1
// SPDX-License-Identifier: GPL-2.0+
2
/*
3
 * Copyright IBM Corp. 2025
4
 *
5
 * s390 specific HMAC support for protected keys.
6
 */
7

8
#define KMSG_COMPONENT	"phmac_s390"
9
#define pr_fmt(fmt)	KMSG_COMPONENT ": " fmt
10

11
#include <asm/cpacf.h>
12
#include <asm/pkey.h>
13
#include <crypto/engine.h>
14
#include <crypto/hash.h>
15
#include <crypto/internal/hash.h>
16
#include <crypto/sha2.h>
17
#include <linux/atomic.h>
18
#include <linux/cpufeature.h>
19
#include <linux/delay.h>
20
#include <linux/miscdevice.h>
21
#include <linux/module.h>
22
#include <linux/spinlock.h>
23

24
static struct crypto_engine *phmac_crypto_engine;
25
#define MAX_QLEN 10
26

27
/*
28
 * A simple hash walk helper
29
 */
30

31
struct hash_walk_helper {
32
	struct crypto_hash_walk walk;
33
	const u8 *walkaddr;
34
	int walkbytes;
35
};
36

37
/*
38
 * Prepare hash walk helper.
39
 * Set up the base hash walk, fill walkaddr and walkbytes.
40
 * Returns 0 on success or negative value on error.
41
 */
42
static inline int hwh_prepare(struct ahash_request *req,
43
			      struct hash_walk_helper *hwh)
44
{
45
	hwh->walkbytes = crypto_hash_walk_first(req, &hwh->walk);
46
	if (hwh->walkbytes < 0)
47
		return hwh->walkbytes;
48
	hwh->walkaddr = hwh->walk.data;
49
	return 0;
50
}
51

52
/*
53
 * Advance hash walk helper by n bytes.
54
 * Progress the walkbytes and walkaddr fields by n bytes.
55
 * If walkbytes is then 0, pull next hunk from hash walk
56
 * and update walkbytes and walkaddr.
57
 * If n is negative, unmap hash walk and return error.
58
 * Returns 0 on success or negative value on error.
59
 */
60
static inline int hwh_advance(struct hash_walk_helper *hwh, int n)
61
{
62
	if (n < 0)
63
		return crypto_hash_walk_done(&hwh->walk, n);
64

65
	hwh->walkbytes -= n;
66
	hwh->walkaddr += n;
67
	if (hwh->walkbytes > 0)
68
		return 0;
69

70
	hwh->walkbytes = crypto_hash_walk_done(&hwh->walk, 0);
71
	if (hwh->walkbytes < 0)
72
		return hwh->walkbytes;
73

74
	hwh->walkaddr = hwh->walk.data;
75
	return 0;
76
}
77

78
/*
79
 * KMAC param block layout for sha2 function codes:
80
 * The layout of the param block for the KMAC instruction depends on the
81
 * blocksize of the used hashing sha2-algorithm function codes. The param block
82
 * contains the hash chaining value (cv), the input message bit-length (imbl)
83
 * and the hmac-secret (key). To prevent code duplication, the sizes of all
84
 * these are calculated based on the blocksize.
85
 *
86
 * param-block:
87
 * +-------+
88
 * | cv    |
89
 * +-------+
90
 * | imbl  |
91
 * +-------+
92
 * | key   |
93
 * +-------+
94
 *
95
 * sizes:
96
 * part | sh2-alg | calculation | size | type
97
 * -----+---------+-------------+------+--------
98
 * cv   | 224/256 | blocksize/2 |   32 |  u64[8]
99
 *      | 384/512 |             |   64 | u128[8]
100
 * imbl | 224/256 | blocksize/8 |    8 |     u64
101
 *      | 384/512 |             |   16 |    u128
102
 * key  | 224/256 | blocksize   |   96 |  u8[96]
103
 *      | 384/512 |             |  160 | u8[160]
104
 */
105

106
#define MAX_DIGEST_SIZE		SHA512_DIGEST_SIZE
107
#define MAX_IMBL_SIZE		sizeof(u128)
108
#define MAX_BLOCK_SIZE		SHA512_BLOCK_SIZE
109

110
#define SHA2_CV_SIZE(bs)	((bs) >> 1)
111
#define SHA2_IMBL_SIZE(bs)	((bs) >> 3)
112

113
#define SHA2_IMBL_OFFSET(bs)	(SHA2_CV_SIZE(bs))
114
#define SHA2_KEY_OFFSET(bs)	(SHA2_CV_SIZE(bs) + SHA2_IMBL_SIZE(bs))
115

116
#define PHMAC_MAX_KEYSIZE       256
117
#define PHMAC_SHA256_PK_SIZE	(SHA256_BLOCK_SIZE + 32)
118
#define PHMAC_SHA512_PK_SIZE	(SHA512_BLOCK_SIZE + 32)
119
#define PHMAC_MAX_PK_SIZE	PHMAC_SHA512_PK_SIZE
120

