]>
Commit | Line | Data |
---|---|---|
e80d4af0 HF |
1 | /* |
2 | * pkey device driver | |
3 | * | |
4 | * Copyright IBM Corp. 2017 | |
5 | * Author(s): Harald Freudenberger | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License (version 2 only) | |
9 | * as published by the Free Software Foundation. | |
10 | * | |
11 | */ | |
12 | ||
13 | #define KMSG_COMPONENT "pkey" | |
14 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt | |
15 | ||
16 | #include <linux/fs.h> | |
17 | #include <linux/init.h> | |
18 | #include <linux/miscdevice.h> | |
19 | #include <linux/module.h> | |
20 | #include <linux/slab.h> | |
21 | #include <linux/kallsyms.h> | |
22 | #include <linux/debugfs.h> | |
23 | #include <asm/zcrypt.h> | |
24 | #include <asm/cpacf.h> | |
25 | #include <asm/pkey.h> | |
26 | ||
27 | #include "zcrypt_api.h" | |
28 | ||
29 | MODULE_LICENSE("GPL"); | |
30 | MODULE_AUTHOR("IBM Corporation"); | |
31 | MODULE_DESCRIPTION("s390 protected key interface"); | |
32 | ||
33 | /* Size of parameter block used for all cca requests/replies */ | |
34 | #define PARMBSIZE 512 | |
35 | ||
36 | /* Size of vardata block used for some of the cca requests/replies */ | |
37 | #define VARDATASIZE 4096 | |
38 | ||
39 | /* | |
40 | * debug feature data and functions | |
41 | */ | |
42 | ||
43 | static debug_info_t *debug_info; | |
44 | ||
45 | #define DEBUG_DBG(...) debug_sprintf_event(debug_info, 6, ##__VA_ARGS__) | |
46 | #define DEBUG_INFO(...) debug_sprintf_event(debug_info, 5, ##__VA_ARGS__) | |
47 | #define DEBUG_WARN(...) debug_sprintf_event(debug_info, 4, ##__VA_ARGS__) | |
48 | #define DEBUG_ERR(...) debug_sprintf_event(debug_info, 3, ##__VA_ARGS__) | |
49 | ||
50 | static void __init pkey_debug_init(void) | |
51 | { | |
52 | debug_info = debug_register("pkey", 1, 1, 4 * sizeof(long)); | |
53 | debug_register_view(debug_info, &debug_sprintf_view); | |
54 | debug_set_level(debug_info, 3); | |
55 | } | |
56 | ||
57 | static void __exit pkey_debug_exit(void) | |
58 | { | |
59 | debug_unregister(debug_info); | |
60 | } | |
61 | ||
62 | /* inside view of a secure key token (only type 0x01 version 0x04) */ | |
63 | struct secaeskeytoken { | |
64 | u8 type; /* 0x01 for internal key token */ | |
65 | u8 res0[3]; | |
66 | u8 version; /* should be 0x04 */ | |
67 | u8 res1[1]; | |
68 | u8 flag; /* key flags */ | |
69 | u8 res2[1]; | |
70 | u64 mkvp; /* master key verification pattern */ | |
71 | u8 key[32]; /* key value (encrypted) */ | |
72 | u8 cv[8]; /* control vector */ | |
73 | u16 bitsize; /* key bit size */ | |
74 | u16 keysize; /* key byte size */ | |
75 | u8 tvv[4]; /* token validation value */ | |
76 | } __packed; | |
77 | ||
78 | /* | |
79 | * Simple check if the token is a valid CCA secure AES key | |
80 | * token. If keybitsize is given, the bitsize of the key is | |
81 | * also checked. Returns 0 on success or errno value on failure. | |
82 | */ | |
e61a6134 | 83 | static int check_secaeskeytoken(const u8 *token, int keybitsize) |
e80d4af0 HF |
84 | { |
85 | struct secaeskeytoken *t = (struct secaeskeytoken *) token; | |
86 | ||
87 | if (t->type != 0x01) { | |
88 | DEBUG_ERR( | |
89 | "check_secaeskeytoken secure token check failed, type mismatch 0x%02x != 0x01\n", | |
90 | (int) t->type); | |
91 | return -EINVAL; | |
92 | } | |
93 | if (t->version != 0x04) { | |
94 | DEBUG_ERR( | |
95 | "check_secaeskeytoken secure token check failed, version mismatch 0x%02x != 0x04\n", | |
96 | (int) t->version); | |
97 | return -EINVAL; | |
98 | } | |
99 | if (keybitsize > 0 && t->bitsize != keybitsize) { | |
100 | DEBUG_ERR( | |
101 | "check_secaeskeytoken secure token check failed, bitsize mismatch %d != %d\n", | |
102 | (int) t->bitsize, keybitsize); | |
103 | return -EINVAL; | |
104 | } | |
105 | ||
106 | return 0; | |
107 | } | |
108 | ||
109 | /* | |
110 | * Allocate consecutive memory for request CPRB, request param | |
111 | * block, reply CPRB and reply param block and fill in values | |
112 | * for the common fields. Returns 0 on success or errno value | |
113 | * on failure. | |
114 | */ | |
115 | static int alloc_and_prep_cprbmem(size_t paramblen, | |
116 | u8 **pcprbmem, | |
117 | struct CPRBX **preqCPRB, | |
118 | struct CPRBX **prepCPRB) | |
119 | { | |
120 | u8 *cprbmem; | |
121 | size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen; | |
122 | struct CPRBX *preqcblk, *prepcblk; | |
123 | ||
124 | /* | |
125 | * allocate consecutive memory for request CPRB, request param | |
126 | * block, reply CPRB and reply param block | |
127 | */ | |
128 | cprbmem = kmalloc(2 * cprbplusparamblen, GFP_KERNEL); | |
129 | if (!cprbmem) | |
130 | return -ENOMEM; | |
131 | memset(cprbmem, 0, 2 * cprbplusparamblen); | |
132 | ||
133 | preqcblk = (struct CPRBX *) cprbmem; | |
134 | prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen); | |
135 | ||
136 | /* fill request cprb struct */ | |
137 | preqcblk->cprb_len = sizeof(struct CPRBX); | |
138 | preqcblk->cprb_ver_id = 0x02; | |
139 | memcpy(preqcblk->func_id, "T2", 2); | |
140 | preqcblk->rpl_msgbl = cprbplusparamblen; | |
141 | if (paramblen) { | |
142 | preqcblk->req_parmb = | |
143 | ((u8 *) preqcblk) + sizeof(struct CPRBX); | |
