1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun * pkey device driver
4*4882a593Smuzhiyun *
5*4882a593Smuzhiyun * Copyright IBM Corp. 2017,2019
6*4882a593Smuzhiyun * Author(s): Harald Freudenberger
7*4882a593Smuzhiyun */
8*4882a593Smuzhiyun
9*4882a593Smuzhiyun #define KMSG_COMPONENT "pkey"
10*4882a593Smuzhiyun #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
11*4882a593Smuzhiyun
12*4882a593Smuzhiyun #include <linux/fs.h>
13*4882a593Smuzhiyun #include <linux/init.h>
14*4882a593Smuzhiyun #include <linux/miscdevice.h>
15*4882a593Smuzhiyun #include <linux/module.h>
16*4882a593Smuzhiyun #include <linux/slab.h>
17*4882a593Smuzhiyun #include <linux/kallsyms.h>
18*4882a593Smuzhiyun #include <linux/debugfs.h>
19*4882a593Smuzhiyun #include <linux/random.h>
20*4882a593Smuzhiyun #include <linux/cpufeature.h>
21*4882a593Smuzhiyun #include <asm/zcrypt.h>
22*4882a593Smuzhiyun #include <asm/cpacf.h>
23*4882a593Smuzhiyun #include <asm/pkey.h>
24*4882a593Smuzhiyun #include <crypto/aes.h>
25*4882a593Smuzhiyun
26*4882a593Smuzhiyun #include "zcrypt_api.h"
27*4882a593Smuzhiyun #include "zcrypt_ccamisc.h"
28*4882a593Smuzhiyun #include "zcrypt_ep11misc.h"
29*4882a593Smuzhiyun
30*4882a593Smuzhiyun MODULE_LICENSE("GPL");
31*4882a593Smuzhiyun MODULE_AUTHOR("IBM Corporation");
32*4882a593Smuzhiyun MODULE_DESCRIPTION("s390 protected key interface");
33*4882a593Smuzhiyun
34*4882a593Smuzhiyun #define KEYBLOBBUFSIZE 8192 /* key buffer size used for internal processing */
35*4882a593Smuzhiyun #define PROTKEYBLOBBUFSIZE 256 /* protected key buffer size used internal */
36*4882a593Smuzhiyun #define MAXAPQNSINLIST 64 /* max 64 apqns within a apqn list */
37*4882a593Smuzhiyun
38*4882a593Smuzhiyun /*
39*4882a593Smuzhiyun * debug feature data and functions
40*4882a593Smuzhiyun */
41*4882a593Smuzhiyun
42*4882a593Smuzhiyun static debug_info_t *debug_info;
43*4882a593Smuzhiyun
44*4882a593Smuzhiyun #define DEBUG_DBG(...) debug_sprintf_event(debug_info, 6, ##__VA_ARGS__)
45*4882a593Smuzhiyun #define DEBUG_INFO(...) debug_sprintf_event(debug_info, 5, ##__VA_ARGS__)
46*4882a593Smuzhiyun #define DEBUG_WARN(...) debug_sprintf_event(debug_info, 4, ##__VA_ARGS__)
47*4882a593Smuzhiyun #define DEBUG_ERR(...) debug_sprintf_event(debug_info, 3, ##__VA_ARGS__)
48*4882a593Smuzhiyun
pkey_debug_init(void)49*4882a593Smuzhiyun static void __init pkey_debug_init(void)
50*4882a593Smuzhiyun {
51*4882a593Smuzhiyun /* 5 arguments per dbf entry (including the format string ptr) */
52*4882a593Smuzhiyun debug_info = debug_register("pkey", 1, 1, 5 * sizeof(long));
53*4882a593Smuzhiyun debug_register_view(debug_info, &debug_sprintf_view);
54*4882a593Smuzhiyun debug_set_level(debug_info, 3);
55*4882a593Smuzhiyun }
56*4882a593Smuzhiyun
pkey_debug_exit(void)57*4882a593Smuzhiyun static void __exit pkey_debug_exit(void)
58*4882a593Smuzhiyun {
59*4882a593Smuzhiyun debug_unregister(debug_info);
60*4882a593Smuzhiyun }
61*4882a593Smuzhiyun
62*4882a593Smuzhiyun /* inside view of a protected key token (only type 0x00 version 0x01) */
63*4882a593Smuzhiyun struct protaeskeytoken {
64*4882a593Smuzhiyun u8 type; /* 0x00 for PAES specific key tokens */
65*4882a593Smuzhiyun u8 res0[3];
66*4882a593Smuzhiyun u8 version; /* should be 0x01 for protected AES key token */
67*4882a593Smuzhiyun u8 res1[3];
68*4882a593Smuzhiyun u32 keytype; /* key type, one of the PKEY_KEYTYPE values */
69*4882a593Smuzhiyun u32 len; /* bytes actually stored in protkey[] */
70*4882a593Smuzhiyun u8 protkey[MAXPROTKEYSIZE]; /* the protected key blob */
71*4882a593Smuzhiyun } __packed;
72*4882a593Smuzhiyun
73*4882a593Smuzhiyun /* inside view of a clear key token (type 0x00 version 0x02) */
74*4882a593Smuzhiyun struct clearaeskeytoken {
75*4882a593Smuzhiyun u8 type; /* 0x00 for PAES specific key tokens */
76*4882a593Smuzhiyun u8 res0[3];
77*4882a593Smuzhiyun u8 version; /* 0x02 for clear AES key token */
78*4882a593Smuzhiyun u8 res1[3];
79*4882a593Smuzhiyun u32 keytype; /* key type, one of the PKEY_KEYTYPE values */
80*4882a593Smuzhiyun u32 len; /* bytes actually stored in clearkey[] */
81*4882a593Smuzhiyun u8 clearkey[]; /* clear key value */
82*4882a593Smuzhiyun } __packed;
83*4882a593Smuzhiyun
84*4882a593Smuzhiyun /*
85*4882a593Smuzhiyun * Create a protected key from a clear key value.
86*4882a593Smuzhiyun */
pkey_clr2protkey(u32 keytype,const struct pkey_clrkey * clrkey,struct pkey_protkey * protkey)87*4882a593Smuzhiyun static int pkey_clr2protkey(u32 keytype,
88*4882a593Smuzhiyun const struct pkey_clrkey *clrkey,
89*4882a593Smuzhiyun struct pkey_protkey *protkey)
90*4882a593Smuzhiyun {
91*4882a593Smuzhiyun /* mask of available pckmo subfunctions */
92*4882a593Smuzhiyun static cpacf_mask_t pckmo_functions;
93*4882a593Smuzhiyun
94*4882a593Smuzhiyun long fc;
95*4882a593Smuzhiyun int keysize;
96*4882a593Smuzhiyun u8 paramblock[64];
97*4882a593Smuzhiyun
98*4882a593Smuzhiyun switch (keytype) {
99*4882a593Smuzhiyun case PKEY_KEYTYPE_AES_128:
100*4882a593Smuzhiyun keysize = 16;
101*4882a593Smuzhiyun fc = CPACF_PCKMO_ENC_AES_128_KEY;
102*4882a593Smuzhiyun break;
103*4882a593Smuzhiyun case PKEY_KEYTYPE_AES_192:
104*4882a593Smuzhiyun keysize = 24;
105*4882a593Smuzhiyun fc = CPACF_PCKMO_ENC_AES_192_KEY;
106*4882a593Smuzhiyun break;
107*4882a593Smuzhiyun case PKEY_KEYTYPE_AES_256:
108*4882a593Smuzhiyun keysize = 32;
109*4882a593Smuzhiyun fc = CPACF_PCKMO_ENC_AES_256_KEY;
110*4882a593Smuzhiyun break;
111*4882a593Smuzhiyun default:
112*4882a593Smuzhiyun DEBUG_ERR("%s unknown/unsupported keytype %d\n",
113*4882a593Smuzhiyun __func__, keytype);
114*4882a593Smuzhiyun return -EINVAL;
115*4882a593Smuzhiyun }
116*4882a593Smuzhiyun
117*4882a593Smuzhiyun /* Did we already check for PCKMO ? */
118*4882a593Smuzhiyun if (!pckmo_functions.bytes[0]) {
119*4882a593Smuzhiyun /* no, so check now */
120*4882a593Smuzhiyun if (!cpacf_query(CPACF_PCKMO, &pckmo_functions))
121*4882a593Smuzhiyun return -ENODEV;
122*4882a593Smuzhiyun }
123*4882a593Smuzhiyun /* check for the pckmo subfunction we need now */
124*4882a593Smuzhiyun if (!cpacf_test_func(&pckmo_functions, fc)) {
125*4882a593Smuzhiyun DEBUG_ERR("%s pckmo functions not available\n", __func__);
126*4882a593Smuzhiyun return -ENODEV;
127*4882a593Smuzhiyun }
128*4882a593Smuzhiyun
129*4882a593Smuzhiyun /* prepare param block */
130*4882a593Smuzhiyun memset(paramblock, 0, sizeof(paramblock));
131*4882a593Smuzhiyun memcpy(paramblock, clrkey->clrkey, keysize);
132*4882a593Smuzhiyun
133*4882a593Smuzhiyun /* call the pckmo instruction */
134*4882a593Smuzhiyun cpacf_pckmo(fc, paramblock);
135*4882a593Smuzhiyun
136*4882a593Smuzhiyun /* copy created protected key */
137*4882a593Smuzhiyun protkey->type = keytype;
138*4882a593Smuzhiyun protkey->len = keysize + 32;
139*4882a593Smuzhiyun memcpy(protkey->protkey, paramblock, keysize + 32);
140*4882a593Smuzhiyun
141*4882a593Smuzhiyun return 0;
142*4882a593Smuzhiyun }
143*4882a593Smuzhiyun
144*4882a593Smuzhiyun /*
145*4882a593Smuzhiyun * Find card and transform secure key into protected key.
146*4882a593Smuzhiyun */
pkey_skey2pkey(const u8 * key,struct pkey_protkey * pkey)147*4882a593Smuzhiyun static int pkey_skey2pkey(const u8 *key, struct pkey_protkey *pkey)
148*4882a593Smuzhiyun {
149*4882a593Smuzhiyun int rc, verify;
150*4882a593Smuzhiyun u16 cardnr, domain;
151*4882a593Smuzhiyun struct keytoken_header *hdr = (struct keytoken_header *)key;
152*4882a593Smuzhiyun
153*4882a593Smuzhiyun /*
154*4882a593Smuzhiyun * The cca_xxx2protkey call may fail when a card has been
155*4882a593Smuzhiyun * addressed where the master key was changed after last fetch
156*4882a593Smuzhiyun * of the mkvp into the cache. Try 3 times: First witout verify
157*4882a593Smuzhiyun * then with verify and last round with verify and old master
158*4882a593Smuzhiyun * key verification pattern match not ignored.
159*4882a593Smuzhiyun */
160*4882a593Smuzhiyun for (verify = 0; verify < 3; verify++) {
161*4882a593Smuzhiyun rc = cca_findcard(key, &cardnr, &domain, verify);
162*4882a593Smuzhiyun if (rc < 0)
163*4882a593Smuzhiyun continue;
164*4882a593Smuzhiyun if (rc > 0 && verify < 2)
165*4882a593Smuzhiyun continue;
166*4882a593Smuzhiyun switch (hdr->version) {
167*4882a593Smuzhiyun case TOKVER_CCA_AES:
168*4882a593Smuzhiyun rc = cca_sec2protkey(cardnr, domain,
169*4882a593Smuzhiyun key, pkey->protkey,
170*4882a593Smuzhiyun &pkey->len, &pkey->type);
171*4882a593Smuzhiyun break;
172*4882a593Smuzhiyun case TOKVER_CCA_VLSC:
173*4882a593Smuzhiyun rc = cca_cipher2protkey(cardnr, domain,
174*4882a593Smuzhiyun key, pkey->protkey,
175*4882a593Smuzhiyun &pkey->len, &pkey->type);
176*4882a593Smuzhiyun break;
177*4882a593Smuzhiyun default:
178*4882a593Smuzhiyun return -EINVAL;
179*4882a593Smuzhiyun }
180*4882a593Smuzhiyun if (rc == 0)
181*4882a593Smuzhiyun break;
182*4882a593Smuzhiyun }
183*4882a593Smuzhiyun
184*4882a593Smuzhiyun if (rc)
185*4882a593Smuzhiyun DEBUG_DBG("%s failed rc=%d\n", __func__, rc);
186*4882a593Smuzhiyun
187*4882a593Smuzhiyun return rc;
188*4882a593Smuzhiyun }
189*4882a593Smuzhiyun
190*4882a593Smuzhiyun /*
191*4882a593Smuzhiyun * Construct EP11 key with given clear key value.
192*4882a593Smuzhiyun */
pkey_clr2ep11key(const u8 * clrkey,size_t clrkeylen,u8 * keybuf,size_t * keybuflen)193*4882a593Smuzhiyun static int pkey_clr2ep11key(const u8 *clrkey, size_t clrkeylen,
194*4882a593Smuzhiyun u8 *keybuf, size_t *keybuflen)
195*4882a593Smuzhiyun {
196*4882a593Smuzhiyun int i, rc;
197*4882a593Smuzhiyun u16 card, dom;
198*4882a593Smuzhiyun u32 nr_apqns, *apqns = NULL;
199*4882a593Smuzhiyun
200*4882a593Smuzhiyun /* build a list of apqns suitable for ep11 keys with cpacf support */
201*4882a593Smuzhiyun rc = ep11_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
202*4882a593Smuzhiyun ZCRYPT_CEX7, EP11_API_V, NULL);
203*4882a593Smuzhiyun if (rc)
204*4882a593Smuzhiyun goto out;
205*4882a593Smuzhiyun
206*4882a593Smuzhiyun /* go through the list of apqns and try to bild an ep11 key */
207*4882a593Smuzhiyun for (rc = -ENODEV, i = 0; i < nr_apqns; i++) {
208*4882a593Smuzhiyun card = apqns[i] >> 16;
209*4882a593Smuzhiyun dom = apqns[i] & 0xFFFF;
210*4882a593Smuzhiyun rc = ep11_clr2keyblob(card, dom, clrkeylen * 8,
211*4882a593Smuzhiyun 0, clrkey, keybuf, keybuflen);
212*4882a593Smuzhiyun if (rc == 0)
213*4882a593Smuzhiyun break;
214*4882a593Smuzhiyun }
215*4882a593Smuzhiyun
216*4882a593Smuzhiyun out:
217*4882a593Smuzhiyun kfree(apqns);
218*4882a593Smuzhiyun if (rc)
219*4882a593Smuzhiyun DEBUG_DBG("%s failed rc=%d\n", __func__, rc);
220*4882a593Smuzhiyun return rc;
221*4882a593Smuzhiyun }
222*4882a593Smuzhiyun
223*4882a593Smuzhiyun /*
224*4882a593Smuzhiyun * Find card and transform EP11 secure key into protected key.
225*4882a593Smuzhiyun */
pkey_ep11key2pkey(const u8 * key,struct pkey_protkey * pkey)226*4882a593Smuzhiyun static int pkey_ep11key2pkey(const u8 *key, struct pkey_protkey *pkey)
227*4882a593Smuzhiyun {
228*4882a593Smuzhiyun int i, rc;
229*4882a593Smuzhiyun u16 card, dom;
230*4882a593Smuzhiyun u32 nr_apqns, *apqns = NULL;
231*4882a593Smuzhiyun struct ep11keyblob *kb = (struct ep11keyblob *) key;
232*4882a593Smuzhiyun
233*4882a593Smuzhiyun /* build a list of apqns suitable for this key */
234*4882a593Smuzhiyun rc = ep11_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
235*4882a593Smuzhiyun ZCRYPT_CEX7, EP11_API_V, kb->wkvp);
236*4882a593Smuzhiyun if (rc)
237*4882a593Smuzhiyun goto out;
238*4882a593Smuzhiyun
239*4882a593Smuzhiyun /* go through the list of apqns and try to derive an pkey */
240*4882a593Smuzhiyun for (rc = -ENODEV, i = 0; i < nr_apqns; i++) {
241*4882a593Smuzhiyun card = apqns[i] >> 16;
242*4882a593Smuzhiyun dom = apqns[i] & 0xFFFF;
243*4882a593Smuzhiyun pkey->len = sizeof(pkey->protkey);
244*4882a593Smuzhiyun rc = ep11_kblob2protkey(card, dom, key, kb->head.len,
245*4882a593Smuzhiyun pkey->protkey, &pkey->len, &pkey->type);
246*4882a593Smuzhiyun if (rc == 0)
247*4882a593Smuzhiyun break;
248*4882a593Smuzhiyun }
249*4882a593Smuzhiyun
250*4882a593Smuzhiyun out:
251*4882a593Smuzhiyun kfree(apqns);
252*4882a593Smuzhiyun if (rc)
253*4882a593Smuzhiyun DEBUG_DBG("%s failed rc=%d\n", __func__, rc);
254*4882a593Smuzhiyun return rc;
255*4882a593Smuzhiyun }
256*4882a593Smuzhiyun
257*4882a593Smuzhiyun /*
258*4882a593Smuzhiyun * Verify key and give back some info about the key.
