xref: /freebsd/sys/dev/cxgbe/crypto/t4_crypto.c (revision 118063fb70c3f74f16678dc7ddbc8528c483a528)
1 /*-
2  * Copyright (c) 2017 Chelsio Communications, Inc.
3  * All rights reserved.
4  * Written by: John Baldwin <jhb@FreeBSD.org>
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/types.h>
32 #include <sys/bus.h>
33 #include <sys/lock.h>
34 #include <sys/malloc.h>
35 #include <sys/mutex.h>
36 #include <sys/module.h>
37 #include <sys/sglist.h>
38 
39 #include <opencrypto/cryptodev.h>
40 #include <opencrypto/xform.h>
41 
42 #include "cryptodev_if.h"
43 
44 #include "common/common.h"
45 #include "crypto/t4_crypto.h"
46 
47 /*
48  * Requests consist of:
49  *
50  * +-------------------------------+
51  * | struct fw_crypto_lookaside_wr |
52  * +-------------------------------+
53  * | struct ulp_txpkt              |
54  * +-------------------------------+
55  * | struct ulptx_idata            |
56  * +-------------------------------+
57  * | struct cpl_tx_sec_pdu         |
58  * +-------------------------------+
59  * | struct cpl_tls_tx_scmd_fmt    |
60  * +-------------------------------+
61  * | key context header            |
62  * +-------------------------------+
63  * | AES key                       |  ----- For requests with AES
64  * +-------------------------------+ -
65  * | IPAD (16-byte aligned)        |  \
66  * +-------------------------------+  +---- For requests with HMAC
67  * | OPAD (16-byte aligned)        |  /
68  * +-------------------------------+ -
69  * | GMAC H                        |  ----- For AES-GCM
70  * +-------------------------------+ -
71  * | struct cpl_rx_phys_dsgl       |  \
72  * +-------------------------------+  +---- Destination buffer for
73  * | PHYS_DSGL entries             |  /     non-hash-only requests
74  * +-------------------------------+ -
75  * | 16 dummy bytes                |  ----- Only for hash-only requests
76  * +-------------------------------+
77  * | IV                            |  ----- If immediate IV
78  * +-------------------------------+
79  * | Payload                       |  ----- If immediate Payload
80  * +-------------------------------+ -
81  * | struct ulptx_sgl              |  \
82  * +-------------------------------+  +---- If payload via SGL
83  * | SGL entries                   |  /
84  * +-------------------------------+ -
85  *
86  * Note that the key context must be padded to ensure 16-byte alignment.
87  * For HMAC requests, the key consists of the partial hash of the IPAD
88  * followed by the partial hash of the OPAD.
89  *
90  * Replies consist of:
91  *
92  * +-------------------------------+
93  * | struct cpl_fw6_pld            |
94  * +-------------------------------+
95  * | hash digest                   |  ----- For HMAC request with
96  * +-------------------------------+        'hash_size' set in work request
97  *
98  * A 32-bit big-endian error status word is supplied in the last 4
99  * bytes of data[0] in the CPL_FW6_PLD message.  bit 0 indicates a
100  * "MAC" error and bit 1 indicates a "PAD" error.
101  *
102  * The 64-bit 'cookie' field from the fw_crypto_lookaside_wr message
103  * in the request is returned in data[1] of the CPL_FW6_PLD message.
104  *
105  * For block cipher replies, the updated IV is supplied in data[2] and
106  * data[3] of the CPL_FW6_PLD message.
107  *
108  * For hash replies where the work request set 'hash_size' to request
109  * a copy of the hash in the reply, the hash digest is supplied
110  * immediately following the CPL_FW6_PLD message.
111  */
112 
113 /*
114  * The crypto engine supports a maximum AAD size of 511 bytes.
115  */
116 #define	MAX_AAD_LEN		511
117 
118 /*
119  * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32 SG
120  * entries.  While the CPL includes a 16-bit length field, the T6 can
121  * sometimes hang if an error occurs while processing a request with a
122  * single DSGL entry larger than 2k.
123  */
124 #define	MAX_RX_PHYS_DSGL_SGE	32
125 #define	DSGL_SGE_MAXLEN		2048
126 
127 /*
128  * The adapter only supports requests with a total input or output
129  * length of 64k-1 or smaller.  Longer requests either result in hung
130  * requests or incorrect results.
131  */
132 #define	MAX_REQUEST_SIZE	65535
133 
134 static MALLOC_DEFINE(M_CCR, "ccr", "Chelsio T6 crypto");
135 
136 struct ccr_session_hmac {
137 	struct auth_hash *auth_hash;
138 	int hash_len;
139 	unsigned int partial_digest_len;
140 	unsigned int auth_mode;
141 	unsigned int mk_size;
142 	char ipad[CHCR_HASH_MAX_BLOCK_SIZE_128];
143 	char opad[CHCR_HASH_MAX_BLOCK_SIZE_128];
144 };
145 
146 struct ccr_session_gmac {
147 	int hash_len;
148 	char ghash_h[GMAC_BLOCK_LEN];
149 };
150 
151 struct ccr_session_blkcipher {
152 	unsigned int cipher_mode;
153 	unsigned int key_len;
154 	unsigned int iv_len;
155 	__be32 key_ctx_hdr;
156 	char enckey[CHCR_AES_MAX_KEY_LEN];
157 	char deckey[CHCR_AES_MAX_KEY_LEN];
158 };
159 
160 struct ccr_session {
161 	bool active;
162 	int pending;
163 	enum { HMAC, BLKCIPHER, AUTHENC, GCM } mode;
164 	union {
165 		struct ccr_session_hmac hmac;
166 		struct ccr_session_gmac gmac;
167 	};
168 	struct ccr_session_blkcipher blkcipher;
169 };
170 
171 struct ccr_softc {
172 	struct adapter *adapter;
173 	device_t dev;
174 	uint32_t cid;
175 	int tx_channel_id;
176 	struct ccr_session *sessions;
177 	int nsessions;
178 	struct mtx lock;
179 	bool detaching;
180 	struct sge_wrq *txq;
181 	struct sge_rxq *rxq;
182 
183 	/*
184 	 * Pre-allocate S/G lists used when preparing a work request.
185 	 * 'sg_crp' contains an sglist describing the entire buffer
186 	 * for a 'struct cryptop'.  'sg_ulptx' is used to describe
187 	 * the data the engine should DMA as input via ULPTX_SGL.
188 	 * 'sg_dsgl' is used to describe the destination that cipher
189 	 * text and a tag should be written to.
190 	 */
191 	struct sglist *sg_crp;
192 	struct sglist *sg_ulptx;
193 	struct sglist *sg_dsgl;
194 
195 	/*
196 	 * Pre-allocate a dummy output buffer for the IV and AAD for
197 	 * AEAD requests.
198 	 */
199 	char *iv_aad_buf;
200 	struct sglist *sg_iv_aad;
201 
202 	/* Statistics. */
203 	uint64_t stats_blkcipher_encrypt;
204 	uint64_t stats_blkcipher_decrypt;
205 	uint64_t stats_hmac;
206 	uint64_t stats_authenc_encrypt;
207 	uint64_t stats_authenc_decrypt;
208 	uint64_t stats_gcm_encrypt;
209 	uint64_t stats_gcm_decrypt;
210 	uint64_t stats_wr_nomem;
211 	uint64_t stats_inflight;
212 	uint64_t stats_mac_error;
213 	uint64_t stats_pad_error;
214 	uint64_t stats_bad_session;
215 	uint64_t stats_sglist_error;
216 	uint64_t stats_process_error;
217 	uint64_t stats_sw_fallback;
218 };
219 
220 /*
221  * Crypto requests involve two kind of scatter/gather lists.
222  *
223  * Non-hash-only requests require a PHYS_DSGL that describes the
224  * location to store the results of the encryption or decryption
225  * operation.  This SGL uses a different format (PHYS_DSGL) and should
226  * exclude the crd_skip bytes at the start of the data as well as
227  * any AAD or IV.  For authenticated encryption requests it should
228  * cover include the destination of the hash or tag.
229  *
230  * The input payload may either be supplied inline as immediate data,
231  * or via a standard ULP_TX SGL.  This SGL should include AAD,
232  * ciphertext, and the hash or tag for authenticated decryption
233  * requests.
234  *
235  * These scatter/gather lists can describe different subsets of the
236  * buffer described by the crypto operation.  ccr_populate_sglist()
237  * generates a scatter/gather list that covers the entire crypto
238  * operation buffer that is then used to construct the other
239  * scatter/gather lists.
240  */
241 static int
242 ccr_populate_sglist(struct sglist *sg, struct cryptop *crp)
243 {
244 	int error;
245 
246 	sglist_reset(sg);
247 	if (crp->crp_flags & CRYPTO_F_IMBUF)
248 		error = sglist_append_mbuf(sg, (struct mbuf *)crp->crp_buf);
249 	else if (crp->crp_flags & CRYPTO_F_IOV)
250 		error = sglist_append_uio(sg, (struct uio *)crp->crp_buf);
251 	else
252 		error = sglist_append(sg, crp->crp_buf, crp->crp_ilen);
253 	return (error);
254 }
255 
256 /*
257  * Segments in 'sg' larger than 'maxsegsize' are counted as multiple
258  * segments.
