1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2001, 2012
4 * Author(s): Robert Burroughs
5 * Eric Rossman (edrossma@us.ibm.com)
7 * Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com)
8 * Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com>
9 * Ralph Wuerthner <rwuerthn@de.ibm.com>
10 * MSGTYPE restruct: Holger Dengler <hd@linux.vnet.ibm.com>
13 #define KMSG_COMPONENT "zcrypt"
14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/err.h>
19 #include <linux/delay.h>
20 #include <linux/slab.h>
21 #include <linux/atomic.h>
22 #include <linux/uaccess.h>
25 #include "zcrypt_api.h"
26 #include "zcrypt_error.h"
27 #include "zcrypt_msgtype6.h"
28 #include "zcrypt_cca_key.h"
30 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */
32 #define CEIL4(x) ((((x)+3)/4)*4)
34 struct response_type {
35 struct completion work;
38 #define CEXXC_RESPONSE_TYPE_ICA 0
39 #define CEXXC_RESPONSE_TYPE_XCRB 1
40 #define CEXXC_RESPONSE_TYPE_EP11 2
42 MODULE_AUTHOR("IBM Corporation");
43 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \
44 "Copyright IBM Corp. 2001, 2012");
45 MODULE_LICENSE("GPL");
49 * Note that all shorts, ints and longs are little-endian.
50 * All pointer fields are 32-bits long, and mean nothing
52 * A request CPRB is followed by a request_parameter_block.
54 * The request (or reply) parameter block is organized thus:
60 unsigned short cprb_len; /* CPRB length */
61 unsigned char cprb_ver_id; /* CPRB version id. */
62 unsigned char pad_000; /* Alignment pad byte. */
63 unsigned char srpi_rtcode[4]; /* SRPI return code LELONG */
64 unsigned char srpi_verb; /* SRPI verb type */
65 unsigned char flags; /* flags */
66 unsigned char func_id[2]; /* function id */
67 unsigned char checkpoint_flag; /* */
68 unsigned char resv2; /* reserved */
69 unsigned short req_parml; /* request parameter buffer */
70 /* length 16-bit little endian */
71 unsigned char req_parmp[4]; /* request parameter buffer *
72 * pointer (means nothing: the *
73 * parameter buffer follows *
75 unsigned char req_datal[4]; /* request data buffer */
77 unsigned char req_datap[4]; /* request data buffer */
79 unsigned short rpl_parml; /* reply parameter buffer */
80 /* length 16-bit little endian */
81 unsigned char pad_001[2]; /* Alignment pad bytes. ULESHORT */
82 unsigned char rpl_parmp[4]; /* reply parameter buffer *
83 * pointer (means nothing: the *
84 * parameter buffer follows *
86 unsigned char rpl_datal[4]; /* reply data buffer len ULELONG */
87 unsigned char rpl_datap[4]; /* reply data buffer */
89 unsigned short ccp_rscode; /* server reason code ULESHORT */
90 unsigned short ccp_rtcode; /* server return code ULESHORT */
91 unsigned char repd_parml[2]; /* replied parameter len ULESHORT*/
92 unsigned char mac_data_len[2]; /* Mac Data Length ULESHORT */
93 unsigned char repd_datal[4]; /* replied data length ULELONG */
94 unsigned char req_pc[2]; /* PC identifier */
95 unsigned char res_origin[8]; /* resource origin */
96 unsigned char mac_value[8]; /* Mac Value */
97 unsigned char logon_id[8]; /* Logon Identifier */
98 unsigned char usage_domain[2]; /* cdx */
99 unsigned char resv3[18]; /* reserved for requestor */
100 unsigned short svr_namel; /* server name length ULESHORT */
101 unsigned char svr_name[8]; /* server name */
104 struct function_and_rules_block {
105 unsigned char function_code[2];
107 unsigned char only_rule[8];
111 * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP
112 * card in a type6 message. The 3 fields that must be filled in at execution
113 * time are req_parml, rpl_parml and usage_domain.
114 * Everything about this interface is ascii/big-endian, since the
115 * device does *not* have 'Intel inside'.
117 * The CPRBX is followed immediately by the parm block.
118 * The parm block contains:
119 * - function code ('PD' 0x5044 or 'PK' 0x504B)
120 * - rule block (one of:)
121 * + 0x000A 'PKCS-1.2' (MCL2 'PD')
122 * + 0x000A 'ZERO-PAD' (MCL2 'PK')
123 * + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD')
124 * + 0x000A 'MRP ' (MCL3 'PK' or CEX2C 'PK')
127 static const struct CPRBX static_cprbx = {
130 .func_id = {0x54, 0x32},
133 int speed_idx_cca(int req_type)
208 int speed_idx_ep11(int req_type)
240 * Convert a ICAMEX message to a type6 MEX message.
242 * @zq: crypto device pointer
243 * @ap_msg: pointer to AP message
244 * @mex: pointer to user input data
246 * Returns 0 on success or negative errno value.
