1
2
3
4
5
6
7
8
9#define KMSG_COMPONENT "pkey"
10#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
11
12#include <linux/fs.h>
13#include <linux/init.h>
14#include <linux/miscdevice.h>
15#include <linux/module.h>
16#include <linux/slab.h>
17#include <linux/kallsyms.h>
18#include <linux/debugfs.h>
19#include <linux/random.h>
20#include <linux/cpufeature.h>
21#include <asm/zcrypt.h>
22#include <asm/cpacf.h>
23#include <asm/pkey.h>
24#include <crypto/aes.h>
25
26#include "zcrypt_api.h"
27
28MODULE_LICENSE("GPL");
29MODULE_AUTHOR("IBM Corporation");
30MODULE_DESCRIPTION("s390 protected key interface");
31
32
33#define PARMBSIZE 512
34
35
36#define VARDATASIZE 4096
37
38
39static cpacf_mask_t pckmo_functions;
40
41
42
43
44
45static debug_info_t *debug_info;
46
47#define DEBUG_DBG(...) debug_sprintf_event(debug_info, 6, ##__VA_ARGS__)
48#define DEBUG_INFO(...) debug_sprintf_event(debug_info, 5, ##__VA_ARGS__)
49#define DEBUG_WARN(...) debug_sprintf_event(debug_info, 4, ##__VA_ARGS__)
50#define DEBUG_ERR(...) debug_sprintf_event(debug_info, 3, ##__VA_ARGS__)
51
52static void __init pkey_debug_init(void)
53{
54
55 debug_info = debug_register("pkey", 1, 1, 5 * sizeof(long));
56 debug_register_view(debug_info, &debug_sprintf_view);
57 debug_set_level(debug_info, 3);
58}
59
60static void __exit pkey_debug_exit(void)
61{
62 debug_unregister(debug_info);
63}
64
65
66#define TOKTYPE_NON_CCA 0x00
67#define TOKTYPE_CCA_INTERNAL 0x01
68
69
70#define TOKVER_PROTECTED_KEY 0x01
71
72
73#define TOKVER_CCA_AES 0x04
74
75
76struct keytoken_header {
77 u8 type;
78 u8 res0[3];
79 u8 version;
80 u8 res1[3];
81} __packed;
82
83
84struct secaeskeytoken {
85 u8 type;
86 u8 res0[3];
87 u8 version;
88 u8 res1[1];
89 u8 flag;
90 u8 res2[1];
91 u64 mkvp;
92 u8 key[32];
93 u8 cv[8];
94 u16 bitsize;
95 u16 keysize;
96 u8 tvv[4];
97} __packed;
98
99
100struct protaeskeytoken {
101 u8 type;
102 u8 res0[3];
103 u8 version;
104 u8 res1[3];
105 u32 keytype;
106 u32 len;
107 u8 protkey[MAXPROTKEYSIZE];
108} __packed;
109
110
111
112
113
114
115static int check_secaeskeytoken(const u8 *token, int keybitsize)
116{
117 struct secaeskeytoken *t = (struct secaeskeytoken *) token;
118
119 if (t->type != TOKTYPE_CCA_INTERNAL) {
120 DEBUG_ERR(
121 "%s secure token check failed, type mismatch 0x%02x != 0x%02x\n",
122 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
123 return -EINVAL;
124 }
125 if (t->version != TOKVER_CCA_AES) {
126 DEBUG_ERR(
127 "%s secure token check failed, version mismatch 0x%02x != 0x%02x\n",
128 __func__, (int) t->version, TOKVER_CCA_AES);
129 return -EINVAL;
130 }
131 if (keybitsize > 0 && t->bitsize != keybitsize) {
132 DEBUG_ERR(
133 "%s secure token check failed, bitsize mismatch %d != %d\n",
134 __func__, (int) t->bitsize, keybitsize);
135 return -EINVAL;
136 }
137
138 return 0;
139}
140
141
142
143
144
145
146
147static int alloc_and_prep_cprbmem(size_t paramblen,
148 u8 **pcprbmem,
149 struct CPRBX **preqCPRB,
150 struct CPRBX **prepCPRB)
151{
152 u8 *cprbmem;
153 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
154 struct CPRBX *preqcblk, *prepcblk;
155
156
157
158
159
160 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
161 if (!cprbmem)
162 return -ENOMEM;
163
164 preqcblk = (struct CPRBX *) cprbmem;
165 prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen);
166
167
168 preqcblk->cprb_len = sizeof(struct CPRBX);
169 preqcblk->cprb_ver_id = 0x02;
170 memcpy(preqcblk->func_id, "T2", 2);
171 preqcblk->rpl_msgbl = cprbplusparamblen;
172 if (paramblen) {
173 preqcblk->req_parmb =
174 ((u8 *) preqcblk) + sizeof(struct CPRBX);
175 preqcblk->rpl_parmb =
176 ((u8 *) prepcblk) + sizeof(struct CPRBX);
177 }
178
179 *pcprbmem = cprbmem;
180 *preqCPRB = preqcblk;
181 *prepCPRB = prepcblk;
182
183 return 0;
184}
185
186
187
188
189
190
191
192static void free_cprbmem(void *mem, size_t paramblen, int scrub)
193{
194 if (scrub)
195 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
196 kfree(mem);
197}
198
199
200
201
202static inline void prep_xcrb(struct ica_xcRB *pxcrb,
203 u16 cardnr,
204 struct CPRBX *preqcblk,
205 struct CPRBX *prepcblk)
206{
207 memset(pxcrb, 0, sizeof(*pxcrb));
208 pxcrb->agent_ID = 0x4341;
209 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
210 pxcrb->request_control_blk_length =
211 preqcblk->cprb_len + preqcblk->req_parml;
212 pxcrb->request_control_blk_addr = (void __user *) preqcblk;
213 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
214 pxcrb->reply_control_blk_addr = (void __user *) prepcblk;
215}
216
217
218
219
220
221
222
223static inline int _zcrypt_send_cprb(struct ica_xcRB *xcrb)
224{
225 int rc;
226 mm_segment_t old_fs = get_fs();
227
228 set_fs(KERNEL_DS);
229 rc = zcrypt_send_cprb(xcrb);
230 set_fs(old_fs);
231
232 return rc;
233}
234
235
236
237
238int pkey_genseckey(u16 cardnr, u16 domain,
239 u32 keytype, struct pkey_seckey *seckey)
240{
241 int i, rc, keysize;
242 int seckeysize;
243 u8 *mem;
244 struct CPRBX *preqcblk, *prepcblk;
245 struct ica_xcRB xcrb;
246 struct kgreqparm {
247 u8 subfunc_code[2];
248 u16 rule_array_len;
