1 /*-
2 * Copyright (c) 2017 Chelsio Communications, Inc.
3 * All rights reserved.
4 * Written by: John Baldwin <jhb@FreeBSD.org>
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30
31 #include <sys/types.h>
32 #include <sys/bus.h>
33 #include <sys/lock.h>
34 #include <sys/malloc.h>
35 #include <sys/mutex.h>
36 #include <sys/module.h>
37 #include <sys/sglist.h>
38
39 #include <opencrypto/cryptodev.h>
40 #include <opencrypto/xform.h>
41
42 #include "cryptodev_if.h"
43
44 #include "common/common.h"
45 #include "crypto/t4_crypto.h"
46
47 /*
48 * Requests consist of:
49 *
50 * +-------------------------------+
51 * | struct fw_crypto_lookaside_wr |
52 * +-------------------------------+
53 * | struct ulp_txpkt |
54 * +-------------------------------+
55 * | struct ulptx_idata |
56 * +-------------------------------+
57 * | struct cpl_tx_sec_pdu |
58 * +-------------------------------+
59 * | struct cpl_tls_tx_scmd_fmt |
60 * +-------------------------------+
61 * | key context header |
62 * +-------------------------------+
63 * | AES key | ----- For requests with AES
64 * +-------------------------------+ -
65 * | IPAD (16-byte aligned) | \
66 * +-------------------------------+ +---- For requests with HMAC
67 * | OPAD (16-byte aligned) | /
68 * +-------------------------------+ -
69 * | GMAC H | ----- For AES-GCM
70 * +-------------------------------+ -
71 * | struct cpl_rx_phys_dsgl | \
72 * +-------------------------------+ +---- Destination buffer for
73 * | PHYS_DSGL entries | / non-hash-only requests
74 * +-------------------------------+ -
75 * | 16 dummy bytes | ----- Only for hash-only requests
76 * +-------------------------------+
77 * | IV | ----- If immediate IV
78 * +-------------------------------+
79 * | Payload | ----- If immediate Payload
80 * +-------------------------------+ -
81 * | struct ulptx_sgl | \
82 * +-------------------------------+ +---- If payload via SGL
83 * | SGL entries | /
84 * +-------------------------------+ -
85 *
86 * Note that the key context must be padded to ensure 16-byte alignment.
87 * For HMAC requests, the key consists of the partial hash of the IPAD
88 * followed by the partial hash of the OPAD.
89 *
90 * Replies consist of:
91 *
92 * +-------------------------------+
93 * | struct cpl_fw6_pld |
94 * +-------------------------------+
95 * | hash digest | ----- For HMAC request with
96 * +-------------------------------+ 'hash_size' set in work request
97 *
98 * A 32-bit big-endian error status word is supplied in the last 4
99 * bytes of data[0] in the CPL_FW6_PLD message. bit 0 indicates a
100 * "MAC" error and bit 1 indicates a "PAD" error.
101 *
102 * The 64-bit 'cookie' field from the fw_crypto_lookaside_wr message
103 * in the request is returned in data[1] of the CPL_FW6_PLD message.
104 *
105 * For block cipher replies, the updated IV is supplied in data[2] and
106 * data[3] of the CPL_FW6_PLD message.
107 *
108 * For hash replies where the work request set 'hash_size' to request
109 * a copy of the hash in the reply, the hash digest is supplied
110 * immediately following the CPL_FW6_PLD message.
111 */
112
113 /*
114 * The crypto engine supports a maximum AAD size of 511 bytes.
115 */
116 #define MAX_AAD_LEN 511
117
118 /*
119 * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32 SG
120 * entries. While the CPL includes a 16-bit length field, the T6 can
121 * sometimes hang if an error occurs while processing a request with a
122 * single DSGL entry larger than 2k.
123 */
124 #define MAX_RX_PHYS_DSGL_SGE 32
125 #define DSGL_SGE_MAXLEN 2048
126
127 /*
128 * The adapter only supports requests with a total input or output
129 * length of 64k-1 or smaller. Longer requests either result in hung
130 * requests or incorrect results.
131 */
132 #define MAX_REQUEST_SIZE 65535
133
134 static MALLOC_DEFINE(M_CCR, "ccr", "Chelsio T6 crypto");
135
136 struct ccr_session_hmac {
137 struct auth_hash *auth_hash;
138 int hash_len;
139 unsigned int partial_digest_len;
140 unsigned int auth_mode;
141 unsigned int mk_size;
142 char ipad[CHCR_HASH_MAX_BLOCK_SIZE_128];
143 char opad[CHCR_HASH_MAX_BLOCK_SIZE_128];
144 };
145
146 struct ccr_session_gmac {
147 int hash_len;
148 char ghash_h[GMAC_BLOCK_LEN];
149 };
150
151 struct ccr_session_blkcipher {
152 unsigned int cipher_mode;
153 unsigned int key_len;
154 unsigned int iv_len;
155 __be32 key_ctx_hdr;
156 char enckey[CHCR_AES_MAX_KEY_LEN];
157 char deckey[CHCR_AES_MAX_KEY_LEN];
158 };
159
160 struct ccr_session {
161 bool active;
162 int pending;
163 enum { HMAC, BLKCIPHER, AUTHENC, GCM } mode;
164 union {
165 struct ccr_session_hmac hmac;
166 struct ccr_session_gmac gmac;
167 };
168 struct ccr_session_blkcipher blkcipher;
169 };
170
171 struct ccr_softc {
172 struct adapter *adapter;
173 device_t dev;
174 uint32_t cid;
175 int tx_channel_id;
176 struct ccr_session *sessions;
177 int nsessions;
178 struct mtx lock;
179 bool detaching;
180 struct sge_wrq *txq;
181 struct sge_rxq *rxq;
182
183 /*
184 * Pre-allocate S/G lists used when preparing a work request.
185 * 'sg_crp' contains an sglist describing the entire buffer
186 * for a 'struct cryptop'. 'sg_ulptx' is used to describe
187 * the data the engine should DMA as input via ULPTX_SGL.
188 * 'sg_dsgl' is used to describe the destination that cipher
189 * text and a tag should be written to.
190 */
191 struct sglist *sg_crp;
192 struct sglist *sg_ulptx;
193 struct sglist *sg_dsgl;
194
195 /*
196 * Pre-allocate a dummy output buffer for the IV and AAD for
197 * AEAD requests.
198 */
199 char *iv_aad_buf;
200 struct sglist *sg_iv_aad;
201
202 /* Statistics. */
203 uint64_t stats_blkcipher_encrypt;
204 uint64_t stats_blkcipher_decrypt;
205 uint64_t stats_hmac;
206 uint64_t stats_authenc_encrypt;
207 uint64_t stats_authenc_decrypt;
208 uint64_t stats_gcm_encrypt;
209 uint64_t stats_gcm_decrypt;
210 uint64_t stats_wr_nomem;
211 uint64_t stats_inflight;
212 uint64_t stats_mac_error;
213 uint64_t stats_pad_error;
214 uint64_t stats_bad_session;
215 uint64_t stats_sglist_error;
216 uint64_t stats_process_error;
217 uint64_t stats_sw_fallback;
218 };
219
220 /*
221 * Crypto requests involve two kind of scatter/gather lists.
222 *
223 * Non-hash-only requests require a PHYS_DSGL that describes the
224 * location to store the results of the encryption or decryption
225 * operation. This SGL uses a different format (PHYS_DSGL) and should
226 * exclude the crd_skip bytes at the start of the data as well as
227 * any AAD or IV. For authenticated encryption requests it should
228 * cover include the destination of the hash or tag.
229 *
230 * The input payload may either be supplied inline as immediate data,
231 * or via a standard ULP_TX SGL. This SGL should include AAD,
232 * ciphertext, and the hash or tag for authenticated decryption
233 * requests.
234 *
235 * These scatter/gather lists can describe different subsets of the
236 * buffer described by the crypto operation. ccr_populate_sglist()
237 * generates a scatter/gather list that covers the entire crypto
238 * operation buffer that is then used to construct the other
239 * scatter/gather lists.
240 */
241 static int
ccr_populate_sglist(struct sglist * sg,struct cryptop * crp)242 ccr_populate_sglist(struct sglist *sg, struct cryptop *crp)
243 {
244 int error;
245
246 sglist_reset(sg);
247 if (crp->crp_flags & CRYPTO_F_IMBUF)
248 error = sglist_append_mbuf(sg, (struct mbuf *)crp->crp_buf);
249 else if (crp->crp_flags & CRYPTO_F_IOV)
250 error = sglist_append_uio(sg, (struct uio *)crp->crp_buf);
251 else
252 error = sglist_append(sg, crp->crp_buf, crp->crp_ilen);
253 return (error);
254 }
255
256 /*
257 * Segments in 'sg' larger than 'maxsegsize' are counted as multiple
258 * segments.
