LXR linux/drivers/s390/crypto/pkey

   1// SPDX-License-Identifier: GPL-2.0
   2/*
   3 *  pkey device driver
   4 *
   5 *  Copyright IBM Corp. 2017,2019
   6 *  Author(s): Harald Freudenberger
   7 */
   8
   9#define KMSG_COMPONENT "pkey"
  10#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
  11
  12#include <linux/fs.h>
  13#include <linux/init.h>
  14#include <linux/miscdevice.h>
  15#include <linux/module.h>
  16#include <linux/slab.h>
  17#include <linux/kallsyms.h>
  18#include <linux/debugfs.h>
  19#include <linux/random.h>
  20#include <linux/cpufeature.h>
  21#include <asm/zcrypt.h>
  22#include <asm/cpacf.h>
  23#include <asm/pkey.h>
  24#include <crypto/aes.h>
  25
  26#include "zcrypt_api.h"
  27#include "zcrypt_ccamisc.h"
  28#include "zcrypt_ep11misc.h"
  29
  30MODULE_LICENSE("GPL");
  31MODULE_AUTHOR("IBM Corporation");
  32MODULE_DESCRIPTION("s390 protected key interface");
  33
  34#define KEYBLOBBUFSIZE 8192  /* key buffer size used for internal processing */
  35#define MAXAPQNSINLIST 64    /* max 64 apqns within a apqn list */
  36
  37/* mask of available pckmo subfunctions, fetched once at module init */
  38static cpacf_mask_t pckmo_functions;
  39
  40/*
  41 * debug feature data and functions
  42 */
  43
  44static debug_info_t *debug_info;
  45
  46#define DEBUG_DBG(...)  debug_sprintf_event(debug_info, 6, ##__VA_ARGS__)
  47#define DEBUG_INFO(...) debug_sprintf_event(debug_info, 5, ##__VA_ARGS__)
  48#define DEBUG_WARN(...) debug_sprintf_event(debug_info, 4, ##__VA_ARGS__)
  49#define DEBUG_ERR(...)  debug_sprintf_event(debug_info, 3, ##__VA_ARGS__)
  50
  51static void __init pkey_debug_init(void)
  52{
  53        /* 5 arguments per dbf entry (including the format string ptr) */
  54        debug_info = debug_register("pkey", 1, 1, 5 * sizeof(long));
  55        debug_register_view(debug_info, &debug_sprintf_view);
  56        debug_set_level(debug_info, 3);
  57}
  58
  59static void __exit pkey_debug_exit(void)
  60{
  61        debug_unregister(debug_info);
  62}
  63
  64/* inside view of a protected key token (only type 0x00 version 0x01) */
  65struct protaeskeytoken {
  66        u8  type;     /* 0x00 for PAES specific key tokens */
  67        u8  res0[3];
  68        u8  version;  /* should be 0x01 for protected AES key token */
  69        u8  res1[3];
  70        u32 keytype;  /* key type, one of the PKEY_KEYTYPE values */
  71        u32 len;      /* bytes actually stored in protkey[] */
  72        u8  protkey[MAXPROTKEYSIZE]; /* the protected key blob */
  73} __packed;
  74
  75/* inside view of a clear key token (type 0x00 version 0x02) */
  76struct clearaeskeytoken {
  77        u8  type;        /* 0x00 for PAES specific key tokens */
  78        u8  res0[3];
  79        u8  version;     /* 0x02 for clear AES key token */
  80        u8  res1[3];
  81        u32 keytype;     /* key type, one of the PKEY_KEYTYPE values */
  82        u32 len;         /* bytes actually stored in clearkey[] */
  83        u8  clearkey[0]; /* clear key value */
  84} __packed;
  85
  86/*
  87 * Create a protected key from a clear key value.
  88 */
  89static int pkey_clr2protkey(u32 keytype,
  90                            const struct pkey_clrkey *clrkey,
  91                            struct pkey_protkey *protkey)
  92{
  93        long fc;
  94        int keysize;
  95        u8 paramblock[64];
  96
  97        switch (keytype) {
  98        case PKEY_KEYTYPE_AES_128:
  99                keysize = 16;
 100                fc = CPACF_PCKMO_ENC_AES_128_KEY;
 101                break;
 102        case PKEY_KEYTYPE_AES_192:
 103                keysize = 24;
 104                fc = CPACF_PCKMO_ENC_AES_192_KEY;
 105                break;
 106        case PKEY_KEYTYPE_AES_256:
 107                keysize = 32;
 108                fc = CPACF_PCKMO_ENC_AES_256_KEY;
 109                break;
 110        default:
 111                DEBUG_ERR("%s unknown/unsupported keytype %d\n",
 112                          __func__, keytype);
 113                return -EINVAL;
 114        }
 115
 116        /*
 117         * Check if the needed pckmo subfunction is available.
 118         * These subfunctions can be enabled/disabled by customers
 119         * in the LPAR profile or may even change on the fly.
 120         */
 121        if (!cpacf_test_func(&pckmo_functions, fc)) {
 122                DEBUG_ERR("%s pckmo functions not available\n", __func__);
 123                return -ENODEV;
 124        }
 125
 126        /* prepare param block */
 127        memset(paramblock, 0, sizeof(paramblock));
 128        memcpy(paramblock, clrkey->clrkey, keysize);
 129
 130        /* call the pckmo instruction */
 131        cpacf_pckmo(fc, paramblock);
 132
 133        /* copy created protected key */
 134        protkey->type = keytype;
 135        protkey->len = keysize + 32;
 136        memcpy(protkey->protkey, paramblock, keysize + 32);
 137
 138        return 0;
 139}
 140
 141/*
 142 * Find card and transform secure key into protected key.
 143 */
 144static int pkey_skey2pkey(const u8 *key, struct pkey_protkey *pkey)
 145{
 146        int rc, verify;
 147        u16 cardnr, domain;
 148        struct keytoken_header *hdr = (struct keytoken_header *)key;
 149
 150        /*
 151         * The cca_xxx2protkey call may fail when a card has been
 152         * addressed where the master key was changed after last fetch
 153         * of the mkvp into the cache. Try 3 times: First witout verify
 154         * then with verify and last round with verify and old master
 155         * key verification pattern match not ignored.
 156         */
 157        for (verify = 0; verify < 3; verify++) {
 158                rc = cca_findcard(key, &cardnr, &domain, verify);
 159                if (rc < 0)
 160                        continue;
 161                if (rc > 0 && verify < 2)
 162                        continue;
 163                switch (hdr->version) {
 164                case TOKVER_CCA_AES:
 165                        rc = cca_sec2protkey(cardnr, domain,
 166                                             key, pkey->protkey,
 167                                             &pkey->len, &pkey->type);
 168                        break;
 169                case TOKVER_CCA_VLSC:
 170                        rc = cca_cipher2protkey(cardnr, domain,
 171                                                key, pkey->protkey,
 172                                                &pkey->len, &pkey->type);
 173                        break;
 174                default:
 175                        return -EINVAL;
 176                }
 177                if (rc == 0)
 178                        break;
 179        }
 180
 181        if (rc)
 182                DEBUG_DBG("%s failed rc=%d\n", __func__, rc);
 183
 184        return rc;
 185}
 186
 187/*
 188 * Construct EP11 key with given clear key value.
 189 */
 190static int pkey_clr2ep11key(const u8 *clrkey, size_t clrkeylen,
 191                            u8 *keybuf, size_t *keybuflen)
 192{
 193        int i, rc;
 194        u16 card, dom;
 195        u32 nr_apqns, *apqns = NULL;
 196
 197        /* build a list of apqns suitable for ep11 keys with cpacf support */
 198        rc = ep11_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
 199                            ZCRYPT_CEX7, EP11_API_V, NULL);
 200        if (rc)
 201                goto out;
 202
 203        /* go through the list of apqns and try to bild an ep11 key */
 204        for (rc = -ENODEV, i = 0; i < nr_apqns; i++) {
 205                card = apqns[i] >> 16;
 206                dom = apqns[i] & 0xFFFF;
 207                rc = ep11_clr2keyblob(card, dom, clrkeylen * 8,
 208                                      0, clrkey, keybuf, keybuflen);
 209                if (rc == 0)
 210                        break;
 211        }
 212
 213out:
 214        kfree(apqns);
 215        if (rc)
 216                DEBUG_DBG("%s failed rc=%d\n", __func__, rc);
 217        return rc;
 218}
 219
 220/*
 221 * Find card and transform EP11 secure key into protected key.
 222 */
 223static int pkey_ep11key2pkey(const u8 *key, struct pkey_protkey *pkey)
 224{
 225        int i, rc;
 226        u16 card, dom;
 227        u32 nr_apqns, *apqns = NULL;
 228        struct ep11keyblob *kb = (struct ep11keyblob *) key;
 229
 230        /* build a list of apqns suitable for this key */
 231        rc = ep11_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
 232                            ZCRYPT_CEX7, EP11_API_V, kb->wkvp);
 233        if (rc)
 234                goto out;
 235
 236        /* go through the list of apqns and try to derive an pkey */
 237        for (rc = -ENODEV, i = 0; i < nr_apqns; i++) {
 238                card = apqns[i] >> 16;
 239                dom = apqns[i] & 0xFFFF;
 240                rc = ep11_key2protkey(card, dom, key, kb->head.len,
 241                                      pkey->protkey, &pkey->len, &pkey->type);
 242                if (rc == 0)
 243                        break;
 244        }
 245
 246out:
 247        kfree(apqns);
 248        if (rc)
 249                DEBUG_DBG("%s failed rc=%d\n", __func__, rc);
 250        return rc;
 251}
 252
 253/*
 254 * Verify key and give back some info about the key.