144 | preqcblk->rpl_parmb = | |
145 | ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
146 | } | |
147 | ||
148 | *pcprbmem = cprbmem; | |
149 | *preqCPRB = preqcblk; | |
150 | *prepCPRB = prepcblk; | |
151 | ||
152 | return 0; | |
153 | } | |
154 | ||
155 | /* | |
156 | * Free the cprb memory allocated with the function above. | |
157 | * If the scrub value is not zero, the memory is filled | |
158 | * with zeros before freeing (useful if there was some | |
159 | * clear key material in there). | |
160 | */ | |
161 | static void free_cprbmem(void *mem, size_t paramblen, int scrub) | |
162 | { | |
163 | if (scrub) | |
164 | memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen)); | |
165 | kfree(mem); | |
166 | } | |
167 | ||
168 | /* | |
169 | * Helper function to prepare the xcrb struct | |
170 | */ | |
171 | static inline void prep_xcrb(struct ica_xcRB *pxcrb, | |
172 | u16 cardnr, | |
173 | struct CPRBX *preqcblk, | |
174 | struct CPRBX *prepcblk) | |
175 | { | |
176 | memset(pxcrb, 0, sizeof(*pxcrb)); | |
177 | pxcrb->agent_ID = 0x4341; /* 'CA' */ | |
178 | pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr); | |
179 | pxcrb->request_control_blk_length = | |
180 | preqcblk->cprb_len + preqcblk->req_parml; | |
181 | pxcrb->request_control_blk_addr = (void *) preqcblk; | |
182 | pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl; | |
183 | pxcrb->reply_control_blk_addr = (void *) prepcblk; | |
184 | } | |
185 | ||
186 | /* | |
187 | * Helper function which calls zcrypt_send_cprb with | |
188 | * memory management segment adjusted to kernel space | |
189 | * so that the copy_from_user called within this | |
190 | * function do in fact copy from kernel space. | |
191 | */ | |
192 | static inline int _zcrypt_send_cprb(struct ica_xcRB *xcrb) | |
193 | { | |
194 | int rc; | |
195 | mm_segment_t old_fs = get_fs(); | |
196 | ||
197 | set_fs(KERNEL_DS); | |
198 | rc = zcrypt_send_cprb(xcrb); | |
199 | set_fs(old_fs); | |
200 | ||
201 | return rc; | |
202 | } | |
203 | ||
204 | /* | |
205 | * Generate (random) AES secure key. | |
206 | */ | |
207 | int pkey_genseckey(u16 cardnr, u16 domain, | |
208 | u32 keytype, struct pkey_seckey *seckey) | |
209 | { | |
210 | int i, rc, keysize; | |
211 | int seckeysize; | |
212 | u8 *mem; | |
213 | struct CPRBX *preqcblk, *prepcblk; | |
214 | struct ica_xcRB xcrb; | |
215 | struct kgreqparm { | |
216 | u8 subfunc_code[2]; | |
217 | u16 rule_array_len; | |
218 | struct lv1 { | |
219 | u16 len; | |
220 | char key_form[8]; | |
221 | char key_length[8]; | |
222 | char key_type1[8]; | |
223 | char key_type2[8]; | |
224 | } lv1; | |
225 | struct lv2 { | |
226 | u16 len; | |
227 | struct keyid { | |
228 | u16 len; | |
229 | u16 attr; | |
230 | u8 data[SECKEYBLOBSIZE]; | |
231 | } keyid[6]; | |
232 | } lv2; | |
233 | } *preqparm; | |
234 | struct kgrepparm { | |
235 | u8 subfunc_code[2]; | |
236 | u16 rule_array_len; | |
237 | struct lv3 { | |
238 | u16 len; | |
239 | u16 keyblocklen; | |
240 | struct { | |
241 | u16 toklen; | |
242 | u16 tokattr; | |
243 | u8 tok[0]; | |
244 | /* ... some more data ... */ | |
245 | } keyblock; | |
246 | } lv3; | |
247 | } *prepparm; | |
248 | ||
249 | /* get already prepared memory for 2 cprbs with param block each */ | |
250 | rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk); | |
251 | if (rc) | |
252 | return rc; | |
253 | ||
254 | /* fill request cprb struct */ | |
255 | preqcblk->domain = domain; | |
256 | ||
257 | /* fill request cprb param block with KG request */ | |
258 | preqparm = (struct kgreqparm *) preqcblk->req_parmb; | |
259 | memcpy(preqparm->subfunc_code, "KG", 2); | |
260 | preqparm->rule_array_len = sizeof(preqparm->rule_array_len); | |
261 | preqparm->lv1.len = sizeof(struct lv1); | |
262 | memcpy(preqparm->lv1.key_form, "OP ", 8); | |
263 | switch (keytype) { | |
264 | case PKEY_KEYTYPE_AES_128: | |
265 | keysize = 16; | |
266 | memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8); | |
267 | break; | |
268 | case PKEY_KEYTYPE_AES_192: | |
269 | keysize = 24; | |
270 | memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8); | |
271 | break; | |
272 | case PKEY_KEYTYPE_AES_256: | |
273 | keysize = 32; | |
274 | memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8); | |
275 | break; | |
276 | default: | |
277 | DEBUG_ERR( | |
278 | "pkey_genseckey unknown/unsupported keytype %d\n", | |
279 | keytype); | |
280 | rc = -EINVAL; | |
281 | goto out; | |
282 | } | |
283 | memcpy(preqparm->lv1.key_type1, "AESDATA ", 8); | |
284 | preqparm->lv2.len = sizeof(struct lv2); | |
285 | for (i = 0; i < 6; i++) { | |
286 | preqparm->lv2.keyid[i].len = sizeof(struct keyid); | |
287 | preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10); | |
288 | } | |
289 | preqcblk->req_parml = sizeof(struct kgreqparm); | |
290 | ||
291 | /* fill xcrb struct */ | |
292 | prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk); | |
293 | ||
294 | /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */ | |
295 | rc = _zcrypt_send_cprb(&xcrb); | |
296 | if (rc) { | |
297 | DEBUG_ERR( | |
298 | "pkey_genseckey zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n", | |
299 | (int) cardnr, (int) domain, rc); | |
