1
/* SPDX-License-Identifier: GPL-2.0-or-later */
2
/*
3
 * SM4-GCM AEAD Algorithm using ARMv8 Crypto Extensions
4
 * as specified in rfc8998
5
 * https://datatracker.ietf.org/doc/html/rfc8998
6
 *
7
 * Copyright (C) 2022 Tianjia Zhang <[email protected]>
8
 */
9

10
#include <linux/module.h>
11
#include <linux/crypto.h>
12
#include <linux/kernel.h>
13
#include <linux/cpufeature.h>
14
#include <asm/neon.h>
15
#include <crypto/b128ops.h>
16
#include <crypto/scatterwalk.h>
17
#include <crypto/internal/aead.h>
18
#include <crypto/internal/skcipher.h>
19
#include <crypto/sm4.h>
20
#include "sm4-ce.h"
21

22
asmlinkage void sm4_ce_pmull_ghash_setup(const u32 *rkey_enc, u8 *ghash_table);
23
asmlinkage void pmull_ghash_update(const u8 *ghash_table, u8 *ghash,
24
				   const u8 *src, unsigned int nblocks);
25
asmlinkage void sm4_ce_pmull_gcm_enc(const u32 *rkey_enc, u8 *dst,
26
				     const u8 *src, u8 *iv,
27
				     unsigned int nbytes, u8 *ghash,
28
				     const u8 *ghash_table, const u8 *lengths);
29
asmlinkage void sm4_ce_pmull_gcm_dec(const u32 *rkey_enc, u8 *dst,
30
				     const u8 *src, u8 *iv,
31
				     unsigned int nbytes, u8 *ghash,
32
				     const u8 *ghash_table, const u8 *lengths);
33

34
#define GHASH_BLOCK_SIZE	16
35
#define GCM_IV_SIZE		12
36

37
struct sm4_gcm_ctx {
38
	struct sm4_ctx key;
39
	u8 ghash_table[16 * 4];
40
};
41

42

43
static int gcm_setkey(struct crypto_aead *tfm, const u8 *key,
44
		      unsigned int key_len)
45
{
46
	struct sm4_gcm_ctx *ctx = crypto_aead_ctx(tfm);
47

48
	if (key_len != SM4_KEY_SIZE)
49
		return -EINVAL;
50

51
	kernel_neon_begin();
52

53
	sm4_ce_expand_key(key, ctx->key.rkey_enc, ctx->key.rkey_dec,
54
			  crypto_sm4_fk, crypto_sm4_ck);
55
	sm4_ce_pmull_ghash_setup(ctx->key.rkey_enc, ctx->ghash_table);
56

57
	kernel_neon_end();
58
	return 0;
59
}
60

61
static int gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
62
{
63
	switch (authsize) {
64
	case 4:
65
	case 8:
66
	case 12 ... 16:
67
		return 0;
68
	default:
69
		return -EINVAL;
70
	}
71
}
72

73
static void gcm_calculate_auth_mac(struct aead_request *req, u8 ghash[])
74
{
75
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
76
	struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead);
77
	u8 __aligned(8) buffer[GHASH_BLOCK_SIZE];
78
	u32 assoclen = req->assoclen;
79
	struct scatter_walk walk;
80
	unsigned int buflen = 0;
81

82
	scatterwalk_start(&walk, req->src);
83

84
	do {
85
		unsigned int n, orig_n;
86
		const u8 *p;
87

88
		orig_n = scatterwalk_next(&walk, assoclen);
89
		p = walk.addr;
90
		n = orig_n;
91

92
		if (n + buflen < GHASH_BLOCK_SIZE) {
93
			memcpy(&buffer[buflen], p, n);
94
			buflen += n;
95
		} else {
96
			unsigned int nblocks;
97

98
			if (buflen) {
99
				unsigned int l = GHASH_BLOCK_SIZE - buflen;
100

101
				memcpy(&buffer[buflen], p, l);
102
				p += l;
103
				n -= l;
104

105
				pmull_ghash_update(ctx->ghash_table, ghash,
106
						   buffer, 1);
107
			}
108

109
			nblocks = n / GHASH_BLOCK_SIZE;
110
			if (nblocks) {
111
				pmull_ghash_update(ctx->ghash_table, ghash,
112
						   p, nblocks);
113
				p += nblocks * GHASH_BLOCK_SIZE;
114
			}
115

116
			buflen = n % GHASH_BLOCK_SIZE;
117
			if (buflen)
118
				memcpy(&buffer[0], p, buflen);
119
		}
120

121
		scatterwalk_done_src(&walk, orig_n);
122
		assoclen -= orig_n;
123
	} while (assoclen);
124

125
	/* padding with '0' */
126
	if (buflen) {
127
		memset(&buffer[buflen], 0, GHASH_BLOCK_SIZE - buflen);
128
		pmull_ghash_update(ctx->ghash_table, ghash, buffer, 1);
129
	}
130
}
131

132
static int gcm_crypt(struct aead_request *req, struct skcipher_walk *walk,
133
		     u8 ghash[], int err,
134
		     void (*sm4_ce_pmull_gcm_crypt)(const u32 *rkey_enc,
135
				u8 *dst, const u8 *src, u8 *iv,
136
				unsigned int nbytes, u8 *ghash,
137
				const u8 *ghash_table, const u8 *lengths))
138
{
139
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
140
	struct sm4_gcm_ctx *ctx = crypto_aead_ctx(aead);
141
	u8 __aligned(8) iv[SM4_BLOCK_SIZE];
142
	be128 __aligned(8) lengths;
143

