From: Jamin Lin <jamin_lin@aspeedtech.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>,
"Cédric Le Goater" <clg@kaod.org>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Steven Lee" <steven_lee@aspeedtech.com>,
"Troy Lee" <leetroy@gmail.com>,
"Kane Chen" <kane_chen@aspeedtech.com>,
"Andrew Jeffery" <andrew@codeconstruct.com.au>,
"Joel Stanley" <joel@jms.id.au>, "Eric Blake" <eblake@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Fabiano Rosas" <farosas@suse.de>,
"Laurent Vivier" <lvivier@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"open list:All patches CC here" <qemu-devel@nongnu.org>,
"open list:ASPEED BMCs" <qemu-arm@nongnu.org>
Cc: Jamin Lin <jamin_lin@aspeedtech.com>, Troy Lee <troy_lee@aspeedtech.com>
Subject: [PATCH v2 10/17] crypto/cipher-nettle: Implement AES-GCM
Date: Wed, 15 Jul 2026 03:33:29 +0000 [thread overview]
Message-ID: <20260715033311.1648424-11-jamin_lin@aspeedtech.com> (raw)
In-Reply-To: <20260715033311.1648424-1-jamin_lin@aspeedtech.com>
Add the AES-GCM AEAD mode to the nettle backend so it is available when
QEMU is built with nettle instead of gcrypt. GCM is driven through
nettle's generic gcm_* interface, using the AES encrypt function for both
directions: gcm_set_iv() sets the (typically 96-bit) nonce, gcm_update()
feeds the associated data, gcm_encrypt()/gcm_decrypt() need not be block
aligned, and gcm_digest() produces the authentication tag.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
crypto/cipher-nettle.c.inc | 128 +++++++++++++++++++++++++++++++++++++
1 file changed, 128 insertions(+)
diff --git a/crypto/cipher-nettle.c.inc b/crypto/cipher-nettle.c.inc
index 1afdc391b4..d4847f0efe 100644
--- a/crypto/cipher-nettle.c.inc
+++ b/crypto/cipher-nettle.c.inc
@@ -27,6 +27,7 @@
#include <nettle/twofish.h>
#include <nettle/ctr.h>
#include <nettle/xts.h>
+#include <nettle/gcm.h>
#ifdef CONFIG_CRYPTO_SM4
#include <nettle/sm4.h>
#endif
@@ -410,6 +411,125 @@ DEFINE_ECB(qcrypto_nettle_sm4,
sm4_encrypt_native, sm4_decrypt_native)
#endif
+/*
+ * GCM is an AEAD mode built on AES (128-bit block only). Drive it through the
+ * generic gcm_* interface, using the block cipher's encrypt function for both
+ * directions; associated data is fed with gcm_update() and the authentication
+ * tag is produced by gcm_digest().
+ */
+typedef struct QCryptoNettleAESGCM {
+ QCryptoCipher base;
+ struct gcm_key gcm_key;
+ struct gcm_ctx gcm_ctx;
+ union {
+ struct aes128_ctx aes128;
+ struct aes192_ctx aes192;
+ struct aes256_ctx aes256;
+ } cipher;
+ nettle_cipher_func *encrypt;
+} QCryptoNettleAESGCM;
+
+static int qcrypto_nettle_aes_gcm_setiv(QCryptoCipher *cipher,
+ const uint8_t *iv, size_t niv,
+ Error **errp)
+{
+ QCryptoNettleAESGCM *ctx = container_of(cipher, QCryptoNettleAESGCM, base);
+
+ gcm_set_iv(&ctx->gcm_ctx, &ctx->gcm_key, niv, iv);
+ return 0;
+}
+
