1 // SPDX-License-Identifier: GPL-2.0-only
3 * Bit sliced AES using NEON instructions
5 * Copyright (C) 2016 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
10 #include <crypto/aes.h>
11 #include <crypto/ctr.h>
12 #include <crypto/internal/simd.h>
13 #include <crypto/internal/skcipher.h>
14 #include <crypto/scatterwalk.h>
15 #include <crypto/xts.h>
16 #include <linux/module.h>
18 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
19 MODULE_LICENSE("GPL v2");
21 asmlinkage void aesbs_convert_key(u8 out[], u32 const rk[], int rounds);
23 asmlinkage void aesbs_ecb_encrypt(u8 out[], u8 const in[], u8 const rk[],
24 int rounds, int blocks);
25 asmlinkage void aesbs_ecb_decrypt(u8 out[], u8 const in[], u8 const rk[],
26 int rounds, int blocks);
28 asmlinkage void aesbs_cbc_decrypt(u8 out[], u8 const in[], u8 const rk[],
29 int rounds, int blocks, u8 iv[]);
31 asmlinkage void aesbs_ctr_encrypt(u8 out[], u8 const in[], u8 const rk[],
32 int rounds, int blocks, u8 iv[], u8 final[]);
34 asmlinkage void aesbs_xts_encrypt(u8 out[], u8 const in[], u8 const rk[],
35 int rounds, int blocks, u8 iv[]);
36 asmlinkage void aesbs_xts_decrypt(u8 out[], u8 const in[], u8 const rk[],
37 int rounds, int blocks, u8 iv[]);
39 /* borrowed from aes-neon-blk.ko */
40 asmlinkage void neon_aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[],
41 int rounds, int blocks);
42 asmlinkage void neon_aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[],
43 int rounds, int blocks, u8 iv[]);
44 asmlinkage void neon_aes_xts_encrypt(u8 out[], u8 const in[],
45 u32 const rk1[], int rounds, int bytes,
46 u32 const rk2[], u8 iv[], int first);
47 asmlinkage void neon_aes_xts_decrypt(u8 out[], u8 const in[],
48 u32 const rk1[], int rounds, int bytes,
49 u32 const rk2[], u8 iv[], int first);
52 u8 rk[13 * (8 * AES_BLOCK_SIZE) + 32];
54 } __aligned(AES_BLOCK_SIZE);
56 struct aesbs_cbc_ctx {
58 u32 enc[AES_MAX_KEYLENGTH_U32];
61 struct aesbs_ctr_ctx {
62 struct aesbs_ctx key; /* must be first member */
63 struct crypto_aes_ctx fallback;
66 struct aesbs_xts_ctx {
68 u32 twkey[AES_MAX_KEYLENGTH_U32];
69 struct crypto_aes_ctx cts;
72 static int aesbs_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
75 struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm);
76 struct crypto_aes_ctx rk;
79 err = aes_expandkey(&rk, in_key, key_len);
83 ctx->rounds = 6 + key_len / 4;
86 aesbs_convert_key(ctx->rk, rk.key_enc, ctx->rounds);
92 static int __ecb_crypt(struct skcipher_request *req,
93 void (*fn)(u8 out[], u8 const in[], u8 const rk[],
94 int rounds, int blocks))
96 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
97 struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm);
98 struct skcipher_walk walk;
101 err = skcipher_walk_virt(&walk, req, false);
103 while (walk.nbytes >= AES_BLOCK_SIZE) {
104 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
106 if (walk.nbytes < walk.total)
107 blocks = round_down(blocks,
108 walk.stride / AES_BLOCK_SIZE);
111 fn(walk.dst.virt.addr, walk.src.virt.addr, ctx->rk,
112 ctx->rounds, blocks);
114 err = skcipher_walk_done(&walk,
115 walk.nbytes - blocks * AES_BLOCK_SIZE);
121 static int ecb_encrypt(struct skcipher_request *req)
123 return __ecb_crypt(req, aesbs_ecb_encrypt);
126 static int ecb_decrypt(struct skcipher_request *req)
128 return __ecb_crypt(req, aesbs_ecb_decrypt);
131 static int aesbs_cbc_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
132 unsigned int key_len)
134 struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm);
135 struct crypto_aes_ctx rk;