300 | goto out; | |
301 | } | |
302 | ||
303 | /* check response returncode and reasoncode */ | |
304 | if (prepcblk->ccp_rtcode != 0) { | |
305 | DEBUG_ERR( | |
306 | "pkey_genseckey secure key generate failure, card response %d/%d\n", | |
307 | (int) prepcblk->ccp_rtcode, | |
308 | (int) prepcblk->ccp_rscode); | |
309 | rc = -EIO; | |
310 | goto out; | |
311 | } | |
312 | ||
313 | /* process response cprb param block */ | |
314 | prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
315 | prepparm = (struct kgrepparm *) prepcblk->rpl_parmb; | |
316 | ||
317 | /* check length of the returned secure key token */ | |
318 | seckeysize = prepparm->lv3.keyblock.toklen | |
319 | - sizeof(prepparm->lv3.keyblock.toklen) | |
320 | - sizeof(prepparm->lv3.keyblock.tokattr); | |
321 | if (seckeysize != SECKEYBLOBSIZE) { | |
322 | DEBUG_ERR( | |
323 | "pkey_genseckey secure token size mismatch %d != %d bytes\n", | |
324 | seckeysize, SECKEYBLOBSIZE); | |
325 | rc = -EIO; | |
326 | goto out; | |
327 | } | |
328 | ||
329 | /* check secure key token */ | |
330 | rc = check_secaeskeytoken(prepparm->lv3.keyblock.tok, 8*keysize); | |
331 | if (rc) { | |
332 | rc = -EIO; | |
333 | goto out; | |
334 | } | |
335 | ||
336 | /* copy the generated secure key token */ | |
337 | memcpy(seckey->seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE); | |
338 | ||
339 | out: | |
340 | free_cprbmem(mem, PARMBSIZE, 0); | |
341 | return rc; | |
342 | } | |
343 | EXPORT_SYMBOL(pkey_genseckey); | |
344 | ||
345 | /* | |
346 | * Generate an AES secure key with given key value. | |
347 | */ | |
348 | int pkey_clr2seckey(u16 cardnr, u16 domain, u32 keytype, | |
349 | const struct pkey_clrkey *clrkey, | |
350 | struct pkey_seckey *seckey) | |
351 | { | |
352 | int rc, keysize, seckeysize; | |
353 | u8 *mem; | |
354 | struct CPRBX *preqcblk, *prepcblk; | |
355 | struct ica_xcRB xcrb; | |
356 | struct cmreqparm { | |
357 | u8 subfunc_code[2]; | |
358 | u16 rule_array_len; | |
359 | char rule_array[8]; | |
360 | struct lv1 { | |
361 | u16 len; | |
362 | u8 clrkey[0]; | |
363 | } lv1; | |
364 | struct lv2 { | |
365 | u16 len; | |
366 | struct keyid { | |
367 | u16 len; | |
368 | u16 attr; | |
369 | u8 data[SECKEYBLOBSIZE]; | |
370 | } keyid; | |
371 | } lv2; | |
372 | } *preqparm; | |
373 | struct lv2 *plv2; | |
374 | struct cmrepparm { | |
375 | u8 subfunc_code[2]; | |
376 | u16 rule_array_len; | |
377 | struct lv3 { | |
378 | u16 len; | |
379 | u16 keyblocklen; | |
380 | struct { | |
381 | u16 toklen; | |
382 | u16 tokattr; | |
383 | u8 tok[0]; | |
384 | /* ... some more data ... */ | |
385 | } keyblock; | |
386 | } lv3; | |
387 | } *prepparm; | |
388 | ||
389 | /* get already prepared memory for 2 cprbs with param block each */ | |
390 | rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk); | |
391 | if (rc) | |
392 | return rc; | |
393 | ||
394 | /* fill request cprb struct */ | |
395 | preqcblk->domain = domain; | |
396 | ||
397 | /* fill request cprb param block with CM request */ | |
398 | preqparm = (struct cmreqparm *) preqcblk->req_parmb; | |
399 | memcpy(preqparm->subfunc_code, "CM", 2); | |
400 | memcpy(preqparm->rule_array, "AES ", 8); | |
401 | preqparm->rule_array_len = | |
402 | sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array); | |
403 | switch (keytype) { | |
404 | case PKEY_KEYTYPE_AES_128: | |
405 | keysize = 16; | |
406 | break; | |
407 | case PKEY_KEYTYPE_AES_192: | |
408 | keysize = 24; | |
409 | break; | |
410 | case PKEY_KEYTYPE_AES_256: | |
411 | keysize = 32; | |
412 | break; | |
413 | default: | |
414 | DEBUG_ERR( | |
415 | "pkey_clr2seckey unknown/unsupported keytype %d\n", | |
416 | keytype); | |
417 | rc = -EINVAL; | |
418 | goto out; | |
419 | } | |
420 | preqparm->lv1.len = sizeof(struct lv1) + keysize; | |
421 | memcpy(preqparm->lv1.clrkey, clrkey->clrkey, keysize); | |
422 | plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize); | |
423 | plv2->len = sizeof(struct lv2); | |
424 | plv2->keyid.len = sizeof(struct keyid); | |
425 | plv2->keyid.attr = 0x30; | |
426 | preqcblk->req_parml = sizeof(struct cmreqparm) + keysize; | |
427 | ||
428 | /* fill xcrb struct */ | |
429 | prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk); | |
430 | ||
431 | /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */ | |
432 | rc = _zcrypt_send_cprb(&xcrb); | |
433 | if (rc) { | |
434 | DEBUG_ERR( | |
435 | "pkey_clr2seckey zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n", | |
436 | (int) cardnr, (int) domain, rc); | |
437 | goto out; | |
438 | } | |
439 | ||
440 | /* check response returncode and reasoncode */ | |
441 | if (prepcblk->ccp_rtcode != 0) { | |
442 | DEBUG_ERR( | |
443 | "pkey_clr2seckey clear key import failure, card response %d/%d\n", | |
444 | (int) prepcblk->ccp_rtcode, | |
445 | (int) prepcblk->ccp_rscode); | |
446 | rc = -EIO; | |
447 | goto out; | |
448 | } | |
449 | ||
450 | /* process response cprb param block */ | |
451 | prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
452 | prepparm = (struct cmrepparm *) prepcblk->rpl_parmb; | |
453 | ||
454 | /* check length of the returned secure key token */ | |
455 | seckeysize = prepparm->lv3.keyblock.toklen | |
