riscv: AES: Provide a Zvkned-based implementation

The upcoming RISC-V vector crypto extensions provide the Zvkned extension, that provides a AES-specific instructions. This patch provides an implementation that utilizes this extension if available. Tested on QEMU and no regressions observed. Signed-off-by: Christoph Müllner <christoph.muellner@vrull.eu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from #21923)
openssl · Oct 26, 2023 · f6631e3 · f6631e3
1 parent 5191bcc
commit f6631e3
Show file tree

Hide file tree

Showing 10 changed files with 793 additions and 7 deletions.
diff --git a/crypto/aes/asm/aes-riscv64-zvkned.pl b/crypto/aes/asm/aes-riscv64-zvkned.pl
diff --git a/crypto/aes/build.info b/crypto/aes/build.info
@@ -47,7 +47,7 @@ IF[{- !$disabled{asm} -}]
   # aes-c64xplus.s implements AES_ctr32_encrypt
   $AESDEF_c64xplus=AES_ASM AES_CTR_ASM
 
-  $AESASM_riscv64=aes_cbc.c aes-riscv64.s aes-riscv64-zkn.s
+  $AESASM_riscv64=aes_cbc.c aes-riscv64.s aes-riscv64-zkn.s aes-riscv64-zvkned.s
   $AESDEF_riscv64=AES_ASM
   $AESASM_riscv32=aes_core.c aes_cbc.c aes-riscv32-zkn.s
 
@@ -124,6 +124,7 @@ INCLUDE[aes-mips.o]=..
 GENERATE[aes-riscv64.s]=asm/aes-riscv64.pl
 GENERATE[aes-riscv64-zkn.s]=asm/aes-riscv64-zkn.pl
 GENERATE[aes-riscv32-zkn.s]=asm/aes-riscv32-zkn.pl
+GENERATE[aes-riscv64-zvkned.s]=asm/aes-riscv64-zvkned.pl
 
 GENERATE[aesv8-armx.S]=asm/aesv8-armx.pl
 INCLUDE[aesv8-armx.o]=..

diff --git a/crypto/perlasm/riscv.pm b/crypto/perlasm/riscv.pm
@@ -498,4 +498,64 @@ sub vgmul_vv {
     return ".word ".($template | ($vs2 << 20) | ($vd << 7));
 }
 
+## Zvkned instructions
+
+sub vaesdf_vs {
+    # vaesdf.vs vd, vs2
+    my $template = 0b101001_1_00000_00001_010_00000_1110111;
+    my $vd = read_vreg  shift;
+    my $vs2 = read_vreg  shift;
+    return ".word ".($template | ($vs2 << 20) | ($vd << 7));
+}
+
+sub vaesdm_vs {
+    # vaesdm.vs vd, vs2
+    my $template = 0b101001_1_00000_00000_010_00000_1110111;
+    my $vd = read_vreg shift;
+    my $vs2 = read_vreg shift;
+    return ".word ".($template | ($vs2 << 20) | ($vd << 7));
+}
+
+sub vaesef_vs {
+    # vaesef.vs vd, vs2
+    my $template = 0b101001_1_00000_00011_010_00000_1110111;
+    my $vd = read_vreg  shift;
+    my $vs2 = read_vreg  shift;
+    return ".word ".($template | ($vs2 << 20) | ($vd << 7));
+}
+
+sub vaesem_vs {
+    # vaesem.vs vd, vs2
+    my $template = 0b101001_1_00000_00010_010_00000_1110111;
+    my $vd = read_vreg  shift;
+    my $vs2 = read_vreg  shift;
+    return ".word ".($template | ($vs2 << 20) | ($vd << 7));
+}
+
+sub vaeskf1_vi {
+    # vaeskf1.vi vd, vs2, uimmm
+    my $template = 0b100010_1_00000_00000_010_00000_1110111;
+    my $vd = read_vreg  shift;
+    my $vs2 = read_vreg  shift;
+    my $uimm = shift;
+    return ".word ".($template | ($uimm << 15) | ($vs2 << 20) | ($vd << 7));
+}
+
+sub vaeskf2_vi {
+    # vaeskf2.vi vd, vs2, uimm
+    my $template = 0b101010_1_00000_00000_010_00000_1110111;
+    my $vd = read_vreg shift;
+    my $vs2 = read_vreg shift;
+    my $uimm = shift;
+    return ".word ".($template | ($vs2 << 20) | ($uimm << 15) | ($vd << 7));
+}
+
+sub vaesz_vs {
+    # vaesz.vs vd, vs2
+    my $template = 0b101001_1_00000_00111_010_00000_1110111;
+    my $vd = read_vreg  shift;
+    my $vs2 = read_vreg  shift;
+    return ".word ".($template | ($vs2 << 20) | ($vd << 7));
+}
+
 1;
diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h
@@ -435,6 +435,7 @@ void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
 /* RISC-V 64 support */
 #  include "riscv_arch.h"
 
