xref: /freebsd/sys/dev/cxgbe/crypto/t4_crypto.c (revision 9e5787d2284e187abb5b654d924394a65772e004)
1 /*-
2  * Copyright (c) 2017 Chelsio Communications, Inc.
3  * All rights reserved.
4  * Written by: John Baldwin <jhb@FreeBSD.org>
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/types.h>
32 #include <sys/bus.h>
33 #include <sys/lock.h>
34 #include <sys/malloc.h>
35 #include <sys/mutex.h>
36 #include <sys/module.h>
37 #include <sys/sglist.h>
38 
39 #include <opencrypto/cryptodev.h>
40 #include <opencrypto/xform.h>
41 
42 #include "cryptodev_if.h"
43 
44 #include "common/common.h"
45 #include "crypto/t4_crypto.h"
46 
47 /*
48  * Requests consist of:
49  *
50  * +-------------------------------+
51  * | struct fw_crypto_lookaside_wr |
52  * +-------------------------------+
53  * | struct ulp_txpkt              |
54  * +-------------------------------+
55  * | struct ulptx_idata            |
56  * +-------------------------------+
57  * | struct cpl_tx_sec_pdu         |
58  * +-------------------------------+
59  * | struct cpl_tls_tx_scmd_fmt    |
60  * +-------------------------------+
61  * | key context header            |
62  * +-------------------------------+
63  * | AES key                       |  ----- For requests with AES
64  * +-------------------------------+
65  * | Hash state                    |  ----- For hash-only requests
66  * +-------------------------------+ -
67  * | IPAD (16-byte aligned)        |  \
68  * +-------------------------------+  +---- For requests with HMAC
69  * | OPAD (16-byte aligned)        |  /
70  * +-------------------------------+ -
71  * | GMAC H                        |  ----- For AES-GCM
72  * +-------------------------------+ -
73  * | struct cpl_rx_phys_dsgl       |  \
74  * +-------------------------------+  +---- Destination buffer for
75  * | PHYS_DSGL entries             |  /     non-hash-only requests
76  * +-------------------------------+ -
77  * | 16 dummy bytes                |  ----- Only for HMAC/hash-only requests
78  * +-------------------------------+
79  * | IV                            |  ----- If immediate IV
80  * +-------------------------------+
81  * | Payload                       |  ----- If immediate Payload
82  * +-------------------------------+ -
83  * | struct ulptx_sgl              |  \
84  * +-------------------------------+  +---- If payload via SGL
85  * | SGL entries                   |  /
86  * +-------------------------------+ -
87  *
88  * Note that the key context must be padded to ensure 16-byte alignment.
89  * For HMAC requests, the key consists of the partial hash of the IPAD
90  * followed by the partial hash of the OPAD.
91  *
92  * Replies consist of:
93  *
94  * +-------------------------------+
95  * | struct cpl_fw6_pld            |
96  * +-------------------------------+
97  * | hash digest                   |  ----- For HMAC request with
98  * +-------------------------------+        'hash_size' set in work request
99  *
100  * A 32-bit big-endian error status word is supplied in the last 4
101  * bytes of data[0] in the CPL_FW6_PLD message.  bit 0 indicates a
102  * "MAC" error and bit 1 indicates a "PAD" error.
103  *
104  * The 64-bit 'cookie' field from the fw_crypto_lookaside_wr message
105  * in the request is returned in data[1] of the CPL_FW6_PLD message.
106  *
107  * For block cipher replies, the updated IV is supplied in data[2] and
108  * data[3] of the CPL_FW6_PLD message.
109  *
110  * For hash replies where the work request set 'hash_size' to request
111  * a copy of the hash in the reply, the hash digest is supplied
112  * immediately following the CPL_FW6_PLD message.
113  */
114 
115 /*
116  * The crypto engine supports a maximum AAD size of 511 bytes.
117  */
118 #define	MAX_AAD_LEN		511
119 
120 /*
121  * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32 SG
122  * entries.  While the CPL includes a 16-bit length field, the T6 can
123  * sometimes hang if an error occurs while processing a request with a
124  * single DSGL entry larger than 2k.
125  */
126 #define	MAX_RX_PHYS_DSGL_SGE	32
127 #define	DSGL_SGE_MAXLEN		2048
128 
129 /*
130  * The adapter only supports requests with a total input or output
131  * length of 64k-1 or smaller.  Longer requests either result in hung
132  * requests or incorrect results.
133  */
134 #define	MAX_REQUEST_SIZE	65535
135 
136 static MALLOC_DEFINE(M_CCR, "ccr", "Chelsio T6 crypto");
137 
138 struct ccr_session_hmac {
139 	struct auth_hash *auth_hash;
140 	int hash_len;
141 	unsigned int partial_digest_len;
142 	unsigned int auth_mode;
143 	unsigned int mk_size;
144 	char pads[CHCR_HASH_MAX_BLOCK_SIZE_128 * 2];
145 };
146 
147 struct ccr_session_gmac {
148 	int hash_len;
149 	char ghash_h[GMAC_BLOCK_LEN];
150 };
151 
152 struct ccr_session_ccm_mac {
153 	int hash_len;
154 };
155 
156 struct ccr_session_blkcipher {
157 	unsigned int cipher_mode;
158 	unsigned int key_len;
159 	unsigned int iv_len;
160 	__be32 key_ctx_hdr;
161 	char enckey[CHCR_AES_MAX_KEY_LEN];
162 	char deckey[CHCR_AES_MAX_KEY_LEN];
163 };
164 
165 struct ccr_port {
166 	struct sge_wrq *txq;
167 	struct sge_rxq *rxq;
168 	int tx_channel_id;
169 	u_int active_sessions;
170 };
171 
172 struct ccr_session {
173 #ifdef INVARIANTS
174 	int pending;
175 #endif
176 	enum { HASH, HMAC, BLKCIPHER, ETA, GCM, CCM } mode;
177 	struct ccr_port *port;
178 	union {
179 		struct ccr_session_hmac hmac;
180 		struct ccr_session_gmac gmac;
181 		struct ccr_session_ccm_mac ccm_mac;
182 	};
183 	struct ccr_session_blkcipher blkcipher;
184 	struct mtx lock;
185 
186 	/*
187 	 * Pre-allocate S/G lists used when preparing a work request.
188 	 * 'sg_input' contains an sglist describing the entire input
189 	 * buffer for a 'struct cryptop'.  'sg_output' contains an
190 	 * sglist describing the entire output buffer.  'sg_ulptx' is
191 	 * used to describe the data the engine should DMA as input
192 	 * via ULPTX_SGL.  'sg_dsgl' is used to describe the
193 	 * destination that cipher text and a tag should be written
194 	 * to.
195 	 */
196 	struct sglist *sg_input;
197 	struct sglist *sg_output;
198 	struct sglist *sg_ulptx;
199 	struct sglist *sg_dsgl;
200 };
201 
202 struct ccr_softc {
203 	struct adapter *adapter;
204 	device_t dev;
205 	uint32_t cid;
206 	struct mtx lock;
207 	bool detaching;
208 	struct ccr_port ports[MAX_NPORTS];
209 	u_int port_mask;
210 
211 	/*
212 	 * Pre-allocate a dummy output buffer for the IV and AAD for
213 	 * AEAD requests.
214 	 */
215 	char *iv_aad_buf;
216 	struct sglist *sg_iv_aad;
217 
218 	/* Statistics. */
219 	counter_u64_t stats_blkcipher_encrypt;
220 	counter_u64_t stats_blkcipher_decrypt;
221 	counter_u64_t stats_hash;
222 	counter_u64_t stats_hmac;
223 	counter_u64_t stats_eta_encrypt;
224 	counter_u64_t stats_eta_decrypt;
225 	counter_u64_t stats_gcm_encrypt;
226 	counter_u64_t stats_gcm_decrypt;
227 	counter_u64_t stats_ccm_encrypt;
228 	counter_u64_t stats_ccm_decrypt;
229 	counter_u64_t stats_wr_nomem;
230 	counter_u64_t stats_inflight;
231 	counter_u64_t stats_mac_error;
232 	counter_u64_t stats_pad_error;
233 	counter_u64_t stats_sglist_error;
234 	counter_u64_t stats_process_error;
235 	counter_u64_t stats_sw_fallback;
236 };
237 
238 /*
239  * Crypto requests involve two kind of scatter/gather lists.
240  *
241  * Non-hash-only requests require a PHYS_DSGL that describes the
242  * location to store the results of the encryption or decryption
243  * operation.  This SGL uses a different format (PHYS_DSGL) and should
244  * exclude the skip bytes at the start of the data as well as any AAD
245  * or IV.  For authenticated encryption requests it should include the
246  * destination of the hash or tag.
247  *
248  * The input payload may either be supplied inline as immediate data,
249  * or via a standard ULP_TX SGL.  This SGL should include AAD,
250  * ciphertext, and the hash or tag for authenticated decryption
251  * requests.
252  *
253  * These scatter/gather lists can describe different subsets of the
254  * buffers described by the crypto operation.  ccr_populate_sglist()
255  * generates a scatter/gather list that covers an entire crypto
256  * operation buffer that is then used to construct the other
257  * scatter/gather lists.
258  */
259 static int
260 ccr_populate_sglist(struct sglist *sg, struct crypto_buffer *cb)
261 {
262 	int error;
263 
264 	sglist_reset(sg);
265 	switch (cb->cb_type) {
266 	case CRYPTO_BUF_MBUF:
267 		error = sglist_append_mbuf(sg, cb->cb_mbuf);
268 		break;
269 	case CRYPTO_BUF_UIO:
270 		error = sglist_append_uio(sg, cb->cb_uio);
271 		break;
272 	case CRYPTO_BUF_CONTIG:
273 		error = sglist_append(sg, cb->cb_buf, cb->cb_buf_len);
274 		break;
275 	default:
276 		error = EINVAL;
277 	}
278 	return (error);
279 }
280 
281 /*
282  * Segments in 'sg' larger than 'maxsegsize' are counted as multiple
283  * segments.
284  */
285 static int
286 ccr_count_sgl(struct sglist *sg, int maxsegsize)
287 {
288 	int i, nsegs;
289 
290 	nsegs = 0;
291 	for (i = 0; i < sg->sg_nseg; i++)
292 		nsegs += howmany(sg->sg_segs[i].ss_len, maxsegsize);
293 	return (nsegs);
294 }
295 
296 /* These functions deal with PHYS_DSGL for the reply buffer. */
297 static inline int
298 ccr_phys_dsgl_len(int nsegs)
299 {
300 	int len;
301 
302 	len = (nsegs / 8) * sizeof(struct phys_sge_pairs);
303 	if ((nsegs % 8) != 0) {
304 		len += sizeof(uint16_t) * 8;
305 		len += roundup2(nsegs % 8, 2) * sizeof(uint64_t);
306 	}
307 	return (len);
308 }
309 
310 static void
311 ccr_write_phys_dsgl(struct ccr_session *s, void *dst, int nsegs)
312 {
313 	struct sglist *sg;
314 	struct cpl_rx_phys_dsgl *cpl;
315 	struct phys_sge_pairs *sgl;
316 	vm_paddr_t paddr;
317 	size_t seglen;
318 	u_int i, j;
319 
320 	sg = s->sg_dsgl;
321 	cpl = dst;
322 	cpl->op_to_tid = htobe32(V_CPL_RX_PHYS_DSGL_OPCODE(CPL_RX_PHYS_DSGL) |
323 	    V_CPL_RX_PHYS_DSGL_ISRDMA(0));
324 	cpl->pcirlxorder_to_noofsgentr = htobe32(
325 	    V_CPL_RX_PHYS_DSGL_PCIRLXORDER(0) |
326 	    V_CPL_RX_PHYS_DSGL_PCINOSNOOP(0) |
327 	    V_CPL_RX_PHYS_DSGL_PCITPHNTENB(0) | V_CPL_RX_PHYS_DSGL_DCAID(0) |
328 	    V_CPL_RX_PHYS_DSGL_NOOFSGENTR(nsegs));
329 	cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR;
330 	cpl->rss_hdr_int.qid = htobe16(s->port->rxq->iq.abs_id);
331 	cpl->rss_hdr_int.hash_val = 0;
332 	sgl = (struct phys_sge_pairs *)(cpl + 1);
333 	j = 0;
334 	for (i = 0; i < sg->sg_nseg; i++) {
335 		seglen = sg->sg_segs[i].ss_len;
336 		paddr = sg->sg_segs[i].ss_paddr;
337 		do {
338 			sgl->addr[j] = htobe64(paddr);
339 			if (seglen > DSGL_SGE_MAXLEN) {
340 				sgl->len[j] = htobe16(DSGL_SGE_MAXLEN);
341 				paddr += DSGL_SGE_MAXLEN;
342 				seglen -= DSGL_SGE_MAXLEN;
343 			} else {
344 				sgl->len[j] = htobe16(seglen);
345 				seglen = 0;
346 			}
347 			j++;
348 			if (j == 8) {
349 				sgl++;
350 				j = 0;
351 			}
352 		} while (seglen != 0);
353 	}
354 	MPASS(j + 8 * (sgl - (struct phys_sge_pairs *)(cpl + 1)) == nsegs);
355 }
356 
357 /* These functions deal with the ULPTX_SGL for input payload. */
358 static inline int
359 ccr_ulptx_sgl_len(int nsegs)
360 {
361 	u_int n;
362 
363 	nsegs--; /* first segment is part of ulptx_sgl */
364 	n = sizeof(struct ulptx_sgl) + 8 * ((3 * nsegs) / 2 + (nsegs & 1));
365 	return (roundup2(n, 16));
366 }
367 
368 static void
369 ccr_write_ulptx_sgl(struct ccr_session *s, void *dst, int nsegs)
370 {
371 	struct ulptx_sgl *usgl;
372 	struct sglist *sg;
373 	struct sglist_seg *ss;
374 	int i;
375 
376 	sg = s->sg_ulptx;
377 	MPASS(nsegs == sg->sg_nseg);
378 	ss = &sg->sg_segs[0];
379 	usgl = dst;
380 	usgl->cmd_nsge = htobe32(V_ULPTX_CMD(ULP_TX_SC_DSGL) |
381 	    V_ULPTX_NSGE(nsegs));
382 	usgl->len0 = htobe32(ss->ss_len);
383 	usgl->addr0 = htobe64(ss->ss_paddr);
384 	ss++;
385 	for (i = 0; i < sg->sg_nseg - 1; i++) {
386 		usgl->sge[i / 2].len[i & 1] = htobe32(ss->ss_len);
387 		usgl->sge[i / 2].addr[i & 1] = htobe64(ss->ss_paddr);
388 		ss++;
389 	}
390 }
391 
392 static bool
393 ccr_use_imm_data(u_int transhdr_len, u_int input_len)
394 {
395 
396 	if (input_len > CRYPTO_MAX_IMM_TX_PKT_LEN)
397 		return (false);
398 	if (roundup2(transhdr_len, 16) + roundup2(input_len, 16) >
399 	    SGE_MAX_WR_LEN)
400 		return (false);
401 	return (true);
402 }
403 
404 static void
405 ccr_populate_wreq(struct ccr_softc *sc, struct ccr_session *s,
406     struct chcr_wr *crwr, u_int kctx_len, u_int wr_len, u_int imm_len,
407     u_int sgl_len, u_int hash_size, struct cryptop *crp)
408 {
409 	u_int cctx_size, idata_len;
410 
411 	cctx_size = sizeof(struct _key_ctx) + kctx_len;
412 	crwr->wreq.op_to_cctx_size = htobe32(
413 	    V_FW_CRYPTO_LOOKASIDE_WR_OPCODE(FW_CRYPTO_LOOKASIDE_WR) |
414 	    V_FW_CRYPTO_LOOKASIDE_WR_COMPL(0) |
