LXR linux/drivers/s390/crypto/zcrypt

   1// SPDX-License-Identifier: GPL-2.0+
   2/*
   3 *  Copyright IBM Corp. 2001, 2012
   4 *  Author(s): Robert Burroughs
   5 *             Eric Rossman (edrossma@us.ibm.com)
   6 *
   7 *  Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com)
   8 *  Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com>
   9 *                                Ralph Wuerthner <rwuerthn@de.ibm.com>
  10 *  MSGTYPE restruct:             Holger Dengler <hd@linux.vnet.ibm.com>
  11 */
  12
  13#define KMSG_COMPONENT "zcrypt"
  14#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
  15
  16#include <linux/module.h>
  17#include <linux/init.h>
  18#include <linux/err.h>
  19#include <linux/delay.h>
  20#include <linux/slab.h>
  21#include <linux/atomic.h>
  22#include <linux/uaccess.h>
  23
  24#include "ap_bus.h"
  25#include "zcrypt_api.h"
  26#include "zcrypt_error.h"
  27#include "zcrypt_msgtype6.h"
  28#include "zcrypt_cca_key.h"
  29
  30#define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply       */
  31
  32#define CEIL4(x) ((((x)+3)/4)*4)
  33
  34struct response_type {
  35        struct completion work;
  36        int type;
  37};
  38#define CEXXC_RESPONSE_TYPE_ICA  0
  39#define CEXXC_RESPONSE_TYPE_XCRB 1
  40#define CEXXC_RESPONSE_TYPE_EP11 2
  41
  42MODULE_AUTHOR("IBM Corporation");
  43MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \
  44                   "Copyright IBM Corp. 2001, 2012");
  45MODULE_LICENSE("GPL");
  46
  47/*
  48 * CPRB
  49 *        Note that all shorts, ints and longs are little-endian.
  50 *        All pointer fields are 32-bits long, and mean nothing
  51 *
  52 *        A request CPRB is followed by a request_parameter_block.
  53 *
  54 *        The request (or reply) parameter block is organized thus:
  55 *          function code
  56 *          VUD block
  57 *          key block
  58 */
  59struct CPRB {
  60        unsigned short cprb_len;        /* CPRB length                   */
  61        unsigned char cprb_ver_id;      /* CPRB version id.              */
  62        unsigned char pad_000;          /* Alignment pad byte.           */
  63        unsigned char srpi_rtcode[4];   /* SRPI return code LELONG       */
  64        unsigned char srpi_verb;        /* SRPI verb type                */
  65        unsigned char flags;            /* flags                         */
  66        unsigned char func_id[2];       /* function id                   */
  67        unsigned char checkpoint_flag;  /*                               */
  68        unsigned char resv2;            /* reserved                      */
  69        unsigned short req_parml;       /* request parameter buffer      */
  70                                        /* length 16-bit little endian   */
  71        unsigned char req_parmp[4];     /* request parameter buffer      *
  72                                         * pointer (means nothing: the   *
  73                                         * parameter buffer follows      *
  74                                         * the CPRB).                    */
  75        unsigned char req_datal[4];     /* request data buffer           */
  76                                        /* length         ULELONG        */
  77        unsigned char req_datap[4];     /* request data buffer           */
  78                                        /* pointer                       */
  79        unsigned short rpl_parml;       /* reply  parameter buffer       */
  80                                        /* length 16-bit little endian   */
  81        unsigned char pad_001[2];       /* Alignment pad bytes. ULESHORT */
  82        unsigned char rpl_parmp[4];     /* reply parameter buffer        *
  83                                         * pointer (means nothing: the   *
  84                                         * parameter buffer follows      *
  85                                         * the CPRB).                    */
  86        unsigned char rpl_datal[4];     /* reply data buffer len ULELONG */
  87        unsigned char rpl_datap[4];     /* reply data buffer             */
  88                                        /* pointer                       */
  89        unsigned short ccp_rscode;      /* server reason code   ULESHORT */
  90        unsigned short ccp_rtcode;      /* server return code   ULESHORT */
  91        unsigned char repd_parml[2];    /* replied parameter len ULESHORT*/
  92        unsigned char mac_data_len[2];  /* Mac Data Length      ULESHORT */
  93        unsigned char repd_datal[4];    /* replied data length  ULELONG  */
  94        unsigned char req_pc[2];        /* PC identifier                 */
  95        unsigned char res_origin[8];    /* resource origin               */
  96        unsigned char mac_value[8];     /* Mac Value                     */
  97        unsigned char logon_id[8];      /* Logon Identifier              */
  98        unsigned char usage_domain[2];  /* cdx                           */
  99        unsigned char resv3[18];        /* reserved for requestor        */
 100        unsigned short svr_namel;       /* server name length  ULESHORT  */
 101        unsigned char svr_name[8];      /* server name                   */
 102} __packed;
 103
 104struct function_and_rules_block {
 105        unsigned char function_code[2];
 106        unsigned short ulen;
 107        unsigned char only_rule[8];
 108} __packed;
 109
 110/*
 111 * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP
 112 * card in a type6 message. The 3 fields that must be filled in at execution
 113 * time are  req_parml, rpl_parml and usage_domain.
 114 * Everything about this interface is ascii/big-endian, since the
 115 * device does *not* have 'Intel inside'.
 116 *
 117 * The CPRBX is followed immediately by the parm block.
