1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
6 *
7 * Collection of CCA misc functions used by zcrypt and pkey
8 */
9
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
12
13 #include <linux/export.h>
14 #include <linux/init.h>
15 #include <linux/mempool.h>
16 #include <linux/module.h>
17 #include <linux/slab.h>
18 #include <linux/random.h>
19 #include <asm/zcrypt.h>
20 #include <asm/pkey.h>
21
22 #include "ap_bus.h"
23 #include "zcrypt_api.h"
24 #include "zcrypt_debug.h"
25 #include "zcrypt_msgtype6.h"
26 #include "zcrypt_ccamisc.h"
27
28 /* Size of parameter block used for all cca requests/replies */
29 #define PARMBSIZE 512
30
31 /* Size of vardata block used for some of the cca requests/replies */
32 #define VARDATASIZE 4096
33
34 /*
35 * Cprb memory pool held for urgent cases where no memory
36 * can be allocated via kmalloc. This pool is only used
37 * when alloc_and_prep_cprbmem() is called with the xflag
38 * ZCRYPT_XFLAG_NOMEMALLOC. The cprb memory needs to hold
39 * space for request AND reply!
40 */
41 #define CPRB_MEMPOOL_ITEM_SIZE (16 * 1024)
42 static mempool_t *cprb_mempool;
43
44 /*
45 * This is a pre-allocated memory for the device status array
46 * used within the findcard() functions. It is currently
47 * 128 * 128 * 4 bytes = 64 KB big. Usage of this memory is
48 * controlled via dev_status_mem_mutex. Needs adaption if more
49 * than 128 cards or domains to be are supported.
50 */
51 #define ZCRYPT_DEV_STATUS_CARD_MAX 128
52 #define ZCRYPT_DEV_STATUS_QUEUE_MAX 128
53 #define ZCRYPT_DEV_STATUS_ENTRIES (ZCRYPT_DEV_STATUS_CARD_MAX * \
54 ZCRYPT_DEV_STATUS_QUEUE_MAX)
55 #define ZCRYPT_DEV_STATUS_EXT_SIZE (ZCRYPT_DEV_STATUS_ENTRIES * \
56 sizeof(struct zcrypt_device_status_ext))
57 static void *dev_status_mem;
58 static DEFINE_MUTEX(dev_status_mem_mutex);
59
60 /*
61 * Simple check if the token is a valid CCA secure AES data key
62 * token. If keybitsize is given, the bitsize of the key is
63 * also checked. Returns 0 on success or errno value on failure.
64 */
cca_check_secaeskeytoken(debug_info_t * dbg,int dbflvl,const u8 * token,int keybitsize)65 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
66 const u8 *token, int keybitsize)
67 {
68 struct secaeskeytoken *t = (struct secaeskeytoken *)token;
69
70 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
71
72 if (t->type != TOKTYPE_CCA_INTERNAL) {
73 if (dbg)
74 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
75 __func__, (int)t->type, TOKTYPE_CCA_INTERNAL);
76 return -EINVAL;
77 }
78 if (t->version != TOKVER_CCA_AES) {
79 if (dbg)
80 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
81 __func__, (int)t->version, TOKVER_CCA_AES);
82 return -EINVAL;
83 }
84 if (keybitsize > 0 && t->bitsize != keybitsize) {
85 if (dbg)
86 DBF("%s token check failed, bitsize %d != %d\n",
87 __func__, (int)t->bitsize, keybitsize);
88 return -EINVAL;
89 }
90
91 #undef DBF
92
93 return 0;
94 }
95 EXPORT_SYMBOL(cca_check_secaeskeytoken);
96
97 /*
98 * Simple check if the token is a valid CCA secure AES cipher key
99 * token. If keybitsize is given, the bitsize of the key is
100 * also checked. If checkcpacfexport is enabled, the key is also
101 * checked for the export flag to allow CPACF export.
102 * Returns 0 on success or errno value on failure.
103 */
cca_check_secaescipherkey(debug_info_t * dbg,int dbflvl,const u8 * token,int keybitsize,int checkcpacfexport)104 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
105 const u8 *token, int keybitsize,
106 int checkcpacfexport)
107 {
108 struct cipherkeytoken *t = (struct cipherkeytoken *)token;
109 bool keybitsizeok = true;
110
111 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
112
113 if (t->type != TOKTYPE_CCA_INTERNAL) {
114 if (dbg)
115 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
116 __func__, (int)t->type, TOKTYPE_CCA_INTERNAL);
117 return -EINVAL;
118 }
119 if (t->version != TOKVER_CCA_VLSC) {
120 if (dbg)
121 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
122 __func__, (int)t->version, TOKVER_CCA_VLSC);
123 return -EINVAL;
124 }
125 if (t->algtype != 0x02) {
126 if (dbg)
127 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
128 __func__, (int)t->algtype);
129 return -EINVAL;
130 }
131 if (t->keytype != 0x0001) {
132 if (dbg)
133 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
134 __func__, (int)t->keytype);
135 return -EINVAL;
136 }
137 if (t->plfver != 0x00 && t->plfver != 0x01) {
138 if (dbg)
139 DBF("%s token check failed, unknown plfver 0x%02x\n",
140 __func__, (int)t->plfver);
141 return -EINVAL;
142 }
143 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
144 if (dbg)
145 DBF("%s token check failed, unknown wpllen %d\n",
146 __func__, (int)t->wpllen);
147 return -EINVAL;
148 }
149 if (keybitsize > 0) {
150 switch (keybitsize) {
151 case 128:
152 if (t->wpllen != (t->plfver ? 640 : 512))
153 keybitsizeok = false;
154 break;
155 case 192:
156 if (t->wpllen != (t->plfver ? 640 : 576))
157 keybitsizeok = false;
158 break;
159 case 256:
160 if (t->wpllen != 640)
161 keybitsizeok = false;
162 break;
163 default:
164 keybitsizeok = false;
165 break;
166 }
167 if (!keybitsizeok) {
168 if (dbg)
169 DBF("%s token check failed, bitsize %d\n",
170 __func__, keybitsize);
171 return -EINVAL;
172 }
173 }
174 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
175 if (dbg)
176 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
177 __func__);
178 return -EINVAL;
179 }
180
181 #undef DBF
182
183 return 0;
184 }
185 EXPORT_SYMBOL(cca_check_secaescipherkey);
186
187 /*
188 * Simple check if the token is a valid CCA secure ECC private
189 * key token. Returns 0 on success or errno value on failure.
190 */
cca_check_sececckeytoken(debug_info_t * dbg,int dbflvl,const u8 * token,u32 keysize,int checkcpacfexport)191 int cca_check_sececckeytoken(debug_info_t *dbg, int dbflvl,
192 const u8 *token, u32 keysize,
193 int checkcpacfexport)
194 {
195 struct eccprivkeytoken *t = (struct eccprivkeytoken *)token;
196
197 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
198
199 if (t->type != TOKTYPE_CCA_INTERNAL_PKA) {
200 if (dbg)
201 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
202 __func__, (int)t->type, TOKTYPE_CCA_INTERNAL_PKA);
203 return -EINVAL;
204 }
205 if (t->len > keysize) {
206 if (dbg)
207 DBF("%s token check failed, len %d > keysize %u\n",
208 __func__, (int)t->len, keysize);
209 return -EINVAL;
210 }
211 if (t->secid != 0x20) {
212 if (dbg)
213 DBF("%s token check failed, secid 0x%02x != 0x20\n",
214 __func__, (int)t->secid);
215 return -EINVAL;
216 }
217 if (checkcpacfexport && !(t->kutc & 0x01)) {
218 if (dbg)
219 DBF("%s token check failed, XPRTCPAC bit is 0\n",
220 __func__);
221 return -EINVAL;
222 }
223
224 #undef DBF
225
226 return 0;
227 }
228 EXPORT_SYMBOL(cca_check_sececckeytoken);
229
230 /*
231 * Allocate consecutive memory for request CPRB, request param
232 * block, reply CPRB and reply param block and fill in values
233 * for the common fields. Returns 0 on success or errno value
234 * on failure.
