1 /*- 2 * Copyright (c) 2017 Chelsio Communications, Inc. 3 * Copyright (c) 2021 The FreeBSD Foundation 4 * All rights reserved. 5 * Written by: John Baldwin <jhb@FreeBSD.org> 6 * 7 * Portions of this software were developed by Ararat River 8 * Consulting, LLC under sponsorship of the FreeBSD Foundation. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include <sys/types.h> 36 #include <sys/bus.h> 37 #include <sys/lock.h> 38 #include <sys/malloc.h> 39 #include <sys/mutex.h> 40 #include <sys/module.h> 41 #include <sys/sglist.h> 42 43 #include <opencrypto/cryptodev.h> 44 #include <opencrypto/xform.h> 45 46 #include "cryptodev_if.h" 47 48 #include "common/common.h" 49 #include "crypto/t4_crypto.h" 50 51 /* 52 * Requests consist of: 53 * 54 * +-------------------------------+ 55 * | struct fw_crypto_lookaside_wr | 56 * +-------------------------------+ 57 * | struct ulp_txpkt | 58 * +-------------------------------+ 59 * | struct ulptx_idata | 60 * +-------------------------------+ 61 * | struct cpl_tx_sec_pdu | 62 * +-------------------------------+ 63 * | struct cpl_tls_tx_scmd_fmt | 64 * +-------------------------------+ 65 * | key context header | 66 * +-------------------------------+ 67 * | AES key | ----- For requests with AES 68 * +-------------------------------+ 69 * | Hash state | ----- For hash-only requests 70 * +-------------------------------+ - 71 * | IPAD (16-byte aligned) | \ 72 * +-------------------------------+ +---- For requests with HMAC 73 * | OPAD (16-byte aligned) | / 74 * +-------------------------------+ - 75 * | GMAC H | ----- For AES-GCM 76 * +-------------------------------+ - 77 * | struct cpl_rx_phys_dsgl | \ 78 * +-------------------------------+ +---- Destination buffer for 79 * | PHYS_DSGL entries | / non-hash-only requests 80 * +-------------------------------+ - 81 * | 16 dummy bytes | ----- Only for HMAC/hash-only requests 82 * +-------------------------------+ 83 * | IV | ----- If immediate IV 84 * +-------------------------------+ 85 * | Payload | ----- If immediate Payload 86 * +-------------------------------+ - 87 * | struct ulptx_sgl | \ 88 * +-------------------------------+ +---- If payload via SGL 89 * | SGL entries | / 90 * +-------------------------------+ - 91 * 92 * Note that the key context must be padded to ensure 16-byte alignment. 93 * For HMAC requests, the key consists of the partial hash of the IPAD 94 * followed by the partial hash of the OPAD. 95 * 96 * Replies consist of: 97 * 98 * +-------------------------------+ 99 * | struct cpl_fw6_pld | 100 * +-------------------------------+ 101 * | hash digest | ----- For HMAC request with 102 * +-------------------------------+ 'hash_size' set in work request 103 * 104 * A 32-bit big-endian error status word is supplied in the last 4 105 * bytes of data[0] in the CPL_FW6_PLD message. bit 0 indicates a 106 * "MAC" error and bit 1 indicates a "PAD" error. 107 * 108 * The 64-bit 'cookie' field from the fw_crypto_lookaside_wr message 109 * in the request is returned in data[1] of the CPL_FW6_PLD message. 110 * 111 * For block cipher replies, the updated IV is supplied in data[2] and 112 * data[3] of the CPL_FW6_PLD message. 113 * 114 * For hash replies where the work request set 'hash_size' to request 115 * a copy of the hash in the reply, the hash digest is supplied 116 * immediately following the CPL_FW6_PLD message. 117 */ 118 119 /* 120 * The crypto engine supports a maximum AAD size of 511 bytes. 121 */ 122 #define MAX_AAD_LEN 511 123 124 /* 125 * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32 SG 126 * entries. While the CPL includes a 16-bit length field, the T6 can 127 * sometimes hang if an error occurs while processing a request with a 128 * single DSGL entry larger than 2k. 129 */ 130 #define MAX_RX_PHYS_DSGL_SGE 32 131 #define DSGL_SGE_MAXLEN 2048 132 133 /* 134 * The adapter only supports requests with a total input or output 135 * length of 64k-1 or smaller. Longer requests either result in hung 136 * requests or incorrect results. 137 */ 138 #define MAX_REQUEST_SIZE 65535 139 140 static MALLOC_DEFINE(M_CCR, "ccr", "Chelsio T6 crypto"); 141 142 struct ccr_session_hmac { 143 const struct auth_hash *auth_hash; 144 int hash_len; 145 unsigned int partial_digest_len; 146 unsigned int auth_mode; 147 unsigned int mk_size; 148 char pads[CHCR_HASH_MAX_BLOCK_SIZE_128 * 2]; 149 }; 150 151 struct ccr_session_gmac { 152 int hash_len; 153 char ghash_h[GMAC_BLOCK_LEN]; 154 }; 155 156 struct ccr_session_ccm_mac { 157 int hash_len; 158 }; 159 160 struct ccr_session_cipher { 161 unsigned int cipher_mode; 162 unsigned int key_len; 163 unsigned int iv_len; 164 __be32 key_ctx_hdr; 165 char enckey[CHCR_AES_MAX_KEY_LEN]; 166 char deckey[CHCR_AES_MAX_KEY_LEN]; 167 }; 168 169 struct ccr_port { 170 struct sge_wrq *txq; 171 struct sge_rxq *rxq; 172 int rx_channel_id; 173 int tx_channel_id; 174 u_int active_sessions; 175 176 counter_u64_t stats_queued; 177 counter_u64_t stats_completed; 178 }; 179 180 struct ccr_session { 181 #ifdef INVARIANTS 182 int pending; 183 #endif 184 enum { HASH, HMAC, CIPHER, ETA, GCM, CCM } mode; 185 struct ccr_port *port; 186 union { 187 struct ccr_session_hmac hmac; 188 struct ccr_session_gmac gmac; 189 struct ccr_session_ccm_mac ccm_mac; 190 }; 191 struct ccr_session_cipher cipher; 192 struct mtx lock; 193 194 /* 195 * A fallback software session is used for certain GCM/CCM 196 * requests that the hardware can't handle such as requests 197 * with only AAD and no payload. 198 */ 199 crypto_session_t sw_session; 200 201 /* 202 * Pre-allocate S/G lists used when preparing a work request. 203 * 'sg_input' contains an sglist describing the entire input 204 * buffer for a 'struct cryptop'. 'sg_output' contains an 205 * sglist describing the entire output buffer. 'sg_ulptx' is 206 * used to describe the data the engine should DMA as input 207 * via ULPTX_SGL. 'sg_dsgl' is used to describe the 208 * destination that cipher text and a tag should be written 209 * to. 210 */ 211 struct sglist *sg_input; 212 struct sglist *sg_output; 213 struct sglist *sg_ulptx; 214 struct sglist *sg_dsgl; 215 }; 216 217 struct ccr_softc { 218 struct adapter *adapter; 219 device_t dev; 220 uint32_t cid; 221 struct mtx lock; 222 bool detaching; 223 struct ccr_port ports[MAX_NPORTS]; 224 u_int port_mask; 225 int first_rxq_id; 226 227 /* 228 * Pre-allocate a dummy output buffer for the IV and AAD for 229 * AEAD requests. 230 */ 231 char *iv_aad_buf; 232 struct sglist *sg_iv_aad; 233 234 /* Statistics. */ 235 counter_u64_t stats_cipher_encrypt; 236 counter_u64_t stats_cipher_decrypt; 237 counter_u64_t stats_hash; 238 counter_u64_t stats_hmac; 239 counter_u64_t stats_eta_encrypt; 240 counter_u64_t stats_eta_decrypt; 241 counter_u64_t stats_gcm_encrypt; 242 counter_u64_t stats_gcm_decrypt; 243 counter_u64_t stats_ccm_encrypt; 244 counter_u64_t stats_ccm_decrypt; 245 counter_u64_t stats_wr_nomem; 246 counter_u64_t stats_inflight; 247 counter_u64_t stats_mac_error; 248 counter_u64_t stats_pad_error; 249 counter_u64_t stats_sglist_error; 250 counter_u64_t stats_process_error; 251 counter_u64_t stats_sw_fallback; 252 }; 253 254 /* 255 * Crypto requests involve two kind of scatter/gather lists. 256 * 257 * Non-hash-only requests require a PHYS_DSGL that describes the 258 * location to store the results of the encryption or decryption 259 * operation. This SGL uses a different format (PHYS_DSGL) and should 260 * exclude the skip bytes at the start of the data as well as any AAD 261 * or IV. For authenticated encryption requests it should include the 262 * destination of the hash or tag. 263 * 264 * The input payload may either be supplied inline as immediate data, 265 * or via a standard ULP_TX SGL. This SGL should include AAD, 266 * ciphertext, and the hash or tag for authenticated decryption 267 * requests. 268 * 269 * These scatter/gather lists can describe different subsets of the 270 * buffers described by the crypto operation. ccr_populate_sglist() 271 * generates a scatter/gather list that covers an entire crypto 272 * operation buffer that is then used to construct the other 273 * scatter/gather lists. 274 */ 275 static int 276 ccr_populate_sglist(struct sglist *sg, struct crypto_buffer *cb) 277 { 278 int error; 279 280 sglist_reset(sg); 281 switch (cb->cb_type) { 282 case CRYPTO_BUF_MBUF: 283 error = sglist_append_mbuf(sg, cb->cb_mbuf); 284 break; 285 case CRYPTO_BUF_SINGLE_MBUF: 286 error = sglist_append_single_mbuf(sg, cb->cb_mbuf); 287 break; 288 case CRYPTO_BUF_UIO: 289 error = sglist_append_uio(sg, cb->cb_uio); 290 break; 291 case CRYPTO_BUF_CONTIG: 292 error = sglist_append(sg, cb->cb_buf, cb->cb_buf_len); 293 break; 294 case CRYPTO_BUF_VMPAGE: 295 error = sglist_append_vmpages(sg, cb->cb_vm_page, 296 cb->cb_vm_page_len, cb->cb_vm_page_offset); 297 break; 298 default: 299 error = EINVAL; 300 } 301 return (error); 302 } 303 304 /* 305 * Segments in 'sg' larger than 'maxsegsize' are counted as multiple 306 * segments. 307 */ 308 static int 309 ccr_count_sgl(struct sglist *sg, int maxsegsize) 310 { 311 int i, nsegs; 312 313 nsegs = 0; 314 for (i = 0; i < sg->sg_nseg; i++) 315 nsegs += howmany(sg->sg_segs[i].ss_len, maxsegsize); 316 return (nsegs); 317 } 318 319 /* These functions deal with PHYS_DSGL for the reply buffer. */ 320 static inline int 321 ccr_phys_dsgl_len(int nsegs) 322 { 323 int len; 324 325 len = (nsegs / 8) * sizeof(struct phys_sge_pairs); 326 if ((nsegs % 8) != 0) { 327 len += sizeof(uint16_t) * 8; 328 len += roundup2(nsegs % 8, 2) * sizeof(uint64_t); 329 } 330 return (len); 331 } 332 333 static void 334 ccr_write_phys_dsgl(struct ccr_session *s, void *dst, int nsegs) 335 { 336 struct sglist *sg; 337 struct cpl_rx_phys_dsgl *cpl; 338 struct phys_sge_pairs *sgl; 339 vm_paddr_t paddr; 340 size_t seglen; 341 u_int i, j; 342 343 sg = s->sg_dsgl; 344 cpl = dst; 345 cpl->op_to_tid = htobe32(V_CPL_RX_PHYS_DSGL_OPCODE(CPL_RX_PHYS_DSGL) | 346 V_CPL_RX_PHYS_DSGL_ISRDMA(0)); 347 cpl->pcirlxorder_to_noofsgentr = htobe32( 348 V_CPL_RX_PHYS_DSGL_PCIRLXORDER(0) | 349 V_CPL_RX_PHYS_DSGL_PCINOSNOOP(0) | 350 V_CPL_RX_PHYS_DSGL_PCITPHNTENB(0) | V_CPL_RX_PHYS_DSGL_DCAID(0) | 351 V_CPL_RX_PHYS_DSGL_NOOFSGENTR(nsegs)); 352 cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR; 353 cpl->rss_hdr_int.qid = htobe16(s->port->rxq->iq.abs_id); 354 cpl->rss_hdr_int.hash_val = 0; 355 cpl->rss_hdr_int.channel = s->port->rx_channel_id; 356 sgl = (struct phys_sge_pairs *)(cpl + 1); 357 j = 0; 358 for (i = 0; i < sg->sg_nseg; i++) { 359 seglen = sg->sg_segs[i].ss_len; 360 paddr = sg->sg_segs[i].ss_paddr; 361 do { 362 sgl->addr[j] = htobe64(paddr); 363 if (seglen > DSGL_SGE_MAXLEN) { 364 sgl->len[j] = htobe16(DSGL_SGE_MAXLEN); 365 paddr += DSGL_SGE_MAXLEN; 366 seglen -= DSGL_SGE_MAXLEN; 367 } else { 368 sgl->len[j] = htobe16(seglen); 369 