1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
7 * Collection of CCA misc functions used by zcrypt and pkey
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
26 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
31 /* Size of parameter block used for all cca requests/replies */
34 /* Size of vardata block used for some of the cca requests/replies */
35 #define VARDATASIZE 4096
37 struct cca_info_list_entry {
38 struct list_head list;
44 /* a list with cca_info_list_entry entries */
45 static LIST_HEAD(cca_info_list);
46 static DEFINE_SPINLOCK(cca_info_list_lock);
49 * Simple check if the token is a valid CCA secure AES data key
50 * token. If keybitsize is given, the bitsize of the key is
51 * also checked. Returns 0 on success or errno value on failure.
53 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
54 const u8 *token, int keybitsize)
56 struct secaeskeytoken *t = (struct secaeskeytoken *) token;
58 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
60 if (t->type != TOKTYPE_CCA_INTERNAL) {
62 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
66 if (t->version != TOKVER_CCA_AES) {
68 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 __func__, (int) t->version, TOKVER_CCA_AES);
72 if (keybitsize > 0 && t->bitsize != keybitsize) {
74 DBF("%s token check failed, bitsize %d != %d\n",
75 __func__, (int) t->bitsize, keybitsize);
83 EXPORT_SYMBOL(cca_check_secaeskeytoken);
86 * Simple check if the token is a valid CCA secure AES cipher key
87 * token. If keybitsize is given, the bitsize of the key is
88 * also checked. If checkcpacfexport is enabled, the key is also
89 * checked for the export flag to allow CPACF export.
90 * Returns 0 on success or errno value on failure.
92 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
93 const u8 *token, int keybitsize,
96 struct cipherkeytoken *t = (struct cipherkeytoken *) token;
97 bool keybitsizeok = true;
99 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
101 if (t->type != TOKTYPE_CCA_INTERNAL) {
103 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
107 if (t->version != TOKVER_CCA_VLSC) {
109 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 __func__, (int) t->version, TOKVER_CCA_VLSC);
113 if (t->algtype != 0x02) {
115 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 __func__, (int) t->algtype);
119 if (t->keytype != 0x0001) {
121 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 __func__, (int) t->keytype);
125 if (t->plfver != 0x00 && t->plfver != 0x01) {
127 DBF("%s token check failed, unknown plfver 0x%02x\n",
128 __func__, (int) t->plfver);
131 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
133 DBF("%s token check failed, unknown wpllen %d\n",
134 __func__, (int) t->wpllen);
137 if (keybitsize > 0) {
138 switch (keybitsize) {
140 if (t->wpllen != (t->plfver ? 640 : 512))
141 keybitsizeok = false;
144 if (t->wpllen != (t->plfver ? 640 : 576))
145 keybitsizeok = false;
148 if (t->wpllen != 640)
149 keybitsizeok = false;
152 keybitsizeok = false;
157 DBF("%s token check failed, bitsize %d\n",
158 __func__, keybitsize);
162 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
164 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
173 EXPORT_SYMBOL(cca_check_secaescipherkey);
176 * Allocate consecutive memory for request CPRB, request param
177 * block, reply CPRB and reply param block and fill in values
178 * for the common fields. Returns 0 on success or errno value
181 static int alloc_and_prep_cprbmem(size_t paramblen,
183 struct CPRBX **preqCPRB,
184 struct CPRBX **prepCPRB)
187 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
188 struct CPRBX *preqcblk, *prepcblk;
191 * allocate consecutive memory for request CPRB, request param
192 * block, reply CPRB and reply param block
194 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
198 preqcblk = (struct CPRBX *) cprbmem;
199 prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen);
201 /* fill request cprb struct */
202 preqcblk->cprb_len = sizeof(struct CPRBX);
203 preqcblk->cprb_ver_id = 0x02;
204 memcpy(preqcblk->func_id, "T2", 2);
205 preqcblk->rpl_msgbl = cprbplusparamblen;
207 preqcblk->req_parmb =
208 ((u8 *) preqcblk) + sizeof(struct CPRBX);
209 preqcblk->rpl_parmb =
210 ((u8 *) prepcblk) + sizeof(struct CPRBX);
214 *preqCPRB = preqcblk;
215 *prepCPRB = prepcblk;
221 * Free the cprb memory allocated with the function above.
222 * If the scrub value is not zero, the memory is filled
223 * with zeros before freeing (useful if there was some
224 * clear key material in there).
