
s390/zcrypt: add display of ASYM master key verification pattern

This patch extends the sysfs attribute mkvps for CCA cards
to show the states and master key verification patterns for
the old, current and new ASYM master key registers.

With this patch now all relevant master key verification
patterns related to a CCA HSM are available with the mkvps
sysfs attribute. This is a requirement for some exploiters
like the kubernetes cex plugin or initrd code needing to
verify the master key verification patterns on HSMs before
use.

A sample output:
cat /sys/devices/ap/card04/04.0005/mkvps
AES NEW: empty 0x0000000000000000
AES CUR: valid 0xe9a49a58cd039bed
AES OLD: valid 0x7d10d17bc8a409c4
APKA NEW: empty 0x0000000000000000
APKA CUR: valid 0x5f2f27aaa2d59b4a
APKA OLD: valid 0x82a5e2cd5030d5ec
ASYM NEW: empty 0x00000000000000000000000000000000
ASYM CUR: valid 0x650c25a89c27e716d0e692b6c83f10e5
ASYM OLD: valid 0xf8ae2acf8bfc57f0a0957c732c16078b

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Jörg Schmidbauer <jschmidb@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>

authored by

Harald Freudenberger and committed by
Heiko Carstens
28d3417a 2ba24343

+47 -4
+9
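--- a/drivers/s390/crypto/zcrypt_ccamisc.c
+++ b/drivers/s390/crypto/zcrypt_ccamisc.c
@@ -1708,6 +1708,15 @@
 rarray, &rlen, varray, &vlen);
 if (rc == 0 && rlen >= 10*8 && vlen >= 204) {
 memcpy(ci->serial, rarray, 8);
+ci->new_asym_mk_state = (char) rarray[4*8];
+ci->cur_asym_mk_state = (char) rarray[5*8];
+ci->old_asym_mk_state = (char) rarray[6*8];
+if (ci->old_asym_mk_state == '2')
+memcpy(ci->old_asym_mkvp, varray + 64, 16);
+if (ci->cur_asym_mk_state == '2')
+memcpy(ci->cur_asym_mkvp, varray + 84, 16);
+if (ci->new_asym_mk_state == '3')
+memcpy(ci->new_asym_mkvp, varray + 104, 16);
 ci->new_aes_mk_state = (char) rarray[7*8];
 ci->cur_aes_mk_state = (char) rarray[8*8];
 ci->old_aes_mk_state = (char) rarray[9*8];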
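Review bot: The three added memcpy() calls leave old_asym_mkvp, cur_asym_mkvp and new_asym_mkvp untouched whenever the state test fails, and new_asym_mkvp is copied only for state '3' although the header documents '2' as partially full. zcrypt_cex4.c prints these arrays for every state in range, so the output is well defined only if the struct was cleared before these lines run; that is not visible in this hunk and deserves a comment such as `/* ci is zeroed beforehand, so an uncopied mkvp reads as all zeroes */`. The offsets 64, 84 and 104 and the length 16 are bare numbers; `memcpy(ci->old_asym_mkvp, varray + 64, sizeof(ci->old_asym_mkvp));` would tie the length to the destination, and a short comment naming the response-block fields would explain the offsets. The enclosing function starts and ends outside the hunk.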
+6
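--- a/drivers/s390/crypto/zcrypt_ccamisc.h
+++ b/drivers/s390/crypto/zcrypt_ccamisc.h
@@ -251,12 +251,18 @@
 char new_apka_mk_state; /* '1' empty, '2' partially full, '3' full */
 char cur_apka_mk_state; /* '1' invalid, '2' valid */
 char old_apka_mk_state; /* '1' invalid, '2' valid */
+char new_asym_mk_state; /* '1' empty, '2' partially full, '3' full */
+char cur_asym_mk_state; /* '1' invalid, '2' valid */
+char old_asym_mk_state; /* '1' invalid, '2' valid */
 u64 new_aes_mkvp; /* truncated sha256 of new aes master key */
 u64 cur_aes_mkvp; /* truncated sha256 of current aes master key */
 u64 old_aes_mkvp; /* truncated sha256 of old aes master key */
 u64 new_apka_mkvp; /* truncated sha256 of new apka master key */
 u64 cur_apka_mkvp; /* truncated sha256 of current apka mk */
 u64 old_apka_mkvp; /* truncated sha256 of old apka mk */
+u8 new_asym_mkvp[16]; /* verify pattern of new asym master key */
+u8 cur_asym_mkvp[16]; /* verify pattern of current asym master key */
+u8 old_asym_mkvp[16]; /* verify pattern of old asym master key */
 char serial[9]; /* serial number (8 ascii numbers + 0x00) */
 };
 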
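Review bot: The comments on new_asym_mkvp, cur_asym_mkvp and old_asym_mkvp do not say when the 16 bytes are meaningful. zcrypt_ccamisc.c fills them only for state '2' (old and current) or '3' (new), so a reader of the struct cannot tell a genuine pattern from one that was never fetched. I would write `/* verify pattern of new asym master key, set only when new_asym_mk_state is '3' */` and the matching wording with '2' for the other two. The struct definition begins above the hunk.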
+32 -4
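--- a/drivers/s390/crypto/zcrypt_cex4.c
+++ b/drivers/s390/crypto/zcrypt_cex4.c
@@ -123,11 +123,12 @@
 &ci, zq->online);
 
 if (ci.new_aes_mk_state >= '1' && ci.new_aes_mk_state <= '3')
-n = scnprintf(buf, PAGE_SIZE, "AES NEW: %s 0x%016llx\n",
-new_state[ci.new_aes_mk_state - '1'],
-ci.new_aes_mkvp);
+n += scnprintf(buf + n, PAGE_SIZE,
+"AES NEW: %s 0x%016llx\n",
+new_state[ci.new_aes_mk_state - '1'],
+ci.new_aes_mkvp);
 else
-n = scnprintf(buf, PAGE_SIZE, "AES NEW: - -\n");
+n += scnprintf(buf + n, PAGE_SIZE, "AES NEW: - -\n");
 
 if (ci.cur_aes_mk_state >= '1' && ci.cur_aes_mk_state <= '2')
 n += scnprintf(buf + n, PAGE_SIZE - n,
@@ -169,6 +168,33 @@
 ci.old_apka_mkvp);
 else
 n += scnprintf(buf + n, PAGE_SIZE - n, "APKA OLD: - -\n");
+
+if (ci.new_asym_mk_state >= '1' && ci.new_asym_mk_state <= '3')
+n += scnprintf(buf + n, PAGE_SIZE,
+"ASYM NEW: %s 0x%016llx%016llx\n",
+new_state[ci.new_asym_mk_state - '1'],
+*((u64 *)(ci.new_asym_mkvp)),
+*((u64 *)(ci.new_asym_mkvp + sizeof(u64))));
+else
+n += scnprintf(buf + n, PAGE_SIZE, "ASYM NEW: - -\n");
+
+if (ci.cur_asym_mk_state >= '1' && ci.cur_asym_mk_state <= '2')
+n += scnprintf(buf + n, PAGE_SIZE - n,
+"ASYM CUR: %s 0x%016llx%016llx\n",
+cao_state[ci.cur_asym_mk_state - '1'],
+*((u64 *)(ci.cur_asym_mkvp)),
+*((u64 *)(ci.cur_asym_mkvp + sizeof(u64))));
+else
+n += scnprintf(buf + n, PAGE_SIZE - n, "ASYM CUR: - -\n");
+
+if (ci.old_asym_mk_state >= '1' && ci.old_asym_mk_state <= '2')
+n += scnprintf(buf + n, PAGE_SIZE - n,
+"ASYM OLD: %s 0x%016llx%016llx\n",
+cao_state[ci.old_asym_mk_state - '1'],
+*((u64 *)(ci.old_asym_mkvp)),
+*((u64 *)(ci.old_asym_mkvp + sizeof(u64))));
+else
+n += scnprintf(buf + n, PAGE_SIZE - n, "ASYM OLD: - -\n");
 
 return n;
 }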
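Review bot: The added ASYM NEW branch passes `PAGE_SIZE` as the size while writing at `buf + n`, so the bound handed to scnprintf() overstates the room left in the sysfs page by n bytes. The rewritten AES NEW calls in the first hunk do the same and are correct only if n is still 0 there, which depends on an initialisation outside the hunk. Both should read `n += scnprintf(buf + n, PAGE_SIZE - n,` like the CUR and OLD branches, or use `sysfs_emit_at(buf, n, ...)` if that helper is available in this tree. Separately, `*((u64 *)(ci.new_asym_mkvp))` reads a u8 array through a u64 pointer, so the printed digit order follows host byte order; printing the bytes with `%16phN` would avoid the cast. The function starts above the first hunk.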