1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2019
7 * Collection of CCA misc functions used by zcrypt and pkey
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
26 /* Size of parameter block used for all cca requests/replies */
29 /* Size of vardata block used for some of the cca requests/replies */
30 #define VARDATASIZE 4096
32 struct cca_info_list_entry {
33 struct list_head list;
39 /* a list with cca_info_list_entry entries */
40 static LIST_HEAD(cca_info_list);
41 static DEFINE_SPINLOCK(cca_info_list_lock);
44 * Simple check if the token is a valid CCA secure AES data key
45 * token. If keybitsize is given, the bitsize of the key is
46 * also checked. Returns 0 on success or errno value on failure.
48 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
49 const u8 *token, int keybitsize)
51 struct secaeskeytoken *t = (struct secaeskeytoken *)token;
53 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
55 if (t->type != TOKTYPE_CCA_INTERNAL) {
57 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
58 __func__, (int)t->type, TOKTYPE_CCA_INTERNAL);
61 if (t->version != TOKVER_CCA_AES) {
63 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
64 __func__, (int)t->version, TOKVER_CCA_AES);
67 if (keybitsize > 0 && t->bitsize != keybitsize) {
69 DBF("%s token check failed, bitsize %d != %d\n",
70 __func__, (int)t->bitsize, keybitsize);
78 EXPORT_SYMBOL(cca_check_secaeskeytoken);
81 * Simple check if the token is a valid CCA secure AES cipher key
82 * token. If keybitsize is given, the bitsize of the key is
83 * also checked. If checkcpacfexport is enabled, the key is also
84 * checked for the export flag to allow CPACF export.
85 * Returns 0 on success or errno value on failure.
87 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
88 const u8 *token, int keybitsize,
91 struct cipherkeytoken *t = (struct cipherkeytoken *)token;
92 bool keybitsizeok = true;
94 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
96 if (t->type != TOKTYPE_CCA_INTERNAL) {
98 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
99 __func__, (int)t->type, TOKTYPE_CCA_INTERNAL);
102 if (t->version != TOKVER_CCA_VLSC) {
104 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
105 __func__, (int)t->version, TOKVER_CCA_VLSC);
108 if (t->algtype != 0x02) {
110 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
111 __func__, (int)t->algtype);
114 if (t->keytype != 0x0001) {
116 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
117 __func__, (int)t->keytype);
120 if (t->plfver != 0x00 && t->plfver != 0x01) {
122 DBF("%s token check failed, unknown plfver 0x%02x\n",
123 __func__, (int)t->plfver);
126 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
128 DBF("%s token check failed, unknown wpllen %d\n",
129 __func__, (int)t->wpllen);
132 if (keybitsize > 0) {
133 switch (keybitsize) {
135 if (t->wpllen != (t->plfver ? 640 : 512))
136 keybitsizeok = false;
139 if (t->wpllen != (t->plfver ? 640 : 576))
140 keybitsizeok = false;
143 if (t->wpllen != 640)
144 keybitsizeok = false;
147 keybitsizeok = false;
152 DBF("%s token check failed, bitsize %d\n",
153 __func__, keybitsize);
157 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
159 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
168 EXPORT_SYMBOL(cca_check_secaescipherkey);
171 * Simple check if the token is a valid CCA secure ECC private
172 * key token. Returns 0 on success or errno value on failure.
174 int cca_check_sececckeytoken(debug_info_t *dbg, int dbflvl,
175 const u8 *token, u32 keysize,
176 int checkcpacfexport)
178 struct eccprivkeytoken *t = (struct eccprivkeytoken *)token;
180 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
182 if (t->type != TOKTYPE_CCA_INTERNAL_PKA) {
184 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
185 __func__, (int)t->type, TOKTYPE_CCA_INTERNAL_PKA);
188 if (t->len > keysize) {
190 DBF("%s token check failed, len %d > keysize %u\n",
191 __func__, (int)t->len, keysize);
194 if (t->secid != 0x20) {
196 DBF("%s token check failed, secid 0x%02x != 0x20\n",
197 __func__, (int)t->secid);
200 if (checkcpacfexport && !(t->kutc & 0x01)) {
202 DBF("%s token check failed, XPRTCPAC bit is 0\n",
211 EXPORT_SYMBOL(cca_check_sececckeytoken);
214 * Allocate consecutive memory for request CPRB, request param
215 * block, reply CPRB and reply param block and fill in values
216 * for the common fields. Returns 0 on success or errno value
219 static int alloc_and_prep_cprbmem(size_t paramblen,
221 struct CPRBX **p_req_cprb,
222 struct CPRBX **p_rep_cprb)
225 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
226 struct CPRBX *preqcblk, *prepcblk;
229 * allocate consecutive memory for request CPRB, request param
230 * block, reply CPRB and reply param block
232 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
236 preqcblk = (struct CPRBX *)cprbmem;
237 prepcblk = (struct CPRBX *)(cprbmem + cprbplusparamblen);
239 /* fill request cprb struct */
240 preqcblk->cprb_len = sizeof(struct CPRBX);
241 preqcblk->cprb_ver_id = 0x02;
242 memcpy(preqcblk->func_id, "T2", 2);
243 preqcblk->rpl_msgbl = cprbplusparamblen;
245 preqcblk->req_parmb =
246 ((u8 __user *)preqcblk) + sizeof(struct CPRBX);
247 preqcblk->rpl_parmb =
248 ((u8 __user *)prepcblk) + sizeof(struct CPRBX);
251 *p_cprb_mem = cprbmem;
252 *p_req_cprb = preqcblk;
253 *p_rep_cprb = prepcblk;
259 * Free the cprb memory allocated with the function above.
260 * If the scrub value is not zero, the memory is filled
261 * with zeros before freeing (useful if there was some
262 * clear key material in there).
