1 // SPDX-License-Identifier: GPL-2.0-only
3 * AMD Cryptographic Coprocessor (CCP) driver
5 * Copyright (C) 2013-2019 Advanced Micro Devices, Inc.
7 * Author: Tom Lendacky <thomas.lendacky@amd.com>
8 * Author: Gary R Hook <gary.hook@amd.com>
11 #include <linux/module.h>
12 #include <linux/kernel.h>
13 #include <linux/pci.h>
14 #include <linux/interrupt.h>
15 #include <crypto/scatterwalk.h>
16 #include <crypto/des.h>
17 #include <linux/ccp.h>
21 /* SHA initial context values */
22 static const __be32 ccp_sha1_init[SHA1_DIGEST_SIZE / sizeof(__be32)] = {
23 cpu_to_be32(SHA1_H0), cpu_to_be32(SHA1_H1),
24 cpu_to_be32(SHA1_H2), cpu_to_be32(SHA1_H3),
28 static const __be32 ccp_sha224_init[SHA256_DIGEST_SIZE / sizeof(__be32)] = {
29 cpu_to_be32(SHA224_H0), cpu_to_be32(SHA224_H1),
30 cpu_to_be32(SHA224_H2), cpu_to_be32(SHA224_H3),
31 cpu_to_be32(SHA224_H4), cpu_to_be32(SHA224_H5),
32 cpu_to_be32(SHA224_H6), cpu_to_be32(SHA224_H7),
35 static const __be32 ccp_sha256_init[SHA256_DIGEST_SIZE / sizeof(__be32)] = {
36 cpu_to_be32(SHA256_H0), cpu_to_be32(SHA256_H1),
37 cpu_to_be32(SHA256_H2), cpu_to_be32(SHA256_H3),
38 cpu_to_be32(SHA256_H4), cpu_to_be32(SHA256_H5),
39 cpu_to_be32(SHA256_H6), cpu_to_be32(SHA256_H7),
42 static const __be64 ccp_sha384_init[SHA512_DIGEST_SIZE / sizeof(__be64)] = {
43 cpu_to_be64(SHA384_H0), cpu_to_be64(SHA384_H1),
44 cpu_to_be64(SHA384_H2), cpu_to_be64(SHA384_H3),
45 cpu_to_be64(SHA384_H4), cpu_to_be64(SHA384_H5),
46 cpu_to_be64(SHA384_H6), cpu_to_be64(SHA384_H7),
49 static const __be64 ccp_sha512_init[SHA512_DIGEST_SIZE / sizeof(__be64)] = {
50 cpu_to_be64(SHA512_H0), cpu_to_be64(SHA512_H1),
51 cpu_to_be64(SHA512_H2), cpu_to_be64(SHA512_H3),
52 cpu_to_be64(SHA512_H4), cpu_to_be64(SHA512_H5),
53 cpu_to_be64(SHA512_H6), cpu_to_be64(SHA512_H7),
56 #define CCP_NEW_JOBID(ccp) ((ccp->vdata->version == CCP_VERSION(3, 0)) ? \
57 ccp_gen_jobid(ccp) : 0)
59 static u32 ccp_gen_jobid(struct ccp_device *ccp)
61 return atomic_inc_return(&ccp->current_id) & CCP_JOBID_MASK;
64 static void ccp_sg_free(struct ccp_sg_workarea *wa)
67 dma_unmap_sg(wa->dma_dev, wa->dma_sg, wa->nents, wa->dma_dir);
72 static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev,
73 struct scatterlist *sg, u64 len,
74 enum dma_data_direction dma_dir)
76 memset(wa, 0, sizeof(*wa));
82 wa->nents = sg_nents_for_len(sg, len);
92 if (dma_dir == DMA_NONE)
97 wa->dma_dir = dma_dir;
98 wa->dma_count = dma_map_sg(dev, sg, wa->nents, dma_dir);
105 static void ccp_update_sg_workarea(struct ccp_sg_workarea *wa, unsigned int len)
107 unsigned int nbytes = min_t(u64, len, wa->bytes_left);
112 wa->sg_used += nbytes;
113 wa->bytes_left -= nbytes;
114 if (wa->sg_used == wa->sg->length) {
115 wa->sg = sg_next(wa->sg);
120 static void ccp_dm_free(struct ccp_dm_workarea *wa)
122 if (wa->length <= CCP_DMAPOOL_MAX_SIZE) {
124 dma_pool_free(wa->dma_pool, wa->address,
128 dma_unmap_single(wa->dev, wa->dma.address, wa->length,
137 static int ccp_init_dm_workarea(struct ccp_dm_workarea *wa,
138 struct ccp_cmd_queue *cmd_q,
140 enum dma_data_direction dir)
142 memset(wa, 0, sizeof(*wa));
147 wa->dev = cmd_q->ccp->dev;
150 if (len <= CCP_DMAPOOL_MAX_SIZE) {
151 wa->dma_pool = cmd_q->dma_pool;
153 wa->address = dma_pool_alloc(wa->dma_pool, GFP_KERNEL,
158 wa->dma.length = CCP_DMAPOOL_MAX_SIZE;
160 memset(wa->address, 0, CCP_DMAPOOL_MAX_SIZE);
162 wa->address = kzalloc(len, GFP_KERNEL);
166 wa->dma.address = dma_map_single(wa->dev, wa->address, len,
168 if (dma_mapping_error(wa->dev, wa->dma.address))
171 wa->dma.length = len;
178 static int ccp_set_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
179 struct scatterlist *sg, unsigned int sg_offset,
182 WARN_ON(!wa->address);
184 if (len > (wa->length - wa_offset))
187 scatterwalk_map_and_copy(wa->address + wa_offset, sg, sg_offset, len,
192 static void ccp_get_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
193 struct scatterlist *sg, unsigned int sg_offset,
196 WARN_ON(!wa->address);
198 scatterwalk_map_and_copy(wa->address + wa_offset, sg, sg_offset, len,
202 static int ccp_reverse_set_dm_area(struct ccp_dm_workarea *wa,
203 unsigned int wa_offset,
204 struct scatterlist *sg,
205 unsigned int sg_offset,
211 rc = ccp_set_dm_area(wa, wa_offset, sg, sg_offset, len);
215 p = wa->address + wa_offset;
227 static void ccp_reverse_get_dm_area(struct ccp_dm_workarea *wa,
228 unsigned int wa_offset,
229 struct scatterlist *sg,
230 unsigned int sg_offset,
235 p = wa->address + wa_offset;
245 ccp_get_dm_area(wa, wa_offset, sg, sg_offset, len);
248 static void ccp_free_data(struct ccp_data *data, struct ccp_cmd_queue *cmd_q)
250 ccp_dm_free(&data->dm_wa);
251 ccp_sg_free(&data->sg_wa);
254 static int ccp_init_data(struct ccp_data *data, struct ccp_cmd_queue *cmd_q,
255 struct scatterlist *sg, u64 sg_len,
257 enum dma_data_direction dir)
261 memset(data, 0, sizeof(*data));
263 ret = ccp_init_sg_workarea(&data->sg_wa, cmd_q->ccp->dev, sg, sg_len,
268 ret = ccp_init_dm_workarea(&data->dm_wa, cmd_q, dm_len, dir);
275 ccp_free_data(data, cmd_q);
280 static unsigned int ccp_queue_buf(struct ccp_data *data, unsigned int from)
282 struct ccp_sg_workarea *sg_wa = &data->sg_wa;
283 struct ccp_dm_workarea *dm_wa = &data->dm_wa;
284 unsigned int buf_count, nbytes;
286 /* Clear the buffer if setting it */
288 memset(dm_wa->address, 0, dm_wa->length);
293 /* Perform the copy operation
294 * nbytes will always be <= UINT_MAX because dm_wa->length is
297 nbytes = min_t(u64, sg_wa->bytes_left, dm_wa->length);
298 scatterwalk_map_and_copy(dm_wa->address, sg_wa->sg, sg_wa->sg_used,
301 /* Update the structures and generate the count */
303 while (sg_wa->bytes_left && (buf_count < dm_wa->length)) {
304 nbytes = min(sg_wa->sg->length - sg_wa->sg_used,
305 dm_wa->length - buf_count);
306 nbytes = min_t(u64, sg_wa->bytes_left, nbytes);
309 ccp_update_sg_workarea(sg_wa, nbytes);
315 static unsigned int ccp_fill_queue_buf(struct ccp_data *data)
317 return ccp_queue_buf(data, 0);
320 static unsigned int ccp_empty_queue_buf(struct ccp_data *data)
322 return ccp_queue_buf(data, 1);
325 static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst,
326 struct ccp_op *op, unsigned int block_size,
329 unsigned int sg_src_len, sg_dst_len, op_len;
331 /* The CCP can only DMA from/to one address each per operation. This
332 * requires that we find the smallest DMA area between the source
333 * and destination. The resulting len values will always be <= UINT_MAX
334 * because the dma length is an unsigned int.
