OpenE2K/qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity

crypto: Introduce RSA algorithm

Browse Source 
There are two parts in this patch:
1, support akcipher service by cryptodev-builtin driver
2, virtio-crypto driver supports akcipher service

In principle, we should separate this into two patches, to avoid
compiling error, merge them into one.

Then virtio-crypto gets request from guest side, and forwards the
request to builtin driver to handle it.

Test with a guest linux:
1, The self-test framework of crypto layer works fine in guest kernel
2, Test with Linux guest(with asym support), the following script
test(note that pkey_XXX is supported only in a newer version of keyutils):
  - both public key & private key
  - create/close session
  - encrypt/decrypt/sign/verify basic driver operation
  - also test with kernel crypto layer(pkey add/query)

All the cases work fine.

Run script in guest:
rm -rf *.der *.pem *.pfx
modprobe pkcs8_key_parser # if CONFIG_PKCS8_PRIVATE_KEY_PARSER=m
rm -rf /tmp/data
dd if=/dev/random of=/tmp/data count=1 bs=20

openssl req -nodes -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -subj "/C=CN/ST=BJ/L=HD/O=qemu/OU=dev/CN=qemu/emailAddress=qemu@qemu.org"
openssl pkcs8 -in key.pem -topk8 -nocrypt -outform DER -out key.der
openssl x509 -in cert.pem -inform PEM -outform DER -out cert.der

PRIV_KEY_ID=`cat key.der | keyctl padd asymmetric test_priv_key @s`
echo "priv key id = "$PRIV_KEY_ID
PUB_KEY_ID=`cat cert.der | keyctl padd asymmetric test_pub_key @s`
echo "pub key id = "$PUB_KEY_ID

keyctl pkey_query $PRIV_KEY_ID 0
keyctl pkey_query $PUB_KEY_ID 0

echo "Enc with priv key..."
keyctl pkey_encrypt $PRIV_KEY_ID 0 /tmp/data enc=pkcs1 >/tmp/enc.priv
echo "Dec with pub key..."
keyctl pkey_decrypt $PRIV_KEY_ID 0 /tmp/enc.priv enc=pkcs1 >/tmp/dec
cmp /tmp/data /tmp/dec

echo "Sign with priv key..."
keyctl pkey_sign $PRIV_KEY_ID 0 /tmp/data enc=pkcs1 hash=sha1 > /tmp/sig
echo "Verify with pub key..."
keyctl pkey_verify $PRIV_KEY_ID 0 /tmp/data /tmp/sig enc=pkcs1 hash=sha1

echo "Enc with pub key..."
keyctl pkey_encrypt $PUB_KEY_ID 0 /tmp/data enc=pkcs1 >/tmp/enc.pub
echo "Dec with priv key..."
keyctl pkey_decrypt $PRIV_KEY_ID 0 /tmp/enc.pub enc=pkcs1 >/tmp/dec
cmp /tmp/data /tmp/dec

echo "Verify with pub key..."
keyctl pkey_verify $PUB_KEY_ID 0 /tmp/data /tmp/sig enc=pkcs1 hash=sha1

Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: lei he <helei.sig11@bytedance.com
Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
Message-Id: <20220611064243.24535-2-pizhenwei@bytedance.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
This commit is contained in:
zhenwei pi 2022-06-11 14:42:43 +08:00 committed by Michael S. Tsirkin
parent 23b5f0ff6d
commit 0e660a6f90
6 changed files with 607 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

