Commit | Line | Data |
---|---|---|
812141a9 | 1 | // SPDX-License-Identifier: GPL-2.0 |
e80d4af0 HF |
2 | /* |
3 | * pkey device driver | |
4 | * | |
5 | * Copyright IBM Corp. 2017 | |
6 | * Author(s): Harald Freudenberger | |
e80d4af0 HF |
7 | */ |
8 | ||
9 | #define KMSG_COMPONENT "pkey" | |
10 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt | |
11 | ||
12 | #include <linux/fs.h> | |
13 | #include <linux/init.h> | |
14 | #include <linux/miscdevice.h> | |
15 | #include <linux/module.h> | |
16 | #include <linux/slab.h> | |
17 | #include <linux/kallsyms.h> | |
18 | #include <linux/debugfs.h> | |
19 | #include <asm/zcrypt.h> | |
20 | #include <asm/cpacf.h> | |
21 | #include <asm/pkey.h> | |
22 | ||
23 | #include "zcrypt_api.h" | |
24 | ||
25 | MODULE_LICENSE("GPL"); | |
26 | MODULE_AUTHOR("IBM Corporation"); | |
27 | MODULE_DESCRIPTION("s390 protected key interface"); | |
28 | ||
29 | /* Size of parameter block used for all cca requests/replies */ | |
30 | #define PARMBSIZE 512 | |
31 | ||
32 | /* Size of vardata block used for some of the cca requests/replies */ | |
33 | #define VARDATASIZE 4096 | |
34 | ||
35 | /* | |
36 | * debug feature data and functions | |
37 | */ | |
38 | ||
39 | static debug_info_t *debug_info; | |
40 | ||
41 | #define DEBUG_DBG(...) debug_sprintf_event(debug_info, 6, ##__VA_ARGS__) | |
42 | #define DEBUG_INFO(...) debug_sprintf_event(debug_info, 5, ##__VA_ARGS__) | |
43 | #define DEBUG_WARN(...) debug_sprintf_event(debug_info, 4, ##__VA_ARGS__) | |
44 | #define DEBUG_ERR(...) debug_sprintf_event(debug_info, 3, ##__VA_ARGS__) | |
45 | ||
46 | static void __init pkey_debug_init(void) | |
47 | { | |
48 | debug_info = debug_register("pkey", 1, 1, 4 * sizeof(long)); | |
49 | debug_register_view(debug_info, &debug_sprintf_view); | |
50 | debug_set_level(debug_info, 3); | |
51 | } | |
52 | ||
53 | static void __exit pkey_debug_exit(void) | |
54 | { | |
55 | debug_unregister(debug_info); | |
56 | } | |
57 | ||
58 | /* inside view of a secure key token (only type 0x01 version 0x04) */ | |
59 | struct secaeskeytoken { | |
60 | u8 type; /* 0x01 for internal key token */ | |
61 | u8 res0[3]; | |
62 | u8 version; /* should be 0x04 */ | |
63 | u8 res1[1]; | |
64 | u8 flag; /* key flags */ | |
65 | u8 res2[1]; | |
66 | u64 mkvp; /* master key verification pattern */ | |
67 | u8 key[32]; /* key value (encrypted) */ | |
68 | u8 cv[8]; /* control vector */ | |
69 | u16 bitsize; /* key bit size */ | |
70 | u16 keysize; /* key byte size */ | |
71 | u8 tvv[4]; /* token validation value */ | |
72 | } __packed; | |
73 | ||
74 | /* | |
75 | * Simple check if the token is a valid CCA secure AES key | |
76 | * token. If keybitsize is given, the bitsize of the key is | |
77 | * also checked. Returns 0 on success or errno value on failure. | |
78 | */ | |
e61a6134 | 79 | static int check_secaeskeytoken(const u8 *token, int keybitsize) |
e80d4af0 HF |
80 | { |
81 | struct secaeskeytoken *t = (struct secaeskeytoken *) token; | |
82 | ||
83 | if (t->type != 0x01) { | |
84 | DEBUG_ERR( | |
85 | "check_secaeskeytoken secure token check failed, type mismatch 0x%02x != 0x01\n", | |
86 | (int) t->type); | |
87 | return -EINVAL; | |
88 | } | |
89 | if (t->version != 0x04) { | |
90 | DEBUG_ERR( | |
91 | "check_secaeskeytoken secure token check failed, version mismatch 0x%02x != 0x04\n", | |
92 | (int) t->version); | |
93 | return -EINVAL; | |
94 | } | |
95 | if (keybitsize > 0 && t->bitsize != keybitsize) { | |
96 | DEBUG_ERR( | |
97 | "check_secaeskeytoken secure token check failed, bitsize mismatch %d != %d\n", | |
98 | (int) t->bitsize, keybitsize); | |
99 | return -EINVAL; | |
100 | } | |
101 | ||
102 | return 0; | |
103 | } | |
104 | ||
105 | /* | |
106 | * Allocate consecutive memory for request CPRB, request param | |
107 | * block, reply CPRB and reply param block and fill in values | |
108 | * for the common fields. Returns 0 on success or errno value | |
109 | * on failure. | |
110 | */ | |
111 | static int alloc_and_prep_cprbmem(size_t paramblen, | |
112 | u8 **pcprbmem, | |
113 | struct CPRBX **preqCPRB, | |
114 | struct CPRBX **prepCPRB) | |
115 | { | |
116 | u8 *cprbmem; | |
117 | size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen; | |
118 | struct CPRBX *preqcblk, *prepcblk; | |
119 | ||
120 | /* | |
121 | * allocate consecutive memory for request CPRB, request param | |
122 | * block, reply CPRB and reply param block | |
123 | */ | |
6396bb22 | 124 | cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL); |
e80d4af0 HF |
125 | if (!cprbmem) |
126 | return -ENOMEM; | |
e80d4af0 HF |
127 | |
128 | preqcblk = (struct CPRBX *) cprbmem; | |
129 | prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen); | |
130 | ||
131 | /* fill request cprb struct */ | |
132 | preqcblk->cprb_len = sizeof(struct CPRBX); | |
133 | preqcblk->cprb_ver_id = 0x02; | |
134 | memcpy(preqcblk->func_id, "T2", 2); | |
135 | preqcblk->rpl_msgbl = cprbplusparamblen; | |
136 | if (paramblen) { | |
137 | preqcblk->req_parmb = | |
138 | ((u8 *) preqcblk) + sizeof(struct CPRBX); | |
139 | preqcblk->rpl_parmb = | |
140 | ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
141 | } | |
142 | ||
143 | *pcprbmem = cprbmem; | |
