1 /* 2 * Copyright 2016 Broadcom 3 * 4 * This program is free software; you can redistribute it and/or modify 5 * it under the terms of the GNU General Public License, version 2, as 6 * published by the Free Software Foundation (the "GPL"). 7 * 8 * This program is distributed in the hope that it will be useful, but 9 * WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 * General Public License version 2 (GPLv2) for more details. 12 * 13 * You should have received a copy of the GNU General Public License 14 * version 2 (GPLv2) along with this source code. 15 */ 16 17 #include <linux/kernel.h> 18 #include <linux/string.h> 19 20 #include "util.h" 21 #include "spu.h" 22 #include "spum.h" 23 #include "cipher.h" 24 25 /* This array is based on the hash algo type supported in spu.h */ 26 char *tag_to_hash_idx[] = { "none", "md5", "sha1", "sha224", "sha256" }; 27 28 char *hash_alg_name[] = { "None", "md5", "sha1", "sha224", "sha256", "aes", 29 "sha384", "sha512", "sha3_224", "sha3_256", "sha3_384", "sha3_512" }; 30 31 char *aead_alg_name[] = { "ccm(aes)", "gcm(aes)", "authenc" }; 32 33 /* Assumes SPU-M messages are in big endian */ 34 void spum_dump_msg_hdr(u8 *buf, unsigned int buf_len) 35 { 36 u8 *ptr = buf; 37 struct SPUHEADER *spuh = (struct SPUHEADER *)buf; 38 unsigned int hash_key_len = 0; 39 unsigned int hash_state_len = 0; 40 unsigned int cipher_key_len = 0; 41 unsigned int iv_len; 42 u32 pflags; 43 u32 cflags; 44 u32 ecf; 45 u32 cipher_alg; 46 u32 cipher_mode; 47 u32 cipher_type; 48 u32 hash_alg; 49 u32 hash_mode; 50 u32 hash_type; 51 u32 sctx_size; /* SCTX length in words */ 52 u32 sctx_pl_len; /* SCTX payload length in bytes */ 53 54 packet_log("\n"); 55 packet_log("SPU Message header %p len: %u\n", buf, buf_len); 56 57 /* ========== Decode MH ========== */ 58 packet_log(" MH 0x%08x\n", be32_to_cpu(*((u32 *)ptr))); 59 if (spuh->mh.flags & MH_SCTX_PRES) 60 packet_log(" SCTX present\n"); 61 if (spuh->mh.flags & MH_BDESC_PRES) 62 packet_log(" BDESC present\n"); 63 if (spuh->mh.flags & MH_MFM_PRES) 64 packet_log(" MFM present\n"); 65 if (spuh->mh.flags & MH_BD_PRES) 66 packet_log(" BD present\n"); 67 if (spuh->mh.flags & MH_HASH_PRES) 68 packet_log(" HASH present\n"); 69 if (spuh->mh.flags & MH_SUPDT_PRES) 70 packet_log(" SUPDT present\n"); 71 packet_log(" Opcode 0x%02x\n", spuh->mh.op_code); 72 73 ptr += sizeof(spuh->mh) + sizeof(spuh->emh); /* skip emh. unused */ 74 75 /* ========== Decode SCTX ========== */ 76 if (spuh->mh.flags & MH_SCTX_PRES) { 77 pflags = be32_to_cpu(spuh->sa.proto_flags); 78 packet_log(" SCTX[0] 0x%08x\n", pflags); 79 sctx_size = pflags & SCTX_SIZE; 80 packet_log(" Size %u words\n", sctx_size); 81 82 cflags = be32_to_cpu(spuh->sa.cipher_flags); 83 packet_log(" SCTX[1] 0x%08x\n", cflags); 84 packet_log(" Inbound:%lu (1:decrypt/vrfy 0:encrypt/auth)\n", 85 (cflags & CIPHER_INBOUND) >> CIPHER_INBOUND_SHIFT); 86 packet_log(" Order:%lu (1:AuthFirst 0:EncFirst)\n", 87 (cflags & CIPHER_ORDER) >> CIPHER_ORDER_SHIFT); 88 packet_log(" ICV_IS_512:%lx\n", 89 (cflags & ICV_IS_512) >> ICV_IS_512_SHIFT); 90 cipher_alg = (cflags & CIPHER_ALG) >> CIPHER_ALG_SHIFT; 91 cipher_mode = (cflags & CIPHER_MODE) >> CIPHER_MODE_SHIFT; 92 cipher_type = (cflags & CIPHER_TYPE) >> CIPHER_TYPE_SHIFT; 93 packet_log(" Crypto Alg:%u Mode:%u Type:%u\n", 94 cipher_alg, cipher_mode, cipher_type); 95 hash_alg = (cflags & HASH_ALG) >> HASH_ALG_SHIFT; 96 hash_mode = (cflags & HASH_MODE) >> HASH_MODE_SHIFT; 97 hash_type = (cflags & HASH_TYPE) >> HASH_TYPE_SHIFT; 98 packet_log(" Hash Alg:%x Mode:%x Type:%x\n", 99 hash_alg, hash_mode, hash_type); 100 packet_log(" UPDT_Offset:%u\n", cflags & UPDT_OFST); 101 102 ecf = be32_to_cpu(spuh->sa.ecf); 103 packet_log(" SCTX[2] 0x%08x\n", ecf); 104 packet_log(" WriteICV:%lu CheckICV:%lu ICV_SIZE:%u ", 105 (ecf & INSERT_ICV) >> INSERT_ICV_SHIFT, 106 (ecf & CHECK_ICV) >> CHECK_ICV_SHIFT, 107 (ecf & ICV_SIZE) >> ICV_SIZE_SHIFT); 108 packet_log("BD_SUPPRESS:%lu\n", 109 (ecf & BD_SUPPRESS) >> BD_SUPPRESS_SHIFT); 110 packet_log(" SCTX_IV:%lu ExplicitIV:%lu GenIV:%lu ", 111 (ecf & SCTX_IV) >> SCTX_IV_SHIFT, 112 (ecf & EXPLICIT_IV) >> EXPLICIT_IV_SHIFT, 113 (ecf & GEN_IV) >> GEN_IV_SHIFT); 114 packet_log("IV_OV_OFST:%lu EXP_IV_SIZE:%u\n", 115 (ecf & IV_OFFSET) >> IV_OFFSET_SHIFT, 116 ecf & EXP_IV_SIZE); 117 118 ptr += sizeof(struct SCTX); 119 120 if (hash_alg && hash_mode) { 121 char *name = "NONE"; 122 123 switch (hash_alg) { 124 case HASH_ALG_MD5: 125 hash_key_len = 16; 126 name = "MD5"; 127 break; 128 case HASH_ALG_SHA1: 129 hash_key_len = 20; 130 name = "SHA1"; 131 break; 132 case HASH_ALG_SHA224: 133 hash_key_len = 28; 134 name = "SHA224"; 135 break; 136 case HASH_ALG_SHA256: 137 hash_key_len = 32; 138 name = "SHA256"; 139 break; 140 case HASH_ALG_SHA384: 141 hash_key_len = 48; 142 name = "SHA384"; 143 break; 144 case HASH_ALG_SHA512: 145 hash_key_len = 64; 146 name = "SHA512"; 147 break; 148 case HASH_ALG_AES: 149 hash_key_len = 0; 150 name = "AES"; 151 break; 152 case HASH_ALG_NONE: 153 break; 154 } 155 156 packet_log(" Auth Key Type:%s Length:%u Bytes\n", 157 