Linux-Crypto Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/2] crypto: inside-secure: Add support for the Chacha20 skcipher and the Chacha20-Poly1305 AEAD suites
@ 2019-09-10 14:38 Pascal van Leeuwen
  2019-09-10 14:38 ` [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher Pascal van Leeuwen
  2019-09-10 14:38 ` [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD Pascal van Leeuwen
  0 siblings, 2 replies; 11+ messages in thread
From: Pascal van Leeuwen @ 2019-09-10 14:38 UTC (permalink / raw)
  To: linux-crypto; +Cc: antoine.tenart, herbert, davem, Pascal van Leeuwen

Extend driver support with chacha20, rfc7539(chacha20,poly1305) and
rfc7539esp(chacha20,poly1305) ciphers.
The patchset has been tested with the eip197c_iesb and eip197c_iewxkbc
configurations on the Xilinx VCU118 development board, including the
crypto extra tests.

Note that this patchset applies on top of the earlier submitted
"Add support for the CBCMAC" series.

Pascal van Leeuwen (2):
  crypto: inside-secure - Added support for the CHACHA20 skcipher
  crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD

 drivers/crypto/inside-secure/safexcel.c        |   3 +
 drivers/crypto/inside-secure/safexcel.h        |  11 +
 drivers/crypto/inside-secure/safexcel_cipher.c | 335 +++++++++++++++++++++++--
 3 files changed, 335 insertions(+), 14 deletions(-)

-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher
  2019-09-10 14:38 [PATCH 0/2] crypto: inside-secure: Add support for the Chacha20 skcipher and the Chacha20-Poly1305 AEAD suites Pascal van Leeuwen
@ 2019-09-10 14:38 ` Pascal van Leeuwen
  2019-09-10 17:32   ` Antoine Tenart
  2019-09-10 14:38 ` [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD Pascal van Leeuwen
  1 sibling, 1 reply; 11+ messages in thread
From: Pascal van Leeuwen @ 2019-09-10 14:38 UTC (permalink / raw)
  To: linux-crypto; +Cc: antoine.tenart, herbert, davem, Pascal van Leeuwen

Added support for the CHACHA20 skcipher algorithm.
Tested on an eip197c-iesb configuration in the Xilinx VCU118 devboard,
passes all testmgr vectors plus the extra fuzzing tests.

Signed-off-by: Pascal van Leeuwen <pvanleeuwen@verimatrix.com>
---
 drivers/crypto/inside-secure/safexcel.c        |  1 +
 drivers/crypto/inside-secure/safexcel.h        |  3 +
 drivers/crypto/inside-secure/safexcel_cipher.c | 83 +++++++++++++++++++++++++-
 3 files changed, 85 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/inside-secure/safexcel.c b/drivers/crypto/inside-secure/safexcel.c
index a34bf8c..fd9c9e7 100644
--- a/drivers/crypto/inside-secure/safexcel.c
+++ b/drivers/crypto/inside-secure/safexcel.c
@@ -1173,6 +1173,7 @@ static int safexcel_request_ring_irq(void *pdev, int irqid,
 	&safexcel_alg_cbcmac,
 	&safexcel_alg_xcbcmac,
 	&safexcel_alg_cmac,
+	&safexcel_alg_chacha20,
 };
 
 static int safexcel_register_algorithms(struct safexcel_crypto_priv *priv)
diff --git a/drivers/crypto/inside-secure/safexcel.h b/drivers/crypto/inside-secure/safexcel.h
index 6ddc6d1..c7f1a20 100644
--- a/drivers/crypto/inside-secure/safexcel.h
+++ b/drivers/crypto/inside-secure/safexcel.h
@@ -358,6 +358,7 @@ struct safexcel_context_record {
 #define CONTEXT_CONTROL_CRYPTO_ALG_AES128	(0x5 << 17)
 #define CONTEXT_CONTROL_CRYPTO_ALG_AES192	(0x6 << 17)
 #define CONTEXT_CONTROL_CRYPTO_ALG_AES256	(0x7 << 17)
+#define CONTEXT_CONTROL_CRYPTO_ALG_CHACHA20	(0x8 << 17)
 #define CONTEXT_CONTROL_DIGEST_PRECOMPUTED	(0x1 << 21)
 #define CONTEXT_CONTROL_DIGEST_XCM		(0x2 << 21)
 #define CONTEXT_CONTROL_DIGEST_HMAC		(0x3 << 21)
@@ -378,6 +379,7 @@ struct safexcel_context_record {
 /* control1 */
 #define CONTEXT_CONTROL_CRYPTO_MODE_ECB		(0 << 0)
 #define CONTEXT_CONTROL_CRYPTO_MODE_CBC		(1 << 0)
+#define CONTEXT_CONTROL_CHACHA20_MODE_256_32	(2 << 0)
 #define CONTEXT_CONTROL_CRYPTO_MODE_OFB		(4 << 0)
 #define CONTEXT_CONTROL_CRYPTO_MODE_CFB		(5 << 0)
 #define CONTEXT_CONTROL_CRYPTO_MODE_CTR_LOAD	(6 << 0)
@@ -858,5 +860,6 @@ int safexcel_hmac_setkey(const char *alg, const u8 *key, unsigned int keylen,
 extern struct safexcel_alg_template safexcel_alg_cbcmac;
 extern struct safexcel_alg_template safexcel_alg_xcbcmac;
 extern struct safexcel_alg_template safexcel_alg_cmac;
+extern struct safexcel_alg_template safexcel_alg_chacha20;
 
 #endif
diff --git a/drivers/crypto/inside-secure/safexcel_cipher.c b/drivers/crypto/inside-secure/safexcel_cipher.c
index 023cabc..44dc13a 100644
--- a/drivers/crypto/inside-secure/safexcel_cipher.c
+++ b/drivers/crypto/inside-secure/safexcel_cipher.c
@@ -5,13 +5,14 @@
  * Antoine Tenart <antoine.tenart@free-electrons.com>
  */
 
+#include <asm/unaligned.h>
 #include <linux/device.h>
 #include <linux/dma-mapping.h>
 #include <linux/dmapool.h>
-
 #include <crypto/aead.h>
 #include <crypto/aes.h>
 #include <crypto/authenc.h>
+#include <crypto/chacha.h>
 #include <crypto/ctr.h>
 #include <crypto/des.h>
 #include <crypto/gcm.h>
@@ -33,6 +34,7 @@ enum safexcel_cipher_alg {
 	SAFEXCEL_DES,
 	SAFEXCEL_3DES,
 	SAFEXCEL_AES,
+	SAFEXCEL_CHACHA20,
 };
 
 struct safexcel_cipher_ctx {
@@ -81,6 +83,15 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
 		cdesc->control_data.token[3] = cpu_to_be32(1);
 
 		return;
+	} else if (ctx->alg == SAFEXCEL_CHACHA20) {
+		cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
+
+		/* 96 bit nonce part */
+		memcpy(&cdesc->control_data.token[0], &iv[4], 12);
+		/* 32 bit counter */
+		cdesc->control_data.token[3] = *(u32 *)iv;
+
+		return;
 	} else if (ctx->xcm == EIP197_XCM_MODE_GCM) {
 		cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
 
