1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
7 * Collection of CCA misc functions used by zcrypt and pkey
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
26 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
31 /* Size of parameter block used for all cca requests/replies */
34 /* Size of vardata block used for some of the cca requests/replies */
35 #define VARDATASIZE 4096
37 struct cca_info_list_entry {
38 struct list_head list;
44 /* a list with cca_info_list_entry entries */
45 static LIST_HEAD(cca_info_list);
46 static DEFINE_SPINLOCK(cca_info_list_lock);
49 * Simple check if the token is a valid CCA secure AES data key
50 * token. If keybitsize is given, the bitsize of the key is
51 * also checked. Returns 0 on success or errno value on failure.
53 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
54 const u8 *token, int keybitsize)
56 struct secaeskeytoken *t = (struct secaeskeytoken *) token;
58 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
60 if (t->type != TOKTYPE_CCA_INTERNAL) {
62 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
66 if (t->version != TOKVER_CCA_AES) {
68 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 __func__, (int) t->version, TOKVER_CCA_AES);
72 if (keybitsize > 0 && t->bitsize != keybitsize) {
74 DBF("%s token check failed, bitsize %d != %d\n",
75 __func__, (int) t->bitsize, keybitsize);
83 EXPORT_SYMBOL(cca_check_secaeskeytoken);
86 * Simple check if the token is a valid CCA secure AES cipher key
87 * token. If keybitsize is given, the bitsize of the key is
88 * also checked. If checkcpacfexport is enabled, the key is also
89 * checked for the export flag to allow CPACF export.
90 * Returns 0 on success or errno value on failure.
92 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
93 const u8 *token, int keybitsize,
96 struct cipherkeytoken *t = (struct cipherkeytoken *) token;
97 bool keybitsizeok = true;
99 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
101 if (t->type != TOKTYPE_CCA_INTERNAL) {
103 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
107 if (t->version != TOKVER_CCA_VLSC) {
109 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 __func__, (int) t->version, TOKVER_CCA_VLSC);
113 if (t->algtype != 0x02) {
115 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 __func__, (int) t->algtype);
119 if (t->keytype != 0x0001) {
121 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 __func__, (int) t->keytype);
125 if (t->plfver != 0x00 && t->plfver != 0x01) {
127 DBF("%s token check failed, unknown plfver 0x%02x\n",
128 __func__, (int) t->plfver);
131 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
133 DBF("%s token check failed, unknown wpllen %d\n",
134 __func__, (int) t->wpllen);
137 if (keybitsize > 0) {
138 switch (keybitsize) {
140 if (t->wpllen != (t->plfver ? 640 : 512))
141 keybitsizeok = false;
144 if (t->wpllen != (t->plfver ? 640 : 576))
145 keybitsizeok = false;
148 if (t->wpllen != 640)
149 keybitsizeok = false;
152 keybitsizeok = false;
157 DBF("%s token check failed, bitsize %d\n",
158 __func__, keybitsize);
162 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
164 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
173 EXPORT_SYMBOL(cca_check_secaescipherkey);
176 * Allocate consecutive memory for request CPRB, request param
177 * block, reply CPRB and reply param block and fill in values
178 * for the common fields. Returns 0 on success or errno value
181 static int alloc_and_prep_cprbmem(size_t paramblen,
183 struct CPRBX **preqCPRB,
184 struct CPRBX **prepCPRB)
187 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
188 struct CPRBX *preqcblk, *prepcblk;
191 * allocate consecutive memory for request CPRB, request param
192 * block, reply CPRB and reply param block
194 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
198 preqcblk = (struct CPRBX *) cprbmem;
199 prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen);
201 /* fill request cprb struct */
202 preqcblk->cprb_len = sizeof(struct CPRBX);
203 preqcblk->cprb_ver_id = 0x02;
204 memcpy(preqcblk->func_id, "T2", 2);
205 preqcblk->rpl_msgbl = cprbplusparamblen;
207 preqcblk->req_parmb =
208 ((u8 __user *) preqcblk) + sizeof(struct CPRBX);
209 preqcblk->rpl_parmb =
210 ((u8 __user *) prepcblk) + sizeof(struct CPRBX);
214 *preqCPRB = preqcblk;
215 *prepCPRB = prepcblk;
221 * Free the cprb memory allocated with the function above.
222 * If the scrub value is not zero, the memory is filled
223 * with zeros before freeing (useful if there was some
224 * clear key material in there).
