xref: /linux/arch/s390/crypto/phmac_s390.c (revision 8a5f956a9fb7d74fff681145082acfad5afa6bb8)
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * Copyright IBM Corp. 2025
4  *
5  * s390 specific HMAC support for protected keys.
6  */
7 
8 #define KMSG_COMPONENT	"phmac_s390"
9 #define pr_fmt(fmt)	KMSG_COMPONENT ": " fmt
10 
11 #include <asm/cpacf.h>
12 #include <asm/pkey.h>
13 #include <crypto/engine.h>
14 #include <crypto/hash.h>
15 #include <crypto/internal/hash.h>
16 #include <crypto/sha2.h>
17 #include <linux/atomic.h>
18 #include <linux/cpufeature.h>
19 #include <linux/delay.h>
20 #include <linux/miscdevice.h>
21 #include <linux/module.h>
22 #include <linux/spinlock.h>
23 
24 static struct crypto_engine *phmac_crypto_engine;
25 #define MAX_QLEN 10
26 
27 /*
28  * A simple hash walk helper
29  */
30 
31 struct hash_walk_helper {
32 	struct crypto_hash_walk walk;
33 	const u8 *walkaddr;
34 	int walkbytes;
35 };
36 
37 /*
38  * Prepare hash walk helper.
39  * Set up the base hash walk, fill walkaddr and walkbytes.
40  * Returns 0 on success or negative value on error.
41  */
42 static inline int hwh_prepare(struct ahash_request *req,
43 			      struct hash_walk_helper *hwh)
44 {
45 	hwh->walkbytes = crypto_hash_walk_first(req, &hwh->walk);
46 	if (hwh->walkbytes < 0)
47 		return hwh->walkbytes;
48 	hwh->walkaddr = hwh->walk.data;
49 	return 0;
50 }
51 
52 /*
53  * Advance hash walk helper by n bytes.
54  * Progress the walkbytes and walkaddr fields by n bytes.
55  * If walkbytes is then 0, pull next hunk from hash walk
56  * and update walkbytes and walkaddr.
57  * If n is negative, unmap hash walk and return error.
58  * Returns 0 on success or negative value on error.
59  */
60 static inline int hwh_advance(struct hash_walk_helper *hwh, int n)
61 {
62 	if (n < 0)
63 		return crypto_hash_walk_done(&hwh->walk, n);
64 
65 	hwh->walkbytes -= n;
66 	hwh->walkaddr += n;
67 	if (hwh->walkbytes > 0)
68 		return 0;
69 
70 	hwh->walkbytes = crypto_hash_walk_done(&hwh->walk, 0);
71 	if (hwh->walkbytes < 0)
72 		return hwh->walkbytes;
73 
74 	hwh->walkaddr = hwh->walk.data;
75 	return 0;
76 }
77 
78 /*
79  * KMAC param block layout for sha2 function codes:
80  * The layout of the param block for the KMAC instruction depends on the
81  * blocksize of the used hashing sha2-algorithm function codes. The param block
82  * contains the hash chaining value (cv), the input message bit-length (imbl)
83  * and the hmac-secret (key). To prevent code duplication, the sizes of all
84  * these are calculated based on the blocksize.
85  *
86  * param-block:
87  * +-------+
88  * | cv    |
89  * +-------+
90  * | imbl  |
91  * +-------+
92  * | key   |
93  * +-------+
94  *
95  * sizes:
96  * part | sh2-alg | calculation | size | type
97  * -----+---------+-------------+------+--------
98  * cv   | 224/256 | blocksize/2 |   32 |  u64[8]
99  *      | 384/512 |             |   64 | u128[8]
100  * imbl | 224/256 | blocksize/8 |    8 |     u64
101  *      | 384/512 |             |   16 |    u128
102  * key  | 224/256 | blocksize   |   96 |  u8[96]
103  *      | 384/512 |             |  160 | u8[160]
104  */
105 
106 #define MAX_DIGEST_SIZE		SHA512_DIGEST_SIZE
107 #define MAX_IMBL_SIZE		sizeof(u128)
108 #define MAX_BLOCK_SIZE		SHA512_BLOCK_SIZE
109 
110 #define SHA2_CV_SIZE(bs)	((bs) >> 1)
111 #define SHA2_IMBL_SIZE(bs)	((bs) >> 3)
112 
113 #define SHA2_IMBL_OFFSET(bs)	(SHA2_CV_SIZE(bs))
114 #define SHA2_KEY_OFFSET(bs)	(SHA2_CV_SIZE(bs) + SHA2_IMBL_SIZE(bs))
115 
