FD.io VPP  v20.01-48-g3e0dafb74
Vector Packet Processing
aes_cbc.c
Go to the documentation of this file.
1 /*
2  *------------------------------------------------------------------
3  * Copyright (c) 2019 Cisco and/or its affiliates.
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *------------------------------------------------------------------
16  */
17 
18 #include <vlib/vlib.h>
19 #include <vnet/plugin/plugin.h>
20 #include <vnet/crypto/crypto.h>
21 #include <x86intrin.h>
22 #include <crypto_ia32/crypto_ia32.h>
23 #include <crypto_ia32/aesni.h>
24 
25 #if __GNUC__ > 4 && !__clang__ && CLIB_DEBUG == 0
26 #pragma GCC optimize ("O3")
27 #endif
28 
29 typedef struct
30 {
31  __m128i encrypt_key[15];
32  __m128i decrypt_key[15];
33 } aes_cbc_key_data_t;
34 
35 static_always_inline void
36 aes_cbc_dec (__m128i * k, u8 * src, u8 * dst, u8 * iv, int count,
37  aesni_key_size_t rounds)
38 {
39  __m128i r0, r1, r2, r3, c0, c1, c2, c3, f;
40  int i;
41 
42  f = _mm_loadu_si128 ((__m128i *) iv);
43 
44  while (count >= 64)
45  {
46  _mm_prefetch (src + 128, _MM_HINT_T0);
47  _mm_prefetch (dst + 128, _MM_HINT_T0);
48 
49  c0 = _mm_loadu_si128 (((__m128i *) src + 0));
50  c1 = _mm_loadu_si128 (((__m128i *) src + 1));
51  c2 = _mm_loadu_si128 (((__m128i *) src + 2));
52  c3 = _mm_loadu_si128 (((__m128i *) src + 3));
53 
54  r0 = c0 ^ k[0];
55  r1 = c1 ^ k[0];
56  r2 = c2 ^ k[0];
57  r3 = c3 ^ k[0];
58 
59  for (i = 1; i < rounds; i++)
60  {
61  r0 = _mm_aesdec_si128 (r0, k[i]);
62  r1 = _mm_aesdec_si128 (r1, k[i]);
63  r2 = _mm_aesdec_si128 (r2, k[i]);
64  r3 = _mm_aesdec_si128 (r3, k[i]);
65  }
66 
67  r0 = _mm_aesdeclast_si128 (r0, k[i]);
68  r1 = _mm_aesdeclast_si128 (r1, k[i]);
69  r2 = _mm_aesdeclast_si128 (r2, k[i]);
70  r3 = _mm_aesdeclast_si128 (r3, k[i]);
71 
72  _mm_storeu_si128 ((__m128i *) dst + 0, r0 ^ f);
73  _mm_storeu_si128 ((__m128i *) dst + 1, r1 ^ c0);
74  _mm_storeu_si128 ((__m128i *) dst + 2, r2 ^ c1);
75  _mm_storeu_si128 ((__m128i *) dst + 3, r3 ^ c2);
76 
77  f = c3;
78 
79  count -= 64;
80  src += 64;
81  dst += 64;
82  }
83 
84  while (count > 0)
85  {
86  c0 = _mm_loadu_si128 (((__m128i *) src));
87  r0 = c0 ^ k[0];
88  for (i = 1; i < rounds; i++)
89  r0 = _mm_aesdec_si128 (r0, k[i]);
90  r0 = _mm_aesdeclast_si128 (r0, k[i]);
91  _mm_storeu_si128 ((__m128i *) dst, r0 ^ f);
92  f = c0;
93  count -= 16;
94  src += 16;
95  dst += 16;
96  }
97 }
98 
99 static_always_inline u32
100 aesni_ops_enc_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[],
101  u32 n_ops, aesni_key_size_t ks)
102 {
103  crypto_ia32_main_t *cm = &crypto_ia32_main;
104  crypto_ia32_per_thread_data_t *ptd = vec_elt_at_index (cm->per_thread_data,
105  vm->thread_index);
106  int rounds = AESNI_KEY_ROUNDS (ks);
107  u8 dummy[8192];
108  u8 *src[4] = { };
109  u8 *dst[4] = { };
110  vnet_crypto_key_index_t key_index[4] = { ~0, ~0, ~0, ~0 };
111  u32x4 dummy_mask = { };
112  u32x4 len = { };
113  u32 i, j, count, n_left = n_ops;
114  __m128i r[4] = { }, k[4][rounds + 1];
115 
116 more:
117  for (i = 0; i < 4; i++)
118  if (len[i] == 0)
119  {
120  if (n_left == 0)
121  {
122  /* no more work to enqueue, so we are enqueueing dummy buffer */
123  src[i] = dst[i] = dummy;
124  len[i] = sizeof (dummy);
125  dummy_mask[i] = 0;
126  }
127  else
128  {
129  if (ops[0]->flags & VNET_CRYPTO_OP_FLAG_INIT_IV)
130  {
131  r[i] = ptd->cbc_iv[i];
