crypto/bcm/spu.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * Copyright 2016 Broadcom
0004  */
0005
0006 #include <linux/kernel.h>
0007 #include <linux/string.h>
0008
0009 #include "util.h"
0010 #include "spu.h"
0011 #include "spum.h"
0012 #include "cipher.h"
0013
0014 char *hash_alg_name[] = { "None", "md5", "sha1", "sha224", "sha256", "aes",
0015     "sha384", "sha512", "sha3_224", "sha3_256", "sha3_384", "sha3_512" };
0016
0017 char *aead_alg_name[] = { "ccm(aes)", "gcm(aes)", "authenc" };
0018
0019 /* Assumes SPU-M messages are in big endian */
0020 void spum_dump_msg_hdr(u8 *buf, unsigned int buf_len)
0021 {
0022     u8 *ptr = buf;
0023     struct SPUHEADER *spuh = (struct SPUHEADER *)buf;
0024     unsigned int hash_key_len = 0;
0025     unsigned int hash_state_len = 0;
0026     unsigned int cipher_key_len = 0;
0027     unsigned int iv_len;
0028     u32 pflags;
0029     u32 cflags;
0030     u32 ecf;
0031     u32 cipher_alg;
0032     u32 cipher_mode;
0033     u32 cipher_type;
0034     u32 hash_alg;
0035     u32 hash_mode;
0036     u32 hash_type;
0037     u32 sctx_size;   /* SCTX length in words */
0038     u32 sctx_pl_len; /* SCTX payload length in bytes */
0039
0040     packet_log("\n");
0041     packet_log("SPU Message header %p len: %u\n", buf, buf_len);
0042
0043     /* ========== Decode MH ========== */
0044     packet_log("  MH 0x%08x\n", be32_to_cpup((__be32 *)ptr));
0045     if (spuh->mh.flags & MH_SCTX_PRES)
0046         packet_log("    SCTX  present\n");
0047     if (spuh->mh.flags & MH_BDESC_PRES)
0048         packet_log("    BDESC present\n");
0049     if (spuh->mh.flags & MH_MFM_PRES)
0050         packet_log("    MFM   present\n");
0051     if (spuh->mh.flags & MH_BD_PRES)
0052         packet_log("    BD    present\n");
0053     if (spuh->mh.flags & MH_HASH_PRES)
0054         packet_log("    HASH  present\n");
0055     if (spuh->mh.flags & MH_SUPDT_PRES)
0056         packet_log("    SUPDT present\n");
0057     packet_log("    Opcode 0x%02x\n", spuh->mh.op_code);
0058
0059     ptr += sizeof(spuh->mh) + sizeof(spuh->emh);  /* skip emh. unused */
0060
0061     /* ========== Decode SCTX ========== */
0062     if (spuh->mh.flags & MH_SCTX_PRES) {
0063         pflags = be32_to_cpu(spuh->sa.proto_flags);
0064         packet_log("  SCTX[0] 0x%08x\n", pflags);
0065         sctx_size = pflags & SCTX_SIZE;
0066         packet_log("    Size %u words\n", sctx_size);
0067
0068         cflags = be32_to_cpu(spuh->sa.cipher_flags);
0069         packet_log("  SCTX[1] 0x%08x\n", cflags);
0070         packet_log("    Inbound:%lu (1:decrypt/vrfy 0:encrypt/auth)\n",
0071                (cflags & CIPHER_INBOUND) >> CIPHER_INBOUND_SHIFT);
0072         packet_log("    Order:%lu (1:AuthFirst 0:EncFirst)\n",
0073                (cflags & CIPHER_ORDER) >> CIPHER_ORDER_SHIFT);
0074         packet_log("    ICV_IS_512:%lx\n",
0075                (cflags & ICV_IS_512) >> ICV_IS_512_SHIFT);
0076         cipher_alg = (cflags & CIPHER_ALG) >> CIPHER_ALG_SHIFT;
0077         cipher_mode = (cflags & CIPHER_MODE) >> CIPHER_MODE_SHIFT;
0078         cipher_type = (cflags & CIPHER_TYPE) >> CIPHER_TYPE_SHIFT;
0079         packet_log("    Crypto Alg:%u Mode:%u Type:%u\n",
0080                cipher_alg, cipher_mode, cipher_type);
0081         hash_alg = (cflags & HASH_ALG) >> HASH_ALG_SHIFT;
0082         hash_mode = (cflags & HASH_MODE) >> HASH_MODE_SHIFT;
0083         hash_type = (cflags & HASH_TYPE) >> HASH_TYPE_SHIFT;
0084         packet_log("    Hash   Alg:%x Mode:%x Type:%x\n",
0085                hash_alg, hash_mode, hash_type);
0086         packet_log("    UPDT_Offset:%u\n", cflags & UPDT_OFST);
0087
0088         ecf = be32_to_cpu(spuh->sa.ecf);
0089         packet_log("  SCTX[2] 0x%08x\n", ecf);
0090         packet_log("    WriteICV:%lu CheckICV:%lu ICV_SIZE:%u ",
0091                (ecf & INSERT_ICV) >> INSERT_ICV_SHIFT,
0092                (ecf & CHECK_ICV) >> CHECK_ICV_SHIFT,
0093                (ecf & ICV_SIZE) >> ICV_SIZE_SHIFT);
0094         packet_log("BD_SUPPRESS:%lu\n",
0095                (ecf & BD_SUPPRESS) >> BD_SUPPRESS_SHIFT);
0096         packet_log("    SCTX_IV:%lu ExplicitIV:%lu GenIV:%lu ",
0097                (ecf & SCTX_IV) >> SCTX_IV_SHIFT,
0098                (ecf & EXPLICIT_IV) >> EXPLICIT_IV_SHIFT,
0099                (ecf & GEN_IV) >> GEN_IV_SHIFT);
0100         packet_log("IV_OV_OFST:%lu EXP_IV_SIZE:%u\n",
0101                (ecf & IV_OFFSET) >> IV_OFFSET_SHIFT,
0102                ecf & EXP_IV_SIZE);
0103
0104         ptr += sizeof(struct SCTX);
0105
0106         if (hash_alg && hash_mode) {
0107             char *name = "NONE";
0108
0109             switch (hash_alg) {
0110             case HASH_ALG_MD5:
0111                 hash_key_len = 16;
0112                 name = "MD5";
0113                 break;
0114             case HASH_ALG_SHA1:
0115                 hash_key_len = 20;
0116                 name = "SHA1";
0117                 break;
0118             case HASH_ALG_SHA224:
0119                 hash_key_len = 28;
0120                 name = "SHA224";
0121                 break;
0122             case HASH_ALG_SHA256:
0123                 hash_key_len = 32;
0124                 name = "SHA256";
0125                 break;
0126             case HASH_ALG_SHA384:
0127                 hash_key_len = 48;
0128                 name = "SHA384";
0129                 break;
0130             case HASH_ALG_SHA512:
0131                 hash_key_len = 64;
0132                 name = "SHA512";
0133                 break;
0134             case HASH_ALG_AES:
0135                 hash_key_len = 0;
0136                 name = "AES";
0137                 break;
0138             case HASH_ALG_NONE:
0139                 break;
0140             }
0141
0142             packet_log("    Auth Key Type:%s Length:%u Bytes\n",
0143                    name, hash_key_len);
0144             packet_dump("    KEY: ", ptr, hash_key_len);
0145             ptr += hash_key_len;
0146         } else if ((hash_alg == HASH_ALG_AES) &&
0147                (hash_mode == HASH_MODE_XCBC)) {
0148             char *name = "NONE";
0149
0150             switch (cipher_type) {
0151             case CIPHER_TYPE_AES128:
0152                 hash_key_len = 16;
0153                 name = "AES128-XCBC";