259*4882a593Smuzhiyun */
pkey_verifykey(const struct pkey_seckey * seckey,u16 * pcardnr,u16 * pdomain,u16 * pkeysize,u32 * pattributes)260*4882a593Smuzhiyun static int pkey_verifykey(const struct pkey_seckey *seckey,
261*4882a593Smuzhiyun u16 *pcardnr, u16 *pdomain,
262*4882a593Smuzhiyun u16 *pkeysize, u32 *pattributes)
263*4882a593Smuzhiyun {
264*4882a593Smuzhiyun struct secaeskeytoken *t = (struct secaeskeytoken *) seckey;
265*4882a593Smuzhiyun u16 cardnr, domain;
266*4882a593Smuzhiyun int rc;
267*4882a593Smuzhiyun
268*4882a593Smuzhiyun /* check the secure key for valid AES secure key */
269*4882a593Smuzhiyun rc = cca_check_secaeskeytoken(debug_info, 3, (u8 *) seckey, 0);
270*4882a593Smuzhiyun if (rc)
271*4882a593Smuzhiyun goto out;
272*4882a593Smuzhiyun if (pattributes)
273*4882a593Smuzhiyun *pattributes = PKEY_VERIFY_ATTR_AES;
274*4882a593Smuzhiyun if (pkeysize)
275*4882a593Smuzhiyun *pkeysize = t->bitsize;
276*4882a593Smuzhiyun
277*4882a593Smuzhiyun /* try to find a card which can handle this key */
278*4882a593Smuzhiyun rc = cca_findcard(seckey->seckey, &cardnr, &domain, 1);
279*4882a593Smuzhiyun if (rc < 0)
280*4882a593Smuzhiyun goto out;
281*4882a593Smuzhiyun
282*4882a593Smuzhiyun if (rc > 0) {
283*4882a593Smuzhiyun /* key mkvp matches to old master key mkvp */
284*4882a593Smuzhiyun DEBUG_DBG("%s secure key has old mkvp\n", __func__);
285*4882a593Smuzhiyun if (pattributes)
286*4882a593Smuzhiyun *pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
287*4882a593Smuzhiyun rc = 0;
288*4882a593Smuzhiyun }
289*4882a593Smuzhiyun
290*4882a593Smuzhiyun if (pcardnr)
291*4882a593Smuzhiyun *pcardnr = cardnr;
292*4882a593Smuzhiyun if (pdomain)
293*4882a593Smuzhiyun *pdomain = domain;
294*4882a593Smuzhiyun
295*4882a593Smuzhiyun out:
296*4882a593Smuzhiyun DEBUG_DBG("%s rc=%d\n", __func__, rc);
297*4882a593Smuzhiyun return rc;
298*4882a593Smuzhiyun }
299*4882a593Smuzhiyun
300*4882a593Smuzhiyun /*
301*4882a593Smuzhiyun * Generate a random protected key
302*4882a593Smuzhiyun */
pkey_genprotkey(u32 keytype,struct pkey_protkey * protkey)303*4882a593Smuzhiyun static int pkey_genprotkey(u32 keytype, struct pkey_protkey *protkey)
304*4882a593Smuzhiyun {
305*4882a593Smuzhiyun struct pkey_clrkey clrkey;
306*4882a593Smuzhiyun int keysize;
307*4882a593Smuzhiyun int rc;
308*4882a593Smuzhiyun
309*4882a593Smuzhiyun switch (keytype) {
310*4882a593Smuzhiyun case PKEY_KEYTYPE_AES_128:
311*4882a593Smuzhiyun keysize = 16;
312*4882a593Smuzhiyun break;
313*4882a593Smuzhiyun case PKEY_KEYTYPE_AES_192:
314*4882a593Smuzhiyun keysize = 24;
315*4882a593Smuzhiyun break;
316*4882a593Smuzhiyun case PKEY_KEYTYPE_AES_256:
317*4882a593Smuzhiyun keysize = 32;
318*4882a593Smuzhiyun break;
319*4882a593Smuzhiyun default:
320*4882a593Smuzhiyun DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__,
321*4882a593Smuzhiyun keytype);
322*4882a593Smuzhiyun return -EINVAL;
323*4882a593Smuzhiyun }
324*4882a593Smuzhiyun
325*4882a593Smuzhiyun /* generate a dummy random clear key */
326*4882a593Smuzhiyun get_random_bytes(clrkey.clrkey, keysize);
327*4882a593Smuzhiyun
328*4882a593Smuzhiyun /* convert it to a dummy protected key */
329*4882a593Smuzhiyun rc = pkey_clr2protkey(keytype, &clrkey, protkey);
330*4882a593Smuzhiyun if (rc)
331*4882a593Smuzhiyun return rc;
332*4882a593Smuzhiyun
333*4882a593Smuzhiyun /* replace the key part of the protected key with random bytes */
334*4882a593Smuzhiyun get_random_bytes(protkey->protkey, keysize);
335*4882a593Smuzhiyun
336*4882a593Smuzhiyun return 0;
337*4882a593Smuzhiyun }
338*4882a593Smuzhiyun
339*4882a593Smuzhiyun /*
340*4882a593Smuzhiyun * Verify if a protected key is still valid
341*4882a593Smuzhiyun */
pkey_verifyprotkey(const struct pkey_protkey * protkey)342*4882a593Smuzhiyun static int pkey_verifyprotkey(const struct pkey_protkey *protkey)
343*4882a593Smuzhiyun {
344*4882a593Smuzhiyun unsigned long fc;
345*4882a593Smuzhiyun struct {
346*4882a593Smuzhiyun u8 iv[AES_BLOCK_SIZE];
347*4882a593Smuzhiyun u8 key[MAXPROTKEYSIZE];
348*4882a593Smuzhiyun } param;
349*4882a593Smuzhiyun u8 null_msg[AES_BLOCK_SIZE];
350*4882a593Smuzhiyun u8 dest_buf[AES_BLOCK_SIZE];
351*4882a593Smuzhiyun unsigned int k;
352*4882a593Smuzhiyun
353*4882a593Smuzhiyun switch (protkey->type) {
354*4882a593Smuzhiyun case PKEY_KEYTYPE_AES_128:
355*4882a593Smuzhiyun fc = CPACF_KMC_PAES_128;
356*4882a593Smuzhiyun break;
357*4882a593Smuzhiyun case PKEY_KEYTYPE_AES_192:
358*4882a593Smuzhiyun fc = CPACF_KMC_PAES_192;
359*4882a593Smuzhiyun break;
360*4882a593Smuzhiyun case PKEY_KEYTYPE_AES_256:
361*4882a593Smuzhiyun fc = CPACF_KMC_PAES_256;
362*4882a593Smuzhiyun break;
363*4882a593Smuzhiyun default:
364*4882a593Smuzhiyun DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__,
365*4882a593Smuzhiyun protkey->type);
366*4882a593Smuzhiyun return -EINVAL;
367*4882a593Smuzhiyun }
368*4882a593Smuzhiyun
369*4882a593Smuzhiyun memset(null_msg, 0, sizeof(null_msg));
370*4882a593Smuzhiyun
371*4882a593Smuzhiyun memset(param.iv, 0, sizeof(param.iv));
372*4882a593Smuzhiyun memcpy(param.key, protkey->protkey, sizeof(param.key));
373*4882a593Smuzhiyun
374*4882a593Smuzhiyun k = cpacf_kmc(fc | CPACF_ENCRYPT, ¶m, null_msg, dest_buf,
375*4882a593Smuzhiyun sizeof(null_msg));
376*4882a593Smuzhiyun if (k != sizeof(null_msg)) {
377*4882a593Smuzhiyun DEBUG_ERR("%s protected key is not valid\n", __func__);
378*4882a593Smuzhiyun return -EKEYREJECTED;
379*4882a593Smuzhiyun }
380*4882a593Smuzhiyun
381*4882a593Smuzhiyun return 0;
382*4882a593Smuzhiyun }
383*4882a593Smuzhiyun
384*4882a593Smuzhiyun /*
385*4882a593Smuzhiyun * Transform a non-CCA key token into a protected key
386*4882a593Smuzhiyun */
pkey_nonccatok2pkey(const u8 * key,u32 keylen,struct pkey_protkey * protkey)387*4882a593Smuzhiyun static int pkey_nonccatok2pkey(const u8 *key, u32 keylen,
388*4882a593Smuzhiyun struct pkey_protkey *protkey)
389*4882a593Smuzhiyun {
390*4882a593Smuzhiyun int rc = -EINVAL;
391*4882a593Smuzhiyun u8 *tmpbuf = NULL;
392*4882a593Smuzhiyun struct keytoken_header *hdr = (struct keytoken_header *)key;
393*4882a593Smuzhiyun
394*4882a593Smuzhiyun switch (hdr->version) {
395*4882a593Smuzhiyun case TOKVER_PROTECTED_KEY: {
396*4882a593Smuzhiyun struct protaeskeytoken *t;
397*4882a593Smuzhiyun
398*4882a593Smuzhiyun if (keylen != sizeof(struct protaeskeytoken))
399*4882a593Smuzhiyun goto out;
400*4882a593Smuzhiyun t = (struct protaeskeytoken *)key;
401*4882a593Smuzhiyun protkey->len = t->len;
402*4882a593Smuzhiyun protkey->type = t->keytype;
403*4882a593Smuzhiyun memcpy(protkey->protkey, t->protkey,
404*4882a593Smuzhiyun sizeof(protkey->protkey));
405*4882a593Smuzhiyun rc = pkey_verifyprotkey(protkey);
406*4882a593Smuzhiyun break;
407*4882a593Smuzhiyun }
408*4882a593Smuzhiyun case TOKVER_CLEAR_KEY: {
409*4882a593Smuzhiyun struct clearaeskeytoken *t;
410*4882a593Smuzhiyun struct pkey_clrkey ckey;
411*4882a593Smuzhiyun union u_tmpbuf {
412*4882a593Smuzhiyun u8 skey[SECKEYBLOBSIZE];
413*4882a593Smuzhiyun u8 ep11key[MAXEP11AESKEYBLOBSIZE];
414*4882a593Smuzhiyun };
415*4882a593Smuzhiyun size_t tmpbuflen = sizeof(union u_tmpbuf);
416*4882a593Smuzhiyun
417*4882a593Smuzhiyun if (keylen < sizeof(struct clearaeskeytoken))
418*4882a593Smuzhiyun goto out;
419*4882a593Smuzhiyun t = (struct clearaeskeytoken *)key;
420*4882a593Smuzhiyun if (keylen != sizeof(*t) + t->len)
421*4882a593Smuzhiyun goto out;
422*4882a593Smuzhiyun if ((t->keytype == PKEY_KEYTYPE_AES_128 && t->len == 16)
423*4882a593Smuzhiyun || (t->keytype == PKEY_KEYTYPE_AES_192 && t->len == 24)
424*4882a593Smuzhiyun || (t->keytype == PKEY_KEYTYPE_AES_256 && t->len == 32))
425*4882a593Smuzhiyun memcpy(ckey.clrkey, t->clearkey, t->len);
426*4882a593Smuzhiyun else
427*4882a593Smuzhiyun goto out;
428*4882a593Smuzhiyun /* alloc temp key buffer space */
429*4882a593Smuzhiyun tmpbuf = kmalloc(tmpbuflen, GFP_ATOMIC);
430*4882a593Smuzhiyun if (!tmpbuf) {
431*4882a593Smuzhiyun rc = -ENOMEM;
432*4882a593Smuzhiyun goto out;
433*4882a593Smuzhiyun }
434*4882a593Smuzhiyun /* try direct way with the PCKMO instruction */
435*4882a593Smuzhiyun rc = pkey_clr2protkey(t->keytype, &ckey, protkey);
436*4882a593Smuzhiyun if (rc == 0)
437*4882a593Smuzhiyun break;
438*4882a593Smuzhiyun /* PCKMO failed, so try the CCA secure key way */
439*4882a593Smuzhiyun rc = cca_clr2seckey(0xFFFF, 0xFFFF, t->keytype,
440*4882a593Smuzhiyun ckey.clrkey, tmpbuf);
441*4882a593Smuzhiyun if (rc == 0)
442*4882a593Smuzhiyun rc = pkey_skey2pkey(tmpbuf, protkey);
443*4882a593Smuzhiyun if (rc == 0)
444*4882a593Smuzhiyun break;
445*4882a593Smuzhiyun /* if the CCA way also failed, let's try via EP11 */
446*4882a593Smuzhiyun rc = pkey_clr2ep11key(ckey.clrkey, t->len,
447*4882a593Smuzhiyun tmpbuf, &tmpbuflen);
448*4882a593Smuzhiyun if (rc == 0)
449*4882a593Smuzhiyun rc = pkey_ep11key2pkey(tmpbuf, protkey);
450*4882a593Smuzhiyun /* now we should really have an protected key */
451*4882a593Smuzhiyun DEBUG_ERR("%s unable to build protected key from clear",
452*4882a593Smuzhiyun __func__);
453*4882a593Smuzhiyun break;
454*4882a593Smuzhiyun }
455*4882a593Smuzhiyun case TOKVER_EP11_AES: {
456*4882a593Smuzhiyun /* check ep11 key for exportable as protected key */
457*4882a593Smuzhiyun rc = ep11_check_aes_key(debug_info, 3, key, keylen, 1);
458*4882a593Smuzhiyun if (rc)
459*4882a593Smuzhiyun goto out;
460*4882a593Smuzhiyun rc = pkey_ep11key2pkey(key, protkey);
461*4882a593Smuzhiyun break;
462*4882a593Smuzhiyun }
463*4882a593Smuzhiyun case TOKVER_EP11_AES_WITH_HEADER:
464*4882a593Smuzhiyun /* check ep11 key with header for exportable as protected key */
465*4882a593Smuzhiyun rc = ep11_check_aes_key_with_hdr(debug_info, 3, key, keylen, 1);
466*4882a593Smuzhiyun if (rc)
467*4882a593Smuzhiyun goto out;
468*4882a593Smuzhiyun rc = pkey_ep11key2pkey(key + sizeof(struct ep11kblob_header),
469*4882a593Smuzhiyun protkey);
470*4882a593Smuzhiyun break;
471*4882a593Smuzhiyun default:
472*4882a593Smuzhiyun DEBUG_ERR("%s unknown/unsupported non-CCA token version %d\n",
473*4882a593Smuzhiyun __func__, hdr->version);
474*4882a593Smuzhiyun rc = -EINVAL;
475*4882a593Smuzhiyun }
476*4882a593Smuzhiyun
477*4882a593Smuzhiyun out:
478*4882a593Smuzhiyun kfree(tmpbuf);
479*4882a593Smuzhiyun return rc;
480*4882a593Smuzhiyun }
481*4882a593Smuzhiyun
482*4882a593Smuzhiyun /*
483*4882a593Smuzhiyun * Transform a CCA internal key token into a protected key
484*4882a593Smuzhiyun */
pkey_ccainttok2pkey(const u8 * key,u32 keylen,struct pkey_protkey * protkey)485*4882a593Smuzhiyun static int pkey_ccainttok2pkey(const u8 *key, u32 keylen,
486*4882a593Smuzhiyun struct pkey_protkey *protkey)
487*4882a593Smuzhiyun {
488*4882a593Smuzhiyun struct keytoken_header *hdr = (struct keytoken_header *)key;
489*4882a593Smuzhiyun
490*4882a593Smuzhiyun switch (hdr->version) {
491*4882a593Smuzhiyun case TOKVER_CCA_AES:
492*4882a593Smuzhiyun if (keylen != sizeof(struct secaeskeytoken))
493*4882a593Smuzhiyun return -EINVAL;
494*4882a593Smuzhiyun break;
495*4882a593Smuzhiyun case TOKVER_CCA_VLSC:
496*4882a593Smuzhiyun if (keylen < hdr->len || keylen > MAXCCAVLSCTOKENSIZE)
497*4882a593Smuzhiyun return -EINVAL;
498*4882a593Smuzhiyun break;
499*4882a593Smuzhiyun default:
500*4882a593Smuzhiyun DEBUG_ERR("%s unknown/unsupported CCA internal token version %d\n",
501*4882a593Smuzhiyun __func__, hdr->version);
502*4882a593Smuzhiyun return -EINVAL;
503*4882a593Smuzhiyun }
504*4882a593Smuzhiyun
505*4882a593Smuzhiyun return pkey_skey2pkey(key, protkey);
506*4882a593Smuzhiyun }
507*4882a593Smuzhiyun
508*4882a593Smuzhiyun /*
509*4882a593Smuzhiyun * Transform a key blob (of any type) into a protected key
510*4882a593Smuzhiyun */
pkey_keyblob2pkey(const u8 * key,u32 keylen,struct pkey_protkey * protkey)511*4882a593Smuzhiyun int pkey_keyblob2pkey(const u8 *key, u32 keylen,
512*4882a593Smuzhiyun struct pkey_protkey *protkey)
513*4882a593Smuzhiyun {
514*4882a593Smuzhiyun int rc;
515*4882a593Smuzhiyun struct keytoken_header *hdr = (struct keytoken_header *)key;
516*4882a593Smuzhiyun
517*4882a593Smuzhiyun if (keylen < sizeof(struct keytoken_header)) {
518*4882a593Smuzhiyun DEBUG_ERR("%s invalid keylen %d\n", __func__, keylen);
519*4882a593Smuzhiyun return -EINVAL;
520*4882a593Smuzhiyun }
521*4882a593Smuzhiyun
522*4882a593Smuzhiyun switch (hdr->type) {
523*4882a593Smuzhiyun case TOKTYPE_NON_CCA:
524*4882a593Smuzhiyun rc = pkey_nonccatok2pkey(key, keylen, protkey);
525*4882a593Smuzhiyun break;
526*4882a593Smuzhiyun case TOKTYPE_CCA_INTERNAL:
527*4882a593Smuzhiyun rc = pkey_ccainttok2pkey(key, keylen, protkey);
