1 // SPDX-License-Identifier: GPL-2.0-only
3 * AMD Cryptographic Coprocessor (CCP) driver
5 * Copyright (C) 2013-2019 Advanced Micro Devices, Inc.
7 * Author: Tom Lendacky <thomas.lendacky@amd.com>
8 * Author: Gary R Hook <gary.hook@amd.com>
11 #include <linux/module.h>
12 #include <linux/kernel.h>
13 #include <linux/pci.h>
14 #include <linux/interrupt.h>
15 #include <crypto/scatterwalk.h>
16 #include <crypto/des.h>
17 #include <linux/ccp.h>
21 /* SHA initial context values */
22 static const __be32 ccp_sha1_init[SHA1_DIGEST_SIZE / sizeof(__be32)] = {
23 cpu_to_be32(SHA1_H0), cpu_to_be32(SHA1_H1),
24 cpu_to_be32(SHA1_H2), cpu_to_be32(SHA1_H3),
28 static const __be32 ccp_sha224_init[SHA256_DIGEST_SIZE / sizeof(__be32)] = {
29 cpu_to_be32(SHA224_H0), cpu_to_be32(SHA224_H1),
30 cpu_to_be32(SHA224_H2), cpu_to_be32(SHA224_H3),
31 cpu_to_be32(SHA224_H4), cpu_to_be32(SHA224_H5),
32 cpu_to_be32(SHA224_H6), cpu_to_be32(SHA224_H7),
35 static const __be32 ccp_sha256_init[SHA256_DIGEST_SIZE / sizeof(__be32)] = {
36 cpu_to_be32(SHA256_H0), cpu_to_be32(SHA256_H1),
37 cpu_to_be32(SHA256_H2), cpu_to_be32(SHA256_H3),
38 cpu_to_be32(SHA256_H4), cpu_to_be32(SHA256_H5),
39 cpu_to_be32(SHA256_H6), cpu_to_be32(SHA256_H7),
42 static const __be64 ccp_sha384_init[SHA512_DIGEST_SIZE / sizeof(__be64)] = {
43 cpu_to_be64(SHA384_H0), cpu_to_be64(SHA384_H1),
44 cpu_to_be64(SHA384_H2), cpu_to_be64(SHA384_H3),
45 cpu_to_be64(SHA384_H4), cpu_to_be64(SHA384_H5),
46 cpu_to_be64(SHA384_H6), cpu_to_be64(SHA384_H7),
49 static const __be64 ccp_sha512_init[SHA512_DIGEST_SIZE / sizeof(__be64)] = {
50 cpu_to_be64(SHA512_H0), cpu_to_be64(SHA512_H1),
51 cpu_to_be64(SHA512_H2), cpu_to_be64(SHA512_H3),
52 cpu_to_be64(SHA512_H4), cpu_to_be64(SHA512_H5),
53 cpu_to_be64(SHA512_H6), cpu_to_be64(SHA512_H7),
56 #define CCP_NEW_JOBID(ccp) ((ccp->vdata->version == CCP_VERSION(3, 0)) ? \
57 ccp_gen_jobid(ccp) : 0)
59 static u32 ccp_gen_jobid(struct ccp_device *ccp)
61 return atomic_inc_return(&ccp->current_id) & CCP_JOBID_MASK;
64 static void ccp_sg_free(struct ccp_sg_workarea *wa)
67 dma_unmap_sg(wa->dma_dev, wa->dma_sg, wa->nents, wa->dma_dir);
72 static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev,
73 struct scatterlist *sg, u64 len,
74 enum dma_data_direction dma_dir)
76 memset(wa, 0, sizeof(*wa));
82 wa->nents = sg_nents_for_len(sg, len);
92 if (dma_dir == DMA_NONE)
97 wa->dma_dir = dma_dir;
98 wa->dma_count = dma_map_sg(dev, sg, wa->nents, dma_dir);
105 static void ccp_update_sg_workarea(struct ccp_sg_workarea *wa, unsigned int len)
107 unsigned int nbytes = min_t(u64, len, wa->bytes_left);
112 wa->sg_used += nbytes;
113 wa->bytes_left -= nbytes;
114 if (wa->sg_used == wa->sg->length) {
115 wa->sg = sg_next(wa->sg);
120 static void ccp_dm_free(struct ccp_dm_workarea *wa)
122 if (wa->length <= CCP_DMAPOOL_MAX_SIZE) {
124 dma_pool_free(wa->dma_pool, wa->address,
128 dma_unmap_single(wa->dev, wa->dma.address, wa->length,
137 static int ccp_init_dm_workarea(struct ccp_dm_workarea *wa,
138 struct ccp_cmd_queue *cmd_q,
140 enum dma_data_direction dir)
142 memset(wa, 0, sizeof(*wa));
147 wa->dev = cmd_q->ccp->dev;
150 if (len <= CCP_DMAPOOL_MAX_SIZE) {
151 wa->dma_pool = cmd_q->dma_pool;
153 wa->address = dma_pool_alloc(wa->dma_pool, GFP_KERNEL,
158 wa->dma.length = CCP_DMAPOOL_MAX_SIZE;
160 memset(wa->address, 0, CCP_DMAPOOL_MAX_SIZE);
162 wa->address = kzalloc(len, GFP_KERNEL);
166 wa->dma.address = dma_map_single(wa->dev, wa->address, len,
168 if (dma_mapping_error(wa->dev, wa->dma.address))
171 wa->dma.length = len;
178 static int ccp_set_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
179 struct scatterlist *sg, unsigned int sg_offset,
182 WARN_ON(!wa->address);
184 if (len > (wa->length - wa_offset))
187 scatterwalk_map_and_copy(wa->address + wa_offset, sg, sg_offset, len,
192 static void ccp_get_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
193 struct scatterlist *sg, unsigned int sg_offset,
196 WARN_ON(!wa->address);
198 scatterwalk_map_and_copy(wa->address + wa_offset, sg, sg_offset, len,
202 static int ccp_reverse_set_dm_area(struct ccp_dm_workarea *wa,
203 unsigned int wa_offset,
204 struct scatterlist *sg,
205 unsigned int sg_offset,
211 rc = ccp_set_dm_area(wa, wa_offset, sg, sg_offset, len);
215 p = wa->address + wa_offset;
227 static void ccp_reverse_get_dm_area(struct ccp_dm_workarea *wa,
228 unsigned int wa_offset,
229 struct scatterlist *sg,
230 unsigned int sg_offset,
235 p = wa->address + wa_offset;
245 ccp_get_dm_area(wa, wa_offset, sg, sg_offset, len);
248 static void ccp_free_data(struct ccp_data *data, struct ccp_cmd_queue *cmd_q)
250 ccp_dm_free(&data->dm_wa);
251 ccp_sg_free(&data->sg_wa);
254 static int ccp_init_data(struct ccp_data *data, struct ccp_cmd_queue *cmd_q,
255 struct scatterlist *sg, u64 sg_len,
257 enum dma_data_direction dir)
261 memset(data, 0, sizeof(*data));
263 ret = ccp_init_sg_workarea(&data->sg_wa, cmd_q->ccp->dev, sg, sg_len,
268 ret = ccp_init_dm_workarea(&data->dm_wa, cmd_q, dm_len, dir);
275 ccp_free_data(data, cmd_q);
280 static unsigned int ccp_queue_buf(struct ccp_data *data, unsigned int from)
282 struct ccp_sg_workarea *sg_wa = &data->sg_wa;
283 struct ccp_dm_workarea *dm_wa = &data->dm_wa;
284 unsigned int buf_count, nbytes;
286 /* Clear the buffer if setting it */
288 memset(dm_wa->address, 0, dm_wa->length);
293 /* Perform the copy operation
294 * nbytes will always be <= UINT_MAX because dm_wa->length is
297 nbytes = min_t(u64, sg_wa->bytes_left, dm_wa->length);
298 scatterwalk_map_and_copy(dm_wa->address, sg_wa->sg, sg_wa->sg_used,
301 /* Update the structures and generate the count */
303 while (sg_wa->bytes_left && (buf_count < dm_wa->length)) {
304 nbytes = min(sg_wa->sg->length - sg_wa->sg_used,
305 dm_wa->length - buf_count);
306 nbytes = min_t(u64, sg_wa->bytes_left, nbytes);
309 ccp_update_sg_workarea(sg_wa, nbytes);
315 static unsigned int ccp_fill_queue_buf(struct ccp_data *data)
317 return ccp_queue_buf(data, 0);
320 static unsigned int ccp_empty_queue_buf(struct ccp_data *data)
322 return ccp_queue_buf(data, 1);
325 static void ccp_prepare_data(struct ccp_data *src, struct ccp_data *dst,
326 struct ccp_op *op, unsigned int block_size,
329 unsigned int sg_src_len, sg_dst_len, op_len;
331 /* The CCP can only DMA from/to one address each per operation. This
332 * requires that we find the smallest DMA area between the source
333 * and destination. The resulting len values will always be <= UINT_MAX
334 * because the dma length is an unsigned int.
