Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
padlock-sha.c
Go to the documentation of this file.
1 /*
2  * Cryptographic API.
3  *
4  * Support for VIA PadLock hardware crypto engine.
5  *
6  * Copyright (c) 2006 Michal Ludvig <[email protected]>
7  *
8  * This program is free software; you can redistribute it and/or modify
9  * it under the terms of the GNU General Public License as published by
10  * the Free Software Foundation; either version 2 of the License, or
11  * (at your option) any later version.
12  *
13  */
14 
15 #include <crypto/internal/hash.h>
16 #include <crypto/padlock.h>
17 #include <crypto/sha.h>
18 #include <linux/err.h>
19 #include <linux/module.h>
20 #include <linux/init.h>
21 #include <linux/errno.h>
22 #include <linux/interrupt.h>
23 #include <linux/kernel.h>
24 #include <linux/scatterlist.h>
25 #include <asm/cpu_device_id.h>
26 #include <asm/i387.h>
27 
28 struct padlock_sha_desc {
29  struct shash_desc fallback;
30 };
31 
32 struct padlock_sha_ctx {
33  struct crypto_shash *fallback;
34 };
35 
36 static int padlock_sha_init(struct shash_desc *desc)
37 {
38  struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
39  struct padlock_sha_ctx *ctx = crypto_shash_ctx(desc->tfm);
40 
41  dctx->fallback.tfm = ctx->fallback;
42  dctx->fallback.flags = desc->flags & CRYPTO_TFM_REQ_MAY_SLEEP;
43  return crypto_shash_init(&dctx->fallback);
44 }
45 
46 static int padlock_sha_update(struct shash_desc *desc,
47  const u8 *data, unsigned int length)
48 {
49  struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
50 
51  dctx->fallback.flags = desc->flags & CRYPTO_TFM_REQ_MAY_SLEEP;
52  return crypto_shash_update(&dctx->fallback, data, length);
53 }
54 
55 static int padlock_sha_export(struct shash_desc *desc, void *out)
56 {
57  struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
58 
59  return crypto_shash_export(&dctx->fallback, out);
60 }
61 
62 static int padlock_sha_import(struct shash_desc *desc, const void *in)
63 {
64  struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
65  struct padlock_sha_ctx *ctx = crypto_shash_ctx(desc->tfm);
66 
67  dctx->fallback.tfm = ctx->fallback;
68  dctx->fallback.flags = desc->flags & CRYPTO_TFM_REQ_MAY_SLEEP;
69  return crypto_shash_import(&dctx->fallback, in);
70 }
71 
72 static inline void padlock_output_block(uint32_t *src,
73  uint32_t *dst, size_t count)
74 {
75  while (count--)
76  *dst++ = swab32(*src++);
77 }
78 
79 static int padlock_sha1_finup(struct shash_desc *desc, const u8 *in,
80  unsigned int count, u8 *out)
81 {
82  /* We can't store directly to *out as it may be unaligned. */
83  /* BTW Don't reduce the buffer size below 128 Bytes!
