1 /*- 2 * Copyright (c) 2017 Chelsio Communications, Inc. 3 * All rights reserved. 4 * Written by: John Baldwin <jhb@FreeBSD.org> 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/types.h> 32 #include <sys/bus.h> 33 #include <sys/lock.h> 34 #include <sys/malloc.h> 35 #include <sys/mutex.h> 36 #include <sys/module.h> 37 #include <sys/sglist.h> 38 39 #include <opencrypto/cryptodev.h> 40 #include <opencrypto/xform.h> 41 42 #include "cryptodev_if.h" 43 44 #include "common/common.h" 45 #include "crypto/t4_crypto.h" 46 47 /* 48 * Requests consist of: 49 * 50 * +-------------------------------+ 51 * | struct fw_crypto_lookaside_wr | 52 * +-------------------------------+ 53 * | struct ulp_txpkt | 54 * +-------------------------------+ 55 * | struct ulptx_idata | 56 * +-------------------------------+ 57 * | struct cpl_tx_sec_pdu | 58 * +-------------------------------+ 59 * | struct cpl_tls_tx_scmd_fmt | 60 * +-------------------------------+ 61 * | key context header | 62 * +-------------------------------+ 63 * | AES key | ----- For requests with AES 64 * +-------------------------------+ 65 * | Hash state | ----- For hash-only requests 66 * +-------------------------------+ - 67 * | IPAD (16-byte aligned) | \ 68 * +-------------------------------+ +---- For requests with HMAC 69 * | OPAD (16-byte aligned) | / 70 * +-------------------------------+ - 71 * | GMAC H | ----- For AES-GCM 72 * +-------------------------------+ - 73 * | struct cpl_rx_phys_dsgl | \ 74 * +-------------------------------+ +---- Destination buffer for 75 * | PHYS_DSGL entries | / non-hash-only requests 76 * +-------------------------------+ - 77 * | 16 dummy bytes | ----- Only for HMAC/hash-only requests 78 * +-------------------------------+ 79 * | IV | ----- If immediate IV 80 * +-------------------------------+ 81 * | Payload | ----- If immediate Payload 82 * +-------------------------------+ - 83 * | struct ulptx_sgl | \ 84 * +-------------------------------+ +---- If payload via SGL 85 * | SGL entries | / 86 * +-------------------------------+ - 87 * 88 * Note that the key context must be padded to ensure 16-byte alignment. 89 * For HMAC requests, the key consists of the partial hash of the IPAD 90 * followed by the partial hash of the OPAD. 91 * 92 * Replies consist of: 93 * 94 * +-------------------------------+ 95 * | struct cpl_fw6_pld | 96 * +-------------------------------+ 97 * | hash digest | ----- For HMAC request with 98 * +-------------------------------+ 'hash_size' set in work request 99 * 100 * A 32-bit big-endian error status word is supplied in the last 4 101 * bytes of data[0] in the CPL_FW6_PLD message. bit 0 indicates a 102 * "MAC" error and bit 1 indicates a "PAD" error. 103 * 104 * The 64-bit 'cookie' field from the fw_crypto_lookaside_wr message 105 * in the request is returned in data[1] of the CPL_FW6_PLD message. 106 * 107 * For block cipher replies, the updated IV is supplied in data[2] and 108 * data[3] of the CPL_FW6_PLD message. 109 * 110 * For hash replies where the work request set 'hash_size' to request 111 * a copy of the hash in the reply, the hash digest is supplied 112 * immediately following the CPL_FW6_PLD message. 113 */ 114 115 /* 116 * The crypto engine supports a maximum AAD size of 511 bytes. 117 */ 118 #define MAX_AAD_LEN 511 119 120 /* 121 * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32 SG 122 * entries. While the CPL includes a 16-bit length field, the T6 can 123 * sometimes hang if an error occurs while processing a request with a 124 * single DSGL entry larger than 2k. 125 */ 126 #define MAX_RX_PHYS_DSGL_SGE 32 127 #define DSGL_SGE_MAXLEN 2048 128 129 /* 130 * The adapter only supports requests with a total input or output 131 * length of 64k-1 or smaller. Longer requests either result in hung 132 * requests or incorrect results. 133 */ 134 #define MAX_REQUEST_SIZE 65535 135 136 static MALLOC_DEFINE(M_CCR, "ccr", "Chelsio T6 crypto"); 137 138 struct ccr_session_hmac { 139 struct auth_hash *auth_hash; 140 int hash_len; 141 unsigned int partial_digest_len; 142 unsigned int auth_mode; 143 unsigned int mk_size; 144 char pads[CHCR_HASH_MAX_BLOCK_SIZE_128 * 2]; 145 }; 146 147 struct ccr_session_gmac { 148 int hash_len; 149 char ghash_h[GMAC_BLOCK_LEN]; 150 }; 151 152 struct ccr_session_ccm_mac { 153 int hash_len; 154 }; 155 156 struct ccr_session_blkcipher { 157 unsigned int cipher_mode; 158 unsigned int key_len; 159 unsigned int iv_len; 160 __be32 key_ctx_hdr; 161 char enckey[CHCR_AES_MAX_KEY_LEN]; 162 char deckey[CHCR_AES_MAX_KEY_LEN]; 163 }; 164 165 struct ccr_session { 166 bool active; 167 int pending; 168 enum { HASH, HMAC, BLKCIPHER, ETA, GCM, CCM } mode; 169 union { 170 struct ccr_session_hmac hmac; 171 struct ccr_session_gmac gmac; 172 struct ccr_session_ccm_mac ccm_mac; 173 }; 174 struct ccr_session_blkcipher blkcipher; 175 }; 176 177 struct ccr_softc { 178 struct adapter *adapter; 179 device_t dev; 180 uint32_t cid; 181 int tx_channel_id; 182 struct mtx lock; 183 bool detaching; 184 struct sge_wrq *txq; 185 struct sge_rxq *rxq; 186 187 /* 188 * Pre-allocate S/G lists used when preparing a work request. 189 * 'sg_crp' contains an sglist describing the entire buffer 190 * for a 'struct cryptop'. 'sg_ulptx' is used to describe 191 * the data the engine should DMA as input via ULPTX_SGL. 192 * 'sg_dsgl' is used to describe the destination that cipher 193 * text and a tag should be written to. 194 */ 195 struct sglist *sg_crp; 196 struct sglist *sg_ulptx; 197 struct sglist *sg_dsgl; 198 199 /* 200 * Pre-allocate a dummy output buffer for the IV and AAD for 201 * AEAD requests. 202 */ 203 char *iv_aad_buf; 204 struct sglist *sg_iv_aad; 205 206 /* Statistics. */ 207 uint64_t stats_blkcipher_encrypt; 208 uint64_t stats_blkcipher_decrypt; 209 uint64_t stats_hash; 210 uint64_t stats_hmac; 211 uint64_t stats_eta_encrypt; 212 uint64_t stats_eta_decrypt; 213 uint64_t stats_gcm_encrypt; 214 uint64_t stats_gcm_decrypt; 215 uint64_t stats_ccm_encrypt; 216 uint64_t stats_ccm_decrypt; 217 uint64_t stats_wr_nomem; 218 uint64_t stats_inflight; 219 uint64_t stats_mac_error; 220 uint64_t stats_pad_error; 221 uint64_t stats_bad_session; 222 uint64_t stats_sglist_error; 223 uint64_t stats_process_error; 224 uint64_t stats_sw_fallback; 225 }; 226 227 /* 228 * Crypto requests involve two kind of scatter/gather lists. 229 * 230 * Non-hash-only requests require a PHYS_DSGL that describes the 231 * location to store the results of the encryption or decryption 232 * operation. This SGL uses a different format (PHYS_DSGL) and should 233 * exclude the skip bytes at the start of the data as well as any AAD 234 * or IV. For authenticated encryption requests it should include the 235 * destination of the hash or tag. 236 * 237 * The input payload may either be supplied inline as immediate data, 238 * or via a standard ULP_TX SGL. This SGL should include AAD, 239 * ciphertext, and the hash or tag for authenticated decryption 240 * requests. 241 * 242 * These scatter/gather lists can describe different subsets of the 243 * buffer described by the crypto operation. ccr_populate_sglist() 244 * generates a scatter/gather list that covers the entire crypto 245 * operation buffer that is then used to construct the other 246 * scatter/gather lists. 247 */ 248 static int 249 ccr_populate_sglist(struct sglist *sg, struct cryptop *crp) 250 { 251 int error; 252 253 sglist_reset(sg); 254 switch (crp->crp_buf_type) { 255 case CRYPTO_BUF_MBUF: 256 error = sglist_append_mbuf(sg, crp->crp_mbuf); 257 break; 258 case CRYPTO_BUF_UIO: 259 error = sglist_append_uio(sg, crp->crp_uio); 260 break; 261 case CRYPTO_BUF_CONTIG: 262 error = sglist_append(sg, crp->crp_buf, crp->crp_ilen); 263 break; 264 default: 265 error = EINVAL; 266 } 267 return (error); 268 } 269 270 /* 271 * Segments in 'sg' larger than 'maxsegsize' are counted as multiple 272 * segments. 273 */ 274 static int 275 ccr_count_sgl(struct sglist *sg, int maxsegsize) 276 { 277 int i, nsegs; 278 279 nsegs = 0; 280 for (i = 0; i < sg->sg_nseg; i++) 281 nsegs += howmany(sg->sg_segs[i].ss_len, maxsegsize); 282 return (nsegs); 283 } 284 285 /* These functions deal with PHYS_DSGL for the reply buffer. */ 286 static inline int 287 ccr_phys_dsgl_len(int nsegs) 288 { 289 int len; 290 291 len = (nsegs / 8) * sizeof(struct phys_sge_pairs); 292 if ((nsegs % 8) != 0) { 293 len += sizeof(uint16_t) * 8; 294 len += roundup2(nsegs % 8, 2) * sizeof(uint64_t); 295 } 296 return (len); 297 } 298 299 static void 300 ccr_write_phys_dsgl(struct ccr_softc *sc, void *dst, int nsegs) 301 { 302 struct sglist *sg; 303 struct cpl_rx_phys_dsgl *cpl; 304 struct phys_sge_pairs *sgl; 305 vm_paddr_t paddr; 306 size_t seglen; 307 u_int i, j; 308 309 sg = sc->sg_dsgl; 310 cpl = dst; 311 cpl->op_to_tid = htobe32(V_CPL_RX_PHYS_DSGL_OPCODE(CPL_RX_PHYS_DSGL) | 312 V_CPL_RX_PHYS_DSGL_ISRDMA(0)); 313 cpl->pcirlxorder_to_noofsgentr = htobe32( 314 V_CPL_RX_PHYS_DSGL_PCIRLXORDER(0) | 315 V_CPL_RX_PHYS_DSGL_PCINOSNOOP(0) | 316 V_CPL_RX_PHYS_DSGL_PCITPHNTENB(0) | V_CPL_RX_PHYS_DSGL_DCAID(0) | 317 V_CPL_RX_PHYS_DSGL_NOOFSGENTR(nsegs)); 318 cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR; 319 cpl->rss_hdr_int.qid = htobe16(sc->rxq->iq.abs_id); 320 cpl->rss_hdr_int.hash_val = 0; 321 sgl = (struct phys_sge_pairs *)(cpl + 1); 322 j = 0; 323 for (i = 0; i < sg->sg_nseg; i++) { 324 seglen = sg->sg_segs[i].ss_len; 325 paddr = sg->sg_segs[i].ss_paddr; 326 do { 327 sgl->addr[j] = htobe64(paddr); 328 if (seglen > DSGL_SGE_MAXLEN) { 329 sgl->len[j] = htobe16(DSGL_SGE_MAXLEN); 330 paddr += DSGL_SGE_MAXLEN; 331 seglen -= DSGL_SGE_MAXLEN; 332 } else { 333 sgl->len[j] = htobe16(seglen); 334 seglen = 0; 335 } 336 j++; 337 if (j == 8) { 338 sgl++; 339 j = 0; 340 } 341 } while (seglen != 0); 342 } 343 MPASS(j + 8 * (sgl - (struct phys_sge_pairs *)(cpl + 1)) == nsegs); 344 } 345 346 /* These functions deal with the ULPTX_SGL for input payload. */ 347 static inline int 348 ccr_ulptx_sgl_len(int nsegs) 349 { 350 u_int n; 351 352 nsegs--; /* first segment is part of ulptx_sgl */ 353 n = sizeof(struct ulptx_sgl) + 8 * ((3 * nsegs) / 2 + (nsegs & 1)); 354 return (roundup2(n, 16)); 355 } 356 357 static void 358 ccr_write_ulptx_sgl(struct ccr_softc *sc, void *dst, int nsegs) 359 { 360 struct ulptx_sgl *usgl; 361 struct sglist *sg; 362 struct sglist_seg *ss; 363 int i; 364 365 sg = sc->sg_ulptx; 366 MPASS(nsegs == sg->sg_nseg); 367 ss = &sg->sg_segs[0]; 368 usgl = dst; 369 usgl->cmd_nsge = htobe32(V_ULPTX_CMD(ULP_TX_SC_DSGL) | 370 V_ULPTX_NSGE(nsegs)); 371 usgl->len0 = htobe32(ss->ss_len); 372 usgl->addr0 = htobe64(ss->ss_paddr); 373 ss++; 374 for (i = 0; i < sg->sg_nseg - 1; i++) { 375 usgl->sge[i / 2].len[i & 1] = htobe32(ss->ss_len); 376 usgl->sge[i / 