@@ -112,7 +123,7 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
 			block_sz = DES3_EDE_BLOCK_SIZE;
 			cdesc->control_data.options |= EIP197_OPTION_2_TOKEN_IV_CMD;
 			break;
-		case SAFEXCEL_AES:
+		default: /* case SAFEXCEL_AES */
 			block_sz = AES_BLOCK_SIZE;
 			cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
 			break;
@@ -486,6 +497,9 @@ static int safexcel_context_control(struct safexcel_cipher_ctx *ctx,
 				ctx->key_len >> ctx->xts);
 			return -EINVAL;
 		}
+	} else if (ctx->alg == SAFEXCEL_CHACHA20) {
+		cdesc->control_data.control0 |=
+			CONTEXT_CONTROL_CRYPTO_ALG_CHACHA20;
 	}
 
 	return 0;
@@ -2313,3 +2327,68 @@ struct safexcel_alg_template safexcel_alg_ccm = {
 		},
 	},
 };
+
+static int safexcel_skcipher_chacha20_setkey(struct crypto_skcipher *ctfm,
+					     const u8 *key, unsigned int len)
+{
+	struct safexcel_cipher_ctx *ctx = crypto_skcipher_ctx(ctfm);
+	struct safexcel_crypto_priv *priv = ctx->priv;
+	int i;
+
+	if (len != CHACHA_KEY_SIZE) {
+		crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+		return -EINVAL;
+	}
+
+	if (priv->flags & EIP197_TRC_CACHE && ctx->base.ctxr_dma) {
+		for (i = 0; i < CHACHA_KEY_SIZE / sizeof(u32); i++) {
+			if (ctx->key[i] !=
+			    get_unaligned_le32(key + i * sizeof(u32))) {
+				ctx->base.needs_inv = true;
+				break;
+			}
+		}
+	}
+
+	for (i = 0; i < CHACHA_KEY_SIZE / sizeof(u32); i++)
+		ctx->key[i] = get_unaligned_le32(key + i * sizeof(u32));
+	ctx->key_len = CHACHA_KEY_SIZE;
+
+	return 0;
+}
+
+static int safexcel_skcipher_chacha20_cra_init(struct crypto_tfm *tfm)
+{
+	struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
+
+	safexcel_skcipher_cra_init(tfm);
+	ctx->alg  = SAFEXCEL_CHACHA20;
+	ctx->mode = CONTEXT_CONTROL_CHACHA20_MODE_256_32;
+	return 0;
+}
+
+struct safexcel_alg_template safexcel_alg_chacha20 = {
+	.type = SAFEXCEL_ALG_TYPE_SKCIPHER,
+	.algo_mask = SAFEXCEL_ALG_CHACHA20,
+	.alg.skcipher = {
+		.setkey = safexcel_skcipher_chacha20_setkey,
+		.encrypt = safexcel_encrypt,
+		.decrypt = safexcel_decrypt,
+		.min_keysize = CHACHA_KEY_SIZE,
+		.max_keysize = CHACHA_KEY_SIZE,
+		.ivsize = CHACHA_IV_SIZE,
+		.base = {
+			.cra_name = "chacha20",
+			.cra_driver_name = "safexcel-chacha20",
+			.cra_priority = SAFEXCEL_CRA_PRIORITY,
+			.cra_flags = CRYPTO_ALG_ASYNC |
+				     CRYPTO_ALG_KERN_DRIVER_ONLY,
+			.cra_blocksize = 1,
+			.cra_ctxsize = sizeof(struct safexcel_cipher_ctx),
+			.cra_alignmask = 0,
+			.cra_init = safexcel_skcipher_chacha20_cra_init,
+			.cra_exit = safexcel_skcipher_cra_exit,
+			.cra_module = THIS_MODULE,
+		},
+	},
+};
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD
  2019-09-10 14:38 [PATCH 0/2] crypto: inside-secure: Add support for the Chacha20 skcipher and the Chacha20-Poly1305 AEAD suites Pascal van Leeuwen
  2019-09-10 14:38 ` [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher Pascal van Leeuwen
@ 2019-09-10 14:38 ` Pascal van Leeuwen
  2019-09-11 15:29   ` Antoine Tenart
  1 sibling, 1 reply; 11+ messages in thread
From: Pascal van Leeuwen @ 2019-09-10 14:38 UTC (permalink / raw)
  To: linux-crypto; +Cc: antoine.tenart, herbert, davem, Pascal van Leeuwen

This patch adds support for the Chacha20-Poly1305 cipher suite.
It adds both the basic rfc7539(chacha20,poly1305) as well as the
rfc7539esp(chacha20,poly1305) variant for IPsec ESP acceleration.

Signed-off-by: Pascal van Leeuwen <pvanleeuwen@verimatrix.com>
---
 drivers/crypto/inside-secure/safexcel.c        |   2 +
 drivers/crypto/inside-secure/safexcel.h        |   8 +
 drivers/crypto/inside-secure/safexcel_cipher.c | 276 ++++++++++++++++++++++---
 3 files changed, 262 insertions(+), 24 deletions(-)

diff --git a/drivers/crypto/inside-secure/safexcel.c b/drivers/crypto/inside-secure/safexcel.c
index fd9c9e7..5886bcd 100644
--- a/drivers/crypto/inside-secure/safexcel.c
+++ b/drivers/crypto/inside-secure/safexcel.c
@@ -1174,6 +1174,8 @@ static int safexcel_request_ring_irq(void *pdev, int irqid,
 	&safexcel_alg_xcbcmac,
 	&safexcel_alg_cmac,
 	&safexcel_alg_chacha20,
+	&safexcel_alg_chachapoly,
+	&safexcel_alg_chachapoly_esp,
 };
 
 static int safexcel_register_algorithms(struct safexcel_crypto_priv *priv)
diff --git a/drivers/crypto/inside-secure/safexcel.h b/drivers/crypto/inside-secure/safexcel.h
index c7f1a20..282d59e 100644
--- a/drivers/crypto/inside-secure/safexcel.h
+++ b/drivers/crypto/inside-secure/safexcel.h
@@ -373,6 +373,7 @@ struct safexcel_context_record {
 #define CONTEXT_CONTROL_CRYPTO_ALG_XCBC128	(0x1 << 23)
 #define CONTEXT_CONTROL_CRYPTO_ALG_XCBC192	(0x2 << 23)
 #define CONTEXT_CONTROL_CRYPTO_ALG_XCBC256	(0x3 << 23)
+#define CONTEXT_CONTROL_CRYPTO_ALG_POLY1305	(0xf << 23)
 #define CONTEXT_CONTROL_INV_FR			(0x5 << 24)
 #define CONTEXT_CONTROL_INV_TR			(0x6 << 24)
 
