projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'gpio-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux...
[linux-2.6-block.git] / drivers / s390 / crypto / zcrypt_ccamisc.c
CommitLineData
efc598e6
HF		 1// SPDX-License-Identifier: GPL-2.0+
2/*
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
6 *
7 * Collection of CCA misc functions used by zcrypt and pkey
8 */
9
10#define KMSG_COMPONENT "zcrypt"
11#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
12
13#include <linux/init.h>
14#include <linux/module.h>
15#include <linux/slab.h>
4bc123b1 16#include <linux/random.h>
efc598e6
HF		 17#include <asm/zcrypt.h>
18#include <asm/pkey.h>
19
20#include "ap_bus.h"
21#include "zcrypt_api.h"
22#include "zcrypt_debug.h"
23#include "zcrypt_msgtype6.h"
24#include "zcrypt_ccamisc.h"
25
26#define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27#define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28#define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29#define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
30
31/* Size of parameter block used for all cca requests/replies */
32#define PARMBSIZE 512
33
34/* Size of vardata block used for some of the cca requests/replies */
35#define VARDATASIZE 4096
36
94bbd34e 37struct cca_info_list_entry {
efc598e6
HF		 38 struct list_head list;
39 u16 cardnr;
40 u16 domain;
94bbd34e 41 struct cca_info info;
efc598e6
HF		 42};
43
94bbd34e
HF		 44/* a list with cca_info_list_entry entries */
45static LIST_HEAD(cca_info_list);
46static DEFINE_SPINLOCK(cca_info_list_lock);
efc598e6
HF		 47
48/*
4bc123b1 49 * Simple check if the token is a valid CCA secure AES data key
efc598e6
HF		 50 * token. If keybitsize is given, the bitsize of the key is
51 * also checked. Returns 0 on success or errno value on failure.
52 */
53int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
54 const u8 *token, int keybitsize)
efc598e6
HF		 55{
56 struct secaeskeytoken *t = (struct secaeskeytoken *) token;
57
58#define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
59
60 if (t->type != TOKTYPE_CCA_INTERNAL) {
61 if (dbg)
62 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
64 return -EINVAL;
65 }
66 if (t->version != TOKVER_CCA_AES) {
67 if (dbg)
68 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 __func__, (int) t->version, TOKVER_CCA_AES);
70 return -EINVAL;
71 }
72 if (keybitsize > 0 && t->bitsize != keybitsize) {
73 if (dbg)
74 DBF("%s token check failed, bitsize %d != %d\n",
75 __func__, (int) t->bitsize, keybitsize);
76 return -EINVAL;
77 }
78
79#undef DBF
80
81 return 0;
82}
83EXPORT_SYMBOL(cca_check_secaeskeytoken);
84
4bc123b1
HF		 85/*
86 * Simple check if the token is a valid CCA secure AES cipher key
87 * token. If keybitsize is given, the bitsize of the key is
88 * also checked. If checkcpacfexport is enabled, the key is also
89 * checked for the export flag to allow CPACF export.
90 * Returns 0 on success or errno value on failure.
91 */
92int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
93 const u8 *token, int keybitsize,
94 int checkcpacfexport)
95{
96 struct cipherkeytoken *t = (struct cipherkeytoken *) token;
97 bool keybitsizeok = true;
98
99#define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
100
101 if (t->type != TOKTYPE_CCA_INTERNAL) {
102 if (dbg)
103 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
105 return -EINVAL;
106 }
107 if (t->version != TOKVER_CCA_VLSC) {
108 if (dbg)
109 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 __func__, (int) t->version, TOKVER_CCA_VLSC);
111 return -EINVAL;
112 }
113 if (t->algtype != 0x02) {
114 if (dbg)
115 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 __func__, (int) t->algtype);
117 return -EINVAL;
118 }
119 if (t->keytype != 0x0001) {
120 if (dbg)
121 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 __func__, (int) t->keytype);
123 return -EINVAL;
124 }
125 if (t->plfver != 0x00 && t->plfver != 0x01) {
126 if (dbg)
127 DBF("%s token check failed, unknown plfver 0x%02x\n",
128 __func__, (int) t->plfver);
129 return -EINVAL;
130 }
131 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
132 if (dbg)
133 DBF("%s token check failed, unknown wpllen %d\n",
134 __func__, (int) t->wpllen);
135 return -EINVAL;
136 }
137 if (keybitsize > 0) {
138 switch (keybitsize) {
139 case 128:
140 if (t->wpllen != (t->plfver ? 640 : 512))
141 keybitsizeok = false;
142 break;
143 case 192:
144 if (t->wpllen != (t->plfver ? 640 : 576))
145 keybitsizeok = false;
146 break;
147 case 256:
148 if (t->wpllen != 640)
149 keybitsizeok = false;
150 break;
151 default:
152 keybitsizeok = false;
153 break;
154 }
155 if (!keybitsizeok) {
156 if (dbg)
157 DBF("%s token check failed, bitsize %d\n",
158 __func__, keybitsize);
159 return -EINVAL;
160 }
161 }
162 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
163 if (dbg)
164 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
165 __func__);
166 return -EINVAL;
167 }
168
169#undef DBF
170
171 return 0;
172}
173EXPORT_SYMBOL(cca_check_secaescipherkey);
174
efc598e6
HF		 175/*
176 * Allocate consecutive memory for request CPRB, request param
177 * block, reply CPRB and reply param block and fill in values
178 * for the common fields. Returns 0 on success or errno value
179 * on failure.
180 */
181static int alloc_and_prep_cprbmem(size_t paramblen,
182 u8 **pcprbmem,
183 struct CPRBX **preqCPRB,
184 struct CPRBX **prepCPRB)
185{
186 u8 *cprbmem;
187 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
188 struct CPRBX *preqcblk, *prepcblk;
189
190 /*
191 * allocate consecutive memory for request CPRB, request param
192 * block, reply CPRB and reply param block
193 */
194 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
195 if (!cprbmem)
196 return -ENOMEM;
197
198 preqcblk = (struct CPRBX *) cprbmem;
199 prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen);
200
201 /* fill request cprb struct */
202 preqcblk->cprb_len = sizeof(struct CPRBX);
203 preqcblk->cprb_ver_id = 0x02;
204 memcpy(preqcblk->func_id, "T2", 2);
205 preqcblk->rpl_msgbl = cprbplusparamblen;
206 if (paramblen) {
207 preqcblk->req_parmb =
74ecbef7 208 ((u8 __user *) preqcblk) + sizeof(struct CPRBX);
efc598e6 209 preqcblk->rpl_parmb =
74ecbef7 210 ((u8 __user *) prepcblk) + sizeof(struct CPRBX);
efc598e6
HF		 211 }
212
213 *pcprbmem = cprbmem;
214 *preqCPRB = preqcblk;
215 *prepCPRB = prepcblk;
216
217 return 0;
218}
219
220/*
221 * Free the cprb memory allocated with the function above.
222 * If the scrub value is not zero, the memory is filled
223 * with zeros before freeing (useful if there was some
224 * clear key material in there).