226 static void free_cprbmem(void *mem, size_t paramblen, int scrub)
229 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
234 * Helper function to prepare the xcrb struct
236 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
238 struct CPRBX *preqcblk,
239 struct CPRBX *prepcblk)
241 memset(pxcrb, 0, sizeof(*pxcrb));
242 pxcrb->agent_ID = 0x4341; /* 'CA' */
243 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
244 pxcrb->request_control_blk_length =
245 preqcblk->cprb_len + preqcblk->req_parml;
246 pxcrb->request_control_blk_addr = (void __user *) preqcblk;
247 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
248 pxcrb->reply_control_blk_addr = (void __user *) prepcblk;
252 * Generate (random) CCA AES DATA secure key.
254 int cca_genseckey(u16 cardnr, u16 domain,
255 u32 keybitsize, u8 seckey[SECKEYBLOBSIZE])
260 struct CPRBX *preqcblk, *prepcblk;
261 struct ica_xcRB xcrb;
277 u8 data[SECKEYBLOBSIZE];
280 } __packed * preqparm;
291 /* ... some more data ... */
294 } __packed * prepparm;
296 /* get already prepared memory for 2 cprbs with param block each */
297 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
301 /* fill request cprb struct */
302 preqcblk->domain = domain;
304 /* fill request cprb param block with KG request */
305 preqparm = (struct kgreqparm __force *) preqcblk->req_parmb;
306 memcpy(preqparm->subfunc_code, "KG", 2);
307 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
308 preqparm->lv1.len = sizeof(struct lv1);
309 memcpy(preqparm->lv1.key_form, "OP ", 8);
310 switch (keybitsize) {
311 case PKEY_SIZE_AES_128:
312 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
314 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
316 case PKEY_SIZE_AES_192:
317 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
319 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
321 case PKEY_SIZE_AES_256:
322 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
324 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
327 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
328 __func__, keybitsize);
332 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
333 preqparm->lv2.len = sizeof(struct lv2);
334 for (i = 0; i < 6; i++) {
335 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
336 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
338 preqcblk->req_parml = sizeof(struct kgreqparm);
340 /* fill xcrb struct */
341 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
343 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
344 rc = zcrypt_send_cprb(&xcrb);
346 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
347 __func__, (int) cardnr, (int) domain, rc);
351 /* check response returncode and reasoncode */
352 if (prepcblk->ccp_rtcode != 0) {
353 DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
355 (int) prepcblk->ccp_rtcode,
356 (int) prepcblk->ccp_rscode);
361 /* process response cprb param block */
362 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
363 prepcblk->rpl_parmb = (u8 __user *) ptr;
364 prepparm = (struct kgrepparm *) ptr;
366 /* check length of the returned secure key token */
367 seckeysize = prepparm->lv3.keyblock.toklen
368 - sizeof(prepparm->lv3.keyblock.toklen)
369 - sizeof(prepparm->lv3.keyblock.tokattr);
370 if (seckeysize != SECKEYBLOBSIZE) {
371 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
372 __func__, seckeysize, SECKEYBLOBSIZE);
377 /* check secure key token */
378 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
379 prepparm->lv3.keyblock.tok, 8*keysize);
385 /* copy the generated secure key token */
386 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
389 free_cprbmem(mem, PARMBSIZE, 0);
392 EXPORT_SYMBOL(cca_genseckey);
395 * Generate an CCA AES DATA secure key with given key value.
397 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
398 const u8 *clrkey, u8 seckey[SECKEYBLOBSIZE])
400 int rc, keysize, seckeysize;
402 struct CPRBX *preqcblk, *prepcblk;
403 struct ica_xcRB xcrb;
417 u8 data[SECKEYBLOBSIZE];
420 } __packed * preqparm;
432 /* ... some more data ... */
435 } __packed * prepparm;
437 /* get already prepared memory for 2 cprbs with param block each */
438 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
442 /* fill request cprb struct */
443 preqcblk->domain = domain;
445 /* fill request cprb param block with CM request */
446 preqparm = (struct cmreqparm __force *) preqcblk->req_parmb;
447 memcpy(preqparm->subfunc_code, "CM", 2);
448 memcpy(preqparm->rule_array, "AES ", 8);
449 preqparm->rule_array_len =
450 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
451 switch (keybitsize) {
452 case PKEY_SIZE_AES_128:
453 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
456 case PKEY_SIZE_AES_192:
457 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
460 case PKEY_SIZE_AES_256:
461 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
465 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
466 __func__, keybitsize);
470 preqparm->lv1.len = sizeof(struct lv1) + keysize;
471 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
472 plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize);
473 plv2->len = sizeof(struct lv2);
474 plv2->keyid.len = sizeof(struct keyid);
475 plv2->keyid.attr = 0x30;
476 preqcblk->req_parml = sizeof(struct cmreqparm) + keysize;
478 /* fill xcrb struct */
479 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
481 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
482 rc = zcrypt_send_cprb(&xcrb);
484 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
485 __func__, (int) cardnr, (int) domain, rc);
489 /* check response returncode and reasoncode */
490 if (prepcblk->ccp_rtcode != 0) {
491 DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
493 (int) prepcblk->ccp_rtcode,
494 (int) prepcblk->ccp_rscode);
499 /* process response cprb param block */
500 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
501 prepcblk->rpl_parmb = (u8 __user *) ptr;
502 prepparm = (struct cmrepparm *) ptr;
504 /* check length of the returned secure key token */
505 seckeysize = prepparm->lv3.keyblock.toklen
506 - sizeof(prepparm->lv3.keyblock.toklen)
507 - sizeof(prepparm->lv3.keyblock.tokattr);
508 if (seckeysize != SECKEYBLOBSIZE) {
509 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
510 __func__, seckeysize, SECKEYBLOBSIZE);
515 /* check secure key token */
516 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
517 prepparm->lv3.keyblock.tok, 8*keysize);
523 /* copy the generated secure key token */
525 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
528 free_cprbmem(mem, PARMBSIZE, 1);
531 EXPORT_SYMBOL(cca_clr2seckey);
534 * Derive proteced key from an CCA AES DATA secure key.