259 */
260 static int
ccr_count_sgl(struct sglist * sg,int maxsegsize)261 ccr_count_sgl(struct sglist *sg, int maxsegsize)
262 {
263 int i, nsegs;
264
265 nsegs = 0;
266 for (i = 0; i < sg->sg_nseg; i++)
267 nsegs += howmany(sg->sg_segs[i].ss_len, maxsegsize);
268 return (nsegs);
269 }
270
271 /* These functions deal with PHYS_DSGL for the reply buffer. */
272 static inline int
ccr_phys_dsgl_len(int nsegs)273 ccr_phys_dsgl_len(int nsegs)
274 {
275 int len;
276
277 len = (nsegs / 8) * sizeof(struct phys_sge_pairs);
278 if ((nsegs % 8) != 0) {
279 len += sizeof(uint16_t) * 8;
280 len += roundup2(nsegs % 8, 2) * sizeof(uint64_t);
281 }
282 return (len);
283 }
284
285 static void
ccr_write_phys_dsgl(struct ccr_softc * sc,void * dst,int nsegs)286 ccr_write_phys_dsgl(struct ccr_softc *sc, void *dst, int nsegs)
287 {
288 struct sglist *sg;
289 struct cpl_rx_phys_dsgl *cpl;
290 struct phys_sge_pairs *sgl;
291 vm_paddr_t paddr;
292 size_t seglen;
293 u_int i, j;
294
295 sg = sc->sg_dsgl;
296 cpl = dst;
297 cpl->op_to_tid = htobe32(V_CPL_RX_PHYS_DSGL_OPCODE(CPL_RX_PHYS_DSGL) |
298 V_CPL_RX_PHYS_DSGL_ISRDMA(0));
299 cpl->pcirlxorder_to_noofsgentr = htobe32(
300 V_CPL_RX_PHYS_DSGL_PCIRLXORDER(0) |
301 V_CPL_RX_PHYS_DSGL_PCINOSNOOP(0) |
302 V_CPL_RX_PHYS_DSGL_PCITPHNTENB(0) | V_CPL_RX_PHYS_DSGL_DCAID(0) |
303 V_CPL_RX_PHYS_DSGL_NOOFSGENTR(nsegs));
304 cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR;
305 cpl->rss_hdr_int.qid = htobe16(sc->rxq->iq.abs_id);
306 cpl->rss_hdr_int.hash_val = 0;
307 sgl = (struct phys_sge_pairs *)(cpl + 1);
308 j = 0;
309 for (i = 0; i < sg->sg_nseg; i++) {
310 seglen = sg->sg_segs[i].ss_len;
311 paddr = sg->sg_segs[i].ss_paddr;
312 do {
313 sgl->addr[j] = htobe64(paddr);
314 if (seglen > DSGL_SGE_MAXLEN) {
315 sgl->len[j] = htobe16(DSGL_SGE_MAXLEN);
316 paddr += DSGL_SGE_MAXLEN;
317 seglen -= DSGL_SGE_MAXLEN;
318 } else {
319 sgl->len[j] = htobe16(seglen);
320 seglen = 0;
321 }
322 j++;
323 if (j == 8) {
324 sgl++;
325 j = 0;
326 }
327 } while (seglen != 0);
328 }
329 MPASS(j + 8 * (sgl - (struct phys_sge_pairs *)(cpl + 1)) == nsegs);
330 }
331
332 /* These functions deal with the ULPTX_SGL for input payload. */
333 static inline int
ccr_ulptx_sgl_len(int nsegs)334 ccr_ulptx_sgl_len(int nsegs)
335 {
336 u_int n;
337
338 nsegs--; /* first segment is part of ulptx_sgl */
339 n = sizeof(struct ulptx_sgl) + 8 * ((3 * nsegs) / 2 + (nsegs & 1));
340 return (roundup2(n, 16));
341 }
342
343 static void
ccr_write_ulptx_sgl(struct ccr_softc * sc,void * dst,int nsegs)344 ccr_write_ulptx_sgl(struct ccr_softc *sc, void *dst, int nsegs)
345 {
346 struct ulptx_sgl *usgl;
347 struct sglist *sg;
348 struct sglist_seg *ss;
349 int i;
350
351 sg = sc->sg_ulptx;
352 MPASS(nsegs == sg->sg_nseg);
353 ss = &sg->sg_segs[0];
354 usgl = dst;
355 usgl->cmd_nsge = htobe32(V_ULPTX_CMD(ULP_TX_SC_DSGL) |
356 V_ULPTX_NSGE(nsegs));
357 usgl->len0 = htobe32(ss->ss_len);
358 usgl->addr0 = htobe64(ss->ss_paddr);
359 ss++;
360 for (i = 0; i < sg->sg_nseg - 1; i++) {
361 usgl->sge[i / 2].len[i & 1] = htobe32(ss->ss_len);
362 usgl->sge[i / 2].addr[i & 1] = htobe64(ss->ss_paddr);
363 ss++;
364 }
365
366 }
367
368 static bool
ccr_use_imm_data(u_int transhdr_len,u_int input_len)369 ccr_use_imm_data(u_int transhdr_len, u_int input_len)
370 {
371
372 if (input_len > CRYPTO_MAX_IMM_TX_PKT_LEN)
373 return (false);
374 if (roundup2(transhdr_len, 16) + roundup2(input_len, 16) >
375 SGE_MAX_WR_LEN)
376 return (false);
377 return (true);
378 }
379
380 static void
ccr_populate_wreq(struct ccr_softc * sc,struct chcr_wr * crwr,u_int kctx_len,u_int wr_len,uint32_t sid,u_int imm_len,u_int sgl_len,u_int hash_size,struct cryptop * crp)381 ccr_populate_wreq(struct ccr_softc *sc, struct chcr_wr *crwr, u_int kctx_len,
382 u_int wr_len, uint32_t sid, u_int imm_len, u_int sgl_len, u_int hash_size,
383 struct cryptop *crp)
384 {
385 u_int cctx_size;
386
387 cctx_size = sizeof(struct _key_ctx) + kctx_len;
388 crwr->wreq.op_to_cctx_size = htobe32(
389 V_FW_CRYPTO_LOOKASIDE_WR_OPCODE(FW_CRYPTO_LOOKASIDE_WR) |
390 V_FW_CRYPTO_LOOKASIDE_WR_COMPL(0) |
391 V_FW_CRYPTO_LOOKASIDE_WR_IMM_LEN(imm_len) |
392 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_LOC(1) |
393 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_SIZE(cctx_size >> 4));
394 crwr->wreq.len16_pkd = htobe32(
395 V_FW_CRYPTO_LOOKASIDE_WR_LEN16(wr_len / 16));
396 crwr->wreq.session_id = htobe32(sid);
397 crwr->wreq.rx_chid_to_rx_q_id = htobe32(
398 V_FW_CRYPTO_LOOKASIDE_WR_RX_CHID(sc->tx_channel_id) |
399 V_FW_CRYPTO_LOOKASIDE_WR_LCB(0) |
400 V_FW_CRYPTO_LOOKASIDE_WR_PHASH(0) |
401 V_FW_CRYPTO_LOOKASIDE_WR_IV(IV_NOP) |
402 V_FW_CRYPTO_LOOKASIDE_WR_FQIDX(0) |
403 V_FW_CRYPTO_LOOKASIDE_WR_TX_CH(0) |
404 V_FW_CRYPTO_LOOKASIDE_WR_RX_Q_ID(sc->rxq->iq.abs_id));
405 crwr->wreq.key_addr = 0;
406 crwr->wreq.pld_size_hash_size = htobe32(
407 V_FW_CRYPTO_LOOKASIDE_WR_PLD_SIZE(sgl_len) |
408 V_FW_CRYPTO_LOOKASIDE_WR_HASH_SIZE(hash_size));
409 crwr->wreq.cookie = htobe64((uintptr_t)crp);
410
411 crwr->ulptx.cmd_dest = htobe32(V_ULPTX_CMD(ULP_TX_PKT) |
412 V_ULP_TXPKT_DATAMODIFY(0) |
413 V_ULP_TXPKT_CHANNELID(sc->tx_channel_id) | V_ULP_TXPKT_DEST(0) |
414 V_ULP_TXPKT_FID(sc->rxq->iq.abs_id) | V_ULP_TXPKT_RO(1));
415 crwr->ulptx.len = htobe32(
416 ((wr_len - sizeof(struct fw_crypto_lookaside_wr)) / 16));
417
418 crwr->sc_imm.cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_IMM) |
419 V_ULP_TX_SC_MORE(imm_len != 0 ? 0 : 1));
420 crwr->sc_imm.len = htobe32(wr_len - offsetof(struct chcr_wr, sec_cpl) -
421 sgl_len);
422 }
423
424 static int
ccr_hmac(struct ccr_softc * sc,uint32_t sid,struct ccr_session * s,struct cryptop * crp)425 ccr_hmac(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s,
426 struct cryptop *crp)
427 {
428 struct chcr_wr *crwr;
429 struct wrqe *wr;
430 struct auth_hash *axf;
431 struct cryptodesc *crd;
432 char *dst;
433 u_int hash_size_in_response, kctx_flits, kctx_len, transhdr_len, wr_len;
434 u_int imm_len, iopad_size;
435 int error, sgl_nsegs, sgl_len;
436
437 crd = crp->crp_desc;
438
439 /* Reject requests with too large of an input buffer. */
440 if (crd->crd_len > MAX_REQUEST_SIZE)
441 return (EFBIG);
442
443 axf = s->hmac.auth_hash;
444
445 /* PADs must be 128-bit aligned. */
446 iopad_size = roundup2(s->hmac.partial_digest_len, 16);
447
448 /*
449 * The 'key' part of the context includes the aligned IPAD and
450 * OPAD.
451 */
452 kctx_len = iopad_size * 2;
453 hash_size_in_response = axf->hashsize;
454 transhdr_len = HASH_TRANSHDR_SIZE(kctx_len);
455
456 if (crd->crd_len == 0) {
457 imm_len = axf->blocksize;
458 sgl_nsegs = 0;
459 sgl_len = 0;
460 } else if (ccr_use_imm_data(transhdr_len, crd->crd_len)) {
461 imm_len = crd->crd_len;
462 sgl_nsegs = 0;
463 sgl_len = 0;
464 } else {
465 imm_len = 0;
466 sglist_reset(sc->sg_ulptx);
467 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
468 crd->crd_skip, crd->crd_len);
469 if (error)
470 return (error);
471 sgl_nsegs = sc->sg_ulptx->sg_nseg;
472 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
473 }
474
475 wr_len = roundup2(transhdr_len, 16) + roundup2(imm_len, 16) + sgl_len;
476 if (wr_len > SGE_MAX_WR_LEN)
477 return (EFBIG);
478 wr = alloc_wrqe(wr_len, sc->txq);
479 if (wr == NULL) {
480 sc->stats_wr_nomem++;
481 return (ENOMEM);
482 }
483 crwr = wrtod(wr);
484 memset(crwr, 0, wr_len);
485
486 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len,
487 hash_size_in_response, crp);
488
489 /* XXX: Hardcodes SGE loopback channel of 0. */
490 crwr->sec_cpl.op_ivinsrtofst = htobe32(
491 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
492 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) |
493 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
494 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
495 V_CPL_TX_SEC_PDU_IVINSRTOFST(0));
496
497 crwr->sec_cpl.pldlen = htobe32(crd->crd_len == 0 ? axf->blocksize :
498 crd->crd_len);
499
500 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
501 V_CPL_TX_SEC_PDU_AUTHSTART(1) | V_CPL_TX_SEC_PDU_AUTHSTOP(0));
502
503 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
504 crwr->sec_cpl.seqno_numivs = htobe32(
505 V_SCMD_SEQ_NO_CTRL(0) |
506 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) |
507 V_SCMD_CIPH_MODE(CHCR_SCMD_CIPHER_MODE_NOP) |
508 V_SCMD_AUTH_MODE(s->hmac.auth_mode) |
509 V_SCMD_HMAC_CTRL(CHCR_SCMD_HMAC_CTRL_NO_TRUNC));
510 crwr->sec_cpl.ivgen_hdrlen = htobe32(
511 V_SCMD_LAST_FRAG(0) |
512 V_SCMD_MORE_FRAGS(crd->crd_len == 0 ? 1 : 0) | V_SCMD_MAC_ONLY(1));
513
514 memcpy(crwr->key_ctx.key, s->hmac.ipad, s->hmac.partial_digest_len);
515 memcpy(crwr->key_ctx.key + iopad_size, s->hmac.opad,
516 s->hmac.partial_digest_len);
517
518 /* XXX: F_KEY_CONTEXT_SALT_PRESENT set, but 'salt' not set. */
519 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16;
520 crwr->key_ctx.ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) |
521 V_KEY_CONTEXT_OPAD_PRESENT(1) | V_KEY_CONTEXT_SALT_PRESENT(1) |
522 V_KEY_CONTEXT_CK_SIZE(CHCR_KEYCTX_NO_KEY) |
523 V_KEY_CONTEXT_MK_SIZE(s->hmac.mk_size) | V_KEY_CONTEXT_VALID(1));
524
525 dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES;
526 if (crd->crd_len == 0) {
527 dst[0] = 0x80;
528 *(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) =
529 htobe64(axf->blocksize << 3);
530 } else if (imm_len != 0)
531 crypto_copydata(crp->crp_flags, crp->crp_buf, crd->crd_skip,
532 crd->crd_len, dst);
533 else
534 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs);
535
536 /* XXX: TODO backpressure */
537 t4_wrq_tx(sc->adapter, wr);
538
539 return (0);
540 }
541
542 static int
ccr_hmac_done(struct ccr_softc * sc,struct ccr_session * s,struct cryptop * crp,const struct cpl_fw6_pld * cpl,int error)543 ccr_hmac_done(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp,
544 const struct cpl_fw6_pld *cpl, int error)
545 {
546 struct cryptodesc *crd;
547
548 crd = crp->crp_desc;
549 if (error == 0) {
550 crypto_copyback(crp->crp_flags, crp->crp_buf, crd->crd_inject,
551 s->hmac.hash_len, (c_caddr_t)(cpl + 1));
552 }
553
554 return (error);
555 }
556
557 static int
ccr_blkcipher(struct ccr_softc * sc,uint32_t sid,struct ccr_session * s,struct cryptop * crp)558 ccr_blkcipher(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s,
559 struct cryptop *crp)
560 {
561 char iv[CHCR_MAX_CRYPTO_IV_LEN];
562 struct chcr_wr *crwr;
563 struct wrqe *wr;
564 struct cryptodesc *crd;
565 char *dst;
566 u_int kctx_len, key_half, op_type, transhdr_len, wr_len;
567 u_int imm_len;
568 int dsgl_nsegs, dsgl_len;
569 int sgl_nsegs, sgl_len;
570 int error;
571
572 crd = crp->crp_desc;
573
574 if (s->blkcipher.key_len == 0 || crd->crd_len == 0)
575 return (EINVAL);
576 if (crd->crd_alg == CRYPTO_AES_CBC &&
577 (crd->crd_len % AES_BLOCK_LEN) != 0)
578 return (EINVAL);
579
580 /* Reject requests with too large of an input buffer. */
581 if (crd->crd_len > MAX_REQUEST_SIZE)
582 return (EFBIG);
583
584 if (crd->crd_flags & CRD_F_ENCRYPT)
585 op_type = CHCR_ENCRYPT_OP;
586 else
587 op_type = CHCR_DECRYPT_OP;
588
589 sglist_reset(sc->sg_dsgl);
590 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crd->crd_skip,
591 crd->crd_len);
592 if (error)
593 return (error);
594 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN);
595 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
596 return (EFBIG);
597 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
598
599 /* The 'key' must be 128-bit aligned. */
600 kctx_len = roundup2(s->blkcipher.key_len, 16);
601 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
602
603 if (ccr_use_imm_data(transhdr_len, crd->crd_len +
604 s->blkcipher.iv_len)) {
605 imm_len = crd->crd_len;
606 sgl_nsegs = 0;
607 sgl_len = 0;
608 } else {
609 imm_len = 0;
610 sglist_reset(sc->sg_ulptx);
611 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
612 crd->crd_skip, crd->crd_len);
613 if (error)
614 return (error);
615 sgl_nsegs = sc->sg_ulptx->sg_nseg;
616 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
617 }
618
619 wr_len = roundup2(transhdr_len, 16) + s->blkcipher.iv_len +
620 roundup2(imm_len, 16) + sgl_len;
621 if (wr_len > SGE_MAX_WR_LEN)
622 return (EFBIG);
623 wr = alloc_wrqe(wr_len, sc->txq);
624 if (wr == NULL) {
625 sc->stats_wr_nomem++;
626 return (ENOMEM);
627 }
628 crwr = wrtod(wr);
629 memset(crwr, 0, wr_len);
630
631 /*
632 * Read the existing IV from the request or generate a random
633 * one if none is provided. Optionally copy the generated IV
634 * into the output buffer if requested.