 118 * The parm block contains:
 119 * - function code ('PD' 0x5044 or 'PK' 0x504B)
 120 * - rule block (one of:)
 121 *   + 0x000A 'PKCS-1.2' (MCL2 'PD')
 122 *   + 0x000A 'ZERO-PAD' (MCL2 'PK')
 123 *   + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD')
 124 *   + 0x000A 'MRP     ' (MCL3 'PK' or CEX2C 'PK')
 125 * - VUD block
 126 */
 127static const struct CPRBX static_cprbx = {
 128        .cprb_len       =  0x00DC,
 129        .cprb_ver_id    =  0x02,
 130        .func_id        = {0x54, 0x32},
 131};
 132
 133int speed_idx_cca(int req_type)
 134{
 135        switch (req_type) {
 136        case 0x4142:
 137        case 0x4149:
 138        case 0x414D:
 139        case 0x4341:
 140        case 0x4344:
 141        case 0x4354:
 142        case 0x4358:
 143        case 0x444B:
 144        case 0x4558:
 145        case 0x4643:
 146        case 0x4651:
 147        case 0x4C47:
 148        case 0x4C4B:
 149        case 0x4C51:
 150        case 0x4F48:
 151        case 0x504F:
 152        case 0x5053:
 153        case 0x5058:
 154        case 0x5343:
 155        case 0x5344:
 156        case 0x5345:
 157        case 0x5350:
 158                return LOW;
 159        case 0x414B:
 160        case 0x4345:
 161        case 0x4349:
 162        case 0x434D:
 163        case 0x4847:
 164        case 0x4849:
 165        case 0x484D:
 166        case 0x4850:
 167        case 0x4851:
 168        case 0x4954:
 169        case 0x4958:
 170        case 0x4B43:
 171        case 0x4B44:
 172        case 0x4B45:
 173        case 0x4B47:
 174        case 0x4B48:
 175        case 0x4B49:
 176        case 0x4B4E:
 177        case 0x4B50:
 178        case 0x4B52:
 179        case 0x4B54:
 180        case 0x4B58:
 181        case 0x4D50:
 182        case 0x4D53:
 183        case 0x4D56:
 184        case 0x4D58:
 185        case 0x5044:
 186        case 0x5045:
 187        case 0x5046:
 188        case 0x5047:
 189        case 0x5049:
 190        case 0x504B:
 191        case 0x504D:
 192        case 0x5254:
 193        case 0x5347:
 194        case 0x5349:
 195        case 0x534B:
 196        case 0x534D:
 197        case 0x5356:
 198        case 0x5358:
 199        case 0x5443:
 200        case 0x544B:
 201        case 0x5647:
 202                return HIGH;
 203        default:
 204                return MEDIUM;
 205        }
 206}
 207
 208int speed_idx_ep11(int req_type)
 209{
 210        switch (req_type) {
 211        case  1:
 212        case  2:
 213        case 36:
 214        case 37:
 215        case 38:
 216        case 39:
 217        case 40:
 218                return LOW;
 219        case 17:
 220        case 18:
 221        case 19:
 222        case 20:
 223        case 21:
 224        case 22:
 225        case 26:
 226        case 30:
 227        case 31:
 228        case 32:
 229        case 33:
 230        case 34:
 231        case 35:
 232                return HIGH;
 233        default:
 234                return MEDIUM;
 235        }
 236}
 237
 238
 239/*
 240 * Convert a ICAMEX message to a type6 MEX message.
 241 *
 242 * @zq: crypto device pointer
 243 * @ap_msg: pointer to AP message
 244 * @mex: pointer to user input data
 245 *
 246 * Returns 0 on success or negative errno value.
 247 */
 248static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq,
 249                                       struct ap_message *ap_msg,
 250                                       struct ica_rsa_modexpo *mex)
 251{
 252        static struct type6_hdr static_type6_hdrX = {
 253                .type           =  0x06,
 254                .offset1        =  0x00000058,
 255                .agent_id       = {'C', 'A',},
 256                .function_code  = {'P', 'K'},
 257        };
 258        static struct function_and_rules_block static_pke_fnr = {
 259                .function_code  = {'P', 'K'},
 260                .ulen           = 10,
 261                .only_rule      = {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '}
 262        };
 263        struct {
 264                struct type6_hdr hdr;
 265                struct CPRBX cprbx;
 266                struct function_and_rules_block fr;
 267                unsigned short length;
 268                char text[0];
 269        } __packed * msg = ap_msg->msg;
 270        int size;
 271
 272        /*
 273         * The inputdatalength was a selection criteria in the dispatching
 274         * function zcrypt_rsa_modexpo(). However, make sure the following
 275         * copy_from_user() never exceeds the allocated buffer space.
 276         */
 277        if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
 278                return -EINVAL;
 279
 280        /* VUD.ciphertext */
 281        msg->length = mex->inputdatalength + 2;
 282        if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
 283                return -EFAULT;
 284
 285        /* Set up key which is located after the variable length text. */
 286        size = zcrypt_type6_mex_key_en(mex, msg->text+mex->inputdatalength);
 287        if (size < 0)
 288                return size;
 289        size += sizeof(*msg) + mex->inputdatalength;
 290
 291        /* message header, cprbx and f&r */
 292        msg->hdr = static_type6_hdrX;
 293        msg->hdr.ToCardLen1 = size - sizeof(msg->hdr);
 294        msg->hdr.FromCardLen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
 295
 296        msg->cprbx = static_cprbx;
 297        msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
 298        msg->cprbx.rpl_msgbl = msg->hdr.FromCardLen1;
 299
 300        msg->fr = static_pke_fnr;
 301
 302        msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx);
 303
 304        ap_msg->len = size;
 305        return 0;
 306}
 307
 308/*
 309 * Convert a ICACRT message to a type6 CRT message.
 310 *
 311 * @zq: crypto device pointer
 312 * @ap_msg: pointer to AP message
 313 * @crt: pointer to user input data
 314 *
 315 * Returns 0 on success or negative errno value.
 316 */
 317static int ICACRT_msg_to_type6CRT_msgX(struct zcrypt_queue *zq,
 318                                       struct ap_message *ap_msg,
 319                                       struct ica_rsa_modexpo_crt *crt)
 320{
 321        static struct type6_hdr static_type6_hdrX = {
 322                .type           =  0x06,
 323                .offset1        =  0x00000058,
 324                .agent_id       = {'C', 'A',},
 325                .function_code  = {'P', 'D'},
 326        };
 327        static struct function_and_rules_block static_pkd_fnr = {
 328                .function_code  = {'P', 'D'},
 329                .ulen           = 10,
 330                .only_rule      = {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'}
 331        };
 332
 333        struct {
 334                struct type6_hdr hdr;
 335                struct CPRBX cprbx;
 336                struct function_and_rules_block fr;
 337                unsigned short length;
 338                char text[0];
 339        } __packed * msg = ap_msg->msg;
 340        int size;
 341
 342        /*
 343         * The inputdatalength was a selection criteria in the dispatching
 344         * function zcrypt_rsa_crt(). However, make sure the following
 345         * copy_from_user() never exceeds the allocated buffer space.
 346         */
 347        if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
 348                return -EINVAL;
 349
 350        /* VUD.ciphertext */
 351        msg->length = crt->inputdatalength + 2;
 352        if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))
 353                return -EFAULT;
 354
 355        /* Set up key which is located after the variable length text. */
 356        size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength);
 357        if (size < 0)
 358                return size;
 359        size += sizeof(*msg) + crt->inputdatalength;    /* total size of msg */
 360
 361        /* message header, cprbx and f&r */
 362        msg->hdr = static_type6_hdrX;
 363        msg->hdr.ToCardLen1 = size -  sizeof(msg->hdr);
 364        msg->hdr.FromCardLen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
 365
 366        msg->cprbx = static_cprbx;
 367        msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
 368        msg->cprbx.req_parml = msg->cprbx.rpl_msgbl =
 369                size - sizeof(msg->hdr) - sizeof(msg->cprbx);
 370
 371        msg->fr = static_pkd_fnr;
 372
 373        ap_msg->len = size;
 374        return 0;
 375}
 376
 377/*
 378 * Convert a XCRB message to a type6 CPRB message.
 379 *
 380 * @zq: crypto device pointer
 381 * @ap_msg: pointer to AP message
 382 * @xcRB: pointer to user input data
 383 *
 384 * Returns 0 on success or -EFAULT, -EINVAL.