336 sg_src_len = sg_dma_len(src->sg_wa.sg) - src->sg_wa.sg_used;
337 sg_src_len = min_t(u64, src->sg_wa.bytes_left, sg_src_len);
340 sg_dst_len = sg_dma_len(dst->sg_wa.sg) - dst->sg_wa.sg_used;
341 sg_dst_len = min_t(u64, src->sg_wa.bytes_left, sg_dst_len);
342 op_len = min(sg_src_len, sg_dst_len);
347 /* The data operation length will be at least block_size in length
348 * or the smaller of available sg room remaining for the source or
351 op_len = max(op_len, block_size);
353 /* Unless we have to buffer data, there's no reason to wait */
356 if (sg_src_len < block_size) {
357 /* Not enough data in the sg element, so it
358 * needs to be buffered into a blocksize chunk
360 int cp_len = ccp_fill_queue_buf(src);
363 op->src.u.dma.address = src->dm_wa.dma.address;
364 op->src.u.dma.offset = 0;
365 op->src.u.dma.length = (blocksize_op) ? block_size : cp_len;
367 /* Enough data in the sg element, but we need to
368 * adjust for any previously copied data
370 op->src.u.dma.address = sg_dma_address(src->sg_wa.sg);
371 op->src.u.dma.offset = src->sg_wa.sg_used;
372 op->src.u.dma.length = op_len & ~(block_size - 1);
374 ccp_update_sg_workarea(&src->sg_wa, op->src.u.dma.length);
378 if (sg_dst_len < block_size) {
379 /* Not enough room in the sg element or we're on the
380 * last piece of data (when using padding), so the
381 * output needs to be buffered into a blocksize chunk
384 op->dst.u.dma.address = dst->dm_wa.dma.address;
385 op->dst.u.dma.offset = 0;
386 op->dst.u.dma.length = op->src.u.dma.length;
388 /* Enough room in the sg element, but we need to
389 * adjust for any previously used area
391 op->dst.u.dma.address = sg_dma_address(dst->sg_wa.sg);
392 op->dst.u.dma.offset = dst->sg_wa.sg_used;
393 op->dst.u.dma.length = op->src.u.dma.length;
398 static void ccp_process_data(struct ccp_data *src, struct ccp_data *dst,
404 if (op->dst.u.dma.address == dst->dm_wa.dma.address)
405 ccp_empty_queue_buf(dst);
407 ccp_update_sg_workarea(&dst->sg_wa,
408 op->dst.u.dma.length);
412 static int ccp_copy_to_from_sb(struct ccp_cmd_queue *cmd_q,
413 struct ccp_dm_workarea *wa, u32 jobid, u32 sb,
414 u32 byte_swap, bool from)
418 memset(&op, 0, sizeof(op));
426 op.src.type = CCP_MEMTYPE_SB;
428 op.dst.type = CCP_MEMTYPE_SYSTEM;
429 op.dst.u.dma.address = wa->dma.address;
430 op.dst.u.dma.length = wa->length;
432 op.src.type = CCP_MEMTYPE_SYSTEM;
433 op.src.u.dma.address = wa->dma.address;
434 op.src.u.dma.length = wa->length;
435 op.dst.type = CCP_MEMTYPE_SB;
439 op.u.passthru.byte_swap = byte_swap;
441 return cmd_q->ccp->vdata->perform->passthru(&op);
444 static int ccp_copy_to_sb(struct ccp_cmd_queue *cmd_q,
445 struct ccp_dm_workarea *wa, u32 jobid, u32 sb,
448 return ccp_copy_to_from_sb(cmd_q, wa, jobid, sb, byte_swap, false);
451 static int ccp_copy_from_sb(struct ccp_cmd_queue *cmd_q,
452 struct ccp_dm_workarea *wa, u32 jobid, u32 sb,
455 return ccp_copy_to_from_sb(cmd_q, wa, jobid, sb, byte_swap, true);
458 static int ccp_run_aes_cmac_cmd(struct ccp_cmd_queue *cmd_q,
461 struct ccp_aes_engine *aes = &cmd->u.aes;
462 struct ccp_dm_workarea key, ctx;
465 unsigned int dm_offset;
468 if (!((aes->key_len == AES_KEYSIZE_128) ||
469 (aes->key_len == AES_KEYSIZE_192) ||
470 (aes->key_len == AES_KEYSIZE_256)))
473 if (aes->src_len & (AES_BLOCK_SIZE - 1))
476 if (aes->iv_len != AES_BLOCK_SIZE)
479 if (!aes->key || !aes->iv || !aes->src)
482 if (aes->cmac_final) {
483 if (aes->cmac_key_len != AES_BLOCK_SIZE)
490 BUILD_BUG_ON(CCP_AES_KEY_SB_COUNT != 1);
491 BUILD_BUG_ON(CCP_AES_CTX_SB_COUNT != 1);
494 memset(&op, 0, sizeof(op));
496 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
497 op.sb_key = cmd_q->sb_key;
498 op.sb_ctx = cmd_q->sb_ctx;
500 op.u.aes.type = aes->type;
501 op.u.aes.mode = aes->mode;
502 op.u.aes.action = aes->action;
504 /* All supported key sizes fit in a single (32-byte) SB entry
505 * and must be in little endian format. Use the 256-bit byte
506 * swap passthru option to convert from big endian to little
509 ret = ccp_init_dm_workarea(&key, cmd_q,
510 CCP_AES_KEY_SB_COUNT * CCP_SB_BYTES,
515 dm_offset = CCP_SB_BYTES - aes->key_len;
516 ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
519 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
520 CCP_PASSTHRU_BYTESWAP_256BIT);
522 cmd->engine_error = cmd_q->cmd_error;
526 /* The AES context fits in a single (32-byte) SB entry and
527 * must be in little endian format. Use the 256-bit byte swap
528 * passthru option to convert from big endian to little endian.
530 ret = ccp_init_dm_workarea(&ctx, cmd_q,
531 CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES,
536 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
537 ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
540 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
541 CCP_PASSTHRU_BYTESWAP_256BIT);
543 cmd->engine_error = cmd_q->cmd_error;
547 /* Send data to the CCP AES engine */
548 ret = ccp_init_data(&src, cmd_q, aes->src, aes->src_len,
549 AES_BLOCK_SIZE, DMA_TO_DEVICE);
553 while (src.sg_wa.bytes_left) {
554 ccp_prepare_data(&src, NULL, &op, AES_BLOCK_SIZE, true);
555 if (aes->cmac_final && !src.sg_wa.bytes_left) {
558 /* Push the K1/K2 key to the CCP now */
559 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid,
561 CCP_PASSTHRU_BYTESWAP_256BIT);
563 cmd->engine_error = cmd_q->cmd_error;
567 ret = ccp_set_dm_area(&ctx, 0, aes->cmac_key, 0,
571 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
572 CCP_PASSTHRU_BYTESWAP_256BIT);
574 cmd->engine_error = cmd_q->cmd_error;
579 ret = cmd_q->ccp->vdata->perform->aes(&op);
581 cmd->engine_error = cmd_q->cmd_error;
585 ccp_process_data(&src, NULL, &op);
588 /* Retrieve the AES context - convert from LE to BE using
589 * 32-byte (256-bit) byteswapping
591 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
592 CCP_PASSTHRU_BYTESWAP_256BIT);
594 cmd->engine_error = cmd_q->cmd_error;
598 /* ...but we only need AES_BLOCK_SIZE bytes */
599 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
600 ccp_get_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
603 ccp_free_data(&src, cmd_q);
614 static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
617 struct ccp_aes_engine *aes = &cmd->u.aes;
618 struct ccp_dm_workarea key, ctx, final_wa, tag;
619 struct ccp_data src, dst;
623 unsigned long long *final;
624 unsigned int dm_offset;
627 bool in_place = true; /* Default value */
630 struct scatterlist *p_inp, sg_inp[2];
631 struct scatterlist *p_tag, sg_tag[2];
632 struct scatterlist *p_outp, sg_outp[2];
633 struct scatterlist *p_aad;
638 if (!((aes->key_len == AES_KEYSIZE_128) ||
639 (aes->key_len == AES_KEYSIZE_192) ||
640 (aes->key_len == AES_KEYSIZE_256)))
643 if (!aes->key) /* Gotta have a key SGL */
646 /* First, decompose the source buffer into AAD & PT,
647 * and the destination buffer into AAD, CT & tag, or
648 * the input into CT & tag.
