1 /*- 2 * Copyright (c) 2017 Chelsio Communications, Inc. 3 * All rights reserved. 4 * Written by: John Baldwin <jhb@FreeBSD.org> 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/types.h> 32 #include <sys/bus.h> 33 #include <sys/lock.h> 34 #include <sys/malloc.h> 35 #include <sys/mutex.h> 36 #include <sys/module.h> 37 #include <sys/sglist.h> 38 39 #include <opencrypto/cryptodev.h> 40 #include <opencrypto/xform.h> 41 42 #include "cryptodev_if.h" 43 44 #include "common/common.h" 45 #include "crypto/t4_crypto.h" 46 47 /* 48 * Requests consist of: 49 * 50 * +-------------------------------+ 51 * | struct fw_crypto_lookaside_wr | 52 * +-------------------------------+ 53 * | struct ulp_txpkt | 54 * +-------------------------------+ 55 * | struct ulptx_idata | 56 * +-------------------------------+ 57 * | struct cpl_tx_sec_pdu | 58 * +-------------------------------+ 59 * | struct cpl_tls_tx_scmd_fmt | 60 * +-------------------------------+ 61 * | key context header | 62 * +-------------------------------+ 63 * | AES key | ----- For requests with AES 64 * +-------------------------------+ - 65 * | IPAD (16-byte aligned) | \ 66 * +-------------------------------+ +---- For requests with HMAC 67 * | OPAD (16-byte aligned) | / 68 * +-------------------------------+ - 69 * | GMAC H | ----- For AES-GCM 70 * +-------------------------------+ - 71 * | struct cpl_rx_phys_dsgl | \ 72 * +-------------------------------+ +---- Destination buffer for 73 * | PHYS_DSGL entries | / non-hash-only requests 74 * +-------------------------------+ - 75 * | 16 dummy bytes | ----- Only for hash-only requests 76 * +-------------------------------+ 77 * | IV | ----- If immediate IV 78 * +-------------------------------+ 79 * | Payload | ----- If immediate Payload 80 * +-------------------------------+ - 81 * | struct ulptx_sgl | \ 82 * +-------------------------------+ +---- If payload via SGL 83 * | SGL entries | / 84 * +-------------------------------+ - 85 * 86 * Note that the key context must be padded to ensure 16-byte alignment. 87 * For HMAC requests, the key consists of the partial hash of the IPAD 88 * followed by the partial hash of the OPAD. 89 * 90 * Replies consist of: 91 * 92 * +-------------------------------+ 93 * | struct cpl_fw6_pld | 94 * +-------------------------------+ 95 * | hash digest | ----- For HMAC request with 96 * +-------------------------------+ 'hash_size' set in work request 97 * 98 * A 32-bit big-endian error status word is supplied in the last 4 99 * bytes of data[0] in the CPL_FW6_PLD message. bit 0 indicates a 100 * "MAC" error and bit 1 indicates a "PAD" error. 101 * 102 * The 64-bit 'cookie' field from the fw_crypto_lookaside_wr message 103 * in the request is returned in data[1] of the CPL_FW6_PLD message. 104 * 105 * For block cipher replies, the updated IV is supplied in data[2] and 106 * data[3] of the CPL_FW6_PLD message. 107 * 108 * For hash replies where the work request set 'hash_size' to request 109 * a copy of the hash in the reply, the hash digest is supplied 110 * immediately following the CPL_FW6_PLD message. 111 */ 112 113 /* 114 * The crypto engine supports a maximum AAD size of 511 bytes. 115 */ 116 #define MAX_AAD_LEN 511 117 118 /* 119 * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32 SG 120 * entries. While the CPL includes a 16-bit length field, the T6 can 121 * sometimes hang if an error occurs while processing a request with a 122 * single DSGL entry larger than 2k. 123 */ 124 #define MAX_RX_PHYS_DSGL_SGE 32 125 #define DSGL_SGE_MAXLEN 2048 126 127 /* 128 * The adapter only supports requests with a total input or output 129 * length of 64k-1 or smaller. Longer requests either result in hung 130 * requests or incorrect results. 131 */ 132 #define MAX_REQUEST_SIZE 65535 133 134 static MALLOC_DEFINE(M_CCR, "ccr", "Chelsio T6 crypto"); 135 136 struct ccr_session_hmac { 137 struct auth_hash *auth_hash; 138 int hash_len; 139 unsigned int partial_digest_len; 140 unsigned int auth_mode; 141 unsigned int mk_size; 142 char ipad[CHCR_HASH_MAX_BLOCK_SIZE_128]; 143 char opad[CHCR_HASH_MAX_BLOCK_SIZE_128]; 144 }; 145 146 struct ccr_session_gmac { 147 int hash_len; 148 char ghash_h[GMAC_BLOCK_LEN]; 149 }; 150 151 struct ccr_session_blkcipher { 152 unsigned int cipher_mode; 153 unsigned int key_len; 154 unsigned int iv_len; 155 __be32 key_ctx_hdr; 156 char enckey[CHCR_AES_MAX_KEY_LEN]; 157 char deckey[CHCR_AES_MAX_KEY_LEN]; 158 }; 159 160 struct ccr_session { 161 bool active; 162 int pending; 163 enum { HMAC, BLKCIPHER, AUTHENC, GCM } mode; 164 union { 165 struct ccr_session_hmac hmac; 166 struct ccr_session_gmac gmac; 167 }; 168 struct ccr_session_blkcipher blkcipher; 169 }; 170 171 struct ccr_softc { 172 struct adapter *adapter; 173 device_t dev; 174 uint32_t cid; 175 int tx_channel_id; 176 struct ccr_session *sessions; 177 int nsessions; 178 struct mtx lock; 179 bool detaching; 180 struct sge_wrq *txq; 181 struct sge_rxq *rxq; 182 183 /* 184 * Pre-allocate S/G lists used when preparing a work request. 185 * 'sg_crp' contains an sglist describing the entire buffer 186 * for a 'struct cryptop'. 'sg_ulptx' is used to describe 187 * the data the engine should DMA as input via ULPTX_SGL. 188 * 'sg_dsgl' is used to describe the destination that cipher 189 * text and a tag should be written to. 190 */ 191 struct sglist *sg_crp; 192 struct sglist *sg_ulptx; 193 struct sglist *sg_dsgl; 194 195 /* 196 * Pre-allocate a dummy output buffer for the IV and AAD for 197 * AEAD requests. 198 */ 199 char *iv_aad_buf; 200 struct sglist *sg_iv_aad; 201 202 /* Statistics. */ 203 uint64_t stats_blkcipher_encrypt; 204 uint64_t stats_blkcipher_decrypt; 205 uint64_t stats_hmac; 206 uint64_t stats_authenc_encrypt; 207 uint64_t stats_authenc_decrypt; 208 uint64_t stats_gcm_encrypt; 209 uint64_t stats_gcm_decrypt; 210 uint64_t stats_wr_nomem; 211 uint64_t stats_inflight; 212 uint64_t stats_mac_error; 213 uint64_t stats_pad_error; 214 uint64_t stats_bad_session; 215 uint64_t stats_sglist_error; 216 uint64_t stats_process_error; 217 uint64_t stats_sw_fallback; 218 }; 219 220 /* 221 * Crypto requests involve two kind of scatter/gather lists. 222 * 223 * Non-hash-only requests require a PHYS_DSGL that describes the 224 * location to store the results of the encryption or decryption 225 * operation. This SGL uses a different format (PHYS_DSGL) and should 226 * exclude the crd_skip bytes at the start of the data as well as 227 * any AAD or IV. For authenticated encryption requests it should 228 * cover include the destination of the hash or tag. 229 * 230 * The input payload may either be supplied inline as immediate data, 231 * or via a standard ULP_TX SGL. This SGL should include AAD, 232 * ciphertext, and the hash or tag for authenticated decryption 233 * requests. 234 * 235 * These scatter/gather lists can describe different subsets of the 236 * buffer described by the crypto operation. ccr_populate_sglist() 237 * generates a scatter/gather list that covers the entire crypto 238 * operation buffer that is then used to construct the other 239 * scatter/gather lists. 240 */ 241 static int 242 ccr_populate_sglist(struct sglist *sg, struct cryptop *crp) 243 { 244 int error; 245 246 sglist_reset(sg); 247 if (crp->crp_flags & CRYPTO_F_IMBUF) 248 error = sglist_append_mbuf(sg, (struct mbuf *)crp->crp_buf); 249 else if (crp->crp_flags & CRYPTO_F_IOV) 250 error = sglist_append_uio(sg, (struct uio *)crp->crp_buf); 251 else 252 error = sglist_append(sg, crp->crp_buf, crp->crp_ilen); 253 return (error); 254 } 255 256 /* 257 * Segments in 'sg' larger than 'maxsegsize' are counted as multiple 258 * segments. 259 */ 260 static int 261 ccr_count_sgl(struct sglist *sg, int maxsegsize) 262 { 263 int i, nsegs; 264 265 nsegs = 0; 266 for (i = 0; i < sg->sg_nseg; i++) 267 nsegs += howmany(sg->sg_segs[i].ss_len, maxsegsize); 268 return (nsegs); 269 } 270 271 /* These functions deal with PHYS_DSGL for the reply buffer. */ 272 static inline int 273 ccr_phys_dsgl_len(int nsegs) 274 { 275 int len; 276 277 len = (nsegs / 8) * sizeof(struct phys_sge_pairs); 278 if ((nsegs % 8) != 0) { 279 len += sizeof(uint16_t) * 8; 280 len += roundup2(nsegs % 8, 2) * sizeof(uint64_t); 281 } 282 return (len); 283 } 284 285 static void 286 ccr_write_phys_dsgl(struct ccr_softc *sc, void *dst, int nsegs) 287 { 288 struct sglist *sg; 289 struct cpl_rx_phys_dsgl *cpl; 290 struct phys_sge_pairs *sgl; 291 vm_paddr_t paddr; 292 size_t seglen; 293 u_int i, j; 294 295 sg = sc->sg_dsgl; 296 cpl = dst; 297 cpl->op_to_tid = htobe32(V_CPL_RX_PHYS_DSGL_OPCODE(CPL_RX_PHYS_DSGL) | 298 V_CPL_RX_PHYS_DSGL_ISRDMA(0)); 299 cpl->pcirlxorder_to_noofsgentr = htobe32( 300 V_CPL_RX_PHYS_DSGL_PCIRLXORDER(0) | 301 V_CPL_RX_PHYS_DSGL_PCINOSNOOP(0) | 302 V_CPL_RX_PHYS_DSGL_PCITPHNTENB(0) | V_CPL_RX_PHYS_DSGL_DCAID(0) | 303 V_CPL_RX_PHYS_DSGL_NOOFSGENTR(nsegs)); 304 cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR; 305 cpl->rss_hdr_int.qid = htobe16(sc->rxq->iq.abs_id); 306 cpl->rss_hdr_int.hash_val = 0; 307 sgl = (struct phys_sge_pairs *)(cpl + 1); 308 j = 0; 309 for (i = 0; i < sg->sg_nseg; i++) { 310 seglen = sg->sg_segs[i].ss_len; 311 paddr = sg->sg_segs[i].ss_paddr; 312 do { 313 sgl->addr[j] = htobe64(paddr); 314 if (seglen > DSGL_SGE_MAXLEN) { 315 sgl->len[j] = htobe16(DSGL_SGE_MAXLEN); 316 paddr += DSGL_SGE_MAXLEN; 317 seglen -= DSGL_SGE_MAXLEN; 