116 #define PHMAC_MAX_KEYSIZE       256
117 #define PHMAC_SHA256_PK_SIZE	(SHA256_BLOCK_SIZE + 32)
118 #define PHMAC_SHA512_PK_SIZE	(SHA512_BLOCK_SIZE + 32)
119 #define PHMAC_MAX_PK_SIZE	PHMAC_SHA512_PK_SIZE
120 
121 /* phmac protected key struct */
122 struct phmac_protkey {
123 	u32 type;
124 	u32 len;
125 	u8 protkey[PHMAC_MAX_PK_SIZE];
126 };
127 
128 #define PK_STATE_NO_KEY		     0
129 #define PK_STATE_CONVERT_IN_PROGRESS 1
130 #define PK_STATE_VALID		     2
131 
132 /* phmac tfm context */
133 struct phmac_tfm_ctx {
134 	/* source key material used to derive a protected key from */
135 	u8 keybuf[PHMAC_MAX_KEYSIZE];
136 	unsigned int keylen;
137 
138 	/* cpacf function code to use with this protected key type */
139 	long fc;
140 
141 	/* nr of requests enqueued via crypto engine which use this tfm ctx */
142 	atomic_t via_engine_ctr;
143 
144 	/* spinlock to atomic read/update all the following fields */
145 	spinlock_t pk_lock;
146 
147 	/* see PK_STATE* defines above, < 0 holds convert failure rc  */
148 	int pk_state;
149 	/* if state is valid, pk holds the protected key */
150 	struct phmac_protkey pk;
151 };
152 
153 union kmac_gr0 {
154 	unsigned long reg;
155 	struct {
156 		unsigned long		: 48;
157 		unsigned long ikp	:  1;
158 		unsigned long iimp	:  1;
159 		unsigned long ccup	:  1;
160 		unsigned long		:  6;
161 		unsigned long fc	:  7;
162 	};
163 };
164 
165 struct kmac_sha2_ctx {
166 	u8 param[MAX_DIGEST_SIZE + MAX_IMBL_SIZE + PHMAC_MAX_PK_SIZE];
167 	union kmac_gr0 gr0;
168 	u8 buf[MAX_BLOCK_SIZE];
169 	u64 buflen[2];
170 };
171 
172 /* phmac request context */
173 struct phmac_req_ctx {
174 	struct hash_walk_helper hwh;
175 	struct kmac_sha2_ctx kmac_ctx;
176 	bool final;
177 };
178 
179 /*
180  * Pkey 'token' struct used to derive a protected key value from a clear key.
181  */
182 struct hmac_clrkey_token {
183 	u8  type;
184 	u8  res0[3];
185 	u8  version;
186 	u8  res1[3];
187 	u32 keytype;
188 	u32 len;
189 	u8 key[];
190 } __packed;
191 
192 static int hash_key(const u8 *in, unsigned int inlen,
193 		    u8 *digest, unsigned int digestsize)
194 {
195 	unsigned long func;
196 	union {
197 		struct sha256_paramblock {
198 			u32 h[8];
199 			u64 mbl;
200 		} sha256;
201 		struct sha512_paramblock {
202 			u64 h[8];
203 			u128 mbl;
204 		} sha512;
205 	} __packed param;
206 
207 #define PARAM_INIT(x, y, z)		   \
208 	param.sha##x.h[0] = SHA##y ## _H0; \
209 	param.sha##x.h[1] = SHA##y ## _H1; \
210 	param.sha##x.h[2] = SHA##y ## _H2; \
211 	param.sha##x.h[3] = SHA##y ## _H3; \
212 	param.sha##x.h[4] = SHA##y ## _H4; \
213 	param.sha##x.h[5] = SHA##y ## _H5; \
214 	param.sha##x.h[6] = SHA##y ## _H6; \
215 	param.sha##x.h[7] = SHA##y ## _H7; \
216 	param.sha##x.mbl = (z)
217 
218 	switch (digestsize) {
219 	case SHA224_DIGEST_SIZE:
220 		func = CPACF_KLMD_SHA_256;
221 		PARAM_INIT(256, 224, inlen * 8);
222 		break;
223 	case SHA256_DIGEST_SIZE:
224 		func = CPACF_KLMD_SHA_256;
225 		PARAM_INIT(256, 256, inlen * 8);
226 		break;
227 	case SHA384_DIGEST_SIZE:
228 		func = CPACF_KLMD_SHA_512;
229 		PARAM_INIT(512, 384, inlen * 8);
230 		break;
231 	case SHA512_DIGEST_SIZE:
232 		func = CPACF_KLMD_SHA_512;
233 		PARAM_INIT(512, 512, inlen * 8);
234 		break;
235 	default:
236 		return -EINVAL;
237 	}
238 
239 #undef PARAM_INIT
240 
241 	cpacf_klmd(func, &param, in, inlen);
242 
243 	memcpy(digest, &param, digestsize);
244 
245 	return 0;
246 }
247 
248 /*
249  * make_clrkey_token() - wrap the clear key into a pkey clearkey token.