2].addr[i & 1] = htobe64(ss->ss_paddr); 377 ss++; 378 } 379 380 } 381 382 static bool 383 ccr_use_imm_data(u_int transhdr_len, u_int input_len) 384 { 385 386 if (input_len > CRYPTO_MAX_IMM_TX_PKT_LEN) 387 return (false); 388 if (roundup2(transhdr_len, 16) + roundup2(input_len, 16) > 389 SGE_MAX_WR_LEN) 390 return (false); 391 return (true); 392 } 393 394 static void 395 ccr_populate_wreq(struct ccr_softc *sc, struct chcr_wr *crwr, u_int kctx_len, 396 u_int wr_len, u_int imm_len, u_int sgl_len, u_int hash_size, 397 struct cryptop *crp) 398 { 399 u_int cctx_size, idata_len; 400 401 cctx_size = sizeof(struct _key_ctx) + kctx_len; 402 crwr->wreq.op_to_cctx_size = htobe32( 403 V_FW_CRYPTO_LOOKASIDE_WR_OPCODE(FW_CRYPTO_LOOKASIDE_WR) | 404 V_FW_CRYPTO_LOOKASIDE_WR_COMPL(0) | 405 V_FW_CRYPTO_LOOKASIDE_WR_IMM_LEN(imm_len) | 406 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_LOC(1) | 407 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_SIZE(cctx_size >> 4)); 408 crwr->wreq.len16_pkd = htobe32( 409 V_FW_CRYPTO_LOOKASIDE_WR_LEN16(wr_len / 16)); 410 crwr->wreq.session_id = 0; 411 crwr->wreq.rx_chid_to_rx_q_id = htobe32( 412 V_FW_CRYPTO_LOOKASIDE_WR_RX_CHID(sc->tx_channel_id) | 413 V_FW_CRYPTO_LOOKASIDE_WR_LCB(0) | 414 V_FW_CRYPTO_LOOKASIDE_WR_PHASH(0) | 415 V_FW_CRYPTO_LOOKASIDE_WR_IV(IV_NOP) | 416 V_FW_CRYPTO_LOOKASIDE_WR_FQIDX(0) | 417 V_FW_CRYPTO_LOOKASIDE_WR_TX_CH(0) | 418 V_FW_CRYPTO_LOOKASIDE_WR_RX_Q_ID(sc->rxq->iq.abs_id)); 419 crwr->wreq.key_addr = 0; 420 crwr->wreq.pld_size_hash_size = htobe32( 421 V_FW_CRYPTO_LOOKASIDE_WR_PLD_SIZE(sgl_len) | 422 V_FW_CRYPTO_LOOKASIDE_WR_HASH_SIZE(hash_size)); 423 crwr->wreq.cookie = htobe64((uintptr_t)crp); 424 425 crwr->ulptx.cmd_dest = htobe32(V_ULPTX_CMD(ULP_TX_PKT) | 426 V_ULP_TXPKT_DATAMODIFY(0) | 427 V_ULP_TXPKT_CHANNELID(sc->tx_channel_id) | V_ULP_TXPKT_DEST(0) | 428 V_ULP_TXPKT_FID(sc->rxq->iq.abs_id) | V_ULP_TXPKT_RO(1)); 429 crwr->ulptx.len = htobe32( 430 ((wr_len - sizeof(struct fw_crypto_lookaside_wr)) / 16)); 431 432 crwr->sc_imm.cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_IMM) | 433 V_ULP_TX_SC_MORE(sgl_len != 0 ? 1 : 0)); 434 idata_len = wr_len - offsetof(struct chcr_wr, sec_cpl) - sgl_len; 435 if (imm_len % 16 != 0) 436 idata_len -= 16 - imm_len % 16; 437 crwr->sc_imm.len = htobe32(idata_len); 438 } 439 440 static int 441 ccr_hash(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 442 { 443 struct chcr_wr *crwr; 444 struct wrqe *wr; 445 struct auth_hash *axf; 446 char *dst; 447 u_int hash_size_in_response, kctx_flits, kctx_len, transhdr_len, wr_len; 448 u_int hmac_ctrl, imm_len, iopad_size; 449 int error, sgl_nsegs, sgl_len, use_opad; 450 451 /* Reject requests with too large of an input buffer. */ 452 if (crp->crp_payload_length > MAX_REQUEST_SIZE) 453 return (EFBIG); 454 455 axf = s->hmac.auth_hash; 456 457 if (s->mode == HMAC) { 458 use_opad = 1; 459 hmac_ctrl = SCMD_HMAC_CTRL_NO_TRUNC; 460 } else { 461 use_opad = 0; 462 hmac_ctrl = SCMD_HMAC_CTRL_NOP; 463 } 464 465 /* PADs must be 128-bit aligned. */ 466 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 467 468 /* 469 * The 'key' part of the context includes the aligned IPAD and 470 * OPAD. 471 */ 472 kctx_len = iopad_size; 473 if (use_opad) 474 kctx_len += iopad_size; 475 hash_size_in_response = axf->hashsize; 476 transhdr_len = HASH_TRANSHDR_SIZE(kctx_len); 477 478 if (crp->crp_payload_length == 0) { 479 imm_len = axf->blocksize; 480 sgl_nsegs = 0; 481 sgl_len = 0; 482 } else if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length)) { 483 imm_len = crp->crp_payload_length; 484 sgl_nsegs = 0; 485 sgl_len = 0; 486 } else { 487 imm_len = 0; 488 sglist_reset(sc->sg_ulptx); 489 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 490 crp->crp_payload_start, crp->crp_payload_length); 491 if (error) 492 return (error); 493 sgl_nsegs = sc->sg_ulptx->sg_nseg; 494 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 495 } 496 497 wr_len = roundup2(transhdr_len, 16) + roundup2(imm_len, 16) + sgl_len; 498 if (wr_len > SGE_MAX_WR_LEN) 499 return (EFBIG); 500 wr = alloc_wrqe(wr_len, sc->txq); 501 if (wr == NULL) { 502 sc->stats_wr_nomem++; 503 return (ENOMEM); 504 } 505 crwr = wrtod(wr); 506 memset(crwr, 0, wr_len); 507 508 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, imm_len, sgl_len, 509 hash_size_in_response, crp); 510 511 /* XXX: Hardcodes SGE loopback channel of 0. */ 512 crwr->sec_cpl.op_ivinsrtofst = htobe32( 513 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 514 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 515 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 516 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 517 V_CPL_TX_SEC_PDU_IVINSRTOFST(0)); 518 519 crwr->sec_cpl.pldlen = htobe32(crp->crp_payload_length == 0 ? 520 axf->blocksize : crp->crp_payload_length); 521 522 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 523 V_CPL_TX_SEC_PDU_AUTHSTART(1) | V_CPL_TX_SEC_PDU_AUTHSTOP(0)); 524 525 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 526 crwr->sec_cpl.seqno_numivs = htobe32( 527 V_SCMD_SEQ_NO_CTRL(0) | 528 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 529 V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_NOP) | 530 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 531 V_SCMD_HMAC_CTRL(hmac_ctrl)); 532 crwr->sec_cpl.ivgen_hdrlen = htobe32( 533 V_SCMD_LAST_FRAG(0) | 534 V_SCMD_MORE_FRAGS(crp->crp_payload_length == 0 ? 1 : 0) | 535 V_SCMD_MAC_ONLY(1)); 536 537 memcpy(crwr->key_ctx.key, s->hmac.pads, kctx_len); 538 539 /* XXX: F_KEY_CONTEXT_SALT_PRESENT set, but 'salt' not set. */ 540 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 541 crwr->key_ctx.ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 542 V_KEY_CONTEXT_OPAD_PRESENT(use_opad) | 543 V_KEY_CONTEXT_SALT_PRESENT(1) | 544 V_KEY_CONTEXT_CK_SIZE(CHCR_KEYCTX_NO_KEY) | 545 V_KEY_CONTEXT_MK_SIZE(s->hmac.mk_size) | V_KEY_CONTEXT_VALID(1)); 546 547 dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES; 548 if (crp->crp_payload_length == 0) { 549 dst[0] = 0x80; 550 if (s->mode == HMAC) 551 *(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) = 552 htobe64(axf->blocksize << 3); 553 } else if (imm_len != 0) 554 crypto_copydata(crp, crp->crp_payload_start, 555 crp->crp_payload_length, dst); 556 else 557 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 558 559 /* XXX: TODO backpressure */ 560 t4_wrq_tx(sc->adapter, wr); 561 562 return (0); 563 } 564 565 static int 566 ccr_hash_done(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp, 567 const struct cpl_fw6_pld *cpl, int error) 568 { 569 uint8_t hash[HASH_MAX_LEN]; 570 571 if (error) 572 return (error); 573 574 if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) { 575 crypto_copydata(crp, crp->crp_digest_start, s->hmac.hash_len, 576 hash); 577 if (timingsafe_bcmp((cpl + 1), hash, s->hmac.hash_len) != 0) 578 return (EBADMSG); 579 } else 580 crypto_copyback(crp, crp->crp_digest_start, s->hmac.hash_len, 581 (cpl + 1)); 582 return (0); 583 } 584 585 static int 586 ccr_blkcipher(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 587 { 588 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 589 struct chcr_wr *crwr; 590 struct wrqe *wr; 591 char *dst; 592 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 593 u_int imm_len, iv_len; 594 int dsgl_nsegs, dsgl_len; 595 int sgl_nsegs, sgl_len; 596 int error; 597 598 if (s->blkcipher.key_len == 0 || crp->crp_payload_length == 0) 599 return (EINVAL); 600 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC && 601 (crp->crp_payload_length % AES_BLOCK_LEN) != 0) 602 return (EINVAL); 603 604 /* Reject requests with too large of an input buffer. */ 605 if (crp->crp_payload_length > MAX_REQUEST_SIZE) 606 return (EFBIG); 607 608 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 609 op_type = CHCR_ENCRYPT_OP; 610 else 611 op_type = CHCR_DECRYPT_OP; 612 613 sglist_reset(sc->sg_dsgl); 614 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 615 crp->crp_payload_start, crp->crp_payload_length); 616 if (error) 617 return (error); 618 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 619 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 620 return (EFBIG); 621 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 622 623 /* The 'key' must be 128-bit aligned. */ 624 kctx_len = roundup2(s->blkcipher.key_len, 16); 625 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 626 627 /* For AES-XTS we send a 16-byte IV in the work request. */ 628 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS) 629 iv_len = AES_BLOCK_LEN; 630 else 631 iv_len = s->blkcipher.iv_len; 632 633 if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length + iv_len)) { 634 imm_len = crp->crp_payload_length; 635 sgl_nsegs = 0; 636 sgl_len = 0; 637 } else { 638 imm_len = 0; 639 sglist_reset(sc->sg_ulptx); 640 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 641 crp->crp_payload_start, crp->crp_payload_length); 642 if (error) 643 return (error); 644 sgl_nsegs = sc->sg_ulptx->sg_nseg; 645 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 646 } 647 648 wr_len = roundup2(transhdr_len, 16) + iv_len + 649 roundup2(imm_len, 16) + sgl_len; 650 if (wr_len > SGE_MAX_WR_LEN) 651 return (EFBIG); 652 wr = alloc_wrqe(wr_len, sc->txq); 653 if (wr == NULL) { 654 sc->stats_wr_nomem++; 655 return (ENOMEM); 656 } 657 crwr = wrtod(wr); 658 memset(crwr, 0, wr_len); 659 660 /* 661 * Read the existing IV from the request or generate a random 662 * one if none is provided. 