318 } else { 319 sgl->len[j] = htobe16(seglen); 320 seglen = 0; 321 } 322 j++; 323 if (j == 8) { 324 sgl++; 325 j = 0; 326 } 327 } while (seglen != 0); 328 } 329 MPASS(j + 8 * (sgl - (struct phys_sge_pairs *)(cpl + 1)) == nsegs); 330 } 331 332 /* These functions deal with the ULPTX_SGL for input payload. */ 333 static inline int 334 ccr_ulptx_sgl_len(int nsegs) 335 { 336 u_int n; 337 338 nsegs--; /* first segment is part of ulptx_sgl */ 339 n = sizeof(struct ulptx_sgl) + 8 * ((3 * nsegs) / 2 + (nsegs & 1)); 340 return (roundup2(n, 16)); 341 } 342 343 static void 344 ccr_write_ulptx_sgl(struct ccr_softc *sc, void *dst, int nsegs) 345 { 346 struct ulptx_sgl *usgl; 347 struct sglist *sg; 348 struct sglist_seg *ss; 349 int i; 350 351 sg = sc->sg_ulptx; 352 MPASS(nsegs == sg->sg_nseg); 353 ss = &sg->sg_segs[0]; 354 usgl = dst; 355 usgl->cmd_nsge = htobe32(V_ULPTX_CMD(ULP_TX_SC_DSGL) | 356 V_ULPTX_NSGE(nsegs)); 357 usgl->len0 = htobe32(ss->ss_len); 358 usgl->addr0 = htobe64(ss->ss_paddr); 359 ss++; 360 for (i = 0; i < sg->sg_nseg - 1; i++) { 361 usgl->sge[i / 2].len[i & 1] = htobe32(ss->ss_len); 362 usgl->sge[i / 2].addr[i & 1] = htobe64(ss->ss_paddr); 363 ss++; 364 } 365 366 } 367 368 static bool 369 ccr_use_imm_data(u_int transhdr_len, u_int input_len) 370 { 371 372 if (input_len > CRYPTO_MAX_IMM_TX_PKT_LEN) 373 return (false); 374 if (roundup2(transhdr_len, 16) + roundup2(input_len, 16) > 375 SGE_MAX_WR_LEN) 376 return (false); 377 return (true); 378 } 379 380 static void 381 ccr_populate_wreq(struct ccr_softc *sc, struct chcr_wr *crwr, u_int kctx_len, 382 u_int wr_len, uint32_t sid, u_int imm_len, u_int sgl_len, u_int hash_size, 383 struct cryptop *crp) 384 { 385 u_int cctx_size; 386 387 cctx_size = sizeof(struct _key_ctx) + kctx_len; 388 crwr->wreq.op_to_cctx_size = htobe32( 389 V_FW_CRYPTO_LOOKASIDE_WR_OPCODE(FW_CRYPTO_LOOKASIDE_WR) | 390 V_FW_CRYPTO_LOOKASIDE_WR_COMPL(0) | 391 V_FW_CRYPTO_LOOKASIDE_WR_IMM_LEN(imm_len) | 392 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_LOC(1) | 393 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_SIZE(cctx_size >> 4)); 394 crwr->wreq.len16_pkd = htobe32( 395 V_FW_CRYPTO_LOOKASIDE_WR_LEN16(wr_len / 16)); 396 crwr->wreq.session_id = htobe32(sid); 397 crwr->wreq.rx_chid_to_rx_q_id = htobe32( 398 V_FW_CRYPTO_LOOKASIDE_WR_RX_CHID(sc->tx_channel_id) | 399 V_FW_CRYPTO_LOOKASIDE_WR_LCB(0) | 400 V_FW_CRYPTO_LOOKASIDE_WR_PHASH(0) | 401 V_FW_CRYPTO_LOOKASIDE_WR_IV(IV_NOP) | 402 V_FW_CRYPTO_LOOKASIDE_WR_FQIDX(0) | 403 V_FW_CRYPTO_LOOKASIDE_WR_TX_CH(0) | 404 V_FW_CRYPTO_LOOKASIDE_WR_RX_Q_ID(sc->rxq->iq.abs_id)); 405 crwr->wreq.key_addr = 0; 406 crwr->wreq.pld_size_hash_size = htobe32( 407 V_FW_CRYPTO_LOOKASIDE_WR_PLD_SIZE(sgl_len) | 408 V_FW_CRYPTO_LOOKASIDE_WR_HASH_SIZE(hash_size)); 409 crwr->wreq.cookie = htobe64((uintptr_t)crp); 410 411 crwr->ulptx.cmd_dest = htobe32(V_ULPTX_CMD(ULP_TX_PKT) | 412 V_ULP_TXPKT_DATAMODIFY(0) | 413 V_ULP_TXPKT_CHANNELID(sc->tx_channel_id) | V_ULP_TXPKT_DEST(0) | 414 V_ULP_TXPKT_FID(0) | V_ULP_TXPKT_RO(1)); 415 crwr->ulptx.len = htobe32( 416 ((wr_len - sizeof(struct fw_crypto_lookaside_wr)) / 16)); 417 418 crwr->sc_imm.cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_IMM) | 419 V_ULP_TX_SC_MORE(imm_len != 0 ? 0 : 1)); 420 crwr->sc_imm.len = htobe32(wr_len - offsetof(struct chcr_wr, sec_cpl) - 421 sgl_len); 422 } 423 424 static int 425 ccr_hmac(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s, 426 struct cryptop *crp) 427 { 428 struct chcr_wr *crwr; 429 struct wrqe *wr; 430 struct auth_hash *axf; 431 struct cryptodesc *crd; 432 char *dst; 433 u_int hash_size_in_response, kctx_flits, kctx_len, transhdr_len, wr_len; 434 u_int imm_len, iopad_size; 435 int error, sgl_nsegs, sgl_len; 436 437 crd = crp->crp_desc; 438 439 /* Reject requests with too large of an input buffer. */ 440 if (crd->crd_len > MAX_REQUEST_SIZE) 441 return (EFBIG); 442 443 axf = s->hmac.auth_hash; 444 445 /* PADs must be 128-bit aligned. */ 446 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 447 448 /* 449 * The 'key' part of the context includes the aligned IPAD and 450 * OPAD. 451 */ 452 kctx_len = iopad_size * 2; 453 hash_size_in_response = axf->hashsize; 454 transhdr_len = HASH_TRANSHDR_SIZE(kctx_len); 455 456 if (crd->crd_len == 0) { 457 imm_len = axf->blocksize; 458 sgl_nsegs = 0; 459 sgl_len = 0; 460 } else if (ccr_use_imm_data(transhdr_len, crd->crd_len)) { 461 imm_len = crd->crd_len; 462 sgl_nsegs = 0; 463 sgl_len = 0; 464 } else { 465 imm_len = 0; 466 sglist_reset(sc->sg_ulptx); 467 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 468 crd->crd_skip, crd->crd_len); 469 if (error) 470 return (error); 471 sgl_nsegs = sc->sg_ulptx->sg_nseg; 472 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 473 } 474 475 wr_len = roundup2(transhdr_len, 16) + roundup2(imm_len, 16) + sgl_len; 476 if (wr_len > SGE_MAX_WR_LEN) 477 return (EFBIG); 478 wr = alloc_wrqe(wr_len, sc->txq); 479 if (wr == NULL) { 480 sc->stats_wr_nomem++; 481 return (ENOMEM); 482 } 483 crwr = wrtod(wr); 484 memset(crwr, 0, wr_len); 485 486 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 487 hash_size_in_response, crp); 488 489 /* XXX: Hardcodes SGE loopback channel of 0. */ 490 crwr->sec_cpl.op_ivinsrtofst = htobe32( 491 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 492 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 493 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 494 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 495 V_CPL_TX_SEC_PDU_IVINSRTOFST(0)); 496 497 crwr->sec_cpl.pldlen = htobe32(crd->crd_len == 0 ? axf->blocksize : 498 crd->crd_len); 499 500 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 501 V_CPL_TX_SEC_PDU_AUTHSTART(1) | V_CPL_TX_SEC_PDU_AUTHSTOP(0)); 502 503 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 504 crwr->sec_cpl.seqno_numivs = htobe32( 505 V_SCMD_SEQ_NO_CTRL(0) | 506 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) | 507 V_SCMD_CIPH_MODE(CHCR_SCMD_CIPHER_MODE_NOP) | 508 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 509 V_SCMD_HMAC_CTRL(CHCR_SCMD_HMAC_CTRL_NO_TRUNC)); 510 crwr->sec_cpl.ivgen_hdrlen = htobe32( 511 V_SCMD_LAST_FRAG(0) | 512 V_SCMD_MORE_FRAGS(crd->crd_len == 0 ? 1 : 0) | V_SCMD_MAC_ONLY(1)); 513 514 memcpy(crwr->key_ctx.key, s->hmac.ipad, s->hmac.partial_digest_len); 515 memcpy(crwr->key_ctx.key + iopad_size, s->hmac.opad, 516 s->hmac.partial_digest_len); 517 518 /* XXX: F_KEY_CONTEXT_SALT_PRESENT set, but 'salt' not set. */ 519 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 520 crwr->key_ctx.ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 521 V_KEY_CONTEXT_OPAD_PRESENT(1) | V_KEY_CONTEXT_SALT_PRESENT(1) | 522 V_KEY_CONTEXT_CK_SIZE(CHCR_KEYCTX_NO_KEY) | 523 V_KEY_CONTEXT_MK_SIZE(s->hmac.mk_size) | V_KEY_CONTEXT_VALID(1)); 524 525 dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES; 526 if (crd->crd_len == 0) { 527 dst[0] = 0x80; 528 *(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) = 529 htobe64(axf->blocksize << 3); 530 } else if (imm_len != 0) 531 crypto_copydata(crp->crp_flags, crp->crp_buf, crd->crd_skip, 532 crd->crd_len, dst); 533 else 534 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 535 536 /* XXX: TODO backpressure */ 537 t4_wrq_tx(sc->adapter, wr); 538 539 return (0); 540 } 541 542 static int 543 ccr_hmac_done(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp, 544 const struct cpl_fw6_pld *cpl, int error) 545 { 546 struct cryptodesc *crd; 547 548 crd = crp->crp_desc; 549 if (error == 0) { 550 crypto_copyback(crp->crp_flags, crp->crp_buf, crd->crd_inject, 551 s->hmac.hash_len, (c_caddr_t)(cpl + 1)); 552 } 553 554 return (error); 555 } 556 557 static int 558 ccr_blkcipher(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s, 559 struct cryptop *crp) 560 { 561 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 562 struct chcr_wr *crwr; 563 struct wrqe *wr; 564 struct cryptodesc *crd; 565 char *dst; 566 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 567 u_int imm_len; 568 int dsgl_nsegs, dsgl_len; 569 int sgl_nsegs, sgl_len; 570 int error; 571 572 crd = crp->crp_desc; 573 574 if (s->blkcipher.key_len == 0 || crd->crd_len == 0) 575 return (EINVAL); 576 if (crd->crd_alg == CRYPTO_AES_CBC && 577 (crd->crd_len % AES_BLOCK_LEN) != 0) 578 return (EINVAL); 579 580 /* Reject requests with too large of an input buffer. */ 581 if (crd->crd_len > MAX_REQUEST_SIZE) 582 return (EFBIG); 583 584 if (crd->crd_flags & CRD_F_ENCRYPT) 585 op_type = CHCR_ENCRYPT_OP; 586 else 587 op_type = CHCR_DECRYPT_OP; 588 589 sglist_reset(sc->sg_dsgl); 590 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crd->crd_skip, 591 crd->crd_len); 592 if (error) 593 return (error); 594 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 595 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 596 return (EFBIG); 597 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 598 599 /* The 'key' must be 128-bit aligned. */ 600 kctx_len = roundup2(s->blkcipher.key_len, 16); 601 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 602 603 if (ccr_use_imm_data(transhdr_len, crd->crd_len + 604 s->blkcipher.iv_len)) { 605 imm_len = crd->crd_len; 606 sgl_nsegs = 0; 607 sgl_len = 0; 608 } else { 609 imm_len = 0; 610 sglist_reset(sc->sg_ulptx); 611 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 612 crd->crd_skip, crd->crd_len); 613 if (error) 614 return (error); 615 sgl_nsegs = sc->sg_ulptx->sg_nseg; 616 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 617 } 618 619 wr_len = roundup2(transhdr_len, 16) + s->blkcipher.iv_len + 620 roundup2(imm_len, 16) + sgl_len; 621 if (wr_len > SGE_MAX_WR_LEN) 622 return (EFBIG); 623 wr = alloc_wrqe(wr_len, sc->txq); 624 if (wr == NULL) { 625 sc->stats_wr_nomem++; 626 return (ENOMEM); 627 } 628 crwr = wrtod(wr); 629 memset(crwr, 0, wr_len); 630 631 /* 632 * Read the existing IV from the request or generate a random 633 * one if none is provided. Optionally copy the generated IV 634 * into the output buffer if requested. 