259  */
260 static int
261 ccr_count_sgl(struct sglist *sg, int maxsegsize)
262 {
263 	int i, nsegs;
264 
265 	nsegs = 0;
266 	for (i = 0; i < sg->sg_nseg; i++)
267 		nsegs += howmany(sg->sg_segs[i].ss_len, maxsegsize);
268 	return (nsegs);
269 }
270 
271 /* These functions deal with PHYS_DSGL for the reply buffer. */
272 static inline int
273 ccr_phys_dsgl_len(int nsegs)
274 {
275 	int len;
276 
277 	len = (nsegs / 8) * sizeof(struct phys_sge_pairs);
278 	if ((nsegs % 8) != 0) {
279 		len += sizeof(uint16_t) * 8;
280 		len += roundup2(nsegs % 8, 2) * sizeof(uint64_t);
281 	}
282 	return (len);
283 }
284 
285 static void
286 ccr_write_phys_dsgl(struct ccr_softc *sc, void *dst, int nsegs)
287 {
288 	struct sglist *sg;
289 	struct cpl_rx_phys_dsgl *cpl;
290 	struct phys_sge_pairs *sgl;
291 	vm_paddr_t paddr;
292 	size_t seglen;
293 	u_int i, j;
294 
295 	sg = sc->sg_dsgl;
296 	cpl = dst;
297 	cpl->op_to_tid = htobe32(V_CPL_RX_PHYS_DSGL_OPCODE(CPL_RX_PHYS_DSGL) |
298 	    V_CPL_RX_PHYS_DSGL_ISRDMA(0));
299 	cpl->pcirlxorder_to_noofsgentr = htobe32(
300 	    V_CPL_RX_PHYS_DSGL_PCIRLXORDER(0) |
301 	    V_CPL_RX_PHYS_DSGL_PCINOSNOOP(0) |
302 	    V_CPL_RX_PHYS_DSGL_PCITPHNTENB(0) | V_CPL_RX_PHYS_DSGL_DCAID(0) |
303 	    V_CPL_RX_PHYS_DSGL_NOOFSGENTR(nsegs));
304 	cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR;
305 	cpl->rss_hdr_int.qid = htobe16(sc->rxq->iq.abs_id);
306 	cpl->rss_hdr_int.hash_val = 0;
307 	sgl = (struct phys_sge_pairs *)(cpl + 1);
308 	j = 0;
309 	for (i = 0; i < sg->sg_nseg; i++) {
310 		seglen = sg->sg_segs[i].ss_len;
311 		paddr = sg->sg_segs[i].ss_paddr;
312 		do {
313 			sgl->addr[j] = htobe64(paddr);
314 			if (seglen > DSGL_SGE_MAXLEN) {
315 				sgl->len[j] = htobe16(DSGL_SGE_MAXLEN);
316 				paddr += DSGL_SGE_MAXLEN;
317 				seglen -= DSGL_SGE_MAXLEN;
318 			} else {
319 				sgl->len[j] = htobe16(seglen);
320 				seglen = 0;
321 			}
322 			j++;
323 			if (j == 8) {
324 				sgl++;
325 				j = 0;
326 			}
327 		} while (seglen != 0);
328 	}
329 	MPASS(j + 8 * (sgl - (struct phys_sge_pairs *)(cpl + 1)) == nsegs);
330 }
331 
332 /* These functions deal with the ULPTX_SGL for input payload. */
333 static inline int
334 ccr_ulptx_sgl_len(int nsegs)
335 {
336 	u_int n;
337 
338 	nsegs--; /* first segment is part of ulptx_sgl */
339 	n = sizeof(struct ulptx_sgl) + 8 * ((3 * nsegs) / 2 + (nsegs & 1));
340 	return (roundup2(n, 16));
341 }
342 
343 static void
344 ccr_write_ulptx_sgl(struct ccr_softc *sc, void *dst, int nsegs)
345 {
346 	struct ulptx_sgl *usgl;
347 	struct sglist *sg;
348 	struct sglist_seg *ss;
349 	int i;
350 
351 	sg = sc->sg_ulptx;
352 	MPASS(nsegs == sg->sg_nseg);
353 	ss = &sg->sg_segs[0];
354 	usgl = dst;
355 	usgl->cmd_nsge = htobe32(V_ULPTX_CMD(ULP_TX_SC_DSGL) |
356 	    V_ULPTX_NSGE(nsegs));
357 	usgl->len0 = htobe32(ss->ss_len);
358 	usgl->addr0 = htobe64(ss->ss_paddr);
359 	ss++;
360 	for (i = 0; i < sg->sg_nseg - 1; i++) {
361 		usgl->sge[i / 2].len[i & 1] = htobe32(ss->ss_len);
362 		usgl->sge[i / 2].addr[i & 1] = htobe64(ss->ss_paddr);
363 		ss++;
364 	}
365 
366 }
367 
368 static bool
369 ccr_use_imm_data(u_int transhdr_len, u_int input_len)
370 {
371 
372 	if (input_len > CRYPTO_MAX_IMM_TX_PKT_LEN)
373 		return (false);
374 	if (roundup2(transhdr_len, 16) + roundup2(input_len, 16) >
375 	    SGE_MAX_WR_LEN)
376 		return (false);
377 	return (true);
378 }
379 
380 static void
381 ccr_populate_wreq(struct ccr_softc *sc, struct chcr_wr *crwr, u_int kctx_len,
382     u_int wr_len, uint32_t sid, u_int imm_len, u_int sgl_len, u_int hash_size,
383     struct cryptop *crp)
384 {
385 	u_int cctx_size;
386 
387 	cctx_size = sizeof(struct _key_ctx) + kctx_len;
388 	crwr->wreq.op_to_cctx_size = htobe32(
389 	    V_FW_CRYPTO_LOOKASIDE_WR_OPCODE(FW_CRYPTO_LOOKASIDE_WR) |
390 	    V_FW_CRYPTO_LOOKASIDE_WR_COMPL(0) |
391 	    V_FW_CRYPTO_LOOKASIDE_WR_IMM_LEN(imm_len) |
392 	    V_FW_CRYPTO_LOOKASIDE_WR_CCTX_LOC(1) |
393 	    V_FW_CRYPTO_LOOKASIDE_WR_CCTX_SIZE(cctx_size >> 4));
394 	crwr->wreq.len16_pkd = htobe32(
395 	    V_FW_CRYPTO_LOOKASIDE_WR_LEN16(wr_len / 16));
396 	crwr->wreq.session_id = htobe32(sid);
397 	crwr->wreq.rx_chid_to_rx_q_id = htobe32(
398 	    V_FW_CRYPTO_LOOKASIDE_WR_RX_CHID(sc->tx_channel_id) |
399 	    V_FW_CRYPTO_LOOKASIDE_WR_LCB(0) |
400 	    V_FW_CRYPTO_LOOKASIDE_WR_PHASH(0) |
401 	    V_FW_CRYPTO_LOOKASIDE_WR_IV(IV_NOP) |
402 	    V_FW_CRYPTO_LOOKASIDE_WR_FQIDX(0) |
403 	    V_FW_CRYPTO_LOOKASIDE_WR_TX_CH(0) |
404 	    V_FW_CRYPTO_LOOKASIDE_WR_RX_Q_ID(sc->rxq->iq.abs_id));
405 	crwr->wreq.key_addr = 0;
406 	crwr->wreq.pld_size_hash_size = htobe32(
407 	    V_FW_CRYPTO_LOOKASIDE_WR_PLD_SIZE(sgl_len) |
408 	    V_FW_CRYPTO_LOOKASIDE_WR_HASH_SIZE(hash_size));
409 	crwr->wreq.cookie = htobe64((uintptr_t)crp);
410 
411 	crwr->ulptx.cmd_dest = htobe32(V_ULPTX_CMD(ULP_TX_PKT) |
412 	    V_ULP_TXPKT_DATAMODIFY(0) |
413 	    V_ULP_TXPKT_CHANNELID(sc->tx_channel_id) | V_ULP_TXPKT_DEST(0) |
414 	    V_ULP_TXPKT_FID(0) | V_ULP_TXPKT_RO(1));
415 	crwr->ulptx.len = htobe32(
416 	    ((wr_len - sizeof(struct fw_crypto_lookaside_wr)) / 16));
417 
418 	crwr->sc_imm.cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_IMM) |
419 	    V_ULP_TX_SC_MORE(imm_len != 0 ? 0 : 1));
420 	crwr->sc_imm.len = htobe32(wr_len - offsetof(struct chcr_wr, sec_cpl) -
421 	    sgl_len);
422 }
423 
424 static int
425 ccr_hmac(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s,
426     struct cryptop *crp)
427 {
428 	struct chcr_wr *crwr;
429 	struct wrqe *wr;
430 	struct auth_hash *axf;
431 	struct cryptodesc *crd;
432 	char *dst;
433 	u_int hash_size_in_response, kctx_flits, kctx_len, transhdr_len, wr_len;
434 	u_int imm_len, iopad_size;
435 	int error, sgl_nsegs, sgl_len;
436 
437 	crd = crp->crp_desc;
438 
439 	/* Reject requests with too large of an input buffer. */
440 	if (crd->crd_len > MAX_REQUEST_SIZE)
441 		return (EFBIG);
442 
443 	axf = s->hmac.auth_hash;
444 
445 	/* PADs must be 128-bit aligned. */
446 	iopad_size = roundup2(s->hmac.partial_digest_len, 16);
447 
448 	/*
449 	 * The 'key' part of the context includes the aligned IPAD and
450 	 * OPAD.
451 	 */
452 	kctx_len = iopad_size * 2;
453 	hash_size_in_response = axf->hashsize;
454 	transhdr_len = HASH_TRANSHDR_SIZE(kctx_len);
455 
456 	if (crd->crd_len == 0) {
457 		imm_len = axf->blocksize;
458 		sgl_nsegs = 0;
459 		sgl_len = 0;
460 	} else if (ccr_use_imm_data(transhdr_len, crd->crd_len)) {
461 		imm_len = crd->crd_len;
462 		sgl_nsegs = 0;
463 		sgl_len = 0;
464 	} else {
465 		imm_len = 0;
466 		sglist_reset(sc->sg_ulptx);
467 		error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
468 		    crd->crd_skip, crd->crd_len);
469 		if (error)
470 			return (error);
471 		sgl_nsegs = sc->sg_ulptx->sg_nseg;
472 		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
473 	}
474 
475 	wr_len = roundup2(transhdr_len, 16) + roundup2(imm_len, 16) + sgl_len;
476 	if (wr_len > SGE_MAX_WR_LEN)
477 		return (EFBIG);
478 	wr = alloc_wrqe(wr_len, sc->txq);
479 	if (wr == NULL) {
480 		sc->stats_wr_nomem++;
481 		return (ENOMEM);
482 	}
483 	crwr = wrtod(wr);
484 	memset(crwr, 0, wr_len);
485 
486 	ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len,
487 	    hash_size_in_response, crp);
488 
489 	/* XXX: Hardcodes SGE loopback channel of 0. */
490 	crwr->sec_cpl.op_ivinsrtofst = htobe32(
491 	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
492 	    V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) |
493 	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
494 	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
495 	    V_CPL_TX_SEC_PDU_IVINSRTOFST(0));
496 
497 	crwr->sec_cpl.pldlen = htobe32(crd->crd_len == 0 ? axf->blocksize :
498 	    crd->crd_len);
499 
500 	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
501 	    V_CPL_TX_SEC_PDU_AUTHSTART(1) | V_CPL_TX_SEC_PDU_AUTHSTOP(0));
502 
503 	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
504 	crwr->sec_cpl.seqno_numivs = htobe32(
505 	    V_SCMD_SEQ_NO_CTRL(0) |
506 	    V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) |
507 	    V_SCMD_CIPH_MODE(CHCR_SCMD_CIPHER_MODE_NOP) |
508 	    V_SCMD_AUTH_MODE(s->hmac.auth_mode) |
509 	    V_SCMD_HMAC_CTRL(CHCR_SCMD_HMAC_CTRL_NO_TRUNC));
510 	crwr->sec_cpl.ivgen_hdrlen = htobe32(
511 	    V_SCMD_LAST_FRAG(0) |
512 	    V_SCMD_MORE_FRAGS(crd->crd_len == 0 ? 1 : 0) | V_SCMD_MAC_ONLY(1));
513 
514 	memcpy(crwr->key_ctx.key, s->hmac.ipad, s->hmac.partial_digest_len);
515 	memcpy(crwr->key_ctx.key + iopad_size, s->hmac.opad,
516 	    s->hmac.partial_digest_len);
517 
518 	/* XXX: F_KEY_CONTEXT_SALT_PRESENT set, but 'salt' not set. */
519 	kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16;
520 	crwr->key_ctx.ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) |
521 	    V_KEY_CONTEXT_OPAD_PRESENT(1) | V_KEY_CONTEXT_SALT_PRESENT(1) |
522 	    V_KEY_CONTEXT_CK_SIZE(CHCR_KEYCTX_NO_KEY) |
523 	    V_KEY_CONTEXT_MK_SIZE(s->hmac.mk_size) | V_KEY_CONTEXT_VALID(1));
524 
525 	dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES;
526 	if (crd->crd_len == 0) {
527 		dst[0] = 0x80;
528 		*(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) =
529 		    htobe64(axf->blocksize << 3);
530 	} else if (imm_len != 0)
531 		crypto_copydata(crp->crp_flags, crp->crp_buf, crd->crd_skip,
532 		    crd->crd_len, dst);
533 	else
534 		ccr_write_ulptx_sgl(sc, dst, sgl_nsegs);
535 
536 	/* XXX: TODO backpressure */
537 	t4_wrq_tx(sc->adapter, wr);
538 
539 	return (0);
540 }
541 
542 static int
543 ccr_hmac_done(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp,
544     const struct cpl_fw6_pld *cpl, int error)
545 {
546 	struct cryptodesc *crd;
547 
548 	crd = crp->crp_desc;
549 	if (error == 0) {
550 		crypto_copyback(crp->crp_flags, crp->crp_buf, crd->crd_inject,
551 		    s->hmac.hash_len, (c_caddr_t)(cpl + 1));
552 	}
553 
554 	return (error);
555 }
556 
557 static int
558 ccr_blkcipher(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s,
559     struct cryptop *crp)
560 {
561 	char iv[CHCR_MAX_CRYPTO_IV_LEN];
562 	struct chcr_wr *crwr;
563 	struct wrqe *wr;
564 	struct cryptodesc *crd;
565 	char *dst;
566 	u_int kctx_len, key_half, op_type, transhdr_len, wr_len;
567 	u_int imm_len;
568 	int dsgl_nsegs, dsgl_len;
569 	int sgl_nsegs, sgl_len;
570 	int error;
571 
572 	crd = crp->crp_desc;
573 
574 	if (s->blkcipher.key_len == 0 || crd->crd_len == 0)
575 		return (EINVAL);
576 	if (crd->crd_alg == CRYPTO_AES_CBC &&
577 	    (crd->crd_len % AES_BLOCK_LEN) != 0)
578 		return (EINVAL);
579 
580 	/* Reject requests with too large of an input buffer. */
581 	if (crd->crd_len > MAX_REQUEST_SIZE)
582 		return (EFBIG);
583 
584 	if (crd->crd_flags & CRD_F_ENCRYPT)
585 		op_type = CHCR_ENCRYPT_OP;
586 	else
587 		op_type = CHCR_DECRYPT_OP;
588 
589 	sglist_reset(sc->sg_dsgl);
590 	error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crd->crd_skip,
591 	    crd->crd_len);
592 	if (error)
593 		return (error);
594 	dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN);
595 	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
596 		return (EFBIG);
597 	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
598 
599 	/* The 'key' must be 128-bit aligned. */
600 	kctx_len = roundup2(s->blkcipher.key_len, 16);
601 	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
602 
603 	if (ccr_use_imm_data(transhdr_len, crd->crd_len +
604 	    s->blkcipher.iv_len)) {
605 		imm_len = crd->crd_len;
606 		sgl_nsegs = 0;
607 		sgl_len = 0;
608 	} else {
609 		imm_len = 0;
610 		sglist_reset(sc->sg_ulptx);
611 		error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
612 		    crd->crd_skip, crd->crd_len);
613 		if (error)
614 			return (error);
615 		sgl_nsegs = sc->sg_ulptx->sg_nseg;
616 		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
617 	}
618 
619 	wr_len = roundup2(transhdr_len, 16) + s->blkcipher.iv_len +
620 	    roundup2(imm_len, 16) + sgl_len;
621 	if (wr_len > SGE_MAX_WR_LEN)
622 		return (EFBIG);
623 	wr = alloc_wrqe(wr_len, sc->txq);
624 	if (wr == NULL) {
625 		sc->stats_wr_nomem++;
626 		return (ENOMEM);
627 	}
628 	crwr = wrtod(wr);
629 	memset(crwr, 0, wr_len);
630 
631 	/*
632 	 * Read the existing IV from the request or generate a random
633 	 * one if none is provided.  Optionally copy the generated IV
634 	 * into the output buffer if requested.
