1 /* SPDX-License-Identifier: GPL-2.0+ */
2 /*
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 *
6 * Collection of EP11 misc functions used by zcrypt and pkey
7 */
8
9 #ifndef _ZCRYPT_EP11MISC_H_
10 #define _ZCRYPT_EP11MISC_H_
11
12 #include <asm/zcrypt.h>
13 #include <asm/pkey.h>
14
15 #define EP11_API_V 4 /* highest known and supported EP11 API version */
16 #define EP11_STRUCT_MAGIC 0x1234
17 #define EP11_BLOB_PKEY_EXTRACTABLE 0x00200000
18
19 /*
20 * Internal used values for the version field of the key header.
21 * Should match to the enum pkey_key_type in pkey.h.
22 */
23 #define TOKVER_EP11_AES 0x03 /* EP11 AES key blob (old style) */
24 #define TOKVER_EP11_AES_WITH_HEADER 0x06 /* EP11 AES key blob with header */
25 #define TOKVER_EP11_ECC_WITH_HEADER 0x07 /* EP11 ECC key blob with header */
26
27 /* inside view of an EP11 secure key blob */
28 struct ep11keyblob {
29 union {
30 u8 session[32];
31 /* only used for PKEY_TYPE_EP11: */
32 struct ep11kblob_header head;
33 };
34 u8 wkvp[16]; /* wrapping key verification pattern */
35 u64 attr; /* boolean key attributes */
36 u64 mode; /* mode bits */
37 u16 version; /* 0x1234, EP11_STRUCT_MAGIC */
38 u8 iv[14];
39 u8 encrypted_key_data[144];
40 u8 mac[32];
41 } __packed;
42
43 /* check ep11 key magic to find out if this is an ep11 key blob */
is_ep11_keyblob(const u8 * key)44 static inline bool is_ep11_keyblob(const u8 *key)
45 {
46 struct ep11keyblob *kb = (struct ep11keyblob *) key;
47
48 return (kb->version == EP11_STRUCT_MAGIC);
49 }
50
51 /*
52 * Simple check if the key blob is a valid EP11 AES key blob with header.
53 * If checkcpacfexport is enabled, the key is also checked for the
54 * attributes needed to export this key for CPACF use.
55 * Returns 0 on success or errno value on failure.
56 */
57 int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl,
58 const u8 *key, size_t keylen, int checkcpacfexp);
59
60 /*
61 * Simple check if the key blob is a valid EP11 ECC key blob with header.
62 * If checkcpacfexport is enabled, the key is also checked for the
63 * attributes needed to export this key for CPACF use.
64 * Returns 0 on success or errno value on failure.
65 */
66 int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl,
67 const u8 *key, size_t keylen, int checkcpacfexp);
68
69 /*
70 * Simple check if the key blob is a valid EP11 AES key blob with
71 * the header in the session field (old style EP11 AES key).
72 * If checkcpacfexport is enabled, the key is also checked for the
73 * attributes needed to export this key for CPACF use.
74 * Returns 0 on success or errno value on failure.
75 */
76 int ep11_check_aes_key(debug_info_t *dbg, int dbflvl,
77 const u8 *key, size_t keylen, int checkcpacfexp);
78
79 /* EP11 card info struct */
80 struct ep11_card_info {
81 u32 API_ord_nr; /* API ordinal number */
82 u16 FW_version; /* Firmware major and minor version */
83 char serial[16]; /* serial number string (16 ascii, no 0x00 !) */
84 u64 op_mode; /* card operational mode(s) */
85 };
86
87 /* EP11 domain info struct */
88 struct ep11_domain_info {
89 char cur_wk_state; /* '0' invalid, '1' valid */
90 char new_wk_state; /* '0' empty, '1' uncommitted, '2' committed */
91 u8 cur_wkvp[32]; /* current wrapping key verification pattern */
92 u8 new_wkvp[32]; /* new wrapping key verification pattern */
93 u64 op_mode; /* domain operational mode(s) */
94 };
95
96 /*
97 * Provide information about an EP11 card.
98 */
99 int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify);
100
101 /*
102 * Provide information about a domain within an EP11 card.
103 */
104 int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info);
105
106 /*
107 * Generate (random) EP11 AES secure key.
108 */
109 int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
110 u8 *keybuf, size_t *keybufsize);
111
112 /*
113 * Generate EP11 AES secure key with given clear key value.
114 */
115 int ep11_clr2keyblob(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
116 const u8 *clrkey, u8 *keybuf, size_t *keybufsize);
117
118 /*
119 * Build a list of ep11 apqns meeting the following constrains:
120 * - apqn is online and is in fact an EP11 apqn
121 * - if cardnr is not FFFF only apqns with this cardnr
122 * - if domain is not FFFF only apqns with this domainnr
123 * - if minhwtype > 0 only apqns with hwtype >= minhwtype
124 * - if minapi > 0 only apqns with API_ord_nr >= minapi
125 * - if wkvp != NULL only apqns where the wkvp (EP11_WKVPLEN bytes) matches
126 * to the first EP11_WKVPLEN bytes of the wkvp of the current wrapping
127 * key for this domain. When a wkvp is given there will aways be a re-fetch
128 * of the domain info for the potential apqn - so this triggers an request
129 * reply to each apqn eligible.
130 * The array of apqn entries is allocated with kmalloc and returned in *apqns;
131 * the number of apqns stored into the list is returned in *nr_apqns. One apqn
132 * entry is simple a 32 bit value with 16 bit cardnr and 16 bit domain nr and
133 * may be casted to struct pkey_apqn. The return value is either 0 for success
134 * or a negative errno value. If no apqn meeting the criterias is found,
135 * -ENODEV is returned.
136 */
137 int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
138 int minhwtype, int minapi, const u8 *wkvp);
139
140 /*
141 * Derive proteced key from EP11 key blob (AES and ECC keys).
142 */
143 int ep11_kblob2protkey(u16 card, u16 dom, const u8 *key, size_t keylen,
144 u8 *protkey, u32 *protkeylen, u32 *protkeytype);
145
146 void zcrypt_ep11misc_exit(void);
147
148 #endif /* _ZCRYPT_EP11MISC_H_ */
149