635 */ 636 if (op_type == CHCR_ENCRYPT_OP) { 637 if (crd->crd_flags & CRD_F_IV_EXPLICIT) 638 memcpy(iv, crd->crd_iv, s->blkcipher.iv_len); 639 else 640 arc4rand(iv, s->blkcipher.iv_len, 0); 641 if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0) 642 crypto_copyback(crp->crp_flags, crp->crp_buf, 643 crd->crd_inject, s->blkcipher.iv_len, iv); 644 } else { 645 if (crd->crd_flags & CRD_F_IV_EXPLICIT) 646 memcpy(iv, crd->crd_iv, s->blkcipher.iv_len); 647 else 648 crypto_copydata(crp->crp_flags, crp->crp_buf, 649 crd->crd_inject, s->blkcipher.iv_len, iv); 650 } 651 652 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 0, 653 crp); 654 655 /* XXX: Hardcodes SGE loopback channel of 0. */ 656 crwr->sec_cpl.op_ivinsrtofst = htobe32( 657 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 658 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 659 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 660 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 661 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 662 663 crwr->sec_cpl.pldlen = htobe32(s->blkcipher.iv_len + crd->crd_len); 664 665 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 666 V_CPL_TX_SEC_PDU_CIPHERSTART(s->blkcipher.iv_len + 1) | 667 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 668 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 669 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0)); 670 671 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 672 crwr->sec_cpl.seqno_numivs = htobe32( 673 V_SCMD_SEQ_NO_CTRL(0) | 674 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) | 675 V_SCMD_ENC_DEC_CTRL(op_type) | 676 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) | 677 V_SCMD_AUTH_MODE(CHCR_SCMD_AUTH_MODE_NOP) | 678 V_SCMD_HMAC_CTRL(CHCR_SCMD_HMAC_CTRL_NOP) | 679 V_SCMD_IV_SIZE(s->blkcipher.iv_len / 2) | 680 V_SCMD_NUM_IVS(0)); 681 crwr->sec_cpl.ivgen_hdrlen = htobe32( 682 V_SCMD_IV_GEN_CTRL(0) | 683 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 684 V_SCMD_AADIVDROP(1) | V_SCMD_HDR_LEN(dsgl_len)); 685 686 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 687 switch (crd->crd_alg) { 688 case CRYPTO_AES_CBC: 689 if (crd->crd_flags & CRD_F_ENCRYPT) 690 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 691 s->blkcipher.key_len); 692 else 693 memcpy(crwr->key_ctx.key, s->blkcipher.deckey, 694 s->blkcipher.key_len); 695 break; 696 case CRYPTO_AES_ICM: 697 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 698 s->blkcipher.key_len); 699 break; 700 case CRYPTO_AES_XTS: 701 key_half = s->blkcipher.key_len / 2; 702 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half, 703 key_half); 704 if (crd->crd_flags & CRD_F_ENCRYPT) 705 memcpy(crwr->key_ctx.key + key_half, 706 s->blkcipher.enckey, key_half); 707 else 708 memcpy(crwr->key_ctx.key + key_half, 709 s->blkcipher.deckey, key_half); 710 break; 711 } 712 713 dst = (char *)(crwr + 1) + kctx_len; 714 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 715 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 716 memcpy(dst, iv, s->blkcipher.iv_len); 717 dst += s->blkcipher.iv_len; 718 if (imm_len != 0) 719 crypto_copydata(crp->crp_flags, crp->crp_buf, crd->crd_skip, 720 crd->crd_len, dst); 721 else 722 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 723 724 /* XXX: TODO backpressure */ 725 t4_wrq_tx(sc->adapter, wr); 726 727 return (0); 728 } 729 730 static int 731 ccr_blkcipher_done(struct ccr_softc *sc, struct ccr_session *s, 732 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 733 { 734 735 /* 736 * The updated IV to permit chained requests is at 737 * cpl->data[2], but OCF doesn't permit chained requests. 738 */ 739 return (error); 740 } 741 742 /* 743 * 'hashsize' is the length of a full digest. 'authsize' is the 744 * requested digest length for this operation which may be less 745 * than 'hashsize'. 746 */ 747 static int 748 ccr_hmac_ctrl(unsigned int hashsize, unsigned int authsize) 749 { 750 751 if (authsize == 10) 752 return (CHCR_SCMD_HMAC_CTRL_TRUNC_RFC4366); 753 if (authsize == 12) 754 return (CHCR_SCMD_HMAC_CTRL_IPSEC_96BIT); 755 if (authsize == hashsize / 2) 756 return (CHCR_SCMD_HMAC_CTRL_DIV2); 757 return (CHCR_SCMD_HMAC_CTRL_NO_TRUNC); 758 } 759 760 static int 761 ccr_authenc(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s, 762 struct cryptop *crp, struct cryptodesc *crda, struct cryptodesc *crde) 763 { 764 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 765 struct chcr_wr *crwr; 766 struct wrqe *wr; 767 struct auth_hash *axf; 768 char *dst; 769 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 770 u_int hash_size_in_response, imm_len, iopad_size; 771 u_int aad_start, aad_len, aad_stop; 772 u_int auth_start, auth_stop, auth_insert; 773 u_int cipher_start, cipher_stop; 774 u_int hmac_ctrl, input_len; 775 int dsgl_nsegs, dsgl_len; 776 int sgl_nsegs, sgl_len; 777 int error; 778 779 /* 780 * If there is a need in the future, requests with an empty 781 * payload could be supported as HMAC-only requests. 782 */ 783 if (s->blkcipher.key_len == 0 || crde->crd_len == 0) 784 return (EINVAL); 785 if (crde->crd_alg == CRYPTO_AES_CBC && 786 (crde->crd_len % AES_BLOCK_LEN) != 0) 787 return (EINVAL); 788 789 /* 790 * Compute the length of the AAD (data covered by the 791 * authentication descriptor but not the encryption 792 * descriptor). To simplify the logic, AAD is only permitted 793 * before the cipher/plain text, not after. This is true of 794 * all currently-generated requests. 795 */ 796 if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip) 797 return (EINVAL); 798 if (crda->crd_skip < crde->crd_skip) { 799 if (crda->crd_skip + crda->crd_len > crde->crd_skip) 800 aad_len = (crde->crd_skip - crda->crd_skip); 801 else 802 aad_len = crda->crd_len; 803 } else 804 aad_len = 0; 805 if (aad_len + s->blkcipher.iv_len > MAX_AAD_LEN) 806 return (EINVAL); 807 808 axf = s->hmac.auth_hash; 809 hash_size_in_response = s->hmac.hash_len; 810 if (crde->crd_flags & CRD_F_ENCRYPT) 811 op_type = CHCR_ENCRYPT_OP; 812 else 813 op_type = CHCR_DECRYPT_OP; 814 815 /* 816 * The output buffer consists of the cipher text followed by 817 * the hash when encrypting. For decryption it only contains 818 * the plain text. 819 * 820 * Due to a firmware bug, the output buffer must include a 821 * dummy output buffer for the IV and AAD prior to the real 822 * output buffer. 823 */ 824 if (op_type == CHCR_ENCRYPT_OP) { 825 if (s->blkcipher.iv_len + aad_len + crde->crd_len + 826 hash_size_in_response > MAX_REQUEST_SIZE) 827 return (EFBIG); 828 } else { 829 if (s->blkcipher.iv_len + aad_len + crde->crd_len > 830 MAX_REQUEST_SIZE) 831 return (EFBIG); 832 } 833 sglist_reset(sc->sg_dsgl); 834 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, 835 s->blkcipher.iv_len + aad_len); 836 if (error) 837 return (error); 838 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crde->crd_skip, 839 crde->crd_len); 840 if (error) 841 return (error); 842 if (op_type == CHCR_ENCRYPT_OP) { 843 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 844 crda->crd_inject, hash_size_in_response); 845 if (error) 846 return (error); 847 } 848 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 849 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 850 return (EFBIG); 851 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 852 853 /* PADs must be 128-bit aligned. */ 854 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 855 856 /* 857 * The 'key' part of the key context consists of the key followed 858 * by the IPAD and OPAD. 859 */ 860 kctx_len = roundup2(s->blkcipher.key_len, 16) + iopad_size * 2; 861 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 862 863 /* 864 * The input buffer consists of the IV, any AAD, and then the 865 * cipher/plain text. For decryption requests the hash is 866 * appended after the cipher text. 867 * 868 * The IV is always stored at the start of the input buffer 869 * even though it may be duplicated in the payload. The 870 * crypto engine doesn't work properly if the IV offset points 871 * inside of the AAD region, so a second copy is always 872 * required. 873 */ 874 input_len = aad_len + crde->crd_len; 875 876 /* 877 * The firmware hangs if sent a request which is a 878 * bit smaller than MAX_REQUEST_SIZE. In particular, the 879 * firmware appears to require 512 - 16 bytes of spare room 880 * along with the size of the hash even if the hash isn't 881 * included in the input buffer. 