2 * Bit sliced AES using NEON instructions
4 * Copyright (C) 2016 Linaro Ltd <ard.biesheuvel@linaro.org>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
12 #include <crypto/aes.h>
13 #include <crypto/internal/simd.h>
14 #include <crypto/internal/skcipher.h>
15 #include <crypto/xts.h>
16 #include <linux/module.h>
18 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
19 MODULE_LICENSE("GPL v2");
21 MODULE_ALIAS_CRYPTO("ecb(aes)");
22 MODULE_ALIAS_CRYPTO("cbc(aes)");
23 MODULE_ALIAS_CRYPTO("ctr(aes)");
24 MODULE_ALIAS_CRYPTO("xts(aes)");
26 asmlinkage void aesbs_convert_key(u8 out[], u32 const rk[], int rounds);
28 asmlinkage void aesbs_ecb_encrypt(u8 out[], u8 const in[], u8 const rk[],
29 int rounds, int blocks);
30 asmlinkage void aesbs_ecb_decrypt(u8 out[], u8 const in[], u8 const rk[],
31 int rounds, int blocks);
33 asmlinkage void aesbs_cbc_decrypt(u8 out[], u8 const in[], u8 const rk[],
34 int rounds, int blocks, u8 iv[]);
36 asmlinkage void aesbs_ctr_encrypt(u8 out[], u8 const in[], u8 const rk[],
37 int rounds, int blocks, u8 iv[], u8 final[]);
39 asmlinkage void aesbs_xts_encrypt(u8 out[], u8 const in[], u8 const rk[],
40 int rounds, int blocks, u8 iv[]);
41 asmlinkage void aesbs_xts_decrypt(u8 out[], u8 const in[], u8 const rk[],
42 int rounds, int blocks, u8 iv[]);
44 /* borrowed from aes-neon-blk.ko */
45 asmlinkage void neon_aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[],
46 int rounds, int blocks, int first);
47 asmlinkage void neon_aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[],
48 int rounds, int blocks, u8 iv[],
52 u8 rk[13 * (8 * AES_BLOCK_SIZE) + 32];
54 } __aligned(AES_BLOCK_SIZE);
56 struct aesbs_cbc_ctx {
58 u32 enc[AES_MAX_KEYLENGTH_U32];
61 struct aesbs_xts_ctx {
63 u32 twkey[AES_MAX_KEYLENGTH_U32];
66 static int aesbs_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
69 struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm);
70 struct crypto_aes_ctx rk;
73 err = crypto_aes_expand_key(&rk, in_key, key_len);
77 ctx->rounds = 6 + key_len / 4;
80 aesbs_convert_key(ctx->rk, rk.key_enc, ctx->rounds);
86 static int __ecb_crypt(struct skcipher_request *req,
87 void (*fn)(u8 out[], u8 const in[], u8 const rk[],
88 int rounds, int blocks))
90 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
91 struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm);
92 struct skcipher_walk walk;
95 err = skcipher_walk_virt(&walk, req, true);
98 while (walk.nbytes >= AES_BLOCK_SIZE) {
99 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
101 if (walk.nbytes < walk.total)
102 blocks = round_down(blocks,
103 walk.stride / AES_BLOCK_SIZE);
105 fn(walk.dst.virt.addr, walk.src.virt.addr, ctx->rk,
106 ctx->rounds, blocks);
107 err = skcipher_walk_done(&walk,
108 walk.nbytes - blocks * AES_BLOCK_SIZE);
115 static int ecb_encrypt(struct skcipher_request *req)
117 return __ecb_crypt(req, aesbs_ecb_encrypt);
120 static int ecb_decrypt(struct skcipher_request *req)
122 return __ecb_crypt(req, aesbs_ecb_decrypt);
125 static int aesbs_cbc_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
126 unsigned int key_len)
128 struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm);
129 struct crypto_aes_ctx rk;
132 err = crypto_aes_expand_key(&rk, in_key, key_len);
136 ctx->key.rounds = 6 + key_len / 4;
138 memcpy(ctx->enc, rk.key_enc, sizeof(ctx->enc));
141 aesbs_convert_key(ctx->key.rk, rk.key_enc, ctx->key.rounds);
147 static int cbc_encrypt(struct skcipher_request *req)
149 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