+/* Zkne and Zknd extensions (scalar crypto AES). */
 int rv64i_zkne_set_encrypt_key(const unsigned char *userKey, const int bits,
                           AES_KEY *key);
 int rv64i_zknd_set_decrypt_key(const unsigned char *userKey, const int bits,
@@ -443,6 +444,16 @@ void rv64i_zkne_encrypt(const unsigned char *in, unsigned char *out,
                    const AES_KEY *key);
 void rv64i_zknd_decrypt(const unsigned char *in, unsigned char *out,
                    const AES_KEY *key);
+/* Zvkned extension (vector crypto AES). */
+int rv64i_zvkned_set_encrypt_key(const unsigned char *userKey, const int bits,
+                                 AES_KEY *key);
+int rv64i_zvkned_set_decrypt_key(const unsigned char *userKey, const int bits,
+                                 AES_KEY *key);
+void rv64i_zvkned_encrypt(const unsigned char *in, unsigned char *out,
+                          const AES_KEY *key);
+void rv64i_zvkned_decrypt(const unsigned char *in, unsigned char *out,
+                          const AES_KEY *key);
+
 # elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
 /* RISC-V 32 support */
 #  include "riscv_arch.h"

diff --git a/include/crypto/riscv_arch.def b/include/crypto/riscv_arch.def
@@ -36,6 +36,7 @@ RISCV_DEFINE_CAP(V, 0, 14)
 RISCV_DEFINE_CAP(ZVBB, 0, 15)
 RISCV_DEFINE_CAP(ZVBC, 0, 16)
 RISCV_DEFINE_CAP(ZVKG, 0, 17)
+RISCV_DEFINE_CAP(ZVKNED, 0, 18)
 
 /*
  * In the future ...

diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i.inc b/providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i.inc
@@ -31,7 +31,41 @@ static const PROV_CCM_HW rv64i_zknd_zkne_ccm = {
     ossl_ccm_generic_gettag
 };
 
+/*-
+ * RISC-V RV64 ZVKNED support for AES CCM.
+ * This file is included by cipher_aes_ccm_hw.c
+ */
+
+static int ccm_rv64i_zvkned_initkey(PROV_CCM_CTX *ctx, const unsigned char *key,
+                                    size_t keylen)
+{
+    PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx;
+
+    /* Zvkned only supports 128 and 256 bit keys. */
+    if (keylen * 8 == 128 || keylen * 8 == 256) {
+        AES_HW_CCM_SET_KEY_FN(rv64i_zvkned_set_encrypt_key, rv64i_zvkned_encrypt,
+                              NULL, NULL);
+    } else {
+        AES_HW_CCM_SET_KEY_FN(AES_set_encrypt_key, AES_encrypt, NULL, NULL)
+    }
+    return 1;
+}
+
+static const PROV_CCM_HW rv64i_zvkned_ccm = {
+    ccm_rv64i_zvkned_initkey,
+    ossl_ccm_generic_setiv,
+    ossl_ccm_generic_setaad,
+    ossl_ccm_generic_auth_encrypt,
+    ossl_ccm_generic_auth_decrypt,
+    ossl_ccm_generic_gettag
+};
+
 const PROV_CCM_HW *ossl_prov_aes_hw_ccm(size_t keybits)
 {
-    return RISCV_HAS_ZKND_AND_ZKNE() ? &rv64i_zknd_zkne_ccm : &aes_ccm;
+    if (RISCV_HAS_ZVKNED() && riscv_vlen() >= 128)
+        return &rv64i_zvkned_ccm;
+    else if (RISCV_HAS_ZKND_AND_ZKNE())
+        return &rv64i_zknd_zkne_ccm;
+    else
+        return &aes_ccm;
 }
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i.inc
@@ -31,9 +31,40 @@ static const PROV_GCM_HW rv64i_zknd_zkne_gcm = {
     ossl_gcm_one_shot
 };
 
