* [PATCH v9 00/21] target/s390x: Extend qemu CPACF support
@ 2026-07-01 16:46 Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 01/21] target/s390x: Fix wrong address handling in address loops Harald Freudenberger
` (20 more replies)
0 siblings, 21 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
This patch series extends the s390 qemu CPACF support to be able to
run a subset of the CPACF instruction cross platform. There have been
requests on the kernel crypto mailing list about a way to test
s390 specific crypto implementations. For example a way to test
s390 CPACF exploitation code like the s390_aes.ko kernel module.
So here now is a set of patches verified on x86 and s390 which
over (slow but working) support for a subset of the subfunctions of
some of the CPACF instructions.
Test: There are some very basic tests included with this patch series
suitable for some CI run. Better test coverage can be done by running
a full blown Linux and use for example the in-kernel crypto modules.
The 'usual' in-kernel crpyto modules will be automatically loaded
which run a bunch of test cases. So there is now support for these
kernel modules:
* sha256_s390x (autoloaded, sha256)
* sha512_s390x (autoloaded, sha512)
* aes_s390x (autoloaded, clear key aes ecb, cbc, ctr, xts)
* pkey_pckmo (autoloaded, derive AES protected key from clear key)
* paes_s390x (not autoloaded, protected key aes ecb, cbc, ctr, xts)
All these modules run selftests if configured by the kernel (which is
enabled by default). Failures are reported via syslog. Additionally
the aes testcases from libica can be run either inside such an qemu
environment or with a static build executed with the qemu tcg
application qemu-s390x --cpu max <static-build-libica-test>.
Changelog:
v1: Initial version with
- Related code restructured
- Support KIMD SHA512 and thus SHA256
- Support KMC AES-128, AES-192 and AES-256 and thus have basic AES
support (ECB mode) enabled.
- Support PCC Compute-XTS-Parameter-AES-128 and
Compute-XTS-Parameter-AES-256 but only for block sequence number
0. This is a requirement for the next step:
- Support KM XTS-AES-128 and KM XTS-AES-256. Together with the
minimal PCC support this enables AES-XTS CPACF acceleration.
v2: - Basic PCKMO support to be able to 'derive' an AES protected key
from clear key. See header details.
- Support protected key AES-ECB.
- Support protected key AES-CBC.
- Minimal protected key AES-XTS support for CPACF PCC.
- Support protected key AES-XTS.
- Support AES-CTR.
- Support protected key AES-CTR.
v3: - Reordered patches as suggested by Finn.
- One small bug fix in CPACF_aes.c related to address translation.
v4: - Rename of the parameters based on feedback from Janosch to
make clear these are registers or ptrs to registers.
Added Tested by from Holger. Fixed typo "face" -> "fake".
v5: - Add documentation file docs/system/s390x/cpacf.rst which
describes the state of the CPACF instructions and which
functions are covered when this series is applied.
First version sent to public mailing list qemu-s390x.
v6: - Rebase/rework to build on current qemu head.
- Add docs/system/s390x/cpacf.rst to target-s390x.rst
- New file crypto/aes-helpers.c with some simple
functions to support AES modes CBC, CTR and XTS.
- Slight rewrite of the s390x CPACF implementations to
use these generic AES mode implementations.
v7: - Update on docs/system/s390x/cpacf.rst to mention
the zArchicteture Principles of Operation document
which describes all these CPACF instructions.
v8: - Add a fix which deals with incorrect address handling
in the sha512 implementation related to fetch and push
data from/to memory.
- Slight rework around the capcf function implementation and
exception generation.
- Added some more details to the new cpacf.rst file.
- Fixed some typos and added some suggestions from Finn.
- Fixed cc handling on return of PCKMO (must not update cc).
Missing: simple test cases to verify that the implemented and not
implemented cpacf functions and subfunctions work as expected. But
see the statement about tests at the header.
v9: - Add simple tests for all the implemented CPACF instructions but
pckmo (which is a privileged instruction).
- Reworked the Fix for wrong address to call the wrap function
inline; rephrased commit header.
- Improve the header file cpacf.h to hold defines for all the
cpacf instruction functions and use them in the code.
- one new commit comprising the base protected key support with
exposing the xor pattern and wkvp and en/decrypt key functions
via cpacf.h. So the testcases can use this header file.
- one new commit which reworks the fetch memory and store memory
from and to guest (suggested by Ilya Leoshkevich).
Harald Freudenberger (21):
target/s390x: Fix wrong address handling in address loops
target/s390x: Rework s390 cpacf implementations
target/s390x: Move cpacf sha512 code into a new file
target/s390x: Support cpacf sha256
target/s390x: Support AES ECB for cpacf km instruction
target/s390x: Support AES CBC for cpacf kmc instruction
target/s390x: Support AES CTR for cpacf kmctr instruction
target/s390x: Minimal AES XTS support for cpacf pcc instruction
target/s390x: Support AES XTS for cpacf km instruction
target/s390x: Base support for cpacf protected keys
target/s390x: Support pckmo encrypt AES subfunctions
target/s390x: Support protected key AES ECB for cpacf km instruction
target/s390x: Support protected key AES CBC for cpacf kmc instruction
target/s390x: Support protected key AES CTR for cpacf kmctr
instruction
target/s390x: Minimal protected key AES XTS support for cpacf pcc
instruction
target/s390x: Support protected key AES XTS for cpacf km instruction
docs/s390: Document CPACF instructions support
crypto: Add aes-helpers file to support some AES modes
target/s390x: Use generic AES helper functions
target/s390x: Improve fetch and store mem from and to guest
tests/tcg/s390x: Add tests for CPACF instructions
crypto/aes-helpers.c | 106 ++++
crypto/meson.build | 1 +
docs/system/s390x/cpacf.rst | 144 +++++
docs/system/target-s390x.rst | 1 +
include/crypto/aes.h | 14 +
target/s390x/gen-features.c | 31 ++
target/s390x/tcg/cpacf.h | 312 +++++++++++
target/s390x/tcg/cpacf_aes.c | 903 +++++++++++++++++++++++++++++++
target/s390x/tcg/cpacf_sha256.c | 228 ++++++++
target/s390x/tcg/crypto_helper.c | 426 ++++++++-------
target/s390x/tcg/insn-data.h.inc | 1 +
target/s390x/tcg/meson.build | 3 +
target/s390x/tcg/translate.c | 11 +-
tests/tcg/s390x/Makefile.target | 9 +
tests/tcg/s390x/cpacf-kdsa.c | 59 ++
tests/tcg/s390x/cpacf-kimd.c | 164 ++++++
tests/tcg/s390x/cpacf-klmd.c | 202 +++++++
tests/tcg/s390x/cpacf-km.c | 576 ++++++++++++++++++++
tests/tcg/s390x/cpacf-kmac.c | 59 ++
tests/tcg/s390x/cpacf-kmc.c | 342 ++++++++++++
tests/tcg/s390x/cpacf-kmctr.c | 354 ++++++++++++
tests/tcg/s390x/cpacf-pcc.c | 241 +++++++++
tests/tcg/s390x/cpacf-prno.c | 130 +++++
tests/tcg/s390x/cpacf.h | 570 +++++++++++++++++++
24 files changed, 4670 insertions(+), 217 deletions(-)
create mode 100644 crypto/aes-helpers.c
create mode 100644 docs/system/s390x/cpacf.rst
create mode 100644 target/s390x/tcg/cpacf.h
create mode 100644 target/s390x/tcg/cpacf_aes.c
create mode 100644 target/s390x/tcg/cpacf_sha256.c
create mode 100644 tests/tcg/s390x/cpacf-kdsa.c
create mode 100644 tests/tcg/s390x/cpacf-kimd.c
create mode 100644 tests/tcg/s390x/cpacf-klmd.c
create mode 100644 tests/tcg/s390x/cpacf-km.c
create mode 100644 tests/tcg/s390x/cpacf-kmac.c
create mode 100644 tests/tcg/s390x/cpacf-kmc.c
create mode 100644 tests/tcg/s390x/cpacf-kmctr.c
create mode 100644 tests/tcg/s390x/cpacf-pcc.c
create mode 100644 tests/tcg/s390x/cpacf-prno.c
create mode 100644 tests/tcg/s390x/cpacf.h
base-commit: 20553466cc47af6a8c95f665b601fce3c852e503
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [PATCH v9 01/21] target/s390x: Fix wrong address handling in address loops
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 02/21] target/s390x: Rework s390 cpacf implementations Harald Freudenberger
` (19 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
The loop increments addr by the element stride (+= 4) before calling
wrap_address, but then overwrites the loop addr with the wrapped
value. On the next iteration the stride is applied to the wrapped
address of the previous element, not to the original unwrapped
address. This results in every element after the first is read from a
wrong (wrapped) address.
Fixes: 9f17bfdab4 ("target/s390x: support SHA-512 extensions")
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/tcg/crypto_helper.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index ae392bce0e..8fe0a22219 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -126,8 +126,7 @@ static void sha512_read_icv(CPUS390XState *env, const int mmu_idx,
const MemOpIdx oi = make_memop_idx(MO_BE | MO_64 | MO_UNALN, mmu_idx);
for (int i = 0; i < 8; i++, addr += 8) {
- addr = wrap_address(env, addr);
- a[i] = cpu_ldq_mmu(env, addr, oi, ra);
+ a[i] = cpu_ldq_mmu(env, wrap_address(env, addr), oi, ra);
}
}
@@ -137,8 +136,7 @@ static void sha512_write_ocv(CPUS390XState *env, const int mmu_idx,
const MemOpIdx oi = make_memop_idx(MO_BE | MO_64 | MO_UNALN, mmu_idx);
for (int i = 0; i < 8; i++, addr += 8) {
- addr = wrap_address(env, addr);
- cpu_stq_mmu(env, addr, a[i], oi, ra);
+ cpu_stq_mmu(env, wrap_address(env, addr), a[i], oi, ra);
}
}
@@ -148,8 +146,7 @@ static void sha512_read_block(CPUS390XState *env, const int mmu_idx,
const MemOpIdx oi = make_memop_idx(MO_BE | MO_64 | MO_UNALN, mmu_idx);
for (int i = 0; i < 16; i++, addr += 8) {
- addr = wrap_address(env, addr);
- a[i] = cpu_ldq_mmu(env, addr, oi, ra);
+ a[i] = cpu_ldq_mmu(env, wrap_address(env, addr), oi, ra);
}
}
@@ -159,8 +156,7 @@ static void sha512_read_mbl_be64(CPUS390XState *env, const int mmu_idx,
const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
for (int i = 0; i < 16; i++, addr += 1) {
- addr = wrap_address(env, addr);
- a[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ a[i] = cpu_ldb_mmu(env, wrap_address(env, addr), oi, ra);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 02/21] target/s390x: Rework s390 cpacf implementations
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 01/21] target/s390x: Fix wrong address handling in address loops Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 03/21] target/s390x: Move cpacf sha512 code into a new file Harald Freudenberger
` (18 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Fix missing parts for MSA 9 kdsa and rework the cpacf handling code
so that further extensions can be made in a clean and structured way.
Introduce a new header file to hold defines, structs and function
prototypes around s390 cpacf. Use the cpcaf function defines in the
existing code.
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/tcg/cpacf.h | 226 +++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 90 ++++++++++--
target/s390x/tcg/insn-data.h.inc | 1 +
target/s390x/tcg/translate.c | 2 +
4 files changed, 306 insertions(+), 13 deletions(-)
create mode 100644 target/s390x/tcg/cpacf.h
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
new file mode 100644
index 0000000000..05596e0645
--- /dev/null
+++ b/target/s390x/tcg/cpacf.h
@@ -0,0 +1,226 @@
+/*
+ * s390x cpacf
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef S390X_CPACF_H
+#define S390X_CPACF_H
+
+/*
+ * Function codes for the KM instruction
+ */
+#define CPACF_KM_QUERY 0x00
+#define CPACF_KM_DEA 0x01
+#define CPACF_KM_TDEA_128 0x02
+#define CPACF_KM_TDEA_192 0x03
+#define CPACF_KM_AES_128 0x12
+#define CPACF_KM_AES_192 0x13
+#define CPACF_KM_AES_256 0x14
+#define CPACF_KM_PAES_128 0x1a
+#define CPACF_KM_PAES_192 0x1b
+#define CPACF_KM_PAES_256 0x1c
+#define CPACF_KM_XTS_128 0x32
+#define CPACF_KM_XTS_256 0x34
+#define CPACF_KM_PXTS_128 0x3a
+#define CPACF_KM_PXTS_256 0x3c
+#define CPACF_KM_FULL_XTS_128 0x52
+#define CPACF_KM_FULL_XTS_256 0x54
+#define CPACF_KM_FULL_PXTS_128 0x5a
+#define CPACF_KM_FULL_PXTS_256 0x5c
+
+/*
+ * Function codes for the KMC instruction
+ */
+#define CPACF_KMC_QUERY 0x00
+#define CPACF_KMC_DEA 0x01
+#define CPACF_KMC_TDEA_128 0x02
+#define CPACF_KMC_TDEA_192 0x03
+#define CPACF_KMC_AES_128 0x12
+#define CPACF_KMC_AES_192 0x13
+#define CPACF_KMC_AES_256 0x14
+#define CPACF_KMC_PAES_128 0x1a
+#define CPACF_KMC_PAES_192 0x1b
+#define CPACF_KMC_PAES_256 0x1c
+#define CPACF_KMC_PRNG 0x43
+
+/*
+ * Function codes for the KMCTR instruction
+ */
+#define CPACF_KMCTR_QUERY 0x00
+#define CPACF_KMCTR_DEA 0x01
+#define CPACF_KMCTR_TDEA_128 0x02
+#define CPACF_KMCTR_TDEA_192 0x03
+#define CPACF_KMCTR_AES_128 0x12
+#define CPACF_KMCTR_AES_192 0x13
+#define CPACF_KMCTR_AES_256 0x14
+#define CPACF_KMCTR_PAES_128 0x1a
+#define CPACF_KMCTR_PAES_192 0x1b
+#define CPACF_KMCTR_PAES_256 0x1c
+
+/*
+ * Function codes for the KIMD instruction
+ */
+#define CPACF_KIMD_QUERY 0x00
+#define CPACF_KIMD_SHA_1 0x01
+#define CPACF_KIMD_SHA_256 0x02
+#define CPACF_KIMD_SHA_512 0x03
+#define CPACF_KIMD_SHA3_224 0x20
+#define CPACF_KIMD_SHA3_256 0x21
+#define CPACF_KIMD_SHA3_384 0x22
+#define CPACF_KIMD_SHA3_512 0x23
+#define CPACF_KIMD_SHAKE_128 0x24
+#define CPACF_KIMD_SHAKE_256 0x25
+#define CPACF_KIMD_GHASH 0x41
+
+/*
+ * Function codes for the KLMD instruction
+ */
+#define CPACF_KLMD_QUERY 0x00
+#define CPACF_KLMD_SHA_1 0x01
+#define CPACF_KLMD_SHA_256 0x02
+#define CPACF_KLMD_SHA_512 0x03
+#define CPACF_KLMD_SHA3_224 0x20
+#define CPACF_KLMD_SHA3_256 0x21
+#define CPACF_KLMD_SHA3_384 0x22
+#define CPACF_KLMD_SHA3_512 0x23
+#define CPACF_KLMD_SHAKE_128 0x24
+#define CPACF_KLMD_SHAKE_256 0x25
+
+/*
+ * function codes for the KMAC instruction
+ */
+#define CPACF_KMAC_QUERY 0x00
+#define CPACF_KMAC_DEA 0x01
+#define CPACF_KMAC_TDEA_128 0x02
+#define CPACF_KMAC_TDEA_192 0x03
+#define CPACF_KMAC_AES_128 0x12
+#define CPACF_KMAC_AES_192 0x13
+#define CPACF_KMAC_AES_256 0x14
+#define CPACF_KMAC_PAES_128 0x1A
+#define CPACF_KMAC_PAES_192 0x1B
+#define CPACF_KMAC_PAES_256 0x1C
+#define CPACF_KMAC_HMAC_SHA_224 0x70
+#define CPACF_KMAC_HMAC_SHA_256 0x71
+#define CPACF_KMAC_HMAC_SHA_384 0x72
+#define CPACF_KMAC_HMAC_SHA_512 0x73
+#define CPACF_KMAC_PHMAC_SHA_224 0x78
+#define CPACF_KMAC_PHMAC_SHA_256 0x79
+#define CPACF_KMAC_PHMAC_SHA_384 0x7a
+#define CPACF_KMAC_PHMAC_SHA_512 0x7b
+
+/*
+ * Function codes for the PCKMO instruction
+ */
+#define CPACF_PCKMO_QUERY 0x00
+#define CPACF_PCKMO_ENC_DES_KEY 0x01
+#define CPACF_PCKMO_ENC_TDES_128_KEY 0x02
+#define CPACF_PCKMO_ENC_TDES_192_KEY 0x03
+#define CPACF_PCKMO_ENC_AES_128_KEY 0x12
+#define CPACF_PCKMO_ENC_AES_192_KEY 0x13
+#define CPACF_PCKMO_ENC_AES_256_KEY 0x14
+#define CPACF_PCKMO_ENC_AES_XTS_128_DOUBLE_KEY 0x14
+#define CPACF_PCKMO_ENC_AES_XTS_256_DOUBLE_KEY 0x16
+#define CPACF_PCKMO_ENC_ECC_P256_KEY 0x20
+#define CPACF_PCKMO_ENC_ECC_P384_KEY 0x21
+#define CPACF_PCKMO_ENC_ECC_P521_KEY 0x22
+#define CPACF_PCKMO_ENC_ECC_ED25519_KEY 0x28
+#define CPACF_PCKMO_ENC_ECC_ED448_KEY 0x29
+#define CPACF_PCKMO_ENC_HMAC_512_KEY 0x76
+#define CPACF_PCKMO_ENC_HMAC_1024_KEY 0x7a
+
+/*
+ * Function codes for the PRNO instruction
+ */
+#define CPACF_PRNO_QUERY 0x00
+#define CPACF_PRNO_SHA512_DRNG_GEN 0x03
+#define CPACF_PRNO_SHA512_DRNG_SEED 0x83
+#define CPACF_PRNO_TRNG_Q_R2C_RATIO 0x70
+#define CPACF_PRNO_TRNG 0x72
+
+/*
+ * Function codes for the KMA instruction
+ */
+#define CPACF_KMA_QUERY 0x00
+#define CPACF_KMA_GCM_AES_128 0x12
+#define CPACF_KMA_GCM_AES_192 0x13
+#define CPACF_KMA_GCM_AES_256 0x14
+#define CPACF_KMA_GCM_PAES_128 0x1A
+#define CPACF_KMA_GCM_PAES_192 0x1B
+#define CPACF_KMA_GCM_PAES_256 0x1C
+
+/*
+ * Function codes for the KMF instruction
+ */
+#define CPACF_KMF_QUERY 0
+#define CPACF_KMF_DEA 1
+#define CPACF_KMF_TDEA_128 2
+#define CPACF_KMF_TDEA_192 3
+#define CPACF_KMF_AES_128 18
+#define CPACF_KMF_AES_192 19
+#define CPACF_KMF_AES_256 20
+#define CPACF_KMF_PAES_128 26
+#define CPACF_KMF_PAES_192 27
+#define CPACF_KMF_PAES_256 28
+
+/*
+ * Function codes for the KMO instruction
+ */
+#define CPACF_KMO_QUERY 0
+#define CPACF_KMO_DEA 1
+#define CPACF_KMO_TDEA_128 2
+#define CPACF_KMO_TDEA_192 3
+#define CPACF_KMO_AES_128 18
+#define CPACF_KMO_AES_192 19
+#define CPACF_KMO_AES_256 20
+#define CPACF_KMO_PAES_128 26
+#define CPACF_KMO_PAES_192 27
+#define CPACF_KMO_PAES_256 28
+
+/*
+ * Function codes for the PCC instruction
+ */
+#define CPACF_PCC_QUERY 0
+#define CPACF_PCC_CMAC_DEA 1
+#define CPACF_PCC_CMAC_TDEA_128 2
+#define CPACF_PCC_CMAC_TDEA_192 3
+#define CPACF_PCC_CMAC_AES_128 18
+#define CPACF_PCC_CMAC_AES_192 19
+#define CPACF_PCC_CMAC_AES_256 20
+#define CPACF_PCC_CMAC_PAES_128 26
+#define CPACF_PCC_CMAC_PAES_192 27
+#define CPACF_PCC_CMAC_PAES_256 28
+#define CPACF_PCC_XTS_AES_128 50
+#define CPACF_PCC_XTS_AES_256 52
+#define CPACF_PCC_XTS_PAES_128 58
+#define CPACF_PCC_XTS_PAES_256 60
+#define CPACF_PCC_SM_P256 64
+#define CPACF_PCC_SM_P384 65
+#define CPACF_PCC_SM_P521 66
+#define CPACF_PCC_SM_ED25519 72
+#define CPACF_PCC_SM_ED448 73
+#define CPACF_PCC_SM_X25519 80
+#define CPACF_PCC_SM_X448 81
+
+/*
+ * Function codes for the KDSA instruction
+ */
+#define CPACF_KDSA_QUERY 0
+#define CPACF_KDSA_VERIFY_P256 1
+#define CPACF_KDSA_VERIFY_P384 2
+#define CPACF_KDSA_VERIFY_P521 3
+#define CPACF_KDSA_SIGN_P256 9
+#define CPACF_KDSA_SIGN_P384 10
+#define CPACF_KDSA_SIGN_P521 11
+#define CPACF_KDSA_PSIGN_P256 17
+#define CPACF_KDSA_PSIGN_P384 18
+#define CPACF_KDSA_PSIGN_P521 19
+#define CPACF_KDSA_VERIFY_ED25519 32
+#define CPACF_KDSA_VERIFY_ED448 36
+#define CPACF_KDSA_SIGN_ED25519 40
+#define CPACF_KDSA_SIGN_ED448 44
+#define CPACF_KDSA_PSIGN_ED25519 48
+#define CPACF_KDSA_PSIGN_ED448 52
+
+#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 8fe0a22219..987bc72ae9 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -19,6 +19,7 @@
#include "exec/helper-proto.h"
#include "accel/tcg/cpu-ldst-common.h"
#include "accel/tcg/cpu-mmu-index.h"
+#include "target/s390x/tcg/cpacf.h"
static uint64_t R(uint64_t x, int c)
{
@@ -268,6 +269,57 @@ static void fill_buf_random(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
}
+static int cpacf_kimd(CPUS390XState *env, const int mmu_idx, const uintptr_t ra,
+ uint32_t r1, uint32_t r2, uint32_t r3, uint8_t fc)
+{
+ int rc = 0;
+
+ switch (fc) {
+ case CPACF_KIMD_SHA_512:
+ rc = cpacf_sha512(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
+ &env->regs[r2 + 1], S390_FEAT_TYPE_KIMD);
+ break;
+ default:
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ return rc;
+}
+
+static int cpacf_klmd(CPUS390XState *env, const int mmu_idx, const uintptr_t ra,
+ uint32_t r1, uint32_t r2, uint32_t r3, uint8_t fc)
+{
+ int rc = 0;
+
+ switch (fc) {
+ case CPACF_KLMD_SHA_512:
+ rc = cpacf_sha512(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
+ &env->regs[r2 + 1], S390_FEAT_TYPE_KLMD);
+ break;
+ default:
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ return rc;
+}
+
+static int cpacf_ppno(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint32_t r1, uint32_t r2, uint32_t r3, uint8_t fc)
+{
+ int rc = 0;
+
+ switch (fc) {
+ case CPACF_PRNO_TRNG:
+ fill_buf_random(env, mmu_idx, ra, &env->regs[r1], &env->regs[r1 + 1]);
+ fill_buf_random(env, mmu_idx, ra, &env->regs[r2], &env->regs[r2 + 1]);
+ break;
+ default:
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ return rc;
+}
+
uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
uint32_t type)
{
@@ -278,13 +330,15 @@ uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
uint8_t subfunc[16] = { 0 };
uint64_t param_addr;
MemOpIdx oi;
+ int rc = 0;
switch (type) {
- case S390_FEAT_TYPE_KMAC:
+ case S390_FEAT_TYPE_KDSA:
case S390_FEAT_TYPE_KIMD:
case S390_FEAT_TYPE_KLMD:
- case S390_FEAT_TYPE_PCKMO:
+ case S390_FEAT_TYPE_KMAC:
case S390_FEAT_TYPE_PCC:
+ case S390_FEAT_TYPE_PCKMO:
if (mod) {
tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
}
@@ -296,25 +350,35 @@ uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
}
- switch (fc) {
- case 0: /* query subfunction */
+ /* handle query subfunction */
+ if (fc == 0) {
oi = make_memop_idx(MO_8, mmu_idx);
- for (int i = 0; i < 16; i++) {
+ for (int i = 0; i < sizeof(subfunc); i++) {
param_addr = wrap_address(env, env->regs[1] + i);
cpu_stb_mmu(env, param_addr, subfunc[i], oi, ra);
}
+ goto out;
+ }
+
+ switch (type) {
+ case S390_FEAT_TYPE_KIMD:
+ rc = cpacf_kimd(env, mmu_idx, ra, r1, r2, r3, fc);
break;
- case 3: /* CPACF_*_SHA_512 */
- return cpacf_sha512(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
- &env->regs[r2 + 1], type);
- case 114: /* CPACF_PRNO_TRNG */
- fill_buf_random(env, mmu_idx, ra, &env->regs[r1], &env->regs[r1 + 1]);
- fill_buf_random(env, mmu_idx, ra, &env->regs[r2], &env->regs[r2 + 1]);
+ case S390_FEAT_TYPE_KLMD:
+ rc = cpacf_klmd(env, mmu_idx, ra, r1, r2, r3, fc);
+ break;
+ case S390_FEAT_TYPE_PPNO:
+ rc = cpacf_ppno(env, mmu_idx, ra, r1, r2, r3, fc);
+ break;
+ case S390_FEAT_TYPE_KDSA:
+ case S390_FEAT_TYPE_KMAC:
+ /* subfunctions (other than query) are not implemented yet */
+ tcg_s390_program_interrupt(env, PGM_OPERATION, ra);
break;
default:
- /* we don't implement any other subfunction yet */
g_assert_not_reached();
}
- return 0;
+out:
+ return rc;
}
diff --git a/target/s390x/tcg/insn-data.h.inc b/target/s390x/tcg/insn-data.h.inc
index 0d5392eac5..6a0a7aacda 100644
--- a/target/s390x/tcg/insn-data.h.inc
+++ b/target/s390x/tcg/insn-data.h.inc
@@ -1015,6 +1015,7 @@
D(0xb92e, KM, RRE, MSA, 0, 0, 0, 0, msa, 0, S390_FEAT_TYPE_KM)
D(0xb92f, KMC, RRE, MSA, 0, 0, 0, 0, msa, 0, S390_FEAT_TYPE_KMC)
D(0xb929, KMA, RRF_b, MSA8, 0, 0, 0, 0, msa, 0, S390_FEAT_TYPE_KMA)
+ D(0xb93a, KDSA, RRE, MSA9, 0, 0, 0, 0, msa, 0, S390_FEAT_TYPE_KDSA)
E(0xb93c, PPNO, RRE, MSA5, 0, 0, 0, 0, msa, 0, S390_FEAT_TYPE_PPNO, IF_IO)
D(0xb93e, KIMD, RRE, MSA, 0, 0, 0, 0, msa, 0, S390_FEAT_TYPE_KIMD)
D(0xb93f, KLMD, RRE, MSA, 0, 0, 0, 0, msa, 0, S390_FEAT_TYPE_KLMD)
diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index 82165ac1ec..cef1b55149 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -2592,6 +2592,7 @@ static DisasJumpType op_msa(DisasContext *s, DisasOps *o)
/* FALL THROUGH */
case S390_FEAT_TYPE_PCKMO:
case S390_FEAT_TYPE_PCC:
+ case S390_FEAT_TYPE_KDSA:
break;
default:
g_assert_not_reached();
@@ -6046,6 +6047,7 @@ enum DisasInsnEnum {
#define FAC_MSA4 S390_FEAT_MSA_EXT_4 /* msa-extension-4 facility */
#define FAC_MSA5 S390_FEAT_MSA_EXT_5 /* msa-extension-5 facility */
#define FAC_MSA8 S390_FEAT_MSA_EXT_8 /* msa-extension-8 facility */
+#define FAC_MSA9 S390_FEAT_MSA_EXT_9 /* msa-extension-9 facility */
#define FAC_ECT S390_FEAT_EXTRACT_CPU_TIME
#define FAC_PCI S390_FEAT_ZPCI /* z/PCI facility */
#define FAC_AIS S390_FEAT_ADAPTER_INT_SUPPRESSION
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 03/21] target/s390x: Move cpacf sha512 code into a new file
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 01/21] target/s390x: Fix wrong address handling in address loops Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 02/21] target/s390x: Rework s390 cpacf implementations Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 04/21] target/s390x: Support cpacf sha256 Harald Freudenberger
` (17 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Move the cpacf sha512 implementation into a new file
cpacf_sha512.c. Add this new file to the build and use the cpacf.h
header file storing function the prototypes.
