1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Cryptographic API. 4 * 5 * s390 implementation of the AES Cipher Algorithm with protected keys. 6 * 7 * s390 Version: 8 * Copyright IBM Corp. 2017, 2025 9 * Author(s): Martin Schwidefsky <schwidefsky@de.ibm.com> 10 * Harald Freudenberger <freude@de.ibm.com> 11 */ 12 13 #define pr_fmt(fmt) "paes_s390: " fmt 14 15 #include <linux/atomic.h> 16 #include <linux/cpufeature.h> 17 #include <linux/delay.h> 18 #include <linux/err.h> 19 #include <linux/init.h> 20 #include <linux/miscdevice.h> 21 #include <linux/module.h> 22 #include <linux/mutex.h> 23 #include <linux/spinlock.h> 24 #include <crypto/aes.h> 25 #include <crypto/algapi.h> 26 #include <crypto/engine.h> 27 #include <crypto/internal/skcipher.h> 28 #include <crypto/xts.h> 29 #include <asm/cpacf.h> 30 #include <asm/pkey.h> 31 32 /* 33 * Key blobs smaller/bigger than these defines are rejected 34 * by the common code even before the individual setkey function 35 * is called. As paes can handle different kinds of key blobs 36 * and padding is also possible, the limits need to be generous. 37 */ 38 #define PAES_MIN_KEYSIZE 16 39 #define PAES_MAX_KEYSIZE MAXEP11AESKEYBLOBSIZE 40 #define PAES_256_PROTKEY_SIZE (32 + 32) /* key + verification pattern */ 41 #define PXTS_256_PROTKEY_SIZE (32 + 32 + 32) /* k1 + k2 + verification pattern */ 42 43 static bool pkey_clrkey_allowed; 44 module_param_named(clrkey, pkey_clrkey_allowed, bool, 0444); 45 MODULE_PARM_DESC(clrkey, "Allow clear key material (default N)"); 46 47 static u8 *ctrblk; 48 static DEFINE_MUTEX(ctrblk_lock); 49 50 static cpacf_mask_t km_functions, kmc_functions, kmctr_functions; 51 52 static struct crypto_engine *paes_crypto_engine; 53 #define MAX_QLEN 10 54 55 /* 56 * protected key specific stuff 57 */ 58 59 struct paes_protkey { 60 u32 type; 61 u32 len; 62 u8 protkey[PXTS_256_PROTKEY_SIZE]; 63 }; 64 65 #define PK_STATE_NO_KEY 0 66 #define PK_STATE_CONVERT_IN_PROGRESS 1 67 #define PK_STATE_VALID 2 68 69 struct s390_paes_ctx { 70 /* source key material used to derive a protected key from */ 71 u8 keybuf[PAES_MAX_KEYSIZE]; 72 unsigned int keylen; 73 74 /* cpacf function code to use with this protected key type */ 75 long fc; 76 77 /* nr of requests enqueued via crypto engine which use this tfm ctx */ 78 atomic_t via_engine_ctr; 79 80 /* spinlock to atomic read/update all the following fields */ 81 spinlock_t pk_lock; 82 83 /* see PK_STATE* defines above, < 0 holds convert failure rc */ 84 int pk_state; 85 /* if state is valid, pk holds the protected key */ 86 struct paes_protkey pk; 87 }; 88 89 struct s390_pxts_ctx { 90 /* source key material used to derive a protected key from */ 91 u8 keybuf[2 * PAES_MAX_KEYSIZE]; 92 unsigned int keylen; 93 94 /* cpacf function code to use with this protected key type */ 95 long fc; 96 97 /* nr of requests enqueued via crypto engine which use this tfm ctx */ 98 atomic_t via_engine_ctr; 99 100 /* spinlock to atomic read/update all the following fields */ 101 spinlock_t pk_lock; 102 103 /* see PK_STATE* defines above, < 0 holds convert failure rc */ 104 int pk_state; 105 /* if state is valid, pk[] hold(s) the protected key(s) */ 106 struct paes_protkey pk[2]; 107 }; 108 109 /* 110 * make_clrkey_token() - wrap the raw key ck with pkey clearkey token 111 * information. 112 * @returns the size of the clearkey token 113 */ 114 static inline u32 make_clrkey_token(const u8 *ck, size_t cklen, u8 *dest) 115 { 116 struct clrkey_token { 117 u8 type; 118 u8 res0[3]; 119 u8 version; 120 u8 res1[3]; 121 u32 keytype; 122 u32 len; 123 u8 key[]; 124 } __packed *token = (struct clrkey_token *)dest; 125 126 token->type = 0x00; 127 token->version = 0x02; 128 token->keytype = (cklen - 8) >> 3; 129 token->len = cklen; 130 memcpy(token->key, ck, cklen); 131 132 return sizeof(*token) + cklen; 133 } 134 135 /* 136 * paes_ctx_setkey() - Set key value into context, maybe construct 137 * a clear key token digestible by pkey from a clear key value. 138 */ 139 static inline int paes_ctx_setkey(struct s390_paes_ctx *ctx, 140 const u8 *key, unsigned int keylen) 141 { 142 if (keylen > sizeof(ctx->keybuf)) 143 return -EINVAL; 144 145 switch (keylen) { 146 case 16: 147 case 24: 148 case 32: 149 /* clear key value, prepare pkey clear key token in keybuf */ 150 memset(ctx->keybuf, 0, sizeof(ctx->keybuf)); 151 ctx->keylen = make_clrkey_token(key, keylen, ctx->keybuf); 152 break; 153 default: 154 /* other key material, let pkey handle this */ 155 memcpy(ctx->keybuf, key, keylen); 156 ctx->keylen = keylen; 157 break; 158 } 159 160 return 0; 161 } 162 163 /* 164 * pxts_ctx_setkey() - Set key value into context, maybe construct 165 * a clear key token digestible by pkey from a clear key value. 166 */ 167 static inline int pxts_ctx_setkey(struct s390_pxts_ctx *ctx, 168 const u8 *key, unsigned int keylen) 169 { 170 size_t cklen = keylen / 2; 171 172 if (keylen > sizeof(ctx->keybuf)) 173 return -EINVAL; 174 175 switch (keylen) { 176 case 32: 177 case 64: 178 /* clear key value, prepare pkey clear key tokens in keybuf */ 179 memset(ctx->keybuf, 0, sizeof(ctx->keybuf)); 180 ctx->keylen = make_clrkey_token(key, cklen, ctx->keybuf); 181 ctx->keylen += make_clrkey_token(key + cklen, cklen, 182 ctx->keybuf + ctx->keylen); 183 break; 184 default: 185 /* other key material, let pkey handle this */ 186 memcpy(ctx->keybuf, key, keylen); 187 ctx->keylen = keylen; 188 break; 189 } 190 191 return 0; 192 } 193 194 /* 195 * Convert the raw key material into a protected key via PKEY api. 196 * This function may sleep - don't call in non-sleeping context. 197 */ 198 static inline int convert_key(const u8 *key, unsigned int keylen, 199 struct paes_protkey *pk, bool tested) 200 { 201 u32 xflags = PKEY_XFLAG_NOMEMALLOC; 202 int rc, i; 203 204 if (tested && !pkey_clrkey_allowed) 205 xflags |= PKEY_XFLAG_NOCLEARKEY; 206 207 pk->len = sizeof(pk->protkey); 208 209 /* 210 * In case of a busy card retry with increasing delay 211 * of 200, 400, 800 and 1600 ms - in total 3 s. 212 */ 213 for (rc = -EIO, i = 0; rc && i < 5; i++) { 214 if (rc == -EBUSY && msleep_interruptible((1 << i) * 100)) { 215 rc = -EINTR; 216 goto out; 217 } 218 rc = pkey_key2protkey(key, keylen, 219 pk->protkey, &pk->len, &pk->type, 220 xflags); 221 } 222 223 out: 224 pr_debug("rc=%d\n", rc); 225 return rc; 226 } 227 228 /* 229 * (Re-)Convert the raw key material from the ctx into a protected key 230 * via convert_key() function. Update the pk_state, pk_type, pk_len 231 * and the protected key in the tfm context. 