882 */ 883 if (input_len + roundup2(axf->hashsize, 16) + (512 - 16) > 884 MAX_REQUEST_SIZE) 885 return (EFBIG); 886 if (op_type == CHCR_DECRYPT_OP) 887 input_len += hash_size_in_response; 888 if (ccr_use_imm_data(transhdr_len, s->blkcipher.iv_len + input_len)) { 889 imm_len = input_len; 890 sgl_nsegs = 0; 891 sgl_len = 0; 892 } else { 893 imm_len = 0; 894 sglist_reset(sc->sg_ulptx); 895 if (aad_len != 0) { 896 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 897 crda->crd_skip, aad_len); 898 if (error) 899 return (error); 900 } 901 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 902 crde->crd_skip, crde->crd_len); 903 if (error) 904 return (error); 905 if (op_type == CHCR_DECRYPT_OP) { 906 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 907 crda->crd_inject, hash_size_in_response); 908 if (error) 909 return (error); 910 } 911 sgl_nsegs = sc->sg_ulptx->sg_nseg; 912 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 913 } 914 915 /* 916 * Any auth-only data before the cipher region is marked as AAD. 917 * Auth-data that overlaps with the cipher region is placed in 918 * the auth section. 919 */ 920 if (aad_len != 0) { 921 aad_start = s->blkcipher.iv_len + 1; 922 aad_stop = aad_start + aad_len - 1; 923 } else { 924 aad_start = 0; 925 aad_stop = 0; 926 } 927 cipher_start = s->blkcipher.iv_len + aad_len + 1; 928 if (op_type == CHCR_DECRYPT_OP) 929 cipher_stop = hash_size_in_response; 930 else 931 cipher_stop = 0; 932 if (aad_len == crda->crd_len) { 933 auth_start = 0; 934 auth_stop = 0; 935 } else { 936 if (aad_len != 0) 937 auth_start = cipher_start; 938 else 939 auth_start = s->blkcipher.iv_len + crda->crd_skip - 940 crde->crd_skip + 1; 941 auth_stop = (crde->crd_skip + crde->crd_len) - 942 (crda->crd_skip + crda->crd_len) + cipher_stop; 943 } 944 if (op_type == CHCR_DECRYPT_OP) 945 auth_insert = hash_size_in_response; 946 else 947 auth_insert = 0; 948 949 wr_len = roundup2(transhdr_len, 16) + s->blkcipher.iv_len + 950 roundup2(imm_len, 16) + sgl_len; 951 if (wr_len > SGE_MAX_WR_LEN) 952 return (EFBIG); 953 wr = alloc_wrqe(wr_len, sc->txq); 954 if (wr == NULL) { 955 sc->stats_wr_nomem++; 956 return (ENOMEM); 957 } 958 crwr = wrtod(wr); 959 memset(crwr, 0, wr_len); 960 961 /* 962 * Read the existing IV from the request or generate a random 963 * one if none is provided. Optionally copy the generated IV 964 * into the output buffer if requested. 965 */ 966 if (op_type == CHCR_ENCRYPT_OP) { 967 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 968 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len); 969 else 970 arc4rand(iv, s->blkcipher.iv_len, 0); 971 if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0) 972 crypto_copyback(crp->crp_flags, crp->crp_buf, 973 crde->crd_inject, s->blkcipher.iv_len, iv); 974 } else { 975 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 976 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len); 977 else 978 crypto_copydata(crp->crp_flags, crp->crp_buf, 979 crde->crd_inject, s->blkcipher.iv_len, iv); 980 } 981 982 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 983 op_type == CHCR_DECRYPT_OP ? hash_size_in_response : 0, crp); 984 985 /* XXX: Hardcodes SGE loopback channel of 0. */ 986 crwr->sec_cpl.op_ivinsrtofst = htobe32( 987 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 988 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 989 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 990 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 991 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 992 993 crwr->sec_cpl.pldlen = htobe32(s->blkcipher.iv_len + input_len); 994 995 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 996 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 997 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 998 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 999 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(cipher_stop >> 4)); 1000 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1001 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(cipher_stop & 0xf) | 1002 V_CPL_TX_SEC_PDU_AUTHSTART(auth_start) | 1003 V_CPL_TX_SEC_PDU_AUTHSTOP(auth_stop) | 1004 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1005 1006 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1007 hmac_ctrl = ccr_hmac_ctrl(axf->hashsize, hash_size_in_response); 1008 crwr->sec_cpl.seqno_numivs = htobe32( 1009 V_SCMD_SEQ_NO_CTRL(0) | 1010 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) | 1011 V_SCMD_ENC_DEC_CTRL(op_type) | 1012 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 1013 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) | 1014 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 1015 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1016 V_SCMD_IV_SIZE(s->blkcipher.iv_len / 2) | 1017 V_SCMD_NUM_IVS(0)); 1018 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1019 V_SCMD_IV_GEN_CTRL(0) | 1020 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1021 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1022 1023 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1024 switch (crde->crd_alg) { 1025 case CRYPTO_AES_CBC: 1026 if (crde->crd_flags & CRD_F_ENCRYPT) 1027 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 1028 s->blkcipher.key_len); 1029 else 1030 memcpy(crwr->key_ctx.key, s->blkcipher.deckey, 1031 s->blkcipher.key_len); 1032 break; 1033 case CRYPTO_AES_ICM: 1034 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 1035 s->blkcipher.key_len); 1036 break; 1037 case CRYPTO_AES_XTS: 1038 key_half = s->blkcipher.key_len / 2; 1039 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half, 1040 key_half); 1041 if (crde->crd_flags & CRD_F_ENCRYPT) 1042 memcpy(crwr->key_ctx.key + key_half, 1043 s->blkcipher.enckey, key_half); 1044 else 1045 memcpy(crwr->key_ctx.key + key_half, 1046 s->blkcipher.deckey, key_half); 1047 break; 1048 } 1049 1050 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16); 1051 memcpy(dst, s->hmac.ipad, s->hmac.partial_digest_len); 1052 memcpy(dst + iopad_size, s->hmac.opad, s->hmac.partial_digest_len); 1053 1054 dst = (char *)(crwr + 1) + kctx_len; 1055 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 1056 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1057 memcpy(dst, iv, s->blkcipher.iv_len); 1058 dst += s->blkcipher.iv_len; 1059 if (imm_len != 0) { 1060 if (aad_len != 0) { 1061 crypto_copydata(crp->crp_flags, crp->crp_buf, 1062 crda->crd_skip, aad_len, dst); 1063 dst += aad_len; 1064 } 1065 crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip, 1066 crde->crd_len, dst); 1067 dst += crde->crd_len; 1068 if (op_type == CHCR_DECRYPT_OP) 1069 crypto_copydata(crp->crp_flags, crp->crp_buf, 1070 crda->crd_inject, hash_size_in_response, dst); 1071 } else 1072 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1073 1074 /* XXX: TODO backpressure */ 1075 t4_wrq_tx(sc->adapter, wr); 1076 1077 return (0); 1078 } 1079 1080 static int 1081 ccr_authenc_done(struct ccr_softc *sc, struct ccr_session *s, 1082 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1083 { 1084 struct cryptodesc *crd; 1085 1086 /* 1087 * The updated IV to permit chained requests is at 1088 * cpl->data[2], but OCF doesn't permit chained requests. 1089 * 1090 * For a decryption request, the hardware may do a verification 1091 * of the HMAC which will fail if the existing HMAC isn't in the 1092 * buffer. If that happens, clear the error and copy the HMAC 1093 * from the CPL reply into the buffer. 1094 * 1095 * For encryption requests, crd should be the cipher request 1096 * which will have CRD_F_ENCRYPT set. For decryption 1097 * requests, crp_desc will be the HMAC request which should 1098 * not have this flag set. 1099 */ 1100 crd = crp->crp_desc; 1101 if (error == EBADMSG && !CHK_PAD_ERR_BIT(be64toh(cpl->data[0])) && 1102 !(crd->crd_flags & CRD_F_ENCRYPT)) { 1103 crypto_copyback(crp->crp_flags, crp->crp_buf, crd->crd_inject, 1104 s->hmac.hash_len, (c_caddr_t)(cpl + 1)); 1105 error = 0; 1106 } 1107 return (error); 1108 } 1109 1110 static int 1111 ccr_gcm(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s, 1112 struct cryptop *crp, struct cryptodesc *crda, struct cryptodesc *crde) 1113 { 1114 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 1115 struct chcr_wr *crwr; 1116 struct wrqe *wr; 1117 char *dst; 1118 u_int iv_len, kctx_len, op_type, transhdr_len, wr_len; 1119 u_int hash_size_in_response, imm_len; 1120 u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert; 1121 u_int hmac_ctrl, input_len; 1122 int dsgl_nsegs, dsgl_len; 1123 int sgl_nsegs, sgl_len; 1124 int error; 1125 1126 if (s->blkcipher.key_len == 0) 1127 return (EINVAL); 1128 1129 /* 1130 * The crypto engine doesn't handle GCM requests with an empty 1131 * payload, so handle those in software instead. 1132 */ 1133 if (crde->crd_len == 0) 1134 return (EMSGSIZE); 1135 1136 /* 1137 * AAD is only permitted before the cipher/plain text, not 1138 * after. 1139 */ 1140 if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip) 1141 return (EMSGSIZE); 1142 1143 if (crda->crd_len + AES_BLOCK_LEN > MAX_AAD_LEN) 1144 return (EMSGSIZE); 1145 1146 hash_size_in_response = s->gmac.hash_len; 1147 if (crde->crd_flags & CRD_F_ENCRYPT) 1148 op_type = CHCR_ENCRYPT_OP; 1149 else 1150 op_type = CHCR_DECRYPT_OP; 1151 1152 /* 1153 * The IV handling for GCM in OCF is a bit more complicated in 1154 * that IPSec provides a full 16-byte IV (including the 1155 * counter), whereas the /dev/crypto interface sometimes 1156 * provides a full 16-byte IV (if no IV is provided in the 1157 * ioctl) and sometimes a 12-byte IV (if the IV was explicit). 