144 | *preqCPRB = preqcblk; | |
145 | *prepCPRB = prepcblk; | |
146 | ||
147 | return 0; | |
148 | } | |
149 | ||
150 | /* | |
151 | * Free the cprb memory allocated with the function above. | |
152 | * If the scrub value is not zero, the memory is filled | |
153 | * with zeros before freeing (useful if there was some | |
154 | * clear key material in there). | |
155 | */ | |
156 | static void free_cprbmem(void *mem, size_t paramblen, int scrub) | |
157 | { | |
158 | if (scrub) | |
159 | memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen)); | |
160 | kfree(mem); | |
161 | } | |
162 | ||
163 | /* | |
164 | * Helper function to prepare the xcrb struct | |
165 | */ | |
166 | static inline void prep_xcrb(struct ica_xcRB *pxcrb, | |
167 | u16 cardnr, | |
168 | struct CPRBX *preqcblk, | |
169 | struct CPRBX *prepcblk) | |
170 | { | |
171 | memset(pxcrb, 0, sizeof(*pxcrb)); | |
172 | pxcrb->agent_ID = 0x4341; /* 'CA' */ | |
173 | pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr); | |
174 | pxcrb->request_control_blk_length = | |
175 | preqcblk->cprb_len + preqcblk->req_parml; | |
7a003637 | 176 | pxcrb->request_control_blk_addr = (void __user *) preqcblk; |
e80d4af0 | 177 | pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl; |
7a003637 | 178 | pxcrb->reply_control_blk_addr = (void __user *) prepcblk; |
e80d4af0 HF |
179 | } |
180 | ||
181 | /* | |
182 | * Helper function which calls zcrypt_send_cprb with | |
183 | * memory management segment adjusted to kernel space | |
184 | * so that the copy_from_user called within this | |
185 | * function do in fact copy from kernel space. | |
186 | */ | |
187 | static inline int _zcrypt_send_cprb(struct ica_xcRB *xcrb) | |
188 | { | |
189 | int rc; | |
190 | mm_segment_t old_fs = get_fs(); | |
191 | ||
192 | set_fs(KERNEL_DS); | |
193 | rc = zcrypt_send_cprb(xcrb); | |
194 | set_fs(old_fs); | |
195 | ||
196 | return rc; | |
197 | } | |
198 | ||
199 | /* | |
200 | * Generate (random) AES secure key. | |
201 | */ | |
202 | int pkey_genseckey(u16 cardnr, u16 domain, | |
203 | u32 keytype, struct pkey_seckey *seckey) | |
204 | { | |
205 | int i, rc, keysize; | |
206 | int seckeysize; | |
207 | u8 *mem; | |
208 | struct CPRBX *preqcblk, *prepcblk; | |
209 | struct ica_xcRB xcrb; | |
210 | struct kgreqparm { | |
211 | u8 subfunc_code[2]; | |
212 | u16 rule_array_len; | |
213 | struct lv1 { | |
214 | u16 len; | |
215 | char key_form[8]; | |
216 | char key_length[8]; | |
217 | char key_type1[8]; | |
218 | char key_type2[8]; | |
219 | } lv1; | |
220 | struct lv2 { | |
221 | u16 len; | |
222 | struct keyid { | |
223 | u16 len; | |
224 | u16 attr; | |
225 | u8 data[SECKEYBLOBSIZE]; | |
226 | } keyid[6]; | |
227 | } lv2; | |
228 | } *preqparm; | |
229 | struct kgrepparm { | |
230 | u8 subfunc_code[2]; | |
231 | u16 rule_array_len; | |
232 | struct lv3 { | |
233 | u16 len; | |
234 | u16 keyblocklen; | |
235 | struct { | |
236 | u16 toklen; | |
237 | u16 tokattr; | |
238 | u8 tok[0]; | |
239 | /* ... some more data ... */ | |
240 | } keyblock; | |
241 | } lv3; | |
242 | } *prepparm; | |
243 | ||
244 | /* get already prepared memory for 2 cprbs with param block each */ | |
245 | rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk); | |
246 | if (rc) | |
247 | return rc; | |
248 | ||
249 | /* fill request cprb struct */ | |
250 | preqcblk->domain = domain; | |
251 | ||
252 | /* fill request cprb param block with KG request */ | |
253 | preqparm = (struct kgreqparm *) preqcblk->req_parmb; | |
254 | memcpy(preqparm->subfunc_code, "KG", 2); | |
255 | preqparm->rule_array_len = sizeof(preqparm->rule_array_len); | |
256 | preqparm->lv1.len = sizeof(struct lv1); | |
257 | memcpy(preqparm->lv1.key_form, "OP ", 8); | |
258 | switch (keytype) { | |
259 | case PKEY_KEYTYPE_AES_128: | |
260 | keysize = 16; | |
261 | memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8); | |
262 | break; | |
263 | case PKEY_KEYTYPE_AES_192: | |
264 | keysize = 24; | |
265 | memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8); | |
266 | break; | |
267 | case PKEY_KEYTYPE_AES_256: | |
268 | keysize = 32; | |
269 | memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8); | |
270 | break; | |
271 | default: | |
272 | DEBUG_ERR( | |
273 | "pkey_genseckey unknown/unsupported keytype %d\n", | |
274 | keytype); | |
275 | rc = -EINVAL; | |
276 | goto out; | |
277 | } | |
278 | memcpy(preqparm->lv1.key_type1, "AESDATA ", 8); | |
279 | preqparm->lv2.len = sizeof(struct lv2); | |
280 | for (i = 0; i < 6; i++) { | |
281 | preqparm->lv2.keyid[i].len = sizeof(struct keyid); | |
282 | preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10); | |
283 | } | |
284 | preqcblk->req_parml = sizeof(struct kgreqparm); | |
285 | ||
286 | /* fill xcrb struct */ | |
287 | prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk); | |
288 | ||
289 | /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */ | |
290 | rc = _zcrypt_send_cprb(&xcrb); | |
291 | if (rc) { | |
292 | DEBUG_ERR( | |
293 | "pkey_genseckey zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n", | |
294 | (int) cardnr, (int) domain, rc); | |
295 | goto out; | |
296 | } | |
297 | ||
298 | /* check response returncode and reasoncode */ | |