235 */
alloc_and_prep_cprbmem(size_t paramblen,u8 ** p_cprb_mem,struct CPRBX ** p_req_cprb,struct CPRBX ** p_rep_cprb,u32 xflags)236 static int alloc_and_prep_cprbmem(size_t paramblen,
237 u8 **p_cprb_mem,
238 struct CPRBX **p_req_cprb,
239 struct CPRBX **p_rep_cprb,
240 u32 xflags)
241 {
242 u8 *cprbmem = NULL;
243 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
244 size_t len = 2 * cprbplusparamblen;
245 struct CPRBX *preqcblk, *prepcblk;
246
247 /*
248 * allocate consecutive memory for request CPRB, request param
249 * block, reply CPRB and reply param block
250 */
251 if (xflags & ZCRYPT_XFLAG_NOMEMALLOC) {
252 if (len <= CPRB_MEMPOOL_ITEM_SIZE)
253 cprbmem = mempool_alloc_preallocated(cprb_mempool);
254 } else {
255 cprbmem = kmalloc(len, GFP_KERNEL);
256 }
257 if (!cprbmem)
258 return -ENOMEM;
259 memset(cprbmem, 0, len);
260
261 preqcblk = (struct CPRBX *)cprbmem;
262 prepcblk = (struct CPRBX *)(cprbmem + cprbplusparamblen);
263
264 /* fill request cprb struct */
265 preqcblk->cprb_len = sizeof(struct CPRBX);
266 preqcblk->cprb_ver_id = 0x02;
267 memcpy(preqcblk->func_id, "T2", 2);
268 preqcblk->rpl_msgbl = cprbplusparamblen;
269 if (paramblen) {
270 preqcblk->req_parmb =
271 ((u8 __user *)preqcblk) + sizeof(struct CPRBX);
272 preqcblk->rpl_parmb =
273 ((u8 __user *)prepcblk) + sizeof(struct CPRBX);
274 }
275
276 *p_cprb_mem = cprbmem;
277 *p_req_cprb = preqcblk;
278 *p_rep_cprb = prepcblk;
279
280 return 0;
281 }
282
283 /*
284 * Free the cprb memory allocated with the function above.
285 * If the scrub value is not zero, the memory is filled
286 * with zeros before freeing (useful if there was some
287 * clear key material in there).
288 */
free_cprbmem(void * mem,size_t paramblen,bool scrub,u32 xflags)289 static void free_cprbmem(void *mem, size_t paramblen, bool scrub, u32 xflags)
290 {
291 if (mem && scrub)
292 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
293
294 if (xflags & ZCRYPT_XFLAG_NOMEMALLOC)
295 mempool_free(mem, cprb_mempool);
296 else
297 kfree(mem);
298 }
299
300 /*
301 * Helper function to prepare the xcrb struct
302 */
prep_xcrb(struct ica_xcRB * pxcrb,u16 cardnr,struct CPRBX * preqcblk,struct CPRBX * prepcblk)303 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
304 u16 cardnr,
305 struct CPRBX *preqcblk,
306 struct CPRBX *prepcblk)
307 {
308 memset(pxcrb, 0, sizeof(*pxcrb));
309 pxcrb->agent_ID = 0x4341; /* 'CA' */
310 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
311 pxcrb->request_control_blk_length =
312 preqcblk->cprb_len + preqcblk->req_parml;
313 pxcrb->request_control_blk_addr = (void __user *)preqcblk;
314 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
315 pxcrb->reply_control_blk_addr = (void __user *)prepcblk;
316 }
317
318 /*
319 * Generate (random) CCA AES DATA secure key.
320 */
cca_genseckey(u16 cardnr,u16 domain,u32 keybitsize,u8 * seckey,u32 xflags)321 int cca_genseckey(u16 cardnr, u16 domain,
322 u32 keybitsize, u8 *seckey, u32 xflags)
323 {
324 int i, rc, keysize;
325 int seckeysize;
326 u8 *mem, *ptr;
327 struct CPRBX *preqcblk, *prepcblk;
328 struct ica_xcRB xcrb;
329 struct kgreqparm {
330 u8 subfunc_code[2];
331 u16 rule_array_len;
332 struct lv1 {
333 u16 len;
334 char key_form[8];
335 char key_length[8];
336 char key_type1[8];
337 char key_type2[8];
338 } lv1;
339 struct lv2 {
340 u16 len;
341 struct keyid {
342 u16 len;
343 u16 attr;
344 u8 data[SECKEYBLOBSIZE];
345 } keyid[6];
346 } lv2;
347 } __packed * preqparm;
348 struct kgrepparm {
349 u8 subfunc_code[2];
350 u16 rule_array_len;
351 struct lv3 {
352 u16 len;
353 u16 keyblocklen;
354 struct {
355 u16 toklen;
356 u16 tokattr;
357 u8 tok[];
358 /* ... some more data ... */
359 } keyblock;
360 } lv3;
361 } __packed * prepparm;
362
363 /* get already prepared memory for 2 cprbs with param block each */
364 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem,
365 &preqcblk, &prepcblk, xflags);
366 if (rc)
367 return rc;
368
369 /* fill request cprb struct */
370 preqcblk->domain = domain;
371
372 /* fill request cprb param block with KG request */
373 preqparm = (struct kgreqparm __force *)preqcblk->req_parmb;
374 memcpy(preqparm->subfunc_code, "KG", 2);
375 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
376 preqparm->lv1.len = sizeof(struct lv1);
377 memcpy(preqparm->lv1.key_form, "OP ", 8);
378 switch (keybitsize) {
379 case PKEY_SIZE_AES_128:
380 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
381 keysize = 16;
382 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
383 break;
384 case PKEY_SIZE_AES_192:
385 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
386 keysize = 24;
387 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
388 break;
389 case PKEY_SIZE_AES_256:
390 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
391 keysize = 32;
392 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
393 break;
394 default:
395 ZCRYPT_DBF_ERR("%s unknown/unsupported keybitsize %d\n",
396 __func__, keybitsize);
397 rc = -EINVAL;
398 goto out;
399 }
400 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
401 preqparm->lv2.len = sizeof(struct lv2);
402 for (i = 0; i < 6; i++) {
403 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
404 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
405 }
406 preqcblk->req_parml = sizeof(struct kgreqparm);
407
408 /* fill xcrb struct */
409 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
410
411 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
412 rc = zcrypt_send_cprb(&xcrb, xflags);
413 if (rc) {
414 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
415 __func__, (int)cardnr, (int)domain, rc);
416 goto out;
417 }
418
419 /* check response returncode and reasoncode */
420 if (prepcblk->ccp_rtcode != 0) {
421 ZCRYPT_DBF_ERR("%s secure key generate failure, card response %d/%d\n",
422 __func__,
423 (int)prepcblk->ccp_rtcode,
424 (int)prepcblk->ccp_rscode);
425 rc = -EIO;
426 goto out;
427 }
428
429 /* process response cprb param block */
430 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
431 prepcblk->rpl_parmb = (u8 __user *)ptr;
432 prepparm = (struct kgrepparm *)ptr;
433
434 /* check length of the returned secure key token */
435 seckeysize = prepparm->lv3.keyblock.toklen
436 - sizeof(prepparm->lv3.keyblock.toklen)
437 - sizeof(prepparm->lv3.keyblock.tokattr);
438 if (seckeysize != SECKEYBLOBSIZE) {
439 ZCRYPT_DBF_ERR("%s secure token size mismatch %d != %d bytes\n",
440 __func__, seckeysize, SECKEYBLOBSIZE);
441 rc = -EIO;
442 goto out;
443 }
444
445 /* check secure key token */
446 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
447 prepparm->lv3.keyblock.tok, 8 * keysize);
448 if (rc) {
449 rc = -EIO;
450 goto out;
451 }
452
453 /* copy the generated secure key token */
454 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
455
456 out:
457 free_cprbmem(mem, PARMBSIZE, false, xflags);
458 return rc;
459 }
460 EXPORT_SYMBOL(cca_genseckey);
461
462 /*
463 * Generate an CCA AES DATA secure key with given key value.