249 struct lv1 {
250 u16 len;
251 char key_form[8];
252 char key_length[8];
253 char key_type1[8];
254 char key_type2[8];
255 } lv1;
256 struct lv2 {
257 u16 len;
258 struct keyid {
259 u16 len;
260 u16 attr;
261 u8 data[SECKEYBLOBSIZE];
262 } keyid[6];
263 } lv2;
264 } *preqparm;
265 struct kgrepparm {
266 u8 subfunc_code[2];
267 u16 rule_array_len;
268 struct lv3 {
269 u16 len;
270 u16 keyblocklen;
271 struct {
272 u16 toklen;
273 u16 tokattr;
274 u8 tok[0];
275
276 } keyblock;
277 } lv3;
278 } *prepparm;
279
280
281 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
282 if (rc)
283 return rc;
284
285
286 preqcblk->domain = domain;
287
288
289 preqparm = (struct kgreqparm *) preqcblk->req_parmb;
290 memcpy(preqparm->subfunc_code, "KG", 2);
291 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
292 preqparm->lv1.len = sizeof(struct lv1);
293 memcpy(preqparm->lv1.key_form, "OP ", 8);
294 switch (keytype) {
295 case PKEY_KEYTYPE_AES_128:
296 keysize = 16;
297 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
298 break;
299 case PKEY_KEYTYPE_AES_192:
300 keysize = 24;
301 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
302 break;
303 case PKEY_KEYTYPE_AES_256:
304 keysize = 32;
305 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
306 break;
307 default:
308 DEBUG_ERR(
309 "%s unknown/unsupported keytype %d\n",
310 __func__, keytype);
311 rc = -EINVAL;
312 goto out;
313 }
314 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
315 preqparm->lv2.len = sizeof(struct lv2);
316 for (i = 0; i < 6; i++) {
317 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
318 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
319 }
320 preqcblk->req_parml = sizeof(struct kgreqparm);
321
322
323 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
324
325
326 rc = _zcrypt_send_cprb(&xcrb);
327 if (rc) {
328 DEBUG_ERR(
329 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n",
330 __func__, (int) cardnr, (int) domain, rc);
331 goto out;
332 }
333
334
335 if (prepcblk->ccp_rtcode != 0) {
336 DEBUG_ERR(
337 "%s secure key generate failure, card response %d/%d\n",
338 __func__,
339 (int) prepcblk->ccp_rtcode,
340 (int) prepcblk->ccp_rscode);
341 rc = -EIO;
342 goto out;
343 }
344
345
346 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
347 prepparm = (struct kgrepparm *) prepcblk->rpl_parmb;
348
349
350 seckeysize = prepparm->lv3.keyblock.toklen
351 - sizeof(prepparm->lv3.keyblock.toklen)
352 - sizeof(prepparm->lv3.keyblock.tokattr);
353 if (seckeysize != SECKEYBLOBSIZE) {
354 DEBUG_ERR(
355 "%s secure token size mismatch %d != %d bytes\n",
356 __func__, seckeysize, SECKEYBLOBSIZE);
357 rc = -EIO;
358 goto out;
359 }
360
361
362 rc = check_secaeskeytoken(prepparm->lv3.keyblock.tok, 8*keysize);
363 if (rc) {
364 rc = -EIO;
365 goto out;
366 }
367
368
369 memcpy(seckey->seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
370
371out:
372 free_cprbmem(mem, PARMBSIZE, 0);
373 return rc;
374}
375EXPORT_SYMBOL(pkey_genseckey);
376
377
378
379
380int pkey_clr2seckey(u16 cardnr, u16 domain, u32 keytype,
381 const struct pkey_clrkey *clrkey,
382 struct pkey_seckey *seckey)
383{
384 int rc, keysize, seckeysize;
385 u8 *mem;
386 struct CPRBX *preqcblk, *prepcblk;
387 struct ica_xcRB xcrb;
388 struct cmreqparm {
389 u8 subfunc_code[2];
390 u16 rule_array_len;
391 char rule_array[8];
392 struct lv1 {
393 u16 len;
394 u8 clrkey[0];
395 } lv1;
396 struct lv2 {
397 u16 len;
398 struct keyid {
399 u16 len;
400 u16 attr;
401 u8 data[SECKEYBLOBSIZE];
402 } keyid;
403 } lv2;
404 } *preqparm;
405 struct lv2 *plv2;
406 struct cmrepparm {
407 u8 subfunc_code[2];
408 u16 rule_array_len;
409 struct lv3 {
410 u16 len;
411 u16 keyblocklen;
412 struct {
413 u16 toklen;
414 u16 tokattr;
415 u8 tok[0];
416
417 } keyblock;
418 } lv3;
419 } *prepparm;
420
421
422 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
423 if (rc)
424 return rc;
425
426
427 preqcblk->domain = domain;
428
429
430 preqparm = (struct cmreqparm *) preqcblk->req_parmb;
431 memcpy(preqparm->subfunc_code, "CM", 2);
432 memcpy(preqparm->rule_array, "AES ", 8);
433 preqparm->rule_array_len =
434 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
435 switch (keytype) {
436 case PKEY_KEYTYPE_AES_128:
437 keysize = 16;
438 break;
439 case PKEY_KEYTYPE_AES_192:
440 keysize = 24;
441 break;
442 case PKEY_KEYTYPE_AES_256:
443 keysize = 32;
444 break;
445 default:
446 DEBUG_ERR(
447 "%s unknown/unsupported keytype %d\n",
448 __func__, keytype);
449 rc = -EINVAL;
450 goto out;
451 }
452 preqparm->lv1.len = sizeof(struct lv1) + keysize;
453 memcpy(preqparm->lv1.clrkey, clrkey->clrkey, keysize);
454 plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize);
455 plv2->len = sizeof(struct lv2);
456 plv2->keyid.len = sizeof(struct keyid);
457 plv2->keyid.attr = 0x30;
458 preqcblk->req_parml = sizeof(struct cmreqparm) + keysize;
459
460
461 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
462
463
464 rc = _zcrypt_send_cprb(&xcrb);
465 if (rc) {
466 DEBUG_ERR(
467 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n",