 385 */
 386struct type86_fmt2_msg {
 387        struct type86_hdr hdr;
 388        struct type86_fmt2_ext fmt2;
 389} __packed;
 390
 391static int XCRB_msg_to_type6CPRB_msgX(bool userspace, struct ap_message *ap_msg,
 392                                      struct ica_xcRB *xcRB,
 393                                      unsigned int *fcode,
 394                                      unsigned short **dom)
 395{
 396        static struct type6_hdr static_type6_hdrX = {
 397                .type           =  0x06,
 398                .offset1        =  0x00000058,
 399        };
 400        struct {
 401                struct type6_hdr hdr;
 402                struct CPRBX cprbx;
 403        } __packed * msg = ap_msg->msg;
 404
 405        int rcblen = CEIL4(xcRB->request_control_blk_length);
 406        int req_sumlen, resp_sumlen;
 407        char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen;
 408        char *function_code;
 409
 410        if (CEIL4(xcRB->request_control_blk_length) <
 411                        xcRB->request_control_blk_length)
 412                return -EINVAL; /* overflow after alignment*/
 413
 414        /* length checks */
 415        ap_msg->len = sizeof(struct type6_hdr) +
 416                CEIL4(xcRB->request_control_blk_length) +
 417                xcRB->request_data_length;
 418        if (ap_msg->len > ap_msg->bufsize)
 419                return -EINVAL;
 420
 421        /*
 422         * Overflow check
 423         * sum must be greater (or equal) than the largest operand
 424         */
 425        req_sumlen = CEIL4(xcRB->request_control_blk_length) +
 426                        xcRB->request_data_length;
 427        if ((CEIL4(xcRB->request_control_blk_length) <=
 428                                                xcRB->request_data_length) ?
 429                (req_sumlen < xcRB->request_data_length) :
 430                (req_sumlen < CEIL4(xcRB->request_control_blk_length))) {
 431                return -EINVAL;
 432        }
 433
 434        if (CEIL4(xcRB->reply_control_blk_length) <
 435                        xcRB->reply_control_blk_length)
 436                return -EINVAL; /* overflow after alignment*/
 437
 438        /*
 439         * Overflow check
 440         * sum must be greater (or equal) than the largest operand
 441         */
 442        resp_sumlen = CEIL4(xcRB->reply_control_blk_length) +
 443                        xcRB->reply_data_length;
 444        if ((CEIL4(xcRB->reply_control_blk_length) <= xcRB->reply_data_length) ?
 445                (resp_sumlen < xcRB->reply_data_length) :
 446                (resp_sumlen < CEIL4(xcRB->reply_control_blk_length))) {
 447                return -EINVAL;
 448        }
 449
 450        /* prepare type6 header */
 451        msg->hdr = static_type6_hdrX;
 452        memcpy(msg->hdr.agent_id, &(xcRB->agent_ID), sizeof(xcRB->agent_ID));
 453        msg->hdr.ToCardLen1 = xcRB->request_control_blk_length;
 454        if (xcRB->request_data_length) {
 455                msg->hdr.offset2 = msg->hdr.offset1 + rcblen;
 456                msg->hdr.ToCardLen2 = xcRB->request_data_length;
 457        }
 458        msg->hdr.FromCardLen1 = xcRB->reply_control_blk_length;
 459        msg->hdr.FromCardLen2 = xcRB->reply_data_length;
 460
 461        /* prepare CPRB */
 462        if (z_copy_from_user(userspace, &(msg->cprbx), xcRB->request_control_blk_addr,
 463                             xcRB->request_control_blk_length))
 464                return -EFAULT;
 465        if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) >
 466            xcRB->request_control_blk_length)
 467                return -EINVAL;
 468        function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len;
 469        memcpy(msg->hdr.function_code, function_code,
 470               sizeof(msg->hdr.function_code));
 471
 472        *fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1];
 473        *dom = (unsigned short *)&msg->cprbx.domain;
 474
 475        if (memcmp(function_code, "US", 2) == 0
 476            || memcmp(function_code, "AU", 2) == 0)
 477                ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
 478
 479#ifdef CONFIG_ZCRYPT_DEBUG
 480        if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
 481                ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
 482#endif
 483
 484        /* copy data block */
 485        if (xcRB->request_data_length &&
 486            z_copy_from_user(userspace, req_data, xcRB->request_data_address,
 487                             xcRB->request_data_length))
 488                return -EFAULT;
 489
 490        return 0;
 491}
 492
 493static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg,
 494                                           struct ep11_urb *xcRB,
 495                                           unsigned int *fcode)
 496{
 497        unsigned int lfmt;
 498        static struct type6_hdr static_type6_ep11_hdr = {
 499                .type           =  0x06,
 500                .rqid           = {0x00, 0x01},
 501                .function_code  = {0x00, 0x00},
 502                .agent_id[0]    =  0x58,        /* {'X'} */
 503                .agent_id[1]    =  0x43,        /* {'C'} */
 504                .offset1        =  0x00000058,
 505        };
 506
 507        struct {
 508                struct type6_hdr hdr;
 509                struct ep11_cprb cprbx;
 510                unsigned char   pld_tag;        /* fixed value 0x30 */
 511                unsigned char   pld_lenfmt;     /* payload length format */
 512        } __packed * msg = ap_msg->msg;
 513
 514        struct pld_hdr {
 515                unsigned char   func_tag;       /* fixed value 0x4 */
 516                unsigned char   func_len;       /* fixed value 0x4 */
 517                unsigned int    func_val;       /* function ID     */
 518                unsigned char   dom_tag;        /* fixed value 0x4 */
 519                unsigned char   dom_len;        /* fixed value 0x4 */
 520                unsigned int    dom_val;        /* domain id       */
 521        } __packed * payload_hdr = NULL;
 522
 523        if (CEIL4(xcRB->req_len) < xcRB->req_len)
 524                return -EINVAL; /* overflow after alignment*/
 525
 526        /* length checks */
 527        ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcRB->req_len);
 528        if (ap_msg->len > ap_msg->bufsize)
 529                return -EINVAL;
 530
 531        if (CEIL4(xcRB->resp_len) < xcRB->resp_len)
 532                return -EINVAL; /* overflow after alignment*/
 533
 534        /* prepare type6 header */
 535        msg->hdr = static_type6_ep11_hdr;
 536        msg->hdr.ToCardLen1   = xcRB->req_len;
 537        msg->hdr.FromCardLen1 = xcRB->resp_len;
 538
 539        /* Import CPRB data from the ioctl input parameter */
 540        if (z_copy_from_user(userspace, &(msg->cprbx.cprb_len),
 541                             (char __force __user *)xcRB->req, xcRB->req_len)) {
 542                return -EFAULT;
 543        }
 544
 545        if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
 546                switch (msg->pld_lenfmt & 0x03) {
 547                case 1:
 548                        lfmt = 2;
 549                        break;
 550                case 2:
 551                        lfmt = 3;
 552                        break;
 553                default:
 554                        return -EINVAL;
 555                }
 556        } else {
 557                lfmt = 1; /* length format #1 */
 558        }
 559        payload_hdr = (struct pld_hdr *)((&(msg->pld_lenfmt))+lfmt);
 560        *fcode = payload_hdr->func_val & 0xFFFF;
 561
 562        /* enable special processing based on the cprbs flags special bit */
 563        if (msg->cprbx.flags & 0x20)
 564                ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
 565
 566#ifdef CONFIG_ZCRYPT_DEBUG
 567        if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
 568                ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
 569#endif
 570
 571        return 0;
 572}
 573
 574/*
 575 * Copy results from a type 86 ICA reply message back to user space.