225 */
226static void free_cprbmem(void *mem, size_t paramblen, int scrub)
227{
228 if (scrub)
229 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
230 kfree(mem);
231}
232
233/*
234 * Helper function to prepare the xcrb struct
235 */
236static inline void prep_xcrb(struct ica_xcRB *pxcrb,
237 u16 cardnr,
238 struct CPRBX *preqcblk,
239 struct CPRBX *prepcblk)
240{
241 memset(pxcrb, 0, sizeof(*pxcrb));
242 pxcrb->agent_ID = 0x4341; /* 'CA' */
243 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
244 pxcrb->request_control_blk_length =
245 preqcblk->cprb_len + preqcblk->req_parml;
7c4e91c0 246 pxcrb->request_control_blk_addr = (void __user *) preqcblk;
efc598e6 247 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
7c4e91c0 248 pxcrb->reply_control_blk_addr = (void __user *) prepcblk;
efc598e6
HF		 249}
250
251/*
252 * Helper function which calls zcrypt_send_cprb with
253 * memory management segment adjusted to kernel space
254 * so that the copy_from_user called within this
255 * function do in fact copy from kernel space.
256 */
257static inline int _zcrypt_send_cprb(struct ica_xcRB *xcrb)
258{
259 int rc;
260 mm_segment_t old_fs = get_fs();
261
262 set_fs(KERNEL_DS);
263 rc = zcrypt_send_cprb(xcrb);
264 set_fs(old_fs);
265
266 return rc;
267}
268
269/*
270 * Generate (random) CCA AES DATA secure key.
271 */
272int cca_genseckey(u16 cardnr, u16 domain,
f2bbc96e 273 u32 keybitsize, u8 seckey[SECKEYBLOBSIZE])
efc598e6
HF		 274{
275 int i, rc, keysize;
276 int seckeysize;
74ecbef7 277 u8 *mem, *ptr;
efc598e6
HF		 278 struct CPRBX *preqcblk, *prepcblk;
279 struct ica_xcRB xcrb;
280 struct kgreqparm {
281 u8 subfunc_code[2];
282 u16 rule_array_len;
283 struct lv1 {
284 u16 len;
285 char key_form[8];
286 char key_length[8];
287 char key_type1[8];
288 char key_type2[8];
289 } lv1;
290 struct lv2 {
291 u16 len;
292 struct keyid {
293 u16 len;
294 u16 attr;
295 u8 data[SECKEYBLOBSIZE];
296 } keyid[6];
297 } lv2;
298 } __packed * preqparm;
299 struct kgrepparm {
300 u8 subfunc_code[2];
301 u16 rule_array_len;
302 struct lv3 {
303 u16 len;
304 u16 keyblocklen;
305 struct {
306 u16 toklen;
307 u16 tokattr;
308 u8 tok[0];
309 /* ... some more data ... */
310 } keyblock;
311 } lv3;
312 } __packed * prepparm;
313
314 /* get already prepared memory for 2 cprbs with param block each */
315 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
316 if (rc)
317 return rc;
318
319 /* fill request cprb struct */
320 preqcblk->domain = domain;
321
322 /* fill request cprb param block with KG request */
74ecbef7 323 preqparm = (struct kgreqparm __force *) preqcblk->req_parmb;
efc598e6
HF		 324 memcpy(preqparm->subfunc_code, "KG", 2);
325 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
326 preqparm->lv1.len = sizeof(struct lv1);
327 memcpy(preqparm->lv1.key_form, "OP ", 8);
f2bbc96e
HF		 328 switch (keybitsize) {
329 case PKEY_SIZE_AES_128:
330 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
efc598e6
HF		 331 keysize = 16;
332 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
333 break;
f2bbc96e
HF		 334 case PKEY_SIZE_AES_192:
335 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
efc598e6
HF		 336 keysize = 24;
337 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
338 break;
f2bbc96e
HF		 339 case PKEY_SIZE_AES_256:
340 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
efc598e6
HF		 341 keysize = 32;
342 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
343 break;
344 default:
f2bbc96e
HF		 345 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
346 __func__, keybitsize);
efc598e6
HF		 347 rc = -EINVAL;
348 goto out;
349 }
350 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
351 preqparm->lv2.len = sizeof(struct lv2);
352 for (i = 0; i < 6; i++) {
353 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
354 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
355 }
356 preqcblk->req_parml = sizeof(struct kgreqparm);
357
358 /* fill xcrb struct */
359 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
360
361 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
362 rc = _zcrypt_send_cprb(&xcrb);
363 if (rc) {
364 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
365 __func__, (int) cardnr, (int) domain, rc);
366 goto out;
367 }
368
369 /* check response returncode and reasoncode */
370 if (prepcblk->ccp_rtcode != 0) {
371 DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
372 __func__,
373 (int) prepcblk->ccp_rtcode,
374 (int) prepcblk->ccp_rscode);
375 rc = -EIO;
376 goto out;
377 }
378
379 /* process response cprb param block */
74ecbef7
HF		 380 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
381 prepcblk->rpl_parmb = (u8 __user *) ptr;
382 prepparm = (struct kgrepparm *) ptr;
efc598e6
HF		 383
384 /* check length of the returned secure key token */
385 seckeysize = prepparm->lv3.keyblock.toklen
386 - sizeof(prepparm->lv3.keyblock.toklen)
387 - sizeof(prepparm->lv3.keyblock.tokattr);
388 if (seckeysize != SECKEYBLOBSIZE) {
389 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
390 __func__, seckeysize, SECKEYBLOBSIZE);
391 rc = -EIO;
392 goto out;
393 }
394
395 /* check secure key token */
396 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
397 prepparm->lv3.keyblock.tok, 8*keysize);
398 if (rc) {
399 rc = -EIO;
400 goto out;
401 }
402
403 /* copy the generated secure key token */
404 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
405
406out:
407 free_cprbmem(mem, PARMBSIZE, 0);
408 return rc;
409}
410EXPORT_SYMBOL(cca_genseckey);
411
412/*
413 * Generate an CCA AES DATA secure key with given key value.
