tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

s390/pkey: Introduce pkey base with handler registry and handler modules

Introduce pkey base kernel code with a simple pkey handler registry.
Regroup the pkey code into these kernel modules:
- pkey is the pkey api supporting the ioctls, sysfs and in-kernel api.
Also the pkey base code which offers the handler registry and
handler wrapping invocation functions is integrated there. This
module is automatically loaded in via CPU feature if the MSA feature
is available.
- pkey-cca is the CCA related handler code kernel module a offering
CCA specific implementation for pkey. This module is loaded in
via MODULE_DEVICE_TABLE when a CEX[4-8] card becomes available.
- pkey-ep11 is the EP11 related handler code kernel module offering an
EP11 specific implementation for pkey. This module is loaded in via
MODULE_DEVICE_TABLE when a CEX[4-8] card becomes available.
- pkey-pckmo is the PCKMO related handler code kernel module. This
module is loaded in via CPU feature if the MSA feature is available,
but on init a check for availability of the pckmo instruction is
performed.

The handler modules register via a pkey_handler struct at the pkey
base code and the pkey customer (that is currently the pkey api code
fetches a handler via pkey handler registry functions and calls the
unified handler functions via the pkey base handler functions.

As a result the pkey-cca, pkey-ep11 and pkey-pckmo modules get
independent from each other and it becomes possible to write new
handlers which offer another kind of implementation without implicit
dependencies to other handler implementations and/or kernel device
drivers.

For each of these 4 kernel modules there is an individual Kconfig
entry: CONFIG_PKEY for the base and api, CONFIG_PKEY_CCA for the PKEY
CCA support handler, CONFIG_PKEY_EP11 for the EP11 support handler and
CONFIG_PKEY_PCKMO for the pckmo support. The both CEX related handler
modules (PKEY CCA and PKEY EP11) have a dependency to the zcrypt api
of the zcrypt device driver.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

authored by

Harald Freudenberger and committed by
Vasily Gorbik 8fcc231c ea88e171

+1697 -1332
+3
arch/s390/configs/debug_defconfig
··· 797 797 CONFIG_CRYPTO_HMAC_S390=m 798 798 CONFIG_ZCRYPT=m 799 799 CONFIG_PKEY=m 800 + CONFIG_PKEY_CCA=m 801 + CONFIG_PKEY_EP11=m 802 + CONFIG_PKEY_PCKMO=m 800 803 CONFIG_CRYPTO_PAES_S390=m 801 804 CONFIG_CRYPTO_DEV_VIRTIO=m 802 805 CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+3
arch/s390/configs/defconfig
··· 784 784 CONFIG_CRYPTO_HMAC_S390=m 785 785 CONFIG_ZCRYPT=m 786 786 CONFIG_PKEY=m 787 + CONFIG_PKEY_CCA=m 788 + CONFIG_PKEY_EP11=m 789 + CONFIG_PKEY_PCKMO=m 787 790 CONFIG_CRYPTO_PAES_S390=m 788 791 CONFIG_CRYPTO_DEV_VIRTIO=m 789 792 CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+1
arch/s390/include/uapi/asm/pkey.h
··· 50 50 PKEY_TYPE_CCA_ECC = (__u32) 0x1f, 51 51 PKEY_TYPE_EP11_AES = (__u32) 6, 52 52 PKEY_TYPE_EP11_ECC = (__u32) 7, 53 + PKEY_TYPE_PROTKEY = (__u32) 8, 53 54 }; 54 55 55 56 /* the newer ioctls use a pkey_key_size enum for key size information */
+69 -8
drivers/crypto/Kconfig
··· 21 21 (so called VIA PadLock ACE, Advanced Cryptography Engine) 22 22 that provides instructions for very fast cryptographic 23 23 operations with supported algorithms. 24 - 24 + 25 25 The instructions are used only when the CPU supports them. 26 26 Otherwise software encryption is used. 27 27 ··· 78 78 config PKEY 79 79 tristate "Kernel API for protected key handling" 80 80 depends on S390 81 - depends on ZCRYPT 82 81 help 83 - With this option enabled the pkey kernel module provides an API 82 + With this option enabled the pkey kernel modules provide an API 84 83 for creation and handling of protected keys. Other parts of the 85 84 kernel or userspace applications may use these functions. 86 85 87 - Select this option if you want to enable the kernel and userspace 88 - API for proteced key handling. 86 + The protected key support is distributed into: 87 + - A pkey base and API kernel module (pkey.ko) which offers the 88 + infrastructure for the pkey handler kernel modules, the ioctl 89 + and the sysfs API and the in-kernel API to the crypto cipher 90 + implementations using protected key. 91 + - A pkey pckmo kernel module (pkey-pckmo.ko) which is automatically 92 + loaded when pckmo support (that is generation of protected keys 93 + from clear key values) is available. 94 + - A pkey CCA kernel module (pkey-cca.ko) which is automatically 95 + loaded when a CEX crypto card is available. 96 + - A pkey EP11 kernel module (pkey-ep11.ko) which is automatically 97 + loaded when a CEX crypto card is available. 89 98 90 - Please note that creation of protected keys from secure keys 91 - requires to have at least one CEX card in coprocessor mode 92 - available at runtime. 99 + Select this option if you want to enable the kernel and userspace 100 + API for protected key handling. 101 + 102 + config PKEY_CCA 103 + tristate "PKEY CCA support handler" 104 + depends on PKEY 105 + depends on ZCRYPT 106 + help 107 + This is the CCA support handler for deriving protected keys 108 + from CCA (secure) keys. Also this handler provides an alternate 109 + way to make protected keys from clear key values. 110 + 111 + The PKEY CCA support handler needs a Crypto Express card (CEX) 112 + in CCA mode. 113 + 114 + If you have selected the PKEY option then you should also enable 115 + this option unless you are sure you never need to derive protected 116 + keys from CCA key material. 117 + 118 + config PKEY_EP11 119 + tristate "PKEY EP11 support handler" 120 + depends on PKEY 121 + depends on ZCRYPT 122 + help 123 + This is the EP11 support handler for deriving protected keys 124 + from EP11 (secure) keys. Also this handler provides an alternate 125 + way to make protected keys from clear key values. 126 + 127 + The PKEY EP11 support handler needs a Crypto Express card (CEX) 128 + in EP11 mode. 129 + 130 + If you have selected the PKEY option then you should also enable 131 + this option unless you are sure you never need to derive protected 132 + keys from EP11 key material. 133 + 134 + config PKEY_PCKMO 135 + tristate "PKEY PCKMO support handler" 136 + depends on PKEY 137 + help 138 + This is the PCKMO support handler for deriving protected keys 139 + from clear key values via invoking the PCKMO instruction. 140 + 141 + The PCKMO instruction can be enabled and disabled in the crypto 142 + settings at the LPAR profile. This handler checks for availability 143 + during initialization and if build as a kernel module unloads 144 + itself if PCKMO is disabled. 145 + 146 + The PCKMO way of deriving protected keys from clear key material 147 + is especially used during self test of protected key ciphers like 148 + PAES but the CCA and EP11 handler provide alternate ways to 149 + generate protected keys from clear key values. 150 + 151 + If you have selected the PKEY option then you should also enable 152 + this option unless you are sure you never need to derive protected 153 + keys from clear key values directly via PCKMO. 93 154 94 155 config CRYPTO_PAES_S390 95 156 tristate "PAES cipher algorithms"
+14 -2
drivers/s390/crypto/Makefile
··· 13 13 # adapter drivers depend on ap.o and zcrypt.o 14 14 obj-$(CONFIG_ZCRYPT) += zcrypt_cex4.o 15 15 16 - # pkey kernel module 17 - pkey-objs := pkey_api.o pkey_cca.o pkey_ep11.o pkey_pckmo.o pkey_sysfs.o 16 + # pkey base and api module 17 + pkey-objs := pkey_base.o pkey_api.o pkey_sysfs.o 18 18 obj-$(CONFIG_PKEY) += pkey.o 19 + 20 + # pkey cca handler module 21 + pkey-cca-objs := pkey_cca.o 22 + obj-$(CONFIG_PKEY_CCA) += pkey-cca.o 23 + 24 + # pkey ep11 handler module 25 + pkey-ep11-objs := pkey_ep11.o 26 + obj-$(CONFIG_PKEY_EP11) += pkey-ep11.o 27 + 28 + # pkey pckmo handler module 29 + pkey-pckmo-objs := pkey_pckmo.o 30 + obj-$(CONFIG_PKEY_PCKMO) += pkey-pckmo.o 19 31 20 32 # adjunct processor matrix 21 33 vfio_ap-objs := vfio_ap_drv.o vfio_ap_ops.o
+209 -479
drivers/s390/crypto/pkey_api.c
··· 10 10 #define KMSG_COMPONENT "pkey" 11 11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 12 12 13 - #include <linux/fs.h> 14 13 #include <linux/init.h> 15 14 #include <linux/miscdevice.h> 16 - #include <linux/module.h> 17 15 #include <linux/slab.h> 18 - #include <linux/kallsyms.h> 19 - #include <linux/debugfs.h> 20 - #include <linux/cpufeature.h> 21 - #include <asm/zcrypt.h> 22 - #include <asm/cpacf.h> 23 - #include <asm/pkey.h> 24 16 25 17 #include "zcrypt_api.h" 26 18 #include "zcrypt_ccamisc.h" 27 - #include "zcrypt_ep11misc.h" 28 19 29 20 #include "pkey_base.h" 30 - 31 - MODULE_LICENSE("GPL"); 32 - MODULE_AUTHOR("IBM Corporation"); 33 - MODULE_DESCRIPTION("s390 protected key interface"); 34 - 35 - /* 36 - * Debug feature data and functions 37 - */ 38 - 39 - debug_info_t *pkey_dbf_info; 40 - 41 - static void __init pkey_debug_init(void) 42 - { 43 - /* 5 arguments per dbf entry (including the format string ptr) */ 44 - pkey_dbf_info = debug_register("pkey", 1, 1, 5 * sizeof(long)); 45 - debug_register_view(pkey_dbf_info, &debug_sprintf_view); 46 - debug_set_level(pkey_dbf_info, 3); 47 - } 48 - 49 - static void __exit pkey_debug_exit(void) 50 - { 51 - debug_unregister(pkey_dbf_info); 52 - } 53 21 54 22 /* 55 23 * Helper functions 56 24 */ 57 25 58 - static int apqns4key(const u8 *key, size_t keylen, u32 flags, 59 - struct pkey_apqn *apqns, size_t *nr_apqns) 60 - { 61 - if (pkey_is_cca_key(key, keylen)) { 62 - return pkey_cca_apqns4key(key, keylen, flags, 63 - apqns, nr_apqns); 64 - } else if (pkey_is_ep11_key(key, keylen)) { 65 - return pkey_ep11_apqns4key(key, keylen, flags, 66 - apqns, nr_apqns); 67 - } else { 68 - struct keytoken_header *hdr = (struct keytoken_header *)key; 69 - 70 - PKEY_DBF_ERR("%s unknown/unsupported key type %d version %d\n", 71 - __func__, hdr->type, hdr->version); 72 - return -EINVAL; 73 - } 74 - } 75 - 76 - static int apqns4keytype(enum pkey_key_type ktype, 77 - u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 78 - struct pkey_apqn *apqns, size_t *nr_apqns) 79 - { 80 - if (pkey_is_cca_keytype(ktype)) { 81 - return pkey_cca_apqns4type(ktype, cur_mkvp, alt_mkvp, flags, 82 - apqns, nr_apqns); 83 - } else if (pkey_is_ep11_keytype(ktype)) { 84 - return pkey_ep11_apqns4type(ktype, cur_mkvp, alt_mkvp, flags, 85 - apqns, nr_apqns); 86 - } else { 87 - PKEY_DBF_ERR("%s unknown/unsupported key type %d\n", 88 - __func__, ktype); 89 - return -EINVAL; 90 - } 91 - } 92 - 93 - static int genseck2(const struct pkey_apqn *apqns, size_t nr_apqns, 94 - enum pkey_key_type keytype, enum pkey_key_size keybitsize, 95 - u32 flags, u8 *keybuf, u32 *keybuflen) 96 - { 97 - int i, rc; 98 - u32 u; 99 - 100 - if (pkey_is_cca_keytype(keytype)) { 101 - /* As of now only CCA AES key generation is supported */ 102 - u = pkey_aes_bitsize_to_keytype(keybitsize); 103 - if (!u) { 104 - PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 105 - __func__, keybitsize); 106 - return -EINVAL; 107 - } 108 - for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 109 - rc = pkey_cca_gen_key(apqns[i].card, 110 - apqns[i].domain, 111 - u, keytype, keybitsize, flags, 112 - keybuf, keybuflen, NULL); 113 - } 114 - } else if (pkey_is_ep11_keytype(keytype)) { 115 - /* As of now only EP11 AES key generation is supported */ 116 - u = pkey_aes_bitsize_to_keytype(keybitsize); 117 - if (!u) { 118 - PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 119 - __func__, keybitsize); 120 - return -EINVAL; 121 - } 122 - for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 123 - rc = pkey_ep11_gen_key(apqns[i].card, 124 - apqns[i].domain, 125 - u, keytype, keybitsize, flags, 126 - keybuf, keybuflen, NULL); 127 - } 128 - } else { 129 - PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 130 - __func__, keytype); 131 - return -EINVAL; 132 - } 133 - 134 - return rc; 135 - } 136 - 137 - static int clr2seckey2(const struct pkey_apqn *apqns, size_t nr_apqns, 138 - enum pkey_key_type keytype, enum pkey_key_size kbitsize, 139 - u32 flags, const u8 *clrkey, u8 *keybuf, u32 *keybuflen) 140 - { 141 - int i, rc; 142 - u32 u; 143 - 144 - if (pkey_is_cca_keytype(keytype)) { 145 - /* As of now only CCA AES key generation is supported */ 146 - u = pkey_aes_bitsize_to_keytype(kbitsize); 147 - if (!u) { 148 - PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 149 - __func__, kbitsize); 150 - return -EINVAL; 151 - } 152 - for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 153 - rc = pkey_cca_clr2key(apqns[i].card, 154 - apqns[i].domain, 155 - u, keytype, kbitsize, flags, 156 - clrkey, kbitsize / 8, 157 - keybuf, keybuflen, NULL); 158 - } 159 - } else if (pkey_is_ep11_keytype(keytype)) { 160 - /* As of now only EP11 AES key generation is supported */ 161 - u = pkey_aes_bitsize_to_keytype(kbitsize); 162 - if (!u) { 163 - PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 164 - __func__, kbitsize); 165 - return -EINVAL; 166 - } 167 - for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 168 - rc = pkey_ep11_clr2key(apqns[i].card, 169 - apqns[i].domain, 170 - u, keytype, kbitsize, flags, 171 - clrkey, kbitsize / 8, 172 - keybuf, keybuflen, NULL); 173 - } 174 - } else { 175 - PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 176 - __func__, keytype); 177 - return -EINVAL; 178 - } 179 - 180 - return rc; 181 - } 182 - 183 - static int ccakey2protkey(const struct pkey_apqn *apqns, size_t nr_apqns, 184 - const u8 *key, size_t keylen, 185 - u8 *protkey, u32 *protkeylen, u32 *protkeytype) 186 - { 187 - struct pkey_apqn *local_apqns = NULL; 188 - int i, j, rc; 189 - 190 - /* alloc space for list of apqns if no list given */ 191 - if (!apqns || (nr_apqns == 1 && 192 - apqns[0].card == 0xFFFF && apqns[0].domain == 0xFFFF)) { 193 - nr_apqns = MAXAPQNSINLIST; 194 - local_apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), 195 - GFP_KERNEL); 196 - if (!local_apqns) 197 - return -ENOMEM; 198 - apqns = local_apqns; 199 - } 200 - 201 - /* try two times in case of failure */ 202 - for (i = 0, rc = -ENODEV; i < 2 && rc; i++) { 203 - if (local_apqns) { 204 - /* gather list of apqns able to deal with this key */ 205 - nr_apqns = MAXAPQNSINLIST; 206 - rc = pkey_cca_apqns4key(key, keylen, 0, 207 - local_apqns, &nr_apqns); 208 - if (rc) 209 - continue; 210 - } 211 - /* go through the list of apqns until success or end */ 212 - for (j = 0, rc = -ENODEV; j < nr_apqns && rc; j++) { 213 - rc = pkey_cca_key2protkey(apqns[j].card, 214 - apqns[j].domain, 215 - key, keylen, 216 - protkey, protkeylen, 217 - protkeytype); 218 - } 219 - } 220 - 221 - kfree(local_apqns); 222 - 223 - return rc; 224 - } 225 - 226 - static int ep11key2protkey(const struct pkey_apqn *apqns, size_t nr_apqns, 227 - const u8 *key, size_t keylen, 228 - u8 *protkey, u32 *protkeylen, u32 *protkeytype) 229 - { 230 - struct pkey_apqn *local_apqns = NULL; 231 - int i, j, rc; 232 - 233 - /* alloc space for list of apqns if no list given */ 234 - if (!apqns || (nr_apqns == 1 && 235 - apqns[0].card == 0xFFFF && apqns[0].domain == 0xFFFF)) { 236 - nr_apqns = MAXAPQNSINLIST; 237 - local_apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), 238 - GFP_KERNEL); 239 - if (!local_apqns) 240 - return -ENOMEM; 241 - apqns = local_apqns; 242 - } 243 - 244 - /* try two times in case of failure */ 245 - for (i = 0, rc = -ENODEV; i < 2 && rc; i++) { 246 - if (local_apqns) { 247 - /* gather list of apqns able to deal with this key */ 248 - nr_apqns = MAXAPQNSINLIST; 249 - rc = pkey_ep11_apqns4key(key, keylen, 0, 250 - local_apqns, &nr_apqns); 251 - if (rc) 252 - continue; 253 - } 254 - /* go through the list of apqns until success or end */ 255 - for (j = 0, rc = -ENODEV; j < nr_apqns && rc; j++) { 256 - rc = pkey_ep11_key2protkey(apqns[j].card, 257 - apqns[j].domain, 258 - key, keylen, 259 - protkey, protkeylen, 260 - protkeytype); 261 - } 262 - } 263 - 264 - kfree(local_apqns); 265 - 266 - return rc; 267 - } 268 - 269 - static int pckmokey2protkey_fallback(const struct clearkeytoken *t, 270 - u8 *protkey, u32 *protkeylen, u32 *protkeytype) 26 + static int key2protkey_fallback(const struct clearkeytoken *t, 27 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 271 28 { 272 29 size_t tmpbuflen = max_t(size_t, SECKEYBLOBSIZE, MAXEP11AESKEYBLOBSIZE); 273 - struct pkey_apqn *apqns = NULL; 274 - u32 keysize, tmplen; 30 + u32 keysize, keybitsize, tmplen; 275 31 u8 *tmpbuf = NULL; 276 - size_t nr_apqns; 277 - int i, j, rc; 32 + int i, rc; 278 33 279 34 /* As of now only for AES keys a fallback is available */ 280 35 ··· 44 289 __func__, t->len); 45 290 return -EINVAL; 46 291 } 292 + keybitsize = 8 * keysize; 47 293 48 - /* alloc tmp buffer and space for apqns */ 294 + /* alloc tmp key buffer */ 49 295 tmpbuf = kmalloc(tmpbuflen, GFP_ATOMIC); 50 296 if (!tmpbuf) 51 297 return -ENOMEM; 52 - nr_apqns = MAXAPQNSINLIST; 53 - apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), GFP_KERNEL); 54 - if (!apqns) { 55 - kfree(tmpbuf); 56 - return -ENOMEM; 57 - } 58 298 59 299 /* try two times in case of failure */ 60 300 for (i = 0, rc = -ENODEV; i < 2 && rc; i++) { 61 301 62 302 /* CCA secure key way */ 63 - nr_apqns = MAXAPQNSINLIST; 64 - rc = pkey_cca_apqns4type(PKEY_TYPE_CCA_DATA, 65 - NULL, NULL, 0, apqns, &nr_apqns); 66 - pr_debug("pkey_cca_apqns4type(CCA_DATA)=%d\n", rc); 303 + tmplen = tmpbuflen; 304 + rc = pkey_handler_clr_to_key(NULL, 0, 305 + t->keytype, PKEY_TYPE_CCA_DATA, 306 + keybitsize, 0, 307 + t->clearkey, t->len, 308 + tmpbuf, &tmplen, NULL); 309 + pr_debug("clr_to_key()=%d\n", rc); 67 310 if (rc) 68 311 goto try_via_ep11; 69 - for (j = 0, rc = -ENODEV; j < nr_apqns && rc; j++) { 70 - tmplen = tmpbuflen; 71 - rc = pkey_cca_clr2key(apqns[j].card, apqns[j].domain, 72 - t->keytype, PKEY_TYPE_CCA_DATA, 73 - 8 * keysize, 0, 74 - t->clearkey, t->len, 75 - tmpbuf, &tmplen, NULL); 76 - pr_debug("pkey_cca_clr2key()=%d\n", rc); 77 - } 78 - if (rc) 79 - goto try_via_ep11; 80 - for (j = 0, rc = -ENODEV; j < nr_apqns && rc; j++) { 81 - rc = pkey_cca_key2protkey(apqns[j].card, 82 - apqns[j].domain, 83 - tmpbuf, tmplen, 84 - protkey, protkeylen, 85 - protkeytype); 86 - pr_debug("pkey_cca_key2protkey()=%d\n", rc); 87 - } 312 + rc = pkey_handler_key_to_protkey(NULL, 0, 313 + tmpbuf, tmplen, 314 + protkey, protkeylen, 315 + protkeytype); 316 + pr_debug("key_to_protkey()=%d\n", rc); 88 317 if (!rc) 89 318 break; 90 319 91 320 try_via_ep11: 92 321 /* the CCA way failed, try via EP11 */ 93 - nr_apqns = MAXAPQNSINLIST; 94 - rc = pkey_ep11_apqns4type(PKEY_TYPE_EP11_AES, 95 - NULL, NULL, 0, apqns, &nr_apqns); 96 - pr_debug("pkey_ep11_apqns4type(EP11_AES)=%d\n", rc); 322 + tmplen = tmpbuflen; 323 + rc = pkey_handler_clr_to_key(NULL, 0, 324 + t->keytype, PKEY_TYPE_EP11_AES, 325 + keybitsize, 0, 326 + t->clearkey, t->len, 327 + tmpbuf, &tmplen, NULL); 328 + pr_debug("clr_to_key()=%d\n", rc); 97 329 if (rc) 98 330 continue; 99 - for (j = 0, rc = -ENODEV; j < nr_apqns && rc; j++) { 100 - tmplen = tmpbuflen; 101 - rc = pkey_ep11_clr2key(apqns[j].card, apqns[j].domain, 102 - t->keytype, PKEY_TYPE_EP11_AES, 103 - 8 * keysize, 0, 104 - t->clearkey, t->len, 105 - tmpbuf, &tmplen, NULL); 106 - pr_debug("pkey_ep11_clr2key()=%d\n", rc); 107 - } 108 - if (rc) 109 - continue; 110 - for (j = 0, rc = -ENODEV; j < nr_apqns && rc; j++) { 111 - rc = pkey_ep11_key2protkey(apqns[j].card, 112 - apqns[j].domain, 113 - tmpbuf, tmplen, 114 - protkey, protkeylen, 115 - protkeytype); 116 - pr_debug("pkey_ep11_key2protkey()=%d\n", rc); 117 - } 331 + rc = pkey_handler_key_to_protkey(NULL, 0, 332 + tmpbuf, tmplen, 333 + protkey, protkeylen, 334 + protkeytype); 335 + pr_debug("key_to_protkey()=%d\n", rc); 118 336 } 119 337 120 338 kfree(tmpbuf); 121 - kfree(apqns); 122 - 123 - return rc; 124 - } 125 - 126 - static int pckmokey2protkey(const u8 *key, size_t keylen, 127 - u8 *protkey, u32 *protkeylen, u32 *protkeytype) 128 - { 129 - int rc; 130 - 131 - rc = pkey_pckmo_key2protkey(0, 0, key, keylen, 132 - protkey, protkeylen, protkeytype); 133 - if (rc == -ENODEV) { 134 - struct keytoken_header *hdr = (struct keytoken_header *)key; 135 - struct clearkeytoken *t = (struct clearkeytoken *)key; 136 - 137 - /* maybe a fallback is possible */ 138 - if (hdr->type == TOKTYPE_NON_CCA && 139 - hdr->version == TOKVER_CLEAR_KEY) { 140 - rc = pckmokey2protkey_fallback(t, protkey, 141 - protkeylen, 142 - protkeytype); 143 - if (rc) 144 - rc = -ENODEV; 145 - } 146 - } 147 - 148 - if (rc) 149 - PKEY_DBF_ERR("%s unable to build protected key from clear, rc=%d", 150 - __func__, rc); 151 339 152 340 return rc; 153 341 } ··· 99 401 const u8 *key, size_t keylen, 100 402 u8 *protkey, u32 *protkeylen, u32 *protkeytype) 101 403 { 102 - if (pkey_is_cca_key(key, keylen)) { 103 - return ccakey2protkey(apqns, nr_apqns, key, keylen, 104 - protkey, protkeylen, protkeytype); 105 - } else if (pkey_is_ep11_key(key, keylen)) { 106 - return ep11key2protkey(apqns, nr_apqns, key, keylen, 107 - protkey, protkeylen, protkeytype); 108 - } else if (pkey_is_pckmo_key(key, keylen)) { 109 - return pckmokey2protkey(key, keylen, 110 - protkey, protkeylen, protkeytype); 111 - } else { 112 - struct keytoken_header *hdr = (struct keytoken_header *)key; 404 + struct keytoken_header *hdr = (struct keytoken_header *)key; 405 + int i, rc; 113 406 114 - PKEY_DBF_ERR("%s unknown/unsupported key type %d version %d\n", 115 - __func__, hdr->type, hdr->version); 116 - return -EINVAL; 407 + /* retry two times */ 408 + for (rc = -ENODEV, i = 0; rc && i < 2; i++) { 409 + /* First try the direct way */ 410 + rc = pkey_handler_key_to_protkey(apqns, nr_apqns, 411 + key, keylen, 412 + protkey, protkeylen, 413 + protkeytype); 414 + /* For some clear key tokens there exists a fallback way */ 415 + if (rc && 416 + hdr->type == TOKTYPE_NON_CCA && 417 + hdr->version == TOKVER_CLEAR_KEY) 418 + rc = key2protkey_fallback((struct clearkeytoken *)key, 419 + protkey, protkeylen, 420 + protkeytype); 117 421 } 422 + 423 + return rc; 118 424 } 119 425 120 426 /* ··· 155 453 static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs) 156 454 { 157 455 struct pkey_genseck kgs; 456 + struct pkey_apqn apqn; 158 457 u32 keybuflen; 159 458 int rc; 160 459 161 460 if (copy_from_user(&kgs, ugs, sizeof(kgs))) 162 461 return -EFAULT; 462 + 463 + apqn.card = kgs.cardnr; 464 + apqn.domain = kgs.domain; 163 465 keybuflen = sizeof(kgs.seckey.seckey); 164 - rc = pkey_cca_gen_key(kgs.cardnr, kgs.domain, 165 - kgs.keytype, PKEY_TYPE_CCA_DATA, 0, 0, 166 - kgs.seckey.seckey, &keybuflen, NULL); 167 - pr_debug("pkey_cca_gen_key()=%d\n", rc); 466 + rc = pkey_handler_gen_key(&apqn, 1, 467 + kgs.keytype, PKEY_TYPE_CCA_DATA, 0, 0, 468 + kgs.seckey.seckey, &keybuflen, NULL); 469 + pr_debug("gen_key()=%d\n", rc); 168 470 if (!rc && copy_to_user(ugs, &kgs, sizeof(kgs))) 169 471 rc = -EFAULT; 170 472 memzero_explicit(&kgs, sizeof(kgs)); ··· 179 473 static int pkey_ioctl_clr2seck(struct pkey_clr2seck __user *ucs) 180 474 { 181 475 struct pkey_clr2seck kcs; 476 + struct pkey_apqn apqn; 182 477 u32 keybuflen; 183 478 int rc; 184 479 185 480 if (copy_from_user(&kcs, ucs, sizeof(kcs))) 186 481 return -EFAULT; 482 + 483 + apqn.card = kcs.cardnr; 484 + apqn.domain = kcs.domain; 187 485 keybuflen = sizeof(kcs.seckey.seckey); 188 - rc = pkey_cca_clr2key(kcs.cardnr, kcs.domain, 189 - kcs.keytype, PKEY_TYPE_CCA_DATA, 0, 0, 190 - kcs.clrkey.clrkey, 191 - pkey_keytype_aes_to_size(kcs.keytype), 192 - kcs.seckey.seckey, &keybuflen, NULL); 193 - pr_debug("pkey_cca_clr2key()=%d\n", rc); 486 + rc = pkey_handler_clr_to_key(&apqn, 1, 487 + kcs.keytype, PKEY_TYPE_CCA_DATA, 0, 0, 488 + kcs.clrkey.clrkey, 489 + pkey_keytype_aes_to_size(kcs.keytype), 490 + kcs.seckey.seckey, &keybuflen, NULL); 491 + pr_debug("clr_to_key()=%d\n", rc); 194 492 if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs))) 195 493 rc = -EFAULT; 196 494 memzero_explicit(&kcs, sizeof(kcs)); ··· 205 495 static int pkey_ioctl_sec2protk(struct pkey_sec2protk __user *usp) 206 496 { 207 497 struct pkey_sec2protk ksp; 498 + struct pkey_apqn apqn; 208 499 int rc; 209 500 210 501 if (copy_from_user(&ksp, usp, sizeof(ksp))) 211 502 return -EFAULT; 503 + 504 + apqn.card = ksp.cardnr; 505 + apqn.domain = ksp.domain; 212 506 ksp.protkey.len = sizeof(ksp.protkey.protkey); 213 - rc = pkey_cca_key2protkey(ksp.cardnr, ksp.domain, 214 - ksp.seckey.seckey, sizeof(ksp.seckey.seckey), 215 - ksp.protkey.protkey, 216 - &ksp.protkey.len, &ksp.protkey.type); 217 - pr_debug("pkey_cca_key2protkey()=%d\n", rc); 507 + rc = pkey_handler_key_to_protkey(&apqn, 1, 508 + ksp.seckey.seckey, 509 + sizeof(ksp.seckey.seckey), 510 + ksp.protkey.protkey, 511 + &ksp.protkey.len, &ksp.protkey.type); 512 + pr_debug("key_to_protkey()=%d\n", rc); 218 513 if (!rc && copy_to_user(usp, &ksp, sizeof(ksp))) 219 514 rc = -EFAULT; 220 515 memzero_explicit(&ksp, sizeof(ksp)); ··· 230 515 static int pkey_ioctl_clr2protk(struct pkey_clr2protk __user *ucp) 231 516 { 232 517 struct pkey_clr2protk kcp; 518 + struct clearkeytoken *t; 519 + u32 keylen; 520 + u8 *tmpbuf; 233 521 int rc; 234 522 235 523 if (copy_from_user(&kcp, ucp, sizeof(kcp))) 236 524 return -EFAULT; 525 + 526 + /* build a 'clear key token' from the clear key value */ 527 + keylen = pkey_keytype_aes_to_size(kcp.keytype); 528 + if (!keylen) { 529 + PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n", 530 + __func__, kcp.keytype); 531 + memzero_explicit(&kcp, sizeof(kcp)); 532 + return -EINVAL; 533 + } 534 + tmpbuf = kzalloc(sizeof(*t) + keylen, GFP_KERNEL); 535 + if (!tmpbuf) { 536 + memzero_explicit(&kcp, sizeof(kcp)); 537 + return -ENOMEM; 538 + } 539 + t = (struct clearkeytoken *)tmpbuf; 540 + t->type = TOKTYPE_NON_CCA; 541 + t->version = TOKVER_CLEAR_KEY; 542 + t->keytype = (keylen - 8) >> 3; 543 + t->len = keylen; 544 + memcpy(t->clearkey, kcp.clrkey.clrkey, keylen); 237 545 kcp.protkey.len = sizeof(kcp.protkey.protkey); 238 - rc = pkey_pckmo_clr2key(0, 0, kcp.keytype, 0, 0, 0, 239 - kcp.clrkey.clrkey, 0, 240 - kcp.protkey.protkey, 241 - &kcp.protkey.len, &kcp.protkey.type); 242 - pr_debug("pkey_pckmo_clr2key()=%d\n", rc); 546 + 547 + rc = key2protkey(NULL, 0, 548 + tmpbuf, sizeof(*t) + keylen, 549 + kcp.protkey.protkey, 550 + &kcp.protkey.len, &kcp.protkey.type); 551 + pr_debug("key2protkey()=%d\n", rc); 552 + 553 + kfree_sensitive(tmpbuf); 554 + 243 555 if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp))) 244 556 rc = -EFAULT; 245 557 memzero_explicit(&kcp, sizeof(kcp)); ··· 284 542 if (copy_from_user(&kfc, ufc, sizeof(kfc))) 285 543 return -EFAULT; 286 544 287 - if (!pkey_is_cca_key(kfc.seckey.seckey, sizeof(kfc.seckey.seckey))) 288 - return -EINVAL; 289 - 290 545 nr_apqns = MAXAPQNSINLIST; 291 546 apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), GFP_KERNEL); 292 547 if (!apqns) 293 548 return -ENOMEM; 294 - rc = pkey_cca_apqns4key(kfc.seckey.seckey, 295 - sizeof(kfc.seckey.seckey), 296 - PKEY_FLAGS_MATCH_CUR_MKVP, 297 - apqns, &nr_apqns); 298 - if (rc == -ENODEV) 299 - rc = pkey_cca_apqns4key(kfc.seckey.seckey, 549 + 550 + rc = pkey_handler_apqns_for_key(kfc.seckey.seckey, 300 551 sizeof(kfc.seckey.seckey), 301 - PKEY_FLAGS_MATCH_ALT_MKVP, 552 + PKEY_FLAGS_MATCH_CUR_MKVP, 302 553 apqns, &nr_apqns); 303 - pr_debug("pkey_cca_apqns4key()=%d\n", rc); 554 + if (rc == -ENODEV) 555 + rc = pkey_handler_apqns_for_key(kfc.seckey.seckey, 556 + sizeof(kfc.seckey.seckey), 557 + PKEY_FLAGS_MATCH_ALT_MKVP, 558 + apqns, &nr_apqns); 559 + pr_debug("apqns_for_key()=%d\n", rc); 304 560 if (rc) { 305 561 kfree(apqns); 306 562 return rc; ··· 315 575 static int pkey_ioctl_skey2pkey(struct pkey_skey2pkey __user *usp) 316 576 { 317 577 struct pkey_skey2pkey ksp; 318 - struct pkey_apqn *apqns; 319 - size_t nr_apqns; 320 - int i, rc; 578 + int rc; 321 579 322 580 if (copy_from_user(&ksp, usp, sizeof(ksp))) 323 581 return -EFAULT; 324 582 325 - if (!pkey_is_cca_key(ksp.seckey.seckey, sizeof(ksp.seckey.seckey))) 326 - return -EINVAL; 327 - 328 - nr_apqns = MAXAPQNSINLIST; 329 - apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), GFP_KERNEL); 330 - if (!apqns) 331 - return -ENOMEM; 332 - rc = pkey_cca_apqns4key(ksp.seckey.seckey, sizeof(ksp.seckey.seckey), 333 - 0, apqns, &nr_apqns); 334 - pr_debug("pkey_cca_apqns4key()=%d\n", rc); 335 - if (rc) { 336 - kfree(apqns); 337 - return rc; 338 - } 339 583 ksp.protkey.len = sizeof(ksp.protkey.protkey); 340 - for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 341 - rc = pkey_cca_key2protkey(apqns[i].card, apqns[i].domain, 342 - ksp.seckey.seckey, 343 - sizeof(ksp.seckey.seckey), 344 - ksp.protkey.protkey, 345 - &ksp.protkey.len, 346 - &ksp.protkey.type); 347 - pr_debug("pkey_cca_key2protkey()=%d\n", rc); 348 - } 349 - kfree(apqns); 584 + rc = pkey_handler_key_to_protkey(NULL, 0, 585 + ksp.seckey.seckey, 586 + sizeof(ksp.seckey.seckey), 587 + ksp.protkey.protkey, 588 + &ksp.protkey.len, 589 + &ksp.protkey.type); 590 + pr_debug("key_to_protkey()=%d\n", rc); 350 591 if (!rc && copy_to_user(usp, &ksp, sizeof(ksp))) 351 592 rc = -EFAULT; 352 593 memzero_explicit(&ksp, sizeof(ksp)); ··· 343 622 344 623 if (copy_from_user(&kvk, uvk, sizeof(kvk))) 345 624 return -EFAULT; 625 + 346 626 kvk.cardnr = 0xFFFF; 347 627 kvk.domain = 0xFFFF; 348 - rc = pkey_cca_verifykey(kvk.seckey.seckey, sizeof(kvk.seckey.seckey), 349 - &kvk.cardnr, &kvk.domain, 350 - &keytype, &keybitsize, &flags); 351 - pr_debug("pkey_cca_verifykey()=%d\n", rc); 628 + rc = pkey_handler_verify_key(kvk.seckey.seckey, 629 + sizeof(kvk.seckey.seckey), 630 + &kvk.cardnr, &kvk.domain, 631 + &keytype, &keybitsize, &flags); 632 + pr_debug("verify_key()=%d\n", rc); 352 633 if (!rc && keytype != PKEY_TYPE_CCA_DATA) 353 634 rc = -EINVAL; 354 635 kvk.attributes = PKEY_VERIFY_ATTR_AES; ··· 371 648 372 649 if (copy_from_user(&kgp, ugp, sizeof(kgp))) 373 650 return -EFAULT; 651 + 374 652 kgp.protkey.len = sizeof(kgp.protkey.protkey); 375 - rc = pkey_pckmo_gen_key(0, 0, kgp.keytype, 0, 0, 0, 376 - kgp.protkey.protkey, 377 - &kgp.protkey.len, &kgp.protkey.type); 378 - pr_debug("pkey_pckmo_gen_key()=%d\n", rc); 653 + rc = pkey_handler_gen_key(NULL, 0, kgp.keytype, 654 + PKEY_TYPE_PROTKEY, 0, 0, 655 + kgp.protkey.protkey, &kgp.protkey.len, 656 + &kgp.protkey.type); 657 + pr_debug("gen_key()=%d\n", rc); 379 658 if (!rc && copy_to_user(ugp, &kgp, sizeof(kgp))) 380 659 rc = -EFAULT; 381 660 memzero_explicit(&kgp, sizeof(kgp)); ··· 388 663 static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp) 389 664 { 390 665 struct pkey_verifyprotk kvp; 666 + struct protaeskeytoken *t; 667 + u32 keytype; 668 + u8 *tmpbuf; 391 669 int rc; 392 670 393 671 if (copy_from_user(&kvp, uvp, sizeof(kvp))) 394 672 return -EFAULT; 395 - rc = pkey_pckmo_verifykey(kvp.protkey.protkey, kvp.protkey.len, 396 - 0, 0, &kvp.protkey.type, 0, 0); 397 - pr_debug("pkey_pckmo_verifykey()=%d\n", rc); 673 + 674 + keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len); 675 + if (!keytype) { 676 + PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n", 677 + __func__, kvp.protkey.len); 678 + memzero_explicit(&kvp, sizeof(kvp)); 679 + return -EINVAL; 680 + } 681 + 682 + /* build a 'protected key token' from the raw protected key */ 683 + tmpbuf = kzalloc(sizeof(*t), GFP_KERNEL); 684 + if (!tmpbuf) { 685 + memzero_explicit(&kvp, sizeof(kvp)); 686 + return -ENOMEM; 687 + } 688 + t = (struct protaeskeytoken *)tmpbuf; 689 + t->type = TOKTYPE_NON_CCA; 690 + t->version = TOKVER_PROTECTED_KEY; 691 + t->keytype = keytype; 692 + t->len = kvp.protkey.len; 693 + memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len); 694 + 695 + rc = pkey_handler_verify_key(tmpbuf, sizeof(*t), 696 + NULL, NULL, NULL, NULL, NULL); 697 + pr_debug("verify_key()=%d\n", rc); 698 + 699 + kfree_sensitive(tmpbuf); 398 700 memzero_explicit(&kvp, sizeof(kvp)); 399 701 400 702 return rc; ··· 458 706 struct pkey_apqn *apqns; 459 707 u8 *kkey; 460 708 int rc; 709 + u32 u; 461 710 462 711 if (copy_from_user(&kgs, ugs, sizeof(kgs))) 463 712 return -EFAULT; 713 + u = pkey_aes_bitsize_to_keytype(kgs.size); 714 + if (!u) { 715 + PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 716 + __func__, kgs.size); 717 + return -EINVAL; 718 + } 464 719 apqns = _copy_apqns_from_user(kgs.apqns, kgs.apqn_entries); 465 720 if (IS_ERR(apqns)) 466 721 return PTR_ERR(apqns); ··· 476 717 kfree(apqns); 477 718 return -ENOMEM; 478 719 } 479 - rc = genseck2(apqns, kgs.apqn_entries, 480 - kgs.type, kgs.size, kgs.keygenflags, 481 - kkey, &klen); 482 - pr_debug("genseckey2()=%d\n", rc); 720 + rc = pkey_handler_gen_key(apqns, kgs.apqn_entries, 721 + u, kgs.type, kgs.size, kgs.keygenflags, 722 + kkey, &klen, NULL); 723 + pr_debug("gen_key()=%d\n", rc); 483 724 kfree(apqns); 484 725 if (rc) { 485 726 kfree_sensitive(kkey); ··· 510 751 struct pkey_apqn *apqns; 511 752 u8 *kkey; 512 753 int rc; 754 + u32 u; 513 755 514 756 if (copy_from_user(&kcs, ucs, sizeof(kcs))) 515 757 return -EFAULT; 758 + u = pkey_aes_bitsize_to_keytype(kcs.size); 759 + if (!u) { 760 + PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 761 + __func__, kcs.size); 762 + memzero_explicit(&kcs, sizeof(kcs)); 763 + return -EINVAL; 764 + } 516 765 apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries); 517 766 if (IS_ERR(apqns)) { 518 767 memzero_explicit(&kcs, sizeof(kcs)); ··· 532 765 memzero_explicit(&kcs, sizeof(kcs)); 533 766 return -ENOMEM; 534 767 } 535 - rc = clr2seckey2(apqns, kcs.apqn_entries, 536 - kcs.type, kcs.size, kcs.keygenflags, 537 - kcs.clrkey.clrkey, kkey, &klen); 538 - pr_debug("clr2seckey2()=%d\n", rc); 768 + rc = pkey_handler_clr_to_key(apqns, kcs.apqn_entries, 769 + u, kcs.type, kcs.size, kcs.keygenflags, 770 + kcs.clrkey.clrkey, kcs.size / 8, 771 + kkey, &klen, NULL); 772 + pr_debug("clr_to_key()=%d\n", rc); 539 773 kfree(apqns); 540 774 if (rc) { 541 775 kfree_sensitive(kkey); ··· 575 807 kkey = _copy_key_from_user(kvk.key, kvk.keylen); 576 808 if (IS_ERR(kkey)) 577 809 return PTR_ERR(kkey); 578 - if (pkey_is_cca_key(kkey, kvk.keylen)) { 579 - rc = pkey_cca_verifykey(kkey, kvk.keylen, 580 - &kvk.cardnr, &kvk.domain, 581 - &kvk.type, &kvk.size, &kvk.flags); 582 - pr_debug("pkey_cca_verifykey()=%d\n", rc); 583 - } else if (pkey_is_ep11_key(kkey, kvk.keylen)) { 584 - rc = pkey_ep11_verifykey(kkey, kvk.keylen, 585 - &kvk.cardnr, &kvk.domain, 586 - &kvk.type, &kvk.size, &kvk.flags); 587 - pr_debug("pkey_ep11_verifykey()=%d\n", rc); 588 - } else { 589 - rc = -EINVAL; 590 - } 810 + 811 + rc = pkey_handler_verify_key(kkey, kvk.keylen, 812 + &kvk.cardnr, &kvk.domain, 813 + &kvk.type, &kvk.size, &kvk.flags); 814 + pr_debug("verify_key()=%d\n", rc); 815 + 591 816 kfree_sensitive(kkey); 592 - if (rc) 593 - return rc; 594 - if (copy_to_user(uvk, &kvk, sizeof(kvk))) 817 + if (!rc && copy_to_user(uvk, &kvk, sizeof(kvk))) 595 818 return -EFAULT; 596 819 597 - return 0; 820 + return rc; 598 821 } 599 822 600 823 static int pkey_ioctl_kblob2protk2(struct pkey_kblob2pkey2 __user *utp) ··· 642 883 kfree(apqns); 643 884 return PTR_ERR(kkey); 644 885 } 645 - rc = apqns4key(kkey, kak.keylen, kak.flags, 646 - apqns, &nr_apqns); 647 - pr_debug("apqns4key()=%d\n", rc); 886 + rc = pkey_handler_apqns_for_key(kkey, kak.keylen, kak.flags, 887 + apqns, &nr_apqns); 888 + pr_debug("apqns_for_key()=%d\n", rc); 648 889 kfree_sensitive(kkey); 649 890 if (rc && rc != -ENOSPC) { 650 891 kfree(apqns); ··· 688 929 if (!apqns) 689 930 return -ENOMEM; 690 931 } 691 - rc = apqns4keytype(kat.type, kat.cur_mkvp, kat.alt_mkvp, 692 - kat.flags, apqns, &nr_apqns); 693 - pr_debug("apqns4keytype()=%d\n", rc); 932 + rc = pkey_handler_apqns_for_keytype(kat.type, 933 + kat.cur_mkvp, kat.alt_mkvp, 934 + kat.flags, apqns, &nr_apqns); 935 + pr_debug("apqns_for_keytype()=%d\n", rc); 694 936 if (rc && rc != -ENOSPC) { 695 937 kfree(apqns); 696 938 return rc; ··· 852 1092 .groups = pkey_attr_groups, 853 1093 }; 854 1094 855 - /* 856 - * Module init 857 - */ 858 - static int __init pkey_init(void) 1095 + int __init pkey_api_init(void) 859 1096 { 860 - cpacf_mask_t func_mask; 861 - 862 - /* 863 - * The pckmo instruction should be available - even if we don't 864 - * actually invoke it. This instruction comes with MSA 3 which 865 - * is also the minimum level for the kmc instructions which 866 - * are able to work with protected keys. 867 - */ 868 - if (!cpacf_query(CPACF_PCKMO, &func_mask)) 869 - return -ENODEV; 870 - 871 - /* check for kmc instructions available */ 872 - if (!cpacf_query(CPACF_KMC, &func_mask)) 873 - return -ENODEV; 874 - if (!cpacf_test_func(&func_mask, CPACF_KMC_PAES_128) || 875 - !cpacf_test_func(&func_mask, CPACF_KMC_PAES_192) || 876 - !cpacf_test_func(&func_mask, CPACF_KMC_PAES_256)) 877 - return -ENODEV; 878 - 879 - pkey_debug_init(); 880 - 1097 + /* register as a misc device */ 881 1098 return misc_register(&pkey_dev); 882 1099 } 883 1100 884 - /* 885 - * Module exit 886 - */ 887 - static void __exit pkey_exit(void) 1101 + void __exit pkey_api_exit(void) 888 1102 { 889 1103 misc_deregister(&pkey_dev); 890 - pkey_debug_exit(); 891 1104 } 892 - 893 - module_cpu_feature_match(S390_CPU_FEATURE_MSA, pkey_init); 894 - module_exit(pkey_exit);
+293
drivers/s390/crypto/pkey_base.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * pkey base: debug feature, pkey handler registry 4 + * 5 + * Copyright IBM Corp. 2024 6 + */ 7 + 8 + #define KMSG_COMPONENT "pkey" 9 + #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 10 + 11 + #include <linux/cpufeature.h> 12 + #include <linux/init.h> 13 + #include <linux/list.h> 14 + #include <linux/module.h> 15 + #include <linux/rculist.h> 16 + 17 + #include "pkey_base.h" 18 + 19 + MODULE_LICENSE("GPL"); 20 + MODULE_AUTHOR("IBM Corporation"); 21 + MODULE_DESCRIPTION("s390 protected key base and api"); 22 + 23 + /* 24 + * pkey debug feature 25 + */ 26 + debug_info_t *pkey_dbf_info; 27 + EXPORT_SYMBOL(pkey_dbf_info); 28 + 29 + /* 30 + * pkey handler registry 31 + */ 32 + 33 + static DEFINE_SPINLOCK(handler_list_write_lock); 34 + static LIST_HEAD(handler_list); 35 + 36 + int pkey_handler_register(struct pkey_handler *handler) 37 + { 38 + const struct pkey_handler *h; 39 + 40 + if (!handler || 41 + !handler->is_supported_key || 42 + !handler->is_supported_keytype) 43 + return -EINVAL; 44 + 45 + if (!try_module_get(handler->module)) 46 + return -ENXIO; 47 + 48 + spin_lock(&handler_list_write_lock); 49 + 50 + rcu_read_lock(); 51 + list_for_each_entry_rcu(h, &handler_list, list) { 52 + if (h == handler) { 53 + rcu_read_unlock(); 54 + spin_unlock(&handler_list_write_lock); 55 + module_put(handler->module); 56 + return -EEXIST; 57 + } 58 + } 59 + rcu_read_unlock(); 60 + 61 + list_add_rcu(&handler->list, &handler_list); 62 + spin_unlock(&handler_list_write_lock); 63 + synchronize_rcu(); 64 + 65 + module_put(handler->module); 66 + 67 + PKEY_DBF_INFO("%s pkey handler '%s' registered\n", __func__, 68 + handler->name ?: "<no name>"); 69 + 70 + return 0; 71 + } 72 + EXPORT_SYMBOL(pkey_handler_register); 73 + 74 + int pkey_handler_unregister(struct pkey_handler *handler) 75 + { 76 + spin_lock(&handler_list_write_lock); 77 + list_del_rcu(&handler->list); 78 + INIT_LIST_HEAD_RCU(&handler->list); 79 + spin_unlock(&handler_list_write_lock); 80 + synchronize_rcu(); 81 + 82 + PKEY_DBF_INFO("%s pkey handler '%s' unregistered\n", __func__, 83 + handler->name ?: "<no name>"); 84 + 85 + return 0; 86 + } 87 + EXPORT_SYMBOL(pkey_handler_unregister); 88 + 89 + /* 90 + * Handler invocation functions. 91 + */ 92 + 93 + const struct pkey_handler *pkey_handler_get_keybased(const u8 *key, u32 keylen) 94 + { 95 + const struct pkey_handler *h; 96 + 97 + rcu_read_lock(); 98 + list_for_each_entry_rcu(h, &handler_list, list) { 99 + if (!try_module_get(h->module)) 100 + continue; 101 + if (h->is_supported_key(key, keylen)) { 102 + rcu_read_unlock(); 103 + return h; 104 + } 105 + module_put(h->module); 106 + } 107 + rcu_read_unlock(); 108 + 109 + return NULL; 110 + } 111 + EXPORT_SYMBOL(pkey_handler_get_keybased); 112 + 113 + const struct pkey_handler *pkey_handler_get_keytypebased(enum pkey_key_type kt) 114 + { 115 + const struct pkey_handler *h; 116 + 117 + rcu_read_lock(); 118 + list_for_each_entry_rcu(h, &handler_list, list) { 119 + if (!try_module_get(h->module)) 120 + continue; 121 + if (h->is_supported_keytype(kt)) { 122 + rcu_read_unlock(); 123 + return h; 124 + } 125 + module_put(h->module); 126 + } 127 + rcu_read_unlock(); 128 + 129 + return NULL; 130 + } 131 + EXPORT_SYMBOL(pkey_handler_get_keytypebased); 132 + 133 + void pkey_handler_put(const struct pkey_handler *handler) 134 + { 135 + const struct pkey_handler *h; 136 + 137 + if (!handler) 138 + return; 139 + 140 + rcu_read_lock(); 141 + list_for_each_entry_rcu(h, &handler_list, list) { 142 + if (h == handler) { 143 + module_put(h->module); 144 + break; 145 + } 146 + } 147 + rcu_read_unlock(); 148 + } 149 + EXPORT_SYMBOL(pkey_handler_put); 150 + 151 + int pkey_handler_key_to_protkey(const struct pkey_apqn *apqns, size_t nr_apqns, 152 + const u8 *key, u32 keylen, 153 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 154 + { 155 + const struct pkey_handler *h; 156 + int rc = -ENODEV; 157 + 158 + h = pkey_handler_get_keybased(key, keylen); 159 + if (h && h->key_to_protkey) { 160 + rc = h->key_to_protkey(apqns, nr_apqns, key, keylen, 161 + protkey, protkeylen, 162 + protkeytype); 163 + } 164 + pkey_handler_put(h); 165 + 166 + return rc; 167 + } 168 + EXPORT_SYMBOL(pkey_handler_key_to_protkey); 169 + 170 + int pkey_handler_gen_key(const struct pkey_apqn *apqns, size_t nr_apqns, 171 + u32 keytype, u32 keysubtype, 172 + u32 keybitsize, u32 flags, 173 + u8 *keybuf, u32 *keybuflen, u32 *keyinfo) 174 + { 175 + const struct pkey_handler *h; 176 + int rc = -ENODEV; 177 + 178 + h = pkey_handler_get_keytypebased(keysubtype); 179 + if (h && h->gen_key) { 180 + rc = h->gen_key(apqns, nr_apqns, keytype, keysubtype, 181 + keybitsize, flags, 182 + keybuf, keybuflen, keyinfo); 183 + } 184 + pkey_handler_put(h); 185 + 186 + return rc; 187 + } 188 + EXPORT_SYMBOL(pkey_handler_gen_key); 189 + 190 + int pkey_handler_clr_to_key(const struct pkey_apqn *apqns, size_t nr_apqns, 191 + u32 keytype, u32 keysubtype, 192 + u32 keybitsize, u32 flags, 193 + const u8 *clrkey, u32 clrkeylen, 194 + u8 *keybuf, u32 *keybuflen, u32 *keyinfo) 195 + { 196 + const struct pkey_handler *h; 197 + int rc = -ENODEV; 198 + 199 + h = pkey_handler_get_keytypebased(keysubtype); 200 + if (h && h->clr_to_key) { 201 + rc = h->clr_to_key(apqns, nr_apqns, keytype, keysubtype, 202 + keybitsize, flags, clrkey, clrkeylen, 203 + keybuf, keybuflen, keyinfo); 204 + } 205 + pkey_handler_put(h); 206 + 207 + return rc; 208 + } 209 + EXPORT_SYMBOL(pkey_handler_clr_to_key); 210 + 211 + int pkey_handler_verify_key(const u8 *key, u32 keylen, 212 + u16 *card, u16 *dom, 213 + u32 *keytype, u32 *keybitsize, u32 *flags) 214 + { 215 + const struct pkey_handler *h; 216 + int rc = -ENODEV; 217 + 218 + h = pkey_handler_get_keybased(key, keylen); 219 + if (h && h->verify_key) { 220 + rc = h->verify_key(key, keylen, card, dom, 221 + keytype, keybitsize, flags); 222 + } 223 + pkey_handler_put(h); 224 + 225 + return rc; 226 + } 227 + EXPORT_SYMBOL(pkey_handler_verify_key); 228 + 229 + int pkey_handler_apqns_for_key(const u8 *key, u32 keylen, u32 flags, 230 + struct pkey_apqn *apqns, size_t *nr_apqns) 231 + { 232 + const struct pkey_handler *h; 233 + int rc = -ENODEV; 234 + 235 + h = pkey_handler_get_keybased(key, keylen); 236 + if (h && h->apqns_for_key) 237 + rc = h->apqns_for_key(key, keylen, flags, apqns, nr_apqns); 238 + pkey_handler_put(h); 239 + 240 + return rc; 241 + } 242 + EXPORT_SYMBOL(pkey_handler_apqns_for_key); 243 + 244 + int pkey_handler_apqns_for_keytype(enum pkey_key_type keysubtype, 245 + u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 246 + struct pkey_apqn *apqns, size_t *nr_apqns) 247 + { 248 + const struct pkey_handler *h; 249 + int rc = -ENODEV; 250 + 251 + h = pkey_handler_get_keytypebased(keysubtype); 252 + if (h && h->apqns_for_keytype) { 253 + rc = h->apqns_for_keytype(keysubtype, 254 + cur_mkvp, alt_mkvp, flags, 255 + apqns, nr_apqns); 256 + } 257 + pkey_handler_put(h); 258 + 259 + return rc; 260 + } 261 + EXPORT_SYMBOL(pkey_handler_apqns_for_keytype); 262 + 263 + /* 264 + * Module init 265 + */ 266 + static int __init pkey_init(void) 267 + { 268 + int rc; 269 + 270 + /* init debug feature */ 271 + pkey_dbf_info = debug_register("pkey", 1, 1, 5 * sizeof(long)); 272 + debug_register_view(pkey_dbf_info, &debug_sprintf_view); 273 + debug_set_level(pkey_dbf_info, 4); 274 + 275 + /* the handler registry does not need any init */ 276 + 277 + rc = pkey_api_init(); 278 + if (rc) 279 + debug_unregister(pkey_dbf_info); 280 + 281 + return rc; 282 + } 283 + 284 + /* 285 + * Module exit 286 + */ 287 + static void __exit pkey_exit(void) 288 + { 289 + pkey_api_exit(); 290 + } 291 + 292 + module_cpu_feature_match(S390_CPU_FEATURE_MSA, pkey_init); 293 + module_exit(pkey_exit);
+72 -72
drivers/s390/crypto/pkey_base.h
··· 86 86 } 87 87 88 88 /* 89 - * pkey_cca.c: 89 + * pkey_api.c: 90 90 */ 91 - 92 - bool pkey_is_cca_key(const u8 *key, u32 keylen); 93 - bool pkey_is_cca_keytype(enum pkey_key_type); 94 - int pkey_cca_key2protkey(u16 card, u16 dom, 95 - const u8 *key, u32 keylen, 96 - u8 *protkey, u32 *protkeylen, u32 *protkeytype); 97 - int pkey_cca_gen_key(u16 card, u16 dom, 98 - u32 keytype, u32 keysubtype, 99 - u32 keybitsize, u32 flags, 100 - u8 *keybuf, u32 *keybuflen, u32 *_keyinfo); 101 - int pkey_cca_clr2key(u16 card, u16 dom, 102 - u32 keytype, u32 keysubtype, 103 - u32 keybitsize, u32 flags, 104 - const u8 *clrkey, u32 clrkeylen, 105 - u8 *keybuf, u32 *keybuflen, u32 *_keyinfo); 106 - int pkey_cca_verifykey(const u8 *key, u32 keylen, 107 - u16 *card, u16 *dom, 108 - u32 *keytype, u32 *keybitsize, u32 *flags); 109 - int pkey_cca_apqns4key(const u8 *key, u32 keylen, u32 flags, 110 - struct pkey_apqn *apqns, size_t *nr_apqns); 111 - int pkey_cca_apqns4type(enum pkey_key_type ktype, 112 - u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 113 - struct pkey_apqn *apqns, size_t *nr_apqns); 114 - 115 - /* 116 - * pkey_ep11.c: 117 - */ 118 - 119 - bool pkey_is_ep11_key(const u8 *key, u32 keylen); 120 - bool pkey_is_ep11_keytype(enum pkey_key_type); 121 - int pkey_ep11_key2protkey(u16 card, u16 dom, 122 - const u8 *key, u32 keylen, 123 - u8 *protkey, u32 *protkeylen, u32 *protkeytype); 124 - int pkey_ep11_gen_key(u16 card, u16 dom, 125 - u32 keytype, u32 keysubtype, 126 - u32 keybitsize, u32 flags, 127 - u8 *keybuf, u32 *keybuflen, u32 *_keyinfo); 128 - int pkey_ep11_clr2key(u16 card, u16 dom, 129 - u32 keytype, u32 keysubtype, 130 - u32 keybitsize, u32 flags, 131 - const u8 *clrkey, u32 clrkeylen, 132 - u8 *keybuf, u32 *keybuflen, u32 *_keyinfo); 133 - int pkey_ep11_verifykey(const u8 *key, u32 keylen, 134 - u16 *card, u16 *dom, 135 - u32 *keytype, u32 *keybitsize, u32 *flags); 136 - int pkey_ep11_apqns4key(const u8 *key, u32 keylen, u32 flags, 137 - struct pkey_apqn *apqns, size_t *nr_apqns); 138 - int pkey_ep11_apqns4type(enum pkey_key_type ktype, 139 - u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 140 - struct pkey_apqn *apqns, size_t *nr_apqns); 141 - 142 - /* 143 - * pkey_pckmo.c: 144 - */ 145 - 146 - bool pkey_is_pckmo_key(const u8 *key, u32 keylen); 147 - int pkey_pckmo_key2protkey(u16 _card, u16 _dom, 148 - const u8 *key, u32 keylen, 149 - u8 *protkey, u32 *protkeylen, u32 *protkeytype); 150 - int pkey_pckmo_gen_key(u16 _card, u16 _dom, 151 - u32 keytype, u32 _keysubtype, 152 - u32 _keybitsize, u32 _flags, 153 - u8 *keybuf, u32 *keybuflen, u32 *keyinfo); 154 - int pkey_pckmo_clr2key(u16 _card, u16 _dom, 155 - u32 keytype, u32 _keysubtype, 156 - u32 _keybitsize, u32 _flags, 157 - const u8 *clrkey, u32 clrkeylen, 158 - u8 *keybuf, u32 *keybuflen, u32 *keyinfo); 159 - int pkey_pckmo_verifykey(const u8 *key, u32 keylen, 160 - u16 *_card, u16 *_dom, 161 - u32 *keytype, u32 *_keybitsize, u32 *_flags); 91 + int __init pkey_api_init(void); 92 + void __exit pkey_api_exit(void); 162 93 163 94 /* 164 95 * pkey_sysfs.c: 165 96 */ 166 97 167 98 extern const struct attribute_group *pkey_attr_groups[]; 99 + 100 + /* 101 + * pkey handler registry 102 + */ 103 + 104 + struct pkey_handler { 105 + struct module *module; 106 + const char *name; 107 + /* 108 + * is_supported_key() and is_supported_keytype() are called 109 + * within an rcu_read_lock() scope and thus must not sleep! 110 + */ 111 + bool (*is_supported_key)(const u8 *key, u32 keylen); 112 + bool (*is_supported_keytype)(enum pkey_key_type); 113 + int (*key_to_protkey)(const struct pkey_apqn *apqns, size_t nr_apqns, 114 + const u8 *key, u32 keylen, 115 + u8 *protkey, u32 *protkeylen, u32 *protkeytype); 116 + int (*gen_key)(const struct pkey_apqn *apqns, size_t nr_apqns, 117 + u32 keytype, u32 keysubtype, 118 + u32 keybitsize, u32 flags, 119 + u8 *keybuf, u32 *keybuflen, u32 *keyinfo); 120 + int (*clr_to_key)(const struct pkey_apqn *apqns, size_t nr_apqns, 121 + u32 keytype, u32 keysubtype, 122 + u32 keybitsize, u32 flags, 123 + const u8 *clrkey, u32 clrkeylen, 124 + u8 *keybuf, u32 *keybuflen, u32 *keyinfo); 125 + int (*verify_key)(const u8 *key, u32 keylen, 126 + u16 *card, u16 *dom, 127 + u32 *keytype, u32 *keybitsize, u32 *flags); 128 + int (*apqns_for_key)(const u8 *key, u32 keylen, u32 flags, 129 + struct pkey_apqn *apqns, size_t *nr_apqns); 130 + int (*apqns_for_keytype)(enum pkey_key_type ktype, 131 + u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 132 + struct pkey_apqn *apqns, size_t *nr_apqns); 133 + /* used internal by pkey base */ 134 + struct list_head list; 135 + }; 136 + 137 + int pkey_handler_register(struct pkey_handler *handler); 138 + int pkey_handler_unregister(struct pkey_handler *handler); 139 + 140 + /* 141 + * invocation function for the registered pkey handlers 142 + */ 143 + 144 + const struct pkey_handler *pkey_handler_get_keybased(const u8 *key, u32 keylen); 145 + const struct pkey_handler *pkey_handler_get_keytypebased(enum pkey_key_type kt); 146 + void pkey_handler_put(const struct pkey_handler *handler); 147 + 148 + int pkey_handler_key_to_protkey(const struct pkey_apqn *apqns, size_t nr_apqns, 149 + const u8 *key, u32 keylen, 150 + u8 *protkey, u32 *protkeylen, u32 *protkeytype); 151 + int pkey_handler_gen_key(const struct pkey_apqn *apqns, size_t nr_apqns, 152 + u32 keytype, u32 keysubtype, 153 + u32 keybitsize, u32 flags, 154 + u8 *keybuf, u32 *keybuflen, u32 *keyinfo); 155 + int pkey_handler_clr_to_key(const struct pkey_apqn *apqns, size_t nr_apqns, 156 + u32 keytype, u32 keysubtype, 157 + u32 keybitsize, u32 flags, 158 + const u8 *clrkey, u32 clrkeylen, 159 + u8 *keybuf, u32 *keybuflen, u32 *keyinfo); 160 + int pkey_handler_verify_key(const u8 *key, u32 keylen, 161 + u16 *card, u16 *dom, 162 + u32 *keytype, u32 *keybitsize, u32 *flags); 163 + int pkey_handler_apqns_for_key(const u8 *key, u32 keylen, u32 flags, 164 + struct pkey_apqn *apqns, size_t *nr_apqns); 165 + int pkey_handler_apqns_for_keytype(enum pkey_key_type ktype, 166 + u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 167 + struct pkey_apqn *apqns, size_t *nr_apqns); 168 168 169 169 #endif /* _PKEY_BASE_H_ */
+391 -268
drivers/s390/crypto/pkey_cca.c
··· 8 8 #define KMSG_COMPONENT "pkey" 9 9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 10 10 11 + #include <linux/init.h> 12 + #include <linux/module.h> 13 + #include <linux/cpufeature.h> 14 + 11 15 #include "zcrypt_api.h" 12 16 #include "zcrypt_ccamisc.h" 13 - 14 17 #include "pkey_base.h" 18 + 19 + MODULE_LICENSE("GPL"); 20 + MODULE_AUTHOR("IBM Corporation"); 21 + MODULE_DESCRIPTION("s390 protected key CCA handler"); 22 + 23 + #if IS_MODULE(CONFIG_PKEY_CCA) 24 + static struct ap_device_id pkey_cca_card_ids[] = { 25 + { .dev_type = AP_DEVICE_TYPE_CEX4 }, 26 + { .dev_type = AP_DEVICE_TYPE_CEX5 }, 27 + { .dev_type = AP_DEVICE_TYPE_CEX6 }, 28 + { .dev_type = AP_DEVICE_TYPE_CEX7 }, 29 + { .dev_type = AP_DEVICE_TYPE_CEX8 }, 30 + { /* end of list */ }, 31 + }; 32 + MODULE_DEVICE_TABLE(ap, pkey_cca_card_ids); 33 + #endif 15 34 16 35 /* 17 36 * Check key blob for known and supported CCA key. 18 37 */ 19 - bool pkey_is_cca_key(const u8 *key, u32 keylen) 38 + static bool is_cca_key(const u8 *key, u32 keylen) 20 39 { 21 40 struct keytoken_header *hdr = (struct keytoken_header *)key; 22 41 ··· 58 39 } 59 40 } 60 41 61 - bool pkey_is_cca_keytype(enum pkey_key_type key_type) 42 + static bool is_cca_keytype(enum pkey_key_type key_type) 62 43 { 63 44 switch (key_type) { 64 45 case PKEY_TYPE_CCA_DATA: ··· 70 51 } 71 52 } 72 53 73 - int pkey_cca_key2protkey(u16 card, u16 dom, 74 - const u8 *key, u32 keylen, 75 - u8 *protkey, u32 *protkeylen, u32 *protkeytype) 76 - { 77 - struct keytoken_header *hdr = (struct keytoken_header *)key; 78 - int rc; 79 - 80 - if (keylen < sizeof(*hdr)) 81 - return -EINVAL; 82 - 83 - zcrypt_wait_api_operational(); 84 - 85 - if (hdr->type == TOKTYPE_CCA_INTERNAL && 86 - hdr->version == TOKVER_CCA_AES) { 87 - /* CCA AES data key */ 88 - if (keylen != sizeof(struct secaeskeytoken)) 89 - return -EINVAL; 90 - if (cca_check_secaeskeytoken(pkey_dbf_info, 3, key, 0)) 91 - return -EINVAL; 92 - rc = cca_sec2protkey(card, dom, key, protkey, 93 - protkeylen, protkeytype); 94 - } else if (hdr->type == TOKTYPE_CCA_INTERNAL && 95 - hdr->version == TOKVER_CCA_VLSC) { 96 - /* CCA AES cipher key */ 97 - if (keylen < hdr->len || keylen > MAXCCAVLSCTOKENSIZE) 98 - return -EINVAL; 99 - if (cca_check_secaescipherkey(pkey_dbf_info, 100 - 3, key, 0, 1)) 101 - return -EINVAL; 102 - rc = cca_cipher2protkey(card, dom, key, protkey, 103 - protkeylen, protkeytype); 104 - } else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA) { 105 - /* CCA ECC (private) key */ 106 - if (keylen < sizeof(struct eccprivkeytoken)) 107 - return -EINVAL; 108 - if (cca_check_sececckeytoken(pkey_dbf_info, 3, key, keylen, 1)) 109 - return -EINVAL; 110 - rc = cca_ecc2protkey(card, dom, key, protkey, 111 - protkeylen, protkeytype); 112 - } else { 113 - PKEY_DBF_ERR("%s unknown/unsupported blob type %d version %d\n", 114 - __func__, hdr->type, hdr->version); 115 - rc = -EINVAL; 116 - } 117 - 118 - pr_debug("card=%d dom=%d rc=%d\n", card, dom, rc); 119 - return rc; 120 - } 121 - 122 - /* 123 - * Generate CCA secure key. 124 - * As of now only CCA AES Data or Cipher secure keys are 125 - * supported. 126 - * keytype is one of the PKEY_KEYTYPE_* constants, 127 - * subtype may be 0 or PKEY_TYPE_CCA_DATA or PKEY_TYPE_CCA_CIPHER, 128 - * keybitsize is the bit size of the key (may be 0 for 129 - * keytype PKEY_KEYTYPE_AES_*). 130 - */ 131 - int pkey_cca_gen_key(u16 card, u16 dom, 132 - u32 keytype, u32 subtype, 133 - u32 keybitsize, u32 flags, 134 - u8 *keybuf, u32 *keybuflen, u32 *_keyinfo) 135 - { 136 - int len, rc; 137 - 138 - /* check keytype, subtype, keybitsize */ 139 - switch (keytype) { 140 - case PKEY_KEYTYPE_AES_128: 141 - case PKEY_KEYTYPE_AES_192: 142 - case PKEY_KEYTYPE_AES_256: 143 - len = pkey_keytype_aes_to_size(keytype); 144 - if (keybitsize && keybitsize != 8 * len) { 145 - PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 146 - __func__, keybitsize); 147 - return -EINVAL; 148 - } 149 - keybitsize = 8 * len; 150 - switch (subtype) { 151 - case 0: 152 - case PKEY_TYPE_CCA_DATA: 153 - case PKEY_TYPE_CCA_CIPHER: 154 - break; 155 - default: 156 - PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 157 - __func__, subtype); 158 - return -EINVAL; 159 - } 160 - break; 161 - default: 162 - PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 163 - __func__, keytype); 164 - return -EINVAL; 165 - } 166 - 167 - zcrypt_wait_api_operational(); 168 - 169 - if (subtype == PKEY_TYPE_CCA_CIPHER) { 170 - rc = cca_gencipherkey(card, dom, keybitsize, flags, 171 - keybuf, keybuflen); 172 - } else { 173 - /* 0 or PKEY_TYPE_CCA_DATA */ 174 - rc = cca_genseckey(card, dom, keybitsize, keybuf); 175 - *keybuflen = (rc ? 