1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright IBM Corp. 2017, 2023
7 * Author(s): Harald Freudenberger
10 #define KMSG_COMPONENT "pkey"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/miscdevice.h>
15 #include <linux/slab.h>
17 #include "zcrypt_api.h"
18 #include "zcrypt_ccamisc.h"
20 #include "pkey_base.h"
25 static int key2protkey(const struct pkey_apqn *apqns, size_t nr_apqns,
26 const u8 *key, size_t keylen,
27 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
31 /* try the direct way */
32 rc = pkey_handler_key_to_protkey(apqns, nr_apqns,
37 /* if this did not work, try the slowpath way */
39 rc = pkey_handler_slowpath_key_to_protkey(apqns, nr_apqns,
47 pr_debug("rc=%d\n", rc);
52 * In-Kernel function: Transform a key blob (of any type) into a protected key
54 int pkey_key2protkey(const u8 *key, u32 keylen,
55 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
59 rc = key2protkey(NULL, 0, key, keylen,
60 protkey, protkeylen, protkeytype);
62 pkey_handler_request_modules();
63 rc = key2protkey(NULL, 0, key, keylen,
64 protkey, protkeylen, protkeytype);
69 EXPORT_SYMBOL(pkey_key2protkey);
75 static void *_copy_key_from_user(void __user *ukey, size_t keylen)
77 if (!ukey || keylen < MINKEYBLOBBUFSIZE || keylen > KEYBLOBBUFSIZE)
78 return ERR_PTR(-EINVAL);
80 return memdup_user(ukey, keylen);
83 static void *_copy_apqns_from_user(void __user *uapqns, size_t nr_apqns)
85 if (!uapqns || nr_apqns == 0)
88 return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn));
91 static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs)
93 struct pkey_genseck kgs;
94 struct pkey_apqn apqn;
98 if (copy_from_user(&kgs, ugs, sizeof(kgs)))
101 apqn.card = kgs.cardnr;
102 apqn.domain = kgs.domain;
103 keybuflen = sizeof(kgs.seckey.seckey);
104 rc = pkey_handler_gen_key(&apqn, 1,
105 kgs.keytype, PKEY_TYPE_CCA_DATA, 0, 0,
106 kgs.seckey.seckey, &keybuflen, NULL);
107 pr_debug("gen_key()=%d\n", rc);
108 if (!rc && copy_to_user(ugs, &kgs, sizeof(kgs)))
110 memzero_explicit(&kgs, sizeof(kgs));
115 static int pkey_ioctl_clr2seck(struct pkey_clr2seck __user *ucs)
117 struct pkey_clr2seck kcs;
118 struct pkey_apqn apqn;
122 if (copy_from_user(&kcs, ucs, sizeof(kcs)))
125 apqn.card = kcs.cardnr;
126 apqn.domain = kcs.domain;
127 keybuflen = sizeof(kcs.seckey.seckey);
128 rc = pkey_handler_clr_to_key(&apqn, 1,
129 kcs.keytype, PKEY_TYPE_CCA_DATA, 0, 0,
131 pkey_keytype_aes_to_size(kcs.keytype),
132 kcs.seckey.seckey, &keybuflen, NULL);
133 pr_debug("clr_to_key()=%d\n", rc);
134 if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs)))
136 memzero_explicit(&kcs, sizeof(kcs));
141 static int pkey_ioctl_sec2protk(struct pkey_sec2protk __user *usp)
143 struct pkey_sec2protk ksp;
144 struct pkey_apqn apqn;
147 if (copy_from_user(&ksp, usp, sizeof(ksp)))
150 apqn.card = ksp.cardnr;
151 apqn.domain = ksp.domain;
152 ksp.protkey.len = sizeof(ksp.protkey.protkey);
153 rc = pkey_handler_key_to_protkey(&apqn, 1,
155 sizeof(ksp.seckey.seckey),
157 &ksp.protkey.len, &ksp.protkey.type);
158 pr_debug("key_to_protkey()=%d\n", rc);
159 if (!rc && copy_to_user(usp, &ksp, sizeof(ksp)))
161 memzero_explicit(&ksp, sizeof(ksp));
166 static int pkey_ioctl_clr2protk(struct pkey_clr2protk __user *ucp)
168 struct pkey_clr2protk kcp;
169 struct clearkeytoken *t;
174 if (copy_from_user(&kcp, ucp, sizeof(kcp)))
177 /* build a 'clear key token' from the clear key value */
178 keylen = pkey_keytype_aes_to_size(kcp.keytype);
180 PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n",
181 __func__, kcp.keytype);
182 memzero_explicit(&kcp, sizeof(kcp));
185 tmpbuf = kzalloc(sizeof(*t) + keylen, GFP_KERNEL);
187 memzero_explicit(&kcp, sizeof(kcp));
190 t = (struct clearkeytoken *)tmpbuf;
191 t->type = TOKTYPE_NON_CCA;
192 t->version = TOKVER_CLEAR_KEY;
193 t->keytype = (keylen - 8) >> 3;
195 memcpy(t->clearkey, kcp.clrkey.clrkey, keylen);
196 kcp.protkey.len = sizeof(kcp.protkey.protkey);
198 rc = key2protkey(NULL, 0,
199 tmpbuf, sizeof(*t) + keylen,
201 &kcp.protkey.len, &kcp.protkey.type);
202 pr_debug("key2protkey()=%d\n", rc);
204 kfree_sensitive(tmpbuf);
206 if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp)))
208 memzero_explicit(&kcp, sizeof(kcp));
213 static int pkey_ioctl_findcard(struct pkey_findcard __user *ufc)
215 struct pkey_findcard kfc;
216 struct pkey_apqn *apqns;
220 if (copy_from_user(&kfc, ufc, sizeof(kfc)))
223 nr_apqns = MAXAPQNSINLIST;
224 apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), GFP_KERNEL);
228 rc = pkey_handler_apqns_for_key(kfc.seckey.seckey,
229 sizeof(kfc.seckey.seckey),
230 PKEY_FLAGS_MATCH_CUR_MKVP,
233 rc = pkey_handler_apqns_for_key(kfc.seckey.seckey,
234 sizeof(kfc.seckey.seckey),
235 PKEY_FLAGS_MATCH_ALT_MKVP,
237 pr_debug("apqns_for_key()=%d\n", rc);
242 kfc.cardnr = apqns[0].card;
243 kfc.domain = apqns[0].domain;
245 if (copy_to_user(ufc, &kfc, sizeof(kfc)))
251 static int pkey_ioctl_skey2pkey(struct pkey_skey2pkey __user *usp)
253 struct pkey_skey2pkey ksp;
256 if (copy_from_user(&ksp, usp, sizeof(ksp)))
259 ksp.protkey.len = sizeof(ksp.protkey.protkey);
260 rc = pkey_handler_key_to_protkey(NULL, 0,
262 sizeof(ksp.seckey.seckey),
266 pr_debug("key_to_protkey()=%d\n", rc);
267 if (!rc && copy_to_user(usp, &ksp, sizeof(ksp)))
269 memzero_explicit(&ksp, sizeof(ksp));
274 static int pkey_ioctl_verifykey(struct pkey_verifykey __user *uvk)
276 u32 keytype, keybitsize, flags;
277 struct pkey_verifykey kvk;
280 if (copy_from_user(&kvk, uvk, sizeof(kvk)))
285 rc = pkey_handler_verify_key(kvk.seckey.seckey,
286 sizeof(kvk.seckey.seckey),
287 &kvk.cardnr, &kvk.domain,
288 &keytype, &keybitsize, &flags);
289 pr_debug("verify_key()=%d\n", rc);
290 if (!rc && keytype != PKEY_TYPE_CCA_DATA)
292 kvk.attributes = PKEY_VERIFY_ATTR_AES;
293 kvk.keysize = (u16)keybitsize;
294 if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
295 kvk.attributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
296 if (!rc && copy_to_user(uvk, &kvk, sizeof(kvk)))
298 memzero_explicit(&kvk, sizeof(kvk));
303 static int pkey_ioctl_genprotk(struct pkey_genprotk __user *ugp)
305 struct pkey_genprotk kgp;
308 if (copy_from_user(&kgp, ugp, sizeof(kgp)))
311 kgp.protkey.len = sizeof(kgp.protkey.protkey);
312 rc = pkey_handler_gen_key(NULL, 0, kgp.keytype,
313 PKEY_TYPE_PROTKEY, 0, 0,
314 kgp.protkey.protkey, &kgp.protkey.len,
316 pr_debug("gen_key()=%d\n", rc);
317 if (!rc && copy_to_user(ugp, &kgp, sizeof(kgp)))
319 memzero_explicit(&kgp, sizeof(kgp));
324 static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
326 struct pkey_verifyprotk kvp;
327 struct protaeskeytoken *t;
332 if (copy_from_user(&kvp, uvp, sizeof(kvp)))
335 keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
337 PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
338 __func__, kvp.protkey.len);
339 memzero_explicit(&kvp, sizeof(kvp));
343 /* build a 'protected key token' from the raw protected key */
344 tmpbuf = kzalloc(sizeof(*t), GFP_KERNEL);
346 memzero_explicit(&kvp, sizeof(kvp));
349 t = (struct protaeskeytoken *)tmpbuf;
350 t->type = TOKTYPE_NON_CCA;
351 t->version = TOKVER_PROTECTED_KEY;
352 t->keytype = keytype;
353 t->len = kvp.protkey.len;
354 memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len);
356 rc = pkey_handler_verify_key(tmpbuf, sizeof(*t),
357 NULL, NULL, NULL, NULL, NULL);
358 pr_debug("verify_key()=%d\n", rc);
360 kfree_sensitive(tmpbuf);
361 memzero_explicit(&kvp, sizeof(kvp));
366 static int pkey_ioctl_kblob2protk(struct pkey_kblob2pkey __user *utp)
368 struct pkey_kblob2pkey ktp;
372 if (copy_from_user(&ktp, utp, sizeof(ktp)))
374 kkey = _copy_key_from_user(ktp.key, ktp.keylen);
376 return PTR_ERR(kkey);
377 ktp.protkey.len = sizeof(ktp.protkey.protkey);
378 rc = key2protkey(NULL, 0, kkey, ktp.keylen,
379 ktp.protkey.protkey, &ktp.protkey.len,
381 pr_debug("key2protkey()=%d\n", rc);
382 kfree_sensitive(kkey);
383 if (!rc && copy_to_user(utp, &ktp, sizeof(ktp)))
385 memzero_explicit(&ktp, sizeof(ktp));
390 static int pkey_ioctl_genseck2(struct pkey_genseck2 __user *ugs)
392 u32 klen = KEYBLOBBUFSIZE;
393 struct pkey_genseck2 kgs;
394 struct pkey_apqn *apqns;
399 if (copy_from_user(&kgs, ugs, sizeof(kgs)))
401 u = pkey_aes_bitsize_to_keytype(kgs.size);
403 PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n",
407 apqns = _copy_apqns_from_user(kgs.apqns, kgs.apqn_entries);
409 return PTR_ERR(apqns);
410 kkey = kzalloc(klen, GFP_KERNEL);
415 rc = pkey_handler_gen_key(apqns, kgs.apqn_entries,
416 u, kgs.type, kgs.size, kgs.keygenflags,
418 pr_debug("gen_key()=%d\n", rc);
421 kfree_sensitive(kkey);
425 if (kgs.keylen < klen) {
426 kfree_sensitive(kkey);
429 if (copy_to_user(kgs.key, kkey, klen)) {
430 kfree_sensitive(kkey);
435 if (copy_to_user(ugs, &kgs, sizeof(kgs)))
437 kfree_sensitive(kkey);
442 static int pkey_ioctl_clr2seck2(struct pkey_clr2seck2 __user *ucs)
444 u32 klen = KEYBLOBBUFSIZE;
445 struct pkey_clr2seck2 kcs;
446 struct pkey_apqn *apqns;
451 if (copy_from_user(&kcs, ucs, sizeof(kcs)))
453 u = pkey_aes_bitsize_to_keytype(kcs.size);
455 PKEY_DBF_ERR("%s unknown/unsupported keybitsize %d\n",
457 memzero_explicit(&kcs, sizeof(kcs));
460 apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries);
462 memzero_explicit(&kcs, sizeof(kcs));
463 return PTR_ERR(apqns);