415 	    V_FW_CRYPTO_LOOKASIDE_WR_IMM_LEN(imm_len) |
416 	    V_FW_CRYPTO_LOOKASIDE_WR_CCTX_LOC(1) |
417 	    V_FW_CRYPTO_LOOKASIDE_WR_CCTX_SIZE(cctx_size >> 4));
418 	crwr->wreq.len16_pkd = htobe32(
419 	    V_FW_CRYPTO_LOOKASIDE_WR_LEN16(wr_len / 16));
420 	crwr->wreq.session_id = 0;
421 	crwr->wreq.rx_chid_to_rx_q_id = htobe32(
422 	    V_FW_CRYPTO_LOOKASIDE_WR_RX_CHID(s->port->tx_channel_id) |
423 	    V_FW_CRYPTO_LOOKASIDE_WR_LCB(0) |
424 	    V_FW_CRYPTO_LOOKASIDE_WR_PHASH(0) |
425 	    V_FW_CRYPTO_LOOKASIDE_WR_IV(IV_NOP) |
426 	    V_FW_CRYPTO_LOOKASIDE_WR_FQIDX(0) |
427 	    V_FW_CRYPTO_LOOKASIDE_WR_TX_CH(0) |
428 	    V_FW_CRYPTO_LOOKASIDE_WR_RX_Q_ID(s->port->rxq->iq.abs_id));
429 	crwr->wreq.key_addr = 0;
430 	crwr->wreq.pld_size_hash_size = htobe32(
431 	    V_FW_CRYPTO_LOOKASIDE_WR_PLD_SIZE(sgl_len) |
432 	    V_FW_CRYPTO_LOOKASIDE_WR_HASH_SIZE(hash_size));
433 	crwr->wreq.cookie = htobe64((uintptr_t)crp);
434 
435 	crwr->ulptx.cmd_dest = htobe32(V_ULPTX_CMD(ULP_TX_PKT) |
436 	    V_ULP_TXPKT_DATAMODIFY(0) |
437 	    V_ULP_TXPKT_CHANNELID(s->port->tx_channel_id) |
438 	    V_ULP_TXPKT_DEST(0) |
439 	    V_ULP_TXPKT_FID(s->port->rxq->iq.abs_id) | V_ULP_TXPKT_RO(1));
440 	crwr->ulptx.len = htobe32(
441 	    ((wr_len - sizeof(struct fw_crypto_lookaside_wr)) / 16));
442 
443 	crwr->sc_imm.cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_IMM) |
444 	    V_ULP_TX_SC_MORE(sgl_len != 0 ? 1 : 0));
445 	idata_len = wr_len - offsetof(struct chcr_wr, sec_cpl) - sgl_len;
446 	if (imm_len % 16 != 0)
447 		idata_len -= 16 - imm_len % 16;
448 	crwr->sc_imm.len = htobe32(idata_len);
449 }
450 
451 static int
452 ccr_hash(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
453 {
454 	struct chcr_wr *crwr;
455 	struct wrqe *wr;
456 	struct auth_hash *axf;
457 	char *dst;
458 	u_int hash_size_in_response, kctx_flits, kctx_len, transhdr_len, wr_len;
459 	u_int hmac_ctrl, imm_len, iopad_size;
460 	int error, sgl_nsegs, sgl_len, use_opad;
461 
462 	/* Reject requests with too large of an input buffer. */
463 	if (crp->crp_payload_length > MAX_REQUEST_SIZE)
464 		return (EFBIG);
465 
466 	axf = s->hmac.auth_hash;
467 
468 	if (s->mode == HMAC) {
469 		use_opad = 1;
470 		hmac_ctrl = SCMD_HMAC_CTRL_NO_TRUNC;
471 	} else {
472 		use_opad = 0;
473 		hmac_ctrl = SCMD_HMAC_CTRL_NOP;
474 	}
475 
476 	/* PADs must be 128-bit aligned. */
477 	iopad_size = roundup2(s->hmac.partial_digest_len, 16);
478 
479 	/*
480 	 * The 'key' part of the context includes the aligned IPAD and
481 	 * OPAD.
482 	 */
483 	kctx_len = iopad_size;
484 	if (use_opad)
485 		kctx_len += iopad_size;
486 	hash_size_in_response = axf->hashsize;
487 	transhdr_len = HASH_TRANSHDR_SIZE(kctx_len);
488 
489 	if (crp->crp_payload_length == 0) {
490 		imm_len = axf->blocksize;
491 		sgl_nsegs = 0;
492 		sgl_len = 0;
493 	} else if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length)) {
494 		imm_len = crp->crp_payload_length;
495 		sgl_nsegs = 0;
496 		sgl_len = 0;
497 	} else {
498 		imm_len = 0;
499 		sglist_reset(s->sg_ulptx);
500 		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
501 		    crp->crp_payload_start, crp->crp_payload_length);
502 		if (error)
503 			return (error);
504 		sgl_nsegs = s->sg_ulptx->sg_nseg;
505 		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
506 	}
507 
508 	wr_len = roundup2(transhdr_len, 16) + roundup2(imm_len, 16) + sgl_len;
509 	if (wr_len > SGE_MAX_WR_LEN)
510 		return (EFBIG);
511 	wr = alloc_wrqe(wr_len, s->port->txq);
512 	if (wr == NULL) {
513 		counter_u64_add(sc->stats_wr_nomem, 1);
514 		return (ENOMEM);
515 	}
516 	crwr = wrtod(wr);
517 	memset(crwr, 0, wr_len);
518 
519 	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len,
520 	    hash_size_in_response, crp);
521 
522 	crwr->sec_cpl.op_ivinsrtofst = htobe32(
523 	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
524 	    V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) |
525 	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
526 	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
527 	    V_CPL_TX_SEC_PDU_IVINSRTOFST(0));
528 
529 	crwr->sec_cpl.pldlen = htobe32(crp->crp_payload_length == 0 ?
530 	    axf->blocksize : crp->crp_payload_length);
531 
532 	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
533 	    V_CPL_TX_SEC_PDU_AUTHSTART(1) | V_CPL_TX_SEC_PDU_AUTHSTOP(0));
534 
535 	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
536 	crwr->sec_cpl.seqno_numivs = htobe32(
537 	    V_SCMD_SEQ_NO_CTRL(0) |
538 	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
539 	    V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_NOP) |
540 	    V_SCMD_AUTH_MODE(s->hmac.auth_mode) |
541 	    V_SCMD_HMAC_CTRL(hmac_ctrl));
542 	crwr->sec_cpl.ivgen_hdrlen = htobe32(
543 	    V_SCMD_LAST_FRAG(0) |
544 	    V_SCMD_MORE_FRAGS(crp->crp_payload_length == 0 ? 1 : 0) |
545 	    V_SCMD_MAC_ONLY(1));
546 
547 	memcpy(crwr->key_ctx.key, s->hmac.pads, kctx_len);
548 
549 	/* XXX: F_KEY_CONTEXT_SALT_PRESENT set, but 'salt' not set. */
550 	kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16;
551 	crwr->key_ctx.ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) |
552 	    V_KEY_CONTEXT_OPAD_PRESENT(use_opad) |
553 	    V_KEY_CONTEXT_SALT_PRESENT(1) |
554 	    V_KEY_CONTEXT_CK_SIZE(CHCR_KEYCTX_NO_KEY) |
555 	    V_KEY_CONTEXT_MK_SIZE(s->hmac.mk_size) | V_KEY_CONTEXT_VALID(1));
556 
557 	dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES;
558 	if (crp->crp_payload_length == 0) {
559 		dst[0] = 0x80;
560 		if (s->mode == HMAC)
561 			*(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) =
562 			    htobe64(axf->blocksize << 3);
563 	} else if (imm_len != 0)
564 		crypto_copydata(crp, crp->crp_payload_start,
565 		    crp->crp_payload_length, dst);
566 	else
567 		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
568 
569 	/* XXX: TODO backpressure */
570 	t4_wrq_tx(sc->adapter, wr);
571 
572 	return (0);
573 }
574 
575 static int
576 ccr_hash_done(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp,
577     const struct cpl_fw6_pld *cpl, int error)
578 {
579 	uint8_t hash[HASH_MAX_LEN];
580 
581 	if (error)
582 		return (error);
583 
584 	if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) {
585 		crypto_copydata(crp, crp->crp_digest_start, s->hmac.hash_len,
586 		    hash);
587 		if (timingsafe_bcmp((cpl + 1), hash, s->hmac.hash_len) != 0)
588 			return (EBADMSG);
589 	} else
590 		crypto_copyback(crp, crp->crp_digest_start, s->hmac.hash_len,
591 		    (cpl + 1));
592 	return (0);
593 }
594 
595 static int
596 ccr_blkcipher(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
597 {
598 	char iv[CHCR_MAX_CRYPTO_IV_LEN];
599 	struct chcr_wr *crwr;
600 	struct wrqe *wr;
601 	char *dst;
602 	u_int kctx_len, key_half, op_type, transhdr_len, wr_len;
603 	u_int imm_len, iv_len;
604 	int dsgl_nsegs, dsgl_len;
605 	int sgl_nsegs, sgl_len;
606 	int error;
607 
608 	if (s->blkcipher.key_len == 0 || crp->crp_payload_length == 0)
609 		return (EINVAL);
610 	if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC &&
611 	    (crp->crp_payload_length % AES_BLOCK_LEN) != 0)
612 		return (EINVAL);
613 
614 	/* Reject requests with too large of an input buffer. */
615 	if (crp->crp_payload_length > MAX_REQUEST_SIZE)
616 		return (EFBIG);
617 
618 	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
619 		op_type = CHCR_ENCRYPT_OP;
620 	else
621 		op_type = CHCR_DECRYPT_OP;
622 
623 	sglist_reset(s->sg_dsgl);
624 	if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
625 		error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
626 		    crp->crp_payload_output_start, crp->crp_payload_length);
627 	else
628 		error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
629 		    crp->crp_payload_start, crp->crp_payload_length);
630 	if (error)
631 		return (error);
632 	dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN);
633 	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
634 		return (EFBIG);
635 	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
636 
637 	/* The 'key' must be 128-bit aligned. */
638 	kctx_len = roundup2(s->blkcipher.key_len, 16);
639 	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
640 
641 	/* For AES-XTS we send a 16-byte IV in the work request. */
642 	if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS)
643 		iv_len = AES_BLOCK_LEN;
644 	else
645 		iv_len = s->blkcipher.iv_len;
646 
647 	if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length + iv_len)) {
648 		imm_len = crp->crp_payload_length;
649 		sgl_nsegs = 0;
650 		sgl_len = 0;
651 	} else {
652 		imm_len = 0;
653 		sglist_reset(s->sg_ulptx);
654 		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
655 		    crp->crp_payload_start, crp->crp_payload_length);
656 		if (error)
657 			return (error);
658 		sgl_nsegs = s->sg_ulptx->sg_nseg;
659 		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
660 	}
661 
662 	wr_len = roundup2(transhdr_len, 16) + iv_len +
663 	    roundup2(imm_len, 16) + sgl_len;
664 	if (wr_len > SGE_MAX_WR_LEN)
665 		return (EFBIG);
666 	wr = alloc_wrqe(wr_len, s->port->txq);
667 	if (wr == NULL) {
668 		counter_u64_add(sc->stats_wr_nomem, 1);
669 		return (ENOMEM);
670 	}
671 	crwr = wrtod(wr);
672 	memset(crwr, 0, wr_len);
673 
674 	crypto_read_iv(crp, iv);
675 
676 	/* Zero the remainder of the IV for AES-XTS. */
677 	memset(iv + s->blkcipher.iv_len, 0, iv_len - s->blkcipher.iv_len);
678 
679 	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0,
680 	    crp);
681 
682 	crwr->sec_cpl.op_ivinsrtofst = htobe32(
683 	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
684 	    V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) |
685 	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
686 	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
687 	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
688 
689 	crwr->sec_cpl.pldlen = htobe32(iv_len + crp->crp_payload_length);
690 
691 	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
692 	    V_CPL_TX_SEC_PDU_CIPHERSTART(iv_len + 1) |
693 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
694 	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
695 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0));
696 
697 	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
698 	crwr->sec_cpl.seqno_numivs = htobe32(
699 	    V_SCMD_SEQ_NO_CTRL(0) |
700 	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
701 	    V_SCMD_ENC_DEC_CTRL(op_type) |
702 	    V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) |
703 	    V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_NOP) |
704 	    V_SCMD_HMAC_CTRL(SCMD_HMAC_CTRL_NOP) |
705 	    V_SCMD_IV_SIZE(iv_len / 2) |
706 	    V_SCMD_NUM_IVS(0));
707 	crwr->sec_cpl.ivgen_hdrlen = htobe32(
708 	    V_SCMD_IV_GEN_CTRL(0) |
709 	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
710 	    V_SCMD_AADIVDROP(1) | V_SCMD_HDR_LEN(dsgl_len));
711 
712 	crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
713 	switch (s->blkcipher.cipher_mode) {
714 	case SCMD_CIPH_MODE_AES_CBC:
715 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
716 			memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
717 			    s->blkcipher.key_len);
718 		else
719 			memcpy(crwr->key_ctx.key, s->blkcipher.deckey,
720 			    s->blkcipher.key_len);
721 		break;
722 	case SCMD_CIPH_MODE_AES_CTR:
723 		memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
724 		    s->blkcipher.key_len);
725 		break;
726 	case SCMD_CIPH_MODE_AES_XTS:
727 		key_half = s->blkcipher.key_len / 2;
728 		memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half,
729 		    key_half);
730 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
731 			memcpy(crwr->key_ctx.key + key_half,
732 			    s->blkcipher.enckey, key_half);
733 		else
734 			memcpy(crwr->key_ctx.key + key_half,
735 			    s->blkcipher.deckey, key_half);
736 		break;
737 	}
738 
739 	dst = (char *)(crwr + 1) + kctx_len;
740 	ccr_write_phys_dsgl(s, dst, dsgl_nsegs);
741 	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
742 	memcpy(dst, iv, iv_len);
743 	dst += iv_len;
744 	if (imm_len != 0)
745 		crypto_copydata(crp, crp->crp_payload_start,
746 		    crp->crp_payload_length, dst);
747 	else
748 		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
749 
750 	/* XXX: TODO backpressure */
751 	t4_wrq_tx(sc->adapter, wr);
752 
753 	explicit_bzero(iv, sizeof(iv));
754 	return (0);
755 }
756 
757 static int
758 ccr_blkcipher_done(struct ccr_softc *sc, struct ccr_session *s,
759     struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
760 {
761 
762 	/*
763 	 * The updated IV to permit chained requests is at
764 	 * cpl->data[2], but OCF doesn't permit chained requests.