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/tcg/cpacf.h | 5 +
target/s390x/tcg/crypto_helper.c | 222 -------------------------------
target/s390x/tcg/meson.build | 1 +
3 files changed, 6 insertions(+), 222 deletions(-)
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index 05596e0645..6de79a2f8f 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -223,4 +223,9 @@
#define CPACF_KDSA_PSIGN_ED25519 48
#define CPACF_KDSA_PSIGN_ED448 52
+/* from cpacf_sha512.c */
+int cpacf_sha512(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *message_reg, uint64_t *len_reg,
+ uint32_t type);
+
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 987bc72ae9..dba46baa0d 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -21,228 +21,6 @@
#include "accel/tcg/cpu-mmu-index.h"
#include "target/s390x/tcg/cpacf.h"
-static uint64_t R(uint64_t x, int c)
-{
- return (x >> c) | (x << (64 - c));
-}
-static uint64_t Ch(uint64_t x, uint64_t y, uint64_t z)
-{
- return (x & y) ^ (~x & z);
-}
-static uint64_t Maj(uint64_t x, uint64_t y, uint64_t z)
-{
- return (x & y) ^ (x & z) ^ (y & z);
-}
-static uint64_t Sigma0(uint64_t x)
-{
- return R(x, 28) ^ R(x, 34) ^ R(x, 39);
-}
-static uint64_t Sigma1(uint64_t x)
-{
- return R(x, 14) ^ R(x, 18) ^ R(x, 41);
-}
-static uint64_t sigma0(uint64_t x)
-{
- return R(x, 1) ^ R(x, 8) ^ (x >> 7);
-}
-static uint64_t sigma1(uint64_t x)
-{
- return R(x, 19) ^ R(x, 61) ^ (x >> 6);
-}
-
-static const uint64_t K[80] = {
- 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL,
- 0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
- 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL,
- 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
- 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL,
- 0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
- 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL,
- 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
- 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL,
- 0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
- 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL,
- 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
- 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL,
- 0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
- 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL,
- 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
- 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL,
- 0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
- 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL,
- 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
- 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL,
- 0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
- 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL,
- 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
- 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL,
- 0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
- 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
-};
-
-/* a is icv/ocv, w is a single message block. w will get reused internally. */
-static void sha512_bda(uint64_t a[8], uint64_t w[16])
-{
- uint64_t t, z[8], b[8];
- int i, j;
-
- memcpy(z, a, sizeof(z));
- for (i = 0; i < 80; i++) {
- memcpy(b, a, sizeof(b));
-
- t = a[7] + Sigma1(a[4]) + Ch(a[4], a[5], a[6]) + K[i] + w[i % 16];
- b[7] = t + Sigma0(a[0]) + Maj(a[0], a[1], a[2]);
- b[3] += t;
- for (j = 0; j < 8; ++j) {
- a[(j + 1) % 8] = b[j];
- }
- if (i % 16 == 15) {
- for (j = 0; j < 16; ++j) {
- w[j] += w[(j + 9) % 16] + sigma0(w[(j + 1) % 16]) +
- sigma1(w[(j + 14) % 16]);
- }
- }
- }
-
- for (i = 0; i < 8; i++) {
- a[i] += z[i];
- }
-}
-
-/* a is icv/ocv, w is a single message block that needs be64 conversion. */
-static void sha512_bda_be64(uint64_t a[8], uint64_t w[16])
-{
- uint64_t t[16];
- int i;
-
- for (i = 0; i < 16; i++) {
- t[i] = be64_to_cpu(w[i]);
- }
- sha512_bda(a, t);
-}
-
-static void sha512_read_icv(CPUS390XState *env, const int mmu_idx,
- uint64_t addr, uint64_t a[8], uintptr_t ra)
-{
- const MemOpIdx oi = make_memop_idx(MO_BE | MO_64 | MO_UNALN, mmu_idx);
-
- for (int i = 0; i < 8; i++, addr += 8) {
- a[i] = cpu_ldq_mmu(env, wrap_address(env, addr), oi, ra);
- }
-}
-
-static void sha512_write_ocv(CPUS390XState *env, const int mmu_idx,
- uint64_t addr, uint64_t a[8], uintptr_t ra)
-{
- const MemOpIdx oi = make_memop_idx(MO_BE | MO_64 | MO_UNALN, mmu_idx);
-
- for (int i = 0; i < 8; i++, addr += 8) {
- cpu_stq_mmu(env, wrap_address(env, addr), a[i], oi, ra);
- }
-}
-
-static void sha512_read_block(CPUS390XState *env, const int mmu_idx,
- uint64_t addr, uint64_t a[16], uintptr_t ra)
-{
- const MemOpIdx oi = make_memop_idx(MO_BE | MO_64 | MO_UNALN, mmu_idx);
-
- for (int i = 0; i < 16; i++, addr += 8) {
- a[i] = cpu_ldq_mmu(env, wrap_address(env, addr), oi, ra);
- }
-}
-
-static void sha512_read_mbl_be64(CPUS390XState *env, const int mmu_idx,
- uint64_t addr, uint8_t a[16], uintptr_t ra)
-{
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
-
- for (int i = 0; i < 16; i++, addr += 1) {
- a[i] = cpu_ldb_mmu(env, wrap_address(env, addr), oi, ra);
- }
-}
-
-static int cpacf_sha512(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
- uint64_t param_addr, uint64_t *message_reg,
- uint64_t *len_reg, uint32_t type)
-{
- enum { MAX_BLOCKS_PER_RUN = 64 }; /* Arbitrary: keep interactivity. */
- uint64_t len = *len_reg, a[8], processed = 0;
- int i, message_reg_len = 64;
-
- g_assert(type == S390_FEAT_TYPE_KIMD || type == S390_FEAT_TYPE_KLMD);
-
- if (!(env->psw.mask & PSW_MASK_64)) {
- len = (uint32_t)len;
- message_reg_len = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
- }
-
- /* KIMD: length has to be properly aligned. */
- if (type == S390_FEAT_TYPE_KIMD && !QEMU_IS_ALIGNED(len, 128)) {
- tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- }
-
- sha512_read_icv(env, mmu_idx, param_addr, a, ra);
-
- /* Process full blocks first. */
- for (; len >= 128; len -= 128, processed += 128) {
- uint64_t w[16];
-
- if (processed >= MAX_BLOCKS_PER_RUN * 128) {
- break;
- }
-
- sha512_read_block(env, mmu_idx, *message_reg + processed, w, ra);
- sha512_bda(a, w);
- }
-
- /* KLMD: Process partial/empty block last. */
- if (type == S390_FEAT_TYPE_KLMD && len < 128) {
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
- uint8_t x[128];
-
- /* Read the remainder of the message byte-per-byte. */
- for (i = 0; i < len; i++) {
- uint64_t addr = wrap_address(env, *message_reg + processed + i);
-
- x[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
- /* Pad the remainder with zero and set the top bit. */
- memset(x + len, 0, 128 - len);
- x[len] = 128;
-
- /*
- * Place the MBL either into this block (if there is space left),
- * or use an additional one.
- */
- if (len < 112) {
- sha512_read_mbl_be64(env, mmu_idx, param_addr + 64, x + 112, ra);
- }
- sha512_bda_be64(a, (uint64_t *)x);
-
- if (len >= 112) {
- memset(x, 0, 112);
- sha512_read_mbl_be64(env, mmu_idx, param_addr + 64, x + 112, ra);
- sha512_bda_be64(a, (uint64_t *)x);
- }
-
- processed += len;
- len = 0;
- }
-
- /*
- * Modify memory after we read all inputs and modify registers only after
- * writing memory succeeded.
- *
- * TODO: if writing fails halfway through (e.g., when crossing page
- * boundaries), we're in trouble. We'd need something like access_prepare().
- */
- sha512_write_ocv(env, mmu_idx, param_addr, a, ra);
- *message_reg = deposit64(*message_reg, 0, message_reg_len,
- *message_reg + processed);
- *len_reg -= processed;
- return !len ? 0 : 3;
-}
-
static void fill_buf_random(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t *buf_reg, uint64_t *len_reg)
{
diff --git a/target/s390x/tcg/meson.build b/target/s390x/tcg/meson.build
index 36cb0e079e..54a87393a3 100644
--- a/target/s390x/tcg/meson.build
+++ b/target/s390x/tcg/meson.build
@@ -5,6 +5,7 @@ s390x_ss.add(when: 'CONFIG_TCG', if_true: files(
))
s390x_common_ss.add(when: 'CONFIG_TCG', if_true: files(
'cc_helper.c',
+ 'cpacf_sha512.c',
'crypto_helper.c',
'excp_helper.c',
'fpu_helper.c',
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 04/21] target/s390x: Support cpacf sha256
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (2 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 03/21] target/s390x: Move cpacf sha512 code into a new file Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 05/21] target/s390x: Support AES ECB for cpacf km instruction Harald Freudenberger
` (16 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Add a new file cpacf_sha256.c which implements sha256.
Add support for the sha256 subfuction for CPACF kimd and klmd.
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/gen-features.c | 2 +
target/s390x/tcg/cpacf.h | 5 +
target/s390x/tcg/cpacf_sha256.c | 228 +++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 8 ++
target/s390x/tcg/meson.build | 1 +
5 files changed, 244 insertions(+)
create mode 100644 target/s390x/tcg/cpacf_sha256.c
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 8218e6470e..5cf5b92c37 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -916,7 +916,9 @@ static uint16_t qemu_V7_1[] = {
*/
static uint16_t qemu_MAX[] = {
S390_FEAT_MSA_EXT_5,
+ S390_FEAT_KIMD_SHA_256,
S390_FEAT_KIMD_SHA_512,
+ S390_FEAT_KLMD_SHA_256,
S390_FEAT_KLMD_SHA_512,
S390_FEAT_PRNO_TRNG,
};
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index 6de79a2f8f..d295b49699 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -223,6 +223,11 @@
#define CPACF_KDSA_PSIGN_ED25519 48
#define CPACF_KDSA_PSIGN_ED448 52
+/* from cpacf_sha256.c */
+int cpacf_sha256(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *message_reg, uint64_t *len_reg,
+ uint32_t type);
+
/* from cpacf_sha512.c */
int cpacf_sha512(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *message_reg, uint64_t *len_reg,
diff --git a/target/s390x/tcg/cpacf_sha256.c b/target/s390x/tcg/cpacf_sha256.c
new file mode 100644
index 0000000000..48b2a602a0
--- /dev/null
+++ b/target/s390x/tcg/cpacf_sha256.c
@@ -0,0 +1,228 @@
+/*
+ * s390 cpacf sha256
+ *
+ * Authors:
+ * Harald Freudenberger <freude@linux.ibm.com>
+ *
+ * The sha256 implementation here is more or less a copy-and-paste
+ * from Jason A. Donenfeld's implementation of sha 512 with adaptions
+ * for sha 256.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "s390x-internal.h"
+#include "tcg_s390x.h"
+#include "exec/helper-proto.h"
+#include "accel/tcg/cpu-ldst-common.h"
+#include "accel/tcg/cpu-mmu-index.h"
+#include "target/s390x/tcg/cpacf.h"
+
+static uint32_t R(uint32_t x, int c)
+{
+ return (x >> c) | (x << (32 - c));
+}
+static uint32_t Ch(uint32_t x, uint32_t y, uint32_t z)
+{
+ return (x & y) ^ (~x & z);
+}
+static uint32_t Maj(uint32_t x, uint32_t y, uint32_t z)
+{
+ return (x & y) ^ (x & z) ^ (y & z);
+}
+static uint32_t Sigma0(uint32_t x)
+{
+ return R(x, 2) ^ R(x, 13) ^ R(x, 22);
+}
+static uint32_t Sigma1(uint32_t x)
+{
+ return R(x, 6) ^ R(x, 11) ^ R(x, 25);
+}
+static uint32_t sigma0(uint32_t x)
+{
+ return R(x, 7) ^ R(x, 18) ^ (x >> 3);
+}
+static uint32_t sigma1(uint32_t x)
+{
+ return R(x, 17) ^ R(x, 19) ^ (x >> 10);
+}
+
+static const uint32_t K[64] = {
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
+ 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+ 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
+ 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
+ 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+ 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
+ 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
+ 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
+};
+
+/* a is icv/ocv, w is a single message block. w will get reused internally. */
+static void sha256_bda(uint32_t a[8], uint32_t w[16])
+{
+ uint32_t t, z[8], b[8];
+ int i, j;
+
+ memcpy(z, a, sizeof(z));
+ for (i = 0; i < 64; i++) {
+ memcpy(b, a, sizeof(b));
+
+ t = a[7] + Sigma1(a[4]) + Ch(a[4], a[5], a[6]) + K[i] + w[i % 16];
+ b[7] = t + Sigma0(a[0]) + Maj(a[0], a[1], a[2]);
+ b[3] += t;
+ for (j = 0; j < 8; ++j) {
+ a[(j + 1) % 8] = b[j];
+ }
+ if (i % 16 == 15) {
+ for (j = 0; j < 16; ++j) {
+ w[j] += w[(j + 9) % 16] + sigma0(w[(j + 1) % 16]) +
+ sigma1(w[(j + 14) % 16]);
+ }
+ }
+ }
+
+ for (i = 0; i < 8; i++) {
+ a[i] += z[i];
+ }
+}
+
+/* a is icv/ocv, w is a single message block that needs be32 conversion. */
+static void sha256_bda_be32(uint32_t a[8], uint32_t w[16])
+{
+ uint32_t t[16];
+ int i;
+
+ for (i = 0; i < 16; i++) {
+ t[i] = be32_to_cpu(w[i]);
+ }
+ sha256_bda(a, t);
+}
+
+static void sha256_read_icv(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint32_t a[8], uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_BE | MO_32 | MO_UNALN, mmu_idx);
+
+ for (int i = 0; i < 8; i++, addr += 4) {
+ a[i] = cpu_ldl_mmu(env, wrap_address(env, addr), oi, ra);
+ }
+}
+
+static void sha256_write_ocv(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint32_t a[8], uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_BE | MO_32 | MO_UNALN, mmu_idx);
+
+ for (int i = 0; i < 8; i++, addr += 4) {
+ cpu_stl_mmu(env, wrap_address(env, addr), a[i], oi, ra);
+ }
+}
+
+static void sha256_read_block(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint32_t a[16], uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_BE | MO_32 | MO_UNALN, mmu_idx);
+
+ for (int i = 0; i < 16; i++, addr += 4) {
+ a[i] = cpu_ldl_mmu(env, wrap_address(env, addr), oi, ra);
+ }
+}
+
+static void sha256_read_mbl_be32(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint8_t a[8], uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+
+ for (int i = 0; i < 8; i++, addr += 1) {
+ a[i] = cpu_ldb_mmu(env, wrap_address(env, addr), oi, ra);
+ }
+}
+
+int cpacf_sha256(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *message_reg, uint64_t *len_reg,
+ uint32_t type)
+{
+ enum { MAX_BLOCKS_PER_RUN = 128 }; /* 128 * 64 = 8K */
+ uint64_t len = *len_reg, processed = 0;
+ int i, message_reg_len = 64;
+ uint32_t a[8];
+
+ g_assert(type == S390_FEAT_TYPE_KIMD || type == S390_FEAT_TYPE_KLMD);
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ message_reg_len = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* KIMD: length has to be properly aligned. */
+ if (type == S390_FEAT_TYPE_KIMD && !QEMU_IS_ALIGNED(len, 64)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ sha256_read_icv(env, mmu_idx, param_addr, a, ra);
+
+ /* Process full blocks first. */
+ for (; len >= 64; len -= 64, processed += 64) {
+ uint32_t w[16];
+
+ if (processed >= MAX_BLOCKS_PER_RUN * 64) {
+ break;
+ }
+
+ sha256_read_block(env, mmu_idx, *message_reg + processed, w, ra);
+ sha256_bda(a, w);
+ }
+
+ /* KLMD: Process partial/empty block last. */
+ if (type == S390_FEAT_TYPE_KLMD && len < 64) {
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t x[64];
+
+ /* Read the remainder of the message byte-per-byte. */
+ for (i = 0; i < len; i++) {
+ uint64_t addr = wrap_address(env, *message_reg + processed + i);
+
+ x[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ /* Pad the remainder with zero and set the top bit. */
+ memset(x + len, 0, 64 - len);
+ x[len] = 0x80;
+
+ /*
+ * Place the MBL either into this block (if there is space left),
+ * or use an additional one.
+ */
+ if (len < 56) {
+ sha256_read_mbl_be32(env, mmu_idx, param_addr + 32, x + 56, ra);
+ }
+ sha256_bda_be32(a, (uint32_t *)x);
+
+ if (len >= 56) {
+ memset(x, 0, 56);
+ sha256_read_mbl_be32(env, mmu_idx, param_addr + 32, x + 56, ra);
+ sha256_bda_be32(a, (uint32_t *)x);
+ }
+
+ processed += len;
+ len = 0;
+ }
+
+ /*
+ * Modify memory after we read all inputs and modify registers only after
+ * writing memory succeeded.
+ *
+ * TODO: if writing fails halfway through (e.g., when crossing page
+ * boundaries), we're in trouble. We'd need something like access_prepare().
+ */
+ sha256_write_ocv(env, mmu_idx, param_addr, a, ra);
+ *message_reg = deposit64(*message_reg, 0, message_reg_len,
+ *message_reg + processed);
+ *len_reg -= processed;
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index dba46baa0d..6c296f6731 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -53,6 +53,10 @@ static int cpacf_kimd(CPUS390XState *env, const int mmu_idx, const uintptr_t ra,
int rc = 0;
switch (fc) {
+ case CPACF_KIMD_SHA_256:
+ rc = cpacf_sha256(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
+ &env->regs[r2 + 1], S390_FEAT_TYPE_KIMD);
+ break;
case CPACF_KIMD_SHA_512:
rc = cpacf_sha512(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
&env->regs[r2 + 1], S390_FEAT_TYPE_KIMD);
@@ -70,6 +74,10 @@ static int cpacf_klmd(CPUS390XState *env, const int mmu_idx, const uintptr_t ra,
int rc = 0;
switch (fc) {
+ case CPACF_KLMD_SHA_256:
+ rc = cpacf_sha256(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
+ &env->regs[r2 + 1], S390_FEAT_TYPE_KLMD);
+ break;
case CPACF_KLMD_SHA_512:
rc = cpacf_sha512(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
&env->regs[r2 + 1], S390_FEAT_TYPE_KLMD);
diff --git a/target/s390x/tcg/meson.build b/target/s390x/tcg/meson.build
index 54a87393a3..8ae8da9708 100644
--- a/target/s390x/tcg/meson.build
+++ b/target/s390x/tcg/meson.build
@@ -5,6 +5,7 @@ s390x_ss.add(when: 'CONFIG_TCG', if_true: files(
))
s390x_common_ss.add(when: 'CONFIG_TCG', if_true: files(
'cc_helper.c',
+ 'cpacf_sha256.c',
'cpacf_sha512.c',
'crypto_helper.c',
'excp_helper.c',
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 05/21] target/s390x: Support AES ECB for cpacf km instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (3 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 04/21] target/s390x: Support cpacf sha256 Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 06/21] target/s390x: Support AES CBC for cpacf kmc instruction Harald Freudenberger
` (15 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support the subfunctions CPACF_KM_AES_128, CPACF_KM_AES_192
and CPACF_KM_AES_256 for the cpacf km instruction.
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/gen-features.c | 3 +
target/s390x/tcg/cpacf.h | 6 ++
target/s390x/tcg/cpacf_aes.c | 112 +++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 24 +++++++
target/s390x/tcg/meson.build | 1 +
5 files changed, 146 insertions(+)
create mode 100644 target/s390x/tcg/cpacf_aes.c
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 5cf5b92c37..a35d1fd2f9 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -921,6 +921,9 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KLMD_SHA_256,
S390_FEAT_KLMD_SHA_512,
S390_FEAT_PRNO_TRNG,
+ S390_FEAT_KM_AES_128,
+ S390_FEAT_KM_AES_192,
+ S390_FEAT_KM_AES_256,
};
/****** END FEATURE DEFS ******/
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index d295b49699..ca1850c976 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -233,4 +233,10 @@ int cpacf_sha512(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *message_reg, uint64_t *len_reg,
uint32_t type);
+/* from cpacf_aes.c */
+int cpacf_aes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod);
+
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
new file mode 100644
index 0000000000..3b0676b7d5
--- /dev/null
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -0,0 +1,112 @@
+/*
+ * s390 cpacf aes
+ *
+ * Authors:
+ * Harald Freudenberger <freude@linux.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "s390x-internal.h"
+#include "tcg_s390x.h"
+#include "accel/tcg/cpu-ldst-common.h"
+#include "accel/tcg/cpu-mmu-index.h"
+#include "crypto/aes.h"
+#include "target/s390x/tcg/cpacf.h"
+
+static void aes_read_block(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint8_t *a, uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+
+ for (int i = 0; i < AES_BLOCK_SIZE; i++, addr += 1) {
+ uint64_t _addr = wrap_address(env, addr);
+ a[i] = cpu_ldb_mmu(env, _addr, oi, ra);
+ }
+}
+
+static void aes_write_block(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint8_t *a, uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+
+ for (int i = 0; i < AES_BLOCK_SIZE; i++, addr += 1) {
+ uint64_t _addr = wrap_address(env, addr);
+ cpu_stb_mmu(env, _addr, a[i], oi, ra);
+ }
+}
+
+int cpacf_aes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod)
+{
+ enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
+ uint64_t addr, len = *src_len_reg, done = 0;
+ int i, keysize, addr_reg_size = 64;
+ uint8_t key[32];
+ AES_KEY exkey;
+
+ g_assert(type == S390_FEAT_TYPE_KM);
+ switch (fc) {
+ case CPACF_KM_AES_128:
+ keysize = 16;
+ break;
+ case CPACF_KM_AES_192:
+ keysize = 24;
+ break;
+ case CPACF_KM_AES_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ addr_reg_size = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* length has to be properly aligned. */
+ if (!QEMU_IS_ALIGNED(len, AES_BLOCK_SIZE)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ /* fetch key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* expand key */
+ if (mod) {
+ AES_set_decrypt_key(key, keysize * 8, &exkey);
+ } else {
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+ }
+
+ /* process up to MAX_BLOCKS_PER_RUN aes blocks */
+ for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ if (mod) {
+ AES_decrypt(in, out, &exkey);
+ } else {
+ AES_encrypt(in, out, &exkey);
+ }
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ len -= AES_BLOCK_SIZE;
+ done += AES_BLOCK_SIZE;
+ }
+
+ *src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
+ *src_ptr_reg + done);
+ *dst_ptr_reg = deposit64(*dst_ptr_reg, 0, addr_reg_size,
+ *dst_ptr_reg + done);
+ *src_len_reg -= done;
+
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 6c296f6731..3907b9748c 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -89,6 +89,27 @@ static int cpacf_klmd(CPUS390XState *env, const int mmu_idx, const uintptr_t ra,
return rc;
}
+static int cpacf_km(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint32_t r1, uint32_t r2, uint32_t r3,
+ uint8_t fc, uint8_t mod)
+{
+ int rc = 0;
+
+ switch (fc) {
+ case CPACF_KM_AES_128:
+ case CPACF_KM_AES_192:
+ case CPACF_KM_AES_256:
+ rc = cpacf_aes_ecb(env, mmu_idx, ra, env->regs[1],
+ &env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
+ S390_FEAT_TYPE_KM, fc, mod);
+ break;
+ default:
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ return rc;
+}
+
static int cpacf_ppno(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint32_t r1, uint32_t r2, uint32_t r3, uint8_t fc)
{
@@ -153,6 +174,9 @@ uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
case S390_FEAT_TYPE_KLMD:
rc = cpacf_klmd(env, mmu_idx, ra, r1, r2, r3, fc);
break;
+ case S390_FEAT_TYPE_KM:
+ rc = cpacf_km(env, mmu_idx, ra, r1, r2, r3, fc, mod);
+ break;
case S390_FEAT_TYPE_PPNO:
rc = cpacf_ppno(env, mmu_idx, ra, r1, r2, r3, fc);
break;
diff --git a/target/s390x/tcg/meson.build b/target/s390x/tcg/meson.build
index 8ae8da9708..6f2e75764b 100644
--- a/target/s390x/tcg/meson.build
+++ b/target/s390x/tcg/meson.build
@@ -5,6 +5,7 @@ s390x_ss.add(when: 'CONFIG_TCG', if_true: files(
))
s390x_common_ss.add(when: 'CONFIG_TCG', if_true: files(
'cc_helper.c',
+ 'cpacf_aes.c',
'cpacf_sha256.c',
'cpacf_sha512.c',
'crypto_helper.c',
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 06/21] target/s390x: Support AES CBC for cpacf kmc instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (4 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 05/21] target/s390x: Support AES ECB for cpacf km instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 07/21] target/s390x: Support AES CTR for cpacf kmctr instruction Harald Freudenberger
` (14 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support the subfunctions CPACF_KMC_AES_128, CPACF_KMC_AES_192
and CPACF_KMC_AES_256 for the cpacf kmc instruction.