276
backends/cryptodev-builtin.c
View File

@ -26,6 +26,7 @@
#include "qapi/error.h" #include "qapi/error.h"
#include "standard-headers/linux/virtio_crypto.h" #include "standard-headers/linux/virtio_crypto.h"
#include "crypto/cipher.h" #include "crypto/cipher.h"
#include "crypto/akcipher.h"
#include "qom/object.h" #include "qom/object.h"
@ -42,10 +43,11 @@ typedef struct CryptoDevBackendBuiltinSession {
QCryptoCipher *cipher; QCryptoCipher *cipher;
uint8_t direction; /* encryption or decryption */ uint8_t direction; /* encryption or decryption */
uint8_t type; /* cipher? hash? aead? */ uint8_t type; /* cipher? hash? aead? */
QCryptoAkCipher *akcipher;
QTAILQ_ENTRY(CryptoDevBackendBuiltinSession) next; QTAILQ_ENTRY(CryptoDevBackendBuiltinSession) next;
} CryptoDevBackendBuiltinSession; } CryptoDevBackendBuiltinSession;
/* Max number of symmetric sessions */ /* Max number of symmetric/asymmetric sessions */
#define MAX_NUM_SESSIONS 256 #define MAX_NUM_SESSIONS 256
#define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512 #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512
@ -80,15 +82,17 @@ static void cryptodev_builtin_init(
backend->conf.crypto_services = backend->conf.crypto_services =
1u << VIRTIO_CRYPTO_SERVICE_CIPHER | 1u << VIRTIO_CRYPTO_SERVICE_CIPHER |
1u << VIRTIO_CRYPTO_SERVICE_HASH | 1u << VIRTIO_CRYPTO_SERVICE_HASH |
1u << VIRTIO_CRYPTO_SERVICE_MAC; 1u << VIRTIO_CRYPTO_SERVICE_MAC |
1u << VIRTIO_CRYPTO_SERVICE_AKCIPHER;
backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC; backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1; backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
backend->conf.akcipher_algo = 1u << VIRTIO_CRYPTO_AKCIPHER_RSA;
/* /*
* Set the Maximum length of crypto request. * Set the Maximum length of crypto request.
* Why this value? Just avoid to overflow when * Why this value? Just avoid to overflow when
* memory allocation for each crypto request. * memory allocation for each crypto request.
*/ */
backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendSymOpInfo); backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN; backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN; backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
@ -148,6 +152,55 @@ err:
return -1; return -1;
} }
static int cryptodev_builtin_get_rsa_hash_algo(
int virtio_rsa_hash, Error **errp)
{
switch (virtio_rsa_hash) {
case VIRTIO_CRYPTO_RSA_MD5:
return QCRYPTO_HASH_ALG_MD5;
case VIRTIO_CRYPTO_RSA_SHA1:
return QCRYPTO_HASH_ALG_SHA1;
case VIRTIO_CRYPTO_RSA_SHA256:
return QCRYPTO_HASH_ALG_SHA256;
case VIRTIO_CRYPTO_RSA_SHA512:
return QCRYPTO_HASH_ALG_SHA512;
default:
error_setg(errp, "Unsupported rsa hash algo: %d", virtio_rsa_hash);
return -1;
}
}
static int cryptodev_builtin_set_rsa_options(
int virtio_padding_algo,
int virtio_hash_algo,
QCryptoAkCipherOptionsRSA *opt,
Error **errp)
{
if (virtio_padding_algo == VIRTIO_CRYPTO_RSA_PKCS1_PADDING) {
int hash_alg;
hash_alg = cryptodev_builtin_get_rsa_hash_algo(virtio_hash_algo, errp);
if (hash_alg < 0) {
return -1;
}
opt->hash_alg = hash_alg;
opt->padding_alg = QCRYPTO_RSA_PADDING_ALG_PKCS1;
return 0;
}
if (virtio_padding_algo == VIRTIO_CRYPTO_RSA_RAW_PADDING) {
opt->padding_alg = QCRYPTO_RSA_PADDING_ALG_RAW;
return 0;
}
error_setg(errp, "Unsupported rsa padding algo: %d", virtio_padding_algo);
return -1;
}
static int cryptodev_builtin_create_cipher_session( static int cryptodev_builtin_create_cipher_session(
CryptoDevBackendBuiltin *builtin, CryptoDevBackendBuiltin *builtin,
CryptoDevBackendSymSessionInfo *sess_info, CryptoDevBackendSymSessionInfo *sess_info,
@ -240,26 +293,89 @@ static int cryptodev_builtin_create_cipher_session(
return index; return index;
} }
static int64_t cryptodev_builtin_sym_create_session( static int cryptodev_builtin_create_akcipher_session(
CryptoDevBackendBuiltin *builtin,
CryptoDevBackendAsymSessionInfo *sess_info,
Error **errp)
{
CryptoDevBackendBuiltinSession *sess;
QCryptoAkCipher *akcipher;
int index;
QCryptoAkCipherKeyType type;
QCryptoAkCipherOptions opts;
switch (sess_info->algo) {
case VIRTIO_CRYPTO_AKCIPHER_RSA:
opts.alg = QCRYPTO_AKCIPHER_ALG_RSA;
if (cryptodev_builtin_set_rsa_options(sess_info->u.rsa.padding_algo,
sess_info->u.rsa.hash_algo, &opts.u.rsa, errp) != 0) {
return -1;
}
break;
/* TODO support DSA&ECDSA until qemu crypto framework support these */
default:
error_setg(errp, "Unsupported akcipher alg %u", sess_info->algo);
return -1;
}
switch (sess_info->keytype) {
case VIRTIO_CRYPTO_AKCIPHER_KEY_TYPE_PUBLIC:
type = QCRYPTO_AKCIPHER_KEY_TYPE_PUBLIC;
break;
case VIRTIO_CRYPTO_AKCIPHER_KEY_TYPE_PRIVATE:
type = QCRYPTO_AKCIPHER_KEY_TYPE_PRIVATE;
break;
default:
error_setg(errp, "Unsupported akcipher keytype %u", sess_info->keytype);
return -1;
}
index = cryptodev_builtin_get_unused_session_index(builtin);
if (index < 0) {
error_setg(errp, "Total number of sessions created exceeds %u",
MAX_NUM_SESSIONS);
return -1;
}
akcipher = qcrypto_akcipher_new(&opts, type, sess_info->key,
sess_info->keylen, errp);
if (!akcipher) {
return -1;
}
sess = g_new0(CryptoDevBackendBuiltinSession, 1);
sess->akcipher = akcipher;
builtin->sessions[index] = sess;
return index;
}
static int64_t cryptodev_builtin_create_session(
CryptoDevBackend *backend, CryptoDevBackend *backend,
CryptoDevBackendSymSessionInfo *sess_info, CryptoDevBackendSessionInfo *sess_info,
uint32_t queue_index, Error **errp) uint32_t queue_index, Error **errp)
{ {
CryptoDevBackendBuiltin *builtin = CryptoDevBackendBuiltin *builtin =
CRYPTODEV_BACKEND_BUILTIN(backend); CRYPTODEV_BACKEND_BUILTIN(backend);
int64_t session_id = -1; CryptoDevBackendSymSessionInfo *sym_sess_info;
int ret; CryptoDevBackendAsymSessionInfo *asym_sess_info;
switch (sess_info->op_code) { switch (sess_info->op_code) {
case VIRTIO_CRYPTO_CIPHER_CREATE_SESSION: case VIRTIO_CRYPTO_CIPHER_CREATE_SESSION:
ret = cryptodev_builtin_create_cipher_session( sym_sess_info = &sess_info->u.sym_sess_info;
builtin, sess_info, errp); return cryptodev_builtin_create_cipher_session(
if (ret < 0) { builtin, sym_sess_info, errp);
return ret;
} else { case VIRTIO_CRYPTO_AKCIPHER_CREATE_SESSION:
session_id = ret; asym_sess_info = &sess_info->u.asym_sess_info;
