);
2adc3c94SJohn Baldwin	else
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
c0341432SJohn Baldwin		    crp->crp_payload_start, crp->crp_payload_length);
5033c43bSJohn Baldwin	if (error)
5033c43bSJohn Baldwin		return (error);
5033c43bSJohn Baldwin	if (op_type == CHCR_ENCRYPT_OP) {
2adc3c94SJohn Baldwin		if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
94578db2SJohn Baldwin			error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
2adc3c94SJohn Baldwin			    crp->crp_digest_start, hash_size_in_response);
2adc3c94SJohn Baldwin		else
94578db2SJohn Baldwin			error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
c0341432SJohn Baldwin			    crp->crp_digest_start, hash_size_in_response);
5033c43bSJohn Baldwin		if (error)
5033c43bSJohn Baldwin			return (error);
5033c43bSJohn Baldwin	}
94578db2SJohn Baldwin	dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN);
5033c43bSJohn Baldwin	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
5033c43bSJohn Baldwin		return (EFBIG);
5033c43bSJohn Baldwin	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* PADs must be 128-bit aligned. */
5033c43bSJohn Baldwin	iopad_size = roundup2(s->hmac.partial_digest_len, 16);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The 'key' part of the key context consists of the key followed
5033c43bSJohn Baldwin	 * by the IPAD and OPAD.
5033c43bSJohn Baldwin	 */
762f1dcbSJohn Baldwin	kctx_len = roundup2(s->cipher.key_len, 16) + iopad_size * 2;
5033c43bSJohn Baldwin	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The input buffer consists of the IV, any AAD, and then the
5033c43bSJohn Baldwin	 * cipher/plain text.  For decryption requests the hash is
5033c43bSJohn Baldwin	 * appended after the cipher text.
2bc40b6cSJohn Baldwin	 *
2bc40b6cSJohn Baldwin	 * The IV is always stored at the start of the input buffer
2bc40b6cSJohn Baldwin	 * even though it may be duplicated in the payload.  The
2bc40b6cSJohn Baldwin	 * crypto engine doesn't work properly if the IV offset points
2bc40b6cSJohn Baldwin	 * inside of the AAD region, so a second copy is always
2bc40b6cSJohn Baldwin	 * required.
5033c43bSJohn Baldwin	 */
c0341432SJohn Baldwin	input_len = crp->crp_aad_length + crp->crp_payload_length;
d68990a1SJohn Baldwin
d68990a1SJohn Baldwin	/*
d68990a1SJohn Baldwin	 * The firmware hangs if sent a request which is a
d68990a1SJohn Baldwin	 * bit smaller than MAX_REQUEST_SIZE.  In particular, the
d68990a1SJohn Baldwin	 * firmware appears to require 512 - 16 bytes of spare room
d68990a1SJohn Baldwin	 * along with the size of the hash even if the hash isn't
d68990a1SJohn Baldwin	 * included in the input buffer.
d68990a1SJohn Baldwin	 */
d68990a1SJohn Baldwin	if (input_len + roundup2(axf->hashsize, 16) + (512 - 16) >
d68990a1SJohn Baldwin	    MAX_REQUEST_SIZE)
d68990a1SJohn Baldwin		return (EFBIG);
5033c43bSJohn Baldwin	if (op_type == CHCR_DECRYPT_OP)
5033c43bSJohn Baldwin		input_len += hash_size_in_response;
c0341432SJohn Baldwin
c0341432SJohn Baldwin	if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) {
5033c43bSJohn Baldwin		imm_len = input_len;
5033c43bSJohn Baldwin		sgl_nsegs = 0;
5033c43bSJohn Baldwin		sgl_len = 0;
5033c43bSJohn Baldwin	} else {
5033c43bSJohn Baldwin		imm_len = 0;
94578db2SJohn Baldwin		sglist_reset(s->sg_ulptx);
c0341432SJohn Baldwin		if (crp->crp_aad_length != 0) {
6deb4131SJohn Baldwin			if (crp->crp_aad != NULL)
94578db2SJohn Baldwin				error = sglist_append(s->sg_ulptx,
6deb4131SJohn Baldwin				    crp->crp_aad, crp->crp_aad_length);
6deb4131SJohn Baldwin			else
94578db2SJohn Baldwin				error = sglist_append_sglist(s->sg_ulptx,
94578db2SJohn Baldwin				    s->sg_input, crp->crp_aad_start,
6deb4131SJohn Baldwin				    crp->crp_aad_length);
5033c43bSJohn Baldwin			if (error)
5033c43bSJohn Baldwin				return (error);
5033c43bSJohn Baldwin		}
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
c0341432SJohn Baldwin		    crp->crp_payload_start, crp->crp_payload_length);
5033c43bSJohn Baldwin		if (error)
5033c43bSJohn Baldwin			return (error);
5033c43bSJohn Baldwin		if (op_type == CHCR_DECRYPT_OP) {
94578db2SJohn Baldwin			error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
c0341432SJohn Baldwin			    crp->crp_digest_start, hash_size_in_response);
5033c43bSJohn Baldwin			if (error)
5033c43bSJohn Baldwin				return (error);
5033c43bSJohn Baldwin		}
94578db2SJohn Baldwin		sgl_nsegs = s->sg_ulptx->sg_nseg;
5033c43bSJohn Baldwin		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
6deb4131SJohn Baldwin	/* Any AAD comes after the IV. */
c0341432SJohn Baldwin	if (crp->crp_aad_length != 0) {
c0341432SJohn Baldwin		aad_start = iv_len + 1;
c0341432SJohn Baldwin		aad_stop = aad_start + crp->crp_aad_length - 1;
5033c43bSJohn Baldwin	} else {
5033c43bSJohn Baldwin		aad_start = 0;
5033c43bSJohn Baldwin		aad_stop = 0;
5033c43bSJohn Baldwin	}
c0341432SJohn Baldwin	cipher_start = iv_len + crp->crp_aad_length + 1;
5033c43bSJohn Baldwin	if (op_type == CHCR_DECRYPT_OP)
5033c43bSJohn Baldwin		cipher_stop = hash_size_in_response;
5033c43bSJohn Baldwin	else
5033c43bSJohn Baldwin		cipher_stop = 0;
5033c43bSJohn Baldwin	if (op_type == CHCR_DECRYPT_OP)
5033c43bSJohn Baldwin		auth_insert = hash_size_in_response;
5033c43bSJohn Baldwin	else
5033c43bSJohn Baldwin		auth_insert = 0;
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) +
c0341432SJohn Baldwin	    sgl_len;
f7b61e2fSJohn Baldwin	if (wr_len > SGE_MAX_WR_LEN)
f7b61e2fSJohn Baldwin		return (EFBIG);
94fad5ffSJohn Baldwin	wr = alloc_wrqe(wr_len, s->port->txq);
5033c43bSJohn Baldwin	if (wr == NULL) {
94578db2SJohn Baldwin		counter_u64_add(sc->stats_wr_nomem, 1);
5033c43bSJohn Baldwin		return (ENOMEM);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin	crwr = wrtod(wr);
5033c43bSJohn Baldwin	memset(crwr, 0, wr_len);
5033c43bSJohn Baldwin
29fe41ddSJohn Baldwin	crypto_read_iv(crp, iv);
c0341432SJohn Baldwin
c0341432SJohn Baldwin	/* Zero the remainder of the IV for AES-XTS. */
762f1dcbSJohn Baldwin	memset(iv + s->cipher.iv_len, 0, iv_len - s->cipher.iv_len);
2bc40b6cSJohn Baldwin
94fad5ffSJohn Baldwin	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len,
020ce53aSJohn Baldwin	    op_type == CHCR_DECRYPT_OP ? hash_size_in_response : 0, crp);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->sec_cpl.op_ivinsrtofst = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
8f885fd1SJohn Baldwin	    V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	crwr->sec_cpl.pldlen = htobe32(iv_len + input_len);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(cipher_stop >> 4));
5033c43bSJohn Baldwin	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(cipher_stop & 0xf) |
c0341432SJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) |
c0341432SJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
5033c43bSJohn Baldwin	hmac_ctrl = ccr_hmac_ctrl(axf->hashsize, hash_size_in_response);
5033c43bSJohn Baldwin	crwr->sec_cpl.seqno_numivs = htobe32(
5033c43bSJohn Baldwin	    V_SCMD_SEQ_NO_CTRL(0) |
d09389fdSJohn Baldwin	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
5033c43bSJohn Baldwin	    V_SCMD_ENC_DEC_CTRL(op_type) |
5033c43bSJohn Baldwin	    V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) |
762f1dcbSJohn Baldwin	    V_SCMD_CIPH_MODE(s->cipher.cipher_mode) |
5033c43bSJohn Baldwin	    V_SCMD_AUTH_MODE(s->hmac.auth_mode) |
5033c43bSJohn Baldwin	    V_SCMD_HMAC_CTRL(hmac_ctrl) |
c0341432SJohn Baldwin	    V_SCMD_IV_SIZE(iv_len / 2) |
5033c43bSJohn Baldwin	    V_SCMD_NUM_IVS(0));
5033c43bSJohn Baldwin	crwr->sec_cpl.ivgen_hdrlen = htobe32(
5033c43bSJohn Baldwin	    V_SCMD_IV_GEN_CTRL(0) |
5033c43bSJohn Baldwin	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
5929c9fbSJohn Baldwin	    V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
5033c43bSJohn Baldwin
762f1dcbSJohn Baldwin	crwr->key_ctx.ctx_hdr = s->cipher.key_ctx_hdr;
762f1dcbSJohn Baldwin	switch (s->cipher.cipher_mode) {
c0341432SJohn Baldwin	case SCMD_CIPH_MODE_AES_CBC:
c0341432SJohn Baldwin		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
762f1dcbSJohn Baldwin			memcpy(crwr->key_ctx.key, s->cipher.enckey,
762f1dcbSJohn Baldwin			    s->cipher.key_len);
5033c43bSJohn Baldwin		else
762f1dcbSJohn Baldwin			memcpy(crwr->key_ctx.key, s->cipher.deckey,
762f1dcbSJohn Baldwin			    s->cipher.key_len);
5033c43bSJohn Baldwin		break;
c0341432SJohn Baldwin	case SCMD_CIPH_MODE_AES_CTR:
762f1dcbSJohn Baldwin		memcpy(crwr->key_ctx.key, s->cipher.enckey,
762f1dcbSJohn Baldwin		    s->cipher.key_len);
5033c43bSJohn Baldwin		break;
c0341432SJohn Baldwin	case SCMD_CIPH_MODE_AES_XTS:
762f1dcbSJohn Baldwin		key_half = s->cipher.key_len / 2;
762f1dcbSJohn Baldwin		memcpy(crwr->key_ctx.key, s->cipher.enckey + key_half,
5033c43bSJohn Baldwin		    key_half);
c0341432SJohn Baldwin		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
5033c43bSJohn Baldwin			memcpy(crwr->key_ctx.key + key_half,
762f1dcbSJohn Baldwin			    s->cipher.enckey, key_half);
5033c43bSJohn Baldwin		else
5033c43bSJohn Baldwin			memcpy(crwr->key_ctx.key + key_half,
762f1dcbSJohn Baldwin			    s->cipher.deckey, key_half);
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
762f1dcbSJohn Baldwin	dst = crwr->key_ctx.key + roundup2(s->cipher.key_len, 16);
a1b2b6e1SJohn Baldwin	memcpy(dst, s->hmac.pads, iopad_size * 2);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	dst = (char *)(crwr + 1) + kctx_len;
94578db2SJohn Baldwin	ccr_write_phys_dsgl(s, dst, dsgl_nsegs);
5033c43bSJohn Baldwin	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
c0341432SJohn Baldwin	memcpy(dst, iv, iv_len);
c0341432SJohn Baldwin	dst += iv_len;
5033c43bSJohn Baldwin	if (imm_len != 0) {
c0341432SJohn Baldwin		if (crp->crp_aad_length != 0) {
6deb4131SJohn Baldwin			if (crp->crp_aad != NULL)
6deb4131SJohn Baldwin				memcpy(dst, crp->crp_aad, crp->crp_aad_length);
6deb4131SJohn Baldwin			else
c0341432SJohn Baldwin				crypto_copydata(crp, crp->crp_aad_start,
c0341432SJohn Baldwin				    crp->crp_aad_length, dst);
c0341432SJohn Baldwin			dst += crp->crp_aad_length;
5033c43bSJohn Baldwin		}
c0341432SJohn Baldwin		crypto_copydata(crp, crp->crp_payload_start,
c0341432SJohn Baldwin		    crp->crp_payload_length, dst);
c0341432SJohn Baldwin		dst += crp->crp_payload_length;
5033c43bSJohn Baldwin		if (op_type == CHCR_DECRYPT_OP)
c0341432SJohn Baldwin			crypto_copydata(crp, crp->crp_digest_start,
c0341432SJohn Baldwin			    hash_size_in_response, dst);
5033c43bSJohn Baldwin	} else
94578db2SJohn Baldwin		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* XXX: TODO backpressure */
5033c43bSJohn Baldwin	t4_wrq_tx(sc->adapter, wr);
5033c43bSJohn Baldwin
1a4a7e98SJohn Baldwin	explicit_bzero(iv, sizeof(iv));
5033c43bSJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
c0341432SJohn Baldwinccr_eta_done(struct ccr_softc *sc, struct ccr_session *s,
5033c43bSJohn Baldwin    struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The updated IV to permit chained requests is at
5033c43bSJohn Baldwin	 * cpl->data[2], but OCF doesn't permit chained requests.