765 	 */
766 	return (error);
767 }
768 
769 /*
770  * 'hashsize' is the length of a full digest.  'authsize' is the
771  * requested digest length for this operation which may be less
772  * than 'hashsize'.
773  */
774 static int
775 ccr_hmac_ctrl(unsigned int hashsize, unsigned int authsize)
776 {
777 
778 	if (authsize == 10)
779 		return (SCMD_HMAC_CTRL_TRUNC_RFC4366);
780 	if (authsize == 12)
781 		return (SCMD_HMAC_CTRL_IPSEC_96BIT);
782 	if (authsize == hashsize / 2)
783 		return (SCMD_HMAC_CTRL_DIV2);
784 	return (SCMD_HMAC_CTRL_NO_TRUNC);
785 }
786 
787 static int
788 ccr_eta(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
789 {
790 	char iv[CHCR_MAX_CRYPTO_IV_LEN];
791 	struct chcr_wr *crwr;
792 	struct wrqe *wr;
793 	struct auth_hash *axf;
794 	char *dst;
795 	u_int kctx_len, key_half, op_type, transhdr_len, wr_len;
796 	u_int hash_size_in_response, imm_len, iopad_size, iv_len;
797 	u_int aad_start, aad_stop;
798 	u_int auth_insert;
799 	u_int cipher_start, cipher_stop;
800 	u_int hmac_ctrl, input_len;
801 	int dsgl_nsegs, dsgl_len;
802 	int sgl_nsegs, sgl_len;
803 	int error;
804 
805 	/*
806 	 * If there is a need in the future, requests with an empty
807 	 * payload could be supported as HMAC-only requests.
808 	 */
809 	if (s->blkcipher.key_len == 0 || crp->crp_payload_length == 0)
810 		return (EINVAL);
811 	if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC &&
812 	    (crp->crp_payload_length % AES_BLOCK_LEN) != 0)
813 		return (EINVAL);
814 
815 	/* For AES-XTS we send a 16-byte IV in the work request. */
816 	if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS)
817 		iv_len = AES_BLOCK_LEN;
818 	else
819 		iv_len = s->blkcipher.iv_len;
820 
821 	if (crp->crp_aad_length + iv_len > MAX_AAD_LEN)
822 		return (EINVAL);
823 
824 	axf = s->hmac.auth_hash;
825 	hash_size_in_response = s->hmac.hash_len;
826 	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
827 		op_type = CHCR_ENCRYPT_OP;
828 	else
829 		op_type = CHCR_DECRYPT_OP;
830 
831 	/*
832 	 * The output buffer consists of the cipher text followed by
833 	 * the hash when encrypting.  For decryption it only contains
834 	 * the plain text.
835 	 *
836 	 * Due to a firmware bug, the output buffer must include a
837 	 * dummy output buffer for the IV and AAD prior to the real
838 	 * output buffer.
839 	 */
840 	if (op_type == CHCR_ENCRYPT_OP) {
841 		if (iv_len + crp->crp_aad_length + crp->crp_payload_length +
842 		    hash_size_in_response > MAX_REQUEST_SIZE)
843 			return (EFBIG);
844 	} else {
845 		if (iv_len + crp->crp_aad_length + crp->crp_payload_length >
846 		    MAX_REQUEST_SIZE)
847 			return (EFBIG);
848 	}
849 	sglist_reset(s->sg_dsgl);
850 	error = sglist_append_sglist(s->sg_dsgl, sc->sg_iv_aad, 0,
851 	    iv_len + crp->crp_aad_length);
852 	if (error)
853 		return (error);
854 	if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
855 		error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
856 		    crp->crp_payload_output_start, crp->crp_payload_length);
857 	else
858 		error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
859 		    crp->crp_payload_start, crp->crp_payload_length);
860 	if (error)
861 		return (error);
862 	if (op_type == CHCR_ENCRYPT_OP) {
863 		if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
864 			error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
865 			    crp->crp_digest_start, hash_size_in_response);
866 		else
867 			error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
868 			    crp->crp_digest_start, hash_size_in_response);
869 		if (error)
870 			return (error);
871 	}
872 	dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN);
873 	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
874 		return (EFBIG);
875 	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
876 
877 	/* PADs must be 128-bit aligned. */
878 	iopad_size = roundup2(s->hmac.partial_digest_len, 16);
879 
880 	/*
881 	 * The 'key' part of the key context consists of the key followed
882 	 * by the IPAD and OPAD.
883 	 */
884 	kctx_len = roundup2(s->blkcipher.key_len, 16) + iopad_size * 2;
885 	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
886 
887 	/*
888 	 * The input buffer consists of the IV, any AAD, and then the
889 	 * cipher/plain text.  For decryption requests the hash is
890 	 * appended after the cipher text.
891 	 *
892 	 * The IV is always stored at the start of the input buffer
893 	 * even though it may be duplicated in the payload.  The
894 	 * crypto engine doesn't work properly if the IV offset points
895 	 * inside of the AAD region, so a second copy is always
896 	 * required.
897 	 */
898 	input_len = crp->crp_aad_length + crp->crp_payload_length;
899 
900 	/*
901 	 * The firmware hangs if sent a request which is a
902 	 * bit smaller than MAX_REQUEST_SIZE.  In particular, the
903 	 * firmware appears to require 512 - 16 bytes of spare room
904 	 * along with the size of the hash even if the hash isn't
905 	 * included in the input buffer.
906 	 */
907 	if (input_len + roundup2(axf->hashsize, 16) + (512 - 16) >
908 	    MAX_REQUEST_SIZE)
909 		return (EFBIG);
910 	if (op_type == CHCR_DECRYPT_OP)
911 		input_len += hash_size_in_response;
912 
913 	if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) {
914 		imm_len = input_len;
915 		sgl_nsegs = 0;
916 		sgl_len = 0;
917 	} else {
918 		imm_len = 0;
919 		sglist_reset(s->sg_ulptx);
920 		if (crp->crp_aad_length != 0) {
921 			if (crp->crp_aad != NULL)
922 				error = sglist_append(s->sg_ulptx,
923 				    crp->crp_aad, crp->crp_aad_length);
924 			else
925 				error = sglist_append_sglist(s->sg_ulptx,
926 				    s->sg_input, crp->crp_aad_start,
927 				    crp->crp_aad_length);
928 			if (error)
929 				return (error);
930 		}
931 		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
932 		    crp->crp_payload_start, crp->crp_payload_length);
933 		if (error)
934 			return (error);
935 		if (op_type == CHCR_DECRYPT_OP) {
936 			error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
937 			    crp->crp_digest_start, hash_size_in_response);
938 			if (error)
939 				return (error);
940 		}
941 		sgl_nsegs = s->sg_ulptx->sg_nseg;
942 		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
943 	}
944 
945 	/* Any AAD comes after the IV. */
946 	if (crp->crp_aad_length != 0) {
947 		aad_start = iv_len + 1;
948 		aad_stop = aad_start + crp->crp_aad_length - 1;
949 	} else {
950 		aad_start = 0;
951 		aad_stop = 0;
952 	}
953 	cipher_start = iv_len + crp->crp_aad_length + 1;
954 	if (op_type == CHCR_DECRYPT_OP)
955 		cipher_stop = hash_size_in_response;
956 	else
957 		cipher_stop = 0;
958 	if (op_type == CHCR_DECRYPT_OP)
959 		auth_insert = hash_size_in_response;
960 	else
961 		auth_insert = 0;
962 
963 	wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) +
964 	    sgl_len;
965 	if (wr_len > SGE_MAX_WR_LEN)
966 		return (EFBIG);
967 	wr = alloc_wrqe(wr_len, s->port->txq);
968 	if (wr == NULL) {
969 		counter_u64_add(sc->stats_wr_nomem, 1);
970 		return (ENOMEM);
971 	}
972 	crwr = wrtod(wr);
973 	memset(crwr, 0, wr_len);
974 
975 	crypto_read_iv(crp, iv);
976 
977 	/* Zero the remainder of the IV for AES-XTS. */
978 	memset(iv + s->blkcipher.iv_len, 0, iv_len - s->blkcipher.iv_len);
979 
980 	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len,
981 	    op_type == CHCR_DECRYPT_OP ? hash_size_in_response : 0, crp);
982 
983 	crwr->sec_cpl.op_ivinsrtofst = htobe32(
984 	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
985 	    V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) |
986 	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
987 	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
988 	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
989 
990 	crwr->sec_cpl.pldlen = htobe32(iv_len + input_len);
991 
992 	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
993 	    V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
994 	    V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
995 	    V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
996 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(cipher_stop >> 4));
997 	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
998 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(cipher_stop & 0xf) |
999 	    V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) |
1000 	    V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) |
1001 	    V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
1002 
1003 	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
1004 	hmac_ctrl = ccr_hmac_ctrl(axf->hashsize, hash_size_in_response);
1005 	crwr->sec_cpl.seqno_numivs = htobe32(
1006 	    V_SCMD_SEQ_NO_CTRL(0) |
1007 	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
1008 	    V_SCMD_ENC_DEC_CTRL(op_type) |
1009 	    V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) |
1010 	    V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) |
1011 	    V_SCMD_AUTH_MODE(s->hmac.auth_mode) |
1012 	    V_SCMD_HMAC_CTRL(hmac_ctrl) |
1013 	    V_SCMD_IV_SIZE(iv_len / 2) |
1014 	    V_SCMD_NUM_IVS(0));
1015 	crwr->sec_cpl.ivgen_hdrlen = htobe32(
1016 	    V_SCMD_IV_GEN_CTRL(0) |
1017 	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
1018 	    V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
1019 
1020 	crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
1021 	switch (s->blkcipher.cipher_mode) {
1022 	case SCMD_CIPH_MODE_AES_CBC:
1023 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
1024 			memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
1025 			    s->blkcipher.key_len);
1026 		else
1027 			memcpy(crwr->key_ctx.key, s->blkcipher.deckey,
1028 			    s->blkcipher.key_len);
1029 		break;
1030 	case SCMD_CIPH_MODE_AES_CTR:
1031 		memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
1032 		    s->blkcipher.key_len);
1033 		break;
1034 	case SCMD_CIPH_MODE_AES_XTS:
1035 		key_half = s->blkcipher.key_len / 2;
1036 		memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half,
1037 		    key_half);
1038 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
1039 			memcpy(crwr->key_ctx.key + key_half,
1040 			    s->blkcipher.enckey, key_half);
1041 		else
1042 			memcpy(crwr->key_ctx.key + key_half,
1043 			    s->blkcipher.deckey, key_half);
1044 		break;
1045 	}
1046 
1047 	dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16);
1048 	memcpy(dst, s->hmac.pads, iopad_size * 2);
1049 
1050 	dst = (char *)(crwr + 1) + kctx_len;
1051 	ccr_write_phys_dsgl(s, dst, dsgl_nsegs);
1052 	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
1053 	memcpy(dst, iv, iv_len);
1054 	dst += iv_len;
1055 	if (imm_len != 0) {
1056 		if (crp->crp_aad_length != 0) {
1057 			if (crp->crp_aad != NULL)
1058 				memcpy(dst, crp->crp_aad, crp->crp_aad_length);
1059 			else
1060 				crypto_copydata(crp, crp->crp_aad_start,
1061 				    crp->crp_aad_length, dst);
1062 			dst += crp->crp_aad_length;
1063 		}
1064 		crypto_copydata(crp, crp->crp_payload_start,
1065 		    crp->crp_payload_length, dst);
1066 		dst += crp->crp_payload_length;
1067 		if (op_type == CHCR_DECRYPT_OP)
1068 			crypto_copydata(crp, crp->crp_digest_start,
1069 			    hash_size_in_response, dst);
1070 	} else
1071 		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
1072 
1073 	/* XXX: TODO backpressure */
1074 	t4_wrq_tx(sc->adapter, wr);
1075 
1076 	explicit_bzero(iv, sizeof(iv));
1077 	return (0);
1078 }
1079 
1080 static int
1081 ccr_eta_done(struct ccr_softc *sc, struct ccr_session *s,
1082     struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
1083 {
1084 
1085 	/*
1086 	 * The updated IV to permit chained requests is at
1087 	 * cpl->data[2], but OCF doesn't permit chained requests.
1088 	 */
1089 	return (error);
1090 }
1091 
1092 static int
1093 ccr_gcm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
1094 {
1095 	char iv[CHCR_MAX_CRYPTO_IV_LEN];
1096 	struct chcr_wr *crwr;
1097 	struct wrqe *wr;
1098 	char *dst;
1099 	u_int iv_len, kctx_len, op_type, transhdr_len, wr_len;
1100 	u_int hash_size_in_response, imm_len;
1101 	u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert;
1102 	u_int hmac_ctrl, input_len;
1103 	int dsgl_nsegs, dsgl_len;
1104 	int sgl_nsegs, sgl_len;
1105 	int error;
1106 
1107 	if (s->blkcipher.key_len == 0)
1108 		return (EINVAL);
1109 
1110 	/*
1111 	 * The crypto engine doesn't handle GCM requests with an empty
1112 	 * payload, so handle those in software instead.
1113 	 */
1114 	if (crp->crp_payload_length == 0)
1115 		return (EMSGSIZE);
1116 
1117 	if (crp->crp_aad_length + AES_BLOCK_LEN > MAX_AAD_LEN)
1118 		return (EMSGSIZE);
1119 
1120 	hash_size_in_response = s->gmac.hash_len;
1121 	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
1122 		op_type = CHCR_ENCRYPT_OP;
1123 	else
1124 		op_type = CHCR_DECRYPT_OP;
1125 
1126 	/*
1127 	 * The IV handling for GCM in OCF is a bit more complicated in
1128 	 * that IPSec provides a full 16-byte IV (including the
1129 	 * counter), whereas the /dev/crypto interface sometimes
1130 	 * provides a full 16-byte IV (if no IV is provided in the
1131 	 * ioctl) and sometimes a 12-byte IV (if the IV was explicit).