264 static void free_cprbmem(void *mem, size_t paramblen, int scrub)
267 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
272 * Helper function to prepare the xcrb struct
274 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
276 struct CPRBX *preqcblk,
277 struct CPRBX *prepcblk)
279 memset(pxcrb, 0, sizeof(*pxcrb));
280 pxcrb->agent_ID = 0x4341; /* 'CA' */
281 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
282 pxcrb->request_control_blk_length =
283 preqcblk->cprb_len + preqcblk->req_parml;
284 pxcrb->request_control_blk_addr = (void __user *)preqcblk;
285 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
286 pxcrb->reply_control_blk_addr = (void __user *)prepcblk;
290 * Generate (random) CCA AES DATA secure key.
292 int cca_genseckey(u16 cardnr, u16 domain,
293 u32 keybitsize, u8 *seckey)
298 struct CPRBX *preqcblk, *prepcblk;
299 struct ica_xcRB xcrb;
315 u8 data[SECKEYBLOBSIZE];
318 } __packed * preqparm;
329 /* ... some more data ... */
332 } __packed * prepparm;
334 /* get already prepared memory for 2 cprbs with param block each */
335 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
339 /* fill request cprb struct */
340 preqcblk->domain = domain;
342 /* fill request cprb param block with KG request */
343 preqparm = (struct kgreqparm __force *)preqcblk->req_parmb;
344 memcpy(preqparm->subfunc_code, "KG", 2);
345 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
346 preqparm->lv1.len = sizeof(struct lv1);
347 memcpy(preqparm->lv1.key_form, "OP ", 8);
348 switch (keybitsize) {
349 case PKEY_SIZE_AES_128:
350 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
352 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
354 case PKEY_SIZE_AES_192:
355 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
357 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
359 case PKEY_SIZE_AES_256:
360 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
362 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
365 ZCRYPT_DBF_ERR("%s unknown/unsupported keybitsize %d\n",
366 __func__, keybitsize);
370 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
371 preqparm->lv2.len = sizeof(struct lv2);
372 for (i = 0; i < 6; i++) {
373 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
374 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
376 preqcblk->req_parml = sizeof(struct kgreqparm);
378 /* fill xcrb struct */
379 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
381 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
382 rc = zcrypt_send_cprb(&xcrb);
384 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
385 __func__, (int)cardnr, (int)domain, rc);
389 /* check response returncode and reasoncode */
390 if (prepcblk->ccp_rtcode != 0) {
391 ZCRYPT_DBF_ERR("%s secure key generate failure, card response %d/%d\n",
393 (int)prepcblk->ccp_rtcode,
394 (int)prepcblk->ccp_rscode);
399 /* process response cprb param block */
400 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
401 prepcblk->rpl_parmb = (u8 __user *)ptr;
402 prepparm = (struct kgrepparm *)ptr;
404 /* check length of the returned secure key token */
405 seckeysize = prepparm->lv3.keyblock.toklen
406 - sizeof(prepparm->lv3.keyblock.toklen)
407 - sizeof(prepparm->lv3.keyblock.tokattr);
408 if (seckeysize != SECKEYBLOBSIZE) {
409 ZCRYPT_DBF_ERR("%s secure token size mismatch %d != %d bytes\n",
410 __func__, seckeysize, SECKEYBLOBSIZE);
415 /* check secure key token */
416 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
417 prepparm->lv3.keyblock.tok, 8 * keysize);
423 /* copy the generated secure key token */
424 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
427 free_cprbmem(mem, PARMBSIZE, 0);
430 EXPORT_SYMBOL(cca_genseckey);
433 * Generate an CCA AES DATA secure key with given key value.
435 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
436 const u8 *clrkey, u8 *seckey)
438 int rc, keysize, seckeysize;
440 struct CPRBX *preqcblk, *prepcblk;
441 struct ica_xcRB xcrb;
450 /* followed by struct lv2 */
451 } __packed * preqparm;
457 u8 data[SECKEYBLOBSIZE];
470 /* ... some more data ... */
473 } __packed * prepparm;
475 /* get already prepared memory for 2 cprbs with param block each */
476 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
480 /* fill request cprb struct */
481 preqcblk->domain = domain;
483 /* fill request cprb param block with CM request */
484 preqparm = (struct cmreqparm __force *)preqcblk->req_parmb;
485 memcpy(preqparm->subfunc_code, "CM", 2);
486 memcpy(preqparm->rule_array, "AES ", 8);
487 preqparm->rule_array_len =
488 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
489 switch (keybitsize) {
490 case PKEY_SIZE_AES_128:
491 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
494 case PKEY_SIZE_AES_192:
495 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
498 case PKEY_SIZE_AES_256:
499 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
503 ZCRYPT_DBF_ERR("%s unknown/unsupported keybitsize %d\n",
504 __func__, keybitsize);
508 preqparm->lv1.len = sizeof(struct lv1) + keysize;
509 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
510 plv2 = (struct lv2 *)(((u8 *)preqparm) + sizeof(*preqparm) + keysize);
511 plv2->len = sizeof(struct lv2);
512 plv2->keyid.len = sizeof(struct keyid);
513 plv2->keyid.attr = 0x30;
514 preqcblk->req_parml = sizeof(*preqparm) + keysize + sizeof(*plv2);
516 /* fill xcrb struct */
517 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
519 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
520 rc = zcrypt_send_cprb(&xcrb);
522 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
523 __func__, (int)cardnr, (int)domain, rc);
527 /* check response returncode and reasoncode */
528 if (prepcblk->ccp_rtcode != 0) {
529 ZCRYPT_DBF_ERR("%s clear key import failure, card response %d/%d\n",
531 (int)prepcblk->ccp_rtcode,
532 (int)prepcblk->ccp_rscode);
537 /* process response cprb param block */
538 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
539 prepcblk->rpl_parmb = (u8 __user *)ptr;
540 prepparm = (struct cmrepparm *)ptr;
542 /* check length of the returned secure key token */
543 seckeysize = prepparm->lv3.keyblock.toklen
544 - sizeof(prepparm->lv3.keyblock.toklen)
545 - sizeof(prepparm->lv3.keyblock.tokattr);
546 if (seckeysize != SECKEYBLOBSIZE) {
547 ZCRYPT_DBF_ERR("%s secure token size mismatch %d != %d bytes\n",
548 __func__, seckeysize, SECKEYBLOBSIZE);
553 /* check secure key token */
554 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
555 prepparm->lv3.keyblock.tok, 8 * keysize);
561 /* copy the generated secure key token */
563 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
566 free_cprbmem(mem, PARMBSIZE, 1);
569 EXPORT_SYMBOL(cca_clr2seckey);
572 * Derive proteced key from an CCA AES DATA secure key.