@@ -385,6 +386,7 @@ struct safexcel_context_record {
 #define CONTEXT_CONTROL_CRYPTO_MODE_CTR_LOAD	(6 << 0)
 #define CONTEXT_CONTROL_CRYPTO_MODE_XTS		(7 << 0)
 #define CONTEXT_CONTROL_CRYPTO_MODE_XCM		((6 << 0) | BIT(17))
+#define CONTEXT_CONTROL_CHACHA20_MODE_CALC_OTK	(12 << 0)
 #define CONTEXT_CONTROL_IV0			BIT(5)
 #define CONTEXT_CONTROL_IV1			BIT(6)
 #define CONTEXT_CONTROL_IV2			BIT(7)
@@ -397,6 +399,10 @@ struct safexcel_context_record {
 #define EIP197_XCM_MODE_GCM			1
 #define EIP197_XCM_MODE_CCM			2
 
+#define EIP197_AEAD_TYPE_IPSEC_ESP		2
+#define EIP197_AEAD_IPSEC_IV_SIZE		8
+#define EIP197_AEAD_IPSEC_NONCE_SIZE		4
+
 /* The hash counter given to the engine in the context has a granularity of
  * 64 bits.
  */
@@ -861,5 +867,7 @@ int safexcel_hmac_setkey(const char *alg, const u8 *key, unsigned int keylen,
 extern struct safexcel_alg_template safexcel_alg_xcbcmac;
 extern struct safexcel_alg_template safexcel_alg_cmac;
 extern struct safexcel_alg_template safexcel_alg_chacha20;
+extern struct safexcel_alg_template safexcel_alg_chachapoly;
+extern struct safexcel_alg_template safexcel_alg_chachapoly_esp;
 
 #endif
diff --git a/drivers/crypto/inside-secure/safexcel_cipher.c b/drivers/crypto/inside-secure/safexcel_cipher.c
index 44dc13a..00bf220 100644
--- a/drivers/crypto/inside-secure/safexcel_cipher.c
+++ b/drivers/crypto/inside-secure/safexcel_cipher.c
@@ -17,6 +17,7 @@
 #include <crypto/des.h>
 #include <crypto/gcm.h>
 #include <crypto/ghash.h>
+#include <crypto/poly1305.h>
 #include <crypto/sha.h>
 #include <crypto/xts.h>
 #include <crypto/skcipher.h>
@@ -43,8 +44,8 @@ struct safexcel_cipher_ctx {
 
 	u32 mode;
 	enum safexcel_cipher_alg alg;
-	bool aead;
-	int  xcm; /* 0=authenc, 1=GCM, 2 reserved for CCM */
+	char aead; /* !=0=AEAD, 2=IPSec ESP AEAD */
+	char xcm;  /* 0=authenc, 1=GCM, 2 reserved for CCM */
 
 	__le32 key[16];
 	u32 nonce;
@@ -57,6 +58,7 @@ struct safexcel_cipher_ctx {
 	u32 opad[SHA512_DIGEST_SIZE / sizeof(u32)];
 
 	struct crypto_cipher *hkaes;
+	struct crypto_aead *fback;
 };
 
 struct safexcel_cipher_req {
@@ -86,10 +88,24 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
 	} else if (ctx->alg == SAFEXCEL_CHACHA20) {
 		cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
 
-		/* 96 bit nonce part */
-		memcpy(&cdesc->control_data.token[0], &iv[4], 12);
-		/* 32 bit counter */
-		cdesc->control_data.token[3] = *(u32 *)iv;
+		if (ctx->aead == EIP197_AEAD_TYPE_IPSEC_ESP) {
+			/* 32 bit nonce part */
+			cdesc->control_data.token[0] = ctx->nonce;
+			/* 64 bit IV part */
+			memcpy(&cdesc->control_data.token[1], iv, 8);
+			/* 32 bit counter, starting at 0 */
+			cdesc->control_data.token[3] = 0;
+		} else if (ctx->aead) {
+			/* 96 bit nonce part */
+			memcpy(&cdesc->control_data.token[0], iv, 12);
+			/* 32 bit counter, starting at 0 */
+			cdesc->control_data.token[3] = 0;
+		} else {
+			/* 96 bit nonce part */
+			memcpy(&cdesc->control_data.token[0], &iv[4], 12);
+			/* 32 bit counter */
+			cdesc->control_data.token[3] = *(u32 *)iv;
+		}
 
 		return;
 	} else if (ctx->xcm == EIP197_XCM_MODE_GCM) {
@@ -193,12 +209,20 @@ static void safexcel_aead_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
 		token[13].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT;
 	}
 
+	if (ctx->aead == EIP197_AEAD_TYPE_IPSEC_ESP) {
+		/* For ESP mode, skip over the IV */
+		token[7].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
+		token[7].packet_length = EIP197_AEAD_IPSEC_IV_SIZE;
+
+		assoclen -= EIP197_AEAD_IPSEC_IV_SIZE;
+	}
+
 	token[6].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
 	token[6].packet_length = assoclen;
+	token[6].instructions = EIP197_TOKEN_INS_LAST |
+				EIP197_TOKEN_INS_TYPE_HASH;
 
-	if (likely(cryptlen)) {
-		token[6].instructions = EIP197_TOKEN_INS_TYPE_HASH;
-
+	if (likely(cryptlen || ctx->alg == SAFEXCEL_CHACHA20)) {
 		token[10].opcode = EIP197_TOKEN_OPCODE_DIRECTION;
 		token[10].packet_length = cryptlen;
 		token[10].stat = EIP197_TOKEN_STAT_LAST_HASH;
@@ -208,8 +232,6 @@ static void safexcel_aead_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
 					 EIP197_TOKEN_INS_TYPE_OUTPUT;
 	} else if (ctx->xcm != EIP197_XCM_MODE_CCM) {
 		token[6].stat = EIP197_TOKEN_STAT_LAST_HASH;
-		token[6].instructions = EIP197_TOKEN_INS_LAST |
-					EIP197_TOKEN_INS_TYPE_HASH;
 	}
 
 	if (!ctx->xcm)
@@ -224,10 +246,7 @@ static void safexcel_aead_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
 	token[9].instructions = EIP197_TOKEN_INS_TYPE_OUTPUT |
 				EIP197_TOKEN_INS_TYPE_CRYPTO;
 