+/*-
+ * RISC-V RV64 ZVKNED support for AES GCM.
+ * This file is included by cipher_aes_gcm_hw.c
+ */
+
+static int rv64i_zvkned_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+                                    size_t keylen)
+{
+    PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+    AES_KEY *ks = &actx->ks.ks;
+    /* Zvkned only supports 128 and 256 bit keys. */
+    if (keylen * 8 == 128 || keylen * 8 == 256) {
+        GCM_HW_SET_KEY_CTR_FN(ks, rv64i_zvkned_set_encrypt_key,
+                              rv64i_zvkned_encrypt, NULL);
+    } else {
+        GCM_HW_SET_KEY_CTR_FN(ks, AES_set_encrypt_key, AES_encrypt, NULL);
+    }
+    return 1;
+}
+
+static const PROV_GCM_HW rv64i_zvkned_gcm = {
+    rv64i_zvkned_gcm_initkey,
+    ossl_gcm_setiv,
+    ossl_gcm_aad_update,
+    generic_aes_gcm_cipher_update,
+    ossl_gcm_cipher_final,
+    ossl_gcm_one_shot
+};
+
 const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
 {
-    if (RISCV_HAS_ZKND_AND_ZKNE())
+    if (RISCV_HAS_ZVKNED() && riscv_vlen() >= 128)
+        return &rv64i_zvkned_gcm;
+    else if (RISCV_HAS_ZKND_AND_ZKNE())
         return &rv64i_zknd_zkne_gcm;
     else
         return &aes_gcm;

diff --git a/providers/implementations/ciphers/cipher_aes_hw_rv64i.inc b/providers/implementations/ciphers/cipher_aes_hw_rv64i.inc
@@ -48,12 +48,77 @@ static int cipher_hw_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *dat,
     return 1;
 }
 
+/*-
+ * RISC-V RV64 ZVKNED support for AES modes ecb, cbc, ofb, cfb, ctr.
+ * This file is included by cipher_aes_hw.c
+ */
+
+#define cipher_hw_rv64i_zvkned_cbc    ossl_cipher_hw_generic_cbc
+#define cipher_hw_rv64i_zvkned_ecb    ossl_cipher_hw_generic_ecb
+#define cipher_hw_rv64i_zvkned_ofb128 ossl_cipher_hw_generic_ofb128
+#define cipher_hw_rv64i_zvkned_cfb128 ossl_cipher_hw_generic_cfb128
+#define cipher_hw_rv64i_zvkned_cfb8   ossl_cipher_hw_generic_cfb8
+#define cipher_hw_rv64i_zvkned_cfb1   ossl_cipher_hw_generic_cfb1
+#define cipher_hw_rv64i_zvkned_ctr    ossl_cipher_hw_generic_ctr
+
+static int cipher_hw_rv64i_zvkned_initkey(PROV_CIPHER_CTX *dat,
+                                          const unsigned char *key,
+                                          size_t keylen)
+{
+    int ret;
+    PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+    AES_KEY *ks = &adat->ks.ks;
+
+    dat->ks = ks;
+
+    /* Zvkned only supports 128 and 256 bit keys. */
+    if (keylen * 8 == 128 || keylen * 8 == 256) {
+        if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+            && !dat->enc) {
+            ret = rv64i_zvkned_set_decrypt_key(key, keylen * 8, ks);
+            dat->block = (block128_f) rv64i_zvkned_decrypt;
+            dat->stream.cbc = NULL;
+        } else {
+            ret = rv64i_zvkned_set_encrypt_key(key, keylen * 8, ks);
+            dat->block = (block128_f) rv64i_zvkned_encrypt;
+            dat->stream.cbc = NULL;
+        }
+    } else {
+        if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+            && !dat->enc) {
+            ret = AES_set_decrypt_key(key, keylen * 8, ks);
+            dat->block = (block128_f)AES_decrypt;
+            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                              ? (cbc128_f)AES_cbc_encrypt : NULL;
+        } else {
+            ret = AES_set_encrypt_key(key, keylen * 8, ks);
+            dat->block = (block128_f)AES_encrypt;
+            dat->stream.cbc = (dat->mode == EVP_CIPH_CBC_MODE)
+                              ? (cbc128_f)AES_cbc_encrypt : NULL;
+        }
+    }
+
+    if (ret < 0) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED);
+        return 0;
+    }
+
+    return 1;
+}
+
 #define PROV_CIPHER_HW_declare(mode)                                           \
 static const PROV_CIPHER_HW rv64i_zknd_zkne_##mode = {                         \
     cipher_hw_rv64i_zknd_zkne_initkey,                                         \
     cipher_hw_rv64i_zknd_zkne_##mode,                                          \
     cipher_hw_aes_copyctx                                                      \
+};                                                                             \
+static const PROV_CIPHER_HW rv64i_zvkned_##mode = {                            \
+    cipher_hw_rv64i_zvkned_initkey,                                            \
+    cipher_hw_rv64i_zvkned_##mode,                                             \
+    cipher_hw_aes_copyctx                                                      \
 };
 #define PROV_CIPHER_HW_select(mode)                                            \
-if (RISCV_HAS_ZKND_AND_ZKNE())                                                 \
+if (RISCV_HAS_ZVKNED() && riscv_vlen() >= 128)                                 \
+    return &rv64i_zvkned_##mode;                                               \
+else if (RISCV_HAS_ZKND_AND_ZKNE())                                            \
     return &rv64i_zknd_zkne_##mode;
diff --git a/providers/implementations/ciphers/cipher_aes_ocb_hw.c b/providers/implementations/ciphers/cipher_aes_ocb_hw.c
@@ -117,13 +117,38 @@ static int cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
     return 1;
 }
 