649 * It is expected that the input and output SGs will
650 * be valid, even if the AAD and input lengths are 0.
653 p_inp = scatterwalk_ffwd(sg_inp, aes->src, aes->aad_len);
654 p_outp = scatterwalk_ffwd(sg_outp, aes->dst, aes->aad_len);
655 if (aes->action == CCP_AES_ACTION_ENCRYPT) {
657 p_tag = scatterwalk_ffwd(sg_tag, p_outp, ilen);
659 /* Input length for decryption includes tag */
660 ilen = aes->src_len - AES_BLOCK_SIZE;
661 p_tag = scatterwalk_ffwd(sg_tag, p_inp, ilen);
664 jobid = CCP_NEW_JOBID(cmd_q->ccp);
666 memset(&op, 0, sizeof(op));
669 op.sb_key = cmd_q->sb_key; /* Pre-allocated */
670 op.sb_ctx = cmd_q->sb_ctx; /* Pre-allocated */
672 op.u.aes.type = aes->type;
674 /* Copy the key to the LSB */
675 ret = ccp_init_dm_workarea(&key, cmd_q,
676 CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES,
681 dm_offset = CCP_SB_BYTES - aes->key_len;
682 ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
685 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
686 CCP_PASSTHRU_BYTESWAP_256BIT);
688 cmd->engine_error = cmd_q->cmd_error;
692 /* Copy the context (IV) to the LSB.
693 * There is an assumption here that the IV is 96 bits in length, plus
694 * a nonce of 32 bits. If no IV is present, use a zeroed buffer.
696 ret = ccp_init_dm_workarea(&ctx, cmd_q,
697 CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES,
702 dm_offset = CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES - aes->iv_len;
703 ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
707 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
708 CCP_PASSTHRU_BYTESWAP_256BIT);
710 cmd->engine_error = cmd_q->cmd_error;
715 if (aes->aad_len > 0) {
716 /* Step 1: Run a GHASH over the Additional Authenticated Data */
717 ret = ccp_init_data(&aad, cmd_q, p_aad, aes->aad_len,
723 op.u.aes.mode = CCP_AES_MODE_GHASH;
724 op.u.aes.action = CCP_AES_GHASHAAD;
726 while (aad.sg_wa.bytes_left) {
727 ccp_prepare_data(&aad, NULL, &op, AES_BLOCK_SIZE, true);
729 ret = cmd_q->ccp->vdata->perform->aes(&op);
731 cmd->engine_error = cmd_q->cmd_error;
735 ccp_process_data(&aad, NULL, &op);
740 op.u.aes.mode = CCP_AES_MODE_GCTR;
741 op.u.aes.action = aes->action;
744 /* Step 2: Run a GCTR over the plaintext */
745 in_place = (sg_virt(p_inp) == sg_virt(p_outp)) ? true : false;
747 ret = ccp_init_data(&src, cmd_q, p_inp, ilen,
749 in_place ? DMA_BIDIRECTIONAL
757 ret = ccp_init_data(&dst, cmd_q, p_outp, ilen,
758 AES_BLOCK_SIZE, DMA_FROM_DEVICE);
766 while (src.sg_wa.bytes_left) {
767 ccp_prepare_data(&src, &dst, &op, AES_BLOCK_SIZE, true);
768 if (!src.sg_wa.bytes_left) {
769 unsigned int nbytes = aes->src_len
774 op.u.aes.size = (nbytes * 8) - 1;
778 ret = cmd_q->ccp->vdata->perform->aes(&op);
780 cmd->engine_error = cmd_q->cmd_error;
784 ccp_process_data(&src, &dst, &op);
789 /* Step 3: Update the IV portion of the context with the original IV */
790 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
791 CCP_PASSTHRU_BYTESWAP_256BIT);
793 cmd->engine_error = cmd_q->cmd_error;
797 ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
801 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
802 CCP_PASSTHRU_BYTESWAP_256BIT);
804 cmd->engine_error = cmd_q->cmd_error;
808 /* Step 4: Concatenate the lengths of the AAD and source, and
809 * hash that 16 byte buffer.
811 ret = ccp_init_dm_workarea(&final_wa, cmd_q, AES_BLOCK_SIZE,
815 final = (unsigned long long *) final_wa.address;
816 final[0] = cpu_to_be64(aes->aad_len * 8);
817 final[1] = cpu_to_be64(ilen * 8);
819 memset(&op, 0, sizeof(op));
822 op.sb_key = cmd_q->sb_key; /* Pre-allocated */
823 op.sb_ctx = cmd_q->sb_ctx; /* Pre-allocated */
825 op.u.aes.type = aes->type;
826 op.u.aes.mode = CCP_AES_MODE_GHASH;
827 op.u.aes.action = CCP_AES_GHASHFINAL;
828 op.src.type = CCP_MEMTYPE_SYSTEM;
829 op.src.u.dma.address = final_wa.dma.address;
830 op.src.u.dma.length = AES_BLOCK_SIZE;
831 op.dst.type = CCP_MEMTYPE_SYSTEM;
832 op.dst.u.dma.address = final_wa.dma.address;
833 op.dst.u.dma.length = AES_BLOCK_SIZE;
836 ret = cmd_q->ccp->vdata->perform->aes(&op);
840 if (aes->action == CCP_AES_ACTION_ENCRYPT) {
841 /* Put the ciphered tag after the ciphertext. */
842 ccp_get_dm_area(&final_wa, 0, p_tag, 0, AES_BLOCK_SIZE);
844 /* Does this ciphered tag match the input? */
845 ret = ccp_init_dm_workarea(&tag, cmd_q, AES_BLOCK_SIZE,
849 ret = ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
853 ret = crypto_memneq(tag.address, final_wa.address,
854 AES_BLOCK_SIZE) ? -EBADMSG : 0;
859 ccp_dm_free(&final_wa);
862 if (aes->src_len && !in_place)
863 ccp_free_data(&dst, cmd_q);
867 ccp_free_data(&src, cmd_q);
871 ccp_free_data(&aad, cmd_q);
882 static int ccp_run_aes_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
884 struct ccp_aes_engine *aes = &cmd->u.aes;
885 struct ccp_dm_workarea key, ctx;
886 struct ccp_data src, dst;
888 unsigned int dm_offset;
889 bool in_place = false;
892 if (aes->mode == CCP_AES_MODE_CMAC)
893 return ccp_run_aes_cmac_cmd(cmd_q, cmd);
895 if (aes->mode == CCP_AES_MODE_GCM)
896 return ccp_run_aes_gcm_cmd(cmd_q, cmd);
898 if (!((aes->key_len == AES_KEYSIZE_128) ||
899 (aes->key_len == AES_KEYSIZE_192) ||
900 (aes->key_len == AES_KEYSIZE_256)))
903 if (((aes->mode == CCP_AES_MODE_ECB) ||
904 (aes->mode == CCP_AES_MODE_CBC)) &&
905 (aes->src_len & (AES_BLOCK_SIZE - 1)))
908 if (!aes->key || !aes->src || !aes->dst)
911 if (aes->mode != CCP_AES_MODE_ECB) {
912 if (aes->iv_len != AES_BLOCK_SIZE)
919 BUILD_BUG_ON(CCP_AES_KEY_SB_COUNT != 1);
920 BUILD_BUG_ON(CCP_AES_CTX_SB_COUNT != 1);
923 memset(&op, 0, sizeof(op));
925 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
926 op.sb_key = cmd_q->sb_key;
927 op.sb_ctx = cmd_q->sb_ctx;
928 op.init = (aes->mode == CCP_AES_MODE_ECB) ? 0 : 1;
929 op.u.aes.type = aes->type;
930 op.u.aes.mode = aes->mode;
931 op.u.aes.action = aes->action;
933 /* All supported key sizes fit in a single (32-byte) SB entry
934 * and must be in little endian format. Use the 256-bit byte
935 * swap passthru option to convert from big endian to little
938 ret = ccp_init_dm_workarea(&key, cmd_q,
939 CCP_AES_KEY_SB_COUNT * CCP_SB_BYTES,
944 dm_offset = CCP_SB_BYTES - aes->key_len;
945 ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
948 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
949 CCP_PASSTHRU_BYTESWAP_256BIT);
951 cmd->engine_error = cmd_q->cmd_error;
955 /* The AES context fits in a single (32-byte) SB entry and
956 * must be in little endian format. Use the 256-bit byte swap
957 * passthru option to convert from big endian to little endian.
