Merge branch 'protected-key' into features

+1 -1

arch/s390/crypto/chacha-glue.c

··· 82 82 * it cannot handle a block of data or less, but otherwise 83 83 * it can handle data of arbitrary size 84 84 */ 85 - if (bytes <= CHACHA_BLOCK_SIZE || nrounds != 20) 85 + if (bytes <= CHACHA_BLOCK_SIZE || nrounds != 20 || !MACHINE_HAS_VX) 86 86 chacha_crypt_generic(state, dst, src, bytes, nrounds); 87 87 else 88 88 chacha20_crypt_s390(state, dst, src, bytes,

+7 -2

arch/s390/crypto/paes_s390.c

··· 5 5 * s390 implementation of the AES Cipher Algorithm with protected keys. 6 6 * 7 7 * s390 Version: 8 - * Copyright IBM Corp. 2017,2020 8 + * Copyright IBM Corp. 2017, 2023 9 9 * Author(s): Martin Schwidefsky <schwidefsky@de.ibm.com> 10 10 * Harald Freudenberger <freude@de.ibm.com> 11 11 */ ··· 132 132 if (i > 0 && ret == -EAGAIN && in_task()) 133 133 if (msleep_interruptible(1000)) 134 134 return -EINTR; 135 - ret = pkey_keyblob2pkey(kb->key, kb->keylen, pk); 135 + ret = pkey_keyblob2pkey(kb->key, kb->keylen, 136 + pk->protkey, &pk->len, &pk->type); 136 137 if (ret == 0) 137 138 break; 138 139 } ··· 146 145 int ret; 147 146 struct pkey_protkey pkey; 148 147 148 + pkey.len = sizeof(pkey.protkey); 149 149 ret = __paes_keyblob2pkey(&ctx->kb, &pkey); 150 150 if (ret) 151 151 return ret; ··· 415 413 static inline int __xts_paes_convert_key(struct s390_pxts_ctx *ctx) 416 414 { 417 415 struct pkey_protkey pkey0, pkey1; 416 + 417 + pkey0.len = sizeof(pkey0.protkey); 418 + pkey1.len = sizeof(pkey1.protkey); 418 419 419 420 if (__paes_keyblob2pkey(&ctx->kb[0], &pkey0) || 420 421 __paes_keyblob2pkey(&ctx->kb[1], &pkey1))

+6 -1

arch/s390/include/asm/cpacf.h

··· 2 2 /* 3 3 * CP Assist for Cryptographic Functions (CPACF) 4 4 * 5 - * Copyright IBM Corp. 2003, 2017 5 + * Copyright IBM Corp. 2003, 2023 6 6 * Author(s): Thomas Spatzier 7 7 * Jan Glauber 8 8 * Harald Freudenberger (freude@de.ibm.com) ··· 132 132 #define CPACF_PCKMO_ENC_AES_128_KEY 0x12 133 133 #define CPACF_PCKMO_ENC_AES_192_KEY 0x13 134 134 #define CPACF_PCKMO_ENC_AES_256_KEY 0x14 135 + #define CPACF_PCKMO_ENC_ECC_P256_KEY 0x20 136 + #define CPACF_PCKMO_ENC_ECC_P384_KEY 0x21 137 + #define CPACF_PCKMO_ENC_ECC_P521_KEY 0x22 138 + #define CPACF_PCKMO_ENC_ECC_ED25519_KEY 0x28 139 + #define CPACF_PCKMO_ENC_ECC_ED448_KEY 0x29 135 140 136 141 /* 137 142 * Function codes for the PRNO (PERFORM RANDOM NUMBER OPERATION)

+2 -2

arch/s390/include/asm/pkey.h

··· 2 2 /* 3 3 * Kernelspace interface to the pkey device driver 4 4 * 5 - * Copyright IBM Corp. 2016,2019 5 + * Copyright IBM Corp. 2016, 2023 6 6 * 7 7 * Author: Harald Freudenberger <freude@de.ibm.com> 8 8 * ··· 23 23 * @return 0 on success, negative errno value on failure 24 24 */ 25 25 int pkey_keyblob2pkey(const u8 *key, u32 keylen, 26 - struct pkey_protkey *protkey); 26 + u8 *protkey, u32 *protkeylen, u32 *protkeytype); 27 27 28 28 #endif /* _KAPI_PKEY_H */

+10 -5

arch/s390/include/uapi/asm/pkey.h

··· 2 2 /* 3 3 * Userspace interface to the pkey device driver 4 4 * 5 - * Copyright IBM Corp. 2017, 2019 5 + * Copyright IBM Corp. 2017, 2023 6 6 * 7 7 * Author: Harald Freudenberger <freude@de.ibm.com> 8 8 * ··· 32 32 #define MINKEYBLOBSIZE SECKEYBLOBSIZE 33 33 34 34 /* defines for the type field within the pkey_protkey struct */ 35 - #define PKEY_KEYTYPE_AES_128 1 36 - #define PKEY_KEYTYPE_AES_192 2 37 - #define PKEY_KEYTYPE_AES_256 3 38 - #define PKEY_KEYTYPE_ECC 4 35 + #define PKEY_KEYTYPE_AES_128 1 36 + #define PKEY_KEYTYPE_AES_192 2 37 + #define PKEY_KEYTYPE_AES_256 3 38 + #define PKEY_KEYTYPE_ECC 4 39 + #define PKEY_KEYTYPE_ECC_P256 5 40 + #define PKEY_KEYTYPE_ECC_P384 6 41 + #define PKEY_KEYTYPE_ECC_P521 7 42 + #define PKEY_KEYTYPE_ECC_ED25519 8 43 + #define PKEY_KEYTYPE_ECC_ED448 9 39 44 40 45 /* the newer ioctls use a pkey_key_type enum for type information */ 41 46 enum pkey_key_type {