1132 	 *
1133 	 * When provided a 12-byte IV, assume the IV is really 16 bytes
1134 	 * with a counter in the last 4 bytes initialized to 1.
1135 	 *
1136 	 * While iv_len is checked below, the value is currently
1137 	 * always set to 12 when creating a GCM session in this driver
1138 	 * due to limitations in OCF (there is no way to know what the
1139 	 * IV length of a given request will be).  This means that the
1140 	 * driver always assumes as 12-byte IV for now.
1141 	 */
1142 	if (s->blkcipher.iv_len == 12)
1143 		iv_len = AES_BLOCK_LEN;
1144 	else
1145 		iv_len = s->blkcipher.iv_len;
1146 
1147 	/*
1148 	 * GCM requests should always provide an explicit IV.
1149 	 */
1150 	if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0)
1151 		return (EINVAL);
1152 
1153 	/*
1154 	 * The output buffer consists of the cipher text followed by
1155 	 * the tag when encrypting.  For decryption it only contains
1156 	 * the plain text.
1157 	 *
1158 	 * Due to a firmware bug, the output buffer must include a
1159 	 * dummy output buffer for the IV and AAD prior to the real
1160 	 * output buffer.
1161 	 */
1162 	if (op_type == CHCR_ENCRYPT_OP) {
1163 		if (iv_len + crp->crp_aad_length + crp->crp_payload_length +
1164 		    hash_size_in_response > MAX_REQUEST_SIZE)
1165 			return (EFBIG);
1166 	} else {
1167 		if (iv_len + crp->crp_aad_length + crp->crp_payload_length >
1168 		    MAX_REQUEST_SIZE)
1169 			return (EFBIG);
1170 	}
1171 	sglist_reset(s->sg_dsgl);
1172 	error = sglist_append_sglist(s->sg_dsgl, sc->sg_iv_aad, 0, iv_len +
1173 	    crp->crp_aad_length);
1174 	if (error)
1175 		return (error);
1176 	if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
1177 		error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
1178 		    crp->crp_payload_output_start, crp->crp_payload_length);
1179 	else
1180 		error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
1181 		    crp->crp_payload_start, crp->crp_payload_length);
1182 	if (error)
1183 		return (error);
1184 	if (op_type == CHCR_ENCRYPT_OP) {
1185 		if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
1186 			error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
1187 			    crp->crp_digest_start, hash_size_in_response);
1188 		else
1189 			error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
1190 			    crp->crp_digest_start, hash_size_in_response);
1191 		if (error)
1192 			return (error);
1193 	}
1194 	dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN);
1195 	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
1196 		return (EFBIG);
1197 	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
1198 
1199 	/*
1200 	 * The 'key' part of the key context consists of the key followed
1201 	 * by the Galois hash key.
1202 	 */
1203 	kctx_len = roundup2(s->blkcipher.key_len, 16) + GMAC_BLOCK_LEN;
1204 	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
1205 
1206 	/*
1207 	 * The input buffer consists of the IV, any AAD, and then the
1208 	 * cipher/plain text.  For decryption requests the hash is
1209 	 * appended after the cipher text.
1210 	 *
1211 	 * The IV is always stored at the start of the input buffer
1212 	 * even though it may be duplicated in the payload.  The
1213 	 * crypto engine doesn't work properly if the IV offset points
1214 	 * inside of the AAD region, so a second copy is always
1215 	 * required.
1216 	 */
1217 	input_len = crp->crp_aad_length + crp->crp_payload_length;
1218 	if (op_type == CHCR_DECRYPT_OP)
1219 		input_len += hash_size_in_response;
1220 	if (input_len > MAX_REQUEST_SIZE)
1221 		return (EFBIG);
1222 	if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) {
1223 		imm_len = input_len;
1224 		sgl_nsegs = 0;
1225 		sgl_len = 0;
1226 	} else {
1227 		imm_len = 0;
1228 		sglist_reset(s->sg_ulptx);
1229 		if (crp->crp_aad_length != 0) {
1230 			if (crp->crp_aad != NULL)
1231 				error = sglist_append(s->sg_ulptx,
1232 				    crp->crp_aad, crp->crp_aad_length);
1233 			else
1234 				error = sglist_append_sglist(s->sg_ulptx,
1235 				    s->sg_input, crp->crp_aad_start,
1236 				    crp->crp_aad_length);
1237 			if (error)
1238 				return (error);
1239 		}
1240 		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
1241 		    crp->crp_payload_start, crp->crp_payload_length);
1242 		if (error)
1243 			return (error);
1244 		if (op_type == CHCR_DECRYPT_OP) {
1245 			error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
1246 			    crp->crp_digest_start, hash_size_in_response);
1247 			if (error)
1248 				return (error);
1249 		}
1250 		sgl_nsegs = s->sg_ulptx->sg_nseg;
1251 		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
1252 	}
1253 
1254 	if (crp->crp_aad_length != 0) {
1255 		aad_start = iv_len + 1;
1256 		aad_stop = aad_start + crp->crp_aad_length - 1;
1257 	} else {
1258 		aad_start = 0;
1259 		aad_stop = 0;
1260 	}
1261 	cipher_start = iv_len + crp->crp_aad_length + 1;
1262 	if (op_type == CHCR_DECRYPT_OP)
1263 		cipher_stop = hash_size_in_response;
1264 	else
1265 		cipher_stop = 0;
1266 	if (op_type == CHCR_DECRYPT_OP)
1267 		auth_insert = hash_size_in_response;
1268 	else
1269 		auth_insert = 0;
1270 
1271 	wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) +
1272 	    sgl_len;
1273 	if (wr_len > SGE_MAX_WR_LEN)
1274 		return (EFBIG);
1275 	wr = alloc_wrqe(wr_len, s->port->txq);
1276 	if (wr == NULL) {
1277 		counter_u64_add(sc->stats_wr_nomem, 1);
1278 		return (ENOMEM);
1279 	}
1280 	crwr = wrtod(wr);
1281 	memset(crwr, 0, wr_len);
1282 
1283 	memcpy(iv, crp->crp_iv, s->blkcipher.iv_len);
1284 	if (s->blkcipher.iv_len == 12)
1285 		*(uint32_t *)&iv[12] = htobe32(1);
1286 
1287 	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0,
1288 	    crp);
1289 
1290 	crwr->sec_cpl.op_ivinsrtofst = htobe32(
1291 	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
1292 	    V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) |
1293 	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
1294 	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
1295 	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
1296 
1297 	crwr->sec_cpl.pldlen = htobe32(iv_len + input_len);
1298 
1299 	/*
1300 	 * NB: cipherstop is explicitly set to 0.  On encrypt it
1301 	 * should normally be set to 0 anyway.  However, for decrypt
1302 	 * the cipher ends before the tag in the ETA case (and
1303 	 * authstop is set to stop before the tag), but for GCM the
1304 	 * cipher still runs to the end of the buffer.  Not sure if
1305 	 * this is intentional or a firmware quirk, but it is required
1306 	 * for working tag validation with GCM decryption.
1307 	 */
1308 	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
1309 	    V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
1310 	    V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
1311 	    V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
1312 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
1313 	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
1314 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) |
1315 	    V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) |
1316 	    V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) |
1317 	    V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
1318 
1319 	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
1320 	hmac_ctrl = ccr_hmac_ctrl(AES_GMAC_HASH_LEN, hash_size_in_response);
1321 	crwr->sec_cpl.seqno_numivs = htobe32(
1322 	    V_SCMD_SEQ_NO_CTRL(0) |
1323 	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
1324 	    V_SCMD_ENC_DEC_CTRL(op_type) |
1325 	    V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) |
1326 	    V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_GCM) |
1327 	    V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_GHASH) |
1328 	    V_SCMD_HMAC_CTRL(hmac_ctrl) |
1329 	    V_SCMD_IV_SIZE(iv_len / 2) |
1330 	    V_SCMD_NUM_IVS(0));
1331 	crwr->sec_cpl.ivgen_hdrlen = htobe32(
1332 	    V_SCMD_IV_GEN_CTRL(0) |
1333 	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
1334 	    V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
1335 
1336 	crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
1337 	memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len);
1338 	dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16);
1339 	memcpy(dst, s->gmac.ghash_h, GMAC_BLOCK_LEN);
1340 
1341 	dst = (char *)(crwr + 1) + kctx_len;
1342 	ccr_write_phys_dsgl(s, dst, dsgl_nsegs);
1343 	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
1344 	memcpy(dst, iv, iv_len);
1345 	dst += iv_len;
1346 	if (imm_len != 0) {
1347 		if (crp->crp_aad_length != 0) {
1348 			if (crp->crp_aad != NULL)
1349 				memcpy(dst, crp->crp_aad, crp->crp_aad_length);
1350 			else
1351 				crypto_copydata(crp, crp->crp_aad_start,
1352 				    crp->crp_aad_length, dst);
1353 			dst += crp->crp_aad_length;
1354 		}
1355 		crypto_copydata(crp, crp->crp_payload_start,
1356 		    crp->crp_payload_length, dst);
1357 		dst += crp->crp_payload_length;
1358 		if (op_type == CHCR_DECRYPT_OP)
1359 			crypto_copydata(crp, crp->crp_digest_start,
1360 			    hash_size_in_response, dst);
1361 	} else
1362 		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
1363 
1364 	/* XXX: TODO backpressure */
1365 	t4_wrq_tx(sc->adapter, wr);
1366 
1367 	explicit_bzero(iv, sizeof(iv));
1368 	return (0);
1369 }
1370 
1371 static int
1372 ccr_gcm_done(struct ccr_softc *sc, struct ccr_session *s,
1373     struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
1374 {
1375 
1376 	/*
1377 	 * The updated IV to permit chained requests is at
1378 	 * cpl->data[2], but OCF doesn't permit chained requests.
1379 	 *
1380 	 * Note that the hardware should always verify the GMAC hash.
1381 	 */
1382 	return (error);
1383 }
1384 
1385 /*
1386  * Handle a GCM request that is not supported by the crypto engine by
1387  * performing the operation in software.  Derived from swcr_authenc().
1388  */
1389 static void
1390 ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp)
1391 {
1392 	struct auth_hash *axf;
1393 	struct enc_xform *exf;
1394 	void *auth_ctx, *kschedule;
1395 	char block[GMAC_BLOCK_LEN];
1396 	char digest[GMAC_DIGEST_LEN];
1397 	char iv[AES_BLOCK_LEN];
1398 	int error, i, len;
1399 
1400 	auth_ctx = NULL;
1401 	kschedule = NULL;
1402 
1403 	/* Initialize the MAC. */
1404 	switch (s->blkcipher.key_len) {
1405 	case 16:
1406 		axf = &auth_hash_nist_gmac_aes_128;
1407 		break;
1408 	case 24:
1409 		axf = &auth_hash_nist_gmac_aes_192;
1410 		break;
1411 	case 32:
1412 		axf = &auth_hash_nist_gmac_aes_256;
1413 		break;
1414 	default:
1415 		error = EINVAL;
1416 		goto out;
1417 	}
1418 	auth_ctx = malloc(axf->ctxsize, M_CCR, M_NOWAIT);
1419 	if (auth_ctx == NULL) {
1420 		error = ENOMEM;
1421 		goto out;
1422 	}
1423 	axf->Init(auth_ctx);
1424 	axf->Setkey(auth_ctx, s->blkcipher.enckey, s->blkcipher.key_len);
1425 
1426 	/* Initialize the cipher. */
1427 	exf = &enc_xform_aes_nist_gcm;
1428 	kschedule = malloc(exf->ctxsize, M_CCR, M_NOWAIT);
1429 	if (kschedule == NULL) {
1430 		error = ENOMEM;
1431 		goto out;
1432 	}
1433 	error = exf->setkey(kschedule, s->blkcipher.enckey,
1434 	    s->blkcipher.key_len);
1435 	if (error)
1436 		goto out;
1437 
1438 	/*
1439 	 * This assumes a 12-byte IV from the crp.  See longer comment
1440 	 * above in ccr_gcm() for more details.
1441 	 */
1442 	if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) {
1443 		error = EINVAL;
1444 		goto out;
1445 	}
1446 	memcpy(iv, crp->crp_iv, 12);
1447 	*(uint32_t *)&iv[12] = htobe32(1);
1448 
1449 	axf->Reinit(auth_ctx, iv, sizeof(iv));
1450 
1451 	/* MAC the AAD. */
1452 	if (crp->crp_aad != NULL) {
1453 		len = rounddown(crp->crp_aad_length, sizeof(block));
1454 		if (len != 0)
1455 			axf->Update(auth_ctx, crp->crp_aad, len);
1456 		if (crp->crp_aad_length != len) {
1457 			memset(block, 0, sizeof(block));
1458 			memcpy(block, (char *)crp->crp_aad + len,
1459 			    crp->crp_aad_length - len);
1460 			axf->Update(auth_ctx, block, sizeof(block));
1461 		}
1462 	} else {
1463 		for (i = 0; i < crp->crp_aad_length; i += sizeof(block)) {
1464 			len = imin(crp->crp_aad_length - i, sizeof(block));
1465 			crypto_copydata(crp, crp->crp_aad_start + i, len,
1466 			    block);
1467 			bzero(block + len, sizeof(block) - len);
1468 			axf->Update(auth_ctx, block, sizeof(block));
1469 		}
1470 	}
1471 
1472 	exf->reinit(kschedule, iv);
1473 
1474 	/* Do encryption with MAC */
1475 	for (i = 0; i < crp->crp_payload_length; i += sizeof(block)) {
1476 		len = imin(crp->crp_payload_length - i, sizeof(block));
1477 		crypto_copydata(crp, crp->crp_payload_start + i, len, block);
1478 		bzero(block + len, sizeof(block) - len);
1479 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
1480 			exf->encrypt(kschedule, block, block);
1481 			axf->Update(auth_ctx, block, len);
1482 			crypto_copyback(crp, crp->crp_payload_start + i, len,
1483 			    block);
1484 		} else {
1485 			axf->Update(auth_ctx, block, len);
1486 		}
1487 	}
1488 
1489 	/* Length block. */
1490 	bzero(block, sizeof(block));
1491 	((uint32_t *)block)[1] = htobe32(crp->crp_aad_length * 8);
1492 	((uint32_t *)block)[3] = htobe32(crp->crp_payload_length * 8);
1493 	axf->Update(auth_ctx, block, sizeof(block));
1494 
1495 	/* Finalize MAC. */
1496 	axf->Final(digest, auth_ctx);
1497 
1498 	/* Inject or validate tag. */
1499 	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
1500 		crypto_copyback(crp, crp->crp_digest_start, sizeof(digest),
1501 		    digest);
1502 		error = 0;
1503 	} else {
1504 		char digest2[GMAC_DIGEST_LEN];
1505 
1506 		crypto_copydata(crp, crp->crp_digest_start, sizeof(digest2),
1507 		    digest2);
1508 		if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) {
1509 			error = 0;
1510 
1511 			/* Tag matches, decrypt data. */
1512 			for (i = 0; i < crp->crp_payload_length;
1513 			     i += sizeof(block)) {
1514 				len = imin(crp->crp_payload_length - i,
1515 				    sizeof(block));
1516 				crypto_copydata(crp, crp->crp_payload_start + i,
1517 				    len, block);
1518 				bzero(block + len, sizeof(block) - len);
1519 				exf->decrypt(kschedule, block, block);
1520 				crypto_copyback(crp, crp->crp_payload_start + i,
1521 				    len, block);
1522 			}
1523 		} else
1524 			error = EBADMSG;
1525 		explicit_bzero(digest2, sizeof(digest2));
1526 	}
1527 
1528 out:
1529 	zfree(kschedule, M_CCR);
1530 	zfree(auth_ctx, M_CCR);
1531 	explicit_bzero(block, sizeof(block));
1532 	explicit_bzero(iv, sizeof(iv));
1533 	explicit_bzero(digest, sizeof(digest));
1534 	crp->crp_etype = error;
1535 	crypto_done(crp);
1536 }
1537 
1538 static void
1539 generate_ccm_b0(struct cryptop *crp, u_int hash_size_in_response,
1540     const char *iv, char *b0)
1541 {
1542 	u_int i, payload_len;
1543 
1544 	/* NB: L is already set in the first byte of the IV. */
1545 	memcpy(b0, iv, CCM_B0_SIZE);
1546 
1547 	/* Set length of hash in bits 3 - 5. */
1548 	b0[0] |= (((hash_size_in_response - 2) / 2) << 3);
1549 
1550 	/* Store the payload length as a big-endian value. */
1551 	payload_len = crp->crp_payload_length;
1552 	for (i = 0; i < iv[0]; i++) {
1553 		b0[CCM_CBC_BLOCK_LEN - 1 - i] = payload_len;
1554 		payload_len >>= 8;
1555 	}
1556 
1557 	/*
1558 	 * If there is AAD in the request, set bit 6 in the flags
1559 	 * field and store the AAD length as a big-endian value at the
1560 	 * start of block 1.  This only assumes a 16-bit AAD length
1561 	 * since T6 doesn't support large AAD sizes.