336 sg_src_len = sg_dma_len(src->sg_wa.sg) - src->sg_wa.sg_used;
337 sg_src_len = min_t(u64, src->sg_wa.bytes_left, sg_src_len);
340 sg_dst_len = sg_dma_len(dst->sg_wa.sg) - dst->sg_wa.sg_used;
341 sg_dst_len = min_t(u64, src->sg_wa.bytes_left, sg_dst_len);
342 op_len = min(sg_src_len, sg_dst_len);
347 /* The data operation length will be at least block_size in length
348 * or the smaller of available sg room remaining for the source or
351 op_len = max(op_len, block_size);
353 /* Unless we have to buffer data, there's no reason to wait */
356 if (sg_src_len < block_size) {
357 /* Not enough data in the sg element, so it
358 * needs to be buffered into a blocksize chunk
360 int cp_len = ccp_fill_queue_buf(src);
363 op->src.u.dma.address = src->dm_wa.dma.address;
364 op->src.u.dma.offset = 0;
365 op->src.u.dma.length = (blocksize_op) ? block_size : cp_len;
367 /* Enough data in the sg element, but we need to
368 * adjust for any previously copied data
370 op->src.u.dma.address = sg_dma_address(src->sg_wa.sg);
371 op->src.u.dma.offset = src->sg_wa.sg_used;
372 op->src.u.dma.length = op_len & ~(block_size - 1);
374 ccp_update_sg_workarea(&src->sg_wa, op->src.u.dma.length);
378 if (sg_dst_len < block_size) {
379 /* Not enough room in the sg element or we're on the
380 * last piece of data (when using padding), so the
381 * output needs to be buffered into a blocksize chunk
384 op->dst.u.dma.address = dst->dm_wa.dma.address;
385 op->dst.u.dma.offset = 0;
386 op->dst.u.dma.length = op->src.u.dma.length;
388 /* Enough room in the sg element, but we need to
389 * adjust for any previously used area
391 op->dst.u.dma.address = sg_dma_address(dst->sg_wa.sg);
392 op->dst.u.dma.offset = dst->sg_wa.sg_used;
393 op->dst.u.dma.length = op->src.u.dma.length;
398 static void ccp_process_data(struct ccp_data *src, struct ccp_data *dst,
404 if (op->dst.u.dma.address == dst->dm_wa.dma.address)
405 ccp_empty_queue_buf(dst);
407 ccp_update_sg_workarea(&dst->sg_wa,
408 op->dst.u.dma.length);
412 static int ccp_copy_to_from_sb(struct ccp_cmd_queue *cmd_q,
413 struct ccp_dm_workarea *wa, u32 jobid, u32 sb,
414 u32 byte_swap, bool from)
418 memset(&op, 0, sizeof(op));
426 op.src.type = CCP_MEMTYPE_SB;
428 op.dst.type = CCP_MEMTYPE_SYSTEM;
429 op.dst.u.dma.address = wa->dma.address;
430 op.dst.u.dma.length = wa->length;
432 op.src.type = CCP_MEMTYPE_SYSTEM;
433 op.src.u.dma.address = wa->dma.address;
434 op.src.u.dma.length = wa->length;
435 op.dst.type = CCP_MEMTYPE_SB;
439 op.u.passthru.byte_swap = byte_swap;
441 return cmd_q->ccp->vdata->perform->passthru(&op);
444 static int ccp_copy_to_sb(struct ccp_cmd_queue *cmd_q,
445 struct ccp_dm_workarea *wa, u32 jobid, u32 sb,
448 return ccp_copy_to_from_sb(cmd_q, wa, jobid, sb, byte_swap, false);
451 static int ccp_copy_from_sb(struct ccp_cmd_queue *cmd_q,
452 struct ccp_dm_workarea *wa, u32 jobid, u32 sb,
455 return ccp_copy_to_from_sb(cmd_q, wa, jobid, sb, byte_swap, true);
458 static int ccp_run_aes_cmac_cmd(struct ccp_cmd_queue *cmd_q,
461 struct ccp_aes_engine *aes = &cmd->u.aes;
462 struct ccp_dm_workarea key, ctx;
465 unsigned int dm_offset;
468 if (!((aes->key_len == AES_KEYSIZE_128) ||
469 (aes->key_len == AES_KEYSIZE_192) ||
470 (aes->key_len == AES_KEYSIZE_256)))
473 if (aes->src_len & (AES_BLOCK_SIZE - 1))
476 if (aes->iv_len != AES_BLOCK_SIZE)
479 if (!aes->key || !aes->iv || !aes->src)
482 if (aes->cmac_final) {
483 if (aes->cmac_key_len != AES_BLOCK_SIZE)
490 BUILD_BUG_ON(CCP_AES_KEY_SB_COUNT != 1);
491 BUILD_BUG_ON(CCP_AES_CTX_SB_COUNT != 1);
494 memset(&op, 0, sizeof(op));
496 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
497 op.sb_key = cmd_q->sb_key;
498 op.sb_ctx = cmd_q->sb_ctx;
500 op.u.aes.type = aes->type;
501 op.u.aes.mode = aes->mode;
502 op.u.aes.action = aes->action;
504 /* All supported key sizes fit in a single (32-byte) SB entry
505 * and must be in little endian format. Use the 256-bit byte
506 * swap passthru option to convert from big endian to little
509 ret = ccp_init_dm_workarea(&key, cmd_q,
510 CCP_AES_KEY_SB_COUNT * CCP_SB_BYTES,
515 dm_offset = CCP_SB_BYTES - aes->key_len;
516 ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
519 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
520 CCP_PASSTHRU_BYTESWAP_256BIT);
522 cmd->engine_error = cmd_q->cmd_error;
526 /* The AES context fits in a single (32-byte) SB entry and
527 * must be in little endian format. Use the 256-bit byte swap
528 * passthru option to convert from big endian to little endian.
530 ret = ccp_init_dm_workarea(&ctx, cmd_q,
531 CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES,
536 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
537 ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
540 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
541 CCP_PASSTHRU_BYTESWAP_256BIT);
543 cmd->engine_error = cmd_q->cmd_error;
547 /* Send data to the CCP AES engine */
548 ret = ccp_init_data(&src, cmd_q, aes->src, aes->src_len,
549 AES_BLOCK_SIZE, DMA_TO_DEVICE);
553 while (src.sg_wa.bytes_left) {
554 ccp_prepare_data(&src, NULL, &op, AES_BLOCK_SIZE, true);
555 if (aes->cmac_final && !src.sg_wa.bytes_left) {
558 /* Push the K1/K2 key to the CCP now */
559 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid,
561 CCP_PASSTHRU_BYTESWAP_256BIT);
563 cmd->engine_error = cmd_q->cmd_error;
567 ret = ccp_set_dm_area(&ctx, 0, aes->cmac_key, 0,
571 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
572 CCP_PASSTHRU_BYTESWAP_256BIT);
574 cmd->engine_error = cmd_q->cmd_error;
579 ret = cmd_q->ccp->vdata->perform->aes(&op);
581 cmd->engine_error = cmd_q->cmd_error;
585 ccp_process_data(&src, NULL, &op);
588 /* Retrieve the AES context - convert from LE to BE using
589 * 32-byte (256-bit) byteswapping
591 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
592 CCP_PASSTHRU_BYTESWAP_256BIT);
594 cmd->engine_error = cmd_q->cmd_error;
598 /* ...but we only need AES_BLOCK_SIZE bytes */
599 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
600 ccp_get_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
603 ccp_free_data(&src, cmd_q);
614 static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
617 struct ccp_aes_engine *aes = &cmd->u.aes;
618 struct ccp_dm_workarea key, ctx, final_wa, tag;
619 struct ccp_data src, dst;
623 unsigned long long *final;
624 unsigned int dm_offset;
626 bool in_place = true; /* Default value */
629 struct scatterlist *p_inp, sg_inp[2];
630 struct scatterlist *p_tag, sg_tag[2];
631 struct scatterlist *p_outp, sg_outp[2];
632 struct scatterlist *p_aad;
637 if (!((aes->key_len == AES_KEYSIZE_128) ||
638 (aes->key_len == AES_KEYSIZE_192) ||
639 (aes->key_len == AES_KEYSIZE_256)))
642 if (!aes->key) /* Gotta have a key SGL */
645 /* First, decompose the source buffer into AAD & PT,
646 * and the destination buffer into AAD, CT & tag, or
647 * the input into CT & tag.
