1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * Cryptographic API.
4
 *
5
 * s390 implementation of the AES Cipher Algorithm with protected keys.
6
 *
7
 * s390 Version:
8
 *   Copyright IBM Corp. 2017, 2025
9
 *   Author(s): Martin Schwidefsky <[email protected]>
10
 *		Harald Freudenberger <[email protected]>
11
 */
12

13
#define KMSG_COMPONENT "paes_s390"
14
#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
15

16
#include <linux/atomic.h>
17
#include <linux/cpufeature.h>
18
#include <linux/delay.h>
19
#include <linux/err.h>
20
#include <linux/init.h>
21
#include <linux/miscdevice.h>
22
#include <linux/module.h>
23
#include <linux/mutex.h>
24
#include <linux/spinlock.h>
25
#include <crypto/aes.h>
26
#include <crypto/algapi.h>
27
#include <crypto/engine.h>
28
#include <crypto/internal/skcipher.h>
29
#include <crypto/xts.h>
30
#include <asm/cpacf.h>
31
#include <asm/pkey.h>
32

33
/*
34
 * Key blobs smaller/bigger than these defines are rejected
35
 * by the common code even before the individual setkey function
36
 * is called. As paes can handle different kinds of key blobs
37
 * and padding is also possible, the limits need to be generous.
38
 */
39
#define PAES_MIN_KEYSIZE	16
40
#define PAES_MAX_KEYSIZE	MAXEP11AESKEYBLOBSIZE
41
#define PAES_256_PROTKEY_SIZE	(32 + 32)	/* key + verification pattern */
42
#define PXTS_256_PROTKEY_SIZE	(32 + 32 + 32)	/* k1 + k2 + verification pattern */
43

44
static u8 *ctrblk;
45
static DEFINE_MUTEX(ctrblk_lock);
46

47
static cpacf_mask_t km_functions, kmc_functions, kmctr_functions;
48

49
static struct crypto_engine *paes_crypto_engine;
50
#define MAX_QLEN 10
51

52
/*
53
 * protected key specific stuff
54
 */
55

56
struct paes_protkey {
57
	u32 type;
58
	u32 len;
59
	u8 protkey[PXTS_256_PROTKEY_SIZE];
60
};
61

62
#define PK_STATE_NO_KEY		     0
63
#define PK_STATE_CONVERT_IN_PROGRESS 1
64
#define PK_STATE_VALID		     2
65

66
struct s390_paes_ctx {
67
	/* source key material used to derive a protected key from */
68
	u8 keybuf[PAES_MAX_KEYSIZE];
69
	unsigned int keylen;
70

71
	/* cpacf function code to use with this protected key type */
72
	long fc;
73

74
	/* nr of requests enqueued via crypto engine which use this tfm ctx */
75
	atomic_t via_engine_ctr;
76

77
	/* spinlock to atomic read/update all the following fields */
78
	spinlock_t pk_lock;
79

80
	/* see PK_STATE* defines above, < 0 holds convert failure rc  */
81
	int pk_state;
82
	/* if state is valid, pk holds the protected key */
83
	struct paes_protkey pk;
84
};
85

86
struct s390_pxts_ctx {
87
	/* source key material used to derive a protected key from */
88
	u8 keybuf[2 * PAES_MAX_KEYSIZE];
89
	unsigned int keylen;
90

91
	/* cpacf function code to use with this protected key type */
92
	long fc;
93

94
	/* nr of requests enqueued via crypto engine which use this tfm ctx */
95
	atomic_t via_engine_ctr;
96

97
	/* spinlock to atomic read/update all the following fields */
98
	spinlock_t pk_lock;
99

100
	/* see PK_STATE* defines above, < 0 holds convert failure rc  */
101
	int pk_state;
102
	/* if state is valid, pk[] hold(s) the protected key(s) */
103
	struct paes_protkey pk[2];
104
};
105

106
/*
107
 * make_clrkey_token() - wrap the raw key ck with pkey clearkey token
108
 * information.
109
 * @returns the size of the clearkey token
110
 */
111
static inline u32 make_clrkey_token(const u8 *ck, size_t cklen, u8 *dest)
112
{
113
	struct clrkey_token {
114
		u8  type;
115
		u8  res0[3];
116
		u8  version;
117
		u8  res1[3];
118
		u32 keytype;
119
		u32 len;
120
		u8 key[];
121
	} __packed *token = (struct clrkey_token *)dest;
122

123
	token->type = 0x00;
124
	token->version = 0x02;
125
	token->keytype = (cklen - 8) >> 3;
126
	token->len = cklen;
127
	memcpy(token->key, ck, cklen);
128

129
	return sizeof(*token) + cklen;
130
}
131

132
/*
133
 * paes_ctx_setkey() - Set key value into context, maybe construct
134
 * a clear key token digestible by pkey from a clear key value.
135
 */
136
static inline int paes_ctx_setkey(struct s390_paes_ctx *ctx,
137
				  const u8 *key, unsigned int keylen)
138
{
139
	if (keylen > sizeof(ctx->keybuf))
140
		return -EINVAL;
141

142
	switch (keylen) {
143
	case 16:
144
	case 24:
145
	case 32:
146
		/* clear key value, prepare pkey clear key token in keybuf */
147
		memset(ctx->keybuf, 0, sizeof(ctx->keybuf));
148
		ctx->keylen = make_clrkey_token(key, keylen, ctx->keybuf);
149
		break;
150
	default:
151
		/* other key material, let pkey handle this */
152
		memcpy(ctx->keybuf, key, keylen);
153
		ctx->keylen = keylen;
154
		break;
155
	}
156

157
	return 0;
158
}
159

160
/*
161
 * pxts_ctx_setkey() - Set key value into context, maybe construct
162
 * a clear key token digestible by pkey from a clear key value.
163
 */
164
static inline int pxts_ctx_setkey(struct s390_pxts_ctx *ctx,
165
				  const u8 *key, unsigned int keylen)
166
{
167
	size_t cklen = keylen / 2;
168

169
	if (keylen > sizeof(ctx->keybuf))
170
		return -EINVAL;
171

172
	switch (keylen) {
173
	case 32:
174
	case 64:
175
		/* clear key value, prepare pkey clear key tokens in keybuf */
176
		memset(ctx->keybuf, 0, sizeof(ctx->keybuf));
177
		ctx->keylen = make_clrkey_token(key, cklen, ctx->keybuf);
178
		ctx->keylen += make_clrkey_token(key + cklen, cklen,
179
						 ctx->keybuf + ctx->keylen);
180
		break;
181
	default:
182
		/* other key material, let pkey handle this */
183
		memcpy(ctx->keybuf, key, keylen);
184
		ctx->keylen = keylen;
185
		break;
186
	}
187

188
	return 0;
189
}
190

191
/*
192
 * Convert the raw key material into a protected key via PKEY api.
193
 * This function may sleep - don't call in non-sleeping context.
194
 */
195
static inline int convert_key(const u8 *key, unsigned int keylen,
196
			      struct paes_protkey *pk)
197
{
198
	int rc, i;
199

200
	pk->len = sizeof(pk->protkey);
201

202
	/*
203
	 * In case of a busy card retry with increasing delay
204
	 * of 200, 400, 800 and 1600 ms - in total 3 s.
205
	 */
206
	for (rc = -EIO, i = 0; rc && i < 5; i++) {
207
		if (rc == -EBUSY && msleep_interruptible((1 << i) * 100)) {
208
			rc = -EINTR;
209
			goto out;
210
		}
211
		rc = pkey_key2protkey(key, keylen,
212
				      pk->protkey, &pk->len, &pk->type,
213
				      PKEY_XFLAG_NOMEMALLOC);
214
	}
215

216
out:
217
	pr_debug("rc=%d\n", rc);
218
	return rc;
219
}
220

221
/*
222
 * (Re-)Convert the raw key material from the ctx into a protected key
223
 * via convert_key() function. Update the pk_state, pk_type, pk_len
224
 * and the protected key in the tfm context.
225
 * Please note this function may be invoked concurrently with the very
226
 * same tfm context. The pk_lock spinlock in the context ensures an
227
 * atomic update of the pk and the pk state but does not guarantee any
228
 * order of update. So a fresh converted valid protected key may get
229
 * updated with an 'old' expired key value. As the cpacf instructions
230
 * detect this, refuse to operate with an invalid key and the calling
231
 * code triggers a (re-)conversion this does no harm. This may lead to
232
 * unnecessary additional conversion but never to invalid data on en-
233
 * or decrypt operations.
234
 */
235
static int paes_convert_key(struct s390_paes_ctx *ctx)
236
{
237
	struct paes_protkey pk;
238
	int rc;
239