121
/* phmac protected key struct */
122
struct phmac_protkey {
123
	u32 type;
124
	u32 len;
125
	u8 protkey[PHMAC_MAX_PK_SIZE];
126
};
127

128
#define PK_STATE_NO_KEY		     0
129
#define PK_STATE_CONVERT_IN_PROGRESS 1
130
#define PK_STATE_VALID		     2
131

132
/* phmac tfm context */
133
struct phmac_tfm_ctx {
134
	/* source key material used to derive a protected key from */
135
	u8 keybuf[PHMAC_MAX_KEYSIZE];
136
	unsigned int keylen;
137

138
	/* cpacf function code to use with this protected key type */
139
	long fc;
140

141
	/* nr of requests enqueued via crypto engine which use this tfm ctx */
142
	atomic_t via_engine_ctr;
143

144
	/* spinlock to atomic read/update all the following fields */
145
	spinlock_t pk_lock;
146

147
	/* see PK_STATE* defines above, < 0 holds convert failure rc  */
148
	int pk_state;
149
	/* if state is valid, pk holds the protected key */
150
	struct phmac_protkey pk;
151
};
152

153
union kmac_gr0 {
154
	unsigned long reg;
155
	struct {
156
		unsigned long		: 48;
157
		unsigned long ikp	:  1;
158
		unsigned long iimp	:  1;
159
		unsigned long ccup	:  1;
160
		unsigned long		:  6;
161
		unsigned long fc	:  7;
162
	};
163
};
164

165
struct kmac_sha2_ctx {
166
	u8 param[MAX_DIGEST_SIZE + MAX_IMBL_SIZE + PHMAC_MAX_PK_SIZE];
167
	union kmac_gr0 gr0;
168
	u8 buf[MAX_BLOCK_SIZE];
169
	u64 buflen[2];
170
};
171

172
/* phmac request context */
173
struct phmac_req_ctx {
174
	struct hash_walk_helper hwh;
175
	struct kmac_sha2_ctx kmac_ctx;
176
	bool final;
177
};
178

179
/*
180
 * Pkey 'token' struct used to derive a protected key value from a clear key.
181
 */
182
struct hmac_clrkey_token {
183
	u8  type;
184
	u8  res0[3];
185
	u8  version;
186
	u8  res1[3];
187
	u32 keytype;
188
	u32 len;
189
	u8 key[];
190
} __packed;
191

192
static int hash_key(const u8 *in, unsigned int inlen,
193
		    u8 *digest, unsigned int digestsize)
194
{
195
	unsigned long func;
196
	union {
197
		struct sha256_paramblock {
198
			u32 h[8];
199
			u64 mbl;
200
		} sha256;
201
		struct sha512_paramblock {
202
			u64 h[8];
203
			u128 mbl;
204
		} sha512;
205
	} __packed param;
206

207
#define PARAM_INIT(x, y, z)		   \
208
	param.sha##x.h[0] = SHA##y ## _H0; \
209
	param.sha##x.h[1] = SHA##y ## _H1; \
210
	param.sha##x.h[2] = SHA##y ## _H2; \
211
	param.sha##x.h[3] = SHA##y ## _H3; \
212
	param.sha##x.h[4] = SHA##y ## _H4; \
213
	param.sha##x.h[5] = SHA##y ## _H5; \
214
	param.sha##x.h[6] = SHA##y ## _H6; \
215
	param.sha##x.h[7] = SHA##y ## _H7; \
216
	param.sha##x.mbl = (z)
217

218
	switch (digestsize) {
219
	case SHA224_DIGEST_SIZE:
220
		func = CPACF_KLMD_SHA_256;
221
		PARAM_INIT(256, 224, inlen * 8);
222
		break;
223
	case SHA256_DIGEST_SIZE:
224
		func = CPACF_KLMD_SHA_256;
225
		PARAM_INIT(256, 256, inlen * 8);
226
		break;
227
	case SHA384_DIGEST_SIZE:
228
		func = CPACF_KLMD_SHA_512;
229
		PARAM_INIT(512, 384, inlen * 8);
230
		break;
231
	case SHA512_DIGEST_SIZE:
232
		func = CPACF_KLMD_SHA_512;
233
		PARAM_INIT(512, 512, inlen * 8);
234
		break;
235
	default:
236
		return -EINVAL;
237
	}
238

239
#undef PARAM_INIT
240

241
	cpacf_klmd(func, &param, in, inlen);
242

243
	memcpy(digest, &param, digestsize);
244

245
	return 0;
246
}
247

248
/*
249
 * make_clrkey_token() - wrap the clear key into a pkey clearkey token.
250
 */
251
static inline int make_clrkey_token(const u8 *clrkey, size_t clrkeylen,
252
				    unsigned int digestsize, u8 *dest)
253
{
254
	struct hmac_clrkey_token *token = (struct hmac_clrkey_token *)dest;
255
	unsigned int blocksize;
256
	int rc;
257