0154                 break;
0155             case CIPHER_TYPE_AES192:
0156                 hash_key_len = 24;
0157                 name = "AES192-XCBC";
0158                 break;
0159             case CIPHER_TYPE_AES256:
0160                 hash_key_len = 32;
0161                 name = "AES256-XCBC";
0162                 break;
0163             }
0164             packet_log("    Auth Key Type:%s Length:%u Bytes\n",
0165                    name, hash_key_len);
0166             packet_dump("    KEY: ", ptr, hash_key_len);
0167             ptr += hash_key_len;
0168         }
0169
0170         if (hash_alg && (hash_mode == HASH_MODE_NONE) &&
0171             (hash_type == HASH_TYPE_UPDT)) {
0172             char *name = "NONE";
0173
0174             switch (hash_alg) {
0175             case HASH_ALG_MD5:
0176                 hash_state_len = 16;
0177                 name = "MD5";
0178                 break;
0179             case HASH_ALG_SHA1:
0180                 hash_state_len = 20;
0181                 name = "SHA1";
0182                 break;
0183             case HASH_ALG_SHA224:
0184                 hash_state_len = 32;
0185                 name = "SHA224";
0186                 break;
0187             case HASH_ALG_SHA256:
0188                 hash_state_len = 32;
0189                 name = "SHA256";
0190                 break;
0191             case HASH_ALG_SHA384:
0192                 hash_state_len = 48;
0193                 name = "SHA384";
0194                 break;
0195             case HASH_ALG_SHA512:
0196                 hash_state_len = 64;
0197                 name = "SHA512";
0198                 break;
0199             case HASH_ALG_AES:
0200                 hash_state_len = 0;
0201                 name = "AES";
0202                 break;
0203             case HASH_ALG_NONE:
0204                 break;
0205             }
0206
0207             packet_log("    Auth State Type:%s Length:%u Bytes\n",
0208                    name, hash_state_len);
0209             packet_dump("    State: ", ptr, hash_state_len);
0210             ptr += hash_state_len;
0211         }
0212
0213         if (cipher_alg) {
0214             char *name = "NONE";
0215
0216             switch (cipher_alg) {
0217             case CIPHER_ALG_DES:
0218                 cipher_key_len = 8;
0219                 name = "DES";
0220                 break;
0221             case CIPHER_ALG_3DES:
0222                 cipher_key_len = 24;
0223                 name = "3DES";
0224                 break;
0225             case CIPHER_ALG_AES:
0226                 switch (cipher_type) {
0227                 case CIPHER_TYPE_AES128:
0228                     cipher_key_len = 16;
0229                     name = "AES128";
0230                     break;
0231                 case CIPHER_TYPE_AES192:
0232                     cipher_key_len = 24;
0233                     name = "AES192";
0234                     break;
0235                 case CIPHER_TYPE_AES256:
0236                     cipher_key_len = 32;
0237                     name = "AES256";
0238                     break;
0239                 }
0240                 break;
0241             case CIPHER_ALG_NONE:
0242                 break;
0243             }
0244
0245             packet_log("    Cipher Key Type:%s Length:%u Bytes\n",
0246                    name, cipher_key_len);
0247
0248             /* XTS has two keys */
0249             if (cipher_mode == CIPHER_MODE_XTS) {
0250                 packet_dump("    KEY2: ", ptr, cipher_key_len);
0251                 ptr += cipher_key_len;
0252                 packet_dump("    KEY1: ", ptr, cipher_key_len);
0253                 ptr += cipher_key_len;
0254
0255                 cipher_key_len *= 2;
0256             } else {
0257                 packet_dump("    KEY: ", ptr, cipher_key_len);
0258                 ptr += cipher_key_len;
0259             }
0260
0261             if (ecf & SCTX_IV) {
0262                 sctx_pl_len = sctx_size * sizeof(u32) -
0263                     sizeof(struct SCTX);
0264                 iv_len = sctx_pl_len -
0265                     (hash_key_len + hash_state_len +
0266                      cipher_key_len);
0267                 packet_log("    IV Length:%u Bytes\n", iv_len);
0268                 packet_dump("    IV: ", ptr, iv_len);
0269                 ptr += iv_len;
0270             }
0271         }
0272     }
0273
0274     /* ========== Decode BDESC ========== */
0275     if (spuh->mh.flags & MH_BDESC_PRES) {
0276         struct BDESC_HEADER *bdesc = (struct BDESC_HEADER *)ptr;
0277
0278         packet_log("  BDESC[0] 0x%08x\n", be32_to_cpup((__be32 *)ptr));
0279         packet_log("    OffsetMAC:%u LengthMAC:%u\n",
0280                be16_to_cpu(bdesc->offset_mac),
0281                be16_to_cpu(bdesc->length_mac));
0282         ptr += sizeof(u32);
0283
0284         packet_log("  BDESC[1] 0x%08x\n", be32_to_cpup((__be32 *)ptr));
0285         packet_log("    OffsetCrypto:%u LengthCrypto:%u\n",
0286                be16_to_cpu(bdesc->offset_crypto),
0287                be16_to_cpu(bdesc->length_crypto));
0288         ptr += sizeof(u32);
0289
0290         packet_log("  BDESC[2] 0x%08x\n", be32_to_cpup((__be32 *)ptr));
0291         packet_log("    OffsetICV:%u OffsetIV:%u\n",
0292                be16_to_cpu(bdesc->offset_icv),
0293                be16_to_cpu(bdesc->offset_iv));
0294         ptr += sizeof(u32);
0295     }
0296
0297     /* ========== Decode BD ========== */
0298     if (spuh->mh.flags & MH_BD_PRES) {
0299         struct BD_HEADER *bd = (struct BD_HEADER *)ptr;
0300
0301         packet_log("  BD[0] 0x%08x\n", be32_to_cpup((__be32 *)ptr));
0302         packet_log("    Size:%ubytes PrevLength:%u\n",
0303                be16_to_cpu(bd->size), be16_to_cpu(bd->prev_length));
0304         ptr += 4;
0305     }
0306
0307     /* Double check sanity */
0308     if (buf + buf_len != ptr) {
0309         packet_log(" Packet parsed incorrectly. ");
0310         packet_log("buf:%p buf_len:%u buf+buf_len:%p ptr:%p\n",
0311                buf, buf_len, buf + buf_len, ptr);
0312     }
0313
0314     packet_log("\n");
0315 }
0316
0317 /**
0318  * spum_ns2_ctx_max_payload() - Determine the max length of the payload for a
0319  * SPU message for a given cipher and hash alg context.