299 | if (prepcblk->ccp_rtcode != 0) { | |
300 | DEBUG_ERR( | |
301 | "pkey_genseckey secure key generate failure, card response %d/%d\n", | |
302 | (int) prepcblk->ccp_rtcode, | |
303 | (int) prepcblk->ccp_rscode); | |
304 | rc = -EIO; | |
305 | goto out; | |
306 | } | |
307 | ||
308 | /* process response cprb param block */ | |
309 | prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
310 | prepparm = (struct kgrepparm *) prepcblk->rpl_parmb; | |
311 | ||
312 | /* check length of the returned secure key token */ | |
313 | seckeysize = prepparm->lv3.keyblock.toklen | |
314 | - sizeof(prepparm->lv3.keyblock.toklen) | |
315 | - sizeof(prepparm->lv3.keyblock.tokattr); | |
316 | if (seckeysize != SECKEYBLOBSIZE) { | |
317 | DEBUG_ERR( | |
318 | "pkey_genseckey secure token size mismatch %d != %d bytes\n", | |
319 | seckeysize, SECKEYBLOBSIZE); | |
320 | rc = -EIO; | |
321 | goto out; | |
322 | } | |
323 | ||
324 | /* check secure key token */ | |
325 | rc = check_secaeskeytoken(prepparm->lv3.keyblock.tok, 8*keysize); | |
326 | if (rc) { | |
327 | rc = -EIO; | |
328 | goto out; | |
329 | } | |
330 | ||
331 | /* copy the generated secure key token */ | |
332 | memcpy(seckey->seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE); | |
333 | ||
334 | out: | |
335 | free_cprbmem(mem, PARMBSIZE, 0); | |
336 | return rc; | |
337 | } | |
338 | EXPORT_SYMBOL(pkey_genseckey); | |
339 | ||
340 | /* | |
341 | * Generate an AES secure key with given key value. | |
342 | */ | |
343 | int pkey_clr2seckey(u16 cardnr, u16 domain, u32 keytype, | |
344 | const struct pkey_clrkey *clrkey, | |
345 | struct pkey_seckey *seckey) | |
346 | { | |
347 | int rc, keysize, seckeysize; | |
348 | u8 *mem; | |
349 | struct CPRBX *preqcblk, *prepcblk; | |
350 | struct ica_xcRB xcrb; | |
351 | struct cmreqparm { | |
352 | u8 subfunc_code[2]; | |
353 | u16 rule_array_len; | |
354 | char rule_array[8]; | |
355 | struct lv1 { | |
356 | u16 len; | |
357 | u8 clrkey[0]; | |
358 | } lv1; | |
359 | struct lv2 { | |
360 | u16 len; | |
361 | struct keyid { | |
362 | u16 len; | |
363 | u16 attr; | |
364 | u8 data[SECKEYBLOBSIZE]; | |
365 | } keyid; | |
366 | } lv2; | |
367 | } *preqparm; | |
368 | struct lv2 *plv2; | |
369 | struct cmrepparm { | |
370 | u8 subfunc_code[2]; | |
371 | u16 rule_array_len; | |
372 | struct lv3 { | |
373 | u16 len; | |
374 | u16 keyblocklen; | |
375 | struct { | |
376 | u16 toklen; | |
377 | u16 tokattr; | |
378 | u8 tok[0]; | |
379 | /* ... some more data ... */ | |
380 | } keyblock; | |
381 | } lv3; | |
382 | } *prepparm; | |
383 | ||
384 | /* get already prepared memory for 2 cprbs with param block each */ | |
385 | rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk); | |
386 | if (rc) | |
387 | return rc; | |
388 | ||
389 | /* fill request cprb struct */ | |
390 | preqcblk->domain = domain; | |
391 | ||
392 | /* fill request cprb param block with CM request */ | |
393 | preqparm = (struct cmreqparm *) preqcblk->req_parmb; | |
394 | memcpy(preqparm->subfunc_code, "CM", 2); | |
395 | memcpy(preqparm->rule_array, "AES ", 8); | |
396 | preqparm->rule_array_len = | |
397 | sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array); | |
398 | switch (keytype) { | |
399 | case PKEY_KEYTYPE_AES_128: | |
400 | keysize = 16; | |
401 | break; | |
402 | case PKEY_KEYTYPE_AES_192: | |
403 | keysize = 24; | |
404 | break; | |
405 | case PKEY_KEYTYPE_AES_256: | |
406 | keysize = 32; | |
407 | break; | |
408 | default: | |
409 | DEBUG_ERR( | |
410 | "pkey_clr2seckey unknown/unsupported keytype %d\n", | |
411 | keytype); | |
412 | rc = -EINVAL; | |
413 | goto out; | |
414 | } | |
415 | preqparm->lv1.len = sizeof(struct lv1) + keysize; | |
416 | memcpy(preqparm->lv1.clrkey, clrkey->clrkey, keysize); | |
417 | plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize); | |
418 | plv2->len = sizeof(struct lv2); | |
419 | plv2->keyid.len = sizeof(struct keyid); | |
420 | plv2->keyid.attr = 0x30; | |
421 | preqcblk->req_parml = sizeof(struct cmreqparm) + keysize; | |
422 | ||
423 | /* fill xcrb struct */ | |
424 | prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk); | |
425 | ||
426 | /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */ | |
427 | rc = _zcrypt_send_cprb(&xcrb); | |
428 | if (rc) { | |
429 | DEBUG_ERR( | |
430 | "pkey_clr2seckey zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n", | |
431 | (int) cardnr, (int) domain, rc); | |
432 | goto out; | |
433 | } | |
434 | ||
435 | /* check response returncode and reasoncode */ | |
436 | if (prepcblk->ccp_rtcode != 0) { | |
437 | DEBUG_ERR( | |
438 | "pkey_clr2seckey clear key import failure, card response %d/%d\n", | |
439 | (int) prepcblk->ccp_rtcode, | |
440 | (int) prepcblk->ccp_rscode); | |
441 | rc = -EIO; | |
442 | goto out; | |
443 | } | |
444 | ||
445 | /* process response cprb param block */ | |
446 | prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
447 | prepparm = (struct cmrepparm *) prepcblk->rpl_parmb; | |
448 | ||
449 | /* check length of the returned secure key token */ | |
450 | seckeysize = prepparm->lv3.keyblock.toklen | |
451 | - sizeof(prepparm->lv3.keyblock.toklen) | |
452 | - sizeof(prepparm->lv3.keyblock.tokattr); | |