536 int cca_sec2protkey(u16 cardnr, u16 domain,
537 const u8 seckey[SECKEYBLOBSIZE],
538 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
542 struct CPRBX *preqcblk, *prepcblk;
543 struct ica_xcRB xcrb;
556 u8 token[0]; /* cca secure key token */
558 } __packed * preqparm;
566 struct cpacfkeyblock {
567 u8 version; /* version of this struct */
573 u8 key[64]; /* the key (len bytes) */
578 u8 vp[32]; /* verification pattern */
581 } __packed * prepparm;
583 /* get already prepared memory for 2 cprbs with param block each */
584 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
588 /* fill request cprb struct */
589 preqcblk->domain = domain;
591 /* fill request cprb param block with USK request */
592 preqparm = (struct uskreqparm __force *) preqcblk->req_parmb;
593 memcpy(preqparm->subfunc_code, "US", 2);
594 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
595 preqparm->lv1.len = sizeof(struct lv1);
596 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
597 preqparm->lv1.attr_flags = 0x0001;
598 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
599 preqparm->lv2.attr_len = sizeof(struct lv2)
600 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
601 preqparm->lv2.attr_flags = 0x0000;
602 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
603 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
605 /* fill xcrb struct */
606 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
608 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
609 rc = zcrypt_send_cprb(&xcrb);
611 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
612 __func__, (int) cardnr, (int) domain, rc);
616 /* check response returncode and reasoncode */
617 if (prepcblk->ccp_rtcode != 0) {
618 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
620 (int) prepcblk->ccp_rtcode,
621 (int) prepcblk->ccp_rscode);
625 if (prepcblk->ccp_rscode != 0) {
626 DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
628 (int) prepcblk->ccp_rtcode,
629 (int) prepcblk->ccp_rscode);
632 /* process response cprb param block */
633 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
634 prepcblk->rpl_parmb = (u8 __user *) ptr;
635 prepparm = (struct uskrepparm *) ptr;
637 /* check the returned keyblock */
638 if (prepparm->lv3.ckb.version != 0x01 &&
639 prepparm->lv3.ckb.version != 0x02) {
640 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
641 __func__, (int) prepparm->lv3.ckb.version);
646 /* copy the tanslated protected key */
647 switch (prepparm->lv3.ckb.len) {
649 /* AES 128 protected key */
651 *protkeytype = PKEY_KEYTYPE_AES_128;
654 /* AES 192 protected key */
656 *protkeytype = PKEY_KEYTYPE_AES_192;
659 /* AES 256 protected key */
661 *protkeytype = PKEY_KEYTYPE_AES_256;
664 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
665 __func__, prepparm->lv3.ckb.len);
669 memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
671 *protkeylen = prepparm->lv3.ckb.len;
674 free_cprbmem(mem, PARMBSIZE, 0);
677 EXPORT_SYMBOL(cca_sec2protkey);
680 * AES cipher key skeleton created with CSNBKTB2 with these flags:
681 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
682 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
683 * used by cca_gencipherkey() and cca_clr2cipherkey().
685 static const u8 aes_cipher_key_skeleton[] = {
686 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
690 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
691 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
692 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
693 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
696 * Generate (random) CCA AES CIPHER secure key.