258
	token->type = 0x00;
259
	token->version = 0x02;
260
	switch (digestsize) {
261
	case SHA224_DIGEST_SIZE:
262
	case SHA256_DIGEST_SIZE:
263
		token->keytype = PKEY_KEYTYPE_HMAC_512;
264
		blocksize = 64;
265
		break;
266
	case SHA384_DIGEST_SIZE:
267
	case SHA512_DIGEST_SIZE:
268
		token->keytype = PKEY_KEYTYPE_HMAC_1024;
269
		blocksize = 128;
270
		break;
271
	default:
272
		return -EINVAL;
273
	}
274
	token->len = blocksize;
275

276
	if (clrkeylen > blocksize) {
277
		rc = hash_key(clrkey, clrkeylen, token->key, digestsize);
278
		if (rc)
279
			return rc;
280
	} else {
281
		memcpy(token->key, clrkey, clrkeylen);
282
	}
283

284
	return 0;
285
}
286

287
/*
288
 * phmac_tfm_ctx_setkey() - Set key value into tfm context, maybe construct
289
 * a clear key token digestible by pkey from a clear key value.
290
 */
291
static inline int phmac_tfm_ctx_setkey(struct phmac_tfm_ctx *tfm_ctx,
292
				       const u8 *key, unsigned int keylen)
293
{
294
	if (keylen > sizeof(tfm_ctx->keybuf))
295
		return -EINVAL;
296

297
	memcpy(tfm_ctx->keybuf, key, keylen);
298
	tfm_ctx->keylen = keylen;
299

300
	return 0;
301
}
302

303
/*
304
 * Convert the raw key material into a protected key via PKEY api.
305
 * This function may sleep - don't call in non-sleeping context.
306
 */
307
static inline int convert_key(const u8 *key, unsigned int keylen,
308
			      struct phmac_protkey *pk)
309
{
310
	int rc, i;
311

312
	pk->len = sizeof(pk->protkey);
313

314
	/*
315
	 * In case of a busy card retry with increasing delay
316
	 * of 200, 400, 800 and 1600 ms - in total 3 s.
317
	 */
318
	for (rc = -EIO, i = 0; rc && i < 5; i++) {
319
		if (rc == -EBUSY && msleep_interruptible((1 << i) * 100)) {
320
			rc = -EINTR;
321
			goto out;
322
		}
323
		rc = pkey_key2protkey(key, keylen,
324
				      pk->protkey, &pk->len, &pk->type,
325
				      PKEY_XFLAG_NOMEMALLOC);
326
	}
327

328
out:
329
	pr_debug("rc=%d\n", rc);
330
	return rc;
331
}
332

333
/*
334
 * (Re-)Convert the raw key material from the tfm ctx into a protected
335
 * key via convert_key() function. Update the pk_state, pk_type, pk_len
336
 * and the protected key in the tfm context.
337
 * Please note this function may be invoked concurrently with the very
338
 * same tfm context. The pk_lock spinlock in the context ensures an
339
 * atomic update of the pk and the pk state but does not guarantee any
340
 * order of update. So a fresh converted valid protected key may get
341
 * updated with an 'old' expired key value. As the cpacf instructions
342
 * detect this, refuse to operate with an invalid key and the calling
343
 * code triggers a (re-)conversion this does no harm. This may lead to
344
 * unnecessary additional conversion but never to invalid data on the
345
 * hash operation.
346
 */
347
static int phmac_convert_key(struct phmac_tfm_ctx *tfm_ctx)
348
{
349
	struct phmac_protkey pk;
350
	int rc;
351

352
	spin_lock_bh(&tfm_ctx->pk_lock);
353
	tfm_ctx->pk_state = PK_STATE_CONVERT_IN_PROGRESS;
354
	spin_unlock_bh(&tfm_ctx->pk_lock);
355

356
	rc = convert_key(tfm_ctx->keybuf, tfm_ctx->keylen, &pk);
357

358
	/* update context */
359
	spin_lock_bh(&tfm_ctx->pk_lock);
360
	if (rc) {
361
		tfm_ctx->pk_state = rc;
362
	} else {
363
		tfm_ctx->pk_state = PK_STATE_VALID;
364
		tfm_ctx->pk = pk;
365
	}
366
	spin_unlock_bh(&tfm_ctx->pk_lock);
367

368
	memzero_explicit(&pk, sizeof(pk));
369
	pr_debug("rc=%d\n", rc);
370
	return rc;
371
}
372

373
/*
374
 * kmac_sha2_set_imbl - sets the input message bit-length based on the blocksize
375
 */
376
static inline void kmac_sha2_set_imbl(u8 *param, u64 buflen_lo,
377
				      u64 buflen_hi, unsigned int blocksize)
378
{
379
	u8 *imbl = param + SHA2_IMBL_OFFSET(blocksize);
380

381
	switch (blocksize) {
382
	case SHA256_BLOCK_SIZE:
383
		*(u64 *)imbl = buflen_lo * BITS_PER_BYTE;
384
		break;
385
	case SHA512_BLOCK_SIZE:
386
		*(u128 *)imbl = (((u128)buflen_hi << 64) + buflen_lo) << 3;
387
		break;
388
	default:
389
		break;
390
	}
391
}
392

