1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright IBM Corp. 2001, 2023
4 * Author(s): Robert Burroughs
5 * Eric Rossman (edrossma@us.ibm.com)
6 *
7 * Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com)
8 * Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com>
9 * Ralph Wuerthner <rwuerthn@de.ibm.com>
10 * MSGTYPE restruct: Holger Dengler <hd@linux.vnet.ibm.com>
11 */
12
13 #define KMSG_COMPONENT "zcrypt"
14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
15
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/err.h>
19 #include <linux/delay.h>
20 #include <linux/slab.h>
21 #include <linux/atomic.h>
22 #include <linux/uaccess.h>
23
24 #include "ap_bus.h"
25 #include "zcrypt_api.h"
26 #include "zcrypt_error.h"
27 #include "zcrypt_msgtype6.h"
28 #include "zcrypt_cca_key.h"
29
30 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */
31
32 #define CEIL4(x) ((((x) + 3) / 4) * 4)
33
34 #define CEXXC_RESPONSE_TYPE_ICA 0
35 #define CEXXC_RESPONSE_TYPE_XCRB 1
36 #define CEXXC_RESPONSE_TYPE_EP11 2
37
38 MODULE_AUTHOR("IBM Corporation");
39 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \
40 "Copyright IBM Corp. 2001, 2023");
41 MODULE_LICENSE("GPL");
42
43 struct function_and_rules_block {
44 unsigned char function_code[2];
45 unsigned short ulen;
46 unsigned char only_rule[8];
47 } __packed;
48
49 /*
50 * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP
51 * card in a type6 message. The 3 fields that must be filled in at execution
52 * time are req_parml, rpl_parml and usage_domain.
53 * Everything about this interface is ascii/big-endian, since the
54 * device does *not* have 'Intel inside'.
55 *
56 * The CPRBX is followed immediately by the parm block.
57 * The parm block contains:
58 * - function code ('PD' 0x5044 or 'PK' 0x504B)
59 * - rule block (one of:)
60 * + 0x000A 'PKCS-1.2' (MCL2 'PD')
61 * + 0x000A 'ZERO-PAD' (MCL2 'PK')
62 * + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD')
63 * + 0x000A 'MRP ' (MCL3 'PK' or CEX2C 'PK')
64 * - VUD block
65 */
66 static const struct CPRBX static_cprbx = {
67 .cprb_len = 0x00DC,
68 .cprb_ver_id = 0x02,
69 .func_id = {0x54, 0x32},
70 };
71
speed_idx_cca(int req_type)72 int speed_idx_cca(int req_type)
73 {
74 switch (req_type) {
75 case 0x4142:
76 case 0x4149:
77 case 0x414D:
78 case 0x4341:
79 case 0x4344:
80 case 0x4354:
81 case 0x4358:
82 case 0x444B:
83 case 0x4558:
84 case 0x4643:
85 case 0x4651:
86 case 0x4C47:
87 case 0x4C4B:
88 case 0x4C51:
89 case 0x4F48:
90 case 0x504F:
91 case 0x5053:
92 case 0x5058:
93 case 0x5343:
94 case 0x5344:
95 case 0x5345:
96 case 0x5350:
97 return LOW;
98 case 0x414B:
99 case 0x4345:
100 case 0x4349:
101 case 0x434D:
102 case 0x4847:
103 case 0x4849:
104 case 0x484D:
105 case 0x4850:
106 case 0x4851:
107 case 0x4954:
108 case 0x4958:
109 case 0x4B43:
110 case 0x4B44:
111 case 0x4B45:
112 case 0x4B47:
113 case 0x4B48:
114 case 0x4B49:
115 case 0x4B4E:
116 case 0x4B50:
117 case 0x4B52:
118 case 0x4B54:
119 case 0x4B58:
120 case 0x4D50:
121 case 0x4D53:
122 case 0x4D56:
123 case 0x4D58:
124 case 0x5044:
125 case 0x5045:
126 case 0x5046:
127 case 0x5047:
128 case 0x5049:
129 case 0x504B:
130 case 0x504D:
131 case 0x5254:
132 case 0x5347:
133 case 0x5349:
134 case 0x534B:
135 case 0x534D:
136 case 0x5356:
137 case 0x5358:
138 case 0x5443:
139 case 0x544B:
140 case 0x5647:
141 return HIGH;
142 default:
143 return MEDIUM;
144 }
145 }
146
speed_idx_ep11(int req_type)147 int speed_idx_ep11(int req_type)
148 {
149 switch (req_type) {
150 case 1:
151 case 2:
152 case 36:
153 case 37:
154 case 38:
155 case 39:
156 case 40:
157 return LOW;
158 case 17:
159 case 18:
160 case 19:
161 case 20:
162 case 21:
163 case 22:
164 case 26:
165 case 30:
166 case 31:
167 case 32:
168 case 33:
169 case 34:
170 case 35:
171 return HIGH;
172 default:
173 return MEDIUM;
174 }
175 }
176
177 /*
178 * Convert a ICAMEX message to a type6 MEX message.
179 *
180 * @zq: crypto device pointer
181 * @ap_msg: pointer to AP message
182 * @mex: pointer to user input data
183 *
184 * Returns 0 on success or negative errno value.
185 */
icamex_msg_to_type6mex_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo * mex)186 static int icamex_msg_to_type6mex_msgx(struct zcrypt_queue *zq,
187 struct ap_message *ap_msg,
188 struct ica_rsa_modexpo *mex)
189 {
190 static struct type6_hdr static_type6_hdrX = {
191 .type = 0x06,
192 .offset1 = 0x00000058,
193 .agent_id = {'C', 'A',},
194 .function_code = {'P', 'K'},
195 };
196 static struct function_and_rules_block static_pke_fnr = {
197 .function_code = {'P', 'K'},
198 .ulen = 10,
199 .only_rule = {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '}
200 };
201 struct {
202 struct type6_hdr hdr;
203 struct CPRBX cprbx;
204 struct function_and_rules_block fr;
205 unsigned short length;
206 char text[];
207 } __packed * msg = ap_msg->msg;
208 int size;
209
210 /*
211 * The inputdatalength was a selection criteria in the dispatching
212 * function zcrypt_rsa_modexpo(). However, make sure the following
213 * copy_from_user() never exceeds the allocated buffer space.