5033c43bSJohn Baldwin	 */
5033c43bSJohn Baldwin	return (error);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
c0341432SJohn Baldwinccr_gcm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	char iv[CHCR_MAX_CRYPTO_IV_LEN];
5033c43bSJohn Baldwin	struct chcr_wr *crwr;
5033c43bSJohn Baldwin	struct wrqe *wr;
5033c43bSJohn Baldwin	char *dst;
d3f25aa1SJohn Baldwin	u_int iv_len, kctx_len, op_type, transhdr_len, wr_len;
5033c43bSJohn Baldwin	u_int hash_size_in_response, imm_len;
5033c43bSJohn Baldwin	u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert;
5033c43bSJohn Baldwin	u_int hmac_ctrl, input_len;
5033c43bSJohn Baldwin	int dsgl_nsegs, dsgl_len;
5033c43bSJohn Baldwin	int sgl_nsegs, sgl_len;
5033c43bSJohn Baldwin	int error;
5033c43bSJohn Baldwin
762f1dcbSJohn Baldwin	if (s->cipher.key_len == 0)
5033c43bSJohn Baldwin		return (EINVAL);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
04043b3dSJohn Baldwin	 * The crypto engine doesn't handle GCM requests with an empty
04043b3dSJohn Baldwin	 * payload, so handle those in software instead.
04043b3dSJohn Baldwin	 */
c0341432SJohn Baldwin	if (crp->crp_payload_length == 0)
04043b3dSJohn Baldwin		return (EMSGSIZE);
04043b3dSJohn Baldwin
c0341432SJohn Baldwin	if (crp->crp_aad_length + AES_BLOCK_LEN > MAX_AAD_LEN)
04043b3dSJohn Baldwin		return (EMSGSIZE);
acaabdbbSJohn Baldwin
5033c43bSJohn Baldwin	hash_size_in_response = s->gmac.hash_len;
c0341432SJohn Baldwin	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
5033c43bSJohn Baldwin		op_type = CHCR_ENCRYPT_OP;
5033c43bSJohn Baldwin	else
5033c43bSJohn Baldwin		op_type = CHCR_DECRYPT_OP;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	iv_len = AES_BLOCK_LEN;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
c0341432SJohn Baldwin	 * GCM requests should always provide an explicit IV.
c0341432SJohn Baldwin	 */
c0341432SJohn Baldwin	if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0)
c0341432SJohn Baldwin		return (EINVAL);
c0341432SJohn Baldwin
c0341432SJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The output buffer consists of the cipher text followed by
5033c43bSJohn Baldwin	 * the tag when encrypting.  For decryption it only contains
5033c43bSJohn Baldwin	 * the plain text.
5929c9fbSJohn Baldwin	 *
5929c9fbSJohn Baldwin	 * Due to a firmware bug, the output buffer must include a
5929c9fbSJohn Baldwin	 * dummy output buffer for the IV and AAD prior to the real
5929c9fbSJohn Baldwin	 * output buffer.
5033c43bSJohn Baldwin	 */
d68990a1SJohn Baldwin	if (op_type == CHCR_ENCRYPT_OP) {
c0341432SJohn Baldwin		if (iv_len + crp->crp_aad_length + crp->crp_payload_length +
5929c9fbSJohn Baldwin		    hash_size_in_response > MAX_REQUEST_SIZE)
d68990a1SJohn Baldwin			return (EFBIG);
d68990a1SJohn Baldwin	} else {
c0341432SJohn Baldwin		if (iv_len + crp->crp_aad_length + crp->crp_payload_length >
c0341432SJohn Baldwin		    MAX_REQUEST_SIZE)
d68990a1SJohn Baldwin			return (EFBIG);
d68990a1SJohn Baldwin	}
94578db2SJohn Baldwin	sglist_reset(s->sg_dsgl);
94578db2SJohn Baldwin	error = sglist_append_sglist(s->sg_dsgl, sc->sg_iv_aad, 0, iv_len +
c0341432SJohn Baldwin	    crp->crp_aad_length);
5929c9fbSJohn Baldwin	if (error)
5929c9fbSJohn Baldwin		return (error);
2adc3c94SJohn Baldwin	if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
2adc3c94SJohn Baldwin		    crp->crp_payload_output_start, crp->crp_payload_length);
2adc3c94SJohn Baldwin	else
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
c0341432SJohn Baldwin		    crp->crp_payload_start, crp->crp_payload_length);
5033c43bSJohn Baldwin	if (error)
5033c43bSJohn Baldwin		return (error);
5033c43bSJohn Baldwin	if (op_type == CHCR_ENCRYPT_OP) {
2adc3c94SJohn Baldwin		if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
94578db2SJohn Baldwin			error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
2adc3c94SJohn Baldwin			    crp->crp_digest_start, hash_size_in_response);
2adc3c94SJohn Baldwin		else
94578db2SJohn Baldwin			error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
c0341432SJohn Baldwin			    crp->crp_digest_start, hash_size_in_response);
5033c43bSJohn Baldwin		if (error)
5033c43bSJohn Baldwin			return (error);
5033c43bSJohn Baldwin	}
94578db2SJohn Baldwin	dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN);
5033c43bSJohn Baldwin	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
5033c43bSJohn Baldwin		return (EFBIG);
5033c43bSJohn Baldwin	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The 'key' part of the key context consists of the key followed
5033c43bSJohn Baldwin	 * by the Galois hash key.
5033c43bSJohn Baldwin	 */
762f1dcbSJohn Baldwin	kctx_len = roundup2(s->cipher.key_len, 16) + GMAC_BLOCK_LEN;
5033c43bSJohn Baldwin	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The input buffer consists of the IV, any AAD, and then the
5033c43bSJohn Baldwin	 * cipher/plain text.  For decryption requests the hash is
5033c43bSJohn Baldwin	 * appended after the cipher text.
2bc40b6cSJohn Baldwin	 *
2bc40b6cSJohn Baldwin	 * The IV is always stored at the start of the input buffer
2bc40b6cSJohn Baldwin	 * even though it may be duplicated in the payload.  The
2bc40b6cSJohn Baldwin	 * crypto engine doesn't work properly if the IV offset points
2bc40b6cSJohn Baldwin	 * inside of the AAD region, so a second copy is always
2bc40b6cSJohn Baldwin	 * required.
5033c43bSJohn Baldwin	 */
c0341432SJohn Baldwin	input_len = crp->crp_aad_length + crp->crp_payload_length;
5033c43bSJohn Baldwin	if (op_type == CHCR_DECRYPT_OP)
5033c43bSJohn Baldwin		input_len += hash_size_in_response;
d68990a1SJohn Baldwin	if (input_len > MAX_REQUEST_SIZE)
d68990a1SJohn Baldwin		return (EFBIG);
5033c43bSJohn Baldwin	if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) {
5033c43bSJohn Baldwin		imm_len = input_len;
5033c43bSJohn Baldwin		sgl_nsegs = 0;
5033c43bSJohn Baldwin		sgl_len = 0;
5033c43bSJohn Baldwin	} else {
5033c43bSJohn Baldwin		imm_len = 0;
94578db2SJohn Baldwin		sglist_reset(s->sg_ulptx);
c0341432SJohn Baldwin		if (crp->crp_aad_length != 0) {
6deb4131SJohn Baldwin			if (crp->crp_aad != NULL)
94578db2SJohn Baldwin				error = sglist_append(s->sg_ulptx,
6deb4131SJohn Baldwin				    crp->crp_aad, crp->crp_aad_length);
6deb4131SJohn Baldwin			else
94578db2SJohn Baldwin				error = sglist_append_sglist(s->sg_ulptx,
94578db2SJohn Baldwin				    s->sg_input, crp->crp_aad_start,
6deb4131SJohn Baldwin				    crp->crp_aad_length);
5033c43bSJohn Baldwin			if (error)
5033c43bSJohn Baldwin				return (error);
5033c43bSJohn Baldwin		}
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
c0341432SJohn Baldwin		    crp->crp_payload_start, crp->crp_payload_length);
5033c43bSJohn Baldwin		if (error)
5033c43bSJohn Baldwin			return (error);
5033c43bSJohn Baldwin		if (op_type == CHCR_DECRYPT_OP) {
94578db2SJohn Baldwin			error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
c0341432SJohn Baldwin			    crp->crp_digest_start, hash_size_in_response);
5033c43bSJohn Baldwin			if (error)
5033c43bSJohn Baldwin				return (error);
5033c43bSJohn Baldwin		}
94578db2SJohn Baldwin		sgl_nsegs = s->sg_ulptx->sg_nseg;
5033c43bSJohn Baldwin		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	if (crp->crp_aad_length != 0) {
5033c43bSJohn Baldwin		aad_start = iv_len + 1;
c0341432SJohn Baldwin		aad_stop = aad_start + crp->crp_aad_length - 1;
5033c43bSJohn Baldwin	} else {
5033c43bSJohn Baldwin		aad_start = 0;
5033c43bSJohn Baldwin		aad_stop = 0;
5033c43bSJohn Baldwin	}
c0341432SJohn Baldwin	cipher_start = iv_len + crp->crp_aad_length + 1;
5033c43bSJohn Baldwin	if (op_type == CHCR_DECRYPT_OP)
5033c43bSJohn Baldwin		cipher_stop = hash_size_in_response;
5033c43bSJohn Baldwin	else
5033c43bSJohn Baldwin		cipher_stop = 0;
5033c43bSJohn Baldwin	if (op_type == CHCR_DECRYPT_OP)
5033c43bSJohn Baldwin		auth_insert = hash_size_in_response;
5033c43bSJohn Baldwin	else
5033c43bSJohn Baldwin		auth_insert = 0;
5033c43bSJohn Baldwin
d3f25aa1SJohn Baldwin	wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) +
d3f25aa1SJohn Baldwin	    sgl_len;
f7b61e2fSJohn Baldwin	if (wr_len > SGE_MAX_WR_LEN)
f7b61e2fSJohn Baldwin		return (EFBIG);
94fad5ffSJohn Baldwin	wr = alloc_wrqe(wr_len, s->port->txq);
5033c43bSJohn Baldwin	if (wr == NULL) {
94578db2SJohn Baldwin		counter_u64_add(sc->stats_wr_nomem, 1);
5033c43bSJohn Baldwin		return (ENOMEM);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin	crwr = wrtod(wr);
5033c43bSJohn Baldwin	memset(crwr, 0, wr_len);
5033c43bSJohn Baldwin
cb128893SJohn Baldwin	crypto_read_iv(crp, iv);
2bc40b6cSJohn Baldwin	*(uint32_t *)&iv[12] = htobe32(1);
2bc40b6cSJohn Baldwin
94fad5ffSJohn Baldwin	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0,
1b0909d5SConrad Meyer	    crp);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->sec_cpl.op_ivinsrtofst = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
8f885fd1SJohn Baldwin	    V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crwr->sec_cpl.pldlen = htobe32(iv_len + input_len);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * NB: cipherstop is explicitly set to 0.  On encrypt it
c0341432SJohn Baldwin	 * should normally be set to 0 anyway.  However, for decrypt
c0341432SJohn Baldwin	 * the cipher ends before the tag in the ETA case (and
c0341432SJohn Baldwin	 * authstop is set to stop before the tag), but for GCM the
c0341432SJohn Baldwin	 * cipher still runs to the end of the buffer.  Not sure if
c0341432SJohn Baldwin	 * this is intentional or a firmware quirk, but it is required
c0341432SJohn Baldwin	 * for working tag validation with GCM decryption.
5033c43bSJohn Baldwin	 */
5033c43bSJohn Baldwin	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
5033c43bSJohn Baldwin	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) |
5033c43bSJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
5033c43bSJohn Baldwin	hmac_ctrl = ccr_hmac_ctrl(AES_GMAC_HASH_LEN, hash_size_in_response);
5033c43bSJohn Baldwin	crwr->sec_cpl.seqno_numivs = htobe32(
5033c43bSJohn Baldwin	    V_SCMD_SEQ_NO_CTRL(0) |
d09389fdSJohn Baldwin	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
5033c43bSJohn Baldwin	    V_SCMD_ENC_DEC_CTRL(op_type) |
5033c43bSJohn Baldwin	    V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) |
d09389fdSJohn Baldwin	    V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_GCM) |
d09389fdSJohn Baldwin	    V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_GHASH) |
5033c43bSJohn Baldwin	    V_SCMD_HMAC_CTRL(hmac_ctrl) |
5033c43bSJohn Baldwin	    V_SCMD_IV_SIZE(iv_len / 2) |
5033c43bSJohn Baldwin	    V_SCMD_NUM_IVS(0));
5033c43bSJohn Baldwin	crwr->sec_cpl.ivgen_hdrlen = htobe32(
5033c43bSJohn Baldwin	    V_SCMD_IV_GEN_CTRL(0) |
5033c43bSJohn Baldwin	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
5929c9fbSJohn Baldwin	    V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
5033c43bSJohn Baldwin
762f1dcbSJohn Baldwin	crwr->key_ctx.ctx_hdr = s->cipher.key_ctx_hdr;
762f1dcbSJohn Baldwin	memcpy(crwr->key_ctx.key, s->cipher.enckey, s->cipher.key_len);
762f1dcbSJohn Baldwin	dst = crwr->key_ctx.key + roundup2(s->cipher.key_len, 16);
5033c43bSJohn Baldwin	memcpy(dst, s->gmac.ghash_h, GMAC_BLOCK_LEN);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	dst = (char *)(crwr + 1) + kctx_len;
94578db2SJohn Baldwin	ccr_write_phys_dsgl(s, dst, dsgl_nsegs);
5033c43bSJohn Baldwin	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
5033c43bSJohn Baldwin	memcpy(dst, iv, iv_len);
5033c43bSJohn Baldwin	dst += iv_len;
5033c43bSJohn Baldwin	if (imm_len != 0) {
c0341432SJohn Baldwin		if (crp->crp_aad_length != 0) {
6deb4131SJohn Baldwin			if (crp->crp_aad != NULL)
6deb4131SJohn Baldwin				memcpy(dst, crp->crp_aad, crp->crp_aad_length);
6deb4131SJohn Baldwin			else
c0341432SJohn Baldwin				crypto_copydata(crp, crp->crp_aad_start,
c0341432SJohn Baldwin				    crp->crp_aad_length, dst);
c0341432SJohn Baldwin			dst += crp->crp_aad_length;
5033c43bSJohn Baldwin		}
c0341432SJohn Baldwin		crypto_copydata(crp, crp->crp_payload_start,
c0341432SJohn Baldwin		    crp->crp_payload_length, dst);
c0341432SJohn Baldwin		dst += crp->crp_payload_length;
5033c43bSJohn Baldwin		if (op_type == CHCR_DECRYPT_OP)
c0341432SJohn Baldwin			crypto_copydata(crp, crp->crp_digest_start,
c0341432SJohn Baldwin			    hash_size_in_response, dst);
5033c43bSJohn Baldwin	} else
94578db2SJohn Baldwin		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/* XXX: TODO backpressure */
5033c43bSJohn Baldwin	t4_wrq_tx(sc->adapter, wr);
5033c43bSJohn Baldwin
1a4a7e98SJohn Baldwin	explicit_bzero(iv, sizeof(iv));
5033c43bSJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
5033c43bSJohn Baldwinccr_gcm_done(struct ccr_softc *sc, struct ccr_session *s,
5033c43bSJohn Baldwin    struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * The updated IV to permit chained requests is at
5033c43bSJohn Baldwin	 * cpl->data[2], but OCF doesn't permit chained requests.