574 int cca_sec2protkey(u16 cardnr, u16 domain,
575 const u8 *seckey, u8 *protkey, u32 *protkeylen,
580 struct CPRBX *preqcblk, *prepcblk;
581 struct ica_xcRB xcrb;
594 u8 token[]; /* cca secure key token */
596 } __packed * preqparm;
604 struct cpacfkeyblock {
605 u8 version; /* version of this struct */
611 u8 key[64]; /* the key (len bytes) */
616 u8 vp[32]; /* verification pattern */
619 } __packed * prepparm;
621 /* get already prepared memory for 2 cprbs with param block each */
622 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
626 /* fill request cprb struct */
627 preqcblk->domain = domain;
629 /* fill request cprb param block with USK request */
630 preqparm = (struct uskreqparm __force *)preqcblk->req_parmb;
631 memcpy(preqparm->subfunc_code, "US", 2);
632 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
633 preqparm->lv1.len = sizeof(struct lv1);
634 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
635 preqparm->lv1.attr_flags = 0x0001;
636 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
637 preqparm->lv2.attr_len = sizeof(struct lv2)
638 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
639 preqparm->lv2.attr_flags = 0x0000;
640 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
641 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
643 /* fill xcrb struct */
644 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
646 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
647 rc = zcrypt_send_cprb(&xcrb);
649 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
650 __func__, (int)cardnr, (int)domain, rc);
654 /* check response returncode and reasoncode */
655 if (prepcblk->ccp_rtcode != 0) {
656 ZCRYPT_DBF_ERR("%s unwrap secure key failure, card response %d/%d\n",
658 (int)prepcblk->ccp_rtcode,
659 (int)prepcblk->ccp_rscode);
660 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
666 if (prepcblk->ccp_rscode != 0) {
667 ZCRYPT_DBF_WARN("%s unwrap secure key warning, card response %d/%d\n",
669 (int)prepcblk->ccp_rtcode,
670 (int)prepcblk->ccp_rscode);
673 /* process response cprb param block */
674 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
675 prepcblk->rpl_parmb = (u8 __user *)ptr;
676 prepparm = (struct uskrepparm *)ptr;
678 /* check the returned keyblock */
679 if (prepparm->lv3.ckb.version != 0x01 &&
680 prepparm->lv3.ckb.version != 0x02) {
681 ZCRYPT_DBF_ERR("%s reply param keyblock version mismatch 0x%02x\n",
682 __func__, (int)prepparm->lv3.ckb.version);
687 /* copy the translated protected key */
688 switch (prepparm->lv3.ckb.len) {
690 /* AES 128 protected key */
692 *protkeytype = PKEY_KEYTYPE_AES_128;
695 /* AES 192 protected key */
697 *protkeytype = PKEY_KEYTYPE_AES_192;
700 /* AES 256 protected key */
702 *protkeytype = PKEY_KEYTYPE_AES_256;
705 ZCRYPT_DBF_ERR("%s unknown/unsupported keylen %d\n",
706 __func__, prepparm->lv3.ckb.len);
710 memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
712 *protkeylen = prepparm->lv3.ckb.len;
715 free_cprbmem(mem, PARMBSIZE, 0);
718 EXPORT_SYMBOL(cca_sec2protkey);
721 * AES cipher key skeleton created with CSNBKTB2 with these flags:
722 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
723 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
724 * used by cca_gencipherkey() and cca_clr2cipherkey().
726 static const u8 aes_cipher_key_skeleton[] = {
727 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
731 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
732 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
733 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
734 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
737 * Generate (random) CCA AES CIPHER secure key.
739 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
740 u8 *keybuf, u32 *keybufsize)
744 struct CPRBX *preqcblk, *prepcblk;
745 struct ica_xcRB xcrb;
749 char rule_array[2 * 8];
754 u16 clear_key_bit_len;
759 /* u8 key_name_1[]; */
760 /* u8 key_name_2[]; */
761 /* u8 user_data_1[]; */
762 /* u8 user_data_2[]; */
779 u8 gen_key_id_1[SIZEOF_SKELETON];
784 /* u8 gen_key_id_1_label[]; */
789 /* u8 gen_key_id_2[]; */
794 /* u8 gen_key_id_2_label[]; */
797 } __packed * preqparm;
809 u8 gen_key[]; /* 120-136 bytes */
812 } __packed * prepparm;
813 struct cipherkeytoken *t;
815 /* get already prepared memory for 2 cprbs with param block each */
816 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
820 /* fill request cprb struct */
821 preqcblk->domain = domain;
822 preqcblk->req_parml = sizeof(struct gkreqparm);
824 /* prepare request param block with GK request */
825 preqparm = (struct gkreqparm __force *)preqcblk->req_parmb;
826 memcpy(preqparm->subfunc_code, "GK", 2);
827 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
828 memcpy(preqparm->rule_array, "AES OP ", 2 * 8);
830 /* prepare vud block */
831 preqparm->vud.len = sizeof(preqparm->vud);
832 switch (keybitsize) {
838 ZCRYPT_DBF_ERR("%s unknown/unsupported keybitsize %d\n",
839 __func__, keybitsize);
843 preqparm->vud.clear_key_bit_len = keybitsize;
844 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
845 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
847 /* prepare kb block */
848 preqparm->kb.len = sizeof(preqparm->kb);
849 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
850 preqparm->kb.tlv1.flag = 0x0030;
851 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
852 preqparm->kb.tlv2.flag = 0x0030;
853 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
854 preqparm->kb.tlv3.flag = 0x0030;
855 memcpy(preqparm->kb.tlv3.gen_key_id_1,
856 aes_cipher_key_skeleton, SIZEOF_SKELETON);
857 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
858 preqparm->kb.tlv4.flag = 0x0030;
859 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
860 preqparm->kb.tlv5.flag = 0x0030;
861 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
862 preqparm->kb.tlv6.flag = 0x0030;
864 /* patch the skeleton key token export flags inside the kb block */
866 t = (struct cipherkeytoken *)preqparm->kb.tlv3.gen_key_id_1;
867 t->kmf1 |= (u16)(keygenflags & 0x0000FF00);
868 t->kmf1 &= (u16)~(keygenflags & 0x000000FF);
871 /* prepare xcrb struct */
872 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
874 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
875 rc = zcrypt_send_cprb(&xcrb);
877 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
878 __func__, (int)cardnr, (int)domain, rc);
882 /* check response returncode and reasoncode */
883 if (prepcblk->ccp_rtcode != 0) {
884 ZCRYPT_DBF_ERR("%s cipher key generate failure, card response %d/%d\n",
886 (int)prepcblk->ccp_rtcode,
887 (int)prepcblk->ccp_rscode);
892 /* process response cprb param block */
893 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
894 prepcblk->rpl_parmb = (u8 __user *)ptr;
895 prepparm = (struct gkrepparm *)ptr;
897 /* do some plausibility checks on the key block */
898 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
899 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
900 ZCRYPT_DBF_ERR("%s reply with invalid or unknown key block\n",
906 /* and some checks on the generated key */
907 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
908 prepparm->kb.tlv1.gen_key,
915 /* copy the generated vlsc key token */
916 t = (struct cipherkeytoken *)prepparm->kb.tlv1.gen_key;
918 if (*keybufsize >= t->len)
919 memcpy(keybuf, t, t->len);
923 *keybufsize = t->len;
926 free_cprbmem(mem, PARMBSIZE, 0);
929 EXPORT_SYMBOL(cca_gencipherkey);
932 * Helper function, does a the CSNBKPI2 CPRB.
934 static int _ip_cprb_helper(u16 cardnr, u16 domain,
935 const char *rule_array_1,
936 const char *rule_array_2,
937 const char *rule_array_3,
938 const u8 *clr_key_value,
939 int clr_key_bit_size,
945 struct CPRBX *preqcblk, *prepcblk;
946 struct ica_xcRB xcrb;
947 struct rule_array_block {
951 } __packed * preq_ra_block;
956 u16 flag; /* 0x0064 */
961 u16 flag; /* 0x0063 */
962 u8 clr_key[]; /* clear key value bytes */
964 } __packed * preq_vud_block;
969 u16 flag; /* 0x0030 */
970 u8 key_token[]; /* key skeleton */
972 } __packed * preq_key_block;
983 u16 flag; /* 0x0030 */
984 u8 key_token[]; /* key token */
987 } __packed * prepparm;
988 struct cipherkeytoken *t;
989 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
991 /* get already prepared memory for 2 cprbs with param block each */
992 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
996 /* fill request cprb struct */
997 preqcblk->domain = domain;
998 preqcblk->req_parml = 0;
1000 /* prepare request param block with IP request */
1001 preq_ra_block = (struct rule_array_block __force *)preqcblk->req_parmb;
1002 memcpy(preq_ra_block->subfunc_code, "IP", 2);
1003 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
1004 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
1005 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
1006 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
1008 preq_ra_block->rule_array_len += 8;
1009 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
1010 preqcblk->req_parml += 8;
1013 /* prepare vud block */
1014 preq_vud_block = (struct vud_block __force *)
1015 (preqcblk->req_parmb + preqcblk->req_parml);
1016 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
1017 preq_vud_block->len = sizeof(struct vud_block) + n;
1018 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
1019 preq_vud_block->tlv1.flag = 0x0064;
1020 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
1021 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
1022 preq_vud_block->tlv2.flag = 0x0063;
1024 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1025 preqcblk->req_parml += preq_vud_block->len;
1027 /* prepare key block */
1028 preq_key_block = (struct key_block __force *)
1029 (preqcblk->req_parmb + preqcblk->req_parml);
1030 n = *key_token_size;
1031 preq_key_block->len = sizeof(struct key_block) + n;
1032 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1033 preq_key_block->tlv1.flag = 0x0030;
1034 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1035 preqcblk->req_parml += preq_key_block->len;
1037 /* prepare xcrb struct */
1038 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1040 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1041 rc = zcrypt_send_cprb(&xcrb);
1043 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1044 __func__, (int)cardnr, (int)domain, rc);
1048 /* check response returncode and reasoncode */
1049 if (prepcblk->ccp_rtcode != 0) {
1050 ZCRYPT_DBF_ERR("%s CSNBKPI2 failure, card response %d/%d\n",
1052 (int)prepcblk->ccp_rtcode,
1053 (int)prepcblk->ccp_rscode);
1058 /* process response cprb param block */
1059 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1060 prepcblk->rpl_parmb = (u8 __user *)ptr;
1061 prepparm = (struct iprepparm *)ptr;
1063 /* do some plausibility checks on the key block */
1064 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1065 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1066 ZCRYPT_DBF_ERR("%s reply with invalid or unknown key block\n",
1072 /* do not check the key here, it may be incomplete */
1074 /* copy the vlsc key token back */
1075 t = (struct cipherkeytoken *)prepparm->kb.tlv1.key_token;
1076 memcpy(key_token, t, t->len);
1077 *key_token_size = t->len;
1080 free_cprbmem(mem, PARMBSIZE, 0);
1085 * Build CCA AES CIPHER secure key with a given clear key value.
1087 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1088 const u8 *clrkey, u8 *keybuf, u32 *keybufsize)
1094 struct cipherkeytoken *t;
1096 /* fill exorbuf with random data */
1097 get_random_bytes(exorbuf, sizeof(exorbuf));
1099 /* allocate space for the key token to build */
1100 token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1104 /* prepare the token with the key skeleton */
1105 tokensize = SIZEOF_SKELETON;
1106 memcpy(token, aes_cipher_key_skeleton, tokensize);
1108 /* patch the skeleton key token export flags */
1110 t = (struct cipherkeytoken *)token;
1111 t->kmf1 |= (u16)(keygenflags & 0x0000FF00);
1112 t->kmf1 &= (u16)~(keygenflags & 0x000000FF);
1116 * Do the key import with the clear key value in 4 steps:
1117 * 1/4 FIRST import with only random data
1118 * 2/4 EXOR the clear key
1119 * 3/4 EXOR the very same random data again
1120 * 4/4 COMPLETE the secure cipher key import
1122 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1123 exorbuf, keybitsize, token, &tokensize);
1125 ZCRYPT_DBF_ERR("%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1129 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1130 clrkey, keybitsize, token, &tokensize);
1132 ZCRYPT_DBF_ERR("%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1136 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1137 exorbuf, keybitsize, token, &tokensize);
1139 ZCRYPT_DBF_ERR("%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1143 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1144 NULL, keybitsize, token, &tokensize);
1146 ZCRYPT_DBF_ERR("%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1151 /* copy the generated key token */
1153 if (tokensize > *keybufsize)
1156 memcpy(keybuf, token, tokensize);
1158 *keybufsize = tokensize;
1164 EXPORT_SYMBOL(cca_clr2cipherkey);
1167 * Derive proteced key from CCA AES cipher secure key.
1169 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1170 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1174 struct CPRBX *preqcblk, *prepcblk;
1175 struct ica_xcRB xcrb;
1188 u16 cca_key_token_len;
1189 u16 cca_key_token_flags;
1190 u8 cca_key_token[]; /* 64 or more */
1192 } __packed * preqparm;
1200 struct cpacfkeyblock {
1201 u8 version; /* version of this struct */
1207 u8 key[64]; /* the key (keylen bytes) */
1212 u8 vp[32]; /* verification pattern */
1218 } __packed * prepparm;
1219 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1221 /* get already prepared memory for 2 cprbs with param block each */
1222 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1226 /* fill request cprb struct */
1227 preqcblk->domain = domain;
1229 /* fill request cprb param block with AU request */
1230 preqparm = (struct aureqparm __force *)preqcblk->req_parmb;
1231 memcpy(preqparm->subfunc_code, "AU", 2);
1232 preqparm->rule_array_len =
1233 sizeof(preqparm->rule_array_len)
1234 + sizeof(preqparm->rule_array);
1235 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1237 preqparm->vud.len = sizeof(preqparm->vud);
1238 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1239 + 2 * sizeof(uint16_t);
1240 preqparm->vud.tk_blob_tag = 0x00C2;
1242 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1243 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1244 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1245 /* now fill length of param block into cprb */
1246 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1248 /* fill xcrb struct */
1249 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1251 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1252 rc = zcrypt_send_cprb(&xcrb);
1254 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1255 __func__, (int)cardnr, (int)domain, rc);
1259 /* check response returncode and reasoncode */
1260 if (prepcblk->ccp_rtcode != 0) {
1261 ZCRYPT_DBF_ERR("%s unwrap secure key failure, card response %d/%d\n",
1263 (int)prepcblk->ccp_rtcode,
1264 (int)prepcblk->ccp_rscode);
1265 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
1271 if (prepcblk->ccp_rscode != 0) {
1272 ZCRYPT_DBF_WARN("%s unwrap secure key warning, card response %d/%d\n",
1274 (int)prepcblk->ccp_rtcode,
1275 (int)prepcblk->ccp_rscode);
1278 /* process response cprb param block */
1279 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1280 prepcblk->rpl_parmb = (u8 __user *)ptr;
1281 prepparm = (struct aurepparm *)ptr;
1283 /* check the returned keyblock */
1284 if (prepparm->vud.ckb.version != 0x01 &&
1285 prepparm->vud.ckb.version != 0x02) {
1286 ZCRYPT_DBF_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1287 __func__, (int)prepparm->vud.ckb.version);
1291 if (prepparm->vud.ckb.algo != 0x02) {
1292 ZCRYPT_DBF_ERR("%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1293 __func__, (int)prepparm->vud.ckb.algo);
1298 /* copy the translated protected key */
1299 switch (prepparm->vud.ckb.keylen) {
1301 /* AES 128 protected key */
1303 *protkeytype = PKEY_KEYTYPE_AES_128;
1306 /* AES 192 protected key */
1308 *protkeytype = PKEY_KEYTYPE_AES_192;
1311 /* AES 256 protected key */
1313 *protkeytype = PKEY_KEYTYPE_AES_256;
1316 ZCRYPT_DBF_ERR("%s unknown/unsupported keylen %d\n",
1317 __func__, prepparm->vud.ckb.keylen);
1321 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1323 *protkeylen = prepparm->vud.ckb.keylen;
1326 free_cprbmem(mem, PARMBSIZE, 0);
1329 EXPORT_SYMBOL(cca_cipher2protkey);
1332 * Derive protected key from CCA ECC secure private key.
1334 int cca_ecc2protkey(u16 cardnr, u16 domain, const u8 *key,
1335 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1339 struct CPRBX *preqcblk, *prepcblk;
1340 struct ica_xcRB xcrb;
1353 u16 cca_key_token_len;
1354 u16 cca_key_token_flags;
1357 } __packed * preqparm;
1365 struct cpacfkeyblock {
1366 u8 version; /* version of this struct */
1372 u8 key[]; /* the key (keylen bytes) */
1373 /* u16 keyattrlen; */
1374 /* u8 keyattr[32]; */
1377 /* u8 vp[32]; verification pattern */
1380 /* followed by a key block */
1381 } __packed * prepparm;
1382 int keylen = ((struct eccprivkeytoken *)key)->len;
1384 /* get already prepared memory for 2 cprbs with param block each */
1385 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1389 /* fill request cprb struct */
1390 preqcblk->domain = domain;
1392 /* fill request cprb param block with AU request */
1393 preqparm = (struct aureqparm __force *)preqcblk->req_parmb;
1394 memcpy(preqparm->subfunc_code, "AU", 2);
1395 preqparm->rule_array_len =
1396 sizeof(preqparm->rule_array_len)
1397 + sizeof(preqparm->rule_array);
1398 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1400 preqparm->vud.len = sizeof(preqparm->vud);
1401 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1402 + 2 * sizeof(uint16_t);
1403 preqparm->vud.tk_blob_tag = 0x00C2;
1405 preqparm->kb.len = keylen + 3 * sizeof(uint16_t);
1406 preqparm->kb.cca_key_token_len = keylen + 2 * sizeof(uint16_t);
1407 memcpy(preqparm->kb.cca_key_token, key, keylen);
1408 /* now fill length of param block into cprb */
1409 preqcblk->req_parml = sizeof(struct aureqparm) + keylen;
1411 /* fill xcrb struct */
1412 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1414 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1415 rc = zcrypt_send_cprb(&xcrb);
1417 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1418 __func__, (int)cardnr, (int)domain, rc);
1422 /* check response returncode and reasoncode */
1423 if (prepcblk->ccp_rtcode != 0) {
1424 ZCRYPT_DBF_ERR("%s unwrap secure key failure, card response %d/%d\n",
1426 (int)prepcblk->ccp_rtcode,
1427 (int)prepcblk->ccp_rscode);
1428 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
1434 if (prepcblk->ccp_rscode != 0) {
1435 ZCRYPT_DBF_WARN("%s unwrap secure key warning, card response %d/%d\n",
1437 (int)prepcblk->ccp_rtcode,
1438 (int)prepcblk->ccp_rscode);
1441 /* process response cprb param block */
1442 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1443 prepcblk->rpl_parmb = (u8 __user *)ptr;
1444 prepparm = (struct aurepparm *)ptr;
1446 /* check the returned keyblock */
1447 if (prepparm->vud.ckb.version != 0x02) {
1448 ZCRYPT_DBF_ERR("%s reply param keyblock version mismatch 0x%02x != 0x02\n",
1449 __func__, (int)prepparm->vud.ckb.version);
1453 if (prepparm->vud.ckb.algo != 0x81) {
1454 ZCRYPT_DBF_ERR("%s reply param keyblock algo mismatch 0x%02x != 0x81\n",
1455 __func__, (int)prepparm->vud.ckb.algo);
1460 /* copy the translated protected key */
1461 if (prepparm->vud.ckb.keylen > *protkeylen) {
1462 ZCRYPT_DBF_ERR("%s prot keylen mismatch %d > buffersize %u\n",
1463 __func__, prepparm->vud.ckb.keylen, *protkeylen);
1467 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1468 *protkeylen = prepparm->vud.ckb.keylen;
1470 *protkeytype = PKEY_KEYTYPE_ECC;
1473 free_cprbmem(mem, PARMBSIZE, 0);
1476 EXPORT_SYMBOL(cca_ecc2protkey);
1479 * query cryptographic facility from CCA adapter
1481 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1482 const char *keyword,
1483 u8 *rarray, size_t *rarraylen,
1484 u8 *varray, size_t *varraylen)
1489 struct CPRBX *preqcblk, *prepcblk;
1490 struct ica_xcRB xcrb;
1497 u8 data[VARDATASIZE];
1500 } __packed * preqparm;
1501 size_t parmbsize = sizeof(struct fqreqparm);
1505 } __packed * prepparm;
1507 /* get already prepared memory for 2 cprbs with param block each */
1508 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1512 /* fill request cprb struct */
1513 preqcblk->domain = domain;
1515 /* fill request cprb param block with FQ request */
1516 preqparm = (struct fqreqparm __force *)preqcblk->req_parmb;
1517 memcpy(preqparm->subfunc_code, "FQ", 2);
1518 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1519 preqparm->rule_array_len =
1520 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1521 preqparm->lv1.len = sizeof(preqparm->lv1);
1522 preqparm->dummylen = sizeof(preqparm->dummylen);
1523 preqcblk->req_parml = parmbsize;
1525 /* fill xcrb struct */
1526 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1528 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1529 rc = zcrypt_send_cprb(&xcrb);
1531 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1532 __func__, (int)cardnr, (int)domain, rc);
1536 /* check response returncode and reasoncode */
1537 if (prepcblk->ccp_rtcode != 0) {
1538 ZCRYPT_DBF_ERR("%s unwrap secure key failure, card response %d/%d\n",
1540 (int)prepcblk->ccp_rtcode,
1541 (int)prepcblk->ccp_rscode);
1546 /* process response cprb param block */
1547 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1548 prepcblk->rpl_parmb = (u8 __user *)ptr;
1549 prepparm = (struct fqrepparm *)ptr;
1550 ptr = prepparm->lvdata;
1552 /* check and possibly copy reply rule array */
1553 len = *((u16 *)ptr);
1554 if (len > sizeof(u16)) {
1557 if (rarray && rarraylen && *rarraylen > 0) {
1558 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1559 memcpy(rarray, ptr, *rarraylen);
1563 /* check and possible copy reply var array */
1564 len = *((u16 *)ptr);
1565 if (len > sizeof(u16)) {
1568 if (varray && varraylen && *varraylen > 0) {
1569 *varraylen = (len > *varraylen ? *varraylen : len);
1570 memcpy(varray, ptr, *varraylen);
1576 free_cprbmem(mem, parmbsize, 0);
1579 EXPORT_SYMBOL(cca_query_crypto_facility);
1581 static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
1584 struct cca_info_list_entry *ptr;
1586 spin_lock_bh(&cca_info_list_lock);
1587 list_for_each_entry(ptr, &cca_info_list, list) {
1588 if (ptr->cardnr == cardnr && ptr->domain == domain) {
1589 memcpy(ci, &ptr->info, sizeof(*ci));
1594 spin_unlock_bh(&cca_info_list_lock);
1599 static void cca_info_cache_update(u16 cardnr, u16 domain,
1600 const struct cca_info *ci)
1603 struct cca_info_list_entry *ptr;
1605 spin_lock_bh(&cca_info_list_lock);
1606 list_for_each_entry(ptr, &cca_info_list, list) {
1607 if (ptr->cardnr == cardnr &&
1608 ptr->domain == domain) {
1609 memcpy(&ptr->info, ci, sizeof(*ci));
1615 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1617 spin_unlock_bh(&cca_info_list_lock);
1620 ptr->cardnr = cardnr;
1621 ptr->domain = domain;
1622 memcpy(&ptr->info, ci, sizeof(*ci));
1623 list_add(&ptr->list, &cca_info_list);
1625 spin_unlock_bh(&cca_info_list_lock);
1628 static void cca_info_cache_scrub(u16 cardnr, u16 domain)
1630 struct cca_info_list_entry *ptr;
1632 spin_lock_bh(&cca_info_list_lock);
1633 list_for_each_entry(ptr, &cca_info_list, list) {
1634 if (ptr->cardnr == cardnr &&
1635 ptr->domain == domain) {
1636 list_del(&ptr->list);
1641 spin_unlock_bh(&cca_info_list_lock);
1644 static void __exit mkvp_cache_free(void)
1646 struct cca_info_list_entry *ptr, *pnext;
1648 spin_lock_bh(&cca_info_list_lock);
1649 list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
1650 list_del(&ptr->list);
1653 spin_unlock_bh(&cca_info_list_lock);
1657 * Fetch cca_info values via query_crypto_facility from adapter.
1659 static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
1663 u8 *rarray, *varray, *pg;
1664 struct zcrypt_device_status_ext devstat;
1666 memset(ci, 0, sizeof(*ci));
1668 /* get first info from zcrypt device driver about this apqn */
1669 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1672 ci->hwtype = devstat.hwtype;
1674 /* prep page for rule array and var array use */
1675 pg = (u8 *)__get_free_page(GFP_KERNEL);
1679 varray = pg + PAGE_SIZE / 2;
1680 rlen = vlen = PAGE_SIZE / 2;
1682 /* QF for this card/domain */
1683 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1684 rarray, &rlen, varray, &vlen);
1685 if (rc == 0 && rlen >= 10 * 8 && vlen >= 204) {
1686 memcpy(ci->serial, rarray, 8);
1687 ci->new_asym_mk_state = (char)rarray[4 * 8];
1688 ci->cur_asym_mk_state = (char)rarray[5 * 8];
1689 ci->old_asym_mk_state = (char)rarray[6 * 8];
1690 if (ci->old_asym_mk_state == '2')
1691 memcpy(ci->old_asym_mkvp, varray + 64, 16);
1692 if (ci->cur_asym_mk_state == '2')
1693 memcpy(ci->cur_asym_mkvp, varray + 84, 16);
1694 if (ci->new_asym_mk_state == '3')
1695 memcpy(ci->new_asym_mkvp, varray + 104, 16);
1696 ci->new_aes_mk_state = (char)rarray[7 * 8];
1697 ci->cur_aes_mk_state = (char)rarray[8 * 8];
1698 ci->old_aes_mk_state = (char)rarray[9 * 8];
1699 if (ci->old_aes_mk_state == '2')
1700 memcpy(&ci->old_aes_mkvp, varray + 172, 8);
1701 if (ci->cur_aes_mk_state == '2')
1702 memcpy(&ci->cur_aes_mkvp, varray + 184, 8);
1703 if (ci->new_aes_mk_state == '3')
1704 memcpy(&ci->new_aes_mkvp, varray + 196, 8);
1709 rlen = vlen = PAGE_SIZE / 2;
1710 rc = cca_query_crypto_facility(cardnr, domain, "STATICSB",
1711 rarray, &rlen, varray, &vlen);
1712 if (rc == 0 && rlen >= 13 * 8 && vlen >= 240) {
1713 ci->new_apka_mk_state = (char)rarray[10 * 8];
1714 ci->cur_apka_mk_state = (char)rarray[11 * 8];
1715 ci->old_apka_mk_state = (char)rarray[12 * 8];
1716 if (ci->old_apka_mk_state == '2')
1717 memcpy(&ci->old_apka_mkvp, varray + 208, 8);
1718 if (ci->cur_apka_mk_state == '2')
1719 memcpy(&ci->cur_apka_mkvp, varray + 220, 8);
1720 if (ci->new_apka_mk_state == '3')
1721 memcpy(&ci->new_apka_mkvp, varray + 232, 8);
1726 free_page((unsigned long)pg);
1727 return found == 2 ? 0 : -ENOENT;
1731 * Fetch cca information about a CCA queue.
1733 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1737 rc = cca_info_cache_fetch(card, dom, ci);
1739 rc = fetch_cca_info(card, dom, ci);
1741 cca_info_cache_update(card, dom, ci);
1746 EXPORT_SYMBOL(cca_get_info);
1749 * Search for a matching crypto card based on the
1750 * Master Key Verification Pattern given.