 576 *
 577 * @zq: crypto device pointer
 578 * @reply: reply AP message.
 579 * @data: pointer to user output data
 580 * @length: size of user output data
 581 *
 582 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
 583 */
 584struct type86x_reply {
 585        struct type86_hdr hdr;
 586        struct type86_fmt2_ext fmt2;
 587        struct CPRBX cprbx;
 588        unsigned char pad[4];   /* 4 byte function code/rules block ? */
 589        unsigned short length;
 590        char text[];
 591} __packed;
 592
 593struct type86_ep11_reply {
 594        struct type86_hdr hdr;
 595        struct type86_fmt2_ext fmt2;
 596        struct ep11_cprb cprbx;
 597} __packed;
 598
 599static int convert_type86_ica(struct zcrypt_queue *zq,
 600                          struct ap_message *reply,
 601                          char __user *outputdata,
 602                          unsigned int outputdatalength)
 603{
 604        static unsigned char static_pad[] = {
 605                0x00, 0x02,
 606                0x1B, 0x7B, 0x5D, 0xB5, 0x75, 0x01, 0x3D, 0xFD,
 607                0x8D, 0xD1, 0xC7, 0x03, 0x2D, 0x09, 0x23, 0x57,
 608                0x89, 0x49, 0xB9, 0x3F, 0xBB, 0x99, 0x41, 0x5B,
 609                0x75, 0x21, 0x7B, 0x9D, 0x3B, 0x6B, 0x51, 0x39,
 610                0xBB, 0x0D, 0x35, 0xB9, 0x89, 0x0F, 0x93, 0xA5,
 611                0x0B, 0x47, 0xF1, 0xD3, 0xBB, 0xCB, 0xF1, 0x9D,
 612                0x23, 0x73, 0x71, 0xFF, 0xF3, 0xF5, 0x45, 0xFB,
 613                0x61, 0x29, 0x23, 0xFD, 0xF1, 0x29, 0x3F, 0x7F,
 614                0x17, 0xB7, 0x1B, 0xA9, 0x19, 0xBD, 0x57, 0xA9,
 615                0xD7, 0x95, 0xA3, 0xCB, 0xED, 0x1D, 0xDB, 0x45,
 616                0x7D, 0x11, 0xD1, 0x51, 0x1B, 0xED, 0x71, 0xE9,
 617                0xB1, 0xD1, 0xAB, 0xAB, 0x21, 0x2B, 0x1B, 0x9F,
 618                0x3B, 0x9F, 0xF7, 0xF7, 0xBD, 0x63, 0xEB, 0xAD,
 619                0xDF, 0xB3, 0x6F, 0x5B, 0xDB, 0x8D, 0xA9, 0x5D,
 620                0xE3, 0x7D, 0x77, 0x49, 0x47, 0xF5, 0xA7, 0xFD,
 621                0xAB, 0x2F, 0x27, 0x35, 0x77, 0xD3, 0x49, 0xC9,
 622                0x09, 0xEB, 0xB1, 0xF9, 0xBF, 0x4B, 0xCB, 0x2B,
 623                0xEB, 0xEB, 0x05, 0xFF, 0x7D, 0xC7, 0x91, 0x8B,
 624                0x09, 0x83, 0xB9, 0xB9, 0x69, 0x33, 0x39, 0x6B,
 625                0x79, 0x75, 0x19, 0xBF, 0xBB, 0x07, 0x1D, 0xBD,
 626                0x29, 0xBF, 0x39, 0x95, 0x93, 0x1D, 0x35, 0xC7,
 627                0xC9, 0x4D, 0xE5, 0x97, 0x0B, 0x43, 0x9B, 0xF1,
 628                0x16, 0x93, 0x03, 0x1F, 0xA5, 0xFB, 0xDB, 0xF3,
 629                0x27, 0x4F, 0x27, 0x61, 0x05, 0x1F, 0xB9, 0x23,
 630                0x2F, 0xC3, 0x81, 0xA9, 0x23, 0x71, 0x55, 0x55,
 631                0xEB, 0xED, 0x41, 0xE5, 0xF3, 0x11, 0xF1, 0x43,
 632                0x69, 0x03, 0xBD, 0x0B, 0x37, 0x0F, 0x51, 0x8F,
 633                0x0B, 0xB5, 0x89, 0x5B, 0x67, 0xA9, 0xD9, 0x4F,
 634                0x01, 0xF9, 0x21, 0x77, 0x37, 0x73, 0x79, 0xC5,
 635                0x7F, 0x51, 0xC1, 0xCF, 0x97, 0xA1, 0x75, 0xAD,
 636                0x35, 0x9D, 0xD3, 0xD3, 0xA7, 0x9D, 0x5D, 0x41,
 637                0x6F, 0x65, 0x1B, 0xCF, 0xA9, 0x87, 0x91, 0x09
 638        };
 639        struct type86x_reply *msg = reply->msg;
 640        unsigned short service_rc, service_rs;
 641        unsigned int reply_len, pad_len;
 642        char *data;
 643
 644        service_rc = msg->cprbx.ccp_rtcode;
 645        if (unlikely(service_rc != 0)) {
 646                service_rs = msg->cprbx.ccp_rscode;
 647                if ((service_rc == 8 && service_rs == 66) ||
 648                    (service_rc == 8 && service_rs == 65) ||
 649                    (service_rc == 8 && service_rs == 72) ||
 650                    (service_rc == 8 && service_rs == 770) ||
 651                    (service_rc == 12 && service_rs == 769)) {
 652                        ZCRYPT_DBF_WARN("dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n",
 653                                        AP_QID_CARD(zq->queue->qid),
 654                                        AP_QID_QUEUE(zq->queue->qid),
 655                                        (int) service_rc, (int) service_rs);
 656                        return -EINVAL;
 657                }
 658                zq->online = 0;
 659                pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n",
 660                       AP_QID_CARD(zq->queue->qid),
 661                       AP_QID_QUEUE(zq->queue->qid),
 662                       (int) service_rc, (int) service_rs);
 663                ZCRYPT_DBF_ERR("dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n",
 664                               AP_QID_CARD(zq->queue->qid),
 665                               AP_QID_QUEUE(zq->queue->qid),
 666                               (int) service_rc, (int) service_rs);
 667                ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
 668                return -EAGAIN;
 669        }
 670        data = msg->text;
 671        reply_len = msg->length - 2;
 672        if (reply_len > outputdatalength)
 673                return -EINVAL;
 674        /*
 675         * For all encipher requests, the length of the ciphertext (reply_len)
 676         * will always equal the modulus length. For MEX decipher requests
 677         * the output needs to get padded. Minimum pad size is 10.