635 	 */
636 	if (op_type == CHCR_ENCRYPT_OP) {
637 		if (crd->crd_flags & CRD_F_IV_EXPLICIT)
638 			memcpy(iv, crd->crd_iv, s->blkcipher.iv_len);
639 		else
640 			arc4rand(iv, s->blkcipher.iv_len, 0);
641 		if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0)
642 			crypto_copyback(crp->crp_flags, crp->crp_buf,
643 			    crd->crd_inject, s->blkcipher.iv_len, iv);
644 	} else {
645 		if (crd->crd_flags & CRD_F_IV_EXPLICIT)
646 			memcpy(iv, crd->crd_iv, s->blkcipher.iv_len);
647 		else
648 			crypto_copydata(crp->crp_flags, crp->crp_buf,
649 			    crd->crd_inject, s->blkcipher.iv_len, iv);
650 	}
651 
652 	ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 0,
653 	    crp);
654 
655 	/* XXX: Hardcodes SGE loopback channel of 0. */
656 	crwr->sec_cpl.op_ivinsrtofst = htobe32(
657 	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
658 	    V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) |
659 	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
660 	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
661 	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
662 
663 	crwr->sec_cpl.pldlen = htobe32(s->blkcipher.iv_len + crd->crd_len);
664 
665 	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
666 	    V_CPL_TX_SEC_PDU_CIPHERSTART(s->blkcipher.iv_len + 1) |
667 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
668 	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
669 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0));
670 
671 	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
672 	crwr->sec_cpl.seqno_numivs = htobe32(
673 	    V_SCMD_SEQ_NO_CTRL(0) |
674 	    V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) |
675 	    V_SCMD_ENC_DEC_CTRL(op_type) |
676 	    V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) |
677 	    V_SCMD_AUTH_MODE(CHCR_SCMD_AUTH_MODE_NOP) |
678 	    V_SCMD_HMAC_CTRL(CHCR_SCMD_HMAC_CTRL_NOP) |
679 	    V_SCMD_IV_SIZE(s->blkcipher.iv_len / 2) |
680 	    V_SCMD_NUM_IVS(0));
681 	crwr->sec_cpl.ivgen_hdrlen = htobe32(
682 	    V_SCMD_IV_GEN_CTRL(0) |
683 	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
684 	    V_SCMD_AADIVDROP(1) | V_SCMD_HDR_LEN(dsgl_len));
685 
686 	crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
687 	switch (crd->crd_alg) {
688 	case CRYPTO_AES_CBC:
689 		if (crd->crd_flags & CRD_F_ENCRYPT)
690 			memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
691 			    s->blkcipher.key_len);
692 		else
693 			memcpy(crwr->key_ctx.key, s->blkcipher.deckey,
694 			    s->blkcipher.key_len);
695 		break;
696 	case CRYPTO_AES_ICM:
697 		memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
698 		    s->blkcipher.key_len);
699 		break;
700 	case CRYPTO_AES_XTS:
701 		key_half = s->blkcipher.key_len / 2;
702 		memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half,
703 		    key_half);
704 		if (crd->crd_flags & CRD_F_ENCRYPT)
705 			memcpy(crwr->key_ctx.key + key_half,
706 			    s->blkcipher.enckey, key_half);
707 		else
708 			memcpy(crwr->key_ctx.key + key_half,
709 			    s->blkcipher.deckey, key_half);
710 		break;
711 	}
712 
713 	dst = (char *)(crwr + 1) + kctx_len;
714 	ccr_write_phys_dsgl(sc, dst, dsgl_nsegs);
715 	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
716 	memcpy(dst, iv, s->blkcipher.iv_len);
717 	dst += s->blkcipher.iv_len;
718 	if (imm_len != 0)
719 		crypto_copydata(crp->crp_flags, crp->crp_buf, crd->crd_skip,
720 		    crd->crd_len, dst);
721 	else
722 		ccr_write_ulptx_sgl(sc, dst, sgl_nsegs);
723 
724 	/* XXX: TODO backpressure */
725 	t4_wrq_tx(sc->adapter, wr);
726 
727 	return (0);
728 }
729 
730 static int
731 ccr_blkcipher_done(struct ccr_softc *sc, struct ccr_session *s,
732     struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
733 {
734 
735 	/*
736 	 * The updated IV to permit chained requests is at
737 	 * cpl->data[2], but OCF doesn't permit chained requests.
738 	 */
739 	return (error);
740 }
741 
742 /*
743  * 'hashsize' is the length of a full digest.  'authsize' is the
744  * requested digest length for this operation which may be less
745  * than 'hashsize'.
746  */
747 static int
748 ccr_hmac_ctrl(unsigned int hashsize, unsigned int authsize)
749 {
750 
751 	if (authsize == 10)
752 		return (CHCR_SCMD_HMAC_CTRL_TRUNC_RFC4366);
753 	if (authsize == 12)
754 		return (CHCR_SCMD_HMAC_CTRL_IPSEC_96BIT);
755 	if (authsize == hashsize / 2)
756 		return (CHCR_SCMD_HMAC_CTRL_DIV2);
757 	return (CHCR_SCMD_HMAC_CTRL_NO_TRUNC);
758 }
759 
760 static int
761 ccr_authenc(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s,
762     struct cryptop *crp, struct cryptodesc *crda, struct cryptodesc *crde)
763 {
764 	char iv[CHCR_MAX_CRYPTO_IV_LEN];
765 	struct chcr_wr *crwr;
766 	struct wrqe *wr;
767 	struct auth_hash *axf;
768 	char *dst;
769 	u_int kctx_len, key_half, op_type, transhdr_len, wr_len;
770 	u_int hash_size_in_response, imm_len, iopad_size;
771 	u_int aad_start, aad_len, aad_stop;
772 	u_int auth_start, auth_stop, auth_insert;
773 	u_int cipher_start, cipher_stop;
774 	u_int hmac_ctrl, input_len;
775 	int dsgl_nsegs, dsgl_len;
776 	int sgl_nsegs, sgl_len;
777 	int error;
778 
779 	/*
780 	 * If there is a need in the future, requests with an empty
781 	 * payload could be supported as HMAC-only requests.
782 	 */
783 	if (s->blkcipher.key_len == 0 || crde->crd_len == 0)
784 		return (EINVAL);
785 	if (crde->crd_alg == CRYPTO_AES_CBC &&
786 	    (crde->crd_len % AES_BLOCK_LEN) != 0)
787 		return (EINVAL);
788 
789 	/*
790 	 * Compute the length of the AAD (data covered by the
791 	 * authentication descriptor but not the encryption
792 	 * descriptor).  To simplify the logic, AAD is only permitted
793 	 * before the cipher/plain text, not after.  This is true of
794 	 * all currently-generated requests.
795 	 */
796 	if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip)
797 		return (EINVAL);
798 	if (crda->crd_skip < crde->crd_skip) {
799 		if (crda->crd_skip + crda->crd_len > crde->crd_skip)
800 			aad_len = (crde->crd_skip - crda->crd_skip);
801 		else
802 			aad_len = crda->crd_len;
803 	} else
804 		aad_len = 0;
805 	if (aad_len + s->blkcipher.iv_len > MAX_AAD_LEN)
806 		return (EINVAL);
807 
808 	axf = s->hmac.auth_hash;
809 	hash_size_in_response = s->hmac.hash_len;
810 	if (crde->crd_flags & CRD_F_ENCRYPT)
811 		op_type = CHCR_ENCRYPT_OP;
812 	else
813 		op_type = CHCR_DECRYPT_OP;
814 
815 	/*
816 	 * The output buffer consists of the cipher text followed by
817 	 * the hash when encrypting.  For decryption it only contains
818 	 * the plain text.
819 	 *
820 	 * Due to a firmware bug, the output buffer must include a
821 	 * dummy output buffer for the IV and AAD prior to the real
822 	 * output buffer.
823 	 */
824 	if (op_type == CHCR_ENCRYPT_OP) {
825 		if (s->blkcipher.iv_len + aad_len + crde->crd_len +
826 		    hash_size_in_response > MAX_REQUEST_SIZE)
827 			return (EFBIG);
828 	} else {
829 		if (s->blkcipher.iv_len + aad_len + crde->crd_len >
830 		    MAX_REQUEST_SIZE)
831 			return (EFBIG);
832 	}
833 	sglist_reset(sc->sg_dsgl);
834 	error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0,
835 	    s->blkcipher.iv_len + aad_len);
836 	if (error)
837 		return (error);
838 	error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crde->crd_skip,
839 	    crde->crd_len);
840 	if (error)
841 		return (error);
842 	if (op_type == CHCR_ENCRYPT_OP) {
843 		error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp,
844 		    crda->crd_inject, hash_size_in_response);
845 		if (error)
846 			return (error);
847 	}
848 	dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN);
849 	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
850 		return (EFBIG);
851 	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
852 
853 	/* PADs must be 128-bit aligned. */
854 	iopad_size = roundup2(s->hmac.partial_digest_len, 16);
855 
856 	/*
857 	 * The 'key' part of the key context consists of the key followed
858 	 * by the IPAD and OPAD.
859 	 */
860 	kctx_len = roundup2(s->blkcipher.key_len, 16) + iopad_size * 2;
861 	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
862 
863 	/*
864 	 * The input buffer consists of the IV, any AAD, and then the
865 	 * cipher/plain text.  For decryption requests the hash is
866 	 * appended after the cipher text.
867 	 *
868 	 * The IV is always stored at the start of the input buffer
869 	 * even though it may be duplicated in the payload.  The
870 	 * crypto engine doesn't work properly if the IV offset points
871 	 * inside of the AAD region, so a second copy is always
872 	 * required.
873 	 */
874 	input_len = aad_len + crde->crd_len;
875 
876 	/*
877 	 * The firmware hangs if sent a request which is a
878 	 * bit smaller than MAX_REQUEST_SIZE.  In particular, the
879 	 * firmware appears to require 512 - 16 bytes of spare room
880 	 * along with the size of the hash even if the hash isn't
881 	 * included in the input buffer.