1562 	 */
1563 	if (crp->crp_aad_length != 0) {
1564 		b0[0] |= (1 << 6);
1565 		*(uint16_t *)(b0 + CCM_B0_SIZE) = htobe16(crp->crp_aad_length);
1566 	}
1567 }
1568 
1569 static int
1570 ccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
1571 {
1572 	char iv[CHCR_MAX_CRYPTO_IV_LEN];
1573 	struct ulptx_idata *idata;
1574 	struct chcr_wr *crwr;
1575 	struct wrqe *wr;
1576 	char *dst;
1577 	u_int iv_len, kctx_len, op_type, transhdr_len, wr_len;
1578 	u_int aad_len, b0_len, hash_size_in_response, imm_len;
1579 	u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert;
1580 	u_int hmac_ctrl, input_len;
1581 	int dsgl_nsegs, dsgl_len;
1582 	int sgl_nsegs, sgl_len;
1583 	int error;
1584 
1585 	if (s->blkcipher.key_len == 0)
1586 		return (EINVAL);
1587 
1588 	/*
1589 	 * The crypto engine doesn't handle CCM requests with an empty
1590 	 * payload, so handle those in software instead.
1591 	 */
1592 	if (crp->crp_payload_length == 0)
1593 		return (EMSGSIZE);
1594 
1595 	/*
1596 	 * CCM always includes block 0 in the AAD before AAD from the
1597 	 * request.
1598 	 */
1599 	b0_len = CCM_B0_SIZE;
1600 	if (crp->crp_aad_length != 0)
1601 		b0_len += CCM_AAD_FIELD_SIZE;
1602 	aad_len = b0_len + crp->crp_aad_length;
1603 
1604 	/*
1605 	 * CCM requests should always provide an explicit IV (really
1606 	 * the nonce).
1607 	 */
1608 	if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0)
1609 		return (EINVAL);
1610 
1611 	/*
1612 	 * Always assume a 12 byte input nonce for now since that is
1613 	 * what OCF always generates.  The full IV in the work request
1614 	 * is 16 bytes.
1615 	 */
1616 	iv_len = AES_BLOCK_LEN;
1617 
1618 	if (iv_len + aad_len > MAX_AAD_LEN)
1619 		return (EMSGSIZE);
1620 
1621 	hash_size_in_response = s->ccm_mac.hash_len;
1622 	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
1623 		op_type = CHCR_ENCRYPT_OP;
1624 	else
1625 		op_type = CHCR_DECRYPT_OP;
1626 
1627 	/*
1628 	 * The output buffer consists of the cipher text followed by
1629 	 * the tag when encrypting.  For decryption it only contains
1630 	 * the plain text.
1631 	 *
1632 	 * Due to a firmware bug, the output buffer must include a
1633 	 * dummy output buffer for the IV and AAD prior to the real
1634 	 * output buffer.
1635 	 */
1636 	if (op_type == CHCR_ENCRYPT_OP) {
1637 		if (iv_len + aad_len + crp->crp_payload_length +
1638 		    hash_size_in_response > MAX_REQUEST_SIZE)
1639 			return (EFBIG);
1640 	} else {
1641 		if (iv_len + aad_len + crp->crp_payload_length >
1642 		    MAX_REQUEST_SIZE)
1643 			return (EFBIG);
1644 	}
1645 	sglist_reset(s->sg_dsgl);
1646 	error = sglist_append_sglist(s->sg_dsgl, sc->sg_iv_aad, 0, iv_len +
1647 	    aad_len);
1648 	if (error)
1649 		return (error);
1650 	if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
1651 		error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
1652 		    crp->crp_payload_output_start, crp->crp_payload_length);
1653 	else
1654 		error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
1655 		    crp->crp_payload_start, crp->crp_payload_length);
1656 	if (error)
1657 		return (error);
1658 	if (op_type == CHCR_ENCRYPT_OP) {
1659 		if (CRYPTO_HAS_OUTPUT_BUFFER(crp))
1660 			error = sglist_append_sglist(s->sg_dsgl, s->sg_output,
1661 			    crp->crp_digest_start, hash_size_in_response);
1662 		else
1663 			error = sglist_append_sglist(s->sg_dsgl, s->sg_input,
1664 			    crp->crp_digest_start, hash_size_in_response);
1665 		if (error)
1666 			return (error);
1667 	}
1668 	dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN);
1669 	if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
1670 		return (EFBIG);
1671 	dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
1672 
1673 	/*
1674 	 * The 'key' part of the key context consists of two copies of
1675 	 * the AES key.
1676 	 */
1677 	kctx_len = roundup2(s->blkcipher.key_len, 16) * 2;
1678 	transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
1679 
1680 	/*
1681 	 * The input buffer consists of the IV, AAD (including block
1682 	 * 0), and then the cipher/plain text.  For decryption
1683 	 * requests the hash is appended after the cipher text.
1684 	 *
1685 	 * The IV is always stored at the start of the input buffer
1686 	 * even though it may be duplicated in the payload.  The
1687 	 * crypto engine doesn't work properly if the IV offset points
1688 	 * inside of the AAD region, so a second copy is always
1689 	 * required.
1690 	 */
1691 	input_len = aad_len + crp->crp_payload_length;
1692 	if (op_type == CHCR_DECRYPT_OP)
1693 		input_len += hash_size_in_response;
1694 	if (input_len > MAX_REQUEST_SIZE)
1695 		return (EFBIG);
1696 	if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) {
1697 		imm_len = input_len;
1698 		sgl_nsegs = 0;
1699 		sgl_len = 0;
1700 	} else {
1701 		/* Block 0 is passed as immediate data. */
1702 		imm_len = b0_len;
1703 
1704 		sglist_reset(s->sg_ulptx);
1705 		if (crp->crp_aad_length != 0) {
1706 			if (crp->crp_aad != NULL)
1707 				error = sglist_append(s->sg_ulptx,
1708 				    crp->crp_aad, crp->crp_aad_length);
1709 			else
1710 				error = sglist_append_sglist(s->sg_ulptx,
1711 				    s->sg_input, crp->crp_aad_start,
1712 				    crp->crp_aad_length);
1713 			if (error)
1714 				return (error);
1715 		}
1716 		error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
1717 		    crp->crp_payload_start, crp->crp_payload_length);
1718 		if (error)
1719 			return (error);
1720 		if (op_type == CHCR_DECRYPT_OP) {
1721 			error = sglist_append_sglist(s->sg_ulptx, s->sg_input,
1722 			    crp->crp_digest_start, hash_size_in_response);
1723 			if (error)
1724 				return (error);
1725 		}
1726 		sgl_nsegs = s->sg_ulptx->sg_nseg;
1727 		sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
1728 	}
1729 
1730 	aad_start = iv_len + 1;
1731 	aad_stop = aad_start + aad_len - 1;
1732 	cipher_start = aad_stop + 1;
1733 	if (op_type == CHCR_DECRYPT_OP)
1734 		cipher_stop = hash_size_in_response;
1735 	else
1736 		cipher_stop = 0;
1737 	if (op_type == CHCR_DECRYPT_OP)
1738 		auth_insert = hash_size_in_response;
1739 	else
1740 		auth_insert = 0;
1741 
1742 	wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) +
1743 	    sgl_len;
1744 	if (wr_len > SGE_MAX_WR_LEN)
1745 		return (EFBIG);
1746 	wr = alloc_wrqe(wr_len, s->port->txq);
1747 	if (wr == NULL) {
1748 		counter_u64_add(sc->stats_wr_nomem, 1);
1749 		return (ENOMEM);
1750 	}
1751 	crwr = wrtod(wr);
1752 	memset(crwr, 0, wr_len);
1753 
1754 	/*
1755 	 * Read the nonce from the request.  Use the nonce to generate
1756 	 * the full IV with the counter set to 0.
1757 	 */
1758 	memset(iv, 0, iv_len);
1759 	iv[0] = (15 - AES_CCM_IV_LEN) - 1;
1760 	memcpy(iv + 1, crp->crp_iv, AES_CCM_IV_LEN);
1761 
1762 	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0,
1763 	    crp);
1764 
1765 	crwr->sec_cpl.op_ivinsrtofst = htobe32(
1766 	    V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
1767 	    V_CPL_TX_SEC_PDU_RXCHID(s->port->tx_channel_id) |
1768 	    V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
1769 	    V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
1770 	    V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
1771 
1772 	crwr->sec_cpl.pldlen = htobe32(iv_len + input_len);
1773 
1774 	/*
1775 	 * NB: cipherstop is explicitly set to 0.  See comments above
1776 	 * in ccr_gcm().
1777 	 */
1778 	crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
1779 	    V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
1780 	    V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
1781 	    V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
1782 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
1783 	crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
1784 	    V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) |
1785 	    V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) |
1786 	    V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) |
1787 	    V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
1788 
1789 	/* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
1790 	hmac_ctrl = ccr_hmac_ctrl(AES_CBC_MAC_HASH_LEN, hash_size_in_response);
1791 	crwr->sec_cpl.seqno_numivs = htobe32(
1792 	    V_SCMD_SEQ_NO_CTRL(0) |
1793 	    V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) |
1794 	    V_SCMD_ENC_DEC_CTRL(op_type) |
1795 	    V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 0 : 1) |
1796 	    V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_CCM) |
1797 	    V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_CBCMAC) |
1798 	    V_SCMD_HMAC_CTRL(hmac_ctrl) |
1799 	    V_SCMD_IV_SIZE(iv_len / 2) |
1800 	    V_SCMD_NUM_IVS(0));
1801 	crwr->sec_cpl.ivgen_hdrlen = htobe32(
1802 	    V_SCMD_IV_GEN_CTRL(0) |
1803 	    V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
1804 	    V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
1805 
1806 	crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
1807 	memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len);
1808 	memcpy(crwr->key_ctx.key + roundup(s->blkcipher.key_len, 16),
1809 	    s->blkcipher.enckey, s->blkcipher.key_len);
1810 
1811 	dst = (char *)(crwr + 1) + kctx_len;
1812 	ccr_write_phys_dsgl(s, dst, dsgl_nsegs);
1813 	dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
1814 	memcpy(dst, iv, iv_len);
1815 	dst += iv_len;
1816 	generate_ccm_b0(crp, hash_size_in_response, iv, dst);
1817 	if (sgl_nsegs == 0) {
1818 		dst += b0_len;
1819 		if (crp->crp_aad_length != 0) {
1820 			if (crp->crp_aad != NULL)
1821 				memcpy(dst, crp->crp_aad, crp->crp_aad_length);
1822 			else
1823 				crypto_copydata(crp, crp->crp_aad_start,
1824 				    crp->crp_aad_length, dst);
1825 			dst += crp->crp_aad_length;
1826 		}
1827 		crypto_copydata(crp, crp->crp_payload_start,
1828 		    crp->crp_payload_length, dst);
1829 		dst += crp->crp_payload_length;
1830 		if (op_type == CHCR_DECRYPT_OP)
1831 			crypto_copydata(crp, crp->crp_digest_start,
1832 			    hash_size_in_response, dst);
1833 	} else {
1834 		dst += CCM_B0_SIZE;
1835 		if (b0_len > CCM_B0_SIZE) {
1836 			/*
1837 			 * If there is AAD, insert padding including a
1838 			 * ULP_TX_SC_NOOP so that the ULP_TX_SC_DSGL
1839 			 * is 16-byte aligned.
1840 			 */
1841 			KASSERT(b0_len - CCM_B0_SIZE == CCM_AAD_FIELD_SIZE,
1842 			    ("b0_len mismatch"));
1843 			memset(dst + CCM_AAD_FIELD_SIZE, 0,
1844 			    8 - CCM_AAD_FIELD_SIZE);
1845 			idata = (void *)(dst + 8);
1846 			idata->cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_NOOP));
1847 			idata->len = htobe32(0);
1848 			dst = (void *)(idata + 1);
1849 		}
1850 		ccr_write_ulptx_sgl(s, dst, sgl_nsegs);
1851 	}
1852 
1853 	/* XXX: TODO backpressure */
1854 	t4_wrq_tx(sc->adapter, wr);
1855 
1856 	explicit_bzero(iv, sizeof(iv));
1857 	return (0);
1858 }
1859 
1860 static int
1861 ccr_ccm_done(struct ccr_softc *sc, struct ccr_session *s,
1862     struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
1863 {
1864 
1865 	/*
1866 	 * The updated IV to permit chained requests is at
1867 	 * cpl->data[2], but OCF doesn't permit chained requests.
