tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

s390/zcrypt: Rework ep11 misc functions to use cprb mempool

There are two places in the ep11 misc code where a short term
memory buffer is needed. Rework this code to use the cprb mempool
to satisfy this ephemeral memory requirements.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Link: https://lore.kernel.org/r/20250424133619.16495-19-freude@linux.ibm.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>

authored by

Harald Freudenberger and committed by
Heiko Carstens 6fecab9b e9f45ef6

+76 -49
+2 -1
drivers/s390/crypto/pkey_ep11.c
··· 280 280 { 281 281 struct pkey_apqn *local_apqns = NULL; 282 282 int i, len, rc; 283 + const u32 xflags = 0; 283 284 284 285 /* check keytype, subtype, keybitsize */ 285 286 switch (keytype) { ··· 329 328 for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 330 329 rc = ep11_genaeskey(apqns[i].card, apqns[i].domain, 331 330 keybitsize, flags, 332 - keybuf, keybuflen, subtype); 331 + keybuf, keybuflen, subtype, xflags); 333 332 } 334 333 335 334 out:
+6 -6
drivers/s390/crypto/zcrypt_cex4.c
··· 214 214 215 215 memset(&ci, 0, sizeof(ci)); 216 216 217 - ep11_get_card_info(ac->id, &ci); 217 + ep11_get_card_info(ac->id, &ci, 0); 218 218 219 219 if (ci.API_ord_nr > 0) 220 220 return sysfs_emit(buf, "%u\n", ci.API_ord_nr); ··· 234 234 235 235 memset(&ci, 0, sizeof(ci)); 236 236 237 - ep11_get_card_info(ac->id, &ci); 237 + ep11_get_card_info(ac->id, &ci, 0); 238 238 239 239 if (ci.FW_version > 0) 240 240 return sysfs_emit(buf, "%d.%d\n", ··· 256 256 257 257 memset(&ci, 0, sizeof(ci)); 258 258 259 - ep11_get_card_info(ac->id, &ci); 259 + ep11_get_card_info(ac->id, &ci, 0); 260 260 261 261 if (ci.serial[0]) 262 262 return sysfs_emit(buf, "%16.16s\n", ci.serial); ··· 293 293 294 294 memset(&ci, 0, sizeof(ci)); 295 295 296 - ep11_get_card_info(ac->id, &ci); 296 + ep11_get_card_info(ac->id, &ci, 0); 297 297 298 298 for (i = 0; ep11_op_modes[i].mode_txt; i++) { 299 299 if (ci.op_mode & (1ULL << ep11_op_modes[i].mode_bit)) { ··· 343 343 if (zq->online) 344 344 ep11_get_domain_info(AP_QID_CARD(zq->queue->qid), 345 345 AP_QID_QUEUE(zq->queue->qid), 346 - &di); 346 + &di, 0); 347 347 348 348 if (di.cur_wk_state == '0') { 349 349 n = sysfs_emit(buf, "WK CUR: %s -\n", ··· 390 390 if (zq->online) 391 391 ep11_get_domain_info(AP_QID_CARD(zq->queue->qid), 392 392 AP_QID_QUEUE(zq->queue->qid), 393 - &di); 393 + &di, 0); 394 394 395 395 for (i = 0; ep11_op_modes[i].mode_txt; i++) { 396 396 if (di.op_mode & (1ULL << ep11_op_modes[i].mode_bit)) {
+64 -39
drivers/s390/crypto/zcrypt_ep11misc.c
··· 549 549 * Helper function which does an ep11 query with given query type. 550 550 */ 551 551 static int ep11_query_info(u16 cardnr, u16 domain, u32 query_type, 552 - size_t buflen, u8 *buf) 552 + size_t buflen, u8 *buf, u32 xflags) 553 553 { 554 554 struct ep11_info_req_pl { 555 555 struct pl_head head; ··· 573 573 struct ep11_target_dev target; 574 574 struct ep11_urb urb; 575 575 int api = EP11_API_V1, rc = -ENOMEM; 576 - const u32 xflags = 0; 577 576 578 577 /* request cprb and payload */ 579 578 req = alloc_cprbmem(sizeof(struct ep11_info_req_pl), xflags); ··· 638 639 /* 639 640 * Provide information about an EP11 card. 640 641 */ 641 - int ep11_get_card_info(u16 card, struct ep11_card_info *info) 642 + int ep11_get_card_info(u16 card, struct ep11_card_info *info, u32 xflags) 642 643 { 643 644 int rc; 644 645 struct ep11_module_query_info { ··· 668 669 u32 max_CP_index; 669 670 } __packed * pmqi = NULL; 670 671 671 - pmqi = kmalloc(sizeof(*pmqi), GFP_KERNEL); 672 + /* use the cprb mempool to satisfy this short term mem alloc */ 673 + pmqi = (xflags & ZCRYPT_XFLAG_NOMEMALLOC) ? 