name, hash_key_len); 158 packet_dump(" KEY: ", ptr, hash_key_len); 159 ptr += hash_key_len; 160 } else if ((hash_alg == HASH_ALG_AES) && 161 (hash_mode == HASH_MODE_XCBC)) { 162 char *name = "NONE"; 163 164 switch (cipher_type) { 165 case CIPHER_TYPE_AES128: 166 hash_key_len = 16; 167 name = "AES128-XCBC"; 168 break; 169 case CIPHER_TYPE_AES192: 170 hash_key_len = 24; 171 name = "AES192-XCBC"; 172 break; 173 case CIPHER_TYPE_AES256: 174 hash_key_len = 32; 175 name = "AES256-XCBC"; 176 break; 177 } 178 packet_log(" Auth Key Type:%s Length:%u Bytes\n", 179 name, hash_key_len); 180 packet_dump(" KEY: ", ptr, hash_key_len); 181 ptr += hash_key_len; 182 } 183 184 if (hash_alg && (hash_mode == HASH_MODE_NONE) && 185 (hash_type == HASH_TYPE_UPDT)) { 186 char *name = "NONE"; 187 188 switch (hash_alg) { 189 case HASH_ALG_MD5: 190 hash_state_len = 16; 191 name = "MD5"; 192 break; 193 case HASH_ALG_SHA1: 194 hash_state_len = 20; 195 name = "SHA1"; 196 break; 197 case HASH_ALG_SHA224: 198 hash_state_len = 32; 199 name = "SHA224"; 200 break; 201 case HASH_ALG_SHA256: 202 hash_state_len = 32; 203 name = "SHA256"; 204 break; 205 case HASH_ALG_SHA384: 206 hash_state_len = 48; 207 name = "SHA384"; 208 break; 209 case HASH_ALG_SHA512: 210 hash_state_len = 64; 211 name = "SHA512"; 212 break; 213 case HASH_ALG_AES: 214 hash_state_len = 0; 215 name = "AES"; 216 break; 217 case HASH_ALG_NONE: 218 break; 219 } 220 221 packet_log(" Auth State Type:%s Length:%u Bytes\n", 222 name, hash_state_len); 223 packet_dump(" State: ", ptr, hash_state_len); 224 ptr += hash_state_len; 225 } 226 227 if (cipher_alg) { 228 char *name = "NONE"; 229 230 switch (cipher_alg) { 231 case CIPHER_ALG_DES: 232 cipher_key_len = 8; 233 name = "DES"; 234 break; 235 case CIPHER_ALG_3DES: 236 cipher_key_len = 24; 237 name = "3DES"; 238 break; 239 case CIPHER_ALG_RC4: 240 cipher_key_len = 260; 241 name = "ARC4"; 242 break; 243 case CIPHER_ALG_AES: 244 switch (cipher_type) { 245 case CIPHER_TYPE_AES128: 246 cipher_key_len = 16; 247 name = "AES128"; 248 break; 249 case CIPHER_TYPE_AES192: 250 cipher_key_len = 24; 251 name = "AES192"; 252 break; 253 case CIPHER_TYPE_AES256: 254 cipher_key_len = 32; 255 name = "AES256"; 256 break; 257 } 258 break; 259 case CIPHER_ALG_NONE: 260 break; 261 } 262 263 packet_log(" Cipher Key Type:%s Length:%u Bytes\n", 264 name, cipher_key_len); 265 266 /* XTS has two keys */ 267 if (cipher_mode == CIPHER_MODE_XTS) { 268 packet_dump(" KEY2: ", ptr, cipher_key_len); 269 ptr += cipher_key_len; 270 packet_dump(" KEY1: ", ptr, cipher_key_len); 271 ptr += cipher_key_len; 272 273 cipher_key_len *= 2; 274 } else { 275 packet_dump(" KEY: ", ptr, cipher_key_len); 276 ptr += cipher_key_len; 277 } 278 279 if (ecf & SCTX_IV) { 280 sctx_pl_len = sctx_size * sizeof(u32) - 281 sizeof(struct SCTX); 282 iv_len = sctx_pl_len - 283 (hash_key_len + hash_state_len + 284 cipher_key_len); 285 packet_log(" IV Length:%u Bytes\n", iv_len); 286 packet_dump(" IV: ", ptr, iv_len); 287 ptr += iv_len; 288 } 289 } 290 } 291 292 /* ========== Decode BDESC ========== */ 293 if (spuh->mh.flags & MH_BDESC_PRES) { 294 #ifdef DEBUG 295 struct BDESC_HEADER *bdesc = (struct BDESC_HEADER *)ptr; 296 #endif 297 packet_log(" BDESC[0] 0x%08x\n", be32_to_cpu(*((u32 *)ptr))); 298 packet_log(" OffsetMAC:%u LengthMAC:%u\n", 299 be16_to_cpu(bdesc->offset_mac), 300 be16_to_cpu(bdesc->length_mac)); 301 ptr += sizeof(u32); 302 303 packet_log(" BDESC[1] 0x%08x\n", be32_to_cpu(*((u32 *)ptr))); 304 packet_log(" OffsetCrypto:%u LengthCrypto:%u\n", 305 be16_to_cpu(bdesc->offset_crypto), 306 be16_to_cpu(bdesc->length_crypto)); 307 ptr += sizeof(u32); 308 309 packet_log(" BDESC[2] 0x%08x\n", be32_to_cpu(*((u32 *)ptr))); 310 packet_log(" OffsetICV:%u OffsetIV:%u\n", 311 be16_to_cpu(bdesc->offset_icv), 312 be16_to_cpu(bdesc->offset_iv)); 313 ptr += sizeof(u32); 314 } 315 316 /* ========== Decode BD ========== */ 317 if (spuh->mh.flags & MH_BD_PRES) { 318 #ifdef DEBUG 319 struct BD_HEADER *bd = (struct BD_HEADER *)ptr; 320 #endif 321 packet_log(" BD[0] 0x%08x\n", be32_to_cpu(*((u32 *)ptr))); 322 packet_log(" Size:%ubytes PrevLength:%u\n", 323 be16_to_cpu(bd->size), be16_to_cpu(bd->prev_length)); 324 ptr += 4; 325 } 326 327 /* Double check sanity */ 328 if (buf + buf_len != ptr) { 329 packet_log(" Packet parsed incorrectly. "); 330 packet_log("buf:%p buf_len:%u buf+buf_len:%p ptr:%p\n", 331 buf, buf_len, buf + buf_len, ptr); 332 } 333 334 packet_log("\n"); 335 } 336 337 /** 338 * spum_ns2_ctx_max_payload() - Determine the max length of the payload for a 339 * SPU message for a given cipher and hash alg context. 340 * @cipher_alg: The cipher algorithm 341 * @cipher_mode: The cipher mode 342 * @blocksize: The size of a block of data for this algo 343 * 344 * The max payload must be a multiple of the blocksize so that if a request is 345 * too large to fit in a single SPU message, the request can be broken into 346 * max_payload sized chunks. Each chunk must be a multiple of blocksize. 