seglen = 0; 370 } 371 j++; 372 if (j == 8) { 373 sgl++; 374 j = 0; 375 } 376 } while (seglen != 0); 377 } 378 MPASS(j + 8 * (sgl - (struct phys_sge_pairs *)(cpl + 1)) == nsegs); 379 } 380 381 /* These functions deal with the ULPTX_SGL for input payload. */ 382 static inline int 383 ccr_ulptx_sgl_len(int nsegs) 384 { 385 u_int n; 386 387 nsegs--; /* first segment is part of ulptx_sgl */ 388 n = sizeof(struct ulptx_sgl) + 8 * ((3 * nsegs) / 2 + (nsegs & 1)); 389 return (roundup2(n, 16)); 390 } 391 392 static void 393 ccr_write_ulptx_sgl(struct ccr_session *s, void *dst, int nsegs) 394 { 395 struct ulptx_sgl *usgl; 396 struct sglist *sg; 397 struct sglist_seg *ss; 398 int i; 399 400 sg = s->sg_ulptx; 401 MPASS(nsegs == sg->sg_nseg); 402 ss = &sg->sg_segs[0]; 403 usgl = dst; 404 usgl->cmd_nsge = htobe32(V_ULPTX_CMD(ULP_TX_SC_DSGL) | 405 V_ULPTX_NSGE(nsegs)); 406 usgl->len0 = htobe32(ss->ss_len); 407 usgl->addr0 = htobe64(ss->ss_paddr); 408 ss++; 409 for (i = 0; i < sg->sg_nseg - 1; i++) { 410 usgl->sge[i / 2].len[i & 1] = htobe32(ss->ss_len); 411 usgl->sge[i / 2].addr[i & 1] = htobe64(ss->ss_paddr); 412 ss++; 413 } 414 } 415 416 static bool 417 ccr_use_imm_data(u_int transhdr_len, u_int input_len) 418 { 419 420 if (input_len > CRYPTO_MAX_IMM_TX_PKT_LEN) 421 return (false); 422 if (roundup2(transhdr_len, 16) + roundup2(input_len, 16) > 423 SGE_MAX_WR_LEN) 424 return (false); 425 return (true); 426 } 427 428 static void 429 ccr_populate_wreq(struct ccr_softc *sc, struct ccr_session *s, 430 struct chcr_wr *crwr, u_int kctx_len, u_int wr_len, u_int imm_len, 431 u_int sgl_len, u_int hash_size, struct cryptop *crp) 432 { 433 u_int cctx_size, idata_len; 434 435 cctx_size = sizeof(struct _key_ctx) + kctx_len; 436 crwr->wreq.op_to_cctx_size = htobe32( 437 V_FW_CRYPTO_LOOKASIDE_WR_OPCODE(FW_CRYPTO_LOOKASIDE_WR) | 438 V_FW_CRYPTO_LOOKASIDE_WR_COMPL(0) | 439 V_FW_CRYPTO_LOOKASIDE_WR_IMM_LEN(imm_len) | 440 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_LOC(1) | 441 V_FW_CRYPTO_LOOKASIDE_WR_CCTX_SIZE(cctx_size >> 4)); 442 crwr->wreq.len16_pkd = htobe32( 443 V_FW_CRYPTO_LOOKASIDE_WR_LEN16(wr_len / 16)); 444 crwr->wreq.session_id = 0; 445 crwr->wreq.rx_chid_to_rx_q_id = htobe32( 446 V_FW_CRYPTO_LOOKASIDE_WR_RX_CHID(s->port->rx_channel_id) | 447 V_FW_CRYPTO_LOOKASIDE_WR_LCB(0) | 448 V_FW_CRYPTO_LOOKASIDE_WR_PHASH(0) | 449 V_FW_CRYPTO_LOOKASIDE_WR_IV(IV_NOP) | 450 V_FW_CRYPTO_LOOKASIDE_WR_FQIDX(0) | 451 V_FW_CRYPTO_LOOKASIDE_WR_TX_CH(0) | /* unused in firmware */ 452 V_FW_CRYPTO_LOOKASIDE_WR_RX_Q_ID(s->port->rxq->iq.abs_id)); 453 crwr->wreq.key_addr = 0; 454 crwr->wreq.pld_size_hash_size = htobe32( 455 V_FW_CRYPTO_LOOKASIDE_WR_PLD_SIZE(sgl_len) | 456 V_FW_CRYPTO_LOOKASIDE_WR_HASH_SIZE(hash_size)); 457 crwr->wreq.cookie = htobe64((uintptr_t)crp); 458 459 crwr->ulptx.cmd_dest = htobe32(V_ULPTX_CMD(ULP_TX_PKT) | 460 V_ULP_TXPKT_DATAMODIFY(0) | 461 V_ULP_TXPKT_CHANNELID(s->port->tx_channel_id) | 462 V_ULP_TXPKT_DEST(0) | 463 V_ULP_TXPKT_FID(sc->first_rxq_id) | V_ULP_TXPKT_RO(1)); 464 crwr->ulptx.len = htobe32( 465 ((wr_len - sizeof(struct fw_crypto_lookaside_wr)) / 16)); 466 467 crwr->sc_imm.cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_IMM) | 468 V_ULP_TX_SC_MORE(sgl_len != 0 ? 1 : 0)); 469 idata_len = wr_len - offsetof(struct chcr_wr, sec_cpl) - sgl_len; 470 if (imm_len % 16 != 0) 471 idata_len -= 16 - imm_len % 16; 472 crwr->sc_imm.len = htobe32(idata_len); 473 } 474 475 static int 476 ccr_hash(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 477 { 478 struct chcr_wr *crwr; 479 struct wrqe *wr; 480 const struct auth_hash *axf; 481 char *dst; 482 u_int hash_size_in_response, kctx_flits, kctx_len, transhdr_len, wr_len; 483 u_int hmac_ctrl, imm_len, iopad_size; 484 int error, sgl_nsegs, sgl_len, use_opad; 485 486 /* Reject requests with too large of an input buffer. */ 487 if (crp->crp_payload_length > MAX_REQUEST_SIZE) 488 return (EFBIG); 489 490 axf = s->hmac.auth_hash; 491 492 if (s->mode == HMAC) { 493 use_opad = 1; 494 hmac_ctrl = SCMD_HMAC_CTRL_NO_TRUNC; 495 } else { 496 use_opad = 0; 497 hmac_ctrl = SCMD_HMAC_CTRL_NOP; 498 } 499 500 /* PADs must be 128-bit aligned. */ 501 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 502 503 /* 504 * The 'key' part of the context includes the aligned IPAD and 505 * OPAD. 506 */ 507 kctx_len = iopad_size; 508 if (use_opad) 509 kctx_len += iopad_size; 510 hash_size_in_response = axf->hashsize; 511 transhdr_len = HASH_TRANSHDR_SIZE(kctx_len); 512 513 if (crp->crp_payload_length == 0) { 514 imm_len = axf->blocksize; 515 sgl_nsegs = 0; 516 sgl_len = 0; 517 } else if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length)) { 518 imm_len = crp->crp_payload_length; 519 sgl_nsegs = 0; 520 sgl_len = 0; 521 } else { 522 imm_len = 0; 523 sglist_reset(s->sg_ulptx); 524 error = sglist_append_sglist(s->sg_ulptx, s->sg_input, 525 crp->crp_payload_start, crp->crp_payload_length); 526 if (error) 527 return (error); 528 sgl_nsegs = s->sg_ulptx->sg_nseg; 529 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 530 } 531 532 wr_len = roundup2(transhdr_len, 16) + roundup2(imm_len, 16) + sgl_len; 533 if (wr_len > SGE_MAX_WR_LEN) 534 return (EFBIG); 535 wr = alloc_wrqe(wr_len, s->port->txq); 536 if (wr == NULL) { 537 counter_u64_add(sc->stats_wr_nomem, 1); 538 return (ENOMEM); 539 } 540 crwr = wrtod(wr); 541 memset(crwr, 0, wr_len); 542 543 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 544 hash_size_in_response, crp); 545 546 crwr->sec_cpl.op_ivinsrtofst = htobe32( 547 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 548 V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) | 549 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 550 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 551 V_CPL_TX_SEC_PDU_IVINSRTOFST(0)); 552 553 crwr->sec_cpl.pldlen = htobe32(crp->crp_payload_length == 0 ? 554 axf->blocksize : crp->crp_payload_length); 555 556 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 557 V_CPL_TX_SEC_PDU_AUTHSTART(1) | V_CPL_TX_SEC_PDU_AUTHSTOP(0)); 558 559 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 560 crwr->sec_cpl.seqno_numivs = htobe32( 561 V_SCMD_SEQ_NO_CTRL(0) | 562 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 563 V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_NOP) | 564 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 565 V_SCMD_HMAC_CTRL(hmac_ctrl)); 566 crwr->sec_cpl.ivgen_hdrlen = htobe32( 567 V_SCMD_LAST_FRAG(0) | 568 V_SCMD_MORE_FRAGS(crp->crp_payload_length == 0 ? 1 : 0) | 569 V_SCMD_MAC_ONLY(1)); 570 571 memcpy(crwr->key_ctx.key, s->hmac.pads, kctx_len); 572 573 /* XXX: F_KEY_CONTEXT_SALT_PRESENT set, but 'salt' not set. */ 574 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 575 crwr->key_ctx.ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 576 V_KEY_CONTEXT_OPAD_PRESENT(use_opad) | 577 V_KEY_CONTEXT_SALT_PRESENT(1) | 578 V_KEY_CONTEXT_CK_SIZE(CHCR_KEYCTX_NO_KEY) | 579 V_KEY_CONTEXT_MK_SIZE(s->hmac.mk_size) | V_KEY_CONTEXT_VALID(1)); 580 581 dst = (char *)(crwr + 1) + kctx_len + DUMMY_BYTES; 582 if (crp->crp_payload_length == 0) { 583 dst[0] = 0x80; 584 if (s->mode == HMAC) 585 *(uint64_t *)(dst + axf->blocksize - sizeof(uint64_t)) = 586 htobe64(axf->blocksize << 3); 587 } else if (imm_len != 0) 588 crypto_copydata(crp, crp->crp_payload_start, 589 crp->crp_payload_length, dst); 590 else 591 ccr_write_ulptx_sgl(s, dst, sgl_nsegs); 592 593 /* XXX: TODO backpressure */ 594 t4_wrq_tx(sc->adapter, wr); 595 596 return (0); 597 } 598 599 static int 600 ccr_hash_done(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp, 601 const struct cpl_fw6_pld *cpl, int error) 602 { 603 uint8_t hash[HASH_MAX_LEN]; 604 605 if (error) 606 return (error); 607 608 if (crp->crp_op & CRYPTO_OP_VERIFY_DIGEST) { 609 crypto_copydata(crp, crp->crp_digest_start, s->hmac.hash_len, 610 hash); 611 if (timingsafe_bcmp((cpl + 1), hash, s->hmac.hash_len) != 0) 612 return (EBADMSG); 613 } else 614 crypto_copyback(crp, crp->crp_digest_start, s->hmac.hash_len, 615 (cpl + 1)); 616 return (0); 617 } 618 619 static int 620 ccr_cipher(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 621 { 622 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 623 struct chcr_wr *crwr; 624 struct wrqe *wr; 625 char *dst; 626 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 627 u_int imm_len, iv_len; 628 int dsgl_nsegs, dsgl_len; 629 int sgl_nsegs, sgl_len; 630 int error; 631 632 if (s->cipher.key_len == 0 || crp->crp_payload_length == 0) 633 return (EINVAL); 634 if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC && 635 (crp->crp_payload_length % AES_BLOCK_LEN) != 0) 636 return (EINVAL); 637 638 /* Reject requests with too large of an input buffer. */ 639 if (crp->crp_payload_length > MAX_REQUEST_SIZE) 640 return (EFBIG); 641 642 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 643 op_type = CHCR_ENCRYPT_OP; 644 else 645 op_type = CHCR_DECRYPT_OP; 646 647 sglist_reset(s->sg_dsgl); 648 if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) 649 error = sglist_append_sglist(s->sg_dsgl, s->sg_output, 650 crp->crp_payload_output_start, crp->crp_payload_length); 651 else 652 error = sglist_append_sglist(s->sg_dsgl, s->sg_input, 653 crp->crp_payload_start, crp->crp_payload_length); 654 if (error) 655 return (error); 656 dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN); 657 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 658 return (EFBIG); 659 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 660 661 /* The 'key' must be 128-bit aligned. */ 662 kctx_len = roundup2(s->cipher.key_len, 16); 663 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 664 665 /* For AES-XTS we send a 16-byte IV in the work request. */ 666 if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS) 667 iv_len = AES_BLOCK_LEN; 668 else 669 iv_len = s->cipher.iv_len; 670 671 if (ccr_use_imm_data(transhdr_len, crp->crp_payload_length + iv_len)) { 672 imm_len = crp->crp_payload_length; 673 sgl_nsegs = 0; 674 sgl_len = 0; 675 } else { 676 imm_len = 0; 677 sglist_reset(s->sg_ulptx); 678 error = sglist_append_sglist(s->sg_ulptx, s->sg_input, 679 crp->crp_payload_start, crp->crp_payload_length); 680 if (error) 681 return (error); 682 sgl_nsegs = s->sg_ulptx->sg_nseg; 683 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 684 } 685 686 wr_len = roundup2(transhdr_len, 16) + iv_len + 687 roundup2(imm_len, 16) + sgl_len; 688 if (wr_len > SGE_MAX_WR_LEN) 689 return (EFBIG); 690 wr = alloc_wrqe(wr_len, s->port->txq); 691 if (wr == NULL) { 692 counter_u64_add(sc->stats_wr_nomem, 1); 693 return (ENOMEM); 694 } 695 crwr = wrtod(wr); 696 memset(crwr, 0, wr_len); 697 698 crypto_read_iv(crp, iv); 699 700 /* Zero the remainder of the IV for AES-XTS. */ 701 memset(iv + s->cipher.iv_len, 0, iv_len - s->cipher.iv_len); 702 703 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0, 