250  */
251 static inline int make_clrkey_token(const u8 *clrkey, size_t clrkeylen,
252 				    unsigned int digestsize, u8 *dest)
253 {
254 	struct hmac_clrkey_token *token = (struct hmac_clrkey_token *)dest;
255 	unsigned int blocksize;
256 	int rc;
257 
258 	token->type = 0x00;
259 	token->version = 0x02;
260 	switch (digestsize) {
261 	case SHA224_DIGEST_SIZE:
262 	case SHA256_DIGEST_SIZE:
263 		token->keytype = PKEY_KEYTYPE_HMAC_512;
264 		blocksize = 64;
265 		break;
266 	case SHA384_DIGEST_SIZE:
267 	case SHA512_DIGEST_SIZE:
268 		token->keytype = PKEY_KEYTYPE_HMAC_1024;
269 		blocksize = 128;
270 		break;
271 	default:
272 		return -EINVAL;
273 	}
274 	token->len = blocksize;
275 
276 	if (clrkeylen > blocksize) {
277 		rc = hash_key(clrkey, clrkeylen, token->key, digestsize);
278 		if (rc)
279 			return rc;
280 	} else {
281 		memcpy(token->key, clrkey, clrkeylen);
282 	}
283 
284 	return 0;
285 }
286 
287 /*
288  * phmac_tfm_ctx_setkey() - Set key value into tfm context, maybe construct
289  * a clear key token digestible by pkey from a clear key value.
290  */
291 static inline int phmac_tfm_ctx_setkey(struct phmac_tfm_ctx *tfm_ctx,
292 				       const u8 *key, unsigned int keylen)
293 {
294 	if (keylen > sizeof(tfm_ctx->keybuf))
295 		return -EINVAL;
296 
297 	memcpy(tfm_ctx->keybuf, key, keylen);
298 	tfm_ctx->keylen = keylen;
299 
300 	return 0;
301 }
302 
303 /*
304  * Convert the raw key material into a protected key via PKEY api.
305  * This function may sleep - don't call in non-sleeping context.
306  */
307 static inline int convert_key(const u8 *key, unsigned int keylen,
308 			      struct phmac_protkey *pk)
309 {
310 	int rc, i;
311 
312 	pk->len = sizeof(pk->protkey);
313 
314 	/*
315 	 * In case of a busy card retry with increasing delay
316 	 * of 200, 400, 800 and 1600 ms - in total 3 s.
317 	 */
318 	for (rc = -EIO, i = 0; rc && i < 5; i++) {
319 		if (rc == -EBUSY && msleep_interruptible((1 << i) * 100)) {
320 			rc = -EINTR;
321 			goto out;
322 		}
323 		rc = pkey_key2protkey(key, keylen,
324 				      pk->protkey, &pk->len, &pk->type,
325 				      PKEY_XFLAG_NOMEMALLOC);
326 	}
327 
328 out:
329 	pr_debug("rc=%d\n", rc);
330 	return rc;
331 }
332 
333 /*
334  * (Re-)Convert the raw key material from the tfm ctx into a protected
335  * key via convert_key() function. Update the pk_state, pk_type, pk_len
336  * and the protected key in the tfm context.
337  * Please note this function may be invoked concurrently with the very
338  * same tfm context. The pk_lock spinlock in the context ensures an
339  * atomic update of the pk and the pk state but does not guarantee any
340  * order of update. So a fresh converted valid protected key may get
341  * updated with an 'old' expired key value. As the cpacf instructions
342  * detect this, refuse to operate with an invalid key and the calling
343  * code triggers a (re-)conversion this does no harm. This may lead to
344  * unnecessary additional conversion but never to invalid data on the
345  * hash operation.
346  */
347 static int phmac_convert_key(struct phmac_tfm_ctx *tfm_ctx)
348 {
349 	struct phmac_protkey pk;
350 	int rc;
351 
352 	spin_lock_bh(&tfm_ctx->pk_lock);
353 	tfm_ctx->pk_state = PK_STATE_CONVERT_IN_PROGRESS;
354 	spin_unlock_bh(&tfm_ctx->pk_lock);
355 
356 	rc = convert_key(tfm_ctx->keybuf, tfm_ctx->keylen, &pk);
357 
358 	/* update context */
359 	spin_lock_bh(&tfm_ctx->pk_lock);
360 	if (rc) {
361 		tfm_ctx->pk_state = rc;
362 	} else {
363 		tfm_ctx->pk_state = PK_STATE_VALID;
364 		tfm_ctx->pk = pk;
365 	}
366 	spin_unlock_bh(&tfm_ctx->pk_lock);
367 
368 	memzero_explicit(&pk, sizeof(pk));
369 	pr_debug("rc=%d\n", rc);
370 	return rc;
371 }
372 
373 /*
374  * kmac_sha2_set_imbl - sets the input message bit-length based on the blocksize
375  */
376 static inline void kmac_sha2_set_imbl(u8 *param, u64 buflen_lo,
377 				      u64 buflen_hi, unsigned int blocksize)
378 {
379 	u8 *imbl = param + SHA2_IMBL_OFFSET(blocksize);
380 
381 	switch (blocksize) {
382 	case SHA256_BLOCK_SIZE:
383 		*(u64 *)imbl = buflen_lo * BITS_PER_BYTE;
384 		break;
385 	case SHA512_BLOCK_SIZE:
386 		*(u128 *)imbl = (((u128)buflen_hi << 64) + buflen_lo) << 3;
387 		break;
388 	default:
389 		break;
390 	}
391 }
392 
393 static int phmac_kmac_update(struct ahash_request *req, bool maysleep)
394 {
395 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
396 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
397 	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
398 	struct kmac_sha2_ctx *ctx = &req_ctx->kmac_ctx;
399 	struct hash_walk_helper *hwh = &req_ctx->hwh;
400 	unsigned int bs = crypto_ahash_blocksize(tfm);
401 	unsigned int offset, k, n;
402 	int rc = 0;
403 
404 	/*
405 	 * The walk is always mapped when this function is called.
