1 /*- 2 * Copyright (c) 2017 Chelsio Communications, Inc. 3 * All rights reserved. 4 * Written by: John Baldwin <jhb@FreeBSD.org> 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/types.h> 32 #include <sys/bus.h> 33 #include <sys/lock.h> 34 #include <sys/malloc.h> 35 #include <sys/mutex.h> 36 #include <sys/module.h> 37 #include <sys/sglist.h> 38 39 #include <opencrypto/cryptodev.h> 40 #include <opencrypto/xform.h> 41 42 #include "cryptodev_if.h" 43 44 #include "common/common.h" 45 #include "crypto/t4_crypto.h" 46 47 /* 48 * Requests consist of: 49 * 50 * +-------------------------------+ 51 * | struct fw_crypto_lookaside_wr | 52 * +-------------------------------+ 53 * | struct ulp_txpkt | 54 * +-------------------------------+ 55 * | struct ulptx_idata | 56 * +-------------------------------+ 57 * | struct cpl_tx_sec_pdu | 58 * +-------------------------------+ 59 * | struct cpl_tls_tx_scmd_fmt | 60 * +-------------------------------+ 61 * | key context header | 62 * +-------------------------------+ 63 * | AES key | ----- For requests with AES 64 * +-------------------------------+ 65 * | Hash state | ----- For hash-only requests 66 * +-------------------------------+ - 67 * | IPAD (16-byte aligned) | \ 68 * +-------------------------------+ +---- For requests with HMAC 69 * | OPAD (16-byte aligned) | / 70 * +-------------------------------+ - 71 * | GMAC H | ----- For AES-GCM 72 * +-------------------------------+ - 73 * | struct cpl_rx_phys_dsgl | \ 74 * +-------------------------------+ +---- Destination buffer for 75 * | PHYS_DSGL entries | / non-hash-only requests 76 * +-------------------------------+ - 77 * | 16 dummy bytes | ----- Only for HMAC/hash-only requests 78 * +-------------------------------+ 79 * | IV | ----- If immediate IV 80 * +-------------------------------+ 81 * | Payload | ----- If immediate Payload 82 * +-------------------------------+ - 83 * | struct ulptx_sgl | \ 84 * +-------------------------------+ +---- If payload via SGL 85 * | SGL entries | / 86 * +-------------------------------+ - 87 * 88 * Note that the key context must be padded to ensure 16-byte alignment. 89 * For HMAC requests, the key consists of the partial hash of the IPAD 90 * followed by the partial hash of the OPAD. 91 * 92 * Replies consist of: 93 * 94 * +-------------------------------+ 95 * | struct cpl_fw6_pld | 96 * +-------------------------------+ 97 * | hash digest | ----- For HMAC request with 98 * +-------------------------------+ 'hash_size' set in work request 99 * 100 * A 32-bit big-endian error status word is supplied in the last 4 101 * bytes of data[0] in the CPL_FW6_PLD message. bit 0 indicates a 102 * "MAC" error and bit 1 indicates a "PAD" error. 103 * 104 * The 64-bit 'cookie' field from the fw_crypto_lookaside_wr message 105 * in the request is returned in data[1] of the CPL_FW6_PLD message. 106 * 107 * For block cipher replies, the updated IV is supplied in data[2] and 108 * data[3] of the CPL_FW6_PLD message. 109 * 110 * For hash replies where the work request set 'hash_size' to request 111 * a copy of the hash in the reply, the hash digest is supplied 112 * immediately following the CPL_FW6_PLD message. 113 */ 114 115 /* 116 * The crypto engine supports a maximum AAD size of 511 bytes. 117 */ 118 #define MAX_AAD_LEN 511 119 120 /* 121 * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32 SG 122 * entries. While the CPL includes a 16-bit length field, the T6 can 123 * sometimes hang if an error occurs while processing a request with a 124 * single DSGL entry larger than 2k. 125 */ 126 #define MAX_RX_PHYS_DSGL_SGE 32 127 #define DSGL_SGE_MAXLEN 2048 128 129 /* 130 * The adapter only supports requests with a total input or output 131 * length of 64k-1 or smaller. Longer requests either result in hung 132 * requests or incorrect results. 133 */ 134 #define MAX_REQUEST_SIZE 65535 135 136 static MALLOC_DEFINE(M_CCR, "ccr", "Chelsio T6 crypto"); 137 138 struct ccr_session_hmac { 139 struct auth_hash *auth_hash; 140 int hash_len; 141 unsigned int partial_digest_len; 142 unsigned int auth_mode; 143 unsigned int mk_size; 144 char pads[CHCR_HASH_MAX_BLOCK_SIZE_128 * 2]; 145 }; 146 147 struct ccr_session_gmac { 148 int hash_len; 149 char ghash_h[GMAC_BLOCK_LEN]; 150 }; 151 152 struct ccr_session_ccm_mac { 153 int hash_len; 154 }; 155 156 struct ccr_session_blkcipher { 157 unsigned int cipher_mode; 158 unsigned int key_len; 159 unsigned int iv_len; 160 __be32 key_ctx_hdr; 161 char enckey[CHCR_AES_MAX_KEY_LEN]; 162 char deckey[CHCR_AES_MAX_KEY_LEN]; 163 }; 164 165 struct ccr_port { 166 struct sge_wrq *txq; 167 struct sge_rxq *rxq; 168 int tx_channel_id; 169 u_int active_sessions; 170 }; 171 172 struct ccr_session { 173 bool active; 174 int pending; 175 enum { HASH, HMAC, BLKCIPHER, ETA, GCM, CCM } mode; 176 struct ccr_port *port; 177 union { 178 struct ccr_session_hmac hmac; 179 struct ccr_session_gmac gmac; 180 struct ccr_session_ccm_mac ccm_mac; 181 }; 182 struct ccr_session_blkcipher blkcipher; 183 }; 184 185 struct ccr_softc { 186 struct adapter *adapter; 187 device_t dev; 188 uint32_t cid; 189 struct mtx lock; 190 bool detaching; 191 struct ccr_port ports[MAX_NPORTS]; 192 u_int port_mask; 193 194 /* 195 * Pre-allocate S/G lists used when preparing a work request. 196 * 'sg_crp' contains an sglist describing the entire buffer 197 * for a 'struct cryptop'. 'sg_ulptx' is used to describe 198 * the data the engine should DMA as input via ULPTX_SGL. 199 * 'sg_dsgl' is used to describe the destination that cipher 200 * text and a tag should be written to. 201 */ 202 struct sglist *sg_crp; 203 struct sglist *sg_ulptx; 204 struct sglist *sg_dsgl; 205 206 /* 207 * Pre-allocate a dummy output buffer for the IV and AAD for 208 * AEAD requests. 209 */ 210 char *iv_aad_buf; 211 struct sglist *sg_iv_aad; 212 213 /* Statistics. */ 214 uint64_t stats_blkcipher_encrypt; 215 uint64_t stats_blkcipher_decrypt; 216 uint64_t stats_hash; 217 uint64_t stats_hmac; 218 uint64_t stats_eta_encrypt; 219 uint64_t stats_eta_decrypt; 220 uint64_t stats_gcm_encrypt; 221 uint64_t stats_gcm_decrypt; 222 uint64_t stats_ccm_encrypt; 223 uint64_t stats_ccm_decrypt; 224 uint64_t stats_wr_nomem; 225 uint64_t stats_inflight; 226 uint64_t stats_mac_error; 227 uint64_t stats_pad_error; 228 uint64_t stats_bad_session; 229 uint64_t stats_sglist_error; 230 uint64_t stats_process_error; 231 uint64_t stats_sw_fallback; 232 }; 233 234 /* 235 * Crypto requests involve two kind of scatter/gather lists. 236 * 237 * Non-hash-only requests require a PHYS_DSGL that describes the 238 * location to store the results of the encryption or decryption 239 * operation. This SGL uses a different format (PHYS_DSGL) and should 240 * exclude the skip bytes at the start of the data as well as any AAD 241 * or IV. For authenticated encryption requests it should include the 242 * destination of the hash or tag. 243 * 244 * The input payload may either be supplied inline as immediate data, 245 * or via a standard ULP_TX SGL. This SGL should include AAD, 246 * ciphertext, and the hash or tag for authenticated decryption 247 * requests. 248 * 249 * These scatter/gather lists can describe different subsets of the 250 * buffers described by the crypto operation. ccr_populate_sglist() 251 * generates a scatter/gather list that covers an entire crypto 252 * operation buffer that is then used to construct the other 253 * scatter/gather lists. 254 */ 255 static int 256 ccr_populate_sglist(struct sglist *sg, struct crypto_buffer *cb) 257 { 258 int error; 259 260 sglist_reset(sg); 261 switch (cb->cb_type) { 262 case CRYPTO_BUF_MBUF: 263 error = sglist_append_mbuf(sg, cb->cb_mbuf); 264 break; 265 case CRYPTO_BUF_UIO: 266 error = sglist_append_uio(sg, cb->cb_uio); 267 break; 268 case CRYPTO_BUF_CONTIG: 269 error = sglist_append(sg, cb->cb_buf, cb->cb_buf_len); 270 break; 271 default: 272 error = EINVAL; 273 } 274 return (error); 275 } 276 277 /* 278 * Segments in 'sg' larger than 'maxsegsize' are counted as multiple 279 * segments. 280 */ 281 static int 282 ccr_count_sgl(struct sglist *sg, int maxsegsize) 283 { 284 int i, nsegs; 285 286 nsegs = 0; 287 for (i = 0; i < sg->sg_nseg; i++) 288 nsegs += howmany(sg->sg_segs[i].ss_len, maxsegsize); 289 return (nsegs); 290 } 291 292 /* These functions deal with PHYS_DSGL for the reply buffer. */ 293 static inline int 294 ccr_phys_dsgl_len(int nsegs) 295 { 296 int len; 297 298 len = (nsegs / 8) * sizeof(struct phys_sge_pairs); 299 if ((nsegs % 8) != 0) { 300 len += sizeof(uint16_t) * 8; 301 len += roundup2(nsegs % 8, 2) * sizeof(uint64_t); 302 } 303 return (len); 304 } 305 306 static void 307 ccr_write_phys_dsgl(struct ccr_softc *sc, struct ccr_session *s, void *dst, 308 int nsegs) 309 { 310 struct sglist *sg; 311 struct cpl_rx_phys_dsgl *cpl; 312 struct phys_sge_pairs *sgl; 313 vm_paddr_t paddr; 314 size_t seglen; 315 u_int i, j; 316 317 sg = sc->sg_dsgl; 318 cpl = dst; 319 cpl->op_to_tid = htobe32(V_CPL_RX_PHYS_DSGL_OPCODE(CPL_RX_PHYS_DSGL) | 320 V_CPL_RX_PHYS_DSGL_ISRDMA(0)); 321 cpl->pcirlxorder_to_noofsgentr = htobe32( 322 V_CPL_RX_PHYS_DSGL_PCIRLXORDER(0) | 323 V_CPL_RX_PHYS_DSGL_PCINOSNOOP(0) | 324 V_CPL_RX_PHYS_DSGL_PCITPHNTENB(0) | V_CPL_RX_PHYS_DSGL_DCAID(0) | 325 V_CPL_RX_PHYS_DSGL_NOOFSGENTR(nsegs)); 326 cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR; 327 cpl->rss_hdr_int.qid = htobe16(s->port->rxq->iq.abs_id); 328 cpl->rss_hdr_int.hash_val = 0; 329 sgl = (struct phys_sge_pairs *)(cpl + 1); 330 j = 0; 331 for (i = 0; i < sg->sg_nseg; i++) { 332 seglen = sg->sg_segs[i].ss_len; 333 paddr = sg->sg_segs[i].ss_paddr; 334 do { 335 sgl->addr[j] = htobe64(paddr); 336 if (seglen > DSGL_SGE_MAXLEN) { 337 sgl->len[j] = htobe16(DSGL_SGE_MAXLEN); 338 paddr += DSGL_SGE_MAXLEN; 339 seglen -= DSGL_SGE_MAXLEN; 340 } else { 341 sgl->len[j] = htobe16(seglen); 342 seglen = 0; 343 } 344 j++; 345 if (j == 8) { 346 sgl++; 347 j = 0; 348 } 349 } while (seglen != 0); 350 } 351 MPASS(j + 8 * (sgl - (struct phys_sge_pairs *)(cpl + 1)) == nsegs); 352 } 353 354 /* These functions deal with the ULPTX_SGL for input payload. */ 355 static inline int 356 ccr_ulptx_sgl_len(int nsegs) 357 { 358 u_int n; 359 360 nsegs--; /* first segment is part of ulptx_sgl */ 361 n = sizeof(struct ulptx_sgl) + 8 * ((3 * nsegs) / 2 + (nsegs & 1)); 362 return (roundup2(n, 16)); 363 } 364 365 static void 366 ccr_write_ulptx_sgl(struct ccr_softc *sc, void *dst, int nsegs) 367 { 368 struct ulptx_sgl *usgl; 369 struct sglist *sg; 370 struct sglist_seg *ss; 371 int i; 372 373 sg = sc->sg_ulptx; 374 MPASS(nsegs == sg->sg_nseg); 375 ss = &sg->sg_segs[0]; 376 usgl = dst; 377 usgl->cmd_nsge = htobe32(V_ULPTX_CMD(ULP_TX_SC_DSGL) | 378 V_ULPTX_NSGE(nsegs)); 379 usgl->len0 = htobe32(ss->ss_len); 380 usgl->addr0 = htobe64(ss->ss_paddr); 381 ss++; 382 for (i = 0; i < sg->sg_nseg - 1; i++) { 383 usgl->sge[i / 2].len[i & 1] = htobe32(ss->ss_len); 