/* $NetBSD: aes_via.c,v 1.9 2024/06/16 16:30:52 rillig Exp $ */
/*-
* Copyright (c) 2020 The NetBSD Foundation, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(1, "$NetBSD: aes_via.c,v 1.9 2024/06/16 16:30:52 rillig Exp $");
#ifdef _KERNEL
#include <sys/types.h>
#include <sys/evcnt.h>
#include <sys/systm.h>
#else
#include <assert.h>
#include <err.h>
#include <stdint.h>
#include <string.h>
#define KASSERT assert
#define panic(fmt, args...) err(1, fmt, args)
struct evcnt { uint64_t ev_count; };
#define EVCNT_INITIALIZER(a,b,c,d) {0}
#define EVCNT_ATTACH_STATIC(name) static char name##_attach __unused = 0
#endif
#include <crypto/aes/aes.h>
#include <crypto/aes/aes_bear.h>
#include <crypto/aes/aes_impl.h>
#ifdef _KERNEL
#include <x86/cpufunc.h>
#include <x86/cpuvar.h>
#include <x86/fpu.h>
#include <x86/specialreg.h>
#include <x86/via_padlock.h>
#else
#include <cpuid.h>
#define fpu_kern_enter() ((void)0)
#define fpu_kern_leave() ((void)0)
#define C3_CRYPT_CWLO_ROUND_M 0x0000000f
#define C3_CRYPT_CWLO_ALG_M 0x00000070
#define C3_CRYPT_CWLO_ALG_AES 0x00000000
#define C3_CRYPT_CWLO_KEYGEN_M 0x00000080
#define C3_CRYPT_CWLO_KEYGEN_HW 0x00000000
#define C3_CRYPT_CWLO_KEYGEN_SW 0x00000080
#define C3_CRYPT_CWLO_NORMAL 0x00000000
#define C3_CRYPT_CWLO_INTERMEDIATE 0x00000100
#define C3_CRYPT_CWLO_ENCRYPT 0x00000000
#define C3_CRYPT_CWLO_DECRYPT 0x00000200
#define C3_CRYPT_CWLO_KEY128 0x0000000a /* 128bit, 10 rds */
#define C3_CRYPT_CWLO_KEY192 0x0000040c /* 192bit, 12 rds */
#define C3_CRYPT_CWLO_KEY256 0x0000080e /* 256bit, 15 rds */
#endif
static void
aesvia_reload_keys(void)
{
asm volatile("pushf; popf");
}
static uint32_t
aesvia_keylen_cw0(unsigned nrounds)
{
/*
* Determine the control word bits for the key size / number of
* rounds. For AES-128, the hardware can do key expansion on
* the fly; for AES-192 and AES-256, software must do it.
*/
switch (nrounds) {
case AES_128_NROUNDS:
return C3_CRYPT_CWLO_KEY128;
case AES_192_NROUNDS:
return C3_CRYPT_CWLO_KEY192 | C3_CRYPT_CWLO_KEYGEN_SW;
case AES_256_NROUNDS:
return C3_CRYPT_CWLO_KEY256 | C3_CRYPT_CWLO_KEYGEN_SW;
default:
panic("invalid AES nrounds: %u", nrounds);
}
}
static void
aesvia_setenckey(struct aesenc *enc, const uint8_t *key, uint32_t nrounds)
{
size_t key_len;
switch (nrounds) {
case AES_128_NROUNDS:
enc->aese_aes.aes_rk[0] = le32dec(key + 4*0);
enc->aese_aes.aes_rk[1] = le32dec(key + 4*1);
enc->aese_aes.aes_rk[2] = le32dec(key + 4*2);
enc->aese_aes.aes_rk[3] = le32dec(key + 4*3);
return;
case AES_192_NROUNDS:
key_len = 24;
break;
case AES_256_NROUNDS:
key_len = 32;
break;
default:
panic("invalid AES nrounds: %u", nrounds);
}
br_aes_ct_keysched_stdenc(enc->aese_aes.aes_rk, key, key_len);
}
static void
aesvia_setdeckey(struct aesdec *dec, const uint8_t *key, uint32_t nrounds)
{
size_t key_len;
switch (nrounds) {
case AES_128_NROUNDS:
dec->aesd_aes.aes_rk[0] = le32dec(key + 4*0);
dec->aesd_aes.aes_rk[1] = le32dec(key + 4*1);
dec->aesd_aes.aes_rk[2] = le32dec(key + 4*2);
dec->aesd_aes.aes_rk[3] = le32dec(key + 4*3);
return;
case AES_192_NROUNDS:
key_len = 24;
break;
case AES_256_NROUNDS:
key_len = 32;
break;
default:
panic("invalid AES nrounds: %u", nrounds);
}
br_aes_ct_keysched_stddec(dec->aesd_aes.aes_rk, key, key_len);
}
static inline void
aesvia_encN(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nblocks, uint32_t cw0)
{
const uint32_t cw[4] __aligned(16) = {
[0] = (cw0
| C3_CRYPT_CWLO_ALG_AES
| C3_CRYPT_CWLO_ENCRYPT
| C3_CRYPT_CWLO_NORMAL),
};
KASSERT(((uintptr_t)enc & 0xf) == 0);
KASSERT(((uintptr_t)in & 0xf) == 0);
KASSERT(((uintptr_t)out & 0xf) == 0);
asm volatile("rep xcryptecb"
: "+c"(nblocks), "+S"(in), "+D"(out)
: "b"(enc), "d"(cw)
: "memory", "cc");
}
static inline void
aesvia_decN(const struct aesdec *dec, const uint8_t in[static 16],
uint8_t out[static 16], size_t nblocks, uint32_t cw0)
{
const uint32_t cw[4] __aligned(16) = {
[0] = (cw0
| C3_CRYPT_CWLO_ALG_AES
| C3_CRYPT_CWLO_DECRYPT
| C3_CRYPT_CWLO_NORMAL),
};
KASSERT(((uintptr_t)dec & 0xf) == 0);
KASSERT(((uintptr_t)in & 0xf) == 0);
KASSERT(((uintptr_t)out & 0xf) == 0);
asm volatile("rep xcryptecb"
: "+c"(nblocks), "+S"(in), "+D"(out)
: "b"(dec), "d"(cw)
: "memory", "cc");
}
static struct evcnt enc_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "enc aligned");
EVCNT_ATTACH_STATIC(enc_aligned_evcnt);
static struct evcnt enc_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "dec unaligned");
EVCNT_ATTACH_STATIC(enc_unaligned_evcnt);
static void
aesvia_enc(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], uint32_t nrounds)
{
const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
fpu_kern_enter();
aesvia_reload_keys();
if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0 &&
((uintptr_t)in & 0xff0) != 0xff0) {
enc_aligned_evcnt.ev_count++;
aesvia_encN(enc, in, out, 1, cw0);
} else {
enc_unaligned_evcnt.ev_count++;
/*
* VIA requires 16-byte/128-bit alignment, and
* xcrypt-ecb reads one block past the one we're
* working on -- which may go past the end of the page
* into unmapped territory. Use a bounce buffer if
* either constraint is violated.
*/
uint8_t inbuf[16] __aligned(16);
uint8_t outbuf[16] __aligned(16);
memcpy(inbuf, in, 16);
aesvia_encN(enc, inbuf, outbuf, 1, cw0);
memcpy(out, outbuf, 16);
explicit_memset(inbuf, 0, sizeof inbuf);
explicit_memset(outbuf, 0, sizeof outbuf);
}
fpu_kern_leave();
}
static struct evcnt dec_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "dec aligned");
EVCNT_ATTACH_STATIC(dec_aligned_evcnt);
static struct evcnt dec_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "dec unaligned");
EVCNT_ATTACH_STATIC(dec_unaligned_evcnt);
static void
aesvia_dec(const struct aesdec *dec, const uint8_t in[static 16],
uint8_t out[static 16], uint32_t nrounds)
{
const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
fpu_kern_enter();
aesvia_reload_keys();
if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0 &&
((uintptr_t)in & 0xff0) != 0xff0) {
dec_aligned_evcnt.ev_count++;
aesvia_decN(dec, in, out, 1, cw0);
} else {
dec_unaligned_evcnt.ev_count++;
/*
* VIA requires 16-byte/128-bit alignment, and
* xcrypt-ecb reads one block past the one we're
* working on -- which may go past the end of the page
* into unmapped territory. Use a bounce buffer if
* either constraint is violated.