232 * Please note this function may be invoked concurrently with the very 233 * same tfm context. The pk_lock spinlock in the context ensures an 234 * atomic update of the pk and the pk state but does not guarantee any 235 * order of update. So a fresh converted valid protected key may get 236 * updated with an 'old' expired key value. As the cpacf instructions 237 * detect this, refuse to operate with an invalid key and the calling 238 * code triggers a (re-)conversion this does no harm. This may lead to 239 * unnecessary additional conversion but never to invalid data on en- 240 * or decrypt operations. 241 */ 242 static int paes_convert_key(struct s390_paes_ctx *ctx, bool tested) 243 { 244 struct paes_protkey pk; 245 int rc; 246 247 spin_lock_bh(&ctx->pk_lock); 248 ctx->pk_state = PK_STATE_CONVERT_IN_PROGRESS; 249 spin_unlock_bh(&ctx->pk_lock); 250 251 rc = convert_key(ctx->keybuf, ctx->keylen, &pk, tested); 252 253 /* update context */ 254 spin_lock_bh(&ctx->pk_lock); 255 if (rc) { 256 ctx->pk_state = rc; 257 } else { 258 ctx->pk_state = PK_STATE_VALID; 259 ctx->pk = pk; 260 } 261 spin_unlock_bh(&ctx->pk_lock); 262 263 memzero_explicit(&pk, sizeof(pk)); 264 pr_debug("rc=%d\n", rc); 265 return rc; 266 } 267 268 /* 269 * (Re-)Convert the raw xts key material from the ctx into a 270 * protected key via convert_key() function. Update the pk_state, 271 * pk_type, pk_len and the protected key in the tfm context. 272 * See also comments on function paes_convert_key. 273 */ 274 static int pxts_convert_key(struct s390_pxts_ctx *ctx, bool tested) 275 { 276 struct paes_protkey pk0, pk1; 277 size_t split_keylen; 278 int rc; 279 280 spin_lock_bh(&ctx->pk_lock); 281 ctx->pk_state = PK_STATE_CONVERT_IN_PROGRESS; 282 spin_unlock_bh(&ctx->pk_lock); 283 284 rc = convert_key(ctx->keybuf, ctx->keylen, &pk0, tested); 285 if (rc) 286 goto out; 287 288 switch (pk0.type) { 289 case PKEY_KEYTYPE_AES_128: 290 case PKEY_KEYTYPE_AES_256: 291 /* second keytoken required */ 292 if (ctx->keylen % 2) { 293 rc = -EINVAL; 294 goto out; 295 } 296 split_keylen = ctx->keylen / 2; 297 rc = convert_key(ctx->keybuf + split_keylen, 298 split_keylen, &pk1, tested); 299 if (rc) 300 goto out; 301 if (pk0.type != pk1.type) { 302 rc = -EINVAL; 303 goto out; 304 } 305 break; 306 case PKEY_KEYTYPE_AES_XTS_128: 307 case PKEY_KEYTYPE_AES_XTS_256: 308 /* single key */ 309 pk1.type = 0; 310 break; 311 default: 312 /* unsupported protected keytype */ 313 rc = -EINVAL; 314 goto out; 315 } 316 317 out: 318 /* update context */ 319 spin_lock_bh(&ctx->pk_lock); 320 if (rc) { 321 ctx->pk_state = rc; 322 } else { 323 ctx->pk_state = PK_STATE_VALID; 324 ctx->pk[0] = pk0; 325 ctx->pk[1] = pk1; 326 } 327 spin_unlock_bh(&ctx->pk_lock); 328 329 memzero_explicit(&pk0, sizeof(pk0)); 330 memzero_explicit(&pk1, sizeof(pk1)); 331 pr_debug("rc=%d\n", rc); 332 return rc; 333 } 334 335 /* 336 * PAES ECB implementation 337 */ 338 339 struct ecb_param { 340 u8 key[PAES_256_PROTKEY_SIZE]; 341 } __packed; 342 343 struct s390_pecb_req_ctx { 344 unsigned long modifier; 345 struct skcipher_walk walk; 346 bool param_init_done; 347 struct ecb_param param; 348 }; 349 350 static int ecb_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key, 351 unsigned int key_len) 352 { 353 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 354 bool tested = crypto_skcipher_tested(tfm); 355 long fc; 356 int rc; 357 358 /* set raw key into context */ 359 rc = paes_ctx_setkey(ctx, in_key, key_len); 360 if (rc) 361 goto out; 362 363 /* convert key into protected key */ 364 rc = paes_convert_key(ctx, tested); 365 if (rc) 366 goto out; 367 368 /* Pick the correct function code based on the protected key type */ 369 switch (ctx->pk.type) { 370 case PKEY_KEYTYPE_AES_128: 371 fc = CPACF_KM_PAES_128; 372 break; 373 case PKEY_KEYTYPE_AES_192: 374 fc = CPACF_KM_PAES_192; 375 break; 376 case PKEY_KEYTYPE_AES_256: 377 fc = CPACF_KM_PAES_256; 378 break; 379 default: 380 fc = 0; 381 break; 382 } 383 ctx->fc = (fc && cpacf_test_func(&km_functions, fc)) ? fc : 0; 384 385 rc = fc ? 0 : -EINVAL; 386 387 out: 388 pr_debug("rc=%d\n", rc); 389 return rc; 390 } 391 392 static int ecb_paes_do_crypt(struct s390_paes_ctx *ctx, 393 struct s390_pecb_req_ctx *req_ctx, 394 bool tested, bool maysleep) 395 { 396 struct ecb_param *param = &req_ctx->param; 397 struct skcipher_walk *walk = &req_ctx->walk; 398 unsigned int nbytes, n, k; 399 int pk_state, rc = 0; 400 401 if (!req_ctx->param_init_done) { 402 /* fetch and check protected key state */ 403 spin_lock_bh(&ctx->pk_lock); 404 pk_state = ctx->pk_state; 405 switch (pk_state) { 406 case PK_STATE_NO_KEY: 407 rc = -ENOKEY; 408 break; 409 case PK_STATE_CONVERT_IN_PROGRESS: 410 rc = -EKEYEXPIRED; 411 break; 412 case PK_STATE_VALID: 413 memcpy(param->key, ctx->pk.protkey, sizeof(param->key)); 414 req_ctx->param_init_done = true; 415 break; 416 default: 417 rc = pk_state < 0 ? pk_state : -EIO; 418 break; 419 } 420 spin_unlock_bh(&ctx->pk_lock); 421 } 422 if (rc) 423 goto out; 424 425 /* 426 * Note that in case of partial processing or failure the walk 427 * is NOT unmapped here. So a follow up task may reuse the walk 428 * or in case of unrecoverable failure needs to unmap it. 429 */ 430 while ((nbytes = walk->nbytes) != 0) { 431 /* only use complete blocks */ 432 n = nbytes & ~(AES_BLOCK_SIZE - 1); 433 k = cpacf_km(ctx->fc | req_ctx->modifier, param, 434 walk->dst.virt.addr, walk->src.virt.addr, n); 435 if (k) 436 rc = skcipher_walk_done(walk, nbytes - k); 437 if (k < n) { 438 if (!maysleep) { 439 rc = -EKEYEXPIRED; 440 goto out; 441 } 442 rc = paes_convert_key(ctx, tested); 443 if (rc) 444 goto out; 445 spin_lock_bh(&ctx->pk_lock); 446 memcpy(param->key, ctx->pk.protkey, sizeof(param->key)); 447 spin_unlock_bh(&ctx->pk_lock); 448 } 449 } 450 451 out: 452 pr_debug("rc=%d\n", rc); 453 return rc; 454 } 455 456 static int ecb_paes_crypt(struct skcipher_request *req, unsigned long modifier) 457 { 458 struct s390_pecb_req_ctx *req_ctx = skcipher_request_ctx(req); 459 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 460 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 461 struct skcipher_walk *walk = &req_ctx->walk; 462 bool tested = crypto_skcipher_tested(tfm); 463 int rc; 464 465 /* 466 * Attempt synchronous encryption first. If it fails, schedule the request 467 * asynchronously via the crypto engine. To preserve execution order, 468 * once a request is queued to the engine, further requests using the same 469 * tfm will also be routed through the engine. 