1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * linux/arch/arm64/crypto/aes-glue.c - wrapper code for ARMv8 AES 4 * 5 * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org> 6 */ 7 8 #include <crypto/aes.h> 9 #include <crypto/ctr.h> 10 #include <crypto/internal/skcipher.h> 11 #include <crypto/scatterwalk.h> 12 #include <crypto/sha2.h> 13 #include <crypto/utils.h> 14 #include <crypto/xts.h> 15 #include <linux/cpufeature.h> 16 #include <linux/kernel.h> 17 #include <linux/module.h> 18 #include <linux/string.h> 19 20 #include <asm/hwcap.h> 21 #include <asm/simd.h> 22 23 #ifdef USE_V8_CRYPTO_EXTENSIONS 24 #define MODE "ce" 25 #define PRIO 300 26 #define aes_expandkey ce_aes_expandkey 27 #define aes_ecb_encrypt ce_aes_ecb_encrypt 28 #define aes_ecb_decrypt ce_aes_ecb_decrypt 29 #define aes_cbc_encrypt ce_aes_cbc_encrypt 30 #define aes_cbc_decrypt ce_aes_cbc_decrypt 31 #define aes_cbc_cts_encrypt ce_aes_cbc_cts_encrypt 32 #define aes_cbc_cts_decrypt ce_aes_cbc_cts_decrypt 33 #define aes_essiv_cbc_encrypt ce_aes_essiv_cbc_encrypt 34 #define aes_essiv_cbc_decrypt ce_aes_essiv_cbc_decrypt 35 #define aes_ctr_encrypt ce_aes_ctr_encrypt 36 #define aes_xctr_encrypt ce_aes_xctr_encrypt 37 #define aes_xts_encrypt ce_aes_xts_encrypt 38 #define aes_xts_decrypt ce_aes_xts_decrypt 39 MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS/XCTR using ARMv8 Crypto Extensions"); 40 #else 41 #define MODE "neon" 42 #define PRIO 200 43 #define aes_ecb_encrypt neon_aes_ecb_encrypt 44 #define aes_ecb_decrypt neon_aes_ecb_decrypt 45 #define aes_cbc_encrypt neon_aes_cbc_encrypt 46 #define aes_cbc_decrypt neon_aes_cbc_decrypt 47 #define aes_cbc_cts_encrypt neon_aes_cbc_cts_encrypt 48 #define aes_cbc_cts_decrypt neon_aes_cbc_cts_decrypt 49 #define aes_essiv_cbc_encrypt neon_aes_essiv_cbc_encrypt 50 #define aes_essiv_cbc_decrypt neon_aes_essiv_cbc_decrypt 51 #define aes_ctr_encrypt neon_aes_ctr_encrypt 52 #define aes_xctr_encrypt neon_aes_xctr_encrypt 53 #define aes_xts_encrypt neon_aes_xts_encrypt 54 #define aes_xts_decrypt neon_aes_xts_decrypt 55 MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS/XCTR using ARMv8 NEON"); 56 #endif 57 #if defined(USE_V8_CRYPTO_EXTENSIONS) || !IS_ENABLED(CONFIG_CRYPTO_AES_ARM64_BS) 58 MODULE_ALIAS_CRYPTO("ecb(aes)"); 59 MODULE_ALIAS_CRYPTO("cbc(aes)"); 60 MODULE_ALIAS_CRYPTO("ctr(aes)"); 61 MODULE_ALIAS_CRYPTO("xts(aes)"); 62 MODULE_ALIAS_CRYPTO("xctr(aes)"); 63 #endif 64 MODULE_ALIAS_CRYPTO("cts(cbc(aes))"); 65 MODULE_ALIAS_CRYPTO("essiv(cbc(aes),sha256)"); 66 67 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 68 MODULE_IMPORT_NS("CRYPTO_INTERNAL"); 69 MODULE_LICENSE("GPL v2"); 70 71 struct crypto_aes_xts_ctx { 72 struct crypto_aes_ctx key1; 73 struct crypto_aes_ctx __aligned(8) key2; 74 }; 75 76 struct crypto_aes_essiv_cbc_ctx { 77 struct crypto_aes_ctx key1; 78 struct crypto_aes_ctx __aligned(8) key2; 79 }; 80 81 static int skcipher_aes_setkey(struct crypto_skcipher *tfm, const u8 *in_key, 82 unsigned int key_len) 83 { 84 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 85 86 return aes_expandkey(ctx, in_key, key_len); 87 } 88 89 static int __maybe_unused xts_set_key(struct crypto_skcipher *tfm, 90 const u8 *in_key, unsigned