drivers/s390/crypto/pkey_pckmo.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  *  pkey pckmo specific code
   4  *
   5  *  Copyright IBM Corp. 2024
   6  */
   7
   8 #define KMSG_COMPONENT "pkey"
   9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
  10
  11 #include <linux/init.h>
  12 #include <linux/module.h>
  13 #include <linux/cpufeature.h>
  14 #include <asm/cpacf.h>
  15 #include <crypto/aes.h>
  16 #include <linux/random.h>
  17
  18 #include "zcrypt_ccamisc.h"
  19 #include "pkey_base.h"
  20
  21 MODULE_LICENSE("GPL");
  22 MODULE_AUTHOR("IBM Corporation");
  23 MODULE_DESCRIPTION("s390 protected key PCKMO handler");
  24
  25 /*
  26  * Check key blob for known and supported here.
  27  */
  28 static bool is_pckmo_key(const u8 *key, u32 keylen)
  29 {
  30         struct keytoken_header *hdr = (struct keytoken_header *)key;
  31         struct clearkeytoken *t = (struct clearkeytoken *)key;
  32
  33         if (keylen < sizeof(*hdr))
  34                 return false;
  35
  36         switch (hdr->type) {
  37         case TOKTYPE_NON_CCA:
  38                 switch (hdr->version) {
  39                 case TOKVER_CLEAR_KEY:
  40                         if (pkey_keytype_to_size(t->keytype))
  41                                 return true;
  42                         return false;
  43                 case TOKVER_PROTECTED_KEY:
  44                         return true;
  45                 default:
  46                         return false;
  47                 }
  48         default:
  49                 return false;
  50         }
  51 }
  52
  53 static bool is_pckmo_keytype(enum pkey_key_type keytype)
  54 {
  55         switch (keytype) {
  56         case PKEY_TYPE_PROTKEY:
  57                 return true;
  58         default:
  59                 return false;
  60         }
  61 }
  62
  63 /*
  64  * Create a protected key from a clear key value via PCKMO instruction.
  65  */
  66 static int pckmo_clr2protkey(u32 keytype, const u8 *clrkey, u32 clrkeylen,
  67                              u8 *protkey, u32 *protkeylen, u32 *protkeytype)
  68 {
  69         /* mask of available pckmo subfunctions */
  70         static cpacf_mask_t pckmo_functions;
  71
  72         int keysize, rc = -EINVAL;
  73         u8 paramblock[160];
  74         u32 pkeytype = 0;
  75         unsigned int fc;
  76
  77         switch (keytype) {
  78         case PKEY_KEYTYPE_AES_128:
  79                 fc = CPACF_PCKMO_ENC_AES_128_KEY;
  80                 break;
  81         case PKEY_KEYTYPE_AES_192:
  82                 fc = CPACF_PCKMO_ENC_AES_192_KEY;
  83                 break;
  84         case PKEY_KEYTYPE_AES_256:
  85                 fc = CPACF_PCKMO_ENC_AES_256_KEY;
  86                 break;
  87         case PKEY_KEYTYPE_ECC_P256:
  88                 pkeytype = PKEY_KEYTYPE_ECC;
  89                 fc = CPACF_PCKMO_ENC_ECC_P256_KEY;
  90                 break;
  91         case PKEY_KEYTYPE_ECC_P384:
  92                 pkeytype = PKEY_KEYTYPE_ECC;
  93                 fc = CPACF_PCKMO_ENC_ECC_P384_KEY;
  94                 break;
  95         case PKEY_KEYTYPE_ECC_P521:
  96                 pkeytype = PKEY_KEYTYPE_ECC;
  97                 fc = CPACF_PCKMO_ENC_ECC_P521_KEY;
  98                 break;
  99         case PKEY_KEYTYPE_ECC_ED25519:
 100                 pkeytype = PKEY_KEYTYPE_ECC;
 101                 fc = CPACF_PCKMO_ENC_ECC_ED25519_KEY;
 102                 break;
 103         case PKEY_KEYTYPE_ECC_ED448:
 104                 pkeytype = PKEY_KEYTYPE_ECC;
 105                 fc = CPACF_PCKMO_ENC_ECC_ED448_KEY;
 106                 break;
 107         case PKEY_KEYTYPE_AES_XTS_128:
 108                 fc = CPACF_PCKMO_ENC_AES_XTS_128_DOUBLE_KEY;
 109                 break;
 110         case PKEY_KEYTYPE_AES_XTS_256:
 111                 fc = CPACF_PCKMO_ENC_AES_XTS_256_DOUBLE_KEY;
 112                 break;
 113         case PKEY_KEYTYPE_HMAC_512:
 114                 fc = CPACF_PCKMO_ENC_HMAC_512_KEY;
 115                 break;
 116         case PKEY_KEYTYPE_HMAC_1024:
 117                 fc = CPACF_PCKMO_ENC_HMAC_1024_KEY;
 118                 break;
 119         default:
 120                 PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n",
 121                              __func__, keytype);
 122                 goto out;
 123         }
 124
 125         keysize = pkey_keytype_to_size(keytype);
 126         pkeytype = pkeytype ?: keytype;