470 */ 471 472 rc = skcipher_walk_virt(walk, req, false); 473 if (rc) 474 goto out; 475 476 req_ctx->modifier = modifier; 477 req_ctx->param_init_done = false; 478 479 /* Try synchronous operation if no active engine usage */ 480 if (!atomic_read(&ctx->via_engine_ctr)) { 481 rc = ecb_paes_do_crypt(ctx, req_ctx, tested, false); 482 if (rc == 0) 483 goto out; 484 } 485 486 /* 487 * If sync operation failed or key expired or there are already 488 * requests enqueued via engine, fallback to async. Mark tfm as 489 * using engine to serialize requests. 490 */ 491 if (rc == 0 || rc == -EKEYEXPIRED) { 492 atomic_inc(&ctx->via_engine_ctr); 493 rc = crypto_transfer_skcipher_request_to_engine(paes_crypto_engine, req); 494 if (rc != -EINPROGRESS) 495 atomic_dec(&ctx->via_engine_ctr); 496 } 497 498 if (rc != -EINPROGRESS) 499 skcipher_walk_done(walk, rc); 500 501 out: 502 if (rc != -EINPROGRESS) 503 memzero_explicit(&req_ctx->param, sizeof(req_ctx->param)); 504 pr_debug("rc=%d\n", rc); 505 return rc; 506 } 507 508 static int ecb_paes_encrypt(struct skcipher_request *req) 509 { 510 return ecb_paes_crypt(req, 0); 511 } 512 513 static int ecb_paes_decrypt(struct skcipher_request *req) 514 { 515 return ecb_paes_crypt(req, CPACF_DECRYPT); 516 } 517 518 static int ecb_paes_init(struct crypto_skcipher *tfm) 519 { 520 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 521 522 memset(ctx, 0, sizeof(*ctx)); 523 spin_lock_init(&ctx->pk_lock); 524 525 crypto_skcipher_set_reqsize(tfm, sizeof(struct s390_pecb_req_ctx)); 526 527 return 0; 528 } 529 530 static void ecb_paes_exit(struct crypto_skcipher *tfm) 531 { 532 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 533 534 memzero_explicit(ctx, sizeof(*ctx)); 535 } 536 537 static int ecb_paes_do_one_request(struct crypto_engine *engine, void *areq) 538 { 539 struct skcipher_request *req = skcipher_request_cast(areq); 540 struct s390_pecb_req_ctx *req_ctx = skcipher_request_ctx(req); 541 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 542 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 543 struct skcipher_walk *walk = &req_ctx->walk; 544 bool tested = crypto_skcipher_tested(tfm); 545 int rc; 546 547 /* walk has already been prepared */ 548 549 rc = ecb_paes_do_crypt(ctx, req_ctx, tested, true); 550 if (rc == -EKEYEXPIRED) { 551 /* 552 * Protected key expired, conversion is in process. 553 * Trigger a re-schedule of this request by returning 554 * -ENOSPC ("hardware queue is full") to the crypto engine. 555 * To avoid immediately re-invocation of this callback, 556 * tell the scheduler to voluntarily give up the CPU here. 557 */ 558 cond_resched(); 559 pr_debug("rescheduling request\n"); 560 return -ENOSPC; 561 } else if (rc) { 562 skcipher_walk_done(walk, rc); 563 } 564 565 memzero_explicit(&req_ctx->param, sizeof(req_ctx->param)); 566 pr_debug("request complete with rc=%d\n", rc); 567 local_bh_disable(); 568 atomic_dec(&ctx->via_engine_ctr); 569 crypto_finalize_skcipher_request(engine, req, rc); 570 local_bh_enable(); 571 return rc; 572 } 573 574 static struct skcipher_engine_alg ecb_paes_alg = { 575 .base = { 576 .base.cra_name = "ecb(paes)", 577 .base.cra_driver_name = "ecb-paes-s390", 578 .base.cra_priority = 401, /* combo: aes + ecb + 1 */ 579 .base.cra_blocksize = AES_BLOCK_SIZE, 580 .base.cra_ctxsize = sizeof(struct s390_paes_ctx), 581 .base.cra_module = THIS_MODULE, 582 .base.cra_list = LIST_HEAD_INIT(ecb_paes_alg.base.base.cra_list), 583 .init = ecb_paes_init, 584 .exit = ecb_paes_exit, 585 .min_keysize = PAES_MIN_KEYSIZE, 586 .max_keysize = PAES_MAX_KEYSIZE, 587 .setkey = ecb_paes_setkey, 588 .encrypt = ecb_paes_encrypt, 589 .decrypt = ecb_paes_decrypt, 590 }, 591 .op = { 592 .do_one_request = ecb_paes_do_one_request, 593 }, 594 }; 595 596 /* 597 * PAES CBC implementation 598 */ 599 600 struct cbc_param { 601 u8 iv[AES_BLOCK_SIZE]; 602 u8 key[PAES_256_PROTKEY_SIZE]; 603 } __packed; 604 605 struct s390_pcbc_req_ctx { 606 unsigned long modifier; 607 struct skcipher_walk walk; 608 bool param_init_done; 609 struct cbc_param param; 610 }; 611 612 static int cbc_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key, 613 unsigned int key_len) 614 { 615 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 616 bool tested = crypto_skcipher_tested(tfm); 617 long fc; 618 int rc; 619 620 /* set raw key into context */ 621 rc = paes_ctx_setkey(ctx, in_key, key_len); 622 if (rc) 623 goto out; 624 625 /* convert raw key into protected key */ 626 rc = paes_convert_key(ctx, tested); 627 if (rc) 628 goto out; 629 630 /* Pick the correct function code based on the protected key type */ 631 switch (ctx->pk.type) { 632 case PKEY_KEYTYPE_AES_128: 633 fc = CPACF_KMC_PAES_128; 634 break; 635 case PKEY_KEYTYPE_AES_192: 636 fc = CPACF_KMC_PAES_192; 637 break; 638 case PKEY_KEYTYPE_AES_256: 639 fc = CPACF_KMC_PAES_256; 640 break; 641 default: 642 fc = 0; 643 break; 644 } 645 ctx->fc = (fc && cpacf_test_func(&kmc_functions, fc)) ? fc : 0; 646 647 rc = fc ? 