1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
7 * Collection of CCA misc functions used by zcrypt and pkey
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
26 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
31 /* Size of parameter block used for all cca requests/replies */
34 /* Size of vardata block used for some of the cca requests/replies */
35 #define VARDATASIZE 4096
37 struct cca_info_list_entry {
38 struct list_head list;
44 /* a list with cca_info_list_entry entries */
45 static LIST_HEAD(cca_info_list);
46 static DEFINE_SPINLOCK(cca_info_list_lock);
49 * Simple check if the token is a valid CCA secure AES data key
50 * token. If keybitsize is given, the bitsize of the key is
51 * also checked. Returns 0 on success or errno value on failure.
53 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
54 const u8 *token, int keybitsize)
56 struct secaeskeytoken *t = (struct secaeskeytoken *) token;
58 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
60 if (t->type != TOKTYPE_CCA_INTERNAL) {
62 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
66 if (t->version != TOKVER_CCA_AES) {
68 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 __func__, (int) t->version, TOKVER_CCA_AES);
72 if (keybitsize > 0 && t->bitsize != keybitsize) {
74 DBF("%s token check failed, bitsize %d != %d\n",
75 __func__, (int) t->bitsize, keybitsize);
83 EXPORT_SYMBOL(cca_check_secaeskeytoken);
86 * Simple check if the token is a valid CCA secure AES cipher key
87 * token. If keybitsize is given, the bitsize of the key is
88 * also checked. If checkcpacfexport is enabled, the key is also
89 * checked for the export flag to allow CPACF export.
90 * Returns 0 on success or errno value on failure.
92 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
93 const u8 *token, int keybitsize,
96 struct cipherkeytoken *t = (struct cipherkeytoken *) token;
97 bool keybitsizeok = true;
99 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
101 if (t->type != TOKTYPE_CCA_INTERNAL) {
103 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
107 if (t->version != TOKVER_CCA_VLSC) {
109 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 __func__, (int) t->version, TOKVER_CCA_VLSC);
113 if (t->algtype != 0x02) {
115 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 __func__, (int) t->algtype);
119 if (t->keytype != 0x0001) {
121 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 __func__, (int) t->keytype);
125 if (t->plfver != 0x00 && t->plfver != 0x01) {
127 DBF("%s token check failed, unknown plfver 0x%02x\n",
128 __func__, (int) t->plfver);
131 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
133 DBF("%s token check failed, unknown wpllen %d\n",
134 __func__, (int) t->wpllen);
137 if (keybitsize > 0) {
138 switch (keybitsize) {
140 if (t->wpllen != (t->plfver ? 640 : 512))
141 keybitsizeok = false;
144 if (t->wpllen != (t->plfver ? 640 : 576))
145 keybitsizeok = false;
148 if (t->wpllen != 640)
149 keybitsizeok = false;
152 keybitsizeok = false;
157 DBF("%s token check failed, bitsize %d\n",
158 __func__, keybitsize);
162 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
164 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
173 EXPORT_SYMBOL(cca_check_secaescipherkey);
176 * Allocate consecutive memory for request CPRB, request param
177 * block, reply CPRB and reply param block and fill in values
178 * for the common fields. Returns 0 on success or errno value
181 static int alloc_and_prep_cprbmem(size_t paramblen,
183 struct CPRBX **preqCPRB,
184 struct CPRBX **prepCPRB)
187 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
188 struct CPRBX *preqcblk, *prepcblk;
191 * allocate consecutive memory for request CPRB, request param
192 * block, reply CPRB and reply param block
194 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
198 preqcblk = (struct CPRBX *) cprbmem;
199 prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen);
201 /* fill request cprb struct */
202 preqcblk->cprb_len = sizeof(struct CPRBX);
203 preqcblk->cprb_ver_id = 0x02;
204 memcpy(preqcblk->func_id, "T2", 2);
205 preqcblk->rpl_msgbl = cprbplusparamblen;
207 preqcblk->req_parmb =
208 ((u8 *) preqcblk) + sizeof(struct CPRBX);
209 preqcblk->rpl_parmb =
210 ((u8 *) prepcblk) + sizeof(struct CPRBX);
214 *preqCPRB = preqcblk;
215 *prepCPRB = prepcblk;
221 * Free the cprb memory allocated with the function above.
222 * If the scrub value is not zero, the memory is filled
223 * with zeros before freeing (useful if there was some
224 * clear key material in there).