456 | - sizeof(prepparm->lv3.keyblock.toklen) | |
457 | - sizeof(prepparm->lv3.keyblock.tokattr); | |
458 | if (seckeysize != SECKEYBLOBSIZE) { | |
459 | DEBUG_ERR( | |
460 | "pkey_clr2seckey secure token size mismatch %d != %d bytes\n", | |
461 | seckeysize, SECKEYBLOBSIZE); | |
462 | rc = -EIO; | |
463 | goto out; | |
464 | } | |
465 | ||
466 | /* check secure key token */ | |
467 | rc = check_secaeskeytoken(prepparm->lv3.keyblock.tok, 8*keysize); | |
468 | if (rc) { | |
469 | rc = -EIO; | |
470 | goto out; | |
471 | } | |
472 | ||
473 | /* copy the generated secure key token */ | |
474 | memcpy(seckey->seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE); | |
475 | ||
476 | out: | |
477 | free_cprbmem(mem, PARMBSIZE, 1); | |
478 | return rc; | |
479 | } | |
480 | EXPORT_SYMBOL(pkey_clr2seckey); | |
481 | ||
482 | /* | |
483 | * Derive a proteced key from the secure key blob. | |
484 | */ | |
485 | int pkey_sec2protkey(u16 cardnr, u16 domain, | |
486 | const struct pkey_seckey *seckey, | |
487 | struct pkey_protkey *protkey) | |
488 | { | |
489 | int rc; | |
490 | u8 *mem; | |
491 | struct CPRBX *preqcblk, *prepcblk; | |
492 | struct ica_xcRB xcrb; | |
493 | struct uskreqparm { | |
494 | u8 subfunc_code[2]; | |
495 | u16 rule_array_len; | |
496 | struct lv1 { | |
497 | u16 len; | |
498 | u16 attr_len; | |
499 | u16 attr_flags; | |
500 | } lv1; | |
501 | struct lv2 { | |
502 | u16 len; | |
503 | u16 attr_len; | |
504 | u16 attr_flags; | |
505 | u8 token[0]; /* cca secure key token */ | |
506 | } lv2 __packed; | |
507 | } *preqparm; | |
508 | struct uskrepparm { | |
509 | u8 subfunc_code[2]; | |
510 | u16 rule_array_len; | |
511 | struct lv3 { | |
512 | u16 len; | |
513 | u16 attr_len; | |
514 | u16 attr_flags; | |
515 | struct cpacfkeyblock { | |
516 | u8 version; /* version of this struct */ | |
517 | u8 flags[2]; | |
518 | u8 algo; | |
519 | u8 form; | |
520 | u8 pad1[3]; | |
521 | u16 keylen; | |
522 | u8 key[64]; /* the key (keylen bytes) */ | |
523 | u16 keyattrlen; | |
524 | u8 keyattr[32]; | |
525 | u8 pad2[1]; | |
526 | u8 vptype; | |
527 | u8 vp[32]; /* verification pattern */ | |
528 | } keyblock; | |
529 | } lv3 __packed; | |
530 | } *prepparm; | |
531 | ||
532 | /* get already prepared memory for 2 cprbs with param block each */ | |
533 | rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk); | |
534 | if (rc) | |
535 | return rc; | |
536 | ||
537 | /* fill request cprb struct */ | |
538 | preqcblk->domain = domain; | |
539 | ||
540 | /* fill request cprb param block with USK request */ | |
541 | preqparm = (struct uskreqparm *) preqcblk->req_parmb; | |
542 | memcpy(preqparm->subfunc_code, "US", 2); | |
543 | preqparm->rule_array_len = sizeof(preqparm->rule_array_len); | |
544 | preqparm->lv1.len = sizeof(struct lv1); | |
545 | preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len); | |
546 | preqparm->lv1.attr_flags = 0x0001; | |
547 | preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE; | |
548 | preqparm->lv2.attr_len = sizeof(struct lv2) | |
549 | - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE; | |
550 | preqparm->lv2.attr_flags = 0x0000; | |
551 | memcpy(preqparm->lv2.token, seckey->seckey, SECKEYBLOBSIZE); | |
552 | preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE; | |
553 | ||
554 | /* fill xcrb struct */ | |
555 | prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk); | |
556 | ||
557 | /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */ | |
558 | rc = _zcrypt_send_cprb(&xcrb); | |
559 | if (rc) { | |
560 | DEBUG_ERR( | |
561 | "pkey_sec2protkey zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n", | |
562 | (int) cardnr, (int) domain, rc); | |
563 | goto out; | |
564 | } | |
565 | ||
566 | /* check response returncode and reasoncode */ | |
567 | if (prepcblk->ccp_rtcode != 0) { | |
568 | DEBUG_ERR( | |
569 | "pkey_sec2protkey unwrap secure key failure, card response %d/%d\n", | |
570 | (int) prepcblk->ccp_rtcode, | |
571 | (int) prepcblk->ccp_rscode); | |
572 | rc = -EIO; | |
573 | goto out; | |
574 | } | |
ca681ec8 HF |
575 | if (prepcblk->ccp_rscode != 0) { |
576 | DEBUG_WARN( | |
577 | "pkey_sec2protkey unwrap secure key warning, card response %d/%d\n", | |
578 | (int) prepcblk->ccp_rtcode, | |
579 | (int) prepcblk->ccp_rscode); | |
580 | } | |
e80d4af0 HF |
581 | |
582 | /* process response cprb param block */ | |
583 | prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
584 | prepparm = (struct uskrepparm *) prepcblk->rpl_parmb; | |
585 | ||
586 | /* check the returned keyblock */ | |
587 | if (prepparm->lv3.keyblock.version != 0x01) { | |
588 | DEBUG_ERR( | |
589 | "pkey_sec2protkey reply param keyblock version mismatch 0x%02x != 0x01\n", | |
590 | (int) prepparm->lv3.keyblock.version); | |
591 | rc = -EIO; | |
592 | goto out; | |
593 | } | |
594 | ||
595 | /* copy the tanslated protected key */ | |
596 | switch (prepparm->lv3.keyblock.keylen) { | |
597 | case 16+32: | |
598 | protkey->type = PKEY_KEYTYPE_AES_128; | |
599 | break; | |
600 | case 24+32: | |
601 | protkey->type = PKEY_KEYTYPE_AES_192; | |
602 | break; | |
603 | case 32+32: | |
604 | protkey->type = PKEY_KEYTYPE_AES_256; | |
605 | break; | |
