1 /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 /* 3 * SM4-GCM AEAD Algorithm using ARMv8 Crypto Extensions 4 * as specified in rfc8998 5 * https://datatracker.ietf.org/doc/html/rfc8998 6 * 7 * Copyright (C) 2022 Tianjia Zhang <tianjia.zhang@linux.alibaba.com> 8 */ 9 10 #include <linux/module.h> 11 #include <linux/crypto.h> 12 #include <linux/kernel.h> 13 #include <linux/cpufeature.h> 14 #include <asm/neon.h> 15 #include <crypto/b128ops.h> 16 #include <crypto/scatterwalk.h> 17 #include <crypto/internal/aead.h> 18 #include <crypto/internal/skcipher.h> 19 #include <crypto/sm4.h> 20 #include "sm4-ce.h" 21 22 asmlinkage void sm4_ce_pmull_ghash_setup(const u32 *rkey_enc, u8 *ghash_table); 23 asmlinkage void pmull_ghash_update(const u8 *ghash_table, u8 *ghash, 24 const u8 *src, unsigned int nblocks); 25 asmlinkage void sm4_ce_pmull_gcm_enc(const u32 *rkey_enc, u8 *dst, 26 const u8 *src, u8 *iv, 27 unsigned int nbytes, u8 *ghash, 28 const u8 *ghash_table, const u8 *lengths); 29 asmlinkage void sm4_ce_pmull_gcm_dec(const u32 *rkey_enc, u8 *dst, 30 const u8 *src, u8 *iv, 31 unsigned int nbytes, u8 *ghash, 32 const u8 *ghash_table, const u8 *lengths); 33 34 #define GHASH_BLOCK_SIZE 16 35 #define GCM_IV_SIZE 12 36 37 struct sm4_gcm_ctx { 38 struct sm4_ctx key; 39 u8 ghash_table[16 * 4]; 40 }; 41 42 43 static int gcm_setkey(struct crypto_aead *tfm, const u8 *key, 44 unsigned int key_len) 45 { 46 struct sm4_gcm_ctx *ctx = crypto_aead_ctx(tfm); 47 48 if (key_len != SM4_KEY_SIZE) 49 return -EINVAL; 50 51 kernel_neon_begin(); 52 53 sm4_ce_expand_key(key, ctx->key.rkey_enc, ctx->key.rkey_dec, 54 crypto_sm4_fk, crypto_sm4_ck); 55 sm4_ce_pmull_ghash_setup(ctx->key.rkey_enc, ctx->ghash_table); 56 57 kernel_neon_end(); 58 return 0; 59 } 60 61 static int gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize) 62 { 63 switch (authsize) { 64 case 4: 65 case 8: 66 case 12 ... 16: 67 return 0; 68 default: 69 return -EINVAL; 70 } 71 } 72 73 static void gcm_calculate_auth_mac(struct aead_request *req, u8 ghash[]) 74 { 75 struct crypto_aead *aead = crypto_aead_reqtfm(req); 76 struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead); 77 u8 __aligned(8) buffer[GHASH_BLOCK_SIZE]; 78 u32 assoclen = req->assoclen; 79 struct scatter_walk walk; 80 unsigned int buflen = 0; 81 82 scatterwalk_start(&walk, req->src); 83 84 do { 85 unsigned int n, orig_n; 86 const u8 *p; 87 88 orig_n = scatterwalk_next(&walk, assoclen); 89 p = walk.addr; 90 n = orig_n; 91 92 if (n + buflen < GHASH_BLOCK_SIZE) { 93 memcpy(&buffer[buflen], p, n); 94 buflen += n; 95 } else { 96 unsigned int nblocks; 97 98 if (buflen) { 99 unsigned int l = GHASH_BLOCK_SIZE - buflen; 100 101 memcpy(&buffer[buflen], p, l); 102 p += l; 103 n -= l; 104 105 pmull_ghash_update(ctx->ghash_table, ghash, 106 buffer, 1); 107 } 108 109 nblocks = n / GHASH_BLOCK_SIZE; 110 if (nblocks) { 111 pmull_ghash_update(ctx->ghash_table, ghash, 112 p, nblocks); 113 p += nblocks * GHASH_BLOCK_SIZE; 114 } 115 116 buflen = n % GHASH_BLOCK_SIZE; 117 if (buflen) 118 memcpy(&buffer[0], p, buflen); 119 } 120 121 scatterwalk_done_src(&walk, orig_n); 122 assoclen -= orig_n; 123 } while (assoclen); 124 125 /* padding with '0' */ 126 if (buflen) { 127 memset(&buffer[buflen], 0, GHASH_BLOCK_SIZE - buflen); 128 pmull_ghash_update(ctx->ghash_table, ghash, buffer, 1); 129 } 130 } 131 132 static int gcm_crypt(struct aead_request *req, struct skcipher_walk *walk, 133 u8 ghash[], int err, 134 void (*sm4_ce_pmull_gcm_crypt)(const u32 *rkey_enc, 135 u8 *dst, const u8 *src, u8 *iv, 136 unsigned int nbytes, u8 *ghash, 137 const u8 *ghash_table, const u8 *lengths)) 138 { 139 struct crypto_aead *aead = crypto_aead_reqtfm(req); 140 struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead); 141 u8 __aligned(8) iv[SM4_BLOCK_SIZE]; 142 be128 __aligned(8) lengths; 143 144 memset(ghash, 0, SM4_BLOCK_SIZE); 145 146 lengths.a = cpu_to_be64(req->assoclen * 8); 147 lengths.b = cpu_to_be64(walk->total * 8); 148 149 memcpy(iv, req->iv, GCM_IV_SIZE); 150 put_unaligned_be32(2, iv + GCM_IV_SIZE); 151 152 kernel_neon_begin(); 153 154 if (req->assoclen) 155 gcm_calculate_auth_mac(req, ghash); 156 157 while (walk->nbytes) { 158 unsigned int tail = walk->nbytes % SM4_BLOCK_SIZE; 159 const u8 *src = walk->src.virt.addr; 160 u8 *dst = walk->dst.virt.addr; 161 162 if (walk->nbytes == walk->total) { 163 sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, dst, src, iv, 164 walk->nbytes, ghash, 165 ctx->ghash_table, 166 (const u8 *)&lengths); 167 168 kernel_neon_end(); 169 170 return skcipher_walk_done(walk, 0); 171 } 172 173 sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, dst, src, iv, 174 walk->nbytes - tail, ghash, 175 ctx->ghash_table, NULL); 176 177 kernel_neon_end(); 178 179 err = skcipher_walk_done(walk, tail); 180 181 kernel_neon_begin(); 182 } 183 184 sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, NULL, NULL, iv, 185 walk->nbytes, ghash, ctx->ghash_table, 186 (const u8 *)&lengths); 187 188 kernel_neon_end(); 189 190 return err; 191 } 192 193 static int gcm_encrypt(struct aead_request *req) 194 { 195 struct crypto_aead *aead = crypto_aead_reqtfm(req); 196 u8 __aligned(8) ghash[SM4_BLOCK_SIZE]; 197 struct skcipher_walk walk; 198 int err; 199 200 err = skcipher_walk_aead_encrypt(&walk, req, false); 201 err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_enc); 202 if (err) 203 return err; 204 205 /* copy authtag to end of dst */ 206 scatterwalk_map_and_copy(ghash, req->dst, req->assoclen + req->cryptlen, 207 crypto_aead_authsize(aead), 1); 208 209 return 0; 210 } 211 212 static int gcm_decrypt(struct aead_request *req) 213 { 214 struct crypto_aead *aead = crypto_aead_reqtfm(req); 215 unsigned int authsize = crypto_aead_authsize(aead); 216 u8 __aligned(8) ghash[SM4_BLOCK_SIZE]; 217 u8 authtag[SM4_BLOCK_SIZE]; 218 struct skcipher_walk walk; 219 int err; 220 221 err = skcipher_walk_aead_decrypt(&walk, req, false); 222 err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_dec); 223 if (err) 224 return err; 225 226 /* compare calculated auth tag with the stored one */ 227 scatterwalk_map_and_copy(authtag, req->src, 228 req->assoclen + req->cryptlen - authsize, 229 authsize, 0); 230 231 if (crypto_memneq(authtag, ghash, authsize)) 232 return -EBADMSG; 233 234 return 0; 235 } 236 237 static struct aead_alg sm4_gcm_alg = { 238 .base = { 239 .cra_name = "gcm(sm4)", 240 .cra_driver_name = "gcm-sm4-ce", 241 .cra_priority = 400, 242 .cra_blocksize = 1, 243 .cra_ctxsize = sizeof(struct sm4_gcm_ctx), 244 .cra_module = THIS_MODULE, 245 }, 246 .ivsize = GCM_IV_SIZE, 247 .chunksize = SM4_BLOCK_SIZE, 248 .maxauthsize = SM4_BLOCK_SIZE, 249 .setkey = gcm_setkey, 250 .setauthsize = gcm_setauthsize, 251 .encrypt = gcm_encrypt, 252 .decrypt = gcm_decrypt, 253 }; 254 255 static int __init sm4_ce_gcm_init(void) 256 { 257 if (!cpu_have_named_feature(PMULL)) 258 return -ENODEV; 259 260 return crypto_register_aead(&sm4_gcm_alg); 261 } 262 263 static void __exit sm4_ce_gcm_exit(void) 264 { 265 crypto_unregister_aead(&sm4_gcm_alg); 266 } 267 268 static const struct cpu_feature __maybe_unused sm4_ce_gcm_cpu_feature[] = { 269 { cpu_feature(PMULL) }, 270 {} 271 }; 272 MODULE_DEVICE_TABLE(cpu, sm4_ce_gcm_cpu_feature); 273 274 module_cpu_feature_match(SM4, sm4_ce_gcm_init); 275 module_exit(sm4_ce_gcm_exit); 276 277 MODULE_DESCRIPTION("Synchronous SM4 in GCM mode using ARMv8 Crypto Extensions"); 278 MODULE_ALIAS_CRYPTO("gcm(sm4)"); 279 MODULE_AUTHOR("Tianjia Zhang <tianjia.zhang@linux.alibaba.com>"); 280 MODULE_LICENSE("GPL v2"); 281