On 07.11.2024 15:55, Harald Freudenberger wrote:
> From: Holger Dengler <dengler@xxxxxxxxxxxxx>
>
> Add support for protected key hmac ("phmac") for s390 arch.
>
> With the latest machine generation there is now support for
> protected key (that is a key wrapped by a master key stored
> in firmware) hmac for sha2 (sha224, sha256, sha384 and sha512)
> for the s390 specific CPACF instruction kmac.
>
> This patch adds support via 4 new shashes registered as
> phmac(sha224), phmac(sha256), phmac(sha384) and phmac(sha512).
>
> Please note that as of now, there is no selftest enabled for
> these shashes, but the implementation has been tested with
> testcases via AF_ALG interface.
>
> Signed-off-by: Holger Dengler <dengler@xxxxxxxxxxxxx>
> Signed-off-by: Harald Freudenberger <freude@xxxxxxxxxxxxx>
> ---
> arch/s390/configs/debug_defconfig | 1 +
> arch/s390/configs/defconfig | 1 +
> arch/s390/crypto/Makefile | 1 +
> arch/s390/crypto/phmac_s390.c | 473 ++++++++++++++++++++++++++++++
> drivers/crypto/Kconfig | 12 +
> 5 files changed, 488 insertions(+)
> create mode 100644 arch/s390/crypto/phmac_s390.c
>
> diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_defconfig
> index 6b602d972e91..a8ba72e7162d 100644
> --- a/arch/s390/configs/debug_defconfig
> +++ b/arch/s390/configs/debug_defconfig
> @@ -804,6 +804,7 @@ CONFIG_PKEY_EP11=m
> CONFIG_PKEY_PCKMO=m
> CONFIG_PKEY_UV=m
> CONFIG_CRYPTO_PAES_S390=m
> +CONFIG_CRYPTO_PHMAC_S390=m
> CONFIG_CRYPTO_DEV_VIRTIO=m
> CONFIG_SYSTEM_BLACKLIST_KEYRING=y
> CONFIG_CORDIC=m
> diff --git a/arch/s390/configs/defconfig b/arch/s390/configs/defconfig
> index 7844b9f5851b..cd2e9c94b736 100644
> --- a/arch/s390/configs/defconfig
> +++ b/arch/s390/configs/defconfig
> @@ -790,6 +790,7 @@ CONFIG_PKEY_EP11=m
> CONFIG_PKEY_PCKMO=m
> CONFIG_PKEY_UV=m
> CONFIG_CRYPTO_PAES_S390=m
> +CONFIG_CRYPTO_PHMAC_S390=m
> CONFIG_CRYPTO_DEV_VIRTIO=m
> CONFIG_SYSTEM_BLACKLIST_KEYRING=y
> CONFIG_CORDIC=m
> diff --git a/arch/s390/crypto/Makefile b/arch/s390/crypto/Makefile
> index a0cb96937c3d..47637140b95c 100644
> --- a/arch/s390/crypto/Makefile
> +++ b/arch/s390/crypto/Makefile
> @@ -16,6 +16,7 @@ obj-$(CONFIG_S390_PRNG) += prng.o
> obj-$(CONFIG_CRYPTO_GHASH_S390) += ghash_s390.o
> obj-$(CONFIG_CRYPTO_CRC32_S390) += crc32-vx_s390.o
> obj-$(CONFIG_CRYPTO_HMAC_S390) += hmac_s390.o
> +obj-$(CONFIG_CRYPTO_PHMAC_S390) += phmac_s390.o
> obj-y += arch_random.o
>
> crc32-vx_s390-y := crc32-vx.o crc32le-vx.o crc32be-vx.o
> diff --git a/arch/s390/crypto/phmac_s390.c b/arch/s390/crypto/phmac_s390.c
> new file mode 100644
> index 000000000000..77a5244b2eb4
> --- /dev/null
> +++ b/arch/s390/crypto/phmac_s390.c
> @@ -0,0 +1,473 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Copyright IBM Corp. 2024
> + *
> + * s390 specific HMAC support for protected keys.
> + */
> +
> +#define KMSG_COMPONENT "phmac_s390"
> +#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
> +
> +#include <asm/cpacf.h>
> +#include <asm/pkey.h>
> +#include <crypto/sha2.h>
> +#include <crypto/internal/hash.h>
> +#include <linux/cpufeature.h>
> +#include <linux/delay.h>
> +#include <linux/module.h>
> +#include <linux/spinlock.h>
> +
> +/*
> + * KMAC param block layout for sha2 function codes:
> + * The layout of the param block for the KMAC instruction depends on the
> + * blocksize of the used hashing sha2-algorithm function codes. The param block
> + * contains the hash chaining value (cv), the input message bit-length (imbl)
> + * and the hmac-secret (key). To prevent code duplication, the sizes of all
> + * these are calculated based on the blocksize.