384 usgl->sge[i / 2].addr[i & 1] = htobe64(ss->ss_paddr); 385 ss++; 386 } 387 388 } 389 390 static bool 391 ccr_use_imm_data(u_int transhdr_len, u_int input_len) 392 { 393 394 if (input_len > CRYPTO_MAX_IMM_TX_PKT_LEN) 395 return (false); 396 if (roundup2(transhdr_len, 16) + roundup2(input_len, 16) > 397 SGE_MAX_WR_LEN) 398 return (false); 399 return (true); 400 } 401 402 static void 403 ccr_populate_wreq(struct ccr_softc *sc, struct ccr_session *s, 404 struct chcr_wr *crwr, u_int kctx_len, u_int wr_len, u_int imm_len, 405 u_int sgl_len, u_int hash_size, struct cryptop *crp) 406 { 407 u_int cctx_size, idata_len; 408 409 cctx_size = sizeof(struct _key_ctx) + kctx_len; 410 crwr->wreq.op_to_cctx_size = htobe32( 411 V_FW_CRYPTO_LOOKASIDE_WR_OPCODE(FW_CRYPTO_LOOKASIDE_WR) | 412 V_FW_CRYPTO_LOOKASIDE_WR_COMPL(0) | 413 V_FW_CRYPTO_LOOKASIDE_WR_IMM_LEN(imm_len) | 414 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_LOC(1) | 415 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_SIZE(cctx_size >> 4)); 416 crwr->wreq.len16_pkd = htobe32( 417 V_FW_CRYPTO_LOOKASIDE_WR_LEN16(wr_len / 16)); 418 crwr->wreq.session_id = 0; 419 crwr->wreq.rx_chid_to_rx_q_id = htobe32( 420 V_FW_CRYPTO_LOOKASIDE_WR_RX_CHID(s->port->tx_channel_id) | 421 V_FW_CRYPTO_LOOKASIDE_WR_LCB(0) | 422 V_FW_CRYPTO_LOOKASIDE_WR_PHASH(0) | 423 V_FW_CRYPTO_LOOKASIDE_WR_IV(IV_NOP) | 424 V_FW_CRYPTO_LOOKASIDE_WR_FQIDX(0) | 425 V_FW_CRYPTO_LOOKASIDE_WR_TX_CH(0) | 426 V_FW_CRYPTO_LOOKASIDE_WR_RX_Q_ID(s->port->rxq->iq.abs_id)); 427 crwr->wreq.key_addr = 0; 428 crwr->wreq.pld_size_hash_size = htobe32( 429 V_FW_CRYPTO_LOOKASIDE_WR_PLD_SIZE(sgl_len) | 430 V_FW_CRYPTO_LOOKASIDE_WR_HASH_SIZE(hash_size)); 431 crwr->wreq.cookie = htobe64((uintptr_t)crp); 432 433 crwr->ulptx.cmd_dest = htobe32(V_ULPTX_CMD(ULP_TX_PKT) | 434 V_ULP_TXPKT_DATAMODIFY(0) | 435 V_ULP_TXPKT_CHANNELID(s->port->tx_channel_id) | 436 V_ULP_TXPKT_DEST(0) | 437 V_ULP_TXPKT_FID(s->port->rxq->iq.abs_id) | V_ULP_TXPKT_RO(1)); 438 crwr->ulptx.len = htobe32( 439 ((wr_len - sizeof(struct fw_crypto_lookaside_wr)) / 16)); 440 441 crwr->sc_imm.cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_IMM) | 442 V_ULP_TX_SC_MORE(sgl_len != 0 ? 1 : 0)); 443 idata_len = wr_len - offsetof(struct chcr_wr, sec_cpl) - sgl_len; 444 if (imm_len % 16 != 0) 445 idata_len -= 16 - imm_len % 16; 446 crwr->sc_imm.len = htobe32(idata_len); 447 } 448 449 static int 450 ccr_hash(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 451 { 452 struct chcr_wr *crwr; 453 struct wrqe *wr; 454 struct auth_hash *axf; 455 char *dst; 456 u_int hash_size_in_response, kctx_flits, kctx_len, transhdr_len, wr_len; 457 u_int hmac_ctrl, imm_len, iopad_size; 458 int error, sgl_nsegs, sgl_len, use_opad; 459 460 /* Reject requests with too large of an input buffer. */ 461 if (crp->crp_payload_length > MAX_REQUEST_SIZE) 462 return (EFBIG); 463 464 axf = s->hmac.auth_hash; 465 466 if (s->mode == HMAC) { 467 use_opad = 1; 468 hmac_ctrl = SCMD_HMAC_CTRL_NO_TRUNC; 469 } else { 470 use_opad = 0; 471 hmac_ctrl = SCMD_HMAC_CTRL_NOP; 472 } 473 474 /* PADs must be 128-bit aligned. */ 475 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 476 477 /* 478 * The 'key' part of the context includes the aligned IPAD and 479 * OPAD. 480 */ 481 kctx_len = iopad_size; 482 if (use_opad) 483 kctx_len += iopad_size; 484 hash_size_in_response = axf->hashsize; 485 transhdr_len = HASH_TRANSHDR_SIZE(kctx_len); 486 487 if (crp->crp_payload_length == 0) { 488 imm_len = axf->blocksize; 489 sgl_nsegs = 0; 490 sgl_len = 0; 491 } else if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length)) { 492 imm_len = crp->crp_payload_length; 493 sgl_nsegs = 0; 494 sgl_len = 0; 495 } else { 496 imm_len = 0; 497 sglist_reset(sc->sg_ulptx); 498 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 499 crp->crp_payload_start, crp->crp_payload_length); 500 if (error) 501 return (error); 502 sgl_nsegs = sc->sg_ulptx->sg_nseg; 503 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 504 } 505 506 wr_len = roundup2(transhdr_len, 16) + roundup2(imm_len, 16) + sgl_len; 507 if (wr_len > SGE_MAX_WR_LEN) 508 return (EFBIG); 509 wr = alloc_wrqe(wr_len, s->port->txq); 510 if (wr == NULL) { 511 sc->stats_wr_nomem++; 512 return (ENOMEM); 513 } 514 crwr = wrtod(wr); 515 memset(crwr, 0, wr_len); 516 517 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 518 hash_size_in_response, crp); 519 520 crwr->sec_cpl.op_ivinsrtofst = htobe32( 521 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 522 V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) | 523 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 524 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 525 V_CPL_TX_SEC_PDU_IVINSRTOFST(0)); 526 527 crwr->sec_cpl.pldlen = htobe32(crp->crp_payload_length == 0 ? 528 axf->blocksize : crp->crp_payload_length); 529 530 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 531 V_CPL_TX_SEC_PDU_AUTHSTART(1) | V_CPL_TX_SEC_PDU_AUTHSTOP(0)); 532 533 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 534 crwr->sec_cpl.seqno_numivs = htobe32( 535 V_SCMD_SEQ_NO_CTRL(0) | 536 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 537 V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_NOP) | 538 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 539 V_SCMD_HMAC_CTRL(hmac_ctrl)); 540 crwr->sec_cpl.ivgen_hdrlen = htobe32( 541 V_SCMD_LAST_FRAG(0) | 542 V_SCMD_MORE_FRAGS(crp->crp_payload_length == 0 ? 1 : 0) | 543 V_SCMD_MAC_ONLY(1)); 544 545 memcpy(crwr->key_ctx.key, s->hmac.pads, kctx_len); 546 547 /* XXX: F_KEY_CONTEXT_SALT_PRESENT set, but 'salt' not set. */ 548 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 549 crwr->key_ctx.ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 550 V_KEY_CONTEXT_OPAD_PRESENT(use_opad) | 551 V_KEY_CONTEXT_SALT_PRESENT(1) | 552 V_KEY_CONTEXT_CK_SIZE(CHCR_KEYCTX_NO_KEY) | 553 V_KEY_CONTEXT_MK_SIZE(s->hmac.mk_size) | V_KEY_CONTEXT_VALID(1)); 554 555 dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES; 556 if (crp->crp_payload_length == 0) { 557 dst[0] = 0x80; 558 if (s->mode == HMAC) 559 *(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) = 560 htobe64(axf->blocksize << 3); 561 } else if (imm_len != 0) 562 crypto_copydata(crp, crp->crp_payload_start, 563 crp->crp_payload_length, dst); 564 else 565 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 566 567 /* XXX: TODO backpressure */ 568 t4_wrq_tx(sc->adapter, wr); 569 570 return (0); 571 } 572 573 static int 574 ccr_hash_done(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp, 575 const struct cpl_fw6_pld *cpl, int error) 576 { 577 uint8_t hash[HASH_MAX_LEN]; 578 579 if (error) 580 return (error); 581 582 if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) { 583 crypto_copydata(crp, crp->crp_digest_start, s->hmac.hash_len, 584 hash); 585 if (timingsafe_bcmp((cpl + 1), hash, s->hmac.hash_len) != 0) 586 return (EBADMSG); 587 } else 588 crypto_copyback(crp, crp->crp_digest_start, s->hmac.hash_len, 589 (cpl + 1)); 590 return (0); 591 } 592 593 static int 594 ccr_blkcipher(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 595 { 596 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 597 struct chcr_wr *crwr; 598 struct wrqe *wr; 599 char *dst; 600 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 601 u_int imm_len, iv_len; 602 int dsgl_nsegs, dsgl_len; 603 int sgl_nsegs, sgl_len; 604 int error; 605 606 if (s->blkcipher.key_len == 0 || crp->crp_payload_length == 0) 607 return (EINVAL); 608 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC && 609 (crp->crp_payload_length % AES_BLOCK_LEN) != 0) 610 return (EINVAL); 611 612 /* Reject requests with too large of an input buffer. */ 613 if (crp->crp_payload_length > MAX_REQUEST_SIZE) 614 return (EFBIG); 615 616 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 617 op_type = CHCR_ENCRYPT_OP; 618 else 619 op_type = CHCR_DECRYPT_OP; 620 621 sglist_reset(sc->sg_dsgl); 622 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 623 crp->crp_payload_start, crp->crp_payload_length); 624 if (error) 625 return (error); 626 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 627 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 628 return (EFBIG); 629 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 630 631 /* The 'key' must be 128-bit aligned. */ 632 kctx_len = roundup2(s->blkcipher.key_len, 16); 633 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 634 635 /* For AES-XTS we send a 16-byte IV in the work request. */ 636 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS) 637 iv_len = AES_BLOCK_LEN; 638 else 639 iv_len = s->blkcipher.iv_len; 640 641 if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length + iv_len)) { 642 imm_len = crp->crp_payload_length; 643 sgl_nsegs = 0; 644 sgl_len = 0; 645 } else { 646 imm_len = 0; 647 sglist_reset(sc->sg_ulptx); 648 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 649 crp->crp_payload_start, crp->crp_payload_length); 650 if (error) 651 return (error); 652 sgl_nsegs = sc->sg_ulptx->sg_nseg; 653 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 654 } 655 656 wr_len = roundup2(transhdr_len, 16) + iv_len + 657 roundup2(imm_len, 16) + sgl_len; 658 if (wr_len > SGE_MAX_WR_LEN) 659 return (EFBIG); 660 wr = alloc_wrqe(wr_len, s->port->txq); 661 if (wr == NULL) { 662 sc->stats_wr_nomem++; 663 return (ENOMEM); 664 } 665 crwr = wrtod(wr); 666 memset(crwr, 0, wr_len); 667 668 crypto_read_iv(crp, iv); 669 670 /* Zero the remainder of the IV for AES-XTS. */ 671 memset(iv + s->blkcipher.iv_len, 0, iv_len - s->blkcipher.iv_len); 672 673 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0, 674 crp); 675 676 crwr->sec_cpl.op_ivinsrtofst = htobe32( 677 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 678 V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) | 679 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 680 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 681 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 682 683 crwr->sec_cpl.pldlen = htobe32(iv_len + crp->crp_payload_length); 684 685 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 686 V_CPL_TX_SEC_PDU_CIPHERSTART(iv_len + 1) | 687 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 688 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 689 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0)); 690 691 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 692 crwr->sec_cpl.seqno_numivs = htobe32( 693 V_SCMD_SEQ_NO_CTRL(0) | 694 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 695 V_SCMD_ENC_DEC_CTRL(op_type) | 696 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) | 697 V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_NOP) | 698 V_SCMD_HMAC_CTRL(SCMD_HMAC_CTRL_NOP) | 699 V_SCMD_IV_SIZE(iv_len / 2) | 700 V_SCMD_NUM_IVS(0)); 701 crwr->sec_cpl.ivgen_hdrlen = htobe32( 702 V_SCMD_IV_GEN_CTRL(0) | 703 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 704 V_SCMD_AADIVDROP(1) | V_SCMD_HDR_LEN(dsgl_len)); 705 706 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 707 switch (s->blkcipher.cipher_mode) { 708 case SCMD_CIPH_MODE_AES_CBC: 709 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 710 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 711 s->blkcipher.key_len); 712 else 713 memcpy(crwr->key_ctx.key, s->blkcipher.deckey, 714 s->blkcipher.key_len); 715 break; 716 case SCMD_CIPH_MODE_AES_CTR: 717 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 718 s->blkcipher.key_len); 719 break; 720 case SCMD_CIPH_MODE_AES_XTS: 721 key_half = s->blkcipher.key_len / 2; 722 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half, 723 key_half); 724 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 725 memcpy(crwr->key_ctx.key + key_half, 726 s->blkcipher.enckey, key_half); 727 else 728 memcpy(crwr->key_ctx.key + key_half, 729 s->blkcipher.deckey, key_half); 730 break; 731 } 732 733 dst = (char *)(crwr + 1) + kctx_len; 734 ccr_write_phys_dsgl(sc, s, dst, dsgl_nsegs); 735 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 736 memcpy(dst, iv, iv_len); 737 dst += iv_len; 738 if (imm_len != 0) 739 crypto_copydata(crp, crp->crp_payload_start, 740 crp->crp_payload_length, dst); 741 else 742 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 743 744 /* XXX: TODO backpressure */ 745 t4_wrq_tx(sc->adapter, wr); 746 747 return (0); 748 } 749 750 static int 751 ccr_blkcipher_done(struct ccr_softc *sc, struct ccr_session *s, 752 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 753 { 754 755 /* 756 * The updated IV to permit chained requests is at 757 * cpl->data[2], but OCF doesn't permit chained requests. 758 */ 759 return (error); 760 } 761 762 /* 763 * 'hashsize' is the length of a full digest. 'authsize' is the 764 * requested digest length for this operation which may be less 765 * than 'hashsize'. 766 */ 767 static int 768 ccr_hmac_ctrl(unsigned int hashsize, unsigned int authsize) 769 { 770 771 if (authsize == 10) 772 return (SCMD_HMAC_CTRL_TRUNC_RFC4366); 773 if (authsize == 12) 774 return (SCMD_HMAC_CTRL_IPSEC_96BIT); 775 if (authsize == hashsize / 2) 776 return (SCMD_HMAC_CTRL_DIV2); 777 return (SCMD_HMAC_CTRL_NO_TRUNC); 778 } 779 780 static int 781 ccr_eta(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 782 { 783 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 784 struct chcr_wr *crwr; 785 struct wrqe *wr; 786 struct auth_hash *axf; 787 char *dst; 788 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 789 u_int hash_size_in_response, imm_len, iopad_size, iv_len; 790 u_int aad_start, aad_stop; 791 u_int auth_insert; 792 u_int cipher_start, cipher_stop; 793 u_int hmac_ctrl, input_len; 794 int dsgl_nsegs, dsgl_len; 795 int sgl_nsegs, sgl_len; 796 int error; 797 798 /* 799 * If there is a need in the future, requests with an empty 800 * payload could be supported as HMAC-only requests. 801 */ 802 if (s->blkcipher.key_len == 0 || crp->crp_payload_length == 0) 803 return (EINVAL); 804 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC && 805 (crp->crp_payload_length % AES_BLOCK_LEN) != 0) 806 return (EINVAL); 807 808 /* For AES-XTS we send a 16-byte IV in the work request. */ 809 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS) 810 iv_len = AES_BLOCK_LEN; 811 else 812 iv_len = s->blkcipher.iv_len; 813 814 if (crp->crp_aad_length + iv_len > MAX_AAD_LEN) 815 return (EINVAL); 816 817 axf = s->hmac.auth_hash; 818 hash_size_in_response = s->hmac.hash_len; 819 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 820 op_type = CHCR_ENCRYPT_OP; 821 else 822 op_type = CHCR_DECRYPT_OP; 823 824 /* 825 * The output buffer consists of the cipher text followed by 826 * the hash when encrypting. For decryption it only contains 827 * the plain text. 828 * 829 * Due to a firmware bug, the output buffer must include a 830 * dummy output buffer for the IV and AAD prior to the real 831 * output buffer. 832 */ 833 if (op_type == CHCR_ENCRYPT_OP) { 834 if (iv_len + crp->crp_aad_length + crp->crp_payload_length + 835 hash_size_in_response > MAX_REQUEST_SIZE) 836 return (EFBIG); 837 } else { 838 if (iv_len + crp->crp_aad_length + crp->crp_payload_length > 839 MAX_REQUEST_SIZE) 840 return (EFBIG); 841 } 842 sglist_reset(sc->sg_dsgl); 843 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, 844 iv_len + crp->crp_aad_length); 845 if (error) 846 return (error); 847 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 848 crp->crp_payload_start, crp->crp_payload_length); 849 if (error) 850 return (error); 851 if (op_type == CHCR_ENCRYPT_OP) { 852 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 853 crp->crp_digest_start, hash_size_in_response); 854 if (error) 855 return (error); 856 } 857 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 858 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 859 return (EFBIG); 860 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 861 862 /* PADs must be 128-bit aligned. */ 863 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 864 865 /* 866 * The 'key' part of the key context consists of the key followed 867 * by the IPAD and OPAD. 868 */ 869 kctx_len = roundup2(s->blkcipher.key_len, 16) + iopad_size * 2; 870 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 871 872 /* 873 * The input buffer consists of the IV, any AAD, and then the 874 * cipher/plain text. For decryption requests the hash is 875 * appended after the cipher text. 876 * 877 * The IV is always stored at the start of the input buffer 878 * even though it may be duplicated in the payload. The 879 * crypto engine doesn't work properly if the IV offset points 880 * inside of the AAD region, so a second copy is always 881 * required. 882 */ 883 input_len = crp->crp_aad_length + crp->crp_payload_length; 884 885 /* 886 * The firmware hangs if sent a request which is a 887 * bit smaller than MAX_REQUEST_SIZE. In particular, the 888 * firmware appears to require 512 - 16 bytes of spare room 889 * along with the size of the hash even if the hash isn't 890 * included in the input buffer. 891 */ 892 if (input_len + roundup2(axf->hashsize, 16) + (512 - 16) > 893 MAX_REQUEST_SIZE) 894 return (EFBIG); 895 if (op_type == CHCR_DECRYPT_OP) 896 input_len += hash_size_in_response; 897 898 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 899 imm_len = input_len; 900 sgl_nsegs = 0; 901 sgl_len = 0; 902 } else { 903 imm_len = 0; 904 sglist_reset(sc->sg_ulptx); 905 if (crp->crp_aad_length != 0) { 906 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 907 crp->crp_aad_start, crp->crp_aad_length); 908 if (error) 909 return (error); 910 } 911 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 912 crp->crp_payload_start, crp->crp_payload_length); 913 if (error) 914 return (error); 915 if (op_type == CHCR_DECRYPT_OP) { 916 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 917 crp->crp_digest_start, hash_size_in_response); 918 if (error) 919 return (error); 920 } 921 sgl_nsegs = sc->sg_ulptx->sg_nseg; 922 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 923 } 924 925 /* 926 * Any auth-only data before the cipher region is marked as AAD. 927 * Auth-data that overlaps with the cipher region is placed in 928 * the auth section. 929 */ 930 if (crp->crp_aad_length != 0) { 931 aad_start = iv_len + 1; 932 aad_stop = aad_start + crp->crp_aad_length - 1; 933 } else { 934 aad_start = 0; 935 aad_stop = 0; 936 } 937 cipher_start = iv_len + crp->crp_aad_length + 1; 938 if (op_type == CHCR_DECRYPT_OP) 939 cipher_stop = hash_size_in_response; 940 else 941 cipher_stop = 0; 942 if (op_type == CHCR_DECRYPT_OP) 943 auth_insert = hash_size_in_response; 944 else 945 auth_insert = 0; 946 947 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 948 sgl_len; 949 if (wr_len > SGE_MAX_WR_LEN) 950 return (EFBIG); 951 wr = alloc_wrqe(wr_len, s->port->txq); 952 if (wr == NULL) { 953 sc->stats_wr_nomem++; 954 return (ENOMEM); 955 } 956 crwr = wrtod(wr); 957 memset(crwr, 0, wr_len); 958 959 crypto_read_iv(crp, iv); 960 961 /* Zero the remainder of the IV for AES-XTS. */ 962 memset(iv + s->blkcipher.iv_len, 0, iv_len - s->blkcipher.iv_len); 963 964 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 965 op_type == CHCR_DECRYPT_OP ? hash_size_in_response : 0, crp); 966 967 crwr->sec_cpl.op_ivinsrtofst = htobe32( 968 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 969 V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) | 970 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 971 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 972 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 973 974 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 975 976 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 977 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 978 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 979 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 980 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(cipher_stop >> 4)); 981 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 982 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(cipher_stop & 0xf) | 983 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 984 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 985 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 986 987 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 988 hmac_ctrl = ccr_hmac_ctrl(axf->hashsize, hash_size_in_response); 989 crwr->sec_cpl.seqno_numivs = htobe32( 990 V_SCMD_SEQ_NO_CTRL(0) | 991 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 992 V_SCMD_ENC_DEC_CTRL(op_type) | 993 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 994 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) | 995 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 996 V_SCMD_HMAC_CTRL(hmac_ctrl) | 997 V_SCMD_IV_SIZE(iv_len / 2) | 998 V_SCMD_NUM_IVS(0)); 999 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1000 V_SCMD_IV_GEN_CTRL(0) | 1001 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1002 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1003 1004 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1005 switch (s->blkcipher.cipher_mode) { 1006 case SCMD_CIPH_MODE_AES_CBC: 1007 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1008 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 1009 s->blkcipher.key_len); 1010 else 1011 memcpy(crwr->key_ctx.key, s->blkcipher.deckey, 1012 s->blkcipher.key_len); 1013 break; 1014 case SCMD_CIPH_MODE_AES_CTR: 1015 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 1016 s->blkcipher.key_len); 1017 break; 1018 case SCMD_CIPH_MODE_AES_XTS: 1019 key_half = s->blkcipher.key_len / 2; 1020 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half, 1021 key_half); 1022 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1023 memcpy(crwr->key_ctx.key + key_half, 1024 s->blkcipher.enckey, key_half); 1025 else 1026 memcpy(crwr->key_ctx.key + key_half, 1027 s->blkcipher.deckey, key_half); 1028 break; 1029 } 1030 1031 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16); 1032 memcpy(dst, s->hmac.pads, iopad_size * 2); 1033 1034 dst = (char *)(crwr + 1) + kctx_len; 1035 ccr_write_phys_dsgl(sc, s, dst, dsgl_nsegs); 1036 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1037 memcpy(dst, iv, iv_len); 1038 dst += iv_len; 1039 if (imm_len != 0) { 1040 if (crp->crp_aad_length != 0) { 1041 crypto_copydata(crp, crp->crp_aad_start, 1042 crp->crp_aad_length, dst); 1043 dst += crp->crp_aad_length; 1044 } 1045 crypto_copydata(crp, crp->crp_payload_start, 1046 crp->crp_payload_length, dst); 1047 dst += crp->crp_payload_length; 1048 if (op_type == CHCR_DECRYPT_OP) 1049 crypto_copydata(crp, crp->crp_digest_start, 1050 hash_size_in_response, dst); 1051 } else 1052 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1053 1054 /* XXX: TODO backpressure */ 1055 t4_wrq_tx(sc->adapter, wr); 1056 1057 return (0); 1058 } 1059 1060 static int 1061 ccr_eta_done(struct ccr_softc *sc, struct ccr_session *s, 1062 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1063 { 1064 1065 /* 1066 * The updated IV to permit chained requests is at 1067 * cpl->data[2], but OCF doesn't permit chained requests. 