1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2019
7 * Collection of CCA misc functions used by zcrypt and pkey
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
26 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
31 /* Size of parameter block used for all cca requests/replies */
34 /* Size of vardata block used for some of the cca requests/replies */
35 #define VARDATASIZE 4096
37 struct cca_info_list_entry {
38 struct list_head list;
44 /* a list with cca_info_list_entry entries */
45 static LIST_HEAD(cca_info_list);
46 static DEFINE_SPINLOCK(cca_info_list_lock);
49 * Simple check if the token is a valid CCA secure AES data key
50 * token. If keybitsize is given, the bitsize of the key is
51 * also checked. Returns 0 on success or errno value on failure.
53 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
54 const u8 *token, int keybitsize)
56 struct secaeskeytoken *t = (struct secaeskeytoken *) token;
58 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
60 if (t->type != TOKTYPE_CCA_INTERNAL) {
62 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
66 if (t->version != TOKVER_CCA_AES) {
68 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 __func__, (int) t->version, TOKVER_CCA_AES);
72 if (keybitsize > 0 && t->bitsize != keybitsize) {
74 DBF("%s token check failed, bitsize %d != %d\n",
75 __func__, (int) t->bitsize, keybitsize);
83 EXPORT_SYMBOL(cca_check_secaeskeytoken);
86 * Simple check if the token is a valid CCA secure AES cipher key
87 * token. If keybitsize is given, the bitsize of the key is
88 * also checked. If checkcpacfexport is enabled, the key is also
89 * checked for the export flag to allow CPACF export.
90 * Returns 0 on success or errno value on failure.
92 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
93 const u8 *token, int keybitsize,
96 struct cipherkeytoken *t = (struct cipherkeytoken *) token;
97 bool keybitsizeok = true;
99 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
101 if (t->type != TOKTYPE_CCA_INTERNAL) {
103 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
107 if (t->version != TOKVER_CCA_VLSC) {
109 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 __func__, (int) t->version, TOKVER_CCA_VLSC);
113 if (t->algtype != 0x02) {
115 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 __func__, (int) t->algtype);
119 if (t->keytype != 0x0001) {
121 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 __func__, (int) t->keytype);
125 if (t->plfver != 0x00 && t->plfver != 0x01) {
127 DBF("%s token check failed, unknown plfver 0x%02x\n",
128 __func__, (int) t->plfver);
131 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
133 DBF("%s token check failed, unknown wpllen %d\n",
134 __func__, (int) t->wpllen);
137 if (keybitsize > 0) {
138 switch (keybitsize) {
140 if (t->wpllen != (t->plfver ? 640 : 512))
141 keybitsizeok = false;
144 if (t->wpllen != (t->plfver ? 640 : 576))
145 keybitsizeok = false;
148 if (t->wpllen != 640)
149 keybitsizeok = false;
152 keybitsizeok = false;
157 DBF("%s token check failed, bitsize %d\n",
158 __func__, keybitsize);
162 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
164 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
173 EXPORT_SYMBOL(cca_check_secaescipherkey);
176 * Allocate consecutive memory for request CPRB, request param
177 * block, reply CPRB and reply param block and fill in values
178 * for the common fields. Returns 0 on success or errno value
181 static int alloc_and_prep_cprbmem(size_t paramblen,
183 struct CPRBX **preqCPRB,
184 struct CPRBX **prepCPRB)
187 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
188 struct CPRBX *preqcblk, *prepcblk;
191 * allocate consecutive memory for request CPRB, request param
192 * block, reply CPRB and reply param block
194 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
198 preqcblk = (struct CPRBX *) cprbmem;
199 prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen);
201 /* fill request cprb struct */
202 preqcblk->cprb_len = sizeof(struct CPRBX);
203 preqcblk->cprb_ver_id = 0x02;
204 memcpy(preqcblk->func_id, "T2", 2);
205 preqcblk->rpl_msgbl = cprbplusparamblen;
207 preqcblk->req_parmb =
208 ((u8 __user *) preqcblk) + sizeof(struct CPRBX);
209 preqcblk->rpl_parmb =
210 ((u8 __user *) prepcblk) + sizeof(struct CPRBX);
214 *preqCPRB = preqcblk;
215 *prepCPRB = prepcblk;
221 * Free the cprb memory allocated with the function above.
222 * If the scrub value is not zero, the memory is filled
223 * with zeros before freeing (useful if there was some
224 * clear key material in there).