704 crp); 705 706 crwr->sec_cpl.op_ivinsrtofst = htobe32( 707 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 708 V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) | 709 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 710 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 711 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 712 713 crwr->sec_cpl.pldlen = htobe32(iv_len + crp->crp_payload_length); 714 715 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 716 V_CPL_TX_SEC_PDU_CIPHERSTART(iv_len + 1) | 717 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 718 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 719 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0)); 720 721 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 722 crwr->sec_cpl.seqno_numivs = htobe32( 723 V_SCMD_SEQ_NO_CTRL(0) | 724 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 725 V_SCMD_ENC_DEC_CTRL(op_type) | 726 V_SCMD_CIPH_MODE(s->cipher.cipher_mode) | 727 V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_NOP) | 728 V_SCMD_HMAC_CTRL(SCMD_HMAC_CTRL_NOP) | 729 V_SCMD_IV_SIZE(iv_len / 2) | 730 V_SCMD_NUM_IVS(0)); 731 crwr->sec_cpl.ivgen_hdrlen = htobe32( 732 V_SCMD_IV_GEN_CTRL(0) | 733 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 734 V_SCMD_AADIVDROP(1) | V_SCMD_HDR_LEN(dsgl_len)); 735 736 crwr->key_ctx.ctx_hdr = s->cipher.key_ctx_hdr; 737 switch (s->cipher.cipher_mode) { 738 case SCMD_CIPH_MODE_AES_CBC: 739 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 740 memcpy(crwr->key_ctx.key, s->cipher.enckey, 741 s->cipher.key_len); 742 else 743 memcpy(crwr->key_ctx.key, s->cipher.deckey, 744 s->cipher.key_len); 745 break; 746 case SCMD_CIPH_MODE_AES_CTR: 747 memcpy(crwr->key_ctx.key, s->cipher.enckey, 748 s->cipher.key_len); 749 break; 750 case SCMD_CIPH_MODE_AES_XTS: 751 key_half = s->cipher.key_len / 2; 752 memcpy(crwr->key_ctx.key, s->cipher.enckey + key_half, 753 key_half); 754 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 755 memcpy(crwr->key_ctx.key + key_half, 756 s->cipher.enckey, key_half); 757 else 758 memcpy(crwr->key_ctx.key + key_half, 759 s->cipher.deckey, key_half); 760 break; 761 } 762 763 dst = (char *)(crwr + 1) + kctx_len; 764 ccr_write_phys_dsgl(s, dst, dsgl_nsegs); 765 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 766 memcpy(dst, iv, iv_len); 767 dst += iv_len; 768 if (imm_len != 0) 769 crypto_copydata(crp, crp->crp_payload_start, 770 crp->crp_payload_length, dst); 771 else 772 ccr_write_ulptx_sgl(s, dst, sgl_nsegs); 773 774 /* XXX: TODO backpressure */ 775 t4_wrq_tx(sc->adapter, wr); 776 777 explicit_bzero(iv, sizeof(iv)); 778 return (0); 779 } 780 781 static int 782 ccr_cipher_done(struct ccr_softc *sc, struct ccr_session *s, 783 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 784 { 785 786 /* 787 * The updated IV to permit chained requests is at 788 * cpl->data[2], but OCF doesn't permit chained requests. 789 */ 790 return (error); 791 } 792 793 /* 794 * 'hashsize' is the length of a full digest. 'authsize' is the 795 * requested digest length for this operation which may be less 796 * than 'hashsize'. 797 */ 798 static int 799 ccr_hmac_ctrl(unsigned int hashsize, unsigned int authsize) 800 { 801 802 if (authsize == 10) 803 return (SCMD_HMAC_CTRL_TRUNC_RFC4366); 804 if (authsize == 12) 805 return (SCMD_HMAC_CTRL_IPSEC_96BIT); 806 if (authsize == hashsize / 2) 807 return (SCMD_HMAC_CTRL_DIV2); 808 return (SCMD_HMAC_CTRL_NO_TRUNC); 809 } 810 811 static int 812 ccr_eta(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 813 { 814 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 815 struct chcr_wr *crwr; 816 struct wrqe *wr; 817 const struct auth_hash *axf; 818 char *dst; 819 u_int kctx_len, key_half, op_type, transhdr_len, wr_len; 820 u_int hash_size_in_response, imm_len, iopad_size, iv_len; 821 u_int aad_start, aad_stop; 822 u_int auth_insert; 823 u_int cipher_start, cipher_stop; 824 u_int hmac_ctrl, input_len; 825 int dsgl_nsegs, dsgl_len; 826 int sgl_nsegs, sgl_len; 827 int error; 828 829 /* 830 * If there is a need in the future, requests with an empty 831 * payload could be supported as HMAC-only requests. 832 */ 833 if (s->cipher.key_len == 0 || crp->crp_payload_length == 0) 834 return (EINVAL); 835 if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_CBC && 836 (crp->crp_payload_length % AES_BLOCK_LEN) != 0) 837 return (EINVAL); 838 839 /* For AES-XTS we send a 16-byte IV in the work request. */ 840 if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS) 841 iv_len = AES_BLOCK_LEN; 842 else 843 iv_len = s->cipher.iv_len; 844 845 if (crp->crp_aad_length + iv_len > MAX_AAD_LEN) 846 return (EINVAL); 847 848 axf = s->hmac.auth_hash; 849 hash_size_in_response = s->hmac.hash_len; 850 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 851 op_type = CHCR_ENCRYPT_OP; 852 else 853 op_type = CHCR_DECRYPT_OP; 854 855 /* 856 * The output buffer consists of the cipher text followed by 857 * the hash when encrypting. For decryption it only contains 858 * the plain text. 859 * 860 * Due to a firmware bug, the output buffer must include a 861 * dummy output buffer for the IV and AAD prior to the real 862 * output buffer. 863 */ 864 if (op_type == CHCR_ENCRYPT_OP) { 865 if (iv_len + crp->crp_aad_length + crp->crp_payload_length + 866 hash_size_in_response > MAX_REQUEST_SIZE) 867 return (EFBIG); 868 } else { 869 if (iv_len + crp->crp_aad_length + crp->crp_payload_length > 870 MAX_REQUEST_SIZE) 871 return (EFBIG); 872 } 873 sglist_reset(s->sg_dsgl); 874 error = sglist_append_sglist(s->sg_dsgl, sc->sg_iv_aad, 0, 875 iv_len + crp->crp_aad_length); 876 if (error) 877 return (error); 878 if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) 879 error = sglist_append_sglist(s->sg_dsgl, s->sg_output, 880 crp->crp_payload_output_start, crp->crp_payload_length); 881 else 882 error = sglist_append_sglist(s->sg_dsgl, s->sg_input, 883 crp->crp_payload_start, crp->crp_payload_length); 884 if (error) 885 return (error); 886 if (op_type == CHCR_ENCRYPT_OP) { 887 if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) 888 error = sglist_append_sglist(s->sg_dsgl, s->sg_output, 889 crp->crp_digest_start, hash_size_in_response); 890 else 891 error = sglist_append_sglist(s->sg_dsgl, s->sg_input, 892 crp->crp_digest_start, hash_size_in_response); 893 if (error) 894 return (error); 895 } 896 dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN); 897 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 898 return (EFBIG); 899 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 900 901 /* PADs must be 128-bit aligned. */ 902 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 903 904 /* 905 * The 'key' part of the key context consists of the key followed 906 * by the IPAD and OPAD. 907 */ 908 kctx_len = roundup2(s->cipher.key_len, 16) + iopad_size * 2; 909 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 910 911 /* 912 * The input buffer consists of the IV, any AAD, and then the 913 * cipher/plain text. For decryption requests the hash is 914 * appended after the cipher text. 915 * 916 * The IV is always stored at the start of the input buffer 917 * even though it may be duplicated in the payload. The 918 * crypto engine doesn't work properly if the IV offset points 919 * inside of the AAD region, so a second copy is always 920 * required. 921 */ 922 input_len = crp->crp_aad_length + crp->crp_payload_length; 923 924 /* 925 * The firmware hangs if sent a request which is a 926 * bit smaller than MAX_REQUEST_SIZE. In particular, the 927 * firmware appears to require 512 - 16 bytes of spare room 928 * along with the size of the hash even if the hash isn't 929 * included in the input buffer. 930 */ 931 if (input_len + roundup2(axf->hashsize, 16) + (512 - 16) > 932 MAX_REQUEST_SIZE) 933 return (EFBIG); 934 if (op_type == CHCR_DECRYPT_OP) 935 input_len += hash_size_in_response; 936 937 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 938 imm_len = input_len; 939 sgl_nsegs = 0; 940 sgl_len = 0; 941 } else { 942 imm_len = 0; 943 sglist_reset(s->sg_ulptx); 944 if (crp->crp_aad_length != 0) { 945 if (crp->crp_aad != NULL) 946 error = sglist_append(s->sg_ulptx, 947 crp->crp_aad, crp->crp_aad_length); 948 else 949 error = sglist_append_sglist(s->sg_ulptx, 950 s->sg_input, crp->crp_aad_start, 951 crp->crp_aad_length); 952 if (error) 953 return (error); 954 } 955 error = sglist_append_sglist(s->sg_ulptx, s->sg_input, 956 crp->crp_payload_start, crp->crp_payload_length); 957 if (error) 958 return (error); 959 if (op_type == CHCR_DECRYPT_OP) { 960 error = sglist_append_sglist(s->sg_ulptx, s->sg_input, 961 crp->crp_digest_start, hash_size_in_response); 962 if (error) 963 return (error); 964 } 965 sgl_nsegs = s->sg_ulptx->sg_nseg; 966 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 967 } 968 969 /* Any AAD comes after the IV. */ 970 if (crp->crp_aad_length != 0) { 971 aad_start = iv_len + 1; 972 aad_stop = aad_start + crp->crp_aad_length - 1; 973 } else { 974 aad_start = 0; 975 aad_stop = 0; 976 } 977 cipher_start = iv_len + crp->crp_aad_length + 1; 978 if (op_type == CHCR_DECRYPT_OP) 979 cipher_stop = hash_size_in_response; 980 else 981 cipher_stop = 0; 982 if (op_type == CHCR_DECRYPT_OP) 983 auth_insert = hash_size_in_response; 984 else 985 auth_insert = 0; 986 987 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 988 sgl_len; 989 if (wr_len > SGE_MAX_WR_LEN) 990 return (EFBIG); 991 wr = alloc_wrqe(wr_len, s->port->txq); 992 if (wr == NULL) { 993 counter_u64_add(sc->stats_wr_nomem, 1); 994 return (ENOMEM); 995 } 996 crwr = wrtod(wr); 997 memset(crwr, 0, wr_len); 998 999 crypto_read_iv(crp, iv); 1000 1001 /* Zero the remainder of the IV for AES-XTS. */ 1002 memset(iv + s->cipher.iv_len, 0, iv_len - s->cipher.iv_len); 1003 1004 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 1005 op_type == CHCR_DECRYPT_OP ? hash_size_in_response : 0, crp); 1006 1007 crwr->sec_cpl.op_ivinsrtofst = htobe32( 1008 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 1009 V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) | 1010 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 1011 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 1012 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 1013 1014 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 1015 1016 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 1017 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 1018 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 1019 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 1020 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(cipher_stop >> 4)); 1021 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1022 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(cipher_stop & 0xf) | 1023 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1024 