1068 */ 1069 return (error); 1070 } 1071 1072 static int 1073 ccr_gcm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 1074 { 1075 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 1076 struct chcr_wr *crwr; 1077 struct wrqe *wr; 1078 char *dst; 1079 u_int iv_len, kctx_len, op_type, transhdr_len, wr_len; 1080 u_int hash_size_in_response, imm_len; 1081 u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert; 1082 u_int hmac_ctrl, input_len; 1083 int dsgl_nsegs, dsgl_len; 1084 int sgl_nsegs, sgl_len; 1085 int error; 1086 1087 if (s->blkcipher.key_len == 0) 1088 return (EINVAL); 1089 1090 /* 1091 * The crypto engine doesn't handle GCM requests with an empty 1092 * payload, so handle those in software instead. 1093 */ 1094 if (crp->crp_payload_length == 0) 1095 return (EMSGSIZE); 1096 1097 if (crp->crp_aad_length + AES_BLOCK_LEN > MAX_AAD_LEN) 1098 return (EMSGSIZE); 1099 1100 hash_size_in_response = s->gmac.hash_len; 1101 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1102 op_type = CHCR_ENCRYPT_OP; 1103 else 1104 op_type = CHCR_DECRYPT_OP; 1105 1106 /* 1107 * The IV handling for GCM in OCF is a bit more complicated in 1108 * that IPSec provides a full 16-byte IV (including the 1109 * counter), whereas the /dev/crypto interface sometimes 1110 * provides a full 16-byte IV (if no IV is provided in the 1111 * ioctl) and sometimes a 12-byte IV (if the IV was explicit). 1112 * 1113 * When provided a 12-byte IV, assume the IV is really 16 bytes 1114 * with a counter in the last 4 bytes initialized to 1. 1115 * 1116 * While iv_len is checked below, the value is currently 1117 * always set to 12 when creating a GCM session in this driver 1118 * due to limitations in OCF (there is no way to know what the 1119 * IV length of a given request will be). This means that the 1120 * driver always assumes as 12-byte IV for now. 1121 */ 1122 if (s->blkcipher.iv_len == 12) 1123 iv_len = AES_BLOCK_LEN; 1124 else 1125 iv_len = s->blkcipher.iv_len; 1126 1127 /* 1128 * GCM requests should always provide an explicit IV. 1129 */ 1130 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) 1131 return (EINVAL); 1132 1133 /* 1134 * The output buffer consists of the cipher text followed by 1135 * the tag when encrypting. For decryption it only contains 1136 * the plain text. 1137 * 1138 * Due to a firmware bug, the output buffer must include a 1139 * dummy output buffer for the IV and AAD prior to the real 1140 * output buffer. 1141 */ 1142 if (op_type == CHCR_ENCRYPT_OP) { 1143 if (iv_len + crp->crp_aad_length + crp->crp_payload_length + 1144 hash_size_in_response > MAX_REQUEST_SIZE) 1145 return (EFBIG); 1146 } else { 1147 if (iv_len + crp->crp_aad_length + crp->crp_payload_length > 1148 MAX_REQUEST_SIZE) 1149 return (EFBIG); 1150 } 1151 sglist_reset(sc->sg_dsgl); 1152 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, iv_len + 1153 crp->crp_aad_length); 1154 if (error) 1155 return (error); 1156 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1157 crp->crp_payload_start, crp->crp_payload_length); 1158 if (error) 1159 return (error); 1160 if (op_type == CHCR_ENCRYPT_OP) { 1161 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1162 crp->crp_digest_start, hash_size_in_response); 1163 if (error) 1164 return (error); 1165 } 1166 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 1167 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 1168 return (EFBIG); 1169 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 1170 1171 /* 1172 * The 'key' part of the key context consists of the key followed 1173 * by the Galois hash key. 1174 */ 1175 kctx_len = roundup2(s->blkcipher.key_len, 16) + GMAC_BLOCK_LEN; 1176 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 1177 1178 /* 1179 * The input buffer consists of the IV, any AAD, and then the 1180 * cipher/plain text. For decryption requests the hash is 1181 * appended after the cipher text. 1182 * 1183 * The IV is always stored at the start of the input buffer 1184 * even though it may be duplicated in the payload. The 1185 * crypto engine doesn't work properly if the IV offset points 1186 * inside of the AAD region, so a second copy is always 1187 * required. 1188 */ 1189 input_len = crp->crp_aad_length + crp->crp_payload_length; 1190 if (op_type == CHCR_DECRYPT_OP) 1191 input_len += hash_size_in_response; 1192 if (input_len > MAX_REQUEST_SIZE) 1193 return (EFBIG); 1194 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 1195 imm_len = input_len; 1196 sgl_nsegs = 0; 1197 sgl_len = 0; 1198 } else { 1199 imm_len = 0; 1200 sglist_reset(sc->sg_ulptx); 1201 if (crp->crp_aad_length != 0) { 1202 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1203 crp->crp_aad_start, crp->crp_aad_length); 1204 if (error) 1205 return (error); 1206 } 1207 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1208 crp->crp_payload_start, crp->crp_payload_length); 1209 if (error) 1210 return (error); 1211 if (op_type == CHCR_DECRYPT_OP) { 1212 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1213 crp->crp_digest_start, hash_size_in_response); 1214 if (error) 1215 return (error); 1216 } 1217 sgl_nsegs = sc->sg_ulptx->sg_nseg; 1218 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 1219 } 1220 1221 if (crp->crp_aad_length != 0) { 1222 aad_start = iv_len + 1; 1223 aad_stop = aad_start + crp->crp_aad_length - 1; 1224 } else { 1225 aad_start = 0; 1226 aad_stop = 0; 1227 } 1228 cipher_start = iv_len + crp->crp_aad_length + 1; 1229 if (op_type == CHCR_DECRYPT_OP) 1230 cipher_stop = hash_size_in_response; 1231 else 1232 cipher_stop = 0; 1233 if (op_type == CHCR_DECRYPT_OP) 1234 auth_insert = hash_size_in_response; 1235 else 1236 auth_insert = 0; 1237 1238 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 1239 sgl_len; 1240 if (wr_len > SGE_MAX_WR_LEN) 1241 return (EFBIG); 1242 wr = alloc_wrqe(wr_len, s->port->txq); 1243 if (wr == NULL) { 1244 sc->stats_wr_nomem++; 1245 return (ENOMEM); 1246 } 1247 crwr = wrtod(wr); 1248 memset(crwr, 0, wr_len); 1249 1250 memcpy(iv, crp->crp_iv, s->blkcipher.iv_len); 1251 if (s->blkcipher.iv_len == 12) 1252 *(uint32_t *)&iv[12] = htobe32(1); 1253 1254 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0, 1255 crp); 1256 1257 crwr->sec_cpl.op_ivinsrtofst = htobe32( 1258 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 1259 V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) | 1260 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 1261 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 1262 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 1263 1264 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 1265 1266 /* 1267 * NB: cipherstop is explicitly set to 0. On encrypt it 1268 * should normally be set to 0 anyway. However, for decrypt 1269 * the cipher ends before the tag in the ETA case (and 1270 * authstop is set to stop before the tag), but for GCM the 1271 * cipher still runs to the end of the buffer. Not sure if 1272 * this is intentional or a firmware quirk, but it is required 1273 * for working tag validation with GCM decryption. 1274 */ 1275 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 1276 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 1277 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 1278 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 1279 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 1280 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1281 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) | 1282 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1283 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1284 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1285 1286 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1287 hmac_ctrl = ccr_hmac_ctrl(AES_GMAC_HASH_LEN, hash_size_in_response); 1288 crwr->sec_cpl.seqno_numivs = htobe32( 1289 V_SCMD_SEQ_NO_CTRL(0) | 1290 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 1291 V_SCMD_ENC_DEC_CTRL(op_type) | 1292 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 1293 V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_GCM) | 1294 V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_GHASH) | 1295 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1296 V_SCMD_IV_SIZE(iv_len / 2) | 1297 V_SCMD_NUM_IVS(0)); 1298 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1299 V_SCMD_IV_GEN_CTRL(0) | 1300 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1301 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1302 1303 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1304 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len); 1305 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16); 1306 memcpy(dst, s->gmac.ghash_h, GMAC_BLOCK_LEN); 1307 1308 dst = (char *)(crwr + 1) + kctx_len; 1309 ccr_write_phys_dsgl(sc, s, dst, dsgl_nsegs); 1310 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1311 memcpy(dst, iv, iv_len); 1312 dst += iv_len; 1313 if (imm_len != 0) { 1314 if (crp->crp_aad_length != 0) { 1315 crypto_copydata(crp, crp->crp_aad_start, 1316 crp->crp_aad_length, dst); 1317 dst += crp->crp_aad_length; 1318 } 1319 crypto_copydata(crp, crp->crp_payload_start, 1320 crp->crp_payload_length, dst); 1321 dst += crp->crp_payload_length; 1322 if (op_type == CHCR_DECRYPT_OP) 1323 crypto_copydata(crp, crp->crp_digest_start, 1324 hash_size_in_response, dst); 1325 } else 1326 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1327 1328 /* XXX: TODO backpressure */ 1329 t4_wrq_tx(sc->adapter, wr); 1330 1331 return (0); 1332 } 1333 1334 static int 1335 ccr_gcm_done(struct ccr_softc *sc, struct ccr_session *s, 1336 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1337 { 1338 1339 /* 1340 * The updated IV to permit chained requests is at 1341 * cpl->data[2], but OCF doesn't permit chained requests. 