635 */
636 if (op_type == CHCR_ENCRYPT_OP) {
637 if (crd->crd_flags & CRD_F_IV_EXPLICIT)
638 memcpy(iv, crd->crd_iv, s->blkcipher.iv_len);
639 else
640 arc4rand(iv, s->blkcipher.iv_len, 0);
641 if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0)
642 crypto_copyback(crp->crp_flags, crp->crp_buf,
643 crd->crd_inject, s->blkcipher.iv_len, iv);
644 } else {
645 if (crd->crd_flags & CRD_F_IV_EXPLICIT)
646 memcpy(iv, crd->crd_iv, s->blkcipher.iv_len);
647 else
648 crypto_copydata(crp->crp_flags, crp->crp_buf,
649 crd->crd_inject, s->blkcipher.iv_len, iv);
650 }
651
652 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len, 0,
653 crp);
654
655 /* XXX: Hardcodes SGE loopback channel of 0. */
656 crwr->sec_cpl.op_ivinsrtofst = htobe32(
657 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
658 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) |
659 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
660 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
661 V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
662
663 crwr->sec_cpl.pldlen = htobe32(s->blkcipher.iv_len + crd->crd_len);
664
665 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
666 V_CPL_TX_SEC_PDU_CIPHERSTART(s->blkcipher.iv_len + 1) |
667 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
668 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
669 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0));
670
671 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
672 crwr->sec_cpl.seqno_numivs = htobe32(
673 V_SCMD_SEQ_NO_CTRL(0) |
674 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) |
675 V_SCMD_ENC_DEC_CTRL(op_type) |
676 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) |
677 V_SCMD_AUTH_MODE(CHCR_SCMD_AUTH_MODE_NOP) |
678 V_SCMD_HMAC_CTRL(CHCR_SCMD_HMAC_CTRL_NOP) |
679 V_SCMD_IV_SIZE(s->blkcipher.iv_len / 2) |
680 V_SCMD_NUM_IVS(0));
681 crwr->sec_cpl.ivgen_hdrlen = htobe32(
682 V_SCMD_IV_GEN_CTRL(0) |
683 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
684 V_SCMD_AADIVDROP(1) | V_SCMD_HDR_LEN(dsgl_len));
685
686 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
687 switch (crd->crd_alg) {
688 case CRYPTO_AES_CBC:
689 if (crd->crd_flags & CRD_F_ENCRYPT)
690 memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
691 s->blkcipher.key_len);
692 else
693 memcpy(crwr->key_ctx.key, s->blkcipher.deckey,
694 s->blkcipher.key_len);
695 break;
696 case CRYPTO_AES_ICM:
697 memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
698 s->blkcipher.key_len);
699 break;
700 case CRYPTO_AES_XTS:
701 key_half = s->blkcipher.key_len / 2;
702 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half,
703 key_half);
704 if (crd->crd_flags & CRD_F_ENCRYPT)
705 memcpy(crwr->key_ctx.key + key_half,
706 s->blkcipher.enckey, key_half);
707 else
708 memcpy(crwr->key_ctx.key + key_half,
709 s->blkcipher.deckey, key_half);
710 break;
711 }
712
713 dst = (char *)(crwr + 1) + kctx_len;
714 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs);
715 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
716 memcpy(dst, iv, s->blkcipher.iv_len);
717 dst += s->blkcipher.iv_len;
718 if (imm_len != 0)
719 crypto_copydata(crp->crp_flags, crp->crp_buf, crd->crd_skip,
720 crd->crd_len, dst);
721 else
722 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs);
723
724 /* XXX: TODO backpressure */
725 t4_wrq_tx(sc->adapter, wr);
726
727 return (0);
728 }
729
730 static int
ccr_blkcipher_done(struct ccr_softc * sc,struct ccr_session * s,struct cryptop * crp,const struct cpl_fw6_pld * cpl,int error)731 ccr_blkcipher_done(struct ccr_softc *sc, struct ccr_session *s,
732 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
733 {
734
735 /*
736 * The updated IV to permit chained requests is at
737 * cpl->data[2], but OCF doesn't permit chained requests.
738 */
739 return (error);
740 }
741
742 /*
743 * 'hashsize' is the length of a full digest. 'authsize' is the
744 * requested digest length for this operation which may be less
745 * than 'hashsize'.
746 */
747 static int
ccr_hmac_ctrl(unsigned int hashsize,unsigned int authsize)748 ccr_hmac_ctrl(unsigned int hashsize, unsigned int authsize)
749 {
750
751 if (authsize == 10)
752 return (CHCR_SCMD_HMAC_CTRL_TRUNC_RFC4366);
753 if (authsize == 12)
754 return (CHCR_SCMD_HMAC_CTRL_IPSEC_96BIT);
755 if (authsize == hashsize / 2)
756 return (CHCR_SCMD_HMAC_CTRL_DIV2);
757 return (CHCR_SCMD_HMAC_CTRL_NO_TRUNC);
758 }
759
760 static int
ccr_authenc(struct ccr_softc * sc,uint32_t sid,struct ccr_session * s,struct cryptop * crp,struct cryptodesc * crda,struct cryptodesc * crde)761 ccr_authenc(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s,
762 struct cryptop *crp, struct cryptodesc *crda, struct cryptodesc *crde)
763 {
764 char iv[CHCR_MAX_CRYPTO_IV_LEN];
765 struct chcr_wr *crwr;
766 struct wrqe *wr;
767 struct auth_hash *axf;
768 char *dst;
769 u_int kctx_len, key_half, op_type, transhdr_len, wr_len;
770 u_int hash_size_in_response, imm_len, iopad_size;
771 u_int aad_start, aad_len, aad_stop;
772 u_int auth_start, auth_stop, auth_insert;
773 u_int cipher_start, cipher_stop;
774 u_int hmac_ctrl, input_len;
775 int dsgl_nsegs, dsgl_len;
776 int sgl_nsegs, sgl_len;
777 int error;
778
779 /*
780 * If there is a need in the future, requests with an empty
781 * payload could be supported as HMAC-only requests.
782 */
783 if (s->blkcipher.key_len == 0 || crde->crd_len == 0)
784 return (EINVAL);
785 if (crde->crd_alg == CRYPTO_AES_CBC &&
786 (crde->crd_len % AES_BLOCK_LEN) != 0)
787 return (EINVAL);
788
789 /*
790 * Compute the length of the AAD (data covered by the
791 * authentication descriptor but not the encryption
792 * descriptor). To simplify the logic, AAD is only permitted
793 * before the cipher/plain text, not after. This is true of
794 * all currently-generated requests.
795 */
796 if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip)
797 return (EINVAL);
798 if (crda->crd_skip < crde->crd_skip) {
799 if (crda->crd_skip + crda->crd_len > crde->crd_skip)
800 aad_len = (crde->crd_skip - crda->crd_skip);
801 else
802 aad_len = crda->crd_len;
803 } else
804 aad_len = 0;
805 if (aad_len + s->blkcipher.iv_len > MAX_AAD_LEN)
806 return (EINVAL);
807
808 axf = s->hmac.auth_hash;
809 hash_size_in_response = s->hmac.hash_len;
810 if (crde->crd_flags & CRD_F_ENCRYPT)
811 op_type = CHCR_ENCRYPT_OP;
812 else
813 op_type = CHCR_DECRYPT_OP;
814
815 /*
816 * The output buffer consists of the cipher text followed by
817 * the hash when encrypting. For decryption it only contains
818 * the plain text.
819 *
820 * Due to a firmware bug, the output buffer must include a
821 * dummy output buffer for the IV and AAD prior to the real
822 * output buffer.
823 */
824 if (op_type == CHCR_ENCRYPT_OP) {
825 if (s->blkcipher.iv_len + aad_len + crde->crd_len +
826 hash_size_in_response > MAX_REQUEST_SIZE)
827 return (EFBIG);
828 } else {
829 if (s->blkcipher.iv_len + aad_len + crde->crd_len >
830 MAX_REQUEST_SIZE)
831 return (EFBIG);
832 }
833 sglist_reset(sc->sg_dsgl);
834 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0,
835 s->blkcipher.iv_len + aad_len);
836 if (error)
837 return (error);
838 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crde->crd_skip,
839 crde->crd_len);
840 if (error)
841 return (error);
842 if (op_type == CHCR_ENCRYPT_OP) {
843 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp,
844 crda->crd_inject, hash_size_in_response);
845 if (error)
846 return (error);
847 }
848 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN);
849 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
850 return (EFBIG);
851 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
852
853 /* PADs must be 128-bit aligned. */
854 iopad_size = roundup2(s->hmac.partial_digest_len, 16);
855
856 /*
857 * The 'key' part of the key context consists of the key followed
858 * by the IPAD and OPAD.
859 */
860 kctx_len = roundup2(s->blkcipher.key_len, 16) + iopad_size * 2;
861 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
862
863 /*
864 * The input buffer consists of the IV, any AAD, and then the
865 * cipher/plain text. For decryption requests the hash is
866 * appended after the cipher text.
867 *
868 * The IV is always stored at the start of the input buffer
869 * even though it may be duplicated in the payload. The
870 * crypto engine doesn't work properly if the IV offset points
871 * inside of the AAD region, so a second copy is always
872 * required.
873 */
874 input_len = aad_len + crde->crd_len;
875
876 /*
877 * The firmware hangs if sent a request which is a
878 * bit smaller than MAX_REQUEST_SIZE. In particular, the
879 * firmware appears to require 512 - 16 bytes of spare room
880 * along with the size of the hash even if the hash isn't
881 * included in the input buffer.
