1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /*
3 * SM4-GCM AEAD Algorithm using ARMv8 Crypto Extensions
4 * as specified in rfc8998
5 * https://datatracker.ietf.org/doc/html/rfc8998
6 *
7 * Copyright (C) 2022 Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
8 */
9
10 #include <linux/module.h>
11 #include <linux/crypto.h>
12 #include <linux/kernel.h>
13 #include <linux/cpufeature.h>
14 #include <asm/neon.h>
15 #include <crypto/b128ops.h>
16 #include <crypto/scatterwalk.h>
17 #include <crypto/internal/aead.h>
18 #include <crypto/internal/skcipher.h>
19 #include <crypto/sm4.h>
20 #include "sm4-ce.h"
21
22 asmlinkage void sm4_ce_pmull_ghash_setup(const u32 *rkey_enc, u8 *ghash_table);
23 asmlinkage void pmull_ghash_update(const u8 *ghash_table, u8 *ghash,
24 const u8 *src, unsigned int nblocks);
25 asmlinkage void sm4_ce_pmull_gcm_enc(const u32 *rkey_enc, u8 *dst,
26 const u8 *src, u8 *iv,
27 unsigned int nbytes, u8 *ghash,
28 const u8 *ghash_table, const u8 *lengths);
29 asmlinkage void sm4_ce_pmull_gcm_dec(const u32 *rkey_enc, u8 *dst,
30 const u8 *src, u8 *iv,
31 unsigned int nbytes, u8 *ghash,
32 const u8 *ghash_table, const u8 *lengths);
33
34 #define GHASH_BLOCK_SIZE 16
35 #define GCM_IV_SIZE 12
36
37 struct sm4_gcm_ctx {
38 struct sm4_ctx key;
39 u8 ghash_table[16 * 4];
40 };
41
42
gcm_setkey(struct crypto_aead * tfm,const u8 * key,unsigned int key_len)43 static int gcm_setkey(struct crypto_aead *tfm, const u8 *key,
44 unsigned int key_len)
45 {
46 struct sm4_gcm_ctx *ctx = crypto_aead_ctx(tfm);
47
48 if (key_len != SM4_KEY_SIZE)
49 return -EINVAL;
50
51 kernel_neon_begin();
52
53 sm4_ce_expand_key(key, ctx->key.rkey_enc, ctx->key.rkey_dec,
54 crypto_sm4_fk, crypto_sm4_ck);
55 sm4_ce_pmull_ghash_setup(ctx->key.rkey_enc, ctx->ghash_table);
56
57 kernel_neon_end();
58 return 0;
59 }
60
gcm_setauthsize(struct crypto_aead * tfm,unsigned int authsize)61 static int gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
62 {
63 switch (authsize) {
64 case 4:
65 case 8:
66 case 12 ... 16:
67 return 0;
68 default:
69 return -EINVAL;
70 }
71 }
72
gcm_calculate_auth_mac(struct aead_request * req,u8 ghash[])73 static void gcm_calculate_auth_mac(struct aead_request *req, u8 ghash[])
74 {
75 struct crypto_aead *aead = crypto_aead_reqtfm(req);
76 struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead);
77 u8 __aligned(8) buffer[GHASH_BLOCK_SIZE];
78 u32 assoclen = req->assoclen;
79 struct scatter_walk walk;
80 unsigned int buflen = 0;
81
82 scatterwalk_start(&walk, req->src);
83
84 do {
85 unsigned int n, orig_n;
86 const u8 *p;
87
88 orig_n = scatterwalk_next(&walk, assoclen);
89 p = walk.addr;
90 n = orig_n;
91
92 if (n + buflen < GHASH_BLOCK_SIZE) {
93 memcpy(&buffer[buflen], p, n);
94 buflen += n;
95 } else {
96 unsigned int nblocks;
97
98 if (buflen) {
99 unsigned int l = GHASH_BLOCK_SIZE - buflen;
100
101 memcpy(&buffer[buflen], p, l);
102 p += l;
103 n -= l;
104
105 pmull_ghash_update(ctx->ghash_table, ghash,
106 buffer, 1);
107 }
108
109 nblocks = n / GHASH_BLOCK_SIZE;
110 if (nblocks) {
111 pmull_ghash_update(ctx->ghash_table, ghash,
112 p, nblocks);
113 p += nblocks * GHASH_BLOCK_SIZE;
114 }
115
116 buflen = n % GHASH_BLOCK_SIZE;
117 if (buflen)
118 memcpy(&buffer[0], p, buflen);
119 }
120
121 scatterwalk_done_src(&walk, orig_n);
122 assoclen -= orig_n;
123 } while (assoclen);
124
125 /* padding with '0' */
126 if (buflen) {
127 memset(&buffer[buflen], 0, GHASH_BLOCK_SIZE - buflen);
128 pmull_ghash_update(ctx->ghash_table, ghash, buffer, 1);
129 }
130 }
131
gcm_crypt(struct aead_request * req,struct skcipher_walk * walk,u8 ghash[],int err,void (* sm4_ce_pmull_gcm_crypt)(const u32 * rkey_enc,u8 * dst,const u8 * src,u8 * iv,unsigned int nbytes,u8 * ghash,const u8 * ghash_table,const u8 * lengths))132 static int gcm_crypt(struct aead_request *req, struct skcipher_walk *walk,
133 u8 ghash[], int err,
134 void (*sm4_ce_pmull_gcm_crypt)(const u32 *rkey_enc,
135 u8 *dst, const u8 *src, u8 *iv,
136 unsigned int nbytes, u8 *ghash,
137 const u8 *ghash_table, const u8 *lengths))