882 	 */
883 	if (input_len + roundup2(axf->hashsize, 16) + (512 - 16) >
884 	    MAX_REQUEST_SIZE)
885 		return (EFBIG);
886 	if (op_type == CHCR_DECRYPT_OP)
887 		input_len += hash_size_in_response;
888 	if (ccr_use_imm_data(transhdr_len, s->blkcipher.iv_len + input_len)) {
889 		imm_len = input_len;
890 		sgl_nsegs = 0;
891 		sgl_len = 0;
892 	} else {
893 		imm_len = 0;
894 		sglist_reset(sc->sg_ulptx);
895 		if (aad_len != 0) {
896 			error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
897 			    crda->crd_skip, aad_len);
898 			if (error)
899 				return (error);
900 		}
901 		error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
902 		    crde->crd_skip, crde->crd_len);
903 		if (error)
904 			return (error);
905 		if (op_type == CHCR_DECRYPT_OP) {
906 			error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
907 			    crda->crd_inject, hash_size_in_response);
908 			if (error)
909 				return (error);
910 		}
911 		sgl_nsegs = sc->sg_ulptx->sg_nseg;
912 		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
913 	}
914 
915 	/*
916 	 * Any auth-only data before the cipher region is marked as AAD.
917 	 * Auth-data that overlaps with the cipher region is placed in
918 	 * the auth section.
919 	 */
920 	if (aad_len != 0) {
921 		aad_start = s->blkcipher.iv_len + 1;
922 		aad_stop = aad_start + aad_len - 1;
923 	} else {
924 		aad_start = 0;
925 		aad_stop = 0;
926 	}
927 	cipher_start = s->blkcipher.iv_len + aad_len + 1;
928 	if (op_type == CHCR_DECRYPT_OP)
929 		cipher_stop = hash_size_in_response;
930 	else
931 		cipher_stop = 0;
932 	if (aad_len == crda->crd_len) {
933 		auth_start = 0;
934 		auth_stop = 0;
935 	} else {
936 		if (aad_len != 0)
937 			auth_start = cipher_start;
938 		else
939 			auth_start = s->blkcipher.iv_len + crda->crd_skip -
940 			    crde->crd_skip + 1;
941 		auth_stop = (crde->crd_skip + crde->crd_len) -
942 		    (crda->crd_skip + crda->crd_len) + cipher_stop;
943 	}
944 	if (op_type == CHCR_DECRYPT_OP)
945 		auth_insert = hash_size_in_response;
946 	else
947 		auth_insert = 0;
948 
949 	wr_len = roundup2(transhdr_len, 16) + s->blkcipher.iv_len +
950 	    roundup2(imm_len, 16) + sgl_len;
951 	if (wr_len > SGE_MAX_WR_LEN)
952 		return (EFBIG);
953 	wr = alloc_wrqe(wr_len, sc->txq);
954 	if (wr == NULL) {
955 		sc->stats_wr_nomem++;
956 		return (ENOMEM);
957 	}
958 	crwr = wrtod(wr);
959 	memset(crwr, 0, wr_len);
960 
961 	/*
962 	 * Read the existing IV from the request or generate a random
963 	 * one if none is provided.  Optionally copy the generated IV
964 	 * into the output buffer if requested.
965 	 */
966 	if (op_type == CHCR_ENCRYPT_OP) {
967 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
968 			memcpy(iv, crde->crd_iv, s->blkcipher.iv_len);
969 		else
970 			arc4rand(iv, s->blkcipher.iv_len, 0);
971 		if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0)
972 			crypto_copyback(crp->crp_flags, crp->crp_buf,
973 			    crde->crd_inject, s->blkcipher.iv_len, iv);
974 	} else {
975 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
976 			memcpy(iv, crde->crd_iv, s->blkcipher.iv_len);
977 		else
978 			crypto_copydata(crp->crp_flags, crp->crp_buf,
979 			    crde->crd_inject, s->blkcipher.iv_len, iv);
980 	}
981 
982 	ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len,
983 	    op_type == CHCR_DECRYPT_OP ? hash_size_in_response : 0, crp);
984 
985 	/* XXX: Hardcodes SGE loopback channel of 0. */
986 	crwr->sec_cpl.op_ivinsrtofst = htobe32(
987 	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
988 	    V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) |
989 	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
990 	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
991 	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
992 
993 	crwr->sec_cpl.pldlen = htobe32(s->blkcipher.iv_len + input_len);
994 
995 	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
996 	    V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
997 	    V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
998 	    V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
999 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(cipher_stop >> 4));
1000 	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
1001 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(cipher_stop & 0xf) |
1002 	    V_CPL_TX_SEC_PDU_AUTHSTART(auth_start) |
1003 	    V_CPL_TX_SEC_PDU_AUTHSTOP(auth_stop) |
1004 	    V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
1005 
1006 	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
1007 	hmac_ctrl = ccr_hmac_ctrl(axf->hashsize, hash_size_in_response);
1008 	crwr->sec_cpl.seqno_numivs = htobe32(
1009 	    V_SCMD_SEQ_NO_CTRL(0) |
1010 	    V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) |
1011 	    V_SCMD_ENC_DEC_CTRL(op_type) |
1012 	    V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) |
1013 	    V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) |
1014 	    V_SCMD_AUTH_MODE(s->hmac.auth_mode) |
1015 	    V_SCMD_HMAC_CTRL(hmac_ctrl) |
1016 	    V_SCMD_IV_SIZE(s->blkcipher.iv_len / 2) |
1017 	    V_SCMD_NUM_IVS(0));
1018 	crwr->sec_cpl.ivgen_hdrlen = htobe32(
1019 	    V_SCMD_IV_GEN_CTRL(0) |
1020 	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
1021 	    V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
1022 
1023 	crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
1024 	switch (crde->crd_alg) {
1025 	case CRYPTO_AES_CBC:
1026 		if (crde->crd_flags & CRD_F_ENCRYPT)
1027 			memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
1028 			    s->blkcipher.key_len);
1029 		else
1030 			memcpy(crwr->key_ctx.key, s->blkcipher.deckey,
1031 			    s->blkcipher.key_len);
1032 		break;
1033 	case CRYPTO_AES_ICM:
1034 		memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
1035 		    s->blkcipher.key_len);
1036 		break;
1037 	case CRYPTO_AES_XTS:
1038 		key_half = s->blkcipher.key_len / 2;
1039 		memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half,
1040 		    key_half);
1041 		if (crde->crd_flags & CRD_F_ENCRYPT)
1042 			memcpy(crwr->key_ctx.key + key_half,
1043 			    s->blkcipher.enckey, key_half);
1044 		else
1045 			memcpy(crwr->key_ctx.key + key_half,
1046 			    s->blkcipher.deckey, key_half);
1047 		break;
1048 	}
1049 
1050 	dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16);
1051 	memcpy(dst, s->hmac.ipad, s->hmac.partial_digest_len);
1052 	memcpy(dst + iopad_size, s->hmac.opad, s->hmac.partial_digest_len);
1053 
1054 	dst = (char *)(crwr + 1) + kctx_len;
1055 	ccr_write_phys_dsgl(sc, dst, dsgl_nsegs);
1056 	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
1057 	memcpy(dst, iv, s->blkcipher.iv_len);
1058 	dst += s->blkcipher.iv_len;
1059 	if (imm_len != 0) {
1060 		if (aad_len != 0) {
1061 			crypto_copydata(crp->crp_flags, crp->crp_buf,
1062 			    crda->crd_skip, aad_len, dst);
1063 			dst += aad_len;
1064 		}
1065 		crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip,
1066 		    crde->crd_len, dst);
1067 		dst += crde->crd_len;
1068 		if (op_type == CHCR_DECRYPT_OP)
1069 			crypto_copydata(crp->crp_flags, crp->crp_buf,
1070 			    crda->crd_inject, hash_size_in_response, dst);
1071 	} else
1072 		ccr_write_ulptx_sgl(sc, dst, sgl_nsegs);
1073 
1074 	/* XXX: TODO backpressure */
1075 	t4_wrq_tx(sc->adapter, wr);
1076 
1077 	return (0);
1078 }
1079 
1080 static int
1081 ccr_authenc_done(struct ccr_softc *sc, struct ccr_session *s,
1082     struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
1083 {
1084 	struct cryptodesc *crd;
1085 
1086 	/*
1087 	 * The updated IV to permit chained requests is at
1088 	 * cpl->data[2], but OCF doesn't permit chained requests.
1089 	 *
1090 	 * For a decryption request, the hardware may do a verification
1091 	 * of the HMAC which will fail if the existing HMAC isn't in the
1092 	 * buffer.  If that happens, clear the error and copy the HMAC
1093 	 * from the CPL reply into the buffer.
1094 	 *
1095 	 * For encryption requests, crd should be the cipher request
1096 	 * which will have CRD_F_ENCRYPT set.  For decryption
1097 	 * requests, crp_desc will be the HMAC request which should
1098 	 * not have this flag set.
1099 	 */
1100 	crd = crp->crp_desc;
1101 	if (error == EBADMSG && !CHK_PAD_ERR_BIT(be64toh(cpl->data[0])) &&
1102 	    !(crd->crd_flags & CRD_F_ENCRYPT)) {
1103 		crypto_copyback(crp->crp_flags, crp->crp_buf, crd->crd_inject,
1104 		    s->hmac.hash_len, (c_caddr_t)(cpl + 1));
1105 		error = 0;
1106 	}
1107 	return (error);
1108 }
1109 
1110 static int
1111 ccr_gcm(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s,
1112     struct cryptop *crp, struct cryptodesc *crda, struct cryptodesc *crde)
1113 {
1114 	char iv[CHCR_MAX_CRYPTO_IV_LEN];
1115 	struct chcr_wr *crwr;
1116 	struct wrqe *wr;
1117 	char *dst;
1118 	u_int iv_len, kctx_len, op_type, transhdr_len, wr_len;
1119 	u_int hash_size_in_response, imm_len;
1120 	u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert;
1121 	u_int hmac_ctrl, input_len;
1122 	int dsgl_nsegs, dsgl_len;
1123 	int sgl_nsegs, sgl_len;
1124 	int error;
1125 
1126 	if (s->blkcipher.key_len == 0)
1127 		return (EINVAL);
1128 
1129 	/*
1130 	 * The crypto engine doesn't handle GCM requests with an empty
1131 	 * payload, so handle those in software instead.
1132 	 */
1133 	if (crde->crd_len == 0)
1134 		return (EMSGSIZE);
1135 
1136 	/*
1137 	 * AAD is only permitted before the cipher/plain text, not
1138 	 * after.
1139 	 */
1140 	if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip)
1141 		return (EMSGSIZE);
1142 
1143 	if (crda->crd_len + AES_BLOCK_LEN > MAX_AAD_LEN)
1144 		return (EMSGSIZE);
1145 
1146 	hash_size_in_response = s->gmac.hash_len;
1147 	if (crde->crd_flags & CRD_F_ENCRYPT)
1148 		op_type = CHCR_ENCRYPT_OP;
1149 	else
1150 		op_type = CHCR_DECRYPT_OP;
1151 
1152 	/*
1153 	 * The IV handling for GCM in OCF is a bit more complicated in
1154 	 * that IPSec provides a full 16-byte IV (including the
1155 	 * counter), whereas the /dev/crypto interface sometimes
1156 	 * provides a full 16-byte IV (if no IV is provided in the
1157 	 * ioctl) and sometimes a 12-byte IV (if the IV was explicit).
1158 	 *
1159 	 * When provided a 12-byte IV, assume the IV is really 16 bytes
1160 	 * with a counter in the last 4 bytes initialized to 1.
1161 	 *
1162 	 * While iv_len is checked below, the value is currently
1163 	 * always set to 12 when creating a GCM session in this driver
1164 	 * due to limitations in OCF (there is no way to know what the
1165 	 * IV length of a given request will be).  This means that the
1166 	 * driver always assumes as 12-byte IV for now.
1167 	 */
1168 	if (s->blkcipher.iv_len == 12)
1169 		iv_len = AES_BLOCK_LEN;
1170 	else
1171 		iv_len = s->blkcipher.iv_len;
1172 
1173 	/*
1174 	 * The output buffer consists of the cipher text followed by
1175 	 * the tag when encrypting.  For decryption it only contains
1176 	 * the plain text.
