mk-rootfs.sh

hc

2023-12-11 072de836f53be56a70cecf70b43ae43b7ce17376

 kernel/arch/arm64/crypto/ghash-ce-glue.c
..
..
@@ -1,11 +1,8 @@
1
+// SPDX-License-Identifier: GPL-2.0-only
1
2
 /*
2
3
  * Accelerated GHASH implementation with ARMv8 PMULL instructions.
3
4
  *
4
5
  * Copyright (C) 2014 - 2018 Linaro Ltd. <ard.biesheuvel@linaro.org>
5
- *
6
- * This program is free software; you can redistribute it and/or modify it
7
- * under the terms of the GNU General Public License version 2 as published
8
- * by the Free Software Foundation.
9
6
  */
10
7
 
11
8
 #include <asm/neon.h>
..
..
@@ -17,6 +14,7 @@
17
14
 #include <crypto/gf128mul.h>
18
15
 #include <crypto/internal/aead.h>
19
16
 #include <crypto/internal/hash.h>
17
+#include <crypto/internal/simd.h>
20
18
 #include <crypto/internal/skcipher.h>
21
19
 #include <crypto/scatterwalk.h>
22
20
 #include <linux/cpufeature.h>
..
..
@@ -33,12 +31,8 @@
33
31
 #define GCM_IV_SIZE		12
34
32
 
35
33
 struct ghash_key {
36
-	u64			h[2];
37
-	u64			h2[2];
38
-	u64			h3[2];
39
-	u64			h4[2];
40
-
41
34
 	be128			k;
35
+	u64			h[][2];
42
36
 };
43
37
 
44
38
 struct ghash_desc_ctx {
..
..
@@ -53,46 +47,18 @@
53
47
 };
54
48
 
55
49
 asmlinkage void pmull_ghash_update_p64(int blocks, u64 dg[], const char *src,
56
-				       struct ghash_key const *k,
57
-				       const char *head);
50
+				       u64 const h[][2], const char *head);
58
51
 
59
52
 asmlinkage void pmull_ghash_update_p8(int blocks, u64 dg[], const char *src,
60
-				      struct ghash_key const *k,
61
-				      const char *head);
53
+				      u64 const h[][2], const char *head);
62
54
 
63
-#ifdef CONFIG_CFI_CLANG
64
-static inline void __cfi_pmull_ghash_update_p64(int blocks, u64 dg[],
65
-                const char *src, struct ghash_key const *k, const char *head)
66
-{
67
-        return pmull_ghash_update_p64(blocks, dg, src, k, head);
68
-}
69
-#define pmull_ghash_update_p64 __cfi_pmull_ghash_update_p64
70
-
71
-static inline void __cfi_pmull_ghash_update_p8(int blocks, u64 dg[],
72
-                const char *src, struct ghash_key const *k, const char *head)
73
-{
74
-        return pmull_ghash_update_p8(blocks, dg, src, k, head);
75
-}
76
-#define pmull_ghash_update_p8 __cfi_pmull_ghash_update_p8
77
-#endif
78
-
79
-static void (*pmull_ghash_update)(int blocks, u64 dg[], const char *src,
80
-				  struct ghash_key const *k,
81
-				  const char *head);
82
-
83
-asmlinkage void pmull_gcm_encrypt(int blocks, u64 dg[], u8 dst[],
84
-				  const u8 src[], struct ghash_key const *k,
85
-				  u8 ctr[], u32 const rk[], int rounds,
86
-				  u8 ks[]);
87
-
88
-asmlinkage void pmull_gcm_decrypt(int blocks, u64 dg[], u8 dst[],
89
-				  const u8 src[], struct ghash_key const *k,
90
-				  u8 ctr[], u32 const rk[], int rounds);
91
-
92
-asmlinkage void pmull_gcm_encrypt_block(u8 dst[], u8 const src[],
93
-					u32 const rk[], int rounds);
94
-
95
-asmlinkage void __aes_arm64_encrypt(u32 *rk, u8 *out, const u8 *in, int rounds);
55
+asmlinkage void pmull_gcm_encrypt(int bytes, u8 dst[], const u8 src[],
56
+				  u64 const h[][2], u64 dg[], u8 ctr[],
57
+				  u32 const rk[], int rounds, u8 tag[]);
58
+asmlinkage int pmull_gcm_decrypt(int bytes, u8 dst[], const u8 src[],
59
+				 u64 const h[][2], u64 dg[], u8 ctr[],
60
+				 u32 const rk[], int rounds, const u8 l[],
61
+				 const u8 tag[], u64 authsize);
96
62
 