84  * PadLock microcode needs it that big. */
85  char buf[128 + PADLOCK_ALIGNMENT - STACK_ALIGN] __attribute__
86  ((aligned(STACK_ALIGN)));
87  char *result = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
88  struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
89  struct sha1_state state;
90  unsigned int space;
91  unsigned int leftover;
92  int ts_state;
93  int err;
94 
95  dctx->fallback.flags = desc->flags & CRYPTO_TFM_REQ_MAY_SLEEP;
96  err = crypto_shash_export(&dctx->fallback, &state);
97  if (err)
98  goto out;
99 
100  if (state.count + count > ULONG_MAX)
101  return crypto_shash_finup(&dctx->fallback, in, count, out);
102 
103  leftover = ((state.count - 1) & (SHA1_BLOCK_SIZE - 1)) + 1;
104  space = SHA1_BLOCK_SIZE - leftover;
105  if (space) {
106  if (count > space) {
107  err = crypto_shash_update(&dctx->fallback, in, space) ?:
108  crypto_shash_export(&dctx->fallback, &state);
109  if (err)
110  goto out;
111  count -= space;
112  in += space;
113  } else {
114  memcpy(state.buffer + leftover, in, count);
115  in = state.buffer;
116  count += leftover;
117  state.count &= ~(SHA1_BLOCK_SIZE - 1);
118  }
119  }
120 
121  memcpy(result, &state.state, SHA1_DIGEST_SIZE);
122 
123  /* prevent taking the spurious DNA fault with padlock. */
124  ts_state = irq_ts_save();
125  asm volatile (".byte 0xf3,0x0f,0xa6,0xc8" /* rep xsha1 */
126  : \
127  : "c"((unsigned long)state.count + count), \
128  "a"((unsigned long)state.count), \
129  "S"(in), "D"(result));
130  irq_ts_restore(ts_state);
131 
132  padlock_output_block((uint32_t *)result, (uint32_t *)out, 5);
133 
134 out:
135  return err;
136 }
137 
138 static int padlock_sha1_final(struct shash_desc *desc, u8 *out)
139 {
140  u8 buf[4];
141 
142  return padlock_sha1_finup(desc, buf, 0, out);
143 }
144 
145 static int padlock_sha256_finup(struct shash_desc *desc, const u8 *in,
146  unsigned int count, u8 *out)
147 {
148  /* We can't store directly to *out as it may be unaligned. */
149  /* BTW Don't reduce the buffer size below 128 Bytes!
150  * PadLock microcode needs it that big. */
151  char buf[128 + PADLOCK_ALIGNMENT - STACK_ALIGN] __attribute__
152  ((aligned(STACK_ALIGN)));
153  char *result = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
154  struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
155  struct sha256_state state;
156  unsigned int space;
157  unsigned int leftover;
158  int ts_state;
159  int err;
160 
161  dctx->fallback.flags = desc->flags & CRYPTO_TFM_REQ_MAY_SLEEP;
162  err = crypto_shash_export(&dctx->fallback, &state);
163  if (err)
164  goto out;
165 
166  if (state.count + count > ULONG_MAX)
167  return crypto_shash_finup(&dctx->fallback, in, count, out);
168 
169  leftover = ((state.count - 1) & (SHA256_BLOCK_SIZE - 1)) + 1;
170  space = SHA256_BLOCK_SIZE - leftover;
171  if (space) {
172  if (count > space) {
173  err = crypto_shash_update(&dctx->fallback, in, space) ?:
174  crypto_shash_export(&dctx->fallback, &state);
175  if (err)
176  goto out;
177  count -= space;
178  in += space;
179  } else {
180  memcpy(state.buf + leftover, in, count);
181  in = state.buf;
182  count += leftover;
