2 * Accelerated poly_hash implementation with ARMv8 PMULL instructions.
4 * Based on ghash-ce-glue.c.
6 * poly_hash is part of the HEH (Hash-Encrypt-Hash) encryption mode, proposed in
7 * Internet Draft https://tools.ietf.org/html/draft-cope-heh-01.
9 * poly_hash is very similar to GHASH: both algorithms are keyed hashes which
10 * interpret their input data as coefficients of a polynomial over GF(2^128),
11 * then calculate a hash value by evaluating that polynomial at the point given
12 * by the key, e.g. using Horner's rule. The difference is that poly_hash uses
13 * the more natural "ble" convention to represent GF(2^128) elements, whereas
14 * GHASH uses the less natural "lle" convention (see include/crypto/gf128mul.h).
15 * The ble convention makes it simpler to implement GF(2^128) multiplication.
17 * Copyright (C) 2014 Linaro Ltd. <ard.biesheuvel@linaro.org>
18 * Copyright (C) 2017 Google Inc. <ebiggers@google.com>
20 * This program is free software; you can redistribute it and/or modify it
21 * under the terms of the GNU General Public License version 2 as published
22 * by the Free Software Foundation.
26 #include <crypto/b128ops.h>
27 #include <crypto/internal/hash.h>
28 #include <linux/cpufeature.h>
29 #include <linux/crypto.h>
30 #include <linux/module.h>
33 * Note: in this algorithm we currently use 'le128' to represent GF(2^128)
34 * elements, even though poly_hash-generic uses 'be128'. Both types are
35 * actually "wrong" because the elements are actually in 'ble' format, and there
36 * should be a ble type to represent this --- as well as lle, bbe, and lbe types
37 * for the other conventions for representing GF(2^128) elements. But
38 * practically it doesn't matter which type we choose here, so we just use le128
39 * since it's arguably more accurate, while poly_hash-generic still has to use
40 * be128 because the generic GF(2^128) multiplication functions all take be128.
43 struct poly_hash_desc_ctx {
48 asmlinkage void pmull_poly_hash_update(le128 *digest, const le128 *key,
49 const u8 *src, unsigned int blocks,
50 unsigned int partial);
52 static int poly_hash_setkey(struct crypto_shash *tfm,
53 const u8 *key, unsigned int keylen)
55 if (keylen != sizeof(le128)) {
56 crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
60 memcpy(crypto_shash_ctx(tfm), key, sizeof(le128));
64 static int poly_hash_init(struct shash_desc *desc)
66 struct poly_hash_desc_ctx *ctx = shash_desc_ctx(desc);
68 ctx->digest = (le128) { 0 };
73 static int poly_hash_update(struct shash_desc *desc, const u8 *src,
76 struct poly_hash_desc_ctx *ctx = shash_desc_ctx(desc);
77 unsigned int partial = ctx->count % sizeof(le128);
78 u8 *dst = (u8 *)&ctx->digest + partial;
82 /* Finishing at least one block? */
83 if (partial + len >= sizeof(le128)) {
84 const le128 *key = crypto_shash_ctx(desc->tfm);
87 /* Finish the pending block. */
88 unsigned int n = sizeof(le128) - partial;
97 * Do the real work. If 'partial' is nonzero, this starts by
98 * multiplying 'digest' by 'key'. Then for each additional full
99 * block it adds the block to 'digest' and multiplies by 'key'.
101 kernel_neon_begin_partial(8);
102 pmull_poly_hash_update(&ctx->digest, key, src,
103 len / sizeof(le128), partial);
106 src += len - (len % sizeof(le128));
107 len %= sizeof(le128);
108 dst = (u8 *)&ctx->digest;
111 /* Continue adding the next block to 'digest'. */
117 static int poly_hash_final(struct shash_desc *desc, u8 *out)
119 struct poly_hash_desc_ctx *ctx = shash_desc_ctx(desc);
120 unsigned int partial = ctx->count % sizeof(le128);
122 /* Finish the last block if needed. */
124 const le128 *key = crypto_shash_ctx(desc->tfm);
126 kernel_neon_begin_partial(8);
127 pmull_poly_hash_update(&ctx->digest, key, NULL, 0, partial);
131 memcpy(out, &ctx->digest, sizeof(le128));
135 static struct shash_alg poly_hash_alg = {
136 .digestsize = sizeof(le128),
137 .init = poly_hash_init,
138 .update = poly_hash_update,
139 .final = poly_hash_final,
140 .setkey = poly_hash_setkey,
141 .descsize = sizeof(struct poly_hash_desc_ctx),
143 .cra_name = "poly_hash",
144 .cra_driver_name = "poly_hash-ce",
146 .cra_ctxsize = sizeof(le128),
147 .cra_module = THIS_MODULE,
151 static int __init poly_hash_ce_mod_init(void)
153 return crypto_register_shash(&poly_hash_alg);
156 static void __exit poly_hash_ce_mod_exit(void)
158 crypto_unregister_shash(&poly_hash_alg);
161 MODULE_DESCRIPTION("Polynomial evaluation hash using ARMv8 Crypto Extensions");
162 MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
163 MODULE_LICENSE("GPL v2");
165 module_cpu_feature_match(PMULL, poly_hash_ce_mod_init);
166 module_exit(poly_hash_ce_mod_exit);