0 : SECKEYBLOBSIZE); 176 - } 177 - 178 - pr_debug("card=%d dom=%d rc=%d\n", card, dom, rc); 179 - return rc; 180 - } 181 - 182 - /* 183 - * Generate CCA secure key with given clear key value. 184 - * As of now only CCA AES Data or Cipher secure keys are 185 - * supported. 186 - * keytype is one of the PKEY_KEYTYPE_* constants, 187 - * subtype may be 0 or PKEY_TYPE_CCA_DATA or PKEY_TYPE_CCA_CIPHER, 188 - * keybitsize is the bit size of the key (may be 0 for 189 - * keytype PKEY_KEYTYPE_AES_*). 190 - */ 191 - int pkey_cca_clr2key(u16 card, u16 dom, 192 - u32 keytype, u32 subtype, 193 - u32 keybitsize, u32 flags, 194 - const u8 *clrkey, u32 clrkeylen, 195 - u8 *keybuf, u32 *keybuflen, u32 *_keyinfo) 196 - { 197 - int len, rc; 198 - 199 - /* check keytype, subtype, clrkeylen, keybitsize */ 200 - switch (keytype) { 201 - case PKEY_KEYTYPE_AES_128: 202 - case PKEY_KEYTYPE_AES_192: 203 - case PKEY_KEYTYPE_AES_256: 204 - len = pkey_keytype_aes_to_size(keytype); 205 - if (keybitsize && keybitsize != 8 * len) { 206 - PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 207 - __func__, keybitsize); 208 - return -EINVAL; 209 - } 210 - keybitsize = 8 * len; 211 - if (clrkeylen != len) { 212 - PKEY_DBF_ERR("%s invalid clear key len %d != %d\n", 213 - __func__, clrkeylen, len); 214 - return -EINVAL; 215 - } 216 - switch (subtype) { 217 - case 0: 218 - case PKEY_TYPE_CCA_DATA: 219 - case PKEY_TYPE_CCA_CIPHER: 220 - break; 221 - default: 222 - PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 223 - __func__, subtype); 224 - return -EINVAL; 225 - } 226 - break; 227 - default: 228 - PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 229 - __func__, keytype); 230 - return -EINVAL; 231 - } 232 - 233 - zcrypt_wait_api_operational(); 234 - 235 - if (subtype == PKEY_TYPE_CCA_CIPHER) { 236 - rc = cca_clr2cipherkey(card, dom, keybitsize, 237 - flags, clrkey, keybuf, keybuflen); 238 - } else { 239 - /* 0 or PKEY_TYPE_CCA_DATA */ 240 - rc = cca_clr2seckey(card, dom, keybitsize, 241 - clrkey, keybuf); 242 - *keybuflen = (rc ? 0 : SECKEYBLOBSIZE); 243 - } 244 - 245 - pr_debug("card=%d dom=%d rc=%d\n", card, dom, rc); 246 - return rc; 247 - } 248 - 249 - int pkey_cca_verifykey(const u8 *key, u32 keylen, 250 - u16 *card, u16 *dom, 251 - u32 *keytype, u32 *keybitsize, u32 *flags) 252 - { 253 - struct keytoken_header *hdr = (struct keytoken_header *)key; 254 - u32 nr_apqns, *apqns = NULL; 255 - int rc; 256 - 257 - if (keylen < sizeof(*hdr)) 258 - return -EINVAL; 259 - 260 - zcrypt_wait_api_operational(); 261 - 262 - if (hdr->type == TOKTYPE_CCA_INTERNAL && 263 - hdr->version == TOKVER_CCA_AES) { 264 - struct secaeskeytoken *t = (struct secaeskeytoken *)key; 265 - 266 - rc = cca_check_secaeskeytoken(pkey_dbf_info, 3, key, 0); 267 - if (rc) 268 - goto out; 269 - *keytype = PKEY_TYPE_CCA_DATA; 270 - *keybitsize = t->bitsize; 271 - rc = cca_findcard2(&apqns, &nr_apqns, *card, *dom, 272 - ZCRYPT_CEX3C, AES_MK_SET, 273 - t->mkvp, 0, 1); 274 - if (!rc) 275 - *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 276 - if (rc == -ENODEV) { 277 - rc = cca_findcard2(&apqns, &nr_apqns, *card, *dom, 278 - ZCRYPT_CEX3C, AES_MK_SET, 279 - 0, t->mkvp, 1); 280 - if (!rc) 281 - *flags = PKEY_FLAGS_MATCH_ALT_MKVP; 282 - } 283 - if (rc) 284 - goto out; 285 - 286 - *card = ((struct pkey_apqn *)apqns)->card; 287 - *dom = ((struct pkey_apqn *)apqns)->domain; 288 - 289 - } else if (hdr->type == TOKTYPE_CCA_INTERNAL && 290 - hdr->version == TOKVER_CCA_VLSC) { 291 - struct cipherkeytoken *t = (struct cipherkeytoken *)key; 292 - 293 - rc = cca_check_secaescipherkey(pkey_dbf_info, 3, key, 0, 1); 294 - if (rc) 295 - goto out; 296 - *keytype = PKEY_TYPE_CCA_CIPHER; 297 - *keybitsize = PKEY_SIZE_UNKNOWN; 298 - if (!t->plfver && t->wpllen == 512) 299 - *keybitsize = PKEY_SIZE_AES_128; 300 - else if (!t->plfver && t->wpllen == 576) 301 - *keybitsize = PKEY_SIZE_AES_192; 302 - else if (!t->plfver && t->wpllen == 640) 303 - *keybitsize = PKEY_SIZE_AES_256; 304 - rc = cca_findcard2(&apqns, &nr_apqns, *card, *dom, 305 - ZCRYPT_CEX6, AES_MK_SET, 306 - t->mkvp0, 0, 1); 307 - if (!rc) 308 - *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 309 - if (rc == -ENODEV) { 310 - rc = cca_findcard2(&apqns, &nr_apqns, *card, *dom, 311 - ZCRYPT_CEX6, AES_MK_SET, 312 - 0, t->mkvp0, 1); 313 - if (!rc) 314 - *flags = PKEY_FLAGS_MATCH_ALT_MKVP; 315 - } 316 - if (rc) 317 - goto out; 318 - 319 - *card = ((struct pkey_apqn *)apqns)->card; 320 - *dom = ((struct pkey_apqn *)apqns)->domain; 321 - 322 - } else { 323 - /* unknown/unsupported key blob */ 324 - rc = -EINVAL; 325 - } 326 - 327 - out: 328 - kfree(apqns); 329 - pr_debug("rc=%d\n", rc); 330 - return rc; 331 - } 332 - 333 - int pkey_cca_apqns4key(const u8 *key, u32 keylen, u32 flags, 334 - struct pkey_apqn *apqns, size_t *nr_apqns) 54 + static int cca_apqns4key(const u8 *key, u32 keylen, u32 flags, 55 + struct pkey_apqn *apqns, size_t *nr_apqns) 335 56 { 336 57 struct keytoken_header *hdr = (struct keytoken_header *)key; 337 58 u32 _nr_apqns, *_apqns = NULL; ··· 153 394 return rc; 154 395 } 155 396 156 - int pkey_cca_apqns4type(enum pkey_key_type ktype, 157 - u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 158 - struct pkey_apqn *apqns, size_t *nr_apqns) 397 + static int cca_apqns4type(enum pkey_key_type ktype, 398 + u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 399 + struct pkey_apqn *apqns, size_t *nr_apqns) 159 400 { 160 401 u32 _nr_apqns, *_apqns = NULL; 161 402 int rc; ··· 210 451 pr_debug("rc=%d\n", rc); 211 452 return rc; 212 453 } 454 + 455 + static int cca_key2protkey(const struct pkey_apqn *apqns, size_t nr_apqns, 456 + const u8 *key, u32 keylen, 457 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 458 + { 459 + struct keytoken_header *hdr = (struct keytoken_header *)key; 460 + struct pkey_apqn *local_apqns = NULL; 461 + int i, rc; 462 + 463 + if (keylen < sizeof(*hdr)) 464 + return -EINVAL; 465 + 466 + if (hdr->type == TOKTYPE_CCA_INTERNAL && 467 + hdr->version == TOKVER_CCA_AES) { 468 + /* CCA AES data key */ 469 + if (keylen != sizeof(struct secaeskeytoken)) 470 + return -EINVAL; 471 + if (cca_check_secaeskeytoken(pkey_dbf_info, 3, key, 0)) 472 + return -EINVAL; 473 + } else if (hdr->type == TOKTYPE_CCA_INTERNAL && 474 + hdr->version == TOKVER_CCA_VLSC) { 475 + /* CCA AES cipher key */ 476 + if (keylen < hdr->len || keylen > MAXCCAVLSCTOKENSIZE) 477 + return -EINVAL; 478 + if (cca_check_secaescipherkey(pkey_dbf_info, 479 + 3, key, 0, 1)) 480 + return -EINVAL; 481 + } else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA) { 482 + /* CCA ECC (private) key */ 483 + if (keylen < sizeof(struct eccprivkeytoken)) 484 + return -EINVAL; 485 + if (cca_check_sececckeytoken(pkey_dbf_info, 3, key, keylen, 1)) 486 + return -EINVAL; 487 + } else { 488 + PKEY_DBF_ERR("%s unknown/unsupported blob type %d version %d\n", 489 + __func__, hdr->type, hdr->version); 490 + return -EINVAL; 491 + } 492 + 493 + zcrypt_wait_api_operational(); 494 + 495 + if (!apqns || (nr_apqns == 1 && 496 + apqns[0].card == 0xFFFF && apqns[0].domain == 0xFFFF)) { 497 + nr_apqns = MAXAPQNSINLIST; 498 + local_apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), 499 + GFP_KERNEL); 500 + if (!local_apqns) 501 + return -ENOMEM; 502 + rc = cca_apqns4key(key, keylen, 0, local_apqns, &nr_apqns); 503 + if (rc) 504 + goto out; 505 + apqns = local_apqns; 506 + } 507 + 508 + for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 509 + if (hdr->type == TOKTYPE_CCA_INTERNAL && 510 + hdr->version == TOKVER_CCA_AES) { 511 + rc = cca_sec2protkey(apqns[i].card, apqns[i].domain, 512 + key, protkey, 513 + protkeylen, protkeytype); 514 + } else if (hdr->type == TOKTYPE_CCA_INTERNAL && 515 + hdr->version == TOKVER_CCA_VLSC) { 516 + rc = cca_cipher2protkey(apqns[i].card, apqns[i].domain, 517 + key, protkey, 518 + protkeylen, protkeytype); 519 + } else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA) { 520 + rc = cca_ecc2protkey(apqns[i].card, apqns[i].domain, 521 + key, protkey, 522 + protkeylen, protkeytype); 523 + } else { 524 + rc = -EINVAL; 525 + break; 526 + } 527 + } 528 + 529 + out: 530 + kfree(local_apqns); 531 + pr_debug("rc=%d\n", rc); 532 + return rc; 533 + } 534 + 535 + /* 536 + * Generate CCA secure key. 537 + * As of now only CCA AES Data or Cipher secure keys are 538 + * supported. 539 + * keytype is one of the PKEY_KEYTYPE_* constants, 540 + * subtype may be 0 or PKEY_TYPE_CCA_DATA or PKEY_TYPE_CCA_CIPHER, 541 + * keybitsize is the bit size of the key (may be 0 for 542 + * keytype PKEY_KEYTYPE_AES_*). 543 + */ 544 + static int cca_gen_key(const struct pkey_apqn *apqns, size_t nr_apqns, 545 + u32 keytype, u32 subtype, 546 + u32 keybitsize, u32 flags, 547 + u8 *keybuf, u32 *keybuflen, u32 *_keyinfo) 548 + { 549 + struct pkey_apqn *local_apqns = NULL; 550 + int i, len, rc; 551 + 552 + /* check keytype, subtype, keybitsize */ 553 + switch (keytype) { 554 + case PKEY_KEYTYPE_AES_128: 555 + case PKEY_KEYTYPE_AES_192: 556 + case PKEY_KEYTYPE_AES_256: 557 + len = pkey_keytype_aes_to_size(keytype); 558 + if (keybitsize && keybitsize != 8 * len) { 559 + PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 560 + __func__, keybitsize); 561 + return -EINVAL; 562 + } 563 + keybitsize = 8 * len; 564 + switch (subtype) { 565 + case PKEY_TYPE_CCA_DATA: 566 + case PKEY_TYPE_CCA_CIPHER: 567 + break; 568 + default: 569 + PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 570 + __func__, subtype); 571 + return -EINVAL; 572 + } 573 + break; 574 + default: 575 + PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 576 + __func__, keytype); 577 + return -EINVAL; 578 + } 579 + 580 + zcrypt_wait_api_operational(); 581 + 582 + if (!apqns || (nr_apqns == 1 && 583 + apqns[0].card == 0xFFFF && apqns[0].domain == 0xFFFF)) { 584 + nr_apqns = MAXAPQNSINLIST; 585 + local_apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), 586 + GFP_KERNEL); 587 + if (!local_apqns) 588 + return -ENOMEM; 589 + rc = cca_apqns4type(subtype, NULL, NULL, 0, 590 + local_apqns, &nr_apqns); 591 + if (rc) 592 + goto out; 593 + apqns = local_apqns; 594 + } 595 + 596 + for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 597 + if (subtype == PKEY_TYPE_CCA_CIPHER) { 598 + rc = cca_gencipherkey(apqns[i].card, apqns[i].domain, 599 + keybitsize, flags, 600 + keybuf, keybuflen); 601 + } else { 602 + /* PKEY_TYPE_CCA_DATA */ 603 + rc = cca_genseckey(apqns[i].card, apqns[i].domain, 604 + keybitsize, keybuf); 605 + *keybuflen = (rc ? 0 : SECKEYBLOBSIZE); 606 + } 607 + } 608 + 609 + out: 610 + kfree(local_apqns); 611 + pr_debug("rc=%d\n", rc); 612 + return rc; 613 + } 614 + 615 + /* 616 + * Generate CCA secure key with given clear key value. 617 + * As of now only CCA AES Data or Cipher secure keys are 618 + * supported. 619 + * keytype is one of the PKEY_KEYTYPE_* constants, 620 + * subtype may be 0 or PKEY_TYPE_CCA_DATA or PKEY_TYPE_CCA_CIPHER, 621 + * keybitsize is the bit size of the key (may be 0 for 622 + * keytype PKEY_KEYTYPE_AES_*). 623 + */ 624 + static int cca_clr2key(const struct pkey_apqn *apqns, size_t nr_apqns, 625 + u32 keytype, u32 subtype, 626 + u32 keybitsize, u32 flags, 627 + const u8 *clrkey, u32 clrkeylen, 628 + u8 *keybuf, u32 *keybuflen, u32 *_keyinfo) 629 + { 630 + struct pkey_apqn *local_apqns = NULL; 631 + int i, len, rc; 632 + 633 + /* check keytype, subtype, clrkeylen, keybitsize */ 634 + switch (keytype) { 635 + case PKEY_KEYTYPE_AES_128: 636 + case PKEY_KEYTYPE_AES_192: 637 + case PKEY_KEYTYPE_AES_256: 638 + len = pkey_keytype_aes_to_size(keytype); 639 + if (keybitsize && keybitsize != 8 * len) { 640 + PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 641 + __func__, keybitsize); 642 + return -EINVAL; 643 + } 644 + keybitsize = 8 * len; 645 + if (clrkeylen != len) { 646 + PKEY_DBF_ERR("%s invalid clear key len %d != %d\n", 647 + __func__, clrkeylen, len); 648 + return -EINVAL; 649 + } 650 + switch (subtype) { 651 + case PKEY_TYPE_CCA_DATA: 652 + case PKEY_TYPE_CCA_CIPHER: 653 + break; 654 + default: 655 + PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 656 + __func__, subtype); 657 + return -EINVAL; 658 + } 659 + break; 660 + default: 661 + PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 662 + __func__, keytype); 663 + return -EINVAL; 664 + } 665 + 666 + zcrypt_wait_api_operational(); 667 + 668 + if (!apqns || (nr_apqns == 1 && 669 + apqns[0].card == 0xFFFF && apqns[0].domain == 0xFFFF)) { 670 + nr_apqns = MAXAPQNSINLIST; 671 + local_apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), 672 + GFP_KERNEL); 673 + if (!local_apqns) 674 + return -ENOMEM; 675 + rc = cca_apqns4type(subtype, NULL, NULL, 0, 676 + local_apqns, &nr_apqns); 677 + if (rc) 678 + goto out; 679 + apqns = local_apqns; 680 + } 681 + 682 + for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 683 + if (subtype == PKEY_TYPE_CCA_CIPHER) { 684 + rc = cca_clr2cipherkey(apqns[i].card, apqns[i].domain, 685 + keybitsize, flags, clrkey, 686 + keybuf, keybuflen); 687 + } else { 688 + /* PKEY_TYPE_CCA_DATA */ 689 + rc = cca_clr2seckey(apqns[i].card, apqns[i].domain, 690 + keybitsize, clrkey, keybuf); 691 + *keybuflen = (rc ? 