+338 -174

drivers/s390/crypto/pkey_api.c

··· 2 2 /* 3 3 * pkey device driver 4 4 * 5 - * Copyright IBM Corp. 2017,2019 5 + * Copyright IBM Corp. 2017, 2023 6 + * 6 7 * Author(s): Harald Freudenberger 7 8 */ 8 9 ··· 33 32 MODULE_DESCRIPTION("s390 protected key interface"); 34 33 35 34 #define KEYBLOBBUFSIZE 8192 /* key buffer size used for internal processing */ 35 + #define MINKEYBLOBBUFSIZE (sizeof(struct keytoken_header)) 36 36 #define PROTKEYBLOBBUFSIZE 256 /* protected key buffer size used internal */ 37 37 #define MAXAPQNSINLIST 64 /* max 64 apqns within a apqn list */ 38 + #define AES_WK_VP_SIZE 32 /* Size of WK VP block appended to a prot key */ 38 39 39 40 /* 40 41 * debug feature data and functions ··· 74 71 } __packed; 75 72 76 73 /* inside view of a clear key token (type 0x00 version 0x02) */ 77 - struct clearaeskeytoken { 78 - u8 type; /* 0x00 for PAES specific key tokens */ 74 + struct clearkeytoken { 75 + u8 type; /* 0x00 for PAES specific key tokens */ 79 76 u8 res0[3]; 80 - u8 version; /* 0x02 for clear AES key token */ 77 + u8 version; /* 0x02 for clear key token */ 81 78 u8 res1[3]; 82 - u32 keytype; /* key type, one of the PKEY_KEYTYPE values */ 83 - u32 len; /* bytes actually stored in clearkey[] */ 79 + u32 keytype; /* key type, one of the PKEY_KEYTYPE_* values */ 80 + u32 len; /* bytes actually stored in clearkey[] */ 84 81 u8 clearkey[]; /* clear key value */ 85 82 } __packed; 86 83 84 + /* helper function which translates the PKEY_KEYTYPE_AES_* to their keysize */ 85 + static inline u32 pkey_keytype_aes_to_size(u32 keytype) 86 + { 87 + switch (keytype) { 88 + case PKEY_KEYTYPE_AES_128: 89 + return 16; 90 + case PKEY_KEYTYPE_AES_192: 91 + return 24; 92 + case PKEY_KEYTYPE_AES_256: 93 + return 32; 94 + default: 95 + return 0; 96 + } 97 + } 98 + 87 99 /* 88 - * Create a protected key from a clear key value. 100 + * Create a protected key from a clear key value via PCKMO instruction. 89 101 */ 90 - static int pkey_clr2protkey(u32 keytype, 91 - const struct pkey_clrkey *clrkey, 92 - struct pkey_protkey *protkey) 102 + static int pkey_clr2protkey(u32 keytype, const u8 *clrkey, 103 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 93 104 { 94 105 /* mask of available pckmo subfunctions */ 95 106 static cpacf_mask_t pckmo_functions; 96 107 97 - long fc; 108 + u8 paramblock[112]; 109 + u32 pkeytype; 98 110 int keysize; 99 - u8 paramblock[64]; 111 + long fc; 100 112 101 113 switch (keytype) { 102 114 case PKEY_KEYTYPE_AES_128: 115 + /* 16 byte key, 32 byte aes wkvp, total 48 bytes */ 103 116 keysize = 16; 117 + pkeytype = keytype; 104 118 fc = CPACF_PCKMO_ENC_AES_128_KEY; 105 119 break; 106 120 case PKEY_KEYTYPE_AES_192: 121 + /* 24 byte key, 32 byte aes wkvp, total 56 bytes */ 107 122 keysize = 24; 123 + pkeytype = keytype; 108 124 fc = CPACF_PCKMO_ENC_AES_192_KEY; 109 125 break; 110 126 case PKEY_KEYTYPE_AES_256: 127 + /* 32 byte key, 32 byte aes wkvp, total 64 bytes */ 111 128 keysize = 32; 129 + pkeytype = keytype; 112 130 fc = CPACF_PCKMO_ENC_AES_256_KEY; 113 131 break; 132 + case PKEY_KEYTYPE_ECC_P256: 133 + /* 32 byte key, 32 byte aes wkvp, total 64 bytes */ 134 + keysize = 32; 135 + pkeytype = PKEY_KEYTYPE_ECC; 136 + fc = CPACF_PCKMO_ENC_ECC_P256_KEY; 137 + break; 138 + case PKEY_KEYTYPE_ECC_P384: 139 + /* 48 byte key, 32 byte aes wkvp, total 80 bytes */ 140 + keysize = 48; 141 + pkeytype = PKEY_KEYTYPE_ECC; 142 + fc = CPACF_PCKMO_ENC_ECC_P384_KEY; 143 + break; 144 + case PKEY_KEYTYPE_ECC_P521: 145 + /* 80 byte key, 32 byte aes wkvp, total 112 bytes */ 146 + keysize = 80; 147 + pkeytype = PKEY_KEYTYPE_ECC; 148 + fc = CPACF_PCKMO_ENC_ECC_P521_KEY; 149 + break; 150 + case PKEY_KEYTYPE_ECC_ED25519: 151 + /* 32 byte key, 32 byte aes wkvp, total 64 bytes */ 152 + keysize = 32; 153 + pkeytype = PKEY_KEYTYPE_ECC; 154 + fc = CPACF_PCKMO_ENC_ECC_ED25519_KEY; 155 + break; 156 + case PKEY_KEYTYPE_ECC_ED448: 157 + /* 64 byte key, 32 byte aes wkvp, total 96 bytes */ 158 + keysize = 64; 159 + pkeytype = PKEY_KEYTYPE_ECC; 160 + fc = CPACF_PCKMO_ENC_ECC_ED448_KEY; 161 + break; 114 162 default: 115 - DEBUG_ERR("%s unknown/unsupported keytype %d\n", 163 + DEBUG_ERR("%s unknown/unsupported keytype %u\n", 116 164 __func__, keytype); 165 + return -EINVAL; 166 + } 167 + 168 + if (*protkeylen < keysize + AES_WK_VP_SIZE) { 169 + DEBUG_ERR("%s prot key buffer size too small: %u < %d\n", 170 + __func__, *protkeylen, keysize + AES_WK_VP_SIZE); 117 171 return -EINVAL; 118 172 } 119 173 ··· 188 128 189 129 /* prepare param block */ 190 130 memset(paramblock, 0, sizeof(paramblock)); 191 - memcpy(paramblock, clrkey->clrkey, keysize); 131 + memcpy(paramblock, clrkey, keysize); 192 132 193 133 /* call the pckmo instruction */ 194 134 cpacf_pckmo(fc, paramblock); 195 135 196 - /* copy created protected key */ 197 - protkey->type = keytype; 198 - protkey->len = keysize + 32; 199 - memcpy(protkey->protkey, paramblock, keysize + 32); 136 + /* copy created protected key to key buffer including the wkvp block */ 137 + *protkeylen = keysize + AES_WK_VP_SIZE; 138 + memcpy(protkey, paramblock, *protkeylen); 139 + *protkeytype = pkeytype; 200 140 201 141 return 0; 202 142 } ··· 204 144 /* 205 145 * Find card and transform secure key into protected key. 206 146 */ 207 - static int pkey_skey2pkey(const u8 *key, struct pkey_protkey *pkey) 147 + static int pkey_skey2pkey(const u8 *key, u8 *protkey, 148 + u32 *protkeylen, u32 *protkeytype) 208 149 { 209 - int rc, verify; 210 - u16 cardnr, domain; 211 150 struct keytoken_header *hdr = (struct keytoken_header *)key; 151 + u16 cardnr, domain; 152 + int rc, verify; 212 153 213 154 zcrypt_wait_api_operational(); 214 155 ··· 228 167 continue; 229 168 switch (hdr->version) { 230 169 case TOKVER_CCA_AES: 231 - rc = cca_sec2protkey(cardnr, domain, 232 - key, pkey->protkey, 233 - &pkey->len, &pkey->type); 170 + rc = cca_sec2protkey(cardnr, domain, key, 171 + protkey, protkeylen, protkeytype); 234 172 break; 235 173 case TOKVER_CCA_VLSC: 236 - rc = cca_cipher2protkey(cardnr, domain, 237 - key, pkey->protkey, 238 - &pkey->len, &pkey->type); 174 + rc = cca_cipher2protkey(cardnr, domain, key, 175 + protkey, protkeylen, 176 + protkeytype); 239 177 break; 240 178 default: 241 179 return -EINVAL; ··· 255 195 static int pkey_clr2ep11key(const u8 *clrkey, size_t clrkeylen, 256 196 u8 *keybuf, size_t *keybuflen) 257 197 { 258 - int i, rc; 259 - u16 card, dom; 260 198 u32 nr_apqns, *apqns = NULL; 199 + u16 card, dom; 200 + int i, rc; 261 201 262 202 zcrypt_wait_api_operational(); 263 203 ··· 287 227 /* 288 228 * Find card and transform EP11 secure key into protected key. 289 229 */ 290 - static int pkey_ep11key2pkey(const u8 *key, struct pkey_protkey *pkey) 230 + static int pkey_ep11key2pkey(const u8 *key, u8 *protkey, 231 + u32 *protkeylen, u32 *protkeytype) 291 232 { 292 - int i, rc; 293 - u16 card, dom; 294 - u32 nr_apqns, *apqns = NULL; 295 233 struct ep11keyblob *kb = (struct ep11keyblob *)key; 234 + u32 nr_apqns, *apqns = NULL; 235 + u16 card, dom; 236 + int i, rc; 296 237 297 238 zcrypt_wait_api_operational(); 298 239 ··· 307 246 for (rc = -ENODEV, i = 0; i < nr_apqns; i++) { 308 247 card = apqns[i] >> 16; 309 248 dom = apqns[i] & 0xFFFF; 310 - pkey->len = sizeof(pkey->protkey); 311 249 rc = ep11_kblob2protkey(card, dom, key, kb->head.len, 312 - pkey->protkey, &pkey->len, &pkey->type); 250 + protkey, protkeylen, protkeytype); 313 251 if (rc == 0) 314 252 break; 315 253 } ··· 366 306 /* 367 307 * Generate a random protected key 368 308 */ 369 - static int pkey_genprotkey(u32 keytype, struct pkey_protkey *protkey) 309 + static int pkey_genprotkey(u32 keytype, u8 *protkey, 310 + u32 *protkeylen, u32 *protkeytype) 370 311 { 371 - struct pkey_clrkey clrkey; 312 + u8 clrkey[32]; 372 313 int keysize; 373 314 int rc; 374 315 375 - switch (keytype) { 376 - case PKEY_KEYTYPE_AES_128: 377 - keysize = 16; 378 - break; 379 - case PKEY_KEYTYPE_AES_192: 380 - keysize = 24; 381 - break; 382 - case PKEY_KEYTYPE_AES_256: 383 - keysize = 32; 384 - break; 385 - default: 316 + keysize = pkey_keytype_aes_to_size(keytype); 317 + if (!keysize) { 386 318 DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__, 387 319 keytype); 388 320 return -EINVAL; 389 321 } 390 322 391 323 /* generate a dummy random clear key */ 392 - get_random_bytes(clrkey.clrkey, keysize); 324 + get_random_bytes(clrkey, keysize); 393 325 394 326 /* convert it to a dummy protected key */ 395 - rc = pkey_clr2protkey(keytype, &clrkey, protkey); 327 + rc = pkey_clr2protkey(keytype, clrkey, 328 + protkey, protkeylen, protkeytype); 396 329 if (rc) 397 330 return rc; 398 331 399 332 /* replace the key part of the protected key with random bytes */ 400 - get_random_bytes(protkey->protkey, keysize); 333 + get_random_bytes(protkey, keysize); 401 334 402 335 return 0; 403 336 } ··· 398 345 /* 399 346 * Verify if a protected key is still valid 400 347 */ 401 - static int pkey_verifyprotkey(const struct pkey_protkey *protkey) 348 + static int pkey_verifyprotkey(const u8 *protkey, u32 protkeylen, 349 + u32 protkeytype) 402 350 { 403 - unsigned long fc; 404 351 struct { 405 352 u8 iv[AES_BLOCK_SIZE]; 406 353 u8 key[MAXPROTKEYSIZE]; 407 354 } param; 