464 */
cca_clr2seckey(u16 cardnr,u16 domain,u32 keybitsize,const u8 * clrkey,u8 * seckey,u32 xflags)465 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
466 const u8 *clrkey, u8 *seckey, u32 xflags)
467 {
468 int rc, keysize, seckeysize;
469 u8 *mem, *ptr;
470 struct CPRBX *preqcblk, *prepcblk;
471 struct ica_xcRB xcrb;
472 struct cmreqparm {
473 u8 subfunc_code[2];
474 u16 rule_array_len;
475 char rule_array[8];
476 struct lv1 {
477 u16 len;
478 u8 clrkey[];
479 } lv1;
480 /* followed by struct lv2 */
481 } __packed * preqparm;
482 struct lv2 {
483 u16 len;
484 struct keyid {
485 u16 len;
486 u16 attr;
487 u8 data[SECKEYBLOBSIZE];
488 } keyid;
489 } __packed * plv2;
490 struct cmrepparm {
491 u8 subfunc_code[2];
492 u16 rule_array_len;
493 struct lv3 {
494 u16 len;
495 u16 keyblocklen;
496 struct {
497 u16 toklen;
498 u16 tokattr;
499 u8 tok[];
500 /* ... some more data ... */
501 } keyblock;
502 } lv3;
503 } __packed * prepparm;
504
505 /* get already prepared memory for 2 cprbs with param block each */
506 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem,
507 &preqcblk, &prepcblk, xflags);
508 if (rc)
509 return rc;
510
511 /* fill request cprb struct */
512 preqcblk->domain = domain;
513
514 /* fill request cprb param block with CM request */
515 preqparm = (struct cmreqparm __force *)preqcblk->req_parmb;
516 memcpy(preqparm->subfunc_code, "CM", 2);
517 memcpy(preqparm->rule_array, "AES ", 8);
518 preqparm->rule_array_len =
519 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
520 switch (keybitsize) {
521 case PKEY_SIZE_AES_128:
522 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
523 keysize = 16;
524 break;
525 case PKEY_SIZE_AES_192:
526 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
527 keysize = 24;
528 break;
529 case PKEY_SIZE_AES_256:
530 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
531 keysize = 32;
532 break;
533 default:
534 ZCRYPT_DBF_ERR("%s unknown/unsupported keybitsize %d\n",
535 __func__, keybitsize);
536 rc = -EINVAL;
537 goto out;
538 }
539 preqparm->lv1.len = sizeof(struct lv1) + keysize;
540 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
541 plv2 = (struct lv2 *)(((u8 *)preqparm) + sizeof(*preqparm) + keysize);
542 plv2->len = sizeof(struct lv2);
543 plv2->keyid.len = sizeof(struct keyid);
544 plv2->keyid.attr = 0x30;
545 preqcblk->req_parml = sizeof(*preqparm) + keysize + sizeof(*plv2);
546
547 /* fill xcrb struct */
548 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
549
550 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
551 rc = zcrypt_send_cprb(&xcrb, xflags);
552 if (rc) {
553 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
554 __func__, (int)cardnr, (int)domain, rc);
555 goto out;
556 }
557
558 /* check response returncode and reasoncode */
559 if (prepcblk->ccp_rtcode != 0) {
560 ZCRYPT_DBF_ERR("%s clear key import failure, card response %d/%d\n",
561 __func__,
562 (int)prepcblk->ccp_rtcode,
563 (int)prepcblk->ccp_rscode);
564 rc = -EIO;
565 goto out;
566 }
567
568 /* process response cprb param block */
569 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
570 prepcblk->rpl_parmb = (u8 __user *)ptr;
571 prepparm = (struct cmrepparm *)ptr;
572
573 /* check length of the returned secure key token */
574 seckeysize = prepparm->lv3.keyblock.toklen
575 - sizeof(prepparm->lv3.keyblock.toklen)
576 - sizeof(prepparm->lv3.keyblock.tokattr);
577 if (seckeysize != SECKEYBLOBSIZE) {
578 ZCRYPT_DBF_ERR("%s secure token size mismatch %d != %d bytes\n",
579 __func__, seckeysize, SECKEYBLOBSIZE);
580 rc = -EIO;
581 goto out;
582 }
583
584 /* check secure key token */
585 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
586 prepparm->lv3.keyblock.tok, 8 * keysize);
587 if (rc) {
588 rc = -EIO;
589 goto out;
590 }
591
592 /* copy the generated secure key token */
593 if (seckey)
594 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
595
596 out:
597 free_cprbmem(mem, PARMBSIZE, true, xflags);
598 return rc;
599 }
600 EXPORT_SYMBOL(cca_clr2seckey);
601
602 /*
603 * Derive proteced key from an CCA AES DATA secure key.
604 */
cca_sec2protkey(u16 cardnr,u16 domain,const u8 * seckey,u8 * protkey,u32 * protkeylen,u32 * protkeytype,u32 xflags)605 int cca_sec2protkey(u16 cardnr, u16 domain,
606 const u8 *seckey, u8 *protkey, u32 *protkeylen,
607 u32 *protkeytype, u32 xflags)
608 {
609 int rc;
610 u8 *mem, *ptr;
611 struct CPRBX *preqcblk, *prepcblk;
612 struct ica_xcRB xcrb;
613 struct uskreqparm {
614 u8 subfunc_code[2];
615 u16 rule_array_len;
616 struct lv1 {
617 u16 len;
618 u16 attr_len;
619 u16 attr_flags;
620 } lv1;
621 struct lv2 {
622 u16 len;
623 u16 attr_len;
624 u16 attr_flags;
625 u8 token[]; /* cca secure key token */
626 } lv2;
627 } __packed * preqparm;
628 struct uskrepparm {
629 u8 subfunc_code[2];
630 u16 rule_array_len;
631 struct lv3 {
632 u16 len;
633 u16 attr_len;
634 u16 attr_flags;
635 struct cpacfkeyblock {
636 u8 version; /* version of this struct */
637 u8 flags[2];
638 u8 algo;
639 u8 form;
640 u8 pad1[3];
641 u16 len;
642 u8 key[64]; /* the key (len bytes) */
643 u16 keyattrlen;
644 u8 keyattr[32];
645 u8 pad2[1];
646 u8 vptype;
647 u8 vp[32]; /* verification pattern */
648 } ckb;
649 } lv3;
650 } __packed * prepparm;
651
652 /* get already prepared memory for 2 cprbs with param block each */
653 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem,
654 &preqcblk, &prepcblk, xflags);
655 if (rc)
656 return rc;
657
658 /* fill request cprb struct */
659 preqcblk->domain = domain;
660
661 /* fill request cprb param block with USK request */
662 preqparm = (struct uskreqparm __force *)preqcblk->req_parmb;
663 memcpy(preqparm->subfunc_code, "US", 2);
664 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
665 preqparm->lv1.len = sizeof(struct lv1);
666 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
667 preqparm->lv1.attr_flags = 0x0001;
668 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
669 preqparm->lv2.attr_len = sizeof(struct lv2)
670 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
671 preqparm->lv2.attr_flags = 0x0000;
672 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
673 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
674
675 /* fill xcrb struct */
676 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
677
678 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
679 rc = zcrypt_send_cprb(&xcrb, xflags);
680 if (rc) {
681 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
682 __func__, (int)cardnr, (int)domain, rc);
683 goto out;
684 }
685
686 /* check response returncode and reasoncode */
687 if (prepcblk->ccp_rtcode != 0) {
688 ZCRYPT_DBF_ERR("%s unwrap secure key failure, card response %d/%d\n",
689 __func__,
690 (int)prepcblk->ccp_rtcode,
691 (int)prepcblk->ccp_rscode);
692 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
693 rc = -EBUSY;
694 else
695 rc = -EIO;
696 goto out;
697 }
698 if (prepcblk->ccp_rscode != 0) {
699 ZCRYPT_DBF_WARN("%s unwrap secure key warning, card response %d/%d\n",
700 __func__,
701 (int)prepcblk->ccp_rtcode,
702 (int)prepcblk->ccp_rscode);
703 }
704
705 /* process response cprb param block */
706 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
707 prepcblk->rpl_parmb = (u8 __user *)ptr;
708 prepparm = (struct uskrepparm *)ptr;
709
710 /* check the returned keyblock */
711 if (prepparm->lv3.ckb.version != 0x01 &&
712 prepparm->lv3.ckb.version != 0x02) {
713 ZCRYPT_DBF_ERR("%s reply param keyblock version mismatch 0x%02x\n",
714 __func__, (int)prepparm->lv3.ckb.version);
715 rc = -EIO;
716 goto out;
717 }
718
719 /* copy the translated protected key */
720 switch (prepparm->lv3.ckb.len) {
721 case 16 + 32:
722 /* AES 128 protected key */
723 if (protkeytype)
724 *protkeytype = PKEY_KEYTYPE_AES_128;
725 break;
726 case 24 + 32:
727 /* AES 192 protected key */
728 if (protkeytype)
729 *protkeytype = PKEY_KEYTYPE_AES_192;
730 break;
731 case 32 + 32:
732 /* AES 256 protected key */
733 if (protkeytype)
734 *protkeytype = PKEY_KEYTYPE_AES_256;
735 break;
736 default:
737 ZCRYPT_DBF_ERR("%s unknown/unsupported keylen %d\n",
738 __func__, prepparm->lv3.ckb.len);
739 rc = -EIO;
740 goto out;
741 }
742 memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
743 if (protkeylen)
744 *protkeylen = prepparm->lv3.ckb.len;
745
746 out:
747 free_cprbmem(mem, PARMBSIZE, true, xflags);
748 return rc;
749 }
750 EXPORT_SYMBOL(cca_sec2protkey);
751
752 /*
753 * AES cipher key skeleton created with CSNBKTB2 with these flags:
754 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
755 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
756 * used by cca_gencipherkey() and cca_clr2cipherkey().