 255 */
 256static int pkey_verifykey(const struct pkey_seckey *seckey,
 257                          u16 *pcardnr, u16 *pdomain,
 258                          u16 *pkeysize, u32 *pattributes)
 259{
 260        struct secaeskeytoken *t = (struct secaeskeytoken *) seckey;
 261        u16 cardnr, domain;
 262        int rc;
 263
 264        /* check the secure key for valid AES secure key */
 265        rc = cca_check_secaeskeytoken(debug_info, 3, (u8 *) seckey, 0);
 266        if (rc)
 267                goto out;
 268        if (pattributes)
 269                *pattributes = PKEY_VERIFY_ATTR_AES;
 270        if (pkeysize)
 271                *pkeysize = t->bitsize;
 272
 273        /* try to find a card which can handle this key */
 274        rc = cca_findcard(seckey->seckey, &cardnr, &domain, 1);
 275        if (rc < 0)
 276                goto out;
 277
 278        if (rc > 0) {
 279                /* key mkvp matches to old master key mkvp */
 280                DEBUG_DBG("%s secure key has old mkvp\n", __func__);
 281                if (pattributes)
 282                        *pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
 283                rc = 0;
 284        }
 285
 286        if (pcardnr)
 287                *pcardnr = cardnr;
 288        if (pdomain)
 289                *pdomain = domain;
 290
 291out:
 292        DEBUG_DBG("%s rc=%d\n", __func__, rc);
 293        return rc;
 294}
 295
 296/*
 297 * Generate a random protected key
 298 */
 299static int pkey_genprotkey(u32 keytype, struct pkey_protkey *protkey)
 300{
 301        struct pkey_clrkey clrkey;
 302        int keysize;
 303        int rc;
 304
 305        switch (keytype) {
 306        case PKEY_KEYTYPE_AES_128:
 307                keysize = 16;
 308                break;
 309        case PKEY_KEYTYPE_AES_192:
 310                keysize = 24;
 311                break;
 312        case PKEY_KEYTYPE_AES_256:
 313                keysize = 32;
 314                break;
 315        default:
 316                DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__,
 317                          keytype);
 318                return -EINVAL;
 319        }
 320
 321        /* generate a dummy random clear key */
 322        get_random_bytes(clrkey.clrkey, keysize);
 323
 324        /* convert it to a dummy protected key */
 325        rc = pkey_clr2protkey(keytype, &clrkey, protkey);
 326        if (rc)
 327                return rc;
 328
 329        /* replace the key part of the protected key with random bytes */
 330        get_random_bytes(protkey->protkey, keysize);
 331
 332        return 0;
 333}
 334
 335/*
 336 * Verify if a protected key is still valid
 337 */
 338static int pkey_verifyprotkey(const struct pkey_protkey *protkey)
 339{
 340        unsigned long fc;
 341        struct {
 342                u8 iv[AES_BLOCK_SIZE];
 343                u8 key[MAXPROTKEYSIZE];
 344        } param;
 345        u8 null_msg[AES_BLOCK_SIZE];
 346        u8 dest_buf[AES_BLOCK_SIZE];
 347        unsigned int k;
 348
 349        switch (protkey->type) {
 350        case PKEY_KEYTYPE_AES_128:
 351                fc = CPACF_KMC_PAES_128;
 352                break;
 353        case PKEY_KEYTYPE_AES_192:
 354                fc = CPACF_KMC_PAES_192;
 355                break;
 356        case PKEY_KEYTYPE_AES_256:
 357                fc = CPACF_KMC_PAES_256;
 358                break;
 359        default:
 360                DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__,
 361                          protkey->type);
 362                return -EINVAL;
 363        }
 364
 365        memset(null_msg, 0, sizeof(null_msg));
 366
 367        memset(param.iv, 0, sizeof(param.iv));
 368        memcpy(param.key, protkey->protkey, sizeof(param.key));
 369
 370        k = cpacf_kmc(fc | CPACF_ENCRYPT, &param, null_msg, dest_buf,
 371                      sizeof(null_msg));
 372        if (k != sizeof(null_msg)) {
 373                DEBUG_ERR("%s protected key is not valid\n", __func__);
 374                return -EKEYREJECTED;
 375        }
 376
 377        return 0;
 378}
 379
 380/*
 381 * Transform a non-CCA key token into a protected key
 382 */
 383static int pkey_nonccatok2pkey(const u8 *key, u32 keylen,
 384                               struct pkey_protkey *protkey)
 385{
 386        int rc = -EINVAL;
 387        u8 *tmpbuf = NULL;
 388        struct keytoken_header *hdr = (struct keytoken_header *)key;
 389
 390        switch (hdr->version) {
 391        case TOKVER_PROTECTED_KEY: {
 392                struct protaeskeytoken *t;
 393
 394                if (keylen != sizeof(struct protaeskeytoken))
 395                        goto out;
 396                t = (struct protaeskeytoken *)key;
 397                protkey->len = t->len;
 398                protkey->type = t->keytype;
 399                memcpy(protkey->protkey, t->protkey,
 400                       sizeof(protkey->protkey));
 401                rc = pkey_verifyprotkey(protkey);
 402                break;
 403        }
 404        case TOKVER_CLEAR_KEY: {
 405                struct clearaeskeytoken *t;
 406                struct pkey_clrkey ckey;
 407                union u_tmpbuf {
 408                        u8 skey[SECKEYBLOBSIZE];
 409                        u8 ep11key[MAXEP11AESKEYBLOBSIZE];
 410                };
 411                size_t tmpbuflen = sizeof(union u_tmpbuf);
 412
 413                if (keylen < sizeof(struct clearaeskeytoken))
 414                        goto out;
 415                t = (struct clearaeskeytoken *)key;
 416                if (keylen != sizeof(*t) + t->len)
 417                        goto out;
 418                if ((t->keytype == PKEY_KEYTYPE_AES_128 && t->len == 16)
 419                    || (t->keytype == PKEY_KEYTYPE_AES_192 && t->len == 24)
 420                    || (t->keytype == PKEY_KEYTYPE_AES_256 && t->len == 32))
 421                        memcpy(ckey.clrkey, t->clearkey, t->len);
 422                else
 423                        goto out;
 424                /* alloc temp key buffer space */
 425                tmpbuf = kmalloc(tmpbuflen, GFP_ATOMIC);
 426                if (!tmpbuf) {
 427                        rc = -ENOMEM;
 428                        goto out;
 429                }
 430                /* try direct way with the PCKMO instruction */
 431                rc = pkey_clr2protkey(t->keytype, &ckey, protkey);
 432                if (rc == 0)
 433                        break;
 434                /* PCKMO failed, so try the CCA secure key way */
 435                rc = cca_clr2seckey(0xFFFF, 0xFFFF, t->keytype,
 436                                    ckey.clrkey, tmpbuf);
 437                if (rc == 0)
 438                        rc = pkey_skey2pkey(tmpbuf, protkey);
 439                if (rc == 0)
 440                        break;
 441                /* if the CCA way also failed, let's try via EP11 */
 442                rc = pkey_clr2ep11key(ckey.clrkey, t->len,
 443                                      tmpbuf, &tmpbuflen);
 444                if (rc == 0)
 445                        rc = pkey_ep11key2pkey(tmpbuf, protkey);
 446                /* now we should really have an protected key */
 447                DEBUG_ERR("%s unable to build protected key from clear",
 448                          __func__);
 449                break;
 450        }
 451        case TOKVER_EP11_AES: {
 452                if (keylen < MINEP11AESKEYBLOBSIZE)
 453                        goto out;
 454                /* check ep11 key for exportable as protected key */
 455                rc = ep11_check_aeskeyblob(debug_info, 3, key, 0, 1);
 456                if (rc)
 457                        goto out;
 458                rc = pkey_ep11key2pkey(key, protkey);
 459                break;
 460        }
 461        default:
 462                DEBUG_ERR("%s unknown/unsupported non-CCA token version %d\n",
 463                          __func__, hdr->version);
 464                rc = -EINVAL;
 465        }
 466
 467out:
 468        kfree(tmpbuf);
 469        return rc;
 470}
 471
 472/*
 473 * Transform a CCA internal key token into a protected key
 474 */
 475static int pkey_ccainttok2pkey(const u8 *key, u32 keylen,
 476                               struct pkey_protkey *protkey)
 477{
 478        struct keytoken_header *hdr = (struct keytoken_header *)key;
 479
 480        switch (hdr->version) {
 481        case TOKVER_CCA_AES:
 482                if (keylen != sizeof(struct secaeskeytoken))
 483                        return -EINVAL;
 484                break;
 485        case TOKVER_CCA_VLSC:
 486                if (keylen < hdr->len || keylen > MAXCCAVLSCTOKENSIZE)
 487                        return -EINVAL;
 488                break;
 489        default:
 490                DEBUG_ERR("%s unknown/unsupported CCA internal token version %d\n",
 491                          __func__, hdr->version);
 492                return -EINVAL;
 493        }
 494
 495        return pkey_skey2pkey(key, protkey);
 496}
 497
 498/*
 499 * Transform a key blob (of any type) into a protected key
 500 */
 501int pkey_keyblob2pkey(const u8 *key, u32 keylen,
 502                      struct pkey_protkey *protkey)
 503{
 504        int rc;