240
	spin_lock_bh(&ctx->pk_lock);
241
	ctx->pk_state = PK_STATE_CONVERT_IN_PROGRESS;
242
	spin_unlock_bh(&ctx->pk_lock);
243

244
	rc = convert_key(ctx->keybuf, ctx->keylen, &pk);
245

246
	/* update context */
247
	spin_lock_bh(&ctx->pk_lock);
248
	if (rc) {
249
		ctx->pk_state = rc;
250
	} else {
251
		ctx->pk_state = PK_STATE_VALID;
252
		ctx->pk = pk;
253
	}
254
	spin_unlock_bh(&ctx->pk_lock);
255

256
	memzero_explicit(&pk, sizeof(pk));
257
	pr_debug("rc=%d\n", rc);
258
	return rc;
259
}
260

261
/*
262
 * (Re-)Convert the raw xts key material from the ctx into a
263
 * protected key via convert_key() function. Update the pk_state,
264
 * pk_type, pk_len and the protected key in the tfm context.
265
 * See also comments on function paes_convert_key.
266
 */
267
static int pxts_convert_key(struct s390_pxts_ctx *ctx)
268
{
269
	struct paes_protkey pk0, pk1;
270
	size_t split_keylen;
271
	int rc;
272

273
	spin_lock_bh(&ctx->pk_lock);
274
	ctx->pk_state = PK_STATE_CONVERT_IN_PROGRESS;
275
	spin_unlock_bh(&ctx->pk_lock);
276

277
	rc = convert_key(ctx->keybuf, ctx->keylen, &pk0);
278
	if (rc)
279
		goto out;
280

281
	switch (pk0.type) {
282
	case PKEY_KEYTYPE_AES_128:
283
	case PKEY_KEYTYPE_AES_256:
284
		/* second keytoken required */
285
		if (ctx->keylen % 2) {
286
			rc = -EINVAL;
287
			goto out;
288
		}
289
		split_keylen = ctx->keylen / 2;
290
		rc = convert_key(ctx->keybuf + split_keylen,
291
				 split_keylen, &pk1);
292
		if (rc)
293
			goto out;
294
		if (pk0.type != pk1.type) {
295
			rc = -EINVAL;
296
			goto out;
297
		}
298
		break;
299
	case PKEY_KEYTYPE_AES_XTS_128:
300
	case PKEY_KEYTYPE_AES_XTS_256:
301
		/* single key */
302
		pk1.type = 0;
303
		break;
304
	default:
305
		/* unsupported protected keytype */
306
		rc = -EINVAL;
307
		goto out;
308
	}
309

310
out:
311
	/* update context */
312
	spin_lock_bh(&ctx->pk_lock);
313
	if (rc) {
314
		ctx->pk_state = rc;
315
	} else {
316
		ctx->pk_state = PK_STATE_VALID;
317
		ctx->pk[0] = pk0;
318
		ctx->pk[1] = pk1;
319
	}
320
	spin_unlock_bh(&ctx->pk_lock);
321

322
	memzero_explicit(&pk0, sizeof(pk0));
323
	memzero_explicit(&pk1, sizeof(pk1));
324
	pr_debug("rc=%d\n", rc);
325
	return rc;
326
}
327

328
/*
329
 * PAES ECB implementation
330
 */
331

332
struct ecb_param {
333
	u8 key[PAES_256_PROTKEY_SIZE];
334
} __packed;
335

336
struct s390_pecb_req_ctx {
337
	unsigned long modifier;
338
	struct skcipher_walk walk;
339
	bool param_init_done;
340
	struct ecb_param param;
341
};
342

343
static int ecb_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
344
			   unsigned int key_len)
345
{
346
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
347
	long fc;
348
	int rc;
349

350
	/* set raw key into context */
351
	rc = paes_ctx_setkey(ctx, in_key, key_len);
352
	if (rc)
353
		goto out;
354

355
	/* convert key into protected key */
356
	rc = paes_convert_key(ctx);
357
	if (rc)
358
		goto out;
359

360
	/* Pick the correct function code based on the protected key type */
361
	switch (ctx->pk.type) {
362
	case PKEY_KEYTYPE_AES_128:
363
		fc = CPACF_KM_PAES_128;
364
		break;
365
	case PKEY_KEYTYPE_AES_192:
366
		fc = CPACF_KM_PAES_192;
367
		break;
368
	case PKEY_KEYTYPE_AES_256:
369
		fc = CPACF_KM_PAES_256;
370
		break;
371
	default:
372
		fc = 0;
373
		break;
374
	}
375
	ctx->fc = (fc && cpacf_test_func(&km_functions, fc)) ? fc : 0;
376

377
	rc = fc ? 0 : -EINVAL;
378

379
out:
380
	pr_debug("rc=%d\n", rc);
381
	return rc;
382
}
383

384
static int ecb_paes_do_crypt(struct s390_paes_ctx *ctx,
385
			     struct s390_pecb_req_ctx *req_ctx,
386
			     bool maysleep)
387
{
388
	struct ecb_param *param = &req_ctx->param;
389
	struct skcipher_walk *walk = &req_ctx->walk;
390
	unsigned int nbytes, n, k;
391
	int pk_state, rc = 0;
392

393
	if (!req_ctx->param_init_done) {
394
		/* fetch and check protected key state */
395
		spin_lock_bh(&ctx->pk_lock);
396
		pk_state = ctx->pk_state;
397
		switch (pk_state) {
398
		case PK_STATE_NO_KEY:
399
			rc = -ENOKEY;
400
			break;
401
		case PK_STATE_CONVERT_IN_PROGRESS:
402
			rc = -EKEYEXPIRED;
403
			break;
404
		case PK_STATE_VALID:
405
			memcpy(param->key, ctx->pk.protkey, sizeof(param->key));
406
			req_ctx->param_init_done = true;
407
			break;
408
		default:
409
			rc = pk_state < 0 ? pk_state : -EIO;
410
			break;
411
		}
412
		spin_unlock_bh(&ctx->pk_lock);
413
	}
414
	if (rc)
415
		goto out;
416

417
	/*
418
	 * Note that in case of partial processing or failure the walk
419
	 * is NOT unmapped here. So a follow up task may reuse the walk
420
	 * or in case of unrecoverable failure needs to unmap it.
421
	 */
422
	while ((nbytes = walk->nbytes) != 0) {
423
		/* only use complete blocks */
424
		n = nbytes & ~(AES_BLOCK_SIZE - 1);
425
		k = cpacf_km(ctx->fc | req_ctx->modifier, param,
426
			     walk->dst.virt.addr, walk->src.virt.addr, n);
427
		if (k)
428
			rc = skcipher_walk_done(walk, nbytes - k);
429
		if (k < n) {
430
			if (!maysleep) {
431
				rc = -EKEYEXPIRED;
432
				goto out;
433
			}
434
			rc = paes_convert_key(ctx);
435
			if (rc)
436
				goto out;
437
			spin_lock_bh(&ctx->pk_lock);
438
			memcpy(param->key, ctx->pk.protkey, sizeof(param->key));
439
			spin_unlock_bh(&ctx->pk_lock);
440
		}
441
	}
442

443
out:
444
	pr_debug("rc=%d\n", rc);
445
	return rc;
446
}
447

448
static int ecb_paes_crypt(struct skcipher_request *req, unsigned long modifier)
449
{
450
	struct s390_pecb_req_ctx *req_ctx = skcipher_request_ctx(req);
451
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
452
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
453
	struct skcipher_walk *walk = &req_ctx->walk;
454
	int rc;
455

456
	/*
457
	 * Attempt synchronous encryption first. If it fails, schedule the request
458
	 * asynchronously via the crypto engine. To preserve execution order,
459
	 * once a request is queued to the engine, further requests using the same
460
	 * tfm will also be routed through the engine.
461
	 */
462

463
	rc = skcipher_walk_virt(walk, req, false);
464
	if (rc)
465
		goto out;
466

467
	req_ctx->modifier = modifier;
468
	req_ctx->param_init_done = false;
469

470
	/* Try synchronous operation if no active engine usage */
471
	if (!atomic_read(&ctx->via_engine_ctr)) {
472
		rc = ecb_paes_do_crypt(ctx, req_ctx, false);
473
		if (rc == 0)
474
			goto out;
475
	}
476