5033c43bSJohn Baldwin	 *
5033c43bSJohn Baldwin	 * Note that the hardware should always verify the GMAC hash.
5033c43bSJohn Baldwin	 */
5033c43bSJohn Baldwin	return (error);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
e148e407SJohn Baldwinstatic int
e148e407SJohn Baldwinccr_ccm_hmac_ctrl(unsigned int authsize)
e148e407SJohn Baldwin{
e148e407SJohn Baldwin	switch (authsize) {
e148e407SJohn Baldwin	case 4:
e148e407SJohn Baldwin		return (SCMD_HMAC_CTRL_PL1);
e148e407SJohn Baldwin	case 6:
e148e407SJohn Baldwin		return (SCMD_HMAC_CTRL_PL2);
e148e407SJohn Baldwin	case 8:
e148e407SJohn Baldwin		return (SCMD_HMAC_CTRL_DIV2);
e148e407SJohn Baldwin	case 10:
e148e407SJohn Baldwin		return (SCMD_HMAC_CTRL_TRUNC_RFC4366);
e148e407SJohn Baldwin	case 12:
e148e407SJohn Baldwin		return (SCMD_HMAC_CTRL_IPSEC_96BIT);
e148e407SJohn Baldwin	case 14:
e148e407SJohn Baldwin		return (SCMD_HMAC_CTRL_PL3);
e148e407SJohn Baldwin	case 16:
e148e407SJohn Baldwin		return (SCMD_HMAC_CTRL_NO_TRUNC);
e148e407SJohn Baldwin	default:
e148e407SJohn Baldwin		__assert_unreachable();
e148e407SJohn Baldwin	}
e148e407SJohn Baldwin}
e148e407SJohn Baldwin
5033c43bSJohn Baldwinstatic void
c0341432SJohn Baldwingenerate_ccm_b0(struct cryptop *crp, u_int hash_size_in_response,
c0341432SJohn Baldwin    const char *iv, char *b0)
6b0451d6SJohn Baldwin{
3e6a97b3SJohn Baldwin	u_int i, payload_len, L;
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/* NB: L is already set in the first byte of the IV. */
6b0451d6SJohn Baldwin	memcpy(b0, iv, CCM_B0_SIZE);
3e6a97b3SJohn Baldwin	L = iv[0] + 1;
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/* Set length of hash in bits 3 - 5. */
6b0451d6SJohn Baldwin	b0[0] |= (((hash_size_in_response - 2) / 2) << 3);
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/* Store the payload length as a big-endian value. */
c0341432SJohn Baldwin	payload_len = crp->crp_payload_length;
3e6a97b3SJohn Baldwin	for (i = 0; i < L; i++) {
6b0451d6SJohn Baldwin		b0[CCM_CBC_BLOCK_LEN - 1 - i] = payload_len;
6b0451d6SJohn Baldwin		payload_len >>= 8;
6b0451d6SJohn Baldwin	}
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/*
6b0451d6SJohn Baldwin	 * If there is AAD in the request, set bit 6 in the flags
6b0451d6SJohn Baldwin	 * field and store the AAD length as a big-endian value at the
6b0451d6SJohn Baldwin	 * start of block 1.  This only assumes a 16-bit AAD length
6b0451d6SJohn Baldwin	 * since T6 doesn't support large AAD sizes.
6b0451d6SJohn Baldwin	 */
c0341432SJohn Baldwin	if (crp->crp_aad_length != 0) {
6b0451d6SJohn Baldwin		b0[0] |= (1 << 6);
c0341432SJohn Baldwin		*(uint16_t *)(b0 + CCM_B0_SIZE) = htobe16(crp->crp_aad_length);
6b0451d6SJohn Baldwin	}
6b0451d6SJohn Baldwin}
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwinstatic int
c0341432SJohn Baldwinccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
6b0451d6SJohn Baldwin{
6b0451d6SJohn Baldwin	char iv[CHCR_MAX_CRYPTO_IV_LEN];
3e6a97b3SJohn Baldwin	const struct crypto_session_params *csp;
6b0451d6SJohn Baldwin	struct ulptx_idata *idata;
6b0451d6SJohn Baldwin	struct chcr_wr *crwr;
6b0451d6SJohn Baldwin	struct wrqe *wr;
6b0451d6SJohn Baldwin	char *dst;
6b0451d6SJohn Baldwin	u_int iv_len, kctx_len, op_type, transhdr_len, wr_len;
6b0451d6SJohn Baldwin	u_int aad_len, b0_len, hash_size_in_response, imm_len;
6b0451d6SJohn Baldwin	u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert;
6b0451d6SJohn Baldwin	u_int hmac_ctrl, input_len;
6b0451d6SJohn Baldwin	int dsgl_nsegs, dsgl_len;
6b0451d6SJohn Baldwin	int sgl_nsegs, sgl_len;
6b0451d6SJohn Baldwin	int error;
6b0451d6SJohn Baldwin
3e6a97b3SJohn Baldwin	csp = crypto_get_params(crp->crp_session);
3e6a97b3SJohn Baldwin
762f1dcbSJohn Baldwin	if (s->cipher.key_len == 0)
6b0451d6SJohn Baldwin		return (EINVAL);
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/*
6b0451d6SJohn Baldwin	 * The crypto engine doesn't handle CCM requests with an empty
6b0451d6SJohn Baldwin	 * payload, so handle those in software instead.
6b0451d6SJohn Baldwin	 */
c0341432SJohn Baldwin	if (crp->crp_payload_length == 0)
6b0451d6SJohn Baldwin		return (EMSGSIZE);
6b0451d6SJohn Baldwin
3e6a97b3SJohn Baldwin	/* The length has to fit within the length field in block 0. */
3e6a97b3SJohn Baldwin	if (crp->crp_payload_length > ccm_max_payload_length(csp))
3e6a97b3SJohn Baldwin		return (EMSGSIZE);
3e6a97b3SJohn Baldwin
6b0451d6SJohn Baldwin	/*
6b0451d6SJohn Baldwin	 * CCM always includes block 0 in the AAD before AAD from the
6b0451d6SJohn Baldwin	 * request.
6b0451d6SJohn Baldwin	 */
6b0451d6SJohn Baldwin	b0_len = CCM_B0_SIZE;
c0341432SJohn Baldwin	if (crp->crp_aad_length != 0)
6b0451d6SJohn Baldwin		b0_len += CCM_AAD_FIELD_SIZE;
c0341432SJohn Baldwin	aad_len = b0_len + crp->crp_aad_length;
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/*
c0341432SJohn Baldwin	 * CCM requests should always provide an explicit IV (really
c0341432SJohn Baldwin	 * the nonce).
c0341432SJohn Baldwin	 */
c0341432SJohn Baldwin	if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0)
c0341432SJohn Baldwin		return (EINVAL);
c0341432SJohn Baldwin
c0341432SJohn Baldwin	/*
3e6a97b3SJohn Baldwin	 * The IV in the work request is 16 bytes and not just the
3e6a97b3SJohn Baldwin	 * nonce.
6b0451d6SJohn Baldwin	 */
6b0451d6SJohn Baldwin	iv_len = AES_BLOCK_LEN;
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	if (iv_len + aad_len > MAX_AAD_LEN)
6b0451d6SJohn Baldwin		return (EMSGSIZE);
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	hash_size_in_response = s->ccm_mac.hash_len;
c0341432SJohn Baldwin	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
6b0451d6SJohn Baldwin		op_type = CHCR_ENCRYPT_OP;
6b0451d6SJohn Baldwin	else
6b0451d6SJohn Baldwin		op_type = CHCR_DECRYPT_OP;
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/*
6b0451d6SJohn Baldwin	 * The output buffer consists of the cipher text followed by
6b0451d6SJohn Baldwin	 * the tag when encrypting.  For decryption it only contains
6b0451d6SJohn Baldwin	 * the plain text.
6b0451d6SJohn Baldwin	 *
6b0451d6SJohn Baldwin	 * Due to a firmware bug, the output buffer must include a
6b0451d6SJohn Baldwin	 * dummy output buffer for the IV and AAD prior to the real
6b0451d6SJohn Baldwin	 * output buffer.
6b0451d6SJohn Baldwin	 */
6b0451d6SJohn Baldwin	if (op_type == CHCR_ENCRYPT_OP) {
c0341432SJohn Baldwin		if (iv_len + aad_len + crp->crp_payload_length +
c0341432SJohn Baldwin		    hash_size_in_response > MAX_REQUEST_SIZE)
6b0451d6SJohn Baldwin			return (EFBIG);
6b0451d6SJohn Baldwin	} else {
c0341432SJohn Baldwin		if (iv_len + aad_len + crp->crp_payload_length >
c0341432SJohn Baldwin		    MAX_REQUEST_SIZE)
6b0451d6SJohn Baldwin			return (EFBIG);
6b0451d6SJohn Baldwin	}
94578db2SJohn Baldwin	sglist_reset(s->sg_dsgl);
94578db2SJohn Baldwin	error = sglist_append_sglist(s->sg_dsgl, sc->sg_iv_aad, 0, iv_len +
6b0451d6SJohn Baldwin	    aad_len);
6b0451d6SJohn Baldwin	if (error)
6b0451d6SJohn Baldwin		return (error);
2adc3c94SJohn Baldwin	if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
2adc3c94SJohn Baldwin		    crp->crp_payload_output_start, crp->crp_payload_length);
2adc3c94SJohn Baldwin	else
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
c0341432SJohn Baldwin		    crp->crp_payload_start, crp->crp_payload_length);
6b0451d6SJohn Baldwin	if (error)
6b0451d6SJohn Baldwin		return (error);
6b0451d6SJohn Baldwin	if (op_type == CHCR_ENCRYPT_OP) {
2adc3c94SJohn Baldwin		if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
94578db2SJohn Baldwin			error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
2adc3c94SJohn Baldwin			    crp->crp_digest_start, hash_size_in_response);
2adc3c94SJohn Baldwin		else
94578db2SJohn Baldwin			error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
c0341432SJohn Baldwin			    crp->crp_digest_start, hash_size_in_response);
6b0451d6SJohn Baldwin		if (error)
6b0451d6SJohn Baldwin			return (error);
6b0451d6SJohn Baldwin	}
94578db2SJohn Baldwin	dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN);
6b0451d6SJohn Baldwin	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
6b0451d6SJohn Baldwin		return (EFBIG);
6b0451d6SJohn Baldwin	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/*
6b0451d6SJohn Baldwin	 * The 'key' part of the key context consists of two copies of
6b0451d6SJohn Baldwin	 * the AES key.
6b0451d6SJohn Baldwin	 */
762f1dcbSJohn Baldwin	kctx_len = roundup2(s->cipher.key_len, 16) * 2;
6b0451d6SJohn Baldwin	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/*
6b0451d6SJohn Baldwin	 * The input buffer consists of the IV, AAD (including block
6b0451d6SJohn Baldwin	 * 0), and then the cipher/plain text.  For decryption
6b0451d6SJohn Baldwin	 * requests the hash is appended after the cipher text.
6b0451d6SJohn Baldwin	 *
6b0451d6SJohn Baldwin	 * The IV is always stored at the start of the input buffer
6b0451d6SJohn Baldwin	 * even though it may be duplicated in the payload.  The
6b0451d6SJohn Baldwin	 * crypto engine doesn't work properly if the IV offset points
6b0451d6SJohn Baldwin	 * inside of the AAD region, so a second copy is always
6b0451d6SJohn Baldwin	 * required.