0320  * @cipher_alg:     The cipher algorithm
0321  * @cipher_mode:    The cipher mode
0322  * @blocksize:      The size of a block of data for this algo
0323  *
0324  * The max payload must be a multiple of the blocksize so that if a request is
0325  * too large to fit in a single SPU message, the request can be broken into
0326  * max_payload sized chunks. Each chunk must be a multiple of blocksize.
0327  *
0328  * Return: Max payload length in bytes
0329  */
0330 u32 spum_ns2_ctx_max_payload(enum spu_cipher_alg cipher_alg,
0331                  enum spu_cipher_mode cipher_mode,
0332                  unsigned int blocksize)
0333 {
0334     u32 max_payload = SPUM_NS2_MAX_PAYLOAD;
0335     u32 excess;
0336
0337     /* In XTS on SPU-M, we'll need to insert tweak before input data */
0338     if (cipher_mode == CIPHER_MODE_XTS)
0339         max_payload -= SPU_XTS_TWEAK_SIZE;
0340
0341     excess = max_payload % blocksize;
0342
0343     return max_payload - excess;
0344 }
0345
0346 /**
0347  * spum_nsp_ctx_max_payload() - Determine the max length of the payload for a
0348  * SPU message for a given cipher and hash alg context.
0349  * @cipher_alg:     The cipher algorithm
0350  * @cipher_mode:    The cipher mode
0351  * @blocksize:      The size of a block of data for this algo
0352  *
0353  * The max payload must be a multiple of the blocksize so that if a request is
0354  * too large to fit in a single SPU message, the request can be broken into
0355  * max_payload sized chunks. Each chunk must be a multiple of blocksize.
0356  *
0357  * Return: Max payload length in bytes
0358  */
0359 u32 spum_nsp_ctx_max_payload(enum spu_cipher_alg cipher_alg,
0360                  enum spu_cipher_mode cipher_mode,
0361                  unsigned int blocksize)
0362 {
0363     u32 max_payload = SPUM_NSP_MAX_PAYLOAD;
0364     u32 excess;
0365
0366     /* In XTS on SPU-M, we'll need to insert tweak before input data */
0367     if (cipher_mode == CIPHER_MODE_XTS)
0368         max_payload -= SPU_XTS_TWEAK_SIZE;
0369
0370     excess = max_payload % blocksize;
0371
0372     return max_payload - excess;
0373 }
0374
0375 /** spum_payload_length() - Given a SPU-M message header, extract the payload
0376  * length.
0377  * @spu_hdr:    Start of SPU header
0378  *
0379  * Assumes just MH, EMH, BD (no SCTX, BDESC. Works for response frames.
0380  *
0381  * Return: payload length in bytes
0382  */
0383 u32 spum_payload_length(u8 *spu_hdr)
0384 {
0385     struct BD_HEADER *bd;
0386     u32 pl_len;
0387
0388     /* Find BD header.  skip MH, EMH */
0389     bd = (struct BD_HEADER *)(spu_hdr + 8);
0390     pl_len = be16_to_cpu(bd->size);
0391
0392     return pl_len;
0393 }
0394
0395 /**
0396  * spum_response_hdr_len() - Given the length of the hash key and encryption
0397  * key, determine the expected length of a SPU response header.
0398  * @auth_key_len:   authentication key length (bytes)
0399  * @enc_key_len:    encryption key length (bytes)
0400  * @is_hash:        true if response message is for a hash operation
0401  *
0402  * Return: length of SPU response header (bytes)
0403  */
0404 u16 spum_response_hdr_len(u16 auth_key_len, u16 enc_key_len, bool is_hash)
0405 {
0406     if (is_hash)
0407         return SPU_HASH_RESP_HDR_LEN;
0408     else
0409         return SPU_RESP_HDR_LEN;
0410 }
0411
0412 /**
0413  * spum_hash_pad_len() - Calculate the length of hash padding required to extend
0414  * data to a full block size.
0415  * @hash_alg:   hash algorithm
0416  * @hash_mode:       hash mode
0417  * @chunksize:  length of data, in bytes
0418  * @hash_block_size:  size of a block of data for hash algorithm
0419  *
0420  * Reserve space for 1 byte (0x80) start of pad and the total length as u64
0421  *
0422  * Return:  length of hash pad in bytes
0423  */
0424 u16 spum_hash_pad_len(enum hash_alg hash_alg, enum hash_mode hash_mode,
0425               u32 chunksize, u16 hash_block_size)
0426 {
0427     unsigned int length_len;
0428     unsigned int used_space_last_block;
0429     int hash_pad_len;
0430
0431     /* AES-XCBC hash requires just padding to next block boundary */
0432     if ((hash_alg == HASH_ALG_AES) && (hash_mode == HASH_MODE_XCBC)) {
0433         used_space_last_block = chunksize % hash_block_size;
0434         hash_pad_len = hash_block_size - used_space_last_block;
0435         if (hash_pad_len >= hash_block_size)
0436             hash_pad_len -= hash_block_size;
0437         return hash_pad_len;
0438     }
0439
0440     used_space_last_block = chunksize % hash_block_size + 1;
0441     if ((hash_alg == HASH_ALG_SHA384) || (hash_alg == HASH_ALG_SHA512))
0442         length_len = 2 * sizeof(u64);
0443     else
0444         length_len = sizeof(u64);
0445
0446     used_space_last_block += length_len;
0447     hash_pad_len = hash_block_size - used_space_last_block;
0448     if (hash_pad_len < 0)
0449         hash_pad_len += hash_block_size;
0450
0451     hash_pad_len += 1 + length_len;
0452     return hash_pad_len;
0453 }
0454
0455 /**
0456  * spum_gcm_ccm_pad_len() - Determine the required length of GCM or CCM padding.
