2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2017 Chelsio Communications, Inc.
5 * Copyright (c) 2017 Conrad Meyer <cem@FreeBSD.org>
7 * Largely borrowed from ccr(4), Written by: John Baldwin <jhb@FreeBSD.org>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
36 #include <sys/types.h>
39 #include <sys/kernel.h>
40 #include <sys/malloc.h>
41 #include <sys/mutex.h>
42 #include <sys/module.h>
43 #include <sys/random.h>
44 #include <sys/sglist.h>
45 #include <sys/sysctl.h>
51 #include <dev/pci/pcivar.h>
53 #include <dev/random/randomdev.h>
55 #include <opencrypto/cryptodev.h>
56 #include <opencrypto/xform.h>
58 #include "cryptodev_if.h"
61 #include "ccp_hardware.h"
/* Defines the malloc(9) type M_CCP (short name "ccp") for this driver. */
63 MALLOC_DEFINE(M_CCP, "ccp", "AMD CCP crypto");
66 * Need a global softc available for garbage random_source API, which lacks any
67 * context pointer. It's also handy for debugging.
/*
 * Global softc pointer. ccp_attach() tests it for NULL before registering
 * the TRNG source, and ccp_detach() compares it with the detaching softc
 * before deregistering that source.
 */
69 struct ccp_softc *g_ccp_softc;
/*
 * Debug logging switch, off by default. CTLFLAG_RWTUN makes it writable at
 * run time and settable as a loader tunable.
 */
71 bool g_debug_print = false;
72 SYSCTL_BOOL(_hw_ccp, OID_AUTO, debug, CTLFLAG_RWTUN, &g_debug_print, 0,
73 "Set to enable debugging log messages");
79 { 0x14561022, "AMD CCP-5a" },
80 { 0x14681022, "AMD CCP-5b" },
/*
 * Entropy source descriptor for the CCP TRNG. ccp_attach() registers it only
 * when hw_features reports VERSION_CAP_TRNG.
 * NOTE(review): the source is tagged RANDOM_PURE_CCP and read through
 * random_ccp_read(), which is not visible in this listing; confirm how read
 * failures and short reads from the hardware are handled there.
 */
83 static struct random_source random_ccp = {
84 .rs_ident = "AMD CCP TRNG",
85 .rs_source = RANDOM_PURE_CCP,
86 .rs_read = random_ccp_read,
90 * ccp_populate_sglist() generates a scatter/gather list that covers the entire
91 * crypto operation buffer.
/*
 * sg is the list to fill and crp the request whose buffer it must cover.
 * crp_flags selects the buffer kind: an mbuf chain (CRYPTO_F_IMBUF), a uio
 * (CRYPTO_F_IOV), or otherwise a flat buffer of crp_ilen bytes. The status of
 * the sglist_append*() call is kept in error; the return statement is not
 * visible in this listing.
 */
94 ccp_populate_sglist(struct sglist *sg, struct cryptop *crp)
99 if (crp->crp_flags & CRYPTO_F_IMBUF)
100 error = sglist_append_mbuf(sg, crp->crp_mbuf);
101 else if (crp->crp_flags & CRYPTO_F_IOV)
102 error = sglist_append_uio(sg, crp->crp_uio);
104 error = sglist_append(sg, crp->crp_buf, crp->crp_ilen);
109 * Handle a GCM request with an empty payload by performing the
110 * operation in software. Derived from swcr_authenc().
/*
 * s supplies the AES key (s->blkcipher.enckey, key_len). crda describes the
 * additional authenticated data (crd_skip, crd_len) and where the tag lives
 * (crd_inject). crde carries the direction flag and the IV location.
 */
113 ccp_gcm_soft(struct ccp_session *s, struct cryptop *crp,
114 struct cryptodesc *crda, struct cryptodesc *crde)
/*
 * NOTE(review): gmac_ctx is keyed below and digest receives the computed tag.
 * No explicit_bzero() of these stack objects is visible in this listing;
 * confirm they are wiped before the function returns.
 */
116 struct aes_gmac_ctx gmac_ctx;
117 char block[GMAC_BLOCK_LEN];
118 char digest[GMAC_DIGEST_LEN];
119 char iv[AES_BLOCK_LEN];
123 * This assumes a 12-byte IV from the crp. See longer comment
124 * above in ccp_gcm() for more details.