959 ret = ccp_init_dm_workarea(&ctx, cmd_q,
960 CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES,
965 if (aes->mode != CCP_AES_MODE_ECB) {
966 /* Load the AES context - convert to LE */
967 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
968 ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
971 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
972 CCP_PASSTHRU_BYTESWAP_256BIT);
974 cmd->engine_error = cmd_q->cmd_error;
979 case CCP_AES_MODE_CFB: /* CFB128 only */
980 case CCP_AES_MODE_CTR:
981 op.u.aes.size = AES_BLOCK_SIZE * BITS_PER_BYTE - 1;
987 /* Prepare the input and output data workareas. For in-place
988 * operations we need to set the dma direction to BIDIRECTIONAL
989 * and copy the src workarea to the dst workarea.
991 if (sg_virt(aes->src) == sg_virt(aes->dst))
994 ret = ccp_init_data(&src, cmd_q, aes->src, aes->src_len,
996 in_place ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE);
1003 ret = ccp_init_data(&dst, cmd_q, aes->dst, aes->src_len,
1004 AES_BLOCK_SIZE, DMA_FROM_DEVICE);
1009 /* Send data to the CCP AES engine */
1010 while (src.sg_wa.bytes_left) {
1011 ccp_prepare_data(&src, &dst, &op, AES_BLOCK_SIZE, true);
1012 if (!src.sg_wa.bytes_left) {
1015 /* Since we don't retrieve the AES context in ECB
1016 * mode we have to wait for the operation to complete
1017 * on the last piece of data
1019 if (aes->mode == CCP_AES_MODE_ECB)
1023 ret = cmd_q->ccp->vdata->perform->aes(&op);
1025 cmd->engine_error = cmd_q->cmd_error;
1029 ccp_process_data(&src, &dst, &op);
1032 if (aes->mode != CCP_AES_MODE_ECB) {
1033 /* Retrieve the AES context - convert from LE to BE using
1034 * 32-byte (256-bit) byteswapping
1036 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1037 CCP_PASSTHRU_BYTESWAP_256BIT);
1039 cmd->engine_error = cmd_q->cmd_error;
1043 /* ...but we only need AES_BLOCK_SIZE bytes */
1044 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
1045 ccp_get_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
1050 ccp_free_data(&dst, cmd_q);
1053 ccp_free_data(&src, cmd_q);
1064 static int ccp_run_xts_aes_cmd(struct ccp_cmd_queue *cmd_q,
1065 struct ccp_cmd *cmd)
1067 struct ccp_xts_aes_engine *xts = &cmd->u.xts;
1068 struct ccp_dm_workarea key, ctx;
1069 struct ccp_data src, dst;
1071 unsigned int unit_size, dm_offset;
1072 bool in_place = false;
1073 unsigned int sb_count;
1074 enum ccp_aes_type aestype;
1077 switch (xts->unit_size) {
1078 case CCP_XTS_AES_UNIT_SIZE_16:
1081 case CCP_XTS_AES_UNIT_SIZE_512:
1084 case CCP_XTS_AES_UNIT_SIZE_1024:
1087 case CCP_XTS_AES_UNIT_SIZE_2048:
1090 case CCP_XTS_AES_UNIT_SIZE_4096:
1098 if (xts->key_len == AES_KEYSIZE_128)
1099 aestype = CCP_AES_TYPE_128;
1100 else if (xts->key_len == AES_KEYSIZE_256)
1101 aestype = CCP_AES_TYPE_256;
1105 if (!xts->final && (xts->src_len & (AES_BLOCK_SIZE - 1)))
1108 if (xts->iv_len != AES_BLOCK_SIZE)
1111 if (!xts->key || !xts->iv || !xts->src || !xts->dst)
1114 BUILD_BUG_ON(CCP_XTS_AES_KEY_SB_COUNT != 1);
1115 BUILD_BUG_ON(CCP_XTS_AES_CTX_SB_COUNT != 1);
1118 memset(&op, 0, sizeof(op));
1120 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1121 op.sb_key = cmd_q->sb_key;
1122 op.sb_ctx = cmd_q->sb_ctx;
1124 op.u.xts.type = aestype;
1125 op.u.xts.action = xts->action;
1126 op.u.xts.unit_size = xts->unit_size;
1128 /* A version 3 device only supports 128-bit keys, which fits into a
1129 * single SB entry. A version 5 device uses a 512-bit vector, so two
1132 if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0))
1133 sb_count = CCP_XTS_AES_KEY_SB_COUNT;
1135 sb_count = CCP5_XTS_AES_KEY_SB_COUNT;
1136 ret = ccp_init_dm_workarea(&key, cmd_q,
1137 sb_count * CCP_SB_BYTES,
1142 if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0)) {
1143 /* All supported key sizes must be in little endian format.
1144 * Use the 256-bit byte swap passthru option to convert from
1145 * big endian to little endian.
1147 dm_offset = CCP_SB_BYTES - AES_KEYSIZE_128;
1148 ret = ccp_set_dm_area(&key, dm_offset, xts->key, 0, xts->key_len);
1151 ret = ccp_set_dm_area(&key, 0, xts->key, xts->key_len, xts->key_len);
1155 /* Version 5 CCPs use a 512-bit space for the key: each portion
1156 * occupies 256 bits, or one entire slot, and is zero-padded.
1160 dm_offset = CCP_SB_BYTES;
1161 pad = dm_offset - xts->key_len;
1162 ret = ccp_set_dm_area(&key, pad, xts->key, 0, xts->key_len);
1165 ret = ccp_set_dm_area(&key, dm_offset + pad, xts->key,
1166 xts->key_len, xts->key_len);
1170 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
1171 CCP_PASSTHRU_BYTESWAP_256BIT);
1173 cmd->engine_error = cmd_q->cmd_error;
1177 /* The AES context fits in a single (32-byte) SB entry and
1178 * for XTS is already in little endian format so no byte swapping
1181 ret = ccp_init_dm_workarea(&ctx, cmd_q,
1182 CCP_XTS_AES_CTX_SB_COUNT * CCP_SB_BYTES,
1187 ret = ccp_set_dm_area(&ctx, 0, xts->iv, 0, xts->iv_len);
1190 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1191 CCP_PASSTHRU_BYTESWAP_NOOP);
1193 cmd->engine_error = cmd_q->cmd_error;
1197 /* Prepare the input and output data workareas. For in-place
1198 * operations we need to set the dma direction to BIDIRECTIONAL
1199 * and copy the src workarea to the dst workarea.
1201 if (sg_virt(xts->src) == sg_virt(xts->dst))
1204 ret = ccp_init_data(&src, cmd_q, xts->src, xts->src_len,
1206 in_place ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE);
1213 ret = ccp_init_data(&dst, cmd_q, xts->dst, xts->src_len,
1214 unit_size, DMA_FROM_DEVICE);
1219 /* Send data to the CCP AES engine */
1220 while (src.sg_wa.bytes_left) {
1221 ccp_prepare_data(&src, &dst, &op, unit_size, true);
1222 if (!src.sg_wa.bytes_left)
1225 ret = cmd_q->ccp->vdata->perform->xts_aes(&op);
1227 cmd->engine_error = cmd_q->cmd_error;
1231 ccp_process_data(&src, &dst, &op);
1234 /* Retrieve the AES context - convert from LE to BE using
1235 * 32-byte (256-bit) byteswapping
1237 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1238 CCP_PASSTHRU_BYTESWAP_256BIT);
1240 cmd->engine_error = cmd_q->cmd_error;
1244 /* ...but we only need AES_BLOCK_SIZE bytes */
1245 dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
1246 ccp_get_dm_area(&ctx, dm_offset, xts->iv, 0, xts->iv_len);
1250 ccp_free_data(&dst, cmd_q);
1253 ccp_free_data(&src, cmd_q);
1264 static int ccp_run_des3_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
1266 struct ccp_des3_engine *des3 = &cmd->u.des3;
1268 struct ccp_dm_workarea key, ctx;
1269 struct ccp_data src, dst;
1271 unsigned int dm_offset;
1272 unsigned int len_singlekey;
1273 bool in_place = false;
1277 if (cmd_q->ccp->vdata->version < CCP_VERSION(5, 0))
1280 if (!cmd_q->ccp->vdata->perform->des3)
1283 if (des3->key_len != DES3_EDE_KEY_SIZE)
1286 if (((des3->mode == CCP_DES3_MODE_ECB) ||
1287 (des3->mode == CCP_DES3_MODE_CBC)) &&
1288 (des3->src_len & (DES3_EDE_BLOCK_SIZE - 1)))
1291 if (!des3->key || !des3->src || !des3->dst)
1294 if (des3->mode != CCP_DES3_MODE_ECB) {
1295 if (des3->iv_len != DES3_EDE_BLOCK_SIZE)
1303 /* Zero out all the fields of the command desc */
1304 memset(&op, 0, sizeof(op));
1306 /* Set up the Function field */
1308 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1309 op.sb_key = cmd_q->sb_key;
1311 op.init = (des3->mode == CCP_DES3_MODE_ECB) ? 0 : 1;
1312 op.u.des3.type = des3->type;
1313 op.u.des3.mode = des3->mode;
1314 op.u.des3.action = des3->action;
1317 * All supported key sizes fit in a single (32-byte) KSB entry and
1318 * (like AES) must be in little endian format. Use the 256-bit byte
1319 * swap passthru option to convert from big endian to little endian.