183  state.count &= ~(SHA1_BLOCK_SIZE - 1);
184  }
185  }
186 
187  memcpy(result, &state.state, SHA256_DIGEST_SIZE);
188 
189  /* prevent taking the spurious DNA fault with padlock. */
190  ts_state = irq_ts_save();
191  asm volatile (".byte 0xf3,0x0f,0xa6,0xd0" /* rep xsha256 */
192  : \
193  : "c"((unsigned long)state.count + count), \
194  "a"((unsigned long)state.count), \
195  "S"(in), "D"(result));
196  irq_ts_restore(ts_state);
197 
198  padlock_output_block((uint32_t *)result, (uint32_t *)out, 8);
199 
200 out:
201  return err;
202 }
203 
204 static int padlock_sha256_final(struct shash_desc *desc, u8 *out)
205 {
206  u8 buf[4];
207 
208  return padlock_sha256_finup(desc, buf, 0, out);
209 }
210 
211 static int padlock_cra_init(struct crypto_tfm *tfm)
212 {
213  struct crypto_shash *hash = __crypto_shash_cast(tfm);
214  const char *fallback_driver_name = tfm->__crt_alg->cra_name;
215  struct padlock_sha_ctx *ctx = crypto_tfm_ctx(tfm);
216  struct crypto_shash *fallback_tfm;
217  int err = -ENOMEM;
218 
219  /* Allocate a fallback and abort if it failed. */
220  fallback_tfm = crypto_alloc_shash(fallback_driver_name, 0,
221  CRYPTO_ALG_NEED_FALLBACK);
222  if (IS_ERR(fallback_tfm)) {
223  printk(KERN_WARNING PFX "Fallback driver '%s' could not be loaded!\n",
224  fallback_driver_name);
225  err = PTR_ERR(fallback_tfm);
226  goto out;
227  }
228 
229  ctx->fallback = fallback_tfm;
230  hash->descsize += crypto_shash_descsize(fallback_tfm);
231  return 0;
232 
233 out:
234  return err;
235 }
236 
237 static void padlock_cra_exit(struct crypto_tfm *tfm)
238 {
239  struct padlock_sha_ctx *ctx = crypto_tfm_ctx(tfm);
240 
241  crypto_free_shash(ctx->fallback);
242 }
243 
244 static struct shash_alg sha1_alg = {
245  .digestsize = SHA1_DIGEST_SIZE,
246  .init = padlock_sha_init,
247  .update = padlock_sha_update,
248  .finup = padlock_sha1_finup,
249  .final = padlock_sha1_final,
250  .export = padlock_sha_export,
251  .import = padlock_sha_import,
252  .descsize = sizeof(struct padlock_sha_desc),
253  .statesize = sizeof(struct sha1_state),
254  .base = {
255  .cra_name = "sha1",
256  .cra_driver_name = "sha1-padlock",
257  .cra_priority = PADLOCK_CRA_PRIORITY,
258  .cra_flags = CRYPTO_ALG_TYPE_SHASH |
259  CRYPTO_ALG_NEED_FALLBACK,
260  .cra_blocksize = SHA1_BLOCK_SIZE,
261  .cra_ctxsize = sizeof(struct padlock_sha_ctx),
262  .cra_module = THIS_MODULE,
263  .cra_init = padlock_cra_init,
264  .cra_exit = padlock_cra_exit,
265  }
266 };
267 
268 static struct shash_alg sha256_alg = {
269  .digestsize = SHA256_DIGEST_SIZE,
270  .init = padlock_sha_init,
271  .update = padlock_sha_update,
272  .finup = padlock_sha256_finup,
273  .final = padlock_sha256_final,
274  .export = padlock_sha_export,
275  .import = padlock_sha_import,
276  .descsize = sizeof(struct padlock_sha_desc),
277  .statesize = sizeof(struct sha256_state),
278  .base = {
279  .cra_name = "sha256",
280  .cra_driver_name = "sha256-padlock",
281  .cra_priority = PADLOCK_CRA_PRIORITY,
282  .cra_flags = CRYPTO_ALG_TYPE_SHASH |
283  CRYPTO_ALG_NEED_FALLBACK,
284  .cra_blocksize = SHA256_BLOCK_SIZE,