468 __func__, (int) cardnr, (int) domain, rc);
469 goto out;
470 }
471
472
473 if (prepcblk->ccp_rtcode != 0) {
474 DEBUG_ERR(
475 "%s clear key import failure, card response %d/%d\n",
476 __func__,
477 (int) prepcblk->ccp_rtcode,
478 (int) prepcblk->ccp_rscode);
479 rc = -EIO;
480 goto out;
481 }
482
483
484 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
485 prepparm = (struct cmrepparm *) prepcblk->rpl_parmb;
486
487
488 seckeysize = prepparm->lv3.keyblock.toklen
489 - sizeof(prepparm->lv3.keyblock.toklen)
490 - sizeof(prepparm->lv3.keyblock.tokattr);
491 if (seckeysize != SECKEYBLOBSIZE) {
492 DEBUG_ERR(
493 "%s secure token size mismatch %d != %d bytes\n",
494 __func__, seckeysize, SECKEYBLOBSIZE);
495 rc = -EIO;
496 goto out;
497 }
498
499
500 rc = check_secaeskeytoken(prepparm->lv3.keyblock.tok, 8*keysize);
501 if (rc) {
502 rc = -EIO;
503 goto out;
504 }
505
506
507 memcpy(seckey->seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
508
509out:
510 free_cprbmem(mem, PARMBSIZE, 1);
511 return rc;
512}
513EXPORT_SYMBOL(pkey_clr2seckey);
514
515
516
517
518int pkey_sec2protkey(u16 cardnr, u16 domain,
519 const struct pkey_seckey *seckey,
520 struct pkey_protkey *protkey)
521{
522 int rc;
523 u8 *mem;
524 struct CPRBX *preqcblk, *prepcblk;
525 struct ica_xcRB xcrb;
526 struct uskreqparm {
527 u8 subfunc_code[2];
528 u16 rule_array_len;
529 struct lv1 {
530 u16 len;
531 u16 attr_len;
532 u16 attr_flags;
533 } lv1;
534 struct lv2 {
535 u16 len;
536 u16 attr_len;
537 u16 attr_flags;
538 u8 token[0];
539 } lv2 __packed;
540 } *preqparm;
541 struct uskrepparm {
542 u8 subfunc_code[2];
543 u16 rule_array_len;
544 struct lv3 {
545 u16 len;
546 u16 attr_len;
547 u16 attr_flags;
548 struct cpacfkeyblock {
549 u8 version;
550 u8 flags[2];
551 u8 algo;
552 u8 form;
553 u8 pad1[3];
554 u16 keylen;
555 u8 key[64];
556 u16 keyattrlen;
557 u8 keyattr[32];
558 u8 pad2[1];
559 u8 vptype;
560 u8 vp[32];
561 } keyblock;
562 } lv3 __packed;
563 } *prepparm;
564
565
566 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
567 if (rc)
568 return rc;
569
570
571 preqcblk->domain = domain;
572
573
574 preqparm = (struct uskreqparm *) preqcblk->req_parmb;
575 memcpy(preqparm->subfunc_code, "US", 2);
576 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
577 preqparm->lv1.len = sizeof(struct lv1);
578 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
579 preqparm->lv1.attr_flags = 0x0001;
580 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
581 preqparm->lv2.attr_len = sizeof(struct lv2)
582 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
583 preqparm->lv2.attr_flags = 0x0000;
584 memcpy(preqparm->lv2.token, seckey->seckey, SECKEYBLOBSIZE);
585 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
586
587
588 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
589
590
591 rc = _zcrypt_send_cprb(&xcrb);
592 if (rc) {
593 DEBUG_ERR(
594 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n",
595 __func__, (int) cardnr, (int) domain, rc);
596 goto out;
597 }
598
599
600 if (prepcblk->ccp_rtcode != 0) {
601 DEBUG_ERR(
602 "%s unwrap secure key failure, card response %d/%d\n",
603 __func__,
604 (int) prepcblk->ccp_rtcode,
605 (int) prepcblk->ccp_rscode);
606 rc = -EIO;
607 goto out;
608 }
609 if (prepcblk->ccp_rscode != 0) {
610 DEBUG_WARN(
611 "%s unwrap secure key warning, card response %d/%d\n",
612 __func__,
613 (int) prepcblk->ccp_rtcode,
614 (int) prepcblk->ccp_rscode);
615 }
616
617
618 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
619 prepparm = (struct uskrepparm *) prepcblk->rpl_parmb;
620
621
622 if (prepparm->lv3.keyblock.version != 0x01) {
623 DEBUG_ERR(
624 "%s reply param keyblock version mismatch 0x%02x != 0x01\n",
625 __func__, (int) prepparm->lv3.keyblock.version);
626 rc = -EIO;
627 goto out;
628 }
629
630
631 switch (prepparm->lv3.keyblock.keylen) {
632 case 16+32:
633 protkey->type = PKEY_KEYTYPE_AES_128;
634 break;
635 case 24+32:
636 protkey->type = PKEY_KEYTYPE_AES_192;
637 break;
638 case 32+32:
639 protkey->type = PKEY_KEYTYPE_AES_256;
640 break;
641 default:
642 DEBUG_ERR("%s unknown/unsupported keytype %d\n",
643 __func__, prepparm->lv3.keyblock.keylen);
644 rc = -EIO;
645 goto out;
646 }
647 protkey->len = prepparm->lv3.keyblock.keylen;
648 memcpy(protkey->protkey, prepparm->lv3.keyblock.key, protkey->len);
649
650out:
651 free_cprbmem(mem, PARMBSIZE, 0);
652 return rc;
653}
654EXPORT_SYMBOL(pkey_sec2protkey);
655
656
657
658
659int pkey_clr2protkey(u32 keytype,
660 const struct pkey_clrkey *clrkey,
661 struct pkey_protkey *protkey)
662{
663 long fc;
664 int keysize;
665 u8 paramblock[64];
666
667 switch (keytype) {
668 case PKEY_KEYTYPE_AES_128:
669 keysize = 16;
670 fc = CPACF_PCKMO_ENC_AES_128_KEY;
671 break;
672 case PKEY_KEYTYPE_AES_192:
673 keysize = 24;
674 fc = CPACF_PCKMO_ENC_AES_192_KEY;
675 break;
676 case PKEY_KEYTYPE_AES_256:
677 keysize = 32;
678 fc = CPACF_PCKMO_ENC_AES_256_KEY;
679 break;
680 default:
681 DEBUG_ERR("%s unknown/unsupported keytype %d\n",
682 __func__, keytype);
683 return -EINVAL;
684 }
685
686
687