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/gen-features.c | 3 +
target/s390x/tcg/cpacf.h | 4 ++
target/s390x/tcg/cpacf_aes.c | 103 +++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 24 +++++++
4 files changed, 134 insertions(+)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index a35d1fd2f9..9c0c0b229f 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -924,6 +924,9 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KM_AES_128,
S390_FEAT_KM_AES_192,
S390_FEAT_KM_AES_256,
+ S390_FEAT_KMC_AES_128,
+ S390_FEAT_KMC_AES_192,
+ S390_FEAT_KMC_AES_256,
};
/****** END FEATURE DEFS ******/
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index ca1850c976..572c588d38 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -238,5 +238,9 @@ int cpacf_aes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *dst_ptr_reg,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod);
+int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod);
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index 3b0676b7d5..add91876c6 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -110,3 +110,106 @@ int cpacf_aes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return !len ? 0 : 3;
}
+
+static void aes_xor(const uint8_t *src1, const uint8_t *src2, uint8_t *dst)
+{
+ for (int i = 0; i < AES_BLOCK_SIZE; i++) {
+ dst[i] = src1[i] ^ src2[i];
+ }
+}
+
+int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod)
+{
+ enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint64_t addr, len = *src_len_reg, done = 0;
+ int i, keysize, addr_reg_size = 64;
+ uint8_t key[32], iv[AES_BLOCK_SIZE];
+ AES_KEY exkey;
+
+ g_assert(type == S390_FEAT_TYPE_KMC);
+
+ switch (fc) {
+ case CPACF_KMC_AES_128:
+ keysize = 16;
+ break;
+ case CPACF_KMC_AES_192:
+ keysize = 24;
+ break;
+ case CPACF_KMC_AES_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ addr_reg_size = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* length has to be properly aligned. */
+ if (!QEMU_IS_ALIGNED(len, AES_BLOCK_SIZE)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ /* fetch iv from param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + i);
+ iv[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* fetch key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + AES_BLOCK_SIZE + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* expand key */
+ if (mod) {
+ AES_set_decrypt_key(key, keysize * 8, &exkey);
+ } else {
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+ }
+
+ /* process up to MAX_BLOCKS_PER_RUN aes blocks */
+ for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ if (mod) {
+ /* decrypt in => buf */
+ AES_decrypt(in, buf, &exkey);
+ /* buf xor iv => out */
+ aes_xor(buf, iv, out);
+ /* prep iv for next round */
+ memcpy(iv, in, AES_BLOCK_SIZE);
+ } else {
+ /* in xor iv => buf */
+ aes_xor(in, iv, buf);
+ /* encrypt buf => out */
+ AES_encrypt(buf, out, &exkey);
+ /* prep iv for next round */
+ memcpy(iv, out, AES_BLOCK_SIZE);
+ }
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ len -= AES_BLOCK_SIZE;
+ done += AES_BLOCK_SIZE;
+ }
+
+ /* update iv in param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + i);
+ cpu_stb_mmu(env, addr, iv[i], oi, ra);
+ }
+
+ *src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
+ *src_ptr_reg + done);
+ *dst_ptr_reg = deposit64(*dst_ptr_reg, 0, addr_reg_size,
+ *dst_ptr_reg + done);
+ *src_len_reg -= done;
+
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 3907b9748c..1fe1d7157b 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -110,6 +110,27 @@ static int cpacf_km(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return rc;
}
+static int cpacf_kmc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint32_t r1, uint32_t r2, uint32_t r3,
+ uint8_t fc, uint8_t mod)
+{
+ int rc = 0;
+
+ switch (fc) {
+ case CPACF_KMC_AES_128:
+ case CPACF_KMC_AES_192:
+ case CPACF_KMC_AES_256:
+ rc = cpacf_aes_cbc(env, mmu_idx, ra, env->regs[1],
+ &env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
+ S390_FEAT_TYPE_KMC, fc, mod);
+ break;
+ default:
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ return rc;
+}
+
static int cpacf_ppno(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint32_t r1, uint32_t r2, uint32_t r3, uint8_t fc)
{
@@ -177,6 +198,9 @@ uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
case S390_FEAT_TYPE_KM:
rc = cpacf_km(env, mmu_idx, ra, r1, r2, r3, fc, mod);
break;
+ case S390_FEAT_TYPE_KMC:
+ rc = cpacf_kmc(env, mmu_idx, ra, r1, r2, r3, fc, mod);
+ break;
case S390_FEAT_TYPE_PPNO:
rc = cpacf_ppno(env, mmu_idx, ra, r1, r2, r3, fc);
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 07/21] target/s390x: Support AES CTR for cpacf kmctr instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (5 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 06/21] target/s390x: Support AES CBC for cpacf kmc instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 08/21] target/s390x: Minimal AES XTS support for cpacf pcc instruction Harald Freudenberger
` (13 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support the subfunctions CPACF_KMCTR_AES_128, CPACF_KMCTR_AES_192
and CPACF_KMCTR_AES_256 for the cpacf kmctr instruction.
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/gen-features.c | 3 ++
target/s390x/tcg/cpacf.h | 5 +++
target/s390x/tcg/cpacf_aes.c | 77 ++++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 24 ++++++++++
4 files changed, 109 insertions(+)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 9c0c0b229f..59c2a47539 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -927,6 +927,9 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KMC_AES_128,
S390_FEAT_KMC_AES_192,
S390_FEAT_KMC_AES_256,
+ S390_FEAT_KMCTR_AES_128,
+ S390_FEAT_KMCTR_AES_192,
+ S390_FEAT_KMCTR_AES_256,
};
/****** END FEATURE DEFS ******/
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index 572c588d38..3707308661 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -242,5 +242,10 @@ int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *dst_ptr_reg,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod);
+int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint64_t *ctr_ptr_reg, uint32_t type,
+ uint8_t fc, uint8_t mod);
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index add91876c6..3d6aa19df2 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -213,3 +213,80 @@ int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return !len ? 0 : 3;
}
+
+int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint64_t *ctr_ptr_reg, uint32_t type,
+ uint8_t fc, uint8_t mod)
+{
+ enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t ctr[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
+ uint64_t addr, len = *src_len_reg, done = 0;
+ int i, keysize, addr_reg_size = 64;
+ uint8_t key[32];
+ AES_KEY exkey;
+
+ g_assert(type == S390_FEAT_TYPE_KMCTR);
+
+ switch (fc) {
+ case CPACF_KMCTR_AES_128:
+ keysize = 16;
+ break;
+ case CPACF_KMCTR_AES_192:
+ keysize = 24;
+ break;
+ case CPACF_KMCTR_AES_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ addr_reg_size = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* length has to be properly aligned. */
+ if (!QEMU_IS_ALIGNED(len, AES_BLOCK_SIZE)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ /* fetch key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* expand key */
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+
+ /* process up to MAX_BLOCKS_PER_RUN aes blocks */
+ for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
+ /* read in nonce/ctr => ctr */
+ aes_read_block(env, mmu_idx, *ctr_ptr_reg + done, ctr, ra);
+ /* encrypt ctr => buf */
+ AES_encrypt(ctr, buf, &exkey);
+ /* read in one block of input data => in */
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ /* xor input data with encrypted ctr => out */
+ aes_xor(in, buf, out);
+ /* write out the processed block */
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ len -= AES_BLOCK_SIZE;
+ done += AES_BLOCK_SIZE;
+ }
+
+ *src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
+ *src_ptr_reg + done);
+ *dst_ptr_reg = deposit64(*dst_ptr_reg, 0, addr_reg_size,
+ *dst_ptr_reg + done);
+ *ctr_ptr_reg = deposit64(*ctr_ptr_reg, 0, addr_reg_size,
+ *ctr_ptr_reg + done);
+ *src_len_reg -= done;
+
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 1fe1d7157b..9be8a14a80 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -131,6 +131,27 @@ static int cpacf_kmc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return rc;
}
+static int cpacf_kmctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint32_t r1, uint32_t r2, uint32_t r3,
+ uint8_t fc, uint8_t mod)
+{
+ int rc = 0;
+
+ switch (fc) {
+ case CPACF_KMCTR_AES_128:
+ case CPACF_KMCTR_AES_192:
+ case CPACF_KMCTR_AES_256:
+ rc = cpacf_aes_ctr(env, mmu_idx, ra, env->regs[1],
+ &env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
+ &env->regs[r3], S390_FEAT_TYPE_KMCTR, fc, mod);
+ break;
+ default:
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ return rc;
+}
+
static int cpacf_ppno(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint32_t r1, uint32_t r2, uint32_t r3, uint8_t fc)
{
@@ -201,6 +222,9 @@ uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
case S390_FEAT_TYPE_KMC:
rc = cpacf_kmc(env, mmu_idx, ra, r1, r2, r3, fc, mod);
break;
+ case S390_FEAT_TYPE_KMCTR:
+ rc = cpacf_kmctr(env, mmu_idx, ra, r1, r2, r3, fc, mod);
+ break;
case S390_FEAT_TYPE_PPNO:
rc = cpacf_ppno(env, mmu_idx, ra, r1, r2, r3, fc);
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 08/21] target/s390x: Minimal AES XTS support for cpacf pcc instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (6 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 07/21] target/s390x: Support AES CTR for cpacf kmctr instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 09/21] target/s390x: Support AES XTS for cpacf km instruction Harald Freudenberger
` (12 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support CPACF pcc subfunctions PCC-Compute-XTS-Parameter-AES-128
and PCC-Compute-XTS-Parameter-AES-128 but only for the special
case block sequential number is 0. However, this covers the s390
AES XTS implementation in the Linux kernel and Libica and thus
also Opencryptoki clear key via Libica.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Tested-by: Holger Dengler <dengler@linux.ibm.com>
---
target/s390x/gen-features.c | 2 +
target/s390x/tcg/cpacf.h | 2 +
target/s390x/tcg/cpacf_aes.c | 63 ++++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 20 ++++++++++
4 files changed, 87 insertions(+)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 59c2a47539..1b6a874b90 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -930,6 +930,8 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KMCTR_AES_128,
S390_FEAT_KMCTR_AES_192,
S390_FEAT_KMCTR_AES_256,
+ S390_FEAT_PCC_XTS_AES_128,
+ S390_FEAT_PCC_XTS_AES_256,
};
/****** END FEATURE DEFS ******/
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index 3707308661..2e8ed72758 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -247,5 +247,7 @@ int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint64_t *ctr_ptr_reg, uint32_t type,
uint8_t fc, uint8_t mod);
+int cpacf_aes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint8_t fc);
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index 3d6aa19df2..f41b7dc541 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -290,3 +290,66 @@ int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return !len ? 0 : 3;
}
+
+int cpacf_aes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint8_t fc)
+{
+ uint8_t key[32], tweak[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ int keysize, i;
+ uint64_t addr;
+ AES_KEY exkey;
+
+ switch (fc) {
+ case CPACF_PCC_XTS_AES_128:
+ keysize = 16;
+ break;
+ case CPACF_PCC_XTS_AES_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ /* fetch block sequence nr from param block into buf */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize + AES_BLOCK_SIZE + i);
+ buf[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* is the block sequence nr 0 ? */
+ for (i = 0; i < AES_BLOCK_SIZE && !buf[i]; i++) {
+ ;
+ }
+ if (i < AES_BLOCK_SIZE) {
+ /* no, sorry handling of non zero block sequence is not implemented */
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ return 1;
+ }
+
+ /* fetch key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* fetch tweak from param block into tweak */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize + i);
+ tweak[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* expand key */
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+
+ /* encrypt tweak */
+ AES_encrypt(tweak, buf, &exkey);
+
+ /* store encrypted tweak into xts parameter field of the param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize + 3 * AES_BLOCK_SIZE + i);
+ cpu_stb_mmu(env, addr, buf[i], oi, ra);
+ }
+
+ return 0;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 9be8a14a80..1d447cef30 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -169,6 +169,23 @@ static int cpacf_ppno(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return rc;
}
+static int cpacf_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint8_t fc)
+{
+ int rc = 0;
+
+ switch (fc) {
+ case CPACF_PCC_XTS_AES_128:
+ case CPACF_PCC_XTS_AES_256:
+ rc = cpacf_aes_pcc(env, mmu_idx, ra, env->regs[1], fc);
+ break;
+ default:
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ return rc;
+}
+
uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
uint32_t type)
{
@@ -225,6 +242,9 @@ uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
case S390_FEAT_TYPE_KMCTR:
rc = cpacf_kmctr(env, mmu_idx, ra, r1, r2, r3, fc, mod);
break;
+ case S390_FEAT_TYPE_PCC:
+ rc = cpacf_pcc(env, mmu_idx, ra, fc);
+ break;
case S390_FEAT_TYPE_PPNO:
rc = cpacf_ppno(env, mmu_idx, ra, r1, r2, r3, fc);
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 09/21] target/s390x: Support AES XTS for cpacf km instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (7 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 08/21] target/s390x: Minimal AES XTS support for cpacf pcc instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 10/21] target/s390x: Base support for cpacf protected keys Harald Freudenberger
` (11 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support the subfunctions XTS-AES-128 and XTS-AES-256
for the cpacf km instruction.
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/gen-features.c | 2 +
target/s390x/tcg/cpacf.h | 4 ++
target/s390x/tcg/cpacf_aes.c | 108 +++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 6 ++
4 files changed, 120 insertions(+)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 1b6a874b90..f9b1a40c7c 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -924,6 +924,8 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KM_AES_128,
S390_FEAT_KM_AES_192,
S390_FEAT_KM_AES_256,
+ S390_FEAT_KM_XTS_AES_128,
+ S390_FEAT_KM_XTS_AES_256,
S390_FEAT_KMC_AES_128,
S390_FEAT_KMC_AES_192,
S390_FEAT_KMC_AES_256,
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index 2e8ed72758..e585b77766 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -249,5 +249,9 @@ int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint8_t fc, uint8_t mod);
int cpacf_aes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint8_t fc);
+int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod);
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index f41b7dc541..4a28cc3d7c 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -353,3 +353,111 @@ int cpacf_aes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return 0;
}
+
+static void aes_xts_prep_next_tweak(uint8_t tweak[AES_BLOCK_SIZE])
+{
+ uint8_t carry;
+ int i;
+
+ carry = tweak[AES_BLOCK_SIZE - 1] >> 7;
+
+ for (i = AES_BLOCK_SIZE - 1; i > 0; i--) {
+ tweak[i] = (uint8_t)((tweak[i] << 1) | (tweak[i - 1] >> 7));
+ }
+
+ tweak[i] = (uint8_t)(tweak[i] << 1);
+ tweak[i] ^= (uint8_t)(0x87 & (uint8_t)(-(int8_t)carry));
+}
+
+int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod)
+{
+ enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
+ uint8_t buf1[AES_BLOCK_SIZE], buf2[AES_BLOCK_SIZE];
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint64_t addr, len = *src_len_reg, done = 0;
+ uint8_t key[32], tweak[AES_BLOCK_SIZE];
+ int i, keysize, addr_reg_size = 64;
+ AES_KEY exkey;
+
+ g_assert(type == S390_FEAT_TYPE_KM);
+
+ switch (fc) {
+ case CPACF_KM_XTS_128:
+ keysize = 16;
+ break;
+ case CPACF_KM_XTS_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ addr_reg_size = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* length has to be properly aligned. */
+ if (!QEMU_IS_ALIGNED(len, AES_BLOCK_SIZE)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ /* fetch key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* expand key */
+ if (mod) {
+ AES_set_decrypt_key(key, keysize * 8, &exkey);
+ } else {
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+ }
+
+ /* fetch tweak from param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize + i);
+ tweak[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* process up to MAX_BLOCKS_PER_RUN aes blocks */
+ for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
+ /* fetch one AES block into buf1 */
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, buf1, ra);
+ /* buf1 xor tweak => buf2 */
+ aes_xor(buf1, tweak, buf2);
+ if (mod) {
+ /* decrypt buf2 => buf1 */
+ AES_decrypt(buf2, buf1, &exkey);
+ } else {
+ /* encrypt buf2 => buf1 */
+ AES_encrypt(buf2, buf1, &exkey);
+ }
+ /* buf1 xor tweak => buf2 */
+ aes_xor(buf1, tweak, buf2);
+ /* prep tweak for next round */
+ aes_xts_prep_next_tweak(tweak);
+ /* write out this processed block from buf2 */
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, buf2, ra);
+ len -= AES_BLOCK_SIZE;
+ done += AES_BLOCK_SIZE;
+ }
+
+ /* update tweak in param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize + i);
+ cpu_stb_mmu(env, addr, tweak[i], oi, ra);
+ }
+
+ *src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
+ *src_ptr_reg + done);
+ *dst_ptr_reg = deposit64(*dst_ptr_reg, 0, addr_reg_size,
+ *dst_ptr_reg + done);
+ *src_len_reg -= done;
+
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 1d447cef30..564f7fa243 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -103,6 +103,12 @@ static int cpacf_km(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
&env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
S390_FEAT_TYPE_KM, fc, mod);
break;
+ case CPACF_KM_XTS_128:
+ case CPACF_KM_XTS_256:
+ rc = cpacf_aes_xts(env, mmu_idx, ra, env->regs[1],
+ &env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
+ S390_FEAT_TYPE_KM, fc, mod);
+ break;
default:
tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 10/21] target/s390x: Base support for cpacf protected keys
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (8 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 09/21] target/s390x: Support AES XTS for cpacf km instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 11/21] target/s390x: Support pckmo encrypt AES subfunctions Harald Freudenberger
` (10 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Add base support for cpacf protected key handling.
The qemu version provided here is only a fake intended to make
protected key available for developing and testing purpose:
* The protected key is 'derived' from the clear key by xoring
the fixed pattern 0xAAAA... onto the key value.
* The AES Wrapping Key Verification Pattern is a fixed
value of 32 bytes 0xFACEFACE...
Add preprocessor defines for the xor pattern and wkvp used to
construct ('encrypt') a protected key from a clear key value with
this implementation. Also add some static functions to 'encrypt'
from clear key to protected key and 'decrypt' back to cpacf_aes.c.
The preprocessor defines shall be used later in testcases to
construct and decode protected keys.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/tcg/cpacf.h | 25 +++++++++++++++++++++++
target/s390x/tcg/cpacf_aes.c | 39 ++++++++++++++++++++++++++++++++++++
2 files changed, 64 insertions(+)
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index e585b77766..df7f258443 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -254,4 +254,29 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod);
+/*
+ * Support for protected key cpacf functions. Note that this is
+ * a fake implementation intended for debugging and development.
+ * Do not use for production load !
+ */
+
+/*
+ * Hard coded pattern xored with the AES clear key
+ * to 'produce' the protected key.
+ */
+#define PROTKEY_XOR_PATTERN { \
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, \
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, \
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, \
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA }
+
+/*
+ * Hard coded wkvp ("Wrapping Key Verification Pattern")
+ */
+#define PROTKEY_WKVP { \
+ 0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E, \
+ 0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E, \
+ 0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E, \
+ 0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E }
+
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index 4a28cc3d7c..6702006b66 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -461,3 +461,42 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return !len ? 0 : 3;
}
+
+/*
+ * Support for protected key cpacf functions. Note that this is
+ * a fake implementation intended for debugging and development.
+ * Do not use for production load !
+ */
+
+/*
+ * Hard coded pattern xored with the AES clear key
+ * to 'produce' the protected key.
+ */
+static const uint8_t protkey_xor_pattern[32] = PROTKEY_XOR_PATTERN;
+
+/*
+ * Hard coded wkvp ("Wrapping Key Verification Pattern")
+ */
+static const uint8_t protkey_wkvp[32] = PROTKEY_WKVP;
+
+/*
+ * 'encrypt' the clear key value into a protected key
+ * by xor-ing the protkey_xor_pattern onto it.
+ */
+static void encrypt_clrkey(uint8_t *key, int keysize)
+{
+ for (int i = 0; i < keysize; i++) {
+ key[i] ^= protkey_xor_pattern[i];
+ }
+}
+
+/*
+ * 'decrypt' the protected key by reverting the xor
+ * of the protkey_xor_pattern onto the clear key value.
+ */
+static void decrypt_protkey(uint8_t *key, int keysize)
+{
+ for (int i = 0; i < keysize; i++) {
+ key[i] ^= protkey_xor_pattern[i];
+ }
+}
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 11/21] target/s390x: Support pckmo encrypt AES subfunctions
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (9 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 10/21] target/s390x: Base support for cpacf protected keys Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 12/21] target/s390x: Support protected key AES ECB for cpacf km instruction Harald Freudenberger
` (9 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support the subfuctions PCKMO-Encrypt-AES-128-Key,
PCKMO-Encrypt-AES-192-Key and PCKMO-Encrypt-AES-256-Key.
These subfunctions derive a protected key from an AES clear key
by encrypting it with an internal AES wrapping key. More
details can be found in the "z/Architecture Prinziples of
Operation" document.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
---
target/s390x/gen-features.c | 3 +++
target/s390x/tcg/cpacf.h | 4 +++
target/s390x/tcg/cpacf_aes.c | 45 ++++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 21 +++++++++++++++
target/s390x/tcg/translate.c | 9 +++++--
5 files changed, 80 insertions(+), 2 deletions(-)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index f9b1a40c7c..d3e69aaca6 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -934,6 +934,9 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KMCTR_AES_256,
S390_FEAT_PCC_XTS_AES_128,
S390_FEAT_PCC_XTS_AES_256,
+ S390_FEAT_PCKMO_AES_128,
+ S390_FEAT_PCKMO_AES_192,
+ S390_FEAT_PCKMO_AES_256,
};
/****** END FEATURE DEFS ******/
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index df7f258443..7512c0ea4c 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -279,4 +279,8 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E, \
0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E }
+/* from cpacf_aes.c */
+int cpacf_aes_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint8_t fc);
+
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index 6702006b66..37c616ca5c 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -500,3 +500,48 @@ static void decrypt_protkey(uint8_t *key, int keysize)
key[i] ^= protkey_xor_pattern[i];
}
}
+
+int cpacf_aes_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint8_t fc)
+{
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t key[32];
+ int keysize, i;
+ uint64_t addr;
+
+ switch (fc) {
+ case CPACF_PCKMO_ENC_AES_128_KEY:
+ keysize = 16;
+ break;
+ case CPACF_PCKMO_ENC_AES_192_KEY:
+ keysize = 24;
+ break;
+ case CPACF_PCKMO_ENC_AES_256_KEY:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ /* fetch key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* 'derive' the protected key from the clear key */
+ encrypt_clrkey(key, keysize);
+
+ /* store the protected key into param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ cpu_stb_mmu(env, addr, key[i], oi, ra);
+ }
+ /* followed by the fake wkvp */
+ for (i = 0; i < sizeof(protkey_wkvp); i++) {
+ addr = wrap_address(env, param_addr + keysize + i);
+ cpu_stb_mmu(env, addr, protkey_wkvp[i], oi, ra);
+ }
+
+ return 0;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 564f7fa243..08151e916f 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -192,6 +192,24 @@ static int cpacf_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return rc;
}
+static int cpacf_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint8_t fc)
+{
+ int rc = 0;
+
+ switch (fc) {
+ case CPACF_PCKMO_ENC_AES_128_KEY:
+ case CPACF_PCKMO_ENC_AES_192_KEY:
+ case CPACF_PCKMO_ENC_AES_256_KEY:
+ rc = cpacf_aes_pckmo(env, mmu_idx, ra, env->regs[1], fc);
+ break;
+ default:
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ return rc;
+}
+
uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
uint32_t type)
{
@@ -251,6 +269,9 @@ uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
case S390_FEAT_TYPE_PCC:
rc = cpacf_pcc(env, mmu_idx, ra, fc);
break;
+ case S390_FEAT_TYPE_PCKMO:
+ rc = cpacf_pckmo(env, mmu_idx, ra, fc);
+ break;
case S390_FEAT_TYPE_PPNO:
rc = cpacf_ppno(env, mmu_idx, ra, r1, r2, r3, fc);
break;
diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index cef1b55149..d7a99e6c1e 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -2558,6 +2558,7 @@ static DisasJumpType op_msa(DisasContext *s, DisasOps *o)
int r2 = have_field(s, r2) ? get_field(s, r2) : 0;
int r3 = have_field(s, r3) ? get_field(s, r3) : 0;
TCGv_i32 t_r1, t_r2, t_r3, type;
+ bool update_cc = true;
switch (s->insn->data) {
case S390_FEAT_TYPE_KMA:
@@ -2589,8 +2590,10 @@ static DisasJumpType op_msa(DisasContext *s, DisasOps *o)
gen_program_exception(s, PGM_SPECIFICATION);
return DISAS_NORETURN;
}
- /* FALL THROUGH */
+ break;
case S390_FEAT_TYPE_PCKMO:
+ update_cc = false;
+ /* FALL THROUGH */
case S390_FEAT_TYPE_PCC:
case S390_FEAT_TYPE_KDSA:
break;
@@ -2603,7 +2606,9 @@ static DisasJumpType op_msa(DisasContext *s, DisasOps *o)
t_r3 = tcg_constant_i32(r3);
type = tcg_constant_i32(s->insn->data);
gen_helper_msa(cc_op, tcg_env, t_r1, t_r2, t_r3, type);
- set_cc_static(s);
+ if (update_cc) {
+ set_cc_static(s);
+ }
return DISAS_NEXT;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 12/21] target/s390x: Support protected key AES ECB for cpacf km instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (10 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 11/21] target/s390x: Support pckmo encrypt AES subfunctions Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 13/21] target/s390x: Support protected key AES CBC for cpacf kmc instruction Harald Freudenberger
` (8 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support the subfunctions CPACF_KM_PAES_128, CPACF_KM_PAES_192
and CPACF_KM_PAES_256 for the cpacf km instruction.
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/gen-features.c | 3 ++
target/s390x/tcg/cpacf.h | 4 ++
target/s390x/tcg/cpacf_aes.c | 86 ++++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 7 +++
4 files changed, 100 insertions(+)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index d3e69aaca6..71e0e41d6e 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -924,6 +924,9 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KM_AES_128,
S390_FEAT_KM_AES_192,
S390_FEAT_KM_AES_256,
+ S390_FEAT_KM_EAES_128,
+ S390_FEAT_KM_EAES_192,
+ S390_FEAT_KM_EAES_256,
S390_FEAT_KM_XTS_AES_128,
S390_FEAT_KM_XTS_AES_256,
S390_FEAT_KMC_AES_128,
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index 7512c0ea4c..cc545fb703 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -282,5 +282,9 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* from cpacf_aes.c */
int cpacf_aes_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint8_t fc);
+int cpacf_paes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod);
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index 37c616ca5c..b7f1dc99e9 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -545,3 +545,89 @@ int cpacf_aes_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return 0;
}
+
+int cpacf_paes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod)
+{
+ enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
+ uint64_t addr, len = *src_len_reg, done = 0;
+ int i, keysize, addr_reg_size = 64;
+ uint8_t key[32], wkvp[32];
+ AES_KEY exkey;
+
+ g_assert(type == S390_FEAT_TYPE_KM);
+
+ switch (fc) {
+ case CPACF_KM_PAES_128:
+ keysize = 16;
+ break;
+ case CPACF_KM_PAES_192:
+ keysize = 24;
+ break;
+ case CPACF_KM_PAES_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ addr_reg_size = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* length has to be properly aligned. */
+ if (!QEMU_IS_ALIGNED(len, AES_BLOCK_SIZE)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ /* fetch and check wkvp from param block */
+ for (i = 0; i < sizeof(wkvp); i++) {
+ addr = wrap_address(env, param_addr + keysize + i);
+ wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
+ /* wkvp mismatch -> return with cc 1 */
+ return 1;
+ }
+
+ /* fetch protected key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ /* decrypt the protected key */
+ decrypt_protkey(key, keysize);
+
+ /* expand key */
+ if (mod) {
+ AES_set_decrypt_key(key, keysize * 8, &exkey);
+ } else {
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+ }
+
+ /* process up to MAX_BLOCKS_PER_RUN aes blocks */
+ for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ if (mod) {
+ AES_decrypt(in, out, &exkey);
+ } else {
+ AES_encrypt(in, out, &exkey);
+ }
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ len -= AES_BLOCK_SIZE;
+ done += AES_BLOCK_SIZE;
+ }
+
+ *src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
+ *src_ptr_reg + done);
+ *dst_ptr_reg = deposit64(*dst_ptr_reg, 0, addr_reg_size,
+ *dst_ptr_reg + done);
+ *src_len_reg -= done;
+
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 08151e916f..b00351d8c1 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -103,6 +103,13 @@ static int cpacf_km(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
&env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
S390_FEAT_TYPE_KM, fc, mod);
break;
+ case CPACF_KM_PAES_128:
+ case CPACF_KM_PAES_192:
+ case CPACF_KM_PAES_256:
+ rc = cpacf_paes_ecb(env, mmu_idx, ra, env->regs[1],
+ &env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
+ S390_FEAT_TYPE_KM, fc, mod);
+ break;
case CPACF_KM_XTS_128:
case CPACF_KM_XTS_256:
rc = cpacf_aes_xts(env, mmu_idx, ra, env->regs[1],
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 13/21] target/s390x: Support protected key AES CBC for cpacf kmc instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (11 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 12/21] target/s390x: Support protected key AES ECB for cpacf km instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 14/21] target/s390x: Support protected key AES CTR for cpacf kmctr instruction Harald Freudenberger
` (7 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support the subfunctions CPACF_KMC_PAES_128, CPACF_KMC_PAES_192
and CPACF_KMC_PAES_256 for the cpacf kmc instruction.