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1025 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1026 1027 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1028 hmac_ctrl = ccr_hmac_ctrl(axf->hashsize, hash_size_in_response); 1029 crwr->sec_cpl.seqno_numivs = htobe32( 1030 V_SCMD_SEQ_NO_CTRL(0) | 1031 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 1032 V_SCMD_ENC_DEC_CTRL(op_type) | 1033 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 1034 V_SCMD_CIPH_MODE(s->cipher.cipher_mode) | 1035 V_SCMD_AUTH_MODE(s->hmac.auth_mode) | 1036 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1037 V_SCMD_IV_SIZE(iv_len / 2) | 1038 V_SCMD_NUM_IVS(0)); 1039 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1040 V_SCMD_IV_GEN_CTRL(0) | 1041 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1042 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1043 1044 crwr->key_ctx.ctx_hdr = s->cipher.key_ctx_hdr; 1045 switch (s->cipher.cipher_mode) { 1046 case SCMD_CIPH_MODE_AES_CBC: 1047 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1048 memcpy(crwr->key_ctx.key, s->cipher.enckey, 1049 s->cipher.key_len); 1050 else 1051 memcpy(crwr->key_ctx.key, s->cipher.deckey, 1052 s->cipher.key_len); 1053 break; 1054 case SCMD_CIPH_MODE_AES_CTR: 1055 memcpy(crwr->key_ctx.key, s->cipher.enckey, 1056 s->cipher.key_len); 1057 break; 1058 case SCMD_CIPH_MODE_AES_XTS: 1059 key_half = s->cipher.key_len / 2; 1060 memcpy(crwr->key_ctx.key, s->cipher.enckey + key_half, 1061 key_half); 1062 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1063 memcpy(crwr->key_ctx.key + key_half, 1064 s->cipher.enckey, key_half); 1065 else 1066 memcpy(crwr->key_ctx.key + key_half, 1067 s->cipher.deckey, key_half); 1068 break; 1069 } 1070 1071 dst = crwr->key_ctx.key + roundup2(s->cipher.key_len, 16); 1072 memcpy(dst, s->hmac.pads, iopad_size * 2); 1073 1074 dst = (char *)(crwr + 1) + kctx_len; 1075 ccr_write_phys_dsgl(s, dst, dsgl_nsegs); 1076 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1077 memcpy(dst, iv, iv_len); 1078 dst += iv_len; 1079 if (imm_len != 0) { 1080 if (crp->crp_aad_length != 0) { 1081 if (crp->crp_aad != NULL) 1082 memcpy(dst, crp->crp_aad, crp->crp_aad_length); 1083 else 1084 crypto_copydata(crp, crp->crp_aad_start, 1085 crp->crp_aad_length, dst); 1086 dst += crp->crp_aad_length; 1087 } 1088 crypto_copydata(crp, crp->crp_payload_start, 1089 crp->crp_payload_length, dst); 1090 dst += crp->crp_payload_length; 1091 if (op_type == CHCR_DECRYPT_OP) 1092 crypto_copydata(crp, crp->crp_digest_start, 1093 hash_size_in_response, dst); 1094 } else 1095 ccr_write_ulptx_sgl(s, dst, sgl_nsegs); 1096 1097 /* XXX: TODO backpressure */ 1098 t4_wrq_tx(sc->adapter, wr); 1099 1100 explicit_bzero(iv, sizeof(iv)); 1101 return (0); 1102 } 1103 1104 static int 1105 ccr_eta_done(struct ccr_softc *sc, struct ccr_session *s, 1106 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1107 { 1108 1109 /* 1110 * The updated IV to permit chained requests is at 1111 * cpl->data[2], but OCF doesn't permit chained requests. 1112 */ 1113 return (error); 1114 } 1115 1116 static int 1117 ccr_gcm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 1118 { 1119 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 1120 struct chcr_wr *crwr; 1121 struct wrqe *wr; 1122 char *dst; 1123 u_int iv_len, kctx_len, op_type, transhdr_len, wr_len; 1124 u_int hash_size_in_response, imm_len; 1125 u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert; 1126 u_int hmac_ctrl, input_len; 1127 int dsgl_nsegs, dsgl_len; 1128 int sgl_nsegs, sgl_len; 1129 int error; 1130 1131 if (s->cipher.key_len == 0) 1132 return (EINVAL); 1133 1134 /* 1135 * The crypto engine doesn't handle GCM requests with an empty 1136 * payload, so handle those in software instead. 1137 */ 1138 if (crp->crp_payload_length == 0) 1139 return (EMSGSIZE); 1140 1141 if (crp->crp_aad_length + AES_BLOCK_LEN > MAX_AAD_LEN) 1142 return (EMSGSIZE); 1143 1144 hash_size_in_response = s->gmac.hash_len; 1145 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1146 op_type = CHCR_ENCRYPT_OP; 1147 else 1148 op_type = CHCR_DECRYPT_OP; 1149 1150 iv_len = AES_BLOCK_LEN; 1151 1152 /* 1153 * GCM requests should always provide an explicit IV. 1154 */ 1155 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) 1156 return (EINVAL); 1157 1158 /* 1159 * The output buffer consists of the cipher text followed by 1160 * the tag when encrypting. For decryption it only contains 1161 * the plain text. 1162 * 1163 * Due to a firmware bug, the output buffer must include a 1164 * dummy output buffer for the IV and AAD prior to the real 1165 * output buffer. 1166 */ 1167 if (op_type == CHCR_ENCRYPT_OP) { 1168 if (iv_len + crp->crp_aad_length + crp->crp_payload_length + 1169 hash_size_in_response > MAX_REQUEST_SIZE) 1170 return (EFBIG); 1171 } else { 1172 if (iv_len + crp->crp_aad_length + crp->crp_payload_length > 1173 MAX_REQUEST_SIZE) 1174 return (EFBIG); 1175 } 1176 sglist_reset(s->sg_dsgl); 1177 error = sglist_append_sglist(s->sg_dsgl, sc->sg_iv_aad, 0, iv_len + 1178 crp->crp_aad_length); 1179 if (error) 1180 return (error); 1181 if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) 1182 error = sglist_append_sglist(s->sg_dsgl, s->sg_output, 1183 crp->crp_payload_output_start, crp->crp_payload_length); 1184 else 1185 error = sglist_append_sglist(s->sg_dsgl, s->sg_input, 1186 crp->crp_payload_start, crp->crp_payload_length); 1187 if (error) 1188 return (error); 1189 if (op_type == CHCR_ENCRYPT_OP) { 1190 if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) 1191 error = sglist_append_sglist(s->sg_dsgl, s->sg_output, 1192 crp->crp_digest_start, hash_size_in_response); 1193 else 1194 error = sglist_append_sglist(s->sg_dsgl, s->sg_input, 1195 crp->crp_digest_start, hash_size_in_response); 1196 if (error) 1197 return (error); 1198 } 1199 dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN); 1200 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 1201 return (EFBIG); 1202 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 1203 1204 /* 1205 * The 'key' part of the key context consists of the key followed 1206 * by the Galois hash key. 1207 */ 1208 kctx_len = roundup2(s->cipher.key_len, 16) + GMAC_BLOCK_LEN; 1209 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 1210 1211 /* 1212 * The input buffer consists of the IV, any AAD, and then the 1213 * cipher/plain text. For decryption requests the hash is 1214 * appended after the cipher text. 1215 * 1216 * The IV is always stored at the start of the input buffer 1217 * even though it may be duplicated in the payload. The 1218 * crypto engine doesn't work properly if the IV offset points 1219 * inside of the AAD region, so a second copy is always 1220 * required. 1221 */ 1222 input_len = crp->crp_aad_length + crp->crp_payload_length; 1223 if (op_type == CHCR_DECRYPT_OP) 1224 input_len += hash_size_in_response; 1225 if (input_len > MAX_REQUEST_SIZE) 1226 return (EFBIG); 1227 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 1228 imm_len = input_len; 1229 sgl_nsegs = 0; 1230 sgl_len = 0; 1231 } else { 1232 imm_len = 0; 1233 sglist_reset(s->sg_ulptx); 1234 if (crp->crp_aad_length != 0) { 1235 if (crp->crp_aad != NULL) 1236 error = sglist_append(s->sg_ulptx, 1237 crp->crp_aad, crp->crp_aad_length); 1238 else 1239 error = sglist_append_sglist(s->sg_ulptx, 1240 s->sg_input, crp->crp_aad_start, 1241 crp->crp_aad_length); 1242 if (error) 1243 return (error); 1244 } 1245 error = sglist_append_sglist(s->sg_ulptx, s->sg_input, 1246 crp->crp_payload_start, crp->crp_payload_length); 1247 if (error) 1248 return (error); 1249 if (op_type == CHCR_DECRYPT_OP) { 1250 error = sglist_append_sglist(s->sg_ulptx, s->sg_input, 1251 crp->crp_digest_start, hash_size_in_response); 1252 if (error) 1253 return (error); 1254 } 1255 sgl_nsegs = s->sg_ulptx->sg_nseg; 1256 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 1257 } 1258 1259 if (crp->crp_aad_length != 0) { 1260 aad_start = iv_len + 1; 1261 aad_stop = aad_start + crp->crp_aad_length - 1; 1262 } else { 1263 aad_start = 0; 1264 aad_stop = 0; 1265 } 1266 cipher_start = iv_len + crp->crp_aad_length + 1; 1267 if (op_type == CHCR_DECRYPT_OP) 1268 cipher_stop = hash_size_in_response; 1269 else 1270 cipher_stop = 0; 1271 if (op_type == CHCR_DECRYPT_OP) 1272 auth_insert = hash_size_in_response; 1273 else 1274 auth_insert = 0; 1275 1276 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 1277 sgl_len; 1278 if (wr_len > SGE_MAX_WR_LEN) 1279 return (EFBIG); 1280 wr = alloc_wrqe(wr_len, s->port->txq); 1281 if (wr == NULL) { 1282 counter_u64_add(sc->stats_wr_nomem, 1); 1283 return (ENOMEM); 1284 } 1285 crwr = wrtod(wr); 1286 memset(crwr, 0, wr_len); 1287 1288 crypto_read_iv(crp, iv); 1289 *(uint32_t *)&iv[12] = htobe32(1); 1290 1291 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0, 1292 crp); 1293 1294 crwr->sec_cpl.op_ivinsrtofst = htobe32( 1295 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 1296 V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) | 1297 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 1298 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 1299 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 1300 1301 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 1302 1303 /* 1304 * NB: cipherstop is explicitly set to 0. On encrypt it 1305 * should normally be set to 0 anyway. However, for decrypt 1306 * the cipher ends before the tag in the ETA case (and 1307 * authstop is set to stop before the tag), but for GCM the 1308 * cipher still runs to the end of the buffer. Not sure if 1309 * this is intentional or a firmware quirk, but it is required 1310 * for working tag validation with GCM decryption. 