-	if (ctx->xcm == EIP197_XCM_MODE_GCM) {
-		token[6].instructions = EIP197_TOKEN_INS_LAST |
-					EIP197_TOKEN_INS_TYPE_HASH;
-	} else {
+	if (ctx->xcm != EIP197_XCM_MODE_GCM) {
 		u8 *cbcmaciv = (u8 *)&token[1];
 		u32 *aadlen = (u32 *)&token[5];
 
@@ -392,7 +411,7 @@ static int safexcel_aead_setkey(struct crypto_aead *ctfm, const u8 *key,
 			goto badkey;
 		break;
 	default:
-		dev_err(priv->dev, "aead: unsupported hash algorithm\n");
+		dev_err(priv->dev, "aead: unsupported hash algorithmn");
 		goto badkey;
 	}
 
@@ -440,6 +459,17 @@ static int safexcel_context_control(struct safexcel_cipher_ctx *ctx,
 				CONTEXT_CONTROL_DIGEST_XCM |
 				ctx->hash_alg |
 				CONTEXT_CONTROL_SIZE(ctrl_size);
+		} else if (ctx->alg == SAFEXCEL_CHACHA20) {
+			/* Chacha20-Poly1305 */
+			cdesc->control_data.control0 =
+				CONTEXT_CONTROL_KEY_EN |
+				CONTEXT_CONTROL_CRYPTO_ALG_CHACHA20 |
+				(sreq->direction == SAFEXCEL_ENCRYPT ?
+					CONTEXT_CONTROL_TYPE_ENCRYPT_HASH_OUT :
+					CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN) |
+				ctx->hash_alg |
+				CONTEXT_CONTROL_SIZE(ctrl_size);
+			return 0;
 		} else {
 			ctrl_size += ctx->state_sz / sizeof(u32) * 2;
 			cdesc->control_data.control0 =
@@ -2328,18 +2358,12 @@ struct safexcel_alg_template safexcel_alg_ccm = {
 	},
 };
 
-static int safexcel_skcipher_chacha20_setkey(struct crypto_skcipher *ctfm,
-					     const u8 *key, unsigned int len)
+static void safexcel_chacha20_setkey(struct safexcel_cipher_ctx *ctx,
+				     const u8 *key)
 {
-	struct safexcel_cipher_ctx *ctx = crypto_skcipher_ctx(ctfm);
 	struct safexcel_crypto_priv *priv = ctx->priv;
 	int i;
 
-	if (len != CHACHA_KEY_SIZE) {
-		crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
-		return -EINVAL;
-	}
-
 	if (priv->flags & EIP197_TRC_CACHE && ctx->base.ctxr_dma) {
 		for (i = 0; i < CHACHA_KEY_SIZE / sizeof(u32); i++) {
 			if (ctx->key[i] !=
@@ -2353,6 +2377,18 @@ static int safexcel_skcipher_chacha20_setkey(struct crypto_skcipher *ctfm,
 	for (i = 0; i < CHACHA_KEY_SIZE / sizeof(u32); i++)
 		ctx->key[i] = get_unaligned_le32(key + i * sizeof(u32));
 	ctx->key_len = CHACHA_KEY_SIZE;
+}
+
+static int safexcel_skcipher_chacha20_setkey(struct crypto_skcipher *ctfm,
+					     const u8 *key, unsigned int len)
+{
+	struct safexcel_cipher_ctx *ctx = crypto_skcipher_ctx(ctfm);
+
+	if (len != CHACHA_KEY_SIZE) {
+		crypto_skcipher_set_flags(ctfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+		return -EINVAL;
+	}
+	safexcel_chacha20_setkey(ctx, key);
 