757 */
758 static const u8 aes_cipher_key_skeleton[] = {
759 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
760 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
763 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
764 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
765 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
766 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
767
768 /*
769 * Generate (random) CCA AES CIPHER secure key.
770 */
cca_gencipherkey(u16 cardnr,u16 domain,u32 keybitsize,u32 keygenflags,u8 * keybuf,u32 * keybufsize,u32 xflags)771 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
772 u8 *keybuf, u32 *keybufsize, u32 xflags)
773 {
774 int rc;
775 u8 *mem, *ptr;
776 struct CPRBX *preqcblk, *prepcblk;
777 struct ica_xcRB xcrb;
778 struct gkreqparm {
779 u8 subfunc_code[2];
780 u16 rule_array_len;
781 char rule_array[2 * 8];
782 struct {
783 u16 len;
784 u8 key_type_1[8];
785 u8 key_type_2[8];
786 u16 clear_key_bit_len;
787 u16 key_name_1_len;
788 u16 key_name_2_len;
789 u16 user_data_1_len;
790 u16 user_data_2_len;
791 /* u8 key_name_1[]; */
792 /* u8 key_name_2[]; */
793 /* u8 user_data_1[]; */
794 /* u8 user_data_2[]; */
795 } vud;
796 struct {
797 u16 len;
798 struct {
799 u16 len;
800 u16 flag;
801 /* u8 kek_id_1[]; */
802 } tlv1;
803 struct {
804 u16 len;
805 u16 flag;
806 /* u8 kek_id_2[]; */
807 } tlv2;
808 struct {
809 u16 len;
810 u16 flag;
811 u8 gen_key_id_1[SIZEOF_SKELETON];
812 } tlv3;
813 struct {
814 u16 len;
815 u16 flag;
816 /* u8 gen_key_id_1_label[]; */
817 } tlv4;
818 struct {
819 u16 len;
820 u16 flag;
821 /* u8 gen_key_id_2[]; */
822 } tlv5;
823 struct {
824 u16 len;
825 u16 flag;
826 /* u8 gen_key_id_2_label[]; */
827 } tlv6;
828 } kb;
829 } __packed * preqparm;
830 struct gkrepparm {
831 u8 subfunc_code[2];
832 u16 rule_array_len;
833 struct {
834 u16 len;
835 } vud;
836 struct {
837 u16 len;
838 struct {
839 u16 len;
840 u16 flag;
841 u8 gen_key[]; /* 120-136 bytes */
842 } tlv1;
843 } kb;
844 } __packed * prepparm;
845 struct cipherkeytoken *t;
846
847 /* get already prepared memory for 2 cprbs with param block each */
848 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem,
849 &preqcblk, &prepcblk, xflags);
850 if (rc)
851 return rc;
852
853 /* fill request cprb struct */
854 preqcblk->domain = domain;
855 preqcblk->req_parml = sizeof(struct gkreqparm);
856
857 /* prepare request param block with GK request */
858 preqparm = (struct gkreqparm __force *)preqcblk->req_parmb;
859 memcpy(preqparm->subfunc_code, "GK", 2);
860 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
861 memcpy(preqparm->rule_array, "AES OP ", 2 * 8);
862
863 /* prepare vud block */
864 preqparm->vud.len = sizeof(preqparm->vud);
865 switch (keybitsize) {
866 case 128:
867 case 192:
868 case 256:
869 break;
870 default:
871 ZCRYPT_DBF_ERR("%s unknown/unsupported keybitsize %d\n",
872 __func__, keybitsize);
873 rc = -EINVAL;
874 goto out;
875 }
876 preqparm->vud.clear_key_bit_len = keybitsize;
877 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
878 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
879
880 /* prepare kb block */
881 preqparm->kb.len = sizeof(preqparm->kb);
882 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
883 preqparm->kb.tlv1.flag = 0x0030;
884 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
885 preqparm->kb.tlv2.flag = 0x0030;
886 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
887 preqparm->kb.tlv3.flag = 0x0030;
888 memcpy(preqparm->kb.tlv3.gen_key_id_1,
889 aes_cipher_key_skeleton, SIZEOF_SKELETON);
890 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
891 preqparm->kb.tlv4.flag = 0x0030;
892 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
893 preqparm->kb.tlv5.flag = 0x0030;
894 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
895 preqparm->kb.tlv6.flag = 0x0030;
896
897 /* patch the skeleton key token export flags inside the kb block */
898 if (keygenflags) {
899 t = (struct cipherkeytoken *)preqparm->kb.tlv3.gen_key_id_1;
900 t->kmf1 |= (u16)(keygenflags & 0x0000FF00);
901 t->kmf1 &= (u16)~(keygenflags & 0x000000FF);
902 }
903
904 /* prepare xcrb struct */
905 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
906
907 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
908 rc = zcrypt_send_cprb(&xcrb, xflags);
909 if (rc) {
910 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
911 __func__, (int)cardnr, (int)domain, rc);
912 goto out;
913 }
914
915 /* check response returncode and reasoncode */
916 if (prepcblk->ccp_rtcode != 0) {
917 ZCRYPT_DBF_ERR("%s cipher key generate failure, card response %d/%d\n",
918 __func__,
919 (int)prepcblk->ccp_rtcode,
920 (int)prepcblk->ccp_rscode);
921 rc = -EIO;
922 goto out;
923 }
924
925 /* process response cprb param block */
926 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
927 prepcblk->rpl_parmb = (u8 __user *)ptr;
928 prepparm = (struct gkrepparm *)ptr;
929
930 /* do some plausibility checks on the key block */
931 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
932 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
933 ZCRYPT_DBF_ERR("%s reply with invalid or unknown key block\n",
934 __func__);
935 rc = -EIO;
936 goto out;
937 }
938
939 /* and some checks on the generated key */
940 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
941 prepparm->kb.tlv1.gen_key,
942 keybitsize, 1);
943 if (rc) {
944 rc = -EIO;
945 goto out;
946 }
947
948 /* copy the generated vlsc key token */
949 t = (struct cipherkeytoken *)prepparm->kb.tlv1.gen_key;
950 if (keybuf) {
951 if (*keybufsize >= t->len)
952 memcpy(keybuf, t, t->len);
953 else
954 rc = -EINVAL;
955 }
956 *keybufsize = t->len;
957
958 out:
959 free_cprbmem(mem, PARMBSIZE, false, xflags);
960 return rc;
961 }
962 EXPORT_SYMBOL(cca_gencipherkey);
963
964 /*
965 * Helper function, does a the CSNBKPI2 CPRB.