 127
 128         if (clrkeylen && clrkeylen < keysize) {
 129                 PKEY_DBF_ERR("%s clear key size too small: %u < %d\n",
 130                              __func__, clrkeylen, keysize);
 131                 goto out;
 132         }
 133         if (*protkeylen < keysize + AES_WK_VP_SIZE) {
 134                 PKEY_DBF_ERR("%s prot key buffer size too small: %u < %d\n",
 135                              __func__, *protkeylen, keysize + AES_WK_VP_SIZE);
 136                 goto out;
 137         }
 138
 139         /* Did we already check for PCKMO ? */
 140         if (!pckmo_functions.bytes[0]) {
 141                 /* no, so check now */
 142                 if (!cpacf_query(CPACF_PCKMO, &pckmo_functions)) {
 143                         PKEY_DBF_ERR("%s cpacf_query() failed\n", __func__);
 144                         rc = -ENODEV;
 145                         goto out;
 146                 }
 147         }
 148         /* check for the pckmo subfunction we need now */
 149         if (!cpacf_test_func(&pckmo_functions, fc)) {
 150                 PKEY_DBF_ERR("%s pckmo fc 0x%02x not available\n",
 151                              __func__, fc);
 152                 rc = -ENODEV;
 153                 goto out;
 154         }
 155
 156         /* prepare param block */
 157         memset(paramblock, 0, sizeof(paramblock));
 158         memcpy(paramblock, clrkey, keysize);
 159
 160         /* call the pckmo instruction */
 161         cpacf_pckmo(fc, paramblock);
 162
 163         /* copy created protected key to key buffer including the wkvp block */
 164         *protkeylen = keysize + AES_WK_VP_SIZE;
 165         memcpy(protkey, paramblock, *protkeylen);
 166         *protkeytype = pkeytype;
 167
 168         rc = 0;
 169
 170 out:
 171         pr_debug("rc=%d\n", rc);
 172         return rc;
 173 }
 174
 175 /*
 176  * Verify a raw protected key blob.
 177  */
 178 static int pckmo_verify_protkey(const u8 *protkey, u32 protkeylen,
 179                                 u32 protkeytype)
 180 {
 181         u8 clrkey[16] = { 0 }, tmpkeybuf[16 + AES_WK_VP_SIZE];
 182         u32 tmpkeybuflen, tmpkeytype;
 183         int keysize, rc = -EINVAL;
 184         u8 *wkvp;
 185
 186         /* check protkey type and size */
 187         keysize = pkey_keytype_to_size(protkeytype);
 188         if (!keysize) {
 189                 PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n", __func__,
 190                              protkeytype);
 191                 goto out;
 192         }
 193         if (protkeylen < keysize + AES_WK_VP_SIZE)
 194                 goto out;
 195
 196         /* generate a dummy AES 128 protected key */
 197         tmpkeybuflen = sizeof(tmpkeybuf);
 198         rc = pckmo_clr2protkey(PKEY_KEYTYPE_AES_128,
 199                                clrkey, sizeof(clrkey),
 200                                tmpkeybuf, &tmpkeybuflen, &tmpkeytype);
 201         if (rc)
 202                 goto out;
 203         memzero_explicit(tmpkeybuf, 16);
 204         wkvp = tmpkeybuf + 16;
 205
 206         /* compare WK VP from the temp key with that of the given prot key */
 207         if (memcmp(wkvp, protkey + keysize, AES_WK_VP_SIZE)) {
 208                 PKEY_DBF_ERR("%s protected key WK VP mismatch\n", __func__);
 209                 rc = -EKEYREJECTED;
 210                 goto out;
 211         }
 212
 213 out:
 214         pr_debug("rc=%d\n", rc);
 215         return rc;
 216 }
 217
 218 static int pckmo_key2protkey(const u8 *key, u32 keylen,
 219                              u8 *protkey, u32 *protkeylen, u32 *protkeytype)
 220 {
 221         struct keytoken_header *hdr = (struct keytoken_header *)key;
 222         int rc = -EINVAL;
 223
 224         if (keylen < sizeof(*hdr))
 225                 return -EINVAL;
 226         if (hdr->type != TOKTYPE_NON_CCA)
 227                 return -EINVAL;
 228
 229         switch (hdr->version) {
 230         case TOKVER_PROTECTED_KEY: {
 231                 struct protkeytoken *t = (struct protkeytoken *)key;
 232                 u32 keysize;
 233
 234                 if (keylen < sizeof(*t))
 235                         goto out;
 236                 keysize = pkey_keytype_to_size(t->keytype);
 237                 if (!keysize) {
 238                         PKEY_DBF_ERR("%s protected key token: unknown keytype %u\n",
 239                                      __func__, t->keytype);
 240                         goto out;