150 struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm);
151 struct skcipher_walk walk;
154 err = skcipher_walk_virt(&walk, req, true);
157 while (walk.nbytes >= AES_BLOCK_SIZE) {
158 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
160 /* fall back to the non-bitsliced NEON implementation */
161 neon_aes_cbc_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
162 ctx->enc, ctx->key.rounds, blocks, walk.iv,
164 err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE);
171 static int cbc_decrypt(struct skcipher_request *req)
173 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
174 struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm);
175 struct skcipher_walk walk;
178 err = skcipher_walk_virt(&walk, req, true);
181 while (walk.nbytes >= AES_BLOCK_SIZE) {
182 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
184 if (walk.nbytes < walk.total)
185 blocks = round_down(blocks,
186 walk.stride / AES_BLOCK_SIZE);
188 aesbs_cbc_decrypt(walk.dst.virt.addr, walk.src.virt.addr,
189 ctx->key.rk, ctx->key.rounds, blocks,
191 err = skcipher_walk_done(&walk,
192 walk.nbytes - blocks * AES_BLOCK_SIZE);
199 static int ctr_encrypt(struct skcipher_request *req)
201 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
202 struct aesbs_ctx *ctx = crypto_skcipher_ctx(tfm);
203 struct skcipher_walk walk;
204 u8 buf[AES_BLOCK_SIZE];
207 err = skcipher_walk_virt(&walk, req, true);
210 while (walk.nbytes > 0) {
211 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
212 u8 *final = (walk.total % AES_BLOCK_SIZE) ? buf : NULL;
214 if (walk.nbytes < walk.total) {
215 blocks = round_down(blocks,
216 walk.stride / AES_BLOCK_SIZE);
220 aesbs_ctr_encrypt(walk.dst.virt.addr, walk.src.virt.addr,
221 ctx->rk, ctx->rounds, blocks, walk.iv, final);
224 u8 *dst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
225 u8 *src = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
228 memcpy(dst, src, walk.total % AES_BLOCK_SIZE);
229 crypto_xor(dst, final, walk.total % AES_BLOCK_SIZE);
231 err = skcipher_walk_done(&walk, 0);
234 err = skcipher_walk_done(&walk,
235 walk.nbytes - blocks * AES_BLOCK_SIZE);
242 static int aesbs_xts_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
243 unsigned int key_len)
245 struct aesbs_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
246 struct crypto_aes_ctx rk;
249 err = xts_verify_key(tfm, in_key, key_len);
254 err = crypto_aes_expand_key(&rk, in_key + key_len, key_len);
258 memcpy(ctx->twkey, rk.key_enc, sizeof(ctx->twkey));
260 return aesbs_setkey(tfm, in_key, key_len);
263 static int __xts_crypt(struct skcipher_request *req,
264 void (*fn)(u8 out[], u8 const in[], u8 const rk[],
265 int rounds, int blocks, u8 iv[]))
267 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
268 struct aesbs_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
269 struct skcipher_walk walk;
272 err = skcipher_walk_virt(&walk, req, true);
276 neon_aes_ecb_encrypt(walk.iv, walk.iv, ctx->twkey,
277 ctx->key.rounds, 1, 1);
279 while (walk.nbytes >= AES_BLOCK_SIZE) {
280 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE;
282 if (walk.nbytes < walk.total)
283 blocks = round_down(blocks,
284 walk.stride / AES_BLOCK_SIZE);
286 fn(walk.dst.virt.addr, walk.src.virt.addr, ctx->key.rk,
287 ctx->key.rounds, blocks, walk.iv);
288 err = skcipher_walk_done(&walk,
289 walk.nbytes - blocks * AES_BLOCK_SIZE);
296 static int xts_encrypt(struct skcipher_request *req)
298 return __xts_crypt(req, aesbs_xts_encrypt);
301 static int xts_decrypt(struct skcipher_request *req)