1311 */ 1312 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 1313 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 1314 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 1315 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 1316 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 1317 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1318 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) | 1319 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1320 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1321 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1322 1323 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1324 hmac_ctrl = ccr_hmac_ctrl(AES_GMAC_HASH_LEN, hash_size_in_response); 1325 crwr->sec_cpl.seqno_numivs = htobe32( 1326 V_SCMD_SEQ_NO_CTRL(0) | 1327 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 1328 V_SCMD_ENC_DEC_CTRL(op_type) | 1329 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 1 : 0) | 1330 V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_GCM) | 1331 V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_GHASH) | 1332 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1333 V_SCMD_IV_SIZE(iv_len / 2) | 1334 V_SCMD_NUM_IVS(0)); 1335 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1336 V_SCMD_IV_GEN_CTRL(0) | 1337 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1338 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1339 1340 crwr->key_ctx.ctx_hdr = s->cipher.key_ctx_hdr; 1341 memcpy(crwr->key_ctx.key, s->cipher.enckey, s->cipher.key_len); 1342 dst = crwr->key_ctx.key + roundup2(s->cipher.key_len, 16); 1343 memcpy(dst, s->gmac.ghash_h, GMAC_BLOCK_LEN); 1344 1345 dst = (char *)(crwr + 1) + kctx_len; 1346 ccr_write_phys_dsgl(s, dst, dsgl_nsegs); 1347 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1348 memcpy(dst, iv, iv_len); 1349 dst += iv_len; 1350 if (imm_len != 0) { 1351 if (crp->crp_aad_length != 0) { 1352 if (crp->crp_aad != NULL) 1353 memcpy(dst, crp->crp_aad, crp->crp_aad_length); 1354 else 1355 crypto_copydata(crp, crp->crp_aad_start, 1356 crp->crp_aad_length, dst); 1357 dst += crp->crp_aad_length; 1358 } 1359 crypto_copydata(crp, crp->crp_payload_start, 1360 crp->crp_payload_length, dst); 1361 dst += crp->crp_payload_length; 1362 if (op_type == CHCR_DECRYPT_OP) 1363 crypto_copydata(crp, crp->crp_digest_start, 1364 hash_size_in_response, dst); 1365 } else 1366 ccr_write_ulptx_sgl(s, dst, sgl_nsegs); 1367 1368 /* XXX: TODO backpressure */ 1369 t4_wrq_tx(sc->adapter, wr); 1370 1371 explicit_bzero(iv, sizeof(iv)); 1372 return (0); 1373 } 1374 1375 static int 1376 ccr_gcm_done(struct ccr_softc *sc, struct ccr_session *s, 1377 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1378 { 1379 1380 /* 1381 * The updated IV to permit chained requests is at 1382 * cpl->data[2], but OCF doesn't permit chained requests. 1383 * 1384 * Note that the hardware should always verify the GMAC hash. 1385 */ 1386 return (error); 1387 } 1388 1389 static int 1390 ccr_ccm_hmac_ctrl(unsigned int authsize) 1391 { 1392 switch (authsize) { 1393 case 4: 1394 return (SCMD_HMAC_CTRL_PL1); 1395 case 6: 1396 return (SCMD_HMAC_CTRL_PL2); 1397 case 8: 1398 return (SCMD_HMAC_CTRL_DIV2); 1399 case 10: 1400 return (SCMD_HMAC_CTRL_TRUNC_RFC4366); 1401 case 12: 1402 return (SCMD_HMAC_CTRL_IPSEC_96BIT); 1403 case 14: 1404 return (SCMD_HMAC_CTRL_PL3); 1405 case 16: 1406 return (SCMD_HMAC_CTRL_NO_TRUNC); 1407 default: 1408 __assert_unreachable(); 1409 } 1410 } 1411 1412 static void 1413 generate_ccm_b0(struct cryptop *crp, u_int hash_size_in_response, 1414 const char *iv, char *b0) 1415 { 1416 u_int i, payload_len, L; 1417 1418 /* NB: L is already set in the first byte of the IV. */ 1419 memcpy(b0, iv, CCM_B0_SIZE); 1420 L = iv[0] + 1; 1421 1422 /* Set length of hash in bits 3 - 5. */ 1423 b0[0] |= (((hash_size_in_response - 2) / 2) << 3); 1424 1425 /* Store the payload length as a big-endian value. */ 1426 payload_len = crp->crp_payload_length; 1427 for (i = 0; i < L; i++) { 1428 b0[CCM_CBC_BLOCK_LEN - 1 - i] = payload_len; 1429 payload_len >>= 8; 1430 } 1431 1432 /* 1433 * If there is AAD in the request, set bit 6 in the flags 1434 * field and store the AAD length as a big-endian value at the 1435 * start of block 1. This only assumes a 16-bit AAD length 1436 * since T6 doesn't support large AAD sizes. 1437 */ 1438 if (crp->crp_aad_length != 0) { 1439 b0[0] |= (1 << 6); 1440 *(uint16_t *)(b0 + CCM_B0_SIZE) = htobe16(crp->crp_aad_length); 1441 } 1442 } 1443 1444 static int 1445 ccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp) 1446 { 1447 char iv[CHCR_MAX_CRYPTO_IV_LEN]; 1448 const struct crypto_session_params *csp; 1449 struct ulptx_idata *idata; 1450 struct chcr_wr *crwr; 1451 struct wrqe *wr; 1452 char *dst; 1453 u_int iv_len, kctx_len, op_type, transhdr_len, wr_len; 1454 u_int aad_len, b0_len, hash_size_in_response, imm_len; 1455 u_int aad_start, aad_stop, cipher_start, cipher_stop, auth_insert; 1456 u_int hmac_ctrl, input_len; 1457 int dsgl_nsegs, dsgl_len; 1458 int sgl_nsegs, sgl_len; 1459 int error; 1460 1461 csp = crypto_get_params(crp->crp_session); 1462 1463 if (s->cipher.key_len == 0) 1464 return (EINVAL); 1465 1466 /* 1467 * The crypto engine doesn't handle CCM requests with an empty 1468 * payload, so handle those in software instead. 1469 */ 1470 if (crp->crp_payload_length == 0) 1471 return (EMSGSIZE); 1472 1473 /* The length has to fit within the length field in block 0. */ 1474 if (crp->crp_payload_length > ccm_max_payload_length(csp)) 1475 return (EMSGSIZE); 1476 1477 /* 1478 * CCM always includes block 0 in the AAD before AAD from the 1479 * request. 1480 */ 1481 b0_len = CCM_B0_SIZE; 1482 if (crp->crp_aad_length != 0) 1483 b0_len += CCM_AAD_FIELD_SIZE; 1484 aad_len = b0_len + crp->crp_aad_length; 1485 1486 /* 1487 * CCM requests should always provide an explicit IV (really 1488 * the nonce). 1489 */ 1490 if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0) 1491 return (EINVAL); 1492 1493 /* 1494 * The IV in the work request is 16 bytes and not just the 1495 * nonce. 1496 */ 1497 iv_len = AES_BLOCK_LEN; 1498 1499 if (iv_len + aad_len > MAX_AAD_LEN) 1500 return (EMSGSIZE); 1501 1502 hash_size_in_response = s->ccm_mac.hash_len; 1503 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 1504 op_type = CHCR_ENCRYPT_OP; 1505 else 1506 op_type = CHCR_DECRYPT_OP; 1507 1508 /* 1509 * The output buffer consists of the cipher text followed by 1510 * the tag when encrypting. For decryption it only contains 1511 * the plain text. 1512 * 1513 * Due to a firmware bug, the output buffer must include a 1514 * dummy output buffer for the IV and AAD prior to the real 1515 * output buffer. 1516 */ 1517 if (op_type == CHCR_ENCRYPT_OP) { 1518 if (iv_len + aad_len + crp->crp_payload_length + 1519 hash_size_in_response > MAX_REQUEST_SIZE) 1520 return (EFBIG); 1521 } else { 1522 if (iv_len + aad_len + crp->crp_payload_length > 1523 MAX_REQUEST_SIZE) 1524 return (EFBIG); 1525 } 1526 sglist_reset(s->sg_dsgl); 1527 error = sglist_append_sglist(s->sg_dsgl, sc->sg_iv_aad, 0, iv_len + 1528 aad_len); 1529 if (error) 1530 return (error); 1531 if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) 1532 error = sglist_append_sglist(s->sg_dsgl, s->sg_output, 1533 crp->crp_payload_output_start, crp->crp_payload_length); 1534 else 1535 error = sglist_append_sglist(s->sg_dsgl, s->sg_input, 1536 crp->crp_payload_start, crp->crp_payload_length); 1537 if (error) 1538 return (error); 1539 if (op_type == CHCR_ENCRYPT_OP) { 1540 if (CRYPTO_HAS_OUTPUT_BUFFER(crp)) 1541 error = sglist_append_sglist(s->sg_dsgl, s->sg_output, 1542 crp->crp_digest_start, hash_size_in_response); 1543 else 1544 error = sglist_append_sglist(s->sg_dsgl, s->sg_input, 1545 crp->crp_digest_start, hash_size_in_response); 1546 if (error) 1547 return (error); 1548 } 1549 dsgl_nsegs = ccr_count_sgl(s->sg_dsgl, DSGL_SGE_MAXLEN); 1550 if (dsgl_nsegs > MAX_RX_PHYS_DSGL_SGE) 1551 return (EFBIG); 1552 dsgl_len = ccr_phys_dsgl_len(dsgl_nsegs); 1553 1554 /* 1555 * The 'key' part of the key context consists of two copies of 1556 * the AES key. 1557 */ 1558 kctx_len = roundup2(s->cipher.key_len, 16) * 2; 1559 transhdr_len = CIPHER_TRANSHDR_SIZE(kctx_len, dsgl_len); 1560 1561 /* 1562 * The input buffer consists of the IV, AAD (including block 1563 * 0), and then the cipher/plain text. For decryption 1564 * requests the hash is appended after the cipher text. 1565 * 1566 * The IV is always stored at the start of the input buffer 1567 * even though it may be duplicated in the payload. The 1568 * crypto engine doesn't work properly if the IV offset points 1569 * inside of the AAD region, so a second copy is always 1570 * required. 1571 */ 1572 input_len = aad_len + crp->crp_payload_length; 1573 if (op_type == CHCR_DECRYPT_OP) 1574 input_len += hash_size_in_response; 1575 if (input_len > MAX_REQUEST_SIZE) 1576 return (EFBIG); 1577 if (ccr_use_imm_data(transhdr_len, iv_len + input_len)) { 1578 imm_len = input_len; 1579 sgl_nsegs = 0; 1580 sgl_len = 0; 1581 } else { 1582 /* Block 0 is passed as immediate data. */ 1583 imm_len = b0_len; 1584 1585 sglist_reset(s->sg_ulptx); 1586 if (crp->crp_aad_length != 0) { 1587 if (crp->crp_aad != NULL) 1588 error = sglist_append(s->sg_ulptx, 1589 crp->crp_aad, crp->crp_aad_length); 1590 else 1591 error = sglist_append_sglist(s->sg_ulptx, 1592 s->sg_input, crp->crp_aad_start, 1593 crp->crp_aad_length); 1594 if (error) 1595 return (error); 1596 } 1597 error = sglist_append_sglist(s->sg_ulptx, s->sg_input, 1598 crp->crp_payload_start, crp->crp_payload_length); 1599 if (error) 1600 return (error); 1601 if (op_type == CHCR_DECRYPT_OP) { 1602 error = sglist_append_sglist(s->sg_ulptx, s->sg_input, 1603 crp->crp_digest_start, hash_size_in_response); 1604 if (error) 1605 return (error); 1606 } 1607 sgl_nsegs = s->sg_ulptx->sg_nseg; 1608 sgl_len = ccr_ulptx_sgl_len(sgl_nsegs); 1609 } 1610 1611 aad_start = iv_len + 1; 1612 aad_stop = aad_start + aad_len - 1; 1613 cipher_start = aad_stop + 1; 1614 if (op_type == CHCR_DECRYPT_OP) 1615 cipher_stop = hash_size_in_response; 1616 else 1617 cipher_stop = 0; 1618 if (op_type == CHCR_DECRYPT_OP) 1619 auth_insert = hash_size_in_response; 1620 else 1621 auth_insert = 0; 1622 1623 wr_len = roundup2(transhdr_len, 16) + iv_len + roundup2(imm_len, 16) + 1624 sgl_len; 1625 if (wr_len > SGE_MAX_WR_LEN) 1626 return (EFBIG); 1627 wr = alloc_wrqe(wr_len, s->port->txq); 1628 if (wr == NULL) { 1629 counter_u64_add(sc->stats_wr_nomem, 1); 1630 return (ENOMEM); 1631 } 1632 crwr = wrtod(wr); 1633 memset(crwr, 0, wr_len); 1634 1635 /* 1636 * Read the nonce from the request. Use the nonce to generate 1637 * the full IV with the counter set to 0. 1638 */ 1639 memset(iv, 0, iv_len); 1640 iv[0] = (15 - csp->csp_ivlen) - 1; 1641 crypto_read_iv(crp, iv + 1); 1642 1643 ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0, 1644 crp); 1645 1646 crwr->sec_cpl.op_ivinsrtofst = htobe32( 1647 V_CPL_TX_SEC_PDU_OPCODE(CPL_TX_SEC_PDU) | 1648 V_CPL_TX_SEC_PDU_RXCHID(s->port->rx_channel_id) | 1649 V_CPL_TX_SEC_PDU_ACKFOLLOWS(0) | V_CPL_TX_SEC_PDU_ULPTXLPBK(1) | 1650 V_CPL_TX_SEC_PDU_CPLLEN(2) | V_CPL_TX_SEC_PDU_PLACEHOLDER(0) | 1651 V_CPL_TX_SEC_PDU_IVINSRTOFST(1)); 1652 1653 crwr->sec_cpl.pldlen = htobe32(iv_len + input_len); 1654 1655 /* 1656 * NB: cipherstop is explicitly set to 0. See comments above 1657 * in ccr_gcm(). 1658 */ 1659 crwr->sec_cpl.aadstart_cipherstop_hi = htobe32( 1660 V_CPL_TX_SEC_PDU_AADSTART(aad_start) | 1661 V_CPL_TX_SEC_PDU_AADSTOP(aad_stop) | 1662 V_CPL_TX_SEC_PDU_CIPHERSTART(cipher_start) | 1663 V_CPL_TX_SEC_PDU_CIPHERSTOP_HI(0)); 1664 crwr->sec_cpl.cipherstop_lo_authinsert = htobe32( 1665 V_CPL_TX_SEC_PDU_CIPHERSTOP_LO(0) | 1666 V_CPL_TX_SEC_PDU_AUTHSTART(cipher_start) | 1667 V_CPL_TX_SEC_PDU_AUTHSTOP(cipher_stop) | 1668 V_CPL_TX_SEC_PDU_AUTHINSERT(auth_insert)); 1669 1670 /* These two flits are actually a CPL_TLS_TX_SCMD_FMT. */ 1671 hmac_ctrl = ccr_ccm_hmac_ctrl(hash_size_in_response); 1672 crwr->sec_cpl.seqno_numivs = htobe32( 1673 V_SCMD_SEQ_NO_CTRL(0) | 1674 V_SCMD_PROTO_VERSION(SCMD_PROTO_VERSION_GENERIC) | 1675 V_SCMD_ENC_DEC_CTRL(op_type) | 1676 V_SCMD_CIPH_AUTH_SEQ_CTRL(op_type == CHCR_ENCRYPT_OP ? 0 : 1) | 1677 V_SCMD_CIPH_MODE(SCMD_CIPH_MODE_AES_CCM) | 1678 V_SCMD_AUTH_MODE(SCMD_AUTH_MODE_CBCMAC) | 1679 V_SCMD_HMAC_CTRL(hmac_ctrl) | 1680 V_SCMD_IV_SIZE(iv_len / 2) | 1681 V_SCMD_NUM_IVS(0)); 1682 crwr->sec_cpl.ivgen_hdrlen = htobe32( 1683 V_SCMD_IV_GEN_CTRL(0) | 1684 V_SCMD_MORE_FRAGS(0) | V_SCMD_LAST_FRAG(0) | V_SCMD_MAC_ONLY(0) | 1685 V_SCMD_AADIVDROP(0) | V_SCMD_HDR_LEN(dsgl_len)); 1686 1687 crwr->key_ctx.ctx_hdr = s->cipher.key_ctx_hdr; 1688 memcpy(crwr->key_ctx.key, s->cipher.enckey, s->cipher.key_len); 1689 memcpy(crwr->key_ctx.key + roundup(s->cipher.key_len, 16), 1690 s->cipher.enckey, s->cipher.key_len); 1691 1692 dst = (char *)(crwr + 1) + kctx_len; 1693 ccr_write_phys_dsgl(s, dst, dsgl_nsegs); 1694 dst += sizeof(struct cpl_rx_phys_dsgl) + dsgl_len; 1695 memcpy(dst, iv, iv_len); 1696 dst += iv_len; 1697 generate_ccm_b0(crp, hash_size_in_response, iv, dst); 1698 if (sgl_nsegs == 0) { 1699 dst += b0_len; 1700 if (crp->crp_aad_length != 0) { 1701 if (crp->crp_aad != NULL) 1702 memcpy(dst, crp->crp_aad, crp->crp_aad_length); 1703 else 1704 crypto_copydata(crp, crp->crp_aad_start, 1705 crp->crp_aad_length, dst); 1706 dst += crp->crp_aad_length; 1707 } 1708 crypto_copydata(crp, crp->crp_payload_start, 1709 crp->crp_payload_length, dst); 1710 dst += crp->crp_payload_length; 1711 if (op_type == CHCR_DECRYPT_OP) 1712 crypto_copydata(crp, crp->crp_digest_start, 1713 hash_size_in_response, dst); 1714 } else { 1715 dst += CCM_B0_SIZE; 1716 if (b0_len > CCM_B0_SIZE) { 1717 /* 1718 * If there is AAD, insert padding including a 1719 * ULP_TX_SC_NOOP so that the ULP_TX_SC_DSGL 1720 * is 16-byte aligned. 1721 */ 1722 KASSERT(b0_len - CCM_B0_SIZE == CCM_AAD_FIELD_SIZE, 1723 ("b0_len mismatch")); 1724 memset(dst + CCM_AAD_FIELD_SIZE, 0, 1725 8 - CCM_AAD_FIELD_SIZE); 1726 idata = (void *)(dst + 8); 1727 idata->cmd_more = htobe32(V_ULPTX_CMD(ULP_TX_SC_NOOP)); 1728 idata->len = htobe32(0); 1729 dst = (void *)(idata + 1); 1730 } 1731 ccr_write_ulptx_sgl(s, dst, sgl_nsegs); 1732 } 1733 1734 /* XXX: TODO backpressure */ 1735 t4_wrq_tx(sc->adapter, wr); 1736 1737 explicit_bzero(iv, sizeof(iv)); 1738 return (0); 1739 } 1740 1741 static int 1742 ccr_ccm_done(struct ccr_softc *sc, struct ccr_session *s, 1743 struct cryptop *crp, const struct cpl_fw6_pld *cpl, int error) 1744 { 1745 1746 /* 1747 * The updated IV to permit chained requests is at 1748 * cpl->data[2], but OCF doesn't permit chained requests. 1749 * 1750 * Note that the hardware should always verify the CBC MAC 1751 * hash. 1752 */ 1753 return (error); 1754 } 1755 1756 /* 1757 * Use the software session for requests not supported by the crypto 1758 * engine (e.g. CCM and GCM requests with an empty payload). 1759 */ 1760 static int 1761 ccr_soft_done(struct cryptop *crp) 1762 { 1763 struct cryptop *orig; 1764 1765 orig = crp->crp_opaque; 1766 orig->crp_etype = crp->crp_etype; 1767 crypto_freereq(crp); 1768 crypto_done(orig); 1769 return (0); 1770 } 1771 1772 static void 1773 ccr_soft(struct ccr_session *s, struct cryptop *crp) 1774 { 1775 struct cryptop *new; 1776 int error; 1777 1778 new = crypto_clonereq(crp, s->sw_session, M_NOWAIT); 1779 if (new == NULL) { 1780 crp->crp_etype = ENOMEM; 1781 crypto_done(crp); 1782 return; 1783 } 1784 1785 /* 1786 * XXX: This only really needs CRYPTO_ASYNC_ORDERED if the 1787 * original request was dispatched that way. There is no way 1788 * to know that though since crypto_dispatch_async() discards 1789 * the flag for async backends (such as ccr(4)). 1790 */ 1791 new->crp_opaque = crp; 1792 new->crp_callback = ccr_soft_done; 1793 error = crypto_dispatch_async(new, CRYPTO_ASYNC_ORDERED); 1794 if (error != 0) { 1795 crp->crp_etype = error; 1796 crypto_done(crp); 1797 } 1798 } 1799 1800 static void 1801 ccr_identify(driver_t *driver, device_t parent) 1802 { 1803 struct adapter *sc; 1804 1805 sc = device_get_softc(parent); 1806 if (sc->cryptocaps & FW_CAPS_CONFIG_CRYPTO_LOOKASIDE && 1807 device_find_child(parent, "ccr", -1) == NULL) 1808 device_add_child(parent, "ccr", -1); 1809 } 1810 1811 static int 1812 ccr_probe(device_t dev) 1813 { 1814 1815 device_set_desc(dev, "Chelsio Crypto Accelerator"); 1816 return (BUS_PROBE_DEFAULT); 1817 } 1818 1819 static void 1820 ccr_sysctls(struct ccr_softc *sc) 1821 { 1822 struct sysctl_ctx_list *ctx; 1823 struct sysctl_oid *oid, *port_oid; 1824 struct sysctl_oid_list *children; 1825 char buf[16]; 1826 int i; 1827 1828 ctx = device_get_sysctl_ctx(sc->dev); 1829 1830 /* 1831 * dev.ccr.X. 1832 */ 1833 oid = device_get_sysctl_tree(sc->dev); 1834 children = SYSCTL_CHILDREN(oid); 1835 1836 SYSCTL_ADD_UINT(ctx, children, OID_AUTO, "port_mask", CTLFLAG_RW, 1837 &sc->port_mask, 0, "Mask of enabled ports"); 1838 1839 /* 1840 * dev.ccr.X.stats. 1841 */ 1842 oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "stats", 1843 CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "statistics"); 1844 children = SYSCTL_CHILDREN(oid); 1845 1846 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "hash", CTLFLAG_RD, 1847 &sc->stats_hash, "Hash requests submitted"); 1848 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "hmac", CTLFLAG_RD, 1849 &sc->stats_hmac, "HMAC requests submitted"); 1850 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "cipher_encrypt", 1851 CTLFLAG_RD, &sc->stats_cipher_encrypt, 1852 "Cipher encryption requests submitted"); 1853 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "cipher_decrypt", 1854 CTLFLAG_RD, &sc->stats_cipher_decrypt, 1855 "Cipher decryption requests submitted"); 1856 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "eta_encrypt", 1857 CTLFLAG_RD, &sc->stats_eta_encrypt, 1858 "Combined AES+HMAC encryption requests submitted"); 1859 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "eta_decrypt", 1860 CTLFLAG_RD, &sc->stats_eta_decrypt, 1861 "Combined AES+HMAC decryption requests submitted"); 1862 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "gcm_encrypt", 1863 CTLFLAG_RD, &sc->stats_gcm_encrypt, 1864 "AES-GCM encryption requests submitted"); 1865 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "gcm_decrypt", 1866 CTLFLAG_RD, &sc->stats_gcm_decrypt, 1867 "AES-GCM decryption requests submitted"); 1868 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "ccm_encrypt", 1869 CTLFLAG_RD, &sc->stats_ccm_encrypt, 1870 "AES-CCM encryption requests submitted"); 1871 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "ccm_decrypt", 1872 CTLFLAG_RD, &sc->stats_ccm_decrypt, 1873 "AES-CCM decryption requests submitted"); 1874 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "wr_nomem", CTLFLAG_RD, 1875 &sc->stats_wr_nomem, "Work request memory allocation failures"); 1876 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "inflight", CTLFLAG_RD, 1877 &sc->stats_inflight, "Requests currently pending"); 1878 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "mac_error", CTLFLAG_RD, 1879 &sc->stats_mac_error, "MAC errors"); 1880 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "pad_error", CTLFLAG_RD, 1881 &sc->stats_pad_error, "Padding errors"); 1882 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "sglist_error", 1883 CTLFLAG_RD, &sc->stats_sglist_error, 1884 "Requests for which DMA mapping failed"); 1885 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "process_error", 1886 CTLFLAG_RD, &sc->stats_process_error, 1887 "Requests failed during queueing"); 1888 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "sw_fallback", 1889 CTLFLAG_RD, &sc->stats_sw_fallback, 1890 "Requests processed by falling back to software"); 1891 1892 /* 1893 * dev.ccr.X.stats.port 1894 */ 1895 port_oid = SYSCTL_ADD_NODE(ctx, children, OID_AUTO, "port", 1896 CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, "Per-port statistics"); 1897 1898 for (i = 0; i < nitems(sc->ports); i++) { 1899 if (sc->ports[i].rxq == NULL) 1900 continue; 1901 1902 /* 1903 * dev.ccr.X.stats.port.Y 1904 */ 1905 snprintf(buf, sizeof(buf), "%d", i); 1906 oid = SYSCTL_ADD_NODE(ctx, SYSCTL_CHILDREN(port_oid), OID_AUTO, 1907 buf, CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, buf); 1908 children = SYSCTL_CHILDREN(oid); 1909 1910 SYSCTL_ADD_UINT(ctx, children, OID_AUTO, "active_sessions", 1911 CTLFLAG_RD, &sc->ports[i].active_sessions, 0, 1912 "Count of active sessions"); 1913 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "queued", 1914 CTLFLAG_RD, &sc->ports[i].stats_queued, "Requests queued"); 1915 SYSCTL_ADD_COUNTER_U64(ctx, children, OID_AUTO, "completed", 1916 CTLFLAG_RD, &sc->ports[i].stats_completed, 1917 "Requests completed"); 1918 } 1919 } 1920 1921 static void 1922 ccr_init_port(struct ccr_softc *sc, int port) 1923 { 1924 struct port_info *pi; 1925 1926 pi = sc->adapter->port[port]; 1927 sc->ports[port].txq = &sc->adapter->sge.ctrlq[port]; 1928 sc->ports[port].rxq = &sc->adapter->sge.rxq[pi->vi->first_rxq]; 1929 sc->ports[port].rx_channel_id = pi->rx_c_chan; 1930 sc->ports[port].tx_channel_id = pi->tx_chan; 1931 sc->ports[port].stats_queued = counter_u64_alloc(M_WAITOK); 1932 sc->ports[port].stats_completed = counter_u64_alloc(M_WAITOK); 1933 _Static_assert(sizeof(sc->port_mask) * NBBY >= MAX_NPORTS - 1, 1934 "Too many ports to fit in port_mask"); 1935 1936 /* 1937 * Completions for crypto requests on port 1 can sometimes 1938 * return a stale cookie value due to a firmware bug. Disable 1939 * requests on port 1 by default on affected firmware. 1940 */ 1941 if (sc->adapter->params.fw_vers >= FW_VERSION32(1, 25, 4, 0) || 1942 port == 0) 1943 sc->port_mask |= 1u << port; 1944 } 1945 1946 static int 1947 ccr_attach(device_t dev) 1948 { 1949 struct ccr_softc *sc; 1950 int32_t cid; 1951 int i; 1952 1953 sc = device_get_softc(dev); 1954 sc->dev = dev; 1955 sc->adapter = device_get_softc(device_get_parent(dev)); 1956 for_each_port(sc->adapter, i) { 1957 ccr_init_port(sc, i); 1958 } 1959 cid = crypto_get_driverid(dev, sizeof(struct ccr_session), 1960 CRYPTOCAP_F_HARDWARE); 1961 if (cid < 0) { 1962 device_printf(dev, "could not get crypto driver id\n"); 1963 return (ENXIO); 1964 } 1965 sc->cid = cid; 1966 sc->adapter->ccr_softc = sc; 1967 1968 /* 1969 * The FID must be the first RXQ for port 0 regardless of 1970 * which port is used to service the request. 