126 if (crde->crd_flags & CRD_F_ENCRYPT) {
/* Explicit IV: take the 12 bytes from the descriptor. */
127 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
128 memcpy(iv, crde->crd_iv, 12);
/*
 * The branch that fills iv when the IV is not explicit is not visible in this
 * listing. Unless the caller marked the IV as already present, the 12 bytes
 * are written into the request buffer at crd_inject.
 */
131 if ((crde->crd_flags & CRD_F_IV_PRESENT) == 0)
132 crypto_copyback(crp->crp_flags, crp->crp_buf,
133 crde->crd_inject, 12, iv);
/* Decrypt side: explicit IV from the descriptor, else read it from the buffer. */
135 if (crde->crd_flags & CRD_F_IV_EXPLICIT)
136 memcpy(iv, crde->crd_iv, 12);
138 crypto_copydata(crp->crp_flags, crp->crp_buf,
139 crde->crd_inject, 12, iv);
/*
 * Bytes 12..15 receive a big-endian 1, the initial counter block that GCM
 * defines for a 96-bit IV.
 * NOTE(review): the store goes through a uint32_t cast of a char array;
 * confirm the alignment and aliasing are acceptable on every target.
 */
141 *(uint32_t *)&iv[12] = htobe32(1);
143 /* Initialize the MAC. */
144 AES_GMAC_Init(&gmac_ctx);
145 AES_GMAC_Setkey(&gmac_ctx, s->blkcipher.enckey, s->blkcipher.key_len);
146 AES_GMAC_Reinit(&gmac_ctx, iv, sizeof(iv));
/*
 * Authenticate the AAD one block at a time. A short final block is
 * zero-padded, so every update call sees a full block.
 */
149 for (i = 0; i < crda->crd_len; i += sizeof(block)) {
150 len = imin(crda->crd_len - i, sizeof(block));
151 crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_skip +
153 bzero(block + len, sizeof(block) - len);
154 AES_GMAC_Update(&gmac_ctx, block, sizeof(block));
/*
 * Length block: the payload is empty, so only the AAD bit length is set. It
 * is stored as a 32-bit big-endian value in the second 32-bit word.
 * NOTE(review): crd_len * 8 is truncated to 32 bits here; confirm that AAD
 * lengths large enough to overflow it are rejected before this point.
 */
158 bzero(block, sizeof(block));
159 ((uint32_t *)block)[1] = htobe32(crda->crd_len * 8);
160 AES_GMAC_Update(&gmac_ctx, block, sizeof(block));
161 AES_GMAC_Final(digest, &gmac_ctx);
/*
 * Encrypt: write the tag at crd_inject. Decrypt: read the stored tag and
 * compare it with timingsafe_bcmp(), which does not stop at the first
 * differing byte.
 * NOTE(review): both paths use the full GMAC_DIGEST_LEN rather than
 * s->gmac.hash_len, which ccp_newsession() may set from cri_mlen; confirm a
 * truncated tag length is handled as intended and the buffer has room.
 */
163 if (crde->crd_flags & CRD_F_ENCRYPT) {
164 crypto_copyback(crp->crp_flags, crp->crp_buf, crda->crd_inject,
165 sizeof(digest), digest);
168 char digest2[GMAC_DIGEST_LEN];
170 crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_inject,
171 sizeof(digest2), digest2);
172 if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0)
/* Presumably the mismatch branch; the else line is not visible in this listing. */
175 crp->crp_etype = EBADMSG;
/*
 * Device probe: look up the PCI device id in ccp_ids and set the device
 * description on a match. The probe return values are not visible in this
 * listing.
 */
181 ccp_probe(device_t dev)
186 id = pci_get_devid(dev);
187 for (ip = ccp_ids; ip < &ccp_ids[nitems(ccp_ids)]; ip++) {
188 if (id == ip->devid) {
189 device_set_desc(dev, ip->desc);
/*
 * Set up per-queue software state for every slot in sc->queues: the queue
 * mutex and three scatter/gather lists. The allocations use M_WAITOK, so
 * they sleep instead of returning NULL.