226 static void free_cprbmem(void *mem, size_t paramblen, int scrub)
229 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
234 * Helper function to prepare the xcrb struct
236 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
238 struct CPRBX *preqcblk,
239 struct CPRBX *prepcblk)
241 memset(pxcrb, 0, sizeof(*pxcrb));
242 pxcrb->agent_ID = 0x4341; /* 'CA' */
243 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
244 pxcrb->request_control_blk_length =
245 preqcblk->cprb_len + preqcblk->req_parml;
246 pxcrb->request_control_blk_addr = (void __user *) preqcblk;
247 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
248 pxcrb->reply_control_blk_addr = (void __user *) prepcblk;
252 * Helper function which calls zcrypt_send_cprb with
253 * memory management segment adjusted to kernel space
254 * so that the copy_from_user called within this
255 * function do in fact copy from kernel space.
257 static inline int _zcrypt_send_cprb(struct ica_xcRB *xcrb)
260 mm_segment_t old_fs = get_fs();
263 rc = zcrypt_send_cprb(xcrb);
270 * Generate (random) CCA AES DATA secure key.
272 int cca_genseckey(u16 cardnr, u16 domain,
273 u32 keybitsize, u8 seckey[SECKEYBLOBSIZE])
278 struct CPRBX *preqcblk, *prepcblk;
279 struct ica_xcRB xcrb;
295 u8 data[SECKEYBLOBSIZE];
298 } __packed * preqparm;
309 /* ... some more data ... */
312 } __packed * prepparm;
314 /* get already prepared memory for 2 cprbs with param block each */
315 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
319 /* fill request cprb struct */
320 preqcblk->domain = domain;
322 /* fill request cprb param block with KG request */
323 preqparm = (struct kgreqparm __force *) preqcblk->req_parmb;
324 memcpy(preqparm->subfunc_code, "KG", 2);
325 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
326 preqparm->lv1.len = sizeof(struct lv1);
327 memcpy(preqparm->lv1.key_form, "OP ", 8);
328 switch (keybitsize) {
329 case PKEY_SIZE_AES_128:
330 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
332 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
334 case PKEY_SIZE_AES_192:
335 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
337 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
339 case PKEY_SIZE_AES_256:
340 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
342 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
345 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
346 __func__, keybitsize);
350 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
351 preqparm->lv2.len = sizeof(struct lv2);
352 for (i = 0; i < 6; i++) {
353 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
354 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
356 preqcblk->req_parml = sizeof(struct kgreqparm);
358 /* fill xcrb struct */
359 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
361 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
362 rc = _zcrypt_send_cprb(&xcrb);
364 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
365 __func__, (int) cardnr, (int) domain, rc);
369 /* check response returncode and reasoncode */
370 if (prepcblk->ccp_rtcode != 0) {
371 DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
373 (int) prepcblk->ccp_rtcode,
374 (int) prepcblk->ccp_rscode);
379 /* process response cprb param block */
380 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
381 prepcblk->rpl_parmb = (u8 __user *) ptr;
382 prepparm = (struct kgrepparm *) ptr;
384 /* check length of the returned secure key token */
385 seckeysize = prepparm->lv3.keyblock.toklen
386 - sizeof(prepparm->lv3.keyblock.toklen)
387 - sizeof(prepparm->lv3.keyblock.tokattr);
388 if (seckeysize != SECKEYBLOBSIZE) {
389 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
390 __func__, seckeysize, SECKEYBLOBSIZE);
395 /* check secure key token */
396 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
397 prepparm->lv3.keyblock.tok, 8*keysize);
403 /* copy the generated secure key token */
404 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
407 free_cprbmem(mem, PARMBSIZE, 0);
410 EXPORT_SYMBOL(cca_genseckey);
413 * Generate an CCA AES DATA secure key with given key value.