477
	/*
478
	 * If sync operation failed or key expired or there are already
479
	 * requests enqueued via engine, fallback to async. Mark tfm as
480
	 * using engine to serialize requests.
481
	 */
482
	if (rc == 0 || rc == -EKEYEXPIRED) {
483
		atomic_inc(&ctx->via_engine_ctr);
484
		rc = crypto_transfer_skcipher_request_to_engine(paes_crypto_engine, req);
485
		if (rc != -EINPROGRESS)
486
			atomic_dec(&ctx->via_engine_ctr);
487
	}
488

489
	if (rc != -EINPROGRESS)
490
		skcipher_walk_done(walk, rc);
491

492
out:
493
	if (rc != -EINPROGRESS)
494
		memzero_explicit(&req_ctx->param, sizeof(req_ctx->param));
495
	pr_debug("rc=%d\n", rc);
496
	return rc;
497
}
498

499
static int ecb_paes_encrypt(struct skcipher_request *req)
500
{
501
	return ecb_paes_crypt(req, 0);
502
}
503

504
static int ecb_paes_decrypt(struct skcipher_request *req)
505
{
506
	return ecb_paes_crypt(req, CPACF_DECRYPT);
507
}
508

509
static int ecb_paes_init(struct crypto_skcipher *tfm)
510
{
511
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
512

513
	memset(ctx, 0, sizeof(*ctx));
514
	spin_lock_init(&ctx->pk_lock);
515

516
	crypto_skcipher_set_reqsize(tfm, sizeof(struct s390_pecb_req_ctx));
517

518
	return 0;
519
}
520

521
static void ecb_paes_exit(struct crypto_skcipher *tfm)
522
{
523
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
524

525
	memzero_explicit(ctx, sizeof(*ctx));
526
}
527

528
static int ecb_paes_do_one_request(struct crypto_engine *engine, void *areq)
529
{
530
	struct skcipher_request *req = skcipher_request_cast(areq);
531
	struct s390_pecb_req_ctx *req_ctx = skcipher_request_ctx(req);
532
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
533
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
534
	struct skcipher_walk *walk = &req_ctx->walk;
535
	int rc;
536

537
	/* walk has already been prepared */
538

539
	rc = ecb_paes_do_crypt(ctx, req_ctx, true);
540
	if (rc == -EKEYEXPIRED) {
541
		/*
542
		 * Protected key expired, conversion is in process.
543
		 * Trigger a re-schedule of this request by returning
544
		 * -ENOSPC ("hardware queue is full") to the crypto engine.
545
		 * To avoid immediately re-invocation of this callback,
546
		 * tell the scheduler to voluntarily give up the CPU here.
547
		 */
548
		cond_resched();
549
		pr_debug("rescheduling request\n");
550
		return -ENOSPC;
551
	} else if (rc) {
552
		skcipher_walk_done(walk, rc);
553
	}
554

555
	memzero_explicit(&req_ctx->param, sizeof(req_ctx->param));
556
	pr_debug("request complete with rc=%d\n", rc);
557
	local_bh_disable();
558
	atomic_dec(&ctx->via_engine_ctr);
559
	crypto_finalize_skcipher_request(engine, req, rc);
560
	local_bh_enable();
561
	return rc;
562
}
563

564
static struct skcipher_engine_alg ecb_paes_alg = {
565
	.base = {
566
		.base.cra_name	      = "ecb(paes)",
567
		.base.cra_driver_name = "ecb-paes-s390",
568
		.base.cra_priority    = 401,	/* combo: aes + ecb + 1 */
569
		.base.cra_blocksize   = AES_BLOCK_SIZE,
570
		.base.cra_ctxsize     = sizeof(struct s390_paes_ctx),
571
		.base.cra_module      = THIS_MODULE,
572
		.base.cra_list	      = LIST_HEAD_INIT(ecb_paes_alg.base.base.cra_list),
573
		.init		      = ecb_paes_init,
574
		.exit		      = ecb_paes_exit,
575
		.min_keysize	      = PAES_MIN_KEYSIZE,
576
		.max_keysize	      = PAES_MAX_KEYSIZE,
577
		.setkey		      = ecb_paes_setkey,
578
		.encrypt	      = ecb_paes_encrypt,
579
		.decrypt	      = ecb_paes_decrypt,
580
	},
581
	.op = {
582
		.do_one_request	      = ecb_paes_do_one_request,
583
	},
584
};
585

586
/*
587
 * PAES CBC implementation
588
 */
589

590
struct cbc_param {
591
	u8 iv[AES_BLOCK_SIZE];
592
	u8 key[PAES_256_PROTKEY_SIZE];
593
} __packed;
594

595
struct s390_pcbc_req_ctx {
596
	unsigned long modifier;
597
	struct skcipher_walk walk;
598
	bool param_init_done;
599
	struct cbc_param param;
600
};
601

602
static int cbc_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
603
			   unsigned int key_len)
604
{
605
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
606
	long fc;
607
	int rc;
608

609
	/* set raw key into context */
610
	rc = paes_ctx_setkey(ctx, in_key, key_len);
611
	if (rc)
612
		goto out;
613

614
	/* convert raw key into protected key */
615
	rc = paes_convert_key(ctx);
616
	if (rc)
617
		goto out;
618

619
	/* Pick the correct function code based on the protected key type */
620
	switch (ctx->pk.type) {
621
	case PKEY_KEYTYPE_AES_128:
622
		fc = CPACF_KMC_PAES_128;
623
		break;
624
	case PKEY_KEYTYPE_AES_192:
625
		fc = CPACF_KMC_PAES_192;
626
		break;
627
	case PKEY_KEYTYPE_AES_256:
628
		fc = CPACF_KMC_PAES_256;
629
		break;
630
	default:
631
		fc = 0;
632
		break;
633
	}
634
	ctx->fc = (fc && cpacf_test_func(&kmc_functions, fc)) ? fc : 0;
635

636
	rc = fc ? 0 : -EINVAL;
637

638
out:
639
	pr_debug("rc=%d\n", rc);
640
	return rc;
641
}
642

643
static int cbc_paes_do_crypt(struct s390_paes_ctx *ctx,
644
			     struct s390_pcbc_req_ctx *req_ctx,
645
			     bool maysleep)
646
{
647
	struct cbc_param *param = &req_ctx->param;
648
	struct skcipher_walk *walk = &req_ctx->walk;
649
	unsigned int nbytes, n, k;
650
	int pk_state, rc = 0;
651

652
	if (!req_ctx->param_init_done) {
653
		/* fetch and check protected key state */
654
		spin_lock_bh(&ctx->pk_lock);
655
		pk_state = ctx->pk_state;
656
		switch (pk_state) {
657
		case PK_STATE_NO_KEY:
658
			rc = -ENOKEY;
659
			break;
660
		case PK_STATE_CONVERT_IN_PROGRESS:
661
			rc = -EKEYEXPIRED;
662
			break;
663
		case PK_STATE_VALID:
664
			memcpy(param->key, ctx->pk.protkey, sizeof(param->key));
665
			req_ctx->param_init_done = true;
666
			break;
667
		default:
668
			rc = pk_state < 0 ? pk_state : -EIO;
669
			break;
670
		}
671
		spin_unlock_bh(&ctx->pk_lock);
672
	}
673
	if (rc)
674
		goto out;
675

676
	memcpy(param->iv, walk->iv, AES_BLOCK_SIZE);
677

678
	/*
679
	 * Note that in case of partial processing or failure the walk
680
	 * is NOT unmapped here. So a follow up task may reuse the walk
681
	 * or in case of unrecoverable failure needs to unmap it.
682
	 */
683
	while ((nbytes = walk->nbytes) != 0) {
684
		/* only use complete blocks */
685
		n = nbytes & ~(AES_BLOCK_SIZE - 1);
686
		k = cpacf_kmc(ctx->fc | req_ctx->modifier, param,
687
			      walk->dst.virt.addr, walk->src.virt.addr, n);
688
		if (k) {
689
			memcpy(walk->iv, param->iv, AES_BLOCK_SIZE);
690
			rc = skcipher_walk_done(walk, nbytes - k);
691
		}
692
		if (k < n) {
693
			if (!maysleep) {
694
				rc = -EKEYEXPIRED;
695
				goto out;
696
			}
697
			rc = paes_convert_key(ctx);
698
			if (rc)
699
				goto out;
700
			spin_lock_bh(&ctx->pk_lock);
701
			memcpy(param->key, ctx->pk.protkey, sizeof(param->key));
702
			spin_unlock_bh(&ctx->pk_lock);
703
		}
704
	}
705