97
63
 static int ghash_init(struct shash_desc *desc)
98
64
 {
..
..
@@ -105,30 +71,41 @@
105
71
 static void ghash_do_update(int blocks, u64 dg[], const char *src,
106
72
 			    struct ghash_key *key, const char *head)
107
73
 {
108
-	if (likely(may_use_simd())) {
74
+	be128 dst = { cpu_to_be64(dg[1]), cpu_to_be64(dg[0]) };
75
+
76
+	do {
77
+		const u8 *in = src;
78
+
79
+		if (head) {
80
+			in = head;
81
+			blocks++;
82
+			head = NULL;
83
+		} else {
84
+			src += GHASH_BLOCK_SIZE;
85
+		}
86
+
87
+		crypto_xor((u8 *)&dst, in, GHASH_BLOCK_SIZE);
88
+		gf128mul_lle(&dst, &key->k);
89
+	} while (--blocks);
90
+
91
+	dg[0] = be64_to_cpu(dst.b);
92
+	dg[1] = be64_to_cpu(dst.a);
93
+}
94
+
95
+static __always_inline
96
+void ghash_do_simd_update(int blocks, u64 dg[], const char *src,
97
+			  struct ghash_key *key, const char *head,
98
+			  void (*simd_update)(int blocks, u64 dg[],
99
+					      const char *src,
100
+					      u64 const h[][2],
101
+					      const char *head))
102
+{
103
+	if (likely(crypto_simd_usable())) {
109
104
 		kernel_neon_begin();
110
-		pmull_ghash_update(blocks, dg, src, key, head);
105
+		simd_update(blocks, dg, src, key->h, head);
111
106
 		kernel_neon_end();
112
107
 	} else {
113
-		be128 dst = { cpu_to_be64(dg[1]), cpu_to_be64(dg[0]) };
114
-
115
-		do {
116
-			const u8 *in = src;
117
-
118
-			if (head) {
119
-				in = head;
120
-				blocks++;
121
-				head = NULL;
122
-			} else {
123
-				src += GHASH_BLOCK_SIZE;
124
-			}
125
-
126
-			crypto_xor((u8 *)&dst, in, GHASH_BLOCK_SIZE);
127
-			gf128mul_lle(&dst, &key->k);
128
-		} while (--blocks);
129
-
130
-		dg[0] = be64_to_cpu(dst.b);
131
-		dg[1] = be64_to_cpu(dst.a);
108
+		ghash_do_update(blocks, dg, src, key, head);
132
109
 	}
133
110
 }
134
111
 
..
..
@@ -161,8 +138,9 @@
161
138
 		do {
162
139
 			int chunk = min(blocks, MAX_BLOCKS);
163
140
 
164
-			ghash_do_update(chunk, ctx->digest, src, key,
165
-					partial ? ctx->buf : NULL);
141
+			ghash_do_simd_update(chunk, ctx->digest, src, key,
142
+					     partial ? ctx->buf : NULL,
143
+					     pmull_ghash_update_p8);
166
144
 
167
145
 			blocks -= chunk;
168
146
 			src += chunk * GHASH_BLOCK_SIZE;
..
..
@@ -184,7 +162,8 @@
184
162
 
185
163
 		memset(ctx->buf + partial, 0, GHASH_BLOCK_SIZE - partial);
186
164
 
187
-		ghash_do_update(1, ctx->digest, ctx->buf, key, NULL);
165
+		ghash_do_simd_update(1, ctx->digest, ctx->buf, key, NULL,
166
+				     pmull_ghash_update_p8);
188
167
 	}
189
168
 	put_unaligned_be64(ctx->digest[1], dst);
190
169
 	put_unaligned_be64(ctx->digest[0], dst + 8);
..
..
@@ -204,48 +183,27 @@
204
183
 		h[1] ^= 0xc200000000000000UL;
205
184
 }
206
185
 
207
-static int __ghash_setkey(struct ghash_key *key,
208
-			  const u8 *inkey, unsigned int keylen)
209
-{
210
-	be128 h;
211
-
212
-	/* needed for the fallback */
213
-	memcpy(&key->k, inkey, GHASH_BLOCK_SIZE);
214
-
215
-	ghash_reflect(key->h, &key->k);
216
-
217
-	h = key->k;
218
-	gf128mul_lle(&h, &key->k);
219
-	ghash_reflect(key->h2, &h);
220
-
221
-	gf128mul_lle(&h, &key->k);
222
-	ghash_reflect(key->h3, &h);
223
-
224
-	gf128mul_lle(&h, &key->k);
225
-	ghash_reflect(key->h4, &h);
226
-
227
-	return 0;
228
-}
229
-
230
186
 static int ghash_setkey(struct crypto_shash *tfm,
231
187
 			const u8 *inkey, unsigned int keylen)
232
188
 {
233
189
 	struct ghash_key *key = crypto_shash_ctx(tfm);
234
190
 