347 * 348 * Return: Max payload length in bytes 349 */ 350 u32 spum_ns2_ctx_max_payload(enum spu_cipher_alg cipher_alg, 351 enum spu_cipher_mode cipher_mode, 352 unsigned int blocksize) 353 { 354 u32 max_payload = SPUM_NS2_MAX_PAYLOAD; 355 u32 excess; 356 357 /* In XTS on SPU-M, we'll need to insert tweak before input data */ 358 if (cipher_mode == CIPHER_MODE_XTS) 359 max_payload -= SPU_XTS_TWEAK_SIZE; 360 361 excess = max_payload % blocksize; 362 363 return max_payload - excess; 364 } 365 366 /** 367 * spum_nsp_ctx_max_payload() - Determine the max length of the payload for a 368 * SPU message for a given cipher and hash alg context. 369 * @cipher_alg: The cipher algorithm 370 * @cipher_mode: The cipher mode 371 * @blocksize: The size of a block of data for this algo 372 * 373 * The max payload must be a multiple of the blocksize so that if a request is 374 * too large to fit in a single SPU message, the request can be broken into 375 * max_payload sized chunks. Each chunk must be a multiple of blocksize. 376 * 377 * Return: Max payload length in bytes 378 */ 379 u32 spum_nsp_ctx_max_payload(enum spu_cipher_alg cipher_alg, 380 enum spu_cipher_mode cipher_mode, 381 unsigned int blocksize) 382 { 383 u32 max_payload = SPUM_NSP_MAX_PAYLOAD; 384 u32 excess; 385 386 /* In XTS on SPU-M, we'll need to insert tweak before input data */ 387 if (cipher_mode == CIPHER_MODE_XTS) 388 max_payload -= SPU_XTS_TWEAK_SIZE; 389 390 excess = max_payload % blocksize; 391 392 return max_payload - excess; 393 } 394 395 /** spum_payload_length() - Given a SPU-M message header, extract the payload 396 * length. 397 * @spu_hdr: Start of SPU header 398 * 399 * Assumes just MH, EMH, BD (no SCTX, BDESC. Works for response frames. 400 * 401 * Return: payload length in bytes 402 */ 403 u32 spum_payload_length(u8 *spu_hdr) 404 { 405 struct BD_HEADER *bd; 406 u32 pl_len; 407 408 /* Find BD header. skip MH, EMH */ 409 bd = (struct BD_HEADER *)(spu_hdr + 8); 410 pl_len = be16_to_cpu(bd->size); 411 412 return pl_len; 413 } 414 415 /** 416 * spum_response_hdr_len() - Given the length of the hash key and encryption 417 * key, determine the expected length of a SPU response header. 418 * @auth_key_len: authentication key length (bytes) 419 * @enc_key_len: encryption key length (bytes) 420 * @is_hash: true if response message is for a hash operation 421 * 422 * Return: length of SPU response header (bytes) 423 */ 424 u16 spum_response_hdr_len(u16 auth_key_len, u16 enc_key_len, bool is_hash) 425 { 426 if (is_hash) 427 return SPU_HASH_RESP_HDR_LEN; 428 else 429 return SPU_RESP_HDR_LEN; 430 } 431 432 /** 433 * spum_hash_pad_len() - Calculate the length of hash padding required to extend 434 * data to a full block size. 435 * @hash_alg: hash algorithm 436 * @hash_mode: hash mode 437 * @chunksize: length of data, in bytes 438 * @hash_block_size: size of a block of data for hash algorithm 439 * 440 * Reserve space for 1 byte (0x80) start of pad and the total length as u64 441 * 442 * Return: length of hash pad in bytes 443 */ 444 u16 spum_hash_pad_len(enum hash_alg hash_alg, enum hash_mode hash_mode, 445 u32 chunksize, u16 hash_block_size) 446 { 447 unsigned int length_len; 448 unsigned int used_space_last_block; 449 int hash_pad_len; 450 451 /* AES-XCBC hash requires just padding to next block boundary */ 452 if ((hash_alg == HASH_ALG_AES) && (hash_mode == HASH_MODE_XCBC)) { 453 used_space_last_block = chunksize % hash_block_size; 454 hash_pad_len = hash_block_size - used_space_last_block; 455 if (hash_pad_len >= hash_block_size) 456 hash_pad_len -= hash_block_size; 457 return hash_pad_len; 458 } 459 460 used_space_last_block = chunksize % hash_block_size + 1; 461 if ((hash_alg == HASH_ALG_SHA384) || (hash_alg == HASH_ALG_SHA512)) 462 length_len = 2 * sizeof(u64); 463 else 464 length_len = sizeof(u64); 465 466 used_space_last_block += length_len; 467 hash_pad_len = hash_block_size - used_space_last_block; 468 if (hash_pad_len < 0) 469 hash_pad_len += hash_block_size; 470 471 hash_pad_len += 1 + length_len; 472 return hash_pad_len; 473 } 474 475 /** 476 * spum_gcm_ccm_pad_len() - Determine the required length of GCM or CCM padding. 477 * @cipher_mode: Algo type 478 * @data_size: Length of plaintext (bytes) 479 * 480 * @Return: Length of padding, in bytes 481 */ 482 u32 spum_gcm_ccm_pad_len(enum spu_cipher_mode cipher_mode, 483 unsigned int data_size) 484 { 485 u32 pad_len = 0; 486 u32 m1 = SPU_GCM_CCM_ALIGN - 1; 487 488 if ((cipher_mode == CIPHER_MODE_GCM) || 489 (cipher_mode == CIPHER_MODE_CCM)) 490 pad_len = ((data_size + m1) & ~m1) - data_size; 491 492 return pad_len; 493 } 494 495 /** 496 * spum_assoc_resp_len() - Determine the size of the receive buffer required to 497 * catch associated data. 498 * @cipher_mode: cipher mode 499 * @assoc_len: length of associated data (bytes) 500 * @iv_len: length of IV (bytes) 501 * @is_encrypt: true if encrypting. false if decrypting. 