 241                 }
 242                 switch (t->keytype) {
 243                 case PKEY_KEYTYPE_AES_128:
 244                 case PKEY_KEYTYPE_AES_192:
 245                 case PKEY_KEYTYPE_AES_256:
 246                         if (t->len != keysize + AES_WK_VP_SIZE ||
 247                             keylen < sizeof(struct protaeskeytoken))
 248                                 goto out;
 249                         rc = pckmo_verify_protkey(t->protkey, t->len,
 250                                                   t->keytype);
 251                         if (rc)
 252                                 goto out;
 253                         break;
 254                 default:
 255                         if (t->len != keysize + AES_WK_VP_SIZE ||
 256                             keylen < sizeof(*t) + keysize + AES_WK_VP_SIZE)
 257                                 goto out;
 258                         break;
 259                 }
 260                 memcpy(protkey, t->protkey, t->len);
 261                 *protkeylen = t->len;
 262                 *protkeytype = t->keytype;
 263                 rc = 0;
 264                 break;
 265         }
 266         case TOKVER_CLEAR_KEY: {
 267                 struct clearkeytoken *t = (struct clearkeytoken *)key;
 268                 u32 keysize;
 269
 270                 if (keylen < sizeof(*t) ||
 271                     keylen < sizeof(*t) + t->len)
 272                         goto out;
 273                 keysize = pkey_keytype_to_size(t->keytype);
 274                 if (!keysize) {
 275                         PKEY_DBF_ERR("%s clear key token: unknown keytype %u\n",
 276                                      __func__, t->keytype);
 277                         goto out;
 278                 }
 279                 if (t->len != keysize) {
 280                         PKEY_DBF_ERR("%s clear key token: invalid key len %u\n",
 281                                      __func__, t->len);
 282                         goto out;
 283                 }
 284                 rc = pckmo_clr2protkey(t->keytype, t->clearkey, t->len,
 285                                        protkey, protkeylen, protkeytype);
 286                 break;
 287         }
 288         default:
 289                 PKEY_DBF_ERR("%s unknown non-CCA token version %d\n",
 290                              __func__, hdr->version);
 291                 break;
 292         }
 293
 294 out:
 295         pr_debug("rc=%d\n", rc);
 296         return rc;
 297 }
 298
 299 /*
 300  * Generate a random protected key.
 301  */
 302 static int pckmo_gen_protkey(u32 keytype, u32 subtype,
 303                              u8 *protkey, u32 *protkeylen, u32 *protkeytype)
 304 {
 305         u8 clrkey[128];
 306         int keysize;
 307         int rc;
 308
 309         keysize = pkey_keytype_to_size(keytype);
 310         if (!keysize) {
 311                 PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n",
 312                              __func__, keytype);
 313                 return -EINVAL;
 314         }
 315         if (subtype != PKEY_TYPE_PROTKEY) {
 316                 PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n",
 317                              __func__, subtype);
 318                 return -EINVAL;
 319         }
 320
 321         switch (keytype) {
 322         case PKEY_KEYTYPE_AES_128:
 323         case PKEY_KEYTYPE_AES_192:
 324         case PKEY_KEYTYPE_AES_256:
 325         case PKEY_KEYTYPE_AES_XTS_128:
 326         case PKEY_KEYTYPE_AES_XTS_256:
 327         case PKEY_KEYTYPE_HMAC_512:
 328         case PKEY_KEYTYPE_HMAC_1024:
 329                 break;
 330         default:
 331                 PKEY_DBF_ERR("%s unsupported keytype %d\n",
 332                              __func__, keytype);
 333                 return -EINVAL;
 334         }
 335
 336         /* generate a dummy random clear key */
 337         get_random_bytes(clrkey, keysize);
 338
 339         /* convert it to a dummy protected key */
 340         rc = pckmo_clr2protkey(keytype, clrkey, keysize,
 341                                protkey, protkeylen, protkeytype);
 342         if (rc)
 343                 goto out;
 344
 345         /* replace the key part of the protected key with random bytes */
 346         get_random_bytes(protkey, keysize);
 347
 348 out:
 349         pr_debug("rc=%d\n", rc);
 350         return rc;
 351 }
 352
 353 /*
 354  * Verify a protected key token blob.