406 	 * Note that in case of partial processing or failure the walk
407 	 * is NOT unmapped here. So a follow up task may reuse the walk
408 	 * or in case of unrecoverable failure needs to unmap it.
409 	 */
410 
411 	while (hwh->walkbytes > 0) {
412 		/* check sha2 context buffer */
413 		offset = ctx->buflen[0] % bs;
414 		if (offset + hwh->walkbytes < bs)
415 			goto store;
416 
417 		if (offset) {
418 			/* fill ctx buffer up to blocksize and process this block */
419 			n = bs - offset;
420 			memcpy(ctx->buf + offset, hwh->walkaddr, n);
421 			ctx->gr0.iimp = 1;
422 			for (;;) {
423 				k = _cpacf_kmac(&ctx->gr0.reg, ctx->param, ctx->buf, bs);
424 				if (likely(k == bs))
425 					break;
426 				if (unlikely(k > 0)) {
427 					/*
428 					 * Can't deal with hunks smaller than blocksize.
429 					 * And kmac should always return the nr of
430 					 * processed bytes as 0 or a multiple of the
431 					 * blocksize.
432 					 */
433 					rc = -EIO;
434 					goto out;
435 				}
436 				/* protected key is invalid and needs re-conversion */
437 				if (!maysleep) {
438 					rc = -EKEYEXPIRED;
439 					goto out;
440 				}
441 				rc = phmac_convert_key(tfm_ctx);
442 				if (rc)
443 					goto out;
444 				spin_lock_bh(&tfm_ctx->pk_lock);
445 				memcpy(ctx->param + SHA2_KEY_OFFSET(bs),
446 				       tfm_ctx->pk.protkey, tfm_ctx->pk.len);
447 				spin_unlock_bh(&tfm_ctx->pk_lock);
448 			}
449 			ctx->buflen[0] += n;
450 			if (ctx->buflen[0] < n)
451 				ctx->buflen[1]++;
452 			rc = hwh_advance(hwh, n);
453 			if (unlikely(rc))
454 				goto out;
455 			offset = 0;
456 		}
457 
458 		/* process as many blocks as possible from the walk */
459 		while (hwh->walkbytes >= bs) {
460 			n = (hwh->walkbytes / bs) * bs;
461 			ctx->gr0.iimp = 1;
462 			k = _cpacf_kmac(&ctx->gr0.reg, ctx->param, hwh->walkaddr, n);
463 			if (likely(k > 0)) {
464 				ctx->buflen[0] += k;
465 				if (ctx->buflen[0] < k)
466 					ctx->buflen[1]++;
467 				rc = hwh_advance(hwh, k);
468 				if (unlikely(rc))
469 					goto out;
470 			}
471 			if (unlikely(k < n)) {
472 				/* protected key is invalid and needs re-conversion */
473 				if (!maysleep) {
474 					rc = -EKEYEXPIRED;
475 					goto out;
476 				}
477 				rc = phmac_convert_key(tfm_ctx);
478 				if (rc)
479 					goto out;
480 				spin_lock_bh(&tfm_ctx->pk_lock);
481 				memcpy(ctx->param + SHA2_KEY_OFFSET(bs),
482 				       tfm_ctx->pk.protkey, tfm_ctx->pk.len);
483 				spin_unlock_bh(&tfm_ctx->pk_lock);
484 			}
485 		}
486 
487 store:
488 		/* store incomplete block in context buffer */
489 		if (hwh->walkbytes) {
490 			memcpy(ctx->buf + offset, hwh->walkaddr, hwh->walkbytes);
491 			ctx->buflen[0] += hwh->walkbytes;
492 			if (ctx->buflen[0] < hwh->walkbytes)
493 				ctx->buflen[1]++;
494 			rc = hwh_advance(hwh, hwh->walkbytes);
495 			if (unlikely(rc))
496 				goto out;
497 		}
498 
499 	} /* end of while (hwh->walkbytes > 0) */
500 
501 out:
502 	pr_debug("rc=%d\n", rc);
503 	return rc;
504 }
505 
506 static int phmac_kmac_final(struct ahash_request *req, bool maysleep)
507 {
508 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
509 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
510 	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
511 	struct kmac_sha2_ctx *ctx = &req_ctx->kmac_ctx;
512 	unsigned int ds = crypto_ahash_digestsize(tfm);
513 	unsigned int bs = crypto_ahash_blocksize(tfm);
514 	unsigned int k, n;
515 	int rc = 0;
516 
517 	n = ctx->buflen[0] % bs;
518 	ctx->gr0.iimp = 0;
519 	kmac_sha2_set_imbl(ctx->param, ctx->buflen[0], ctx->buflen[1], bs);
520 	for (;;) {
521 		k = _cpacf_kmac(&ctx->gr0.reg, ctx->param, ctx->buf, n);
522 		if (likely(k == n))
523 			break;
524 		if (unlikely(k > 0)) {