0457  * @cipher_mode:    Algo type
0458  * @data_size:      Length of plaintext (bytes)
0459  *
0460  * Return: Length of padding, in bytes
0461  */
0462 u32 spum_gcm_ccm_pad_len(enum spu_cipher_mode cipher_mode,
0463              unsigned int data_size)
0464 {
0465     u32 pad_len = 0;
0466     u32 m1 = SPU_GCM_CCM_ALIGN - 1;
0467
0468     if ((cipher_mode == CIPHER_MODE_GCM) ||
0469         (cipher_mode == CIPHER_MODE_CCM))
0470         pad_len = ((data_size + m1) & ~m1) - data_size;
0471
0472     return pad_len;
0473 }
0474
0475 /**
0476  * spum_assoc_resp_len() - Determine the size of the receive buffer required to
0477  * catch associated data.
0478  * @cipher_mode:    cipher mode
0479  * @assoc_len:      length of associated data (bytes)
0480  * @iv_len:     length of IV (bytes)
0481  * @is_encrypt:     true if encrypting. false if decrypting.
0482  *
0483  * Return: length of associated data in response message (bytes)
0484  */
0485 u32 spum_assoc_resp_len(enum spu_cipher_mode cipher_mode,
0486             unsigned int assoc_len, unsigned int iv_len,
0487             bool is_encrypt)
0488 {
0489     u32 buflen = 0;
0490     u32 pad;
0491
0492     if (assoc_len)
0493         buflen = assoc_len;
0494
0495     if (cipher_mode == CIPHER_MODE_GCM) {
0496         /* AAD needs to be padded in responses too */
0497         pad = spum_gcm_ccm_pad_len(cipher_mode, buflen);
0498         buflen += pad;
0499     }
0500     if (cipher_mode == CIPHER_MODE_CCM) {
0501         /*
0502          * AAD needs to be padded in responses too
0503          * for CCM, len + 2 needs to be 128-bit aligned.
0504          */
0505         pad = spum_gcm_ccm_pad_len(cipher_mode, buflen + 2);
0506         buflen += pad;
0507     }
0508
0509     return buflen;
0510 }
0511
0512 /**
0513  * spum_aead_ivlen() - Calculate the length of the AEAD IV to be included
0514  * in a SPU request after the AAD and before the payload.
0515  * @cipher_mode:  cipher mode
0516  * @iv_len:   initialization vector length in bytes
0517  *
0518  * In Linux ~4.2 and later, the assoc_data sg includes the IV. So no need
0519  * to include the IV as a separate field in the SPU request msg.
0520  *
0521  * Return: Length of AEAD IV in bytes
0522  */
0523 u8 spum_aead_ivlen(enum spu_cipher_mode cipher_mode, u16 iv_len)
0524 {
0525     return 0;
0526 }
0527
0528 /**
0529  * spum_hash_type() - Determine the type of hash operation.
0530  * @src_sent:  The number of bytes in the current request that have already
0531  *             been sent to the SPU to be hashed.
0532  *
0533  * We do not use HASH_TYPE_FULL for requests that fit in a single SPU message.
0534  * Using FULL causes failures (such as when the string to be hashed is empty).
0535  * For similar reasons, we never use HASH_TYPE_FIN. Instead, submit messages
0536  * as INIT or UPDT and do the hash padding in sw.
0537  */
0538 enum hash_type spum_hash_type(u32 src_sent)
0539 {
0540     return src_sent ? HASH_TYPE_UPDT : HASH_TYPE_INIT;
0541 }
0542
0543 /**
0544  * spum_digest_size() - Determine the size of a hash digest to expect the SPU to
0545  * return.
0546  * @alg_digest_size: Number of bytes in the final digest for the given algo
0547  * @alg:             The hash algorithm
0548  * @htype:           Type of hash operation (init, update, full, etc)
0549  *
0550  * When doing incremental hashing for an algorithm with a truncated hash
0551  * (e.g., SHA224), the SPU returns the full digest so that it can be fed back as
0552  * a partial result for the next chunk.
0553  */
0554 u32 spum_digest_size(u32 alg_digest_size, enum hash_alg alg,
0555              enum hash_type htype)
0556 {
0557     u32 digestsize = alg_digest_size;
0558
0559     /* SPU returns complete digest when doing incremental hash and truncated
0560      * hash algo.
0561      */
0562     if ((htype == HASH_TYPE_INIT) || (htype == HASH_TYPE_UPDT)) {
0563         if (alg == HASH_ALG_SHA224)
0564             digestsize = SHA256_DIGEST_SIZE;
0565         else if (alg == HASH_ALG_SHA384)
0566             digestsize = SHA512_DIGEST_SIZE;
0567     }
0568     return digestsize;
0569 }
0570
0571 /**
0572  * spum_create_request() - Build a SPU request message header, up to and
0573  * including the BD header. Construct the message starting at spu_hdr. Caller
0574  * should allocate this buffer in DMA-able memory at least SPU_HEADER_ALLOC_LEN
0575  * bytes long.
0576  * @spu_hdr: Start of buffer where SPU request header is to be written
0577  * @req_opts: SPU request message options
0578  * @cipher_parms: Parameters related to cipher algorithm
0579  * @hash_parms:   Parameters related to hash algorithm
0580  * @aead_parms:   Parameters related to AEAD operation
0581  * @data_size:    Length of data to be encrypted or authenticated. If AEAD, does
0582  *        not include length of AAD.
0583  *
0584  * Return: the length of the SPU header in bytes. 0 if an error occurs.