1177 	 *
1178 	 * Due to a firmware bug, the output buffer must include a
1179 	 * dummy output buffer for the IV and AAD prior to the real
1180 	 * output buffer.
1181 	 */
1182 	if (op_type == CHCR_ENCRYPT_OP) {
1183 		if (iv_len + crda->crd_len + crde->crd_len +
1184 		    hash_size_in_response > MAX_REQUEST_SIZE)
1185 			return (EFBIG);
1186 	} else {
1187 		if (iv_len + crda->crd_len + crde->crd_len > MAX_REQUEST_SIZE)
1188 			return (EFBIG);
1189 	}
1190 	sglist_reset(sc->sg_dsgl);
1191 	error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, iv_len +
1192 	    crda->crd_len);
1193 	if (error)
1194 		return (error);
1195 	error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crde->crd_skip,
1196 	    crde->crd_len);
1197 	if (error)
1198 		return (error);
1199 	if (op_type == CHCR_ENCRYPT_OP) {
1200 		error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp,
1201 		    crda->crd_inject, hash_size_in_response);
1202 		if (error)
1203 			return (error);
1204 	}
1205 	dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN);
1206 	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
1207 		return (EFBIG);
1208 	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
1209 
1210 	/*
1211 	 * The 'key' part of the key context consists of the key followed
1212 	 * by the Galois hash key.
1213 	 */
1214 	kctx_len = roundup2(s->blkcipher.key_len, 16) + GMAC_BLOCK_LEN;
1215 	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
1216 
1217 	/*
1218 	 * The input buffer consists of the IV, any AAD, and then the
1219 	 * cipher/plain text.  For decryption requests the hash is
1220 	 * appended after the cipher text.
1221 	 *
1222 	 * The IV is always stored at the start of the input buffer
1223 	 * even though it may be duplicated in the payload.  The
1224 	 * crypto engine doesn't work properly if the IV offset points
1225 	 * inside of the AAD region, so a second copy is always
1226 	 * required.
1227 	 */
1228 	input_len = crda->crd_len + crde->crd_len;
1229 	if (op_type == CHCR_DECRYPT_OP)
1230 		input_len += hash_size_in_response;
1231 	if (input_len > MAX_REQUEST_SIZE)
1232 		return (EFBIG);
1233 	if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) {
1234 		imm_len = input_len;
1235 		sgl_nsegs = 0;
1236 		sgl_len = 0;
1237 	} else {
1238 		imm_len = 0;
1239 		sglist_reset(sc->sg_ulptx);
1240 		if (crda->crd_len != 0) {
1241 			error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
1242 			    crda->crd_skip, crda->crd_len);
1243 			if (error)
1244 				return (error);
1245 		}
1246 		error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
1247 		    crde->crd_skip, crde->crd_len);
1248 		if (error)
1249 			return (error);
1250 		if (op_type == CHCR_DECRYPT_OP) {
1251 			error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
1252 			    crda->crd_inject, hash_size_in_response);
1253 			if (error)
1254 				return (error);
1255 		}
1256 		sgl_nsegs = sc->sg_ulptx->sg_nseg;
1257 		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
1258 	}
1259 
1260 	if (crda->crd_len != 0) {
1261 		aad_start = iv_len + 1;
1262 		aad_stop = aad_start + crda->crd_len - 1;
1263 	} else {
1264 		aad_start = 0;
1265 		aad_stop = 0;
1266 	}
1267 	cipher_start = iv_len + crda->crd_len + 1;
1268 	if (op_type == CHCR_DECRYPT_OP)
1269 		cipher_stop = hash_size_in_response;
1270 	else
1271 		cipher_stop = 0;
1272 	if (op_type == CHCR_DECRYPT_OP)
1273 		auth_insert = hash_size_in_response;
1274 	else
1275 		auth_insert = 0;
1276 
1277 	wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) +
1278 	    sgl_len;
1279 	if (wr_len > SGE_MAX_WR_LEN)
1280 		return (EFBIG);
1281 	wr = alloc_wrqe(wr_len, sc->txq);
1282 	if (wr == NULL) {
1283 		sc->stats_wr_nomem++;
1284 		return (ENOMEM);
1285 	}
1286 	crwr = wrtod(wr);
1287 	memset(crwr, 0, wr_len);
1288 
1289 	/*
1290 	 * Read the existing IV from the request or generate a random
1291 	 * one if none is provided.  Optionally copy the generated IV
1292 	 * into the output buffer if requested.
1293 	 *
1294 	 * If the input IV is 12 bytes, append an explicit 4-byte
1295 	 * counter of 1.
1296 	 */
1297 	if (op_type == CHCR_ENCRYPT_OP) {
1298 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
1299 			memcpy(iv, crde->crd_iv, s->blkcipher.iv_len);
1300 		else
1301 			arc4rand(iv, s->blkcipher.iv_len, 0);
1302 		if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0)
1303 			crypto_copyback(crp->crp_flags, crp->crp_buf,
1304 			    crde->crd_inject, s->blkcipher.iv_len, iv);
1305 	} else {
1306 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
1307 			memcpy(iv, crde->crd_iv, s->blkcipher.iv_len);
1308 		else
1309 			crypto_copydata(crp->crp_flags, crp->crp_buf,
1310 			    crde->crd_inject, s->blkcipher.iv_len, iv);
1311 	}
1312 	if (s->blkcipher.iv_len == 12)
1313 		*(uint32_t *)&iv[12] = htobe32(1);
1314 
1315 	ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len,
1316 	    0, crp);
1317 
1318 	/* XXX: Hardcodes SGE loopback channel of 0. */
1319 	crwr->sec_cpl.op_ivinsrtofst = htobe32(
1320 	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
1321 	    V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) |
1322 	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
1323 	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
1324 	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
1325 
1326 	crwr->sec_cpl.pldlen = htobe32(iv_len + input_len);
1327 
1328 	/*
1329 	 * NB: cipherstop is explicitly set to 0.  On encrypt it
1330 	 * should normally be set to 0 anyway (as the encrypt crd ends
1331 	 * at the end of the input).  However, for decrypt the cipher
1332 	 * ends before the tag in the AUTHENC case (and authstop is
1333 	 * set to stop before the tag), but for GCM the cipher still
1334 	 * runs to the end of the buffer.  Not sure if this is
1335 	 * intentional or a firmware quirk, but it is required for
1336 	 * working tag validation with GCM decryption.
1337 	 */
1338 	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
1339 	    V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
1340 	    V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
1341 	    V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
1342 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
1343 	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
1344 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) |
1345 	    V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) |
1346 	    V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) |
1347 	    V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
1348 
1349 	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
1350 	hmac_ctrl = ccr_hmac_ctrl(AES_GMAC_HASH_LEN, hash_size_in_response);
1351 	crwr->sec_cpl.seqno_numivs = htobe32(
1352 	    V_SCMD_SEQ_NO_CTRL(0) |
1353 	    V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) |
1354 	    V_SCMD_ENC_DEC_CTRL(op_type) |
1355 	    V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) |
1356 	    V_SCMD_CIPH_MODE(CHCR_SCMD_CIPHER_MODE_AES_GCM) |
1357 	    V_SCMD_AUTH_MODE(CHCR_SCMD_AUTH_MODE_GHASH) |
1358 	    V_SCMD_HMAC_CTRL(hmac_ctrl) |
1359 	    V_SCMD_IV_SIZE(iv_len / 2) |
1360 	    V_SCMD_NUM_IVS(0));
1361 	crwr->sec_cpl.ivgen_hdrlen = htobe32(
1362 	    V_SCMD_IV_GEN_CTRL(0) |
1363 	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
1364 	    V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
1365 
1366 	crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
1367 	memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len);
1368 	dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16);
1369 	memcpy(dst, s->gmac.ghash_h, GMAC_BLOCK_LEN);
1370 
1371 	dst = (char *)(crwr + 1) + kctx_len;
1372 	ccr_write_phys_dsgl(sc, dst, dsgl_nsegs);
1373 	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
1374 	memcpy(dst, iv, iv_len);
1375 	dst += iv_len;
1376 	if (imm_len != 0) {
1377 		if (crda->crd_len != 0) {
1378 			crypto_copydata(crp->crp_flags, crp->crp_buf,
1379 			    crda->crd_skip, crda->crd_len, dst);
1380 			dst += crda->crd_len;
1381 		}
1382 		crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip,
1383 		    crde->crd_len, dst);
1384 		dst += crde->crd_len;
1385 		if (op_type == CHCR_DECRYPT_OP)
1386 			crypto_copydata(crp->crp_flags, crp->crp_buf,
1387 			    crda->crd_inject, hash_size_in_response, dst);
1388 	} else
1389 		ccr_write_ulptx_sgl(sc, dst, sgl_nsegs);
1390 
1391 	/* XXX: TODO backpressure */
1392 	t4_wrq_tx(sc->adapter, wr);
1393 
1394 	return (0);
1395 }
1396 
1397 static int
1398 ccr_gcm_done(struct ccr_softc *sc, struct ccr_session *s,
1399     struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
1400 {
1401 
1402 	/*
1403 	 * The updated IV to permit chained requests is at
1404 	 * cpl->data[2], but OCF doesn't permit chained requests.
1405 	 *
1406 	 * Note that the hardware should always verify the GMAC hash.
1407 	 */
1408 	return (error);
1409 }
1410 
1411 /*
1412  * Handle a GCM request that is not supported by the crypto engine by
1413  * performing the operation in software.  Derived from swcr_authenc().
1414  */
1415 static void
1416 ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp,
1417     struct cryptodesc *crda, struct cryptodesc *crde)
1418 {
1419 	struct auth_hash *axf;
1420 	struct enc_xform *exf;
1421 	void *auth_ctx;
1422 	uint8_t *kschedule;
1423 	char block[GMAC_BLOCK_LEN];
1424 	char digest[GMAC_DIGEST_LEN];
1425 	char iv[AES_BLOCK_LEN];
1426 	int error, i, len;
1427 
1428 	auth_ctx = NULL;
1429 	kschedule = NULL;
1430 
1431 	/* Initialize the MAC. */
1432 	switch (s->blkcipher.key_len) {
1433 	case 16:
1434 		axf = &auth_hash_nist_gmac_aes_128;
1435 		break;
1436 	case 24:
1437 		axf = &auth_hash_nist_gmac_aes_192;
1438 		break;
1439 	case 32:
1440 		axf = &auth_hash_nist_gmac_aes_256;
1441 		break;
1442 	default:
1443 		error = EINVAL;
1444 		goto out;
1445 	}
1446 	auth_ctx = malloc(axf->ctxsize, M_CCR, M_NOWAIT);
1447 	if (auth_ctx == NULL) {
1448 		error = ENOMEM;
1449 		goto out;
1450 	}
1451 	axf->Init(auth_ctx);
1452 	axf->Setkey(auth_ctx, s->blkcipher.enckey, s->blkcipher.key_len);
1453 
1454 	/* Initialize the cipher. */
1455 	exf = &enc_xform_aes_nist_gcm;
1456 	error = exf->setkey(&kschedule, s->blkcipher.enckey,
1457 	    s->blkcipher.key_len);
1458 	if (error)
1459 		goto out;
1460 
1461 	/*
1462 	 * This assumes a 12-byte IV from the crp.  See longer comment
1463 	 * above in ccr_gcm() for more details.
