From patchwork Tue Oct 15 08:14:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 176373 Delivered-To: patch@linaro.org Received: by 2002:a92:7e96:0:0:0:0:0 with SMTP id q22csp5571717ill; Tue, 15 Oct 2019 01:14:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqzk+q/i+SHb5TyQ00XO3Oy+pckA9Nxpy8YFEyIumcrJQaa6/DrfX4jaVoaQKr9yWln/V8iH X-Received: by 2002:a17:906:309b:: with SMTP id 27mr32479948ejv.243.1571127260175; Tue, 15 Oct 2019 01:14:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1571127260; cv=none; d=google.com; s=arc-20160816; b=Xt4HOIZQfVlDKVEQP5aSoW6yexhgB4ccRNH9etCcKv+fe9GE4rmH/7RlKhwsU+EKNc kq0aN+rRAPyQV6xQ48cuBpave9V4BGNrOUQ63+CIii0cl7VUKR0YyUgJbeHxCEU2+I7H j2tYIyirYcfVRT1eabdkWxU7tku7nXY5vyQ6cjDS0xBgntfljT8BTIilaEJiEQYDNFNG uVxRbrrjJC7CayjpEtagtLqltHYm37mRyWl4N0zGldFhm1BQxYq36fyNp7q84XMZk/Iu tglAxN2BtxA/TIuf4jostDP5GEAcbcJ2iIMx3IgOsC6Zf8VFmZIg3vsWTDN9hAHFzJ6w id7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=CNzhRj9715dIAlH5g4GbpFfzHsByaP7eq8QaF1Kazok=; b=i85IGLdN2CWxBw6bplRYdDHWv/4oI3WbSYJZjUorxwakeo3XjQqXPXE459Rfcby7Pj Gz0le4sEr5cqJPjYomDYA69IEt8kjq1YkrIDDsfZb7g+aDSudPK0EAHNxcA4Odh3t6JB ioY2VPc2EkbBNy1ToiL5yhxJKTP2oTmJwuXb35hRz6OprIJl16Q9C6Kdz4R98o5HYA17 1X5vZd+/90Sp8lI3t0/1+0c2+LCkz7STP5X6zN8Z9deir3oq8MLEclma5o5S6EWIWs3t Oc5HfVjPJ5uXrH7bace9p+YHvYfnp78/gtfv0a4VFBbWcwozOGOxw0OKd2nd0RkO+FTH vwrg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=BM+3d1XI; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d1si13043566eds.148.2019.10.15.01.14.20; Tue, 15 Oct 2019 01:14:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=BM+3d1XI; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728580AbfJOIOT (ORCPT + 3 others); Tue, 15 Oct 2019 04:14:19 -0400 Received: from mail-wr1-f68.google.com ([209.85.221.68]:38996 "EHLO mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728560AbfJOIOT (ORCPT ); Tue, 15 Oct 2019 04:14:19 -0400 Received: by mail-wr1-f68.google.com with SMTP id r3so22646155wrj.6 for ; Tue, 15 Oct 2019 01:14:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id; bh=CNzhRj9715dIAlH5g4GbpFfzHsByaP7eq8QaF1Kazok=; b=BM+3d1XI4HFrlSwLIpH7fjaZOfh/yUWXNrzZEk5ESrYBV9gzoWA4PXL96UVQMwKCyt v5bk973NJZmSURWE8XT2tp4ta2Oj4D3cAzbBqM864BQfa+a6d9xgnlS5IZeqtIPs1ZqU VogHniayaoRH98Oj534/0KtVgU52BKl4geBKsp85EvlFghSlgiI0E+3AlVrj/smvSCnD J1s7AQ0ofxF2t0T74cIVbTnYIbFIWn4S2kvwqAW3yMW64Bu2gISf52eg+v24naZbKZm1 gBvnyC6KBrE+dVxltIwAxL8a7ut+/LbGlE8BO5yYLvT9zsPlFUS1mxTPuB67SpFEuuaC BQwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=CNzhRj9715dIAlH5g4GbpFfzHsByaP7eq8QaF1Kazok=; b=h6mdGWYg37ULcriDCVO71pJKl50CarUDy74RcIzsD4ROfIV7GuvFkY/K/35Aiper1y wGJjuTcl4t/1Co9fGxwvXq0pxKmv+qmfJlVkEWFmPqSuNo5zwOZAnA2z1vfqnQ991hy+ HkO2ol3L4tQAfSqCfcRE5pwi5G2AuBl0MbexOeWp6qoAfaym28UMNndWhB+gc+OUiSQ8 I2zxmfoIlKiS95oUgKR6KrrrYzsYgp3dejNsFX9bfJjIbm6dlDREoSzZ45wkP6g3SZH9 KmmcHWawV/84owz8NisOh1xNj/D79515mR4DaGTLTc+sf63jaz8rHk1eNCNK4f0q+6cf rlEQ== X-Gm-Message-State: APjAAAWjLoUSE9JgSa4V0wpNCghV87lyXng6C9D0A2lZcnuuBJfirGZd /j3hF3nvCgCkyh4CTD7KnX1eg6WMQh7ylkuT X-Received: by 2002:adf:de85:: with SMTP id w5mr28706856wrl.278.1571127255179; Tue, 15 Oct 2019 01:14:15 -0700 (PDT) Received: from e123331-lin.home (lfbn-mar-1-643-104.w90-118.abo.wanadoo.fr. [90.118.215.104]) by smtp.gmail.com with ESMTPSA id b7sm22427078wrx.56.2019.10.15.01.14.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Oct 2019 01:14:14 -0700 (PDT) From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, Ard Biesheuvel , Eric Biggers Subject: [PATCH] crypto: powerpc/spe-xts - implement support for ciphertext stealing Date: Tue, 15 Oct 2019 10:14:12 +0200 Message-Id: <20191015081412.5295-1-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.17.1 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Add the logic to deal with input sizes that are not a round multiple of the AES block size, as described by the XTS spec. This brings the SPE implementation in line with other kernel drivers that have been updated recently to take this into account. Cc: Eric Biggers Signed-off-by: Ard Biesheuvel --- This applies onto Eric's series 'crypto: powerpc - convert SPE AES algorithms to skcipher API', which helpfully contained instructions how to run this code under QEMU, allowing me to test the changes below. arch/powerpc/crypto/aes-spe-glue.c | 81 +++++++++++++++++++- 1 file changed, 79 insertions(+), 2 deletions(-) -- 2.17.1 diff --git a/arch/powerpc/crypto/aes-spe-glue.c b/arch/powerpc/crypto/aes-spe-glue.c index f828f8bcd0c6..1fad5d4c658d 100644 --- a/arch/powerpc/crypto/aes-spe-glue.c +++ b/arch/powerpc/crypto/aes-spe-glue.c @@ -19,6 +19,8 @@ #include #include #include +#include +#include /* * MAX_BYTES defines the number of bytes that are allowed to be processed @@ -327,12 +329,87 @@ static int ppc_xts_crypt(struct skcipher_request *req, bool enc) static int ppc_xts_encrypt(struct skcipher_request *req) { - return ppc_xts_crypt(req, true); + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); + struct ppc_xts_ctx *ctx = crypto_skcipher_ctx(tfm); + int tail = req->cryptlen % AES_BLOCK_SIZE; + int offset = req->cryptlen - tail - AES_BLOCK_SIZE; + struct skcipher_request subreq; + u8 b[2][AES_BLOCK_SIZE]; + int err; + + if (req->cryptlen < AES_BLOCK_SIZE) + return -EINVAL; + + if (tail) { + subreq = *req; + skcipher_request_set_crypt(&subreq, req->src, req->dst, + req->cryptlen - tail, req->iv); + req = &subreq; + } + + err = ppc_xts_crypt(req, true); + if (err || !tail) + return err; + + scatterwalk_map_and_copy(b[0], req->dst, offset, AES_BLOCK_SIZE, 0); + memcpy(b[1], b[0], tail); + scatterwalk_map_and_copy(b[0], req->src, offset + AES_BLOCK_SIZE, tail, 0); + + spe_begin(); + ppc_encrypt_xts(b[0], b[0], ctx->key_enc, ctx->rounds, AES_BLOCK_SIZE, + req->iv, NULL); + spe_end(); + + scatterwalk_map_and_copy(b[0], req->dst, offset, AES_BLOCK_SIZE + tail, 1); + + return 0; } static int ppc_xts_decrypt(struct skcipher_request *req) { - return ppc_xts_crypt(req, false); + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); + struct ppc_xts_ctx *ctx = crypto_skcipher_ctx(tfm); + int tail = req->cryptlen % AES_BLOCK_SIZE; + int offset = req->cryptlen - tail - AES_BLOCK_SIZE; + struct skcipher_request subreq; + u8 b[3][AES_BLOCK_SIZE]; + le128 twk; + int err; + + if (req->cryptlen < AES_BLOCK_SIZE) + return -EINVAL; + + if (tail) { + subreq = *req; + skcipher_request_set_crypt(&subreq, req->src, req->dst, + offset, req->iv); + req = &subreq; + } + + err = ppc_xts_crypt(req, false); + if (err || !tail) + return err; + + scatterwalk_map_and_copy(b[1], req->src, offset, AES_BLOCK_SIZE + tail, 0); + + spe_begin(); + if (!offset) + ppc_encrypt_ecb(req->iv, req->iv, ctx->key_twk, ctx->rounds, + AES_BLOCK_SIZE); + + gf128mul_x_ble(&twk, (le128 *)req->iv); + + ppc_decrypt_xts(b[1], b[1], ctx->key_dec, ctx->rounds, AES_BLOCK_SIZE, + (u8 *)&twk, NULL); + memcpy(b[0], b[2], tail); + memcpy(b[0] + tail, b[1] + tail, AES_BLOCK_SIZE - tail); + ppc_decrypt_xts(b[0], b[0], ctx->key_dec, ctx->rounds, AES_BLOCK_SIZE, + req->iv, NULL); + spe_end(); + + scatterwalk_map_and_copy(b[0], req->dst, offset, AES_BLOCK_SIZE + tail, 1); + + return 0; } /*