0585  */
0586 u32 spum_create_request(u8 *spu_hdr,
0587             struct spu_request_opts *req_opts,
0588             struct spu_cipher_parms *cipher_parms,
0589             struct spu_hash_parms *hash_parms,
0590             struct spu_aead_parms *aead_parms,
0591             unsigned int data_size)
0592 {
0593     struct SPUHEADER *spuh;
0594     struct BDESC_HEADER *bdesc;
0595     struct BD_HEADER *bd;
0596
0597     u8 *ptr;
0598     u32 protocol_bits = 0;
0599     u32 cipher_bits = 0;
0600     u32 ecf_bits = 0;
0601     u8 sctx_words = 0;
0602     unsigned int buf_len = 0;
0603
0604     /* size of the cipher payload */
0605     unsigned int cipher_len = hash_parms->prebuf_len + data_size +
0606                 hash_parms->pad_len;
0607
0608     /* offset of prebuf or data from end of BD header */
0609     unsigned int cipher_offset = aead_parms->assoc_size +
0610         aead_parms->iv_len + aead_parms->aad_pad_len;
0611
0612     /* total size of the DB data (without STAT word padding) */
0613     unsigned int real_db_size = spu_real_db_size(aead_parms->assoc_size,
0614                          aead_parms->iv_len,
0615                          hash_parms->prebuf_len,
0616                          data_size,
0617                          aead_parms->aad_pad_len,
0618                          aead_parms->data_pad_len,
0619                          hash_parms->pad_len);
0620
0621     unsigned int auth_offset = 0;
0622     unsigned int offset_iv = 0;
0623
0624     /* size/offset of the auth payload */
0625     unsigned int auth_len;
0626
0627     auth_len = real_db_size;
0628
0629     if (req_opts->is_aead && req_opts->is_inbound)
0630         cipher_len -= hash_parms->digestsize;
0631
0632     if (req_opts->is_aead && req_opts->is_inbound)
0633         auth_len -= hash_parms->digestsize;
0634
0635     if ((hash_parms->alg == HASH_ALG_AES) &&
0636         (hash_parms->mode == HASH_MODE_XCBC)) {
0637         auth_len -= hash_parms->pad_len;
0638         cipher_len -= hash_parms->pad_len;
0639     }
0640
0641     flow_log("%s()\n", __func__);
0642     flow_log("  in:%u authFirst:%u\n",
0643          req_opts->is_inbound, req_opts->auth_first);
0644     flow_log("  %s. cipher alg:%u mode:%u type %u\n",
0645          spu_alg_name(cipher_parms->alg, cipher_parms->mode),
0646          cipher_parms->alg, cipher_parms->mode, cipher_parms->type);
0647     flow_log("    key: %d\n", cipher_parms->key_len);
0648     flow_dump("    key: ", cipher_parms->key_buf, cipher_parms->key_len);
0649     flow_log("    iv: %d\n", cipher_parms->iv_len);
0650     flow_dump("    iv: ", cipher_parms->iv_buf, cipher_parms->iv_len);
0651     flow_log("  auth alg:%u mode:%u type %u\n",
0652          hash_parms->alg, hash_parms->mode, hash_parms->type);
0653     flow_log("  digestsize: %u\n", hash_parms->digestsize);
0654     flow_log("  authkey: %d\n", hash_parms->key_len);
0655     flow_dump("  authkey: ", hash_parms->key_buf, hash_parms->key_len);
0656     flow_log("  assoc_size:%u\n", aead_parms->assoc_size);
0657     flow_log("  prebuf_len:%u\n", hash_parms->prebuf_len);
0658     flow_log("  data_size:%u\n", data_size);
0659     flow_log("  hash_pad_len:%u\n", hash_parms->pad_len);
0660     flow_log("  real_db_size:%u\n", real_db_size);
0661     flow_log(" auth_offset:%u auth_len:%u cipher_offset:%u cipher_len:%u\n",
0662          auth_offset, auth_len, cipher_offset, cipher_len);
0663     flow_log("  aead_iv: %u\n", aead_parms->iv_len);
0664
0665     /* starting out: zero the header (plus some) */
0666     ptr = spu_hdr;
0667     memset(ptr, 0, sizeof(struct SPUHEADER));
0668
0669     /* format master header word */
0670     /* Do not set the next bit even though the datasheet says to */
0671     spuh = (struct SPUHEADER *)ptr;
0672     ptr += sizeof(struct SPUHEADER);
0673     buf_len += sizeof(struct SPUHEADER);
0674
0675     spuh->mh.op_code = SPU_CRYPTO_OPERATION_GENERIC;
0676     spuh->mh.flags |= (MH_SCTX_PRES | MH_BDESC_PRES | MH_BD_PRES);
0677
0678     /* Format sctx word 0 (protocol_bits) */
0679     sctx_words = 3;     /* size in words */
0680
0681     /* Format sctx word 1 (cipher_bits) */
0682     if (req_opts->is_inbound)
0683         cipher_bits |= CIPHER_INBOUND;
0684     if (req_opts->auth_first)
0685         cipher_bits |= CIPHER_ORDER;
0686
0687     /* Set the crypto parameters in the cipher.flags */
0688     cipher_bits |= cipher_parms->alg << CIPHER_ALG_SHIFT;
0689     cipher_bits |= cipher_parms->mode << CIPHER_MODE_SHIFT;
0690     cipher_bits |= cipher_parms->type << CIPHER_TYPE_SHIFT;
0691
0692     /* Set the auth parameters in the cipher.flags */
0693     cipher_bits |= hash_parms->alg << HASH_ALG_SHIFT;
0694     cipher_bits |= hash_parms->mode << HASH_MODE_SHIFT;
0695     cipher_bits |= hash_parms->type << HASH_TYPE_SHIFT;
0696
0697     /*
0698      * Format sctx extensions if required, and update main fields if
0699      * required)
0700      */
0701     if (hash_parms->alg) {
0702         /* Write the authentication key material if present */
0703         if (hash_parms->key_len) {
0704             memcpy(ptr, hash_parms->key_buf, hash_parms->key_len);
0705             ptr += hash_parms->key_len;
0706             buf_len += hash_parms->key_len;
0707             sctx_words += hash_parms->key_len / 4;
0708         }
0709
0710         if ((cipher_parms->mode == CIPHER_MODE_GCM) ||
0711             (cipher_parms->mode == CIPHER_MODE_CCM))
0712             /* unpadded length */
0713             offset_iv = aead_parms->assoc_size;
0714
0715         /* if GCM/CCM we need to write ICV into the payload */
0716         if (!req_opts->is_inbound) {
0717             if ((cipher_parms->mode == CIPHER_MODE_GCM) ||
0718                 (cipher_parms->mode == CIPHER_MODE_CCM))
0719                 ecf_bits |= 1 << INSERT_ICV_SHIFT;
0720         } else {
0721             ecf_bits |= CHECK_ICV;
0722         }
0723
0724         /* Inform the SPU of the ICV size (in words) */
0725         if (hash_parms->digestsize == 64)
0726             cipher_bits |= ICV_IS_512;
0727         else
0728             ecf_bits |=
0729             (hash_parms->digestsize / 4) << ICV_SIZE_SHIFT;
0730     }
0731
0732     if (req_opts->bd_suppress)
0733         ecf_bits |= BD_SUPPRESS;
0734
0735     /* copy the encryption keys in the SAD entry */
0736     if (cipher_parms->alg) {
0737         if (cipher_parms->key_len) {
0738             memcpy(ptr, cipher_parms->key_buf,
0739                    cipher_parms->key_len);
0740             ptr += cipher_parms->key_len;
0741             buf_len += cipher_parms->key_len;
0742             sctx_words += cipher_parms->key_len / 4;
0743         }
0744
0745         /*
0746          * if encrypting then set IV size, use SCTX IV unless no IV
0747          * given here
0748          */
0749         if (cipher_parms->iv_buf && cipher_parms->iv_len) {
0750             /* Use SCTX IV */
0751             ecf_bits |= SCTX_IV;
0752
0753             /* cipher iv provided so put it in here */
0754             memcpy(ptr, cipher_parms->iv_buf, cipher_parms->iv_len);
0755
0756             ptr += cipher_parms->iv_len;
0757             buf_len += cipher_parms->iv_len;
0758             sctx_words += cipher_parms->iv_len / 4;
0759         }
0760     }
0761
0762     /*
0763      * RFC4543 (GMAC/ESP) requires data to be sent as part of AAD
0764      * so we need to override the BDESC parameters.