528*4882a593Smuzhiyun break;
529*4882a593Smuzhiyun default:
530*4882a593Smuzhiyun DEBUG_ERR("%s unknown/unsupported blob type %d\n",
531*4882a593Smuzhiyun __func__, hdr->type);
532*4882a593Smuzhiyun return -EINVAL;
533*4882a593Smuzhiyun }
534*4882a593Smuzhiyun
535*4882a593Smuzhiyun DEBUG_DBG("%s rc=%d\n", __func__, rc);
536*4882a593Smuzhiyun return rc;
537*4882a593Smuzhiyun
538*4882a593Smuzhiyun }
539*4882a593Smuzhiyun EXPORT_SYMBOL(pkey_keyblob2pkey);
540*4882a593Smuzhiyun
pkey_genseckey2(const struct pkey_apqn * apqns,size_t nr_apqns,enum pkey_key_type ktype,enum pkey_key_size ksize,u32 kflags,u8 * keybuf,size_t * keybufsize)541*4882a593Smuzhiyun static int pkey_genseckey2(const struct pkey_apqn *apqns, size_t nr_apqns,
542*4882a593Smuzhiyun enum pkey_key_type ktype, enum pkey_key_size ksize,
543*4882a593Smuzhiyun u32 kflags, u8 *keybuf, size_t *keybufsize)
544*4882a593Smuzhiyun {
545*4882a593Smuzhiyun int i, card, dom, rc;
546*4882a593Smuzhiyun
547*4882a593Smuzhiyun /* check for at least one apqn given */
548*4882a593Smuzhiyun if (!apqns || !nr_apqns)
549*4882a593Smuzhiyun return -EINVAL;
550*4882a593Smuzhiyun
551*4882a593Smuzhiyun /* check key type and size */
552*4882a593Smuzhiyun switch (ktype) {
553*4882a593Smuzhiyun case PKEY_TYPE_CCA_DATA:
554*4882a593Smuzhiyun case PKEY_TYPE_CCA_CIPHER:
555*4882a593Smuzhiyun if (*keybufsize < SECKEYBLOBSIZE)
556*4882a593Smuzhiyun return -EINVAL;
557*4882a593Smuzhiyun break;
558*4882a593Smuzhiyun case PKEY_TYPE_EP11:
559*4882a593Smuzhiyun if (*keybufsize < MINEP11AESKEYBLOBSIZE)
560*4882a593Smuzhiyun return -EINVAL;
561*4882a593Smuzhiyun break;
562*4882a593Smuzhiyun default:
563*4882a593Smuzhiyun return -EINVAL;
564*4882a593Smuzhiyun }
565*4882a593Smuzhiyun switch (ksize) {
566*4882a593Smuzhiyun case PKEY_SIZE_AES_128:
567*4882a593Smuzhiyun case PKEY_SIZE_AES_192:
568*4882a593Smuzhiyun case PKEY_SIZE_AES_256:
569*4882a593Smuzhiyun break;
570*4882a593Smuzhiyun default:
571*4882a593Smuzhiyun return -EINVAL;
572*4882a593Smuzhiyun }
573*4882a593Smuzhiyun
574*4882a593Smuzhiyun /* simple try all apqns from the list */
575*4882a593Smuzhiyun for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
576*4882a593Smuzhiyun card = apqns[i].card;
577*4882a593Smuzhiyun dom = apqns[i].domain;
578*4882a593Smuzhiyun if (ktype == PKEY_TYPE_EP11) {
579*4882a593Smuzhiyun rc = ep11_genaeskey(card, dom, ksize, kflags,
580*4882a593Smuzhiyun keybuf, keybufsize);
581*4882a593Smuzhiyun } else if (ktype == PKEY_TYPE_CCA_DATA) {
582*4882a593Smuzhiyun rc = cca_genseckey(card, dom, ksize, keybuf);
583*4882a593Smuzhiyun *keybufsize = (rc ? 0 : SECKEYBLOBSIZE);
584*4882a593Smuzhiyun } else /* TOKVER_CCA_VLSC */
585*4882a593Smuzhiyun rc = cca_gencipherkey(card, dom, ksize, kflags,
586*4882a593Smuzhiyun keybuf, keybufsize);
587*4882a593Smuzhiyun if (rc == 0)
588*4882a593Smuzhiyun break;
589*4882a593Smuzhiyun }
590*4882a593Smuzhiyun
591*4882a593Smuzhiyun return rc;
592*4882a593Smuzhiyun }
593*4882a593Smuzhiyun
pkey_clr2seckey2(const struct pkey_apqn * apqns,size_t nr_apqns,enum pkey_key_type ktype,enum pkey_key_size ksize,u32 kflags,const u8 * clrkey,u8 * keybuf,size_t * keybufsize)594*4882a593Smuzhiyun static int pkey_clr2seckey2(const struct pkey_apqn *apqns, size_t nr_apqns,
595*4882a593Smuzhiyun enum pkey_key_type ktype, enum pkey_key_size ksize,
596*4882a593Smuzhiyun u32 kflags, const u8 *clrkey,
597*4882a593Smuzhiyun u8 *keybuf, size_t *keybufsize)
598*4882a593Smuzhiyun {
599*4882a593Smuzhiyun int i, card, dom, rc;
600*4882a593Smuzhiyun
601*4882a593Smuzhiyun /* check for at least one apqn given */
602*4882a593Smuzhiyun if (!apqns || !nr_apqns)
603*4882a593Smuzhiyun return -EINVAL;
604*4882a593Smuzhiyun
605*4882a593Smuzhiyun /* check key type and size */
606*4882a593Smuzhiyun switch (ktype) {
607*4882a593Smuzhiyun case PKEY_TYPE_CCA_DATA:
608*4882a593Smuzhiyun case PKEY_TYPE_CCA_CIPHER:
609*4882a593Smuzhiyun if (*keybufsize < SECKEYBLOBSIZE)
610*4882a593Smuzhiyun return -EINVAL;
611*4882a593Smuzhiyun break;
612*4882a593Smuzhiyun case PKEY_TYPE_EP11:
613*4882a593Smuzhiyun if (*keybufsize < MINEP11AESKEYBLOBSIZE)
614*4882a593Smuzhiyun return -EINVAL;
615*4882a593Smuzhiyun break;
616*4882a593Smuzhiyun default:
617*4882a593Smuzhiyun return -EINVAL;
618*4882a593Smuzhiyun }
619*4882a593Smuzhiyun switch (ksize) {
620*4882a593Smuzhiyun case PKEY_SIZE_AES_128:
621*4882a593Smuzhiyun case PKEY_SIZE_AES_192:
622*4882a593Smuzhiyun case PKEY_SIZE_AES_256:
623*4882a593Smuzhiyun break;
624*4882a593Smuzhiyun default:
625*4882a593Smuzhiyun return -EINVAL;
626*4882a593Smuzhiyun }
627*4882a593Smuzhiyun
628*4882a593Smuzhiyun /* simple try all apqns from the list */
629*4882a593Smuzhiyun for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
630*4882a593Smuzhiyun card = apqns[i].card;
631*4882a593Smuzhiyun dom = apqns[i].domain;
632*4882a593Smuzhiyun if (ktype == PKEY_TYPE_EP11) {
633*4882a593Smuzhiyun rc = ep11_clr2keyblob(card, dom, ksize, kflags,
634*4882a593Smuzhiyun clrkey, keybuf, keybufsize);
635*4882a593Smuzhiyun } else if (ktype == PKEY_TYPE_CCA_DATA) {
636*4882a593Smuzhiyun rc = cca_clr2seckey(card, dom, ksize,
637*4882a593Smuzhiyun clrkey, keybuf);
638*4882a593Smuzhiyun *keybufsize = (rc ? 0 : SECKEYBLOBSIZE);
639*4882a593Smuzhiyun } else /* TOKVER_CCA_VLSC */
640*4882a593Smuzhiyun rc = cca_clr2cipherkey(card, dom, ksize, kflags,
641*4882a593Smuzhiyun clrkey, keybuf, keybufsize);
642*4882a593Smuzhiyun if (rc == 0)
643*4882a593Smuzhiyun break;
644*4882a593Smuzhiyun }
645*4882a593Smuzhiyun
646*4882a593Smuzhiyun return rc;
647*4882a593Smuzhiyun }
648*4882a593Smuzhiyun
pkey_verifykey2(const u8 * key,size_t keylen,u16 * cardnr,u16 * domain,enum pkey_key_type * ktype,enum pkey_key_size * ksize,u32 * flags)649*4882a593Smuzhiyun static int pkey_verifykey2(const u8 *key, size_t keylen,
650*4882a593Smuzhiyun u16 *cardnr, u16 *domain,
651*4882a593Smuzhiyun enum pkey_key_type *ktype,
652*4882a593Smuzhiyun enum pkey_key_size *ksize, u32 *flags)
653*4882a593Smuzhiyun {
654*4882a593Smuzhiyun int rc;
655*4882a593Smuzhiyun u32 _nr_apqns, *_apqns = NULL;
656*4882a593Smuzhiyun struct keytoken_header *hdr = (struct keytoken_header *)key;
657*4882a593Smuzhiyun
658*4882a593Smuzhiyun if (keylen < sizeof(struct keytoken_header))
659*4882a593Smuzhiyun return -EINVAL;
660*4882a593Smuzhiyun
661*4882a593Smuzhiyun if (hdr->type == TOKTYPE_CCA_INTERNAL
662*4882a593Smuzhiyun && hdr->version == TOKVER_CCA_AES) {
663*4882a593Smuzhiyun struct secaeskeytoken *t = (struct secaeskeytoken *)key;
664*4882a593Smuzhiyun
665*4882a593Smuzhiyun rc = cca_check_secaeskeytoken(debug_info, 3, key, 0);
666*4882a593Smuzhiyun if (rc)
667*4882a593Smuzhiyun goto out;
668*4882a593Smuzhiyun if (ktype)
669*4882a593Smuzhiyun *ktype = PKEY_TYPE_CCA_DATA;
670*4882a593Smuzhiyun if (ksize)
671*4882a593Smuzhiyun *ksize = (enum pkey_key_size) t->bitsize;
672*4882a593Smuzhiyun
673*4882a593Smuzhiyun rc = cca_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
674*4882a593Smuzhiyun ZCRYPT_CEX3C, AES_MK_SET, t->mkvp, 0, 1);
675*4882a593Smuzhiyun if (rc == 0 && flags)
676*4882a593Smuzhiyun *flags = PKEY_FLAGS_MATCH_CUR_MKVP;
677*4882a593Smuzhiyun if (rc == -ENODEV) {
678*4882a593Smuzhiyun rc = cca_findcard2(&_apqns, &_nr_apqns,
679*4882a593Smuzhiyun *cardnr, *domain,
680*4882a593Smuzhiyun ZCRYPT_CEX3C, AES_MK_SET,
681*4882a593Smuzhiyun 0, t->mkvp, 1);
682*4882a593Smuzhiyun if (rc == 0 && flags)
683*4882a593Smuzhiyun *flags = PKEY_FLAGS_MATCH_ALT_MKVP;
684*4882a593Smuzhiyun }
685*4882a593Smuzhiyun if (rc)
686*4882a593Smuzhiyun goto out;
687*4882a593Smuzhiyun
688*4882a593Smuzhiyun *cardnr = ((struct pkey_apqn *)_apqns)->card;
689*4882a593Smuzhiyun *domain = ((struct pkey_apqn *)_apqns)->domain;
690*4882a593Smuzhiyun
691*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_CCA_INTERNAL
692*4882a593Smuzhiyun && hdr->version == TOKVER_CCA_VLSC) {
693*4882a593Smuzhiyun struct cipherkeytoken *t = (struct cipherkeytoken *)key;
694*4882a593Smuzhiyun
695*4882a593Smuzhiyun rc = cca_check_secaescipherkey(debug_info, 3, key, 0, 1);
696*4882a593Smuzhiyun if (rc)
697*4882a593Smuzhiyun goto out;
698*4882a593Smuzhiyun if (ktype)
699*4882a593Smuzhiyun *ktype = PKEY_TYPE_CCA_CIPHER;
700*4882a593Smuzhiyun if (ksize) {
701*4882a593Smuzhiyun *ksize = PKEY_SIZE_UNKNOWN;
702*4882a593Smuzhiyun if (!t->plfver && t->wpllen == 512)
703*4882a593Smuzhiyun *ksize = PKEY_SIZE_AES_128;
704*4882a593Smuzhiyun else if (!t->plfver && t->wpllen == 576)
705*4882a593Smuzhiyun *ksize = PKEY_SIZE_AES_192;
706*4882a593Smuzhiyun else if (!t->plfver && t->wpllen == 640)
707*4882a593Smuzhiyun *ksize = PKEY_SIZE_AES_256;
708*4882a593Smuzhiyun }
709*4882a593Smuzhiyun
710*4882a593Smuzhiyun rc = cca_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
711*4882a593Smuzhiyun ZCRYPT_CEX6, AES_MK_SET, t->mkvp0, 0, 1);
712*4882a593Smuzhiyun if (rc == 0 && flags)
713*4882a593Smuzhiyun *flags = PKEY_FLAGS_MATCH_CUR_MKVP;
714*4882a593Smuzhiyun if (rc == -ENODEV) {
715*4882a593Smuzhiyun rc = cca_findcard2(&_apqns, &_nr_apqns,
716*4882a593Smuzhiyun *cardnr, *domain,
717*4882a593Smuzhiyun ZCRYPT_CEX6, AES_MK_SET,
718*4882a593Smuzhiyun 0, t->mkvp0, 1);
719*4882a593Smuzhiyun if (rc == 0 && flags)
720*4882a593Smuzhiyun *flags = PKEY_FLAGS_MATCH_ALT_MKVP;
721*4882a593Smuzhiyun }
722*4882a593Smuzhiyun if (rc)
723*4882a593Smuzhiyun goto out;
724*4882a593Smuzhiyun
725*4882a593Smuzhiyun *cardnr = ((struct pkey_apqn *)_apqns)->card;
726*4882a593Smuzhiyun *domain = ((struct pkey_apqn *)_apqns)->domain;
727*4882a593Smuzhiyun
728*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_NON_CCA
729*4882a593Smuzhiyun && hdr->version == TOKVER_EP11_AES) {
730*4882a593Smuzhiyun struct ep11keyblob *kb = (struct ep11keyblob *)key;
731*4882a593Smuzhiyun
732*4882a593Smuzhiyun rc = ep11_check_aes_key(debug_info, 3, key, keylen, 1);
733*4882a593Smuzhiyun if (rc)
734*4882a593Smuzhiyun goto out;
735*4882a593Smuzhiyun if (ktype)
736*4882a593Smuzhiyun *ktype = PKEY_TYPE_EP11;
737*4882a593Smuzhiyun if (ksize)
738*4882a593Smuzhiyun *ksize = kb->head.keybitlen;
739*4882a593Smuzhiyun
740*4882a593Smuzhiyun rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
741*4882a593Smuzhiyun ZCRYPT_CEX7, EP11_API_V, kb->wkvp);
742*4882a593Smuzhiyun if (rc)
743*4882a593Smuzhiyun goto out;
744*4882a593Smuzhiyun
745*4882a593Smuzhiyun if (flags)
746*4882a593Smuzhiyun *flags = PKEY_FLAGS_MATCH_CUR_MKVP;
747*4882a593Smuzhiyun
748*4882a593Smuzhiyun *cardnr = ((struct pkey_apqn *)_apqns)->card;
749*4882a593Smuzhiyun *domain = ((struct pkey_apqn *)_apqns)->domain;
750*4882a593Smuzhiyun
751*4882a593Smuzhiyun } else
752*4882a593Smuzhiyun rc = -EINVAL;
753*4882a593Smuzhiyun
754*4882a593Smuzhiyun out:
755*4882a593Smuzhiyun kfree(_apqns);
756*4882a593Smuzhiyun return rc;
757*4882a593Smuzhiyun }
758*4882a593Smuzhiyun
pkey_keyblob2pkey2(const struct pkey_apqn * apqns,size_t nr_apqns,const u8 * key,size_t keylen,struct pkey_protkey * pkey)759*4882a593Smuzhiyun static int pkey_keyblob2pkey2(const struct pkey_apqn *apqns, size_t nr_apqns,
760*4882a593Smuzhiyun const u8 *key, size_t keylen,
761*4882a593Smuzhiyun struct pkey_protkey *pkey)
762*4882a593Smuzhiyun {
763*4882a593Smuzhiyun int i, card, dom, rc;
764*4882a593Smuzhiyun struct keytoken_header *hdr = (struct keytoken_header *)key;
765*4882a593Smuzhiyun
766*4882a593Smuzhiyun /* check for at least one apqn given */
767*4882a593Smuzhiyun if (!apqns || !nr_apqns)
768*4882a593Smuzhiyun return -EINVAL;
769*4882a593Smuzhiyun
770*4882a593Smuzhiyun if (keylen < sizeof(struct keytoken_header))
771*4882a593Smuzhiyun return -EINVAL;
772*4882a593Smuzhiyun
773*4882a593Smuzhiyun if (hdr->type == TOKTYPE_CCA_INTERNAL) {
774*4882a593Smuzhiyun if (hdr->version == TOKVER_CCA_AES) {
775*4882a593Smuzhiyun if (keylen != sizeof(struct secaeskeytoken))
776*4882a593Smuzhiyun return -EINVAL;
777*4882a593Smuzhiyun if (cca_check_secaeskeytoken(debug_info, 3, key, 0))
778*4882a593Smuzhiyun return -EINVAL;
779*4882a593Smuzhiyun } else if (hdr->version == TOKVER_CCA_VLSC) {
780*4882a593Smuzhiyun if (keylen < hdr->len || keylen > MAXCCAVLSCTOKENSIZE)
781*4882a593Smuzhiyun return -EINVAL;
782*4882a593Smuzhiyun if (cca_check_secaescipherkey(debug_info, 3, key, 0, 1))
783*4882a593Smuzhiyun return -EINVAL;
784*4882a593Smuzhiyun } else {
785*4882a593Smuzhiyun DEBUG_ERR("%s unknown CCA internal token version %d\n",
786*4882a593Smuzhiyun __func__, hdr->version);
787*4882a593Smuzhiyun return -EINVAL;
788*4882a593Smuzhiyun }