 	return 0;
 }
@@ -2392,3 +2428,195 @@ struct safexcel_alg_template safexcel_alg_chacha20 = {
 		},
 	},
 };
+
+static int safexcel_aead_chachapoly_setkey(struct crypto_aead *ctfm,
+				    const u8 *key, unsigned int len)
+{
+	struct safexcel_cipher_ctx *ctx = crypto_aead_ctx(ctfm);
+
+	if (ctx->aead  == EIP197_AEAD_TYPE_IPSEC_ESP &&
+	    len > EIP197_AEAD_IPSEC_NONCE_SIZE) {
+		/* ESP variant has nonce appended to key */
+		len -= EIP197_AEAD_IPSEC_NONCE_SIZE;
+		ctx->nonce = *(u32 *)(key + len);
+	}
+	if (len != CHACHA_KEY_SIZE) {
+		crypto_aead_set_flags(ctfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+		return -EINVAL;
+	}
+	safexcel_chacha20_setkey(ctx, key);
+
+	return 0;
+}
+
+static int safexcel_aead_chachapoly_setauthsize(struct crypto_aead *tfm,
+					 unsigned int authsize)
+{
+	if (authsize != POLY1305_DIGEST_SIZE)
+		return -EINVAL;
+	return 0;
+}
+
+static int safexcel_aead_chachapoly_crypt(struct aead_request *req,
+					  enum safexcel_cipher_direction dir)
+{
+	struct safexcel_cipher_req *creq = aead_request_ctx(req);
+	struct crypto_aead *aead = crypto_aead_reqtfm(req);
+	struct crypto_tfm *tfm = crypto_aead_tfm(aead);
+	struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
+	struct aead_request *subreq = aead_request_ctx(req);
+	u32 key[CHACHA_KEY_SIZE / sizeof(u32) + 1];
+	int i, ret = 0;
+
+	/*
+	 * Instead of wasting time detecting umpteen silly corner cases,
+	 * just dump all "small" requests to the fallback implementation.
+	 * HW would not be faster on such small requests anyway.
+	 */
+	if (likely(req->assoclen > EIP197_AEAD_IPSEC_IV_SIZE &&
+		   req->cryptlen >= POLY1305_DIGEST_SIZE)) {
+		return safexcel_queue_req(&req->base, creq, dir);
+	}
+
+	/* HW cannot do full (AAD+payload) zero length, use fallback */
+	for (i = 0; i < CHACHA_KEY_SIZE / sizeof(u32); i++)
+		key[i] = cpu_to_le32(ctx->key[i]);
+	if (ctx->aead == EIP197_AEAD_TYPE_IPSEC_ESP) {
+		/* ESP variant has nonce appended to the key */
+		key[CHACHA_KEY_SIZE / sizeof(u32)] = ctx->nonce;
+		ret = crypto_aead_setkey(ctx->fback, (u8 *)key,
+					 CHACHA_KEY_SIZE +
+					 EIP197_AEAD_IPSEC_NONCE_SIZE);
+	} else {
+		ret = crypto_aead_setkey(ctx->fback, (u8 *)key,
+					 CHACHA_KEY_SIZE);
+	}
+	if (ret) {
+		crypto_aead_clear_flags(aead, CRYPTO_TFM_REQ_MASK);
+		crypto_aead_set_flags(aead, crypto_aead_get_flags(ctx->fback) &
+					    CRYPTO_TFM_REQ_MASK);
+		return ret;
+	}
+
+	aead_request_set_tfm(subreq, ctx->fback);
+	aead_request_set_callback(subreq, req->base.flags, req->base.complete,
+				  req->base.data);
+	aead_request_set_crypt(subreq, req->src, req->dst, req->cryptlen,
+			       req->iv);
+	aead_request_set_ad(subreq, req->assoclen);
+
+	return (dir ==  SAFEXCEL_ENCRYPT) ?
+		crypto_aead_encrypt(subreq) :
+		crypto_aead_decrypt(subreq);
+}
+
+static int safexcel_aead_chachapoly_encrypt(struct aead_request *req)
+{
+	return safexcel_aead_chachapoly_crypt(req, SAFEXCEL_ENCRYPT);
+}
+
+static int safexcel_aead_chachapoly_decrypt(struct aead_request *req)
+{
+	return safexcel_aead_chachapoly_crypt(req, SAFEXCEL_DECRYPT);
+}
+
+static int safexcel_aead_chachapoly_cra_init(struct crypto_tfm *tfm)
+{
+	struct crypto_aead *aead = __crypto_aead_cast(tfm);
+	struct aead_alg *alg = crypto_aead_alg(aead);
+	struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
+
+	safexcel_aead_cra_init(tfm);
+	ctx->alg  = SAFEXCEL_CHACHA20;
+	ctx->mode = CONTEXT_CONTROL_CHACHA20_MODE_256_32 |
+		    CONTEXT_CONTROL_CHACHA20_MODE_CALC_OTK;
+	ctx->hash_alg = CONTEXT_CONTROL_CRYPTO_ALG_POLY1305;
+	ctx->state_sz = 0; /* Precomputed by HW */
+
+	/* Allocate fallback implementation */
+	ctx->fback = crypto_alloc_aead(alg->base.cra_name, 0,
+				       CRYPTO_ALG_ASYNC |
+				       CRYPTO_ALG_NEED_FALLBACK);
+	if (IS_ERR(ctx->fback))
+		return PTR_ERR(ctx->fback);
+
+	crypto_aead_set_reqsize(aead, max(sizeof(struct safexcel_cipher_req),
+					  sizeof(struct aead_request) +
+					  crypto_aead_reqsize(ctx->fback)));
+
+	return 0;
+}
+
+static void safexcel_aead_chachapoly_cra_exit(struct crypto_tfm *tfm)
+{
+	struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
+
+	crypto_free_aead(ctx->fback);
+	safexcel_aead_cra_exit(tfm);
+}
+
+struct safexcel_alg_template safexcel_alg_chachapoly = {
+	.type = SAFEXCEL_ALG_TYPE_AEAD,
+	.algo_mask = SAFEXCEL_ALG_CHACHA20 | SAFEXCEL_ALG_POLY1305,
+	.alg.aead = {
+		.setkey = safexcel_aead_chachapoly_setkey,
+		.setauthsize = safexcel_aead_chachapoly_setauthsize,
+		.encrypt = safexcel_aead_chachapoly_encrypt,
+		.decrypt = safexcel_aead_chachapoly_decrypt,
+		.ivsize = CHACHAPOLY_IV_SIZE,
+		.maxauthsize = POLY1305_DIGEST_SIZE,
+		.base = {
+			.cra_name = "rfc7539(chacha20,poly1305)",
+			.cra_driver_name = "safexcel-chacha20-poly1305",
+			/* +1 to put it above HW chacha + SW poly */
+			.cra_priority = SAFEXCEL_CRA_PRIORITY + 1,
+			.cra_flags = CRYPTO_ALG_ASYNC |
+				     CRYPTO_ALG_KERN_DRIVER_ONLY |
+				     CRYPTO_ALG_NEED_FALLBACK,
+			.cra_blocksize = 1,
+			.cra_ctxsize = sizeof(struct safexcel_cipher_ctx),
+			.cra_alignmask = 0,
+			.cra_init = safexcel_aead_chachapoly_cra_init,
+			.cra_exit = safexcel_aead_chachapoly_cra_exit,
+			.cra_module = THIS_MODULE,
+		},
+	},
+};
+
+static int safexcel_aead_chachapolyesp_cra_init(struct crypto_tfm *tfm)
+{
+	struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
+	int ret;
+
+	ret = safexcel_aead_chachapoly_cra_init(tfm);
+	ctx->aead  = EIP197_AEAD_TYPE_IPSEC_ESP;
+	return ret;
+}
+
+struct safexcel_alg_template safexcel_alg_chachapoly_esp = {
+	.type = SAFEXCEL_ALG_TYPE_AEAD,
+	.algo_mask = SAFEXCEL_ALG_CHACHA20 | SAFEXCEL_ALG_POLY1305,
+	.alg.aead = {
+		.setkey = safexcel_aead_chachapoly_setkey,
+		.setauthsize = safexcel_aead_chachapoly_setauthsize,
+		.encrypt = safexcel_aead_chachapoly_encrypt,
+		.decrypt = safexcel_aead_chachapoly_decrypt,
+		.ivsize = CHACHAPOLY_IV_SIZE - EIP197_AEAD_IPSEC_NONCE_SIZE,
+		.maxauthsize = POLY1305_DIGEST_SIZE,
+		.base = {
+			.cra_name = "rfc7539esp(chacha20,poly1305)",
+			.cra_driver_name = "safexcel-chacha20-poly1305-esp",
+			/* +1 to put it above HW chacha + SW poly */
+			.cra_priority = SAFEXCEL_CRA_PRIORITY + 1,
+			.cra_flags = CRYPTO_ALG_ASYNC |
+				     CRYPTO_ALG_KERN_DRIVER_ONLY |
+				     CRYPTO_ALG_NEED_FALLBACK,
+			.cra_blocksize = 1,
+			.cra_ctxsize = sizeof(struct safexcel_cipher_ctx),
+			.cra_alignmask = 0,
+			.cra_init = safexcel_aead_chachapolyesp_cra_init,
+			.cra_exit = safexcel_aead_chachapoly_cra_exit,
+			.cra_module = THIS_MODULE,
+		},
+	},
+};
-- 
1.8.3.1