int key_len) 91 { 92 struct crypto_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm); 93 int ret; 94 95 ret = xts_verify_key(tfm, in_key, key_len); 96 if (ret) 97 return ret; 98 99 ret = aes_expandkey(&ctx->key1, in_key, key_len / 2); 100 if (!ret) 101 ret = aes_expandkey(&ctx->key2, &in_key[key_len / 2], 102 key_len / 2); 103 return ret; 104 } 105 106 static int __maybe_unused essiv_cbc_set_key(struct crypto_skcipher *tfm, 107 const u8 *in_key, 108 unsigned int key_len) 109 { 110 struct crypto_aes_essiv_cbc_ctx *ctx = crypto_skcipher_ctx(tfm); 111 u8 digest[SHA256_DIGEST_SIZE]; 112 int ret; 113 114 ret = aes_expandkey(&ctx->key1, in_key, key_len); 115 if (ret) 116 return ret; 117 118 sha256(in_key, key_len, digest); 119 120 return aes_expandkey(&ctx->key2, digest, sizeof(digest)); 121 } 122 123 static int __maybe_unused ecb_encrypt(struct skcipher_request *req) 124 { 125 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 126 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 127 int err, rounds = 6 + ctx->key_length / 4; 128 struct skcipher_walk walk; 129 unsigned int blocks; 130 131 err = skcipher_walk_virt(&walk, req, false); 132 133 while ((blocks = (walk.nbytes / AES_BLOCK_SIZE))) { 134 scoped_ksimd() 135 aes_ecb_encrypt(walk.dst.virt.addr, walk.src.virt.addr, 136 ctx->key_enc, rounds, blocks); 137 err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE); 138 } 139 return err; 140 } 141 142 static int __maybe_unused ecb_decrypt(struct skcipher_request *req) 143 { 144 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 145 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 146 int err, rounds = 6 + ctx->key_length / 4; 147 struct skcipher_walk walk; 148 unsigned int blocks; 149 150 err = skcipher_walk_virt(&walk, req, false); 151 152 while ((blocks = (walk.nbytes / AES_BLOCK_SIZE))) { 153 scoped_ksimd() 154 aes_ecb_decrypt(walk.dst.virt.addr, walk.src.virt.addr, 155 ctx->key_dec, rounds, blocks); 156 err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE); 157 } 158 return err; 159 } 160 161 static int cbc_encrypt_walk(struct skcipher_request *req, 162 struct skcipher_walk *walk) 163 { 164 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 165 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 166 int err = 0, rounds = 6 + ctx->key_length / 4; 167 unsigned int blocks; 168 169 while ((blocks = (walk->nbytes / AES_BLOCK_SIZE))) { 170 scoped_ksimd() 171 aes_cbc_encrypt(walk->dst.virt.addr, walk->src.virt.addr, 172 ctx->key_enc, rounds, blocks, walk->iv); 173 err = skcipher_walk_done(walk, walk->nbytes % AES_BLOCK_SIZE); 174 } 175 return err; 176 } 177 178 static int __maybe_unused cbc_encrypt(struct skcipher_request *req) 179 { 180 struct skcipher_walk walk; 181 int err; 182 183 err = skcipher_walk_virt(&walk, req, false); 184 if (err) 185 return err; 186 return cbc_encrypt_walk(req, &walk); 187 } 188 189 static int cbc_decrypt_walk(struct skcipher_request *req, 190 struct skcipher_walk *walk) 191 { 192 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 193 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 194 int err = 0, rounds = 6 + ctx->key_length / 4; 195 unsigned int blocks; 196 197 while ((blocks = (walk->nbytes / AES_BLOCK_SIZE))) { 198 scoped_ksimd() 199 aes_cbc_decrypt(walk->dst.virt.addr, walk->src.virt.addr, 200 ctx->key_dec, rounds, blocks, walk->iv); 201 err = skcipher_walk_done(walk, walk->nbytes % AES_BLOCK_SIZE); 202 } 203 return err; 204 } 205 206 static int __maybe_unused cbc_decrypt(struct skcipher_request *req) 207 { 208 struct skcipher_walk walk; 209 int err; 210 211 err = skcipher_walk_virt(&walk, req, false); 212 if (err) 213 return err; 214 return cbc_decrypt_walk(req, &walk); 215 } 216 217 static int cts_cbc_encrypt(struct skcipher_request *req) 218 { 219 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 220 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 221 int err, rounds = 6 + ctx->key_length / 4; 222 int cbc_blocks = DIV_ROUND_UP(req->cryptlen, AES_BLOCK_SIZE) - 2; 223 struct scatterlist *src = req->src, *dst = req->dst; 224 struct scatterlist sg_src[2], sg_dst[2]; 225 struct skcipher_request subreq; 226 struct skcipher_walk walk; 227 228 skcipher_request_set_tfm(&subreq, tfm); 229 skcipher_request_set_callback(&subreq, skcipher_request_flags(req), 230 NULL, NULL); 231 232 if (req->cryptlen <= AES_BLOCK_SIZE) { 233 if (req->cryptlen < AES_BLOCK_SIZE) 234 return -EINVAL; 235 cbc_blocks = 1; 236 } 237 238 if (cbc_blocks > 0) { 239 skcipher_request_set_crypt(&subreq, req->src, req->dst, 240 cbc_blocks * AES_BLOCK_SIZE, 241 req->iv); 242 243 err = skcipher_walk_virt(&walk, &subreq, false) ?: 244 cbc_encrypt_walk(&subreq, &walk); 245 if (err) 246 return err; 247 248 if (req->cryptlen == AES_BLOCK_SIZE) 249 return 0; 250 251 dst = src = scatterwalk_ffwd(sg_src, req->src, subreq.cryptlen); 252 if (req->dst != req->src) 253 dst = scatterwalk_ffwd(sg_dst, req->dst, 254 subreq.cryptlen); 255 } 256 257 /* handle ciphertext stealing */ 258 skcipher_request_set_crypt(&subreq, src, dst, 259 req->cryptlen - cbc_blocks * AES_BLOCK_SIZE, 260 req->iv); 261 262 err = skcipher_walk_virt(&walk, &subreq, false); 263 if (err) 264 return err; 265 266 scoped_ksimd() 267 aes_cbc_cts_encrypt(walk.dst.virt.addr, walk.src.virt.addr, 268 ctx->key_enc, rounds, walk.nbytes, walk.iv); 269 270 return skcipher_walk_done(&walk, 0); 271 } 272 273 static int cts_cbc_decrypt(struct skcipher_request *req) 274 { 275 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 276 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 277 int err, rounds = 6 + ctx->key_length / 4; 278 int cbc_blocks = DIV_ROUND_UP(req->cryptlen, AES_BLOCK_SIZE) - 2; 279 struct scatterlist *src = req->src, *dst = req->dst; 280 struct scatterlist sg_src[2], sg_dst[2]; 281 struct skcipher_request subreq; 282 struct skcipher_walk walk; 283 284 skcipher_request_set_tfm(&subreq, tfm); 285 skcipher_request_set_callback(&subreq, skcipher_request_flags(req), 286 NULL, NULL); 287 288 if (req->cryptlen <= AES_BLOCK_SIZE) { 289 if (req->cryptlen < AES_BLOCK_SIZE) 290 return -EINVAL; 291 cbc_blocks = 1; 292 } 293 294 if (cbc_blocks > 0) { 295 skcipher_request_set_crypt(&subreq, req->src, req->dst, 296 cbc_blocks * AES_BLOCK_SIZE, 297 req->iv); 298 299 err = skcipher_walk_virt(&walk, &subreq, false) ?: 300 cbc_decrypt_walk(&subreq, &walk); 301 if (err) 302 return err; 303 304 if (req->cryptlen == AES_BLOCK_SIZE) 305 return 0; 306 307 dst = src = scatterwalk_ffwd(sg_src, req->src, subreq.cryptlen); 308 if (req->dst != req->src) 309 dst = scatterwalk_ffwd(sg_dst, req->dst, 310 subreq.cryptlen); 311 } 312 313 /* handle ciphertext stealing */ 314 skcipher_request_set_crypt(&subreq, src, dst, 315 req->cryptlen - cbc_blocks * AES_BLOCK_SIZE, 316 req->iv); 317 318 err = skcipher_walk_virt(&walk, &subreq, false); 319 if (err) 320 return err; 321 322 scoped_ksimd() 323 aes_cbc_cts_decrypt(walk.dst.virt.addr, walk.src.virt.addr, 324 ctx->key_dec, rounds, walk.nbytes, walk.iv); 325 326 return skcipher_walk_done(&walk, 0); 327 } 328 329 static int __maybe_unused essiv_cbc_encrypt(struct skcipher_request *req) 330 { 331 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 332 struct crypto_aes_essiv_cbc_ctx *ctx = crypto_skcipher_ctx(tfm); 333 int err, rounds = 6 + ctx->key1.key_length / 4; 334 struct skcipher_walk walk; 335 unsigned int blocks; 336 337 err = skcipher_walk_virt(&walk, req, false); 338 339 blocks = walk.nbytes / AES_BLOCK_SIZE; 340 if (blocks) { 341 scoped_ksimd() 342 aes_essiv_cbc_encrypt(walk.dst.virt.addr, 343 walk.src.virt.addr, 344 ctx->key1.key_enc, rounds, blocks, 345 req->iv, ctx->key2.key_enc); 346 err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE); 347 } 348 return err ?: cbc_encrypt_walk(req, &walk); 349 } 350 351 static int __maybe_unused essiv_cbc_decrypt(struct skcipher_request *req) 352 { 353 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 354 struct crypto_aes_essiv_cbc_ctx *ctx = crypto_skcipher_ctx(tfm); 355 int err, rounds = 6 + ctx->key1.key_length / 4; 356 struct skcipher_walk walk; 357 unsigned int blocks; 358 359 err = skcipher_walk_virt(&walk, req, false); 360 361 blocks = walk.nbytes / AES_BLOCK_SIZE; 362 if (blocks) { 363 scoped_ksimd() 364 aes_essiv_cbc_decrypt(walk.dst.virt.addr, 365 walk.src.virt.addr, 366 ctx->key1.key_dec, rounds, blocks, 367 req->iv, ctx->key2.key_enc); 368 err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE); 369 } 370 return err ?: cbc_decrypt_walk(req, &walk); 371 } 372 373 static int __maybe_unused xctr_encrypt(struct skcipher_request *req) 374 { 375 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 376 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 377 int err, rounds = 6 + ctx->key_length / 4; 378 struct skcipher_walk walk; 379 unsigned int byte_ctr = 0; 380 381 err = skcipher_walk_virt(&walk, req, false); 382 383 while (walk.nbytes > 0) { 384 const u8 *src = walk.src.virt.addr; 385 unsigned int nbytes = walk.nbytes; 386 u8 *dst = walk.dst.virt.addr; 387 u8 buf[AES_BLOCK_SIZE]; 388 389 /* 390 * If given less than 16 bytes, we must copy the partial block 391 * into a temporary buffer of 16 bytes to avoid out of bounds 392 * reads and writes. Furthermore, this code is somewhat unusual 393 * in that it expects the end of the data to be at the end of 394 * the temporary buffer, rather than the start of the data at 395 * the start of the temporary buffer. 