882 */
883 if (input_len + roundup2(axf->hashsize, 16) + (512 - 16) >
884 MAX_REQUEST_SIZE)
885 return (EFBIG);
886 if (op_type == CHCR_DECRYPT_OP)
887 input_len += hash_size_in_response;
888 if (ccr_use_imm_data(transhdr_len, s->blkcipher.iv_len + input_len)) {
889 imm_len = input_len;
890 sgl_nsegs = 0;
891 sgl_len = 0;
892 } else {
893 imm_len = 0;
894 sglist_reset(sc->sg_ulptx);
895 if (aad_len != 0) {
896 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
897 crda->crd_skip, aad_len);
898 if (error)
899 return (error);
900 }
901 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
902 crde->crd_skip, crde->crd_len);
903 if (error)
904 return (error);
905 if (op_type == CHCR_DECRYPT_OP) {
906 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
907 crda->crd_inject, hash_size_in_response);
908 if (error)
909 return (error);
910 }
911 sgl_nsegs = sc->sg_ulptx->sg_nseg;
912 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
913 }
914
915 /*
916 * Any auth-only data before the cipher region is marked as AAD.
917 * Auth-data that overlaps with the cipher region is placed in
918 * the auth section.
919 */
920 if (aad_len != 0) {
921 aad_start = s->blkcipher.iv_len + 1;
922 aad_stop = aad_start + aad_len - 1;
923 } else {
924 aad_start = 0;
925 aad_stop = 0;
926 }
927 cipher_start = s->blkcipher.iv_len + aad_len + 1;
928 if (op_type == CHCR_DECRYPT_OP)
929 cipher_stop = hash_size_in_response;
930 else
931 cipher_stop = 0;
932 if (aad_len == crda->crd_len) {
933 auth_start = 0;
934 auth_stop = 0;
935 } else {
936 if (aad_len != 0)
937 auth_start = cipher_start;
938 else
939 auth_start = s->blkcipher.iv_len + crda->crd_skip -
940 crde->crd_skip + 1;
941 auth_stop = (crde->crd_skip + crde->crd_len) -
942 (crda->crd_skip + crda->crd_len) + cipher_stop;
943 }
944 if (op_type == CHCR_DECRYPT_OP)
945 auth_insert = hash_size_in_response;
946 else
947 auth_insert = 0;
948
949 wr_len = roundup2(transhdr_len, 16) + s->blkcipher.iv_len +
950 roundup2(imm_len, 16) + sgl_len;
951 if (wr_len > SGE_MAX_WR_LEN)
952 return (EFBIG);
953 wr = alloc_wrqe(wr_len, sc->txq);
954 if (wr == NULL) {
955 sc->stats_wr_nomem++;
956 return (ENOMEM);
957 }
958 crwr = wrtod(wr);
959 memset(crwr, 0, wr_len);
960
961 /*
962 * Read the existing IV from the request or generate a random
963 * one if none is provided. Optionally copy the generated IV
964 * into the output buffer if requested.
965 */
966 if (op_type == CHCR_ENCRYPT_OP) {
967 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
968 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len);
969 else
970 arc4rand(iv, s->blkcipher.iv_len, 0);
971 if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0)
972 crypto_copyback(crp->crp_flags, crp->crp_buf,
973 crde->crd_inject, s->blkcipher.iv_len, iv);
974 } else {
975 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
976 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len);
977 else
978 crypto_copydata(crp->crp_flags, crp->crp_buf,
979 crde->crd_inject, s->blkcipher.iv_len, iv);
980 }
981
982 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len,
983 op_type == CHCR_DECRYPT_OP ? hash_size_in_response : 0, crp);
984
985 /* XXX: Hardcodes SGE loopback channel of 0. */
986 crwr->sec_cpl.op_ivinsrtofst = htobe32(
987 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
988 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) |
989 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
990 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
991 V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
992
993 crwr->sec_cpl.pldlen = htobe32(s->blkcipher.iv_len + input_len);
994
995 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
996 V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
997 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
998 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
999 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(cipher_stop >> 4));
1000 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
1001 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(cipher_stop & 0xf) |
1002 V_CPL_TX_SEC_PDU_AUTHSTART(auth_start) |
1003 V_CPL_TX_SEC_PDU_AUTHSTOP(auth_stop) |
1004 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
1005
1006 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
1007 hmac_ctrl = ccr_hmac_ctrl(axf->hashsize, hash_size_in_response);
1008 crwr->sec_cpl.seqno_numivs = htobe32(
1009 V_SCMD_SEQ_NO_CTRL(0) |
1010 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) |
1011 V_SCMD_ENC_DEC_CTRL(op_type) |
1012 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) |
1013 V_SCMD_CIPH_MODE(s->blkcipher.cipher_mode) |
1014 V_SCMD_AUTH_MODE(s->hmac.auth_mode) |
1015 V_SCMD_HMAC_CTRL(hmac_ctrl) |
1016 V_SCMD_IV_SIZE(s->blkcipher.iv_len / 2) |
1017 V_SCMD_NUM_IVS(0));
1018 crwr->sec_cpl.ivgen_hdrlen = htobe32(
1019 V_SCMD_IV_GEN_CTRL(0) |
1020 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
1021 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
1022
1023 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
1024 switch (crde->crd_alg) {
1025 case CRYPTO_AES_CBC:
1026 if (crde->crd_flags & CRD_F_ENCRYPT)
1027 memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
1028 s->blkcipher.key_len);
1029 else
1030 memcpy(crwr->key_ctx.key, s->blkcipher.deckey,
1031 s->blkcipher.key_len);
1032 break;
1033 case CRYPTO_AES_ICM:
1034 memcpy(crwr->key_ctx.key, s->blkcipher.enckey,
1035 s->blkcipher.key_len);
1036 break;
1037 case CRYPTO_AES_XTS:
1038 key_half = s->blkcipher.key_len / 2;
1039 memcpy(crwr->key_ctx.key, s->blkcipher.enckey + key_half,
1040 key_half);
1041 if (crde->crd_flags & CRD_F_ENCRYPT)
1042 memcpy(crwr->key_ctx.key + key_half,
1043 s->blkcipher.enckey, key_half);
1044 else
1045 memcpy(crwr->key_ctx.key + key_half,
1046 s->blkcipher.deckey, key_half);
1047 break;
1048 }
1049
1050 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16);
1051 memcpy(dst, s->hmac.ipad, s->hmac.partial_digest_len);
1052 memcpy(dst + iopad_size, s->hmac.opad, s->hmac.partial_digest_len);
1053
1054 dst = (char *)(crwr + 1) + kctx_len;
1055 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs);
1056 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
1057 memcpy(dst, iv, s->blkcipher.iv_len);
1058 dst += s->blkcipher.iv_len;
1059 if (imm_len != 0) {
1060 if (aad_len != 0) {
1061 crypto_copydata(crp->crp_flags, crp->crp_buf,
1062 crda->crd_skip, aad_len, dst);
1063 dst += aad_len;
1064 }
1065 crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip,
1066 crde->crd_len, dst);
1067 dst += crde->crd_len;
1068 if (op_type == CHCR_DECRYPT_OP)
1069 crypto_copydata(crp->crp_flags, crp->crp_buf,
1070 crda->crd_inject, hash_size_in_response, dst);
1071 } else
1072 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs);
1073
1074 /* XXX: TODO backpressure */
1075 t4_wrq_tx(sc->adapter, wr);
1076
1077 return (0);
1078 }
1079
1080 static int
ccr_authenc_done(struct ccr_softc * sc,struct ccr_session * s,struct cryptop * crp,const struct cpl_fw6_pld * cpl,int error)1081 ccr_authenc_done(struct ccr_softc *sc, struct ccr_session *s,
1082 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
1083 {
1084 struct cryptodesc *crd;
1085
1086 /*
1087 * The updated IV to permit chained requests is at
1088 * cpl->data[2], but OCF doesn't permit chained requests.
1089 *
1090 * For a decryption request, the hardware may do a verification
1091 * of the HMAC which will fail if the existing HMAC isn't in the
1092 * buffer. If that happens, clear the error and copy the HMAC
1093 * from the CPL reply into the buffer.
1094 *
1095 * For encryption requests, crd should be the cipher request
1096 * which will have CRD_F_ENCRYPT set. For decryption
1097 * requests, crp_desc will be the HMAC request which should
1098 * not have this flag set.
1099 */
1100 crd = crp->crp_desc;
1101 if (error == EBADMSG && !CHK_PAD_ERR_BIT(be64toh(cpl->data[0])) &&
1102 !(crd->crd_flags & CRD_F_ENCRYPT)) {
1103 crypto_copyback(crp->crp_flags, crp->crp_buf, crd->crd_inject,
1104 s->hmac.hash_len, (c_caddr_t)(cpl + 1));
1105 error = 0;
1106 }
1107 return (error);
1108 }
1109
1110 static int
ccr_gcm(struct ccr_softc * sc,uint32_t sid,struct ccr_session * s,struct cryptop * crp,struct cryptodesc * crda,struct cryptodesc * crde)1111 ccr_gcm(struct ccr_softc *sc, uint32_t sid, struct ccr_session *s,
1112 struct cryptop *crp, struct cryptodesc *crda, struct cryptodesc *crde)
1113 {
1114 char iv[CHCR_MAX_CRYPTO_IV_LEN];
1115 struct chcr_wr *crwr;
1116 struct wrqe *wr;
1117 char *dst;
1118 u_int iv_len, kctx_len, op_type, transhdr_len, wr_len;
1119 u_int hash_size_in_response, imm_len;
1120 u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert;
1121 u_int hmac_ctrl, input_len;
1122 int dsgl_nsegs, dsgl_len;
1123 int sgl_nsegs, sgl_len;
1124 int error;
1125
1126 if (s->blkcipher.key_len == 0)
1127 return (EINVAL);
1128
1129 /*
1130 * The crypto engine doesn't handle GCM requests with an empty
1131 * payload, so handle those in software instead.
1132 */
1133 if (crde->crd_len == 0)
1134 return (EMSGSIZE);
1135
1136 /*
1137 * AAD is only permitted before the cipher/plain text, not
1138 * after.
1139 */
1140 if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip)
1141 return (EMSGSIZE);
1142
1143 if (crda->crd_len + AES_BLOCK_LEN > MAX_AAD_LEN)
1144 return (EMSGSIZE);
1145
1146 hash_size_in_response = s->gmac.hash_len;
1147 if (crde->crd_flags & CRD_F_ENCRYPT)
1148 op_type = CHCR_ENCRYPT_OP;
1149 else
1150 op_type = CHCR_DECRYPT_OP;
1151
1152 /*
1153 * The IV handling for GCM in OCF is a bit more complicated in
1154 * that IPSec provides a full 16-byte IV (including the
1155 * counter), whereas the /dev/crypto interface sometimes
1156 * provides a full 16-byte IV (if no IV is provided in the
1157 * ioctl) and sometimes a 12-byte IV (if the IV was explicit).
1158 *
1159 * When provided a 12-byte IV, assume the IV is really 16 bytes
1160 * with a counter in the last 4 bytes initialized to 1.
1161 *
1162 * While iv_len is checked below, the value is currently
1163 * always set to 12 when creating a GCM session in this driver
1164 * due to limitations in OCF (there is no way to know what the
1165 * IV length of a given request will be). This means that the
1166 * driver always assumes as 12-byte IV for now.
1167 */
1168 if (s->blkcipher.iv_len == 12)
1169 iv_len = AES_BLOCK_LEN;
1170 else
1171 iv_len = s->blkcipher.iv_len;
1172
1173 /*
1174 * The output buffer consists of the cipher text followed by
1175 * the tag when encrypting. For decryption it only contains
1176 * the plain text.
1177 *
1178 * Due to a firmware bug, the output buffer must include a
1179 * dummy output buffer for the IV and AAD prior to the real
1180 * output buffer.