 678         *
 679         * Currently, the cases where padding will be added is for:
 680         * - PCIXCC_MCL2 using a CRT form token (since PKD didn't support
 681         *   ZERO-PAD and CRT is only supported for PKD requests)
 682         * - PCICC, always
 683         */
 684        pad_len = outputdatalength - reply_len;
 685        if (pad_len > 0) {
 686                if (pad_len < 10)
 687                        return -EINVAL;
 688                /* 'restore' padding left in the CEXXC card. */
 689                if (copy_to_user(outputdata, static_pad, pad_len - 1))
 690                        return -EFAULT;
 691                if (put_user(0, outputdata + pad_len - 1))
 692                        return -EFAULT;
 693        }
 694        /* Copy the crypto response to user space. */
 695        if (copy_to_user(outputdata + pad_len, data, reply_len))
 696                return -EFAULT;
 697        return 0;
 698}
 699
 700/*
 701 * Copy results from a type 86 XCRB reply message back to user space.
 702 *
 703 * @zq: crypto device pointer
 704 * @reply: reply AP message.
 705 * @xcRB: pointer to XCRB
 706 *
 707 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
 708 */
 709static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq,
 710                               struct ap_message *reply,
 711                               struct ica_xcRB *xcRB)
 712{
 713        struct type86_fmt2_msg *msg = reply->msg;
 714        char *data = reply->msg;
 715
 716        /* Copy CPRB to user */
 717        if (z_copy_to_user(userspace, xcRB->reply_control_blk_addr,
 718                           data + msg->fmt2.offset1, msg->fmt2.count1))
 719                return -EFAULT;
 720        xcRB->reply_control_blk_length = msg->fmt2.count1;
 721
 722        /* Copy data buffer to user */
 723        if (msg->fmt2.count2)
 724                if (z_copy_to_user(userspace, xcRB->reply_data_addr,
 725                                   data + msg->fmt2.offset2, msg->fmt2.count2))
 726                        return -EFAULT;
 727        xcRB->reply_data_length = msg->fmt2.count2;
 728        return 0;
 729}
 730
 731/*
 732 * Copy results from a type 86 EP11 XCRB reply message back to user space.
 733 *
 734 * @zq: crypto device pointer
 735 * @reply: reply AP message.
 736 * @xcRB: pointer to EP11 user request block
 737 *
 738 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
 739 */
 740static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
 741                                    struct ap_message *reply,
 742                                    struct ep11_urb *xcRB)
 743{
 744        struct type86_fmt2_msg *msg = reply->msg;
 745        char *data = reply->msg;
 746
 747        if (xcRB->resp_len < msg->fmt2.count1)
 748                return -EINVAL;
 749
 750        /* Copy response CPRB to user */
 751        if (z_copy_to_user(userspace, (char __force __user *)xcRB->resp,
 752                           data + msg->fmt2.offset1, msg->fmt2.count1))
 753                return -EFAULT;
 754        xcRB->resp_len = msg->fmt2.count1;
 755        return 0;
 756}
 757
 758static int convert_type86_rng(struct zcrypt_queue *zq,
 759                          struct ap_message *reply,
 760                          char *buffer)
 761{
 762        struct {
 763                struct type86_hdr hdr;
 764                struct type86_fmt2_ext fmt2;
 765                struct CPRBX cprbx;
 766        } __packed * msg = reply->msg;
 767        char *data = reply->msg;
 768
 769        if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0)
 770                return -EINVAL;
 771        memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2);
 772        return msg->fmt2.count2;
 773}
 774
 775static int convert_response_ica(struct zcrypt_queue *zq,
 776                            struct ap_message *reply,
 777                            char __user *outputdata,
 778                            unsigned int outputdatalength)
 779{
 780        struct type86x_reply *msg = reply->msg;
 781
 782        switch (msg->hdr.type) {
 783        case TYPE82_RSP_CODE:
 784        case TYPE88_RSP_CODE:
 785                return convert_error(zq, reply);
 786        case TYPE86_RSP_CODE:
 787                if (msg->cprbx.ccp_rtcode &&
 788                   (msg->cprbx.ccp_rscode == 0x14f) &&
 789                   (outputdatalength > 256)) {
 790                        if (zq->zcard->max_exp_bit_length <= 17) {
 791                                zq->zcard->max_exp_bit_length = 17;
 792                                return -EAGAIN;
 793                        } else
 794                                return -EINVAL;
 795                }
 796                if (msg->hdr.reply_code)
 797                        return convert_error(zq, reply);
 798                if (msg->cprbx.cprb_ver_id == 0x02)
 799                        return convert_type86_ica(zq, reply,
 800                                                  outputdata, outputdatalength);
 801                fallthrough;    /* wrong cprb version is an unknown response */
 802        default:
 803                /* Unknown response type, this should NEVER EVER happen */
 804                zq->online = 0;
 805                pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
 806                       AP_QID_CARD(zq->queue->qid),
 807                       AP_QID_QUEUE(zq->queue->qid),
 808                       (int) msg->hdr.type);
 809                ZCRYPT_DBF_ERR("dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
 810                               AP_QID_CARD(zq->queue->qid),
 811                               AP_QID_QUEUE(zq->queue->qid),
 812                               (int) msg->hdr.type);
 813                ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
 814                return -EAGAIN;
 815        }
 816}
 817
 818static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq,
 819                                 struct ap_message *reply,
 820                                 struct ica_xcRB *xcRB)
 821{
 822        struct type86x_reply *msg = reply->msg;
 823
 824        switch (msg->hdr.type) {
 825        case TYPE82_RSP_CODE:
 826        case TYPE88_RSP_CODE:
 827                xcRB->status = 0x0008044DL; /* HDD_InvalidParm */
 828                return convert_error(zq, reply);
 829        case TYPE86_RSP_CODE:
 830                if (msg->hdr.reply_code) {
 831                        memcpy(&(xcRB->status), msg->fmt2.apfs, sizeof(u32));
 832                        return convert_error(zq, reply);
 833                }
 834                if (msg->cprbx.cprb_ver_id == 0x02)
 835                        return convert_type86_xcrb(userspace, zq, reply, xcRB);
 836                fallthrough;    /* wrong cprb version is an unknown response */
 837        default: /* Unknown response type, this should NEVER EVER happen */
 838                xcRB->status = 0x0008044DL; /* HDD_InvalidParm */
 839                zq->online = 0;
 840                pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
 841                       AP_QID_CARD(zq->queue->qid),
 842                       AP_QID_QUEUE(zq->queue->qid),
 843                       (int) msg->hdr.type);
 844                ZCRYPT_DBF_ERR("dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
 845                               AP_QID_CARD(zq->queue->qid),
 846                               AP_QID_QUEUE(zq->queue->qid),
 847                               (int) msg->hdr.type);
 848                ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
 849                return -EAGAIN;
