1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2019
6 * Collection of EP11 misc functions used by zcrypt and pkey
9 #define KMSG_COMPONENT "zcrypt"
10 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/slab.h>
15 #include <linux/random.h>
16 #include <asm/zcrypt.h>
20 #include "zcrypt_api.h"
21 #include "zcrypt_debug.h"
22 #include "zcrypt_msgtype6.h"
23 #include "zcrypt_ep11misc.h"
24 #include "zcrypt_ccamisc.h"
26 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
31 /* default iv used here */
32 static const u8 def_iv[16] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
33 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
35 /* ep11 card info cache */
36 struct card_list_entry {
37 struct list_head list;
39 struct ep11_card_info info;
41 static LIST_HEAD(card_list);
42 static DEFINE_SPINLOCK(card_list_lock);
44 static int card_cache_fetch(u16 cardnr, struct ep11_card_info *ci)
47 struct card_list_entry *ptr;
49 spin_lock_bh(&card_list_lock);
50 list_for_each_entry(ptr, &card_list, list) {
51 if (ptr->cardnr == cardnr) {
52 memcpy(ci, &ptr->info, sizeof(*ci));
57 spin_unlock_bh(&card_list_lock);
62 static void card_cache_update(u16 cardnr, const struct ep11_card_info *ci)
65 struct card_list_entry *ptr;
67 spin_lock_bh(&card_list_lock);
68 list_for_each_entry(ptr, &card_list, list) {
69 if (ptr->cardnr == cardnr) {
70 memcpy(&ptr->info, ci, sizeof(*ci));
76 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
78 spin_unlock_bh(&card_list_lock);
82 memcpy(&ptr->info, ci, sizeof(*ci));
83 list_add(&ptr->list, &card_list);
85 spin_unlock_bh(&card_list_lock);
88 static void card_cache_scrub(u16 cardnr)
90 struct card_list_entry *ptr;
92 spin_lock_bh(&card_list_lock);
93 list_for_each_entry(ptr, &card_list, list) {
94 if (ptr->cardnr == cardnr) {
100 spin_unlock_bh(&card_list_lock);
103 static void __exit card_cache_free(void)
105 struct card_list_entry *ptr, *pnext;
107 spin_lock_bh(&card_list_lock);
108 list_for_each_entry_safe(ptr, pnext, &card_list, list) {
109 list_del(&ptr->list);
112 spin_unlock_bh(&card_list_lock);
116 * Simple check if the key blob is a valid EP11 secure AES key.
118 int ep11_check_aeskeyblob(debug_info_t *dbg, int dbflvl,
119 const u8 *key, int keybitsize,
120 int checkcpacfexport)
122 struct ep11keyblob *kb = (struct ep11keyblob *) key;
124 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
126 if (kb->head.type != TOKTYPE_NON_CCA) {
128 DBF("%s key check failed, type 0x%02x != 0x%02x\n",
129 __func__, (int) kb->head.type, TOKTYPE_NON_CCA);
132 if (kb->head.version != TOKVER_EP11_AES) {
134 DBF("%s key check failed, version 0x%02x != 0x%02x\n",
135 __func__, (int) kb->head.version, TOKVER_EP11_AES);
138 if (kb->version != EP11_STRUCT_MAGIC) {
140 DBF("%s key check failed, magic 0x%04x != 0x%04x\n",
141 __func__, (int) kb->version, EP11_STRUCT_MAGIC);
144 switch (kb->head.keybitlen) {
151 DBF("%s key check failed, keybitlen %d invalid\n",
152 __func__, (int) kb->head.keybitlen);
155 if (keybitsize > 0 && keybitsize != (int) kb->head.keybitlen) {
156 DBF("%s key check failed, keybitsize %d\n",
157 __func__, keybitsize);
160 if (checkcpacfexport && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) {
162 DBF("%s key check failed, PKEY_EXTRACTABLE is 0\n",
170 EXPORT_SYMBOL(ep11_check_aeskeyblob);
173 * Helper function which calls zcrypt_send_ep11_cprb with
174 * memory management segment adjusted to kernel space
175 * so that the copy_from_user called within this
176 * function do in fact copy from kernel space.
