#
480ff89c |
|
30-Apr-2024 |
Navdeep Parhar <np@FreeBSD.org> |
cxgbe(4): Rename rx_c_chan to rx_chan. It is the equivalent of tx_chan but for receive so rx_chan is a better name. Initialize both using helper functions and make sure both are displayed in the sysctl MIB. MFC after: 1 week Sponsored by: Chelsio Communications
|
#
fdafd315 |
|
24-Nov-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Automated cleanup of cdefs and other formatting Apply the following automated changes to try to eliminate no-longer-needed sys/cdefs.h includes as well as now-empty blank lines in a row. Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/ Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/ Remove /\n+#if.*\n#endif.*\n+/ Remove /^#if.*\n#endif.*\n/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/ Sponsored by: Netflix
|
#
685dc743 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c pattern Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
70efe1a2 |
|
06-Feb-2023 |
John Baldwin <jhb@FreeBSD.org> |
ccr,ccp: Fix argument order to sglist_append_vmpages. The offset comes before the byte count. Reported by: br Reviewed by: asomers, markj MFC after: 1 week Sponsored by: DARPA Differential Revision: https://reviews.freebsd.org/D38375
|
#
7063b997 |
|
29-Dec-2022 |
John Baldwin <jhb@FreeBSD.org> |
ccr: Retire ccr_softc member in struct adapter. Prior to Conrad's changes to replace session integer IDs with a pointer to the driver-specific state in commit 1b0909d51a8aa, the driver had to find the softc pointer from the adapter before it could locate the ccr_session structure for a completed request. Since Conrad's changes, the ccr_session pointer can now be obtained directly from the crp. Add a backpoint from ccr_session back to ccr_softc and use this in place of the ccr_softc member in cxgbe's struct adapter. Sponsored by: Chelsio Communications
|
#
478c66fd |
|
09-May-2022 |
John Baldwin <jhb@FreeBSD.org> |
ccr: Remove unused devclass argument to DRIVER_MODULE.
|
#
a727d953 |
|
13-Jan-2022 |
Navdeep Parhar <np@FreeBSD.org> |
cxgbe(4): Fix bad races between sysctl and driver detach. The default sysctl context setup by newbus for a device is eventually freed by device_sysctl_fini, which runs after the device driver's detach routine. sysctl nodes associated with this context must not use any resources (like driver locks, hardware access, counters, etc.) that are released by driver detach. There are a lot of sysctl nodes like this in cxgbe(4) and the fix is to hang them off a context that is explicitly freed by the driver before it releases any resource that might be used by a sysctl. This fixes panics when running "sysctl dev.t6nex dev.cc" in a tight loop and loading/unloading the driver in parallel. Reported by: Suhas Lokesha MFC after: 1 week Sponsored by: Chelsio Communications
|
#
e43cf698 |
|
04-Jan-2022 |
John Baldwin <jhb@FreeBSD.org> |
ccr: Use a software OCF session for requests which fallback to software. Previously the driver duplicated code from cryptosoft.c to handle certain edge case AES-CCM and AES-GCM requests. However, this approach has a few downsides: 1) It only uses "plain" software and not accelerated software since it uses enc_xform directly. 2) It performs the operation synchronously even though the caller believes it is invoking an async driver. This was fine for the original use case of requests with only AAD and no payload that execute quickly, but is a bit more disingenuous for large requests which fall back due to exceeding the size of a firmware work request (e.g. due to large scatter/gather lists). 3) It has required several updates since ccr(4) was added to the tree. Instead, allocate a software session for AES-CCM and AES-GCM sessions and dispatch a cloned request asynchronusly to the software session. Reviewed by: markj Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D33608
|
#
762f1dcb |
|
20-Dec-2021 |
John Baldwin <jhb@FreeBSD.org> |
ccr: Replace 'blkcipher' with just 'cipher'. ccr(4) can handle requests for AES-CTR (a stream cipher), not just block ciphers, so make the function and structure names more generic. Sponsored by: Chelsio Communications
|
#
6e17a2e0 |
|
09-Dec-2021 |
John Baldwin <jhb@FreeBSD.org> |
crypto: Validate AES-GCM IV length in check_csp(). This centralizes the check for valid nonce lengths for AES-GCM. While here, remove some duplicate checks for valid AES-GCM tag lengths from ccp(4) and ccr(4). Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33194
|
#
4361c4eb |
|
06-Oct-2021 |
John Baldwin <jhb@FreeBSD.org> |