1752 static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1753 int verify, int minhwtype)
1755 struct zcrypt_device_status_ext *device_status;
1760 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1761 if (mkvp == 0 || minhwtype < 0)
1764 /* fetch status of all crypto cards */
1765 device_status = kvcalloc(MAX_ZDEV_ENTRIES_EXT,
1766 sizeof(struct zcrypt_device_status_ext),
1770 zcrypt_device_status_mask_ext(device_status);
1772 /* walk through all crypto cards */
1773 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1774 card = AP_QID_CARD(device_status[i].qid);
1775 dom = AP_QID_QUEUE(device_status[i].qid);
1776 if (device_status[i].online &&
1777 device_status[i].functions & 0x04) {
1778 /* enabled CCA card, check current mkvp from cache */
1779 if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
1780 ci.hwtype >= minhwtype &&
1781 ci.cur_aes_mk_state == '2' &&
1782 ci.cur_aes_mkvp == mkvp) {
1785 /* verify: refresh card info */
1786 if (fetch_cca_info(card, dom, &ci) == 0) {
1787 cca_info_cache_update(card, dom, &ci);
1788 if (ci.hwtype >= minhwtype &&
1789 ci.cur_aes_mk_state == '2' &&
1790 ci.cur_aes_mkvp == mkvp)
1795 /* Card is offline and/or not a CCA card. */
1796 /* del mkvp entry from cache if it exists */
1797 cca_info_cache_scrub(card, dom);
1800 if (i >= MAX_ZDEV_ENTRIES_EXT) {
1801 /* nothing found, so this time without cache */
1802 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1803 if (!(device_status[i].online &&
1804 device_status[i].functions & 0x04))
1806 card = AP_QID_CARD(device_status[i].qid);
1807 dom = AP_QID_QUEUE(device_status[i].qid);
1808 /* fresh fetch mkvp from adapter */
1809 if (fetch_cca_info(card, dom, &ci) == 0) {
1810 cca_info_cache_update(card, dom, &ci);
1811 if (ci.hwtype >= minhwtype &&
1812 ci.cur_aes_mk_state == '2' &&
1813 ci.cur_aes_mkvp == mkvp)
1815 if (ci.hwtype >= minhwtype &&
1816 ci.old_aes_mk_state == '2' &&
1817 ci.old_aes_mkvp == mkvp &&
1822 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1823 /* old mkvp matched, use this card then */
1824 card = AP_QID_CARD(device_status[oi].qid);
1825 dom = AP_QID_QUEUE(device_status[oi].qid);
1828 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1833 rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1838 kvfree(device_status);
1843 * Search for a matching crypto card based on the Master Key
1844 * Verification Pattern provided inside a secure key token.
1846 int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1850 const struct keytoken_header *hdr = (struct keytoken_header *)key;
1852 if (hdr->type != TOKTYPE_CCA_INTERNAL)
1855 switch (hdr->version) {
1856 case TOKVER_CCA_AES:
1857 mkvp = ((struct secaeskeytoken *)key)->mkvp;
1859 case TOKVER_CCA_VLSC:
1860 mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1861 minhwtype = AP_DEVICE_TYPE_CEX6;
1867 return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
1869 EXPORT_SYMBOL(cca_findcard);
1871 int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1872 int minhwtype, int mktype, u64 cur_mkvp, u64 old_mkvp,
1875 struct zcrypt_device_status_ext *device_status;
1876 u32 *_apqns = NULL, _nr_apqns = 0;
1877 int i, card, dom, curmatch, oldmatch, rc = 0;
1880 /* fetch status of all crypto cards */
1881 device_status = kvcalloc(MAX_ZDEV_ENTRIES_EXT,
1882 sizeof(struct zcrypt_device_status_ext),
1886 zcrypt_device_status_mask_ext(device_status);
1888 /* allocate 1k space for up to 256 apqns */
1889 _apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL);
1891 kvfree(device_status);
1895 /* walk through all the crypto apqnss */
1896 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1897 card = AP_QID_CARD(device_status[i].qid);
1898 dom = AP_QID_QUEUE(device_status[i].qid);
1899 /* check online state */
1900 if (!device_status[i].online)
1902 /* check for cca functions */
1903 if (!(device_status[i].functions & 0x04))
1906 if (cardnr != 0xFFFF && card != cardnr)
1909 if (domain != 0xFFFF && dom != domain)
1911 /* get cca info on this apqn */
1912 if (cca_get_info(card, dom, &ci, verify))
1914 /* current master key needs to be valid */
1915 if (mktype == AES_MK_SET && ci.cur_aes_mk_state != '2')
1917 if (mktype == APKA_MK_SET && ci.cur_apka_mk_state != '2')
1919 /* check min hardware type */
1920 if (minhwtype > 0 && minhwtype > ci.hwtype)
1922 if (cur_mkvp || old_mkvp) {
1924 curmatch = oldmatch = 0;
1925 if (mktype == AES_MK_SET) {
1926 if (cur_mkvp && cur_mkvp == ci.cur_aes_mkvp)
1928 if (old_mkvp && ci.old_aes_mk_state == '2' &&
1929 old_mkvp == ci.old_aes_mkvp)
1932 if (cur_mkvp && cur_mkvp == ci.cur_apka_mkvp)
1934 if (old_mkvp && ci.old_apka_mk_state == '2' &&
1935 old_mkvp == ci.old_apka_mkvp)
1938 if (curmatch + oldmatch < 1)
1941 /* apqn passed all filtering criterons, add to the array */
1942 if (_nr_apqns < 256)
1943 _apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16)dom);
1946 /* nothing found ? */
1951 /* no re-allocation, simple return the _apqns array */
1953 *nr_apqns = _nr_apqns;
1957 kvfree(device_status);
1960 EXPORT_SYMBOL(cca_findcard2);
1962 void __exit zcrypt_ccamisc_exit(void)
projects / J-linux.git / blob