Building the caam driver on arm64 produces a harmless warning:

drivers/crypto/caam/caamalg.c:140:139: warning: comparison of distinct pointer types lacks a cast

We can use min_t to tell the compiler which type we want it to use
here.

Fixes: 5ecf8ef9 ("crypto: caam - fix sg dump")
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Reviewed-by: NHoria Geantă <horia.geanta@nxp.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Ensure scatterlists have a virtual memory mapping before dumping.
Signed-off-by: NCatalin Vasile <cata.vasile@nxp.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

-nonce is being loaded using append_load_imm_u32() instead of
append_load_as_imm() (nonce is a byte array / stream, not a 4-byte
variable)
-counter is not being added in big endian format, as mandatated by
RFC3686 and expected by the crypto engine
Signed-off-by: NCatalin Vasile <cata.vasile@nxp.com>
Reviewed-by: NHoria Geantă <horia.geanta@nxp.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

For algorithms that implement IV generators before the crypto ops,
the IV needed for decryption is initially located in req->src
scatterlist, not in req->iv.

Avoid copying the IV into req->iv by modifying the (givdecrypt)
descriptors to load it directly from req->src.
aead_givdecrypt() is no longer needed and goes away.

Cc: <stable@vger.kernel.org> # 4.3+
Fixes: 479bcc7c ("crypto: caam - Convert authenc to new AEAD interface")
Signed-off-by: NHoria Geantă <horia.geanta@nxp.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

To be able to generate shared descriptors for AEAD, the authentication size
needs to be known. However, there is no imposed order of calling .setkey,
.setauthsize callbacks.

Thus, in case authentication size is not known at .setkey time, defer it
until .setauthsize is called.

The authsize != 0 check was incorrectly removed when converting the driver
to the new AEAD interface.

Cc: <stable@vger.kernel.org> # 4.3+
Fixes: 479bcc7c ("crypto: caam - Convert authenc to new AEAD interface")
Signed-off-by: NHoria Geantă <horia.geanta@nxp.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

There are a few things missed by the conversion to the
new AEAD interface:

1 - echainiv(authenc) encrypt shared descriptor

The shared descriptor is incorrect: due to the order of operations,
at some point in time MATH3 register is being overwritten.

2 - buffer used for echainiv(authenc) encrypt shared descriptor

Encrypt and givencrypt shared descriptors (for AEAD ops) are mutually
exclusive and thus use the same buffer in context state: sh_desc_enc.

However, there's one place missed by s/sh_desc_givenc/sh_desc_enc,
leading to errors when echainiv(authenc(...)) algorithms are used:
DECO: desc idx 14: Header Error. Invalid length or parity, or
certain other problems.

While here, also fix a typo: dma_mapping_error() is checking
for validity of sh_desc_givenc_dma instead of sh_desc_enc_dma.

Cc: <stable@vger.kernel.org> # 4.3+
Fixes: 479bcc7c ("crypto: caam - Convert authenc to new AEAD interface")
Signed-off-by: NHoria Geantă <horia.geanta@nxp.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add support for AES working in XEX-based Tweaked-codebook mode with
ciphertext Stealing (XTS)

sector index - HW limitation: CAAM device supports sector index of only
8 bytes to be used for sector index inside IV, instead of whole 16 bytes
received on request. This represents 2 ^ 64 = 16,777,216 Tera of possible
values for sector index.
Signed-off-by: NCristian Hristea <cristi.hristea@gmail.com>
Signed-off-by: NHoria Geanta <horia.geanta@freescale.com>
Signed-off-by: NAlex Porosanu <alexandru.porosanu@freescale.com>
Signed-off-by: NCatalin Vasile <catalin.vasile@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The caam driver use two dma_map_sg path according to SG are chained
or not.
Since dma_map_sg can handle both case, clean the code with all
references to sg chained.

Thus removing dma_map_sg_chained, dma_unmap_sg_chained
and __sg_count functions.
Signed-off-by: NLABBE Corentin <clabbe.montjoie@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

"The preferred form for passing a size of a struct is the following:

        p = kmalloc(sizeof(*p), ...);
....