214 */
215 if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
216 return -EINVAL;
217
218 /* VUD.ciphertext */
219 msg->length = mex->inputdatalength + 2;
220 if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
221 return -EFAULT;
222
223 /* Set up key which is located after the variable length text. */
224 size = zcrypt_type6_mex_key_en(mex, msg->text + mex->inputdatalength);
225 if (size < 0)
226 return size;
227 size += sizeof(*msg) + mex->inputdatalength;
228
229 /* message header, cprbx and f&r */
230 msg->hdr = static_type6_hdrX;
231 msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
232 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
233
234 msg->cprbx = static_cprbx;
235 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
236 msg->cprbx.rpl_msgbl = msg->hdr.fromcardlen1;
237
238 msg->fr = static_pke_fnr;
239
240 msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx);
241
242 ap_msg->len = size;
243 return 0;
244 }
245
246 /*
247 * Convert a ICACRT message to a type6 CRT message.
248 *
249 * @zq: crypto device pointer
250 * @ap_msg: pointer to AP message
251 * @crt: pointer to user input data
252 *
253 * Returns 0 on success or negative errno value.
254 */
icacrt_msg_to_type6crt_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo_crt * crt)255 static int icacrt_msg_to_type6crt_msgx(struct zcrypt_queue *zq,
256 struct ap_message *ap_msg,
257 struct ica_rsa_modexpo_crt *crt)
258 {
259 static struct type6_hdr static_type6_hdrX = {
260 .type = 0x06,
261 .offset1 = 0x00000058,
262 .agent_id = {'C', 'A',},
263 .function_code = {'P', 'D'},
264 };
265 static struct function_and_rules_block static_pkd_fnr = {
266 .function_code = {'P', 'D'},
267 .ulen = 10,
268 .only_rule = {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'}
269 };
270
271 struct {
272 struct type6_hdr hdr;
273 struct CPRBX cprbx;
274 struct function_and_rules_block fr;
275 unsigned short length;
276 char text[];
277 } __packed * msg = ap_msg->msg;
278 int size;
279
280 /*
281 * The inputdatalength was a selection criteria in the dispatching
282 * function zcrypt_rsa_crt(). However, make sure the following
283 * copy_from_user() never exceeds the allocated buffer space.
284 */
285 if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
286 return -EINVAL;
287
288 /* VUD.ciphertext */
289 msg->length = crt->inputdatalength + 2;
290 if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))
291 return -EFAULT;
292
293 /* Set up key which is located after the variable length text. */
294 size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength);
295 if (size < 0)
296 return size;
297 size += sizeof(*msg) + crt->inputdatalength; /* total size of msg */
298
299 /* message header, cprbx and f&r */
300 msg->hdr = static_type6_hdrX;
301 msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
302 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
303
304 msg->cprbx = static_cprbx;
305 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
306 msg->cprbx.req_parml = msg->cprbx.rpl_msgbl =
307 size - sizeof(msg->hdr) - sizeof(msg->cprbx);
308
309 msg->fr = static_pkd_fnr;
310
311 ap_msg->len = size;
312 return 0;
313 }
314
315 /*
316 * Convert a XCRB message to a type6 CPRB message.
317 *
318 * @zq: crypto device pointer
319 * @ap_msg: pointer to AP message
320 * @xcRB: pointer to user input data
321 *
322 * Returns 0 on success or -EFAULT, -EINVAL.
323 */
324 struct type86_fmt2_msg {
325 struct type86_hdr hdr;
326 struct type86_fmt2_ext fmt2;
327 } __packed;
328
xcrb_msg_to_type6cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ica_xcRB * xcrb,unsigned int * fcode,unsigned short ** dom)329 static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg,
330 struct ica_xcRB *xcrb,
331 unsigned int *fcode,
332 unsigned short **dom)
333 {
334 static struct type6_hdr static_type6_hdrX = {
335 .type = 0x06,
336 .offset1 = 0x00000058,
337 };
338 struct {
339 struct type6_hdr hdr;
340 union {
341 struct CPRBX cprbx;
342 DECLARE_FLEX_ARRAY(u8, userdata);
343 };
344 } __packed * msg = ap_msg->msg;
345
346 int rcblen = CEIL4(xcrb->request_control_blk_length);
347 int req_sumlen, resp_sumlen;
348 char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen;
349 char *function_code;
350
351 if (CEIL4(xcrb->request_control_blk_length) <
352 xcrb->request_control_blk_length)
353 return -EINVAL; /* overflow after alignment*/
354
355 /* length checks */
356 ap_msg->len = sizeof(struct type6_hdr) +
357 CEIL4(xcrb->request_control_blk_length) +
358 xcrb->request_data_length;
359 if (ap_msg->len > ap_msg->bufsize)
360 return -EINVAL;
361
362 /*
363 * Overflow check
364 * sum must be greater (or equal) than the largest operand
365 */
366 req_sumlen = CEIL4(xcrb->request_control_blk_length) +
367 xcrb->request_data_length;
368 if ((CEIL4(xcrb->request_control_blk_length) <=
369 xcrb->request_data_length) ?
370 req_sumlen < xcrb->request_data_length :
371 req_sumlen < CEIL4(xcrb->request_control_blk_length)) {
372 return -EINVAL;
373 }
374
375 if (CEIL4(xcrb->reply_control_blk_length) <
376 xcrb->reply_control_blk_length)
377 return -EINVAL; /* overflow after alignment*/
378
379 /*
380 * Overflow check
381 * sum must be greater (or equal) than the largest operand
382 */
383 resp_sumlen = CEIL4(xcrb->reply_control_blk_length) +
384 xcrb->reply_data_length;
385 if ((CEIL4(xcrb->reply_control_blk_length) <=
386 xcrb->reply_data_length) ?