*/
uint8_t inbuf[16] __aligned(16);
uint8_t outbuf[16] __aligned(16);
memcpy(inbuf, in, 16);
aesvia_decN(dec, inbuf, outbuf, 1, cw0);
memcpy(out, outbuf, 16);
explicit_memset(inbuf, 0, sizeof inbuf);
explicit_memset(outbuf, 0, sizeof outbuf);
}
fpu_kern_leave();
}
static inline void
aesvia_cbc_encN(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nblocks, uint8_t **ivp, uint32_t cw0)
{
const uint32_t cw[4] __aligned(16) = {
[0] = (cw0
| C3_CRYPT_CWLO_ALG_AES
| C3_CRYPT_CWLO_ENCRYPT
| C3_CRYPT_CWLO_NORMAL),
};
KASSERT(((uintptr_t)enc & 0xf) == 0);
KASSERT(((uintptr_t)in & 0xf) == 0);
KASSERT(((uintptr_t)out & 0xf) == 0);
KASSERT(((uintptr_t)*ivp & 0xf) == 0);
/*
* Register effects:
* - Counts nblocks down to zero.
* - Advances in by nblocks (units of blocks).
* - Advances out by nblocks (units of blocks).
* - Updates *ivp to point at the last block of out.
*/
asm volatile("rep xcryptcbc"
: "+c"(nblocks), "+S"(in), "+D"(out), "+a"(*ivp)
: "b"(enc), "d"(cw)
: "memory", "cc");
}
static inline void
aesvia_cbc_decN(const struct aesdec *dec, const uint8_t in[static 16],
uint8_t out[static 16], size_t nblocks, uint8_t iv[static 16],
uint32_t cw0)
{
const uint32_t cw[4] __aligned(16) = {
[0] = (cw0
| C3_CRYPT_CWLO_ALG_AES
| C3_CRYPT_CWLO_DECRYPT
| C3_CRYPT_CWLO_NORMAL),
};
KASSERT(((uintptr_t)dec & 0xf) == 0);
KASSERT(((uintptr_t)in & 0xf) == 0);
KASSERT(((uintptr_t)out & 0xf) == 0);
KASSERT(((uintptr_t)iv & 0xf) == 0);
/*
* Register effects:
* - Counts nblocks down to zero.
* - Advances in by nblocks (units of blocks).
* - Advances out by nblocks (units of blocks).
* Memory side effects:
* - Writes what was the last block of in at the address iv.
*/
asm volatile("rep xcryptcbc"
: "+c"(nblocks), "+S"(in), "+D"(out)
: "a"(iv), "b"(dec), "d"(cw)
: "memory", "cc");
}
static inline void
xor128(void *x, const void *a, const void *b)
{
uint32_t *x32 = x;
const uint32_t *a32 = a;
const uint32_t *b32 = b;
x32[0] = a32[0] ^ b32[0];
x32[1] = a32[1] ^ b32[1];
x32[2] = a32[2] ^ b32[2];
x32[3] = a32[3] ^ b32[3];
}
static struct evcnt cbcenc_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "cbcenc aligned");
EVCNT_ATTACH_STATIC(cbcenc_aligned_evcnt);
static struct evcnt cbcenc_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "cbcenc unaligned");
EVCNT_ATTACH_STATIC(cbcenc_unaligned_evcnt);
static void
aesvia_cbc_enc(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
uint32_t nrounds)
{
const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
KASSERT(nbytes % 16 == 0);
if (nbytes == 0)
return;
fpu_kern_enter();
aesvia_reload_keys();
if ((((uintptr_t)in | (uintptr_t)out | (uintptr_t)iv) & 0xf) == 0) {
cbcenc_aligned_evcnt.ev_count++;
uint8_t *ivp = iv;
aesvia_cbc_encN(enc, in, out, nbytes/16, &ivp, cw0);
memcpy(iv, ivp, 16);
} else {
cbcenc_unaligned_evcnt.ev_count++;
uint8_t cv[16] __aligned(16);
uint8_t tmp[16] __aligned(16);
memcpy(cv, iv, 16);
for (; nbytes; nbytes -= 16, in += 16, out += 16) {
memcpy(tmp, in, 16);
xor128(tmp, tmp, cv);
aesvia_encN(enc, tmp, cv, 1, cw0);
memcpy(out, cv, 16);
}
memcpy(iv, cv, 16);
}
fpu_kern_leave();
}
static struct evcnt cbcdec_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "cbcdec aligned");