465 kkey = kzalloc(klen, GFP_KERNEL);
468 memzero_explicit(&kcs, sizeof(kcs));
471 rc = pkey_handler_clr_to_key(apqns, kcs.apqn_entries,
472 u, kcs.type, kcs.size, kcs.keygenflags,
473 kcs.clrkey.clrkey, kcs.size / 8,
475 pr_debug("clr_to_key()=%d\n", rc);
478 kfree_sensitive(kkey);
479 memzero_explicit(&kcs, sizeof(kcs));
483 if (kcs.keylen < klen) {
484 kfree_sensitive(kkey);
485 memzero_explicit(&kcs, sizeof(kcs));
488 if (copy_to_user(kcs.key, kkey, klen)) {
489 kfree_sensitive(kkey);
490 memzero_explicit(&kcs, sizeof(kcs));
495 if (copy_to_user(ucs, &kcs, sizeof(kcs)))
497 memzero_explicit(&kcs, sizeof(kcs));
498 kfree_sensitive(kkey);
503 static int pkey_ioctl_verifykey2(struct pkey_verifykey2 __user *uvk)
505 struct pkey_verifykey2 kvk;
509 if (copy_from_user(&kvk, uvk, sizeof(kvk)))
511 kkey = _copy_key_from_user(kvk.key, kvk.keylen);
513 return PTR_ERR(kkey);
515 rc = pkey_handler_verify_key(kkey, kvk.keylen,
516 &kvk.cardnr, &kvk.domain,
517 &kvk.type, &kvk.size, &kvk.flags);
518 pr_debug("verify_key()=%d\n", rc);
520 kfree_sensitive(kkey);
521 if (!rc && copy_to_user(uvk, &kvk, sizeof(kvk)))
527 static int pkey_ioctl_kblob2protk2(struct pkey_kblob2pkey2 __user *utp)
529 struct pkey_apqn *apqns = NULL;
530 struct pkey_kblob2pkey2 ktp;
534 if (copy_from_user(&ktp, utp, sizeof(ktp)))
536 apqns = _copy_apqns_from_user(ktp.apqns, ktp.apqn_entries);
538 return PTR_ERR(apqns);
539 kkey = _copy_key_from_user(ktp.key, ktp.keylen);
542 return PTR_ERR(kkey);
544 ktp.protkey.len = sizeof(ktp.protkey.protkey);
545 rc = key2protkey(apqns, ktp.apqn_entries, kkey, ktp.keylen,
546 ktp.protkey.protkey, &ktp.protkey.len,
548 pr_debug("key2protkey()=%d\n", rc);
550 kfree_sensitive(kkey);
551 if (!rc && copy_to_user(utp, &ktp, sizeof(ktp)))
553 memzero_explicit(&ktp, sizeof(ktp));
558 static int pkey_ioctl_apqns4k(struct pkey_apqns4key __user *uak)
560 struct pkey_apqn *apqns = NULL;
561 struct pkey_apqns4key kak;
562 size_t nr_apqns, len;
566 if (copy_from_user(&kak, uak, sizeof(kak)))
568 nr_apqns = kak.apqn_entries;
570 apqns = kmalloc_array(nr_apqns,
571 sizeof(struct pkey_apqn),
576 kkey = _copy_key_from_user(kak.key, kak.keylen);
579 return PTR_ERR(kkey);
581 rc = pkey_handler_apqns_for_key(kkey, kak.keylen, kak.flags,
583 pr_debug("apqns_for_key()=%d\n", rc);
584 kfree_sensitive(kkey);
585 if (rc && rc != -ENOSPC) {
589 if (!rc && kak.apqns) {
590 if (nr_apqns > kak.apqn_entries) {
594 len = nr_apqns * sizeof(struct pkey_apqn);
596 if (copy_to_user(kak.apqns, apqns, len)) {
602 kak.apqn_entries = nr_apqns;
603 if (copy_to_user(uak, &kak, sizeof(kak)))
610 static int pkey_ioctl_apqns4kt(struct pkey_apqns4keytype __user *uat)
612 struct pkey_apqn *apqns = NULL;
613 struct pkey_apqns4keytype kat;
614 size_t nr_apqns, len;
617 if (copy_from_user(&kat, uat, sizeof(kat)))
619 nr_apqns = kat.apqn_entries;
621 apqns = kmalloc_array(nr_apqns,
622 sizeof(struct pkey_apqn),
627 rc = pkey_handler_apqns_for_keytype(kat.type,
628 kat.cur_mkvp, kat.alt_mkvp,
629 kat.flags, apqns, &nr_apqns);
630 pr_debug("apqns_for_keytype()=%d\n", rc);
631 if (rc && rc != -ENOSPC) {