525 			/* Can't deal with hunks smaller than blocksize. */
526 			rc = -EIO;
527 			goto out;
528 		}
529 		/* protected key is invalid and needs re-conversion */
530 		if (!maysleep) {
531 			rc = -EKEYEXPIRED;
532 			goto out;
533 		}
534 		rc = phmac_convert_key(tfm_ctx);
535 		if (rc)
536 			goto out;
537 		spin_lock_bh(&tfm_ctx->pk_lock);
538 		memcpy(ctx->param + SHA2_KEY_OFFSET(bs),
539 		       tfm_ctx->pk.protkey, tfm_ctx->pk.len);
540 		spin_unlock_bh(&tfm_ctx->pk_lock);
541 	}
542 
543 	memcpy(req->result, ctx->param, ds);
544 
545 out:
546 	pr_debug("rc=%d\n", rc);
547 	return rc;
548 }
549 
550 static int phmac_init(struct ahash_request *req)
551 {
552 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
553 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
554 	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
555 	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
556 	unsigned int bs = crypto_ahash_blocksize(tfm);
557 	int rc = 0;
558 
559 	/* zero request context (includes the kmac sha2 context) */
560 	memset(req_ctx, 0, sizeof(*req_ctx));
561 
562 	/*
563 	 * setkey() should have set a valid fc into the tfm context.
564 	 * Copy this function code into the gr0 field of the kmac context.
565 	 */
566 	if (!tfm_ctx->fc) {
567 		rc = -ENOKEY;
568 		goto out;
569 	}
570 	kmac_ctx->gr0.fc = tfm_ctx->fc;
571 
572 	/*
573 	 * Copy the pk from tfm ctx into kmac ctx. The protected key
574 	 * may be outdated but update() and final() will handle this.
575 	 */
576 	spin_lock_bh(&tfm_ctx->pk_lock);
577 	memcpy(kmac_ctx->param + SHA2_KEY_OFFSET(bs),
578 	       tfm_ctx->pk.protkey, tfm_ctx->pk.len);
579 	spin_unlock_bh(&tfm_ctx->pk_lock);
580 
581 out:
582 	pr_debug("rc=%d\n", rc);
583 	return rc;
584 }
585 
586 static int phmac_update(struct ahash_request *req)
587 {
588 	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
589 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
590 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
591 	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
592 	struct hash_walk_helper *hwh = &req_ctx->hwh;
593 	int rc;
594 
595 	/* prep the walk in the request context */
596 	rc = hwh_prepare(req, hwh);
597 	if (rc)
598 		goto out;
599 
600 	/* Try synchronous operation if no active engine usage */
601 	if (!atomic_read(&tfm_ctx->via_engine_ctr)) {
602 		rc = phmac_kmac_update(req, false);
603 		if (rc == 0)
604 			goto out;
605 	}
606 
607 	/*
608 	 * If sync operation failed or key expired or there are already
609 	 * requests enqueued via engine, fallback to async. Mark tfm as
610 	 * using engine to serialize requests.
611 	 */
612 	if (rc == 0 || rc == -EKEYEXPIRED) {
613 		atomic_inc(&tfm_ctx->via_engine_ctr);
614 		rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
615 		if (rc != -EINPROGRESS)
616 			atomic_dec(&tfm_ctx->via_engine_ctr);
617 	}
618 
619 	if (rc != -EINPROGRESS) {
620 		hwh_advance(hwh, rc);
621 		memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
622 	}
623 
624 out:
625 	pr_debug("rc=%d\n", rc);
626 	return rc;
627 }
628 
629 static int phmac_final(struct ahash_request *req)
630 {
631 	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
632 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
633 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
634 	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
635 	int rc = 0;
636 
637 	/* Try synchronous operation if no active engine usage */
638 	if (!atomic_read(&tfm_ctx->via_engine_ctr)) {
639 		rc = phmac_kmac_final(req, false);
640 		if (rc == 0)
641 			goto out;
642 	}
643 
644 	/*
645 	 * If sync operation failed or key expired or there are already
646 	 * requests enqueued via engine, fallback to async. Mark tfm as
647 	 * using engine to serialize requests.