706
out:
707
	pr_debug("rc=%d\n", rc);
708
	return rc;
709
}
710

711
static int cbc_paes_crypt(struct skcipher_request *req, unsigned long modifier)
712
{
713
	struct s390_pcbc_req_ctx *req_ctx = skcipher_request_ctx(req);
714
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
715
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
716
	struct skcipher_walk *walk = &req_ctx->walk;
717
	int rc;
718

719
	/*
720
	 * Attempt synchronous encryption first. If it fails, schedule the request
721
	 * asynchronously via the crypto engine. To preserve execution order,
722
	 * once a request is queued to the engine, further requests using the same
723
	 * tfm will also be routed through the engine.
724
	 */
725

726
	rc = skcipher_walk_virt(walk, req, false);
727
	if (rc)
728
		goto out;
729

730
	req_ctx->modifier = modifier;
731
	req_ctx->param_init_done = false;
732

733
	/* Try synchronous operation if no active engine usage */
734
	if (!atomic_read(&ctx->via_engine_ctr)) {
735
		rc = cbc_paes_do_crypt(ctx, req_ctx, false);
736
		if (rc == 0)
737
			goto out;
738
	}
739

740
	/*
741
	 * If sync operation failed or key expired or there are already
742
	 * requests enqueued via engine, fallback to async. Mark tfm as
743
	 * using engine to serialize requests.
744
	 */
745
	if (rc == 0 || rc == -EKEYEXPIRED) {
746
		atomic_inc(&ctx->via_engine_ctr);
747
		rc = crypto_transfer_skcipher_request_to_engine(paes_crypto_engine, req);
748
		if (rc != -EINPROGRESS)
749
			atomic_dec(&ctx->via_engine_ctr);
750
	}
751

752
	if (rc != -EINPROGRESS)
753
		skcipher_walk_done(walk, rc);
754

755
out:
756
	if (rc != -EINPROGRESS)
757
		memzero_explicit(&req_ctx->param, sizeof(req_ctx->param));
758
	pr_debug("rc=%d\n", rc);
759
	return rc;
760
}
761

762
static int cbc_paes_encrypt(struct skcipher_request *req)
763
{
764
	return cbc_paes_crypt(req, 0);
765
}
766

767
static int cbc_paes_decrypt(struct skcipher_request *req)
768
{
769
	return cbc_paes_crypt(req, CPACF_DECRYPT);
770
}
771

772
static int cbc_paes_init(struct crypto_skcipher *tfm)
773
{
774
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
775

776
	memset(ctx, 0, sizeof(*ctx));
777
	spin_lock_init(&ctx->pk_lock);
778

779
	crypto_skcipher_set_reqsize(tfm, sizeof(struct s390_pcbc_req_ctx));
780

781
	return 0;
782
}
783

784
static void cbc_paes_exit(struct crypto_skcipher *tfm)
785
{
786
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
787

788
	memzero_explicit(ctx, sizeof(*ctx));
789
}
790

791
static int cbc_paes_do_one_request(struct crypto_engine *engine, void *areq)
792
{
793
	struct skcipher_request *req = skcipher_request_cast(areq);
794
	struct s390_pcbc_req_ctx *req_ctx = skcipher_request_ctx(req);
795
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
796
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
797
	struct skcipher_walk *walk = &req_ctx->walk;
798
	int rc;
799

800
	/* walk has already been prepared */
801

802
	rc = cbc_paes_do_crypt(ctx, req_ctx, true);
803
	if (rc == -EKEYEXPIRED) {
804
		/*
805
		 * Protected key expired, conversion is in process.
806
		 * Trigger a re-schedule of this request by returning
807
		 * -ENOSPC ("hardware queue is full") to the crypto engine.
808
		 * To avoid immediately re-invocation of this callback,
809
		 * tell the scheduler to voluntarily give up the CPU here.
810
		 */
811
		cond_resched();
812
		pr_debug("rescheduling request\n");
813
		return -ENOSPC;
814
	} else if (rc) {
815
		skcipher_walk_done(walk, rc);
816
	}
817

818
	memzero_explicit(&req_ctx->param, sizeof(req_ctx->param));
819
	pr_debug("request complete with rc=%d\n", rc);
820
	local_bh_disable();
821
	atomic_dec(&ctx->via_engine_ctr);
822
	crypto_finalize_skcipher_request(engine, req, rc);
823
	local_bh_enable();
824
	return rc;
825
}
826

827
static struct skcipher_engine_alg cbc_paes_alg = {
828
	.base = {
829
		.base.cra_name	      = "cbc(paes)",
830
		.base.cra_driver_name = "cbc-paes-s390",
831
		.base.cra_priority    = 402,	/* cbc-paes-s390 + 1 */
832
		.base.cra_blocksize   = AES_BLOCK_SIZE,
833
		.base.cra_ctxsize     = sizeof(struct s390_paes_ctx),
834
		.base.cra_module      = THIS_MODULE,
835
		.base.cra_list	      = LIST_HEAD_INIT(cbc_paes_alg.base.base.cra_list),
836
		.init		      = cbc_paes_init,
837
		.exit		      = cbc_paes_exit,
838
		.min_keysize	      = PAES_MIN_KEYSIZE,
839
		.max_keysize	      = PAES_MAX_KEYSIZE,
840
		.ivsize		      = AES_BLOCK_SIZE,
841
		.setkey		      = cbc_paes_setkey,
842
		.encrypt	      = cbc_paes_encrypt,
843
		.decrypt	      = cbc_paes_decrypt,
844
	},
845
	.op = {
846
		.do_one_request	      = cbc_paes_do_one_request,
847
	},
848
};
849

850
/*
851
 * PAES CTR implementation
852
 */
853

854
struct ctr_param {
855
	u8 key[PAES_256_PROTKEY_SIZE];
856
} __packed;
857

858
struct s390_pctr_req_ctx {
859
	unsigned long modifier;
860
	struct skcipher_walk walk;
861
	bool param_init_done;
862
	struct ctr_param param;
863
};
864

865
static int ctr_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
866
			   unsigned int key_len)
867
{
868
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
869
	long fc;
870
	int rc;
871

872
	/* set raw key into context */
873
	rc = paes_ctx_setkey(ctx, in_key, key_len);
874
	if (rc)
875
		goto out;
876

877
	/* convert raw key into protected key */
878
	rc = paes_convert_key(ctx);
879
	if (rc)
880
		goto out;
881

882
	/* Pick the correct function code based on the protected key type */
883
	switch (ctx->pk.type) {
884
	case PKEY_KEYTYPE_AES_128:
885
		fc = CPACF_KMCTR_PAES_128;
886
		break;
887
	case PKEY_KEYTYPE_AES_192:
888
		fc = CPACF_KMCTR_PAES_192;
889
		break;
890
	case PKEY_KEYTYPE_AES_256:
891
		fc = CPACF_KMCTR_PAES_256;
892
		break;
893
	default:
894
		fc = 0;
895
		break;
896
	}
897
	ctx->fc = (fc && cpacf_test_func(&kmctr_functions, fc)) ? fc : 0;
898

899
	rc = fc ? 0 : -EINVAL;
900

901
out:
902
	pr_debug("rc=%d\n", rc);
903
	return rc;
904
}
905

906
static inline unsigned int __ctrblk_init(u8 *ctrptr, u8 *iv, unsigned int nbytes)
907
{
908
	unsigned int i, n;
909

910
	/* only use complete blocks, max. PAGE_SIZE */
911
	memcpy(ctrptr, iv, AES_BLOCK_SIZE);
912
	n = (nbytes > PAGE_SIZE) ? PAGE_SIZE : nbytes & ~(AES_BLOCK_SIZE - 1);
913
	for (i = (n / AES_BLOCK_SIZE) - 1; i > 0; i--) {
914
		memcpy(ctrptr + AES_BLOCK_SIZE, ctrptr, AES_BLOCK_SIZE);
915
		crypto_inc(ctrptr + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
916
		ctrptr += AES_BLOCK_SIZE;
917
	}
918
	return n;
919
}
920