648 * It is expected that the input and output SGs will
649 * be valid, even if the AAD and input lengths are 0.
652 p_inp = scatterwalk_ffwd(sg_inp, aes->src, aes->aad_len);
653 p_outp = scatterwalk_ffwd(sg_outp, aes->dst, aes->aad_len);
654 if (aes->action == CCP_AES_ACTION_ENCRYPT) {
656 p_tag = scatterwalk_ffwd(sg_tag, p_outp, ilen);
658 /* Input length for decryption includes tag */
659 ilen = aes->src_len - AES_BLOCK_SIZE;
660 p_tag = scatterwalk_ffwd(sg_tag, p_inp, ilen);
663 memset(&op, 0, sizeof(op));
665 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
666 op.sb_key = cmd_q->sb_key; /* Pre-allocated */
667 op.sb_ctx = cmd_q->sb_ctx; /* Pre-allocated */
669 op.u.aes.type = aes->type;
671 /* Copy the key to the LSB */
672 ret = ccp_init_dm_workarea(&key, cmd_q,
673 CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES,
678 dm_offset = CCP_SB_BYTES - aes->key_len;
679 ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
682 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
683 CCP_PASSTHRU_BYTESWAP_256BIT);
685 cmd->engine_error = cmd_q->cmd_error;
689 /* Copy the context (IV) to the LSB.
690 * There is an assumption here that the IV is 96 bits in length, plus
691 * a nonce of 32 bits. If no IV is present, use a zeroed buffer.
693 ret = ccp_init_dm_workarea(&ctx, cmd_q,
694 CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES,
699 dm_offset = CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES - aes->iv_len;
700 ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
704 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
705 CCP_PASSTHRU_BYTESWAP_256BIT);
707 cmd->engine_error = cmd_q->cmd_error;
712 if (aes->aad_len > 0) {
713 /* Step 1: Run a GHASH over the Additional Authenticated Data */
714 ret = ccp_init_data(&aad, cmd_q, p_aad, aes->aad_len,
720 op.u.aes.mode = CCP_AES_MODE_GHASH;
721 op.u.aes.action = CCP_AES_GHASHAAD;
723 while (aad.sg_wa.bytes_left) {
724 ccp_prepare_data(&aad, NULL, &op, AES_BLOCK_SIZE, true);
726 ret = cmd_q->ccp->vdata->perform->aes(&op);
728 cmd->engine_error = cmd_q->cmd_error;
732 ccp_process_data(&aad, NULL, &op);
737 op.u.aes.mode = CCP_AES_MODE_GCTR;
738 op.u.aes.action = aes->action;
741 /* Step 2: Run a GCTR over the plaintext */
742 in_place = (sg_virt(p_inp) == sg_virt(p_outp)) ? true : false;
744 ret = ccp_init_data(&src, cmd_q, p_inp, ilen,
746 in_place ? DMA_BIDIRECTIONAL
754 ret = ccp_init_data(&dst, cmd_q, p_outp, ilen,
755 AES_BLOCK_SIZE, DMA_FROM_DEVICE);
763 while (src.sg_wa.bytes_left) {
764 ccp_prepare_data(&src, &dst, &op, AES_BLOCK_SIZE, true);
765 if (!src.sg_wa.bytes_left) {
766 unsigned int nbytes = aes->src_len
771 op.u.aes.size = (nbytes * 8) - 1;
775 ret = cmd_q->ccp->vdata->perform->aes(&op);
777 cmd->engine_error = cmd_q->cmd_error;
781 ccp_process_data(&src, &dst, &op);
786 /* Step 3: Update the IV portion of the context with the original IV */
787 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
788 CCP_PASSTHRU_BYTESWAP_256BIT);
790 cmd->engine_error = cmd_q->cmd_error;
794 ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
798 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
799 CCP_PASSTHRU_BYTESWAP_256BIT);
801 cmd->engine_error = cmd_q->cmd_error;
805 /* Step 4: Concatenate the lengths of the AAD and source, and
806 * hash that 16 byte buffer.
808 ret = ccp_init_dm_workarea(&final_wa, cmd_q, AES_BLOCK_SIZE,
812 final = (unsigned long long *) final_wa.address;
813 final[0] = cpu_to_be64(aes->aad_len * 8);
814 final[1] = cpu_to_be64(ilen * 8);
816 op.u.aes.mode = CCP_AES_MODE_GHASH;
817 op.u.aes.action = CCP_AES_GHASHFINAL;
818 op.src.type = CCP_MEMTYPE_SYSTEM;
819 op.src.u.dma.address = final_wa.dma.address;
820 op.src.u.dma.length = AES_BLOCK_SIZE;
821 op.dst.type = CCP_MEMTYPE_SYSTEM;
822 op.dst.u.dma.address = final_wa.dma.address;
823 op.dst.u.dma.length = AES_BLOCK_SIZE;
826 ret = cmd_q->ccp->vdata->perform->aes(&op);
830 if (aes->action == CCP_AES_ACTION_ENCRYPT) {
831 /* Put the ciphered tag after the ciphertext. */
832 ccp_get_dm_area(&final_wa, 0, p_tag, 0, AES_BLOCK_SIZE);
834 /* Does this ciphered tag match the input? */
835 ret = ccp_init_dm_workarea(&tag, cmd_q, AES_BLOCK_SIZE,
839 ret = ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
843 ret = memcmp(tag.address, final_wa.address, AES_BLOCK_SIZE);
848 ccp_dm_free(&final_wa);
851 if (aes->src_len && !in_place)
852 ccp_free_data(&dst, cmd_q);
856 ccp_free_data(&src, cmd_q);
860 ccp_free_data(&aad, cmd_q);
871 static int ccp_run_aes_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
873 struct ccp_aes_engine *aes = &cmd->u.aes;
874 struct ccp_dm_workarea key, ctx;
875 struct ccp_data src, dst;
877 unsigned int dm_offset;
878 bool in_place = false;
881 if (aes->mode == CCP_AES_MODE_CMAC)
882 return ccp_run_aes_cmac_cmd(cmd_q, cmd);
884 if (aes->mode == CCP_AES_MODE_GCM)
885 return ccp_run_aes_gcm_cmd(cmd_q, cmd);
887 if (!((aes->key_len == AES_KEYSIZE_128) ||
888 (aes->key_len == AES_KEYSIZE_192) ||
889 (aes->key_len == AES_KEYSIZE_256)))
892 if (((aes->mode == CCP_AES_MODE_ECB) ||
893 (aes->mode == CCP_AES_MODE_CBC)) &&
894 (aes->src_len & (AES_BLOCK_SIZE - 1)))
897 if (!aes->key || !aes->src || !aes->dst)
900 if (aes->mode != CCP_AES_MODE_ECB) {
901 if (aes->iv_len != AES_BLOCK_SIZE)
908 BUILD_BUG_ON(CCP_AES_KEY_SB_COUNT != 1);
909 BUILD_BUG_ON(CCP_AES_CTX_SB_COUNT != 1);
912 memset(&op, 0, sizeof(op));
914 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
915 op.sb_key = cmd_q->sb_key;
916 op.sb_ctx = cmd_q->sb_ctx;
917 op.init = (aes->mode == CCP_AES_MODE_ECB) ? 0 : 1;
918 op.u.aes.type = aes->type;
919 op.u.aes.mode = aes->mode;
920 op.u.aes.action = aes->action;
922 /* All supported key sizes fit in a single (32-byte) SB entry
923 * and must be in little endian format. Use the 256-bit byte
924 * swap passthru option to convert from big endian to little
927 ret = ccp_init_dm_workarea(&key, cmd_q,
928 CCP_AES_KEY_SB_COUNT * CCP_SB_BYTES,
933 dm_offset = CCP_SB_BYTES - aes->key_len;
934 ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
937 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
938 CCP_PASSTHRU_BYTESWAP_256BIT);
940 cmd->engine_error = cmd_q->cmd_error;
944 /* The AES context fits in a single (32-byte) SB entry and
945 * must be in little endian format. Use the 256-bit byte swap
946 * passthru option to convert from big endian to little endian.
948 ret = ccp_init_dm_workarea(&ctx, cmd_q,
949 CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES,
954 if (aes->mode != CCP_AES_MODE_ECB) {
955 /* Load the AES context - convert to LE */
956 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
957 ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
960 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
961 CCP_PASSTHRU_BYTESWAP_256BIT);
963 cmd->engine_error = cmd_q->cmd_error;
968 case CCP_AES_MODE_CFB: /* CFB128 only */
969 case CCP_AES_MODE_CTR:
970 op.u.aes.size = AES_BLOCK_SIZE * BITS_PER_BYTE - 1;
976 /* Prepare the input and output data workareas. For in-place
977 * operations we need to set the dma direction to BIDIRECTIONAL
978 * and copy the src workarea to the dst workarea.