0 : SECKEYBLOBSIZE); 692 + } 693 + } 694 + 695 + out: 696 + kfree(local_apqns); 697 + pr_debug("rc=%d\n", rc); 698 + return rc; 699 + } 700 + 701 + static int cca_verifykey(const u8 *key, u32 keylen, 702 + u16 *card, u16 *dom, 703 + u32 *keytype, u32 *keybitsize, u32 *flags) 704 + { 705 + struct keytoken_header *hdr = (struct keytoken_header *)key; 706 + u32 nr_apqns, *apqns = NULL; 707 + int rc; 708 + 709 + if (keylen < sizeof(*hdr)) 710 + return -EINVAL; 711 + 712 + zcrypt_wait_api_operational(); 713 + 714 + if (hdr->type == TOKTYPE_CCA_INTERNAL && 715 + hdr->version == TOKVER_CCA_AES) { 716 + struct secaeskeytoken *t = (struct secaeskeytoken *)key; 717 + 718 + rc = cca_check_secaeskeytoken(pkey_dbf_info, 3, key, 0); 719 + if (rc) 720 + goto out; 721 + *keytype = PKEY_TYPE_CCA_DATA; 722 + *keybitsize = t->bitsize; 723 + rc = cca_findcard2(&apqns, &nr_apqns, *card, *dom, 724 + ZCRYPT_CEX3C, AES_MK_SET, 725 + t->mkvp, 0, 1); 726 + if (!rc) 727 + *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 728 + if (rc == -ENODEV) { 729 + rc = cca_findcard2(&apqns, &nr_apqns, *card, *dom, 730 + ZCRYPT_CEX3C, AES_MK_SET, 731 + 0, t->mkvp, 1); 732 + if (!rc) 733 + *flags = PKEY_FLAGS_MATCH_ALT_MKVP; 734 + } 735 + if (rc) 736 + goto out; 737 + 738 + *card = ((struct pkey_apqn *)apqns)->card; 739 + *dom = ((struct pkey_apqn *)apqns)->domain; 740 + 741 + } else if (hdr->type == TOKTYPE_CCA_INTERNAL && 742 + hdr->version == TOKVER_CCA_VLSC) { 743 + struct cipherkeytoken *t = (struct cipherkeytoken *)key; 744 + 745 + rc = cca_check_secaescipherkey(pkey_dbf_info, 3, key, 0, 1); 746 + if (rc) 747 + goto out; 748 + *keytype = PKEY_TYPE_CCA_CIPHER; 749 + *keybitsize = PKEY_SIZE_UNKNOWN; 750 + if (!t->plfver && t->wpllen == 512) 751 + *keybitsize = PKEY_SIZE_AES_128; 752 + else if (!t->plfver && t->wpllen == 576) 753 + *keybitsize = PKEY_SIZE_AES_192; 754 + else if (!t->plfver && t->wpllen == 640) 755 + *keybitsize = PKEY_SIZE_AES_256; 756 + rc = cca_findcard2(&apqns, &nr_apqns, *card, *dom, 757 + ZCRYPT_CEX6, AES_MK_SET, 758 + t->mkvp0, 0, 1); 759 + if (!rc) 760 + *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 761 + if (rc == -ENODEV) { 762 + rc = cca_findcard2(&apqns, &nr_apqns, *card, *dom, 763 + ZCRYPT_CEX6, AES_MK_SET, 764 + 0, t->mkvp0, 1); 765 + if (!rc) 766 + *flags = PKEY_FLAGS_MATCH_ALT_MKVP; 767 + } 768 + if (rc) 769 + goto out; 770 + 771 + *card = ((struct pkey_apqn *)apqns)->card; 772 + *dom = ((struct pkey_apqn *)apqns)->domain; 773 + 774 + } else { 775 + /* unknown/unsupported key blob */ 776 + rc = -EINVAL; 777 + } 778 + 779 + out: 780 + kfree(apqns); 781 + pr_debug("rc=%d\n", rc); 782 + return rc; 783 + } 784 + 785 + static struct pkey_handler cca_handler = { 786 + .module = THIS_MODULE, 787 + .name = "PKEY CCA handler", 788 + .is_supported_key = is_cca_key, 789 + .is_supported_keytype = is_cca_keytype, 790 + .key_to_protkey = cca_key2protkey, 791 + .gen_key = cca_gen_key, 792 + .clr_to_key = cca_clr2key, 793 + .verify_key = cca_verifykey, 794 + .apqns_for_key = cca_apqns4key, 795 + .apqns_for_keytype = cca_apqns4type, 796 + }; 797 + 798 + /* 799 + * Module init 800 + */ 801 + static int __init pkey_cca_init(void) 802 + { 803 + /* register this module as pkey handler for all the cca stuff */ 804 + return pkey_handler_register(&cca_handler); 805 + } 806 + 807 + /* 808 + * Module exit 809 + */ 810 + static void __exit pkey_cca_exit(void) 811 + { 812 + /* unregister this module as pkey handler */ 813 + pkey_handler_unregister(&cca_handler); 814 + } 815 + 816 + module_init(pkey_cca_init); 817 + module_exit(pkey_cca_exit);
+367 -245
drivers/s390/crypto/pkey_ep11.c
··· 8 8 #define KMSG_COMPONENT "pkey" 9 9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 10 10 11 + #include <linux/init.h> 12 + #include <linux/module.h> 13 + #include <linux/cpufeature.h> 14 + 11 15 #include "zcrypt_api.h" 12 16 #include "zcrypt_ccamisc.h" 13 17 #include "zcrypt_ep11misc.h" 14 - 15 18 #include "pkey_base.h" 19 + 20 + MODULE_LICENSE("GPL"); 21 + MODULE_AUTHOR("IBM Corporation"); 22 + MODULE_DESCRIPTION("s390 protected key EP11 handler"); 23 + 24 + #if IS_MODULE(CONFIG_PKEY_EP11) 25 + static struct ap_device_id pkey_ep11_card_ids[] = { 26 + { .dev_type = AP_DEVICE_TYPE_CEX4 }, 27 + { .dev_type = AP_DEVICE_TYPE_CEX5 }, 28 + { .dev_type = AP_DEVICE_TYPE_CEX6 }, 29 + { .dev_type = AP_DEVICE_TYPE_CEX7 }, 30 + { .dev_type = AP_DEVICE_TYPE_CEX8 }, 31 + { /* end of list */ }, 32 + }; 33 + MODULE_DEVICE_TABLE(ap, pkey_ep11_card_ids); 34 + #endif 16 35 17 36 /* 18 37 * Check key blob for known and supported EP11 key. 19 38 */ 20 - bool pkey_is_ep11_key(const u8 *key, u32 keylen) 39 + static bool is_ep11_key(const u8 *key, u32 keylen) 21 40 { 22 41 struct keytoken_header *hdr = (struct keytoken_header *)key; 23 42 ··· 58 39 } 59 40 } 60 41 61 - bool pkey_is_ep11_keytype(enum pkey_key_type key_type) 42 + static bool is_ep11_keytype(enum pkey_key_type key_type) 62 43 { 63 44 switch (key_type) { 64 45 case PKEY_TYPE_EP11: ··· 70 51 } 71 52 } 72 53 73 - int pkey_ep11_key2protkey(u16 card, u16 dom, 74 - const u8 *key, u32 keylen, 75 - u8 *protkey, u32 *protkeylen, u32 *protkeytype) 76 - { 77 - struct keytoken_header *hdr = (struct keytoken_header *)key; 78 - int rc; 79 - 80 - if (keylen < sizeof(*hdr)) 81 - return -EINVAL; 82 - 83 - zcrypt_wait_api_operational(); 84 - 85 - if (hdr->type == TOKTYPE_NON_CCA && 86 - hdr->version == TOKVER_EP11_AES_WITH_HEADER && 87 - is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) { 88 - /* EP11 AES key blob with header */ 89 - if (ep11_check_aes_key_with_hdr(pkey_dbf_info, 90 - 3, key, keylen, 1)) 91 - return -EINVAL; 92 - rc = ep11_kblob2protkey(card, dom, key, hdr->len, 93 - protkey, protkeylen, protkeytype); 94 - } else if (hdr->type == TOKTYPE_NON_CCA && 95 - hdr->version == TOKVER_EP11_ECC_WITH_HEADER && 96 - is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) { 97 - /* EP11 ECC key blob with header */ 98 - if (ep11_check_ecc_key_with_hdr(pkey_dbf_info, 99 - 3, key, keylen, 1)) 100 - return -EINVAL; 101 - rc = ep11_kblob2protkey(card, dom, key, hdr->len, 102 - protkey, protkeylen, protkeytype); 103 - } else if (hdr->type == TOKTYPE_NON_CCA && 104 - hdr->version == TOKVER_EP11_AES && 105 - is_ep11_keyblob(key)) { 106 - /* EP11 AES key blob with header in session field */ 107 - if (ep11_check_aes_key(pkey_dbf_info, 3, key, keylen, 1)) 108 - return -EINVAL; 109 - rc = ep11_kblob2protkey(card, dom, key, hdr->len, 110 - protkey, protkeylen, protkeytype); 111 - } else { 112 - PKEY_DBF_ERR("%s unknown/unsupported blob type %d version %d\n", 113 - __func__, hdr->type, hdr->version); 114 - return -EINVAL; 115 - } 116 - 117 - pr_debug("card=%d dom=%d rc=%d\n", card, dom, rc); 118 - return rc; 119 - } 120 - 121 - /* 122 - * Generate EP11 secure key. 123 - * As of now only EP11 AES secure keys are supported. 124 - * keytype is one of the PKEY_KEYTYPE_* constants, 125 - * subtype may be PKEY_TYPE_EP11 or PKEY_TYPE_EP11_AES 126 - * or 0 (results in subtype PKEY_TYPE_EP11_AES), 127 - * keybitsize is the bit size of the key (may be 0 for 128 - * keytype PKEY_KEYTYPE_AES_*). 129 - */ 130 - int pkey_ep11_gen_key(u16 card, u16 dom, 131 - u32 keytype, u32 subtype, 132 - u32 keybitsize, u32 flags, 133 - u8 *keybuf, u32 *keybuflen, u32 *_keyinfo) 134 - { 135 - int len, rc; 136 - 137 - /* check keytype, subtype, keybitsize */ 138 - switch (keytype) { 139 - case PKEY_KEYTYPE_AES_128: 140 - case PKEY_KEYTYPE_AES_192: 141 - case PKEY_KEYTYPE_AES_256: 142 - len = pkey_keytype_aes_to_size(keytype); 143 - if (keybitsize && keybitsize != 8 * len) { 144 - PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 145 - __func__, keybitsize); 146 - return -EINVAL; 147 - } 148 - keybitsize = 8 * len; 149 - switch (subtype) { 150 - case 0: 151 - subtype = PKEY_TYPE_EP11_AES; 152 - break; 153 - case PKEY_TYPE_EP11: 154 - case PKEY_TYPE_EP11_AES: 155 - break; 156 - default: 157 - PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 158 - __func__, subtype); 159 - return -EINVAL; 160 - } 161 - break; 162 - default: 163 - PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 164 - __func__, keytype); 165 - return -EINVAL; 166 - } 167 - 168 - zcrypt_wait_api_operational(); 169 - 170 - rc = ep11_genaeskey(card, dom, keybitsize, flags, 171 - keybuf, keybuflen, subtype); 172 - 173 - pr_debug("card=%d dom=%d rc=%d\n", card, dom, rc); 174 - return rc; 175 - } 176 - 177 - /* 178 - * Generate EP11 secure key with given clear key value. 179 - * As of now only EP11 AES secure keys are supported. 180 - * keytype is one of the PKEY_KEYTYPE_* constants, 181 - * subtype may be PKEY_TYPE_EP11 or PKEY_TYPE_EP11_AES 182 - * or 0 (assumes PKEY_TYPE_EP11_AES then). 183 - * keybitsize is the bit size of the key (may be 0 for 184 - * keytype PKEY_KEYTYPE_AES_*). 185 - */ 186 - int pkey_ep11_clr2key(u16 card, u16 dom, 187 - u32 keytype, u32 subtype, 188 - u32 keybitsize, u32 flags, 189 - const u8 *clrkey, u32 clrkeylen, 190 - u8 *keybuf, u32 *keybuflen, u32 *_keyinfo) 191 - { 192 - int len, rc; 193 - 194 - /* check keytype, subtype, clrkeylen, keybitsize */ 195 - switch (keytype) { 196 - case PKEY_KEYTYPE_AES_128: 197 - case PKEY_KEYTYPE_AES_192: 198 - case PKEY_KEYTYPE_AES_256: 199 - len = pkey_keytype_aes_to_size(keytype); 200 - if (keybitsize && keybitsize != 8 * len) { 201 - PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 202 - __func__, keybitsize); 203 - return -EINVAL; 204 - } 205 - keybitsize = 8 * len; 206 - if (clrkeylen != len) { 207 - PKEY_DBF_ERR("%s invalid clear key len %d != %d\n", 208 - __func__, clrkeylen, len); 209 - return -EINVAL; 210 - } 211 - switch (subtype) { 212 - case 0: 213 - subtype = PKEY_TYPE_EP11_AES; 214 - break; 215 - case PKEY_TYPE_EP11: 216 - case PKEY_TYPE_EP11_AES: 217 - break; 218 - default: 219 - PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 220 - __func__, subtype); 221 - return -EINVAL; 222 - } 223 - break; 224 - default: 225 - PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 226 - __func__, keytype); 227 - return -EINVAL; 228 - } 229 - 230 - zcrypt_wait_api_operational(); 231 - 232 - rc = ep11_clr2keyblob(card, dom, keybitsize, flags, 233 - clrkey, keybuf, keybuflen, subtype); 234 - 235 - pr_debug("card=%d dom=%d rc=%d\n", card, dom, rc); 236 - return rc; 237 - } 238 - 239 - int pkey_ep11_verifykey(const u8 *key, u32 keylen, 240 - u16 *card, u16 *dom, 241 - u32 *keytype, u32 *keybitsize, u32 *flags) 242 - { 243 - struct keytoken_header *hdr = (struct keytoken_header *)key; 244 - u32 nr_apqns, *apqns = NULL; 245 - int rc; 246 - 247 - if (keylen < sizeof(*hdr)) 248 - return -EINVAL; 249 - 250 - zcrypt_wait_api_operational(); 251 - 252 - if (hdr->type == TOKTYPE_NON_CCA && 253 - hdr->version == TOKVER_EP11_AES) { 254 - struct ep11keyblob *kb = (struct ep11keyblob *)key; 255 - int api; 256 - 257 - rc = ep11_check_aes_key(pkey_dbf_info, 3, key, keylen, 1); 258 - if (rc) 259 - goto out; 260 - *keytype = PKEY_TYPE_EP11; 261 - *keybitsize = kb->head.bitlen; 262 - 263 - api = ap_is_se_guest() ? EP11_API_V6 : EP11_API_V4; 264 - rc = ep11_findcard2(&apqns, &nr_apqns, *card, *dom, 265 - ZCRYPT_CEX7, api, 266 - ep11_kb_wkvp(key, keylen)); 267 - if (rc) 268 - goto out; 269 - 270 - *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 271 - 272 - *card = ((struct pkey_apqn *)apqns)->card; 273 - *dom = ((struct pkey_apqn *)apqns)->domain; 274 - 275 - } else if (hdr->type == TOKTYPE_NON_CCA && 276 - hdr->version == TOKVER_EP11_AES_WITH_HEADER) { 277 - struct ep11kblob_header *kh = (struct ep11kblob_header *)key; 278 - int api; 279 - 280 - rc = ep11_check_aes_key_with_hdr(pkey_dbf_info, 281 - 3, key, keylen, 1); 282 - if (rc) 283 - goto out; 284 - *keytype = PKEY_TYPE_EP11_AES; 285 - *keybitsize = kh->bitlen; 286 - 287 - api = ap_is_se_guest() ? EP11_API_V6 : EP11_API_V4; 288 - rc = ep11_findcard2(&apqns, &nr_apqns, *card, *dom, 289 - ZCRYPT_CEX7, api, 290 - ep11_kb_wkvp(key, keylen)); 291 - if (rc) 292 - goto out; 293 - 294 - *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 295 - 296 - *card = ((struct pkey_apqn *)apqns)->card; 297 - *dom = ((struct pkey_apqn *)apqns)->domain; 298 - 299 - } else { 300 - /* unknown/unsupported key blob */ 301 - rc = -EINVAL; 302 - } 303 - 304 - out: 305 - kfree(apqns); 306 - pr_debug("rc=%d\n", rc); 307 - return rc; 308 - } 309 - 310 - int pkey_ep11_apqns4key(const u8 *key, u32 keylen, u32 flags, 311 - struct pkey_apqn *apqns, size_t *nr_apqns) 54 + static int ep11_apqns4key(const u8 *key, u32 keylen, u32 flags, 55 + struct pkey_apqn *apqns, size_t *nr_apqns) 312 56 { 313 57 struct keytoken_header *hdr = (struct keytoken_header *)key; 314 58 u32 _nr_apqns, *_apqns = NULL; ··· 141 359 return rc; 142 360 } 143 361 144 - int pkey_ep11_apqns4type(enum pkey_key_type ktype, 145 - u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 146 - struct pkey_apqn *apqns, size_t *nr_apqns) 362 + static int ep11_apqns4type(enum pkey_key_type ktype, 363 + u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 364 + struct pkey_apqn *apqns, size_t *nr_apqns) 147 365 { 148 366 u32 _nr_apqns, *_apqns = NULL; 149 367 int rc; ··· 183 401 pr_debug("rc=%d\n", rc); 184 402 return rc; 185 403 } 404 + 405 + static int ep11_key2protkey(const struct pkey_apqn *apqns, size_t nr_apqns, 406 + const u8 *key, u32 keylen, 407 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 408 + { 409 + struct keytoken_header *hdr = (struct keytoken_header *)key; 410 + struct pkey_apqn *local_apqns = NULL; 411 + int i, rc; 412 + 413 + if (keylen < sizeof(*hdr)) 414 + return -EINVAL; 415 + 416 + if (hdr->type == TOKTYPE_NON_CCA && 417 + hdr->version == TOKVER_EP11_AES_WITH_HEADER && 418 + is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) { 419 + /* EP11 AES key blob with header */ 420 + if (ep11_check_aes_key_with_hdr(pkey_dbf_info, 421 + 3, key, keylen, 1)) 422 + return -EINVAL; 423 + } else if (hdr->type == TOKTYPE_NON_CCA && 424 + hdr->version == TOKVER_EP11_ECC_WITH_HEADER && 425 + is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) { 426 + /* EP11 ECC key blob with header */ 427 + if (ep11_check_ecc_key_with_hdr(pkey_dbf_info, 428 + 3, key, keylen, 1)) 429 + return -EINVAL; 430 + } else if (hdr->type == TOKTYPE_NON_CCA && 431 + hdr->version == TOKVER_EP11_AES && 432 + is_ep11_keyblob(key)) { 433 + /* EP11 AES key blob with header in session field */ 434 + if (ep11_check_aes_key(pkey_dbf_info, 3, key, keylen, 1)) 435 + return -EINVAL; 436 + } else { 437 + PKEY_DBF_ERR("%s unknown/unsupported blob type %d version %d\n", 438 + __func__, hdr->type, hdr->version); 439 + return -EINVAL; 440 + } 441 + 442 + zcrypt_wait_api_operational(); 443 + 444 + if (!apqns || (nr_apqns == 1 && 445 + apqns[0].card == 0xFFFF && apqns[0].domain == 0xFFFF)) { 446 + nr_apqns = MAXAPQNSINLIST; 447 + local_apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), 448 + GFP_KERNEL); 449 + if (!local_apqns) 450 + return -ENOMEM; 451 + rc = ep11_apqns4key(key, keylen, 0, local_apqns, &nr_apqns); 452 + if (rc) 453 + goto out; 454 + apqns = local_apqns; 455 + } 456 + 457 + for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 458 + if (hdr->type == TOKTYPE_NON_CCA && 459 + hdr->version == TOKVER_EP11_AES_WITH_HEADER && 460 + is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) { 461 + rc = ep11_kblob2protkey(apqns[i].card, apqns[i].domain, 462 + key, hdr->len, protkey, 463 + protkeylen, protkeytype); 464 + } else if (hdr->type == TOKTYPE_NON_CCA && 465 + hdr->version == TOKVER_EP11_ECC_WITH_HEADER && 466 + is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) { 467 + rc = ep11_kblob2protkey(apqns[i].card, apqns[i].domain, 468 + key, hdr->len, protkey, 469 + protkeylen, protkeytype); 470 + } else if (hdr->type == TOKTYPE_NON_CCA && 471 + hdr->version == TOKVER_EP11_AES && 472 + is_ep11_keyblob(key)) { 473 + rc = ep11_kblob2protkey(apqns[i].card, apqns[i].domain, 474 + key, hdr->len, protkey, 475 + protkeylen, protkeytype); 476 + } else { 477 + rc = -EINVAL; 478 + break; 479 + } 480 + } 481 + 482 + out: 483 + kfree(local_apqns); 484 + pr_debug("rc=%d\n", rc); 485 + return rc; 486 + } 487 + 488 + /* 489 + * Generate EP11 secure key. 490 + * As of now only EP11 AES secure keys are supported. 