1 /*- 2 * Copyright (c) 2017 Chelsio Communications, Inc. 3 * All rights reserved. 4 * Written by: John Baldwin <jhb@FreeBSD.org> 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/types.h> 32 #include <sys/bus.h> 33 #include <sys/lock.h> 34 #include <sys/malloc.h> 35 #include <sys/mutex.h> 36 #include <sys/module.h> 37 #include <sys/sglist.h> 38 39 #include <opencrypto/cryptodev.h> 40 #include <opencrypto/xform.h> 41 42 #include "cryptodev_if.h" 43 44 #include "common/common.h" 45 #include "crypto/t4_crypto.h" 46 47 /* 48 * Requests consist of: 49 * 50 * +-------------------------------+ 51 * | struct fw_crypto_lookaside_wr | 52 * +-------------------------------+ 53 * | struct ulp_txpkt | 54 * +-------------------------------+ 55 * | struct ulptx_idata | 56 * +-------------------------------+ 57 * | struct cpl_tx_sec_pdu | 58 * +-------------------------------+ 59 * | struct cpl_tls_tx_scmd_fmt | 60 * +-------------------------------+ 61 * | key context header | 62 * +-------------------------------+ 63 * | AES key | ----- For requests with AES 64 * +-------------------------------+ - 65 * | IPAD (16-byte aligned) | \ 66 * +-------------------------------+ +---- For requests with HMAC 67 * | OPAD (16-byte aligned) | / 68 * +-------------------------------+ - 69 * | GMAC H | ----- For AES-GCM 70 * +-------------------------------+ - 71 * | struct cpl_rx_phys_dsgl | \ 72 * +-------------------------------+ +---- Destination buffer for 73 * | PHYS_DSGL entries | / non-hash-only requests 74 * +-------------------------------+ - 75 * | 16 dummy bytes | ----- Only for hash-only requests 76 * +-------------------------------+ 77 * | IV | ----- If immediate IV 78 * +-------------------------------+ 79 * | Payload | ----- If immediate Payload 80 * +-------------------------------+ - 81 * | struct ulptx_sgl | \ 82 * +-------------------------------+ +---- If payload via SGL 83 * | SGL entries | / 84 * +-------------------------------+ - 85 * 86 * Note that the key context must be padded to ensure 16-byte alignment. 87 * For HMAC requests, the key consists of the partial hash of the IPAD 88 * followed by the partial hash of the OPAD. 89 * 90 * Replies consist of: 91 * 92 * +-------------------------------+ 93 * | struct cpl_fw6_pld | 94 * +-------------------------------+ 95 * | hash digest | ----- For HMAC request with 96 * +-------------------------------+ 'hash_size' set in work request 97 * 98 * A 32-bit big-endian error status word is supplied in the last 4 99 * bytes of data[0] in the CPL_FW6_PLD message. bit 0 indicates a 100 * "MAC" error and bit 1 indicates a "PAD" error. 101 * 102 * The 64-bit 'cookie' field from the fw_crypto_lookaside_wr message 103 * in the request is returned in data[1] of the CPL_FW6_PLD message. 104 * 105 * For block cipher replies, the updated IV is supplied in data[2] and 106 * data[3] of the CPL_FW6_PLD message. 107 * 108 * For hash replies where the work request set 'hash_size' to request 109 * a copy of the hash in the reply, the hash digest is supplied 110 * immediately following the CPL_FW6_PLD message. 111 */ 112 113 /* 114 * The crypto engine supports a maximum AAD size of 511 bytes. 115 */ 116 #define MAX_AAD_LEN 511 117 118 /* 119 * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32 SG 120 * entries. While the CPL includes a 16-bit length field, the T6 can 121 * sometimes hang if an error occurs while processing a request with a 122 * single DSGL entry larger than 2k. 123 */ 124 #define MAX_RX_PHYS_DSGL_SGE 32 125 #define DSGL_SGE_MAXLEN 2048 126 127 /* 128 * The adapter only supports requests with a total input or output 129 * length of 64k-1 or smaller. Longer requests either result in hung 130 * requests or incorrect results. 131 */ 132 #define MAX_REQUEST_SIZE 65535 133 134 static MALLOC_DEFINE(M_CCR, "ccr", "Chelsio T6 crypto"); 135 136 struct ccr_session_hmac { 137 struct auth_hash *auth_hash; 138 int hash_len; 139 unsigned int partial_digest_len; 140 unsigned int auth_mode; 141 unsigned int mk_size; 142 char ipad[CHCR_HASH_MAX_BLOCK_SIZE_128]; 143 char opad[CHCR_HASH_MAX_BLOCK_SIZE_128]; 144 }; 145 146 struct ccr_session_gmac { 147 int hash_len; 148 char ghash_h[GMAC_BLOCK_LEN]; 149 }; 150 151 struct ccr_session_blkcipher { 152 unsigned int cipher_mode; 153 unsigned int key_len; 154 unsigned int iv_len; 155 __be32 key_ctx_hdr; 156 char enckey[CHCR_AES_MAX_KEY_LEN]; 157 char deckey[CHCR_AES_MAX_KEY_LEN]; 158 }; 159 160 struct ccr_session { 161 bool active; 162 int pending; 163 enum { HMAC, BLKCIPHER, AUTHENC, GCM } mode; 164 union { 165 struct ccr_session_hmac hmac; 166 struct ccr_session_gmac gmac; 167 }; 168 struct ccr_session_blkcipher blkcipher; 169 }; 170 171 struct ccr_softc { 172 struct adapter *adapter; 173 device_t dev; 174 uint32_t cid; 175 int tx_channel_id; 176 struct ccr_session *sessions; 177 int nsessions; 178 struct mtx lock; 179 bool detaching; 180 struct sge_wrq *txq; 181 struct sge_rxq *rxq; 182 183 /* 184 * Pre-allocate S/G lists used when preparing a work request. 185 * 'sg_crp' contains an sglist describing the entire buffer 186 * for a 'struct cryptop'. 'sg_ulptx' is used to describe 187 * the data the engine should DMA as input via ULPTX_SGL. 188 * 'sg_dsgl' is used to describe the destination that cipher 189 * text and a tag should be written to. 190 */ 191 struct sglist *sg_crp; 192 struct sglist *sg_ulptx; 193 struct sglist *sg_dsgl; 194 195 /* 196 * Pre-allocate a dummy output buffer for the IV and AAD for 197 * AEAD requests. 198 */ 199 char *iv_aad_buf; 200 struct sglist *sg_iv_aad; 201 202 /* Statistics. */ 203 uint64_t stats_blkcipher_encrypt; 204 uint64_t stats_blkcipher_decrypt; 205 uint64_t stats_hmac; 206 uint64_t stats_authenc_encrypt; 207 uint64_t stats_authenc_decrypt; 208 uint64_t stats_gcm_encrypt; 209 uint64_t stats_gcm_decrypt; 210 uint64_t stats_wr_nomem; 211 uint64_t stats_inflight; 212 uint64_t stats_mac_error; 213 uint64_t stats_pad_error; 214 uint64_t stats_bad_session; 215 uint64_t stats_sglist_error; 216 uint64_t stats_process_error; 217 }; 218 219 /* 220 * Crypto requests involve two kind of scatter/gather lists. 221 * 222 * Non-hash-only requests require a PHYS_DSGL that describes the 223 * location to store the results of the encryption or decryption 224 * operation. This SGL uses a different format (PHYS_DSGL) and should 225 * exclude the crd_skip bytes at the start of the data as well as 226 * any AAD or IV. For authenticated encryption requests it should 227 * cover include the destination of the hash or tag. 228 * 229 * The input payload may either be supplied inline as immediate data, 230 * or via a standard ULP_TX SGL. This SGL should include AAD, 231 * ciphertext, and the hash or tag for authenticated decryption 232 * requests. 233 * 234 * These scatter/gather lists can describe different subsets of the 235 * buffer described by the crypto operation. ccr_populate_sglist() 236 * generates a scatter/gather list that covers the entire crypto 237 * operation buffer that is then used to construct the other 238 * scatter/gather lists. 239 */ 240 static int 241 ccr_populate_sglist(struct sglist *sg, struct cryptop *crp) 242 { 243 int error; 244 245 sglist_reset(sg); 246 if (crp->crp_flags & CRYPTO_F_IMBUF) 247 error = sglist_append_mbuf(sg, (struct mbuf *)crp->crp_buf); 248 else if (crp->crp_flags & CRYPTO_F_IOV) 249 error = sglist_append_uio(sg, (struct uio *)crp->crp_buf); 250 else 251 error = sglist_append(sg, crp->crp_buf, crp->crp_ilen); 252 return (error); 253 } 254 255 /* 256 * Segments in 'sg' larger than 'maxsegsize' are counted as multiple 257 * segments. 