921
static int ctr_paes_do_crypt(struct s390_paes_ctx *ctx,
922
			     struct s390_pctr_req_ctx *req_ctx,
923
			     bool maysleep)
924
{
925
	struct ctr_param *param = &req_ctx->param;
926
	struct skcipher_walk *walk = &req_ctx->walk;
927
	u8 buf[AES_BLOCK_SIZE], *ctrptr;
928
	unsigned int nbytes, n, k;
929
	int pk_state, locked, rc = 0;
930

931
	if (!req_ctx->param_init_done) {
932
		/* fetch and check protected key state */
933
		spin_lock_bh(&ctx->pk_lock);
934
		pk_state = ctx->pk_state;
935
		switch (pk_state) {
936
		case PK_STATE_NO_KEY:
937
			rc = -ENOKEY;
938
			break;
939
		case PK_STATE_CONVERT_IN_PROGRESS:
940
			rc = -EKEYEXPIRED;
941
			break;
942
		case PK_STATE_VALID:
943
			memcpy(param->key, ctx->pk.protkey, sizeof(param->key));
944
			req_ctx->param_init_done = true;
945
			break;
946
		default:
947
			rc = pk_state < 0 ? pk_state : -EIO;
948
			break;
949
		}
950
		spin_unlock_bh(&ctx->pk_lock);
951
	}
952
	if (rc)
953
		goto out;
954

955
	locked = mutex_trylock(&ctrblk_lock);
956

957
	/*
958
	 * Note that in case of partial processing or failure the walk
959
	 * is NOT unmapped here. So a follow up task may reuse the walk
960
	 * or in case of unrecoverable failure needs to unmap it.
961
	 */
962
	while ((nbytes = walk->nbytes) >= AES_BLOCK_SIZE) {
963
		n = AES_BLOCK_SIZE;
964
		if (nbytes >= 2 * AES_BLOCK_SIZE && locked)
965
			n = __ctrblk_init(ctrblk, walk->iv, nbytes);
966
		ctrptr = (n > AES_BLOCK_SIZE) ? ctrblk : walk->iv;
967
		k = cpacf_kmctr(ctx->fc, param, walk->dst.virt.addr,
968
				walk->src.virt.addr, n, ctrptr);
969
		if (k) {
970
			if (ctrptr == ctrblk)
971
				memcpy(walk->iv, ctrptr + k - AES_BLOCK_SIZE,
972
				       AES_BLOCK_SIZE);
973
			crypto_inc(walk->iv, AES_BLOCK_SIZE);
974
			rc = skcipher_walk_done(walk, nbytes - k);
975
		}
976
		if (k < n) {
977
			if (!maysleep) {
978
				if (locked)
979
					mutex_unlock(&ctrblk_lock);
980
				rc = -EKEYEXPIRED;
981
				goto out;
982
			}
983
			rc = paes_convert_key(ctx);
984
			if (rc) {
985
				if (locked)
986
					mutex_unlock(&ctrblk_lock);
987
				goto out;
988
			}
989
			spin_lock_bh(&ctx->pk_lock);
990
			memcpy(param->key, ctx->pk.protkey, sizeof(param->key));
991
			spin_unlock_bh(&ctx->pk_lock);
992
		}
993
	}
994
	if (locked)
995
		mutex_unlock(&ctrblk_lock);
996

997
	/* final block may be < AES_BLOCK_SIZE, copy only nbytes */
998
	if (nbytes) {
999
		memset(buf, 0, AES_BLOCK_SIZE);
1000
		memcpy(buf, walk->src.virt.addr, nbytes);
1001
		while (1) {
1002
			if (cpacf_kmctr(ctx->fc, param, buf,
1003
					buf, AES_BLOCK_SIZE,
1004
					walk->iv) == AES_BLOCK_SIZE)
1005
				break;
1006
			if (!maysleep) {
1007
				rc = -EKEYEXPIRED;
1008
				goto out;
1009
			}
1010
			rc = paes_convert_key(ctx);
1011
			if (rc)
1012
				goto out;
1013
			spin_lock_bh(&ctx->pk_lock);
1014
			memcpy(param->key, ctx->pk.protkey, sizeof(param->key));
1015
			spin_unlock_bh(&ctx->pk_lock);
1016
		}
1017
		memcpy(walk->dst.virt.addr, buf, nbytes);
1018
		crypto_inc(walk->iv, AES_BLOCK_SIZE);
1019
		rc = skcipher_walk_done(walk, 0);
1020
	}
1021

1022
out:
1023
	pr_debug("rc=%d\n", rc);
1024
	return rc;
1025
}
1026

1027
static int ctr_paes_crypt(struct skcipher_request *req)
1028
{
1029
	struct s390_pctr_req_ctx *req_ctx = skcipher_request_ctx(req);
1030
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1031
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
1032
	struct skcipher_walk *walk = &req_ctx->walk;
1033
	int rc;
1034

1035
	/*
1036
	 * Attempt synchronous encryption first. If it fails, schedule the request
1037
	 * asynchronously via the crypto engine. To preserve execution order,
1038
	 * once a request is queued to the engine, further requests using the same
1039
	 * tfm will also be routed through the engine.
1040
	 */
1041

1042
	rc = skcipher_walk_virt(walk, req, false);
1043
	if (rc)
1044
		goto out;
1045

1046
	req_ctx->param_init_done = false;
1047

1048
	/* Try synchronous operation if no active engine usage */
1049
	if (!atomic_read(&ctx->via_engine_ctr)) {
1050
		rc = ctr_paes_do_crypt(ctx, req_ctx, false);
1051
		if (rc == 0)
1052
			goto out;
1053
	}
1054

1055
	/*
1056
	 * If sync operation failed or key expired or there are already
1057
	 * requests enqueued via engine, fallback to async. Mark tfm as
1058
	 * using engine to serialize requests.
1059
	 */
1060
	if (rc == 0 || rc == -EKEYEXPIRED) {
1061
		atomic_inc(&ctx->via_engine_ctr);
1062
		rc = crypto_transfer_skcipher_request_to_engine(paes_crypto_engine, req);
1063
		if (rc != -EINPROGRESS)
1064
			atomic_dec(&ctx->via_engine_ctr);
1065
	}
1066

1067
	if (rc != -EINPROGRESS)
1068
		skcipher_walk_done(walk, rc);
1069

1070
out:
1071
	if (rc != -EINPROGRESS)
1072
		memzero_explicit(&req_ctx->param, sizeof(req_ctx->param));
1073
	pr_debug("rc=%d\n", rc);
1074
	return rc;
1075
}
1076

1077
static int ctr_paes_init(struct crypto_skcipher *tfm)
1078
{
1079
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
1080

1081
	memset(ctx, 0, sizeof(*ctx));
1082
	spin_lock_init(&ctx->pk_lock);
1083

1084
	crypto_skcipher_set_reqsize(tfm, sizeof(struct s390_pctr_req_ctx));
1085

1086
	return 0;
1087
}
1088

1089
static void ctr_paes_exit(struct crypto_skcipher *tfm)
1090
{
1091
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
1092

1093
	memzero_explicit(ctx, sizeof(*ctx));
1094
}
1095

1096
static int ctr_paes_do_one_request(struct crypto_engine *engine, void *areq)
1097
{
1098
	struct skcipher_request *req = skcipher_request_cast(areq);
1099
	struct s390_pctr_req_ctx *req_ctx = skcipher_request_ctx(req);
1100
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1101
	struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
1102
	struct skcipher_walk *walk = &req_ctx->walk;
1103
	int rc;
1104

1105
	/* walk has already been prepared */
1106

1107
	rc = ctr_paes_do_crypt(ctx, req_ctx, true);
1108
	if (rc == -EKEYEXPIRED) {
1109
		/*
1110
		 * Protected key expired, conversion is in process.
1111
		 * Trigger a re-schedule of this request by returning
1112
		 * -ENOSPC ("hardware queue is full") to the crypto engine.
1113
		 * To avoid immediately re-invocation of this callback,
1114
		 * tell the scheduler to voluntarily give up the CPU here.
1115
		 */
1116
		cond_resched();
1117
		pr_debug("rescheduling request\n");
1118
		return -ENOSPC;
1119
	} else if (rc) {
1120
		skcipher_walk_done(walk, rc);
1121
	}
1122