 505        struct keytoken_header *hdr = (struct keytoken_header *)key;
 506
 507        if (keylen < sizeof(struct keytoken_header)) {
 508                DEBUG_ERR("%s invalid keylen %d\n", __func__, keylen);
 509                return -EINVAL;
 510        }
 511
 512        switch (hdr->type) {
 513        case TOKTYPE_NON_CCA:
 514                rc = pkey_nonccatok2pkey(key, keylen, protkey);
 515                break;
 516        case TOKTYPE_CCA_INTERNAL:
 517                rc = pkey_ccainttok2pkey(key, keylen, protkey);
 518                break;
 519        default:
 520                DEBUG_ERR("%s unknown/unsupported blob type %d\n",
 521                          __func__, hdr->type);
 522                return -EINVAL;
 523        }
 524
 525        DEBUG_DBG("%s rc=%d\n", __func__, rc);
 526        return rc;
 527
 528}
 529EXPORT_SYMBOL(pkey_keyblob2pkey);
 530
 531static int pkey_genseckey2(const struct pkey_apqn *apqns, size_t nr_apqns,
 532                           enum pkey_key_type ktype, enum pkey_key_size ksize,
 533                           u32 kflags, u8 *keybuf, size_t *keybufsize)
 534{
 535        int i, card, dom, rc;
 536
 537        /* check for at least one apqn given */
 538        if (!apqns || !nr_apqns)
 539                return -EINVAL;
 540
 541        /* check key type and size */
 542        switch (ktype) {
 543        case PKEY_TYPE_CCA_DATA:
 544        case PKEY_TYPE_CCA_CIPHER:
 545                if (*keybufsize < SECKEYBLOBSIZE)
 546                        return -EINVAL;
 547                break;
 548        case PKEY_TYPE_EP11:
 549                if (*keybufsize < MINEP11AESKEYBLOBSIZE)
 550                        return -EINVAL;
 551                break;
 552        default:
 553                return -EINVAL;
 554        }
 555        switch (ksize) {
 556        case PKEY_SIZE_AES_128:
 557        case PKEY_SIZE_AES_192:
 558        case PKEY_SIZE_AES_256:
 559                break;
 560        default:
 561                return -EINVAL;
 562        }
 563
 564        /* simple try all apqns from the list */
 565        for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
 566                card = apqns[i].card;
 567                dom = apqns[i].domain;
 568                if (ktype == PKEY_TYPE_EP11) {
 569                        rc = ep11_genaeskey(card, dom, ksize, kflags,
 570                                            keybuf, keybufsize);
 571                } else if (ktype == PKEY_TYPE_CCA_DATA) {
 572                        rc = cca_genseckey(card, dom, ksize, keybuf);
 573                        *keybufsize = (rc ? 0 : SECKEYBLOBSIZE);
 574                } else /* TOKVER_CCA_VLSC */
 575                        rc = cca_gencipherkey(card, dom, ksize, kflags,
 576                                              keybuf, keybufsize);
 577                if (rc == 0)
 578                        break;
 579        }
 580
 581        return rc;
 582}
 583
 584static int pkey_clr2seckey2(const struct pkey_apqn *apqns, size_t nr_apqns,
 585                            enum pkey_key_type ktype, enum pkey_key_size ksize,
 586                            u32 kflags, const u8 *clrkey,
 587                            u8 *keybuf, size_t *keybufsize)
 588{
 589        int i, card, dom, rc;
 590
 591        /* check for at least one apqn given */
 592        if (!apqns || !nr_apqns)
 593                return -EINVAL;
 594
 595        /* check key type and size */
 596        switch (ktype) {
 597        case PKEY_TYPE_CCA_DATA:
 598        case PKEY_TYPE_CCA_CIPHER:
 599                if (*keybufsize < SECKEYBLOBSIZE)
 600                        return -EINVAL;
 601                break;
 602        case PKEY_TYPE_EP11:
 603                if (*keybufsize < MINEP11AESKEYBLOBSIZE)
 604                        return -EINVAL;
 605                break;
 606        default:
 607                return -EINVAL;
 608        }
 609        switch (ksize) {
 610        case PKEY_SIZE_AES_128:
 611        case PKEY_SIZE_AES_192:
 612        case PKEY_SIZE_AES_256:
 613                break;
 614        default:
 615                return -EINVAL;
 616        }
 617
 618        /* simple try all apqns from the list */
 619        for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
 620                card = apqns[i].card;
 621                dom = apqns[i].domain;
 622                if (ktype == PKEY_TYPE_EP11) {
 623                        rc = ep11_clr2keyblob(card, dom, ksize, kflags,
 624                                              clrkey, keybuf, keybufsize);
 625                } else if (ktype == PKEY_TYPE_CCA_DATA) {
 626                        rc = cca_clr2seckey(card, dom, ksize,
 627                                            clrkey, keybuf);
 628                        *keybufsize = (rc ? 0 : SECKEYBLOBSIZE);
 629                } else /* TOKVER_CCA_VLSC */
 630                        rc = cca_clr2cipherkey(card, dom, ksize, kflags,
 631                                               clrkey, keybuf, keybufsize);
 632                if (rc == 0)
 633                        break;
 634        }
 635
 636        return rc;
 637}
 638
 639static int pkey_verifykey2(const u8 *key, size_t keylen,
 640                           u16 *cardnr, u16 *domain,
 641                           enum pkey_key_type *ktype,
 642                           enum pkey_key_size *ksize, u32 *flags)
 643{
 644        int rc;
 645        u32 _nr_apqns, *_apqns = NULL;
 646        struct keytoken_header *hdr = (struct keytoken_header *)key;
 647
 648        if (keylen < sizeof(struct keytoken_header))
 649                return -EINVAL;
 650
 651        if (hdr->type == TOKTYPE_CCA_INTERNAL
 652            && hdr->version == TOKVER_CCA_AES) {
 653                struct secaeskeytoken *t = (struct secaeskeytoken *)key;
 654
 655                rc = cca_check_secaeskeytoken(debug_info, 3, key, 0);
 656                if (rc)
 657                        goto out;
 658                if (ktype)
 659                        *ktype = PKEY_TYPE_CCA_DATA;
 660                if (ksize)
 661                        *ksize = (enum pkey_key_size) t->bitsize;
 662
 663                rc = cca_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
 664                                   ZCRYPT_CEX3C, t->mkvp, 0, 1);
 665                if (rc == 0 && flags)
 666                        *flags = PKEY_FLAGS_MATCH_CUR_MKVP;
 667                if (rc == -ENODEV) {
 668                        rc = cca_findcard2(&_apqns, &_nr_apqns,
 669                                           *cardnr, *domain,
 670                                           ZCRYPT_CEX3C, 0, t->mkvp, 1);
 671                        if (rc == 0 && flags)
 672                                *flags = PKEY_FLAGS_MATCH_ALT_MKVP;
 673                }
 674                if (rc)
 675                        goto out;
 676
 677                *cardnr = ((struct pkey_apqn *)_apqns)->card;
 678                *domain = ((struct pkey_apqn *)_apqns)->domain;
 679
 680        } else if (hdr->type == TOKTYPE_CCA_INTERNAL
 681                   && hdr->version == TOKVER_CCA_VLSC) {
 682                struct cipherkeytoken *t = (struct cipherkeytoken *)key;
 683
 684                rc = cca_check_secaescipherkey(debug_info, 3, key, 0, 1);
 685                if (rc)
 686                        goto out;
 687                if (ktype)
 688                        *ktype = PKEY_TYPE_CCA_CIPHER;
 689                if (ksize) {
 690                        *ksize = PKEY_SIZE_UNKNOWN;
 691                        if (!t->plfver && t->wpllen == 512)
 692                                *ksize = PKEY_SIZE_AES_128;
 693                        else if (!t->plfver && t->wpllen == 576)
 694                                *ksize = PKEY_SIZE_AES_192;
 695                        else if (!t->plfver && t->wpllen == 640)
 696                                *ksize = PKEY_SIZE_AES_256;
 697                }
 698
 699                rc = cca_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
 700                                   ZCRYPT_CEX6, t->mkvp0, 0, 1);
 701                if (rc == 0 && flags)
 702                        *flags = PKEY_FLAGS_MATCH_CUR_MKVP;
 703                if (rc == -ENODEV) {
 704                        rc = cca_findcard2(&_apqns, &_nr_apqns,
 705                                           *cardnr, *domain,
 706                                           ZCRYPT_CEX6, 0, t->mkvp0, 1);
 707                        if (rc == 0 && flags)
 708                                *flags = PKEY_FLAGS_MATCH_ALT_MKVP;
 709                }
 710                if (rc)
 711                        goto out;
 712
 713                *cardnr = ((struct pkey_apqn *)_apqns)->card;
 714                *domain = ((struct pkey_apqn *)_apqns)->domain;
 715
 716        } else if (hdr->type == TOKTYPE_NON_CCA
 717                   && hdr->version == TOKVER_EP11_AES) {
 718                struct ep11keyblob *kb = (struct ep11keyblob *)key;
 719
 720                rc = ep11_check_aeskeyblob(debug_info, 3, key, 0, 1);
 721                if (rc)
 722                        goto out;
 723                if (ktype)
 724                        *ktype = PKEY_TYPE_EP11;
 725                if (ksize)