EVCNT_ATTACH_STATIC(cbcdec_aligned_evcnt);
static struct evcnt cbcdec_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "cbcdec unaligned");
EVCNT_ATTACH_STATIC(cbcdec_unaligned_evcnt);
static void
aesvia_cbc_dec(const struct aesdec *dec, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
uint32_t nrounds)
{
const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
KASSERT(nbytes % 16 == 0);
if (nbytes == 0)
return;
fpu_kern_enter();
aesvia_reload_keys();
if ((((uintptr_t)in | (uintptr_t)out | (uintptr_t)iv) & 0xf) == 0) {
cbcdec_aligned_evcnt.ev_count++;
aesvia_cbc_decN(dec, in, out, nbytes/16, iv, cw0);
} else {
cbcdec_unaligned_evcnt.ev_count++;
uint8_t iv0[16] __aligned(16);
uint8_t cv[16] __aligned(16);
uint8_t tmp[16] __aligned(16);
memcpy(iv0, iv, 16);
memcpy(cv, in + nbytes - 16, 16);
memcpy(iv, cv, 16);
for (;;) {
aesvia_decN(dec, cv, tmp, 1, cw0);
if ((nbytes -= 16) == 0)
break;
memcpy(cv, in + nbytes - 16, 16);
xor128(tmp, tmp, cv);
memcpy(out + nbytes, tmp, 16);
}
xor128(tmp, tmp, iv0);
memcpy(out, tmp, 16);
explicit_memset(tmp, 0, sizeof tmp);
}
fpu_kern_leave();
}
static inline void
aesvia_xts_update(uint32_t *t0, uint32_t *t1, uint32_t *t2, uint32_t *t3)
{
uint32_t s0, s1, s2, s3;
s0 = *t0 >> 31;
s1 = *t1 >> 31;
s2 = *t2 >> 31;
s3 = *t3 >> 31;
*t0 = (*t0 << 1) ^ (-s3 & 0x87);
*t1 = (*t1 << 1) ^ s0;
*t2 = (*t2 << 1) ^ s1;
*t3 = (*t3 << 1) ^ s2;
}
static int
aesvia_xts_update_selftest(void)
{
static const struct {
uint32_t in[4], out[4];
} cases[] = {
{ {1}, {2} },
{ {0x80000000U,0,0,0}, {0,1,0,0} },
{ {0,0x80000000U,0,0}, {0,0,1,0} },
{ {0,0,0x80000000U,0}, {0,0,0,1} },
{ {0,0,0,0x80000000U}, {0x87,0,0,0} },
{ {0,0x80000000U,0,0x80000000U}, {0x87,0,1,0} },
};
unsigned i;
uint32_t t0, t1, t2, t3;
for (i = 0; i < sizeof(cases)/sizeof(cases[0]); i++) {
t0 = cases[i].in[0];
t1 = cases[i].in[1];
t2 = cases[i].in[2];
t3 = cases[i].in[3];
aesvia_xts_update(&t0, &t1, &t2, &t3);
if (t0 != cases[i].out[0] ||
t1 != cases[i].out[1] ||
t2 != cases[i].out[2] ||
t3 != cases[i].out[3])
return -1;
}
/* Success! */
return 0;
}
static struct evcnt xtsenc_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "xtsenc aligned");
EVCNT_ATTACH_STATIC(xtsenc_aligned_evcnt);
static struct evcnt xtsenc_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "xtsenc unaligned");
EVCNT_ATTACH_STATIC(xtsenc_unaligned_evcnt);
static void
aesvia_xts_enc(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
uint32_t nrounds)
{
const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
uint32_t t[4];
KASSERT(nbytes % 16 == 0);
memcpy(t, tweak, 16);
fpu_kern_enter();
aesvia_reload_keys();
if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0) {
xtsenc_aligned_evcnt.ev_count++;
unsigned lastblock = 0;
uint32_t buf[8*4] __aligned(16);
/*
* Make sure the last block is not the last block of a
* page. (Note that we store the AES input in `out' as
* a temporary buffer, rather than reading it directly
* from `in', since we have to combine the tweak
* first.)
*/
lastblock = 16*(((uintptr_t)(out + nbytes) & 0xfff) == 0);
nbytes -= lastblock;
/*
* Handle an odd number of initial blocks so we can
* process the rest in eight-block (128-byte) chunks.