0 : -EINVAL; 648 649 out: 650 pr_debug("rc=%d\n", rc); 651 return rc; 652 } 653 654 static int cbc_paes_do_crypt(struct s390_paes_ctx *ctx, 655 struct s390_pcbc_req_ctx *req_ctx, 656 bool tested, bool maysleep) 657 { 658 struct cbc_param *param = &req_ctx->param; 659 struct skcipher_walk *walk = &req_ctx->walk; 660 unsigned int nbytes, n, k; 661 int pk_state, rc = 0; 662 663 if (!req_ctx->param_init_done) { 664 /* fetch and check protected key state */ 665 spin_lock_bh(&ctx->pk_lock); 666 pk_state = ctx->pk_state; 667 switch (pk_state) { 668 case PK_STATE_NO_KEY: 669 rc = -ENOKEY; 670 break; 671 case PK_STATE_CONVERT_IN_PROGRESS: 672 rc = -EKEYEXPIRED; 673 break; 674 case PK_STATE_VALID: 675 memcpy(param->key, ctx->pk.protkey, sizeof(param->key)); 676 req_ctx->param_init_done = true; 677 break; 678 default: 679 rc = pk_state < 0 ? pk_state : -EIO; 680 break; 681 } 682 spin_unlock_bh(&ctx->pk_lock); 683 } 684 if (rc) 685 goto out; 686 687 memcpy(param->iv, walk->iv, AES_BLOCK_SIZE); 688 689 /* 690 * Note that in case of partial processing or failure the walk 691 * is NOT unmapped here. So a follow up task may reuse the walk 692 * or in case of unrecoverable failure needs to unmap it. 693 */ 694 while ((nbytes = walk->nbytes) != 0) { 695 /* only use complete blocks */ 696 n = nbytes & ~(AES_BLOCK_SIZE - 1); 697 k = cpacf_kmc(ctx->fc | req_ctx->modifier, param, 698 walk->dst.virt.addr, walk->src.virt.addr, n); 699 if (k) { 700 memcpy(walk->iv, param->iv, AES_BLOCK_SIZE); 701 rc = skcipher_walk_done(walk, nbytes - k); 702 } 703 if (k < n) { 704 if (!maysleep) { 705 rc = -EKEYEXPIRED; 706 goto out; 707 } 708 rc = paes_convert_key(ctx, tested); 709 if (rc) 710 goto out; 711 spin_lock_bh(&ctx->pk_lock); 712 memcpy(param->key, ctx->pk.protkey, sizeof(param->key)); 713 spin_unlock_bh(&ctx->pk_lock); 714 } 715 } 716 717 out: 718 pr_debug("rc=%d\n", rc); 719 return rc; 720 } 721 722 static int cbc_paes_crypt(struct skcipher_request *req, unsigned long modifier) 723 { 724 struct s390_pcbc_req_ctx *req_ctx = skcipher_request_ctx(req); 725 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 726 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 727 struct skcipher_walk *walk = &req_ctx->walk; 728 bool tested = crypto_skcipher_tested(tfm); 729 int rc; 730 731 /* 732 * Attempt synchronous encryption first. If it fails, schedule the request 733 * asynchronously via the crypto engine. To preserve execution order, 734 * once a request is queued to the engine, further requests using the same 735 * tfm will also be routed through the engine. 736 */ 737 738 rc = skcipher_walk_virt(walk, req, false); 739 if (rc) 740 goto out; 741 742 req_ctx->modifier = modifier; 743 req_ctx->param_init_done = false; 744 745 /* Try synchronous operation if no active engine usage */ 746 if (!atomic_read(&ctx->via_engine_ctr)) { 747 rc = cbc_paes_do_crypt(ctx, req_ctx, tested, false); 748 if (rc == 0) 749 goto out; 750 } 751 752 /* 753 * If sync operation failed or key expired or there are already 754 * requests enqueued via engine, fallback to async. Mark tfm as 755 * using engine to serialize requests. 756 */ 757 if (rc == 0 || rc == -EKEYEXPIRED) { 758 atomic_inc(&ctx->via_engine_ctr); 759 rc = crypto_transfer_skcipher_request_to_engine(paes_crypto_engine, req); 760 if (rc != -EINPROGRESS) 761 atomic_dec(&ctx->via_engine_ctr); 762 } 763 764 if (rc != -EINPROGRESS) 765 skcipher_walk_done(walk, rc); 766 767 out: 768 if (rc != -EINPROGRESS) 769 memzero_explicit(&req_ctx->param, sizeof(req_ctx->param)); 770 pr_debug("rc=%d\n", rc); 771 return rc; 772 } 773 774 static int cbc_paes_encrypt(struct skcipher_request *req) 775 { 776 return cbc_paes_crypt(req, 0); 777 } 778 779 static int cbc_paes_decrypt(struct skcipher_request *req) 780 { 781 return cbc_paes_crypt(req, CPACF_DECRYPT); 782 } 783 784 static int cbc_paes_init(struct crypto_skcipher *tfm) 785 { 786 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 787 788 memset(ctx, 0, sizeof(*ctx)); 789 spin_lock_init(&ctx->pk_lock); 790 791 crypto_skcipher_set_reqsize(tfm, sizeof(struct s390_pcbc_req_ctx)); 792 793 return 0; 794 } 795 796 static void cbc_paes_exit(struct crypto_skcipher *tfm) 797 { 798 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 799 800 memzero_explicit(ctx, sizeof(*ctx)); 801 } 802 803 static int cbc_paes_do_one_request(struct crypto_engine *engine, void *areq) 804 { 805 struct skcipher_request *req = skcipher_request_cast(areq); 806 struct s390_pcbc_req_ctx *req_ctx = skcipher_request_ctx(req); 807 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 808 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 809 struct skcipher_walk *walk = &req_ctx->walk; 810 bool tested = crypto_skcipher_tested(tfm); 811 int rc; 812 813 /* walk has already been prepared */ 814 815 rc = cbc_paes_do_crypt(ctx, req_ctx, tested, true); 816 if (rc == -EKEYEXPIRED) { 817 /* 818 * Protected key expired, conversion is in process. 819 * Trigger a re-schedule of this request by returning 820 * -ENOSPC ("hardware queue is full") to the crypto engine. 821 * To avoid immediately re-invocation of this callback, 822 * tell the scheduler to voluntarily give up the CPU here. 823 */ 824 cond_resched(); 825 pr_debug("rescheduling request\n"); 826 return -ENOSPC; 827 } else if (rc) { 828 skcipher_walk_done(walk, rc); 829 } 830 831 memzero_explicit(&req_ctx->param, sizeof(req_ctx->param)); 832 pr_debug("request complete with rc=%d\n", rc); 833 local_bh_disable(); 834 atomic_dec(&ctx->via_engine_ctr); 835 crypto_finalize_skcipher_request(engine, req, rc); 836 local_bh_enable(); 837 return rc; 838 } 839 840 static struct skcipher_engine_alg cbc_paes_alg = { 841 .base = { 842 .base.cra_name = "cbc(paes)", 843 .base.cra_driver_name = "cbc-paes-s390", 844 .base.cra_priority = 402, /* cbc-paes-s390 + 1 */ 845 .base.cra_blocksize = AES_BLOCK_SIZE, 846 .base.cra_ctxsize = sizeof(struct s390_paes_ctx), 847 .base.cra_module = THIS_MODULE, 848 .base.cra_list = LIST_HEAD_INIT(cbc_paes_alg.base.base.cra_list), 849 .init = cbc_paes_init, 850 .exit = cbc_paes_exit, 851 .min_keysize = PAES_MIN_KEYSIZE, 852 .max_keysize = PAES_MAX_KEYSIZE, 853 .ivsize = AES_BLOCK_SIZE, 854 .setkey = cbc_paes_setkey, 855 .encrypt = cbc_paes_encrypt, 856 .decrypt = cbc_paes_decrypt, 857 }, 858 .op = { 859 .do_one_request = cbc_paes_do_one_request, 860 }, 861 }; 862 863 /* 864 * PAES CTR implementation 865 */ 866 867 struct ctr_param { 868 u8 key[PAES_256_PROTKEY_SIZE]; 869 } __packed; 870 871 struct s390_pctr_req_ctx { 872 unsigned long modifier; 873 struct skcipher_walk walk; 874 bool param_init_done; 875 struct ctr_param param; 876 }; 877 878 static int ctr_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key, 879 unsigned int key_len) 880 { 881 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 882 bool tested = crypto_skcipher_tested(tfm); 883 long fc; 884 int rc; 885 886 /* set raw key into context */ 887 rc = paes_ctx_setkey(ctx, in_key, key_len); 888 if (rc) 889 goto out; 890 891 /* convert raw key into protected key */ 892 rc = paes_convert_key(ctx, tested); 893 if (rc) 894 goto out; 895 896 /* Pick the correct function code based on the protected key type */ 897 switch (ctx->pk.type) { 898 case PKEY_KEYTYPE_AES_128: 899 fc = CPACF_KMCTR_PAES_128; 900 break; 901 case PKEY_KEYTYPE_AES_192: 902 fc = CPACF_KMCTR_PAES_192; 903 break; 904 case PKEY_KEYTYPE_AES_256: 905 fc = CPACF_KMCTR_PAES_256; 906 break; 907 default: 908 fc = 0; 909 break; 910 } 911 ctx->fc = (fc && cpacf_test_func(&kmctr_functions, fc)) ? fc : 0; 912 913 rc = fc ? 