235
-	if (keylen != GHASH_BLOCK_SIZE) {
236
-		crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
191
+	if (keylen != GHASH_BLOCK_SIZE)
237
192
 		return -EINVAL;
238
-	}
239
193
 
240
-	return __ghash_setkey(key, inkey, keylen);
194
+	/* needed for the fallback */
195
+	memcpy(&key->k, inkey, GHASH_BLOCK_SIZE);
196
+
197
+	ghash_reflect(key->h[0], &key->k);
198
+	return 0;
241
199
 }
242
200
 
243
201
 static struct shash_alg ghash_alg = {
244
202
 	.base.cra_name		= "ghash",
245
-	.base.cra_driver_name	= "ghash-ce",
246
-	.base.cra_priority	= 200,
203
+	.base.cra_driver_name	= "ghash-neon",
204
+	.base.cra_priority	= 150,
247
205
 	.base.cra_blocksize	= GHASH_BLOCK_SIZE,
248
-	.base.cra_ctxsize	= sizeof(struct ghash_key),
206
+	.base.cra_ctxsize	= sizeof(struct ghash_key) + sizeof(u64[2]),
249
207
 	.base.cra_module	= THIS_MODULE,
250
208
 
251
209
 	.digestsize		= GHASH_DIGEST_SIZE,
..
..
@@ -273,18 +231,31 @@
273
231
 {
274
232
 	struct gcm_aes_ctx *ctx = crypto_aead_ctx(tfm);
275
233
 	u8 key[GHASH_BLOCK_SIZE];
234
+	be128 h;
276
235
 	int ret;
277
236
 
278
-	ret = crypto_aes_expand_key(&ctx->aes_key, inkey, keylen);
279
-	if (ret) {
280
-		tfm->base.crt_flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
237
+	ret = aes_expandkey(&ctx->aes_key, inkey, keylen);
238
+	if (ret)
281
239
 		return -EINVAL;
282
-	}
283
240
 
284
-	__aes_arm64_encrypt(ctx->aes_key.key_enc, key, (u8[AES_BLOCK_SIZE]){},
285
-			    num_rounds(&ctx->aes_key));
241
+	aes_encrypt(&ctx->aes_key, key, (u8[AES_BLOCK_SIZE]){});
286
242
 
287
-	return __ghash_setkey(&ctx->ghash_key, key, sizeof(be128));
243
+	/* needed for the fallback */
244
+	memcpy(&ctx->ghash_key.k, key, GHASH_BLOCK_SIZE);
245
+
246
+	ghash_reflect(ctx->ghash_key.h[0], &ctx->ghash_key.k);
247
+
248
+	h = ctx->ghash_key.k;
249
+	gf128mul_lle(&h, &ctx->ghash_key.k);
250
+	ghash_reflect(ctx->ghash_key.h[1], &h);
251
+
252
+	gf128mul_lle(&h, &ctx->ghash_key.k);
253
+	ghash_reflect(ctx->ghash_key.h[2], &h);
254
+
255
+	gf128mul_lle(&h, &ctx->ghash_key.k);
256
+	ghash_reflect(ctx->ghash_key.h[3], &h);
257
+
258
+	return 0;
288
259
 }
289
260
 
290
261
 static int gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
..
..
@@ -316,8 +287,9 @@
316
287
 	if (count >= GHASH_BLOCK_SIZE || *buf_count == GHASH_BLOCK_SIZE) {
317
288
 		int blocks = count / GHASH_BLOCK_SIZE;
318
289
 
319
-		ghash_do_update(blocks, dg, src, &ctx->ghash_key,
320
-				*buf_count ? buf : NULL);
290
+		ghash_do_simd_update(blocks, dg, src, &ctx->ghash_key,
291
+				     *buf_count ? buf : NULL,
292
+				     pmull_ghash_update_p64);
321
293
 
322
294
 		src += blocks * GHASH_BLOCK_SIZE;
323
295
 		count %= GHASH_BLOCK_SIZE;
..
..
@@ -361,141 +333,116 @@
361
333
 