415 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
416 const u8 *clrkey, u8 seckey[SECKEYBLOBSIZE])
418 int rc, keysize, seckeysize;
420 struct CPRBX *preqcblk, *prepcblk;
421 struct ica_xcRB xcrb;
435 u8 data[SECKEYBLOBSIZE];
438 } __packed * preqparm;
450 /* ... some more data ... */
453 } __packed * prepparm;
455 /* get already prepared memory for 2 cprbs with param block each */
456 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
460 /* fill request cprb struct */
461 preqcblk->domain = domain;
463 /* fill request cprb param block with CM request */
464 preqparm = (struct cmreqparm __force *) preqcblk->req_parmb;
465 memcpy(preqparm->subfunc_code, "CM", 2);
466 memcpy(preqparm->rule_array, "AES ", 8);
467 preqparm->rule_array_len =
468 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
469 switch (keybitsize) {
470 case PKEY_SIZE_AES_128:
471 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
474 case PKEY_SIZE_AES_192:
475 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
478 case PKEY_SIZE_AES_256:
479 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
483 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
484 __func__, keybitsize);
488 preqparm->lv1.len = sizeof(struct lv1) + keysize;
489 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
490 plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize);
491 plv2->len = sizeof(struct lv2);
492 plv2->keyid.len = sizeof(struct keyid);
493 plv2->keyid.attr = 0x30;
494 preqcblk->req_parml = sizeof(struct cmreqparm) + keysize;
496 /* fill xcrb struct */
497 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
499 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
500 rc = _zcrypt_send_cprb(&xcrb);
502 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
503 __func__, (int) cardnr, (int) domain, rc);
507 /* check response returncode and reasoncode */
508 if (prepcblk->ccp_rtcode != 0) {
509 DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
511 (int) prepcblk->ccp_rtcode,
512 (int) prepcblk->ccp_rscode);
517 /* process response cprb param block */
518 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
519 prepcblk->rpl_parmb = (u8 __user *) ptr;
520 prepparm = (struct cmrepparm *) ptr;
522 /* check length of the returned secure key token */
523 seckeysize = prepparm->lv3.keyblock.toklen
524 - sizeof(prepparm->lv3.keyblock.toklen)
525 - sizeof(prepparm->lv3.keyblock.tokattr);
526 if (seckeysize != SECKEYBLOBSIZE) {
527 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
528 __func__, seckeysize, SECKEYBLOBSIZE);
533 /* check secure key token */
534 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
535 prepparm->lv3.keyblock.tok, 8*keysize);
541 /* copy the generated secure key token */
543 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
546 free_cprbmem(mem, PARMBSIZE, 1);
549 EXPORT_SYMBOL(cca_clr2seckey);
552 * Derive proteced key from an CCA AES DATA secure key.
554 int cca_sec2protkey(u16 cardnr, u16 domain,
555 const u8 seckey[SECKEYBLOBSIZE],
556 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
560 struct CPRBX *preqcblk, *prepcblk;
561 struct ica_xcRB xcrb;
574 u8 token[0]; /* cca secure key token */
576 } __packed * preqparm;
584 struct cpacfkeyblock {
585 u8 version; /* version of this struct */
591 u8 key[64]; /* the key (len bytes) */
596 u8 vp[32]; /* verification pattern */
599 } __packed * prepparm;
601 /* get already prepared memory for 2 cprbs with param block each */
602 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
606 /* fill request cprb struct */
607 preqcblk->domain = domain;
609 /* fill request cprb param block with USK request */
610 preqparm = (struct uskreqparm __force *) preqcblk->req_parmb;
611 memcpy(preqparm->subfunc_code, "US", 2);
612 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
613 preqparm->lv1.len = sizeof(struct lv1);
614 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
615 preqparm->lv1.attr_flags = 0x0001;
616 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
617 preqparm->lv2.attr_len = sizeof(struct lv2)
618 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
619 preqparm->lv2.attr_flags = 0x0000;
620 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
621 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
623 /* fill xcrb struct */
624 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
626 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
627 rc = _zcrypt_send_cprb(&xcrb);
629 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
630 __func__, (int) cardnr, (int) domain, rc);
634 /* check response returncode and reasoncode */
635 if (prepcblk->ccp_rtcode != 0) {
636 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
638 (int) prepcblk->ccp_rtcode,
639 (int) prepcblk->ccp_rscode);
643 if (prepcblk->ccp_rscode != 0) {
644 DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
646 (int) prepcblk->ccp_rtcode,
647 (int) prepcblk->ccp_rscode);
650 /* process response cprb param block */
651 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
652 prepcblk->rpl_parmb = (u8 __user *) ptr;
653 prepparm = (struct uskrepparm *) ptr;
655 /* check the returned keyblock */
656 if (prepparm->lv3.ckb.version != 0x01 &&
657 prepparm->lv3.ckb.version != 0x02) {
658 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
659 __func__, (int) prepparm->lv3.ckb.version);
664 /* copy the tanslated protected key */
665 switch (prepparm->lv3.ckb.len) {
667 /* AES 128 protected key */
669 *protkeytype = PKEY_KEYTYPE_AES_128;
672 /* AES 192 protected key */
674 *protkeytype = PKEY_KEYTYPE_AES_192;
677 /* AES 256 protected key */
679 *protkeytype = PKEY_KEYTYPE_AES_256;
682 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
683 __func__, prepparm->lv3.ckb.len);
687 memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
689 *protkeylen = prepparm->lv3.ckb.len;
692 free_cprbmem(mem, PARMBSIZE, 0);
695 EXPORT_SYMBOL(cca_sec2protkey);
698 * AES cipher key skeleton created with CSNBKTB2 with these flags:
699 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
700 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
701 * used by cca_gencipherkey() and cca_clr2cipherkey().
703 static const u8 aes_cipher_key_skeleton[] = {
704 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
708 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
709 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
710 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
711 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
714 * Generate (random) CCA AES CIPHER secure key.