396 */ 397 if (unlikely(nbytes < AES_BLOCK_SIZE)) 398 src = dst = memcpy(buf + sizeof(buf) - nbytes, 399 src, nbytes); 400 else if (nbytes < walk.total) 401 nbytes &= ~(AES_BLOCK_SIZE - 1); 402 403 scoped_ksimd() 404 aes_xctr_encrypt(dst, src, ctx->key_enc, rounds, nbytes, 405 walk.iv, byte_ctr); 406 407 if (unlikely(nbytes < AES_BLOCK_SIZE)) 408 memcpy(walk.dst.virt.addr, 409 buf + sizeof(buf) - nbytes, nbytes); 410 byte_ctr += nbytes; 411 412 err = skcipher_walk_done(&walk, walk.nbytes - nbytes); 413 } 414 415 return err; 416 } 417 418 static int __maybe_unused ctr_encrypt(struct skcipher_request *req) 419 { 420 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 421 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 422 int err, rounds = 6 + ctx->key_length / 4; 423 struct skcipher_walk walk; 424 425 err = skcipher_walk_virt(&walk, req, false); 426 427 while (walk.nbytes > 0) { 428 const u8 *src = walk.src.virt.addr; 429 unsigned int nbytes = walk.nbytes; 430 u8 *dst = walk.dst.virt.addr; 431 u8 buf[AES_BLOCK_SIZE]; 432 433 /* 434 * If given less than 16 bytes, we must copy the partial block 435 * into a temporary buffer of 16 bytes to avoid out of bounds 436 * reads and writes. Furthermore, this code is somewhat unusual 437 * in that it expects the end of the data to be at the end of 438 * the temporary buffer, rather than the start of the data at 439 * the start of the temporary buffer. 440 */ 441 if (unlikely(nbytes < AES_BLOCK_SIZE)) 442 src = dst = memcpy(buf + sizeof(buf) - nbytes, 443 src, nbytes); 444 else if (nbytes < walk.total) 445 nbytes &= ~(AES_BLOCK_SIZE - 1); 446 447 scoped_ksimd() 448 aes_ctr_encrypt(dst, src, ctx->key_enc, rounds, nbytes, 449 walk.iv); 450 451 if (unlikely(nbytes < AES_BLOCK_SIZE)) 452 memcpy(walk.dst.virt.addr, 453 buf + sizeof(buf) - nbytes, nbytes); 454 455 err = skcipher_walk_done(&walk, walk.nbytes - nbytes); 456 } 457 458 return err; 459 } 460 461 static int __maybe_unused xts_encrypt(struct skcipher_request *req) 462 { 463 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 464 struct crypto_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm); 465 int err, first, rounds = 6 + ctx->key1.key_length / 4; 466 int tail = req->cryptlen % AES_BLOCK_SIZE; 467 struct scatterlist sg_src[2], sg_dst[2]; 468 struct skcipher_request subreq; 469 struct scatterlist *src, *dst; 470 struct skcipher_walk walk; 471 472 if (req->cryptlen < AES_BLOCK_SIZE) 473 return -EINVAL; 474 475 err = skcipher_walk_virt(&walk, req, false); 476 477 if (unlikely(tail > 0 && walk.nbytes < walk.total)) { 478 int xts_blocks = DIV_ROUND_UP(req->cryptlen, 479 AES_BLOCK_SIZE) - 2; 480 481 skcipher_walk_abort(&walk); 482 483 skcipher_request_set_tfm(&subreq, tfm); 484 skcipher_request_set_callback(&subreq, 485 skcipher_request_flags(req), 486 NULL, NULL); 487 skcipher_request_set_crypt(&subreq, req->src, req->dst, 488 xts_blocks * AES_BLOCK_SIZE, 489 req->iv); 490 req = &subreq; 491 err = skcipher_walk_virt(&walk, req, false); 492 } else { 493 tail = 0; 494 } 495 496 scoped_ksimd() { 497 for (first = 1; walk.nbytes >= AES_BLOCK_SIZE; first = 0) { 498 int nbytes = walk.nbytes; 499 500 if (walk.nbytes < walk.total) 501 nbytes &= ~(AES_BLOCK_SIZE - 1); 502 503 aes_xts_encrypt(walk.dst.virt.addr, walk.src.virt.addr, 504 ctx->key1.key_enc, rounds, nbytes, 505 ctx->key2.key_enc, walk.iv, first); 506 err = skcipher_walk_done(&walk, walk.nbytes - nbytes); 507 } 508 