258 */ 259 static int 260 ccr_count_sgl(struct sglist *sg, int maxsegsize) 261 { 262 int i, nsegs; 263 264 nsegs = 0; 265 for (i = 0; i < sg->sg_nseg; i++) 266 nsegs += howmany(sg->sg_segs[i].ss_len, maxsegsize); 267 return (nsegs); 268 } 269 270 /* These functions deal with PHYS_DSGL for the reply buffer. */ 271 static inline int 272 ccr_phys_dsgl_len(int nsegs) 273 { 274 int len; 275 276 len = (nsegs / 8) * sizeof(struct phys_sge_pairs); 277 if ((nsegs % 8) != 0) { 278 len += sizeof(uint16_t) * 8; 279 len += roundup2(nsegs % 8, 2) * sizeof(uint64_t); 280 } 281 return (len); 282 } 283 284 static void 285 ccr_write_phys_dsgl(struct ccr_softc *sc, void *dst, int nsegs) 286 { 287 struct sglist *sg; 288 struct cpl_rx_phys_dsgl *cpl; 289 struct phys_sge_pairs *sgl; 290 vm_paddr_t paddr; 291 size_t seglen; 292 u_int i, j; 293 294 sg = sc->sg_dsgl; 295 cpl = dst; 296 cpl->op_to_tid = htobe32(V_CPL_RX_PHYS_DSGL_OPCODE(CPL_RX_PHYS_DSGL) | 297 V_CPL_RX_PHYS_DSGL_ISRDMA(0)); 298 cpl->pcirlxorder_to_noofsgentr = htobe32( 299 V_CPL_RX_PHYS_DSGL_PCIRLXORDER(0) | 300 V_CPL_RX_PHYS_DSGL_PCINOSNOOP(0) | 301 V_CPL_RX_PHYS_DSGL_PCITPHNTENB(0) | V_CPL_RX_PHYS_DSGL_DCAID(0) | 302 V_CPL_RX_PHYS_DSGL_NOOFSGENTR(nsegs)); 303 cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR; 304 cpl->rss_hdr_int.qid = htobe16(sc->rxq->iq.abs_id); 305 cpl->rss_hdr_int.hash_val = 0; 306 sgl = (struct phys_sge_pairs *)(cpl + 1); 307 j = 0; 308 for (i = 0; i < sg->sg_nseg; i++) { 309 seglen = sg->sg_segs[i].ss_len; 310 paddr = sg->sg_segs[i].ss_paddr; 311 do { 312 sgl->addr[j] = htobe64(paddr); 313 if (seglen > DSGL_SGE_MAXLEN) { 314 sgl->len[j] = htobe16(DSGL_SGE_MAXLEN); 315 paddr += DSGL_SGE_MAXLEN; 316 seglen -= DSGL_SGE_MAXLEN; 317 } else { 318 sgl->len[j] = htobe16(seglen); 319 seglen = 0; 320 } 321 j++; 322 if (j == 8) { 323 sgl++; 324 j = 0; 325 } 326 } while (seglen != 0); 327 } 328 MPASS(j + 8 * (sgl - (struct phys_sge_pairs *)(cpl + 1)) == nsegs); 329 } 330 331 /* These functions deal with the ULPTX_SGL for input payload. */ 332 static inline int 333 ccr_ulptx_sgl_len(int nsegs) 334 { 335 u_int n; 336 337 nsegs--; /* first segment is part of ulptx_sgl */ 338 n = sizeof(struct ulptx_sgl) + 8 * ((3 * nsegs) / 2 + (nsegs & 1)); 339 return (roundup2(n, 16)); 340 } 341 342 static void 343 ccr_write_ulptx_sgl(struct ccr_softc *sc, void *dst, int nsegs) 344 { 345 struct ulptx_sgl *usgl; 346 struct sglist *sg; 347 struct sglist_seg *ss; 348 int i; 349 350 sg = sc->sg_ulptx; 351 MPASS(nsegs == sg->sg_nseg); 352 ss = &sg->sg_segs[0]; 353 usgl = dst; 354 usgl->cmd_nsge = htobe32(V_ULPTX_CMD(ULP_TX_SC_DSGL) | 355 V_ULPTX_NSGE(nsegs)); 356 usgl->len0 = htobe32(ss->ss_len); 357 usgl->addr0 = htobe64(ss->ss_paddr); 358 ss++; 359 for (i = 0; i < sg->sg_nseg - 1; i++) { 360 usgl->sge[i / 2].len[i & 1] = htobe32(ss->ss_len); 361 usgl->sge[i / 2].addr[i & 1] = htobe64(ss->ss_paddr); 362 ss++; 363 } 364 365 } 366 367 static bool 368 ccr_use_imm_data(u_int transhdr_len, u_int input_len) 369 { 370 371 if (input_len > CRYPTO_MAX_IMM_TX_PKT_LEN) 372 return (false); 373 if (roundup2(transhdr_len, 16) + roundup2(input_len, 16) > 374 SGE_MAX_WR_LEN) 375 return (false); 376 return (true); 377 } 378 379 static void 380 ccr_populate_wreq(struct ccr_softc *sc, struct chcr_wr *crwr, u_int kctx_len, 381 u_int wr_len, uint32_t sid, u_int imm_len, u_int sgl_len, u_int hash_size, 382 struct cryptop *crp) 383 { 384 u_int cctx_size; 385 386 cctx_size = sizeof(struct _key_ctx) + kctx_len; 387 crwr->wreq.op_to_cctx_size = htobe32( 388 V_FW_CRYPTO_LOOKASIDE_WR_OPCODE(FW_CRYPTO_LOOKASIDE_WR) | 389 V_FW_CRYPTO_LOOKASIDE_WR_COMPL(0) | 390 V_FW_CRYPTO_LOOKASIDE_WR_IMM_LEN(imm_len) | 391 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_LOC(1) | 392 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_SIZE(cctx_size >> 4)); 393 crwr->wreq.len16_pkd = htobe32( 394 V_FW_CRYPTO_LOOKASIDE_WR_LEN16(wr_len / 16)); 395 crwr->wreq.session_id = htobe32(sid); 396 crwr->wreq.rx_chid_to_rx_q_id = htobe32( 397 V_FW_CRYPTO_LOOKASIDE_WR_RX_CHID(sc->tx_channel_id) | 398 V_FW_CRYPTO_LOOKASIDE_WR_LCB(0) | 399 V_FW_CRYPTO_LOOKASIDE_WR_PHASH(0) | 400 V_FW_CRYPTO_LOOKASIDE_WR_IV(IV_NOP) | 401 V_FW_CRYPTO_LOOKASIDE_WR_FQIDX(0) | 402 V_FW_CRYPTO_LOOKASIDE_WR_TX_CH(0) | 403 V_FW_CRYPTO_LOOKASIDE_WR_RX_Q_ID(sc->rxq->iq.abs_id)); 404 crwr->wreq.key_addr = 0; 405 crwr->wreq.pld_size_hash_size = htobe32( 406 V_FW_CRYPTO_LOOKASIDE_WR_PLD_SIZE(sgl_len) | 407 V_FW_CRYPTO_LOOKASIDE_WR_HASH_SIZE(hash_size)); 408 crwr->wreq.cookie = htobe64((uintptr_t)crp); 409 410 crwr->ulptx.cmd_dest = htobe32(V_ULPTX_CMD(ULP_TX_PKT) | 411 V_ULP_TXPKT_DATAMODIFY(0) | 412 V_ULP_TXPKT_CHANNELID(sc->tx_channel_id) | V_ULP_TXPKT_DEST(0) | 413 V_ULP_TXPKT_FID(0) | V_ULP_TXPKT_RO(1)); 414 crwr->ulptx.len = htobe32( 415 ((wr_len - sizeof(struct fw_crypto_lookaside_wr)) / 16)); 416 417 crwr->sc_imm.cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_IMM) | 418 V_ULP_TX_SC_MORE(imm_len != 0 ? 0 : 1)); 419 crwr->sc_imm.len = htobe32(wr_len - offsetof(struct chcr_wr, sec_cpl) - 420 sgl_len); 421 } 422 423 static int 424 ccr_hmac(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s, 425 struct cryptop *crp) 426 { 427 struct chcr_wr *crwr; 428 struct wrqe *wr; 429 struct auth_hash *axf; 430 struct cryptodesc *crd; 431 char *dst; 432 u_int hash_size_in_response, kctx_flits, kctx_len, transhdr_len, wr_len; 433 u_int imm_len, iopad_size; 434 int error, sgl_nsegs, sgl_len; 435 436 crd = crp->crp_desc; 437 438 /* Reject requests with too large of an input buffer. */ 439 if (crd->crd_len > MAX_REQUEST_SIZE) 440 return (EFBIG); 441 442 axf = s->hmac.auth_hash; 443 444 /* PADs must be 128-bit aligned. */ 445 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 446 447 /* 448 * The 'key' part of the context includes the aligned IPAD and 449 * OPAD. 450 */ 451 kctx_len = iopad_size * 2; 452 hash_size_in_response = axf->hashsize; 453 transhdr_len = HASH_TRANSHDR_SIZE(kctx_len); 454 455 if (crd->crd_len == 0) { 456 imm_len = axf->blocksize; 457 sgl_nsegs = 0; 458 sgl_len = 0; 459 } else if (ccr_use_imm_data(transhdr_len, crd->crd_len)) { 460 imm_len = crd->crd_len; 461 sgl_nsegs = 0; 462 sgl_len = 0; 463 } else { 464 imm_len = 0; 465 sglist_reset(sc->sg_ulptx); 466 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 467 crd->crd_skip, crd->crd_len); 468 if (error) 469 return (error); 470 sgl_nsegs = sc->sg_ulptx->sg_nseg; 471 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 472 } 473 474 wr_len = roundup2(transhdr_len, 16) + roundup2(imm_len, 16) + sgl_len; 475 if (wr_len > SGE_MAX_WR_LEN) 476 return (EFBIG); 477 wr = alloc_wrqe(wr_len, sc->txq); 478 if (wr == NULL) { 479 sc->stats_wr_nomem++; 480 return (ENOMEM); 481 } 482 crwr = wrtod(wr); 483 memset(crwr, 0, wr_len); 484 485 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 486 hash_size_in_response, crp); 487 488 /* XXX: Hardcodes SGE loopback channel of 0. */ 489 crwr->sec_cpl.op_ivinsrtofst = htobe32( 490 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 491 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 492 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 493 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 494 V_CPL_TX_SEC_PDU_IVINSRTOFST(0)); 495 496 crwr->sec_cpl.pldlen = htobe32(crd->crd_len == 0 ? axf->blocksize : 497 crd->crd_len); 498 499 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 500 V_CPL_TX_SEC_PDU_AUTHSTART(1) | V_CPL_TX_SEC_PDU_AUTHSTOP(0)); 501 502 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 503 crwr->sec_cpl.seqno_numivs = htobe32( 504 V_SCMD_SEQ_NO_CTRL(0) | 505 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) | 506 V_SCMD_CIPH_MODE(CHCR_SCMD_CIPHER_MODE_NOP) | 507 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 508 V_SCMD_HMAC_CTRL(CHCR_SCMD_HMAC_CTRL_NO_TRUNC)); 509 crwr->sec_cpl.ivgen_hdrlen = htobe32( 510 V_SCMD_LAST_FRAG(0) | 511 V_SCMD_MORE_FRAGS(crd->crd_len == 0 ? 1 : 0) | V_SCMD_MAC_ONLY(1)); 512 513 memcpy(crwr->key_ctx.key, s->hmac.ipad, s->hmac.partial_digest_len); 514 memcpy(crwr->key_ctx.key + iopad_size, s->hmac.opad, 515 s->hmac.partial_digest_len); 516 517 /* XXX: F_KEY_CONTEXT_SALT_PRESENT set, but 'salt' not set. */ 518 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 519 crwr->key_ctx.ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 520 V_KEY_CONTEXT_OPAD_PRESENT(1) | V_KEY_CONTEXT_SALT_PRESENT(1) | 521 V_KEY_CONTEXT_CK_SIZE(CHCR_KEYCTX_NO_KEY) | 522 V_KEY_CONTEXT_MK_SIZE(s->hmac.mk_size) | V_KEY_CONTEXT_VALID(1)); 523 524 dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES; 525 if (crd->crd_len == 0) { 526 dst[0] = 0x80; 527 *(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) = 528 htobe64(axf->blocksize << 3); 529 } else if (imm_len != 0) 530 crypto_copydata(crp->crp_flags, crp->crp_buf, crd->crd_skip, 531 crd->crd_len, dst); 532 else 533 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 534 535 /* XXX: TODO backpressure */ 536 t4_wrq_tx(sc->adapter, wr); 537 538 return (0); 539 } 540 541 static int 542 ccr_hmac_done(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp, 543 const struct cpl_fw6_pld *cpl, int error) 544 { 545 struct cryptodesc *crd; 546 547 crd = crp->crp_desc; 548 if (error == 0) { 549 crypto_copyback(crp->crp_flags, crp->crp_buf, crd->crd_inject, 550 s->hmac.hash_len, (c_caddr_t)(cpl + 1)); 551 } 552 553 return (error); 554 } 555 556 static int 557 ccr_blkcipher(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s, 558 struct cryptop *crp) 559 { 560 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 561 struct chcr_wr *crwr; 562 struct wrqe *wr; 563 struct cryptodesc *crd; 564 char *dst; 565 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 566 u_int imm_len; 567 int dsgl_nsegs, dsgl_len; 568 int sgl_nsegs, sgl_len; 569 int error; 570 571 crd = crp->crp_desc; 572 573 if (s->blkcipher.key_len == 0 || crd->crd_len == 0) 574 return (EINVAL); 575 if (crd->crd_alg == CRYPTO_AES_CBC && 576 (crd->crd_len % AES_BLOCK_LEN) != 0) 577 return (EINVAL); 578 579 /* Reject requests with too large of an input buffer. */ 580 if (crd->crd_len > MAX_REQUEST_SIZE) 581 return (EFBIG); 582 583 if (crd->crd_flags & CRD_F_ENCRYPT) { 584 op_type = CHCR_ENCRYPT_OP; 585 if (crd->crd_flags & CRD_F_IV_EXPLICIT) 586 memcpy(iv, crd->crd_iv, s->blkcipher.iv_len); 587 else 588 arc4rand(iv, s->blkcipher.iv_len, 0); 589 if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0) 590 crypto_copyback(crp->crp_flags, crp->crp_buf, 591 crd->crd_inject, s->blkcipher.iv_len, iv); 592 } else { 593 op_type = CHCR_DECRYPT_OP; 594 if (crd->crd_flags & CRD_F_IV_EXPLICIT) 595 memcpy(iv, crd->crd_iv, s->blkcipher.iv_len); 596 else 597 crypto_copydata(crp->crp_flags, crp->crp_buf, 598 crd->crd_inject, s->blkcipher.iv_len, iv); 599 } 600 601 sglist_reset(sc->sg_dsgl); 602 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crd->crd_skip, 603 crd->crd_len); 604 if (error) 605 return (error); 606 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 607 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 608 return (EFBIG); 609 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 610 611 /* The 'key' must be 128-bit aligned. */ 612 kctx_len = roundup2(s->blkcipher.key_len, 16); 613 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 614 615 if (ccr_use_imm_data(transhdr_len, crd->crd_len + 616 s->blkcipher.iv_len)) { 617 imm_len = crd->crd_len; 618 sgl_nsegs = 0; 619 sgl_len = 0; 620 } else { 621 imm_len = 0; 622 sglist_reset(sc->sg_ulptx); 623 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 624 crd->crd_skip, crd->crd_len); 625 if (error) 626 return (error); 627 sgl_nsegs = sc->sg_ulptx->sg_nseg; 628 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 629 } 630 631 wr_len = roundup2(transhdr_len, 16) + s->blkcipher.iv_len + 632 roundup2(imm_len, 16) + sgl_len; 633 if (wr_len > SGE_MAX_WR_LEN) 634 return (EFBIG); 635 wr = alloc_wrqe(wr_len, sc->txq); 636 if (wr == NULL) { 637 sc->stats_wr_nomem++; 638 return (ENOMEM); 639 } 640 crwr = wrtod(wr); 641 memset(crwr, 0, wr_len); 642 643 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 0, 644 crp); 645 646 /* XXX: Hardcodes SGE loopback channel of 0. */ 647 crwr->sec_cpl.op_ivinsrtofst = htobe32( 648 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 649 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 650 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 651 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 652 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 653 654 crwr->sec_cpl.pldlen = htobe32(s->blkcipher.iv_len + crd->crd_len); 655 656 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 657 V_CPL_TX_SEC_PDU_CIPHERSTART(s->blkcipher.iv_len + 1) | 658 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 659 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 660 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0)); 661 662 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 663 crwr->sec_cpl.seqno_numivs = htobe32( 664 V_SCMD_SEQ_NO_CTRL(0) | 665 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) | 666 V_SCMD_ENC_DEC_CTRL(op_type) | 667 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) | 668 V_SCMD_AUTH_MODE(CHCR_SCMD_AUTH_MODE_NOP) | 669 V_SCMD_HMAC_CTRL(CHCR_SCMD_HMAC_CTRL_NOP) | 670 V_SCMD_IV_SIZE(s->blkcipher.iv_len / 2) | 671 V_SCMD_NUM_IVS(0)); 672 crwr->sec_cpl.ivgen_hdrlen = htobe32( 673 V_SCMD_IV_GEN_CTRL(0) | 674 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 675 V_SCMD_AADIVDROP(1) | V_SCMD_HDR_LEN(dsgl_len)); 676 677 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 678 switch (crd->crd_alg) { 679 case CRYPTO_AES_CBC: 680 if (crd->crd_flags & CRD_F_ENCRYPT) 681 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 682 s->blkcipher.key_len); 683 else 684 memcpy(crwr->key_ctx.key, s->blkcipher.deckey, 685 s->blkcipher.key_len); 686 break; 687 case CRYPTO_AES_ICM: 688 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 689 s->blkcipher.key_len); 690 break; 691 case CRYPTO_AES_XTS: 692 key_half = s->blkcipher.key_len / 2; 693 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half, 694 key_half); 695 if (crd->crd_flags & CRD_F_ENCRYPT) 696 memcpy(crwr->key_ctx.key + key_half, 697 s->blkcipher.enckey, key_half); 698 else 699 memcpy(crwr->key_ctx.key + key_half, 700 s->blkcipher.deckey, key_half); 701 break; 702 } 703 704 dst = (char *)(crwr + 1) + kctx_len; 705 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 706 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 707 memcpy(dst, iv, s->blkcipher.iv_len); 708 dst += s->blkcipher.iv_len; 709 if (imm_len != 0) 710 crypto_copydata(crp->crp_flags, crp->crp_buf, crd->crd_skip, 711 crd->crd_len, dst); 712 else 713 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 714 715 /* XXX: TODO backpressure */ 716 t4_wrq_tx(sc->adapter, wr); 717 718 return (0); 719 } 720 721 static int 722 ccr_blkcipher_done(struct ccr_softc *sc, struct ccr_session *s, 723 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 724 { 725 726 /* 727 * The updated IV to permit chained requests is at 728 * cpl->data[2], but OCF doesn't permit chained requests. 729 */ 730 return (error); 731 } 732 733 /* 734 * 'hashsize' is the length of a full digest. 'authsize' is the 735 * requested digest length for this operation which may be less 736 * than 'hashsize'. 737 */ 738 static int 739 ccr_hmac_ctrl(unsigned int hashsize, unsigned int authsize) 740 { 741 742 if (authsize == 10) 743 return (CHCR_SCMD_HMAC_CTRL_TRUNC_RFC4366); 744 if (authsize == 12) 745 return (CHCR_SCMD_HMAC_CTRL_IPSEC_96BIT); 746 if (authsize == hashsize / 2) 747 return (CHCR_SCMD_HMAC_CTRL_DIV2); 748 return (CHCR_SCMD_HMAC_CTRL_NO_TRUNC); 749 } 750 751 static int 752 ccr_authenc(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s, 753 struct cryptop *crp, struct cryptodesc *crda, struct cryptodesc *crde) 754 { 755 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 756 struct chcr_wr *crwr; 757 struct wrqe *wr; 758 struct auth_hash *axf; 759 char *dst; 760 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 761 u_int hash_size_in_response, imm_len, iopad_size; 762 u_int aad_start, aad_len, aad_stop; 763 u_int auth_start, auth_stop, auth_insert; 764 u_int cipher_start, cipher_stop; 765 u_int hmac_ctrl, input_len; 766 int dsgl_nsegs, dsgl_len; 767 int sgl_nsegs, sgl_len; 768 int error; 769 770 /* 771 * If there is a need in the future, requests with an empty 772 * payload could be supported as HMAC-only requests. 773 */ 774 if (s->blkcipher.key_len == 0 || crde->crd_len == 0) 775 return (EINVAL); 776 if (crde->crd_alg == CRYPTO_AES_CBC && 777 (crde->crd_len % AES_BLOCK_LEN) != 0) 778 return (EINVAL); 779 780 /* 781 * Compute the length of the AAD (data covered by the 782 * authentication descriptor but not the encryption 783 * descriptor). To simplify the logic, AAD is only permitted 784 * before the cipher/plain text, not after. This is true of 785 * all currently-generated requests. 786 */ 787 if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip) 788 return (EINVAL); 789 if (crda->crd_skip < crde->crd_skip) { 790 if (crda->crd_skip + crda->crd_len > crde->crd_skip) 791 aad_len = (crde->crd_skip - crda->crd_skip); 792 else 793 aad_len = crda->crd_len; 794 } else 795 aad_len = 0; 796 if (aad_len + s->blkcipher.iv_len > MAX_AAD_LEN) 797 return (EINVAL); 798 799 axf = s->hmac.auth_hash; 800 hash_size_in_response = s->hmac.hash_len; 801 802 /* 803 * The IV is always stored at the start of the buffer even 804 * though it may be duplicated in the payload. The crypto 805 * engine doesn't work properly if the IV offset points inside 806 * of the AAD region, so a second copy is always required. 807 */ 808 if (crde->crd_flags & CRD_F_ENCRYPT) { 809 op_type = CHCR_ENCRYPT_OP; 810 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 811 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len); 812 else 813 arc4rand(iv, s->blkcipher.iv_len, 0); 814 if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0) 815 crypto_copyback(crp->crp_flags, crp->crp_buf, 816 crde->crd_inject, s->blkcipher.iv_len, iv); 817 } else { 818 op_type = CHCR_DECRYPT_OP; 819 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 820 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len); 821 else 822 crypto_copydata(crp->crp_flags, crp->crp_buf, 823 crde->crd_inject, s->blkcipher.iv_len, iv); 824 } 825 826 /* 827 * The output buffer consists of the cipher text followed by 828 * the hash when encrypting. For decryption it only contains 829 * the plain text. 830 * 831 * Due to a firmware bug, the output buffer must include a 832 * dummy output buffer for the IV and AAD prior to the real 833 * output buffer. 