1868 	 *
1869 	 * Note that the hardware should always verify the CBC MAC
1870 	 * hash.
1871 	 */
1872 	return (error);
1873 }
1874 
1875 /*
1876  * Handle a CCM request that is not supported by the crypto engine by
1877  * performing the operation in software.  Derived from swcr_authenc().
1878  */
1879 static void
1880 ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
1881 {
1882 	struct auth_hash *axf;
1883 	struct enc_xform *exf;
1884 	union authctx *auth_ctx;
1885 	void *kschedule;
1886 	char block[CCM_CBC_BLOCK_LEN];
1887 	char digest[AES_CBC_MAC_HASH_LEN];
1888 	char iv[AES_CCM_IV_LEN];
1889 	int error, i, len;
1890 
1891 	auth_ctx = NULL;
1892 	kschedule = NULL;
1893 
1894 	/* Initialize the MAC. */
1895 	switch (s->blkcipher.key_len) {
1896 	case 16:
1897 		axf = &auth_hash_ccm_cbc_mac_128;
1898 		break;
1899 	case 24:
1900 		axf = &auth_hash_ccm_cbc_mac_192;
1901 		break;
1902 	case 32:
1903 		axf = &auth_hash_ccm_cbc_mac_256;
1904 		break;
1905 	default:
1906 		error = EINVAL;
1907 		goto out;
1908 	}
1909 	auth_ctx = malloc(axf->ctxsize, M_CCR, M_NOWAIT);
1910 	if (auth_ctx == NULL) {
1911 		error = ENOMEM;
1912 		goto out;
1913 	}
1914 	axf->Init(auth_ctx);
1915 	axf->Setkey(auth_ctx, s->blkcipher.enckey, s->blkcipher.key_len);
1916 
1917 	/* Initialize the cipher. */
1918 	exf = &enc_xform_ccm;
1919 	kschedule = malloc(exf->ctxsize, M_CCR, M_NOWAIT);
1920 	if (kschedule == NULL) {
1921 		error = ENOMEM;
1922 		goto out;
1923 	}
1924 	error = exf->setkey(kschedule, s->blkcipher.enckey,
1925 	    s->blkcipher.key_len);
1926 	if (error)
1927 		goto out;
1928 
1929 	if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) {
1930 		error = EINVAL;
1931 		goto out;
1932 	}
1933 	memcpy(iv, crp->crp_iv, AES_CCM_IV_LEN);
1934 
1935 	auth_ctx->aes_cbc_mac_ctx.authDataLength = crp->crp_aad_length;
1936 	auth_ctx->aes_cbc_mac_ctx.cryptDataLength = crp->crp_payload_length;
1937 	axf->Reinit(auth_ctx, iv, sizeof(iv));
1938 
1939 	/* MAC the AAD. */
1940 	if (crp->crp_aad != NULL)
1941 		error = axf->Update(auth_ctx, crp->crp_aad,
1942 		    crp->crp_aad_length);
1943 	else
1944 		error = crypto_apply(crp, crp->crp_aad_start,
1945 		    crp->crp_aad_length, axf->Update, auth_ctx);
1946 	if (error)
1947 		goto out;
1948 
1949 	exf->reinit(kschedule, iv);
1950 
1951 	/* Do encryption/decryption with MAC */
1952 	for (i = 0; i < crp->crp_payload_length; i += sizeof(block)) {
1953 		len = imin(crp->crp_payload_length - i, sizeof(block));
1954 		crypto_copydata(crp, crp->crp_payload_start + i, len, block);
1955 		bzero(block + len, sizeof(block) - len);
1956 		if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
1957 			axf->Update(auth_ctx, block, len);
1958 			exf->encrypt(kschedule, block, block);
1959 			crypto_copyback(crp, crp->crp_payload_start + i, len,
1960 			    block);
1961 		} else {
1962 			exf->decrypt(kschedule, block, block);
1963 			axf->Update(auth_ctx, block, len);
1964 		}
1965 	}
1966 
1967 	/* Finalize MAC. */
1968 	axf->Final(digest, auth_ctx);
1969 
1970 	/* Inject or validate tag. */
1971 	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
1972 		crypto_copyback(crp, crp->crp_digest_start, sizeof(digest),
1973 		    digest);
1974 		error = 0;
1975 	} else {
1976 		char digest2[AES_CBC_MAC_HASH_LEN];
1977 
1978 		crypto_copydata(crp, crp->crp_digest_start, sizeof(digest2),
1979 		    digest2);
1980 		if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) {
1981 			error = 0;
1982 
1983 			/* Tag matches, decrypt data. */
1984 			exf->reinit(kschedule, iv);
1985 			for (i = 0; i < crp->crp_payload_length;
1986 			     i += sizeof(block)) {
1987 				len = imin(crp->crp_payload_length - i,
1988 				    sizeof(block));
1989 				crypto_copydata(crp, crp->crp_payload_start + i,
1990 				    len, block);
1991 				bzero(block + len, sizeof(block) - len);
1992 				exf->decrypt(kschedule, block, block);
1993 				crypto_copyback(crp, crp->crp_payload_start + i,
1994 				    len, block);
1995 			}
1996 		} else
1997 			error = EBADMSG;
1998 		explicit_bzero(digest2, sizeof(digest2));
1999 	}
2000 
2001 out:
2002 	zfree(kschedule, M_CCR);
2003 	zfree(auth_ctx, M_CCR);
2004 	explicit_bzero(block, sizeof(block));
2005 	explicit_bzero(iv, sizeof(iv));
2006 	explicit_bzero(digest, sizeof(digest));
2007 	crp->crp_etype = error;
2008 	crypto_done(crp);
2009 }
2010 
2011 static void
2012 ccr_identify(driver_t *driver, device_t parent)
2013 {
2014 	struct adapter *sc;
2015 
2016 	sc = device_get_softc(parent);
2017 	if (sc->cryptocaps & FW_CAPS_CONFIG_CRYPTO_LOOKASIDE &&
2018 	    device_find_child(parent, "ccr", -1) == NULL)
2019 		device_add_child(parent, "ccr", -1);
2020 }
2021 
2022 static int
2023 ccr_probe(device_t dev)
2024 {
2025 
2026 	device_set_desc(dev, "Chelsio Crypto Accelerator");
2027 	return (BUS_PROBE_DEFAULT);
2028 }
2029 
2030 static void
2031 ccr_sysctls(struct ccr_softc *sc)
2032 {
2033 	struct sysctl_ctx_list *ctx;
2034 	struct sysctl_oid *oid, *port_oid;
2035 	struct sysctl_oid_list *children;
2036 	char buf[16];
2037 	int i;
2038 
2039 	ctx = device_get_sysctl_ctx(sc->dev);
2040 
2041 	/*
2042 	 * dev.ccr.X.
2043 	 */
2044 	oid = device_get_sysctl_tree(sc->dev);
2045 	children = SYSCTL_CHILDREN(oid);
2046 
2047 	SYSCTL_ADD_UINT(ctx, children, OID_AUTO, "port_mask", CTLFLAG_RW,
2048 	    &sc->port_mask, 0, "Mask of enabled ports");
2049 
2050 	/*
2051 	 * dev.ccr.X.stats.
2052 	 */
2053 	oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "stats",
2054 	    CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "statistics");
2055 	children = SYSCTL_CHILDREN(oid);
2056 
2057 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "hash", CTLFLAG_RD,
2058 	    &sc->stats_hash, "Hash requests submitted");
2059 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "hmac", CTLFLAG_RD,
2060 	    &sc->stats_hmac, "HMAC requests submitted");
2061 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "cipher_encrypt",
2062 	    CTLFLAG_RD, &sc->stats_blkcipher_encrypt,
2063 	    "Cipher encryption requests submitted");
2064 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "cipher_decrypt",
2065 	    CTLFLAG_RD, &sc->stats_blkcipher_decrypt,
2066 	    "Cipher decryption requests submitted");
2067 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "eta_encrypt",
2068 	    CTLFLAG_RD, &sc->stats_eta_encrypt,
2069 	    "Combined AES+HMAC encryption requests submitted");
2070 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "eta_decrypt",
2071 	    CTLFLAG_RD, &sc->stats_eta_decrypt,
2072 	    "Combined AES+HMAC decryption requests submitted");
2073 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "gcm_encrypt",
2074 	    CTLFLAG_RD, &sc->stats_gcm_encrypt,
2075 	    "AES-GCM encryption requests submitted");
2076 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "gcm_decrypt",
2077 	    CTLFLAG_RD, &sc->stats_gcm_decrypt,
2078 	    "AES-GCM decryption requests submitted");
2079 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "ccm_encrypt",
2080 	    CTLFLAG_RD, &sc->stats_ccm_encrypt,
2081 	    "AES-CCM encryption requests submitted");
2082 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "ccm_decrypt",
2083 	    CTLFLAG_RD, &sc->stats_ccm_decrypt,
2084 	    "AES-CCM decryption requests submitted");
2085 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "wr_nomem", CTLFLAG_RD,
2086 	    &sc->stats_wr_nomem, "Work request memory allocation failures");
2087 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "inflight", CTLFLAG_RD,
2088 	    &sc->stats_inflight, "Requests currently pending");
2089 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "mac_error", CTLFLAG_RD,
2090 	    &sc->stats_mac_error, "MAC errors");
2091 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "pad_error", CTLFLAG_RD,
2092 	    &sc->stats_pad_error, "Padding errors");
2093 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "sglist_error",
2094 	    CTLFLAG_RD, &sc->stats_sglist_error,
2095 	    "Requests for which DMA mapping failed");
2096 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "process_error",
2097 	    CTLFLAG_RD, &sc->stats_process_error,
2098 	    "Requests failed during queueing");
2099 	SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "sw_fallback",
2100 	    CTLFLAG_RD, &sc->stats_sw_fallback,
2101 	    "Requests processed by falling back to software");
2102 
2103 	/*
2104 	 * dev.ccr.X.stats.port
2105 	 */
2106 	port_oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "port",
2107 	    CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "Per-port statistics");
2108 
2109 	for (i = 0; i < nitems(sc->ports); i++) {
2110 		if (sc->ports[i].rxq == NULL)
2111 			continue;
2112 
2113 		/*
2114 		 * dev.ccr.X.stats.port.Y
2115 		 */
2116 		snprintf(buf, sizeof(buf), "%d", i);
2117 		oid = SYSCTL_ADD_NODE(ctx, SYSCTL_CHILDREN(port_oid), OID_AUTO,
2118 		    buf, CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, buf);
2119 		children = SYSCTL_CHILDREN(oid);
2120 
2121 		SYSCTL_ADD_UINT(ctx, children, OID_AUTO, "active_sessions",
2122 		    CTLFLAG_RD, &sc->ports[i].active_sessions, 0,
2123 		    "Count of active sessions");
2124 	}
2125 }
2126 
2127 static void
2128 ccr_init_port(struct ccr_softc *sc, int port)
2129 {
2130 
2131 	sc->ports[port].txq = &sc->adapter->sge.ctrlq[port];
2132 	sc->ports[port].rxq =
2133 	    &sc->adapter->sge.rxq[sc->adapter->port[port]->vi->first_rxq];
2134 	sc->ports[port].tx_channel_id = port;
2135 	_Static_assert(sizeof(sc->port_mask) * NBBY >= MAX_NPORTS - 1,
2136 	    "Too many ports to fit in port_mask");
2137 	sc->port_mask |= 1u << port;
2138 }
2139 
2140 static int
2141 ccr_attach(device_t dev)
2142 {
2143 	struct ccr_softc *sc;
2144 	int32_t cid;
2145 	int i;
2146 
2147 	sc = device_get_softc(dev);
2148 	sc->dev = dev;