789*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_NON_CCA) {
790*4882a593Smuzhiyun if (hdr->version == TOKVER_EP11_AES) {
791*4882a593Smuzhiyun if (keylen < sizeof(struct ep11keyblob))
792*4882a593Smuzhiyun return -EINVAL;
793*4882a593Smuzhiyun if (ep11_check_aes_key(debug_info, 3, key, keylen, 1))
794*4882a593Smuzhiyun return -EINVAL;
795*4882a593Smuzhiyun } else {
796*4882a593Smuzhiyun return pkey_nonccatok2pkey(key, keylen, pkey);
797*4882a593Smuzhiyun }
798*4882a593Smuzhiyun } else {
799*4882a593Smuzhiyun DEBUG_ERR("%s unknown/unsupported blob type %d\n",
800*4882a593Smuzhiyun __func__, hdr->type);
801*4882a593Smuzhiyun return -EINVAL;
802*4882a593Smuzhiyun }
803*4882a593Smuzhiyun
804*4882a593Smuzhiyun /* simple try all apqns from the list */
805*4882a593Smuzhiyun for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
806*4882a593Smuzhiyun card = apqns[i].card;
807*4882a593Smuzhiyun dom = apqns[i].domain;
808*4882a593Smuzhiyun if (hdr->type == TOKTYPE_CCA_INTERNAL
809*4882a593Smuzhiyun && hdr->version == TOKVER_CCA_AES)
810*4882a593Smuzhiyun rc = cca_sec2protkey(card, dom, key, pkey->protkey,
811*4882a593Smuzhiyun &pkey->len, &pkey->type);
812*4882a593Smuzhiyun else if (hdr->type == TOKTYPE_CCA_INTERNAL
813*4882a593Smuzhiyun && hdr->version == TOKVER_CCA_VLSC)
814*4882a593Smuzhiyun rc = cca_cipher2protkey(card, dom, key, pkey->protkey,
815*4882a593Smuzhiyun &pkey->len, &pkey->type);
816*4882a593Smuzhiyun else { /* EP11 AES secure key blob */
817*4882a593Smuzhiyun struct ep11keyblob *kb = (struct ep11keyblob *) key;
818*4882a593Smuzhiyun
819*4882a593Smuzhiyun pkey->len = sizeof(pkey->protkey);
820*4882a593Smuzhiyun rc = ep11_kblob2protkey(card, dom, key, kb->head.len,
821*4882a593Smuzhiyun pkey->protkey, &pkey->len,
822*4882a593Smuzhiyun &pkey->type);
823*4882a593Smuzhiyun }
824*4882a593Smuzhiyun if (rc == 0)
825*4882a593Smuzhiyun break;
826*4882a593Smuzhiyun }
827*4882a593Smuzhiyun
828*4882a593Smuzhiyun return rc;
829*4882a593Smuzhiyun }
830*4882a593Smuzhiyun
pkey_apqns4key(const u8 * key,size_t keylen,u32 flags,struct pkey_apqn * apqns,size_t * nr_apqns)831*4882a593Smuzhiyun static int pkey_apqns4key(const u8 *key, size_t keylen, u32 flags,
832*4882a593Smuzhiyun struct pkey_apqn *apqns, size_t *nr_apqns)
833*4882a593Smuzhiyun {
834*4882a593Smuzhiyun int rc;
835*4882a593Smuzhiyun u32 _nr_apqns, *_apqns = NULL;
836*4882a593Smuzhiyun struct keytoken_header *hdr = (struct keytoken_header *)key;
837*4882a593Smuzhiyun
838*4882a593Smuzhiyun if (keylen < sizeof(struct keytoken_header) || flags == 0)
839*4882a593Smuzhiyun return -EINVAL;
840*4882a593Smuzhiyun
841*4882a593Smuzhiyun if (hdr->type == TOKTYPE_NON_CCA
842*4882a593Smuzhiyun && (hdr->version == TOKVER_EP11_AES_WITH_HEADER
843*4882a593Smuzhiyun || hdr->version == TOKVER_EP11_ECC_WITH_HEADER)
844*4882a593Smuzhiyun && is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) {
845*4882a593Smuzhiyun int minhwtype = 0, api = 0;
846*4882a593Smuzhiyun struct ep11keyblob *kb = (struct ep11keyblob *)
847*4882a593Smuzhiyun (key + sizeof(struct ep11kblob_header));
848*4882a593Smuzhiyun
849*4882a593Smuzhiyun if (flags != PKEY_FLAGS_MATCH_CUR_MKVP)
850*4882a593Smuzhiyun return -EINVAL;
851*4882a593Smuzhiyun if (kb->attr & EP11_BLOB_PKEY_EXTRACTABLE) {
852*4882a593Smuzhiyun minhwtype = ZCRYPT_CEX7;
853*4882a593Smuzhiyun api = EP11_API_V;
854*4882a593Smuzhiyun }
855*4882a593Smuzhiyun rc = ep11_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
856*4882a593Smuzhiyun minhwtype, api, kb->wkvp);
857*4882a593Smuzhiyun if (rc)
858*4882a593Smuzhiyun goto out;
859*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_NON_CCA
860*4882a593Smuzhiyun && hdr->version == TOKVER_EP11_AES
861*4882a593Smuzhiyun && is_ep11_keyblob(key)) {
862*4882a593Smuzhiyun int minhwtype = 0, api = 0;
863*4882a593Smuzhiyun struct ep11keyblob *kb = (struct ep11keyblob *) key;
864*4882a593Smuzhiyun
865*4882a593Smuzhiyun if (flags != PKEY_FLAGS_MATCH_CUR_MKVP)
866*4882a593Smuzhiyun return -EINVAL;
867*4882a593Smuzhiyun if (kb->attr & EP11_BLOB_PKEY_EXTRACTABLE) {
868*4882a593Smuzhiyun minhwtype = ZCRYPT_CEX7;
869*4882a593Smuzhiyun api = EP11_API_V;
870*4882a593Smuzhiyun }
871*4882a593Smuzhiyun rc = ep11_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
872*4882a593Smuzhiyun minhwtype, api, kb->wkvp);
873*4882a593Smuzhiyun if (rc)
874*4882a593Smuzhiyun goto out;
875*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_CCA_INTERNAL) {
876*4882a593Smuzhiyun int minhwtype = ZCRYPT_CEX3C;
877*4882a593Smuzhiyun u64 cur_mkvp = 0, old_mkvp = 0;
878*4882a593Smuzhiyun
879*4882a593Smuzhiyun if (hdr->version == TOKVER_CCA_AES) {
880*4882a593Smuzhiyun struct secaeskeytoken *t = (struct secaeskeytoken *)key;
881*4882a593Smuzhiyun
882*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
883*4882a593Smuzhiyun cur_mkvp = t->mkvp;
884*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
885*4882a593Smuzhiyun old_mkvp = t->mkvp;
886*4882a593Smuzhiyun } else if (hdr->version == TOKVER_CCA_VLSC) {
887*4882a593Smuzhiyun struct cipherkeytoken *t = (struct cipherkeytoken *)key;
888*4882a593Smuzhiyun
889*4882a593Smuzhiyun minhwtype = ZCRYPT_CEX6;
890*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
891*4882a593Smuzhiyun cur_mkvp = t->mkvp0;
892*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
893*4882a593Smuzhiyun old_mkvp = t->mkvp0;
894*4882a593Smuzhiyun } else {
895*4882a593Smuzhiyun /* unknown cca internal token type */
896*4882a593Smuzhiyun return -EINVAL;
897*4882a593Smuzhiyun }
898*4882a593Smuzhiyun rc = cca_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
899*4882a593Smuzhiyun minhwtype, AES_MK_SET,
900*4882a593Smuzhiyun cur_mkvp, old_mkvp, 1);
901*4882a593Smuzhiyun if (rc)
902*4882a593Smuzhiyun goto out;
903*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA) {
904*4882a593Smuzhiyun u64 cur_mkvp = 0, old_mkvp = 0;
905*4882a593Smuzhiyun struct eccprivkeytoken *t = (struct eccprivkeytoken *)key;
906*4882a593Smuzhiyun
907*4882a593Smuzhiyun if (t->secid == 0x20) {
908*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
909*4882a593Smuzhiyun cur_mkvp = t->mkvp;
910*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
911*4882a593Smuzhiyun old_mkvp = t->mkvp;
912*4882a593Smuzhiyun } else {
913*4882a593Smuzhiyun /* unknown cca internal 2 token type */
914*4882a593Smuzhiyun return -EINVAL;
915*4882a593Smuzhiyun }
916*4882a593Smuzhiyun rc = cca_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
917*4882a593Smuzhiyun ZCRYPT_CEX7, APKA_MK_SET,
918*4882a593Smuzhiyun cur_mkvp, old_mkvp, 1);
919*4882a593Smuzhiyun if (rc)
920*4882a593Smuzhiyun goto out;
921*4882a593Smuzhiyun } else
922*4882a593Smuzhiyun return -EINVAL;
923*4882a593Smuzhiyun
924*4882a593Smuzhiyun if (apqns) {
925*4882a593Smuzhiyun if (*nr_apqns < _nr_apqns)
926*4882a593Smuzhiyun rc = -ENOSPC;
927*4882a593Smuzhiyun else
928*4882a593Smuzhiyun memcpy(apqns, _apqns, _nr_apqns * sizeof(u32));
929*4882a593Smuzhiyun }
930*4882a593Smuzhiyun *nr_apqns = _nr_apqns;
931*4882a593Smuzhiyun
932*4882a593Smuzhiyun out:
933*4882a593Smuzhiyun kfree(_apqns);
934*4882a593Smuzhiyun return rc;
935*4882a593Smuzhiyun }
936*4882a593Smuzhiyun
pkey_apqns4keytype(enum pkey_key_type ktype,u8 cur_mkvp[32],u8 alt_mkvp[32],u32 flags,struct pkey_apqn * apqns,size_t * nr_apqns)937*4882a593Smuzhiyun static int pkey_apqns4keytype(enum pkey_key_type ktype,
938*4882a593Smuzhiyun u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags,
939*4882a593Smuzhiyun struct pkey_apqn *apqns, size_t *nr_apqns)
940*4882a593Smuzhiyun {
941*4882a593Smuzhiyun int rc;
942*4882a593Smuzhiyun u32 _nr_apqns, *_apqns = NULL;
943*4882a593Smuzhiyun
944*4882a593Smuzhiyun if (ktype == PKEY_TYPE_CCA_DATA || ktype == PKEY_TYPE_CCA_CIPHER) {
945*4882a593Smuzhiyun u64 cur_mkvp = 0, old_mkvp = 0;
946*4882a593Smuzhiyun int minhwtype = ZCRYPT_CEX3C;
947*4882a593Smuzhiyun
948*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
949*4882a593Smuzhiyun cur_mkvp = *((u64 *) cur_mkvp);
950*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
951*4882a593Smuzhiyun old_mkvp = *((u64 *) alt_mkvp);
952*4882a593Smuzhiyun if (ktype == PKEY_TYPE_CCA_CIPHER)
953*4882a593Smuzhiyun minhwtype = ZCRYPT_CEX6;
954*4882a593Smuzhiyun rc = cca_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
955*4882a593Smuzhiyun minhwtype, AES_MK_SET,
956*4882a593Smuzhiyun cur_mkvp, old_mkvp, 1);
957*4882a593Smuzhiyun if (rc)
958*4882a593Smuzhiyun goto out;
959*4882a593Smuzhiyun } else if (ktype == PKEY_TYPE_CCA_ECC) {
960*4882a593Smuzhiyun u64 cur_mkvp = 0, old_mkvp = 0;
961*4882a593Smuzhiyun
962*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
963*4882a593Smuzhiyun cur_mkvp = *((u64 *) cur_mkvp);
964*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
965*4882a593Smuzhiyun old_mkvp = *((u64 *) alt_mkvp);
966*4882a593Smuzhiyun rc = cca_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
967*4882a593Smuzhiyun ZCRYPT_CEX7, APKA_MK_SET,
968*4882a593Smuzhiyun cur_mkvp, old_mkvp, 1);
969*4882a593Smuzhiyun if (rc)
970*4882a593Smuzhiyun goto out;
971*4882a593Smuzhiyun
972*4882a593Smuzhiyun } else if (ktype == PKEY_TYPE_EP11 ||
973*4882a593Smuzhiyun ktype == PKEY_TYPE_EP11_AES ||
974*4882a593Smuzhiyun ktype == PKEY_TYPE_EP11_ECC) {
975*4882a593Smuzhiyun u8 *wkvp = NULL;
976*4882a593Smuzhiyun
977*4882a593Smuzhiyun if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
978*4882a593Smuzhiyun wkvp = cur_mkvp;
979*4882a593Smuzhiyun rc = ep11_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
980*4882a593Smuzhiyun ZCRYPT_CEX7, EP11_API_V, wkvp);
981*4882a593Smuzhiyun if (rc)
982*4882a593Smuzhiyun goto out;
983*4882a593Smuzhiyun
984*4882a593Smuzhiyun } else
985*4882a593Smuzhiyun return -EINVAL;
986*4882a593Smuzhiyun
987*4882a593Smuzhiyun if (apqns) {
988*4882a593Smuzhiyun if (*nr_apqns < _nr_apqns)
989*4882a593Smuzhiyun rc = -ENOSPC;
990*4882a593Smuzhiyun else
991*4882a593Smuzhiyun memcpy(apqns, _apqns, _nr_apqns * sizeof(u32));
992*4882a593Smuzhiyun }
993*4882a593Smuzhiyun *nr_apqns = _nr_apqns;
994*4882a593Smuzhiyun
995*4882a593Smuzhiyun out:
996*4882a593Smuzhiyun kfree(_apqns);
997*4882a593Smuzhiyun return rc;
998*4882a593Smuzhiyun }
999*4882a593Smuzhiyun
pkey_keyblob2pkey3(const struct pkey_apqn * apqns,size_t nr_apqns,const u8 * key,size_t keylen,u32 * protkeytype,u8 * protkey,u32 * protkeylen)1000*4882a593Smuzhiyun static int pkey_keyblob2pkey3(const struct pkey_apqn *apqns, size_t nr_apqns,
1001*4882a593Smuzhiyun const u8 *key, size_t keylen, u32 *protkeytype,
1002*4882a593Smuzhiyun u8 *protkey, u32 *protkeylen)
1003*4882a593Smuzhiyun {
1004*4882a593Smuzhiyun int i, card, dom, rc;
1005*4882a593Smuzhiyun struct keytoken_header *hdr = (struct keytoken_header *)key;
1006*4882a593Smuzhiyun
1007*4882a593Smuzhiyun /* check for at least one apqn given */
1008*4882a593Smuzhiyun if (!apqns || !nr_apqns)
1009*4882a593Smuzhiyun return -EINVAL;
1010*4882a593Smuzhiyun
1011*4882a593Smuzhiyun if (keylen < sizeof(struct keytoken_header))
1012*4882a593Smuzhiyun return -EINVAL;
1013*4882a593Smuzhiyun
1014*4882a593Smuzhiyun if (hdr->type == TOKTYPE_NON_CCA
1015*4882a593Smuzhiyun && hdr->version == TOKVER_EP11_AES_WITH_HEADER
1016*4882a593Smuzhiyun && is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) {
1017*4882a593Smuzhiyun /* EP11 AES key blob with header */
1018*4882a593Smuzhiyun if (ep11_check_aes_key_with_hdr(debug_info, 3, key, keylen, 1))
1019*4882a593Smuzhiyun return -EINVAL;
1020*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_NON_CCA
1021*4882a593Smuzhiyun && hdr->version == TOKVER_EP11_ECC_WITH_HEADER
1022*4882a593Smuzhiyun && is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) {
1023*4882a593Smuzhiyun /* EP11 ECC key blob with header */
1024*4882a593Smuzhiyun if (ep11_check_ecc_key_with_hdr(debug_info, 3, key, keylen, 1))
1025*4882a593Smuzhiyun return -EINVAL;
1026*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_NON_CCA
1027*4882a593Smuzhiyun && hdr->version == TOKVER_EP11_AES
1028*4882a593Smuzhiyun && is_ep11_keyblob(key)) {
1029*4882a593Smuzhiyun /* EP11 AES key blob with header in session field */
1030*4882a593Smuzhiyun if (ep11_check_aes_key(debug_info, 3, key, keylen, 1))
1031*4882a593Smuzhiyun return -EINVAL;
1032*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_CCA_INTERNAL) {
1033*4882a593Smuzhiyun if (hdr->version == TOKVER_CCA_AES) {
1034*4882a593Smuzhiyun /* CCA AES data key */
1035*4882a593Smuzhiyun if (keylen != sizeof(struct secaeskeytoken))
1036*4882a593Smuzhiyun return -EINVAL;
