1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
6 *
7 * Collection of CCA misc functions used by zcrypt and pkey
8 */
9
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
12
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
18 #include <asm/pkey.h>
19
20 #include "ap_bus.h"
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
25
26 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
30
31 /* Size of parameter block used for all cca requests/replies */
32 #define PARMBSIZE 512
33
34 /* Size of vardata block used for some of the cca requests/replies */
35 #define VARDATASIZE 4096
36
37 struct cca_info_list_entry {
38 struct list_head list;
39 u16 cardnr;
40 u16 domain;
41 struct cca_info info;
42 };
43
44 /* a list with cca_info_list_entry entries */
45 static LIST_HEAD(cca_info_list);
46 static DEFINE_SPINLOCK(cca_info_list_lock);
47
48 /*
49 * Simple check if the token is a valid CCA secure AES data key
50 * token. If keybitsize is given, the bitsize of the key is
51 * also checked. Returns 0 on success or errno value on failure.
52 */
cca_check_secaeskeytoken(debug_info_t * dbg,int dbflvl,const u8 * token,int keybitsize)53 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
54 const u8 *token, int keybitsize)
55 {
56 struct secaeskeytoken *t = (struct secaeskeytoken *) token;
57
58 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
59
60 if (t->type != TOKTYPE_CCA_INTERNAL) {
61 if (dbg)
62 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
64 return -EINVAL;
65 }
66 if (t->version != TOKVER_CCA_AES) {
67 if (dbg)
68 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 __func__, (int) t->version, TOKVER_CCA_AES);
70 return -EINVAL;
71 }
72 if (keybitsize > 0 && t->bitsize != keybitsize) {
73 if (dbg)
74 DBF("%s token check failed, bitsize %d != %d\n",
75 __func__, (int) t->bitsize, keybitsize);
76 return -EINVAL;
77 }
78
79 #undef DBF
80
81 return 0;
82 }
83 EXPORT_SYMBOL(cca_check_secaeskeytoken);
84
85 /*
86 * Simple check if the token is a valid CCA secure AES cipher key
87 * token. If keybitsize is given, the bitsize of the key is
88 * also checked. If checkcpacfexport is enabled, the key is also
89 * checked for the export flag to allow CPACF export.
90 * Returns 0 on success or errno value on failure.
91 */
cca_check_secaescipherkey(debug_info_t * dbg,int dbflvl,const u8 * token,int keybitsize,int checkcpacfexport)92 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
93 const u8 *token, int keybitsize,
94 int checkcpacfexport)
95 {
96 struct cipherkeytoken *t = (struct cipherkeytoken *) token;
97 bool keybitsizeok = true;
98
99 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
100
101 if (t->type != TOKTYPE_CCA_INTERNAL) {
102 if (dbg)
103 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
105 return -EINVAL;
106 }
107 if (t->version != TOKVER_CCA_VLSC) {
108 if (dbg)
109 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 __func__, (int) t->version, TOKVER_CCA_VLSC);
111 return -EINVAL;
112 }
113 if (t->algtype != 0x02) {
114 if (dbg)
115 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 __func__, (int) t->algtype);
117 return -EINVAL;
118 }
119 if (t->keytype != 0x0001) {
120 if (dbg)
121 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 __func__, (int) t->keytype);
123 return -EINVAL;
124 }
125 if (t->plfver != 0x00 && t->plfver != 0x01) {
126 if (dbg)
127 DBF("%s token check failed, unknown plfver 0x%02x\n",
128 __func__, (int) t->plfver);
129 return -EINVAL;
130 }
131 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
132 if (dbg)
133 DBF("%s token check failed, unknown wpllen %d\n",
134 __func__, (int) t->wpllen);
135 return -EINVAL;
136 }
137 if (keybitsize > 0) {
138 switch (keybitsize) {
139 case 128:
140 if (t->wpllen != (t->plfver ? 640 : 512))
141 keybitsizeok = false;
142 break;
143 case 192:
144 if (t->wpllen != (t->plfver ? 640 : 576))
145 keybitsizeok = false;
146 break;
147 case 256:
148 if (t->wpllen != 640)
149 keybitsizeok = false;
150 break;
151 default:
152 keybitsizeok = false;
153 break;
154 }
155 if (!keybitsizeok) {
156 if (dbg)
157 DBF("%s token check failed, bitsize %d\n",
158 __func__, keybitsize);
159 return -EINVAL;
160 }
161 }
162 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
163 if (dbg)
164 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
165 __func__);
166 return -EINVAL;
167 }
168
169 #undef DBF
170
171 return 0;
172 }
173 EXPORT_SYMBOL(cca_check_secaescipherkey);
174
175 /*
176 * Simple check if the token is a valid CCA secure ECC private
177 * key token. Returns 0 on success or errno value on failure.
178 */
cca_check_sececckeytoken(debug_info_t * dbg,int dbflvl,const u8 * token,size_t keysize,int checkcpacfexport)179 int cca_check_sececckeytoken(debug_info_t *dbg, int dbflvl,
180 const u8 *token, size_t keysize,
181 int checkcpacfexport)
182 {
183 struct eccprivkeytoken *t = (struct eccprivkeytoken *) token;
184
185 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
186
187 if (t->type != TOKTYPE_CCA_INTERNAL_PKA) {
188 if (dbg)
189 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
190 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL_PKA);
191 return -EINVAL;
192 }
193 if (t->len > keysize) {
194 if (dbg)
195 DBF("%s token check failed, len %d > keysize %zu\n",
196 __func__, (int) t->len, keysize);
197 return -EINVAL;
198 }
199 if (t->secid != 0x20) {
200 if (dbg)
201 DBF("%s token check failed, secid 0x%02x != 0x20\n",
202 __func__, (int) t->secid);
203 return -EINVAL;
204 }
205 if (checkcpacfexport && !(t->kutc & 0x01)) {
206 if (dbg)
207 DBF("%s token check failed, XPRTCPAC bit is 0\n",
208 __func__);
209 return -EINVAL;
210 }
211
212 #undef DBF
213
214 return 0;
215 }
216 EXPORT_SYMBOL(cca_check_sececckeytoken);
217
218 /*
219 * Allocate consecutive memory for request CPRB, request param
220 * block, reply CPRB and reply param block and fill in values
221 * for the common fields. Returns 0 on success or errno value
222 * on failure.
223 */
alloc_and_prep_cprbmem(size_t paramblen,u8 ** pcprbmem,struct CPRBX ** preqCPRB,struct CPRBX ** prepCPRB)224 static int alloc_and_prep_cprbmem(size_t paramblen,
225 u8 **pcprbmem,
226 struct CPRBX **preqCPRB,
227 struct CPRBX **prepCPRB)
228 {
229 u8 *cprbmem;
230 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
231 struct CPRBX *preqcblk, *prepcblk;
232
233 /*
234 * allocate consecutive memory for request CPRB, request param
235 * block, reply CPRB and reply param block
236 */
237 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
238 if (!cprbmem)
239 return -ENOMEM;
240
241 preqcblk = (struct CPRBX *) cprbmem;
242 prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen);
243
244 /* fill request cprb struct */
245 preqcblk->cprb_len = sizeof(struct CPRBX);
246 preqcblk->cprb_ver_id = 0x02;
247 memcpy(preqcblk->func_id, "T2", 2);
248 preqcblk->rpl_msgbl = cprbplusparamblen;
249 if (paramblen) {
250 preqcblk->req_parmb =
251 ((u8 __user *) preqcblk) + sizeof(struct CPRBX);
252 preqcblk->rpl_parmb =
253 ((u8 __user *) prepcblk) + sizeof(struct CPRBX);
254 }
255
256 *pcprbmem = cprbmem;
257 *preqCPRB = preqcblk;
258 *prepCPRB = prepcblk;
259
260 return 0;
261 }
262
263 /*
264 * Free the cprb memory allocated with the function above.
265 * If the scrub value is not zero, the memory is filled
266 * with zeros before freeing (useful if there was some
267 * clear key material in there).