 726                        *ksize = kb->head.keybitlen;
 727
 728                rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
 729                                    ZCRYPT_CEX7, EP11_API_V, kb->wkvp);
 730                if (rc)
 731                        goto out;
 732
 733                if (flags)
 734                        *flags = PKEY_FLAGS_MATCH_CUR_MKVP;
 735
 736                *cardnr = ((struct pkey_apqn *)_apqns)->card;
 737                *domain = ((struct pkey_apqn *)_apqns)->domain;
 738
 739        } else
 740                rc = -EINVAL;
 741
 742out:
 743        kfree(_apqns);
 744        return rc;
 745}
 746
 747static int pkey_keyblob2pkey2(const struct pkey_apqn *apqns, size_t nr_apqns,
 748                              const u8 *key, size_t keylen,
 749                              struct pkey_protkey *pkey)
 750{
 751        int i, card, dom, rc;
 752        struct keytoken_header *hdr = (struct keytoken_header *)key;
 753
 754        /* check for at least one apqn given */
 755        if (!apqns || !nr_apqns)
 756                return -EINVAL;
 757
 758        if (keylen < sizeof(struct keytoken_header))
 759                return -EINVAL;
 760
 761        if (hdr->type == TOKTYPE_CCA_INTERNAL) {
 762                if (hdr->version == TOKVER_CCA_AES) {
 763                        if (keylen != sizeof(struct secaeskeytoken))
 764                                return -EINVAL;
 765                        if (cca_check_secaeskeytoken(debug_info, 3, key, 0))
 766                                return -EINVAL;
 767                } else if (hdr->version == TOKVER_CCA_VLSC) {
 768                        if (keylen < hdr->len || keylen > MAXCCAVLSCTOKENSIZE)
 769                                return -EINVAL;
 770                        if (cca_check_secaescipherkey(debug_info, 3, key, 0, 1))
 771                                return -EINVAL;
 772                } else {
 773                        DEBUG_ERR("%s unknown CCA internal token version %d\n",
 774                                  __func__, hdr->version);
 775                        return -EINVAL;
 776                }
 777        } else if (hdr->type == TOKTYPE_NON_CCA) {
 778                if (hdr->version == TOKVER_EP11_AES) {
 779                        if (keylen < sizeof(struct ep11keyblob))
 780                                return -EINVAL;
 781                        if (ep11_check_aeskeyblob(debug_info, 3, key, 0, 1))
 782                                return -EINVAL;
 783                } else {
 784                        return pkey_nonccatok2pkey(key, keylen, pkey);
 785                }
 786        } else {
 787                DEBUG_ERR("%s unknown/unsupported blob type %d\n",
 788                          __func__, hdr->type);
 789                return -EINVAL;
 790        }
 791
 792        /* simple try all apqns from the list */
 793        for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
 794                card = apqns[i].card;
 795                dom = apqns[i].domain;
 796                if (hdr->type == TOKTYPE_CCA_INTERNAL
 797                    && hdr->version == TOKVER_CCA_AES)
 798                        rc = cca_sec2protkey(card, dom, key, pkey->protkey,
 799                                             &pkey->len, &pkey->type);
 800                else if (hdr->type == TOKTYPE_CCA_INTERNAL
 801                         && hdr->version == TOKVER_CCA_VLSC)
 802                        rc = cca_cipher2protkey(card, dom, key, pkey->protkey,
 803                                                &pkey->len, &pkey->type);
 804                else { /* EP11 AES secure key blob */
 805                        struct ep11keyblob *kb = (struct ep11keyblob *) key;
 806
 807                        rc = ep11_key2protkey(card, dom, key, kb->head.len,
 808                                              pkey->protkey, &pkey->len,
 809                                              &pkey->type);
 810                }
 811                if (rc == 0)
 812                        break;
 813        }
 814
 815        return rc;
 816}
 817
 818static int pkey_apqns4key(const u8 *key, size_t keylen, u32 flags,
 819                          struct pkey_apqn *apqns, size_t *nr_apqns)
 820{
 821        int rc = EINVAL;
 822        u32 _nr_apqns, *_apqns = NULL;
 823        struct keytoken_header *hdr = (struct keytoken_header *)key;
 824
 825        if (keylen < sizeof(struct keytoken_header) || flags == 0)
 826                return -EINVAL;
 827
 828        if (hdr->type == TOKTYPE_NON_CCA && hdr->version == TOKVER_EP11_AES) {
 829                int minhwtype = 0, api = 0;
 830                struct ep11keyblob *kb = (struct ep11keyblob *) key;
 831
 832                if (flags != PKEY_FLAGS_MATCH_CUR_MKVP)
 833                        return -EINVAL;
 834                if (kb->attr & EP11_BLOB_PKEY_EXTRACTABLE) {
 835                        minhwtype = ZCRYPT_CEX7;
 836                        api = EP11_API_V;
 837                }
 838                rc = ep11_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
 839                                    minhwtype, api, kb->wkvp);
 840                if (rc)
 841                        goto out;
 842        } else if (hdr->type == TOKTYPE_CCA_INTERNAL) {
 843                int minhwtype = ZCRYPT_CEX3C;
 844                u64 cur_mkvp = 0, old_mkvp = 0;
 845
 846                if (hdr->version == TOKVER_CCA_AES) {
 847                        struct secaeskeytoken *t = (struct secaeskeytoken *)key;
 848
 849                        if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
 850                                cur_mkvp = t->mkvp;
 851                        if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
 852                                old_mkvp = t->mkvp;
 853                } else if (hdr->version == TOKVER_CCA_VLSC) {
 854                        struct cipherkeytoken *t = (struct cipherkeytoken *)key;
 855
 856                        minhwtype = ZCRYPT_CEX6;
 857                        if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
 858                                cur_mkvp = t->mkvp0;
 859                        if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
 860                                old_mkvp = t->mkvp0;
 861                } else {
 862                        /* unknown cca internal token type */
 863                        return -EINVAL;
 864                }
 865                rc = cca_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
 866                                   minhwtype, cur_mkvp, old_mkvp, 1);
 867                if (rc)
 868                        goto out;
 869        } else
 870                return -EINVAL;
 871
 872        if (apqns) {
 873                if (*nr_apqns < _nr_apqns)
 874                        rc = -ENOSPC;
 875                else
 876                        memcpy(apqns, _apqns, _nr_apqns * sizeof(u32));
 877        }
 878        *nr_apqns = _nr_apqns;
 879
 880out:
 881        kfree(_apqns);
 882        return rc;
 883}
 884
 885static int pkey_apqns4keytype(enum pkey_key_type ktype,
 886                              u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags,
 887                              struct pkey_apqn *apqns, size_t *nr_apqns)
 888{
 889        int rc = -EINVAL;
 890        u32 _nr_apqns, *_apqns = NULL;
 891
 892        if (ktype == PKEY_TYPE_CCA_DATA || ktype == PKEY_TYPE_CCA_CIPHER) {
 893                u64 cur_mkvp = 0, old_mkvp = 0;
 894                int minhwtype = ZCRYPT_CEX3C;
 895
 896                if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
 897                        cur_mkvp = *((u64 *) cur_mkvp);
 898                if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
 899                        old_mkvp = *((u64 *) alt_mkvp);
 900                if (ktype == PKEY_TYPE_CCA_CIPHER)
 901                        minhwtype = ZCRYPT_CEX6;
 902                rc = cca_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
 903                                   minhwtype, cur_mkvp, old_mkvp, 1);
 904                if (rc)
 905                        goto out;
 906        } else if (ktype == PKEY_TYPE_EP11) {
 907                u8 *wkvp = NULL;
 908
 909                if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
 910                        wkvp = cur_mkvp;
 911                rc = ep11_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
 912                                    ZCRYPT_CEX7, EP11_API_V, wkvp);
 913                if (rc)
 914                        goto out;
 915
 916        } else
 917                return -EINVAL;
 918
 919        if (apqns) {
 920                if (*nr_apqns < _nr_apqns)
 921                        rc = -ENOSPC;
 922                else
 923                        memcpy(apqns, _apqns, _nr_apqns * sizeof(u32));
 924        }
 925        *nr_apqns = _nr_apqns;
 926
 927out:
 928        kfree(_apqns);
 929        return rc;
 930}
 931
 932/*
 933 * File io functions
 934 */
 935
 936static void *_copy_key_from_user(void __user *ukey, size_t keylen)
 937{
 938        void *kkey;
 939
 940        if (!ukey || keylen < MINKEYBLOBSIZE || keylen > KEYBLOBBUFSIZE)