688
689
690
691 if (!cpacf_test_func(&pckmo_functions, fc)) {
692 DEBUG_ERR("%s pckmo functions not available\n", __func__);
693 return -ENODEV;
694 }
695
696
697 memset(paramblock, 0, sizeof(paramblock));
698 memcpy(paramblock, clrkey->clrkey, keysize);
699
700
701 cpacf_pckmo(fc, paramblock);
702
703
704 protkey->type = keytype;
705 protkey->len = keysize + 32;
706 memcpy(protkey->protkey, paramblock, keysize + 32);
707
708 return 0;
709}
710EXPORT_SYMBOL(pkey_clr2protkey);
711
712
713
714
715static int query_crypto_facility(u16 cardnr, u16 domain,
716 const char *keyword,
717 u8 *rarray, size_t *rarraylen,
718 u8 *varray, size_t *varraylen)
719{
720 int rc;
721 u16 len;
722 u8 *mem, *ptr;
723 struct CPRBX *preqcblk, *prepcblk;
724 struct ica_xcRB xcrb;
725 struct fqreqparm {
726 u8 subfunc_code[2];
727 u16 rule_array_len;
728 char rule_array[8];
729 struct lv1 {
730 u16 len;
731 u8 data[VARDATASIZE];
732 } lv1;
733 u16 dummylen;
734 } *preqparm;
735 size_t parmbsize = sizeof(struct fqreqparm);
736 struct fqrepparm {
737 u8 subfunc_code[2];
738 u8 lvdata[0];
739 } *prepparm;
740
741
742 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
743 if (rc)
744 return rc;
745
746
747 preqcblk->domain = domain;
748
749
750 preqparm = (struct fqreqparm *) preqcblk->req_parmb;
751 memcpy(preqparm->subfunc_code, "FQ", 2);
752 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
753 preqparm->rule_array_len =
754 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
755 preqparm->lv1.len = sizeof(preqparm->lv1);
756 preqparm->dummylen = sizeof(preqparm->dummylen);
757 preqcblk->req_parml = parmbsize;
758
759
760 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
761
762
763 rc = _zcrypt_send_cprb(&xcrb);
764 if (rc) {
765 DEBUG_ERR(
766 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n",
767 __func__, (int) cardnr, (int) domain, rc);
768 goto out;
769 }
770
771
772 if (prepcblk->ccp_rtcode != 0) {
773 DEBUG_ERR(
774 "%s unwrap secure key failure, card response %d/%d\n",
775 __func__,
776 (int) prepcblk->ccp_rtcode,
777 (int) prepcblk->ccp_rscode);
778 rc = -EIO;
779 goto out;
780 }
781
782
783 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
784 prepparm = (struct fqrepparm *) prepcblk->rpl_parmb;
785 ptr = prepparm->lvdata;
786
787
788 len = *((u16 *) ptr);
789 if (len > sizeof(u16)) {
790 ptr += sizeof(u16);
791 len -= sizeof(u16);
792 if (rarray && rarraylen && *rarraylen > 0) {
793 *rarraylen = (len > *rarraylen ? *rarraylen : len);
794 memcpy(rarray, ptr, *rarraylen);
795 }
796 ptr += len;
797 }
798
799 len = *((u16 *) ptr);
800 if (len > sizeof(u16)) {
801 ptr += sizeof(u16);
802 len -= sizeof(u16);
803 if (varray && varraylen && *varraylen > 0) {
804 *varraylen = (len > *varraylen ? *varraylen : len);
805 memcpy(varray, ptr, *varraylen);
806 }
807 ptr += len;
808 }
809
810out:
811 free_cprbmem(mem, parmbsize, 0);
812 return rc;
813}
814
815
816
817
818
819static int fetch_mkvp(u16 cardnr, u16 domain, u64 mkvp[2])
820{
821 int rc, found = 0;
822 size_t rlen, vlen;
823 u8 *rarray, *varray, *pg;
824
825 pg = (u8 *) __get_free_page(GFP_KERNEL);
826 if (!pg)
827 return -ENOMEM;
828 rarray = pg;
829 varray = pg + PAGE_SIZE/2;
830 rlen = vlen = PAGE_SIZE/2;
831
832 rc = query_crypto_facility(cardnr, domain, "STATICSA",
833 rarray, &rlen, varray, &vlen);
834 if (rc == 0 && rlen > 8*8 && vlen > 184+8) {
835 if (rarray[8*8] == '2') {
836
837 mkvp[0] = *((u64 *)(varray + 184));
838 mkvp[1] = *((u64 *)(varray + 172));
839 found = 1;
840 }
841 }
842
843 free_page((unsigned long) pg);
844
845 return found ? 0 : -ENOENT;
846}
847
848
849struct mkvp_info {
850 struct list_head list;
851 u16 cardnr;
852 u16 domain;
853 u64 mkvp[2];
854};
855
856
857static LIST_HEAD(mkvp_list);
858static DEFINE_SPINLOCK(mkvp_list_lock);
859
860static int mkvp_cache_fetch(u16 cardnr, u16 domain, u64 mkvp[2])
861{
862 int rc = -ENOENT;
863 struct mkvp_info *ptr;
864
865 spin_lock_bh(&mkvp_list_lock);
866 list_for_each_entry(ptr, &mkvp_list, list) {
867 if (ptr->cardnr == cardnr &&
868 ptr->domain == domain) {
869 memcpy(mkvp, ptr->mkvp, 2 * sizeof(u64));
870 rc = 0;
871 break;
872 }
873 }
874 spin_unlock_bh(&mkvp_list_lock);
875
876 return rc;
877}
878
879static void mkvp_cache_update(u16 cardnr, u16 domain, u64 mkvp[2])
880{
881 int found = 0;
882 struct mkvp_info *ptr;
883
884 spin_lock_bh(&mkvp_list_lock);
885 list_for_each_entry(ptr, &mkvp_list, list) {
886 if (ptr->cardnr == cardnr &&
887 ptr->domain == domain) {
888 memcpy(ptr->mkvp, mkvp, 2 * sizeof(u64));
889 found = 1;
890 break;
891 }
892 }
893 if (!found) {
894 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
895 if (!ptr) {
896 spin_unlock_bh(&mkvp_list_lock);
897 return;
898 }
899 ptr->cardnr = cardnr;
900 ptr->domain = domain;
901 memcpy(ptr->mkvp, mkvp, 2 * sizeof(u64));
902 list_add(&ptr->list, &mkvp_list);
903 }
904 spin_unlock_bh(&mkvp_list_lock);
905}
906
907static void mkvp_cache_scrub(u16 cardnr, u16 domain)
908{
909 struct mkvp_info *ptr;
910
911 spin_lock_bh(&mkvp_list_lock);
912 list_for_each_entry(ptr, &mkvp_list, list) {