606 | default: | |
607 | DEBUG_ERR("pkey_sec2protkey unknown/unsupported keytype %d\n", | |
608 | prepparm->lv3.keyblock.keylen); | |
609 | rc = -EIO; | |
610 | goto out; | |
611 | } | |
612 | protkey->len = prepparm->lv3.keyblock.keylen; | |
613 | memcpy(protkey->protkey, prepparm->lv3.keyblock.key, protkey->len); | |
614 | ||
615 | out: | |
616 | free_cprbmem(mem, PARMBSIZE, 0); | |
617 | return rc; | |
618 | } | |
619 | EXPORT_SYMBOL(pkey_sec2protkey); | |
620 | ||
621 | /* | |
622 | * Create a protected key from a clear key value. | |
623 | */ | |
624 | int pkey_clr2protkey(u32 keytype, | |
625 | const struct pkey_clrkey *clrkey, | |
626 | struct pkey_protkey *protkey) | |
627 | { | |
628 | long fc; | |
629 | int keysize; | |
630 | u8 paramblock[64]; | |
631 | ||
632 | switch (keytype) { | |
633 | case PKEY_KEYTYPE_AES_128: | |
634 | keysize = 16; | |
635 | fc = CPACF_PCKMO_ENC_AES_128_KEY; | |
636 | break; | |
637 | case PKEY_KEYTYPE_AES_192: | |
638 | keysize = 24; | |
639 | fc = CPACF_PCKMO_ENC_AES_192_KEY; | |
640 | break; | |
641 | case PKEY_KEYTYPE_AES_256: | |
642 | keysize = 32; | |
643 | fc = CPACF_PCKMO_ENC_AES_256_KEY; | |
644 | break; | |
645 | default: | |
646 | DEBUG_ERR("pkey_clr2protkey unknown/unsupported keytype %d\n", | |
647 | keytype); | |
648 | return -EINVAL; | |
649 | } | |
650 | ||
651 | /* prepare param block */ | |
652 | memset(paramblock, 0, sizeof(paramblock)); | |
653 | memcpy(paramblock, clrkey->clrkey, keysize); | |
654 | ||
655 | /* call the pckmo instruction */ | |
656 | cpacf_pckmo(fc, paramblock); | |
657 | ||
658 | /* copy created protected key */ | |
659 | protkey->type = keytype; | |
660 | protkey->len = keysize + 32; | |
661 | memcpy(protkey->protkey, paramblock, keysize + 32); | |
662 | ||
663 | return 0; | |
664 | } | |
665 | EXPORT_SYMBOL(pkey_clr2protkey); | |
666 | ||
667 | /* | |
668 | * query cryptographic facility from adapter | |
669 | */ | |
670 | static int query_crypto_facility(u16 cardnr, u16 domain, | |
671 | const char *keyword, | |
672 | u8 *rarray, size_t *rarraylen, | |
673 | u8 *varray, size_t *varraylen) | |
674 | { | |
675 | int rc; | |
676 | u16 len; | |
677 | u8 *mem, *ptr; | |
678 | struct CPRBX *preqcblk, *prepcblk; | |
679 | struct ica_xcRB xcrb; | |
680 | struct fqreqparm { | |
681 | u8 subfunc_code[2]; | |
682 | u16 rule_array_len; | |
683 | char rule_array[8]; | |
684 | struct lv1 { | |
685 | u16 len; | |
686 | u8 data[VARDATASIZE]; | |
687 | } lv1; | |
688 | u16 dummylen; | |
689 | } *preqparm; | |
690 | size_t parmbsize = sizeof(struct fqreqparm); | |
691 | struct fqrepparm { | |
692 | u8 subfunc_code[2]; | |
693 | u8 lvdata[0]; | |
694 | } *prepparm; | |
695 | ||
696 | /* get already prepared memory for 2 cprbs with param block each */ | |
697 | rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk); | |
698 | if (rc) | |
699 | return rc; | |
700 | ||
701 | /* fill request cprb struct */ | |
702 | preqcblk->domain = domain; | |
703 | ||
704 | /* fill request cprb param block with FQ request */ | |
705 | preqparm = (struct fqreqparm *) preqcblk->req_parmb; | |
706 | memcpy(preqparm->subfunc_code, "FQ", 2); | |
707 | strncpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array)); | |
708 | preqparm->rule_array_len = | |
709 | sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array); | |
710 | preqparm->lv1.len = sizeof(preqparm->lv1); | |
711 | preqparm->dummylen = sizeof(preqparm->dummylen); | |
712 | preqcblk->req_parml = parmbsize; | |
713 | ||
714 | /* fill xcrb struct */ | |
715 | prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk); | |
716 | ||
717 | /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */ | |
718 | rc = _zcrypt_send_cprb(&xcrb); | |
719 | if (rc) { | |
720 | DEBUG_ERR( | |
721 | "query_crypto_facility zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n", | |
722 | (int) cardnr, (int) domain, rc); | |
723 | goto out; | |
724 | } | |
725 | ||
726 | /* check response returncode and reasoncode */ | |
727 | if (prepcblk->ccp_rtcode != 0) { | |
728 | DEBUG_ERR( | |
729 | "query_crypto_facility unwrap secure key failure, card response %d/%d\n", | |
730 | (int) prepcblk->ccp_rtcode, | |
731 | (int) prepcblk->ccp_rscode); | |
732 | rc = -EIO; | |
733 | goto out; | |
734 | } | |
735 | ||
736 | /* process response cprb param block */ | |
737 | prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX); | |
738 | prepparm = (struct fqrepparm *) prepcblk->rpl_parmb; | |
739 | ptr = prepparm->lvdata; | |
740 | ||
741 | /* check and possibly copy reply rule array */ | |
742 | len = *((u16 *) ptr); | |
743 | if (len > sizeof(u16)) { | |
744 | ptr += sizeof(u16); | |
745 | len -= sizeof(u16); | |
746 | if (rarray && rarraylen && *rarraylen > 0) { | |
747 | *rarraylen = (len > *rarraylen ? *rarraylen : len); | |
748 | memcpy(rarray, ptr, *rarraylen); | |
749 | } | |
750 | ptr += len; | |
751 | } | |
752 | /* check and possible copy reply var array */ | |
753 | len = *((u16 *) ptr); | |
754 | if (len > sizeof(u16)) { | |
755 | ptr += sizeof(u16); | |
756 | len -= sizeof(u16); | |
757 | if (varray && varraylen && *varraylen > 0) { | |
758 | *varraylen = (len > *varraylen ? *varraylen : len); | |