362
334
 	if (buf_count) {
363
335
 		memset(&buf[buf_count], 0, GHASH_BLOCK_SIZE - buf_count);
364
-		ghash_do_update(1, dg, buf, &ctx->ghash_key, NULL);
336
+		ghash_do_simd_update(1, dg, buf, &ctx->ghash_key, NULL,
337
+				     pmull_ghash_update_p64);
365
338
 	}
366
-}
367
-
368
-static void gcm_final(struct aead_request *req, struct gcm_aes_ctx *ctx,
369
-		      u64 dg[], u8 tag[], int cryptlen)
370
-{
371
-	u8 mac[AES_BLOCK_SIZE];
372
-	u128 lengths;
373
-
374
-	lengths.a = cpu_to_be64(req->assoclen * 8);
375
-	lengths.b = cpu_to_be64(cryptlen * 8);
376
-
377
-	ghash_do_update(1, dg, (void *)&lengths, &ctx->ghash_key, NULL);
378
-
379
-	put_unaligned_be64(dg[1], mac);
380
-	put_unaligned_be64(dg[0], mac + 8);
381
-
382
-	crypto_xor(tag, mac, AES_BLOCK_SIZE);
383
339
 }
384
340
 
385
341
 static int gcm_encrypt(struct aead_request *req)
386
342
 {
387
343
 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
388
344
 	struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
389
-	struct skcipher_walk walk;
390
-	u8 iv[AES_BLOCK_SIZE];
391
-	u8 ks[2 * AES_BLOCK_SIZE];
392
-	u8 tag[AES_BLOCK_SIZE];
393
-	u64 dg[2] = {};
394
345
 	int nrounds = num_rounds(&ctx->aes_key);
346
+	struct skcipher_walk walk;
347
+	u8 buf[AES_BLOCK_SIZE];
348
+	u8 iv[AES_BLOCK_SIZE];
349
+	u64 dg[2] = {};
350
+	be128 lengths;
351
+	u8 *tag;
395
352
 	int err;
353
+
354
+	lengths.a = cpu_to_be64(req->assoclen * 8);
355
+	lengths.b = cpu_to_be64(req->cryptlen * 8);
396
356
 
397
357
 	if (req->assoclen)
398
358
 		gcm_calculate_auth_mac(req, dg);
399
359
 
400
360
 	memcpy(iv, req->iv, GCM_IV_SIZE);
401
-	put_unaligned_be32(1, iv + GCM_IV_SIZE);
361
+	put_unaligned_be32(2, iv + GCM_IV_SIZE);
402
362
 
403
363
 	err = skcipher_walk_aead_encrypt(&walk, req, false);
404
364
 
405
-	if (likely(may_use_simd() && walk.total >= 2 * AES_BLOCK_SIZE)) {
406
-		u32 const *rk = NULL;
407
-
408
-		kernel_neon_begin();
409
-		pmull_gcm_encrypt_block(tag, iv, ctx->aes_key.key_enc, nrounds);
410
-		put_unaligned_be32(2, iv + GCM_IV_SIZE);
411
-		pmull_gcm_encrypt_block(ks, iv, NULL, nrounds);
412
-		put_unaligned_be32(3, iv + GCM_IV_SIZE);
413
-		pmull_gcm_encrypt_block(ks + AES_BLOCK_SIZE, iv, NULL, nrounds);
414
-		put_unaligned_be32(4, iv + GCM_IV_SIZE);
415
-
365
+	if (likely(crypto_simd_usable())) {
416
366
 		do {
417
-			int blocks = walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
367
+			const u8 *src = walk.src.virt.addr;
368
+			u8 *dst = walk.dst.virt.addr;
369
+			int nbytes = walk.nbytes;
418
370
 
419
-			if (rk)
420
-				kernel_neon_begin();
371
+			tag = (u8 *)&lengths;
421
372
 
422
-			pmull_gcm_encrypt(blocks, dg, walk.dst.virt.addr,
423
-					  walk.src.virt.addr, &ctx->ghash_key,
424
-					  iv, rk, nrounds, ks);
373
+			if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE)) {
374
+				src = dst = memcpy(buf + sizeof(buf) - nbytes,
375
+						   src, nbytes);
376
+			} else if (nbytes < walk.total) {
377
+				nbytes &= ~(AES_BLOCK_SIZE - 1);
378
+				tag = NULL;
379
+			}
380
+
381
+			kernel_neon_begin();
382
+			pmull_gcm_encrypt(nbytes, dst, src, ctx->ghash_key.h,
383
+					  dg, iv, ctx->aes_key.key_enc, nrounds,
384
+					  tag);
425
385
 			kernel_neon_end();
426
386
 
427
-			err = skcipher_walk_done(&walk,
428
-					walk.nbytes % (2 * AES_BLOCK_SIZE));
387
+			if (unlikely(!nbytes))
388
+				break;
429
389
 