716 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
717 u8 *keybuf, size_t *keybufsize)
721 struct CPRBX *preqcblk, *prepcblk;
722 struct ica_xcRB xcrb;
726 char rule_array[2*8];
731 u16 clear_key_bit_len;
756 u8 gen_key_id_1[SIZEOF_SKELETON];
761 u8 gen_key_id_1_label[0];
771 u8 gen_key_id_2_label[0];
774 } __packed * preqparm;
786 u8 gen_key[0]; /* 120-136 bytes */
789 } __packed * prepparm;
790 struct cipherkeytoken *t;
792 /* get already prepared memory for 2 cprbs with param block each */
793 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
797 /* fill request cprb struct */
798 preqcblk->domain = domain;
799 preqcblk->req_parml = sizeof(struct gkreqparm);
801 /* prepare request param block with GK request */
802 preqparm = (struct gkreqparm __force *) preqcblk->req_parmb;
803 memcpy(preqparm->subfunc_code, "GK", 2);
804 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
805 memcpy(preqparm->rule_array, "AES OP ", 2*8);
807 /* prepare vud block */
808 preqparm->vud.len = sizeof(preqparm->vud);
809 switch (keybitsize) {
816 "%s unknown/unsupported keybitsize %d\n",
817 __func__, keybitsize);
821 preqparm->vud.clear_key_bit_len = keybitsize;
822 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
823 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
825 /* prepare kb block */
826 preqparm->kb.len = sizeof(preqparm->kb);
827 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
828 preqparm->kb.tlv1.flag = 0x0030;
829 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
830 preqparm->kb.tlv2.flag = 0x0030;
831 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
832 preqparm->kb.tlv3.flag = 0x0030;
833 memcpy(preqparm->kb.tlv3.gen_key_id_1,
834 aes_cipher_key_skeleton, SIZEOF_SKELETON);
835 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
836 preqparm->kb.tlv4.flag = 0x0030;
837 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
838 preqparm->kb.tlv5.flag = 0x0030;
839 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
840 preqparm->kb.tlv6.flag = 0x0030;
842 /* patch the skeleton key token export flags inside the kb block */
844 t = (struct cipherkeytoken *) preqparm->kb.tlv3.gen_key_id_1;
845 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
846 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
849 /* prepare xcrb struct */
850 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
852 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
853 rc = _zcrypt_send_cprb(&xcrb);
856 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
857 __func__, (int) cardnr, (int) domain, rc);
861 /* check response returncode and reasoncode */
862 if (prepcblk->ccp_rtcode != 0) {
864 "%s cipher key generate failure, card response %d/%d\n",
866 (int) prepcblk->ccp_rtcode,
867 (int) prepcblk->ccp_rscode);
872 /* process response cprb param block */
873 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
874 prepcblk->rpl_parmb = (u8 __user *) ptr;
875 prepparm = (struct gkrepparm *) ptr;
877 /* do some plausibility checks on the key block */
878 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
879 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
880 DEBUG_ERR("%s reply with invalid or unknown key block\n",
886 /* and some checks on the generated key */
887 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
888 prepparm->kb.tlv1.gen_key,
895 /* copy the generated vlsc key token */
896 t = (struct cipherkeytoken *) prepparm->kb.tlv1.gen_key;
898 if (*keybufsize >= t->len)
899 memcpy(keybuf, t, t->len);
903 *keybufsize = t->len;
906 free_cprbmem(mem, PARMBSIZE, 0);
909 EXPORT_SYMBOL(cca_gencipherkey);
912 * Helper function, does a the CSNBKPI2 CPRB.