453 | if (seckeysize != SECKEYBLOBSIZE) { | |
454 | DEBUG_ERR( | |
455 | "pkey_clr2seckey secure token size mismatch %d != %d bytes\n", | |
456 | seckeysize, SECKEYBLOBSIZE); | |
457 | rc = -EIO; | |
458 | goto out; | |
459 | } | |
460 | ||
461 | /* check secure key token */ | |
462 | rc = check_secaeskeytoken(prepparm->lv3.keyblock.tok, 8*keysize); | |
463 | if (rc) { | |
464 | rc = -EIO; | |
465 | goto out; | |
466 | } | |
467 | ||
468 | /* copy the generated secure key token */ | |
469 | memcpy(seckey->seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE); | |
470 | ||
471 | out: | |
472 | free_cprbmem(mem, PARMBSIZE, 1); | |
473 | return rc; | |
474 | } | |
475 | EXPORT_SYMBOL(pkey_clr2seckey); | |
476 | ||
477 | /* | |
478 | * Derive a proteced key from the secure key blob. | |
479 | */ | |
480 | int pkey_sec2protkey(u16 cardnr, u16 domain, | |
481 | const struct pkey_seckey *seckey, | |
482 | struct pkey_protkey *protkey) | |
483 | { | |
484 | int rc; | |
485 | u8 *mem; | |
486 | struct CPRBX *preqcblk, *prepcblk; | |
487 | struct ica_xcRB xcrb; | |
488 | struct uskreqparm { | |
489 | u8 subfunc_code[2]; | |
490 | u16 rule_array_len; | |
491 | struct lv1 { | |
492 | u16 len; | |
493 | u16 attr_len; | |
494 | u16 attr_flags; | |
495 | } lv1; | |
496 | struct lv2 { | |
497 | u16 len; | |
498 | u16 attr_len; | |
499 | u16 attr_flags; | |
500 | u8 token[0]; /* cca secure key token */ | |
501 | } lv2 __packed; | |
502 | } *preqparm; | |
503 | struct uskrepparm { | |
504 | u8 subfunc_code[2]; | |
505 | u16 rule_array_len; | |
506 | struct lv3 { | |
507 | u16 len; | |
508 | u16 attr_len; | |
509 | u16 attr_flags; | |
510 | struct cpacfkeyblock { | |
511 | u8 version; /* version of this struct */ | |
512 | u8 flags[2]; | |
513 | u8 algo; | |
514 | u8 form; | |
515 | u8 pad1[3]; | |
516 | u16 keylen; | |
517 | u8 key[64]; /* the key (keylen bytes) */ | |
518 | u16 keyattrlen; | |
519 | u8 keyattr[32]; | |
520 | u8 pad2[1]; | |
521 | u8 vptype; | |
522 | u8 vp[32]; /* verification pattern */ | |
523 | } keyblock; | |
524 | } lv3 __packed; | |
525 | } *prepparm; | |
526 | ||
527 | /* get already prepared memory for 2 cprbs with param block each */ | |
528 | rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk); | |
529 | if (rc) | |
530 | return rc; | |
531 | ||
532 | /* fill request cprb struct */ | |
533 | preqcblk->domain = domain; | |
534 | ||
535 | /* fill request cprb param block with USK request */ | |
536 | preqparm = (struct uskreqparm *) preqcblk->req_parmb; | |
537 | memcpy(preqparm->subfunc_code, "US", 2); | |
538 | preqparm->rule_array_len = sizeof(preqparm->rule_array_len); | |
539 | preqparm->lv1.len = sizeof(struct lv1); | |
540 | preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len); | |
541 | preqparm->lv1.attr_flags = 0x0001; | |
542 | preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE; | |
543 | preqparm->lv2.attr_len = sizeof(struct lv2) | |
544 | - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE; | |
545 | preqparm->lv2.attr_flags = 0x0000; | |
546 | memcpy(preqparm->lv2.token, seckey->seckey, SECKEYBLOBSIZE); | |
547 | preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE; | |
548 | ||
549 | /* fill xcrb struct */ | |
550 | prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk); | |
551 | ||
552 | /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */ | |
553 | rc = _zcrypt_send_cprb(&xcrb); | |
554 | if (rc) { | |
555 | DEBUG_ERR( | |
556 | "pkey_sec2protkey zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n", | |
557 | (int) cardnr, (int) domain, rc); | |
558 | goto out; | |
559 | } | |
560 | ||
561 | /* check response returncode and reasoncode */ | |
562 | if (prepcblk->ccp_rtcode != 0) { | |
563 | DEBUG_ERR( | |
564 | "pkey_sec2protkey unwrap secure key failure, card response %d/%d\n", | |
565 | (int) prepcblk->ccp_rtcode, | |
566 | (int) prepcblk->ccp_rscode); | |
567 | rc = -EIO; | |
568 | goto out; | |
569 | } | |
ca681ec8 HF |
570 | if (prepcblk->ccp_rscode != 0) { |
571 | DEBUG_WARN( | |
572 | "pkey_sec2protkey unwrap secure key warning, card response %d/%d\n", | |
573 | (int) prepcblk->ccp_rtcode, | |
574 | (int) prepcblk->ccp_rscode); | |
575 | } | |
e80d4af0 HF |
576 | |
577 | /* process response cprb param block */ | |
578 | prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
579 | prepparm = (struct uskrepparm *) prepcblk->rpl_parmb; | |
580 | ||
581 | /* check the returned keyblock */ | |
582 | if (prepparm->lv3.keyblock.version != 0x01) { | |
583 | DEBUG_ERR( | |
584 | "pkey_sec2protkey reply param keyblock version mismatch 0x%02x != 0x01\n", | |
585 | (int) prepparm->lv3.keyblock.version); | |
586 | rc = -EIO; | |
587 | goto out; | |
588 | } | |
589 | ||
590 | /* copy the tanslated protected key */ | |
591 | switch (prepparm->lv3.keyblock.keylen) { | |
592 | case 16+32: | |
593 | protkey->type = PKEY_KEYTYPE_AES_128; | |
594 | break; | |
595 | case 24+32: | |
596 | protkey->type = PKEY_KEYTYPE_AES_192; | |
597 | break; | |
598 | case 32+32: | |
599 | protkey->type = PKEY_KEYTYPE_AES_256; | |
600 | break; | |
601 | default: | |
602 | DEBUG_ERR("pkey_sec2protkey unknown/unsupported keytype %d\n", | |
603 | prepparm->lv3.keyblock.keylen); | |
604 | rc = -EIO; | |