913 if (ptr->cardnr == cardnr &&
914 ptr->domain == domain) {
915 list_del(&ptr->list);
916 kfree(ptr);
917 break;
918 }
919 }
920 spin_unlock_bh(&mkvp_list_lock);
921}
922
923static void __exit mkvp_cache_free(void)
924{
925 struct mkvp_info *ptr, *pnext;
926
927 spin_lock_bh(&mkvp_list_lock);
928 list_for_each_entry_safe(ptr, pnext, &mkvp_list, list) {
929 list_del(&ptr->list);
930 kfree(ptr);
931 }
932 spin_unlock_bh(&mkvp_list_lock);
933}
934
935
936
937
938
939int pkey_findcard(const struct pkey_seckey *seckey,
940 u16 *pcardnr, u16 *pdomain, int verify)
941{
942 struct secaeskeytoken *t = (struct secaeskeytoken *) seckey;
943 struct zcrypt_device_status_ext *device_status;
944 u16 card, dom;
945 u64 mkvp[2];
946 int i, rc, oi = -1;
947
948
949 if (t->mkvp == 0)
950 return -EINVAL;
951
952
953 device_status = kmalloc_array(MAX_ZDEV_ENTRIES_EXT,
954 sizeof(struct zcrypt_device_status_ext),
955 GFP_KERNEL);
956 if (!device_status)
957 return -ENOMEM;
958 zcrypt_device_status_mask_ext(device_status);
959
960
961 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
962 card = AP_QID_CARD(device_status[i].qid);
963 dom = AP_QID_QUEUE(device_status[i].qid);
964 if (device_status[i].online &&
965 device_status[i].functions & 0x04) {
966
967
968 if (mkvp_cache_fetch(card, dom, mkvp) == 0 &&
969 t->mkvp == mkvp[0]) {
970 if (!verify)
971 break;
972
973 if (fetch_mkvp(card, dom, mkvp) == 0) {
974 mkvp_cache_update(card, dom, mkvp);
975 if (t->mkvp == mkvp[0])
976 break;
977 }
978 }
979 } else {
980
981
982 mkvp_cache_scrub(card, dom);
983 }
984 }
985 if (i >= MAX_ZDEV_ENTRIES_EXT) {
986
987 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
988 if (!(device_status[i].online &&
989 device_status[i].functions & 0x04))
990 continue;
991 card = AP_QID_CARD(device_status[i].qid);
992 dom = AP_QID_QUEUE(device_status[i].qid);
993
994 if (fetch_mkvp(card, dom, mkvp) == 0) {
995 mkvp_cache_update(card, dom, mkvp);
996 if (t->mkvp == mkvp[0])
997 break;
998 if (t->mkvp == mkvp[1] && oi < 0)
999 oi = i;
1000 }
1001 }
1002 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1003
1004 card = AP_QID_CARD(device_status[oi].qid);
1005 dom = AP_QID_QUEUE(device_status[oi].qid);
1006 }
1007 }
1008 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1009 if (pcardnr)
1010 *pcardnr = card;
1011 if (pdomain)
1012 *pdomain = dom;
1013 rc = 0;
1014 } else
1015 rc = -ENODEV;
1016
1017 kfree(device_status);
1018 return rc;
1019}
1020EXPORT_SYMBOL(pkey_findcard);
1021
1022
1023
1024
1025int pkey_skey2pkey(const struct pkey_seckey *seckey,
1026 struct pkey_protkey *protkey)
1027{
1028 u16 cardnr, domain;
1029 int rc, verify;
1030
1031
1032
1033
1034
1035
1036
1037 for (verify = 0; verify < 2; verify++) {
1038 rc = pkey_findcard(seckey, &cardnr, &domain, verify);
1039 if (rc)
1040 continue;
1041 rc = pkey_sec2protkey(cardnr, domain, seckey, protkey);
1042 if (rc == 0)
1043 break;
1044 }
1045
1046 if (rc)
1047 DEBUG_DBG("%s failed rc=%d\n", __func__, rc);
1048
1049 return rc;
1050}
1051EXPORT_SYMBOL(pkey_skey2pkey);
1052
1053
1054
1055
1056int pkey_verifykey(const struct pkey_seckey *seckey,
1057 u16 *pcardnr, u16 *pdomain,
1058 u16 *pkeysize, u32 *pattributes)
1059{
1060 struct secaeskeytoken *t = (struct secaeskeytoken *) seckey;
1061 u16 cardnr, domain;
1062 u64 mkvp[2];
1063 int rc;
1064
1065
1066 rc = check_secaeskeytoken((u8 *) seckey, 0);
1067 if (rc)
1068 goto out;
1069 if (pattributes)
1070 *pattributes = PKEY_VERIFY_ATTR_AES;
1071 if (pkeysize)
1072 *pkeysize = t->bitsize;
1073
1074
1075 rc = pkey_findcard(seckey, &cardnr, &domain, 1);
1076 if (rc)
1077 goto out;
1078
1079
1080 rc = mkvp_cache_fetch(cardnr, domain, mkvp);
1081 if (rc)
1082 goto out;
1083 if (t->mkvp == mkvp[1] && t->mkvp != mkvp[0]) {
1084 DEBUG_DBG("%s secure key has old mkvp\n", __func__);
1085 if (pattributes)
1086 *pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
1087 }
1088
1089 if (pcardnr)
1090 *pcardnr = cardnr;
1091 if (pdomain)
1092 *pdomain = domain;
1093
1094out:
1095 DEBUG_DBG("%s rc=%d\n", __func__, rc);
1096 return rc;
1097}
1098EXPORT_SYMBOL(pkey_verifykey);
1099
1100
1101
1102
1103int pkey_genprotkey(__u32 keytype, struct pkey_protkey *protkey)
1104{
1105 struct pkey_clrkey clrkey;
1106 int keysize;
1107 int rc;
1108
1109 switch (keytype) {
1110 case PKEY_KEYTYPE_AES_128:
1111 keysize = 16;
1112 break;
1113 case PKEY_KEYTYPE_AES_192:
1114 keysize = 24;
1115 break;
1116 case PKEY_KEYTYPE_AES_256:
1117 keysize = 32;
1118 break;
1119 default:
1120 DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__,
1121 keytype);
1122 return -EINVAL;
1123 }
1124
1125
1126 get_random_bytes(clrkey.clrkey, keysize);
1127
1128
1129 rc = pkey_clr2protkey(keytype, &clrkey, protkey);
1130 if (rc)
1131 return rc;
1132
1133
1134 get_random_bytes(protkey->protkey, keysize);
1135
1136 return 0;
1137}
1138EXPORT_SYMBOL(pkey_genprotkey);
1139
1140
1141
1142
1143int pkey_verifyprotkey(const struct pkey_protkey *protkey)
1144{
1145 unsigned long fc;
1146 struct {
1147 u8 iv[AES_BLOCK_SIZE];
1148 u8 key[MAXPROTKEYSIZE];