*/
if (nbytes % 128) {
unsigned nbytes128 = nbytes % 128;
nbytes -= nbytes128;
for (; nbytes128; nbytes128 -= 16, in += 16, out += 16)
{
xor128(out, in, t);
aesvia_encN(enc, out, out, 1, cw0);
xor128(out, out, t);
aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
}
}
/* Process eight blocks at a time. */
for (; nbytes; nbytes -= 128, in += 128, out += 128) {
unsigned i;
for (i = 0; i < 8; i++) {
memcpy(buf + 4*i, t, 16);
xor128(out + 4*i, in + 4*i, t);
aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
}
aesvia_encN(enc, out, out, 8, cw0);
for (i = 0; i < 8; i++)
xor128(out + 4*i, in + 4*i, buf + 4*i);
}
/* Handle the last block of a page, if necessary. */
if (lastblock) {
xor128(buf, in, t);
aesvia_encN(enc, (const void *)buf, out, 1, cw0);
}
explicit_memset(buf, 0, sizeof buf);
} else {
xtsenc_unaligned_evcnt.ev_count++;
uint8_t buf[16] __aligned(16);
for (; nbytes; nbytes -= 16, in += 16, out += 16) {
memcpy(buf, in, 16);
xor128(buf, buf, t);
aesvia_encN(enc, buf, buf, 1, cw0);
xor128(buf, buf, t);
memcpy(out, buf, 16);
aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
}
explicit_memset(buf, 0, sizeof buf);
}
fpu_kern_leave();
memcpy(tweak, t, 16);
explicit_memset(t, 0, sizeof t);
}
static struct evcnt xtsdec_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "xtsdec aligned");
EVCNT_ATTACH_STATIC(xtsdec_aligned_evcnt);
static struct evcnt xtsdec_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "xtsdec unaligned");
EVCNT_ATTACH_STATIC(xtsdec_unaligned_evcnt);
static void
aesvia_xts_dec(const struct aesdec *dec, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
uint32_t nrounds)
{
const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
uint32_t t[4];
KASSERT(nbytes % 16 == 0);
memcpy(t, tweak, 16);
fpu_kern_enter();
aesvia_reload_keys();
if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0) {
xtsdec_aligned_evcnt.ev_count++;
unsigned lastblock = 0;
uint32_t buf[8*4] __aligned(16);
/*
* Make sure the last block is not the last block of a
* page. (Note that we store the AES input in `out' as
* a temporary buffer, rather than reading it directly
* from `in', since we have to combine the tweak
* first.)
*/
lastblock = 16*(((uintptr_t)(out + nbytes) & 0xfff) == 0);
nbytes -= lastblock;
/*
* Handle an odd number of initial blocks so we can
* process the rest in eight-block (128-byte) chunks.
*/
if (nbytes % 128) {
unsigned nbytes128 = nbytes % 128;
nbytes -= nbytes128;
for (; nbytes128; nbytes128 -= 16, in += 16, out += 16)
{
xor128(out, in, t);
aesvia_decN(dec, out, out, 1, cw0);
xor128(out, out, t);
aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
}
}
/* Process eight blocks at a time. */
for (; nbytes; nbytes -= 128, in += 128, out += 128) {
unsigned i;
for (i = 0; i < 8; i++) {
memcpy(buf + 4*i, t, 16);
xor128(out + 4*i, in + 4*i, t);
aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
}
aesvia_decN(dec, out, out, 8, cw0);
for (i = 0; i < 8; i++)
xor128(out + 4*i, in + 4*i, buf + 4*i);
}
/* Handle the last block of a page, if necessary. */
if (lastblock) {
xor128(buf, in, t);
aesvia_decN(dec, (const void *)buf, out, 1, cw0);
}
explicit_memset(buf, 0, sizeof buf);
} else {
xtsdec_unaligned_evcnt.ev_count++;
uint8_t buf[16] __aligned(16);