} return cryptodev_builtin_create_akcipher_session(
break; builtin, asym_sess_info, errp);
case VIRTIO_CRYPTO_HASH_CREATE_SESSION: case VIRTIO_CRYPTO_HASH_CREATE_SESSION:
case VIRTIO_CRYPTO_MAC_CREATE_SESSION: case VIRTIO_CRYPTO_MAC_CREATE_SESSION:
default: default:
@ -268,50 +384,44 @@ static int64_t cryptodev_builtin_sym_create_session(
return -1; return -1;
} }
return session_id; return -1;
} }
static int cryptodev_builtin_sym_close_session( static int cryptodev_builtin_close_session(
CryptoDevBackend *backend, CryptoDevBackend *backend,
uint64_t session_id, uint64_t session_id,
uint32_t queue_index, Error **errp) uint32_t queue_index, Error **errp)
{ {
CryptoDevBackendBuiltin *builtin = CryptoDevBackendBuiltin *builtin =
CRYPTODEV_BACKEND_BUILTIN(backend); CRYPTODEV_BACKEND_BUILTIN(backend);
CryptoDevBackendBuiltinSession *session;
assert(session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]); assert(session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]);
qcrypto_cipher_free(builtin->sessions[session_id]->cipher); session = builtin->sessions[session_id];
g_free(builtin->sessions[session_id]); if (session->cipher) {
qcrypto_cipher_free(session->cipher);
} else if (session->akcipher) {
qcrypto_akcipher_free(session->akcipher);
}
g_free(session);
builtin->sessions[session_id] = NULL; builtin->sessions[session_id] = NULL;
return 0; return 0;
} }
static int cryptodev_builtin_sym_operation( static int cryptodev_builtin_sym_operation(
CryptoDevBackend *backend, CryptoDevBackendBuiltinSession *sess,
CryptoDevBackendSymOpInfo *op_info, CryptoDevBackendSymOpInfo *op_info, Error **errp)
uint32_t queue_index, Error **errp)
{ {
CryptoDevBackendBuiltin *builtin =
CRYPTODEV_BACKEND_BUILTIN(backend);
CryptoDevBackendBuiltinSession *sess;
int ret; int ret;
if (op_info->session_id >= MAX_NUM_SESSIONS ||
builtin->sessions[op_info->session_id] == NULL) {
error_setg(errp, "Cannot find a valid session id: %" PRIu64 "",
op_info->session_id);
return -VIRTIO_CRYPTO_INVSESS;
}
if (op_info->op_type == VIRTIO_CRYPTO_SYM_OP_ALGORITHM_CHAINING) { if (op_info->op_type == VIRTIO_CRYPTO_SYM_OP_ALGORITHM_CHAINING) {
error_setg(errp, error_setg(errp,
"Algorithm chain is unsupported for cryptdoev-builtin"); "Algorithm chain is unsupported for cryptdoev-builtin");
return -VIRTIO_CRYPTO_NOTSUPP; return -VIRTIO_CRYPTO_NOTSUPP;
} }
sess = builtin->sessions[op_info->session_id];
if (op_info->iv_len > 0) { if (op_info->iv_len > 0) {
ret = qcrypto_cipher_setiv(sess->cipher, op_info->iv, ret = qcrypto_cipher_setiv(sess->cipher, op_info->iv,
op_info->iv_len, errp); op_info->iv_len, errp);
@ -333,9 +443,99 @@ static int cryptodev_builtin_sym_operation(
return -VIRTIO_CRYPTO_ERR; return -VIRTIO_CRYPTO_ERR;
} }
} }
return VIRTIO_CRYPTO_OK; return VIRTIO_CRYPTO_OK;
} }
static int cryptodev_builtin_asym_operation(
CryptoDevBackendBuiltinSession *sess, uint32_t op_code,
CryptoDevBackendAsymOpInfo *op_info, Error **errp)
{
int ret;
switch (op_code) {
case VIRTIO_CRYPTO_AKCIPHER_ENCRYPT:
ret = qcrypto_akcipher_encrypt(sess->akcipher,
op_info->src, op_info->src_len,
op_info->dst, op_info->dst_len, errp);
break;
case VIRTIO_CRYPTO_AKCIPHER_DECRYPT:
ret = qcrypto_akcipher_decrypt(sess->akcipher,
op_info->src, op_info->src_len,
op_info->dst, op_info->dst_len, errp);
break;
case VIRTIO_CRYPTO_AKCIPHER_SIGN:
ret = qcrypto_akcipher_sign(sess->akcipher,
op_info->src, op_info->src_len,
op_info->dst, op_info->dst_len, errp);
break;
case VIRTIO_CRYPTO_AKCIPHER_VERIFY:
ret = qcrypto_akcipher_verify(sess->akcipher,
op_info->src, op_info->src_len,
op_info->dst, op_info->dst_len, errp);
break;
default:
return -VIRTIO_CRYPTO_ERR;
}
if (ret < 0) {
if (op_code == VIRTIO_CRYPTO_AKCIPHER_VERIFY) {
return -VIRTIO_CRYPTO_KEY_REJECTED;
}
return -VIRTIO_CRYPTO_ERR;
}
/* Buffer is too short, typically the driver should handle this case */
if (unlikely(ret > op_info->dst_len)) {
if (errp && !*errp) {
error_setg(errp, "dst buffer too short");
}
return -VIRTIO_CRYPTO_ERR;
}
op_info->dst_len = ret;
return VIRTIO_CRYPTO_OK;
}
static int cryptodev_builtin_operation(
CryptoDevBackend *backend,
CryptoDevBackendOpInfo *op_info,
uint32_t queue_index, Error **errp)
{
CryptoDevBackendBuiltin *builtin =
CRYPTODEV_BACKEND_BUILTIN(backend);
CryptoDevBackendBuiltinSession *sess;
CryptoDevBackendSymOpInfo *sym_op_info;
CryptoDevBackendAsymOpInfo *asym_op_info;
enum CryptoDevBackendAlgType algtype = op_info->algtype;
int ret = -VIRTIO_CRYPTO_ERR;
if (op_info->session_id >= MAX_NUM_SESSIONS ||
builtin->sessions[op_info->session_id] == NULL) {
error_setg(errp, "Cannot find a valid session id: %" PRIu64 "",
op_info->session_id);
return -VIRTIO_CRYPTO_INVSESS;
}
sess = builtin->sessions[op_info->session_id];
if (algtype == CRYPTODEV_BACKEND_ALG_SYM) {
sym_op_info = op_info->u.sym_op_info;
ret = cryptodev_builtin_sym_operation(sess, sym_op_info, errp);
} else if (algtype == CRYPTODEV_BACKEND_ALG_ASYM) {
asym_op_info = op_info->u.asym_op_info;
ret = cryptodev_builtin_asym_operation(sess, op_info->op_code,
asym_op_info, errp);
}
return ret;
}
static void cryptodev_builtin_cleanup( static void cryptodev_builtin_cleanup(
CryptoDevBackend *backend, CryptoDevBackend *backend,
Error **errp) Error **errp)
@ -348,7 +548,7 @@ static void cryptodev_builtin_cleanup(
for (i = 0; i < MAX_NUM_SESSIONS; i++) { for (i = 0; i < MAX_NUM_SESSIONS; i++) {
if (builtin->sessions[i] != NULL) { if (builtin->sessions[i] != NULL) {
cryptodev_builtin_sym_close_session(backend, i, 0, &error_abort); cryptodev_builtin_close_session(backend, i, 0, &error_abort);
} }
} }
@ -370,9 +570,9 @@ cryptodev_builtin_class_init(ObjectClass *oc, void *data)
bc->init = cryptodev_builtin_init; bc->init = cryptodev_builtin_init;
bc->cleanup = cryptodev_builtin_cleanup; bc->cleanup = cryptodev_builtin_cleanup;
bc->create_session = cryptodev_builtin_sym_create_session; bc->create_session = cryptodev_builtin_create_session;
bc->close_session = cryptodev_builtin_sym_close_session; bc->close_session = cryptodev_builtin_close_session;
bc->do_sym_op = cryptodev_builtin_sym_operation; bc->do_op = cryptodev_builtin_operation;
} }
static const TypeInfo cryptodev_builtin_info = { static const TypeInfo cryptodev_builtin_info = {