914 static int _ip_cprb_helper(u16 cardnr, u16 domain,
915 const char *rule_array_1,
916 const char *rule_array_2,
917 const char *rule_array_3,
918 const u8 *clr_key_value,
919 int clr_key_bit_size,
925 struct CPRBX *preqcblk, *prepcblk;
926 struct ica_xcRB xcrb;
927 struct rule_array_block {
931 } __packed * preq_ra_block;
936 u16 flag; /* 0x0064 */
941 u16 flag; /* 0x0063 */
942 u8 clr_key[0]; /* clear key value bytes */
944 } __packed * preq_vud_block;
949 u16 flag; /* 0x0030 */
950 u8 key_token[0]; /* key skeleton */
952 } __packed * preq_key_block;
963 u16 flag; /* 0x0030 */
964 u8 key_token[0]; /* key token */
967 } __packed * prepparm;
968 struct cipherkeytoken *t;
969 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
971 /* get already prepared memory for 2 cprbs with param block each */
972 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
976 /* fill request cprb struct */
977 preqcblk->domain = domain;
978 preqcblk->req_parml = 0;
980 /* prepare request param block with IP request */
981 preq_ra_block = (struct rule_array_block __force *) preqcblk->req_parmb;
982 memcpy(preq_ra_block->subfunc_code, "IP", 2);
983 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
984 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
985 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
986 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
988 preq_ra_block->rule_array_len += 8;
989 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
990 preqcblk->req_parml += 8;
993 /* prepare vud block */
994 preq_vud_block = (struct vud_block __force *)
995 (preqcblk->req_parmb + preqcblk->req_parml);
996 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
997 preq_vud_block->len = sizeof(struct vud_block) + n;
998 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
999 preq_vud_block->tlv1.flag = 0x0064;
1000 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
1001 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
1002 preq_vud_block->tlv2.flag = 0x0063;
1004 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1005 preqcblk->req_parml += preq_vud_block->len;
1007 /* prepare key block */
1008 preq_key_block = (struct key_block __force *)
1009 (preqcblk->req_parmb + preqcblk->req_parml);
1010 n = *key_token_size;
1011 preq_key_block->len = sizeof(struct key_block) + n;
1012 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1013 preq_key_block->tlv1.flag = 0x0030;
1014 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1015 preqcblk->req_parml += preq_key_block->len;
1017 /* prepare xcrb struct */
1018 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1020 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1021 rc = _zcrypt_send_cprb(&xcrb);
1024 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1025 __func__, (int) cardnr, (int) domain, rc);
1029 /* check response returncode and reasoncode */
1030 if (prepcblk->ccp_rtcode != 0) {
1032 "%s CSNBKPI2 failure, card response %d/%d\n",
1034 (int) prepcblk->ccp_rtcode,
1035 (int) prepcblk->ccp_rscode);
1040 /* process response cprb param block */
1041 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1042 prepcblk->rpl_parmb = (u8 __user *) ptr;
1043 prepparm = (struct iprepparm *) ptr;
1045 /* do some plausibility checks on the key block */
1046 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1047 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1048 DEBUG_ERR("%s reply with invalid or unknown key block\n",
1054 /* do not check the key here, it may be incomplete */
1056 /* copy the vlsc key token back */
1057 t = (struct cipherkeytoken *) prepparm->kb.tlv1.key_token;
1058 memcpy(key_token, t, t->len);
1059 *key_token_size = t->len;
1062 free_cprbmem(mem, PARMBSIZE, 0);
1067 * Build CCA AES CIPHER secure key with a given clear key value.
1069 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1070 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1076 struct cipherkeytoken *t;
1078 /* fill exorbuf with random data */
1079 get_random_bytes(exorbuf, sizeof(exorbuf));
1081 /* allocate space for the key token to build */
1082 token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1086 /* prepare the token with the key skeleton */
1087 tokensize = SIZEOF_SKELETON;
1088 memcpy(token, aes_cipher_key_skeleton, tokensize);
1090 /* patch the skeleton key token export flags */
1092 t = (struct cipherkeytoken *) token;
1093 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
1094 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
1098 * Do the key import with the clear key value in 4 steps:
1099 * 1/4 FIRST import with only random data
1100 * 2/4 EXOR the clear key
1101 * 3/4 EXOR the very same random data again
1102 * 4/4 COMPLETE the secure cipher key import
1104 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1105 exorbuf, keybitsize, token, &tokensize);
1108 "%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1112 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1113 clrkey, keybitsize, token, &tokensize);
1116 "%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1120 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1121 exorbuf, keybitsize, token, &tokensize);
1124 "%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1128 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1129 NULL, keybitsize, token, &tokensize);
1132 "%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1137 /* copy the generated key token */
1139 if (tokensize > *keybufsize)
1142 memcpy(keybuf, token, tokensize);
1144 *keybufsize = tokensize;
1150 EXPORT_SYMBOL(cca_clr2cipherkey);
1153 * Derive proteced key from CCA AES cipher secure key.
1155 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1156 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1160 struct CPRBX *preqcblk, *prepcblk;
1161 struct ica_xcRB xcrb;
1174 u16 cca_key_token_len;
1175 u16 cca_key_token_flags;
1176 u8 cca_key_token[0]; // 64 or more
1178 } __packed * preqparm;
1186 struct cpacfkeyblock {
1187 u8 version; /* version of this struct */
1193 u8 key[64]; /* the key (keylen bytes) */
1198 u8 vp[32]; /* verification pattern */
1204 } __packed * prepparm;
1205 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1207 /* get already prepared memory for 2 cprbs with param block each */
1208 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1212 /* fill request cprb struct */
1213 preqcblk->domain = domain;
1215 /* fill request cprb param block with AU request */
1216 preqparm = (struct aureqparm __force *) preqcblk->req_parmb;
1217 memcpy(preqparm->subfunc_code, "AU", 2);
1218 preqparm->rule_array_len =
1219 sizeof(preqparm->rule_array_len)
1220 + sizeof(preqparm->rule_array);
1221 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1223 preqparm->vud.len = sizeof(preqparm->vud);
1224 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1225 + 2 * sizeof(uint16_t);
1226 preqparm->vud.tk_blob_tag = 0x00C2;
1228 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1229 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1230 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1231 /* now fill length of param block into cprb */
1232 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1234 /* fill xcrb struct */
1235 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1237 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1238 rc = _zcrypt_send_cprb(&xcrb);
1241 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1242 __func__, (int) cardnr, (int) domain, rc);
1246 /* check response returncode and reasoncode */
1247 if (prepcblk->ccp_rtcode != 0) {
1249 "%s unwrap secure key failure, card response %d/%d\n",
1251 (int) prepcblk->ccp_rtcode,
1252 (int) prepcblk->ccp_rscode);
1256 if (prepcblk->ccp_rscode != 0) {
1258 "%s unwrap secure key warning, card response %d/%d\n",
1260 (int) prepcblk->ccp_rtcode,
1261 (int) prepcblk->ccp_rscode);
1264 /* process response cprb param block */
1265 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1266 prepcblk->rpl_parmb = (u8 __user *) ptr;
1267 prepparm = (struct aurepparm *) ptr;
1269 /* check the returned keyblock */
1270 if (prepparm->vud.ckb.version != 0x01 &&
1271 prepparm->vud.ckb.version != 0x02) {
1272 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1273 __func__, (int) prepparm->vud.ckb.version);
1277 if (prepparm->vud.ckb.algo != 0x02) {
1279 "%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1280 __func__, (int) prepparm->vud.ckb.algo);
1285 /* copy the translated protected key */
1286 switch (prepparm->vud.ckb.keylen) {
1288 /* AES 128 protected key */
1290 *protkeytype = PKEY_KEYTYPE_AES_128;
1293 /* AES 192 protected key */
1295 *protkeytype = PKEY_KEYTYPE_AES_192;
1298 /* AES 256 protected key */
1300 *protkeytype = PKEY_KEYTYPE_AES_256;
1303 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1304 __func__, prepparm->vud.ckb.keylen);
1308 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1310 *protkeylen = prepparm->vud.ckb.keylen;
1313 free_cprbmem(mem, PARMBSIZE, 0);
1316 EXPORT_SYMBOL(cca_cipher2protkey);
1319 * query cryptographic facility from CCA adapter
1321 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1322 const char *keyword,
1323 u8 *rarray, size_t *rarraylen,
1324 u8 *varray, size_t *varraylen)
1329 struct CPRBX *preqcblk, *prepcblk;
1330 struct ica_xcRB xcrb;
1337 u8 data[VARDATASIZE];
1340 } __packed * preqparm;
1341 size_t parmbsize = sizeof(struct fqreqparm);
1345 } __packed * prepparm;
1347 /* get already prepared memory for 2 cprbs with param block each */
1348 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1352 /* fill request cprb struct */
1353 preqcblk->domain = domain;
1355 /* fill request cprb param block with FQ request */
1356 preqparm = (struct fqreqparm __force *) preqcblk->req_parmb;
1357 memcpy(preqparm->subfunc_code, "FQ", 2);
1358 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1359 preqparm->rule_array_len =
1360 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1361 preqparm->lv1.len = sizeof(preqparm->lv1);
1362 preqparm->dummylen = sizeof(preqparm->dummylen);
1363 preqcblk->req_parml = parmbsize;