1123
	memzero_explicit(&req_ctx->param, sizeof(req_ctx->param));
1124
	pr_debug("request complete with rc=%d\n", rc);
1125
	local_bh_disable();
1126
	atomic_dec(&ctx->via_engine_ctr);
1127
	crypto_finalize_skcipher_request(engine, req, rc);
1128
	local_bh_enable();
1129
	return rc;
1130
}
1131

1132
static struct skcipher_engine_alg ctr_paes_alg = {
1133
	.base = {
1134
		.base.cra_name	      =	"ctr(paes)",
1135
		.base.cra_driver_name =	"ctr-paes-s390",
1136
		.base.cra_priority    =	402,	/* ecb-paes-s390 + 1 */
1137
		.base.cra_blocksize   =	1,
1138
		.base.cra_ctxsize     =	sizeof(struct s390_paes_ctx),
1139
		.base.cra_module      =	THIS_MODULE,
1140
		.base.cra_list	      =	LIST_HEAD_INIT(ctr_paes_alg.base.base.cra_list),
1141
		.init		      =	ctr_paes_init,
1142
		.exit		      =	ctr_paes_exit,
1143
		.min_keysize	      =	PAES_MIN_KEYSIZE,
1144
		.max_keysize	      =	PAES_MAX_KEYSIZE,
1145
		.ivsize		      =	AES_BLOCK_SIZE,
1146
		.setkey		      =	ctr_paes_setkey,
1147
		.encrypt	      =	ctr_paes_crypt,
1148
		.decrypt	      =	ctr_paes_crypt,
1149
		.chunksize	      =	AES_BLOCK_SIZE,
1150
	},
1151
	.op = {
1152
		.do_one_request	      = ctr_paes_do_one_request,
1153
	},
1154
};
1155

1156
/*
1157
 * PAES XTS implementation
1158
 */
1159

1160
struct xts_full_km_param {
1161
	u8 key[64];
1162
	u8 tweak[16];
1163
	u8 nap[16];
1164
	u8 wkvp[32];
1165
} __packed;
1166

1167
struct xts_km_param {
1168
	u8 key[PAES_256_PROTKEY_SIZE];
1169
	u8 init[16];
1170
} __packed;
1171

1172
struct xts_pcc_param {
1173
	u8 key[PAES_256_PROTKEY_SIZE];
1174
	u8 tweak[16];
1175
	u8 block[16];
1176
	u8 bit[16];
1177
	u8 xts[16];
1178
} __packed;
1179

1180
struct s390_pxts_req_ctx {
1181
	unsigned long modifier;
1182
	struct skcipher_walk walk;
1183
	bool param_init_done;
1184
	union {
1185
		struct xts_full_km_param full_km_param;
1186
		struct xts_km_param km_param;
1187
	} param;
1188
};
1189

1190
static int xts_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
1191
			   unsigned int in_keylen)
1192
{
1193
	struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm);
1194
	u8 ckey[2 * AES_MAX_KEY_SIZE];
1195
	unsigned int ckey_len;
1196
	long fc;
1197
	int rc;
1198

1199
	if ((in_keylen == 32 || in_keylen == 64) &&
1200
	    xts_verify_key(tfm, in_key, in_keylen))
1201
		return -EINVAL;
1202

1203
	/* set raw key into context */
1204
	rc = pxts_ctx_setkey(ctx, in_key, in_keylen);
1205
	if (rc)
1206
		goto out;
1207

1208
	/* convert raw key(s) into protected key(s) */
1209
	rc = pxts_convert_key(ctx);
1210
	if (rc)
1211
		goto out;
1212

1213
	/*
1214
	 * xts_verify_key verifies the key length is not odd and makes
1215
	 * sure that the two keys are not the same. This can be done
1216
	 * on the two protected keys as well - but not for full xts keys.
1217
	 */
1218
	if (ctx->pk[0].type == PKEY_KEYTYPE_AES_128 ||
1219
	    ctx->pk[0].type == PKEY_KEYTYPE_AES_256) {
1220
		ckey_len = (ctx->pk[0].type == PKEY_KEYTYPE_AES_128) ?
1221
			AES_KEYSIZE_128 : AES_KEYSIZE_256;
1222
		memcpy(ckey, ctx->pk[0].protkey, ckey_len);
1223
		memcpy(ckey + ckey_len, ctx->pk[1].protkey, ckey_len);
1224
		rc = xts_verify_key(tfm, ckey, 2 * ckey_len);
1225
		memzero_explicit(ckey, sizeof(ckey));
1226
		if (rc)
1227
			goto out;
1228
	}
1229

1230
	/* Pick the correct function code based on the protected key type */
1231
	switch (ctx->pk[0].type) {
1232
	case PKEY_KEYTYPE_AES_128:
1233
		fc = CPACF_KM_PXTS_128;
1234
		break;
1235
	case PKEY_KEYTYPE_AES_256:
1236
		fc = CPACF_KM_PXTS_256;
1237
		break;
1238
	case PKEY_KEYTYPE_AES_XTS_128:
1239
		fc = CPACF_KM_PXTS_128_FULL;
1240
		break;
1241
	case PKEY_KEYTYPE_AES_XTS_256:
1242
		fc = CPACF_KM_PXTS_256_FULL;
1243
		break;
1244
	default:
1245
		fc = 0;
1246
		break;
1247
	}
1248
	ctx->fc = (fc && cpacf_test_func(&km_functions, fc)) ? fc : 0;
1249

1250
	rc = fc ? 0 : -EINVAL;
1251

1252
out:
1253
	pr_debug("rc=%d\n", rc);
1254
	return rc;
1255
}
1256

1257
static int xts_paes_do_crypt_fullkey(struct s390_pxts_ctx *ctx,
1258
				     struct s390_pxts_req_ctx *req_ctx,
1259
				     bool maysleep)
1260
{
1261
	struct xts_full_km_param *param = &req_ctx->param.full_km_param;
1262
	struct skcipher_walk *walk = &req_ctx->walk;
1263
	unsigned int keylen, offset, nbytes, n, k;
1264
	int rc = 0;
1265

1266
	/*
1267
	 * The calling function xts_paes_do_crypt() ensures the
1268
	 * protected key state is always PK_STATE_VALID when this
1269
	 * function is invoked.
1270
	 */
1271

1272
	keylen = (ctx->pk[0].type == PKEY_KEYTYPE_AES_XTS_128) ? 32 : 64;
1273
	offset = (ctx->pk[0].type == PKEY_KEYTYPE_AES_XTS_128) ? 32 : 0;
1274

1275
	if (!req_ctx->param_init_done) {
1276
		memset(param, 0, sizeof(*param));
1277
		spin_lock_bh(&ctx->pk_lock);
1278
		memcpy(param->key + offset, ctx->pk[0].protkey, keylen);
1279
		memcpy(param->wkvp, ctx->pk[0].protkey + keylen, sizeof(param->wkvp));
1280
		spin_unlock_bh(&ctx->pk_lock);
1281
		memcpy(param->tweak, walk->iv, sizeof(param->tweak));
1282
		param->nap[0] = 0x01; /* initial alpha power (1, little-endian) */
1283
		req_ctx->param_init_done = true;
1284
	}
1285

1286
	/*
1287
	 * Note that in case of partial processing or failure the walk
1288
	 * is NOT unmapped here. So a follow up task may reuse the walk
1289
	 * or in case of unrecoverable failure needs to unmap it.
1290
	 */
1291
	while ((nbytes = walk->nbytes) != 0) {
1292
		/* only use complete blocks */
1293
		n = nbytes & ~(AES_BLOCK_SIZE - 1);
1294
		k = cpacf_km(ctx->fc | req_ctx->modifier, param->key + offset,
1295
			     walk->dst.virt.addr, walk->src.virt.addr, n);
1296
		if (k)
1297
			rc = skcipher_walk_done(walk, nbytes - k);
1298
		if (k < n) {
1299
			if (!maysleep) {
1300
				rc = -EKEYEXPIRED;
1301
				goto out;
1302
			}
1303
			rc = pxts_convert_key(ctx);
1304
			if (rc)
1305
				goto out;
1306
			spin_lock_bh(&ctx->pk_lock);
1307
			memcpy(param->key + offset, ctx->pk[0].protkey, keylen);
1308
			memcpy(param->wkvp, ctx->pk[0].protkey + keylen, sizeof(param->wkvp));
1309
			spin_unlock_bh(&ctx->pk_lock);
1310
		}
1311
	}
1312