408 355 u8 null_msg[AES_BLOCK_SIZE]; 409 356 u8 dest_buf[AES_BLOCK_SIZE]; 410 - unsigned int k; 357 + unsigned int k, pkeylen; 358 + unsigned long fc; 411 359 412 - switch (protkey->type) { 360 + switch (protkeytype) { 413 361 case PKEY_KEYTYPE_AES_128: 362 + pkeylen = 16 + AES_WK_VP_SIZE; 414 363 fc = CPACF_KMC_PAES_128; 415 364 break; 416 365 case PKEY_KEYTYPE_AES_192: 366 + pkeylen = 24 + AES_WK_VP_SIZE; 417 367 fc = CPACF_KMC_PAES_192; 418 368 break; 419 369 case PKEY_KEYTYPE_AES_256: 370 + pkeylen = 32 + AES_WK_VP_SIZE; 420 371 fc = CPACF_KMC_PAES_256; 421 372 break; 422 373 default: 423 - DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__, 424 - protkey->type); 374 + DEBUG_ERR("%s unknown/unsupported keytype %u\n", __func__, 375 + protkeytype); 376 + return -EINVAL; 377 + } 378 + if (protkeylen != pkeylen) { 379 + DEBUG_ERR("%s invalid protected key size %u for keytype %u\n", 380 + __func__, protkeylen, protkeytype); 425 381 return -EINVAL; 426 382 } 427 383 428 384 memset(null_msg, 0, sizeof(null_msg)); 429 385 430 386 memset(param.iv, 0, sizeof(param.iv)); 431 - memcpy(param.key, protkey->protkey, sizeof(param.key)); 387 + memcpy(param.key, protkey, protkeylen); 432 388 433 389 k = cpacf_kmc(fc | CPACF_ENCRYPT, &param, null_msg, dest_buf, 434 390 sizeof(null_msg)); ··· 449 387 return 0; 450 388 } 451 389 390 + /* Helper for pkey_nonccatok2pkey, handles aes clear key token */ 391 + static int nonccatokaes2pkey(const struct clearkeytoken *t, 392 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 393 + { 394 + size_t tmpbuflen = max_t(size_t, SECKEYBLOBSIZE, MAXEP11AESKEYBLOBSIZE); 395 + u8 *tmpbuf = NULL; 396 + u32 keysize; 397 + int rc; 398 + 399 + keysize = pkey_keytype_aes_to_size(t->keytype); 400 + if (!keysize) { 401 + DEBUG_ERR("%s unknown/unsupported keytype %u\n", 402 + __func__, t->keytype); 403 + return -EINVAL; 404 + } 405 + if (t->len != keysize) { 406 + DEBUG_ERR("%s non clear key aes token: invalid key len %u\n", 407 + __func__, t->len); 408 + return -EINVAL; 409 + } 410 + 411 + /* try direct way with the PCKMO instruction */ 412 + rc = pkey_clr2protkey(t->keytype, t->clearkey, 413 + protkey, protkeylen, protkeytype); 414 + if (!rc) 415 + goto out; 416 + 417 + /* PCKMO failed, so try the CCA secure key way */ 418 + tmpbuf = kmalloc(tmpbuflen, GFP_ATOMIC); 419 + if (!tmpbuf) 420 + return -ENOMEM; 421 + zcrypt_wait_api_operational(); 422 + rc = cca_clr2seckey(0xFFFF, 0xFFFF, t->keytype, t->clearkey, tmpbuf); 423 + if (rc) 424 + goto try_via_ep11; 425 + rc = pkey_skey2pkey(tmpbuf, 426 + protkey, protkeylen, protkeytype); 427 + if (!rc) 428 + goto out; 429 + 430 + try_via_ep11: 431 + /* if the CCA way also failed, let's try via EP11 */ 432 + rc = pkey_clr2ep11key(t->clearkey, t->len, 433 + tmpbuf, &tmpbuflen); 434 + if (rc) 435 + goto failure; 436 + rc = pkey_ep11key2pkey(tmpbuf, 437 + protkey, protkeylen, protkeytype); 438 + if (!rc) 439 + goto out; 440 + 441 + failure: 442 + DEBUG_ERR("%s unable to build protected key from clear", __func__); 443 + 444 + out: 445 + kfree(tmpbuf); 446 + return rc; 447 + } 448 + 449 + /* Helper for pkey_nonccatok2pkey, handles ecc clear key token */ 450 + static int nonccatokecc2pkey(const struct clearkeytoken *t, 451 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 452 + { 453 + u32 keylen; 454 + int rc; 455 + 456 + switch (t->keytype) { 457 + case PKEY_KEYTYPE_ECC_P256: 458 + keylen = 32; 459 + break; 460 + case PKEY_KEYTYPE_ECC_P384: 461 + keylen = 48; 462 + break; 463 + case PKEY_KEYTYPE_ECC_P521: 464 + keylen = 80; 465 + break; 466 + case PKEY_KEYTYPE_ECC_ED25519: 467 + keylen = 32; 468 + break; 469 + case PKEY_KEYTYPE_ECC_ED448: 470 + keylen = 64; 471 + break; 472 + default: 473 + DEBUG_ERR("%s unknown/unsupported keytype %u\n", 474 + __func__, t->keytype); 475 + return -EINVAL; 476 + } 477 + 478 + if (t->len != keylen) { 479 + DEBUG_ERR("%s non clear key ecc token: invalid key len %u\n", 480 + __func__, t->len); 481 + return -EINVAL; 482 + } 483 + 484 + /* only one path possible: via PCKMO instruction */ 485 + rc = pkey_clr2protkey(t->keytype, t->clearkey, 486 + protkey, protkeylen, protkeytype); 487 + if (rc) { 488 + DEBUG_ERR("%s unable to build protected key from clear", 489 + __func__); 490 + } 491 + 492 + return rc; 493 + } 494 + 452 495 /* 453 496 * Transform a non-CCA key token into a protected key 454 497 */ 455 498 static int pkey_nonccatok2pkey(const u8 *key, u32 keylen, 456 - struct pkey_protkey *protkey) 499 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 457 500 { 458 - int rc = -EINVAL; 459 - u8 *tmpbuf = NULL; 460 