1037*4882a593Smuzhiyun if (cca_check_secaeskeytoken(debug_info, 3, key, 0))
1038*4882a593Smuzhiyun return -EINVAL;
1039*4882a593Smuzhiyun } else if (hdr->version == TOKVER_CCA_VLSC) {
1040*4882a593Smuzhiyun /* CCA AES cipher key */
1041*4882a593Smuzhiyun if (keylen < hdr->len || keylen > MAXCCAVLSCTOKENSIZE)
1042*4882a593Smuzhiyun return -EINVAL;
1043*4882a593Smuzhiyun if (cca_check_secaescipherkey(debug_info, 3, key, 0, 1))
1044*4882a593Smuzhiyun return -EINVAL;
1045*4882a593Smuzhiyun } else {
1046*4882a593Smuzhiyun DEBUG_ERR("%s unknown CCA internal token version %d\n",
1047*4882a593Smuzhiyun __func__, hdr->version);
1048*4882a593Smuzhiyun return -EINVAL;
1049*4882a593Smuzhiyun }
1050*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA) {
1051*4882a593Smuzhiyun /* CCA ECC (private) key */
1052*4882a593Smuzhiyun if (keylen < sizeof(struct eccprivkeytoken))
1053*4882a593Smuzhiyun return -EINVAL;
1054*4882a593Smuzhiyun if (cca_check_sececckeytoken(debug_info, 3, key, keylen, 1))
1055*4882a593Smuzhiyun return -EINVAL;
1056*4882a593Smuzhiyun } else if (hdr->type == TOKTYPE_NON_CCA) {
1057*4882a593Smuzhiyun struct pkey_protkey pkey;
1058*4882a593Smuzhiyun
1059*4882a593Smuzhiyun rc = pkey_nonccatok2pkey(key, keylen, &pkey);
1060*4882a593Smuzhiyun if (rc)
1061*4882a593Smuzhiyun return rc;
1062*4882a593Smuzhiyun memcpy(protkey, pkey.protkey, pkey.len);
1063*4882a593Smuzhiyun *protkeylen = pkey.len;
1064*4882a593Smuzhiyun *protkeytype = pkey.type;
1065*4882a593Smuzhiyun return 0;
1066*4882a593Smuzhiyun } else {
1067*4882a593Smuzhiyun DEBUG_ERR("%s unknown/unsupported blob type %d\n",
1068*4882a593Smuzhiyun __func__, hdr->type);
1069*4882a593Smuzhiyun return -EINVAL;
1070*4882a593Smuzhiyun }
1071*4882a593Smuzhiyun
1072*4882a593Smuzhiyun /* simple try all apqns from the list */
1073*4882a593Smuzhiyun for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) {
1074*4882a593Smuzhiyun card = apqns[i].card;
1075*4882a593Smuzhiyun dom = apqns[i].domain;
1076*4882a593Smuzhiyun if (hdr->type == TOKTYPE_NON_CCA
1077*4882a593Smuzhiyun && (hdr->version == TOKVER_EP11_AES_WITH_HEADER
1078*4882a593Smuzhiyun || hdr->version == TOKVER_EP11_ECC_WITH_HEADER)
1079*4882a593Smuzhiyun && is_ep11_keyblob(key + sizeof(struct ep11kblob_header)))
1080*4882a593Smuzhiyun rc = ep11_kblob2protkey(card, dom, key, hdr->len,
1081*4882a593Smuzhiyun protkey, protkeylen, protkeytype);
1082*4882a593Smuzhiyun else if (hdr->type == TOKTYPE_NON_CCA
1083*4882a593Smuzhiyun && hdr->version == TOKVER_EP11_AES
1084*4882a593Smuzhiyun && is_ep11_keyblob(key))
1085*4882a593Smuzhiyun rc = ep11_kblob2protkey(card, dom, key, hdr->len,
1086*4882a593Smuzhiyun protkey, protkeylen, protkeytype);
1087*4882a593Smuzhiyun else if (hdr->type == TOKTYPE_CCA_INTERNAL &&
1088*4882a593Smuzhiyun hdr->version == TOKVER_CCA_AES)
1089*4882a593Smuzhiyun rc = cca_sec2protkey(card, dom, key, protkey,
1090*4882a593Smuzhiyun protkeylen, protkeytype);
1091*4882a593Smuzhiyun else if (hdr->type == TOKTYPE_CCA_INTERNAL &&
1092*4882a593Smuzhiyun hdr->version == TOKVER_CCA_VLSC)
1093*4882a593Smuzhiyun rc = cca_cipher2protkey(card, dom, key, protkey,
1094*4882a593Smuzhiyun protkeylen, protkeytype);
1095*4882a593Smuzhiyun else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA)
1096*4882a593Smuzhiyun rc = cca_ecc2protkey(card, dom, key, protkey,
1097*4882a593Smuzhiyun protkeylen, protkeytype);
1098*4882a593Smuzhiyun else
1099*4882a593Smuzhiyun return -EINVAL;
1100*4882a593Smuzhiyun }
1101*4882a593Smuzhiyun
1102*4882a593Smuzhiyun return rc;
1103*4882a593Smuzhiyun }
1104*4882a593Smuzhiyun
1105*4882a593Smuzhiyun /*
1106*4882a593Smuzhiyun * File io functions
1107*4882a593Smuzhiyun */
1108*4882a593Smuzhiyun
_copy_key_from_user(void __user * ukey,size_t keylen)1109*4882a593Smuzhiyun static void *_copy_key_from_user(void __user *ukey, size_t keylen)
1110*4882a593Smuzhiyun {
1111*4882a593Smuzhiyun if (!ukey || keylen < MINKEYBLOBSIZE || keylen > KEYBLOBBUFSIZE)
1112*4882a593Smuzhiyun return ERR_PTR(-EINVAL);
1113*4882a593Smuzhiyun
1114*4882a593Smuzhiyun return memdup_user(ukey, keylen);
1115*4882a593Smuzhiyun }
1116*4882a593Smuzhiyun
_copy_apqns_from_user(void __user * uapqns,size_t nr_apqns)1117*4882a593Smuzhiyun static void *_copy_apqns_from_user(void __user *uapqns, size_t nr_apqns)
1118*4882a593Smuzhiyun {
1119*4882a593Smuzhiyun if (!uapqns || nr_apqns == 0)
1120*4882a593Smuzhiyun return NULL;
1121*4882a593Smuzhiyun
1122*4882a593Smuzhiyun return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn));
1123*4882a593Smuzhiyun }
1124*4882a593Smuzhiyun
pkey_unlocked_ioctl(struct file * filp,unsigned int cmd,unsigned long arg)1125*4882a593Smuzhiyun static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
1126*4882a593Smuzhiyun unsigned long arg)
1127*4882a593Smuzhiyun {
1128*4882a593Smuzhiyun int rc;
1129*4882a593Smuzhiyun
1130*4882a593Smuzhiyun switch (cmd) {
1131*4882a593Smuzhiyun case PKEY_GENSECK: {
1132*4882a593Smuzhiyun struct pkey_genseck __user *ugs = (void __user *) arg;
1133*4882a593Smuzhiyun struct pkey_genseck kgs;
1134*4882a593Smuzhiyun
1135*4882a593Smuzhiyun if (copy_from_user(&kgs, ugs, sizeof(kgs)))
1136*4882a593Smuzhiyun return -EFAULT;
1137*4882a593Smuzhiyun rc = cca_genseckey(kgs.cardnr, kgs.domain,
1138*4882a593Smuzhiyun kgs.keytype, kgs.seckey.seckey);
1139*4882a593Smuzhiyun DEBUG_DBG("%s cca_genseckey()=%d\n", __func__, rc);
1140*4882a593Smuzhiyun if (rc)
1141*4882a593Smuzhiyun break;
1142*4882a593Smuzhiyun if (copy_to_user(ugs, &kgs, sizeof(kgs)))
1143*4882a593Smuzhiyun return -EFAULT;
1144*4882a593Smuzhiyun break;
1145*4882a593Smuzhiyun }
1146*4882a593Smuzhiyun case PKEY_CLR2SECK: {
1147*4882a593Smuzhiyun struct pkey_clr2seck __user *ucs = (void __user *) arg;
1148*4882a593Smuzhiyun struct pkey_clr2seck kcs;
1149*4882a593Smuzhiyun
1150*4882a593Smuzhiyun if (copy_from_user(&kcs, ucs, sizeof(kcs)))
1151*4882a593Smuzhiyun return -EFAULT;
1152*4882a593Smuzhiyun rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype,
1153*4882a593Smuzhiyun kcs.clrkey.clrkey, kcs.seckey.seckey);
1154*4882a593Smuzhiyun DEBUG_DBG("%s cca_clr2seckey()=%d\n", __func__, rc);
1155*4882a593Smuzhiyun if (rc)
1156*4882a593Smuzhiyun break;
1157*4882a593Smuzhiyun if (copy_to_user(ucs, &kcs, sizeof(kcs)))
1158*4882a593Smuzhiyun return -EFAULT;
1159*4882a593Smuzhiyun memzero_explicit(&kcs, sizeof(kcs));
1160*4882a593Smuzhiyun break;
1161*4882a593Smuzhiyun }
1162*4882a593Smuzhiyun case PKEY_SEC2PROTK: {
1163*4882a593Smuzhiyun struct pkey_sec2protk __user *usp = (void __user *) arg;
1164*4882a593Smuzhiyun struct pkey_sec2protk ksp;
1165*4882a593Smuzhiyun
1166*4882a593Smuzhiyun if (copy_from_user(&ksp, usp, sizeof(ksp)))
1167*4882a593Smuzhiyun return -EFAULT;
1168*4882a593Smuzhiyun rc = cca_sec2protkey(ksp.cardnr, ksp.domain,
1169*4882a593Smuzhiyun ksp.seckey.seckey, ksp.protkey.protkey,
1170*4882a593Smuzhiyun &ksp.protkey.len, &ksp.protkey.type);
1171*4882a593Smuzhiyun DEBUG_DBG("%s cca_sec2protkey()=%d\n", __func__, rc);
1172*4882a593Smuzhiyun if (rc)
1173*4882a593Smuzhiyun break;
1174*4882a593Smuzhiyun if (copy_to_user(usp, &ksp, sizeof(ksp)))
1175*4882a593Smuzhiyun return -EFAULT;
1176*4882a593Smuzhiyun break;
1177*4882a593Smuzhiyun }
1178*4882a593Smuzhiyun case PKEY_CLR2PROTK: {
1179*4882a593Smuzhiyun struct pkey_clr2protk __user *ucp = (void __user *) arg;
1180*4882a593Smuzhiyun struct pkey_clr2protk kcp;
1181*4882a593Smuzhiyun
1182*4882a593Smuzhiyun if (copy_from_user(&kcp, ucp, sizeof(kcp)))
1183*4882a593Smuzhiyun return -EFAULT;
1184*4882a593Smuzhiyun rc = pkey_clr2protkey(kcp.keytype,
1185*4882a593Smuzhiyun &kcp.clrkey, &kcp.protkey);
1186*4882a593Smuzhiyun DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc);
1187*4882a593Smuzhiyun if (rc)
1188*4882a593Smuzhiyun break;
1189*4882a593Smuzhiyun if (copy_to_user(ucp, &kcp, sizeof(kcp)))
1190*4882a593Smuzhiyun return -EFAULT;
1191*4882a593Smuzhiyun memzero_explicit(&kcp, sizeof(kcp));
1192*4882a593Smuzhiyun break;
1193*4882a593Smuzhiyun }
1194*4882a593Smuzhiyun case PKEY_FINDCARD: {
1195*4882a593Smuzhiyun struct pkey_findcard __user *ufc = (void __user *) arg;
1196*4882a593Smuzhiyun struct pkey_findcard kfc;
1197*4882a593Smuzhiyun
1198*4882a593Smuzhiyun if (copy_from_user(&kfc, ufc, sizeof(kfc)))
1199*4882a593Smuzhiyun return -EFAULT;
1200*4882a593Smuzhiyun rc = cca_findcard(kfc.seckey.seckey,
1201*4882a593Smuzhiyun &kfc.cardnr, &kfc.domain, 1);
1202*4882a593Smuzhiyun DEBUG_DBG("%s cca_findcard()=%d\n", __func__, rc);
1203*4882a593Smuzhiyun if (rc < 0)
1204*4882a593Smuzhiyun break;
1205*4882a593Smuzhiyun if (copy_to_user(ufc, &kfc, sizeof(kfc)))
1206*4882a593Smuzhiyun return -EFAULT;
1207*4882a593Smuzhiyun break;
1208*4882a593Smuzhiyun }
1209*4882a593Smuzhiyun case PKEY_SKEY2PKEY: {
1210*4882a593Smuzhiyun struct pkey_skey2pkey __user *usp = (void __user *) arg;
1211*4882a593Smuzhiyun struct pkey_skey2pkey ksp;
1212*4882a593Smuzhiyun
1213*4882a593Smuzhiyun if (copy_from_user(&ksp, usp, sizeof(ksp)))
1214*4882a593Smuzhiyun return -EFAULT;
1215*4882a593Smuzhiyun rc = pkey_skey2pkey(ksp.seckey.seckey, &ksp.protkey);
1216*4882a593Smuzhiyun DEBUG_DBG("%s pkey_skey2pkey()=%d\n", __func__, rc);
1217*4882a593Smuzhiyun if (rc)
1218*4882a593Smuzhiyun break;
1219*4882a593Smuzhiyun if (copy_to_user(usp, &ksp, sizeof(ksp)))
1220*4882a593Smuzhiyun return -EFAULT;
1221*4882a593Smuzhiyun break;
1222*4882a593Smuzhiyun }
1223*4882a593Smuzhiyun case PKEY_VERIFYKEY: {
1224*4882a593Smuzhiyun struct pkey_verifykey __user *uvk = (void __user *) arg;
1225*4882a593Smuzhiyun struct pkey_verifykey kvk;
1226*4882a593Smuzhiyun
1227*4882a593Smuzhiyun if (copy_from_user(&kvk, uvk, sizeof(kvk)))
1228*4882a593Smuzhiyun return -EFAULT;
1229*4882a593Smuzhiyun rc = pkey_verifykey(&kvk.seckey, &kvk.cardnr, &kvk.domain,
1230*4882a593Smuzhiyun &kvk.keysize, &kvk.attributes);
1231*4882a593Smuzhiyun DEBUG_DBG("%s pkey_verifykey()=%d\n", __func__, rc);
1232*4882a593Smuzhiyun if (rc)
1233*4882a593Smuzhiyun break;
1234*4882a593Smuzhiyun if (copy_to_user(uvk, &kvk, sizeof(kvk)))
1235*4882a593Smuzhiyun return -EFAULT;
1236*4882a593Smuzhiyun break;
1237*4882a593Smuzhiyun }
1238*4882a593Smuzhiyun case PKEY_GENPROTK: {
1239*4882a593Smuzhiyun struct pkey_genprotk __user *ugp = (void __user *) arg;
1240*4882a593Smuzhiyun struct pkey_genprotk kgp;
1241*4882a593Smuzhiyun
1242*4882a593Smuzhiyun if (copy_from_user(&kgp, ugp, sizeof(kgp)))
1243*4882a593Smuzhiyun return -EFAULT;
1244*4882a593Smuzhiyun rc = pkey_genprotkey(kgp.keytype, &kgp.protkey);
1245*4882a593Smuzhiyun DEBUG_DBG("%s pkey_genprotkey()=%d\n", __func__, rc);
1246*4882a593Smuzhiyun if (rc)
1247*4882a593Smuzhiyun break;
1248*4882a593Smuzhiyun if (copy_to_user(ugp, &kgp, sizeof(kgp)))
1249*4882a593Smuzhiyun return -EFAULT;
1250*4882a593Smuzhiyun break;
1251*4882a593Smuzhiyun }
1252*4882a593Smuzhiyun case PKEY_VERIFYPROTK: {
1253*4882a593Smuzhiyun struct pkey_verifyprotk __user *uvp = (void __user *) arg;
1254*4882a593Smuzhiyun struct pkey_verifyprotk kvp;
1255*4882a593Smuzhiyun
1256*4882a593Smuzhiyun if (copy_from_user(&kvp, uvp, sizeof(kvp)))
1257*4882a593Smuzhiyun return -EFAULT;
1258*4882a593Smuzhiyun rc = pkey_verifyprotkey(&kvp.protkey);
1259*4882a593Smuzhiyun DEBUG_DBG("%s pkey_verifyprotkey()=%d\n", __func__, rc);
1260*4882a593Smuzhiyun break;
1261*4882a593Smuzhiyun }
1262*4882a593Smuzhiyun case PKEY_KBLOB2PROTK: {
1263*4882a593Smuzhiyun struct pkey_kblob2pkey __user *utp = (void __user *) arg;
1264*4882a593Smuzhiyun struct pkey_kblob2pkey ktp;
1265*4882a593Smuzhiyun u8 *kkey;
1266*4882a593Smuzhiyun
1267*4882a593Smuzhiyun if (copy_from_user(&ktp, utp, sizeof(ktp)))
1268*4882a593Smuzhiyun return -EFAULT;
1269*4882a593Smuzhiyun kkey = _copy_key_from_user(ktp.key, ktp.keylen);
1270*4882a593Smuzhiyun if (IS_ERR(kkey))
1271*4882a593Smuzhiyun return PTR_ERR(kkey);
1272*4882a593Smuzhiyun rc = pkey_keyblob2pkey(kkey, ktp.keylen, &ktp.protkey);
1273*4882a593Smuzhiyun DEBUG_DBG("%s pkey_keyblob2pkey()=%d\n", __func__, rc);
1274*4882a593Smuzhiyun kfree(kkey);
1275*4882a593Smuzhiyun if (rc)
1276*4882a593Smuzhiyun break;
1277*4882a593Smuzhiyun if (copy_to_user(utp, &ktp, sizeof(ktp)))
1278*4882a593Smuzhiyun return -EFAULT;
1279*4882a593Smuzhiyun break;
1280*4882a593Smuzhiyun }
1281*4882a593Smuzhiyun case PKEY_GENSECK2: {
1282*4882a593Smuzhiyun struct pkey_genseck2 __user *ugs = (void __user *) arg;
1283*4882a593Smuzhiyun struct pkey_genseck2 kgs;
1284*4882a593Smuzhiyun struct pkey_apqn *apqns;
1285*4882a593Smuzhiyun size_t klen = KEYBLOBBUFSIZE;
1286*4882a593Smuzhiyun u8 *kkey;