966 */
_ip_cprb_helper(u16 cardnr,u16 domain,const char * rule_array_1,const char * rule_array_2,const char * rule_array_3,const u8 * clr_key_value,int clr_key_bit_size,u8 * key_token,int * key_token_size,u32 xflags)967 static int _ip_cprb_helper(u16 cardnr, u16 domain,
968 const char *rule_array_1,
969 const char *rule_array_2,
970 const char *rule_array_3,
971 const u8 *clr_key_value,
972 int clr_key_bit_size,
973 u8 *key_token,
974 int *key_token_size,
975 u32 xflags)
976 {
977 int rc, n;
978 u8 *mem, *ptr;
979 struct CPRBX *preqcblk, *prepcblk;
980 struct ica_xcRB xcrb;
981 struct rule_array_block {
982 u8 subfunc_code[2];
983 u16 rule_array_len;
984 char rule_array[];
985 } __packed * preq_ra_block;
986 struct vud_block {
987 u16 len;
988 struct {
989 u16 len;
990 u16 flag; /* 0x0064 */
991 u16 clr_key_bit_len;
992 } tlv1;
993 struct {
994 u16 len;
995 u16 flag; /* 0x0063 */
996 u8 clr_key[]; /* clear key value bytes */
997 } tlv2;
998 } __packed * preq_vud_block;
999 struct key_block {
1000 u16 len;
1001 struct {
1002 u16 len;
1003 u16 flag; /* 0x0030 */
1004 u8 key_token[]; /* key skeleton */
1005 } tlv1;
1006 } __packed * preq_key_block;
1007 struct iprepparm {
1008 u8 subfunc_code[2];
1009 u16 rule_array_len;
1010 struct {
1011 u16 len;
1012 } vud;
1013 struct {
1014 u16 len;
1015 struct {
1016 u16 len;
1017 u16 flag; /* 0x0030 */
1018 u8 key_token[]; /* key token */
1019 } tlv1;
1020 } kb;
1021 } __packed * prepparm;
1022 struct cipherkeytoken *t;
1023 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
1024
1025 /* get already prepared memory for 2 cprbs with param block each */
1026 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem,
1027 &preqcblk, &prepcblk, xflags);
1028 if (rc)
1029 return rc;
1030
1031 /* fill request cprb struct */
1032 preqcblk->domain = domain;
1033 preqcblk->req_parml = 0;
1034
1035 /* prepare request param block with IP request */
1036 preq_ra_block = (struct rule_array_block __force *)preqcblk->req_parmb;
1037 memcpy(preq_ra_block->subfunc_code, "IP", 2);
1038 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
1039 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
1040 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
1041 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
1042 if (rule_array_3) {
1043 preq_ra_block->rule_array_len += 8;
1044 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
1045 preqcblk->req_parml += 8;
1046 }
1047
1048 /* prepare vud block */
1049 preq_vud_block = (struct vud_block __force *)
1050 (preqcblk->req_parmb + preqcblk->req_parml);
1051 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
1052 preq_vud_block->len = sizeof(struct vud_block) + n;
1053 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
1054 preq_vud_block->tlv1.flag = 0x0064;
1055 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
1056 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
1057 preq_vud_block->tlv2.flag = 0x0063;
1058 if (!complete)
1059 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1060 preqcblk->req_parml += preq_vud_block->len;
1061
1062 /* prepare key block */
1063 preq_key_block = (struct key_block __force *)
1064 (preqcblk->req_parmb + preqcblk->req_parml);
1065 n = *key_token_size;
1066 preq_key_block->len = sizeof(struct key_block) + n;
1067 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1068 preq_key_block->tlv1.flag = 0x0030;
1069 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1070 preqcblk->req_parml += preq_key_block->len;
1071
1072 /* prepare xcrb struct */
1073 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1074
1075 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1076 rc = zcrypt_send_cprb(&xcrb, xflags);
1077 if (rc) {
1078 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1079 __func__, (int)cardnr, (int)domain, rc);
1080 goto out;
1081 }
1082
1083 /* check response returncode and reasoncode */
1084 if (prepcblk->ccp_rtcode != 0) {
1085 ZCRYPT_DBF_ERR("%s CSNBKPI2 failure, card response %d/%d\n",
1086 __func__,
1087 (int)prepcblk->ccp_rtcode,
1088 (int)prepcblk->ccp_rscode);
1089 rc = -EIO;
1090 goto out;
1091 }
1092
1093 /* process response cprb param block */
1094 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1095 prepcblk->rpl_parmb = (u8 __user *)ptr;
1096 prepparm = (struct iprepparm *)ptr;
1097
1098 /* do some plausibility checks on the key block */
1099 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1100 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1101 ZCRYPT_DBF_ERR("%s reply with invalid or unknown key block\n",
1102 __func__);
1103 rc = -EIO;
1104 goto out;
1105 }
1106
1107 /* do not check the key here, it may be incomplete */
1108
1109 /* copy the vlsc key token back */
1110 t = (struct cipherkeytoken *)prepparm->kb.tlv1.key_token;
1111 memcpy(key_token, t, t->len);
1112 *key_token_size = t->len;
1113
1114 out:
1115 free_cprbmem(mem, PARMBSIZE, false, xflags);
1116 return rc;
1117 }
1118
1119 /*
1120 * Build CCA AES CIPHER secure key with a given clear key value.
1121 */
cca_clr2cipherkey(u16 card,u16 dom,u32 keybitsize,u32 keygenflags,const u8 * clrkey,u8 * keybuf,u32 * keybufsize,u32 xflags)1122 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1123 const u8 *clrkey, u8 *keybuf, u32 *keybufsize, u32 xflags)
1124 {
1125 int rc;
1126 void *mem;
1127 int tokensize;
1128 u8 *token, exorbuf[32];
1129 struct cipherkeytoken *t;
1130
1131 /* fill exorbuf with random data */
1132 get_random_bytes(exorbuf, sizeof(exorbuf));
1133
1134 /*
1135 * Allocate space for the key token to build.
1136 * Also we only need up to MAXCCAVLSCTOKENSIZE bytes for this
1137 * we use the already existing cprb mempool to solve this
1138 * short term memory requirement.
1139 */
1140 mem = (xflags & ZCRYPT_XFLAG_NOMEMALLOC) ?
1141 mempool_alloc_preallocated(cprb_mempool) :
1142 mempool_alloc(cprb_mempool, GFP_KERNEL);
1143 if (!mem)
1144 return -ENOMEM;
1145
1146 /* prepare the token with the key skeleton */
1147 token = (u8 *)mem;
1148 tokensize = SIZEOF_SKELETON;
1149 memcpy(token, aes_cipher_key_skeleton, tokensize);
1150
1151 /* patch the skeleton key token export flags */
1152 if (keygenflags) {
1153 t = (struct cipherkeytoken *)token;
1154 t->kmf1 |= (u16)(keygenflags & 0x0000FF00);
1155 t->kmf1 &= (u16)~(keygenflags & 0x000000FF);
1156 }
1157
1158 /*
1159 * Do the key import with the clear key value in 4 steps:
1160 * 1/4 FIRST import with only random data
1161 * 2/4 EXOR the clear key
1162 * 3/4 EXOR the very same random data again
1163 * 4/4 COMPLETE the secure cipher key import
1164 */
1165 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1166 exorbuf, keybitsize, token, &tokensize, xflags);
1167 if (rc) {
1168 ZCRYPT_DBF_ERR("%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1169 __func__, rc);
1170 goto out;
1171 }
1172 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1173 clrkey, keybitsize, token, &tokensize, xflags);
1174 if (rc) {
1175 ZCRYPT_DBF_ERR("%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1176 __func__, rc);
1177 goto out;
1178 }
1179 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1180 exorbuf, keybitsize, token, &tokensize, xflags);
1181 if (rc) {
1182 ZCRYPT_DBF_ERR("%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1183 __func__, rc);
1184 goto out;
1185 }
1186 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1187 NULL, keybitsize, token, &tokensize, xflags);
1188 if (rc) {
1189 ZCRYPT_DBF_ERR("%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1190 __func__, rc);
1191 goto out;
1192 }
1193
1194 /* copy the generated key token */
1195 if (keybuf) {
1196 if (tokensize > *keybufsize)
1197 rc = -EINVAL;
1198 else
1199 memcpy(keybuf, token, tokensize);
1200 }
1201 *keybufsize = tokensize;
1202
1203 out:
1204 mempool_free(mem, cprb_mempool);
1205 return rc;
1206 }
1207 EXPORT_SYMBOL(cca_clr2cipherkey);
1208
1209 /*
1210 * Derive proteced key from CCA AES cipher secure key.