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher
  2019-09-10 14:38 ` [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher Pascal van Leeuwen
@ 2019-09-10 17:32   ` Antoine Tenart
  2019-09-10 18:58     ` Pascal Van Leeuwen
  0 siblings, 1 reply; 11+ messages in thread
From: Antoine Tenart @ 2019-09-10 17:32 UTC (permalink / raw)
  To: Pascal van Leeuwen
  Cc: linux-crypto, antoine.tenart, herbert, davem, Pascal van Leeuwen

Hi Pascal,

On Tue, Sep 10, 2019 at 04:38:12PM +0200, Pascal van Leeuwen wrote:
>  
> @@ -112,7 +123,7 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8 *iv,
>  			block_sz = DES3_EDE_BLOCK_SIZE;
>  			cdesc->control_data.options |= EIP197_OPTION_2_TOKEN_IV_CMD;
>  			break;
> -		case SAFEXCEL_AES:
> +		default: /* case SAFEXCEL_AES */

Can't you keep an explicit case here?

>  			block_sz = AES_BLOCK_SIZE;
>  			cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
>  			break;

Thanks,
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 11+ messages in thread

* RE: [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher
  2019-09-10 17:32   ` Antoine Tenart
@ 2019-09-10 18:58     ` Pascal Van Leeuwen
  2019-09-11 15:21       ` Antoine Tenart
  0 siblings, 1 reply; 11+ messages in thread
From: Pascal Van Leeuwen @ 2019-09-10 18:58 UTC (permalink / raw)
  To: Antoine Tenart, Pascal van Leeuwen; +Cc: linux-crypto, herbert, davem

> -----Original Message-----
> From: Antoine Tenart <antoine.tenart@bootlin.com>
> Sent: Tuesday, September 10, 2019 7:33 PM
> To: Pascal van Leeuwen <pascalvanl@gmail.com>
> Cc: linux-crypto@vger.kernel.org; antoine.tenart@bootlin.com; herbert@gondor.apana.org.au;
> davem@davemloft.net; Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
> Subject: Re: [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher
> 
> Hi Pascal,
> 
> On Tue, Sep 10, 2019 at 04:38:12PM +0200, Pascal van Leeuwen wrote:
> >
> > @@ -112,7 +123,7 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8
> *iv,
> >  			block_sz = DES3_EDE_BLOCK_SIZE;
> >  			cdesc->control_data.options |= EIP197_OPTION_2_TOKEN_IV_CMD;
> >  			break;
> > -		case SAFEXCEL_AES:
> > +		default: /* case SAFEXCEL_AES */
> 
> Can't you keep an explicit case here?
> 
If I do that, the compiler will complain about SAFEXCEL_CHACHA20 not
being covered. And Chacha20 won't even make it this far, so it doesn't
make much sense to add that to the switch.

I suppose an explicit case plus an empty default would be an alternative?
But I figured the comment should suffice to remind anyone working on that
switch statement what it should really do. I'm fine with either approach.

> >  			block_sz = AES_BLOCK_SIZE;
> >  			cdesc->control_data.options |= EIP197_OPTION_4_TOKEN_IV_CMD;
> >  			break;
> 
> Thanks,
> Antoine
> 
> --
> Antoine Ténart, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher
  2019-09-10 18:58     ` Pascal Van Leeuwen
@ 2019-09-11 15:21       ` Antoine Tenart
  2019-09-11 15:32         ` Pascal Van Leeuwen
  0 siblings, 1 reply; 11+ messages in thread
From: Antoine Tenart @ 2019-09-11 15:21 UTC (permalink / raw)
  To: Pascal Van Leeuwen
  Cc: Antoine Tenart, Pascal van Leeuwen, linux-crypto, herbert, davem

Hello Pascal,

On Tue, Sep 10, 2019 at 06:58:18PM +0000, Pascal Van Leeuwen wrote:
> > On Tue, Sep 10, 2019 at 04:38:12PM +0200, Pascal van Leeuwen wrote:
> > > @@ -112,7 +123,7 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx *ctx, u8
> > *iv,
> > >  			block_sz = DES3_EDE_BLOCK_SIZE;
> > >  			cdesc->control_data.options |= EIP197_OPTION_2_TOKEN_IV_CMD;
> > >  			break;
> > > -		case SAFEXCEL_AES:
> > > +		default: /* case SAFEXCEL_AES */
> > 
> > Can't you keep an explicit case here?
> > 
> If I do that, the compiler will complain about SAFEXCEL_CHACHA20 not
> being covered. And Chacha20 won't even make it this far, so it doesn't
> make much sense to add that to the switch.
> 
> I suppose an explicit case plus an empty default would be an alternative?
> But I figured the comment should suffice to remind anyone working on that
> switch statement what it should really do. I'm fine with either approach.

Yes, please use an explicit case and an empty default.

Thanks,
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD
  2019-09-10 14:38 ` [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD Pascal van Leeuwen
@ 2019-09-11 15:29   ` Antoine Tenart
  2019-09-11 15:37     ` Pascal Van Leeuwen
  0 siblings, 1 reply; 11+ messages in thread
From: Antoine Tenart @ 2019-09-11 15:29 UTC (permalink / raw)
  To: Pascal van Leeuwen
  Cc: linux-crypto, antoine.tenart, herbert, davem, Pascal van Leeuwen

Hello Pascal,

On Tue, Sep 10, 2019 at 04:38:13PM +0200, Pascal van Leeuwen wrote:
> @@ -43,8 +44,8 @@ struct safexcel_cipher_ctx {
>  
>  	u32 mode;
>  	enum safexcel_cipher_alg alg;
> -	bool aead;
> -	int  xcm; /* 0=authenc, 1=GCM, 2 reserved for CCM */
> +	char aead; /* !=0=AEAD, 2=IPSec ESP AEAD */
> +	char xcm;  /* 0=authenc, 1=GCM, 2 reserved for CCM */

You could use an u8 instead. It also seems the aead comment has an
issue, I'll let you check that.

> -		dev_err(priv->dev, "aead: unsupported hash algorithm\n");
> +		dev_err(priv->dev, "aead: unsupported hash algorithmn");

You remove the '\' here.

