RE: [PATCH 1/2] crypto: caam - add support for gcm(aes)

2014-10-10 Thread tudor.amba...@freescale.com

On Thu, 9 Oct 2014 17:54:09 +0300
Tudor Ambarus tudor.amba...@freescale.com wrote:

 + /*
 +  * Job Descriptor and Shared Descriptors
 +  * must all fit into the 64-word Descriptor h/w Buffer
 +  */
 + if (DESC_GCM_DEC_LEN + DESC_JOB_IO_LEN +
 + ctx-enckeylen = CAAM_DESC_BYTES_MAX)
 + keys_fit_inline = true;

we need to reset the encrypt descriptor's keys_fit_inline setting to false 
before re-evaluating for decrypt.
[TA] Agreed. 

 + /* Galois Counter Mode */
 + {
 + .name = gcm(aes),
 + .driver_name = gcm-aes-caam,
 + .blocksize = 1,
 + .type = CRYPTO_ALG_TYPE_AEAD,
 + .template_aead = {
 + .setkey = gcm_setkey,
 + .setauthsize = gcm_setauthsize,
 + .encrypt = aead_encrypt,
 + .decrypt = aead_decrypt,
 + .givencrypt = NULL,
 + .geniv = built-in,
 + .ivsize = 12,
 + .maxauthsize = 16,

AES_BLOCK_SIZE
[TA] I think we shall not change the blocksize value to AES_BLOCK_SIZE.
GCM uses a block cipher as a stream cipher. It generates encryption blocks, 
which are then XORed with the plaintext blocks to get the ciphertext. Just as 
with other stream ciphers, flipping a bit in the ciphertext produces a flipped 
bit in the plaintext at the same location.


Thanks,

Kim


Re: [PATCH 1/2] crypto: caam - add support for gcm(aes)

2014-10-10 Thread Kim Phillips
On Fri, 10 Oct 2014 03:47:18 -0500
Ambarus Tudor-Dan-B38632 tudor.amba...@freescale.com wrote:

 On Thu, 9 Oct 2014 17:54:09 +0300
 Tudor Ambarus tudor.amba...@freescale.com wrote:
  +   /* Galois Counter Mode */
  +   {
  +   .name = gcm(aes),
  +   .driver_name = gcm-aes-caam,
  +   .blocksize = 1,
  +   .type = CRYPTO_ALG_TYPE_AEAD,
  +   .template_aead = {
  +   .setkey = gcm_setkey,
  +   .setauthsize = gcm_setauthsize,
  +   .encrypt = aead_encrypt,
  +   .decrypt = aead_decrypt,
  +   .givencrypt = NULL,
  +   .geniv = built-in,
  +   .ivsize = 12,
  +   .maxauthsize = 16,
 
 AES_BLOCK_SIZE
 [TA] I think we shall not change the blocksize value to AES_BLOCK_SIZE.
 GCM uses a block cipher as a stream cipher. It generates encryption blocks, 
 which are then XORed with the plaintext blocks to get the ciphertext. Just as 
 with other stream ciphers, flipping a bit in the ciphertext produces a 
 flipped bit in the plaintext at the same location.
 

Sorry, I meant just .maxauthsize = AES_BLOCK_SIZE.

Kim


[PATCH 1/2] crypto: caam - add support for gcm(aes)

2014-10-09 Thread Tudor Ambarus
Add support for AES working in Galois Counter Mode.

There is a limitation related to IV size, similar to the one present in
SW implementation (crypto/gcm.c):
The only IV size allowed is 12 bytes. It will be padded by HW to the right
with 0x0000_0001 (up to 16 bytes - AES block size), according to the GCM
specification.

Signed-off-by: Tudor Ambarus tudor.amba...@freescale.com
Signed-off-by: Horia Geanta horia.gea...@freescale.com
---
 drivers/crypto/caam/caamalg.c | 330 --
 1 file changed, 320 insertions(+), 10 deletions(-)

diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
index a80ea85..6178e95 100644
--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -74,6 +74,10 @@
 #define DESC_AEAD_NULL_ENC_LEN (DESC_AEAD_NULL_BASE + 14 * CAAM_CMD_SZ)
 #define DESC_AEAD_NULL_DEC_LEN (DESC_AEAD_NULL_BASE + 17 * CAAM_CMD_SZ)
 
+#define DESC_GCM_BASE  (3 * CAAM_CMD_SZ)
+#define DESC_GCM_ENC_LEN   (DESC_GCM_BASE + 23 * CAAM_CMD_SZ)
+#define DESC_GCM_DEC_LEN   (DESC_GCM_BASE + 19 * CAAM_CMD_SZ)
+
 #define DESC_ABLKCIPHER_BASE   (3 * CAAM_CMD_SZ)
 #define DESC_ABLKCIPHER_ENC_LEN(DESC_ABLKCIPHER_BASE + \
 20 * CAAM_CMD_SZ)
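Review bot: DESC_GCM_ENC_LEN and DESC_GCM_DEC_LEN are hand-counted command totals (23 and 19 commands on top of the 3-command base) with nothing in this hunk tying them to the descriptor that gcm_set_sh_desc() actually builds, yet later in the patch they are the input to the keys_fit_inline decision that keeps the shared descriptor plus job descriptor within CAAM_DESC_BYTES_MAX. An undercount here would let the key be inlined when the combined descriptor no longer fits the 64-word hardware buffer, and that is a silent overrun rather than a build-time error. I would add a comment above the two defines: `/* Must match the command count appended in gcm_set_sh_desc(); these lengths gate the keys_fit_inline check against CAAM_DESC_BYTES_MAX. */`. A size check on the finished descriptor at construction time would catch drift between the two, but I cannot see from this hunk whether the driver already has a helper for that.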
@@ -630,6 +634,235 @@ static int aead_setauthsize(struct crypto_aead *authenc,
return 0;
 }
 
+static int gcm_set_sh_desc(struct crypto_aead *aead)
+{
+   struct aead_tfm *tfm = aead-base.crt_aead;
+   struct caam_ctx *ctx = crypto_aead_ctx(aead);
+   struct device *jrdev = ctx-jrdev;
+   bool keys_fit_inline = false;
+   u32 *key_jump_cmd, *zero_payload_jump_cmd,
+   *zero_assoc_jump_cmd1, *zero_assoc_jump_cmd2;
+   u32 *desc;
+
+   if (!ctx-enckeylen || !ctx-authsize)
+   return 0;
+
+   /*
+* AES GCM encrypt shared descriptor
+* Job Descriptor and Shared Descriptor
+* must fit into the 64-word Descriptor h/w Buffer
+*/
+   if (DESC_GCM_ENC_LEN + DESC_JOB_IO_LEN +
+   ctx-enckeylen = CAAM_DESC_BYTES_MAX)
+   keys_fit_inline = true;
+
+   desc = ctx-sh_desc_enc;
+
+   init_sh_desc(desc, HDR_SHARE_SERIAL);
+
+   /* skip key loading if they are loaded due to sharing */
+   key_jump_cmd = append_jump(desc, JUMP_JSL | JUMP_TEST_ALL |
+  JUMP_COND_SHRD | JUMP_COND_SELF);
+   if (keys_fit_inline)
+   append_key_as_imm(desc, (void *)ctx-key, ctx-enckeylen,
+ ctx-enckeylen, CLASS_1 | KEY_DEST_CLASS_REG);
+   else
+   append_key(desc, ctx-key_dma, ctx-enckeylen,
+  CLASS_1 | KEY_DEST_CLASS_REG);
+   set_jump_tgt_here(desc, key_jump_cmd);
+
+   /* class 1 operation */
+   append_operation(desc, ctx-class1_alg_type |
+OP_ALG_AS_INITFINAL | OP_ALG_ENCRYPT);
+
+   /* cryptlen = seqoutlen - authsize */
+   append_math_sub_imm_u32(desc, REG3, SEQOUTLEN, IMM, ctx-authsize);
+
+   /* assoclen + cryptlen = seqinlen - ivsize */
+   append_math_sub_imm_u32(desc, REG2, SEQINLEN, IMM, tfm-ivsize);
+
+   /* assoclen = (assoclen + cryptlen) - cryptlen */
+   append_math_sub(desc, REG1, REG2, REG3, CAAM_CMD_SZ);
+
+   /* if cryptlen is ZERO jump to zero-payload commands */
+   append_math_add(desc, VARSEQOUTLEN, ZERO, REG3, CAAM_CMD_SZ);
+   zero_payload_jump_cmd = append_jump(desc, JUMP_TEST_ALL |
+   JUMP_COND_MATH_Z);
+   /* read IV */
+   append_seq_fifo_load(desc, tfm-ivsize, FIFOLD_CLASS_CLASS1 |
+FIFOLD_TYPE_IV | FIFOLD_TYPE_FLUSH1);
+
+   /* if assoclen is ZERO, skip reading the assoc data */
+   append_math_add(desc, VARSEQINLEN, ZERO, REG1, CAAM_CMD_SZ);
+   zero_assoc_jump_cmd1 = append_jump(desc, JUMP_TEST_ALL |
+  JUMP_COND_MATH_Z);
+
+   /* read assoc data */
+   append_seq_fifo_load(desc, 0, FIFOLD_CLASS_CLASS1 | FIFOLDST_VLF |
+FIFOLD_TYPE_AAD | FIFOLD_TYPE_FLUSH1);
+   set_jump_tgt_here(desc, zero_assoc_jump_cmd1);
+
+   append_math_add(desc, VARSEQINLEN, ZERO, REG3, CAAM_CMD_SZ);
+
+   /* write encrypted data */
+   append_seq_fifo_store(desc, 0, FIFOST_TYPE_MESSAGE_DATA | FIFOLDST_VLF);
+
+   /* read payload data */
+   append_seq_fifo_load(desc, 0, FIFOLD_CLASS_CLASS1 | FIFOLDST_VLF |
+FIFOLD_TYPE_MSG | FIFOLD_TYPE_LAST1);
+
+   /* jump the zero-payload commands */
+   append_jump(desc, JUMP_TEST_ALL | 7);
+
+   /* zero-payload commands */
+   set_jump_tgt_here(desc, zero_payload_jump_cmd);
+
+   /* if assoclen is ZERO, jump to IV reading - is the only input data */
+   append_math_add(desc, VARSEQINLEN, ZERO, REG1, CAAM_CMD_SZ);
+   

Re: [PATCH 1/2] crypto: caam - add support for gcm(aes)

2014-10-09 Thread Kim Phillips
On Thu, 9 Oct 2014 17:54:09 +0300
Tudor Ambarus tudor.amba...@freescale.com wrote:

 + /*
 +  * Job Descriptor and Shared Descriptors
 +  * must all fit into the 64-word Descriptor h/w Buffer
 +  */
 + if (DESC_GCM_DEC_LEN + DESC_JOB_IO_LEN +
 + ctx-enckeylen = CAAM_DESC_BYTES_MAX)
 + keys_fit_inline = true;

we need to reset the encrypt descriptor's keys_fit_inline setting to
false before re-evaluating for decrypt.

 + /* Galois Counter Mode */
 + {
 + .name = gcm(aes),
 + .driver_name = gcm-aes-caam,
 + .blocksize = 1,
 + .type = CRYPTO_ALG_TYPE_AEAD,
 + .template_aead = {
 + .setkey = gcm_setkey,
 + .setauthsize = gcm_setauthsize,
 + .encrypt = aead_encrypt,
 + .decrypt = aead_decrypt,
 + .givencrypt = NULL,
 + .geniv = built-in,
 + .ivsize = 12,
 + .maxauthsize = 16,

AES_BLOCK_SIZE

Thanks,

Kim