1211 */
cca_cipher2protkey(u16 cardnr,u16 domain,const u8 * ckey,u8 * protkey,u32 * protkeylen,u32 * protkeytype,u32 xflags)1212 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1213 u8 *protkey, u32 *protkeylen, u32 *protkeytype,
1214 u32 xflags)
1215 {
1216 int rc;
1217 u8 *mem, *ptr;
1218 struct CPRBX *preqcblk, *prepcblk;
1219 struct ica_xcRB xcrb;
1220 struct aureqparm {
1221 u8 subfunc_code[2];
1222 u16 rule_array_len;
1223 u8 rule_array[8];
1224 struct {
1225 u16 len;
1226 u16 tk_blob_len;
1227 u16 tk_blob_tag;
1228 u8 tk_blob[66];
1229 } vud;
1230 struct {
1231 u16 len;
1232 u16 cca_key_token_len;
1233 u16 cca_key_token_flags;
1234 u8 cca_key_token[]; /* 64 or more */
1235 } kb;
1236 } __packed * preqparm;
1237 struct aurepparm {
1238 u8 subfunc_code[2];
1239 u16 rule_array_len;
1240 struct {
1241 u16 len;
1242 u16 sublen;
1243 u16 tag;
1244 struct cpacfkeyblock {
1245 u8 version; /* version of this struct */
1246 u8 flags[2];
1247 u8 algo;
1248 u8 form;
1249 u8 pad1[3];
1250 u16 keylen;
1251 u8 key[64]; /* the key (keylen bytes) */
1252 u16 keyattrlen;
1253 u8 keyattr[32];
1254 u8 pad2[1];
1255 u8 vptype;
1256 u8 vp[32]; /* verification pattern */
1257 } ckb;
1258 } vud;
1259 struct {
1260 u16 len;
1261 } kb;
1262 } __packed * prepparm;
1263 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1264
1265 /* get already prepared memory for 2 cprbs with param block each */
1266 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem,
1267 &preqcblk, &prepcblk, xflags);
1268 if (rc)
1269 return rc;
1270
1271 /* fill request cprb struct */
1272 preqcblk->domain = domain;
1273
1274 /* fill request cprb param block with AU request */
1275 preqparm = (struct aureqparm __force *)preqcblk->req_parmb;
1276 memcpy(preqparm->subfunc_code, "AU", 2);
1277 preqparm->rule_array_len =
1278 sizeof(preqparm->rule_array_len)
1279 + sizeof(preqparm->rule_array);
1280 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1281 /* vud, tk blob */
1282 preqparm->vud.len = sizeof(preqparm->vud);
1283 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1284 + 2 * sizeof(uint16_t);
1285 preqparm->vud.tk_blob_tag = 0x00C2;
1286 /* kb, cca token */
1287 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1288 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1289 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1290 /* now fill length of param block into cprb */
1291 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1292
1293 /* fill xcrb struct */
1294 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1295
1296 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1297 rc = zcrypt_send_cprb(&xcrb, xflags);
1298 if (rc) {
1299 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1300 __func__, (int)cardnr, (int)domain, rc);
1301 goto out;
1302 }
1303
1304 /* check response returncode and reasoncode */
1305 if (prepcblk->ccp_rtcode != 0) {
1306 ZCRYPT_DBF_ERR("%s unwrap secure key failure, card response %d/%d\n",
1307 __func__,
1308 (int)prepcblk->ccp_rtcode,
1309 (int)prepcblk->ccp_rscode);
1310 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
1311 rc = -EBUSY;
1312 else
1313 rc = -EIO;
1314 goto out;
1315 }
1316 if (prepcblk->ccp_rscode != 0) {
1317 ZCRYPT_DBF_WARN("%s unwrap secure key warning, card response %d/%d\n",
1318 __func__,
1319 (int)prepcblk->ccp_rtcode,
1320 (int)prepcblk->ccp_rscode);
1321 }
1322
1323 /* process response cprb param block */
1324 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1325 prepcblk->rpl_parmb = (u8 __user *)ptr;
1326 prepparm = (struct aurepparm *)ptr;
1327
1328 /* check the returned keyblock */
1329 if (prepparm->vud.ckb.version != 0x01 &&
1330 prepparm->vud.ckb.version != 0x02) {
1331 ZCRYPT_DBF_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1332 __func__, (int)prepparm->vud.ckb.version);
1333 rc = -EIO;
1334 goto out;
1335 }
1336 if (prepparm->vud.ckb.algo != 0x02) {
1337 ZCRYPT_DBF_ERR("%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1338 __func__, (int)prepparm->vud.ckb.algo);
1339 rc = -EIO;
1340 goto out;
1341 }
1342
1343 /* copy the translated protected key */
1344 switch (prepparm->vud.ckb.keylen) {
1345 case 16 + 32:
1346 /* AES 128 protected key */
1347 if (protkeytype)
1348 *protkeytype = PKEY_KEYTYPE_AES_128;
1349 break;
1350 case 24 + 32:
1351 /* AES 192 protected key */
1352 if (protkeytype)
1353 *protkeytype = PKEY_KEYTYPE_AES_192;
1354 break;
1355 case 32 + 32:
1356 /* AES 256 protected key */
1357 if (protkeytype)
1358 *protkeytype = PKEY_KEYTYPE_AES_256;
1359 break;
1360 default:
1361 ZCRYPT_DBF_ERR("%s unknown/unsupported keylen %d\n",
1362 __func__, prepparm->vud.ckb.keylen);
1363 rc = -EIO;
1364 goto out;
1365 }
1366 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1367 if (protkeylen)
1368 *protkeylen = prepparm->vud.ckb.keylen;
1369
1370 out:
1371 free_cprbmem(mem, PARMBSIZE, true, xflags);
1372 return rc;
1373 }
1374 EXPORT_SYMBOL(cca_cipher2protkey);
1375
1376 /*
1377 * Derive protected key from CCA ECC secure private key.