605 | goto out; | |
606 | } | |
607 | protkey->len = prepparm->lv3.keyblock.keylen; | |
608 | memcpy(protkey->protkey, prepparm->lv3.keyblock.key, protkey->len); | |
609 | ||
610 | out: | |
611 | free_cprbmem(mem, PARMBSIZE, 0); | |
612 | return rc; | |
613 | } | |
614 | EXPORT_SYMBOL(pkey_sec2protkey); | |
615 | ||
616 | /* | |
617 | * Create a protected key from a clear key value. | |
618 | */ | |
619 | int pkey_clr2protkey(u32 keytype, | |
620 | const struct pkey_clrkey *clrkey, | |
621 | struct pkey_protkey *protkey) | |
622 | { | |
623 | long fc; | |
624 | int keysize; | |
625 | u8 paramblock[64]; | |
626 | ||
627 | switch (keytype) { | |
628 | case PKEY_KEYTYPE_AES_128: | |
629 | keysize = 16; | |
630 | fc = CPACF_PCKMO_ENC_AES_128_KEY; | |
631 | break; | |
632 | case PKEY_KEYTYPE_AES_192: | |
633 | keysize = 24; | |
634 | fc = CPACF_PCKMO_ENC_AES_192_KEY; | |
635 | break; | |
636 | case PKEY_KEYTYPE_AES_256: | |
637 | keysize = 32; | |
638 | fc = CPACF_PCKMO_ENC_AES_256_KEY; | |
639 | break; | |
640 | default: | |
641 | DEBUG_ERR("pkey_clr2protkey unknown/unsupported keytype %d\n", | |
642 | keytype); | |
643 | return -EINVAL; | |
644 | } | |
645 | ||
646 | /* prepare param block */ | |
647 | memset(paramblock, 0, sizeof(paramblock)); | |
648 | memcpy(paramblock, clrkey->clrkey, keysize); | |
649 | ||
650 | /* call the pckmo instruction */ | |
651 | cpacf_pckmo(fc, paramblock); | |
652 | ||
653 | /* copy created protected key */ | |
654 | protkey->type = keytype; | |
655 | protkey->len = keysize + 32; | |
656 | memcpy(protkey->protkey, paramblock, keysize + 32); | |
657 | ||
658 | return 0; | |
659 | } | |
660 | EXPORT_SYMBOL(pkey_clr2protkey); | |
661 | ||
662 | /* | |
663 | * query cryptographic facility from adapter | |
664 | */ | |
665 | static int query_crypto_facility(u16 cardnr, u16 domain, | |
666 | const char *keyword, | |
667 | u8 *rarray, size_t *rarraylen, | |
668 | u8 *varray, size_t *varraylen) | |
669 | { | |
670 | int rc; | |
671 | u16 len; | |
672 | u8 *mem, *ptr; | |
673 | struct CPRBX *preqcblk, *prepcblk; | |
674 | struct ica_xcRB xcrb; | |
675 | struct fqreqparm { | |
676 | u8 subfunc_code[2]; | |
677 | u16 rule_array_len; | |
678 | char rule_array[8]; | |
679 | struct lv1 { | |
680 | u16 len; | |
681 | u8 data[VARDATASIZE]; | |
682 | } lv1; | |
683 | u16 dummylen; | |
684 | } *preqparm; | |
685 | size_t parmbsize = sizeof(struct fqreqparm); | |
686 | struct fqrepparm { | |
687 | u8 subfunc_code[2]; | |
688 | u8 lvdata[0]; | |
689 | } *prepparm; | |
690 | ||
691 | /* get already prepared memory for 2 cprbs with param block each */ | |
692 | rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk); | |
693 | if (rc) | |
694 | return rc; | |
695 | ||
696 | /* fill request cprb struct */ | |
697 | preqcblk->domain = domain; | |
698 | ||
699 | /* fill request cprb param block with FQ request */ | |
700 | preqparm = (struct fqreqparm *) preqcblk->req_parmb; | |
701 | memcpy(preqparm->subfunc_code, "FQ", 2); | |
702 | strncpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array)); | |
703 | preqparm->rule_array_len = | |
704 | sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array); | |
705 | preqparm->lv1.len = sizeof(preqparm->lv1); | |
706 | preqparm->dummylen = sizeof(preqparm->dummylen); | |
707 | preqcblk->req_parml = parmbsize; | |
708 | ||
709 | /* fill xcrb struct */ | |
710 | prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk); | |
711 | ||
712 | /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */ | |
713 | rc = _zcrypt_send_cprb(&xcrb); | |
714 | if (rc) { | |
715 | DEBUG_ERR( | |
716 | "query_crypto_facility zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n", | |
717 | (int) cardnr, (int) domain, rc); | |
718 | goto out; | |
719 | } | |
720 | ||
721 | /* check response returncode and reasoncode */ | |
722 | if (prepcblk->ccp_rtcode != 0) { | |
723 | DEBUG_ERR( | |
724 | "query_crypto_facility unwrap secure key failure, card response %d/%d\n", | |
725 | (int) prepcblk->ccp_rtcode, | |
726 | (int) prepcblk->ccp_rscode); | |
727 | rc = -EIO; | |
728 | goto out; | |
729 | } | |
730 | ||
731 | /* process response cprb param block */ | |
732 | prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
733 | prepparm = (struct fqrepparm *) prepcblk->rpl_parmb; | |
734 | ptr = prepparm->lvdata; | |
735 | ||
736 | /* check and possibly copy reply rule array */ | |
737 | len = *((u16 *) ptr); | |
738 | if (len > sizeof(u16)) { | |
739 | ptr += sizeof(u16); | |
740 | len -= sizeof(u16); | |
741 | if (rarray && rarraylen && *rarraylen > 0) { | |
742 | *rarraylen = (len > *rarraylen ? *rarraylen : len); | |
743 | memcpy(rarray, ptr, *rarraylen); | |
744 | } | |
745 | ptr += len; | |
746 | } | |
747 | /* check and possible copy reply var array */ | |
748 | len = *((u16 *) ptr); | |
749 | if (len > sizeof(u16)) { | |
750 | ptr += sizeof(u16); | |
751 | len -= sizeof(u16); | |
752 | if (varray && varraylen && *varraylen > 0) { | |
753 | *varraylen = (len > *varraylen ? *varraylen : len); | |
754 | memcpy(varray, ptr, *varraylen); | |
755 | } | |
756 | ptr += len; | |
757 | } | |
758 | ||
759 | out: | |
760 | free_cprbmem(mem, parmbsize, 0); | |
761 | return rc; | |
762 | } | |