268 */
free_cprbmem(void * mem,size_t paramblen,int scrub)269 static void free_cprbmem(void *mem, size_t paramblen, int scrub)
270 {
271 if (scrub)
272 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
273 kfree(mem);
274 }
275
276 /*
277 * Helper function to prepare the xcrb struct
278 */
prep_xcrb(struct ica_xcRB * pxcrb,u16 cardnr,struct CPRBX * preqcblk,struct CPRBX * prepcblk)279 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
280 u16 cardnr,
281 struct CPRBX *preqcblk,
282 struct CPRBX *prepcblk)
283 {
284 memset(pxcrb, 0, sizeof(*pxcrb));
285 pxcrb->agent_ID = 0x4341; /* 'CA' */
286 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
287 pxcrb->request_control_blk_length =
288 preqcblk->cprb_len + preqcblk->req_parml;
289 pxcrb->request_control_blk_addr = (void __user *) preqcblk;
290 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
291 pxcrb->reply_control_blk_addr = (void __user *) prepcblk;
292 }
293
294 /*
295 * Generate (random) CCA AES DATA secure key.
296 */
cca_genseckey(u16 cardnr,u16 domain,u32 keybitsize,u8 seckey[SECKEYBLOBSIZE])297 int cca_genseckey(u16 cardnr, u16 domain,
298 u32 keybitsize, u8 seckey[SECKEYBLOBSIZE])
299 {
300 int i, rc, keysize;
301 int seckeysize;
302 u8 *mem, *ptr;
303 struct CPRBX *preqcblk, *prepcblk;
304 struct ica_xcRB xcrb;
305 struct kgreqparm {
306 u8 subfunc_code[2];
307 u16 rule_array_len;
308 struct lv1 {
309 u16 len;
310 char key_form[8];
311 char key_length[8];
312 char key_type1[8];
313 char key_type2[8];
314 } lv1;
315 struct lv2 {
316 u16 len;
317 struct keyid {
318 u16 len;
319 u16 attr;
320 u8 data[SECKEYBLOBSIZE];
321 } keyid[6];
322 } lv2;
323 } __packed * preqparm;
324 struct kgrepparm {
325 u8 subfunc_code[2];
326 u16 rule_array_len;
327 struct lv3 {
328 u16 len;
329 u16 keyblocklen;
330 struct {
331 u16 toklen;
332 u16 tokattr;
333 u8 tok[0];
334 /* ... some more data ... */
335 } keyblock;
336 } lv3;
337 } __packed * prepparm;
338
339 /* get already prepared memory for 2 cprbs with param block each */
340 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
341 if (rc)
342 return rc;
343
344 /* fill request cprb struct */
345 preqcblk->domain = domain;
346
347 /* fill request cprb param block with KG request */
348 preqparm = (struct kgreqparm __force *) preqcblk->req_parmb;
349 memcpy(preqparm->subfunc_code, "KG", 2);
350 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
351 preqparm->lv1.len = sizeof(struct lv1);
352 memcpy(preqparm->lv1.key_form, "OP ", 8);
353 switch (keybitsize) {
354 case PKEY_SIZE_AES_128:
355 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
356 keysize = 16;
357 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
358 break;
359 case PKEY_SIZE_AES_192:
360 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
361 keysize = 24;
362 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
363 break;
364 case PKEY_SIZE_AES_256:
365 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
366 keysize = 32;
367 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
368 break;
369 default:
370 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
371 __func__, keybitsize);
372 rc = -EINVAL;
373 goto out;
374 }
375 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
376 preqparm->lv2.len = sizeof(struct lv2);
377 for (i = 0; i < 6; i++) {
378 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
379 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
380 }
381 preqcblk->req_parml = sizeof(struct kgreqparm);
382
383 /* fill xcrb struct */
384 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
385
386 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
387 rc = zcrypt_send_cprb(&xcrb);
388 if (rc) {
389 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
390 __func__, (int) cardnr, (int) domain, rc);
391 goto out;
392 }
393
394 /* check response returncode and reasoncode */
395 if (prepcblk->ccp_rtcode != 0) {
396 DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
397 __func__,
398 (int) prepcblk->ccp_rtcode,
399 (int) prepcblk->ccp_rscode);
400 rc = -EIO;
401 goto out;
402 }
403
404 /* process response cprb param block */
405 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
406 prepcblk->rpl_parmb = (u8 __user *) ptr;
407 prepparm = (struct kgrepparm *) ptr;
408
409 /* check length of the returned secure key token */
410 seckeysize = prepparm->lv3.keyblock.toklen
411 - sizeof(prepparm->lv3.keyblock.toklen)
412 - sizeof(prepparm->lv3.keyblock.tokattr);
413 if (seckeysize != SECKEYBLOBSIZE) {
414 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
415 __func__, seckeysize, SECKEYBLOBSIZE);
416 rc = -EIO;
417 goto out;
418 }
419
420 /* check secure key token */
421 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
422 prepparm->lv3.keyblock.tok, 8*keysize);
423 if (rc) {
424 rc = -EIO;
425 goto out;
426 }
427
428 /* copy the generated secure key token */
429 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
430
431 out:
432 free_cprbmem(mem, PARMBSIZE, 0);
433 return rc;
434 }
435 EXPORT_SYMBOL(cca_genseckey);
436
437 /*
438 * Generate an CCA AES DATA secure key with given key value.
439 */
cca_clr2seckey(u16 cardnr,u16 domain,u32 keybitsize,const u8 * clrkey,u8 seckey[SECKEYBLOBSIZE])440 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
441 const u8 *clrkey, u8 seckey[SECKEYBLOBSIZE])
442 {
443 int rc, keysize, seckeysize;
444 u8 *mem, *ptr;
445 struct CPRBX *preqcblk, *prepcblk;
446 struct ica_xcRB xcrb;
447 struct cmreqparm {
448 u8 subfunc_code[2];
449 u16 rule_array_len;
450 char rule_array[8];
451 struct lv1 {
452 u16 len;
453 u8 clrkey[0];
454 } lv1;
455 struct lv2 {
456 u16 len;
457 struct keyid {
458 u16 len;
459 u16 attr;
460 u8 data[SECKEYBLOBSIZE];
461 } keyid;
462 } lv2;
463 } __packed * preqparm;
464 struct lv2 *plv2;
465 struct cmrepparm {
466 u8 subfunc_code[2];
467 u16 rule_array_len;
468 struct lv3 {
469 u16 len;
470 u16 keyblocklen;
471 struct {
472 u16 toklen;
473 u16 tokattr;
474 u8 tok[0];
475 /* ... some more data ... */
476 } keyblock;
477 } lv3;
478 } __packed * prepparm;
479
480 /* get already prepared memory for 2 cprbs with param block each */
481 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
482 if (rc)
483 return rc;
484
485 /* fill request cprb struct */
486 preqcblk->domain = domain;
487
488 /* fill request cprb param block with CM request */
489 preqparm = (struct cmreqparm __force *) preqcblk->req_parmb;
490 memcpy(preqparm->subfunc_code, "CM", 2);
491 memcpy(preqparm->rule_array, "AES ", 8);
492 preqparm->rule_array_len =
493 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
494 switch (keybitsize) {
495 case PKEY_SIZE_AES_128:
496 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
497 keysize = 16;
498 break;
499 case PKEY_SIZE_AES_192:
500 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
501 keysize = 24;
502 break;
503 case PKEY_SIZE_AES_256:
504 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
505 keysize = 32;
506 break;
507 default:
508 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
509 __func__, keybitsize);
510 rc = -EINVAL;
511 goto out;
512 }
513 preqparm->lv1.len = sizeof(struct lv1) + keysize;
514 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
515 plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize);
516 plv2->len = sizeof(struct lv2);
517 plv2->keyid.len = sizeof(struct keyid);
518 plv2->keyid.attr = 0x30;
519 preqcblk->req_parml = sizeof(struct cmreqparm) + keysize;
520
521 /* fill xcrb struct */
522 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
523
524 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
525 rc = zcrypt_send_cprb(&xcrb);
526 if (rc) {
527 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
528 __func__, (int) cardnr, (int) domain, rc);
529 goto out;
530 }
531
532 /* check response returncode and reasoncode */
533 if (prepcblk->ccp_rtcode != 0) {
534 DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
535 __func__,
536 (int) prepcblk->ccp_rtcode,
537 (int) prepcblk->ccp_rscode);
538 rc = -EIO;
539 goto out;
540 }
541
542 /* process response cprb param block */
543 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
544 prepcblk->rpl_parmb = (u8 __user *) ptr;
545 prepparm = (struct cmrepparm *) ptr;
546
547 /* check length of the returned secure key token */
548 seckeysize = prepparm->lv3.keyblock.toklen
549 - sizeof(prepparm->lv3.keyblock.toklen)
550 - sizeof(prepparm->lv3.keyblock.tokattr);
551 if (seckeysize != SECKEYBLOBSIZE) {
552 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
553 __func__, seckeysize, SECKEYBLOBSIZE);
554 rc = -EIO;
555 goto out;
556 }
557
558 /* check secure key token */
559 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
560 prepparm->lv3.keyblock.tok, 8*keysize);
561 if (rc) {
562 rc = -EIO;
563 goto out;
564 }
565
566 /* copy the generated secure key token */
567 if (seckey)
568 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
569
570 out:
571 free_cprbmem(mem, PARMBSIZE, 1);
572 return rc;
573 }
574 EXPORT_SYMBOL(cca_clr2seckey);
575
576 /*
577 * Derive proteced key from an CCA AES DATA secure key.