226 static void free_cprbmem(void *mem, size_t paramblen, int scrub)
229 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
234 * Helper function to prepare the xcrb struct
236 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
238 struct CPRBX *preqcblk,
239 struct CPRBX *prepcblk)
241 memset(pxcrb, 0, sizeof(*pxcrb));
242 pxcrb->agent_ID = 0x4341; /* 'CA' */
243 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
244 pxcrb->request_control_blk_length =
245 preqcblk->cprb_len + preqcblk->req_parml;
246 pxcrb->request_control_blk_addr = (void __user *) preqcblk;
247 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
248 pxcrb->reply_control_blk_addr = (void __user *) prepcblk;
252 * Helper function which calls zcrypt_send_cprb with
253 * memory management segment adjusted to kernel space
254 * so that the copy_from_user called within this
255 * function do in fact copy from kernel space.
257 static inline int _zcrypt_send_cprb(struct ica_xcRB *xcrb)
260 mm_segment_t old_fs = get_fs();
263 rc = zcrypt_send_cprb(xcrb);
270 * Generate (random) CCA AES DATA secure key.
272 int cca_genseckey(u16 cardnr, u16 domain,
273 u32 keybitsize, u8 seckey[SECKEYBLOBSIZE])
278 struct CPRBX *preqcblk, *prepcblk;
279 struct ica_xcRB xcrb;
295 u8 data[SECKEYBLOBSIZE];
298 } __packed * preqparm;
309 /* ... some more data ... */
312 } __packed * prepparm;
314 /* get already prepared memory for 2 cprbs with param block each */
315 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
319 /* fill request cprb struct */
320 preqcblk->domain = domain;
322 /* fill request cprb param block with KG request */
323 preqparm = (struct kgreqparm *) preqcblk->req_parmb;
324 memcpy(preqparm->subfunc_code, "KG", 2);
325 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
326 preqparm->lv1.len = sizeof(struct lv1);
327 memcpy(preqparm->lv1.key_form, "OP ", 8);
328 switch (keybitsize) {
329 case PKEY_SIZE_AES_128:
330 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
332 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
334 case PKEY_SIZE_AES_192:
335 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
337 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
339 case PKEY_SIZE_AES_256:
340 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
342 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
345 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
346 __func__, keybitsize);
350 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
351 preqparm->lv2.len = sizeof(struct lv2);
352 for (i = 0; i < 6; i++) {
353 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
354 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
356 preqcblk->req_parml = sizeof(struct kgreqparm);
358 /* fill xcrb struct */
359 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
361 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
362 rc = _zcrypt_send_cprb(&xcrb);
364 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
365 __func__, (int) cardnr, (int) domain, rc);
369 /* check response returncode and reasoncode */
370 if (prepcblk->ccp_rtcode != 0) {
371 DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
373 (int) prepcblk->ccp_rtcode,
374 (int) prepcblk->ccp_rscode);
379 /* process response cprb param block */
380 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
381 prepparm = (struct kgrepparm *) prepcblk->rpl_parmb;
383 /* check length of the returned secure key token */
384 seckeysize = prepparm->lv3.keyblock.toklen
385 - sizeof(prepparm->lv3.keyblock.toklen)
386 - sizeof(prepparm->lv3.keyblock.tokattr);
387 if (seckeysize != SECKEYBLOBSIZE) {
388 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
389 __func__, seckeysize, SECKEYBLOBSIZE);
394 /* check secure key token */
395 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
396 prepparm->lv3.keyblock.tok, 8*keysize);
402 /* copy the generated secure key token */
403 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
406 free_cprbmem(mem, PARMBSIZE, 0);
409 EXPORT_SYMBOL(cca_genseckey);
412 * Generate an CCA AES DATA secure key with given key value.