509 if (err || likely(!tail)) 510 return err; 511 512 dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen); 513 if (req->dst != req->src) 514 dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen); 515 516 skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail, 517 req->iv); 518 519 err = skcipher_walk_virt(&walk, &subreq, false); 520 if (err) 521 return err; 522 523 aes_xts_encrypt(walk.dst.virt.addr, walk.src.virt.addr, 524 ctx->key1.key_enc, rounds, walk.nbytes, 525 ctx->key2.key_enc, walk.iv, first); 526 } 527 return skcipher_walk_done(&walk, 0); 528 } 529 530 static int __maybe_unused xts_decrypt(struct skcipher_request *req) 531 { 532 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 533 struct crypto_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm); 534 int err, first, rounds = 6 + ctx->key1.key_length / 4; 535 int tail = req->cryptlen % AES_BLOCK_SIZE; 536 struct scatterlist sg_src[2], sg_dst[2]; 537 struct skcipher_request subreq; 538 struct scatterlist *src, *dst; 539 struct skcipher_walk walk; 540 541 if (req->cryptlen < AES_BLOCK_SIZE) 542 return -EINVAL; 543 544 err = skcipher_walk_virt(&walk, req, false); 545 546 if (unlikely(tail > 0 && walk.nbytes < walk.total)) { 547 int xts_blocks = DIV_ROUND_UP(req->cryptlen, 548 AES_BLOCK_SIZE) - 2; 549 550 skcipher_walk_abort(&walk); 551 552 skcipher_request_set_tfm(&subreq, tfm); 553 skcipher_request_set_callback(&subreq, 554 skcipher_request_flags(req), 555 NULL, NULL); 556 skcipher_request_set_crypt(&subreq, req->src, req->dst, 557 xts_blocks * AES_BLOCK_SIZE, 558 req->iv); 559 req = &subreq; 560 err = skcipher_walk_virt(&walk, req, false); 561 } else { 562 tail = 0; 563 } 564 565 scoped_ksimd() { 566 for (first = 1; walk.nbytes >= AES_BLOCK_SIZE; first = 0) { 567 int nbytes = walk.nbytes; 568 569 if (walk.nbytes < walk.total) 570 nbytes &= ~(AES_BLOCK_SIZE - 1); 571 572 aes_xts_decrypt(walk.dst.virt.addr, walk.src.virt.addr, 573 ctx->key1.key_dec, rounds, nbytes, 574 ctx->key2.key_enc, walk.iv, first); 575 err = skcipher_walk_done(&walk, walk.nbytes - nbytes); 576 } 577 578 if (err || likely(!tail)) 579 return err; 580 581 dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen); 582 if (req->dst != req->src) 583 dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen); 584 585 skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail, 586 req->iv); 587 588 err = skcipher_walk_virt(&walk, &subreq, false); 589 if (err) 590 return err; 591 592 aes_xts_decrypt(walk.dst.virt.addr, walk.src.virt.addr, 593 ctx->key1.key_dec, rounds, walk.nbytes, 594 ctx->key2.key_enc, walk.iv, first); 595 } 596 return skcipher_walk_done(&walk, 0); 597 } 598 599 static struct skcipher_alg aes_algs[] = { { 600 #if defined(USE_V8_CRYPTO_EXTENSIONS) || !IS_ENABLED(CONFIG_CRYPTO_AES_ARM64_BS) 601 .base = { 602 .cra_name = "ecb(aes)", 603 .cra_driver_name = "ecb-aes-" MODE, 604 .cra_priority = PRIO, 605 .cra_blocksize = AES_BLOCK_SIZE, 606 .cra_ctxsize = sizeof(struct crypto_aes_ctx), 607 .cra_module = THIS_MODULE, 608 }, 609 .min_keysize = AES_MIN_KEY_SIZE, 610 .max_keysize = AES_MAX_KEY_SIZE, 611 .setkey = skcipher_aes_setkey, 612 .encrypt = ecb_encrypt, 613 .decrypt = ecb_decrypt, 614 }, { 615 .base = { 616 .cra_name = "cbc(aes)", 617 .cra_driver_name = "cbc-aes-" MODE, 618 .cra_priority = PRIO, 619 .cra_blocksize = AES_BLOCK_SIZE, 620 .cra_ctxsize = sizeof(struct crypto_aes_ctx), 621 .cra_module = THIS_MODULE, 622 }, 623 .min_keysize = AES_MIN_KEY_SIZE, 624 .max_keysize = AES_MAX_KEY_SIZE, 625 .ivsize = AES_BLOCK_SIZE, 626 .setkey = skcipher_aes_setkey, 627 .encrypt = cbc_encrypt, 628 .decrypt = cbc_decrypt, 629 }, { 630 .base = { 631 .cra_name = "ctr(aes)", 632 .cra_driver_name = "ctr-aes-" MODE, 633 .cra_priority = PRIO, 634 .cra_blocksize = 1, 635 .cra_ctxsize = sizeof(struct crypto_aes_ctx), 636 .cra_module = THIS_MODULE, 637 }, 638 .min_keysize = AES_MIN_KEY_SIZE, 639 .max_keysize = AES_MAX_KEY_SIZE, 640 .ivsize = AES_BLOCK_SIZE, 641 .chunksize = AES_BLOCK_SIZE, 642 .setkey = skcipher_aes_setkey, 643 .encrypt = ctr_encrypt, 644 .decrypt = ctr_encrypt, 645 }, { 646 .base = { 647 .cra_name = "xctr(aes)", 648 .cra_driver_name = "xctr-aes-" MODE, 649 .cra_priority = PRIO, 650 .cra_blocksize = 1, 651 .cra_ctxsize = sizeof(struct crypto_aes_ctx), 652 .cra_module = THIS_MODULE, 653 }, 654 .min_keysize = AES_MIN_KEY_SIZE, 655 .max_keysize = AES_MAX_KEY_SIZE, 656 .ivsize = AES_BLOCK_SIZE, 657 .chunksize = AES_BLOCK_SIZE, 658 .setkey = skcipher_aes_setkey, 659 .encrypt = xctr_encrypt, 660 .decrypt = xctr_encrypt, 661 }, { 662 .base = { 663 .cra_name = "xts(aes)", 664 .cra_driver_name = "xts-aes-" MODE, 665 .cra_priority = PRIO, 666 .cra_blocksize = AES_BLOCK_SIZE, 667 .cra_ctxsize = sizeof(struct crypto_aes_xts_ctx), 668 .cra_module = THIS_MODULE, 669 }, 670 .min_keysize = 2 * AES_MIN_KEY_SIZE, 671 .max_keysize = 2 * AES_MAX_KEY_SIZE, 672 .ivsize = AES_BLOCK_SIZE, 673 .walksize = 2 * AES_BLOCK_SIZE, 674 .setkey = xts_set_key, 675 .encrypt = xts_encrypt, 676 .decrypt = xts_decrypt, 677 }, { 678 #endif 679 .base = { 680 .cra_name = "cts(cbc(aes))", 681 .cra_driver_name = "cts-cbc-aes-" MODE, 682 .cra_priority = PRIO, 683 .cra_blocksize = AES_BLOCK_SIZE, 684 .cra_ctxsize = sizeof(struct crypto_aes_ctx), 685 .cra_module = THIS_MODULE, 686 }, 687 .min_keysize = AES_MIN_KEY_SIZE, 688 .max_keysize = AES_MAX_KEY_SIZE, 689 .ivsize = AES_BLOCK_SIZE, 690 .walksize = 2 * AES_BLOCK_SIZE, 691 .setkey = skcipher_aes_setkey, 692 .encrypt = cts_cbc_encrypt, 693 .decrypt = cts_cbc_decrypt, 694 }, { 695 .base = { 696 .cra_name = "essiv(cbc(aes),sha256)", 697 .cra_driver_name = "essiv-cbc-aes-sha256-" MODE, 698 .cra_priority = PRIO + 1, 699 .cra_blocksize = AES_BLOCK_SIZE, 700 .cra_ctxsize = sizeof(struct crypto_aes_essiv_cbc_ctx), 701 .cra_module = THIS_MODULE, 702 }, 703 .min_keysize = AES_MIN_KEY_SIZE, 704 .max_keysize = AES_MAX_KEY_SIZE, 705 .ivsize = AES_BLOCK_SIZE, 706 .setkey = essiv_cbc_set_key, 707 .encrypt = essiv_cbc_encrypt, 708 .decrypt = essiv_cbc_decrypt, 709 } }; 710 711 static void aes_exit(void) 712 { 713 crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs)); 714 } 715 716 static int __init aes_init(void) 717 { 718 return crypto_register_skciphers(aes_algs, ARRAY_SIZE(aes_algs)); 719 } 720 721 #ifdef USE_V8_CRYPTO_EXTENSIONS 722 module_cpu_feature_match(AES, aes_init); 723 #else 724 module_init(aes_init); 725 #endif 726 module_exit(aes_exit); 727