501 struct keytoken_header *hdr = (struct keytoken_header *)key; 502 + int rc = -EINVAL; 461 503 462 504 switch (hdr->version) { 463 505 case TOKVER_PROTECTED_KEY: { ··· 570 404 if (keylen != sizeof(struct protaeskeytoken)) 571 405 goto out; 572 406 t = (struct protaeskeytoken *)key; 573 - protkey->len = t->len; 574 - protkey->type = t->keytype; 575 - memcpy(protkey->protkey, t->protkey, 576 - sizeof(protkey->protkey)); 577 - rc = pkey_verifyprotkey(protkey); 407 + rc = pkey_verifyprotkey(t->protkey, t->len, t->keytype); 408 + if (rc) 409 + goto out; 410 + memcpy(protkey, t->protkey, t->len); 411 + *protkeylen = t->len; 412 + *protkeytype = t->keytype; 578 413 break; 579 414 } 580 415 case TOKVER_CLEAR_KEY: { 581 - struct clearaeskeytoken *t; 582 - struct pkey_clrkey ckey; 583 - union u_tmpbuf { 584 - u8 skey[SECKEYBLOBSIZE]; 585 - u8 ep11key[MAXEP11AESKEYBLOBSIZE]; 586 - }; 587 - size_t tmpbuflen = sizeof(union u_tmpbuf); 416 + struct clearkeytoken *t = (struct clearkeytoken *)key; 588 417 589 - if (keylen < sizeof(struct clearaeskeytoken)) 418 + if (keylen < sizeof(struct clearkeytoken) || 419 + keylen != sizeof(*t) + t->len) 590 420 goto out; 591 - t = (struct clearaeskeytoken *)key; 592 - if (keylen != sizeof(*t) + t->len) 593 - goto out; 594 - if ((t->keytype == PKEY_KEYTYPE_AES_128 && t->len == 16) || 595 - (t->keytype == PKEY_KEYTYPE_AES_192 && t->len == 24) || 596 - (t->keytype == PKEY_KEYTYPE_AES_256 && t->len == 32)) 597 - memcpy(ckey.clrkey, t->clearkey, t->len); 598 - else 599 - goto out; 600 - /* alloc temp key buffer space */ 601 - tmpbuf = kmalloc(tmpbuflen, GFP_ATOMIC); 602 - if (!tmpbuf) { 603 - rc = -ENOMEM; 604 - goto out; 421 + switch (t->keytype) { 422 + case PKEY_KEYTYPE_AES_128: 423 + case PKEY_KEYTYPE_AES_192: 424 + case PKEY_KEYTYPE_AES_256: 425 + rc = nonccatokaes2pkey(t, protkey, 426 + protkeylen, protkeytype); 427 + break; 428 + case PKEY_KEYTYPE_ECC_P256: 429 + case PKEY_KEYTYPE_ECC_P384: 430 + case PKEY_KEYTYPE_ECC_P521: 431 + case PKEY_KEYTYPE_ECC_ED25519: 432 + case PKEY_KEYTYPE_ECC_ED448: 433 + rc = nonccatokecc2pkey(t, protkey, 434 + protkeylen, protkeytype); 435 + break; 436 + default: 437 + DEBUG_ERR("%s unknown/unsupported non cca clear key type %u\n", 438 + __func__, t->keytype); 439 + return -EINVAL; 605 440 } 606 - /* try direct way with the PCKMO instruction */ 607 - rc = pkey_clr2protkey(t->keytype, &ckey, protkey); 608 - if (rc == 0) 609 - break; 610 - /* PCKMO failed, so try the CCA secure key way */ 611 - zcrypt_wait_api_operational(); 612 - rc = cca_clr2seckey(0xFFFF, 0xFFFF, t->keytype, 613 - ckey.clrkey, tmpbuf); 614 - if (rc == 0) 615 - rc = pkey_skey2pkey(tmpbuf, protkey); 616 - if (rc == 0) 617 - break; 618 - /* if the CCA way also failed, let's try via EP11 */ 619 - rc = pkey_clr2ep11key(ckey.clrkey, t->len, 620 - tmpbuf, &tmpbuflen); 621 - if (rc == 0) 622 - rc = pkey_ep11key2pkey(tmpbuf, protkey); 623 - /* now we should really have an protected key */ 624 - DEBUG_ERR("%s unable to build protected key from clear", 625 - __func__); 626 441 break; 627 442 } 628 443 case TOKVER_EP11_AES: { ··· 611 464 rc = ep11_check_aes_key(debug_info, 3, key, keylen, 1); 612 465 if (rc) 613 466 goto out; 614 - rc = pkey_ep11key2pkey(key, protkey); 467 + rc = pkey_ep11key2pkey(key, 468 + protkey, protkeylen, protkeytype); 615 469 break; 616 470 } 617 471 case TOKVER_EP11_AES_WITH_HEADER: ··· 621 473 if (rc) 622 474 goto out; 623 475 rc = pkey_ep11key2pkey(key + sizeof(struct ep11kblob_header), 624 - protkey); 476 + protkey, protkeylen, protkeytype); 625 477 break; 626 478 default: 627 479 DEBUG_ERR("%s unknown/unsupported non-CCA token version %d\n", 628 480 __func__, hdr->version); 629 - rc = -EINVAL; 630 481 } 631 482 632 483 out: 633 - kfree(tmpbuf); 634 484 return rc; 635 485 } 636 486 ··· 636 490 * Transform a CCA internal key token into a protected key 637 491 */ 638 492 static int pkey_ccainttok2pkey(const u8 *key, u32 keylen, 639 - struct pkey_protkey *protkey) 493 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 640 494 { 641 495 struct keytoken_header *hdr = (struct keytoken_header *)key; 642 496 ··· 655 509 return -EINVAL; 656 510 } 657 511 658 - return pkey_skey2pkey(key, protkey); 512 + return pkey_skey2pkey(key, protkey, protkeylen, protkeytype); 659 513 } 660 514 661 515 /* 662 516 * Transform a key blob (of any type) into a protected key 663 517 */ 664 518 int pkey_keyblob2pkey(const u8 *key, u32 keylen, 665 - struct pkey_protkey *protkey) 519 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 666 520 { 667 - int rc; 668 521 struct keytoken_header *hdr = (struct keytoken_header *)key; 522 + int rc; 669 523 670 524 if (keylen < sizeof(struct keytoken_header)) { 671 525 DEBUG_ERR("%s invalid keylen %d\n", __func__, keylen); ··· 674 528 675 529 switch (hdr->type) { 676 530 case TOKTYPE_NON_CCA: 677 - rc = pkey_nonccatok2pkey(key, keylen, protkey); 531 + rc = pkey_nonccatok2pkey(key, keylen, 532 + protkey, protkeylen, protkeytype); 678 533 break; 679 534 case TOKTYPE_CCA_INTERNAL: 680 - rc = pkey_ccainttok2pkey(key, keylen, protkey); 535 + rc = pkey_ccainttok2pkey(key, keylen, 536 + protkey, protkeylen, protkeytype); 681 537 break; 682 538 default: 683 539 DEBUG_ERR("%s unknown/unsupported blob type %d\n", ··· 811 663 enum pkey_key_type *ktype, 812 664 enum pkey_key_size *ksize, u32 *flags) 813 665 { 814 - int rc; 815 - u32 _nr_apqns, *_apqns = NULL; 816 666 struct keytoken_header *hdr = (struct keytoken_header *)key; 667 + u32 _nr_apqns, *_apqns = NULL; 668 + int rc; 817 669 818 670 if (keylen < sizeof(struct keytoken_header)) 819 671 return -EINVAL; ··· 919 771 920 772 static int pkey_keyblob2pkey2(const struct pkey_apqn *apqns, size_t nr_apqns, 921 773 const u8 *key, size_t keylen, 922 - struct pkey_protkey *pkey) 774 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 923 775 { 924 - int i, card, dom, rc; 925 776 struct keytoken_header *hdr = (struct keytoken_header *)key; 777 + int i, card, dom, rc; 926 778 927 779 /* check for at least one apqn given */ 928 780 if (!apqns || !nr_apqns) ··· 954 806 if (ep11_check_aes_key(debug_info, 3, key, keylen, 1)) 955 807 return -EINVAL; 956 808 } else { 957 - return pkey_nonccatok2pkey(key, keylen, pkey); 809 + return pkey_nonccatok2pkey(key, keylen, 810 + protkey, protkeylen, 811 + protkeytype); 958 812 } 959 813 } else { 960 814 DEBUG_ERR("%s unknown/unsupported blob type %d\n", ··· 972 822 dom = apqns[i].domain; 973 823 if (hdr->type == TOKTYPE_CCA_INTERNAL && 974 824 hdr->version == TOKVER_CCA_AES) { 975 - rc = cca_sec2protkey(card, dom, key, pkey->protkey, 976 - &pkey->len, &pkey->type); 825 + rc = cca_sec2protkey(card, dom, key, 826 + protkey, protkeylen, protkeytype); 977 827 } else if (hdr->type == TOKTYPE_CCA_INTERNAL && 978 828 hdr->version == TOKVER_CCA_VLSC) { 979 - rc = cca_cipher2protkey(card, dom, key, pkey->protkey, 980 - &pkey->len, &pkey->type); 829 + rc = cca_cipher2protkey(card, dom, key, 830 + protkey, protkeylen, 831 + protkeytype); 981 832 } else { 982 833 /* EP11 AES secure key blob */ 983 834 struct ep11keyblob *kb = (struct ep11keyblob *)key; 984 835 985 - pkey->len = sizeof(pkey->protkey); 986 836 rc = ep11_kblob2protkey(card, dom, key, kb->head.len, 987 - pkey->protkey, &pkey->len, 988 - &pkey->type); 837 + protkey, protkeylen, 838 + protkeytype); 989 839 } 990 840 if (rc == 0) 991 841 break; ··· 997 847 static int pkey_apqns4key(const u8 *key, size_t keylen, u32 flags, 998 848 struct pkey_apqn *apqns, size_t *nr_apqns) 999 849 { 1000 - int rc; 1001 - u32 _nr_apqns, *_apqns = NULL; 1002 850 struct keytoken_header *hdr = (struct keytoken_header *)key; 851 + u32 _nr_apqns, *_apqns = NULL; 852 + int rc; 1003 853 1004 854 if (keylen < sizeof(struct keytoken_header) || flags == 0) 1005 855 return -EINVAL; ··· 1010 860 (hdr->version == TOKVER_EP11_AES_WITH_HEADER || 1011 861 hdr->version == TOKVER_EP11_ECC_WITH_HEADER) && 1012 862 is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) { 1013 - int minhwtype = 0, api = 0; 1014 863 struct ep11keyblob *kb = (struct ep11keyblob *) 1015 864 (key + sizeof(struct ep11kblob_header)); 865 + int minhwtype = 0, api = 0; 1016 866 1017 867 if (flags != PKEY_FLAGS_MATCH_CUR_MKVP) 1018 868 return -EINVAL; ··· 1027 877 } else if (hdr->type == TOKTYPE_NON_CCA && 1028 878 hdr->version == TOKVER_EP11_AES && 1029 879 is_ep11_keyblob(key)) { 1030 - int minhwtype = 0, api = 0; 1031 880 struct ep11keyblob *kb = (struct ep11keyblob *)key; 881 + int minhwtype = 0, api = 0; 1032 882 1033 883 if (flags != PKEY_FLAGS_MATCH_CUR_MKVP) 1034 884 return -EINVAL; ··· 1041 891 if (rc) 1042 892 goto out; 1043 893 } else if (hdr->type == TOKTYPE_CCA_INTERNAL) { 1044 - int minhwtype = ZCRYPT_CEX3C; 1045 894 u64 cur_mkvp = 0, old_mkvp = 0; 895 + int minhwtype = ZCRYPT_CEX3C; 1046 896 1047 897 if (hdr->version == TOKVER_CCA_AES) { 1048 898 struct secaeskeytoken *t = (struct secaeskeytoken *)key; ··· 1069 919 if (rc) 1070 920 goto out; 1071 921 } else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA) { 1072 - u64 cur_mkvp = 0, old_mkvp = 0; 1073 922 struct eccprivkeytoken *t = (struct eccprivkeytoken *)key; 923 + u64 cur_mkvp = 0, old_mkvp = 0; 1074 924 1075 925 