6b0451d6SJohn Baldwin	 */
c0341432SJohn Baldwin	input_len = aad_len + crp->crp_payload_length;
6b0451d6SJohn Baldwin	if (op_type == CHCR_DECRYPT_OP)
6b0451d6SJohn Baldwin		input_len += hash_size_in_response;
6b0451d6SJohn Baldwin	if (input_len > MAX_REQUEST_SIZE)
6b0451d6SJohn Baldwin		return (EFBIG);
6b0451d6SJohn Baldwin	if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) {
6b0451d6SJohn Baldwin		imm_len = input_len;
6b0451d6SJohn Baldwin		sgl_nsegs = 0;
6b0451d6SJohn Baldwin		sgl_len = 0;
6b0451d6SJohn Baldwin	} else {
6b0451d6SJohn Baldwin		/* Block 0 is passed as immediate data. */
6b0451d6SJohn Baldwin		imm_len = b0_len;
6b0451d6SJohn Baldwin
94578db2SJohn Baldwin		sglist_reset(s->sg_ulptx);
c0341432SJohn Baldwin		if (crp->crp_aad_length != 0) {
6deb4131SJohn Baldwin			if (crp->crp_aad != NULL)
94578db2SJohn Baldwin				error = sglist_append(s->sg_ulptx,
6deb4131SJohn Baldwin				    crp->crp_aad, crp->crp_aad_length);
6deb4131SJohn Baldwin			else
94578db2SJohn Baldwin				error = sglist_append_sglist(s->sg_ulptx,
94578db2SJohn Baldwin				    s->sg_input, crp->crp_aad_start,
6deb4131SJohn Baldwin				    crp->crp_aad_length);
6b0451d6SJohn Baldwin			if (error)
6b0451d6SJohn Baldwin				return (error);
6b0451d6SJohn Baldwin		}
94578db2SJohn Baldwin		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
c0341432SJohn Baldwin		    crp->crp_payload_start, crp->crp_payload_length);
6b0451d6SJohn Baldwin		if (error)
6b0451d6SJohn Baldwin			return (error);
6b0451d6SJohn Baldwin		if (op_type == CHCR_DECRYPT_OP) {
94578db2SJohn Baldwin			error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
c0341432SJohn Baldwin			    crp->crp_digest_start, hash_size_in_response);
6b0451d6SJohn Baldwin			if (error)
6b0451d6SJohn Baldwin				return (error);
6b0451d6SJohn Baldwin		}
94578db2SJohn Baldwin		sgl_nsegs = s->sg_ulptx->sg_nseg;
6b0451d6SJohn Baldwin		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
6b0451d6SJohn Baldwin	}
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	aad_start = iv_len + 1;
6b0451d6SJohn Baldwin	aad_stop = aad_start + aad_len - 1;
6b0451d6SJohn Baldwin	cipher_start = aad_stop + 1;
6b0451d6SJohn Baldwin	if (op_type == CHCR_DECRYPT_OP)
6b0451d6SJohn Baldwin		cipher_stop = hash_size_in_response;
6b0451d6SJohn Baldwin	else
6b0451d6SJohn Baldwin		cipher_stop = 0;
6b0451d6SJohn Baldwin	if (op_type == CHCR_DECRYPT_OP)
6b0451d6SJohn Baldwin		auth_insert = hash_size_in_response;
6b0451d6SJohn Baldwin	else
6b0451d6SJohn Baldwin		auth_insert = 0;
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) +
6b0451d6SJohn Baldwin	    sgl_len;
6b0451d6SJohn Baldwin	if (wr_len > SGE_MAX_WR_LEN)
6b0451d6SJohn Baldwin		return (EFBIG);
94fad5ffSJohn Baldwin	wr = alloc_wrqe(wr_len, s->port->txq);
6b0451d6SJohn Baldwin	if (wr == NULL) {
94578db2SJohn Baldwin		counter_u64_add(sc->stats_wr_nomem, 1);
6b0451d6SJohn Baldwin		return (ENOMEM);
6b0451d6SJohn Baldwin	}
6b0451d6SJohn Baldwin	crwr = wrtod(wr);
6b0451d6SJohn Baldwin	memset(crwr, 0, wr_len);
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/*
c0341432SJohn Baldwin	 * Read the nonce from the request.  Use the nonce to generate
c0341432SJohn Baldwin	 * the full IV with the counter set to 0.
6b0451d6SJohn Baldwin	 */
6b0451d6SJohn Baldwin	memset(iv, 0, iv_len);
3e6a97b3SJohn Baldwin	iv[0] = (15 - csp->csp_ivlen) - 1;
cb128893SJohn Baldwin	crypto_read_iv(crp, iv + 1);
6b0451d6SJohn Baldwin
94fad5ffSJohn Baldwin	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0,
6b0451d6SJohn Baldwin	    crp);
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	crwr->sec_cpl.op_ivinsrtofst = htobe32(
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
8f885fd1SJohn Baldwin	    V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) |
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	crwr->sec_cpl.pldlen = htobe32(iv_len + input_len);
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/*
6b0451d6SJohn Baldwin	 * NB: cipherstop is explicitly set to 0.  See comments above
6b0451d6SJohn Baldwin	 * in ccr_gcm().
6b0451d6SJohn Baldwin	 */
6b0451d6SJohn Baldwin	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
6b0451d6SJohn Baldwin	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) |
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) |
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) |
6b0451d6SJohn Baldwin	    V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
e148e407SJohn Baldwin	hmac_ctrl = ccr_ccm_hmac_ctrl(hash_size_in_response);
6b0451d6SJohn Baldwin	crwr->sec_cpl.seqno_numivs = htobe32(
6b0451d6SJohn Baldwin	    V_SCMD_SEQ_NO_CTRL(0) |
6b0451d6SJohn Baldwin	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
6b0451d6SJohn Baldwin	    V_SCMD_ENC_DEC_CTRL(op_type) |
6b0451d6SJohn Baldwin	    V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 0 : 1) |
6b0451d6SJohn Baldwin	    V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_CCM) |
6b0451d6SJohn Baldwin	    V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_CBCMAC) |
6b0451d6SJohn Baldwin	    V_SCMD_HMAC_CTRL(hmac_ctrl) |
6b0451d6SJohn Baldwin	    V_SCMD_IV_SIZE(iv_len / 2) |
6b0451d6SJohn Baldwin	    V_SCMD_NUM_IVS(0));
6b0451d6SJohn Baldwin	crwr->sec_cpl.ivgen_hdrlen = htobe32(
6b0451d6SJohn Baldwin	    V_SCMD_IV_GEN_CTRL(0) |
6b0451d6SJohn Baldwin	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
6b0451d6SJohn Baldwin	    V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
6b0451d6SJohn Baldwin
762f1dcbSJohn Baldwin	crwr->key_ctx.ctx_hdr = s->cipher.key_ctx_hdr;
762f1dcbSJohn Baldwin	memcpy(crwr->key_ctx.key, s->cipher.enckey, s->cipher.key_len);
762f1dcbSJohn Baldwin	memcpy(crwr->key_ctx.key + roundup(s->cipher.key_len, 16),
762f1dcbSJohn Baldwin	    s->cipher.enckey, s->cipher.key_len);
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	dst = (char *)(crwr + 1) + kctx_len;
94578db2SJohn Baldwin	ccr_write_phys_dsgl(s, dst, dsgl_nsegs);
6b0451d6SJohn Baldwin	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
6b0451d6SJohn Baldwin	memcpy(dst, iv, iv_len);
6b0451d6SJohn Baldwin	dst += iv_len;
c0341432SJohn Baldwin	generate_ccm_b0(crp, hash_size_in_response, iv, dst);
6b0451d6SJohn Baldwin	if (sgl_nsegs == 0) {
6b0451d6SJohn Baldwin		dst += b0_len;
c0341432SJohn Baldwin		if (crp->crp_aad_length != 0) {
6deb4131SJohn Baldwin			if (crp->crp_aad != NULL)
6deb4131SJohn Baldwin				memcpy(dst, crp->crp_aad, crp->crp_aad_length);
6deb4131SJohn Baldwin			else
c0341432SJohn Baldwin				crypto_copydata(crp, crp->crp_aad_start,
c0341432SJohn Baldwin				    crp->crp_aad_length, dst);
c0341432SJohn Baldwin			dst += crp->crp_aad_length;
6b0451d6SJohn Baldwin		}
c0341432SJohn Baldwin		crypto_copydata(crp, crp->crp_payload_start,
c0341432SJohn Baldwin		    crp->crp_payload_length, dst);
c0341432SJohn Baldwin		dst += crp->crp_payload_length;
6b0451d6SJohn Baldwin		if (op_type == CHCR_DECRYPT_OP)
c0341432SJohn Baldwin			crypto_copydata(crp, crp->crp_digest_start,
c0341432SJohn Baldwin			    hash_size_in_response, dst);
6b0451d6SJohn Baldwin	} else {
6b0451d6SJohn Baldwin		dst += CCM_B0_SIZE;
6b0451d6SJohn Baldwin		if (b0_len > CCM_B0_SIZE) {
6b0451d6SJohn Baldwin			/*
6b0451d6SJohn Baldwin			 * If there is AAD, insert padding including a
6b0451d6SJohn Baldwin			 * ULP_TX_SC_NOOP so that the ULP_TX_SC_DSGL
6b0451d6SJohn Baldwin			 * is 16-byte aligned.
6b0451d6SJohn Baldwin			 */
6b0451d6SJohn Baldwin			KASSERT(b0_len - CCM_B0_SIZE == CCM_AAD_FIELD_SIZE,
6b0451d6SJohn Baldwin			    ("b0_len mismatch"));
6b0451d6SJohn Baldwin			memset(dst + CCM_AAD_FIELD_SIZE, 0,
6b0451d6SJohn Baldwin			    8 - CCM_AAD_FIELD_SIZE);
6b0451d6SJohn Baldwin			idata = (void *)(dst + 8);
6b0451d6SJohn Baldwin			idata->cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_NOOP));
6b0451d6SJohn Baldwin			idata->len = htobe32(0);
6b0451d6SJohn Baldwin			dst = (void *)(idata + 1);
6b0451d6SJohn Baldwin		}
94578db2SJohn Baldwin		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
6b0451d6SJohn Baldwin	}
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/* XXX: TODO backpressure */
6b0451d6SJohn Baldwin	t4_wrq_tx(sc->adapter, wr);
6b0451d6SJohn Baldwin
1a4a7e98SJohn Baldwin	explicit_bzero(iv, sizeof(iv));
6b0451d6SJohn Baldwin	return (0);
6b0451d6SJohn Baldwin}
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwinstatic int
6b0451d6SJohn Baldwinccr_ccm_done(struct ccr_softc *sc, struct ccr_session *s,
6b0451d6SJohn Baldwin    struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
6b0451d6SJohn Baldwin{
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin	/*
6b0451d6SJohn Baldwin	 * The updated IV to permit chained requests is at
6b0451d6SJohn Baldwin	 * cpl->data[2], but OCF doesn't permit chained requests.
6b0451d6SJohn Baldwin	 *
6b0451d6SJohn Baldwin	 * Note that the hardware should always verify the CBC MAC
6b0451d6SJohn Baldwin	 * hash.
6b0451d6SJohn Baldwin	 */
6b0451d6SJohn Baldwin	return (error);
6b0451d6SJohn Baldwin}
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwin/*
e43cf698SJohn Baldwin * Use the software session for requests not supported by the crypto
e43cf698SJohn Baldwin * engine (e.g. CCM and GCM requests with an empty payload).
6b0451d6SJohn Baldwin */
4361c4ebSJohn Baldwinstatic int
e43cf698SJohn Baldwinccr_soft_done(struct cryptop *crp)
4361c4ebSJohn Baldwin{
e43cf698SJohn Baldwin	struct cryptop *orig;
e43cf698SJohn Baldwin
e43cf698SJohn Baldwin	orig = crp->crp_opaque;
e43cf698SJohn Baldwin	orig->crp_etype = crp->crp_etype;
e43cf698SJohn Baldwin	crypto_freereq(crp);
e43cf698SJohn Baldwin	crypto_done(orig);
e43cf698SJohn Baldwin	return (0);
4361c4ebSJohn Baldwin}
4361c4ebSJohn Baldwin
4361c4ebSJohn Baldwinstatic void
e43cf698SJohn Baldwinccr_soft(struct ccr_session *s, struct cryptop *crp)
6b0451d6SJohn Baldwin{
e43cf698SJohn Baldwin	struct cryptop *new;
e43cf698SJohn Baldwin	int error;
6b0451d6SJohn Baldwin
e43cf698SJohn Baldwin	new = crypto_clonereq(crp, s->sw_session, M_NOWAIT);
e43cf698SJohn Baldwin	if (new == NULL) {
e43cf698SJohn Baldwin		crp->crp_etype = ENOMEM;
e43cf698SJohn Baldwin		crypto_done(crp);
e43cf698SJohn Baldwin		return;
3e6a97b3SJohn Baldwin	}
3e6a97b3SJohn Baldwin
e43cf698SJohn Baldwin	/*
e43cf698SJohn Baldwin	 * XXX: This only really needs CRYPTO_ASYNC_ORDERED if the
e43cf698SJohn Baldwin	 * original request was dispatched that way.  There is no way
e43cf698SJohn Baldwin	 * to know that though since crypto_dispatch_async() discards
e43cf698SJohn Baldwin	 * the flag for async backends (such as ccr(4)).
e43cf698SJohn Baldwin	 */
e43cf698SJohn Baldwin	new->crp_opaque = crp;
e43cf698SJohn Baldwin	new->crp_callback = ccr_soft_done;
e43cf698SJohn Baldwin	error = crypto_dispatch_async(new, CRYPTO_ASYNC_ORDERED);
e43cf698SJohn Baldwin	if (error != 0) {
6b0451d6SJohn Baldwin		crp->crp_etype = error;
6b0451d6SJohn Baldwin		crypto_done(crp);
6b0451d6SJohn Baldwin	}
e43cf698SJohn Baldwin}
6b0451d6SJohn Baldwin
6b0451d6SJohn Baldwinstatic void
5033c43bSJohn Baldwinccr_identify(driver_t *driver, device_t parent)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	struct adapter *sc;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	sc = device_get_softc(parent);
5033c43bSJohn Baldwin	if (sc->cryptocaps & FW_CAPS_CONFIG_CRYPTO_LOOKASIDE &&
*b670c9baSAhmad Khalifa	    device_find_child(parent, "ccr", DEVICE_UNIT_ANY) == NULL)
5b56413dSWarner Losh		device_add_child(parent, "ccr", DEVICE_UNIT_ANY);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
5033c43bSJohn Baldwinccr_probe(device_t dev)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	device_set_desc(dev, "Chelsio Crypto Accelerator");
5033c43bSJohn Baldwin	return (BUS_PROBE_DEFAULT);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic void
5033c43bSJohn Baldwinccr_sysctls(struct ccr_softc *sc)
5033c43bSJohn Baldwin{
a727d953SNavdeep Parhar	struct sysctl_ctx_list *ctx = &sc->ctx;
94fad5ffSJohn Baldwin	struct sysctl_oid *oid, *port_oid;
5033c43bSJohn Baldwin	struct sysctl_oid_list *children;
94fad5ffSJohn Baldwin	char buf[16];
94fad5ffSJohn Baldwin	int i;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * dev.ccr.X.