> @@ -440,6 +459,17 @@ static int safexcel_context_control(struct safexcel_cipher_ctx *ctx,
>  				CONTEXT_CONTROL_DIGEST_XCM |
>  				ctx->hash_alg |
>  				CONTEXT_CONTROL_SIZE(ctrl_size);
> +		} else if (ctx->alg == SAFEXCEL_CHACHA20) {
> +			/* Chacha20-Poly1305 */
> +			cdesc->control_data.control0 =
> +				CONTEXT_CONTROL_KEY_EN |
> +				CONTEXT_CONTROL_CRYPTO_ALG_CHACHA20 |
> +				(sreq->direction == SAFEXCEL_ENCRYPT ?
> +					CONTEXT_CONTROL_TYPE_ENCRYPT_HASH_OUT :
> +					CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN) |
> +				ctx->hash_alg |
> +				CONTEXT_CONTROL_SIZE(ctrl_size);

I think you could use an if + |= for readability here.

> +static int safexcel_aead_chachapoly_crypt(struct aead_request *req,
> +					  enum safexcel_cipher_direction dir)
> +{
> +	struct safexcel_cipher_req *creq = aead_request_ctx(req);
> +	struct crypto_aead *aead = crypto_aead_reqtfm(req);
> +	struct crypto_tfm *tfm = crypto_aead_tfm(aead);
> +	struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
> +	struct aead_request *subreq = aead_request_ctx(req);
> +	u32 key[CHACHA_KEY_SIZE / sizeof(u32) + 1];

Shouldn't you explicitly memzero the key at the end of the function?

Thanks!
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 11+ messages in thread

* RE: [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher
  2019-09-11 15:21       ` Antoine Tenart
@ 2019-09-11 15:32         ` Pascal Van Leeuwen
  0 siblings, 0 replies; 11+ messages in thread
From: Pascal Van Leeuwen @ 2019-09-11 15:32 UTC (permalink / raw)
  To: Antoine Tenart; +Cc: Pascal van Leeuwen, linux-crypto, herbert, davem

> -----Original Message-----
> From: Antoine Tenart <antoine.tenart@bootlin.com>
> Sent: Wednesday, September 11, 2019 5:21 PM
> To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
> Cc: Antoine Tenart <antoine.tenart@bootlin.com>; Pascal van Leeuwen
> <pascalvanl@gmail.com>; linux-crypto@vger.kernel.org; herbert@gondor.apana.org.au;
> davem@davemloft.net
> Subject: Re: [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher
> 
> Hello Pascal,
> 
> On Tue, Sep 10, 2019 at 06:58:18PM +0000, Pascal Van Leeuwen wrote:
> > > On Tue, Sep 10, 2019 at 04:38:12PM +0200, Pascal van Leeuwen wrote:
> > > > @@ -112,7 +123,7 @@ static void safexcel_cipher_token(struct safexcel_cipher_ctx
> *ctx, u8
> > > *iv,
> > > >  			block_sz = DES3_EDE_BLOCK_SIZE;
> > > >  			cdesc->control_data.options |= EIP197_OPTION_2_TOKEN_IV_CMD;
> > > >  			break;
> > > > -		case SAFEXCEL_AES:
> > > > +		default: /* case SAFEXCEL_AES */
> > >
> > > Can't you keep an explicit case here?
> > >
> > If I do that, the compiler will complain about SAFEXCEL_CHACHA20 not
> > being covered. And Chacha20 won't even make it this far, so it doesn't
> > make much sense to add that to the switch.
> >
> > I suppose an explicit case plus an empty default would be an alternative?
> > But I figured the comment should suffice to remind anyone working on that
> > switch statement what it should really do. I'm fine with either approach.
> 
> Yes, please use an explicit case and an empty default.
> 
OK, will do

> Thanks,
> Antoine
> 
> --
> Antoine Ténart, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Thanks,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com


^ permalink raw reply	[flat|nested] 11+ messages in thread

* RE: [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD
  2019-09-11 15:29   ` Antoine Tenart
@ 2019-09-11 15:37     ` Pascal Van Leeuwen
  2019-09-11 15:45       ` Antoine Tenart
  0 siblings, 1 reply; 11+ messages in thread
From: Pascal Van Leeuwen @ 2019-09-11 15:37 UTC (permalink / raw)
  To: Antoine Tenart, Pascal van Leeuwen; +Cc: linux-crypto, herbert, davem

> -----Original Message-----
> From: Antoine Tenart <antoine.tenart@bootlin.com>
> Sent: Wednesday, September 11, 2019 5:30 PM
> To: Pascal van Leeuwen <pascalvanl@gmail.com>
> Cc: linux-crypto@vger.kernel.org; antoine.tenart@bootlin.com;
> herbert@gondor.apana.org.au; davem@davemloft.net; Pascal Van Leeuwen
> <pvanleeuwen@verimatrix.com>
> Subject: Re: [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305
> AEAD
> 
> Hello Pascal,
> 
> On Tue, Sep 10, 2019 at 04:38:13PM +0200, Pascal van Leeuwen wrote:
> > @@ -43,8 +44,8 @@ struct safexcel_cipher_ctx {
> >
> >  	u32 mode;
> >  	enum safexcel_cipher_alg alg;
> > -	bool aead;
> > -	int  xcm; /* 0=authenc, 1=GCM, 2 reserved for CCM */
> > +	char aead; /* !=0=AEAD, 2=IPSec ESP AEAD */
> > +	char xcm;  /* 0=authenc, 1=GCM, 2 reserved for CCM */
> 
> You could use an u8 instead. It also seems the aead comment has an
> issue, I'll let you check that.
> 
Yes, u8 would be better, I'll fix that.
I don't see what's wrong with the comment though?
Anything unequal to 0 is AEAD, with value 2 being the ESP variant.

> > -		dev_err(priv->dev, "aead: unsupported hash algorithm\n");
> > +		dev_err(priv->dev, "aead: unsupported hash algorithmn");
> 
> You remove the '\' here.
> 
Oops. Must've accidentally happended during editing. Good catch.