if (t->secid == 0x20) { 1076 926 if (flags & PKEY_FLAGS_MATCH_CUR_MKVP) ··· 1107 957 u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags, 1108 958 struct pkey_apqn *apqns, size_t *nr_apqns) 1109 959 { 1110 - int rc; 1111 960 u32 _nr_apqns, *_apqns = NULL; 961 + int rc; 1112 962 1113 963 zcrypt_wait_api_operational(); 1114 964 ··· 1170 1020 } 1171 1021 1172 1022 static int pkey_keyblob2pkey3(const struct pkey_apqn *apqns, size_t nr_apqns, 1173 - const u8 *key, size_t keylen, u32 *protkeytype, 1174 - u8 *protkey, u32 *protkeylen) 1023 + const u8 *key, size_t keylen, 1024 + u8 *protkey, u32 *protkeylen, u32 *protkeytype) 1175 1025 { 1176 - int i, card, dom, rc; 1177 1026 struct keytoken_header *hdr = (struct keytoken_header *)key; 1027 + int i, card, dom, rc; 1178 1028 1179 1029 /* check for at least one apqn given */ 1180 1030 if (!apqns || !nr_apqns) ··· 1226 1076 if (cca_check_sececckeytoken(debug_info, 3, key, keylen, 1)) 1227 1077 return -EINVAL; 1228 1078 } else if (hdr->type == TOKTYPE_NON_CCA) { 1229 - struct pkey_protkey pkey; 1230 - 1231 - rc = pkey_nonccatok2pkey(key, keylen, &pkey); 1232 - if (rc) 1233 - return rc; 1234 - memcpy(protkey, pkey.protkey, pkey.len); 1235 - *protkeylen = pkey.len; 1236 - *protkeytype = pkey.type; 1237 - return 0; 1079 + return pkey_nonccatok2pkey(key, keylen, 1080 + protkey, protkeylen, protkeytype); 1238 1081 } else { 1239 1082 DEBUG_ERR("%s unknown/unsupported blob type %d\n", 1240 1083 __func__, hdr->type); ··· 1273 1130 1274 1131 static void *_copy_key_from_user(void __user *ukey, size_t keylen) 1275 1132 { 1276 - if (!ukey || keylen < MINKEYBLOBSIZE || keylen > KEYBLOBBUFSIZE) 1133 + if (!ukey || keylen < MINKEYBLOBBUFSIZE || keylen > KEYBLOBBUFSIZE) 1277 1134 return ERR_PTR(-EINVAL); 1278 1135 1279 1136 return memdup_user(ukey, keylen); ··· 1330 1187 1331 1188 if (copy_from_user(&ksp, usp, sizeof(ksp))) 1332 1189 return -EFAULT; 1190 + ksp.protkey.len = sizeof(ksp.protkey.protkey); 1333 1191 rc = cca_sec2protkey(ksp.cardnr, ksp.domain, 1334 1192 ksp.seckey.seckey, ksp.protkey.protkey, 1335 1193 &ksp.protkey.len, &ksp.protkey.type); ··· 1347 1203 1348 1204 if (copy_from_user(&kcp, ucp, sizeof(kcp))) 1349 1205 return -EFAULT; 1350 - rc = pkey_clr2protkey(kcp.keytype, 1351 - &kcp.clrkey, &kcp.protkey); 1206 + kcp.protkey.len = sizeof(kcp.protkey.protkey); 1207 + rc = pkey_clr2protkey(kcp.keytype, kcp.clrkey.clrkey, 1208 + kcp.protkey.protkey, 1209 + &kcp.protkey.len, &kcp.protkey.type); 1352 1210 DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc); 1353 1211 if (rc) 1354 1212 break; ··· 1380 1234 1381 1235 if (copy_from_user(&ksp, usp, sizeof(ksp))) 1382 1236 return -EFAULT; 1383 - rc = pkey_skey2pkey(ksp.seckey.seckey, &ksp.protkey); 1237 + ksp.protkey.len = sizeof(ksp.protkey.protkey); 1238 + rc = pkey_skey2pkey(ksp.seckey.seckey, ksp.protkey.protkey, 1239 + &ksp.protkey.len, &ksp.protkey.type); 1384 1240 DEBUG_DBG("%s pkey_skey2pkey()=%d\n", __func__, rc); 1385 1241 if (rc) 1386 1242 break; ··· 1411 1263 1412 1264 if (copy_from_user(&kgp, ugp, sizeof(kgp))) 1413 1265 return -EFAULT; 1414 - rc = pkey_genprotkey(kgp.keytype, &kgp.protkey); 1266 + kgp.protkey.len = sizeof(kgp.protkey.protkey); 1267 + rc = pkey_genprotkey(kgp.keytype, kgp.protkey.protkey, 1268 + &kgp.protkey.len, &kgp.protkey.type); 1415 1269 DEBUG_DBG("%s pkey_genprotkey()=%d\n", __func__, rc); 1416 1270 if (rc) 1417 1271 break; ··· 1427 1277 1428 1278 if (copy_from_user(&kvp, uvp, sizeof(kvp))) 1429 1279 return -EFAULT; 1430 - rc = pkey_verifyprotkey(&kvp.protkey); 1280 + rc = pkey_verifyprotkey(kvp.protkey.protkey, 1281 + kvp.protkey.len, kvp.protkey.type); 1431 1282 DEBUG_DBG("%s pkey_verifyprotkey()=%d\n", __func__, rc); 1432 1283 break; 1433 1284 } ··· 1442 1291 kkey = _copy_key_from_user(ktp.key, ktp.keylen); 1443 1292 if (IS_ERR(kkey)) 1444 1293 return PTR_ERR(kkey); 1445 - rc = pkey_keyblob2pkey(kkey, ktp.keylen, &ktp.protkey); 1294 + ktp.protkey.len = sizeof(ktp.protkey.protkey); 1295 + rc = pkey_keyblob2pkey(kkey, ktp.keylen, ktp.protkey.protkey, 1296 + &ktp.protkey.len, &ktp.protkey.type); 1446 1297 DEBUG_DBG("%s pkey_keyblob2pkey()=%d\n", __func__, rc); 1298 + memzero_explicit(kkey, ktp.keylen); 1447 1299 kfree(kkey); 1448 1300 if (rc) 1449 1301 break; ··· 1456 1302 } 1457 1303 case PKEY_GENSECK2: { 1458 1304 struct pkey_genseck2 __user *ugs = (void __user *)arg; 1305 + size_t klen = KEYBLOBBUFSIZE; 1459 1306 struct pkey_genseck2 kgs; 1460 1307 struct pkey_apqn *apqns; 1461 - size_t klen = KEYBLOBBUFSIZE; 1462 1308 u8 *kkey; 1463 1309 1464 1310 if (copy_from_user(&kgs, ugs, sizeof(kgs))) ··· 