5033c43bSJohn Baldwin	 */
5033c43bSJohn Baldwin	oid = device_get_sysctl_tree(sc->dev);
5033c43bSJohn Baldwin	children = SYSCTL_CHILDREN(oid);
5033c43bSJohn Baldwin
94fad5ffSJohn Baldwin	SYSCTL_ADD_UINT(ctx, children, OID_AUTO, "port_mask", CTLFLAG_RW,
94fad5ffSJohn Baldwin	    &sc->port_mask, 0, "Mask of enabled ports");
94fad5ffSJohn Baldwin
5033c43bSJohn Baldwin	/*
5033c43bSJohn Baldwin	 * dev.ccr.X.stats.
5033c43bSJohn Baldwin	 */
7029da5cSPawel Biernacki	oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "stats",
7029da5cSPawel Biernacki	    CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "statistics");
5033c43bSJohn Baldwin	children = SYSCTL_CHILDREN(oid);
5033c43bSJohn Baldwin
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "hash", CTLFLAG_RD,
94578db2SJohn Baldwin	    &sc->stats_hash, "Hash requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "hmac", CTLFLAG_RD,
94578db2SJohn Baldwin	    &sc->stats_hmac, "HMAC requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "cipher_encrypt",
762f1dcbSJohn Baldwin	    CTLFLAG_RD, &sc->stats_cipher_encrypt,
5033c43bSJohn Baldwin	    "Cipher encryption requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "cipher_decrypt",
762f1dcbSJohn Baldwin	    CTLFLAG_RD, &sc->stats_cipher_decrypt,
5033c43bSJohn Baldwin	    "Cipher decryption requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "eta_encrypt",
94578db2SJohn Baldwin	    CTLFLAG_RD, &sc->stats_eta_encrypt,
5033c43bSJohn Baldwin	    "Combined AES+HMAC encryption requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "eta_decrypt",
94578db2SJohn Baldwin	    CTLFLAG_RD, &sc->stats_eta_decrypt,
5033c43bSJohn Baldwin	    "Combined AES+HMAC decryption requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "gcm_encrypt",
94578db2SJohn Baldwin	    CTLFLAG_RD, &sc->stats_gcm_encrypt,
94578db2SJohn Baldwin	    "AES-GCM encryption requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "gcm_decrypt",
94578db2SJohn Baldwin	    CTLFLAG_RD, &sc->stats_gcm_decrypt,
94578db2SJohn Baldwin	    "AES-GCM decryption requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "ccm_encrypt",
94578db2SJohn Baldwin	    CTLFLAG_RD, &sc->stats_ccm_encrypt,
94578db2SJohn Baldwin	    "AES-CCM encryption requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "ccm_decrypt",
94578db2SJohn Baldwin	    CTLFLAG_RD, &sc->stats_ccm_decrypt,
94578db2SJohn Baldwin	    "AES-CCM decryption requests submitted");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "wr_nomem", CTLFLAG_RD,
94578db2SJohn Baldwin	    &sc->stats_wr_nomem, "Work request memory allocation failures");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "inflight", CTLFLAG_RD,
94578db2SJohn Baldwin	    &sc->stats_inflight, "Requests currently pending");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "mac_error", CTLFLAG_RD,
94578db2SJohn Baldwin	    &sc->stats_mac_error, "MAC errors");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "pad_error", CTLFLAG_RD,
94578db2SJohn Baldwin	    &sc->stats_pad_error, "Padding errors");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "sglist_error",
94578db2SJohn Baldwin	    CTLFLAG_RD, &sc->stats_sglist_error,
2bd1e600SJohn Baldwin	    "Requests for which DMA mapping failed");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "process_error",
94578db2SJohn Baldwin	    CTLFLAG_RD, &sc->stats_process_error,
94578db2SJohn Baldwin	    "Requests failed during queueing");
94578db2SJohn Baldwin	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "sw_fallback",
94578db2SJohn Baldwin	    CTLFLAG_RD, &sc->stats_sw_fallback,
04043b3dSJohn Baldwin	    "Requests processed by falling back to software");
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwin	/*
94fad5ffSJohn Baldwin	 * dev.ccr.X.stats.port
94fad5ffSJohn Baldwin	 */
94fad5ffSJohn Baldwin	port_oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "port",
94fad5ffSJohn Baldwin	    CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "Per-port statistics");
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwin	for (i = 0; i < nitems(sc->ports); i++) {
94fad5ffSJohn Baldwin		if (sc->ports[i].rxq == NULL)
94fad5ffSJohn Baldwin			continue;
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwin		/*
94fad5ffSJohn Baldwin		 * dev.ccr.X.stats.port.Y
94fad5ffSJohn Baldwin		 */
94fad5ffSJohn Baldwin		snprintf(buf, sizeof(buf), "%d", i);
94fad5ffSJohn Baldwin		oid = SYSCTL_ADD_NODE(ctx, SYSCTL_CHILDREN(port_oid), OID_AUTO,
94fad5ffSJohn Baldwin		    buf, CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, buf);
94fad5ffSJohn Baldwin		children = SYSCTL_CHILDREN(oid);
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwin		SYSCTL_ADD_UINT(ctx, children, OID_AUTO, "active_sessions",
94fad5ffSJohn Baldwin		    CTLFLAG_RD, &sc->ports[i].active_sessions, 0,
94fad5ffSJohn Baldwin		    "Count of active sessions");
9c5137beSJohn Baldwin		SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "queued",
9c5137beSJohn Baldwin		    CTLFLAG_RD, &sc->ports[i].stats_queued, "Requests queued");
9c5137beSJohn Baldwin		SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "completed",
9c5137beSJohn Baldwin		    CTLFLAG_RD, &sc->ports[i].stats_completed,
9c5137beSJohn Baldwin		    "Requests completed");
94fad5ffSJohn Baldwin	}
94fad5ffSJohn Baldwin}
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwinstatic void
94fad5ffSJohn Baldwinccr_init_port(struct ccr_softc *sc, int port)
94fad5ffSJohn Baldwin{
8f885fd1SJohn Baldwin	struct port_info *pi;
94fad5ffSJohn Baldwin
8f885fd1SJohn Baldwin	pi = sc->adapter->port[port];
94fad5ffSJohn Baldwin	sc->ports[port].txq = &sc->adapter->sge.ctrlq[port];
8f885fd1SJohn Baldwin	sc->ports[port].rxq = &sc->adapter->sge.rxq[pi->vi->first_rxq];
480ff89cSNavdeep Parhar	sc->ports[port].rx_channel_id = pi->rx_chan;
8f885fd1SJohn Baldwin	sc->ports[port].tx_channel_id = pi->tx_chan;
9c5137beSJohn Baldwin	sc->ports[port].stats_queued = counter_u64_alloc(M_WAITOK);
9c5137beSJohn Baldwin	sc->ports[port].stats_completed = counter_u64_alloc(M_WAITOK);
94fad5ffSJohn Baldwin	_Static_assert(sizeof(sc->port_mask) * NBBY >= MAX_NPORTS - 1,
94fad5ffSJohn Baldwin	    "Too many ports to fit in port_mask");
5fe0cd65SJohn Baldwin
5fe0cd65SJohn Baldwin	/*
5fe0cd65SJohn Baldwin	 * Completions for crypto requests on port 1 can sometimes
5fe0cd65SJohn Baldwin	 * return a stale cookie value due to a firmware bug.  Disable
5fe0cd65SJohn Baldwin	 * requests on port 1 by default on affected firmware.
5fe0cd65SJohn Baldwin	 */
5fe0cd65SJohn Baldwin	if (sc->adapter->params.fw_vers >= FW_VERSION32(1, 25, 4, 0) ||
5fe0cd65SJohn Baldwin	    port == 0)
94fad5ffSJohn Baldwin		sc->port_mask |= 1u << port;
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
5033c43bSJohn Baldwinccr_attach(device_t dev)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	struct ccr_softc *sc;
5033c43bSJohn Baldwin	int32_t cid;
94fad5ffSJohn Baldwin	int i;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	sc = device_get_softc(dev);
5033c43bSJohn Baldwin	sc->dev = dev;
a727d953SNavdeep Parhar	sysctl_ctx_init(&sc->ctx);
5033c43bSJohn Baldwin	sc->adapter = device_get_softc(device_get_parent(dev));
94fad5ffSJohn Baldwin	for_each_port(sc->adapter, i) {
94fad5ffSJohn Baldwin		ccr_init_port(sc, i);
94fad5ffSJohn Baldwin	}
1b0909d5SConrad Meyer	cid = crypto_get_driverid(dev, sizeof(struct ccr_session),
1b0909d5SConrad Meyer	    CRYPTOCAP_F_HARDWARE);
5033c43bSJohn Baldwin	if (cid < 0) {
5033c43bSJohn Baldwin		device_printf(dev, "could not get crypto driver id\n");
5033c43bSJohn Baldwin		return (ENXIO);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin	sc->cid = cid;
5033c43bSJohn Baldwin
8f885fd1SJohn Baldwin	/*
8f885fd1SJohn Baldwin	 * The FID must be the first RXQ for port 0 regardless of
8f885fd1SJohn Baldwin	 * which port is used to service the request.
8f885fd1SJohn Baldwin	 */
8f885fd1SJohn Baldwin	sc->first_rxq_id = sc->adapter->sge.rxq[0].iq.abs_id;
8f885fd1SJohn Baldwin
5033c43bSJohn Baldwin	mtx_init(&sc->lock, "ccr", NULL, MTX_DEF);
5929c9fbSJohn Baldwin	sc->iv_aad_buf = malloc(MAX_AAD_LEN, M_CCR, M_WAITOK);
5929c9fbSJohn Baldwin	sc->sg_iv_aad = sglist_build(sc->iv_aad_buf, MAX_AAD_LEN, M_WAITOK);
762f1dcbSJohn Baldwin	sc->stats_cipher_encrypt = counter_u64_alloc(M_WAITOK);
762f1dcbSJohn Baldwin	sc->stats_cipher_decrypt = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_hash = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_hmac = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_eta_encrypt = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_eta_decrypt = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_gcm_encrypt = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_gcm_decrypt = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_ccm_encrypt = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_ccm_decrypt = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_wr_nomem = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_inflight = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_mac_error = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_pad_error = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_sglist_error = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_process_error = counter_u64_alloc(M_WAITOK);
94578db2SJohn Baldwin	sc->stats_sw_fallback = counter_u64_alloc(M_WAITOK);
5033c43bSJohn Baldwin	ccr_sysctls(sc);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
9c5137beSJohn Baldwinstatic void
9c5137beSJohn Baldwinccr_free_port(struct ccr_softc *sc, int port)
9c5137beSJohn Baldwin{
9c5137beSJohn Baldwin
9c5137beSJohn Baldwin	counter_u64_free(sc->ports[port].stats_queued);
9c5137beSJohn Baldwin	counter_u64_free(sc->ports[port].stats_completed);
9c5137beSJohn Baldwin}
9c5137beSJohn Baldwin
5033c43bSJohn Baldwinstatic int
5033c43bSJohn Baldwinccr_detach(device_t dev)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	struct ccr_softc *sc;
9c5137beSJohn Baldwin	int i;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	sc = device_get_softc(dev);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	mtx_lock(&sc->lock);
5033c43bSJohn Baldwin	sc->detaching = true;
5033c43bSJohn Baldwin	mtx_unlock(&sc->lock);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crypto_unregister_all(sc->cid);
1b0909d5SConrad Meyer
a727d953SNavdeep Parhar	sysctl_ctx_free(&sc->ctx);
5033c43bSJohn Baldwin	mtx_destroy(&sc->lock);
762f1dcbSJohn Baldwin	counter_u64_free(sc->stats_cipher_encrypt);
762f1dcbSJohn Baldwin	counter_u64_free(sc->stats_cipher_decrypt);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_hash);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_hmac);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_eta_encrypt);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_eta_decrypt);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_gcm_encrypt);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_gcm_decrypt);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_ccm_encrypt);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_ccm_decrypt);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_wr_nomem);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_inflight);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_mac_error);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_pad_error);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_sglist_error);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_process_error);