393
static int phmac_kmac_update(struct ahash_request *req, bool maysleep)
394
{
395
	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
396
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
397
	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
398
	struct kmac_sha2_ctx *ctx = &req_ctx->kmac_ctx;
399
	struct hash_walk_helper *hwh = &req_ctx->hwh;
400
	unsigned int bs = crypto_ahash_blocksize(tfm);
401
	unsigned int offset, k, n;
402
	int rc = 0;
403

404
	/*
405
	 * The walk is always mapped when this function is called.
406
	 * Note that in case of partial processing or failure the walk
407
	 * is NOT unmapped here. So a follow up task may reuse the walk
408
	 * or in case of unrecoverable failure needs to unmap it.
409
	 */
410

411
	while (hwh->walkbytes > 0) {
412
		/* check sha2 context buffer */
413
		offset = ctx->buflen[0] % bs;
414
		if (offset + hwh->walkbytes < bs)
415
			goto store;
416

417
		if (offset) {
418
			/* fill ctx buffer up to blocksize and process this block */
419
			n = bs - offset;
420
			memcpy(ctx->buf + offset, hwh->walkaddr, n);
421
			ctx->gr0.iimp = 1;
422
			for (;;) {
423
				k = _cpacf_kmac(&ctx->gr0.reg, ctx->param, ctx->buf, bs);
424
				if (likely(k == bs))
425
					break;
426
				if (unlikely(k > 0)) {
427
					/*
428
					 * Can't deal with hunks smaller than blocksize.
429
					 * And kmac should always return the nr of
430
					 * processed bytes as 0 or a multiple of the
431
					 * blocksize.
432
					 */
433
					rc = -EIO;
434
					goto out;
435
				}
436
				/* protected key is invalid and needs re-conversion */
437
				if (!maysleep) {
438
					rc = -EKEYEXPIRED;
439
					goto out;
440
				}
441
				rc = phmac_convert_key(tfm_ctx);
442
				if (rc)
443
					goto out;
444
				spin_lock_bh(&tfm_ctx->pk_lock);
445
				memcpy(ctx->param + SHA2_KEY_OFFSET(bs),
446
				       tfm_ctx->pk.protkey, tfm_ctx->pk.len);
447
				spin_unlock_bh(&tfm_ctx->pk_lock);
448
			}
449
			ctx->buflen[0] += n;
450
			if (ctx->buflen[0] < n)
451
				ctx->buflen[1]++;
452
			rc = hwh_advance(hwh, n);
453
			if (unlikely(rc))
454
				goto out;
455
			offset = 0;
456
		}
457

458
		/* process as many blocks as possible from the walk */
459
		while (hwh->walkbytes >= bs) {
460
			n = (hwh->walkbytes / bs) * bs;
461
			ctx->gr0.iimp = 1;
462
			k = _cpacf_kmac(&ctx->gr0.reg, ctx->param, hwh->walkaddr, n);
463
			if (likely(k > 0)) {
464
				ctx->buflen[0] += k;
465
				if (ctx->buflen[0] < k)
466
					ctx->buflen[1]++;
467
				rc = hwh_advance(hwh, k);
468
				if (unlikely(rc))
469
					goto out;
470
			}
471
			if (unlikely(k < n)) {
472
				/* protected key is invalid and needs re-conversion */
473
				if (!maysleep) {
474
					rc = -EKEYEXPIRED;
475
					goto out;
476
				}
477
				rc = phmac_convert_key(tfm_ctx);
478
				if (rc)
479
					goto out;
480
				spin_lock_bh(&tfm_ctx->pk_lock);
481
				memcpy(ctx->param + SHA2_KEY_OFFSET(bs),
482
				       tfm_ctx->pk.protkey, tfm_ctx->pk.len);
483
				spin_unlock_bh(&tfm_ctx->pk_lock);
484
			}
485
		}
486

487
store:
488
		/* store incomplete block in context buffer */
489
		if (hwh->walkbytes) {
490
			memcpy(ctx->buf + offset, hwh->walkaddr, hwh->walkbytes);
491
			ctx->buflen[0] += hwh->walkbytes;
492
			if (ctx->buflen[0] < hwh->walkbytes)
493
				ctx->buflen[1]++;
494
			rc = hwh_advance(hwh, hwh->walkbytes);
495
			if (unlikely(rc))
496
				goto out;
497
		}
498

499
	} /* end of while (hwh->walkbytes > 0) */
500

501
out:
502
	pr_debug("rc=%d\n", rc);
503
	return rc;
504
}
505

506
static int phmac_kmac_final(struct ahash_request *req, bool maysleep)
507
{
508
	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
509
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
510
	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
511
	struct kmac_sha2_ctx *ctx = &req_ctx->kmac_ctx;
512
	unsigned int ds = crypto_ahash_digestsize(tfm);
513
	unsigned int bs = crypto_ahash_blocksize(tfm);
514
	unsigned int k, n;
515
	int rc = 0;
516