1158 * 1159 * When provided a 12-byte IV, assume the IV is really 16 bytes 1160 * with a counter in the last 4 bytes initialized to 1. 1161 * 1162 * While iv_len is checked below, the value is currently 1163 * always set to 12 when creating a GCM session in this driver 1164 * due to limitations in OCF (there is no way to know what the 1165 * IV length of a given request will be). This means that the 1166 * driver always assumes as 12-byte IV for now. 1167 */ 1168 if (s->blkcipher.iv_len == 12) 1169 iv_len = AES_BLOCK_LEN; 1170 else 1171 iv_len = s->blkcipher.iv_len; 1172 1173 /* 1174 * The output buffer consists of the cipher text followed by 1175 * the tag when encrypting. For decryption it only contains 1176 * the plain text. 1177 * 1178 * Due to a firmware bug, the output buffer must include a 1179 * dummy output buffer for the IV and AAD prior to the real 1180 * output buffer. 1181 */ 1182 if (op_type == CHCR_ENCRYPT_OP) { 1183 if (iv_len + crda->crd_len + crde->crd_len + 1184 hash_size_in_response > MAX_REQUEST_SIZE) 1185 return (EFBIG); 1186 } else { 1187 if (iv_len + crda->crd_len + crde->crd_len > MAX_REQUEST_SIZE) 1188 return (EFBIG); 1189 } 1190 sglist_reset(sc->sg_dsgl); 1191 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, iv_len + 1192 crda->crd_len); 1193 if (error) 1194 return (error); 1195 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crde->crd_skip, 1196 crde->crd_len); 1197 if (error) 1198 return (error); 1199 if (op_type == CHCR_ENCRYPT_OP) { 1200 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1201 crda->crd_inject, hash_size_in_response); 1202 if (error) 1203 return (error); 1204 } 1205 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 1206 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 1207 return (EFBIG); 1208 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 1209 1210 /* 1211 * The 'key' part of the key context consists of the key followed 1212 * by the Galois hash key. 1213 */ 1214 kctx_len = roundup2(s->blkcipher.key_len, 16) + GMAC_BLOCK_LEN; 1215 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 1216 1217 /* 1218 * The input buffer consists of the IV, any AAD, and then the 1219 * cipher/plain text. For decryption requests the hash is 1220 * appended after the cipher text. 1221 * 1222 * The IV is always stored at the start of the input buffer 1223 * even though it may be duplicated in the payload. The 1224 * crypto engine doesn't work properly if the IV offset points 1225 * inside of the AAD region, so a second copy is always 1226 * required. 1227 */ 1228 input_len = crda->crd_len + crde->crd_len; 1229 if (op_type == CHCR_DECRYPT_OP) 1230 input_len += hash_size_in_response; 1231 if (input_len > MAX_REQUEST_SIZE) 1232 return (EFBIG); 1233 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 1234 imm_len = input_len; 1235 sgl_nsegs = 0; 1236 sgl_len = 0; 1237 } else { 1238 imm_len = 0; 1239 sglist_reset(sc->sg_ulptx); 1240 if (crda->crd_len != 0) { 1241 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1242 crda->crd_skip, crda->crd_len); 1243 if (error) 1244 return (error); 1245 } 1246 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1247 crde->crd_skip, crde->crd_len); 1248 if (error) 1249 return (error); 1250 if (op_type == CHCR_DECRYPT_OP) { 1251 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1252 crda->crd_inject, hash_size_in_response); 1253 if (error) 1254 return (error); 1255 } 1256 sgl_nsegs = sc->sg_ulptx->sg_nseg; 1257 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 1258 } 1259 1260 if (crda->crd_len != 0) { 1261 aad_start = iv_len + 1; 1262 aad_stop = aad_start + crda->crd_len - 1; 1263 } else { 1264 aad_start = 0; 1265 aad_stop = 0; 1266 } 1267 cipher_start = iv_len + crda->crd_len + 1; 1268 if (op_type == CHCR_DECRYPT_OP) 1269 cipher_stop = hash_size_in_response; 1270 else 1271 cipher_stop = 0; 1272 if (op_type == CHCR_DECRYPT_OP) 1273 auth_insert = hash_size_in_response; 1274 else 1275 auth_insert = 0; 1276 1277 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 1278 sgl_len; 1279 if (wr_len > SGE_MAX_WR_LEN) 1280 return (EFBIG); 1281 wr = alloc_wrqe(wr_len, sc->txq); 1282 if (wr == NULL) { 1283 sc->stats_wr_nomem++; 1284 return (ENOMEM); 1285 } 1286 crwr = wrtod(wr); 1287 memset(crwr, 0, wr_len); 1288 1289 /* 1290 * Read the existing IV from the request or generate a random 1291 * one if none is provided. Optionally copy the generated IV 1292 * into the output buffer if requested. 1293 * 1294 * If the input IV is 12 bytes, append an explicit 4-byte 1295 * counter of 1. 1296 */ 1297 if (op_type == CHCR_ENCRYPT_OP) { 1298 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 1299 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len); 1300 else 1301 arc4rand(iv, s->blkcipher.iv_len, 0); 1302 if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0) 1303 crypto_copyback(crp->crp_flags, crp->crp_buf, 1304 crde->crd_inject, s->blkcipher.iv_len, iv); 1305 } else { 1306 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 1307 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len); 1308 else 1309 crypto_copydata(crp->crp_flags, crp->crp_buf, 1310 crde->crd_inject, s->blkcipher.iv_len, iv); 1311 } 1312 if (s->blkcipher.iv_len == 12) 1313 *(uint32_t *)&iv[12] = htobe32(1); 1314 1315 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 1316 0, crp); 1317 1318 /* XXX: Hardcodes SGE loopback channel of 0. */ 1319 crwr->sec_cpl.op_ivinsrtofst = htobe32( 1320 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 1321 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 1322 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 1323 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 1324 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 1325 1326 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 1327 1328 /* 1329 * NB: cipherstop is explicitly set to 0. On encrypt it 1330 * should normally be set to 0 anyway (as the encrypt crd ends 1331 * at the end of the input). However, for decrypt the cipher 1332 * ends before the tag in the AUTHENC case (and authstop is 1333 * set to stop before the tag), but for GCM the cipher still 1334 * runs to the end of the buffer. Not sure if this is 1335 * intentional or a firmware quirk, but it is required for 1336 * working tag validation with GCM decryption. 1337 */ 1338 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 1339 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 1340 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 1341 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 1342 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 1343 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1344 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) | 1345 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1346 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1347 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1348 1349 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1350 hmac_ctrl = ccr_hmac_ctrl(AES_GMAC_HASH_LEN, hash_size_in_response); 1351 crwr->sec_cpl.seqno_numivs = htobe32( 1352 V_SCMD_SEQ_NO_CTRL(0) | 1353 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) | 1354 V_SCMD_ENC_DEC_CTRL(op_type) | 1355 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 1356 V_SCMD_CIPH_MODE(CHCR_SCMD_CIPHER_MODE_AES_GCM) | 1357 V_SCMD_AUTH_MODE(CHCR_SCMD_AUTH_MODE_GHASH) | 1358 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1359 V_SCMD_IV_SIZE(iv_len / 2) | 1360 V_SCMD_NUM_IVS(0)); 1361 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1362 V_SCMD_IV_GEN_CTRL(0) | 1363 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1364 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1365 1366 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1367 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len); 1368 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16); 1369 memcpy(dst, s->gmac.ghash_h, GMAC_BLOCK_LEN); 1370 1371 dst = (char *)(crwr + 1) + kctx_len; 1372 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 1373 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1374 memcpy(dst, iv, iv_len); 1375 dst += iv_len; 1376 if (imm_len != 0) { 1377 if (crda->crd_len != 0) { 1378 crypto_copydata(crp->crp_flags, crp->crp_buf, 1379 crda->crd_skip, crda->crd_len, dst); 1380 dst += crda->crd_len; 1381 } 1382 crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip, 1383 crde->crd_len, dst); 1384 dst += crde->crd_len; 1385 if (op_type == CHCR_DECRYPT_OP) 1386 crypto_copydata(crp->crp_flags, crp->crp_buf, 1387 crda->crd_inject, hash_size_in_response, dst); 1388 } else 1389 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1390 1391 /* XXX: TODO backpressure */ 1392 t4_wrq_tx(sc->adapter, wr); 1393 1394 return (0); 1395 } 1396 1397 static int 1398 ccr_gcm_done(struct ccr_softc *sc, struct ccr_session *s, 1399 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1400 { 1401 1402 /* 1403 * The updated IV to permit chained requests is at 1404 * cpl->data[2], but OCF doesn't permit chained requests. 1405 * 1406 * Note that the hardware should always verify the GMAC hash. 1407 */ 1408 return (error); 1409 } 1410 1411 /* 1412 * Handle a GCM request that is not supported by the crypto engine by 1413 * performing the operation in software. Derived from swcr_authenc(). 