1378 */
cca_ecc2protkey(u16 cardnr,u16 domain,const u8 * key,u8 * protkey,u32 * protkeylen,u32 * protkeytype,u32 xflags)1379 int cca_ecc2protkey(u16 cardnr, u16 domain, const u8 *key,
1380 u8 *protkey, u32 *protkeylen, u32 *protkeytype, u32 xflags)
1381 {
1382 int rc;
1383 u8 *mem, *ptr;
1384 struct CPRBX *preqcblk, *prepcblk;
1385 struct ica_xcRB xcrb;
1386 struct aureqparm {
1387 u8 subfunc_code[2];
1388 u16 rule_array_len;
1389 u8 rule_array[8];
1390 struct {
1391 u16 len;
1392 u16 tk_blob_len;
1393 u16 tk_blob_tag;
1394 u8 tk_blob[66];
1395 } vud;
1396 struct {
1397 u16 len;
1398 u16 cca_key_token_len;
1399 u16 cca_key_token_flags;
1400 u8 cca_key_token[];
1401 } kb;
1402 } __packed * preqparm;
1403 struct aurepparm {
1404 u8 subfunc_code[2];
1405 u16 rule_array_len;
1406 struct {
1407 u16 len;
1408 u16 sublen;
1409 u16 tag;
1410 struct cpacfkeyblock {
1411 u8 version; /* version of this struct */
1412 u8 flags[2];
1413 u8 algo;
1414 u8 form;
1415 u8 pad1[3];
1416 u16 keylen;
1417 u8 key[]; /* the key (keylen bytes) */
1418 /* u16 keyattrlen; */
1419 /* u8 keyattr[32]; */
1420 /* u8 pad2[1]; */
1421 /* u8 vptype; */
1422 /* u8 vp[32]; verification pattern */
1423 } ckb;
1424 } vud;
1425 /* followed by a key block */
1426 } __packed * prepparm;
1427 int keylen = ((struct eccprivkeytoken *)key)->len;
1428
1429 /* get already prepared memory for 2 cprbs with param block each */
1430 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem,
1431 &preqcblk, &prepcblk, xflags);
1432 if (rc)
1433 return rc;
1434
1435 /* fill request cprb struct */
1436 preqcblk->domain = domain;
1437
1438 /* fill request cprb param block with AU request */
1439 preqparm = (struct aureqparm __force *)preqcblk->req_parmb;
1440 memcpy(preqparm->subfunc_code, "AU", 2);
1441 preqparm->rule_array_len =
1442 sizeof(preqparm->rule_array_len)
1443 + sizeof(preqparm->rule_array);
1444 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1445 /* vud, tk blob */
1446 preqparm->vud.len = sizeof(preqparm->vud);
1447 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1448 + 2 * sizeof(uint16_t);
1449 preqparm->vud.tk_blob_tag = 0x00C2;
1450 /* kb, cca token */
1451 preqparm->kb.len = keylen + 3 * sizeof(uint16_t);
1452 preqparm->kb.cca_key_token_len = keylen + 2 * sizeof(uint16_t);
1453 memcpy(preqparm->kb.cca_key_token, key, keylen);
1454 /* now fill length of param block into cprb */
1455 preqcblk->req_parml = sizeof(struct aureqparm) + keylen;
1456
1457 /* fill xcrb struct */
1458 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1459
1460 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1461 rc = zcrypt_send_cprb(&xcrb, xflags);
1462 if (rc) {
1463 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1464 __func__, (int)cardnr, (int)domain, rc);
1465 goto out;
1466 }
1467
1468 /* check response returncode and reasoncode */
1469 if (prepcblk->ccp_rtcode != 0) {
1470 ZCRYPT_DBF_ERR("%s unwrap secure key failure, card response %d/%d\n",
1471 __func__,
1472 (int)prepcblk->ccp_rtcode,
1473 (int)prepcblk->ccp_rscode);
1474 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
1475 rc = -EBUSY;
1476 else
1477 rc = -EIO;
1478 goto out;
1479 }
1480 if (prepcblk->ccp_rscode != 0) {
1481 ZCRYPT_DBF_WARN("%s unwrap secure key warning, card response %d/%d\n",
1482 __func__,
1483 (int)prepcblk->ccp_rtcode,
1484 (int)prepcblk->ccp_rscode);
1485 }
1486
1487 /* process response cprb param block */
1488 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1489 prepcblk->rpl_parmb = (u8 __user *)ptr;
1490 prepparm = (struct aurepparm *)ptr;
1491
1492 /* check the returned keyblock */
1493 if (prepparm->vud.ckb.version != 0x02) {
1494 ZCRYPT_DBF_ERR("%s reply param keyblock version mismatch 0x%02x != 0x02\n",
1495 __func__, (int)prepparm->vud.ckb.version);
1496 rc = -EIO;
1497 goto out;
1498 }
1499 if (prepparm->vud.ckb.algo != 0x81) {
1500 ZCRYPT_DBF_ERR("%s reply param keyblock algo mismatch 0x%02x != 0x81\n",
1501 __func__, (int)prepparm->vud.ckb.algo);
1502 rc = -EIO;
1503 goto out;
1504 }
1505
1506 /* copy the translated protected key */
1507 if (prepparm->vud.ckb.keylen > *protkeylen) {
1508 ZCRYPT_DBF_ERR("%s prot keylen mismatch %d > buffersize %u\n",
1509 __func__, prepparm->vud.ckb.keylen, *protkeylen);
1510 rc = -EIO;
1511 goto out;
1512 }
1513 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1514 *protkeylen = prepparm->vud.ckb.keylen;
1515 if (protkeytype)
1516 *protkeytype = PKEY_KEYTYPE_ECC;
1517
1518 out:
1519 free_cprbmem(mem, PARMBSIZE, true, xflags);
1520 return rc;
1521 }
1522 EXPORT_SYMBOL(cca_ecc2protkey);
1523
1524 /*
1525 * query cryptographic facility from CCA adapter
1526 */
cca_query_crypto_facility(u16 cardnr,u16 domain,const char * keyword,u8 * rarray,size_t * rarraylen,u8 * varray,size_t * varraylen,u32 xflags)1527 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1528 const char *keyword,
1529 u8 *rarray, size_t *rarraylen,
1530 u8 *varray, size_t *varraylen,
1531 u32 xflags)
1532 {
1533 int rc;
1534 u16 len;
1535 u8 *mem, *ptr;
1536 struct CPRBX *preqcblk, *prepcblk;
1537 struct ica_xcRB xcrb;
1538 struct fqreqparm {
1539 u8 subfunc_code[2];
1540 u16 rule_array_len;
1541 char rule_array[8];
1542 struct lv1 {
1543 u16 len;
1544 u8 data[VARDATASIZE];
1545 } lv1;
1546 u16 dummylen;
1547 } __packed * preqparm;
1548 size_t parmbsize = sizeof(struct fqreqparm);
1549 struct fqrepparm {
1550 u8 subfunc_code[2];
1551 u8 lvdata[];
1552 } __packed * prepparm;
1553
1554 /* get already prepared memory for 2 cprbs with param block each */
1555 rc = alloc_and_prep_cprbmem(parmbsize, &mem,
1556 &preqcblk, &prepcblk, xflags);
1557 if (rc)
1558 return rc;
1559
1560 /* fill request cprb struct */
1561 preqcblk->domain = domain;
1562
1563 /* fill request cprb param block with FQ request */
1564 preqparm = (struct fqreqparm __force *)preqcblk->req_parmb;
1565 memcpy(preqparm->subfunc_code, "FQ", 2);
1566 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1567 preqparm->rule_array_len =
1568 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1569 preqparm->lv1.len = sizeof(preqparm->lv1);
1570 preqparm->dummylen = sizeof(preqparm->dummylen);
1571 preqcblk->req_parml = parmbsize;
1572
1573 /* fill xcrb struct */
1574 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1575
1576 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1577 rc = zcrypt_send_cprb(&xcrb, xflags);
1578 if (rc) {
1579 ZCRYPT_DBF_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1580 __func__, (int)cardnr, (int)domain, rc);
1581 goto out;
1582 }
1583
1584 /* check response returncode and reasoncode */
1585 if (prepcblk->ccp_rtcode != 0) {
1586 ZCRYPT_DBF_ERR("%s unwrap secure key failure, card response %d/%d\n",
1587 __func__,
1588 (int)prepcblk->ccp_rtcode,
1589 (int)prepcblk->ccp_rscode);
1590 rc = -EIO;
1591 goto out;
1592 }
1593
1594 /* process response cprb param block */
1595 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1596 prepcblk->rpl_parmb = (u8 __user *)ptr;
1597 prepparm = (struct fqrepparm *)ptr;
1598 ptr = prepparm->lvdata;
1599
1600 /* check and possibly copy reply rule array */
1601 len = *((u16 *)ptr);
1602 if (len > sizeof(u16)) {
1603 ptr += sizeof(u16);
1604 len -= sizeof(u16);
1605 if (rarray && rarraylen && *rarraylen > 0) {
1606 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1607 memcpy(rarray, ptr, *rarraylen);
1608 }
1609 ptr += len;
1610 }
1611 /* check and possible copy reply var array */
1612 len = *((u16 *)ptr);
1613 if (len > sizeof(u16)) {
1614 ptr += sizeof(u16);
1615 len -= sizeof(u16);
1616 if (varray && varraylen && *varraylen > 0) {
1617 *varraylen = (len > *varraylen ? *varraylen : len);
1618 memcpy(varray, ptr, *varraylen);
1619 }
1620 ptr += len;
1621 }
1622
1623 out:
1624 free_cprbmem(mem, parmbsize, false, xflags);
1625 return rc;
1626 }
1627 EXPORT_SYMBOL(cca_query_crypto_facility);
1628
1629 /*
1630 * Fetch cca_info values about a CCA queue via
1631 * query_crypto_facility from adapter.
1632 */
cca_get_info(u16 cardnr,u16 domain,struct cca_info * ci,u32 xflags)1633 int cca_get_info(u16 cardnr, u16 domain, struct cca_info *ci, u32 xflags)
1634 {
1635 void *mem;
1636 int rc, found = 0;
1637 size_t rlen, vlen;
1638 u8 *rarray, *varray;
1639 struct zcrypt_device_status_ext devstat;
1640
1641 memset(ci, 0, sizeof(*ci));
1642
1643 /* get first info from zcrypt device driver about this apqn */
1644 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1645 if (rc)
1646 return rc;
1647 ci->hwtype = devstat.hwtype;
1648
1649 /*
1650 * Prep memory for rule array and var array use.