1464 	 */
1465 	if (crde->crd_flags & CRD_F_ENCRYPT) {
1466 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
1467 			memcpy(iv, crde->crd_iv, 12);
1468 		else
1469 			arc4rand(iv, 12, 0);
1470 		if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0)
1471 			crypto_copyback(crp->crp_flags, crp->crp_buf,
1472 			    crde->crd_inject, 12, iv);
1473 	} else {
1474 		if (crde->crd_flags & CRD_F_IV_EXPLICIT)
1475 			memcpy(iv, crde->crd_iv, 12);
1476 		else
1477 			crypto_copydata(crp->crp_flags, crp->crp_buf,
1478 			    crde->crd_inject, 12, iv);
1479 	}
1480 	*(uint32_t *)&iv[12] = htobe32(1);
1481 
1482 	axf->Reinit(auth_ctx, iv, sizeof(iv));
1483 
1484 	/* MAC the AAD. */
1485 	for (i = 0; i < crda->crd_len; i += sizeof(block)) {
1486 		len = imin(crda->crd_len - i, sizeof(block));
1487 		crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_skip +
1488 		    i, len, block);
1489 		bzero(block + len, sizeof(block) - len);
1490 		axf->Update(auth_ctx, block, sizeof(block));
1491 	}
1492 
1493 	exf->reinit(kschedule, iv);
1494 
1495 	/* Do encryption with MAC */
1496 	for (i = 0; i < crde->crd_len; i += sizeof(block)) {
1497 		len = imin(crde->crd_len - i, sizeof(block));
1498 		crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip +
1499 		    i, len, block);
1500 		bzero(block + len, sizeof(block) - len);
1501 		if (crde->crd_flags & CRD_F_ENCRYPT) {
1502 			exf->encrypt(kschedule, block);
1503 			axf->Update(auth_ctx, block, len);
1504 			crypto_copyback(crp->crp_flags, crp->crp_buf,
1505 			    crde->crd_skip + i, len, block);
1506 		} else {
1507 			axf->Update(auth_ctx, block, len);
1508 		}
1509 	}
1510 
1511 	/* Length block. */
1512 	bzero(block, sizeof(block));
1513 	((uint32_t *)block)[1] = htobe32(crda->crd_len * 8);
1514 	((uint32_t *)block)[3] = htobe32(crde->crd_len * 8);
1515 	axf->Update(auth_ctx, block, sizeof(block));
1516 
1517 	/* Finalize MAC. */
1518 	axf->Final(digest, auth_ctx);
1519 
1520 	/* Inject or validate tag. */
1521 	if (crde->crd_flags & CRD_F_ENCRYPT) {
1522 		crypto_copyback(crp->crp_flags, crp->crp_buf, crda->crd_inject,
1523 		    sizeof(digest), digest);
1524 		error = 0;
1525 	} else {
1526 		char digest2[GMAC_DIGEST_LEN];
1527 
1528 		crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_inject,
1529 		    sizeof(digest2), digest2);
1530 		if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) {
1531 			error = 0;
1532 
1533 			/* Tag matches, decrypt data. */
1534 			for (i = 0; i < crde->crd_len; i += sizeof(block)) {
1535 				len = imin(crde->crd_len - i, sizeof(block));
1536 				crypto_copydata(crp->crp_flags, crp->crp_buf,
1537 				    crde->crd_skip + i, len, block);
1538 				bzero(block + len, sizeof(block) - len);
1539 				exf->decrypt(kschedule, block);
1540 				crypto_copyback(crp->crp_flags, crp->crp_buf,
1541 				    crde->crd_skip + i, len, block);
1542 			}
1543 		} else
1544 			error = EBADMSG;
1545 	}
1546 
1547 	exf->zerokey(&kschedule);
1548 out:
1549 	if (auth_ctx != NULL) {
1550 		memset(auth_ctx, 0, axf->ctxsize);
1551 		free(auth_ctx, M_CCR);
1552 	}
1553 	crp->crp_etype = error;
1554 	crypto_done(crp);
1555 }
1556 
1557 static void
1558 ccr_identify(driver_t *driver, device_t parent)
1559 {
1560 	struct adapter *sc;
1561 
1562 	sc = device_get_softc(parent);
1563 	if (sc->cryptocaps & FW_CAPS_CONFIG_CRYPTO_LOOKASIDE &&
1564 	    device_find_child(parent, "ccr", -1) == NULL)
1565 		device_add_child(parent, "ccr", -1);
1566 }
1567 
1568 static int
1569 ccr_probe(device_t dev)
1570 {
1571 
1572 	device_set_desc(dev, "Chelsio Crypto Accelerator");
1573 	return (BUS_PROBE_DEFAULT);
1574 }
1575 
1576 static void
1577 ccr_sysctls(struct ccr_softc *sc)
1578 {
1579 	struct sysctl_ctx_list *ctx;
1580 	struct sysctl_oid *oid;
1581 	struct sysctl_oid_list *children;
1582 
1583 	ctx = device_get_sysctl_ctx(sc->dev);
1584 
1585 	/*
1586 	 * dev.ccr.X.
1587 	 */
1588 	oid = device_get_sysctl_tree(sc->dev);
1589 	children = SYSCTL_CHILDREN(oid);
1590 
1591 	/*
1592 	 * dev.ccr.X.stats.
1593 	 */
1594 	oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "stats", CTLFLAG_RD,
1595 	    NULL, "statistics");
1596 	children = SYSCTL_CHILDREN(oid);
1597 
1598 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "hmac", CTLFLAG_RD,
1599 	    &sc->stats_hmac, 0, "HMAC requests submitted");
1600 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_encrypt", CTLFLAG_RD,
1601 	    &sc->stats_blkcipher_encrypt, 0,
1602 	    "Cipher encryption requests submitted");
1603 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_decrypt", CTLFLAG_RD,
1604 	    &sc->stats_blkcipher_decrypt, 0,
1605 	    "Cipher decryption requests submitted");
1606 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "authenc_encrypt", CTLFLAG_RD,
1607 	    &sc->stats_authenc_encrypt, 0,
1608 	    "Combined AES+HMAC encryption requests submitted");
1609 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "authenc_decrypt", CTLFLAG_RD,
1610 	    &sc->stats_authenc_decrypt, 0,
1611 	    "Combined AES+HMAC decryption requests submitted");
1612 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_encrypt", CTLFLAG_RD,
1613 	    &sc->stats_gcm_encrypt, 0, "AES-GCM encryption requests submitted");
1614 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_decrypt", CTLFLAG_RD,
1615 	    &sc->stats_gcm_decrypt, 0, "AES-GCM decryption requests submitted");
1616 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "wr_nomem", CTLFLAG_RD,
1617 	    &sc->stats_wr_nomem, 0, "Work request memory allocation failures");
1618 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "inflight", CTLFLAG_RD,
1619 	    &sc->stats_inflight, 0, "Requests currently pending");
1620 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "mac_error", CTLFLAG_RD,
1621 	    &sc->stats_mac_error, 0, "MAC errors");
1622 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "pad_error", CTLFLAG_RD,
1623 	    &sc->stats_pad_error, 0, "Padding errors");
1624 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "bad_session", CTLFLAG_RD,
1625 	    &sc->stats_bad_session, 0, "Requests with invalid session ID");
1626 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sglist_error", CTLFLAG_RD,
1627 	    &sc->stats_sglist_error, 0,
1628 	    "Requests for which DMA mapping failed");
1629 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "process_error", CTLFLAG_RD,
1630 	    &sc->stats_process_error, 0, "Requests failed during queueing");
1631 	SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sw_fallback", CTLFLAG_RD,
1632 	    &sc->stats_sw_fallback, 0,
1633 	    "Requests processed by falling back to software");
1634 }
1635 
1636 static int
1637 ccr_attach(device_t dev)
1638 {
1639 	struct ccr_softc *sc;
1640 	int32_t cid;
1641 
1642 	/*
1643 	 * TODO: Crypto requests will panic if the parent device isn't
1644 	 * initialized so that the queues are up and running.  Need to
1645 	 * figure out how to handle that correctly, maybe just reject
1646 	 * requests if the adapter isn't fully initialized?
1647 	 */
1648 	sc = device_get_softc(dev);
1649 	sc->dev = dev;
1650 	sc->adapter = device_get_softc(device_get_parent(dev));
1651 	sc->txq = &sc->adapter->sge.ctrlq[0];
1652 	sc->rxq = &sc->adapter->sge.rxq[0];
1653 	cid = crypto_get_driverid(dev, CRYPTOCAP_F_HARDWARE);
1654 	if (cid < 0) {
1655 		device_printf(dev, "could not get crypto driver id\n");
1656 		return (ENXIO);
1657 	}
1658 	sc->cid = cid;
1659 	sc->adapter->ccr_softc = sc;
1660 
1661 	/* XXX: TODO? */
1662 	sc->tx_channel_id = 0;
1663 
1664 	mtx_init(&sc->lock, "ccr", NULL, MTX_DEF);
1665 	sc->sg_crp = sglist_alloc(TX_SGL_SEGS, M_WAITOK);
1666 	sc->sg_ulptx = sglist_alloc(TX_SGL_SEGS, M_WAITOK);
1667 	sc->sg_dsgl = sglist_alloc(MAX_RX_PHYS_DSGL_SGE, M_WAITOK);
1668 	sc->iv_aad_buf = malloc(MAX_AAD_LEN, M_CCR, M_WAITOK);
1669 	sc->sg_iv_aad = sglist_build(sc->iv_aad_buf, MAX_AAD_LEN, M_WAITOK);
1670 	ccr_sysctls(sc);
1671 
1672 	crypto_register(cid, CRYPTO_SHA1_HMAC, 0, 0);
1673 	crypto_register(cid, CRYPTO_SHA2_256_HMAC, 0, 0);
1674 	crypto_register(cid, CRYPTO_SHA2_384_HMAC, 0, 0);
1675 	crypto_register(cid, CRYPTO_SHA2_512_HMAC, 0, 0);
1676 	crypto_register(cid, CRYPTO_AES_CBC, 0, 0);
1677 	crypto_register(cid, CRYPTO_AES_ICM, 0, 0);
1678 	crypto_register(cid, CRYPTO_AES_NIST_GCM_16, 0, 0);
1679 	crypto_register(cid, CRYPTO_AES_128_NIST_GMAC, 0, 0);
1680 	crypto_register(cid, CRYPTO_AES_192_NIST_GMAC, 0, 0);
1681 	crypto_register(cid, CRYPTO_AES_256_NIST_GMAC, 0, 0);
1682 	crypto_register(cid, CRYPTO_AES_XTS, 0, 0);
1683 	return (0);
1684 }
1685 
1686 static int
1687 ccr_detach(device_t dev)
1688 {
1689 	struct ccr_softc *sc;
1690 	int i;
1691 
1692 	sc = device_get_softc(dev);
1693 
1694 	mtx_lock(&sc->lock);
1695 	for (i = 0; i < sc->nsessions; i++) {
1696 		if (sc->sessions[i].active || sc->sessions[i].pending != 0) {
1697 			mtx_unlock(&sc->lock);
1698 			return (EBUSY);
1699 		}
1700 	}
1701 	sc->detaching = true;
1702 	mtx_unlock(&sc->lock);
1703 
1704 	crypto_unregister_all(sc->cid);
1705 	free(sc->sessions, M_CCR);
1706 	mtx_destroy(&sc->lock);
1707 	sglist_free(sc->sg_iv_aad);
1708 	free(sc->iv_aad_buf, M_CCR);
1709 	sglist_free(sc->sg_dsgl);
1710 	sglist_free(sc->sg_ulptx);
1711 	sglist_free(sc->sg_crp);
1712 	sc->adapter->ccr_softc = NULL;
1713 	return (0);
1714 }
1715 
1716 static void
1717 ccr_copy_partial_hash(void *dst, int cri_alg, union authctx *auth_ctx)
1718 {
1719 	uint32_t *u32;
1720 	uint64_t *u64;
1721 	u_int i;
1722 
1723 	u32 = (uint32_t *)dst;
1724 	u64 = (uint64_t *)dst;
1725 	switch (cri_alg) {
1726 	case CRYPTO_SHA1_HMAC:
1727 		for (i = 0; i < SHA1_HASH_LEN / 4; i++)
1728 			u32[i] = htobe32(auth_ctx->sha1ctx.h.b32[i]);
1729 		break;
1730 	case CRYPTO_SHA2_256_HMAC:
1731 		for (i = 0; i < SHA2_256_HASH_LEN / 4; i++)
1732 			u32[i] = htobe32(auth_ctx->sha256ctx.state[i]);
1733 		break;
1734 	case CRYPTO_SHA2_384_HMAC:
1735 		for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
1736 			u64[i] = htobe64(auth_ctx->sha384ctx.state[i]);
1737 		break;
1738 	case CRYPTO_SHA2_512_HMAC:
1739 		for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
1740 			u64[i] = htobe64(auth_ctx->sha512ctx.state[i]);
1741 		break;
1742 	}
1743 }
1744 
1745 static void
1746 ccr_init_hmac_digest(struct ccr_session *s, int cri_alg, char *key,
1747     int klen)
1748 {
1749 	union authctx auth_ctx;
1750 	struct auth_hash *axf;
1751 	u_int i;
1752 
1753 	/*
1754 	 * If the key is larger than the block size, use the digest of
1755 	 * the key as the key instead.