1365 /* fill xcrb struct */
1366 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1368 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1369 rc = _zcrypt_send_cprb(&xcrb);
1371 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1372 __func__, (int) cardnr, (int) domain, rc);
1376 /* check response returncode and reasoncode */
1377 if (prepcblk->ccp_rtcode != 0) {
1378 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1380 (int) prepcblk->ccp_rtcode,
1381 (int) prepcblk->ccp_rscode);
1386 /* process response cprb param block */
1387 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1388 prepcblk->rpl_parmb = (u8 __user *) ptr;
1389 prepparm = (struct fqrepparm *) ptr;
1390 ptr = prepparm->lvdata;
1392 /* check and possibly copy reply rule array */
1393 len = *((u16 *) ptr);
1394 if (len > sizeof(u16)) {
1397 if (rarray && rarraylen && *rarraylen > 0) {
1398 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1399 memcpy(rarray, ptr, *rarraylen);
1403 /* check and possible copy reply var array */
1404 len = *((u16 *) ptr);
1405 if (len > sizeof(u16)) {
1408 if (varray && varraylen && *varraylen > 0) {
1409 *varraylen = (len > *varraylen ? *varraylen : len);
1410 memcpy(varray, ptr, *varraylen);
1416 free_cprbmem(mem, parmbsize, 0);
1419 EXPORT_SYMBOL(cca_query_crypto_facility);
1421 static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
1424 struct cca_info_list_entry *ptr;
1426 spin_lock_bh(&cca_info_list_lock);
1427 list_for_each_entry(ptr, &cca_info_list, list) {
1428 if (ptr->cardnr == cardnr && ptr->domain == domain) {
1429 memcpy(ci, &ptr->info, sizeof(*ci));
1434 spin_unlock_bh(&cca_info_list_lock);
1439 static void cca_info_cache_update(u16 cardnr, u16 domain,
1440 const struct cca_info *ci)
1443 struct cca_info_list_entry *ptr;
1445 spin_lock_bh(&cca_info_list_lock);
1446 list_for_each_entry(ptr, &cca_info_list, list) {
1447 if (ptr->cardnr == cardnr &&
1448 ptr->domain == domain) {
1449 memcpy(&ptr->info, ci, sizeof(*ci));
1455 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1457 spin_unlock_bh(&cca_info_list_lock);
1460 ptr->cardnr = cardnr;
1461 ptr->domain = domain;
1462 memcpy(&ptr->info, ci, sizeof(*ci));
1463 list_add(&ptr->list, &cca_info_list);
1465 spin_unlock_bh(&cca_info_list_lock);
1468 static void cca_info_cache_scrub(u16 cardnr, u16 domain)
1470 struct cca_info_list_entry *ptr;
1472 spin_lock_bh(&cca_info_list_lock);
1473 list_for_each_entry(ptr, &cca_info_list, list) {
1474 if (ptr->cardnr == cardnr &&
1475 ptr->domain == domain) {
1476 list_del(&ptr->list);
1481 spin_unlock_bh(&cca_info_list_lock);
1484 static void __exit mkvp_cache_free(void)
1486 struct cca_info_list_entry *ptr, *pnext;
1488 spin_lock_bh(&cca_info_list_lock);
1489 list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
1490 list_del(&ptr->list);
1493 spin_unlock_bh(&cca_info_list_lock);
1497 * Fetch cca_info values via query_crypto_facility from adapter.
1499 static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
1503 u8 *rarray, *varray, *pg;
1504 struct zcrypt_device_status_ext devstat;
1506 memset(ci, 0, sizeof(*ci));
1508 /* get first info from zcrypt device driver about this apqn */
1509 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1512 ci->hwtype = devstat.hwtype;
1514 /* prep page for rule array and var array use */
1515 pg = (u8 *) __get_free_page(GFP_KERNEL);
1519 varray = pg + PAGE_SIZE/2;
1520 rlen = vlen = PAGE_SIZE/2;
1522 /* QF for this card/domain */
1523 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1524 rarray, &rlen, varray, &vlen);
1525 if (rc == 0 && rlen >= 10*8 && vlen >= 204) {
1526 memcpy(ci->serial, rarray, 8);
1527 ci->new_mk_state = (char) rarray[7*8];
1528 ci->cur_mk_state = (char) rarray[8*8];
1529 ci->old_mk_state = (char) rarray[9*8];
1530 if (ci->old_mk_state == '2')
1531 memcpy(&ci->old_mkvp, varray + 172, 8);
1532 if (ci->cur_mk_state == '2')
1533 memcpy(&ci->cur_mkvp, varray + 184, 8);
1534 if (ci->new_mk_state == '3')
1535 memcpy(&ci->new_mkvp, varray + 196, 8);
1539 free_page((unsigned long) pg);
1541 return found ? 0 : -ENOENT;
1545 * Fetch cca information about a CCA queue.
1547 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1551 rc = cca_info_cache_fetch(card, dom, ci);
1553 rc = fetch_cca_info(card, dom, ci);
1555 cca_info_cache_update(card, dom, ci);
1560 EXPORT_SYMBOL(cca_get_info);
1563 * Search for a matching crypto card based on the
1564 * Master Key Verification Pattern given.