648 	 */
649 	if (rc == 0 || rc == -EKEYEXPIRED) {
650 		req->nbytes = 0;
651 		req_ctx->final = true;
652 		atomic_inc(&tfm_ctx->via_engine_ctr);
653 		rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
654 		if (rc != -EINPROGRESS)
655 			atomic_dec(&tfm_ctx->via_engine_ctr);
656 	}
657 
658 out:
659 	if (rc != -EINPROGRESS)
660 		memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
661 	pr_debug("rc=%d\n", rc);
662 	return rc;
663 }
664 
665 static int phmac_finup(struct ahash_request *req)
666 {
667 	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
668 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
669 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
670 	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
671 	struct hash_walk_helper *hwh = &req_ctx->hwh;
672 	int rc;
673 
674 	/* prep the walk in the request context */
675 	rc = hwh_prepare(req, hwh);
676 	if (rc)
677 		goto out;
678 
679 	/* Try synchronous operations if no active engine usage */
680 	if (!atomic_read(&tfm_ctx->via_engine_ctr)) {
681 		rc = phmac_kmac_update(req, false);
682 		if (rc == 0)
683 			req->nbytes = 0;
684 	}
685 	if (!rc && !req->nbytes && !atomic_read(&tfm_ctx->via_engine_ctr)) {
686 		rc = phmac_kmac_final(req, false);
687 		if (rc == 0)
688 			goto out;
689 	}
690 
691 	/*
692 	 * If sync operation failed or key expired or there are already
693 	 * requests enqueued via engine, fallback to async. Mark tfm as
694 	 * using engine to serialize requests.
695 	 */
696 	if (rc == 0 || rc == -EKEYEXPIRED) {
697 		req_ctx->final = true;
698 		atomic_inc(&tfm_ctx->via_engine_ctr);
699 		rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
700 		if (rc != -EINPROGRESS)
701 			atomic_dec(&tfm_ctx->via_engine_ctr);
702 	}
703 
704 	if (rc != -EINPROGRESS)
705 		hwh_advance(hwh, rc);
706 
707 out:
708 	if (rc != -EINPROGRESS)
709 		memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
710 	pr_debug("rc=%d\n", rc);
711 	return rc;
712 }
713 
714 static int phmac_digest(struct ahash_request *req)
715 {
716 	int rc;
717 
718 	rc = phmac_init(req);
719 	if (rc)
720 		goto out;
721 
722 	rc = phmac_finup(req);
723 
724 out:
725 	pr_debug("rc=%d\n", rc);
726 	return rc;
727 }
728 
729 static int phmac_setkey(struct crypto_ahash *tfm,
730 			const u8 *key, unsigned int keylen)
731 {
732 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
733 	unsigned int ds = crypto_ahash_digestsize(tfm);
734 	unsigned int bs = crypto_ahash_blocksize(tfm);
735 	unsigned int tmpkeylen;
736 	u8 *tmpkey = NULL;
737 	int rc = 0;
738 
739 	if (!crypto_ahash_tested(tfm)) {
740 		/*
741 		 * selftest running: key is a raw hmac clear key and needs
742 		 * to get embedded into a 'clear key token' in order to have
743 		 * it correctly processed by the pkey module.
744 		 */
745 		tmpkeylen = sizeof(struct hmac_clrkey_token) + bs;
746 		tmpkey = kzalloc(tmpkeylen, GFP_KERNEL);
747 		if (!tmpkey) {
748 			rc = -ENOMEM;
749 			goto out;
750 		}
751 		rc = make_clrkey_token(key, keylen, ds, tmpkey);
752 		if (rc)
753 			goto out;
754 		keylen = tmpkeylen;
755 		key = tmpkey;
756 	}
757 
758 	/* copy raw key into tfm context */
759 	rc = phmac_tfm_ctx_setkey(tfm_ctx, key, keylen);
760 	if (rc)
761 		goto out;
762 
763 	/* convert raw key into protected key */
764 	rc = phmac_convert_key(tfm_ctx);
765 	if (rc)
766 		goto out;
767 
768 	/* set function code in tfm context, check for valid pk type */
769 	switch (ds) {
770 	case SHA224_DIGEST_SIZE:
771 		if (tfm_ctx->pk.type != PKEY_KEYTYPE_HMAC_512)
772 			rc = -EINVAL;
773 		else
774 			tfm_ctx->fc = CPACF_KMAC_PHMAC_SHA_224;
775 		break;
776 	case SHA256_DIGEST_SIZE:
777 		if (tfm_ctx->pk.type != PKEY_KEYTYPE_HMAC_512)