cryptosoft: Fix support for variable tag lengths in AES-CCM. The tag length is included as one of the values in the flags byte of block 0 passed to CBC_MAC, so merely copying the first N bytes is insufficient. To avoid adding more sideband data to the CBC MAC software context, pull the generation of block 0, the AAD length, and AAD padding out of cbc_mac.c and into cryptosoft.c. This matches how GCM/GMAC are handled where the length block is constructed in cryptosoft.c and passed as an input to the Update callback. As a result, the CBC MAC Update() routine is now much simpler and simply performs the XOR-and-encrypt step on each input block. While here, avoid a copy to the staging block in the Update routine when one or more full blocks are passed as input to the Update callback. Reviewed by: sef Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32120
|
#
e148e407 |
|
06-Oct-2021 |
John Baldwin <jhb@FreeBSD.org> |
ccr: Support AES-CCM requests with truncated tags. Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D32117
|
#
3e6a97b3 |
|
06-Oct-2021 |
John Baldwin <jhb@FreeBSD.org> |
ccr: Support multiple nonce lengths for AES-CCM. Sponsored by: Chelsio Communications, The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32116
|
#
5ae5ed5b |
|
06-Oct-2021 |
John Baldwin <jhb@FreeBSD.org> |
cryptosoft, ccr: Use crp_iv directly for AES-CCM and AES-GCM. Rather than copying crp_iv to a local array on the stack that is then passed to xform reinit routines, pass crp_iv directly and remove the local copy. Reviewed by: markj Sponsored by: Chelsio Communications, The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32106
|
#
1833d604 |
|
06-Oct-2021 |
John Baldwin <jhb@FreeBSD.org> |
crypto: Permit variable-sized IVs for ciphers with a reinit hook. Add a 'len' argument to the reinit hook in 'struct enc_xform' to permit support for AEAD ciphers such as AES-CCM and Chacha20-Poly1305 which support different nonce lengths. Reviewed by: markj Sponsored by: Chelsio Communications, The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32105
|
#
cb128893 |
|
06-Oct-2021 |
John Baldwin <jhb@FreeBSD.org> |
ccp, ccr: Simplify drivers to assume an AES-GCM IV length of 12. While here, use crypto_read_iv() in a few more places in ccr(4) that I missed previously. Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D32104
|
#
d8787d4f |
|
26-Jul-2021 |
Mark Johnston <markj@FreeBSD.org> |
crypto: Constify all transform descriptors No functional change intended. Reviewed by: ae, jhb MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31196
|
#
883a0196 |
|
25-May-2021 |
John Baldwin <jhb@FreeBSD.org> |
crypto: Add a new type of crypto buffer for a single mbuf. This is intended for use in KTLS transmit where each TLS record is described by a single mbuf that is itself queued in the socket buffer. Using the existing CRYPTO_BUF_MBUF would result in bus_dmamap_load_crp() walking additional mbufs in the socket buffer that are not relevant, but generating a S/G list that potentially exceeds the limit of the tag (while also wasting CPU cycles). Reviewed by: markj Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D30136
|
#
5fe0cd65 |
|
12-Mar-2021 |
John Baldwin <jhb@FreeBSD.org> |
ccr: Disable requests on port 1 when needed to workaround a firmware bug. Completions for crypto requests on port 1 can sometimes return a stale cookie value due to a firmware bug. Disable requests on port 1 by default on affected firmware. Reviewed by: np Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D26581
|
#
9c5137be |
|
12-Mar-2021 |
John Baldwin <jhb@FreeBSD.org> |
ccr: Add per-port stats of queued and completed requests. Reviewed by: np Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D29176
|
#
8f885fd1 |
|
12-Mar-2021 |
John Baldwin <jhb@FreeBSD.org> |
ccr: Set the RX channel ID correctly in work requests. These fixes are only relevant for requests on the second port. In some cases, the crypto completion data, completion message, and receive descriptor could be written in the wrong order. - Add a separate rx_channel_id that is a copy of the port's rx_c_chan and use it when an RX channel ID is required in crypto requests instead of using the tx_channel_id. - Set the correct rx_channel_id in the CPL_RX_PHYS_ADDR used to write the crypto result. - Set the FID to the first rx queue ID on the adapter rather than the queue ID of the first rx queue for the port. - While here, use tx_chan to set the tx_channel_id though this is identical to the previous value. Reviewed by: np Reported by: Chelsio QA Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D29175
|
#
0e993396 |
|
29-Sep-2020 |
John Baldwin <jhb@FreeBSD.org> |