387 resp_sumlen < xcrb->reply_data_length :
388 resp_sumlen < CEIL4(xcrb->reply_control_blk_length)) {
389 return -EINVAL;
390 }
391
392 /* prepare type6 header */
393 msg->hdr = static_type6_hdrX;
394 memcpy(msg->hdr.agent_id, &xcrb->agent_ID, sizeof(xcrb->agent_ID));
395 msg->hdr.tocardlen1 = xcrb->request_control_blk_length;
396 if (xcrb->request_data_length) {
397 msg->hdr.offset2 = msg->hdr.offset1 + rcblen;
398 msg->hdr.tocardlen2 = xcrb->request_data_length;
399 }
400 msg->hdr.fromcardlen1 = xcrb->reply_control_blk_length;
401 msg->hdr.fromcardlen2 = xcrb->reply_data_length;
402
403 /* prepare CPRB */
404 if (z_copy_from_user(userspace, msg->userdata,
405 xcrb->request_control_blk_addr,
406 xcrb->request_control_blk_length))
407 return -EFAULT;
408 if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) >
409 xcrb->request_control_blk_length)
410 return -EINVAL;
411 function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len;
412 memcpy(msg->hdr.function_code, function_code,
413 sizeof(msg->hdr.function_code));
414
415 *fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1];
416 *dom = (unsigned short *)&msg->cprbx.domain;
417
418 /* check subfunction, US and AU need special flag with NQAP */
419 if (memcmp(function_code, "US", 2) == 0 ||
420 memcmp(function_code, "AU", 2) == 0)
421 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
422
423 /* check CPRB minor version, set info bits in ap_message flag field */
424 switch (*(unsigned short *)(&msg->cprbx.func_id[0])) {
425 case 0x5432: /* "T2" */
426 ap_msg->flags |= AP_MSG_FLAG_USAGE;
427 break;
428 case 0x5433: /* "T3" */
429 case 0x5435: /* "T5" */
430 case 0x5436: /* "T6" */
431 case 0x5437: /* "T7" */
432 ap_msg->flags |= AP_MSG_FLAG_ADMIN;
433 break;
434 default:
435 pr_debug("unknown CPRB minor version '%c%c'\n",
436 msg->cprbx.func_id[0], msg->cprbx.func_id[1]);
437 }
438
439 /* copy data block */
440 if (xcrb->request_data_length &&
441 z_copy_from_user(userspace, req_data, xcrb->request_data_address,
442 xcrb->request_data_length))
443 return -EFAULT;
444
445 return 0;
446 }
447
xcrb_msg_to_type6_ep11cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ep11_urb * xcrb,unsigned int * fcode,unsigned int * domain)448 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg,
449 struct ep11_urb *xcrb,
450 unsigned int *fcode,
451 unsigned int *domain)
452 {
453 unsigned int lfmt;
454 static struct type6_hdr static_type6_ep11_hdr = {
455 .type = 0x06,
456 .rqid = {0x00, 0x01},
457 .function_code = {0x00, 0x00},
458 .agent_id[0] = 0x58, /* {'X'} */
459 .agent_id[1] = 0x43, /* {'C'} */
460 .offset1 = 0x00000058,
461 };
462
463 struct {
464 struct type6_hdr hdr;
465 union {
466 struct {
467 struct ep11_cprb cprbx;
468 unsigned char pld_tag; /* fixed value 0x30 */
469 unsigned char pld_lenfmt; /* length format */
470 } __packed;
471 DECLARE_FLEX_ARRAY(u8, userdata);
472 };
473 } __packed * msg = ap_msg->msg;
474
475 struct pld_hdr {
476 unsigned char func_tag; /* fixed value 0x4 */
477 unsigned char func_len; /* fixed value 0x4 */
478 unsigned int func_val; /* function ID */
479 unsigned char dom_tag; /* fixed value 0x4 */
480 unsigned char dom_len; /* fixed value 0x4 */
481 unsigned int dom_val; /* domain id */
482 } __packed * payload_hdr = NULL;
483
484 if (CEIL4(xcrb->req_len) < xcrb->req_len)
485 return -EINVAL; /* overflow after alignment*/
486
487 /* length checks */
488 ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcrb->req_len);
489 if (ap_msg->len > ap_msg->bufsize)
490 return -EINVAL;
491
492 if (CEIL4(xcrb->resp_len) < xcrb->resp_len)
493 return -EINVAL; /* overflow after alignment*/
494
495 /* prepare type6 header */
496 msg->hdr = static_type6_ep11_hdr;
497 msg->hdr.tocardlen1 = xcrb->req_len;
498 msg->hdr.fromcardlen1 = xcrb->resp_len;
499
500 /* Import CPRB data from the ioctl input parameter */
501 if (z_copy_from_user(userspace, msg->userdata,
502 (char __force __user *)xcrb->req, xcrb->req_len)) {
503 return -EFAULT;
504 }
505
506 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
507 switch (msg->pld_lenfmt & 0x03) {
508 case 1:
509 lfmt = 2;
510 break;
511 case 2:
512 lfmt = 3;
513 break;
514 default:
515 return -EINVAL;
516 }
517 } else {
518 lfmt = 1; /* length format #1 */
519 }
520 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
521 *fcode = payload_hdr->func_val & 0xFFFF;
522
523 /* enable special processing based on the cprbs flags special bit */
524 if (msg->cprbx.flags & 0x20)
525 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
526
527 /* set info bits in ap_message flag field */
528 if (msg->cprbx.flags & 0x80)
529 ap_msg->flags |= AP_MSG_FLAG_ADMIN;
530 else
531 ap_msg->flags |= AP_MSG_FLAG_USAGE;
532
533 *domain = msg->cprbx.target_id;
534
535 return 0;
536 }
537
538 /*
539 * Copy results from a type 86 ICA reply message back to user space.
540 *
541 * @zq: crypto device pointer
542 * @reply: reply AP message.