34
backends/cryptodev-vhost-user.c
View File

@ -259,7 +259,33 @@ static int64_t cryptodev_vhost_user_sym_create_session(
return -1; return -1;
} }
static int cryptodev_vhost_user_sym_close_session( static int64_t cryptodev_vhost_user_create_session(
CryptoDevBackend *backend,
CryptoDevBackendSessionInfo *sess_info,
uint32_t queue_index, Error **errp)
{
uint32_t op_code = sess_info->op_code;
CryptoDevBackendSymSessionInfo *sym_sess_info;
switch (op_code) {
case VIRTIO_CRYPTO_CIPHER_CREATE_SESSION:
case VIRTIO_CRYPTO_HASH_CREATE_SESSION:
case VIRTIO_CRYPTO_MAC_CREATE_SESSION:
case VIRTIO_CRYPTO_AEAD_CREATE_SESSION:
sym_sess_info = &sess_info->u.sym_sess_info;
return cryptodev_vhost_user_sym_create_session(backend, sym_sess_info,
queue_index, errp);
default:
error_setg(errp, "Unsupported opcode :%" PRIu32 "",
sess_info->op_code);
return -1;
}
return -1;
}
static int cryptodev_vhost_user_close_session(
CryptoDevBackend *backend, CryptoDevBackend *backend,
uint64_t session_id, uint64_t session_id,
uint32_t queue_index, Error **errp) uint32_t queue_index, Error **errp)
@ -351,9 +377,9 @@ cryptodev_vhost_user_class_init(ObjectClass *oc, void *data)
bc->init = cryptodev_vhost_user_init; bc->init = cryptodev_vhost_user_init;
bc->cleanup = cryptodev_vhost_user_cleanup; bc->cleanup = cryptodev_vhost_user_cleanup;
bc->create_session = cryptodev_vhost_user_sym_create_session; bc->create_session = cryptodev_vhost_user_create_session;
bc->close_session = cryptodev_vhost_user_sym_close_session; bc->close_session = cryptodev_vhost_user_close_session;
bc->do_sym_op = NULL; bc->do_op = NULL;
object_class_property_add_str(oc, "chardev", object_class_property_add_str(oc, "chardev",
cryptodev_vhost_user_get_chardev, cryptodev_vhost_user_get_chardev,

32
backends/cryptodev.c
View File

@ -72,9 +72,9 @@ void cryptodev_backend_cleanup(
} }
} }
int64_t cryptodev_backend_sym_create_session( int64_t cryptodev_backend_create_session(
CryptoDevBackend *backend, CryptoDevBackend *backend,
CryptoDevBackendSymSessionInfo *sess_info, CryptoDevBackendSessionInfo *sess_info,
uint32_t queue_index, Error **errp) uint32_t queue_index, Error **errp)
{ {
CryptoDevBackendClass *bc = CryptoDevBackendClass *bc =
@ -87,7 +87,7 @@ int64_t cryptodev_backend_sym_create_session(
return -1; return -1;
} }
int cryptodev_backend_sym_close_session( int cryptodev_backend_close_session(
CryptoDevBackend *backend, CryptoDevBackend *backend,
uint64_t session_id, uint64_t session_id,
uint32_t queue_index, Error **errp) uint32_t queue_index, Error **errp)
@ -102,16 +102,16 @@ int cryptodev_backend_sym_close_session(
return -1; return -1;
} }
static int cryptodev_backend_sym_operation( static int cryptodev_backend_operation(
CryptoDevBackend *backend, CryptoDevBackend *backend,
CryptoDevBackendSymOpInfo *op_info, CryptoDevBackendOpInfo *op_info,
uint32_t queue_index, Error **errp) uint32_t queue_index, Error **errp)
{ {
CryptoDevBackendClass *bc = CryptoDevBackendClass *bc =
CRYPTODEV_BACKEND_GET_CLASS(backend); CRYPTODEV_BACKEND_GET_CLASS(backend);
if (bc->do_sym_op) { if (bc->do_op) {
return bc->do_sym_op(backend, op_info, queue_index, errp); return bc->do_op(backend, op_info, queue_index, errp);
} }
return -VIRTIO_CRYPTO_ERR; return -VIRTIO_CRYPTO_ERR;
@ -123,20 +123,18 @@ int cryptodev_backend_crypto_operation(
uint32_t queue_index, Error **errp) uint32_t queue_index, Error **errp)
{ {
VirtIOCryptoReq *req = opaque; VirtIOCryptoReq *req = opaque;
CryptoDevBackendOpInfo *op_info = &req->op_info;
enum CryptoDevBackendAlgType algtype = req->flags;
if (req->flags == CRYPTODEV_BACKEND_ALG_SYM) { if ((algtype != CRYPTODEV_BACKEND_ALG_SYM)
CryptoDevBackendSymOpInfo *op_info; && (algtype != CRYPTODEV_BACKEND_ALG_ASYM)) {
op_info = req->u.sym_op_info;
return cryptodev_backend_sym_operation(backend,
op_info, queue_index, errp);
} else {
error_setg(errp, "Unsupported cryptodev alg type: %" PRIu32 "", error_setg(errp, "Unsupported cryptodev alg type: %" PRIu32 "",
req->flags); algtype);
return -VIRTIO_CRYPTO_NOTSUPP;
return -VIRTIO_CRYPTO_NOTSUPP;
} }
return -VIRTIO_CRYPTO_ERR; return cryptodev_backend_operation(backend, op_info, queue_index, errp);
} }
static void static void