Fallback to software for more GCM and CCM requests. ccr(4) uses software to handle GCM and CCM requests not supported by the crypto engine (e.g. with only AAD and no payload). This change adds a fallback for a few more requests such as those with more SGL entries than can fit in a work request (this can happen for GCM when decrypting a TLS record split across 15 or more packets). Reported by: Chelsio QA Reviewed by: np Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D26582
|
#
e6f6d0c9 |
|
25-Aug-2020 |
Alan Somers <asomers@FreeBSD.org> |
crypto(9): add CRYPTO_BUF_VMPAGE crypto(9) functions can now be used on buffers composed of an array of vm_page_t structures, such as those stored in an unmapped struct bio. It requires the running to kernel to support the direct memory map, so not all architectures can use it. Reviewed by: markj, kib, jhb, mjg, mat, bcr (manpages) MFC after: 1 week Sponsored by: Axcient Differential Revision: https://reviews.freebsd.org/D25671
|
#
94578db2 |
|
25-Jun-2020 |
John Baldwin <jhb@FreeBSD.org> |
Reduce contention on per-adapter lock. - Move temporary sglists into the session structure and protect them with a per-session lock instead of a per-adapter lock. - Retire an unused session field, and move a debugging field under INVARIANTS to avoid using the session lock for completion handling when INVARIANTS isn't enabled. - Use counter_u64 for per-adapter statistics. Note that this helps for cases where multiple sessions are used (e.g. multiple IPsec SAs or multiple KTLS connections). It does not help for workloads that use a single session (e.g. a single GELI volume). Reviewed by: np Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D25457
|
#
6deb4131 |
|
22-Jun-2020 |
John Baldwin <jhb@FreeBSD.org> |
Add support for requests with separate AAD to ccr(4). Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D25290
|
#
1a4a7e98 |
|
03-Jun-2020 |
John Baldwin <jhb@FreeBSD.org> |
Explicitly zero IVs on the stack. Reviewed by: delphij Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D25057
|
#
20c128da |
|
03-Jun-2020 |
John Baldwin <jhb@FreeBSD.org> |
Add explicit bzero's of sensitive data in software crypto consumers. Explicitly zero IVs, block buffers, and hashes/digests. Reviewed by: delphij Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D25057
|
#
2adc3c94 |
|
25-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Support separate output buffers in ccr(4). Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D24545
|
#
9c0e3d3a |
|
25-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Add support for optional separate output buffers to in-kernel crypto. Some crypto consumers such as GELI and KTLS for file-backed sendfile need to store their output in a separate buffer from the input. Currently these consumers copy the contents of the input buffer into the output buffer and queue an in-place crypto operation on the output buffer. Using a separate output buffer avoids this copy. - Create a new 'struct crypto_buffer' describing a crypto buffer containing a type and type-specific fields. crp_ilen is gone, instead buffers that use a flat kernel buffer have a cb_buf_len field for their length. The length of other buffer types is inferred from the backing store (e.g. uio_resid for a uio). Requests now have two such structures: crp_buf for the input buffer, and crp_obuf for the output buffer. - Consumers now use helper functions (crypto_use_*, e.g. crypto_use_mbuf()) to configure the input buffer. If an output buffer is not configured, the request still modifies the input buffer in-place. A consumer uses a second set of helper functions (crypto_use_output_*) to configure an output buffer. - Consumers must request support for separate output buffers when creating a crypto session via the CSP_F_SEPARATE_OUTPUT flag and are only permitted to queue a request with a separate output buffer on sessions with this flag set. Existing drivers already reject sessions with unknown flags, so this permits drivers to be modified to support this extension without requiring all drivers to change. - Several data-related functions now have matching versions that operate on an explicit buffer (e.g. crypto_apply_buf, crypto_contiguous_subsegment_buf, bus_dma_load_crp_buf). - Most of the existing data-related functions operate on the input buffer. However crypto_copyback always writes to the output buffer if a request uses a separate output buffer. - For the regions in input/output buffers, the following conventions are followed: - AAD and IV are always present in input only and their fields are offsets into the input buffer. - payload is always present in both buffers. If a request uses a separate output buffer, it must set a new crp_payload_start_output field to the offset of the payload in the output buffer. - digest is in the input buffer for verify operations, and in the output buffer for compute operations. crp_digest_start is relative to the appropriate buffer. - Add a crypto buffer cursor abstraction. This is a more general form of some bits in the cryptosoft driver that tried to always use uio's. However, compared to the original code, this avoids rewalking the uio iovec array for requests with multiple vectors. It also avoids allocate an iovec array for mbufs and populating it by instead walking the mbuf chain directly. - Update the cryptosoft(4) driver to support separate output buffers making use of the cursor abstraction. Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D24545