517
	n = ctx->buflen[0] % bs;
518
	ctx->gr0.iimp = 0;
519
	kmac_sha2_set_imbl(ctx->param, ctx->buflen[0], ctx->buflen[1], bs);
520
	for (;;) {
521
		k = _cpacf_kmac(&ctx->gr0.reg, ctx->param, ctx->buf, n);
522
		if (likely(k == n))
523
			break;
524
		if (unlikely(k > 0)) {
525
			/* Can't deal with hunks smaller than blocksize. */
526
			rc = -EIO;
527
			goto out;
528
		}
529
		/* protected key is invalid and needs re-conversion */
530
		if (!maysleep) {
531
			rc = -EKEYEXPIRED;
532
			goto out;
533
		}
534
		rc = phmac_convert_key(tfm_ctx);
535
		if (rc)
536
			goto out;
537
		spin_lock_bh(&tfm_ctx->pk_lock);
538
		memcpy(ctx->param + SHA2_KEY_OFFSET(bs),
539
		       tfm_ctx->pk.protkey, tfm_ctx->pk.len);
540
		spin_unlock_bh(&tfm_ctx->pk_lock);
541
	}
542

543
	memcpy(req->result, ctx->param, ds);
544

545
out:
546
	pr_debug("rc=%d\n", rc);
547
	return rc;
548
}
549

550
static int phmac_init(struct ahash_request *req)
551
{
552
	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
553
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
554
	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
555
	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
556
	unsigned int bs = crypto_ahash_blocksize(tfm);
557
	int rc = 0;
558

559
	/* zero request context (includes the kmac sha2 context) */
560
	memset(req_ctx, 0, sizeof(*req_ctx));
561

562
	/*
563
	 * setkey() should have set a valid fc into the tfm context.
564
	 * Copy this function code into the gr0 field of the kmac context.
565
	 */
566
	if (!tfm_ctx->fc) {
567
		rc = -ENOKEY;
568
		goto out;
569
	}
570
	kmac_ctx->gr0.fc = tfm_ctx->fc;
571

572
	/*
573
	 * Copy the pk from tfm ctx into kmac ctx. The protected key
574
	 * may be outdated but update() and final() will handle this.
575
	 */
576
	spin_lock_bh(&tfm_ctx->pk_lock);
577
	memcpy(kmac_ctx->param + SHA2_KEY_OFFSET(bs),
578
	       tfm_ctx->pk.protkey, tfm_ctx->pk.len);
579
	spin_unlock_bh(&tfm_ctx->pk_lock);
580

581
out:
582
	pr_debug("rc=%d\n", rc);
583
	return rc;
584
}
585

586
static int phmac_update(struct ahash_request *req)
587
{
588
	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
589
	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
590
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
591
	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
592
	struct hash_walk_helper *hwh = &req_ctx->hwh;
593
	int rc;
594

595
	/* prep the walk in the request context */
596
	rc = hwh_prepare(req, hwh);
597
	if (rc)
598
		goto out;
599

600
	/* Try synchronous operation if no active engine usage */
601
	if (!atomic_read(&tfm_ctx->via_engine_ctr)) {
602
		rc = phmac_kmac_update(req, false);
603
		if (rc == 0)
604
			goto out;
605
	}
606

607
	/*
608
	 * If sync operation failed or key expired or there are already
609
	 * requests enqueued via engine, fallback to async. Mark tfm as
610
	 * using engine to serialize requests.
611
	 */
612
	if (rc == 0 || rc == -EKEYEXPIRED) {
613
		atomic_inc(&tfm_ctx->via_engine_ctr);
614
		rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
615
		if (rc != -EINPROGRESS)
616
			atomic_dec(&tfm_ctx->via_engine_ctr);
617
	}
618

619
	if (rc != -EINPROGRESS) {
620
		hwh_advance(hwh, rc);
621
		memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
622
	}
623

624
out:
625
	pr_debug("rc=%d\n", rc);
626
	return rc;
627
}
628

629
static int phmac_final(struct ahash_request *req)
630
{
631
	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
632
	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
633
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
634
	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
635
	int rc = 0;
636

637
	/* Try synchronous operation if no active engine usage */
638
	if (!atomic_read(&tfm_ctx->via_engine_ctr)) {
639
		rc = phmac_kmac_final(req, false);
640
		if (rc == 0)
641
			goto out;
642
	}
643

644
	/*
645
	 * If sync operation failed or key expired or there are already
646
	 * requests enqueued via engine, fallback to async. Mark tfm as
647
	 * using engine to serialize requests.
648
	 */
649
	if (rc == 0 || rc == -EKEYEXPIRED) {
650
		req->nbytes = 0;
651
		req_ctx->final = true;
652
		atomic_inc(&tfm_ctx->via_engine_ctr);
653
		rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
654
		if (rc != -EINPROGRESS)
655
			atomic_dec(&tfm_ctx->via_engine_ctr);
656
	}
657