1414 */ 1415 static void 1416 ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp, 1417 struct cryptodesc *crda, struct cryptodesc *crde) 1418 { 1419 struct auth_hash *axf; 1420 struct enc_xform *exf; 1421 void *auth_ctx; 1422 uint8_t *kschedule; 1423 char block[GMAC_BLOCK_LEN]; 1424 char digest[GMAC_DIGEST_LEN]; 1425 char iv[AES_BLOCK_LEN]; 1426 int error, i, len; 1427 1428 auth_ctx = NULL; 1429 kschedule = NULL; 1430 1431 /* Initialize the MAC. */ 1432 switch (s->blkcipher.key_len) { 1433 case 16: 1434 axf = &auth_hash_nist_gmac_aes_128; 1435 break; 1436 case 24: 1437 axf = &auth_hash_nist_gmac_aes_192; 1438 break; 1439 case 32: 1440 axf = &auth_hash_nist_gmac_aes_256; 1441 break; 1442 default: 1443 error = EINVAL; 1444 goto out; 1445 } 1446 auth_ctx = malloc(axf->ctxsize, M_CCR, M_NOWAIT); 1447 if (auth_ctx == NULL) { 1448 error = ENOMEM; 1449 goto out; 1450 } 1451 axf->Init(auth_ctx); 1452 axf->Setkey(auth_ctx, s->blkcipher.enckey, s->blkcipher.key_len); 1453 1454 /* Initialize the cipher. */ 1455 exf = &enc_xform_aes_nist_gcm; 1456 error = exf->setkey(&kschedule, s->blkcipher.enckey, 1457 s->blkcipher.key_len); 1458 if (error) 1459 goto out; 1460 1461 /* 1462 * This assumes a 12-byte IV from the crp. See longer comment 1463 * above in ccr_gcm() for more details. 1464 */ 1465 if (crde->crd_flags & CRD_F_ENCRYPT) { 1466 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 1467 memcpy(iv, crde->crd_iv, 12); 1468 else 1469 arc4rand(iv, 12, 0); 1470 if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0) 1471 crypto_copyback(crp->crp_flags, crp->crp_buf, 1472 crde->crd_inject, 12, iv); 1473 } else { 1474 if (crde->crd_flags & CRD_F_IV_EXPLICIT) 1475 memcpy(iv, crde->crd_iv, 12); 1476 else 1477 crypto_copydata(crp->crp_flags, crp->crp_buf, 1478 crde->crd_inject, 12, iv); 1479 } 1480 *(uint32_t *)&iv[12] = htobe32(1); 1481 1482 axf->Reinit(auth_ctx, iv, sizeof(iv)); 1483 1484 /* MAC the AAD. */ 1485 for (i = 0; i < crda->crd_len; i += sizeof(block)) { 1486 len = imin(crda->crd_len - i, sizeof(block)); 1487 crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_skip + 1488 i, len, block); 1489 bzero(block + len, sizeof(block) - len); 1490 axf->Update(auth_ctx, block, sizeof(block)); 1491 } 1492 1493 exf->reinit(kschedule, iv); 1494 1495 /* Do encryption with MAC */ 1496 for (i = 0; i < crde->crd_len; i += sizeof(block)) { 1497 len = imin(crde->crd_len - i, sizeof(block)); 1498 crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip + 1499 i, len, block); 1500 bzero(block + len, sizeof(block) - len); 1501 if (crde->crd_flags & CRD_F_ENCRYPT) { 1502 exf->encrypt(kschedule, block); 1503 axf->Update(auth_ctx, block, len); 1504 crypto_copyback(crp->crp_flags, crp->crp_buf, 1505 crde->crd_skip + i, len, block); 1506 } else { 1507 axf->Update(auth_ctx, block, len); 1508 } 1509 } 1510 1511 /* Length block. */ 1512 bzero(block, sizeof(block)); 1513 ((uint32_t *)block)[1] = htobe32(crda->crd_len * 8); 1514 ((uint32_t *)block)[3] = htobe32(crde->crd_len * 8); 1515 axf->Update(auth_ctx, block, sizeof(block)); 1516 1517 /* Finalize MAC. */ 1518 axf->Final(digest, auth_ctx); 1519 1520 /* Inject or validate tag. */ 1521 if (crde->crd_flags & CRD_F_ENCRYPT) { 1522 crypto_copyback(crp->crp_flags, crp->crp_buf, crda->crd_inject, 1523 sizeof(digest), digest); 1524 error = 0; 1525 } else { 1526 char digest2[GMAC_DIGEST_LEN]; 1527 1528 crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_inject, 1529 sizeof(digest2), digest2); 1530 if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) { 1531 error = 0; 1532 1533 /* Tag matches, decrypt data. */ 1534 for (i = 0; i < crde->crd_len; i += sizeof(block)) { 1535 len = imin(crde->crd_len - i, sizeof(block)); 1536 crypto_copydata(crp->crp_flags, crp->crp_buf, 1537 crde->crd_skip + i, len, block); 1538 bzero(block + len, sizeof(block) - len); 1539 exf->decrypt(kschedule, block); 1540 crypto_copyback(crp->crp_flags, crp->crp_buf, 1541 crde->crd_skip + i, len, block); 1542 } 1543 } else 1544 error = EBADMSG; 1545 } 1546 1547 exf->zerokey(&kschedule); 1548 out: 1549 if (auth_ctx != NULL) { 1550 memset(auth_ctx, 0, axf->ctxsize); 1551 free(auth_ctx, M_CCR); 1552 } 1553 crp->crp_etype = error; 1554 crypto_done(crp); 1555 } 1556 1557 static void 1558 ccr_identify(driver_t *driver, device_t parent) 1559 { 1560 struct adapter *sc; 1561 1562 sc = device_get_softc(parent); 1563 if (sc->cryptocaps & FW_CAPS_CONFIG_CRYPTO_LOOKASIDE && 1564 device_find_child(parent, "ccr", -1) == NULL) 1565 device_add_child(parent, "ccr", -1); 1566 } 1567 1568 static int 1569 ccr_probe(device_t dev) 1570 { 1571 1572 device_set_desc(dev, "Chelsio Crypto Accelerator"); 1573 return (BUS_PROBE_DEFAULT); 1574 } 1575 1576 static void 1577 ccr_sysctls(struct ccr_softc *sc) 1578 { 1579 struct sysctl_ctx_list *ctx; 1580 struct sysctl_oid *oid; 1581 struct sysctl_oid_list *children; 1582 1583 ctx = device_get_sysctl_ctx(sc->dev); 1584 1585 /* 1586 * dev.ccr.X. 1587 */ 1588 oid = device_get_sysctl_tree(sc->dev); 1589 children = SYSCTL_CHILDREN(oid); 1590 1591 /* 1592 * dev.ccr.X.stats. 1593 */ 1594 oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "stats", CTLFLAG_RD, 1595 NULL, "statistics"); 1596 children = SYSCTL_CHILDREN(oid); 1597 1598 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "hmac", CTLFLAG_RD, 1599 &sc->stats_hmac, 0, "HMAC requests submitted"); 1600 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_encrypt", CTLFLAG_RD, 1601 &sc->stats_blkcipher_encrypt, 0, 1602 "Cipher encryption requests submitted"); 1603 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_decrypt", CTLFLAG_RD, 1604 &sc->stats_blkcipher_decrypt, 0, 1605 "Cipher decryption requests submitted"); 1606 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "authenc_encrypt", CTLFLAG_RD, 1607 &sc->stats_authenc_encrypt, 0, 1608 "Combined AES+HMAC encryption requests submitted"); 1609 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "authenc_decrypt", CTLFLAG_RD, 1610 &sc->stats_authenc_decrypt, 0, 1611 "Combined AES+HMAC decryption requests submitted"); 1612 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_encrypt", CTLFLAG_RD, 1613 &sc->stats_gcm_encrypt, 0, "AES-GCM encryption requests submitted"); 1614 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_decrypt", CTLFLAG_RD, 1615 &sc->stats_gcm_decrypt, 0, "AES-GCM decryption requests submitted"); 1616 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "wr_nomem", CTLFLAG_RD, 1617 &sc->stats_wr_nomem, 0, "Work request memory allocation failures"); 1618 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "inflight", CTLFLAG_RD, 1619 &sc->stats_inflight, 0, "Requests currently pending"); 1620 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "mac_error", CTLFLAG_RD, 1621 &sc->stats_mac_error, 0, "MAC errors"); 1622 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "pad_error", CTLFLAG_RD, 1623 &sc->stats_pad_error, 0, "Padding errors"); 1624 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "bad_session", CTLFLAG_RD, 1625 &sc->stats_bad_session, 0, "Requests with invalid session ID"); 1626 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sglist_error", CTLFLAG_RD, 1627 &sc->stats_sglist_error, 0, 1628 "Requests for which DMA mapping failed"); 1629 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "process_error", CTLFLAG_RD, 1630 &sc->stats_process_error, 0, "Requests failed during queueing"); 1631 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sw_fallback", CTLFLAG_RD, 1632 &sc->stats_sw_fallback, 0, 1633 "Requests processed by falling back to software"); 1634 } 1635 1636 static int 1637 ccr_attach(device_t dev) 1638 { 1639 struct ccr_softc *sc; 1640 int32_t cid; 1641 1642 /* 1643 * TODO: Crypto requests will panic if the parent device isn't 1644 * initialized so that the queues are up and running. Need to 1645 * figure out how to handle that correctly, maybe just reject 1646 * requests if the adapter isn't fully initialized? 1647 */ 1648 sc = device_get_softc(dev); 1649 sc->dev = dev; 1650 sc->adapter = device_get_softc(device_get_parent(dev)); 1651 sc->txq = &sc->adapter->sge.ctrlq[0]; 1652 sc->rxq = &sc->adapter->sge.rxq[0]; 1653 cid = crypto_get_driverid(dev, CRYPTOCAP_F_HARDWARE); 1654 if (cid < 0) { 1655 device_printf(dev, "could not get crypto driver id\n"); 1656 return (ENXIO); 1657 } 1658 sc->cid = cid; 1659 sc->adapter->ccr_softc = sc; 1660 1661 /* XXX: TODO? */ 1662 sc->tx_channel_id = 0; 1663 1664 mtx_init(&sc->lock, "ccr", NULL, MTX_DEF); 1665 sc->sg_crp = sglist_alloc(TX_SGL_SEGS, M_WAITOK); 1666 sc->sg_ulptx = sglist_alloc(TX_SGL_SEGS, M_WAITOK); 1667 sc->sg_dsgl = sglist_alloc(MAX_RX_PHYS_DSGL_SGE, M_WAITOK); 1668 sc->iv_aad_buf = malloc(MAX_AAD_LEN, M_CCR, M_WAITOK); 1669 sc->sg_iv_aad = sglist_build(sc->iv_aad_buf, MAX_AAD_LEN, M_WAITOK); 1670 ccr_sysctls(sc); 1671 1672 crypto_register(cid, CRYPTO_SHA1_HMAC, 0, 0); 1673 crypto_register(cid, CRYPTO_SHA2_256_HMAC, 0, 0); 1674 crypto_register(cid, CRYPTO_SHA2_384_HMAC, 0, 0); 1675 crypto_register(cid, CRYPTO_SHA2_512_HMAC, 0, 0); 1676 crypto_register(cid, CRYPTO_AES_CBC, 0, 0); 1677 crypto_register(cid, CRYPTO_AES_ICM, 0, 0); 1678 crypto_register(cid, CRYPTO_AES_NIST_GCM_16, 0, 0); 1679 crypto_register(cid, CRYPTO_AES_128_NIST_GMAC, 0, 0); 1680 crypto_register(cid, CRYPTO_AES_192_NIST_GMAC, 0, 0); 1681 crypto_register(cid, CRYPTO_AES_256_NIST_GMAC, 0, 0); 1682 crypto_register(cid, CRYPTO_AES_XTS, 0, 0); 1683 