226 static void free_cprbmem(void *mem, size_t paramblen, int scrub)
229 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
234 * Helper function to prepare the xcrb struct
236 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
238 struct CPRBX *preqcblk,
239 struct CPRBX *prepcblk)
241 memset(pxcrb, 0, sizeof(*pxcrb));
242 pxcrb->agent_ID = 0x4341; /* 'CA' */
243 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
244 pxcrb->request_control_blk_length =
245 preqcblk->cprb_len + preqcblk->req_parml;
246 pxcrb->request_control_blk_addr = (void __user *) preqcblk;
247 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
248 pxcrb->reply_control_blk_addr = (void __user *) prepcblk;
252 * Helper function which calls zcrypt_send_cprb with
253 * memory management segment adjusted to kernel space
254 * so that the copy_from_user called within this
255 * function do in fact copy from kernel space.
257 static inline int _zcrypt_send_cprb(struct ica_xcRB *xcrb)
260 mm_segment_t old_fs = get_fs();
263 rc = zcrypt_send_cprb(xcrb);
270 * Generate (random) CCA AES DATA secure key.
272 int cca_genseckey(u16 cardnr, u16 domain,
273 u32 keybitsize, u8 seckey[SECKEYBLOBSIZE])
278 struct CPRBX *preqcblk, *prepcblk;
279 struct ica_xcRB xcrb;
295 u8 data[SECKEYBLOBSIZE];
298 } __packed * preqparm;
309 /* ... some more data ... */
312 } __packed * prepparm;
314 /* get already prepared memory for 2 cprbs with param block each */
315 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
319 /* fill request cprb struct */
320 preqcblk->domain = domain;
322 /* fill request cprb param block with KG request */
323 preqparm = (struct kgreqparm *) preqcblk->req_parmb;
324 memcpy(preqparm->subfunc_code, "KG", 2);
325 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
326 preqparm->lv1.len = sizeof(struct lv1);
327 memcpy(preqparm->lv1.key_form, "OP ", 8);
328 switch (keybitsize) {
329 case PKEY_SIZE_AES_128:
330 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
332 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
334 case PKEY_SIZE_AES_192:
335 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
337 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
339 case PKEY_SIZE_AES_256:
340 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
342 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
345 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
346 __func__, keybitsize);
350 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
351 preqparm->lv2.len = sizeof(struct lv2);
352 for (i = 0; i < 6; i++) {
353 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
354 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
356 preqcblk->req_parml = sizeof(struct kgreqparm);
358 /* fill xcrb struct */
359 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
361 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
362 rc = _zcrypt_send_cprb(&xcrb);
364 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
365 __func__, (int) cardnr, (int) domain, rc);
369 /* check response returncode and reasoncode */
370 if (prepcblk->ccp_rtcode != 0) {
371 DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
373 (int) prepcblk->ccp_rtcode,
374 (int) prepcblk->ccp_rscode);
379 /* process response cprb param block */
380 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
381 prepparm = (struct kgrepparm *) prepcblk->rpl_parmb;
383 /* check length of the returned secure key token */
384 seckeysize = prepparm->lv3.keyblock.toklen
385 - sizeof(prepparm->lv3.keyblock.toklen)
386 - sizeof(prepparm->lv3.keyblock.tokattr);
387 if (seckeysize != SECKEYBLOBSIZE) {
388 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
389 __func__, seckeysize, SECKEYBLOBSIZE);
394 /* check secure key token */
395 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
396 prepparm->lv3.keyblock.tok, 8*keysize);
402 /* copy the generated secure key token */
403 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
406 free_cprbmem(mem, PARMBSIZE, 0);
409 EXPORT_SYMBOL(cca_genseckey);
412 * Generate an CCA AES DATA secure key with given key value.
414 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
415 const u8 *clrkey, u8 seckey[SECKEYBLOBSIZE])
417 int rc, keysize, seckeysize;
419 struct CPRBX *preqcblk, *prepcblk;
420 struct ica_xcRB xcrb;
434 u8 data[SECKEYBLOBSIZE];
437 } __packed * preqparm;
449 /* ... some more data ... */
452 } __packed * prepparm;
454 /* get already prepared memory for 2 cprbs with param block each */
455 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
459 /* fill request cprb struct */
460 preqcblk->domain = domain;
462 /* fill request cprb param block with CM request */
463 preqparm = (struct cmreqparm *) preqcblk->req_parmb;
464 memcpy(preqparm->subfunc_code, "CM", 2);
465 memcpy(preqparm->rule_array, "AES ", 8);
466 preqparm->rule_array_len =
467 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
468 switch (keybitsize) {
469 case PKEY_SIZE_AES_128:
470 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
473 case PKEY_SIZE_AES_192:
474 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
477 case PKEY_SIZE_AES_256:
478 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
482 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
483 __func__, keybitsize);
487 preqparm->lv1.len = sizeof(struct lv1) + keysize;
488 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
489 plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize);
490 plv2->len = sizeof(struct lv2);
491 plv2->keyid.len = sizeof(struct keyid);
492 plv2->keyid.attr = 0x30;
493 preqcblk->req_parml = sizeof(struct cmreqparm) + keysize;
495 /* fill xcrb struct */
496 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
498 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
499 rc = _zcrypt_send_cprb(&xcrb);
501 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
502 __func__, (int) cardnr, (int) domain, rc);
506 /* check response returncode and reasoncode */
507 if (prepcblk->ccp_rtcode != 0) {
508 DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
510 (int) prepcblk->ccp_rtcode,
511 (int) prepcblk->ccp_rscode);
516 /* process response cprb param block */
517 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
518 prepparm = (struct cmrepparm *) prepcblk->rpl_parmb;
520 /* check length of the returned secure key token */
521 seckeysize = prepparm->lv3.keyblock.toklen
522 - sizeof(prepparm->lv3.keyblock.toklen)
523 - sizeof(prepparm->lv3.keyblock.tokattr);
524 if (seckeysize != SECKEYBLOBSIZE) {
525 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
526 __func__, seckeysize, SECKEYBLOBSIZE);
531 /* check secure key token */
532 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
533 prepparm->lv3.keyblock.tok, 8*keysize);
539 /* copy the generated secure key token */
541 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
544 free_cprbmem(mem, PARMBSIZE, 1);
547 EXPORT_SYMBOL(cca_clr2seckey);
550 * Derive proteced key from an CCA AES DATA secure key.
552 int cca_sec2protkey(u16 cardnr, u16 domain,
553 const u8 seckey[SECKEYBLOBSIZE],
554 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
558 struct CPRBX *preqcblk, *prepcblk;
559 struct ica_xcRB xcrb;
572 u8 token[0]; /* cca secure key token */
574 } __packed * preqparm;
582 struct cpacfkeyblock {
583 u8 version; /* version of this struct */
589 u8 key[64]; /* the key (len bytes) */
594 u8 vp[32]; /* verification pattern */
597 } __packed * prepparm;
599 /* get already prepared memory for 2 cprbs with param block each */
600 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
604 /* fill request cprb struct */
605 preqcblk->domain = domain;
607 /* fill request cprb param block with USK request */
608 preqparm = (struct uskreqparm *) preqcblk->req_parmb;
609 memcpy(preqparm->subfunc_code, "US", 2);
610 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
611 preqparm->lv1.len = sizeof(struct lv1);
612 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
613 preqparm->lv1.attr_flags = 0x0001;
614 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
615 preqparm->lv2.attr_len = sizeof(struct lv2)
616 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
617 preqparm->lv2.attr_flags = 0x0000;
618 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
619 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
621 /* fill xcrb struct */
622 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
624 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
625 rc = _zcrypt_send_cprb(&xcrb);
627 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
628 __func__, (int) cardnr, (int) domain, rc);
632 /* check response returncode and reasoncode */
633 if (prepcblk->ccp_rtcode != 0) {
634 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
636 (int) prepcblk->ccp_rtcode,
637 (int) prepcblk->ccp_rscode);
641 if (prepcblk->ccp_rscode != 0) {
642 DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
644 (int) prepcblk->ccp_rtcode,
645 (int) prepcblk->ccp_rscode);
648 /* process response cprb param block */
649 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
650 prepparm = (struct uskrepparm *) prepcblk->rpl_parmb;
652 /* check the returned keyblock */
653 if (prepparm->lv3.keyblock.version != 0x01) {
654 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x != 0x01\n",
655 __func__, (int) prepparm->lv3.keyblock.version);
660 /* copy the tanslated protected key */
661 switch (prepparm->lv3.keyblock.len) {
663 /* AES 128 protected key */
665 *protkeytype = PKEY_KEYTYPE_AES_128;
668 /* AES 192 protected key */
670 *protkeytype = PKEY_KEYTYPE_AES_192;
673 /* AES 256 protected key */
675 *protkeytype = PKEY_KEYTYPE_AES_256;
678 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
679 __func__, prepparm->lv3.keyblock.len);
683 memcpy(protkey, prepparm->lv3.keyblock.key, prepparm->lv3.keyblock.len);
685 *protkeylen = prepparm->lv3.keyblock.len;
688 free_cprbmem(mem, PARMBSIZE, 0);
691 EXPORT_SYMBOL(cca_sec2protkey);
694 * AES cipher key skeleton created with CSNBKTB2 with these flags:
695 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
696 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
697 * used by cca_gencipherkey() and cca_clr2cipherkey().
699 static const u8 aes_cipher_key_skeleton[] = {
700 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
704 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
705 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
706 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
707 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
710 * Generate (random) CCA AES CIPHER secure key.
712 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
713 u8 *keybuf, size_t *keybufsize)
717 struct CPRBX *preqcblk, *prepcblk;
718 struct ica_xcRB xcrb;
722 char rule_array[2*8];
727 u16 clear_key_bit_len;
752 u8 gen_key_id_1[SIZEOF_SKELETON];
757 u8 gen_key_id_1_label[0];
767 u8 gen_key_id_2_label[0];
770 } __packed * preqparm;
782 u8 gen_key[0]; /* 120-136 bytes */
785 } __packed * prepparm;
786 struct cipherkeytoken *t;
788 /* get already prepared memory for 2 cprbs with param block each */
789 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
793 /* fill request cprb struct */
794 preqcblk->domain = domain;
795 preqcblk->req_parml = sizeof(struct gkreqparm);
797 /* prepare request param block with GK request */
798 preqparm = (struct gkreqparm *) preqcblk->req_parmb;
799 memcpy(preqparm->subfunc_code, "GK", 2);
800 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
801 memcpy(preqparm->rule_array, "AES OP ", 2*8);
803 /* prepare vud block */
804 preqparm->vud.len = sizeof(preqparm->vud);
805 switch (keybitsize) {
812 "%s unknown/unsupported keybitsize %d\n",
813 __func__, keybitsize);
817 preqparm->vud.clear_key_bit_len = keybitsize;
818 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
819 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
821 /* prepare kb block */
822 preqparm->kb.len = sizeof(preqparm->kb);
823 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
824 preqparm->kb.tlv1.flag = 0x0030;
825 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
826 preqparm->kb.tlv2.flag = 0x0030;
827 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
828 preqparm->kb.tlv3.flag = 0x0030;
829 memcpy(preqparm->kb.tlv3.gen_key_id_1,
830 aes_cipher_key_skeleton, SIZEOF_SKELETON);
831 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
832 preqparm->kb.tlv4.flag = 0x0030;
833 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
834 preqparm->kb.tlv5.flag = 0x0030;
835 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
836 preqparm->kb.tlv6.flag = 0x0030;
838 /* patch the skeleton key token export flags inside the kb block */
840 t = (struct cipherkeytoken *) preqparm->kb.tlv3.gen_key_id_1;
841 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
842 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
845 /* prepare xcrb struct */
846 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
848 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
849 rc = _zcrypt_send_cprb(&xcrb);
852 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
853 __func__, (int) cardnr, (int) domain, rc);
857 /* check response returncode and reasoncode */
858 if (prepcblk->ccp_rtcode != 0) {
860 "%s cipher key generate failure, card response %d/%d\n",
862 (int) prepcblk->ccp_rtcode,
863 (int) prepcblk->ccp_rscode);
868 /* process response cprb param block */
869 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
870 prepparm = (struct gkrepparm *) prepcblk->rpl_parmb;
872 /* do some plausibility checks on the key block */
873 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
874 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
875 DEBUG_ERR("%s reply with invalid or unknown key block\n",
881 /* and some checks on the generated key */
882 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
883 prepparm->kb.tlv1.gen_key,
890 /* copy the generated vlsc key token */
891 t = (struct cipherkeytoken *) prepparm->kb.tlv1.gen_key;
893 if (*keybufsize >= t->len)
894 memcpy(keybuf, t, t->len);
898 *keybufsize = t->len;
901 free_cprbmem(mem, PARMBSIZE, 0);
904 EXPORT_SYMBOL(cca_gencipherkey);
907 * Helper function, does a the CSNBKPI2 CPRB.
909 static int _ip_cprb_helper(u16 cardnr, u16 domain,
910 const char *rule_array_1,
911 const char *rule_array_2,
912 const char *rule_array_3,
913 const u8 *clr_key_value,
914 int clr_key_bit_size,
920 struct CPRBX *preqcblk, *prepcblk;
921 struct ica_xcRB xcrb;
922 struct rule_array_block {
926 } __packed * preq_ra_block;
931 u16 flag; /* 0x0064 */
936 u16 flag; /* 0x0063 */
937 u8 clr_key[0]; /* clear key value bytes */
939 } __packed * preq_vud_block;
944 u16 flag; /* 0x0030 */
945 u8 key_token[0]; /* key skeleton */
947 } __packed * preq_key_block;
958 u16 flag; /* 0x0030 */
959 u8 key_token[0]; /* key token */
962 } __packed * prepparm;
963 struct cipherkeytoken *t;
964 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
966 /* get already prepared memory for 2 cprbs with param block each */
967 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
971 /* fill request cprb struct */
972 preqcblk->domain = domain;
973 preqcblk->req_parml = 0;
975 /* prepare request param block with IP request */
976 preq_ra_block = (struct rule_array_block *) preqcblk->req_parmb;
977 memcpy(preq_ra_block->subfunc_code, "IP", 2);
978 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
979 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
980 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
981 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
983 preq_ra_block->rule_array_len += 8;
984 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
985 preqcblk->req_parml += 8;
988 /* prepare vud block */
989 preq_vud_block = (struct vud_block *)
990 (preqcblk->req_parmb + preqcblk->req_parml);
991 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
992 preq_vud_block->len = sizeof(struct vud_block) + n;
993 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
994 preq_vud_block->tlv1.flag = 0x0064;
995 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
996 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
997 preq_vud_block->tlv2.flag = 0x0063;
999 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1000 preqcblk->req_parml += preq_vud_block->len;
1002 /* prepare key block */
1003 preq_key_block = (struct key_block *)
1004 (preqcblk->req_parmb + preqcblk->req_parml);
1005 n = *key_token_size;
1006 preq_key_block->len = sizeof(struct key_block) + n;
1007 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1008 preq_key_block->tlv1.flag = 0x0030;
1009 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1010 preqcblk->req_parml += preq_key_block->len;
1012 /* prepare xcrb struct */
1013 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1015 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1016 rc = _zcrypt_send_cprb(&xcrb);
1019 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1020 __func__, (int) cardnr, (int) domain, rc);
1024 /* check response returncode and reasoncode */
1025 if (prepcblk->ccp_rtcode != 0) {
1027 "%s CSNBKPI2 failure, card response %d/%d\n",
1029 (int) prepcblk->ccp_rtcode,
1030 (int) prepcblk->ccp_rscode);
1035 /* process response cprb param block */
1036 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1037 prepparm = (struct iprepparm *) prepcblk->rpl_parmb;
1039 /* do some plausibility checks on the key block */
1040 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1041 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1042 DEBUG_ERR("%s reply with invalid or unknown key block\n",
1048 /* do not check the key here, it may be incomplete */
1050 /* copy the vlsc key token back */
1051 t = (struct cipherkeytoken *) prepparm->kb.tlv1.key_token;
1052 memcpy(key_token, t, t->len);
1053 *key_token_size = t->len;
1056 free_cprbmem(mem, PARMBSIZE, 0);
1061 * Build CCA AES CIPHER secure key with a given clear key value.
1063 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1064 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1070 struct cipherkeytoken *t;
1072 /* fill exorbuf with random data */
1073 get_random_bytes(exorbuf, sizeof(exorbuf));
1075 /* allocate space for the key token to build */
1076 token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1080 /* prepare the token with the key skeleton */
1081 tokensize = SIZEOF_SKELETON;
1082 memcpy(token, aes_cipher_key_skeleton, tokensize);
1084 /* patch the skeleton key token export flags */
1086 t = (struct cipherkeytoken *) token;
1087 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
1088 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
1092 * Do the key import with the clear key value in 4 steps:
1093 * 1/4 FIRST import with only random data
1094 * 2/4 EXOR the clear key
1095 * 3/4 EXOR the very same random data again
1096 * 4/4 COMPLETE the secure cipher key import
1098 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1099 exorbuf, keybitsize, token, &tokensize);
1102 "%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1106 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1107 clrkey, keybitsize, token, &tokensize);
1110 "%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1114 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1115 exorbuf, keybitsize, token, &tokensize);
1118 "%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1122 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1123 NULL, keybitsize, token, &tokensize);
1126 "%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1131 /* copy the generated key token */
1133 if (tokensize > *keybufsize)
1136 memcpy(keybuf, token, tokensize);
1138 *keybufsize = tokensize;
1144 EXPORT_SYMBOL(cca_clr2cipherkey);
1147 * Derive proteced key from CCA AES cipher secure key.
1149 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1150 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1154 struct CPRBX *preqcblk, *prepcblk;
1155 struct ica_xcRB xcrb;
1168 u16 cca_key_token_len;
1169 u16 cca_key_token_flags;
1170 u8 cca_key_token[0]; // 64 or more
1172 } __packed * preqparm;
1180 struct cpacfkeyblock {
1181 u8 version; /* version of this struct */
1187 u8 key[64]; /* the key (keylen bytes) */
1192 u8 vp[32]; /* verification pattern */
1198 } __packed * prepparm;
1199 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1201 /* get already prepared memory for 2 cprbs with param block each */
1202 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1206 /* fill request cprb struct */
1207 preqcblk->domain = domain;
1209 /* fill request cprb param block with AU request */
1210 preqparm = (struct aureqparm *) preqcblk->req_parmb;
1211 memcpy(preqparm->subfunc_code, "AU", 2);
1212 preqparm->rule_array_len =
1213 sizeof(preqparm->rule_array_len)
1214 + sizeof(preqparm->rule_array);
1215 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1217 preqparm->vud.len = sizeof(preqparm->vud);
1218 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1219 + 2 * sizeof(uint16_t);
1220 preqparm->vud.tk_blob_tag = 0x00C2;
1222 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1223 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1224 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1225 /* now fill length of param block into cprb */
1226 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1228 /* fill xcrb struct */
1229 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1231 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1232 rc = _zcrypt_send_cprb(&xcrb);
1235 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1236 __func__, (int) cardnr, (int) domain, rc);
1240 /* check response returncode and reasoncode */
1241 if (prepcblk->ccp_rtcode != 0) {
1243 "%s unwrap secure key failure, card response %d/%d\n",
1245 (int) prepcblk->ccp_rtcode,
1246 (int) prepcblk->ccp_rscode);
1250 if (prepcblk->ccp_rscode != 0) {
1252 "%s unwrap secure key warning, card response %d/%d\n",
1254 (int) prepcblk->ccp_rtcode,
1255 (int) prepcblk->ccp_rscode);
1258 /* process response cprb param block */
1259 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1260 prepparm = (struct aurepparm *) prepcblk->rpl_parmb;
1262 /* check the returned keyblock */
1263 if (prepparm->vud.ckb.version != 0x01) {
1265 "%s reply param keyblock version mismatch 0x%02x != 0x01\n",
1266 __func__, (int) prepparm->vud.ckb.version);
1270 if (prepparm->vud.ckb.algo != 0x02) {
1272 "%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1273 __func__, (int) prepparm->vud.ckb.algo);
1278 /* copy the translated protected key */
1279 switch (prepparm->vud.ckb.keylen) {
1281 /* AES 128 protected key */
1283 *protkeytype = PKEY_KEYTYPE_AES_128;
1286 /* AES 192 protected key */
1288 *protkeytype = PKEY_KEYTYPE_AES_192;
1291 /* AES 256 protected key */
1293 *protkeytype = PKEY_KEYTYPE_AES_256;
1296 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1297 __func__, prepparm->vud.ckb.keylen);
1301 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1303 *protkeylen = prepparm->vud.ckb.keylen;
1306 free_cprbmem(mem, PARMBSIZE, 0);
1309 EXPORT_SYMBOL(cca_cipher2protkey);
1312 * query cryptographic facility from CCA adapter
1314 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1315 const char *keyword,
1316 u8 *rarray, size_t *rarraylen,
1317 u8 *varray, size_t *varraylen)
1322 struct CPRBX *preqcblk, *prepcblk;
1323 struct ica_xcRB xcrb;
1330 u8 data[VARDATASIZE];
1333 } __packed * preqparm;
1334 size_t parmbsize = sizeof(struct fqreqparm);
1338 } __packed * prepparm;
1340 /* get already prepared memory for 2 cprbs with param block each */
1341 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1345 /* fill request cprb struct */
1346 preqcblk->domain = domain;
1348 /* fill request cprb param block with FQ request */
1349 preqparm = (struct fqreqparm *) preqcblk->req_parmb;
1350 memcpy(preqparm->subfunc_code, "FQ", 2);
1351 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1352 preqparm->rule_array_len =
1353 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1354 preqparm->lv1.len = sizeof(preqparm->lv1);
1355 preqparm->dummylen = sizeof(preqparm->dummylen);
1356 preqcblk->req_parml = parmbsize;
1358 /* fill xcrb struct */
1359 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1361 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1362 rc = _zcrypt_send_cprb(&xcrb);
1364 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1365 __func__, (int) cardnr, (int) domain, rc);
1369 /* check response returncode and reasoncode */
1370 if (prepcblk->ccp_rtcode != 0) {
1371 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1373 (int) prepcblk->ccp_rtcode,
1374 (int) prepcblk->ccp_rscode);
1379 /* process response cprb param block */
1380 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1381 prepparm = (struct fqrepparm *) prepcblk->rpl_parmb;
1382 ptr = prepparm->lvdata;
1384 /* check and possibly copy reply rule array */
1385 len = *((u16 *) ptr);
1386 if (len > sizeof(u16)) {
1389 if (rarray && rarraylen && *rarraylen > 0) {
1390 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1391 memcpy(rarray, ptr, *rarraylen);
1395 /* check and possible copy reply var array */
1396 len = *((u16 *) ptr);
1397 if (len > sizeof(u16)) {
1400 if (varray && varraylen && *varraylen > 0) {
1401 *varraylen = (len > *varraylen ? *varraylen : len);
1402 memcpy(varray, ptr, *varraylen);
1408 free_cprbmem(mem, parmbsize, 0);
1411 EXPORT_SYMBOL(cca_query_crypto_facility);
1413 static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
1416 struct cca_info_list_entry *ptr;
1418 spin_lock_bh(&cca_info_list_lock);
1419 list_for_each_entry(ptr, &cca_info_list, list) {
1420 if (ptr->cardnr == cardnr && ptr->domain == domain) {
1421 memcpy(ci, &ptr->info, sizeof(*ci));
1426 spin_unlock_bh(&cca_info_list_lock);
1431 static void cca_info_cache_update(u16 cardnr, u16 domain,
1432 const struct cca_info *ci)
1435 struct cca_info_list_entry *ptr;
1437 spin_lock_bh(&cca_info_list_lock);
1438 list_for_each_entry(ptr, &cca_info_list, list) {
1439 if (ptr->cardnr == cardnr &&
1440 ptr->domain == domain) {
1441 memcpy(&ptr->info, ci, sizeof(*ci));
1447 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1449 spin_unlock_bh(&cca_info_list_lock);
1452 ptr->cardnr = cardnr;
1453 ptr->domain = domain;
1454 memcpy(&ptr->info, ci, sizeof(*ci));
1455 list_add(&ptr->list, &cca_info_list);
1457 spin_unlock_bh(&cca_info_list_lock);
1460 static void cca_info_cache_scrub(u16 cardnr, u16 domain)
1462 struct cca_info_list_entry *ptr;
1464 spin_lock_bh(&cca_info_list_lock);
1465 list_for_each_entry(ptr, &cca_info_list, list) {
1466 if (ptr->cardnr == cardnr &&
1467 ptr->domain == domain) {
1468 list_del(&ptr->list);
1473 spin_unlock_bh(&cca_info_list_lock);
1476 static void __exit mkvp_cache_free(void)
1478 struct cca_info_list_entry *ptr, *pnext;
1480 spin_lock_bh(&cca_info_list_lock);
1481 list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
1482 list_del(&ptr->list);
1485 spin_unlock_bh(&cca_info_list_lock);
1489 * Fetch cca_info values via query_crypto_facility from adapter.
1491 static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
1495 u8 *rarray, *varray, *pg;
1496 struct zcrypt_device_status_ext devstat;
1498 memset(ci, 0, sizeof(*ci));
1500 /* get first info from zcrypt device driver about this apqn */
1501 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1504 ci->hwtype = devstat.hwtype;
1506 /* prep page for rule array and var array use */
1507 pg = (u8 *) __get_free_page(GFP_KERNEL);
1511 varray = pg + PAGE_SIZE/2;
1512 rlen = vlen = PAGE_SIZE/2;
1514 /* QF for this card/domain */
1515 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1516 rarray, &rlen, varray, &vlen);
1517 if (rc == 0 && rlen >= 10*8 && vlen >= 204) {
1518 memcpy(ci->serial, rarray, 8);
1519 ci->new_mk_state = (char) rarray[7*8];
1520 ci->cur_mk_state = (char) rarray[8*8];
1521 ci->old_mk_state = (char) rarray[9*8];
1522 if (ci->old_mk_state == '2')
1523 memcpy(&ci->old_mkvp, varray + 172, 8);
1524 if (ci->cur_mk_state == '2')
1525 memcpy(&ci->cur_mkvp, varray + 184, 8);
1526 if (ci->new_mk_state == '3')
1527 memcpy(&ci->new_mkvp, varray + 196, 8);
1531 free_page((unsigned long) pg);
1533 return found ? 0 : -ENOENT;
1537 * Fetch cca information about a CCA queue.
1539 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1543 rc = cca_info_cache_fetch(card, dom, ci);
1545 rc = fetch_cca_info(card, dom, ci);
1547 cca_info_cache_update(card, dom, ci);
1552 EXPORT_SYMBOL(cca_get_info);
1555 * Search for a matching crypto card based on the
1556 * Master Key Verification Pattern given.
1558 static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1559 int verify, int minhwtype)
1561 struct zcrypt_device_status_ext *device_status;
1566 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1567 if (mkvp == 0 || minhwtype < 0)
1570 /* fetch status of all crypto cards */
1571 device_status = kmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1572 sizeof(struct zcrypt_device_status_ext),
1576 zcrypt_device_status_mask_ext(device_status);
1578 /* walk through all crypto cards */
1579 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1580 card = AP_QID_CARD(device_status[i].qid);
1581 dom = AP_QID_QUEUE(device_status[i].qid);
1582 if (device_status[i].online &&
1583 device_status[i].functions & 0x04) {
1584 /* enabled CCA card, check current mkvp from cache */
1585 if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
1586 ci.hwtype >= minhwtype &&
1587 ci.cur_mk_state == '2' &&
1588 ci.cur_mkvp == mkvp) {
1591 /* verify: refresh card info */
1592 if (fetch_cca_info(card, dom, &ci) == 0) {
1593 cca_info_cache_update(card, dom, &ci);
1594 if (ci.hwtype >= minhwtype &&
1595 ci.cur_mk_state == '2' &&
1596 ci.cur_mkvp == mkvp)
1601 /* Card is offline and/or not a CCA card. */
1602 /* del mkvp entry from cache if it exists */
1603 cca_info_cache_scrub(card, dom);
1606 if (i >= MAX_ZDEV_ENTRIES_EXT) {
1607 /* nothing found, so this time without cache */
1608 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1609 if (!(device_status[i].online &&
1610 device_status[i].functions & 0x04))
1612 card = AP_QID_CARD(device_status[i].qid);
1613 dom = AP_QID_QUEUE(device_status[i].qid);
1614 /* fresh fetch mkvp from adapter */
1615 if (fetch_cca_info(card, dom, &ci) == 0) {
1616 cca_info_cache_update(card, dom, &ci);
1617 if (ci.hwtype >= minhwtype &&
1618 ci.cur_mk_state == '2' &&
1619 ci.cur_mkvp == mkvp)
1621 if (ci.hwtype >= minhwtype &&
1622 ci.old_mk_state == '2' &&
1623 ci.old_mkvp == mkvp &&
1628 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1629 /* old mkvp matched, use this card then */
1630 card = AP_QID_CARD(device_status[oi].qid);
1631 dom = AP_QID_QUEUE(device_status[oi].qid);
1634 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1639 rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1643 kfree(device_status);
1648 * Search for a matching crypto card based on the Master Key
1649 * Verification Pattern provided inside a secure key token.
1651 int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1655 const struct keytoken_header *hdr = (struct keytoken_header *) key;
1657 if (hdr->type != TOKTYPE_CCA_INTERNAL)
1660 switch (hdr->version) {
1661 case TOKVER_CCA_AES:
1662 mkvp = ((struct secaeskeytoken *)key)->mkvp;
1664 case TOKVER_CCA_VLSC:
1665 mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1666 minhwtype = AP_DEVICE_TYPE_CEX6;
1672 return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
1674 EXPORT_SYMBOL(cca_findcard);
1676 int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1677 int minhwtype, u64 cur_mkvp, u64 old_mkvp, int verify)
1679 struct zcrypt_device_status_ext *device_status;
1680 int i, n, card, dom, curmatch, oldmatch, rc = 0;
1686 /* fetch status of all crypto cards */
1687 device_status = kmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1688 sizeof(struct zcrypt_device_status_ext),
1692 zcrypt_device_status_mask_ext(device_status);
1694 /* loop two times: first gather eligible apqns, then store them */
1697 /* walk through all the crypto cards */
1698 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1699 card = AP_QID_CARD(device_status[i].qid);
1700 dom = AP_QID_QUEUE(device_status[i].qid);
1701 /* check online state */
1702 if (!device_status[i].online)
1704 /* check for cca functions */
1705 if (!(device_status[i].functions & 0x04))
1708 if (cardnr != 0xFFFF && card != cardnr)
1711 if (domain != 0xFFFF && dom != domain)
1713 /* get cca info on this apqn */
1714 if (cca_get_info(card, dom, &ci, verify))
1716 /* current master key needs to be valid */
1717 if (ci.cur_mk_state != '2')
1719 /* check min hardware type */
1720 if (minhwtype > 0 && minhwtype > ci.hwtype)
1722 if (cur_mkvp || old_mkvp) {
1724 curmatch = oldmatch = 0;
1725 if (cur_mkvp && cur_mkvp == ci.cur_mkvp)
1727 if (old_mkvp && ci.old_mk_state == '2' &&
1728 old_mkvp == ci.old_mkvp)
1730 if ((cur_mkvp || old_mkvp) &&
1731 (curmatch + oldmatch < 1))
1734 /* apqn passed all filtering criterons */
1735 if (*apqns && n < *nr_apqns)
1736 (*apqns)[n] = (((u16)card) << 16) | ((u16) dom);
1739 /* loop 2nd time: array has been filled */
1742 /* loop 1st time: have # of eligible apqns in n */
1744 rc = -ENODEV; /* no eligible apqns found */
1748 /* allocate array to store n apqns into */
1749 *apqns = kmalloc_array(n, sizeof(u32), GFP_KERNEL);
1757 kfree(device_status);
1760 EXPORT_SYMBOL(cca_findcard2);
1762 void __exit zcrypt_ccamisc_exit(void)