0765      */
0766     if (req_opts->is_rfc4543) {
0767         if (req_opts->is_inbound)
0768             data_size -= hash_parms->digestsize;
0769         offset_iv = aead_parms->assoc_size + data_size;
0770         cipher_len = 0;
0771         cipher_offset = offset_iv;
0772         auth_len = cipher_offset + aead_parms->data_pad_len;
0773     }
0774
0775     /* write in the total sctx length now that we know it */
0776     protocol_bits |= sctx_words;
0777
0778     /* Endian adjust the SCTX */
0779     spuh->sa.proto_flags = cpu_to_be32(protocol_bits);
0780     spuh->sa.cipher_flags = cpu_to_be32(cipher_bits);
0781     spuh->sa.ecf = cpu_to_be32(ecf_bits);
0782
0783     /* === create the BDESC section === */
0784     bdesc = (struct BDESC_HEADER *)ptr;
0785
0786     bdesc->offset_mac = cpu_to_be16(auth_offset);
0787     bdesc->length_mac = cpu_to_be16(auth_len);
0788     bdesc->offset_crypto = cpu_to_be16(cipher_offset);
0789     bdesc->length_crypto = cpu_to_be16(cipher_len);
0790
0791     /*
0792      * CCM in SPU-M requires that ICV not be in same 32-bit word as data or
0793      * padding.  So account for padding as necessary.
0794      */
0795     if (cipher_parms->mode == CIPHER_MODE_CCM)
0796         auth_len += spum_wordalign_padlen(auth_len);
0797
0798     bdesc->offset_icv = cpu_to_be16(auth_len);
0799     bdesc->offset_iv = cpu_to_be16(offset_iv);
0800
0801     ptr += sizeof(struct BDESC_HEADER);
0802     buf_len += sizeof(struct BDESC_HEADER);
0803
0804     /* === no MFM section === */
0805
0806     /* === create the BD section === */
0807
0808     /* add the BD header */
0809     bd = (struct BD_HEADER *)ptr;
0810     bd->size = cpu_to_be16(real_db_size);
0811     bd->prev_length = 0;
0812
0813     ptr += sizeof(struct BD_HEADER);
0814     buf_len += sizeof(struct BD_HEADER);
0815
0816     packet_dump("  SPU request header: ", spu_hdr, buf_len);
0817
0818     return buf_len;
0819 }
0820
0821 /**
0822  * spum_cipher_req_init() - Build a SPU request message header, up to and
0823  * including the BD header.
0824  * @spu_hdr:      Start of SPU request header (MH)
0825  * @cipher_parms: Parameters that describe the cipher request
0826  *
0827  * Construct the message starting at spu_hdr. Caller should allocate this buffer
0828  * in DMA-able memory at least SPU_HEADER_ALLOC_LEN bytes long.
0829  *
0830  * Return: the length of the SPU header in bytes. 0 if an error occurs.
0831  */
0832 u16 spum_cipher_req_init(u8 *spu_hdr, struct spu_cipher_parms *cipher_parms)
0833 {
0834     struct SPUHEADER *spuh;
0835     u32 protocol_bits = 0;
0836     u32 cipher_bits = 0;
0837     u32 ecf_bits = 0;
0838     u8 sctx_words = 0;
0839     u8 *ptr = spu_hdr;
0840
0841     flow_log("%s()\n", __func__);
0842     flow_log("  cipher alg:%u mode:%u type %u\n", cipher_parms->alg,
0843          cipher_parms->mode, cipher_parms->type);
0844     flow_log("  cipher_iv_len: %u\n", cipher_parms->iv_len);
0845     flow_log("    key: %d\n", cipher_parms->key_len);
0846     flow_dump("    key: ", cipher_parms->key_buf, cipher_parms->key_len);
0847
0848     /* starting out: zero the header (plus some) */
0849     memset(spu_hdr, 0, sizeof(struct SPUHEADER));
0850     ptr += sizeof(struct SPUHEADER);
0851
0852     /* format master header word */
0853     /* Do not set the next bit even though the datasheet says to */
0854     spuh = (struct SPUHEADER *)spu_hdr;
0855
0856     spuh->mh.op_code = SPU_CRYPTO_OPERATION_GENERIC;
0857     spuh->mh.flags |= (MH_SCTX_PRES | MH_BDESC_PRES | MH_BD_PRES);
0858
0859     /* Format sctx word 0 (protocol_bits) */
0860     sctx_words = 3;     /* size in words */
0861
0862     /* copy the encryption keys in the SAD entry */
0863     if (cipher_parms->alg) {
0864         if (cipher_parms->key_len) {
0865             ptr += cipher_parms->key_len;
0866             sctx_words += cipher_parms->key_len / 4;
0867         }
0868
0869         /*
0870          * if encrypting then set IV size, use SCTX IV unless no IV
0871          * given here
0872          */
0873         if (cipher_parms->iv_len) {
0874             /* Use SCTX IV */
0875             ecf_bits |= SCTX_IV;
0876             ptr += cipher_parms->iv_len;
0877             sctx_words += cipher_parms->iv_len / 4;
0878         }
0879     }
0880
0881     /* Set the crypto parameters in the cipher.flags */
0882     cipher_bits |= cipher_parms->alg << CIPHER_ALG_SHIFT;
0883     cipher_bits |= cipher_parms->mode << CIPHER_MODE_SHIFT;
0884     cipher_bits |= cipher_parms->type << CIPHER_TYPE_SHIFT;
0885
0886     /* copy the encryption keys in the SAD entry */
0887     if (cipher_parms->alg && cipher_parms->key_len)
0888         memcpy(spuh + 1, cipher_parms->key_buf, cipher_parms->key_len);
0889
0890     /* write in the total sctx length now that we know it */
0891     protocol_bits |= sctx_words;
0892
0893     /* Endian adjust the SCTX */
0894     spuh->sa.proto_flags = cpu_to_be32(protocol_bits);
0895
0896     /* Endian adjust the SCTX */
0897     spuh->sa.cipher_flags = cpu_to_be32(cipher_bits);
0898     spuh->sa.ecf = cpu_to_be32(ecf_bits);
0899
0900     packet_dump("  SPU request header: ", spu_hdr,
0901             sizeof(struct SPUHEADER));
0902
0903     return sizeof(struct SPUHEADER) + cipher_parms->key_len +
0904         cipher_parms->iv_len + sizeof(struct BDESC_HEADER) +
0905         sizeof(struct BD_HEADER);
0906 }
0907
0908 /**
0909  * spum_cipher_req_finish() - Finish building a SPU request message header for a
0910  * block cipher request. Assumes much of the header was already filled in at
0911  * setkey() time in spu_cipher_req_init().