 */
197 ccp_initialize_queues(struct ccp_softc *sc)
199 struct ccp_queue *qp;
202 for (i = 0; i < nitems(sc->queues); i++) {
207 mtx_init(&qp->cq_lock, "ccp queue", NULL, MTX_DEF);
208 /* XXX - arbitrarily chosen sizes */
/*
 * NOTE(review): a request whose buffer needs more than 32 segments cannot
 * fit in cq_sg_crp; confirm callers propagate the sglist_append*() error.
 */
209 qp->cq_sg_crp = sglist_alloc(32, M_WAITOK);
210 /* Two more SGEs than sg_crp to accommodate ipad. */
211 qp->cq_sg_ulptx = sglist_alloc(34, M_WAITOK);
212 qp->cq_sg_dst = sglist_alloc(2, M_WAITOK);
/*
 * Undo ccp_initialize_queues(): destroy each queue mutex and free the three
 * scatter/gather lists of every slot in sc->queues.
 */
217 ccp_free_queues(struct ccp_softc *sc)
219 struct ccp_queue *qp;
222 for (i = 0; i < nitems(sc->queues); i++) {
225 mtx_destroy(&qp->cq_lock);
226 sglist_free(qp->cq_sg_crp);
227 sglist_free(qp->cq_sg_ulptx);
228 sglist_free(qp->cq_sg_dst);
/*
 * Device attach: obtain an opencrypto driver id, bring up the hardware,
 * initialise the softc lock and queues, then advertise only the algorithms
 * that the hardware feature bits allow.
 */
233 ccp_attach(device_t dev)
235 struct ccp_softc *sc;
238 sc = device_get_softc(dev);
/* The framework allocates sizeof(struct ccp_session) of state per session. */
241 sc->cid = crypto_get_driverid(dev, sizeof(struct ccp_session),
242 CRYPTOCAP_F_HARDWARE);
244 device_printf(dev, "could not get crypto driver id\n");
248 error = ccp_hw_attach(dev);
252 mtx_init(&sc->lock, "ccp", NULL, MTX_DEF);
254 ccp_initialize_queues(sc);
/*
 * Only taken while no global softc is recorded. The TRNG is registered as an
 * entropy source only if the hardware reports VERSION_CAP_TRNG.
 */
256 if (g_ccp_softc == NULL) {
258 if ((sc->hw_features & VERSION_CAP_TRNG) != 0)
259 random_source_register(&random_ccp);
/* AES modes and the GMAC variants are offered only with VERSION_CAP_AES. */
262 if ((sc->hw_features & VERSION_CAP_AES) != 0) {
263 crypto_register(sc->cid, CRYPTO_AES_CBC, 0, 0);
264 crypto_register(sc->cid, CRYPTO_AES_ICM, 0, 0);
265 crypto_register(sc->cid, CRYPTO_AES_NIST_GCM_16, 0, 0);
266 crypto_register(sc->cid, CRYPTO_AES_128_NIST_GMAC, 0, 0);
267 crypto_register(sc->cid, CRYPTO_AES_192_NIST_GMAC, 0, 0);
268 crypto_register(sc->cid, CRYPTO_AES_256_NIST_GMAC, 0, 0);
269 crypto_register(sc->cid, CRYPTO_AES_XTS, 0, 0);
/* The HMAC algorithms are offered only with VERSION_CAP_SHA. */
271 if ((sc->hw_features & VERSION_CAP_SHA) != 0) {
272 crypto_register(sc->cid, CRYPTO_SHA1_HMAC, 0, 0);
273 crypto_register(sc->cid, CRYPTO_SHA2_256_HMAC, 0, 0);
274 crypto_register(sc->cid, CRYPTO_SHA2_384_HMAC, 0, 0);
275 crypto_register(sc->cid, CRYPTO_SHA2_512_HMAC, 0, 0);
/*
 * Device detach: mark the softc as detaching, withdraw every registered
 * algorithm, deregister the TRNG source if this softc owns it, and destroy
 * the softc lock.
 */
282 ccp_detach(device_t dev)
284 struct ccp_softc *sc;
286 sc = device_get_softc(dev);
/*
 * detaching is set before sc->lock is released; the matching mtx_lock() is
 * not visible in this listing.