1287*4882a593Smuzhiyun
1288*4882a593Smuzhiyun if (copy_from_user(&kgs, ugs, sizeof(kgs)))
1289*4882a593Smuzhiyun return -EFAULT;
1290*4882a593Smuzhiyun apqns = _copy_apqns_from_user(kgs.apqns, kgs.apqn_entries);
1291*4882a593Smuzhiyun if (IS_ERR(apqns))
1292*4882a593Smuzhiyun return PTR_ERR(apqns);
1293*4882a593Smuzhiyun kkey = kmalloc(klen, GFP_KERNEL);
1294*4882a593Smuzhiyun if (!kkey) {
1295*4882a593Smuzhiyun kfree(apqns);
1296*4882a593Smuzhiyun return -ENOMEM;
1297*4882a593Smuzhiyun }
1298*4882a593Smuzhiyun rc = pkey_genseckey2(apqns, kgs.apqn_entries,
1299*4882a593Smuzhiyun kgs.type, kgs.size, kgs.keygenflags,
1300*4882a593Smuzhiyun kkey, &klen);
1301*4882a593Smuzhiyun DEBUG_DBG("%s pkey_genseckey2()=%d\n", __func__, rc);
1302*4882a593Smuzhiyun kfree(apqns);
1303*4882a593Smuzhiyun if (rc) {
1304*4882a593Smuzhiyun kfree(kkey);
1305*4882a593Smuzhiyun break;
1306*4882a593Smuzhiyun }
1307*4882a593Smuzhiyun if (kgs.key) {
1308*4882a593Smuzhiyun if (kgs.keylen < klen) {
1309*4882a593Smuzhiyun kfree(kkey);
1310*4882a593Smuzhiyun return -EINVAL;
1311*4882a593Smuzhiyun }
1312*4882a593Smuzhiyun if (copy_to_user(kgs.key, kkey, klen)) {
1313*4882a593Smuzhiyun kfree(kkey);
1314*4882a593Smuzhiyun return -EFAULT;
1315*4882a593Smuzhiyun }
1316*4882a593Smuzhiyun }
1317*4882a593Smuzhiyun kgs.keylen = klen;
1318*4882a593Smuzhiyun if (copy_to_user(ugs, &kgs, sizeof(kgs)))
1319*4882a593Smuzhiyun rc = -EFAULT;
1320*4882a593Smuzhiyun kfree(kkey);
1321*4882a593Smuzhiyun break;
1322*4882a593Smuzhiyun }
1323*4882a593Smuzhiyun case PKEY_CLR2SECK2: {
1324*4882a593Smuzhiyun struct pkey_clr2seck2 __user *ucs = (void __user *) arg;
1325*4882a593Smuzhiyun struct pkey_clr2seck2 kcs;
1326*4882a593Smuzhiyun struct pkey_apqn *apqns;
1327*4882a593Smuzhiyun size_t klen = KEYBLOBBUFSIZE;
1328*4882a593Smuzhiyun u8 *kkey;
1329*4882a593Smuzhiyun
1330*4882a593Smuzhiyun if (copy_from_user(&kcs, ucs, sizeof(kcs)))
1331*4882a593Smuzhiyun return -EFAULT;
1332*4882a593Smuzhiyun apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries);
1333*4882a593Smuzhiyun if (IS_ERR(apqns))
1334*4882a593Smuzhiyun return PTR_ERR(apqns);
1335*4882a593Smuzhiyun kkey = kmalloc(klen, GFP_KERNEL);
1336*4882a593Smuzhiyun if (!kkey) {
1337*4882a593Smuzhiyun kfree(apqns);
1338*4882a593Smuzhiyun return -ENOMEM;
1339*4882a593Smuzhiyun }
1340*4882a593Smuzhiyun rc = pkey_clr2seckey2(apqns, kcs.apqn_entries,
1341*4882a593Smuzhiyun kcs.type, kcs.size, kcs.keygenflags,
1342*4882a593Smuzhiyun kcs.clrkey.clrkey, kkey, &klen);
1343*4882a593Smuzhiyun DEBUG_DBG("%s pkey_clr2seckey2()=%d\n", __func__, rc);
1344*4882a593Smuzhiyun kfree(apqns);
1345*4882a593Smuzhiyun if (rc) {
1346*4882a593Smuzhiyun kfree(kkey);
1347*4882a593Smuzhiyun break;
1348*4882a593Smuzhiyun }
1349*4882a593Smuzhiyun if (kcs.key) {
1350*4882a593Smuzhiyun if (kcs.keylen < klen) {
1351*4882a593Smuzhiyun kfree(kkey);
1352*4882a593Smuzhiyun return -EINVAL;
1353*4882a593Smuzhiyun }
1354*4882a593Smuzhiyun if (copy_to_user(kcs.key, kkey, klen)) {
1355*4882a593Smuzhiyun kfree(kkey);
1356*4882a593Smuzhiyun return -EFAULT;
1357*4882a593Smuzhiyun }
1358*4882a593Smuzhiyun }
1359*4882a593Smuzhiyun kcs.keylen = klen;
1360*4882a593Smuzhiyun if (copy_to_user(ucs, &kcs, sizeof(kcs)))
1361*4882a593Smuzhiyun rc = -EFAULT;
1362*4882a593Smuzhiyun memzero_explicit(&kcs, sizeof(kcs));
1363*4882a593Smuzhiyun kfree(kkey);
1364*4882a593Smuzhiyun break;
1365*4882a593Smuzhiyun }
1366*4882a593Smuzhiyun case PKEY_VERIFYKEY2: {
1367*4882a593Smuzhiyun struct pkey_verifykey2 __user *uvk = (void __user *) arg;
1368*4882a593Smuzhiyun struct pkey_verifykey2 kvk;
1369*4882a593Smuzhiyun u8 *kkey;
1370*4882a593Smuzhiyun
1371*4882a593Smuzhiyun if (copy_from_user(&kvk, uvk, sizeof(kvk)))
1372*4882a593Smuzhiyun return -EFAULT;
1373*4882a593Smuzhiyun kkey = _copy_key_from_user(kvk.key, kvk.keylen);
1374*4882a593Smuzhiyun if (IS_ERR(kkey))
1375*4882a593Smuzhiyun return PTR_ERR(kkey);
1376*4882a593Smuzhiyun rc = pkey_verifykey2(kkey, kvk.keylen,
1377*4882a593Smuzhiyun &kvk.cardnr, &kvk.domain,
1378*4882a593Smuzhiyun &kvk.type, &kvk.size, &kvk.flags);
1379*4882a593Smuzhiyun DEBUG_DBG("%s pkey_verifykey2()=%d\n", __func__, rc);
1380*4882a593Smuzhiyun kfree(kkey);
1381*4882a593Smuzhiyun if (rc)
1382*4882a593Smuzhiyun break;
1383*4882a593Smuzhiyun if (copy_to_user(uvk, &kvk, sizeof(kvk)))
1384*4882a593Smuzhiyun return -EFAULT;
1385*4882a593Smuzhiyun break;
1386*4882a593Smuzhiyun }
1387*4882a593Smuzhiyun case PKEY_KBLOB2PROTK2: {
1388*4882a593Smuzhiyun struct pkey_kblob2pkey2 __user *utp = (void __user *) arg;
1389*4882a593Smuzhiyun struct pkey_kblob2pkey2 ktp;
1390*4882a593Smuzhiyun struct pkey_apqn *apqns = NULL;
1391*4882a593Smuzhiyun u8 *kkey;
1392*4882a593Smuzhiyun
1393*4882a593Smuzhiyun if (copy_from_user(&ktp, utp, sizeof(ktp)))
1394*4882a593Smuzhiyun return -EFAULT;
1395*4882a593Smuzhiyun apqns = _copy_apqns_from_user(ktp.apqns, ktp.apqn_entries);
1396*4882a593Smuzhiyun if (IS_ERR(apqns))
1397*4882a593Smuzhiyun return PTR_ERR(apqns);
1398*4882a593Smuzhiyun kkey = _copy_key_from_user(ktp.key, ktp.keylen);
1399*4882a593Smuzhiyun if (IS_ERR(kkey)) {
1400*4882a593Smuzhiyun kfree(apqns);
1401*4882a593Smuzhiyun return PTR_ERR(kkey);
1402*4882a593Smuzhiyun }
1403*4882a593Smuzhiyun rc = pkey_keyblob2pkey2(apqns, ktp.apqn_entries,
1404*4882a593Smuzhiyun kkey, ktp.keylen, &ktp.protkey);
1405*4882a593Smuzhiyun DEBUG_DBG("%s pkey_keyblob2pkey2()=%d\n", __func__, rc);
1406*4882a593Smuzhiyun kfree(apqns);
1407*4882a593Smuzhiyun kfree(kkey);
1408*4882a593Smuzhiyun if (rc)
1409*4882a593Smuzhiyun break;
1410*4882a593Smuzhiyun if (copy_to_user(utp, &ktp, sizeof(ktp)))
1411*4882a593Smuzhiyun return -EFAULT;
1412*4882a593Smuzhiyun break;
1413*4882a593Smuzhiyun }
1414*4882a593Smuzhiyun case PKEY_APQNS4K: {
1415*4882a593Smuzhiyun struct pkey_apqns4key __user *uak = (void __user *) arg;
1416*4882a593Smuzhiyun struct pkey_apqns4key kak;
1417*4882a593Smuzhiyun struct pkey_apqn *apqns = NULL;
1418*4882a593Smuzhiyun size_t nr_apqns, len;
1419*4882a593Smuzhiyun u8 *kkey;
1420*4882a593Smuzhiyun
1421*4882a593Smuzhiyun if (copy_from_user(&kak, uak, sizeof(kak)))
1422*4882a593Smuzhiyun return -EFAULT;
1423*4882a593Smuzhiyun nr_apqns = kak.apqn_entries;
1424*4882a593Smuzhiyun if (nr_apqns) {
1425*4882a593Smuzhiyun apqns = kmalloc_array(nr_apqns,
1426*4882a593Smuzhiyun sizeof(struct pkey_apqn),
1427*4882a593Smuzhiyun GFP_KERNEL);
1428*4882a593Smuzhiyun if (!apqns)
1429*4882a593Smuzhiyun return -ENOMEM;
1430*4882a593Smuzhiyun }
1431*4882a593Smuzhiyun kkey = _copy_key_from_user(kak.key, kak.keylen);
1432*4882a593Smuzhiyun if (IS_ERR(kkey)) {
1433*4882a593Smuzhiyun kfree(apqns);
1434*4882a593Smuzhiyun return PTR_ERR(kkey);
1435*4882a593Smuzhiyun }
1436*4882a593Smuzhiyun rc = pkey_apqns4key(kkey, kak.keylen, kak.flags,
1437*4882a593Smuzhiyun apqns, &nr_apqns);
1438*4882a593Smuzhiyun DEBUG_DBG("%s pkey_apqns4key()=%d\n", __func__, rc);
1439*4882a593Smuzhiyun kfree(kkey);
1440*4882a593Smuzhiyun if (rc && rc != -ENOSPC) {
1441*4882a593Smuzhiyun kfree(apqns);
1442*4882a593Smuzhiyun break;
1443*4882a593Smuzhiyun }
1444*4882a593Smuzhiyun if (!rc && kak.apqns) {
1445*4882a593Smuzhiyun if (nr_apqns > kak.apqn_entries) {
1446*4882a593Smuzhiyun kfree(apqns);
1447*4882a593Smuzhiyun return -EINVAL;
1448*4882a593Smuzhiyun }
1449*4882a593Smuzhiyun len = nr_apqns * sizeof(struct pkey_apqn);
1450*4882a593Smuzhiyun if (len) {
1451*4882a593Smuzhiyun if (copy_to_user(kak.apqns, apqns, len)) {
1452*4882a593Smuzhiyun kfree(apqns);
1453*4882a593Smuzhiyun return -EFAULT;
1454*4882a593Smuzhiyun }
1455*4882a593Smuzhiyun }
1456*4882a593Smuzhiyun }
1457*4882a593Smuzhiyun kak.apqn_entries = nr_apqns;
1458*4882a593Smuzhiyun if (copy_to_user(uak, &kak, sizeof(kak)))
1459*4882a593Smuzhiyun rc = -EFAULT;
1460*4882a593Smuzhiyun kfree(apqns);
1461*4882a593Smuzhiyun break;
1462*4882a593Smuzhiyun }
1463*4882a593Smuzhiyun case PKEY_APQNS4KT: {
1464*4882a593Smuzhiyun struct pkey_apqns4keytype __user *uat = (void __user *) arg;
1465*4882a593Smuzhiyun struct pkey_apqns4keytype kat;
1466*4882a593Smuzhiyun struct pkey_apqn *apqns = NULL;
1467*4882a593Smuzhiyun size_t nr_apqns, len;
1468*4882a593Smuzhiyun
1469*4882a593Smuzhiyun if (copy_from_user(&kat, uat, sizeof(kat)))
1470*4882a593Smuzhiyun return -EFAULT;
1471*4882a593Smuzhiyun nr_apqns = kat.apqn_entries;
1472*4882a593Smuzhiyun if (nr_apqns) {
1473*4882a593Smuzhiyun apqns = kmalloc_array(nr_apqns,
1474*4882a593Smuzhiyun sizeof(struct pkey_apqn),
1475*4882a593Smuzhiyun GFP_KERNEL);
1476*4882a593Smuzhiyun if (!apqns)
1477*4882a593Smuzhiyun return -ENOMEM;
1478*4882a593Smuzhiyun }
1479*4882a593Smuzhiyun rc = pkey_apqns4keytype(kat.type, kat.cur_mkvp, kat.alt_mkvp,
1480*4882a593Smuzhiyun kat.flags, apqns, &nr_apqns);
1481*4882a593Smuzhiyun DEBUG_DBG("%s pkey_apqns4keytype()=%d\n", __func__, rc);
1482*4882a593Smuzhiyun if (rc && rc != -ENOSPC) {
1483*4882a593Smuzhiyun kfree(apqns);
1484*4882a593Smuzhiyun break;
1485*4882a593Smuzhiyun }
1486*4882a593Smuzhiyun if (!rc && kat.apqns) {
1487*4882a593Smuzhiyun if (nr_apqns > kat.apqn_entries) {
1488*4882a593Smuzhiyun kfree(apqns);
1489*4882a593Smuzhiyun return -EINVAL;
1490*4882a593Smuzhiyun }
1491*4882a593Smuzhiyun len = nr_apqns * sizeof(struct pkey_apqn);
1492*4882a593Smuzhiyun if (len) {
1493*4882a593Smuzhiyun if (copy_to_user(kat.apqns, apqns, len)) {
1494*4882a593Smuzhiyun kfree(apqns);
1495*4882a593Smuzhiyun return -EFAULT;
1496*4882a593Smuzhiyun }
1497*4882a593Smuzhiyun }
1498*4882a593Smuzhiyun }
1499*4882a593Smuzhiyun kat.apqn_entries = nr_apqns;
1500*4882a593Smuzhiyun if (copy_to_user(uat, &kat, sizeof(kat)))
1501*4882a593Smuzhiyun rc = -EFAULT;
1502*4882a593Smuzhiyun kfree(apqns);
1503*4882a593Smuzhiyun break;
1504*4882a593Smuzhiyun }
1505*4882a593Smuzhiyun case PKEY_KBLOB2PROTK3: {
1506*4882a593Smuzhiyun struct pkey_kblob2pkey3 __user *utp = (void __user *) arg;
1507*4882a593Smuzhiyun struct pkey_kblob2pkey3 ktp;
1508*4882a593Smuzhiyun struct pkey_apqn *apqns = NULL;
1509*4882a593Smuzhiyun u32 protkeylen = PROTKEYBLOBBUFSIZE;
1510*4882a593Smuzhiyun u8 *kkey, *protkey;
1511*4882a593Smuzhiyun
1512*4882a593Smuzhiyun if (copy_from_user(&ktp, utp, sizeof(ktp)))
1513*4882a593Smuzhiyun return -EFAULT;
1514*4882a593Smuzhiyun apqns = _copy_apqns_from_user(ktp.apqns, ktp.apqn_entries);
1515*4882a593Smuzhiyun if (IS_ERR(apqns))
1516*4882a593Smuzhiyun return PTR_ERR(apqns);
1517*4882a593Smuzhiyun kkey = _copy_key_from_user(ktp.key, ktp.keylen);
1518*4882a593Smuzhiyun if (IS_ERR(kkey)) {
1519*4882a593Smuzhiyun kfree(apqns);
1520*4882a593Smuzhiyun return PTR_ERR(kkey);
1521*4882a593Smuzhiyun }
1522*4882a593Smuzhiyun protkey = kmalloc(protkeylen, GFP_KERNEL);
1523*4882a593Smuzhiyun if (!protkey) {
1524*4882a593Smuzhiyun kfree(apqns);
1525*4882a593Smuzhiyun kfree(kkey);
1526*4882a593Smuzhiyun return -ENOMEM;
1527*4882a593Smuzhiyun }
1528*4882a593Smuzhiyun rc = pkey_keyblob2pkey3(apqns, ktp.apqn_entries, kkey,
1529*4882a593Smuzhiyun ktp.keylen, &ktp.pkeytype,
1530*4882a593Smuzhiyun protkey, &protkeylen);
1531*4882a593Smuzhiyun DEBUG_DBG("%s pkey_keyblob2pkey3()=%d\n", __func__, rc);
1532*4882a593Smuzhiyun kfree(apqns);
1533*4882a593Smuzhiyun kfree(kkey);
1534*4882a593Smuzhiyun if (rc) {
1535*4882a593Smuzhiyun kfree(protkey);
1536*4882a593Smuzhiyun break;
1537*4882a593Smuzhiyun }
1538*4882a593Smuzhiyun if (ktp.pkey && ktp.pkeylen) {
1539*4882a593Smuzhiyun if (protkeylen > ktp.pkeylen) {
1540*4882a593Smuzhiyun kfree(protkey);
1541*4882a593Smuzhiyun return -EINVAL;
1542*4882a593Smuzhiyun }
1543*4882a593Smuzhiyun if (copy_to_user(ktp.pkey, protkey, protkeylen)) {
1544*4882a593Smuzhiyun kfree(protkey);
1545*4882a593Smuzhiyun return -EFAULT;
1546*4882a593Smuzhiyun }
1547*4882a593Smuzhiyun }
1548*4882a593Smuzhiyun kfree(protkey);
1549*4882a593Smuzhiyun ktp.pkeylen = protkeylen;
1550*4882a593Smuzhiyun if (copy_to_user(utp, &ktp, sizeof(ktp)))
1551*4882a593Smuzhiyun return -EFAULT;
1552*4882a593Smuzhiyun break;
1553*4882a593Smuzhiyun }
1554*4882a593Smuzhiyun default:
1555*4882a593Smuzhiyun /* unknown/unsupported ioctl cmd */
1556*4882a593Smuzhiyun return -ENOTTY;
1557*4882a593Smuzhiyun }
1558*4882a593Smuzhiyun
1559*4882a593Smuzhiyun return rc;
1560*4882a593Smuzhiyun }
1561*4882a593Smuzhiyun
1562*4882a593Smuzhiyun /*
1563*4882a593Smuzhiyun * Sysfs and file io operations
1564*4882a593Smuzhiyun */
1565*4882a593Smuzhiyun
1566*4882a593Smuzhiyun /*
1567*4882a593Smuzhiyun * Sysfs attribute read function for all protected key binary attributes.