2149 	sc->adapter = device_get_softc(device_get_parent(dev));
2150 	for_each_port(sc->adapter, i) {
2151 		ccr_init_port(sc, i);
2152 	}
2153 	cid = crypto_get_driverid(dev, sizeof(struct ccr_session),
2154 	    CRYPTOCAP_F_HARDWARE);
2155 	if (cid < 0) {
2156 		device_printf(dev, "could not get crypto driver id\n");
2157 		return (ENXIO);
2158 	}
2159 	sc->cid = cid;
2160 	sc->adapter->ccr_softc = sc;
2161 
2162 	mtx_init(&sc->lock, "ccr", NULL, MTX_DEF);
2163 	sc->iv_aad_buf = malloc(MAX_AAD_LEN, M_CCR, M_WAITOK);
2164 	sc->sg_iv_aad = sglist_build(sc->iv_aad_buf, MAX_AAD_LEN, M_WAITOK);
2165 	sc->stats_blkcipher_encrypt = counter_u64_alloc(M_WAITOK);
2166 	sc->stats_blkcipher_decrypt = counter_u64_alloc(M_WAITOK);
2167 	sc->stats_hash = counter_u64_alloc(M_WAITOK);
2168 	sc->stats_hmac = counter_u64_alloc(M_WAITOK);
2169 	sc->stats_eta_encrypt = counter_u64_alloc(M_WAITOK);
2170 	sc->stats_eta_decrypt = counter_u64_alloc(M_WAITOK);
2171 	sc->stats_gcm_encrypt = counter_u64_alloc(M_WAITOK);
2172 	sc->stats_gcm_decrypt = counter_u64_alloc(M_WAITOK);
2173 	sc->stats_ccm_encrypt = counter_u64_alloc(M_WAITOK);
2174 	sc->stats_ccm_decrypt = counter_u64_alloc(M_WAITOK);
2175 	sc->stats_wr_nomem = counter_u64_alloc(M_WAITOK);
2176 	sc->stats_inflight = counter_u64_alloc(M_WAITOK);
2177 	sc->stats_mac_error = counter_u64_alloc(M_WAITOK);
2178 	sc->stats_pad_error = counter_u64_alloc(M_WAITOK);
2179 	sc->stats_sglist_error = counter_u64_alloc(M_WAITOK);
2180 	sc->stats_process_error = counter_u64_alloc(M_WAITOK);
2181 	sc->stats_sw_fallback = counter_u64_alloc(M_WAITOK);
2182 	ccr_sysctls(sc);
2183 
2184 	return (0);
2185 }
2186 
2187 static int
2188 ccr_detach(device_t dev)
2189 {
2190 	struct ccr_softc *sc;
2191 
2192 	sc = device_get_softc(dev);
2193 
2194 	mtx_lock(&sc->lock);
2195 	sc->detaching = true;
2196 	mtx_unlock(&sc->lock);
2197 
2198 	crypto_unregister_all(sc->cid);
2199 
2200 	mtx_destroy(&sc->lock);
2201 	counter_u64_free(sc->stats_blkcipher_encrypt);
2202 	counter_u64_free(sc->stats_blkcipher_decrypt);
2203 	counter_u64_free(sc->stats_hash);
2204 	counter_u64_free(sc->stats_hmac);
2205 	counter_u64_free(sc->stats_eta_encrypt);
2206 	counter_u64_free(sc->stats_eta_decrypt);
2207 	counter_u64_free(sc->stats_gcm_encrypt);
2208 	counter_u64_free(sc->stats_gcm_decrypt);
2209 	counter_u64_free(sc->stats_ccm_encrypt);
2210 	counter_u64_free(sc->stats_ccm_decrypt);
2211 	counter_u64_free(sc->stats_wr_nomem);
2212 	counter_u64_free(sc->stats_inflight);
2213 	counter_u64_free(sc->stats_mac_error);
2214 	counter_u64_free(sc->stats_pad_error);
2215 	counter_u64_free(sc->stats_sglist_error);
2216 	counter_u64_free(sc->stats_process_error);
2217 	counter_u64_free(sc->stats_sw_fallback);
2218 	sglist_free(sc->sg_iv_aad);
2219 	free(sc->iv_aad_buf, M_CCR);
2220 	sc->adapter->ccr_softc = NULL;
2221 	return (0);
2222 }
2223 
2224 static void
2225 ccr_init_hash_digest(struct ccr_session *s)
2226 {
2227 	union authctx auth_ctx;
2228 	struct auth_hash *axf;
2229 
2230 	axf = s->hmac.auth_hash;
2231 	axf->Init(&auth_ctx);
2232 	t4_copy_partial_hash(axf->type, &auth_ctx, s->hmac.pads);
2233 }
2234 
2235 static bool
2236 ccr_aes_check_keylen(int alg, int klen)
2237 {
2238 
2239 	switch (klen * 8) {
2240 	case 128:
2241 	case 192:
2242 		if (alg == CRYPTO_AES_XTS)
2243 			return (false);
2244 		break;
2245 	case 256:
2246 		break;
2247 	case 512:
2248 		if (alg != CRYPTO_AES_XTS)
2249 			return (false);
2250 		break;
2251 	default:
2252 		return (false);
2253 	}
2254 	return (true);
2255 }
2256 
2257 static void
2258 ccr_aes_setkey(struct ccr_session *s, const void *key, int klen)
2259 {
2260 	unsigned int ck_size, iopad_size, kctx_flits, kctx_len, kbits, mk_size;
2261 	unsigned int opad_present;
2262 
2263 	if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS)
2264 		kbits = (klen / 2) * 8;
2265 	else
2266 		kbits = klen * 8;
2267 	switch (kbits) {
2268 	case 128:
2269 		ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128;
2270 		break;
2271 	case 192:
2272 		ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192;
2273 		break;
2274 	case 256:
2275 		ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256;
2276 		break;
2277 	default:
2278 		panic("should not get here");
2279 	}
2280 
2281 	s->blkcipher.key_len = klen;
2282 	memcpy(s->blkcipher.enckey, key, s->blkcipher.key_len);
2283 	switch (s->blkcipher.cipher_mode) {
2284 	case SCMD_CIPH_MODE_AES_CBC:
2285 	case SCMD_CIPH_MODE_AES_XTS:
2286 		t4_aes_getdeckey(s->blkcipher.deckey, key, kbits);
2287 		break;
2288 	}
2289 
2290 	kctx_len = roundup2(s->blkcipher.key_len, 16);
2291 	switch (s->mode) {
2292 	case ETA:
2293 		mk_size = s->hmac.mk_size;
2294 		opad_present = 1;
2295 		iopad_size = roundup2(s->hmac.partial_digest_len, 16);
2296 		kctx_len += iopad_size * 2;
2297 		break;
2298 	case GCM:
2299 		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128;
2300 		opad_present = 0;
2301 		kctx_len += GMAC_BLOCK_LEN;
2302 		break;
2303 	case CCM:
2304 		switch (kbits) {
2305 		case 128:
2306 			mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128;
2307 			break;
2308 		case 192:
2309 			mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_192;
2310 			break;
2311 		case 256:
2312 			mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256;
2313 			break;
2314 		default:
2315 			panic("should not get here");
2316 		}
2317 		opad_present = 0;
2318 		kctx_len *= 2;
2319 		break;
2320 	default:
2321 		mk_size = CHCR_KEYCTX_NO_KEY;
2322 		opad_present = 0;
2323 		break;
2324 	}
2325 	kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16;
2326 	s->blkcipher.key_ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) |
2327 	    V_KEY_CONTEXT_DUAL_CK(s->blkcipher.cipher_mode ==
2328 	    SCMD_CIPH_MODE_AES_XTS) |
2329 	    V_KEY_CONTEXT_OPAD_PRESENT(opad_present) |
2330 	    V_KEY_CONTEXT_SALT_PRESENT(1) | V_KEY_CONTEXT_CK_SIZE(ck_size) |
2331 	    V_KEY_CONTEXT_MK_SIZE(mk_size) | V_KEY_CONTEXT_VALID(1));
2332 }
2333 
2334 static bool
2335 ccr_auth_supported(const struct crypto_session_params *csp)
2336 {
2337 
2338 	switch (csp->csp_auth_alg) {
2339 	case CRYPTO_SHA1:
2340 	case CRYPTO_SHA2_224:
2341 	case CRYPTO_SHA2_256:
2342 	case CRYPTO_SHA2_384:
2343 	case CRYPTO_SHA2_512:
2344 	case CRYPTO_SHA1_HMAC:
2345 	case CRYPTO_SHA2_224_HMAC:
2346 	case CRYPTO_SHA2_256_HMAC:
2347 	case CRYPTO_SHA2_384_HMAC:
2348 	case CRYPTO_SHA2_512_HMAC:
2349 		break;
2350 	default:
2351 		return (false);
2352 	}
2353 	return (true);
2354 }
2355 
2356 static bool
2357 ccr_cipher_supported(const struct crypto_session_params *csp)
2358 {
2359 
2360 	switch (csp->csp_cipher_alg) {
2361 	case CRYPTO_AES_CBC:
2362 		if (csp->csp_ivlen != AES_BLOCK_LEN)
2363 			return (false);
2364 		break;
2365 	case CRYPTO_AES_ICM:
2366 		if (csp->csp_ivlen != AES_BLOCK_LEN)
2367 			return (false);
2368 		break;
2369 	case CRYPTO_AES_XTS:
2370 		if (csp->csp_ivlen != AES_XTS_IV_LEN)
2371 			return (false);
2372 		break;
2373 	default:
2374 		return (false);
2375 	}
2376 	return (ccr_aes_check_keylen(csp->csp_cipher_alg,
2377 	    csp->csp_cipher_klen));
2378 }
2379 
2380 static int
2381 ccr_cipher_mode(const struct crypto_session_params *csp)
2382 {
2383 
2384 	switch (csp->csp_cipher_alg) {
2385 	case CRYPTO_AES_CBC:
2386 		return (SCMD_CIPH_MODE_AES_CBC);
2387 	case CRYPTO_AES_ICM:
2388 		return (SCMD_CIPH_MODE_AES_CTR);
2389 	case CRYPTO_AES_NIST_GCM_16:
2390 		return (SCMD_CIPH_MODE_AES_GCM);
2391 	case CRYPTO_AES_XTS:
2392 		return (SCMD_CIPH_MODE_AES_XTS);
2393 	case CRYPTO_AES_CCM_16:
2394 		return (SCMD_CIPH_MODE_AES_CCM);
2395 	default:
2396 		return (SCMD_CIPH_MODE_NOP);
2397 	}
2398 }
2399 
2400 static int
2401 ccr_probesession(device_t dev, const struct crypto_session_params *csp)
2402 {
2403 	unsigned int cipher_mode;
2404 
2405 	if ((csp->csp_flags & ~(CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD)) !=
2406 	    0)
2407 		return (EINVAL);
2408 	switch (csp->csp_mode) {
2409 	case CSP_MODE_DIGEST:
2410 		if (!ccr_auth_supported(csp))
2411 			return (EINVAL);
2412 		break;
2413 	case CSP_MODE_CIPHER:
2414 		if (!ccr_cipher_supported(csp))
2415 			return (EINVAL);
2416 		break;
2417 	case CSP_MODE_AEAD:
2418 		switch (csp->csp_cipher_alg) {
2419 		case CRYPTO_AES_NIST_GCM_16:
2420 			if (csp->csp_ivlen != AES_GCM_IV_LEN)
2421 				return (EINVAL);
2422 			if (csp->csp_auth_mlen < 0 ||
2423 			    csp->csp_auth_mlen > AES_GMAC_HASH_LEN)
2424 				return (EINVAL);
2425 			break;
2426 		case CRYPTO_AES_CCM_16:
2427 			if (csp->csp_ivlen != AES_CCM_IV_LEN)
2428 				return (EINVAL);
2429 			if (csp->csp_auth_mlen < 0 ||
2430 			    csp->csp_auth_mlen > AES_CBC_MAC_HASH_LEN)
2431 				return (EINVAL);
2432 			break;
2433 		default:
2434 			return (EINVAL);
2435 		}
2436 		break;
2437 	case CSP_MODE_ETA:
2438 		if (!ccr_auth_supported(csp) || !ccr_cipher_supported(csp))
2439 			return (EINVAL);
2440 		break;
2441 	default:
2442 		return (EINVAL);
2443 	}
2444 
2445 	if (csp->csp_cipher_klen != 0) {
2446 		cipher_mode = ccr_cipher_mode(csp);
2447 		if (cipher_mode == SCMD_CIPH_MODE_NOP)
2448 			return (EINVAL);
2449 	}
2450 
2451 	return (CRYPTODEV_PROBE_HARDWARE);
2452 }
2453 
2454 /*
2455  * Select an available port with the lowest number of active sessions.
2456  */
2457 static struct ccr_port *
2458 ccr_choose_port(struct ccr_softc *sc)
2459 {
2460 	struct ccr_port *best, *p;
2461 	int i;
2462 
2463 	mtx_assert(&sc->lock, MA_OWNED);
2464 	best = NULL;
2465 	for (i = 0; i < nitems(sc->ports); i++) {
2466 		p = &sc->ports[i];
2467 
2468 		/* Ignore non-existent ports. */
2469 		if (p->rxq == NULL)
2470 			continue;
2471 
2472 		/*
2473 		 * XXX: Ignore ports whose queues aren't initialized.
2474 		 * This is racy as the rxq can be destroyed by the
2475 		 * associated VI detaching.  Eventually ccr should use
2476 		 * dedicated queues.