|
#
3e947048 |
|
20-May-2020 |
John Baldwin <jhb@FreeBSD.org> |
Various cleanups to the software encryption transform interface. - Consistently use 'void *' for key schedules / key contexts instead of a mix of 'caddr_t', 'uint8_t *', and 'void *'. - Add a ctxsize member to enc_xform similar to what auth transforms use and require callers to malloc/zfree the context. The setkey callback now supplies the caller-allocated context pointer and the zerokey callback is removed. Callers now always use zfree() to ensure key contexts are zeroed. - Consistently use C99 initializers for all statically-initialized instances of 'struct enc_xform'. - Change the encrypt and decrypt functions to accept separate in and out buffer pointers. Almost all of the backend crypto functions already supported separate input and output buffers and this makes it simpler to support separate buffers in OCF. - Remove xform_userland.h shim to permit transforms to be compiled in userland. Transforms no longer call malloc/free directly. Reviewed by: cem (earlier version) Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D24855
|
#
29fe41dd |
|
20-Apr-2020 |
John Baldwin <jhb@FreeBSD.org> |
Retire the CRYPTO_F_IV_GENERATE flag. The sole in-tree user of this flag has been retired, so remove this complexity from all drivers. While here, add a helper routine drivers can use to read the current request's IV into a local buffer. Use this routine to replace duplicated code in nearly all drivers. Reviewed by: cem Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D24450
|
#
94fad5ff |
|
10-Apr-2020 |
John Baldwin <jhb@FreeBSD.org> |
Use both crypto engines on a T6. A T6 adapter contains two crypto engines on separate channels. This commit distributes sessions between the two engines. Previously, only the first engine was used. Reviewed by: np Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24347
|
#
c0341432 |
|
27-Mar-2020 |
John Baldwin <jhb@FreeBSD.org> |
Refactor driver and consumer interfaces for OCF (in-kernel crypto). - The linked list of cryptoini structures used in session initialization is replaced with a new flat structure: struct crypto_session_params. This session includes a new mode to define how the other fields should be interpreted. Available modes include: - COMPRESS (for compression/decompression) - CIPHER (for simply encryption/decryption) - DIGEST (computing and verifying digests) - AEAD (combined auth and encryption such as AES-GCM and AES-CCM) - ETA (combined auth and encryption using encrypt-then-authenticate) Additional modes could be added in the future (e.g. if we wanted to support TLS MtE for AES-CBC in the kernel we could add a new mode for that. TLS modes might also affect how AAD is interpreted, etc.) The flat structure also includes the key lengths and algorithms as before. However, code doesn't have to walk the linked list and switch on the algorithm to determine which key is the auth key vs encryption key. The 'csp_auth_*' fields are always used for auth keys and settings and 'csp_cipher_*' for cipher. (Compression algorithms are stored in csp_cipher_alg.) - Drivers no longer register a list of supported algorithms. This doesn't quite work when you factor in modes (e.g. a driver might support both AES-CBC and SHA2-256-HMAC separately but not combined for ETA). Instead, a new 'crypto_probesession' method has been added to the kobj interface for symmteric crypto drivers. This method returns a negative value on success (similar to how device_probe works) and the crypto framework uses this value to pick the "best" driver. There are three constants for hardware (e.g. ccr), accelerated software (e.g. aesni), and plain software (cryptosoft) that give preference in that order. One effect of this is that if you request only hardware when creating a new session, you will no longer get a session using accelerated software. Another effect is that the default setting to disallow software crypto via /dev/crypto now disables accelerated software. Once a driver is chosen, 'crypto_newsession' is invoked as before. - Crypto operations are now solely described by the flat 'cryptop' structure. The linked list of descriptors