132  _mm_storeu_si128 ((__m128i *) ops[0]->iv, r[i]);
133  ptd->cbc_iv[i] = _mm_aesenc_si128 (r[i], r[i]);
134  }
135  else
136  r[i] = _mm_loadu_si128 ((__m128i *) ops[0]->iv);
137  src[i] = ops[0]->src;
138  dst[i] = ops[0]->dst;
139  len[i] = ops[0]->len;
140  dummy_mask[i] = ~0;
141  if (key_index[i] != ops[0]->key_index)
142  {
143  aes_cbc_key_data_t *kd;
144  key_index[i] = ops[0]->key_index;
145  kd = (aes_cbc_key_data_t *) cm->key_data[key_index[i]];
146  clib_memcpy_fast (k[i], kd->encrypt_key,
147  (rounds + 1) * sizeof (__m128i));
148  }
149  ops[0]->status = VNET_CRYPTO_OP_STATUS_COMPLETED;
150  n_left--;
151  ops++;
152  }
153  }
154 
155  count = u32x4_min_scalar (len);
156 
157  ASSERT (count % 16 == 0);
158 
159  for (i = 0; i < count; i += 16)
160  {
161  r[0] ^= _mm_loadu_si128 ((__m128i *) (src[0] + i)) ^ k[0][0];
162  r[1] ^= _mm_loadu_si128 ((__m128i *) (src[1] + i)) ^ k[1][0];
163  r[2] ^= _mm_loadu_si128 ((__m128i *) (src[2] + i)) ^ k[2][0];
164  r[3] ^= _mm_loadu_si128 ((__m128i *) (src[3] + i)) ^ k[3][0];
165 
166  for (j = 1; j < rounds; j++)
167  {
168  r[0] = _mm_aesenc_si128 (r[0], k[0][j]);
169  r[1] = _mm_aesenc_si128 (r[1], k[1][j]);
170  r[2] = _mm_aesenc_si128 (r[2], k[2][j]);
171  r[3] = _mm_aesenc_si128 (r[3], k[3][j]);
172  }
173 
174  r[0] = _mm_aesenclast_si128 (r[0], k[0][j]);
175  r[1] = _mm_aesenclast_si128 (r[1], k[1][j]);
176  r[2] = _mm_aesenclast_si128 (r[2], k[2][j]);
177  r[3] = _mm_aesenclast_si128 (r[3], k[3][j]);
178 
179  _mm_storeu_si128 ((__m128i *) (dst[0] + i), r[0]);
180  _mm_storeu_si128 ((__m128i *) (dst[1] + i), r[1]);
181  _mm_storeu_si128 ((__m128i *) (dst[2] + i), r[2]);
182  _mm_storeu_si128 ((__m128i *) (dst[3] + i), r[3]);
183  }
184 
185  for (i = 0; i < 4; i++)
186  {
187  src[i] += count;
188  dst[i] += count;
189  len[i] -= count;
190  }
191 
192  if (n_left > 0)
193  goto more;
194 
195  if (!u32x4_is_all_zero (len & dummy_mask))
196  goto more;
197 
198  return n_ops;
199 }
200 
201 static_always_inline u32
202 aesni_ops_dec_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[],
203  u32 n_ops, aesni_key_size_t ks)
204 {
205  crypto_ia32_main_t *cm = &crypto_ia32_main;
206  int rounds = AESNI_KEY_ROUNDS (ks);
207  vnet_crypto_op_t *op = ops[0];
208  aes_cbc_key_data_t *kd = (aes_cbc_key_data_t *) cm->key_data[op->key_index];
209  u32 n_left = n_ops;
210 
211  ASSERT (n_ops >= 1);
212 
213 decrypt:
214  aes_cbc_dec (kd->decrypt_key, op->src, op->dst, op->iv, op->len, rounds);
215  op->status = VNET_CRYPTO_OP_STATUS_COMPLETED;
216 
217  if (--n_left)
218  {
219  op += 1;
220  kd = (aes_cbc_key_data_t *) cm->key_data[op->key_index];
221  goto decrypt;
222  }
223 
224  return n_ops;
225 }
226 
227 static_always_inline void *
228 aesni_cbc_key_exp (vnet_crypto_key_t * key, aesni_key_size_t ks)
229 {
230  aes_cbc_key_data_t *kd;
231  kd = clib_mem_alloc_aligned (sizeof (*kd), CLIB_CACHE_LINE_BYTES);
232  aes_key_expand (kd->encrypt_key, key->data, ks);
233  aes_key_expand (kd->decrypt_key, key->data, ks);
234  aes_key_enc_to_dec (kd->decrypt_key, ks);
235  return kd;
236 }
237 
238 #define foreach_aesni_cbc_handler_type _(128) _(192) _(256)
239 
240 #define _(x) \
241 static u32 aesni_ops_dec_aes_cbc_##x \
242 (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops) \
243 { return aesni_ops_dec_aes_cbc (vm, ops, n_ops, AESNI_KEY_##x); } \
244 static u32 aesni_ops_enc_aes_cbc_##x \