1321 ret = ccp_init_dm_workarea(&key, cmd_q,
1322 CCP_DES3_KEY_SB_COUNT * CCP_SB_BYTES,
1328 * The contents of the key triplet are in the reverse order of what
1329 * is required by the engine. Copy the 3 pieces individually to put
1330 * them where they belong.
1332 dm_offset = CCP_SB_BYTES - des3->key_len; /* Basic offset */
1334 len_singlekey = des3->key_len / 3;
1335 ret = ccp_set_dm_area(&key, dm_offset + 2 * len_singlekey,
1336 des3->key, 0, len_singlekey);
1339 ret = ccp_set_dm_area(&key, dm_offset + len_singlekey,
1340 des3->key, len_singlekey, len_singlekey);
1343 ret = ccp_set_dm_area(&key, dm_offset,
1344 des3->key, 2 * len_singlekey, len_singlekey);
1348 /* Copy the key to the SB */
1349 ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
1350 CCP_PASSTHRU_BYTESWAP_256BIT);
1352 cmd->engine_error = cmd_q->cmd_error;
1357 * The DES3 context fits in a single (32-byte) KSB entry and
1358 * must be in little endian format. Use the 256-bit byte swap
1359 * passthru option to convert from big endian to little endian.
1361 if (des3->mode != CCP_DES3_MODE_ECB) {
1362 op.sb_ctx = cmd_q->sb_ctx;
1364 ret = ccp_init_dm_workarea(&ctx, cmd_q,
1365 CCP_DES3_CTX_SB_COUNT * CCP_SB_BYTES,
1370 /* Load the context into the LSB */
1371 dm_offset = CCP_SB_BYTES - des3->iv_len;
1372 ret = ccp_set_dm_area(&ctx, dm_offset, des3->iv, 0,
1377 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1378 CCP_PASSTHRU_BYTESWAP_256BIT);
1380 cmd->engine_error = cmd_q->cmd_error;
1386 * Prepare the input and output data workareas. For in-place
1387 * operations we need to set the dma direction to BIDIRECTIONAL
1388 * and copy the src workarea to the dst workarea.
1390 if (sg_virt(des3->src) == sg_virt(des3->dst))
1393 ret = ccp_init_data(&src, cmd_q, des3->src, des3->src_len,
1394 DES3_EDE_BLOCK_SIZE,
1395 in_place ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE);
1402 ret = ccp_init_data(&dst, cmd_q, des3->dst, des3->src_len,
1403 DES3_EDE_BLOCK_SIZE, DMA_FROM_DEVICE);
1408 /* Send data to the CCP DES3 engine */
1409 while (src.sg_wa.bytes_left) {
1410 ccp_prepare_data(&src, &dst, &op, DES3_EDE_BLOCK_SIZE, true);
1411 if (!src.sg_wa.bytes_left) {
1414 /* Since we don't retrieve the context in ECB mode
1415 * we have to wait for the operation to complete
1416 * on the last piece of data
1421 ret = cmd_q->ccp->vdata->perform->des3(&op);
1423 cmd->engine_error = cmd_q->cmd_error;
1427 ccp_process_data(&src, &dst, &op);
1430 if (des3->mode != CCP_DES3_MODE_ECB) {
1431 /* Retrieve the context and make BE */
1432 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1433 CCP_PASSTHRU_BYTESWAP_256BIT);
1435 cmd->engine_error = cmd_q->cmd_error;
1439 /* ...but we only need the last DES3_EDE_BLOCK_SIZE bytes */
1440 ccp_get_dm_area(&ctx, dm_offset, des3->iv, 0,
1441 DES3_EDE_BLOCK_SIZE);
1445 ccp_free_data(&dst, cmd_q);
1448 ccp_free_data(&src, cmd_q);
1451 if (des3->mode != CCP_DES3_MODE_ECB)
1460 static int ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
1462 struct ccp_sha_engine *sha = &cmd->u.sha;
1463 struct ccp_dm_workarea ctx;
1464 struct ccp_data src;
1466 unsigned int ioffset, ooffset;
1467 unsigned int digest_size;
1474 switch (sha->type) {
1475 case CCP_SHA_TYPE_1:
1476 if (sha->ctx_len < SHA1_DIGEST_SIZE)
1478 block_size = SHA1_BLOCK_SIZE;
1480 case CCP_SHA_TYPE_224:
1481 if (sha->ctx_len < SHA224_DIGEST_SIZE)
1483 block_size = SHA224_BLOCK_SIZE;
1485 case CCP_SHA_TYPE_256:
1486 if (sha->ctx_len < SHA256_DIGEST_SIZE)
1488 block_size = SHA256_BLOCK_SIZE;
1490 case CCP_SHA_TYPE_384:
1491 if (cmd_q->ccp->vdata->version < CCP_VERSION(4, 0)
1492 || sha->ctx_len < SHA384_DIGEST_SIZE)
1494 block_size = SHA384_BLOCK_SIZE;
1496 case CCP_SHA_TYPE_512:
1497 if (cmd_q->ccp->vdata->version < CCP_VERSION(4, 0)
1498 || sha->ctx_len < SHA512_DIGEST_SIZE)
1500 block_size = SHA512_BLOCK_SIZE;
1509 if (!sha->final && (sha->src_len & (block_size - 1)))
1512 /* The version 3 device can't handle zero-length input */
1513 if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0)) {
1515 if (!sha->src_len) {
1516 unsigned int digest_len;
1519 /* Not final, just return */
1523 /* CCP can't do a zero length sha operation so the
1524 * caller must buffer the data.
1529 /* The CCP cannot perform zero-length sha operations
1530 * so the caller is required to buffer data for the
1531 * final operation. However, a sha operation for a
1532 * message with a total length of zero is valid so
1533 * known values are required to supply the result.
1535 switch (sha->type) {
1536 case CCP_SHA_TYPE_1:
1537 sha_zero = sha1_zero_message_hash;
1538 digest_len = SHA1_DIGEST_SIZE;
1540 case CCP_SHA_TYPE_224:
1541 sha_zero = sha224_zero_message_hash;
1542 digest_len = SHA224_DIGEST_SIZE;
1544 case CCP_SHA_TYPE_256:
1545 sha_zero = sha256_zero_message_hash;
1546 digest_len = SHA256_DIGEST_SIZE;
1552 scatterwalk_map_and_copy((void *)sha_zero, sha->ctx, 0,
1559 /* Set variables used throughout */
1560 switch (sha->type) {
1561 case CCP_SHA_TYPE_1:
1562 digest_size = SHA1_DIGEST_SIZE;
1563 init = (void *) ccp_sha1_init;
1564 ctx_size = SHA1_DIGEST_SIZE;
1566 if (cmd_q->ccp->vdata->version != CCP_VERSION(3, 0))
1567 ooffset = ioffset = CCP_SB_BYTES - SHA1_DIGEST_SIZE;
1569 ooffset = ioffset = 0;
1571 case CCP_SHA_TYPE_224:
1572 digest_size = SHA224_DIGEST_SIZE;
1573 init = (void *) ccp_sha224_init;
1574 ctx_size = SHA256_DIGEST_SIZE;
1577 if (cmd_q->ccp->vdata->version != CCP_VERSION(3, 0))
1578 ooffset = CCP_SB_BYTES - SHA224_DIGEST_SIZE;
1582 case CCP_SHA_TYPE_256:
1583 digest_size = SHA256_DIGEST_SIZE;
1584 init = (void *) ccp_sha256_init;
1585 ctx_size = SHA256_DIGEST_SIZE;
1587 ooffset = ioffset = 0;
1589 case CCP_SHA_TYPE_384:
1590 digest_size = SHA384_DIGEST_SIZE;
1591 init = (void *) ccp_sha384_init;
1592 ctx_size = SHA512_DIGEST_SIZE;
1595 ooffset = 2 * CCP_SB_BYTES - SHA384_DIGEST_SIZE;
1597 case CCP_SHA_TYPE_512:
1598 digest_size = SHA512_DIGEST_SIZE;
1599 init = (void *) ccp_sha512_init;
1600 ctx_size = SHA512_DIGEST_SIZE;
1602 ooffset = ioffset = 0;
1609 /* For zero-length plaintext the src pointer is ignored;
1610 * otherwise both parts must be valid
1612 if (sha->src_len && !sha->src)
1615 memset(&op, 0, sizeof(op));
1617 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1618 op.sb_ctx = cmd_q->sb_ctx; /* Pre-allocated */
1619 op.u.sha.type = sha->type;
1620 op.u.sha.msg_bits = sha->msg_bits;
1622 /* For SHA1/224/256 the context fits in a single (32-byte) SB entry;
1623 * SHA384/512 require 2 adjacent SB slots, with the right half in the
1624 * first slot, and the left half in the second. Each portion must then
1625 * be in little endian format: use the 256-bit byte swap option.
