1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
|
/* SPDX-License-Identifier: GPL-2.0-only */
/*
* Copyright (c) 2015 Markus Stockhausen <stockhausen@collogia.de>
* Copyright (C) 2015 International Business Machines Inc.
* Copyright 2026 Google LLC
*/
#include <asm/simd.h>
#include <asm/switch_to.h>
#include <linux/cpufeature.h>
#include <linux/jump_label.h>
#include <linux/preempt.h>
#include <linux/uaccess.h>
#ifdef CONFIG_SPE
EXPORT_SYMBOL_GPL(ppc_expand_key_128);
EXPORT_SYMBOL_GPL(ppc_expand_key_192);
EXPORT_SYMBOL_GPL(ppc_expand_key_256);
EXPORT_SYMBOL_GPL(ppc_generate_decrypt_key);
EXPORT_SYMBOL_GPL(ppc_encrypt_ecb);
EXPORT_SYMBOL_GPL(ppc_decrypt_ecb);
EXPORT_SYMBOL_GPL(ppc_encrypt_cbc);
EXPORT_SYMBOL_GPL(ppc_decrypt_cbc);
EXPORT_SYMBOL_GPL(ppc_crypt_ctr);
EXPORT_SYMBOL_GPL(ppc_encrypt_xts);
EXPORT_SYMBOL_GPL(ppc_decrypt_xts);
void ppc_encrypt_aes(u8 *out, const u8 *in, const u32 *key_enc, u32 rounds);
void ppc_decrypt_aes(u8 *out, const u8 *in, const u32 *key_dec, u32 rounds);
static void spe_begin(void)
{
/* disable preemption and save users SPE registers if required */
preempt_disable();
enable_kernel_spe();
}
static void spe_end(void)
{
disable_kernel_spe();
/* reenable preemption */
preempt_enable();
}
static void aes_preparekey_arch(union aes_enckey_arch *k,
union aes_invkey_arch *inv_k,
const u8 *in_key, int key_len, int nrounds)
{
if (key_len == AES_KEYSIZE_128)
ppc_expand_key_128(k->spe_enc_key, in_key);
else if (key_len == AES_KEYSIZE_192)
ppc_expand_key_192(k->spe_enc_key, in_key);
else
ppc_expand_key_256(k->spe_enc_key, in_key);
if (inv_k)
ppc_generate_decrypt_key(inv_k->spe_dec_key, k->spe_enc_key,
key_len);
}
static void aes_encrypt_arch(const struct aes_enckey *key,
u8 out[AES_BLOCK_SIZE],
const u8 in[AES_BLOCK_SIZE])
{
spe_begin();
ppc_encrypt_aes(out, in, key->k.spe_enc_key, key->nrounds / 2 - 1);
spe_end();
}
static void aes_decrypt_arch(const struct aes_key *key,
u8 out[AES_BLOCK_SIZE],
const u8 in[AES_BLOCK_SIZE])
{
spe_begin();
ppc_decrypt_aes(out, in, key->inv_k.spe_dec_key, key->nrounds / 2 - 1);
spe_end();
}
#else /* CONFIG_SPE */
static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_vec_crypto);
EXPORT_SYMBOL_GPL(aes_p8_set_encrypt_key);
EXPORT_SYMBOL_GPL(aes_p8_set_decrypt_key);
EXPORT_SYMBOL_GPL(aes_p8_encrypt);
EXPORT_SYMBOL_GPL(aes_p8_decrypt);
EXPORT_SYMBOL_GPL(aes_p8_cbc_encrypt);
EXPORT_SYMBOL_GPL(aes_p8_ctr32_encrypt_blocks);
EXPORT_SYMBOL_GPL(aes_p8_xts_encrypt);
EXPORT_SYMBOL_GPL(aes_p8_xts_decrypt);
static inline bool is_vsx_format(const struct p8_aes_key *key)
{
return key->nrounds != 0;
}
/*
* Convert a round key from VSX to generic format by reflecting all 16 bytes (if
* little endian) or reflecting the bytes in each 4-byte word (if big endian),
* and (if apply_inv_mix=true) applying InvMixColumn to each column.
*
* It would be nice if the VSX and generic key formats would be compatible. But
* that's very difficult to do, with the assembly code having been borrowed from
* OpenSSL and also targeted to POWER8 rather than POWER9.
*
* Fortunately, this conversion should only be needed in extremely rare cases,
* possibly not at all in practice. It's just included for full correctness.