 941                return ERR_PTR(-EINVAL);
 942        kkey = kmalloc(keylen, GFP_KERNEL);
 943        if (!kkey)
 944                return ERR_PTR(-ENOMEM);
 945        if (copy_from_user(kkey, ukey, keylen)) {
 946                kfree(kkey);
 947                return ERR_PTR(-EFAULT);
 948        }
 949
 950        return kkey;
 951}
 952
 953static void *_copy_apqns_from_user(void __user *uapqns, size_t nr_apqns)
 954{
 955        void *kapqns = NULL;
 956        size_t nbytes;
 957
 958        if (uapqns && nr_apqns > 0) {
 959                nbytes = nr_apqns * sizeof(struct pkey_apqn);
 960                kapqns = kmalloc(nbytes, GFP_KERNEL);
 961                if (!kapqns)
 962                        return ERR_PTR(-ENOMEM);
 963                if (copy_from_user(kapqns, uapqns, nbytes))
 964                        return ERR_PTR(-EFAULT);
 965        }
 966
 967        return kapqns;
 968}
 969
 970static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
 971                                unsigned long arg)
 972{
 973        int rc;
 974
 975        switch (cmd) {
 976        case PKEY_GENSECK: {
 977                struct pkey_genseck __user *ugs = (void __user *) arg;
 978                struct pkey_genseck kgs;
 979
 980                if (copy_from_user(&kgs, ugs, sizeof(kgs)))
 981                        return -EFAULT;
 982                rc = cca_genseckey(kgs.cardnr, kgs.domain,
 983                                   kgs.keytype, kgs.seckey.seckey);
 984                DEBUG_DBG("%s cca_genseckey()=%d\n", __func__, rc);
 985                if (rc)
 986                        break;
 987                if (copy_to_user(ugs, &kgs, sizeof(kgs)))
 988                        return -EFAULT;
 989                break;
 990        }
 991        case PKEY_CLR2SECK: {
 992                struct pkey_clr2seck __user *ucs = (void __user *) arg;
 993                struct pkey_clr2seck kcs;
 994
 995                if (copy_from_user(&kcs, ucs, sizeof(kcs)))
 996                        return -EFAULT;
 997                rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype,
 998                                    kcs.clrkey.clrkey, kcs.seckey.seckey);
 999                DEBUG_DBG("%s cca_clr2seckey()=%d\n", __func__, rc);
1000                if (rc)

1001                        break;
1002                if (copy_to_user(ucs, &kcs, sizeof(kcs)))
1003                        return -EFAULT;
1004                memzero_explicit(&kcs, sizeof(kcs));
1005                break;
1006        }
1007        case PKEY_SEC2PROTK: {
1008                struct pkey_sec2protk __user *usp = (void __user *) arg;
1009                struct pkey_sec2protk ksp;
1010
1011                if (copy_from_user(&ksp, usp, sizeof(ksp)))
1012                        return -EFAULT;
1013                rc = cca_sec2protkey(ksp.cardnr, ksp.domain,
1014                                     ksp.seckey.seckey, ksp.protkey.protkey,
1015                                     &ksp.protkey.len, &ksp.protkey.type);
1016                DEBUG_DBG("%s cca_sec2protkey()=%d\n", __func__, rc);
1017                if (rc)
1018                        break;
1019                if (copy_to_user(usp, &ksp, sizeof(ksp)))
1020                        return -EFAULT;
1021                break;
1022        }
1023        case PKEY_CLR2PROTK: {
1024                struct pkey_clr2protk __user *ucp = (void __user *) arg;
1025                struct pkey_clr2protk kcp;
1026
1027                if (copy_from_user(&kcp, ucp, sizeof(kcp)))
1028                        return -EFAULT;
1029                rc = pkey_clr2protkey(kcp.keytype,
1030                                      &kcp.clrkey, &kcp.protkey);
1031                DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc);
1032                if (rc)
1033                        break;
1034                if (copy_to_user(ucp, &kcp, sizeof(kcp)))
1035                        return -EFAULT;
1036                memzero_explicit(&kcp, sizeof(kcp));
1037                break;
1038        }
1039        case PKEY_FINDCARD: {
1040                struct pkey_findcard __user *ufc = (void __user *) arg;
1041                struct pkey_findcard kfc;
1042
1043                if (copy_from_user(&kfc, ufc, sizeof(kfc)))
1044                        return -EFAULT;
1045                rc = cca_findcard(kfc.seckey.seckey,
1046                                  &kfc.cardnr, &kfc.domain, 1);
1047                DEBUG_DBG("%s cca_findcard()=%d\n", __func__, rc);
1048                if (rc < 0)
1049                        break;
1050                if (copy_to_user(ufc, &kfc, sizeof(kfc)))
1051                        return -EFAULT;
1052                break;
1053        }
1054        case PKEY_SKEY2PKEY: {
1055                struct pkey_skey2pkey __user *usp = (void __user *) arg;
1056                struct pkey_skey2pkey ksp;
1057
1058                if (copy_from_user(&ksp, usp, sizeof(ksp)))
1059                        return -EFAULT;
1060                rc = pkey_skey2pkey(ksp.seckey.seckey, &ksp.protkey);
1061                DEBUG_DBG("%s pkey_skey2pkey()=%d\n", __func__, rc);
1062                if (rc)
1063                        break;
1064                if (copy_to_user(usp, &ksp, sizeof(ksp)))
1065                        return -EFAULT;
1066                break;
1067        }
1068        case PKEY_VERIFYKEY: {
1069                struct pkey_verifykey __user *uvk = (void __user *) arg;
1070                struct pkey_verifykey kvk;
1071
1072                if (copy_from_user(&kvk, uvk, sizeof(kvk)))
1073                        return -EFAULT;
1074                rc = pkey_verifykey(&kvk.seckey, &kvk.cardnr, &kvk.domain,
1075                                    &kvk.keysize, &kvk.attributes);
1076                DEBUG_DBG("%s pkey_verifykey()=%d\n", __func__, rc);
1077                if (rc)
1078                        break;
1079                if (copy_to_user(uvk, &kvk, sizeof(kvk)))
1080                        return -EFAULT;
1081                break;
1082        }
1083        case PKEY_GENPROTK: {
1084                struct pkey_genprotk __user *ugp = (void __user *) arg;
1085                struct pkey_genprotk kgp;
1086
1087                if (copy_from_user(&kgp, ugp, sizeof(kgp)))
1088                        return -EFAULT;
1089                rc = pkey_genprotkey(kgp.keytype, &kgp.protkey);
1090                DEBUG_DBG("%s pkey_genprotkey()=%d\n", __func__, rc);
1091                if (rc)
1092                        break;
1093                if (copy_to_user(ugp, &kgp, sizeof(kgp)))
1094                        return -EFAULT;
1095                break;
1096        }
1097        case PKEY_VERIFYPROTK: {
1098                struct pkey_verifyprotk __user *uvp = (void __user *) arg;
1099                struct pkey_verifyprotk kvp;
1100
1101                if (copy_from_user(&kvp, uvp, sizeof(kvp)))
1102                        return -EFAULT;
1103                rc = pkey_verifyprotkey(&kvp.protkey);
1104                DEBUG_DBG("%s pkey_verifyprotkey()=%d\n", __func__, rc);
1105                break;
1106        }
1107        case PKEY_KBLOB2PROTK: {
1108                struct pkey_kblob2pkey __user *utp = (void __user *) arg;
1109                struct pkey_kblob2pkey ktp;
1110                u8 *kkey;
1111
1112                if (copy_from_user(&ktp, utp, sizeof(ktp)))
1113                        return -EFAULT;
1114                kkey = _copy_key_from_user(ktp.key, ktp.keylen);
1115                if (IS_ERR(kkey))
1116                        return PTR_ERR(kkey);
1117                rc = pkey_keyblob2pkey(kkey, ktp.keylen, &ktp.protkey);
1118                DEBUG_DBG("%s pkey_keyblob2pkey()=%d\n", __func__, rc);
1119                kfree(kkey);
1120                if (rc)
1121                        break;
1122                if (copy_to_user(utp, &ktp, sizeof(ktp)))
1123                        return -EFAULT;
1124                break;
1125        }
1126        case PKEY_GENSECK2: {
1127                struct pkey_genseck2 __user *ugs = (void __user *) arg;
1128                struct pkey_genseck2 kgs;
1129                struct pkey_apqn *apqns;
1130                size_t klen = KEYBLOBBUFSIZE;
1131                u8 *kkey;
1132
1133                if (copy_from_user(&kgs, ugs, sizeof(kgs)))
1134                        return -EFAULT;
1135                apqns = _copy_apqns_from_user(kgs.apqns, kgs.apqn_entries);
1136                if (IS_ERR(apqns))
1137                        return PTR_ERR(apqns);
1138                kkey = kmalloc(klen, GFP_KERNEL);
1139                if (!kkey) {
1140                        kfree(apqns);
1141                        return -ENOMEM;
1142                }
1143                rc = pkey_genseckey2(apqns, kgs.apqn_entries,
1144                                     kgs.type, kgs.size, kgs.keygenflags,
1145                                     kkey, &klen);
1146                DEBUG_DBG("%s pkey_genseckey2()=%d\n", __func__, rc);
1147                kfree(apqns);
1148                if (rc) {
1149                        kfree(kkey);
1150                        break;
1151                }
1152                if (kgs.key) {
1153                        if (kgs.keylen < klen) {