759 | memcpy(varray, ptr, *varraylen); | |
760 | } | |
761 | ptr += len; | |
762 | } | |
763 | ||
764 | out: | |
765 | free_cprbmem(mem, parmbsize, 0); | |
766 | return rc; | |
767 | } | |
768 | ||
769 | /* | |
ca681ec8 HF |
770 | * Fetch the current and old mkvp values via |
771 | * query_crypto_facility from adapter. | |
e80d4af0 | 772 | */ |
ca681ec8 | 773 | static int fetch_mkvp(u16 cardnr, u16 domain, u64 mkvp[2]) |
e80d4af0 HF |
774 | { |
775 | int rc, found = 0; | |
776 | size_t rlen, vlen; | |
777 | u8 *rarray, *varray, *pg; | |
778 | ||
779 | pg = (u8 *) __get_free_page(GFP_KERNEL); | |
780 | if (!pg) | |
781 | return -ENOMEM; | |
782 | rarray = pg; | |
783 | varray = pg + PAGE_SIZE/2; | |
784 | rlen = vlen = PAGE_SIZE/2; | |
785 | ||
786 | rc = query_crypto_facility(cardnr, domain, "STATICSA", | |
787 | rarray, &rlen, varray, &vlen); | |
788 | if (rc == 0 && rlen > 8*8 && vlen > 184+8) { | |
ca681ec8 | 789 | if (rarray[8*8] == '2') { |
e80d4af0 | 790 | /* current master key state is valid */ |
ca681ec8 HF |
791 | mkvp[0] = *((u64 *)(varray + 184)); |
792 | mkvp[1] = *((u64 *)(varray + 172)); | |
e80d4af0 HF |
793 | found = 1; |
794 | } | |
795 | } | |
796 | ||
797 | free_page((unsigned long) pg); | |
798 | ||
799 | return found ? 0 : -ENOENT; | |
800 | } | |
801 | ||
802 | /* struct to hold cached mkvp info for each card/domain */ | |
803 | struct mkvp_info { | |
804 | struct list_head list; | |
805 | u16 cardnr; | |
806 | u16 domain; | |
ca681ec8 | 807 | u64 mkvp[2]; |
e80d4af0 HF |
808 | }; |
809 | ||
810 | /* a list with mkvp_info entries */ | |
811 | static LIST_HEAD(mkvp_list); | |
812 | static DEFINE_SPINLOCK(mkvp_list_lock); | |
813 | ||
ca681ec8 | 814 | static int mkvp_cache_fetch(u16 cardnr, u16 domain, u64 mkvp[2]) |
e80d4af0 HF |
815 | { |
816 | int rc = -ENOENT; | |
817 | struct mkvp_info *ptr; | |
818 | ||
819 | spin_lock_bh(&mkvp_list_lock); | |
820 | list_for_each_entry(ptr, &mkvp_list, list) { | |
821 | if (ptr->cardnr == cardnr && | |
822 | ptr->domain == domain) { | |
ca681ec8 | 823 | memcpy(mkvp, ptr->mkvp, 2 * sizeof(u64)); |
e80d4af0 HF |
824 | rc = 0; |
825 | break; | |
826 | } | |
827 | } | |
828 | spin_unlock_bh(&mkvp_list_lock); | |
829 | ||
830 | return rc; | |
831 | } | |
832 | ||
ca681ec8 | 833 | static void mkvp_cache_update(u16 cardnr, u16 domain, u64 mkvp[2]) |
e80d4af0 HF |
834 | { |
835 | int found = 0; | |
836 | struct mkvp_info *ptr; | |
837 | ||
838 | spin_lock_bh(&mkvp_list_lock); | |
839 | list_for_each_entry(ptr, &mkvp_list, list) { | |
840 | if (ptr->cardnr == cardnr && | |
841 | ptr->domain == domain) { | |
ca681ec8 | 842 | memcpy(ptr->mkvp, mkvp, 2 * sizeof(u64)); |
e80d4af0 HF |
843 | found = 1; |
844 | break; | |
845 | } | |
846 | } | |
847 | if (!found) { | |
848 | ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC); | |
849 | if (!ptr) { | |
850 | spin_unlock_bh(&mkvp_list_lock); | |
851 | return; | |
852 | } | |
853 | ptr->cardnr = cardnr; | |
854 | ptr->domain = domain; | |
ca681ec8 | 855 | memcpy(ptr->mkvp, mkvp, 2 * sizeof(u64)); |
e80d4af0 HF |
856 | list_add(&ptr->list, &mkvp_list); |
857 | } | |
858 | spin_unlock_bh(&mkvp_list_lock); | |
859 | } | |
860 | ||
861 | static void mkvp_cache_scrub(u16 cardnr, u16 domain) | |
862 | { | |
863 | struct mkvp_info *ptr; | |
864 | ||
865 | spin_lock_bh(&mkvp_list_lock); | |
866 | list_for_each_entry(ptr, &mkvp_list, list) { | |
867 | if (ptr->cardnr == cardnr && | |
868 | ptr->domain == domain) { | |
869 | list_del(&ptr->list); | |
870 | kfree(ptr); | |
871 | break; | |
872 | } | |
873 | } | |
874 | spin_unlock_bh(&mkvp_list_lock); | |
875 | } | |
876 | ||
877 | static void __exit mkvp_cache_free(void) | |
878 | { | |
879 | struct mkvp_info *ptr, *pnext; | |
880 | ||
881 | spin_lock_bh(&mkvp_list_lock); | |
882 | list_for_each_entry_safe(ptr, pnext, &mkvp_list, list) { | |
883 | list_del(&ptr->list); | |
884 | kfree(ptr); | |
885 | } | |
886 | spin_unlock_bh(&mkvp_list_lock); | |
887 | } | |
888 | ||
889 | /* | |
890 | * Search for a matching crypto card based on the Master Key | |
891 | * Verification Pattern provided inside a secure key. | |
892 | */ | |
893 | int pkey_findcard(const struct pkey_seckey *seckey, | |
894 | u16 *pcardnr, u16 *pdomain, int verify) | |
895 | { | |
896 | struct secaeskeytoken *t = (struct secaeskeytoken *) seckey; | |
897 | struct zcrypt_device_matrix *device_matrix; | |
898 | u16 card, dom; | |
ca681ec8 HF |
899 | u64 mkvp[2]; |
900 | int i, rc, oi = -1; | |
e80d4af0 HF |
901 | |
902 | /* mkvp must not be zero */ | |
903 | if (t->mkvp == 0) | |
904 | return -EINVAL; | |
905 | ||
906 | /* fetch status of all crypto cards */ | |
907 | device_matrix = kmalloc(sizeof(struct zcrypt_device_matrix), | |
908 | GFP_KERNEL); | |
909 | if (!device_matrix) | |
910 | return -ENOMEM; | |
911 | zcrypt_device_status_mask(device_matrix); | |
912 | ||
913 | /* walk through all crypto cards */ | |
914 | for (i = 0; i < MAX_ZDEV_ENTRIES; i++) { | |
915 | card = AP_QID_CARD(device_matrix->device[i].qid); | |
916 | dom = AP_QID_QUEUE(device_matrix->device[i].qid); | |
917 | if (device_matrix->device[i].online && | |
918 | device_matrix->device[i].functions & 0x04) { | |