1566 static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1567 int verify, int minhwtype)
1569 struct zcrypt_device_status_ext *device_status;
1574 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1575 if (mkvp == 0 || minhwtype < 0)
1578 /* fetch status of all crypto cards */
1579 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1580 sizeof(struct zcrypt_device_status_ext),
1584 zcrypt_device_status_mask_ext(device_status);
1586 /* walk through all crypto cards */
1587 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1588 card = AP_QID_CARD(device_status[i].qid);
1589 dom = AP_QID_QUEUE(device_status[i].qid);
1590 if (device_status[i].online &&
1591 device_status[i].functions & 0x04) {
1592 /* enabled CCA card, check current mkvp from cache */
1593 if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
1594 ci.hwtype >= minhwtype &&
1595 ci.cur_mk_state == '2' &&
1596 ci.cur_mkvp == mkvp) {
1599 /* verify: refresh card info */
1600 if (fetch_cca_info(card, dom, &ci) == 0) {
1601 cca_info_cache_update(card, dom, &ci);
1602 if (ci.hwtype >= minhwtype &&
1603 ci.cur_mk_state == '2' &&
1604 ci.cur_mkvp == mkvp)
1609 /* Card is offline and/or not a CCA card. */
1610 /* del mkvp entry from cache if it exists */
1611 cca_info_cache_scrub(card, dom);
1614 if (i >= MAX_ZDEV_ENTRIES_EXT) {
1615 /* nothing found, so this time without cache */
1616 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1617 if (!(device_status[i].online &&
1618 device_status[i].functions & 0x04))
1620 card = AP_QID_CARD(device_status[i].qid);
1621 dom = AP_QID_QUEUE(device_status[i].qid);
1622 /* fresh fetch mkvp from adapter */
1623 if (fetch_cca_info(card, dom, &ci) == 0) {
1624 cca_info_cache_update(card, dom, &ci);
1625 if (ci.hwtype >= minhwtype &&
1626 ci.cur_mk_state == '2' &&
1627 ci.cur_mkvp == mkvp)
1629 if (ci.hwtype >= minhwtype &&
1630 ci.old_mk_state == '2' &&
1631 ci.old_mkvp == mkvp &&
1636 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1637 /* old mkvp matched, use this card then */
1638 card = AP_QID_CARD(device_status[oi].qid);
1639 dom = AP_QID_QUEUE(device_status[oi].qid);
1642 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1647 rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1651 kvfree(device_status);
1656 * Search for a matching crypto card based on the Master Key
1657 * Verification Pattern provided inside a secure key token.
1659 int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1663 const struct keytoken_header *hdr = (struct keytoken_header *) key;
1665 if (hdr->type != TOKTYPE_CCA_INTERNAL)
1668 switch (hdr->version) {
1669 case TOKVER_CCA_AES:
1670 mkvp = ((struct secaeskeytoken *)key)->mkvp;
1672 case TOKVER_CCA_VLSC:
1673 mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1674 minhwtype = AP_DEVICE_TYPE_CEX6;
1680 return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
1682 EXPORT_SYMBOL(cca_findcard);
1684 int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1685 int minhwtype, u64 cur_mkvp, u64 old_mkvp, int verify)
1687 struct zcrypt_device_status_ext *device_status;
1688 int i, n, card, dom, curmatch, oldmatch, rc = 0;
1694 /* fetch status of all crypto cards */
1695 device_status = kmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1696 sizeof(struct zcrypt_device_status_ext),
1700 zcrypt_device_status_mask_ext(device_status);
1702 /* loop two times: first gather eligible apqns, then store them */
1705 /* walk through all the crypto cards */
1706 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1707 card = AP_QID_CARD(device_status[i].qid);
1708 dom = AP_QID_QUEUE(device_status[i].qid);
1709 /* check online state */
1710 if (!device_status[i].online)
1712 /* check for cca functions */
1713 if (!(device_status[i].functions & 0x04))
1716 if (cardnr != 0xFFFF && card != cardnr)
1719 if (domain != 0xFFFF && dom != domain)
1721 /* get cca info on this apqn */
1722 if (cca_get_info(card, dom, &ci, verify))
1724 /* current master key needs to be valid */
1725 if (ci.cur_mk_state != '2')
1727 /* check min hardware type */
1728 if (minhwtype > 0 && minhwtype > ci.hwtype)
1730 if (cur_mkvp || old_mkvp) {
1732 curmatch = oldmatch = 0;
1733 if (cur_mkvp && cur_mkvp == ci.cur_mkvp)
1735 if (old_mkvp && ci.old_mk_state == '2' &&
1736 old_mkvp == ci.old_mkvp)
1738 if ((cur_mkvp || old_mkvp) &&
1739 (curmatch + oldmatch < 1))
1742 /* apqn passed all filtering criterons */
1743 if (*apqns && n < *nr_apqns)
1744 (*apqns)[n] = (((u16)card) << 16) | ((u16) dom);
1747 /* loop 2nd time: array has been filled */
1750 /* loop 1st time: have # of eligible apqns in n */
1752 rc = -ENODEV; /* no eligible apqns found */
1756 /* allocate array to store n apqns into */
1757 *apqns = kmalloc_array(n, sizeof(u32), GFP_KERNEL);
1765 kfree(device_status);
1768 EXPORT_SYMBOL(cca_findcard2);
1770 void __exit zcrypt_ccamisc_exit(void)
projects / linux.git / blob