 */
289 sc->detaching = true;
290 mtx_unlock(&sc->lock);
292 crypto_unregister_all(sc->cid);
293 if (g_ccp_softc == sc && (sc->hw_features & VERSION_CAP_TRNG) != 0)
294 random_source_deregister(&random_ccp);
/* The statement guarded by this test is not visible in this listing. */
299 if (g_ccp_softc == sc)
302 mtx_destroy(&sc->lock);
/*
 * Derive the HMAC inner and outer pads for the session from key and store
 * them in s->hmac.ipad and s->hmac.opad. The rest of the parameter list is
 * not visible in this listing.
 * NOTE(review): ipad and opad stay in the session as key-derived material;
 * confirm they are wiped when the session is freed.
 */
307 ccp_init_hmac_digest(struct ccp_session *s, int cri_alg, char *key,
310 union authctx auth_ctx;
311 struct auth_hash *axf;
315 * If the key is larger than the block size, use the digest of
316 * the key as the key instead.
318 axf = s->hmac.auth_hash;
/*
 * Long key: hash it into ipad, then wipe the hash context with
 * explicit_bzero() so the clear cannot be optimised away.
 */
320 if (klen > axf->blocksize) {
321 axf->Init(&auth_ctx);
322 axf->Update(&auth_ctx, key, klen);
323 axf->Final(s->hmac.ipad, &auth_ctx);
324 explicit_bzero(&auth_ctx, sizeof(auth_ctx));
325 klen = axf->hashsize;
/*
 * Presumably the else branch (its line is not visible here): the key is no
 * longer than the block size and is copied as is.
 */
327 memcpy(s->hmac.ipad, key, klen);
/* Zero-pad to a full block, duplicate into opad, then XOR in the pad bytes. */
329 memset(s->hmac.ipad + klen, 0, axf->blocksize - klen);
330 memcpy(s->hmac.opad, s->hmac.ipad, axf->blocksize);
332 for (i = 0; i < axf->blocksize; i++) {
333 s->hmac.ipad[i] ^= HMAC_IPAD_VAL;
334 s->hmac.opad[i] ^= HMAC_OPAD_VAL;
/*
 * Validate an AES key length for alg. CRYPTO_AES_XTS is special-cased in two
 * places; the accepted lengths and the return values are not visible in this
 * listing. Callers run this before ccp_aes_setkey().
 */
339 ccp_aes_check_keylen(int alg, int klen)
345 if (alg == CRYPTO_AES_XTS)
351 if (alg != CRYPTO_AES_XTS)
/*
 * Install an AES key in the session: choose the CCP cipher type for the key
 * size and copy the key bytes into s->blkcipher.enckey. klen is divided by 8
 * to get the byte count, so it is a bit length at that point.
 */
361 ccp_aes_setkey(struct ccp_session *s, int alg, const void *key, int klen)
/* The XTS adjustment made under this test is not visible in this listing. */
365 if (alg == CRYPTO_AES_XTS)
372 s->blkcipher.cipher_type = CCP_AES_TYPE_128;
375 s->blkcipher.cipher_type = CCP_AES_TYPE_192;
378 s->blkcipher.cipher_type = CCP_AES_TYPE_256;
/*
 * An unexpected length panics, so this function depends on the caller having
 * run ccp_aes_check_keylen() first. Both visible call sites in ccp_process()
 * and ccp_newsession() do so.
 */
381 panic("should not get here");
/*
 * NOTE(review): the copy is bounded only by the validated key length;
 * confirm enckey is sized for the largest accepted key.
 */
384 s->blkcipher.key_len = klen / 8;
385 memcpy(s->blkcipher.enckey, key, s->blkcipher.key_len);
/*
 * Create the driver state for a new opencrypto session: walk the cryptoini
 * chain, classify each entry as an authentication or a cipher algorithm,
 * validate the combination, pick a queue and store the keys in the session.