138 err = aes_expandkey(&rk, in_key, key_len);
142 ctx->key.rounds = 6 + key_len / 4;
144 memcpy(ctx->enc, rk.key_enc, sizeof(ctx->enc));
147 aesbs_convert_key(ctx->key.rk, rk.key_enc, ctx->key.rounds);
149 memzero_explicit(&rk, sizeof(rk));
154 static int cbc_encrypt(struct skcipher_request *req)
156 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
157 struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm);
158 struct skcipher_walk walk;
161 err = skcipher_walk_virt(&walk, req, false);
163 while (walk.nbytes >= AES_BLOCK_SIZE) {
164 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
166 /* fall back to the non-bitsliced NEON implementation */
168 neon_aes_cbc_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
169 ctx->enc, ctx->key.rounds, blocks,
172 err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE);
177 static int cbc_decrypt(struct skcipher_request *req)
179 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
180 struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm);
181 struct skcipher_walk walk;
184 err = skcipher_walk_virt(&walk, req, false);
186 while (walk.nbytes >= AES_BLOCK_SIZE) {
187 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
189 if (walk.nbytes < walk.total)
190 blocks = round_down(blocks,
191 walk.stride / AES_BLOCK_SIZE);
194 aesbs_cbc_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
195 ctx->key.rk, ctx->key.rounds, blocks,
198 err = skcipher_walk_done(&walk,
199 walk.nbytes - blocks * AES_BLOCK_SIZE);
205 static int aesbs_ctr_setkey_sync(struct crypto_skcipher *tfm, const u8 *in_key,
206 unsigned int key_len)
208 struct aesbs_ctr_ctx *ctx = crypto_skcipher_ctx(tfm);
211 err = aes_expandkey(&ctx->fallback, in_key, key_len);
215 ctx->key.rounds = 6 + key_len / 4;
218 aesbs_convert_key(ctx->key.rk, ctx->fallback.key_enc, ctx->key.rounds);
224 static int ctr_encrypt(struct skcipher_request *req)
226 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
227 struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm);
228 struct skcipher_walk walk;
229 u8 buf[AES_BLOCK_SIZE];
232 err = skcipher_walk_virt(&walk, req, false);
234 while (walk.nbytes > 0) {
235 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
236 u8 *final = (walk.total % AES_BLOCK_SIZE) ? buf : NULL;
238 if (walk.nbytes < walk.total) {
239 blocks = round_down(blocks,
240 walk.stride / AES_BLOCK_SIZE);
245 aesbs_ctr_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
246 ctx->rk, ctx->rounds, blocks, walk.iv, final);
250 u8 *dst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
251 u8 *src = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
253 crypto_xor_cpy(dst, src, final,
254 walk.total % AES_BLOCK_SIZE);
256 err = skcipher_walk_done(&walk, 0);
259 err = skcipher_walk_done(&walk,
260 walk.nbytes - blocks * AES_BLOCK_SIZE);
265 static int aesbs_xts_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
266 unsigned int key_len)
268 struct aesbs_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
269 struct crypto_aes_ctx rk;
272 err = xts_verify_key(tfm, in_key, key_len);
277 err = aes_expandkey(&ctx->cts, in_key, key_len);
281 err = aes_expandkey(&rk, in_key + key_len, key_len);
285 memcpy(ctx->twkey, rk.key_enc, sizeof(ctx->twkey));
287 return aesbs_setkey(tfm, in_key, key_len);
290 static void ctr_encrypt_one(struct crypto_skcipher *tfm, const u8 *src, u8 *dst)
292 struct aesbs_ctr_ctx *ctx = crypto_skcipher_ctx(tfm);
296 * Temporarily disable interrupts to avoid races where
297 * cachelines are evicted when the CPU is interrupted
298 * to do something else.