1313
out:
1314
	pr_debug("rc=%d\n", rc);
1315
	return rc;
1316
}
1317

1318
static inline int __xts_2keys_prep_param(struct s390_pxts_ctx *ctx,
1319
					 struct xts_km_param *param,
1320
					 struct skcipher_walk *walk,
1321
					 unsigned int keylen,
1322
					 unsigned int offset, bool maysleep)
1323
{
1324
	struct xts_pcc_param pcc_param;
1325
	unsigned long cc = 1;
1326
	int rc = 0;
1327

1328
	while (cc) {
1329
		memset(&pcc_param, 0, sizeof(pcc_param));
1330
		memcpy(pcc_param.tweak, walk->iv, sizeof(pcc_param.tweak));
1331
		spin_lock_bh(&ctx->pk_lock);
1332
		memcpy(pcc_param.key + offset, ctx->pk[1].protkey, keylen);
1333
		memcpy(param->key + offset, ctx->pk[0].protkey, keylen);
1334
		spin_unlock_bh(&ctx->pk_lock);
1335
		cc = cpacf_pcc(ctx->fc, pcc_param.key + offset);
1336
		if (cc) {
1337
			if (!maysleep) {
1338
				rc = -EKEYEXPIRED;
1339
				break;
1340
			}
1341
			rc = pxts_convert_key(ctx);
1342
			if (rc)
1343
				break;
1344
			continue;
1345
		}
1346
		memcpy(param->init, pcc_param.xts, 16);
1347
	}
1348

1349
	memzero_explicit(pcc_param.key, sizeof(pcc_param.key));
1350
	return rc;
1351
}
1352

1353
static int xts_paes_do_crypt_2keys(struct s390_pxts_ctx *ctx,
1354
				   struct s390_pxts_req_ctx *req_ctx,
1355
				   bool maysleep)
1356
{
1357
	struct xts_km_param *param = &req_ctx->param.km_param;
1358
	struct skcipher_walk *walk = &req_ctx->walk;
1359
	unsigned int keylen, offset, nbytes, n, k;
1360
	int rc = 0;
1361

1362
	/*
1363
	 * The calling function xts_paes_do_crypt() ensures the
1364
	 * protected key state is always PK_STATE_VALID when this
1365
	 * function is invoked.
1366
	 */
1367

1368
	keylen = (ctx->pk[0].type == PKEY_KEYTYPE_AES_128) ? 48 : 64;
1369
	offset = (ctx->pk[0].type == PKEY_KEYTYPE_AES_128) ? 16 : 0;
1370

1371
	if (!req_ctx->param_init_done) {
1372
		rc = __xts_2keys_prep_param(ctx, param, walk,
1373
					    keylen, offset, maysleep);
1374
		if (rc)
1375
			goto out;
1376
		req_ctx->param_init_done = true;
1377
	}
1378

1379
	/*
1380
	 * Note that in case of partial processing or failure the walk
1381
	 * is NOT unmapped here. So a follow up task may reuse the walk
1382
	 * or in case of unrecoverable failure needs to unmap it.
1383
	 */
1384
	while ((nbytes = walk->nbytes) != 0) {
1385
		/* only use complete blocks */
1386
		n = nbytes & ~(AES_BLOCK_SIZE - 1);
1387
		k = cpacf_km(ctx->fc | req_ctx->modifier, param->key + offset,
1388
			     walk->dst.virt.addr, walk->src.virt.addr, n);
1389
		if (k)
1390
			rc = skcipher_walk_done(walk, nbytes - k);
1391
		if (k < n) {
1392
			if (!maysleep) {
1393
				rc = -EKEYEXPIRED;
1394
				goto out;
1395
			}
1396
			rc = pxts_convert_key(ctx);
1397
			if (rc)
1398
				goto out;
1399
			spin_lock_bh(&ctx->pk_lock);
1400
			memcpy(param->key + offset, ctx->pk[0].protkey, keylen);
1401
			spin_unlock_bh(&ctx->pk_lock);
1402
		}
1403
	}
1404

1405
out:
1406
	pr_debug("rc=%d\n", rc);
1407
	return rc;
1408
}
1409

1410
static int xts_paes_do_crypt(struct s390_pxts_ctx *ctx,
1411
			     struct s390_pxts_req_ctx *req_ctx,
1412
			     bool maysleep)
1413
{
1414
	int pk_state, rc = 0;
1415

1416
	/* fetch and check protected key state */
1417
	spin_lock_bh(&ctx->pk_lock);
1418
	pk_state = ctx->pk_state;
1419
	switch (pk_state) {
1420
	case PK_STATE_NO_KEY:
1421
		rc = -ENOKEY;
1422
		break;
1423
	case PK_STATE_CONVERT_IN_PROGRESS:
1424
		rc = -EKEYEXPIRED;
1425
		break;
1426
	case PK_STATE_VALID:
1427
		break;
1428
	default:
1429
		rc = pk_state < 0 ? pk_state : -EIO;
1430
		break;
1431
	}
1432
	spin_unlock_bh(&ctx->pk_lock);
1433
	if (rc)
1434
		goto out;
1435

1436
	/* Call the 'real' crypt function based on the xts prot key type. */
1437
	switch (ctx->fc) {
1438
	case CPACF_KM_PXTS_128:
1439
	case CPACF_KM_PXTS_256:
1440
		rc = xts_paes_do_crypt_2keys(ctx, req_ctx, maysleep);
1441
		break;
1442
	case CPACF_KM_PXTS_128_FULL:
1443
	case CPACF_KM_PXTS_256_FULL:
1444
		rc = xts_paes_do_crypt_fullkey(ctx, req_ctx, maysleep);
1445
		break;
1446
	default:
1447
		rc = -EINVAL;
1448
	}
1449

1450
out:
1451
	pr_debug("rc=%d\n", rc);
1452
	return rc;
1453
}
1454

1455
static inline int xts_paes_crypt(struct skcipher_request *req, unsigned long modifier)
1456
{
1457
	struct s390_pxts_req_ctx *req_ctx = skcipher_request_ctx(req);
1458
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1459
	struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm);
1460
	struct skcipher_walk *walk = &req_ctx->walk;
1461
	int rc;
1462

1463
	/*
1464
	 * Attempt synchronous encryption first. If it fails, schedule the request
1465
	 * asynchronously via the crypto engine. To preserve execution order,
1466
	 * once a request is queued to the engine, further requests using the same
1467
	 * tfm will also be routed through the engine.
1468
	 */
1469

1470
	rc = skcipher_walk_virt(walk, req, false);
1471
	if (rc)
1472
		goto out;
1473

1474
	req_ctx->modifier = modifier;
1475
	req_ctx->param_init_done = false;
1476

1477
	/* Try synchronous operation if no active engine usage */
1478
	if (!atomic_read(&ctx->via_engine_ctr)) {
1479
		rc = xts_paes_do_crypt(ctx, req_ctx, false);
1480
		if (rc == 0)
1481
			goto out;
1482
	}
1483

1484
	/*
1485
	 * If sync operation failed or key expired or there are already
1486
	 * requests enqueued via engine, fallback to async. Mark tfm as
1487
	 * using engine to serialize requests.
1488
	 */
1489
	if (rc == 0 || rc == -EKEYEXPIRED) {
1490
		atomic_inc(&ctx->via_engine_ctr);
1491
		rc = crypto_transfer_skcipher_request_to_engine(paes_crypto_engine, req);
1492
		if (rc != -EINPROGRESS)
1493
			atomic_dec(&ctx->via_engine_ctr);
1494
	}
1495

1496
	if (rc != -EINPROGRESS)
1497
		skcipher_walk_done(walk, rc);
1498

1499
out:
1500
	if (rc != -EINPROGRESS)
1501
		memzero_explicit(&req_ctx->param, sizeof(req_ctx->param));
1502
	pr_debug("rc=%d\n", rc);
1503
	return rc;
1504
}
1505

1506
static int xts_paes_encrypt(struct skcipher_request *req)
1507
{
1508
	return xts_paes_crypt(req, 0);
1509
}
1510

1511
static int xts_paes_decrypt(struct skcipher_request *req)
1512
{
1513
	return xts_paes_crypt(req, CPACF_DECRYPT);
1514
}
1515

1516
static int xts_paes_init(struct crypto_skcipher *tfm)
1517
{
1518
	struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm);
1519