for (; nbytes; nbytes -= 16, in += 16, out += 16) {
memcpy(buf, in, 16);
xor128(buf, buf, t);
aesvia_decN(dec, buf, buf, 1, cw0);
xor128(buf, buf, t);
memcpy(out, buf, 16);
aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
}
explicit_memset(buf, 0, sizeof buf);
}
fpu_kern_leave();
memcpy(tweak, t, 16);
explicit_memset(t, 0, sizeof t);
}
static struct evcnt cbcmac_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "cbcmac aligned");
EVCNT_ATTACH_STATIC(cbcmac_aligned_evcnt);
static struct evcnt cbcmac_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "cbcmac unaligned");
EVCNT_ATTACH_STATIC(cbcmac_unaligned_evcnt);
static void
aesvia_cbcmac_update1(const struct aesenc *enc, const uint8_t in[static 16],
size_t nbytes, uint8_t auth0[static 16], uint32_t nrounds)
{
const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
uint8_t authbuf[16] __aligned(16);
uint8_t *auth = auth0;
KASSERT(nbytes);
KASSERT(nbytes % 16 == 0);
if ((uintptr_t)auth0 & 0xf) {
memcpy(authbuf, auth0, 16);
auth = authbuf;
cbcmac_unaligned_evcnt.ev_count++;
} else {
cbcmac_aligned_evcnt.ev_count++;
}
fpu_kern_enter();
aesvia_reload_keys();
for (; nbytes; nbytes -= 16, in += 16) {
xor128(auth, auth, in);
aesvia_encN(enc, auth, auth, 1, cw0);
}
fpu_kern_leave();
if ((uintptr_t)auth0 & 0xf) {
memcpy(auth0, authbuf, 16);
explicit_memset(authbuf, 0, sizeof authbuf);
}
}
static struct evcnt ccmenc_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "ccmenc aligned");
EVCNT_ATTACH_STATIC(ccmenc_aligned_evcnt);
static struct evcnt ccmenc_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "ccmenc unaligned");
EVCNT_ATTACH_STATIC(ccmenc_unaligned_evcnt);
static void
aesvia_ccm_enc1(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t authctr0[static 32],
uint32_t nrounds)
{
const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
uint8_t authctrbuf[32] __aligned(16);
uint8_t *authctr;
uint32_t c0, c1, c2, c3;
KASSERT(nbytes);
KASSERT(nbytes % 16 == 0);
if ((uintptr_t)authctr0 & 0xf) {
memcpy(authctrbuf, authctr0, 16);
authctr = authctrbuf;
ccmenc_unaligned_evcnt.ev_count++;
} else {
authctr = authctr0;
ccmenc_aligned_evcnt.ev_count++;
}
c0 = le32dec(authctr0 + 16 + 4*0);
c1 = le32dec(authctr0 + 16 + 4*1);
c2 = le32dec(authctr0 + 16 + 4*2);
c3 = be32dec(authctr0 + 16 + 4*3);
/*
* In principle we could use REP XCRYPTCTR here, but that
* doesn't help to compute the CBC-MAC step, and certain VIA
* CPUs have some weird errata with REP XCRYPTCTR that make it
* kind of a pain to use. So let's just use REP XCRYPTECB to
* simultaneously compute the CBC-MAC step and the CTR step.
* (Maybe some VIA CPUs will compute REP XCRYPTECB in parallel,
* who knows...)
*/
fpu_kern_enter();
aesvia_reload_keys();
for (; nbytes; nbytes -= 16, in += 16, out += 16) {
xor128(authctr, authctr, in);
le32enc(authctr + 16 + 4*0, c0);
le32enc(authctr + 16 + 4*1, c1);
le32enc(authctr + 16 + 4*2, c2);
be32enc(authctr + 16 + 4*3, ++c3);
aesvia_encN(enc, authctr, authctr, 2, cw0);
xor128(out, in, authctr + 16);
}
fpu_kern_leave();
if ((uintptr_t)authctr0 & 0xf) {
memcpy(authctr0, authctrbuf, 16);
explicit_memset(authctrbuf, 0, sizeof authctrbuf);
}
le32enc(authctr0 + 16 + 4*0, c0);
le32enc(authctr0 + 16 + 4*1, c1);
le32enc(authctr0 + 16 + 4*2, c2);
be32enc(authctr0 + 16 + 4*3, c3);