502 * 503 * Return: length of associated data in response message (bytes) 504 */ 505 u32 spum_assoc_resp_len(enum spu_cipher_mode cipher_mode, 506 unsigned int assoc_len, unsigned int iv_len, 507 bool is_encrypt) 508 { 509 u32 buflen = 0; 510 u32 pad; 511 512 if (assoc_len) 513 buflen = assoc_len; 514 515 if (cipher_mode == CIPHER_MODE_GCM) { 516 /* AAD needs to be padded in responses too */ 517 pad = spum_gcm_ccm_pad_len(cipher_mode, buflen); 518 buflen += pad; 519 } 520 if (cipher_mode == CIPHER_MODE_CCM) { 521 /* 522 * AAD needs to be padded in responses too 523 * for CCM, len + 2 needs to be 128-bit aligned. 524 */ 525 pad = spum_gcm_ccm_pad_len(cipher_mode, buflen + 2); 526 buflen += pad; 527 } 528 529 return buflen; 530 } 531 532 /** 533 * spu_aead_ivlen() - Calculate the length of the AEAD IV to be included 534 * in a SPU request after the AAD and before the payload. 535 * @cipher_mode: cipher mode 536 * @iv_ctr_len: initialization vector length in bytes 537 * 538 * In Linux ~4.2 and later, the assoc_data sg includes the IV. So no need 539 * to include the IV as a separate field in the SPU request msg. 540 * 541 * Return: Length of AEAD IV in bytes 542 */ 543 u8 spum_aead_ivlen(enum spu_cipher_mode cipher_mode, u16 iv_len) 544 { 545 return 0; 546 } 547 548 /** 549 * spum_hash_type() - Determine the type of hash operation. 550 * @src_sent: The number of bytes in the current request that have already 551 * been sent to the SPU to be hashed. 552 * 553 * We do not use HASH_TYPE_FULL for requests that fit in a single SPU message. 554 * Using FULL causes failures (such as when the string to be hashed is empty). 555 * For similar reasons, we never use HASH_TYPE_FIN. Instead, submit messages 556 * as INIT or UPDT and do the hash padding in sw. 557 */ 558 enum hash_type spum_hash_type(u32 src_sent) 559 { 560 return src_sent ? HASH_TYPE_UPDT : HASH_TYPE_INIT; 561 } 562 563 /** 564 * spum_digest_size() - Determine the size of a hash digest to expect the SPU to 565 * return. 566 * alg_digest_size: Number of bytes in the final digest for the given algo 567 * alg: The hash algorithm 568 * htype: Type of hash operation (init, update, full, etc) 569 * 570 * When doing incremental hashing for an algorithm with a truncated hash 571 * (e.g., SHA224), the SPU returns the full digest so that it can be fed back as 572 * a partial result for the next chunk. 573 */ 574 u32 spum_digest_size(u32 alg_digest_size, enum hash_alg alg, 575 enum hash_type htype) 576 { 577 u32 digestsize = alg_digest_size; 578 579 /* SPU returns complete digest when doing incremental hash and truncated 580 * hash algo. 581 */ 582 if ((htype == HASH_TYPE_INIT) || (htype == HASH_TYPE_UPDT)) { 583 if (alg == HASH_ALG_SHA224) 584 digestsize = SHA256_DIGEST_SIZE; 585 else if (alg == HASH_ALG_SHA384) 586 digestsize = SHA512_DIGEST_SIZE; 587 } 588 return digestsize; 589 } 590 591 /** 592 * spum_create_request() - Build a SPU request message header, up to and 593 * including the BD header. Construct the message starting at spu_hdr. Caller 594 * should allocate this buffer in DMA-able memory at least SPU_HEADER_ALLOC_LEN 595 * bytes long. 596 * @spu_hdr: Start of buffer where SPU request header is to be written 597 * @req_opts: SPU request message options 598 * @cipher_parms: Parameters related to cipher algorithm 599 * @hash_parms: Parameters related to hash algorithm 600 * @aead_parms: Parameters related to AEAD operation 601 * @data_size: Length of data to be encrypted or authenticated. If AEAD, does 602 * not include length of AAD. 603 604 * Return: the length of the SPU header in bytes. 0 if an error occurs. 605 */ 606 u32 spum_create_request(u8 *spu_hdr, 607 struct spu_request_opts *req_opts, 608 struct spu_cipher_parms *cipher_parms, 609 struct spu_hash_parms *hash_parms, 610 struct spu_aead_parms *aead_parms, 611 unsigned int data_size) 612 { 613 struct SPUHEADER *spuh; 614 struct BDESC_HEADER *bdesc; 615 struct BD_HEADER *bd; 616 617 u8 *ptr; 618 u32 protocol_bits = 0; 619 u32 cipher_bits = 0; 620 u32 ecf_bits = 0; 621 u8 sctx_words = 0; 622 unsigned int buf_len = 0; 623 624 /* size of the cipher payload */ 625 unsigned int cipher_len = hash_parms->prebuf_len + data_size + 626 hash_parms->pad_len; 627 628 /* offset of prebuf or data from end of BD header */ 629 unsigned int cipher_offset = aead_parms->assoc_size + 630 aead_parms->iv_len + aead_parms->aad_pad_len; 631 632 /* total size of the DB data (without STAT word padding) */ 633 unsigned int real_db_size = spu_real_db_size(aead_parms->assoc_size, 634 aead_parms->iv_len, 635 hash_parms->prebuf_len, 636 data_size, 637 aead_parms->aad_pad_len, 638 aead_parms->data_pad_len, 639 hash_parms->pad_len); 640 641 unsigned int auth_offset = 0; 642 unsigned int offset_iv = 0; 643 644 /* size/offset of the auth payload */ 645 unsigned int auth_len; 646 647 auth_len = real_db_size; 648 649 if (req_opts->is_aead && req_opts->is_inbound) 650 cipher_len -= hash_parms->digestsize; 651 652 if (req_opts->is_aead && req_opts->is_inbound) 653 auth_len -= hash_parms->digestsize; 654 655 if ((hash_parms->alg == HASH_ALG_AES) && 656 (hash_parms->mode == HASH_MODE_XCBC)) { 657 auth_len -= hash_parms->pad_len; 658 cipher_len -= hash_parms->pad_len; 659 } 660 661 flow_log("%s()\n", __func__); 662 flow_log(" in:%u authFirst:%u\n", 663 