319
hw/virtio/virtio-crypto.c
View File

@ -83,7 +83,8 @@ virtio_crypto_create_sym_session(VirtIOCrypto *vcrypto,
struct iovec *iov, unsigned int out_num) struct iovec *iov, unsigned int out_num)
{ {
VirtIODevice *vdev = VIRTIO_DEVICE(vcrypto); VirtIODevice *vdev = VIRTIO_DEVICE(vcrypto);
CryptoDevBackendSymSessionInfo info; CryptoDevBackendSessionInfo info;
CryptoDevBackendSymSessionInfo *sym_info;
int64_t session_id; int64_t session_id;
int queue_index; int queue_index;
uint32_t op_type; uint32_t op_type;
@ -92,11 +93,13 @@ virtio_crypto_create_sym_session(VirtIOCrypto *vcrypto,
memset(&info, 0, sizeof(info)); memset(&info, 0, sizeof(info));
op_type = ldl_le_p(&sess_req->op_type); op_type = ldl_le_p(&sess_req->op_type);
info.op_type = op_type;
info.op_code = opcode; info.op_code = opcode;
sym_info = &info.u.sym_sess_info;
sym_info->op_type = op_type;
if (op_type == VIRTIO_CRYPTO_SYM_OP_CIPHER) { if (op_type == VIRTIO_CRYPTO_SYM_OP_CIPHER) {
ret = virtio_crypto_cipher_session_helper(vdev, &info, ret = virtio_crypto_cipher_session_helper(vdev, sym_info,
&sess_req->u.cipher.para, &sess_req->u.cipher.para,
&iov, &out_num); &iov, &out_num);
if (ret < 0) { if (ret < 0) {
@ -105,47 +108,47 @@ virtio_crypto_create_sym_session(VirtIOCrypto *vcrypto,
} else if (op_type == VIRTIO_CRYPTO_SYM_OP_ALGORITHM_CHAINING) { } else if (op_type == VIRTIO_CRYPTO_SYM_OP_ALGORITHM_CHAINING) {
size_t s; size_t s;
/* cipher part */ /* cipher part */
ret = virtio_crypto_cipher_session_helper(vdev, &info, ret = virtio_crypto_cipher_session_helper(vdev, sym_info,
&sess_req->u.chain.para.cipher_param, &sess_req->u.chain.para.cipher_param,
&iov, &out_num); &iov, &out_num);
if (ret < 0) { if (ret < 0) {
goto err; goto err;
} }
/* hash part */ /* hash part */
info.alg_chain_order = ldl_le_p( sym_info->alg_chain_order = ldl_le_p(
&sess_req->u.chain.para.alg_chain_order); &sess_req->u.chain.para.alg_chain_order);
info.add_len = ldl_le_p(&sess_req->u.chain.para.aad_len); sym_info->add_len = ldl_le_p(&sess_req->u.chain.para.aad_len);
info.hash_mode = ldl_le_p(&sess_req->u.chain.para.hash_mode); sym_info->hash_mode = ldl_le_p(&sess_req->u.chain.para.hash_mode);
if (info.hash_mode == VIRTIO_CRYPTO_SYM_HASH_MODE_AUTH) { if (sym_info->hash_mode == VIRTIO_CRYPTO_SYM_HASH_MODE_AUTH) {
info.hash_alg = ldl_le_p(&sess_req->u.chain.para.u.mac_param.algo); sym_info->hash_alg =
info.auth_key_len = ldl_le_p( ldl_le_p(&sess_req->u.chain.para.u.mac_param.algo);
sym_info->auth_key_len = ldl_le_p(
&sess_req->u.chain.para.u.mac_param.auth_key_len); &sess_req->u.chain.para.u.mac_param.auth_key_len);
info.hash_result_len = ldl_le_p( sym_info->hash_result_len = ldl_le_p(
&sess_req->u.chain.para.u.mac_param.hash_result_len); &sess_req->u.chain.para.u.mac_param.hash_result_len);
if (info.auth_key_len > vcrypto->conf.max_auth_key_len) { if (sym_info->auth_key_len > vcrypto->conf.max_auth_key_len) {
error_report("virtio-crypto length of auth key is too big: %u", error_report("virtio-crypto length of auth key is too big: %u",
info.auth_key_len); sym_info->auth_key_len);
ret = -VIRTIO_CRYPTO_ERR; ret = -VIRTIO_CRYPTO_ERR;
goto err; goto err;
} }
/* get auth key */ /* get auth key */
if (info.auth_key_len > 0) { if (sym_info->auth_key_len > 0) {
DPRINTF("auth_keylen=%" PRIu32 "\n", info.auth_key_len); sym_info->auth_key = g_malloc(sym_info->auth_key_len);
info.auth_key = g_malloc(info.auth_key_len); s = iov_to_buf(iov, out_num, 0, sym_info->auth_key,
s = iov_to_buf(iov, out_num, 0, info.auth_key, sym_info->auth_key_len);
info.auth_key_len); if (unlikely(s != sym_info->auth_key_len)) {
if (unlikely(s != info.auth_key_len)) {
virtio_error(vdev, virtio_error(vdev,
"virtio-crypto authenticated key incorrect"); "virtio-crypto authenticated key incorrect");
ret = -EFAULT; ret = -EFAULT;
goto err; goto err;
} }
iov_discard_front(&iov, &out_num, info.auth_key_len); iov_discard_front(&iov, &out_num, sym_info->auth_key_len);
} }
} else if (info.hash_mode == VIRTIO_CRYPTO_SYM_HASH_MODE_PLAIN) { } else if (sym_info->hash_mode == VIRTIO_CRYPTO_SYM_HASH_MODE_PLAIN) {
info.hash_alg = ldl_le_p( sym_info->hash_alg = ldl_le_p(
&sess_req->u.chain.para.u.hash_param.algo); &sess_req->u.chain.para.u.hash_param.algo);
info.hash_result_len = ldl_le_p( sym_info->hash_result_len = ldl_le_p(
&sess_req->u.chain.para.u.hash_param.hash_result_len); &sess_req->u.chain.para.u.hash_param.hash_result_len);
} else { } else {
/* VIRTIO_CRYPTO_SYM_HASH_MODE_NESTED */ /* VIRTIO_CRYPTO_SYM_HASH_MODE_NESTED */
@ -161,13 +164,10 @@ virtio_crypto_create_sym_session(VirtIOCrypto *vcrypto,
} }
queue_index = virtio_crypto_vq2q(queue_id); queue_index = virtio_crypto_vq2q(queue_id);
session_id = cryptodev_backend_sym_create_session( session_id = cryptodev_backend_create_session(
vcrypto->cryptodev, vcrypto->cryptodev,
&info, queue_index, &local_err); &info, queue_index, &local_err);
if (session_id >= 0) { if (session_id >= 0) {
DPRINTF("create session_id=%" PRIu64 " successfully\n",
session_id);
ret = session_id; ret = session_id;
} else { } else {
if (local_err) { if (local_err) {
@ -177,11 +177,78 @@ virtio_crypto_create_sym_session(VirtIOCrypto *vcrypto,
} }
err: err:
g_free(info.cipher_key); g_free(sym_info->cipher_key);
g_free(info.auth_key); g_free(sym_info->auth_key);
return ret; return ret;
} }
static int64_t
virtio_crypto_create_asym_session(VirtIOCrypto *vcrypto,
struct virtio_crypto_akcipher_create_session_req *sess_req,
uint32_t queue_id, uint32_t opcode,
struct iovec *iov, unsigned int out_num)
{
VirtIODevice *vdev = VIRTIO_DEVICE(vcrypto);
CryptoDevBackendSessionInfo info = {0};
CryptoDevBackendAsymSessionInfo *asym_info;
int64_t session_id;
int queue_index;
uint32_t algo, keytype, keylen;
g_autofree uint8_t *key = NULL;
Error *local_err = NULL;
algo = ldl_le_p(&sess_req->para.algo);
keytype = ldl_le_p(&sess_req->para.keytype);
keylen = ldl_le_p(&sess_req->para.keylen);
if ((keytype != VIRTIO_CRYPTO_AKCIPHER_KEY_TYPE_PUBLIC)
&& (keytype != VIRTIO_CRYPTO_AKCIPHER_KEY_TYPE_PRIVATE)) {
error_report("unsupported asym keytype: %d", keytype);
return -VIRTIO_CRYPTO_NOTSUPP;
}
if (keylen) {
key = g_malloc(keylen);
if (iov_to_buf(iov, out_num, 0, key, keylen) != keylen) {
virtio_error(vdev, "virtio-crypto asym key incorrect");
return -EFAULT;
}
iov_discard_front(&iov, &out_num, keylen);
}
info.op_code = opcode;
asym_info = &info.u.asym_sess_info;
asym_info->algo = algo;
asym_info->keytype = keytype;
asym_info->keylen = keylen;
asym_info->key = key;
switch (asym_info->algo) {
case VIRTIO_CRYPTO_AKCIPHER_RSA:
asym_info->u.rsa.padding_algo =
ldl_le_p(&sess_req->para.u.rsa.padding_algo);
asym_info->u.rsa.hash_algo =
ldl_le_p(&sess_req->para.u.rsa.hash_algo);
break;
/* TODO DSA&ECDSA handling */
default:
return -VIRTIO_CRYPTO_ERR;
}
queue_index = virtio_crypto_vq2q(queue_id);
session_id = cryptodev_backend_create_session(vcrypto->cryptodev, &info,
queue_index, &local_err);
if (session_id < 0) {
if (local_err) {
error_report_err(local_err);
}
return -VIRTIO_CRYPTO_ERR;
}
return session_id;
}
static uint8_t static uint8_t