578 */
cca_sec2protkey(u16 cardnr,u16 domain,const u8 seckey[SECKEYBLOBSIZE],u8 * protkey,u32 * protkeylen,u32 * protkeytype)579 int cca_sec2protkey(u16 cardnr, u16 domain,
580 const u8 seckey[SECKEYBLOBSIZE],
581 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
582 {
583 int rc;
584 u8 *mem, *ptr;
585 struct CPRBX *preqcblk, *prepcblk;
586 struct ica_xcRB xcrb;
587 struct uskreqparm {
588 u8 subfunc_code[2];
589 u16 rule_array_len;
590 struct lv1 {
591 u16 len;
592 u16 attr_len;
593 u16 attr_flags;
594 } lv1;
595 struct lv2 {
596 u16 len;
597 u16 attr_len;
598 u16 attr_flags;
599 u8 token[0]; /* cca secure key token */
600 } lv2;
601 } __packed * preqparm;
602 struct uskrepparm {
603 u8 subfunc_code[2];
604 u16 rule_array_len;
605 struct lv3 {
606 u16 len;
607 u16 attr_len;
608 u16 attr_flags;
609 struct cpacfkeyblock {
610 u8 version; /* version of this struct */
611 u8 flags[2];
612 u8 algo;
613 u8 form;
614 u8 pad1[3];
615 u16 len;
616 u8 key[64]; /* the key (len bytes) */
617 u16 keyattrlen;
618 u8 keyattr[32];
619 u8 pad2[1];
620 u8 vptype;
621 u8 vp[32]; /* verification pattern */
622 } ckb;
623 } lv3;
624 } __packed * prepparm;
625
626 /* get already prepared memory for 2 cprbs with param block each */
627 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
628 if (rc)
629 return rc;
630
631 /* fill request cprb struct */
632 preqcblk->domain = domain;
633
634 /* fill request cprb param block with USK request */
635 preqparm = (struct uskreqparm __force *) preqcblk->req_parmb;
636 memcpy(preqparm->subfunc_code, "US", 2);
637 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
638 preqparm->lv1.len = sizeof(struct lv1);
639 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
640 preqparm->lv1.attr_flags = 0x0001;
641 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
642 preqparm->lv2.attr_len = sizeof(struct lv2)
643 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
644 preqparm->lv2.attr_flags = 0x0000;
645 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
646 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
647
648 /* fill xcrb struct */
649 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
650
651 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
652 rc = zcrypt_send_cprb(&xcrb);
653 if (rc) {
654 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
655 __func__, (int) cardnr, (int) domain, rc);
656 goto out;
657 }
658
659 /* check response returncode and reasoncode */
660 if (prepcblk->ccp_rtcode != 0) {
661 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
662 __func__,
663 (int) prepcblk->ccp_rtcode,
664 (int) prepcblk->ccp_rscode);
665 rc = -EIO;
666 goto out;
667 }
668 if (prepcblk->ccp_rscode != 0) {
669 DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
670 __func__,
671 (int) prepcblk->ccp_rtcode,
672 (int) prepcblk->ccp_rscode);
673 }
674
675 /* process response cprb param block */
676 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
677 prepcblk->rpl_parmb = (u8 __user *) ptr;
678 prepparm = (struct uskrepparm *) ptr;
679
680 /* check the returned keyblock */
681 if (prepparm->lv3.ckb.version != 0x01 &&
682 prepparm->lv3.ckb.version != 0x02) {
683 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
684 __func__, (int) prepparm->lv3.ckb.version);
685 rc = -EIO;
686 goto out;
687 }
688
689 /* copy the tanslated protected key */
690 switch (prepparm->lv3.ckb.len) {
691 case 16+32:
692 /* AES 128 protected key */
693 if (protkeytype)
694 *protkeytype = PKEY_KEYTYPE_AES_128;
695 break;
696 case 24+32:
697 /* AES 192 protected key */
698 if (protkeytype)
699 *protkeytype = PKEY_KEYTYPE_AES_192;
700 break;
701 case 32+32:
702 /* AES 256 protected key */
703 if (protkeytype)
704 *protkeytype = PKEY_KEYTYPE_AES_256;
705 break;
706 default:
707 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
708 __func__, prepparm->lv3.ckb.len);
709 rc = -EIO;
710 goto out;
711 }
712 memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
713 if (protkeylen)
714 *protkeylen = prepparm->lv3.ckb.len;
715
716 out:
717 free_cprbmem(mem, PARMBSIZE, 0);
718 return rc;
719 }
720 EXPORT_SYMBOL(cca_sec2protkey);
721
722 /*
723 * AES cipher key skeleton created with CSNBKTB2 with these flags:
724 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
725 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
726 * used by cca_gencipherkey() and cca_clr2cipherkey().
727 */
728 static const u8 aes_cipher_key_skeleton[] = {
729 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
731 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
733 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
734 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
735 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
736 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
737
738 /*
739 * Generate (random) CCA AES CIPHER secure key.