has been removed. A separate enum has been added to describe the type of data buffer in use instead of using CRYPTO_F_* flags to make it easier to add more types in the future if needed (e.g. wired userspace buffers for zero-copy). It will also make it easier to re-introduce separate input and output buffers (in-kernel TLS would benefit from this). Try to make the flags related to IV handling less insane: - CRYPTO_F_IV_SEPARATE means that the IV is stored in the 'crp_iv' member of the operation structure. If this flag is not set, the IV is stored in the data buffer at the 'crp_iv_start' offset. - CRYPTO_F_IV_GENERATE means that a random IV should be generated and stored into the data buffer. This cannot be used with CRYPTO_F_IV_SEPARATE. If a consumer wants to deal with explicit vs implicit IVs, etc. it can always generate the IV however it needs and store partial IVs in the buffer and the full IV/nonce in crp_iv and set CRYPTO_F_IV_SEPARATE. The layout of the buffer is now described via fields in cryptop. crp_aad_start and crp_aad_length define the boundaries of any AAD. Previously with GCM and CCM you defined an auth crd with this range, but for ETA your auth crd had to span both the AAD and plaintext (and they had to be adjacent). crp_payload_start and crp_payload_length define the boundaries of the plaintext/ciphertext. Modes that only do a single operation (COMPRESS, CIPHER, DIGEST) should only use this region and leave the AAD region empty. If a digest is present (or should be generated), it's starting location is marked by crp_digest_start. Instead of using the CRD_F_ENCRYPT flag to determine the direction of the operation, cryptop now includes an 'op' field defining the operation to perform. For digests I've added a new VERIFY digest mode which assumes a digest is present in the input and fails the request with EBADMSG if it doesn't match the internally-computed digest. GCM and CCM already assumed this, and the new AEAD mode requires this for decryption. The new ETA mode now also requires this for decryption, so IPsec and GELI no longer do their own authentication verification. Simple DIGEST operations can also do this, though there are no in-tree consumers. To eventually support some refcounting to close races, the session cookie is now passed to crypto_getop() and clients should no longer set crp_sesssion directly. - Assymteric crypto operation structures should be allocated via crypto_getkreq() and freed via crypto_freekreq(). This permits the crypto layer to track open asym requests and close races with a driver trying to unregister while asym requests are in flight. - crypto_copyback, crypto_copydata, crypto_apply, and crypto_contiguous_subsegment now accept the 'crp' object as the first parameter instead of individual members. This makes it easier to deal with different buffer types in the future as well as separate input and output buffers. It's also simpler for driver writers to use. - bus_dmamap_load_crp() loads a DMA mapping for a crypto buffer. This understands the various types of buffers so that drivers that use DMA do not have to be aware of different buffer types. - Helper routines now exist to build an auth context for HMAC IPAD and OPAD. This reduces some duplicated work among drivers. - Key buffers are now treated as const throughout the framework and in device drivers. However, session key buffers provided when a session is created are expected to remain alive for the duration of the session. - GCM and CCM sessions now only specify a cipher algorithm and a cipher key. The redundant auth information is not needed or used. - For cryptosoft, split up the code a bit such that the 'process' callback now invokes a function pointer in the session. This function pointer is set based on the mode (in effect) though it simplifies a few edge cases that would otherwise be in the switch in 'process'. It does split up GCM vs CCM which I think is more readable even if there is some duplication. - I changed /dev/crypto to support GMAC requests using CRYPTO_AES_NIST_GMAC as an auth algorithm and updated cryptocheck to work with it. - Combined cipher and auth sessions via /dev/crypto now always use ETA mode. The COP_F_CIPHER_FIRST flag is now a no-op that is ignored. This was actually documented as being true in crypto(4) before, but the code had not implemented this before I added the CIPHER_FIRST flag. - I have not yet updated /dev/crypto to be aware of explicit modes for sessions. I will probably do that at some point in the future as well as teach it about IV/nonce and tag lengths for AEAD so we can support all of the NIST KAT tests for GCM and CCM. - I've split up the exising crypto.9 manpage into several pages of which many are written from scratch. - I have converted all drivers and consumers in the tree and verified that they compile, but I have not tested all of them. I have tested the following drivers: - cryptosoft - aesni (AES only) - blake2 - ccr and the following consumers: - cryptodev - IPsec - ktls_ocf - GELI (lightly) I have not tested the following: - ccp - aesni with sha - hifn - kgssapi_krb5 - ubsec - padlock - safe - armv8_crypto (aarch64) - glxsb (i386) - sec (ppc) - cesa (armv7) - cryptocteon (mips64) - nlmsec (mips64) Discussed with: cem Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D23677