 850        }
 851}
 852
 853static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
 854                                      struct ap_message *reply, struct ep11_urb *xcRB)
 855{
 856        struct type86_ep11_reply *msg = reply->msg;
 857
 858        switch (msg->hdr.type) {
 859        case TYPE82_RSP_CODE:
 860        case TYPE87_RSP_CODE:
 861                return convert_error(zq, reply);
 862        case TYPE86_RSP_CODE:
 863                if (msg->hdr.reply_code)
 864                        return convert_error(zq, reply);
 865                if (msg->cprbx.cprb_ver_id == 0x04)
 866                        return convert_type86_ep11_xcrb(userspace, zq, reply, xcRB);
 867                fallthrough;    /* wrong cprb version is an unknown resp */
 868        default: /* Unknown response type, this should NEVER EVER happen */
 869                zq->online = 0;
 870                pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
 871                       AP_QID_CARD(zq->queue->qid),
 872                       AP_QID_QUEUE(zq->queue->qid),
 873                       (int) msg->hdr.type);
 874                ZCRYPT_DBF_ERR("dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
 875                               AP_QID_CARD(zq->queue->qid),
 876                               AP_QID_QUEUE(zq->queue->qid),
 877                               (int) msg->hdr.type);
 878                ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
 879                return -EAGAIN;
 880        }
 881}
 882
 883static int convert_response_rng(struct zcrypt_queue *zq,
 884                                 struct ap_message *reply,
 885                                 char *data)
 886{
 887        struct type86x_reply *msg = reply->msg;
 888
 889        switch (msg->hdr.type) {
 890        case TYPE82_RSP_CODE:
 891        case TYPE88_RSP_CODE:
 892                return -EINVAL;
 893        case TYPE86_RSP_CODE:
 894                if (msg->hdr.reply_code)
 895                        return -EINVAL;
 896                if (msg->cprbx.cprb_ver_id == 0x02)
 897                        return convert_type86_rng(zq, reply, data);
 898                fallthrough;    /* wrong cprb version is an unknown response */
 899        default: /* Unknown response type, this should NEVER EVER happen */
 900                zq->online = 0;
 901                pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
 902                       AP_QID_CARD(zq->queue->qid),
 903                       AP_QID_QUEUE(zq->queue->qid),
 904                       (int) msg->hdr.type);
 905                ZCRYPT_DBF_ERR("dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
 906                               AP_QID_CARD(zq->queue->qid),
 907                               AP_QID_QUEUE(zq->queue->qid),
 908                               (int) msg->hdr.type);
 909                ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
 910                return -EAGAIN;
 911        }
 912}
 913
 914/*
 915 * This function is called from the AP bus code after a crypto request
 916 * "msg" has finished with the reply message "reply".
 917 * It is called from tasklet context.
 918 * @aq: pointer to the AP queue
 919 * @msg: pointer to the AP message
 920 * @reply: pointer to the AP reply message
 921 */
 922static void zcrypt_msgtype6_receive(struct ap_queue *aq,
 923                                  struct ap_message *msg,
 924                                  struct ap_message *reply)
 925{
 926        static struct error_hdr error_reply = {
 927                .type = TYPE82_RSP_CODE,
 928                .reply_code = REP82_ERROR_MACHINE_FAILURE,
 929        };
 930        struct response_type *resp_type =
 931                (struct response_type *) msg->private;
 932        struct type86x_reply *t86r;
 933        int len;
 934
 935        /* Copy the reply message to the request message buffer. */
 936        if (!reply)
 937                goto out;       /* ap_msg->rc indicates the error */
 938        t86r = reply->msg;
 939        if (t86r->hdr.type == TYPE86_RSP_CODE &&
 940                 t86r->cprbx.cprb_ver_id == 0x02) {
 941                switch (resp_type->type) {
 942                case CEXXC_RESPONSE_TYPE_ICA:
 943                        len = sizeof(struct type86x_reply) + t86r->length - 2;
 944                        if (len > reply->bufsize || len > msg->bufsize) {
 945                                msg->rc = -EMSGSIZE;
 946                        } else {
 947                                memcpy(msg->msg, reply->msg, len);
 948                                msg->len = len;
 949                        }
 950                        break;
 951                case CEXXC_RESPONSE_TYPE_XCRB:
 952                        len = t86r->fmt2.offset2 + t86r->fmt2.count2;
 953                        if (len > reply->bufsize || len > msg->bufsize) {
 954                                msg->rc = -EMSGSIZE;
 955                        } else {
 956                                memcpy(msg->msg, reply->msg, len);
 957                                msg->len = len;
 958                        }
 959                        break;
 960                default:
 961                        memcpy(msg->msg, &error_reply, sizeof(error_reply));
 962                }
 963        } else
 964                memcpy(msg->msg, reply->msg, sizeof(error_reply));
 965out:
 966        complete(&(resp_type->work));
 967}
 968
 969/*
 970 * This function is called from the AP bus code after a crypto request
 971 * "msg" has finished with the reply message "reply".
 972 * It is called from tasklet context.
 973 * @aq: pointer to the AP queue
 974 * @msg: pointer to the AP message
 975 * @reply: pointer to the AP reply message
 976 */
 977static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
 978                                         struct ap_message *msg,
 979                                         struct ap_message *reply)
 980{
 981        static struct error_hdr error_reply = {
 982                .type = TYPE82_RSP_CODE,
 983                .reply_code = REP82_ERROR_MACHINE_FAILURE,
 984        };
 985        struct response_type *resp_type =
 986                (struct response_type *)msg->private;
 987        struct type86_ep11_reply *t86r;
 988        int len;
 989
 990        /* Copy the reply message to the request message buffer. */
 991        if (!reply)
 992                goto out;       /* ap_msg->rc indicates the error */
 993        t86r = reply->msg;
 994        if (t86r->hdr.type == TYPE86_RSP_CODE &&
 995            t86r->cprbx.cprb_ver_id == 0x04) {
 996                switch (resp_type->type) {
 997                case CEXXC_RESPONSE_TYPE_EP11:
 998                        len = t86r->fmt2.offset1 + t86r->fmt2.count1;
 999                        if (len > reply->bufsize || len > msg->bufsize) {
1000                                msg->rc = -EMSGSIZE;

1001                        } else {
1002                                memcpy(msg->msg, reply->msg, len);
1003                                msg->len = len;
1004                        }
1005                        break;
1006                default:
1007                        memcpy(msg->msg, &error_reply, sizeof(error_reply));
1008                }
1009        } else {
1010                memcpy(msg->msg, reply->msg, sizeof(error_reply));
1011        }
1012out:
1013        complete(&(resp_type->work));
1014}
1015
1016static atomic_t zcrypt_step = ATOMIC_INIT(0);
1017
1018/*
1019 * The request distributor calls this function if it picked the CEXxC
1020 * device to handle a modexpo request.