1651 * Use the cprb mempool for this.
1652 */
1653 mem = (xflags & ZCRYPT_XFLAG_NOMEMALLOC) ?
1654 mempool_alloc_preallocated(cprb_mempool) :
1655 mempool_alloc(cprb_mempool, GFP_KERNEL);
1656 if (!mem)
1657 return -ENOMEM;
1658 rarray = (u8 *)mem;
1659 varray = (u8 *)mem + PAGE_SIZE / 2;
1660 rlen = vlen = PAGE_SIZE / 2;
1661
1662 /* QF for this card/domain */
1663 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1664 rarray, &rlen, varray, &vlen, xflags);
1665 if (rc == 0 && rlen >= 10 * 8 && vlen >= 204) {
1666 memcpy(ci->serial, rarray, 8);
1667 ci->new_asym_mk_state = (char)rarray[4 * 8];
1668 ci->cur_asym_mk_state = (char)rarray[5 * 8];
1669 ci->old_asym_mk_state = (char)rarray[6 * 8];
1670 if (ci->old_asym_mk_state == '2')
1671 memcpy(ci->old_asym_mkvp, varray + 64, 16);
1672 if (ci->cur_asym_mk_state == '2')
1673 memcpy(ci->cur_asym_mkvp, varray + 84, 16);
1674 if (ci->new_asym_mk_state == '3')
1675 memcpy(ci->new_asym_mkvp, varray + 104, 16);
1676 ci->new_aes_mk_state = (char)rarray[7 * 8];
1677 ci->cur_aes_mk_state = (char)rarray[8 * 8];
1678 ci->old_aes_mk_state = (char)rarray[9 * 8];
1679 if (ci->old_aes_mk_state == '2')
1680 memcpy(&ci->old_aes_mkvp, varray + 172, 8);
1681 if (ci->cur_aes_mk_state == '2')
1682 memcpy(&ci->cur_aes_mkvp, varray + 184, 8);
1683 if (ci->new_aes_mk_state == '3')
1684 memcpy(&ci->new_aes_mkvp, varray + 196, 8);
1685 found++;
1686 }
1687 if (!found)
1688 goto out;
1689 rlen = vlen = PAGE_SIZE / 2;
1690 rc = cca_query_crypto_facility(cardnr, domain, "STATICSB",
1691 rarray, &rlen, varray, &vlen, xflags);
1692 if (rc == 0 && rlen >= 13 * 8 && vlen >= 240) {
1693 ci->new_apka_mk_state = (char)rarray[10 * 8];
1694 ci->cur_apka_mk_state = (char)rarray[11 * 8];
1695 ci->old_apka_mk_state = (char)rarray[12 * 8];
1696 if (ci->old_apka_mk_state == '2')
1697 memcpy(&ci->old_apka_mkvp, varray + 208, 8);
1698 if (ci->cur_apka_mk_state == '2')
1699 memcpy(&ci->cur_apka_mkvp, varray + 220, 8);
1700 if (ci->new_apka_mk_state == '3')
1701 memcpy(&ci->new_apka_mkvp, varray + 232, 8);
1702 found++;
1703 }
1704
1705 out:
1706 mempool_free(mem, cprb_mempool);
1707 return found == 2 ? 0 : -ENOENT;
1708 }
1709 EXPORT_SYMBOL(cca_get_info);
1710
cca_findcard2(u32 * apqns,u32 * nr_apqns,u16 cardnr,u16 domain,int minhwtype,int mktype,u64 cur_mkvp,u64 old_mkvp,u32 xflags)1711 int cca_findcard2(u32 *apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1712 int minhwtype, int mktype, u64 cur_mkvp, u64 old_mkvp,
1713 u32 xflags)
1714 {
1715 struct zcrypt_device_status_ext *device_status;
1716 int i, card, dom, curmatch, oldmatch;
1717 struct cca_info ci;
1718 u32 _nr_apqns = 0;
1719
1720 /* occupy the device status memory */
1721 mutex_lock(&dev_status_mem_mutex);
1722 memset(dev_status_mem, 0, ZCRYPT_DEV_STATUS_EXT_SIZE);
1723 device_status = (struct zcrypt_device_status_ext *)dev_status_mem;
1724
1725 /* fetch crypto device status into this struct */
1726 zcrypt_device_status_mask_ext(device_status,
1727 ZCRYPT_DEV_STATUS_CARD_MAX,
1728 ZCRYPT_DEV_STATUS_QUEUE_MAX);
1729
1730 /* walk through all the crypto apqnss */
1731 for (i = 0; i < ZCRYPT_DEV_STATUS_ENTRIES; i++) {
1732 card = AP_QID_CARD(device_status[i].qid);
1733 dom = AP_QID_QUEUE(device_status[i].qid);
1734 /* check online state */
1735 if (!device_status[i].online)
1736 continue;
1737 /* check for cca functions */
1738 if (!(device_status[i].functions & 0x04))
1739 continue;
1740 /* check cardnr */
1741 if (cardnr != 0xFFFF && card != cardnr)
1742 continue;
1743 /* check domain */
1744 if (domain != 0xFFFF && dom != domain)
1745 continue;
1746 /* get cca info on this apqn */
1747 if (cca_get_info(card, dom, &ci, xflags))
1748 continue;
1749 /* current master key needs to be valid */
1750 if (mktype == AES_MK_SET && ci.cur_aes_mk_state != '2')
1751 continue;
1752 if (mktype == APKA_MK_SET && ci.cur_apka_mk_state != '2')
1753 continue;
1754 /* check min hardware type */
1755 if (minhwtype > 0 && minhwtype > ci.hwtype)
1756 continue;
1757 if (cur_mkvp || old_mkvp) {
1758 /* check mkvps */
1759 curmatch = oldmatch = 0;
1760 if (mktype == AES_MK_SET) {
1761 if (cur_mkvp && cur_mkvp == ci.cur_aes_mkvp)
1762 curmatch = 1;
1763 if (old_mkvp && ci.old_aes_mk_state == '2' &&
1764 old_mkvp == ci.old_aes_mkvp)
1765 oldmatch = 1;
1766 } else {
1767 if (cur_mkvp && cur_mkvp == ci.cur_apka_mkvp)
1768 curmatch = 1;
1769 if (old_mkvp && ci.old_apka_mk_state == '2' &&
1770 old_mkvp == ci.old_apka_mkvp)
1771 oldmatch = 1;
1772 }
1773 if (curmatch + oldmatch < 1)
1774 continue;
1775 }
1776 /* apqn passed all filtering criterons, add to the array */
1777 if (_nr_apqns < *nr_apqns)
1778 apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16)dom);
1779 }
1780
1781 *nr_apqns = _nr_apqns;
1782
1783 /* release the device status memory */
1784 mutex_unlock(&dev_status_mem_mutex);
1785
1786 return _nr_apqns ? 0 : -ENODEV;
1787 }
1788 EXPORT_SYMBOL(cca_findcard2);
1789
zcrypt_ccamisc_init(void)1790 int __init zcrypt_ccamisc_init(void)
1791 {
1792 /* Pre-allocate a small memory pool for cca cprbs. */
1793 cprb_mempool = mempool_create_kmalloc_pool(zcrypt_mempool_threshold,
1794 CPRB_MEMPOOL_ITEM_SIZE);
1795 if (!cprb_mempool)
1796 return -ENOMEM;
1797
1798 /* Pre-allocate one crypto status card struct used in findcard() */
1799 dev_status_mem = kvmalloc(ZCRYPT_DEV_STATUS_EXT_SIZE, GFP_KERNEL);
1800 if (!dev_status_mem) {
1801 mempool_destroy(cprb_mempool);
1802 return -ENOMEM;
1803 }
1804
1805 return 0;
1806 }
1807
zcrypt_ccamisc_exit(void)1808 void zcrypt_ccamisc_exit(void)
1809 {
1810 mutex_lock(&dev_status_mem_mutex);
1811 kvfree(dev_status_mem);
1812 mutex_unlock(&dev_status_mem_mutex);
1813 mempool_destroy(cprb_mempool);
1814 }
1815