req_opts->is_inbound, req_opts->auth_first); 664 flow_log(" %s. cipher alg:%u mode:%u type %u\n", 665 spu_alg_name(cipher_parms->alg, cipher_parms->mode), 666 cipher_parms->alg, cipher_parms->mode, cipher_parms->type); 667 flow_log(" key: %d\n", cipher_parms->key_len); 668 flow_dump(" key: ", cipher_parms->key_buf, cipher_parms->key_len); 669 flow_log(" iv: %d\n", cipher_parms->iv_len); 670 flow_dump(" iv: ", cipher_parms->iv_buf, cipher_parms->iv_len); 671 flow_log(" auth alg:%u mode:%u type %u\n", 672 hash_parms->alg, hash_parms->mode, hash_parms->type); 673 flow_log(" digestsize: %u\n", hash_parms->digestsize); 674 flow_log(" authkey: %d\n", hash_parms->key_len); 675 flow_dump(" authkey: ", hash_parms->key_buf, hash_parms->key_len); 676 flow_log(" assoc_size:%u\n", aead_parms->assoc_size); 677 flow_log(" prebuf_len:%u\n", hash_parms->prebuf_len); 678 flow_log(" data_size:%u\n", data_size); 679 flow_log(" hash_pad_len:%u\n", hash_parms->pad_len); 680 flow_log(" real_db_size:%u\n", real_db_size); 681 flow_log(" auth_offset:%u auth_len:%u cipher_offset:%u cipher_len:%u\n", 682 auth_offset, auth_len, cipher_offset, cipher_len); 683 flow_log(" aead_iv: %u\n", aead_parms->iv_len); 684 685 /* starting out: zero the header (plus some) */ 686 ptr = spu_hdr; 687 memset(ptr, 0, sizeof(struct SPUHEADER)); 688 689 /* format master header word */ 690 /* Do not set the next bit even though the datasheet says to */ 691 spuh = (struct SPUHEADER *)ptr; 692 ptr += sizeof(struct SPUHEADER); 693 buf_len += sizeof(struct SPUHEADER); 694 695 spuh->mh.op_code = SPU_CRYPTO_OPERATION_GENERIC; 696 spuh->mh.flags |= (MH_SCTX_PRES | MH_BDESC_PRES | MH_BD_PRES); 697 698 /* Format sctx word 0 (protocol_bits) */ 699 sctx_words = 3; /* size in words */ 700 701 /* Format sctx word 1 (cipher_bits) */ 702 if (req_opts->is_inbound) 703 cipher_bits |= CIPHER_INBOUND; 704 if (req_opts->auth_first) 705 cipher_bits |= CIPHER_ORDER; 706 707 /* Set the crypto parameters in the cipher.flags */ 708 cipher_bits |= cipher_parms->alg << CIPHER_ALG_SHIFT; 709 cipher_bits |= cipher_parms->mode << CIPHER_MODE_SHIFT; 710 cipher_bits |= cipher_parms->type << CIPHER_TYPE_SHIFT; 711 712 /* Set the auth parameters in the cipher.flags */ 713 cipher_bits |= hash_parms->alg << HASH_ALG_SHIFT; 714 cipher_bits |= hash_parms->mode << HASH_MODE_SHIFT; 715 cipher_bits |= hash_parms->type << HASH_TYPE_SHIFT; 716 717 /* 718 * Format sctx extensions if required, and update main fields if 719 * required) 720 */ 721 if (hash_parms->alg) { 722 /* Write the authentication key material if present */ 723 if (hash_parms->key_len) { 724 memcpy(ptr, hash_parms->key_buf, hash_parms->key_len); 725 ptr += hash_parms->key_len; 726 buf_len += hash_parms->key_len; 727 sctx_words += hash_parms->key_len / 4; 728 } 729 730 if ((cipher_parms->mode == CIPHER_MODE_GCM) || 731 (cipher_parms->mode == CIPHER_MODE_CCM)) 732 /* unpadded length */ 733 offset_iv = aead_parms->assoc_size; 734 735 /* if GCM/CCM we need to write ICV into the payload */ 736 if (!req_opts->is_inbound) { 737 if ((cipher_parms->mode == CIPHER_MODE_GCM) || 738 (cipher_parms->mode == CIPHER_MODE_CCM)) 739 ecf_bits |= 1 << INSERT_ICV_SHIFT; 740 } else { 741 ecf_bits |= CHECK_ICV; 742 } 743 744 /* Inform the SPU of the ICV size (in words) */ 745 if (hash_parms->digestsize == 64) 746 cipher_bits |= ICV_IS_512; 747 else 748 ecf_bits |= 749 (hash_parms->digestsize / 4) << ICV_SIZE_SHIFT; 750 } 751 752 if (req_opts->bd_suppress) 753 ecf_bits |= BD_SUPPRESS; 754 755 /* copy the encryption keys in the SAD entry */ 756 if (cipher_parms->alg) { 757 if (cipher_parms->key_len) { 758 memcpy(ptr, cipher_parms->key_buf, 759 cipher_parms->key_len); 760 ptr += cipher_parms->key_len; 761 buf_len += cipher_parms->key_len; 762 sctx_words += cipher_parms->key_len / 4; 763 } 764 765 /* 766 * if encrypting then set IV size, use SCTX IV unless no IV 767 * given here 768 */ 769 if (cipher_parms->iv_buf && cipher_parms->iv_len) { 770 /* Use SCTX IV */ 771 ecf_bits |= SCTX_IV; 772 773 /* cipher iv provided so put it in here */ 774 memcpy(ptr, cipher_parms->iv_buf, cipher_parms->iv_len); 775 776 ptr += cipher_parms->iv_len; 777 buf_len += cipher_parms->iv_len; 778 sctx_words += cipher_parms->iv_len / 4; 779 } 780 } 781 782 /* 783 * RFC4543 (GMAC/ESP) requires data to be sent as part of AAD 784 * so we need to override the BDESC parameters. 785 */ 786 if (req_opts->is_rfc4543) { 787 if (req_opts->is_inbound) 788 data_size -= hash_parms->digestsize; 789 offset_iv = aead_parms->assoc_size + data_size; 790 cipher_len = 0; 791 cipher_offset = offset_iv; 792 auth_len = cipher_offset + aead_parms->data_pad_len; 793 } 794 795 /* write in the total sctx length now that we know it */ 796 protocol_bits |= sctx_words; 797 798 /* Endian adjust the SCTX */ 799 spuh->sa.proto_flags = cpu_to_be32(protocol_bits); 800 spuh->sa.cipher_flags = cpu_to_be32(cipher_bits); 801 spuh->sa.ecf = cpu_to_be32(ecf_bits); 802 803 /* === create the BDESC section === */ 804 bdesc = (struct BDESC_HEADER *)ptr; 805 806 bdesc->offset_mac = cpu_to_be16(auth_offset); 807 bdesc->length_mac = cpu_to_be16(auth_len); 808 bdesc->offset_crypto = cpu_to_be16(cipher_offset); 809 bdesc->length_crypto = cpu_to_be16(cipher_len); 810 811 /* 812 * CCM in SPU-M requires that ICV not be in same 32-bit word as data or 813 * padding. So account for padding as necessary. 