1021 * @zq: pointer to zcrypt_queue structure that identifies the
1022 *      CEXxC device to the request distributor
1023 * @mex: pointer to the modexpo request buffer
1024 */
1025static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq,
1026                                    struct ica_rsa_modexpo *mex,
1027                                    struct ap_message *ap_msg)
1028{
1029        struct response_type resp_type = {
1030                .type = CEXXC_RESPONSE_TYPE_ICA,
1031        };
1032        int rc;
1033
1034        ap_msg->msg = (void *) get_zeroed_page(GFP_KERNEL);
1035        if (!ap_msg->msg)
1036                return -ENOMEM;
1037        ap_msg->bufsize = PAGE_SIZE;
1038        ap_msg->receive = zcrypt_msgtype6_receive;
1039        ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1040                atomic_inc_return(&zcrypt_step);
1041        ap_msg->private = &resp_type;
1042        rc = ICAMEX_msg_to_type6MEX_msgX(zq, ap_msg, mex);
1043        if (rc)
1044                goto out_free;
1045        init_completion(&resp_type.work);
1046        rc = ap_queue_message(zq->queue, ap_msg);
1047        if (rc)
1048                goto out_free;
1049        rc = wait_for_completion_interruptible(&resp_type.work);
1050        if (rc == 0) {
1051                rc = ap_msg->rc;
1052                if (rc == 0)
1053                        rc = convert_response_ica(zq, ap_msg,
1054                                                  mex->outputdata,
1055                                                  mex->outputdatalength);
1056        } else
1057                /* Signal pending. */
1058                ap_cancel_message(zq->queue, ap_msg);
1059out_free:
1060        free_page((unsigned long) ap_msg->msg);
1061        ap_msg->private = NULL;
1062        ap_msg->msg = NULL;
1063        return rc;
1064}
1065
1066/*
1067 * The request distributor calls this function if it picked the CEXxC
1068 * device to handle a modexpo_crt request.
1069 * @zq: pointer to zcrypt_queue structure that identifies the
1070 *      CEXxC device to the request distributor
1071 * @crt: pointer to the modexpoc_crt request buffer
1072 */
1073static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq,
1074                                        struct ica_rsa_modexpo_crt *crt,
1075                                        struct ap_message *ap_msg)
1076{
1077        struct response_type resp_type = {
1078                .type = CEXXC_RESPONSE_TYPE_ICA,
1079        };
1080        int rc;
1081
1082        ap_msg->msg = (void *) get_zeroed_page(GFP_KERNEL);
1083        if (!ap_msg->msg)
1084                return -ENOMEM;
1085        ap_msg->bufsize = PAGE_SIZE;
1086        ap_msg->receive = zcrypt_msgtype6_receive;
1087        ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1088                atomic_inc_return(&zcrypt_step);
1089        ap_msg->private = &resp_type;
1090        rc = ICACRT_msg_to_type6CRT_msgX(zq, ap_msg, crt);
1091        if (rc)
1092                goto out_free;
1093        init_completion(&resp_type.work);
1094        rc = ap_queue_message(zq->queue, ap_msg);
1095        if (rc)
1096                goto out_free;
1097        rc = wait_for_completion_interruptible(&resp_type.work);
1098        if (rc == 0) {
1099                rc = ap_msg->rc;
1100                if (rc == 0)
1101                        rc = convert_response_ica(zq, ap_msg,
1102                                                  crt->outputdata,
1103                                                  crt->outputdatalength);
1104        } else {
1105                /* Signal pending. */
1106                ap_cancel_message(zq->queue, ap_msg);
1107        }
1108out_free:
1109        free_page((unsigned long) ap_msg->msg);
1110        ap_msg->private = NULL;
1111        ap_msg->msg = NULL;
1112        return rc;
1113}
1114
1115/*
1116 * Fetch function code from cprb.
1117 * Extracting the fc requires to copy the cprb from userspace.
1118 * So this function allocates memory and needs an ap_msg prepared
1119 * by the caller with ap_init_message(). Also the caller has to
1120 * make sure ap_release_message() is always called even on failure.
1121 */
1122unsigned int get_cprb_fc(bool userspace, struct ica_xcRB *xcRB,
1123                         struct ap_message *ap_msg,
1124                         unsigned int *func_code, unsigned short **dom)
1125{
1126        struct response_type resp_type = {
1127                .type = CEXXC_RESPONSE_TYPE_XCRB,
1128        };
1129
1130        ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1131        ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1132        if (!ap_msg->msg)
1133                return -ENOMEM;
1134        ap_msg->receive = zcrypt_msgtype6_receive;
1135        ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1136                                atomic_inc_return(&zcrypt_step);
1137        ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1138        if (!ap_msg->private)
1139                return -ENOMEM;
1140        return XCRB_msg_to_type6CPRB_msgX(userspace, ap_msg, xcRB, func_code, dom);
1141}
1142
1143/*
1144 * The request distributor calls this function if it picked the CEXxC
1145 * device to handle a send_cprb request.
1146 * @zq: pointer to zcrypt_queue structure that identifies the
1147 *      CEXxC device to the request distributor
1148 * @xcRB: pointer to the send_cprb request buffer
1149 */
1150static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
1151                                      struct ica_xcRB *xcRB,
1152                                      struct ap_message *ap_msg)
1153{
1154        int rc;
1155        struct response_type *rtype = (struct response_type *)(ap_msg->private);
1156
1157        init_completion(&rtype->work);
1158        rc = ap_queue_message(zq->queue, ap_msg);
1159        if (rc)
1160                goto out;
1161        rc = wait_for_completion_interruptible(&rtype->work);
1162        if (rc == 0) {
1163                rc = ap_msg->rc;
1164                if (rc == 0)
1165                        rc = convert_response_xcrb(userspace, zq, ap_msg, xcRB);
1166        } else
1167                /* Signal pending. */
1168                ap_cancel_message(zq->queue, ap_msg);
1169out:
1170        return rc;
1171}
1172
1173/*
1174 * Fetch function code from ep11 cprb.
1175 * Extracting the fc requires to copy the ep11 cprb from userspace.
1176 * So this function allocates memory and needs an ap_msg prepared
1177 * by the caller with ap_init_message(). Also the caller has to
1178 * make sure ap_release_message() is always called even on failure.
1179 */
1180unsigned int get_ep11cprb_fc(bool userspace, struct ep11_urb *xcrb,
1181                             struct ap_message *ap_msg,
1182                             unsigned int *func_code)
1183{
1184        struct response_type resp_type = {
1185                .type = CEXXC_RESPONSE_TYPE_EP11,
1186        };
1187
1188        ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1189        ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1190        if (!ap_msg->msg)
1191                return -ENOMEM;
1192        ap_msg->receive = zcrypt_msgtype6_receive_ep11;
1193        ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1194                                atomic_inc_return(&zcrypt_step);
1195        ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1196        if (!ap_msg->private)
1197                return -ENOMEM;
1198        return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb, func_code);
1199}
1200
1201/*
1202 * The request distributor calls this function if it picked the CEX4P
1203 * device to handle a send_ep11_cprb request.