return (0); 1684 } 1685 1686 static int 1687 ccr_detach(device_t dev) 1688 { 1689 struct ccr_softc *sc; 1690 int i; 1691 1692 sc = device_get_softc(dev); 1693 1694 mtx_lock(&sc->lock); 1695 for (i = 0; i < sc->nsessions; i++) { 1696 if (sc->sessions[i].active || sc->sessions[i].pending != 0) { 1697 mtx_unlock(&sc->lock); 1698 return (EBUSY); 1699 } 1700 } 1701 sc->detaching = true; 1702 mtx_unlock(&sc->lock); 1703 1704 crypto_unregister_all(sc->cid); 1705 free(sc->sessions, M_CCR); 1706 mtx_destroy(&sc->lock); 1707 sglist_free(sc->sg_iv_aad); 1708 free(sc->iv_aad_buf, M_CCR); 1709 sglist_free(sc->sg_dsgl); 1710 sglist_free(sc->sg_ulptx); 1711 sglist_free(sc->sg_crp); 1712 sc->adapter->ccr_softc = NULL; 1713 return (0); 1714 } 1715 1716 static void 1717 ccr_copy_partial_hash(void *dst, int cri_alg, union authctx *auth_ctx) 1718 { 1719 uint32_t *u32; 1720 uint64_t *u64; 1721 u_int i; 1722 1723 u32 = (uint32_t *)dst; 1724 u64 = (uint64_t *)dst; 1725 switch (cri_alg) { 1726 case CRYPTO_SHA1_HMAC: 1727 for (i = 0; i < SHA1_HASH_LEN / 4; i++) 1728 u32[i] = htobe32(auth_ctx->sha1ctx.h.b32[i]); 1729 break; 1730 case CRYPTO_SHA2_256_HMAC: 1731 for (i = 0; i < SHA2_256_HASH_LEN / 4; i++) 1732 u32[i] = htobe32(auth_ctx->sha256ctx.state[i]); 1733 break; 1734 case CRYPTO_SHA2_384_HMAC: 1735 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++) 1736 u64[i] = htobe64(auth_ctx->sha384ctx.state[i]); 1737 break; 1738 case CRYPTO_SHA2_512_HMAC: 1739 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++) 1740 u64[i] = htobe64(auth_ctx->sha512ctx.state[i]); 1741 break; 1742 } 1743 } 1744 1745 static void 1746 ccr_init_hmac_digest(struct ccr_session *s, int cri_alg, char *key, 1747 int klen) 1748 { 1749 union authctx auth_ctx; 1750 struct auth_hash *axf; 1751 u_int i; 1752 1753 /* 1754 * If the key is larger than the block size, use the digest of 1755 * the key as the key instead. 1756 */ 1757 axf = s->hmac.auth_hash; 1758 klen /= 8; 1759 if (klen > axf->blocksize) { 1760 axf->Init(&auth_ctx); 1761 axf->Update(&auth_ctx, key, klen); 1762 axf->Final(s->hmac.ipad, &auth_ctx); 1763 klen = axf->hashsize; 1764 } else 1765 memcpy(s->hmac.ipad, key, klen); 1766 1767 memset(s->hmac.ipad + klen, 0, axf->blocksize); 1768 memcpy(s->hmac.opad, s->hmac.ipad, axf->blocksize); 1769 1770 for (i = 0; i < axf->blocksize; i++) { 1771 s->hmac.ipad[i] ^= HMAC_IPAD_VAL; 1772 s->hmac.opad[i] ^= HMAC_OPAD_VAL; 1773 } 1774 1775 /* 1776 * Hash the raw ipad and opad and store the partial result in 1777 * the same buffer. 1778 */ 1779 axf->Init(&auth_ctx); 1780 axf->Update(&auth_ctx, s->hmac.ipad, axf->blocksize); 1781 ccr_copy_partial_hash(s->hmac.ipad, cri_alg, &auth_ctx); 1782 1783 axf->Init(&auth_ctx); 1784 axf->Update(&auth_ctx, s->hmac.opad, axf->blocksize); 1785 ccr_copy_partial_hash(s->hmac.opad, cri_alg, &auth_ctx); 1786 } 1787 1788 /* 1789 * Borrowed from AES_GMAC_Setkey(). 1790 */ 1791 static void 1792 ccr_init_gmac_hash(struct ccr_session *s, char *key, int klen) 1793 { 1794 static char zeroes[GMAC_BLOCK_LEN]; 1795 uint32_t keysched[4 * (RIJNDAEL_MAXNR + 1)]; 1796 int rounds; 1797 1798 rounds = rijndaelKeySetupEnc(keysched, key, klen); 1799 rijndaelEncrypt(keysched, rounds, zeroes, s->gmac.ghash_h); 1800 } 1801 1802 static int 1803 ccr_aes_check_keylen(int alg, int klen) 1804 { 1805 1806 switch (klen) { 1807 case 128: 1808 case 192: 1809 if (alg == CRYPTO_AES_XTS) 1810 return (EINVAL); 1811 break; 1812 case 256: 1813 break; 1814 case 512: 1815 if (alg != CRYPTO_AES_XTS) 1816 return (EINVAL); 1817 break; 1818 default: 1819 return (EINVAL); 1820 } 1821 return (0); 1822 } 1823 1824 /* 1825 * Borrowed from cesa_prep_aes_key(). We should perhaps have a public 1826 * function to generate this instead. 1827 * 1828 * NB: The crypto engine wants the words in the decryption key in reverse 1829 * order. 1830 */ 1831 static void 1832 ccr_aes_getdeckey(void *dec_key, const void *enc_key, unsigned int kbits) 1833 { 1834 uint32_t ek[4 * (RIJNDAEL_MAXNR + 1)]; 1835 uint32_t *dkey; 1836 int i; 1837 1838 rijndaelKeySetupEnc(ek, enc_key, kbits); 1839 dkey = dec_key; 1840 dkey += (kbits / 8) / 4; 1841 1842 switch (kbits) { 1843 case 128: 1844 for (i = 0; i < 4; i++) 1845 *--dkey = htobe32(ek[4 * 10 + i]); 1846 break; 1847 case 192: 1848 for (i = 0; i < 2; i++) 1849 *--dkey = htobe32(ek[4 * 11 + 2 + i]); 1850 for (i = 0; i < 4; i++) 1851 *--dkey = htobe32(ek[4 * 12 + i]); 1852 break; 1853 case 256: 1854 for (i = 0; i < 4; i++) 1855 *--dkey = htobe32(ek[4 * 13 + i]); 1856 for (i = 0; i < 4; i++) 1857 *--dkey = htobe32(ek[4 * 14 + i]); 1858 break; 1859 } 1860 MPASS(dkey == dec_key); 1861 } 1862 1863 static void 1864 ccr_aes_setkey(struct ccr_session *s, int alg, const void *key, int klen) 1865 { 1866 unsigned int ck_size, iopad_size, kctx_flits, kctx_len, kbits, mk_size; 1867 unsigned int opad_present; 1868 1869 if (alg == CRYPTO_AES_XTS) 1870 kbits = klen / 2; 1871 else 1872 kbits = klen; 1873 switch (kbits) { 1874 case 128: 1875 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128; 1876 break; 1877 case 192: 1878 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192; 1879 break; 1880 case 256: 1881 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256; 1882 break; 1883 default: 1884 panic("should not get here"); 1885 } 1886 1887 s->blkcipher.key_len = klen / 8; 1888 memcpy(s->blkcipher.enckey, key, s->blkcipher.key_len); 1889 switch (alg) { 1890 case CRYPTO_AES_CBC: 1891 case CRYPTO_AES_XTS: 1892 ccr_aes_getdeckey(s->blkcipher.deckey, key, kbits); 1893 break; 1894 } 1895 1896 kctx_len = roundup2(s->blkcipher.key_len, 16); 1897 switch (s->mode) { 1898 case AUTHENC: 1899 mk_size = s->hmac.mk_size; 1900 opad_present = 1; 1901 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 1902 kctx_len += iopad_size * 2; 1903 break; 1904 case GCM: 1905 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 1906 opad_present = 0; 1907 kctx_len += GMAC_BLOCK_LEN; 1908 break; 1909 default: 1910 mk_size = CHCR_KEYCTX_NO_KEY; 1911 opad_present = 0; 1912 break; 1913 } 1914 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 1915 s->blkcipher.key_ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 1916 V_KEY_CONTEXT_DUAL_CK(alg == CRYPTO_AES_XTS) | 1917 V_KEY_CONTEXT_OPAD_PRESENT(opad_present) | 1918 V_KEY_CONTEXT_SALT_PRESENT(1) | V_KEY_CONTEXT_CK_SIZE(ck_size) | 1919 V_KEY_CONTEXT_MK_SIZE(mk_size) | V_KEY_CONTEXT_VALID(1)); 1920 } 1921 1922 static int 1923 ccr_newsession(device_t dev, uint32_t *sidp, struct cryptoini *cri) 1924 { 1925 struct ccr_softc *sc; 1926 struct ccr_session *s; 1927 struct auth_hash *auth_hash; 1928 struct cryptoini *c, *hash, *cipher; 1929 unsigned int auth_mode, cipher_mode, iv_len, mk_size; 1930 unsigned int partial_digest_len; 1931 int error, i, sess; 1932 bool gcm_hash; 1933 1934 if (sidp == NULL || cri == NULL) 1935 return (EINVAL); 1936 1937 gcm_hash = false; 1938 cipher = NULL; 1939 hash = NULL; 1940 auth_hash = NULL; 1941 auth_mode = CHCR_SCMD_AUTH_MODE_NOP; 1942 cipher_mode = CHCR_SCMD_CIPHER_MODE_NOP; 1943 iv_len = 0; 1944 mk_size = 0; 1945 partial_digest_len = 0; 1946 for (c = cri; c != NULL; c = c->cri_next) { 1947 switch (c->cri_alg) { 1948 case CRYPTO_SHA1_HMAC: 1949 case CRYPTO_SHA2_256_HMAC: 1950 case CRYPTO_SHA2_384_HMAC: 1951 case CRYPTO_SHA2_512_HMAC: 1952 case CRYPTO_AES_128_NIST_GMAC: 1953 case CRYPTO_AES_192_NIST_GMAC: 1954 case CRYPTO_AES_256_NIST_GMAC: 1955 if (hash) 1956 return (EINVAL); 1957 hash = c; 1958 switch (c->cri_alg) { 1959 case CRYPTO_SHA1_HMAC: 1960 auth_hash = &auth_hash_hmac_sha1; 1961 auth_mode = CHCR_SCMD_AUTH_MODE_SHA1; 1962 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_160; 1963 partial_digest_len = SHA1_HASH_LEN; 1964 break; 1965 case CRYPTO_SHA2_256_HMAC: 1966 auth_hash = &auth_hash_hmac_sha2_256; 1967 auth_mode = CHCR_SCMD_AUTH_MODE_SHA256; 1968 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 1969 partial_digest_len = SHA2_256_HASH_LEN; 1970 break; 1971 case CRYPTO_SHA2_384_HMAC: 1972 auth_hash = &auth_hash_hmac_sha2_384; 1973 auth_mode = CHCR_SCMD_AUTH_MODE_SHA512_384; 1974 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 1975 partial_digest_len = SHA2_512_HASH_LEN; 1976 break; 1977 case CRYPTO_SHA2_512_HMAC: 1978 auth_hash = &auth_hash_hmac_sha2_512; 1979 auth_mode = CHCR_SCMD_AUTH_MODE_SHA512_512; 1980 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 1981 partial_digest_len = SHA2_512_HASH_LEN; 1982 break; 1983 case CRYPTO_AES_128_NIST_GMAC: 1984 case CRYPTO_AES_192_NIST_GMAC: 1985 case CRYPTO_AES_256_NIST_GMAC: 1986 gcm_hash = true; 1987 auth_mode = CHCR_SCMD_AUTH_MODE_GHASH; 1988 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 1989 break; 1990 } 1991 break; 1992 case CRYPTO_AES_CBC: 1993 case CRYPTO_AES_ICM: 1994 case CRYPTO_AES_NIST_GCM_16: 1995 case CRYPTO_AES_XTS: 1996 if (cipher) 1997 return (EINVAL); 1998 cipher = c; 1999 switch (c->cri_alg) { 2000 case CRYPTO_AES_CBC: 2001 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_CBC; 2002 iv_len = AES_BLOCK_LEN; 2003 break; 2004 case CRYPTO_AES_ICM: 2005 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_CTR; 2006 iv_len = AES_BLOCK_LEN; 2007 break; 2008 case CRYPTO_AES_NIST_GCM_16: 2009 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_GCM; 2010 iv_len = AES_GCM_IV_LEN; 2011 break; 2012 case CRYPTO_AES_XTS: 2013 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_XTS; 