814 */ 815 if (cipher_parms->mode == CIPHER_MODE_CCM) 816 auth_len += spum_wordalign_padlen(auth_len); 817 818 bdesc->offset_icv = cpu_to_be16(auth_len); 819 bdesc->offset_iv = cpu_to_be16(offset_iv); 820 821 ptr += sizeof(struct BDESC_HEADER); 822 buf_len += sizeof(struct BDESC_HEADER); 823 824 /* === no MFM section === */ 825 826 /* === create the BD section === */ 827 828 /* add the BD header */ 829 bd = (struct BD_HEADER *)ptr; 830 bd->size = cpu_to_be16(real_db_size); 831 bd->prev_length = 0; 832 833 ptr += sizeof(struct BD_HEADER); 834 buf_len += sizeof(struct BD_HEADER); 835 836 packet_dump(" SPU request header: ", spu_hdr, buf_len); 837 838 return buf_len; 839 } 840 841 /** 842 * spum_cipher_req_init() - Build a SPU request message header, up to and 843 * including the BD header. 844 * @spu_hdr: Start of SPU request header (MH) 845 * @cipher_parms: Parameters that describe the cipher request 846 * 847 * Construct the message starting at spu_hdr. Caller should allocate this buffer 848 * in DMA-able memory at least SPU_HEADER_ALLOC_LEN bytes long. 849 * 850 * Return: the length of the SPU header in bytes. 0 if an error occurs. 851 */ 852 u16 spum_cipher_req_init(u8 *spu_hdr, struct spu_cipher_parms *cipher_parms) 853 { 854 struct SPUHEADER *spuh; 855 u32 protocol_bits = 0; 856 u32 cipher_bits = 0; 857 u32 ecf_bits = 0; 858 u8 sctx_words = 0; 859 u8 *ptr = spu_hdr; 860 861 flow_log("%s()\n", __func__); 862 flow_log(" cipher alg:%u mode:%u type %u\n", cipher_parms->alg, 863 cipher_parms->mode, cipher_parms->type); 864 flow_log(" cipher_iv_len: %u\n", cipher_parms->iv_len); 865 flow_log(" key: %d\n", cipher_parms->key_len); 866 flow_dump(" key: ", cipher_parms->key_buf, cipher_parms->key_len); 867 868 /* starting out: zero the header (plus some) */ 869 memset(spu_hdr, 0, sizeof(struct SPUHEADER)); 870 ptr += sizeof(struct SPUHEADER); 871 872 /* format master header word */ 873 /* Do not set the next bit even though the datasheet says to */ 874 spuh = (struct SPUHEADER *)spu_hdr; 875 876 spuh->mh.op_code = SPU_CRYPTO_OPERATION_GENERIC; 877 spuh->mh.flags |= (MH_SCTX_PRES | MH_BDESC_PRES | MH_BD_PRES); 878 879 /* Format sctx word 0 (protocol_bits) */ 880 sctx_words = 3; /* size in words */ 881 882 /* copy the encryption keys in the SAD entry */ 883 if (cipher_parms->alg) { 884 if (cipher_parms->key_len) { 885 ptr += cipher_parms->key_len; 886 sctx_words += cipher_parms->key_len / 4; 887 } 888 889 /* 890 * if encrypting then set IV size, use SCTX IV unless no IV 891 * given here 892 */ 893 if (cipher_parms->iv_len) { 894 /* Use SCTX IV */ 895 ecf_bits |= SCTX_IV; 896 ptr += cipher_parms->iv_len; 897 sctx_words += cipher_parms->iv_len / 4; 898 } 899 } 900 901 /* Set the crypto parameters in the cipher.flags */ 902 cipher_bits |= cipher_parms->alg << CIPHER_ALG_SHIFT; 903 cipher_bits |= cipher_parms->mode << CIPHER_MODE_SHIFT; 904 cipher_bits |= cipher_parms->type << CIPHER_TYPE_SHIFT; 905 906 /* copy the encryption keys in the SAD entry */ 907 if (cipher_parms->alg && cipher_parms->key_len) 908 memcpy(spuh + 1, cipher_parms->key_buf, cipher_parms->key_len); 909 910 /* write in the total sctx length now that we know it */ 911 protocol_bits |= sctx_words; 912 913 /* Endian adjust the SCTX */ 914 spuh->sa.proto_flags = cpu_to_be32(protocol_bits); 915 916 /* Endian adjust the SCTX */ 917 spuh->sa.cipher_flags = cpu_to_be32(cipher_bits); 918 spuh->sa.ecf = cpu_to_be32(ecf_bits); 919 920 packet_dump(" SPU request header: ", spu_hdr, 921 sizeof(struct SPUHEADER)); 922 923 return sizeof(struct SPUHEADER) + cipher_parms->key_len + 924 cipher_parms->iv_len + sizeof(struct BDESC_HEADER) + 925 sizeof(struct BD_HEADER); 926 } 927 928 /** 929 * spum_cipher_req_finish() - Finish building a SPU request message header for a 930 * block cipher request. Assumes much of the header was already filled in at 931 * setkey() time in spu_cipher_req_init(). 932 * @spu_hdr: Start of the request message header (MH field) 933 * @spu_req_hdr_len: Length in bytes of the SPU request header 934 * @isInbound: 0 encrypt, 1 decrypt 935 * @cipher_parms: Parameters describing cipher operation to be performed 936 * @update_key: If true, rewrite the cipher key in SCTX 937 * @data_size: Length of the data in the BD field 938 * 939 * Assumes much of the header was already filled in at setkey() time in 940 * spum_cipher_req_init(). 941 * spum_cipher_req_init() fills in the encryption key. For RC4, when submitting 942 * a request for a non-first chunk, we use the 260-byte SUPDT field from the 943 * previous response as the key. update_key is true for this case. Unused in all 944 * other cases. 