virtio_crypto_handle_close_session(VirtIOCrypto *vcrypto, virtio_crypto_handle_close_session(VirtIOCrypto *vcrypto,
struct virtio_crypto_destroy_session_req *close_sess_req, struct virtio_crypto_destroy_session_req *close_sess_req,
@ -195,7 +262,7 @@ virtio_crypto_handle_close_session(VirtIOCrypto *vcrypto,
session_id = ldq_le_p(&close_sess_req->session_id); session_id = ldq_le_p(&close_sess_req->session_id);
DPRINTF("close session, id=%" PRIu64 "\n", session_id); DPRINTF("close session, id=%" PRIu64 "\n", session_id);
ret = cryptodev_backend_sym_close_session( ret = cryptodev_backend_close_session(
vcrypto->cryptodev, session_id, queue_id, &local_err); vcrypto->cryptodev, session_id, queue_id, &local_err);
if (ret == 0) { if (ret == 0) {
status = VIRTIO_CRYPTO_OK; status = VIRTIO_CRYPTO_OK;
@ -260,13 +327,22 @@ static void virtio_crypto_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
opcode = ldl_le_p(&ctrl.header.opcode); opcode = ldl_le_p(&ctrl.header.opcode);
queue_id = ldl_le_p(&ctrl.header.queue_id); queue_id = ldl_le_p(&ctrl.header.queue_id);
memset(&input, 0, sizeof(input));
switch (opcode) { switch (opcode) {
case VIRTIO_CRYPTO_CIPHER_CREATE_SESSION: case VIRTIO_CRYPTO_CIPHER_CREATE_SESSION:
memset(&input, 0, sizeof(input));
session_id = virtio_crypto_create_sym_session(vcrypto, session_id = virtio_crypto_create_sym_session(vcrypto,
&ctrl.u.sym_create_session, &ctrl.u.sym_create_session,
queue_id, opcode, queue_id, opcode,
out_iov, out_num); out_iov, out_num);
goto check_session;
case VIRTIO_CRYPTO_AKCIPHER_CREATE_SESSION:
session_id = virtio_crypto_create_asym_session(vcrypto,
&ctrl.u.akcipher_create_session,
queue_id, opcode,
out_iov, out_num);
check_session:
/* Serious errors, need to reset virtio crypto device */ /* Serious errors, need to reset virtio crypto device */
if (session_id == -EFAULT) { if (session_id == -EFAULT) {
virtqueue_detach_element(vq, elem, 0); virtqueue_detach_element(vq, elem, 0);
@ -290,10 +366,12 @@ static void virtio_crypto_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
virtqueue_push(vq, elem, sizeof(input)); virtqueue_push(vq, elem, sizeof(input));
virtio_notify(vdev, vq); virtio_notify(vdev, vq);
break; break;
case VIRTIO_CRYPTO_CIPHER_DESTROY_SESSION: case VIRTIO_CRYPTO_CIPHER_DESTROY_SESSION:
case VIRTIO_CRYPTO_HASH_DESTROY_SESSION: case VIRTIO_CRYPTO_HASH_DESTROY_SESSION:
case VIRTIO_CRYPTO_MAC_DESTROY_SESSION: case VIRTIO_CRYPTO_MAC_DESTROY_SESSION:
case VIRTIO_CRYPTO_AEAD_DESTROY_SESSION: case VIRTIO_CRYPTO_AEAD_DESTROY_SESSION:
case VIRTIO_CRYPTO_AKCIPHER_DESTROY_SESSION:
status = virtio_crypto_handle_close_session(vcrypto, status = virtio_crypto_handle_close_session(vcrypto,
&ctrl.u.destroy_session, queue_id); &ctrl.u.destroy_session, queue_id);
/* The status only occupy one byte, we can directly use it */ /* The status only occupy one byte, we can directly use it */
@ -311,7 +389,6 @@ static void virtio_crypto_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
case VIRTIO_CRYPTO_AEAD_CREATE_SESSION: case VIRTIO_CRYPTO_AEAD_CREATE_SESSION:
default: default:
error_report("virtio-crypto unsupported ctrl opcode: %d", opcode); error_report("virtio-crypto unsupported ctrl opcode: %d", opcode);
memset(&input, 0, sizeof(input));
stl_le_p(&input.status, VIRTIO_CRYPTO_NOTSUPP); stl_le_p(&input.status, VIRTIO_CRYPTO_NOTSUPP);
s = iov_from_buf(in_iov, in_num, 0, &input, sizeof(input)); s = iov_from_buf(in_iov, in_num, 0, &input, sizeof(input));
if (unlikely(s != sizeof(input))) { if (unlikely(s != sizeof(input))) {
@ -339,28 +416,39 @@ static void virtio_crypto_init_request(VirtIOCrypto *vcrypto, VirtQueue *vq,
req->in_num = 0; req->in_num = 0;
req->in_len = 0; req->in_len = 0;
req->flags = CRYPTODEV_BACKEND_ALG__MAX; req->flags = CRYPTODEV_BACKEND_ALG__MAX;
req->u.sym_op_info = NULL; memset(&req->op_info, 0x00, sizeof(req->op_info));
} }
static void virtio_crypto_free_request(VirtIOCryptoReq *req) static void virtio_crypto_free_request(VirtIOCryptoReq *req)
{ {
if (req) { if (!req) {
if (req->flags == CRYPTODEV_BACKEND_ALG_SYM) { return;
size_t max_len; }
CryptoDevBackendSymOpInfo *op_info = req->u.sym_op_info;
max_len = op_info->iv_len + if (req->flags == CRYPTODEV_BACKEND_ALG_SYM) {
op_info->aad_len + size_t max_len;
op_info->src_len + CryptoDevBackendSymOpInfo *op_info = req->op_info.u.sym_op_info;
op_info->dst_len +
op_info->digest_result_len;
/* Zeroize and free request data structure */ max_len = op_info->iv_len +
memset(op_info, 0, sizeof(*op_info) + max_len); op_info->aad_len +
op_info->src_len +
op_info->dst_len +
op_info->digest_result_len;
/* Zeroize and free request data structure */
memset(op_info, 0, sizeof(*op_info) + max_len);
g_free(op_info);
} else if (req->flags == CRYPTODEV_BACKEND_ALG_ASYM) {
CryptoDevBackendAsymOpInfo *op_info = req->op_info.u.asym_op_info;
if (op_info) {
g_free(op_info->src);
g_free(op_info->dst);
memset(op_info, 0, sizeof(*op_info));
g_free(op_info); g_free(op_info);
} }
g_free(req);
} }
g_free(req);
} }
static void static void
@ -397,6 +485,35 @@ virtio_crypto_sym_input_data_helper(VirtIODevice *vdev,
} }
} }
static void
virtio_crypto_akcipher_input_data_helper(VirtIODevice *vdev,
VirtIOCryptoReq *req, int32_t status,
CryptoDevBackendAsymOpInfo *asym_op_info)
{
size_t s, len;
if (status != VIRTIO_CRYPTO_OK) {
return;
}
len = asym_op_info->dst_len;
if (!len) {
return;
}
s = iov_from_buf(req->in_iov, req->in_num, 0, asym_op_info->dst, len);
if (s != len) {
virtio_error(vdev, "virtio-crypto asym dest data incorrect");
return;
}
iov_discard_front(&req->in_iov, &req->in_num, len);
/* For akcipher, dst_len may be changed after operation */
req->in_len = sizeof(struct virtio_crypto_inhdr) + asym_op_info->dst_len;
}
static void virtio_crypto_req_complete(VirtIOCryptoReq *req, uint8_t status) static void virtio_crypto_req_complete(VirtIOCryptoReq *req, uint8_t status)
{ {
VirtIOCrypto *vcrypto = req->vcrypto; VirtIOCrypto *vcrypto = req->vcrypto;
@ -404,7 +521,10 @@ static void virtio_crypto_req_complete(VirtIOCryptoReq *req, uint8_t status)
if (req->flags == CRYPTODEV_BACKEND_ALG_SYM) { if (req->flags == CRYPTODEV_BACKEND_ALG_SYM) {
virtio_crypto_sym_input_data_helper(vdev, req, status, virtio_crypto_sym_input_data_helper(vdev, req, status,
req->u.sym_op_info); req->op_info.u.sym_op_info);
} else if (req->flags == CRYPTODEV_BACKEND_ALG_ASYM) {
virtio_crypto_akcipher_input_data_helper(vdev, req, status,
req->op_info.u.asym_op_info);
} }
stb_p(&req->in->status, status); stb_p(&req->in->status, status);
virtqueue_push(req->vq, &req->elem, req->in_len); virtqueue_push(req->vq, &req->elem, req->in_len);
@ -543,41 +663,100 @@ err:
static int static int
virtio_crypto_handle_sym_req(VirtIOCrypto *vcrypto, virtio_crypto_handle_sym_req(VirtIOCrypto *vcrypto,
struct virtio_crypto_sym_data_req *req, struct virtio_crypto_sym_data_req *req,
CryptoDevBackendSymOpInfo **sym_op_info, CryptoDevBackendOpInfo *op_info,
struct iovec *iov, unsigned int out_num) struct iovec *iov, unsigned int out_num)
{ {
VirtIODevice *vdev = VIRTIO_DEVICE(vcrypto); VirtIODevice *vdev = VIRTIO_DEVICE(vcrypto);