1971 */ 1972 sc->first_rxq_id = sc->adapter->sge.rxq[0].iq.abs_id; 1973 1974 mtx_init(&sc->lock, "ccr", NULL, MTX_DEF); 1975 sc->iv_aad_buf = malloc(MAX_AAD_LEN, M_CCR, M_WAITOK); 1976 sc->sg_iv_aad = sglist_build(sc->iv_aad_buf, MAX_AAD_LEN, M_WAITOK); 1977 sc->stats_cipher_encrypt = counter_u64_alloc(M_WAITOK); 1978 sc->stats_cipher_decrypt = counter_u64_alloc(M_WAITOK); 1979 sc->stats_hash = counter_u64_alloc(M_WAITOK); 1980 sc->stats_hmac = counter_u64_alloc(M_WAITOK); 1981 sc->stats_eta_encrypt = counter_u64_alloc(M_WAITOK); 1982 sc->stats_eta_decrypt = counter_u64_alloc(M_WAITOK); 1983 sc->stats_gcm_encrypt = counter_u64_alloc(M_WAITOK); 1984 sc->stats_gcm_decrypt = counter_u64_alloc(M_WAITOK); 1985 sc->stats_ccm_encrypt = counter_u64_alloc(M_WAITOK); 1986 sc->stats_ccm_decrypt = counter_u64_alloc(M_WAITOK); 1987 sc->stats_wr_nomem = counter_u64_alloc(M_WAITOK); 1988 sc->stats_inflight = counter_u64_alloc(M_WAITOK); 1989 sc->stats_mac_error = counter_u64_alloc(M_WAITOK); 1990 sc->stats_pad_error = counter_u64_alloc(M_WAITOK); 1991 sc->stats_sglist_error = counter_u64_alloc(M_WAITOK); 1992 sc->stats_process_error = counter_u64_alloc(M_WAITOK); 1993 sc->stats_sw_fallback = counter_u64_alloc(M_WAITOK); 1994 ccr_sysctls(sc); 1995 1996 return (0); 1997 } 1998 1999 static void 2000 ccr_free_port(struct ccr_softc *sc, int port) 2001 { 2002 2003 counter_u64_free(sc->ports[port].stats_queued); 2004 counter_u64_free(sc->ports[port].stats_completed); 2005 } 2006 2007 static int 2008 ccr_detach(device_t dev) 2009 { 2010 struct ccr_softc *sc; 2011 int i; 2012 2013 sc = device_get_softc(dev); 2014 2015 mtx_lock(&sc->lock); 2016 sc->detaching = true; 2017 mtx_unlock(&sc->lock); 2018 2019 crypto_unregister_all(sc->cid); 2020 2021 mtx_destroy(&sc->lock); 2022 counter_u64_free(sc->stats_cipher_encrypt); 2023 counter_u64_free(sc->stats_cipher_decrypt); 2024 counter_u64_free(sc->stats_hash); 2025 counter_u64_free(sc->stats_hmac); 2026 counter_u64_free(sc->stats_eta_encrypt); 2027 counter_u64_free(sc->stats_eta_decrypt); 2028 counter_u64_free(sc->stats_gcm_encrypt); 2029 counter_u64_free(sc->stats_gcm_decrypt); 2030 counter_u64_free(sc->stats_ccm_encrypt); 2031 counter_u64_free(sc->stats_ccm_decrypt); 2032 counter_u64_free(sc->stats_wr_nomem); 2033 counter_u64_free(sc->stats_inflight); 2034 counter_u64_free(sc->stats_mac_error); 2035 counter_u64_free(sc->stats_pad_error); 2036 counter_u64_free(sc->stats_sglist_error); 2037 counter_u64_free(sc->stats_process_error); 2038 counter_u64_free(sc->stats_sw_fallback); 2039 for_each_port(sc->adapter, i) { 2040 ccr_free_port(sc, i); 2041 } 2042 sglist_free(sc->sg_iv_aad); 2043 free(sc->iv_aad_buf, M_CCR); 2044 sc->adapter->ccr_softc = NULL; 2045 return (0); 2046 } 2047 2048 static void 2049 ccr_init_hash_digest(struct ccr_session *s) 2050 { 2051 union authctx auth_ctx; 2052 const struct auth_hash *axf; 2053 2054 axf = s->hmac.auth_hash; 2055 axf->Init(&auth_ctx); 2056 t4_copy_partial_hash(axf->type, &auth_ctx, s->hmac.pads); 2057 } 2058 2059 static bool 2060 ccr_aes_check_keylen(int alg, int klen) 2061 { 2062 2063 switch (klen * 8) { 2064 case 128: 2065 case 192: 2066 if (alg == CRYPTO_AES_XTS) 2067 return (false); 2068 break; 2069 case 256: 2070 break; 2071 case 512: 2072 if (alg != CRYPTO_AES_XTS) 2073 return (false); 2074 break; 2075 default: 2076 return (false); 2077 } 2078 return (true); 2079 } 2080 2081 static void 2082 ccr_aes_setkey(struct ccr_session *s, const void *key, int klen) 2083 { 2084 unsigned int ck_size, iopad_size, kctx_flits, kctx_len, kbits, mk_size; 2085 unsigned int opad_present; 2086 2087 if (s->cipher.cipher_mode == SCMD_CIPH_MODE_AES_XTS) 2088 kbits = (klen / 2) * 8; 2089 else 2090 kbits = klen * 8; 2091 switch (kbits) { 2092 case 128: 2093 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128; 2094 break; 2095 case 192: 2096 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192; 2097 break; 2098 case 256: 2099 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256; 2100 break; 2101 default: 2102 panic("should not get here"); 2103 } 2104 2105 s->cipher.key_len = klen; 2106 memcpy(s->cipher.enckey, key, s->cipher.key_len); 2107 switch (s->cipher.cipher_mode) { 2108 case SCMD_CIPH_MODE_AES_CBC: 2109 case SCMD_CIPH_MODE_AES_XTS: 2110 t4_aes_getdeckey(s->cipher.deckey, key, kbits); 2111 break; 2112 } 2113 2114 kctx_len = roundup2(s->cipher.key_len, 16); 2115 switch (s->mode) { 2116 case ETA: 2117 mk_size = s->hmac.mk_size; 2118 opad_present = 1; 2119 iopad_size = roundup2(s->hmac.partial_digest_len, 16); 2120 kctx_len += iopad_size * 2; 2121 break; 2122 case GCM: 2123 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 2124 opad_present = 0; 2125 kctx_len += GMAC_BLOCK_LEN; 2126 break; 2127 case CCM: 2128 switch (kbits) { 2129 case 128: 2130 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_128; 2131 break; 2132 case 192: 2133 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_192; 2134 break; 2135 case 256: 2136 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 2137 break; 2138 default: 2139 panic("should not get here"); 2140 } 2141 opad_present = 0; 2142 kctx_len *= 2; 2143 break; 2144 default: 2145 mk_size = CHCR_KEYCTX_NO_KEY; 2146 opad_present = 0; 2147 break; 2148 } 2149 kctx_flits = (sizeof(struct _key_ctx) + kctx_len) / 16; 2150 s->cipher.key_ctx_hdr = htobe32(V_KEY_CONTEXT_CTX_LEN(kctx_flits) | 2151 V_KEY_CONTEXT_DUAL_CK(s->cipher.cipher_mode == 2152 SCMD_CIPH_MODE_AES_XTS) | 2153 V_KEY_CONTEXT_OPAD_PRESENT(opad_present) | 2154 V_KEY_CONTEXT_SALT_PRESENT(1) | V_KEY_CONTEXT_CK_SIZE(ck_size) | 2155 V_KEY_CONTEXT_MK_SIZE(mk_size) | V_KEY_CONTEXT_VALID(1)); 2156 } 2157 2158 static bool 2159 ccr_auth_supported(const struct crypto_session_params *csp) 2160 { 2161 2162 switch (csp->csp_auth_alg) { 2163 case CRYPTO_SHA1: 2164 case CRYPTO_SHA2_224: 2165 case CRYPTO_SHA2_256: 2166 case CRYPTO_SHA2_384: 2167 case CRYPTO_SHA2_512: 2168 case CRYPTO_SHA1_HMAC: 2169 case CRYPTO_SHA2_224_HMAC: 2170 case CRYPTO_SHA2_256_HMAC: 2171 case CRYPTO_SHA2_384_HMAC: 2172 case CRYPTO_SHA2_512_HMAC: 2173 break; 2174 default: 2175 return (false); 2176 } 2177 return (true); 2178 } 2179 2180 static bool 2181 ccr_cipher_supported(const struct crypto_session_params *csp) 2182 { 2183 2184 switch (csp->csp_cipher_alg) { 2185 case CRYPTO_AES_CBC: 2186 if (csp->csp_ivlen != AES_BLOCK_LEN) 2187 return (false); 2188 break; 2189 case CRYPTO_AES_ICM: 2190 if (csp->csp_ivlen != AES_BLOCK_LEN) 2191 return (false); 2192 break; 2193 case CRYPTO_AES_XTS: 2194 if (csp->csp_ivlen != AES_XTS_IV_LEN) 2195 return (false); 2196 break; 2197 default: 2198 return (false); 2199 } 2200 return (ccr_aes_check_keylen(csp->csp_cipher_alg, 2201 csp->csp_cipher_klen)); 2202 } 2203 2204 static int 2205 ccr_cipher_mode(const struct crypto_session_params *csp) 2206 { 2207 2208 switch (csp->csp_cipher_alg) { 2209 case CRYPTO_AES_CBC: 2210 return (SCMD_CIPH_MODE_AES_CBC); 2211 case CRYPTO_AES_ICM: 2212 return (SCMD_CIPH_MODE_AES_CTR); 2213 case CRYPTO_AES_NIST_GCM_16: 2214 return (SCMD_CIPH_MODE_AES_GCM); 2215 case CRYPTO_AES_XTS: 2216 return (SCMD_CIPH_MODE_AES_XTS); 2217 case CRYPTO_AES_CCM_16: 2218 return (SCMD_CIPH_MODE_AES_CCM); 2219 default: 2220 return (SCMD_CIPH_MODE_NOP); 2221 } 2222 } 2223 2224 static int 2225 ccr_probesession(device_t dev, const struct crypto_session_params *csp) 2226 { 2227 unsigned int cipher_mode; 2228 2229 if ((csp->csp_flags & ~(CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD)) != 2230 0) 2231 return (EINVAL); 2232 switch (csp->csp_mode) { 2233 case CSP_MODE_DIGEST: 2234 if (!ccr_auth_supported(csp)) 2235 return (EINVAL); 2236 break; 2237 case CSP_MODE_CIPHER: 2238 if (!ccr_cipher_supported(csp)) 2239 return (EINVAL); 2240 break; 2241 case CSP_MODE_AEAD: 2242 switch (csp->csp_cipher_alg) { 2243 case CRYPTO_AES_NIST_GCM_16: 2244 case CRYPTO_AES_CCM_16: 2245 break; 2246 default: 2247 return (EINVAL); 2248 } 2249 break; 2250 case CSP_MODE_ETA: 2251 if (!ccr_auth_supported(csp) || !ccr_cipher_supported(csp)) 2252 return (EINVAL); 2253 break; 2254 default: 2255 return (EINVAL); 2256 } 2257 2258 if (csp->csp_cipher_klen != 0) { 2259 cipher_mode = ccr_cipher_mode(csp); 2260 if (cipher_mode == SCMD_CIPH_MODE_NOP) 2261 return (EINVAL); 2262 } 2263 2264 return (CRYPTODEV_PROBE_HARDWARE); 2265 } 2266 2267 /* 2268 * Select an available port with the lowest number of active sessions. 2269 */ 2270 static struct ccr_port * 2271 ccr_choose_port(struct ccr_softc *sc) 2272 { 2273 struct ccr_port *best, *p; 2274 int i; 2275 2276 mtx_assert(&sc->lock, MA_OWNED); 2277 best = NULL; 2278 for (i = 0; i < nitems(sc->ports); i++) { 2279 p = &sc->ports[i]; 2280 2281 /* Ignore non-existent ports. */ 2282 if (p->rxq == NULL) 2283 continue; 2284 2285 /* 2286 * XXX: Ignore ports whose queues aren't initialized. 2287 * This is racy as the rxq can be destroyed by the 2288 * associated VI detaching. Eventually ccr should use 2289 * dedicated queues. 2290 */ 2291 if (p->rxq->iq.adapter == NULL || p->txq->adapter == NULL) 2292 continue; 2293 2294 if ((sc->port_mask & (1u << i)) == 0) 2295 continue; 2296 2297 if (best == NULL || 2298 p->active_sessions < best->active_sessions) 2299 best = p; 2300 } 2301 return (best); 2302 } 2303 2304 static void 2305 ccr_delete_session(struct ccr_session *s) 2306 { 2307 crypto_freesession(s->sw_session); 2308 sglist_free(s->sg_input); 2309 sglist_free(s->sg_output); 2310 sglist_free(s->sg_ulptx); 2311 sglist_free(s->sg_dsgl); 2312 mtx_destroy(&s->lock); 2313 } 2314 2315 static int 2316 ccr_newsession(device_t dev, crypto_session_t cses, 2317 const struct crypto_session_params *csp) 2318 { 2319 struct ccr_softc *sc; 2320 struct ccr_session *s; 2321 const struct auth_hash *auth_hash; 2322 unsigned int auth_mode, cipher_mode, mk_size; 2323 unsigned int partial_digest_len; 2324 int error; 2325 2326 switch (csp->csp_auth_alg) { 2327 case CRYPTO_SHA1: 2328 case CRYPTO_SHA1_HMAC: 2329 auth_hash = &auth_hash_hmac_sha1; 2330 auth_mode = SCMD_AUTH_MODE_SHA1; 2331 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_160; 2332 partial_digest_len = SHA1_HASH_LEN; 2333 break; 2334 case CRYPTO_SHA2_224: 2335 case CRYPTO_SHA2_224_HMAC: 2336 auth_hash = &auth_hash_hmac_sha2_224; 2337 auth_mode = SCMD_AUTH_MODE_SHA224; 2338 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 2339 partial_digest_len = SHA2_256_HASH_LEN; 2340 break; 2341 case CRYPTO_SHA2_256: 2342 case CRYPTO_SHA2_256_HMAC: 2343 auth_hash = &auth_hash_hmac_sha2_256; 2344 auth_mode = SCMD_AUTH_MODE_SHA256; 2345 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; 2346 partial_digest_len = SHA2_256_HASH_LEN; 2347 break; 2348 case CRYPTO_SHA2_384: 2349 case CRYPTO_SHA2_384_HMAC: 2350 auth_hash = &auth_hash_hmac_sha2_384; 2351 auth_mode = SCMD_AUTH_MODE_SHA512_384; 2352 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 2353 partial_digest_len = SHA2_512_HASH_LEN; 2354 break; 2355 case CRYPTO_SHA2_512: 2356 case CRYPTO_SHA2_512_HMAC: 2357 auth_hash = &auth_hash_hmac_sha2_512; 2358 auth_mode = SCMD_AUTH_MODE_SHA512_512; 2359 mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_512; 2360 partial_digest_len = SHA2_512_HASH_LEN; 2361 