1520
	memset(ctx, 0, sizeof(*ctx));
1521
	spin_lock_init(&ctx->pk_lock);
1522

1523
	crypto_skcipher_set_reqsize(tfm, sizeof(struct s390_pxts_req_ctx));
1524

1525
	return 0;
1526
}
1527

1528
static void xts_paes_exit(struct crypto_skcipher *tfm)
1529
{
1530
	struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm);
1531

1532
	memzero_explicit(ctx, sizeof(*ctx));
1533
}
1534

1535
static int xts_paes_do_one_request(struct crypto_engine *engine, void *areq)
1536
{
1537
	struct skcipher_request *req = skcipher_request_cast(areq);
1538
	struct s390_pxts_req_ctx *req_ctx = skcipher_request_ctx(req);
1539
	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1540
	struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm);
1541
	struct skcipher_walk *walk = &req_ctx->walk;
1542
	int rc;
1543

1544
	/* walk has already been prepared */
1545

1546
	rc = xts_paes_do_crypt(ctx, req_ctx, true);
1547
	if (rc == -EKEYEXPIRED) {
1548
		/*
1549
		 * Protected key expired, conversion is in process.
1550
		 * Trigger a re-schedule of this request by returning
1551
		 * -ENOSPC ("hardware queue is full") to the crypto engine.
1552
		 * To avoid immediately re-invocation of this callback,
1553
		 * tell the scheduler to voluntarily give up the CPU here.
1554
		 */
1555
		cond_resched();
1556
		pr_debug("rescheduling request\n");
1557
		return -ENOSPC;
1558
	} else if (rc) {
1559
		skcipher_walk_done(walk, rc);
1560
	}
1561

1562
	memzero_explicit(&req_ctx->param, sizeof(req_ctx->param));
1563
	pr_debug("request complete with rc=%d\n", rc);
1564
	local_bh_disable();
1565
	atomic_dec(&ctx->via_engine_ctr);
1566
	crypto_finalize_skcipher_request(engine, req, rc);
1567
	local_bh_enable();
1568
	return rc;
1569
}
1570

1571
static struct skcipher_engine_alg xts_paes_alg = {
1572
	.base = {
1573
		.base.cra_name	      =	"xts(paes)",
1574
		.base.cra_driver_name =	"xts-paes-s390",
1575
		.base.cra_priority    =	402,	/* ecb-paes-s390 + 1 */
1576
		.base.cra_blocksize   =	AES_BLOCK_SIZE,
1577
		.base.cra_ctxsize     =	sizeof(struct s390_pxts_ctx),
1578
		.base.cra_module      =	THIS_MODULE,
1579
		.base.cra_list	      =	LIST_HEAD_INIT(xts_paes_alg.base.base.cra_list),
1580
		.init		      =	xts_paes_init,
1581
		.exit		      =	xts_paes_exit,
1582
		.min_keysize	      =	2 * PAES_MIN_KEYSIZE,
1583
		.max_keysize	      =	2 * PAES_MAX_KEYSIZE,
1584
		.ivsize		      =	AES_BLOCK_SIZE,
1585
		.setkey		      =	xts_paes_setkey,
1586
		.encrypt	      =	xts_paes_encrypt,
1587
		.decrypt	      =	xts_paes_decrypt,
1588
	},
1589
	.op = {
1590
		.do_one_request	      = xts_paes_do_one_request,
1591
	},
1592
};
1593

1594
/*
1595
 * alg register, unregister, module init, exit
1596
 */
1597

1598
static struct miscdevice paes_dev = {
1599
	.name	= "paes",
1600
	.minor	= MISC_DYNAMIC_MINOR,
1601
};
1602

1603
static inline void __crypto_unregister_skcipher(struct skcipher_engine_alg *alg)
1604
{
1605
	if (!list_empty(&alg->base.base.cra_list))
1606
		crypto_engine_unregister_skcipher(alg);
1607
}
1608

1609
static void paes_s390_fini(void)
1610
{
1611
	if (paes_crypto_engine) {
1612
		crypto_engine_stop(paes_crypto_engine);
1613
		crypto_engine_exit(paes_crypto_engine);
1614
	}
1615
	__crypto_unregister_skcipher(&ctr_paes_alg);
1616
	__crypto_unregister_skcipher(&xts_paes_alg);
1617
	__crypto_unregister_skcipher(&cbc_paes_alg);
1618
	__crypto_unregister_skcipher(&ecb_paes_alg);
1619
	if (ctrblk)
1620
		free_page((unsigned long)ctrblk);
1621
	misc_deregister(&paes_dev);
1622
}
1623

1624
static int __init paes_s390_init(void)
1625
{
1626
	int rc;
1627

1628
	/* register a simple paes pseudo misc device */
1629
	rc = misc_register(&paes_dev);
1630
	if (rc)
1631
		return rc;
1632

1633
	/* with this pseudo devie alloc and start a crypto engine */
1634
	paes_crypto_engine =
1635
		crypto_engine_alloc_init_and_set(paes_dev.this_device,
1636
						 true, false, MAX_QLEN);
1637
	if (!paes_crypto_engine) {
1638
		rc = -ENOMEM;
1639
		goto out_err;
1640
	}
1641
	rc = crypto_engine_start(paes_crypto_engine);
1642
	if (rc) {
1643
		crypto_engine_exit(paes_crypto_engine);
1644
		paes_crypto_engine = NULL;
1645
		goto out_err;
1646
	}
1647

1648
	/* Query available functions for KM, KMC and KMCTR */
1649
	cpacf_query(CPACF_KM, &km_functions);
1650
	cpacf_query(CPACF_KMC, &kmc_functions);
1651
	cpacf_query(CPACF_KMCTR, &kmctr_functions);
1652

1653
	if (cpacf_test_func(&km_functions, CPACF_KM_PAES_128) ||
1654
	    cpacf_test_func(&km_functions, CPACF_KM_PAES_192) ||
1655
	    cpacf_test_func(&km_functions, CPACF_KM_PAES_256)) {
1656
		rc = crypto_engine_register_skcipher(&ecb_paes_alg);
1657
		if (rc)
1658
			goto out_err;
1659
		pr_debug("%s registered\n", ecb_paes_alg.base.base.cra_driver_name);
1660
	}
1661

1662
	if (cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_128) ||
1663
	    cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_192) ||
1664
	    cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_256)) {
1665
		rc = crypto_engine_register_skcipher(&cbc_paes_alg);
1666
		if (rc)
1667
			goto out_err;
1668
		pr_debug("%s registered\n", cbc_paes_alg.base.base.cra_driver_name);
1669
	}
1670

1671
	if (cpacf_test_func(&km_functions, CPACF_KM_PXTS_128) ||
1672
	    cpacf_test_func(&km_functions, CPACF_KM_PXTS_256)) {
1673
		rc = crypto_engine_register_skcipher(&xts_paes_alg);
1674
		if (rc)
1675
			goto out_err;
1676
		pr_debug("%s registered\n", xts_paes_alg.base.base.cra_driver_name);
1677
	}
1678

1679
	if (cpacf_test_func(&kmctr_functions, CPACF_KMCTR_PAES_128) ||
1680
	    cpacf_test_func(&kmctr_functions, CPACF_KMCTR_PAES_192) ||
1681
	    cpacf_test_func(&kmctr_functions, CPACF_KMCTR_PAES_256)) {
1682
		ctrblk = (u8 *)__get_free_page(GFP_KERNEL);
1683
		if (!ctrblk) {
1684
			rc = -ENOMEM;
1685
			goto out_err;
1686
		}
1687
		rc = crypto_engine_register_skcipher(&ctr_paes_alg);
1688
		if (rc)
1689
			goto out_err;
1690
		pr_debug("%s registered\n", ctr_paes_alg.base.base.cra_driver_name);
1691
	}
1692

1693
	return 0;
1694

1695
out_err:
1696
	paes_s390_fini();
1697
	return rc;
1698
}
1699

1700
module_init(paes_s390_init);
1701
module_exit(paes_s390_fini);
1702

1703
MODULE_ALIAS_CRYPTO("ecb(paes)");
1704
MODULE_ALIAS_CRYPTO("cbc(paes)");
1705
MODULE_ALIAS_CRYPTO("ctr(paes)");
1706
MODULE_ALIAS_CRYPTO("xts(paes)");
1707

1708
MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm with protected keys");
1709
MODULE_LICENSE("GPL");
1710

1711