663 */ 664 if (crp->crp_flags & CRYPTO_F_IV_GENERATE) { 665 arc4rand(iv, s->blkcipher.iv_len, 0); 666 crypto_copyback(crp, crp->crp_iv_start, s->blkcipher.iv_len, 667 iv); 668 } else if (crp->crp_flags & CRYPTO_F_IV_SEPARATE) 669 memcpy(iv, crp->crp_iv, s->blkcipher.iv_len); 670 else 671 crypto_copydata(crp, crp->crp_iv_start, s->blkcipher.iv_len, 672 iv); 673 674 /* Zero the remainder of the IV for AES-XTS. */ 675 memset(iv + s->blkcipher.iv_len, 0, iv_len - s->blkcipher.iv_len); 676 677 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, imm_len, sgl_len, 0, 678 crp); 679 680 /* XXX: Hardcodes SGE loopback channel of 0. */ 681 crwr->sec_cpl.op_ivinsrtofst = htobe32( 682 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 683 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 684 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 685 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 686 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 687 688 crwr->sec_cpl.pldlen = htobe32(iv_len + crp->crp_payload_length); 689 690 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 691 V_CPL_TX_SEC_PDU_CIPHERSTART(iv_len + 1) | 692 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 693 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 694 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0)); 695 696 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 697 crwr->sec_cpl.seqno_numivs = htobe32( 698 V_SCMD_SEQ_NO_CTRL(0) | 699 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 700 V_SCMD_ENC_DEC_CTRL(op_type) | 701 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) | 702 V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_NOP) | 703 V_SCMD_HMAC_CTRL(SCMD_HMAC_CTRL_NOP) | 704 V_SCMD_IV_SIZE(iv_len / 2) | 705 V_SCMD_NUM_IVS(0)); 706 crwr->sec_cpl.ivgen_hdrlen = htobe32( 707 V_SCMD_IV_GEN_CTRL(0) | 708 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 709 V_SCMD_AADIVDROP(1) | V_SCMD_HDR_LEN(dsgl_len)); 710 711 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 712 switch (s->blkcipher.cipher_mode) { 713 case SCMD_CIPH_MODE_AES_CBC: 714 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 715 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 716 s->blkcipher.key_len); 717 else 718 memcpy(crwr->key_ctx.key, s->blkcipher.deckey, 719 s->blkcipher.key_len); 720 break; 721 case SCMD_CIPH_MODE_AES_CTR: 722 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 723 s->blkcipher.key_len); 724 break; 725 case SCMD_CIPH_MODE_AES_XTS: 726 key_half = s->blkcipher.key_len / 2; 727 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half, 728 key_half); 729 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 730 memcpy(crwr->key_ctx.key + key_half, 731 s->blkcipher.enckey, key_half); 732 else 733 memcpy(crwr->key_ctx.key + key_half, 734 s->blkcipher.deckey, key_half); 735 break; 736 } 737 738 dst = (char *)(crwr + 1) + kctx_len; 739 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 740 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 741 memcpy(dst, iv, iv_len); 742 dst += iv_len; 743 if (imm_len != 0) 744 crypto_copydata(crp, crp->crp_payload_start, 745 crp->crp_payload_length, dst); 746 else 747 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 748 749 /* XXX: TODO backpressure */ 750 t4_wrq_tx(sc->adapter, wr); 751 752 return (0); 753 } 754 755 static int 756 ccr_blkcipher_done(struct ccr_softc *sc, struct ccr_session *s, 757 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 758 { 759 760 /* 761 * The updated IV to permit chained requests is at 762 * cpl->data[2], but OCF doesn't permit chained requests. 763 */ 764 return (error); 765 } 766 767 /* 768 * 'hashsize' is the length of a full digest. 'authsize' is the 769 * requested digest length for this operation which may be less 770 * than 'hashsize'. 771 */ 772 static int 773 ccr_hmac_ctrl(unsigned int hashsize, unsigned int authsize) 774 { 775 776 if (authsize == 10) 777 return (SCMD_HMAC_CTRL_TRUNC_RFC4366); 778 if (authsize == 12) 779 return (SCMD_HMAC_CTRL_IPSEC_96BIT); 780 if (authsize == hashsize / 2) 781 return (SCMD_HMAC_CTRL_DIV2); 782 return (SCMD_HMAC_CTRL_NO_TRUNC); 783 } 784 785 static int 786 ccr_eta(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 787 { 788 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 789 struct chcr_wr *crwr; 790 struct wrqe *wr; 791 struct auth_hash *axf; 792 char *dst; 793 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 794 u_int hash_size_in_response, imm_len, iopad_size, iv_len; 795 u_int aad_start, aad_stop; 796 u_int auth_insert; 797 u_int cipher_start, cipher_stop; 798 u_int hmac_ctrl, input_len; 799 int dsgl_nsegs, dsgl_len; 800 int sgl_nsegs, sgl_len; 801 int error; 802 803 /* 804 * If there is a need in the future, requests with an empty 805 * payload could be supported as HMAC-only requests. 806 */ 807 if (s->blkcipher.key_len == 0 || crp->crp_payload_length == 0) 808 return (EINVAL); 809 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC && 810 (crp->crp_payload_length % AES_BLOCK_LEN) != 0) 811 return (EINVAL); 812 813 /* For AES-XTS we send a 16-byte IV in the work request. */ 814 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS) 815 iv_len = AES_BLOCK_LEN; 816 else 817 iv_len = s->blkcipher.iv_len; 818 819 if (crp->crp_aad_length + iv_len > MAX_AAD_LEN) 820 return (EINVAL); 821 822 axf = s->hmac.auth_hash; 823 hash_size_in_response = s->hmac.hash_len; 824 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 825 op_type = CHCR_ENCRYPT_OP; 826 else 827 op_type = CHCR_DECRYPT_OP; 828 829 /* 830 * The output buffer consists of the cipher text followed by 831 * the hash when encrypting. For decryption it only contains 832 * the plain text. 833 * 834 * Due to a firmware bug, the output buffer must include a 835 * dummy output buffer for the IV and AAD prior to the real 836 * output buffer. 837 */ 838 if (op_type == CHCR_ENCRYPT_OP) { 839 if (iv_len + crp->crp_aad_length + crp->crp_payload_length + 840 hash_size_in_response > MAX_REQUEST_SIZE) 841 return (EFBIG); 842 } else { 843 if (iv_len + crp->crp_aad_length + crp->crp_payload_length > 844 MAX_REQUEST_SIZE) 845 return (EFBIG); 846 } 847 sglist_reset(sc->sg_dsgl); 848 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, 849 iv_len + crp->crp_aad_length); 850 if (error) 851 return (error); 852 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 853 crp->crp_payload_start, crp->crp_payload_length); 854 if (error) 855 return (error); 856 if (op_type == CHCR_ENCRYPT_OP) { 857 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 858 crp->crp_digest_start, hash_size_in_response); 859 if (error) 860 return (error); 861 } 862 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 863 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 864 return (EFBIG); 865 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 866 867 /* PADs must be 128-bit aligned. */ 868 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 869 870 /* 871 * The 'key' part of the key context consists of the key followed 872 * by the IPAD and OPAD. 873 */ 874 kctx_len = roundup2(s->blkcipher.key_len, 16) + iopad_size * 2; 875 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 876 877 /* 878 * The input buffer consists of the IV, any AAD, and then the 879 * cipher/plain text. For decryption requests the hash is 880 * appended after the cipher text. 881 * 882 * The IV is always stored at the start of the input buffer 883 * even though it may be duplicated in the payload. The 884 * crypto engine doesn't work properly if the IV offset points 885 * inside of the AAD region, so a second copy is always 886 * required. 887 */ 888 input_len = crp->crp_aad_length + crp->crp_payload_length; 889 890 /* 891 * The firmware hangs if sent a request which is a 892 * bit smaller than MAX_REQUEST_SIZE. In particular, the 893 * firmware appears to require 512 - 16 bytes of spare room 894 * along with the size of the hash even if the hash isn't 895 * included in the input buffer. 896 */ 897 if (input_len + roundup2(axf->hashsize, 16) + (512 - 16) > 898 MAX_REQUEST_SIZE) 899 return (EFBIG); 900 if (op_type == CHCR_DECRYPT_OP) 901 input_len += hash_size_in_response; 902 903 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 904 imm_len = input_len; 905 sgl_nsegs = 0; 906 sgl_len = 0; 907 } else { 908 imm_len = 0; 909 sglist_reset(sc->sg_ulptx); 910 if (crp->crp_aad_length != 0) { 911 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 912 crp->crp_aad_start, crp->crp_aad_length); 913 if (error) 914 return (error); 915 } 916 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 917 crp->crp_payload_start, crp->crp_payload_length); 918 if (error) 919 return (error); 920 if (op_type == CHCR_DECRYPT_OP) { 921 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 922 crp->crp_digest_start, hash_size_in_response); 923 if (error) 924 return (error); 925 } 926 sgl_nsegs = sc->sg_ulptx->sg_nseg; 927 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 928 } 929 930 /* 931 * Any auth-only data before the cipher region is marked as AAD. 932 * Auth-data that overlaps with the cipher region is placed in 933 * the auth section. 934 */ 935 if (crp->crp_aad_length != 0) { 936 aad_start = iv_len + 1; 937 aad_stop = aad_start + crp->crp_aad_length - 1; 938 } else { 939 aad_start = 0; 940 aad_stop = 0; 941 } 942 cipher_start = iv_len + crp->crp_aad_length + 1; 943 if (op_type == CHCR_DECRYPT_OP) 944 cipher_stop = hash_size_in_response; 945 else 946 cipher_stop = 0; 947 if (op_type == CHCR_DECRYPT_OP) 948 auth_insert = hash_size_in_response; 949 else 950 auth_insert = 0; 951 952 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 953 sgl_len; 954 if (wr_len > SGE_MAX_WR_LEN) 955 return (EFBIG); 956 wr = alloc_wrqe(wr_len, sc->txq); 957 if (wr == NULL) { 958 sc->stats_wr_nomem++; 959 return (ENOMEM); 960 } 961 crwr = wrtod(wr); 962 memset(crwr, 0, wr_len); 963 964 /* 965 * Read the existing IV from the request or generate a random 966 * one if none is provided. 967 */ 968 if (crp->crp_flags & CRYPTO_F_IV_GENERATE) { 969 arc4rand(iv, s->blkcipher.iv_len, 0); 970 crypto_copyback(crp, crp->crp_iv_start, s->blkcipher.iv_len, 971 iv); 972 } else if (crp->crp_flags & CRYPTO_F_IV_SEPARATE) 973 memcpy(iv, crp->crp_iv, s->blkcipher.iv_len); 974 else 975 crypto_copydata(crp, crp->crp_iv_start, s->blkcipher.iv_len, 976 iv); 977 978 /* Zero the remainder of the IV for AES-XTS. */ 979 memset(iv + s->blkcipher.iv_len, 0, iv_len - s->blkcipher.iv_len); 980 981 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, imm_len, sgl_len, 982 op_type == CHCR_DECRYPT_OP ? hash_size_in_response : 0, crp); 983 984 /* XXX: Hardcodes SGE loopback channel of 0. */ 985 crwr->sec_cpl.op_ivinsrtofst = htobe32( 986 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 987 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 988 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 989 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 990 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 991 992 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 993 994 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 995 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 996 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 997 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 998 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(cipher_stop >> 4)); 999 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1000 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(cipher_stop & 0xf) | 1001 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1002 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1003 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1004 1005 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1006 hmac_ctrl = ccr_hmac_ctrl(axf->hashsize, hash_size_in_response); 1007 crwr->sec_cpl.seqno_numivs = htobe32( 1008 V_SCMD_SEQ_NO_CTRL(0) | 1009 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 1010 