698 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
699 u8 *keybuf, size_t *keybufsize)
703 struct CPRBX *preqcblk, *prepcblk;
704 struct ica_xcRB xcrb;
708 char rule_array[2*8];
713 u16 clear_key_bit_len;
738 u8 gen_key_id_1[SIZEOF_SKELETON];
743 u8 gen_key_id_1_label[0];
753 u8 gen_key_id_2_label[0];
756 } __packed * preqparm;
768 u8 gen_key[0]; /* 120-136 bytes */
771 } __packed * prepparm;
772 struct cipherkeytoken *t;
774 /* get already prepared memory for 2 cprbs with param block each */
775 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
779 /* fill request cprb struct */
780 preqcblk->domain = domain;
781 preqcblk->req_parml = sizeof(struct gkreqparm);
783 /* prepare request param block with GK request */
784 preqparm = (struct gkreqparm __force *) preqcblk->req_parmb;
785 memcpy(preqparm->subfunc_code, "GK", 2);
786 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
787 memcpy(preqparm->rule_array, "AES OP ", 2*8);
789 /* prepare vud block */
790 preqparm->vud.len = sizeof(preqparm->vud);
791 switch (keybitsize) {
798 "%s unknown/unsupported keybitsize %d\n",
799 __func__, keybitsize);
803 preqparm->vud.clear_key_bit_len = keybitsize;
804 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
805 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
807 /* prepare kb block */
808 preqparm->kb.len = sizeof(preqparm->kb);
809 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
810 preqparm->kb.tlv1.flag = 0x0030;
811 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
812 preqparm->kb.tlv2.flag = 0x0030;
813 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
814 preqparm->kb.tlv3.flag = 0x0030;
815 memcpy(preqparm->kb.tlv3.gen_key_id_1,
816 aes_cipher_key_skeleton, SIZEOF_SKELETON);
817 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
818 preqparm->kb.tlv4.flag = 0x0030;
819 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
820 preqparm->kb.tlv5.flag = 0x0030;
821 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
822 preqparm->kb.tlv6.flag = 0x0030;
824 /* patch the skeleton key token export flags inside the kb block */
826 t = (struct cipherkeytoken *) preqparm->kb.tlv3.gen_key_id_1;
827 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
828 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
831 /* prepare xcrb struct */
832 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
834 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
835 rc = zcrypt_send_cprb(&xcrb);
838 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
839 __func__, (int) cardnr, (int) domain, rc);
843 /* check response returncode and reasoncode */
844 if (prepcblk->ccp_rtcode != 0) {
846 "%s cipher key generate failure, card response %d/%d\n",
848 (int) prepcblk->ccp_rtcode,
849 (int) prepcblk->ccp_rscode);
854 /* process response cprb param block */
855 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
856 prepcblk->rpl_parmb = (u8 __user *) ptr;
857 prepparm = (struct gkrepparm *) ptr;
859 /* do some plausibility checks on the key block */
860 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
861 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
862 DEBUG_ERR("%s reply with invalid or unknown key block\n",
868 /* and some checks on the generated key */
869 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
870 prepparm->kb.tlv1.gen_key,
877 /* copy the generated vlsc key token */
878 t = (struct cipherkeytoken *) prepparm->kb.tlv1.gen_key;
880 if (*keybufsize >= t->len)
881 memcpy(keybuf, t, t->len);
885 *keybufsize = t->len;
888 free_cprbmem(mem, PARMBSIZE, 0);
891 EXPORT_SYMBOL(cca_gencipherkey);
894 * Helper function, does a the CSNBKPI2 CPRB.
896 static int _ip_cprb_helper(u16 cardnr, u16 domain,
897 const char *rule_array_1,
898 const char *rule_array_2,
899 const char *rule_array_3,
900 const u8 *clr_key_value,
901 int clr_key_bit_size,
907 struct CPRBX *preqcblk, *prepcblk;
908 struct ica_xcRB xcrb;
909 struct rule_array_block {
913 } __packed * preq_ra_block;
918 u16 flag; /* 0x0064 */
923 u16 flag; /* 0x0063 */
924 u8 clr_key[0]; /* clear key value bytes */
926 } __packed * preq_vud_block;
931 u16 flag; /* 0x0030 */
932 u8 key_token[0]; /* key skeleton */
934 } __packed * preq_key_block;
945 u16 flag; /* 0x0030 */
946 u8 key_token[0]; /* key token */
949 } __packed * prepparm;
950 struct cipherkeytoken *t;
951 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
953 /* get already prepared memory for 2 cprbs with param block each */
954 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
958 /* fill request cprb struct */
959 preqcblk->domain = domain;
960 preqcblk->req_parml = 0;
962 /* prepare request param block with IP request */
963 preq_ra_block = (struct rule_array_block __force *) preqcblk->req_parmb;
964 memcpy(preq_ra_block->subfunc_code, "IP", 2);
965 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
966 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
967 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
968 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
970 preq_ra_block->rule_array_len += 8;
971 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
972 preqcblk->req_parml += 8;
975 /* prepare vud block */
976 preq_vud_block = (struct vud_block __force *)
977 (preqcblk->req_parmb + preqcblk->req_parml);
978 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
979 preq_vud_block->len = sizeof(struct vud_block) + n;
980 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
981 preq_vud_block->tlv1.flag = 0x0064;
982 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
983 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
984 preq_vud_block->tlv2.flag = 0x0063;
986 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
987 preqcblk->req_parml += preq_vud_block->len;
989 /* prepare key block */
990 preq_key_block = (struct key_block __force *)
991 (preqcblk->req_parmb + preqcblk->req_parml);
993 preq_key_block->len = sizeof(struct key_block) + n;
994 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
995 preq_key_block->tlv1.flag = 0x0030;
996 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
997 preqcblk->req_parml += preq_key_block->len;
999 /* prepare xcrb struct */
1000 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1002 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1003 rc = zcrypt_send_cprb(&xcrb);
1006 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1007 __func__, (int) cardnr, (int) domain, rc);
1011 /* check response returncode and reasoncode */
1012 if (prepcblk->ccp_rtcode != 0) {
1014 "%s CSNBKPI2 failure, card response %d/%d\n",
1016 (int) prepcblk->ccp_rtcode,
1017 (int) prepcblk->ccp_rscode);
1022 /* process response cprb param block */
1023 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1024 prepcblk->rpl_parmb = (u8 __user *) ptr;
1025 prepparm = (struct iprepparm *) ptr;
1027 /* do some plausibility checks on the key block */
1028 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1029 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1030 DEBUG_ERR("%s reply with invalid or unknown key block\n",
1036 /* do not check the key here, it may be incomplete */
1038 /* copy the vlsc key token back */
1039 t = (struct cipherkeytoken *) prepparm->kb.tlv1.key_token;
1040 memcpy(key_token, t, t->len);
1041 *key_token_size = t->len;
1044 free_cprbmem(mem, PARMBSIZE, 0);
1049 * Build CCA AES CIPHER secure key with a given clear key value.
1051 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1052 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1058 struct cipherkeytoken *t;
1060 /* fill exorbuf with random data */
1061 get_random_bytes(exorbuf, sizeof(exorbuf));
1063 /* allocate space for the key token to build */
1064 token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1068 /* prepare the token with the key skeleton */
1069 tokensize = SIZEOF_SKELETON;
1070 memcpy(token, aes_cipher_key_skeleton, tokensize);
1072 /* patch the skeleton key token export flags */
1074 t = (struct cipherkeytoken *) token;
1075 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
1076 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
1080 * Do the key import with the clear key value in 4 steps:
1081 * 1/4 FIRST import with only random data
1082 * 2/4 EXOR the clear key
1083 * 3/4 EXOR the very same random data again
1084 * 4/4 COMPLETE the secure cipher key import
1086 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1087 exorbuf, keybitsize, token, &tokensize);
1090 "%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1094 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1095 clrkey, keybitsize, token, &tokensize);
1098 "%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1102 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1103 exorbuf, keybitsize, token, &tokensize);
1106 "%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1110 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1111 NULL, keybitsize, token, &tokensize);
1114 "%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1119 /* copy the generated key token */
1121 if (tokensize > *keybufsize)
1124 memcpy(keybuf, token, tokensize);
1126 *keybufsize = tokensize;
1132 EXPORT_SYMBOL(cca_clr2cipherkey);
1135 * Derive proteced key from CCA AES cipher secure key.
1137 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1138 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1142 struct CPRBX *preqcblk, *prepcblk;
1143 struct ica_xcRB xcrb;
1156 u16 cca_key_token_len;
1157 u16 cca_key_token_flags;
1158 u8 cca_key_token[0]; // 64 or more
1160 } __packed * preqparm;
1168 struct cpacfkeyblock {
1169 u8 version; /* version of this struct */
1175 u8 key[64]; /* the key (keylen bytes) */
1180 u8 vp[32]; /* verification pattern */
1186 } __packed * prepparm;
1187 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1189 /* get already prepared memory for 2 cprbs with param block each */
1190 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1194 /* fill request cprb struct */
1195 preqcblk->domain = domain;
1197 /* fill request cprb param block with AU request */
1198 preqparm = (struct aureqparm __force *) preqcblk->req_parmb;
1199 memcpy(preqparm->subfunc_code, "AU", 2);
1200 preqparm->rule_array_len =
1201 sizeof(preqparm->rule_array_len)
1202 + sizeof(preqparm->rule_array);
1203 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1205 preqparm->vud.len = sizeof(preqparm->vud);
1206 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1207 + 2 * sizeof(uint16_t);
1208 preqparm->vud.tk_blob_tag = 0x00C2;
1210 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1211 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1212 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1213 /* now fill length of param block into cprb */
1214 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1216 /* fill xcrb struct */
1217 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1219 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1220 rc = zcrypt_send_cprb(&xcrb);
1223 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1224 __func__, (int) cardnr, (int) domain, rc);
1228 /* check response returncode and reasoncode */
1229 if (prepcblk->ccp_rtcode != 0) {
1231 "%s unwrap secure key failure, card response %d/%d\n",
1233 (int) prepcblk->ccp_rtcode,
1234 (int) prepcblk->ccp_rscode);
1238 if (prepcblk->ccp_rscode != 0) {
1240 "%s unwrap secure key warning, card response %d/%d\n",
1242 (int) prepcblk->ccp_rtcode,
1243 (int) prepcblk->ccp_rscode);
1246 /* process response cprb param block */
1247 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1248 prepcblk->rpl_parmb = (u8 __user *) ptr;
1249 prepparm = (struct aurepparm *) ptr;
1251 /* check the returned keyblock */
1252 if (prepparm->vud.ckb.version != 0x01 &&
1253 prepparm->vud.ckb.version != 0x02) {
1254 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1255 __func__, (int) prepparm->vud.ckb.version);
1259 if (prepparm->vud.ckb.algo != 0x02) {
1261 "%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1262 __func__, (int) prepparm->vud.ckb.algo);
1267 /* copy the translated protected key */
1268 switch (prepparm->vud.ckb.keylen) {
1270 /* AES 128 protected key */
1272 *protkeytype = PKEY_KEYTYPE_AES_128;
1275 /* AES 192 protected key */
1277 *protkeytype = PKEY_KEYTYPE_AES_192;
1280 /* AES 256 protected key */
1282 *protkeytype = PKEY_KEYTYPE_AES_256;
1285 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1286 __func__, prepparm->vud.ckb.keylen);
1290 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1292 *protkeylen = prepparm->vud.ckb.keylen;
1295 free_cprbmem(mem, PARMBSIZE, 0);
1298 EXPORT_SYMBOL(cca_cipher2protkey);
1301 * query cryptographic facility from CCA adapter
1303 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1304 const char *keyword,
1305 u8 *rarray, size_t *rarraylen,
1306 u8 *varray, size_t *varraylen)
1311 struct CPRBX *preqcblk, *prepcblk;
1312 struct ica_xcRB xcrb;
1319 u8 data[VARDATASIZE];
1322 } __packed * preqparm;
1323 size_t parmbsize = sizeof(struct fqreqparm);
1327 } __packed * prepparm;
1329 /* get already prepared memory for 2 cprbs with param block each */
1330 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1334 /* fill request cprb struct */
1335 preqcblk->domain = domain;
1337 /* fill request cprb param block with FQ request */
1338 preqparm = (struct fqreqparm __force *) preqcblk->req_parmb;
1339 memcpy(preqparm->subfunc_code, "FQ", 2);
1340 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1341 preqparm->rule_array_len =
1342 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1343 preqparm->lv1.len = sizeof(preqparm->lv1);
1344 preqparm->dummylen = sizeof(preqparm->dummylen);
1345 preqcblk->req_parml = parmbsize;
1347 /* fill xcrb struct */
1348 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1350 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1351 rc = zcrypt_send_cprb(&xcrb);
1353 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1354 __func__, (int) cardnr, (int) domain, rc);
1358 /* check response returncode and reasoncode */
1359 if (prepcblk->ccp_rtcode != 0) {
1360 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1362 (int) prepcblk->ccp_rtcode,
1363 (int) prepcblk->ccp_rscode);
1368 /* process response cprb param block */
1369 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1370 prepcblk->rpl_parmb = (u8 __user *) ptr;
1371 prepparm = (struct fqrepparm *) ptr;
1372 ptr = prepparm->lvdata;
1374 /* check and possibly copy reply rule array */
1375 len = *((u16 *) ptr);
1376 if (len > sizeof(u16)) {
1379 if (rarray && rarraylen && *rarraylen > 0) {
1380 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1381 memcpy(rarray, ptr, *rarraylen);
1385 /* check and possible copy reply var array */
1386 len = *((u16 *) ptr);
1387 if (len > sizeof(u16)) {
1390 if (varray && varraylen && *varraylen > 0) {
1391 *varraylen = (len > *varraylen ? *varraylen : len);
1392 memcpy(varray, ptr, *varraylen);
1398 free_cprbmem(mem, parmbsize, 0);
1401 EXPORT_SYMBOL(cca_query_crypto_facility);
1403 static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
1406 struct cca_info_list_entry *ptr;
1408 spin_lock_bh(&cca_info_list_lock);
1409 list_for_each_entry(ptr, &cca_info_list, list) {
1410 if (ptr->cardnr == cardnr && ptr->domain == domain) {
1411 memcpy(ci, &ptr->info, sizeof(*ci));
1416 spin_unlock_bh(&cca_info_list_lock);
1421 static void cca_info_cache_update(u16 cardnr, u16 domain,
1422 const struct cca_info *ci)
1425 struct cca_info_list_entry *ptr;
1427 spin_lock_bh(&cca_info_list_lock);
1428 list_for_each_entry(ptr, &cca_info_list, list) {
1429 if (ptr->cardnr == cardnr &&
1430 ptr->domain == domain) {
1431 memcpy(&ptr->info, ci, sizeof(*ci));
1437 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1439 spin_unlock_bh(&cca_info_list_lock);
1442 ptr->cardnr = cardnr;
1443 ptr->domain = domain;
1444 memcpy(&ptr->info, ci, sizeof(*ci));
1445 list_add(&ptr->list, &cca_info_list);
1447 spin_unlock_bh(&cca_info_list_lock);
1450 static void cca_info_cache_scrub(u16 cardnr, u16 domain)
1452 struct cca_info_list_entry *ptr;
1454 spin_lock_bh(&cca_info_list_lock);
1455 list_for_each_entry(ptr, &cca_info_list, list) {
1456 if (ptr->cardnr == cardnr &&
1457 ptr->domain == domain) {
1458 list_del(&ptr->list);
1463 spin_unlock_bh(&cca_info_list_lock);
1466 static void __exit mkvp_cache_free(void)
1468 struct cca_info_list_entry *ptr, *pnext;
1470 spin_lock_bh(&cca_info_list_lock);
1471 list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
1472 list_del(&ptr->list);
1475 spin_unlock_bh(&cca_info_list_lock);
1479 * Fetch cca_info values via query_crypto_facility from adapter.
1481 static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
1485 u8 *rarray, *varray, *pg;
1486 struct zcrypt_device_status_ext devstat;
1488 memset(ci, 0, sizeof(*ci));
1490 /* get first info from zcrypt device driver about this apqn */
1491 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1494 ci->hwtype = devstat.hwtype;
1496 /* prep page for rule array and var array use */
1497 pg = (u8 *) __get_free_page(GFP_KERNEL);
1501 varray = pg + PAGE_SIZE/2;
1502 rlen = vlen = PAGE_SIZE/2;
1504 /* QF for this card/domain */
1505 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1506 rarray, &rlen, varray, &vlen);
1507 if (rc == 0 && rlen >= 10*8 && vlen >= 204) {
1508 memcpy(ci->serial, rarray, 8);
1509 ci->new_mk_state = (char) rarray[7*8];
1510 ci->cur_mk_state = (char) rarray[8*8];
1511 ci->old_mk_state = (char) rarray[9*8];
1512 if (ci->old_mk_state == '2')
1513 memcpy(&ci->old_mkvp, varray + 172, 8);
1514 if (ci->cur_mk_state == '2')
1515 memcpy(&ci->cur_mkvp, varray + 184, 8);
1516 if (ci->new_mk_state == '3')
1517 memcpy(&ci->new_mkvp, varray + 196, 8);
1521 free_page((unsigned long) pg);
1523 return found ? 0 : -ENOENT;
1527 * Fetch cca information about a CCA queue.
1529 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1533 rc = cca_info_cache_fetch(card, dom, ci);
1535 rc = fetch_cca_info(card, dom, ci);
1537 cca_info_cache_update(card, dom, ci);
1542 EXPORT_SYMBOL(cca_get_info);
1545 * Search for a matching crypto card based on the
1546 * Master Key Verification Pattern given.
1548 static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1549 int verify, int minhwtype)
1551 struct zcrypt_device_status_ext *device_status;
1556 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1557 if (mkvp == 0 || minhwtype < 0)
1560 /* fetch status of all crypto cards */
1561 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1562 sizeof(struct zcrypt_device_status_ext),
1566 zcrypt_device_status_mask_ext(device_status);
1568 /* walk through all crypto cards */
1569 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1570 card = AP_QID_CARD(device_status[i].qid);
1571 dom = AP_QID_QUEUE(device_status[i].qid);
1572 if (device_status[i].online &&
1573 device_status[i].functions & 0x04) {
1574 /* enabled CCA card, check current mkvp from cache */
1575 if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
1576 ci.hwtype >= minhwtype &&
1577 ci.cur_mk_state == '2' &&
1578 ci.cur_mkvp == mkvp) {
1581 /* verify: refresh card info */
1582 if (fetch_cca_info(card, dom, &ci) == 0) {
1583 cca_info_cache_update(card, dom, &ci);
1584 if (ci.hwtype >= minhwtype &&
1585 ci.cur_mk_state == '2' &&
1586 ci.cur_mkvp == mkvp)
1591 /* Card is offline and/or not a CCA card. */
1592 /* del mkvp entry from cache if it exists */
1593 cca_info_cache_scrub(card, dom);
1596 if (i >= MAX_ZDEV_ENTRIES_EXT) {
1597 /* nothing found, so this time without cache */
1598 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1599 if (!(device_status[i].online &&
1600 device_status[i].functions & 0x04))
1602 card = AP_QID_CARD(device_status[i].qid);
1603 dom = AP_QID_QUEUE(device_status[i].qid);
1604 /* fresh fetch mkvp from adapter */
1605 if (fetch_cca_info(card, dom, &ci) == 0) {
1606 cca_info_cache_update(card, dom, &ci);
1607 if (ci.hwtype >= minhwtype &&
1608 ci.cur_mk_state == '2' &&
1609 ci.cur_mkvp == mkvp)
1611 if (ci.hwtype >= minhwtype &&
1612 ci.old_mk_state == '2' &&
1613 ci.old_mkvp == mkvp &&
1618 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1619 /* old mkvp matched, use this card then */
1620 card = AP_QID_CARD(device_status[oi].qid);
1621 dom = AP_QID_QUEUE(device_status[oi].qid);
1624 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1629 rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1633 kvfree(device_status);
1638 * Search for a matching crypto card based on the Master Key
1639 * Verification Pattern provided inside a secure key token.
1641 int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1645 const struct keytoken_header *hdr = (struct keytoken_header *) key;
1647 if (hdr->type != TOKTYPE_CCA_INTERNAL)
1650 switch (hdr->version) {
1651 case TOKVER_CCA_AES:
1652 mkvp = ((struct secaeskeytoken *)key)->mkvp;
1654 case TOKVER_CCA_VLSC:
1655 mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1656 minhwtype = AP_DEVICE_TYPE_CEX6;
1662 return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
1664 EXPORT_SYMBOL(cca_findcard);
1666 int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1667 int minhwtype, u64 cur_mkvp, u64 old_mkvp, int verify)
1669 struct zcrypt_device_status_ext *device_status;
1670 u32 *_apqns = NULL, _nr_apqns = 0;
1671 int i, card, dom, curmatch, oldmatch, rc = 0;
1674 /* fetch status of all crypto cards */
1675 device_status = kmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1676 sizeof(struct zcrypt_device_status_ext),
1680 zcrypt_device_status_mask_ext(device_status);
1682 /* allocate 1k space for up to 256 apqns */
1683 _apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL);
1685 kvfree(device_status);
1689 /* walk through all the crypto apqnss */
1690 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1691 card = AP_QID_CARD(device_status[i].qid);
1692 dom = AP_QID_QUEUE(device_status[i].qid);
1693 /* check online state */
1694 if (!device_status[i].online)
1696 /* check for cca functions */
1697 if (!(device_status[i].functions & 0x04))
1700 if (cardnr != 0xFFFF && card != cardnr)
1703 if (domain != 0xFFFF && dom != domain)
1705 /* get cca info on this apqn */
1706 if (cca_get_info(card, dom, &ci, verify))
1708 /* current master key needs to be valid */
1709 if (ci.cur_mk_state != '2')
1711 /* check min hardware type */
1712 if (minhwtype > 0 && minhwtype > ci.hwtype)
1714 if (cur_mkvp || old_mkvp) {
1716 curmatch = oldmatch = 0;
1717 if (cur_mkvp && cur_mkvp == ci.cur_mkvp)
1719 if (old_mkvp && ci.old_mk_state == '2' &&
1720 old_mkvp == ci.old_mkvp)
1722 if ((cur_mkvp || old_mkvp) &&
1723 (curmatch + oldmatch < 1))
1726 /* apqn passed all filtering criterons, add to the array */
1727 if (_nr_apqns < 256)
1728 _apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16) dom);
1731 /* nothing found ? */
1736 /* no re-allocation, simple return the _apqns array */
1738 *nr_apqns = _nr_apqns;
1742 kfree(device_status);
1745 EXPORT_SYMBOL(cca_findcard2);
1747 void __exit zcrypt_ccamisc_exit(void)