303 return __xts_crypt(req, aesbs_xts_decrypt);
306 static struct skcipher_alg aes_algs[] = { {
307 .base.cra_name = "__ecb(aes)",
308 .base.cra_driver_name = "__ecb-aes-neonbs",
309 .base.cra_priority = 250,
310 .base.cra_blocksize = AES_BLOCK_SIZE,
311 .base.cra_ctxsize = sizeof(struct aesbs_ctx),
312 .base.cra_module = THIS_MODULE,
313 .base.cra_flags = CRYPTO_ALG_INTERNAL,
315 .min_keysize = AES_MIN_KEY_SIZE,
316 .max_keysize = AES_MAX_KEY_SIZE,
317 .walksize = 8 * AES_BLOCK_SIZE,
318 .setkey = aesbs_setkey,
319 .encrypt = ecb_encrypt,
320 .decrypt = ecb_decrypt,
322 .base.cra_name = "__cbc(aes)",
323 .base.cra_driver_name = "__cbc-aes-neonbs",
324 .base.cra_priority = 250,
325 .base.cra_blocksize = AES_BLOCK_SIZE,
326 .base.cra_ctxsize = sizeof(struct aesbs_cbc_ctx),
327 .base.cra_module = THIS_MODULE,
328 .base.cra_flags = CRYPTO_ALG_INTERNAL,
330 .min_keysize = AES_MIN_KEY_SIZE,
331 .max_keysize = AES_MAX_KEY_SIZE,
332 .walksize = 8 * AES_BLOCK_SIZE,
333 .ivsize = AES_BLOCK_SIZE,
334 .setkey = aesbs_cbc_setkey,
335 .encrypt = cbc_encrypt,
336 .decrypt = cbc_decrypt,
338 .base.cra_name = "__ctr(aes)",
339 .base.cra_driver_name = "__ctr-aes-neonbs",
340 .base.cra_priority = 250,
341 .base.cra_blocksize = 1,
342 .base.cra_ctxsize = sizeof(struct aesbs_ctx),
343 .base.cra_module = THIS_MODULE,
344 .base.cra_flags = CRYPTO_ALG_INTERNAL,
346 .min_keysize = AES_MIN_KEY_SIZE,
347 .max_keysize = AES_MAX_KEY_SIZE,
348 .chunksize = AES_BLOCK_SIZE,
349 .walksize = 8 * AES_BLOCK_SIZE,
350 .ivsize = AES_BLOCK_SIZE,
351 .setkey = aesbs_setkey,
352 .encrypt = ctr_encrypt,
353 .decrypt = ctr_encrypt,
355 .base.cra_name = "ctr(aes)",
356 .base.cra_driver_name = "ctr-aes-neonbs",
357 .base.cra_priority = 250 - 1,
358 .base.cra_blocksize = 1,
359 .base.cra_ctxsize = sizeof(struct aesbs_ctx),
360 .base.cra_module = THIS_MODULE,
362 .min_keysize = AES_MIN_KEY_SIZE,
363 .max_keysize = AES_MAX_KEY_SIZE,
364 .chunksize = AES_BLOCK_SIZE,
365 .walksize = 8 * AES_BLOCK_SIZE,
366 .ivsize = AES_BLOCK_SIZE,
367 .setkey = aesbs_setkey,
368 .encrypt = ctr_encrypt,
369 .decrypt = ctr_encrypt,
371 .base.cra_name = "__xts(aes)",
372 .base.cra_driver_name = "__xts-aes-neonbs",
373 .base.cra_priority = 250,
374 .base.cra_blocksize = AES_BLOCK_SIZE,
375 .base.cra_ctxsize = sizeof(struct aesbs_xts_ctx),
376 .base.cra_module = THIS_MODULE,
377 .base.cra_flags = CRYPTO_ALG_INTERNAL,
379 .min_keysize = 2 * AES_MIN_KEY_SIZE,
380 .max_keysize = 2 * AES_MAX_KEY_SIZE,
381 .walksize = 8 * AES_BLOCK_SIZE,
382 .ivsize = AES_BLOCK_SIZE,
383 .setkey = aesbs_xts_setkey,
384 .encrypt = xts_encrypt,
385 .decrypt = xts_decrypt,
388 static struct simd_skcipher_alg *aes_simd_algs[ARRAY_SIZE(aes_algs)];
390 static void aes_exit(void)
394 for (i = 0; i < ARRAY_SIZE(aes_simd_algs); i++)
395 if (aes_simd_algs[i])
396 simd_skcipher_free(aes_simd_algs[i]);
398 crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
401 static int __init aes_init(void)
403 struct simd_skcipher_alg *simd;
404 const char *basename;
410 if (!(elf_hwcap & HWCAP_ASIMD))
413 err = crypto_register_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
417 for (i = 0; i < ARRAY_SIZE(aes_algs); i++) {
418 if (!(aes_algs[i].base.cra_flags & CRYPTO_ALG_INTERNAL))
421 algname = aes_algs[i].base.cra_name + 2;
422 drvname = aes_algs[i].base.cra_driver_name + 2;
423 basename = aes_algs[i].base.cra_driver_name;
424 simd = simd_skcipher_create_compat(algname, drvname, basename);
427 goto unregister_simds;
429 aes_simd_algs[i] = simd;
438 module_init(aes_init);
439 module_exit(aes_exit);