414 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
415 const u8 *clrkey, u8 seckey[SECKEYBLOBSIZE])
417 int rc, keysize, seckeysize;
419 struct CPRBX *preqcblk, *prepcblk;
420 struct ica_xcRB xcrb;
434 u8 data[SECKEYBLOBSIZE];
437 } __packed * preqparm;
449 /* ... some more data ... */
452 } __packed * prepparm;
454 /* get already prepared memory for 2 cprbs with param block each */
455 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
459 /* fill request cprb struct */
460 preqcblk->domain = domain;
462 /* fill request cprb param block with CM request */
463 preqparm = (struct cmreqparm *) preqcblk->req_parmb;
464 memcpy(preqparm->subfunc_code, "CM", 2);
465 memcpy(preqparm->rule_array, "AES ", 8);
466 preqparm->rule_array_len =
467 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
468 switch (keybitsize) {
469 case PKEY_SIZE_AES_128:
470 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
473 case PKEY_SIZE_AES_192:
474 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
477 case PKEY_SIZE_AES_256:
478 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
482 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
483 __func__, keybitsize);
487 preqparm->lv1.len = sizeof(struct lv1) + keysize;
488 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
489 plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize);
490 plv2->len = sizeof(struct lv2);
491 plv2->keyid.len = sizeof(struct keyid);
492 plv2->keyid.attr = 0x30;
493 preqcblk->req_parml = sizeof(struct cmreqparm) + keysize;
495 /* fill xcrb struct */
496 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
498 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
499 rc = _zcrypt_send_cprb(&xcrb);
501 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
502 __func__, (int) cardnr, (int) domain, rc);
506 /* check response returncode and reasoncode */
507 if (prepcblk->ccp_rtcode != 0) {
508 DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
510 (int) prepcblk->ccp_rtcode,
511 (int) prepcblk->ccp_rscode);
516 /* process response cprb param block */
517 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
518 prepparm = (struct cmrepparm *) prepcblk->rpl_parmb;
520 /* check length of the returned secure key token */
521 seckeysize = prepparm->lv3.keyblock.toklen
522 - sizeof(prepparm->lv3.keyblock.toklen)
523 - sizeof(prepparm->lv3.keyblock.tokattr);
524 if (seckeysize != SECKEYBLOBSIZE) {
525 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
526 __func__, seckeysize, SECKEYBLOBSIZE);
531 /* check secure key token */
532 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
533 prepparm->lv3.keyblock.tok, 8*keysize);
539 /* copy the generated secure key token */
541 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
544 free_cprbmem(mem, PARMBSIZE, 1);
547 EXPORT_SYMBOL(cca_clr2seckey);
550 * Derive proteced key from an CCA AES DATA secure key.
552 int cca_sec2protkey(u16 cardnr, u16 domain,
553 const u8 seckey[SECKEYBLOBSIZE],
554 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
558 struct CPRBX *preqcblk, *prepcblk;
559 struct ica_xcRB xcrb;
572 u8 token[0]; /* cca secure key token */
574 } __packed * preqparm;
582 struct cpacfkeyblock {
583 u8 version; /* version of this struct */
589 u8 key[64]; /* the key (len bytes) */
594 u8 vp[32]; /* verification pattern */
597 } __packed * prepparm;
599 /* get already prepared memory for 2 cprbs with param block each */
600 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
604 /* fill request cprb struct */
605 preqcblk->domain = domain;
607 /* fill request cprb param block with USK request */
608 preqparm = (struct uskreqparm *) preqcblk->req_parmb;
609 memcpy(preqparm->subfunc_code, "US", 2);
610 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
611 preqparm->lv1.len = sizeof(struct lv1);
612 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
613 preqparm->lv1.attr_flags = 0x0001;
614 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
615 preqparm->lv2.attr_len = sizeof(struct lv2)
616 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
617 preqparm->lv2.attr_flags = 0x0000;
618 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
619 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
621 /* fill xcrb struct */
622 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
624 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
625 rc = _zcrypt_send_cprb(&xcrb);
627 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
628 __func__, (int) cardnr, (int) domain, rc);
632 /* check response returncode and reasoncode */
633 if (prepcblk->ccp_rtcode != 0) {
634 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
636 (int) prepcblk->ccp_rtcode,
637 (int) prepcblk->ccp_rscode);
641 if (prepcblk->ccp_rscode != 0) {
642 DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
644 (int) prepcblk->ccp_rtcode,
645 (int) prepcblk->ccp_rscode);
648 /* process response cprb param block */
649 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
650 prepparm = (struct uskrepparm *) prepcblk->rpl_parmb;
652 /* check the returned keyblock */
653 if (prepparm->lv3.ckb.version != 0x01 &&
654 prepparm->lv3.ckb.version != 0x02) {
655 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
656 __func__, (int) prepparm->lv3.ckb.version);
661 /* copy the tanslated protected key */
662 switch (prepparm->lv3.ckb.len) {
664 /* AES 128 protected key */
666 *protkeytype = PKEY_KEYTYPE_AES_128;
669 /* AES 192 protected key */
671 *protkeytype = PKEY_KEYTYPE_AES_192;
674 /* AES 256 protected key */
676 *protkeytype = PKEY_KEYTYPE_AES_256;
679 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
680 __func__, prepparm->lv3.ckb.len);
684 memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
686 *protkeylen = prepparm->lv3.ckb.len;
689 free_cprbmem(mem, PARMBSIZE, 0);
692 EXPORT_SYMBOL(cca_sec2protkey);
695 * AES cipher key skeleton created with CSNBKTB2 with these flags:
696 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
697 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
698 * used by cca_gencipherkey() and cca_clr2cipherkey().
700 static const u8 aes_cipher_key_skeleton[] = {
701 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
705 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
706 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
707 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
708 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
711 * Generate (random) CCA AES CIPHER secure key.
