/*
 * Support for VIA PadLock hardware crypto engine.
 *
 * Copyright (c) 2004 Michal Ludvig <michal@logix.cz>
 */

#include <crypto/algapi.h>
#include <crypto/aes.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <linux/interrupt.h>
#include <linux/kernel.h>
#include <linux/percpu.h>
#include <linux/smp.h>
#include <asm/byteorder.h>
#include <asm/i387.h>		/* irq_ts_save()/irq_ts_restore() */
#include "padlock.h"		/* PFX, PADLOCK_ALIGNMENT, priorities */

/* Control word. */
struct cword {
        unsigned int __attribute__ ((__packed__))
                rounds:4,
                algo:3,
                keygen:1,
                interm:1,
                encdec:1,
                ksize:2;
} __attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));

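/*
 * How this driver uses the control-word bits (a descriptive note derived
 * from the code below, not a full restatement of the VIA programming
 * guide): "rounds" holds the AES round count (10/12/14), "ksize" encodes
 * the key length (0/1/2 for 128/192/256-bit keys), "encdec" is set for
 * decryption, and "keygen" is set when a software-expanded key schedule
 * is supplied instead of the raw key.  "algo" and "interm" are left at
 * zero by this driver.
 */
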
/* Whenever making any changes to the following
 * structure *make sure* you keep E, d_data
 * and cword aligned on 16-byte boundaries and that
 * the hardware can access 16 * 16 bytes of E and d_data
 * (only the first 15 * 16 bytes matter but the HW reads
 * the full 16 * 16 bytes).
 */
struct aes_ctx {
        u32 E[AES_MAX_KEYLENGTH_U32]
                __attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
        u32 d_data[AES_MAX_KEYLENGTH_U32]
                __attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
        struct {
                struct cword encrypt;
                struct cword decrypt;
        } cword;
        u32 *D;
};

static DEFINE_PER_CPU(struct cword *, last_cword);

/* Tells whether the ACE is capable of generating
   the extended key for a given key_len. */
static inline int
aes_hw_extkey_available(uint8_t key_len)
{
        /* TODO: We should check the actual CPU model/stepping
                 as it's possible that the capability will be
                 added in the next CPU revisions. */
        if (key_len == 16)
                return 1;
        return 0;
}

static inline struct aes_ctx *aes_ctx_common(void *ctx)
{
        unsigned long addr = (unsigned long)ctx;
        unsigned long align = PADLOCK_ALIGNMENT;

        if (align <= crypto_tfm_ctx_alignment())
                align = 1;
        return (struct aes_ctx *)ALIGN(addr, align);
}

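/*
 * Illustrative example (not part of the original source): with
 * PADLOCK_ALIGNMENT == 16, a context handed to us at e.g. 0x...c8 is
 * rounded up to 0x...d0 so that E, d_data and the control words meet the
 * engine's 16-byte alignment requirement; if the crypto API already
 * guarantees at least that alignment, align is set to 1 and ALIGN() is a
 * no-op.
 */
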
static inline struct aes_ctx *aes_ctx(struct crypto_tfm *tfm)
{
        return aes_ctx_common(crypto_tfm_ctx(tfm));
}

static inline struct aes_ctx *blk_aes_ctx(struct crypto_blkcipher *tfm)
{
        return aes_ctx_common(crypto_blkcipher_ctx(tfm));
}

static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
                       unsigned int key_len)
{
        struct aes_ctx *ctx = aes_ctx(tfm);
        const __le32 *key = (const __le32 *)in_key;
        u32 *flags = &tfm->crt_flags;
        struct crypto_aes_ctx gen_aes;
        int cpu;

        if (key_len % 8) {
                *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
                return -EINVAL;
        }

        /*
         * If the hardware is capable of generating the extended key
         * itself we must supply the plain key for both encryption
         * and decryption.
         */
        ctx->D = ctx->E;

        ctx->E[0] = le32_to_cpu(key[0]);
        ctx->E[1] = le32_to_cpu(key[1]);
        ctx->E[2] = le32_to_cpu(key[2]);
        ctx->E[3] = le32_to_cpu(key[3]);

        /* Prepare control words. */
        memset(&ctx->cword, 0, sizeof(ctx->cword));

        ctx->cword.decrypt.encdec = 1;
        ctx->cword.encrypt.rounds = 10 + (key_len - 16) / 4;
        ctx->cword.decrypt.rounds = ctx->cword.encrypt.rounds;
        ctx->cword.encrypt.ksize = (key_len - 16) / 8;
        ctx->cword.decrypt.ksize = ctx->cword.encrypt.ksize;

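        /*
         * Worked example of the arithmetic above: a key_len of 16/24/32
         * bytes gives rounds = 10 + 0/2/4 = 10/12/14 and ksize = 0/1/2,
         * matching the standard AES-128/192/256 round counts.
         */
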
        /* Don't generate extended keys if the hardware can do it. */
        if (aes_hw_extkey_available(key_len))
                goto ok;

        ctx->D = ctx->d_data;
        ctx->cword.encrypt.keygen = 1;
        ctx->cword.decrypt.keygen = 1;

        if (crypto_aes_expand_key(&gen_aes, in_key, key_len)) {
                *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
                return -EINVAL;
        }

        memcpy(ctx->E, gen_aes.key_enc, AES_MAX_KEYLENGTH);
        memcpy(ctx->D, gen_aes.key_dec, AES_MAX_KEYLENGTH);

ok:
        /* The key changed: invalidate any control word cached on any CPU
         * for this context so the next operation reloads the key. */
        for_each_online_cpu(cpu)
                if (&ctx->cword.encrypt == per_cpu(last_cword, cpu) ||
                    &ctx->cword.decrypt == per_cpu(last_cword, cpu))
                        per_cpu(last_cword, cpu) = NULL;

        return 0;
}

/* ====== Encryption/decryption routines ====== */

/* These are the real calls to PadLock. */
static inline void padlock_reset_key(struct cword *cword)
{
        int cpu = raw_smp_processor_id();

        if (cword != per_cpu(last_cword, cpu))
                asm volatile ("pushfl; popfl");
}

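/*
 * Editorial note: the PadLock engine caches the loaded key material and
 * reloads it when EFLAGS is written, which is what the pushfl/popfl
 * above forces.  The per-CPU last_cword tracking lets the driver skip
 * that reload when the same control word is used back to back on one
 * CPU.
 */
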
static inline void padlock_store_cword(struct cword *cword)
{
        per_cpu(last_cword, raw_smp_processor_id()) = cword;
}

/*
 * While the padlock instructions don't use FP/SSE registers, they
 * generate a spurious DNA fault when cr0.ts is '1'.  These instructions
 * should be used only inside the irq_ts_save/restore() context.
 */

static inline void padlock_xcrypt(const u8 *input, u8 *output, void *key,
                                  struct cword *control_word)
{
        asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"	/* rep xcryptecb */
                      : "+S"(input), "+D"(output)
                      : "d"(control_word), "b"(key), "c"(1));
}

static void aes_crypt_copy(const u8 *in, u8 *out, u32 *key, struct cword *cword)
{
        u8 buf[AES_BLOCK_SIZE * 2 + PADLOCK_ALIGNMENT - 1];
        u8 *tmp = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);

        memcpy(tmp, in, AES_BLOCK_SIZE);
        padlock_xcrypt(tmp, out, key, cword);
}

static inline void aes_crypt(const u8 *in, u8 *out, u32 *key,
                             struct cword *cword)
{
        /* padlock_xcrypt requires at least two blocks of data. */
        if (unlikely(!(((unsigned long)in ^ (PAGE_SIZE - AES_BLOCK_SIZE)) &
                       (PAGE_SIZE - 1)))) {
                aes_crypt_copy(in, out, key, cword);
                return;
        }

        padlock_xcrypt(in, out, key, cword);
}

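/*
 * Editorial note: the test above fires when the input block occupies the
 * last 16 bytes of a page.  Because the engine may read past the block
 * it is told to process, such an input is first copied into a local
 * buffer (aes_crypt_copy) that has a spare block of readable space,
 * avoiding a fault on the following, possibly unmapped, page.
 */
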
static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key,
                                      void *control_word, u32 count)
{
        if (count == 1) {
                aes_crypt(input, output, key, control_word);
                return;
        }

        asm volatile ("test $1, %%cl;"
                      "je 1f;"
                      "lea -1(%%ecx), %%eax;"
                      "mov $1, %%ecx;"
                      ".byte 0xf3,0x0f,0xa7,0xc8;"	/* rep xcryptecb */
                      "mov %%eax, %%ecx;"
                      "1:"
                      ".byte 0xf3,0x0f,0xa7,0xc8"	/* rep xcryptecb */
                      : "+S"(input), "+D"(output)
                      : "d"(control_word), "b"(key), "c"(count)
                      : "ax");
}

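/*
 * Editorial note: the asm above splits an odd block count into
 * 1 + (count - 1) so the rep xcryptecb that does the bulk of the work
 * always runs with an even count.  This appears to be a workaround for
 * engines that fetch source data two blocks at a time, where an odd
 * count would make the last fetch read one block past the end of the
 * buffer.
 */
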
static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
                                     u8 *iv, void *control_word, u32 count)
{
        asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"	/* rep xcryptcbc */
                      : "+S" (input), "+D" (output), "+a" (iv)
                      : "d" (control_word), "b" (key), "c" (count));
        return iv;
}

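/*
 * Editorial note: %eax is both an input (the IV) and an output here; the
 * CBC callers below use the returned pointer as the chaining value for
 * the next chunk and copy it back into walk.iv.
 */
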
static void aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
{
        struct aes_ctx *ctx = aes_ctx(tfm);
        int ts_state;

        padlock_reset_key(&ctx->cword.encrypt);
        ts_state = irq_ts_save();
        aes_crypt(in, out, ctx->E, &ctx->cword.encrypt);
        irq_ts_restore(ts_state);
        padlock_store_cword(&ctx->cword.encrypt);
}

static void aes_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
{
        struct aes_ctx *ctx = aes_ctx(tfm);
        int ts_state;

        padlock_reset_key(&ctx->cword.encrypt);
        ts_state = irq_ts_save();
        aes_crypt(in, out, ctx->D, &ctx->cword.decrypt);
        irq_ts_restore(ts_state);
        padlock_store_cword(&ctx->cword.encrypt);
}

static struct crypto_alg aes_alg = {
        .cra_name               = "aes",
        .cra_driver_name        = "aes-padlock",
        .cra_priority           = PADLOCK_CRA_PRIORITY,
        .cra_flags              = CRYPTO_ALG_TYPE_CIPHER,
        .cra_blocksize          = AES_BLOCK_SIZE,
        .cra_ctxsize            = sizeof(struct aes_ctx),
        .cra_alignmask          = PADLOCK_ALIGNMENT - 1,
        .cra_module             = THIS_MODULE,
        .cra_list               = LIST_HEAD_INIT(aes_alg.cra_list),
        .cra_u                  = {
                .cipher = {
                        .cia_min_keysize        = AES_MIN_KEY_SIZE,
                        .cia_max_keysize        = AES_MAX_KEY_SIZE,
                        .cia_setkey             = aes_set_key,
                        .cia_encrypt            = aes_encrypt,
                        .cia_decrypt            = aes_decrypt,
                }
        }
};

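/*
 * Editorial note: PADLOCK_CRA_PRIORITY (and PADLOCK_COMPOSITE_PRIORITY
 * below) comes from padlock.h; a higher priority lets the crypto API
 * pick these hardware-backed implementations over the generic software
 * "aes", "ecb(aes)" and "cbc(aes)" algorithms when callers do not
 * request a specific driver.
 */
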
static int ecb_aes_encrypt(struct blkcipher_desc *desc,
                           struct scatterlist *dst, struct scatterlist *src,
                           unsigned int nbytes)
{
        struct aes_ctx *ctx = blk_aes_ctx(desc->tfm);
        struct blkcipher_walk walk;
        int err;
        int ts_state;

        padlock_reset_key(&ctx->cword.encrypt);

        blkcipher_walk_init(&walk, dst, src, nbytes);
        err = blkcipher_walk_virt(desc, &walk);

        ts_state = irq_ts_save();
        while ((nbytes = walk.nbytes)) {
                padlock_xcrypt_ecb(walk.src.virt.addr, walk.dst.virt.addr,
                                   ctx->E, &ctx->cword.encrypt,
                                   nbytes / AES_BLOCK_SIZE);
                nbytes &= AES_BLOCK_SIZE - 1;
                err = blkcipher_walk_done(desc, &walk, nbytes);
        }
        irq_ts_restore(ts_state);

        padlock_store_cword(&ctx->cword.encrypt);

        return err;
}

static int ecb_aes_decrypt(struct blkcipher_desc *desc,
                           struct scatterlist *dst, struct scatterlist *src,
                           unsigned int nbytes)
{
        struct aes_ctx *ctx = blk_aes_ctx(desc->tfm);
        struct blkcipher_walk walk;
        int err;
        int ts_state;

        padlock_reset_key(&ctx->cword.decrypt);

        blkcipher_walk_init(&walk, dst, src, nbytes);
        err = blkcipher_walk_virt(desc, &walk);

        ts_state = irq_ts_save();
        while ((nbytes = walk.nbytes)) {
                padlock_xcrypt_ecb(walk.src.virt.addr, walk.dst.virt.addr,
                                   ctx->D, &ctx->cword.decrypt,
                                   nbytes / AES_BLOCK_SIZE);
                nbytes &= AES_BLOCK_SIZE - 1;
                err = blkcipher_walk_done(desc, &walk, nbytes);
        }
        irq_ts_restore(ts_state);

        padlock_store_cword(&ctx->cword.encrypt);

        return err;
}

static struct crypto_alg ecb_aes_alg = {
        .cra_name               = "ecb(aes)",
        .cra_driver_name        = "ecb-aes-padlock",
        .cra_priority           = PADLOCK_COMPOSITE_PRIORITY,
        .cra_flags              = CRYPTO_ALG_TYPE_BLKCIPHER,
        .cra_blocksize          = AES_BLOCK_SIZE,
        .cra_ctxsize            = sizeof(struct aes_ctx),
        .cra_alignmask          = PADLOCK_ALIGNMENT - 1,
        .cra_type               = &crypto_blkcipher_type,
        .cra_module             = THIS_MODULE,
        .cra_list               = LIST_HEAD_INIT(ecb_aes_alg.cra_list),
        .cra_u                  = {
                .blkcipher = {
                        .min_keysize            = AES_MIN_KEY_SIZE,
                        .max_keysize            = AES_MAX_KEY_SIZE,
                        .setkey                 = aes_set_key,
                        .encrypt                = ecb_aes_encrypt,
                        .decrypt                = ecb_aes_decrypt,
                }
        }
};

static int cbc_aes_encrypt(struct blkcipher_desc *desc,
                           struct scatterlist *dst, struct scatterlist *src,
                           unsigned int nbytes)
{
        struct aes_ctx *ctx = blk_aes_ctx(desc->tfm);
        struct blkcipher_walk walk;
        int err;
        int ts_state;

        padlock_reset_key(&ctx->cword.encrypt);

        blkcipher_walk_init(&walk, dst, src, nbytes);
        err = blkcipher_walk_virt(desc, &walk);

        ts_state = irq_ts_save();
        while ((nbytes = walk.nbytes)) {
                u8 *iv = padlock_xcrypt_cbc(walk.src.virt.addr,
                                            walk.dst.virt.addr, ctx->E,
                                            walk.iv, &ctx->cword.encrypt,
                                            nbytes / AES_BLOCK_SIZE);
                memcpy(walk.iv, iv, AES_BLOCK_SIZE);
                nbytes &= AES_BLOCK_SIZE - 1;
                err = blkcipher_walk_done(desc, &walk, nbytes);
        }
        irq_ts_restore(ts_state);

        padlock_store_cword(&ctx->cword.decrypt);

        return err;
}

static int cbc_aes_decrypt(struct blkcipher_desc *desc,
                           struct scatterlist *dst, struct scatterlist *src,
                           unsigned int nbytes)
{
        struct aes_ctx *ctx = blk_aes_ctx(desc->tfm);
        struct blkcipher_walk walk;
        int err;
        int ts_state;

        padlock_reset_key(&ctx->cword.encrypt);

        blkcipher_walk_init(&walk, dst, src, nbytes);
        err = blkcipher_walk_virt(desc, &walk);

        ts_state = irq_ts_save();
        while ((nbytes = walk.nbytes)) {
                padlock_xcrypt_cbc(walk.src.virt.addr, walk.dst.virt.addr,
                                   ctx->D, walk.iv, &ctx->cword.decrypt,
                                   nbytes / AES_BLOCK_SIZE);
                nbytes &= AES_BLOCK_SIZE - 1;
                err = blkcipher_walk_done(desc, &walk, nbytes);
        }
        irq_ts_restore(ts_state);

        padlock_store_cword(&ctx->cword.encrypt);

        return err;
}

static struct crypto_alg cbc_aes_alg = {
        .cra_name               = "cbc(aes)",
        .cra_driver_name        = "cbc-aes-padlock",
        .cra_priority           = PADLOCK_COMPOSITE_PRIORITY,
        .cra_flags              = CRYPTO_ALG_TYPE_BLKCIPHER,
        .cra_blocksize          = AES_BLOCK_SIZE,
        .cra_ctxsize            = sizeof(struct aes_ctx),
        .cra_alignmask          = PADLOCK_ALIGNMENT - 1,
        .cra_type               = &crypto_blkcipher_type,
        .cra_module             = THIS_MODULE,
        .cra_list               = LIST_HEAD_INIT(cbc_aes_alg.cra_list),
        .cra_u                  = {
                .blkcipher = {
                        .min_keysize            = AES_MIN_KEY_SIZE,
                        .max_keysize            = AES_MAX_KEY_SIZE,
                        .ivsize                 = AES_BLOCK_SIZE,
                        .setkey                 = aes_set_key,
                        .encrypt                = cbc_aes_encrypt,
                        .decrypt                = cbc_aes_decrypt,
                }
        }
};

static int __init padlock_init(void)
{
        int ret;

        if (!cpu_has_xcrypt) {
                printk(KERN_NOTICE PFX "VIA PadLock not detected.\n");
                return -ENODEV;
        }

        if (!cpu_has_xcrypt_enabled) {
                printk(KERN_NOTICE PFX "VIA PadLock detected, but not enabled. Hmm, strange...\n");
                return -ENODEV;
        }

        if ((ret = crypto_register_alg(&aes_alg)))
                goto aes_err;

        if ((ret = crypto_register_alg(&ecb_aes_alg)))
                goto ecb_aes_err;

        if ((ret = crypto_register_alg(&cbc_aes_alg)))
                goto cbc_aes_err;

        printk(KERN_NOTICE PFX "Using VIA PadLock ACE for AES algorithm.\n");

out:
        return ret;

cbc_aes_err:
        crypto_unregister_alg(&ecb_aes_alg);
ecb_aes_err:
        crypto_unregister_alg(&aes_alg);
aes_err:
        printk(KERN_ERR PFX "VIA PadLock AES initialization failed.\n");
        goto out;
}

static void __exit padlock_fini(void)
{
        crypto_unregister_alg(&cbc_aes_alg);
        crypto_unregister_alg(&ecb_aes_alg);
        crypto_unregister_alg(&aes_alg);
}

module_init(padlock_init);
module_exit(padlock_fini);

MODULE_DESCRIPTION("VIA PadLock AES algorithm support");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Michal Ludvig");

MODULE_ALIAS("aes-all");