1149 } param;
1150 u8 null_msg[AES_BLOCK_SIZE];
1151 u8 dest_buf[AES_BLOCK_SIZE];
1152 unsigned int k;
1153
1154 switch (protkey->type) {
1155 case PKEY_KEYTYPE_AES_128:
1156 fc = CPACF_KMC_PAES_128;
1157 break;
1158 case PKEY_KEYTYPE_AES_192:
1159 fc = CPACF_KMC_PAES_192;
1160 break;
1161 case PKEY_KEYTYPE_AES_256:
1162 fc = CPACF_KMC_PAES_256;
1163 break;
1164 default:
1165 DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__,
1166 protkey->type);
1167 return -EINVAL;
1168 }
1169
1170 memset(null_msg, 0, sizeof(null_msg));
1171
1172 memset(param.iv, 0, sizeof(param.iv));
1173 memcpy(param.key, protkey->protkey, sizeof(param.key));
1174
1175 k = cpacf_kmc(fc | CPACF_ENCRYPT, ¶m, null_msg, dest_buf,
1176 sizeof(null_msg));
1177 if (k != sizeof(null_msg)) {
1178 DEBUG_ERR("%s protected key is not valid\n", __func__);
1179 return -EKEYREJECTED;
1180 }
1181
1182 return 0;
1183}
1184EXPORT_SYMBOL(pkey_verifyprotkey);
1185
1186
1187
1188
1189static int pkey_nonccatok2pkey(const __u8 *key, __u32 keylen,
1190 struct pkey_protkey *protkey)
1191{
1192 struct keytoken_header *hdr = (struct keytoken_header *)key;
1193 struct protaeskeytoken *t;
1194
1195 switch (hdr->version) {
1196 case TOKVER_PROTECTED_KEY:
1197 if (keylen != sizeof(struct protaeskeytoken))
1198 return -EINVAL;
1199
1200 t = (struct protaeskeytoken *)key;
1201 protkey->len = t->len;
1202 protkey->type = t->keytype;
1203 memcpy(protkey->protkey, t->protkey,
1204 sizeof(protkey->protkey));
1205
1206 return pkey_verifyprotkey(protkey);
1207 default:
1208 DEBUG_ERR("%s unknown/unsupported non-CCA token version %d\n",
1209 __func__, hdr->version);
1210 return -EINVAL;
1211 }
1212}
1213
1214
1215
1216
1217static int pkey_ccainttok2pkey(const __u8 *key, __u32 keylen,
1218 struct pkey_protkey *protkey)
1219{
1220 struct keytoken_header *hdr = (struct keytoken_header *)key;
1221
1222 switch (hdr->version) {
1223 case TOKVER_CCA_AES:
1224 if (keylen != sizeof(struct secaeskeytoken))
1225 return -EINVAL;
1226
1227 return pkey_skey2pkey((struct pkey_seckey *)key,
1228 protkey);
1229 default:
1230 DEBUG_ERR("%s unknown/unsupported CCA internal token version %d\n",
1231 __func__, hdr->version);
1232 return -EINVAL;
1233 }
1234}
1235
1236
1237
1238
1239int pkey_keyblob2pkey(const __u8 *key, __u32 keylen,
1240 struct pkey_protkey *protkey)
1241{
1242 struct keytoken_header *hdr = (struct keytoken_header *)key;
1243
1244 if (keylen < sizeof(struct keytoken_header))
1245 return -EINVAL;
1246
1247 switch (hdr->type) {
1248 case TOKTYPE_NON_CCA:
1249 return pkey_nonccatok2pkey(key, keylen, protkey);
1250 case TOKTYPE_CCA_INTERNAL:
1251 return pkey_ccainttok2pkey(key, keylen, protkey);
1252 default:
1253 DEBUG_ERR("%s unknown/unsupported blob type %d\n", __func__,
1254 hdr->type);
1255 return -EINVAL;
1256 }
1257}
1258EXPORT_SYMBOL(pkey_keyblob2pkey);
1259
1260
1261
1262
1263
1264static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
1265 unsigned long arg)
1266{
1267 int rc;
1268
1269 switch (cmd) {
1270 case PKEY_GENSECK: {
1271 struct pkey_genseck __user *ugs = (void __user *) arg;
1272 struct pkey_genseck kgs;
1273
1274 if (copy_from_user(&kgs, ugs, sizeof(kgs)))
1275 return -EFAULT;
1276 rc = pkey_genseckey(kgs.cardnr, kgs.domain,
1277 kgs.keytype, &kgs.seckey);
1278 DEBUG_DBG("%s pkey_genseckey()=%d\n", __func__, rc);
1279 if (rc)
1280 break;
1281 if (copy_to_user(ugs, &kgs, sizeof(kgs)))
1282 return -EFAULT;
1283 break;
1284 }
1285 case PKEY_CLR2SECK: {
1286 struct pkey_clr2seck __user *ucs = (void __user *) arg;
1287 struct pkey_clr2seck kcs;
1288
1289 if (copy_from_user(&kcs, ucs, sizeof(kcs)))
1290 return -EFAULT;
1291 rc = pkey_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype,
1292 &kcs.clrkey, &kcs.seckey);
1293 DEBUG_DBG("%s pkey_clr2seckey()=%d\n", __func__, rc);
1294 if (rc)
1295 break;
1296 if (copy_to_user(ucs, &kcs, sizeof(kcs)))
1297 return -EFAULT;
1298 memzero_explicit(&kcs, sizeof(kcs));
1299 break;
1300 }
1301 case PKEY_SEC2PROTK: {
1302 struct pkey_sec2protk __user *usp = (void __user *) arg;
1303 struct pkey_sec2protk ksp;
1304
1305 if (copy_from_user(&ksp, usp, sizeof(ksp)))
1306 return -EFAULT;
1307 rc = pkey_sec2protkey(ksp.cardnr, ksp.domain,
1308 &ksp.seckey, &ksp.protkey);
1309 DEBUG_DBG("%s pkey_sec2protkey()=%d\n", __func__, rc);
1310 if (rc)
1311 break;
1312 if (copy_to_user(usp, &ksp, sizeof(ksp)))
1313 return -EFAULT;
1314 break;
1315 }
1316 case PKEY_CLR2PROTK: {
1317 struct pkey_clr2protk __user *ucp = (void __user *) arg;
1318 struct pkey_clr2protk kcp;
1319
1320 if (copy_from_user(&kcp, ucp, sizeof(kcp)))
1321 return -EFAULT;
1322 rc = pkey_clr2protkey(kcp.keytype,
1323 &kcp.clrkey, &kcp.protkey);
1324 DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc);
1325 if (rc)
1326 break;
1327 if (copy_to_user(ucp, &kcp, sizeof(kcp)))
1328 return -EFAULT;
1329 memzero_explicit(&kcp, sizeof(kcp));
1330 break;
1331 }
1332 case PKEY_FINDCARD: {
1333 struct pkey_findcard __user *ufc = (void __user *) arg;
1334 struct pkey_findcard kfc;
1335
1336 if (copy_from_user(&kfc, ufc, sizeof(kfc)))
