1 /* SPDX-License-Identifier: GPL-2.0+ */
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
7 * Collection of CCA misc functions used by zcrypt and pkey
10 #ifndef _ZCRYPT_CCAMISC_H_
11 #define _ZCRYPT_CCAMISC_H_
13 #include <asm/zcrypt.h>
17 #define TOKTYPE_NON_CCA 0x00 /* Non-CCA key token */
18 #define TOKTYPE_CCA_INTERNAL 0x01 /* CCA internal key token */
20 /* For TOKTYPE_NON_CCA: */
21 #define TOKVER_PROTECTED_KEY 0x01 /* Protected key token */
23 /* For TOKTYPE_CCA_INTERNAL: */
24 #define TOKVER_CCA_AES 0x04 /* CCA AES key token */
26 /* header part of a CCA key token */
27 struct keytoken_header {
28 u8 type; /* one of the TOKTYPE values */
30 u8 version; /* one of the TOKVER values */
34 /* inside view of a CCA secure key token (only type 0x01 version 0x04) */
35 struct secaeskeytoken {
36 u8 type; /* 0x01 for internal key token */
38 u8 version; /* should be 0x04 */
40 u8 flag; /* key flags */
42 u64 mkvp; /* master key verification pattern */
43 u8 key[32]; /* key value (encrypted) */
44 u8 cv[8]; /* control vector */
45 u16 bitsize; /* key bit size */
46 u16 keysize; /* key byte size */
47 u8 tvv[4]; /* token validation value */
51 * Simple check if the token is a valid CCA secure AES data key
52 * token. If keybitsize is given, the bitsize of the key is
53 * also checked. Returns 0 on success or errno value on failure.
55 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
56 const u8 *token, int keybitsize);
59 * Generate (random) CCA AES DATA secure key.
61 int cca_genseckey(u16 cardnr, u16 domain, u32 keytype, u8 *seckey);
64 * Generate CCA AES DATA secure key with given clear key value.
66 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keytype,
67 const u8 *clrkey, u8 *seckey);
70 * Derive proteced key from an CCA AES DATA secure key.
72 int cca_sec2protkey(u16 cardnr, u16 domain,
73 const u8 seckey[SECKEYBLOBSIZE],
74 u8 *protkey, u32 *protkeylen,
78 * Query cryptographic facility from CCA adapter
80 int cca_query_crypto_facility(u16 cardnr, u16 domain,
82 u8 *rarray, size_t *rarraylen,
83 u8 *varray, size_t *varraylen);
86 * Search for a matching crypto card based on the Master Key
87 * Verification Pattern provided inside a secure key.
88 * Returns < 0 on failure, 0 if CURRENT MKVP matches and
89 * 1 if OLD MKVP matches.
91 int cca_findcard(const u8 *seckey, u16 *pcardnr, u16 *pdomain, int verify);
93 /* struct to hold info for each CCA queue */
95 char new_mk_state; /* '1' empty, '2' partially full, '3' full */
96 char cur_mk_state; /* '1' invalid, '2' valid */
97 char old_mk_state; /* '1' invalid, '2' valid */
98 u64 new_mkvp; /* truncated sha256 hash of new master key */
99 u64 cur_mkvp; /* truncated sha256 hash of current master key */
100 u64 old_mkvp; /* truncated sha256 hash of old master key */
101 char serial[9]; /* serial number string (8 ascii numbers + 0x00) */
105 * Fetch cca information about an CCA queue.
107 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify);
109 void zcrypt_ccamisc_exit(void);
111 #endif /* _ZCRYPT_CCAMISC_H_ */