drivers/s390/crypto/zcrypt_ep11misc.h

   1 /* SPDX-License-Identifier: GPL-2.0+ */
   2 /*
   3  *  Copyright IBM Corp. 2019
   4  *  Author(s): Harald Freudenberger <freude@linux.ibm.com>
   5  *
   6  *  Collection of EP11 misc functions used by zcrypt and pkey
   7  */
   8
   9 #ifndef _ZCRYPT_EP11MISC_H_
  10 #define _ZCRYPT_EP11MISC_H_
  11
  12 #include <asm/zcrypt.h>
  13 #include <asm/pkey.h>
  14
  15 #define EP11_API_V1 1  /* min EP11 API, default if no higher api required */
  16 #define EP11_API_V4 4  /* supported EP11 API for the ep11misc cprbs */
  17 #define EP11_API_V6 6  /* min EP11 API for some cprbs in SE environment */
  18 #define EP11_STRUCT_MAGIC 0x1234
  19 #define EP11_BLOB_PKEY_EXTRACTABLE 0x00200000
  20
  21 /*
  22  * Internal used values for the version field of the key header.
  23  * Should match to the enum pkey_key_type in pkey.h.
  24  */
  25 #define TOKVER_EP11_AES  0x03  /* EP11 AES key blob (old style) */
  26 #define TOKVER_EP11_AES_WITH_HEADER 0x06 /* EP11 AES key blob with header */
  27 #define TOKVER_EP11_ECC_WITH_HEADER 0x07 /* EP11 ECC key blob with header */
  28
  29 /* inside view of an EP11 secure key blob */
  30 struct ep11keyblob {
  31         union {
  32                 u8 session[32];
  33                 /* only used for PKEY_TYPE_EP11: */
  34                 struct ep11kblob_header head;
  35         };
  36         u8  wkvp[16];  /* wrapping key verification pattern */
  37         u64 attr;      /* boolean key attributes */
  38         u64 mode;      /* mode bits */
  39         u16 version;   /* 0x1234, EP11_STRUCT_MAGIC */
  40         u8  iv[14];
  41         u8  encrypted_key_data[144];
  42         u8  mac[32];
  43 } __packed;
  44
  45 /* check ep11 key magic to find out if this is an ep11 key blob */
  46 static inline bool is_ep11_keyblob(const u8 *key)
  47 {
  48         struct ep11keyblob *kb = (struct ep11keyblob *)key;
  49
  50         return (kb->version == EP11_STRUCT_MAGIC);
  51 }
  52
  53 /*
  54  * For valid ep11 keyblobs, returns a reference to the wrappingkey verification
  55  * pattern. Otherwise NULL.
  56  */
  57 const u8 *ep11_kb_wkvp(const u8 *kblob, u32 kbloblen);
  58
  59 /*
  60  * Simple check if the key blob is a valid EP11 AES key blob with header.
  61  * If checkcpacfexport is enabled, the key is also checked for the
  62  * attributes needed to export this key for CPACF use.
  63  * Returns 0 on success or errno value on failure.
  64  */
  65 int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl,
  66                                 const u8 *key, u32 keylen, int checkcpacfexp);
  67
  68 /*
  69  * Simple check if the key blob is a valid EP11 ECC key blob with header.
  70  * If checkcpacfexport is enabled, the key is also checked for the
  71  * attributes needed to export this key for CPACF use.
  72  * Returns 0 on success or errno value on failure.
  73  */
  74 int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl,
  75                                 const u8 *key, u32 keylen, int checkcpacfexp);
  76
  77 /*
  78  * Simple check if the key blob is a valid EP11 AES key blob with
  79  * the header in the session field (old style EP11 AES key).
  80  * If checkcpacfexport is enabled, the key is also checked for the
  81  * attributes needed to export this key for CPACF use.
  82  * Returns 0 on success or errno value on failure.
  83  */
  84 int ep11_check_aes_key(debug_info_t *dbg, int dbflvl,
  85                        const u8 *key, u32 keylen, int checkcpacfexp);
  86
  87 /* EP11 card info struct */
  88 struct ep11_card_info {
  89         u32  API_ord_nr;    /* API ordinal number */
  90         u16  FW_version;    /* Firmware major and minor version */
  91         char serial[16];    /* serial number string (16 ascii, no 0x00 !) */
  92         u64  op_mode;       /* card operational mode(s) */
  93 };
  94
  95 /* EP11 domain info struct */
  96 struct ep11_domain_info {
  97         char cur_wk_state;  /* '0' invalid, '1' valid */
  98         char new_wk_state;  /* '0' empty, '1' uncommitted, '2' committed */
  99         u8   cur_wkvp[32];  /* current wrapping key verification pattern */
 100         u8   new_wkvp[32];  /* new wrapping key verification pattern */
 101         u64  op_mode;       /* domain operational mode(s) */
 102 };
 103
 104 /*
 105  * Provide information about an EP11 card.
 106  */
 107 int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify);
 108
 109 /*
 110  * Provide information about a domain within an EP11 card.
 111  */
 112 int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info);
 113
 114 /*
 115  * Generate (random) EP11 AES secure key.
 116  */
 117 int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
 118                    u8 *keybuf, u32 *keybufsize, u32 keybufver);
 119
 120 /*
 121  * Generate EP11 AES secure key with given clear key value.
 122  */
 123 int ep11_clr2keyblob(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
 124                      const u8 *clrkey, u8 *keybuf, u32 *keybufsize,
 125                      u32 keytype);
 126
 127 /*
 128  * Build a list of ep11 apqns meeting the following constrains:
 129  * - apqn is online and is in fact an EP11 apqn
 130  * - if cardnr is not FFFF only apqns with this cardnr
 131  * - if domain is not FFFF only apqns with this domainnr
 132  * - if minhwtype > 0 only apqns with hwtype >= minhwtype
 133  * - if minapi > 0 only apqns with API_ord_nr >= minapi
 134  * - if wkvp != NULL only apqns where the wkvp (EP11_WKVPLEN bytes) matches
 135  *   to the first EP11_WKVPLEN bytes of the wkvp of the current wrapping
 136  *   key for this domain. When a wkvp is given there will always be a re-fetch
 137  *   of the domain info for the potential apqn - so this triggers an request
 138  *   reply to each apqn eligible.
 139  * The array of apqn entries is allocated with kmalloc and returned in *apqns;
 140  * the number of apqns stored into the list is returned in *nr_apqns. One apqn
 141  * entry is simple a 32 bit value with 16 bit cardnr and 16 bit domain nr and
 142  * may be casted to struct pkey_apqn. The return value is either 0 for success
 143  * or a negative errno value. If no apqn meeting the criteria is found,
 144  * -ENODEV is returned.
 145  */
 146 int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
 147                    int minhwtype, int minapi, const u8 *wkvp);
 148
 149 /*
 150  * Derive proteced key from EP11 key blob (AES and ECC keys).
 151  */
 152 int ep11_kblob2protkey(u16 card, u16 dom, const u8 *key, u32 keylen,
 153                        u8 *protkey, u32 *protkeylen, u32 *protkeytype);
 154
 155 void zcrypt_ep11misc_exit(void);
 156
 157 #endif /* _ZCRYPT_EP11MISC_H_ */