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/gen-features.c | 3 +
target/s390x/tcg/cpacf.h | 4 ++
target/s390x/tcg/cpacf_aes.c | 108 +++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 7 ++
4 files changed, 122 insertions(+)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 71e0e41d6e..074c53aecd 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -932,6 +932,9 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KMC_AES_128,
S390_FEAT_KMC_AES_192,
S390_FEAT_KMC_AES_256,
+ S390_FEAT_KMC_EAES_128,
+ S390_FEAT_KMC_EAES_192,
+ S390_FEAT_KMC_EAES_256,
S390_FEAT_KMCTR_AES_128,
S390_FEAT_KMCTR_AES_192,
S390_FEAT_KMCTR_AES_256,
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index cc545fb703..b0d484c3cb 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -286,5 +286,9 @@ int cpacf_paes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *dst_ptr_reg,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod);
+int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod);
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index b7f1dc99e9..bb3488e38f 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -631,3 +631,111 @@ int cpacf_paes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return !len ? 0 : 3;
}
+
+int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod)
+{
+ enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t key[32], wkvp[32], iv[AES_BLOCK_SIZE];
+ uint64_t addr, len = *src_len_reg, done = 0;
+ int i, keysize, addr_reg_size = 64;
+ AES_KEY exkey;
+
+ g_assert(type == S390_FEAT_TYPE_KMC);
+
+ switch (fc) {
+ case CPACF_KMC_PAES_128:
+ keysize = 16;
+ break;
+ case CPACF_KMC_PAES_192:
+ keysize = 24;
+ break;
+ case CPACF_KMC_PAES_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ addr_reg_size = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* length has to be properly aligned. */
+ if (!QEMU_IS_ALIGNED(len, AES_BLOCK_SIZE)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ /* fetch and check wkvp from param block */
+ for (i = 0; i < sizeof(wkvp); i++) {
+ addr = wrap_address(env, param_addr + AES_BLOCK_SIZE + keysize + i);
+ wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
+ /* wkvp mismatch -> return with cc 1 */
+ return 1;
+ }
+
+ /* fetch iv from param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + i);
+ iv[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* fetch protected key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + AES_BLOCK_SIZE + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ /* decrypt the protected key */
+ decrypt_protkey(key, keysize);
+
+ /* expand key */
+ if (mod) {
+ AES_set_decrypt_key(key, keysize * 8, &exkey);
+ } else {
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+ }
+
+ /* process up to MAX_BLOCKS_PER_RUN aes blocks */
+ for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ if (mod) {
+ /* decrypt in => buf */
+ AES_decrypt(in, buf, &exkey);
+ /* buf xor iv => out */
+ aes_xor(buf, iv, out);
+ /* prep iv for next round */
+ memcpy(iv, in, AES_BLOCK_SIZE);
+ } else {
+ /* in xor iv => buf */
+ aes_xor(in, iv, buf);
+ /* encrypt buf => out */
+ AES_encrypt(buf, out, &exkey);
+ /* prep iv for next round */
+ memcpy(iv, out, AES_BLOCK_SIZE);
+ }
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ len -= AES_BLOCK_SIZE;
+ done += AES_BLOCK_SIZE;
+ }
+
+ /* update iv in param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + i);
+ cpu_stb_mmu(env, addr, iv[i], oi, ra);
+ }
+
+ *src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
+ *src_ptr_reg + done);
+ *dst_ptr_reg = deposit64(*dst_ptr_reg, 0, addr_reg_size,
+ *dst_ptr_reg + done);
+ *src_len_reg -= done;
+
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index b00351d8c1..237ce744b7 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -137,6 +137,13 @@ static int cpacf_kmc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
&env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
S390_FEAT_TYPE_KMC, fc, mod);
break;
+ case CPACF_KMC_PAES_128:
+ case CPACF_KMC_PAES_192:
+ case CPACF_KMC_PAES_256:
+ rc = cpacf_paes_cbc(env, mmu_idx, ra, env->regs[1],
+ &env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
+ S390_FEAT_TYPE_KMC, fc, mod);
+ break;
default:
tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 14/21] target/s390x: Support protected key AES CTR for cpacf kmctr instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (12 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 13/21] target/s390x: Support protected key AES CBC for cpacf kmc instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 15/21] target/s390x: Minimal protected key AES XTS support for cpacf pcc instruction Harald Freudenberger
` (6 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support the subfunctions CPACF_KMCTR_PAES_128, CPACF_KMCTR_PAES_192
and CPACF_KMCTR_PAES_256 for the cpacf kmctr instruction.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/gen-features.c | 3 ++
target/s390x/tcg/cpacf.h | 5 ++
target/s390x/tcg/cpacf_aes.c | 89 ++++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 7 +++
4 files changed, 104 insertions(+)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 074c53aecd..4a131dc191 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -938,6 +938,9 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KMCTR_AES_128,
S390_FEAT_KMCTR_AES_192,
S390_FEAT_KMCTR_AES_256,
+ S390_FEAT_KMCTR_EAES_128,
+ S390_FEAT_KMCTR_EAES_192,
+ S390_FEAT_KMCTR_EAES_256,
S390_FEAT_PCC_XTS_AES_128,
S390_FEAT_PCC_XTS_AES_256,
S390_FEAT_PCKMO_AES_128,
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index b0d484c3cb..6071f21fb6 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -290,5 +290,10 @@ int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *dst_ptr_reg,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod);
+int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint64_t *ctr_ptr_reg, uint32_t type,
+ uint8_t fc, uint8_t mod);
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index bb3488e38f..c52df6510f 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -739,3 +739,92 @@ int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return !len ? 0 : 3;
}
+
+int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint64_t *ctr_ptr_reg, uint32_t type,
+ uint8_t fc, uint8_t mod)
+{
+ enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t ctr[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
+ uint64_t addr, len = *src_len_reg, done = 0;
+ int i, keysize, addr_reg_size = 64;
+ uint8_t key[32], wkvp[32];
+ AES_KEY exkey;
+
+ g_assert(type == S390_FEAT_TYPE_KMCTR);
+
+ switch (fc) {
+ case CPACF_KMCTR_PAES_128:
+ keysize = 16;
+ break;
+ case CPACF_KMCTR_PAES_192:
+ keysize = 24;
+ break;
+ case CPACF_KMCTR_PAES_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ addr_reg_size = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* length has to be properly aligned. */
+ if (!QEMU_IS_ALIGNED(len, AES_BLOCK_SIZE)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ /* fetch and check wkvp from param block */
+ for (i = 0; i < sizeof(wkvp); i++) {
+ addr = wrap_address(env, param_addr + keysize + i);
+ wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
+ /* wkvp mismatch -> return with cc 1 */
+ return 1;
+ }
+
+ /* fetch protected key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ /* decrypt the protected key */
+ decrypt_protkey(key, keysize);
+
+ /* expand key */
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+
+ /* process up to MAX_BLOCKS_PER_RUN aes blocks */
+ for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
+ /* read in nonce/ctr => ctr */
+ aes_read_block(env, mmu_idx, *ctr_ptr_reg + done, ctr, ra);
+ /* encrypt ctr => buf */
+ AES_encrypt(ctr, buf, &exkey);
+ /* read in one block of input data => in */
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ /* exor input data with encrypted ctr => out */
+ aes_xor(in, buf, out);
+ /* write out the processed block */
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ len -= AES_BLOCK_SIZE;
+ done += AES_BLOCK_SIZE;
+ }
+
+ *src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
+ *src_ptr_reg + done);
+ *dst_ptr_reg = deposit64(*dst_ptr_reg, 0, addr_reg_size,
+ *dst_ptr_reg + done);
+ *ctr_ptr_reg = deposit64(*ctr_ptr_reg, 0, addr_reg_size,
+ *ctr_ptr_reg + done);
+ *src_len_reg -= done;
+
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 237ce744b7..73b2a6557c 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -165,6 +165,13 @@ static int cpacf_kmctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
&env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
&env->regs[r3], S390_FEAT_TYPE_KMCTR, fc, mod);
break;
+ case CPACF_KMCTR_PAES_128:
+ case CPACF_KMCTR_PAES_192:
+ case CPACF_KMCTR_PAES_256:
+ rc = cpacf_paes_ctr(env, mmu_idx, ra, env->regs[1],
+ &env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
+ &env->regs[r3], S390_FEAT_TYPE_KMCTR, fc, mod);
+ break;
default:
tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 15/21] target/s390x: Minimal protected key AES XTS support for cpacf pcc instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (13 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 14/21] target/s390x: Support protected key AES CTR for cpacf kmctr instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 16/21] target/s390x: Support protected key AES XTS for cpacf km instruction Harald Freudenberger
` (5 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support CPACF pcc subfunctions PCC-Compute-XTS-Parameter-Encrypted-AES-128
and PCC-Compute-XTS-Parameter-Encrypted-AES-128 but only for the special
case block sequential number is 0. However, this covers the s390 PAES XTS
implementation in the Linux kernel.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Tested-by: Holger Dengler <dengler@linux.ibm.com>
---
target/s390x/gen-features.c | 2 +
target/s390x/tcg/cpacf.h | 2 +
target/s390x/tcg/cpacf_aes.c | 77 ++++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 4 ++
4 files changed, 85 insertions(+)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 4a131dc191..126bacb281 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -943,6 +943,8 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KMCTR_EAES_256,
S390_FEAT_PCC_XTS_AES_128,
S390_FEAT_PCC_XTS_AES_256,
+ S390_FEAT_PCC_XTS_EAES_128,
+ S390_FEAT_PCC_XTS_EAES_256,
S390_FEAT_PCKMO_AES_128,
S390_FEAT_PCKMO_AES_192,
S390_FEAT_PCKMO_AES_256,
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index 6071f21fb6..9dc197388e 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -295,5 +295,7 @@ int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint64_t *ctr_ptr_reg, uint32_t type,
uint8_t fc, uint8_t mod);
+int cpacf_paes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint8_t fc);
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index c52df6510f..df4cd7ae70 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -828,3 +828,80 @@ int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return !len ? 0 : 3;
}
+
+int cpacf_paes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint8_t fc)
+{
+ uint8_t key[32], wkvp[32], tweak[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ int keysize, i;
+ uint64_t addr;
+ AES_KEY exkey;
+
+ switch (fc) {
+ case CPACF_PCC_XTS_PAES_128:
+ keysize = 16;
+ break;
+ case CPACF_PCC_XTS_PAES_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ /* fetch and check wkvp from param block */
+ for (i = 0; i < sizeof(wkvp); i++) {
+ addr = wrap_address(env, param_addr + keysize + i);
+ wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
+ /* wkvp mismatch -> return with cc 1 */
+ return 1;
+ }
+
+ /* fetch block sequence nr from param block into buf */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize +
+ sizeof(wkvp) + AES_BLOCK_SIZE + i);
+ buf[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* is the block sequence nr 0 ? */
+ for (i = 0; i < AES_BLOCK_SIZE && !buf[i]; i++) {
+ ;
+ }
+ if (i < AES_BLOCK_SIZE) {
+ /* no, sorry handling of non zero block sequence is not implemented */
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ return 1;
+ }
+
+ /* fetch protected key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ /* decrypt the protected key */
+ decrypt_protkey(key, keysize);
+
+ /* fetch tweak from param block into tweak */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize + sizeof(wkvp) + i);
+ tweak[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* expand key */
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+
+ /* encrypt tweak */
+ AES_encrypt(tweak, buf, &exkey);
+
+ /* store encrypted tweak into xts parameter field of the param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize +
+ sizeof(wkvp) + 3 * AES_BLOCK_SIZE + i);
+ cpu_stb_mmu(env, addr, buf[i], oi, ra);
+ }
+
+ return 0;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 73b2a6557c..5e924b78f5 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -206,6 +206,10 @@ static int cpacf_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
case CPACF_PCC_XTS_AES_256:
rc = cpacf_aes_pcc(env, mmu_idx, ra, env->regs[1], fc);
break;
+ case CPACF_PCC_XTS_PAES_128:
+ case CPACF_PCC_XTS_PAES_256:
+ rc = cpacf_paes_pcc(env, mmu_idx, ra, env->regs[1], fc);
+ break;
default:
tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 16/21] target/s390x: Support protected key AES XTS for cpacf km instruction
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (14 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 15/21] target/s390x: Minimal protected key AES XTS support for cpacf pcc instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 17/21] docs/s390: Document CPACF instructions support Harald Freudenberger
` (4 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Support the subfunctions CPACF_KM_PXTS_128 and CPACF_KM_PXTS_256
for the cpacf km instruction.
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/gen-features.c | 2 +
target/s390x/tcg/cpacf.h | 4 ++
target/s390x/tcg/cpacf_aes.c | 105 +++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 6 ++
4 files changed, 117 insertions(+)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 126bacb281..c4c59c3504 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -929,6 +929,8 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KM_EAES_256,
S390_FEAT_KM_XTS_AES_128,
S390_FEAT_KM_XTS_AES_256,
+ S390_FEAT_KM_XTS_EAES_128,
+ S390_FEAT_KM_XTS_EAES_256,
S390_FEAT_KMC_AES_128,
S390_FEAT_KMC_AES_192,
S390_FEAT_KMC_AES_256,
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index 9dc197388e..b2223b4d64 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -297,5 +297,9 @@ int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint8_t fc, uint8_t mod);
int cpacf_paes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint8_t fc);
+int cpacf_paes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod);
#endif /* S390X_CPACF_H */
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index df4cd7ae70..0c3cbb29e3 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -905,3 +905,108 @@ int cpacf_paes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return 0;
}
+
+int cpacf_paes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *dst_ptr_reg,
+ uint64_t *src_ptr_reg, uint64_t *src_len_reg,
+ uint32_t type, uint8_t fc, uint8_t mod)
+{
+ enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
+ uint8_t buf1[AES_BLOCK_SIZE], buf2[AES_BLOCK_SIZE];
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t key[32], wkvp[32], tweak[AES_BLOCK_SIZE];
+ uint64_t addr, len = *src_len_reg, done = 0;
+ int i, keysize, addr_reg_size = 64;
+ AES_KEY exkey;
+
+ g_assert(type == S390_FEAT_TYPE_KM);
+
+ switch (fc) {
+ case CPACF_KM_PXTS_128:
+ keysize = 16;
+ break;
+ case CPACF_KM_PXTS_256:
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ addr_reg_size = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* length has to be properly aligned. */
+ if (!QEMU_IS_ALIGNED(len, AES_BLOCK_SIZE)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ /* fetch and check wkvp from param block */
+ for (i = 0; i < sizeof(wkvp); i++) {
+ addr = wrap_address(env, param_addr + keysize + i);
+ wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
+ /* wkvp mismatch -> return with cc 1 */
+ return 1;
+ }
+
+ /* fetch protected key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ /* decrypt the protected key */
+ decrypt_protkey(key, keysize);
+
+ /* expand key */
+ if (mod) {
+ AES_set_decrypt_key(key, keysize * 8, &exkey);
+ } else {
+ AES_set_encrypt_key(key, keysize * 8, &exkey);
+ }
+
+ /* fetch tweak from param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize + sizeof(wkvp) + i);
+ tweak[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* process up to MAX_BLOCKS_PER_RUN aes blocks */
+ for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
+ /* fetch one AES block into buf1 */
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, buf1, ra);
+ /* buf1 xor tweak => buf2 */
+ aes_xor(buf1, tweak, buf2);
+ if (mod) {
+ /* decrypt buf2 => buf1 */
+ AES_decrypt(buf2, buf1, &exkey);
+ } else {
+ /* encrypt buf2 => buf1 */
+ AES_encrypt(buf2, buf1, &exkey);
+ }
+ /* buf1 xor tweak => buf2 */
+ aes_xor(buf1, tweak, buf2);
+ /* prep tweak for next round */
+ aes_xts_prep_next_tweak(tweak);
+ /* write out this processed block from buf2 */
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, buf2, ra);
+ len -= AES_BLOCK_SIZE;
+ done += AES_BLOCK_SIZE;
+ }
+
+ /* update tweak in param block */
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ addr = wrap_address(env, param_addr + keysize + sizeof(wkvp) + i);
+ cpu_stb_mmu(env, addr, tweak[i], oi, ra);
+ }
+
+ *src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
+ *src_ptr_reg + done);
+ *dst_ptr_reg = deposit64(*dst_ptr_reg, 0, addr_reg_size,
+ *dst_ptr_reg + done);
+ *src_len_reg -= done;
+
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 5e924b78f5..6172012979 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -116,6 +116,12 @@ static int cpacf_km(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
&env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
S390_FEAT_TYPE_KM, fc, mod);
break;
+ case CPACF_KM_PXTS_128:
+ case CPACF_KM_PXTS_256:
+ rc = cpacf_paes_xts(env, mmu_idx, ra, env->regs[1],
+ &env->regs[r1], &env->regs[r2], &env->regs[r2 + 1],
+ S390_FEAT_TYPE_KM, fc, mod);
+ break;
default:
tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 17/21] docs/s390: Document CPACF instructions support
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (15 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 16/21] target/s390x: Support protected key AES XTS for cpacf km instruction Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 18/21] crypto: Add aes-helpers file to support some AES modes Harald Freudenberger
` (3 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Add a first document covering the Qemu s390 CPACF instructions
and functions supported.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
---
docs/system/s390x/cpacf.rst | 144 +++++++++++++++++++++++++++++++++++
docs/system/target-s390x.rst | 1 +
2 files changed, 145 insertions(+)
create mode 100644 docs/system/s390x/cpacf.rst
diff --git a/docs/system/s390x/cpacf.rst b/docs/system/s390x/cpacf.rst
new file mode 100644
index 0000000000..1c3a07c59d
--- /dev/null
+++ b/docs/system/s390x/cpacf.rst
@@ -0,0 +1,144 @@
+CPACF Support
+=============
+
+CPACF
+-----
+
+CP Assist for Cryptographic Function (CPACF) is a hardware-integrated
+coprocessor feature built into every processor core of IBM Z and
+LinuxONE mainframes (s390x architecture). It provides high-speed,
+hardware-accelerated encryption and hashing directly on the CPU.
+
+CPACF provides a set of z/Architecture instructions (known as Message
+Security Assist or MSA) that execute cryptographic operations
+synchronously with the main processor.
+
+- Symmetric Encryption: Support for AES (128, 192, 256-bit), DES, and
+ Triple-DES (TDES).
+- Hashing: Acceleration for SHA-1, SHA-2 (up to SHA-512), SHA-3 and
+ SHAKE.
+- Random Number Generation: Pseudo Random Number Generator (PRNG) and
+ a hardware-based True Random Number Generator (TRNG).
+- Asymmetric Support: Elliptic Curve Cryptography (ECC) primitives
+ P-256, P-384, P-521, Montgomery/Edwards curves (e.g., Ed25519).
+
+Documentation about CPACF instructions is publicly available and
+can be found in the "z/Architecture Principles of Operation"
+accessible at the IBM documentation hub https://www.ibm.com/docs/en.
+For example the latest version as a pdf is available here:
+https://www.ibm.com/support/pages/zvm/library/other/22783214.pdf
+
+
+CPACF instructions
+------------------
+
+Here is a list of implemented CPACF instructions and the supported
+functions for each instruction:
+
+KDSA (COMPUTE DIGITAL SIGNATURE AUTHENTICATION)
+- Function code 0x00 - Function Query
+
+KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST)
+- Function code 0x00 - Function Query
+- Function code 0x02 - CPACF_KIMD_SHA_256
+- Function code 0x03 - CPACF_KIMD_SHA_512
+
+KLMD (COMPUTE LAST MESSAGE DIGEST)
+- Function code 0x00 - Function Query
+- Function code 0x02 - CPACF_KLMD_SHA_256
+- Function code 0x03 - CPACF_KLMD_SHA_512
+
+KM (CIPHER MESSAGE)
+- Function code 0x00 - Function Query
+- Function code 0x12 - CPACF_KM_AES_128
+- Function code 0x13 - CPACF_KM_AES_192
+- Function code 0x14 - CPACF_KM_AES_256
+- Function code 0x1a - CPACF_KM_PAES_128
+- Function code 0x1b - CPACF_KM_PAES_192
+- Function code 0x1c - CPACF_KM_PAES_256
+- Function code 0x32 - CPACF_KM_XTS_128
+- Function code 0x34 - CPACF_KM_XTS_256
+- Function code 0x3a - CPACF_KM_PXTS_128
+- Function code 0x3c - CPACF_KM_PXTS_256
+
+KMAC (COMPUTE MESSAGE AUTHENTICATION CODE)
+- Function code 0x00 - Function Query
+
+KMC (CIPHER MESSAGE WITH CHAINING)
+- Function code 0x00 - Function Query
+- Function code 0x12 - CPACF_KMC_AES_128
+- Function code 0x13 - CPACF_KMC_AES_192
+- Function code 0x14 - CPACF_KMC_AES_256
+- Function code 0x1a - CPACF_KMC_PAES_128
+- Function code 0x1b - CPACF_KMC_PAES_192
+- Function code 0x1c - CPACF_KMC_PAES_256
+
+KMCTR (CIPHER MESSAGE WITH COUNTER)
+- Function code 0x00 - Function Query
+- Function code 0x12 - CPACF_KMCTR_AES_128
+- Function code 0x13 - CPACF_KMCTR_AES_192
+- Function code 0x14 - CPACF_KMCTR_AES_256
+- Function code 0x1a - CPACF_KMCTR_PAES_128
+- Function code 0x1b - CPACF_KMCTR_PAES_192
+- Function code 0x1c - CPACF_KMCTR_PAES_256
+
+KMF (CIPHER MESSAGE WITH CIPHER FEEDBACK)
+- not supported
+
+KMO (CIPHER MESSAGE WITH OUTPUT FEEDBACK)
+- not supported
+
+PCC (PERFORM CRYPTOGRAPHIC COMPUTATION)
+- Function code 0x00 - Function Query
+- Function code 0x32 - compute XTS param AES-128
+- Function code 0x34 - compute XTS param AES-256
+- Function code 0x3a - compute XTS param Encrypted AES-128
+- Function code 0x3c - compute XTS param Encrypted AES-256
+
+PCKMO (PERFORM CRYPTOGRAPHIC KEY MANAGEMENT OPERATION)
+- Function code 0x00 - Function Query
+- Function code 0x12 - CPACF_PCKMO_ENC_AES_128_KEY
+- Function code 0x13 - CPACF_PCKMO_ENC_AES_192_KEY
+- Function code 0x14 - CPACF_PCKMO_ENC_AES_256_KEY
+
+PRNO (PERFORM RANDOM NUMBER OPERATION)
+- Function code 0x00 - Function Query
+- Function code 0x72 - CPACF_PRNO_TRNG
+
+Note that the use of a not supported CPACF instruction (KMF and KMO)
+or invocation of a not listed function will result in a Specification
+Exception.
+
+Not listed CPACF instructions (KMA, KMF, KMO) cause an Operation
+Exception when used. Not listed functions cause a Specification
+Exception when called. If only the query function is listed (KDSA),
+then the query function will return a function status word with all
+but the query function bit set to 0.
+
+
+Protected key support
+---------------------
+
+The qemu version for protected key support is only a fake provided
+here for developing and testing purpose:
+
+- The protected key is _derived_ from the clear key by xoring the
+ fixed pattern 0xAAAA... onto the key value.
+- The AES Wrapping Key Verification Pattern is a fixed value of 32
+ bytes 0xFACEFACE...
+
+The PCKMO instruction implementation does exactly this - _derive_ a
+_protected_ key from the clear key given by xor 0xAAAA... and writing
+the fixed value for the WKVP of 0xFACEFACE into the blob.
+The other subfunctions of the CPACF instructions dealing with
+protected key treat the protected key blob by first checking for the
+WKVP (against the fixed value of 0xFACEFACE...) and second
+_decrypting_ the key value by xoring 0xAAAA... and then execute the
+clear key operation with the decrypted key value.
+This is suitable for testing purpose but such keys are not for real
+production load and would open up a huge security breach!
+
+For more details about protected keys see the "z/Architecture
+Principles of Operation" document chapter "General Instructions"
+sub-chapter "Protection of Cryptographic Keys" and again the
+implementation here does NOT implement what is explained there.
diff --git a/docs/system/target-s390x.rst b/docs/system/target-s390x.rst
index 94c981e732..49159826eb 100644
--- a/docs/system/target-s390x.rst
+++ b/docs/system/target-s390x.rst
@@ -35,3 +35,4 @@ Architectural features
s390x/bootdevices
s390x/protvirt
s390x/cpu-topology
+ s390x/cpacf
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 18/21] crypto: Add aes-helpers file to support some AES modes
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (16 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 17/21] docs/s390: Document CPACF instructions support Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 19/21] target/s390x: Use generic AES helper functions Harald Freudenberger
` (2 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Add a new file crypto/aes-helpers.c with simple functions
to support some AES modes:
- AES cbc: AES_cbc_encrypt() AES_cbc_decrypt()
- AES ctr: AES_ctr_encrypt()
- AES xts: AES_xts_encrypt() AES_xts_decrypt()
and some AES related helpers:
- AES_xor()
- AES_xts_prep_next_tweak()
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
---
crypto/aes-helpers.c | 106 +++++++++++++++++++++++++++++++++++++++++++
crypto/meson.build | 1 +
include/crypto/aes.h | 14 ++++++
3 files changed, 121 insertions(+)
create mode 100644 crypto/aes-helpers.c
diff --git a/crypto/aes-helpers.c b/crypto/aes-helpers.c
new file mode 100644
index 0000000000..065a7afabf
--- /dev/null
+++ b/crypto/aes-helpers.c
@@ -0,0 +1,106 @@
+/*
+ * AES helper functions and mode implementations
+ *
+ * Authors:
+ * Harald Freudenberger <freude@linux.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdint.h>
+#include <string.h>
+#include "crypto/aes.h"
+
+void AES_xor(const unsigned char *src1, const unsigned char *src2,
+ unsigned char *dst)
+{
+ int i;
+
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ dst[i] = src1[i] ^ src2[i];
+ }
+}
+
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ unsigned char *iv, const AES_KEY *key)
+{
+ unsigned char buf[AES_BLOCK_SIZE];
+
+ /* in xor iv => buf */
+ AES_xor(in, iv, buf);
+ /* encrypt buf => out */
+ AES_encrypt(buf, out, key);
+ /* prep iv for next round */
+ memcpy(iv, out, AES_BLOCK_SIZE);
+}
+
+void AES_cbc_decrypt(const unsigned char *in, unsigned char *out,
+ unsigned char *iv, const AES_KEY *key)
+{
+ unsigned char buf[AES_BLOCK_SIZE];
+
+ /* decrypt in => buf */
+ AES_decrypt(in, buf, key);
+ /* buf xor iv => out */
+ AES_xor(buf, iv, out);
+ /* prep iv for next round */
+ memcpy(iv, in, AES_BLOCK_SIZE);
+}
+
+void AES_ctr_encrypt(const unsigned char *in, unsigned char *out,
+ const unsigned char *ctr, const AES_KEY *key)
+{
+ unsigned char buf[AES_BLOCK_SIZE];
+
+ /* encrypt ctr => buf */
+ AES_encrypt(ctr, buf, key);
+ /* exor input data with encrypted ctr => out */
+ AES_xor(in, buf, out);
+}
+
+/* Tweak calculation for AES XTS.
+ * Multiply tweak by α (x) in GF(2^128) per IEEE 1619-2007. The tweak
+ * is a 128-bit little-endian integer (tweak[0]=LSB, tweak[15]=MSB).
+ * This implementation has been verified on litte and big endian.