1568*4882a593Smuzhiyun * The implementation can not deal with partial reads, because a new random
1569*4882a593Smuzhiyun * protected key blob is generated with each read. In case of partial reads
1570*4882a593Smuzhiyun * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1571*4882a593Smuzhiyun */
pkey_protkey_aes_attr_read(u32 keytype,bool is_xts,char * buf,loff_t off,size_t count)1572*4882a593Smuzhiyun static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
1573*4882a593Smuzhiyun loff_t off, size_t count)
1574*4882a593Smuzhiyun {
1575*4882a593Smuzhiyun struct protaeskeytoken protkeytoken;
1576*4882a593Smuzhiyun struct pkey_protkey protkey;
1577*4882a593Smuzhiyun int rc;
1578*4882a593Smuzhiyun
1579*4882a593Smuzhiyun if (off != 0 || count < sizeof(protkeytoken))
1580*4882a593Smuzhiyun return -EINVAL;
1581*4882a593Smuzhiyun if (is_xts)
1582*4882a593Smuzhiyun if (count < 2 * sizeof(protkeytoken))
1583*4882a593Smuzhiyun return -EINVAL;
1584*4882a593Smuzhiyun
1585*4882a593Smuzhiyun memset(&protkeytoken, 0, sizeof(protkeytoken));
1586*4882a593Smuzhiyun protkeytoken.type = TOKTYPE_NON_CCA;
1587*4882a593Smuzhiyun protkeytoken.version = TOKVER_PROTECTED_KEY;
1588*4882a593Smuzhiyun protkeytoken.keytype = keytype;
1589*4882a593Smuzhiyun
1590*4882a593Smuzhiyun rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
1591*4882a593Smuzhiyun if (rc)
1592*4882a593Smuzhiyun return rc;
1593*4882a593Smuzhiyun
1594*4882a593Smuzhiyun protkeytoken.len = protkey.len;
1595*4882a593Smuzhiyun memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
1596*4882a593Smuzhiyun
1597*4882a593Smuzhiyun memcpy(buf, &protkeytoken, sizeof(protkeytoken));
1598*4882a593Smuzhiyun
1599*4882a593Smuzhiyun if (is_xts) {
1600*4882a593Smuzhiyun rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
1601*4882a593Smuzhiyun if (rc)
1602*4882a593Smuzhiyun return rc;
1603*4882a593Smuzhiyun
1604*4882a593Smuzhiyun protkeytoken.len = protkey.len;
1605*4882a593Smuzhiyun memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
1606*4882a593Smuzhiyun
1607*4882a593Smuzhiyun memcpy(buf + sizeof(protkeytoken), &protkeytoken,
1608*4882a593Smuzhiyun sizeof(protkeytoken));
1609*4882a593Smuzhiyun
1610*4882a593Smuzhiyun return 2 * sizeof(protkeytoken);
1611*4882a593Smuzhiyun }
1612*4882a593Smuzhiyun
1613*4882a593Smuzhiyun return sizeof(protkeytoken);
1614*4882a593Smuzhiyun }
1615*4882a593Smuzhiyun
protkey_aes_128_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1616*4882a593Smuzhiyun static ssize_t protkey_aes_128_read(struct file *filp,
1617*4882a593Smuzhiyun struct kobject *kobj,
1618*4882a593Smuzhiyun struct bin_attribute *attr,
1619*4882a593Smuzhiyun char *buf, loff_t off,
1620*4882a593Smuzhiyun size_t count)
1621*4882a593Smuzhiyun {
1622*4882a593Smuzhiyun return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
1623*4882a593Smuzhiyun off, count);
1624*4882a593Smuzhiyun }
1625*4882a593Smuzhiyun
protkey_aes_192_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1626*4882a593Smuzhiyun static ssize_t protkey_aes_192_read(struct file *filp,
1627*4882a593Smuzhiyun struct kobject *kobj,
1628*4882a593Smuzhiyun struct bin_attribute *attr,
1629*4882a593Smuzhiyun char *buf, loff_t off,
1630*4882a593Smuzhiyun size_t count)
1631*4882a593Smuzhiyun {
1632*4882a593Smuzhiyun return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
1633*4882a593Smuzhiyun off, count);
1634*4882a593Smuzhiyun }
1635*4882a593Smuzhiyun
protkey_aes_256_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1636*4882a593Smuzhiyun static ssize_t protkey_aes_256_read(struct file *filp,
1637*4882a593Smuzhiyun struct kobject *kobj,
1638*4882a593Smuzhiyun struct bin_attribute *attr,
1639*4882a593Smuzhiyun char *buf, loff_t off,
1640*4882a593Smuzhiyun size_t count)
1641*4882a593Smuzhiyun {
1642*4882a593Smuzhiyun return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
1643*4882a593Smuzhiyun off, count);
1644*4882a593Smuzhiyun }
1645*4882a593Smuzhiyun
protkey_aes_128_xts_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1646*4882a593Smuzhiyun static ssize_t protkey_aes_128_xts_read(struct file *filp,
1647*4882a593Smuzhiyun struct kobject *kobj,
1648*4882a593Smuzhiyun struct bin_attribute *attr,
1649*4882a593Smuzhiyun char *buf, loff_t off,
1650*4882a593Smuzhiyun size_t count)
1651*4882a593Smuzhiyun {
1652*4882a593Smuzhiyun return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
1653*4882a593Smuzhiyun off, count);
1654*4882a593Smuzhiyun }
1655*4882a593Smuzhiyun
protkey_aes_256_xts_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1656*4882a593Smuzhiyun static ssize_t protkey_aes_256_xts_read(struct file *filp,
1657*4882a593Smuzhiyun struct kobject *kobj,
1658*4882a593Smuzhiyun struct bin_attribute *attr,
1659*4882a593Smuzhiyun char *buf, loff_t off,
1660*4882a593Smuzhiyun size_t count)
1661*4882a593Smuzhiyun {
1662*4882a593Smuzhiyun return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
1663*4882a593Smuzhiyun off, count);
1664*4882a593Smuzhiyun }
1665*4882a593Smuzhiyun
1666*4882a593Smuzhiyun static BIN_ATTR_RO(protkey_aes_128, sizeof(struct protaeskeytoken));
1667*4882a593Smuzhiyun static BIN_ATTR_RO(protkey_aes_192, sizeof(struct protaeskeytoken));
1668*4882a593Smuzhiyun static BIN_ATTR_RO(protkey_aes_256, sizeof(struct protaeskeytoken));
1669*4882a593Smuzhiyun static BIN_ATTR_RO(protkey_aes_128_xts, 2 * sizeof(struct protaeskeytoken));
1670*4882a593Smuzhiyun static BIN_ATTR_RO(protkey_aes_256_xts, 2 * sizeof(struct protaeskeytoken));
1671*4882a593Smuzhiyun
1672*4882a593Smuzhiyun static struct bin_attribute *protkey_attrs[] = {
1673*4882a593Smuzhiyun &bin_attr_protkey_aes_128,
1674*4882a593Smuzhiyun &bin_attr_protkey_aes_192,
1675*4882a593Smuzhiyun &bin_attr_protkey_aes_256,
1676*4882a593Smuzhiyun &bin_attr_protkey_aes_128_xts,
1677*4882a593Smuzhiyun &bin_attr_protkey_aes_256_xts,
1678*4882a593Smuzhiyun NULL
1679*4882a593Smuzhiyun };
1680*4882a593Smuzhiyun
1681*4882a593Smuzhiyun static struct attribute_group protkey_attr_group = {
1682*4882a593Smuzhiyun .name = "protkey",
1683*4882a593Smuzhiyun .bin_attrs = protkey_attrs,
1684*4882a593Smuzhiyun };
1685*4882a593Smuzhiyun
1686*4882a593Smuzhiyun /*
1687*4882a593Smuzhiyun * Sysfs attribute read function for all secure key ccadata binary attributes.
1688*4882a593Smuzhiyun * The implementation can not deal with partial reads, because a new random
1689*4882a593Smuzhiyun * protected key blob is generated with each read. In case of partial reads
1690*4882a593Smuzhiyun * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1691*4882a593Smuzhiyun */
pkey_ccadata_aes_attr_read(u32 keytype,bool is_xts,char * buf,loff_t off,size_t count)1692*4882a593Smuzhiyun static ssize_t pkey_ccadata_aes_attr_read(u32 keytype, bool is_xts, char *buf,
1693*4882a593Smuzhiyun loff_t off, size_t count)
1694*4882a593Smuzhiyun {
1695*4882a593Smuzhiyun int rc;
1696*4882a593Smuzhiyun struct pkey_seckey *seckey = (struct pkey_seckey *) buf;
1697*4882a593Smuzhiyun
1698*4882a593Smuzhiyun if (off != 0 || count < sizeof(struct secaeskeytoken))
1699*4882a593Smuzhiyun return -EINVAL;
1700*4882a593Smuzhiyun if (is_xts)
1701*4882a593Smuzhiyun if (count < 2 * sizeof(struct secaeskeytoken))
1702*4882a593Smuzhiyun return -EINVAL;
1703*4882a593Smuzhiyun
1704*4882a593Smuzhiyun rc = cca_genseckey(-1, -1, keytype, seckey->seckey);
1705*4882a593Smuzhiyun if (rc)
1706*4882a593Smuzhiyun return rc;
1707*4882a593Smuzhiyun
1708*4882a593Smuzhiyun if (is_xts) {
1709*4882a593Smuzhiyun seckey++;
1710*4882a593Smuzhiyun rc = cca_genseckey(-1, -1, keytype, seckey->seckey);
1711*4882a593Smuzhiyun if (rc)
1712*4882a593Smuzhiyun return rc;
1713*4882a593Smuzhiyun
1714*4882a593Smuzhiyun return 2 * sizeof(struct secaeskeytoken);
1715*4882a593Smuzhiyun }
1716*4882a593Smuzhiyun
1717*4882a593Smuzhiyun return sizeof(struct secaeskeytoken);
1718*4882a593Smuzhiyun }
1719*4882a593Smuzhiyun
ccadata_aes_128_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1720*4882a593Smuzhiyun static ssize_t ccadata_aes_128_read(struct file *filp,
1721*4882a593Smuzhiyun struct kobject *kobj,
1722*4882a593Smuzhiyun struct bin_attribute *attr,
1723*4882a593Smuzhiyun char *buf, loff_t off,
1724*4882a593Smuzhiyun size_t count)
1725*4882a593Smuzhiyun {
1726*4882a593Smuzhiyun return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
1727*4882a593Smuzhiyun off, count);
1728*4882a593Smuzhiyun }
1729*4882a593Smuzhiyun
ccadata_aes_192_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1730*4882a593Smuzhiyun static ssize_t ccadata_aes_192_read(struct file *filp,
1731*4882a593Smuzhiyun struct kobject *kobj,
1732*4882a593Smuzhiyun struct bin_attribute *attr,
1733*4882a593Smuzhiyun char *buf, loff_t off,
1734*4882a593Smuzhiyun size_t count)
1735*4882a593Smuzhiyun {
1736*4882a593Smuzhiyun return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
1737*4882a593Smuzhiyun off, count);
1738*4882a593Smuzhiyun }
1739*4882a593Smuzhiyun
ccadata_aes_256_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1740*4882a593Smuzhiyun static ssize_t ccadata_aes_256_read(struct file *filp,
1741*4882a593Smuzhiyun struct kobject *kobj,
1742*4882a593Smuzhiyun struct bin_attribute *attr,
1743*4882a593Smuzhiyun char *buf, loff_t off,
1744*4882a593Smuzhiyun size_t count)
1745*4882a593Smuzhiyun {
1746*4882a593Smuzhiyun return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
1747*4882a593Smuzhiyun off, count);
1748*4882a593Smuzhiyun }
1749*4882a593Smuzhiyun
ccadata_aes_128_xts_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1750*4882a593Smuzhiyun static ssize_t ccadata_aes_128_xts_read(struct file *filp,
1751*4882a593Smuzhiyun struct kobject *kobj,
1752*4882a593Smuzhiyun struct bin_attribute *attr,
1753*4882a593Smuzhiyun char *buf, loff_t off,
1754*4882a593Smuzhiyun size_t count)
1755*4882a593Smuzhiyun {
1756*4882a593Smuzhiyun return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
1757*4882a593Smuzhiyun off, count);
1758*4882a593Smuzhiyun }
1759*4882a593Smuzhiyun
ccadata_aes_256_xts_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1760*4882a593Smuzhiyun static ssize_t ccadata_aes_256_xts_read(struct file *filp,
1761*4882a593Smuzhiyun struct kobject *kobj,
1762*4882a593Smuzhiyun struct bin_attribute *attr,
1763*4882a593Smuzhiyun char *buf, loff_t off,
1764*4882a593Smuzhiyun size_t count)
1765*4882a593Smuzhiyun {
1766*4882a593Smuzhiyun return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
1767*4882a593Smuzhiyun off, count);
1768*4882a593Smuzhiyun }
1769*4882a593Smuzhiyun
1770*4882a593Smuzhiyun static BIN_ATTR_RO(ccadata_aes_128, sizeof(struct secaeskeytoken));
1771*4882a593Smuzhiyun static BIN_ATTR_RO(ccadata_aes_192, sizeof(struct secaeskeytoken));
1772*4882a593Smuzhiyun static BIN_ATTR_RO(ccadata_aes_256, sizeof(struct secaeskeytoken));
1773*4882a593Smuzhiyun static BIN_ATTR_RO(ccadata_aes_128_xts, 2 * sizeof(struct secaeskeytoken));
1774*4882a593Smuzhiyun static BIN_ATTR_RO(ccadata_aes_256_xts, 2 * sizeof(struct secaeskeytoken));
1775*4882a593Smuzhiyun
1776*4882a593Smuzhiyun static struct bin_attribute *ccadata_attrs[] = {
1777*4882a593Smuzhiyun &bin_attr_ccadata_aes_128,
1778*4882a593Smuzhiyun &bin_attr_ccadata_aes_192,
1779*4882a593Smuzhiyun &bin_attr_ccadata_aes_256,
1780*4882a593Smuzhiyun &bin_attr_ccadata_aes_128_xts,
1781*4882a593Smuzhiyun &bin_attr_ccadata_aes_256_xts,
1782*4882a593Smuzhiyun NULL
1783*4882a593Smuzhiyun };
1784*4882a593Smuzhiyun
1785*4882a593Smuzhiyun static struct attribute_group ccadata_attr_group = {
1786*4882a593Smuzhiyun .name = "ccadata",
1787*4882a593Smuzhiyun .bin_attrs = ccadata_attrs,
1788*4882a593Smuzhiyun };
1789*4882a593Smuzhiyun
1790*4882a593Smuzhiyun #define CCACIPHERTOKENSIZE (sizeof(struct cipherkeytoken) + 80)
1791*4882a593Smuzhiyun
1792*4882a593Smuzhiyun /*
1793*4882a593Smuzhiyun * Sysfs attribute read function for all secure key ccacipher binary attributes.
