s390 hmac

s390 hmac

[Herbert Xu]

Hi Harald:

I'm working on making the export format of hash algorithms compatible
so that you can switch between implementations seamlessly.

I've got a question about the s390 hmac implementation.  How does
the hardware tell if it's the first update (where the cv from the
param block contains undefined state) or not? Is it a bit in
s390_kmac_gr0 or is it the imbl?

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: s390 hmac

[Holger Dengler]

Hi Herbert,

On 23/03/2025 14:13, Herbert Xu wrote:
> Hi Harald:
> 
> I'm working on making the export format of hash algorithms compatible
> so that you can switch between implementations seamlessly.
> 
> I've got a question about the s390 hmac implementation.  How does
> the hardware tell if it's the first update (where the cv from the
> param block contains undefined state) or not? Is it a bit in
> s390_kmac_gr0 or is it the imbl?

The bit s390_kmac_gr0.ikp indicates, if the instruction has processed the inner key padding or not. The bit is zeroed at init() and the first instruction call for a context will set this bit to 1 and update the cv. So, if this bit is 0, the cv in param block contains undefined state.

> 
> Thanks,

-- 
Mit freundlichen Grüßen / Kind regards
Holger Dengler
--
IBM Systems, Linux on IBM Z Development
dengler@linux.ibm.com

Re: s390 hmac

[Herbert Xu]

On Mon, Mar 24, 2025 at 08:50:21AM +0100, Holger Dengler wrote:
>
> The bit s390_kmac_gr0.ikp indicates, if the instruction has processed the inner key padding or not. The bit is zeroed at init() and the first instruction call for a context will set this bit to 1 and update the cv. So, if this bit is 0, the cv in param block contains undefined state.

Thanks for the info!
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: s390 hmac

[Harald Freudenberger]

On 2025-03-23 14:13, Herbert Xu wrote:
> Hi Harald:
> 
> I'm working on making the export format of hash algorithms compatible
> so that you can switch between implementations seamlessly.
> 
> I've got a question about the s390 hmac implementation.  How does
> the hardware tell if it's the first update (where the cv from the
> param block contains undefined state) or not? Is it a bit in
> s390_kmac_gr0 or is it the imbl?
> 
> Thanks,

Hi Herbert

that is the ikp bit in the s390_kmac_gr0 struct:

union s390_kmac_gr0 {
	unsigned long reg;
	struct {
		unsigned long		: 48;
		unsigned long ikp	:  1;
		unsigned long iimp	:  1;
		unsigned long ccup	:  1;
		unsigned long		:  6;
		unsigned long fc	:  7;
	};
};

It needs to be initial 0 and the firmware sets it to 1 with
the inner key padding and the hashing done.

Holger's implementation in hmac_s390.c of the clear key hmac
holds this gr0 value as part of the running hash context:

struct s390_kmac_sha2_ctx {
	u8 param[MAX_DIGEST_SIZE + MAX_IMBL_SIZE + MAX_BLOCK_SIZE];
	union s390_kmac_gr0 gr0;
	u8 buf[MAX_BLOCK_SIZE];
	unsigned int buflen;
};

Re: s390 hmac

[Herbert Xu]

On Mon, Mar 24, 2025 at 11:04:56AM +0100, Harald Freudenberger wrote:
>
> that is the ikp bit in the s390_kmac_gr0 struct:

Thank you Harald!

> union s390_kmac_gr0 {
> 	unsigned long reg;
> 	struct {
> 		unsigned long		: 48;
> 		unsigned long ikp	:  1;
> 		unsigned long iimp	:  1;
> 		unsigned long ccup	:  1;

I hope I don't have to worry about ccup and can just leave it
as zero during import, right?

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: s390 hmac

[Holger Dengler]

On 25/03/2025 09:22, Herbert Xu wrote:
> On Mon, Mar 24, 2025 at 11:04:56AM +0100, Harald Freudenberger wrote:
>>
>> that is the ikp bit in the s390_kmac_gr0 struct:
> 
> Thank you Harald!
> 
>> union s390_kmac_gr0 {
>> 	unsigned long reg;
>> 	struct {
>> 		unsigned long		: 48;
>> 		unsigned long ikp	:  1;
>> 		unsigned long iimp	:  1;
>> 		unsigned long ccup	:  1;
> 
> I hope I don't have to worry about ccup and can just leave it
> as zero during import, right?

I've to do some further test to be 100% sure. This bit is an indicator, if the instruction has updated the hardware crypto counter for hmac or not. Normally, it should be initialized with 0 before the first instruction call and after the instruction call the flag indicates, if the counter has been updated or not. If the flag is 1, it should be 1 for the following calls, otherwise the hardware crypto counters show wrong statistics.

I've no idea how to set the bit on import correctly, if parts of the hmac operation has been processed by another cipher implementation. Setting it to 0 means, the partial hmac operation is counters as a full operation. setting it to 1 would mean, that the operation after an import is not reflected in the statistics.

-- 
Mit freundlichen Grüßen / Kind regards
Holger Dengler
--
IBM Systems, Linux on IBM Z Development
dengler@linux.ibm.com

Re: s390 hmac

[Herbert Xu]

On Tue, Mar 25, 2025 at 07:10:34PM +0100, Holger Dengler wrote:
>
> I've no idea how to set the bit on import correctly, if parts of the hmac operation has been processed by another cipher implementation. Setting it to 0 means, the partial hmac operation is counters as a full operation. setting it to 1 would mean, that the operation after an import is not reflected in the statistics.

I'll just leave it at zero for now.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt