1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright IBM Corp. 2017
6 * Author(s): Harald Freudenberger
9 #define KMSG_COMPONENT "pkey"
10 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/miscdevice.h>
15 #include <linux/module.h>
16 #include <linux/slab.h>
17 #include <linux/kallsyms.h>
18 #include <linux/debugfs.h>
19 #include <linux/random.h>
20 #include <linux/cpufeature.h>
21 #include <asm/zcrypt.h>
22 #include <asm/cpacf.h>
24 #include <crypto/aes.h>
26 #include "zcrypt_api.h"
28 MODULE_LICENSE("GPL");
29 MODULE_AUTHOR("IBM Corporation");
30 MODULE_DESCRIPTION("s390 protected key interface");
32 /* Size of parameter block used for all cca requests/replies */
35 /* Size of vardata block used for some of the cca requests/replies */
36 #define VARDATASIZE 4096
38 /* mask of available pckmo subfunctions, fetched once at module init */
39 static cpacf_mask_t pckmo_functions
;
42 * debug feature data and functions
45 static debug_info_t
*debug_info
;
47 #define DEBUG_DBG(...) debug_sprintf_event(debug_info, 6, ##__VA_ARGS__)
48 #define DEBUG_INFO(...) debug_sprintf_event(debug_info, 5, ##__VA_ARGS__)
49 #define DEBUG_WARN(...) debug_sprintf_event(debug_info, 4, ##__VA_ARGS__)
50 #define DEBUG_ERR(...) debug_sprintf_event(debug_info, 3, ##__VA_ARGS__)
52 static void __init
pkey_debug_init(void)
54 /* 5 arguments per dbf entry (including the format string ptr) */
55 debug_info
= debug_register("pkey", 1, 1, 5 * sizeof(long));
56 debug_register_view(debug_info
, &debug_sprintf_view
);
57 debug_set_level(debug_info
, 3);
60 static void __exit
pkey_debug_exit(void)
62 debug_unregister(debug_info
);
66 #define TOKTYPE_NON_CCA 0x00 /* Non-CCA key token */
67 #define TOKTYPE_CCA_INTERNAL 0x01 /* CCA internal key token */
69 /* For TOKTYPE_NON_CCA: */
70 #define TOKVER_PROTECTED_KEY 0x01 /* Protected key token */
72 /* For TOKTYPE_CCA_INTERNAL: */
73 #define TOKVER_CCA_AES 0x04 /* CCA AES key token */
75 /* header part of a key token */
76 struct keytoken_header
{
77 u8 type
; /* one of the TOKTYPE values */
79 u8 version
; /* one of the TOKVER values */
83 /* inside view of a secure key token (only type 0x01 version 0x04) */
84 struct secaeskeytoken
{
85 u8 type
; /* 0x01 for internal key token */
87 u8 version
; /* should be 0x04 */
89 u8 flag
; /* key flags */
91 u64 mkvp
; /* master key verification pattern */
92 u8 key
[32]; /* key value (encrypted) */
93 u8 cv
[8]; /* control vector */
94 u16 bitsize
; /* key bit size */
95 u16 keysize
; /* key byte size */
96 u8 tvv
[4]; /* token validation value */
99 /* inside view of a protected key token (only type 0x00 version 0x01) */
100 struct protaeskeytoken
{
101 u8 type
; /* 0x00 for PAES specific key tokens */
103 u8 version
; /* should be 0x01 for protected AES key token */
105 u32 keytype
; /* key type, one of the PKEY_KEYTYPE values */
106 u32 len
; /* bytes actually stored in protkey[] */
107 u8 protkey
[MAXPROTKEYSIZE
]; /* the protected key blob */
111 * Simple check if the token is a valid CCA secure AES key
112 * token. If keybitsize is given, the bitsize of the key is
113 * also checked. Returns 0 on success or errno value on failure.
115 static int check_secaeskeytoken(const u8
*token
, int keybitsize
)
117 struct secaeskeytoken
*t
= (struct secaeskeytoken
*) token
;
119 if (t
->type
!= TOKTYPE_CCA_INTERNAL
) {
121 "%s secure token check failed, type mismatch 0x%02x != 0x%02x\n",
122 __func__
, (int) t
->type
, TOKTYPE_CCA_INTERNAL
);
125 if (t
->version
!= TOKVER_CCA_AES
) {
127 "%s secure token check failed, version mismatch 0x%02x != 0x%02x\n",
128 __func__
, (int) t
->version
, TOKVER_CCA_AES
);
131 if (keybitsize
> 0 && t
->bitsize
!= keybitsize
) {
133 "%s secure token check failed, bitsize mismatch %d != %d\n",
134 __func__
, (int) t
->bitsize
, keybitsize
);
142 * Allocate consecutive memory for request CPRB, request param
143 * block, reply CPRB and reply param block and fill in values
144 * for the common fields. Returns 0 on success or errno value
147 static int alloc_and_prep_cprbmem(size_t paramblen
,
149 struct CPRBX
**preqCPRB
,
150 struct CPRBX
**prepCPRB
)
153 size_t cprbplusparamblen
= sizeof(struct CPRBX
) + paramblen
;
154 struct CPRBX
*preqcblk
, *prepcblk
;
157 * allocate consecutive memory for request CPRB, request param
158 * block, reply CPRB and reply param block
160 cprbmem
= kcalloc(2, cprbplusparamblen
, GFP_KERNEL
);
164 preqcblk
= (struct CPRBX
*) cprbmem
;
165 prepcblk
= (struct CPRBX
*) (cprbmem
+ cprbplusparamblen
);
167 /* fill request cprb struct */
168 preqcblk
->cprb_len
= sizeof(struct CPRBX
);
169 preqcblk
->cprb_ver_id
= 0x02;
170 memcpy(preqcblk
->func_id
, "T2", 2);
171 preqcblk
->rpl_msgbl
= cprbplusparamblen
;
173 preqcblk
->req_parmb
=
174 ((u8
*) preqcblk
) + sizeof(struct CPRBX
);
175 preqcblk
->rpl_parmb
=
176 ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
180 *preqCPRB
= preqcblk
;
181 *prepCPRB
= prepcblk
;
187 * Free the cprb memory allocated with the function above.
188 * If the scrub value is not zero, the memory is filled
189 * with zeros before freeing (useful if there was some
190 * clear key material in there).
192 static void free_cprbmem(void *mem
, size_t paramblen
, int scrub
)
195 memzero_explicit(mem
, 2 * (sizeof(struct CPRBX
) + paramblen
));
200 * Helper function to prepare the xcrb struct
202 static inline void prep_xcrb(struct ica_xcRB
*pxcrb
,
204 struct CPRBX
*preqcblk
,
205 struct CPRBX
*prepcblk
)
207 memset(pxcrb
, 0, sizeof(*pxcrb
));
208 pxcrb
->agent_ID
= 0x4341; /* 'CA' */
209 pxcrb
->user_defined
= (cardnr
== 0xFFFF ? AUTOSELECT
: cardnr
);
210 pxcrb
->request_control_blk_length
=
211 preqcblk
->cprb_len
+ preqcblk
->req_parml
;
212 pxcrb
->request_control_blk_addr
= (void __user
*) preqcblk
;
213 pxcrb
->reply_control_blk_length
= preqcblk
->rpl_msgbl
;
214 pxcrb
->reply_control_blk_addr
= (void __user
*) prepcblk
;
218 * Helper function which calls zcrypt_send_cprb with
219 * memory management segment adjusted to kernel space
220 * so that the copy_from_user called within this
221 * function do in fact copy from kernel space.
223 static inline int _zcrypt_send_cprb(struct ica_xcRB
*xcrb
)
226 mm_segment_t old_fs
= get_fs();
229 rc
= zcrypt_send_cprb(xcrb
);
236 * Generate (random) AES secure key.
238 int pkey_genseckey(u16 cardnr
, u16 domain
,
239 u32 keytype
, struct pkey_seckey
*seckey
)
244 struct CPRBX
*preqcblk
, *prepcblk
;
245 struct ica_xcRB xcrb
;
261 u8 data
[SECKEYBLOBSIZE
];
275 /* ... some more data ... */
280 /* get already prepared memory for 2 cprbs with param block each */
281 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
285 /* fill request cprb struct */
286 preqcblk
->domain
= domain
;
288 /* fill request cprb param block with KG request */
289 preqparm
= (struct kgreqparm
*) preqcblk
->req_parmb
;
290 memcpy(preqparm
->subfunc_code
, "KG", 2);
291 preqparm
->rule_array_len
= sizeof(preqparm
->rule_array_len
);
292 preqparm
->lv1
.len
= sizeof(struct lv1
);
293 memcpy(preqparm
->lv1
.key_form
, "OP ", 8);
295 case PKEY_KEYTYPE_AES_128
:
297 memcpy(preqparm
->lv1
.key_length
, "KEYLN16 ", 8);
299 case PKEY_KEYTYPE_AES_192
:
301 memcpy(preqparm
->lv1
.key_length
, "KEYLN24 ", 8);
303 case PKEY_KEYTYPE_AES_256
:
305 memcpy(preqparm
->lv1
.key_length
, "KEYLN32 ", 8);
309 "%s unknown/unsupported keytype %d\n",
314 memcpy(preqparm
->lv1
.key_type1
, "AESDATA ", 8);
315 preqparm
->lv2
.len
= sizeof(struct lv2
);
316 for (i
= 0; i
< 6; i
++) {
317 preqparm
->lv2
.keyid
[i
].len
= sizeof(struct keyid
);
318 preqparm
->lv2
.keyid
[i
].attr
= (i
== 2 ? 0x30 : 0x10);
320 preqcblk
->req_parml
= sizeof(struct kgreqparm
);
322 /* fill xcrb struct */
323 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
325 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
326 rc
= _zcrypt_send_cprb(&xcrb
);
329 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n",
330 __func__
, (int) cardnr
, (int) domain
, rc
);
334 /* check response returncode and reasoncode */
335 if (prepcblk
->ccp_rtcode
!= 0) {
337 "%s secure key generate failure, card response %d/%d\n",
339 (int) prepcblk
->ccp_rtcode
,
340 (int) prepcblk
->ccp_rscode
);
345 /* process response cprb param block */
346 prepcblk
->rpl_parmb
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
347 prepparm
= (struct kgrepparm
*) prepcblk
->rpl_parmb
;
349 /* check length of the returned secure key token */
350 seckeysize
= prepparm
->lv3
.keyblock
.toklen
351 - sizeof(prepparm
->lv3
.keyblock
.toklen
)
352 - sizeof(prepparm
->lv3
.keyblock
.tokattr
);
353 if (seckeysize
!= SECKEYBLOBSIZE
) {
355 "%s secure token size mismatch %d != %d bytes\n",
356 __func__
, seckeysize
, SECKEYBLOBSIZE
);
361 /* check secure key token */
362 rc
= check_secaeskeytoken(prepparm
->lv3
.keyblock
.tok
, 8*keysize
);
368 /* copy the generated secure key token */
369 memcpy(seckey
->seckey
, prepparm
->lv3
.keyblock
.tok
, SECKEYBLOBSIZE
);
372 free_cprbmem(mem
, PARMBSIZE
, 0);
375 EXPORT_SYMBOL(pkey_genseckey
);
378 * Generate an AES secure key with given key value.
380 int pkey_clr2seckey(u16 cardnr
, u16 domain
, u32 keytype
,
381 const struct pkey_clrkey
*clrkey
,
382 struct pkey_seckey
*seckey
)
384 int rc
, keysize
, seckeysize
;
386 struct CPRBX
*preqcblk
, *prepcblk
;
387 struct ica_xcRB xcrb
;
401 u8 data
[SECKEYBLOBSIZE
];
416 /* ... some more data ... */
421 /* get already prepared memory for 2 cprbs with param block each */
422 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
426 /* fill request cprb struct */
427 preqcblk
->domain
= domain
;
429 /* fill request cprb param block with CM request */
430 preqparm
= (struct cmreqparm
*) preqcblk
->req_parmb
;
431 memcpy(preqparm
->subfunc_code
, "CM", 2);
432 memcpy(preqparm
->rule_array
, "AES ", 8);
433 preqparm
->rule_array_len
=
434 sizeof(preqparm
->rule_array_len
) + sizeof(preqparm
->rule_array
);
436 case PKEY_KEYTYPE_AES_128
:
439 case PKEY_KEYTYPE_AES_192
:
442 case PKEY_KEYTYPE_AES_256
:
447 "%s unknown/unsupported keytype %d\n",
452 preqparm
->lv1
.len
= sizeof(struct lv1
) + keysize
;
453 memcpy(preqparm
->lv1
.clrkey
, clrkey
->clrkey
, keysize
);
454 plv2
= (struct lv2
*) (((u8
*) &preqparm
->lv2
) + keysize
);
455 plv2
->len
= sizeof(struct lv2
);
456 plv2
->keyid
.len
= sizeof(struct keyid
);
457 plv2
->keyid
.attr
= 0x30;
458 preqcblk
->req_parml
= sizeof(struct cmreqparm
) + keysize
;
460 /* fill xcrb struct */
461 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
463 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
464 rc
= _zcrypt_send_cprb(&xcrb
);
467 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n",
468 __func__
, (int) cardnr
, (int) domain
, rc
);
472 /* check response returncode and reasoncode */
473 if (prepcblk
->ccp_rtcode
!= 0) {
475 "%s clear key import failure, card response %d/%d\n",
477 (int) prepcblk
->ccp_rtcode
,
478 (int) prepcblk
->ccp_rscode
);
483 /* process response cprb param block */
484 prepcblk
->rpl_parmb
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
485 prepparm
= (struct cmrepparm
*) prepcblk
->rpl_parmb
;
487 /* check length of the returned secure key token */
488 seckeysize
= prepparm
->lv3
.keyblock
.toklen
489 - sizeof(prepparm
->lv3
.keyblock
.toklen
)
490 - sizeof(prepparm
->lv3
.keyblock
.tokattr
);
491 if (seckeysize
!= SECKEYBLOBSIZE
) {
493 "%s secure token size mismatch %d != %d bytes\n",
494 __func__
, seckeysize
, SECKEYBLOBSIZE
);
499 /* check secure key token */
500 rc
= check_secaeskeytoken(prepparm
->lv3
.keyblock
.tok
, 8*keysize
);
506 /* copy the generated secure key token */
507 memcpy(seckey
->seckey
, prepparm
->lv3
.keyblock
.tok
, SECKEYBLOBSIZE
);
510 free_cprbmem(mem
, PARMBSIZE
, 1);
513 EXPORT_SYMBOL(pkey_clr2seckey
);
516 * Derive a proteced key from the secure key blob.
518 int pkey_sec2protkey(u16 cardnr
, u16 domain
,
519 const struct pkey_seckey
*seckey
,
520 struct pkey_protkey
*protkey
)
524 struct CPRBX
*preqcblk
, *prepcblk
;
525 struct ica_xcRB xcrb
;
538 u8 token
[0]; /* cca secure key token */
548 struct cpacfkeyblock
{
549 u8 version
; /* version of this struct */
555 u8 key
[64]; /* the key (keylen bytes) */
560 u8 vp
[32]; /* verification pattern */
565 /* get already prepared memory for 2 cprbs with param block each */
566 rc
= alloc_and_prep_cprbmem(PARMBSIZE
, &mem
, &preqcblk
, &prepcblk
);
570 /* fill request cprb struct */
571 preqcblk
->domain
= domain
;
573 /* fill request cprb param block with USK request */
574 preqparm
= (struct uskreqparm
*) preqcblk
->req_parmb
;
575 memcpy(preqparm
->subfunc_code
, "US", 2);
576 preqparm
->rule_array_len
= sizeof(preqparm
->rule_array_len
);
577 preqparm
->lv1
.len
= sizeof(struct lv1
);
578 preqparm
->lv1
.attr_len
= sizeof(struct lv1
) - sizeof(preqparm
->lv1
.len
);
579 preqparm
->lv1
.attr_flags
= 0x0001;
580 preqparm
->lv2
.len
= sizeof(struct lv2
) + SECKEYBLOBSIZE
;
581 preqparm
->lv2
.attr_len
= sizeof(struct lv2
)
582 - sizeof(preqparm
->lv2
.len
) + SECKEYBLOBSIZE
;
583 preqparm
->lv2
.attr_flags
= 0x0000;
584 memcpy(preqparm
->lv2
.token
, seckey
->seckey
, SECKEYBLOBSIZE
);
585 preqcblk
->req_parml
= sizeof(struct uskreqparm
) + SECKEYBLOBSIZE
;
587 /* fill xcrb struct */
588 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
590 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
591 rc
= _zcrypt_send_cprb(&xcrb
);
594 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n",
595 __func__
, (int) cardnr
, (int) domain
, rc
);
599 /* check response returncode and reasoncode */
600 if (prepcblk
->ccp_rtcode
!= 0) {
602 "%s unwrap secure key failure, card response %d/%d\n",
604 (int) prepcblk
->ccp_rtcode
,
605 (int) prepcblk
->ccp_rscode
);
609 if (prepcblk
->ccp_rscode
!= 0) {
611 "%s unwrap secure key warning, card response %d/%d\n",
613 (int) prepcblk
->ccp_rtcode
,
614 (int) prepcblk
->ccp_rscode
);
617 /* process response cprb param block */
618 prepcblk
->rpl_parmb
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
619 prepparm
= (struct uskrepparm
*) prepcblk
->rpl_parmb
;
621 /* check the returned keyblock */
622 if (prepparm
->lv3
.keyblock
.version
!= 0x01) {
624 "%s reply param keyblock version mismatch 0x%02x != 0x01\n",
625 __func__
, (int) prepparm
->lv3
.keyblock
.version
);
630 /* copy the tanslated protected key */
631 switch (prepparm
->lv3
.keyblock
.keylen
) {
633 protkey
->type
= PKEY_KEYTYPE_AES_128
;
636 protkey
->type
= PKEY_KEYTYPE_AES_192
;
639 protkey
->type
= PKEY_KEYTYPE_AES_256
;
642 DEBUG_ERR("%s unknown/unsupported keytype %d\n",
643 __func__
, prepparm
->lv3
.keyblock
.keylen
);
647 protkey
->len
= prepparm
->lv3
.keyblock
.keylen
;
648 memcpy(protkey
->protkey
, prepparm
->lv3
.keyblock
.key
, protkey
->len
);
651 free_cprbmem(mem
, PARMBSIZE
, 0);
654 EXPORT_SYMBOL(pkey_sec2protkey
);
657 * Create a protected key from a clear key value.
659 int pkey_clr2protkey(u32 keytype
,
660 const struct pkey_clrkey
*clrkey
,
661 struct pkey_protkey
*protkey
)
668 case PKEY_KEYTYPE_AES_128
:
670 fc
= CPACF_PCKMO_ENC_AES_128_KEY
;
672 case PKEY_KEYTYPE_AES_192
:
674 fc
= CPACF_PCKMO_ENC_AES_192_KEY
;
676 case PKEY_KEYTYPE_AES_256
:
678 fc
= CPACF_PCKMO_ENC_AES_256_KEY
;
681 DEBUG_ERR("%s unknown/unsupported keytype %d\n",
687 * Check if the needed pckmo subfunction is available.
688 * These subfunctions can be enabled/disabled by customers
689 * in the LPAR profile or may even change on the fly.
691 if (!cpacf_test_func(&pckmo_functions
, fc
)) {
692 DEBUG_ERR("%s pckmo functions not available\n", __func__
);
696 /* prepare param block */
697 memset(paramblock
, 0, sizeof(paramblock
));
698 memcpy(paramblock
, clrkey
->clrkey
, keysize
);
700 /* call the pckmo instruction */
701 cpacf_pckmo(fc
, paramblock
);
703 /* copy created protected key */
704 protkey
->type
= keytype
;
705 protkey
->len
= keysize
+ 32;
706 memcpy(protkey
->protkey
, paramblock
, keysize
+ 32);
710 EXPORT_SYMBOL(pkey_clr2protkey
);
713 * query cryptographic facility from adapter
715 static int query_crypto_facility(u16 cardnr
, u16 domain
,
717 u8
*rarray
, size_t *rarraylen
,
718 u8
*varray
, size_t *varraylen
)
723 struct CPRBX
*preqcblk
, *prepcblk
;
724 struct ica_xcRB xcrb
;
731 u8 data
[VARDATASIZE
];
735 size_t parmbsize
= sizeof(struct fqreqparm
);
741 /* get already prepared memory for 2 cprbs with param block each */
742 rc
= alloc_and_prep_cprbmem(parmbsize
, &mem
, &preqcblk
, &prepcblk
);
746 /* fill request cprb struct */
747 preqcblk
->domain
= domain
;
749 /* fill request cprb param block with FQ request */
750 preqparm
= (struct fqreqparm
*) preqcblk
->req_parmb
;
751 memcpy(preqparm
->subfunc_code
, "FQ", 2);
752 memcpy(preqparm
->rule_array
, keyword
, sizeof(preqparm
->rule_array
));
753 preqparm
->rule_array_len
=
754 sizeof(preqparm
->rule_array_len
) + sizeof(preqparm
->rule_array
);
755 preqparm
->lv1
.len
= sizeof(preqparm
->lv1
);
756 preqparm
->dummylen
= sizeof(preqparm
->dummylen
);
757 preqcblk
->req_parml
= parmbsize
;
759 /* fill xcrb struct */
760 prep_xcrb(&xcrb
, cardnr
, preqcblk
, prepcblk
);
762 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
763 rc
= _zcrypt_send_cprb(&xcrb
);
766 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed with errno %d\n",
767 __func__
, (int) cardnr
, (int) domain
, rc
);
771 /* check response returncode and reasoncode */
772 if (prepcblk
->ccp_rtcode
!= 0) {
774 "%s unwrap secure key failure, card response %d/%d\n",
776 (int) prepcblk
->ccp_rtcode
,
777 (int) prepcblk
->ccp_rscode
);
782 /* process response cprb param block */
783 prepcblk
->rpl_parmb
= ((u8
*) prepcblk
) + sizeof(struct CPRBX
);
784 prepparm
= (struct fqrepparm
*) prepcblk
->rpl_parmb
;
785 ptr
= prepparm
->lvdata
;
787 /* check and possibly copy reply rule array */
788 len
= *((u16
*) ptr
);
789 if (len
> sizeof(u16
)) {
792 if (rarray
&& rarraylen
&& *rarraylen
> 0) {
793 *rarraylen
= (len
> *rarraylen
? *rarraylen
: len
);
794 memcpy(rarray
, ptr
, *rarraylen
);
798 /* check and possible copy reply var array */
799 len
= *((u16
*) ptr
);
800 if (len
> sizeof(u16
)) {
803 if (varray
&& varraylen
&& *varraylen
> 0) {
804 *varraylen
= (len
> *varraylen
? *varraylen
: len
);
805 memcpy(varray
, ptr
, *varraylen
);
811 free_cprbmem(mem
, parmbsize
, 0);
816 * Fetch the current and old mkvp values via
817 * query_crypto_facility from adapter.
819 static int fetch_mkvp(u16 cardnr
, u16 domain
, u64 mkvp
[2])
823 u8
*rarray
, *varray
, *pg
;
825 pg
= (u8
*) __get_free_page(GFP_KERNEL
);
829 varray
= pg
+ PAGE_SIZE
/2;
830 rlen
= vlen
= PAGE_SIZE
/2;
832 rc
= query_crypto_facility(cardnr
, domain
, "STATICSA",
833 rarray
, &rlen
, varray
, &vlen
);
834 if (rc
== 0 && rlen
> 8*8 && vlen
> 184+8) {
835 if (rarray
[8*8] == '2') {
836 /* current master key state is valid */
837 mkvp
[0] = *((u64
*)(varray
+ 184));
838 mkvp
[1] = *((u64
*)(varray
+ 172));
843 free_page((unsigned long) pg
);
845 return found
? 0 : -ENOENT
;
848 /* struct to hold cached mkvp info for each card/domain */
850 struct list_head list
;
856 /* a list with mkvp_info entries */
857 static LIST_HEAD(mkvp_list
);
858 static DEFINE_SPINLOCK(mkvp_list_lock
);
860 static int mkvp_cache_fetch(u16 cardnr
, u16 domain
, u64 mkvp
[2])
863 struct mkvp_info
*ptr
;
865 spin_lock_bh(&mkvp_list_lock
);
866 list_for_each_entry(ptr
, &mkvp_list
, list
) {
867 if (ptr
->cardnr
== cardnr
&&
868 ptr
->domain
== domain
) {
869 memcpy(mkvp
, ptr
->mkvp
, 2 * sizeof(u64
));
874 spin_unlock_bh(&mkvp_list_lock
);
879 static void mkvp_cache_update(u16 cardnr
, u16 domain
, u64 mkvp
[2])
882 struct mkvp_info
*ptr
;
884 spin_lock_bh(&mkvp_list_lock
);
885 list_for_each_entry(ptr
, &mkvp_list
, list
) {
886 if (ptr
->cardnr
== cardnr
&&
887 ptr
->domain
== domain
) {
888 memcpy(ptr
->mkvp
, mkvp
, 2 * sizeof(u64
));
894 ptr
= kmalloc(sizeof(*ptr
), GFP_ATOMIC
);
896 spin_unlock_bh(&mkvp_list_lock
);
899 ptr
->cardnr
= cardnr
;
900 ptr
->domain
= domain
;
901 memcpy(ptr
->mkvp
, mkvp
, 2 * sizeof(u64
));
902 list_add(&ptr
->list
, &mkvp_list
);
904 spin_unlock_bh(&mkvp_list_lock
);
907 static void mkvp_cache_scrub(u16 cardnr
, u16 domain
)
909 struct mkvp_info
*ptr
;
911 spin_lock_bh(&mkvp_list_lock
);
912 list_for_each_entry(ptr
, &mkvp_list
, list
) {
913 if (ptr
->cardnr
== cardnr
&&
914 ptr
->domain
== domain
) {
915 list_del(&ptr
->list
);
920 spin_unlock_bh(&mkvp_list_lock
);
923 static void __exit
mkvp_cache_free(void)
925 struct mkvp_info
*ptr
, *pnext
;
927 spin_lock_bh(&mkvp_list_lock
);
928 list_for_each_entry_safe(ptr
, pnext
, &mkvp_list
, list
) {
929 list_del(&ptr
->list
);
932 spin_unlock_bh(&mkvp_list_lock
);
936 * Search for a matching crypto card based on the Master Key
937 * Verification Pattern provided inside a secure key.
939 int pkey_findcard(const struct pkey_seckey
*seckey
,
940 u16
*pcardnr
, u16
*pdomain
, int verify
)
942 struct secaeskeytoken
*t
= (struct secaeskeytoken
*) seckey
;
943 struct zcrypt_device_status_ext
*device_status
;
948 /* mkvp must not be zero */
952 /* fetch status of all crypto cards */
953 device_status
= kmalloc_array(MAX_ZDEV_ENTRIES_EXT
,
954 sizeof(struct zcrypt_device_status_ext
),
958 zcrypt_device_status_mask_ext(device_status
);
960 /* walk through all crypto cards */
961 for (i
= 0; i
< MAX_ZDEV_ENTRIES_EXT
; i
++) {
962 card
= AP_QID_CARD(device_status
[i
].qid
);
963 dom
= AP_QID_QUEUE(device_status
[i
].qid
);
964 if (device_status
[i
].online
&&
965 device_status
[i
].functions
& 0x04) {
966 /* an enabled CCA Coprocessor card */
967 /* try cached mkvp */
968 if (mkvp_cache_fetch(card
, dom
, mkvp
) == 0 &&
969 t
->mkvp
== mkvp
[0]) {
972 /* verify: fetch mkvp from adapter */
973 if (fetch_mkvp(card
, dom
, mkvp
) == 0) {
974 mkvp_cache_update(card
, dom
, mkvp
);
975 if (t
->mkvp
== mkvp
[0])
980 /* Card is offline and/or not a CCA card. */
981 /* del mkvp entry from cache if it exists */
982 mkvp_cache_scrub(card
, dom
);
985 if (i
>= MAX_ZDEV_ENTRIES_EXT
) {
986 /* nothing found, so this time without cache */
987 for (i
= 0; i
< MAX_ZDEV_ENTRIES_EXT
; i
++) {
988 if (!(device_status
[i
].online
&&
989 device_status
[i
].functions
& 0x04))
991 card
= AP_QID_CARD(device_status
[i
].qid
);
992 dom
= AP_QID_QUEUE(device_status
[i
].qid
);
993 /* fresh fetch mkvp from adapter */
994 if (fetch_mkvp(card
, dom
, mkvp
) == 0) {
995 mkvp_cache_update(card
, dom
, mkvp
);
996 if (t
->mkvp
== mkvp
[0])
998 if (t
->mkvp
== mkvp
[1] && oi
< 0)
1002 if (i
>= MAX_ZDEV_ENTRIES_EXT
&& oi
>= 0) {
1003 /* old mkvp matched, use this card then */
1004 card
= AP_QID_CARD(device_status
[oi
].qid
);
1005 dom
= AP_QID_QUEUE(device_status
[oi
].qid
);
1008 if (i
< MAX_ZDEV_ENTRIES_EXT
|| oi
>= 0) {
1017 kfree(device_status
);
1020 EXPORT_SYMBOL(pkey_findcard
);
1023 * Find card and transform secure key into protected key.
1025 int pkey_skey2pkey(const struct pkey_seckey
*seckey
,
1026 struct pkey_protkey
*protkey
)
1032 * The pkey_sec2protkey call may fail when a card has been
1033 * addressed where the master key was changed after last fetch
1034 * of the mkvp into the cache. So first try without verify then
1035 * with verify enabled (thus refreshing the mkvp for each card).
1037 for (verify
= 0; verify
< 2; verify
++) {
1038 rc
= pkey_findcard(seckey
, &cardnr
, &domain
, verify
);
1041 rc
= pkey_sec2protkey(cardnr
, domain
, seckey
, protkey
);
1047 DEBUG_DBG("%s failed rc=%d\n", __func__
, rc
);
1051 EXPORT_SYMBOL(pkey_skey2pkey
);
1054 * Verify key and give back some info about the key.
1056 int pkey_verifykey(const struct pkey_seckey
*seckey
,
1057 u16
*pcardnr
, u16
*pdomain
,
1058 u16
*pkeysize
, u32
*pattributes
)
1060 struct secaeskeytoken
*t
= (struct secaeskeytoken
*) seckey
;
1065 /* check the secure key for valid AES secure key */
1066 rc
= check_secaeskeytoken((u8
*) seckey
, 0);
1070 *pattributes
= PKEY_VERIFY_ATTR_AES
;
1072 *pkeysize
= t
->bitsize
;
1074 /* try to find a card which can handle this key */
1075 rc
= pkey_findcard(seckey
, &cardnr
, &domain
, 1);
1079 /* check mkvp for old mkvp match */
1080 rc
= mkvp_cache_fetch(cardnr
, domain
, mkvp
);
1083 if (t
->mkvp
== mkvp
[1] && t
->mkvp
!= mkvp
[0]) {
1084 DEBUG_DBG("%s secure key has old mkvp\n", __func__
);
1086 *pattributes
|= PKEY_VERIFY_ATTR_OLD_MKVP
;
1095 DEBUG_DBG("%s rc=%d\n", __func__
, rc
);
1098 EXPORT_SYMBOL(pkey_verifykey
);
1101 * Generate a random protected key
1103 int pkey_genprotkey(__u32 keytype
, struct pkey_protkey
*protkey
)
1105 struct pkey_clrkey clrkey
;
1110 case PKEY_KEYTYPE_AES_128
:
1113 case PKEY_KEYTYPE_AES_192
:
1116 case PKEY_KEYTYPE_AES_256
:
1120 DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__
,
1125 /* generate a dummy random clear key */
1126 get_random_bytes(clrkey
.clrkey
, keysize
);
1128 /* convert it to a dummy protected key */
1129 rc
= pkey_clr2protkey(keytype
, &clrkey
, protkey
);
1133 /* replace the key part of the protected key with random bytes */
1134 get_random_bytes(protkey
->protkey
, keysize
);
1138 EXPORT_SYMBOL(pkey_genprotkey
);
1141 * Verify if a protected key is still valid
1143 int pkey_verifyprotkey(const struct pkey_protkey
*protkey
)
1147 u8 iv
[AES_BLOCK_SIZE
];
1148 u8 key
[MAXPROTKEYSIZE
];
1150 u8 null_msg
[AES_BLOCK_SIZE
];
1151 u8 dest_buf
[AES_BLOCK_SIZE
];
1154 switch (protkey
->type
) {
1155 case PKEY_KEYTYPE_AES_128
:
1156 fc
= CPACF_KMC_PAES_128
;
1158 case PKEY_KEYTYPE_AES_192
:
1159 fc
= CPACF_KMC_PAES_192
;
1161 case PKEY_KEYTYPE_AES_256
:
1162 fc
= CPACF_KMC_PAES_256
;
1165 DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__
,
1170 memset(null_msg
, 0, sizeof(null_msg
));
1172 memset(param
.iv
, 0, sizeof(param
.iv
));
1173 memcpy(param
.key
, protkey
->protkey
, sizeof(param
.key
));
1175 k
= cpacf_kmc(fc
| CPACF_ENCRYPT
, ¶m
, null_msg
, dest_buf
,
1177 if (k
!= sizeof(null_msg
)) {
1178 DEBUG_ERR("%s protected key is not valid\n", __func__
);
1179 return -EKEYREJECTED
;
1184 EXPORT_SYMBOL(pkey_verifyprotkey
);
1187 * Transform a non-CCA key token into a protected key
1189 static int pkey_nonccatok2pkey(const __u8
*key
, __u32 keylen
,
1190 struct pkey_protkey
*protkey
)
1192 struct keytoken_header
*hdr
= (struct keytoken_header
*)key
;
1193 struct protaeskeytoken
*t
;
1195 switch (hdr
->version
) {
1196 case TOKVER_PROTECTED_KEY
:
1197 if (keylen
!= sizeof(struct protaeskeytoken
))
1200 t
= (struct protaeskeytoken
*)key
;
1201 protkey
->len
= t
->len
;
1202 protkey
->type
= t
->keytype
;
1203 memcpy(protkey
->protkey
, t
->protkey
,
1204 sizeof(protkey
->protkey
));
1206 return pkey_verifyprotkey(protkey
);
1208 DEBUG_ERR("%s unknown/unsupported non-CCA token version %d\n",
1209 __func__
, hdr
->version
);
1215 * Transform a CCA internal key token into a protected key
1217 static int pkey_ccainttok2pkey(const __u8
*key
, __u32 keylen
,
1218 struct pkey_protkey
*protkey
)
1220 struct keytoken_header
*hdr
= (struct keytoken_header
*)key
;
1222 switch (hdr
->version
) {
1223 case TOKVER_CCA_AES
:
1224 if (keylen
!= sizeof(struct secaeskeytoken
))
1227 return pkey_skey2pkey((struct pkey_seckey
*)key
,
1230 DEBUG_ERR("%s unknown/unsupported CCA internal token version %d\n",
1231 __func__
, hdr
->version
);
1237 * Transform a key blob (of any type) into a protected key
1239 int pkey_keyblob2pkey(const __u8
*key
, __u32 keylen
,
1240 struct pkey_protkey
*protkey
)
1242 struct keytoken_header
*hdr
= (struct keytoken_header
*)key
;
1244 if (keylen
< sizeof(struct keytoken_header
))
1247 switch (hdr
->type
) {
1248 case TOKTYPE_NON_CCA
:
1249 return pkey_nonccatok2pkey(key
, keylen
, protkey
);
1250 case TOKTYPE_CCA_INTERNAL
:
1251 return pkey_ccainttok2pkey(key
, keylen
, protkey
);
1253 DEBUG_ERR("%s unknown/unsupported blob type %d\n", __func__
,
1258 EXPORT_SYMBOL(pkey_keyblob2pkey
);
1264 static long pkey_unlocked_ioctl(struct file
*filp
, unsigned int cmd
,
1270 case PKEY_GENSECK
: {
1271 struct pkey_genseck __user
*ugs
= (void __user
*) arg
;
1272 struct pkey_genseck kgs
;
1274 if (copy_from_user(&kgs
, ugs
, sizeof(kgs
)))
1276 rc
= pkey_genseckey(kgs
.cardnr
, kgs
.domain
,
1277 kgs
.keytype
, &kgs
.seckey
);
1278 DEBUG_DBG("%s pkey_genseckey()=%d\n", __func__
, rc
);
1281 if (copy_to_user(ugs
, &kgs
, sizeof(kgs
)))
1285 case PKEY_CLR2SECK
: {
1286 struct pkey_clr2seck __user
*ucs
= (void __user
*) arg
;
1287 struct pkey_clr2seck kcs
;
1289 if (copy_from_user(&kcs
, ucs
, sizeof(kcs
)))
1291 rc
= pkey_clr2seckey(kcs
.cardnr
, kcs
.domain
, kcs
.keytype
,
1292 &kcs
.clrkey
, &kcs
.seckey
);
1293 DEBUG_DBG("%s pkey_clr2seckey()=%d\n", __func__
, rc
);
1296 if (copy_to_user(ucs
, &kcs
, sizeof(kcs
)))
1298 memzero_explicit(&kcs
, sizeof(kcs
));
1301 case PKEY_SEC2PROTK
: {
1302 struct pkey_sec2protk __user
*usp
= (void __user
*) arg
;
1303 struct pkey_sec2protk ksp
;
1305 if (copy_from_user(&ksp
, usp
, sizeof(ksp
)))
1307 rc
= pkey_sec2protkey(ksp
.cardnr
, ksp
.domain
,
1308 &ksp
.seckey
, &ksp
.protkey
);
1309 DEBUG_DBG("%s pkey_sec2protkey()=%d\n", __func__
, rc
);
1312 if (copy_to_user(usp
, &ksp
, sizeof(ksp
)))
1316 case PKEY_CLR2PROTK
: {
1317 struct pkey_clr2protk __user
*ucp
= (void __user
*) arg
;
1318 struct pkey_clr2protk kcp
;
1320 if (copy_from_user(&kcp
, ucp
, sizeof(kcp
)))
1322 rc
= pkey_clr2protkey(kcp
.keytype
,
1323 &kcp
.clrkey
, &kcp
.protkey
);
1324 DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__
, rc
);
1327 if (copy_to_user(ucp
, &kcp
, sizeof(kcp
)))
1329 memzero_explicit(&kcp
, sizeof(kcp
));
1332 case PKEY_FINDCARD
: {
1333 struct pkey_findcard __user
*ufc
= (void __user
*) arg
;
1334 struct pkey_findcard kfc
;
1336 if (copy_from_user(&kfc
, ufc
, sizeof(kfc
)))
1338 rc
= pkey_findcard(&kfc
.seckey
,
1339 &kfc
.cardnr
, &kfc
.domain
, 1);
1340 DEBUG_DBG("%s pkey_findcard()=%d\n", __func__
, rc
);
1343 if (copy_to_user(ufc
, &kfc
, sizeof(kfc
)))
1347 case PKEY_SKEY2PKEY
: {
1348 struct pkey_skey2pkey __user
*usp
= (void __user
*) arg
;
1349 struct pkey_skey2pkey ksp
;
1351 if (copy_from_user(&ksp
, usp
, sizeof(ksp
)))
1353 rc
= pkey_skey2pkey(&ksp
.seckey
, &ksp
.protkey
);
1354 DEBUG_DBG("%s pkey_skey2pkey()=%d\n", __func__
, rc
);
1357 if (copy_to_user(usp
, &ksp
, sizeof(ksp
)))
1361 case PKEY_VERIFYKEY
: {
1362 struct pkey_verifykey __user
*uvk
= (void __user
*) arg
;
1363 struct pkey_verifykey kvk
;
1365 if (copy_from_user(&kvk
, uvk
, sizeof(kvk
)))
1367 rc
= pkey_verifykey(&kvk
.seckey
, &kvk
.cardnr
, &kvk
.domain
,
1368 &kvk
.keysize
, &kvk
.attributes
);
1369 DEBUG_DBG("%s pkey_verifykey()=%d\n", __func__
, rc
);
1372 if (copy_to_user(uvk
, &kvk
, sizeof(kvk
)))
1376 case PKEY_GENPROTK
: {
1377 struct pkey_genprotk __user
*ugp
= (void __user
*) arg
;
1378 struct pkey_genprotk kgp
;
1380 if (copy_from_user(&kgp
, ugp
, sizeof(kgp
)))
1382 rc
= pkey_genprotkey(kgp
.keytype
, &kgp
.protkey
);
1383 DEBUG_DBG("%s pkey_genprotkey()=%d\n", __func__
, rc
);
1386 if (copy_to_user(ugp
, &kgp
, sizeof(kgp
)))
1390 case PKEY_VERIFYPROTK
: {
1391 struct pkey_verifyprotk __user
*uvp
= (void __user
*) arg
;
1392 struct pkey_verifyprotk kvp
;
1394 if (copy_from_user(&kvp
, uvp
, sizeof(kvp
)))
1396 rc
= pkey_verifyprotkey(&kvp
.protkey
);
1397 DEBUG_DBG("%s pkey_verifyprotkey()=%d\n", __func__
, rc
);
1400 case PKEY_KBLOB2PROTK
: {
1401 struct pkey_kblob2pkey __user
*utp
= (void __user
*) arg
;
1402 struct pkey_kblob2pkey ktp
;
1406 if (copy_from_user(&ktp
, utp
, sizeof(ktp
)))
1408 if (ktp
.keylen
< MINKEYBLOBSIZE
||
1409 ktp
.keylen
> MAXKEYBLOBSIZE
)
1412 kkey
= kmalloc(ktp
.keylen
, GFP_KERNEL
);
1415 if (copy_from_user(kkey
, ukey
, ktp
.keylen
)) {
1419 rc
= pkey_keyblob2pkey(kkey
, ktp
.keylen
, &ktp
.protkey
);
1420 DEBUG_DBG("%s pkey_keyblob2pkey()=%d\n", __func__
, rc
);
1424 if (copy_to_user(utp
, &ktp
, sizeof(ktp
)))
1429 /* unknown/unsupported ioctl cmd */
1437 * Sysfs and file io operations
1441 * Sysfs attribute read function for all protected key binary attributes.
1442 * The implementation can not deal with partial reads, because a new random
1443 * protected key blob is generated with each read. In case of partial reads
1444 * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1446 static ssize_t
pkey_protkey_aes_attr_read(u32 keytype
, bool is_xts
, char *buf
,
1447 loff_t off
, size_t count
)
1449 struct protaeskeytoken protkeytoken
;
1450 struct pkey_protkey protkey
;
1453 if (off
!= 0 || count
< sizeof(protkeytoken
))
1456 if (count
< 2 * sizeof(protkeytoken
))
1459 memset(&protkeytoken
, 0, sizeof(protkeytoken
));
1460 protkeytoken
.type
= TOKTYPE_NON_CCA
;
1461 protkeytoken
.version
= TOKVER_PROTECTED_KEY
;
1462 protkeytoken
.keytype
= keytype
;
1464 rc
= pkey_genprotkey(protkeytoken
.keytype
, &protkey
);
1468 protkeytoken
.len
= protkey
.len
;
1469 memcpy(&protkeytoken
.protkey
, &protkey
.protkey
, protkey
.len
);
1471 memcpy(buf
, &protkeytoken
, sizeof(protkeytoken
));
1474 rc
= pkey_genprotkey(protkeytoken
.keytype
, &protkey
);
1478 protkeytoken
.len
= protkey
.len
;
1479 memcpy(&protkeytoken
.protkey
, &protkey
.protkey
, protkey
.len
);
1481 memcpy(buf
+ sizeof(protkeytoken
), &protkeytoken
,
1482 sizeof(protkeytoken
));
1484 return 2 * sizeof(protkeytoken
);
1487 return sizeof(protkeytoken
);
1490 static ssize_t
protkey_aes_128_read(struct file
*filp
,
1491 struct kobject
*kobj
,
1492 struct bin_attribute
*attr
,
1493 char *buf
, loff_t off
,
1496 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128
, false, buf
,
1500 static ssize_t
protkey_aes_192_read(struct file
*filp
,
1501 struct kobject
*kobj
,
1502 struct bin_attribute
*attr
,
1503 char *buf
, loff_t off
,
1506 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_192
, false, buf
,
1510 static ssize_t
protkey_aes_256_read(struct file
*filp
,
1511 struct kobject
*kobj
,
1512 struct bin_attribute
*attr
,
1513 char *buf
, loff_t off
,
1516 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256
, false, buf
,
1520 static ssize_t
protkey_aes_128_xts_read(struct file
*filp
,
1521 struct kobject
*kobj
,
1522 struct bin_attribute
*attr
,
1523 char *buf
, loff_t off
,
1526 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128
, true, buf
,
1530 static ssize_t
protkey_aes_256_xts_read(struct file
*filp
,
1531 struct kobject
*kobj
,
1532 struct bin_attribute
*attr
,
1533 char *buf
, loff_t off
,
1536 return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256
, true, buf
,
1540 static BIN_ATTR_RO(protkey_aes_128
, sizeof(struct protaeskeytoken
));
1541 static BIN_ATTR_RO(protkey_aes_192
, sizeof(struct protaeskeytoken
));
1542 static BIN_ATTR_RO(protkey_aes_256
, sizeof(struct protaeskeytoken
));
1543 static BIN_ATTR_RO(protkey_aes_128_xts
, 2 * sizeof(struct protaeskeytoken
));
1544 static BIN_ATTR_RO(protkey_aes_256_xts
, 2 * sizeof(struct protaeskeytoken
));
1546 static struct bin_attribute
*protkey_attrs
[] = {
1547 &bin_attr_protkey_aes_128
,
1548 &bin_attr_protkey_aes_192
,
1549 &bin_attr_protkey_aes_256
,
1550 &bin_attr_protkey_aes_128_xts
,
1551 &bin_attr_protkey_aes_256_xts
,
1555 static struct attribute_group protkey_attr_group
= {
1557 .bin_attrs
= protkey_attrs
,
1561 * Sysfs attribute read function for all secure key ccadata binary attributes.
1562 * The implementation can not deal with partial reads, because a new random
1563 * protected key blob is generated with each read. In case of partial reads
1564 * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
1566 static ssize_t
pkey_ccadata_aes_attr_read(u32 keytype
, bool is_xts
, char *buf
,
1567 loff_t off
, size_t count
)
1571 if (off
!= 0 || count
< sizeof(struct secaeskeytoken
))
1574 if (count
< 2 * sizeof(struct secaeskeytoken
))
1577 rc
= pkey_genseckey(-1, -1, keytype
, (struct pkey_seckey
*)buf
);
1582 buf
+= sizeof(struct pkey_seckey
);
1583 rc
= pkey_genseckey(-1, -1, keytype
, (struct pkey_seckey
*)buf
);
1587 return 2 * sizeof(struct secaeskeytoken
);
1590 return sizeof(struct secaeskeytoken
);
1593 static ssize_t
ccadata_aes_128_read(struct file
*filp
,
1594 struct kobject
*kobj
,
1595 struct bin_attribute
*attr
,
1596 char *buf
, loff_t off
,
1599 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128
, false, buf
,
1603 static ssize_t
ccadata_aes_192_read(struct file
*filp
,
1604 struct kobject
*kobj
,
1605 struct bin_attribute
*attr
,
1606 char *buf
, loff_t off
,
1609 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_192
, false, buf
,
1613 static ssize_t
ccadata_aes_256_read(struct file
*filp
,
1614 struct kobject
*kobj
,
1615 struct bin_attribute
*attr
,
1616 char *buf
, loff_t off
,
1619 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256
, false, buf
,
1623 static ssize_t
ccadata_aes_128_xts_read(struct file
*filp
,
1624 struct kobject
*kobj
,
1625 struct bin_attribute
*attr
,
1626 char *buf
, loff_t off
,
1629 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128
, true, buf
,
1633 static ssize_t
ccadata_aes_256_xts_read(struct file
*filp
,
1634 struct kobject
*kobj
,
1635 struct bin_attribute
*attr
,
1636 char *buf
, loff_t off
,
1639 return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256
, true, buf
,
1643 static BIN_ATTR_RO(ccadata_aes_128
, sizeof(struct secaeskeytoken
));
1644 static BIN_ATTR_RO(ccadata_aes_192
, sizeof(struct secaeskeytoken
));
1645 static BIN_ATTR_RO(ccadata_aes_256
, sizeof(struct secaeskeytoken
));
1646 static BIN_ATTR_RO(ccadata_aes_128_xts
, 2 * sizeof(struct secaeskeytoken
));
1647 static BIN_ATTR_RO(ccadata_aes_256_xts
, 2 * sizeof(struct secaeskeytoken
));
1649 static struct bin_attribute
*ccadata_attrs
[] = {
1650 &bin_attr_ccadata_aes_128
,
1651 &bin_attr_ccadata_aes_192
,
1652 &bin_attr_ccadata_aes_256
,
1653 &bin_attr_ccadata_aes_128_xts
,
1654 &bin_attr_ccadata_aes_256_xts
,
1658 static struct attribute_group ccadata_attr_group
= {
1660 .bin_attrs
= ccadata_attrs
,
1663 static const struct attribute_group
*pkey_attr_groups
[] = {
1664 &protkey_attr_group
,
1665 &ccadata_attr_group
,
1669 static const struct file_operations pkey_fops
= {
1670 .owner
= THIS_MODULE
,
1671 .open
= nonseekable_open
,
1672 .llseek
= no_llseek
,
1673 .unlocked_ioctl
= pkey_unlocked_ioctl
,
1676 static struct miscdevice pkey_dev
= {
1678 .minor
= MISC_DYNAMIC_MINOR
,
1681 .groups
= pkey_attr_groups
,
1687 static int __init
pkey_init(void)
1689 cpacf_mask_t kmc_functions
;
1692 * The pckmo instruction should be available - even if we don't
1693 * actually invoke it. This instruction comes with MSA 3 which
1694 * is also the minimum level for the kmc instructions which
1695 * are able to work with protected keys.
1697 if (!cpacf_query(CPACF_PCKMO
, &pckmo_functions
))
1700 /* check for kmc instructions available */
1701 if (!cpacf_query(CPACF_KMC
, &kmc_functions
))
1703 if (!cpacf_test_func(&kmc_functions
, CPACF_KMC_PAES_128
) ||
1704 !cpacf_test_func(&kmc_functions
, CPACF_KMC_PAES_192
) ||
1705 !cpacf_test_func(&kmc_functions
, CPACF_KMC_PAES_256
))
1710 return misc_register(&pkey_dev
);
1716 static void __exit
pkey_exit(void)
1718 misc_deregister(&pkey_dev
);
1723 module_cpu_feature_match(MSA
, pkey_init
);
1724 module_exit(pkey_exit
);