94578db2SJohn Baldwin	counter_u64_free(sc->stats_sw_fallback);
9c5137beSJohn Baldwin	for_each_port(sc->adapter, i) {
9c5137beSJohn Baldwin		ccr_free_port(sc, i);
9c5137beSJohn Baldwin	}
5929c9fbSJohn Baldwin	sglist_free(sc->sg_iv_aad);
5929c9fbSJohn Baldwin	free(sc->iv_aad_buf, M_CCR);
5033c43bSJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic void
c0341432SJohn Baldwinccr_init_hash_digest(struct ccr_session *s)
567a3784SJohn Baldwin{
567a3784SJohn Baldwin	union authctx auth_ctx;
d8787d4fSMark Johnston	const struct auth_hash *axf;
567a3784SJohn Baldwin
567a3784SJohn Baldwin	axf = s->hmac.auth_hash;
567a3784SJohn Baldwin	axf->Init(&auth_ctx);
c0341432SJohn Baldwin	t4_copy_partial_hash(axf->type, &auth_ctx, s->hmac.pads);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
c0341432SJohn Baldwinstatic bool
5033c43bSJohn Baldwinccr_aes_check_keylen(int alg, int klen)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	switch (klen * 8) {
5033c43bSJohn Baldwin	case 128:
5033c43bSJohn Baldwin	case 192:
5033c43bSJohn Baldwin		if (alg == CRYPTO_AES_XTS)
c0341432SJohn Baldwin			return (false);
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	case 256:
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	case 512:
5033c43bSJohn Baldwin		if (alg != CRYPTO_AES_XTS)
c0341432SJohn Baldwin			return (false);
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	default:
c0341432SJohn Baldwin		return (false);
5033c43bSJohn Baldwin	}
c0341432SJohn Baldwin	return (true);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic void
c0341432SJohn Baldwinccr_aes_setkey(struct ccr_session *s, const void *key, int klen)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	unsigned int ck_size, iopad_size, kctx_flits, kctx_len, kbits, mk_size;
5033c43bSJohn Baldwin	unsigned int opad_present;
5033c43bSJohn Baldwin
762f1dcbSJohn Baldwin	if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS)
c0341432SJohn Baldwin		kbits = (klen / 2) * 8;
5033c43bSJohn Baldwin	else
c0341432SJohn Baldwin		kbits = klen * 8;
5033c43bSJohn Baldwin	switch (kbits) {
5033c43bSJohn Baldwin	case 128:
5033c43bSJohn Baldwin		ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128;
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	case 192:
5033c43bSJohn Baldwin		ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192;
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	case 256:
5033c43bSJohn Baldwin		ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256;
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	default:
5033c43bSJohn Baldwin		panic("should not get here");
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
762f1dcbSJohn Baldwin	s->cipher.key_len = klen;
762f1dcbSJohn Baldwin	memcpy(s->cipher.enckey, key, s->cipher.key_len);
762f1dcbSJohn Baldwin	switch (s->cipher.cipher_mode) {
c0341432SJohn Baldwin	case SCMD_CIPH_MODE_AES_CBC:
c0341432SJohn Baldwin	case SCMD_CIPH_MODE_AES_XTS:
762f1dcbSJohn Baldwin		t4_aes_getdeckey(s->cipher.deckey, key, kbits);
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
762f1dcbSJohn Baldwin	kctx_len = roundup2(s->cipher.key_len, 16);
5033c43bSJohn Baldwin	switch (s->mode) {
c0341432SJohn Baldwin	case ETA:
5033c43bSJohn Baldwin		mk_size = s->hmac.mk_size;
5033c43bSJohn Baldwin		opad_present = 1;
5033c43bSJohn Baldwin		iopad_size = roundup2(s->hmac.partial_digest_len, 16);
5033c43bSJohn Baldwin		kctx_len += iopad_size * 2;
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	case GCM:
5033c43bSJohn Baldwin		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128;
5033c43bSJohn Baldwin		opad_present = 0;
5033c43bSJohn Baldwin		kctx_len += GMAC_BLOCK_LEN;
5033c43bSJohn Baldwin		break;
6b0451d6SJohn Baldwin	case CCM:
6b0451d6SJohn Baldwin		switch (kbits) {
6b0451d6SJohn Baldwin		case 128:
6b0451d6SJohn Baldwin			mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128;
6b0451d6SJohn Baldwin			break;
6b0451d6SJohn Baldwin		case 192:
6b0451d6SJohn Baldwin			mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_192;
6b0451d6SJohn Baldwin			break;
6b0451d6SJohn Baldwin		case 256:
6b0451d6SJohn Baldwin			mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256;
6b0451d6SJohn Baldwin			break;
6b0451d6SJohn Baldwin		default:
6b0451d6SJohn Baldwin			panic("should not get here");
6b0451d6SJohn Baldwin		}
6b0451d6SJohn Baldwin		opad_present = 0;
6b0451d6SJohn Baldwin		kctx_len *= 2;
6b0451d6SJohn Baldwin		break;
5033c43bSJohn Baldwin	default:
5033c43bSJohn Baldwin		mk_size = CHCR_KEYCTX_NO_KEY;
5033c43bSJohn Baldwin		opad_present = 0;
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin	kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16;
762f1dcbSJohn Baldwin	s->cipher.key_ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) |
762f1dcbSJohn Baldwin	    V_KEY_CONTEXT_DUAL_CK(s->cipher.cipher_mode ==
c0341432SJohn Baldwin	    SCMD_CIPH_MODE_AES_XTS) |
5033c43bSJohn Baldwin	    V_KEY_CONTEXT_OPAD_PRESENT(opad_present) |
5033c43bSJohn Baldwin	    V_KEY_CONTEXT_SALT_PRESENT(1) | V_KEY_CONTEXT_CK_SIZE(ck_size) |
5033c43bSJohn Baldwin	    V_KEY_CONTEXT_MK_SIZE(mk_size) | V_KEY_CONTEXT_VALID(1));
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
c0341432SJohn Baldwinstatic bool
c0341432SJohn Baldwinccr_auth_supported(const struct crypto_session_params *csp)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	switch (csp->csp_auth_alg) {
567a3784SJohn Baldwin	case CRYPTO_SHA1:
567a3784SJohn Baldwin	case CRYPTO_SHA2_224:
567a3784SJohn Baldwin	case CRYPTO_SHA2_256:
567a3784SJohn Baldwin	case CRYPTO_SHA2_384:
567a3784SJohn Baldwin	case CRYPTO_SHA2_512:
5033c43bSJohn Baldwin	case CRYPTO_SHA1_HMAC:
1146377bSJohn Baldwin	case CRYPTO_SHA2_224_HMAC:
5033c43bSJohn Baldwin	case CRYPTO_SHA2_256_HMAC:
5033c43bSJohn Baldwin	case CRYPTO_SHA2_384_HMAC:
5033c43bSJohn Baldwin	case CRYPTO_SHA2_512_HMAC:
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	default:
c0341432SJohn Baldwin		return (false);
c0341432SJohn Baldwin	}
c0341432SJohn Baldwin	return (true);
c0341432SJohn Baldwin}
c0341432SJohn Baldwin
c0341432SJohn Baldwinstatic bool
c0341432SJohn Baldwinccr_cipher_supported(const struct crypto_session_params *csp)
c0341432SJohn Baldwin{
c0341432SJohn Baldwin
c0341432SJohn Baldwin	switch (csp->csp_cipher_alg) {
c0341432SJohn Baldwin	case CRYPTO_AES_CBC:
c0341432SJohn Baldwin		if (csp->csp_ivlen != AES_BLOCK_LEN)
c0341432SJohn Baldwin			return (false);
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	case CRYPTO_AES_ICM:
c0341432SJohn Baldwin		if (csp->csp_ivlen != AES_BLOCK_LEN)
c0341432SJohn Baldwin			return (false);
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	case CRYPTO_AES_XTS:
c0341432SJohn Baldwin		if (csp->csp_ivlen != AES_XTS_IV_LEN)
c0341432SJohn Baldwin			return (false);
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	default:
c0341432SJohn Baldwin		return (false);
c0341432SJohn Baldwin	}
c0341432SJohn Baldwin	return (ccr_aes_check_keylen(csp->csp_cipher_alg,
c0341432SJohn Baldwin	    csp->csp_cipher_klen));
c0341432SJohn Baldwin}
c0341432SJohn Baldwin
c0341432SJohn Baldwinstatic int
c0341432SJohn Baldwinccr_cipher_mode(const struct crypto_session_params *csp)
c0341432SJohn Baldwin{
c0341432SJohn Baldwin
c0341432SJohn Baldwin	switch (csp->csp_cipher_alg) {
c0341432SJohn Baldwin	case CRYPTO_AES_CBC:
c0341432SJohn Baldwin		return (SCMD_CIPH_MODE_AES_CBC);
c0341432SJohn Baldwin	case CRYPTO_AES_ICM:
c0341432SJohn Baldwin		return (SCMD_CIPH_MODE_AES_CTR);
c0341432SJohn Baldwin	case CRYPTO_AES_NIST_GCM_16:
c0341432SJohn Baldwin		return (SCMD_CIPH_MODE_AES_GCM);
c0341432SJohn Baldwin	case CRYPTO_AES_XTS:
c0341432SJohn Baldwin		return (SCMD_CIPH_MODE_AES_XTS);
c0341432SJohn Baldwin	case CRYPTO_AES_CCM_16:
c0341432SJohn Baldwin		return (SCMD_CIPH_MODE_AES_CCM);
c0341432SJohn Baldwin	default:
c0341432SJohn Baldwin		return (SCMD_CIPH_MODE_NOP);
c0341432SJohn Baldwin	}
c0341432SJohn Baldwin}
c0341432SJohn Baldwin
c0341432SJohn Baldwinstatic int
c0341432SJohn Baldwinccr_probesession(device_t dev, const struct crypto_session_params *csp)
c0341432SJohn Baldwin{
c0341432SJohn Baldwin	unsigned int cipher_mode;
c0341432SJohn Baldwin
6deb4131SJohn Baldwin	if ((csp->csp_flags & ~(CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD)) !=
6deb4131SJohn Baldwin	    0)
5033c43bSJohn Baldwin		return (EINVAL);
c0341432SJohn Baldwin	switch (csp->csp_mode) {
c0341432SJohn Baldwin	case CSP_MODE_DIGEST:
c0341432SJohn Baldwin		if (!ccr_auth_supported(csp))
c0341432SJohn Baldwin			return (EINVAL);
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	case CSP_MODE_CIPHER:
c0341432SJohn Baldwin		if (!ccr_cipher_supported(csp))
c0341432SJohn Baldwin			return (EINVAL);
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	case CSP_MODE_AEAD:
c0341432SJohn Baldwin		switch (csp->csp_cipher_alg) {
c0341432SJohn Baldwin		case CRYPTO_AES_NIST_GCM_16:
c0341432SJohn Baldwin		case CRYPTO_AES_CCM_16:
c0341432SJohn Baldwin			break;
c0341432SJohn Baldwin		default:
c0341432SJohn Baldwin			return (EINVAL);
c0341432SJohn Baldwin		}
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	case CSP_MODE_ETA:
c0341432SJohn Baldwin		if (!ccr_auth_supported(csp) || !ccr_cipher_supported(csp))
c0341432SJohn Baldwin			return (EINVAL);
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	default:
c0341432SJohn Baldwin		return (EINVAL);
c0341432SJohn Baldwin	}
c0341432SJohn Baldwin
c0341432SJohn Baldwin	if (csp->csp_cipher_klen != 0) {
c0341432SJohn Baldwin		cipher_mode = ccr_cipher_mode(csp);
c0341432SJohn Baldwin		if (cipher_mode == SCMD_CIPH_MODE_NOP)
c0341432SJohn Baldwin			return (EINVAL);
c0341432SJohn Baldwin	}
c0341432SJohn Baldwin
c0341432SJohn Baldwin	return (CRYPTODEV_PROBE_HARDWARE);
c0341432SJohn Baldwin}
c0341432SJohn Baldwin
94fad5ffSJohn Baldwin/*
94fad5ffSJohn Baldwin * Select an available port with the lowest number of active sessions.
94fad5ffSJohn Baldwin */
94fad5ffSJohn Baldwinstatic struct ccr_port *
94fad5ffSJohn Baldwinccr_choose_port(struct ccr_softc *sc)
94fad5ffSJohn Baldwin{
94fad5ffSJohn Baldwin	struct ccr_port *best, *p;
94fad5ffSJohn Baldwin	int i;
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwin	mtx_assert(&sc->lock, MA_OWNED);
94fad5ffSJohn Baldwin	best = NULL;
94fad5ffSJohn Baldwin	for (i = 0; i < nitems(sc->ports); i++) {
94fad5ffSJohn Baldwin		p = &sc->ports[i];
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwin		/* Ignore non-existent ports. */
94fad5ffSJohn Baldwin		if (p->rxq == NULL)
94fad5ffSJohn Baldwin			continue;
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwin		/*
94fad5ffSJohn Baldwin		 * XXX: Ignore ports whose queues aren't initialized.
94fad5ffSJohn Baldwin		 * This is racy as the rxq can be destroyed by the
94fad5ffSJohn Baldwin		 * associated VI detaching.  Eventually ccr should use
94fad5ffSJohn Baldwin		 * dedicated queues.