740 */
cca_gencipherkey(u16 cardnr,u16 domain,u32 keybitsize,u32 keygenflags,u8 * keybuf,size_t * keybufsize)741 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
742 u8 *keybuf, size_t *keybufsize)
743 {
744 int rc;
745 u8 *mem, *ptr;
746 struct CPRBX *preqcblk, *prepcblk;
747 struct ica_xcRB xcrb;
748 struct gkreqparm {
749 u8 subfunc_code[2];
750 u16 rule_array_len;
751 char rule_array[2*8];
752 struct {
753 u16 len;
754 u8 key_type_1[8];
755 u8 key_type_2[8];
756 u16 clear_key_bit_len;
757 u16 key_name_1_len;
758 u16 key_name_2_len;
759 u16 user_data_1_len;
760 u16 user_data_2_len;
761 u8 key_name_1[0];
762 u8 key_name_2[0];
763 u8 user_data_1[0];
764 u8 user_data_2[0];
765 } vud;
766 struct {
767 u16 len;
768 struct {
769 u16 len;
770 u16 flag;
771 u8 kek_id_1[0];
772 } tlv1;
773 struct {
774 u16 len;
775 u16 flag;
776 u8 kek_id_2[0];
777 } tlv2;
778 struct {
779 u16 len;
780 u16 flag;
781 u8 gen_key_id_1[SIZEOF_SKELETON];
782 } tlv3;
783 struct {
784 u16 len;
785 u16 flag;
786 u8 gen_key_id_1_label[0];
787 } tlv4;
788 struct {
789 u16 len;
790 u16 flag;
791 u8 gen_key_id_2[0];
792 } tlv5;
793 struct {
794 u16 len;
795 u16 flag;
796 u8 gen_key_id_2_label[0];
797 } tlv6;
798 } kb;
799 } __packed * preqparm;
800 struct gkrepparm {
801 u8 subfunc_code[2];
802 u16 rule_array_len;
803 struct {
804 u16 len;
805 } vud;
806 struct {
807 u16 len;
808 struct {
809 u16 len;
810 u16 flag;
811 u8 gen_key[0]; /* 120-136 bytes */
812 } tlv1;
813 } kb;
814 } __packed * prepparm;
815 struct cipherkeytoken *t;
816
817 /* get already prepared memory for 2 cprbs with param block each */
818 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
819 if (rc)
820 return rc;
821
822 /* fill request cprb struct */
823 preqcblk->domain = domain;
824 preqcblk->req_parml = sizeof(struct gkreqparm);
825
826 /* prepare request param block with GK request */
827 preqparm = (struct gkreqparm __force *) preqcblk->req_parmb;
828 memcpy(preqparm->subfunc_code, "GK", 2);
829 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
830 memcpy(preqparm->rule_array, "AES OP ", 2*8);
831
832 /* prepare vud block */
833 preqparm->vud.len = sizeof(preqparm->vud);
834 switch (keybitsize) {
835 case 128:
836 case 192:
837 case 256:
838 break;
839 default:
840 DEBUG_ERR(
841 "%s unknown/unsupported keybitsize %d\n",
842 __func__, keybitsize);
843 rc = -EINVAL;
844 goto out;
845 }
846 preqparm->vud.clear_key_bit_len = keybitsize;
847 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
848 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
849
850 /* prepare kb block */
851 preqparm->kb.len = sizeof(preqparm->kb);
852 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
853 preqparm->kb.tlv1.flag = 0x0030;
854 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
855 preqparm->kb.tlv2.flag = 0x0030;
856 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
857 preqparm->kb.tlv3.flag = 0x0030;
858 memcpy(preqparm->kb.tlv3.gen_key_id_1,
859 aes_cipher_key_skeleton, SIZEOF_SKELETON);
860 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
861 preqparm->kb.tlv4.flag = 0x0030;
862 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
863 preqparm->kb.tlv5.flag = 0x0030;
864 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
865 preqparm->kb.tlv6.flag = 0x0030;
866
867 /* patch the skeleton key token export flags inside the kb block */
868 if (keygenflags) {
869 t = (struct cipherkeytoken *) preqparm->kb.tlv3.gen_key_id_1;
870 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
871 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
872 }
873
874 /* prepare xcrb struct */
875 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
876
877 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
878 rc = zcrypt_send_cprb(&xcrb);
879 if (rc) {
880 DEBUG_ERR(
881 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
882 __func__, (int) cardnr, (int) domain, rc);
883 goto out;
884 }
885
886 /* check response returncode and reasoncode */
887 if (prepcblk->ccp_rtcode != 0) {
888 DEBUG_ERR(
889 "%s cipher key generate failure, card response %d/%d\n",
890 __func__,
891 (int) prepcblk->ccp_rtcode,
892 (int) prepcblk->ccp_rscode);
893 rc = -EIO;
894 goto out;
895 }
896
897 /* process response cprb param block */
898 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
899 prepcblk->rpl_parmb = (u8 __user *) ptr;
900 prepparm = (struct gkrepparm *) ptr;
901
902 /* do some plausibility checks on the key block */
903 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
904 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
905 DEBUG_ERR("%s reply with invalid or unknown key block\n",
906 __func__);
907 rc = -EIO;
908 goto out;
909 }
910
911 /* and some checks on the generated key */
912 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
913 prepparm->kb.tlv1.gen_key,
914 keybitsize, 1);
915 if (rc) {
916 rc = -EIO;
917 goto out;
918 }
919
920 /* copy the generated vlsc key token */
921 t = (struct cipherkeytoken *) prepparm->kb.tlv1.gen_key;
922 if (keybuf) {
923 if (*keybufsize >= t->len)
924 memcpy(keybuf, t, t->len);
925 else
926 rc = -EINVAL;
927 }
928 *keybufsize = t->len;
929
930 out:
931 free_cprbmem(mem, PARMBSIZE, 0);
932 return rc;
933 }
934 EXPORT_SYMBOL(cca_gencipherkey);
935
936 /*
937 * Helper function, does a the CSNBKPI2 CPRB.
938 */
_ip_cprb_helper(u16 cardnr,u16 domain,const char * rule_array_1,const char * rule_array_2,const char * rule_array_3,const u8 * clr_key_value,int clr_key_bit_size,u8 * key_token,int * key_token_size)939 static int _ip_cprb_helper(u16 cardnr, u16 domain,
940 const char *rule_array_1,
941 const char *rule_array_2,
942 const char *rule_array_3,
943 const u8 *clr_key_value,
944 int clr_key_bit_size,
945 u8 *key_token,
946 int *key_token_size)
947 {
948 int rc, n;
949 u8 *mem, *ptr;
950 struct CPRBX *preqcblk, *prepcblk;
951 struct ica_xcRB xcrb;
952 struct rule_array_block {
953 u8 subfunc_code[2];
954 u16 rule_array_len;
955 char rule_array[0];
956 } __packed * preq_ra_block;
957 struct vud_block {
958 u16 len;
959 struct {
960 u16 len;
961 u16 flag; /* 0x0064 */
962 u16 clr_key_bit_len;
963 } tlv1;
964 struct {
965 u16 len;
966 u16 flag; /* 0x0063 */
967 u8 clr_key[0]; /* clear key value bytes */
968 } tlv2;
969 } __packed * preq_vud_block;
970 struct key_block {
971 u16 len;
972 struct {
973 u16 len;
974 u16 flag; /* 0x0030 */
975 u8 key_token[0]; /* key skeleton */
976 } tlv1;
977 } __packed * preq_key_block;
978 struct iprepparm {
979 u8 subfunc_code[2];
980 u16 rule_array_len;
981 struct {
982 u16 len;
983 } vud;
984 struct {
985 u16 len;
986 struct {
987 u16 len;
988 u16 flag; /* 0x0030 */
989 u8 key_token[0]; /* key token */
990 } tlv1;
991 } kb;
992 } __packed * prepparm;
993 struct cipherkeytoken *t;
994 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
995
996 /* get already prepared memory for 2 cprbs with param block each */
997 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
998 if (rc)
999 return rc;
1000
1001 /* fill request cprb struct */
1002 preqcblk->domain = domain;
1003 preqcblk->req_parml = 0;
1004
1005 /* prepare request param block with IP request */
1006 preq_ra_block = (struct rule_array_block __force *) preqcblk->req_parmb;
1007 memcpy(preq_ra_block->subfunc_code, "IP", 2);
1008 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
1009 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
1010 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
1011 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
1012 if (rule_array_3) {
1013 preq_ra_block->rule_array_len += 8;
1014 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
1015 preqcblk->req_parml += 8;
1016 }
1017
1018 /* prepare vud block */
1019 preq_vud_block = (struct vud_block __force *)
1020 (preqcblk->req_parmb + preqcblk->req_parml);
1021 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
1022 preq_vud_block->len = sizeof(struct vud_block) + n;
1023 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
1024 preq_vud_block->tlv1.flag = 0x0064;
1025 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
1026 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
1027 preq_vud_block->tlv2.flag = 0x0063;
1028 if (!complete)
1029 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1030 preqcblk->req_parml += preq_vud_block->len;
1031
1032 /* prepare key block */
1033 preq_key_block = (struct key_block __force *)
1034 (preqcblk->req_parmb + preqcblk->req_parml);
1035 n = *key_token_size;
1036 preq_key_block->len = sizeof(struct key_block) + n;
1037 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1038 preq_key_block->tlv1.flag = 0x0030;
1039 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1040 preqcblk->req_parml += preq_key_block->len;
1041
1042 /* prepare xcrb struct */
1043 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1044
1045 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1046 rc = zcrypt_send_cprb(&xcrb);
1047 if (rc) {
1048 DEBUG_ERR(
1049 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1050 __func__, (int) cardnr, (int) domain, rc);
1051 goto out;
1052 }
1053
1054 /* check response returncode and reasoncode */
1055 if (prepcblk->ccp_rtcode != 0) {
1056 DEBUG_ERR(
1057 "%s CSNBKPI2 failure, card response %d/%d\n",
1058 __func__,
1059 (int) prepcblk->ccp_rtcode,
1060 (int) prepcblk->ccp_rscode);
1061 rc = -EIO;
1062 goto out;
1063 }
1064
1065 /* process response cprb param block */
1066 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1067 prepcblk->rpl_parmb = (u8 __user *) ptr;
1068 prepparm = (struct iprepparm *) ptr;
1069
1070 /* do some plausibility checks on the key block */
1071 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1072 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1073 DEBUG_ERR("%s reply with invalid or unknown key block\n",
1074 __func__);
1075 rc = -EIO;
1076 goto out;
1077 }
1078
1079 /* do not check the key here, it may be incomplete */
1080
1081 /* copy the vlsc key token back */
1082 t = (struct cipherkeytoken *) prepparm->kb.tlv1.key_token;
1083 memcpy(key_token, t, t->len);
1084 *key_token_size = t->len;
1085
1086 out:
1087 free_cprbmem(mem, PARMBSIZE, 0);
1088 return rc;
1089 }
1090
1091 /*
1092 * Build CCA AES CIPHER secure key with a given clear key value.