V_SCMD_ENC_DEC_CTRL(op_type) | 1011 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 1012 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) | 1013 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 1014 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1015 V_SCMD_IV_SIZE(iv_len / 2) | 1016 V_SCMD_NUM_IVS(0)); 1017 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1018 V_SCMD_IV_GEN_CTRL(0) | 1019 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1020 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1021 1022 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1023 switch (s->blkcipher.cipher_mode) { 1024 case SCMD_CIPH_MODE_AES_CBC: 1025 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1026 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 1027 s->blkcipher.key_len); 1028 else 1029 memcpy(crwr->key_ctx.key, s->blkcipher.deckey, 1030 s->blkcipher.key_len); 1031 break; 1032 case SCMD_CIPH_MODE_AES_CTR: 1033 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, 1034 s->blkcipher.key_len); 1035 break; 1036 case SCMD_CIPH_MODE_AES_XTS: 1037 key_half = s->blkcipher.key_len / 2; 1038 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half, 1039 key_half); 1040 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1041 memcpy(crwr->key_ctx.key + key_half, 1042 s->blkcipher.enckey, key_half); 1043 else 1044 memcpy(crwr->key_ctx.key + key_half, 1045 s->blkcipher.deckey, key_half); 1046 break; 1047 } 1048 1049 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16); 1050 memcpy(dst, s->hmac.pads, iopad_size * 2); 1051 1052 dst = (char *)(crwr + 1) + kctx_len; 1053 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 1054 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1055 memcpy(dst, iv, iv_len); 1056 dst += iv_len; 1057 if (imm_len != 0) { 1058 if (crp->crp_aad_length != 0) { 1059 crypto_copydata(crp, crp->crp_aad_start, 1060 crp->crp_aad_length, dst); 1061 dst += crp->crp_aad_length; 1062 } 1063 crypto_copydata(crp, crp->crp_payload_start, 1064 crp->crp_payload_length, dst); 1065 dst += crp->crp_payload_length; 1066 if (op_type == CHCR_DECRYPT_OP) 1067 crypto_copydata(crp, crp->crp_digest_start, 1068 hash_size_in_response, dst); 1069 } else 1070 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1071 1072 /* XXX: TODO backpressure */ 1073 t4_wrq_tx(sc->adapter, wr); 1074 1075 return (0); 1076 } 1077 1078 static int 1079 ccr_eta_done(struct ccr_softc *sc, struct ccr_session *s, 1080 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1081 { 1082 1083 /* 1084 * The updated IV to permit chained requests is at 1085 * cpl->data[2], but OCF doesn't permit chained requests. 1086 */ 1087 return (error); 1088 } 1089 1090 static int 1091 ccr_gcm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 1092 { 1093 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 1094 struct chcr_wr *crwr; 1095 struct wrqe *wr; 1096 char *dst; 1097 u_int iv_len, kctx_len, op_type, transhdr_len, wr_len; 1098 u_int hash_size_in_response, imm_len; 1099 u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert; 1100 u_int hmac_ctrl, input_len; 1101 int dsgl_nsegs, dsgl_len; 1102 int sgl_nsegs, sgl_len; 1103 int error; 1104 1105 if (s->blkcipher.key_len == 0) 1106 return (EINVAL); 1107 1108 /* 1109 * The crypto engine doesn't handle GCM requests with an empty 1110 * payload, so handle those in software instead. 1111 */ 1112 if (crp->crp_payload_length == 0) 1113 return (EMSGSIZE); 1114 1115 if (crp->crp_aad_length + AES_BLOCK_LEN > MAX_AAD_LEN) 1116 return (EMSGSIZE); 1117 1118 hash_size_in_response = s->gmac.hash_len; 1119 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1120 op_type = CHCR_ENCRYPT_OP; 1121 else 1122 op_type = CHCR_DECRYPT_OP; 1123 1124 /* 1125 * The IV handling for GCM in OCF is a bit more complicated in 1126 * that IPSec provides a full 16-byte IV (including the 1127 * counter), whereas the /dev/crypto interface sometimes 1128 * provides a full 16-byte IV (if no IV is provided in the 1129 * ioctl) and sometimes a 12-byte IV (if the IV was explicit). 1130 * 1131 * When provided a 12-byte IV, assume the IV is really 16 bytes 1132 * with a counter in the last 4 bytes initialized to 1. 1133 * 1134 * While iv_len is checked below, the value is currently 1135 * always set to 12 when creating a GCM session in this driver 1136 * due to limitations in OCF (there is no way to know what the 1137 * IV length of a given request will be). This means that the 1138 * driver always assumes as 12-byte IV for now. 1139 */ 1140 if (s->blkcipher.iv_len == 12) 1141 iv_len = AES_BLOCK_LEN; 1142 else 1143 iv_len = s->blkcipher.iv_len; 1144 1145 /* 1146 * GCM requests should always provide an explicit IV. 1147 */ 1148 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) 1149 return (EINVAL); 1150 1151 /* 1152 * The output buffer consists of the cipher text followed by 1153 * the tag when encrypting. For decryption it only contains 1154 * the plain text. 1155 * 1156 * Due to a firmware bug, the output buffer must include a 1157 * dummy output buffer for the IV and AAD prior to the real 1158 * output buffer. 1159 */ 1160 if (op_type == CHCR_ENCRYPT_OP) { 1161 if (iv_len + crp->crp_aad_length + crp->crp_payload_length + 1162 hash_size_in_response > MAX_REQUEST_SIZE) 1163 return (EFBIG); 1164 } else { 1165 if (iv_len + crp->crp_aad_length + crp->crp_payload_length > 1166 MAX_REQUEST_SIZE) 1167 return (EFBIG); 1168 } 1169 sglist_reset(sc->sg_dsgl); 1170 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, iv_len + 1171 crp->crp_aad_length); 1172 if (error) 1173 return (error); 1174 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1175 crp->crp_payload_start, crp->crp_payload_length); 1176 if (error) 1177 return (error); 1178 if (op_type == CHCR_ENCRYPT_OP) { 1179 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1180 crp->crp_digest_start, hash_size_in_response); 1181 if (error) 1182 return (error); 1183 } 1184 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 1185 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 1186 return (EFBIG); 1187 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 1188 1189 /* 1190 * The 'key' part of the key context consists of the key followed 1191 * by the Galois hash key. 1192 */ 1193 kctx_len = roundup2(s->blkcipher.key_len, 16) + GMAC_BLOCK_LEN; 1194 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 1195 1196 /* 1197 * The input buffer consists of the IV, any AAD, and then the 1198 * cipher/plain text. For decryption requests the hash is 1199 * appended after the cipher text. 1200 * 1201 * The IV is always stored at the start of the input buffer 1202 * even though it may be duplicated in the payload. The 1203 * crypto engine doesn't work properly if the IV offset points 1204 * inside of the AAD region, so a second copy is always 1205 * required. 1206 */ 1207 input_len = crp->crp_aad_length + crp->crp_payload_length; 1208 if (op_type == CHCR_DECRYPT_OP) 1209 input_len += hash_size_in_response; 1210 if (input_len > MAX_REQUEST_SIZE) 1211 return (EFBIG); 1212 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 1213 imm_len = input_len; 1214 sgl_nsegs = 0; 1215 sgl_len = 0; 1216 } else { 1217 imm_len = 0; 1218 sglist_reset(sc->sg_ulptx); 1219 if (crp->crp_aad_length != 0) { 1220 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1221 crp->crp_aad_start, crp->crp_aad_length); 1222 if (error) 1223 return (error); 1224 } 1225 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1226 crp->crp_payload_start, crp->crp_payload_length); 1227 if (error) 1228 return (error); 1229 if (op_type == CHCR_DECRYPT_OP) { 1230 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1231 crp->crp_digest_start, hash_size_in_response); 1232 if (error) 1233 return (error); 1234 } 1235 sgl_nsegs = sc->sg_ulptx->sg_nseg; 1236 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 1237 } 1238 1239 if (crp->crp_aad_length != 0) { 1240 aad_start = iv_len + 1; 1241 aad_stop = aad_start + crp->crp_aad_length - 1; 1242 } else { 1243 aad_start = 0; 1244 aad_stop = 0; 1245 } 1246 cipher_start = iv_len + crp->crp_aad_length + 1; 1247 if (op_type == CHCR_DECRYPT_OP) 1248 cipher_stop = hash_size_in_response; 1249 else 1250 cipher_stop = 0; 1251 if (op_type == CHCR_DECRYPT_OP) 1252 auth_insert = hash_size_in_response; 1253 else 1254 auth_insert = 0; 1255 1256 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 1257 sgl_len; 1258 if (wr_len > SGE_MAX_WR_LEN) 1259 return (EFBIG); 1260 wr = alloc_wrqe(wr_len, sc->txq); 1261 if (wr == NULL) { 1262 sc->stats_wr_nomem++; 1263 return (ENOMEM); 1264 } 1265 crwr = wrtod(wr); 1266 memset(crwr, 0, wr_len); 1267 1268 memcpy(iv, crp->crp_iv, s->blkcipher.iv_len); 1269 if (s->blkcipher.iv_len == 12) 1270 *(uint32_t *)&iv[12] = htobe32(1); 1271 1272 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, imm_len, sgl_len, 0, 1273 crp); 1274 1275 /* XXX: Hardcodes SGE loopback channel of 0. */ 1276 crwr->sec_cpl.op_ivinsrtofst = htobe32( 1277 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 1278 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 1279 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 1280 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 1281 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 1282 1283 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 1284 1285 /* 1286 * NB: cipherstop is explicitly set to 0. On encrypt it 1287 * should normally be set to 0 anyway. However, for decrypt 1288 * the cipher ends before the tag in the ETA case (and 1289 * authstop is set to stop before the tag), but for GCM the 1290 * cipher still runs to the end of the buffer. Not sure if 1291 * this is intentional or a firmware quirk, but it is required 1292 * for working tag validation with GCM decryption. 