+ */
+void AES_xts_prep_next_tweak(unsigned char *tweak)
+{
+ unsigned char carry;
+ int i;
+
+ carry = tweak[AES_BLOCK_SIZE - 1] >> 7;
+
+ for (i = AES_BLOCK_SIZE - 1; i > 0; i--) {
+ tweak[i] = (unsigned char)((tweak[i] << 1) | (tweak[i - 1] >> 7));
+ }
+
+ tweak[i] = (unsigned char)(tweak[i] << 1);
+ tweak[i] ^= (unsigned char)(0x87 & (unsigned char)(-(unsigned char)carry));
+}
+
+void AES_xts_encrypt(const unsigned char *in, unsigned char *out,
+ const unsigned char *tweak, const AES_KEY *key)
+{
+ unsigned char buf1[AES_BLOCK_SIZE], buf2[AES_BLOCK_SIZE];
+
+ /* in xor tweak => buf1 */
+ AES_xor(in, tweak, buf1);
+ /* encrypt buf1 => buf2 */
+ AES_encrypt(buf1, buf2, key);
+ /* buf2 xor tweak => out */
+ AES_xor(buf2, tweak, out);
+}
+
+void AES_xts_decrypt(const unsigned char *in, unsigned char *out,
+ const unsigned char *tweak, const AES_KEY *key)
+{
+ unsigned char buf1[AES_BLOCK_SIZE], buf2[AES_BLOCK_SIZE];
+
+ /* in xor tweak => buf1 */
+ AES_xor(in, tweak, buf1);
+ /* encrypt buf1 => buf2 */
+ AES_decrypt(buf1, buf2, key);
+ /* buf2 xor tweak => out */
+ AES_xor(buf2, tweak, out);
+}
diff --git a/crypto/meson.build b/crypto/meson.build
index b51597a879..675f27311c 100644
--- a/crypto/meson.build
+++ b/crypto/meson.build
@@ -55,6 +55,7 @@ system_ss.add(when: gnutls, if_true: files('tls-cipher-suites.c'))
util_ss.add(files(
'aes.c',
+ 'aes-helpers.c',
'clmul.c',
'init.c',
'sm4.c',
diff --git a/include/crypto/aes.h b/include/crypto/aes.h
index 381f24c902..df6239cb9c 100644
--- a/include/crypto/aes.h
+++ b/include/crypto/aes.h
@@ -37,4 +37,18 @@ AES_Td0[x] = Si[x].[0e, 09, 0d, 0b];
extern const uint32_t AES_Te0[256], AES_Td0[256];
+void AES_xor(const unsigned char *src1, const unsigned char *src2,
+ unsigned char *dst);
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+ unsigned char *iv, const AES_KEY *key);
+void AES_cbc_decrypt(const unsigned char *in, unsigned char *out,
+ unsigned char *iv, const AES_KEY *key);
+void AES_ctr_encrypt(const unsigned char *in, unsigned char *out,
+ const unsigned char *ctr, const AES_KEY *key);
+void AES_xts_prep_next_tweak(unsigned char *tweak);
+void AES_xts_encrypt(const unsigned char *in, unsigned char *out,
+ const unsigned char *tweak, const AES_KEY *key);
+void AES_xts_decrypt(const unsigned char *in, unsigned char *out,
+ const unsigned char *tweak, const AES_KEY *key);
+
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 19/21] target/s390x: Use generic AES helper functions
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (17 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 18/21] crypto: Add aes-helpers file to support some AES modes Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 20/21] target/s390x: Improve fetch and store mem from and to guest Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 21/21] tests/tcg/s390x: Add tests for CPACF instructions Harald Freudenberger
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Rewrite the cpacf implementations to use the generic
AES helper functions from crypto/aes-helpers.c
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
---
target/s390x/tcg/cpacf_aes.c | 124 ++++++++++-------------------------
1 file changed, 36 insertions(+), 88 deletions(-)
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index 0c3cbb29e3..4298a0eac6 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -111,20 +111,13 @@ int cpacf_aes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return !len ? 0 : 3;
}
-static void aes_xor(const uint8_t *src1, const uint8_t *src2, uint8_t *dst)
-{
- for (int i = 0; i < AES_BLOCK_SIZE; i++) {
- dst[i] = src1[i] ^ src2[i];
- }
-}
-
int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *dst_ptr_reg,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod)
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
- uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint64_t addr, len = *src_len_reg, done = 0;
int i, keysize, addr_reg_size = 64;
@@ -180,19 +173,11 @@ int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
if (mod) {
- /* decrypt in => buf */
- AES_decrypt(in, buf, &exkey);
- /* buf xor iv => out */
- aes_xor(buf, iv, out);
- /* prep iv for next round */
- memcpy(iv, in, AES_BLOCK_SIZE);
+ /* decrypt in => out */
+ AES_cbc_decrypt(in, out, iv, &exkey);
} else {
- /* in xor iv => buf */
- aes_xor(in, iv, buf);
- /* encrypt buf => out */
- AES_encrypt(buf, out, &exkey);
- /* prep iv for next round */
- memcpy(iv, out, AES_BLOCK_SIZE);
+ /* encrypt in => out */
+ AES_cbc_encrypt(in, out, iv, &exkey);
}
aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
len -= AES_BLOCK_SIZE;
@@ -222,11 +207,10 @@ int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
- uint8_t ctr[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
uint64_t addr, len = *src_len_reg, done = 0;
+ uint8_t ctr[AES_BLOCK_SIZE], key[32];
int i, keysize, addr_reg_size = 64;
- uint8_t key[32];
AES_KEY exkey;
g_assert(type == S390_FEAT_TYPE_KMCTR);
@@ -268,12 +252,10 @@ int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
/* read in nonce/ctr => ctr */
aes_read_block(env, mmu_idx, *ctr_ptr_reg + done, ctr, ra);
- /* encrypt ctr => buf */
- AES_encrypt(ctr, buf, &exkey);
/* read in one block of input data => in */
aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
- /* xor input data with encrypted ctr => out */
- aes_xor(in, buf, out);
+ /* encrypt ctr and xor with in => out */
+ AES_ctr_encrypt(in, out, ctr, &exkey);
/* write out the processed block */
aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
len -= AES_BLOCK_SIZE;
@@ -354,28 +336,13 @@ int cpacf_aes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return 0;
}
-static void aes_xts_prep_next_tweak(uint8_t tweak[AES_BLOCK_SIZE])
-{
- uint8_t carry;
- int i;
-
- carry = tweak[AES_BLOCK_SIZE - 1] >> 7;
-
- for (i = AES_BLOCK_SIZE - 1; i > 0; i--) {
- tweak[i] = (uint8_t)((tweak[i] << 1) | (tweak[i - 1] >> 7));
- }
-
- tweak[i] = (uint8_t)(tweak[i] << 1);
- tweak[i] ^= (uint8_t)(0x87 & (uint8_t)(-(int8_t)carry));
-}
-
int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *dst_ptr_reg,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod)
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
- uint8_t buf1[AES_BLOCK_SIZE], buf2[AES_BLOCK_SIZE];
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint64_t addr, len = *src_len_reg, done = 0;
uint8_t key[32], tweak[AES_BLOCK_SIZE];
@@ -426,23 +393,19 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
- /* fetch one AES block into buf1 */
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, buf1, ra);
- /* buf1 xor tweak => buf2 */
- aes_xor(buf1, tweak, buf2);
+ /* fetch one AES block into in */
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
if (mod) {
- /* decrypt buf2 => buf1 */
- AES_decrypt(buf2, buf1, &exkey);
+ /* decrypt in => out */
+ AES_xts_decrypt(in, out, tweak, &exkey);
} else {
- /* encrypt buf2 => buf1 */
- AES_encrypt(buf2, buf1, &exkey);
+ /* encrypt in => out */
+ AES_xts_encrypt(in, out, tweak, &exkey);
}
- /* buf1 xor tweak => buf2 */
- aes_xor(buf1, tweak, buf2);
/* prep tweak for next round */
- aes_xts_prep_next_tweak(tweak);
- /* write out this processed block from buf2 */
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, buf2, ra);
+ AES_xts_prep_next_tweak(tweak);
+ /* write out this processed block from out */
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
@@ -638,7 +601,7 @@ int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint32_t type, uint8_t fc, uint8_t mod)
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
- uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint8_t key[32], wkvp[32], iv[AES_BLOCK_SIZE];
uint64_t addr, len = *src_len_reg, done = 0;
@@ -706,19 +669,11 @@ int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
if (mod) {
- /* decrypt in => buf */
- AES_decrypt(in, buf, &exkey);
- /* buf xor iv => out */
- aes_xor(buf, iv, out);
- /* prep iv for next round */
- memcpy(iv, in, AES_BLOCK_SIZE);
+ /* decrypt in => out */
+ AES_cbc_decrypt(in, out, iv, &exkey);
} else {
- /* in xor iv => buf */
- aes_xor(in, iv, buf);
- /* encrypt buf => out */
- AES_encrypt(buf, out, &exkey);
- /* prep iv for next round */
- memcpy(iv, out, AES_BLOCK_SIZE);
+ /* encrypt in => out */
+ AES_cbc_encrypt(in, out, iv, &exkey);
}
aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
len -= AES_BLOCK_SIZE;
@@ -748,11 +703,10 @@ int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
- uint8_t ctr[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
+ uint8_t ctr[AES_BLOCK_SIZE], key[32], wkvp[32];
uint64_t addr, len = *src_len_reg, done = 0;
int i, keysize, addr_reg_size = 64;
- uint8_t key[32], wkvp[32];
AES_KEY exkey;
g_assert(type == S390_FEAT_TYPE_KMCTR);
@@ -806,12 +760,10 @@ int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
/* read in nonce/ctr => ctr */
aes_read_block(env, mmu_idx, *ctr_ptr_reg + done, ctr, ra);
- /* encrypt ctr => buf */
- AES_encrypt(ctr, buf, &exkey);
/* read in one block of input data => in */
aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
- /* exor input data with encrypted ctr => out */
- aes_xor(in, buf, out);
+ /* encrypt ctr and xor with in => out */
+ AES_ctr_encrypt(in, out, ctr, &exkey);
/* write out the processed block */
aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
len -= AES_BLOCK_SIZE;
@@ -912,7 +864,7 @@ int cpacf_paes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint32_t type, uint8_t fc, uint8_t mod)
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
- uint8_t buf1[AES_BLOCK_SIZE], buf2[AES_BLOCK_SIZE];
+ uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint8_t key[32], wkvp[32], tweak[AES_BLOCK_SIZE];
uint64_t addr, len = *src_len_reg, done = 0;
@@ -975,23 +927,19 @@ int cpacf_paes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
- /* fetch one AES block into buf1 */
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, buf1, ra);
- /* buf1 xor tweak => buf2 */
- aes_xor(buf1, tweak, buf2);
+ /* fetch one AES block into in */
+ aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
if (mod) {
- /* decrypt buf2 => buf1 */
- AES_decrypt(buf2, buf1, &exkey);
+ /* decrypt in => out */
+ AES_xts_decrypt(in, out, tweak, &exkey);
} else {
- /* encrypt buf2 => buf1 */
- AES_encrypt(buf2, buf1, &exkey);
+ /* encrypt in => out */
+ AES_xts_encrypt(in, out, tweak, &exkey);
}
- /* buf1 xor tweak => buf2 */
- aes_xor(buf1, tweak, buf2);
/* prep tweak for next round */
- aes_xts_prep_next_tweak(tweak);
- /* write out this processed block from buf2 */
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, buf2, ra);
+ AES_xts_prep_next_tweak(tweak);
+ /* write out this processed block from out */
+ aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 20/21] target/s390x: Improve fetch and store mem from and to guest
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (18 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 19/21] target/s390x: Use generic AES helper functions Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 21/21] tests/tcg/s390x: Add tests for CPACF instructions Harald Freudenberger
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Introduce helper functions:
* copy_from_guest_wrap()
* copy_to_guest_wrap()
for copy some memory from guest into a local buffer and the reverse
direction. Rework the other functions to use these helpers. By doing
so some local variables could be removed also and the code is better
readable now.
Suggested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/tcg/cpacf_aes.c | 305 ++++++++++++++---------------------
1 file changed, 124 insertions(+), 181 deletions(-)
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index 4298a0eac6..15124f3274 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -16,37 +16,64 @@
#include "crypto/aes.h"
#include "target/s390x/tcg/cpacf.h"
-static void aes_read_block(CPUS390XState *env, const int mmu_idx,
- uint64_t addr, uint8_t *a, uintptr_t ra)
+/*
+ * helper function to copy some memory from guest to a local buffer
+ */
+static inline void copy_from_guest_wrap(CPUS390XState *env, const int mmu_idx,
+ const uintptr_t ra, uint64_t guest_addr,
+ uint8_t *dest, size_t len)
{
const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
- for (int i = 0; i < AES_BLOCK_SIZE; i++, addr += 1) {
- uint64_t _addr = wrap_address(env, addr);
- a[i] = cpu_ldb_mmu(env, _addr, oi, ra);
+ for (size_t i = 0; i < len; i++, guest_addr++) {
+ uint64_t waddr = wrap_address(env, guest_addr);
+ dest[i] = cpu_ldb_mmu(env, waddr, oi, ra);
}
}
-static void aes_write_block(CPUS390XState *env, const int mmu_idx,
- uint64_t addr, uint8_t *a, uintptr_t ra)
+/*
+ * helper function to copy from a local buffer to guest memory
+ */
+static inline void copy_to_guest_wrap(CPUS390XState *env, const int mmu_idx,
+ const uintptr_t ra, uint64_t guest_addr,
+ const uint8_t *src, size_t len)
{
const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
- for (int i = 0; i < AES_BLOCK_SIZE; i++, addr += 1) {
- uint64_t _addr = wrap_address(env, addr);
- cpu_stb_mmu(env, _addr, a[i], oi, ra);
+ for (size_t i = 0; i < len; i++, guest_addr++) {
+ uint64_t waddr = wrap_address(env, guest_addr);
+ cpu_stb_mmu(env, waddr, src[i], oi, ra);
}
}
+/*
+ * read exactly one AES block from guest memory into a local buffer
+ */
+static inline void aes_read_block(CPUS390XState *env, const int mmu_idx,
+ const uintptr_t ra, uint64_t guest_addr,
+ uint8_t *buf)
+{
+ copy_from_guest_wrap(env, mmu_idx, ra, guest_addr, buf, AES_BLOCK_SIZE);
+}
+
+/*
+ * write exactly one AES block from local buffer to guest memory
+ */
+static void aes_write_block(CPUS390XState *env, const int mmu_idx,
+ const uintptr_t ra, uint64_t guest_addr,
+ uint8_t *buf)
+{
+ copy_to_guest_wrap(env, mmu_idx, ra, guest_addr, buf, AES_BLOCK_SIZE);
+}
+
int cpacf_aes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *dst_ptr_reg,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod)
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
- uint64_t addr, len = *src_len_reg, done = 0;
+ uint64_t len = *src_len_reg, done = 0;
int i, keysize, addr_reg_size = 64;
uint8_t key[32];
AES_KEY exkey;
@@ -77,10 +104,7 @@ int cpacf_aes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* expand key */
if (mod) {
@@ -91,13 +115,13 @@ int cpacf_aes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ aes_read_block(env, mmu_idx, ra, *src_ptr_reg + done, in);
if (mod) {
AES_decrypt(in, out, &exkey);
} else {
AES_encrypt(in, out, &exkey);
}
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ aes_write_block(env, mmu_idx, ra, *dst_ptr_reg + done, out);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
@@ -118,8 +142,7 @@ int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
- uint64_t addr, len = *src_len_reg, done = 0;
+ uint64_t len = *src_len_reg, done = 0;
int i, keysize, addr_reg_size = 64;
uint8_t key[32], iv[AES_BLOCK_SIZE];
AES_KEY exkey;
@@ -151,16 +174,11 @@ int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch iv from param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + i);
- iv[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, iv, AES_BLOCK_SIZE);
/* fetch key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + AES_BLOCK_SIZE + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + AES_BLOCK_SIZE, key, keysize);
/* expand key */
if (mod) {
@@ -171,7 +189,7 @@ int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ aes_read_block(env, mmu_idx, ra, *src_ptr_reg + done, in);
if (mod) {
/* decrypt in => out */
AES_cbc_decrypt(in, out, iv, &exkey);
@@ -179,16 +197,13 @@ int cpacf_aes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* encrypt in => out */
AES_cbc_encrypt(in, out, iv, &exkey);
}
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ aes_write_block(env, mmu_idx, ra, *dst_ptr_reg + done, out);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
/* update iv in param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + i);
- cpu_stb_mmu(env, addr, iv[i], oi, ra);
- }
+ copy_to_guest_wrap(env, mmu_idx, ra, param_addr, iv, AES_BLOCK_SIZE);
*src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
*src_ptr_reg + done);
@@ -206,9 +221,8 @@ int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint8_t fc, uint8_t mod)
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
- uint64_t addr, len = *src_len_reg, done = 0;
+ uint64_t len = *src_len_reg, done = 0;
uint8_t ctr[AES_BLOCK_SIZE], key[32];
int i, keysize, addr_reg_size = 64;
AES_KEY exkey;
@@ -240,10 +254,7 @@ int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* expand key */
AES_set_encrypt_key(key, keysize * 8, &exkey);
@@ -251,13 +262,13 @@ int cpacf_aes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
/* read in nonce/ctr => ctr */
- aes_read_block(env, mmu_idx, *ctr_ptr_reg + done, ctr, ra);
+ aes_read_block(env, mmu_idx, ra, *ctr_ptr_reg + done, ctr);
/* read in one block of input data => in */
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ aes_read_block(env, mmu_idx, ra, *src_ptr_reg + done, in);
/* encrypt ctr and xor with in => out */
AES_ctr_encrypt(in, out, ctr, &exkey);
/* write out the processed block */
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ aes_write_block(env, mmu_idx, ra, *dst_ptr_reg + done, out);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
@@ -277,9 +288,7 @@ int cpacf_aes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint8_t fc)
{
uint8_t key[32], tweak[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
int keysize, i;
- uint64_t addr;
AES_KEY exkey;
switch (fc) {
@@ -294,10 +303,9 @@ int cpacf_aes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch block sequence nr from param block into buf */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize + AES_BLOCK_SIZE + i);
- buf[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize + AES_BLOCK_SIZE,
+ buf, AES_BLOCK_SIZE);
/* is the block sequence nr 0 ? */
for (i = 0; i < AES_BLOCK_SIZE && !buf[i]; i++) {
@@ -310,16 +318,11 @@ int cpacf_aes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* fetch tweak from param block into tweak */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize + i);
- tweak[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize, tweak, AES_BLOCK_SIZE);
/* expand key */
AES_set_encrypt_key(key, keysize * 8, &exkey);
@@ -328,10 +331,9 @@ int cpacf_aes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
AES_encrypt(tweak, buf, &exkey);
/* store encrypted tweak into xts parameter field of the param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize + 3 * AES_BLOCK_SIZE + i);
- cpu_stb_mmu(env, addr, buf[i], oi, ra);
- }
+ copy_to_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize + 3 * AES_BLOCK_SIZE,
+ buf, AES_BLOCK_SIZE);
return 0;
}
@@ -343,8 +345,7 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
- uint64_t addr, len = *src_len_reg, done = 0;
+ uint64_t len = *src_len_reg, done = 0;
uint8_t key[32], tweak[AES_BLOCK_SIZE];
int i, keysize, addr_reg_size = 64;
AES_KEY exkey;
@@ -373,10 +374,7 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* expand key */
if (mod) {
@@ -386,15 +384,13 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch tweak from param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize + i);
- tweak[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize, tweak, AES_BLOCK_SIZE);
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
/* fetch one AES block into in */
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ aes_read_block(env, mmu_idx, ra, *src_ptr_reg + done, in);
if (mod) {
/* decrypt in => out */
AES_xts_decrypt(in, out, tweak, &exkey);
@@ -405,16 +401,14 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* prep tweak for next round */
AES_xts_prep_next_tweak(tweak);
/* write out this processed block from out */
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ aes_write_block(env, mmu_idx, ra, *dst_ptr_reg + done, out);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
/* update tweak in param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize + i);
- cpu_stb_mmu(env, addr, tweak[i], oi, ra);
- }
+ copy_to_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize, tweak, AES_BLOCK_SIZE);
*src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
*src_ptr_reg + done);
@@ -467,10 +461,8 @@ static void decrypt_protkey(uint8_t *key, int keysize)
int cpacf_aes_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint8_t fc)
{
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint8_t key[32];
- int keysize, i;
- uint64_t addr;
+ int keysize;
switch (fc) {
case CPACF_PCKMO_ENC_AES_128_KEY:
@@ -487,24 +479,17 @@ int cpacf_aes_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* 'derive' the protected key from the clear key */
encrypt_clrkey(key, keysize);
/* store the protected key into param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- cpu_stb_mmu(env, addr, key[i], oi, ra);
- }
+ copy_to_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* followed by the fake wkvp */
- for (i = 0; i < sizeof(protkey_wkvp); i++) {
- addr = wrap_address(env, param_addr + keysize + i);
- cpu_stb_mmu(env, addr, protkey_wkvp[i], oi, ra);
- }
+ copy_to_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize,
+ protkey_wkvp, sizeof(protkey_wkvp));
return 0;
}
@@ -515,9 +500,8 @@ int cpacf_paes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint32_t type, uint8_t fc, uint8_t mod)
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
- uint64_t addr, len = *src_len_reg, done = 0;
+ uint64_t len = *src_len_reg, done = 0;
int i, keysize, addr_reg_size = 64;
uint8_t key[32], wkvp[32];
AES_KEY exkey;
@@ -549,20 +533,15 @@ int cpacf_paes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch and check wkvp from param block */
- for (i = 0; i < sizeof(wkvp); i++) {
- addr = wrap_address(env, param_addr + keysize + i);
- wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize, wkvp, sizeof(wkvp));
if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
/* wkvp mismatch -> return with cc 1 */
return 1;
}
/* fetch protected key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* decrypt the protected key */
decrypt_protkey(key, keysize);
@@ -575,13 +554,13 @@ int cpacf_paes_ecb(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ aes_read_block(env, mmu_idx, ra, *src_ptr_reg + done, in);
if (mod) {
AES_decrypt(in, out, &exkey);
} else {
AES_encrypt(in, out, &exkey);
}
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ aes_write_block(env, mmu_idx, ra, *dst_ptr_reg + done, out);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
@@ -602,9 +581,8 @@ int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint8_t key[32], wkvp[32], iv[AES_BLOCK_SIZE];
- uint64_t addr, len = *src_len_reg, done = 0;
+ uint64_t len = *src_len_reg, done = 0;
int i, keysize, addr_reg_size = 64;
AES_KEY exkey;
@@ -635,26 +613,20 @@ int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch and check wkvp from param block */
- for (i = 0; i < sizeof(wkvp); i++) {
- addr = wrap_address(env, param_addr + AES_BLOCK_SIZE + keysize + i);
- wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + AES_BLOCK_SIZE + keysize,
+ wkvp, sizeof(wkvp));
if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
/* wkvp mismatch -> return with cc 1 */
return 1;
}
/* fetch iv from param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + i);
- iv[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, iv, AES_BLOCK_SIZE);
/* fetch protected key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + AES_BLOCK_SIZE + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + AES_BLOCK_SIZE, key, keysize);
/* decrypt the protected key */
decrypt_protkey(key, keysize);
@@ -667,7 +639,7 @@ int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ aes_read_block(env, mmu_idx, ra, *src_ptr_reg + done, in);
if (mod) {
/* decrypt in => out */
AES_cbc_decrypt(in, out, iv, &exkey);
@@ -675,16 +647,13 @@ int cpacf_paes_cbc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* encrypt in => out */
AES_cbc_encrypt(in, out, iv, &exkey);
}
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ aes_write_block(env, mmu_idx, ra, *dst_ptr_reg + done, out);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
/* update iv in param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + i);
- cpu_stb_mmu(env, addr, iv[i], oi, ra);
- }
+ copy_to_guest_wrap(env, mmu_idx, ra, param_addr, iv, AES_BLOCK_SIZE);
*src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
*src_ptr_reg + done);
@@ -702,10 +671,9 @@ int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint8_t fc, uint8_t mod)
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
uint8_t ctr[AES_BLOCK_SIZE], key[32], wkvp[32];
- uint64_t addr, len = *src_len_reg, done = 0;
+ uint64_t len = *src_len_reg, done = 0;
int i, keysize, addr_reg_size = 64;
AES_KEY exkey;
@@ -736,20 +704,15 @@ int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch and check wkvp from param block */
- for (i = 0; i < sizeof(wkvp); i++) {
- addr = wrap_address(env, param_addr + keysize + i);
- wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize, wkvp, sizeof(wkvp));
if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
/* wkvp mismatch -> return with cc 1 */
return 1;
}
/* fetch protected key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* decrypt the protected key */
decrypt_protkey(key, keysize);
@@ -759,13 +722,13 @@ int cpacf_paes_ctr(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
/* read in nonce/ctr => ctr */
- aes_read_block(env, mmu_idx, *ctr_ptr_reg + done, ctr, ra);
+ aes_read_block(env, mmu_idx, ra, *ctr_ptr_reg + done, ctr);
/* read in one block of input data => in */
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ aes_read_block(env, mmu_idx, ra, *src_ptr_reg + done, in);
/* encrypt ctr and xor with in => out */
AES_ctr_encrypt(in, out, ctr, &exkey);
/* write out the processed block */
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ aes_write_block(env, mmu_idx, ra, *dst_ptr_reg + done, out);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
@@ -785,9 +748,7 @@ int cpacf_paes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint8_t fc)
{
uint8_t key[32], wkvp[32], tweak[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
int keysize, i;
- uint64_t addr;
AES_KEY exkey;
switch (fc) {
@@ -802,21 +763,17 @@ int cpacf_paes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch and check wkvp from param block */
- for (i = 0; i < sizeof(wkvp); i++) {
- addr = wrap_address(env, param_addr + keysize + i);
- wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize, wkvp, sizeof(wkvp));
if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
/* wkvp mismatch -> return with cc 1 */
return 1;
}
/* fetch block sequence nr from param block into buf */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize +
- sizeof(wkvp) + AES_BLOCK_SIZE + i);
- buf[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize + sizeof(wkvp) + AES_BLOCK_SIZE,
+ buf, AES_BLOCK_SIZE);
/* is the block sequence nr 0 ? */
for (i = 0; i < AES_BLOCK_SIZE && !buf[i]; i++) {
@@ -829,18 +786,14 @@ int cpacf_paes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch protected key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* decrypt the protected key */
decrypt_protkey(key, keysize);
/* fetch tweak from param block into tweak */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize + sizeof(wkvp) + i);
- tweak[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize + sizeof(wkvp),
+ tweak, AES_BLOCK_SIZE);
/* expand key */
AES_set_encrypt_key(key, keysize * 8, &exkey);
@@ -849,11 +802,9 @@ int cpacf_paes_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
AES_encrypt(tweak, buf, &exkey);
/* store encrypted tweak into xts parameter field of the param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize +
- sizeof(wkvp) + 3 * AES_BLOCK_SIZE + i);
- cpu_stb_mmu(env, addr, buf[i], oi, ra);
- }
+ copy_to_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize + sizeof(wkvp) + 3 * AES_BLOCK_SIZE,
+ buf, AES_BLOCK_SIZE);
return 0;
}
@@ -865,9 +816,8 @@ int cpacf_paes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
{
enum { MAX_BLOCKS_PER_RUN = 8192 / AES_BLOCK_SIZE };
uint8_t in[AES_BLOCK_SIZE], out[AES_BLOCK_SIZE];
- const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
uint8_t key[32], wkvp[32], tweak[AES_BLOCK_SIZE];
- uint64_t addr, len = *src_len_reg, done = 0;
+ uint64_t len = *src_len_reg, done = 0;
int i, keysize, addr_reg_size = 64;
AES_KEY exkey;
@@ -895,20 +845,15 @@ int cpacf_paes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch and check wkvp from param block */
- for (i = 0; i < sizeof(wkvp); i++) {
- addr = wrap_address(env, param_addr + keysize + i);
- wkvp[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize, wkvp, sizeof(wkvp));
if (memcmp(wkvp, protkey_wkvp, sizeof(wkvp))) {
/* wkvp mismatch -> return with cc 1 */
return 1;
}
/* fetch protected key from param block */
- for (i = 0; i < keysize; i++) {
- addr = wrap_address(env, param_addr + i);
- key[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra, param_addr, key, keysize);
/* decrypt the protected key */
decrypt_protkey(key, keysize);
@@ -920,15 +865,14 @@ int cpacf_paes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
}
/* fetch tweak from param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize + sizeof(wkvp) + i);
- tweak[i] = cpu_ldb_mmu(env, addr, oi, ra);
- }
+ copy_from_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize + sizeof(wkvp),
+ tweak, AES_BLOCK_SIZE);
/* process up to MAX_BLOCKS_PER_RUN aes blocks */
for (i = 0; i < MAX_BLOCKS_PER_RUN && len >= AES_BLOCK_SIZE; i++) {
/* fetch one AES block into in */
- aes_read_block(env, mmu_idx, *src_ptr_reg + done, in, ra);
+ aes_read_block(env, mmu_idx, ra, *src_ptr_reg + done, in);
if (mod) {
/* decrypt in => out */
AES_xts_decrypt(in, out, tweak, &exkey);
@@ -939,16 +883,15 @@ int cpacf_paes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
/* prep tweak for next round */
AES_xts_prep_next_tweak(tweak);
/* write out this processed block from out */
- aes_write_block(env, mmu_idx, *dst_ptr_reg + done, out, ra);
+ aes_write_block(env, mmu_idx, ra, *dst_ptr_reg + done, out);
len -= AES_BLOCK_SIZE;
done += AES_BLOCK_SIZE;
}
/* update tweak in param block */
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- addr = wrap_address(env, param_addr + keysize + sizeof(wkvp) + i);
- cpu_stb_mmu(env, addr, tweak[i], oi, ra);
- }
+ copy_to_guest_wrap(env, mmu_idx, ra,
+ param_addr + keysize + sizeof(wkvp),
+ tweak, AES_BLOCK_SIZE);
*src_ptr_reg = deposit64(*src_ptr_reg, 0, addr_reg_size,
*src_ptr_reg + done);
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH v9 21/21] tests/tcg/s390x: Add tests for CPACF instructions
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
` (19 preceding siblings ...)