178 static inline int _zcrypt_send_ep11_cprb(struct ep11_urb *urb)
181 mm_segment_t old_fs = get_fs();
184 rc = zcrypt_send_ep11_cprb(urb);
191 * Allocate and prepare ep11 cprb plus additional payload.
193 static inline struct ep11_cprb *alloc_cprb(size_t payload_len)
195 size_t len = sizeof(struct ep11_cprb) + payload_len;
196 struct ep11_cprb *cprb;
198 cprb = kzalloc(len, GFP_KERNEL);
202 cprb->cprb_len = sizeof(struct ep11_cprb);
203 cprb->cprb_ver_id = 0x04;
204 memcpy(cprb->func_id, "T4", 2);
205 cprb->ret_code = 0xFFFFFFFF;
206 cprb->payload_len = payload_len;
212 * Some helper functions related to ASN1 encoding.
213 * Limited to length info <= 2 byte.
216 #define ASN1TAGLEN(x) (2 + (x) + ((x) > 127 ? 1 : 0) + ((x) > 255 ? 1 : 0))
218 static int asn1tag_write(u8 *ptr, u8 tag, const u8 *pvalue, u16 valuelen)
221 if (valuelen > 255) {
223 *((u16 *)(ptr + 2)) = valuelen;
224 memcpy(ptr + 4, pvalue, valuelen);
227 if (valuelen > 127) {
229 ptr[2] = (u8) valuelen;
230 memcpy(ptr + 3, pvalue, valuelen);
233 ptr[1] = (u8) valuelen;
234 memcpy(ptr + 2, pvalue, valuelen);
238 /* EP11 payload > 127 bytes starts with this struct */
251 /* prep ep11 payload head helper function */
252 static inline void prep_head(struct pl_head *h,
253 size_t pl_size, int api, int func)
257 h->len = pl_size - 4;
259 h->func_len = sizeof(u32);
260 h->func = (api << 16) + func;
262 h->dom_len = sizeof(u32);
265 /* prep urb helper function */
266 static inline void prep_urb(struct ep11_urb *u,
267 struct ep11_target_dev *t, int nt,
268 struct ep11_cprb *req, size_t req_len,
269 struct ep11_cprb *rep, size_t rep_len)
271 u->targets = (u8 __user *) t;
273 u->req = (u8 __user *) req;
274 u->req_len = req_len;
275 u->resp = (u8 __user *) rep;
276 u->resp_len = rep_len;
279 /* Check ep11 reply payload, return 0 or suggested errno value. */
280 static int check_reply_pl(const u8 *pl, const char *func)
287 DEBUG_ERR("%s reply start tag mismatch\n", func);
291 /* payload length format */
295 } else if (*pl == 0x81) {
299 } else if (*pl == 0x82) {
304 DEBUG_ERR("%s reply start tag lenfmt mismatch 0x%02hhx\n",
309 /* len should cover at least 3 fields with 32 bit value each */
311 DEBUG_ERR("%s reply length %d too small\n", func, len);
315 /* function tag, length and value */
316 if (pl[0] != 0x04 || pl[1] != 0x04) {
317 DEBUG_ERR("%s function tag or length mismatch\n", func);
322 /* dom tag, length and value */
323 if (pl[0] != 0x04 || pl[1] != 0x04) {
324 DEBUG_ERR("%s dom tag or length mismatch\n", func);
329 /* return value tag, length and value */
330 if (pl[0] != 0x04 || pl[1] != 0x04) {
331 DEBUG_ERR("%s return value tag or length mismatch\n", func);
337 DEBUG_ERR("%s return value 0x%04x != 0\n", func, ret);
346 * Helper function which does an ep11 query with given query type.