1293 */ 1294 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 1295 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 1296 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 1297 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 1298 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 1299 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1300 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) | 1301 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1302 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1303 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1304 1305 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1306 hmac_ctrl = ccr_hmac_ctrl(AES_GMAC_HASH_LEN, hash_size_in_response); 1307 crwr->sec_cpl.seqno_numivs = htobe32( 1308 V_SCMD_SEQ_NO_CTRL(0) | 1309 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 1310 V_SCMD_ENC_DEC_CTRL(op_type) | 1311 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 1312 V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_GCM) | 1313 V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_GHASH) | 1314 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1315 V_SCMD_IV_SIZE(iv_len / 2) | 1316 V_SCMD_NUM_IVS(0)); 1317 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1318 V_SCMD_IV_GEN_CTRL(0) | 1319 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1320 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1321 1322 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1323 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len); 1324 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16); 1325 memcpy(dst, s->gmac.ghash_h, GMAC_BLOCK_LEN); 1326 1327 dst = (char *)(crwr + 1) + kctx_len; 1328 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 1329 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1330 memcpy(dst, iv, iv_len); 1331 dst += iv_len; 1332 if (imm_len != 0) { 1333 if (crp->crp_aad_length != 0) { 1334 crypto_copydata(crp, crp->crp_aad_start, 1335 crp->crp_aad_length, dst); 1336 dst += crp->crp_aad_length; 1337 } 1338 crypto_copydata(crp, crp->crp_payload_start, 1339 crp->crp_payload_length, dst); 1340 dst += crp->crp_payload_length; 1341 if (op_type == CHCR_DECRYPT_OP) 1342 crypto_copydata(crp, crp->crp_digest_start, 1343 hash_size_in_response, dst); 1344 } else 1345 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1346 1347 /* XXX: TODO backpressure */ 1348 t4_wrq_tx(sc->adapter, wr); 1349 1350 return (0); 1351 } 1352 1353 static int 1354 ccr_gcm_done(struct ccr_softc *sc, struct ccr_session *s, 1355 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1356 { 1357 1358 /* 1359 * The updated IV to permit chained requests is at 1360 * cpl->data[2], but OCF doesn't permit chained requests. 1361 * 1362 * Note that the hardware should always verify the GMAC hash. 1363 */ 1364 return (error); 1365 } 1366 1367 /* 1368 * Handle a GCM request that is not supported by the crypto engine by 1369 * performing the operation in software. Derived from swcr_authenc(). 1370 */ 1371 static void 1372 ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp) 1373 { 1374 struct auth_hash *axf; 1375 struct enc_xform *exf; 1376 void *auth_ctx; 1377 uint8_t *kschedule; 1378 char block[GMAC_BLOCK_LEN]; 1379 char digest[GMAC_DIGEST_LEN]; 1380 char iv[AES_BLOCK_LEN]; 1381 int error, i, len; 1382 1383 auth_ctx = NULL; 1384 kschedule = NULL; 1385 1386 /* Initialize the MAC. */ 1387 switch (s->blkcipher.key_len) { 1388 case 16: 1389 axf = &auth_hash_nist_gmac_aes_128; 1390 break; 1391 case 24: 1392 axf = &auth_hash_nist_gmac_aes_192; 1393 break; 1394 case 32: 1395 axf = &auth_hash_nist_gmac_aes_256; 1396 break; 1397 default: 1398 error = EINVAL; 1399 goto out; 1400 } 1401 auth_ctx = malloc(axf->ctxsize, M_CCR, M_NOWAIT); 1402 if (auth_ctx == NULL) { 1403 error = ENOMEM; 1404 goto out; 1405 } 1406 axf->Init(auth_ctx); 1407 axf->Setkey(auth_ctx, s->blkcipher.enckey, s->blkcipher.key_len); 1408 1409 /* Initialize the cipher. */ 1410 exf = &enc_xform_aes_nist_gcm; 1411 error = exf->setkey(&kschedule, s->blkcipher.enckey, 1412 s->blkcipher.key_len); 1413 if (error) 1414 goto out; 1415 1416 /* 1417 * This assumes a 12-byte IV from the crp. See longer comment 1418 * above in ccr_gcm() for more details. 1419 */ 1420 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) { 1421 error = EINVAL; 1422 goto out; 1423 } 1424 memcpy(iv, crp->crp_iv, 12); 1425 *(uint32_t *)&iv[12] = htobe32(1); 1426 1427 axf->Reinit(auth_ctx, iv, sizeof(iv)); 1428 1429 /* MAC the AAD. */ 1430 for (i = 0; i < crp->crp_aad_length; i += sizeof(block)) { 1431 len = imin(crp->crp_aad_length - i, sizeof(block)); 1432 crypto_copydata(crp, crp->crp_aad_start + i, len, block); 1433 bzero(block + len, sizeof(block) - len); 1434 axf->Update(auth_ctx, block, sizeof(block)); 1435 } 1436 1437 exf->reinit(kschedule, iv); 1438 1439 /* Do encryption with MAC */ 1440 for (i = 0; i < crp->crp_payload_length; i += sizeof(block)) { 1441 len = imin(crp->crp_payload_length - i, sizeof(block)); 1442 crypto_copydata(crp, crp->crp_payload_start + i, len, block); 1443 bzero(block + len, sizeof(block) - len); 1444 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 1445 exf->encrypt(kschedule, block); 1446 axf->Update(auth_ctx, block, len); 1447 crypto_copyback(crp, crp->crp_payload_start + i, len, 1448 block); 1449 } else { 1450 axf->Update(auth_ctx, block, len); 1451 } 1452 } 1453 1454 /* Length block. */ 1455 bzero(block, sizeof(block)); 1456 ((uint32_t *)block)[1] = htobe32(crp->crp_aad_length * 8); 1457 ((uint32_t *)block)[3] = htobe32(crp->crp_payload_length * 8); 1458 axf->Update(auth_ctx, block, sizeof(block)); 1459 1460 /* Finalize MAC. */ 1461 axf->Final(digest, auth_ctx); 1462 1463 /* Inject or validate tag. */ 1464 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 1465 crypto_copyback(crp, crp->crp_digest_start, sizeof(digest), 1466 digest); 1467 error = 0; 1468 } else { 1469 char digest2[GMAC_DIGEST_LEN]; 1470 1471 crypto_copydata(crp, crp->crp_digest_start, sizeof(digest2), 1472 digest2); 1473 if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) { 1474 error = 0; 1475 1476 /* Tag matches, decrypt data. */ 1477 for (i = 0; i < crp->crp_payload_length; 1478 i += sizeof(block)) { 1479 len = imin(crp->crp_payload_length - i, 1480 sizeof(block)); 1481 crypto_copydata(crp, crp->crp_payload_start + i, 1482 len, block); 1483 bzero(block + len, sizeof(block) - len); 1484 exf->decrypt(kschedule, block); 1485 crypto_copyback(crp, crp->crp_payload_start + i, 1486 len, block); 1487 } 1488 } else 1489 error = EBADMSG; 1490 } 1491 1492 exf->zerokey(&kschedule); 1493 out: 1494 if (auth_ctx != NULL) { 1495 memset(auth_ctx, 0, axf->ctxsize); 1496 free(auth_ctx, M_CCR); 1497 } 1498 crp->crp_etype = error; 1499 crypto_done(crp); 1500 } 1501 1502 static void 1503 generate_ccm_b0(struct cryptop *crp, u_int hash_size_in_response, 1504 const char *iv, char *b0) 1505 { 1506 u_int i, payload_len; 1507 1508 /* NB: L is already set in the first byte of the IV. */ 1509 memcpy(b0, iv, CCM_B0_SIZE); 1510 1511 /* Set length of hash in bits 3 - 5. */ 1512 b0[0] |= (((hash_size_in_response - 2) / 2) << 3); 1513 1514 /* Store the payload length as a big-endian value. */ 1515 payload_len = crp->crp_payload_length; 1516 for (i = 0; i < iv[0]; i++) { 1517 b0[CCM_CBC_BLOCK_LEN - 1 - i] = payload_len; 1518 payload_len >>= 8; 1519 } 1520 1521 /* 1522 * If there is AAD in the request, set bit 6 in the flags 1523 * field and store the AAD length as a big-endian value at the 1524 * start of block 1. This only assumes a 16-bit AAD length 1525 * since T6 doesn't support large AAD sizes. 1526 */ 1527 if (crp->crp_aad_length != 0) { 1528 b0[0] |= (1 << 6); 1529 *(uint16_t *)(b0 + CCM_B0_SIZE) = htobe16(crp->crp_aad_length); 1530 } 1531 } 1532 1533 static int 1534 ccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 1535 { 1536 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 1537 struct ulptx_idata *idata; 1538 struct chcr_wr *crwr; 1539 struct wrqe *wr; 1540 char *dst; 1541 u_int iv_len, kctx_len, op_type, transhdr_len, wr_len; 1542 u_int aad_len, b0_len, hash_size_in_response, imm_len; 1543 u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert; 1544 u_int hmac_ctrl, input_len; 1545 int dsgl_nsegs, dsgl_len; 1546 int sgl_nsegs, sgl_len; 1547 int error; 1548 1549 if (s->blkcipher.key_len == 0) 1550 return (EINVAL); 1551 1552 /* 1553 * The crypto engine doesn't handle CCM requests with an empty 1554 * payload, so handle those in software instead. 1555 */ 1556 if (crp->crp_payload_length == 0) 1557 return (EMSGSIZE); 1558 1559 /* 1560 * CCM always includes block 0 in the AAD before AAD from the 1561 * request. 1562 */ 1563 b0_len = CCM_B0_SIZE; 1564 if (crp->crp_aad_length != 0) 1565 b0_len += CCM_AAD_FIELD_SIZE; 1566 aad_len = b0_len + crp->crp_aad_length; 1567 1568 /* 1569 * CCM requests should always provide an explicit IV (really 1570 * the nonce). 1571 */ 1572 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) 1573 return (EINVAL); 1574 1575 /* 1576 * Always assume a 12 byte input nonce for now since that is 1577 * what OCF always generates. The full IV in the work request 1578 * is 16 bytes. 1579 */ 1580 iv_len = AES_BLOCK_LEN; 1581 1582 if (iv_len + aad_len > MAX_AAD_LEN) 1583 return (EMSGSIZE); 1584 1585 hash_size_in_response = s->ccm_mac.hash_len; 1586 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1587 op_type = CHCR_ENCRYPT_OP; 1588 else 1589 op_type = CHCR_DECRYPT_OP; 1590 1591 /* 1592 * The output buffer consists of the cipher text followed by 1593 * the tag when encrypting. For decryption it only contains 1594 * the plain text. 1595 * 1596 * Due to a firmware bug, the output buffer must include a 1597 * dummy output buffer for the IV and AAD prior to the real 1598 * output buffer. 1599 */ 1600 if (op_type == CHCR_ENCRYPT_OP) { 1601 if (iv_len + aad_len + crp->crp_payload_length + 1602 hash_size_in_response > MAX_REQUEST_SIZE) 1603 return (EFBIG); 1604 } else { 1605 if (iv_len + aad_len + crp->crp_payload_length > 1606 MAX_REQUEST_SIZE) 1607 return (EFBIG); 1608 } 1609 sglist_reset(sc->sg_dsgl); 1610 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, iv_len + 1611 aad_len); 1612 if (error) 1613 return (error); 1614 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1615 crp->crp_payload_start, crp->crp_payload_length); 1616 if (error) 1617 return (error); 1618 if (op_type == CHCR_ENCRYPT_OP) { 1619 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, 1620 crp->crp_digest_start, hash_size_in_response); 1621 if (error) 1622 return (error); 1623 } 1624 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN); 1625 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 1626 return (EFBIG); 1627 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 1628 1629 /* 1630 * The 'key' part of the key context consists of two copies of 1631 * the AES key. 1632 */ 1633 kctx_len = roundup2(s->blkcipher.key_len, 16) * 2; 1634 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 1635 1636 /* 1637 * The input buffer consists of the IV, AAD (including block 1638 * 0), and then the cipher/plain text. For decryption 1639 * requests the hash is appended after the cipher text. 1640 * 1641 * The IV is always stored at the start of the input buffer 1642 * even though it may be duplicated in the payload. The 1643 * crypto engine doesn't work properly if the IV offset points 1644 * inside of the AAD region, so a second copy is always 1645 * required. 