1204 * @zq: pointer to zcrypt_queue structure that identifies the
1205 *        CEX4P device to the request distributor
1206 * @xcRB: pointer to the ep11 user request block
1207 */
1208static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq,
1209                                           struct ep11_urb *xcrb,
1210                                           struct ap_message *ap_msg)
1211{
1212        int rc;
1213        unsigned int lfmt;
1214        struct response_type *rtype = (struct response_type *)(ap_msg->private);
1215        struct {
1216                struct type6_hdr hdr;
1217                struct ep11_cprb cprbx;
1218                unsigned char   pld_tag;        /* fixed value 0x30 */
1219                unsigned char   pld_lenfmt;     /* payload length format */
1220        } __packed * msg = ap_msg->msg;
1221        struct pld_hdr {
1222                unsigned char   func_tag;       /* fixed value 0x4 */
1223                unsigned char   func_len;       /* fixed value 0x4 */
1224                unsigned int    func_val;       /* function ID     */
1225                unsigned char   dom_tag;        /* fixed value 0x4 */
1226                unsigned char   dom_len;        /* fixed value 0x4 */
1227                unsigned int    dom_val;        /* domain id       */
1228        } __packed * payload_hdr = NULL;
1229
1230
1231        /*
1232         * The target domain field within the cprb body/payload block will be
1233         * replaced by the usage domain for non-management commands only.
1234         * Therefore we check the first bit of the 'flags' parameter for
1235         * management command indication.
1236         *   0 - non management command
1237         *   1 - management command
1238         */
1239        if (!((msg->cprbx.flags & 0x80) == 0x80)) {
1240                msg->cprbx.target_id = (unsigned int)
1241                                        AP_QID_QUEUE(zq->queue->qid);
1242
1243                if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
1244                        switch (msg->pld_lenfmt & 0x03) {
1245                        case 1:
1246                                lfmt = 2;
1247                                break;
1248                        case 2:
1249                                lfmt = 3;
1250                                break;
1251                        default:
1252                                return -EINVAL;
1253                        }
1254                } else {
1255                        lfmt = 1; /* length format #1 */
1256                }
1257                payload_hdr = (struct pld_hdr *)((&(msg->pld_lenfmt))+lfmt);
1258                payload_hdr->dom_val = (unsigned int)
1259                                        AP_QID_QUEUE(zq->queue->qid);
1260        }
1261
1262        init_completion(&rtype->work);
1263        rc = ap_queue_message(zq->queue, ap_msg);
1264        if (rc)
1265                goto out;
1266        rc = wait_for_completion_interruptible(&rtype->work);
1267        if (rc == 0) {
1268                rc = ap_msg->rc;
1269                if (rc == 0)
1270                        rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb);
1271        } else
1272                /* Signal pending. */
1273                ap_cancel_message(zq->queue, ap_msg);
1274out:
1275        return rc;
1276}
1277
1278unsigned int get_rng_fc(struct ap_message *ap_msg, int *func_code,
1279                                                   unsigned int *domain)
1280{
1281        struct response_type resp_type = {
1282                .type = CEXXC_RESPONSE_TYPE_XCRB,
1283        };
1284
1285        ap_msg->bufsize = AP_DEFAULT_MAX_MSG_SIZE;
1286        ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1287        if (!ap_msg->msg)
1288                return -ENOMEM;
1289        ap_msg->receive = zcrypt_msgtype6_receive;
1290        ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1291                                atomic_inc_return(&zcrypt_step);
1292        ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1293        if (!ap_msg->private)
1294                return -ENOMEM;
1295
1296        rng_type6CPRB_msgX(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain);
1297
1298        *func_code = HWRNG;
1299        return 0;
1300}
1301
1302/*
1303 * The request distributor calls this function if it picked the CEXxC
1304 * device to generate random data.
1305 * @zq: pointer to zcrypt_queue structure that identifies the
1306 *      CEXxC device to the request distributor
1307 * @buffer: pointer to a memory page to return random data
1308 */
1309static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
1310                                char *buffer, struct ap_message *ap_msg)
1311{
1312        struct {
1313                struct type6_hdr hdr;
1314                struct CPRBX cprbx;
1315                char function_code[2];
1316                short int rule_length;
1317                char rule[8];
1318                short int verb_length;
1319                short int key_length;
1320        } __packed * msg = ap_msg->msg;
1321        struct response_type *rtype = (struct response_type *)(ap_msg->private);
1322        int rc;
1323
1324        msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1325
1326        init_completion(&rtype->work);
1327        rc = ap_queue_message(zq->queue, ap_msg);
1328        if (rc)
1329                goto out;
1330        rc = wait_for_completion_interruptible(&rtype->work);
1331        if (rc == 0) {
1332                rc = ap_msg->rc;
1333                if (rc == 0)
1334                        rc = convert_response_rng(zq, ap_msg, buffer);
1335        } else
1336                /* Signal pending. */
1337                ap_cancel_message(zq->queue, ap_msg);
1338out:
1339        return rc;
1340}
1341
1342/*
1343 * The crypto operations for a CEXxC card.
1344 */
1345static struct zcrypt_ops zcrypt_msgtype6_norng_ops = {
1346        .owner = THIS_MODULE,
1347        .name = MSGTYPE06_NAME,
1348        .variant = MSGTYPE06_VARIANT_NORNG,
1349        .rsa_modexpo = zcrypt_msgtype6_modexpo,
1350        .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1351        .send_cprb = zcrypt_msgtype6_send_cprb,
1352};
1353
1354static struct zcrypt_ops zcrypt_msgtype6_ops = {
1355        .owner = THIS_MODULE,
1356        .name = MSGTYPE06_NAME,
1357        .variant = MSGTYPE06_VARIANT_DEFAULT,
1358        .rsa_modexpo = zcrypt_msgtype6_modexpo,
1359        .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1360        .send_cprb = zcrypt_msgtype6_send_cprb,
1361        .rng = zcrypt_msgtype6_rng,
1362};
1363
1364static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = {
1365        .owner = THIS_MODULE,
1366        .name = MSGTYPE06_NAME,
1367        .variant = MSGTYPE06_VARIANT_EP11,
1368        .rsa_modexpo = NULL,
1369        .rsa_modexpo_crt = NULL,
1370        .send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb,
1371};
1372
1373void __init zcrypt_msgtype6_init(void)
1374{
1375        zcrypt_msgtype_register(&zcrypt_msgtype6_norng_ops);
1376        zcrypt_msgtype_register(&zcrypt_msgtype6_ops);
1377        zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops);
1378}
1379
1380void __exit zcrypt_msgtype6_exit(void)
1381{
1382        zcrypt_msgtype_unregister(&zcrypt_msgtype6_norng_ops);
1383        zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops);
1384        zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops);
1385}
1386