348 static int ep11_query_info(u16 cardnr, u16 domain, u32 query_type,
349 size_t buflen, u8 *buf)
351 struct ep11_info_req_pl {
356 u8 query_subtype_tag;
357 u8 query_subtype_len;
360 struct ep11_info_rep_pl {
369 struct ep11_cprb *req = NULL, *rep = NULL;
370 struct ep11_target_dev target;
371 struct ep11_urb *urb = NULL;
372 int api = 1, rc = -ENOMEM;
374 /* request cprb and payload */
375 req = alloc_cprb(sizeof(struct ep11_info_req_pl));
378 req_pl = (struct ep11_info_req_pl *) (((u8 *) req) + sizeof(*req));
379 prep_head(&req_pl->head, sizeof(*req_pl), api, 38); /* get xcp info */
380 req_pl->query_type_tag = 0x04;
381 req_pl->query_type_len = sizeof(u32);
382 req_pl->query_type = query_type;
383 req_pl->query_subtype_tag = 0x04;
384 req_pl->query_subtype_len = sizeof(u32);
386 /* reply cprb and payload */
387 rep = alloc_cprb(sizeof(struct ep11_info_rep_pl) + buflen);
390 rep_pl = (struct ep11_info_rep_pl *) (((u8 *) rep) + sizeof(*rep));
393 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL);
396 target.ap_id = cardnr;
397 target.dom_id = domain;
398 prep_urb(urb, &target, 1,
399 req, sizeof(*req) + sizeof(*req_pl),
400 rep, sizeof(*rep) + sizeof(*rep_pl) + buflen);
402 rc = _zcrypt_send_ep11_cprb(urb);
405 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
406 __func__, (int) cardnr, (int) domain, rc);
410 rc = check_reply_pl((u8 *)rep_pl, __func__);
413 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) {
414 DEBUG_ERR("%s unknown reply data format\n", __func__);
418 if (rep_pl->data_len > buflen) {
419 DEBUG_ERR("%s mismatch between reply data len and buffer len\n",
425 memcpy(buf, ((u8 *) rep_pl) + sizeof(*rep_pl), rep_pl->data_len);
435 * Provide information about an EP11 card.
437 int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify)
440 struct ep11_module_query_info {
448 u8 xcp_config_hash[32];
449 u8 CSP_config_hash[32];
451 u8 module_date_time[16];
457 u32 digest_state_bytes;
460 u32 priv_key_blob_bytes;
462 u32 max_payload_bytes;
463 u32 CP_profile_bytes;
465 } __packed * pmqi = NULL;
467 rc = card_cache_fetch(card, info);
469 pmqi = kmalloc(sizeof(*pmqi), GFP_KERNEL);
472 rc = ep11_query_info(card, AUTOSEL_DOM,
473 0x01 /* module info query */,
474 sizeof(*pmqi), (u8 *) pmqi);
477 card_cache_scrub(card);
480 memset(info, 0, sizeof(*info));
481 info->API_ord_nr = pmqi->API_ord_nr;
483 (pmqi->FW_major_vers << 8) + pmqi->FW_minor_vers;
484 memcpy(info->serial, pmqi->serial, sizeof(info->serial));
485 info->op_mode = pmqi->op_mode;
486 card_cache_update(card, info);
493 EXPORT_SYMBOL(ep11_get_card_info);
496 * Provide information about a domain within an EP11 card.