763 | ||
764 | /* | |
ca681ec8 HF |
765 | * Fetch the current and old mkvp values via |
766 | * query_crypto_facility from adapter. | |
e80d4af0 | 767 | */ |
ca681ec8 | 768 | static int fetch_mkvp(u16 cardnr, u16 domain, u64 mkvp[2]) |
e80d4af0 HF |
769 | { |
770 | int rc, found = 0; | |
771 | size_t rlen, vlen; | |
772 | u8 *rarray, *varray, *pg; | |
773 | ||
774 | pg = (u8 *) __get_free_page(GFP_KERNEL); | |
775 | if (!pg) | |
776 | return -ENOMEM; | |
777 | rarray = pg; | |
778 | varray = pg + PAGE_SIZE/2; | |
779 | rlen = vlen = PAGE_SIZE/2; | |
780 | ||
781 | rc = query_crypto_facility(cardnr, domain, "STATICSA", | |
782 | rarray, &rlen, varray, &vlen); | |
783 | if (rc == 0 && rlen > 8*8 && vlen > 184+8) { | |
ca681ec8 | 784 | if (rarray[8*8] == '2') { |
e80d4af0 | 785 | /* current master key state is valid */ |
ca681ec8 HF |
786 | mkvp[0] = *((u64 *)(varray + 184)); |
787 | mkvp[1] = *((u64 *)(varray + 172)); | |
e80d4af0 HF |
788 | found = 1; |
789 | } | |
790 | } | |
791 | ||
792 | free_page((unsigned long) pg); | |
793 | ||
794 | return found ? 0 : -ENOENT; | |
795 | } | |
796 | ||
797 | /* struct to hold cached mkvp info for each card/domain */ | |
798 | struct mkvp_info { | |
799 | struct list_head list; | |
800 | u16 cardnr; | |
801 | u16 domain; | |
ca681ec8 | 802 | u64 mkvp[2]; |
e80d4af0 HF |
803 | }; |
804 | ||
805 | /* a list with mkvp_info entries */ | |
806 | static LIST_HEAD(mkvp_list); | |
807 | static DEFINE_SPINLOCK(mkvp_list_lock); | |
808 | ||
ca681ec8 | 809 | static int mkvp_cache_fetch(u16 cardnr, u16 domain, u64 mkvp[2]) |
e80d4af0 HF |
810 | { |
811 | int rc = -ENOENT; | |
812 | struct mkvp_info *ptr; | |
813 | ||
814 | spin_lock_bh(&mkvp_list_lock); | |
815 | list_for_each_entry(ptr, &mkvp_list, list) { | |
816 | if (ptr->cardnr == cardnr && | |
817 | ptr->domain == domain) { | |
ca681ec8 | 818 | memcpy(mkvp, ptr->mkvp, 2 * sizeof(u64)); |
e80d4af0 HF |
819 | rc = 0; |
820 | break; | |
821 | } | |
822 | } | |
823 | spin_unlock_bh(&mkvp_list_lock); | |
824 | ||
825 | return rc; | |
826 | } | |
827 | ||
ca681ec8 | 828 | static void mkvp_cache_update(u16 cardnr, u16 domain, u64 mkvp[2]) |
e80d4af0 HF |
829 | { |
830 | int found = 0; | |
831 | struct mkvp_info *ptr; | |
832 | ||
833 | spin_lock_bh(&mkvp_list_lock); | |
834 | list_for_each_entry(ptr, &mkvp_list, list) { | |
835 | if (ptr->cardnr == cardnr && | |
836 | ptr->domain == domain) { | |
ca681ec8 | 837 | memcpy(ptr->mkvp, mkvp, 2 * sizeof(u64)); |
e80d4af0 HF |
838 | found = 1; |
839 | break; | |
840 | } | |
841 | } | |
842 | if (!found) { | |
843 | ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC); | |
844 | if (!ptr) { | |
845 | spin_unlock_bh(&mkvp_list_lock); | |
846 | return; | |
847 | } | |
848 | ptr->cardnr = cardnr; | |
849 | ptr->domain = domain; | |
ca681ec8 | 850 | memcpy(ptr->mkvp, mkvp, 2 * sizeof(u64)); |
e80d4af0 HF |
851 | list_add(&ptr->list, &mkvp_list); |
852 | } | |
853 | spin_unlock_bh(&mkvp_list_lock); | |
854 | } | |
855 | ||
856 | static void mkvp_cache_scrub(u16 cardnr, u16 domain) | |
857 | { | |
858 | struct mkvp_info *ptr; | |
859 | ||
860 | spin_lock_bh(&mkvp_list_lock); | |
861 | list_for_each_entry(ptr, &mkvp_list, list) { | |
862 | if (ptr->cardnr == cardnr && | |
863 | ptr->domain == domain) { | |
864 | list_del(&ptr->list); | |
865 | kfree(ptr); | |
866 | break; | |
867 | } | |
868 | } | |
869 | spin_unlock_bh(&mkvp_list_lock); | |
870 | } | |
871 | ||
872 | static void __exit mkvp_cache_free(void) | |
873 | { | |
874 | struct mkvp_info *ptr, *pnext; | |
875 | ||
876 | spin_lock_bh(&mkvp_list_lock); | |
877 | list_for_each_entry_safe(ptr, pnext, &mkvp_list, list) { | |
878 | list_del(&ptr->list); | |
879 | kfree(ptr); | |
880 | } | |
881 | spin_unlock_bh(&mkvp_list_lock); | |
882 | } | |
883 | ||
884 | /* | |
885 | * Search for a matching crypto card based on the Master Key | |
886 | * Verification Pattern provided inside a secure key. | |
887 | */ | |
888 | int pkey_findcard(const struct pkey_seckey *seckey, | |
889 | u16 *pcardnr, u16 *pdomain, int verify) | |
890 | { | |
891 | struct secaeskeytoken *t = (struct secaeskeytoken *) seckey; | |
af4a7227 | 892 | struct zcrypt_device_status_ext *device_status; |
e80d4af0 | 893 | u16 card, dom; |
ca681ec8 HF |
894 | u64 mkvp[2]; |
895 | int i, rc, oi = -1; | |
e80d4af0 HF |
896 | |
897 | /* mkvp must not be zero */ | |
898 | if (t->mkvp == 0) | |
899 | return -EINVAL; | |
900 | ||
901 | /* fetch status of all crypto cards */ | |
6da2ec56 KC |
902 | device_status = kmalloc_array(MAX_ZDEV_ENTRIES_EXT, |
903 | sizeof(struct zcrypt_device_status_ext), | |
904 | GFP_KERNEL); | |
af4a7227 | 905 | if (!device_status) |
e80d4af0 | 906 | return -ENOMEM; |
af4a7227 | 907 | zcrypt_device_status_mask_ext(device_status); |
e80d4af0 HF |
908 | |
909 | /* walk through all crypto cards */ | |
af4a7227 HF |
910 | for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) { |
911 | card = AP_QID_CARD(device_status[i].qid); | |
912 | dom = AP_QID_QUEUE(device_status[i].qid); | |
913 | if (device_status[i].online && | |
914 | device_status[i].functions & 0x04) { | |
e80d4af0 HF |
915 | /* an enabled CCA Coprocessor card */ |
916 | /* try cached mkvp */ | |