945 */ 946 void spum_cipher_req_finish(u8 *spu_hdr, 947 u16 spu_req_hdr_len, 948 unsigned int is_inbound, 949 struct spu_cipher_parms *cipher_parms, 950 bool update_key, 951 unsigned int data_size) 952 { 953 struct SPUHEADER *spuh; 954 struct BDESC_HEADER *bdesc; 955 struct BD_HEADER *bd; 956 u8 *bdesc_ptr = spu_hdr + spu_req_hdr_len - 957 (sizeof(struct BD_HEADER) + sizeof(struct BDESC_HEADER)); 958 959 u32 cipher_bits; 960 961 flow_log("%s()\n", __func__); 962 flow_log(" in: %u\n", is_inbound); 963 flow_log(" cipher alg: %u, cipher_type: %u\n", cipher_parms->alg, 964 cipher_parms->type); 965 if (update_key) { 966 flow_log(" cipher key len: %u\n", cipher_parms->key_len); 967 flow_dump(" key: ", cipher_parms->key_buf, 968 cipher_parms->key_len); 969 } 970 971 /* 972 * In XTS mode, API puts "i" parameter (block tweak) in IV. For 973 * SPU-M, should be in start of the BD; tx_sg_create() copies it there. 974 * IV in SPU msg for SPU-M should be 0, since that's the "j" parameter 975 * (block ctr within larger data unit) - given we can send entire disk 976 * block (<= 4KB) in 1 SPU msg, don't need to use this parameter. 977 */ 978 if (cipher_parms->mode == CIPHER_MODE_XTS) 979 memset(cipher_parms->iv_buf, 0, cipher_parms->iv_len); 980 981 flow_log(" iv len: %d\n", cipher_parms->iv_len); 982 flow_dump(" iv: ", cipher_parms->iv_buf, cipher_parms->iv_len); 983 flow_log(" data_size: %u\n", data_size); 984 985 /* format master header word */ 986 /* Do not set the next bit even though the datasheet says to */ 987 spuh = (struct SPUHEADER *)spu_hdr; 988 989 /* cipher_bits was initialized at setkey time */ 990 cipher_bits = be32_to_cpu(spuh->sa.cipher_flags); 991 992 /* Format sctx word 1 (cipher_bits) */ 993 if (is_inbound) 994 cipher_bits |= CIPHER_INBOUND; 995 else 996 cipher_bits &= ~CIPHER_INBOUND; 997 998 /* update encryption key for RC4 on non-first chunk */ 999 if (update_key) { 1000 spuh->sa.cipher_flags |= 1001 cipher_parms->type << CIPHER_TYPE_SHIFT; 1002 memcpy(spuh + 1, cipher_parms->key_buf, cipher_parms->key_len); 1003 } 1004 1005 if (cipher_parms->alg && cipher_parms->iv_buf && cipher_parms->iv_len) 1006 /* cipher iv provided so put it in here */ 1007 memcpy(bdesc_ptr - cipher_parms->iv_len, cipher_parms->iv_buf, 1008 cipher_parms->iv_len); 1009 1010 spuh->sa.cipher_flags = cpu_to_be32(cipher_bits); 1011 1012 /* === create the BDESC section === */ 1013 bdesc = (struct BDESC_HEADER *)bdesc_ptr; 1014 bdesc->offset_mac = 0; 1015 bdesc->length_mac = 0; 1016 bdesc->offset_crypto = 0; 1017 1018 /* XTS mode, data_size needs to include tweak parameter */ 1019 if (cipher_parms->mode == CIPHER_MODE_XTS) 1020 bdesc->length_crypto = cpu_to_be16(data_size + 1021 SPU_XTS_TWEAK_SIZE); 1022 else 1023 bdesc->length_crypto = cpu_to_be16(data_size); 1024 1025 bdesc->offset_icv = 0; 1026 bdesc->offset_iv = 0; 1027 1028 /* === no MFM section === */ 1029 1030 /* === create the BD section === */ 1031 /* add the BD header */ 1032 bd = (struct BD_HEADER *)(bdesc_ptr + sizeof(struct BDESC_HEADER)); 1033 bd->size = cpu_to_be16(data_size); 1034 1035 /* XTS mode, data_size needs to include tweak parameter */ 1036 if (cipher_parms->mode == CIPHER_MODE_XTS) 1037 bd->size = cpu_to_be16(data_size + SPU_XTS_TWEAK_SIZE); 1038 else 1039 bd->size = cpu_to_be16(data_size); 1040 1041 bd->prev_length = 0; 1042 1043 packet_dump(" SPU request header: ", spu_hdr, spu_req_hdr_len); 1044 } 1045 1046 /** 1047 * spum_request_pad() - Create pad bytes at the end of the data. 1048 * @pad_start: Start of buffer where pad bytes are to be written 1049 * @gcm_ccm_padding: length of GCM/CCM padding, in bytes 1050 * @hash_pad_len: Number of bytes of padding extend data to full block 1051 * @auth_alg: authentication algorithm 1052 * @auth_mode: authentication mode 1053 * @total_sent: length inserted at end of hash pad 1054 * @status_padding: Number of bytes of padding to align STATUS word 1055 * 1056 * There may be three forms of pad: 1057 * 1. GCM/CCM pad - for GCM/CCM mode ciphers, pad to 16-byte alignment 1058 * 2. hash pad - pad to a block length, with 0x80 data terminator and 1059 * size at the end 1060 * 3. STAT pad - to ensure the STAT field is 4-byte aligned 1061 */ 1062 void spum_request_pad(u8 *pad_start, 1063 u32 gcm_ccm_padding, 1064 u32 hash_pad_len, 1065 enum hash_alg auth_alg, 1066 enum hash_mode auth_mode, 1067 unsigned int total_sent, u32 status_padding) 1068 { 1069 u8 *ptr = pad_start; 1070 1071 /* fix data alignent for GCM/CCM */ 1072 if (gcm_ccm_padding > 0) { 1073 flow_log(" GCM: padding to 16 byte alignment: %u bytes\n", 1074 gcm_ccm_padding); 1075 memset(ptr, 0, gcm_ccm_padding); 1076 ptr += gcm_ccm_padding; 1077 } 1078 1079 if (hash_pad_len > 0) { 1080 /* clear the padding section */ 1081 memset(ptr, 0, hash_pad_len); 1082 1083 if ((auth_alg == HASH_ALG_AES) && 1084 (auth_mode == HASH_MODE_XCBC)) { 1085 /* AES/XCBC just requires padding to be 0s */ 1086 ptr += hash_pad_len; 1087 } else { 1088 /* terminate the data */ 1089 *ptr = 0x80; 1090 ptr += (hash_pad_len - sizeof(u64)); 1091 1092 /* add the size at the end as required per alg */ 1093 if (auth_alg == HASH_ALG_MD5) 1094 *(u64 *)ptr = cpu_to_le64((u64)total_sent * 8); 1095 else /* SHA1, SHA2-224, SHA2-256 */ 1096 *(u64 *)ptr = cpu_to_be64((u64)total_sent * 8); 1097 ptr += sizeof(u64); 1098 } 1099 } 1100 1101 /* pad to a 4byte alignment for STAT */ 1102 if (status_padding > 0) { 1103 flow_log(" STAT: padding to 4 byte alignment: %u bytes\n", 1104 status_padding); 1105 1106 memset(ptr, 0, status_padding); 1107 ptr += status_padding; 1108 } 1109 } 1110 1111 /** 1112 * spum_xts_tweak_in_payload() - Indicate that SPUM DOES place the XTS tweak 1113 * field in the packet payload (rather than using IV) 1114 * 1115 * Return: 1 1116 */ 1117 u8 spum_xts_tweak_in_payload(void) 1118 { 1119 return 1; 1120 } 1121 1122 /** 1123 * spum_tx_status_len() - Return the length of the STATUS field in a SPU 1124 * response message. 