491 + * keytype is one of the PKEY_KEYTYPE_* constants, 492 + * subtype may be PKEY_TYPE_EP11 or PKEY_TYPE_EP11_AES 493 + * or 0 (results in subtype PKEY_TYPE_EP11_AES), 494 + * keybitsize is the bit size of the key (may be 0 for 495 + * keytype PKEY_KEYTYPE_AES_*). 496 + */ 497 + static int ep11_gen_key(const struct pkey_apqn *apqns, size_t nr_apqns, 498 + u32 keytype, u32 subtype, 499 + u32 keybitsize, u32 flags, 500 + u8 *keybuf, u32 *keybuflen, u32 *_keyinfo) 501 + { 502 + struct pkey_apqn *local_apqns = NULL; 503 + int i, len, rc; 504 + 505 + /* check keytype, subtype, keybitsize */ 506 + switch (keytype) { 507 + case PKEY_KEYTYPE_AES_128: 508 + case PKEY_KEYTYPE_AES_192: 509 + case PKEY_KEYTYPE_AES_256: 510 + len = pkey_keytype_aes_to_size(keytype); 511 + if (keybitsize && keybitsize != 8 * len) { 512 + PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 513 + __func__, keybitsize); 514 + return -EINVAL; 515 + } 516 + keybitsize = 8 * len; 517 + switch (subtype) { 518 + case PKEY_TYPE_EP11: 519 + case PKEY_TYPE_EP11_AES: 520 + break; 521 + default: 522 + PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 523 + __func__, subtype); 524 + return -EINVAL; 525 + } 526 + break; 527 + default: 528 + PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 529 + __func__, keytype); 530 + return -EINVAL; 531 + } 532 + 533 + zcrypt_wait_api_operational(); 534 + 535 + if (!apqns || (nr_apqns == 1 && 536 + apqns[0].card == 0xFFFF && apqns[0].domain == 0xFFFF)) { 537 + nr_apqns = MAXAPQNSINLIST; 538 + local_apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), 539 + GFP_KERNEL); 540 + if (!local_apqns) 541 + return -ENOMEM; 542 + rc = ep11_apqns4type(subtype, NULL, NULL, 0, 543 + local_apqns, &nr_apqns); 544 + if (rc) 545 + goto out; 546 + apqns = local_apqns; 547 + } 548 + 549 + for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 550 + rc = ep11_genaeskey(apqns[i].card, apqns[i].domain, 551 + keybitsize, flags, 552 + keybuf, keybuflen, subtype); 553 + } 554 + 555 + out: 556 + kfree(local_apqns); 557 + pr_debug("rc=%d\n", rc); 558 + return rc; 559 + } 560 + 561 + /* 562 + * Generate EP11 secure key with given clear key value. 563 + * As of now only EP11 AES secure keys are supported. 564 + * keytype is one of the PKEY_KEYTYPE_* constants, 565 + * subtype may be PKEY_TYPE_EP11 or PKEY_TYPE_EP11_AES 566 + * or 0 (assumes PKEY_TYPE_EP11_AES then). 567 + * keybitsize is the bit size of the key (may be 0 for 568 + * keytype PKEY_KEYTYPE_AES_*). 569 + */ 570 + static int ep11_clr2key(const struct pkey_apqn *apqns, size_t nr_apqns, 571 + u32 keytype, u32 subtype, 572 + u32 keybitsize, u32 flags, 573 + const u8 *clrkey, u32 clrkeylen, 574 + u8 *keybuf, u32 *keybuflen, u32 *_keyinfo) 575 + { 576 + struct pkey_apqn *local_apqns = NULL; 577 + int i, len, rc; 578 + 579 + /* check keytype, subtype, clrkeylen, keybitsize */ 580 + switch (keytype) { 581 + case PKEY_KEYTYPE_AES_128: 582 + case PKEY_KEYTYPE_AES_192: 583 + case PKEY_KEYTYPE_AES_256: 584 + len = pkey_keytype_aes_to_size(keytype); 585 + if (keybitsize && keybitsize != 8 * len) { 586 + PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n", 587 + __func__, keybitsize); 588 + return -EINVAL; 589 + } 590 + keybitsize = 8 * len; 591 + if (clrkeylen != len) { 592 + PKEY_DBF_ERR("%s invalid clear key len %d != %d\n", 593 + __func__, clrkeylen, len); 594 + return -EINVAL; 595 + } 596 + switch (subtype) { 597 + case PKEY_TYPE_EP11: 598 + case PKEY_TYPE_EP11_AES: 599 + break; 600 + default: 601 + PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 602 + __func__, subtype); 603 + return -EINVAL; 604 + } 605 + break; 606 + default: 607 + PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 608 + __func__, keytype); 609 + return -EINVAL; 610 + } 611 + 612 + zcrypt_wait_api_operational(); 613 + 614 + if (!apqns || (nr_apqns == 1 && 615 + apqns[0].card == 0xFFFF && apqns[0].domain == 0xFFFF)) { 616 + nr_apqns = MAXAPQNSINLIST; 617 + local_apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), 618 + GFP_KERNEL); 619 + if (!local_apqns) 620 + return -ENOMEM; 621 + rc = ep11_apqns4type(subtype, NULL, NULL, 0, 622 + local_apqns, &nr_apqns); 623 + if (rc) 624 + goto out; 625 + apqns = local_apqns; 626 + } 627 + 628 + for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) { 629 + rc = ep11_clr2keyblob(apqns[i].card, apqns[i].domain, 630 + keybitsize, flags, clrkey, 631 + keybuf, keybuflen, subtype); 632 + } 633 + 634 + out: 635 + kfree(local_apqns); 636 + pr_debug("rc=%d\n", rc); 637 + return rc; 638 + } 639 + 640 + static int ep11_verifykey(const u8 *key, u32 keylen, 641 + u16 *card, u16 *dom, 642 + u32 *keytype, u32 *keybitsize, u32 *flags) 643 + { 644 + struct keytoken_header *hdr = (struct keytoken_header *)key; 645 + u32 nr_apqns, *apqns = NULL; 646 + int rc; 647 + 648 + if (keylen < sizeof(*hdr)) 649 + return -EINVAL; 650 + 651 + zcrypt_wait_api_operational(); 652 + 653 + if (hdr->type == TOKTYPE_NON_CCA && 654 + hdr->version == TOKVER_EP11_AES) { 655 + struct ep11keyblob *kb = (struct ep11keyblob *)key; 656 + int api; 657 + 658 + rc = ep11_check_aes_key(pkey_dbf_info, 3, key, keylen, 1); 659 + if (rc) 660 + goto out; 661 + *keytype = PKEY_TYPE_EP11; 662 + *keybitsize = kb->head.bitlen; 663 + 664 + api = ap_is_se_guest() ? EP11_API_V6 : EP11_API_V4; 665 + rc = ep11_findcard2(&apqns, &nr_apqns, *card, *dom, 666 + ZCRYPT_CEX7, api, 667 + ep11_kb_wkvp(key, keylen)); 668 + if (rc) 669 + goto out; 670 + 671 + *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 672 + 673 + *card = ((struct pkey_apqn *)apqns)->card; 674 + *dom = ((struct pkey_apqn *)apqns)->domain; 675 + 676 + } else if (hdr->type == TOKTYPE_NON_CCA && 677 + hdr->version == TOKVER_EP11_AES_WITH_HEADER) { 678 + struct ep11kblob_header *kh = (struct ep11kblob_header *)key; 679 + int api; 680 + 681 + rc = ep11_check_aes_key_with_hdr(pkey_dbf_info, 682 + 3, key, keylen, 1); 683 + if (rc) 684 + goto out; 685 + *keytype = PKEY_TYPE_EP11_AES; 686 + *keybitsize = kh->bitlen; 687 + 688 + api = ap_is_se_guest() ? EP11_API_V6 : EP11_API_V4; 689 + rc = ep11_findcard2(&apqns, &nr_apqns, *card, *dom, 690 + ZCRYPT_CEX7, api, 691 + ep11_kb_wkvp(key, keylen)); 692 + if (rc) 693 + goto out; 694 + 695 + *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 696 + 697 + *card = ((struct pkey_apqn *)apqns)->card; 698 + *dom = ((struct pkey_apqn *)apqns)->domain; 699 + 700 + } else { 701 + /* unknown/unsupported key blob */ 702 + rc = -EINVAL; 703 + } 704 + 705 + out: 706 + kfree(apqns); 707 + pr_debug("rc=%d\n", rc); 708 + return rc; 709 + } 710 + 711 + static struct pkey_handler ep11_handler = { 712 + .module = THIS_MODULE, 713 + .name = "PKEY EP11 handler", 714 + .is_supported_key = is_ep11_key, 715 + .is_supported_keytype = is_ep11_keytype, 716 + .key_to_protkey = ep11_key2protkey, 717 + .gen_key = ep11_gen_key, 718 + .clr_to_key = ep11_clr2key, 719 + .verify_key = ep11_verifykey, 720 + .apqns_for_key = ep11_apqns4key, 721 + .apqns_for_keytype = ep11_apqns4type, 722 + }; 723 + 724 + /* 725 + * Module init 726 + */ 727 + static int __init pkey_ep11_init(void) 728 + { 729 + /* register this module as pkey handler for all the ep11 stuff */ 730 + return pkey_handler_register(&ep11_handler); 731 + } 732 + 733 + /* 734 + * Module exit 735 + */ 736 + static void __exit pkey_ep11_exit(void) 737 + { 738 + /* unregister this module as pkey handler */ 739 + pkey_handler_unregister(&ep11_handler); 740 + } 741 + 742 + module_init(pkey_ep11_init); 743 + module_exit(pkey_ep11_exit);
+241 -171
drivers/s390/crypto/pkey_pckmo.c
··· 8 8 #define KMSG_COMPONENT "pkey" 9 9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 10 10 11 + #include <linux/init.h> 12 + #include <linux/module.h> 13 + #include <linux/cpufeature.h> 11 14 #include <asm/cpacf.h> 12 15 #include <crypto/aes.h> 13 16 #include <linux/random.h> 14 17 15 18 #include "zcrypt_api.h" 16 19 #include "zcrypt_ccamisc.h" 17 - 18 20 #include "pkey_base.h" 19 21 20 - /* 21 - * Prototypes 22 - */ 23 - 24 - static bool is_pckmo_key(const u8 *key, u32 keylen); 25 - static int pckmo_key2protkey(const u8 *key, u32 keylen, 26 - u8 *protkey, u32 *protkeylen, u32 *protkeytype); 27 - static int pckmo_gen_protkey(u32 keytype, 28 - u8 *protkey, u32 *protkeylen, u32 *protkeytype); 29 - static int pckmo_clr2protkey(u32 keytype, const u8 *clrkey, u32 clrkeylen, 30 - u8 *protkey, u32 *protkeylen, u32 *protkeytype); 31 - static int pckmo_verify_protkey(const u8 *protkey, u32 protkeylen, 32 - u32 protkeytype); 33 - 34 - /* 35 - * Wrapper functions 36 - */ 37 - 38 - bool pkey_is_pckmo_key(const u8 *key, u32 keylen) 39 - { 40 - return is_pckmo_key(key, keylen); 41 - } 42 - 43 - int pkey_pckmo_key2protkey(u16 _card, u16 _dom, 44 - const u8 *key, u32 keylen, 45 - u8 *protkey, u32 *protkeylen, u32 *keyinfo) 46 - { 47 - return pckmo_key2protkey(key, keylen, 48 - protkey, protkeylen, keyinfo); 49 - } 50 - 51 - int pkey_pckmo_gen_key(u16 _card, u16 _dom, 52 - u32 keytype, u32 _keysubtype, 53 - u32 _keybitsize, u32 _flags, 54 - u8 *keybuf, u32 *keybuflen, u32 *keyinfo) 55 - { 56 - return pckmo_gen_protkey(keytype, 57 - keybuf, keybuflen, keyinfo); 58 - } 59 - 60 - int pkey_pckmo_clr2key(u16 _card, u16 _dom, 61 - u32 keytype, u32 _keysubtype, 62 - u32 _keybitsize, u32 _flags, 63 - const u8 *clrkey, u32 clrkeylen, 64 - u8 *keybuf, u32 *keybuflen, u32 *keyinfo) 65 - { 66 - return pckmo_clr2protkey(keytype, clrkey, clrkeylen, 67 - keybuf, keybuflen, keyinfo); 68 - } 69 - 70 - int pkey_pckmo_verifykey(const u8 *key, u32 keylen, 71 - u16 *_card, u16 *_dom, 72 - u32 *keytype, u32 *_keybitsize, u32 *_flags) 73 - { 74 - return pckmo_verify_protkey(key, keylen, *keytype); 75 - } 22 + MODULE_LICENSE("GPL"); 23 + MODULE_AUTHOR("IBM Corporation"); 24 + MODULE_DESCRIPTION("s390 protected key PCKMO handler"); 76 25 77 26 /* 78 27 * Check key blob for known and supported here. ··· 61 112 } 62 113 } 63 114 64 - static int pckmo_key2protkey(const u8 *key, u32 keylen, 65 - u8 *protkey, u32 *protkeylen, u32 *protkeytype) 115 + static bool is_pckmo_keytype(enum pkey_key_type keytype) 66 116 { 67 - struct keytoken_header *hdr = (struct keytoken_header *)key; 68 - int rc = -EINVAL; 69 - 70 - if (keylen < sizeof(*hdr)) 71 - return -EINVAL; 72 - if (hdr->type != TOKTYPE_NON_CCA) 73 - return -EINVAL; 74 - 75 - switch (hdr->version) { 76 - case TOKVER_PROTECTED_KEY: { 77 - struct protaeskeytoken *t; 78 - 79 - if (keylen != sizeof(struct protaeskeytoken)) 80 - goto out; 81 - t = (struct protaeskeytoken *)key; 82 - rc = pckmo_verify_protkey(t->protkey, t->len, t->keytype); 83 - if (rc) 84 - goto out; 85 - memcpy(protkey, t->protkey, t->len); 86 - *protkeylen = t->len; 87 - *protkeytype = t->keytype; 88 - break; 89 - } 90 - case TOKVER_CLEAR_KEY: { 91 - struct clearkeytoken *t = (struct clearkeytoken *)key; 92 - u32 keysize = 0; 93 - 94 - if (keylen < sizeof(struct clearkeytoken) || 95 - keylen != sizeof(*t) + t->len) 96 - goto out; 97 - switch (t->keytype) { 98 - case PKEY_KEYTYPE_AES_128: 99 - case PKEY_KEYTYPE_AES_192: 100 - case PKEY_KEYTYPE_AES_256: 101 - keysize = pkey_keytype_aes_to_size(t->keytype); 102 - break; 103 - case PKEY_KEYTYPE_ECC_P256: 104 - keysize = 32; 105 - break; 106 - case PKEY_KEYTYPE_ECC_P384: 107 - keysize = 48; 108 - break; 109 - case PKEY_KEYTYPE_ECC_P521: 110 - keysize = 80; 111 - break; 112 - case PKEY_KEYTYPE_ECC_ED25519: 113 - keysize = 32; 114 - break; 115 - case PKEY_KEYTYPE_ECC_ED448: 116 - keysize = 64; 117 - break; 118 - default: 119 - break; 120 - } 121 - if (!keysize) { 122 - PKEY_DBF_ERR("%s clear key token: unknown keytype %u\n", 123 - __func__, t->keytype); 124 - goto out; 125 - } 126 - if (t->len != keysize) { 127 - PKEY_DBF_ERR("%s clear key token: invalid key len %u\n", 128 - __func__, t->len); 129 - goto out; 130 - } 131 - rc = pckmo_clr2protkey(t->keytype, t->clearkey, t->len, 132 - protkey, protkeylen, protkeytype); 133 - break; 134 - } 117 + switch (keytype) { 118 + case PKEY_TYPE_PROTKEY: 119 + return true; 135 120 default: 136 - PKEY_DBF_ERR("%s unknown non-CCA token version %d\n", 137 - __func__, hdr->version); 138 - break; 121 + return false; 139 122 } 140 - 141 - out: 142 - pr_debug("rc=%d\n", rc); 143 - return rc; 144 - } 145 - 146 - /* 147 - * Generate a random protected key. 148 - * Currently only the generation of AES protected keys 149 - * is supported. 