980 if (sg_virt(aes->src) == sg_virt(aes->dst))
983 ret = ccp_init_data(&src, cmd_q, aes->src, aes->src_len,
985 in_place ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE);
992 ret = ccp_init_data(&dst, cmd_q, aes->dst, aes->src_len,
993 AES_BLOCK_SIZE, DMA_FROM_DEVICE);
998 /* Send data to the CCP AES engine */
999 while (src.sg_wa.bytes_left) {
1000 ccp_prepare_data(&src, &dst, &op, AES_BLOCK_SIZE, true);
1001 if (!src.sg_wa.bytes_left) {
1004 /* Since we don't retrieve the AES context in ECB
1005 * mode we have to wait for the operation to complete
1006 * on the last piece of data
1008 if (aes->mode == CCP_AES_MODE_ECB)
1012 ret = cmd_q->ccp->vdata->perform->aes(&op);
1014 cmd->engine_error = cmd_q->cmd_error;
1018 ccp_process_data(&src, &dst, &op);
1021 if (aes->mode != CCP_AES_MODE_ECB) {
1022 /* Retrieve the AES context - convert from LE to BE using
1023 * 32-byte (256-bit) byteswapping
1025 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1026 CCP_PASSTHRU_BYTESWAP_256BIT);
1028 cmd->engine_error = cmd_q->cmd_error;
1032 /* ...but we only need AES_BLOCK_SIZE bytes */
1033 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
1034 ccp_get_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
1039 ccp_free_data(&dst, cmd_q);
1042 ccp_free_data(&src, cmd_q);
1053 static int ccp_run_xts_aes_cmd(struct ccp_cmd_queue *cmd_q,
1054 struct ccp_cmd *cmd)
1056 struct ccp_xts_aes_engine *xts = &cmd->u.xts;
1057 struct ccp_dm_workarea key, ctx;
1058 struct ccp_data src, dst;
1060 unsigned int unit_size, dm_offset;
1061 bool in_place = false;
1062 unsigned int sb_count;
1063 enum ccp_aes_type aestype;
1066 switch (xts->unit_size) {
1067 case CCP_XTS_AES_UNIT_SIZE_16:
1070 case CCP_XTS_AES_UNIT_SIZE_512:
1073 case CCP_XTS_AES_UNIT_SIZE_1024:
1076 case CCP_XTS_AES_UNIT_SIZE_2048:
1079 case CCP_XTS_AES_UNIT_SIZE_4096:
1087 if (xts->key_len == AES_KEYSIZE_128)
1088 aestype = CCP_AES_TYPE_128;
1089 else if (xts->key_len == AES_KEYSIZE_256)
1090 aestype = CCP_AES_TYPE_256;
1094 if (!xts->final && (xts->src_len & (AES_BLOCK_SIZE - 1)))
1097 if (xts->iv_len != AES_BLOCK_SIZE)
1100 if (!xts->key || !xts->iv || !xts->src || !xts->dst)
1103 BUILD_BUG_ON(CCP_XTS_AES_KEY_SB_COUNT != 1);
1104 BUILD_BUG_ON(CCP_XTS_AES_CTX_SB_COUNT != 1);
1107 memset(&op, 0, sizeof(op));
1109 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1110 op.sb_key = cmd_q->sb_key;
1111 op.sb_ctx = cmd_q->sb_ctx;
1113 op.u.xts.type = aestype;
1114 op.u.xts.action = xts->action;
1115 op.u.xts.unit_size = xts->unit_size;
1117 /* A version 3 device only supports 128-bit keys, which fits into a
1118 * single SB entry. A version 5 device uses a 512-bit vector, so two
1121 if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0))
1122 sb_count = CCP_XTS_AES_KEY_SB_COUNT;
1124 sb_count = CCP5_XTS_AES_KEY_SB_COUNT;
1125 ret = ccp_init_dm_workarea(&key, cmd_q,
1126 sb_count * CCP_SB_BYTES,
1131 if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0)) {
1132 /* All supported key sizes must be in little endian format.
1133 * Use the 256-bit byte swap passthru option to convert from
1134 * big endian to little endian.
1136 dm_offset = CCP_SB_BYTES - AES_KEYSIZE_128;
1137 ret = ccp_set_dm_area(&key, dm_offset, xts->key, 0, xts->key_len);
1140 ret = ccp_set_dm_area(&key, 0, xts->key, xts->key_len, xts->key_len);
1144 /* Version 5 CCPs use a 512-bit space for the key: each portion
1145 * occupies 256 bits, or one entire slot, and is zero-padded.
1149 dm_offset = CCP_SB_BYTES;
1150 pad = dm_offset - xts->key_len;
1151 ret = ccp_set_dm_area(&key, pad, xts->key, 0, xts->key_len);
1154 ret = ccp_set_dm_area(&key, dm_offset + pad, xts->key,
1155 xts->key_len, xts->key_len);
1159 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
1160 CCP_PASSTHRU_BYTESWAP_256BIT);
1162 cmd->engine_error = cmd_q->cmd_error;
1166 /* The AES context fits in a single (32-byte) SB entry and
1167 * for XTS is already in little endian format so no byte swapping
1170 ret = ccp_init_dm_workarea(&ctx, cmd_q,
1171 CCP_XTS_AES_CTX_SB_COUNT * CCP_SB_BYTES,
1176 ret = ccp_set_dm_area(&ctx, 0, xts->iv, 0, xts->iv_len);
1179 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1180 CCP_PASSTHRU_BYTESWAP_NOOP);
1182 cmd->engine_error = cmd_q->cmd_error;
1186 /* Prepare the input and output data workareas. For in-place
1187 * operations we need to set the dma direction to BIDIRECTIONAL
1188 * and copy the src workarea to the dst workarea.
1190 if (sg_virt(xts->src) == sg_virt(xts->dst))
1193 ret = ccp_init_data(&src, cmd_q, xts->src, xts->src_len,
1195 in_place ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE);
1202 ret = ccp_init_data(&dst, cmd_q, xts->dst, xts->src_len,
1203 unit_size, DMA_FROM_DEVICE);
1208 /* Send data to the CCP AES engine */
1209 while (src.sg_wa.bytes_left) {
1210 ccp_prepare_data(&src, &dst, &op, unit_size, true);
1211 if (!src.sg_wa.bytes_left)
1214 ret = cmd_q->ccp->vdata->perform->xts_aes(&op);
1216 cmd->engine_error = cmd_q->cmd_error;
1220 ccp_process_data(&src, &dst, &op);
1223 /* Retrieve the AES context - convert from LE to BE using
1224 * 32-byte (256-bit) byteswapping
1226 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1227 CCP_PASSTHRU_BYTESWAP_256BIT);
1229 cmd->engine_error = cmd_q->cmd_error;
1233 /* ...but we only need AES_BLOCK_SIZE bytes */
1234 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
1235 ccp_get_dm_area(&ctx, dm_offset, xts->iv, 0, xts->iv_len);
1239 ccp_free_data(&dst, cmd_q);
1242 ccp_free_data(&src, cmd_q);
1253 static int ccp_run_des3_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
1255 struct ccp_des3_engine *des3 = &cmd->u.des3;
1257 struct ccp_dm_workarea key, ctx;
1258 struct ccp_data src, dst;
1260 unsigned int dm_offset;
1261 unsigned int len_singlekey;
1262 bool in_place = false;
1266 if (cmd_q->ccp->vdata->version < CCP_VERSION(5, 0))
1269 if (!cmd_q->ccp->vdata->perform->des3)
1272 if (des3->key_len != DES3_EDE_KEY_SIZE)
1275 if (((des3->mode == CCP_DES3_MODE_ECB) ||
1276 (des3->mode == CCP_DES3_MODE_CBC)) &&
1277 (des3->src_len & (DES3_EDE_BLOCK_SIZE - 1)))
1280 if (!des3->key || !des3->src || !des3->dst)
1283 if (des3->mode != CCP_DES3_MODE_ECB) {
1284 if (des3->iv_len != DES3_EDE_BLOCK_SIZE)
1292 /* Zero out all the fields of the command desc */
1293 memset(&op, 0, sizeof(op));
1295 /* Set up the Function field */
1297 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1298 op.sb_key = cmd_q->sb_key;
1300 op.init = (des3->mode == CCP_DES3_MODE_ECB) ? 0 : 1;
1301 op.u.des3.type = des3->type;
1302 op.u.des3.mode = des3->mode;
1303 op.u.des3.action = des3->action;
1306 * All supported key sizes fit in a single (32-byte) KSB entry and
1307 * (like AES) must be in little endian format. Use the 256-bit byte
1308 * swap passthru option to convert from big endian to little endian.