414 */
f2bbc96e 415int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
efc598e6
HF		 416 const u8 *clrkey, u8 seckey[SECKEYBLOBSIZE])
417{
418 int rc, keysize, seckeysize;
74ecbef7 419 u8 *mem, *ptr;
efc598e6
HF		 420 struct CPRBX *preqcblk, *prepcblk;
421 struct ica_xcRB xcrb;
422 struct cmreqparm {
423 u8 subfunc_code[2];
424 u16 rule_array_len;
425 char rule_array[8];
426 struct lv1 {
427 u16 len;
428 u8 clrkey[0];
429 } lv1;
430 struct lv2 {
431 u16 len;
432 struct keyid {
433 u16 len;
434 u16 attr;
435 u8 data[SECKEYBLOBSIZE];
436 } keyid;
437 } lv2;
438 } __packed * preqparm;
439 struct lv2 *plv2;
440 struct cmrepparm {
441 u8 subfunc_code[2];
442 u16 rule_array_len;
443 struct lv3 {
444 u16 len;
445 u16 keyblocklen;
446 struct {
447 u16 toklen;
448 u16 tokattr;
449 u8 tok[0];
450 /* ... some more data ... */
451 } keyblock;
452 } lv3;
453 } __packed * prepparm;
454
455 /* get already prepared memory for 2 cprbs with param block each */
456 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
457 if (rc)
458 return rc;
459
460 /* fill request cprb struct */
461 preqcblk->domain = domain;
462
463 /* fill request cprb param block with CM request */
74ecbef7 464 preqparm = (struct cmreqparm __force *) preqcblk->req_parmb;
efc598e6
HF		 465 memcpy(preqparm->subfunc_code, "CM", 2);
466 memcpy(preqparm->rule_array, "AES ", 8);
467 preqparm->rule_array_len =
468 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
f2bbc96e
HF		 469 switch (keybitsize) {
470 case PKEY_SIZE_AES_128:
471 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
efc598e6
HF		 472 keysize = 16;
473 break;
f2bbc96e
HF		 474 case PKEY_SIZE_AES_192:
475 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
efc598e6
HF		 476 keysize = 24;
477 break;
f2bbc96e
HF		 478 case PKEY_SIZE_AES_256:
479 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
efc598e6
HF		 480 keysize = 32;
481 break;
482 default:
f2bbc96e
HF		 483 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
484 __func__, keybitsize);
efc598e6
HF		 485 rc = -EINVAL;
486 goto out;
487 }
488 preqparm->lv1.len = sizeof(struct lv1) + keysize;
489 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
490 plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize);
491 plv2->len = sizeof(struct lv2);
492 plv2->keyid.len = sizeof(struct keyid);
493 plv2->keyid.attr = 0x30;
494 preqcblk->req_parml = sizeof(struct cmreqparm) + keysize;
495
496 /* fill xcrb struct */
497 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
498
499 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
500 rc = _zcrypt_send_cprb(&xcrb);
501 if (rc) {
502 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
503 __func__, (int) cardnr, (int) domain, rc);
504 goto out;
505 }
506
507 /* check response returncode and reasoncode */
508 if (prepcblk->ccp_rtcode != 0) {
509 DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
510 __func__,
511 (int) prepcblk->ccp_rtcode,
512 (int) prepcblk->ccp_rscode);
513 rc = -EIO;
514 goto out;
515 }
516
517 /* process response cprb param block */
74ecbef7
HF		 518 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
519 prepcblk->rpl_parmb = (u8 __user *) ptr;
520 prepparm = (struct cmrepparm *) ptr;
efc598e6
HF		 521
522 /* check length of the returned secure key token */
523 seckeysize = prepparm->lv3.keyblock.toklen
524 - sizeof(prepparm->lv3.keyblock.toklen)
525 - sizeof(prepparm->lv3.keyblock.tokattr);
526 if (seckeysize != SECKEYBLOBSIZE) {
527 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
528 __func__, seckeysize, SECKEYBLOBSIZE);
529 rc = -EIO;
530 goto out;
531 }
532
533 /* check secure key token */
534 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
535 prepparm->lv3.keyblock.tok, 8*keysize);
536 if (rc) {
537 rc = -EIO;
538 goto out;
539 }
540
541 /* copy the generated secure key token */
4bc123b1
HF		 542 if (seckey)
543 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
efc598e6
HF		 544
545out:
546 free_cprbmem(mem, PARMBSIZE, 1);
547 return rc;
548}
549EXPORT_SYMBOL(cca_clr2seckey);
550
551/*
552 * Derive proteced key from an CCA AES DATA secure key.
553 */
554int cca_sec2protkey(u16 cardnr, u16 domain,
555 const u8 seckey[SECKEYBLOBSIZE],
f2bbc96e 556 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
efc598e6
HF		 557{
558 int rc;
74ecbef7 559 u8 *mem, *ptr;
efc598e6
HF		 560 struct CPRBX *preqcblk, *prepcblk;
561 struct ica_xcRB xcrb;
562 struct uskreqparm {
563 u8 subfunc_code[2];
564 u16 rule_array_len;
565 struct lv1 {
566 u16 len;
567 u16 attr_len;
568 u16 attr_flags;
569 } lv1;
570 struct lv2 {
571 u16 len;
572 u16 attr_len;
573 u16 attr_flags;
574 u8 token[0]; /* cca secure key token */
575 } lv2;
576 } __packed * preqparm;
577 struct uskrepparm {
578 u8 subfunc_code[2];
579 u16 rule_array_len;
580 struct lv3 {
581 u16 len;
582 u16 attr_len;
583 u16 attr_flags;
584 struct cpacfkeyblock {
585 u8 version; /* version of this struct */
586 u8 flags[2];
587 u8 algo;
588 u8 form;
589 u8 pad1[3];
590 u16 len;
591 u8 key[64]; /* the key (len bytes) */
592 u16 keyattrlen;
593 u8 keyattr[32];
594 u8 pad2[1];
595 u8 vptype;
596 u8 vp[32]; /* verification pattern */
c4f762ff 597 } ckb;
efc598e6
HF		 598 } lv3;
599 } __packed * prepparm;
600
601 /* get already prepared memory for 2 cprbs with param block each */
602 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
603 if (rc)
604 return rc;
605
606 /* fill request cprb struct */
607 preqcblk->domain = domain;
608
609 /* fill request cprb param block with USK request */
74ecbef7 610 preqparm = (struct uskreqparm __force *) preqcblk->req_parmb;
efc598e6
HF		 611 memcpy(preqparm->subfunc_code, "US", 2);
612 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
613 preqparm->lv1.len = sizeof(struct lv1);
614 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
615 preqparm->lv1.attr_flags = 0x0001;
616 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
617 preqparm->lv2.attr_len = sizeof(struct lv2)
618 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
619 preqparm->lv2.attr_flags = 0x0000;
620 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
621 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
622
623 /* fill xcrb struct */
624 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
625
626 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
627 rc = _zcrypt_send_cprb(&xcrb);
628 if (rc) {
629 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
630 __func__, (int) cardnr, (int) domain, rc);
631 goto out;
632 }
633
634 /* check response returncode and reasoncode */
635 if (prepcblk->ccp_rtcode != 0) {
636 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
637 __func__,
638 (int) prepcblk->ccp_rtcode,
639 (int) prepcblk->ccp_rscode);
640 rc = -EIO;
641 goto out;
642 }
643 if (prepcblk->ccp_rscode != 0) {
644 DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
645 __func__,
646 (int) prepcblk->ccp_rtcode,
647 (int) prepcblk->ccp_rscode);
648 }
649
650 /* process response cprb param block */
74ecbef7
HF		 651 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
652 prepcblk->rpl_parmb = (u8 __user *) ptr;
653 prepparm = (struct uskrepparm *) ptr;
efc598e6
HF		 654
655 /* check the returned keyblock */
c4f762ff
HF		 656 if (prepparm->lv3.ckb.version != 0x01 &&
657 prepparm->lv3.ckb.version != 0x02) {
658 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
659 __func__, (int) prepparm->lv3.ckb.version);
efc598e6
HF		 660 rc = -EIO;
661 goto out;
662 }
663
664 /* copy the tanslated protected key */
c4f762ff 665 switch (prepparm->lv3.ckb.len) {
efc598e6
HF		 666 case 16+32:
667 /* AES 128 protected key */
f2bbc96e
HF		 668 if (protkeytype)
669 *protkeytype = PKEY_KEYTYPE_AES_128;
efc598e6
HF		 670 break;
671 case 24+32:
672 /* AES 192 protected key */
f2bbc96e
HF		 673 if (protkeytype)
674 *protkeytype = PKEY_KEYTYPE_AES_192;
efc598e6
HF		 675 break;
676 case 32+32:
677 /* AES 256 protected key */
f2bbc96e
HF		 678 if (protkeytype)
679 *protkeytype = PKEY_KEYTYPE_AES_256;
efc598e6
HF		 680 break;
681 default:
f2bbc96e 682 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
c4f762ff 683 __func__, prepparm->lv3.ckb.len);
efc598e6
HF		 684 rc = -EIO;
685 goto out;
686 }
c4f762ff 687 memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
efc598e6 688 if (protkeylen)
c4f762ff 689 *protkeylen = prepparm->lv3.ckb.len;
efc598e6
HF		 690
691out:
692 free_cprbmem(mem, PARMBSIZE, 0);
693 return rc;
694}
695EXPORT_SYMBOL(cca_sec2protkey);
696
4bc123b1
HF		 697/*
698 * AES cipher key skeleton created with CSNBKTB2 with these flags:
699 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
700 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
701 * used by cca_gencipherkey() and cca_clr2cipherkey().
702 */
703static const u8 aes_cipher_key_skeleton[] = {
704 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
708 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
709 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
710 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
711#define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
712
713/*
714 * Generate (random) CCA AES CIPHER secure key.
715 */
716int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
717 u8 *keybuf, size_t *keybufsize)
718{
719 int rc;
74ecbef7 720 u8 *mem, *ptr;
4bc123b1
HF		 721 struct CPRBX *preqcblk, *prepcblk;
722 struct ica_xcRB xcrb;
723 struct gkreqparm {
724 u8 subfunc_code[2];
725 u16 rule_array_len;
726 char rule_array[2*8];
727 struct {
728 u16 len;
729 u8 key_type_1[8];
730 u8 key_type_2[8];
731 u16 clear_key_bit_len;
732 u16 key_name_1_len;
733 u16 key_name_2_len;
734 u16 user_data_1_len;
735 u16 user_data_2_len;
736 u8 key_name_1[0];
737 u8 key_name_2[0];
738 u8 user_data_1[0];
739 u8 user_data_2[0];
740 } vud;
741 struct {
742 u16 len;
743 struct {
744 u16 len;
745 u16 flag;
746 u8 kek_id_1[0];
747 } tlv1;
748 struct {
749 u16 len;
750 u16 flag;
751 u8 kek_id_2[0];
752 } tlv2;
753 struct {
754 u16 len;
755 u16 flag;
756 u8 gen_key_id_1[SIZEOF_SKELETON];
757 } tlv3;
758 struct {
759 u16 len;
760 u16 flag;
761 u8 gen_key_id_1_label[0];
762 } tlv4;
763 struct {
764 u16 len;
765 u16 flag;
766 u8 gen_key_id_2[0];
767 } tlv5;
768 struct {
769 u16 len;
770 u16 flag;
771 u8 gen_key_id_2_label[0];
772 } tlv6;
773 } kb;
774 } __packed * preqparm;
775 struct gkrepparm {
776 u8 subfunc_code[2];
777 u16 rule_array_len;
778 struct {
779 u16 len;
780 } vud;
781 struct {
782 u16 len;
783 struct {
784 u16 len;
785 u16 flag;
786 u8 gen_key[0]; /* 120-136 bytes */
787 } tlv1;
788 } kb;
789 } __packed * prepparm;
790 struct cipherkeytoken *t;
791
792 /* get already prepared memory for 2 cprbs with param block each */
793 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
794 if (rc)
795 return rc;
796
797 /* fill request cprb struct */
798 preqcblk->domain = domain;
799 preqcblk->req_parml = sizeof(struct gkreqparm);
800
801 /* prepare request param block with GK request */
74ecbef7 802 preqparm = (struct gkreqparm __force *) preqcblk->req_parmb;
4bc123b1
HF		 803 memcpy(preqparm->subfunc_code, "GK", 2);
804 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
805 memcpy(preqparm->rule_array, "AES OP ", 2*8);
806
807 /* prepare vud block */
808 preqparm->vud.len = sizeof(preqparm->vud);
809 switch (keybitsize) {
810 case 128:
811 case 192:
812 case 256:
813 break;
814 default:
815 DEBUG_ERR(
816 "%s unknown/unsupported keybitsize %d\n",
817 __func__, keybitsize);
818 rc = -EINVAL;
819 goto out;
820 }
821 preqparm->vud.clear_key_bit_len = keybitsize;
822 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
823 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
824
825 /* prepare kb block */
826 preqparm->kb.len = sizeof(preqparm->kb);
827 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
828 preqparm->kb.tlv1.flag = 0x0030;
829 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
830 preqparm->kb.tlv2.flag = 0x0030;
831 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
832 preqparm->kb.tlv3.flag = 0x0030;
833 memcpy(preqparm->kb.tlv3.gen_key_id_1,
834 aes_cipher_key_skeleton, SIZEOF_SKELETON);
835 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
836 preqparm->kb.tlv4.flag = 0x0030;
837 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
838 preqparm->kb.tlv5.flag = 0x0030;
839 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
840 preqparm->kb.tlv6.flag = 0x0030;
841
842 /* patch the skeleton key token export flags inside the kb block */
843 if (keygenflags) {
844 t = (struct cipherkeytoken *) preqparm->kb.tlv3.gen_key_id_1;
deffa48f
HF		 845 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
846 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
4bc123b1
HF		 847 }
848
849 /* prepare xcrb struct */
850 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
851
852 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
853 rc = _zcrypt_send_cprb(&xcrb);
854 if (rc) {
855 DEBUG_ERR(
856 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
857 __func__, (int) cardnr, (int) domain, rc);
858 goto out;
859 }
860
861 /* check response returncode and reasoncode */
862 if (prepcblk->ccp_rtcode != 0) {
863 DEBUG_ERR(
864 "%s cipher key generate failure, card response %d/%d\n",
865 __func__,
866 (int) prepcblk->ccp_rtcode,
867 (int) prepcblk->ccp_rscode);
868 rc = -EIO;
869 goto out;
870 }
871
872 /* process response cprb param block */
74ecbef7
HF		 873 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
874 prepcblk->rpl_parmb = (u8 __user *) ptr;
875 prepparm = (struct gkrepparm *) ptr;
4bc123b1
HF		 876
877 /* do some plausibility checks on the key block */
878 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
879 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
880 DEBUG_ERR("%s reply with invalid or unknown key block\n",
881 __func__);
882 rc = -EIO;
883 goto out;
884 }
885
886 /* and some checks on the generated key */
887 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
888 prepparm->kb.tlv1.gen_key,
889 keybitsize, 1);
890 if (rc) {
891 rc = -EIO;
892 goto out;
893 }
894
895 /* copy the generated vlsc key token */
896 t = (struct cipherkeytoken *) prepparm->kb.tlv1.gen_key;
897 if (keybuf) {
898 if (*keybufsize >= t->len)
899 memcpy(keybuf, t, t->len);
900 else
901 rc = -EINVAL;
902 }
903 *keybufsize = t->len;
904
905out:
906 free_cprbmem(mem, PARMBSIZE, 0);
907 return rc;
908}
909EXPORT_SYMBOL(cca_gencipherkey);
910
911/*
912 * Helper function, does a the CSNBKPI2 CPRB.
913 */
914static int _ip_cprb_helper(u16 cardnr, u16 domain,
915 const char *rule_array_1,
916 const char *rule_array_2,
917 const char *rule_array_3,
918 const u8 *clr_key_value,
919 int clr_key_bit_size,
920 u8 *key_token,
921 int *key_token_size)
922{
923 int rc, n;
74ecbef7 924 u8 *mem, *ptr;
4bc123b1
HF		 925 struct CPRBX *preqcblk, *prepcblk;
926 struct ica_xcRB xcrb;
927 struct rule_array_block {
928 u8 subfunc_code[2];
929 u16 rule_array_len;
930 char rule_array[0];
931 } __packed * preq_ra_block;
932 struct vud_block {
933 u16 len;
934 struct {
935 u16 len;
936 u16 flag; /* 0x0064 */
937 u16 clr_key_bit_len;
938 } tlv1;
939 struct {
940 u16 len;
941 u16 flag; /* 0x0063 */
942 u8 clr_key[0]; /* clear key value bytes */
943 } tlv2;
944 } __packed * preq_vud_block;
945 struct key_block {
946 u16 len;
947 struct {
948 u16 len;
949 u16 flag; /* 0x0030 */
950 u8 key_token[0]; /* key skeleton */
951 } tlv1;
952 } __packed * preq_key_block;
953 struct iprepparm {
954 u8 subfunc_code[2];
955 u16 rule_array_len;
956 struct {
957 u16 len;
958 } vud;
959 struct {
960 u16 len;
961 struct {
962 u16 len;
963 u16 flag; /* 0x0030 */
964 u8 key_token[0]; /* key token */
965 } tlv1;
966 } kb;
967 } __packed * prepparm;
968 struct cipherkeytoken *t;
969 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
970
971 /* get already prepared memory for 2 cprbs with param block each */
972 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
973 if (rc)
974 return rc;
975
976 /* fill request cprb struct */
977 preqcblk->domain = domain;
978 preqcblk->req_parml = 0;
979
980 /* prepare request param block with IP request */
74ecbef7 981 preq_ra_block = (struct rule_array_block __force *) preqcblk->req_parmb;
4bc123b1
HF		 982 memcpy(preq_ra_block->subfunc_code, "IP", 2);
983 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
984 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
985 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
986 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
987 if (rule_array_3) {
988 preq_ra_block->rule_array_len += 8;
989 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
990 preqcblk->req_parml += 8;
991 }
992
993 /* prepare vud block */
74ecbef7 994 preq_vud_block = (struct vud_block __force *)
4bc123b1
HF		 995 (preqcblk->req_parmb + preqcblk->req_parml);
996 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
997 preq_vud_block->len = sizeof(struct vud_block) + n;
998 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
999 preq_vud_block->tlv1.flag = 0x0064;
1000 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
1001 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
1002 preq_vud_block->tlv2.flag = 0x0063;
1003 if (!complete)
1004 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1005 preqcblk->req_parml += preq_vud_block->len;
1006
1007 /* prepare key block */
74ecbef7 1008 preq_key_block = (struct key_block __force *)
4bc123b1
HF		 1009 (preqcblk->req_parmb + preqcblk->req_parml);
1010 n = *key_token_size;
1011 preq_key_block->len = sizeof(struct key_block) + n;
1012 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1013 preq_key_block->tlv1.flag = 0x0030;
1014 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1015 preqcblk->req_parml += preq_key_block->len;
1016
1017 /* prepare xcrb struct */
1018 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1019
1020 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1021 rc = _zcrypt_send_cprb(&xcrb);
1022 if (rc) {
1023 DEBUG_ERR(
1024 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1025 __func__, (int) cardnr, (int) domain, rc);
1026 goto out;
1027 }
1028
1029 /* check response returncode and reasoncode */
1030 if (prepcblk->ccp_rtcode != 0) {
1031 DEBUG_ERR(
1032 "%s CSNBKPI2 failure, card response %d/%d\n",
1033 __func__,
1034 (int) prepcblk->ccp_rtcode,
1035 (int) prepcblk->ccp_rscode);
1036 rc = -EIO;
1037 goto out;
1038 }
1039
1040 /* process response cprb param block */
74ecbef7
HF		 1041 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1042 prepcblk->rpl_parmb = (u8 __user *) ptr;
1043 prepparm = (struct iprepparm *) ptr;
4bc123b1
HF		 1044
1045 /* do some plausibility checks on the key block */
94dd3bad
HF		 1046 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1047 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
4bc123b1
HF		 1048 DEBUG_ERR("%s reply with invalid or unknown key block\n",
1049 __func__);
1050 rc = -EIO;
1051 goto out;
1052 }
1053
1054 /* do not check the key here, it may be incomplete */
1055
1056 /* copy the vlsc key token back */
1057 t = (struct cipherkeytoken *) prepparm->kb.tlv1.key_token;
1058 memcpy(key_token, t, t->len);
1059 *key_token_size = t->len;
1060
1061out:
1062 free_cprbmem(mem, PARMBSIZE, 0);
1063 return rc;
1064}
1065
1066/*
1067 * Build CCA AES CIPHER secure key with a given clear key value.
1068 */
1069int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1070 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1071{
1072 int rc;
1073 u8 *token;
1074 int tokensize;
1075 u8 exorbuf[32];
1076 struct cipherkeytoken *t;
1077
1078 /* fill exorbuf with random data */
1079 get_random_bytes(exorbuf, sizeof(exorbuf));
1080
1081 /* allocate space for the key token to build */
1082 token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1083 if (!token)
1084 return -ENOMEM;
1085
1086 /* prepare the token with the key skeleton */
1087 tokensize = SIZEOF_SKELETON;
1088 memcpy(token, aes_cipher_key_skeleton, tokensize);
1089
1090 /* patch the skeleton key token export flags */
1091 if (keygenflags) {
1092 t = (struct cipherkeytoken *) token;
1093 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
1094 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
1095 }
1096
1097 /*
1098 * Do the key import with the clear key value in 4 steps:
1099 * 1/4 FIRST import with only random data
1100 * 2/4 EXOR the clear key
1101 * 3/4 EXOR the very same random data again
1102 * 4/4 COMPLETE the secure cipher key import
1103 */
1104 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1105 exorbuf, keybitsize, token, &tokensize);
1106 if (rc) {
1107 DEBUG_ERR(
1108 "%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1109 __func__, rc);
1110 goto out;
1111 }
1112 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1113 clrkey, keybitsize, token, &tokensize);
1114 if (rc) {
1115 DEBUG_ERR(
1116 "%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1117 __func__, rc);
1118 goto out;
1119 }
1120 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1121 exorbuf, keybitsize, token, &tokensize);
1122 if (rc) {
1123 DEBUG_ERR(
1124 "%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1125 __func__, rc);
1126 goto out;
1127 }
1128 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1129 NULL, keybitsize, token, &tokensize);
1130 if (rc) {
1131 DEBUG_ERR(
1132 "%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1133 __func__, rc);
1134 goto out;
1135 }
1136
1137 /* copy the generated key token */
1138 if (keybuf) {
1139 if (tokensize > *keybufsize)
1140 rc = -EINVAL;
1141 else
1142 memcpy(keybuf, token, tokensize);
1143 }
1144 *keybufsize = tokensize;
1145
1146out:
1147 kfree(token);
1148 return rc;
1149}
1150EXPORT_SYMBOL(cca_clr2cipherkey);
1151
1152/*
1153 * Derive proteced key from CCA AES cipher secure key.