430
-			rk = ctx->aes_key.key_enc;
431
-		} while (walk.nbytes >= 2 * AES_BLOCK_SIZE);
390
+			if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE))
391
+				memcpy(walk.dst.virt.addr,
392
+				       buf + sizeof(buf) - nbytes, nbytes);
393
+
394
+			err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
395
+		} while (walk.nbytes);
432
396
 	} else {
433
-		__aes_arm64_encrypt(ctx->aes_key.key_enc, tag, iv, nrounds);
434
-		put_unaligned_be32(2, iv + GCM_IV_SIZE);
435
-
436
-		while (walk.nbytes >= (2 * AES_BLOCK_SIZE)) {
437
-			const int blocks =
438
-				walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
397
+		while (walk.nbytes >= AES_BLOCK_SIZE) {
398
+			int blocks = walk.nbytes / AES_BLOCK_SIZE;
399
+			const u8 *src = walk.src.virt.addr;
439
400
 			u8 *dst = walk.dst.virt.addr;
440
-			u8 *src = walk.src.virt.addr;
441
401
 			int remaining = blocks;
442
402
 
443
403
 			do {
444
-				__aes_arm64_encrypt(ctx->aes_key.key_enc,
445
-						    ks, iv, nrounds);
446
-				crypto_xor_cpy(dst, src, ks, AES_BLOCK_SIZE);
404
+				aes_encrypt(&ctx->aes_key, buf, iv);
405
+				crypto_xor_cpy(dst, src, buf, AES_BLOCK_SIZE);
447
406
 				crypto_inc(iv, AES_BLOCK_SIZE);
448
407
 
449
408
 				dst += AES_BLOCK_SIZE;
450
409
 				src += AES_BLOCK_SIZE;
451
410
 			} while (--remaining > 0);
452
411
 
453
-			ghash_do_update(blocks, dg,
454
-					walk.dst.virt.addr, &ctx->ghash_key,
455
-					NULL);
412
+			ghash_do_update(blocks, dg, walk.dst.virt.addr,
413
+					&ctx->ghash_key, NULL);
456
414
 
457
415
 			err = skcipher_walk_done(&walk,
458
-						 walk.nbytes % (2 * AES_BLOCK_SIZE));
416
+						 walk.nbytes % AES_BLOCK_SIZE);
459
417
 		}
418
+
419
+		/* handle the tail */
460
420
 		if (walk.nbytes) {
461
-			__aes_arm64_encrypt(ctx->aes_key.key_enc, ks, iv,
462
-					    nrounds);
463
-			if (walk.nbytes > AES_BLOCK_SIZE) {
464
-				crypto_inc(iv, AES_BLOCK_SIZE);
465
-				__aes_arm64_encrypt(ctx->aes_key.key_enc,
466
-					            ks + AES_BLOCK_SIZE, iv,
467
-						    nrounds);
468
-			}
469
-		}
470
-	}
421
+			aes_encrypt(&ctx->aes_key, buf, iv);
471
422
 
472
-	/* handle the tail */
473
-	if (walk.nbytes) {
474
-		u8 buf[GHASH_BLOCK_SIZE];
475
-		unsigned int nbytes = walk.nbytes;
476
-		u8 *dst = walk.dst.virt.addr;
477
-		u8 *head = NULL;
423
+			crypto_xor_cpy(walk.dst.virt.addr, walk.src.virt.addr,
424
+				       buf, walk.nbytes);
478
425
 
479
-		crypto_xor_cpy(walk.dst.virt.addr, walk.src.virt.addr, ks,
480
-			       walk.nbytes);
481
-
482
-		if (walk.nbytes > GHASH_BLOCK_SIZE) {
483
-			head = dst;
484
-			dst += GHASH_BLOCK_SIZE;
485
-			nbytes %= GHASH_BLOCK_SIZE;
426
+			memcpy(buf, walk.dst.virt.addr, walk.nbytes);
427
+			memset(buf + walk.nbytes, 0, sizeof(buf) - walk.nbytes);
486
428
 		}
487
429
 
488
-		memcpy(buf, dst, nbytes);
489
-		memset(buf + nbytes, 0, GHASH_BLOCK_SIZE - nbytes);
490
-		ghash_do_update(!!nbytes, dg, buf, &ctx->ghash_key, head);
430
+		tag = (u8 *)&lengths;
431
+		ghash_do_update(1, dg, tag, &ctx->ghash_key,
432
+				walk.nbytes ? buf : NULL);
491
433
 