245 (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops) \
246 { return aesni_ops_enc_aes_cbc (vm, ops, n_ops, AESNI_KEY_##x); } \
247 static void * aesni_cbc_key_exp_##x (vnet_crypto_key_t *key) \
248 { return aesni_cbc_key_exp (key, AESNI_KEY_##x); }
249 
250 foreach_aesni_cbc_handler_type;
251 #undef _
252 
253 #include <fcntl.h>
254 
255 clib_error_t *
256 #ifdef __AVX512F__
257 crypto_ia32_aesni_cbc_init_avx512 (vlib_main_t * vm)
258 #elif __AVX2__
259 crypto_ia32_aesni_cbc_init_avx2 (vlib_main_t * vm)
260 #else
261 crypto_ia32_aesni_cbc_init_sse42 (vlib_main_t * vm)
262 #endif
263 {
264  crypto_ia32_main_t *cm = &crypto_ia32_main;
265  crypto_ia32_per_thread_data_t *ptd;
266  clib_error_t *err = 0;
267  int fd;
268 
269  if ((fd = open ("/dev/urandom", O_RDONLY)) < 0)
270  return clib_error_return_unix (0, "failed to open '/dev/urandom'");
271 
272  /* *INDENT-OFF* */
273  vec_foreach (ptd, cm->per_thread_data)
274  {
275  for (int i = 0; i < 4; i++)
276  {
277  if (read(fd, ptd->cbc_iv, sizeof (ptd->cbc_iv)) !=
278  sizeof (ptd->cbc_iv))
279  {
280  err = clib_error_return_unix (0, "'/dev/urandom' read failure");
281  goto error;
282  }
283  }
284  }
285  /* *INDENT-ON* */
286 
287 #define _(x) \
288  vnet_crypto_register_ops_handler (vm, cm->crypto_engine_index, \
289  VNET_CRYPTO_OP_AES_##x##_CBC_ENC, \
290  aesni_ops_enc_aes_cbc_##x); \
291  vnet_crypto_register_ops_handler (vm, cm->crypto_engine_index, \
292  VNET_CRYPTO_OP_AES_##x##_CBC_DEC, \
293  aesni_ops_dec_aes_cbc_##x); \
294  cm->key_fn[VNET_CRYPTO_ALG_AES_##x##_CBC] = aesni_cbc_key_exp_##x;
295  foreach_aesni_cbc_handler_type;
296 #undef _
297 
298 error:
299  close (fd);
300  return err;
301 }
302 
303 /*
304  * fd.io coding-style-patch-verification: ON
305  *
306  * Local Variables:
307  * eval: (c-set-style "gnu")
308  * End:
309  */
vnet_crypto_op_t::dst
u8 * dst
Definition: crypto.h:139
count
u8 count
Definition: dhcp.api:208
crypto_ia32_main
crypto_ia32_main_t crypto_ia32_main
Definition: main.c:23
u32x4_min_scalar
static_always_inline u32 u32x4_min_scalar(u32x4 v)
Definition: vector_sse42.h:579
aes_cbc_key_data_t::encrypt_key
__m128i encrypt_key[15]
Definition: aes_cbc.c:31
vnet_crypto_key_t::data
u8 * data
Definition: crypto.h:101
clib_memcpy_fast
#define clib_memcpy_fast(a, b, c)
Definition: string.h:81
vnet_crypto_op_t::iv
u8 * iv
Definition: crypto.h:137
vlib_main_t::thread_index
u32 thread_index
Definition: main.h:218
src
vl_api_address_t src
Definition: gre.api:60
i
int i
Definition: flowhash_template.h:376
AESNI_KEY_ROUNDS
#define AESNI_KEY_ROUNDS(x)
Definition: aesni.h:28
aesni_cbc_key_exp
static_always_inline void * aesni_cbc_key_exp(vnet_crypto_key_t *key, aesni_key_size_t ks)
Definition: aes_cbc.c:228
aes_key_expand
static_always_inline void aes_key_expand(__m128i *k, u8 *key, aesni_key_size_t ks)
Definition: aesni.h:181
u8
unsigned char u8
Definition: types.h:56
static_always_inline
#define static_always_inline
Definition: clib.h:99
aesni_key_size_t
aesni_key_size_t
Definition: aesni.h:21
crypto_ia32_per_thread_data_t::cbc_iv
__m128i cbc_iv[4]
Definition: crypto_ia32.h:25
aesni_ops_dec_aes_cbc
static_always_inline u32 aesni_ops_dec_aes_cbc(vlib_main_t *vm, vnet_crypto_op_t *ops[], u32 n_ops, aesni_key_size_t ks)
Definition: aes_cbc.c:202
vec_elt_at_index
#define vec_elt_at_index(v, i)
Get vector value at index i checking that i is in bounds.