|
#
7029da5c |
|
26-Feb-2020 |
Pawel Biernacki <kaktus@FreeBSD.org> |
Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many) r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are still not MPSAFE (or already are but aren’t properly marked). Use it in preparation for a general review of all nodes. This is non-functional change that adds annotations to SYSCTL_NODE and SYSCTL_PROC nodes using one of the soon-to-be-required flags. Mark all obvious cases as MPSAFE. All entries that haven't been marked as MPSAFE before are by default marked as NEEDGIANT Approved by: kib (mentor, blanket) Commented by: kib, gallatin, melifaro Differential Revision: https://reviews.freebsd.org/D23718
|
#
a1b2b6e1 |
|
12-Nov-2019 |
John Baldwin <jhb@FreeBSD.org> |
Create a file to hold shared routines for dealing with T6 key contexts. ccr(4) and TLS support in cxgbe(4) construct key contexts used by the crypto engine in the T6. This consolidates some duplicated code for helper functions used to build key contexts. Reviewed by: np MFC after: 1 month Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D22156
|
#
c59050aa |
|
08-Oct-2019 |
John Baldwin <jhb@FreeBSD.org> |
Set the FID field in lookaside crypto requests to the rx queue ID. The PCI block in the adapter requires this field to be set to a valid queue ID. It is not clear why it did not fail on all machines, but the effect was that crypto operations reading input data via DMA failed with an internal PCI read error on machines with 128G or more of RAM. Reported by: gallatin Reviewed by: np MFC after: 3 days Sponsored by: Chelsio Communications
|
#
6b0451d6 |
|
24-Apr-2019 |
John Baldwin <jhb@FreeBSD.org> |
Add support for AES-CCM to ccr(4). This is fairly similar to the AES-GCM support in ccr(4) in that it will fall back to software for certain cases (requests with only AAD and requests that are too large). Tested by: cryptocheck, cryptotest.py MFC after: 1 month Sponsored by: Chelsio Communications
|
#
a2ad169e |
|
24-Apr-2019 |
John Baldwin <jhb@FreeBSD.org> |
Fix requests for "plain" SHA digests of an empty buffer. To workaround limitations in the crypto engine, empty buffers are handled by manually constructing the final length block as the payload passed to the crypto engine and disabling the normal "final" handling. For HMAC this length block should hold the length of a single block since the hash is actually the hash of the IPAD digest, but for "plain" SHA the length should be zero instead. Reported by: NIST SHA1 test failure MFC after: 2 weeks Sponsored by: Chelsio Communications
|
#
475d54fa |
|
15-Jan-2019 |
John Baldwin <jhb@FreeBSD.org> |
Reject new sessions if the necessary queues aren't initialized. ccr reuses the control queue and first rx queue from the first port on each adapter. The driver cannot send requests until those queues are initialized. Refuse to create sessions for now if the queues aren't ready. This is a workaround until cxgbe allocates one or more dedicated queues for ccr. PR: 233851 MFC after: 1 week Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D18478
|
#
d09389fd |
|
16-Nov-2018 |
John Baldwin <jhb@FreeBSD.org> |
Consolidate on a single set of constants for SCMD fields. Both ccr(4) and the TOE TLS code had separate sets of constants for fields in SCMD messages. Sponsored by: Chelsio Communications
|
#
567a3784 |
|
29-Oct-2018 |
John Baldwin <jhb@FreeBSD.org> |
Add support for "plain" (non-HMAC) SHA digests. MFC after: 2 months Sponsored by: Chelsio Communications
|
#
1146377b |
|
23-Oct-2018 |
John Baldwin <jhb@FreeBSD.org> |
Support the SHA224 HMAC algorithm in ccr(4). MFC after: 2 months Sponsored by: Chelsio Communications
|
#
1b0909d5 |
|
17-Jul-2018 |
Conrad Meyer <cem@FreeBSD.org> |