ca681ec8 HF |
917 | if (mkvp_cache_fetch(card, dom, mkvp) == 0 && |
918 | t->mkvp == mkvp[0]) { | |
e80d4af0 HF |
919 | if (!verify) |
920 | break; | |
921 | /* verify: fetch mkvp from adapter */ | |
ca681ec8 | 922 | if (fetch_mkvp(card, dom, mkvp) == 0) { |
e80d4af0 | 923 | mkvp_cache_update(card, dom, mkvp); |
ca681ec8 | 924 | if (t->mkvp == mkvp[0]) |
e80d4af0 HF |
925 | break; |
926 | } | |
927 | } | |
928 | } else { | |
929 | /* Card is offline and/or not a CCA card. */ | |
930 | /* del mkvp entry from cache if it exists */ | |
931 | mkvp_cache_scrub(card, dom); | |
932 | } | |
933 | } | |
af4a7227 | 934 | if (i >= MAX_ZDEV_ENTRIES_EXT) { |
e80d4af0 | 935 | /* nothing found, so this time without cache */ |
af4a7227 HF |
936 | for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) { |
937 | if (!(device_status[i].online && | |
938 | device_status[i].functions & 0x04)) | |
e80d4af0 | 939 | continue; |
af4a7227 HF |
940 | card = AP_QID_CARD(device_status[i].qid); |
941 | dom = AP_QID_QUEUE(device_status[i].qid); | |
e80d4af0 | 942 | /* fresh fetch mkvp from adapter */ |
ca681ec8 | 943 | if (fetch_mkvp(card, dom, mkvp) == 0) { |
e80d4af0 | 944 | mkvp_cache_update(card, dom, mkvp); |
ca681ec8 | 945 | if (t->mkvp == mkvp[0]) |
e80d4af0 | 946 | break; |
ca681ec8 HF |
947 | if (t->mkvp == mkvp[1] && oi < 0) |
948 | oi = i; | |
e80d4af0 HF |
949 | } |
950 | } | |
af4a7227 | 951 | if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) { |
ca681ec8 | 952 | /* old mkvp matched, use this card then */ |
af4a7227 HF |
953 | card = AP_QID_CARD(device_status[oi].qid); |
954 | dom = AP_QID_QUEUE(device_status[oi].qid); | |
ca681ec8 | 955 | } |
e80d4af0 | 956 | } |
af4a7227 | 957 | if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) { |
e80d4af0 HF |
958 | if (pcardnr) |
959 | *pcardnr = card; | |
960 | if (pdomain) | |
961 | *pdomain = dom; | |
962 | rc = 0; | |
963 | } else | |
964 | rc = -ENODEV; | |
965 | ||
af4a7227 | 966 | kfree(device_status); |
e80d4af0 HF |
967 | return rc; |
968 | } | |
969 | EXPORT_SYMBOL(pkey_findcard); | |
970 | ||
971 | /* | |
972 | * Find card and transform secure key into protected key. | |
973 | */ | |
974 | int pkey_skey2pkey(const struct pkey_seckey *seckey, | |
975 | struct pkey_protkey *protkey) | |
976 | { | |
977 | u16 cardnr, domain; | |
978 | int rc, verify; | |
979 | ||
980 | /* | |
981 | * The pkey_sec2protkey call may fail when a card has been | |
982 | * addressed where the master key was changed after last fetch | |
983 | * of the mkvp into the cache. So first try without verify then | |
984 | * with verify enabled (thus refreshing the mkvp for each card). | |
985 | */ | |
986 | for (verify = 0; verify < 2; verify++) { | |
987 | rc = pkey_findcard(seckey, &cardnr, &domain, verify); | |
988 | if (rc) | |
989 | continue; | |
990 | rc = pkey_sec2protkey(cardnr, domain, seckey, protkey); | |
991 | if (rc == 0) | |
992 | break; | |
993 | } | |
994 | ||
995 | if (rc) | |
996 | DEBUG_DBG("pkey_skey2pkey failed rc=%d\n", rc); | |
997 | ||
998 | return rc; | |
999 | } | |
1000 | EXPORT_SYMBOL(pkey_skey2pkey); | |
1001 | ||
e61a6134 HF |
1002 | /* |
1003 | * Verify key and give back some info about the key. | |
1004 | */ | |
1005 | int pkey_verifykey(const struct pkey_seckey *seckey, | |
1006 | u16 *pcardnr, u16 *pdomain, | |
1007 | u16 *pkeysize, u32 *pattributes) | |
1008 | { | |
1009 | struct secaeskeytoken *t = (struct secaeskeytoken *) seckey; | |
1010 | u16 cardnr, domain; | |
1011 | u64 mkvp[2]; | |
1012 | int rc; | |
1013 | ||
1014 | /* check the secure key for valid AES secure key */ | |
1015 | rc = check_secaeskeytoken((u8 *) seckey, 0); | |
1016 | if (rc) | |
1017 | goto out; | |
1018 | if (pattributes) | |
1019 | *pattributes = PKEY_VERIFY_ATTR_AES; | |
1020 | if (pkeysize) | |
1021 | *pkeysize = t->bitsize; | |
1022 | ||
1023 | /* try to find a card which can handle this key */ | |
1024 | rc = pkey_findcard(seckey, &cardnr, &domain, 1); | |
1025 | if (rc) | |
1026 | goto out; | |
1027 | ||
1028 | /* check mkvp for old mkvp match */ | |
1029 | rc = mkvp_cache_fetch(cardnr, domain, mkvp); | |
1030 | if (rc) | |
1031 | goto out; | |
1032 | if (t->mkvp == mkvp[1]) { | |
1033 | DEBUG_DBG("pkey_verifykey secure key has old mkvp\n"); | |
1034 | if (pattributes) | |
1035 | *pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP; | |
1036 | } | |
1037 | ||
1038 | if (pcardnr) | |
1039 | *pcardnr = cardnr; | |
1040 | if (pdomain) | |
1041 | *pdomain = domain; | |
1042 | ||
1043 | out: | |
1044 | DEBUG_DBG("pkey_verifykey rc=%d\n", rc); | |
1045 | return rc; | |
1046 | } | |
1047 | EXPORT_SYMBOL(pkey_verifykey); | |
1048 | ||
e80d4af0 HF |
1049 | /* |
1050 | * File io functions | |
1051 | */ | |
1052 | ||
1053 | static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, | |
1054 | unsigned long arg) | |
1055 | { | |
1056 | int rc; | |
1057 | ||
1058 | switch (cmd) { | |
1059 | case PKEY_GENSECK: { | |
1060 | struct pkey_genseck __user *ugs = (void __user *) arg; | |
1061 | struct pkey_genseck kgs; | |
1062 | ||
1063 | if (copy_from_user(&kgs, ugs, sizeof(kgs))) | |
1064 | return -EFAULT; | |
1065 | rc = pkey_genseckey(kgs.cardnr, kgs.domain, | |
1066 | kgs.keytype, &kgs.seckey); | |