2026-07-01 16:46 ` [PATCH v9 20/21] target/s390x: Improve fetch and store mem from and to guest Harald Freudenberger
@ 2026-07-01 16:46 ` Harald Freudenberger
20 siblings, 0 replies; 22+ messages in thread
From: Harald Freudenberger @ 2026-07-01 16:46 UTC (permalink / raw)
To: richard.henderson, iii, david, thuth, berrange
Cc: qemu-s390x, qemu-devel, linux390-list, linux-s390, dengler,
borntraeger, fcallies, cohuck
Add simple tests for the CPACF instructions implemented:
- kdsa - minimal as only query is implemented
- kimd - query, sha256, sha512
- klmd - query, sha256, sha512
- km - query, aes 128, 192, 256 with clear and prot key
- kmac - minimal as only query is implemented
- kmc - query, aes 128, 192, 256 with clear and prot key
- kmctr - query, aes 128, 192, 256 with clear and prot key
- pcc - query, xts aes 128, 256 and prot key xts aes 128, 256
- prno - query, trng
No test for pckmo as this is a privileged instruction.
No test for kma, kmf, kmo as these instructions are currently
not implemented at all.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
---
target/s390x/tcg/cpacf.h | 7 +
tests/tcg/s390x/Makefile.target | 9 +
tests/tcg/s390x/cpacf-kdsa.c | 59 ++++
tests/tcg/s390x/cpacf-kimd.c | 164 +++++++++
tests/tcg/s390x/cpacf-klmd.c | 202 +++++++++++
tests/tcg/s390x/cpacf-km.c | 576 ++++++++++++++++++++++++++++++++
tests/tcg/s390x/cpacf-kmac.c | 59 ++++
tests/tcg/s390x/cpacf-kmc.c | 342 +++++++++++++++++++
tests/tcg/s390x/cpacf-kmctr.c | 354 ++++++++++++++++++++
tests/tcg/s390x/cpacf-pcc.c | 241 +++++++++++++
tests/tcg/s390x/cpacf-prno.c | 130 +++++++
tests/tcg/s390x/cpacf.h | 570 +++++++++++++++++++++++++++++++
12 files changed, 2713 insertions(+)
create mode 100644 tests/tcg/s390x/cpacf-kdsa.c
create mode 100644 tests/tcg/s390x/cpacf-kimd.c
create mode 100644 tests/tcg/s390x/cpacf-klmd.c
create mode 100644 tests/tcg/s390x/cpacf-km.c
create mode 100644 tests/tcg/s390x/cpacf-kmac.c
create mode 100644 tests/tcg/s390x/cpacf-kmc.c
create mode 100644 tests/tcg/s390x/cpacf-kmctr.c
create mode 100644 tests/tcg/s390x/cpacf-pcc.c
create mode 100644 tests/tcg/s390x/cpacf-prno.c
create mode 100644 tests/tcg/s390x/cpacf.h
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index b2223b4d64..685fd773c2 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -223,6 +223,8 @@
#define CPACF_KDSA_PSIGN_ED25519 48
#define CPACF_KDSA_PSIGN_ED448 52
+#ifndef CPACF_H_INCLUDE_FOR_TESTS
+
/* from cpacf_sha256.c */
int cpacf_sha256(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *message_reg, uint64_t *len_reg,
@@ -254,6 +256,8 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod);
+#endif /* CPACF_H_INCLUDE_FOR_TESTS */
+
/*
* Support for protected key cpacf functions. Note that this is
* a fake implementation intended for debugging and development.
@@ -279,6 +283,8 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E, \
0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E }
+#ifndef CPACF_H_INCLUDE_FOR_TESTS
+
/* from cpacf_aes.c */
int cpacf_aes_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint8_t fc);
@@ -302,4 +308,5 @@ int cpacf_paes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod);
+#endif /* CPACF_H_INCLUDE_FOR_TESTS */
#endif /* S390X_CPACF_H */
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
index 0ca030ded0..68e6a1816d 100644
--- a/tests/tcg/s390x/Makefile.target
+++ b/tests/tcg/s390x/Makefile.target
@@ -50,6 +50,15 @@ TESTS+=cvb
TESTS+=ts
TESTS+=ex-smc
TESTS+=divide-to-integer
+TESTS+=cpacf-kdsa
+TESTS+=cpacf-kimd
+TESTS+=cpacf-klmd
+TESTS+=cpacf-km
+TESTS+=cpacf-kmac
+TESTS+=cpacf-kmc
+TESTS+=cpacf-kmctr
+TESTS+=cpacf-pcc
+TESTS+=cpacf-prno
cdsg: CFLAGS+=-pthread
cdsg: LDFLAGS+=-pthread
diff --git a/tests/tcg/s390x/cpacf-kdsa.c b/tests/tcg/s390x/cpacf-kdsa.c
new file mode 100644
index 0000000000..ba4b94e1a3
--- /dev/null
+++ b/tests/tcg/s390x/cpacf-kdsa.c
@@ -0,0 +1,59 @@
+/*
+ * Simple test for the CPACF KDSA instruction
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "cpacf.h"
+
+#define QUERY_BLOCK_SIZE 16
+
+/* expected kdsa query block */
+static uint8_t exp_query_block[QUERY_BLOCK_SIZE] = {
+ 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+
+static int test_kdsa_query(void)
+{
+ uint8_t query_block[QUERY_BLOCK_SIZE] = {0};
+ unsigned long cc = 0;
+ int i, rc = 0;
+
+ cpacf_kdsa(CPACF_KDSA_QUERY, query_block, NULL, 0, &cc);
+
+ /* compare with expected query block */
+ for (i = 0; i < QUERY_BLOCK_SIZE; i++) {
+ if (query_block[i] != exp_query_block[i]) {
+ rc++;
+ break;
+ }
+ }
+
+ if (rc) {
+ printf("%s failed\n", __func__);
+ }
+
+ return rc;
+}
+
+int main(void)
+{
+ int rc;
+
+ /* Test query function */
+ rc = test_kdsa_query();
+
+ /* As of now only KDSA query is implemented */
+
+ if (rc) {
+ printf("cpacf-kdsa: %d failures\n", rc);
+ }
+
+ return rc ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/cpacf-kimd.c b/tests/tcg/s390x/cpacf-kimd.c
new file mode 100644
index 0000000000..a086c3bd53
--- /dev/null
+++ b/tests/tcg/s390x/cpacf-kimd.c
@@ -0,0 +1,164 @@
+/*
+ * Simple test for CPACF KIMD instruction
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "cpacf.h"
+
+#define QUERY_BLOCK_SIZE 16
+
+/* expected kimd query block */
+static uint8_t exp_query_block[QUERY_BLOCK_SIZE] = {
+ 0xB0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+
+/* SHA-256 test data */
+static const uint8_t sha256in[] = {
+ 0x5a, 0x86, 0xb7, 0x37, 0xea, 0xea, 0x8e, 0xe9,
+ 0x76, 0xa0, 0xa2, 0x4d, 0xa6, 0x3e, 0x7e, 0xd7,
+ 0xee, 0xfa, 0xd1, 0x8a, 0x10, 0x1c, 0x12, 0x11,
+ 0xe2, 0xb3, 0x65, 0x0c, 0x51, 0x87, 0xc2, 0xa8,
+ 0xa6, 0x50, 0x54, 0x72, 0x08, 0x25, 0x1f, 0x6d,
+ 0x42, 0x37, 0xe6, 0x61, 0xc7, 0xbf, 0x4c, 0x77,
+ 0xf3, 0x35, 0x39, 0x03, 0x94, 0xc3, 0x7f, 0xa1,
+ 0xa9, 0xf9, 0xbe, 0x83, 0x6a, 0xc2, 0x85, 0x09
+};
+
+/* SHA-512 test data */
+static const uint8_t sha512in[] = {
+ 0xfd, 0x22, 0x03, 0xe4, 0x67, 0x57, 0x4e, 0x83,
+ 0x4a, 0xb0, 0x7c, 0x90, 0x97, 0xae, 0x16, 0x45,
+ 0x32, 0xf2, 0x4b, 0xe1, 0xeb, 0x5d, 0x88, 0xf1,
+ 0xaf, 0x77, 0x48, 0xce, 0xff, 0x0d, 0x2c, 0x67,
+ 0xa2, 0x1f, 0x4e, 0x40, 0x97, 0xf9, 0xd3, 0xbb,
+ 0x4e, 0x9f, 0xbf, 0x97, 0x18, 0x6e, 0x0d, 0xb6,
+ 0xdb, 0x01, 0x00, 0x23, 0x0a, 0x52, 0xb4, 0x53,
+ 0xd4, 0x21, 0xf8, 0xab, 0x9c, 0x9a, 0x60, 0x43,
+ 0xaa, 0x32, 0x95, 0xea, 0x20, 0xd2, 0xf0, 0x6a,
+ 0x2f, 0x37, 0x47, 0x0d, 0x8a, 0x99, 0x07, 0x5f,
+ 0x1b, 0x8a, 0x83, 0x36, 0xf6, 0x22, 0x8c, 0xf0,
+ 0x8b, 0x59, 0x42, 0xfc, 0x1f, 0xb4, 0x29, 0x9c,
+ 0x7d, 0x24, 0x80, 0xe8, 0xe8, 0x2b, 0xce, 0x17,
+ 0x55, 0x40, 0xbd, 0xfa, 0xd7, 0x75, 0x2b, 0xc9,
+ 0x5b, 0x57, 0x7f, 0x22, 0x95, 0x15, 0x39, 0x4f,
+ 0x3a, 0xe5, 0xce, 0xc8, 0x70, 0xa4, 0xb2, 0xf8
+};
+
+/* query test for kimd
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kimd_query(void)
+{
+ uint8_t query_block[QUERY_BLOCK_SIZE] = {0};
+ unsigned long cc = 0;
+ int i, rc = 0;
+
+ cpacf_kimd(CPACF_KIMD_QUERY, query_block, NULL, 0, &cc);
+
+ /* compare with expected query block */
+ for (i = 0; i < QUERY_BLOCK_SIZE; i++) {
+ if (query_block[i] != exp_query_block[i]) {
+ rc++;
+ break;
+ }
+ }
+
+ if (rc) {
+ printf("%s failed\n", __func__);
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KIMD_SHA_256 test for kimd
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kimd_sha256(void)
+{
+ uint32_t param[8];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Initialize SHA-256 hash values */
+ param[0] = 0x6a09e667u;
+ param[1] = 0xbb67ae85u;
+ param[2] = 0x3c6ef372u;
+ param[3] = 0xa54ff53au;
+ param[4] = 0x510e527fu;
+ param[5] = 0x9b05688cu;
+ param[6] = 0x1f83d9abu;
+ param[7] = 0x5be0cd19u;
+
+ /* Process input data */
+ cpacf_kimd(CPACF_KIMD_SHA_256, param, sha256in, sizeof(sha256in), &cc);
+
+ /* No check of the result in param block as this is an intermediate value */
+
+ /* Check for correct condition code (should be 0 on success) */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KIMD_SHA_512 test for kimd
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kimd_sha512(void)
+{
+ uint64_t param[8];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Initialize SHA-512 hash values */
+ param[0] = 0x6a09e667f3bcc908lu;
+ param[1] = 0xbb67ae8584caa73blu;
+ param[2] = 0x3c6ef372fe94f82blu;
+ param[3] = 0xa54ff53a5f1d36f1lu;
+ param[4] = 0x510e527fade682d1lu;
+ param[5] = 0x9b05688c2b3e6c1flu;
+ param[6] = 0x1f83d9abfb41bd6blu;
+ param[7] = 0x5be0cd19137e2179lu;
+
+ /* Process input data */
+ cpacf_kimd(CPACF_KIMD_SHA_512, param, sha512in, sizeof(sha512in), &cc);
+
+ /* No check of the result in param block as this is an intermediate value */
+
+ /* Check for correct condition code (should be 0 on success) */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+int main(void)
+{
+ int rc = 0;
+
+ /* Test query function */
+ rc += test_kimd_query();
+
+ /* Test SHA-256 */
+ rc += test_kimd_sha256();
+
+ /* Test SHA-512 */
+ rc += test_kimd_sha512();
+
+ if (rc) {
+ printf("cpacf-kimd: %d failures\n", rc);
+ }
+
+ return rc ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/cpacf-klmd.c b/tests/tcg/s390x/cpacf-klmd.c
new file mode 100644
index 0000000000..3562227de8
--- /dev/null
+++ b/tests/tcg/s390x/cpacf-klmd.c
@@ -0,0 +1,202 @@
+/*
+ * Simple test for CPACF KLMD instruction
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "cpacf.h"
+
+#define QUERY_BLOCK_SIZE 16
+
+/* expected klmd query block */
+static uint8_t exp_query_block[QUERY_BLOCK_SIZE] = {
+ 0xB0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+
+/* SHA-256 test data */
+static const uint8_t sha256in[] = {
+ 0x5a, 0x86, 0xb7, 0x37, 0xea, 0xea, 0x8e, 0xe9,
+ 0x76, 0xa0, 0xa2, 0x4d, 0xa6, 0x3e, 0x7e, 0xd7,
+ 0xee, 0xfa, 0xd1, 0x8a, 0x10, 0x1c, 0x12, 0x11,
+ 0xe2, 0xb3, 0x65, 0x0c, 0x51, 0x87, 0xc2, 0xa8,
+ 0xa6, 0x50, 0x54, 0x72, 0x08, 0x25, 0x1f, 0x6d,
+ 0x42, 0x37, 0xe6, 0x61, 0xc7, 0xbf, 0x4c, 0x77,
+ 0xf3, 0x35, 0x39, 0x03, 0x94, 0xc3, 0x7f, 0xa1,
+ 0xa9, 0xf9, 0xbe, 0x83, 0x6a, 0xc2, 0x85, 0x09
+};
+
+static const uint8_t sha256md[] = {
+ 0x42, 0xe6, 0x1e, 0x17, 0x4f, 0xbb, 0x38, 0x97,
+ 0xd6, 0xdd, 0x6c, 0xef, 0x3d, 0xd2, 0x80, 0x2f,
+ 0xe6, 0x7b, 0x33, 0x19, 0x53, 0xb0, 0x61, 0x14,
+ 0xa6, 0x5c, 0x77, 0x28, 0x59, 0xdf, 0xc1, 0xaa
+};
+
+/* SHA-512 test data */
+static const uint8_t sha512in[] = {
+ 0xfd, 0x22, 0x03, 0xe4, 0x67, 0x57, 0x4e, 0x83,
+ 0x4a, 0xb0, 0x7c, 0x90, 0x97, 0xae, 0x16, 0x45,
+ 0x32, 0xf2, 0x4b, 0xe1, 0xeb, 0x5d, 0x88, 0xf1,
+ 0xaf, 0x77, 0x48, 0xce, 0xff, 0x0d, 0x2c, 0x67,
+ 0xa2, 0x1f, 0x4e, 0x40, 0x97, 0xf9, 0xd3, 0xbb,
+ 0x4e, 0x9f, 0xbf, 0x97, 0x18, 0x6e, 0x0d, 0xb6,
+ 0xdb, 0x01, 0x00, 0x23, 0x0a, 0x52, 0xb4, 0x53,
+ 0xd4, 0x21, 0xf8, 0xab, 0x9c, 0x9a, 0x60, 0x43,
+ 0xaa, 0x32, 0x95, 0xea, 0x20, 0xd2, 0xf0, 0x6a,
+ 0x2f, 0x37, 0x47, 0x0d, 0x8a, 0x99, 0x07, 0x5f,
+ 0x1b, 0x8a, 0x83, 0x36, 0xf6, 0x22, 0x8c, 0xf0,
+ 0x8b, 0x59, 0x42, 0xfc, 0x1f, 0xb4, 0x29, 0x9c,
+ 0x7d, 0x24, 0x80, 0xe8, 0xe8, 0x2b, 0xce, 0x17,
+ 0x55, 0x40, 0xbd, 0xfa, 0xd7, 0x75, 0x2b, 0xc9,
+ 0x5b, 0x57, 0x7f, 0x22, 0x95, 0x15, 0x39, 0x4f,
+ 0x3a, 0xe5, 0xce, 0xc8, 0x70, 0xa4, 0xb2, 0xf8
+};
+
+static const uint8_t sha512md[] = {
+ 0xa2, 0x1b, 0x10, 0x77, 0xd5, 0x2b, 0x27, 0xac,
+ 0x54, 0x5a, 0xf6, 0x3b, 0x32, 0x74, 0x6c, 0x6e,
+ 0x3c, 0x51, 0xcb, 0x0c, 0xb9, 0xf2, 0x81, 0xeb,
+ 0x9f, 0x35, 0x80, 0xa6, 0xd4, 0x99, 0x6d, 0x5c,
+ 0x99, 0x17, 0xd2, 0xa6, 0xe4, 0x84, 0x62, 0x7a,
+ 0x9d, 0x5a, 0x06, 0xfa, 0x1b, 0x25, 0x32, 0x7a,
+ 0x9d, 0x71, 0x0e, 0x02, 0x73, 0x87, 0xfc, 0x3e,
+ 0x07, 0xd7, 0xc4, 0xd1, 0x4c, 0x60, 0x86, 0xcc
+};
+
+/* query test for klmd
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_klmd_query(void)
+{
+ uint8_t query_block[QUERY_BLOCK_SIZE] = {0};
+ unsigned long cc = 0;
+ int i, rc = 0;
+
+ cpacf_klmd(CPACF_KLMD_QUERY, query_block, NULL, 0, NULL, 0, &cc);
+
+ /* compare with expected query block */
+ for (i = 0; i < QUERY_BLOCK_SIZE; i++) {
+ if (query_block[i] != exp_query_block[i]) {
+ rc++;
+ break;
+ }
+ }
+
+ if (rc) {
+ printf("%s failed\n", __func__);
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KLMD_SHA_256 test for klmd
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_klmd_sha256(void)
+{
+ uint8_t param[40]; /* 32 bytes hash + 8 bytes message bit length */
+ uint32_t *hash = (uint32_t *)param;
+ uint64_t *mbl = (uint64_t *)(param + 32);
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Initialize SHA-256 hash values (H0-H7) */
+ hash[0] = 0x6a09e667u;
+ hash[1] = 0xbb67ae85u;
+ hash[2] = 0x3c6ef372u;
+ hash[3] = 0xa54ff53au;
+ hash[4] = 0x510e527fu;
+ hash[5] = 0x9b05688cu;
+ hash[6] = 0x1f83d9abu;
+ hash[7] = 0x5be0cd19u;
+
+ /* Set message bit length for KLMD */
+ *mbl = sizeof(sha256in) * 8;
+
+ /* Process input data with KLMD (finalize hash) */
+ cpacf_klmd(CPACF_KLMD_SHA_256, param, sha256in, sizeof(sha256in), NULL, 0, &cc);
+
+ /* Check for correct condition code (should be 0 on success) */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare hash result in param with expected message digest */
+ if (memcmp(param, sha256md, sizeof(sha256md))) {
+ printf("%s failed: hash mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KLMD_SHA_512 test for klmd
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_klmd_sha512(void)
+{
+ uint8_t param[80]; /* 64 bytes hash + 16 bytes message bit length */
+ uint64_t *hash = (uint64_t *)param;
+ uint64_t *mbl_high = (uint64_t *)(param + 64);
+ uint64_t *mbl_low = (uint64_t *)(param + 72);
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Initialize SHA-512 hash values (H0-H7) */
+ hash[0] = 0x6a09e667f3bcc908lu;
+ hash[1] = 0xbb67ae8584caa73blu;
+ hash[2] = 0x3c6ef372fe94f82blu;
+ hash[3] = 0xa54ff53a5f1d36f1lu;
+ hash[4] = 0x510e527fade682d1lu;
+ hash[5] = 0x9b05688c2b3e6c1flu;
+ hash[6] = 0x1f83d9abfb41bd6blu;
+ hash[7] = 0x5be0cd19137e2179lu;
+
+ /* Set message bit length for KLMD (128-bit, high and low) */
+ *mbl_high = 0;
+ *mbl_low = sizeof(sha512in) * 8;
+
+ /* Process input data with KLMD (finalize hash) */
+ cpacf_klmd(CPACF_KLMD_SHA_512, param, sha512in, sizeof(sha512in), NULL, 0, &cc);
+
+ /* Check for correct condition code (should be 0 on success) */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare hash result in param with expected message digest */
+ if (memcmp(param, sha512md, sizeof(sha512md))) {
+ printf("%s failed: hash mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+int main(void)
+{
+ int rc = 0;
+
+ /* Test query function */
+ rc += test_klmd_query();
+
+ /* Test SHA-256 */
+ rc += test_klmd_sha256();
+
+ /* Test SHA-512 */
+ rc += test_klmd_sha512();
+
+ if (rc) {
+ printf("cpacf-klmd: %d failures\n", rc);
+ }
+
+ return rc ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/cpacf-km.c b/tests/tcg/s390x/cpacf-km.c
new file mode 100644
index 0000000000..024fdc9c58
--- /dev/null
+++ b/tests/tcg/s390x/cpacf-km.c
@@ -0,0 +1,576 @@
+/*
+ * Simple test for CPACF KM instruction
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include "cpacf.h"
+
+#define QUERY_BLOCK_SIZE 16
+
+/* expected km query block */
+static uint8_t exp_query_block[QUERY_BLOCK_SIZE] = {
+ 0x80, 0x00, 0x38, 0x38, 0x00, 0x00, 0x28, 0x28,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+
+/* KM AES-128 test data */
+static const uint8_t kmaes128key[] = {
+ 0xed, 0xfd, 0xb2, 0x57, 0xcb, 0x37, 0xcd, 0xf1,
+ 0x82, 0xc5, 0x45, 0x5b, 0x0c, 0x0e, 0xfe, 0xbb
+};
+static const uint8_t kmaes128plain[] = {
+ 0x16, 0x95, 0xfe, 0x47, 0x54, 0x21, 0xca, 0xce,
+ 0x35, 0x57, 0xda, 0xca, 0x01, 0xf4, 0x45, 0xff
+};
+static const uint8_t kmaes128cipher[] = {
+ 0x78, 0x88, 0xbe, 0xae, 0x6e, 0x7a, 0x42, 0x63,
+ 0x32, 0xa7, 0xea, 0xa2, 0xf8, 0x08, 0xe6, 0x37
+};
+
+/* KM AES-192 test data */
+static const uint8_t kmaes192key[] = {
+ 0x61, 0x39, 0x6c, 0x53, 0x0c, 0xc1, 0x74, 0x9a,
+ 0x5b, 0xab, 0x6f, 0xbc, 0xf9, 0x06, 0xfe, 0x67,
+ 0x2d, 0x0c, 0x4a, 0xb2, 0x01, 0xaf, 0x45, 0x54
+};
+static const uint8_t kmaes192plain[] = {
+ 0x60, 0xbc, 0xdb, 0x94, 0x16, 0xba, 0xc0, 0x8d,
+ 0x7f, 0xd0, 0xd7, 0x80, 0x35, 0x37, 0x40, 0xa5
+};
+static const uint8_t kmaes192cipher[] = {
+ 0x24, 0xf4, 0x0c, 0x4e, 0xec, 0xd9, 0xc4, 0x98,
+ 0x25, 0x00, 0x0f, 0xcb, 0x49, 0x72, 0x64, 0x7a
+};
+
+/* KM AES-256 test data */
+static const uint8_t kmaes256key[] = {
+ 0xcc, 0x22, 0xda, 0x78, 0x7f, 0x37, 0x57, 0x11,
+ 0xc7, 0x63, 0x02, 0xbe, 0xf0, 0x97, 0x9d, 0x8e,
+ 0xdd, 0xf8, 0x42, 0x82, 0x9c, 0x2b, 0x99, 0xef,
+ 0x3d, 0xd0, 0x4e, 0x23, 0xe5, 0x4c, 0xc2, 0x4b
+};
+static const uint8_t kmaes256plain[] = {
+ 0xcc, 0xc6, 0x2c, 0x6b, 0x0a, 0x09, 0xa6, 0x71,
+ 0xd6, 0x44, 0x56, 0x81, 0x8d, 0xb2, 0x9a, 0x4d
+};
+static const uint8_t kmaes256cipher[] = {
+ 0xdf, 0x86, 0x34, 0xca, 0x02, 0xb1, 0x3a, 0x12,
+ 0x5b, 0x78, 0x6e, 0x1d, 0xce, 0x90, 0x65, 0x8b
+};
+
+/* KM AES XTS-128 test data */
+static const uint8_t kmaesxts128key1[] = {
+ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35,
+ 0x3b, 0x2c, 0x34, 0x38, 0x76, 0x08, 0x17, 0x62
+};
+static const uint8_t kmaesxts128key2[] = {
+ 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
+ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
+};
+static const uint8_t kmaesxts128sect[] = {
+ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6,
+ 0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5
+};
+static const uint8_t kmaesxts128plain[] = {
+ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d,
+ 0x6f, 0xb3, 0x50, 0x39, 0x07, 0x90, 0x31, 0x1c
+};
+static const uint8_t kmaesxts128cipher[] = {
+ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a,
+ 0x82, 0x50, 0x81, 0xd5, 0xbe, 0x47, 0x1c, 0x63
+};
+
+/* KM AES XTS-256 test data */
+static const uint8_t kmaesxts256key1[] = {
+ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e,
+ 0x48, 0x01, 0xe4, 0x2f, 0x4b, 0x09, 0x47, 0x14,
+ 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
+ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c
+};
+static const uint8_t kmaesxts256key2[] = {
+ 0xd6, 0xe1, 0x3f, 0xfd, 0xf2, 0x41, 0x8d, 0x8d,
+ 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
+ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58,
+ 0x31, 0x8e, 0xea, 0x39, 0x2c, 0xf4, 0x1b, 0x08
+};
+static const uint8_t kmaesxts256sect[] = {
+ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2,
+ 0xf0, 0x42, 0x8e, 0x84, 0xa9, 0xf8, 0x75, 0x64
+};
+static const uint8_t kmaesxts256plain[] = {
+ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1,
+ 0xac, 0xc6, 0x47, 0xe8, 0x10, 0xbb, 0xc3, 0x64,
+ 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
+ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
+};
+static const uint8_t kmaesxts256cipher[] = {
+ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5,
+ 0x0b, 0x37, 0xf9, 0x34, 0xd4, 0x6a, 0x9b, 0x13,
+ 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
+ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
+};
+
+/* static byte array containing the WKVP */
+static const uint8_t protkey_wkvp[32] = PROTKEY_WKVP;
+
+/* query test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_query(void)
+{
+ uint8_t query_block[QUERY_BLOCK_SIZE] = {0};
+ unsigned long cc = 0;
+ int i, rc = 0;
+
+ cpacf_km(CPACF_KM_QUERY, query_block, NULL, NULL, 0, &cc);
+
+ /* compare with expected query block */
+ for (i = 0; i < QUERY_BLOCK_SIZE; i++) {
+ if (query_block[i] != exp_query_block[i]) {
+ rc++;
+ break;
+ }
+ }
+
+ if (rc) {
+ printf("%s failed\n", __func__);
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_AES_128 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_aes_128(void)
+{
+ uint8_t param[16]; /* key only, no IV for ECB mode */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: key only */
+ memcpy(param, kmaes128key, sizeof(kmaes128key));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_AES_128, param, output, kmaes128plain,
+ sizeof(kmaes128plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaes128cipher, sizeof(kmaes128cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_AES_192 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_aes_192(void)
+{
+ uint8_t param[24]; /* key only, no IV for ECB mode */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: key only */
+ memcpy(param, kmaes192key, sizeof(kmaes192key));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_AES_192, param, output, kmaes192plain,
+ sizeof(kmaes192plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaes192cipher, sizeof(kmaes192cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_AES_256 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_aes_256(void)
+{
+ uint8_t param[32]; /* key only, no IV for ECB mode */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: key only */
+ memcpy(param, kmaes256key, sizeof(kmaes256key));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_AES_256, param, output, kmaes256plain,
+ sizeof(kmaes256plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaes256cipher, sizeof(kmaes256cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_PAES_128 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_paes_128(void)
+{
+ uint8_t param[16 + 32]; /* protected key + wkvp */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: protected key + wkvp */
+ memcpy(param, kmaes128key, sizeof(kmaes128key));
+ encrypt_clrkey(param, sizeof(kmaes128key));
+ memcpy(param + sizeof(kmaes128key), protkey_wkvp, sizeof(protkey_wkvp));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_PAES_128, param, output, kmaes128plain,
+ sizeof(kmaes128plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaes128cipher, sizeof(kmaes128cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_PAES_192 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_paes_192(void)
+{
+ uint8_t param[24 + 32]; /* protected key + wkvp */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: protected key + wkvp */
+ memcpy(param, kmaes192key, sizeof(kmaes192key));
+ encrypt_clrkey(param, sizeof(kmaes192key));
+ memcpy(param + sizeof(kmaes192key), protkey_wkvp, sizeof(protkey_wkvp));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_PAES_192, param, output, kmaes192plain,
+ sizeof(kmaes192plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaes192cipher, sizeof(kmaes192cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_PAES_256 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_paes_256(void)
+{
+ uint8_t param[32 + 32]; /* protected key + wkvp */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: protected key + wkvp */
+ memcpy(param, kmaes256key, sizeof(kmaes256key));
+ encrypt_clrkey(param, sizeof(kmaes256key));
+ memcpy(param + sizeof(kmaes256key), protkey_wkvp, sizeof(protkey_wkvp));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_PAES_256, param, output, kmaes256plain,
+ sizeof(kmaes256plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaes256cipher, sizeof(kmaes256cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_XTS_128 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_xts_128(void)
+{
+ uint8_t param[16 + 16]; /* key + initial XTS value */
+ uint8_t output[16];
+ uint8_t init_xts[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* First compute initial XTS value using key2 and sector */
+ memcpy(param, kmaesxts128key2, sizeof(kmaesxts128key2));
+ cpacf_km(CPACF_KM_AES_128, param, init_xts, kmaesxts128sect,
+ sizeof(kmaesxts128sect), &cc);
+
+ if (cc != 0) {
+ printf("%s failed: initial XTS computation cc=%lu\n", __func__, cc);
+ return 1;
+ }
+
+ /* Setup parameter block: key1 + initial XTS value */
+ memcpy(param, kmaesxts128key1, sizeof(kmaesxts128key1));
+ memcpy(param + 16, init_xts, sizeof(init_xts));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_XTS_128, param, output, kmaesxts128plain,