0 : -EINVAL; 914 915 out: 916 pr_debug("rc=%d\n", rc); 917 return rc; 918 } 919 920 static inline unsigned int __ctrblk_init(u8 *ctrptr, u8 *iv, unsigned int nbytes) 921 { 922 unsigned int i, n; 923 924 /* only use complete blocks, max. PAGE_SIZE */ 925 memcpy(ctrptr, iv, AES_BLOCK_SIZE); 926 n = (nbytes > PAGE_SIZE) ? PAGE_SIZE : nbytes & ~(AES_BLOCK_SIZE - 1); 927 for (i = (n / AES_BLOCK_SIZE) - 1; i > 0; i--) { 928 memcpy(ctrptr + AES_BLOCK_SIZE, ctrptr, AES_BLOCK_SIZE); 929 crypto_inc(ctrptr + AES_BLOCK_SIZE, AES_BLOCK_SIZE); 930 ctrptr += AES_BLOCK_SIZE; 931 } 932 return n; 933 } 934 935 static int ctr_paes_do_crypt(struct s390_paes_ctx *ctx, 936 struct s390_pctr_req_ctx *req_ctx, 937 bool tested, bool maysleep) 938 { 939 struct ctr_param *param = &req_ctx->param; 940 struct skcipher_walk *walk = &req_ctx->walk; 941 u8 buf[AES_BLOCK_SIZE], *ctrptr; 942 unsigned int nbytes, n, k; 943 int pk_state, locked, rc = 0; 944 945 if (!req_ctx->param_init_done) { 946 /* fetch and check protected key state */ 947 spin_lock_bh(&ctx->pk_lock); 948 pk_state = ctx->pk_state; 949 switch (pk_state) { 950 case PK_STATE_NO_KEY: 951 rc = -ENOKEY; 952 break; 953 case PK_STATE_CONVERT_IN_PROGRESS: 954 rc = -EKEYEXPIRED; 955 break; 956 case PK_STATE_VALID: 957 memcpy(param->key, ctx->pk.protkey, sizeof(param->key)); 958 req_ctx->param_init_done = true; 959 break; 960 default: 961 rc = pk_state < 0 ? pk_state : -EIO; 962 break; 963 } 964 spin_unlock_bh(&ctx->pk_lock); 965 } 966 if (rc) 967 goto out; 968 969 locked = mutex_trylock(&ctrblk_lock); 970 971 /* 972 * Note that in case of partial processing or failure the walk 973 * is NOT unmapped here. So a follow up task may reuse the walk 974 * or in case of unrecoverable failure needs to unmap it. 975 */ 976 while ((nbytes = walk->nbytes) >= AES_BLOCK_SIZE) { 977 n = AES_BLOCK_SIZE; 978 if (nbytes >= 2 * AES_BLOCK_SIZE && locked) 979 n = __ctrblk_init(ctrblk, walk->iv, nbytes); 980 ctrptr = (n > AES_BLOCK_SIZE) ? ctrblk : walk->iv; 981 k = cpacf_kmctr(ctx->fc, param, walk->dst.virt.addr, 982 walk->src.virt.addr, n, ctrptr); 983 if (k) { 984 if (ctrptr == ctrblk) 985 memcpy(walk->iv, ctrptr + k - AES_BLOCK_SIZE, 986 AES_BLOCK_SIZE); 987 crypto_inc(walk->iv, AES_BLOCK_SIZE); 988 rc = skcipher_walk_done(walk, nbytes - k); 989 } 990 if (k < n) { 991 if (!maysleep) { 992 if (locked) 993 mutex_unlock(&ctrblk_lock); 994 rc = -EKEYEXPIRED; 995 goto out; 996 } 997 rc = paes_convert_key(ctx, tested); 998 if (rc) { 999 if (locked) 1000 mutex_unlock(&ctrblk_lock); 1001 goto out; 1002 } 1003 spin_lock_bh(&ctx->pk_lock); 1004 memcpy(param->key, ctx->pk.protkey, sizeof(param->key)); 1005 spin_unlock_bh(&ctx->pk_lock); 1006 } 1007 } 1008 if (locked) 1009 mutex_unlock(&ctrblk_lock); 1010 1011 /* final block may be < AES_BLOCK_SIZE, copy only nbytes */ 1012 if (nbytes) { 1013 memset(buf, 0, AES_BLOCK_SIZE); 1014 memcpy(buf, walk->src.virt.addr, nbytes); 1015 while (1) { 1016 if (cpacf_kmctr(ctx->fc, param, buf, 1017 buf, AES_BLOCK_SIZE, 1018 walk->iv) == AES_BLOCK_SIZE) 1019 break; 1020 if (!maysleep) { 1021 rc = -EKEYEXPIRED; 1022 goto out; 1023 } 1024 rc = paes_convert_key(ctx, tested); 1025 if (rc) 1026 goto out; 1027 spin_lock_bh(&ctx->pk_lock); 1028 memcpy(param->key, ctx->pk.protkey, sizeof(param->key)); 1029 spin_unlock_bh(&ctx->pk_lock); 1030 } 1031 memcpy(walk->dst.virt.addr, buf, nbytes); 1032 crypto_inc(walk->iv, AES_BLOCK_SIZE); 1033 rc = skcipher_walk_done(walk, 0); 1034 } 1035 1036 out: 1037 pr_debug("rc=%d\n", rc); 1038 return rc; 1039 } 1040 1041 static int ctr_paes_crypt(struct skcipher_request *req) 1042 { 1043 struct s390_pctr_req_ctx *req_ctx = skcipher_request_ctx(req); 1044 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 1045 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 1046 struct skcipher_walk *walk = &req_ctx->walk; 1047 bool tested = crypto_skcipher_tested(tfm); 1048 int rc; 1049 1050 /* 1051 * Attempt synchronous encryption first. If it fails, schedule the request 1052 * asynchronously via the crypto engine. To preserve execution order, 1053 * once a request is queued to the engine, further requests using the same 1054 * tfm will also be routed through the engine. 1055 */ 1056 1057 rc = skcipher_walk_virt(walk, req, false); 1058 if (rc) 1059 goto out; 1060 1061 req_ctx->param_init_done = false; 1062 1063 /* Try synchronous operation if no active engine usage */ 1064 if (!atomic_read(&ctx->via_engine_ctr)) { 1065 rc = ctr_paes_do_crypt(ctx, req_ctx, tested, false); 1066 if (rc == 0) 1067 goto out; 1068 } 1069 1070 /* 1071 * If sync operation failed or key expired or there are already 1072 * requests enqueued via engine, fallback to async. Mark tfm as 1073 * using engine to serialize requests. 1074 */ 1075 if (rc == 0 || rc == -EKEYEXPIRED) { 1076 atomic_inc(&ctx->via_engine_ctr); 1077 rc = crypto_transfer_skcipher_request_to_engine(paes_crypto_engine, req); 1078 if (rc != -EINPROGRESS) 1079 atomic_dec(&ctx->via_engine_ctr); 1080 } 1081 1082 if (rc != -EINPROGRESS) 1083 skcipher_walk_done(walk, rc); 1084 1085 out: 1086 if (rc != -EINPROGRESS) 1087 memzero_explicit(&req_ctx->param, sizeof(req_ctx->param)); 1088 pr_debug("rc=%d\n", rc); 1089 return rc; 1090 } 1091 1092 static int ctr_paes_init(struct crypto_skcipher *tfm) 1093 { 1094 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 1095 1096 memset(ctx, 0, sizeof(*ctx)); 1097 spin_lock_init(&ctx->pk_lock); 1098 1099 crypto_skcipher_set_reqsize(tfm, sizeof(struct s390_pctr_req_ctx)); 1100 1101 return 0; 1102 } 1103 1104 static void ctr_paes_exit(struct crypto_skcipher *tfm) 1105 { 1106 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 1107 1108 memzero_explicit(ctx, sizeof(*ctx)); 1109 } 1110 1111 static int ctr_paes_do_one_request(struct crypto_engine *engine, void *areq) 1112 { 1113 struct skcipher_request *req = skcipher_request_cast(areq); 1114 struct s390_pctr_req_ctx *req_ctx = skcipher_request_ctx(req); 1115 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 1116 struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm); 1117 struct skcipher_walk *walk = &req_ctx->walk; 1118 bool tested = crypto_skcipher_tested(tfm); 1119 int rc; 1120 1121 /* walk has already been prepared */ 1122 1123 rc = ctr_paes_do_crypt(ctx, req_ctx, tested, true); 1124 if (rc == -EKEYEXPIRED) { 1125 /* 1126 * Protected key expired, conversion is in process. 1127 * Trigger a re-schedule of this request by returning 1128 * -ENOSPC ("hardware queue is full") to the crypto engine. 1129 * To avoid immediately re-invocation of this callback, 1130 * tell the scheduler to voluntarily give up the CPU here. 1131 */ 1132 cond_resched(); 1133 pr_debug("rescheduling request\n"); 1134 return -ENOSPC; 1135 } else if (rc) { 1136 skcipher_walk_done(walk, rc); 1137 } 1138 1139 memzero_explicit(&req_ctx->param, sizeof(req_ctx->param)); 1140 pr_debug("request complete with rc=%d\n", rc); 1141 local_bh_disable(); 1142 atomic_dec(&ctx->via_engine_ctr); 1143 crypto_finalize_skcipher_request(engine, req, rc); 1144 local_bh_enable(); 1145 return rc; 1146 } 1147 1148 static struct skcipher_engine_alg ctr_paes_alg = { 1149 .base = { 1150 .base.cra_name = "ctr(paes)", 1151 .base.cra_driver_name = "ctr-paes-s390", 1152 .base.cra_priority = 402, /* ecb-paes-s390 + 1 */ 1153 .base.cra_blocksize = 1, 1154 .base.cra_ctxsize = sizeof(struct s390_paes_ctx), 1155 .base.cra_module = THIS_MODULE, 1156 .base.cra_list = LIST_HEAD_INIT(ctr_paes_alg.base.base.cra_list), 1157 .init = ctr_paes_init, 1158 .exit = ctr_paes_exit, 1159 .min_keysize = PAES_MIN_KEYSIZE, 1160 .max_keysize = PAES_MAX_KEYSIZE, 1161 .ivsize = AES_BLOCK_SIZE, 1162 .setkey = ctr_paes_setkey, 1163 .encrypt = ctr_paes_crypt, 1164 .decrypt = ctr_paes_crypt, 1165 .chunksize = AES_BLOCK_SIZE, 1166 }, 1167 .op = { 1168 .do_one_request = ctr_paes_do_one_request, 1169 }, 1170 }; 1171 1172 /* 1173 * PAES XTS implementation 1174 */ 1175 1176 struct xts_full_km_param { 1177 u8 key[64]; 1178 u8 tweak[16]; 1179 u8 nap[16]; 1180 u8 wkvp[32]; 1181 } __packed; 1182 1183 struct xts_km_param { 1184 u8 key[PAES_256_PROTKEY_SIZE]; 1185 u8 init[16]; 1186 } __packed; 1187 1188 struct xts_pcc_param { 1189 u8 key[PAES_256_PROTKEY_SIZE]; 1190 u8 tweak[16]; 1191 u8 block[16]; 1192 u8 bit[16]; 1193 u8 xts[16]; 1194 } __packed; 1195 1196 struct s390_pxts_req_ctx { 1197 unsigned long modifier; 1198 struct skcipher_walk walk; 1199 bool param_init_done; 1200 union { 1201 struct xts_full_km_param full_km_param; 1202 struct xts_km_param km_param; 1203 } param; 1204 }; 1205 1206 static int xts_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key, 1207 unsigned int in_keylen) 1208 { 1209 struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm); 1210 bool tested = crypto_skcipher_tested(tfm); 1211 u8 ckey[2 * AES_MAX_KEY_SIZE]; 1212 unsigned int ckey_len; 1213 long fc; 1214 int rc; 1215 1216 if ((in_keylen == 32 || in_keylen == 64) && 1217 xts_verify_key(tfm, in_key, in_keylen)) 1218 return -EINVAL; 1219 1220 /* set raw key into context */ 1221 rc = pxts_ctx_setkey(ctx, in_key, in_keylen); 1222 if (rc) 1223 goto out; 1224 1225 /* convert raw key(s) into protected key(s) */ 1226 rc = pxts_convert_key(ctx, tested); 1227 if (rc) 1228 goto out; 1229 1230 /* 1231 * xts_verify_key verifies the key length is not odd and makes 1232 * sure that the two keys are not the same. This can be done 1233 * on the two protected keys as well - but not for full xts keys. 1234 */ 1235 if (ctx->pk[0].type == PKEY_KEYTYPE_AES_128 || 1236 ctx->pk[0].type == PKEY_KEYTYPE_AES_256) { 1237 ckey_len = (ctx->pk[0].type == PKEY_KEYTYPE_AES_128) ? 1238 AES_KEYSIZE_128 : AES_KEYSIZE_256; 1239 memcpy(ckey, ctx->pk[0].protkey, ckey_len); 1240 memcpy(ckey + ckey_len, ctx->pk[1].protkey, ckey_len); 1241 rc = xts_verify_key(tfm, ckey, 2 * ckey_len); 1242 memzero_explicit(ckey, sizeof(ckey)); 1243 if (rc) 1244 goto out; 1245 } 1246 1247 /* Pick the correct function code based on the protected key type */ 1248 switch (ctx->pk[0].type) { 1249 case PKEY_KEYTYPE_AES_128: 1250 fc = CPACF_KM_PXTS_128; 1251 break; 1252 case PKEY_KEYTYPE_AES_256: 1253 fc = CPACF_KM_PXTS_256; 1254 break; 1255 case PKEY_KEYTYPE_AES_XTS_128: 1256 fc = CPACF_KM_PXTS_128_FULL; 1257 break; 1258 case PKEY_KEYTYPE_AES_XTS_256: 1259 fc = CPACF_KM_PXTS_256_FULL; 1260 break; 1261 default: 1262 fc = 0; 1263 break; 1264 } 1265 ctx->fc = (fc && cpacf_test_func(&km_functions, fc)) ? fc : 0; 1266 1267 rc = fc ? 0 : -EINVAL; 1268 1269 out: 1270 pr_debug("rc=%d\n", rc); 1271 return rc; 1272 } 1273 1274 static int xts_paes_do_crypt_fullkey(struct s390_pxts_ctx *ctx, 1275 struct s390_pxts_req_ctx *req_ctx, 1276 bool tested, bool maysleep) 1277 { 1278 struct xts_full_km_param *param = &req_ctx->param.full_km_param; 1279 struct skcipher_walk *walk = &req_ctx->walk; 1280 unsigned int keylen, offset, nbytes, n, k; 1281 int rc = 0; 1282 1283 /* 1284 * The calling function xts_paes_do_crypt() ensures the 1285 * protected key state is always PK_STATE_VALID when this 1286 * function is invoked. 1287 */ 1288 1289 keylen = (ctx->pk[0].type == PKEY_KEYTYPE_AES_XTS_128) ? 32 : 64; 1290 offset = (ctx->pk[0].type == PKEY_KEYTYPE_AES_XTS_128) ? 32 : 0; 1291 1292 if (!req_ctx->param_init_done) { 1293 memset(param, 0, sizeof(*param)); 1294 spin_lock_bh(&ctx->pk_lock); 1295 memcpy(param->key + offset, ctx->pk[0].protkey, keylen); 1296 memcpy(param->wkvp, ctx->pk[0].protkey + keylen, sizeof(param->wkvp)); 1297 spin_unlock_bh(&ctx->pk_lock); 1298 memcpy(param->tweak, walk->iv, sizeof(param->tweak)); 1299 param->nap[0] = 0x01; /* initial alpha power (1, little-endian) */ 1300 req_ctx->param_init_done = true; 1301 } 1302 1303 /* 1304 * Note that in case of partial processing or failure the walk 1305 * is NOT unmapped here. So a follow up task may reuse the walk 1306 * or in case of unrecoverable failure needs to unmap it. 1307 */ 1308 while ((nbytes = walk->nbytes) != 0) { 1309 /* only use complete blocks */ 1310 n = nbytes & ~(AES_BLOCK_SIZE - 1); 1311 k = cpacf_km(ctx->fc | req_ctx->modifier, param->key + offset, 1312 walk->dst.virt.addr, walk->src.virt.addr, n); 1313 if (k) 1314 rc = skcipher_walk_done(walk, nbytes - k); 1315 if (k < n) { 1316 if (!maysleep) { 1317 rc = -EKEYEXPIRED; 1318 goto out; 1319 } 1320 rc = pxts_convert_key(ctx, tested); 1321 if (rc) 1322 goto out; 1323 spin_lock_bh(&ctx->pk_lock); 1324 memcpy(param->key + offset, ctx->pk[0].protkey, keylen); 1325 memcpy(param->wkvp, ctx->pk[0].protkey + keylen, sizeof(param->wkvp)); 1326 spin_unlock_bh(&ctx->pk_lock); 1327 } 1328 } 1329 1330 out: 1331 pr_debug("rc=%d\n", rc); 1332 return rc; 1333 } 1334 1335 static inline int __xts_2keys_prep_param(struct s390_pxts_ctx *ctx, 1336 struct xts_km_param *param, 1337 struct skcipher_walk *walk, 1338 unsigned int keylen, 1339 unsigned int offset, 1340 bool tested, bool maysleep) 1341 { 1342 struct xts_pcc_param pcc_param; 1343 unsigned long cc = 1; 1344 int rc = 0; 1345 1346 while (cc) { 1347 memset(&pcc_param, 0, sizeof(pcc_param)); 1348 memcpy(pcc_param.tweak, walk->iv, sizeof(pcc_param.tweak)); 1349 spin_lock_bh(&ctx->pk_lock); 1350 memcpy(pcc_param.key + offset, ctx->pk[1].protkey, keylen); 1351 memcpy(param->key + offset, ctx->pk[0].protkey, keylen); 1352 spin_unlock_bh(&ctx->pk_lock); 1353 cc = cpacf_pcc(ctx->fc, pcc_param.key + offset); 1354 if (cc) { 1355 if (!maysleep) { 1356 rc = -EKEYEXPIRED; 1357 break; 1358 } 1359 rc = pxts_convert_key(ctx, tested); 1360 if (rc) 1361 break; 1362 continue; 1363 } 1364 memcpy(param->init, pcc_param.xts, 16); 1365 } 1366 1367 memzero_explicit(pcc_param.key, sizeof(pcc_param.key)); 1368 return rc; 1369 } 1370 1371 static int xts_paes_do_crypt_2keys(struct s390_pxts_ctx *ctx, 1372 struct s390_pxts_req_ctx *req_ctx, 1373 bool tested, bool maysleep) 1374 { 1375 struct xts_km_param *param = &req_ctx->param.km_param; 1376 struct skcipher_walk *walk = &req_ctx->walk; 1377 unsigned int keylen, offset, nbytes, n, k; 1378 int rc = 0; 1379 1380 /* 1381 * The calling function xts_paes_do_crypt() ensures the 1382 * protected key state is always PK_STATE_VALID when this 1383 * function is invoked. 1384 */ 1385 1386 keylen = (ctx->pk[0].type == PKEY_KEYTYPE_AES_128) ? 48 : 64; 1387 offset = (ctx->pk[0].type == PKEY_KEYTYPE_AES_128) ? 16 : 0; 1388 1389 if (!req_ctx->param_init_done) { 1390 rc = __xts_2keys_prep_param(ctx, param, walk, 1391 keylen, offset, tested, maysleep); 1392 if (rc) 1393 goto out; 1394 req_ctx->param_init_done = true; 1395 } 1396 1397 /* 1398 * Note that in case of partial processing or failure the walk 1399 * is NOT unmapped here. So a follow up task may reuse the walk 1400 * or in case of unrecoverable failure needs to unmap it. 1401 */ 1402 while ((nbytes = walk->nbytes) != 0) { 1403 /* only use complete blocks */ 1404 n = nbytes & ~(AES_BLOCK_SIZE - 1); 1405 k = cpacf_km(ctx->fc | req_ctx->modifier, param->key + offset, 1406 walk->dst.virt.addr, walk->src.virt.addr, n); 1407 if (k) 1408 rc = skcipher_walk_done(walk, nbytes - k); 1409 if (k < n) { 1410 if (!maysleep) { 1411 rc = -EKEYEXPIRED; 1412 goto out; 1413 } 1414 rc = pxts_convert_key(ctx, tested); 1415 if (rc) 1416 goto out; 1417 spin_lock_bh(&ctx->pk_lock); 1418 memcpy(param->key + offset, ctx->pk[0].protkey, keylen); 1419 spin_unlock_bh(&ctx->pk_lock); 1420 } 1421 } 1422 1423 out: 1424 pr_debug("rc=%d\n", rc); 1425 return rc; 1426 } 1427 1428 static int xts_paes_do_crypt(struct s390_pxts_ctx *ctx, 1429 struct s390_pxts_req_ctx *req_ctx, 1430 bool tested, bool maysleep) 1431 { 1432 int pk_state, rc = 0; 1433 1434 /* fetch and check protected key state */ 1435 spin_lock_bh(&ctx->pk_lock); 1436 pk_state = ctx->pk_state; 1437 switch (pk_state) { 1438 case PK_STATE_NO_KEY: 1439 rc = -ENOKEY; 1440 break; 1441 case PK_STATE_CONVERT_IN_PROGRESS: 1442 rc = -EKEYEXPIRED; 1443 break; 1444 case PK_STATE_VALID: 1445 break; 1446 default: 1447 rc = pk_state < 0 ? pk_state : -EIO; 1448 break; 1449 } 1450 spin_unlock_bh(&ctx->pk_lock); 1451 if (rc) 1452 goto out; 1453 1454 /* Call the 'real' crypt function based on the xts prot key type. */ 1455 switch (ctx->fc) { 1456 case CPACF_KM_PXTS_128: 1457 case CPACF_KM_PXTS_256: 1458 rc = xts_paes_do_crypt_2keys(ctx, req_ctx, tested, maysleep); 1459 break; 1460 case CPACF_KM_PXTS_128_FULL: 1461 case CPACF_KM_PXTS_256_FULL: 1462 rc = xts_paes_do_crypt_fullkey(ctx, req_ctx, tested, maysleep); 1463 break; 1464 default: 1465 rc = -EINVAL; 1466 } 1467 1468 out: 1469 pr_debug("rc=%d\n", rc); 1470 return rc; 1471 } 1472 1473 static inline int xts_paes_crypt(struct skcipher_request *req, unsigned long modifier) 1474 { 1475 struct s390_pxts_req_ctx *req_ctx = skcipher_request_ctx(req); 1476 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 1477 struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm); 1478 struct skcipher_walk *walk = &req_ctx->walk; 1479 bool tested = crypto_skcipher_tested(tfm); 1480 int rc; 1481 1482 /* 1483 * Attempt synchronous encryption first. If it fails, schedule the request 1484 * asynchronously via the crypto engine. To preserve execution order, 1485 * once a request is queued to the engine, further requests using the same 1486 * tfm will also be routed through the engine. 1487 */ 1488 1489 rc = skcipher_walk_virt(walk, req, false); 1490 if (rc) 1491 goto out; 1492 1493 req_ctx->modifier = modifier; 1494 req_ctx->param_init_done = false; 1495 1496 /* Try synchronous operation if no active engine usage */ 1497 if (!atomic_read(&ctx->via_engine_ctr)) { 1498 rc = xts_paes_do_crypt(ctx, req_ctx, tested, false); 1499 if (rc == 0) 1500 goto out; 1501 } 1502 1503 /* 1504 * If sync operation failed or key expired or there are already 1505 * requests enqueued via engine, fallback to async. Mark tfm as 1506 * using engine to serialize requests. 