1627 ret = ccp_init_dm_workarea(&ctx, cmd_q, sb_count * CCP_SB_BYTES,
1632 switch (sha->type) {
1633 case CCP_SHA_TYPE_1:
1634 case CCP_SHA_TYPE_224:
1635 case CCP_SHA_TYPE_256:
1636 memcpy(ctx.address + ioffset, init, ctx_size);
1638 case CCP_SHA_TYPE_384:
1639 case CCP_SHA_TYPE_512:
1640 memcpy(ctx.address + ctx_size / 2, init,
1642 memcpy(ctx.address, init + ctx_size / 2,
1650 /* Restore the context */
1651 ret = ccp_set_dm_area(&ctx, 0, sha->ctx, 0,
1652 sb_count * CCP_SB_BYTES);
1657 ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1658 CCP_PASSTHRU_BYTESWAP_256BIT);
1660 cmd->engine_error = cmd_q->cmd_error;
1665 /* Send data to the CCP SHA engine; block_size is set above */
1666 ret = ccp_init_data(&src, cmd_q, sha->src, sha->src_len,
1667 block_size, DMA_TO_DEVICE);
1671 while (src.sg_wa.bytes_left) {
1672 ccp_prepare_data(&src, NULL, &op, block_size, false);
1673 if (sha->final && !src.sg_wa.bytes_left)
1676 ret = cmd_q->ccp->vdata->perform->sha(&op);
1678 cmd->engine_error = cmd_q->cmd_error;
1682 ccp_process_data(&src, NULL, &op);
1686 ret = cmd_q->ccp->vdata->perform->sha(&op);
1688 cmd->engine_error = cmd_q->cmd_error;
1693 /* Retrieve the SHA context - convert from LE to BE using
1694 * 32-byte (256-bit) byteswapping to BE
1696 ret = ccp_copy_from_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
1697 CCP_PASSTHRU_BYTESWAP_256BIT);
1699 cmd->engine_error = cmd_q->cmd_error;
1704 /* Finishing up, so get the digest */
1705 switch (sha->type) {
1706 case CCP_SHA_TYPE_1:
1707 case CCP_SHA_TYPE_224:
1708 case CCP_SHA_TYPE_256:
1709 ccp_get_dm_area(&ctx, ooffset,
1713 case CCP_SHA_TYPE_384:
1714 case CCP_SHA_TYPE_512:
1715 ccp_get_dm_area(&ctx, 0,
1716 sha->ctx, LSB_ITEM_SIZE - ooffset,
1718 ccp_get_dm_area(&ctx, LSB_ITEM_SIZE + ooffset,
1720 LSB_ITEM_SIZE - ooffset);
1727 /* Stash the context */
1728 ccp_get_dm_area(&ctx, 0, sha->ctx, 0,
1729 sb_count * CCP_SB_BYTES);
1732 if (sha->final && sha->opad) {
1733 /* HMAC operation, recursively perform final SHA */
1734 struct ccp_cmd hmac_cmd;
1735 struct scatterlist sg;
1738 if (sha->opad_len != block_size) {
1743 hmac_buf = kmalloc(block_size + digest_size, GFP_KERNEL);
1748 sg_init_one(&sg, hmac_buf, block_size + digest_size);
1750 scatterwalk_map_and_copy(hmac_buf, sha->opad, 0, block_size, 0);
1751 switch (sha->type) {
1752 case CCP_SHA_TYPE_1:
1753 case CCP_SHA_TYPE_224:
1754 case CCP_SHA_TYPE_256:
1755 memcpy(hmac_buf + block_size,
1756 ctx.address + ooffset,
1759 case CCP_SHA_TYPE_384:
1760 case CCP_SHA_TYPE_512:
1761 memcpy(hmac_buf + block_size,
1762 ctx.address + LSB_ITEM_SIZE + ooffset,
1764 memcpy(hmac_buf + block_size +
1765 (LSB_ITEM_SIZE - ooffset),
1774 memset(&hmac_cmd, 0, sizeof(hmac_cmd));
1775 hmac_cmd.engine = CCP_ENGINE_SHA;
1776 hmac_cmd.u.sha.type = sha->type;
1777 hmac_cmd.u.sha.ctx = sha->ctx;
1778 hmac_cmd.u.sha.ctx_len = sha->ctx_len;
1779 hmac_cmd.u.sha.src = &sg;
1780 hmac_cmd.u.sha.src_len = block_size + digest_size;
1781 hmac_cmd.u.sha.opad = NULL;
1782 hmac_cmd.u.sha.opad_len = 0;
1783 hmac_cmd.u.sha.first = 1;
1784 hmac_cmd.u.sha.final = 1;
1785 hmac_cmd.u.sha.msg_bits = (block_size + digest_size) << 3;
1787 ret = ccp_run_sha_cmd(cmd_q, &hmac_cmd);
1789 cmd->engine_error = hmac_cmd.engine_error;
1796 ccp_free_data(&src, cmd_q);
1804 static int ccp_run_rsa_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
1806 struct ccp_rsa_engine *rsa = &cmd->u.rsa;
1807 struct ccp_dm_workarea exp, src, dst;
1809 unsigned int sb_count, i_len, o_len;
1812 /* Check against the maximum allowable size, in bits */
1813 if (rsa->key_size > cmd_q->ccp->vdata->rsamax)
1816 if (!rsa->exp || !rsa->mod || !rsa->src || !rsa->dst)
1819 memset(&op, 0, sizeof(op));
1821 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1823 /* The RSA modulus must precede the message being acted upon, so
1824 * it must be copied to a DMA area where the message and the
1825 * modulus can be concatenated. Therefore the input buffer
1826 * length required is twice the output buffer length (which
1827 * must be a multiple of 256-bits). Compute o_len, i_len in bytes.
1828 * Buffer sizes must be a multiple of 32 bytes; rounding up may be
1831 o_len = 32 * ((rsa->key_size + 255) / 256);
1835 if (cmd_q->ccp->vdata->version < CCP_VERSION(5, 0)) {
1836 /* sb_count is the number of storage block slots required
1839 sb_count = o_len / CCP_SB_BYTES;
1840 op.sb_key = cmd_q->ccp->vdata->perform->sballoc(cmd_q,
1845 /* A version 5 device allows a modulus size that will not fit
1846 * in the LSB, so the command will transfer it from memory.
1847 * Set the sb key to the default, even though it's not used.
1849 op.sb_key = cmd_q->sb_key;
1852 /* The RSA exponent must be in little endian format. Reverse its
1855 ret = ccp_init_dm_workarea(&exp, cmd_q, o_len, DMA_TO_DEVICE);
1859 ret = ccp_reverse_set_dm_area(&exp, 0, rsa->exp, 0, rsa->exp_len);
1863 if (cmd_q->ccp->vdata->version < CCP_VERSION(5, 0)) {
1864 /* Copy the exponent to the local storage block, using
1865 * as many 32-byte blocks as were allocated above. It's
1866 * already little endian, so no further change is required.
1868 ret = ccp_copy_to_sb(cmd_q, &exp, op.jobid, op.sb_key,
1869 CCP_PASSTHRU_BYTESWAP_NOOP);
1871 cmd->engine_error = cmd_q->cmd_error;
1875 /* The exponent can be retrieved from memory via DMA. */
1876 op.exp.u.dma.address = exp.dma.address;
1877 op.exp.u.dma.offset = 0;
1880 /* Concatenate the modulus and the message. Both the modulus and
1881 * the operands must be in little endian format. Since the input
1882 * is in big endian format it must be converted.