658
out:
659
	if (rc != -EINPROGRESS)
660
		memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
661
	pr_debug("rc=%d\n", rc);
662
	return rc;
663
}
664

665
static int phmac_finup(struct ahash_request *req)
666
{
667
	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
668
	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
669
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
670
	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
671
	struct hash_walk_helper *hwh = &req_ctx->hwh;
672
	int rc;
673

674
	/* prep the walk in the request context */
675
	rc = hwh_prepare(req, hwh);
676
	if (rc)
677
		goto out;
678

679
	/* Try synchronous operations if no active engine usage */
680
	if (!atomic_read(&tfm_ctx->via_engine_ctr)) {
681
		rc = phmac_kmac_update(req, false);
682
		if (rc == 0)
683
			req->nbytes = 0;
684
	}
685
	if (!rc && !req->nbytes && !atomic_read(&tfm_ctx->via_engine_ctr)) {
686
		rc = phmac_kmac_final(req, false);
687
		if (rc == 0)
688
			goto out;
689
	}
690

691
	/*
692
	 * If sync operation failed or key expired or there are already
693
	 * requests enqueued via engine, fallback to async. Mark tfm as
694
	 * using engine to serialize requests.
695
	 */
696
	if (rc == 0 || rc == -EKEYEXPIRED) {
697
		req_ctx->final = true;
698
		atomic_inc(&tfm_ctx->via_engine_ctr);
699
		rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
700
		if (rc != -EINPROGRESS)
701
			atomic_dec(&tfm_ctx->via_engine_ctr);
702
	}
703

704
	if (rc != -EINPROGRESS)
705
		hwh_advance(hwh, rc);
706

707
out:
708
	if (rc != -EINPROGRESS)
709
		memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
710
	pr_debug("rc=%d\n", rc);
711
	return rc;
712
}
713

714
static int phmac_digest(struct ahash_request *req)
715
{
716
	int rc;
717

718
	rc = phmac_init(req);
719
	if (rc)
720
		goto out;
721

722
	rc = phmac_finup(req);
723

724
out:
725
	pr_debug("rc=%d\n", rc);
726
	return rc;
727
}
728

729
static int phmac_setkey(struct crypto_ahash *tfm,
730
			const u8 *key, unsigned int keylen)
731
{
732
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
733
	unsigned int ds = crypto_ahash_digestsize(tfm);
734
	unsigned int bs = crypto_ahash_blocksize(tfm);
735
	unsigned int tmpkeylen;
736
	u8 *tmpkey = NULL;
737
	int rc = 0;
738

739
	if (!crypto_ahash_tested(tfm)) {
740
		/*
741
		 * selftest running: key is a raw hmac clear key and needs
742
		 * to get embedded into a 'clear key token' in order to have
743
		 * it correctly processed by the pkey module.
744
		 */
745
		tmpkeylen = sizeof(struct hmac_clrkey_token) + bs;
746
		tmpkey = kzalloc(tmpkeylen, GFP_KERNEL);
747
		if (!tmpkey) {
748
			rc = -ENOMEM;
749
			goto out;
750
		}
751
		rc = make_clrkey_token(key, keylen, ds, tmpkey);
752
		if (rc)
753
			goto out;
754
		keylen = tmpkeylen;
755
		key = tmpkey;
756
	}
757

758
	/* copy raw key into tfm context */
759
	rc = phmac_tfm_ctx_setkey(tfm_ctx, key, keylen);
760
	if (rc)
761
		goto out;
762

763
	/* convert raw key into protected key */
764
	rc = phmac_convert_key(tfm_ctx);
765
	if (rc)
766
		goto out;
767

768
	/* set function code in tfm context, check for valid pk type */
769
	switch (ds) {
770
	case SHA224_DIGEST_SIZE:
771
		if (tfm_ctx->pk.type != PKEY_KEYTYPE_HMAC_512)
772
			rc = -EINVAL;
773
		else
774
			tfm_ctx->fc = CPACF_KMAC_PHMAC_SHA_224;
775
		break;
776
	case SHA256_DIGEST_SIZE:
777
		if (tfm_ctx->pk.type != PKEY_KEYTYPE_HMAC_512)
778
			rc = -EINVAL;
779
		else
780
			tfm_ctx->fc = CPACF_KMAC_PHMAC_SHA_256;
781
		break;
782
	case SHA384_DIGEST_SIZE:
783
		if (tfm_ctx->pk.type != PKEY_KEYTYPE_HMAC_1024)
784
			rc = -EINVAL;
785
		else
786
			tfm_ctx->fc = CPACF_KMAC_PHMAC_SHA_384;
787
		break;
788
	case SHA512_DIGEST_SIZE:
789
		if (tfm_ctx->pk.type != PKEY_KEYTYPE_HMAC_1024)
790
			rc = -EINVAL;
791
		else
792
			tfm_ctx->fc = CPACF_KMAC_PHMAC_SHA_512;
793
		break;
794
	default:
795
		tfm_ctx->fc = 0;
796
		rc = -EINVAL;
797
	}
798