1310 ret = ccp_init_dm_workarea(&key, cmd_q,
1311 CCP_DES3_KEY_SB_COUNT * CCP_SB_BYTES,
1317 * The contents of the key triplet are in the reverse order of what
1318 * is required by the engine. Copy the 3 pieces individually to put
1319 * them where they belong.
1321 dm_offset = CCP_SB_BYTES - des3->key_len; /* Basic offset */
1323 len_singlekey = des3->key_len / 3;
1324 ret = ccp_set_dm_area(&key, dm_offset + 2 * len_singlekey,
1325 des3->key, 0, len_singlekey);
1328 ret = ccp_set_dm_area(&key, dm_offset + len_singlekey,
1329 des3->key, len_singlekey, len_singlekey);
1332 ret = ccp_set_dm_area(&key, dm_offset,
1333 des3->key, 2 * len_singlekey, len_singlekey);
1337 /* Copy the key to the SB */
1338 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
1339 CCP_PASSTHRU_BYTESWAP_256BIT);
1341 cmd->engine_error = cmd_q->cmd_error;
1346 * The DES3 context fits in a single (32-byte) KSB entry and
1347 * must be in little endian format. Use the 256-bit byte swap
1348 * passthru option to convert from big endian to little endian.
1350 if (des3->mode != CCP_DES3_MODE_ECB) {
1351 op.sb_ctx = cmd_q->sb_ctx;
1353 ret = ccp_init_dm_workarea(&ctx, cmd_q,
1354 CCP_DES3_CTX_SB_COUNT * CCP_SB_BYTES,
1359 /* Load the context into the LSB */
1360 dm_offset = CCP_SB_BYTES - des3->iv_len;
1361 ret = ccp_set_dm_area(&ctx, dm_offset, des3->iv, 0,
1366 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1367 CCP_PASSTHRU_BYTESWAP_256BIT);
1369 cmd->engine_error = cmd_q->cmd_error;
1375 * Prepare the input and output data workareas. For in-place
1376 * operations we need to set the dma direction to BIDIRECTIONAL
1377 * and copy the src workarea to the dst workarea.
1379 if (sg_virt(des3->src) == sg_virt(des3->dst))
1382 ret = ccp_init_data(&src, cmd_q, des3->src, des3->src_len,
1383 DES3_EDE_BLOCK_SIZE,
1384 in_place ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE);
1391 ret = ccp_init_data(&dst, cmd_q, des3->dst, des3->src_len,
1392 DES3_EDE_BLOCK_SIZE, DMA_FROM_DEVICE);
1397 /* Send data to the CCP DES3 engine */
1398 while (src.sg_wa.bytes_left) {
1399 ccp_prepare_data(&src, &dst, &op, DES3_EDE_BLOCK_SIZE, true);
1400 if (!src.sg_wa.bytes_left) {
1403 /* Since we don't retrieve the context in ECB mode
1404 * we have to wait for the operation to complete
1405 * on the last piece of data
1410 ret = cmd_q->ccp->vdata->perform->des3(&op);
1412 cmd->engine_error = cmd_q->cmd_error;
1416 ccp_process_data(&src, &dst, &op);
1419 if (des3->mode != CCP_DES3_MODE_ECB) {
1420 /* Retrieve the context and make BE */
1421 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1422 CCP_PASSTHRU_BYTESWAP_256BIT);
1424 cmd->engine_error = cmd_q->cmd_error;
1428 /* ...but we only need the last DES3_EDE_BLOCK_SIZE bytes */
1429 ccp_get_dm_area(&ctx, dm_offset, des3->iv, 0,
1430 DES3_EDE_BLOCK_SIZE);
1434 ccp_free_data(&dst, cmd_q);
1437 ccp_free_data(&src, cmd_q);
1440 if (des3->mode != CCP_DES3_MODE_ECB)
1449 static int ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
1451 struct ccp_sha_engine *sha = &cmd->u.sha;
1452 struct ccp_dm_workarea ctx;
1453 struct ccp_data src;
1455 unsigned int ioffset, ooffset;
1456 unsigned int digest_size;
1463 switch (sha->type) {
1464 case CCP_SHA_TYPE_1:
1465 if (sha->ctx_len < SHA1_DIGEST_SIZE)
1467 block_size = SHA1_BLOCK_SIZE;
1469 case CCP_SHA_TYPE_224:
1470 if (sha->ctx_len < SHA224_DIGEST_SIZE)
1472 block_size = SHA224_BLOCK_SIZE;
1474 case CCP_SHA_TYPE_256:
1475 if (sha->ctx_len < SHA256_DIGEST_SIZE)
1477 block_size = SHA256_BLOCK_SIZE;
1479 case CCP_SHA_TYPE_384:
1480 if (cmd_q->ccp->vdata->version < CCP_VERSION(4, 0)
1481 || sha->ctx_len < SHA384_DIGEST_SIZE)
1483 block_size = SHA384_BLOCK_SIZE;
1485 case CCP_SHA_TYPE_512:
1486 if (cmd_q->ccp->vdata->version < CCP_VERSION(4, 0)
1487 || sha->ctx_len < SHA512_DIGEST_SIZE)
1489 block_size = SHA512_BLOCK_SIZE;
1498 if (!sha->final && (sha->src_len & (block_size - 1)))
1501 /* The version 3 device can't handle zero-length input */
1502 if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0)) {
1504 if (!sha->src_len) {
1505 unsigned int digest_len;
1508 /* Not final, just return */
1512 /* CCP can't do a zero length sha operation so the
1513 * caller must buffer the data.
1518 /* The CCP cannot perform zero-length sha operations
1519 * so the caller is required to buffer data for the
1520 * final operation. However, a sha operation for a
1521 * message with a total length of zero is valid so
1522 * known values are required to supply the result.
1524 switch (sha->type) {
1525 case CCP_SHA_TYPE_1:
1526 sha_zero = sha1_zero_message_hash;
1527 digest_len = SHA1_DIGEST_SIZE;
1529 case CCP_SHA_TYPE_224:
1530 sha_zero = sha224_zero_message_hash;
1531 digest_len = SHA224_DIGEST_SIZE;
1533 case CCP_SHA_TYPE_256:
1534 sha_zero = sha256_zero_message_hash;
1535 digest_len = SHA256_DIGEST_SIZE;
1541 scatterwalk_map_and_copy((void *)sha_zero, sha->ctx, 0,
1548 /* Set variables used throughout */
1549 switch (sha->type) {
1550 case CCP_SHA_TYPE_1:
1551 digest_size = SHA1_DIGEST_SIZE;
1552 init = (void *) ccp_sha1_init;
1553 ctx_size = SHA1_DIGEST_SIZE;
1555 if (cmd_q->ccp->vdata->version != CCP_VERSION(3, 0))
1556 ooffset = ioffset = CCP_SB_BYTES - SHA1_DIGEST_SIZE;
1558 ooffset = ioffset = 0;
1560 case CCP_SHA_TYPE_224:
1561 digest_size = SHA224_DIGEST_SIZE;
1562 init = (void *) ccp_sha224_init;
1563 ctx_size = SHA256_DIGEST_SIZE;
1566 if (cmd_q->ccp->vdata->version != CCP_VERSION(3, 0))
1567 ooffset = CCP_SB_BYTES - SHA224_DIGEST_SIZE;
1571 case CCP_SHA_TYPE_256:
1572 digest_size = SHA256_DIGEST_SIZE;
1573 init = (void *) ccp_sha256_init;
1574 ctx_size = SHA256_DIGEST_SIZE;
1576 ooffset = ioffset = 0;
1578 case CCP_SHA_TYPE_384:
1579 digest_size = SHA384_DIGEST_SIZE;
1580 init = (void *) ccp_sha384_init;
1581 ctx_size = SHA512_DIGEST_SIZE;
1584 ooffset = 2 * CCP_SB_BYTES - SHA384_DIGEST_SIZE;
1586 case CCP_SHA_TYPE_512:
1587 digest_size = SHA512_DIGEST_SIZE;
1588 init = (void *) ccp_sha512_init;
1589 ctx_size = SHA512_DIGEST_SIZE;
1591 ooffset = ioffset = 0;
1598 /* For zero-length plaintext the src pointer is ignored;
1599 * otherwise both parts must be valid
1601 if (sha->src_len && !sha->src)
1604 memset(&op, 0, sizeof(op));
1606 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1607 op.sb_ctx = cmd_q->sb_ctx; /* Pre-allocated */
1608 op.u.sha.type = sha->type;
1609 op.u.sha.msg_bits = sha->msg_bits;
1611 /* For SHA1/224/256 the context fits in a single (32-byte) SB entry;
1612 * SHA384/512 require 2 adjacent SB slots, with the right half in the
1613 * first slot, and the left half in the second. Each portion must then
1614 * be in little endian format: use the 256-bit byte swap option.