713 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
714 u8 *keybuf, size_t *keybufsize)
718 struct CPRBX *preqcblk, *prepcblk;
719 struct ica_xcRB xcrb;
723 char rule_array[2*8];
728 u16 clear_key_bit_len;
753 u8 gen_key_id_1[SIZEOF_SKELETON];
758 u8 gen_key_id_1_label[0];
768 u8 gen_key_id_2_label[0];
771 } __packed * preqparm;
783 u8 gen_key[0]; /* 120-136 bytes */
786 } __packed * prepparm;
787 struct cipherkeytoken *t;
789 /* get already prepared memory for 2 cprbs with param block each */
790 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
794 /* fill request cprb struct */
795 preqcblk->domain = domain;
796 preqcblk->req_parml = sizeof(struct gkreqparm);
798 /* prepare request param block with GK request */
799 preqparm = (struct gkreqparm *) preqcblk->req_parmb;
800 memcpy(preqparm->subfunc_code, "GK", 2);
801 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
802 memcpy(preqparm->rule_array, "AES OP ", 2*8);
804 /* prepare vud block */
805 preqparm->vud.len = sizeof(preqparm->vud);
806 switch (keybitsize) {
813 "%s unknown/unsupported keybitsize %d\n",
814 __func__, keybitsize);
818 preqparm->vud.clear_key_bit_len = keybitsize;
819 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
820 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
822 /* prepare kb block */
823 preqparm->kb.len = sizeof(preqparm->kb);
824 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
825 preqparm->kb.tlv1.flag = 0x0030;
826 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
827 preqparm->kb.tlv2.flag = 0x0030;
828 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
829 preqparm->kb.tlv3.flag = 0x0030;
830 memcpy(preqparm->kb.tlv3.gen_key_id_1,
831 aes_cipher_key_skeleton, SIZEOF_SKELETON);
832 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
833 preqparm->kb.tlv4.flag = 0x0030;
834 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
835 preqparm->kb.tlv5.flag = 0x0030;
836 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
837 preqparm->kb.tlv6.flag = 0x0030;
839 /* patch the skeleton key token export flags inside the kb block */
841 t = (struct cipherkeytoken *) preqparm->kb.tlv3.gen_key_id_1;
842 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
843 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
846 /* prepare xcrb struct */
847 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
849 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
850 rc = _zcrypt_send_cprb(&xcrb);
853 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
854 __func__, (int) cardnr, (int) domain, rc);
858 /* check response returncode and reasoncode */
859 if (prepcblk->ccp_rtcode != 0) {
861 "%s cipher key generate failure, card response %d/%d\n",
863 (int) prepcblk->ccp_rtcode,
864 (int) prepcblk->ccp_rscode);
869 /* process response cprb param block */
870 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
871 prepparm = (struct gkrepparm *) prepcblk->rpl_parmb;
873 /* do some plausibility checks on the key block */
874 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
875 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
876 DEBUG_ERR("%s reply with invalid or unknown key block\n",
882 /* and some checks on the generated key */
883 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
884 prepparm->kb.tlv1.gen_key,
891 /* copy the generated vlsc key token */
892 t = (struct cipherkeytoken *) prepparm->kb.tlv1.gen_key;
894 if (*keybufsize >= t->len)
895 memcpy(keybuf, t, t->len);
899 *keybufsize = t->len;
902 free_cprbmem(mem, PARMBSIZE, 0);
905 EXPORT_SYMBOL(cca_gencipherkey);
908 * Helper function, does a the CSNBKPI2 CPRB.
910 static int _ip_cprb_helper(u16 cardnr, u16 domain,
911 const char *rule_array_1,
912 const char *rule_array_2,
913 const char *rule_array_3,
914 const u8 *clr_key_value,
915 int clr_key_bit_size,
921 struct CPRBX *preqcblk, *prepcblk;
922 struct ica_xcRB xcrb;
923 struct rule_array_block {
927 } __packed * preq_ra_block;
932 u16 flag; /* 0x0064 */
937 u16 flag; /* 0x0063 */
938 u8 clr_key[0]; /* clear key value bytes */
940 } __packed * preq_vud_block;
945 u16 flag; /* 0x0030 */
946 u8 key_token[0]; /* key skeleton */
948 } __packed * preq_key_block;
959 u16 flag; /* 0x0030 */
960 u8 key_token[0]; /* key token */
963 } __packed * prepparm;
964 struct cipherkeytoken *t;
965 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
967 /* get already prepared memory for 2 cprbs with param block each */
968 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
972 /* fill request cprb struct */
973 preqcblk->domain = domain;
974 preqcblk->req_parml = 0;
976 /* prepare request param block with IP request */
977 preq_ra_block = (struct rule_array_block *) preqcblk->req_parmb;
978 memcpy(preq_ra_block->subfunc_code, "IP", 2);
979 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
980 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
981 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
982 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
984 preq_ra_block->rule_array_len += 8;
985 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
986 preqcblk->req_parml += 8;
989 /* prepare vud block */
990 preq_vud_block = (struct vud_block *)
991 (preqcblk->req_parmb + preqcblk->req_parml);
992 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
993 preq_vud_block->len = sizeof(struct vud_block) + n;
994 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
995 preq_vud_block->tlv1.flag = 0x0064;
996 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
997 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
998 preq_vud_block->tlv2.flag = 0x0063;
1000 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1001 preqcblk->req_parml += preq_vud_block->len;
1003 /* prepare key block */
1004 preq_key_block = (struct key_block *)
1005 (preqcblk->req_parmb + preqcblk->req_parml);
1006 n = *key_token_size;
1007 preq_key_block->len = sizeof(struct key_block) + n;
1008 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1009 preq_key_block->tlv1.flag = 0x0030;
1010 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1011 preqcblk->req_parml += preq_key_block->len;
1013 /* prepare xcrb struct */
1014 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1016 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1017 rc = _zcrypt_send_cprb(&xcrb);
1020 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1021 __func__, (int) cardnr, (int) domain, rc);
1025 /* check response returncode and reasoncode */
1026 if (prepcblk->ccp_rtcode != 0) {
1028 "%s CSNBKPI2 failure, card response %d/%d\n",
1030 (int) prepcblk->ccp_rtcode,
1031 (int) prepcblk->ccp_rscode);
1036 /* process response cprb param block */
1037 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1038 prepparm = (struct iprepparm *) prepcblk->rpl_parmb;
1040 /* do some plausibility checks on the key block */
1041 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1042 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1043 DEBUG_ERR("%s reply with invalid or unknown key block\n",
1049 /* do not check the key here, it may be incomplete */
1051 /* copy the vlsc key token back */
1052 t = (struct cipherkeytoken *) prepparm->kb.tlv1.key_token;
1053 memcpy(key_token, t, t->len);
1054 *key_token_size = t->len;
1057 free_cprbmem(mem, PARMBSIZE, 0);
1062 * Build CCA AES CIPHER secure key with a given clear key value.
1064 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1065 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1071 struct cipherkeytoken *t;
1073 /* fill exorbuf with random data */
1074 get_random_bytes(exorbuf, sizeof(exorbuf));
1076 /* allocate space for the key token to build */
1077 token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1081 /* prepare the token with the key skeleton */
1082 tokensize = SIZEOF_SKELETON;
1083 memcpy(token, aes_cipher_key_skeleton, tokensize);
1085 /* patch the skeleton key token export flags */
1087 t = (struct cipherkeytoken *) token;
1088 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
1089 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
1093 * Do the key import with the clear key value in 4 steps:
1094 * 1/4 FIRST import with only random data
1095 * 2/4 EXOR the clear key
1096 * 3/4 EXOR the very same random data again
1097 * 4/4 COMPLETE the secure cipher key import
1099 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1100 exorbuf, keybitsize, token, &tokensize);
1103 "%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1107 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1108 clrkey, keybitsize, token, &tokensize);
1111 "%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1115 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1116 exorbuf, keybitsize, token, &tokensize);
1119 "%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1123 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1124 NULL, keybitsize, token, &tokensize);
1127 "%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1132 /* copy the generated key token */
1134 if (tokensize > *keybufsize)
1137 memcpy(keybuf, token, tokensize);
1139 *keybufsize = tokensize;
1145 EXPORT_SYMBOL(cca_clr2cipherkey);
1148 * Derive proteced key from CCA AES cipher secure key.
1150 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1151 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1155 struct CPRBX *preqcblk, *prepcblk;
1156 struct ica_xcRB xcrb;
1169 u16 cca_key_token_len;
1170 u16 cca_key_token_flags;
1171 u8 cca_key_token[0]; // 64 or more
1173 } __packed * preqparm;
1181 struct cpacfkeyblock {
1182 u8 version; /* version of this struct */
1188 u8 key[64]; /* the key (keylen bytes) */
1193 u8 vp[32]; /* verification pattern */
1199 } __packed * prepparm;
1200 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1202 /* get already prepared memory for 2 cprbs with param block each */
1203 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1207 /* fill request cprb struct */
1208 preqcblk->domain = domain;
1210 /* fill request cprb param block with AU request */
1211 preqparm = (struct aureqparm *) preqcblk->req_parmb;
1212 memcpy(preqparm->subfunc_code, "AU", 2);
1213 preqparm->rule_array_len =
1214 sizeof(preqparm->rule_array_len)
1215 + sizeof(preqparm->rule_array);
1216 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1218 preqparm->vud.len = sizeof(preqparm->vud);
1219 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1220 + 2 * sizeof(uint16_t);
1221 preqparm->vud.tk_blob_tag = 0x00C2;
1223 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1224 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1225 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1226 /* now fill length of param block into cprb */
1227 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1229 /* fill xcrb struct */
1230 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1232 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1233 rc = _zcrypt_send_cprb(&xcrb);
1236 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1237 __func__, (int) cardnr, (int) domain, rc);
1241 /* check response returncode and reasoncode */
1242 if (prepcblk->ccp_rtcode != 0) {
1244 "%s unwrap secure key failure, card response %d/%d\n",
1246 (int) prepcblk->ccp_rtcode,
1247 (int) prepcblk->ccp_rscode);
1251 if (prepcblk->ccp_rscode != 0) {
1253 "%s unwrap secure key warning, card response %d/%d\n",
1255 (int) prepcblk->ccp_rtcode,
1256 (int) prepcblk->ccp_rscode);
1259 /* process response cprb param block */
1260 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1261 prepparm = (struct aurepparm *) prepcblk->rpl_parmb;
1263 /* check the returned keyblock */
1264 if (prepparm->vud.ckb.version != 0x01 &&
1265 prepparm->vud.ckb.version != 0x02) {
1266 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1267 __func__, (int) prepparm->vud.ckb.version);
1271 if (prepparm->vud.ckb.algo != 0x02) {
1273 "%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1274 __func__, (int) prepparm->vud.ckb.algo);
1279 /* copy the translated protected key */
1280 switch (prepparm->vud.ckb.keylen) {
1282 /* AES 128 protected key */
1284 *protkeytype = PKEY_KEYTYPE_AES_128;
1287 /* AES 192 protected key */
1289 *protkeytype = PKEY_KEYTYPE_AES_192;
1292 /* AES 256 protected key */
1294 *protkeytype = PKEY_KEYTYPE_AES_256;
1297 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1298 __func__, prepparm->vud.ckb.keylen);
1302 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1304 *protkeylen = prepparm->vud.ckb.keylen;
1307 free_cprbmem(mem, PARMBSIZE, 0);
1310 EXPORT_SYMBOL(cca_cipher2protkey);
1313 * query cryptographic facility from CCA adapter
1315 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1316 const char *keyword,
1317 u8 *rarray, size_t *rarraylen,
1318 u8 *varray, size_t *varraylen)
1323 struct CPRBX *preqcblk, *prepcblk;
1324 struct ica_xcRB xcrb;
1331 u8 data[VARDATASIZE];
1334 } __packed * preqparm;
1335 size_t parmbsize = sizeof(struct fqreqparm);
1339 } __packed * prepparm;
1341 /* get already prepared memory for 2 cprbs with param block each */
1342 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1346 /* fill request cprb struct */
1347 preqcblk->domain = domain;
1349 /* fill request cprb param block with FQ request */
1350 preqparm = (struct fqreqparm *) preqcblk->req_parmb;
1351 memcpy(preqparm->subfunc_code, "FQ", 2);
1352 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1353 preqparm->rule_array_len =
1354 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1355 preqparm->lv1.len = sizeof(preqparm->lv1);
1356 preqparm->dummylen = sizeof(preqparm->dummylen);
1357 preqcblk->req_parml = parmbsize;
1359 /* fill xcrb struct */
1360 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1362 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1363 rc = _zcrypt_send_cprb(&xcrb);
1365 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1366 __func__, (int) cardnr, (int) domain, rc);
1370 /* check response returncode and reasoncode */
1371 if (prepcblk->ccp_rtcode != 0) {
1372 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1374 (int) prepcblk->ccp_rtcode,
1375 (int) prepcblk->ccp_rscode);
1380 /* process response cprb param block */
1381 prepcblk->rpl_parmb = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1382 prepparm = (struct fqrepparm *) prepcblk->rpl_parmb;
1383 ptr = prepparm->lvdata;
1385 /* check and possibly copy reply rule array */
1386 len = *((u16 *) ptr);
1387 if (len > sizeof(u16)) {
1390 if (rarray && rarraylen && *rarraylen > 0) {
1391 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1392 memcpy(rarray, ptr, *rarraylen);
1396 /* check and possible copy reply var array */
1397 len = *((u16 *) ptr);
1398 if (len > sizeof(u16)) {
1401 if (varray && varraylen && *varraylen > 0) {
1402 *varraylen = (len > *varraylen ? *varraylen : len);
1403 memcpy(varray, ptr, *varraylen);
1409 free_cprbmem(mem, parmbsize, 0);
1412 EXPORT_SYMBOL(cca_query_crypto_facility);
1414 static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
1417 struct cca_info_list_entry *ptr;
1419 spin_lock_bh(&cca_info_list_lock);
1420 list_for_each_entry(ptr, &cca_info_list, list) {
1421 if (ptr->cardnr == cardnr && ptr->domain == domain) {
1422 memcpy(ci, &ptr->info, sizeof(*ci));
1427 spin_unlock_bh(&cca_info_list_lock);
1432 static void cca_info_cache_update(u16 cardnr, u16 domain,
1433 const struct cca_info *ci)
1436 struct cca_info_list_entry *ptr;
1438 spin_lock_bh(&cca_info_list_lock);
1439 list_for_each_entry(ptr, &cca_info_list, list) {
1440 if (ptr->cardnr == cardnr &&
1441 ptr->domain == domain) {
1442 memcpy(&ptr->info, ci, sizeof(*ci));
1448 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1450 spin_unlock_bh(&cca_info_list_lock);
1453 ptr->cardnr = cardnr;
1454 ptr->domain = domain;
1455 memcpy(&ptr->info, ci, sizeof(*ci));
1456 list_add(&ptr->list, &cca_info_list);
1458 spin_unlock_bh(&cca_info_list_lock);
1461 static void cca_info_cache_scrub(u16 cardnr, u16 domain)
1463 struct cca_info_list_entry *ptr;
1465 spin_lock_bh(&cca_info_list_lock);
1466 list_for_each_entry(ptr, &cca_info_list, list) {
1467 if (ptr->cardnr == cardnr &&
1468 ptr->domain == domain) {
1469 list_del(&ptr->list);
1474 spin_unlock_bh(&cca_info_list_lock);
1477 static void __exit mkvp_cache_free(void)
1479 struct cca_info_list_entry *ptr, *pnext;
1481 spin_lock_bh(&cca_info_list_lock);
1482 list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
1483 list_del(&ptr->list);
1486 spin_unlock_bh(&cca_info_list_lock);
1490 * Fetch cca_info values via query_crypto_facility from adapter.
1492 static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
1496 u8 *rarray, *varray, *pg;
1497 struct zcrypt_device_status_ext devstat;
1499 memset(ci, 0, sizeof(*ci));
1501 /* get first info from zcrypt device driver about this apqn */
1502 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1505 ci->hwtype = devstat.hwtype;
1507 /* prep page for rule array and var array use */
1508 pg = (u8 *) __get_free_page(GFP_KERNEL);
1512 varray = pg + PAGE_SIZE/2;
1513 rlen = vlen = PAGE_SIZE/2;
1515 /* QF for this card/domain */
1516 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1517 rarray, &rlen, varray, &vlen);
1518 if (rc == 0 && rlen >= 10*8 && vlen >= 204) {
1519 memcpy(ci->serial, rarray, 8);
1520 ci->new_mk_state = (char) rarray[7*8];
1521 ci->cur_mk_state = (char) rarray[8*8];
1522 ci->old_mk_state = (char) rarray[9*8];
1523 if (ci->old_mk_state == '2')
1524 memcpy(&ci->old_mkvp, varray + 172, 8);
1525 if (ci->cur_mk_state == '2')
1526 memcpy(&ci->cur_mkvp, varray + 184, 8);
1527 if (ci->new_mk_state == '3')
1528 memcpy(&ci->new_mkvp, varray + 196, 8);
1532 free_page((unsigned long) pg);
1534 return found ? 0 : -ENOENT;
1538 * Fetch cca information about a CCA queue.
1540 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1544 rc = cca_info_cache_fetch(card, dom, ci);
1546 rc = fetch_cca_info(card, dom, ci);
1548 cca_info_cache_update(card, dom, ci);
1553 EXPORT_SYMBOL(cca_get_info);
1556 * Search for a matching crypto card based on the
1557 * Master Key Verification Pattern given.
1559 static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1560 int verify, int minhwtype)
1562 struct zcrypt_device_status_ext *device_status;
1567 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1568 if (mkvp == 0 || minhwtype < 0)
1571 /* fetch status of all crypto cards */
1572 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1573 sizeof(struct zcrypt_device_status_ext),
1577 zcrypt_device_status_mask_ext(device_status);
1579 /* walk through all crypto cards */
1580 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1581 card = AP_QID_CARD(device_status[i].qid);
1582 dom = AP_QID_QUEUE(device_status[i].qid);
1583 if (device_status[i].online &&
1584 device_status[i].functions & 0x04) {
1585 /* enabled CCA card, check current mkvp from cache */
1586 if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
1587 ci.hwtype >= minhwtype &&
1588 ci.cur_mk_state == '2' &&
1589 ci.cur_mkvp == mkvp) {
1592 /* verify: refresh card info */
1593 if (fetch_cca_info(card, dom, &ci) == 0) {
1594 cca_info_cache_update(card, dom, &ci);
1595 if (ci.hwtype >= minhwtype &&
1596 ci.cur_mk_state == '2' &&
1597 ci.cur_mkvp == mkvp)
1602 /* Card is offline and/or not a CCA card. */
1603 /* del mkvp entry from cache if it exists */
1604 cca_info_cache_scrub(card, dom);
1607 if (i >= MAX_ZDEV_ENTRIES_EXT) {
1608 /* nothing found, so this time without cache */
1609 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1610 if (!(device_status[i].online &&
1611 device_status[i].functions & 0x04))
1613 card = AP_QID_CARD(device_status[i].qid);
1614 dom = AP_QID_QUEUE(device_status[i].qid);
1615 /* fresh fetch mkvp from adapter */
1616 if (fetch_cca_info(card, dom, &ci) == 0) {
1617 cca_info_cache_update(card, dom, &ci);
1618 if (ci.hwtype >= minhwtype &&
1619 ci.cur_mk_state == '2' &&
1620 ci.cur_mkvp == mkvp)
1622 if (ci.hwtype >= minhwtype &&
1623 ci.old_mk_state == '2' &&
1624 ci.old_mkvp == mkvp &&
1629 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1630 /* old mkvp matched, use this card then */
1631 card = AP_QID_CARD(device_status[oi].qid);
1632 dom = AP_QID_QUEUE(device_status[oi].qid);
1635 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1640 rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1644 kvfree(device_status);
1649 * Search for a matching crypto card based on the Master Key
1650 * Verification Pattern provided inside a secure key token.
1652 int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1656 const struct keytoken_header *hdr = (struct keytoken_header *) key;
1658 if (hdr->type != TOKTYPE_CCA_INTERNAL)
1661 switch (hdr->version) {
1662 case TOKVER_CCA_AES:
1663 mkvp = ((struct secaeskeytoken *)key)->mkvp;
1665 case TOKVER_CCA_VLSC:
1666 mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1667 minhwtype = AP_DEVICE_TYPE_CEX6;
1673 return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
1675 EXPORT_SYMBOL(cca_findcard);
1677 int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1678 int minhwtype, u64 cur_mkvp, u64 old_mkvp, int verify)
1680 struct zcrypt_device_status_ext *device_status;
1681 int i, n, card, dom, curmatch, oldmatch, rc = 0;
1687 /* fetch status of all crypto cards */
1688 device_status = kmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1689 sizeof(struct zcrypt_device_status_ext),
1693 zcrypt_device_status_mask_ext(device_status);
1695 /* loop two times: first gather eligible apqns, then store them */
1698 /* walk through all the crypto cards */
1699 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1700 card = AP_QID_CARD(device_status[i].qid);
1701 dom = AP_QID_QUEUE(device_status[i].qid);
1702 /* check online state */
1703 if (!device_status[i].online)
1705 /* check for cca functions */
1706 if (!(device_status[i].functions & 0x04))
1709 if (cardnr != 0xFFFF && card != cardnr)
1712 if (domain != 0xFFFF && dom != domain)
1714 /* get cca info on this apqn */
1715 if (cca_get_info(card, dom, &ci, verify))
1717 /* current master key needs to be valid */
1718 if (ci.cur_mk_state != '2')
1720 /* check min hardware type */
1721 if (minhwtype > 0 && minhwtype > ci.hwtype)
1723 if (cur_mkvp || old_mkvp) {
1725 curmatch = oldmatch = 0;
1726 if (cur_mkvp && cur_mkvp == ci.cur_mkvp)
1728 if (old_mkvp && ci.old_mk_state == '2' &&
1729 old_mkvp == ci.old_mkvp)
1731 if ((cur_mkvp || old_mkvp) &&
1732 (curmatch + oldmatch < 1))
1735 /* apqn passed all filtering criterons */
1736 if (*apqns && n < *nr_apqns)
1737 (*apqns)[n] = (((u16)card) << 16) | ((u16) dom);
1740 /* loop 2nd time: array has been filled */
1743 /* loop 1st time: have # of eligible apqns in n */
1745 rc = -ENODEV; /* no eligible apqns found */
1749 /* allocate array to store n apqns into */
1750 *apqns = kmalloc_array(n, sizeof(u32), GFP_KERNEL);
1758 kfree(device_status);
1761 EXPORT_SYMBOL(cca_findcard2);
1763 void __exit zcrypt_ccamisc_exit(void)
projects / linux-2.6-microblaze.git / blob