498 int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info)
501 struct ep11_domain_query_info {
507 } __packed * p_dom_info;
509 p_dom_info = kmalloc(sizeof(*p_dom_info), GFP_KERNEL);
513 rc = ep11_query_info(card, domain, 0x03 /* domain info query */,
514 sizeof(*p_dom_info), (u8 *) p_dom_info);
518 memset(info, 0, sizeof(*info));
519 info->cur_wk_state = '0';
520 info->new_wk_state = '0';
521 if (p_dom_info->dom_flags & 0x10 /* left imprint mode */) {
522 if (p_dom_info->dom_flags & 0x02 /* cur wk valid */) {
523 info->cur_wk_state = '1';
524 memcpy(info->cur_wkvp, p_dom_info->cur_WK_VP, 32);
526 if (p_dom_info->dom_flags & 0x04 /* new wk present */
527 || p_dom_info->dom_flags & 0x08 /* new wk committed */) {
529 p_dom_info->dom_flags & 0x08 ? '2' : '1';
530 memcpy(info->new_wkvp, p_dom_info->new_WK_VP, 32);
533 info->op_mode = p_dom_info->op_mode;
539 EXPORT_SYMBOL(ep11_get_domain_info);
542 * Default EP11 AES key generate attributes, used when no keygenflags given:
543 * XCP_BLOB_ENCRYPT | XCP_BLOB_DECRYPT | XCP_BLOB_PROTKEY_EXTRACTABLE
545 #define KEY_ATTR_DEFAULTS 0x00200c00
547 int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
548 u8 *keybuf, size_t *keybufsize)
550 struct keygen_req_pl {
566 u32 attr_val_len_type;
567 u32 attr_val_len_value;
571 struct keygen_rep_pl {
581 struct ep11_cprb *req = NULL, *rep = NULL;
582 struct ep11_target_dev target;
583 struct ep11_urb *urb = NULL;
584 struct ep11keyblob *kb;
585 int api, rc = -ENOMEM;
587 switch (keybitsize) {
594 "%s unknown/unsupported keybitsize %d\n",
595 __func__, keybitsize);
600 /* request cprb and payload */
601 req = alloc_cprb(sizeof(struct keygen_req_pl));
604 req_pl = (struct keygen_req_pl *) (((u8 *) req) + sizeof(*req));
605 api = (!keygenflags || keygenflags & 0x00200000) ? 4 : 1;
606 prep_head(&req_pl->head, sizeof(*req_pl), api, 21); /* GenerateKey */
607 req_pl->var_tag = 0x04;
608 req_pl->var_len = sizeof(u32);
609 req_pl->keybytes_tag = 0x04;
610 req_pl->keybytes_len = sizeof(u32);
611 req_pl->keybytes = keybitsize / 8;
612 req_pl->mech_tag = 0x04;
613 req_pl->mech_len = sizeof(u32);
614 req_pl->mech = 0x00001080; /* CKM_AES_KEY_GEN */
615 req_pl->attr_tag = 0x04;
616 req_pl->attr_len = 5 * sizeof(u32);
617 req_pl->attr_header = 0x10010000;
618 req_pl->attr_bool_mask = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS;
619 req_pl->attr_bool_bits = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS;
620 req_pl->attr_val_len_type = 0x00000161; /* CKA_VALUE_LEN */
621 req_pl->attr_val_len_value = keybitsize / 8;
622 req_pl->pin_tag = 0x04;
624 /* reply cprb and payload */
625 rep = alloc_cprb(sizeof(struct keygen_rep_pl));
628 rep_pl = (struct keygen_rep_pl *) (((u8 *) rep) + sizeof(*rep));
631 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL);
635 target.dom_id = domain;
636 prep_urb(urb, &target, 1,
637 req, sizeof(*req) + sizeof(*req_pl),
638 rep, sizeof(*rep) + sizeof(*rep_pl));
640 rc = _zcrypt_send_ep11_cprb(urb);
643 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
644 __func__, (int) card, (int) domain, rc);
648 rc = check_reply_pl((u8 *)rep_pl, __func__);
651 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) {
652 DEBUG_ERR("%s unknown reply data format\n", __func__);