 */
389 ccp_newsession(device_t dev, crypto_session_t cses, struct cryptoini *cri)
391 struct ccp_softc *sc;
392 struct ccp_session *s;
393 struct auth_hash *auth_hash;
394 struct cryptoini *c, *hash, *cipher;
395 enum ccp_aes_mode cipher_mode;
396 unsigned auth_mode, iv_len;
397 unsigned partial_digest_len;
405 s = crypto_get_driver_session(cses);
411 /* XXX reconcile auth_mode with use by ccp_sha */
/* Initial value only; the cipher cases below assign CBC, CTR, GCTR or XTS. */
413 cipher_mode = CCP_AES_MODE_ECB;
415 partial_digest_len = 0;
416 for (c = cri; c != NULL; c = c->cri_next) {
417 switch (c->cri_alg) {
418 case CRYPTO_SHA1_HMAC:
419 case CRYPTO_SHA2_256_HMAC:
420 case CRYPTO_SHA2_384_HMAC:
421 case CRYPTO_SHA2_512_HMAC:
422 case CRYPTO_AES_128_NIST_GMAC:
423 case CRYPTO_AES_192_NIST_GMAC:
424 case CRYPTO_AES_256_NIST_GMAC:
428 switch (c->cri_alg) {
429 case CRYPTO_SHA1_HMAC:
430 auth_hash = &auth_hash_hmac_sha1;
432 partial_digest_len = SHA1_HASH_LEN;
434 case CRYPTO_SHA2_256_HMAC:
435 auth_hash = &auth_hash_hmac_sha2_256;
436 auth_mode = SHA2_256;
437 partial_digest_len = SHA2_256_HASH_LEN;
439 case CRYPTO_SHA2_384_HMAC:
440 auth_hash = &auth_hash_hmac_sha2_384;
441 auth_mode = SHA2_384;
/*
 * SHA-384 uses the SHA-512 length here, presumably because its intermediate
 * state is the same size as that of SHA-512.
 */
442 partial_digest_len = SHA2_512_HASH_LEN;
444 case CRYPTO_SHA2_512_HMAC:
445 auth_hash = &auth_hash_hmac_sha2_512;
446 auth_mode = SHA2_512;
447 partial_digest_len = SHA2_512_HASH_LEN;
449 case CRYPTO_AES_128_NIST_GMAC:
450 case CRYPTO_AES_192_NIST_GMAC:
451 case CRYPTO_AES_256_NIST_GMAC:
/*
 * NOTE(review): the CHCR_ prefix looks inherited from ccr(4), from which the
 * file header says this driver was borrowed; see the XXX above.
 */
454 auth_mode = CHCR_SCMD_AUTH_MODE_GHASH;
461 case CRYPTO_AES_NIST_GCM_16:
466 switch (c->cri_alg) {
468 cipher_mode = CCP_AES_MODE_CBC;
469 iv_len = AES_BLOCK_LEN;
472 cipher_mode = CCP_AES_MODE_CTR;
473 iv_len = AES_BLOCK_LEN;
475 case CRYPTO_AES_NIST_GCM_16:
476 cipher_mode = CCP_AES_MODE_GCTR;
477 iv_len = AES_GCM_IV_LEN;
480 cipher_mode = CCP_AES_MODE_XTS;
481 iv_len = AES_BLOCK_LEN;
/* A key supplied at session creation is length-checked before it is stored. */
484 if (c->cri_key != NULL) {
485 error = ccp_aes_check_keylen(c->cri_alg,
/*
 * Combination checks. gcm_hash is assigned on a line not visible here; it
 * must agree with whether the cipher is GCM. At least one of hash and cipher
 * is required, and a hash must come with a key.
 */
495 if (gcm_hash != (cipher_mode == CCP_AES_MODE_GCTR))
497 if (hash == NULL && cipher == NULL)
499 if (hash != NULL && hash->cri_key == NULL)
502 sc = device_get_softc(dev);
/* Unlock on an early-exit path; its condition is not visible in this listing. */
505 mtx_unlock(&sc->lock);
509 /* Just grab the first usable queue for now. */
510 for (q = 0; q < nitems(sc->queues); q++)
511 if ((sc->valid_queues & (1 << q)) != 0)
/* No bit set in valid_queues for any slot: release the lock and give up. */
513 if (q == nitems(sc->queues)) {
514 mtx_unlock(&sc->lock);
/* The session mode assigned in each of these branches is not visible here. */
521 else if (hash != NULL && cipher != NULL)
523 else if (hash != NULL)
526 MPASS(cipher != NULL);
/*
 * A cri_mlen of zero selects the full tag or digest length.
 * NOTE(review): no upper bound on cri_mlen is visible in this function;
 * confirm it is validated against the digest size before it reaches here.
 */
530 if (hash->cri_mlen == 0)
531 s->gmac.hash_len = AES_GMAC_HASH_LEN;
533 s->gmac.hash_len = hash->cri_mlen;
534 } else if (hash != NULL) {
535 s->hmac.auth_hash = auth_hash;
536 s->hmac.auth_mode = auth_mode;
537 s->hmac.partial_digest_len = partial_digest_len;
538 if (hash->cri_mlen == 0)
539 s->hmac.hash_len = auth_hash->hashsize;
541 s->hmac.hash_len = hash->cri_mlen;
542 ccp_init_hmac_digest(s, hash->cri_alg, hash->cri_key,
/* The cipher key is optional here; ccp_process() accepts per-request keys. */
545 if (cipher != NULL) {
546 s->blkcipher.cipher_mode = cipher_mode;
547 s->blkcipher.iv_len = iv_len;
548 if (cipher->cri_key != NULL)
549 ccp_aes_setkey(s, cipher->cri_alg, cipher->cri_key,
554 mtx_unlock(&sc->lock);
/*
 * Session teardown. The only visible action is a diagnostic when the session
 * is freed with requests still pending.
 * NOTE(review): no wipe of the session key material (blkcipher.enckey,
 * hmac.ipad, hmac.opad) is visible in this listing; confirm whether the
 * driver or the framework clears it.
 */
560 ccp_freesession(device_t dev, crypto_session_t cses)
562 struct ccp_session *s;
564 s = crypto_get_driver_session(cses);
568 "session %p freed with %d pending requests\n", s,
/*
 * Dispatch one crypto request: reserve ring space on the queue of the
 * session, map the request buffer, apply any per-request keys, and hand the
 * request to the HMAC, block cipher, authenc or GCM path.
 */
574 ccp_process(device_t dev, struct cryptop *crp, int hint)
576 struct ccp_softc *sc;
577 struct ccp_queue *qp;
578 struct ccp_session *s;
579 struct cryptodesc *crd, *crda, *crde;
589 s = crypto_get_driver_session(crp->crp_session);
590 sc = device_get_softc(dev);
592 qp = &sc->queues[s->queue];
593 mtx_unlock(&sc->lock);
/* M_NOWAIT: a full ring gives an error here instead of sleeping. */
594 error = ccp_queue_acquire_reserve(qp, 1 /* placeholder */, M_NOWAIT);
599 error = ccp_populate_sglist(qp->cq_sg_crp, crp);
/*
 * A per-request explicit key rewrites the pads stored in the session.
 * NOTE(review): session state is modified per request here and in the
 * cipher_first assignments below; the queue lock taken by
 * ccp_queue_acquire_reserve() appears to serialise this - confirm.
 */
605 if (crd->crd_flags & CRD_F_KEY_EXPLICIT)
606 ccp_init_hmac_digest(s, crd->crd_alg, crd->crd_key,
608 error = ccp_hmac(qp, s, crp);
/* An explicit cipher key is length-checked before ccp_aes_setkey() runs. */
611 if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
612 error = ccp_aes_check_keylen(crd->crd_alg,
616 ccp_aes_setkey(s, crd->crd_alg, crd->crd_key,
619 error = ccp_blkcipher(qp, s, crp);
623 switch (crd->crd_alg) {
627 /* Only encrypt-then-authenticate supported. */
/*
 * The descriptor order is checked against the direction flag in both
 * arrangements; the rejection statements are not visible in this listing.
 */
629 crda = crd->crd_next;
630 if (!(crde->crd_flags & CRD_F_ENCRYPT)) {
634 s->cipher_first = true;
638 crde = crd->crd_next;
639 if (crde->crd_flags & CRD_F_ENCRYPT) {
643 s->cipher_first = false;
648 if (crda->crd_flags & CRD_F_KEY_EXPLICIT)
649 ccp_init_hmac_digest(s, crda->crd_alg, crda->crd_key,
651 if (crde->crd_flags & CRD_F_KEY_EXPLICIT) {
652 error = ccp_aes_check_keylen(crde->crd_alg,
656 ccp_aes_setkey(s, crde->crd_alg, crde->crd_key,
659 error = ccp_authenc(qp, s, crp, crda, crde);
/* GCM: the descriptor order only records which side comes first. */
663 if (crd->crd_alg == CRYPTO_AES_NIST_GCM_16) {
665 crda = crd->crd_next;
666 s->cipher_first = true;
669 crde = crd->crd_next;
670 s->cipher_first = false;
672 if (crde->crd_flags & CRD_F_KEY_EXPLICIT) {
673 error = ccp_aes_check_keylen(crde->crd_alg,
677 ccp_aes_setkey(s, crde->crd_alg, crde->crd_key,
/*
 * Empty payload: the queue lock is dropped and the tag is computed in
 * software by ccp_gcm_soft().