1646 */ 1647 input_len = aad_len + crp->crp_payload_length; 1648 if (op_type == CHCR_DECRYPT_OP) 1649 input_len += hash_size_in_response; 1650 if (input_len > MAX_REQUEST_SIZE) 1651 return (EFBIG); 1652 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 1653 imm_len = input_len; 1654 sgl_nsegs = 0; 1655 sgl_len = 0; 1656 } else { 1657 /* Block 0 is passed as immediate data. */ 1658 imm_len = b0_len; 1659 1660 sglist_reset(sc->sg_ulptx); 1661 if (crp->crp_aad_length != 0) { 1662 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1663 crp->crp_aad_start, crp->crp_aad_length); 1664 if (error) 1665 return (error); 1666 } 1667 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1668 crp->crp_payload_start, crp->crp_payload_length); 1669 if (error) 1670 return (error); 1671 if (op_type == CHCR_DECRYPT_OP) { 1672 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp, 1673 crp->crp_digest_start, hash_size_in_response); 1674 if (error) 1675 return (error); 1676 } 1677 sgl_nsegs = sc->sg_ulptx->sg_nseg; 1678 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 1679 } 1680 1681 aad_start = iv_len + 1; 1682 aad_stop = aad_start + aad_len - 1; 1683 cipher_start = aad_stop + 1; 1684 if (op_type == CHCR_DECRYPT_OP) 1685 cipher_stop = hash_size_in_response; 1686 else 1687 cipher_stop = 0; 1688 if (op_type == CHCR_DECRYPT_OP) 1689 auth_insert = hash_size_in_response; 1690 else 1691 auth_insert = 0; 1692 1693 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 1694 sgl_len; 1695 if (wr_len > SGE_MAX_WR_LEN) 1696 return (EFBIG); 1697 wr = alloc_wrqe(wr_len, sc->txq); 1698 if (wr == NULL) { 1699 sc->stats_wr_nomem++; 1700 return (ENOMEM); 1701 } 1702 crwr = wrtod(wr); 1703 memset(crwr, 0, wr_len); 1704 1705 /* 1706 * Read the nonce from the request. Use the nonce to generate 1707 * the full IV with the counter set to 0. 1708 */ 1709 memset(iv, 0, iv_len); 1710 iv[0] = (15 - AES_CCM_IV_LEN) - 1; 1711 memcpy(iv + 1, crp->crp_iv, AES_CCM_IV_LEN); 1712 1713 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, imm_len, sgl_len, 0, 1714 crp); 1715 1716 /* XXX: Hardcodes SGE loopback channel of 0. */ 1717 crwr->sec_cpl.op_ivinsrtofst = htobe32( 1718 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 1719 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) | 1720 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 1721 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 1722 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 1723 1724 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 1725 1726 /* 1727 * NB: cipherstop is explicitly set to 0. See comments above 1728 * in ccr_gcm(). 1729 */ 1730 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 1731 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 1732 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 1733 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 1734 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 1735 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1736 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) | 1737 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1738 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1739 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1740 1741 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1742 hmac_ctrl = ccr_hmac_ctrl(AES_CBC_MAC_HASH_LEN, hash_size_in_response); 1743 crwr->sec_cpl.seqno_numivs = htobe32( 1744 V_SCMD_SEQ_NO_CTRL(0) | 1745 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 1746 V_SCMD_ENC_DEC_CTRL(op_type) | 1747 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 0 : 1) | 1748 V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_CCM) | 1749 V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_CBCMAC) | 1750 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1751 V_SCMD_IV_SIZE(iv_len / 2) | 1752 V_SCMD_NUM_IVS(0)); 1753 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1754 V_SCMD_IV_GEN_CTRL(0) | 1755 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1756 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1757 1758 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr; 1759 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len); 1760 memcpy(crwr->key_ctx.key + roundup(s->blkcipher.key_len, 16), 1761 s->blkcipher.enckey, s->blkcipher.key_len); 1762 1763 dst = (char *)(crwr + 1) + kctx_len; 1764 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs); 1765 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1766 memcpy(dst, iv, iv_len); 1767 dst += iv_len; 1768 generate_ccm_b0(crp, hash_size_in_response, iv, dst); 1769 if (sgl_nsegs == 0) { 1770 dst += b0_len; 1771 if (crp->crp_aad_length != 0) { 1772 crypto_copydata(crp, crp->crp_aad_start, 1773 crp->crp_aad_length, dst); 1774 dst += crp->crp_aad_length; 1775 } 1776 crypto_copydata(crp, crp->crp_payload_start, 1777 crp->crp_payload_length, dst); 1778 dst += crp->crp_payload_length; 1779 if (op_type == CHCR_DECRYPT_OP) 1780 crypto_copydata(crp, crp->crp_digest_start, 1781 hash_size_in_response, dst); 1782 } else { 1783 dst += CCM_B0_SIZE; 1784 if (b0_len > CCM_B0_SIZE) { 1785 /* 1786 * If there is AAD, insert padding including a 1787 * ULP_TX_SC_NOOP so that the ULP_TX_SC_DSGL 1788 * is 16-byte aligned. 1789 */ 1790 KASSERT(b0_len - CCM_B0_SIZE == CCM_AAD_FIELD_SIZE, 1791 ("b0_len mismatch")); 1792 memset(dst + CCM_AAD_FIELD_SIZE, 0, 1793 8 - CCM_AAD_FIELD_SIZE); 1794 idata = (void *)(dst + 8); 1795 idata->cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_NOOP)); 1796 idata->len = htobe32(0); 1797 dst = (void *)(idata + 1); 1798 } 1799 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs); 1800 } 1801 1802 /* XXX: TODO backpressure */ 1803 t4_wrq_tx(sc->adapter, wr); 1804 1805 return (0); 1806 } 1807 1808 static int 1809 ccr_ccm_done(struct ccr_softc *sc, struct ccr_session *s, 1810 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1811 { 1812 1813 /* 1814 * The updated IV to permit chained requests is at 1815 * cpl->data[2], but OCF doesn't permit chained requests. 1816 * 1817 * Note that the hardware should always verify the CBC MAC 1818 * hash. 1819 */ 1820 return (error); 1821 } 1822 1823 /* 1824 * Handle a CCM request that is not supported by the crypto engine by 1825 * performing the operation in software. Derived from swcr_authenc(). 1826 */ 1827 static void 1828 ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp) 1829 { 1830 struct auth_hash *axf; 1831 struct enc_xform *exf; 1832 union authctx *auth_ctx; 1833 uint8_t *kschedule; 1834 char block[CCM_CBC_BLOCK_LEN]; 1835 char digest[AES_CBC_MAC_HASH_LEN]; 1836 char iv[AES_CCM_IV_LEN]; 1837 int error, i, len; 1838 1839 auth_ctx = NULL; 1840 kschedule = NULL; 1841 1842 /* Initialize the MAC. */ 1843 switch (s->blkcipher.key_len) { 1844 case 16: 1845 axf = &auth_hash_ccm_cbc_mac_128; 1846 break; 1847 case 24: 1848 axf = &auth_hash_ccm_cbc_mac_192; 1849 break; 1850 case 32: 1851 axf = &auth_hash_ccm_cbc_mac_256; 1852 break; 1853 default: 1854 error = EINVAL; 1855 goto out; 1856 } 1857 auth_ctx = malloc(axf->ctxsize, M_CCR, M_NOWAIT); 1858 if (auth_ctx == NULL) { 1859 error = ENOMEM; 1860 goto out; 1861 } 1862 axf->Init(auth_ctx); 1863 axf->Setkey(auth_ctx, s->blkcipher.enckey, s->blkcipher.key_len); 1864 1865 /* Initialize the cipher. */ 1866 exf = &enc_xform_ccm; 1867 error = exf->setkey(&kschedule, s->blkcipher.enckey, 1868 s->blkcipher.key_len); 1869 if (error) 1870 goto out; 1871 1872 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) { 1873 error = EINVAL; 1874 goto out; 1875 } 1876 memcpy(iv, crp->crp_iv, AES_CCM_IV_LEN); 1877 1878 auth_ctx->aes_cbc_mac_ctx.authDataLength = crp->crp_aad_length; 1879 auth_ctx->aes_cbc_mac_ctx.cryptDataLength = crp->crp_payload_length; 1880 axf->Reinit(auth_ctx, iv, sizeof(iv)); 1881 1882 /* MAC the AAD. */ 1883 for (i = 0; i < crp->crp_aad_length; i += sizeof(block)) { 1884 len = imin(crp->crp_aad_length - i, sizeof(block)); 1885 crypto_copydata(crp, crp->crp_aad_start + i, len, block); 1886 bzero(block + len, sizeof(block) - len); 1887 axf->Update(auth_ctx, block, sizeof(block)); 1888 } 1889 1890 exf->reinit(kschedule, iv); 1891 1892 /* Do encryption/decryption with MAC */ 1893 for (i = 0; i < crp->crp_payload_length; i += sizeof(block)) { 1894 len = imin(crp->crp_payload_length - i, sizeof(block)); 1895 crypto_copydata(crp, crp->crp_payload_start + i, len, block); 1896 bzero(block + len, sizeof(block) - len); 1897 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 1898 axf->Update(auth_ctx, block, len); 1899 exf->encrypt(kschedule, block); 1900 crypto_copyback(crp, crp->crp_payload_start + i, len, 1901 block); 1902 } else { 1903 exf->decrypt(kschedule, block); 1904 axf->Update(auth_ctx, block, len); 1905 } 1906 } 1907 1908 /* Finalize MAC. */ 1909 axf->Final(digest, auth_ctx); 1910 1911 /* Inject or validate tag. */ 1912 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) { 1913 crypto_copyback(crp, crp->crp_digest_start, sizeof(digest), 1914 digest); 1915 error = 0; 1916 } else { 1917 char digest2[AES_CBC_MAC_HASH_LEN]; 1918 1919 crypto_copydata(crp, crp->crp_digest_start, sizeof(digest2), 1920 digest2); 1921 if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) { 1922 error = 0; 1923 1924 /* Tag matches, decrypt data. */ 1925 exf->reinit(kschedule, iv); 1926 for (i = 0; i < crp->crp_payload_length; 1927 i += sizeof(block)) { 1928 len = imin(crp->crp_payload_length - i, 1929 sizeof(block)); 1930 crypto_copydata(crp, crp->crp_payload_start + i, 1931 len, block); 1932 bzero(block + len, sizeof(block) - len); 1933 exf->decrypt(kschedule, block); 1934 crypto_copyback(crp, crp->crp_payload_start + i, 1935 len, block); 1936 } 1937 } else 1938 error = EBADMSG; 1939 } 1940 1941 exf->zerokey(&kschedule); 1942 out: 1943 if (auth_ctx != NULL) { 1944 memset(auth_ctx, 0, axf->ctxsize); 1945 free(auth_ctx, M_CCR); 1946 } 1947 crp->crp_etype = error; 1948 crypto_done(crp); 1949 } 1950 1951 static void 1952 ccr_identify(driver_t *driver, device_t parent) 1953 { 1954 struct adapter *sc; 1955 1956 sc = device_get_softc(parent); 1957 if (sc->cryptocaps & FW_CAPS_CONFIG_CRYPTO_LOOKASIDE && 1958 device_find_child(parent, "ccr", -1) == NULL) 1959 device_add_child(parent, "ccr", -1); 1960 } 1961 1962 static int 1963 ccr_probe(device_t dev) 1964 { 1965 1966 device_set_desc(dev, "Chelsio Crypto Accelerator"); 1967 return (BUS_PROBE_DEFAULT); 1968 } 1969 1970 static void 1971 ccr_sysctls(struct ccr_softc *sc) 1972 { 1973 struct sysctl_ctx_list *ctx; 1974 struct sysctl_oid *oid; 1975 struct sysctl_oid_list *children; 1976 1977 ctx = device_get_sysctl_ctx(sc->dev); 1978 1979 /* 1980 * dev.ccr.X. 1981 */ 1982 oid = device_get_sysctl_tree(sc->dev); 1983 children = SYSCTL_CHILDREN(oid); 1984 1985 /* 1986 * dev.ccr.X.stats. 