1756 	 */
1757 	axf = s->hmac.auth_hash;
1758 	klen /= 8;
1759 	if (klen > axf->blocksize) {
1760 		axf->Init(&auth_ctx);
1761 		axf->Update(&auth_ctx, key, klen);
1762 		axf->Final(s->hmac.ipad, &auth_ctx);
1763 		klen = axf->hashsize;
1764 	} else
1765 		memcpy(s->hmac.ipad, key, klen);
1766 
1767 	memset(s->hmac.ipad + klen, 0, axf->blocksize - klen);
1768 	memcpy(s->hmac.opad, s->hmac.ipad, axf->blocksize);
1769 
1770 	for (i = 0; i < axf->blocksize; i++) {
1771 		s->hmac.ipad[i] ^= HMAC_IPAD_VAL;
1772 		s->hmac.opad[i] ^= HMAC_OPAD_VAL;
1773 	}
1774 
1775 	/*
1776 	 * Hash the raw ipad and opad and store the partial result in
1777 	 * the same buffer.
1778 	 */
1779 	axf->Init(&auth_ctx);
1780 	axf->Update(&auth_ctx, s->hmac.ipad, axf->blocksize);
1781 	ccr_copy_partial_hash(s->hmac.ipad, cri_alg, &auth_ctx);
1782 
1783 	axf->Init(&auth_ctx);
1784 	axf->Update(&auth_ctx, s->hmac.opad, axf->blocksize);
1785 	ccr_copy_partial_hash(s->hmac.opad, cri_alg, &auth_ctx);
1786 }
1787 
1788 /*
1789  * Borrowed from AES_GMAC_Setkey().
1790  */
1791 static void
1792 ccr_init_gmac_hash(struct ccr_session *s, char *key, int klen)
1793 {
1794 	static char zeroes[GMAC_BLOCK_LEN];
1795 	uint32_t keysched[4 * (RIJNDAEL_MAXNR + 1)];
1796 	int rounds;
1797 
1798 	rounds = rijndaelKeySetupEnc(keysched, key, klen);
1799 	rijndaelEncrypt(keysched, rounds, zeroes, s->gmac.ghash_h);
1800 }
1801 
1802 static int
1803 ccr_aes_check_keylen(int alg, int klen)
1804 {
1805 
1806 	switch (klen) {
1807 	case 128:
1808 	case 192:
1809 		if (alg == CRYPTO_AES_XTS)
1810 			return (EINVAL);
1811 		break;
1812 	case 256:
1813 		break;
1814 	case 512:
1815 		if (alg != CRYPTO_AES_XTS)
1816 			return (EINVAL);
1817 		break;
1818 	default:
1819 		return (EINVAL);
1820 	}
1821 	return (0);
1822 }
1823 
1824 static void
1825 ccr_aes_setkey(struct ccr_session *s, int alg, const void *key, int klen)
1826 {
1827 	unsigned int ck_size, iopad_size, kctx_flits, kctx_len, kbits, mk_size;
1828 	unsigned int opad_present;
1829 
1830 	if (alg == CRYPTO_AES_XTS)
1831 		kbits = klen / 2;
1832 	else
1833 		kbits = klen;
1834 	switch (kbits) {
1835 	case 128:
1836 		ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128;
1837 		break;
1838 	case 192:
1839 		ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192;
1840 		break;
1841 	case 256:
1842 		ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256;
1843 		break;
1844 	default:
1845 		panic("should not get here");
1846 	}
1847 
1848 	s->blkcipher.key_len = klen / 8;
1849 	memcpy(s->blkcipher.enckey, key, s->blkcipher.key_len);
1850 	switch (alg) {
1851 	case CRYPTO_AES_CBC:
1852 	case CRYPTO_AES_XTS:
1853 		t4_aes_getdeckey(s->blkcipher.deckey, key, kbits);
1854 		break;
1855 	}
1856 
1857 	kctx_len = roundup2(s->blkcipher.key_len, 16);
1858 	switch (s->mode) {
1859 	case AUTHENC:
1860 		mk_size = s->hmac.mk_size;
1861 		opad_present = 1;
1862 		iopad_size = roundup2(s->hmac.partial_digest_len, 16);
1863 		kctx_len += iopad_size * 2;
1864 		break;
1865 	case GCM:
1866 		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128;
1867 		opad_present = 0;
1868 		kctx_len += GMAC_BLOCK_LEN;
1869 		break;
1870 	default:
1871 		mk_size = CHCR_KEYCTX_NO_KEY;
1872 		opad_present = 0;
1873 		break;
1874 	}
1875 	kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16;
1876 	s->blkcipher.key_ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) |
1877 	    V_KEY_CONTEXT_DUAL_CK(alg == CRYPTO_AES_XTS) |
1878 	    V_KEY_CONTEXT_OPAD_PRESENT(opad_present) |
1879 	    V_KEY_CONTEXT_SALT_PRESENT(1) | V_KEY_CONTEXT_CK_SIZE(ck_size) |
1880 	    V_KEY_CONTEXT_MK_SIZE(mk_size) | V_KEY_CONTEXT_VALID(1));
1881 }
1882 
1883 static int
1884 ccr_newsession(device_t dev, uint32_t *sidp, struct cryptoini *cri)
1885 {
1886 	struct ccr_softc *sc;
1887 	struct ccr_session *s;
1888 	struct auth_hash *auth_hash;
1889 	struct cryptoini *c, *hash, *cipher;
1890 	unsigned int auth_mode, cipher_mode, iv_len, mk_size;
1891 	unsigned int partial_digest_len;
1892 	int error, i, sess;
1893 	bool gcm_hash;
1894 
1895 	if (sidp == NULL || cri == NULL)
1896 		return (EINVAL);
1897 
1898 	gcm_hash = false;
1899 	cipher = NULL;
1900 	hash = NULL;
1901 	auth_hash = NULL;
1902 	auth_mode = CHCR_SCMD_AUTH_MODE_NOP;
1903 	cipher_mode = CHCR_SCMD_CIPHER_MODE_NOP;
1904 	iv_len = 0;
1905 	mk_size = 0;
1906 	partial_digest_len = 0;
1907 	for (c = cri; c != NULL; c = c->cri_next) {
1908 		switch (c->cri_alg) {
1909 		case CRYPTO_SHA1_HMAC:
1910 		case CRYPTO_SHA2_256_HMAC:
1911 		case CRYPTO_SHA2_384_HMAC:
1912 		case CRYPTO_SHA2_512_HMAC:
1913 		case CRYPTO_AES_128_NIST_GMAC:
1914 		case CRYPTO_AES_192_NIST_GMAC:
1915 		case CRYPTO_AES_256_NIST_GMAC:
1916 			if (hash)
1917 				return (EINVAL);
1918 			hash = c;
1919 			switch (c->cri_alg) {
1920 			case CRYPTO_SHA1_HMAC:
1921 				auth_hash = &auth_hash_hmac_sha1;
1922 				auth_mode = CHCR_SCMD_AUTH_MODE_SHA1;
1923 				mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_160;
1924 				partial_digest_len = SHA1_HASH_LEN;
1925 				break;
1926 			case CRYPTO_SHA2_256_HMAC:
1927 				auth_hash = &auth_hash_hmac_sha2_256;
1928 				auth_mode = CHCR_SCMD_AUTH_MODE_SHA256;
1929 				mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256;
1930 				partial_digest_len = SHA2_256_HASH_LEN;
1931 				break;
1932 			case CRYPTO_SHA2_384_HMAC:
1933 				auth_hash = &auth_hash_hmac_sha2_384;
1934 				auth_mode = CHCR_SCMD_AUTH_MODE_SHA512_384;
1935 				mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512;
1936 				partial_digest_len = SHA2_512_HASH_LEN;
1937 				break;
1938 			case CRYPTO_SHA2_512_HMAC:
1939 				auth_hash = &auth_hash_hmac_sha2_512;
1940 				auth_mode = CHCR_SCMD_AUTH_MODE_SHA512_512;
1941 				mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512;
1942 				partial_digest_len = SHA2_512_HASH_LEN;
1943 				break;
1944 			case CRYPTO_AES_128_NIST_GMAC:
1945 			case CRYPTO_AES_192_NIST_GMAC:
1946 			case CRYPTO_AES_256_NIST_GMAC:
1947 				gcm_hash = true;
1948 				auth_mode = CHCR_SCMD_AUTH_MODE_GHASH;
1949 				mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128;
1950 				break;
1951 			}
1952 			break;
1953 		case CRYPTO_AES_CBC:
1954 		case CRYPTO_AES_ICM:
1955 		case CRYPTO_AES_NIST_GCM_16:
1956 		case CRYPTO_AES_XTS:
1957 			if (cipher)
1958 				return (EINVAL);
1959 			cipher = c;
1960 			switch (c->cri_alg) {
1961 			case CRYPTO_AES_CBC:
1962 				cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_CBC;
1963 				iv_len = AES_BLOCK_LEN;
1964 				break;
1965 			case CRYPTO_AES_ICM:
1966 				cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_CTR;
1967 				iv_len = AES_BLOCK_LEN;
1968 				break;
1969 			case CRYPTO_AES_NIST_GCM_16:
1970 				cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_GCM;
1971 				iv_len = AES_GCM_IV_LEN;
1972 				break;
1973 			case CRYPTO_AES_XTS:
1974 				cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_XTS;
1975 				iv_len = AES_BLOCK_LEN;
1976 				break;
1977 			}
1978 			if (c->cri_key != NULL) {
1979 				error = ccr_aes_check_keylen(c->cri_alg,
1980 				    c->cri_klen);
1981 				if (error)
1982 					return (error);
1983 			}
1984 			break;
1985 		default:
1986 			return (EINVAL);
1987 		}
1988 	}
1989 	if (gcm_hash != (cipher_mode == CHCR_SCMD_CIPHER_MODE_AES_GCM))
1990 		return (EINVAL);
1991 	if (hash == NULL && cipher == NULL)
1992 		return (EINVAL);
1993 	if (hash != NULL && hash->cri_key == NULL)
1994 		return (EINVAL);
1995 
1996 	sc = device_get_softc(dev);
1997 	mtx_lock(&sc->lock);
1998 	if (sc->detaching) {
1999 		mtx_unlock(&sc->lock);
2000 		return (ENXIO);
2001 	}
2002 	sess = -1;
2003 	for (i = 0; i < sc->nsessions; i++) {
2004 		if (!sc->sessions[i].active && sc->sessions[i].pending == 0) {
2005 			sess = i;
2006 			break;
2007 		}
2008 	}
2009 	if (sess == -1) {
2010 		s = malloc(sizeof(*s) * (sc->nsessions + 1), M_CCR,
2011 		    M_NOWAIT | M_ZERO);
2012 		if (s == NULL) {
2013 			mtx_unlock(&sc->lock);
2014 			return (ENOMEM);
2015 		}
2016 		if (sc->sessions != NULL)
2017 			memcpy(s, sc->sessions, sizeof(*s) * sc->nsessions);
2018 		sess = sc->nsessions;
2019 		free(sc->sessions, M_CCR);
2020 		sc->sessions = s;
2021 		sc->nsessions++;
2022 	}
2023 
2024 	s = &sc->sessions[sess];
2025 
2026 	if (gcm_hash)
2027 		s->mode = GCM;
2028 	else if (hash != NULL && cipher != NULL)
2029 		s->mode = AUTHENC;
2030 	else if (hash != NULL)
2031 		s->mode = HMAC;
2032 	else {
2033 		MPASS(cipher != NULL);
2034 		s->mode = BLKCIPHER;
2035 	}
2036 	if (gcm_hash) {