2477 		 */
2478 		if (p->rxq->iq.adapter == NULL || p->txq->adapter == NULL)
2479 			continue;
2480 
2481 		if ((sc->port_mask & (1u << i)) == 0)
2482 			continue;
2483 
2484 		if (best == NULL ||
2485 		    p->active_sessions < best->active_sessions)
2486 			best = p;
2487 	}
2488 	return (best);
2489 }
2490 
2491 static void
2492 ccr_delete_session(struct ccr_session *s)
2493 {
2494 	sglist_free(s->sg_input);
2495 	sglist_free(s->sg_output);
2496 	sglist_free(s->sg_ulptx);
2497 	sglist_free(s->sg_dsgl);
2498 	mtx_destroy(&s->lock);
2499 }
2500 
2501 static int
2502 ccr_newsession(device_t dev, crypto_session_t cses,
2503     const struct crypto_session_params *csp)
2504 {
2505 	struct ccr_softc *sc;
2506 	struct ccr_session *s;
2507 	struct auth_hash *auth_hash;
2508 	unsigned int auth_mode, cipher_mode, mk_size;
2509 	unsigned int partial_digest_len;
2510 
2511 	switch (csp->csp_auth_alg) {
2512 	case CRYPTO_SHA1:
2513 	case CRYPTO_SHA1_HMAC:
2514 		auth_hash = &auth_hash_hmac_sha1;
2515 		auth_mode = SCMD_AUTH_MODE_SHA1;
2516 		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_160;
2517 		partial_digest_len = SHA1_HASH_LEN;
2518 		break;
2519 	case CRYPTO_SHA2_224:
2520 	case CRYPTO_SHA2_224_HMAC:
2521 		auth_hash = &auth_hash_hmac_sha2_224;
2522 		auth_mode = SCMD_AUTH_MODE_SHA224;
2523 		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256;
2524 		partial_digest_len = SHA2_256_HASH_LEN;
2525 		break;
2526 	case CRYPTO_SHA2_256:
2527 	case CRYPTO_SHA2_256_HMAC:
2528 		auth_hash = &auth_hash_hmac_sha2_256;
2529 		auth_mode = SCMD_AUTH_MODE_SHA256;
2530 		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256;
2531 		partial_digest_len = SHA2_256_HASH_LEN;
2532 		break;
2533 	case CRYPTO_SHA2_384:
2534 	case CRYPTO_SHA2_384_HMAC:
2535 		auth_hash = &auth_hash_hmac_sha2_384;
2536 		auth_mode = SCMD_AUTH_MODE_SHA512_384;
2537 		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512;
2538 		partial_digest_len = SHA2_512_HASH_LEN;
2539 		break;
2540 	case CRYPTO_SHA2_512:
2541 	case CRYPTO_SHA2_512_HMAC:
2542 		auth_hash = &auth_hash_hmac_sha2_512;
2543 		auth_mode = SCMD_AUTH_MODE_SHA512_512;
2544 		mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512;
2545 		partial_digest_len = SHA2_512_HASH_LEN;
2546 		break;
2547 	default:
2548 		auth_hash = NULL;
2549 		auth_mode = SCMD_AUTH_MODE_NOP;
2550 		mk_size = 0;
2551 		partial_digest_len = 0;
2552 		break;
2553 	}
2554 
2555 	cipher_mode = ccr_cipher_mode(csp);
2556 
2557 #ifdef INVARIANTS
2558 	switch (csp->csp_mode) {
2559 	case CSP_MODE_CIPHER:
2560 		if (cipher_mode == SCMD_CIPH_MODE_NOP ||
2561 		    cipher_mode == SCMD_CIPH_MODE_AES_GCM ||
2562 		    cipher_mode == SCMD_CIPH_MODE_AES_CCM)
2563 			panic("invalid cipher algo");
2564 		break;
2565 	case CSP_MODE_DIGEST:
2566 		if (auth_mode == SCMD_AUTH_MODE_NOP)
2567 			panic("invalid auth algo");
2568 		break;
2569 	case CSP_MODE_AEAD:
2570 		if (cipher_mode != SCMD_CIPH_MODE_AES_GCM &&
2571 		    cipher_mode != SCMD_CIPH_MODE_AES_CCM)
2572 			panic("invalid aead cipher algo");
2573 		if (auth_mode != SCMD_AUTH_MODE_NOP)
2574 			panic("invalid aead auth aglo");
2575 		break;
2576 	case CSP_MODE_ETA:
2577 		if (cipher_mode == SCMD_CIPH_MODE_NOP ||
2578 		    cipher_mode == SCMD_CIPH_MODE_AES_GCM ||
2579 		    cipher_mode == SCMD_CIPH_MODE_AES_CCM)
2580 			panic("invalid cipher algo");
2581 		if (auth_mode == SCMD_AUTH_MODE_NOP)
2582 			panic("invalid auth algo");
2583 		break;
2584 	default:
2585 		panic("invalid csp mode");
2586 	}
2587 #endif
2588 
2589 	s = crypto_get_driver_session(cses);
2590 	mtx_init(&s->lock, "ccr session", NULL, MTX_DEF);
2591 	s->sg_input = sglist_alloc(TX_SGL_SEGS, M_NOWAIT);
2592 	s->sg_output = sglist_alloc(TX_SGL_SEGS, M_NOWAIT);
2593 	s->sg_ulptx = sglist_alloc(TX_SGL_SEGS, M_NOWAIT);
2594 	s->sg_dsgl = sglist_alloc(MAX_RX_PHYS_DSGL_SGE, M_NOWAIT);
2595 	if (s->sg_input == NULL || s->sg_output == NULL ||
2596 	    s->sg_ulptx == NULL || s->sg_dsgl == NULL) {
2597 		ccr_delete_session(s);
2598 		return (ENOMEM);
2599 	}
2600 
2601 	sc = device_get_softc(dev);
2602 
2603 	mtx_lock(&sc->lock);
2604 	if (sc->detaching) {
2605 		mtx_unlock(&sc->lock);
2606 		ccr_delete_session(s);
2607 		return (ENXIO);
2608 	}
2609 
2610 	s->port = ccr_choose_port(sc);
2611 	if (s->port == NULL) {
2612 		mtx_unlock(&sc->lock);
2613 		ccr_delete_session(s);
2614 		return (ENXIO);
2615 	}
2616 
2617 	switch (csp->csp_mode) {
2618 	case CSP_MODE_AEAD:
2619 		if (cipher_mode == SCMD_CIPH_MODE_AES_CCM)
2620 			s->mode = CCM;
2621 		else
2622 			s->mode = GCM;
2623 		break;
2624 	case CSP_MODE_ETA:
2625 		s->mode = ETA;
2626 		break;
2627 	case CSP_MODE_DIGEST:
2628 		if (csp->csp_auth_klen != 0)
2629 			s->mode = HMAC;
2630 		else
2631 			s->mode = HASH;
2632 		break;
2633 	case CSP_MODE_CIPHER:
2634 		s->mode = BLKCIPHER;
2635 		break;
2636 	}
2637 
2638 	if (s->mode == GCM) {
2639 		if (csp->csp_auth_mlen == 0)
2640 			s->gmac.hash_len = AES_GMAC_HASH_LEN;
2641 		else
2642 			s->gmac.hash_len = csp->csp_auth_mlen;
2643 		t4_init_gmac_hash(csp->csp_cipher_key, csp->csp_cipher_klen,
2644 		    s->gmac.ghash_h);
2645 	} else if (s->mode == CCM) {
2646 		if (csp->csp_auth_mlen == 0)
2647 			s->ccm_mac.hash_len = AES_CBC_MAC_HASH_LEN;
2648 		else
2649 			s->ccm_mac.hash_len = csp->csp_auth_mlen;
2650 	} else if (auth_mode != SCMD_AUTH_MODE_NOP) {
2651 		s->hmac.auth_hash = auth_hash;
2652 		s->hmac.auth_mode = auth_mode;
2653 		s->hmac.mk_size = mk_size;
2654 		s->hmac.partial_digest_len = partial_digest_len;
2655 		if (csp->csp_auth_mlen == 0)
2656 			s->hmac.hash_len = auth_hash->hashsize;
2657 		else
2658 			s->hmac.hash_len = csp->csp_auth_mlen;
2659 		if (csp->csp_auth_key != NULL)
2660 			t4_init_hmac_digest(auth_hash, partial_digest_len,
2661 			    csp->csp_auth_key, csp->csp_auth_klen,
2662 			    s->hmac.pads);
2663 		else
2664 			ccr_init_hash_digest(s);
2665 	}
2666 	if (cipher_mode != SCMD_CIPH_MODE_NOP) {
2667 		s->blkcipher.cipher_mode = cipher_mode;
2668 		s->blkcipher.iv_len = csp->csp_ivlen;
2669 		if (csp->csp_cipher_key != NULL)
2670 			ccr_aes_setkey(s, csp->csp_cipher_key,
2671 			    csp->csp_cipher_klen);
2672 	}
2673 
2674 	s->port->active_sessions++;
2675 	mtx_unlock(&sc->lock);
2676 	return (0);
2677 }
2678 
2679 static void
2680 ccr_freesession(device_t dev, crypto_session_t cses)
2681 {
2682 	struct ccr_softc *sc;
2683 	struct ccr_session *s;
2684 
2685 	sc = device_get_softc(dev);
2686 	s = crypto_get_driver_session(cses);
2687 #ifdef INVARIANTS
2688 	if (s->pending != 0)
2689 		device_printf(dev,
2690 		    "session %p freed with %d pending requests\n", s,
2691 		    s->pending);
2692 #endif
2693 	mtx_lock(&sc->lock);
2694 	s->port->active_sessions--;
2695 	mtx_unlock(&sc->lock);
2696 	ccr_delete_session(s);
2697 }
2698 
2699 static int
2700 ccr_process(device_t dev, struct cryptop *crp, int hint)
2701 {
2702 	const struct crypto_session_params *csp;
2703 	struct ccr_softc *sc;
2704 	struct ccr_session *s;
2705 	int error;
2706 
2707 	csp = crypto_get_params(crp->crp_session);
2708 	s = crypto_get_driver_session(crp->crp_session);
2709 	sc = device_get_softc(dev);
2710 
2711 	mtx_lock(&s->lock);
2712 	error = ccr_populate_sglist(s->sg_input, &crp->crp_buf);
2713 	if (error == 0 && CRYPTO_HAS_OUTPUT_BUFFER(crp))
2714 		error = ccr_populate_sglist(s->sg_output, &crp->crp_obuf);
2715 	if (error) {
2716 		counter_u64_add(sc->stats_sglist_error, 1);
2717 		goto out;
2718 	}
2719 
2720 	switch (s->mode) {
2721 	case HASH:
2722 		error = ccr_hash(sc, s, crp);
2723 		if (error == 0)
2724 			counter_u64_add(sc->stats_hash, 1);
2725 		break;
2726 	case HMAC:
2727 		if (crp->crp_auth_key != NULL)
2728 			t4_init_hmac_digest(s->hmac.auth_hash,
2729 			    s->hmac.partial_digest_len, crp->crp_auth_key,
2730 			    csp->csp_auth_klen, s->hmac.pads);
2731 		error = ccr_hash(sc, s, crp);
2732 		if (error == 0)
2733 			counter_u64_add(sc->stats_hmac, 1);
2734 		break;
2735 	case BLKCIPHER:
2736 		if (crp->crp_cipher_key != NULL)
2737 			ccr_aes_setkey(s, crp->crp_cipher_key,
2738 			    csp->csp_cipher_klen);
2739 		error = ccr_blkcipher(sc, s, crp);
2740 		if (error == 0) {
2741 			if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
2742 				counter_u64_add(sc->stats_blkcipher_encrypt, 1);
2743 			else
2744 				counter_u64_add(sc->stats_blkcipher_decrypt, 1);
2745 		}
2746 		break;
2747 	case ETA:
2748 		if (crp->crp_auth_key != NULL)
2749 			t4_init_hmac_digest(s->hmac.auth_hash,
2750 			    s->hmac.partial_digest_len, crp->crp_auth_key,
2751 			    csp->csp_auth_klen, s->hmac.pads);
2752 		if (crp->crp_cipher_key != NULL)
2753 			ccr_aes_setkey(s, crp->crp_cipher_key,
2754 			    csp->csp_cipher_klen);
2755 		error = ccr_eta(sc, s, crp);
2756 		if (error == 0) {
2757 			if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
2758 				counter_u64_add(sc->stats_eta_encrypt, 1);
2759 			else
2760 				counter_u64_add(sc->stats_eta_decrypt, 1);
2761 		}
2762 		break;
2763 	case GCM:
2764 		if (crp->crp_cipher_key != NULL) {
2765 			t4_init_gmac_hash(crp->crp_cipher_key,
2766 			    csp->csp_cipher_klen, s->gmac.ghash_h);
2767 			ccr_aes_setkey(s, crp->crp_cipher_key,
2768 			    csp->csp_cipher_klen);
2769 		}
2770 		if (crp->crp_payload_length == 0) {
2771 			mtx_unlock(&s->lock);
2772 			ccr_gcm_soft(s, crp);
2773 			return (0);
2774 		}
2775 		error = ccr_gcm(sc, s, crp);
2776 		if (error == EMSGSIZE) {
2777 			counter_u64_add(sc->stats_sw_fallback, 1);
2778 			mtx_unlock(&s->lock);
2779 			ccr_gcm_soft(s, crp);
2780 			return (0);
2781 		}
2782 		if (error == 0) {
2783 			if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
2784 				counter_u64_add(sc->stats_gcm_encrypt, 1);
2785 			else
2786 				counter_u64_add(sc->stats_gcm_decrypt, 1);
2787 		}
2788 		break;
2789 	case CCM:
2790 		if (crp->crp_cipher_key != NULL) {
2791 			ccr_aes_setkey(s, crp->crp_cipher_key,
2792 			    csp->csp_cipher_klen);
2793 		}
2794 		error = ccr_ccm(sc, s, crp);
2795 		if (error == EMSGSIZE) {
2796 			counter_u64_add(sc->stats_sw_fallback, 1);
2797 			mtx_unlock(&s->lock);
2798 			ccr_ccm_soft(s, crp);
2799 			return (0);
2800 		}
2801 		if (error == 0) {
2802 			if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op))
2803 				counter_u64_add(sc->stats_ccm_encrypt, 1);
2804 			else
2805 				counter_u64_add(sc->stats_ccm_decrypt, 1);
2806 		}
2807 		break;
2808 	}
2809 
2810 	if (error == 0) {
2811 #ifdef INVARIANTS
2812 		s->pending++;
2813 #endif
2814 		counter_u64_add(sc->stats_inflight, 1);
2815 	} else
2816 		counter_u64_add(sc->stats_process_error, 1);
2817 
2818 out:
2819 	mtx_unlock(&s->lock);
2820 
2821 	if (error) {
2822 		crp->crp_etype = error;
2823 		crypto_done(crp);
2824 	}
2825 
2826 	return (0);
2827 }
2828 
2829 static int
2830 do_cpl6_fw_pld(struct sge_iq *iq, const struct rss_header *rss,
2831     struct mbuf *m)
2832 {
2833 	struct ccr_softc *sc = iq->adapter->ccr_softc;
2834 	struct ccr_session *s;
2835 	const struct cpl_fw6_pld *cpl;
2836 	struct cryptop *crp;
2837 	uint32_t status;
2838 	int error;
2839 
2840 	if (m != NULL)
2841 		cpl = mtod(m, const void *);
2842 	else
2843 		cpl = (const void *)(rss + 1);
2844 
2845 	crp = (struct cryptop *)(uintptr_t)be64toh(cpl->data[1]);
2846 	s = crypto_get_driver_session(crp->crp_session);
2847 	status = be64toh(cpl->data[0]);
2848 	if (CHK_MAC_ERR_BIT(status) || CHK_PAD_ERR_BIT(status))
2849 		error = EBADMSG;
2850 	else
2851 		error = 0;
2852 
2853 #ifdef INVARIANTS
2854 	mtx_lock(&s->lock);
2855 	s->pending--;
2856 	mtx_unlock(&s->lock);
2857 #endif
2858 	counter_u64_add(sc->stats_inflight, -1);
2859 
2860 	switch (s->mode) {
2861 	case HASH:
2862 	case HMAC:
2863 		error = ccr_hash_done(sc, s, crp, cpl, error);
2864 		break;
2865 	case BLKCIPHER:
2866 		error = ccr_blkcipher_done(sc, s, crp, cpl, error);
2867 		break;
2868 	case ETA:
2869 		error = ccr_eta_done(sc, s, crp, cpl, error);
2870 		break;
2871 	case GCM:
2872 		error = ccr_gcm_done(sc, s, crp, cpl, error);
2873 		break;
2874 	case CCM:
2875 		error = ccr_ccm_done(sc, s, crp, cpl, error);
2876 		break;
2877 	}
2878 
2879 	if (error == EBADMSG) {
2880 		if (CHK_MAC_ERR_BIT(status))
2881 			counter_u64_add(sc->stats_mac_error, 1);
2882 		if (CHK_PAD_ERR_BIT(status))
2883 			counter_u64_add(sc->stats_pad_error, 1);
2884 	}
2885 	crp->crp_etype = error;
2886 	crypto_done(crp);
2887 	m_freem(m);
2888 	return (0);
2889 }
2890 
2891 static int
2892 ccr_modevent(module_t mod, int cmd, void *arg)
2893 {
2894 
2895 	switch (cmd) {
2896 	case MOD_LOAD:
2897 		t4_register_cpl_handler(CPL_FW6_PLD, do_cpl6_fw_pld);
2898 		return (0);
2899 	case MOD_UNLOAD:
2900 		t4_register_cpl_handler(CPL_FW6_PLD, NULL);
2901 		return (0);
2902 	default:
2903 		return (EOPNOTSUPP);
2904 	}
2905 }
2906 
2907 static device_method_t ccr_methods[] = {
2908 	DEVMETHOD(device_identify,	ccr_identify),
2909 	DEVMETHOD(device_probe,		ccr_probe),
2910 	DEVMETHOD(device_attach,	ccr_attach),
2911 	DEVMETHOD(device_detach,	ccr_detach),
2912 
2913 	DEVMETHOD(cryptodev_probesession, ccr_probesession),
2914 	DEVMETHOD(cryptodev_newsession,	ccr_newsession),
2915 	DEVMETHOD(cryptodev_freesession, ccr_freesession),
2916 	DEVMETHOD(cryptodev_process,	ccr_process),
2917 
2918 	DEVMETHOD_END
2919 };
2920 
2921 static driver_t ccr_driver = {
2922 	"ccr",
2923 	ccr_methods,
2924 	sizeof(struct ccr_softc)
2925 };
2926 
2927 static devclass_t ccr_devclass;
2928 
2929 DRIVER_MODULE(ccr, t6nex, ccr_driver, ccr_devclass, ccr_modevent, NULL);
2930 MODULE_VERSION(ccr, 1);
2931 MODULE_DEPEND(ccr, crypto, 1, 1, 1);
2932 MODULE_DEPEND(ccr, t6nex, 1, 1, 1);
2933