The preferred form for allocating a zeroed array is the following:

        p = kcalloc(n, sizeof(...), ...); "

,so do as suggested.
Signed-off-by: NFabio Estevam <fabio.estevam@freescale.com>
Reviewed-by: NHoria Geant? <horia.geanta@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch removes the CRYPTO_ALG_AEAD_NEW flag now that everyone
has been converted.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Register only algorithms supported by CAAM hardware, using the CHA
version and instantiation registers to identify hardware capabilities.
Signed-off-by: NVictoria Milhoan <vicki.milhoan@freescale.com>
Tested-by: NHoria Geantă <horia.geanta@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Since fields must be ORed in to operate correctly using any order of
operations, changed allocations of the combination of extended
descriptor structs + hardware scatterlists to use kzalloc() instead
of kmalloc(), so as to ensure that residue data would not be ORed in
with the correct data.
Signed-off-by: NSteve Cornelius <steve.cornelius@freescale.com>
Signed-off-by: NVictoria Milhoan <vicki.milhoan@freescale.com>
Tested-by: NHoria Geantă <horia.geanta@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the authenc implementations in caam to the
new AEAD interface.  The biggest change is that seqiv no longer
generates a random IV.  Instead the IPsec sequence number is used
as the IV.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The encap shared descriptor was changed to use the new IV convention.
In the process some commands were shifted, making the output length
zero, caam effectively writing garbage in dst.

While here, update the decap descriptor to execute the "write" commands
before the "read"s (as it previously was).
This makes sure the input fifo is drained before becoming full.

Fixes: 46218750 ("crypto: caam - Use new IV convention")
Signed-off-by: NHoria Geant? <horia.geanta@freescale.com>
Signed-off-by: NTudor Ambarus <tudor.ambarus@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts rfc4106 to the new calling convention where
the IV is now part of the AD and needs to be skipped.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The new aead_edesc_alloc left out the bit indicating the last
entry on the source SG list.  This patch fixes it.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

I incorrectly removed DESC_MAX_USED_BYTES when enlarging the size
of the shared descriptor buffers, thus making it four times larger
than what is necessary.  This patch restores the division by four
calculation.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the caam GCM implementations to the new AEAD
interface.  This is compile-tested only.

Note that all IV generation for GCM algorithms have been removed.
The reason is that the current generation uses purely random IVs
which is not appropriate for counter-based algorithms where we
first and foremost require uniqueness.

Of course there is no reason why you couldn't implement seqiv or
seqniv within caam since all they do is xor the sequence number
with a salt, but since I can't test this on actual hardware I'll
leave it alone for now.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Currently caam assumes that the SG list contains exactly the number
of bytes required.  This assumption is incorrect.

Up until now this has been harmless.  However with the new AEAD
interface this now breaks as the AD SG list contains more bytes
than just the AD.

This patch fixes this by always clamping the AD SG list by the
specified AD length.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch replaces references to aead_alg with old_aead_alg.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

crt_aead is an internal implementation detail and must not be
used outside of the crypto API itself.  This patch replaces the
unnecessary uses of crt_aead with crypto_aead_ivsize.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The caam driver includes algorithm types that it doesn't even
use, such as struct rng_alg which has recently been moved to an
internal header file and consequently broke the build of caam.

This patch removes these bogus references.
Reported-by: NFengguang Wu <fengguang.wu@intel.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

- assoc_nents and src_nents are never zero when all_contig is false
- iv_contig is zero on the else branch
Signed-off-by: NCristian Stoica <cristian.stoica@freescale.com>
Reviewed-by: NRichard Schmitt <richard.schmitt@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Merge DES Cipher Block Chaining mode (CBC) and Triple DES Cipher Block
Chaining mode (CBC) algorithms from ablkcipher to givencrypt.
Signed-off-by: NCatalin Vasile <catalin.vasile@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add support for one-shot givencrypt algorithms.
Givencrypt algorithms will generate their IV and encrypt data
within the same shared job descriptors.
Current algorithms merged from ablkcipher to givencrypt are:
 - AES Cipher Block Chaining (CBC)
 - AES Counter Mode (CTR) compliant with RFC3686
Signed-off-by: NCatalin Vasile <catalin.vasile@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add support for AES Counter Mode (CTR) compliant with RFC3686 to be
used along with authenc algorithms (md5, sha1, sha224, sha256, sha384,
sha512) as one-shot aead algorithms.
Signed-off-by: NCatalin Vasile <catalin.vasile@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add support for Advanced Encryption Standard (AES) in Counter Mode (CTR)
as provided in IPsec implementation standard RFC3686.