CryptoDevBackendSymOpInfo *sym_op_info;
uint32_t op_type; uint32_t op_type;
CryptoDevBackendSymOpInfo *op_info;
op_type = ldl_le_p(&req->op_type); op_type = ldl_le_p(&req->op_type);
if (op_type == VIRTIO_CRYPTO_SYM_OP_CIPHER) { if (op_type == VIRTIO_CRYPTO_SYM_OP_CIPHER) {
op_info = virtio_crypto_sym_op_helper(vdev, &req->u.cipher.para, sym_op_info = virtio_crypto_sym_op_helper(vdev, &req->u.cipher.para,
NULL, iov, out_num); NULL, iov, out_num);
if (!op_info) { if (!sym_op_info) {
return -EFAULT; return -EFAULT;
} }
op_info->op_type = op_type;
} else if (op_type == VIRTIO_CRYPTO_SYM_OP_ALGORITHM_CHAINING) { } else if (op_type == VIRTIO_CRYPTO_SYM_OP_ALGORITHM_CHAINING) {
op_info = virtio_crypto_sym_op_helper(vdev, NULL, sym_op_info = virtio_crypto_sym_op_helper(vdev, NULL,
&req->u.chain.para, &req->u.chain.para,
iov, out_num); iov, out_num);
if (!op_info) { if (!sym_op_info) {
return -EFAULT; return -EFAULT;
} }
op_info->op_type = op_type;
} else { } else {
/* VIRTIO_CRYPTO_SYM_OP_NONE */ /* VIRTIO_CRYPTO_SYM_OP_NONE */
error_report("virtio-crypto unsupported cipher type"); error_report("virtio-crypto unsupported cipher type");
return -VIRTIO_CRYPTO_NOTSUPP; return -VIRTIO_CRYPTO_NOTSUPP;
} }
*sym_op_info = op_info; sym_op_info->op_type = op_type;
op_info->u.sym_op_info = sym_op_info;
return 0; return 0;
} }
static int
virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
struct virtio_crypto_akcipher_data_req *req,
CryptoDevBackendOpInfo *op_info,
struct iovec *iov, unsigned int out_num)
{
VirtIODevice *vdev = VIRTIO_DEVICE(vcrypto);
CryptoDevBackendAsymOpInfo *asym_op_info;
uint32_t src_len;
uint32_t dst_len;
uint32_t len;
uint8_t *src = NULL;
uint8_t *dst = NULL;
asym_op_info = g_malloc0(sizeof(CryptoDevBackendAsymOpInfo));
src_len = ldl_le_p(&req->para.src_data_len);
dst_len = ldl_le_p(&req->para.dst_data_len);
if (src_len > 0) {
src = g_malloc0(src_len);
len = iov_to_buf(iov, out_num, 0, src, src_len);
if (unlikely(len != src_len)) {
virtio_error(vdev, "virtio-crypto asym src data incorrect"
"expected %u, actual %u", src_len, len);
goto err;
}
iov_discard_front(&iov, &out_num, src_len);
}
if (dst_len > 0) {
dst = g_malloc0(dst_len);
if (op_info->op_code == VIRTIO_CRYPTO_AKCIPHER_VERIFY) {
len = iov_to_buf(iov, out_num, 0, dst, dst_len);
if (unlikely(len != dst_len)) {
virtio_error(vdev, "virtio-crypto asym dst data incorrect"
"expected %u, actual %u", dst_len, len);
goto err;
}
iov_discard_front(&iov, &out_num, dst_len);
}
}
asym_op_info->src_len = src_len;
asym_op_info->dst_len = dst_len;
asym_op_info->src = src;
asym_op_info->dst = dst;
op_info->u.asym_op_info = asym_op_info;
return 0;
err:
g_free(asym_op_info);
g_free(src);
g_free(dst);
return -EFAULT;
}
static int static int
virtio_crypto_handle_request(VirtIOCryptoReq *request) virtio_crypto_handle_request(VirtIOCryptoReq *request)
{ {
@ -595,8 +774,7 @@ virtio_crypto_handle_request(VirtIOCryptoReq *request)
unsigned out_num; unsigned out_num;
uint32_t opcode; uint32_t opcode;
uint8_t status = VIRTIO_CRYPTO_ERR; uint8_t status = VIRTIO_CRYPTO_ERR;
uint64_t session_id; CryptoDevBackendOpInfo *op_info = &request->op_info;
CryptoDevBackendSymOpInfo *sym_op_info = NULL;
Error *local_err = NULL; Error *local_err = NULL;
if (elem->out_num < 1 || elem->in_num < 1) { if (elem->out_num < 1 || elem->in_num < 1) {
@ -639,15 +817,28 @@ virtio_crypto_handle_request(VirtIOCryptoReq *request)
request->in_iov = in_iov; request->in_iov = in_iov;
opcode = ldl_le_p(&req.header.opcode); opcode = ldl_le_p(&req.header.opcode);
session_id = ldq_le_p(&req.header.session_id); op_info->session_id = ldq_le_p(&req.header.session_id);
op_info->op_code = opcode;
switch (opcode) { switch (opcode) {
case VIRTIO_CRYPTO_CIPHER_ENCRYPT: case VIRTIO_CRYPTO_CIPHER_ENCRYPT:
case VIRTIO_CRYPTO_CIPHER_DECRYPT: case VIRTIO_CRYPTO_CIPHER_DECRYPT:
op_info->algtype = request->flags = CRYPTODEV_BACKEND_ALG_SYM;
ret = virtio_crypto_handle_sym_req(vcrypto, ret = virtio_crypto_handle_sym_req(vcrypto,
&req.u.sym_req, &req.u.sym_req, op_info,
&sym_op_info,
out_iov, out_num); out_iov, out_num);
goto check_result;
case VIRTIO_CRYPTO_AKCIPHER_ENCRYPT:
case VIRTIO_CRYPTO_AKCIPHER_DECRYPT:
case VIRTIO_CRYPTO_AKCIPHER_SIGN:
case VIRTIO_CRYPTO_AKCIPHER_VERIFY:
op_info->algtype = request->flags = CRYPTODEV_BACKEND_ALG_ASYM;
ret = virtio_crypto_handle_asym_req(vcrypto,
&req.u.akcipher_req, op_info,
out_iov, out_num);
check_result:
/* Serious errors, need to reset virtio crypto device */ /* Serious errors, need to reset virtio crypto device */
if (ret == -EFAULT) { if (ret == -EFAULT) {
return -1; return -1;
@ -655,11 +846,8 @@ virtio_crypto_handle_request(VirtIOCryptoReq *request)
virtio_crypto_req_complete(request, VIRTIO_CRYPTO_NOTSUPP); virtio_crypto_req_complete(request, VIRTIO_CRYPTO_NOTSUPP);
virtio_crypto_free_request(request); virtio_crypto_free_request(request);
} else { } else {
sym_op_info->session_id = session_id;
/* Set request's parameter */ /* Set request's parameter */
request->flags = CRYPTODEV_BACKEND_ALG_SYM;
request->u.sym_op_info = sym_op_info;
ret = cryptodev_backend_crypto_operation(vcrypto->cryptodev, ret = cryptodev_backend_crypto_operation(vcrypto->cryptodev,
request, queue_index, &local_err); request, queue_index, &local_err);
if (ret < 0) { if (ret < 0) {
@ -674,6 +862,7 @@ virtio_crypto_handle_request(VirtIOCryptoReq *request)
virtio_crypto_free_request(request); virtio_crypto_free_request(request);
} }
break; break;
case VIRTIO_CRYPTO_HASH: case VIRTIO_CRYPTO_HASH:
case VIRTIO_CRYPTO_MAC: case VIRTIO_CRYPTO_MAC:
case VIRTIO_CRYPTO_AEAD_ENCRYPT: case VIRTIO_CRYPTO_AEAD_ENCRYPT:
@ -779,6 +968,7 @@ static void virtio_crypto_init_config(VirtIODevice *vdev)
vcrypto->conf.mac_algo_l = vcrypto->conf.cryptodev->conf.mac_algo_l; vcrypto->conf.mac_algo_l = vcrypto->conf.cryptodev->conf.mac_algo_l;
vcrypto->conf.mac_algo_h = vcrypto->conf.cryptodev->conf.mac_algo_h; vcrypto->conf.mac_algo_h = vcrypto->conf.cryptodev->conf.mac_algo_h;
vcrypto->conf.aead_algo = vcrypto->conf.cryptodev->conf.aead_algo; vcrypto->conf.aead_algo = vcrypto->conf.cryptodev->conf.aead_algo;
vcrypto->conf.akcipher_algo = vcrypto->conf.cryptodev->conf.akcipher_algo;
vcrypto->conf.max_cipher_key_len = vcrypto->conf.max_cipher_key_len =
vcrypto->conf.cryptodev->conf.max_cipher_key_len; vcrypto->conf.cryptodev->conf.max_cipher_key_len;
vcrypto->conf.max_auth_key_len = vcrypto->conf.max_auth_key_len =
@ -891,6 +1081,7 @@ static void virtio_crypto_get_config(VirtIODevice *vdev, uint8_t *config)
stl_le_p(&crypto_cfg.max_cipher_key_len, c->conf.max_cipher_key_len); stl_le_p(&crypto_cfg.max_cipher_key_len, c->conf.max_cipher_key_len);
stl_le_p(&crypto_cfg.max_auth_key_len, c->conf.max_auth_key_len); stl_le_p(&crypto_cfg.max_auth_key_len, c->conf.max_auth_key_len);
stq_le_p(&crypto_cfg.max_size, c->conf.max_size); stq_le_p(&crypto_cfg.max_size, c->conf.max_size);
stl_le_p(&crypto_cfg.akcipher_algo, c->conf.akcipher_algo);
memcpy(config, &crypto_cfg, c->config_size); memcpy(config, &crypto_cfg, c->config_size);
} }