+ sizeof(kmaesxts128plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaesxts128cipher, sizeof(kmaesxts128cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_XTS_256 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_xts_256(void)
+{
+ uint8_t param[32 + 16]; /* key + initial XTS value */
+ uint8_t output[32];
+ uint8_t init_xts[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* First compute initial XTS value using key2 and sector */
+ memcpy(param, kmaesxts256key2, sizeof(kmaesxts256key2));
+ cpacf_km(CPACF_KM_AES_256, param, init_xts, kmaesxts256sect,
+ sizeof(kmaesxts256sect), &cc);
+
+ if (cc != 0) {
+ printf("%s failed: initial XTS computation cc=%lu\n", __func__, cc);
+ return 1;
+ }
+
+ /* Setup parameter block: key1 + initial XTS value */
+ memcpy(param, kmaesxts256key1, sizeof(kmaesxts256key1));
+ memcpy(param + 32, init_xts, sizeof(init_xts));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_XTS_256, param, output, kmaesxts256plain,
+ sizeof(kmaesxts256plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaesxts256cipher, sizeof(kmaesxts256cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_PXTS_128 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_pxts_128(void)
+{
+ uint8_t param[16 + 32 + 16]; /* protected key + wkvp + initial XTS value */
+ uint8_t output[16];
+ uint8_t init_xts[16];
+ uint8_t key2_param[16 + 32];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* First compute initial XTS value using protected key2 and sector */
+ memcpy(key2_param, kmaesxts128key2, sizeof(kmaesxts128key2));
+ encrypt_clrkey(key2_param, sizeof(kmaesxts128key2));
+ memcpy(key2_param + sizeof(kmaesxts128key2), protkey_wkvp, sizeof(protkey_wkvp));
+
+ cpacf_km(CPACF_KM_PAES_128, key2_param, init_xts, kmaesxts128sect,
+ sizeof(kmaesxts128sect), &cc);
+
+ if (cc != 0) {
+ printf("%s failed: initial XTS computation cc=%lu\n", __func__, cc);
+ return 1;
+ }
+
+ /* Setup parameter block: protected key1 + wkvp + initial XTS value */
+ memcpy(param, kmaesxts128key1, sizeof(kmaesxts128key1));
+ encrypt_clrkey(param, sizeof(kmaesxts128key1));
+ memcpy(param + sizeof(kmaesxts128key1), protkey_wkvp, sizeof(protkey_wkvp));
+ memcpy(param + sizeof(kmaesxts128key1) + sizeof(protkey_wkvp), init_xts, sizeof(init_xts));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_PXTS_128, param, output, kmaesxts128plain,
+ sizeof(kmaesxts128plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaesxts128cipher, sizeof(kmaesxts128cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KM_PXTS_256 test for km
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_km_pxts_256(void)
+{
+ uint8_t param[32 + 32 + 16]; /* protected key + wkvp + initial XTS value */
+ uint8_t output[32];
+ uint8_t init_xts[16];
+ uint8_t key2_param[32 + 32];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* First compute initial XTS value using protected key2 and sector */
+ memcpy(key2_param, kmaesxts256key2, sizeof(kmaesxts256key2));
+ encrypt_clrkey(key2_param, sizeof(kmaesxts256key2));
+ memcpy(key2_param + sizeof(kmaesxts256key2), protkey_wkvp, sizeof(protkey_wkvp));
+
+ cpacf_km(CPACF_KM_PAES_256, key2_param, init_xts, kmaesxts256sect,
+ sizeof(kmaesxts256sect), &cc);
+
+ if (cc != 0) {
+ printf("%s failed: initial XTS computation cc=%lu\n", __func__, cc);
+ return 1;
+ }
+
+ /* Setup parameter block: protected key1 + wkvp + initial XTS value */
+ memcpy(param, kmaesxts256key1, sizeof(kmaesxts256key1));
+ encrypt_clrkey(param, sizeof(kmaesxts256key1));
+ memcpy(param + sizeof(kmaesxts256key1), protkey_wkvp, sizeof(protkey_wkvp));
+ memcpy(param + sizeof(kmaesxts256key1) + sizeof(protkey_wkvp), init_xts, sizeof(init_xts));
+
+ /* Encrypt */
+ cpacf_km(CPACF_KM_PXTS_256, param, output, kmaesxts256plain,
+ sizeof(kmaesxts256plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmaesxts256cipher, sizeof(kmaesxts256cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+int main(void)
+{
+ int rc = 0;
+
+ /* Test query function */
+ rc += test_km_query();
+
+ /* Test AES-128 */
+ rc += test_km_aes_128();
+
+ /* Test AES-192 */
+ rc += test_km_aes_192();
+
+ /* Test AES-256 */
+ rc += test_km_aes_256();
+
+ /* Test PAES-128 */
+ rc += test_km_paes_128();
+
+ /* Test PAES-192 */
+ rc += test_km_paes_192();
+
+ /* Test PAES-256 */
+ rc += test_km_paes_256();
+
+ /* Test XTS-128 */
+ rc += test_km_xts_128();
+
+ /* Test XTS-256 */
+ rc += test_km_xts_256();
+
+ /* Test PXTS-128 */
+ rc += test_km_pxts_128();
+
+ /* Test PXTS-256 */
+ rc += test_km_pxts_256();
+
+ if (rc) {
+ printf("cpacf-km: %d failures\n", rc);
+ }
+
+ return rc ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/cpacf-kmac.c b/tests/tcg/s390x/cpacf-kmac.c
new file mode 100644
index 0000000000..e5a122b74c
--- /dev/null
+++ b/tests/tcg/s390x/cpacf-kmac.c
@@ -0,0 +1,59 @@
+/*
+ * Simple test for the CPACF KMAC instruction
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "cpacf.h"
+
+#define QUERY_BLOCK_SIZE 16
+
+/* expected kmac query block */
+static uint8_t exp_query_block[QUERY_BLOCK_SIZE] = {
+ 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+
+static int test_kmac_query(void)
+{
+ uint8_t query_block[QUERY_BLOCK_SIZE] = {0};
+ unsigned long cc = 0;
+ int i, rc = 0;
+
+ cpacf_kmac(CPACF_KMAC_QUERY, query_block, NULL, 0, &cc);
+
+ /* compare with expected query block */
+ for (i = 0; i < QUERY_BLOCK_SIZE; i++) {
+ if (query_block[i] != exp_query_block[i]) {
+ rc++;
+ break;
+ }
+ }
+
+ if (rc) {
+ printf("%s failed\n", __func__);
+ }
+
+ return rc;
+}
+
+int main(void)
+{
+ int rc;
+
+ /* Test query function */
+ rc = test_kmac_query();
+
+ /* As of now only KMAC query is implemented */
+
+ if (rc) {
+ printf("cpacf-kmac: %d failures\n", rc);
+ }
+
+ return rc ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/cpacf-kmc.c b/tests/tcg/s390x/cpacf-kmc.c
new file mode 100644
index 0000000000..1ebd2e5d4a
--- /dev/null
+++ b/tests/tcg/s390x/cpacf-kmc.c
@@ -0,0 +1,342 @@
+/*
+ * Simple test for CPACF KMC instruction
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include "cpacf.h"
+
+#define QUERY_BLOCK_SIZE 16
+
+/* expected kmc query block */
+static uint8_t exp_query_block[QUERY_BLOCK_SIZE] = {
+ 0x80, 0x00, 0x38, 0x38, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+
+/* KMC AES-128 test data */
+static const uint8_t kmcaes128key[] = {
+ 0x1f, 0x8e, 0x49, 0x73, 0x95, 0x3f, 0x3f, 0xb0,
+ 0xbd, 0x6b, 0x16, 0x66, 0x2e, 0x9a, 0x3c, 0x17
+};
+static const uint8_t kmcaes128iv[] = {
+ 0x2f, 0xe2, 0xb3, 0x33, 0xce, 0xda, 0x8f, 0x98,
+ 0xf4, 0xa9, 0x9b, 0x40, 0xd2, 0xcd, 0x34, 0xa8
+};
+static const uint8_t kmcaes128plain[] = {
+ 0x45, 0xcf, 0x12, 0x96, 0x4f, 0xc8, 0x24, 0xab,
+ 0x76, 0x61, 0x6a, 0xe2, 0xf4, 0xbf, 0x08, 0x22
+};
+static const uint8_t kmcaes128cipher[] = {
+ 0x0f, 0x61, 0xc4, 0xd4, 0x4c, 0x51, 0x47, 0xc0,
+ 0x3c, 0x19, 0x5a, 0xd7, 0xe2, 0xcc, 0x12, 0xb2
+};
+
+/* KMC AES-192 test data */
+static const uint8_t kmcaes192key[] = {
+ 0xba, 0x75, 0xf4, 0xd1, 0xd9, 0xd7, 0xcf, 0x7f,
+ 0x55, 0x14, 0x45, 0xd5, 0x6c, 0xc1, 0xa8, 0xab,
+ 0x2a, 0x07, 0x8e, 0x15, 0xe0, 0x49, 0xdc, 0x2c
+};
+static const uint8_t kmcaes192iv[] = {
+ 0x53, 0x1c, 0xe7, 0x81, 0x76, 0x40, 0x16, 0x66,
+ 0xaa, 0x30, 0xdb, 0x94, 0xec, 0x4a, 0x30, 0xeb
+};
+static const uint8_t kmcaes192plain[] = {
+ 0xc5, 0x1f, 0xc2, 0x76, 0x77, 0x4d, 0xad, 0x94,
+ 0xbc, 0xdc, 0x1d, 0x28, 0x91, 0xec, 0x86, 0x68
+};
+static const uint8_t kmcaes192cipher[] = {
+ 0x70, 0xdd, 0x95, 0xa1, 0x4e, 0xe9, 0x75, 0xe2,
+ 0x39, 0xdf, 0x36, 0xff, 0x4a, 0xee, 0x1d, 0x5d
+};
+
+/* KMC AES-256 test data */
+static const uint8_t kmcaes256key[] = {
+ 0x6e, 0xd7, 0x6d, 0x2d, 0x97, 0xc6, 0x9f, 0xd1,
+ 0x33, 0x95, 0x89, 0x52, 0x39, 0x31, 0xf2, 0xa6,
+ 0xcf, 0xf5, 0x54, 0xb1, 0x5f, 0x73, 0x8f, 0x21,
+ 0xec, 0x72, 0xdd, 0x97, 0xa7, 0x33, 0x09, 0x07
+};
+static const uint8_t kmcaes256iv[] = {
+ 0x85, 0x1e, 0x87, 0x64, 0x77, 0x6e, 0x67, 0x96,
+ 0xaa, 0xb7, 0x22, 0xdb, 0xb6, 0x44, 0xac, 0xe8
+};
+static const uint8_t kmcaes256plain[] = {
+ 0x62, 0x82, 0xb8, 0xc0, 0x5c, 0x5c, 0x15, 0x30,
+ 0xb9, 0x7d, 0x48, 0x16, 0xca, 0x43, 0x47, 0x62
+};
+static const uint8_t kmcaes256cipher[] = {
+ 0x6a, 0xcc, 0x04, 0x14, 0x2e, 0x10, 0x0a, 0x65,
+ 0xf5, 0x1b, 0x97, 0xad, 0xf5, 0x17, 0x2c, 0x41
+};
+
+/* static byte array containing the WKVP */
+static const uint8_t protkey_wkvp[32] = PROTKEY_WKVP;
+
+/* query test for kmc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmc_query(void)
+{
+ uint8_t query_block[QUERY_BLOCK_SIZE] = {0};
+ unsigned long cc = 0;
+ int i, rc = 0;
+
+ cpacf_kmc(CPACF_KMC_QUERY, query_block, NULL, NULL, 0, &cc);
+
+ /* compare with expected query block */
+ for (i = 0; i < QUERY_BLOCK_SIZE; i++) {
+ if (query_block[i] != exp_query_block[i]) {
+ rc++;
+ break;
+ }
+ }
+
+ if (rc) {
+ printf("%s failed\n", __func__);
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMC_AES_128 test for kmc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmc_aes_128(void)
+{
+ uint8_t param[16 + 16]; /* IV + key */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: IV followed by key */
+ memcpy(param, kmcaes128iv, sizeof(kmcaes128iv));
+ memcpy(param + sizeof(kmcaes128iv), kmcaes128key, sizeof(kmcaes128key));
+
+ /* Encrypt */
+ cpacf_kmc(CPACF_KMC_AES_128, param, output, kmcaes128plain,
+ sizeof(kmcaes128plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmcaes128cipher, sizeof(kmcaes128cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMC_AES_192 test for kmc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmc_aes_192(void)
+{
+ uint8_t param[16 + 24]; /* IV + key */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: IV followed by key */
+ memcpy(param, kmcaes192iv, sizeof(kmcaes192iv));
+ memcpy(param + sizeof(kmcaes192iv), kmcaes192key, sizeof(kmcaes192key));
+
+ /* Encrypt */
+ cpacf_kmc(CPACF_KMC_AES_192, param, output, kmcaes192plain,
+ sizeof(kmcaes192plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmcaes192cipher, sizeof(kmcaes192cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMC_AES_256 test for kmc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmc_aes_256(void)
+{
+ uint8_t param[16 + 32]; /* IV + key */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: IV followed by key */
+ memcpy(param, kmcaes256iv, sizeof(kmcaes256iv));
+ memcpy(param + sizeof(kmcaes256iv), kmcaes256key, sizeof(kmcaes256key));
+
+ /* Encrypt */
+ cpacf_kmc(CPACF_KMC_AES_256, param, output, kmcaes256plain,
+ sizeof(kmcaes256plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmcaes256cipher, sizeof(kmcaes256cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMC_PAES_128 test for kmc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmc_paes_128(void)
+{
+ uint8_t param[16 + 16 + 32]; /* IV + protected key + wkvp */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: IV + protected key + wkvp */
+ memcpy(param, kmcaes128iv, sizeof(kmcaes128iv));
+ memcpy(param + sizeof(kmcaes128iv), kmcaes128key, sizeof(kmcaes128key));
+ encrypt_clrkey(param + sizeof(kmcaes128iv), sizeof(kmcaes128key));
+ memcpy(param + sizeof(kmcaes128iv) + sizeof(kmcaes128key), protkey_wkvp, sizeof(protkey_wkvp));
+
+ /* Encrypt */
+ cpacf_kmc(CPACF_KMC_PAES_128, param, output, kmcaes128plain,
+ sizeof(kmcaes128plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmcaes128cipher, sizeof(kmcaes128cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMC_PAES_192 test for kmc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmc_paes_192(void)
+{
+ uint8_t param[16 + 24 + 32]; /* IV + protected key + wkvp */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: IV + protected key + wkvp */
+ memcpy(param, kmcaes192iv, sizeof(kmcaes192iv));
+ memcpy(param + sizeof(kmcaes192iv), kmcaes192key, sizeof(kmcaes192key));
+ encrypt_clrkey(param + sizeof(kmcaes192iv), sizeof(kmcaes192key));
+ memcpy(param + sizeof(kmcaes192iv) + sizeof(kmcaes192key), protkey_wkvp, sizeof(protkey_wkvp));
+
+ /* Encrypt */
+ cpacf_kmc(CPACF_KMC_PAES_192, param, output, kmcaes192plain,
+ sizeof(kmcaes192plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmcaes192cipher, sizeof(kmcaes192cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMC_PAES_256 test for kmc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmc_paes_256(void)
+{
+ uint8_t param[16 + 32 + 32]; /* IV + protected key + wkvp */
+ uint8_t output[16];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: IV + protected key + wkvp */
+ memcpy(param, kmcaes256iv, sizeof(kmcaes256iv));
+ memcpy(param + sizeof(kmcaes256iv), kmcaes256key, sizeof(kmcaes256key));
+ encrypt_clrkey(param + sizeof(kmcaes256iv), sizeof(kmcaes256key));
+ memcpy(param + sizeof(kmcaes256iv) + sizeof(kmcaes256key), protkey_wkvp, sizeof(protkey_wkvp));
+
+ /* Encrypt */
+ cpacf_kmc(CPACF_KMC_PAES_256, param, output, kmcaes256plain,
+ sizeof(kmcaes256plain), &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmcaes256cipher, sizeof(kmcaes256cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+int main(void)
+{
+ int rc = 0;
+
+ /* Test query function */
+ rc += test_kmc_query();
+
+ /* Test AES-128 */
+ rc += test_kmc_aes_128();
+
+ /* Test AES-192 */
+ rc += test_kmc_aes_192();
+
+ /* Test AES-256 */
+ rc += test_kmc_aes_256();
+
+ /* Test PAES-128 */
+ rc += test_kmc_paes_128();
+
+ /* Test PAES-192 */
+ rc += test_kmc_paes_192();
+
+ /* Test PAES-256 */
+ rc += test_kmc_paes_256();
+
+ if (rc) {
+ printf("cpacf-kmc: %d failures\n", rc);
+ }
+
+ return rc ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/cpacf-kmctr.c b/tests/tcg/s390x/cpacf-kmctr.c
new file mode 100644
index 0000000000..5b9886988b
--- /dev/null
+++ b/tests/tcg/s390x/cpacf-kmctr.c
@@ -0,0 +1,354 @@
+/*
+ * Simple test for CPACF KMCTR instruction
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include "cpacf.h"
+
+#define QUERY_BLOCK_SIZE 16
+
+/* expected kmctr query block */
+static uint8_t exp_query_block[QUERY_BLOCK_SIZE] = {
+ 0x80, 0x00, 0x38, 0x38, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+
+/* KMCTR AES-128 test data */
+static const uint8_t kmctraes128key[] = {
+ 0xed, 0xfd, 0xb2, 0x57, 0xcb, 0x37, 0xcd, 0xf1,
+ 0x82, 0xc5, 0x45, 0x5b, 0x0c, 0x0e, 0xfe, 0xbb
+};
+static const uint8_t kmctraes128plain[] = {
+ 0x16, 0x95, 0xfe, 0x47, 0x54, 0x21, 0xca, 0xce,
+ 0x35, 0x57, 0xda, 0xca, 0x01, 0xf4, 0x45, 0xff
+};
+static const uint8_t kmctraes128cipher[] = {
+ 0x78, 0x88, 0xbe, 0xae, 0x6e, 0x7a, 0x42, 0x63,
+ 0x32, 0xa7, 0xea, 0xa2, 0xf8, 0x08, 0xe6, 0x37
+};
+
+/* KMCTR AES-192 test data */
+static const uint8_t kmctraes192key[] = {
+ 0x61, 0x39, 0x6c, 0x53, 0x0c, 0xc1, 0x74, 0x9a,
+ 0x5b, 0xab, 0x6f, 0xbc, 0xf9, 0x06, 0xfe, 0x67,
+ 0x2d, 0x0c, 0x4a, 0xb2, 0x01, 0xaf, 0x45, 0x54
+};
+static const uint8_t kmctraes192plain[] = {
+ 0x60, 0xbc, 0xdb, 0x94, 0x16, 0xba, 0xc0, 0x8d,
+ 0x7f, 0xd0, 0xd7, 0x80, 0x35, 0x37, 0x40, 0xa5
+};
+static const uint8_t kmctraes192cipher[] = {
+ 0x24, 0xf4, 0x0c, 0x4e, 0xec, 0xd9, 0xc4, 0x98,
+ 0x25, 0x00, 0x0f, 0xcb, 0x49, 0x72, 0x64, 0x7a
+};
+
+/* KMCTR AES-256 test data */
+static const uint8_t kmctraes256key[] = {
+ 0xcc, 0x22, 0xda, 0x78, 0x7f, 0x37, 0x57, 0x11,
+ 0xc7, 0x63, 0x02, 0xbe, 0xf0, 0x97, 0x9d, 0x8e,
+ 0xdd, 0xf8, 0x42, 0x82, 0x9c, 0x2b, 0x99, 0xef,
+ 0x3d, 0xd0, 0x4e, 0x23, 0xe5, 0x4c, 0xc2, 0x4b
+};
+static const uint8_t kmctraes256plain[] = {
+ 0xcc, 0xc6, 0x2c, 0x6b, 0x0a, 0x09, 0xa6, 0x71,
+ 0xd6, 0x44, 0x56, 0x81, 0x8d, 0xb2, 0x9a, 0x4d
+};
+static const uint8_t kmctraes256cipher[] = {
+ 0xdf, 0x86, 0x34, 0xca, 0x02, 0xb1, 0x3a, 0x12,
+ 0x5b, 0x78, 0x6e, 0x1d, 0xce, 0x90, 0x65, 0x8b
+};
+
+/* static byte array containing the WKVP */
+static const uint8_t protkey_wkvp[32] = PROTKEY_WKVP;
+
+/* query test for kmctr
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmctr_query(void)
+{
+ uint8_t query_block[QUERY_BLOCK_SIZE] = {0};
+ unsigned long cc = 0;
+ int i, rc = 0;
+
+ cpacf_kmctr(CPACF_KMCTR_QUERY, query_block, NULL, NULL, 0, NULL, &cc);
+
+ /* compare with expected query block */
+ for (i = 0; i < QUERY_BLOCK_SIZE; i++) {
+ if (query_block[i] != exp_query_block[i]) {
+ rc++;
+ break;
+ }
+ }
+
+ if (rc) {
+ printf("%s failed\n", __func__);
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMCTR_AES_128 test for kmctr
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmctr_aes_128(void)
+{
+ uint8_t param[16]; /* Parameter block: AES-128 key */
+ uint8_t src[16] = {0}; /* Source data (zeros for this test) */
+ uint8_t counter[16]; /* Counter value */
+ uint8_t output[16]; /* Output buffer */
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: key only */
+ memcpy(param, kmctraes128key, sizeof(kmctraes128key));
+
+ /* Setup counter buffer */
+ memcpy(counter, kmctraes128plain, sizeof(kmctraes128plain));
+
+ /* En/Decrypt src with given counter, note that src is all zero */
+ cpacf_kmctr(CPACF_KMCTR_AES_128, param, output, src,
+ sizeof(src), counter, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmctraes128cipher, sizeof(kmctraes128cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMCTR_AES_192 test for kmctr
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmctr_aes_192(void)
+{
+ uint8_t param[24]; /* Parameter block: AES-192 key */
+ uint8_t src[16] = {0}; /* Source data (zeros for this test) */
+ uint8_t counter[16]; /* Counter value */
+ uint8_t output[16]; /* Output buffer */
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: key only */
+ memcpy(param, kmctraes192key, sizeof(kmctraes192key));
+
+ /* Setup counter buffer */
+ memcpy(counter, kmctraes192plain, sizeof(kmctraes192plain));
+
+ /* En/Decrypt src with given counter, note that src is all zero */
+ cpacf_kmctr(CPACF_KMCTR_AES_192, param, output, src,
+ sizeof(src), counter, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmctraes192cipher, sizeof(kmctraes192cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMCTR_AES_256 test for kmctr
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmctr_aes_256(void)
+{
+ uint8_t param[32]; /* Parameter block: AES-256 key */
+ uint8_t src[16] = {0}; /* Source data (zeros for this test) */
+ uint8_t counter[16]; /* Counter value */
+ uint8_t output[16]; /* Output buffer */
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: key only */
+ memcpy(param, kmctraes256key, sizeof(kmctraes256key));
+
+ /* Setup counter buffer */
+ memcpy(counter, kmctraes256plain, sizeof(kmctraes256plain));
+
+ /* En/Decrypt src with given counter, note that src is all zero */
+ cpacf_kmctr(CPACF_KMCTR_AES_256, param, output, src,
+ sizeof(src), counter, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmctraes256cipher, sizeof(kmctraes256cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMCTR_PAES_128 test for kmctr
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmctr_paes_128(void)
+{
+ uint8_t param[16 + 32]; /* Parameter block: protected key + wkvp */
+ uint8_t src[16] = {0}; /* Source data (zeros for this test) */
+ uint8_t counter[16]; /* Counter value */
+ uint8_t output[16]; /* Output buffer */
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: protected key + wkvp */
+ memcpy(param, kmctraes128key, sizeof(kmctraes128key));
+ encrypt_clrkey(param, sizeof(kmctraes128key));
+ memcpy(param + sizeof(kmctraes128key), protkey_wkvp, sizeof(protkey_wkvp));
+
+ /* Setup counter buffer */
+ memcpy(counter, kmctraes128plain, sizeof(kmctraes128plain));
+
+ /* En/Decrypt src with given counter, note that src is all zero */
+ cpacf_kmctr(CPACF_KMCTR_PAES_128, param, output, src,
+ sizeof(src), counter, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmctraes128cipher, sizeof(kmctraes128cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMCTR_PAES_192 test for kmctr
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmctr_paes_192(void)
+{
+ uint8_t param[24 + 32]; /* Parameter block: protected key + wkvp */
+ uint8_t src[16] = {0}; /* Source data (zeros for this test) */
+ uint8_t counter[16]; /* Counter value */
+ uint8_t output[16]; /* Output buffer */
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: protected key + wkvp */
+ memcpy(param, kmctraes192key, sizeof(kmctraes192key));
+ encrypt_clrkey(param, sizeof(kmctraes192key));
+ memcpy(param + sizeof(kmctraes192key), protkey_wkvp, sizeof(protkey_wkvp));
+
+ /* Setup counter buffer */
+ memcpy(counter, kmctraes192plain, sizeof(kmctraes192plain));
+
+ /* En/Decrypt src with given counter, note that src is all zero */
+ cpacf_kmctr(CPACF_KMCTR_PAES_192, param, output, src,
+ sizeof(src), counter, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmctraes192cipher, sizeof(kmctraes192cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_KMCTR_PAES_256 test for kmctr
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_kmctr_paes_256(void)
+{
+ uint8_t param[32 + 32]; /* Parameter block: protected key + wkvp */
+ uint8_t src[16] = {0}; /* Source data (zeros for this test) */
+ uint8_t counter[16]; /* Counter value */
+ uint8_t output[16]; /* Output buffer */
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: protected key + wkvp */
+ memcpy(param, kmctraes256key, sizeof(kmctraes256key));
+ encrypt_clrkey(param, sizeof(kmctraes256key));
+ memcpy(param + sizeof(kmctraes256key), protkey_wkvp, sizeof(protkey_wkvp));
+
+ /* Setup counter buffer */
+ memcpy(counter, kmctraes256plain, sizeof(kmctraes256plain));
+
+ /* En/Decrypt src with given counter, note that src is all zero */
+ cpacf_kmctr(CPACF_KMCTR_PAES_256, param, output, src,
+ sizeof(src), counter, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare result with expected ciphertext */
+ if (memcmp(output, kmctraes256cipher, sizeof(kmctraes256cipher))) {
+ printf("%s failed: output mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+int main(void)
+{
+ int rc = 0;
+
+ /* Test query function */
+ rc += test_kmctr_query();
+
+ /* Test AES-128 */
+ rc += test_kmctr_aes_128();
+
+ /* Test AES-192 */
+ rc += test_kmctr_aes_192();
+
+ /* Test AES-256 */
+ rc += test_kmctr_aes_256();
+
+ /* Test PAES-128 */
+ rc += test_kmctr_paes_128();
+
+ /* Test PAES-192 */
+ rc += test_kmctr_paes_192();
+
+ /* Test PAES-256 */
+ rc += test_kmctr_paes_256();
+
+ if (rc) {
+ printf("cpacf-kmctr: %d failures\n", rc);
+ }
+
+ return rc ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/cpacf-pcc.c b/tests/tcg/s390x/cpacf-pcc.c
new file mode 100644
index 0000000000..3ef86a5b65
--- /dev/null
+++ b/tests/tcg/s390x/cpacf-pcc.c
@@ -0,0 +1,241 @@
+/*
+ * Simple test for CPACF PCC instruction
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include "cpacf.h"
+
+#define QUERY_BLOCK_SIZE 16
+
+/* expected pcc query block */
+static uint8_t exp_query_block[QUERY_BLOCK_SIZE] = {
+ 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x28,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+
+/* PCC XTS AES-128 test data */
+static const uint8_t kmaes128key[] = {
+ 0xed, 0xfd, 0xb2, 0x57, 0xcb, 0x37, 0xcd, 0xf1,
+ 0x82, 0xc5, 0x45, 0x5b, 0x0c, 0x0e, 0xfe, 0xbb
+};
+static const uint8_t kmaes128plain[] = {
+ 0x16, 0x95, 0xfe, 0x47, 0x54, 0x21, 0xca, 0xce,
+ 0x35, 0x57, 0xda, 0xca, 0x01, 0xf4, 0x45, 0xff
+};
+static const uint8_t kmaes128cipher[] = {
+ 0x78, 0x88, 0xbe, 0xae, 0x6e, 0x7a, 0x42, 0x63,
+ 0x32, 0xa7, 0xea, 0xa2, 0xf8, 0x08, 0xe6, 0x37
+};
+
+/* PCC XTS AES-256 test data */
+static const uint8_t kmaes256key[] = {
+ 0xcc, 0x22, 0xda, 0x78, 0x7f, 0x37, 0x57, 0x11,
+ 0xc7, 0x63, 0x02, 0xbe, 0xf0, 0x97, 0x9d, 0x8e,
+ 0xdd, 0xf8, 0x42, 0x82, 0x9c, 0x2b, 0x99, 0xef,
+ 0x3d, 0xd0, 0x4e, 0x23, 0xe5, 0x4c, 0xc2, 0x4b
+};
+static const uint8_t kmaes256plain[] = {
+ 0xcc, 0xc6, 0x2c, 0x6b, 0x0a, 0x09, 0xa6, 0x71,
+ 0xd6, 0x44, 0x56, 0x81, 0x8d, 0xb2, 0x9a, 0x4d