1616 ret = ccp_init_dm_workarea(&ctx, cmd_q, sb_count * CCP_SB_BYTES,
1621 switch (sha->type) {
1622 case CCP_SHA_TYPE_1:
1623 case CCP_SHA_TYPE_224:
1624 case CCP_SHA_TYPE_256:
1625 memcpy(ctx.address + ioffset, init, ctx_size);
1627 case CCP_SHA_TYPE_384:
1628 case CCP_SHA_TYPE_512:
1629 memcpy(ctx.address + ctx_size / 2, init,
1631 memcpy(ctx.address, init + ctx_size / 2,
1639 /* Restore the context */
1640 ret = ccp_set_dm_area(&ctx, 0, sha->ctx, 0,
1641 sb_count * CCP_SB_BYTES);
1646 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1647 CCP_PASSTHRU_BYTESWAP_256BIT);
1649 cmd->engine_error = cmd_q->cmd_error;
1654 /* Send data to the CCP SHA engine; block_size is set above */
1655 ret = ccp_init_data(&src, cmd_q, sha->src, sha->src_len,
1656 block_size, DMA_TO_DEVICE);
1660 while (src.sg_wa.bytes_left) {
1661 ccp_prepare_data(&src, NULL, &op, block_size, false);
1662 if (sha->final && !src.sg_wa.bytes_left)
1665 ret = cmd_q->ccp->vdata->perform->sha(&op);
1667 cmd->engine_error = cmd_q->cmd_error;
1671 ccp_process_data(&src, NULL, &op);
1675 ret = cmd_q->ccp->vdata->perform->sha(&op);
1677 cmd->engine_error = cmd_q->cmd_error;
1682 /* Retrieve the SHA context - convert from LE to BE using
1683 * 32-byte (256-bit) byteswapping to BE
1685 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1686 CCP_PASSTHRU_BYTESWAP_256BIT);
1688 cmd->engine_error = cmd_q->cmd_error;
1693 /* Finishing up, so get the digest */
1694 switch (sha->type) {
1695 case CCP_SHA_TYPE_1:
1696 case CCP_SHA_TYPE_224:
1697 case CCP_SHA_TYPE_256:
1698 ccp_get_dm_area(&ctx, ooffset,
1702 case CCP_SHA_TYPE_384:
1703 case CCP_SHA_TYPE_512:
1704 ccp_get_dm_area(&ctx, 0,
1705 sha->ctx, LSB_ITEM_SIZE - ooffset,
1707 ccp_get_dm_area(&ctx, LSB_ITEM_SIZE + ooffset,
1709 LSB_ITEM_SIZE - ooffset);
1716 /* Stash the context */
1717 ccp_get_dm_area(&ctx, 0, sha->ctx, 0,
1718 sb_count * CCP_SB_BYTES);
1721 if (sha->final && sha->opad) {
1722 /* HMAC operation, recursively perform final SHA */
1723 struct ccp_cmd hmac_cmd;
1724 struct scatterlist sg;
1727 if (sha->opad_len != block_size) {
1732 hmac_buf = kmalloc(block_size + digest_size, GFP_KERNEL);
1737 sg_init_one(&sg, hmac_buf, block_size + digest_size);
1739 scatterwalk_map_and_copy(hmac_buf, sha->opad, 0, block_size, 0);
1740 switch (sha->type) {
1741 case CCP_SHA_TYPE_1:
1742 case CCP_SHA_TYPE_224:
1743 case CCP_SHA_TYPE_256:
1744 memcpy(hmac_buf + block_size,
1745 ctx.address + ooffset,
1748 case CCP_SHA_TYPE_384:
1749 case CCP_SHA_TYPE_512:
1750 memcpy(hmac_buf + block_size,
1751 ctx.address + LSB_ITEM_SIZE + ooffset,
1753 memcpy(hmac_buf + block_size +
1754 (LSB_ITEM_SIZE - ooffset),
1763 memset(&hmac_cmd, 0, sizeof(hmac_cmd));
1764 hmac_cmd.engine = CCP_ENGINE_SHA;
1765 hmac_cmd.u.sha.type = sha->type;
1766 hmac_cmd.u.sha.ctx = sha->ctx;
1767 hmac_cmd.u.sha.ctx_len = sha->ctx_len;
1768 hmac_cmd.u.sha.src = &sg;
1769 hmac_cmd.u.sha.src_len = block_size + digest_size;
1770 hmac_cmd.u.sha.opad = NULL;
1771 hmac_cmd.u.sha.opad_len = 0;
1772 hmac_cmd.u.sha.first = 1;
1773 hmac_cmd.u.sha.final = 1;
1774 hmac_cmd.u.sha.msg_bits = (block_size + digest_size) << 3;
1776 ret = ccp_run_sha_cmd(cmd_q, &hmac_cmd);
1778 cmd->engine_error = hmac_cmd.engine_error;
1785 ccp_free_data(&src, cmd_q);
1793 static int ccp_run_rsa_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
1795 struct ccp_rsa_engine *rsa = &cmd->u.rsa;
1796 struct ccp_dm_workarea exp, src, dst;
1798 unsigned int sb_count, i_len, o_len;
1801 /* Check against the maximum allowable size, in bits */
1802 if (rsa->key_size > cmd_q->ccp->vdata->rsamax)
1805 if (!rsa->exp || !rsa->mod || !rsa->src || !rsa->dst)
1808 memset(&op, 0, sizeof(op));
1810 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1812 /* The RSA modulus must precede the message being acted upon, so
1813 * it must be copied to a DMA area where the message and the
1814 * modulus can be concatenated. Therefore the input buffer
1815 * length required is twice the output buffer length (which
1816 * must be a multiple of 256-bits). Compute o_len, i_len in bytes.
1817 * Buffer sizes must be a multiple of 32 bytes; rounding up may be
1820 o_len = 32 * ((rsa->key_size + 255) / 256);
1824 if (cmd_q->ccp->vdata->version < CCP_VERSION(5, 0)) {
1825 /* sb_count is the number of storage block slots required
1828 sb_count = o_len / CCP_SB_BYTES;
1829 op.sb_key = cmd_q->ccp->vdata->perform->sballoc(cmd_q,
1834 /* A version 5 device allows a modulus size that will not fit
1835 * in the LSB, so the command will transfer it from memory.
1836 * Set the sb key to the default, even though it's not used.
1838 op.sb_key = cmd_q->sb_key;
1841 /* The RSA exponent must be in little endian format. Reverse its
1844 ret = ccp_init_dm_workarea(&exp, cmd_q, o_len, DMA_TO_DEVICE);
1848 ret = ccp_reverse_set_dm_area(&exp, 0, rsa->exp, 0, rsa->exp_len);
1852 if (cmd_q->ccp->vdata->version < CCP_VERSION(5, 0)) {
1853 /* Copy the exponent to the local storage block, using
1854 * as many 32-byte blocks as were allocated above. It's
1855 * already little endian, so no further change is required.
1857 ret = ccp_copy_to_sb(cmd_q, &exp, op.jobid, op.sb_key,
1858 CCP_PASSTHRU_BYTESWAP_NOOP);
1860 cmd->engine_error = cmd_q->cmd_error;
1864 /* The exponent can be retrieved from memory via DMA. */
1865 op.exp.u.dma.address = exp.dma.address;
1866 op.exp.u.dma.offset = 0;
1869 /* Concatenate the modulus and the message. Both the modulus and
1870 * the operands must be in little endian format. Since the input
1871 * is in big endian format it must be converted.