2014 iv_len = AES_BLOCK_LEN; 2015 break; 2016 } 2017 if (c->cri_key != NULL) { 2018 error = ccr_aes_check_keylen(c->cri_alg, 2019 c->cri_klen); 2020 if (error) 2021 return (error); 2022 } 2023 break; 2024 default: 2025 return (EINVAL); 2026 } 2027 } 2028 if (gcm_hash != (cipher_mode == CHCR_SCMD_CIPHER_MODE_AES_GCM)) 2029 return (EINVAL); 2030 if (hash == NULL && cipher == NULL) 2031 return (EINVAL); 2032 if (hash != NULL && hash->cri_key == NULL) 2033 return (EINVAL); 2034 2035 sc = device_get_softc(dev); 2036 mtx_lock(&sc->lock); 2037 if (sc->detaching) { 2038 mtx_unlock(&sc->lock); 2039 return (ENXIO); 2040 } 2041 sess = -1; 2042 for (i = 0; i < sc->nsessions; i++) { 2043 if (!sc->sessions[i].active && sc->sessions[i].pending == 0) { 2044 sess = i; 2045 break; 2046 } 2047 } 2048 if (sess == -1) { 2049 s = malloc(sizeof(*s) * (sc->nsessions + 1), M_CCR, 2050 M_NOWAIT | M_ZERO); 2051 if (s == NULL) { 2052 mtx_unlock(&sc->lock); 2053 return (ENOMEM); 2054 } 2055 if (sc->sessions != NULL) 2056 memcpy(s, sc->sessions, sizeof(*s) * sc->nsessions); 2057 sess = sc->nsessions; 2058 free(sc->sessions, M_CCR); 2059 sc->sessions = s; 2060 sc->nsessions++; 2061 } 2062 2063 s = &sc->sessions[sess]; 2064 2065 if (gcm_hash) 2066 s->mode = GCM; 2067 else if (hash != NULL && cipher != NULL) 2068 s->mode = AUTHENC; 2069 else if (hash != NULL) 2070 s->mode = HMAC; 2071 else { 2072 MPASS(cipher != NULL); 2073 s->mode = BLKCIPHER; 2074 } 2075 if (gcm_hash) { 2076 if (hash->cri_mlen == 0) 2077 s->gmac.hash_len = AES_GMAC_HASH_LEN; 2078 else 2079 s->gmac.hash_len = hash->cri_mlen; 2080 ccr_init_gmac_hash(s, hash->cri_key, hash->cri_klen); 2081 } else if (hash != NULL) { 2082 s->hmac.auth_hash = auth_hash; 2083 s->hmac.auth_mode = auth_mode; 2084 s->hmac.mk_size = mk_size; 2085 s->hmac.partial_digest_len = partial_digest_len; 2086 if (hash->cri_mlen == 0) 2087 s->hmac.hash_len = auth_hash->hashsize; 2088 else 2089 s->hmac.hash_len = hash->cri_mlen; 2090 ccr_init_hmac_digest(s, hash->cri_alg, hash->cri_key, 2091 hash->cri_klen); 2092 } 2093 if (cipher != NULL) { 2094 s->blkcipher.cipher_mode = cipher_mode; 2095 s->blkcipher.iv_len = iv_len; 2096 if (cipher->cri_key != NULL) 2097 ccr_aes_setkey(s, cipher->cri_alg, cipher->cri_key, 2098 cipher->cri_klen); 2099 } 2100 2101 s->active = true; 2102 mtx_unlock(&sc->lock); 2103 2104 *sidp = sess; 2105 return (0); 2106 } 2107 2108 static int 2109 ccr_freesession(device_t dev, uint64_t tid) 2110 { 2111 struct ccr_softc *sc; 2112 uint32_t sid; 2113 int error; 2114 2115 sc = device_get_softc(dev); 2116 sid = CRYPTO_SESID2LID(tid); 2117 mtx_lock(&sc->lock); 2118 if (sid >= sc->nsessions || !sc->sessions[sid].active) 2119 error = EINVAL; 2120 else { 2121 if (sc->sessions[sid].pending != 0) 2122 device_printf(dev, 2123 "session %d freed with %d pending requests\n", sid, 2124 sc->sessions[sid].pending); 2125 sc->sessions[sid].active = false; 2126 error = 0; 2127 } 2128 mtx_unlock(&sc->lock); 2129 return (error); 2130 } 2131 2132 static int 2133 ccr_process(device_t dev, struct cryptop *crp, int hint) 2134 { 2135 struct ccr_softc *sc; 2136 struct ccr_session *s; 2137 struct cryptodesc *crd, *crda, *crde; 2138 uint32_t sid; 2139 int error; 2140 2141 if (crp == NULL) 2142 return (EINVAL); 2143 2144 crd = crp->crp_desc; 2145 sid = CRYPTO_SESID2LID(crp->crp_sid); 2146 sc = device_get_softc(dev); 2147 mtx_lock(&sc->lock); 2148 if (sid >= sc->nsessions || !sc->sessions[sid].active) { 2149 sc->stats_bad_session++; 2150 error = EINVAL; 2151 goto out; 2152 } 2153 2154 error = ccr_populate_sglist(sc->sg_crp, crp); 2155 if (error) { 2156 sc->stats_sglist_error++; 2157 goto out; 2158 } 2159 2160 s = &sc->sessions[sid]; 2161 switch (s->mode) { 2162 case HMAC: 2163 if (crd->crd_flags & CRD_F_KEY_EXPLICIT) 2164 ccr_init_hmac_digest(s, crd->crd_alg, crd->crd_key, 2165 crd->crd_klen); 2166 error = ccr_hmac(sc, sid, s, crp); 2167 if (error == 0) 2168 sc->stats_hmac++; 2169 break; 2170 case BLKCIPHER: 2171 if (crd->crd_flags & CRD_F_KEY_EXPLICIT) { 2172 error = ccr_aes_check_keylen(crd->crd_alg, 2173 crd->crd_klen); 2174 if (error) 2175 break; 2176 ccr_aes_setkey(s, crd->crd_alg, crd->crd_key, 2177 crd->crd_klen); 2178 } 2179 error = ccr_blkcipher(sc, sid, s, crp); 2180 if (error == 0) { 2181 if (crd->crd_flags & CRD_F_ENCRYPT) 2182 sc->stats_blkcipher_encrypt++; 2183 else 2184 sc->stats_blkcipher_decrypt++; 2185 } 2186 break; 2187 case AUTHENC: 2188 error = 0; 2189 switch (crd->crd_alg) { 2190 case CRYPTO_AES_CBC: 2191 case CRYPTO_AES_ICM: 2192 case CRYPTO_AES_XTS: 2193 /* Only encrypt-then-authenticate supported. */ 2194 crde = crd; 2195 crda = crd->crd_next; 2196 if (!(crde->crd_flags & CRD_F_ENCRYPT)) { 2197 error = EINVAL; 2198 break; 2199 } 2200 break; 2201 default: 2202 crda = crd; 2203 crde = crd->crd_next; 2204 if (crde->crd_flags & CRD_F_ENCRYPT) { 2205 error = EINVAL; 2206 break; 2207 } 2208 break; 2209 } 2210 if (error) 2211 break; 2212 if (crda->crd_flags & CRD_F_KEY_EXPLICIT) 2213 ccr_init_hmac_digest(s, crda->crd_alg, crda->crd_key, 2214 crda->crd_klen); 2215 if (crde->crd_flags & CRD_F_KEY_EXPLICIT) { 2216 error = ccr_aes_check_keylen(crde->crd_alg, 2217 crde->crd_klen); 2218 if (error) 2219 break; 2220 ccr_aes_setkey(s, crde->crd_alg, crde->crd_key, 2221 crde->crd_klen); 2222 } 2223 error = ccr_authenc(sc, sid, s, crp, crda, crde); 2224 if (error == 0) { 2225 if (crde->crd_flags & CRD_F_ENCRYPT) 2226 sc->stats_authenc_encrypt++; 2227 else 2228 sc->stats_authenc_decrypt++; 2229 } 2230 break; 2231 case GCM: 2232 error = 0; 2233 if (crd->crd_alg == CRYPTO_AES_NIST_GCM_16) { 2234 crde = crd; 2235 crda = crd->crd_next; 2236 } else { 2237 crda = crd; 2238 crde = crd->crd_next; 2239 } 2240 if (crda->crd_flags & CRD_F_KEY_EXPLICIT) 2241 ccr_init_gmac_hash(s, crda->crd_key, crda->crd_klen); 2242 if (crde->crd_flags & CRD_F_KEY_EXPLICIT) { 2243 error = ccr_aes_check_keylen(crde->crd_alg, 2244 crde->crd_klen); 2245 if (error) 2246 break; 2247 ccr_aes_setkey(s, crde->crd_alg, crde->crd_key, 2248 crde->crd_klen); 2249 } 2250 if (crde->crd_len == 0) { 2251 mtx_unlock(&sc->lock); 2252 ccr_gcm_soft(s, crp, crda, crde); 2253 return (0); 2254 } 2255 error = ccr_gcm(sc, sid, s, crp, crda, crde); 2256 if (error == EMSGSIZE) { 2257 sc->stats_sw_fallback++; 2258 mtx_unlock(&sc->lock); 2259 ccr_gcm_soft(s, crp, crda, crde); 2260 return (0); 2261 } 2262 if (error == 0) { 2263 if (crde->crd_flags & CRD_F_ENCRYPT) 2264 sc->stats_gcm_encrypt++; 2265 else 2266 sc->stats_gcm_decrypt++; 2267 } 2268 break; 2269 } 2270 2271 if (error == 0) { 2272 s->pending++; 2273 sc->stats_inflight++; 2274 } else 2275 sc->stats_process_error++; 2276 2277 out: 2278 mtx_unlock(&sc->lock); 2279 2280 if (error) { 2281 crp->crp_etype = error; 2282 crypto_done(crp); 2283 } 2284 2285 return (0); 2286 } 2287 2288 static int 2289 do_cpl6_fw_pld(struct sge_iq *iq, const struct rss_header *rss, 2290 struct mbuf *m) 2291 { 2292 struct ccr_softc *sc = iq->adapter->ccr_softc; 2293 struct ccr_session *s; 2294 const struct cpl_fw6_pld *cpl; 2295 struct cryptop *crp; 2296 uint32_t sid, status; 2297 int error; 2298 2299 if (m != NULL) 2300 cpl = mtod(m, const void *); 2301 else 2302 cpl = (const void *)(rss + 1); 2303 2304 crp = (struct cryptop *)(uintptr_t)be64toh(cpl->data[1]); 2305 sid = CRYPTO_SESID2LID(crp->crp_sid); 2306 status = be64toh(cpl->data[0]); 2307 if (CHK_MAC_ERR_BIT(status) || CHK_PAD_ERR_BIT(status)) 2308 error = EBADMSG; 2309 else 2310 error = 0; 2311 2312 mtx_lock(&sc->lock); 2313 MPASS(sid < sc->nsessions); 2314 s = &sc->sessions[sid]; 2315 s->pending--; 2316 sc->stats_inflight--; 2317 2318 switch (s->mode) { 2319 case HMAC: 2320 error = ccr_hmac_done(sc, s, crp, cpl, error); 2321 break; 2322 case BLKCIPHER: 2323 error = ccr_blkcipher_done(sc, s, crp, cpl, error); 2324 break; 2325 case AUTHENC: 2326 error = ccr_authenc_done(sc, s, crp, cpl, error); 2327 break; 2328 case GCM: 2329 error = ccr_gcm_done(sc, s, crp, cpl, error); 2330 break; 2331 } 2332 2333 if (error == EBADMSG) { 2334 if (CHK_MAC_ERR_BIT(status)) 2335 sc->stats_mac_error++; 2336 if (CHK_PAD_ERR_BIT(status)) 2337 sc->stats_pad_error++; 2338 } 2339 mtx_unlock(&sc->lock); 2340 crp->crp_etype = error; 2341 crypto_done(crp); 2342 m_freem(m); 2343 return (0); 2344 } 2345 2346 static int 2347 ccr_modevent(module_t mod, int cmd, void *arg) 2348 { 2349 2350 switch (cmd) { 2351 case MOD_LOAD: 2352 t4_register_cpl_handler(CPL_FW6_PLD, do_cpl6_fw_pld); 2353 return (0); 2354 case MOD_UNLOAD: 2355 t4_register_cpl_handler(CPL_FW6_PLD, NULL); 2356 return (0); 2357 default: 2358 return (EOPNOTSUPP); 2359 } 2360 } 2361 2362 static device_method_t ccr_methods[] = { 2363 DEVMETHOD(device_identify, ccr_identify), 2364 DEVMETHOD(device_probe, ccr_probe), 2365 DEVMETHOD(device_attach, ccr_attach), 2366 DEVMETHOD(device_detach, ccr_detach), 2367 2368 DEVMETHOD(cryptodev_newsession, ccr_newsession), 2369 DEVMETHOD(cryptodev_freesession, ccr_freesession), 2370 DEVMETHOD(cryptodev_process, ccr_process), 2371 2372 DEVMETHOD_END 2373 }; 2374 2375 static driver_t ccr_driver = { 2376 "ccr", 2377 ccr_methods, 2378 sizeof(struct ccr_softc) 2379 }; 2380 2381 static devclass_t ccr_devclass; 2382 2383 DRIVER_MODULE(ccr, t6nex, ccr_driver, ccr_devclass, ccr_modevent, NULL); 2384 MODULE_VERSION(ccr, 1); 2385 MODULE_DEPEND(ccr, crypto, 1, 1, 1); 2386 MODULE_DEPEND(ccr, t6nex, 1, 1, 1); 2387