1154                                kfree(kkey);
1155                                return -EINVAL;
1156                        }
1157                        if (copy_to_user(kgs.key, kkey, klen)) {
1158                                kfree(kkey);
1159                                return -EFAULT;
1160                        }
1161                }
1162                kgs.keylen = klen;
1163                if (copy_to_user(ugs, &kgs, sizeof(kgs)))
1164                        rc = -EFAULT;
1165                kfree(kkey);
1166                break;
1167        }
1168        case PKEY_CLR2SECK2: {
1169                struct pkey_clr2seck2 __user *ucs = (void __user *) arg;
1170                struct pkey_clr2seck2 kcs;
1171                struct pkey_apqn *apqns;
1172                size_t klen = KEYBLOBBUFSIZE;
1173                u8 *kkey;
1174
1175                if (copy_from_user(&kcs, ucs, sizeof(kcs)))
1176                        return -EFAULT;
1177                apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries);
1178                if (IS_ERR(apqns))
1179                        return PTR_ERR(apqns);
1180                kkey = kmalloc(klen, GFP_KERNEL);
1181                if (!kkey) {
1182                        kfree(apqns);
1183                        return -ENOMEM;
1184                }
1185                rc = pkey_clr2seckey2(apqns, kcs.apqn_entries,
1186                                      kcs.type, kcs.size, kcs.keygenflags,
1187                                      kcs.clrkey.clrkey, kkey, &klen);
1188                DEBUG_DBG("%s pkey_clr2seckey2()=%d\n", __func__, rc);
1189                kfree(apqns);
1190                if (rc) {
1191                        kfree(kkey);
1192                        break;
1193                }
1194                if (kcs.key) {
1195                        if (kcs.keylen < klen) {
1196                                kfree(kkey);
1197                                return -EINVAL;
1198                        }
1199                        if (copy_to_user(kcs.key, kkey, klen)) {
1200                                kfree(kkey);
1201                                return -EFAULT;
1202                        }
1203                }
1204                kcs.keylen = klen;
1205                if (copy_to_user(ucs, &kcs, sizeof(kcs)))
1206                        rc = -EFAULT;
1207                memzero_explicit(&kcs, sizeof(kcs));
1208                kfree(kkey);
1209                break;
1210        }
1211        case PKEY_VERIFYKEY2: {
1212                struct pkey_verifykey2 __user *uvk = (void __user *) arg;
1213                struct pkey_verifykey2 kvk;
1214                u8 *kkey;
1215
1216                if (copy_from_user(&kvk, uvk, sizeof(kvk)))
1217                        return -EFAULT;
1218                kkey = _copy_key_from_user(kvk.key, kvk.keylen);
1219                if (IS_ERR(kkey))
1220                        return PTR_ERR(kkey);
1221                rc = pkey_verifykey2(kkey, kvk.keylen,
1222                                     &kvk.cardnr, &kvk.domain,
1223                                     &kvk.type, &kvk.size, &kvk.flags);
1224                DEBUG_DBG("%s pkey_verifykey2()=%d\n", __func__, rc);
1225                kfree(kkey);
1226                if (rc)
1227                        break;
1228                if (copy_to_user(uvk, &kvk, sizeof(kvk)))
1229                        return -EFAULT;
1230                break;
1231        }
1232        case PKEY_KBLOB2PROTK2: {
1233                struct pkey_kblob2pkey2 __user *utp = (void __user *) arg;
1234                struct pkey_kblob2pkey2 ktp;
1235                struct pkey_apqn *apqns = NULL;
1236                u8 *kkey;
1237
1238                if (copy_from_user(&ktp, utp, sizeof(ktp)))
1239                        return -EFAULT;
1240                apqns = _copy_apqns_from_user(ktp.apqns, ktp.apqn_entries);
1241                if (IS_ERR(apqns))
1242                        return PTR_ERR(apqns);
1243                kkey = _copy_key_from_user(ktp.key, ktp.keylen);
1244                if (IS_ERR(kkey)) {
1245                        kfree(apqns);
1246                        return PTR_ERR(kkey);
1247                }
1248                rc = pkey_keyblob2pkey2(apqns, ktp.apqn_entries,
1249                                        kkey, ktp.keylen, &ktp.protkey);
1250                DEBUG_DBG("%s pkey_keyblob2pkey2()=%d\n", __func__, rc);
1251                kfree(apqns);
1252                kfree(kkey);
1253                if (rc)
1254                        break;
1255                if (copy_to_user(utp, &ktp, sizeof(ktp)))
1256                        return -EFAULT;
1257                break;
1258        }
1259        case PKEY_APQNS4K: {
1260                struct pkey_apqns4key __user *uak = (void __user *) arg;
1261                struct pkey_apqns4key kak;
1262                struct pkey_apqn *apqns = NULL;
1263                size_t nr_apqns, len;
1264                u8 *kkey;
1265
1266                if (copy_from_user(&kak, uak, sizeof(kak)))
1267                        return -EFAULT;
1268                nr_apqns = kak.apqn_entries;
1269                if (nr_apqns) {
1270                        apqns = kmalloc_array(nr_apqns,
1271                                              sizeof(struct pkey_apqn),
1272                                              GFP_KERNEL);
1273                        if (!apqns)
1274                                return -ENOMEM;
1275                }
1276                kkey = _copy_key_from_user(kak.key, kak.keylen);
1277                if (IS_ERR(kkey)) {
1278                        kfree(apqns);
1279                        return PTR_ERR(kkey);
1280                }
1281                rc = pkey_apqns4key(kkey, kak.keylen, kak.flags,
1282                                    apqns, &nr_apqns);
1283                DEBUG_DBG("%s pkey_apqns4key()=%d\n", __func__, rc);
1284                kfree(kkey);
1285                if (rc && rc != -ENOSPC) {
1286                        kfree(apqns);
1287                        break;
1288                }
1289                if (!rc && kak.apqns) {
1290                        if (nr_apqns > kak.apqn_entries) {
1291                                kfree(apqns);
1292                                return -EINVAL;
1293                        }
1294                        len = nr_apqns * sizeof(struct pkey_apqn);
1295                        if (len) {
1296                                if (copy_to_user(kak.apqns, apqns, len)) {
1297                                        kfree(apqns);
1298                                        return -EFAULT;
1299                                }
1300                        }
1301                }
1302                kak.apqn_entries = nr_apqns;
1303                if (copy_to_user(uak, &kak, sizeof(kak)))
1304                        rc = -EFAULT;
1305                kfree(apqns);
1306                break;
1307        }
1308        case PKEY_APQNS4KT: {
1309                struct pkey_apqns4keytype __user *uat = (void __user *) arg;
1310                struct pkey_apqns4keytype kat;
1311                struct pkey_apqn *apqns = NULL;
1312                size_t nr_apqns, len;
1313
1314                if (copy_from_user(&kat, uat, sizeof(kat)))
1315                        return -EFAULT;
1316                nr_apqns = kat.apqn_entries;
1317                if (nr_apqns) {
1318                        apqns = kmalloc_array(nr_apqns,
1319                                              sizeof(struct pkey_apqn),
1320                                              GFP_KERNEL);
1321                        if (!apqns)
1322                                return -ENOMEM;
1323                }
1324                rc = pkey_apqns4keytype(kat.type, kat.cur_mkvp, kat.alt_mkvp,
1325                                        kat.flags, apqns, &nr_apqns);
1326                DEBUG_DBG("%s pkey_apqns4keytype()=%d\n", __func__, rc);
1327                if (rc && rc != -ENOSPC) {
1328                        kfree(apqns);
1329                        break;
1330                }
1331                if (!rc && kat.apqns) {
1332                        if (nr_apqns > kat.apqn_entries) {
1333                                kfree(apqns);
1334                                return -EINVAL;
1335                        }
1336                        len = nr_apqns * sizeof(struct pkey_apqn);
1337                        if (len) {
1338                                if (copy_to_user(kat.apqns, apqns, len)) {
1339                                        kfree(apqns);
1340                                        return -EFAULT;
1341                                }
1342                        }
1343                }
1344                kat.apqn_entries = nr_apqns;
1345                if (copy_to_user(uat, &kat, sizeof(kat)))
1346                        rc = -EFAULT;
1347                kfree(apqns);
1348                break;
1349        }
1350        default:
1351                /* unknown/unsupported ioctl cmd */
1352                return -ENOTTY;
1353        }
1354
1355        return rc;
1356}
1357
1358/*
1359 * Sysfs and file io operations
1360 */
1361
1362/*
1363 * Sysfs attribute read function for all protected key binary attributes.
