HW generates a Data Size error for chacha20 requests that are not
a multiple of 64B, since algorithm state (AS) does not have
the FINAL bit set.
Since updating req->iv (for chaining) is not required,
modify skcipher descriptors to set the FINAL bit for chacha20.
[Note that for skcipher decryption we know that ctx1_iv_off is 0,
which allows for an optimization by not checking algorithm type,
since append_dec_op1() sets FINAL bit for all algorithms except AES.]
Also drop the descriptor operations that save the IV.
However, in order to keep code logic simple, things like
S/G tables generation etc. are not touched.
Cc: <[email protected]> # v5.3+
Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support")
Signed-off-by: Horia Geantă <[email protected]>
---
drivers/crypto/caam/caamalg_desc.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/caam/caamalg_desc.c b/drivers/crypto/caam/caamalg_desc.c
index aa9ccca67045..372d3d4ed6c5 100644
--- a/drivers/crypto/caam/caamalg_desc.c
+++ b/drivers/crypto/caam/caamalg_desc.c
@@ -1379,6 +1379,8 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata,
const u32 ctx1_iv_off)
{
u32 *key_jump_cmd;
+ bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) ==
+ OP_ALG_ALGSEL_CHACHA20);
init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX);
/* Skip if already shared */
@@ -1417,14 +1419,15 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata,
LDST_OFFSET_SHIFT));
/* Load operation */
- append_operation(desc, cdata->algtype | OP_ALG_AS_INIT |
- OP_ALG_ENCRYPT);
+ if (is_chacha20)
+ options |= OP_ALG_AS_FINALIZE;
+ append_operation(desc, options);
/* Perform operation */
skcipher_append_src_dst(desc);
/* Store IV */
- if (ivsize)
+ if (!is_chacha20 && ivsize)
append_seq_store(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT |
LDST_CLASS_1_CCB | (ctx1_iv_off <<
LDST_OFFSET_SHIFT));
@@ -1451,6 +1454,9 @@ void cnstr_shdsc_skcipher_decap(u32 * const desc, struct alginfo *cdata,
const u32 ctx1_iv_off)
{
u32 *key_jump_cmd;
+ u32 options = cdata->algtype | OP_ALG_AS_INIT | OP_ALG_ENCRYPT;
+ bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) ==
+ OP_ALG_ALGSEL_CHACHA20);
init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX);
/* Skip if already shared */
@@ -1499,7 +1505,7 @@ void cnstr_shdsc_skcipher_decap(u32 * const desc, struct alginfo *cdata,
skcipher_append_src_dst(desc);
/* Store IV */
- if (ivsize)
+ if (!is_chacha20 && ivsize)
append_seq_store(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT |
LDST_CLASS_1_CCB | (ctx1_iv_off <<
LDST_OFFSET_SHIFT));
--
2.17.1
On Fri, Feb 21, 2020 at 09:52:01AM +0200, Horia Geantă wrote:
> HW generates a Data Size error for chacha20 requests that are not
> a multiple of 64B, since algorithm state (AS) does not have
> the FINAL bit set.
>
> Since updating req->iv (for chaining) is not required,
> modify skcipher descriptors to set the FINAL bit for chacha20.
>
> [Note that for skcipher decryption we know that ctx1_iv_off is 0,
> which allows for an optimization by not checking algorithm type,
> since append_dec_op1() sets FINAL bit for all algorithms except AES.]
>
> Also drop the descriptor operations that save the IV.
> However, in order to keep code logic simple, things like
> S/G tables generation etc. are not touched.
>
> Cc: <[email protected]> # v5.3+
> Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support")
> Signed-off-by: Horia Geantă <[email protected]>
> ---
> drivers/crypto/caam/caamalg_desc.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/crypto/caam/caamalg_desc.c b/drivers/crypto/caam/caamalg_desc.c
> index aa9ccca67045..372d3d4ed6c5 100644
> --- a/drivers/crypto/caam/caamalg_desc.c
> +++ b/drivers/crypto/caam/caamalg_desc.c
> @@ -1379,6 +1379,8 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata,
> const u32 ctx1_iv_off)
> {
> u32 *key_jump_cmd;
> + bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) ==
> + OP_ALG_ALGSEL_CHACHA20);
>
> init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX);
> /* Skip if already shared */
> @@ -1417,14 +1419,15 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata,
> LDST_OFFSET_SHIFT));
>
> /* Load operation */
> - append_operation(desc, cdata->algtype | OP_ALG_AS_INIT |
> - OP_ALG_ENCRYPT);
> + if (is_chacha20)
> + options |= OP_ALG_AS_FINALIZE;
> + append_operation(desc, options);
This patch doesn't compile.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On 2/28/2020 2:42 AM, Herbert Xu wrote:
> On Fri, Feb 21, 2020 at 09:52:01AM +0200, Horia Geant? wrote:
>> HW generates a Data Size error for chacha20 requests that are not
>> a multiple of 64B, since algorithm state (AS) does not have
>> the FINAL bit set.
>>
>> Since updating req->iv (for chaining) is not required,
>> modify skcipher descriptors to set the FINAL bit for chacha20.
>>
>> [Note that for skcipher decryption we know that ctx1_iv_off is 0,
>> which allows for an optimization by not checking algorithm type,
>> since append_dec_op1() sets FINAL bit for all algorithms except AES.]
>>
>> Also drop the descriptor operations that save the IV.
>> However, in order to keep code logic simple, things like
>> S/G tables generation etc. are not touched.
>>
>> Cc: <[email protected]> # v5.3+
>> Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support")
>> Signed-off-by: Horia Geant? <[email protected]>
>> ---
>> drivers/crypto/caam/caamalg_desc.c | 14 ++++++++++----
>> 1 file changed, 10 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/crypto/caam/caamalg_desc.c b/drivers/crypto/caam/caamalg_desc.c
>> index aa9ccca67045..372d3d4ed6c5 100644
>> --- a/drivers/crypto/caam/caamalg_desc.c
>> +++ b/drivers/crypto/caam/caamalg_desc.c
>> @@ -1379,6 +1379,8 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata,
>> const u32 ctx1_iv_off)
>> {
>> u32 *key_jump_cmd;
>> + bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) ==
>> + OP_ALG_ALGSEL_CHACHA20);
>>
>> init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX);
>> /* Skip if already shared */
>> @@ -1417,14 +1419,15 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata,
>> LDST_OFFSET_SHIFT));
>>
>> /* Load operation */
>> - append_operation(desc, cdata->algtype | OP_ALG_AS_INIT |
>> - OP_ALG_ENCRYPT);
>> + if (is_chacha20)
>> + options |= OP_ALG_AS_FINALIZE;
>> + append_operation(desc, options);
>
> This patch doesn't compile.
>
Thanks for catching this.
Not sure how this slipped through, probably it happened due to
piling up too many *.patch files...
Will fix in v2.
Horia