492
-		err = skcipher_walk_done(&walk, 0);
434
+		if (walk.nbytes)
435
+			err = skcipher_walk_done(&walk, 0);
436
+
437
+		put_unaligned_be64(dg[1], tag);
438
+		put_unaligned_be64(dg[0], tag + 8);
439
+		put_unaligned_be32(1, iv + GCM_IV_SIZE);
440
+		aes_encrypt(&ctx->aes_key, iv, iv);
441
+		crypto_xor(tag, iv, AES_BLOCK_SIZE);
493
442
 	}
494
443
 
495
444
 	if (err)
496
445
 		return err;
497
-
498
-	gcm_final(req, ctx, dg, tag, req->cryptlen);
499
446
 
500
447
 	/* copy authtag to end of dst */
501
448
 	scatterwalk_map_and_copy(tag, req->dst, req->assoclen + req->cryptlen,
..
..
@@ -509,78 +456,81 @@
509
456
 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
510
457
 	struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
511
458
 	unsigned int authsize = crypto_aead_authsize(aead);
512
-	struct skcipher_walk walk;
513
-	u8 iv[2 * AES_BLOCK_SIZE];
514
-	u8 tag[AES_BLOCK_SIZE];
515
-	u8 buf[2 * GHASH_BLOCK_SIZE];
516
-	u64 dg[2] = {};
517
459
 	int nrounds = num_rounds(&ctx->aes_key);
460
+	struct skcipher_walk walk;
461
+	u8 otag[AES_BLOCK_SIZE];
462
+	u8 buf[AES_BLOCK_SIZE];
463
+	u8 iv[AES_BLOCK_SIZE];
464
+	u64 dg[2] = {};
465
+	be128 lengths;
466
+	u8 *tag;
518
467
 	int err;
468
+
469
+	lengths.a = cpu_to_be64(req->assoclen * 8);
470
+	lengths.b = cpu_to_be64((req->cryptlen - authsize) * 8);
519
471
 
520
472
 	if (req->assoclen)
521
473
 		gcm_calculate_auth_mac(req, dg);
522
474
 
523
475
 	memcpy(iv, req->iv, GCM_IV_SIZE);
524
-	put_unaligned_be32(1, iv + GCM_IV_SIZE);
476
+	put_unaligned_be32(2, iv + GCM_IV_SIZE);
477
+
478
+	scatterwalk_map_and_copy(otag, req->src,
479
+				 req->assoclen + req->cryptlen - authsize,
480
+				 authsize, 0);
525
481
 
526
482
 	err = skcipher_walk_aead_decrypt(&walk, req, false);
527
483
 
528
-	if (likely(may_use_simd() && walk.total >= 2 * AES_BLOCK_SIZE)) {
529
-		u32 const *rk = NULL;
530
-
531
-		kernel_neon_begin();
532
-		pmull_gcm_encrypt_block(tag, iv, ctx->aes_key.key_enc, nrounds);
533
-		put_unaligned_be32(2, iv + GCM_IV_SIZE);
484
+	if (likely(crypto_simd_usable())) {
485
+		int ret;
534
486
 
535
487
 		do {
536
-			int blocks = walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
537
-			int rem = walk.total - blocks * AES_BLOCK_SIZE;
488
+			const u8 *src = walk.src.virt.addr;
489
+			u8 *dst = walk.dst.virt.addr;
490
+			int nbytes = walk.nbytes;
538
491
 
539
-			if (rk)
540
-				kernel_neon_begin();
492
+			tag = (u8 *)&lengths;
541
493
 
542
-			pmull_gcm_decrypt(blocks, dg, walk.dst.virt.addr,
543
-					  walk.src.virt.addr, &ctx->ghash_key,
544
-					  iv, rk, nrounds);
545
-
546
-			/* check if this is the final iteration of the loop */
547
-			if (rem < (2 * AES_BLOCK_SIZE)) {
548
-				u8 *iv2 = iv + AES_BLOCK_SIZE;
549
-
550
-				if (rem > AES_BLOCK_SIZE) {
551
-					memcpy(iv2, iv, AES_BLOCK_SIZE);
552
-					crypto_inc(iv2, AES_BLOCK_SIZE);
553
-				}
554
-
555
-				pmull_gcm_encrypt_block(iv, iv, NULL, nrounds);
556
-
557
-				if (rem > AES_BLOCK_SIZE)
558
-					pmull_gcm_encrypt_block(iv2, iv2, NULL,
559
-								nrounds);
494
+			if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE)) {
495
+				src = dst = memcpy(buf + sizeof(buf) - nbytes,
496
+						   src, nbytes);
497
+			} else if (nbytes < walk.total) {
498
+				nbytes &= ~(AES_BLOCK_SIZE - 1);
499
+				tag = NULL;
560
500
 			}
561
501
 