834 */ 835 if (op_type == CHCR_ENCRYPT_OP) { 836 if (s->blkcipher.iv_len + aad_len + crde->crd_len + 837 hash_size_in_response > MAX_REQUEST_SIZE) 838 return (EFBIG); 839 } else { 840 if (s->blkcipher.iv_len + aad_len + crde->crd_len > 841 MAX_REQUEST_SIZE) 842 return (EFBIG); 843 } 844 sglist_reset(sc->sg_dsgl); 845 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, 846 s->blkcipher.iv_len + aad_len); 847 if (error) 848 return (error); 849 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crde->crd_skip, 850 crde->crd_len); 851 if (error) 852 return (error); 853 if (op_type == CHCR_ENCRYPT_OP) { 854 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 855 crda->crd_inject, hash_size_in_response); 856 if (error) 857 return (error); 858 } 859 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 860 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 861 return (EFBIG); 862 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 863 864 /* PADs must be 128-bit aligned. */ 865 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 866 867 /* 868 * The 'key' part of the key context consists of the key followed 869 * by the IPAD and OPAD. 870 */ 871 kctx_len = roundup2(s->blkcipher.key_len, 16) + iopad_size * 2; 872 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 873 874 /* 875 * The input buffer consists of the IV, any AAD, and then the 876 * cipher/plain text. For decryption requests the hash is 877 * appended after the cipher text. 878 */ 879 input_len = aad_len + crde->crd_len; 880 881 /* 882 * The firmware hangs if sent a request which is a 883 * bit smaller than MAX_REQUEST_SIZE. In particular, the 884 * firmware appears to require 512 - 16 bytes of spare room 885 * along with the size of the hash even if the hash isn't 886 * included in the input buffer. 887 */ 888 if (input_len + roundup2(axf->hashsize, 16) + (512 - 16) > 889 MAX_REQUEST_SIZE) 890 return (EFBIG); 891 if (op_type == CHCR_DECRYPT_OP) 892 input_len += hash_size_in_response; 893 if (ccr_use_imm_data(transhdr_len, s->blkcipher.iv_len + input_len)) { 894 imm_len = input_len; 895 sgl_nsegs = 0; 896 sgl_len = 0; 897 } else { 898 imm_len = 0; 899 sglist_reset(sc->sg_ulptx); 900 if (aad_len != 0) { 901 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 902 crda->crd_skip, aad_len); 903 if (error) 904 return (error); 905 } 906 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 907 crde->crd_skip, crde->crd_len); 908 if (error) 909 return (error); 910 if (op_type == CHCR_DECRYPT_OP) { 911 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 912 crda->crd_inject, hash_size_in_response); 913 if (error) 914 return (error); 915 } 916 sgl_nsegs = sc->sg_ulptx->sg_nseg; 917 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 918 } 919 920 /* 921 * Any auth-only data before the cipher region is marked as AAD. 922 * Auth-data that overlaps with the cipher region is placed in 923 * the auth section. 924 */ 925 if (aad_len != 0) { 926 aad_start = s->blkcipher.iv_len + 1; 927 aad_stop = aad_start + aad_len - 1; 928 } else { 929 aad_start = 0; 930 aad_stop = 0; 931 } 932 cipher_start = s->blkcipher.iv_len + aad_len + 1; 933 if (op_type == CHCR_DECRYPT_OP) 934 cipher_stop = hash_size_in_response; 935 else 936 cipher_stop = 0; 937 if (aad_len == crda->crd_len) { 938 auth_start = 0; 939 auth_stop = 0; 940 } else { 941 if (aad_len != 0) 942 auth_start = cipher_start; 943 else 944 auth_start = s->blkcipher.iv_len + crda->crd_skip - 945 crde->crd_skip + 1; 946 auth_stop = (crde->crd_skip + crde->crd_len) - 947 (crda->crd_skip + crda->crd_len) + cipher_stop; 948 } 949 if (op_type == CHCR_DECRYPT_OP) 950 auth_insert = hash_size_in_response; 951 else 952 auth_insert = 0; 953 954 wr_len = roundup2(transhdr_len, 16) + s->blkcipher.iv_len + 955 roundup2(imm_len, 16) + sgl_len; 956 if (wr_len > SGE_MAX_WR_LEN) 957 return (EFBIG); 958 wr = alloc_wrqe(wr_len, sc->txq); 959 if (wr == NULL) { 960 sc->stats_wr_nomem++; 961 return (ENOMEM); 962 } 963 crwr = wrtod(wr); 964 memset(crwr, 0, wr_len); 965 966 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 967 op_type == CHCR_DECRYPT_OP ? hash_size_in_response : 0, crp); 968 969 /* XXX: Hardcodes SGE loopback channel of 0. */ 970 crwr->sec_cpl.op_ivinsrtofst = htobe32( 971 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 972 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 973 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 974 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 975 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 976 977 crwr->sec_cpl.pldlen = htobe32(s->blkcipher.iv_len + input_len); 978 979 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 980 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 981 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 982 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 983 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(cipher_stop >> 4)); 984 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 985 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(cipher_stop & 0xf) | 986 V_CPL_TX_SEC_PDU_AUTHSTART(auth_start) | 987 V_CPL_TX_SEC_PDU_AUTHSTOP(auth_stop) | 988 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 989 990 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 991 hmac_ctrl = ccr_hmac_ctrl(axf->hashsize, hash_size_in_response); 992 crwr->sec_cpl.seqno_numivs = htobe32( 993 V_SCMD_SEQ_NO_CTRL(0) | 994 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) | 995 V_SCMD_ENC_DEC_CTRL(op_type) | 996 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 997 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) | 998 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 999 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1000 V_SCMD_IV_SIZE(s->blkcipher.iv_len / 2) | 1001 V_SCMD_NUM_IVS(0)); 1002 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1003 V_SCMD_IV_GEN_CTRL(0) | 1004 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1005 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1006 1007 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1008 switch (crde->crd_alg) { 1009 case CRYPTO_AES_CBC: 1010 if (crde->crd_flags & CRD_F_ENCRYPT) 1011 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 1012 s->blkcipher.key_len); 1013 else 1014 memcpy(crwr->key_ctx.key, s->blkcipher.deckey, 1015 s->blkcipher.key_len); 1016 break; 1017 case CRYPTO_AES_ICM: 1018 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 1019 s->blkcipher.key_len); 1020 break; 1021 case CRYPTO_AES_XTS: 1022 key_half = s->blkcipher.key_len / 2; 1023 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half, 1024 key_half); 1025 if (crde->crd_flags & CRD_F_ENCRYPT) 1026 memcpy(crwr->key_ctx.key + key_half, 1027 s->blkcipher.enckey, key_half); 1028 else 1029 memcpy(crwr->key_ctx.key + key_half, 1030 s->blkcipher.deckey, key_half); 1031 break; 1032 } 1033 1034 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16); 1035 memcpy(dst, s->hmac.ipad, s->hmac.partial_digest_len); 1036 memcpy(dst + iopad_size, s->hmac.opad, s->hmac.partial_digest_len); 1037 1038 dst = (char *)(crwr + 1) + kctx_len; 1039 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 1040 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1041 memcpy(dst, iv, s->blkcipher.iv_len); 1042 dst += s->blkcipher.iv_len; 1043 if (imm_len != 0) { 1044 if (aad_len != 0) { 1045 crypto_copydata(crp->crp_flags, crp->crp_buf, 1046 crda->crd_skip, aad_len, dst); 1047 dst += aad_len; 1048 } 1049 crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip, 1050 crde->crd_len, dst); 1051 dst += crde->crd_len; 1052 if (op_type == CHCR_DECRYPT_OP) 1053 crypto_copydata(crp->crp_flags, crp->crp_buf, 1054 crda->crd_inject, hash_size_in_response, dst); 1055 } else 1056 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1057 1058 /* XXX: TODO backpressure */ 1059 t4_wrq_tx(sc->adapter, wr); 1060 1061 return (0); 1062 } 1063 1064 static int 1065 ccr_authenc_done(struct ccr_softc *sc, struct ccr_session *s, 1066 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1067 { 1068 struct cryptodesc *crd; 1069 1070 /* 1071 * The updated IV to permit chained requests is at 1072 * cpl->data[2], but OCF doesn't permit chained requests. 1073 * 1074 * For a decryption request, the hardware may do a verification 1075 * of the HMAC which will fail if the existing HMAC isn't in the 1076 * buffer. If that happens, clear the error and copy the HMAC 1077 * from the CPL reply into the buffer. 1078 * 1079 * For encryption requests, crd should be the cipher request 1080 * which will have CRD_F_ENCRYPT set. For decryption 1081 * requests, crp_desc will be the HMAC request which should 1082 * not have this flag set. 1083 */ 1084 crd = crp->crp_desc; 1085 if (error == EBADMSG && !CHK_PAD_ERR_BIT(be64toh(cpl->data[0])) && 1086 !