0912  * @spu_hdr:         Start of the request message header (MH field)
0913  * @spu_req_hdr_len: Length in bytes of the SPU request header
0914  * @is_inbound:      0 encrypt, 1 decrypt
0915  * @cipher_parms:    Parameters describing cipher operation to be performed
0916  * @data_size:       Length of the data in the BD field
0917  *
0918  * Assumes much of the header was already filled in at setkey() time in
0919  * spum_cipher_req_init().
0920  * spum_cipher_req_init() fills in the encryption key.
0921  */
0922 void spum_cipher_req_finish(u8 *spu_hdr,
0923                 u16 spu_req_hdr_len,
0924                 unsigned int is_inbound,
0925                 struct spu_cipher_parms *cipher_parms,
0926                 unsigned int data_size)
0927 {
0928     struct SPUHEADER *spuh;
0929     struct BDESC_HEADER *bdesc;
0930     struct BD_HEADER *bd;
0931     u8 *bdesc_ptr = spu_hdr + spu_req_hdr_len -
0932         (sizeof(struct BD_HEADER) + sizeof(struct BDESC_HEADER));
0933
0934     u32 cipher_bits;
0935
0936     flow_log("%s()\n", __func__);
0937     flow_log(" in: %u\n", is_inbound);
0938     flow_log(" cipher alg: %u, cipher_type: %u\n", cipher_parms->alg,
0939          cipher_parms->type);
0940
0941     /*
0942      * In XTS mode, API puts "i" parameter (block tweak) in IV.  For
0943      * SPU-M, should be in start of the BD; tx_sg_create() copies it there.
0944      * IV in SPU msg for SPU-M should be 0, since that's the "j" parameter
0945      * (block ctr within larger data unit) - given we can send entire disk
0946      * block (<= 4KB) in 1 SPU msg, don't need to use this parameter.
0947      */
0948     if (cipher_parms->mode == CIPHER_MODE_XTS)
0949         memset(cipher_parms->iv_buf, 0, cipher_parms->iv_len);
0950
0951     flow_log(" iv len: %d\n", cipher_parms->iv_len);
0952     flow_dump("    iv: ", cipher_parms->iv_buf, cipher_parms->iv_len);
0953     flow_log(" data_size: %u\n", data_size);
0954
0955     /* format master header word */
0956     /* Do not set the next bit even though the datasheet says to */
0957     spuh = (struct SPUHEADER *)spu_hdr;
0958
0959     /* cipher_bits was initialized at setkey time */
0960     cipher_bits = be32_to_cpu(spuh->sa.cipher_flags);
0961
0962     /* Format sctx word 1 (cipher_bits) */
0963     if (is_inbound)
0964         cipher_bits |= CIPHER_INBOUND;
0965     else
0966         cipher_bits &= ~CIPHER_INBOUND;
0967
0968     if (cipher_parms->alg && cipher_parms->iv_buf && cipher_parms->iv_len)
0969         /* cipher iv provided so put it in here */
0970         memcpy(bdesc_ptr - cipher_parms->iv_len, cipher_parms->iv_buf,
0971                cipher_parms->iv_len);
0972
0973     spuh->sa.cipher_flags = cpu_to_be32(cipher_bits);
0974
0975     /* === create the BDESC section === */
0976     bdesc = (struct BDESC_HEADER *)bdesc_ptr;
0977     bdesc->offset_mac = 0;
0978     bdesc->length_mac = 0;
0979     bdesc->offset_crypto = 0;
0980
0981     /* XTS mode, data_size needs to include tweak parameter */
0982     if (cipher_parms->mode == CIPHER_MODE_XTS)
0983         bdesc->length_crypto = cpu_to_be16(data_size +
0984                           SPU_XTS_TWEAK_SIZE);
0985     else
0986         bdesc->length_crypto = cpu_to_be16(data_size);
0987
0988     bdesc->offset_icv = 0;
0989     bdesc->offset_iv = 0;
0990
0991     /* === no MFM section === */
0992
0993     /* === create the BD section === */
0994     /* add the BD header */
0995     bd = (struct BD_HEADER *)(bdesc_ptr + sizeof(struct BDESC_HEADER));
0996     bd->size = cpu_to_be16(data_size);
0997
0998     /* XTS mode, data_size needs to include tweak parameter */
0999     if (cipher_parms->mode == CIPHER_MODE_XTS)
1000         bd->size = cpu_to_be16(data_size + SPU_XTS_TWEAK_SIZE);
1001     else
1002         bd->size = cpu_to_be16(data_size);
1003
1004     bd->prev_length = 0;
1005
1006     packet_dump("  SPU request header: ", spu_hdr, spu_req_hdr_len);
1007 }
1008
1009 /**
1010  * spum_request_pad() - Create pad bytes at the end of the data.
1011  * @pad_start:      Start of buffer where pad bytes are to be written
1012  * @gcm_ccm_padding:    length of GCM/CCM padding, in bytes
1013  * @hash_pad_len:   Number of bytes of padding extend data to full block
1014  * @auth_alg:       authentication algorithm
1015  * @auth_mode:      authentication mode
1016  * @total_sent:     length inserted at end of hash pad
1017  * @status_padding: Number of bytes of padding to align STATUS word
1018  *
1019  * There may be three forms of pad:
1020  *  1. GCM/CCM pad - for GCM/CCM mode ciphers, pad to 16-byte alignment
1021  *  2. hash pad - pad to a block length, with 0x80 data terminator and
1022  *                size at the end
1023  *  3. STAT pad - to ensure the STAT field is 4-byte aligned
1024  */
1025 void spum_request_pad(u8 *pad_start,
1026               u32 gcm_ccm_padding,
1027               u32 hash_pad_len,
1028               enum hash_alg auth_alg,
1029               enum hash_mode auth_mode,
1030               unsigned int total_sent, u32 status_padding)
1031 {
1032     u8 *ptr = pad_start;
1033
1034     /* fix data alignent for GCM/CCM */
1035     if (gcm_ccm_padding > 0) {
1036         flow_log("  GCM: padding to 16 byte alignment: %u bytes\n",
1037              gcm_ccm_padding);
1038         memset(ptr, 0, gcm_ccm_padding);
1039         ptr += gcm_ccm_padding;
1040     }
1041
1042     if (hash_pad_len > 0) {
1043         /* clear the padding section */
1044         memset(ptr, 0, hash_pad_len);
1045
1046         if ((auth_alg == HASH_ALG_AES) &&
1047             (auth_mode == HASH_MODE_XCBC)) {
1048             /* AES/XCBC just requires padding to be 0s */
1049             ptr += hash_pad_len;
1050         } else {
1051             /* terminate the data */
1052             *ptr = 0x80;
1053             ptr += (hash_pad_len - sizeof(u64));
1054
1055             /* add the size at the end as required per alg */
1056             if (auth_alg == HASH_ALG_MD5)
1057                 *(__le64 *)ptr = cpu_to_le64(total_sent * 8ull);
1058             else        /* SHA1, SHA2-224, SHA2-256 */
1059                 *(__be64 *)ptr = cpu_to_be64(total_sent * 8ull);
1060             ptr += sizeof(u64);
1061         }
1062     }
1063
1064     /* pad to a 4byte alignment for STAT */
1065     if (status_padding > 0) {
1066         flow_log("  STAT: padding to 4 byte alignment: %u bytes\n",
1067              status_padding);
1068
1069         memset(ptr, 0, status_padding);
1070         ptr += status_padding;
1071     }
1072 }
1073
1074 /**
1075  * spum_xts_tweak_in_payload() - Indicate that SPUM DOES place the XTS tweak
1076  * field in the packet payload (rather than using IV)
1077  *
1078  * Return: 1
1079  */
1080 u8 spum_xts_tweak_in_payload(void)
1081 {
1082     return 1;
1083 }
1084
1085 /**
1086  * spum_tx_status_len() - Return the length of the STATUS field in a SPU
1087  * response message.