1093 */
cca_clr2cipherkey(u16 card,u16 dom,u32 keybitsize,u32 keygenflags,const u8 * clrkey,u8 * keybuf,size_t * keybufsize)1094 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1095 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1096 {
1097 int rc;
1098 u8 *token;
1099 int tokensize;
1100 u8 exorbuf[32];
1101 struct cipherkeytoken *t;
1102
1103 /* fill exorbuf with random data */
1104 get_random_bytes(exorbuf, sizeof(exorbuf));
1105
1106 /* allocate space for the key token to build */
1107 token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1108 if (!token)
1109 return -ENOMEM;
1110
1111 /* prepare the token with the key skeleton */
1112 tokensize = SIZEOF_SKELETON;
1113 memcpy(token, aes_cipher_key_skeleton, tokensize);
1114
1115 /* patch the skeleton key token export flags */
1116 if (keygenflags) {
1117 t = (struct cipherkeytoken *) token;
1118 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
1119 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
1120 }
1121
1122 /*
1123 * Do the key import with the clear key value in 4 steps:
1124 * 1/4 FIRST import with only random data
1125 * 2/4 EXOR the clear key
1126 * 3/4 EXOR the very same random data again
1127 * 4/4 COMPLETE the secure cipher key import
1128 */
1129 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1130 exorbuf, keybitsize, token, &tokensize);
1131 if (rc) {
1132 DEBUG_ERR(
1133 "%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1134 __func__, rc);
1135 goto out;
1136 }
1137 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1138 clrkey, keybitsize, token, &tokensize);
1139 if (rc) {
1140 DEBUG_ERR(
1141 "%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1142 __func__, rc);
1143 goto out;
1144 }
1145 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1146 exorbuf, keybitsize, token, &tokensize);
1147 if (rc) {
1148 DEBUG_ERR(
1149 "%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1150 __func__, rc);
1151 goto out;
1152 }
1153 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1154 NULL, keybitsize, token, &tokensize);
1155 if (rc) {
1156 DEBUG_ERR(
1157 "%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1158 __func__, rc);
1159 goto out;
1160 }
1161
1162 /* copy the generated key token */
1163 if (keybuf) {
1164 if (tokensize > *keybufsize)
1165 rc = -EINVAL;
1166 else
1167 memcpy(keybuf, token, tokensize);
1168 }
1169 *keybufsize = tokensize;
1170
1171 out:
1172 kfree(token);
1173 return rc;
1174 }
1175 EXPORT_SYMBOL(cca_clr2cipherkey);
1176
1177 /*
1178 * Derive proteced key from CCA AES cipher secure key.
1179 */
cca_cipher2protkey(u16 cardnr,u16 domain,const u8 * ckey,u8 * protkey,u32 * protkeylen,u32 * protkeytype)1180 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1181 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1182 {
1183 int rc;
1184 u8 *mem, *ptr;
1185 struct CPRBX *preqcblk, *prepcblk;
1186 struct ica_xcRB xcrb;
1187 struct aureqparm {
1188 u8 subfunc_code[2];
1189 u16 rule_array_len;
1190 u8 rule_array[8];
1191 struct {
1192 u16 len;
1193 u16 tk_blob_len;
1194 u16 tk_blob_tag;
1195 u8 tk_blob[66];
1196 } vud;
1197 struct {
1198 u16 len;
1199 u16 cca_key_token_len;
1200 u16 cca_key_token_flags;
1201 u8 cca_key_token[0]; // 64 or more
1202 } kb;
1203 } __packed * preqparm;
1204 struct aurepparm {
1205 u8 subfunc_code[2];
1206 u16 rule_array_len;
1207 struct {
1208 u16 len;
1209 u16 sublen;
1210 u16 tag;
1211 struct cpacfkeyblock {
1212 u8 version; /* version of this struct */
1213 u8 flags[2];
1214 u8 algo;
1215 u8 form;
1216 u8 pad1[3];
1217 u16 keylen;
1218 u8 key[64]; /* the key (keylen bytes) */
1219 u16 keyattrlen;
1220 u8 keyattr[32];
1221 u8 pad2[1];
1222 u8 vptype;
1223 u8 vp[32]; /* verification pattern */
1224 } ckb;
1225 } vud;
1226 struct {
1227 u16 len;
1228 } kb;
1229 } __packed * prepparm;
1230 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1231
1232 /* get already prepared memory for 2 cprbs with param block each */
1233 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1234 if (rc)
1235 return rc;
1236
1237 /* fill request cprb struct */
1238 preqcblk->domain = domain;
1239
1240 /* fill request cprb param block with AU request */
1241 preqparm = (struct aureqparm __force *) preqcblk->req_parmb;
1242 memcpy(preqparm->subfunc_code, "AU", 2);
1243 preqparm->rule_array_len =
1244 sizeof(preqparm->rule_array_len)
1245 + sizeof(preqparm->rule_array);
1246 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1247 /* vud, tk blob */
1248 preqparm->vud.len = sizeof(preqparm->vud);
1249 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1250 + 2 * sizeof(uint16_t);
1251 preqparm->vud.tk_blob_tag = 0x00C2;
1252 /* kb, cca token */
1253 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1254 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1255 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1256 /* now fill length of param block into cprb */
1257 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1258
1259 /* fill xcrb struct */
1260 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1261
1262 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1263 rc = zcrypt_send_cprb(&xcrb);
1264 if (rc) {
1265 DEBUG_ERR(
1266 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1267 __func__, (int) cardnr, (int) domain, rc);
1268 goto out;
1269 }
1270
1271 /* check response returncode and reasoncode */
1272 if (prepcblk->ccp_rtcode != 0) {
1273 DEBUG_ERR(
1274 "%s unwrap secure key failure, card response %d/%d\n",
1275 __func__,
1276 (int) prepcblk->ccp_rtcode,
1277 (int) prepcblk->ccp_rscode);
1278 rc = -EIO;
1279 goto out;
1280 }
1281 if (prepcblk->ccp_rscode != 0) {
1282 DEBUG_WARN(
1283 "%s unwrap secure key warning, card response %d/%d\n",
1284 __func__,
1285 (int) prepcblk->ccp_rtcode,
1286 (int) prepcblk->ccp_rscode);
1287 }
1288
1289 /* process response cprb param block */
1290 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1291 prepcblk->rpl_parmb = (u8 __user *) ptr;
1292 prepparm = (struct aurepparm *) ptr;
1293
1294 /* check the returned keyblock */
1295 if (prepparm->vud.ckb.version != 0x01 &&
1296 prepparm->vud.ckb.version != 0x02) {
1297 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1298 __func__, (int) prepparm->vud.ckb.version);
1299 rc = -EIO;
1300 goto out;
1301 }
1302 if (prepparm->vud.ckb.algo != 0x02) {
1303 DEBUG_ERR(
1304 "%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1305 __func__, (int) prepparm->vud.ckb.algo);
1306 rc = -EIO;
1307 goto out;
1308 }
1309
1310 /* copy the translated protected key */
1311 switch (prepparm->vud.ckb.keylen) {
1312 case 16+32:
1313 /* AES 128 protected key */
1314 if (protkeytype)
1315 *protkeytype = PKEY_KEYTYPE_AES_128;
1316 break;
1317 case 24+32:
1318 /* AES 192 protected key */
1319 if (protkeytype)
1320 *protkeytype = PKEY_KEYTYPE_AES_192;
1321 break;
1322 case 32+32:
1323 /* AES 256 protected key */
1324 if (protkeytype)
1325 *protkeytype = PKEY_KEYTYPE_AES_256;
1326 break;
1327 default:
1328 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1329 __func__, prepparm->vud.ckb.keylen);
1330 rc = -EIO;
1331 goto out;
1332 }
1333 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1334 if (protkeylen)
1335 *protkeylen = prepparm->vud.ckb.keylen;
1336
1337 out:
1338 free_cprbmem(mem, PARMBSIZE, 0);
1339 return rc;
1340 }
1341 EXPORT_SYMBOL(cca_cipher2protkey);
1342
1343 /*
1344 * Derive protected key from CCA ECC secure private key.