543 * @data: pointer to user output data
544 * @length: size of user output data
545 *
546 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
547 */
548 struct type86x_reply {
549 struct type86_hdr hdr;
550 struct type86_fmt2_ext fmt2;
551 struct CPRBX cprbx;
552 unsigned char pad[4]; /* 4 byte function code/rules block ? */
553 unsigned short length; /* length of data including length field size */
554 char data[];
555 } __packed;
556
557 struct type86_ep11_reply {
558 struct type86_hdr hdr;
559 struct type86_fmt2_ext fmt2;
560 struct ep11_cprb cprbx;
561 } __packed;
562
convert_type86_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)563 static int convert_type86_ica(struct zcrypt_queue *zq,
564 struct ap_message *reply,
565 char __user *outputdata,
566 unsigned int outputdatalength)
567 {
568 struct type86x_reply *msg = reply->msg;
569 unsigned short service_rc, service_rs;
570 unsigned int data_len;
571
572 service_rc = msg->cprbx.ccp_rtcode;
573 if (unlikely(service_rc != 0)) {
574 service_rs = msg->cprbx.ccp_rscode;
575 if ((service_rc == 8 && service_rs == 66) ||
576 (service_rc == 8 && service_rs == 65) ||
577 (service_rc == 8 && service_rs == 72) ||
578 (service_rc == 8 && service_rs == 770) ||
579 (service_rc == 12 && service_rs == 769)) {
580 ZCRYPT_DBF_WARN("%s dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n",
581 __func__, AP_QID_CARD(zq->queue->qid),
582 AP_QID_QUEUE(zq->queue->qid),
583 (int)service_rc, (int)service_rs);
584 return -EINVAL;
585 }
586 zq->online = 0;
587 pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n",
588 AP_QID_CARD(zq->queue->qid),
589 AP_QID_QUEUE(zq->queue->qid),
590 (int)service_rc, (int)service_rs);
591 ZCRYPT_DBF_ERR("%s dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n",
592 __func__, AP_QID_CARD(zq->queue->qid),
593 AP_QID_QUEUE(zq->queue->qid),
594 (int)service_rc, (int)service_rs);
595 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
596 return -EAGAIN;
597 }
598 data_len = msg->length - sizeof(msg->length);
599 if (data_len > outputdatalength)
600 return -EMSGSIZE;
601
602 /* Copy the crypto response to user space. */
603 if (copy_to_user(outputdata, msg->data, data_len))
604 return -EFAULT;
605 return 0;
606 }
607
608 /*
609 * Copy results from a type 86 XCRB reply message back to user space.
610 *
611 * @zq: crypto device pointer
612 * @reply: reply AP message.
613 * @xcrb: pointer to XCRB
614 *
615 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
616 */
convert_type86_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)617 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq,
618 struct ap_message *reply,
619 struct ica_xcRB *xcrb)
620 {
621 struct type86_fmt2_msg *msg = reply->msg;
622 char *data = reply->msg;
623
624 /* Copy CPRB to user */
625 if (xcrb->reply_control_blk_length < msg->fmt2.count1) {
626 pr_debug("reply_control_blk_length %u < required %u => EMSGSIZE\n",
627 xcrb->reply_control_blk_length, msg->fmt2.count1);
628 return -EMSGSIZE;
629 }
630 if (z_copy_to_user(userspace, xcrb->reply_control_blk_addr,
631 data + msg->fmt2.offset1, msg->fmt2.count1))
632 return -EFAULT;
633 xcrb->reply_control_blk_length = msg->fmt2.count1;
634
635 /* Copy data buffer to user */
636 if (msg->fmt2.count2) {
637 if (xcrb->reply_data_length < msg->fmt2.count2) {
638 pr_debug("reply_data_length %u < required %u => EMSGSIZE\n",
639 xcrb->reply_data_length, msg->fmt2.count2);
640 return -EMSGSIZE;
641 }
642 if (z_copy_to_user(userspace, xcrb->reply_data_addr,
643 data + msg->fmt2.offset2, msg->fmt2.count2))
644 return -EFAULT;
645 }
646 xcrb->reply_data_length = msg->fmt2.count2;
647
648 return 0;
649 }
650
651 /*
652 * Copy results from a type 86 EP11 XCRB reply message back to user space.
653 *
654 * @zq: crypto device pointer
655 * @reply: reply AP message.
656 * @xcrb: pointer to EP11 user request block
657 *
658 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
659 */
convert_type86_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)660 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
661 struct ap_message *reply,
662 struct ep11_urb *xcrb)
663 {
664 struct type86_fmt2_msg *msg = reply->msg;
665 char *data = reply->msg;
666
667 if (xcrb->resp_len < msg->fmt2.count1) {
668 pr_debug("resp_len %u < required %u => EMSGSIZE\n",
669 (unsigned int)xcrb->resp_len, msg->fmt2.count1);
670 return -EMSGSIZE;
671 }
672
673 /* Copy response CPRB to user */
674 if (z_copy_to_user(userspace, (char __force __user *)xcrb->resp,
675 data + msg->fmt2.offset1, msg->fmt2.count1))
676 return -EFAULT;
677 xcrb->resp_len = msg->fmt2.count1;
678 return 0;
679 }
680
convert_type86_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * buffer)681 static int convert_type86_rng(struct zcrypt_queue *zq,
682 struct ap_message *reply,
683 char *buffer)
684 {
685 struct {
686 struct type86_hdr hdr;
687 struct type86_fmt2_ext fmt2;
688 struct CPRBX cprbx;
689 } __packed * msg = reply->msg;
690 char *data = reply->msg;
691
692 if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0)
693 return -EINVAL;
694 memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2);
695 return msg->fmt2.count2;
696 }
697
convert_response_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)698 static int convert_response_ica(struct zcrypt_queue *zq,
699 struct ap_message *reply,
700 char __user *outputdata,
701 unsigned int outputdatalength)
702 {
703 struct type86x_reply *msg = reply->msg;
704
705 switch (msg->hdr.type) {
706 case TYPE82_RSP_CODE:
707 case TYPE88_RSP_CODE:
708 return convert_error(zq, reply);
709 case TYPE86_RSP_CODE:
710 if (msg->cprbx.ccp_rtcode &&
711 msg->cprbx.ccp_rscode == 0x14f &&
712 outputdatalength > 256) {
713 if (zq->zcard->max_exp_bit_length <= 17) {
714 zq->zcard->max_exp_bit_length = 17;
715 return -EAGAIN;
716 } else {
717 return -EINVAL;
718 }
719 }
720 if (msg->hdr.reply_code)
721 return convert_error(zq, reply);
722 if (msg->cprbx.cprb_ver_id == 0x02)
723 return convert_type86_ica(zq, reply,
724 outputdata, outputdatalength);
725 fallthrough; /* wrong cprb version is an unknown response */
726 default:
727 /* Unknown response type, this should NEVER EVER happen */