138 {
139 struct crypto_aead *aead = crypto_aead_reqtfm(req);
140 struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead);
141 u8 __aligned(8) iv[SM4_BLOCK_SIZE];
142 be128 __aligned(8) lengths;
143
144 memset(ghash, 0, SM4_BLOCK_SIZE);
145
146 lengths.a = cpu_to_be64(req->assoclen * 8);
147 lengths.b = cpu_to_be64(walk->total * 8);
148
149 memcpy(iv, req->iv, GCM_IV_SIZE);
150 put_unaligned_be32(2, iv + GCM_IV_SIZE);
151
152 kernel_neon_begin();
153
154 if (req->assoclen)
155 gcm_calculate_auth_mac(req, ghash);
156
157 while (walk->nbytes) {
158 unsigned int tail = walk->nbytes % SM4_BLOCK_SIZE;
159 const u8 *src = walk->src.virt.addr;
160 u8 *dst = walk->dst.virt.addr;
161
162 if (walk->nbytes == walk->total) {
163 sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, dst, src, iv,
164 walk->nbytes, ghash,
165 ctx->ghash_table,
166 (const u8 *)&lengths);
167
168 kernel_neon_end();
169
170 return skcipher_walk_done(walk, 0);
171 }
172
173 sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, dst, src, iv,
174 walk->nbytes - tail, ghash,
175 ctx->ghash_table, NULL);
176
177 kernel_neon_end();
178
179 err = skcipher_walk_done(walk, tail);
180
181 kernel_neon_begin();
182 }
183
184 sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, NULL, NULL, iv,
185 walk->nbytes, ghash, ctx->ghash_table,
186 (const u8 *)&lengths);
187
188 kernel_neon_end();
189
190 return err;
191 }
192
gcm_encrypt(struct aead_request * req)193 static int gcm_encrypt(struct aead_request *req)
194 {
195 struct crypto_aead *aead = crypto_aead_reqtfm(req);
196 u8 __aligned(8) ghash[SM4_BLOCK_SIZE];
197 struct skcipher_walk walk;
198 int err;
199
200 err = skcipher_walk_aead_encrypt(&walk, req, false);
201 err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_enc);
202 if (err)
203 return err;
204
205 /* copy authtag to end of dst */
206 scatterwalk_map_and_copy(ghash, req->dst, req->assoclen + req->cryptlen,
207 crypto_aead_authsize(aead), 1);
208
209 return 0;
210 }
211
gcm_decrypt(struct aead_request * req)212 static int gcm_decrypt(struct aead_request *req)
213 {
214 struct crypto_aead *aead = crypto_aead_reqtfm(req);
215 unsigned int authsize = crypto_aead_authsize(aead);
216 u8 __aligned(8) ghash[SM4_BLOCK_SIZE];
217 u8 authtag[SM4_BLOCK_SIZE];
218 struct skcipher_walk walk;
219 int err;
220
221 err = skcipher_walk_aead_decrypt(&walk, req, false);
222 err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_dec);
223 if (err)
224 return err;
225
226 /* compare calculated auth tag with the stored one */
227 scatterwalk_map_and_copy(authtag, req->src,
228 req->assoclen + req->cryptlen - authsize,
229 authsize, 0);
230
231 if (crypto_memneq(authtag, ghash, authsize))
232 return -EBADMSG;
233
234 return 0;
235 }
236
237 static struct aead_alg sm4_gcm_alg = {
238 .base = {
239 .cra_name = "gcm(sm4)",
240 .cra_driver_name = "gcm-sm4-ce",
241 .cra_priority = 400,
242 .cra_blocksize = 1,
243 .cra_ctxsize = sizeof(struct sm4_gcm_ctx),
244 .cra_module = THIS_MODULE,
245 },
246 .ivsize = GCM_IV_SIZE,
247 .chunksize = SM4_BLOCK_SIZE,
248 .maxauthsize = SM4_BLOCK_SIZE,
249 .setkey = gcm_setkey,
250 .setauthsize = gcm_setauthsize,
251 .encrypt = gcm_encrypt,
252 .decrypt = gcm_decrypt,
253 };
254
sm4_ce_gcm_init(void)255 static int __init sm4_ce_gcm_init(void)
256 {
257 if (!cpu_have_named_feature(PMULL))
258 return -ENODEV;
259
260 return crypto_register_aead(&sm4_gcm_alg);
261 }
262
sm4_ce_gcm_exit(void)263 static void __exit sm4_ce_gcm_exit(void)
264 {
265 crypto_unregister_aead(&sm4_gcm_alg);
266 }
267
268 static const struct cpu_feature __maybe_unused sm4_ce_gcm_cpu_feature[] = {
269 { cpu_feature(PMULL) },
270 {}
271 };
272 MODULE_DEVICE_TABLE(cpu, sm4_ce_gcm_cpu_feature);
273
274 module_cpu_feature_match(SM4, sm4_ce_gcm_init);
275 module_exit(sm4_ce_gcm_exit);
276
277 MODULE_DESCRIPTION("Synchronous SM4 in GCM mode using ARMv8 Crypto Extensions");
278 MODULE_ALIAS_CRYPTO("gcm(sm4)");
279 MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>");
280 MODULE_LICENSE("GPL v2");
281