OpenCrypto: Convert sessions to opaque handles instead of integers Track session objects in the framework, and pass handles between the framework (OCF), consumers, and drivers. Avoid redundancy and complexity in individual drivers by allocating session memory in the framework and providing it to drivers in ::newsession(). Session handles are no longer integers with information encoded in various high bits. Use of the CRYPTO_SESID2FOO() macros should be replaced with the appropriate crypto_ses2foo() function on the opaque session handle. Convert OCF drivers (in particular, cryptosoft, as well as myriad others) to the opaque handle interface. Discard existing session tracking as much as possible (quick pass). There may be additional code ripe for deletion. Convert OCF consumers (ipsec, geom_eli, krb5, cryptodev) to handle-style interface. The conversion is largely mechnical. The change is documented in crypto.9. Inspired by https://lists.freebsd.org/pipermail/freebsd-arch/2018-January/018835.html . No objection from: ae (ipsec portion) Reported by: jhb
|
#
db631975 |
|
26-Feb-2018 |
John Baldwin <jhb@FreeBSD.org> |
Don't overflow the ipad[] array when clearing the remainder. After the auth key is copied into the ipad[] array, any remaining bytes are cleared to zero (in case the key is shorter than one block size). The full block size was used as the length of the zero rather than the size of the remaining ipad[]. In practice this overflow was harmless as it could only clear bytes in the following opad[] array which is initialized with a copy of ipad[] in the next statement. Sponsored by: Chelsio Communications
|
#
52f8c526 |
|
26-Feb-2018 |
John Baldwin <jhb@FreeBSD.org> |
Move ccr_aes_getdeckey() from ccr(4) to the cxgbe(4) driver. This routine will also be used by the TOE module to manage TLS keys. Sponsored by: Chelsio Communications
|
#
c0154062 |
|
24-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Store IV in output buffer in GCM software fallback when requested. Properly honor the lack of the CRD_F_IV_PRESENT flag in the GCM software fallback case for encryption requests. Submitted by: Harsh Jain @ Chelsio Sponsored by: Chelsio Communications
|
#
2bc40b6c |
|
24-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Don't read or generate an IV until all error checking is complete. In particular, this avoids edge cases where a generated IV might be written into the output buffer even though the request is failed with an error. Sponsored by: Chelsio Communications
|
#
04043b3d |
|
24-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Expand the software fallback for GCM to cover more cases. - Extend ccr_gcm_soft() to handle requests with a non-empty payload. While here, switch to allocating the GMAC context instead of placing it on the stack since it is over 1KB in size. - Allow ccr_gcm() to return a special error value (EMSGSIZE) which triggers a fallback to ccr_gcm_soft(). Move the existing empty payload check into ccr_gcm() and change a few other cases (e.g. large AAD) to fallback to software via EMSGSIZE as well. - Add a new 'sw_fallback' stat to count the number of requests processed via the software fallback. Submitted by: Harsh Jain @ Chelsio (original version) Sponsored by: Chelsio Communications
|
#
bf5b6620 |
|
24-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Clamp DSGL entries to a length of 2KB. This works around an issue in the T6 that can result in DMA engine stalls if an error occurs while processing a DSGL entry with a length larger than 2KB. Submitted by: Harsh Jain @ Chelsio Sponsored by: Chelsio Communications
|
#
f7b61e2f |
|
24-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Fail crypto requests when the resulting work request is too large. Most crypto requests will not trigger this condition, but a request with a highly-fragmented data buffer (and a resulting "large" S/G list) could trigger it. Sponsored by: Chelsio Communications
|
#
5929c9fb |
|
24-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Don't discard AAD and IV output data for AEAD requests. The T6 can hang when processing certain AEAD requests if the request sets a flag asking the crypto engine to discard the input IV and AAD rather than copying them into the output buffer. The existing driver always discards the IV and AAD as we do not need it. As a workaround, allocate a single "dummy" buffer when the ccr driver attaches and change all AEAD requests to write the IV and AAD to this scratch buffer. The contents of the scratch buffer are never used (similar to "bogus_page"), and it is ok for multiple in-flight requests to share this dummy buffer. Submitted by: Harsh Jain @ Chelsio (original version) Sponsored by: Chelsio Communications
|
#
acaabdbb |
|
24-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Reject requests with AAD and IV larger than 511 bytes. The T6 crypto engine's control messages only support a total AAD length (including the prefixed IV) of 511 bytes. Reject requests with large AAD rather than returning incorrect results. Sponsored by: Chelsio Communications
|
#
020ce53a |
|