919 | /* an enabled CCA Coprocessor card */ | |
920 | /* try cached mkvp */ | |
ca681ec8 HF |
921 | if (mkvp_cache_fetch(card, dom, mkvp) == 0 && |
922 | t->mkvp == mkvp[0]) { | |
e80d4af0 HF |
923 | if (!verify) |
924 | break; | |
925 | /* verify: fetch mkvp from adapter */ | |
ca681ec8 | 926 | if (fetch_mkvp(card, dom, mkvp) == 0) { |
e80d4af0 | 927 | mkvp_cache_update(card, dom, mkvp); |
ca681ec8 | 928 | if (t->mkvp == mkvp[0]) |
e80d4af0 HF |
929 | break; |
930 | } | |
931 | } | |
932 | } else { | |
933 | /* Card is offline and/or not a CCA card. */ | |
934 | /* del mkvp entry from cache if it exists */ | |
935 | mkvp_cache_scrub(card, dom); | |
936 | } | |
937 | } | |
938 | if (i >= MAX_ZDEV_ENTRIES) { | |
939 | /* nothing found, so this time without cache */ | |
940 | for (i = 0; i < MAX_ZDEV_ENTRIES; i++) { | |
941 | if (!(device_matrix->device[i].online && | |
942 | device_matrix->device[i].functions & 0x04)) | |
943 | continue; | |
944 | card = AP_QID_CARD(device_matrix->device[i].qid); | |
945 | dom = AP_QID_QUEUE(device_matrix->device[i].qid); | |
946 | /* fresh fetch mkvp from adapter */ | |
ca681ec8 | 947 | if (fetch_mkvp(card, dom, mkvp) == 0) { |
e80d4af0 | 948 | mkvp_cache_update(card, dom, mkvp); |
ca681ec8 | 949 | if (t->mkvp == mkvp[0]) |
e80d4af0 | 950 | break; |
ca681ec8 HF |
951 | if (t->mkvp == mkvp[1] && oi < 0) |
952 | oi = i; | |
e80d4af0 HF |
953 | } |
954 | } | |
ca681ec8 HF |
955 | if (i >= MAX_ZDEV_ENTRIES && oi >= 0) { |
956 | /* old mkvp matched, use this card then */ | |
957 | card = AP_QID_CARD(device_matrix->device[oi].qid); | |
958 | dom = AP_QID_QUEUE(device_matrix->device[oi].qid); | |
959 | } | |
e80d4af0 | 960 | } |
ca681ec8 | 961 | if (i < MAX_ZDEV_ENTRIES || oi >= 0) { |
e80d4af0 HF |
962 | if (pcardnr) |
963 | *pcardnr = card; | |
964 | if (pdomain) | |
965 | *pdomain = dom; | |
966 | rc = 0; | |
967 | } else | |
968 | rc = -ENODEV; | |
969 | ||
970 | kfree(device_matrix); | |
971 | return rc; | |
972 | } | |
973 | EXPORT_SYMBOL(pkey_findcard); | |
974 | ||
975 | /* | |
976 | * Find card and transform secure key into protected key. | |
977 | */ | |
978 | int pkey_skey2pkey(const struct pkey_seckey *seckey, | |
979 | struct pkey_protkey *protkey) | |
980 | { | |
981 | u16 cardnr, domain; | |
982 | int rc, verify; | |
983 | ||
984 | /* | |
985 | * The pkey_sec2protkey call may fail when a card has been | |
986 | * addressed where the master key was changed after last fetch | |
987 | * of the mkvp into the cache. So first try without verify then | |
988 | * with verify enabled (thus refreshing the mkvp for each card). | |
989 | */ | |
990 | for (verify = 0; verify < 2; verify++) { | |
991 | rc = pkey_findcard(seckey, &cardnr, &domain, verify); | |
992 | if (rc) | |
993 | continue; | |
994 | rc = pkey_sec2protkey(cardnr, domain, seckey, protkey); | |
995 | if (rc == 0) | |
996 | break; | |
997 | } | |
998 | ||
999 | if (rc) | |
1000 | DEBUG_DBG("pkey_skey2pkey failed rc=%d\n", rc); | |
1001 | ||
1002 | return rc; | |
1003 | } | |
1004 | EXPORT_SYMBOL(pkey_skey2pkey); | |
1005 | ||
e61a6134 HF |
1006 | /* |
1007 | * Verify key and give back some info about the key. | |
1008 | */ | |
1009 | int pkey_verifykey(const struct pkey_seckey *seckey, | |
1010 | u16 *pcardnr, u16 *pdomain, | |
1011 | u16 *pkeysize, u32 *pattributes) | |
1012 | { | |
1013 | struct secaeskeytoken *t = (struct secaeskeytoken *) seckey; | |
1014 | u16 cardnr, domain; | |
1015 | u64 mkvp[2]; | |
1016 | int rc; | |
1017 | ||
1018 | /* check the secure key for valid AES secure key */ | |
1019 | rc = check_secaeskeytoken((u8 *) seckey, 0); | |
1020 | if (rc) | |
1021 | goto out; | |
1022 | if (pattributes) | |
1023 | *pattributes = PKEY_VERIFY_ATTR_AES; | |
1024 | if (pkeysize) | |
1025 | *pkeysize = t->bitsize; | |
1026 | ||
1027 | /* try to find a card which can handle this key */ | |
1028 | rc = pkey_findcard(seckey, &cardnr, &domain, 1); | |
1029 | if (rc) | |
1030 | goto out; | |
1031 | ||
1032 | /* check mkvp for old mkvp match */ | |
1033 | rc = mkvp_cache_fetch(cardnr, domain, mkvp); | |
1034 | if (rc) | |
1035 | goto out; | |
1036 | if (t->mkvp == mkvp[1]) { | |
1037 | DEBUG_DBG("pkey_verifykey secure key has old mkvp\n"); | |
1038 | if (pattributes) | |
1039 | *pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP; | |
1040 | } | |
1041 | ||
1042 | if (pcardnr) | |
1043 | *pcardnr = cardnr; | |
1044 | if (pdomain) | |
1045 | *pdomain = domain; | |
1046 | ||
1047 | out: | |
1048 | DEBUG_DBG("pkey_verifykey rc=%d\n", rc); | |
1049 | return rc; | |
1050 | } | |
1051 | EXPORT_SYMBOL(pkey_verifykey); | |
1052 | ||
e80d4af0 HF |
1053 | /* |
1054 | * File io functions | |
1055 | */ | |
1056 | ||
1057 | static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, | |
1058 | unsigned long arg) | |
1059 | { | |
1060 | int rc; | |
1061 | ||
1062 | switch (cmd) { | |
1063 | case PKEY_GENSECK: { | |
1064 | struct pkey_genseck __user *ugs = (void __user *) arg; | |
1065 | struct pkey_genseck kgs; | |
1066 | ||
1067 | if (copy_from_user(&kgs, ugs, sizeof(kgs))) | |
1068 | return -EFAULT; | |
1069 | rc = pkey_genseckey(kgs.cardnr, kgs.domain, | |
1070 | kgs.keytype, &kgs.seckey); | |