2037 		if (hash->cri_mlen == 0)
2038 			s->gmac.hash_len = AES_GMAC_HASH_LEN;
2039 		else
2040 			s->gmac.hash_len = hash->cri_mlen;
2041 		ccr_init_gmac_hash(s, hash->cri_key, hash->cri_klen);
2042 	} else if (hash != NULL) {
2043 		s->hmac.auth_hash = auth_hash;
2044 		s->hmac.auth_mode = auth_mode;
2045 		s->hmac.mk_size = mk_size;
2046 		s->hmac.partial_digest_len = partial_digest_len;
2047 		if (hash->cri_mlen == 0)
2048 			s->hmac.hash_len = auth_hash->hashsize;
2049 		else
2050 			s->hmac.hash_len = hash->cri_mlen;
2051 		ccr_init_hmac_digest(s, hash->cri_alg, hash->cri_key,
2052 		    hash->cri_klen);
2053 	}
2054 	if (cipher != NULL) {
2055 		s->blkcipher.cipher_mode = cipher_mode;
2056 		s->blkcipher.iv_len = iv_len;
2057 		if (cipher->cri_key != NULL)
2058 			ccr_aes_setkey(s, cipher->cri_alg, cipher->cri_key,
2059 			    cipher->cri_klen);
2060 	}
2061 
2062 	s->active = true;
2063 	mtx_unlock(&sc->lock);
2064 
2065 	*sidp = sess;
2066 	return (0);
2067 }
2068 
2069 static int
2070 ccr_freesession(device_t dev, uint64_t tid)
2071 {
2072 	struct ccr_softc *sc;
2073 	uint32_t sid;
2074 	int error;
2075 
2076 	sc = device_get_softc(dev);
2077 	sid = CRYPTO_SESID2LID(tid);
2078 	mtx_lock(&sc->lock);
2079 	if (sid >= sc->nsessions || !sc->sessions[sid].active)
2080 		error = EINVAL;
2081 	else {
2082 		if (sc->sessions[sid].pending != 0)
2083 			device_printf(dev,
2084 			    "session %d freed with %d pending requests\n", sid,
2085 			    sc->sessions[sid].pending);
2086 		sc->sessions[sid].active = false;
2087 		error = 0;
2088 	}
2089 	mtx_unlock(&sc->lock);
2090 	return (error);
2091 }
2092 
2093 static int
2094 ccr_process(device_t dev, struct cryptop *crp, int hint)
2095 {
2096 	struct ccr_softc *sc;
2097 	struct ccr_session *s;
2098 	struct cryptodesc *crd, *crda, *crde;
2099 	uint32_t sid;
2100 	int error;
2101 
2102 	if (crp == NULL)
2103 		return (EINVAL);
2104 
2105 	crd = crp->crp_desc;
2106 	sid = CRYPTO_SESID2LID(crp->crp_sid);
2107 	sc = device_get_softc(dev);
2108 	mtx_lock(&sc->lock);
2109 	if (sid >= sc->nsessions || !sc->sessions[sid].active) {
2110 		sc->stats_bad_session++;
2111 		error = EINVAL;
2112 		goto out;
2113 	}
2114 
2115 	error = ccr_populate_sglist(sc->sg_crp, crp);
2116 	if (error) {
2117 		sc->stats_sglist_error++;
2118 		goto out;
2119 	}
2120 
2121 	s = &sc->sessions[sid];
2122 	switch (s->mode) {
2123 	case HMAC:
2124 		if (crd->crd_flags & CRD_F_KEY_EXPLICIT)
2125 			ccr_init_hmac_digest(s, crd->crd_alg, crd->crd_key,
2126 			    crd->crd_klen);
2127 		error = ccr_hmac(sc, sid, s, crp);
2128 		if (error == 0)
2129 			sc->stats_hmac++;
2130 		break;
2131 	case BLKCIPHER:
2132 		if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
2133 			error = ccr_aes_check_keylen(crd->crd_alg,
2134 			    crd->crd_klen);
2135 			if (error)
2136 				break;
2137 			ccr_aes_setkey(s, crd->crd_alg, crd->crd_key,
2138 			    crd->crd_klen);
2139 		}
2140 		error = ccr_blkcipher(sc, sid, s, crp);
2141 		if (error == 0) {
2142 			if (crd->crd_flags & CRD_F_ENCRYPT)
2143 				sc->stats_blkcipher_encrypt++;
2144 			else
2145 				sc->stats_blkcipher_decrypt++;
2146 		}
2147 		break;
2148 	case AUTHENC:
2149 		error = 0;
2150 		switch (crd->crd_alg) {
2151 		case CRYPTO_AES_CBC:
2152 		case CRYPTO_AES_ICM:
2153 		case CRYPTO_AES_XTS:
2154 			/* Only encrypt-then-authenticate supported. */
2155 			crde = crd;
2156 			crda = crd->crd_next;
2157 			if (!(crde->crd_flags & CRD_F_ENCRYPT)) {
2158 				error = EINVAL;
2159 				break;
2160 			}
2161 			break;
2162 		default:
2163 			crda = crd;
2164 			crde = crd->crd_next;
2165 			if (crde->crd_flags & CRD_F_ENCRYPT) {
2166 				error = EINVAL;
2167 				break;
2168 			}
2169 			break;
2170 		}
2171 		if (error)
2172 			break;
2173 		if (crda->crd_flags & CRD_F_KEY_EXPLICIT)
2174 			ccr_init_hmac_digest(s, crda->crd_alg, crda->crd_key,
2175 			    crda->crd_klen);
2176 		if (crde->crd_flags & CRD_F_KEY_EXPLICIT) {
2177 			error = ccr_aes_check_keylen(crde->crd_alg,
2178 			    crde->crd_klen);
2179 			if (error)
2180 				break;
2181 			ccr_aes_setkey(s, crde->crd_alg, crde->crd_key,
2182 			    crde->crd_klen);
2183 		}
2184 		error = ccr_authenc(sc, sid, s, crp, crda, crde);
2185 		if (error == 0) {
2186 			if (crde->crd_flags & CRD_F_ENCRYPT)
2187 				sc->stats_authenc_encrypt++;
2188 			else
2189 				sc->stats_authenc_decrypt++;
2190 		}
2191 		break;
2192 	case GCM:
2193 		error = 0;
2194 		if (crd->crd_alg == CRYPTO_AES_NIST_GCM_16) {
2195 			crde = crd;
2196 			crda = crd->crd_next;
2197 		} else {
2198 			crda = crd;
2199 			crde = crd->crd_next;
2200 		}
2201 		if (crda->crd_flags & CRD_F_KEY_EXPLICIT)
2202 			ccr_init_gmac_hash(s, crda->crd_key, crda->crd_klen);
2203 		if (crde->crd_flags & CRD_F_KEY_EXPLICIT) {
2204 			error = ccr_aes_check_keylen(crde->crd_alg,
2205 			    crde->crd_klen);
2206 			if (error)
2207 				break;
2208 			ccr_aes_setkey(s, crde->crd_alg, crde->crd_key,
2209 			    crde->crd_klen);
2210 		}
2211 		if (crde->crd_len == 0) {
2212 			mtx_unlock(&sc->lock);
2213 			ccr_gcm_soft(s, crp, crda, crde);
2214 			return (0);
2215 		}
2216 		error = ccr_gcm(sc, sid, s, crp, crda, crde);
2217 		if (error == EMSGSIZE) {
2218 			sc->stats_sw_fallback++;
2219 			mtx_unlock(&sc->lock);
2220 			ccr_gcm_soft(s, crp, crda, crde);
2221 			return (0);
2222 		}
2223 		if (error == 0) {
2224 			if (crde->crd_flags & CRD_F_ENCRYPT)
2225 				sc->stats_gcm_encrypt++;
2226 			else
2227 				sc->stats_gcm_decrypt++;
2228 		}
2229 		break;
2230 	}
2231 
2232 	if (error == 0) {
2233 		s->pending++;
2234 		sc->stats_inflight++;
2235 	} else
2236 		sc->stats_process_error++;
2237 
2238 out:
2239 	mtx_unlock(&sc->lock);
2240 
2241 	if (error) {
2242 		crp->crp_etype = error;
2243 		crypto_done(crp);
2244 	}
2245 
2246 	return (0);
2247 }
2248 
2249 static int
2250 do_cpl6_fw_pld(struct sge_iq *iq, const struct rss_header *rss,
2251     struct mbuf *m)
2252 {
2253 	struct ccr_softc *sc = iq->adapter->ccr_softc;
2254 	struct ccr_session *s;
2255 	const struct cpl_fw6_pld *cpl;
2256 	struct cryptop *crp;
2257 	uint32_t sid, status;
2258 	int error;
2259 
2260 	if (m != NULL)
2261 		cpl = mtod(m, const void *);
2262 	else
2263 		cpl = (const void *)(rss + 1);
2264 
2265 	crp = (struct cryptop *)(uintptr_t)be64toh(cpl->data[1]);
2266 	sid = CRYPTO_SESID2LID(crp->crp_sid);
2267 	status = be64toh(cpl->data[0]);
2268 	if (CHK_MAC_ERR_BIT(status) || CHK_PAD_ERR_BIT(status))
2269 		error = EBADMSG;
2270 	else
2271 		error = 0;
2272 
2273 	mtx_lock(&sc->lock);
2274 	MPASS(sid < sc->nsessions);
2275 	s = &sc->sessions[sid];
2276 	s->pending--;
2277 	sc->stats_inflight--;
2278 
2279 	switch (s->mode) {
2280 	case HMAC:
2281 		error = ccr_hmac_done(sc, s, crp, cpl, error);
2282 		break;
2283 	case BLKCIPHER:
2284 		error = ccr_blkcipher_done(sc, s, crp, cpl, error);
2285 		break;
2286 	case AUTHENC:
2287 		error = ccr_authenc_done(sc, s, crp, cpl, error);
2288 		break;
2289 	case GCM:
2290 		error = ccr_gcm_done(sc, s, crp, cpl, error);
2291 		break;
2292 	}
2293 
2294 	if (error == EBADMSG) {
2295 		if (CHK_MAC_ERR_BIT(status))
2296 			sc->stats_mac_error++;
2297 		if (CHK_PAD_ERR_BIT(status))
2298 			sc->stats_pad_error++;
2299 	}
2300 	mtx_unlock(&sc->lock);
2301 	crp->crp_etype = error;
2302 	crypto_done(crp);
2303 	m_freem(m);
2304 	return (0);
2305 }
2306 
2307 static int
2308 ccr_modevent(module_t mod, int cmd, void *arg)
2309 {
2310 
2311 	switch (cmd) {
2312 	case MOD_LOAD:
2313 		t4_register_cpl_handler(CPL_FW6_PLD, do_cpl6_fw_pld);
2314 		return (0);
2315 	case MOD_UNLOAD:
2316 		t4_register_cpl_handler(CPL_FW6_PLD, NULL);
2317 		return (0);
2318 	default:
2319 		return (EOPNOTSUPP);
2320 	}
2321 }
2322 
2323 static device_method_t ccr_methods[] = {
2324 	DEVMETHOD(device_identify,	ccr_identify),
2325 	DEVMETHOD(device_probe,		ccr_probe),
2326 	DEVMETHOD(device_attach,	ccr_attach),
2327 	DEVMETHOD(device_detach,	ccr_detach),
2328 
2329 	DEVMETHOD(cryptodev_newsession,	ccr_newsession),
2330 	DEVMETHOD(cryptodev_freesession, ccr_freesession),
2331 	DEVMETHOD(cryptodev_process,	ccr_process),
2332 
2333 	DEVMETHOD_END
2334 };
2335 
2336 static driver_t ccr_driver = {
2337 	"ccr",
2338 	ccr_methods,
2339 	sizeof(struct ccr_softc)
2340 };
2341 
2342 static devclass_t ccr_devclass;
2343 
2344 DRIVER_MODULE(ccr, t6nex, ccr_driver, ccr_devclass, ccr_modevent, NULL);
2345 MODULE_VERSION(ccr, 1);
2346 MODULE_DEPEND(ccr, crypto, 1, 1, 1);
2347 MODULE_DEPEND(ccr, t6nex, 1, 1, 1);
2348