(crd->crd_flags & CRD_F_ENCRYPT)) { 1087 crypto_copyback(crp->crp_flags, crp->crp_buf, crd->crd_inject, 1088 s->hmac.hash_len, (c_caddr_t)(cpl + 1)); 1089 error = 0; 1090 } 1091 return (error); 1092 } 1093 1094 static int 1095 ccr_gcm(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s, 1096 struct cryptop *crp, struct cryptodesc *crda, struct cryptodesc *crde) 1097 { 1098 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 1099 struct chcr_wr *crwr; 1100 struct wrqe *wr; 1101 char *dst; 1102 u_int iv_len, kctx_len, op_type, transhdr_len, wr_len; 1103 u_int hash_size_in_response, imm_len; 1104 u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert; 1105 u_int hmac_ctrl, input_len; 1106 int dsgl_nsegs, dsgl_len; 1107 int sgl_nsegs, sgl_len; 1108 int error; 1109 1110 if (s->blkcipher.key_len == 0) 1111 return (EINVAL); 1112 1113 /* 1114 * AAD is only permitted before the cipher/plain text, not 1115 * after. 1116 */ 1117 if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip) 1118 return (EINVAL); 1119 1120 if (crda->crd_len + AES_BLOCK_LEN > MAX_AAD_LEN) 1121 return (EINVAL); 1122 1123 hash_size_in_response = s->gmac.hash_len; 1124 1125 /* 1126 * The IV is always stored at the start of the buffer even 1127 * though it may be duplicated in the payload. The crypto 1128 * engine doesn't work properly if the IV offset points inside 1129 * of the AAD region, so a second copy is always required. 1130 * 1131 * The IV for GCM is further complicated in that IPSec 1132 * provides a full 16-byte IV (including the counter), whereas 1133 * the /dev/crypto interface sometimes provides a full 16-byte 1134 * IV (if no IV is provided in the ioctl) and sometimes a 1135 * 12-byte IV (if the IV was explicit). For now the driver 1136 * always assumes a 12-byte IV and initializes the low 4 byte 1137 * counter to 1. 1138 */ 1139 if (crde->crd_flags & CRD_F_ENCRYPT) { 1140 op_type = CHCR_ENCRYPT_OP; 1141 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 1142 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len); 1143 else 1144 arc4rand(iv, s->blkcipher.iv_len, 0); 1145 if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0) 1146 crypto_copyback(crp->crp_flags, crp->crp_buf, 1147 crde->crd_inject, s->blkcipher.iv_len, iv); 1148 } else { 1149 op_type = CHCR_DECRYPT_OP; 1150 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 1151 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len); 1152 else 1153 crypto_copydata(crp->crp_flags, crp->crp_buf, 1154 crde->crd_inject, s->blkcipher.iv_len, iv); 1155 } 1156 1157 /* 1158 * If the input IV is 12 bytes, append an explicit counter of 1159 * 1. 1160 */ 1161 if (s->blkcipher.iv_len == 12) { 1162 *(uint32_t *)&iv[12] = htobe32(1); 1163 iv_len = AES_BLOCK_LEN; 1164 } else 1165 iv_len = s->blkcipher.iv_len; 1166 1167 /* 1168 * The output buffer consists of the cipher text followed by 1169 * the tag when encrypting. For decryption it only contains 1170 * the plain text. 1171 * 1172 * Due to a firmware bug, the output buffer must include a 1173 * dummy output buffer for the IV and AAD prior to the real 1174 * output buffer. 1175 */ 1176 if (op_type == CHCR_ENCRYPT_OP) { 1177 if (iv_len + crda->crd_len + crde->crd_len + 1178 hash_size_in_response > MAX_REQUEST_SIZE) 1179 return (EFBIG); 1180 } else { 1181 if (iv_len + crda->crd_len + crde->crd_len > MAX_REQUEST_SIZE) 1182 return (EFBIG); 1183 } 1184 sglist_reset(sc->sg_dsgl); 1185 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, iv_len + 1186 crda->crd_len); 1187 if (error) 1188 return (error); 1189 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crde->crd_skip, 1190 crde->crd_len); 1191 if (error) 1192 return (error); 1193 if (op_type == CHCR_ENCRYPT_OP) { 1194 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1195 crda->crd_inject, hash_size_in_response); 1196 if (error) 1197 return (error); 1198 } 1199 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 1200 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 1201 return (EFBIG); 1202 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 1203 1204 /* 1205 * The 'key' part of the key context consists of the key followed 1206 * by the Galois hash key. 1207 */ 1208 kctx_len = roundup2(s->blkcipher.key_len, 16) + GMAC_BLOCK_LEN; 1209 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 1210 1211 /* 1212 * The input buffer consists of the IV, any AAD, and then the 1213 * cipher/plain text. For decryption requests the hash is 1214 * appended after the cipher text. 1215 */ 1216 input_len = crda->crd_len + crde->crd_len; 1217 if (op_type == CHCR_DECRYPT_OP) 1218 input_len += hash_size_in_response; 1219 if (input_len > MAX_REQUEST_SIZE) 1220 return (EFBIG); 1221 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 1222 imm_len = input_len; 1223 sgl_nsegs = 0; 1224 sgl_len = 0; 1225 } else { 1226 imm_len = 0; 1227 sglist_reset(sc->sg_ulptx); 1228 if (crda->crd_len != 0) { 1229 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1230 crda->crd_skip, crda->crd_len); 1231 if (error) 1232 return (error); 1233 } 1234 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1235 crde->crd_skip, crde->crd_len); 1236 if (error) 1237 return (error); 1238 if (op_type == CHCR_DECRYPT_OP) { 1239 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1240 crda->crd_inject, hash_size_in_response); 1241 if (error) 1242 return (error); 1243 } 1244 sgl_nsegs = sc->sg_ulptx->sg_nseg; 1245 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 1246 } 1247 1248 if (crda->crd_len != 0) { 1249 aad_start = iv_len + 1; 1250 aad_stop = aad_start + crda->crd_len - 1; 1251 } else { 1252 aad_start = 0; 1253 aad_stop = 0; 1254 } 1255 cipher_start = iv_len + crda->crd_len + 1; 1256 if (op_type == CHCR_DECRYPT_OP) 1257 cipher_stop = hash_size_in_response; 1258 else 1259 cipher_stop = 0; 1260 if (op_type == CHCR_DECRYPT_OP) 1261 auth_insert = hash_size_in_response; 1262 else 1263 auth_insert = 0; 1264 1265 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 1266 sgl_len; 1267 if (wr_len > SGE_MAX_WR_LEN) 1268 return (EFBIG); 1269 wr = alloc_wrqe(wr_len, sc->txq); 1270 if (wr == NULL) { 1271 sc->stats_wr_nomem++; 1272 return (ENOMEM); 1273 } 1274 crwr = wrtod(wr); 1275 memset(crwr, 0, wr_len); 1276 1277 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 1278 0, crp); 1279 1280 /* XXX: Hardcodes SGE loopback channel of 0. */ 1281 crwr->sec_cpl.op_ivinsrtofst = htobe32( 1282 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 1283 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 1284 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 1285 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 1286 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 1287 1288 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 1289 1290 /* 1291 * NB: cipherstop is explicitly set to 0. On encrypt it 1292 * should normally be set to 0 anyway (as the encrypt crd ends 1293 * at the end of the input). However, for decrypt the cipher 1294 * ends before the tag in the AUTHENC case (and authstop is 1295 * set to stop before the tag), but for GCM the cipher still 1296 * runs to the end of the buffer. Not sure if this is 1297 * intentional or a firmware quirk, but it is required for 1298 * working tag validation with GCM decryption. 1299 */ 1300 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 1301 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 1302 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 1303 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 1304 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 1305 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1306 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) | 1307 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1308 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1309 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1310 1311 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1312 hmac_ctrl = ccr_hmac_ctrl(AES_GMAC_HASH_LEN, hash_size_in_response); 1313 crwr->sec_cpl.seqno_numivs = htobe32( 1314 V_SCMD_SEQ_NO_CTRL(0) | 1315 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) | 1316 V_SCMD_ENC_DEC_CTRL(op_type) | 1317 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 1318 V_SCMD_CIPH_MODE(CHCR_SCMD_CIPHER_MODE_AES_GCM) | 1319 V_SCMD_AUTH_MODE(CHCR_SCMD_AUTH_MODE_GHASH) | 1320 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1321 V_SCMD_IV_SIZE(iv_len / 2) | 1322 V_SCMD_NUM_IVS(0)); 1323 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1324 V_SCMD_IV_GEN_CTRL(0) | 1325 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1326 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1327 1328 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1329 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len); 1330 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16); 1331 memcpy(dst, s->gmac.ghash_h, GMAC_BLOCK_LEN); 1332 1333 dst = (char *)(crwr + 1) + kctx_len; 1334 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 1335 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1336 memcpy(dst, iv, iv_len); 1337 dst += iv_len; 1338 if (imm_len != 0) { 1339 if (crda->crd_len != 0) { 1340 crypto_copydata(crp->crp_flags, crp->crp_buf, 1341 crda->crd_skip, crda->crd_len, dst); 1342 dst += crda->crd_len; 1343 } 1344 crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip, 1345 crde->crd_len, dst); 1346 dst += crde->crd_len; 1347 if (op_type == CHCR_DECRYPT_OP) 1348 crypto_copydata(crp->crp_flags, crp->crp_buf, 1349 crda->crd_inject, hash_size_in_response, dst); 1350 } else 1351 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1352 1353 /* XXX: TODO backpressure */ 1354 t4_wrq_tx(sc->adapter, wr); 1355 1356 return (0); 1357 } 1358 1359 static int 1360 ccr_gcm_done(struct ccr_softc *sc, struct ccr_session *s, 1361 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1362 { 1363 1364 /* 1365 * The updated IV to permit chained requests is at 1366 * cpl->data[2], but OCF doesn't permit chained requests. 