285  .cra_ctxsize = sizeof(struct padlock_sha_ctx),
286  .cra_module = THIS_MODULE,
287  .cra_init = padlock_cra_init,
288  .cra_exit = padlock_cra_exit,
289  }
290 };
291 
292 /* Add two shash_alg instance for hardware-implemented *
293 * multiple-parts hash supported by VIA Nano Processor.*/
294 static int padlock_sha1_init_nano(struct shash_desc *desc)
295 {
296  struct sha1_state *sctx = shash_desc_ctx(desc);
297 
298  *sctx = (struct sha1_state){
299  .state = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
300  };
301 
302  return 0;
303 }
304 
305 static int padlock_sha1_update_nano(struct shash_desc *desc,
306  const u8 *data, unsigned int len)
307 {
308  struct sha1_state *sctx = shash_desc_ctx(desc);
309  unsigned int partial, done;
310  const u8 *src;
311  /*The PHE require the out buffer must 128 bytes and 16-bytes aligned*/
312  u8 buf[128 + PADLOCK_ALIGNMENT - STACK_ALIGN] __attribute__
313  ((aligned(STACK_ALIGN)));
314  u8 *dst = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
315  int ts_state;
316 
317  partial = sctx->count & 0x3f;
318  sctx->count += len;
319  done = 0;
320  src = data;
321  memcpy(dst, (u8 *)(sctx->state), SHA1_DIGEST_SIZE);
322 
323  if ((partial + len) >= SHA1_BLOCK_SIZE) {
324 
325  /* Append the bytes in state's buffer to a block to handle */
326  if (partial) {
327  done = -partial;
328  memcpy(sctx->buffer + partial, data,
329  done + SHA1_BLOCK_SIZE);
330  src = sctx->buffer;
331  ts_state = irq_ts_save();
332  asm volatile (".byte 0xf3,0x0f,0xa6,0xc8"
333  : "+S"(src), "+D"(dst) \
334  : "a"((long)-1), "c"((unsigned long)1));
335  irq_ts_restore(ts_state);
336  done += SHA1_BLOCK_SIZE;
337  src = data + done;
338  }
339 
340  /* Process the left bytes from the input data */
341  if (len - done >= SHA1_BLOCK_SIZE) {
342  ts_state = irq_ts_save();
343  asm volatile (".byte 0xf3,0x0f,0xa6,0xc8"
344  : "+S"(src), "+D"(dst)
345  : "a"((long)-1),
346  "c"((unsigned long)((len - done) / SHA1_BLOCK_SIZE)));
347  irq_ts_restore(ts_state);
348  done += ((len - done) - (len - done) % SHA1_BLOCK_SIZE);
349  src = data + done;
350  }
351  partial = 0;
352  }
353  memcpy((u8 *)(sctx->state), dst, SHA1_DIGEST_SIZE);
354  memcpy(sctx->buffer + partial, src, len - done);
355 
356  return 0;
357 }
358 
359 static int padlock_sha1_final_nano(struct shash_desc *desc, u8 *out)
360 {
361  struct sha1_state *state = (struct sha1_state *)shash_desc_ctx(desc);
362  unsigned int partial, padlen;
363  __be64 bits;
364  static const u8 padding[64] = { 0x80, };
365 
366  bits = cpu_to_be64(state->count << 3);
367 
368  /* Pad out to 56 mod 64 */
369  partial = state->count & 0x3f;
370  padlen = (partial < 56) ? (56 - partial) : ((64+56) - partial);
371  padlock_sha1_update_nano(desc, padding, padlen);
372 
373  /* Append length field bytes */
374  padlock_sha1_update_nano(desc, (const u8 *)&bits, sizeof(bits));
375 
376  /* Swap to output */
377  padlock_output_block((uint32_t *)(state->state), (uint32_t *)out, 5);
378 
379  return 0;
380 }
381 
382 static int padlock_sha256_init_nano(struct shash_desc *desc)
383 {
384  struct sha256_state *sctx = shash_desc_ctx(desc);
385 