1345 */
cca_ecc2protkey(u16 cardnr,u16 domain,const u8 * key,u8 * protkey,u32 * protkeylen,u32 * protkeytype)1346 int cca_ecc2protkey(u16 cardnr, u16 domain, const u8 *key,
1347 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1348 {
1349 int rc;
1350 u8 *mem, *ptr;
1351 struct CPRBX *preqcblk, *prepcblk;
1352 struct ica_xcRB xcrb;
1353 struct aureqparm {
1354 u8 subfunc_code[2];
1355 u16 rule_array_len;
1356 u8 rule_array[8];
1357 struct {
1358 u16 len;
1359 u16 tk_blob_len;
1360 u16 tk_blob_tag;
1361 u8 tk_blob[66];
1362 } vud;
1363 struct {
1364 u16 len;
1365 u16 cca_key_token_len;
1366 u16 cca_key_token_flags;
1367 u8 cca_key_token[0];
1368 } kb;
1369 } __packed * preqparm;
1370 struct aurepparm {
1371 u8 subfunc_code[2];
1372 u16 rule_array_len;
1373 struct {
1374 u16 len;
1375 u16 sublen;
1376 u16 tag;
1377 struct cpacfkeyblock {
1378 u8 version; /* version of this struct */
1379 u8 flags[2];
1380 u8 algo;
1381 u8 form;
1382 u8 pad1[3];
1383 u16 keylen;
1384 u8 key[0]; /* the key (keylen bytes) */
1385 u16 keyattrlen;
1386 u8 keyattr[32];
1387 u8 pad2[1];
1388 u8 vptype;
1389 u8 vp[32]; /* verification pattern */
1390 } ckb;
1391 } vud;
1392 struct {
1393 u16 len;
1394 } kb;
1395 } __packed * prepparm;
1396 int keylen = ((struct eccprivkeytoken *)key)->len;
1397
1398 /* get already prepared memory for 2 cprbs with param block each */
1399 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1400 if (rc)
1401 return rc;
1402
1403 /* fill request cprb struct */
1404 preqcblk->domain = domain;
1405
1406 /* fill request cprb param block with AU request */
1407 preqparm = (struct aureqparm __force *) preqcblk->req_parmb;
1408 memcpy(preqparm->subfunc_code, "AU", 2);
1409 preqparm->rule_array_len =
1410 sizeof(preqparm->rule_array_len)
1411 + sizeof(preqparm->rule_array);
1412 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1413 /* vud, tk blob */
1414 preqparm->vud.len = sizeof(preqparm->vud);
1415 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1416 + 2 * sizeof(uint16_t);
1417 preqparm->vud.tk_blob_tag = 0x00C2;
1418 /* kb, cca token */
1419 preqparm->kb.len = keylen + 3 * sizeof(uint16_t);
1420 preqparm->kb.cca_key_token_len = keylen + 2 * sizeof(uint16_t);
1421 memcpy(preqparm->kb.cca_key_token, key, keylen);
1422 /* now fill length of param block into cprb */
1423 preqcblk->req_parml = sizeof(struct aureqparm) + keylen;
1424
1425 /* fill xcrb struct */
1426 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1427
1428 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1429 rc = zcrypt_send_cprb(&xcrb);
1430 if (rc) {
1431 DEBUG_ERR(
1432 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1433 __func__, (int) cardnr, (int) domain, rc);
1434 goto out;
1435 }
1436
1437 /* check response returncode and reasoncode */
1438 if (prepcblk->ccp_rtcode != 0) {
1439 DEBUG_ERR(
1440 "%s unwrap secure key failure, card response %d/%d\n",
1441 __func__,
1442 (int) prepcblk->ccp_rtcode,
1443 (int) prepcblk->ccp_rscode);
1444 rc = -EIO;
1445 goto out;
1446 }
1447 if (prepcblk->ccp_rscode != 0) {
1448 DEBUG_WARN(
1449 "%s unwrap secure key warning, card response %d/%d\n",
1450 __func__,
1451 (int) prepcblk->ccp_rtcode,
1452 (int) prepcblk->ccp_rscode);
1453 }
1454
1455 /* process response cprb param block */
1456 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1457 prepcblk->rpl_parmb = (u8 __user *) ptr;
1458 prepparm = (struct aurepparm *) ptr;
1459
1460 /* check the returned keyblock */
1461 if (prepparm->vud.ckb.version != 0x02) {
1462 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x != 0x02\n",
1463 __func__, (int) prepparm->vud.ckb.version);
1464 rc = -EIO;
1465 goto out;
1466 }
1467 if (prepparm->vud.ckb.algo != 0x81) {
1468 DEBUG_ERR(
1469 "%s reply param keyblock algo mismatch 0x%02x != 0x81\n",
1470 __func__, (int) prepparm->vud.ckb.algo);
1471 rc = -EIO;
1472 goto out;
1473 }
1474
1475 /* copy the translated protected key */
1476 if (prepparm->vud.ckb.keylen > *protkeylen) {
1477 DEBUG_ERR("%s prot keylen mismatch %d > buffersize %u\n",
1478 __func__, prepparm->vud.ckb.keylen, *protkeylen);
1479 rc = -EIO;
1480 goto out;
1481 }
1482 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1483 *protkeylen = prepparm->vud.ckb.keylen;
1484 if (protkeytype)
1485 *protkeytype = PKEY_KEYTYPE_ECC;
1486
1487 out:
1488 free_cprbmem(mem, PARMBSIZE, 0);
1489 return rc;
1490 }
1491 EXPORT_SYMBOL(cca_ecc2protkey);
1492
1493 /*
1494 * query cryptographic facility from CCA adapter
1495 */
cca_query_crypto_facility(u16 cardnr,u16 domain,const char * keyword,u8 * rarray,size_t * rarraylen,u8 * varray,size_t * varraylen)1496 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1497 const char *keyword,
1498 u8 *rarray, size_t *rarraylen,
1499 u8 *varray, size_t *varraylen)
1500 {
1501 int rc;
1502 u16 len;
1503 u8 *mem, *ptr;
1504 struct CPRBX *preqcblk, *prepcblk;
1505 struct ica_xcRB xcrb;
1506 struct fqreqparm {
1507 u8 subfunc_code[2];
1508 u16 rule_array_len;
1509 char rule_array[8];
1510 struct lv1 {
1511 u16 len;
1512 u8 data[VARDATASIZE];
1513 } lv1;
1514 u16 dummylen;
1515 } __packed * preqparm;
1516 size_t parmbsize = sizeof(struct fqreqparm);
1517 struct fqrepparm {
1518 u8 subfunc_code[2];
1519 u8 lvdata[0];
1520 } __packed * prepparm;
1521
1522 /* get already prepared memory for 2 cprbs with param block each */
1523 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1524 if (rc)
1525 return rc;
1526
1527 /* fill request cprb struct */
1528 preqcblk->domain = domain;
1529
1530 /* fill request cprb param block with FQ request */
1531 preqparm = (struct fqreqparm __force *) preqcblk->req_parmb;
1532 memcpy(preqparm->subfunc_code, "FQ", 2);
1533 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1534 preqparm->rule_array_len =
1535 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1536 preqparm->lv1.len = sizeof(preqparm->lv1);
1537 preqparm->dummylen = sizeof(preqparm->dummylen);
1538 preqcblk->req_parml = parmbsize;
1539
1540 /* fill xcrb struct */
1541 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1542
1543 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1544 rc = zcrypt_send_cprb(&xcrb);
1545 if (rc) {
1546 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1547 __func__, (int) cardnr, (int) domain, rc);