1181 */
1182 if (op_type == CHCR_ENCRYPT_OP) {
1183 if (iv_len + crda->crd_len + crde->crd_len +
1184 hash_size_in_response > MAX_REQUEST_SIZE)
1185 return (EFBIG);
1186 } else {
1187 if (iv_len + crda->crd_len + crde->crd_len > MAX_REQUEST_SIZE)
1188 return (EFBIG);
1189 }
1190 sglist_reset(sc->sg_dsgl);
1191 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_iv_aad, 0, iv_len +
1192 crda->crd_len);
1193 if (error)
1194 return (error);
1195 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp, crde->crd_skip,
1196 crde->crd_len);
1197 if (error)
1198 return (error);
1199 if (op_type == CHCR_ENCRYPT_OP) {
1200 error = sglist_append_sglist(sc->sg_dsgl, sc->sg_crp,
1201 crda->crd_inject, hash_size_in_response);
1202 if (error)
1203 return (error);
1204 }
1205 dsgl_nsegs = ccr_count_sgl(sc->sg_dsgl, DSGL_SGE_MAXLEN);
1206 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE)
1207 return (EFBIG);
1208 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs);
1209
1210 /*
1211 * The 'key' part of the key context consists of the key followed
1212 * by the Galois hash key.
1213 */
1214 kctx_len = roundup2(s->blkcipher.key_len, 16) + GMAC_BLOCK_LEN;
1215 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len);
1216
1217 /*
1218 * The input buffer consists of the IV, any AAD, and then the
1219 * cipher/plain text. For decryption requests the hash is
1220 * appended after the cipher text.
1221 *
1222 * The IV is always stored at the start of the input buffer
1223 * even though it may be duplicated in the payload. The
1224 * crypto engine doesn't work properly if the IV offset points
1225 * inside of the AAD region, so a second copy is always
1226 * required.
1227 */
1228 input_len = crda->crd_len + crde->crd_len;
1229 if (op_type == CHCR_DECRYPT_OP)
1230 input_len += hash_size_in_response;
1231 if (input_len > MAX_REQUEST_SIZE)
1232 return (EFBIG);
1233 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) {
1234 imm_len = input_len;
1235 sgl_nsegs = 0;
1236 sgl_len = 0;
1237 } else {
1238 imm_len = 0;
1239 sglist_reset(sc->sg_ulptx);
1240 if (crda->crd_len != 0) {
1241 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
1242 crda->crd_skip, crda->crd_len);
1243 if (error)
1244 return (error);
1245 }
1246 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
1247 crde->crd_skip, crde->crd_len);
1248 if (error)
1249 return (error);
1250 if (op_type == CHCR_DECRYPT_OP) {
1251 error = sglist_append_sglist(sc->sg_ulptx, sc->sg_crp,
1252 crda->crd_inject, hash_size_in_response);
1253 if (error)
1254 return (error);
1255 }
1256 sgl_nsegs = sc->sg_ulptx->sg_nseg;
1257 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs);
1258 }
1259
1260 if (crda->crd_len != 0) {
1261 aad_start = iv_len + 1;
1262 aad_stop = aad_start + crda->crd_len - 1;
1263 } else {
1264 aad_start = 0;
1265 aad_stop = 0;
1266 }
1267 cipher_start = iv_len + crda->crd_len + 1;
1268 if (op_type == CHCR_DECRYPT_OP)
1269 cipher_stop = hash_size_in_response;
1270 else
1271 cipher_stop = 0;
1272 if (op_type == CHCR_DECRYPT_OP)
1273 auth_insert = hash_size_in_response;
1274 else
1275 auth_insert = 0;
1276
1277 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) +
1278 sgl_len;
1279 if (wr_len > SGE_MAX_WR_LEN)
1280 return (EFBIG);
1281 wr = alloc_wrqe(wr_len, sc->txq);
1282 if (wr == NULL) {
1283 sc->stats_wr_nomem++;
1284 return (ENOMEM);
1285 }
1286 crwr = wrtod(wr);
1287 memset(crwr, 0, wr_len);
1288
1289 /*
1290 * Read the existing IV from the request or generate a random
1291 * one if none is provided. Optionally copy the generated IV
1292 * into the output buffer if requested.
1293 *
1294 * If the input IV is 12 bytes, append an explicit 4-byte
1295 * counter of 1.
1296 */
1297 if (op_type == CHCR_ENCRYPT_OP) {
1298 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
1299 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len);
1300 else
1301 arc4rand(iv, s->blkcipher.iv_len, 0);
1302 if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0)
1303 crypto_copyback(crp->crp_flags, crp->crp_buf,
1304 crde->crd_inject, s->blkcipher.iv_len, iv);
1305 } else {
1306 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
1307 memcpy(iv, crde->crd_iv, s->blkcipher.iv_len);
1308 else
1309 crypto_copydata(crp->crp_flags, crp->crp_buf,
1310 crde->crd_inject, s->blkcipher.iv_len, iv);
1311 }
1312 if (s->blkcipher.iv_len == 12)
1313 *(uint32_t *)&iv[12] = htobe32(1);
1314
1315 ccr_populate_wreq(sc, crwr, kctx_len, wr_len, sid, imm_len, sgl_len,
1316 0, crp);
1317
1318 /* XXX: Hardcodes SGE loopback channel of 0. */
1319 crwr->sec_cpl.op_ivinsrtofst = htobe32(
1320 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) |
1321 V_CPL_TX_SEC_PDU_RXCHID(sc->tx_channel_id) |
1322 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) |
1323 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) |
1324 V_CPL_TX_SEC_PDU_IVINSRTOFST(1));
1325
1326 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len);
1327
1328 /*
1329 * NB: cipherstop is explicitly set to 0. On encrypt it
1330 * should normally be set to 0 anyway (as the encrypt crd ends
1331 * at the end of the input). However, for decrypt the cipher
1332 * ends before the tag in the AUTHENC case (and authstop is
1333 * set to stop before the tag), but for GCM the cipher still
1334 * runs to the end of the buffer. Not sure if this is
1335 * intentional or a firmware quirk, but it is required for
1336 * working tag validation with GCM decryption.
1337 */
1338 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32(
1339 V_CPL_TX_SEC_PDU_AADSTART(aad_start) |
1340 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) |
1341 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) |
1342 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0));
1343 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32(
1344 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) |
1345 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) |
1346 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) |
1347 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert));
1348
1349 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */
1350 hmac_ctrl = ccr_hmac_ctrl(AES_GMAC_HASH_LEN, hash_size_in_response);
1351 crwr->sec_cpl.seqno_numivs = htobe32(
1352 V_SCMD_SEQ_NO_CTRL(0) |
1353 V_SCMD_PROTO_VERSION(CHCR_SCMD_PROTO_VERSION_GENERIC) |
1354 V_SCMD_ENC_DEC_CTRL(op_type) |
1355 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) |
1356 V_SCMD_CIPH_MODE(CHCR_SCMD_CIPHER_MODE_AES_GCM) |
1357 V_SCMD_AUTH_MODE(CHCR_SCMD_AUTH_MODE_GHASH) |
1358 V_SCMD_HMAC_CTRL(hmac_ctrl) |
1359 V_SCMD_IV_SIZE(iv_len / 2) |
1360 V_SCMD_NUM_IVS(0));
1361 crwr->sec_cpl.ivgen_hdrlen = htobe32(
1362 V_SCMD_IV_GEN_CTRL(0) |
1363 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) |
1364 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len));
1365
1366 crwr->key_ctx.ctx_hdr = s->blkcipher.key_ctx_hdr;
1367 memcpy(crwr->key_ctx.key, s->blkcipher.enckey, s->blkcipher.key_len);
1368 dst = crwr->key_ctx.key + roundup2(s->blkcipher.key_len, 16);
1369 memcpy(dst, s->gmac.ghash_h, GMAC_BLOCK_LEN);
1370
1371 dst = (char *)(crwr + 1) + kctx_len;
1372 ccr_write_phys_dsgl(sc, dst, dsgl_nsegs);
1373 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len;
1374 memcpy(dst, iv, iv_len);
1375 dst += iv_len;
1376 if (imm_len != 0) {
1377 if (crda->crd_len != 0) {
1378 crypto_copydata(crp->crp_flags, crp->crp_buf,
1379 crda->crd_skip, crda->crd_len, dst);
1380 dst += crda->crd_len;
1381 }
1382 crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip,
1383 crde->crd_len, dst);
1384 dst += crde->crd_len;
1385 if (op_type == CHCR_DECRYPT_OP)
1386 crypto_copydata(crp->crp_flags, crp->crp_buf,
1387 crda->crd_inject, hash_size_in_response, dst);
1388 } else
1389 ccr_write_ulptx_sgl(sc, dst, sgl_nsegs);
1390
1391 /* XXX: TODO backpressure */
1392 t4_wrq_tx(sc->adapter, wr);
1393
1394 return (0);
1395 }
1396
1397 static int
ccr_gcm_done(struct ccr_softc * sc,struct ccr_session * s,struct cryptop * crp,const struct cpl_fw6_pld * cpl,int error)1398 ccr_gcm_done(struct ccr_softc *sc, struct ccr_session *s,
1399 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error)
1400 {
1401
1402 /*
1403 * The updated IV to permit chained requests is at
1404 * cpl->data[2], but OCF doesn't permit chained requests.
1405 *
1406 * Note that the hardware should always verify the GMAC hash.
1407 */
1408 return (error);
1409 }
1410
1411 /*
1412 * Handle a GCM request that is not supported by the crypto engine by
1413 * performing the operation in software. Derived from swcr_authenc().
1414 */
1415 static void
ccr_gcm_soft(struct ccr_session * s,struct cryptop * crp,struct cryptodesc * crda,struct cryptodesc * crde)1416 ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp,
1417 struct cryptodesc *crda, struct cryptodesc *crde)
1418 {
1419 struct auth_hash *axf;
1420 struct enc_xform *exf;
1421 void *auth_ctx;
1422 uint8_t *kschedule;
1423 char block[GMAC_BLOCK_LEN];
1424 char digest[GMAC_DIGEST_LEN];
1425 char iv[AES_BLOCK_LEN];
1426 int error, i, len;
1427
1428 auth_ctx = NULL;
1429 kschedule = NULL;
1430
1431 /* Initialize the MAC. */
1432 switch (s->blkcipher.key_len) {
1433 case 16:
1434 axf = &auth_hash_nist_gmac_aes_128;
1435 break;
1436 case 24:
1437 axf = &auth_hash_nist_gmac_aes_192;
1438 break;
1439 case 32:
1440 axf = &auth_hash_nist_gmac_aes_256;
1441 break;
1442 default:
1443 error = EINVAL;
1444 goto out;
1445 }
1446 auth_ctx = malloc(axf->ctxsize, M_CCR, M_NOWAIT);
1447 if (auth_ctx == NULL) {
1448 error = ENOMEM;
1449 goto out;
1450 }
1451 axf->Init(auth_ctx);
1452 axf->Setkey(auth_ctx, s->blkcipher.enckey, s->blkcipher.key_len);
1453
1454 /* Initialize the cipher. */
1455 exf = &enc_xform_aes_nist_gcm;
1456 error = exf->setkey(&kschedule, s->blkcipher.enckey,
1457 s->blkcipher.key_len);
1458 if (error)
1459 goto out;
1460
1461 /*
1462 * This assumes a 12-byte IV from the crp. See longer comment
1463 * above in ccr_gcm() for more details.