656 if (rep_pl->data_len > *keybufsize) {
657 DEBUG_ERR("%s mismatch reply data len / key buffer len\n",
663 /* copy key blob and set header values */
664 memcpy(keybuf, rep_pl->data, rep_pl->data_len);
665 *keybufsize = rep_pl->data_len;
666 kb = (struct ep11keyblob *) keybuf;
667 kb->head.type = TOKTYPE_NON_CCA;
668 kb->head.len = rep_pl->data_len;
669 kb->head.version = TOKVER_EP11_AES;
670 kb->head.keybitlen = keybitsize;
678 EXPORT_SYMBOL(ep11_genaeskey);
680 static int ep11_cryptsingle(u16 card, u16 domain,
681 u16 mode, u32 mech, const u8 *iv,
682 const u8 *key, size_t keysize,
683 const u8 *inbuf, size_t inbufsize,
684 u8 *outbuf, size_t *outbufsize)
686 struct crypt_req_pl {
695 * maybe followed by iv data
696 * followed by key tag + key blob
697 * followed by plaintext tag + plaintext
700 struct crypt_rep_pl {
709 struct ep11_cprb *req = NULL, *rep = NULL;
710 struct ep11_target_dev target;
711 struct ep11_urb *urb = NULL;
712 size_t req_pl_size, rep_pl_size;
713 int n, api = 1, rc = -ENOMEM;
716 /* the simple asn1 coding used has length limits */
717 if (keysize > 0xFFFF || inbufsize > 0xFFFF)
720 /* request cprb and payload */
721 req_pl_size = sizeof(struct crypt_req_pl) + (iv ? 16 : 0)
722 + ASN1TAGLEN(keysize) + ASN1TAGLEN(inbufsize);
723 req = alloc_cprb(req_pl_size);
726 req_pl = (struct crypt_req_pl *) (((u8 *) req) + sizeof(*req));
727 prep_head(&req_pl->head, req_pl_size, api, (mode ? 20 : 19));
728 req_pl->var_tag = 0x04;
729 req_pl->var_len = sizeof(u32);
730 /* mech is mech + mech params (iv here) */
731 req_pl->mech_tag = 0x04;
732 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0);
733 req_pl->mech = (mech ? mech : 0x00001085); /* CKM_AES_CBC_PAD */
734 p = ((u8 *) req_pl) + sizeof(*req_pl);
739 /* key and input data */
740 p += asn1tag_write(p, 0x04, key, keysize);
741 p += asn1tag_write(p, 0x04, inbuf, inbufsize);
743 /* reply cprb and payload, assume out data size <= in data size + 32 */
744 rep_pl_size = sizeof(struct crypt_rep_pl) + ASN1TAGLEN(inbufsize + 32);
745 rep = alloc_cprb(rep_pl_size);
748 rep_pl = (struct crypt_rep_pl *) (((u8 *) rep) + sizeof(*rep));
751 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL);
755 target.dom_id = domain;
756 prep_urb(urb, &target, 1,
757 req, sizeof(*req) + req_pl_size,
758 rep, sizeof(*rep) + rep_pl_size);
760 rc = _zcrypt_send_ep11_cprb(urb);
763 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
764 __func__, (int) card, (int) domain, rc);
768 rc = check_reply_pl((u8 *)rep_pl, __func__);
771 if (rep_pl->data_tag != 0x04) {
772 DEBUG_ERR("%s unknown reply data format\n", __func__);
776 p = ((u8 *) rep_pl) + sizeof(*rep_pl);
777 if (rep_pl->data_lenfmt <= 127)
778 n = rep_pl->data_lenfmt;
779 else if (rep_pl->data_lenfmt == 0x81)
781 else if (rep_pl->data_lenfmt == 0x82) {
785 DEBUG_ERR("%s unknown reply data length format 0x%02hhx\n",
786 __func__, rep_pl->data_lenfmt);
790 if (n > *outbufsize) {
791 DEBUG_ERR("%s mismatch reply data len %d / output buffer %zu\n",
792 __func__, n, *outbufsize);
797 memcpy(outbuf, p, n);
807 static int ep11_unwrapkey(u16 card, u16 domain,
808 const u8 *kek, size_t keksize,
809 const u8 *enckey, size_t enckeysize,
810 u32 mech, const u8 *iv,