 355  */
 356 static int pckmo_verify_key(const u8 *key, u32 keylen)
 357 {
 358         struct keytoken_header *hdr = (struct keytoken_header *)key;
 359         int rc = -EINVAL;
 360
 361         if (keylen < sizeof(*hdr))
 362                 return -EINVAL;
 363         if (hdr->type != TOKTYPE_NON_CCA)
 364                 return -EINVAL;
 365
 366         switch (hdr->version) {
 367         case TOKVER_PROTECTED_KEY: {
 368                 struct protkeytoken *t = (struct protkeytoken *)key;
 369                 u32 keysize;
 370
 371                 if (keylen < sizeof(*t))
 372                         goto out;
 373                 keysize = pkey_keytype_to_size(t->keytype);
 374                 if (!keysize || t->len != keysize + AES_WK_VP_SIZE)
 375                         goto out;
 376                 switch (t->keytype) {
 377                 case PKEY_KEYTYPE_AES_128:
 378                 case PKEY_KEYTYPE_AES_192:
 379                 case PKEY_KEYTYPE_AES_256:
 380                         if (keylen < sizeof(struct protaeskeytoken))
 381                                 goto out;
 382                         break;
 383                 default:
 384                         if (keylen < sizeof(*t) + keysize + AES_WK_VP_SIZE)
 385                                 goto out;
 386                         break;
 387                 }
 388                 rc = pckmo_verify_protkey(t->protkey, t->len, t->keytype);
 389                 break;
 390         }
 391         default:
 392                 PKEY_DBF_ERR("%s unknown non-CCA token version %d\n",
 393                              __func__, hdr->version);
 394                 break;
 395         }
 396
 397 out:
 398         pr_debug("rc=%d\n", rc);
 399         return rc;
 400 }
 401
 402 /*
 403  * Wrapper functions used for the pkey handler struct
 404  */
 405
 406 static int pkey_pckmo_key2protkey(const struct pkey_apqn *_apqns,
 407                                   size_t _nr_apqns,
 408                                   const u8 *key, u32 keylen,
 409                                   u8 *protkey, u32 *protkeylen, u32 *keyinfo)
 410 {
 411         return pckmo_key2protkey(key, keylen,
 412                                  protkey, protkeylen, keyinfo);
 413 }
 414
 415 static int pkey_pckmo_gen_key(const struct pkey_apqn *_apqns, size_t _nr_apqns,
 416                               u32 keytype, u32 keysubtype,
 417                               u32 _keybitsize, u32 _flags,
 418                               u8 *keybuf, u32 *keybuflen, u32 *keyinfo)
 419 {
 420         return pckmo_gen_protkey(keytype, keysubtype,
 421                                  keybuf, keybuflen, keyinfo);
 422 }
 423
 424 static int pkey_pckmo_verifykey(const u8 *key, u32 keylen,
 425                                 u16 *_card, u16 *_dom,
 426                                 u32 *_keytype, u32 *_keybitsize, u32 *_flags)
 427 {
 428         return pckmo_verify_key(key, keylen);
 429 }
 430
 431 static struct pkey_handler pckmo_handler = {
 432         .module               = THIS_MODULE,
 433         .name                 = "PKEY PCKMO handler",
 434         .is_supported_key     = is_pckmo_key,
 435         .is_supported_keytype = is_pckmo_keytype,
 436         .key_to_protkey       = pkey_pckmo_key2protkey,
 437         .gen_key              = pkey_pckmo_gen_key,
 438         .verify_key           = pkey_pckmo_verifykey,
 439 };
 440
 441 /*
 442  * Module init
 443  */
 444 static int __init pkey_pckmo_init(void)
 445 {
 446         cpacf_mask_t func_mask;
 447
 448         /*
 449          * The pckmo instruction should be available - even if we don't
 450          * actually invoke it. This instruction comes with MSA 3 which
 451          * is also the minimum level for the kmc instructions which
 452          * are able to work with protected keys.
 453          */
 454         if (!cpacf_query(CPACF_PCKMO, &func_mask))
 455                 return -ENODEV;
 456
 457         /* register this module as pkey handler for all the pckmo stuff */
 458         return pkey_handler_register(&pckmo_handler);
 459 }
 460
 461 /*
 462  * Module exit
 463  */
 464 static void __exit pkey_pckmo_exit(void)
 465 {
 466         /* unregister this module as pkey handler */
 467         pkey_handler_unregister(&pckmo_handler);
 468 }
 469
 470 module_cpu_feature_match(S390_CPU_FEATURE_MSA, pkey_pckmo_init);
 471 module_exit(pkey_pckmo_exit);