1342 * 1343 * Note that the hardware should always verify the GMAC hash. 1344 */ 1345 return (error); 1346 } 1347 1348 /* 1349 * Handle a GCM request that is not supported by the crypto engine by 1350 * performing the operation in software. Derived from swcr_authenc(). 1351 */ 1352 static void 1353 ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp) 1354 { 1355 struct auth_hash *axf; 1356 struct enc_xform *exf; 1357 void *auth_ctx, *kschedule; 1358 char block[GMAC_BLOCK_LEN]; 1359 char digest[GMAC_DIGEST_LEN]; 1360 char iv[AES_BLOCK_LEN]; 1361 int error, i, len; 1362 1363 auth_ctx = NULL; 1364 kschedule = NULL; 1365 1366 /* Initialize the MAC. */ 1367 switch (s->blkcipher.key_len) { 1368 case 16: 1369 axf = &auth_hash_nist_gmac_aes_128; 1370 break; 1371 case 24: 1372 axf = &auth_hash_nist_gmac_aes_192; 1373 break; 1374 case 32: 1375 axf = &auth_hash_nist_gmac_aes_256; 1376 break; 1377 default: 1378 error = EINVAL; 1379 goto out; 1380 } 1381 auth_ctx = malloc(axf->ctxsize, M_CCR, M_NOWAIT); 1382 if (auth_ctx == NULL) { 1383 error = ENOMEM; 1384 goto out; 1385 } 1386 axf->Init(auth_ctx); 1387 axf->Setkey(auth_ctx, s->blkcipher.enckey, s->blkcipher.key_len); 1388 1389 /* Initialize the cipher. */ 1390 exf = &enc_xform_aes_nist_gcm; 1391 kschedule = malloc(exf->ctxsize, M_CCR, M_NOWAIT); 1392 if (kschedule == NULL) { 1393 error = ENOMEM; 1394 goto out; 1395 } 1396 error = exf->setkey(kschedule, s->blkcipher.enckey, 1397 s->blkcipher.key_len); 1398 if (error) 1399 goto out; 1400 1401 /* 1402 * This assumes a 12-byte IV from the crp. See longer comment 1403 * above in ccr_gcm() for more details. 1404 */ 1405 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) { 1406 error = EINVAL; 1407 goto out; 1408 } 1409 memcpy(iv, crp->crp_iv, 12); 1410 *(uint32_t *)&iv[12] = htobe32(1); 1411 1412 axf->Reinit(auth_ctx, iv, sizeof(iv)); 1413 1414 /* MAC the AAD. */ 1415 for (i = 0; i < crp->crp_aad_length; i += sizeof(block)) { 1416 len = imin(crp->crp_aad_length - i, sizeof(block)); 1417 crypto_copydata(crp, crp->crp_aad_start + i, len, block); 1418 bzero(block + len, sizeof(block) - len); 1419 axf->Update(auth_ctx, block, sizeof(block)); 1420 } 1421 1422 exf->reinit(kschedule, iv); 1423 1424 /* Do encryption with MAC */ 1425 for (i = 0; i < crp->crp_payload_length; i += sizeof(block)) { 1426 len = imin(crp->crp_payload_length - i, sizeof(block)); 1427 crypto_copydata(crp, crp->crp_payload_start + i, len, block); 1428 bzero(block + len, sizeof(block) - len); 1429 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 1430 exf->encrypt(kschedule, block, block); 1431 axf->Update(auth_ctx, block, len); 1432 crypto_copyback(crp, crp->crp_payload_start + i, len, 1433 block); 1434 } else { 1435 axf->Update(auth_ctx, block, len); 1436 } 1437 } 1438 1439 /* Length block. */ 1440 bzero(block, sizeof(block)); 1441 ((uint32_t *)block)[1] = htobe32(crp->crp_aad_length * 8); 1442 ((uint32_t *)block)[3] = htobe32(crp->crp_payload_length * 8); 1443 axf->Update(auth_ctx, block, sizeof(block)); 1444 1445 /* Finalize MAC. */ 1446 axf->Final(digest, auth_ctx); 1447 1448 /* Inject or validate tag. */ 1449 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 1450 crypto_copyback(crp, crp->crp_digest_start, sizeof(digest), 1451 digest); 1452 error = 0; 1453 } else { 1454 char digest2[GMAC_DIGEST_LEN]; 1455 1456 crypto_copydata(crp, crp->crp_digest_start, sizeof(digest2), 1457 digest2); 1458 if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) { 1459 error = 0; 1460 1461 /* Tag matches, decrypt data. */ 1462 for (i = 0; i < crp->crp_payload_length; 1463 i += sizeof(block)) { 1464 len = imin(crp->crp_payload_length - i, 1465 sizeof(block)); 1466 crypto_copydata(crp, crp->crp_payload_start + i, 1467 len, block); 1468 bzero(block + len, sizeof(block) - len); 1469 exf->decrypt(kschedule, block, block); 1470 crypto_copyback(crp, crp->crp_payload_start + i, 1471 len, block); 1472 } 1473 } else 1474 error = EBADMSG; 1475 } 1476 1477 out: 1478 zfree(kschedule, M_CCR); 1479 zfree(auth_ctx, M_CCR); 1480 crp->crp_etype = error; 1481 crypto_done(crp); 1482 } 1483 1484 static void 1485 generate_ccm_b0(struct cryptop *crp, u_int hash_size_in_response, 1486 const char *iv, char *b0) 1487 { 1488 u_int i, payload_len; 1489 1490 /* NB: L is already set in the first byte of the IV. */ 1491 memcpy(b0, iv, CCM_B0_SIZE); 1492 1493 /* Set length of hash in bits 3 - 5. */ 1494 b0[0] |= (((hash_size_in_response - 2) / 2) << 3); 1495 1496 /* Store the payload length as a big-endian value. */ 1497 payload_len = crp->crp_payload_length; 1498 for (i = 0; i < iv[0]; i++) { 1499 b0[CCM_CBC_BLOCK_LEN - 1 - i] = payload_len; 1500 payload_len >>= 8; 1501 } 1502 1503 /* 1504 * If there is AAD in the request, set bit 6 in the flags 1505 * field and store the AAD length as a big-endian value at the 1506 * start of block 1. This only assumes a 16-bit AAD length 1507 * since T6 doesn't support large AAD sizes. 1508 */ 1509 if (crp->crp_aad_length != 0) { 1510 b0[0] |= (1 << 6); 1511 *(uint16_t *)(b0 + CCM_B0_SIZE) = htobe16(crp->crp_aad_length); 1512 } 1513 } 1514 1515 static int 1516 ccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 1517 { 1518 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 1519 struct ulptx_idata *idata; 1520 struct chcr_wr *crwr; 1521 struct wrqe *wr; 1522 char *dst; 1523 u_int iv_len, kctx_len, op_type, transhdr_len, wr_len; 1524 u_int aad_len, b0_len, hash_size_in_response, imm_len; 1525 u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert; 1526 u_int hmac_ctrl, input_len; 1527 int dsgl_nsegs, dsgl_len; 1528 int sgl_nsegs, sgl_len; 1529 int error; 1530 1531 if (s->blkcipher.key_len == 0) 1532 return (EINVAL); 1533 1534 /* 1535 * The crypto engine doesn't handle CCM requests with an empty 1536 * payload, so handle those in software instead. 1537 */ 1538 if (crp->crp_payload_length == 0) 1539 return (EMSGSIZE); 1540 1541 /* 1542 * CCM always includes block 0 in the AAD before AAD from the 1543 * request. 1544 */ 1545 b0_len = CCM_B0_SIZE; 1546 if (crp->crp_aad_length != 0) 1547 b0_len += CCM_AAD_FIELD_SIZE; 1548 aad_len = b0_len + crp->crp_aad_length; 1549 1550 /* 1551 * CCM requests should always provide an explicit IV (really 1552 * the nonce). 1553 */ 1554 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) 1555 return (EINVAL); 1556 1557 /* 1558 * Always assume a 12 byte input nonce for now since that is 1559 * what OCF always generates. The full IV in the work request 1560 * is 16 bytes. 1561 */ 1562 iv_len = AES_BLOCK_LEN; 1563 1564 if (iv_len + aad_len > MAX_AAD_LEN) 1565 return (EMSGSIZE); 1566 1567 hash_size_in_response = s->ccm_mac.hash_len; 1568 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1569 op_type = CHCR_ENCRYPT_OP; 1570 else 1571 op_type = CHCR_DECRYPT_OP; 1572 1573 /* 1574 * The output buffer consists of the cipher text followed by 1575 * the tag when encrypting. For decryption it only contains 1576 * the plain text. 1577 * 1578 * Due to a firmware bug, the output buffer must include a 1579 * dummy output buffer for the IV and AAD prior to the real 1580 * output buffer. 1581 */ 1582 if (op_type == CHCR_ENCRYPT_OP) { 1583 if (iv_len + aad_len + crp->crp_payload_length + 1584 hash_size_in_response > MAX_REQUEST_SIZE) 1585 return (EFBIG); 1586 } else { 1587 if (iv_len + aad_len + crp->crp_payload_length > 1588 MAX_REQUEST_SIZE) 1589 return (EFBIG); 1590 } 1591 sglist_reset(sc->sg_dsgl); 1592 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, iv_len + 1593 aad_len); 1594 if (error) 1595 return (error); 1596 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1597 crp->crp_payload_start, crp->crp_payload_length); 1598 if (error) 1599 return (error); 1600 if (op_type == CHCR_ENCRYPT_OP) { 1601 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1602 crp->crp_digest_start, hash_size_in_response); 1603 if (error) 1604 return (error); 1605 } 1606 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 1607 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 1608 return (EFBIG); 1609 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 1610 1611 /* 1612 * The 'key' part of the key context consists of two copies of 1613 * the AES key. 1614 */ 1615 kctx_len = roundup2(s->blkcipher.key_len, 16) * 2; 1616 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 1617 1618 /* 1619 * The input buffer consists of the IV, AAD (including block 1620 * 0), and then the cipher/plain text. For decryption 1621 * requests the hash is appended after the cipher text. 1622 * 1623 * The IV is always stored at the start of the input buffer 1624 * even though it may be duplicated in the payload. The 1625 * crypto engine doesn't work properly if the IV offset points 1626 * inside of the AAD region, so a second copy is always 1627 * required. 1628 */ 1629 input_len = aad_len + crp->crp_payload_length; 1630 if (op_type == CHCR_DECRYPT_OP) 1631 input_len += hash_size_in_response; 1632 if (input_len > MAX_REQUEST_SIZE) 1633 return (EFBIG); 1634 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 1635 imm_len = input_len; 1636 sgl_nsegs = 0; 1637 sgl_len = 0; 1638 } else { 1639 /* Block 0 is passed as immediate data. */ 1640 imm_len = b0_len; 1641 1642 sglist_reset(sc->sg_ulptx); 1643 if (crp->crp_aad_length != 0) { 1644 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1645 crp->crp_aad_start, crp->crp_aad_length); 1646 if (error) 1647 return (error); 1648 } 1649 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1650 crp->crp_payload_start, crp->crp_payload_length); 1651 if (error) 1652 return (error); 1653 if (op_type == CHCR_DECRYPT_OP) { 1654 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1655 crp->crp_digest_start, hash_size_in_response); 1656 if (error) 1657 return (error); 1658 } 1659 sgl_nsegs = sc->sg_ulptx->sg_nseg; 1660 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 1661 } 1662 1663 aad_start = iv_len + 1; 1664 aad_stop = aad_start + aad_len - 1; 1665 cipher_start = aad_stop + 1; 1666 if (op_type == CHCR_DECRYPT_OP) 1667 cipher_stop = hash_size_in_response; 1668 else 1669 cipher_stop = 0; 1670 if (op_type == CHCR_DECRYPT_OP) 1671 auth_insert = hash_size_in_response; 1672 else 1673 auth_insert = 0; 1674 1675 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 1676 sgl_len; 1677 if (wr_len > SGE_MAX_WR_LEN) 1678 return (EFBIG); 1679 wr = alloc_wrqe(wr_len, s->port->txq); 1680 if (wr == NULL) { 1681 sc->stats_wr_nomem++; 1682 return (ENOMEM); 1683 } 1684 crwr = wrtod(wr); 1685 memset(crwr, 0, wr_len); 1686 1687 /* 1688 * Read the nonce from the request. Use the nonce to generate 1689 * the full IV with the counter set to 0. 