1067 | DEBUG_DBG("pkey_ioctl pkey_genseckey()=%d\n", rc); | |
1068 | if (rc) | |
1069 | break; | |
1070 | if (copy_to_user(ugs, &kgs, sizeof(kgs))) | |
1071 | return -EFAULT; | |
1072 | break; | |
1073 | } | |
1074 | case PKEY_CLR2SECK: { | |
1075 | struct pkey_clr2seck __user *ucs = (void __user *) arg; | |
1076 | struct pkey_clr2seck kcs; | |
1077 | ||
1078 | if (copy_from_user(&kcs, ucs, sizeof(kcs))) | |
1079 | return -EFAULT; | |
1080 | rc = pkey_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype, | |
1081 | &kcs.clrkey, &kcs.seckey); | |
1082 | DEBUG_DBG("pkey_ioctl pkey_clr2seckey()=%d\n", rc); | |
1083 | if (rc) | |
1084 | break; | |
1085 | if (copy_to_user(ucs, &kcs, sizeof(kcs))) | |
1086 | return -EFAULT; | |
1087 | memzero_explicit(&kcs, sizeof(kcs)); | |
1088 | break; | |
1089 | } | |
1090 | case PKEY_SEC2PROTK: { | |
1091 | struct pkey_sec2protk __user *usp = (void __user *) arg; | |
1092 | struct pkey_sec2protk ksp; | |
1093 | ||
1094 | if (copy_from_user(&ksp, usp, sizeof(ksp))) | |
1095 | return -EFAULT; | |
1096 | rc = pkey_sec2protkey(ksp.cardnr, ksp.domain, | |
1097 | &ksp.seckey, &ksp.protkey); | |
1098 | DEBUG_DBG("pkey_ioctl pkey_sec2protkey()=%d\n", rc); | |
1099 | if (rc) | |
1100 | break; | |
1101 | if (copy_to_user(usp, &ksp, sizeof(ksp))) | |
1102 | return -EFAULT; | |
1103 | break; | |
1104 | } | |
1105 | case PKEY_CLR2PROTK: { | |
1106 | struct pkey_clr2protk __user *ucp = (void __user *) arg; | |
1107 | struct pkey_clr2protk kcp; | |
1108 | ||
1109 | if (copy_from_user(&kcp, ucp, sizeof(kcp))) | |
1110 | return -EFAULT; | |
1111 | rc = pkey_clr2protkey(kcp.keytype, | |
1112 | &kcp.clrkey, &kcp.protkey); | |
1113 | DEBUG_DBG("pkey_ioctl pkey_clr2protkey()=%d\n", rc); | |
1114 | if (rc) | |
1115 | break; | |
1116 | if (copy_to_user(ucp, &kcp, sizeof(kcp))) | |
1117 | return -EFAULT; | |
1118 | memzero_explicit(&kcp, sizeof(kcp)); | |
1119 | break; | |
1120 | } | |
1121 | case PKEY_FINDCARD: { | |
1122 | struct pkey_findcard __user *ufc = (void __user *) arg; | |
1123 | struct pkey_findcard kfc; | |
1124 | ||
1125 | if (copy_from_user(&kfc, ufc, sizeof(kfc))) | |
1126 | return -EFAULT; | |
1127 | rc = pkey_findcard(&kfc.seckey, | |
1128 | &kfc.cardnr, &kfc.domain, 1); | |
1129 | DEBUG_DBG("pkey_ioctl pkey_findcard()=%d\n", rc); | |
1130 | if (rc) | |
1131 | break; | |
1132 | if (copy_to_user(ufc, &kfc, sizeof(kfc))) | |
1133 | return -EFAULT; | |
1134 | break; | |
1135 | } | |
1136 | case PKEY_SKEY2PKEY: { | |
1137 | struct pkey_skey2pkey __user *usp = (void __user *) arg; | |
1138 | struct pkey_skey2pkey ksp; | |
1139 | ||
1140 | if (copy_from_user(&ksp, usp, sizeof(ksp))) | |
1141 | return -EFAULT; | |
1142 | rc = pkey_skey2pkey(&ksp.seckey, &ksp.protkey); | |
1143 | DEBUG_DBG("pkey_ioctl pkey_skey2pkey()=%d\n", rc); | |
1144 | if (rc) | |
1145 | break; | |
1146 | if (copy_to_user(usp, &ksp, sizeof(ksp))) | |
1147 | return -EFAULT; | |
1148 | break; | |
1149 | } | |
e61a6134 HF |
1150 | case PKEY_VERIFYKEY: { |
1151 | struct pkey_verifykey __user *uvk = (void __user *) arg; | |
1152 | struct pkey_verifykey kvk; | |
1153 | ||
1154 | if (copy_from_user(&kvk, uvk, sizeof(kvk))) | |
1155 | return -EFAULT; | |
1156 | rc = pkey_verifykey(&kvk.seckey, &kvk.cardnr, &kvk.domain, | |
1157 | &kvk.keysize, &kvk.attributes); | |
1158 | DEBUG_DBG("pkey_ioctl pkey_verifykey()=%d\n", rc); | |
1159 | if (rc) | |
1160 | break; | |
1161 | if (copy_to_user(uvk, &kvk, sizeof(kvk))) | |
1162 | return -EFAULT; | |
1163 | break; | |
1164 | } | |
e80d4af0 HF |
1165 | default: |
1166 | /* unknown/unsupported ioctl cmd */ | |
1167 | return -ENOTTY; | |
1168 | } | |
1169 | ||
1170 | return rc; | |
1171 | } | |
1172 | ||
1173 | /* | |
1174 | * Sysfs and file io operations | |
1175 | */ | |
1176 | static const struct file_operations pkey_fops = { | |
1177 | .owner = THIS_MODULE, | |
1178 | .open = nonseekable_open, | |
1179 | .llseek = no_llseek, | |
1180 | .unlocked_ioctl = pkey_unlocked_ioctl, | |
1181 | }; | |
1182 | ||
1183 | static struct miscdevice pkey_dev = { | |
1184 | .name = "pkey", | |
1185 | .minor = MISC_DYNAMIC_MINOR, | |
1186 | .mode = 0666, | |
1187 | .fops = &pkey_fops, | |
1188 | }; | |
1189 | ||
1190 | /* | |
1191 | * Module init | |
1192 | */ | |
cb4ef3c2 | 1193 | static int __init pkey_init(void) |
e80d4af0 HF |
1194 | { |
1195 | cpacf_mask_t pckmo_functions; | |
1196 | ||
1197 | /* check for pckmo instructions available */ | |
1198 | if (!cpacf_query(CPACF_PCKMO, &pckmo_functions)) | |
1199 | return -EOPNOTSUPP; | |
1200 | if (!cpacf_test_func(&pckmo_functions, CPACF_PCKMO_ENC_AES_128_KEY) || | |
1201 | !cpacf_test_func(&pckmo_functions, CPACF_PCKMO_ENC_AES_192_KEY) || | |
1202 | !cpacf_test_func(&pckmo_functions, CPACF_PCKMO_ENC_AES_256_KEY)) | |
1203 | return -EOPNOTSUPP; | |
1204 | ||
1205 | pkey_debug_init(); | |
1206 | ||
1207 | return misc_register(&pkey_dev); | |
1208 | } | |
1209 | ||
1210 | /* | |
1211 | * Module exit | |
1212 | */ | |
1213 | static void __exit pkey_exit(void) | |
1214 | { | |
1215 | misc_deregister(&pkey_dev); | |
1216 | mkvp_cache_free(); | |
1217 | pkey_debug_exit(); | |
1218 | } | |
1219 | ||
1220 | module_init(pkey_init); | |
1221 | module_exit(pkey_exit); |