1884 ret = ccp_init_dm_workarea(&src, cmd_q, i_len, DMA_TO_DEVICE);
1888 ret = ccp_reverse_set_dm_area(&src, 0, rsa->mod, 0, rsa->mod_len);
1891 ret = ccp_reverse_set_dm_area(&src, o_len, rsa->src, 0, rsa->src_len);
1895 /* Prepare the output area for the operation */
1896 ret = ccp_init_dm_workarea(&dst, cmd_q, o_len, DMA_FROM_DEVICE);
1901 op.src.u.dma.address = src.dma.address;
1902 op.src.u.dma.offset = 0;
1903 op.src.u.dma.length = i_len;
1904 op.dst.u.dma.address = dst.dma.address;
1905 op.dst.u.dma.offset = 0;
1906 op.dst.u.dma.length = o_len;
1908 op.u.rsa.mod_size = rsa->key_size;
1909 op.u.rsa.input_len = i_len;
1911 ret = cmd_q->ccp->vdata->perform->rsa(&op);
1913 cmd->engine_error = cmd_q->cmd_error;
1917 ccp_reverse_get_dm_area(&dst, 0, rsa->dst, 0, rsa->mod_len);
1930 cmd_q->ccp->vdata->perform->sbfree(cmd_q, op.sb_key, sb_count);
1935 static int ccp_run_passthru_cmd(struct ccp_cmd_queue *cmd_q,
1936 struct ccp_cmd *cmd)
1938 struct ccp_passthru_engine *pt = &cmd->u.passthru;
1939 struct ccp_dm_workarea mask;
1940 struct ccp_data src, dst;
1942 bool in_place = false;
1946 if (!pt->final && (pt->src_len & (CCP_PASSTHRU_BLOCKSIZE - 1)))
1949 if (!pt->src || !pt->dst)
1952 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP) {
1953 if (pt->mask_len != CCP_PASSTHRU_MASKSIZE)
1959 BUILD_BUG_ON(CCP_PASSTHRU_SB_COUNT != 1);
1961 memset(&op, 0, sizeof(op));
1963 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
1965 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP) {
1967 op.sb_key = cmd_q->sb_key;
1969 ret = ccp_init_dm_workarea(&mask, cmd_q,
1970 CCP_PASSTHRU_SB_COUNT *
1976 ret = ccp_set_dm_area(&mask, 0, pt->mask, 0, pt->mask_len);
1979 ret = ccp_copy_to_sb(cmd_q, &mask, op.jobid, op.sb_key,
1980 CCP_PASSTHRU_BYTESWAP_NOOP);
1982 cmd->engine_error = cmd_q->cmd_error;
1987 /* Prepare the input and output data workareas. For in-place
1988 * operations we need to set the dma direction to BIDIRECTIONAL
1989 * and copy the src workarea to the dst workarea.
1991 if (sg_virt(pt->src) == sg_virt(pt->dst))
1994 ret = ccp_init_data(&src, cmd_q, pt->src, pt->src_len,
1995 CCP_PASSTHRU_MASKSIZE,
1996 in_place ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE);
2003 ret = ccp_init_data(&dst, cmd_q, pt->dst, pt->src_len,
2004 CCP_PASSTHRU_MASKSIZE, DMA_FROM_DEVICE);
2009 /* Send data to the CCP Passthru engine
2010 * Because the CCP engine works on a single source and destination
2011 * dma address at a time, each entry in the source scatterlist
2012 * (after the dma_map_sg call) must be less than or equal to the
2013 * (remaining) length in the destination scatterlist entry and the
2014 * length must be a multiple of CCP_PASSTHRU_BLOCKSIZE
2016 dst.sg_wa.sg_used = 0;
2017 for (i = 1; i <= src.sg_wa.dma_count; i++) {
2018 if (!dst.sg_wa.sg ||
2019 (dst.sg_wa.sg->length < src.sg_wa.sg->length)) {
2024 if (i == src.sg_wa.dma_count) {
2029 op.src.type = CCP_MEMTYPE_SYSTEM;
2030 op.src.u.dma.address = sg_dma_address(src.sg_wa.sg);
2031 op.src.u.dma.offset = 0;
2032 op.src.u.dma.length = sg_dma_len(src.sg_wa.sg);
2034 op.dst.type = CCP_MEMTYPE_SYSTEM;
2035 op.dst.u.dma.address = sg_dma_address(dst.sg_wa.sg);
2036 op.dst.u.dma.offset = dst.sg_wa.sg_used;
2037 op.dst.u.dma.length = op.src.u.dma.length;
2039 ret = cmd_q->ccp->vdata->perform->passthru(&op);
2041 cmd->engine_error = cmd_q->cmd_error;
2045 dst.sg_wa.sg_used += src.sg_wa.sg->length;
2046 if (dst.sg_wa.sg_used == dst.sg_wa.sg->length) {
2047 dst.sg_wa.sg = sg_next(dst.sg_wa.sg);
2048 dst.sg_wa.sg_used = 0;
2050 src.sg_wa.sg = sg_next(src.sg_wa.sg);
2055 ccp_free_data(&dst, cmd_q);
2058 ccp_free_data(&src, cmd_q);
2061 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP)
2067 static int ccp_run_passthru_nomap_cmd(struct ccp_cmd_queue *cmd_q,
2068 struct ccp_cmd *cmd)
2070 struct ccp_passthru_nomap_engine *pt = &cmd->u.passthru_nomap;
2071 struct ccp_dm_workarea mask;
2075 if (!pt->final && (pt->src_len & (CCP_PASSTHRU_BLOCKSIZE - 1)))
2078 if (!pt->src_dma || !pt->dst_dma)
2081 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP) {
2082 if (pt->mask_len != CCP_PASSTHRU_MASKSIZE)
2088 BUILD_BUG_ON(CCP_PASSTHRU_SB_COUNT != 1);
2090 memset(&op, 0, sizeof(op));
2092 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
2094 if (pt->bit_mod != CCP_PASSTHRU_BITWISE_NOOP) {
2096 op.sb_key = cmd_q->sb_key;
2098 mask.length = pt->mask_len;
2099 mask.dma.address = pt->mask;
2100 mask.dma.length = pt->mask_len;
2102 ret = ccp_copy_to_sb(cmd_q, &mask, op.jobid, op.sb_key,
2103 CCP_PASSTHRU_BYTESWAP_NOOP);
2105 cmd->engine_error = cmd_q->cmd_error;
2110 /* Send data to the CCP Passthru engine */
2114 op.src.type = CCP_MEMTYPE_SYSTEM;
2115 op.src.u.dma.address = pt->src_dma;
2116 op.src.u.dma.offset = 0;
2117 op.src.u.dma.length = pt->src_len;
2119 op.dst.type = CCP_MEMTYPE_SYSTEM;
2120 op.dst.u.dma.address = pt->dst_dma;
2121 op.dst.u.dma.offset = 0;
2122 op.dst.u.dma.length = pt->src_len;
2124 ret = cmd_q->ccp->vdata->perform->passthru(&op);
2126 cmd->engine_error = cmd_q->cmd_error;
2131 static int ccp_run_ecc_mm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
2133 struct ccp_ecc_engine *ecc = &cmd->u.ecc;
2134 struct ccp_dm_workarea src, dst;
2139 if (!ecc->u.mm.operand_1 ||
2140 (ecc->u.mm.operand_1_len > CCP_ECC_MODULUS_BYTES))
2143 if (ecc->function != CCP_ECC_FUNCTION_MINV_384BIT)
2144 if (!ecc->u.mm.operand_2 ||
2145 (ecc->u.mm.operand_2_len > CCP_ECC_MODULUS_BYTES))
2148 if (!ecc->u.mm.result ||
2149 (ecc->u.mm.result_len < CCP_ECC_MODULUS_BYTES))
2152 memset(&op, 0, sizeof(op));
2154 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
2156 /* Concatenate the modulus and the operands. Both the modulus and
2157 * the operands must be in little endian format. Since the input
2158 * is in big endian format it must be converted and placed in a
2159 * fixed length buffer.