1337 return -EFAULT;
1338 rc = pkey_findcard(&kfc.seckey,
1339 &kfc.cardnr, &kfc.domain, 1);
1340 DEBUG_DBG("%s pkey_findcard()=%d\n", __func__, rc);
1341 if (rc)
1342 break;
1343 if (copy_to_user(ufc, &kfc, sizeof(kfc)))
1344 return -EFAULT;
1345 break;
1346 }
1347 case PKEY_SKEY2PKEY: {
1348 struct pkey_skey2pkey __user *usp = (void __user *) arg;
1349 struct pkey_skey2pkey ksp;
1350
1351 if (copy_from_user(&ksp, usp, sizeof(ksp)))
1352 return -EFAULT;
1353 rc = pkey_skey2pkey(&ksp.seckey, &ksp.protkey);
1354 DEBUG_DBG("%s pkey_skey2pkey()=%d\n", __func__, rc);
1355 if (rc)
1356 break;
1357 if (copy_to_user(usp, &ksp, sizeof(ksp)))
1358 return -EFAULT;
1359 break;
1360 }
1361 case PKEY_VERIFYKEY: {
1362 struct pkey_verifykey __user *uvk = (void __user *) arg;
1363 struct pkey_verifykey kvk;
1364
1365 if (copy_from_user(&kvk, uvk, sizeof(kvk)))
1366 return -EFAULT;
1367 rc = pkey_verifykey(&kvk.seckey, &kvk.cardnr, &kvk.domain,
1368 &kvk.keysize, &kvk.attributes);
1369 DEBUG_DBG("%s pkey_verifykey()=%d\n", __func__, rc);
1370 if (rc)
1371 break;
1372 if (copy_to_user(uvk, &kvk, sizeof(kvk)))
1373 return -EFAULT;
1374 break;
1375 }
1376 case PKEY_GENPROTK: {
1377 struct pkey_genprotk __user *ugp = (void __user *) arg;
1378 struct pkey_genprotk kgp;
1379
1380 if (copy_from_user(&kgp, ugp, sizeof(kgp)))
1381 return -EFAULT;
1382 rc = pkey_genprotkey(kgp.keytype, &kgp.protkey);
1383 DEBUG_DBG("%s pkey_genprotkey()=%d\n", __func__, rc);
1384 if (rc)
1385 break;
1386 if (copy_to_user(ugp, &kgp, sizeof(kgp)))
1387 return -EFAULT;
1388 break;
1389 }
1390 case PKEY_VERIFYPROTK: {
1391 struct pkey_verifyprotk __user *uvp = (void __user *) arg;
1392 struct pkey_verifyprotk kvp;
1393
1394 if (copy_from_user(&kvp, uvp, sizeof(kvp)))
1395 return -EFAULT;
1396 rc = pkey_verifyprotkey(&kvp.protkey);
1397 DEBUG_DBG("%s pkey_verifyprotkey()=%d\n", __func__, rc);
1398 break;
1399 }
1400 case PKEY_KBLOB2PROTK: {
1401 struct pkey_kblob2pkey __user *utp = (void __user *) arg;
1402 struct pkey_kblob2pkey ktp;
1403 __u8 __user *ukey;
1404 __u8 *kkey;
1405
1406 if (copy_from_user(&ktp, utp, sizeof(ktp)))
1407 return -EFAULT;
1408 if (ktp.keylen < MINKEYBLOBSIZE ||
1409 ktp.keylen > MAXKEYBLOBSIZE)
1410 return -EINVAL;
1411 ukey = ktp.key;
1412 kkey = kmalloc(ktp.keylen, GFP_KERNEL);
1413 if (kkey == NULL)
1414 return -ENOMEM;
1415 if (copy_from_user(kkey, ukey, ktp.keylen)) {
1416 kfree(kkey);
1417 return -EFAULT;
1418 }
1419 rc = pkey_keyblob2pkey(kkey, ktp.keylen, &ktp.protkey);
1420 DEBUG_DBG("%s pkey_keyblob2pkey()=%d\n", __func__, rc);
1421 kfree(kkey);
1422 if (rc)
1423 break;
1424 if (copy_to_user(utp, &ktp, sizeof(ktp)))
1425 return -EFAULT;
1426 break;
1427 }
1428 default:
1429
1430 return -ENOTTY;
1431 }
1432
1433 return rc;
1434}
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
1447 loff_t off, size_t count)
1448{
1449 struct protaeskeytoken protkeytoken;
1450 struct pkey_protkey protkey;
1451 int rc;
1452
1453 if (off != 0 || count < sizeof(protkeytoken))
1454 return -EINVAL;
1455 if (is_xts)
1456 if (count < 2 * sizeof(protkeytoken))
1457 return -EINVAL;
1458
1459 memset(&protkeytoken, 0, sizeof(protkeytoken));
1460 protkeytoken.type = TOKTYPE_NON_CCA;
1461 protkeytoken.version = TOKVER_PROTECTED_KEY;
1462 protkeytoken.keytype = keytype;
1463
1464 rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
1465 if (rc)
1466 return rc;
1467
1468 protkeytoken.len = protkey.len;
1469 memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
1470
1471 memcpy(buf, &protkeytoken, sizeof(protkeytoken));
1472
1473 if (is_xts) {
1474 rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
1475 if (rc)
1476 return rc;
1477
1478 protkeytoken.len = protkey.len;
1479 memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
1480
1481 memcpy(buf + sizeof(protkeytoken), &protkeytoken,
1482 sizeof(protkeytoken));
1483
1484 return 2 * sizeof(protkeytoken);
1485 }
1486
1487 return sizeof(protkeytoken);
1488}
1489
1490static ssize_t protkey_aes_128_read(struct file *filp,
1491 struct kobject *kobj,
1492 struct bin_attribute *attr,
1493 char *buf, loff_t off,
1494 size_t count)
1495{
1496 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
1497 off, count);
1498}
1499
1500static ssize_t protkey_aes_192_read(struct file *filp,
1501 struct kobject *kobj,
1502 struct bin_attribute *attr,
1503 char *buf, loff_t off,
1504 size_t count)
1505{
1506 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
1507 off, count);
1508}
1509
1510static ssize_t protkey_aes_256_read(struct file *filp,
1511 struct kobject *kobj,
1512 struct bin_attribute *attr,
1513 char *buf, loff_t off,
1514 size_t count)
1515{
1516 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
1517 off, count);
1518}
1519
1520static ssize_t protkey_aes_128_xts_read(struct file *filp,
1521 struct kobject *kobj,
1522 struct bin_attribute *attr,
1523 char *buf, loff_t off,
1524 size_t count)
1525{
1526 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
1527 off, count);
1528}
1529
1530static ssize_t protkey_aes_256_xts_read(struct file *filp,