 */
680 if (crde->crd_len == 0) {
681 mtx_unlock(&qp->cq_lock);
682 ccp_gcm_soft(s, crp, crda, crde);
685 error = ccp_gcm(qp, s, crp, crda, crde);
696 * Squash EAGAIN so callers don't uselessly and
697 * expensively retry if the ring was full.
703 ccp_queue_release(qp);
707 DPRINTF(dev, "%s: early error:%d\n", __func__, error);
708 crp->crp_etype = error;
/*
 * Method table: the device probe, attach and detach entry points plus the
 * three opencrypto session and processing entry points.
 */
714 static device_method_t ccp_methods[] = {
715 DEVMETHOD(device_probe, ccp_probe),
716 DEVMETHOD(device_attach, ccp_attach),
717 DEVMETHOD(device_detach, ccp_detach),
719 DEVMETHOD(cryptodev_newsession, ccp_newsession),
720 DEVMETHOD(cryptodev_freesession, ccp_freesession),
721 DEVMETHOD(cryptodev_process, ccp_process),
726 static driver_t ccp_driver = {
729 sizeof(struct ccp_softc)
732 static devclass_t ccp_devclass;
/* The module depends on the crypto framework and on random_device. */
733 DRIVER_MODULE(ccp, pci, ccp_driver, ccp_devclass, NULL, NULL);
734 MODULE_VERSION(ccp, 1);
735 MODULE_DEPEND(ccp, crypto, 1, 1, 1);
736 MODULE_DEPEND(ccp, random_device, 1, 1, 1);
/*
 * The PNP table is compiled out on purpose, so the driver is not loaded
 * automatically for matching hardware.
 */
737 #if 0 /* There are enough known issues that we shouldn't load automatically */
738 MODULE_PNP_INFO("W32:vendor/device", pci, ccp, ccp_ids,
/*
 * Wait for, or test for, n free descriptor slots on the ring. The caller
 * must hold qp->cq_lock. The return values are not visible in this listing.
 */
743 ccp_queue_reserve_space(struct ccp_queue *qp, unsigned n, int mflags)
745 struct ccp_softc *sc;
747 mtx_assert(&qp->cq_lock, MA_OWNED);
/* Reject a zero count and any count of at least the ring size. */
750 if (n < 1 || n >= (1 << sc->ring_size_order))
754 if (ccp_queue_get_ring_space(qp) >= n)
/* Without M_WAITOK the function does not sleep for space. */
756 if ((mflags & M_WAITOK) == 0)
/*
 * Otherwise mark the queue as having a waiter and sleep on cq_tail, with
 * cq_lock as the interlock and no timeout.
 */
758 qp->cq_waiting = true;
759 msleep(&qp->cq_tail, &qp->cq_lock, 0, "ccpqfull", 0);
/*
 * Start a transaction on the queue: take cq_lock, record the current tail in
 * cq_acq_tail so an abort can roll back, and reserve n descriptor slots.
 * The unlock below is presumably the failure path (its condition is not
 * visible); ccp_queue_release() and ccp_queue_abort() both assert that the
 * lock is held when they run.
 */
764 ccp_queue_acquire_reserve(struct ccp_queue *qp, unsigned n, int mflags)
768 mtx_lock(&qp->cq_lock);
769 qp->cq_acq_tail = qp->cq_tail;
770 error = ccp_queue_reserve_space(qp, n, mflags);
772 mtx_unlock(&qp->cq_lock);
/*
 * Commit a transaction: if descriptors were added since the acquire, call
 * ccp_queue_write_tail(), then drop cq_lock. The caller must hold cq_lock.