1154 */
1155int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1156 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1157{
1158 int rc;
74ecbef7 1159 u8 *mem, *ptr;
4bc123b1
HF		 1160 struct CPRBX *preqcblk, *prepcblk;
1161 struct ica_xcRB xcrb;
1162 struct aureqparm {
1163 u8 subfunc_code[2];
1164 u16 rule_array_len;
1165 u8 rule_array[8];
1166 struct {
1167 u16 len;
1168 u16 tk_blob_len;
1169 u16 tk_blob_tag;
1170 u8 tk_blob[66];
1171 } vud;
1172 struct {
1173 u16 len;
1174 u16 cca_key_token_len;
1175 u16 cca_key_token_flags;
1176 u8 cca_key_token[0]; // 64 or more
1177 } kb;
1178 } __packed * preqparm;
1179 struct aurepparm {
1180 u8 subfunc_code[2];
1181 u16 rule_array_len;
1182 struct {
1183 u16 len;
1184 u16 sublen;
1185 u16 tag;
1186 struct cpacfkeyblock {
1187 u8 version; /* version of this struct */
1188 u8 flags[2];
1189 u8 algo;
1190 u8 form;
1191 u8 pad1[3];
1192 u16 keylen;
1193 u8 key[64]; /* the key (keylen bytes) */
1194 u16 keyattrlen;
1195 u8 keyattr[32];
1196 u8 pad2[1];
1197 u8 vptype;
1198 u8 vp[32]; /* verification pattern */
1199 } ckb;
1200 } vud;
1201 struct {
1202 u16 len;
1203 } kb;
1204 } __packed * prepparm;
1205 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1206
1207 /* get already prepared memory for 2 cprbs with param block each */
1208 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1209 if (rc)
1210 return rc;
1211
1212 /* fill request cprb struct */
1213 preqcblk->domain = domain;
1214
1215 /* fill request cprb param block with AU request */
74ecbef7 1216 preqparm = (struct aureqparm __force *) preqcblk->req_parmb;
4bc123b1
HF		 1217 memcpy(preqparm->subfunc_code, "AU", 2);
1218 preqparm->rule_array_len =
1219 sizeof(preqparm->rule_array_len)
1220 + sizeof(preqparm->rule_array);
1221 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1222 /* vud, tk blob */
1223 preqparm->vud.len = sizeof(preqparm->vud);
1224 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1225 + 2 * sizeof(uint16_t);
1226 preqparm->vud.tk_blob_tag = 0x00C2;
1227 /* kb, cca token */
1228 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1229 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1230 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1231 /* now fill length of param block into cprb */
1232 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1233
1234 /* fill xcrb struct */
1235 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1236
1237 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1238 rc = _zcrypt_send_cprb(&xcrb);
1239 if (rc) {
1240 DEBUG_ERR(
1241 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1242 __func__, (int) cardnr, (int) domain, rc);
1243 goto out;
1244 }
1245
1246 /* check response returncode and reasoncode */
1247 if (prepcblk->ccp_rtcode != 0) {
1248 DEBUG_ERR(
1249 "%s unwrap secure key failure, card response %d/%d\n",
1250 __func__,
1251 (int) prepcblk->ccp_rtcode,
1252 (int) prepcblk->ccp_rscode);
1253 rc = -EIO;
1254 goto out;
1255 }
1256 if (prepcblk->ccp_rscode != 0) {
1257 DEBUG_WARN(
1258 "%s unwrap secure key warning, card response %d/%d\n",
1259 __func__,
1260 (int) prepcblk->ccp_rtcode,
1261 (int) prepcblk->ccp_rscode);
1262 }
1263
1264 /* process response cprb param block */
74ecbef7
HF		 1265 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1266 prepcblk->rpl_parmb = (u8 __user *) ptr;
1267 prepparm = (struct aurepparm *) ptr;
4bc123b1
HF		 1268
1269 /* check the returned keyblock */
c4f762ff
HF		 1270 if (prepparm->vud.ckb.version != 0x01 &&
1271 prepparm->vud.ckb.version != 0x02) {
1272 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1273 __func__, (int) prepparm->vud.ckb.version);
4bc123b1
HF		 1274 rc = -EIO;
1275 goto out;
1276 }
1277 if (prepparm->vud.ckb.algo != 0x02) {
1278 DEBUG_ERR(
1279 "%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1280 __func__, (int) prepparm->vud.ckb.algo);
1281 rc = -EIO;
1282 goto out;
1283 }
1284
1285 /* copy the translated protected key */
1286 switch (prepparm->vud.ckb.keylen) {
1287 case 16+32:
1288 /* AES 128 protected key */
1289 if (protkeytype)
1290 *protkeytype = PKEY_KEYTYPE_AES_128;
1291 break;
1292 case 24+32:
1293 /* AES 192 protected key */
1294 if (protkeytype)
1295 *protkeytype = PKEY_KEYTYPE_AES_192;
1296 break;
1297 case 32+32:
1298 /* AES 256 protected key */
1299 if (protkeytype)
1300 *protkeytype = PKEY_KEYTYPE_AES_256;
1301 break;
1302 default:
1303 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1304 __func__, prepparm->vud.ckb.keylen);
1305 rc = -EIO;
1306 goto out;
1307 }
1308 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1309 if (protkeylen)
1310 *protkeylen = prepparm->vud.ckb.keylen;
1311
1312out:
1313 free_cprbmem(mem, PARMBSIZE, 0);
1314 return rc;
1315}
1316EXPORT_SYMBOL(cca_cipher2protkey);
1317
efc598e6
HF		 1318/*
1319 * query cryptographic facility from CCA adapter
1320 */
1321int cca_query_crypto_facility(u16 cardnr, u16 domain,
1322 const char *keyword,
1323 u8 *rarray, size_t *rarraylen,
1324 u8 *varray, size_t *varraylen)
1325{
1326 int rc;
1327 u16 len;
1328 u8 *mem, *ptr;
1329 struct CPRBX *preqcblk, *prepcblk;
1330 struct ica_xcRB xcrb;
1331 struct fqreqparm {
1332 u8 subfunc_code[2];
1333 u16 rule_array_len;
1334 char rule_array[8];
1335 struct lv1 {
1336 u16 len;
1337 u8 data[VARDATASIZE];
1338 } lv1;
1339 u16 dummylen;
1340 } __packed * preqparm;
1341 size_t parmbsize = sizeof(struct fqreqparm);
1342 struct fqrepparm {
1343 u8 subfunc_code[2];
1344 u8 lvdata[0];
1345 } __packed * prepparm;
1346
1347 /* get already prepared memory for 2 cprbs with param block each */
1348 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1349 if (rc)
1350 return rc;
1351
1352 /* fill request cprb struct */
1353 preqcblk->domain = domain;
1354
1355 /* fill request cprb param block with FQ request */
74ecbef7 1356 preqparm = (struct fqreqparm __force *) preqcblk->req_parmb;
efc598e6
HF		 1357 memcpy(preqparm->subfunc_code, "FQ", 2);
1358 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1359 preqparm->rule_array_len =
1360 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1361 preqparm->lv1.len = sizeof(preqparm->lv1);
1362 preqparm->dummylen = sizeof(preqparm->dummylen);