635 if (!rc && kat.apqns) {
636 if (nr_apqns > kat.apqn_entries) {
640 len = nr_apqns * sizeof(struct pkey_apqn);
642 if (copy_to_user(kat.apqns, apqns, len)) {
648 kat.apqn_entries = nr_apqns;
649 if (copy_to_user(uat, &kat, sizeof(kat)))
656 static int pkey_ioctl_kblob2protk3(struct pkey_kblob2pkey3 __user *utp)
658 u32 protkeylen = PROTKEYBLOBBUFSIZE;
659 struct pkey_apqn *apqns = NULL;
660 struct pkey_kblob2pkey3 ktp;
664 if (copy_from_user(&ktp, utp, sizeof(ktp)))
666 apqns = _copy_apqns_from_user(ktp.apqns, ktp.apqn_entries);
668 return PTR_ERR(apqns);
669 kkey = _copy_key_from_user(ktp.key, ktp.keylen);
672 return PTR_ERR(kkey);
674 protkey = kmalloc(protkeylen, GFP_KERNEL);
677 kfree_sensitive(kkey);
680 rc = key2protkey(apqns, ktp.apqn_entries, kkey, ktp.keylen,
681 protkey, &protkeylen, &ktp.pkeytype);
682 pr_debug("key2protkey()=%d\n", rc);
684 kfree_sensitive(kkey);
686 kfree_sensitive(protkey);
689 if (ktp.pkey && ktp.pkeylen) {
690 if (protkeylen > ktp.pkeylen) {
691 kfree_sensitive(protkey);
694 if (copy_to_user(ktp.pkey, protkey, protkeylen)) {
695 kfree_sensitive(protkey);
699 kfree_sensitive(protkey);
700 ktp.pkeylen = protkeylen;
701 if (copy_to_user(utp, &ktp, sizeof(ktp)))
707 static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
714 rc = pkey_ioctl_genseck((struct pkey_genseck __user *)arg);
717 rc = pkey_ioctl_clr2seck((struct pkey_clr2seck __user *)arg);
720 rc = pkey_ioctl_sec2protk((struct pkey_sec2protk __user *)arg);
723 rc = pkey_ioctl_clr2protk((struct pkey_clr2protk __user *)arg);
726 rc = pkey_ioctl_findcard((struct pkey_findcard __user *)arg);
729 rc = pkey_ioctl_skey2pkey((struct pkey_skey2pkey __user *)arg);
732 rc = pkey_ioctl_verifykey((struct pkey_verifykey __user *)arg);
735 rc = pkey_ioctl_genprotk((struct pkey_genprotk __user *)arg);
737 case PKEY_VERIFYPROTK:
738 rc = pkey_ioctl_verifyprotk((struct pkey_verifyprotk __user *)arg);
740 case PKEY_KBLOB2PROTK:
741 rc = pkey_ioctl_kblob2protk((struct pkey_kblob2pkey __user *)arg);
744 rc = pkey_ioctl_genseck2((struct pkey_genseck2 __user *)arg);
747 rc = pkey_ioctl_clr2seck2((struct pkey_clr2seck2 __user *)arg);
749 case PKEY_VERIFYKEY2:
750 rc = pkey_ioctl_verifykey2((struct pkey_verifykey2 __user *)arg);
752 case PKEY_KBLOB2PROTK2:
753 rc = pkey_ioctl_kblob2protk2((struct pkey_kblob2pkey2 __user *)arg);
756 rc = pkey_ioctl_apqns4k((struct pkey_apqns4key __user *)arg);
759 rc = pkey_ioctl_apqns4kt((struct pkey_apqns4keytype __user *)arg);
761 case PKEY_KBLOB2PROTK3:
762 rc = pkey_ioctl_kblob2protk3((struct pkey_kblob2pkey3 __user *)arg);
765 /* unknown/unsupported ioctl cmd */
776 static const struct file_operations pkey_fops = {
777 .owner = THIS_MODULE,
778 .open = nonseekable_open,
779 .unlocked_ioctl = pkey_unlocked_ioctl,
782 static struct miscdevice pkey_dev = {
784 .minor = MISC_DYNAMIC_MINOR,
787 .groups = pkey_attr_groups,
790 int __init pkey_api_init(void)
792 /* register as a misc device */
793 return misc_register(&pkey_dev);
796 void __exit pkey_api_exit(void)
798 misc_deregister(&pkey_dev);
projects / J-linux.git / blob