386  *sctx = (struct sha256_state){
387  .state = { SHA256_H0, SHA256_H1, SHA256_H2, SHA256_H3, \
388  SHA256_H4, SHA256_H5, SHA256_H6, SHA256_H7},
389  };
390 
391  return 0;
392 }
393 
394 static int padlock_sha256_update_nano(struct shash_desc *desc, const u8 *data,
395  unsigned int len)
396 {
397  struct sha256_state *sctx = shash_desc_ctx(desc);
398  unsigned int partial, done;
399  const u8 *src;
400  /*The PHE require the out buffer must 128 bytes and 16-bytes aligned*/
401  u8 buf[128 + PADLOCK_ALIGNMENT - STACK_ALIGN] __attribute__
402  ((aligned(STACK_ALIGN)));
403  u8 *dst = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
404  int ts_state;
405 
406  partial = sctx->count & 0x3f;
407  sctx->count += len;
408  done = 0;
409  src = data;
410  memcpy(dst, (u8 *)(sctx->state), SHA256_DIGEST_SIZE);
411 
412  if ((partial + len) >= SHA256_BLOCK_SIZE) {
413 
414  /* Append the bytes in state's buffer to a block to handle */
415  if (partial) {
416  done = -partial;
417  memcpy(sctx->buf + partial, data,
418  done + SHA256_BLOCK_SIZE);
419  src = sctx->buf;
420  ts_state = irq_ts_save();
421  asm volatile (".byte 0xf3,0x0f,0xa6,0xd0"
422  : "+S"(src), "+D"(dst)
423  : "a"((long)-1), "c"((unsigned long)1));
424  irq_ts_restore(ts_state);
425  done += SHA256_BLOCK_SIZE;
426  src = data + done;
427  }
428 
429  /* Process the left bytes from input data*/
430  if (len - done >= SHA256_BLOCK_SIZE) {
431  ts_state = irq_ts_save();
432  asm volatile (".byte 0xf3,0x0f,0xa6,0xd0"
433  : "+S"(src), "+D"(dst)
434  : "a"((long)-1),
435  "c"((unsigned long)((len - done) / 64)));
436  irq_ts_restore(ts_state);
437  done += ((len - done) - (len - done) % 64);
438  src = data + done;
439  }
440  partial = 0;
441  }
442  memcpy((u8 *)(sctx->state), dst, SHA256_DIGEST_SIZE);
443  memcpy(sctx->buf + partial, src, len - done);
444 
445  return 0;
446 }
447 
448 static int padlock_sha256_final_nano(struct shash_desc *desc, u8 *out)
449 {
450  struct sha256_state *state =
451  (struct sha256_state *)shash_desc_ctx(desc);
452  unsigned int partial, padlen;
453  __be64 bits;
454  static const u8 padding[64] = { 0x80, };
455 
456  bits = cpu_to_be64(state->count << 3);
457 
458  /* Pad out to 56 mod 64 */
459  partial = state->count & 0x3f;
460  padlen = (partial < 56) ? (56 - partial) : ((64+56) - partial);
461  padlock_sha256_update_nano(desc, padding, padlen);
462 
463  /* Append length field bytes */
464  padlock_sha256_update_nano(desc, (const u8 *)&bits, sizeof(bits));
465 
466  /* Swap to output */
467  padlock_output_block((uint32_t *)(state->state), (uint32_t *)out, 8);
468 
469  return 0;
470 }
471 
472 static int padlock_sha_export_nano(struct shash_desc *desc,
473  void *out)
474 {
475  int statesize = crypto_shash_statesize(desc->tfm);
476  void *sctx = shash_desc_ctx(desc);
477 
478  memcpy(out, sctx, statesize);
479  return 0;
480 }
481 
482 static int padlock_sha_import_nano(struct shash_desc *desc,
483  const void *in)
484 {
485  int statesize = crypto_shash_statesize(desc->tfm);
486  void *sctx = shash_desc_ctx(desc);
487 
488  memcpy(sctx, in, statesize);
489  return 0;
490 }
491 
492 static struct shash_alg sha1_alg_nano = {