> + *
> + * param-block:
> + * +-------+
> + * | cv |
> + * +-------+
> + * | imbl |
> + * +-------+
> + * | key |
> + * +-------+
> + *
> + * sizes:
> + * part | sh2-alg | calculation | size | type
> + * -----+---------+-------------+------+--------
> + * cv | 224/256 | blocksize/2 | 32 | u64[8]
> + * | 384/512 | | 64 | u128[8]
> + * imbl | 224/256 | blocksize/8 | 8 | u64
> + * | 384/512 | | 16 | u128
> + * key | 224/256 | blocksize | 96 | u8[96]
> + * | 384/512 | | 160 | u8[160]
> + */
> +
> +#define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> +#define MAX_IMBL_SIZE sizeof(u128)
> +#define MAX_BLOCK_SIZE SHA512_BLOCK_SIZE
> +
> +#define SHA2_CV_SIZE(bs) ((bs) >> 1)
> +#define SHA2_IMBL_SIZE(bs) ((bs) >> 3)
> +
> +#define SHA2_IMBL_OFFSET(bs) (SHA2_CV_SIZE(bs))
> +#define SHA2_KEY_OFFSET(bs) (SHA2_CV_SIZE(bs) + SHA2_IMBL_SIZE(bs))
> +
> +#define PHMAC_SHA256_KEY_SIZE (SHA256_BLOCK_SIZE + 32)
> +#define PHMAC_SHA512_KEY_SIZE (SHA512_BLOCK_SIZE + 32)
> +#define PHMAC_MAX_KEY_SIZE PHMAC_SHA512_KEY_SIZE
> +
> +struct phmac_protkey {
> + u32 type;
> + u32 len;
> + u8 protkey[PHMAC_MAX_KEY_SIZE];
> +};
> +
> +struct s390_phmac_ctx {
> + u8 *key;
> + unsigned int keylen;
> +
> + struct phmac_protkey pk;
> + /* spinlock to atomic update pk */
> + spinlock_t pk_lock;
> +};
> +
....
> +
> +static inline int s390_phmac_sha2_setkey(struct crypto_shash *tfm,
> + const u8 *key, unsigned int keylen)
> +{
> + struct s390_phmac_ctx *tfm_ctx = crypto_shash_ctx(tfm);
> +
> + if (tfm_ctx->keylen) {
> + kfree_sensitive(tfm_ctx->key);
> + tfm_ctx->key = NULL;
> + tfm_ctx->keylen = 0;
> + }
> +
> + tfm_ctx->key = kmemdup(key, keylen, GFP_ATOMIC);
> + if (!tfm_ctx->key)
> + return -ENOMEM;
> + tfm_ctx->keylen = keylen;
> +
> + return 0;
> +}
> +
> +static int s390_phmac_sha2_init(struct shash_desc *desc)
> +{
> + struct s390_phmac_ctx *tfm_ctx = crypto_shash_ctx(desc->tfm);
> + struct s390_kmac_sha2_ctx *ctx = shash_desc_ctx(desc);
> + unsigned int bs = crypto_shash_blocksize(desc->tfm);
> + int rc;
> +
> + rc = phmac_convert_key(desc->tfm);
There is no need to perform the (possibly time consuming) key conversation at every init.
You only need to convert the key if a new key was set (via setkey function) before.
Once converted, it can be reused by multiple init calls, if no other setkey is done in between.
One possibility to achieve this is to add a flag field into struct s390_phmac_ctx (i.e. new_key_set).
In the setkey function set new_key_set to 1 once te key has been updated in the context.
In the init function, if new_key_set is != 0, then convert the key and set new_key_set to 0.
Any subsequent init calls (with no setkey in-between) will see new_key_set == 0 and thus will not convert the key again, but reuse the already converted key.
If the key hasn't changed it is simply unnecessary to perform the (possibly time consuming) key conversation again and again.
This improves performance for use cases where a tfm is allocated, a key is set once, and then multiple sequences of init/update/final are performed to calculate the HMACs of different pieces of data but with the same key. This is for example what dm-integrity does, it does init/update/final for every sector, but the key is set only once at the very beginning.
> + if (rc)
> + goto out;
> +
> + spin_lock_bh(&tfm_ctx->pk_lock);
> + memcpy(ctx->param + SHA2_KEY_OFFSET(bs),
> + tfm_ctx->pk.protkey, tfm_ctx->pk.len);
> + spin_unlock_bh(&tfm_ctx->pk_lock);
> +
> + ctx->buflen = 0;
> + ctx->gr0.reg = 0;
> +
> + switch (crypto_shash_digestsize(desc->tfm)) {
> + case SHA224_DIGEST_SIZE:
> + ctx->gr0.fc = CPACF_KMAC_PHMAC_SHA_224;
> + break;
> + case SHA256_DIGEST_SIZE:
> + ctx->gr0.fc = CPACF_KMAC_PHMAC_SHA_256;
> + break;
> + case SHA384_DIGEST_SIZE:
> + ctx->gr0.fc = CPACF_KMAC_PHMAC_SHA_384;
> + break;
> + case SHA512_DIGEST_SIZE:
> + ctx->gr0.fc = CPACF_KMAC_PHMAC_SHA_512;
> + break;
> + default:
> + rc = -EINVAL;
> + }
> +
> +out:
> + pr_debug("rc=%d\n", rc);
> + return rc;
> +}
> +
>
--
Ingo Franzki
eMail: ifranzki@xxxxxxxxxxxxx
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