728 zq->online = 0;
729 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
730 AP_QID_CARD(zq->queue->qid),
731 AP_QID_QUEUE(zq->queue->qid),
732 (int)msg->hdr.type);
733 ZCRYPT_DBF_ERR(
734 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
735 __func__, AP_QID_CARD(zq->queue->qid),
736 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
737 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
738 return -EAGAIN;
739 }
740 }
741
convert_response_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)742 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq,
743 struct ap_message *reply,
744 struct ica_xcRB *xcrb)
745 {
746 struct type86x_reply *msg = reply->msg;
747
748 switch (msg->hdr.type) {
749 case TYPE82_RSP_CODE:
750 case TYPE88_RSP_CODE:
751 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
752 return convert_error(zq, reply);
753 case TYPE86_RSP_CODE:
754 if (msg->hdr.reply_code) {
755 memcpy(&xcrb->status, msg->fmt2.apfs, sizeof(u32));
756 return convert_error(zq, reply);
757 }
758 if (msg->cprbx.cprb_ver_id == 0x02)
759 return convert_type86_xcrb(userspace, zq, reply, xcrb);
760 fallthrough; /* wrong cprb version is an unknown response */
761 default: /* Unknown response type, this should NEVER EVER happen */
762 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
763 zq->online = 0;
764 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
765 AP_QID_CARD(zq->queue->qid),
766 AP_QID_QUEUE(zq->queue->qid),
767 (int)msg->hdr.type);
768 ZCRYPT_DBF_ERR(
769 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
770 __func__, AP_QID_CARD(zq->queue->qid),
771 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
772 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
773 return -EAGAIN;
774 }
775 }
776
convert_response_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)777 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
778 struct ap_message *reply, struct ep11_urb *xcrb)
779 {
780 struct type86_ep11_reply *msg = reply->msg;
781
782 switch (msg->hdr.type) {
783 case TYPE82_RSP_CODE:
784 case TYPE87_RSP_CODE:
785 return convert_error(zq, reply);
786 case TYPE86_RSP_CODE:
787 if (msg->hdr.reply_code)
788 return convert_error(zq, reply);
789 if (msg->cprbx.cprb_ver_id == 0x04)
790 return convert_type86_ep11_xcrb(userspace, zq, reply, xcrb);
791 fallthrough; /* wrong cprb version is an unknown resp */
792 default: /* Unknown response type, this should NEVER EVER happen */
793 zq->online = 0;
794 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
795 AP_QID_CARD(zq->queue->qid),
796 AP_QID_QUEUE(zq->queue->qid),
797 (int)msg->hdr.type);
798 ZCRYPT_DBF_ERR(
799 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
800 __func__, AP_QID_CARD(zq->queue->qid),
801 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
802 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
803 return -EAGAIN;
804 }
805 }
806
convert_response_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * data)807 static int convert_response_rng(struct zcrypt_queue *zq,
808 struct ap_message *reply,
809 char *data)
810 {
811 struct type86x_reply *msg = reply->msg;
812
813 switch (msg->hdr.type) {
814 case TYPE82_RSP_CODE:
815 case TYPE88_RSP_CODE:
816 return -EINVAL;
817 case TYPE86_RSP_CODE:
818 if (msg->hdr.reply_code)
819 return -EINVAL;
820 if (msg->cprbx.cprb_ver_id == 0x02)
821 return convert_type86_rng(zq, reply, data);
822 fallthrough; /* wrong cprb version is an unknown response */
823 default: /* Unknown response type, this should NEVER EVER happen */
824 zq->online = 0;
825 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
826 AP_QID_CARD(zq->queue->qid),
827 AP_QID_QUEUE(zq->queue->qid),
828 (int)msg->hdr.type);
829 ZCRYPT_DBF_ERR(
830 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
831 __func__, AP_QID_CARD(zq->queue->qid),
832 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
833 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
834 return -EAGAIN;
835 }
836 }
837
838 /*
839 * This function is called from the AP bus code after a crypto request
840 * "msg" has finished with the reply message "reply".
841 * It is called from tasklet context.
842 * @aq: pointer to the AP queue
843 * @msg: pointer to the AP message
844 * @reply: pointer to the AP reply message
845 */
zcrypt_msgtype6_receive(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)846 static void zcrypt_msgtype6_receive(struct ap_queue *aq,
847 struct ap_message *msg,
848 struct ap_message *reply)
849 {
850 static struct error_hdr error_reply = {
851 .type = TYPE82_RSP_CODE,
852 .reply_code = REP82_ERROR_MACHINE_FAILURE,
853 };
854 struct ap_response_type *resp_type = &msg->response;
855 struct type86x_reply *t86r;
856 int len;
857
858 /* Copy the reply message to the request message buffer. */
859 if (!reply)
860 goto out; /* ap_msg->rc indicates the error */
861 t86r = reply->msg;
862 if (t86r->hdr.type == TYPE86_RSP_CODE &&
863 t86r->cprbx.cprb_ver_id == 0x02) {
864 switch (resp_type->type) {
865 case CEXXC_RESPONSE_TYPE_ICA:
866 len = sizeof(struct type86x_reply) + t86r->length;
867 if (len > reply->bufsize || len > msg->bufsize ||
868 len != reply->len) {
869 pr_debug("len mismatch => EMSGSIZE\n");
870 msg->rc = -EMSGSIZE;
871 goto out;
872 }
873 memcpy(msg->msg, reply->msg, len);
874 msg->len = len;
875 break;
876 case CEXXC_RESPONSE_TYPE_XCRB:
877 if (t86r->fmt2.count2)
878 len = t86r->fmt2.offset2 + t86r->fmt2.count2;
879 else
880 len = t86r->fmt2.offset1 + t86r->fmt2.count1;
881 if (len > reply->bufsize || len > msg->bufsize ||
882 len != reply->len) {
883 pr_debug("len mismatch => EMSGSIZE\n");
884 msg->rc = -EMSGSIZE;
885 goto out;
886 }
887 memcpy(msg->msg, reply->msg, len);
888 msg->len = len;
889 break;
890 default:
891 memcpy(msg->msg, &error_reply, sizeof(error_reply));
892 msg->len = sizeof(error_reply);
893 }
894 } else {
895 memcpy(msg->msg, reply->msg, sizeof(error_reply));
896 msg->len = sizeof(error_reply);
897 }
898 out:
899 complete(&resp_type->work);
900 }
901
902 /*
903 * This function is called from the AP bus code after a crypto request
904 * "msg" has finished with the reply message "reply".
