On Octeon, the SMS4 engine is exposed through selectors that alias the AES register bank. Add the missing selectors and model the shared RESULT, IV, and key state so the hardware interface matches the processor behaviour.
Use the in-tree SM4 tables to implement the block operation without adding a host crypto dependency. Signed-off-by: James Hilliard <[email protected]> --- Changes v1 -> v2: - Add selector dispatch updates in octeon_translate.c after moving COP2 decode out of translate.c. (suggested by Philippe Mathieu-Daudé) --- target/mips/cpu.h | 18 ++++++ target/mips/tcg/octeon_crypto.c | 109 +++++++++++++++++++++++++++++++++++++ target/mips/tcg/octeon_translate.c | 4 ++ 3 files changed, 131 insertions(+) diff --git a/target/mips/cpu.h b/target/mips/cpu.h index afe5126564..6994925d50 100644 --- a/target/mips/cpu.h +++ b/target/mips/cpu.h @@ -593,6 +593,20 @@ typedef enum MIPSOcteonCop2Sel { OCTEON_COP2_SEL_AES_DEC0 = 0x010e, OCTEON_COP2_SEL_AES_KEYLENGTH = 0x0110, OCTEON_COP2_SEL_AES_DAT0 = 0x0111, + /* + * SMS4 reuses the AES result/input, IV, and key banks and only adds + * operation selectors for ECB/CBC encrypt/decrypt. + */ + OCTEON_COP2_SEL_SMS4_RESINP0 = OCTEON_COP2_SEL_AES_RESULT0, + OCTEON_COP2_SEL_SMS4_RESINP1 = OCTEON_COP2_SEL_AES_RESULT1, + OCTEON_COP2_SEL_SMS4_IV0 = OCTEON_COP2_SEL_AES_IV0, + OCTEON_COP2_SEL_SMS4_IV1 = OCTEON_COP2_SEL_AES_IV1, + OCTEON_COP2_SEL_SMS4_KEY0 = OCTEON_COP2_SEL_AES_KEY0, + OCTEON_COP2_SEL_SMS4_KEY1 = OCTEON_COP2_SEL_AES_KEY1, + OCTEON_COP2_SEL_SMS4_ENC_CBC0 = OCTEON_COP2_SEL_AES_ENC_CBC0, + OCTEON_COP2_SEL_SMS4_ENC0 = OCTEON_COP2_SEL_AES_ENC0, + OCTEON_COP2_SEL_SMS4_DEC_CBC0 = OCTEON_COP2_SEL_AES_DEC_CBC0, + OCTEON_COP2_SEL_SMS4_DEC0 = OCTEON_COP2_SEL_AES_DEC0, OCTEON_COP2_SEL_CRC_POLYNOMIAL = 0x0200, OCTEON_COP2_SEL_CRC_IV = 0x0201, OCTEON_COP2_SEL_CRC_LEN = 0x0202, @@ -661,6 +675,10 @@ typedef enum MIPSOcteonCop2Sel { OCTEON_COP2_SEL_AES_ENC1 = 0x310b, OCTEON_COP2_SEL_AES_DEC_CBC1 = 0x310d, OCTEON_COP2_SEL_AES_DEC1 = 0x310f, + OCTEON_COP2_SEL_SMS4_ENC_CBC1 = 0x3119, + OCTEON_COP2_SEL_SMS4_ENC1 = 0x311b, + OCTEON_COP2_SEL_SMS4_DEC_CBC1 = 0x311d, + OCTEON_COP2_SEL_SMS4_DEC1 = 0x311f, OCTEON_COP2_SEL_HSH_STARTMD5 = 0x4047, OCTEON_COP2_SEL_SNOW3G_START = 0x404d, OCTEON_COP2_SEL_SNOW3G_MORE = 0x404e, diff --git a/target/mips/tcg/octeon_crypto.c b/target/mips/tcg/octeon_crypto.c index 43012ff027..177d112483 100644 --- a/target/mips/tcg/octeon_crypto.c +++ b/target/mips/tcg/octeon_crypto.c @@ -12,6 +12,7 @@ #include "exec/helper-proto.h" #include "crypto/aes.h" #include "crypto/clmul.h" +#include "crypto/sm4.h" #include "qemu/bitops.h" #include "qemu/host-utils.h" @@ -745,6 +746,57 @@ static int octeon_aes_key_bits(const MIPSOcteonCryptoState *crypto) } } +static inline uint32_t octeon_sms4_t(uint32_t x) +{ + x = sm4_subword(x); + return x ^ rol32(x, 2) ^ rol32(x, 10) ^ + rol32(x, 18) ^ rol32(x, 24); +} + +static inline uint32_t octeon_sms4_t_key(uint32_t x) +{ + x = sm4_subword(x); + return x ^ rol32(x, 13) ^ rol32(x, 23); +} + +static void octeon_sms4_expand_key(const uint8_t *key, uint32_t round_keys[32]) +{ + static const uint32_t fk[4] = { + 0xa3b1bac6U, 0x56aa3350U, 0x677d9197U, 0xb27022dcU, + }; + uint32_t k[36]; + + for (int i = 0; i < 4; i++) { + k[i] = ldl_be_p(key + i * 4) ^ fk[i]; + } + for (int i = 0; i < 32; i++) { + k[i + 4] = k[i] ^ octeon_sms4_t_key(k[i + 1] ^ k[i + 2] ^ + k[i + 3] ^ sm4_ck[i]); + round_keys[i] = k[i + 4]; + } +} + +static void octeon_sms4_crypt_block(const uint8_t *in, uint8_t *out, + const uint32_t round_keys[32], + bool encrypt) +{ + uint32_t x[36]; + + for (int i = 0; i < 4; i++) { + x[i] = ldl_be_p(in + i * 4); + } + for (int i = 0; i < 32; i++) { + uint32_t rk = round_keys[encrypt ? i : 31 - i]; + + x[i + 4] = x[i] ^ octeon_sms4_t(x[i + 1] ^ x[i + 2] ^ + x[i + 3] ^ rk); + } + stl_be_p(out, x[35]); + stl_be_p(out + 4, x[34]); + stl_be_p(out + 8, x[33]); + stl_be_p(out + 12, x[32]); +} + static const uint8_t octeon_des_ip[64] = { 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, @@ -1198,6 +1250,47 @@ static void octeon_aes_store_block(uint64_t regs[2], const uint8_t *block) regs[1] = ldq_be_p(block + 8); } +static void octeon_sms4_crypt_common(MIPSOcteonCryptoState *crypto, + bool encrypt, bool cbc) +{ + uint8_t key[16]; + uint8_t in[16]; + uint8_t out[16]; + uint8_t iv[16]; + uint8_t next_iv[16]; + uint32_t round_keys[32]; + + /* + * SMS4 aliases the AES state onto the RESULT/RESINP, IV, and KEY banks, + * with only the operation selectors remaining distinct. + */ + octeon_aes_load_key(crypto, key, sizeof(key)); + octeon_aes_load_block(crypto->aes_input, in); + if (cbc) { + octeon_aes_load_block(crypto->aes_iv, iv); + if (encrypt) { + for (int i = 0; i < sizeof(in); i++) { + in[i] ^= iv[i]; + } + } else { + memcpy(next_iv, in, sizeof(next_iv)); + } + } + + octeon_sms4_expand_key(key, round_keys); + octeon_sms4_crypt_block(in, out, round_keys, encrypt); + if (cbc && !encrypt) { + for (int i = 0; i < sizeof(out); i++) { + out[i] ^= iv[i]; + } + } + + octeon_aes_store_block(crypto->aes_result, out); + if (cbc) { + octeon_aes_store_block(crypto->aes_iv, encrypt ? out : next_iv); + } +} + static void octeon_aes_encrypt_common(MIPSOcteonCryptoState *crypto, bool cbc) { AES_KEY key; @@ -1614,6 +1707,22 @@ void helper_octeon_cop2_dmtc2(CPUMIPSState *env, uint64_t value, crypto->aes_input[1] = q; octeon_aes_decrypt_common(crypto, false); break; + case OCTEON_COP2_SEL_SMS4_ENC_CBC1: + crypto->aes_input[1] = q; + octeon_sms4_crypt_common(crypto, true, true); + break; + case OCTEON_COP2_SEL_SMS4_ENC1: + crypto->aes_input[1] = q; + octeon_sms4_crypt_common(crypto, true, false); + break; + case OCTEON_COP2_SEL_SMS4_DEC_CBC1: + crypto->aes_input[1] = q; + octeon_sms4_crypt_common(crypto, false, true); + break; + case OCTEON_COP2_SEL_SMS4_DEC1: + crypto->aes_input[1] = q; + octeon_sms4_crypt_common(crypto, false, false); + break; case OCTEON_COP2_SEL_GFM_XORMUL1: { uint64_t in[2] = { crypto->gfm_result[0] ^ crypto->gfm_xor0, diff --git a/target/mips/tcg/octeon_translate.c b/target/mips/tcg/octeon_translate.c index 800468038c..81042cfb5f 100644 --- a/target/mips/tcg/octeon_translate.c +++ b/target/mips/tcg/octeon_translate.c @@ -180,6 +180,10 @@ static bool octeon_cop2_is_supported_dmtc2(uint16_t sel) case OCTEON_COP2_SEL_AES_ENC1: case OCTEON_COP2_SEL_AES_DEC_CBC1: case OCTEON_COP2_SEL_AES_DEC1: + case OCTEON_COP2_SEL_SMS4_ENC_CBC1: + case OCTEON_COP2_SEL_SMS4_ENC1: + case OCTEON_COP2_SEL_SMS4_DEC_CBC1: + case OCTEON_COP2_SEL_SMS4_DEC1: return true; default: return false; -- 2.54.0