1364 * The implementation can not deal with partial reads, because a new random
1365 * protected key blob is generated with each read. In case of partial reads
1366 * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1367 */
1368static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
1369                                          loff_t off, size_t count)
1370{
1371        struct protaeskeytoken protkeytoken;
1372        struct pkey_protkey protkey;
1373        int rc;
1374
1375        if (off != 0 || count < sizeof(protkeytoken))
1376                return -EINVAL;
1377        if (is_xts)
1378                if (count < 2 * sizeof(protkeytoken))
1379                        return -EINVAL;
1380
1381        memset(&protkeytoken, 0, sizeof(protkeytoken));
1382        protkeytoken.type = TOKTYPE_NON_CCA;
1383        protkeytoken.version = TOKVER_PROTECTED_KEY;
1384        protkeytoken.keytype = keytype;
1385
1386        rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
1387        if (rc)
1388                return rc;
1389
1390        protkeytoken.len = protkey.len;
1391        memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
1392
1393        memcpy(buf, &protkeytoken, sizeof(protkeytoken));
1394
1395        if (is_xts) {
1396                rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
1397                if (rc)
1398                        return rc;
1399
1400                protkeytoken.len = protkey.len;
1401                memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
1402
1403                memcpy(buf + sizeof(protkeytoken), &protkeytoken,
1404                       sizeof(protkeytoken));
1405
1406                return 2 * sizeof(protkeytoken);
1407        }
1408
1409        return sizeof(protkeytoken);
1410}
1411
1412static ssize_t protkey_aes_128_read(struct file *filp,
1413                                    struct kobject *kobj,
1414                                    struct bin_attribute *attr,
1415                                    char *buf, loff_t off,
1416                                    size_t count)
1417{
1418        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
1419                                          off, count);
1420}
1421
1422static ssize_t protkey_aes_192_read(struct file *filp,
1423                                    struct kobject *kobj,
1424                                    struct bin_attribute *attr,
1425                                    char *buf, loff_t off,
1426                                    size_t count)
1427{
1428        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
1429                                          off, count);
1430}
1431
1432static ssize_t protkey_aes_256_read(struct file *filp,
1433                                    struct kobject *kobj,
1434                                    struct bin_attribute *attr,
1435                                    char *buf, loff_t off,
1436                                    size_t count)
1437{
1438        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
1439                                          off, count);
1440}
1441
1442static ssize_t protkey_aes_128_xts_read(struct file *filp,
1443                                        struct kobject *kobj,
1444                                        struct bin_attribute *attr,
1445                                        char *buf, loff_t off,
1446                                        size_t count)
1447{
1448        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
1449                                          off, count);
1450}
1451
1452static ssize_t protkey_aes_256_xts_read(struct file *filp,
1453                                        struct kobject *kobj,
1454                                        struct bin_attribute *attr,
1455                                        char *buf, loff_t off,
1456                                        size_t count)
1457{
1458        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
1459                                          off, count);
1460}
1461
1462static BIN_ATTR_RO(protkey_aes_128, sizeof(struct protaeskeytoken));
1463static BIN_ATTR_RO(protkey_aes_192, sizeof(struct protaeskeytoken));
1464static BIN_ATTR_RO(protkey_aes_256, sizeof(struct protaeskeytoken));
1465static BIN_ATTR_RO(protkey_aes_128_xts, 2 * sizeof(struct protaeskeytoken));
1466static BIN_ATTR_RO(protkey_aes_256_xts, 2 * sizeof(struct protaeskeytoken));
1467
1468static struct bin_attribute *protkey_attrs[] = {
1469        &bin_attr_protkey_aes_128,
1470        &bin_attr_protkey_aes_192,
1471        &bin_attr_protkey_aes_256,
1472        &bin_attr_protkey_aes_128_xts,
1473        &bin_attr_protkey_aes_256_xts,
1474        NULL
1475};
1476
1477static struct attribute_group protkey_attr_group = {
1478        .name      = "protkey",
1479        .bin_attrs = protkey_attrs,
1480};
1481
1482/*
1483 * Sysfs attribute read function for all secure key ccadata binary attributes.
1484 * The implementation can not deal with partial reads, because a new random
1485 * protected key blob is generated with each read. In case of partial reads
1486 * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1487 */
1488static ssize_t pkey_ccadata_aes_attr_read(u32 keytype, bool is_xts, char *buf,
1489                                          loff_t off, size_t count)
1490{
1491        int rc;
1492        struct pkey_seckey *seckey = (struct pkey_seckey *) buf;
1493
1494        if (off != 0 || count < sizeof(struct secaeskeytoken))
1495                return -EINVAL;
1496        if (is_xts)
1497                if (count < 2 * sizeof(struct secaeskeytoken))
1498                        return -EINVAL;
1499
1500        rc = cca_genseckey(-1, -1, keytype, seckey->seckey);
1501        if (rc)
1502                return rc;
1503
1504        if (is_xts) {
1505                seckey++;
1506                rc = cca_genseckey(-1, -1, keytype, seckey->seckey);
1507                if (rc)
1508                        return rc;
1509
1510                return 2 * sizeof(struct secaeskeytoken);
1511        }
1512
1513        return sizeof(struct secaeskeytoken);
1514}
1515
1516static ssize_t ccadata_aes_128_read(struct file *filp,
1517                                    struct kobject *kobj,
1518                                    struct bin_attribute *attr,
1519                                    char *buf, loff_t off,
1520                                    size_t count)
1521{
1522        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
1523                                          off, count);
1524}
1525
1526static ssize_t ccadata_aes_192_read(struct file *filp,
1527                                    struct kobject *kobj,
1528                                    struct bin_attribute *attr,
1529                                    char *buf, loff_t off,
1530                                    size_t count)
1531{
1532        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
1533                                          off, count);
1534}
1535
1536static ssize_t ccadata_aes_256_read(struct file *filp,
1537                                    struct kobject *kobj,
1538                                    struct bin_attribute *attr,
1539                                    char *buf, loff_t off,
1540                                    size_t count)
1541{
1542        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
1543                                          off, count);
1544}
1545
1546static ssize_t ccadata_aes_128_xts_read(struct file *filp,
1547                                        struct kobject *kobj,
1548                                        struct bin_attribute *attr,
1549                                        char *buf, loff_t off,
1550                                        size_t count)
1551{
1552        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
1553                                          off, count);
1554}
1555
1556static ssize_t ccadata_aes_256_xts_read(struct file *filp,
1557                                        struct kobject *kobj,
1558                                        struct bin_attribute *attr,
1559                                        char *buf, loff_t off,
1560                                        size_t count)
1561{
1562        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
1563                                          off, count);
1564}
1565
1566static BIN_ATTR_RO(ccadata_aes_128, sizeof(struct secaeskeytoken));
1567static BIN_ATTR_RO(ccadata_aes_192, sizeof(struct secaeskeytoken));
1568static BIN_ATTR_RO(ccadata_aes_256, sizeof(struct secaeskeytoken));
1569static BIN_ATTR_RO(ccadata_aes_128_xts, 2 * sizeof(struct secaeskeytoken));
1570static BIN_ATTR_RO(ccadata_aes_256_xts, 2 * sizeof(struct secaeskeytoken));
1571
1572static struct bin_attribute *ccadata_attrs[] = {
1573        &bin_attr_ccadata_aes_128,
1574        &bin_attr_ccadata_aes_192,
1575        &bin_attr_ccadata_aes_256,
1576        &bin_attr_ccadata_aes_128_xts,
1577        &bin_attr_ccadata_aes_256_xts,
1578        NULL
1579};
1580
1581static struct attribute_group ccadata_attr_group = {
1582        .name      = "ccadata",
1583        .bin_attrs = ccadata_attrs,
1584};
1585
1586#define CCACIPHERTOKENSIZE      (sizeof(struct cipherkeytoken) + 80)
1587
1588/*
1589 * Sysfs attribute read function for all secure key ccacipher binary attributes.