1507 */ 1508 if (rc == 0 || rc == -EKEYEXPIRED) { 1509 atomic_inc(&ctx->via_engine_ctr); 1510 rc = crypto_transfer_skcipher_request_to_engine(paes_crypto_engine, req); 1511 if (rc != -EINPROGRESS) 1512 atomic_dec(&ctx->via_engine_ctr); 1513 } 1514 1515 if (rc != -EINPROGRESS) 1516 skcipher_walk_done(walk, rc); 1517 1518 out: 1519 if (rc != -EINPROGRESS) 1520 memzero_explicit(&req_ctx->param, sizeof(req_ctx->param)); 1521 pr_debug("rc=%d\n", rc); 1522 return rc; 1523 } 1524 1525 static int xts_paes_encrypt(struct skcipher_request *req) 1526 { 1527 return xts_paes_crypt(req, 0); 1528 } 1529 1530 static int xts_paes_decrypt(struct skcipher_request *req) 1531 { 1532 return xts_paes_crypt(req, CPACF_DECRYPT); 1533 } 1534 1535 static int xts_paes_init(struct crypto_skcipher *tfm) 1536 { 1537 struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm); 1538 1539 memset(ctx, 0, sizeof(*ctx)); 1540 spin_lock_init(&ctx->pk_lock); 1541 1542 crypto_skcipher_set_reqsize(tfm, sizeof(struct s390_pxts_req_ctx)); 1543 1544 return 0; 1545 } 1546 1547 static void xts_paes_exit(struct crypto_skcipher *tfm) 1548 { 1549 struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm); 1550 1551 memzero_explicit(ctx, sizeof(*ctx)); 1552 } 1553 1554 static int xts_paes_do_one_request(struct crypto_engine *engine, void *areq) 1555 { 1556 struct skcipher_request *req = skcipher_request_cast(areq); 1557 struct s390_pxts_req_ctx *req_ctx = skcipher_request_ctx(req); 1558 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 1559 struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm); 1560 struct skcipher_walk *walk = &req_ctx->walk; 1561 bool tested = crypto_skcipher_tested(tfm); 1562 int rc; 1563 1564 /* walk has already been prepared */ 1565 1566 rc = xts_paes_do_crypt(ctx, req_ctx, tested, true); 1567 if (rc == -EKEYEXPIRED) { 1568 /* 1569 * Protected key expired, conversion is in process. 1570 * Trigger a re-schedule of this request by returning 1571 * -ENOSPC ("hardware queue is full") to the crypto engine. 1572 * To avoid immediately re-invocation of this callback, 1573 * tell the scheduler to voluntarily give up the CPU here. 1574 */ 1575 cond_resched(); 1576 pr_debug("rescheduling request\n"); 1577 return -ENOSPC; 1578 } else if (rc) { 1579 skcipher_walk_done(walk, rc); 1580 } 1581 1582 memzero_explicit(&req_ctx->param, sizeof(req_ctx->param)); 1583 pr_debug("request complete with rc=%d\n", rc); 1584 local_bh_disable(); 1585 atomic_dec(&ctx->via_engine_ctr); 1586 crypto_finalize_skcipher_request(engine, req, rc); 1587 local_bh_enable(); 1588 return rc; 1589 } 1590 1591 static struct skcipher_engine_alg xts_paes_alg = { 1592 .base = { 1593 .base.cra_name = "xts(paes)", 1594 .base.cra_driver_name = "xts-paes-s390", 1595 .base.cra_priority = 402, /* ecb-paes-s390 + 1 */ 1596 .base.cra_blocksize = AES_BLOCK_SIZE, 1597 .base.cra_ctxsize = sizeof(struct s390_pxts_ctx), 1598 .base.cra_module = THIS_MODULE, 1599 .base.cra_list = LIST_HEAD_INIT(xts_paes_alg.base.base.cra_list), 1600 .init = xts_paes_init, 1601 .exit = xts_paes_exit, 1602 .min_keysize = 2 * PAES_MIN_KEYSIZE, 1603 .max_keysize = 2 * PAES_MAX_KEYSIZE, 1604 .ivsize = AES_BLOCK_SIZE, 1605 .setkey = xts_paes_setkey, 1606 .encrypt = xts_paes_encrypt, 1607 .decrypt = xts_paes_decrypt, 1608 }, 1609 .op = { 1610 .do_one_request = xts_paes_do_one_request, 1611 }, 1612 }; 1613 1614 /* 1615 * alg register, unregister, module init, exit 1616 */ 1617 1618 static struct miscdevice paes_dev = { 1619 .name = "paes", 1620 .minor = MISC_DYNAMIC_MINOR, 1621 }; 1622 1623 static inline void __crypto_unregister_skcipher(struct skcipher_engine_alg *alg) 1624 { 1625 if (!list_empty(&alg->base.base.cra_list)) 1626 crypto_engine_unregister_skcipher(alg); 1627 } 1628 1629 static void paes_s390_fini(void) 1630 { 1631 if (paes_crypto_engine) { 1632 crypto_engine_stop(paes_crypto_engine); 1633 crypto_engine_exit(paes_crypto_engine); 1634 } 1635 __crypto_unregister_skcipher(&ctr_paes_alg); 1636 __crypto_unregister_skcipher(&xts_paes_alg); 1637 __crypto_unregister_skcipher(&cbc_paes_alg); 1638 __crypto_unregister_skcipher(&ecb_paes_alg); 1639 if (ctrblk) 1640 free_page((unsigned long)ctrblk); 1641 misc_deregister(&paes_dev); 1642 } 1643 1644 static int __init paes_s390_init(void) 1645 { 1646 int rc; 1647 1648 /* register a simple paes pseudo misc device */ 1649 rc = misc_register(&paes_dev); 1650 if (rc) 1651 return rc; 1652 1653 /* with this pseudo devie alloc and start a crypto engine */ 1654 paes_crypto_engine = 1655 crypto_engine_alloc_init_and_set(paes_dev.this_device, 1656 true, false, MAX_QLEN); 1657 if (!paes_crypto_engine) { 1658 rc = -ENOMEM; 1659 goto out_err; 1660 } 1661 rc = crypto_engine_start(paes_crypto_engine); 1662 if (rc) { 1663 crypto_engine_exit(paes_crypto_engine); 1664 paes_crypto_engine = NULL; 1665 goto out_err; 1666 } 1667 1668 /* Query available functions for KM, KMC and KMCTR */ 1669 cpacf_query(CPACF_KM, &km_functions); 1670 cpacf_query(CPACF_KMC, &kmc_functions); 1671 cpacf_query(CPACF_KMCTR, &kmctr_functions); 1672 1673 if (cpacf_test_func(&km_functions, CPACF_KM_PAES_128) || 1674 cpacf_test_func(&km_functions, CPACF_KM_PAES_192) || 1675 cpacf_test_func(&km_functions, CPACF_KM_PAES_256)) { 1676 rc = crypto_engine_register_skcipher(&ecb_paes_alg); 1677 if (rc) 1678 goto out_err; 1679 pr_debug("%s registered\n", ecb_paes_alg.base.base.cra_driver_name); 1680 } 1681 1682 if (cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_128) || 1683 cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_192) || 1684 cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_256)) { 1685 rc = crypto_engine_register_skcipher(&cbc_paes_alg); 1686 if (rc) 1687 goto out_err; 1688 pr_debug("%s registered\n", cbc_paes_alg.base.base.cra_driver_name); 1689 } 1690 1691 if (cpacf_test_func(&km_functions, CPACF_KM_PXTS_128) || 1692 cpacf_test_func(&km_functions, CPACF_KM_PXTS_256)) { 1693 rc = crypto_engine_register_skcipher(&xts_paes_alg); 1694 if (rc) 1695 goto out_err; 1696 pr_debug("%s registered\n", xts_paes_alg.base.base.cra_driver_name); 1697 } 1698 1699 if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_PAES_128) || 1700 cpacf_test_func(&kmctr_functions, CPACF_KMCTR_PAES_192) || 1701 cpacf_test_func(&kmctr_functions, CPACF_KMCTR_PAES_256)) { 1702 ctrblk = (u8 *)__get_free_page(GFP_KERNEL); 1703 if (!ctrblk) { 1704 rc = -ENOMEM; 1705 goto out_err; 1706 } 1707 rc = crypto_engine_register_skcipher(&ctr_paes_alg); 1708 if (rc) 1709 goto out_err; 1710 pr_debug("%s registered\n", ctr_paes_alg.base.base.cra_driver_name); 1711 } 1712 1713 return 0; 1714 1715 out_err: 1716 paes_s390_fini(); 1717 return rc; 1718 } 1719 1720 module_init(paes_s390_init); 1721 module_exit(paes_s390_fini); 1722 1723 MODULE_ALIAS_CRYPTO("ecb(paes)"); 1724 MODULE_ALIAS_CRYPTO("cbc(paes)"); 1725 MODULE_ALIAS_CRYPTO("ctr(paes)"); 1726 MODULE_ALIAS_CRYPTO("xts(paes)"); 1727 1728 MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm with protected keys"); 1729 MODULE_LICENSE("GPL"); 1730