break; 2362 default: 2363 auth_hash = NULL; 2364 auth_mode = SCMD_AUTH_MODE_NOP; 2365 mk_size = 0; 2366 partial_digest_len = 0; 2367 break; 2368 } 2369 2370 cipher_mode = ccr_cipher_mode(csp); 2371 2372 #ifdef INVARIANTS 2373 switch (csp->csp_mode) { 2374 case CSP_MODE_CIPHER: 2375 if (cipher_mode == SCMD_CIPH_MODE_NOP || 2376 cipher_mode == SCMD_CIPH_MODE_AES_GCM || 2377 cipher_mode == SCMD_CIPH_MODE_AES_CCM) 2378 panic("invalid cipher algo"); 2379 break; 2380 case CSP_MODE_DIGEST: 2381 if (auth_mode == SCMD_AUTH_MODE_NOP) 2382 panic("invalid auth algo"); 2383 break; 2384 case CSP_MODE_AEAD: 2385 if (cipher_mode != SCMD_CIPH_MODE_AES_GCM && 2386 cipher_mode != SCMD_CIPH_MODE_AES_CCM) 2387 panic("invalid aead cipher algo"); 2388 if (auth_mode != SCMD_AUTH_MODE_NOP) 2389 panic("invalid aead auth aglo"); 2390 break; 2391 case CSP_MODE_ETA: 2392 if (cipher_mode == SCMD_CIPH_MODE_NOP || 2393 cipher_mode == SCMD_CIPH_MODE_AES_GCM || 2394 cipher_mode == SCMD_CIPH_MODE_AES_CCM) 2395 panic("invalid cipher algo"); 2396 if (auth_mode == SCMD_AUTH_MODE_NOP) 2397 panic("invalid auth algo"); 2398 break; 2399 default: 2400 panic("invalid csp mode"); 2401 } 2402 #endif 2403 2404 s = crypto_get_driver_session(cses); 2405 mtx_init(&s->lock, "ccr session", NULL, MTX_DEF); 2406 s->sg_input = sglist_alloc(TX_SGL_SEGS, M_NOWAIT); 2407 s->sg_output = sglist_alloc(TX_SGL_SEGS, M_NOWAIT); 2408 s->sg_ulptx = sglist_alloc(TX_SGL_SEGS, M_NOWAIT); 2409 s->sg_dsgl = sglist_alloc(MAX_RX_PHYS_DSGL_SGE, M_NOWAIT); 2410 if (s->sg_input == NULL || s->sg_output == NULL || 2411 s->sg_ulptx == NULL || s->sg_dsgl == NULL) { 2412 ccr_delete_session(s); 2413 return (ENOMEM); 2414 } 2415 2416 if (csp->csp_mode == CSP_MODE_AEAD) { 2417 error = crypto_newsession(&s->sw_session, csp, 2418 CRYPTOCAP_F_SOFTWARE); 2419 if (error) { 2420 ccr_delete_session(s); 2421 return (error); 2422 } 2423 } 2424 2425 sc = device_get_softc(dev); 2426 2427 mtx_lock(&sc->lock); 2428 if (sc->detaching) { 2429 mtx_unlock(&sc->lock); 2430 ccr_delete_session(s); 2431 return (ENXIO); 2432 } 2433 2434 s->port = ccr_choose_port(sc); 2435 if (s->port == NULL) { 2436 mtx_unlock(&sc->lock); 2437 ccr_delete_session(s); 2438 return (ENXIO); 2439 } 2440 2441 switch (csp->csp_mode) { 2442 case CSP_MODE_AEAD: 2443 if (cipher_mode == SCMD_CIPH_MODE_AES_CCM) 2444 s->mode = CCM; 2445 else 2446 s->mode = GCM; 2447 break; 2448 case CSP_MODE_ETA: 2449 s->mode = ETA; 2450 break; 2451 case CSP_MODE_DIGEST: 2452 if (csp->csp_auth_klen != 0) 2453 s->mode = HMAC; 2454 else 2455 s->mode = HASH; 2456 break; 2457 case CSP_MODE_CIPHER: 2458 s->mode = CIPHER; 2459 break; 2460 } 2461 2462 if (s->mode == GCM) { 2463 if (csp->csp_auth_mlen == 0) 2464 s->gmac.hash_len = AES_GMAC_HASH_LEN; 2465 else 2466 s->gmac.hash_len = csp->csp_auth_mlen; 2467 t4_init_gmac_hash(csp->csp_cipher_key, csp->csp_cipher_klen, 2468 s->gmac.ghash_h); 2469 } else if (s->mode == CCM) { 2470 if (csp->csp_auth_mlen == 0) 2471 s->ccm_mac.hash_len = AES_CBC_MAC_HASH_LEN; 2472 else 2473 s->ccm_mac.hash_len = csp->csp_auth_mlen; 2474 } else if (auth_mode != SCMD_AUTH_MODE_NOP) { 2475 s->hmac.auth_hash = auth_hash; 2476 s->hmac.auth_mode = auth_mode; 2477 s->hmac.mk_size = mk_size; 2478 s->hmac.partial_digest_len = partial_digest_len; 2479 if (csp->csp_auth_mlen == 0) 2480 s->hmac.hash_len = auth_hash->hashsize; 2481 else 2482 s->hmac.hash_len = csp->csp_auth_mlen; 2483 if (csp->csp_auth_key != NULL) 2484 t4_init_hmac_digest(auth_hash, partial_digest_len, 2485 csp->csp_auth_key, csp->csp_auth_klen, 2486 s->hmac.pads); 2487 else 2488 ccr_init_hash_digest(s); 2489 } 2490 if (cipher_mode != SCMD_CIPH_MODE_NOP) { 2491 s->cipher.cipher_mode = cipher_mode; 2492 s->cipher.iv_len = csp->csp_ivlen; 2493 if (csp->csp_cipher_key != NULL) 2494 ccr_aes_setkey(s, csp->csp_cipher_key, 2495 csp->csp_cipher_klen); 2496 } 2497 2498 s->port->active_sessions++; 2499 mtx_unlock(&sc->lock); 2500 return (0); 2501 } 2502 2503 static void 2504 ccr_freesession(device_t dev, crypto_session_t cses) 2505 { 2506 struct ccr_softc *sc; 2507 struct ccr_session *s; 2508 2509 sc = device_get_softc(dev); 2510 s = crypto_get_driver_session(cses); 2511 #ifdef INVARIANTS 2512 if (s->pending != 0) 2513 device_printf(dev, 2514 "session %p freed with %d pending requests\n", s, 2515 s->pending); 2516 #endif 2517 mtx_lock(&sc->lock); 2518 s->port->active_sessions--; 2519 mtx_unlock(&sc->lock); 2520 ccr_delete_session(s); 2521 } 2522 2523 static int 2524 ccr_process(device_t dev, struct cryptop *crp, int hint) 2525 { 2526 const struct crypto_session_params *csp; 2527 struct ccr_softc *sc; 2528 struct ccr_session *s; 2529 int error; 2530 2531 csp = crypto_get_params(crp->crp_session); 2532 s = crypto_get_driver_session(crp->crp_session); 2533 sc = device_get_softc(dev); 2534 2535 mtx_lock(&s->lock); 2536 error = ccr_populate_sglist(s->sg_input, &crp->crp_buf); 2537 if (error == 0 && CRYPTO_HAS_OUTPUT_BUFFER(crp)) 2538 error = ccr_populate_sglist(s->sg_output, &crp->crp_obuf); 2539 if (error) { 2540 counter_u64_add(sc->stats_sglist_error, 1); 2541 goto out; 2542 } 2543 2544 switch (s->mode) { 2545 case HASH: 2546 error = ccr_hash(sc, s, crp); 2547 if (error == 0) 2548 counter_u64_add(sc->stats_hash, 1); 2549 break; 2550 case HMAC: 2551 if (crp->crp_auth_key != NULL) 2552 t4_init_hmac_digest(s->hmac.auth_hash, 2553 s->hmac.partial_digest_len, crp->crp_auth_key, 2554 csp->csp_auth_klen, s->hmac.pads); 2555 error = ccr_hash(sc, s, crp); 2556 if (error == 0) 2557 counter_u64_add(sc->stats_hmac, 1); 2558 break; 2559 case CIPHER: 2560 if (crp->crp_cipher_key != NULL) 2561 ccr_aes_setkey(s, crp->crp_cipher_key, 2562 csp->csp_cipher_klen); 2563 error = ccr_cipher(sc, s, crp); 2564 if (error == 0) { 2565 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2566 counter_u64_add(sc->stats_cipher_encrypt, 1); 2567 else 2568 counter_u64_add(sc->stats_cipher_decrypt, 1); 2569 } 2570 break; 2571 case ETA: 2572 if (crp->crp_auth_key != NULL) 2573 t4_init_hmac_digest(s->hmac.auth_hash, 2574 s->hmac.partial_digest_len, crp->crp_auth_key, 2575 csp->csp_auth_klen, s->hmac.pads); 2576 if (crp->crp_cipher_key != NULL) 2577 ccr_aes_setkey(s, crp->crp_cipher_key, 2578 csp->csp_cipher_klen); 2579 error = ccr_eta(sc, s, crp); 2580 if (error == 0) { 2581 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2582 counter_u64_add(sc->stats_eta_encrypt, 1); 2583 else 2584 counter_u64_add(sc->stats_eta_decrypt, 1); 2585 } 2586 break; 2587 case GCM: 2588 if (crp->crp_cipher_key != NULL) { 2589 t4_init_gmac_hash(crp->crp_cipher_key, 2590 csp->csp_cipher_klen, s->gmac.ghash_h); 2591 ccr_aes_setkey(s, crp->crp_cipher_key, 2592 csp->csp_cipher_klen); 2593 } 2594 error = ccr_gcm(sc, s, crp); 2595 if (error == EMSGSIZE || error == EFBIG) { 2596 counter_u64_add(sc->stats_sw_fallback, 1); 2597 mtx_unlock(&s->lock); 2598 ccr_soft(s, crp); 2599 return (0); 2600 } 2601 if (error == 0) { 2602 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2603 counter_u64_add(sc->stats_gcm_encrypt, 1); 2604 else 2605 counter_u64_add(sc->stats_gcm_decrypt, 1); 2606 } 2607 break; 2608 case CCM: 2609 if (crp->crp_cipher_key != NULL) { 2610 ccr_aes_setkey(s, crp->crp_cipher_key, 2611 csp->csp_cipher_klen); 2612 } 2613 error = ccr_ccm(sc, s, crp); 2614 if (error == EMSGSIZE || error == EFBIG) { 2615 counter_u64_add(sc->stats_sw_fallback, 1); 2616 mtx_unlock(&s->lock); 2617 ccr_soft(s, crp); 2618 return (0); 2619 } 2620 if (error == 0) { 2621 if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) 2622 counter_u64_add(sc->stats_ccm_encrypt, 1); 2623 else 2624 counter_u64_add(sc->stats_ccm_decrypt, 1); 2625 } 2626 break; 2627 } 2628 2629 if (error == 0) { 2630 #ifdef INVARIANTS 2631 s->pending++; 2632 #endif 2633 counter_u64_add(sc->stats_inflight, 1); 2634 counter_u64_add(s->port->stats_queued, 1); 2635 } else 2636 counter_u64_add(sc->stats_process_error, 1); 2637 2638 out: 2639 mtx_unlock(&s->lock); 2640 2641 if (error) { 2642 crp->crp_etype = error; 2643 crypto_done(crp); 2644 } 2645 2646 return (0); 2647 } 2648 2649 static int 2650 do_cpl6_fw_pld(struct sge_iq *iq, const struct rss_header *rss, 2651 struct mbuf *m) 2652 { 2653 struct ccr_softc *sc = iq->adapter->ccr_softc; 2654 struct ccr_session *s; 2655 const struct cpl_fw6_pld *cpl; 2656 struct cryptop *crp; 2657 uint32_t status; 2658 int error; 2659 2660 if (m != NULL) 2661 cpl = mtod(m, const void *); 2662 else 2663 cpl = (const void *)(rss + 1); 2664 2665 crp = (struct cryptop *)(uintptr_t)be64toh(cpl->data[1]); 2666 s = crypto_get_driver_session(crp->crp_session); 2667 status = be64toh(cpl->data[0]); 2668 if (CHK_MAC_ERR_BIT(status) || CHK_PAD_ERR_BIT(status)) 2669 error = EBADMSG; 2670 else 2671 error = 0; 2672 2673 #ifdef INVARIANTS 2674 mtx_lock(&s->lock); 2675 s->pending--; 2676 mtx_unlock(&s->lock); 2677 #endif 2678 counter_u64_add(sc->stats_inflight, -1); 2679 counter_u64_add(s->port->stats_completed, 1); 2680 2681 switch (s->mode) { 2682 case HASH: 2683 case HMAC: 2684 error = ccr_hash_done(sc, s, crp, cpl, error); 2685 break; 2686 case CIPHER: 2687 error = ccr_cipher_done(sc, s, crp, cpl, error); 2688 break; 2689 case ETA: 2690 error = ccr_eta_done(sc, s, crp, cpl, error); 2691 break; 2692 case GCM: 2693 error = ccr_gcm_done(sc, s, crp, cpl, error); 2694 break; 2695 case CCM: 2696 error = ccr_ccm_done(sc, s, crp, cpl, error); 2697 break; 2698 } 2699 2700 if (error == EBADMSG) { 2701 if (CHK_MAC_ERR_BIT(status)) 2702 counter_u64_add(sc->stats_mac_error, 1); 2703 if (CHK_PAD_ERR_BIT(status)) 2704 counter_u64_add(sc->stats_pad_error, 1); 2705 } 2706 crp->crp_etype = error; 2707 crypto_done(crp); 2708 m_freem(m); 2709 return (0); 2710 } 2711 2712 static int 2713 ccr_modevent(module_t mod, int cmd, void *arg) 2714 { 2715 2716 switch (cmd) { 2717 case MOD_LOAD: 2718 t4_register_cpl_handler(CPL_FW6_PLD, do_cpl6_fw_pld); 2719 return (0); 2720 case MOD_UNLOAD: 2721 t4_register_cpl_handler(CPL_FW6_PLD, NULL); 2722 return (0); 2723 default: 2724 return (EOPNOTSUPP); 2725 } 2726 } 2727 2728 static device_method_t ccr_methods[] = { 2729 DEVMETHOD(device_identify, ccr_identify), 2730 DEVMETHOD(device_probe, ccr_probe), 2731 DEVMETHOD(device_attach, ccr_attach), 2732 DEVMETHOD(device_detach, ccr_detach), 2733 2734 DEVMETHOD(cryptodev_probesession, ccr_probesession), 2735 DEVMETHOD(cryptodev_newsession, ccr_newsession), 2736 DEVMETHOD(cryptodev_freesession, ccr_freesession), 2737 DEVMETHOD(cryptodev_process, ccr_process), 2738 2739 DEVMETHOD_END 2740 }; 2741 2742 static driver_t ccr_driver = { 2743 "ccr", 2744 ccr_methods, 2745 sizeof(struct ccr_softc) 2746 }; 2747 2748 static devclass_t ccr_devclass; 2749 2750 DRIVER_MODULE(ccr, t6nex, ccr_driver, ccr_devclass, ccr_modevent, NULL); 2751 MODULE_VERSION(ccr, 1); 2752 MODULE_DEPEND(ccr, crypto, 1, 1, 1); 2753 MODULE_DEPEND(ccr, t6nex, 1, 1, 1); 2754