+static int cipher_hw_aes_ocb_rv64i_zvkned_initkey(PROV_CIPHER_CTX *vctx,
+                                                     const unsigned char *key,
+                                                     size_t keylen)
+{
+    PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+    /* Zvkned only supports 128 and 256 bit keys. */
+    if (keylen * 8 == 128 || keylen * 8 == 256) {
+        OCB_SET_KEY_FN(rv64i_zvkned_set_encrypt_key,
+                       rv64i_zvkned_set_decrypt_key,
+                       rv64i_zvkned_encrypt, rv64i_zvkned_decrypt,
+                       NULL, NULL);
+    } else {
+        OCB_SET_KEY_FN(AES_set_encrypt_key, AES_set_decrypt_key,
+                       AES_encrypt, AES_decrypt, NULL, NULL);
+    }
+    return 1;
+}
+
 # define PROV_CIPHER_HW_declare()                                              \
 static const PROV_CIPHER_HW aes_rv64i_zknd_zkne_ocb = {                        \
     cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey,                                 \
     NULL                                                                       \
+};                                                                             \
+static const PROV_CIPHER_HW aes_rv64i_zvkned_ocb = {                           \
+    cipher_hw_aes_ocb_rv64i_zvkned_initkey,                                    \
+    NULL                                                                       \
 };
 # define PROV_CIPHER_HW_select()                                               \
-    if (RISCV_HAS_ZKND_AND_ZKNE())                                             \
+    if (RISCV_HAS_ZVKNED() && riscv_vlen() >= 128)                             \
+        return &aes_rv64i_zvkned_ocb;                                          \
+    else if (RISCV_HAS_ZKND_AND_ZKNE())                                        \
         return &aes_rv64i_zknd_zkne_ocb;
 
 #elif defined(__riscv) && __riscv_xlen == 32

diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c
@@ -175,15 +175,45 @@ static int cipher_hw_aes_xts_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
     return 1;
 }
 
+static int cipher_hw_aes_xts_rv64i_zvkned_initkey(PROV_CIPHER_CTX *ctx,
+                                                     const unsigned char *key,
+                                                     size_t keylen)
+{
+    PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)ctx;
+    OSSL_xts_stream_fn stream_enc = NULL;
+    OSSL_xts_stream_fn stream_dec = NULL;
+
+    /* Zvkned only supports 128 and 256 bit keys. */
+    if (keylen * 8 == 128 || keylen * 8 == 256) {
+        XTS_SET_KEY_FN(rv64i_zvkned_set_encrypt_key,
+                       rv64i_zvkned_set_decrypt_key,
+                       rv64i_zvkned_encrypt, rv64i_zvkned_decrypt,
+                       stream_enc, stream_dec);
+    } else {
+        XTS_SET_KEY_FN(AES_set_encrypt_key, AES_set_decrypt_key,
+                       AES_encrypt, AES_decrypt,
+                       stream_enc, stream_dec);
+    }
+    return 1;
+}
+
 # define PROV_CIPHER_HW_declare_xts()                                          \
 static const PROV_CIPHER_HW aes_xts_rv64i_zknd_zkne = {                        \
     cipher_hw_aes_xts_rv64i_zknd_zkne_initkey,                                 \
     NULL,                                                                      \
     cipher_hw_aes_xts_copyctx                                                  \
 };
+static const PROV_CIPHER_HW aes_xts_rv64i_zvkned = {                           \
+    cipher_hw_aes_xts_rv64i_zvkned_initkey,                                    \
+    NULL,                                                                      \
+    cipher_hw_aes_xts_copyctx                                                  \
+};
+
 # define PROV_CIPHER_HW_select_xts()                                           \
-if (RISCV_HAS_ZKND_AND_ZKNE())                                                 \
-    return &aes_xts_rv64i_zknd_zkne;
+if (RISCV_HAS_ZVKNED() && riscv_vlen() >= 128)                                 \
+    return &aes_xts_rv64i_zvkned;                                              \
+else if (RISCV_HAS_ZKND_AND_ZKNE())                                            \
+    return &aes_xts_rv64i_zknd_zkne;                                           \
 
 #elif defined(__riscv) && __riscv_xlen == 32