1498 1344 } 1499 1345 case PKEY_CLR2SECK2: { 1500 1346 struct pkey_clr2seck2 __user *ucs = (void __user *)arg; 1347 + size_t klen = KEYBLOBBUFSIZE; 1501 1348 struct pkey_clr2seck2 kcs; 1502 1349 struct pkey_apqn *apqns; 1503 - size_t klen = KEYBLOBBUFSIZE; 1504 1350 u8 *kkey; 1505 1351 1506 1352 if (copy_from_user(&kcs, ucs, sizeof(kcs))) ··· 1562 1408 } 1563 1409 case PKEY_KBLOB2PROTK2: { 1564 1410 struct pkey_kblob2pkey2 __user *utp = (void __user *)arg; 1565 - struct pkey_kblob2pkey2 ktp; 1566 1411 struct pkey_apqn *apqns = NULL; 1412 + struct pkey_kblob2pkey2 ktp; 1567 1413 u8 *kkey; 1568 1414 1569 1415 if (copy_from_user(&ktp, utp, sizeof(ktp))) ··· 1576 1422 kfree(apqns); 1577 1423 return PTR_ERR(kkey); 1578 1424 } 1425 + ktp.protkey.len = sizeof(ktp.protkey.protkey); 1579 1426 rc = pkey_keyblob2pkey2(apqns, ktp.apqn_entries, 1580 - kkey, ktp.keylen, &ktp.protkey); 1427 + kkey, ktp.keylen, 1428 + ktp.protkey.protkey, &ktp.protkey.len, 1429 + &ktp.protkey.type); 1581 1430 DEBUG_DBG("%s pkey_keyblob2pkey2()=%d\n", __func__, rc); 1582 1431 kfree(apqns); 1432 + memzero_explicit(kkey, ktp.keylen); 1583 1433 kfree(kkey); 1584 1434 if (rc) 1585 1435 break; ··· 1593 1435 } 1594 1436 case PKEY_APQNS4K: { 1595 1437 struct pkey_apqns4key __user *uak = (void __user *)arg; 1596 - struct pkey_apqns4key kak; 1597 1438 struct pkey_apqn *apqns = NULL; 1439 + struct pkey_apqns4key kak; 1598 1440 size_t nr_apqns, len; 1599 1441 u8 *kkey; 1600 1442 ··· 1642 1484 } 1643 1485 case PKEY_APQNS4KT: { 1644 1486 struct pkey_apqns4keytype __user *uat = (void __user *)arg; 1645 - struct pkey_apqns4keytype kat; 1646 1487 struct pkey_apqn *apqns = NULL; 1488 + struct pkey_apqns4keytype kat; 1647 1489 size_t nr_apqns, len; 1648 1490 1649 1491 if (copy_from_user(&kat, uat, sizeof(kat))) ··· 1684 1526 } 1685 1527 case PKEY_KBLOB2PROTK3: { 1686 1528 struct pkey_kblob2pkey3 __user *utp = (void __user *)arg; 1687 - struct pkey_kblob2pkey3 ktp; 1688 - struct pkey_apqn *apqns = NULL; 1689 1529 u32 protkeylen = PROTKEYBLOBBUFSIZE; 1530 + struct pkey_apqn *apqns = NULL; 1531 + struct pkey_kblob2pkey3 ktp; 1690 1532 u8 *kkey, *protkey; 1691 1533 1692 1534 if (copy_from_user(&ktp, utp, sizeof(ktp))) ··· 1705 1547 kfree(kkey); 1706 1548 return -ENOMEM; 1707 1549 } 1708 - rc = pkey_keyblob2pkey3(apqns, ktp.apqn_entries, kkey, 1709 - ktp.keylen, &ktp.pkeytype, 1710 - protkey, &protkeylen); 1550 + rc = pkey_keyblob2pkey3(apqns, ktp.apqn_entries, 1551 + kkey, ktp.keylen, 1552 + protkey, &protkeylen, &ktp.pkeytype); 1711 1553 DEBUG_DBG("%s pkey_keyblob2pkey3()=%d\n", __func__, rc); 1712 1554 kfree(apqns); 1555 + memzero_explicit(kkey, ktp.keylen); 1713 1556 kfree(kkey); 1714 1557 if (rc) { 1715 1558 kfree(protkey); ··· 1768 1609 protkeytoken.version = TOKVER_PROTECTED_KEY; 1769 1610 protkeytoken.keytype = keytype; 1770 1611 1771 - rc = pkey_genprotkey(protkeytoken.keytype, &protkey); 1612 + protkey.len = sizeof(protkey.protkey); 1613 + rc = pkey_genprotkey(protkeytoken.keytype, 1614 + protkey.protkey, &protkey.len, &protkey.type); 1772 1615 if (rc) 1773 1616 return rc; 1774 1617 ··· 1780 1619 memcpy(buf, &protkeytoken, sizeof(protkeytoken)); 1781 1620 1782 1621 if (is_xts) { 1783 - rc = pkey_genprotkey(protkeytoken.keytype, &protkey); 1622 + /* xts needs a second protected key, reuse protkey struct */ 1623 + protkey.len = sizeof(protkey.protkey); 1624 + rc = pkey_genprotkey(protkeytoken.keytype, 1625 + protkey.protkey, &protkey.len, &protkey.type); 1784 1626 if (rc) 1785 1627 return rc; 1786 1628 ··· 1878 1714 static ssize_t pkey_ccadata_aes_attr_read(u32 keytype, bool is_xts, char *buf, 1879 1715 loff_t off, size_t count) 1880 1716 { 1881 - int rc; 1882 1717 struct pkey_seckey *seckey = (struct pkey_seckey *)buf; 1718 + int rc; 1883 1719 1884 1720 if (off != 0 || count < sizeof(struct secaeskeytoken)) 1885 1721 return -EINVAL; ··· 1985 1821 bool is_xts, char *buf, loff_t off, 1986 1822 size_t count) 1987 1823 { 1988 - int i, rc, card, dom; 1989 - u32 nr_apqns, *apqns = NULL; 1990 1824 size_t keysize = CCACIPHERTOKENSIZE; 1825 + u32 nr_apqns, *apqns = NULL; 1826 + int i, rc, card, dom; 1991 1827 1992 1828 if (off != 0 || count < CCACIPHERTOKENSIZE) 1993 1829 return -EINVAL; ··· 2108 1944 bool is_xts, char *buf, loff_t off, 2109 1945 size_t count) 2110 1946 { 2111 - int i, rc, card, dom; 2112 - u32 nr_apqns, *apqns = NULL; 2113 1947 size_t keysize = MAXEP11AESKEYBLOBSIZE; 1948 + u32 nr_apqns, *apqns = NULL; 1949 + int i, rc, card, dom; 2114 1950 2115 1951 if (off != 0 || count < MAXEP11AESKEYBLOBSIZE) 2116 1952 return -EINVAL;