811 u32 keybitsize, u32 keygenflags,
812 u8 *keybuf, size_t *keybufsize)
822 u32 attr_key_type_value;
824 u32 attr_val_len_value;
829 * maybe followed by iv data
830 * followed by kek tag + kek blob
831 * followed by empty mac tag
832 * followed by empty pin tag
833 * followed by encryted key tag + bytes
846 struct ep11_cprb *req = NULL, *rep = NULL;
847 struct ep11_target_dev target;
848 struct ep11_urb *urb = NULL;
849 struct ep11keyblob *kb;
851 int api, rc = -ENOMEM;
854 /* request cprb and payload */
855 req_pl_size = sizeof(struct uw_req_pl) + (iv ? 16 : 0)
856 + ASN1TAGLEN(keksize) + 4 + ASN1TAGLEN(enckeysize);
857 req = alloc_cprb(req_pl_size);
860 req_pl = (struct uw_req_pl *) (((u8 *) req) + sizeof(*req));
861 api = (!keygenflags || keygenflags & 0x00200000) ? 4 : 1;
862 prep_head(&req_pl->head, req_pl_size, api, 34); /* UnwrapKey */
863 req_pl->attr_tag = 0x04;
864 req_pl->attr_len = 7 * sizeof(u32);
865 req_pl->attr_header = 0x10020000;
866 req_pl->attr_bool_mask = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS;
867 req_pl->attr_bool_bits = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS;
868 req_pl->attr_key_type = 0x00000100; /* CKA_KEY_TYPE */
869 req_pl->attr_key_type_value = 0x0000001f; /* CKK_AES */
870 req_pl->attr_val_len = 0x00000161; /* CKA_VALUE_LEN */
871 req_pl->attr_val_len_value = keybitsize / 8;
872 /* mech is mech + mech params (iv here) */
873 req_pl->mech_tag = 0x04;
874 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0);
875 req_pl->mech = (mech ? mech : 0x00001085); /* CKM_AES_CBC_PAD */
876 p = ((u8 *) req_pl) + sizeof(*req_pl);
882 p += asn1tag_write(p, 0x04, kek, keksize);
883 /* empty mac key tag */
889 /* encrypted key value tag and bytes */
890 p += asn1tag_write(p, 0x04, enckey, enckeysize);
892 /* reply cprb and payload */
893 rep = alloc_cprb(sizeof(struct uw_rep_pl));
896 rep_pl = (struct uw_rep_pl *) (((u8 *) rep) + sizeof(*rep));
899 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL);
903 target.dom_id = domain;
904 prep_urb(urb, &target, 1,
905 req, sizeof(*req) + req_pl_size,
906 rep, sizeof(*rep) + sizeof(*rep_pl));
908 rc = _zcrypt_send_ep11_cprb(urb);
911 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
912 __func__, (int) card, (int) domain, rc);
916 rc = check_reply_pl((u8 *)rep_pl, __func__);
919 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) {
920 DEBUG_ERR("%s unknown reply data format\n", __func__);
924 if (rep_pl->data_len > *keybufsize) {
925 DEBUG_ERR("%s mismatch reply data len / key buffer len\n",
931 /* copy key blob and set header values */
932 memcpy(keybuf, rep_pl->data, rep_pl->data_len);
933 *keybufsize = rep_pl->data_len;
934 kb = (struct ep11keyblob *) keybuf;
935 kb->head.type = TOKTYPE_NON_CCA;
936 kb->head.len = rep_pl->data_len;
937 kb->head.version = TOKVER_EP11_AES;
938 kb->head.keybitlen = keybitsize;
947 static int ep11_wrapkey(u16 card, u16 domain,
948 const u8 *key, size_t keysize,
949 u32 mech, const u8 *iv,
950 u8 *databuf, size_t *datasize)
961 * followed by iv data
962 * followed by key tag + key blob
963 * followed by dummy kek param
964 * followed by dummy mac param
977 struct ep11_cprb *req = NULL, *rep = NULL;
978 struct ep11_target_dev target;
979 struct ep11_urb *urb = NULL;