1531 struct kobject *kobj,
1532 struct bin_attribute *attr,
1533 char *buf, loff_t off,
1534 size_t count)
1535{
1536 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
1537 off, count);
1538}
1539
1540static BIN_ATTR_RO(protkey_aes_128, sizeof(struct protaeskeytoken));
1541static BIN_ATTR_RO(protkey_aes_192, sizeof(struct protaeskeytoken));
1542static BIN_ATTR_RO(protkey_aes_256, sizeof(struct protaeskeytoken));
1543static BIN_ATTR_RO(protkey_aes_128_xts, 2 * sizeof(struct protaeskeytoken));
1544static BIN_ATTR_RO(protkey_aes_256_xts, 2 * sizeof(struct protaeskeytoken));
1545
1546static struct bin_attribute *protkey_attrs[] = {
1547 &bin_attr_protkey_aes_128,
1548 &bin_attr_protkey_aes_192,
1549 &bin_attr_protkey_aes_256,
1550 &bin_attr_protkey_aes_128_xts,
1551 &bin_attr_protkey_aes_256_xts,
1552 NULL
1553};
1554
1555static struct attribute_group protkey_attr_group = {
1556 .name = "protkey",
1557 .bin_attrs = protkey_attrs,
1558};
1559
1560
1561
1562
1563
1564
1565
1566static ssize_t pkey_ccadata_aes_attr_read(u32 keytype, bool is_xts, char *buf,
1567 loff_t off, size_t count)
1568{
1569 int rc;
1570
1571 if (off != 0 || count < sizeof(struct secaeskeytoken))
1572 return -EINVAL;
1573 if (is_xts)
1574 if (count < 2 * sizeof(struct secaeskeytoken))
1575 return -EINVAL;
1576
1577 rc = pkey_genseckey(-1, -1, keytype, (struct pkey_seckey *)buf);
1578 if (rc)
1579 return rc;
1580
1581 if (is_xts) {
1582 buf += sizeof(struct pkey_seckey);
1583 rc = pkey_genseckey(-1, -1, keytype, (struct pkey_seckey *)buf);
1584 if (rc)
1585 return rc;
1586
1587 return 2 * sizeof(struct secaeskeytoken);
1588 }
1589
1590 return sizeof(struct secaeskeytoken);
1591}
1592
1593static ssize_t ccadata_aes_128_read(struct file *filp,
1594 struct kobject *kobj,
1595 struct bin_attribute *attr,
1596 char *buf, loff_t off,
1597 size_t count)
1598{
1599 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
1600 off, count);
1601}
1602
1603static ssize_t ccadata_aes_192_read(struct file *filp,
1604 struct kobject *kobj,
1605 struct bin_attribute *attr,
1606 char *buf, loff_t off,
1607 size_t count)
1608{
1609 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
1610 off, count);
1611}
1612
1613static ssize_t ccadata_aes_256_read(struct file *filp,
1614 struct kobject *kobj,
1615 struct bin_attribute *attr,
1616 char *buf, loff_t off,
1617 size_t count)
1618{
1619 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
1620 off, count);
1621}
1622
1623static ssize_t ccadata_aes_128_xts_read(struct file *filp,
1624 struct kobject *kobj,
1625 struct bin_attribute *attr,
1626 char *buf, loff_t off,
1627 size_t count)
1628{
1629 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
1630 off, count);
1631}
1632
1633static ssize_t ccadata_aes_256_xts_read(struct file *filp,
1634 struct kobject *kobj,
1635 struct bin_attribute *attr,
1636 char *buf, loff_t off,
1637 size_t count)
1638{
1639 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
1640 off, count);
1641}
1642
1643static BIN_ATTR_RO(ccadata_aes_128, sizeof(struct secaeskeytoken));
1644static BIN_ATTR_RO(ccadata_aes_192, sizeof(struct secaeskeytoken));
1645static BIN_ATTR_RO(ccadata_aes_256, sizeof(struct secaeskeytoken));
1646static BIN_ATTR_RO(ccadata_aes_128_xts, 2 * sizeof(struct secaeskeytoken));
1647static BIN_ATTR_RO(ccadata_aes_256_xts, 2 * sizeof(struct secaeskeytoken));
1648
1649static struct bin_attribute *ccadata_attrs[] = {
1650 &bin_attr_ccadata_aes_128,
1651 &bin_attr_ccadata_aes_192,
1652 &bin_attr_ccadata_aes_256,
1653 &bin_attr_ccadata_aes_128_xts,
1654 &bin_attr_ccadata_aes_256_xts,
1655 NULL
1656};
1657
1658static struct attribute_group ccadata_attr_group = {
1659 .name = "ccadata",
1660 .bin_attrs = ccadata_attrs,
1661};
1662
1663static const struct attribute_group *pkey_attr_groups[] = {
1664 &protkey_attr_group,
1665 &ccadata_attr_group,
1666 NULL,
1667};
1668
1669static const struct file_operations pkey_fops = {
1670 .owner = THIS_MODULE,
1671 .open = nonseekable_open,
1672 .llseek = no_llseek,
1673 .unlocked_ioctl = pkey_unlocked_ioctl,
1674};
1675
1676static struct miscdevice pkey_dev = {
1677 .name = "pkey",
1678 .minor = MISC_DYNAMIC_MINOR,
1679 .mode = 0666,
1680 .fops = &pkey_fops,
1681 .groups = pkey_attr_groups,
1682};
1683
1684
1685
1686
1687static int __init pkey_init(void)
1688{
1689 cpacf_mask_t kmc_functions;
1690
1691
1692
1693
1694
1695
1696
1697 if (!cpacf_query(CPACF_PCKMO, &pckmo_functions))
1698 return -ENODEV;
1699
1700
1701 if (!cpacf_query(CPACF_KMC, &kmc_functions))
1702 return -ENODEV;
1703 if (!cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_128) ||
1704 !cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_192) ||
1705 !cpacf_test_func(&kmc_functions, CPACF_KMC_PAES_256))
1706 return -ENODEV;
1707
1708 pkey_debug_init();
1709
1710 return misc_register(&pkey_dev);
1711}
1712
1713
1714
1715
1716static void __exit pkey_exit(void)
1717{
1718 misc_deregister(&pkey_dev);
1719 mkvp_cache_free();
1720 pkey_debug_exit();
1721}
1722
1723module_cpu_feature_match(MSA, pkey_init);
1724module_exit(pkey_exit);
1725