300 local_irq_save(flags);
301 aes_encrypt(&ctx->fallback, dst, src);
302 local_irq_restore(flags);
305 static int ctr_encrypt_sync(struct skcipher_request *req)
307 if (!crypto_simd_usable())
308 return crypto_ctr_encrypt_walk(req, ctr_encrypt_one);
310 return ctr_encrypt(req);
313 static int __xts_crypt(struct skcipher_request *req, bool encrypt,
314 void (*fn)(u8 out[], u8 const in[], u8 const rk[],
315 int rounds, int blocks, u8 iv[]))
317 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
318 struct aesbs_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
319 int tail = req->cryptlen % (8 * AES_BLOCK_SIZE);
320 struct scatterlist sg_src[2], sg_dst[2];
321 struct skcipher_request subreq;
322 struct scatterlist *src, *dst;
323 struct skcipher_walk walk;
328 if (req->cryptlen < AES_BLOCK_SIZE)
331 /* ensure that the cts tail is covered by a single step */
332 if (unlikely(tail > 0 && tail < AES_BLOCK_SIZE)) {
333 int xts_blocks = DIV_ROUND_UP(req->cryptlen,
336 skcipher_request_set_tfm(&subreq, tfm);
337 skcipher_request_set_callback(&subreq,
338 skcipher_request_flags(req),
340 skcipher_request_set_crypt(&subreq, req->src, req->dst,
341 xts_blocks * AES_BLOCK_SIZE,
348 err = skcipher_walk_virt(&walk, req, false);
352 while (walk.nbytes >= AES_BLOCK_SIZE) {
353 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
355 if (walk.nbytes < walk.total || walk.nbytes % AES_BLOCK_SIZE)
356 blocks = round_down(blocks,
357 walk.stride / AES_BLOCK_SIZE);
359 out = walk.dst.virt.addr;
360 in = walk.src.virt.addr;
361 nbytes = walk.nbytes;
364 if (likely(blocks > 6)) { /* plain NEON is faster otherwise */
366 neon_aes_ecb_encrypt(walk.iv, walk.iv,
371 fn(out, in, ctx->key.rk, ctx->key.rounds, blocks,
374 out += blocks * AES_BLOCK_SIZE;
375 in += blocks * AES_BLOCK_SIZE;
376 nbytes -= blocks * AES_BLOCK_SIZE;
379 if (walk.nbytes == walk.total && nbytes > 0)
383 err = skcipher_walk_done(&walk, nbytes);
386 if (err || likely(!tail))
389 /* handle ciphertext stealing */
390 dst = src = scatterwalk_ffwd(sg_src, req->src, req->cryptlen);
391 if (req->dst != req->src)
392 dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen);
394 skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail,
397 err = skcipher_walk_virt(&walk, req, false);
401 out = walk.dst.virt.addr;
402 in = walk.src.virt.addr;
403 nbytes = walk.nbytes;
408 neon_aes_xts_encrypt(out, in, ctx->cts.key_enc, ctx->key.rounds,
409 nbytes, ctx->twkey, walk.iv, first ?: 2);
411 neon_aes_xts_decrypt(out, in, ctx->cts.key_dec, ctx->key.rounds,
412 nbytes, ctx->twkey, walk.iv, first ?: 2);
415 return skcipher_walk_done(&walk, 0);
418 static int xts_encrypt(struct skcipher_request *req)
420 return __xts_crypt(req, true, aesbs_xts_encrypt);
423 static int xts_decrypt(struct skcipher_request *req)
425 return __xts_crypt(req, false, aesbs_xts_decrypt);
428 static struct skcipher_alg aes_algs[] = { {
429 .base.cra_name = "__ecb(aes)",
430 .base.cra_driver_name = "__ecb-aes-neonbs",
431 .base.cra_priority = 250,
432 .base.cra_blocksize = AES_BLOCK_SIZE,
433 .base.cra_ctxsize = sizeof(struct aesbs_ctx),
434 .base.cra_module = THIS_MODULE,
435 .base.cra_flags = CRYPTO_ALG_INTERNAL,