905 * It is called from tasklet context.
906 * @aq: pointer to the AP queue
907 * @msg: pointer to the AP message
908 * @reply: pointer to the AP reply message
909 */
zcrypt_msgtype6_receive_ep11(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)910 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
911 struct ap_message *msg,
912 struct ap_message *reply)
913 {
914 static struct error_hdr error_reply = {
915 .type = TYPE82_RSP_CODE,
916 .reply_code = REP82_ERROR_MACHINE_FAILURE,
917 };
918 struct ap_response_type *resp_type = &msg->response;
919 struct type86_ep11_reply *t86r;
920 int len;
921
922 /* Copy the reply message to the request message buffer. */
923 if (!reply)
924 goto out; /* ap_msg->rc indicates the error */
925 t86r = reply->msg;
926 if (t86r->hdr.type == TYPE86_RSP_CODE &&
927 t86r->cprbx.cprb_ver_id == 0x04) {
928 switch (resp_type->type) {
929 case CEXXC_RESPONSE_TYPE_EP11:
930 len = t86r->fmt2.offset1 + t86r->fmt2.count1;
931 if (len > reply->bufsize || len > msg->bufsize ||
932 len != reply->len) {
933 pr_debug("len mismatch => EMSGSIZE\n");
934 msg->rc = -EMSGSIZE;
935 goto out;
936 }
937 memcpy(msg->msg, reply->msg, len);
938 msg->len = len;
939 break;
940 default:
941 memcpy(msg->msg, &error_reply, sizeof(error_reply));
942 msg->len = sizeof(error_reply);
943 }
944 } else {
945 memcpy(msg->msg, reply->msg, sizeof(error_reply));
946 msg->len = sizeof(error_reply);
947 }
948 out:
949 complete(&resp_type->work);
950 }
951
952 static atomic_t zcrypt_step = ATOMIC_INIT(0);
953
954 /*
955 * The request distributor calls this function if it picked the CEXxC
956 * device to handle a modexpo request.
957 * @zq: pointer to zcrypt_queue structure that identifies the
958 * CEXxC device to the request distributor
959 * @mex: pointer to the modexpo request buffer
960 */
zcrypt_msgtype6_modexpo(struct zcrypt_queue * zq,struct ica_rsa_modexpo * mex,struct ap_message * ap_msg)961 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq,
962 struct ica_rsa_modexpo *mex,
963 struct ap_message *ap_msg)
964 {
965 struct ap_response_type *resp_type = &ap_msg->response;
966 int rc;
967
968 ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
969 if (!ap_msg->msg)
970 return -ENOMEM;
971 ap_msg->bufsize = PAGE_SIZE;
972 ap_msg->receive = zcrypt_msgtype6_receive;
973 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
974 atomic_inc_return(&zcrypt_step);
975 rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
976 if (rc)
977 goto out_free;
978 resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
979 init_completion(&resp_type->work);
980 rc = ap_queue_message(zq->queue, ap_msg);
981 if (rc)
982 goto out_free;
983 rc = wait_for_completion_interruptible(&resp_type->work);
984 if (rc == 0) {
985 rc = ap_msg->rc;
986 if (rc == 0)
987 rc = convert_response_ica(zq, ap_msg,
988 mex->outputdata,
989 mex->outputdatalength);
990 } else {
991 /* Signal pending. */
992 ap_cancel_message(zq->queue, ap_msg);
993 }
994
995 out_free:
996 free_page((unsigned long)ap_msg->msg);
997 ap_msg->msg = NULL;
998 return rc;
999 }
1000
1001 /*
1002 * The request distributor calls this function if it picked the CEXxC
1003 * device to handle a modexpo_crt request.
1004 * @zq: pointer to zcrypt_queue structure that identifies the
1005 * CEXxC device to the request distributor
1006 * @crt: pointer to the modexpoc_crt request buffer
1007 */
zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue * zq,struct ica_rsa_modexpo_crt * crt,struct ap_message * ap_msg)1008 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq,
1009 struct ica_rsa_modexpo_crt *crt,
1010 struct ap_message *ap_msg)
1011 {
1012 struct ap_response_type *resp_type = &ap_msg->response;
1013 int rc;
1014
1015 ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1016 if (!ap_msg->msg)
1017 return -ENOMEM;
1018 ap_msg->bufsize = PAGE_SIZE;
1019 ap_msg->receive = zcrypt_msgtype6_receive;
1020 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1021 atomic_inc_return(&zcrypt_step);
1022 rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
1023 if (rc)
1024 goto out_free;
1025 resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
1026 init_completion(&resp_type->work);
1027 rc = ap_queue_message(zq->queue, ap_msg);
1028 if (rc)
1029 goto out_free;
1030 rc = wait_for_completion_interruptible(&resp_type->work);
1031 if (rc == 0) {
1032 rc = ap_msg->rc;
1033 if (rc == 0)
1034 rc = convert_response_ica(zq, ap_msg,
1035 crt->outputdata,
1036 crt->outputdatalength);
1037 } else {
1038 /* Signal pending. */
1039 ap_cancel_message(zq->queue, ap_msg);
1040 }
1041
1042 out_free:
1043 free_page((unsigned long)ap_msg->msg);
1044 ap_msg->msg = NULL;
1045 return rc;
1046 }
1047
1048 /*
1049 * Prepare a CCA AP msg request.
1050 * Prepare a CCA AP msg: fetch the required data from userspace,
1051 * prepare the AP msg, fill some info into the ap_message struct,
1052 * extract some data from the CPRB and give back to the caller.