1367 * 1368 * Note that the hardware should always verify the GMAC hash. 1369 */ 1370 return (error); 1371 } 1372 1373 /* 1374 * Handle a GCM request with an empty payload by performing the 1375 * operation in software. Derived from swcr_authenc(). 1376 */ 1377 static void 1378 ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp, 1379 struct cryptodesc *crda, struct cryptodesc *crde) 1380 { 1381 struct aes_gmac_ctx gmac_ctx; 1382 char block[GMAC_BLOCK_LEN]; 1383 char digest[GMAC_DIGEST_LEN]; 1384 char iv[AES_BLOCK_LEN]; 1385 int i, len; 1386 1387 /* 1388 * This assumes a 12-byte IV from the crp. See longer comment 1389 * above in ccr_gcm() for more details. 1390 */ 1391 if (crde->crd_flags & CRD_F_ENCRYPT) { 1392 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 1393 memcpy(iv, crde->crd_iv, 12); 1394 else 1395 arc4rand(iv, 12, 0); 1396 } else { 1397 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 1398 memcpy(iv, crde->crd_iv, 12); 1399 else 1400 crypto_copydata(crp->crp_flags, crp->crp_buf, 1401 crde->crd_inject, 12, iv); 1402 } 1403 *(uint32_t *)&iv[12] = htobe32(1); 1404 1405 /* Initialize the MAC. */ 1406 AES_GMAC_Init(&gmac_ctx); 1407 AES_GMAC_Setkey(&gmac_ctx, s->blkcipher.enckey, s->blkcipher.key_len); 1408 AES_GMAC_Reinit(&gmac_ctx, iv, sizeof(iv)); 1409 1410 /* MAC the AAD. */ 1411 for (i = 0; i < crda->crd_len; i += sizeof(block)) { 1412 len = imin(crda->crd_len - i, sizeof(block)); 1413 crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_skip + 1414 i, len, block); 1415 bzero(block + len, sizeof(block) - len); 1416 AES_GMAC_Update(&gmac_ctx, block, sizeof(block)); 1417 } 1418 1419 /* Length block. */ 1420 bzero(block, sizeof(block)); 1421 ((uint32_t *)block)[1] = htobe32(crda->crd_len * 8); 1422 AES_GMAC_Update(&gmac_ctx, block, sizeof(block)); 1423 AES_GMAC_Final(digest, &gmac_ctx); 1424 1425 if (crde->crd_flags & CRD_F_ENCRYPT) { 1426 crypto_copyback(crp->crp_flags, crp->crp_buf, crda->crd_inject, 1427 sizeof(digest), digest); 1428 crp->crp_etype = 0; 1429 } else { 1430 char digest2[GMAC_DIGEST_LEN]; 1431 1432 crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_inject, 1433 sizeof(digest2), digest2); 1434 if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) 1435 crp->crp_etype = 0; 1436 else 1437 crp->crp_etype = EBADMSG; 1438 } 1439 crypto_done(crp); 1440 } 1441 1442 static void 1443 ccr_identify(driver_t *driver, device_t parent) 1444 { 1445 struct adapter *sc; 1446 1447 sc = device_get_softc(parent); 1448 if (sc->cryptocaps & FW_CAPS_CONFIG_CRYPTO_LOOKASIDE && 1449 device_find_child(parent, "ccr", -1) == NULL) 1450 device_add_child(parent, "ccr", -1); 1451 } 1452 1453 static int 1454 ccr_probe(device_t dev) 1455 { 1456 1457 device_set_desc(dev, "Chelsio Crypto Accelerator"); 1458 return (BUS_PROBE_DEFAULT); 1459 } 1460 1461 static void 1462 ccr_sysctls(struct ccr_softc *sc) 1463 { 1464 struct sysctl_ctx_list *ctx; 1465 struct sysctl_oid *oid; 1466 struct sysctl_oid_list *children; 1467 1468 ctx = device_get_sysctl_ctx(sc->dev); 1469 1470 /* 1471 * dev.ccr.X. 1472 */ 1473 oid = device_get_sysctl_tree(sc->dev); 1474 children = SYSCTL_CHILDREN(oid); 1475 1476 /* 1477 * dev.ccr.X.stats. 1478 */ 1479 oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "stats", CTLFLAG_RD, 1480 NULL, "statistics"); 1481 children = SYSCTL_CHILDREN(oid); 1482 1483 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "hmac", CTLFLAG_RD, 1484 &sc->stats_hmac, 0, "HMAC requests submitted"); 1485 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_encrypt", CTLFLAG_RD, 1486 &sc->stats_blkcipher_encrypt, 0, 1487 "Cipher encryption requests submitted"); 1488 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_decrypt", CTLFLAG_RD, 1489 &sc->stats_blkcipher_decrypt, 0, 1490 "Cipher decryption requests submitted"); 1491 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "authenc_encrypt", CTLFLAG_RD, 1492 &sc->stats_authenc_encrypt, 0, 1493 "Combined AES+HMAC encryption requests submitted"); 1494 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "authenc_decrypt", CTLFLAG_RD, 1495 &sc->stats_authenc_decrypt, 0, 1496 "Combined AES+HMAC decryption requests submitted"); 1497 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_encrypt", CTLFLAG_RD, 1498 &sc->stats_gcm_encrypt, 0, "AES-GCM encryption requests submitted"); 1499 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_decrypt", CTLFLAG_RD, 1500 &sc->stats_gcm_decrypt, 0, "AES-GCM decryption requests submitted"); 1501 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "wr_nomem", CTLFLAG_RD, 1502 &sc->stats_wr_nomem, 0, "Work request memory allocation failures"); 1503 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "inflight", CTLFLAG_RD, 1504 &sc->stats_inflight, 0, "Requests currently pending"); 1505 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "mac_error", CTLFLAG_RD, 1506 &sc->stats_mac_error, 0, "MAC errors"); 1507 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "pad_error", CTLFLAG_RD, 1508 &sc->stats_pad_error, 0, "Padding errors"); 1509 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "bad_session", CTLFLAG_RD, 1510 &sc->stats_bad_session, 0, "Requests with invalid session ID"); 1511 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sglist_error", CTLFLAG_RD, 1512 &sc->stats_sglist_error, 0, 1513 "Requests for which DMA mapping failed"); 1514 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "process_error", CTLFLAG_RD, 1515 &sc->stats_process_error, 0, "Requests failed during queueing"); 1516 } 1517 1518 static int 1519 ccr_attach(device_t dev) 1520 { 1521 struct ccr_softc *sc; 1522 int32_t cid; 1523 1524 /* 1525 * TODO: Crypto requests will panic if the parent device isn't 1526 * initialized so that the queues are up and running. Need to 1527 * figure out how to handle that correctly, maybe just reject 1528 * requests if the adapter isn't fully initialized? 1529 */ 1530 sc = device_get_softc(dev); 1531 sc->dev = dev; 1532 sc->adapter = device_get_softc(device_get_parent(dev)); 1533 sc->txq = &sc->adapter->sge.ctrlq[0]; 1534 sc->rxq = &sc->adapter->sge.rxq[0]; 1535 cid = crypto_get_driverid(dev, CRYPTOCAP_F_HARDWARE); 1536 if (cid < 0) { 1537 device_printf(dev, "could not get crypto driver id\n"); 1538 return (ENXIO); 1539 } 1540 sc->cid = cid; 1541 sc->adapter->ccr_softc = sc; 1542 1543 /* XXX: TODO? */ 1544 sc->tx_channel_id = 0; 1545 1546 mtx_init(&sc->lock, "ccr", NULL, MTX_DEF); 1547 sc->sg_crp = sglist_alloc(TX_SGL_SEGS, M_WAITOK); 1548 sc->sg_ulptx = sglist_alloc(TX_SGL_SEGS, M_WAITOK); 1549 sc->sg_dsgl = sglist_alloc(MAX_RX_PHYS_DSGL_SGE, M_WAITOK); 1550 sc->iv_aad_buf = malloc(MAX_AAD_LEN, M_CCR, M_WAITOK); 1551 sc->sg_iv_aad = sglist_build(sc->iv_aad_buf, MAX_AAD_LEN, M_WAITOK); 1552 ccr_sysctls(sc); 1553 1554 crypto_register(cid, CRYPTO_SHA1_HMAC, 0, 0); 1555 crypto_register(cid, CRYPTO_SHA2_256_HMAC, 0, 0); 1556 crypto_register(cid, CRYPTO_SHA2_384_HMAC, 0, 0); 1557 crypto_register(cid, CRYPTO_SHA2_512_HMAC, 0, 0); 1558 crypto_register(cid, CRYPTO_AES_CBC, 0, 0); 1559 crypto_register(cid, CRYPTO_AES_ICM, 0, 0); 1560 crypto_register(cid, CRYPTO_AES_NIST_GCM_16, 0, 0); 1561 crypto_register(cid, CRYPTO_AES_128_NIST_GMAC, 0, 0); 1562 crypto_register(cid, CRYPTO_AES_192_NIST_GMAC, 0, 0); 1563 crypto_register(cid, CRYPTO_AES_256_NIST_GMAC, 0, 0); 1564 crypto_register(cid, CRYPTO_AES_XTS, 0, 0); 1565 return (0); 1566 } 1567 1568 static int 1569 ccr_detach(device_t dev) 1570 { 1571 struct ccr_softc *sc; 1572 int i; 1573 1574 sc = device_get_softc(dev); 1575 1576 mtx_lock(&sc->lock); 1577 for (i = 0; i < sc->nsessions; i++) { 1578 if (sc->sessions[i].active || sc->sessions[i].pending != 0) { 1579 mtx_unlock(&sc->lock); 1580 return (EBUSY); 1581 } 1582 } 1583 sc->detaching = true; 1584 mtx_unlock(&sc->lock); 1585 1586 crypto_unregister_all(sc->cid); 1587 free(sc->sessions, M_CCR); 1588 mtx_destroy(&sc->lock); 1589 sglist_free(sc->sg_iv_aad); 1590 free(sc->iv_aad_buf, M_CCR); 1591 sglist_free(sc->sg_dsgl); 1592 sglist_free(sc->sg_ulptx); 1593 sglist_free(sc->sg_crp); 1594 sc->adapter->ccr_softc = NULL; 1595 return (0); 1596 } 1597 1598 static void 1599 ccr_copy_partial_hash(void *dst, int cri_alg, union authctx *auth_ctx) 1600 { 1601 uint32_t *u32; 1602 uint64_t *u64; 1603 u_int i; 1604 1605 u32 = (uint32_t *)dst; 1606 u64 = (uint64_t *)dst; 1607 switch (cri_alg) { 1608 case CRYPTO_SHA1_HMAC: 1609 for (i = 0; i < SHA1_HASH_LEN / 4; i++) 1610 u32[i] = htobe32(auth_ctx->sha1ctx.h.b32[i]); 1611 break; 1612 case CRYPTO_SHA2_256_HMAC: 1613 for (i = 0; i < SHA2_256_HASH_LEN / 4; i++) 1614 u32[i] = htobe32(auth_ctx->sha256ctx.state[i]); 1615 break; 1616 case CRYPTO_SHA2_384_HMAC: 1617 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++) 1618 u64[i] = htobe64(auth_ctx->sha384ctx.state[i]); 1619 break; 1620 case CRYPTO_SHA2_512_HMAC: 1621 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++) 1622 u64[i] = htobe64(auth_ctx->sha512ctx.state[i]); 1623 break; 1624 } 1625 } 1626 1627 static void 1628 ccr_init_hmac_digest(struct ccr_session *s, int cri_alg, char *key, 1629 int klen) 1630 { 1631 union authctx auth_ctx; 1632 struct auth_hash *axf; 1633 u_int i; 1634 1635 /* 1636 * If the key is larger than the block size, use the digest of 1637 * the key as the key instead. 