674 + mempool_alloc_preallocated(cprb_mempool) : 675 + mempool_alloc(cprb_mempool, GFP_KERNEL); 672 676 if (!pmqi) 673 677 return -ENOMEM; 674 678 rc = ep11_query_info(card, AUTOSEL_DOM, 675 679 0x01 /* module info query */, 676 - sizeof(*pmqi), (u8 *)pmqi); 680 + sizeof(*pmqi), (u8 *)pmqi, xflags); 677 681 if (rc) 678 682 goto out; 679 683 ··· 687 685 info->op_mode = pmqi->op_mode; 688 686 689 687 out: 690 - kfree(pmqi); 688 + mempool_free(pmqi, cprb_mempool); 691 689 return rc; 692 690 } 693 691 EXPORT_SYMBOL(ep11_get_card_info); ··· 695 693 /* 696 694 * Provide information about a domain within an EP11 card. 697 695 */ 698 - int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info) 696 + int ep11_get_domain_info(u16 card, u16 domain, 697 + struct ep11_domain_info *info, u32 xflags) 699 698 { 700 699 int rc; 701 700 struct ep11_domain_query_info { ··· 708 705 } __packed dom_query_info; 709 706 710 707 rc = ep11_query_info(card, domain, 0x03 /* domain info query */, 711 - sizeof(dom_query_info), (u8 *)&dom_query_info); 708 + sizeof(dom_query_info), (u8 *)&dom_query_info, 709 + xflags); 712 710 if (rc) 713 711 goto out; 714 712 ··· 743 739 744 740 static int _ep11_genaeskey(u16 card, u16 domain, 745 741 u32 keybitsize, u32 keygenflags, 746 - u8 *keybuf, size_t *keybufsize) 742 + u8 *keybuf, size_t *keybufsize, u32 xflags) 747 743 { 748 744 struct keygen_req_pl { 749 745 struct pl_head head; ··· 781 777 struct ep11_urb urb; 782 778 int api, rc = -ENOMEM; 783 779 u8 *p; 784 - const u32 xflags = 0; 785 780 786 781 switch (keybitsize) { 787 782 case 128: ··· 883 880 } 884 881 885 882 int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, 886 - u8 *keybuf, u32 *keybufsize, u32 keybufver) 883 + u8 *keybuf, u32 *keybufsize, u32 keybufver, u32 xflags) 887 884 { 888 885 struct ep11kblob_header *hdr; 889 886 size_t hdr_size, pl_size; ··· 904 901 return rc; 905 902 906 903 rc = _ep11_genaeskey(card, domain, keybitsize, keygenflags, 907 - pl, &pl_size); 904 + pl, &pl_size, xflags); 908 905 if (rc) 909 906 return rc; 910 907 ··· 924 921 u16 mode, u32 mech, const u8 *iv, 925 922 const u8 *key, size_t keysize, 926 923 const u8 *inbuf, size_t inbufsize, 927 - u8 *outbuf, size_t *outbufsize) 924 + u8 *outbuf, size_t *outbufsize, 925 + u32 xflags) 928 926 { 929 927 struct crypt_req_pl { 930 928 struct pl_head head; ··· 956 952 size_t req_pl_size, rep_pl_size = 0; 957 953 int n, api = EP11_API_V1, rc = -ENOMEM; 958 954 u8 *p; 959 - const u32 xflags = 0; 960 955 961 956 /* the simple asn1 coding used has length limits */ 962 957 if (keysize > 0xFFFF || inbufsize > 0xFFFF) ··· 1054 1051 const u8 *enckey, size_t enckeysize, 1055 1052 u32 mech, const u8 *iv, 1056 1053 u32 keybitsize, u32 keygenflags, 1057 - u8 *keybuf, size_t *keybufsize) 1054 + u8 *keybuf, size_t *keybufsize, u32 xflags) 1058 1055 { 1059 1056 struct uw_req_pl { 1060 1057 struct pl_head head; ··· 1094 1091 struct ep11_urb urb; 1095 1092 int api, rc = -ENOMEM; 1096 1093 u8 *p; 1097 - const u32 xflags = 0; 1098 1094 1099 1095 /* request cprb and payload */ 1100 1096 api = (!keygenflags || keygenflags & 0x00200000) ? ··· 1201 1199 u32 mech, const u8 *iv, 1202 1200 u32 keybitsize, u32 keygenflags, 1203 1201 u8 *keybuf, u32 *keybufsize, 1204 - u8 keybufver) 1202 + u8 keybufver, u32 xflags) 1205 1203 { 1206 1204 struct ep11kblob_header *hdr; 1207 1205 size_t hdr_size, pl_size; ··· 1215 1213 1216 1214 rc = _ep11_unwrapkey(card, domain, kek, keksize, enckey, enckeysize, 1217 1215 mech, iv, keybitsize, keygenflags, 1218 - pl, &pl_size); 1216 + pl, &pl_size, xflags); 1219 1217 if (rc) 1220 1218 return rc; 1221 1219 ··· 1234 1232 static int _ep11_wrapkey(u16 card, u16 domain, 1235 1233 const u8 *key, size_t keysize, 1236 1234 u32 mech, const u8 *iv, 1237 - u8 *databuf, size_t *datasize) 1235 + u8 *databuf, size_t *datasize, u32 xflags) 1238 1236 { 1239 1237 struct wk_req_pl { 1240 1238 struct pl_head head; ··· 1267 1265 size_t req_pl_size; 1268 1266 int api, rc = -ENOMEM; 1269 1267 u8 *p; 1270 - const u32 xflags = 0; 1271 1268 1272 1269 /* request cprb and payload */ 1273 1270 req_pl_size = sizeof(struct wk_req_pl) + (iv ? 16 : 0) ··· 1356 1355 u32 keytype) 1357 1356 { 1358 1357 int rc; 1359 - u8 encbuf[64], *kek = NULL; 1358 + void *mem; 1359 + u8 encbuf[64], *kek; 1360 1360 size_t clrkeylen, keklen, encbuflen = sizeof(encbuf); 1361 + const u32 xflags = 0; 1361 1362 1362 1363 if (keybitsize == 128 || keybitsize == 192 || keybitsize == 256) { 1363 1364 clrkeylen = keybitsize / 8; ··· 1369 1366 return -EINVAL; 1370 1367 } 1371 1368 1372 - /* allocate memory for the temp kek */ 1369 + /* 1370 + * Allocate space for the temp kek. 1371 + * Also we only need up to MAXEP11AESKEYBLOBSIZE bytes for this 1372 + * we use the already existing cprb mempool to solve this 1373 + * short term memory requirement. 1374 + */ 1375 + mem = (xflags & ZCRYPT_XFLAG_NOMEMALLOC) ? 1376 + mempool_alloc_preallocated(cprb_mempool) : 1377 + mempool_alloc(cprb_mempool, GFP_KERNEL); 1378 + if (!mem) 1379 + return -ENOMEM; 1380 + kek = (u8 *)mem; 1373 1381 keklen = MAXEP11AESKEYBLOBSIZE; 1374 - kek = kmalloc(keklen, GFP_ATOMIC); 1375 - if (!kek) { 1376 - rc = -ENOMEM; 1377 - goto out; 1378 - } 1379 1382 1380 1383 /* Step 1: generate AES 256 bit random kek key */ 1381 1384 rc = _ep11_genaeskey(card, domain, 256, 1382 1385 0x00006c00, /* EN/DECRYPT, WRAP/UNWRAP */ 1383 - kek, &keklen); 1386 + kek, &keklen, xflags); 1384 1387 if (rc) { 1385 1388 ZCRYPT_DBF_ERR("%s generate kek key failed, rc=%d\n", 1386 1389 __func__, rc); ··· 1395 1386 1396 1387 /* Step 2: encrypt clear key value with the kek key */ 1397 1388 rc = ep11_cryptsingle(card, domain, 0, 0, def_iv, kek, keklen, 1398 - clrkey, clrkeylen, encbuf, &encbuflen); 1389 + clrkey, clrkeylen, encbuf, &encbuflen, xflags); 1399 1390 if (rc) { 1400 1391 ZCRYPT_DBF_ERR("%s encrypting key value with kek key failed, rc=%d\n", 1401 1392 __func__, rc); ··· 1405 1396 /* Step 3: import the encrypted key value as a new key */ 1406 1397 rc = ep11_unwrapkey(card, domain, kek, keklen, 1407 1398 encbuf, encbuflen, 0, def_iv, 1408 - keybitsize, 0, keybuf, keybufsize, keytype); 1399 + keybitsize, 0, keybuf, keybufsize, keytype, xflags); 1409 1400 if (rc) { 1410 1401 ZCRYPT_DBF_ERR("%s importing key value as new key failed, rc=%d\n", 1411 1402 __func__, rc); ··· 1413 1404 } 1414 1405 1415 1406 out: 1416 - kfree(kek); 1407 + mempool_free(mem, cprb_mempool); 1417 1408 return rc; 1418 1409 } 1419 1410 EXPORT_SYMBOL(ep11_clr2keyblob); ··· 