1363 preqcblk->req_parml = parmbsize;
1364
1365 /* fill xcrb struct */
1366 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1367
1368 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1369 rc = _zcrypt_send_cprb(&xcrb);
1370 if (rc) {
1371 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1372 __func__, (int) cardnr, (int) domain, rc);
1373 goto out;
1374 }
1375
1376 /* check response returncode and reasoncode */
1377 if (prepcblk->ccp_rtcode != 0) {
1378 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1379 __func__,
1380 (int) prepcblk->ccp_rtcode,
1381 (int) prepcblk->ccp_rscode);
1382 rc = -EIO;
1383 goto out;
1384 }
1385
1386 /* process response cprb param block */
74ecbef7
HF		 1387 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1388 prepcblk->rpl_parmb = (u8 __user *) ptr;
1389 prepparm = (struct fqrepparm *) ptr;
efc598e6
HF		 1390 ptr = prepparm->lvdata;
1391
1392 /* check and possibly copy reply rule array */
1393 len = *((u16 *) ptr);
1394 if (len > sizeof(u16)) {
1395 ptr += sizeof(u16);
1396 len -= sizeof(u16);
1397 if (rarray && rarraylen && *rarraylen > 0) {
1398 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1399 memcpy(rarray, ptr, *rarraylen);
1400 }
1401 ptr += len;
1402 }
1403 /* check and possible copy reply var array */
1404 len = *((u16 *) ptr);
1405 if (len > sizeof(u16)) {
1406 ptr += sizeof(u16);
1407 len -= sizeof(u16);
1408 if (varray && varraylen && *varraylen > 0) {
1409 *varraylen = (len > *varraylen ? *varraylen : len);
1410 memcpy(varray, ptr, *varraylen);
1411 }
1412 ptr += len;
1413 }
1414
1415out:
1416 free_cprbmem(mem, parmbsize, 0);
1417 return rc;
1418}
1419EXPORT_SYMBOL(cca_query_crypto_facility);
1420
94bbd34e 1421static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
efc598e6
HF		 1422{
1423 int rc = -ENOENT;
94bbd34e 1424 struct cca_info_list_entry *ptr;
efc598e6 1425
94bbd34e
HF		 1426 spin_lock_bh(&cca_info_list_lock);
1427 list_for_each_entry(ptr, &cca_info_list, list) {
1428 if (ptr->cardnr == cardnr && ptr->domain == domain) {
1429 memcpy(ci, &ptr->info, sizeof(*ci));
efc598e6
HF		 1430 rc = 0;
1431 break;
1432 }
1433 }
94bbd34e 1434 spin_unlock_bh(&cca_info_list_lock);
efc598e6
HF		 1435
1436 return rc;
1437}
1438
94bbd34e
HF		 1439static void cca_info_cache_update(u16 cardnr, u16 domain,
1440 const struct cca_info *ci)
efc598e6
HF		 1441{
1442 int found = 0;
94bbd34e 1443 struct cca_info_list_entry *ptr;
efc598e6 1444
94bbd34e
HF		 1445 spin_lock_bh(&cca_info_list_lock);
1446 list_for_each_entry(ptr, &cca_info_list, list) {
efc598e6
HF		 1447 if (ptr->cardnr == cardnr &&
1448 ptr->domain == domain) {
94bbd34e 1449 memcpy(&ptr->info, ci, sizeof(*ci));
efc598e6
HF		 1450 found = 1;
1451 break;
1452 }
1453 }
1454 if (!found) {
1455 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1456 if (!ptr) {
94bbd34e 1457 spin_unlock_bh(&cca_info_list_lock);
efc598e6
HF		 1458 return;
1459 }
1460 ptr->cardnr = cardnr;
1461 ptr->domain = domain;
94bbd34e
HF		 1462 memcpy(&ptr->info, ci, sizeof(*ci));
1463 list_add(&ptr->list, &cca_info_list);
efc598e6 1464 }
94bbd34e 1465 spin_unlock_bh(&cca_info_list_lock);
efc598e6
HF		 1466}
1467
94bbd34e 1468static void cca_info_cache_scrub(u16 cardnr, u16 domain)
efc598e6 1469{
94bbd34e 1470 struct cca_info_list_entry *ptr;
efc598e6 1471
94bbd34e
HF		 1472 spin_lock_bh(&cca_info_list_lock);
1473 list_for_each_entry(ptr, &cca_info_list, list) {
efc598e6
HF		 1474 if (ptr->cardnr == cardnr &&
1475 ptr->domain == domain) {
1476 list_del(&ptr->list);
1477 kfree(ptr);
1478 break;
1479 }
1480 }
94bbd34e 1481 spin_unlock_bh(&cca_info_list_lock);
efc598e6
HF		 1482}
1483
1484static void __exit mkvp_cache_free(void)
1485{
94bbd34e 1486 struct cca_info_list_entry *ptr, *pnext;
efc598e6 1487
94bbd34e
HF		 1488 spin_lock_bh(&cca_info_list_lock);
1489 list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
efc598e6
HF		 1490 list_del(&ptr->list);
1491 kfree(ptr);
1492 }
94bbd34e 1493 spin_unlock_bh(&cca_info_list_lock);
efc598e6
HF		 1494}
1495
1496/*
94bbd34e 1497 * Fetch cca_info values via query_crypto_facility from adapter.
efc598e6 1498 */
94bbd34e 1499static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
efc598e6
HF		 1500{
1501 int rc, found = 0;
1502 size_t rlen, vlen;
1503 u8 *rarray, *varray, *pg;
4da57a2f 1504 struct zcrypt_device_status_ext devstat;
efc598e6 1505
4da57a2f
HF		 1506 memset(ci, 0, sizeof(*ci));
1507
1508 /* get first info from zcrypt device driver about this apqn */
1509 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1510 if (rc)
1511 return rc;
1512 ci->hwtype = devstat.hwtype;
1513
1514 /* prep page for rule array and var array use */
efc598e6
HF		 1515 pg = (u8 *) __get_free_page(GFP_KERNEL);
1516 if (!pg)
1517 return -ENOMEM;
1518 rarray = pg;
1519 varray = pg + PAGE_SIZE/2;
1520 rlen = vlen = PAGE_SIZE/2;
1521
4da57a2f 1522 /* QF for this card/domain */
efc598e6
HF		 1523 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1524 rarray, &rlen, varray, &vlen);
94bbd34e 1525 if (rc == 0 && rlen >= 10*8 && vlen >= 204) {
94bbd34e
HF		 1526 memcpy(ci->serial, rarray, 8);
1527 ci->new_mk_state = (char) rarray[7*8];
1528 ci->cur_mk_state = (char) rarray[8*8];
1529 ci->old_mk_state = (char) rarray[9*8];
1530 if (ci->old_mk_state == '2')
1531 memcpy(&ci->old_mkvp, varray + 172, 8);
1532 if (ci->cur_mk_state == '2')
1533 memcpy(&ci->cur_mkvp, varray + 184, 8);
1534 if (ci->new_mk_state == '3')
1535 memcpy(&ci->new_mkvp, varray + 196, 8);
1536 found = 1;
efc598e6
HF		 1537 }
1538
1539 free_page((unsigned long) pg);
1540
1541 return found ? 0 : -ENOENT;
1542}
1543
7c4e91c0
HF		 1544/*
1545 * Fetch cca information about a CCA queue.
1546 */
1547int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1548{
1549 int rc;
1550
1551 rc = cca_info_cache_fetch(card, dom, ci);
1552 if (rc || verify) {
1553 rc = fetch_cca_info(card, dom, ci);
1554 if (rc == 0)
1555 cca_info_cache_update(card, dom, ci);
1556 }
1557
1558 return rc;
1559}
1560EXPORT_SYMBOL(cca_get_info);
1561
efc598e6 1562/*
4da57a2f
HF		 1563 * Search for a matching crypto card based on the
1564 * Master Key Verification Pattern given.