1873 ret = ccp_init_dm_workarea(&src, cmd_q, i_len, DMA_TO_DEVICE);
1877 ret = ccp_reverse_set_dm_area(&src, 0, rsa->mod, 0, rsa->mod_len);
1880 ret = ccp_reverse_set_dm_area(&src, o_len, rsa->src, 0, rsa->src_len);
1884 /* Prepare the output area for the operation */
1885 ret = ccp_init_dm_workarea(&dst, cmd_q, o_len, DMA_FROM_DEVICE);
1890 op.src.u.dma.address = src.dma.address;
1891 op.src.u.dma.offset = 0;
1892 op.src.u.dma.length = i_len;
1893 op.dst.u.dma.address = dst.dma.address;
1894 op.dst.u.dma.offset = 0;
1895 op.dst.u.dma.length = o_len;
1897 op.u.rsa.mod_size = rsa->key_size;
1898 op.u.rsa.input_len = i_len;
1900 ret = cmd_q->ccp->vdata->perform->rsa(&op);
1902 cmd->engine_error = cmd_q->cmd_error;
1906 ccp_reverse_get_dm_area(&dst, 0, rsa->dst, 0, rsa->mod_len);
1919 cmd_q->ccp->vdata->perform->sbfree(cmd_q, op.sb_key, sb_count);
1924 static int ccp_run_passthru_cmd(struct ccp_cmd_queue *cmd_q,
1925 struct ccp_cmd *cmd)
1927 struct ccp_passthru_engine *pt = &cmd->u.passthru;
1928 struct ccp_dm_workarea mask;
1929 struct ccp_data src, dst;
1931 bool in_place = false;
1935 if (!pt->final && (pt->src_len & (CCP_PASSTHRU_BLOCKSIZE - 1)))
1938 if (!pt->src || !pt->dst)
1941 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP) {
1942 if (pt->mask_len != CCP_PASSTHRU_MASKSIZE)
1948 BUILD_BUG_ON(CCP_PASSTHRU_SB_COUNT != 1);
1950 memset(&op, 0, sizeof(op));
1952 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1954 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP) {
1956 op.sb_key = cmd_q->sb_key;
1958 ret = ccp_init_dm_workarea(&mask, cmd_q,
1959 CCP_PASSTHRU_SB_COUNT *
1965 ret = ccp_set_dm_area(&mask, 0, pt->mask, 0, pt->mask_len);
1968 ret = ccp_copy_to_sb(cmd_q, &mask, op.jobid, op.sb_key,
1969 CCP_PASSTHRU_BYTESWAP_NOOP);
1971 cmd->engine_error = cmd_q->cmd_error;
1976 /* Prepare the input and output data workareas. For in-place
1977 * operations we need to set the dma direction to BIDIRECTIONAL
1978 * and copy the src workarea to the dst workarea.
1980 if (sg_virt(pt->src) == sg_virt(pt->dst))
1983 ret = ccp_init_data(&src, cmd_q, pt->src, pt->src_len,
1984 CCP_PASSTHRU_MASKSIZE,
1985 in_place ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE);
1992 ret = ccp_init_data(&dst, cmd_q, pt->dst, pt->src_len,
1993 CCP_PASSTHRU_MASKSIZE, DMA_FROM_DEVICE);
1998 /* Send data to the CCP Passthru engine
1999 * Because the CCP engine works on a single source and destination
2000 * dma address at a time, each entry in the source scatterlist
2001 * (after the dma_map_sg call) must be less than or equal to the
2002 * (remaining) length in the destination scatterlist entry and the
2003 * length must be a multiple of CCP_PASSTHRU_BLOCKSIZE
2005 dst.sg_wa.sg_used = 0;
2006 for (i = 1; i <= src.sg_wa.dma_count; i++) {
2007 if (!dst.sg_wa.sg ||
2008 (dst.sg_wa.sg->length < src.sg_wa.sg->length)) {
2013 if (i == src.sg_wa.dma_count) {
2018 op.src.type = CCP_MEMTYPE_SYSTEM;
2019 op.src.u.dma.address = sg_dma_address(src.sg_wa.sg);
2020 op.src.u.dma.offset = 0;
2021 op.src.u.dma.length = sg_dma_len(src.sg_wa.sg);
2023 op.dst.type = CCP_MEMTYPE_SYSTEM;
2024 op.dst.u.dma.address = sg_dma_address(dst.sg_wa.sg);
2025 op.dst.u.dma.offset = dst.sg_wa.sg_used;
2026 op.dst.u.dma.length = op.src.u.dma.length;
2028 ret = cmd_q->ccp->vdata->perform->passthru(&op);
2030 cmd->engine_error = cmd_q->cmd_error;
2034 dst.sg_wa.sg_used += src.sg_wa.sg->length;
2035 if (dst.sg_wa.sg_used == dst.sg_wa.sg->length) {
2036 dst.sg_wa.sg = sg_next(dst.sg_wa.sg);
2037 dst.sg_wa.sg_used = 0;
2039 src.sg_wa.sg = sg_next(src.sg_wa.sg);
2044 ccp_free_data(&dst, cmd_q);
2047 ccp_free_data(&src, cmd_q);
2050 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP)
2056 static int ccp_run_passthru_nomap_cmd(struct ccp_cmd_queue *cmd_q,
2057 struct ccp_cmd *cmd)
2059 struct ccp_passthru_nomap_engine *pt = &cmd->u.passthru_nomap;
2060 struct ccp_dm_workarea mask;
2064 if (!pt->final && (pt->src_len & (CCP_PASSTHRU_BLOCKSIZE - 1)))
2067 if (!pt->src_dma || !pt->dst_dma)
2070 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP) {
2071 if (pt->mask_len != CCP_PASSTHRU_MASKSIZE)
2077 BUILD_BUG_ON(CCP_PASSTHRU_SB_COUNT != 1);
2079 memset(&op, 0, sizeof(op));
2081 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
2083 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP) {
2085 op.sb_key = cmd_q->sb_key;
2087 mask.length = pt->mask_len;
2088 mask.dma.address = pt->mask;
2089 mask.dma.length = pt->mask_len;
2091 ret = ccp_copy_to_sb(cmd_q, &mask, op.jobid, op.sb_key,
2092 CCP_PASSTHRU_BYTESWAP_NOOP);
2094 cmd->engine_error = cmd_q->cmd_error;
2099 /* Send data to the CCP Passthru engine */
2103 op.src.type = CCP_MEMTYPE_SYSTEM;
2104 op.src.u.dma.address = pt->src_dma;
2105 op.src.u.dma.offset = 0;
2106 op.src.u.dma.length = pt->src_len;
2108 op.dst.type = CCP_MEMTYPE_SYSTEM;
2109 op.dst.u.dma.address = pt->dst_dma;
2110 op.dst.u.dma.offset = 0;
2111 op.dst.u.dma.length = pt->src_len;
2113 ret = cmd_q->ccp->vdata->perform->passthru(&op);
2115 cmd->engine_error = cmd_q->cmd_error;
2120 static int ccp_run_ecc_mm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
2122 struct ccp_ecc_engine *ecc = &cmd->u.ecc;
2123 struct ccp_dm_workarea src, dst;
2128 if (!ecc->u.mm.operand_1 ||
2129 (ecc->u.mm.operand_1_len > CCP_ECC_MODULUS_BYTES))
2132 if (ecc->function != CCP_ECC_FUNCTION_MINV_384BIT)
2133 if (!ecc->u.mm.operand_2 ||
2134 (ecc->u.mm.operand_2_len > CCP_ECC_MODULUS_BYTES))
2137 if (!ecc->u.mm.result ||
2138 (ecc->u.mm.result_len < CCP_ECC_MODULUS_BYTES))
2141 memset(&op, 0, sizeof(op));
2143 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
2145 /* Concatenate the modulus and the operands. Both the modulus and
2146 * the operands must be in little endian format. Since the input
2147 * is in big endian format it must be converted and placed in a
2148 * fixed length buffer.