502
+			kernel_neon_begin();
503
+			ret = pmull_gcm_decrypt(nbytes, dst, src,
504
+						ctx->ghash_key.h,
505
+						dg, iv, ctx->aes_key.key_enc,
506
+						nrounds, tag, otag, authsize);
562
507
 			kernel_neon_end();
563
508
 
564
-			err = skcipher_walk_done(&walk,
565
-					walk.nbytes % (2 * AES_BLOCK_SIZE));
509
+			if (unlikely(!nbytes))
510
+				break;
566
511
 
567
-			rk = ctx->aes_key.key_enc;
568
-		} while (walk.nbytes >= 2 * AES_BLOCK_SIZE);
512
+			if (unlikely(nbytes > 0 && nbytes < AES_BLOCK_SIZE))
513
+				memcpy(walk.dst.virt.addr,
514
+				       buf + sizeof(buf) - nbytes, nbytes);
515
+
516
+			err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
517
+		} while (walk.nbytes);
518
+
519
+		if (err)
520
+			return err;
521
+		if (ret)
522
+			return -EBADMSG;
569
523
 	} else {
570
-		__aes_arm64_encrypt(ctx->aes_key.key_enc, tag, iv, nrounds);
571
-		put_unaligned_be32(2, iv + GCM_IV_SIZE);
572
-
573
-		while (walk.nbytes >= (2 * AES_BLOCK_SIZE)) {
574
-			int blocks = walk.nbytes / (2 * AES_BLOCK_SIZE) * 2;
524
+		while (walk.nbytes >= AES_BLOCK_SIZE) {
525
+			int blocks = walk.nbytes / AES_BLOCK_SIZE;
526
+			const u8 *src = walk.src.virt.addr;
575
527
 			u8 *dst = walk.dst.virt.addr;
576
-			u8 *src = walk.src.virt.addr;
577
528
 
578
529
 			ghash_do_update(blocks, dg, walk.src.virt.addr,
579
530
 					&ctx->ghash_key, NULL);
580
531
 
581
532
 			do {
582
-				__aes_arm64_encrypt(ctx->aes_key.key_enc,
583
-						    buf, iv, nrounds);
533
+				aes_encrypt(&ctx->aes_key, buf, iv);
584
534
 				crypto_xor_cpy(dst, src, buf, AES_BLOCK_SIZE);
585
535
 				crypto_inc(iv, AES_BLOCK_SIZE);
586
536
 
..
..
@@ -589,63 +539,48 @@
589
539
 			} while (--blocks > 0);
590
540
 
591
541
 			err = skcipher_walk_done(&walk,
592
-						 walk.nbytes % (2 * AES_BLOCK_SIZE));
542
+						 walk.nbytes % AES_BLOCK_SIZE);
593
543
 		}
544
+
545
+		/* handle the tail */
594
546
 		if (walk.nbytes) {
595
-			if (walk.nbytes > AES_BLOCK_SIZE) {
596
-				u8 *iv2 = iv + AES_BLOCK_SIZE;
597
-
598
-				memcpy(iv2, iv, AES_BLOCK_SIZE);
599
-				crypto_inc(iv2, AES_BLOCK_SIZE);
600
-
601
-				__aes_arm64_encrypt(ctx->aes_key.key_enc, iv2,
602
-						    iv2, nrounds);
603
-			}
604
-			__aes_arm64_encrypt(ctx->aes_key.key_enc, iv, iv,
605
-					    nrounds);
606
-		}
607
-	}
608
-
609
-	/* handle the tail */
610
-	if (walk.nbytes) {
611
-		const u8 *src = walk.src.virt.addr;
612
-		const u8 *head = NULL;
613
-		unsigned int nbytes = walk.nbytes;
614
-
615
-		if (walk.nbytes > GHASH_BLOCK_SIZE) {
616
-			head = src;
617
-			src += GHASH_BLOCK_SIZE;
618
-			nbytes %= GHASH_BLOCK_SIZE;
547
+			memcpy(buf, walk.src.virt.addr, walk.nbytes);
548
+			memset(buf + walk.nbytes, 0, sizeof(buf) - walk.nbytes);
619
549
 		}
620
550
 
621
-		memcpy(buf, src, nbytes);
622
-		memset(buf + nbytes, 0, GHASH_BLOCK_SIZE - nbytes);
623
-		ghash_do_update(!!nbytes, dg, buf, &ctx->ghash_key, head);
551
+		tag = (u8 *)&lengths;
552
+		ghash_do_update(1, dg, tag, &ctx->ghash_key,
553
+				walk.nbytes ? buf : NULL);
624
554
 