1638 */ 1639 axf = s->hmac.auth_hash; 1640 klen /= 8; 1641 if (klen > axf->blocksize) { 1642 axf->Init(&auth_ctx); 1643 axf->Update(&auth_ctx, key, klen); 1644 axf->Final(s->hmac.ipad, &auth_ctx); 1645 klen = axf->hashsize; 1646 } else 1647 memcpy(s->hmac.ipad, key, klen); 1648 1649 memset(s->hmac.ipad + klen, 0, axf->blocksize); 1650 memcpy(s->hmac.opad, s->hmac.ipad, axf->blocksize); 1651 1652 for (i = 0; i < axf->blocksize; i++) { 1653 s->hmac.ipad[i] ^= HMAC_IPAD_VAL; 1654 s->hmac.opad[i] ^= HMAC_OPAD_VAL; 1655 } 1656 1657 /* 1658 * Hash the raw ipad and opad and store the partial result in 1659 * the same buffer. 1660 */ 1661 axf->Init(&auth_ctx); 1662 axf->Update(&auth_ctx, s->hmac.ipad, axf->blocksize); 1663 ccr_copy_partial_hash(s->hmac.ipad, cri_alg, &auth_ctx); 1664 1665 axf->Init(&auth_ctx); 1666 axf->Update(&auth_ctx, s->hmac.opad, axf->blocksize); 1667 ccr_copy_partial_hash(s->hmac.opad, cri_alg, &auth_ctx); 1668 } 1669 1670 /* 1671 * Borrowed from AES_GMAC_Setkey(). 1672 */ 1673 static void 1674 ccr_init_gmac_hash(struct ccr_session *s, char *key, int klen) 1675 { 1676 static char zeroes[GMAC_BLOCK_LEN]; 1677 uint32_t keysched[4 * (RIJNDAEL_MAXNR + 1)]; 1678 int rounds; 1679 1680 rounds = rijndaelKeySetupEnc(keysched, key, klen); 1681 rijndaelEncrypt(keysched, rounds, zeroes, s->gmac.ghash_h); 1682 } 1683 1684 static int 1685 ccr_aes_check_keylen(int alg, int klen) 1686 { 1687 1688 switch (klen) { 1689 case 128: 1690 case 192: 1691 if (alg == CRYPTO_AES_XTS) 1692 return (EINVAL); 1693 break; 1694 case 256: 1695 break; 1696 case 512: 1697 if (alg != CRYPTO_AES_XTS) 1698 return (EINVAL); 1699 break; 1700 default: 1701 return (EINVAL); 1702 } 1703 return (0); 1704 } 1705 1706 /* 1707 * Borrowed from cesa_prep_aes_key(). We should perhaps have a public 1708 * function to generate this instead. 1709 * 1710 * NB: The crypto engine wants the words in the decryption key in reverse 1711 * order. 1712 */ 1713 static void 1714 ccr_aes_getdeckey(void *dec_key, const void *enc_key, unsigned int kbits) 1715 { 1716 uint32_t ek[4 * (RIJNDAEL_MAXNR + 1)]; 1717 uint32_t *dkey; 1718 int i; 1719 1720 rijndaelKeySetupEnc(ek, enc_key, kbits); 1721 dkey = dec_key; 1722 dkey += (kbits / 8) / 4; 1723 1724 switch (kbits) { 1725 case 128: 1726 for (i = 0; i < 4; i++) 1727 *--dkey = htobe32(ek[4 * 10 + i]); 1728 break; 1729 case 192: 1730 for (i = 0; i < 2; i++) 1731 *--dkey = htobe32(ek[4 * 11 + 2 + i]); 1732 for (i = 0; i < 4; i++) 1733 *--dkey = htobe32(ek[4 * 12 + i]); 1734 break; 1735 case 256: 1736 for (i = 0; i < 4; i++) 1737 *--dkey = htobe32(ek[4 * 13 + i]); 1738 for (i = 0; i < 4; i++) 1739 *--dkey = htobe32(ek[4 * 14 + i]); 1740 break; 1741 } 1742 MPASS(dkey == dec_key); 1743 } 1744 1745 static void 1746 ccr_aes_setkey(struct ccr_session *s, int alg, const void *key, int klen) 1747 { 1748 unsigned int ck_size, iopad_size, kctx_flits, kctx_len, kbits, mk_size; 1749 unsigned int opad_present; 1750 1751 if (alg == CRYPTO_AES_XTS) 1752 kbits = klen / 2; 1753 else 1754 kbits = klen; 1755 switch (kbits) { 1756 case 128: 1757 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128; 1758 break; 1759 case 192: 1760 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192; 1761 break; 1762 case 256: 1763 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256; 1764 break; 1765 default: 1766 panic("should not get here"); 1767 } 1768 1769 s->blkcipher.key_len = klen / 8; 1770 memcpy(s->blkcipher.enckey, key, s->blkcipher.key_len); 1771 switch (alg) { 1772 case CRYPTO_AES_CBC: 1773 case CRYPTO_AES_XTS: 1774 ccr_aes_getdeckey(s->blkcipher.deckey, key, kbits); 1775 break; 1776 } 1777 1778 kctx_len = roundup2(s->blkcipher.key_len, 16); 1779 switch (s->mode) { 1780 case AUTHENC: 1781 mk_size = s->hmac.mk_size; 1782 opad_present = 1; 1783 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 1784 kctx_len += iopad_size * 2; 1785 break; 1786 case GCM: 1787 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 1788 opad_present = 0; 1789 kctx_len += GMAC_BLOCK_LEN; 1790 break; 1791 default: 1792 mk_size = CHCR_KEYCTX_NO_KEY; 1793 opad_present = 0; 1794 break; 1795 } 1796 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 1797 s->blkcipher.key_ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 1798 V_KEY_CONTEXT_DUAL_CK(alg == CRYPTO_AES_XTS) | 1799 V_KEY_CONTEXT_OPAD_PRESENT(opad_present) | 1800 V_KEY_CONTEXT_SALT_PRESENT(1) | V_KEY_CONTEXT_CK_SIZE(ck_size) | 1801 V_KEY_CONTEXT_MK_SIZE(mk_size) | V_KEY_CONTEXT_VALID(1)); 1802 } 1803 1804 static int 1805 ccr_newsession(device_t dev, uint32_t *sidp, struct cryptoini *cri) 1806 { 1807 struct ccr_softc *sc; 1808 struct ccr_session *s; 1809 struct auth_hash *auth_hash; 1810 struct cryptoini *c, *hash, *cipher; 1811 unsigned int auth_mode, cipher_mode, iv_len, mk_size; 1812 unsigned int partial_digest_len; 1813 int error, i, sess; 1814 bool gcm_hash; 1815 1816 if (sidp == NULL || cri == NULL) 1817 return (EINVAL); 1818 1819 gcm_hash = false; 1820 cipher = NULL; 1821 hash = NULL; 1822 auth_hash = NULL; 1823 auth_mode = CHCR_SCMD_AUTH_MODE_NOP; 1824 cipher_mode = CHCR_SCMD_CIPHER_MODE_NOP; 1825 iv_len = 0; 1826 mk_size = 0; 1827 partial_digest_len = 0; 1828 for (c = cri; c != NULL; c = c->cri_next) { 1829 switch (c->cri_alg) { 1830 case CRYPTO_SHA1_HMAC: 1831 case CRYPTO_SHA2_256_HMAC: 1832 case CRYPTO_SHA2_384_HMAC: 1833 case CRYPTO_SHA2_512_HMAC: 1834 case CRYPTO_AES_128_NIST_GMAC: 1835 case CRYPTO_AES_192_NIST_GMAC: 1836 case CRYPTO_AES_256_NIST_GMAC: 1837 if (hash) 1838 return (EINVAL); 1839 hash = c; 1840 switch (c->cri_alg) { 1841 case CRYPTO_SHA1_HMAC: 1842 auth_hash = &auth_hash_hmac_sha1; 1843 auth_mode = CHCR_SCMD_AUTH_MODE_SHA1; 1844 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_160; 1845 partial_digest_len = SHA1_HASH_LEN; 1846 break; 1847 case CRYPTO_SHA2_256_HMAC: 1848 auth_hash = &auth_hash_hmac_sha2_256; 1849 auth_mode = CHCR_SCMD_AUTH_MODE_SHA256; 1850 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 1851 partial_digest_len = SHA2_256_HASH_LEN; 1852 break; 1853 case CRYPTO_SHA2_384_HMAC: 1854 auth_hash = &auth_hash_hmac_sha2_384; 1855 auth_mode = CHCR_SCMD_AUTH_MODE_SHA512_384; 1856 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 1857 partial_digest_len = SHA2_512_HASH_LEN; 1858 break; 1859 case CRYPTO_SHA2_512_HMAC: 1860 auth_hash = &auth_hash_hmac_sha2_512; 1861 auth_mode = CHCR_SCMD_AUTH_MODE_SHA512_512; 1862 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 1863 partial_digest_len = SHA2_512_HASH_LEN; 1864 break; 1865 case CRYPTO_AES_128_NIST_GMAC: 1866 case CRYPTO_AES_192_NIST_GMAC: 1867 case CRYPTO_AES_256_NIST_GMAC: 1868 gcm_hash = true; 1869 auth_mode = CHCR_SCMD_AUTH_MODE_GHASH; 1870 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 1871 break; 1872 } 1873 break; 1874 case CRYPTO_AES_CBC: 1875 case CRYPTO_AES_ICM: 1876 case CRYPTO_AES_NIST_GCM_16: 1877 case CRYPTO_AES_XTS: 1878 if (cipher) 1879 return (EINVAL); 1880 cipher = c; 1881 switch (c->cri_alg) { 1882 case CRYPTO_AES_CBC: 1883 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_CBC; 1884 iv_len = AES_BLOCK_LEN; 1885 break; 1886 case CRYPTO_AES_ICM: 1887 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_CTR; 1888 iv_len = AES_BLOCK_LEN; 1889 break; 1890 case CRYPTO_AES_NIST_GCM_16: 1891 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_GCM; 1892 iv_len = AES_GCM_IV_LEN; 1893 break; 1894 case CRYPTO_AES_XTS: 1895 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_XTS; 1896 iv_len = AES_BLOCK_LEN; 1897 break; 1898 } 1899 if (c->cri_key != NULL) { 1900 error = ccr_aes_check_keylen(c->cri_alg, 1901 c->cri_klen); 1902 if (error) 1903 return (error); 1904 } 1905 break; 1906 default: 1907 return (EINVAL); 1908 } 1909 } 1910 if (gcm_hash != (cipher_mode == CHCR_SCMD_CIPHER_MODE_AES_GCM)) 1911 return (EINVAL); 1912 if (hash == NULL && cipher == NULL) 1913 return (EINVAL); 1914 if (hash != NULL && hash->cri_key == NULL) 1915 return (EINVAL); 1916 1917 sc = device_get_softc(dev); 1918 mtx_lock(&sc->lock); 1919 if (sc->detaching) { 1920 mtx_unlock(&sc->lock); 1921 return (ENXIO); 1922 } 1923 sess = -1; 1924 for (i = 0; i < sc->nsessions; i++) { 1925 if (!sc->sessions[i].active && sc->sessions[i].pending == 0) { 1926 sess = i; 1927 break; 1928 } 1929 } 1930 if (sess == -1) { 1931 s = malloc(sizeof(*s) * (sc->nsessions + 1), M_CCR, 1932 M_NOWAIT | M_ZERO); 1933 if (s == NULL) { 1934 mtx_unlock(&sc->lock); 1935 return (ENOMEM); 1936 } 1937 if (sc->sessions != NULL) 1938 memcpy(s, sc->sessions, sizeof(*s) * sc->nsessions); 1939 sess = sc->nsessions; 1940 free(sc->sessions, M_CCR); 1941 sc->sessions = s; 1942 sc->nsessions++; 1943 } 1944 1945 s = &sc->sessions[sess]; 1946 1947 if (gcm_hash) 1948 s->mode = GCM; 1949 else if (hash != NULL && cipher != NULL) 1950 s->mode = AUTHENC; 1951 else if (hash != NULL) 1952 s->mode = HMAC; 1953 else { 1954 MPASS(cipher != NULL); 1955 s->mode = BLKCIPHER; 1956 } 1957 if (gcm_hash) { 1958 if (hash->cri_mlen == 0) 1959 s->gmac.hash_len = AES_GMAC_HASH_LEN; 1960 else 1961 s->gmac.hash_len = hash->cri_mlen; 1962 ccr_init_gmac_hash(s, hash->cri_key, hash->cri_klen); 1963 } else if (hash != NULL) { 1964 s->hmac.auth_hash = auth_hash; 1965 s->hmac.auth_mode = auth_mode; 1966 s->hmac.mk_size = mk_size; 1967 s->hmac.partial_digest_len = partial_digest_len; 1968 if (hash->cri_mlen == 0) 1969 s->hmac.hash_len = auth_hash->hashsize; 1970 else 1971 s->hmac.hash_len = hash->cri_mlen; 1972 ccr_init_hmac_digest(s, hash->cri_alg, hash->cri_key, 1973 hash->cri_klen); 1974 } 1975 if (cipher != NULL) { 1976 s->blkcipher.cipher_mode = cipher_mode; 1977 s->blkcipher.iv_len = iv_len; 1978 if (cipher->cri_key != NULL) 1979 ccr_aes_setkey(s, cipher->cri_alg, cipher->cri_key, 1980 cipher->cri_klen); 1981 } 1982 1983 s->active = true; 1984 mtx_unlock(&sc->lock); 1985 1986 *sidp = sess; 1987 return (0); 1988 } 1989 1990 static int 1991 ccr_freesession(device_t dev, uint64_t tid) 1992 { 1993 struct ccr_softc *sc; 1994 uint32_t sid; 1995 int error; 1996 1997 sc = device_get_softc(dev); 1998 sid = CRYPTO_SESID2LID(tid); 1999 mtx_lock(&sc->lock); 2000 if (sid >= sc->nsessions || !sc->sessions[sid].active) 2001 error = EINVAL; 2002 else { 2003 if (sc->sessions[sid].pending != 0) 2004 device_printf(dev, 2005 "session %d freed with %d pending requests\n", sid, 2006 sc->sessions[sid].pending); 2007 sc->sessions[sid].active = false; 2008 error = 0; 2009 } 2010 mtx_unlock(&sc->lock); 2011 return (error); 2012 } 2013 2014 static int 2015 ccr_process(device_t dev, struct cryptop *crp, int hint) 2016 { 2017 struct ccr_softc *sc; 2018 struct ccr_session *s; 2019 struct cryptodesc *crd, *crda, *crde; 2020 uint32_t sid; 2021 int error; 2022 2023 if (crp == NULL) 2024 return (EINVAL); 2025 2026 crd = crp->crp_desc; 2027 sid = CRYPTO_SESID2LID(crp->crp_sid); 2028 sc = device_get_softc(dev); 2029 mtx_lock(&sc->lock); 2030 if (sid >= sc->nsessions || !sc->sessions[sid].active) { 2031 sc->stats_bad_session++; 2032 error = EINVAL; 2033 goto out; 2034 } 2035 2036 error = ccr_populate_sglist(sc->sg_crp, crp); 2037 if (error) { 2038 sc->stats_sglist_error++; 2039 goto out; 2040 } 2041 2042 s = &sc->sessions[sid]; 2043 switch (s->mode) { 2044 case HMAC: 2045 if (crd->crd_flags & CRD_F_KEY_EXPLICIT) 2046 ccr_init_hmac_digest(s, crd->crd_alg, crd->crd_key, 2047 crd->crd_klen); 2048 error = ccr_hmac(sc, sid, s, crp); 2049 if (error == 0) 2050 sc->stats_hmac++; 2051 break; 2052 case BLKCIPHER: 2053 if (crd->crd_flags & CRD_F_KEY_EXPLICIT) { 2054 error = ccr_aes_check_keylen(crd->crd_alg, 2055 crd->crd_klen); 2056 if (error) 2057 break; 2058 ccr_aes_setkey(s, crd->crd_alg, crd->crd_key, 2059 crd->crd_klen); 2060 } 2061 error = ccr_blkcipher(sc, sid, s, crp); 2062 if (error == 0) { 2063 if (crd->crd_flags & CRD_F_ENCRYPT) 2064 sc->stats_blkcipher_encrypt++; 2065 else 2066 sc->stats_blkcipher_decrypt++; 2067 } 2068 break; 2069 case AUTHENC: 2070 error = 0; 2071 switch (crd->crd_alg) { 2072 case CRYPTO_AES_CBC: 2073 case CRYPTO_AES_ICM: 2074 case CRYPTO_AES_XTS: 2075 /* Only encrypt-then-authenticate supported. */ 2076 crde = crd; 2077 crda = crd->crd_next; 2078 if (!(crde->crd_flags & CRD_F_ENCRYPT)) { 2079 error = EINVAL; 2080 break; 2081 } 2082 break; 2083 default: 2084 crda = crd; 2085 crde = crd->crd_next; 2086 if (crde->crd_flags & CRD_F_ENCRYPT) { 2087 error = EINVAL; 2088 break; 2089 } 2090 break; 2091 } 2092 if (error) 2093 break; 2094 if (crda->crd_flags & CRD_F_KEY_EXPLICIT) 2095 ccr_init_hmac_digest(s, crda->crd_alg, crda->crd_key, 2096 crda->crd_klen); 2097 if (crde->crd_flags & CRD_F_KEY_EXPLICIT) { 2098 error = ccr_aes_check_keylen(crde->crd_alg, 2099 crde->crd_klen); 2100 if (error) 2101 break; 2102 ccr_aes_setkey(s, crde->crd_alg, crde->crd_key, 2103 crde->crd_klen); 2104 } 2105 error = ccr_authenc(sc, sid, s, crp, crda, crde); 2106 if (error == 0) { 2107 if (crde->crd_flags & CRD_F_ENCRYPT) 2108 sc->stats_authenc_encrypt++; 2109 else 2110 sc->stats_authenc_decrypt++; 2111 } 2112 break; 2113 case GCM: 2114 error = 0; 2115 if (crd->crd_alg == CRYPTO_AES_NIST_GCM_16) { 2116 crde = crd; 2117 crda = crd->crd_next; 2118 } else { 2119 crda = crd; 2120 crde = crd->crd_next; 2121 } 2122 if (crda->crd_flags & CRD_F_KEY_EXPLICIT) 2123 ccr_init_gmac_hash(s, crda->crd_key, crda->crd_klen); 2124 if (crde->crd_flags & CRD_F_KEY_EXPLICIT) { 2125 error = ccr_aes_check_keylen(crde->crd_alg, 2126 crde->crd_klen); 2127 if (error) 2128 break; 2129 ccr_aes_setkey(s, crde->crd_alg, crde->crd_key, 2130 crde->crd_klen); 2131 } 2132 if (crde->crd_len == 0) { 2133 mtx_unlock(&sc->lock); 2134 ccr_gcm_soft(s, crp, crda, crde); 2135 return (0); 2136 } 2137 error = ccr_gcm(sc, sid, s, crp, crda, crde); 2138 if (error == 0) { 2139 if (crde->crd_flags & CRD_F_ENCRYPT) 2140 sc->stats_gcm_encrypt++; 2141 else 2142 sc->stats_gcm_decrypt++; 2143 } 2144 break; 2145 } 2146 2147 if (error == 0) { 2148 s->pending++; 2149 sc->stats_inflight++; 2150 } else 2151 sc->stats_process_error++; 2152 2153 out: 2154 mtx_unlock(&sc->lock); 2155 2156 if (error) { 2157 crp->crp_etype = error; 2158 crypto_done(crp); 2159 } 2160 2161 return (0); 2162 } 2163 2164 static int 2165 do_cpl6_fw_pld(struct sge_iq *iq, const struct rss_header *rss, 2166 struct mbuf *m) 2167 { 2168 struct ccr_softc *sc = iq->adapter->ccr_softc; 2169 struct ccr_session *s; 2170 const struct cpl_fw6_pld *cpl; 2171 struct cryptop *crp; 2172 uint32_t sid, status; 2173 int error; 2174 2175 if (m != NULL) 2176 cpl = mtod(m, const void *); 2177 else 2178 cpl = (const void *)(rss + 1); 2179 2180 crp = (struct cryptop *)(uintptr_t)be64toh(cpl->data[1]); 2181 sid = CRYPTO_SESID2LID(crp->crp_sid); 2182 status = be64toh(cpl->data[0]); 2183 if (CHK_MAC_ERR_BIT(status) || CHK_PAD_ERR_BIT(status)) 2184 error = EBADMSG; 2185 else 2186 error = 0; 2187 2188 mtx_lock(&sc->lock); 2189 MPASS(sid < sc->nsessions); 2190 s = &sc->sessions[sid]; 2191 s->pending--; 2192 sc->stats_inflight--; 2193 2194 switch (s->mode) { 2195 case HMAC: 2196 error = ccr_hmac_done(sc, s, crp, cpl, error); 2197 break; 2198 case BLKCIPHER: 2199 error = ccr_blkcipher_done(sc, s, crp, cpl, error); 2200 break; 2201 case AUTHENC: 2202 error = ccr_authenc_done(sc, s, crp, cpl, error); 2203 break; 2204 case GCM: 2205 error = ccr_gcm_done(sc, s, crp, cpl, error); 2206 break; 2207 } 2208 2209 if (error == EBADMSG) { 2210 if (CHK_MAC_ERR_BIT(status)) 2211 sc->stats_mac_error++; 2212 if (CHK_PAD_ERR_BIT(status)) 2213 sc->stats_pad_error++; 2214 } 2215 mtx_unlock(&sc->lock); 2216 crp->crp_etype = error; 2217 crypto_done(crp); 2218 m_freem(m); 2219 return (0); 2220 } 2221 2222 static int 2223 ccr_modevent(module_t mod, int cmd, void *arg) 2224 { 2225 2226 switch (cmd) { 2227 case MOD_LOAD: 2228 t4_register_cpl_handler(CPL_FW6_PLD, do_cpl6_fw_pld); 2229 return (0); 2230 case MOD_UNLOAD: 2231 t4_register_cpl_handler(CPL_FW6_PLD, NULL); 2232 return (0); 2233 default: 2234 return (EOPNOTSUPP); 2235 } 2236 } 2237 2238 static device_method_t ccr_methods[] = { 2239 DEVMETHOD(device_identify, ccr_identify), 2240 DEVMETHOD(device_probe, ccr_probe), 2241 DEVMETHOD(device_attach, ccr_attach), 2242 DEVMETHOD(device_detach, ccr_detach), 2243 2244 DEVMETHOD(cryptodev_newsession, ccr_newsession), 2245 DEVMETHOD(cryptodev_freesession, ccr_freesession), 2246 DEVMETHOD(cryptodev_process, ccr_process), 2247 2248 DEVMETHOD_END 2249 }; 2250 2251 static driver_t ccr_driver = { 2252 "ccr", 2253 ccr_methods, 2254 sizeof(struct ccr_softc) 2255 }; 2256 2257 static devclass_t ccr_devclass; 2258 2259 DRIVER_MODULE(ccr, t6nex, ccr_driver, ccr_devclass, ccr_modevent, NULL); 2260 MODULE_VERSION(ccr, 1); 2261 MODULE_DEPEND(ccr, crypto, 1, 1, 1); 2262 MODULE_DEPEND(ccr, t6nex, 1, 1, 1); 2263