1053 * This function assumes that ap_msg has been initialized with
1054 * ap_init_apmsg() and thus a valid buffer with the size of
1055 * ap_msg->bufsize is available within ap_msg. Also the caller has
1056 * to make sure ap_release_apmsg() is always called even on failure.
1057 */
prep_cca_ap_msg(bool userspace,struct ica_xcRB * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned short ** dom)1058 int prep_cca_ap_msg(bool userspace, struct ica_xcRB *xcrb,
1059 struct ap_message *ap_msg,
1060 unsigned int *func_code, unsigned short **dom)
1061 {
1062 struct ap_response_type *resp_type = &ap_msg->response;
1063
1064 ap_msg->receive = zcrypt_msgtype6_receive;
1065 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1066 atomic_inc_return(&zcrypt_step);
1067 resp_type->type = CEXXC_RESPONSE_TYPE_XCRB;
1068 return xcrb_msg_to_type6cprb_msgx(userspace, ap_msg, xcrb, func_code, dom);
1069 }
1070
1071 /*
1072 * The request distributor calls this function if it picked the CEXxC
1073 * device to handle a send_cprb request.
1074 * @zq: pointer to zcrypt_queue structure that identifies the
1075 * CEXxC device to the request distributor
1076 * @xcrb: pointer to the send_cprb request buffer
1077 */
zcrypt_msgtype6_send_cprb(bool userspace,struct zcrypt_queue * zq,struct ica_xcRB * xcrb,struct ap_message * ap_msg)1078 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
1079 struct ica_xcRB *xcrb,
1080 struct ap_message *ap_msg)
1081 {
1082 struct ap_response_type *resp_type = &ap_msg->response;
1083 struct {
1084 struct type6_hdr hdr;
1085 struct CPRBX cprbx;
1086 /* ... more data blocks ... */
1087 } __packed * msg = ap_msg->msg;
1088 unsigned int max_payload_size;
1089 int rc, delta;
1090
1091 /* calculate maximum payload for this card and msg type */
1092 max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg);
1093
1094 /* limit each of the two from fields to the maximum payload size */
1095 msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size);
1096 msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size);
1097
1098 /* calculate delta if the sum of both exceeds max payload size */
1099 delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2
1100 - max_payload_size;
1101 if (delta > 0) {
1102 /*
1103 * Sum exceeds maximum payload size, prune fromcardlen1
1104 * (always trust fromcardlen2)
1105 */
1106 if (delta > msg->hdr.fromcardlen1) {
1107 rc = -EINVAL;
1108 goto out;
1109 }
1110 msg->hdr.fromcardlen1 -= delta;
1111 }
1112
1113 init_completion(&resp_type->work);
1114 rc = ap_queue_message(zq->queue, ap_msg);
1115 if (rc)
1116 goto out;
1117 rc = wait_for_completion_interruptible(&resp_type->work);
1118 if (rc == 0) {
1119 rc = ap_msg->rc;
1120 if (rc == 0)
1121 rc = convert_response_xcrb(userspace, zq, ap_msg, xcrb);
1122 } else {
1123 /* Signal pending. */
1124 ap_cancel_message(zq->queue, ap_msg);
1125 }
1126
1127 if (rc == -EAGAIN && ap_msg->flags & AP_MSG_FLAG_ADMIN)
1128 rc = -EIO; /* do not retry administrative requests */
1129
1130 out:
1131 if (rc)
1132 pr_debug("send cprb at dev=%02x.%04x rc=%d\n",
1133 AP_QID_CARD(zq->queue->qid),
1134 AP_QID_QUEUE(zq->queue->qid), rc);
1135 return rc;
1136 }
1137
1138 /*
1139 * Prepare an EP11 AP msg request.
1140 * Prepare an EP11 AP msg: fetch the required data from userspace,
1141 * prepare the AP msg, fill some info into the ap_message struct,
1142 * extract some data from the CPRB and give back to the caller.
1143 * This function assumes that ap_msg has been initialized with
1144 * ap_init_apmsg() and thus a valid buffer with the size of
1145 * ap_msg->bufsize is available within ap_msg. Also the caller has
1146 * to make sure ap_release_apmsg() is always called even on failure.
1147 */
prep_ep11_ap_msg(bool userspace,struct ep11_urb * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned int * domain)1148 int prep_ep11_ap_msg(bool userspace, struct ep11_urb *xcrb,
1149 struct ap_message *ap_msg,
1150 unsigned int *func_code, unsigned int *domain)
1151 {
1152 struct ap_response_type *resp_type = &ap_msg->response;
1153
1154 ap_msg->receive = zcrypt_msgtype6_receive_ep11;
1155 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1156 atomic_inc_return(&zcrypt_step);
1157 resp_type->type = CEXXC_RESPONSE_TYPE_EP11;
1158 return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb,
1159 func_code, domain);
1160 }
1161
1162 /*
1163 * The request distributor calls this function if it picked the CEX4P
1164 * device to handle a send_ep11_cprb request.
1165 * @zq: pointer to zcrypt_queue structure that identifies the
1166 * CEX4P device to the request distributor
1167 * @xcrb: pointer to the ep11 user request block
1168 */
zcrypt_msgtype6_send_ep11_cprb(bool userspace,struct zcrypt_queue * zq,struct ep11_urb * xcrb,struct ap_message * ap_msg)1169 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq,
1170 struct ep11_urb *xcrb,
1171 struct ap_message *ap_msg)
1172 {
1173 int rc;
1174 unsigned int lfmt;
1175 struct ap_response_type *resp_type = &ap_msg->response;
1176 struct {
1177 struct type6_hdr hdr;
1178 struct ep11_cprb cprbx;
1179 unsigned char pld_tag; /* fixed value 0x30 */
1180 unsigned char pld_lenfmt; /* payload length format */
1181 } __packed * msg = ap_msg->msg;
1182 struct pld_hdr {
1183 unsigned char func_tag; /* fixed value 0x4 */
1184 unsigned char func_len; /* fixed value 0x4 */
1185 unsigned int func_val; /* function ID */
1186 unsigned char dom_tag; /* fixed value 0x4 */
1187 unsigned char dom_len; /* fixed value 0x4 */
1188 unsigned int dom_val; /* domain id */
1189 } __packed * payload_hdr = NULL;
1190
1191 /*
1192 * The target domain field within the cprb body/payload block will be
1193 * replaced by the usage domain for non-management commands only.