625
-		crypto_xor_cpy(walk.dst.virt.addr, walk.src.virt.addr, iv,
626
-			       walk.nbytes);
555
+		if (walk.nbytes) {
556
+			aes_encrypt(&ctx->aes_key, buf, iv);
627
557
 
628
-		err = skcipher_walk_done(&walk, 0);
558
+			crypto_xor_cpy(walk.dst.virt.addr, walk.src.virt.addr,
559
+				       buf, walk.nbytes);
560
+
561
+			err = skcipher_walk_done(&walk, 0);
562
+		}
563
+
564
+		if (err)
565
+			return err;
566
+
567
+		put_unaligned_be64(dg[1], tag);
568
+		put_unaligned_be64(dg[0], tag + 8);
569
+		put_unaligned_be32(1, iv + GCM_IV_SIZE);
570
+		aes_encrypt(&ctx->aes_key, iv, iv);
571
+		crypto_xor(tag, iv, AES_BLOCK_SIZE);
572
+
573
+		if (crypto_memneq(tag, otag, authsize)) {
574
+			memzero_explicit(tag, AES_BLOCK_SIZE);
575
+			return -EBADMSG;
576
+		}
629
577
 	}
630
-
631
-	if (err)
632
-		return err;
633
-
634
-	gcm_final(req, ctx, dg, tag, req->cryptlen - authsize);
635
-
636
-	/* compare calculated auth tag with the stored one */
637
-	scatterwalk_map_and_copy(buf, req->src,
638
-				 req->assoclen + req->cryptlen - authsize,
639
-				 authsize, 0);
640
-
641
-	if (crypto_memneq(tag, buf, authsize))
642
-		return -EBADMSG;
643
578
 	return 0;
644
579
 }
645
580
 
646
581
 static struct aead_alg gcm_aes_alg = {
647
582
 	.ivsize			= GCM_IV_SIZE,
648
-	.chunksize		= 2 * AES_BLOCK_SIZE,
583
+	.chunksize		= AES_BLOCK_SIZE,
649
584
 	.maxauthsize		= AES_BLOCK_SIZE,
650
585
 	.setkey			= gcm_setkey,
651
586
 	.setauthsize		= gcm_setauthsize,
..
..
@@ -656,39 +591,28 @@
656
591
 	.base.cra_driver_name	= "gcm-aes-ce",
657
592
 	.base.cra_priority	= 300,
658
593
 	.base.cra_blocksize	= 1,
659
-	.base.cra_ctxsize	= sizeof(struct gcm_aes_ctx),
594
+	.base.cra_ctxsize	= sizeof(struct gcm_aes_ctx) +
595
+				  4 * sizeof(u64[2]),
660
596
 	.base.cra_module	= THIS_MODULE,
661
597
 };
662
598
 
663
599
 static int __init ghash_ce_mod_init(void)
664
600
 {
665
-	int ret;
666
-
667
-	if (!(elf_hwcap & HWCAP_ASIMD))
601
+	if (!cpu_have_named_feature(ASIMD))
668
602
 		return -ENODEV;
669
603
 
670
-	if (elf_hwcap & HWCAP_PMULL)
671
-		pmull_ghash_update = pmull_ghash_update_p64;
604
+	if (cpu_have_named_feature(PMULL))
605
+		return crypto_register_aead(&gcm_aes_alg);
672
606
 
673
-	else
674
-		pmull_ghash_update = pmull_ghash_update_p8;
675
-
676
-	ret = crypto_register_shash(&ghash_alg);
677
-	if (ret)
678
-		return ret;
679
-
680
-	if (elf_hwcap & HWCAP_PMULL) {
681
-		ret = crypto_register_aead(&gcm_aes_alg);
682
-		if (ret)
683
-			crypto_unregister_shash(&ghash_alg);
684
-	}
685
-	return ret;
607
+	return crypto_register_shash(&ghash_alg);
686
608
 }
687
609
 
688
610
 static void __exit ghash_ce_mod_exit(void)
689
611
 {
690
-	crypto_unregister_shash(&ghash_alg);
691
-	crypto_unregister_aead(&gcm_aes_alg);
612
+	if (cpu_have_named_feature(PMULL))
613
+		crypto_unregister_aead(&gcm_aes_alg);
614
+	else
615
+		crypto_unregister_shash(&ghash_alg);
692
616
 }
693
617
 
694
618
 static const struct cpu_feature ghash_cpu_feature[] = {