1794*4882a593Smuzhiyun * The implementation can not deal with partial reads, because a new random
1795*4882a593Smuzhiyun * secure key blob is generated with each read. In case of partial reads
1796*4882a593Smuzhiyun * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1797*4882a593Smuzhiyun */
pkey_ccacipher_aes_attr_read(enum pkey_key_size keybits,bool is_xts,char * buf,loff_t off,size_t count)1798*4882a593Smuzhiyun static ssize_t pkey_ccacipher_aes_attr_read(enum pkey_key_size keybits,
1799*4882a593Smuzhiyun bool is_xts, char *buf, loff_t off,
1800*4882a593Smuzhiyun size_t count)
1801*4882a593Smuzhiyun {
1802*4882a593Smuzhiyun int i, rc, card, dom;
1803*4882a593Smuzhiyun u32 nr_apqns, *apqns = NULL;
1804*4882a593Smuzhiyun size_t keysize = CCACIPHERTOKENSIZE;
1805*4882a593Smuzhiyun
1806*4882a593Smuzhiyun if (off != 0 || count < CCACIPHERTOKENSIZE)
1807*4882a593Smuzhiyun return -EINVAL;
1808*4882a593Smuzhiyun if (is_xts)
1809*4882a593Smuzhiyun if (count < 2 * CCACIPHERTOKENSIZE)
1810*4882a593Smuzhiyun return -EINVAL;
1811*4882a593Smuzhiyun
1812*4882a593Smuzhiyun /* build a list of apqns able to generate an cipher key */
1813*4882a593Smuzhiyun rc = cca_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
1814*4882a593Smuzhiyun ZCRYPT_CEX6, 0, 0, 0, 0);
1815*4882a593Smuzhiyun if (rc)
1816*4882a593Smuzhiyun return rc;
1817*4882a593Smuzhiyun
1818*4882a593Smuzhiyun memset(buf, 0, is_xts ? 2 * keysize : keysize);
1819*4882a593Smuzhiyun
1820*4882a593Smuzhiyun /* simple try all apqns from the list */
1821*4882a593Smuzhiyun for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
1822*4882a593Smuzhiyun card = apqns[i] >> 16;
1823*4882a593Smuzhiyun dom = apqns[i] & 0xFFFF;
1824*4882a593Smuzhiyun rc = cca_gencipherkey(card, dom, keybits, 0, buf, &keysize);
1825*4882a593Smuzhiyun if (rc == 0)
1826*4882a593Smuzhiyun break;
1827*4882a593Smuzhiyun }
1828*4882a593Smuzhiyun if (rc)
1829*4882a593Smuzhiyun return rc;
1830*4882a593Smuzhiyun
1831*4882a593Smuzhiyun if (is_xts) {
1832*4882a593Smuzhiyun keysize = CCACIPHERTOKENSIZE;
1833*4882a593Smuzhiyun buf += CCACIPHERTOKENSIZE;
1834*4882a593Smuzhiyun rc = cca_gencipherkey(card, dom, keybits, 0, buf, &keysize);
1835*4882a593Smuzhiyun if (rc == 0)
1836*4882a593Smuzhiyun return 2 * CCACIPHERTOKENSIZE;
1837*4882a593Smuzhiyun }
1838*4882a593Smuzhiyun
1839*4882a593Smuzhiyun return CCACIPHERTOKENSIZE;
1840*4882a593Smuzhiyun }
1841*4882a593Smuzhiyun
ccacipher_aes_128_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1842*4882a593Smuzhiyun static ssize_t ccacipher_aes_128_read(struct file *filp,
1843*4882a593Smuzhiyun struct kobject *kobj,
1844*4882a593Smuzhiyun struct bin_attribute *attr,
1845*4882a593Smuzhiyun char *buf, loff_t off,
1846*4882a593Smuzhiyun size_t count)
1847*4882a593Smuzhiyun {
1848*4882a593Smuzhiyun return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_128, false, buf,
1849*4882a593Smuzhiyun off, count);
1850*4882a593Smuzhiyun }
1851*4882a593Smuzhiyun
ccacipher_aes_192_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1852*4882a593Smuzhiyun static ssize_t ccacipher_aes_192_read(struct file *filp,
1853*4882a593Smuzhiyun struct kobject *kobj,
1854*4882a593Smuzhiyun struct bin_attribute *attr,
1855*4882a593Smuzhiyun char *buf, loff_t off,
1856*4882a593Smuzhiyun size_t count)
1857*4882a593Smuzhiyun {
1858*4882a593Smuzhiyun return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_192, false, buf,
1859*4882a593Smuzhiyun off, count);
1860*4882a593Smuzhiyun }
1861*4882a593Smuzhiyun
ccacipher_aes_256_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1862*4882a593Smuzhiyun static ssize_t ccacipher_aes_256_read(struct file *filp,
1863*4882a593Smuzhiyun struct kobject *kobj,
1864*4882a593Smuzhiyun struct bin_attribute *attr,
1865*4882a593Smuzhiyun char *buf, loff_t off,
1866*4882a593Smuzhiyun size_t count)
1867*4882a593Smuzhiyun {
1868*4882a593Smuzhiyun return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_256, false, buf,
1869*4882a593Smuzhiyun off, count);
1870*4882a593Smuzhiyun }
1871*4882a593Smuzhiyun
ccacipher_aes_128_xts_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1872*4882a593Smuzhiyun static ssize_t ccacipher_aes_128_xts_read(struct file *filp,
1873*4882a593Smuzhiyun struct kobject *kobj,
1874*4882a593Smuzhiyun struct bin_attribute *attr,
1875*4882a593Smuzhiyun char *buf, loff_t off,
1876*4882a593Smuzhiyun size_t count)
1877*4882a593Smuzhiyun {
1878*4882a593Smuzhiyun return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_128, true, buf,
1879*4882a593Smuzhiyun off, count);
1880*4882a593Smuzhiyun }
1881*4882a593Smuzhiyun
ccacipher_aes_256_xts_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1882*4882a593Smuzhiyun static ssize_t ccacipher_aes_256_xts_read(struct file *filp,
1883*4882a593Smuzhiyun struct kobject *kobj,
1884*4882a593Smuzhiyun struct bin_attribute *attr,
1885*4882a593Smuzhiyun char *buf, loff_t off,
1886*4882a593Smuzhiyun size_t count)
1887*4882a593Smuzhiyun {
1888*4882a593Smuzhiyun return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_256, true, buf,
1889*4882a593Smuzhiyun off, count);
1890*4882a593Smuzhiyun }
1891*4882a593Smuzhiyun
1892*4882a593Smuzhiyun static BIN_ATTR_RO(ccacipher_aes_128, CCACIPHERTOKENSIZE);
1893*4882a593Smuzhiyun static BIN_ATTR_RO(ccacipher_aes_192, CCACIPHERTOKENSIZE);
1894*4882a593Smuzhiyun static BIN_ATTR_RO(ccacipher_aes_256, CCACIPHERTOKENSIZE);
1895*4882a593Smuzhiyun static BIN_ATTR_RO(ccacipher_aes_128_xts, 2 * CCACIPHERTOKENSIZE);
1896*4882a593Smuzhiyun static BIN_ATTR_RO(ccacipher_aes_256_xts, 2 * CCACIPHERTOKENSIZE);
1897*4882a593Smuzhiyun
1898*4882a593Smuzhiyun static struct bin_attribute *ccacipher_attrs[] = {
1899*4882a593Smuzhiyun &bin_attr_ccacipher_aes_128,
1900*4882a593Smuzhiyun &bin_attr_ccacipher_aes_192,
1901*4882a593Smuzhiyun &bin_attr_ccacipher_aes_256,
1902*4882a593Smuzhiyun &bin_attr_ccacipher_aes_128_xts,
1903*4882a593Smuzhiyun &bin_attr_ccacipher_aes_256_xts,
1904*4882a593Smuzhiyun NULL
1905*4882a593Smuzhiyun };
1906*4882a593Smuzhiyun
1907*4882a593Smuzhiyun static struct attribute_group ccacipher_attr_group = {
1908*4882a593Smuzhiyun .name = "ccacipher",
1909*4882a593Smuzhiyun .bin_attrs = ccacipher_attrs,
1910*4882a593Smuzhiyun };
1911*4882a593Smuzhiyun
1912*4882a593Smuzhiyun /*
1913*4882a593Smuzhiyun * Sysfs attribute read function for all ep11 aes key binary attributes.
1914*4882a593Smuzhiyun * The implementation can not deal with partial reads, because a new random
1915*4882a593Smuzhiyun * secure key blob is generated with each read. In case of partial reads
1916*4882a593Smuzhiyun * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1917*4882a593Smuzhiyun * This function and the sysfs attributes using it provide EP11 key blobs
1918*4882a593Smuzhiyun * padded to the upper limit of MAXEP11AESKEYBLOBSIZE which is currently
1919*4882a593Smuzhiyun * 320 bytes.
1920*4882a593Smuzhiyun */
pkey_ep11_aes_attr_read(enum pkey_key_size keybits,bool is_xts,char * buf,loff_t off,size_t count)1921*4882a593Smuzhiyun static ssize_t pkey_ep11_aes_attr_read(enum pkey_key_size keybits,
1922*4882a593Smuzhiyun bool is_xts, char *buf, loff_t off,
1923*4882a593Smuzhiyun size_t count)
1924*4882a593Smuzhiyun {
1925*4882a593Smuzhiyun int i, rc, card, dom;
1926*4882a593Smuzhiyun u32 nr_apqns, *apqns = NULL;
1927*4882a593Smuzhiyun size_t keysize = MAXEP11AESKEYBLOBSIZE;
1928*4882a593Smuzhiyun
1929*4882a593Smuzhiyun if (off != 0 || count < MAXEP11AESKEYBLOBSIZE)
1930*4882a593Smuzhiyun return -EINVAL;
1931*4882a593Smuzhiyun if (is_xts)
1932*4882a593Smuzhiyun if (count < 2 * MAXEP11AESKEYBLOBSIZE)
1933*4882a593Smuzhiyun return -EINVAL;
1934*4882a593Smuzhiyun
1935*4882a593Smuzhiyun /* build a list of apqns able to generate an cipher key */
1936*4882a593Smuzhiyun rc = ep11_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
1937*4882a593Smuzhiyun ZCRYPT_CEX7, EP11_API_V, NULL);
1938*4882a593Smuzhiyun if (rc)
1939*4882a593Smuzhiyun return rc;
1940*4882a593Smuzhiyun
1941*4882a593Smuzhiyun memset(buf, 0, is_xts ? 2 * keysize : keysize);
1942*4882a593Smuzhiyun
1943*4882a593Smuzhiyun /* simple try all apqns from the list */
1944*4882a593Smuzhiyun for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
1945*4882a593Smuzhiyun card = apqns[i] >> 16;
1946*4882a593Smuzhiyun dom = apqns[i] & 0xFFFF;
1947*4882a593Smuzhiyun rc = ep11_genaeskey(card, dom, keybits, 0, buf, &keysize);
1948*4882a593Smuzhiyun if (rc == 0)
1949*4882a593Smuzhiyun break;
1950*4882a593Smuzhiyun }
1951*4882a593Smuzhiyun if (rc)
1952*4882a593Smuzhiyun return rc;
1953*4882a593Smuzhiyun
1954*4882a593Smuzhiyun if (is_xts) {
1955*4882a593Smuzhiyun keysize = MAXEP11AESKEYBLOBSIZE;
1956*4882a593Smuzhiyun buf += MAXEP11AESKEYBLOBSIZE;
1957*4882a593Smuzhiyun rc = ep11_genaeskey(card, dom, keybits, 0, buf, &keysize);
1958*4882a593Smuzhiyun if (rc == 0)
1959*4882a593Smuzhiyun return 2 * MAXEP11AESKEYBLOBSIZE;
1960*4882a593Smuzhiyun }
1961*4882a593Smuzhiyun
1962*4882a593Smuzhiyun return MAXEP11AESKEYBLOBSIZE;
1963*4882a593Smuzhiyun }
1964*4882a593Smuzhiyun
ep11_aes_128_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1965*4882a593Smuzhiyun static ssize_t ep11_aes_128_read(struct file *filp,
1966*4882a593Smuzhiyun struct kobject *kobj,
1967*4882a593Smuzhiyun struct bin_attribute *attr,
1968*4882a593Smuzhiyun char *buf, loff_t off,
1969*4882a593Smuzhiyun size_t count)
1970*4882a593Smuzhiyun {
1971*4882a593Smuzhiyun return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_128, false, buf,
1972*4882a593Smuzhiyun off, count);
1973*4882a593Smuzhiyun }
1974*4882a593Smuzhiyun
ep11_aes_192_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1975*4882a593Smuzhiyun static ssize_t ep11_aes_192_read(struct file *filp,
1976*4882a593Smuzhiyun struct kobject *kobj,
1977*4882a593Smuzhiyun struct bin_attribute *attr,
1978*4882a593Smuzhiyun char *buf, loff_t off,
1979*4882a593Smuzhiyun size_t count)
1980*4882a593Smuzhiyun {
1981*4882a593Smuzhiyun return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_192, false, buf,
1982*4882a593Smuzhiyun off, count);
1983*4882a593Smuzhiyun }
1984*4882a593Smuzhiyun
ep11_aes_256_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1985*4882a593Smuzhiyun static ssize_t ep11_aes_256_read(struct file *filp,
1986*4882a593Smuzhiyun struct kobject *kobj,
1987*4882a593Smuzhiyun struct bin_attribute *attr,
1988*4882a593Smuzhiyun char *buf, loff_t off,
1989*4882a593Smuzhiyun size_t count)
1990*4882a593Smuzhiyun {
1991*4882a593Smuzhiyun return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_256, false, buf,
1992*4882a593Smuzhiyun off, count);
1993*4882a593Smuzhiyun }
1994*4882a593Smuzhiyun
ep11_aes_128_xts_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)1995*4882a593Smuzhiyun static ssize_t ep11_aes_128_xts_read(struct file *filp,
1996*4882a593Smuzhiyun struct kobject *kobj,
1997*4882a593Smuzhiyun struct bin_attribute *attr,
1998*4882a593Smuzhiyun char *buf, loff_t off,
1999*4882a593Smuzhiyun size_t count)
2000*4882a593Smuzhiyun {
2001*4882a593Smuzhiyun return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_128, true, buf,
2002*4882a593Smuzhiyun off, count);
2003*4882a593Smuzhiyun }
2004*4882a593Smuzhiyun
ep11_aes_256_xts_read(struct file * filp,struct kobject * kobj,struct bin_attribute * attr,char * buf,loff_t off,size_t count)2005*4882a593Smuzhiyun static ssize_t ep11_aes_256_xts_read(struct file *filp,
2006*4882a593Smuzhiyun struct kobject *kobj,
2007*4882a593Smuzhiyun struct bin_attribute *attr,
2008*4882a593Smuzhiyun char *buf, loff_t off,
2009*4882a593Smuzhiyun size_t count)
2010*4882a593Smuzhiyun {
2011*4882a593Smuzhiyun return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_256, true, buf,
2012*4882a593Smuzhiyun off, count);
2013*4882a593Smuzhiyun }
2014*4882a593Smuzhiyun
2015*4882a593Smuzhiyun static BIN_ATTR_RO(ep11_aes_128, MAXEP11AESKEYBLOBSIZE);
2016*4882a593Smuzhiyun static BIN_ATTR_RO(ep11_aes_192, MAXEP11AESKEYBLOBSIZE);
2017*4882a593Smuzhiyun static BIN_ATTR_RO(ep11_aes_256, MAXEP11AESKEYBLOBSIZE);
2018*4882a593Smuzhiyun static BIN_ATTR_RO(ep11_aes_128_xts, 2 * MAXEP11AESKEYBLOBSIZE);
2019*4882a593Smuzhiyun static BIN_ATTR_RO(ep11_aes_256_xts, 2 * MAXEP11AESKEYBLOBSIZE);
2020*4882a593Smuzhiyun
2021*4882a593Smuzhiyun static struct bin_attribute *ep11_attrs[] = {
2022*4882a593Smuzhiyun &bin_attr_ep11_aes_128,
2023*4882a593Smuzhiyun &bin_attr_ep11_aes_192,
2024*4882a593Smuzhiyun &bin_attr_ep11_aes_256,
2025*4882a593Smuzhiyun &bin_attr_ep11_aes_128_xts,
2026*4882a593Smuzhiyun &bin_attr_ep11_aes_256_xts,
2027*4882a593Smuzhiyun NULL
2028*4882a593Smuzhiyun };
2029*4882a593Smuzhiyun
2030*4882a593Smuzhiyun static struct attribute_group ep11_attr_group = {
2031*4882a593Smuzhiyun .name = "ep11",
2032*4882a593Smuzhiyun .bin_attrs = ep11_attrs,
2033*4882a593Smuzhiyun };
2034*4882a593Smuzhiyun
2035*4882a593Smuzhiyun static const struct attribute_group *pkey_attr_groups[] = {
2036*4882a593Smuzhiyun &protkey_attr_group,
2037*4882a593Smuzhiyun &ccadata_attr_group,
2038*4882a593Smuzhiyun &ccacipher_attr_group,
2039*4882a593Smuzhiyun &ep11_attr_group,
2040*4882a593Smuzhiyun NULL,
2041*4882a593Smuzhiyun };
2042*4882a593Smuzhiyun
2043*4882a593Smuzhiyun static const struct file_operations pkey_fops = {
2044*4882a593Smuzhiyun .owner = THIS_MODULE,
2045*4882a593Smuzhiyun .open = nonseekable_open,
2046*4882a593Smuzhiyun .llseek = no_llseek,
2047*4882a593Smuzhiyun .unlocked_ioctl = pkey_unlocked_ioctl,
2048*4882a593Smuzhiyun };
2049*4882a593Smuzhiyun
2050*4882a593Smuzhiyun static struct miscdevice pkey_dev = {
2051*4882a593Smuzhiyun .name = "pkey",
2052*4882a593Smuzhiyun .minor = MISC_DYNAMIC_MINOR,
2053*4882a593Smuzhiyun .mode = 0666,
2054*4882a593Smuzhiyun .fops = &pkey_fops,
2055*4882a593Smuzhiyun .groups = pkey_attr_groups,
2056*4882a593Smuzhiyun };
2057*4882a593Smuzhiyun
2058*4882a593Smuzhiyun /*
2059*4882a593Smuzhiyun * Module init
2060*4882a593Smuzhiyun */
pkey_init(void)2061*4882a593Smuzhiyun static int __init pkey_init(void)
2062*4882a593Smuzhiyun {
2063*4882a593Smuzhiyun cpacf_mask_t func_mask;
2064*4882a593Smuzhiyun
2065*4882a593Smuzhiyun /*
2066*4882a593Smuzhiyun * The pckmo instruction should be available - even if we don't
2067*4882a593Smuzhiyun * actually invoke it. This instruction comes with MSA 3 which
2068*4882a593Smuzhiyun * is also the minimum level for the kmc instructions which
2069*4882a593Smuzhiyun * are able to work with protected keys.
2070*4882a593Smuzhiyun */
2071*4882a593Smuzhiyun if (!cpacf_query(CPACF_PCKMO, &func_mask))
2072*4882a593Smuzhiyun return -ENODEV;
2073*4882a593Smuzhiyun
2074*4882a593Smuzhiyun /* check for kmc instructions available */
2075*4882a593Smuzhiyun if (!cpacf_query(CPACF_KMC, &func_mask))
2076*4882a593Smuzhiyun return -ENODEV;
2077*4882a593Smuzhiyun if (!cpacf_test_func(&func_mask, CPACF_KMC_PAES_128) ||
2078*4882a593Smuzhiyun !cpacf_test_func(&func_mask, CPACF_KMC_PAES_192) ||
2079*4882a593Smuzhiyun !cpacf_test_func(&func_mask, CPACF_KMC_PAES_256))
2080*4882a593Smuzhiyun return -ENODEV;
2081*4882a593Smuzhiyun
2082*4882a593Smuzhiyun pkey_debug_init();
2083*4882a593Smuzhiyun
2084*4882a593Smuzhiyun return misc_register(&pkey_dev);
2085*4882a593Smuzhiyun }
2086*4882a593Smuzhiyun
2087*4882a593Smuzhiyun /*
2088*4882a593Smuzhiyun * Module exit
2089*4882a593Smuzhiyun */
pkey_exit(void)2090*4882a593Smuzhiyun static void __exit pkey_exit(void)
2091*4882a593Smuzhiyun {
2092*4882a593Smuzhiyun misc_deregister(&pkey_dev);
2093*4882a593Smuzhiyun pkey_debug_exit();
2094*4882a593Smuzhiyun }
2095*4882a593Smuzhiyun
2096*4882a593Smuzhiyun module_cpu_feature_match(MSA, pkey_init);
2097*4882a593Smuzhiyun module_exit(pkey_exit);
2098