778 			rc = -EINVAL;
779 		else
780 			tfm_ctx->fc = CPACF_KMAC_PHMAC_SHA_256;
781 		break;
782 	case SHA384_DIGEST_SIZE:
783 		if (tfm_ctx->pk.type != PKEY_KEYTYPE_HMAC_1024)
784 			rc = -EINVAL;
785 		else
786 			tfm_ctx->fc = CPACF_KMAC_PHMAC_SHA_384;
787 		break;
788 	case SHA512_DIGEST_SIZE:
789 		if (tfm_ctx->pk.type != PKEY_KEYTYPE_HMAC_1024)
790 			rc = -EINVAL;
791 		else
792 			tfm_ctx->fc = CPACF_KMAC_PHMAC_SHA_512;
793 		break;
794 	default:
795 		tfm_ctx->fc = 0;
796 		rc = -EINVAL;
797 	}
798 
799 out:
800 	kfree(tmpkey);
801 	pr_debug("rc=%d\n", rc);
802 	return rc;
803 }
804 
805 static int phmac_export(struct ahash_request *req, void *out)
806 {
807 	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
808 	struct kmac_sha2_ctx *ctx = &req_ctx->kmac_ctx;
809 
810 	memcpy(out, ctx, sizeof(*ctx));
811 
812 	return 0;
813 }
814 
815 static int phmac_import(struct ahash_request *req, const void *in)
816 {
817 	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
818 	struct kmac_sha2_ctx *ctx = &req_ctx->kmac_ctx;
819 
820 	memset(req_ctx, 0, sizeof(*req_ctx));
821 	memcpy(ctx, in, sizeof(*ctx));
822 
823 	return 0;
824 }
825 
826 static int phmac_init_tfm(struct crypto_ahash *tfm)
827 {
828 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
829 
830 	memset(tfm_ctx, 0, sizeof(*tfm_ctx));
831 	spin_lock_init(&tfm_ctx->pk_lock);
832 
833 	crypto_ahash_set_reqsize(tfm, sizeof(struct phmac_req_ctx));
834 
835 	return 0;
836 }
837 
838 static void phmac_exit_tfm(struct crypto_ahash *tfm)
839 {
840 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
841 
842 	memzero_explicit(tfm_ctx->keybuf, sizeof(tfm_ctx->keybuf));
843 	memzero_explicit(&tfm_ctx->pk, sizeof(tfm_ctx->pk));
844 }
845 
846 static int phmac_do_one_request(struct crypto_engine *engine, void *areq)
847 {
848 	struct ahash_request *req = ahash_request_cast(areq);
849 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
850 	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
851 	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
852 	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
853 	struct hash_walk_helper *hwh = &req_ctx->hwh;
854 	int rc = -EINVAL;
855 
856 	/*
857 	 * Three kinds of requests come in here:
858 	 * update when req->nbytes > 0 and req_ctx->final is false
859 	 * final when req->nbytes = 0 and req_ctx->final is true
860 	 * finup when req->nbytes > 0 and req_ctx->final is true
861 	 * For update and finup the hwh walk needs to be prepared and
862 	 * up to date but the actual nr of bytes in req->nbytes may be
863 	 * any non zero number. For final there is no hwh walk needed.
864 	 */
865 
866 	if (req->nbytes) {
867 		rc = phmac_kmac_update(req, true);
868 		if (rc == -EKEYEXPIRED) {
869 			/*
870 			 * Protected key expired, conversion is in process.
871 			 * Trigger a re-schedule of this request by returning
872 			 * -ENOSPC ("hardware queue full") to the crypto engine.
873 			 * To avoid immediately re-invocation of this callback,
874 			 * tell scheduler to voluntarily give up the CPU here.
875 			 */
876 			pr_debug("rescheduling request\n");
877 			cond_resched();
878 			return -ENOSPC;
879 		} else if (rc) {
880 			hwh_advance(hwh, rc);
881 			goto out;
882 		}
883 		req->nbytes = 0;
884 	}
885 
886 	if (req_ctx->final) {
887 		rc = phmac_kmac_final(req, true);
888 		if (rc == -EKEYEXPIRED) {
889 			/*
890 			 * Protected key expired, conversion is in process.
891 			 * Trigger a re-schedule of this request by returning
892 			 * -ENOSPC ("hardware queue full") to the crypto engine.
893 			 * To avoid immediately re-invocation of this callback,
894 			 * tell scheduler to voluntarily give up the CPU here.