1464 */
1465 if (crde->crd_flags & CRD_F_ENCRYPT) {
1466 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
1467 memcpy(iv, crde->crd_iv, 12);
1468 else
1469 arc4rand(iv, 12, 0);
1470 if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0)
1471 crypto_copyback(crp->crp_flags, crp->crp_buf,
1472 crde->crd_inject, 12, iv);
1473 } else {
1474 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
1475 memcpy(iv, crde->crd_iv, 12);
1476 else
1477 crypto_copydata(crp->crp_flags, crp->crp_buf,
1478 crde->crd_inject, 12, iv);
1479 }
1480 *(uint32_t *)&iv[12] = htobe32(1);
1481
1482 axf->Reinit(auth_ctx, iv, sizeof(iv));
1483
1484 /* MAC the AAD. */
1485 for (i = 0; i < crda->crd_len; i += sizeof(block)) {
1486 len = imin(crda->crd_len - i, sizeof(block));
1487 crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_skip +
1488 i, len, block);
1489 bzero(block + len, sizeof(block) - len);
1490 axf->Update(auth_ctx, block, sizeof(block));
1491 }
1492
1493 exf->reinit(kschedule, iv);
1494
1495 /* Do encryption with MAC */
1496 for (i = 0; i < crde->crd_len; i += sizeof(block)) {
1497 len = imin(crde->crd_len - i, sizeof(block));
1498 crypto_copydata(crp->crp_flags, crp->crp_buf, crde->crd_skip +
1499 i, len, block);
1500 bzero(block + len, sizeof(block) - len);
1501 if (crde->crd_flags & CRD_F_ENCRYPT) {
1502 exf->encrypt(kschedule, block);
1503 axf->Update(auth_ctx, block, len);
1504 crypto_copyback(crp->crp_flags, crp->crp_buf,
1505 crde->crd_skip + i, len, block);
1506 } else {
1507 axf->Update(auth_ctx, block, len);
1508 }
1509 }
1510
1511 /* Length block. */
1512 bzero(block, sizeof(block));
1513 ((uint32_t *)block)[1] = htobe32(crda->crd_len * 8);
1514 ((uint32_t *)block)[3] = htobe32(crde->crd_len * 8);
1515 axf->Update(auth_ctx, block, sizeof(block));
1516
1517 /* Finalize MAC. */
1518 axf->Final(digest, auth_ctx);
1519
1520 /* Inject or validate tag. */
1521 if (crde->crd_flags & CRD_F_ENCRYPT) {
1522 crypto_copyback(crp->crp_flags, crp->crp_buf, crda->crd_inject,
1523 sizeof(digest), digest);
1524 error = 0;
1525 } else {
1526 char digest2[GMAC_DIGEST_LEN];
1527
1528 crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_inject,
1529 sizeof(digest2), digest2);
1530 if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0) {
1531 error = 0;
1532
1533 /* Tag matches, decrypt data. */
1534 for (i = 0; i < crde->crd_len; i += sizeof(block)) {
1535 len = imin(crde->crd_len - i, sizeof(block));
1536 crypto_copydata(crp->crp_flags, crp->crp_buf,
1537 crde->crd_skip + i, len, block);
1538 bzero(block + len, sizeof(block) - len);
1539 exf->decrypt(kschedule, block);
1540 crypto_copyback(crp->crp_flags, crp->crp_buf,
1541 crde->crd_skip + i, len, block);
1542 }
1543 } else
1544 error = EBADMSG;
1545 }
1546
1547 exf->zerokey(&kschedule);
1548 out:
1549 if (auth_ctx != NULL) {
1550 memset(auth_ctx, 0, axf->ctxsize);
1551 free(auth_ctx, M_CCR);
1552 }
1553 crp->crp_etype = error;
1554 crypto_done(crp);
1555 }
1556
1557 static void
ccr_identify(driver_t * driver,device_t parent)1558 ccr_identify(driver_t *driver, device_t parent)
1559 {
1560 struct adapter *sc;
1561
1562 sc = device_get_softc(parent);
1563 if (sc->cryptocaps & FW_CAPS_CONFIG_CRYPTO_LOOKASIDE &&
1564 device_find_child(parent, "ccr", -1) == NULL)
1565 device_add_child(parent, "ccr", -1);
1566 }
1567
1568 static int
ccr_probe(device_t dev)1569 ccr_probe(device_t dev)
1570 {
1571
1572 device_set_desc(dev, "Chelsio Crypto Accelerator");
1573 return (BUS_PROBE_DEFAULT);
1574 }
1575
1576 static void
ccr_sysctls(struct ccr_softc * sc)1577 ccr_sysctls(struct ccr_softc *sc)
1578 {
1579 struct sysctl_ctx_list *ctx;
1580 struct sysctl_oid *oid;
1581 struct sysctl_oid_list *children;
1582
1583 ctx = device_get_sysctl_ctx(sc->dev);
1584
1585 /*
1586 * dev.ccr.X.
1587 */
1588 oid = device_get_sysctl_tree(sc->dev);
1589 children = SYSCTL_CHILDREN(oid);
1590
1591 /*
1592 * dev.ccr.X.stats.
1593 */
1594 oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "stats", CTLFLAG_RD,
1595 NULL, "statistics");
1596 children = SYSCTL_CHILDREN(oid);
1597
1598 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "hmac", CTLFLAG_RD,
1599 &sc->stats_hmac, 0, "HMAC requests submitted");
1600 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_encrypt", CTLFLAG_RD,
1601 &sc->stats_blkcipher_encrypt, 0,
1602 "Cipher encryption requests submitted");
1603 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "cipher_decrypt", CTLFLAG_RD,
1604 &sc->stats_blkcipher_decrypt, 0,
1605 "Cipher decryption requests submitted");
1606 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "authenc_encrypt", CTLFLAG_RD,
1607 &sc->stats_authenc_encrypt, 0,
1608 "Combined AES+HMAC encryption requests submitted");
1609 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "authenc_decrypt", CTLFLAG_RD,
1610 &sc->stats_authenc_decrypt, 0,
1611 "Combined AES+HMAC decryption requests submitted");
1612 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_encrypt", CTLFLAG_RD,
1613 &sc->stats_gcm_encrypt, 0, "AES-GCM encryption requests submitted");
1614 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "gcm_decrypt", CTLFLAG_RD,
1615 &sc->stats_gcm_decrypt, 0, "AES-GCM decryption requests submitted");
1616 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "wr_nomem", CTLFLAG_RD,
1617 &sc->stats_wr_nomem, 0, "Work request memory allocation failures");
1618 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "inflight", CTLFLAG_RD,
1619 &sc->stats_inflight, 0, "Requests currently pending");
1620 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "mac_error", CTLFLAG_RD,
1621 &sc->stats_mac_error, 0, "MAC errors");
1622 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "pad_error", CTLFLAG_RD,
1623 &sc->stats_pad_error, 0, "Padding errors");
1624 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "bad_session", CTLFLAG_RD,
1625 &sc->stats_bad_session, 0, "Requests with invalid session ID");
1626 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sglist_error", CTLFLAG_RD,
1627 &sc->stats_sglist_error, 0,
1628 "Requests for which DMA mapping failed");
1629 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "process_error", CTLFLAG_RD,
1630 &sc->stats_process_error, 0, "Requests failed during queueing");
1631 SYSCTL_ADD_U64(ctx, children, OID_AUTO, "sw_fallback", CTLFLAG_RD,
1632 &sc->stats_sw_fallback, 0,
1633 "Requests processed by falling back to software");
1634 }
1635
1636 static int
ccr_attach(device_t dev)1637 ccr_attach(device_t dev)
1638 {
1639 struct ccr_softc *sc;
1640 int32_t cid;
1641
1642 sc = device_get_softc(dev);
1643 sc->dev = dev;
1644 sc->adapter = device_get_softc(device_get_parent(dev));
1645 sc->txq = &sc->adapter->sge.ctrlq[0];
1646 sc->rxq = &sc->adapter->sge.rxq[0];
1647 cid = crypto_get_driverid(dev, CRYPTOCAP_F_HARDWARE);
1648 if (cid < 0) {
1649 device_printf(dev, "could not get crypto driver id\n");
1650 return (ENXIO);
1651 }
1652 sc->cid = cid;
1653 sc->adapter->ccr_softc = sc;
1654
1655 /* XXX: TODO? */
1656 sc->tx_channel_id = 0;
1657
1658 mtx_init(&sc->lock, "ccr", NULL, MTX_DEF);
1659 sc->sg_crp = sglist_alloc(TX_SGL_SEGS, M_WAITOK);
1660 sc->sg_ulptx = sglist_alloc(TX_SGL_SEGS, M_WAITOK);
1661 sc->sg_dsgl = sglist_alloc(MAX_RX_PHYS_DSGL_SGE, M_WAITOK);
1662 sc->iv_aad_buf = malloc(MAX_AAD_LEN, M_CCR, M_WAITOK);
1663 sc->sg_iv_aad = sglist_build(sc->iv_aad_buf, MAX_AAD_LEN, M_WAITOK);
1664 ccr_sysctls(sc);
1665
1666 crypto_register(cid, CRYPTO_SHA1_HMAC, 0, 0);
1667 crypto_register(cid, CRYPTO_SHA2_256_HMAC, 0, 0);
1668 crypto_register(cid, CRYPTO_SHA2_384_HMAC, 0, 0);
1669 crypto_register(cid, CRYPTO_SHA2_512_HMAC, 0, 0);
1670 crypto_register(cid, CRYPTO_AES_CBC, 0, 0);
1671 crypto_register(cid, CRYPTO_AES_ICM, 0, 0);
1672 crypto_register(cid, CRYPTO_AES_NIST_GCM_16, 0, 0);
1673 crypto_register(cid, CRYPTO_AES_128_NIST_GMAC, 0, 0);
1674 crypto_register(cid, CRYPTO_AES_192_NIST_GMAC, 0, 0);
1675 crypto_register(cid, CRYPTO_AES_256_NIST_GMAC, 0, 0);
1676 crypto_register(cid, CRYPTO_AES_XTS, 0, 0);
1677 return (0);
1678 }
1679
1680 static int
ccr_detach(device_t dev)1681 ccr_detach(device_t dev)
1682 {
1683 struct ccr_softc *sc;
1684 int i;
1685
1686 sc = device_get_softc(dev);
1687
1688 mtx_lock(&sc->lock);
1689 for (i = 0; i < sc->nsessions; i++) {
1690 if (sc->sessions[i].active || sc->sessions[i].pending != 0) {
1691 mtx_unlock(&sc->lock);
1692 return (EBUSY);
1693 }
1694 }
1695 sc->detaching = true;
1696 mtx_unlock(&sc->lock);
1697
1698 crypto_unregister_all(sc->cid);
1699 free(sc->sessions, M_CCR);
1700 mtx_destroy(&sc->lock);
1701 sglist_free(sc->sg_iv_aad);
1702 free(sc->iv_aad_buf, M_CCR);
1703 sglist_free(sc->sg_dsgl);
1704 sglist_free(sc->sg_ulptx);
1705 sglist_free(sc->sg_crp);
1706 sc->adapter->ccr_softc = NULL;
1707 return (0);
1708 }
1709
1710 static void
ccr_copy_partial_hash(void * dst,int cri_alg,union authctx * auth_ctx)1711 ccr_copy_partial_hash(void *dst, int cri_alg, union authctx *auth_ctx)
1712 {
1713 uint32_t *u32;
1714 uint64_t *u64;
1715 u_int i;
1716
1717 u32 = (uint32_t *)dst;
1718 u64 = (uint64_t *)dst;
1719 switch (cri_alg) {
1720 case CRYPTO_SHA1_HMAC:
1721 for (i = 0; i < SHA1_HASH_LEN / 4; i++)
1722 u32[i] = htobe32(auth_ctx->sha1ctx.h.b32[i]);
1723 break;
1724 case CRYPTO_SHA2_256_HMAC:
1725 for (i = 0; i < SHA2_256_HASH_LEN / 4; i++)
1726 u32[i] = htobe32(auth_ctx->sha256ctx.state[i]);
1727 break;
1728 case CRYPTO_SHA2_384_HMAC:
1729 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
1730 u64[i] = htobe64(auth_ctx->sha384ctx.state[i]);
1731 break;
1732 case CRYPTO_SHA2_512_HMAC:
1733 for (i = 0; i < SHA2_512_HASH_LEN / 8; i++)
1734 u64[i] = htobe64(auth_ctx->sha512ctx.state[i]);
1735 break;
1736 }
1737 }
1738
1739 static void
ccr_init_hmac_digest(struct ccr_session * s,int cri_alg,char * key,int klen)1740 ccr_init_hmac_digest(struct ccr_session *s, int cri_alg, char *key,
1741 int klen)
1742 {
1743 union authctx auth_ctx;
1744 struct auth_hash *axf;
1745 u_int i;
1746
1747 /*
1748 * If the key is larger than the block size, use the digest of
1749 * the key as the key instead.