150 - */ 151 - static int pckmo_gen_protkey(u32 keytype, u8 *protkey, 152 - u32 *protkeylen, u32 *protkeytype) 153 - { 154 - u8 clrkey[32]; 155 - int keysize; 156 - int rc; 157 - 158 - keysize = pkey_keytype_aes_to_size(keytype); 159 - if (!keysize) { 160 - PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", __func__, 161 - keytype); 162 - return -EINVAL; 163 - } 164 - 165 - /* generate a dummy random clear key */ 166 - get_random_bytes(clrkey, keysize); 167 - 168 - /* convert it to a dummy protected key */ 169 - rc = pckmo_clr2protkey(keytype, clrkey, keysize, 170 - protkey, protkeylen, protkeytype); 171 - if (rc) 172 - goto out; 173 - 174 - /* replace the key part of the protected key with random bytes */ 175 - get_random_bytes(protkey, keysize); 176 - 177 - out: 178 - pr_debug("rc=%d\n", rc); 179 - return rc; 180 123 } 181 124 182 125 /* ··· 187 346 } 188 347 189 348 /* 190 - * Verify a protected key blob. 349 + * Verify a raw protected key blob. 191 350 * Currently only AES protected keys are supported. 192 351 */ 193 352 static int pckmo_verify_protkey(const u8 *protkey, u32 protkeylen, ··· 246 405 pr_debug("rc=%d\n", rc); 247 406 return rc; 248 407 } 408 + 409 + static int pckmo_key2protkey(const u8 *key, u32 keylen, 410 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 411 + { 412 + struct keytoken_header *hdr = (struct keytoken_header *)key; 413 + int rc = -EINVAL; 414 + 415 + if (keylen < sizeof(*hdr)) 416 + return -EINVAL; 417 + if (hdr->type != TOKTYPE_NON_CCA) 418 + return -EINVAL; 419 + 420 + switch (hdr->version) { 421 + case TOKVER_PROTECTED_KEY: { 422 + struct protaeskeytoken *t; 423 + 424 + if (keylen != sizeof(struct protaeskeytoken)) 425 + goto out; 426 + t = (struct protaeskeytoken *)key; 427 + rc = pckmo_verify_protkey(t->protkey, t->len, t->keytype); 428 + if (rc) 429 + goto out; 430 + memcpy(protkey, t->protkey, t->len); 431 + *protkeylen = t->len; 432 + *protkeytype = t->keytype; 433 + break; 434 + } 435 + case TOKVER_CLEAR_KEY: { 436 + struct clearkeytoken *t = (struct clearkeytoken *)key; 437 + u32 keysize = 0; 438 + 439 + if (keylen < sizeof(struct clearkeytoken) || 440 + keylen != sizeof(*t) + t->len) 441 + goto out; 442 + switch (t->keytype) { 443 + case PKEY_KEYTYPE_AES_128: 444 + case PKEY_KEYTYPE_AES_192: 445 + case PKEY_KEYTYPE_AES_256: 446 + keysize = pkey_keytype_aes_to_size(t->keytype); 447 + break; 448 + case PKEY_KEYTYPE_ECC_P256: 449 + keysize = 32; 450 + break; 451 + case PKEY_KEYTYPE_ECC_P384: 452 + keysize = 48; 453 + break; 454 + case PKEY_KEYTYPE_ECC_P521: 455 + keysize = 80; 456 + break; 457 + case PKEY_KEYTYPE_ECC_ED25519: 458 + keysize = 32; 459 + break; 460 + case PKEY_KEYTYPE_ECC_ED448: 461 + keysize = 64; 462 + break; 463 + default: 464 + break; 465 + } 466 + if (!keysize) { 467 + PKEY_DBF_ERR("%s clear key token: unknown keytype %u\n", 468 + __func__, t->keytype); 469 + goto out; 470 + } 471 + if (t->len != keysize) { 472 + PKEY_DBF_ERR("%s clear key token: invalid key len %u\n", 473 + __func__, t->len); 474 + goto out; 475 + } 476 + rc = pckmo_clr2protkey(t->keytype, t->clearkey, t->len, 477 + protkey, protkeylen, protkeytype); 478 + break; 479 + } 480 + default: 481 + PKEY_DBF_ERR("%s unknown non-CCA token version %d\n", 482 + __func__, hdr->version); 483 + break; 484 + } 485 + 486 + out: 487 + pr_debug("rc=%d\n", rc); 488 + return rc; 489 + } 490 + 491 + /* 492 + * Generate a random protected key. 493 + * Currently only the generation of AES protected keys 494 + * is supported. 495 + */ 496 + static int pckmo_gen_protkey(u32 keytype, u32 subtype, 497 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 498 + { 499 + u8 clrkey[32]; 500 + int keysize; 501 + int rc; 502 + 503 + keysize = pkey_keytype_aes_to_size(keytype); 504 + if (!keysize) { 505 + PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", __func__, 506 + keytype); 507 + return -EINVAL; 508 + } 509 + if (subtype != PKEY_TYPE_PROTKEY) { 510 + PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 511 + __func__, subtype); 512 + return -EINVAL; 513 + } 514 + 515 + /* generate a dummy random clear key */ 516 + get_random_bytes(clrkey, keysize); 517 + 518 + /* convert it to a dummy protected key */ 519 + rc = pckmo_clr2protkey(keytype, clrkey, keysize, 520 + protkey, protkeylen, protkeytype); 521 + if (rc) 522 + goto out; 523 + 524 + /* replace the key part of the protected key with random bytes */ 525 + get_random_bytes(protkey, keysize); 526 + 527 + out: 528 + pr_debug("rc=%d\n", rc); 529 + return rc; 530 + } 531 + 532 + /* 533 + * Verify a protected key token blob. 534 + * Currently only AES protected keys are supported. 535 + */ 536 + static int pckmo_verify_key(const u8 *key, u32 keylen) 537 + { 538 + struct keytoken_header *hdr = (struct keytoken_header *)key; 539 + int rc = -EINVAL; 540 + 541 + if (keylen < sizeof(*hdr)) 542 + return -EINVAL; 543 + if (hdr->type != TOKTYPE_NON_CCA) 544 + return -EINVAL; 545 + 546 + switch (hdr->version) { 547 + case TOKVER_PROTECTED_KEY: { 548 + struct protaeskeytoken *t; 549 + 550 + if (keylen != sizeof(struct protaeskeytoken)) 551 + goto out; 552 + t = (struct protaeskeytoken *)key; 553 + rc = pckmo_verify_protkey(t->protkey, t->len, t->keytype); 554 + break; 555 + } 556 + default: 557 + PKEY_DBF_ERR("%s unknown non-CCA token version %d\n", 558 + __func__, hdr->version); 559 + break; 560 + } 561 + 562 + out: 563 + pr_debug("rc=%d\n", rc); 564 + return rc; 565 + } 566 + 567 + /* 568 + * Wrapper functions used for the pkey handler struct 569 + */ 570 + 571 + static int pkey_pckmo_key2protkey(const struct pkey_apqn *_apqns, 572 + size_t _nr_apqns, 573 + const u8 *key, u32 keylen, 574 + u8 *protkey, u32 *protkeylen, u32 *keyinfo) 575 + { 576 + return pckmo_key2protkey(key, keylen, 577 + protkey, protkeylen, keyinfo); 578 + } 579 + 580 + static int pkey_pckmo_gen_key(const struct pkey_apqn *_apqns, size_t _nr_apqns, 581 + u32 keytype, u32 keysubtype, 582 + u32 _keybitsize, u32 _flags, 583 + u8 *keybuf, u32 *keybuflen, u32 *keyinfo) 584 + { 585 + return pckmo_gen_protkey(keytype, keysubtype, 586 + keybuf, keybuflen, keyinfo); 587 + } 588 + 589 + static int pkey_pckmo_verifykey(const u8 *key, u32 keylen, 590 + u16 *_card, u16 *_dom, 591 + u32 *_keytype, u32 *_keybitsize, u32 *_flags) 592 + { 593 + return pckmo_verify_key(key, keylen); 594 + } 595 + 596 + static struct pkey_handler pckmo_handler = { 597 + .module = THIS_MODULE, 598 + .name = "PKEY PCKMO handler", 599 + .is_supported_key = is_pckmo_key, 600 + .is_supported_keytype = is_pckmo_keytype, 601 + .key_to_protkey = pkey_pckmo_key2protkey, 602 + .gen_key = pkey_pckmo_gen_key, 603 + .verify_key = pkey_pckmo_verifykey, 604 + }; 605 + 606 + /* 607 + * Module init 608 + */ 609 + static int __init pkey_pckmo_init(void) 610 + { 611 + cpacf_mask_t func_mask; 612 + 613 + /* 614 + * The pckmo instruction should be available - even if we don't 615 + * actually invoke it. This instruction comes with MSA 3 which 616 + * is also the minimum level for the kmc instructions which 617 + * are able to work with protected keys. 618 + */ 619 + if (!cpacf_query(CPACF_PCKMO, &func_mask)) 620 + return -ENODEV; 621 + 622 + /* register this module as pkey handler for all the pckmo stuff */ 623 + return pkey_handler_register(&pckmo_handler); 624 + } 625 + 626 + /* 627 + * Module exit 628 + */ 629 + static void __exit pkey_pckmo_exit(void) 630 + { 631 + /* unregister this module as pkey handler */ 632 + pkey_handler_unregister(&pckmo_handler); 633 + } 634 + 635 + module_cpu_feature_match(S390_CPU_FEATURE_MSA, pkey_pckmo_init); 636 + module_exit(pkey_pckmo_exit);
+34 -87
drivers/s390/crypto/pkey_sysfs.c
··· 8 8 #define KMSG_COMPONENT "pkey" 9 9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 10 10 11 - #include <asm/pkey.h> 12 11 #include <linux/sysfs.h> 13 12 14 13 #include "zcrypt_api.h" ··· 41 42 protkeytoken.keytype = keytype; 42 43 43 44 protkey.len = sizeof(protkey.protkey); 44 - rc = pkey_pckmo_gen_key(0, 0, 45 - protkeytoken.keytype, 0, 0, 0, 46 - protkey.protkey, &protkey.len, 47 - &protkey.type); 45 + rc = pkey_handler_gen_key(NULL, 0, keytype, 46 + PKEY_TYPE_PROTKEY, 0, 0, 47 + protkey.protkey, &protkey.len, 48 + &protkey.type); 48 49 if (rc) 49 50 return rc; 50 51 ··· 56 57 if (is_xts) { 57 58 /* xts needs a second protected key, reuse protkey struct */ 58 59 protkey.len = sizeof(protkey.protkey); 59 - rc = pkey_pckmo_gen_key(0, 0, 60 - protkeytoken.keytype, 0, 0, 0, 61 - protkey.protkey, &protkey.len, 62 - &protkey.type); 60 + rc = pkey_handler_gen_key(NULL, 0, keytype, 61 + PKEY_TYPE_PROTKEY, 0, 0, 62 + protkey.protkey, &protkey.len, 63 + &protkey.type); 63 64 if (rc) 64 65 return rc; 65 66 ··· 165 166 return -EINVAL; 166 167 167 168 buflen = sizeof(seckey->seckey); 168 - rc = pkey_cca_gen_key(-1, -1, keytype, 169 - PKEY_TYPE_CCA_DATA, 0, 0, 170 - seckey->seckey, &buflen, NULL); 169 + rc = pkey_handler_gen_key(NULL, 0, keytype, 170 + PKEY_TYPE_CCA_DATA, 0, 0, 171 + seckey->seckey, &buflen, NULL); 171 172 if (rc) 172 173 return rc; 173 174 174 175 if (is_xts) { 175 176 seckey++; 176 177 buflen = sizeof(seckey->seckey); 177 - rc = pkey_cca_gen_key(-1, -1, keytype, 178 - PKEY_TYPE_CCA_DATA, 0, 0, 179 - seckey->seckey, &buflen, NULL); 178 + rc = pkey_handler_gen_key(NULL, 0, keytype, 179 + PKEY_TYPE_CCA_DATA, 0, 0, 180 + seckey->seckey, &buflen, NULL); 180 181 if (rc) 181 182 return rc; 182 183 ··· 269 270 size_t count) 270 271 { 271 272 u32 keysize = CCACIPHERTOKENSIZE; 272 - struct pkey_apqn *apqns = NULL; 273 - int i, rc, card, dom; 274 - size_t nr_apqns; 273 + int rc; 275 274 276 275 if (off != 0 || count < CCACIPHERTOKENSIZE) 277 276 return -EINVAL; ··· 277 280 if (count < 2 * CCACIPHERTOKENSIZE) 278 281 return -EINVAL; 279 282 280 - nr_apqns = MAXAPQNSINLIST; 281 - apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), GFP_KERNEL); 282 - if (!apqns) 283 - return -ENOMEM; 284 - 285 - /* build a list of apqns able to generate an cipher key */ 286 - rc = pkey_cca_apqns4type(PKEY_TYPE_CCA_CIPHER, 287 - NULL, NULL, 0, 288 - apqns, &nr_apqns); 289 - if (rc) { 290 - kfree(apqns); 291 - return rc; 292 - } 293 - 294 283 memset(buf, 0, is_xts ? 2 * keysize : keysize); 295 284 296 - /* simple try all apqns from the list */ 297 - for (i = 0, rc = -ENODEV; rc && i < nr_apqns; i++) { 298 - card = apqns[i].card; 299 - dom = apqns[i].domain; 300 - rc = pkey_cca_gen_key(card, dom, 301 - pkey_aes_bitsize_to_keytype(keybits), 302 - PKEY_TYPE_CCA_CIPHER, keybits, 0, 303 - buf, &keysize, NULL); 304 - } 305 - if (rc) { 306 - kfree(apqns); 285 + rc = pkey_handler_gen_key(NULL, 0, 286 + pkey_aes_bitsize_to_keytype(keybits), 287 + PKEY_TYPE_CCA_CIPHER, keybits, 0, 288 + buf, &keysize, NULL); 289 + if (rc) 307 290 return rc; 308 - } 309 291 310 292 if (is_xts) { 311 293 keysize = CCACIPHERTOKENSIZE; 312 294 buf += CCACIPHERTOKENSIZE; 313 - rc = pkey_cca_gen_key(card, dom, 314 - pkey_aes_bitsize_to_keytype(keybits), 315 - PKEY_TYPE_CCA_CIPHER, keybits, 0, 316 - buf, &keysize, NULL); 317 - kfree(apqns); 295 + rc = pkey_handler_gen_key(NULL, 0, 296 + pkey_aes_bitsize_to_keytype(keybits), 297 + PKEY_TYPE_CCA_CIPHER, keybits, 0, 298 + buf, &keysize, NULL); 318 299 if (rc) 319 300 return rc; 320 301 return 2 * CCACIPHERTOKENSIZE; 321 302 } 322 - 323 - kfree(apqns); 324 303 325 304 return CCACIPHERTOKENSIZE; 326 305 } ··· 385 412 size_t count) 386 413 { 387 414 u32 keysize = MAXEP11AESKEYBLOBSIZE; 388 - struct pkey_apqn *apqns = NULL; 389 - int i, rc, card, dom; 390 - size_t nr_apqns; 415 + int rc; 391 416 392 417 if (off != 0 || count < MAXEP11AESKEYBLOBSIZE) 393 418 return -EINVAL; ··· 393 422 if (count < 2 * MAXEP11AESKEYBLOBSIZE) 394 423 return -EINVAL; 395 424 396 - nr_apqns = MAXAPQNSINLIST; 397 - apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), GFP_KERNEL); 398 - if (!apqns) 399 - return -ENOMEM; 400 - 401 - /* build a list of apqns able to generate an EP11 AES key */ 402 - rc = pkey_ep11_apqns4type(PKEY_TYPE_EP11_AES, 403 - NULL, NULL, 0, 404 - apqns, &nr_apqns); 405 - if (rc) { 406 - kfree(apqns); 407 - return rc; 408 - } 409 - 410 425 memset(buf, 0, is_xts ? 2 * keysize : keysize); 411 426 412 - /* simple try all apqns from the list */ 413 - for (i = 0, rc = -ENODEV; rc && i < nr_apqns; i++) { 414 - card = apqns[i].card; 415 - dom = apqns[i].domain; 416 - rc = pkey_ep11_gen_key(card, dom, 417 - pkey_aes_bitsize_to_keytype(keybits), 418 - PKEY_TYPE_EP11_AES, keybits, 0, 419 - buf, &keysize, NULL); 420 - } 421 - if (rc) { 422 - kfree(apqns); 427 + rc = pkey_handler_gen_key(NULL, 0, 428 + pkey_aes_bitsize_to_keytype(keybits), 429 + PKEY_TYPE_EP11_AES, keybits, 0, 430 + buf, &keysize, NULL); 431 + if (rc) 423 432 return rc; 424 - } 425 433 426 434 if (is_xts) { 427 435 keysize = MAXEP11AESKEYBLOBSIZE; 428 436 buf += MAXEP11AESKEYBLOBSIZE; 429 - rc = pkey_ep11_gen_key(card, dom, 430 - pkey_aes_bitsize_to_keytype(keybits), 431 - PKEY_TYPE_EP11_AES, keybits, 0, 432 - buf, &keysize, NULL); 433 - kfree(apqns); 437 + rc = pkey_handler_gen_key(NULL, 0, 438 + pkey_aes_bitsize_to_keytype(keybits), 439 + PKEY_TYPE_EP11_AES, keybits, 0, 440 + buf, &keysize, NULL); 434 441 if (rc) 435 442 return rc; 436 443 return 2 * MAXEP11AESKEYBLOBSIZE; 437 444 } 438 - 439 - kfree(apqns); 440 445 441 446 return MAXEP11AESKEYBLOBSIZE; 442 447 }