493  .digestsize = SHA1_DIGEST_SIZE,
494  .init = padlock_sha1_init_nano,
495  .update = padlock_sha1_update_nano,
496  .final = padlock_sha1_final_nano,
497  .export = padlock_sha_export_nano,
498  .import = padlock_sha_import_nano,
499  .descsize = sizeof(struct sha1_state),
500  .statesize = sizeof(struct sha1_state),
501  .base = {
502  .cra_name = "sha1",
503  .cra_driver_name = "sha1-padlock-nano",
504  .cra_priority = PADLOCK_CRA_PRIORITY,
505  .cra_flags = CRYPTO_ALG_TYPE_SHASH,
506  .cra_blocksize = SHA1_BLOCK_SIZE,
507  .cra_module = THIS_MODULE,
508  }
509 };
510 
511 static struct shash_alg sha256_alg_nano = {
512  .digestsize = SHA256_DIGEST_SIZE,
513  .init = padlock_sha256_init_nano,
514  .update = padlock_sha256_update_nano,
515  .final = padlock_sha256_final_nano,
516  .export = padlock_sha_export_nano,
517  .import = padlock_sha_import_nano,
518  .descsize = sizeof(struct sha256_state),
519  .statesize = sizeof(struct sha256_state),
520  .base = {
521  .cra_name = "sha256",
522  .cra_driver_name = "sha256-padlock-nano",
523  .cra_priority = PADLOCK_CRA_PRIORITY,
524  .cra_flags = CRYPTO_ALG_TYPE_SHASH,
525  .cra_blocksize = SHA256_BLOCK_SIZE,
526  .cra_module = THIS_MODULE,
527  }
528 };
529 
530 static struct x86_cpu_id padlock_sha_ids[] = {
531  X86_FEATURE_MATCH(X86_FEATURE_PHE),
532  {}
533 };
534 MODULE_DEVICE_TABLE(x86cpu, padlock_sha_ids);
535 
536 static int __init padlock_init(void)
537 {
538  int rc = -ENODEV;
539  struct cpuinfo_x86 *c = &cpu_data(0);
540  struct shash_alg *sha1;
541  struct shash_alg *sha256;
542 
543  if (!x86_match_cpu(padlock_sha_ids) || !cpu_has_phe_enabled)
544  return -ENODEV;
545 
546  /* Register the newly added algorithm module if on *
547  * VIA Nano processor, or else just do as before */
548  if (c->x86_model < 0x0f) {
549  sha1 = &sha1_alg;
550  sha256 = &sha256_alg;
551  } else {
552  sha1 = &sha1_alg_nano;
553  sha256 = &sha256_alg_nano;
554  }
555 
556  rc = crypto_register_shash(sha1);
557  if (rc)
558  goto out;
559 
560  rc = crypto_register_shash(sha256);
561  if (rc)
562  goto out_unreg1;
563 
564  printk(KERN_NOTICE PFX "Using VIA PadLock ACE for SHA1/SHA256 algorithms.\n");
565 
566  return 0;
567 
568 out_unreg1:
569  crypto_unregister_shash(sha1);
570 
571 out:
572  printk(KERN_ERR PFX "VIA PadLock SHA1/SHA256 initialization failed.\n");
573  return rc;
574 }
575 
576 static void __exit padlock_fini(void)
577 {
578  struct cpuinfo_x86 *c = &cpu_data(0);
579 
580  if (c->x86_model >= 0x0f) {
581  crypto_unregister_shash(&sha1_alg_nano);
582  crypto_unregister_shash(&sha256_alg_nano);
583  } else {
584  crypto_unregister_shash(&sha1_alg);
585  crypto_unregister_shash(&sha256_alg);
586  }
587 }
588 
589 module_init(padlock_init);
590 module_exit(padlock_fini);
591 
592 MODULE_DESCRIPTION("VIA PadLock SHA1/SHA256 algorithms support.");
593 MODULE_LICENSE("GPL");
594 MODULE_AUTHOR("Michal Ludvig");
595 
596 MODULE_ALIAS("sha1-all");
597 MODULE_ALIAS("sha256-all");
598 MODULE_ALIAS("sha1-padlock");
599 MODULE_ALIAS("sha256-padlock");
Generated on Thu Jan 10 2013 13:29:02 for Linux Kernel by   doxygen 1.8.2