94fad5ffSJohn Baldwin		 */
94fad5ffSJohn Baldwin		if (p->rxq->iq.adapter == NULL || p->txq->adapter == NULL)
94fad5ffSJohn Baldwin			continue;
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwin		if ((sc->port_mask & (1u << i)) == 0)
94fad5ffSJohn Baldwin			continue;
94fad5ffSJohn Baldwin
94fad5ffSJohn Baldwin		if (best == NULL ||
94fad5ffSJohn Baldwin		    p->active_sessions < best->active_sessions)
94fad5ffSJohn Baldwin			best = p;
94fad5ffSJohn Baldwin	}
94fad5ffSJohn Baldwin	return (best);
94fad5ffSJohn Baldwin}
94fad5ffSJohn Baldwin
94578db2SJohn Baldwinstatic void
94578db2SJohn Baldwinccr_delete_session(struct ccr_session *s)
94578db2SJohn Baldwin{
e43cf698SJohn Baldwin	crypto_freesession(s->sw_session);
94578db2SJohn Baldwin	sglist_free(s->sg_input);
94578db2SJohn Baldwin	sglist_free(s->sg_output);
94578db2SJohn Baldwin	sglist_free(s->sg_ulptx);
94578db2SJohn Baldwin	sglist_free(s->sg_dsgl);
94578db2SJohn Baldwin	mtx_destroy(&s->lock);
94578db2SJohn Baldwin}
94578db2SJohn Baldwin
c0341432SJohn Baldwinstatic int
c0341432SJohn Baldwinccr_newsession(device_t dev, crypto_session_t cses,
c0341432SJohn Baldwin    const struct crypto_session_params *csp)
c0341432SJohn Baldwin{
c0341432SJohn Baldwin	struct ccr_softc *sc;
c0341432SJohn Baldwin	struct ccr_session *s;
d8787d4fSMark Johnston	const struct auth_hash *auth_hash;
c0341432SJohn Baldwin	unsigned int auth_mode, cipher_mode, mk_size;
c0341432SJohn Baldwin	unsigned int partial_digest_len;
e43cf698SJohn Baldwin	int error;
c0341432SJohn Baldwin
c0341432SJohn Baldwin	switch (csp->csp_auth_alg) {
567a3784SJohn Baldwin	case CRYPTO_SHA1:
5033c43bSJohn Baldwin	case CRYPTO_SHA1_HMAC:
5033c43bSJohn Baldwin		auth_hash = &auth_hash_hmac_sha1;
d09389fdSJohn Baldwin		auth_mode = SCMD_AUTH_MODE_SHA1;
5033c43bSJohn Baldwin		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_160;
5033c43bSJohn Baldwin		partial_digest_len = SHA1_HASH_LEN;
5033c43bSJohn Baldwin		break;
567a3784SJohn Baldwin	case CRYPTO_SHA2_224:
1146377bSJohn Baldwin	case CRYPTO_SHA2_224_HMAC:
1146377bSJohn Baldwin		auth_hash = &auth_hash_hmac_sha2_224;
d09389fdSJohn Baldwin		auth_mode = SCMD_AUTH_MODE_SHA224;
1146377bSJohn Baldwin		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256;
1146377bSJohn Baldwin		partial_digest_len = SHA2_256_HASH_LEN;
1146377bSJohn Baldwin		break;
567a3784SJohn Baldwin	case CRYPTO_SHA2_256:
5033c43bSJohn Baldwin	case CRYPTO_SHA2_256_HMAC:
5033c43bSJohn Baldwin		auth_hash = &auth_hash_hmac_sha2_256;
d09389fdSJohn Baldwin		auth_mode = SCMD_AUTH_MODE_SHA256;
5033c43bSJohn Baldwin		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256;
5033c43bSJohn Baldwin		partial_digest_len = SHA2_256_HASH_LEN;
5033c43bSJohn Baldwin		break;
567a3784SJohn Baldwin	case CRYPTO_SHA2_384:
5033c43bSJohn Baldwin	case CRYPTO_SHA2_384_HMAC:
5033c43bSJohn Baldwin		auth_hash = &auth_hash_hmac_sha2_384;
d09389fdSJohn Baldwin		auth_mode = SCMD_AUTH_MODE_SHA512_384;
5033c43bSJohn Baldwin		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512;
5033c43bSJohn Baldwin		partial_digest_len = SHA2_512_HASH_LEN;
5033c43bSJohn Baldwin		break;
567a3784SJohn Baldwin	case CRYPTO_SHA2_512:
5033c43bSJohn Baldwin	case CRYPTO_SHA2_512_HMAC:
5033c43bSJohn Baldwin		auth_hash = &auth_hash_hmac_sha2_512;
d09389fdSJohn Baldwin		auth_mode = SCMD_AUTH_MODE_SHA512_512;
5033c43bSJohn Baldwin		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512;
5033c43bSJohn Baldwin		partial_digest_len = SHA2_512_HASH_LEN;
5033c43bSJohn Baldwin		break;
c0341432SJohn Baldwin	default:
c0341432SJohn Baldwin		auth_hash = NULL;
c0341432SJohn Baldwin		auth_mode = SCMD_AUTH_MODE_NOP;
c0341432SJohn Baldwin		mk_size = 0;
c0341432SJohn Baldwin		partial_digest_len = 0;
6b0451d6SJohn Baldwin		break;
5033c43bSJohn Baldwin	}
c0341432SJohn Baldwin
c0341432SJohn Baldwin	cipher_mode = ccr_cipher_mode(csp);
c0341432SJohn Baldwin
c0341432SJohn Baldwin#ifdef INVARIANTS
c0341432SJohn Baldwin	switch (csp->csp_mode) {
c0341432SJohn Baldwin	case CSP_MODE_CIPHER:
c0341432SJohn Baldwin		if (cipher_mode == SCMD_CIPH_MODE_NOP ||
c0341432SJohn Baldwin		    cipher_mode == SCMD_CIPH_MODE_AES_GCM ||
c0341432SJohn Baldwin		    cipher_mode == SCMD_CIPH_MODE_AES_CCM)
c0341432SJohn Baldwin			panic("invalid cipher algo");
567a3784SJohn Baldwin		break;
c0341432SJohn Baldwin	case CSP_MODE_DIGEST:
c0341432SJohn Baldwin		if (auth_mode == SCMD_AUTH_MODE_NOP)
c0341432SJohn Baldwin			panic("invalid auth algo");
5033c43bSJohn Baldwin		break;
c0341432SJohn Baldwin	case CSP_MODE_AEAD:
c0341432SJohn Baldwin		if (cipher_mode != SCMD_CIPH_MODE_AES_GCM &&
c0341432SJohn Baldwin		    cipher_mode != SCMD_CIPH_MODE_AES_CCM)
c0341432SJohn Baldwin			panic("invalid aead cipher algo");
c0341432SJohn Baldwin		if (auth_mode != SCMD_AUTH_MODE_NOP)
c0341432SJohn Baldwin			panic("invalid aead auth aglo");
5033c43bSJohn Baldwin		break;
c0341432SJohn Baldwin	case CSP_MODE_ETA:
c0341432SJohn Baldwin		if (cipher_mode == SCMD_CIPH_MODE_NOP ||
c0341432SJohn Baldwin		    cipher_mode == SCMD_CIPH_MODE_AES_GCM ||
c0341432SJohn Baldwin		    cipher_mode == SCMD_CIPH_MODE_AES_CCM)
c0341432SJohn Baldwin			panic("invalid cipher algo");
c0341432SJohn Baldwin		if (auth_mode == SCMD_AUTH_MODE_NOP)
c0341432SJohn Baldwin			panic("invalid auth algo");
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	default:
c0341432SJohn Baldwin		panic("invalid csp mode");
5033c43bSJohn Baldwin	}
c0341432SJohn Baldwin#endif
5033c43bSJohn Baldwin
94578db2SJohn Baldwin	s = crypto_get_driver_session(cses);
94578db2SJohn Baldwin	mtx_init(&s->lock, "ccr session", NULL, MTX_DEF);
94578db2SJohn Baldwin	s->sg_input = sglist_alloc(TX_SGL_SEGS, M_NOWAIT);
94578db2SJohn Baldwin	s->sg_output = sglist_alloc(TX_SGL_SEGS, M_NOWAIT);
94578db2SJohn Baldwin	s->sg_ulptx = sglist_alloc(TX_SGL_SEGS, M_NOWAIT);
94578db2SJohn Baldwin	s->sg_dsgl = sglist_alloc(MAX_RX_PHYS_DSGL_SGE, M_NOWAIT);
94578db2SJohn Baldwin	if (s->sg_input == NULL || s->sg_output == NULL ||
94578db2SJohn Baldwin	    s->sg_ulptx == NULL || s->sg_dsgl == NULL) {
94578db2SJohn Baldwin		ccr_delete_session(s);
94578db2SJohn Baldwin		return (ENOMEM);
94578db2SJohn Baldwin	}
94578db2SJohn Baldwin
e43cf698SJohn Baldwin	if (csp->csp_mode == CSP_MODE_AEAD) {
e43cf698SJohn Baldwin		error = crypto_newsession(&s->sw_session, csp,
e43cf698SJohn Baldwin		    CRYPTOCAP_F_SOFTWARE);
e43cf698SJohn Baldwin		if (error) {
e43cf698SJohn Baldwin			ccr_delete_session(s);
e43cf698SJohn Baldwin			return (error);
e43cf698SJohn Baldwin		}
e43cf698SJohn Baldwin	}
e43cf698SJohn Baldwin
5033c43bSJohn Baldwin	sc = device_get_softc(dev);
7063b997SJohn Baldwin	s->sc = sc;
475d54faSJohn Baldwin
5033c43bSJohn Baldwin	mtx_lock(&sc->lock);
5033c43bSJohn Baldwin	if (sc->detaching) {
5033c43bSJohn Baldwin		mtx_unlock(&sc->lock);
94578db2SJohn Baldwin		ccr_delete_session(s);
5033c43bSJohn Baldwin		return (ENXIO);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
94fad5ffSJohn Baldwin	s->port = ccr_choose_port(sc);
94fad5ffSJohn Baldwin	if (s->port == NULL) {
94fad5ffSJohn Baldwin		mtx_unlock(&sc->lock);
94578db2SJohn Baldwin		ccr_delete_session(s);
94fad5ffSJohn Baldwin		return (ENXIO);
94fad5ffSJohn Baldwin	}
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	switch (csp->csp_mode) {
c0341432SJohn Baldwin	case CSP_MODE_AEAD:
c0341432SJohn Baldwin		if (cipher_mode == SCMD_CIPH_MODE_AES_CCM)
6b0451d6SJohn Baldwin			s->mode = CCM;
c0341432SJohn Baldwin		else
c0341432SJohn Baldwin			s->mode = GCM;
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	case CSP_MODE_ETA:
c0341432SJohn Baldwin		s->mode = ETA;
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	case CSP_MODE_DIGEST:
c0341432SJohn Baldwin		if (csp->csp_auth_klen != 0)
5033c43bSJohn Baldwin			s->mode = HMAC;
567a3784SJohn Baldwin		else
567a3784SJohn Baldwin			s->mode = HASH;
c0341432SJohn Baldwin		break;
c0341432SJohn Baldwin	case CSP_MODE_CIPHER:
762f1dcbSJohn Baldwin		s->mode = CIPHER;
c0341432SJohn Baldwin		break;
5033c43bSJohn Baldwin	}
c0341432SJohn Baldwin
c0341432SJohn Baldwin	if (s->mode == GCM) {
c0341432SJohn Baldwin		if (csp->csp_auth_mlen == 0)
5033c43bSJohn Baldwin			s->gmac.hash_len = AES_GMAC_HASH_LEN;
5033c43bSJohn Baldwin		else
c0341432SJohn Baldwin			s->gmac.hash_len = csp->csp_auth_mlen;
c0341432SJohn Baldwin		t4_init_gmac_hash(csp->csp_cipher_key, csp->csp_cipher_klen,
a1b2b6e1SJohn Baldwin		    s->gmac.ghash_h);
c0341432SJohn Baldwin	} else if (s->mode == CCM) {
c0341432SJohn Baldwin		if (csp->csp_auth_mlen == 0)
6b0451d6SJohn Baldwin			s->ccm_mac.hash_len = AES_CBC_MAC_HASH_LEN;
6b0451d6SJohn Baldwin		else
c0341432SJohn Baldwin			s->ccm_mac.hash_len = csp->csp_auth_mlen;
c0341432SJohn Baldwin	} else if (auth_mode != SCMD_AUTH_MODE_NOP) {
5033c43bSJohn Baldwin		s->hmac.auth_hash = auth_hash;
5033c43bSJohn Baldwin		s->hmac.auth_mode = auth_mode;
5033c43bSJohn Baldwin		s->hmac.mk_size = mk_size;
5033c43bSJohn Baldwin		s->hmac.partial_digest_len = partial_digest_len;
c0341432SJohn Baldwin		if (csp->csp_auth_mlen == 0)
5033c43bSJohn Baldwin			s->hmac.hash_len = auth_hash->hashsize;
5033c43bSJohn Baldwin		else
c0341432SJohn Baldwin			s->hmac.hash_len = csp->csp_auth_mlen;
c0341432SJohn Baldwin		if (csp->csp_auth_key != NULL)
a1b2b6e1SJohn Baldwin			t4_init_hmac_digest(auth_hash, partial_digest_len,
c0341432SJohn Baldwin			    csp->csp_auth_key, csp->csp_auth_klen,
c0341432SJohn Baldwin			    s->hmac.pads);
567a3784SJohn Baldwin		else
c0341432SJohn Baldwin			ccr_init_hash_digest(s);
5033c43bSJohn Baldwin	}
c0341432SJohn Baldwin	if (cipher_mode != SCMD_CIPH_MODE_NOP) {
762f1dcbSJohn Baldwin		s->cipher.cipher_mode = cipher_mode;
762f1dcbSJohn Baldwin		s->cipher.iv_len = csp->csp_ivlen;
c0341432SJohn Baldwin		if (csp->csp_cipher_key != NULL)
c0341432SJohn Baldwin			ccr_aes_setkey(s, csp->csp_cipher_key,
c0341432SJohn Baldwin			    csp->csp_cipher_klen);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
94fad5ffSJohn Baldwin	s->port->active_sessions++;
5033c43bSJohn Baldwin	mtx_unlock(&sc->lock);
5033c43bSJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
1b0909d5SConrad Meyerstatic void
1b0909d5SConrad Meyerccr_freesession(device_t dev, crypto_session_t cses)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin	struct ccr_softc *sc;
1b0909d5SConrad Meyer	struct ccr_session *s;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	sc = device_get_softc(dev);
1b0909d5SConrad Meyer	s = crypto_get_driver_session(cses);
94578db2SJohn Baldwin#ifdef INVARIANTS
1b0909d5SConrad Meyer	if (s->pending != 0)
5033c43bSJohn Baldwin		device_printf(dev,
1b0909d5SConrad Meyer		    "session %p freed with %d pending requests\n", s,