1987 */ 1988 oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "stats", 1989 CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "statistics"); 1990 children = SYSCTL_CHILDREN(oid); 1991 1992 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "hash", CTLFLAG_RD, 1993 &sc->stats_hash, 0, "Hash requests submitted"); 1994 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "hmac", CTLFLAG_RD, 1995 &sc->stats_hmac, 0, "HMAC requests submitted"); 1996 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_encrypt", CTLFLAG_RD, 1997 &sc->stats_blkcipher_encrypt, 0, 1998 "Cipher encryption requests submitted"); 1999 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_decrypt", CTLFLAG_RD, 2000 &sc->stats_blkcipher_decrypt, 0, 2001 "Cipher decryption requests submitted"); 2002 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "eta_encrypt", CTLFLAG_RD, 2003 &sc->stats_eta_encrypt, 0, 2004 "Combined AES+HMAC encryption requests submitted"); 2005 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "eta_decrypt", CTLFLAG_RD, 2006 &sc->stats_eta_decrypt, 0, 2007 "Combined AES+HMAC decryption requests submitted"); 2008 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_encrypt", CTLFLAG_RD, 2009 &sc->stats_gcm_encrypt, 0, "AES-GCM encryption requests submitted"); 2010 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_decrypt", CTLFLAG_RD, 2011 &sc->stats_gcm_decrypt, 0, "AES-GCM decryption requests submitted"); 2012 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "ccm_encrypt", CTLFLAG_RD, 2013 &sc->stats_ccm_encrypt, 0, "AES-CCM encryption requests submitted"); 2014 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "ccm_decrypt", CTLFLAG_RD, 2015 &sc->stats_ccm_decrypt, 0, "AES-CCM decryption requests submitted"); 2016 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "wr_nomem", CTLFLAG_RD, 2017 &sc->stats_wr_nomem, 0, "Work request memory allocation failures"); 2018 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "inflight", CTLFLAG_RD, 2019 &sc->stats_inflight, 0, "Requests currently pending"); 2020 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "mac_error", CTLFLAG_RD, 2021 &sc->stats_mac_error, 0, "MAC errors"); 2022 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "pad_error", CTLFLAG_RD, 2023 &sc->stats_pad_error, 0, "Padding errors"); 2024 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "bad_session", CTLFLAG_RD, 2025 &sc->stats_bad_session, 0, "Requests with invalid session ID"); 2026 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sglist_error", CTLFLAG_RD, 2027 &sc->stats_sglist_error, 0, 2028 "Requests for which DMA mapping failed"); 2029 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "process_error", CTLFLAG_RD, 2030 &sc->stats_process_error, 0, "Requests failed during queueing"); 2031 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sw_fallback", CTLFLAG_RD, 2032 &sc->stats_sw_fallback, 0, 2033 "Requests processed by falling back to software"); 2034 } 2035 2036 static int 2037 ccr_attach(device_t dev) 2038 { 2039 struct ccr_softc *sc; 2040 int32_t cid; 2041 2042 sc = device_get_softc(dev); 2043 sc->dev = dev; 2044 sc->adapter = device_get_softc(device_get_parent(dev)); 2045 sc->txq = &sc->adapter->sge.ctrlq[0]; 2046 sc->rxq = &sc->adapter->sge.rxq[0]; 2047 cid = crypto_get_driverid(dev, sizeof(struct ccr_session), 2048 CRYPTOCAP_F_HARDWARE); 2049 if (cid < 0) { 2050 device_printf(dev, "could not get crypto driver id\n"); 2051 return (ENXIO); 2052 } 2053 sc->cid = cid; 2054 sc->adapter->ccr_softc = sc; 2055 2056 /* XXX: TODO? */ 2057 sc->tx_channel_id = 0; 2058 2059 mtx_init(&sc->lock, "ccr", NULL, MTX_DEF); 2060 sc->sg_crp = sglist_alloc(TX_SGL_SEGS, M_WAITOK); 2061 sc->sg_ulptx = sglist_alloc(TX_SGL_SEGS, M_WAITOK); 2062 sc->sg_dsgl = sglist_alloc(MAX_RX_PHYS_DSGL_SGE, M_WAITOK); 2063 sc->iv_aad_buf = malloc(MAX_AAD_LEN, M_CCR, M_WAITOK); 2064 sc->sg_iv_aad = sglist_build(sc->iv_aad_buf, MAX_AAD_LEN, M_WAITOK); 2065 ccr_sysctls(sc); 2066 2067 return (0); 2068 } 2069 2070 static int 2071 ccr_detach(device_t dev) 2072 { 2073 struct ccr_softc *sc; 2074 2075 sc = device_get_softc(dev); 2076 2077 mtx_lock(&sc->lock); 2078 sc->detaching = true; 2079 mtx_unlock(&sc->lock); 2080 2081 crypto_unregister_all(sc->cid); 2082 2083 mtx_destroy(&sc->lock); 2084 sglist_free(sc->sg_iv_aad); 2085 free(sc->iv_aad_buf, M_CCR); 2086 sglist_free(sc->sg_dsgl); 2087 sglist_free(sc->sg_ulptx); 2088 sglist_free(sc->sg_crp); 2089 sc->adapter->ccr_softc = NULL; 2090 return (0); 2091 } 2092 2093 static void 2094 ccr_init_hash_digest(struct ccr_session *s) 2095 { 2096 union authctx auth_ctx; 2097 struct auth_hash *axf; 2098 2099 axf = s->hmac.auth_hash; 2100 axf->Init(&auth_ctx); 2101 t4_copy_partial_hash(axf->type, &auth_ctx, s->hmac.pads); 2102 } 2103 2104 static bool 2105 ccr_aes_check_keylen(int alg, int klen) 2106 { 2107 2108 switch (klen * 8) { 2109 case 128: 2110 case 192: 2111 if (alg == CRYPTO_AES_XTS) 2112 return (false); 2113 break; 2114 case 256: 2115 break; 2116 case 512: 2117 if (alg != CRYPTO_AES_XTS) 2118 return (false); 2119 break; 2120 default: 2121 return (false); 2122 } 2123 return (true); 2124 } 2125 2126 static void 2127 ccr_aes_setkey(struct ccr_session *s, const void *key, int klen) 2128 { 2129 unsigned int ck_size, iopad_size, kctx_flits, kctx_len, kbits, mk_size; 2130 unsigned int opad_present; 2131 2132 if (s->blkcipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS) 2133 kbits = (klen / 2) * 8; 2134 else 2135 kbits = klen * 8; 2136 switch (kbits) { 2137 case 128: 2138 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128; 2139 break; 2140 case 192: 2141 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192; 2142 break; 2143 case 256: 2144 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256; 2145 break; 2146 default: 2147 panic("should not get here"); 2148 } 2149 2150 s->blkcipher.key_len = klen; 2151 memcpy(s->blkcipher.enckey, key, s->blkcipher.key_len); 2152 switch (s->blkcipher.cipher_mode) { 2153 case SCMD_CIPH_MODE_AES_CBC: 2154 case SCMD_CIPH_MODE_AES_XTS: 2155 t4_aes_getdeckey(s->blkcipher.deckey, key, kbits); 2156 break; 2157 } 2158 2159 kctx_len = roundup2(s->blkcipher.key_len, 16); 2160 switch (s->mode) { 2161 case ETA: 2162 mk_size = s->hmac.mk_size; 2163 opad_present = 1; 2164 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 2165 kctx_len += iopad_size * 2; 2166 break; 2167 case GCM: 2168 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 2169 opad_present = 0; 2170 kctx_len += GMAC_BLOCK_LEN; 2171 break; 2172 case CCM: 2173 switch (kbits) { 2174 case 128: 2175 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 2176 break; 2177 case 192: 2178 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_192; 2179 break; 2180 case 256: 2181 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 2182 break; 2183 default: 2184 panic("should not get here"); 2185 } 2186 opad_present = 0; 2187 kctx_len *= 2; 2188 break; 2189 default: 2190 mk_size = CHCR_KEYCTX_NO_KEY; 2191 opad_present = 0; 2192 break; 2193 } 2194 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 2195 s->blkcipher.key_ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 2196 V_KEY_CONTEXT_DUAL_CK(s->blkcipher.cipher_mode == 2197 SCMD_CIPH_MODE_AES_XTS) | 2198 V_KEY_CONTEXT_OPAD_PRESENT(opad_present) | 2199 V_KEY_CONTEXT_SALT_PRESENT(1) | V_KEY_CONTEXT_CK_SIZE(ck_size) | 2200 V_KEY_CONTEXT_MK_SIZE(mk_size) | V_KEY_CONTEXT_VALID(1)); 2201 } 2202 2203 static bool 2204 ccr_auth_supported(const struct crypto_session_params *csp) 2205 { 2206 2207 switch (csp->csp_auth_alg) { 2208 case CRYPTO_SHA1: 2209 case CRYPTO_SHA2_224: 2210 case CRYPTO_SHA2_256: 2211 case CRYPTO_SHA2_384: 2212 case CRYPTO_SHA2_512: 2213 case CRYPTO_SHA1_HMAC: 2214 case CRYPTO_SHA2_224_HMAC: 2215 case CRYPTO_SHA2_256_HMAC: 2216 case CRYPTO_SHA2_384_HMAC: 2217 case CRYPTO_SHA2_512_HMAC: 2218 break; 2219 default: 2220 return (false); 2221 } 2222 return (true); 2223 } 2224 2225 static bool 2226 ccr_cipher_supported(const struct crypto_session_params *csp) 2227 { 2228 2229 switch (csp->csp_cipher_alg) { 2230 case CRYPTO_AES_CBC: 2231 if (csp->csp_ivlen != AES_BLOCK_LEN) 2232 return (false); 2233 break; 2234 case CRYPTO_AES_ICM: 2235 if (csp->csp_ivlen != AES_BLOCK_LEN) 2236 return (false); 2237 break; 2238 case CRYPTO_AES_XTS: 2239 if (csp->csp_ivlen != AES_XTS_IV_LEN) 2240 return (false); 2241 break; 2242 default: 2243 return (false); 2244 } 2245 return (ccr_aes_check_keylen(csp->csp_cipher_alg, 2246 csp->csp_cipher_klen)); 2247 } 2248 2249 static int 2250 ccr_cipher_mode(const struct crypto_session_params *csp) 2251 { 2252 2253 switch (csp->csp_cipher_alg) { 2254 case CRYPTO_AES_CBC: 2255 return (SCMD_CIPH_MODE_AES_CBC); 2256 case CRYPTO_AES_ICM: 2257 return (SCMD_CIPH_MODE_AES_CTR); 2258 case CRYPTO_AES_NIST_GCM_16: 2259 return (SCMD_CIPH_MODE_AES_GCM); 2260 case CRYPTO_AES_XTS: 2261 return (SCMD_CIPH_MODE_AES_XTS); 2262 case CRYPTO_AES_CCM_16: 2263 return (SCMD_CIPH_MODE_AES_CCM); 2264 default: 2265 return (SCMD_CIPH_MODE_NOP); 2266 } 2267 } 2268 2269 static int 2270 ccr_probesession(device_t dev, const struct crypto_session_params *csp) 2271 { 2272 unsigned int cipher_mode; 2273 2274 if (csp->csp_flags != 0) 2275 return (EINVAL); 2276 switch (csp->csp_mode) { 2277 case CSP_MODE_DIGEST: 2278 if (!ccr_auth_supported(csp)) 2279 return (EINVAL); 2280 break; 2281 case CSP_MODE_CIPHER: 2282 if (!ccr_cipher_supported(csp)) 2283 return (EINVAL); 2284 break; 2285 case CSP_MODE_AEAD: 2286 switch (csp->csp_cipher_alg) { 2287 case CRYPTO_AES_NIST_GCM_16: 2288 if (csp->csp_ivlen != AES_GCM_IV_LEN) 2289 return (EINVAL); 2290 if (csp->csp_auth_mlen < 0 || 2291 csp->csp_auth_mlen > AES_GMAC_HASH_LEN) 2292 return (EINVAL); 2293 break; 2294 case CRYPTO_AES_CCM_16: 2295 if (csp->csp_ivlen != AES_CCM_IV_LEN) 2296 return (EINVAL); 2297 if (csp->csp_auth_mlen < 0 || 2298 csp->csp_auth_mlen > AES_CBC_MAC_HASH_LEN) 2299 return (EINVAL); 2300 break; 2301 default: 2302 return (EINVAL); 2303 } 2304 break; 2305 case CSP_MODE_ETA: 2306 if (!ccr_auth_supported(csp) || !ccr_cipher_supported(csp)) 2307 return (EINVAL); 2308 break; 2309 default: 2310 return (EINVAL); 2311 } 2312 2313 if (csp->csp_cipher_klen != 0) { 2314 cipher_mode = ccr_cipher_mode(csp); 2315 if (cipher_mode == SCMD_CIPH_MODE_NOP) 2316 return (EINVAL); 2317 } 2318 2319 return (CRYPTODEV_PROBE_HARDWARE); 2320 } 2321 2322 static int 2323 ccr_newsession(device_t dev, crypto_session_t cses, 2324 const struct crypto_session_params *csp) 2325 { 2326 struct ccr_softc *sc; 2327 struct ccr_session *s; 2328 struct auth_hash *auth_hash; 2329 unsigned int auth_mode, cipher_mode, mk_size; 2330 unsigned int partial_digest_len; 2331 2332 switch (csp->csp_auth_alg) { 2333 case CRYPTO_SHA1: 2334 case CRYPTO_SHA1_HMAC: 2335 auth_hash = &auth_hash_hmac_sha1; 2336 auth_mode = SCMD_AUTH_MODE_SHA1; 2337 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_160; 2338 partial_digest_len = SHA1_HASH_LEN; 2339 break; 2340 case