2161 ret = ccp_init_dm_workarea(&src, cmd_q, CCP_ECC_SRC_BUF_SIZE,
2166 /* Save the workarea address since it is updated in order to perform
2171 /* Copy the ECC modulus */
2172 ret = ccp_reverse_set_dm_area(&src, 0, ecc->mod, 0, ecc->mod_len);
2175 src.address += CCP_ECC_OPERAND_SIZE;
2177 /* Copy the first operand */
2178 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.mm.operand_1, 0,
2179 ecc->u.mm.operand_1_len);
2182 src.address += CCP_ECC_OPERAND_SIZE;
2184 if (ecc->function != CCP_ECC_FUNCTION_MINV_384BIT) {
2185 /* Copy the second operand */
2186 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.mm.operand_2, 0,
2187 ecc->u.mm.operand_2_len);
2190 src.address += CCP_ECC_OPERAND_SIZE;
2193 /* Restore the workarea address */
2196 /* Prepare the output area for the operation */
2197 ret = ccp_init_dm_workarea(&dst, cmd_q, CCP_ECC_DST_BUF_SIZE,
2203 op.src.u.dma.address = src.dma.address;
2204 op.src.u.dma.offset = 0;
2205 op.src.u.dma.length = src.length;
2206 op.dst.u.dma.address = dst.dma.address;
2207 op.dst.u.dma.offset = 0;
2208 op.dst.u.dma.length = dst.length;
2210 op.u.ecc.function = cmd->u.ecc.function;
2212 ret = cmd_q->ccp->vdata->perform->ecc(&op);
2214 cmd->engine_error = cmd_q->cmd_error;
2218 ecc->ecc_result = le16_to_cpup(
2219 (const __le16 *)(dst.address + CCP_ECC_RESULT_OFFSET));
2220 if (!(ecc->ecc_result & CCP_ECC_RESULT_SUCCESS)) {
2225 /* Save the ECC result */
2226 ccp_reverse_get_dm_area(&dst, 0, ecc->u.mm.result, 0,
2227 CCP_ECC_MODULUS_BYTES);
2238 static int ccp_run_ecc_pm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
2240 struct ccp_ecc_engine *ecc = &cmd->u.ecc;
2241 struct ccp_dm_workarea src, dst;
2246 if (!ecc->u.pm.point_1.x ||
2247 (ecc->u.pm.point_1.x_len > CCP_ECC_MODULUS_BYTES) ||
2248 !ecc->u.pm.point_1.y ||
2249 (ecc->u.pm.point_1.y_len > CCP_ECC_MODULUS_BYTES))
2252 if (ecc->function == CCP_ECC_FUNCTION_PADD_384BIT) {
2253 if (!ecc->u.pm.point_2.x ||
2254 (ecc->u.pm.point_2.x_len > CCP_ECC_MODULUS_BYTES) ||
2255 !ecc->u.pm.point_2.y ||
2256 (ecc->u.pm.point_2.y_len > CCP_ECC_MODULUS_BYTES))
2259 if (!ecc->u.pm.domain_a ||
2260 (ecc->u.pm.domain_a_len > CCP_ECC_MODULUS_BYTES))
2263 if (ecc->function == CCP_ECC_FUNCTION_PMUL_384BIT)
2264 if (!ecc->u.pm.scalar ||
2265 (ecc->u.pm.scalar_len > CCP_ECC_MODULUS_BYTES))
2269 if (!ecc->u.pm.result.x ||
2270 (ecc->u.pm.result.x_len < CCP_ECC_MODULUS_BYTES) ||
2271 !ecc->u.pm.result.y ||
2272 (ecc->u.pm.result.y_len < CCP_ECC_MODULUS_BYTES))
2275 memset(&op, 0, sizeof(op));
2277 op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
2279 /* Concatenate the modulus and the operands. Both the modulus and
2280 * the operands must be in little endian format. Since the input
2281 * is in big endian format it must be converted and placed in a
2282 * fixed length buffer.
2284 ret = ccp_init_dm_workarea(&src, cmd_q, CCP_ECC_SRC_BUF_SIZE,
2289 /* Save the workarea address since it is updated in order to perform
2294 /* Copy the ECC modulus */
2295 ret = ccp_reverse_set_dm_area(&src, 0, ecc->mod, 0, ecc->mod_len);
2298 src.address += CCP_ECC_OPERAND_SIZE;
2300 /* Copy the first point X and Y coordinate */
2301 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.point_1.x, 0,
2302 ecc->u.pm.point_1.x_len);
2305 src.address += CCP_ECC_OPERAND_SIZE;
2306 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.point_1.y, 0,
2307 ecc->u.pm.point_1.y_len);
2310 src.address += CCP_ECC_OPERAND_SIZE;
2312 /* Set the first point Z coordinate to 1 */
2313 *src.address = 0x01;
2314 src.address += CCP_ECC_OPERAND_SIZE;
2316 if (ecc->function == CCP_ECC_FUNCTION_PADD_384BIT) {
2317 /* Copy the second point X and Y coordinate */
2318 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.point_2.x, 0,
2319 ecc->u.pm.point_2.x_len);
2322 src.address += CCP_ECC_OPERAND_SIZE;
2323 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.point_2.y, 0,
2324 ecc->u.pm.point_2.y_len);
2327 src.address += CCP_ECC_OPERAND_SIZE;
2329 /* Set the second point Z coordinate to 1 */
2330 *src.address = 0x01;
2331 src.address += CCP_ECC_OPERAND_SIZE;
2333 /* Copy the Domain "a" parameter */
2334 ret = ccp_reverse_set_dm_area(&src, 0, ecc->u.pm.domain_a, 0,
2335 ecc->u.pm.domain_a_len);
2338 src.address += CCP_ECC_OPERAND_SIZE;
2340 if (ecc->function == CCP_ECC_FUNCTION_PMUL_384BIT) {
2341 /* Copy the scalar value */
2342 ret = ccp_reverse_set_dm_area(&src, 0,
2343 ecc->u.pm.scalar, 0,
2344 ecc->u.pm.scalar_len);
2347 src.address += CCP_ECC_OPERAND_SIZE;
2351 /* Restore the workarea address */
2354 /* Prepare the output area for the operation */
2355 ret = ccp_init_dm_workarea(&dst, cmd_q, CCP_ECC_DST_BUF_SIZE,
2361 op.src.u.dma.address = src.dma.address;
2362 op.src.u.dma.offset = 0;
2363 op.src.u.dma.length = src.length;
2364 op.dst.u.dma.address = dst.dma.address;
2365 op.dst.u.dma.offset = 0;
2366 op.dst.u.dma.length = dst.length;
2368 op.u.ecc.function = cmd->u.ecc.function;
2370 ret = cmd_q->ccp->vdata->perform->ecc(&op);
2372 cmd->engine_error = cmd_q->cmd_error;
2376 ecc->ecc_result = le16_to_cpup(
2377 (const __le16 *)(dst.address + CCP_ECC_RESULT_OFFSET));
2378 if (!(ecc->ecc_result & CCP_ECC_RESULT_SUCCESS)) {
2383 /* Save the workarea address since it is updated as we walk through
2384 * to copy the point math result
2388 /* Save the ECC result X and Y coordinates */
2389 ccp_reverse_get_dm_area(&dst, 0, ecc->u.pm.result.x, 0,
2390 CCP_ECC_MODULUS_BYTES);
2391 dst.address += CCP_ECC_OUTPUT_SIZE;
2392 ccp_reverse_get_dm_area(&dst, 0, ecc->u.pm.result.y, 0,
2393 CCP_ECC_MODULUS_BYTES);
2394 dst.address += CCP_ECC_OUTPUT_SIZE;
2396 /* Restore the workarea address */
2408 static int ccp_run_ecc_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
2410 struct ccp_ecc_engine *ecc = &cmd->u.ecc;
2412 ecc->ecc_result = 0;
2415 (ecc->mod_len > CCP_ECC_MODULUS_BYTES))
2418 switch (ecc->function) {
2419 case CCP_ECC_FUNCTION_MMUL_384BIT:
2420 case CCP_ECC_FUNCTION_MADD_384BIT:
2421 case CCP_ECC_FUNCTION_MINV_384BIT:
2422 return ccp_run_ecc_mm_cmd(cmd_q, cmd);
2424 case CCP_ECC_FUNCTION_PADD_384BIT:
2425 case CCP_ECC_FUNCTION_PMUL_384BIT:
2426 case CCP_ECC_FUNCTION_PDBL_384BIT:
2427 return ccp_run_ecc_pm_cmd(cmd_q, cmd);
2434 int ccp_run_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
2438 cmd->engine_error = 0;
2439 cmd_q->cmd_error = 0;
2440 cmd_q->int_rcvd = 0;
2441 cmd_q->free_slots = cmd_q->ccp->vdata->perform->get_free_slots(cmd_q);
2443 switch (cmd->engine) {
2444 case CCP_ENGINE_AES:
2445 ret = ccp_run_aes_cmd(cmd_q, cmd);
2447 case CCP_ENGINE_XTS_AES_128:
2448 ret = ccp_run_xts_aes_cmd(cmd_q, cmd);
2450 case CCP_ENGINE_DES3:
2451 ret = ccp_run_des3_cmd(cmd_q, cmd);
2453 case CCP_ENGINE_SHA:
2454 ret = ccp_run_sha_cmd(cmd_q, cmd);
2456 case CCP_ENGINE_RSA:
2457 ret = ccp_run_rsa_cmd(cmd_q, cmd);
2459 case CCP_ENGINE_PASSTHRU:
2460 if (cmd->flags & CCP_CMD_PASSTHRU_NO_DMA_MAP)
2461 ret = ccp_run_passthru_nomap_cmd(cmd_q, cmd);
2463 ret = ccp_run_passthru_cmd(cmd_q, cmd);
2465 case CCP_ENGINE_ECC:
2466 ret = ccp_run_ecc_cmd(cmd_q, cmd);