799
out:
800
	kfree(tmpkey);
801
	pr_debug("rc=%d\n", rc);
802
	return rc;
803
}
804

805
static int phmac_export(struct ahash_request *req, void *out)
806
{
807
	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
808
	struct kmac_sha2_ctx *ctx = &req_ctx->kmac_ctx;
809

810
	memcpy(out, ctx, sizeof(*ctx));
811

812
	return 0;
813
}
814

815
static int phmac_import(struct ahash_request *req, const void *in)
816
{
817
	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
818
	struct kmac_sha2_ctx *ctx = &req_ctx->kmac_ctx;
819

820
	memset(req_ctx, 0, sizeof(*req_ctx));
821
	memcpy(ctx, in, sizeof(*ctx));
822

823
	return 0;
824
}
825

826
static int phmac_init_tfm(struct crypto_ahash *tfm)
827
{
828
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
829

830
	memset(tfm_ctx, 0, sizeof(*tfm_ctx));
831
	spin_lock_init(&tfm_ctx->pk_lock);
832

833
	crypto_ahash_set_reqsize(tfm, sizeof(struct phmac_req_ctx));
834

835
	return 0;
836
}
837

838
static void phmac_exit_tfm(struct crypto_ahash *tfm)
839
{
840
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
841

842
	memzero_explicit(tfm_ctx->keybuf, sizeof(tfm_ctx->keybuf));
843
	memzero_explicit(&tfm_ctx->pk, sizeof(tfm_ctx->pk));
844
}
845

846
static int phmac_do_one_request(struct crypto_engine *engine, void *areq)
847
{
848
	struct ahash_request *req = ahash_request_cast(areq);
849
	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
850
	struct phmac_tfm_ctx *tfm_ctx = crypto_ahash_ctx(tfm);
851
	struct phmac_req_ctx *req_ctx = ahash_request_ctx(req);
852
	struct kmac_sha2_ctx *kmac_ctx = &req_ctx->kmac_ctx;
853
	struct hash_walk_helper *hwh = &req_ctx->hwh;
854
	int rc = -EINVAL;
855

856
	/*
857
	 * Three kinds of requests come in here:
858
	 * update when req->nbytes > 0 and req_ctx->final is false
859
	 * final when req->nbytes = 0 and req_ctx->final is true
860
	 * finup when req->nbytes > 0 and req_ctx->final is true
861
	 * For update and finup the hwh walk needs to be prepared and
862
	 * up to date but the actual nr of bytes in req->nbytes may be
863
	 * any non zero number. For final there is no hwh walk needed.
864
	 */
865

866
	if (req->nbytes) {
867
		rc = phmac_kmac_update(req, true);
868
		if (rc == -EKEYEXPIRED) {
869
			/*
870
			 * Protected key expired, conversion is in process.
871
			 * Trigger a re-schedule of this request by returning
872
			 * -ENOSPC ("hardware queue full") to the crypto engine.
873
			 * To avoid immediately re-invocation of this callback,
874
			 * tell scheduler to voluntarily give up the CPU here.
875
			 */
876
			pr_debug("rescheduling request\n");
877
			cond_resched();
878
			return -ENOSPC;
879
		} else if (rc) {
880
			hwh_advance(hwh, rc);
881
			goto out;
882
		}
883
		req->nbytes = 0;
884
	}
885

886
	if (req_ctx->final) {
887
		rc = phmac_kmac_final(req, true);
888
		if (rc == -EKEYEXPIRED) {
889
			/*
890
			 * Protected key expired, conversion is in process.
891
			 * Trigger a re-schedule of this request by returning
892
			 * -ENOSPC ("hardware queue full") to the crypto engine.
893
			 * To avoid immediately re-invocation of this callback,
894
			 * tell scheduler to voluntarily give up the CPU here.
895
			 */
896
			pr_debug("rescheduling request\n");
897
			cond_resched();
898
			return -ENOSPC;
899
		}
900
	}
901

902
out:
903
	if (rc || req_ctx->final)
904
		memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
905
	pr_debug("request complete with rc=%d\n", rc);
906
	local_bh_disable();
907
	atomic_dec(&tfm_ctx->via_engine_ctr);
908
	crypto_finalize_hash_request(engine, req, rc);
909
	local_bh_enable();
910
	return rc;
911
}
912