1548 goto out;
1549 }
1550
1551 /* check response returncode and reasoncode */
1552 if (prepcblk->ccp_rtcode != 0) {
1553 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1554 __func__,
1555 (int) prepcblk->ccp_rtcode,
1556 (int) prepcblk->ccp_rscode);
1557 rc = -EIO;
1558 goto out;
1559 }
1560
1561 /* process response cprb param block */
1562 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1563 prepcblk->rpl_parmb = (u8 __user *) ptr;
1564 prepparm = (struct fqrepparm *) ptr;
1565 ptr = prepparm->lvdata;
1566
1567 /* check and possibly copy reply rule array */
1568 len = *((u16 *) ptr);
1569 if (len > sizeof(u16)) {
1570 ptr += sizeof(u16);
1571 len -= sizeof(u16);
1572 if (rarray && rarraylen && *rarraylen > 0) {
1573 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1574 memcpy(rarray, ptr, *rarraylen);
1575 }
1576 ptr += len;
1577 }
1578 /* check and possible copy reply var array */
1579 len = *((u16 *) ptr);
1580 if (len > sizeof(u16)) {
1581 ptr += sizeof(u16);
1582 len -= sizeof(u16);
1583 if (varray && varraylen && *varraylen > 0) {
1584 *varraylen = (len > *varraylen ? *varraylen : len);
1585 memcpy(varray, ptr, *varraylen);
1586 }
1587 ptr += len;
1588 }
1589
1590 out:
1591 free_cprbmem(mem, parmbsize, 0);
1592 return rc;
1593 }
1594 EXPORT_SYMBOL(cca_query_crypto_facility);
1595
cca_info_cache_fetch(u16 cardnr,u16 domain,struct cca_info * ci)1596 static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
1597 {
1598 int rc = -ENOENT;
1599 struct cca_info_list_entry *ptr;
1600
1601 spin_lock_bh(&cca_info_list_lock);
1602 list_for_each_entry(ptr, &cca_info_list, list) {
1603 if (ptr->cardnr == cardnr && ptr->domain == domain) {
1604 memcpy(ci, &ptr->info, sizeof(*ci));
1605 rc = 0;
1606 break;
1607 }
1608 }
1609 spin_unlock_bh(&cca_info_list_lock);
1610
1611 return rc;
1612 }
1613
cca_info_cache_update(u16 cardnr,u16 domain,const struct cca_info * ci)1614 static void cca_info_cache_update(u16 cardnr, u16 domain,
1615 const struct cca_info *ci)
1616 {
1617 int found = 0;
1618 struct cca_info_list_entry *ptr;
1619
1620 spin_lock_bh(&cca_info_list_lock);
1621 list_for_each_entry(ptr, &cca_info_list, list) {
1622 if (ptr->cardnr == cardnr &&
1623 ptr->domain == domain) {
1624 memcpy(&ptr->info, ci, sizeof(*ci));
1625 found = 1;
1626 break;
1627 }
1628 }
1629 if (!found) {
1630 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1631 if (!ptr) {
1632 spin_unlock_bh(&cca_info_list_lock);
1633 return;
1634 }
1635 ptr->cardnr = cardnr;
1636 ptr->domain = domain;
1637 memcpy(&ptr->info, ci, sizeof(*ci));
1638 list_add(&ptr->list, &cca_info_list);
1639 }
1640 spin_unlock_bh(&cca_info_list_lock);
1641 }
1642
cca_info_cache_scrub(u16 cardnr,u16 domain)1643 static void cca_info_cache_scrub(u16 cardnr, u16 domain)
1644 {
1645 struct cca_info_list_entry *ptr;
1646
1647 spin_lock_bh(&cca_info_list_lock);
1648 list_for_each_entry(ptr, &cca_info_list, list) {
1649 if (ptr->cardnr == cardnr &&
1650 ptr->domain == domain) {
1651 list_del(&ptr->list);
1652 kfree(ptr);
1653 break;
1654 }
1655 }
1656 spin_unlock_bh(&cca_info_list_lock);
1657 }
1658
mkvp_cache_free(void)1659 static void __exit mkvp_cache_free(void)
1660 {
1661 struct cca_info_list_entry *ptr, *pnext;
1662
1663 spin_lock_bh(&cca_info_list_lock);
1664 list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
1665 list_del(&ptr->list);
1666 kfree(ptr);
1667 }
1668 spin_unlock_bh(&cca_info_list_lock);
1669 }
1670
1671 /*
1672 * Fetch cca_info values via query_crypto_facility from adapter.
1673 */
fetch_cca_info(u16 cardnr,u16 domain,struct cca_info * ci)1674 static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
1675 {
1676 int rc, found = 0;
1677 size_t rlen, vlen;
1678 u8 *rarray, *varray, *pg;
1679 struct zcrypt_device_status_ext devstat;
1680
1681 memset(ci, 0, sizeof(*ci));
1682
1683 /* get first info from zcrypt device driver about this apqn */
1684 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1685 if (rc)
1686 return rc;
1687 ci->hwtype = devstat.hwtype;
1688
1689 /* prep page for rule array and var array use */
1690 pg = (u8 *) __get_free_page(GFP_KERNEL);
1691 if (!pg)
1692 return -ENOMEM;
1693 rarray = pg;
1694 varray = pg + PAGE_SIZE/2;
1695 rlen = vlen = PAGE_SIZE/2;
1696
1697 /* QF for this card/domain */
1698 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1699 rarray, &rlen, varray, &vlen);
1700 if (rc == 0 && rlen >= 10*8 && vlen >= 204) {
1701 memcpy(ci->serial, rarray, 8);
1702 ci->new_aes_mk_state = (char) rarray[7*8];
1703 ci->cur_aes_mk_state = (char) rarray[8*8];
1704 ci->old_aes_mk_state = (char) rarray[9*8];
1705 if (ci->old_aes_mk_state == '2')
1706 memcpy(&ci->old_aes_mkvp, varray + 172, 8);
1707 if (ci->cur_aes_mk_state == '2')
1708 memcpy(&ci->cur_aes_mkvp, varray + 184, 8);
1709 if (ci->new_aes_mk_state == '3')
1710 memcpy(&ci->new_aes_mkvp, varray + 196, 8);
1711 found++;
1712 }
1713 if (!found)
1714 goto out;
1715 rlen = vlen = PAGE_SIZE/2;
1716 rc = cca_query_crypto_facility(cardnr, domain, "STATICSB",
1717 rarray, &rlen, varray, &vlen);
1718 if (rc == 0 && rlen >= 13*8 && vlen >= 240) {
1719 ci->new_apka_mk_state = (char) rarray[10*8];
1720 ci->cur_apka_mk_state = (char) rarray[11*8];
1721 ci->old_apka_mk_state = (char) rarray[12*8];
1722 if (ci->old_apka_mk_state == '2')
1723 memcpy(&ci->old_apka_mkvp, varray + 208, 8);
1724 if (ci->cur_apka_mk_state == '2')
1725 memcpy(&ci->cur_apka_mkvp, varray + 220, 8);
1726 if (ci->new_apka_mk_state == '3')
1727 memcpy(&ci->new_apka_mkvp, varray + 232, 8);
1728 found++;
1729 }
1730
1731 out:
1732 free_page((unsigned long) pg);
1733 return found == 2 ? 0 : -ENOENT;
1734 }
1735
1736 /*
1737 * Fetch cca information about a CCA queue.
1738 */
cca_get_info(u16 card,u16 dom,struct cca_info * ci,int verify)1739 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1740 {
1741 int rc;
1742
1743 rc = cca_info_cache_fetch(card, dom, ci);
1744 if (rc || verify) {
1745 rc = fetch_cca_info(card, dom, ci);
1746 if (rc == 0)
1747 cca_info_cache_update(card, dom, ci);
1748 }
1749
1750 return rc;
1751 }
1752 EXPORT_SYMBOL(cca_get_info);
1753
1754 /*
1755 * Search for a matching crypto card based on the
1756 * Master Key Verification Pattern given.