1194 * Therefore we check the first bit of the 'flags' parameter for
1195 * management command indication.
1196 * 0 - non management command
1197 * 1 - management command
1198 */
1199 if (!((msg->cprbx.flags & 0x80) == 0x80)) {
1200 msg->cprbx.target_id = (unsigned int)
1201 AP_QID_QUEUE(zq->queue->qid);
1202
1203 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
1204 switch (msg->pld_lenfmt & 0x03) {
1205 case 1:
1206 lfmt = 2;
1207 break;
1208 case 2:
1209 lfmt = 3;
1210 break;
1211 default:
1212 return -EINVAL;
1213 }
1214 } else {
1215 lfmt = 1; /* length format #1 */
1216 }
1217 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
1218 payload_hdr->dom_val = (unsigned int)
1219 AP_QID_QUEUE(zq->queue->qid);
1220 }
1221
1222 /*
1223 * Set the queue's reply buffer length minus the two prepend headers
1224 * as reply limit for the card firmware.
1225 */
1226 msg->hdr.fromcardlen1 = zq->reply.bufsize -
1227 sizeof(struct type86_hdr) - sizeof(struct type86_fmt2_ext);
1228
1229 init_completion(&resp_type->work);
1230 rc = ap_queue_message(zq->queue, ap_msg);
1231 if (rc)
1232 goto out;
1233 rc = wait_for_completion_interruptible(&resp_type->work);
1234 if (rc == 0) {
1235 rc = ap_msg->rc;
1236 if (rc == 0)
1237 rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb);
1238 } else {
1239 /* Signal pending. */
1240 ap_cancel_message(zq->queue, ap_msg);
1241 }
1242
1243 if (rc == -EAGAIN && ap_msg->flags & AP_MSG_FLAG_ADMIN)
1244 rc = -EIO; /* do not retry administrative requests */
1245
1246 out:
1247 if (rc)
1248 pr_debug("send cprb at dev=%02x.%04x rc=%d\n",
1249 AP_QID_CARD(zq->queue->qid),
1250 AP_QID_QUEUE(zq->queue->qid), rc);
1251 return rc;
1252 }
1253
1254 /*
1255 * Prepare a CEXXC get random request ap message.
1256 * This function assumes that ap_msg has been initialized with
1257 * ap_init_apmsg() and thus a valid buffer with the size of
1258 * ap_max_msg_size is available within ap_msg. Also the caller has
1259 * to make sure ap_release_apmsg() is always called even on failure.
1260 */
prep_rng_ap_msg(struct ap_message * ap_msg,int * func_code,unsigned int * domain)1261 int prep_rng_ap_msg(struct ap_message *ap_msg, int *func_code,
1262 unsigned int *domain)
1263 {
1264 struct ap_response_type *resp_type = &ap_msg->response;
1265
1266 if (ap_msg->bufsize < AP_DEFAULT_MAX_MSG_SIZE)
1267 return -EMSGSIZE;
1268 ap_msg->receive = zcrypt_msgtype6_receive;
1269 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1270 atomic_inc_return(&zcrypt_step);
1271
1272 resp_type->type = CEXXC_RESPONSE_TYPE_XCRB;
1273
1274 rng_type6cprb_msgx(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain);
1275
1276 *func_code = HWRNG;
1277 return 0;
1278 }
1279
1280 /*
1281 * The request distributor calls this function if it picked the CEXxC
1282 * device to generate random data.
1283 * @zq: pointer to zcrypt_queue structure that identifies the
1284 * CEXxC device to the request distributor
1285 * @buffer: pointer to a memory page to return random data
1286 */
zcrypt_msgtype6_rng(struct zcrypt_queue * zq,char * buffer,struct ap_message * ap_msg)1287 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
1288 char *buffer, struct ap_message *ap_msg)
1289 {
1290 struct {
1291 struct type6_hdr hdr;
1292 struct CPRBX cprbx;
1293 char function_code[2];
1294 short int rule_length;
1295 char rule[8];
1296 short int verb_length;
1297 short int key_length;
1298 } __packed * msg = ap_msg->msg;
1299 struct ap_response_type *resp_type = &ap_msg->response;
1300 int rc;
1301
1302 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1303
1304 init_completion(&resp_type->work);
1305 rc = ap_queue_message(zq->queue, ap_msg);
1306 if (rc)
1307 goto out;
1308 rc = wait_for_completion_interruptible(&resp_type->work);
1309 if (rc == 0) {
1310 rc = ap_msg->rc;
1311 if (rc == 0)
1312 rc = convert_response_rng(zq, ap_msg, buffer);
1313 } else {
1314 /* Signal pending. */
1315 ap_cancel_message(zq->queue, ap_msg);
1316 }
1317 out:
1318 return rc;
1319 }
1320
1321 /*
1322 * The crypto operations for a CEXxC card.
1323 */
1324
1325 static struct zcrypt_ops zcrypt_msgtype6_ops = {
1326 .owner = THIS_MODULE,
1327 .name = MSGTYPE06_NAME,
1328 .variant = MSGTYPE06_VARIANT_DEFAULT,
1329 .rsa_modexpo = zcrypt_msgtype6_modexpo,
1330 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1331 .send_cprb = zcrypt_msgtype6_send_cprb,
1332 .rng = zcrypt_msgtype6_rng,
1333 };
1334
1335 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = {
1336 .owner = THIS_MODULE,
1337 .name = MSGTYPE06_NAME,
1338 .variant = MSGTYPE06_VARIANT_EP11,
1339 .rsa_modexpo = NULL,
1340 .rsa_modexpo_crt = NULL,
1341 .send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb,
1342 };
1343
zcrypt_msgtype6_init(void)1344 void __init zcrypt_msgtype6_init(void)
1345 {
1346 zcrypt_msgtype_register(&zcrypt_msgtype6_ops);
1347 zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops);
1348 }
1349
zcrypt_msgtype6_exit(void)1350 void __exit zcrypt_msgtype6_exit(void)
1351 {
1352 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops);
1353 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops);
1354 }
1355