437 .min_keysize = AES_MIN_KEY_SIZE,
438 .max_keysize = AES_MAX_KEY_SIZE,
439 .walksize = 8 * AES_BLOCK_SIZE,
440 .setkey = aesbs_setkey,
441 .encrypt = ecb_encrypt,
442 .decrypt = ecb_decrypt,
444 .base.cra_name = "__cbc(aes)",
445 .base.cra_driver_name = "__cbc-aes-neonbs",
446 .base.cra_priority = 250,
447 .base.cra_blocksize = AES_BLOCK_SIZE,
448 .base.cra_ctxsize = sizeof(struct aesbs_cbc_ctx),
449 .base.cra_module = THIS_MODULE,
450 .base.cra_flags = CRYPTO_ALG_INTERNAL,
452 .min_keysize = AES_MIN_KEY_SIZE,
453 .max_keysize = AES_MAX_KEY_SIZE,
454 .walksize = 8 * AES_BLOCK_SIZE,
455 .ivsize = AES_BLOCK_SIZE,
456 .setkey = aesbs_cbc_setkey,
457 .encrypt = cbc_encrypt,
458 .decrypt = cbc_decrypt,
460 .base.cra_name = "__ctr(aes)",
461 .base.cra_driver_name = "__ctr-aes-neonbs",
462 .base.cra_priority = 250,
463 .base.cra_blocksize = 1,
464 .base.cra_ctxsize = sizeof(struct aesbs_ctx),
465 .base.cra_module = THIS_MODULE,
466 .base.cra_flags = CRYPTO_ALG_INTERNAL,
468 .min_keysize = AES_MIN_KEY_SIZE,
469 .max_keysize = AES_MAX_KEY_SIZE,
470 .chunksize = AES_BLOCK_SIZE,
471 .walksize = 8 * AES_BLOCK_SIZE,
472 .ivsize = AES_BLOCK_SIZE,
473 .setkey = aesbs_setkey,
474 .encrypt = ctr_encrypt,
475 .decrypt = ctr_encrypt,
477 .base.cra_name = "ctr(aes)",
478 .base.cra_driver_name = "ctr-aes-neonbs",
479 .base.cra_priority = 250 - 1,
480 .base.cra_blocksize = 1,
481 .base.cra_ctxsize = sizeof(struct aesbs_ctr_ctx),
482 .base.cra_module = THIS_MODULE,
484 .min_keysize = AES_MIN_KEY_SIZE,
485 .max_keysize = AES_MAX_KEY_SIZE,
486 .chunksize = AES_BLOCK_SIZE,
487 .walksize = 8 * AES_BLOCK_SIZE,
488 .ivsize = AES_BLOCK_SIZE,
489 .setkey = aesbs_ctr_setkey_sync,
490 .encrypt = ctr_encrypt_sync,
491 .decrypt = ctr_encrypt_sync,
493 .base.cra_name = "__xts(aes)",
494 .base.cra_driver_name = "__xts-aes-neonbs",
495 .base.cra_priority = 250,
496 .base.cra_blocksize = AES_BLOCK_SIZE,
497 .base.cra_ctxsize = sizeof(struct aesbs_xts_ctx),
498 .base.cra_module = THIS_MODULE,
499 .base.cra_flags = CRYPTO_ALG_INTERNAL,
501 .min_keysize = 2 * AES_MIN_KEY_SIZE,
502 .max_keysize = 2 * AES_MAX_KEY_SIZE,
503 .walksize = 8 * AES_BLOCK_SIZE,
504 .ivsize = AES_BLOCK_SIZE,
505 .setkey = aesbs_xts_setkey,
506 .encrypt = xts_encrypt,
507 .decrypt = xts_decrypt,
510 static struct simd_skcipher_alg *aes_simd_algs[ARRAY_SIZE(aes_algs)];
512 static void aes_exit(void)
516 for (i = 0; i < ARRAY_SIZE(aes_simd_algs); i++)
517 if (aes_simd_algs[i])
518 simd_skcipher_free(aes_simd_algs[i]);
520 crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
523 static int __init aes_init(void)
525 struct simd_skcipher_alg *simd;
526 const char *basename;
532 if (!cpu_have_named_feature(ASIMD))
535 err = crypto_register_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
539 for (i = 0; i < ARRAY_SIZE(aes_algs); i++) {
540 if (!(aes_algs[i].base.cra_flags & CRYPTO_ALG_INTERNAL))
543 algname = aes_algs[i].base.cra_name + 2;
544 drvname = aes_algs[i].base.cra_driver_name + 2;
545 basename = aes_algs[i].base.cra_driver_name;
546 simd = simd_skcipher_create_compat(algname, drvname, basename);
549 goto unregister_simds;
551 aes_simd_algs[i] = simd;
560 module_init(aes_init);
561 module_exit(aes_exit);