1757 */
findcard(u64 mkvp,u16 * pcardnr,u16 * pdomain,int verify,int minhwtype)1758 static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1759 int verify, int minhwtype)
1760 {
1761 struct zcrypt_device_status_ext *device_status;
1762 u16 card, dom;
1763 struct cca_info ci;
1764 int i, rc, oi = -1;
1765
1766 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1767 if (mkvp == 0 || minhwtype < 0)
1768 return -EINVAL;
1769
1770 /* fetch status of all crypto cards */
1771 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1772 sizeof(struct zcrypt_device_status_ext),
1773 GFP_KERNEL);
1774 if (!device_status)
1775 return -ENOMEM;
1776 zcrypt_device_status_mask_ext(device_status);
1777
1778 /* walk through all crypto cards */
1779 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1780 card = AP_QID_CARD(device_status[i].qid);
1781 dom = AP_QID_QUEUE(device_status[i].qid);
1782 if (device_status[i].online &&
1783 device_status[i].functions & 0x04) {
1784 /* enabled CCA card, check current mkvp from cache */
1785 if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
1786 ci.hwtype >= minhwtype &&
1787 ci.cur_aes_mk_state == '2' &&
1788 ci.cur_aes_mkvp == mkvp) {
1789 if (!verify)
1790 break;
1791 /* verify: refresh card info */
1792 if (fetch_cca_info(card, dom, &ci) == 0) {
1793 cca_info_cache_update(card, dom, &ci);
1794 if (ci.hwtype >= minhwtype &&
1795 ci.cur_aes_mk_state == '2' &&
1796 ci.cur_aes_mkvp == mkvp)
1797 break;
1798 }
1799 }
1800 } else {
1801 /* Card is offline and/or not a CCA card. */
1802 /* del mkvp entry from cache if it exists */
1803 cca_info_cache_scrub(card, dom);
1804 }
1805 }
1806 if (i >= MAX_ZDEV_ENTRIES_EXT) {
1807 /* nothing found, so this time without cache */
1808 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1809 if (!(device_status[i].online &&
1810 device_status[i].functions & 0x04))
1811 continue;
1812 card = AP_QID_CARD(device_status[i].qid);
1813 dom = AP_QID_QUEUE(device_status[i].qid);
1814 /* fresh fetch mkvp from adapter */
1815 if (fetch_cca_info(card, dom, &ci) == 0) {
1816 cca_info_cache_update(card, dom, &ci);
1817 if (ci.hwtype >= minhwtype &&
1818 ci.cur_aes_mk_state == '2' &&
1819 ci.cur_aes_mkvp == mkvp)
1820 break;
1821 if (ci.hwtype >= minhwtype &&
1822 ci.old_aes_mk_state == '2' &&
1823 ci.old_aes_mkvp == mkvp &&
1824 oi < 0)
1825 oi = i;
1826 }
1827 }
1828 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1829 /* old mkvp matched, use this card then */
1830 card = AP_QID_CARD(device_status[oi].qid);
1831 dom = AP_QID_QUEUE(device_status[oi].qid);
1832 }
1833 }
1834 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1835 if (pcardnr)
1836 *pcardnr = card;
1837 if (pdomain)
1838 *pdomain = dom;
1839 rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1840 } else
1841 rc = -ENODEV;
1842
1843 kvfree(device_status);
1844 return rc;
1845 }
1846
1847 /*
1848 * Search for a matching crypto card based on the Master Key
1849 * Verification Pattern provided inside a secure key token.
1850 */
cca_findcard(const u8 * key,u16 * pcardnr,u16 * pdomain,int verify)1851 int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1852 {
1853 u64 mkvp;
1854 int minhwtype = 0;
1855 const struct keytoken_header *hdr = (struct keytoken_header *) key;
1856
1857 if (hdr->type != TOKTYPE_CCA_INTERNAL)
1858 return -EINVAL;
1859
1860 switch (hdr->version) {
1861 case TOKVER_CCA_AES:
1862 mkvp = ((struct secaeskeytoken *)key)->mkvp;
1863 break;
1864 case TOKVER_CCA_VLSC:
1865 mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1866 minhwtype = AP_DEVICE_TYPE_CEX6;
1867 break;
1868 default:
1869 return -EINVAL;
1870 }
1871
1872 return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
1873 }
1874 EXPORT_SYMBOL(cca_findcard);
1875
cca_findcard2(u32 ** apqns,u32 * nr_apqns,u16 cardnr,u16 domain,int minhwtype,int mktype,u64 cur_mkvp,u64 old_mkvp,int verify)1876 int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1877 int minhwtype, int mktype, u64 cur_mkvp, u64 old_mkvp,
1878 int verify)
1879 {
1880 struct zcrypt_device_status_ext *device_status;
1881 u32 *_apqns = NULL, _nr_apqns = 0;
1882 int i, card, dom, curmatch, oldmatch, rc = 0;
1883 struct cca_info ci;
1884
1885 /* fetch status of all crypto cards */
1886 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1887 sizeof(struct zcrypt_device_status_ext),
1888 GFP_KERNEL);
1889 if (!device_status)
1890 return -ENOMEM;
1891 zcrypt_device_status_mask_ext(device_status);
1892
1893 /* allocate 1k space for up to 256 apqns */
1894 _apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL);
1895 if (!_apqns) {
1896 kvfree(device_status);
1897 return -ENOMEM;
1898 }
1899
1900 /* walk through all the crypto apqnss */
1901 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1902 card = AP_QID_CARD(device_status[i].qid);
1903 dom = AP_QID_QUEUE(device_status[i].qid);
1904 /* check online state */
1905 if (!device_status[i].online)
1906 continue;
1907 /* check for cca functions */
1908 if (!(device_status[i].functions & 0x04))
1909 continue;
1910 /* check cardnr */
1911 if (cardnr != 0xFFFF && card != cardnr)
1912 continue;
1913 /* check domain */
1914 if (domain != 0xFFFF && dom != domain)
1915 continue;
1916 /* get cca info on this apqn */
1917 if (cca_get_info(card, dom, &ci, verify))
1918 continue;
1919 /* current master key needs to be valid */
1920 if (mktype == AES_MK_SET && ci.cur_aes_mk_state != '2')
1921 continue;
1922 if (mktype == APKA_MK_SET && ci.cur_apka_mk_state != '2')
1923 continue;
1924 /* check min hardware type */
1925 if (minhwtype > 0 && minhwtype > ci.hwtype)
1926 continue;
1927 if (cur_mkvp || old_mkvp) {
1928 /* check mkvps */
1929 curmatch = oldmatch = 0;
1930 if (mktype == AES_MK_SET) {
1931 if (cur_mkvp && cur_mkvp == ci.cur_aes_mkvp)
1932 curmatch = 1;
1933 if (old_mkvp && ci.old_aes_mk_state == '2' &&
1934 old_mkvp == ci.old_aes_mkvp)
1935 oldmatch = 1;
1936 } else {
1937 if (cur_mkvp && cur_mkvp == ci.cur_apka_mkvp)
1938 curmatch = 1;
1939 if (old_mkvp && ci.old_apka_mk_state == '2' &&
1940 old_mkvp == ci.old_apka_mkvp)
1941 oldmatch = 1;
1942 }
1943 if (curmatch + oldmatch < 1)
1944 continue;
1945 }
1946 /* apqn passed all filtering criterons, add to the array */
1947 if (_nr_apqns < 256)
1948 _apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16) dom);
1949 }
1950
1951 /* nothing found ? */
1952 if (!_nr_apqns) {
1953 kfree(_apqns);
1954 rc = -ENODEV;
1955 } else {
1956 /* no re-allocation, simple return the _apqns array */
1957 *apqns = _apqns;
1958 *nr_apqns = _nr_apqns;
1959 rc = 0;
1960 }
1961
1962 kvfree(device_status);
1963 return rc;
1964 }
1965 EXPORT_SYMBOL(cca_findcard2);
1966
zcrypt_ccamisc_exit(void)1967 void __exit zcrypt_ccamisc_exit(void)
1968 {
1969 mkvp_cache_free();
1970 }
1971