1690 */ 1691 memset(iv, 0, iv_len); 1692 iv[0] = (15 - AES_CCM_IV_LEN) - 1; 1693 memcpy(iv + 1, crp->crp_iv, AES_CCM_IV_LEN); 1694 1695 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0, 1696 crp); 1697 1698 crwr->sec_cpl.op_ivinsrtofst = htobe32( 1699 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 1700 V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) | 1701 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 1702 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 1703 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 1704 1705 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 1706 1707 /* 1708 * NB: cipherstop is explicitly set to 0. See comments above 1709 * in ccr_gcm(). 1710 */ 1711 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 1712 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 1713 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 1714 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 1715 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 1716 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1717 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) | 1718 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1719 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1720 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1721 1722 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1723 hmac_ctrl = ccr_hmac_ctrl(AES_CBC_MAC_HASH_LEN, hash_size_in_response); 1724 crwr->sec_cpl.seqno_numivs = htobe32( 1725 V_SCMD_SEQ_NO_CTRL(0) | 1726 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 1727 V_SCMD_ENC_DEC_CTRL(op_type) | 1728 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 0 : 1) | 1729 V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_CCM) | 1730 V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_CBCMAC) | 1731 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1732 V_SCMD_IV_SIZE(iv_len / 2) | 1733 V_SCMD_NUM_IVS(0)); 1734 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1735 V_SCMD_IV_GEN_CTRL(0) | 1736 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1737 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1738 1739 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1740 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len); 1741 memcpy(crwr->key_ctx.key + roundup(s->blkcipher.key_len, 16), 1742 s->blkcipher.enckey, s->blkcipher.key_len); 1743 1744 dst = (char *)(crwr + 1) + kctx_len; 1745 ccr_write_phys_dsgl(sc, s, dst, dsgl_nsegs); 1746 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1747 memcpy(dst, iv, iv_len); 1748 dst += iv_len; 1749 generate_ccm_b0(crp, hash_size_in_response, iv, dst); 1750 if (sgl_nsegs == 0) { 1751 dst += b0_len; 1752 if (crp->crp_aad_length != 0) { 1753 crypto_copydata(crp, crp->crp_aad_start, 1754 crp->crp_aad_length, dst); 1755 dst += crp->crp_aad_length; 1756 } 1757 crypto_copydata(crp, crp->crp_payload_start, 1758 crp->crp_payload_length, dst); 1759 dst += crp->crp_payload_length; 1760 if (op_type == CHCR_DECRYPT_OP) 1761 crypto_copydata(crp, crp->crp_digest_start, 1762 hash_size_in_response, dst); 1763 } else { 1764 dst += CCM_B0_SIZE; 1765 if (b0_len > CCM_B0_SIZE) { 1766 /* 1767 * If there is AAD, insert padding including a 1768 * ULP_TX_SC_NOOP so that the ULP_TX_SC_DSGL 1769 * is 16-byte aligned. 1770 */ 1771 KASSERT(b0_len - CCM_B0_SIZE == CCM_AAD_FIELD_SIZE, 1772 ("b0_len mismatch")); 1773 memset(dst + CCM_AAD_FIELD_SIZE, 0, 1774 8 - CCM_AAD_FIELD_SIZE); 1775 idata = (void *)(dst + 8); 1776 idata->cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_NOOP)); 1777 idata->len = htobe32(0); 1778 dst = (void *)(idata + 1); 1779 } 1780 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1781 } 1782 1783 /* XXX: TODO backpressure */ 1784 t4_wrq_tx(sc->adapter, wr); 1785 1786 return (0); 1787 } 1788 1789 static int 1790 ccr_ccm_done(struct ccr_softc *sc, struct ccr_session *s, 1791 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1792 { 1793 1794 /* 1795 * The updated IV to permit chained requests is at 1796 * cpl->data[2], but OCF doesn't permit chained requests. 1797 * 1798 * Note that the hardware should always verify the CBC MAC 1799 * hash. 1800 */ 1801 return (error); 1802 } 1803 1804 /* 1805 * Handle a CCM request that is not supported by the crypto engine by 1806 * performing the operation in software. Derived from swcr_authenc(). 1807 */ 1808 static void 1809 ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp) 1810 { 1811 struct auth_hash *axf; 1812 struct enc_xform *exf; 1813 union authctx *auth_ctx; 1814 void *kschedule; 1815 char block[CCM_CBC_BLOCK_LEN]; 1816 char digest[AES_CBC_MAC_HASH_LEN]; 1817 char iv[AES_CCM_IV_LEN]; 1818 int error, i, len; 1819 1820 auth_ctx = NULL; 1821 kschedule = NULL; 1822 1823 /* Initialize the MAC. */ 1824 switch (s->blkcipher.key_len) { 1825 case 16: 1826 axf = &auth_hash_ccm_cbc_mac_128; 1827 break; 1828 case 24: 1829 axf = &auth_hash_ccm_cbc_mac_192; 1830 break; 1831 case 32: 1832 axf = &auth_hash_ccm_cbc_mac_256; 1833 break; 1834 default: 1835 error = EINVAL; 1836 goto out; 1837 } 1838 auth_ctx = malloc(axf->ctxsize, M_CCR, M_NOWAIT); 1839 if (auth_ctx == NULL) { 1840 error = ENOMEM; 1841 goto out; 1842 } 1843 axf->Init(auth_ctx); 1844 axf->Setkey(auth_ctx, s->blkcipher.enckey, s->blkcipher.key_len); 1845 1846 /* Initialize the cipher. */ 1847 exf = &enc_xform_ccm; 1848 kschedule = malloc(exf->ctxsize, M_CCR, M_NOWAIT); 1849 if (kschedule == NULL) { 1850 error = ENOMEM; 1851 goto out; 1852 } 1853 error = exf->setkey(kschedule, s->blkcipher.enckey, 1854 s->blkcipher.key_len); 1855 if (error) 1856 goto out; 1857 1858 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) { 1859 error = EINVAL; 1860 goto out; 1861 } 1862 memcpy(iv, crp->crp_iv, AES_CCM_IV_LEN); 1863 1864 auth_ctx->aes_cbc_mac_ctx.authDataLength = crp->crp_aad_length; 1865 auth_ctx->aes_cbc_mac_ctx.cryptDataLength = crp->crp_payload_length; 1866 axf->Reinit(auth_ctx, iv, sizeof(iv)); 1867 1868 /* MAC the AAD. */ 1869 for (i = 0; i < crp->crp_aad_length; i += sizeof(block)) { 1870 len = imin(crp->crp_aad_length - i, sizeof(block)); 1871 crypto_copydata(crp, crp->crp_aad_start + i, len, block); 1872 bzero(block + len, sizeof(block) - len); 1873 axf->Update(auth_ctx, block, sizeof(block)); 1874 } 1875 1876 exf->reinit(kschedule, iv); 1877 1878 /* Do encryption/decryption with MAC */ 1879 for (i = 0; i < crp->crp_payload_length; i += sizeof(block)) { 1880 len = imin(crp->crp_payload_length - i, sizeof(block)); 1881 crypto_copydata(crp, crp->crp_payload_start + i, len, block); 1882 bzero(block + len, sizeof(block) - len); 1883 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 1884 axf->Update(auth_ctx, block, len); 1885 exf->encrypt(kschedule, block, block); 1886 crypto_copyback(crp, crp->crp_payload_start + i, len, 1887 block); 1888 } else { 1889 exf->decrypt(kschedule, block, block); 1890 axf->Update(auth_ctx, block, len); 1891 } 1892 } 1893 1894 /* Finalize MAC. */ 1895 axf->Final(digest, auth_ctx); 1896 1897 /* Inject or validate tag. */ 1898 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 1899 crypto_copyback(crp, crp->crp_digest_start, sizeof(digest), 1900 digest); 1901 error = 0; 1902 } else { 1903 char digest2[AES_CBC_MAC_HASH_LEN]; 1904 1905 crypto_copydata(crp, crp->crp_digest_start, sizeof(digest2), 1906 digest2); 1907 if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) { 1908 error = 0; 1909 1910 /* Tag matches, decrypt data. */ 1911 exf->reinit(kschedule, iv); 1912 for (i = 0; i < crp->crp_payload_length; 1913 i += sizeof(block)) { 1914 len = imin(crp->crp_payload_length - i, 1915 sizeof(block)); 1916 crypto_copydata(crp, crp->crp_payload_start + i, 1917 len, block); 1918 bzero(block + len, sizeof(block) - len); 1919 exf->decrypt(kschedule, block, block); 1920 crypto_copyback(crp, crp->crp_payload_start + i, 1921 len, block); 1922 } 1923 } else 1924 error = EBADMSG; 1925 } 1926 1927 out: 1928 zfree(kschedule, M_CCR); 1929 zfree(auth_ctx, M_CCR); 1930 crp->crp_etype = error; 1931 crypto_done(crp); 1932 } 1933 1934 static void 1935 ccr_identify(driver_t *driver, device_t parent) 1936 { 1937 struct adapter *sc; 1938 1939 sc = device_get_softc(parent); 1940 if (sc->cryptocaps & FW_CAPS_CONFIG_CRYPTO_LOOKASIDE && 1941 device_find_child(parent, "ccr", -1) == NULL) 1942 device_add_child(parent, "ccr", -1); 1943 } 1944 1945 static int 1946 ccr_probe(device_t dev) 1947 { 1948 1949 device_set_desc(dev, "Chelsio Crypto Accelerator"); 1950 return (BUS_PROBE_DEFAULT); 1951 } 1952 1953 static void 1954 ccr_sysctls(struct ccr_softc *sc) 1955 { 1956 struct sysctl_ctx_list *ctx; 1957 struct sysctl_oid *oid, *port_oid; 1958 struct sysctl_oid_list *children; 1959 char buf[16]; 1960 int i; 1961 1962 ctx = device_get_sysctl_ctx(sc->dev); 1963 1964 /* 1965 * dev.ccr.X. 1966 */ 1967 oid = device_get_sysctl_tree(sc->dev); 1968 children = SYSCTL_CHILDREN(oid); 1969 1970 SYSCTL_ADD_UINT(ctx, children, OID_AUTO, "port_mask", CTLFLAG_RW, 1971 &sc->port_mask, 0, "Mask of enabled ports"); 1972 1973 /* 1974 * dev.ccr.X.stats. 1975 */ 1976 oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "stats", 1977 CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "statistics"); 1978 children = SYSCTL_CHILDREN(oid); 1979 1980 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "hash", CTLFLAG_RD, 1981 &sc->stats_hash, 0, "Hash requests submitted"); 1982 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "hmac", CTLFLAG_RD, 1983 &sc->stats_hmac, 0, "HMAC requests submitted"); 1984 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_encrypt", CTLFLAG_RD, 1985 &sc->stats_blkcipher_encrypt, 0, 1986 "Cipher encryption requests submitted"); 1987 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_decrypt", CTLFLAG_RD, 1988 &sc->stats_blkcipher_decrypt, 0, 1989 "Cipher decryption requests submitted"); 1990 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "eta_encrypt", CTLFLAG_RD, 1991 &sc->stats_eta_encrypt, 0, 1992 "Combined AES+HMAC encryption requests submitted"); 1993 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "eta_decrypt", CTLFLAG_RD, 1994 &sc->stats_eta_decrypt, 0, 1995 "Combined AES+HMAC decryption requests submitted"); 1996 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_encrypt", CTLFLAG_RD, 1997 &sc->stats_gcm_encrypt, 0, "AES-GCM encryption requests submitted"); 1998 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_decrypt", CTLFLAG_RD, 1999 &sc->stats_gcm_decrypt, 0, "AES-GCM decryption requests submitted"); 2000 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "ccm_encrypt", CTLFLAG_RD, 2001 &sc->stats_ccm_encrypt, 0, "AES-CCM encryption requests submitted"); 2002 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "ccm_decrypt", CTLFLAG_RD, 2003 &sc->stats_ccm_decrypt, 0, "AES-CCM decryption requests submitted"); 2004 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "wr_nomem", CTLFLAG_RD, 2005 &sc->stats_wr_nomem, 0, "Work request memory allocation failures"); 2006 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "inflight", CTLFLAG_RD, 2007 &sc->stats_inflight, 0, "Requests currently pending"); 2008 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "mac_error", CTLFLAG_RD, 2009 &sc->stats_mac_error, 0, "MAC errors"); 2010 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "pad_error", CTLFLAG_RD, 2011 &sc->stats_pad_error, 0, "Padding errors"); 2012 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "bad_session", CTLFLAG_RD, 2013 &sc->stats_bad_session, 0, "Requests with invalid session ID"); 2014 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sglist_error", CTLFLAG_RD, 2015 &sc->stats_sglist_error, 0, 2016 "Requests for which DMA mapping failed"); 2017 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "process_error", CTLFLAG_RD, 2018 &sc->stats_process_error, 0, "Requests failed during queueing"); 2019 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sw_fallback", CTLFLAG_RD, 2020 &sc->stats_sw_fallback, 0, 2021 "Requests processed by falling back to software"); 2022 2023 /* 2024 * dev.ccr.X.stats.port 2025 */ 2026 port_oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "port", 2027 CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "Per-port statistics"); 2028 2029 for (i = 0; i < nitems(sc->ports); i++) { 2030 if (sc->ports[i].rxq == NULL) 2031 continue; 2032 2033 /* 2034 * dev.ccr.X.stats.port.Y 2035 */ 2036 snprintf(buf, sizeof(buf), "%d", i); 2037 oid = SYSCTL_ADD_NODE(ctx, SYSCTL_CHILDREN(port_oid), OID_AUTO, 2038 buf, CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, buf); 2039 children = SYSCTL_CHILDREN(oid); 2040 2041 SYSCTL_ADD_UINT(ctx, children, OID_AUTO, "active_sessions", 2042 CTLFLAG_RD, &sc->ports[i].active_sessions, 0, 2043 "Count of active sessions"); 2044 } 2045 } 2046 2047 static void 2048 ccr_init_port(struct ccr_softc *sc, int port) 2049 { 2050 2051 sc->ports[port].txq = &sc->adapter->sge.ctrlq[port]; 2052 sc->ports[port].rxq = 2053 &sc->adapter->sge.rxq[sc->adapter->port[port]->vi->first_rxq]; 2054 sc->ports[port].tx_channel_id = port; 2055 _Static_assert(sizeof(sc->port_mask) * NBBY >= MAX_NPORTS - 1, 2056 "Too many ports to fit in port_mask"); 2057 sc->port_mask |= 1u << port; 2058 } 2059 2060 static int 2061 ccr_attach(device_t dev) 2062 { 2063 struct ccr_softc *sc; 2064 int32_t cid; 2065 int i; 2066 2067 sc = device_get_softc(dev); 2068 sc->dev = dev; 2069 sc->adapter = device_get_softc(device_get_parent(dev)); 2070 for_each_port(sc->adapter, i) { 2071 ccr_init_port(sc, i); 2072 } 2073 cid = crypto_get_driverid(dev, sizeof(struct ccr_session), 2074 CRYPTOCAP_F_HARDWARE); 2075 if (cid < 0) { 2076 device_printf(dev, "could not get crypto driver id\n"); 2077 return (ENXIO); 2078 } 2079 sc->cid = cid; 2080 sc->adapter->ccr_softc = sc; 2081 2082 mtx_init(&sc->lock, "ccr", NULL, MTX_DEF); 2083 sc->sg_crp = sglist_alloc(TX_SGL_SEGS, M_WAITOK); 2084 sc->sg_ulptx = sglist_alloc(TX_SGL_SEGS, M_WAITOK); 2085 sc->sg_dsgl = sglist_alloc(MAX_RX_PHYS_DSGL_SGE, M_WAITOK); 2086 sc->iv_aad_buf = malloc(MAX_AAD_LEN, M_CCR, M_WAITOK); 2087 sc->sg_iv_aad = sglist_build(sc->iv_aad_buf, MAX_AAD_LEN, M_WAITOK); 2088 ccr_sysctls(sc); 2089 2090 return (0); 2091 } 2092 2093 static int 2094 ccr_detach(device_t dev) 2095 { 2096 struct ccr_softc *sc; 2097 2098 sc = device_get_softc(dev); 2099 2100 mtx_lock(&sc->lock); 2101 sc->detaching = true; 2102 mtx_unlock(&sc->lock); 2103 2104 crypto_unregister_all(sc->cid); 2105 2106 mtx_destroy(&sc->lock); 2107 sglist_free(sc->sg_iv_aad); 2108 free(sc->iv_aad_buf, M_CCR); 2109 sglist_free(sc->sg_dsgl); 2110 sglist_free(sc->sg_ulptx); 2111 sglist_free(sc->sg_crp); 2112 sc->adapter->ccr_softc = NULL; 2113 return (0); 2114 } 2115 2116 static void 2117 ccr_init_hash_digest(struct ccr_session *s) 2118 { 2119 union authctx auth_ctx; 2120 struct auth_hash *axf; 2121 2122 axf = s->hmac.auth_hash; 2123 axf->Init(&auth_ctx); 2124 t4_copy_partial_hash(axf->type, &auth_ctx, s->hmac.pads); 2125 } 2126 2127 static bool 2128 ccr_aes_check_keylen(int alg, int klen) 2129 { 2130 2131 switch (klen * 8) { 2132 case 128: 2133 case 192: 2134 if (alg == CRYPTO_AES_XTS) 2135 return (false); 2136 break; 2137 case 256: 2138 break; 2139 case 512: 2140 if (alg != CRYPTO_AES_XTS) 2141 return (false); 2142 break; 2143 default: 2144 return (false); 2145 } 2146 return (true); 2147 } 2148 2149 static void 2150 ccr_aes_setkey(struct ccr_session *s, const void *key, int klen) 2151 { 2152 unsigned int ck_size, iopad_size, kctx_flits, kctx_len, kbits, mk_size; 2153 unsigned int opad_present; 2154 2155 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS) 2156 kbits = (klen / 2) * 8; 2157 else 2158 kbits = klen * 8; 2159 switch (kbits) { 2160 case 128: 2161 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128; 2162 break; 2163 case 192: 2164 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192; 2165 break; 2166 case 256: 2167 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256; 2168 break; 2169 default: 2170 panic("should not get here"); 2171 } 2172 2173 s->blkcipher.key_len = klen; 2174 memcpy(s->blkcipher.enckey, key, s->blkcipher.key_len); 2175 switch (s->blkcipher.cipher_mode) { 2176 case SCMD_CIPH_MODE_AES_CBC: 2177 case SCMD_CIPH_MODE_AES_XTS: 2178 t4_aes_getdeckey(s->blkcipher.deckey, key, kbits); 2179 break; 2180 } 2181 2182 kctx_len = roundup2(s->blkcipher.key_len, 16); 2183 switch (s->mode) { 2184 case ETA: 2185 mk_size = s->hmac.mk_size; 2186 opad_present = 1; 2187 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 2188 kctx_len += iopad_size * 2; 2189 break; 2190 case GCM: 2191 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 2192 opad_present = 0; 2193 kctx_len += GMAC_BLOCK_LEN; 2194 break; 2195 case CCM: 2196 switch (kbits) { 2197 case 128: 2198 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 2199 break; 2200 case 192: 2201 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_192; 2202 break; 2203 case 256: 2204 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 2205 break; 2206 default: 2207 panic("should not get here"); 2208 } 2209 opad_present = 0; 2210 kctx_len *= 2; 2211 break; 2212 default: 2213 mk_size = CHCR_KEYCTX_NO_KEY; 2214 opad_present = 0; 2215 break; 2216 } 2217 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 2218 s->blkcipher.key_ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 2219 V_KEY_CONTEXT_DUAL_CK(s->blkcipher.cipher_mode == 2220 SCMD_CIPH_MODE_AES_XTS) | 2221 V_KEY_CONTEXT_OPAD_PRESENT(opad_present) | 2222 V_KEY_CONTEXT_SALT_PRESENT(1) | V_KEY_CONTEXT_CK_SIZE(ck_size) | 2223 V_KEY_CONTEXT_MK_SIZE(mk_size) | V_KEY_CONTEXT_VALID(1)); 2224 } 2225 2226 static bool 2227 ccr_auth_supported(const struct crypto_session_params *csp) 2228 { 2229 2230 switch (csp->csp_auth_alg) { 2231 case CRYPTO_SHA1: 2232 case CRYPTO_SHA2_224: 2233 case CRYPTO_SHA2_256: 2234 case CRYPTO_SHA2_384: 2235 case CRYPTO_SHA2_512: 2236 case CRYPTO_SHA1_HMAC: 2237 case CRYPTO_SHA2_224_HMAC: 2238 case CRYPTO_SHA2_256_HMAC: 2239 case CRYPTO_SHA2_384_HMAC: 2240 case CRYPTO_SHA2_512_HMAC: 2241 break; 2242 default: 2243 return (false); 2244 } 2245 return (true); 2246 } 2247 2248 static bool 2249 ccr_cipher_supported(const struct crypto_session_params *csp) 2250 { 2251 2252 switch (csp->csp_cipher_alg) { 2253 case CRYPTO_AES_CBC: 2254 if (csp->csp_ivlen != AES_BLOCK_LEN) 2255 return (false); 2256 break; 2257 case CRYPTO_AES_ICM: 2258 if (csp->csp_ivlen != AES_BLOCK_LEN) 2259 return (false); 2260 break; 2261 case CRYPTO_AES_XTS: 2262 if (csp->csp_ivlen != AES_XTS_IV_LEN) 2263 return (false); 2264 break; 2265 default: 2266 return (false); 2267 } 2268 return (ccr_aes_check_keylen(csp->csp_cipher_alg, 2269 csp->csp_cipher_klen)); 2270 } 2271 2272 static int 2273 ccr_cipher_mode(const struct crypto_session_params *csp) 2274 { 2275 2276 switch (csp->csp_cipher_alg) { 2277 case CRYPTO_AES_CBC: 2278 return (SCMD_CIPH_MODE_AES_CBC); 2279 case CRYPTO_AES_ICM: 2280 return (SCMD_CIPH_MODE_AES_CTR); 2281 case CRYPTO_AES_NIST_GCM_16: 2282 return (SCMD_CIPH_MODE_AES_GCM); 2283 case CRYPTO_AES_XTS: 2284 return (SCMD_CIPH_MODE_AES_XTS); 2285 case CRYPTO_AES_CCM_16: 2286 return (SCMD_CIPH_MODE_AES_CCM); 2287 default: 2288 return (SCMD_CIPH_MODE_NOP); 2289 } 2290 } 2291 2292 static int 2293 ccr_probesession(device_t dev, const struct crypto_session_params *csp) 2294 { 2295 unsigned int cipher_mode; 2296 2297 if (csp->csp_flags != 0) 2298 return (EINVAL); 2299 switch (csp->csp_mode) { 2300 case CSP_MODE_DIGEST: 2301 if (!ccr_auth_supported(csp)) 2302 return (EINVAL); 2303 break; 2304 case CSP_MODE_CIPHER: 2305 if (!ccr_cipher_supported(csp)) 2306 return (EINVAL); 2307 break; 2308 case CSP_MODE_AEAD: 2309 switch (csp->csp_cipher_alg) { 2310 case CRYPTO_AES_NIST_GCM_16: 2311 if (csp->csp_ivlen != AES_GCM_IV_LEN) 2312 return (EINVAL); 2313 if (csp->csp_auth_mlen < 0 || 2314 csp->csp_auth_mlen > AES_GMAC_HASH_LEN) 2315 return (EINVAL); 2316 break; 2317 case CRYPTO_AES_CCM_16: 2318 if (csp->csp_ivlen != AES_CCM_IV_LEN) 2319 return (EINVAL); 2320 if (csp->csp_auth_mlen < 0 || 2321 csp->csp_auth_mlen > AES_CBC_MAC_HASH_LEN) 2322 return (EINVAL); 2323 break; 2324 default: 2325 return (EINVAL); 2326 } 2327 break; 2328 case CSP_MODE_ETA: 2329 if (!ccr_auth_supported(csp) || !ccr_cipher_supported(csp)) 2330 return (EINVAL); 2331 break; 2332 default: 2333 return (EINVAL); 2334 } 2335 2336 if (csp->csp_cipher_klen != 0) { 2337 cipher_mode = ccr_cipher_mode(csp); 2338 if (cipher_mode == SCMD_CIPH_MODE_NOP) 2339 return (EINVAL); 2340 } 2341 2342 return (CRYPTODEV_PROBE_HARDWARE); 2343 } 2344 2345 /* 2346 * Select an available port with the lowest number of active sessions. 2347 */ 2348 static struct ccr_port * 2349 ccr_choose_port(struct ccr_softc *sc) 2350 { 2351 struct ccr_port *best, *p; 2352 int i; 2353 2354 mtx_assert(&sc->lock, MA_OWNED); 2355 best = NULL; 2356 for (i = 0; i < nitems(sc->ports); i++) { 2357 p = &sc->ports[i]; 2358 2359 /* Ignore non-existent ports. */ 2360 if (p->rxq == NULL) 2361 continue; 2362 2363 /* 2364 * XXX: Ignore ports whose queues aren't initialized. 2365 * This is racy as the rxq can be destroyed by the 2366 * associated VI detaching. Eventually ccr should use 2367 * dedicated queues. 