2150 ret = ccp_init_dm_workarea(&src, cmd_q, CCP_ECC_SRC_BUF_SIZE,
2155 /* Save the workarea address since it is updated in order to perform
2160 /* Copy the ECC modulus */
2161 ret = ccp_reverse_set_dm_area(&src, 0, ecc->mod, 0, ecc->mod_len);
2164 src.address += CCP_ECC_OPERAND_SIZE;
2166 /* Copy the first operand */
2167 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.mm.operand_1, 0,
2168 ecc->u.mm.operand_1_len);
2171 src.address += CCP_ECC_OPERAND_SIZE;
2173 if (ecc->function != CCP_ECC_FUNCTION_MINV_384BIT) {
2174 /* Copy the second operand */
2175 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.mm.operand_2, 0,
2176 ecc->u.mm.operand_2_len);
2179 src.address += CCP_ECC_OPERAND_SIZE;
2182 /* Restore the workarea address */
2185 /* Prepare the output area for the operation */
2186 ret = ccp_init_dm_workarea(&dst, cmd_q, CCP_ECC_DST_BUF_SIZE,
2192 op.src.u.dma.address = src.dma.address;
2193 op.src.u.dma.offset = 0;
2194 op.src.u.dma.length = src.length;
2195 op.dst.u.dma.address = dst.dma.address;
2196 op.dst.u.dma.offset = 0;
2197 op.dst.u.dma.length = dst.length;
2199 op.u.ecc.function = cmd->u.ecc.function;
2201 ret = cmd_q->ccp->vdata->perform->ecc(&op);
2203 cmd->engine_error = cmd_q->cmd_error;
2207 ecc->ecc_result = le16_to_cpup(
2208 (const __le16 *)(dst.address + CCP_ECC_RESULT_OFFSET));
2209 if (!(ecc->ecc_result & CCP_ECC_RESULT_SUCCESS)) {
2214 /* Save the ECC result */
2215 ccp_reverse_get_dm_area(&dst, 0, ecc->u.mm.result, 0,
2216 CCP_ECC_MODULUS_BYTES);
2227 static int ccp_run_ecc_pm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
2229 struct ccp_ecc_engine *ecc = &cmd->u.ecc;
2230 struct ccp_dm_workarea src, dst;
2235 if (!ecc->u.pm.point_1.x ||
2236 (ecc->u.pm.point_1.x_len > CCP_ECC_MODULUS_BYTES) ||
2237 !ecc->u.pm.point_1.y ||
2238 (ecc->u.pm.point_1.y_len > CCP_ECC_MODULUS_BYTES))
2241 if (ecc->function == CCP_ECC_FUNCTION_PADD_384BIT) {
2242 if (!ecc->u.pm.point_2.x ||
2243 (ecc->u.pm.point_2.x_len > CCP_ECC_MODULUS_BYTES) ||
2244 !ecc->u.pm.point_2.y ||
2245 (ecc->u.pm.point_2.y_len > CCP_ECC_MODULUS_BYTES))
2248 if (!ecc->u.pm.domain_a ||
2249 (ecc->u.pm.domain_a_len > CCP_ECC_MODULUS_BYTES))
2252 if (ecc->function == CCP_ECC_FUNCTION_PMUL_384BIT)
2253 if (!ecc->u.pm.scalar ||
2254 (ecc->u.pm.scalar_len > CCP_ECC_MODULUS_BYTES))
2258 if (!ecc->u.pm.result.x ||
2259 (ecc->u.pm.result.x_len < CCP_ECC_MODULUS_BYTES) ||
2260 !ecc->u.pm.result.y ||
2261 (ecc->u.pm.result.y_len < CCP_ECC_MODULUS_BYTES))
2264 memset(&op, 0, sizeof(op));
2266 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
2268 /* Concatenate the modulus and the operands. Both the modulus and
2269 * the operands must be in little endian format. Since the input
2270 * is in big endian format it must be converted and placed in a
2271 * fixed length buffer.
2273 ret = ccp_init_dm_workarea(&src, cmd_q, CCP_ECC_SRC_BUF_SIZE,
2278 /* Save the workarea address since it is updated in order to perform
2283 /* Copy the ECC modulus */
2284 ret = ccp_reverse_set_dm_area(&src, 0, ecc->mod, 0, ecc->mod_len);
2287 src.address += CCP_ECC_OPERAND_SIZE;
2289 /* Copy the first point X and Y coordinate */
2290 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.point_1.x, 0,
2291 ecc->u.pm.point_1.x_len);
2294 src.address += CCP_ECC_OPERAND_SIZE;
2295 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.point_1.y, 0,
2296 ecc->u.pm.point_1.y_len);
2299 src.address += CCP_ECC_OPERAND_SIZE;
2301 /* Set the first point Z coordinate to 1 */
2302 *src.address = 0x01;
2303 src.address += CCP_ECC_OPERAND_SIZE;
2305 if (ecc->function == CCP_ECC_FUNCTION_PADD_384BIT) {
2306 /* Copy the second point X and Y coordinate */
2307 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.point_2.x, 0,
2308 ecc->u.pm.point_2.x_len);
2311 src.address += CCP_ECC_OPERAND_SIZE;
2312 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.point_2.y, 0,
2313 ecc->u.pm.point_2.y_len);
2316 src.address += CCP_ECC_OPERAND_SIZE;
2318 /* Set the second point Z coordinate to 1 */
2319 *src.address = 0x01;
2320 src.address += CCP_ECC_OPERAND_SIZE;
2322 /* Copy the Domain "a" parameter */
2323 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.domain_a, 0,
2324 ecc->u.pm.domain_a_len);
2327 src.address += CCP_ECC_OPERAND_SIZE;
2329 if (ecc->function == CCP_ECC_FUNCTION_PMUL_384BIT) {
2330 /* Copy the scalar value */
2331 ret = ccp_reverse_set_dm_area(&src, 0,
2332 ecc->u.pm.scalar, 0,
2333 ecc->u.pm.scalar_len);
2336 src.address += CCP_ECC_OPERAND_SIZE;
2340 /* Restore the workarea address */
2343 /* Prepare the output area for the operation */
2344 ret = ccp_init_dm_workarea(&dst, cmd_q, CCP_ECC_DST_BUF_SIZE,
2350 op.src.u.dma.address = src.dma.address;
2351 op.src.u.dma.offset = 0;
2352 op.src.u.dma.length = src.length;
2353 op.dst.u.dma.address = dst.dma.address;
2354 op.dst.u.dma.offset = 0;
2355 op.dst.u.dma.length = dst.length;
2357 op.u.ecc.function = cmd->u.ecc.function;
2359 ret = cmd_q->ccp->vdata->perform->ecc(&op);
2361 cmd->engine_error = cmd_q->cmd_error;
2365 ecc->ecc_result = le16_to_cpup(
2366 (const __le16 *)(dst.address + CCP_ECC_RESULT_OFFSET));
2367 if (!(ecc->ecc_result & CCP_ECC_RESULT_SUCCESS)) {
2372 /* Save the workarea address since it is updated as we walk through
2373 * to copy the point math result
2377 /* Save the ECC result X and Y coordinates */
2378 ccp_reverse_get_dm_area(&dst, 0, ecc->u.pm.result.x, 0,
2379 CCP_ECC_MODULUS_BYTES);
2380 dst.address += CCP_ECC_OUTPUT_SIZE;
2381 ccp_reverse_get_dm_area(&dst, 0, ecc->u.pm.result.y, 0,
2382 CCP_ECC_MODULUS_BYTES);
2383 dst.address += CCP_ECC_OUTPUT_SIZE;
2385 /* Restore the workarea address */
2397 static int ccp_run_ecc_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
2399 struct ccp_ecc_engine *ecc = &cmd->u.ecc;
2401 ecc->ecc_result = 0;
2404 (ecc->mod_len > CCP_ECC_MODULUS_BYTES))
2407 switch (ecc->function) {
2408 case CCP_ECC_FUNCTION_MMUL_384BIT:
2409 case CCP_ECC_FUNCTION_MADD_384BIT:
2410 case CCP_ECC_FUNCTION_MINV_384BIT:
2411 return ccp_run_ecc_mm_cmd(cmd_q, cmd);
2413 case CCP_ECC_FUNCTION_PADD_384BIT:
2414 case CCP_ECC_FUNCTION_PMUL_384BIT:
2415 case CCP_ECC_FUNCTION_PDBL_384BIT:
2416 return ccp_run_ecc_pm_cmd(cmd_q, cmd);
2423 int ccp_run_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
2427 cmd->engine_error = 0;
2428 cmd_q->cmd_error = 0;
2429 cmd_q->int_rcvd = 0;
2430 cmd_q->free_slots = cmd_q->ccp->vdata->perform->get_free_slots(cmd_q);
2432 switch (cmd->engine) {
2433 case CCP_ENGINE_AES:
2434 ret = ccp_run_aes_cmd(cmd_q, cmd);
2436 case CCP_ENGINE_XTS_AES_128:
2437 ret = ccp_run_xts_aes_cmd(cmd_q, cmd);
2439 case CCP_ENGINE_DES3:
2440 ret = ccp_run_des3_cmd(cmd_q, cmd);
2442 case CCP_ENGINE_SHA:
2443 ret = ccp_run_sha_cmd(cmd_q, cmd);
2445 case CCP_ENGINE_RSA:
2446 ret = ccp_run_rsa_cmd(cmd_q, cmd);
2448 case CCP_ENGINE_PASSTHRU:
2449 if (cmd->flags & CCP_CMD_PASSTHRU_NO_DMA_MAP)
2450 ret = ccp_run_passthru_nomap_cmd(cmd_q, cmd);
2452 ret = ccp_run_passthru_cmd(cmd_q, cmd);
2454 case CCP_ENGINE_ECC:
2455 ret = ccp_run_ecc_cmd(cmd_q, cmd);