+};
+static const uint8_t kmaes256cipher[] = {
+ 0xdf, 0x86, 0x34, 0xca, 0x02, 0xb1, 0x3a, 0x12,
+ 0x5b, 0x78, 0x6e, 0x1d, 0xce, 0x90, 0x65, 0x8b
+};
+
+/* static byte array containing the WKVP */
+static const uint8_t protkey_wkvp[32] = PROTKEY_WKVP;
+
+/* query test for pcc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_pcc_query(void)
+{
+ uint8_t query_block[QUERY_BLOCK_SIZE] = {0};
+ unsigned long cc = 0;
+ int i, rc = 0;
+
+ cpacf_pcc(CPACF_PCC_QUERY, query_block, &cc);
+
+ /* compare with expected query block */
+ for (i = 0; i < QUERY_BLOCK_SIZE; i++) {
+ if (query_block[i] != exp_query_block[i]) {
+ rc++;
+ break;
+ }
+ }
+
+ if (rc) {
+ printf("%s failed\n", __func__);
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_PCC_XTS_AES_128 test for pcc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_pcc_xts_aes_128(void)
+{
+ uint8_t param[80];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: key + plaintext + zeros */
+ memcpy(param, kmaes128key, sizeof(kmaes128key));
+ memcpy(param + 16, kmaes128plain, sizeof(kmaes128plain));
+ /* Clear Block Sequential Number, Intermediate Bit Index, and XTS Parameter */
+ memset(param + 32, 0, 48);
+
+ /* Execute PCC to compute XTS parameter */
+ cpacf_pcc(CPACF_PCC_XTS_AES_128, param, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare computed XTS parameter (at offset 64) with expected cipher */
+ if (memcmp(param + 64, kmaes128cipher, sizeof(kmaes128cipher))) {
+ printf("%s failed: XTS parameter mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_PCC_XTS_AES_256 test for pcc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_pcc_xts_aes_256(void)
+{
+ uint8_t param[96];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: key + plaintext + zeros */
+ memcpy(param, kmaes256key, sizeof(kmaes256key));
+ memcpy(param + 32, kmaes256plain, sizeof(kmaes256plain));
+ /* Clear Block Sequential Number, Intermediate Bit Index, and XTS Parameter */
+ memset(param + 48, 0, 48);
+
+ /* Execute PCC to compute XTS parameter */
+ cpacf_pcc(CPACF_PCC_XTS_AES_256, param, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare computed XTS parameter (at offset 80) with expected cipher */
+ if (memcmp(param + 80, kmaes256cipher, sizeof(kmaes256cipher))) {
+ printf("%s failed: XTS parameter mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_PCC_XTS_PAES_128 test for pcc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_pcc_xts_paes_128(void)
+{
+ uint8_t param[112];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: protected key + wkvp + plaintext + zeros */
+ memcpy(param, kmaes128key, sizeof(kmaes128key));
+ encrypt_clrkey(param, sizeof(kmaes128key));
+ memcpy(param + 16, protkey_wkvp, sizeof(protkey_wkvp));
+ memcpy(param + 48, kmaes128plain, sizeof(kmaes128plain));
+ /* Clear Block Sequential Number, Intermediate Bit Index, and XTS Parameter */
+ memset(param + 64, 0, 48);
+
+ /* Execute PCC to compute XTS parameter */
+ cpacf_pcc(CPACF_PCC_XTS_PAES_128, param, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare computed XTS parameter (at offset 96) with expected cipher */
+ if (memcmp(param + 96, kmaes128cipher, sizeof(kmaes128cipher))) {
+ printf("%s failed: XTS parameter mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+/* subfunction CPACF_PCC_XTS_PAES_256 test for pcc
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_pcc_xts_paes_256(void)
+{
+ uint8_t param[128];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Setup parameter block: protected key + wkvp + plaintext + zeros */
+ memcpy(param, kmaes256key, sizeof(kmaes256key));
+ encrypt_clrkey(param, sizeof(kmaes256key));
+ memcpy(param + 32, protkey_wkvp, sizeof(protkey_wkvp));
+ memcpy(param + 64, kmaes256plain, sizeof(kmaes256plain));
+ /* Clear Block Sequential Number, Intermediate Bit Index, and XTS Parameter */
+ memset(param + 80, 0, 48);
+
+ /* Execute PCC to compute XTS parameter */
+ cpacf_pcc(CPACF_PCC_XTS_PAES_256, param, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu\n", __func__, cc);
+ rc = 1;
+ }
+
+ /* Compare computed XTS parameter (at offset 112) with expected cipher */
+ if (memcmp(param + 112, kmaes256cipher, sizeof(kmaes256cipher))) {
+ printf("%s failed: XTS parameter mismatch\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+int main(void)
+{
+ int rc = 0;
+
+ /* Test query function */
+ rc += test_pcc_query();
+
+ /* Test XTS-AES-128 */
+ rc += test_pcc_xts_aes_128();
+
+ /* Test XTS-AES-256 */
+ rc += test_pcc_xts_aes_256();
+
+ /* Test XTS-PAES-128 */
+ rc += test_pcc_xts_paes_128();
+
+ /* Test XTS-PAES-256 */
+ rc += test_pcc_xts_paes_256();
+
+ if (rc) {
+ printf("cpacf-pcc: %d failures\n", rc);
+ }
+
+ return rc ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/cpacf-prno.c b/tests/tcg/s390x/cpacf-prno.c
new file mode 100644
index 0000000000..133cd2e064
--- /dev/null
+++ b/tests/tcg/s390x/cpacf-prno.c
@@ -0,0 +1,130 @@
+/*
+ * Simple test for CPACF PRNO instruction
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include "cpacf.h"
+
+#define QUERY_BLOCK_SIZE 16
+#define TRNG_OUTPUT_SIZE 32
+
+/* expected prno query block */
+static uint8_t exp_query_block[QUERY_BLOCK_SIZE] = {
+ 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00,
+};
+
+/* query test for prno
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_prno_query(void)
+{
+ uint8_t query_block[QUERY_BLOCK_SIZE] = {0};
+ unsigned long cc = 0;
+ int i, rc = 0;
+
+ cpacf_prno(CPACF_PRNO_QUERY, query_block, NULL, 0, NULL, 0, &cc);
+
+ /* compare with expected query block */
+ for (i = 0; i < QUERY_BLOCK_SIZE; i++) {
+ if (query_block[i] != exp_query_block[i]) {
+ rc++;
+ break;
+ }
+ }
+
+ if (rc) {
+ printf("%s failed\n", __func__);
+ }
+
+ return rc;
+}
+
+/* check for buffer is all zero */
+static bool is_all_zeros(const uint8_t *buf, size_t len)
+{
+ size_t i;
+
+ for (i = 0; i < len; i++) {
+ if (buf[i] != 0) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+/* subfunction CPACF_PRNO_TRNG test for prno
+ * returns > 0 on failure, otherwise 0
+ */
+static int test_prno_trng(void)
+{
+ uint8_t output1[TRNG_OUTPUT_SIZE];
+ uint8_t output2[TRNG_OUTPUT_SIZE];
+ unsigned long cc = 0;
+ int rc = 0;
+
+ /* Initialize outputs to detect if they get filled */
+ memset(output1, 0, sizeof(output1));
+ memset(output2, 0, sizeof(output2));
+
+ /* First TRNG call */
+ cpacf_prno(CPACF_PRNO_TRNG, NULL, output1, sizeof(output1), NULL, 0, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu on first call\n", __func__, cc);
+ rc = 1;
+ }
+ /* Verify output is not all zeros */
+ if (is_all_zeros(output1, TRNG_OUTPUT_SIZE)) {
+ printf("%s failed: output1 is all zeros\n", __func__);
+ rc = 1;
+ }
+
+ /* Second TRNG call */
+ cpacf_prno(CPACF_PRNO_TRNG, NULL, output2, sizeof(output2), NULL, 0, &cc);
+
+ /* Check for correct condition code */
+ if (cc != 0) {
+ printf("%s failed: unexpected cc=%lu on second call\n", __func__, cc);
+ rc = 1;
+ }
+ /* Verify output is not all zeros */
+ if (is_all_zeros(output2, TRNG_OUTPUT_SIZE)) {
+ printf("%s failed: output2 is all zeros\n", __func__);
+ rc = 1;
+ }
+
+ /* Verify the two outputs are different */
+ if (memcmp(output1, output2, TRNG_OUTPUT_SIZE) == 0) {
+ printf("%s failed: two TRNG calls produced same output\n", __func__);
+ rc = 1;
+ }
+
+ return rc;
+}
+
+int main(void)
+{
+ int rc = 0;
+
+ /* Test query function */
+ rc += test_prno_query();
+
+ /* Test TRNG */
+ rc += test_prno_trng();
+
+ if (rc) {
+ printf("cpacf-prno: %d failures\n", rc);
+ }
+
+ return rc ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/cpacf.h b/tests/tcg/s390x/cpacf.h
new file mode 100644
index 0000000000..febb976e8c
--- /dev/null
+++ b/tests/tcg/s390x/cpacf.h
@@ -0,0 +1,570 @@
+/*
+ * Defines and inline functions around testing CPACF instructions
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef _S390_CPACF_H_
+#define _S390_CPACF_H_
+
+#define CPACF_H_INCLUDE_FOR_TESTS
+#include "../../../target/s390x/tcg/cpacf.h"
+
+union register_pair {
+ unsigned __int128 pair;
+ struct {
+ unsigned long even;
+ unsigned long odd;
+ };
+};
+
+/*
+ * Instruction opcodes for the CPACF instructions
+ */
+#define CPACF_KMAC 0xb91e /* MSA */
+#define CPACF_KM 0xb92e /* MSA */
+#define CPACF_KMC 0xb92f /* MSA */
+#define CPACF_KIMD 0xb93e /* MSA */
+#define CPACF_KLMD 0xb93f /* MSA */
+#define CPACF_PCKMO 0xb928 /* MSA3 */
+#define CPACF_KMF 0xb92a /* MSA4 */
+#define CPACF_KMO 0xb92b /* MSA4 */
+#define CPACF_PCC 0xb92c /* MSA4 */
+#define CPACF_KMCTR 0xb92d /* MSA4 */
+#define CPACF_PRNO 0xb93c /* MSA5 */
+#define CPACF_KMA 0xb929 /* MSA8 */
+#define CPACF_KDSA 0xb93a /* MSA9 */
+
+/*
+ * 'encrypt' the clear key value into a protected key
+ * by xor-ing the protkey_xor_pattern onto it.
+ */
+static inline void encrypt_clrkey(uint8_t *key, int keysize)
+{
+ const uint8_t protkey_xor_pattern[32] = PROTKEY_XOR_PATTERN;
+
+ for (int i = 0; i < keysize; i++) {
+ key[i] ^= protkey_xor_pattern[i];
+ }
+}
+
+/**
+ * cpacf_km() - executes the KM instruction
+ * @func: the function code passed to KM; see CPACF_KM_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @dest: address of destination memory area
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ *
+ * Returns 0 for the query func, number of processed bytes for
+ * encryption/decryption funcs
+ */
+static inline int cpacf_km(unsigned long func, void *param,
+ uint8_t *dest, const uint8_t *src, long src_len,
+ unsigned long *cc)
+{
+ union register_pair d, s;
+
+ *cc = 0;
+ d.even = (unsigned long)dest;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,%[dst],%[src]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [src] "+&d" (s.pair), [dst] "+&d" (d.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KM)
+ : "cc", "memory", "0", "1");
+
+ return src_len - s.odd;
+}
+
+/**
+ * cpacf_kmc() - executes the KMC instruction
+ * @func: the function code passed to KM; see CPACF_KMC_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @dest: address of destination memory area
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ *
+ * Returns 0 for the query func, number of processed bytes for
+ * encryption/decryption funcs
+ */
+static inline int cpacf_kmc(unsigned long func, void *param,
+ uint8_t *dest, const uint8_t *src, long src_len,
+ unsigned long *cc)
+{
+ union register_pair d, s;
+
+ *cc = 0;
+ d.even = (unsigned long)dest;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,%[dst],%[src]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [src] "+&d" (s.pair), [dst] "+&d" (d.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KMC)
+ : "cc", "memory", "0", "1");
+
+ return src_len - s.odd;
+}
+
+/**
+ * cpacf_kimd() - executes the KIMD instruction
+ * @func: the function code passed to KM; see CPACF_KIMD_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ */
+static inline void cpacf_kimd(unsigned long func, void *param,
+ const uint8_t *src, long src_len,
+ unsigned long *cc)
+{
+ union register_pair s;
+
+ *cc = 0;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,0,%[src]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [src] "+&d" (s.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)(param)),
+ [opc] "i" (CPACF_KIMD)
+ : "cc", "memory", "0", "1");
+}
+
+/**
+ * cpacf_klmd() - executes the KLMD instruction
+ * @func: the function code passed to KM; see CPACF_KLMD_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ */
+static inline void cpacf_klmd(unsigned long func, void *param,
+ const uint8_t *src, long src_len,
+ uint8_t *dest, long dest_len,
+ unsigned long *cc)
+{
+ union register_pair s,d;
+
+ *cc = 0;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ d.even = (unsigned long)dest;
+ d.odd = (unsigned long)dest_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,%[dst],%[src]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [src] "+&d" (s.pair), [dst] "+&d" (d.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KLMD)
+ : "cc", "memory", "0", "1");
+}
+
+/**
+ * cpacf_kmac() - executes the KMAC instruction
+ * @func: the function code passed to KM; see CPACF_KMAC_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ *
+ * Returns 0 for the query func, number of processed bytes for digest funcs
+ */
+static inline int cpacf_kmac(unsigned long func, void *param,
+ const uint8_t *src, long src_len,
+ unsigned long *cc)
+{
+ union register_pair s;
+
+ *cc = 0;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,0,%[src]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [src] "+&d" (s.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KMAC)
+ : "cc", "memory", "0", "1");
+
+ return src_len - s.odd;
+}
+
+static inline int cpacf_kmac_x(unsigned long *func, void *param,
+ const uint8_t *src, long src_len,
+ unsigned long *cc)
+{
+ union register_pair s;
+ unsigned long fc = *func;
+
+ *cc = 0;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,0,%[src]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2: lgr %[fc],0\n"
+ : [fc] "+d" (fc), [src] "+&d" (s.pair), [__cc] "+Q" (*cc)
+ : [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KMAC)
+ : "cc", "memory", "0", "1");
+
+ *func = fc;
+
+ return src_len - s.odd;
+}
+
+/**
+ * cpacf_kmctr() - executes the KMCTR instruction
+ * @func: the function code passed to KMCTR; see CPACF_KMCTR_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @dest: address of destination memory area
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ * @counter: address of counter value
+ *
+ * Returns 0 for the query func, number of processed bytes for
+ * encryption/decryption funcs
+ */
+static inline int cpacf_kmctr(unsigned long func, void *param, uint8_t *dest,
+ const uint8_t *src, long src_len, uint8_t *counter,
+ unsigned long *cc)
+{
+ union register_pair d, s, c;
+
+ *cc = 0;
+ d.even = (unsigned long)dest;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ c.even = (unsigned long)counter;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rrf,%[opc] << 16,%[dst],%[src],%[ctr],0\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [src] "+&d" (s.pair), [dst] "+&d" (d.pair),
+ [ctr] "+&d" (c.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KMCTR)
+ : "cc", "memory", "0", "1");
+
+ return src_len - s.odd;
+}
+
+/**
+ * cpacf_prno() - executes the PRNO instruction
+ * @func: the function code passed to PRNO; see CPACF_PRNO_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @dest: address of destination memory area
+ * @dest_len: size of destination memory area in bytes
+ * @seed: address of seed data
+ * @seed_len: size of seed data in bytes
+ */
+static inline void cpacf_prno(unsigned long func, void *param,
+ uint8_t *dest, unsigned long dest_len,
+ const uint8_t *seed, unsigned long seed_len,
+ unsigned long *cc)
+{
+ union register_pair d, s;
+
+ *cc = 0;
+ d.even = (unsigned long)dest;
+ d.odd = (unsigned long)dest_len;
+ s.even = (unsigned long)seed;
+ s.odd = (unsigned long)seed_len;
+ asm volatile (
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,%[dst],%[seed]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [dst] "+&d" (d.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [seed] "d" (s.pair), [opc] "i" (CPACF_PRNO)
+ : "cc", "memory", "0", "1");
+}
+
+/**
+ * cpacf_trng() - executes the TRNG subfunction of the PRNO instruction
+ * @ucbuf: buffer for unconditioned data
+ * @ucbuf_len: amount of unconditioned data to fetch in bytes
+ * @cbuf: buffer for conditioned data
+ * @cbuf_len: amount of conditioned data to fetch in bytes
+ */
+static inline void cpacf_trng(uint8_t *ucbuf, unsigned long ucbuf_len,
+ uint8_t *cbuf, unsigned long cbuf_len,
+ unsigned long *cc)
+{
+ union register_pair u, c;
+
+ *cc = 0;
+ u.even = (unsigned long)ucbuf;
+ u.odd = (unsigned long)ucbuf_len;
+ c.even = (unsigned long)cbuf;
+ c.odd = (unsigned long)cbuf_len;
+ asm volatile (
+ " lghi 0,%[fc]\n"
+ "0: .insn rre,%[opc] << 16,%[ucbuf],%[cbuf]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [ucbuf] "+&d" (u.pair), [cbuf] "+&d" (c.pair), [__cc] "+Q" (*cc)
+ : [fc] "K" (CPACF_PRNO_TRNG), [opc] "i" (CPACF_PRNO)
+ : "cc", "memory", "0");
+}
+
+/**
+ * cpacf_pcc() - executes the PCC instruction
+ * @func: the function code passed to PCC; see CPACF_KM_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ */
+static inline void cpacf_pcc(unsigned long func, void *param, unsigned long *cc)
+{
+ *cc = 0;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,0,0\n" /* PCC opcode */
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_PCC)
+ : "cc", "memory", "0", "1");
+}
+
+/**
+ * cpacf_pckmo() - executes the PCKMO instruction
+ * @func: the function code passed to PCKMO; see CPACF_PCKMO_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ */
+static inline void cpacf_pckmo(long func, void *param)
+{
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ " .insn rre,%[opc] << 16,0,0\n" /* PCKMO opcode */
+ :
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_PCKMO)
+ : "cc", "memory", "0", "1");
+}
+
+/**
+ * cpacf_kma() - executes the KMA instruction
+ * @func: the function code passed to KMA; see CPACF_KMA_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @dest: address of destination memory area
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ * @aad: address of additional authenticated data memory area
+ * @aad_len: length of aad operand in bytes
+ */
+static inline void cpacf_kma(unsigned long func, void *param, uint8_t *dest,
+ const uint8_t *src, unsigned long src_len,
+ const uint8_t *aad, unsigned long aad_len,
+ unsigned long *cc)
+{
+ union register_pair d, s, a;
+
+ *cc = 0;
+ d.even = (unsigned long)dest;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ a.even = (unsigned long)aad;
+ a.odd = (unsigned long)aad_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rrf,%[opc] << 16,%[dst],%[src],%[aad],0\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [dst] "+&d" (d.pair), [src] "+&d" (s.pair),
+ [aad] "+&d" (a.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KMA)
+ : "cc", "memory", "0", "1");
+}
+
+/**
+ * cpacf_kmf() - executes the KMF instruction
+ * @func: the function code passed to KMF; see CPACF_KMF_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @dest: address of destination memory area
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ *
+ * Returns 0 for the query func, number of processed bytes for
+ * encryption/decryption funcs
+ */
+static inline int cpacf_kmf(unsigned long func, void *param,
+ uint8_t *dest, const uint8_t *src, long src_len,
+ unsigned long *cc)
+{
+ union register_pair d, s;
+
+ *cc = 0;
+ d.even = (unsigned long)dest;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,%[dst],%[src]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [src] "+&d" (s.pair), [dst] "+&d" (d.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KMF)
+ : "cc", "memory", "0", "1");
+
+ return src_len - s.odd;
+}
+
+/**
+ * cpacf_kmo() - executes the KMO instruction
+ * @func: the function code passed to KMO; see CPACF_KMO_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @dest: address of destination memory area
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ *
+ * Returns 0 for the query func, number of processed bytes for
+ * encryption/decryption funcs
+ */
+static inline int cpacf_kmo(unsigned long func, void *param,
+ uint8_t *dest, const uint8_t *src, long src_len,
+ unsigned long *cc)
+{
+ union register_pair d, s;
+
+ *cc = 0;
+ d.even = (unsigned long)dest;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,%[dst],%[src]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [src] "+&d" (s.pair), [dst] "+&d" (d.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KMO)
+ : "cc", "memory", "0", "1");
+
+ return src_len - s.odd;
+}
+
+/**
+ * cpacf_kdsa() - executes the KDSA instruction
+ * @func: the function code passed to KDSA; see CPACF_KDSA_xxx defines
+ * @param: address of parameter block; see POP for details on each func
+ * @src: address of source memory area
+ * @src_len: length of src operand in bytes
+ *
+ * Returns 0 for the query func, otherwise the condition code is checked
+ * and 0 returned on cc 0, otherwise a value != 0 to indicate failure.
+ */
+static inline int cpacf_kdsa(unsigned long func, void *param,
+ const uint8_t *src, long src_len,
+ unsigned long *cc)
+{
+ union register_pair s;
+
+ *cc = 0;
+ s.even = (unsigned long)src;
+ s.odd = (unsigned long)src_len;
+ asm volatile(
+ " lgr 0,%[fc]\n"
+ " lgr 1,%[pba]\n"
+ "0: .insn rre,%[opc] << 16,0,%[src]\n"
+ " brc 1,0b\n" /* handle partial completion */
+ " brc 8,2f\n"
+ " brc 4,1f\n"
+ " agsi %[__cc],1\n"
+ "1: agsi %[__cc],1\n"
+ "2:\n"
+ : [src] "+&d" (s.pair), [__cc] "+Q" (*cc)
+ : [fc] "d" (func), [pba] "d" ((unsigned long)param),
+ [opc] "i" (CPACF_KDSA)
+ : "cc", "memory", "0", "1");
+
+ return (int)(*cc != 0);
+}
+
+#endif /* _S390_CPACF_H_ */
--
2.43.0
^ permalink raw reply related [flat|nested] 22+ messages in thread
end of thread, other threads:[~2026-07-01 16:47 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-01 16:46 [PATCH v9 00/21] target/s390x: Extend qemu CPACF support Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 01/21] target/s390x: Fix wrong address handling in address loops Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 02/21] target/s390x: Rework s390 cpacf implementations Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 03/21] target/s390x: Move cpacf sha512 code into a new file Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 04/21] target/s390x: Support cpacf sha256 Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 05/21] target/s390x: Support AES ECB for cpacf km instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 06/21] target/s390x: Support AES CBC for cpacf kmc instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 07/21] target/s390x: Support AES CTR for cpacf kmctr instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 08/21] target/s390x: Minimal AES XTS support for cpacf pcc instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 09/21] target/s390x: Support AES XTS for cpacf km instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 10/21] target/s390x: Base support for cpacf protected keys Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 11/21] target/s390x: Support pckmo encrypt AES subfunctions Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 12/21] target/s390x: Support protected key AES ECB for cpacf km instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 13/21] target/s390x: Support protected key AES CBC for cpacf kmc instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 14/21] target/s390x: Support protected key AES CTR for cpacf kmctr instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 15/21] target/s390x: Minimal protected key AES XTS support for cpacf pcc instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 16/21] target/s390x: Support protected key AES XTS for cpacf km instruction Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 17/21] docs/s390: Document CPACF instructions support Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 18/21] crypto: Add aes-helpers file to support some AES modes Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 19/21] target/s390x: Use generic AES helper functions Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 20/21] target/s390x: Improve fetch and store mem from and to guest Harald Freudenberger
2026-07-01 16:46 ` [PATCH v9 21/21] tests/tcg/s390x: Add tests for CPACF instructions Harald Freudenberger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox