1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
7 * Collection of CCA misc functions used by zcrypt and pkey
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
26 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
31 /* Size of parameter block used for all cca requests/replies */
34 /* Size of vardata block used for some of the cca requests/replies */
35 #define VARDATASIZE 4096
37 struct cca_info_list_entry
{
38 struct list_head list
;
44 /* a list with cca_info_list_entry entries */
45 static LIST_HEAD(cca_info_list
);
46 static DEFINE_SPINLOCK(cca_info_list_lock
);
49 * Simple check if the token is a valid CCA secure AES data key
50 * token. If keybitsize is given, the bitsize of the key is
51 * also checked. Returns 0 on success or errno value on failure.
53 int cca_check_secaeskeytoken(debug_info_t
*dbg
, int dbflvl
,
54 const u8
*token
, int keybitsize
)
56 struct secaeskeytoken
*t
= (struct secaeskeytoken
*) token
;
58 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
60 if (t
->type
!= TOKTYPE_CCA_INTERNAL
) {
62 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 __func__
, (int) t
->type
, TOKTYPE_CCA_INTERNAL
);
66 if (t
->version
!= TOKVER_CCA_AES
) {
68 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 __func__
, (int) t
->version
, TOKVER_CCA_AES
);
72 if (keybitsize
> 0 && t
->bitsize
!= keybitsize
) {
74 DBF("%s token check failed, bitsize %d != %d\n",
75 __func__
, (int) t
->bitsize
, keybitsize
);
83 EXPORT_SYMBOL(cca_check_secaeskeytoken
);
86 * Simple check if the token is a valid CCA secure AES cipher key
87 * token. If keybitsize is given, the bitsize of the key is
88 * also checked. If checkcpacfexport is enabled, the key is also
89 * checked for the export flag to allow CPACF export.
90 * Returns 0 on success or errno value on failure.
92 int cca_check_secaescipherkey(debug_info_t
*dbg
, int dbflvl
,
93 const u8
*token
, int keybitsize
,
96 struct cipherkeytoken
*t
= (struct cipherkeytoken
*) token
;
97 bool keybitsizeok
= true;
99 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
101 if (t
->type
!= TOKTYPE_CCA_INTERNAL
) {
103 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 __func__
, (int) t
->type
, TOKTYPE_CCA_INTERNAL
);
107 if (t
->version
!= TOKVER_CCA_VLSC
) {
109 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 __func__
, (int) t
->version
, TOKVER_CCA_VLSC
);
113 if (t
->algtype
!= 0x02) {
115 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 __func__
, (int) t
->algtype
);
119 if (t
->keytype
!= 0x0001) {
121 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 __func__
, (int) t
->keytype
);
125 if (t
->plfver
!= 0x00 && t
->plfver
!= 0x01) {
127 DBF("%s token check failed, unknown plfver 0x%02x\n",
128 __func__
, (int) t
->plfver
);
131 if (t
->wpllen
!= 512 && t
->wpllen
!= 576 && t
->wpllen
!= 640) {
133 DBF("%s token check failed, unknown wpllen %d\n",
134 __func__
, (int) t
->wpllen
);
137 if (keybitsize
> 0) {
138 switch (keybitsize
) {
140 if (t
->wpllen
!= (t
->plfver
? 640 : 512))
141 keybitsizeok
= false;
144 if (t
->wpllen
!= (t
->plfver
? 640 : 576))
145 keybitsizeok
= false;
148 if (t
->wpllen
!= 640)
149 keybitsizeok
= false;
152 keybitsizeok
= false;
157 DBF("%s token check failed, bitsize %d\n",
158 __func__
, keybitsize
);
162 if (checkcpacfexport
&& !(t
->kmf1
& KMF1_XPRT_CPAC
)) {
164 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
173 EXPORT_SYMBOL(cca_check_secaescipherkey
);
176 * Simple check if the token is a valid CCA secure ECC private
177 * key token. Returns 0 on success or errno value on failure.
179 int cca_check_sececckeytoken(debug_info_t
*dbg
, int dbflvl
,
180 const u8
*token
, size_t keysize
,
181 int checkcpacfexport
)
183 struct eccprivkeytoken
*t
= (struct eccprivkeytoken
*) token
;
185 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
187 if (t
->type
!= TOKTYPE_CCA_INTERNAL_PKA
) {
189 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
190 __func__
, (int) t
->type
, TOKTYPE_CCA_INTERNAL_PKA
);
193 if (t
->len
> keysize
) {
195 DBF("%s token check failed, len %d > keysize %zu\n",
196 __func__
, (int) t
->len
, keysize
);
199 if (t
->secid
!= 0x20) {
201 DBF("%s token check failed, secid 0x%02x != 0x20\n",
202 __func__
, (int) t
->secid
);
205 if (checkcpacfexport
&& !(t
->kutc
& 0x01)) {
207 DBF("%s token check failed, XPRTCPAC bit is 0\n",
216 EXPORT_SYMBOL(cca_check_sececckeytoken
);
219 * Allocate consecutive memory for request CPRB, request param
220 * block, reply CPRB and reply param block and fill in values
221 * for the common fields. Returns 0 on success or errno value
224 static int alloc_and_prep_cprbmem(size_t paramblen
,
226 struct CPRBX
**preqCPRB
,
227 struct CPRBX
**prepCPRB
)
230 size_t cprbplusparamblen
= sizeof(struct CPRBX
) + paramblen
;
231 struct CPRBX
*preqcblk
, *prepcblk
;
234 * allocate consecutive memory for request CPRB, request param
235 * block, reply CPRB and reply param block
237 cprbmem
= kcalloc(2, cprbplusparamblen
, GFP_KERNEL
);
241 preqcblk
= (struct CPRBX
*) cprbmem
;
242 prepcblk
= (struct CPRBX
*) (cprbmem
+ cprbplusparamblen
);
244 /* fill request cprb struct */
245 preqcblk
->cprb_len
= sizeof(struct CPRBX
);
246 preqcblk
->cprb_ver_id
= 0x02;
247 memcpy(preqcblk
->func_id
, "T2", 2);
248 preqcblk
->rpl_msgbl
= cprbplusparamblen
;
250 preqcblk
->req_parmb
=
251 ((u8 __user
*) preqcblk
) + sizeof(struct CPRBX
);
252 preqcblk
->rpl_parmb
=
253 ((u8 __user
*) prepcblk
) + sizeof(struct CPRBX
);
257 *preqCPRB
= preqcblk
;
258 *prepCPRB
= prepcblk
;
264 * Free the cprb memory allocated with the function above.
265 * If the scrub value is not zero, the memory is filled
266 * with zeros before freeing (useful if there was some
267 * clear key material in there).
269 static void free_cprbmem(void *mem
, size_t paramblen
, int scrub
)
272 memzero_explicit(mem
, 2 * (sizeof(struct CPRBX
) + paramblen
));
277 * Helper function to prepare the xcrb struct
279 static inline void prep_xcrb(struct ica_xcRB
*pxcrb
,
281 struct CPRBX
*preqcblk
,
282 struct CPRBX
*prepcblk
)
284 memset(pxcrb
, 0, sizeof(*pxcrb
));
285 pxcrb
->agent_ID
= 0x4341; /* 'CA' */
286 pxcrb
->user_defined
= (cardnr
== 0xFFFF ? AUTOSELECT
: cardnr
);
287 pxcrb
->request_control_blk_length
=
288 preqcblk
->cprb_len
+ preqcblk
->req_parml
;
289 pxcrb
->request_control_blk_addr
= (void __user
*) preqcblk
;
290 pxcrb
->reply_control_blk_length
= preqcblk
->rpl_msgbl
;
291 pxcrb
->reply_control_blk_addr
= (void __user
*) prepcblk
;
295 * Generate (random) CCA AES DATA secure key.
297 int cca_genseckey(u16 cardnr
, u16 domain
,
298 u32 keybitsize
, u8 seckey
[SECKEYBLOBSIZE
])
303 struct CPRBX
*preqcblk
, *prepcblk
;
304 struct ica_xcRB xcrb
;
320 u8 data
[SECKEYBLOBSIZE
];
323 } __packed
* preqparm
;
334 /* ... some more data ... */
337 } __packed
* prepparm
;
339 /* get already prepared memory for 2 cprbs with param block each */
340 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
344 /* fill request cprb struct */
345 preqcblk
->domain
= domain
;
347 /* fill request cprb param block with KG request */
348 preqparm
= (struct kgreqparm __force
*) preqcblk
->req_parmb
;
349 memcpy(preqparm
->subfunc_code
, "KG", 2);
350 preqparm
->rule_array_len
= sizeof(preqparm
->rule_array_len
);
351 preqparm
->lv1
.len
= sizeof(struct lv1
);
352 memcpy(preqparm
->lv1
.key_form
, "OP ", 8);
353 switch (keybitsize
) {
354 case PKEY_SIZE_AES_128
:
355 case PKEY_KEYTYPE_AES_128
: /* older ioctls used this */
357 memcpy(preqparm
->lv1
.key_length
, "KEYLN16 ", 8);
359 case PKEY_SIZE_AES_192
:
360 case PKEY_KEYTYPE_AES_192
: /* older ioctls used this */
362 memcpy(preqparm
->lv1
.key_length
, "KEYLN24 ", 8);
364 case PKEY_SIZE_AES_256
:
365 case PKEY_KEYTYPE_AES_256
: /* older ioctls used this */
367 memcpy(preqparm
->lv1
.key_length
, "KEYLN32 ", 8);
370 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
371 __func__
, keybitsize
);
375 memcpy(preqparm
->lv1
.key_type1
, "AESDATA ", 8);
376 preqparm
->lv2
.len
= sizeof(struct lv2
);
377 for (i
= 0; i
< 6; i
++) {
378 preqparm
->lv2
.keyid
[i
].len
= sizeof(struct keyid
);
379 preqparm
->lv2
.keyid
[i
].attr
= (i
== 2 ? 0x30 : 0x10);
381 preqcblk
->req_parml
= sizeof(struct kgreqparm
);
383 /* fill xcrb struct */
384 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
386 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
387 rc
= zcrypt_send_cprb(&xcrb
);
389 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
390 __func__
, (int) cardnr
, (int) domain
, rc
);
394 /* check response returncode and reasoncode */
395 if (prepcblk
->ccp_rtcode
!= 0) {
396 DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
398 (int) prepcblk
->ccp_rtcode
,
399 (int) prepcblk
->ccp_rscode
);
404 /* process response cprb param block */
405 ptr
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
406 prepcblk
->rpl_parmb
= (u8 __user
*) ptr
;
407 prepparm
= (struct kgrepparm
*) ptr
;
409 /* check length of the returned secure key token */
410 seckeysize
= prepparm
->lv3
.keyblock
.toklen
411 - sizeof(prepparm
->lv3
.keyblock
.toklen
)
412 - sizeof(prepparm
->lv3
.keyblock
.tokattr
);
413 if (seckeysize
!= SECKEYBLOBSIZE
) {
414 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
415 __func__
, seckeysize
, SECKEYBLOBSIZE
);
420 /* check secure key token */
421 rc
= cca_check_secaeskeytoken(zcrypt_dbf_info
, DBF_ERR
,
422 prepparm
->lv3
.keyblock
.tok
, 8*keysize
);
428 /* copy the generated secure key token */
429 memcpy(seckey
, prepparm
->lv3
.keyblock
.tok
, SECKEYBLOBSIZE
);
432 free_cprbmem(mem
, PARMBSIZE
, 0);
435 EXPORT_SYMBOL(cca_genseckey
);
438 * Generate an CCA AES DATA secure key with given key value.
440 int cca_clr2seckey(u16 cardnr
, u16 domain
, u32 keybitsize
,
441 const u8
*clrkey
, u8 seckey
[SECKEYBLOBSIZE
])
443 int rc
, keysize
, seckeysize
;
445 struct CPRBX
*preqcblk
, *prepcblk
;
446 struct ica_xcRB xcrb
;
460 u8 data
[SECKEYBLOBSIZE
];
463 } __packed
* preqparm
;
475 /* ... some more data ... */
478 } __packed
* prepparm
;
480 /* get already prepared memory for 2 cprbs with param block each */
481 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
485 /* fill request cprb struct */
486 preqcblk
->domain
= domain
;
488 /* fill request cprb param block with CM request */
489 preqparm
= (struct cmreqparm __force
*) preqcblk
->req_parmb
;
490 memcpy(preqparm
->subfunc_code
, "CM", 2);
491 memcpy(preqparm
->rule_array
, "AES ", 8);
492 preqparm
->rule_array_len
=
493 sizeof(preqparm
->rule_array_len
) + sizeof(preqparm
->rule_array
);
494 switch (keybitsize
) {
495 case PKEY_SIZE_AES_128
:
496 case PKEY_KEYTYPE_AES_128
: /* older ioctls used this */
499 case PKEY_SIZE_AES_192
:
500 case PKEY_KEYTYPE_AES_192
: /* older ioctls used this */
503 case PKEY_SIZE_AES_256
:
504 case PKEY_KEYTYPE_AES_256
: /* older ioctls used this */
508 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
509 __func__
, keybitsize
);
513 preqparm
->lv1
.len
= sizeof(struct lv1
) + keysize
;
514 memcpy(preqparm
->lv1
.clrkey
, clrkey
, keysize
);
515 plv2
= (struct lv2
*) (((u8
*) &preqparm
->lv2
) + keysize
);
516 plv2
->len
= sizeof(struct lv2
);
517 plv2
->keyid
.len
= sizeof(struct keyid
);
518 plv2
->keyid
.attr
= 0x30;
519 preqcblk
->req_parml
= sizeof(struct cmreqparm
) + keysize
;
521 /* fill xcrb struct */
522 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
524 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
525 rc
= zcrypt_send_cprb(&xcrb
);
527 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
528 __func__
, (int) cardnr
, (int) domain
, rc
);
532 /* check response returncode and reasoncode */
533 if (prepcblk
->ccp_rtcode
!= 0) {
534 DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
536 (int) prepcblk
->ccp_rtcode
,
537 (int) prepcblk
->ccp_rscode
);
542 /* process response cprb param block */
543 ptr
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
544 prepcblk
->rpl_parmb
= (u8 __user
*) ptr
;
545 prepparm
= (struct cmrepparm
*) ptr
;
547 /* check length of the returned secure key token */
548 seckeysize
= prepparm
->lv3
.keyblock
.toklen
549 - sizeof(prepparm
->lv3
.keyblock
.toklen
)
550 - sizeof(prepparm
->lv3
.keyblock
.tokattr
);
551 if (seckeysize
!= SECKEYBLOBSIZE
) {
552 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
553 __func__
, seckeysize
, SECKEYBLOBSIZE
);
558 /* check secure key token */
559 rc
= cca_check_secaeskeytoken(zcrypt_dbf_info
, DBF_ERR
,
560 prepparm
->lv3
.keyblock
.tok
, 8*keysize
);
566 /* copy the generated secure key token */
568 memcpy(seckey
, prepparm
->lv3
.keyblock
.tok
, SECKEYBLOBSIZE
);
571 free_cprbmem(mem
, PARMBSIZE
, 1);
574 EXPORT_SYMBOL(cca_clr2seckey
);
577 * Derive proteced key from an CCA AES DATA secure key.
579 int cca_sec2protkey(u16 cardnr
, u16 domain
,
580 const u8 seckey
[SECKEYBLOBSIZE
],
581 u8
*protkey
, u32
*protkeylen
, u32
*protkeytype
)
585 struct CPRBX
*preqcblk
, *prepcblk
;
586 struct ica_xcRB xcrb
;
599 u8 token
[0]; /* cca secure key token */
601 } __packed
* preqparm
;
609 struct cpacfkeyblock
{
610 u8 version
; /* version of this struct */
616 u8 key
[64]; /* the key (len bytes) */
621 u8 vp
[32]; /* verification pattern */
624 } __packed
* prepparm
;
626 /* get already prepared memory for 2 cprbs with param block each */
627 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
631 /* fill request cprb struct */
632 preqcblk
->domain
= domain
;
634 /* fill request cprb param block with USK request */
635 preqparm
= (struct uskreqparm __force
*) preqcblk
->req_parmb
;
636 memcpy(preqparm
->subfunc_code
, "US", 2);
637 preqparm
->rule_array_len
= sizeof(preqparm
->rule_array_len
);
638 preqparm
->lv1
.len
= sizeof(struct lv1
);
639 preqparm
->lv1
.attr_len
= sizeof(struct lv1
) - sizeof(preqparm
->lv1
.len
);
640 preqparm
->lv1
.attr_flags
= 0x0001;
641 preqparm
->lv2
.len
= sizeof(struct lv2
) + SECKEYBLOBSIZE
;
642 preqparm
->lv2
.attr_len
= sizeof(struct lv2
)
643 - sizeof(preqparm
->lv2
.len
) + SECKEYBLOBSIZE
;
644 preqparm
->lv2
.attr_flags
= 0x0000;
645 memcpy(preqparm
->lv2
.token
, seckey
, SECKEYBLOBSIZE
);
646 preqcblk
->req_parml
= sizeof(struct uskreqparm
) + SECKEYBLOBSIZE
;
648 /* fill xcrb struct */
649 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
651 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
652 rc
= zcrypt_send_cprb(&xcrb
);
654 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
655 __func__
, (int) cardnr
, (int) domain
, rc
);
659 /* check response returncode and reasoncode */
660 if (prepcblk
->ccp_rtcode
!= 0) {
661 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
663 (int) prepcblk
->ccp_rtcode
,
664 (int) prepcblk
->ccp_rscode
);
668 if (prepcblk
->ccp_rscode
!= 0) {
669 DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
671 (int) prepcblk
->ccp_rtcode
,
672 (int) prepcblk
->ccp_rscode
);
675 /* process response cprb param block */
676 ptr
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
677 prepcblk
->rpl_parmb
= (u8 __user
*) ptr
;
678 prepparm
= (struct uskrepparm
*) ptr
;
680 /* check the returned keyblock */
681 if (prepparm
->lv3
.ckb
.version
!= 0x01 &&
682 prepparm
->lv3
.ckb
.version
!= 0x02) {
683 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
684 __func__
, (int) prepparm
->lv3
.ckb
.version
);
689 /* copy the tanslated protected key */
690 switch (prepparm
->lv3
.ckb
.len
) {
692 /* AES 128 protected key */
694 *protkeytype
= PKEY_KEYTYPE_AES_128
;
697 /* AES 192 protected key */
699 *protkeytype
= PKEY_KEYTYPE_AES_192
;
702 /* AES 256 protected key */
704 *protkeytype
= PKEY_KEYTYPE_AES_256
;
707 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
708 __func__
, prepparm
->lv3
.ckb
.len
);
712 memcpy(protkey
, prepparm
->lv3
.ckb
.key
, prepparm
->lv3
.ckb
.len
);
714 *protkeylen
= prepparm
->lv3
.ckb
.len
;
717 free_cprbmem(mem
, PARMBSIZE
, 0);
720 EXPORT_SYMBOL(cca_sec2protkey
);
723 * AES cipher key skeleton created with CSNBKTB2 with these flags:
724 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
725 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
726 * used by cca_gencipherkey() and cca_clr2cipherkey().
728 static const u8 aes_cipher_key_skeleton
[] = {
729 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
731 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
733 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
734 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
735 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
736 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
739 * Generate (random) CCA AES CIPHER secure key.
741 int cca_gencipherkey(u16 cardnr
, u16 domain
, u32 keybitsize
, u32 keygenflags
,
742 u8
*keybuf
, size_t *keybufsize
)
746 struct CPRBX
*preqcblk
, *prepcblk
;
747 struct ica_xcRB xcrb
;
751 char rule_array
[2*8];
756 u16 clear_key_bit_len
;
781 u8 gen_key_id_1
[SIZEOF_SKELETON
];
786 u8 gen_key_id_1_label
[0];
796 u8 gen_key_id_2_label
[0];
799 } __packed
* preqparm
;
811 u8 gen_key
[0]; /* 120-136 bytes */
814 } __packed
* prepparm
;
815 struct cipherkeytoken
*t
;
817 /* get already prepared memory for 2 cprbs with param block each */
818 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
822 /* fill request cprb struct */
823 preqcblk
->domain
= domain
;
824 preqcblk
->req_parml
= sizeof(struct gkreqparm
);
826 /* prepare request param block with GK request */
827 preqparm
= (struct gkreqparm __force
*) preqcblk
->req_parmb
;
828 memcpy(preqparm
->subfunc_code
, "GK", 2);
829 preqparm
->rule_array_len
= sizeof(uint16_t) + 2 * 8;
830 memcpy(preqparm
->rule_array
, "AES OP ", 2*8);
832 /* prepare vud block */
833 preqparm
->vud
.len
= sizeof(preqparm
->vud
);
834 switch (keybitsize
) {
841 "%s unknown/unsupported keybitsize %d\n",
842 __func__
, keybitsize
);
846 preqparm
->vud
.clear_key_bit_len
= keybitsize
;
847 memcpy(preqparm
->vud
.key_type_1
, "TOKEN ", 8);
848 memset(preqparm
->vud
.key_type_2
, ' ', sizeof(preqparm
->vud
.key_type_2
));
850 /* prepare kb block */
851 preqparm
->kb
.len
= sizeof(preqparm
->kb
);
852 preqparm
->kb
.tlv1
.len
= sizeof(preqparm
->kb
.tlv1
);
853 preqparm
->kb
.tlv1
.flag
= 0x0030;
854 preqparm
->kb
.tlv2
.len
= sizeof(preqparm
->kb
.tlv2
);
855 preqparm
->kb
.tlv2
.flag
= 0x0030;
856 preqparm
->kb
.tlv3
.len
= sizeof(preqparm
->kb
.tlv3
);
857 preqparm
->kb
.tlv3
.flag
= 0x0030;
858 memcpy(preqparm
->kb
.tlv3
.gen_key_id_1
,
859 aes_cipher_key_skeleton
, SIZEOF_SKELETON
);
860 preqparm
->kb
.tlv4
.len
= sizeof(preqparm
->kb
.tlv4
);
861 preqparm
->kb
.tlv4
.flag
= 0x0030;
862 preqparm
->kb
.tlv5
.len
= sizeof(preqparm
->kb
.tlv5
);
863 preqparm
->kb
.tlv5
.flag
= 0x0030;
864 preqparm
->kb
.tlv6
.len
= sizeof(preqparm
->kb
.tlv6
);
865 preqparm
->kb
.tlv6
.flag
= 0x0030;
867 /* patch the skeleton key token export flags inside the kb block */
869 t
= (struct cipherkeytoken
*) preqparm
->kb
.tlv3
.gen_key_id_1
;
870 t
->kmf1
|= (u16
) (keygenflags
& 0x0000FF00);
871 t
->kmf1
&= (u16
) ~(keygenflags
& 0x000000FF);
874 /* prepare xcrb struct */
875 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
877 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
878 rc
= zcrypt_send_cprb(&xcrb
);
881 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
882 __func__
, (int) cardnr
, (int) domain
, rc
);
886 /* check response returncode and reasoncode */
887 if (prepcblk
->ccp_rtcode
!= 0) {
889 "%s cipher key generate failure, card response %d/%d\n",
891 (int) prepcblk
->ccp_rtcode
,
892 (int) prepcblk
->ccp_rscode
);
897 /* process response cprb param block */
898 ptr
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
899 prepcblk
->rpl_parmb
= (u8 __user
*) ptr
;
900 prepparm
= (struct gkrepparm
*) ptr
;
902 /* do some plausibility checks on the key block */
903 if (prepparm
->kb
.len
< 120 + 5 * sizeof(uint16_t) ||
904 prepparm
->kb
.len
> 136 + 5 * sizeof(uint16_t)) {
905 DEBUG_ERR("%s reply with invalid or unknown key block\n",
911 /* and some checks on the generated key */
912 rc
= cca_check_secaescipherkey(zcrypt_dbf_info
, DBF_ERR
,
913 prepparm
->kb
.tlv1
.gen_key
,
920 /* copy the generated vlsc key token */
921 t
= (struct cipherkeytoken
*) prepparm
->kb
.tlv1
.gen_key
;
923 if (*keybufsize
>= t
->len
)
924 memcpy(keybuf
, t
, t
->len
);
928 *keybufsize
= t
->len
;
931 free_cprbmem(mem
, PARMBSIZE
, 0);
934 EXPORT_SYMBOL(cca_gencipherkey
);
937 * Helper function, does a the CSNBKPI2 CPRB.
939 static int _ip_cprb_helper(u16 cardnr
, u16 domain
,
940 const char *rule_array_1
,
941 const char *rule_array_2
,
942 const char *rule_array_3
,
943 const u8
*clr_key_value
,
944 int clr_key_bit_size
,
950 struct CPRBX
*preqcblk
, *prepcblk
;
951 struct ica_xcRB xcrb
;
952 struct rule_array_block
{
956 } __packed
* preq_ra_block
;
961 u16 flag
; /* 0x0064 */
966 u16 flag
; /* 0x0063 */
967 u8 clr_key
[0]; /* clear key value bytes */
969 } __packed
* preq_vud_block
;
974 u16 flag
; /* 0x0030 */
975 u8 key_token
[0]; /* key skeleton */
977 } __packed
* preq_key_block
;
988 u16 flag
; /* 0x0030 */
989 u8 key_token
[0]; /* key token */
992 } __packed
* prepparm
;
993 struct cipherkeytoken
*t
;
994 int complete
= strncmp(rule_array_2
, "COMPLETE", 8) ? 0 : 1;
996 /* get already prepared memory for 2 cprbs with param block each */
997 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
1001 /* fill request cprb struct */
1002 preqcblk
->domain
= domain
;
1003 preqcblk
->req_parml
= 0;
1005 /* prepare request param block with IP request */
1006 preq_ra_block
= (struct rule_array_block __force
*) preqcblk
->req_parmb
;
1007 memcpy(preq_ra_block
->subfunc_code
, "IP", 2);
1008 preq_ra_block
->rule_array_len
= sizeof(uint16_t) + 2 * 8;
1009 memcpy(preq_ra_block
->rule_array
, rule_array_1
, 8);
1010 memcpy(preq_ra_block
->rule_array
+ 8, rule_array_2
, 8);
1011 preqcblk
->req_parml
= sizeof(struct rule_array_block
) + 2 * 8;
1013 preq_ra_block
->rule_array_len
+= 8;
1014 memcpy(preq_ra_block
->rule_array
+ 16, rule_array_3
, 8);
1015 preqcblk
->req_parml
+= 8;
1018 /* prepare vud block */
1019 preq_vud_block
= (struct vud_block __force
*)
1020 (preqcblk
->req_parmb
+ preqcblk
->req_parml
);
1021 n
= complete
? 0 : (clr_key_bit_size
+ 7) / 8;
1022 preq_vud_block
->len
= sizeof(struct vud_block
) + n
;
1023 preq_vud_block
->tlv1
.len
= sizeof(preq_vud_block
->tlv1
);
1024 preq_vud_block
->tlv1
.flag
= 0x0064;
1025 preq_vud_block
->tlv1
.clr_key_bit_len
= complete
? 0 : clr_key_bit_size
;
1026 preq_vud_block
->tlv2
.len
= sizeof(preq_vud_block
->tlv2
) + n
;
1027 preq_vud_block
->tlv2
.flag
= 0x0063;
1029 memcpy(preq_vud_block
->tlv2
.clr_key
, clr_key_value
, n
);
1030 preqcblk
->req_parml
+= preq_vud_block
->len
;
1032 /* prepare key block */
1033 preq_key_block
= (struct key_block __force
*)
1034 (preqcblk
->req_parmb
+ preqcblk
->req_parml
);
1035 n
= *key_token_size
;
1036 preq_key_block
->len
= sizeof(struct key_block
) + n
;
1037 preq_key_block
->tlv1
.len
= sizeof(preq_key_block
->tlv1
) + n
;
1038 preq_key_block
->tlv1
.flag
= 0x0030;
1039 memcpy(preq_key_block
->tlv1
.key_token
, key_token
, *key_token_size
);
1040 preqcblk
->req_parml
+= preq_key_block
->len
;
1042 /* prepare xcrb struct */
1043 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
1045 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1046 rc
= zcrypt_send_cprb(&xcrb
);
1049 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1050 __func__
, (int) cardnr
, (int) domain
, rc
);
1054 /* check response returncode and reasoncode */
1055 if (prepcblk
->ccp_rtcode
!= 0) {
1057 "%s CSNBKPI2 failure, card response %d/%d\n",
1059 (int) prepcblk
->ccp_rtcode
,
1060 (int) prepcblk
->ccp_rscode
);
1065 /* process response cprb param block */
1066 ptr
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
1067 prepcblk
->rpl_parmb
= (u8 __user
*) ptr
;
1068 prepparm
= (struct iprepparm
*) ptr
;
1070 /* do some plausibility checks on the key block */
1071 if (prepparm
->kb
.len
< 120 + 3 * sizeof(uint16_t) ||
1072 prepparm
->kb
.len
> 136 + 3 * sizeof(uint16_t)) {
1073 DEBUG_ERR("%s reply with invalid or unknown key block\n",
1079 /* do not check the key here, it may be incomplete */
1081 /* copy the vlsc key token back */
1082 t
= (struct cipherkeytoken
*) prepparm
->kb
.tlv1
.key_token
;
1083 memcpy(key_token
, t
, t
->len
);
1084 *key_token_size
= t
->len
;
1087 free_cprbmem(mem
, PARMBSIZE
, 0);
1092 * Build CCA AES CIPHER secure key with a given clear key value.
1094 int cca_clr2cipherkey(u16 card
, u16 dom
, u32 keybitsize
, u32 keygenflags
,
1095 const u8
*clrkey
, u8
*keybuf
, size_t *keybufsize
)
1101 struct cipherkeytoken
*t
;
1103 /* fill exorbuf with random data */
1104 get_random_bytes(exorbuf
, sizeof(exorbuf
));
1106 /* allocate space for the key token to build */
1107 token
= kmalloc(MAXCCAVLSCTOKENSIZE
, GFP_KERNEL
);
1111 /* prepare the token with the key skeleton */
1112 tokensize
= SIZEOF_SKELETON
;
1113 memcpy(token
, aes_cipher_key_skeleton
, tokensize
);
1115 /* patch the skeleton key token export flags */
1117 t
= (struct cipherkeytoken
*) token
;
1118 t
->kmf1
|= (u16
) (keygenflags
& 0x0000FF00);
1119 t
->kmf1
&= (u16
) ~(keygenflags
& 0x000000FF);
1123 * Do the key import with the clear key value in 4 steps:
1124 * 1/4 FIRST import with only random data
1125 * 2/4 EXOR the clear key
1126 * 3/4 EXOR the very same random data again
1127 * 4/4 COMPLETE the secure cipher key import
1129 rc
= _ip_cprb_helper(card
, dom
, "AES ", "FIRST ", "MIN3PART",
1130 exorbuf
, keybitsize
, token
, &tokensize
);
1133 "%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1137 rc
= _ip_cprb_helper(card
, dom
, "AES ", "ADD-PART", NULL
,
1138 clrkey
, keybitsize
, token
, &tokensize
);
1141 "%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1145 rc
= _ip_cprb_helper(card
, dom
, "AES ", "ADD-PART", NULL
,
1146 exorbuf
, keybitsize
, token
, &tokensize
);
1149 "%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1153 rc
= _ip_cprb_helper(card
, dom
, "AES ", "COMPLETE", NULL
,
1154 NULL
, keybitsize
, token
, &tokensize
);
1157 "%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1162 /* copy the generated key token */
1164 if (tokensize
> *keybufsize
)
1167 memcpy(keybuf
, token
, tokensize
);
1169 *keybufsize
= tokensize
;
1175 EXPORT_SYMBOL(cca_clr2cipherkey
);
1178 * Derive proteced key from CCA AES cipher secure key.
1180 int cca_cipher2protkey(u16 cardnr
, u16 domain
, const u8
*ckey
,
1181 u8
*protkey
, u32
*protkeylen
, u32
*protkeytype
)
1185 struct CPRBX
*preqcblk
, *prepcblk
;
1186 struct ica_xcRB xcrb
;
1199 u16 cca_key_token_len
;
1200 u16 cca_key_token_flags
;
1201 u8 cca_key_token
[0]; // 64 or more
1203 } __packed
* preqparm
;
1211 struct cpacfkeyblock
{
1212 u8 version
; /* version of this struct */
1218 u8 key
[64]; /* the key (keylen bytes) */
1223 u8 vp
[32]; /* verification pattern */
1229 } __packed
* prepparm
;
1230 int keytoklen
= ((struct cipherkeytoken
*)ckey
)->len
;
1232 /* get already prepared memory for 2 cprbs with param block each */
1233 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
1237 /* fill request cprb struct */
1238 preqcblk
->domain
= domain
;
1240 /* fill request cprb param block with AU request */
1241 preqparm
= (struct aureqparm __force
*) preqcblk
->req_parmb
;
1242 memcpy(preqparm
->subfunc_code
, "AU", 2);
1243 preqparm
->rule_array_len
=
1244 sizeof(preqparm
->rule_array_len
)
1245 + sizeof(preqparm
->rule_array
);
1246 memcpy(preqparm
->rule_array
, "EXPT-SK ", 8);
1248 preqparm
->vud
.len
= sizeof(preqparm
->vud
);
1249 preqparm
->vud
.tk_blob_len
= sizeof(preqparm
->vud
.tk_blob
)
1250 + 2 * sizeof(uint16_t);
1251 preqparm
->vud
.tk_blob_tag
= 0x00C2;
1253 preqparm
->kb
.len
= keytoklen
+ 3 * sizeof(uint16_t);
1254 preqparm
->kb
.cca_key_token_len
= keytoklen
+ 2 * sizeof(uint16_t);
1255 memcpy(preqparm
->kb
.cca_key_token
, ckey
, keytoklen
);
1256 /* now fill length of param block into cprb */
1257 preqcblk
->req_parml
= sizeof(struct aureqparm
) + keytoklen
;
1259 /* fill xcrb struct */
1260 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
1262 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1263 rc
= zcrypt_send_cprb(&xcrb
);
1266 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1267 __func__
, (int) cardnr
, (int) domain
, rc
);
1271 /* check response returncode and reasoncode */
1272 if (prepcblk
->ccp_rtcode
!= 0) {
1274 "%s unwrap secure key failure, card response %d/%d\n",
1276 (int) prepcblk
->ccp_rtcode
,
1277 (int) prepcblk
->ccp_rscode
);
1281 if (prepcblk
->ccp_rscode
!= 0) {
1283 "%s unwrap secure key warning, card response %d/%d\n",
1285 (int) prepcblk
->ccp_rtcode
,
1286 (int) prepcblk
->ccp_rscode
);
1289 /* process response cprb param block */
1290 ptr
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
1291 prepcblk
->rpl_parmb
= (u8 __user
*) ptr
;
1292 prepparm
= (struct aurepparm
*) ptr
;
1294 /* check the returned keyblock */
1295 if (prepparm
->vud
.ckb
.version
!= 0x01 &&
1296 prepparm
->vud
.ckb
.version
!= 0x02) {
1297 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1298 __func__
, (int) prepparm
->vud
.ckb
.version
);
1302 if (prepparm
->vud
.ckb
.algo
!= 0x02) {
1304 "%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1305 __func__
, (int) prepparm
->vud
.ckb
.algo
);
1310 /* copy the translated protected key */
1311 switch (prepparm
->vud
.ckb
.keylen
) {
1313 /* AES 128 protected key */
1315 *protkeytype
= PKEY_KEYTYPE_AES_128
;
1318 /* AES 192 protected key */
1320 *protkeytype
= PKEY_KEYTYPE_AES_192
;
1323 /* AES 256 protected key */
1325 *protkeytype
= PKEY_KEYTYPE_AES_256
;
1328 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1329 __func__
, prepparm
->vud
.ckb
.keylen
);
1333 memcpy(protkey
, prepparm
->vud
.ckb
.key
, prepparm
->vud
.ckb
.keylen
);
1335 *protkeylen
= prepparm
->vud
.ckb
.keylen
;
1338 free_cprbmem(mem
, PARMBSIZE
, 0);
1341 EXPORT_SYMBOL(cca_cipher2protkey
);
1344 * Derive protected key from CCA ECC secure private key.
1346 int cca_ecc2protkey(u16 cardnr
, u16 domain
, const u8
*key
,
1347 u8
*protkey
, u32
*protkeylen
, u32
*protkeytype
)
1351 struct CPRBX
*preqcblk
, *prepcblk
;
1352 struct ica_xcRB xcrb
;
1365 u16 cca_key_token_len
;
1366 u16 cca_key_token_flags
;
1367 u8 cca_key_token
[0];
1369 } __packed
* preqparm
;
1377 struct cpacfkeyblock
{
1378 u8 version
; /* version of this struct */
1384 u8 key
[0]; /* the key (keylen bytes) */
1389 u8 vp
[32]; /* verification pattern */
1395 } __packed
* prepparm
;
1396 int keylen
= ((struct eccprivkeytoken
*)key
)->len
;
1398 /* get already prepared memory for 2 cprbs with param block each */
1399 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
1403 /* fill request cprb struct */
1404 preqcblk
->domain
= domain
;
1406 /* fill request cprb param block with AU request */
1407 preqparm
= (struct aureqparm __force
*) preqcblk
->req_parmb
;
1408 memcpy(preqparm
->subfunc_code
, "AU", 2);
1409 preqparm
->rule_array_len
=
1410 sizeof(preqparm
->rule_array_len
)
1411 + sizeof(preqparm
->rule_array
);
1412 memcpy(preqparm
->rule_array
, "EXPT-SK ", 8);
1414 preqparm
->vud
.len
= sizeof(preqparm
->vud
);
1415 preqparm
->vud
.tk_blob_len
= sizeof(preqparm
->vud
.tk_blob
)
1416 + 2 * sizeof(uint16_t);
1417 preqparm
->vud
.tk_blob_tag
= 0x00C2;
1419 preqparm
->kb
.len
= keylen
+ 3 * sizeof(uint16_t);
1420 preqparm
->kb
.cca_key_token_len
= keylen
+ 2 * sizeof(uint16_t);
1421 memcpy(preqparm
->kb
.cca_key_token
, key
, keylen
);
1422 /* now fill length of param block into cprb */
1423 preqcblk
->req_parml
= sizeof(struct aureqparm
) + keylen
;
1425 /* fill xcrb struct */
1426 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
1428 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1429 rc
= zcrypt_send_cprb(&xcrb
);
1432 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1433 __func__
, (int) cardnr
, (int) domain
, rc
);
1437 /* check response returncode and reasoncode */
1438 if (prepcblk
->ccp_rtcode
!= 0) {
1440 "%s unwrap secure key failure, card response %d/%d\n",
1442 (int) prepcblk
->ccp_rtcode
,
1443 (int) prepcblk
->ccp_rscode
);
1447 if (prepcblk
->ccp_rscode
!= 0) {
1449 "%s unwrap secure key warning, card response %d/%d\n",
1451 (int) prepcblk
->ccp_rtcode
,
1452 (int) prepcblk
->ccp_rscode
);
1455 /* process response cprb param block */
1456 ptr
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
1457 prepcblk
->rpl_parmb
= (u8 __user
*) ptr
;
1458 prepparm
= (struct aurepparm
*) ptr
;
1460 /* check the returned keyblock */
1461 if (prepparm
->vud
.ckb
.version
!= 0x02) {
1462 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x != 0x02\n",
1463 __func__
, (int) prepparm
->vud
.ckb
.version
);
1467 if (prepparm
->vud
.ckb
.algo
!= 0x81) {
1469 "%s reply param keyblock algo mismatch 0x%02x != 0x81\n",
1470 __func__
, (int) prepparm
->vud
.ckb
.algo
);
1475 /* copy the translated protected key */
1476 if (prepparm
->vud
.ckb
.keylen
> *protkeylen
) {
1477 DEBUG_ERR("%s prot keylen mismatch %d > buffersize %u\n",
1478 __func__
, prepparm
->vud
.ckb
.keylen
, *protkeylen
);
1482 memcpy(protkey
, prepparm
->vud
.ckb
.key
, prepparm
->vud
.ckb
.keylen
);
1483 *protkeylen
= prepparm
->vud
.ckb
.keylen
;
1485 *protkeytype
= PKEY_KEYTYPE_ECC
;
1488 free_cprbmem(mem
, PARMBSIZE
, 0);
1491 EXPORT_SYMBOL(cca_ecc2protkey
);
1494 * query cryptographic facility from CCA adapter
1496 int cca_query_crypto_facility(u16 cardnr
, u16 domain
,
1497 const char *keyword
,
1498 u8
*rarray
, size_t *rarraylen
,
1499 u8
*varray
, size_t *varraylen
)
1504 struct CPRBX
*preqcblk
, *prepcblk
;
1505 struct ica_xcRB xcrb
;
1512 u8 data
[VARDATASIZE
];
1515 } __packed
* preqparm
;
1516 size_t parmbsize
= sizeof(struct fqreqparm
);
1520 } __packed
* prepparm
;
1522 /* get already prepared memory for 2 cprbs with param block each */
1523 rc
= alloc_and_prep_cprbmem(parmbsize
, &mem
, &preqcblk
, &prepcblk
);
1527 /* fill request cprb struct */
1528 preqcblk
->domain
= domain
;
1530 /* fill request cprb param block with FQ request */
1531 preqparm
= (struct fqreqparm __force
*) preqcblk
->req_parmb
;
1532 memcpy(preqparm
->subfunc_code
, "FQ", 2);
1533 memcpy(preqparm
->rule_array
, keyword
, sizeof(preqparm
->rule_array
));
1534 preqparm
->rule_array_len
=
1535 sizeof(preqparm
->rule_array_len
) + sizeof(preqparm
->rule_array
);
1536 preqparm
->lv1
.len
= sizeof(preqparm
->lv1
);
1537 preqparm
->dummylen
= sizeof(preqparm
->dummylen
);
1538 preqcblk
->req_parml
= parmbsize
;
1540 /* fill xcrb struct */
1541 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
1543 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1544 rc
= zcrypt_send_cprb(&xcrb
);
1546 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1547 __func__
, (int) cardnr
, (int) domain
, rc
);
1551 /* check response returncode and reasoncode */
1552 if (prepcblk
->ccp_rtcode
!= 0) {
1553 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1555 (int) prepcblk
->ccp_rtcode
,
1556 (int) prepcblk
->ccp_rscode
);
1561 /* process response cprb param block */
1562 ptr
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
1563 prepcblk
->rpl_parmb
= (u8 __user
*) ptr
;
1564 prepparm
= (struct fqrepparm
*) ptr
;
1565 ptr
= prepparm
->lvdata
;
1567 /* check and possibly copy reply rule array */
1568 len
= *((u16
*) ptr
);
1569 if (len
> sizeof(u16
)) {
1572 if (rarray
&& rarraylen
&& *rarraylen
> 0) {
1573 *rarraylen
= (len
> *rarraylen
? *rarraylen
: len
);
1574 memcpy(rarray
, ptr
, *rarraylen
);
1578 /* check and possible copy reply var array */
1579 len
= *((u16
*) ptr
);
1580 if (len
> sizeof(u16
)) {
1583 if (varray
&& varraylen
&& *varraylen
> 0) {
1584 *varraylen
= (len
> *varraylen
? *varraylen
: len
);
1585 memcpy(varray
, ptr
, *varraylen
);
1591 free_cprbmem(mem
, parmbsize
, 0);
1594 EXPORT_SYMBOL(cca_query_crypto_facility
);
1596 static int cca_info_cache_fetch(u16 cardnr
, u16 domain
, struct cca_info
*ci
)
1599 struct cca_info_list_entry
*ptr
;
1601 spin_lock_bh(&cca_info_list_lock
);
1602 list_for_each_entry(ptr
, &cca_info_list
, list
) {
1603 if (ptr
->cardnr
== cardnr
&& ptr
->domain
== domain
) {
1604 memcpy(ci
, &ptr
->info
, sizeof(*ci
));
1609 spin_unlock_bh(&cca_info_list_lock
);
1614 static void cca_info_cache_update(u16 cardnr
, u16 domain
,
1615 const struct cca_info
*ci
)
1618 struct cca_info_list_entry
*ptr
;
1620 spin_lock_bh(&cca_info_list_lock
);
1621 list_for_each_entry(ptr
, &cca_info_list
, list
) {
1622 if (ptr
->cardnr
== cardnr
&&
1623 ptr
->domain
== domain
) {
1624 memcpy(&ptr
->info
, ci
, sizeof(*ci
));
1630 ptr
= kmalloc(sizeof(*ptr
), GFP_ATOMIC
);
1632 spin_unlock_bh(&cca_info_list_lock
);
1635 ptr
->cardnr
= cardnr
;
1636 ptr
->domain
= domain
;
1637 memcpy(&ptr
->info
, ci
, sizeof(*ci
));
1638 list_add(&ptr
->list
, &cca_info_list
);
1640 spin_unlock_bh(&cca_info_list_lock
);
1643 static void cca_info_cache_scrub(u16 cardnr
, u16 domain
)
1645 struct cca_info_list_entry
*ptr
;
1647 spin_lock_bh(&cca_info_list_lock
);
1648 list_for_each_entry(ptr
, &cca_info_list
, list
) {
1649 if (ptr
->cardnr
== cardnr
&&
1650 ptr
->domain
== domain
) {
1651 list_del(&ptr
->list
);
1656 spin_unlock_bh(&cca_info_list_lock
);
1659 static void __exit
mkvp_cache_free(void)
1661 struct cca_info_list_entry
*ptr
, *pnext
;
1663 spin_lock_bh(&cca_info_list_lock
);
1664 list_for_each_entry_safe(ptr
, pnext
, &cca_info_list
, list
) {
1665 list_del(&ptr
->list
);
1668 spin_unlock_bh(&cca_info_list_lock
);
1672 * Fetch cca_info values via query_crypto_facility from adapter.
1674 static int fetch_cca_info(u16 cardnr
, u16 domain
, struct cca_info
*ci
)
1678 u8
*rarray
, *varray
, *pg
;
1679 struct zcrypt_device_status_ext devstat
;
1681 memset(ci
, 0, sizeof(*ci
));
1683 /* get first info from zcrypt device driver about this apqn */
1684 rc
= zcrypt_device_status_ext(cardnr
, domain
, &devstat
);
1687 ci
->hwtype
= devstat
.hwtype
;
1689 /* prep page for rule array and var array use */
1690 pg
= (u8
*) __get_free_page(GFP_KERNEL
);
1694 varray
= pg
+ PAGE_SIZE
/2;
1695 rlen
= vlen
= PAGE_SIZE
/2;
1697 /* QF for this card/domain */
1698 rc
= cca_query_crypto_facility(cardnr
, domain
, "STATICSA",
1699 rarray
, &rlen
, varray
, &vlen
);
1700 if (rc
== 0 && rlen
>= 10*8 && vlen
>= 204) {
1701 memcpy(ci
->serial
, rarray
, 8);
1702 ci
->new_aes_mk_state
= (char) rarray
[7*8];
1703 ci
->cur_aes_mk_state
= (char) rarray
[8*8];
1704 ci
->old_aes_mk_state
= (char) rarray
[9*8];
1705 if (ci
->old_aes_mk_state
== '2')
1706 memcpy(&ci
->old_aes_mkvp
, varray
+ 172, 8);
1707 if (ci
->cur_aes_mk_state
== '2')
1708 memcpy(&ci
->cur_aes_mkvp
, varray
+ 184, 8);
1709 if (ci
->new_aes_mk_state
== '3')
1710 memcpy(&ci
->new_aes_mkvp
, varray
+ 196, 8);
1715 rlen
= vlen
= PAGE_SIZE
/2;
1716 rc
= cca_query_crypto_facility(cardnr
, domain
, "STATICSB",
1717 rarray
, &rlen
, varray
, &vlen
);
1718 if (rc
== 0 && rlen
>= 10*8 && vlen
>= 240) {
1719 ci
->new_apka_mk_state
= (char) rarray
[7*8];
1720 ci
->cur_apka_mk_state
= (char) rarray
[8*8];
1721 ci
->old_apka_mk_state
= (char) rarray
[9*8];
1722 if (ci
->old_apka_mk_state
== '2')
1723 memcpy(&ci
->old_apka_mkvp
, varray
+ 208, 8);
1724 if (ci
->cur_apka_mk_state
== '2')
1725 memcpy(&ci
->cur_apka_mkvp
, varray
+ 220, 8);
1726 if (ci
->new_apka_mk_state
== '3')
1727 memcpy(&ci
->new_apka_mkvp
, varray
+ 232, 8);
1732 free_page((unsigned long) pg
);
1733 return found
== 2 ? 0 : -ENOENT
;
1737 * Fetch cca information about a CCA queue.
1739 int cca_get_info(u16 card
, u16 dom
, struct cca_info
*ci
, int verify
)
1743 rc
= cca_info_cache_fetch(card
, dom
, ci
);
1745 rc
= fetch_cca_info(card
, dom
, ci
);
1747 cca_info_cache_update(card
, dom
, ci
);
1752 EXPORT_SYMBOL(cca_get_info
);
1755 * Search for a matching crypto card based on the
1756 * Master Key Verification Pattern given.
1758 static int findcard(u64 mkvp
, u16
*pcardnr
, u16
*pdomain
,
1759 int verify
, int minhwtype
)
1761 struct zcrypt_device_status_ext
*device_status
;
1766 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1767 if (mkvp
== 0 || minhwtype
< 0)
1770 /* fetch status of all crypto cards */
1771 device_status
= kvmalloc_array(MAX_ZDEV_ENTRIES_EXT
,
1772 sizeof(struct zcrypt_device_status_ext
),
1776 zcrypt_device_status_mask_ext(device_status
);
1778 /* walk through all crypto cards */
1779 for (i
= 0; i
< MAX_ZDEV_ENTRIES_EXT
; i
++) {
1780 card
= AP_QID_CARD(device_status
[i
].qid
);
1781 dom
= AP_QID_QUEUE(device_status
[i
].qid
);
1782 if (device_status
[i
].online
&&
1783 device_status
[i
].functions
& 0x04) {
1784 /* enabled CCA card, check current mkvp from cache */
1785 if (cca_info_cache_fetch(card
, dom
, &ci
) == 0 &&
1786 ci
.hwtype
>= minhwtype
&&
1787 ci
.cur_aes_mk_state
== '2' &&
1788 ci
.cur_aes_mkvp
== mkvp
) {
1791 /* verify: refresh card info */
1792 if (fetch_cca_info(card
, dom
, &ci
) == 0) {
1793 cca_info_cache_update(card
, dom
, &ci
);
1794 if (ci
.hwtype
>= minhwtype
&&
1795 ci
.cur_aes_mk_state
== '2' &&
1796 ci
.cur_aes_mkvp
== mkvp
)
1801 /* Card is offline and/or not a CCA card. */
1802 /* del mkvp entry from cache if it exists */
1803 cca_info_cache_scrub(card
, dom
);
1806 if (i
>= MAX_ZDEV_ENTRIES_EXT
) {
1807 /* nothing found, so this time without cache */
1808 for (i
= 0; i
< MAX_ZDEV_ENTRIES_EXT
; i
++) {
1809 if (!(device_status
[i
].online
&&
1810 device_status
[i
].functions
& 0x04))
1812 card
= AP_QID_CARD(device_status
[i
].qid
);
1813 dom
= AP_QID_QUEUE(device_status
[i
].qid
);
1814 /* fresh fetch mkvp from adapter */
1815 if (fetch_cca_info(card
, dom
, &ci
) == 0) {
1816 cca_info_cache_update(card
, dom
, &ci
);
1817 if (ci
.hwtype
>= minhwtype
&&
1818 ci
.cur_aes_mk_state
== '2' &&
1819 ci
.cur_aes_mkvp
== mkvp
)
1821 if (ci
.hwtype
>= minhwtype
&&
1822 ci
.old_aes_mk_state
== '2' &&
1823 ci
.old_aes_mkvp
== mkvp
&&
1828 if (i
>= MAX_ZDEV_ENTRIES_EXT
&& oi
>= 0) {
1829 /* old mkvp matched, use this card then */
1830 card
= AP_QID_CARD(device_status
[oi
].qid
);
1831 dom
= AP_QID_QUEUE(device_status
[oi
].qid
);
1834 if (i
< MAX_ZDEV_ENTRIES_EXT
|| oi
>= 0) {
1839 rc
= (i
< MAX_ZDEV_ENTRIES_EXT
? 0 : 1);
1843 kvfree(device_status
);
1848 * Search for a matching crypto card based on the Master Key
1849 * Verification Pattern provided inside a secure key token.
1851 int cca_findcard(const u8
*key
, u16
*pcardnr
, u16
*pdomain
, int verify
)
1855 const struct keytoken_header
*hdr
= (struct keytoken_header
*) key
;
1857 if (hdr
->type
!= TOKTYPE_CCA_INTERNAL
)
1860 switch (hdr
->version
) {
1861 case TOKVER_CCA_AES
:
1862 mkvp
= ((struct secaeskeytoken
*)key
)->mkvp
;
1864 case TOKVER_CCA_VLSC
:
1865 mkvp
= ((struct cipherkeytoken
*)key
)->mkvp0
;
1866 minhwtype
= AP_DEVICE_TYPE_CEX6
;
1872 return findcard(mkvp
, pcardnr
, pdomain
, verify
, minhwtype
);
1874 EXPORT_SYMBOL(cca_findcard
);
1876 int cca_findcard2(u32
**apqns
, u32
*nr_apqns
, u16 cardnr
, u16 domain
,
1877 int minhwtype
, int mktype
, u64 cur_mkvp
, u64 old_mkvp
,
1880 struct zcrypt_device_status_ext
*device_status
;
1881 u32
*_apqns
= NULL
, _nr_apqns
= 0;
1882 int i
, card
, dom
, curmatch
, oldmatch
, rc
= 0;
1885 /* fetch status of all crypto cards */
1886 device_status
= kvmalloc_array(MAX_ZDEV_ENTRIES_EXT
,
1887 sizeof(struct zcrypt_device_status_ext
),
1891 zcrypt_device_status_mask_ext(device_status
);
1893 /* allocate 1k space for up to 256 apqns */
1894 _apqns
= kmalloc_array(256, sizeof(u32
), GFP_KERNEL
);
1896 kvfree(device_status
);
1900 /* walk through all the crypto apqnss */
1901 for (i
= 0; i
< MAX_ZDEV_ENTRIES_EXT
; i
++) {
1902 card
= AP_QID_CARD(device_status
[i
].qid
);
1903 dom
= AP_QID_QUEUE(device_status
[i
].qid
);
1904 /* check online state */
1905 if (!device_status
[i
].online
)
1907 /* check for cca functions */
1908 if (!(device_status
[i
].functions
& 0x04))
1911 if (cardnr
!= 0xFFFF && card
!= cardnr
)
1914 if (domain
!= 0xFFFF && dom
!= domain
)
1916 /* get cca info on this apqn */
1917 if (cca_get_info(card
, dom
, &ci
, verify
))
1919 /* current master key needs to be valid */
1920 if (mktype
== AES_MK_SET
&& ci
.cur_aes_mk_state
!= '2')
1922 if (mktype
== APKA_MK_SET
&& ci
.cur_apka_mk_state
!= '2')
1924 /* check min hardware type */
1925 if (minhwtype
> 0 && minhwtype
> ci
.hwtype
)
1927 if (cur_mkvp
|| old_mkvp
) {
1929 curmatch
= oldmatch
= 0;
1930 if (mktype
== AES_MK_SET
) {
1931 if (cur_mkvp
&& cur_mkvp
== ci
.cur_aes_mkvp
)
1933 if (old_mkvp
&& ci
.old_aes_mk_state
== '2' &&
1934 old_mkvp
== ci
.old_aes_mkvp
)
1937 if (cur_mkvp
&& cur_mkvp
== ci
.cur_apka_mkvp
)
1939 if (old_mkvp
&& ci
.old_apka_mk_state
== '2' &&
1940 old_mkvp
== ci
.old_apka_mkvp
)
1943 if (curmatch
+ oldmatch
< 1)
1946 /* apqn passed all filtering criterons, add to the array */
1947 if (_nr_apqns
< 256)
1948 _apqns
[_nr_apqns
++] = (((u16
)card
) << 16) | ((u16
) dom
);
1951 /* nothing found ? */
1956 /* no re-allocation, simple return the _apqns array */
1958 *nr_apqns
= _nr_apqns
;
1962 kvfree(device_status
);
1965 EXPORT_SYMBOL(cca_findcard2
);
1967 void __exit
zcrypt_ccamisc_exit(void)