1071 | DEBUG_DBG("pkey_ioctl pkey_genseckey()=%d\n", rc); | |
1072 | if (rc) | |
1073 | break; | |
1074 | if (copy_to_user(ugs, &kgs, sizeof(kgs))) | |
1075 | return -EFAULT; | |
1076 | break; | |
1077 | } | |
1078 | case PKEY_CLR2SECK: { | |
1079 | struct pkey_clr2seck __user *ucs = (void __user *) arg; | |
1080 | struct pkey_clr2seck kcs; | |
1081 | ||
1082 | if (copy_from_user(&kcs, ucs, sizeof(kcs))) | |
1083 | return -EFAULT; | |
1084 | rc = pkey_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype, | |
1085 | &kcs.clrkey, &kcs.seckey); | |
1086 | DEBUG_DBG("pkey_ioctl pkey_clr2seckey()=%d\n", rc); | |
1087 | if (rc) | |
1088 | break; | |
1089 | if (copy_to_user(ucs, &kcs, sizeof(kcs))) | |
1090 | return -EFAULT; | |
1091 | memzero_explicit(&kcs, sizeof(kcs)); | |
1092 | break; | |
1093 | } | |
1094 | case PKEY_SEC2PROTK: { | |
1095 | struct pkey_sec2protk __user *usp = (void __user *) arg; | |
1096 | struct pkey_sec2protk ksp; | |
1097 | ||
1098 | if (copy_from_user(&ksp, usp, sizeof(ksp))) | |
1099 | return -EFAULT; | |
1100 | rc = pkey_sec2protkey(ksp.cardnr, ksp.domain, | |
1101 | &ksp.seckey, &ksp.protkey); | |
1102 | DEBUG_DBG("pkey_ioctl pkey_sec2protkey()=%d\n", rc); | |
1103 | if (rc) | |
1104 | break; | |
1105 | if (copy_to_user(usp, &ksp, sizeof(ksp))) | |
1106 | return -EFAULT; | |
1107 | break; | |
1108 | } | |
1109 | case PKEY_CLR2PROTK: { | |
1110 | struct pkey_clr2protk __user *ucp = (void __user *) arg; | |
1111 | struct pkey_clr2protk kcp; | |
1112 | ||
1113 | if (copy_from_user(&kcp, ucp, sizeof(kcp))) | |
1114 | return -EFAULT; | |
1115 | rc = pkey_clr2protkey(kcp.keytype, | |
1116 | &kcp.clrkey, &kcp.protkey); | |
1117 | DEBUG_DBG("pkey_ioctl pkey_clr2protkey()=%d\n", rc); | |
1118 | if (rc) | |
1119 | break; | |
1120 | if (copy_to_user(ucp, &kcp, sizeof(kcp))) | |
1121 | return -EFAULT; | |
1122 | memzero_explicit(&kcp, sizeof(kcp)); | |
1123 | break; | |
1124 | } | |
1125 | case PKEY_FINDCARD: { | |
1126 | struct pkey_findcard __user *ufc = (void __user *) arg; | |
1127 | struct pkey_findcard kfc; | |
1128 | ||
1129 | if (copy_from_user(&kfc, ufc, sizeof(kfc))) | |
1130 | return -EFAULT; | |
1131 | rc = pkey_findcard(&kfc.seckey, | |
1132 | &kfc.cardnr, &kfc.domain, 1); | |
1133 | DEBUG_DBG("pkey_ioctl pkey_findcard()=%d\n", rc); | |
1134 | if (rc) | |
1135 | break; | |
1136 | if (copy_to_user(ufc, &kfc, sizeof(kfc))) | |
1137 | return -EFAULT; | |
1138 | break; | |
1139 | } | |
1140 | case PKEY_SKEY2PKEY: { | |
1141 | struct pkey_skey2pkey __user *usp = (void __user *) arg; | |
1142 | struct pkey_skey2pkey ksp; | |
1143 | ||
1144 | if (copy_from_user(&ksp, usp, sizeof(ksp))) | |
1145 | return -EFAULT; | |
1146 | rc = pkey_skey2pkey(&ksp.seckey, &ksp.protkey); | |
1147 | DEBUG_DBG("pkey_ioctl pkey_skey2pkey()=%d\n", rc); | |
1148 | if (rc) | |
1149 | break; | |
1150 | if (copy_to_user(usp, &ksp, sizeof(ksp))) | |
1151 | return -EFAULT; | |
1152 | break; | |
1153 | } | |
e61a6134 HF |
1154 | case PKEY_VERIFYKEY: { |
1155 | struct pkey_verifykey __user *uvk = (void __user *) arg; | |
1156 | struct pkey_verifykey kvk; | |
1157 | ||
1158 | if (copy_from_user(&kvk, uvk, sizeof(kvk))) | |
1159 | return -EFAULT; | |
1160 | rc = pkey_verifykey(&kvk.seckey, &kvk.cardnr, &kvk.domain, | |
1161 | &kvk.keysize, &kvk.attributes); | |
1162 | DEBUG_DBG("pkey_ioctl pkey_verifykey()=%d\n", rc); | |
1163 | if (rc) | |
1164 | break; | |
1165 | if (copy_to_user(uvk, &kvk, sizeof(kvk))) | |
1166 | return -EFAULT; | |
1167 | break; | |
1168 | } | |
e80d4af0 HF |
1169 | default: |
1170 | /* unknown/unsupported ioctl cmd */ | |
1171 | return -ENOTTY; | |
1172 | } | |
1173 | ||
1174 | return rc; | |
1175 | } | |
1176 | ||
1177 | /* | |
1178 | * Sysfs and file io operations | |
1179 | */ | |
1180 | static const struct file_operations pkey_fops = { | |
1181 | .owner = THIS_MODULE, | |
1182 | .open = nonseekable_open, | |
1183 | .llseek = no_llseek, | |
1184 | .unlocked_ioctl = pkey_unlocked_ioctl, | |
1185 | }; | |
1186 | ||
1187 | static struct miscdevice pkey_dev = { | |
1188 | .name = "pkey", | |
1189 | .minor = MISC_DYNAMIC_MINOR, | |
1190 | .mode = 0666, | |
1191 | .fops = &pkey_fops, | |
1192 | }; | |
1193 | ||
1194 | /* | |
1195 | * Module init | |
1196 | */ | |
1197 | int __init pkey_init(void) | |
1198 | { | |
1199 | cpacf_mask_t pckmo_functions; | |
1200 | ||
1201 | /* check for pckmo instructions available */ | |
1202 | if (!cpacf_query(CPACF_PCKMO, &pckmo_functions)) | |
1203 | return -EOPNOTSUPP; | |
1204 | if (!cpacf_test_func(&pckmo_functions, CPACF_PCKMO_ENC_AES_128_KEY) || | |
1205 | !cpacf_test_func(&pckmo_functions, CPACF_PCKMO_ENC_AES_192_KEY) || | |
1206 | !cpacf_test_func(&pckmo_functions, CPACF_PCKMO_ENC_AES_256_KEY)) | |
1207 | return -EOPNOTSUPP; | |
1208 | ||
1209 | pkey_debug_init(); | |
1210 | ||
1211 | return misc_register(&pkey_dev); | |
1212 | } | |
1213 | ||
1214 | /* | |
1215 | * Module exit | |
1216 | */ | |
1217 | static void __exit pkey_exit(void) | |
1218 | { | |
1219 | misc_deregister(&pkey_dev); | |
1220 | mkvp_cache_free(); | |
1221 | pkey_debug_exit(); | |
1222 | } | |
1223 | ||
1224 | module_init(pkey_init); | |
1225 | module_exit(pkey_exit); |