895 			 */
896 			pr_debug("rescheduling request\n");
897 			cond_resched();
898 			return -ENOSPC;
899 		}
900 	}
901 
902 out:
903 	if (rc || req_ctx->final)
904 		memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
905 	pr_debug("request complete with rc=%d\n", rc);
906 	local_bh_disable();
907 	atomic_dec(&tfm_ctx->via_engine_ctr);
908 	crypto_finalize_hash_request(engine, req, rc);
909 	local_bh_enable();
910 	return rc;
911 }
912 
913 #define S390_ASYNC_PHMAC_ALG(x)						\
914 {									\
915 	.base = {							\
916 		.init	  = phmac_init,					\
917 		.update	  = phmac_update,				\
918 		.final	  = phmac_final,				\
919 		.finup	  = phmac_finup,				\
920 		.digest	  = phmac_digest,				\
921 		.setkey	  = phmac_setkey,				\
922 		.import	  = phmac_import,				\
923 		.export	  = phmac_export,				\
924 		.init_tfm = phmac_init_tfm,				\
925 		.exit_tfm = phmac_exit_tfm,				\
926 		.halg = {						\
927 			.digestsize = SHA##x##_DIGEST_SIZE,		\
928 			.statesize  = sizeof(struct kmac_sha2_ctx),	\
929 			.base = {					\
930 				.cra_name = "phmac(sha" #x ")",		\
931 				.cra_driver_name = "phmac_s390_sha" #x,	\
932 				.cra_blocksize = SHA##x##_BLOCK_SIZE,	\
933 				.cra_priority = 400,			\
934 				.cra_flags = CRYPTO_ALG_ASYNC |		\
935 					     CRYPTO_ALG_NO_FALLBACK,	\
936 				.cra_ctxsize = sizeof(struct phmac_tfm_ctx), \
937 				.cra_module = THIS_MODULE,		\
938 			},						\
939 		},							\
940 	},								\
941 	.op = {								\
942 		.do_one_request = phmac_do_one_request,			\
943 	},								\
944 }
945 
946 static struct phmac_alg {
947 	unsigned int fc;
948 	struct ahash_engine_alg alg;
949 	bool registered;
950 } phmac_algs[] = {
951 	{
952 		.fc = CPACF_KMAC_PHMAC_SHA_224,
953 		.alg = S390_ASYNC_PHMAC_ALG(224),
954 	}, {
955 		.fc = CPACF_KMAC_PHMAC_SHA_256,
956 		.alg = S390_ASYNC_PHMAC_ALG(256),
957 	}, {
958 		.fc = CPACF_KMAC_PHMAC_SHA_384,
959 		.alg = S390_ASYNC_PHMAC_ALG(384),
960 	}, {
961 		.fc = CPACF_KMAC_PHMAC_SHA_512,
962 		.alg = S390_ASYNC_PHMAC_ALG(512),
963 	}
964 };
965 
966 static struct miscdevice phmac_dev = {
967 	.name	= "phmac",
968 	.minor	= MISC_DYNAMIC_MINOR,
969 };
970 
971 static void s390_phmac_exit(void)
972 {
973 	struct phmac_alg *phmac;
974 	int i;
975 
976 	if (phmac_crypto_engine) {
977 		crypto_engine_stop(phmac_crypto_engine);
978 		crypto_engine_exit(phmac_crypto_engine);
979 	}
980 
981 	for (i = ARRAY_SIZE(phmac_algs) - 1; i >= 0; i--) {
982 		phmac = &phmac_algs[i];
983 		if (phmac->registered)
984 			crypto_engine_unregister_ahash(&phmac->alg);
985 	}
986 
987 	misc_deregister(&phmac_dev);
988 }
989 
990 static int __init s390_phmac_init(void)
991 {
992 	struct phmac_alg *phmac;
993 	int i, rc;
994 
995 	/* for selftest cpacf klmd subfunction is needed */
996 	if (!cpacf_query_func(CPACF_KLMD, CPACF_KLMD_SHA_256))
997 		return -ENODEV;
998 	if (!cpacf_query_func(CPACF_KLMD, CPACF_KLMD_SHA_512))
999 		return -ENODEV;
1000 
1001 	/* register a simple phmac pseudo misc device */
1002 	rc = misc_register(&phmac_dev);
1003 	if (rc)
1004 		return rc;
1005 
1006 	/* with this pseudo device alloc and start a crypto engine */
1007 	phmac_crypto_engine =
1008 		crypto_engine_alloc_init_and_set(phmac_dev.this_device,
1009 						 true, false, MAX_QLEN);
1010 	if (!phmac_crypto_engine) {
1011 		rc = -ENOMEM;
1012 		goto out_err;
1013 	}
1014 	rc = crypto_engine_start(phmac_crypto_engine);
1015 	if (rc) {
1016 		crypto_engine_exit(phmac_crypto_engine);
1017 		phmac_crypto_engine = NULL;
1018 		goto out_err;
1019 	}
1020 
1021 	for (i = 0; i < ARRAY_SIZE(phmac_algs); i++) {
1022 		phmac = &phmac_algs[i];
1023 		if (!cpacf_query_func(CPACF_KMAC, phmac->fc))
1024 			continue;
1025 		rc = crypto_engine_register_ahash(&phmac->alg);
1026 		if (rc)
1027 			goto out_err;
1028 		phmac->registered = true;
1029 		pr_debug("%s registered\n", phmac->alg.base.halg.base.cra_name);
1030 	}
1031 
1032 	return 0;
1033 
1034 out_err:
1035 	s390_phmac_exit();
1036 	return rc;
1037 }
1038 
1039 module_init(s390_phmac_init);
1040 module_exit(s390_phmac_exit);
1041 
1042 MODULE_ALIAS_CRYPTO("phmac(sha224)");
1043 MODULE_ALIAS_CRYPTO("phmac(sha256)");
1044 MODULE_ALIAS_CRYPTO("phmac(sha384)");
1045 MODULE_ALIAS_CRYPTO("phmac(sha512)");
1046 
1047 MODULE_DESCRIPTION("S390 HMAC driver for protected keys");
1048 MODULE_LICENSE("GPL");
1049