efc598e6 1565 */
4da57a2f
HF		 1566static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1567 int verify, int minhwtype)
efc598e6 1568{
efc598e6
HF		 1569 struct zcrypt_device_status_ext *device_status;
1570 u16 card, dom;
94bbd34e 1571 struct cca_info ci;
efc598e6
HF		 1572 int i, rc, oi = -1;
1573
4da57a2f
HF		 1574 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1575 if (mkvp == 0 || minhwtype < 0)
efc598e6
HF		 1576 return -EINVAL;
1577
1578 /* fetch status of all crypto cards */
34515df2
HF		 1579 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1580 sizeof(struct zcrypt_device_status_ext),
1581 GFP_KERNEL);
efc598e6
HF		 1582 if (!device_status)
1583 return -ENOMEM;
1584 zcrypt_device_status_mask_ext(device_status);
1585
1586 /* walk through all crypto cards */
1587 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1588 card = AP_QID_CARD(device_status[i].qid);
1589 dom = AP_QID_QUEUE(device_status[i].qid);
1590 if (device_status[i].online &&
1591 device_status[i].functions & 0x04) {
94bbd34e
HF		 1592 /* enabled CCA card, check current mkvp from cache */
1593 if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
4da57a2f 1594 ci.hwtype >= minhwtype &&
94bbd34e 1595 ci.cur_mk_state == '2' &&
4da57a2f 1596 ci.cur_mkvp == mkvp) {
efc598e6
HF		 1597 if (!verify)
1598 break;
94bbd34e
HF		 1599 /* verify: refresh card info */
1600 if (fetch_cca_info(card, dom, &ci) == 0) {
1601 cca_info_cache_update(card, dom, &ci);
4da57a2f
HF		 1602 if (ci.hwtype >= minhwtype &&
1603 ci.cur_mk_state == '2' &&
1604 ci.cur_mkvp == mkvp)
efc598e6
HF		 1605 break;
1606 }
1607 }
1608 } else {
1609 /* Card is offline and/or not a CCA card. */
1610 /* del mkvp entry from cache if it exists */
94bbd34e 1611 cca_info_cache_scrub(card, dom);
efc598e6
HF		 1612 }
1613 }
1614 if (i >= MAX_ZDEV_ENTRIES_EXT) {
1615 /* nothing found, so this time without cache */
1616 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1617 if (!(device_status[i].online &&
1618 device_status[i].functions & 0x04))
1619 continue;
1620 card = AP_QID_CARD(device_status[i].qid);
1621 dom = AP_QID_QUEUE(device_status[i].qid);
1622 /* fresh fetch mkvp from adapter */
94bbd34e
HF		 1623 if (fetch_cca_info(card, dom, &ci) == 0) {
1624 cca_info_cache_update(card, dom, &ci);
4da57a2f
HF		 1625 if (ci.hwtype >= minhwtype &&
1626 ci.cur_mk_state == '2' &&
1627 ci.cur_mkvp == mkvp)
efc598e6 1628 break;
4da57a2f
HF		 1629 if (ci.hwtype >= minhwtype &&
1630 ci.old_mk_state == '2' &&
1631 ci.old_mkvp == mkvp &&
94bbd34e 1632 oi < 0)
efc598e6
HF		 1633 oi = i;
1634 }
1635 }
1636 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1637 /* old mkvp matched, use this card then */
1638 card = AP_QID_CARD(device_status[oi].qid);
1639 dom = AP_QID_QUEUE(device_status[oi].qid);
1640 }
1641 }
1642 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1643 if (pcardnr)
1644 *pcardnr = card;
1645 if (pdomain)
1646 *pdomain = dom;
1647 rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1648 } else
1649 rc = -ENODEV;
1650
34515df2 1651 kvfree(device_status);
efc598e6
HF		 1652 return rc;
1653}
4da57a2f
HF		 1654
1655/*
1656 * Search for a matching crypto card based on the Master Key
1657 * Verification Pattern provided inside a secure key token.
1658 */
1659int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1660{
1661 u64 mkvp;
f2bbc96e 1662 int minhwtype = 0;
4da57a2f
HF		 1663 const struct keytoken_header *hdr = (struct keytoken_header *) key;
1664
1665 if (hdr->type != TOKTYPE_CCA_INTERNAL)
1666 return -EINVAL;
1667
1668 switch (hdr->version) {
1669 case TOKVER_CCA_AES:
1670 mkvp = ((struct secaeskeytoken *)key)->mkvp;
1671 break;
f2bbc96e
HF		 1672 case TOKVER_CCA_VLSC:
1673 mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1674 minhwtype = AP_DEVICE_TYPE_CEX6;
1675 break;
4da57a2f
HF		 1676 default:
1677 return -EINVAL;
1678 }
1679
f2bbc96e 1680 return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
4da57a2f 1681}
efc598e6
HF		 1682EXPORT_SYMBOL(cca_findcard);
1683
4bc123b1
HF		 1684int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1685 int minhwtype, u64 cur_mkvp, u64 old_mkvp, int verify)
1686{
1687 struct zcrypt_device_status_ext *device_status;
1688 int i, n, card, dom, curmatch, oldmatch, rc = 0;
1689 struct cca_info ci;
1690
1691 *apqns = NULL;
1692 *nr_apqns = 0;
1693
1694 /* fetch status of all crypto cards */
b6186d7f
HF		 1695 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1696 sizeof(struct zcrypt_device_status_ext),
1697 GFP_KERNEL);
4bc123b1
HF		 1698 if (!device_status)
1699 return -ENOMEM;
1700 zcrypt_device_status_mask_ext(device_status);
1701
1702 /* loop two times: first gather eligible apqns, then store them */
1703 while (1) {
1704 n = 0;
1705 /* walk through all the crypto cards */
1706 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1707 card = AP_QID_CARD(device_status[i].qid);
1708 dom = AP_QID_QUEUE(device_status[i].qid);
1709 /* check online state */
1710 if (!device_status[i].online)
1711 continue;
1712 /* check for cca functions */
1713 if (!(device_status[i].functions & 0x04))
1714 continue;
1715 /* check cardnr */
1716 if (cardnr != 0xFFFF && card != cardnr)
1717 continue;
1718 /* check domain */
1719 if (domain != 0xFFFF && dom != domain)
1720 continue;
1721 /* get cca info on this apqn */
1722 if (cca_get_info(card, dom, &ci, verify))
1723 continue;
1724 /* current master key needs to be valid */
1725 if (ci.cur_mk_state != '2')
1726 continue;
1727 /* check min hardware type */
1728 if (minhwtype > 0 && minhwtype > ci.hwtype)
1729 continue;
1730 if (cur_mkvp || old_mkvp) {
1731 /* check mkvps */
1732 curmatch = oldmatch = 0;
1733 if (cur_mkvp && cur_mkvp == ci.cur_mkvp)
1734 curmatch = 1;
1735 if (old_mkvp && ci.old_mk_state == '2' &&
1736 old_mkvp == ci.old_mkvp)
1737 oldmatch = 1;
1738 if ((cur_mkvp || old_mkvp) &&
1739 (curmatch + oldmatch < 1))
1740 continue;
1741 }
1742 /* apqn passed all filtering criterons */
1743 if (*apqns && n < *nr_apqns)
1744 (*apqns)[n] = (((u16)card) << 16) | ((u16) dom);
1745 n++;
1746 }
1747 /* loop 2nd time: array has been filled */
1748 if (*apqns)
1749 break;
1750 /* loop 1st time: have # of eligible apqns in n */
1751 if (!n) {
1752 rc = -ENODEV; /* no eligible apqns found */
1753 break;
1754 }
1755 *nr_apqns = n;
1756 /* allocate array to store n apqns into */
1757 *apqns = kmalloc_array(n, sizeof(u32), GFP_KERNEL);
1758 if (!*apqns) {
1759 rc = -ENOMEM;
1760 break;
1761 }
1762 verify = 0;
1763 }
1764
b6186d7f 1765 kvfree(device_status);
4bc123b1
HF		 1766 return rc;
1767}
1768EXPORT_SYMBOL(cca_findcard2);
1769
efc598e6
HF		 1770void __exit zcrypt_ccamisc_exit(void)
1771{
1772 mkvp_cache_free();
1773}
Linux 6.x block layer and io_uring tree(s)