Definition: vec_bootstrap.h:188
u32
unsigned int u32
Definition: types.h:88
crypto_ia32_main_t
Definition: crypto_ia32.h:28
cm
vnet_crypto_main_t * cm
Definition: quic_crypto.c:41
iv
static u8 iv[]
Definition: aes_cbc.c:24
crypto_ia32.h
clib_error_return_unix
#define clib_error_return_unix(e, args...)
Definition: error.h:102
aes_cbc_key_data_t::decrypt_key
__m128i decrypt_key[15]
Definition: aes_cbc.c:32
dst
vl_api_address_t dst
Definition: gre.api:61
len
u8 len
Definition: ip_types.api:91
flags
u32 flags
Definition: vhost_user.h:141
VNET_CRYPTO_OP_FLAG_INIT_IV
#define VNET_CRYPTO_OP_FLAG_INIT_IV
Definition: crypto.h:131
aes_cbc_key_data_t
Definition: aes_cbc.c:29
crypto_ia32_main_t::per_thread_data
crypto_ia32_per_thread_data_t * per_thread_data
Definition: crypto_ia32.h:31
crypto_ia32_aesni_cbc_init_avx2
clib_error_t * crypto_ia32_aesni_cbc_init_avx2(vlib_main_t *vm)
aes_cbc_dec
static_always_inline void aes_cbc_dec(__m128i *k, u8 *src, u8 *dst, u8 *iv, int count, aesni_key_size_t rounds)
Definition: aes_cbc.c:36
ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69
vnet_crypto_op_t::len
u32 len
Definition: crypto.h:134
crypto_ia32_main_t::key_data
void ** key_data
Definition: crypto_ia32.h:33
vnet_crypto_key_index_t
u32 vnet_crypto_key_index_t
Definition: crypto.h:159
vnet_crypto_key_t
Definition: crypto.h:99
clib_error_t
Definition: clib_error.h:21
key
typedef key
Definition: ipsec_types.api:83
crypto_ia32_per_thread_data_t
Definition: crypto_ia32.h:23
aesni_ops_enc_aes_cbc
static_always_inline u32 aesni_ops_enc_aes_cbc(vlib_main_t *vm, vnet_crypto_op_t *ops[], u32 n_ops, aesni_key_size_t ks)
Definition: aes_cbc.c:100
vnet_crypto_op_t::src
u8 * src
Definition: crypto.h:138
aes_key_enc_to_dec
static_always_inline void aes_key_enc_to_dec(__m128i *k, aesni_key_size_t ks)
Definition: aesni.h:199
vlib_main_t
Definition: main.h:83
crypto_ia32_aesni_cbc_init_sse42
clib_error_t * crypto_ia32_aesni_cbc_init_sse42(vlib_main_t *vm)
Definition: aes_cbc.c:261
vnet_crypto_op_t::status
vnet_crypto_op_status_t status
Definition: crypto.h:129
clib_mem_alloc_aligned
static void * clib_mem_alloc_aligned(uword size, uword align)
Definition: mem.h:161
vec_foreach
#define vec_foreach(var, vec)
Vector iterator.
Definition: vec_bootstrap.h:198
u32x4
unsigned long long u32x4
Definition: ixge.c:28
foreach_aesni_cbc_handler_type
#define foreach_aesni_cbc_handler_type
Definition: aes_cbc.c:238
CLIB_CACHE_LINE_BYTES
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
vnet_crypto_op_t::key_index
u32 key_index
Definition: crypto.h:133
crypto_ia32_aesni_cbc_init_avx512
clib_error_t * crypto_ia32_aesni_cbc_init_avx512(vlib_main_t *vm)
vnet_crypto_op_t
Definition: crypto.h:125