}
static struct evcnt ccmdec_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "ccmdec aligned");
EVCNT_ATTACH_STATIC(ccmdec_aligned_evcnt);
static struct evcnt ccmdec_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
NULL, "aesvia", "ccmdec unaligned");
EVCNT_ATTACH_STATIC(ccmdec_unaligned_evcnt);
static void
aesvia_ccm_dec1(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nbytes, uint8_t authctr0[static 32],
uint32_t nrounds)
{
const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
uint8_t authctrbuf[32] __aligned(16);
uint8_t *authctr;
uint32_t c0, c1, c2, c3;
KASSERT(nbytes);
KASSERT(nbytes % 16 == 0);
c0 = le32dec(authctr0 + 16 + 4*0);
c1 = le32dec(authctr0 + 16 + 4*1);
c2 = le32dec(authctr0 + 16 + 4*2);
c3 = be32dec(authctr0 + 16 + 4*3);
if ((uintptr_t)authctr0 & 0xf) {
memcpy(authctrbuf, authctr0, 16);
authctr = authctrbuf;
le32enc(authctr + 16 + 4*0, c0);
le32enc(authctr + 16 + 4*1, c1);
le32enc(authctr + 16 + 4*2, c2);
ccmdec_unaligned_evcnt.ev_count++;
} else {
authctr = authctr0;
ccmdec_aligned_evcnt.ev_count++;
}
fpu_kern_enter();
aesvia_reload_keys();
be32enc(authctr + 16 + 4*3, ++c3);
aesvia_encN(enc, authctr + 16, authctr + 16, 1, cw0);
for (;; in += 16, out += 16) {
xor128(out, authctr + 16, in);
xor128(authctr, authctr, out);
if ((nbytes -= 16) == 0)
break;
le32enc(authctr + 16 + 4*0, c0);
le32enc(authctr + 16 + 4*1, c1);
le32enc(authctr + 16 + 4*2, c2);
be32enc(authctr + 16 + 4*3, ++c3);
aesvia_encN(enc, authctr, authctr, 2, cw0);
}
aesvia_encN(enc, authctr, authctr, 1, cw0);
fpu_kern_leave();
if ((uintptr_t)authctr0 & 0xf) {
memcpy(authctr0, authctrbuf, 16);
explicit_memset(authctrbuf, 0, sizeof authctrbuf);
}
le32enc(authctr0 + 16 + 4*0, c0);
le32enc(authctr0 + 16 + 4*1, c1);
le32enc(authctr0 + 16 + 4*2, c2);
be32enc(authctr0 + 16 + 4*3, c3);
}
static int
aesvia_probe(void)
{
/* Verify that the CPU advertises VIA ACE support. */
#ifdef _KERNEL
if ((cpu_feature[4] & CPUID_VIA_HAS_ACE) == 0)
return -1;
#else
/*
* From the VIA PadLock Programming Guide:
*
https://web.archive.org/web/20220104214041/http://linux.via.com.tw/support/beginDownload.action?eleid=181&fid=261
*/
unsigned eax, ebx, ecx, edx;
if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
return -1;
if (ebx != signature_CENTAUR_ebx ||
ecx != signature_CENTAUR_ecx ||
edx != signature_CENTAUR_edx)
return -1;
if (eax < 0xc0000000)
return -1;
if (!__get_cpuid(0xc0000000, &eax, &ebx, &ecx, &edx))
return -1;
if (eax < 0xc0000001)
return -1;
if (!__get_cpuid(0xc0000001, &eax, &ebx, &ecx, &edx))
return -1;
/* Check whether ACE or ACE2 is both supported and enabled. */
if ((edx & 0x000000c0) != 0x000000c0 ||
(edx & 0x00000300) != 0x00000300)
return -1;
#endif
/* Verify that our XTS tweak update logic works. */
if (aesvia_xts_update_selftest())
return -1;
/* Success! */
return 0;
}
struct aes_impl aes_via_impl = {
.ai_name = "VIA ACE",
.ai_probe = aesvia_probe,
.ai_setenckey = aesvia_setenckey,
.ai_setdeckey = aesvia_setdeckey,
.ai_enc = aesvia_enc,
.ai_dec = aesvia_dec,
.ai_cbc_enc = aesvia_cbc_enc,
.ai_cbc_dec = aesvia_cbc_dec,
.ai_xts_enc = aesvia_xts_enc,
.ai_xts_dec = aesvia_xts_dec,
.ai_cbcmac_update1 = aesvia_cbcmac_update1,
.ai_ccm_enc1 = aesvia_ccm_enc1,
.ai_ccm_dec1 = aesvia_ccm_dec1,
};