980 struct ep11keyblob *kb;
982 int api, rc = -ENOMEM;
985 /* request cprb and payload */
986 req_pl_size = sizeof(struct wk_req_pl) + (iv ? 16 : 0)
987 + ASN1TAGLEN(keysize) + 4;
988 req = alloc_cprb(req_pl_size);
991 if (!mech || mech == 0x80060001)
992 req->flags |= 0x20; /* CPACF_WRAP needs special bit */
993 req_pl = (struct wk_req_pl *) (((u8 *) req) + sizeof(*req));
994 api = (!mech || mech == 0x80060001) ? 4 : 1; /* CKM_IBM_CPACF_WRAP */
995 prep_head(&req_pl->head, req_pl_size, api, 33); /* WrapKey */
996 req_pl->var_tag = 0x04;
997 req_pl->var_len = sizeof(u32);
998 /* mech is mech + mech params (iv here) */
999 req_pl->mech_tag = 0x04;
1000 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0);
1001 req_pl->mech = (mech ? mech : 0x80060001); /* CKM_IBM_CPACF_WRAP */
1002 p = ((u8 *) req_pl) + sizeof(*req_pl);
1008 p += asn1tag_write(p, 0x04, key, keysize);
1009 /* maybe the key argument needs the head data cleaned out */
1010 kb = (struct ep11keyblob *)(p - keysize);
1011 if (kb->head.version == TOKVER_EP11_AES)
1012 memset(&kb->head, 0, sizeof(kb->head));
1020 /* reply cprb and payload */
1021 rep = alloc_cprb(sizeof(struct wk_rep_pl));
1024 rep_pl = (struct wk_rep_pl *) (((u8 *) rep) + sizeof(*rep));
1026 /* urb and target */
1027 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL);
1030 target.ap_id = card;
1031 target.dom_id = domain;
1032 prep_urb(urb, &target, 1,
1033 req, sizeof(*req) + req_pl_size,
1034 rep, sizeof(*rep) + sizeof(*rep_pl));
1036 rc = _zcrypt_send_ep11_cprb(urb);
1039 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
1040 __func__, (int) card, (int) domain, rc);
1044 rc = check_reply_pl((u8 *)rep_pl, __func__);
1047 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) {
1048 DEBUG_ERR("%s unknown reply data format\n", __func__);
1052 if (rep_pl->data_len > *datasize) {
1053 DEBUG_ERR("%s mismatch reply data len / data buffer len\n",
1059 /* copy the data from the cprb to the data buffer */
1060 memcpy(databuf, rep_pl->data, rep_pl->data_len);
1061 *datasize = rep_pl->data_len;
1070 int ep11_clr2keyblob(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
1071 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1074 struct ep11keyblob *kb;
1075 u8 encbuf[64], *kek = NULL;
1076 size_t clrkeylen, keklen, encbuflen = sizeof(encbuf);
1078 if (keybitsize == 128 || keybitsize == 192 || keybitsize == 256)
1079 clrkeylen = keybitsize / 8;
1082 "%s unknown/unsupported keybitsize %d\n",
1083 __func__, keybitsize);
1087 /* allocate memory for the temp kek */
1088 keklen = MAXEP11AESKEYBLOBSIZE;
1089 kek = kmalloc(keklen, GFP_ATOMIC);
1095 /* Step 1: generate AES 256 bit random kek key */
1096 rc = ep11_genaeskey(card, domain, 256,
1097 0x00006c00, /* EN/DECRYPT, WRAP/UNWRAP */
1101 "%s generate kek key failed, rc=%d\n",
1105 kb = (struct ep11keyblob *) kek;
1106 memset(&kb->head, 0, sizeof(kb->head));
1108 /* Step 2: encrypt clear key value with the kek key */
1109 rc = ep11_cryptsingle(card, domain, 0, 0, def_iv, kek, keklen,
1110 clrkey, clrkeylen, encbuf, &encbuflen);
1113 "%s encrypting key value with kek key failed, rc=%d\n",
1118 /* Step 3: import the encrypted key value as a new key */
1119 rc = ep11_unwrapkey(card, domain, kek, keklen,