1436 1427 } __packed * wki; 1437 1428 u8 *wkbuf = NULL; 1438 1429 int rc = -EIO; 1430 + const u32 xflags = 0; 1439 1431 1440 1432 if (ep11_kb_decode((u8 *)keyblob, keybloblen, &hdr, NULL, &key, &keylen)) 1441 1433 return -EINVAL; ··· 1447 1437 } 1448 1438 /* !!! hdr is no longer a valid header !!! */ 1449 1439 1450 - /* alloc temp working buffer */ 1440 + /* need a temp working buffer */ 1451 1441 wkbuflen = (keylen + AES_BLOCK_SIZE) & (~(AES_BLOCK_SIZE - 1)); 1452 - wkbuf = kmalloc(wkbuflen, GFP_ATOMIC); 1453 - if (!wkbuf) 1454 - return -ENOMEM; 1442 + if (wkbuflen > CPRB_MEMPOOL_ITEM_SIZE) { 1443 + /* this should never happen */ 1444 + rc = -ENOMEM; 1445 + ZCRYPT_DBF_WARN("%s wkbuflen %d > cprb mempool item size %d, rc=%d\n", 1446 + __func__, (int)wkbuflen, CPRB_MEMPOOL_ITEM_SIZE, rc); 1447 + return rc; 1448 + } 1449 + /* use the cprb mempool to satisfy this short term mem allocation */ 1450 + wkbuf = (xflags & ZCRYPT_XFLAG_NOMEMALLOC) ? 1451 + mempool_alloc_preallocated(cprb_mempool) : 1452 + mempool_alloc(cprb_mempool, GFP_ATOMIC); 1453 + if (!wkbuf) { 1454 + rc = -ENOMEM; 1455 + ZCRYPT_DBF_WARN("%s allocating tmp buffer via cprb mempool failed, rc=%d\n", 1456 + __func__, rc); 1457 + return rc; 1458 + } 1455 1459 1456 1460 /* ep11 secure key -> protected key + info */ 1457 1461 rc = _ep11_wrapkey(card, dom, (u8 *)key, keylen, 1458 - 0, def_iv, wkbuf, &wkbuflen); 1462 + 0, def_iv, wkbuf, &wkbuflen, xflags); 1459 1463 if (rc) { 1460 1464 ZCRYPT_DBF_ERR("%s rewrapping ep11 key to pkey failed, rc=%d\n", 1461 1465 __func__, rc); ··· 1536 1512 *protkeylen = wki->pkeysize; 1537 1513 1538 1514 out: 1539 - kfree(wkbuf); 1515 + mempool_free(wkbuf, cprb_mempool); 1540 1516 return rc; 1541 1517 } 1542 1518 EXPORT_SYMBOL(ep11_kblob2protkey); ··· 1549 1525 struct ep11_card_info eci; 1550 1526 u32 _nr_apqns = 0; 1551 1527 int i, card, dom; 1528 + const u32 xflags = 0; 1552 1529 1553 1530 /* occupy the device status memory */ 1554 1531 mutex_lock(&dev_status_mem_mutex); ··· 1582 1557 continue; 1583 1558 /* check min api version if given */ 1584 1559 if (minapi > 0) { 1585 - if (ep11_get_card_info(card, &eci)) 1560 + if (ep11_get_card_info(card, &eci, xflags)) 1586 1561 continue; 1587 1562 if (minapi > eci.API_ord_nr) 1588 1563 continue; 1589 1564 } 1590 1565 /* check wkvp if given */ 1591 1566 if (wkvp) { 1592 - if (ep11_get_domain_info(card, dom, &edi)) 1567 + if (ep11_get_domain_info(card, dom, &edi, xflags)) 1593 1568 continue; 1594 1569 if (edi.cur_wk_state != '1') 1595 1570 continue;
+4 -3
drivers/s390/crypto/zcrypt_ep11misc.h
··· 104 104 /* 105 105 * Provide information about an EP11 card. 106 106 */ 107 - int ep11_get_card_info(u16 card, struct ep11_card_info *info); 107 + int ep11_get_card_info(u16 card, struct ep11_card_info *info, u32 xflags); 108 108 109 109 /* 110 110 * Provide information about a domain within an EP11 card. 111 111 */ 112 - int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info); 112 + int ep11_get_domain_info(u16 card, u16 domain, 113 + struct ep11_domain_info *info, u32 xflags); 113 114 114 115 /* 115 116 * Generate (random) EP11 AES secure key. 116 117 */ 117 118 int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, 118 - u8 *keybuf, u32 *keybufsize, u32 keybufver); 119 + u8 *keybuf, u32 *keybufsize, u32 keybufver, u32 xflags); 119 120 120 121 /* 121 122 * Generate EP11 AES secure key with given clear key value.