CRYPTO_SHA2_224: 2341 case CRYPTO_SHA2_224_HMAC: 2342 auth_hash = &auth_hash_hmac_sha2_224; 2343 auth_mode = SCMD_AUTH_MODE_SHA224; 2344 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 2345 partial_digest_len = SHA2_256_HASH_LEN; 2346 break; 2347 case CRYPTO_SHA2_256: 2348 case CRYPTO_SHA2_256_HMAC: 2349 auth_hash = &auth_hash_hmac_sha2_256; 2350 auth_mode = SCMD_AUTH_MODE_SHA256; 2351 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 2352 partial_digest_len = SHA2_256_HASH_LEN; 2353 break; 2354 case CRYPTO_SHA2_384: 2355 case CRYPTO_SHA2_384_HMAC: 2356 auth_hash = &auth_hash_hmac_sha2_384; 2357 auth_mode = SCMD_AUTH_MODE_SHA512_384; 2358 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 2359 partial_digest_len = SHA2_512_HASH_LEN; 2360 break; 2361 case CRYPTO_SHA2_512: 2362 case CRYPTO_SHA2_512_HMAC: 2363 auth_hash = &auth_hash_hmac_sha2_512; 2364 auth_mode = SCMD_AUTH_MODE_SHA512_512; 2365 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 2366 partial_digest_len = SHA2_512_HASH_LEN; 2367 break; 2368 default: 2369 auth_hash = NULL; 2370 auth_mode = SCMD_AUTH_MODE_NOP; 2371 mk_size = 0; 2372 partial_digest_len = 0; 2373 break; 2374 } 2375 2376 cipher_mode = ccr_cipher_mode(csp); 2377 2378 #ifdef INVARIANTS 2379 switch (csp->csp_mode) { 2380 case CSP_MODE_CIPHER: 2381 if (cipher_mode == SCMD_CIPH_MODE_NOP || 2382 cipher_mode == SCMD_CIPH_MODE_AES_GCM || 2383 cipher_mode == SCMD_CIPH_MODE_AES_CCM) 2384 panic("invalid cipher algo"); 2385 break; 2386 case CSP_MODE_DIGEST: 2387 if (auth_mode == SCMD_AUTH_MODE_NOP) 2388 panic("invalid auth algo"); 2389 break; 2390 case CSP_MODE_AEAD: 2391 if (cipher_mode != SCMD_CIPH_MODE_AES_GCM && 2392 cipher_mode != SCMD_CIPH_MODE_AES_CCM) 2393 panic("invalid aead cipher algo"); 2394 if (auth_mode != SCMD_AUTH_MODE_NOP) 2395 panic("invalid aead auth aglo"); 2396 break; 2397 case CSP_MODE_ETA: 2398 if (cipher_mode == SCMD_CIPH_MODE_NOP || 2399 cipher_mode == SCMD_CIPH_MODE_AES_GCM || 2400 cipher_mode == SCMD_CIPH_MODE_AES_CCM) 2401 panic("invalid cipher algo"); 2402 if (auth_mode == SCMD_AUTH_MODE_NOP) 2403 panic("invalid auth algo"); 2404 break; 2405 default: 2406 panic("invalid csp mode"); 2407 } 2408 #endif 2409 2410 sc = device_get_softc(dev); 2411 2412 /* 2413 * XXX: Don't create a session if the queues aren't 2414 * initialized. This is racy as the rxq can be destroyed by 2415 * the associated VI detaching. Eventually ccr should use 2416 * dedicated queues. 2417 */ 2418 if (sc->rxq->iq.adapter == NULL || sc->txq->adapter == NULL) 2419 return (ENXIO); 2420 2421 mtx_lock(&sc->lock); 2422 if (sc->detaching) { 2423 mtx_unlock(&sc->lock); 2424 return (ENXIO); 2425 } 2426 2427 s = crypto_get_driver_session(cses); 2428 2429 switch (csp->csp_mode) { 2430 case CSP_MODE_AEAD: 2431 if (cipher_mode == SCMD_CIPH_MODE_AES_CCM) 2432 s->mode = CCM; 2433 else 2434 s->mode = GCM; 2435 break; 2436 case CSP_MODE_ETA: 2437 s->mode = ETA; 2438 break; 2439 case CSP_MODE_DIGEST: 2440 if (csp->csp_auth_klen != 0) 2441 s->mode = HMAC; 2442 else 2443 s->mode = HASH; 2444 break; 2445 case CSP_MODE_CIPHER: 2446 s->mode = BLKCIPHER; 2447 break; 2448 } 2449 2450 if (s->mode == GCM) { 2451 if (csp->csp_auth_mlen == 0) 2452 s->gmac.hash_len = AES_GMAC_HASH_LEN; 2453 else 2454 s->gmac.hash_len = csp->csp_auth_mlen; 2455 t4_init_gmac_hash(csp->csp_cipher_key, csp->csp_cipher_klen, 2456 s->gmac.ghash_h); 2457 } else if (s->mode == CCM) { 2458 if (csp->csp_auth_mlen == 0) 2459 s->ccm_mac.hash_len = AES_CBC_MAC_HASH_LEN; 2460 else 2461 s->ccm_mac.hash_len = csp->csp_auth_mlen; 2462 } else if (auth_mode != SCMD_AUTH_MODE_NOP) { 2463 s->hmac.auth_hash = auth_hash; 2464 s->hmac.auth_mode = auth_mode; 2465 s->hmac.mk_size = mk_size; 2466 s->hmac.partial_digest_len = partial_digest_len; 2467 if (csp->csp_auth_mlen == 0) 2468 s->hmac.hash_len = auth_hash->hashsize; 2469 else 2470 s->hmac.hash_len = csp->csp_auth_mlen; 2471 if (csp->csp_auth_key != NULL) 2472 t4_init_hmac_digest(auth_hash, partial_digest_len, 2473 csp->csp_auth_key, csp->csp_auth_klen, 2474 s->hmac.pads); 2475 else 2476 ccr_init_hash_digest(s); 2477 } 2478 if (cipher_mode != SCMD_CIPH_MODE_NOP) { 2479 s->blkcipher.cipher_mode = cipher_mode; 2480 s->blkcipher.iv_len = csp->csp_ivlen; 2481 if (csp->csp_cipher_key != NULL) 2482 ccr_aes_setkey(s, csp->csp_cipher_key, 2483 csp->csp_cipher_klen); 2484 } 2485 2486 s->active = true; 2487 mtx_unlock(&sc->lock); 2488 return (0); 2489 } 2490 2491 static void 2492 ccr_freesession(device_t dev, crypto_session_t cses) 2493 { 2494 struct ccr_softc *sc; 2495 struct ccr_session *s; 2496 2497 sc = device_get_softc(dev); 2498 s = crypto_get_driver_session(cses); 2499 mtx_lock(&sc->lock); 2500 if (s->pending != 0) 2501 device_printf(dev, 2502 "session %p freed with %d pending requests\n", s, 2503 s->pending); 2504 s->active = false; 2505 mtx_unlock(&sc->lock); 2506 } 2507 2508 static int 2509 ccr_process(device_t dev, struct cryptop *crp, int hint) 2510 { 2511 const struct crypto_session_params *csp; 2512 struct ccr_softc *sc; 2513 struct ccr_session *s; 2514 int error; 2515 2516 csp = crypto_get_params(crp->crp_session); 2517 s = crypto_get_driver_session(crp->crp_session); 2518 sc = device_get_softc(dev); 2519 2520 mtx_lock(&sc->lock); 2521 error = ccr_populate_sglist(sc->sg_crp, crp); 2522 if (error) { 2523 sc->stats_sglist_error++; 2524 goto out; 2525 } 2526 2527 switch (s->mode) { 2528 case HASH: 2529 error = ccr_hash(sc, s, crp); 2530 if (error == 0) 2531 sc->stats_hash++; 2532 break; 2533 case HMAC: 2534 if (crp->crp_auth_key != NULL) 2535 t4_init_hmac_digest(s->hmac.auth_hash, 2536 s->hmac.partial_digest_len, crp->crp_auth_key, 2537 csp->csp_auth_klen, s->hmac.pads); 2538 error = ccr_hash(sc, s, crp); 2539 if (error == 0) 2540 sc->stats_hmac++; 2541 break; 2542 case BLKCIPHER: 2543 if (crp->crp_cipher_key != NULL) 2544 ccr_aes_setkey(s, crp->crp_cipher_key, 2545 csp->csp_cipher_klen); 2546 error = ccr_blkcipher(sc, s, crp); 2547 if (error == 0) { 2548 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2549 sc->stats_blkcipher_encrypt++; 2550 else 2551 sc->stats_blkcipher_decrypt++; 2552 } 2553 break; 2554 case ETA: 2555 if (crp->crp_auth_key != NULL) 2556 t4_init_hmac_digest(s->hmac.auth_hash, 2557 s->hmac.partial_digest_len, crp->crp_auth_key, 2558 csp->csp_auth_klen, s->hmac.pads); 2559 if (crp->crp_cipher_key != NULL) 2560 ccr_aes_setkey(s, crp->crp_cipher_key, 2561 csp->csp_cipher_klen); 2562 error = ccr_eta(sc, s, crp); 2563 if (error == 0) { 2564 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2565 sc->stats_eta_encrypt++; 2566 else 2567 sc->stats_eta_decrypt++; 2568 } 2569 break; 2570 case GCM: 2571 if (crp->crp_cipher_key != NULL) { 2572 t4_init_gmac_hash(crp->crp_cipher_key, 2573 csp->csp_cipher_klen, s->gmac.ghash_h); 2574 ccr_aes_setkey(s, crp->crp_cipher_key, 2575 csp->csp_cipher_klen); 2576 } 2577 if (crp->crp_payload_length == 0) { 2578 mtx_unlock(&sc->lock); 2579 ccr_gcm_soft(s, crp); 2580 return (0); 2581 } 2582 error = ccr_gcm(sc, s, crp); 2583 if (error == EMSGSIZE) { 2584 sc->stats_sw_fallback++; 2585 mtx_unlock(&sc->lock); 2586 ccr_gcm_soft(s, crp); 2587 return (0); 2588 } 2589 if (error == 0) { 2590 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2591 sc->stats_gcm_encrypt++; 2592 else 2593 sc->stats_gcm_decrypt++; 2594 } 2595 break; 2596 case CCM: 2597 if (crp->crp_cipher_key != NULL) { 2598 ccr_aes_setkey(s, crp->crp_cipher_key, 2599 csp->csp_cipher_klen); 2600 } 2601 error = ccr_ccm(sc, s, crp); 2602 if (error == EMSGSIZE) { 2603 sc->stats_sw_fallback++; 2604 mtx_unlock(&sc->lock); 2605 ccr_ccm_soft(s, crp); 2606 return (0); 2607 } 2608 if (error == 0) { 2609 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2610 sc->stats_ccm_encrypt++; 2611 else 2612 sc->stats_ccm_decrypt++; 2613 } 2614 break; 2615 } 2616 2617 if (error == 0) { 2618 s->pending++; 2619 sc->stats_inflight++; 2620 } else 2621 sc->stats_process_error++; 2622 2623 out: 2624 mtx_unlock(&sc->lock); 2625 2626 if (error) { 2627 crp->crp_etype = error; 2628 crypto_done(crp); 2629 } 2630 2631 return (0); 2632 } 2633 2634 static int 2635 do_cpl6_fw_pld(struct sge_iq *iq, const struct rss_header *rss, 2636 struct mbuf *m) 2637 { 2638 struct ccr_softc *sc = iq->adapter->ccr_softc; 2639 struct ccr_session *s; 2640 const struct cpl_fw6_pld *cpl; 2641 struct cryptop *crp; 2642 uint32_t status; 2643 int error; 2644 2645 if (m != NULL) 2646 cpl = mtod(m, const void *); 2647 else 2648 cpl = (const void *)(rss + 1); 2649 2650 crp = (struct cryptop *)(uintptr_t)be64toh(cpl->data[1]); 2651 s = crypto_get_driver_session(crp->crp_session); 2652 status = be64toh(cpl->data[0]); 2653 if (CHK_MAC_ERR_BIT(status) || CHK_PAD_ERR_BIT(status)) 2654 error = EBADMSG; 2655 else 2656 error = 0; 2657 2658 mtx_lock(&sc->lock); 2659 s->pending--; 2660 sc->stats_inflight--; 2661 2662 switch (s->mode) { 2663 case HASH: 2664 case HMAC: 2665 error = ccr_hash_done(sc, s, crp, cpl, error); 2666 break; 2667 case BLKCIPHER: 2668 error = ccr_blkcipher_done(sc, s, crp, cpl, error); 2669 break; 2670 case ETA: 2671 error = ccr_eta_done(sc, s, crp, cpl, error); 2672 break; 2673 case GCM: 2674 error = ccr_gcm_done(sc, s, crp, cpl, error); 2675 break; 2676 case CCM: 2677 error = ccr_ccm_done(sc, s, crp, cpl, error); 2678 break; 2679 } 2680 2681 if (error == EBADMSG) { 2682 if (CHK_MAC_ERR_BIT(status)) 2683 sc->stats_mac_error++; 2684 if (CHK_PAD_ERR_BIT(status)) 2685 sc->stats_pad_error++; 2686 } 2687 mtx_unlock(&sc->lock); 2688 crp->crp_etype = error; 2689 crypto_done(crp); 2690 m_freem(m); 2691 return (0); 2692 } 2693 2694 static int 2695 ccr_modevent(module_t mod, int cmd, void *arg) 2696 { 2697 2698 switch (cmd) { 2699 case MOD_LOAD: 2700 t4_register_cpl_handler(CPL_FW6_PLD, do_cpl6_fw_pld); 2701 return (0); 2702 case MOD_UNLOAD: 2703 t4_register_cpl_handler(CPL_FW6_PLD, NULL); 2704 return (0); 2705 default: 2706 return (EOPNOTSUPP); 2707 } 2708 } 2709 2710 static device_method_t ccr_methods[] = { 2711 DEVMETHOD(device_identify, ccr_identify), 2712 DEVMETHOD(device_probe, ccr_probe), 2713 DEVMETHOD(device_attach, ccr_attach), 2714 DEVMETHOD(device_detach, ccr_detach), 2715 2716 DEVMETHOD(cryptodev_probesession, ccr_probesession), 2717 DEVMETHOD(cryptodev_newsession, ccr_newsession), 2718 DEVMETHOD(cryptodev_freesession, ccr_freesession), 2719 DEVMETHOD(cryptodev_process, ccr_process), 2720 2721 DEVMETHOD_END 2722 }; 2723 2724 static driver_t ccr_driver = { 2725 "ccr", 2726 ccr_methods, 2727 sizeof(struct ccr_softc) 2728 }; 2729 2730 static devclass_t ccr_devclass; 2731 2732 DRIVER_MODULE(ccr, t6nex, ccr_driver, ccr_devclass, ccr_modevent, NULL); 2733 MODULE_VERSION(ccr, 1); 2734 MODULE_DEPEND(ccr, crypto, 1, 1, 1); 2735 MODULE_DEPEND(ccr, t6nex, 1, 1, 1); 2736