1750 */
1751 axf = s->hmac.auth_hash;
1752 klen /= 8;
1753 if (klen > axf->blocksize) {
1754 axf->Init(&auth_ctx);
1755 axf->Update(&auth_ctx, key, klen);
1756 axf->Final(s->hmac.ipad, &auth_ctx);
1757 klen = axf->hashsize;
1758 } else
1759 memcpy(s->hmac.ipad, key, klen);
1760
1761 memset(s->hmac.ipad + klen, 0, axf->blocksize - klen);
1762 memcpy(s->hmac.opad, s->hmac.ipad, axf->blocksize);
1763
1764 for (i = 0; i < axf->blocksize; i++) {
1765 s->hmac.ipad[i] ^= HMAC_IPAD_VAL;
1766 s->hmac.opad[i] ^= HMAC_OPAD_VAL;
1767 }
1768
1769 /*
1770 * Hash the raw ipad and opad and store the partial result in
1771 * the same buffer.
1772 */
1773 axf->Init(&auth_ctx);
1774 axf->Update(&auth_ctx, s->hmac.ipad, axf->blocksize);
1775 ccr_copy_partial_hash(s->hmac.ipad, cri_alg, &auth_ctx);
1776
1777 axf->Init(&auth_ctx);
1778 axf->Update(&auth_ctx, s->hmac.opad, axf->blocksize);
1779 ccr_copy_partial_hash(s->hmac.opad, cri_alg, &auth_ctx);
1780 }
1781
1782 /*
1783 * Borrowed from AES_GMAC_Setkey().
1784 */
1785 static void
ccr_init_gmac_hash(struct ccr_session * s,char * key,int klen)1786 ccr_init_gmac_hash(struct ccr_session *s, char *key, int klen)
1787 {
1788 static char zeroes[GMAC_BLOCK_LEN];
1789 uint32_t keysched[4 * (RIJNDAEL_MAXNR + 1)];
1790 int rounds;
1791
1792 rounds = rijndaelKeySetupEnc(keysched, key, klen);
1793 rijndaelEncrypt(keysched, rounds, zeroes, s->gmac.ghash_h);
1794 }
1795
1796 static int
ccr_aes_check_keylen(int alg,int klen)1797 ccr_aes_check_keylen(int alg, int klen)
1798 {
1799
1800 switch (klen) {
1801 case 128:
1802 case 192:
1803 if (alg == CRYPTO_AES_XTS)
1804 return (EINVAL);
1805 break;
1806 case 256:
1807 break;
1808 case 512:
1809 if (alg != CRYPTO_AES_XTS)
1810 return (EINVAL);
1811 break;
1812 default:
1813 return (EINVAL);
1814 }
1815 return (0);
1816 }
1817
1818 static void
ccr_aes_setkey(struct ccr_session * s,int alg,const void * key,int klen)1819 ccr_aes_setkey(struct ccr_session *s, int alg, const void *key, int klen)
1820 {
1821 unsigned int ck_size, iopad_size, kctx_flits, kctx_len, kbits, mk_size;
1822 unsigned int opad_present;
1823
1824 if (alg == CRYPTO_AES_XTS)
1825 kbits = klen / 2;
1826 else
1827 kbits = klen;
1828 switch (kbits) {
1829 case 128:
1830 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128;
1831 break;
1832 case 192:
1833 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192;
1834 break;
1835 case 256:
1836 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256;
1837 break;
1838 default:
1839 panic("should not get here");
1840 }
1841
1842 s->blkcipher.key_len = klen / 8;
1843 memcpy(s->blkcipher.enckey, key, s->blkcipher.key_len);
1844 switch (alg) {
1845 case CRYPTO_AES_CBC:
1846 case CRYPTO_AES_XTS:
1847 t4_aes_getdeckey(s->blkcipher.deckey, key, kbits);
1848 break;
1849 }
1850
1851 kctx_len = roundup2(s->blkcipher.key_len, 16);
1852 switch (s->mode) {
1853 case AUTHENC:
1854 mk_size = s->hmac.mk_size;
1855 opad_present = 1;
1856 iopad_size = roundup2(s->hmac.partial_digest_len, 16);
1857 kctx_len += iopad_size * 2;
1858 break;
1859 case GCM:
1860 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128;
1861 opad_present = 0;
1862 kctx_len += GMAC_BLOCK_LEN;
1863 break;
1864 default:
1865 mk_size = CHCR_KEYCTX_NO_KEY;
1866 opad_present = 0;
1867 break;
1868 }
1869 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16;
1870 s->blkcipher.key_ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) |
1871 V_KEY_CONTEXT_DUAL_CK(alg == CRYPTO_AES_XTS) |
1872 V_KEY_CONTEXT_OPAD_PRESENT(opad_present) |
1873 V_KEY_CONTEXT_SALT_PRESENT(1) | V_KEY_CONTEXT_CK_SIZE(ck_size) |
1874 V_KEY_CONTEXT_MK_SIZE(mk_size) | V_KEY_CONTEXT_VALID(1));
1875 }
1876
1877 static int
ccr_newsession(device_t dev,uint32_t * sidp,struct cryptoini * cri)1878 ccr_newsession(device_t dev, uint32_t *sidp, struct cryptoini *cri)
1879 {
1880 struct ccr_softc *sc;
1881 struct ccr_session *s;
1882 struct auth_hash *auth_hash;
1883 struct cryptoini *c, *hash, *cipher;
1884 unsigned int auth_mode, cipher_mode, iv_len, mk_size;
1885 unsigned int partial_digest_len;
1886 int error, i, sess;
1887 bool gcm_hash;
1888
1889 if (sidp == NULL || cri == NULL)
1890 return (EINVAL);
1891
1892 gcm_hash = false;
1893 cipher = NULL;
1894 hash = NULL;
1895 auth_hash = NULL;
1896 auth_mode = CHCR_SCMD_AUTH_MODE_NOP;
1897 cipher_mode = CHCR_SCMD_CIPHER_MODE_NOP;
1898 iv_len = 0;
1899 mk_size = 0;
1900 partial_digest_len = 0;
1901 for (c = cri; c != NULL; c = c->cri_next) {
1902 switch (c->cri_alg) {
1903 case CRYPTO_SHA1_HMAC:
1904 case CRYPTO_SHA2_256_HMAC:
1905 case CRYPTO_SHA2_384_HMAC:
1906 case CRYPTO_SHA2_512_HMAC:
1907 case CRYPTO_AES_128_NIST_GMAC:
1908 case CRYPTO_AES_192_NIST_GMAC:
1909 case CRYPTO_AES_256_NIST_GMAC:
1910 if (hash)
1911 return (EINVAL);
1912 hash = c;
1913 switch (c->cri_alg) {
1914 case CRYPTO_SHA1_HMAC:
1915 auth_hash = &auth_hash_hmac_sha1;
1916 auth_mode = CHCR_SCMD_AUTH_MODE_SHA1;
1917 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_160;
1918 partial_digest_len = SHA1_HASH_LEN;
1919 break;
1920 case CRYPTO_SHA2_256_HMAC:
1921 auth_hash = &auth_hash_hmac_sha2_256;
1922 auth_mode = CHCR_SCMD_AUTH_MODE_SHA256;
1923 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256;
1924 partial_digest_len = SHA2_256_HASH_LEN;
1925 break;
1926 case CRYPTO_SHA2_384_HMAC:
1927 auth_hash = &auth_hash_hmac_sha2_384;
1928 auth_mode = CHCR_SCMD_AUTH_MODE_SHA512_384;
1929 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512;
1930 partial_digest_len = SHA2_512_HASH_LEN;
1931 break;
1932 case CRYPTO_SHA2_512_HMAC:
1933 auth_hash = &auth_hash_hmac_sha2_512;
1934 auth_mode = CHCR_SCMD_AUTH_MODE_SHA512_512;
1935 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512;
1936 partial_digest_len = SHA2_512_HASH_LEN;
1937 break;
1938 case CRYPTO_AES_128_NIST_GMAC:
1939 case CRYPTO_AES_192_NIST_GMAC:
1940 case CRYPTO_AES_256_NIST_GMAC:
1941 gcm_hash = true;
1942 auth_mode = CHCR_SCMD_AUTH_MODE_GHASH;
1943 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128;
1944 break;
1945 }
1946 break;
1947 case CRYPTO_AES_CBC:
1948 case CRYPTO_AES_ICM:
1949 case CRYPTO_AES_NIST_GCM_16:
1950 case CRYPTO_AES_XTS:
1951 if (cipher)
1952 return (EINVAL);
1953 cipher = c;
1954 switch (c->cri_alg) {
1955 case CRYPTO_AES_CBC:
1956 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_CBC;
1957 iv_len = AES_BLOCK_LEN;
1958 break;
1959 case CRYPTO_AES_ICM:
1960 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_CTR;
1961 iv_len = AES_BLOCK_LEN;
1962 break;
1963 case CRYPTO_AES_NIST_GCM_16:
1964 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_GCM;
1965 iv_len = AES_GCM_IV_LEN;
1966 break;
1967 case CRYPTO_AES_XTS:
1968 cipher_mode = CHCR_SCMD_CIPHER_MODE_AES_XTS;
1969 iv_len = AES_BLOCK_LEN;
1970 break;
1971 }
1972 if (c->cri_key != NULL) {
1973 error = ccr_aes_check_keylen(c->cri_alg,
1974 c->cri_klen);
1975 if (error)
1976 return (error);
1977 }
1978 break;
1979 default:
1980 return (EINVAL);
1981 }
1982 }
1983 if (gcm_hash != (cipher_mode == CHCR_SCMD_CIPHER_MODE_AES_GCM))
1984 return (EINVAL);
1985 if (hash == NULL && cipher == NULL)
1986 return (EINVAL);
1987 if (hash != NULL && hash->cri_key == NULL)
1988 return (EINVAL);
1989
1990 sc = device_get_softc(dev);
1991
1992 /*
1993 * XXX: Don't create a session if the queues aren't
1994 * initialized. This is racy as the rxq can be destroyed by
1995 * the associated VI detaching. Eventually ccr should use
1996 * dedicated queues.