+static int qcrypto_nettle_aes_gcm_setaad(QCryptoCipher *cipher,
+ const uint8_t *aad, size_t len,
+ Error **errp)
+{
+ QCryptoNettleAESGCM *ctx = container_of(cipher, QCryptoNettleAESGCM, base);
+
+ gcm_update(&ctx->gcm_ctx, &ctx->gcm_key, len, aad);
+ return 0;
+}
+
+static int qcrypto_nettle_aes_gcm_encrypt(QCryptoCipher *cipher,
+ const void *in, void *out,
+ size_t len, Error **errp)
+{
+ QCryptoNettleAESGCM *ctx = container_of(cipher, QCryptoNettleAESGCM, base);
+
+ gcm_encrypt(&ctx->gcm_ctx, &ctx->gcm_key, &ctx->cipher, ctx->encrypt,
+ len, out, in);
+ return 0;
+}
+
+static int qcrypto_nettle_aes_gcm_decrypt(QCryptoCipher *cipher,
+ const void *in, void *out,
+ size_t len, Error **errp)
+{
+ QCryptoNettleAESGCM *ctx = container_of(cipher, QCryptoNettleAESGCM, base);
+
+ gcm_decrypt(&ctx->gcm_ctx, &ctx->gcm_key, &ctx->cipher, ctx->encrypt,
+ len, out, in);
+ return 0;
+}
+
+static int qcrypto_nettle_aes_gcm_gettag(QCryptoCipher *cipher,
+ uint8_t *tag, size_t len,
+ Error **errp)
+{
+ QCryptoNettleAESGCM *ctx = container_of(cipher, QCryptoNettleAESGCM, base);
+
+ gcm_digest(&ctx->gcm_ctx, &ctx->gcm_key, &ctx->cipher, ctx->encrypt,
+ len, tag);
+ return 0;
+}
+
+static const struct QCryptoCipherDriver qcrypto_nettle_aes_gcm_driver = {
+ .cipher_encrypt = qcrypto_nettle_aes_gcm_encrypt,
+ .cipher_decrypt = qcrypto_nettle_aes_gcm_decrypt,
+ .cipher_setiv = qcrypto_nettle_aes_gcm_setiv,
+ .cipher_setaad = qcrypto_nettle_aes_gcm_setaad,
+ .cipher_gettag = qcrypto_nettle_aes_gcm_gettag,
+ .cipher_free = qcrypto_cipher_ctx_free,
+};
+
+static QCryptoCipher *qcrypto_nettle_aes_gcm_ctx_new(QCryptoCipherAlgo alg,
+ const uint8_t *key,
+ size_t nkey,
+ Error **errp)
+{
+ QCryptoNettleAESGCM *ctx;
+
+ if (!qcrypto_cipher_validate_key_length(alg, QCRYPTO_CIPHER_MODE_GCM,
+ nkey, errp)) {
+ return NULL;
+ }
+
+ ctx = g_new0(QCryptoNettleAESGCM, 1);
+ ctx->base.driver = &qcrypto_nettle_aes_gcm_driver;
+
+ switch (alg) {
+ case QCRYPTO_CIPHER_ALGO_AES_128:
+ aes128_set_encrypt_key(&ctx->cipher.aes128, key);
+ ctx->encrypt = aes128_encrypt_native;
+ break;
+ case QCRYPTO_CIPHER_ALGO_AES_192:
+ aes192_set_encrypt_key(&ctx->cipher.aes192, key);
+ ctx->encrypt = aes192_encrypt_native;
+ break;
+ case QCRYPTO_CIPHER_ALGO_AES_256:
+ aes256_set_encrypt_key(&ctx->cipher.aes256, key);
+ ctx->encrypt = aes256_encrypt_native;
+ break;
+ default:
+ error_setg(errp, "Unsupported cipher algorithm %s with GCM mode",
+ QCryptoCipherAlgo_str(alg));
+ g_free(ctx);
+ return NULL;
+ }
+
+ gcm_set_key(&ctx->gcm_key, &ctx->cipher, ctx->encrypt);
+ return &ctx->base;
+}
+
bool qcrypto_cipher_supports(QCryptoCipherAlgo alg,
QCryptoCipherMode mode)
{
@@ -440,6 +560,10 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgo alg,
case QCRYPTO_CIPHER_MODE_XTS:
case QCRYPTO_CIPHER_MODE_CTR:
return true;
+ case QCRYPTO_CIPHER_MODE_GCM:
+ return alg == QCRYPTO_CIPHER_ALGO_AES_128 ||
+ alg == QCRYPTO_CIPHER_ALGO_AES_192 ||
+ alg == QCRYPTO_CIPHER_ALGO_AES_256;
default:
return false;
}
@@ -451,6 +575,10 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgo alg,
size_t nkey,
Error **errp)
{
+ if (mode == QCRYPTO_CIPHER_MODE_GCM) {
+ return qcrypto_nettle_aes_gcm_ctx_new(alg, key, nkey, errp);
+ }
+
switch (mode) {
case QCRYPTO_CIPHER_MODE_ECB:
case QCRYPTO_CIPHER_MODE_CBC:
--
2.43.0
next prev parent reply other threads:[~2026-07-15 3:37 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-15 3:33 [PATCH v2 00/17] Support the ASPEED HACE crypto command Jamin Lin
2026-07-15 3:33 ` [PATCH v2 01/17] hw/misc/aspeed_hace: Support the crypto command in direct access mode Jamin Lin
2026-07-15 3:33 ` [PATCH v2 02/17] tests/qtest/aspeed-hace: Test the crypto command on the AST2500 Jamin Lin
2026-07-15 3:33 ` [PATCH v2 03/17] hw/misc/aspeed_hace: Support scatter-gather mode for the crypto command Jamin Lin
2026-07-15 3:33 ` [PATCH v2 04/17] hw/misc/aspeed_hace: Support the CTR " Jamin Lin
2026-07-15 3:33 ` [PATCH v2 05/17] tests/qtest/aspeed-hace: Test the crypto command on the AST2600 Jamin Lin
2026-07-15 3:33 ` [PATCH v2 06/17] tests/qtest/aspeed-hace: Test the crypto command on the AST1030 Jamin Lin
2026-07-15 3:33 ` [PATCH v2 07/17] crypto/cipher: Add GCM to QCryptoCipherMode Jamin Lin
2026-07-15 4:51 ` Markus Armbruster
2026-07-15 3:33 ` [PATCH v2 08/17] crypto/cipher: Add setaad/gettag for AEAD modes Jamin Lin
2026-07-15 3:33 ` [PATCH v2 09/17] crypto/cipher-gcrypt: Implement AES-GCM Jamin Lin
2026-07-15 3:33 ` Jamin Lin [this message]
2026-07-15 3:33 ` [PATCH v2 11/17] crypto/cipher-gnutls: " Jamin Lin
2026-07-15 3:33 ` [PATCH v2 12/17] tests/unit/test-crypto-cipher: Test AES-GCM mode Jamin Lin
2026-07-15 3:33 ` [PATCH v2 13/17] hw/misc/aspeed_hace: Support 64-bit DMA for the crypto command Jamin Lin
2026-07-15 3:33 ` [PATCH v2 14/17] hw/misc/aspeed_hace: Support the AES-GCM mode " Jamin Lin
2026-07-15 3:33 ` [PATCH v2 15/17] hw/misc/aspeed_hace: Enable the crypto command on the AST2700 Jamin Lin
2026-07-15 3:33 ` [PATCH v2 16/17] tests/qtest/aspeed-hace: Test " Jamin Lin
2026-07-15 3:33 ` [PATCH v2 17/17] tests/functional/aarch64/test_aspeed_ast2700: Drop the AST2700 crypto self-test workaround Jamin Lin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260715033311.1648424-11-jamin_lin@aspeedtech.com \
--to=jamin_lin@aspeedtech.com \
--cc=andrew@codeconstruct.com.au \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=clg@kaod.org \
--cc=eblake@redhat.com \
--cc=farosas@suse.de \
--cc=joel@jms.id.au \
--cc=kane_chen@aspeedtech.com \
--cc=leetroy@gmail.com \
--cc=lvivier@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=steven_lee@aspeedtech.com \
--cc=troy_lee@aspeedtech.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.