913
#define S390_ASYNC_PHMAC_ALG(x)						\
914
{									\
915
	.base = {							\
916
		.init	  = phmac_init,					\
917
		.update	  = phmac_update,				\
918
		.final	  = phmac_final,				\
919
		.finup	  = phmac_finup,				\
920
		.digest	  = phmac_digest,				\
921
		.setkey	  = phmac_setkey,				\
922
		.import	  = phmac_import,				\
923
		.export	  = phmac_export,				\
924
		.init_tfm = phmac_init_tfm,				\
925
		.exit_tfm = phmac_exit_tfm,				\
926
		.halg = {						\
927
			.digestsize = SHA##x##_DIGEST_SIZE,		\
928
			.statesize  = sizeof(struct kmac_sha2_ctx),	\
929
			.base = {					\
930
				.cra_name = "phmac(sha" #x ")",		\
931
				.cra_driver_name = "phmac_s390_sha" #x,	\
932
				.cra_blocksize = SHA##x##_BLOCK_SIZE,	\
933
				.cra_priority = 400,			\
934
				.cra_flags = CRYPTO_ALG_ASYNC |		\
935
					     CRYPTO_ALG_NO_FALLBACK,	\
936
				.cra_ctxsize = sizeof(struct phmac_tfm_ctx), \
937
				.cra_module = THIS_MODULE,		\
938
			},						\
939
		},							\
940
	},								\
941
	.op = {								\
942
		.do_one_request = phmac_do_one_request,			\
943
	},								\
944
}
945

946
static struct phmac_alg {
947
	unsigned int fc;
948
	struct ahash_engine_alg alg;
949
	bool registered;
950
} phmac_algs[] = {
951
	{
952
		.fc = CPACF_KMAC_PHMAC_SHA_224,
953
		.alg = S390_ASYNC_PHMAC_ALG(224),
954
	}, {
955
		.fc = CPACF_KMAC_PHMAC_SHA_256,
956
		.alg = S390_ASYNC_PHMAC_ALG(256),
957
	}, {
958
		.fc = CPACF_KMAC_PHMAC_SHA_384,
959
		.alg = S390_ASYNC_PHMAC_ALG(384),
960
	}, {
961
		.fc = CPACF_KMAC_PHMAC_SHA_512,
962
		.alg = S390_ASYNC_PHMAC_ALG(512),
963
	}
964
};
965

966
static struct miscdevice phmac_dev = {
967
	.name	= "phmac",
968
	.minor	= MISC_DYNAMIC_MINOR,
969
};
970

971
static void s390_phmac_exit(void)
972
{
973
	struct phmac_alg *phmac;
974
	int i;
975

976
	if (phmac_crypto_engine) {
977
		crypto_engine_stop(phmac_crypto_engine);
978
		crypto_engine_exit(phmac_crypto_engine);
979
	}
980

981
	for (i = ARRAY_SIZE(phmac_algs) - 1; i >= 0; i--) {
982
		phmac = &phmac_algs[i];
983
		if (phmac->registered)
984
			crypto_engine_unregister_ahash(&phmac->alg);
985
	}
986

987
	misc_deregister(&phmac_dev);
988
}
989

990
static int __init s390_phmac_init(void)
991
{
992
	struct phmac_alg *phmac;
993
	int i, rc;
994

995
	/* for selftest cpacf klmd subfunction is needed */
996
	if (!cpacf_query_func(CPACF_KLMD, CPACF_KLMD_SHA_256))
997
		return -ENODEV;
998
	if (!cpacf_query_func(CPACF_KLMD, CPACF_KLMD_SHA_512))
999
		return -ENODEV;
1000

1001
	/* register a simple phmac pseudo misc device */
1002
	rc = misc_register(&phmac_dev);
1003
	if (rc)
1004
		return rc;
1005

1006
	/* with this pseudo device alloc and start a crypto engine */
1007
	phmac_crypto_engine =
1008
		crypto_engine_alloc_init_and_set(phmac_dev.this_device,
1009
						 true, false, MAX_QLEN);
1010
	if (!phmac_crypto_engine) {
1011
		rc = -ENOMEM;
1012
		goto out_err;
1013
	}
1014
	rc = crypto_engine_start(phmac_crypto_engine);
1015
	if (rc) {
1016
		crypto_engine_exit(phmac_crypto_engine);
1017
		phmac_crypto_engine = NULL;
1018
		goto out_err;
1019
	}
1020

1021
	for (i = 0; i < ARRAY_SIZE(phmac_algs); i++) {
1022
		phmac = &phmac_algs[i];
1023
		if (!cpacf_query_func(CPACF_KMAC, phmac->fc))
1024
			continue;
1025
		rc = crypto_engine_register_ahash(&phmac->alg);
1026
		if (rc)
1027
			goto out_err;
1028
		phmac->registered = true;
1029
		pr_debug("%s registered\n", phmac->alg.base.halg.base.cra_name);
1030
	}
1031

1032
	return 0;
1033

1034
out_err:
1035
	s390_phmac_exit();
1036
	return rc;
1037
}
1038

1039
module_init(s390_phmac_init);
1040
module_exit(s390_phmac_exit);
1041

1042
MODULE_ALIAS_CRYPTO("phmac(sha224)");
1043
MODULE_ALIAS_CRYPTO("phmac(sha256)");
1044
MODULE_ALIAS_CRYPTO("phmac(sha384)");
1045
MODULE_ALIAS_CRYPTO("phmac(sha512)");
1046

1047
MODULE_DESCRIPTION("S390 HMAC driver for protected keys");
1048
MODULE_LICENSE("GPL");
1049

1050