144
	memset(ghash, 0, SM4_BLOCK_SIZE);
145

146
	lengths.a = cpu_to_be64(req->assoclen * 8);
147
	lengths.b = cpu_to_be64(walk->total * 8);
148

149
	memcpy(iv, req->iv, GCM_IV_SIZE);
150
	put_unaligned_be32(2, iv + GCM_IV_SIZE);
151

152
	kernel_neon_begin();
153

154
	if (req->assoclen)
155
		gcm_calculate_auth_mac(req, ghash);
156

157
	while (walk->nbytes) {
158
		unsigned int tail = walk->nbytes % SM4_BLOCK_SIZE;
159
		const u8 *src = walk->src.virt.addr;
160
		u8 *dst = walk->dst.virt.addr;
161

162
		if (walk->nbytes == walk->total) {
163
			sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, dst, src, iv,
164
					       walk->nbytes, ghash,
165
					       ctx->ghash_table,
166
					       (const u8 *)&lengths);
167

168
			kernel_neon_end();
169

170
			return skcipher_walk_done(walk, 0);
171
		}
172

173
		sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, dst, src, iv,
174
				       walk->nbytes - tail, ghash,
175
				       ctx->ghash_table, NULL);
176

177
		kernel_neon_end();
178

179
		err = skcipher_walk_done(walk, tail);
180

181
		kernel_neon_begin();
182
	}
183

184
	sm4_ce_pmull_gcm_crypt(ctx->key.rkey_enc, NULL, NULL, iv,
185
			       walk->nbytes, ghash, ctx->ghash_table,
186
			       (const u8 *)&lengths);
187

188
	kernel_neon_end();
189

190
	return err;
191
}
192

193
static int gcm_encrypt(struct aead_request *req)
194
{
195
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
196
	u8 __aligned(8) ghash[SM4_BLOCK_SIZE];
197
	struct skcipher_walk walk;
198
	int err;
199

200
	err = skcipher_walk_aead_encrypt(&walk, req, false);
201
	err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_enc);
202
	if (err)
203
		return err;
204

205
	/* copy authtag to end of dst */
206
	scatterwalk_map_and_copy(ghash, req->dst, req->assoclen + req->cryptlen,
207
				 crypto_aead_authsize(aead), 1);
208

209
	return 0;
210
}
211

212
static int gcm_decrypt(struct aead_request *req)
213
{
214
	struct crypto_aead *aead = crypto_aead_reqtfm(req);
215
	unsigned int authsize = crypto_aead_authsize(aead);
216
	u8 __aligned(8) ghash[SM4_BLOCK_SIZE];
217
	u8 authtag[SM4_BLOCK_SIZE];
218
	struct skcipher_walk walk;
219
	int err;
220

221
	err = skcipher_walk_aead_decrypt(&walk, req, false);
222
	err = gcm_crypt(req, &walk, ghash, err, sm4_ce_pmull_gcm_dec);
223
	if (err)
224
		return err;
225

226
	/* compare calculated auth tag with the stored one */
227
	scatterwalk_map_and_copy(authtag, req->src,
228
				 req->assoclen + req->cryptlen - authsize,
229
				 authsize, 0);
230

231
	if (crypto_memneq(authtag, ghash, authsize))
232
		return -EBADMSG;
233

234
	return 0;
235
}
236

237
static struct aead_alg sm4_gcm_alg = {
238
	.base = {
239
		.cra_name		= "gcm(sm4)",
240
		.cra_driver_name	= "gcm-sm4-ce",
241
		.cra_priority		= 400,
242
		.cra_blocksize		= 1,
243
		.cra_ctxsize		= sizeof(struct sm4_gcm_ctx),
244
		.cra_module		= THIS_MODULE,
245
	},
246
	.ivsize		= GCM_IV_SIZE,
247
	.chunksize	= SM4_BLOCK_SIZE,
248
	.maxauthsize	= SM4_BLOCK_SIZE,
249
	.setkey		= gcm_setkey,
250
	.setauthsize	= gcm_setauthsize,
251
	.encrypt	= gcm_encrypt,
252
	.decrypt	= gcm_decrypt,
253
};
254

255
static int __init sm4_ce_gcm_init(void)
256
{
257
	if (!cpu_have_named_feature(PMULL))
258
		return -ENODEV;
259

260
	return crypto_register_aead(&sm4_gcm_alg);
261
}
262

263
static void __exit sm4_ce_gcm_exit(void)
264
{
265
	crypto_unregister_aead(&sm4_gcm_alg);
266
}
267

268
static const struct cpu_feature __maybe_unused sm4_ce_gcm_cpu_feature[] = {
269
	{ cpu_feature(PMULL) },
270
	{}
271
};
272
MODULE_DEVICE_TABLE(cpu, sm4_ce_gcm_cpu_feature);
273

274
module_cpu_feature_match(SM4, sm4_ce_gcm_init);
275
module_exit(sm4_ce_gcm_exit);
276

277
MODULE_DESCRIPTION("Synchronous SM4 in GCM mode using ARMv8 Crypto Extensions");
278
MODULE_ALIAS_CRYPTO("gcm(sm4)");
279
MODULE_AUTHOR("Tianjia Zhang <[email protected]>");
280
MODULE_LICENSE("GPL v2");
281

282