5
include/hw/virtio/virtio-crypto.h
View File

@ -50,6 +50,7 @@ typedef struct VirtIOCryptoConf {
uint32_t mac_algo_l; uint32_t mac_algo_l;
uint32_t mac_algo_h; uint32_t mac_algo_h;
uint32_t aead_algo; uint32_t aead_algo;
uint32_t akcipher_algo;
/* Maximum length of cipher key */ /* Maximum length of cipher key */
uint32_t max_cipher_key_len; uint32_t max_cipher_key_len;
@ -71,9 +72,7 @@ typedef struct VirtIOCryptoReq {
size_t in_len; size_t in_len;
VirtQueue *vq; VirtQueue *vq;
struct VirtIOCrypto *vcrypto; struct VirtIOCrypto *vcrypto;
union { CryptoDevBackendOpInfo op_info;
CryptoDevBackendSymOpInfo *sym_op_info;
} u;
} VirtIOCryptoReq; } VirtIOCryptoReq;
typedef struct VirtIOCryptoQueue { typedef struct VirtIOCryptoQueue {

83
include/sysemu/cryptodev.h
View File

@ -50,13 +50,13 @@ typedef struct CryptoDevBackendClient
enum CryptoDevBackendAlgType { enum CryptoDevBackendAlgType {
CRYPTODEV_BACKEND_ALG_SYM, CRYPTODEV_BACKEND_ALG_SYM,
CRYPTODEV_BACKEND_ALG_ASYM,
CRYPTODEV_BACKEND_ALG__MAX, CRYPTODEV_BACKEND_ALG__MAX,
}; };
/** /**
* CryptoDevBackendSymSessionInfo: * CryptoDevBackendSymSessionInfo:
* *
* @op_code: operation code (refer to virtio_crypto.h)
* @cipher_alg: algorithm type of CIPHER * @cipher_alg: algorithm type of CIPHER
* @key_len: byte length of cipher key * @key_len: byte length of cipher key
* @hash_alg: algorithm type of HASH/MAC * @hash_alg: algorithm type of HASH/MAC
@ -74,7 +74,6 @@ enum CryptoDevBackendAlgType {
*/ */
typedef struct CryptoDevBackendSymSessionInfo { typedef struct CryptoDevBackendSymSessionInfo {
/* corresponding with virtio crypto spec */ /* corresponding with virtio crypto spec */
uint32_t op_code;
uint32_t cipher_alg; uint32_t cipher_alg;
uint32_t key_len; uint32_t key_len;
uint32_t hash_alg; uint32_t hash_alg;
@ -89,11 +88,36 @@ typedef struct CryptoDevBackendSymSessionInfo {
uint8_t *auth_key; uint8_t *auth_key;
} CryptoDevBackendSymSessionInfo; } CryptoDevBackendSymSessionInfo;
/**
* CryptoDevBackendAsymSessionInfo:
*/
typedef struct CryptoDevBackendRsaPara {
uint32_t padding_algo;
uint32_t hash_algo;
} CryptoDevBackendRsaPara;
typedef struct CryptoDevBackendAsymSessionInfo {
/* corresponding with virtio crypto spec */
uint32_t algo;
uint32_t keytype;
uint32_t keylen;
uint8_t *key;
union {
CryptoDevBackendRsaPara rsa;
} u;
} CryptoDevBackendAsymSessionInfo;
typedef struct CryptoDevBackendSessionInfo {
uint32_t op_code;
union {
CryptoDevBackendSymSessionInfo sym_sess_info;
CryptoDevBackendAsymSessionInfo asym_sess_info;
} u;
} CryptoDevBackendSessionInfo;
/** /**
* CryptoDevBackendSymOpInfo: * CryptoDevBackendSymOpInfo:
* *
* @session_id: session index which was previously
* created by cryptodev_backend_sym_create_session()
* @aad_len: byte length of additional authenticated data * @aad_len: byte length of additional authenticated data
* @iv_len: byte length of initialization vector or counter * @iv_len: byte length of initialization vector or counter
* @src_len: byte length of source data * @src_len: byte length of source data
@ -119,7 +143,6 @@ typedef struct CryptoDevBackendSymSessionInfo {
* *
*/ */
typedef struct CryptoDevBackendSymOpInfo { typedef struct CryptoDevBackendSymOpInfo {
uint64_t session_id;
uint32_t aad_len; uint32_t aad_len;
uint32_t iv_len; uint32_t iv_len;
uint32_t src_len; uint32_t src_len;
@ -138,6 +161,33 @@ typedef struct CryptoDevBackendSymOpInfo {
uint8_t data[]; uint8_t data[];
} CryptoDevBackendSymOpInfo; } CryptoDevBackendSymOpInfo;
/**
* CryptoDevBackendAsymOpInfo:
*
* @src_len: byte length of source data
* @dst_len: byte length of destination data
* @src: point to the source data
* @dst: point to the destination data
*
*/
typedef struct CryptoDevBackendAsymOpInfo {
uint32_t src_len;
uint32_t dst_len;
uint8_t *src;
uint8_t *dst;
} CryptoDevBackendAsymOpInfo;
typedef struct CryptoDevBackendOpInfo {
enum CryptoDevBackendAlgType algtype;
uint32_t op_code;
uint64_t session_id;
union {
CryptoDevBackendSymOpInfo *sym_op_info;
CryptoDevBackendAsymOpInfo *asym_op_info;
} u;
} CryptoDevBackendOpInfo;
struct CryptoDevBackendClass { struct CryptoDevBackendClass {
ObjectClass parent_class; ObjectClass parent_class;
@ -145,13 +195,13 @@ struct CryptoDevBackendClass {
void (*cleanup)(CryptoDevBackend *backend, Error **errp); void (*cleanup)(CryptoDevBackend *backend, Error **errp);
int64_t (*create_session)(CryptoDevBackend *backend, int64_t (*create_session)(CryptoDevBackend *backend,
CryptoDevBackendSymSessionInfo *sess_info, CryptoDevBackendSessionInfo *sess_info,
uint32_t queue_index, Error **errp); uint32_t queue_index, Error **errp);
int (*close_session)(CryptoDevBackend *backend, int (*close_session)(CryptoDevBackend *backend,
uint64_t session_id, uint64_t session_id,
uint32_t queue_index, Error **errp); uint32_t queue_index, Error **errp);
int (*do_sym_op)(CryptoDevBackend *backend, int (*do_op)(CryptoDevBackend *backend,
CryptoDevBackendSymOpInfo *op_info, CryptoDevBackendOpInfo *op_info,
uint32_t queue_index, Error **errp); uint32_t queue_index, Error **errp);
}; };
@ -190,6 +240,7 @@ struct CryptoDevBackendConf {
uint32_t mac_algo_l; uint32_t mac_algo_l;
uint32_t mac_algo_h; uint32_t mac_algo_h;
uint32_t aead_algo; uint32_t aead_algo;
uint32_t akcipher_algo;
/* Maximum length of cipher key */ /* Maximum length of cipher key */
uint32_t max_cipher_key_len; uint32_t max_cipher_key_len;
/* Maximum length of authenticated key */ /* Maximum length of authenticated key */
@ -247,34 +298,34 @@ void cryptodev_backend_cleanup(
Error **errp); Error **errp);
/** /**
* cryptodev_backend_sym_create_session: * cryptodev_backend_create_session:
* @backend: the cryptodev backend object * @backend: the cryptodev backend object
* @sess_info: parameters needed by session creating * @sess_info: parameters needed by session creating
* @queue_index: queue index of cryptodev backend client * @queue_index: queue index of cryptodev backend client
* @errp: pointer to a NULL-initialized error object * @errp: pointer to a NULL-initialized error object
* *
* Create a session for symmetric algorithms * Create a session for symmetric/symmetric algorithms
* *
* Returns: session id on success, or -1 on error * Returns: session id on success, or -1 on error
*/ */
int64_t cryptodev_backend_sym_create_session( int64_t cryptodev_backend_create_session(
CryptoDevBackend *backend, CryptoDevBackend *backend,
CryptoDevBackendSymSessionInfo *sess_info, CryptoDevBackendSessionInfo *sess_info,
uint32_t queue_index, Error **errp); uint32_t queue_index, Error **errp);
/** /**
* cryptodev_backend_sym_close_session: * cryptodev_backend_close_session:
* @backend: the cryptodev backend object * @backend: the cryptodev backend object
* @session_id: the session id * @session_id: the session id
* @queue_index: queue index of cryptodev backend client * @queue_index: queue index of cryptodev backend client
* @errp: pointer to a NULL-initialized error object * @errp: pointer to a NULL-initialized error object
* *
* Close a session for symmetric algorithms which was previously * Close a session for which was previously
* created by cryptodev_backend_sym_create_session() * created by cryptodev_backend_create_session()
* *
* Returns: 0 on success, or Negative on error * Returns: 0 on success, or Negative on error
*/ */
int cryptodev_backend_sym_close_session( int cryptodev_backend_close_session(
CryptoDevBackend *backend, CryptoDevBackend *backend,
uint64_t session_id, uint64_t session_id,
uint32_t queue_index, Error **errp); uint32_t queue_index, Error **errp);