ablkcipher shared descriptors now save context registers after job
execution. This is used to load Nonce specific to RFC3686 only at
first execution of shared job descriptor.
Signed-off-by: NCatalin Vasile <catalin.vasile@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add support for AES working in Counter Mode
Signed-off-by: NCatalin Vasile <catalin.vasile@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add AES-GMAC as an IPSec ESP mechanism to provide
data origin authentication, but not confidentiality.
This method is referred as ENCR_NULL_AUTH_AES_GMAC.
Signed-off-by: NTudor Ambarus <tudor.ambarus@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch fixes the assumption that output sequence is not contiguous
when input sequence is not contiguous and in-place encryption is done.
Output sequence does not need to be contiguous with associated data.
Signed-off-by: NTudor Ambarus <tudor.ambarus@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
as an IPsec Encapsulating Security Payload (ESP) mechanism
to provide confidentiality and data origin authentication.
Signed-off-by: NTudor Ambarus <tudor.ambarus@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add support for AES working in Galois Counter Mode.

There is a limitation related to IV size, similar to the one present in
SW implementation (crypto/gcm.c):
The only IV size allowed is 12 bytes. It will be padded by HW to the right
with 0x0000_0001 (up to 16 bytes - AES block size), according to the GCM
specification.
Signed-off-by: NTudor Ambarus <tudor.ambarus@freescale.com>
Signed-off-by: NHoria Geanta <horia.geanta@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

AES currently shares descriptor creation functions with DES and 3DES.
DK bit is set in all cases, however it is valid only for
the AES accelerator.
Signed-off-by: NHoria Geanta <horia.geanta@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Use dma_mapping_error for every dma_map_single / dma_map_page.
Signed-off-by: NHoria Geanta <horia.geanta@freescale.com>
Acked-by: NKim Phillips <kim.phillips@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

dma_mapping_error checks for an incorrect DMA address:
s/ctx->sh_desc_enc_dma/ctx->sh_desc_dec_dma
Signed-off-by: NHoria Geanta <horia.geanta@freescale.com>
Acked-by: NKim Phillips <kim.phillips@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The layer which registers with the crypto API should check for the presence of
the CAAM device it is going to use.  If the platform's device tree doesn't have
the required CAAM node, the layer should return an error and not register the
algorithms with crypto API layer.
Signed-off-by: NRuchika Gupta <ruchika.gupta@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

At few places in caamhash and caamalg, after allocating a dmable
buffer for sg table , the buffer was being modified.  As per
definition of DMA_FROM_DEVICE ,afer allocation the memory should
be treated as read-only by the driver. This patch shifts the
allocation of dmable buffer for sg table after it is populated
by the  driver, making it read-only as per the DMA API's requirement.
Signed-off-by: NRuchika Gupta <ruchika.gupta@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Re-initialize keys_fit_inline to avoid using its stale encrypt() shared
descriptor value prior to building descriptors for the decrypt() and
givencrypt() cases.
Signed-off-by: NVakul Garg <vakul@freescale.com>
[reworded commit text, enhanced code readability]
Signed-off-by: NKim Phillips <kim.phillips@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The tentacles of this function were firmly attached to various
places in the CAAM code. Just cut them, or this cthulhu function
will sprout them anew.
Signed-off-by: NMarek Vasut <marex@denx.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Horia Geanta <horia.geanta@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

(struct caam_ctx) ctx->key_dma needs to be unmapped
when context is cleaned up.
Signed-off-by: NHoria Geanta <horia.geanta@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>