1125 * 1126 * Return: Length of STATUS field in bytes. 1127 */ 1128 u8 spum_tx_status_len(void) 1129 { 1130 return SPU_TX_STATUS_LEN; 1131 } 1132 1133 /** 1134 * spum_rx_status_len() - Return the length of the STATUS field in a SPU 1135 * response message. 1136 * 1137 * Return: Length of STATUS field in bytes. 1138 */ 1139 u8 spum_rx_status_len(void) 1140 { 1141 return SPU_RX_STATUS_LEN; 1142 } 1143 1144 /** 1145 * spum_status_process() - Process the status from a SPU response message. 1146 * @statp: start of STATUS word 1147 * Return: 1148 * 0 - if status is good and response should be processed 1149 * !0 - status indicates an error and response is invalid 1150 */ 1151 int spum_status_process(u8 *statp) 1152 { 1153 u32 status; 1154 1155 status = __be32_to_cpu(*(__be32 *)statp); 1156 flow_log("SPU response STATUS %#08x\n", status); 1157 if (status & SPU_STATUS_ERROR_FLAG) { 1158 pr_err("%s() Warning: Error result from SPU: %#08x\n", 1159 __func__, status); 1160 if (status & SPU_STATUS_INVALID_ICV) 1161 return SPU_INVALID_ICV; 1162 return -EBADMSG; 1163 } 1164 return 0; 1165 } 1166 1167 /** 1168 * spum_ccm_update_iv() - Update the IV as per the requirements for CCM mode. 1169 * 1170 * @digestsize: Digest size of this request 1171 * @cipher_parms: (pointer to) cipher parmaeters, includes IV buf & IV len 1172 * @assoclen: Length of AAD data 1173 * @chunksize: length of input data to be sent in this req 1174 * @is_encrypt: true if this is an output/encrypt operation 1175 * @is_esp: true if this is an ESP / RFC4309 operation 1176 * 1177 */ 1178 void spum_ccm_update_iv(unsigned int digestsize, 1179 struct spu_cipher_parms *cipher_parms, 1180 unsigned int assoclen, 1181 unsigned int chunksize, 1182 bool is_encrypt, 1183 bool is_esp) 1184 { 1185 u8 L; /* L from CCM algorithm, length of plaintext data */ 1186 u8 mprime; /* M' from CCM algo, (M - 2) / 2, where M=authsize */ 1187 u8 adata; 1188 1189 if (cipher_parms->iv_len != CCM_AES_IV_SIZE) { 1190 pr_err("%s(): Invalid IV len %d for CCM mode, should be %d\n", 1191 __func__, cipher_parms->iv_len, CCM_AES_IV_SIZE); 1192 return; 1193 } 1194 1195 /* 1196 * IV needs to be formatted as follows: 1197 * 1198 * | Byte 0 | Bytes 1 - N | Bytes (N+1) - 15 | 1199 * | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | Bits 7 - 0 | Bits 7 - 0 | 1200 * | 0 |Ad?|(M - 2) / 2| L - 1 | Nonce | Plaintext Length | 1201 * 1202 * Ad? = 1 if AAD present, 0 if not present 1203 * M = size of auth field, 8, 12, or 16 bytes (SPU-M) -or- 1204 * 4, 6, 8, 10, 12, 14, 16 bytes (SPU2) 1205 * L = Size of Plaintext Length field; Nonce size = 15 - L 1206 * 1207 * It appears that the crypto API already expects the L-1 portion 1208 * to be set in the first byte of the IV, which implicitly determines 1209 * the nonce size, and also fills in the nonce. But the other bits 1210 * in byte 0 as well as the plaintext length need to be filled in. 1211 * 1212 * In rfc4309/esp mode, L is not already in the supplied IV and 1213 * we need to fill it in, as well as move the IV data to be after 1214 * the salt 1215 */ 1216 if (is_esp) { 1217 L = CCM_ESP_L_VALUE; /* RFC4309 has fixed L */ 1218 } else { 1219 /* L' = plaintext length - 1 so Plaintext length is L' + 1 */ 1220 L = ((cipher_parms->iv_buf[0] & CCM_B0_L_PRIME) >> 1221 CCM_B0_L_PRIME_SHIFT) + 1; 1222 } 1223 1224 mprime = (digestsize - 2) >> 1; /* M' = (M - 2) / 2 */ 1225 adata = (assoclen > 0); /* adata = 1 if any associated data */ 1226 1227 cipher_parms->iv_buf[0] = (adata << CCM_B0_ADATA_SHIFT) | 1228 (mprime << CCM_B0_M_PRIME_SHIFT) | 1229 ((L - 1) << CCM_B0_L_PRIME_SHIFT); 1230 1231 /* Nonce is already filled in by crypto API, and is 15 - L bytes */ 1232 1233 /* Don't include digest in plaintext size when decrypting */ 1234 if (!is_encrypt) 1235 chunksize -= digestsize; 1236 1237 /* Fill in length of plaintext, formatted to be L bytes long */ 1238 format_value_ccm(chunksize, &cipher_parms->iv_buf[15 - L + 1], L); 1239 } 1240 1241 /** 1242 * spum_wordalign_padlen() - Given the length of a data field, determine the 1243 * padding required to align the data following this field on a 4-byte boundary. 1244 * @data_size: length of data field in bytes 1245 * 1246 * Return: length of status field padding, in bytes 1247 */ 1248 u32 spum_wordalign_padlen(u32 data_size) 1249 { 1250 return ((data_size + 3) & ~3) - data_size; 1251 } 1252