1b0909d5SConrad Meyer		    s->pending);
94578db2SJohn Baldwin#endif
94578db2SJohn Baldwin	mtx_lock(&sc->lock);
94fad5ffSJohn Baldwin	s->port->active_sessions--;
5033c43bSJohn Baldwin	mtx_unlock(&sc->lock);
94578db2SJohn Baldwin	ccr_delete_session(s);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
5033c43bSJohn Baldwinccr_process(device_t dev, struct cryptop *crp, int hint)
5033c43bSJohn Baldwin{
c0341432SJohn Baldwin	const struct crypto_session_params *csp;
5033c43bSJohn Baldwin	struct ccr_softc *sc;
5033c43bSJohn Baldwin	struct ccr_session *s;
5033c43bSJohn Baldwin	int error;
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	csp = crypto_get_params(crp->crp_session);
1b0909d5SConrad Meyer	s = crypto_get_driver_session(crp->crp_session);
5033c43bSJohn Baldwin	sc = device_get_softc(dev);
5033c43bSJohn Baldwin
94578db2SJohn Baldwin	mtx_lock(&s->lock);
94578db2SJohn Baldwin	error = ccr_populate_sglist(s->sg_input, &crp->crp_buf);
2adc3c94SJohn Baldwin	if (error == 0 && CRYPTO_HAS_OUTPUT_BUFFER(crp))
94578db2SJohn Baldwin		error = ccr_populate_sglist(s->sg_output, &crp->crp_obuf);
5033c43bSJohn Baldwin	if (error) {
94578db2SJohn Baldwin		counter_u64_add(sc->stats_sglist_error, 1);
5033c43bSJohn Baldwin		goto out;
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	switch (s->mode) {
567a3784SJohn Baldwin	case HASH:
567a3784SJohn Baldwin		error = ccr_hash(sc, s, crp);
567a3784SJohn Baldwin		if (error == 0)
94578db2SJohn Baldwin			counter_u64_add(sc->stats_hash, 1);
567a3784SJohn Baldwin		break;
5033c43bSJohn Baldwin	case HMAC:
c0341432SJohn Baldwin		if (crp->crp_auth_key != NULL)
a1b2b6e1SJohn Baldwin			t4_init_hmac_digest(s->hmac.auth_hash,
c0341432SJohn Baldwin			    s->hmac.partial_digest_len, crp->crp_auth_key,
c0341432SJohn Baldwin			    csp->csp_auth_klen, s->hmac.pads);
567a3784SJohn Baldwin		error = ccr_hash(sc, s, crp);
5033c43bSJohn Baldwin		if (error == 0)
94578db2SJohn Baldwin			counter_u64_add(sc->stats_hmac, 1);
5033c43bSJohn Baldwin		break;
762f1dcbSJohn Baldwin	case CIPHER:
c0341432SJohn Baldwin		if (crp->crp_cipher_key != NULL)
c0341432SJohn Baldwin			ccr_aes_setkey(s, crp->crp_cipher_key,
c0341432SJohn Baldwin			    csp->csp_cipher_klen);
762f1dcbSJohn Baldwin		error = ccr_cipher(sc, s, crp);
5033c43bSJohn Baldwin		if (error == 0) {
c0341432SJohn Baldwin			if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
762f1dcbSJohn Baldwin				counter_u64_add(sc->stats_cipher_encrypt, 1);
5033c43bSJohn Baldwin			else
762f1dcbSJohn Baldwin				counter_u64_add(sc->stats_cipher_decrypt, 1);
5033c43bSJohn Baldwin		}
5033c43bSJohn Baldwin		break;
c0341432SJohn Baldwin	case ETA:
c0341432SJohn Baldwin		if (crp->crp_auth_key != NULL)
a1b2b6e1SJohn Baldwin			t4_init_hmac_digest(s->hmac.auth_hash,
c0341432SJohn Baldwin			    s->hmac.partial_digest_len, crp->crp_auth_key,
c0341432SJohn Baldwin			    csp->csp_auth_klen, s->hmac.pads);
c0341432SJohn Baldwin		if (crp->crp_cipher_key != NULL)
c0341432SJohn Baldwin			ccr_aes_setkey(s, crp->crp_cipher_key,
c0341432SJohn Baldwin			    csp->csp_cipher_klen);
c0341432SJohn Baldwin		error = ccr_eta(sc, s, crp);
5033c43bSJohn Baldwin		if (error == 0) {
c0341432SJohn Baldwin			if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
94578db2SJohn Baldwin				counter_u64_add(sc->stats_eta_encrypt, 1);
5033c43bSJohn Baldwin			else
94578db2SJohn Baldwin				counter_u64_add(sc->stats_eta_decrypt, 1);
5033c43bSJohn Baldwin		}
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	case GCM:
c0341432SJohn Baldwin		if (crp->crp_cipher_key != NULL) {
c0341432SJohn Baldwin			t4_init_gmac_hash(crp->crp_cipher_key,
c0341432SJohn Baldwin			    csp->csp_cipher_klen, s->gmac.ghash_h);
c0341432SJohn Baldwin			ccr_aes_setkey(s, crp->crp_cipher_key,
c0341432SJohn Baldwin			    csp->csp_cipher_klen);
5033c43bSJohn Baldwin		}
c0341432SJohn Baldwin		error = ccr_gcm(sc, s, crp);
0e993396SJohn Baldwin		if (error == EMSGSIZE || error == EFBIG) {
94578db2SJohn Baldwin			counter_u64_add(sc->stats_sw_fallback, 1);
94578db2SJohn Baldwin			mtx_unlock(&s->lock);
e43cf698SJohn Baldwin			ccr_soft(s, crp);
04043b3dSJohn Baldwin			return (0);
04043b3dSJohn Baldwin		}
5033c43bSJohn Baldwin		if (error == 0) {
c0341432SJohn Baldwin			if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
94578db2SJohn Baldwin				counter_u64_add(sc->stats_gcm_encrypt, 1);
5033c43bSJohn Baldwin			else
94578db2SJohn Baldwin				counter_u64_add(sc->stats_gcm_decrypt, 1);
5033c43bSJohn Baldwin		}
5033c43bSJohn Baldwin		break;
6b0451d6SJohn Baldwin	case CCM:
c0341432SJohn Baldwin		if (crp->crp_cipher_key != NULL) {
c0341432SJohn Baldwin			ccr_aes_setkey(s, crp->crp_cipher_key,
c0341432SJohn Baldwin			    csp->csp_cipher_klen);
6b0451d6SJohn Baldwin		}
c0341432SJohn Baldwin		error = ccr_ccm(sc, s, crp);
0e993396SJohn Baldwin		if (error == EMSGSIZE || error == EFBIG) {
94578db2SJohn Baldwin			counter_u64_add(sc->stats_sw_fallback, 1);
94578db2SJohn Baldwin			mtx_unlock(&s->lock);
e43cf698SJohn Baldwin			ccr_soft(s, crp);
6b0451d6SJohn Baldwin			return (0);
6b0451d6SJohn Baldwin		}
6b0451d6SJohn Baldwin		if (error == 0) {
c0341432SJohn Baldwin			if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
94578db2SJohn Baldwin				counter_u64_add(sc->stats_ccm_encrypt, 1);
6b0451d6SJohn Baldwin			else
94578db2SJohn Baldwin				counter_u64_add(sc->stats_ccm_decrypt, 1);
6b0451d6SJohn Baldwin		}
6b0451d6SJohn Baldwin		break;
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	if (error == 0) {
94578db2SJohn Baldwin#ifdef INVARIANTS
5033c43bSJohn Baldwin		s->pending++;
94578db2SJohn Baldwin#endif
94578db2SJohn Baldwin		counter_u64_add(sc->stats_inflight, 1);
9c5137beSJohn Baldwin		counter_u64_add(s->port->stats_queued, 1);
5033c43bSJohn Baldwin	} else
94578db2SJohn Baldwin		counter_u64_add(sc->stats_process_error, 1);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinout:
94578db2SJohn Baldwin	mtx_unlock(&s->lock);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	if (error) {
5033c43bSJohn Baldwin		crp->crp_etype = error;
5033c43bSJohn Baldwin		crypto_done(crp);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
5033c43bSJohn Baldwindo_cpl6_fw_pld(struct sge_iq *iq, const struct rss_header *rss,
5033c43bSJohn Baldwin    struct mbuf *m)
5033c43bSJohn Baldwin{
7063b997SJohn Baldwin	struct ccr_softc *sc;
5033c43bSJohn Baldwin	struct ccr_session *s;
5033c43bSJohn Baldwin	const struct cpl_fw6_pld *cpl;
5033c43bSJohn Baldwin	struct cryptop *crp;
1b0909d5SConrad Meyer	uint32_t status;
5033c43bSJohn Baldwin	int error;
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	if (m != NULL)
5033c43bSJohn Baldwin		cpl = mtod(m, const void *);
5033c43bSJohn Baldwin	else
5033c43bSJohn Baldwin		cpl = (const void *)(rss + 1);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	crp = (struct cryptop *)(uintptr_t)be64toh(cpl->data[1]);
1b0909d5SConrad Meyer	s = crypto_get_driver_session(crp->crp_session);
5033c43bSJohn Baldwin	status = be64toh(cpl->data[0]);
5033c43bSJohn Baldwin	if (CHK_MAC_ERR_BIT(status) || CHK_PAD_ERR_BIT(status))
5033c43bSJohn Baldwin		error = EBADMSG;
5033c43bSJohn Baldwin	else
5033c43bSJohn Baldwin		error = 0;
5033c43bSJohn Baldwin
7063b997SJohn Baldwin	sc = s->sc;
94578db2SJohn Baldwin#ifdef INVARIANTS
94578db2SJohn Baldwin	mtx_lock(&s->lock);
5033c43bSJohn Baldwin	s->pending--;
94578db2SJohn Baldwin	mtx_unlock(&s->lock);
94578db2SJohn Baldwin#endif
94578db2SJohn Baldwin	counter_u64_add(sc->stats_inflight, -1);
9c5137beSJohn Baldwin	counter_u64_add(s->port->stats_completed, 1);
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	switch (s->mode) {
567a3784SJohn Baldwin	case HASH:
5033c43bSJohn Baldwin	case HMAC:
567a3784SJohn Baldwin		error = ccr_hash_done(sc, s, crp, cpl, error);
5033c43bSJohn Baldwin		break;
762f1dcbSJohn Baldwin	case CIPHER:
762f1dcbSJohn Baldwin		error = ccr_cipher_done(sc, s, crp, cpl, error);
5033c43bSJohn Baldwin		break;
c0341432SJohn Baldwin	case ETA:
c0341432SJohn Baldwin		error = ccr_eta_done(sc, s, crp, cpl, error);
5033c43bSJohn Baldwin		break;
5033c43bSJohn Baldwin	case GCM:
5033c43bSJohn Baldwin		error = ccr_gcm_done(sc, s, crp, cpl, error);
5033c43bSJohn Baldwin		break;
6b0451d6SJohn Baldwin	case CCM:
6b0451d6SJohn Baldwin		error = ccr_ccm_done(sc, s, crp, cpl, error);
6b0451d6SJohn Baldwin		break;
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	if (error == EBADMSG) {
5033c43bSJohn Baldwin		if (CHK_MAC_ERR_BIT(status))
94578db2SJohn Baldwin			counter_u64_add(sc->stats_mac_error, 1);
5033c43bSJohn Baldwin		if (CHK_PAD_ERR_BIT(status))
94578db2SJohn Baldwin			counter_u64_add(sc->stats_pad_error, 1);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin	crp->crp_etype = error;
5033c43bSJohn Baldwin	crypto_done(crp);
5033c43bSJohn Baldwin	m_freem(m);
5033c43bSJohn Baldwin	return (0);
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic int
5033c43bSJohn Baldwinccr_modevent(module_t mod, int cmd, void *arg)
5033c43bSJohn Baldwin{
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	switch (cmd) {
5033c43bSJohn Baldwin	case MOD_LOAD:
5033c43bSJohn Baldwin		t4_register_cpl_handler(CPL_FW6_PLD, do_cpl6_fw_pld);
5033c43bSJohn Baldwin		return (0);
5033c43bSJohn Baldwin	case MOD_UNLOAD:
5033c43bSJohn Baldwin		t4_register_cpl_handler(CPL_FW6_PLD, NULL);
5033c43bSJohn Baldwin		return (0);
5033c43bSJohn Baldwin	default:
5033c43bSJohn Baldwin		return (EOPNOTSUPP);
5033c43bSJohn Baldwin	}
5033c43bSJohn Baldwin}
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic device_method_t ccr_methods[] = {
5033c43bSJohn Baldwin	DEVMETHOD(device_identify,	ccr_identify),
5033c43bSJohn Baldwin	DEVMETHOD(device_probe,		ccr_probe),
5033c43bSJohn Baldwin	DEVMETHOD(device_attach,	ccr_attach),
5033c43bSJohn Baldwin	DEVMETHOD(device_detach,	ccr_detach),
5033c43bSJohn Baldwin
c0341432SJohn Baldwin	DEVMETHOD(cryptodev_probesession, ccr_probesession),
5033c43bSJohn Baldwin	DEVMETHOD(cryptodev_newsession,	ccr_newsession),
5033c43bSJohn Baldwin	DEVMETHOD(cryptodev_freesession, ccr_freesession),
5033c43bSJohn Baldwin	DEVMETHOD(cryptodev_process,	ccr_process),
5033c43bSJohn Baldwin
5033c43bSJohn Baldwin	DEVMETHOD_END
5033c43bSJohn Baldwin};
5033c43bSJohn Baldwin
5033c43bSJohn Baldwinstatic driver_t ccr_driver = {
5033c43bSJohn Baldwin	"ccr",
5033c43bSJohn Baldwin	ccr_methods,
5033c43bSJohn Baldwin	sizeof(struct ccr_softc)
5033c43bSJohn Baldwin};
5033c43bSJohn Baldwin
478c66fdSJohn BaldwinDRIVER_MODULE(ccr, t6nex, ccr_driver, ccr_modevent, NULL);
5033c43bSJohn BaldwinMODULE_VERSION(ccr, 1);
5033c43bSJohn BaldwinMODULE_DEPEND(ccr, crypto, 1, 1, 1);
5033c43bSJohn BaldwinMODULE_DEPEND(ccr, t6nex, 1, 1, 1);