1120 encbuf, encbuflen, 0, def_iv,
1121 keybitsize, 0, keybuf, keybufsize);
1124 "%s importing key value as new key failed,, rc=%d\n",
1133 EXPORT_SYMBOL(ep11_clr2keyblob);
1135 int ep11_key2protkey(u16 card, u16 dom, const u8 *key, size_t keylen,
1136 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1140 size_t wkbuflen = 256;
1151 /* alloc temp working buffer */
1152 wkbuf = kmalloc(wkbuflen, GFP_ATOMIC);
1156 /* ep11 secure key -> protected key + info */
1157 rc = ep11_wrapkey(card, dom, key, keylen,
1158 0, def_iv, wkbuf, &wkbuflen);
1161 "%s rewrapping ep11 key to pkey failed, rc=%d\n",
1165 wki = (struct wk_info *) wkbuf;
1167 /* check struct version and pkey type */
1168 if (wki->version != 1 || wki->pkeytype != 1) {
1169 DEBUG_ERR("%s wk info version %d or pkeytype %d mismatch.\n",
1170 __func__, (int) wki->version, (int) wki->pkeytype);
1175 /* copy the tanslated protected key */
1176 switch (wki->pkeysize) {
1178 /* AES 128 protected key */
1180 *protkeytype = PKEY_KEYTYPE_AES_128;
1183 /* AES 192 protected key */
1185 *protkeytype = PKEY_KEYTYPE_AES_192;
1188 /* AES 256 protected key */
1190 *protkeytype = PKEY_KEYTYPE_AES_256;
1193 DEBUG_ERR("%s unknown/unsupported pkeysize %d\n",
1194 __func__, (int) wki->pkeysize);
1198 memcpy(protkey, wki->pkey, wki->pkeysize);
1200 *protkeylen = (u32) wki->pkeysize;
1207 EXPORT_SYMBOL(ep11_key2protkey);
1209 int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1210 int minhwtype, int minapi, const u8 *wkvp)
1212 struct zcrypt_device_status_ext *device_status;
1213 u32 *_apqns = NULL, _nr_apqns = 0;
1214 int i, card, dom, rc = -ENOMEM;
1215 struct ep11_domain_info edi;
1216 struct ep11_card_info eci;
1218 /* fetch status of all crypto cards */
1219 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1220 sizeof(struct zcrypt_device_status_ext),
1224 zcrypt_device_status_mask_ext(device_status);
1226 /* allocate 1k space for up to 256 apqns */
1227 _apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL);
1229 kvfree(device_status);
1233 /* walk through all the crypto apqnss */
1234 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1235 card = AP_QID_CARD(device_status[i].qid);
1236 dom = AP_QID_QUEUE(device_status[i].qid);
1237 /* check online state */
1238 if (!device_status[i].online)
1240 /* check for ep11 functions */
1241 if (!(device_status[i].functions & 0x01))
1244 if (cardnr != 0xFFFF && card != cardnr)
1247 if (domain != 0xFFFF && dom != domain)
1249 /* check min hardware type */
1250 if (minhwtype && device_status[i].hwtype < minhwtype)
1252 /* check min api version if given */
1254 if (ep11_get_card_info(card, &eci, 0))
1256 if (minapi > eci.API_ord_nr)
1259 /* check wkvp if given */
1261 if (ep11_get_domain_info(card, dom, &edi))
1263 if (edi.cur_wk_state != '1')
1265 if (memcmp(wkvp, edi.cur_wkvp, 16))
1268 /* apqn passed all filtering criterons, add to the array */
1269 if (_nr_apqns < 256)
1270 _apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16) dom);
1273 /* nothing found ? */
1278 /* no re-allocation, simple return the _apqns array */
1280 *nr_apqns = _nr_apqns;
1284 kvfree(device_status);
1287 EXPORT_SYMBOL(ep11_findcard2);
1289 void __exit zcrypt_ep11misc_exit(void)
projects / linux.git / blob