2368 */ 2369 if (p->rxq->iq.adapter == NULL || p->txq->adapter == NULL) 2370 continue; 2371 2372 if ((sc->port_mask & (1u << i)) == 0) 2373 continue; 2374 2375 if (best == NULL || 2376 p->active_sessions < best->active_sessions) 2377 best = p; 2378 } 2379 return (best); 2380 } 2381 2382 static int 2383 ccr_newsession(device_t dev, crypto_session_t cses, 2384 const struct crypto_session_params *csp) 2385 { 2386 struct ccr_softc *sc; 2387 struct ccr_session *s; 2388 struct auth_hash *auth_hash; 2389 unsigned int auth_mode, cipher_mode, mk_size; 2390 unsigned int partial_digest_len; 2391 2392 switch (csp->csp_auth_alg) { 2393 case CRYPTO_SHA1: 2394 case CRYPTO_SHA1_HMAC: 2395 auth_hash = &auth_hash_hmac_sha1; 2396 auth_mode = SCMD_AUTH_MODE_SHA1; 2397 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_160; 2398 partial_digest_len = SHA1_HASH_LEN; 2399 break; 2400 case CRYPTO_SHA2_224: 2401 case CRYPTO_SHA2_224_HMAC: 2402 auth_hash = &auth_hash_hmac_sha2_224; 2403 auth_mode = SCMD_AUTH_MODE_SHA224; 2404 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 2405 partial_digest_len = SHA2_256_HASH_LEN; 2406 break; 2407 case CRYPTO_SHA2_256: 2408 case CRYPTO_SHA2_256_HMAC: 2409 auth_hash = &auth_hash_hmac_sha2_256; 2410 auth_mode = SCMD_AUTH_MODE_SHA256; 2411 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 2412 partial_digest_len = SHA2_256_HASH_LEN; 2413 break; 2414 case CRYPTO_SHA2_384: 2415 case CRYPTO_SHA2_384_HMAC: 2416 auth_hash = &auth_hash_hmac_sha2_384; 2417 auth_mode = SCMD_AUTH_MODE_SHA512_384; 2418 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 2419 partial_digest_len = SHA2_512_HASH_LEN; 2420 break; 2421 case CRYPTO_SHA2_512: 2422 case CRYPTO_SHA2_512_HMAC: 2423 auth_hash = &auth_hash_hmac_sha2_512; 2424 auth_mode = SCMD_AUTH_MODE_SHA512_512; 2425 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 2426 partial_digest_len = SHA2_512_HASH_LEN; 2427 break; 2428 default: 2429 auth_hash = NULL; 2430 auth_mode = SCMD_AUTH_MODE_NOP; 2431 mk_size = 0; 2432 partial_digest_len = 0; 2433 break; 2434 } 2435 2436 cipher_mode = ccr_cipher_mode(csp); 2437 2438 #ifdef INVARIANTS 2439 switch (csp->csp_mode) { 2440 case CSP_MODE_CIPHER: 2441 if (cipher_mode == SCMD_CIPH_MODE_NOP || 2442 cipher_mode == SCMD_CIPH_MODE_AES_GCM || 2443 cipher_mode == SCMD_CIPH_MODE_AES_CCM) 2444 panic("invalid cipher algo"); 2445 break; 2446 case CSP_MODE_DIGEST: 2447 if (auth_mode == SCMD_AUTH_MODE_NOP) 2448 panic("invalid auth algo"); 2449 break; 2450 case CSP_MODE_AEAD: 2451 if (cipher_mode != SCMD_CIPH_MODE_AES_GCM && 2452 cipher_mode != SCMD_CIPH_MODE_AES_CCM) 2453 panic("invalid aead cipher algo"); 2454 if (auth_mode != SCMD_AUTH_MODE_NOP) 2455 panic("invalid aead auth aglo"); 2456 break; 2457 case CSP_MODE_ETA: 2458 if (cipher_mode == SCMD_CIPH_MODE_NOP || 2459 cipher_mode == SCMD_CIPH_MODE_AES_GCM || 2460 cipher_mode == SCMD_CIPH_MODE_AES_CCM) 2461 panic("invalid cipher algo"); 2462 if (auth_mode == SCMD_AUTH_MODE_NOP) 2463 panic("invalid auth algo"); 2464 break; 2465 default: 2466 panic("invalid csp mode"); 2467 } 2468 #endif 2469 2470 sc = device_get_softc(dev); 2471 2472 mtx_lock(&sc->lock); 2473 if (sc->detaching) { 2474 mtx_unlock(&sc->lock); 2475 return (ENXIO); 2476 } 2477 2478 s = crypto_get_driver_session(cses); 2479 s->port = ccr_choose_port(sc); 2480 if (s->port == NULL) { 2481 mtx_unlock(&sc->lock); 2482 return (ENXIO); 2483 } 2484 2485 switch (csp->csp_mode) { 2486 case CSP_MODE_AEAD: 2487 if (cipher_mode == SCMD_CIPH_MODE_AES_CCM) 2488 s->mode = CCM; 2489 else 2490 s->mode = GCM; 2491 break; 2492 case CSP_MODE_ETA: 2493 s->mode = ETA; 2494 break; 2495 case CSP_MODE_DIGEST: 2496 if (csp->csp_auth_klen != 0) 2497 s->mode = HMAC; 2498 else 2499 s->mode = HASH; 2500 break; 2501 case CSP_MODE_CIPHER: 2502 s->mode = BLKCIPHER; 2503 break; 2504 } 2505 2506 if (s->mode == GCM) { 2507 if (csp->csp_auth_mlen == 0) 2508 s->gmac.hash_len = AES_GMAC_HASH_LEN; 2509 else 2510 s->gmac.hash_len = csp->csp_auth_mlen; 2511 t4_init_gmac_hash(csp->csp_cipher_key, csp->csp_cipher_klen, 2512 s->gmac.ghash_h); 2513 } else if (s->mode == CCM) { 2514 if (csp->csp_auth_mlen == 0) 2515 s->ccm_mac.hash_len = AES_CBC_MAC_HASH_LEN; 2516 else 2517 s->ccm_mac.hash_len = csp->csp_auth_mlen; 2518 } else if (auth_mode != SCMD_AUTH_MODE_NOP) { 2519 s->hmac.auth_hash = auth_hash; 2520 s->hmac.auth_mode = auth_mode; 2521 s->hmac.mk_size = mk_size; 2522 s->hmac.partial_digest_len = partial_digest_len; 2523 if (csp->csp_auth_mlen == 0) 2524 s->hmac.hash_len = auth_hash->hashsize; 2525 else 2526 s->hmac.hash_len = csp->csp_auth_mlen; 2527 if (csp->csp_auth_key != NULL) 2528 t4_init_hmac_digest(auth_hash, partial_digest_len, 2529 csp->csp_auth_key, csp->csp_auth_klen, 2530 s->hmac.pads); 2531 else 2532 ccr_init_hash_digest(s); 2533 } 2534 if (cipher_mode != SCMD_CIPH_MODE_NOP) { 2535 s->blkcipher.cipher_mode = cipher_mode; 2536 s->blkcipher.iv_len = csp->csp_ivlen; 2537 if (csp->csp_cipher_key != NULL) 2538 ccr_aes_setkey(s, csp->csp_cipher_key, 2539 csp->csp_cipher_klen); 2540 } 2541 2542 s->active = true; 2543 s->port->active_sessions++; 2544 mtx_unlock(&sc->lock); 2545 return (0); 2546 } 2547 2548 static void 2549 ccr_freesession(device_t dev, crypto_session_t cses) 2550 { 2551 struct ccr_softc *sc; 2552 struct ccr_session *s; 2553 2554 sc = device_get_softc(dev); 2555 s = crypto_get_driver_session(cses); 2556 mtx_lock(&sc->lock); 2557 if (s->pending != 0) 2558 device_printf(dev, 2559 "session %p freed with %d pending requests\n", s, 2560 s->pending); 2561 s->active = false; 2562 s->port->active_sessions--; 2563 mtx_unlock(&sc->lock); 2564 } 2565 2566 static int 2567 ccr_process(device_t dev, struct cryptop *crp, int hint) 2568 { 2569 const struct crypto_session_params *csp; 2570 struct ccr_softc *sc; 2571 struct ccr_session *s; 2572 int error; 2573 2574 csp = crypto_get_params(crp->crp_session); 2575 s = crypto_get_driver_session(crp->crp_session); 2576 sc = device_get_softc(dev); 2577 2578 mtx_lock(&sc->lock); 2579 error = ccr_populate_sglist(sc->sg_crp, &crp->crp_buf); 2580 if (error) { 2581 sc->stats_sglist_error++; 2582 goto out; 2583 } 2584 2585 switch (s->mode) { 2586 case HASH: 2587 error = ccr_hash(sc, s, crp); 2588 if (error == 0) 2589 sc->stats_hash++; 2590 break; 2591 case HMAC: 2592 if (crp->crp_auth_key != NULL) 2593 t4_init_hmac_digest(s->hmac.auth_hash, 2594 s->hmac.partial_digest_len, crp->crp_auth_key, 2595 csp->csp_auth_klen, s->hmac.pads); 2596 error = ccr_hash(sc, s, crp); 2597 if (error == 0) 2598 sc->stats_hmac++; 2599 break; 2600 case BLKCIPHER: 2601 if (crp->crp_cipher_key != NULL) 2602 ccr_aes_setkey(s, crp->crp_cipher_key, 2603 csp->csp_cipher_klen); 2604 error = ccr_blkcipher(sc, s, crp); 2605 if (error == 0) { 2606 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2607 sc->stats_blkcipher_encrypt++; 2608 else 2609 sc->stats_blkcipher_decrypt++; 2610 } 2611 break; 2612 case ETA: 2613 if (crp->crp_auth_key != NULL) 2614 t4_init_hmac_digest(s->hmac.auth_hash, 2615 s->hmac.partial_digest_len, crp->crp_auth_key, 2616 csp->csp_auth_klen, s->hmac.pads); 2617 if (crp->crp_cipher_key != NULL) 2618 ccr_aes_setkey(s, crp->crp_cipher_key, 2619 csp->csp_cipher_klen); 2620 error = ccr_eta(sc, s, crp); 2621 if (error == 0) { 2622 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2623 sc->stats_eta_encrypt++; 2624 else 2625 sc->stats_eta_decrypt++; 2626 } 2627 break; 2628 case GCM: 2629 if (crp->crp_cipher_key != NULL) { 2630 t4_init_gmac_hash(crp->crp_cipher_key, 2631 csp->csp_cipher_klen, s->gmac.ghash_h); 2632 ccr_aes_setkey(s, crp->crp_cipher_key, 2633 csp->csp_cipher_klen); 2634 } 2635 if (crp->crp_payload_length == 0) { 2636 mtx_unlock(&sc->lock); 2637 ccr_gcm_soft(s, crp); 2638 return (0); 2639 } 2640 error = ccr_gcm(sc, s, crp); 2641 if (error == EMSGSIZE) { 2642 sc->stats_sw_fallback++; 2643 mtx_unlock(&sc->lock); 2644 ccr_gcm_soft(s, crp); 2645 return (0); 2646 } 2647 if (error == 0) { 2648 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2649 sc->stats_gcm_encrypt++; 2650 else 2651 sc->stats_gcm_decrypt++; 2652 } 2653 break; 2654 case CCM: 2655 if (crp->crp_cipher_key != NULL) { 2656 ccr_aes_setkey(s, crp->crp_cipher_key, 2657 csp->csp_cipher_klen); 2658 } 2659 error = ccr_ccm(sc, s, crp); 2660 if (error == EMSGSIZE) { 2661 sc->stats_sw_fallback++; 2662 mtx_unlock(&sc->lock); 2663 ccr_ccm_soft(s, crp); 2664 return (0); 2665 } 2666 if (error == 0) { 2667 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2668 sc->stats_ccm_encrypt++; 2669 else 2670 sc->stats_ccm_decrypt++; 2671 } 2672 break; 2673 } 2674 2675 if (error == 0) { 2676 s->pending++; 2677 sc->stats_inflight++; 2678 } else 2679 sc->stats_process_error++; 2680 2681 out: 2682 mtx_unlock(&sc->lock); 2683 2684 if (error) { 2685 crp->crp_etype = error; 2686 crypto_done(crp); 2687 } 2688 2689 return (0); 2690 } 2691 2692 static int 2693 do_cpl6_fw_pld(struct sge_iq *iq, const struct rss_header *rss, 2694 struct mbuf *m) 2695 { 2696 struct ccr_softc *sc = iq->adapter->ccr_softc; 2697 struct ccr_session *s; 2698 const struct cpl_fw6_pld *cpl; 2699 struct cryptop *crp; 2700 uint32_t status; 2701 int error; 2702 2703 if (m != NULL) 2704 cpl = mtod(m, const void *); 2705 else 2706 cpl = (const void *)(rss + 1); 2707 2708 crp = (struct cryptop *)(uintptr_t)be64toh(cpl->data[1]); 2709 s = crypto_get_driver_session(crp->crp_session); 2710 status = be64toh(cpl->data[0]); 2711 if (CHK_MAC_ERR_BIT(status) || CHK_PAD_ERR_BIT(status)) 2712 error = EBADMSG; 2713 else 2714 error = 0; 2715 2716 mtx_lock(&sc->lock); 2717 s->pending--; 2718 sc->stats_inflight--; 2719 2720 switch (s->mode) { 2721 case HASH: 2722 case HMAC: 2723 error = ccr_hash_done(sc, s, crp, cpl, error); 2724 break; 2725 case BLKCIPHER: 2726 error = ccr_blkcipher_done(sc, s, crp, cpl, error); 2727 break; 2728 case ETA: 2729 error = ccr_eta_done(sc, s, crp, cpl, error); 2730 break; 2731 case GCM: 2732 error = ccr_gcm_done(sc, s, crp, cpl, error); 2733 break; 2734 case CCM: 2735 error = ccr_ccm_done(sc, s, crp, cpl, error); 2736 break; 2737 } 2738 2739 if (error == EBADMSG) { 2740 if (CHK_MAC_ERR_BIT(status)) 2741 sc->stats_mac_error++; 2742 if (CHK_PAD_ERR_BIT(status)) 2743 sc->stats_pad_error++; 2744 } 2745 mtx_unlock(&sc->lock); 2746 crp->crp_etype = error; 2747 crypto_done(crp); 2748 m_freem(m); 2749 return (0); 2750 } 2751 2752 static int 2753 ccr_modevent(module_t mod, int cmd, void *arg) 2754 { 2755 2756 switch (cmd) { 2757 case MOD_LOAD: 2758 t4_register_cpl_handler(CPL_FW6_PLD, do_cpl6_fw_pld); 2759 return (0); 2760 case MOD_UNLOAD: 2761 t4_register_cpl_handler(CPL_FW6_PLD, NULL); 2762 return (0); 2763 default: 2764 return (EOPNOTSUPP); 2765 } 2766 } 2767 2768 static device_method_t ccr_methods[] = { 2769 DEVMETHOD(device_identify, ccr_identify), 2770 DEVMETHOD(device_probe, ccr_probe), 2771 DEVMETHOD(device_attach, ccr_attach), 2772 DEVMETHOD(device_detach, ccr_detach), 2773 2774 DEVMETHOD(cryptodev_probesession, ccr_probesession), 2775 DEVMETHOD(cryptodev_newsession, ccr_newsession), 2776 DEVMETHOD(cryptodev_freesession, ccr_freesession), 2777 DEVMETHOD(cryptodev_process, ccr_process), 2778 2779 DEVMETHOD_END 2780 }; 2781 2782 static driver_t ccr_driver = { 2783 "ccr", 2784 ccr_methods, 2785 sizeof(struct ccr_softc) 2786 }; 2787 2788 static devclass_t ccr_devclass; 2789 2790 DRIVER_MODULE(ccr, t6nex, ccr_driver, ccr_devclass, ccr_modevent, NULL); 2791 MODULE_VERSION(ccr, 1); 2792 MODULE_DEPEND(ccr, crypto, 1, 1, 1); 2793 MODULE_DEPEND(ccr, t6nex, 1, 1, 1); 2794