*/
static void rndkey_from_vsx(u32 out[4], const u32 in[4], bool apply_inv_mix)
{
const bool be = IS_ENABLED(CONFIG_CPU_BIG_ENDIAN);
u32 k0 = swab32(in[0]);
u32 k1 = swab32(in[1]);
u32 k2 = swab32(in[2]);
u32 k3 = swab32(in[3]);
if (apply_inv_mix) {
k0 = inv_mix_columns(k0);
k1 = inv_mix_columns(k1);
k2 = inv_mix_columns(k2);
k3 = inv_mix_columns(k3);
}
out[0] = be ? k0 : k3;
out[1] = be ? k1 : k2;
out[2] = be ? k2 : k1;
out[3] = be ? k3 : k0;
}
static void aes_preparekey_arch(union aes_enckey_arch *k,
union aes_invkey_arch *inv_k,
const u8 *in_key, int key_len, int nrounds)
{
const int keybits = 8 * key_len;
int ret;
if (static_branch_likely(&have_vec_crypto) && likely(may_use_simd())) {
preempt_disable();
pagefault_disable();
enable_kernel_vsx();
ret = aes_p8_set_encrypt_key(in_key, keybits, &k->p8);
/*
* aes_p8_set_encrypt_key() should never fail here, since the
* key length was already validated.
*/
WARN_ON_ONCE(ret);
if (inv_k) {
ret = aes_p8_set_decrypt_key(in_key, keybits,
&inv_k->p8);
/* ... and likewise for aes_p8_set_decrypt_key(). */
WARN_ON_ONCE(ret);
}
disable_kernel_vsx();
pagefault_enable();
preempt_enable();
} else {
aes_expandkey_generic(k->rndkeys,
inv_k ? inv_k->inv_rndkeys : NULL,
in_key, key_len);
/* Mark the key as using the generic format. */
k->p8.nrounds = 0;
if (inv_k)
inv_k->p8.nrounds = 0;
}
}
static void aes_encrypt_arch(const struct aes_enckey *key,
u8 out[AES_BLOCK_SIZE],
const u8 in[AES_BLOCK_SIZE])
{
if (static_branch_likely(&have_vec_crypto) &&
likely(is_vsx_format(&key->k.p8) && may_use_simd())) {
preempt_disable();
pagefault_disable();
enable_kernel_vsx();
aes_p8_encrypt(in, out, &key->k.p8);
disable_kernel_vsx();
pagefault_enable();
preempt_enable();
} else if (unlikely(is_vsx_format(&key->k.p8))) {
/*
* This handles (the hopefully extremely rare) case where a key
* was prepared using the VSX optimized format, then encryption
* is done in a context that cannot use VSX instructions.
*/
u32 rndkeys[AES_MAX_KEYLENGTH_U32];
for (int i = 0; i < 4 * (key->nrounds + 1); i += 4)
rndkey_from_vsx(&rndkeys[i],
&key->k.p8.rndkeys[i], false);
aes_encrypt_generic(rndkeys, key->nrounds, out, in);
} else {
aes_encrypt_generic(key->k.rndkeys, key->nrounds, out, in);
}
}
static void aes_decrypt_arch(const struct aes_key *key, u8 out[AES_BLOCK_SIZE],
const u8 in[AES_BLOCK_SIZE])
{
if (static_branch_likely(&have_vec_crypto) &&
likely(is_vsx_format(&key->inv_k.p8) && may_use_simd())) {
preempt_disable();
pagefault_disable();
enable_kernel_vsx();
aes_p8_decrypt(in, out, &key->inv_k.p8);
disable_kernel_vsx();
pagefault_enable();
preempt_enable();
} else if (unlikely(is_vsx_format(&key->inv_k.p8))) {
/*
* This handles (the hopefully extremely rare) case where a key
* was prepared using the VSX optimized format, then decryption
* is done in a context that cannot use VSX instructions.
*/
u32 inv_rndkeys[AES_MAX_KEYLENGTH_U32];
int i;
rndkey_from_vsx(&inv_rndkeys[0],
&key->inv_k.p8.rndkeys[0], false);
for (i = 4; i < 4 * key->nrounds; i += 4) {
rndkey_from_vsx(&inv_rndkeys[i],
&key->inv_k.p8.rndkeys[i], true);
}
rndkey_from_vsx(&inv_rndkeys[i],
&key->inv_k.p8.rndkeys[i], false);
aes_decrypt_generic(inv_rndkeys, key->nrounds, out, in);
} else {
aes_decrypt_generic(key->inv_k.inv_rndkeys, key->nrounds,
out, in);
}
}
#define aes_mod_init_arch aes_mod_init_arch
static void aes_mod_init_arch(void)
{
if (cpu_has_feature(CPU_FTR_ARCH_207S) &&
(cur_cpu_spec->cpu_user_features2 & PPC_FEATURE2_VEC_CRYPTO))
static_branch_enable(&have_vec_crypto);
}
#endif /* !CONFIG_SPE */
|