1997 */
1998 if (sc->rxq->iq.adapter == NULL || sc->txq->adapter == NULL)
1999 return (ENXIO);
2000
2001 mtx_lock(&sc->lock);
2002 if (sc->detaching) {
2003 mtx_unlock(&sc->lock);
2004 return (ENXIO);
2005 }
2006 sess = -1;
2007 for (i = 0; i < sc->nsessions; i++) {
2008 if (!sc->sessions[i].active && sc->sessions[i].pending == 0) {
2009 sess = i;
2010 break;
2011 }
2012 }
2013 if (sess == -1) {
2014 s = malloc(sizeof(*s) * (sc->nsessions + 1), M_CCR,
2015 M_NOWAIT | M_ZERO);
2016 if (s == NULL) {
2017 mtx_unlock(&sc->lock);
2018 return (ENOMEM);
2019 }
2020 if (sc->sessions != NULL)
2021 memcpy(s, sc->sessions, sizeof(*s) * sc->nsessions);
2022 sess = sc->nsessions;
2023 free(sc->sessions, M_CCR);
2024 sc->sessions = s;
2025 sc->nsessions++;
2026 }
2027
2028 s = &sc->sessions[sess];
2029
2030 if (gcm_hash)
2031 s->mode = GCM;
2032 else if (hash != NULL && cipher != NULL)
2033 s->mode = AUTHENC;
2034 else if (hash != NULL)
2035 s->mode = HMAC;
2036 else {
2037 MPASS(cipher != NULL);
2038 s->mode = BLKCIPHER;
2039 }
2040 if (gcm_hash) {
2041 if (hash->cri_mlen == 0)
2042 s->gmac.hash_len = AES_GMAC_HASH_LEN;
2043 else
2044 s->gmac.hash_len = hash->cri_mlen;
2045 ccr_init_gmac_hash(s, hash->cri_key, hash->cri_klen);
2046 } else if (hash != NULL) {
2047 s->hmac.auth_hash = auth_hash;
2048 s->hmac.auth_mode = auth_mode;
2049 s->hmac.mk_size = mk_size;
2050 s->hmac.partial_digest_len = partial_digest_len;
2051 if (hash->cri_mlen == 0)
2052 s->hmac.hash_len = auth_hash->hashsize;
2053 else
2054 s->hmac.hash_len = hash->cri_mlen;
2055 ccr_init_hmac_digest(s, hash->cri_alg, hash->cri_key,
2056 hash->cri_klen);
2057 }
2058 if (cipher != NULL) {
2059 s->blkcipher.cipher_mode = cipher_mode;
2060 s->blkcipher.iv_len = iv_len;
2061 if (cipher->cri_key != NULL)
2062 ccr_aes_setkey(s, cipher->cri_alg, cipher->cri_key,
2063 cipher->cri_klen);
2064 }
2065
2066 s->active = true;
2067 mtx_unlock(&sc->lock);
2068
2069 *sidp = sess;
2070 return (0);
2071 }
2072
2073 static int
ccr_freesession(device_t dev,uint64_t tid)2074 ccr_freesession(device_t dev, uint64_t tid)
2075 {
2076 struct ccr_softc *sc;
2077 uint32_t sid;
2078 int error;
2079
2080 sc = device_get_softc(dev);
2081 sid = CRYPTO_SESID2LID(tid);
2082 mtx_lock(&sc->lock);
2083 if (sid >= sc->nsessions || !sc->sessions[sid].active)
2084 error = EINVAL;
2085 else {
2086 if (sc->sessions[sid].pending != 0)
2087 device_printf(dev,
2088 "session %d freed with %d pending requests\n", sid,
2089 sc->sessions[sid].pending);
2090 sc->sessions[sid].active = false;
2091 error = 0;
2092 }
2093 mtx_unlock(&sc->lock);
2094 return (error);
2095 }
2096
2097 static int
ccr_process(device_t dev,struct cryptop * crp,int hint)2098 ccr_process(device_t dev, struct cryptop *crp, int hint)
2099 {
2100 struct ccr_softc *sc;
2101 struct ccr_session *s;
2102 struct cryptodesc *crd, *crda, *crde;
2103 uint32_t sid;
2104 int error;
2105
2106 if (crp == NULL)
2107 return (EINVAL);
2108
2109 crd = crp->crp_desc;
2110 sid = CRYPTO_SESID2LID(crp->crp_sid);
2111 sc = device_get_softc(dev);
2112 mtx_lock(&sc->lock);
2113 if (sid >= sc->nsessions || !sc->sessions[sid].active) {
2114 sc->stats_bad_session++;
2115 error = EINVAL;
2116 goto out;
2117 }
2118
2119 error = ccr_populate_sglist(sc->sg_crp, crp);
2120 if (error) {
2121 sc->stats_sglist_error++;
2122 goto out;
2123 }
2124
2125 s = &sc->sessions[sid];
2126 switch (s->mode) {
2127 case HMAC:
2128 if (crd->crd_flags & CRD_F_KEY_EXPLICIT)
2129 ccr_init_hmac_digest(s, crd->crd_alg, crd->crd_key,
2130 crd->crd_klen);
2131 error = ccr_hmac(sc, sid, s, crp);
2132 if (error == 0)
2133 sc->stats_hmac++;
2134 break;
2135 case BLKCIPHER:
2136 if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
2137 error = ccr_aes_check_keylen(crd->crd_alg,
2138 crd->crd_klen);
2139 if (error)
2140 break;
2141 ccr_aes_setkey(s, crd->crd_alg, crd->crd_key,
2142 crd->crd_klen);
2143 }
2144 error = ccr_blkcipher(sc, sid, s, crp);
2145 if (error == 0) {
2146 if (crd->crd_flags & CRD_F_ENCRYPT)
2147 sc->stats_blkcipher_encrypt++;
2148 else
2149 sc->stats_blkcipher_decrypt++;
2150 }
2151 break;
2152 case AUTHENC:
2153 error = 0;
2154 switch (crd->crd_alg) {
2155 case CRYPTO_AES_CBC:
2156 case CRYPTO_AES_ICM:
2157 case CRYPTO_AES_XTS:
2158 /* Only encrypt-then-authenticate supported. */
2159 crde = crd;
2160 crda = crd->crd_next;
2161 if (!(crde->crd_flags & CRD_F_ENCRYPT)) {
2162 error = EINVAL;
2163 break;
2164 }
2165 break;
2166 default:
2167 crda = crd;
2168 crde = crd->crd_next;
2169 if (crde->crd_flags & CRD_F_ENCRYPT) {
2170 error = EINVAL;
2171 break;
2172 }
2173 break;
2174 }
2175 if (error)
2176 break;
2177 if (crda->crd_flags & CRD_F_KEY_EXPLICIT)
2178 ccr_init_hmac_digest(s, crda->crd_alg, crda->crd_key,
2179 crda->crd_klen);
2180 if (crde->crd_flags & CRD_F_KEY_EXPLICIT) {
2181 error = ccr_aes_check_keylen(crde->crd_alg,
2182 crde->crd_klen);
2183 if (error)
2184 break;
2185 ccr_aes_setkey(s, crde->crd_alg, crde->crd_key,
2186 crde->crd_klen);
2187 }
2188 error = ccr_authenc(sc, sid, s, crp, crda, crde);
2189 if (error == 0) {
2190 if (crde->crd_flags & CRD_F_ENCRYPT)
2191 sc->stats_authenc_encrypt++;
2192 else
2193 sc->stats_authenc_decrypt++;
2194 }
2195 break;
2196 case GCM:
2197 error = 0;
2198 if (crd->crd_alg == CRYPTO_AES_NIST_GCM_16) {
2199 crde = crd;
2200 crda = crd->crd_next;
2201 } else {
2202 crda = crd;
2203 crde = crd->crd_next;
2204 }
2205 if (crda->crd_flags & CRD_F_KEY_EXPLICIT)
2206 ccr_init_gmac_hash(s, crda->crd_key, crda->crd_klen);
2207 if (crde->crd_flags & CRD_F_KEY_EXPLICIT) {
2208 error = ccr_aes_check_keylen(crde->crd_alg,
2209 crde->crd_klen);
2210 if (error)
2211 break;
2212 ccr_aes_setkey(s, crde->crd_alg, crde->crd_key,
2213 crde->crd_klen);
2214 }
2215 if (crde->crd_len == 0) {
2216 mtx_unlock(&sc->lock);
2217 ccr_gcm_soft(s, crp, crda, crde);
2218 return (0);
2219 }
2220 error = ccr_gcm(sc, sid, s, crp, crda, crde);
2221 if (error == EMSGSIZE) {
2222 sc->stats_sw_fallback++;
2223 mtx_unlock(&sc->lock);
2224 ccr_gcm_soft(s, crp, crda, crde);
2225 return (0);
2226 }
2227 if (error == 0) {
2228 if (crde->crd_flags & CRD_F_ENCRYPT)
2229 sc->stats_gcm_encrypt++;
2230 else
2231 sc->stats_gcm_decrypt++;
2232 }
2233 break;
2234 }
2235
2236 if (error == 0) {
2237 s->pending++;
2238 sc->stats_inflight++;
2239 } else
2240 sc->stats_process_error++;
2241
2242 out:
2243 mtx_unlock(&sc->lock);
2244
2245 if (error) {
2246 crp->crp_etype = error;
2247 crypto_done(crp);
2248 }
2249
2250 return (0);
2251 }
2252
2253 static int
do_cpl6_fw_pld(struct sge_iq * iq,const struct rss_header * rss,struct mbuf * m)2254 do_cpl6_fw_pld(struct sge_iq *iq, const struct rss_header *rss,
2255 struct mbuf *m)
2256 {
2257 struct ccr_softc *sc = iq->adapter->ccr_softc;
2258 struct ccr_session *s;
2259 const struct cpl_fw6_pld *cpl;
2260 struct cryptop *crp;
2261 uint32_t sid, status;
2262 int error;
2263
2264 if (m != NULL)
2265 cpl = mtod(m, const void *);
2266 else
2267 cpl = (const void *)(rss + 1);
2268
2269 crp = (struct cryptop *)(uintptr_t)be64toh(cpl->data[1]);
2270 sid = CRYPTO_SESID2LID(crp->crp_sid);
2271 status = be64toh(cpl->data[0]);
2272 if (CHK_MAC_ERR_BIT(status) || CHK_PAD_ERR_BIT(status))
2273 error = EBADMSG;
2274 else
2275 error = 0;
2276
2277 mtx_lock(&sc->lock);
2278 MPASS(sid < sc->nsessions);
2279 s = &sc->sessions[sid];
2280 s->pending--;
2281 sc->stats_inflight--;
2282
2283 switch (s->mode) {
2284 case HMAC:
2285 error = ccr_hmac_done(sc, s, crp, cpl, error);
2286 break;
2287 case BLKCIPHER:
2288 error = ccr_blkcipher_done(sc, s, crp, cpl, error);
2289 break;
2290 case AUTHENC:
2291 error = ccr_authenc_done(sc, s, crp, cpl, error);
2292 break;
2293 case GCM:
2294 error = ccr_gcm_done(sc, s, crp, cpl, error);
2295 break;
2296 }
2297
2298 if (error == EBADMSG) {
2299 if (CHK_MAC_ERR_BIT(status))
2300 sc->stats_mac_error++;
2301 if (CHK_PAD_ERR_BIT(status))
2302 sc->stats_pad_error++;
2303 }
2304 mtx_unlock(&sc->lock);
2305 crp->crp_etype = error;
2306 crypto_done(crp);
2307 m_freem(m);
2308 return (0);
2309 }
2310
2311 static int
ccr_modevent(module_t mod,int cmd,void * arg)2312 ccr_modevent(module_t mod, int cmd, void *arg)
2313 {
2314
2315 switch (cmd) {
2316 case MOD_LOAD:
2317 t4_register_cpl_handler(CPL_FW6_PLD, do_cpl6_fw_pld);
2318 return (0);
2319 case MOD_UNLOAD:
2320 t4_register_cpl_handler(CPL_FW6_PLD, NULL);
2321 return (0);
2322 default:
2323 return (EOPNOTSUPP);
2324 }
2325 }
2326
2327 static device_method_t ccr_methods[] = {
2328 DEVMETHOD(device_identify, ccr_identify),
2329 DEVMETHOD(device_probe, ccr_probe),
2330 DEVMETHOD(device_attach, ccr_attach),
2331 DEVMETHOD(device_detach, ccr_detach),
2332
2333 DEVMETHOD(cryptodev_newsession, ccr_newsession),
2334 DEVMETHOD(cryptodev_freesession, ccr_freesession),
2335 DEVMETHOD(cryptodev_process, ccr_process),
2336
2337 DEVMETHOD_END
2338 };
2339
2340 static driver_t ccr_driver = {
2341 "ccr",
2342 ccr_methods,
2343 sizeof(struct ccr_softc)
2344 };
2345
2346 static devclass_t ccr_devclass;
2347
2348 DRIVER_MODULE(ccr, t6nex, ccr_driver, ccr_devclass, ccr_modevent, NULL);
2349 MODULE_VERSION(ccr, 1);
2350 MODULE_DEPEND(ccr, crypto, 1, 1, 1);
2351 MODULE_DEPEND(ccr, t6nex, 1, 1, 1);
2352