 */
777 ccp_queue_release(struct ccp_queue *qp)
780 mtx_assert(&qp->cq_lock, MA_OWNED);
781 if (qp->cq_tail != qp->cq_acq_tail) {
783 ccp_queue_write_tail(qp);
785 mtx_unlock(&qp->cq_lock);
/*
 * Roll back a transaction: zero every descriptor written since the acquire,
 * restore the tail to cq_acq_tail and drop cq_lock. The caller must hold
 * cq_lock.
 */
789 ccp_queue_abort(struct ccp_queue *qp)
793 mtx_assert(&qp->cq_lock, MA_OWNED);
795 /* Wipe out any descriptors associated with this aborted txn. */
/* The index wraps modulo the ring size, 1 << ring_size_order. */
796 for (i = qp->cq_acq_tail; i != qp->cq_tail;
797 i = (i + 1) % (1 << qp->cq_softc->ring_size_order)) {
798 memset(&qp->desc_ring[i], 0, sizeof(qp->desc_ring[i]));
800 qp->cq_tail = qp->cq_acq_tail;
802 mtx_unlock(&qp->cq_lock);
/*
 * Debugger helpers: call the ddb show routine of the lock class for a lock
 * object. db_show_lock() takes a lock and passes its embedded lock_object.
 */
806 #define _db_show_lock(lo) LOCK_CLASS(lo)->lc_ddb_show(lo)
807 #define db_show_lock(lk) _db_show_lock(&(lk)->lock_object)
/*
 * Debugger dump of one softc: driver id, lock state, detaching flag, ring
 * size order, hardware version and decoded feature bits. The output includes
 * the kernel address of the softc.
 */
809 db_show_ccp_sc(struct ccp_softc *sc)
812 db_printf("ccp softc at %p\n", sc);
813 db_printf(" cid: %d\n", (int)sc->cid);
815 db_printf(" lock: ");
816 db_show_lock(&sc->lock);
818 db_printf(" detaching: %d\n", (int)sc->detaching);
819 db_printf(" ring_size_order: %u\n", sc->ring_size_order);
821 db_printf(" hw_version: %d\n", (int)sc->hw_version);
/* %b decodes hw_features with the bit-name string that follows. */
822 db_printf(" hw_features: %b\n", (int)sc->hw_features,
823 "\20\24ELFC\23TRNG\22Zip_Compress\16Zip_Decompress\13ECC\12RSA"
824 "\11SHA\0103DES\07AES");
826 db_printf(" hw status:\n");
/*
 * Debugger dump of one queue: lock state, queue index, owning softc, ring
 * indices, ring addresses and the hardware status printed by
 * db_ccp_show_queue_hw(). The output includes kernel virtual addresses and
 * the bus address of the descriptor ring.
 */
831 db_show_ccp_qp(struct ccp_queue *qp)
834 db_printf(" lock: ");
835 db_show_lock(&qp->cq_lock);
837 db_printf(" cq_qindex: %u\n", qp->cq_qindex);
838 db_printf(" cq_softc: %p\n", qp->cq_softc);
840 db_printf(" head: %u\n", qp->cq_head);
841 db_printf(" tail: %u\n", qp->cq_tail);
842 db_printf(" acq_tail: %u\n", qp->cq_acq_tail);
843 db_printf(" desc_ring: %p\n", qp->desc_ring);
844 db_printf(" completions_ring: %p\n", qp->completions_ring);
845 db_printf(" descriptors (phys): 0x%jx\n",
846 (uintmax_t)qp->desc_ring_bus_addr);
848 db_printf(" hw status:\n");
849 db_ccp_show_queue_hw(qp);
/*
 * ddb command "show ccp <unit>[,<qindex>]". The address argument is taken as
 * the unit number and the count argument as the queue index.
 */
852 DB_SHOW_COMMAND(ccp, db_show_ccp)
854 struct ccp_softc *sc;
855 unsigned unit, qindex;
860 unit = (unsigned)addr;
/* The check that produces the message below is not visible in this listing. */
862 sc = devclass_get_softc(ccp_devclass, unit);
864 db_printf("No such device ccp%u\n", unit);
/* The queue index is bounds-checked before it indexes sc->queues. */
873 qindex = (unsigned)count;
874 if (qindex >= nitems(sc->queues)) {
875 db_printf("No such queue %u\n", qindex);
878 db_show_ccp_qp(&sc->queues[qindex]);
882 db_printf("usage: show ccp <unit>[,<qindex>]\n");