1088  *
1089  * Return: Length of STATUS field in bytes.
1090  */
1091 u8 spum_tx_status_len(void)
1092 {
1093     return SPU_TX_STATUS_LEN;
1094 }
1095
1096 /**
1097  * spum_rx_status_len() - Return the length of the STATUS field in a SPU
1098  * response message.
1099  *
1100  * Return: Length of STATUS field in bytes.
1101  */
1102 u8 spum_rx_status_len(void)
1103 {
1104     return SPU_RX_STATUS_LEN;
1105 }
1106
1107 /**
1108  * spum_status_process() - Process the status from a SPU response message.
1109  * @statp:  start of STATUS word
1110  * Return:
1111  *   0 - if status is good and response should be processed
1112  *   !0 - status indicates an error and response is invalid
1113  */
1114 int spum_status_process(u8 *statp)
1115 {
1116     u32 status;
1117
1118     status = __be32_to_cpu(*(__be32 *)statp);
1119     flow_log("SPU response STATUS %#08x\n", status);
1120     if (status & SPU_STATUS_ERROR_FLAG) {
1121         pr_err("%s() Warning: Error result from SPU: %#08x\n",
1122                __func__, status);
1123         if (status & SPU_STATUS_INVALID_ICV)
1124             return SPU_INVALID_ICV;
1125         return -EBADMSG;
1126     }
1127     return 0;
1128 }
1129
1130 /**
1131  * spum_ccm_update_iv() - Update the IV as per the requirements for CCM mode.
1132  *
1133  * @digestsize:     Digest size of this request
1134  * @cipher_parms:   (pointer to) cipher parmaeters, includes IV buf & IV len
1135  * @assoclen:       Length of AAD data
1136  * @chunksize:      length of input data to be sent in this req
1137  * @is_encrypt:     true if this is an output/encrypt operation
1138  * @is_esp:     true if this is an ESP / RFC4309 operation
1139  *
1140  */
1141 void spum_ccm_update_iv(unsigned int digestsize,
1142             struct spu_cipher_parms *cipher_parms,
1143             unsigned int assoclen,
1144             unsigned int chunksize,
1145             bool is_encrypt,
1146             bool is_esp)
1147 {
1148     u8 L;       /* L from CCM algorithm, length of plaintext data */
1149     u8 mprime;  /* M' from CCM algo, (M - 2) / 2, where M=authsize */
1150     u8 adata;
1151
1152     if (cipher_parms->iv_len != CCM_AES_IV_SIZE) {
1153         pr_err("%s(): Invalid IV len %d for CCM mode, should be %d\n",
1154                __func__, cipher_parms->iv_len, CCM_AES_IV_SIZE);
1155         return;
1156     }
1157
1158     /*
1159      * IV needs to be formatted as follows:
1160      *
1161      * |          Byte 0               | Bytes 1 - N | Bytes (N+1) - 15 |
1162      * | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | Bits 7 - 0  |    Bits 7 - 0    |
1163      * | 0 |Ad?|(M - 2) / 2|   L - 1   |    Nonce    | Plaintext Length |
1164      *
1165      * Ad? = 1 if AAD present, 0 if not present
1166      * M = size of auth field, 8, 12, or 16 bytes (SPU-M) -or-
1167      *                         4, 6, 8, 10, 12, 14, 16 bytes (SPU2)
1168      * L = Size of Plaintext Length field; Nonce size = 15 - L
1169      *
1170      * It appears that the crypto API already expects the L-1 portion
1171      * to be set in the first byte of the IV, which implicitly determines
1172      * the nonce size, and also fills in the nonce.  But the other bits
1173      * in byte 0 as well as the plaintext length need to be filled in.
1174      *
1175      * In rfc4309/esp mode, L is not already in the supplied IV and
1176      * we need to fill it in, as well as move the IV data to be after
1177      * the salt
1178      */
1179     if (is_esp) {
1180         L = CCM_ESP_L_VALUE;    /* RFC4309 has fixed L */
1181     } else {
1182         /* L' = plaintext length - 1 so Plaintext length is L' + 1 */
1183         L = ((cipher_parms->iv_buf[0] & CCM_B0_L_PRIME) >>
1184               CCM_B0_L_PRIME_SHIFT) + 1;
1185     }
1186
1187     mprime = (digestsize - 2) >> 1;  /* M' = (M - 2) / 2 */
1188     adata = (assoclen > 0);  /* adata = 1 if any associated data */
1189
1190     cipher_parms->iv_buf[0] = (adata << CCM_B0_ADATA_SHIFT) |
1191                   (mprime << CCM_B0_M_PRIME_SHIFT) |
1192                   ((L - 1) << CCM_B0_L_PRIME_SHIFT);
1193
1194     /* Nonce is already filled in by crypto API, and is 15 - L bytes */
1195
1196     /* Don't include digest in plaintext size when decrypting */
1197     if (!is_encrypt)
1198         chunksize -= digestsize;
1199
1200     /* Fill in length of plaintext, formatted to be L bytes long */
1201     format_value_ccm(chunksize, &cipher_parms->iv_buf[15 - L + 1], L);
1202 }
1203
1204 /**
1205  * spum_wordalign_padlen() - Given the length of a data field, determine the
1206  * padding required to align the data following this field on a 4-byte boundary.
1207  * @data_size: length of data field in bytes
1208  *
1209  * Return: length of status field padding, in bytes
1210  */
1211 u32 spum_wordalign_padlen(u32 data_size)
1212 {
1213     return ((data_size + 3) & ~3) - data_size;
1214 }