> > @@ -440,6 +459,17 @@ static int safexcel_context_control(struct safexcel_cipher_ctx
> *ctx,
> >  				CONTEXT_CONTROL_DIGEST_XCM |
> >  				ctx->hash_alg |
> >  				CONTEXT_CONTROL_SIZE(ctrl_size);
> > +		} else if (ctx->alg == SAFEXCEL_CHACHA20) {
> > +			/* Chacha20-Poly1305 */
> > +			cdesc->control_data.control0 =
> > +				CONTEXT_CONTROL_KEY_EN |
> > +				CONTEXT_CONTROL_CRYPTO_ALG_CHACHA20 |
> > +				(sreq->direction == SAFEXCEL_ENCRYPT ?
> > +					CONTEXT_CONTROL_TYPE_ENCRYPT_HASH_OUT :
> > +					CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN) |
> > +				ctx->hash_alg |
> > +				CONTEXT_CONTROL_SIZE(ctrl_size);
> 
> I think you could use an if + |= for readability here.
> 
Ok, I can do that

> > +static int safexcel_aead_chachapoly_crypt(struct aead_request *req,
> > +					  enum safexcel_cipher_direction dir)
> > +{
> > +	struct safexcel_cipher_req *creq = aead_request_ctx(req);
> > +	struct crypto_aead *aead = crypto_aead_reqtfm(req);
> > +	struct crypto_tfm *tfm = crypto_aead_tfm(aead);
> > +	struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm);
> > +	struct aead_request *subreq = aead_request_ctx(req);
> > +	u32 key[CHACHA_KEY_SIZE / sizeof(u32) + 1];
> 
> Shouldn't you explicitly memzero the key at the end of the function?
>
Yes! :-) And good catch, again.

> Thanks!
> Antoine
> 
> --
> Antoine Ténart, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Thanks,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD
  2019-09-11 15:37     ` Pascal Van Leeuwen
@ 2019-09-11 15:45       ` Antoine Tenart
  2019-09-11 15:49         ` Pascal Van Leeuwen
  0 siblings, 1 reply; 11+ messages in thread
From: Antoine Tenart @ 2019-09-11 15:45 UTC (permalink / raw)
  To: Pascal Van Leeuwen
  Cc: Antoine Tenart, Pascal van Leeuwen, linux-crypto, herbert, davem

On Wed, Sep 11, 2019 at 03:37:25PM +0000, Pascal Van Leeuwen wrote:
> > On Tue, Sep 10, 2019 at 04:38:13PM +0200, Pascal van Leeuwen wrote:
> > > @@ -43,8 +44,8 @@ struct safexcel_cipher_ctx {
> > >
> > >  	u32 mode;
> > >  	enum safexcel_cipher_alg alg;
> > > -	bool aead;
> > > -	int  xcm; /* 0=authenc, 1=GCM, 2 reserved for CCM */
> > > +	char aead; /* !=0=AEAD, 2=IPSec ESP AEAD */
> > > +	char xcm;  /* 0=authenc, 1=GCM, 2 reserved for CCM */
> > 
> > You could use an u8 instead. It also seems the aead comment has an
> > issue, I'll let you check that.
> > 
> I don't see what's wrong with the comment though?
> Anything unequal to 0 is AEAD, with value 2 being the ESP variant.

OK, that wasn't clear to me when I first read it. Maybe you could say
that 1: AEAD, 2: IPsec ESP AEAD; and then of course the check of this
value being > 0 would mean it's one of the two.

Thanks!
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 11+ messages in thread

* RE: [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD
  2019-09-11 15:45       ` Antoine Tenart
@ 2019-09-11 15:49         ` Pascal Van Leeuwen
  0 siblings, 0 replies; 11+ messages in thread
From: Pascal Van Leeuwen @ 2019-09-11 15:49 UTC (permalink / raw)
  To: Antoine Tenart; +Cc: Pascal van Leeuwen, linux-crypto, herbert, davem

> -----Original Message-----
> From: Antoine Tenart <antoine.tenart@bootlin.com>
> Sent: Wednesday, September 11, 2019 5:45 PM
> To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
> Cc: Antoine Tenart <antoine.tenart@bootlin.com>; Pascal van Leeuwen
> <pascalvanl@gmail.com>; linux-crypto@vger.kernel.org; herbert@gondor.apana.org.au;
> davem@davemloft.net
> Subject: Re: [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305
> AEAD
> 
> On Wed, Sep 11, 2019 at 03:37:25PM +0000, Pascal Van Leeuwen wrote:
> > > On Tue, Sep 10, 2019 at 04:38:13PM +0200, Pascal van Leeuwen wrote:
> > > > @@ -43,8 +44,8 @@ struct safexcel_cipher_ctx {
> > > >
> > > >  	u32 mode;
> > > >  	enum safexcel_cipher_alg alg;
> > > > -	bool aead;
> > > > -	int  xcm; /* 0=authenc, 1=GCM, 2 reserved for CCM */
> > > > +	char aead; /* !=0=AEAD, 2=IPSec ESP AEAD */
> > > > +	char xcm;  /* 0=authenc, 1=GCM, 2 reserved for CCM */
> > >
> > > You could use an u8 instead. It also seems the aead comment has an
> > > issue, I'll let you check that.
> > >
> > I don't see what's wrong with the comment though?
> > Anything unequal to 0 is AEAD, with value 2 being the ESP variant.
> 
> OK, that wasn't clear to me when I first read it. Maybe you could say
> that 1: AEAD, 2: IPsec ESP AEAD; and then of course the check of this
> value being > 0 would mean it's one of the two.
> 
OK, agree that that's clearer so I will change it to that.

> Thanks!
> Antoine
> 
> --
> Antoine Ténart, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com


^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, back to index

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-10 14:38 [PATCH 0/2] crypto: inside-secure: Add support for the Chacha20 skcipher and the Chacha20-Poly1305 AEAD suites Pascal van Leeuwen
2019-09-10 14:38 ` [PATCH 1/2] crypto: inside-secure - Added support for the CHACHA20 skcipher Pascal van Leeuwen
2019-09-10 17:32   ` Antoine Tenart
2019-09-10 18:58     ` Pascal Van Leeuwen
2019-09-11 15:21       ` Antoine Tenart
2019-09-11 15:32         ` Pascal Van Leeuwen
2019-09-10 14:38 ` [PATCH 2/2] crypto: inside-secure - Add support for the Chacha20-Poly1305 AEAD Pascal van Leeuwen
2019-09-11 15:29   ` Antoine Tenart
2019-09-11 15:37     ` Pascal Van Leeuwen
2019-09-11 15:45       ` Antoine Tenart
2019-09-11 15:49         ` Pascal Van Leeuwen

Linux-Crypto Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-crypto/0 linux-crypto/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-crypto linux-crypto/ https://lore.kernel.org/linux-crypto \
		linux-crypto@vger.kernel.org linux-crypto@archiver.kernel.org
	public-inbox-index linux-crypto

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-crypto


AGPL code for this site: git clone https://public-inbox.org/ public-inbox