1590 * The implementation can not deal with partial reads, because a new random
1591 * secure key blob is generated with each read. In case of partial reads
1592 * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1593 */
1594static ssize_t pkey_ccacipher_aes_attr_read(enum pkey_key_size keybits,
1595                                            bool is_xts, char *buf, loff_t off,
1596                                            size_t count)
1597{
1598        int i, rc, card, dom;
1599        u32 nr_apqns, *apqns = NULL;
1600        size_t keysize = CCACIPHERTOKENSIZE;
1601
1602        if (off != 0 || count < CCACIPHERTOKENSIZE)
1603                return -EINVAL;
1604        if (is_xts)
1605                if (count < 2 * CCACIPHERTOKENSIZE)
1606                        return -EINVAL;
1607
1608        /* build a list of apqns able to generate an cipher key */
1609        rc = cca_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
1610                           ZCRYPT_CEX6, 0, 0, 0);
1611        if (rc)
1612                return rc;
1613
1614        memset(buf, 0, is_xts ? 2 * keysize : keysize);
1615
1616        /* simple try all apqns from the list */
1617        for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
1618                card = apqns[i] >> 16;
1619                dom = apqns[i] & 0xFFFF;
1620                rc = cca_gencipherkey(card, dom, keybits, 0, buf, &keysize);
1621                if (rc == 0)
1622                        break;
1623        }
1624                if (rc)
1625                        return rc;
1626
1627        if (is_xts) {
1628                keysize = CCACIPHERTOKENSIZE;
1629                buf += CCACIPHERTOKENSIZE;
1630                rc = cca_gencipherkey(card, dom, keybits, 0, buf, &keysize);
1631                if (rc == 0)
1632                        return 2 * CCACIPHERTOKENSIZE;
1633        }
1634
1635        return CCACIPHERTOKENSIZE;
1636}
1637
1638static ssize_t ccacipher_aes_128_read(struct file *filp,
1639                                      struct kobject *kobj,
1640                                      struct bin_attribute *attr,
1641                                      char *buf, loff_t off,
1642                                      size_t count)
1643{
1644        return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_128, false, buf,
1645                                            off, count);
1646}
1647
1648static ssize_t ccacipher_aes_192_read(struct file *filp,
1649                                      struct kobject *kobj,
1650                                      struct bin_attribute *attr,
1651                                      char *buf, loff_t off,
1652                                      size_t count)
1653{
1654        return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_192, false, buf,
1655                                            off, count);
1656}
1657
1658static ssize_t ccacipher_aes_256_read(struct file *filp,
1659                                      struct kobject *kobj,
1660                                      struct bin_attribute *attr,
1661                                      char *buf, loff_t off,
1662                                      size_t count)
1663{
1664        return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_256, false, buf,
1665                                            off, count);
1666}
1667
1668static ssize_t ccacipher_aes_128_xts_read(struct file *filp,
1669                                          struct kobject *kobj,
1670                                          struct bin_attribute *attr,
1671                                          char *buf, loff_t off,
1672                                          size_t count)
1673{
1674        return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_128, true, buf,
1675                                            off, count);
1676}
1677
1678static ssize_t ccacipher_aes_256_xts_read(struct file *filp,
1679                                          struct kobject *kobj,
1680                                          struct bin_attribute *attr,
1681                                          char *buf, loff_t off,
1682                                          size_t count)
1683{
1684        return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_256, true, buf,
1685                                            off, count);
1686}
1687
1688static BIN_ATTR_RO(ccacipher_aes_128, CCACIPHERTOKENSIZE);
1689static BIN_ATTR_RO(ccacipher_aes_192, CCACIPHERTOKENSIZE);
1690static BIN_ATTR_RO(ccacipher_aes_256, CCACIPHERTOKENSIZE);
1691static BIN_ATTR_RO(ccacipher_aes_128_xts, 2 * CCACIPHERTOKENSIZE);
1692static BIN_ATTR_RO(ccacipher_aes_256_xts, 2 * CCACIPHERTOKENSIZE);
1693
1694static struct bin_attribute *ccacipher_attrs[] = {
1695        &bin_attr_ccacipher_aes_128,
1696        &bin_attr_ccacipher_aes_192,
1697        &bin_attr_ccacipher_aes_256,
1698        &bin_attr_ccacipher_aes_128_xts,
1699        &bin_attr_ccacipher_aes_256_xts,
1700        NULL
1701};
1702
1703static struct attribute_group ccacipher_attr_group = {
1704        .name      = "ccacipher",
1705        .bin_attrs = ccacipher_attrs,
1706};
1707
1708/*
1709 * Sysfs attribute read function for all ep11 aes key binary attributes.
1710 * The implementation can not deal with partial reads, because a new random
1711 * secure key blob is generated with each read. In case of partial reads
1712 * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1713 * This function and the sysfs attributes using it provide EP11 key blobs
1714 * padded to the upper limit of MAXEP11AESKEYBLOBSIZE which is currently
1715 * 320 bytes.
1716 */
1717static ssize_t pkey_ep11_aes_attr_read(enum pkey_key_size keybits,
1718                                       bool is_xts, char *buf, loff_t off,
1719                                       size_t count)
1720{
1721        int i, rc, card, dom;
1722        u32 nr_apqns, *apqns = NULL;
1723        size_t keysize = MAXEP11AESKEYBLOBSIZE;
1724
1725        if (off != 0 || count < MAXEP11AESKEYBLOBSIZE)
1726                return -EINVAL;
1727        if (is_xts)
1728                if (count < 2 * MAXEP11AESKEYBLOBSIZE)
1729                        return -EINVAL;
1730
1731        /* build a list of apqns able to generate an cipher key */
1732        rc = ep11_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
1733                            ZCRYPT_CEX7, EP11_API_V, NULL);
1734        if (rc)
1735                return rc;
1736
1737        memset(buf, 0, is_xts ? 2 * keysize : keysize);
1738
1739        /* simple try all apqns from the list */
1740        for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
1741                card = apqns[i] >> 16;
1742                dom = apqns[i] & 0xFFFF;
1743                rc = ep11_genaeskey(card, dom, keybits, 0, buf, &keysize);
1744                if (rc == 0)
1745                        break;
1746        }
1747        if (rc)
1748                return rc;
1749
1750        if (is_xts) {
1751                keysize = MAXEP11AESKEYBLOBSIZE;
1752                buf += MAXEP11AESKEYBLOBSIZE;
1753                rc = ep11_genaeskey(card, dom, keybits, 0, buf, &keysize);
1754                if (rc == 0)
1755                        return 2 * MAXEP11AESKEYBLOBSIZE;
1756        }
1757
1758        return MAXEP11AESKEYBLOBSIZE;
1759}
1760
1761static ssize_t ep11_aes_128_read(struct file *filp,
1762                                 struct kobject *kobj,
1763                                 struct bin_attribute *attr,
1764                                 char *buf, loff_t off,
1765                                 size_t count)
1766{
1767        return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_128, false, buf,
1768                                       off, count);
1769}
1770
1771static ssize_t ep11_aes_192_read(struct file *filp,
1772                                 struct kobject *kobj,
1773                                 struct bin_attribute *attr,
1774                                 char *buf, loff_t off,
1775                                 size_t count)
1776{
1777        return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_192, false, buf,
1778                                       off, count);
1779}
1780
1781static ssize_t ep11_aes_256_read(struct file *filp,
1782                                 struct kobject *kobj,
1783                                 struct bin_attribute *attr,
1784                                 char *buf, loff_t off,
1785                                 size_t count)
1786{
1787        return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_256, false, buf,
1788                                       off, count);
1789}
1790
1791static ssize_t ep11_aes_128_xts_read(struct file *filp,
1792                                     struct kobject *kobj,
1793                                     struct bin_attribute *attr,
1794                                     char *buf, loff_t off,
1795                                     size_t count)
1796{
1797        return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_128, true, buf,
1798                                       off, count);
1799}
1800
1801static ssize_t ep11_aes_256_xts_read(struct file *filp,
1802                                     struct kobject *kobj,
1803                                     struct bin_attribute *attr,
1804                                     char *buf, loff_t off,
1805                                     size_t count)
1806{
1807        return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_256, true, buf,
1808                                       off, count);
1809}
1810
1811static BIN_ATTR_RO(ep11_aes_128, MAXEP11AESKEYBLOBSIZE);
1812static BIN_ATTR_RO(ep11_aes_192, MAXEP11AESKEYBLOBSIZE);
1813static BIN_ATTR_RO(ep11_aes_256, MAXEP11AESKEYBLOBSIZE);
1814static BIN_ATTR_RO(ep11_aes_128_xts, 2 * MAXEP11AESKEYBLOBSIZE);
1815static BIN_ATTR_RO(ep11_aes_256_xts, 2 * MAXEP11AESKEYBLOBSIZE);
1816
1817static struct bin_attribute *ep11_attrs[] = {
1818        &bin_attr_ep11_aes_128,
1819        &bin_attr_ep11_aes_192,
1820        &bin_attr_ep11_aes_256,
1821        &bin_attr_ep11_aes_128_xts,
1822        &bin_attr_ep11_aes_256_xts,
1823        NULL
1824};
1825
1826static struct attribute_group ep11_attr_group = {
1827        .name      = "ep11",
1828        .bin_attrs = ep11_attrs,
1829};
1830
1831static const struct attribute_group *pkey_attr_groups[] = {
1832        &protkey_attr_group,
1833        &ccadata_attr_group,
1834        &ccacipher_attr_group,
1835        &ep11_attr_group,
1836        NULL,
1837};
1838
1839static const struct file_operations pkey_fops = {
1840        .owner          = THIS_MODULE,
1841        .open           = nonseekable_open,
1842        .llseek         = no_llseek,
1843        .unlocked_ioctl = pkey_unlocked_ioctl,
1844};
1845
1846static struct miscdevice pkey_dev = {
1847        .name   = "pkey",
1848        .minor  = MISC_DYNAMIC_MINOR,
1849        .mode   = 0666,
1850        .fops   = &pkey_fops,
1851        .groups = pkey_attr_groups,
1852};
1853
1854/*
1855 * Module init
1856 */
1857static int __init pkey_init(void)
1858{
1859        cpacf_mask_t kmc_functions;
1860
1861        /*
1862         * The pckmo instruction should be available - even if we don't
1863         * actually invoke it. This instruction comes with MSA 3 which
1864         * is also the minimum level for the kmc instructions which
1865         * are able to work with protected keys.
1866         */
1867        if (!cpacf_query(CPACF_PCKMO, &pckmo_functions))
1868                return -ENODEV;
1869
1870        /* check for kmc instructions available */
1871        if (!cpacf_query(CPACF_KMC, &kmc_functions))
1872                return -ENODEV;
1873        if (!cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_128) ||
1874            !cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_192) ||
1875            !cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_256))
1876                return -ENODEV;
1877
1878        pkey_debug_init();
1879
1880        return misc_register(&pkey_dev);
1881}
1882
1883/*
1884 * Module exit
1885 */
1886static void __exit pkey_exit(void)
1887{
1888        misc_deregister(&pkey_dev);
1889        pkey_debug_exit();
1890}
1891
1892module_cpu_feature_match(MSA, pkey_init);
1893module_exit(pkey_exit);
1894