24-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Always set the IV location to IV_NOP. The firmware ignores this field in the FW_CRYPTO_LOOKASIDE_WR work request. Submitted by: Harsh Jain @ Chelsio Sponsored by: Chelsio Communications
|
#
d3f25aa1 |
|
24-Jan-2018 |
John Baldwin <jhb@FreeBSD.org> |
Always store the IV in the immediate portion of a work request. Combined authentication-encryption and GCM requests already stored the IV in the immediate explicitly. This extends this behavior to block cipher requests to work around a firmware bug. While here, simplify the AEAD and GCM handlers to not include always-true conditions. Submitted by: Harsh Jain @ Chelsio Sponsored by: Chelsio Communications
|
#
ac2fffa4 |
|
21-Jan-2018 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
Revert r327828, r327949, r327953, r328016-r328026, r328041: Uses of mallocarray(9). The use of mallocarray(9) has rocketed the required swap to build FreeBSD. This is likely caused by the allocation size attributes which put extra pressure on the compiler. Given that most of these checks are superfluous we have to choose better where to use mallocarray(9). We still have more uses of mallocarray(9) but hopefully this is enough to bring swap usage to a reasonable level. Reported by: wosch PR: 225197
|
#
26c1d774 |
|
13-Jan-2018 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
dev: make some use of mallocarray(9). Focus on code where we are doing multiplications within malloc(9). None of these is likely to overflow, however the change is still useful as some static checkers can benefit from the allocation attributes we use for mallocarray. This initial sweep only covers malloc(9) calls with M_NOWAIT. No good reason but I started doing the changes before r327796 and at that time it was convenient to make sure the sorrounding code could handle NULL values.
|
#
2bd1e600 |
|
14-Sep-2017 |
John Baldwin <jhb@FreeBSD.org> |
Fix some incorrect sysctl pointers for some error stats. The bad_session, sglist_error, and process_error sysctl nodes were returning the value of the pad_error node instead of the appropriate error counters. Sponsored by: Chelsio Communications
|
#
1496376f |
|
08-Jun-2017 |
John Baldwin <jhb@FreeBSD.org> |
Fix the software fallback for GCM to validate the existing tag for decrypts. Sponsored by: Chelsio Communications
|
#
4623e047 |
|
08-Jun-2017 |
John Baldwin <jhb@FreeBSD.org> |
Add explicit handling for requests with an empty payload. - For HMAC requests, construct a special input buffer to request an empty hash result. - For plain cipher requests and requests that chain an AES cipher with an HMAC, fail with EINVAL if there is no cipher payload. If needed in the future, chained requests that only contain AAD could be serviced as HMAC-only requests. - For GCM requests, the hardware does not support generating the tag for an AAD-only request. Instead, complete these requests synchronously in software on the assumption that such requests are rare. Sponsored by: Chelsio Communications
|
#
d68990a1 |
|
26-May-2017 |
John Baldwin <jhb@FreeBSD.org> |
Fail large requests with EFBIG. The adapter firmware in general does not accept PDUs larger than 64k - 1 bytes in size. Sending crypto requests larger than this size result in hangs or incorrect output, so reject them with EFBIG. For requests chaining an AES cipher with an HMAC, the firmware appears to require slightly smaller requests (around 512 bytes). Sponsored by: Chelsio Communications
|
#
5033c43b |
|
17-May-2017 |
John Baldwin <jhb@FreeBSD.org> |
Add a driver for the Chelsio T6 crypto accelerator engine. The ccr(4) driver supports use of the crypto accelerator engine on Chelsio T6 NICs in "lookaside" mode via the opencrypto framework. Currently, the driver supports AES-CBC, AES-CTR, AES-GCM, and AES-XTS cipher algorithms as well as the SHA1-HMAC, SHA2-256-HMAC, SHA2-384-HMAC, and SHA2-512-HMAC authentication algorithms. The driver also supports chaining one of AES-CBC, AES-CTR, or AES-XTS with an authentication algorithm for encrypt-then-authenticate operations. Note that this driver is still under active development and testing and may not yet be ready for production use. It does pass the tests in tests/sys/opencrypto with the exception that the AES-GCM implementation in the driver does not yet support requests with a zero byte payload. To use this driver currently, the "uwire" configuration must be used along with explicitly enabling support for lookaside crypto capabilities in the cxgbe(4) driver. These can be done by setting the following tunables before loading the cxgbe(4) driver: hw.cxgbe.config_file=uwire hw.cxgbe.cryptocaps_allowed=-1 MFC after: 1 month Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D10763
|