248 static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq,
249 struct ap_message *ap_msg,
250 struct ica_rsa_modexpo *mex)
252 static struct type6_hdr static_type6_hdrX = {
254 .offset1 = 0x00000058,
255 .agent_id = {'C', 'A',},
256 .function_code = {'P', 'K'},
258 static struct function_and_rules_block static_pke_fnr = {
259 .function_code = {'P', 'K'},
261 .only_rule = {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '}
264 struct type6_hdr hdr;
266 struct function_and_rules_block fr;
267 unsigned short length;
269 } __packed * msg = ap_msg->msg;
273 * The inputdatalength was a selection criteria in the dispatching
274 * function zcrypt_rsa_modexpo(). However, make sure the following
275 * copy_from_user() never exceeds the allocated buffer space.
277 if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
281 msg->length = mex->inputdatalength + 2;
282 if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
285 /* Set up key which is located after the variable length text. */
286 size = zcrypt_type6_mex_key_en(mex, msg->text+mex->inputdatalength);
289 size += sizeof(*msg) + mex->inputdatalength;
291 /* message header, cprbx and f&r */
292 msg->hdr = static_type6_hdrX;
293 msg->hdr.ToCardLen1 = size - sizeof(msg->hdr);
294 msg->hdr.FromCardLen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
296 msg->cprbx = static_cprbx;
297 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
298 msg->cprbx.rpl_msgbl = msg->hdr.FromCardLen1;
300 msg->fr = static_pke_fnr;
302 msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx);
309 * Convert a ICACRT message to a type6 CRT message.
311 * @zq: crypto device pointer
312 * @ap_msg: pointer to AP message
313 * @crt: pointer to user input data
315 * Returns 0 on success or negative errno value.
317 static int ICACRT_msg_to_type6CRT_msgX(struct zcrypt_queue *zq,
318 struct ap_message *ap_msg,
319 struct ica_rsa_modexpo_crt *crt)
321 static struct type6_hdr static_type6_hdrX = {
323 .offset1 = 0x00000058,
324 .agent_id = {'C', 'A',},
325 .function_code = {'P', 'D'},
327 static struct function_and_rules_block static_pkd_fnr = {
328 .function_code = {'P', 'D'},
330 .only_rule = {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'}
334 struct type6_hdr hdr;
336 struct function_and_rules_block fr;
337 unsigned short length;
339 } __packed * msg = ap_msg->msg;
343 * The inputdatalength was a selection criteria in the dispatching
344 * function zcrypt_rsa_crt(). However, make sure the following
345 * copy_from_user() never exceeds the allocated buffer space.
347 if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
351 msg->length = crt->inputdatalength + 2;
352 if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))
355 /* Set up key which is located after the variable length text. */
356 size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength);
359 size += sizeof(*msg) + crt->inputdatalength; /* total size of msg */
361 /* message header, cprbx and f&r */
362 msg->hdr = static_type6_hdrX;
363 msg->hdr.ToCardLen1 = size - sizeof(msg->hdr);
364 msg->hdr.FromCardLen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
366 msg->cprbx = static_cprbx;
367 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
368 msg->cprbx.req_parml = msg->cprbx.rpl_msgbl =
369 size - sizeof(msg->hdr) - sizeof(msg->cprbx);
371 msg->fr = static_pkd_fnr;
378 * Convert a XCRB message to a type6 CPRB message.
380 * @zq: crypto device pointer
381 * @ap_msg: pointer to AP message
382 * @xcRB: pointer to user input data
384 * Returns 0 on success or -EFAULT, -EINVAL.
386 struct type86_fmt2_msg {
387 struct type86_hdr hdr;
388 struct type86_fmt2_ext fmt2;
391 static int XCRB_msg_to_type6CPRB_msgX(bool userspace, struct ap_message *ap_msg,
392 struct ica_xcRB *xcRB,
394 unsigned short **dom)
396 static struct type6_hdr static_type6_hdrX = {
398 .offset1 = 0x00000058,
401 struct type6_hdr hdr;
403 } __packed * msg = ap_msg->msg;
405 int rcblen = CEIL4(xcRB->request_control_blk_length);
406 int replylen, req_sumlen, resp_sumlen;
407 char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen;
410 if (CEIL4(xcRB->request_control_blk_length) <
411 xcRB->request_control_blk_length)
412 return -EINVAL; /* overflow after alignment*/
415 ap_msg->len = sizeof(struct type6_hdr) +
416 CEIL4(xcRB->request_control_blk_length) +
417 xcRB->request_data_length;
418 if (ap_msg->len > MSGTYPE06_MAX_MSG_SIZE)
423 * sum must be greater (or equal) than the largest operand
425 req_sumlen = CEIL4(xcRB->request_control_blk_length) +
426 xcRB->request_data_length;
427 if ((CEIL4(xcRB->request_control_blk_length) <=
428 xcRB->request_data_length) ?
429 (req_sumlen < xcRB->request_data_length) :
430 (req_sumlen < CEIL4(xcRB->request_control_blk_length))) {
434 if (CEIL4(xcRB->reply_control_blk_length) <
435 xcRB->reply_control_blk_length)
436 return -EINVAL; /* overflow after alignment*/
438 replylen = sizeof(struct type86_fmt2_msg) +
439 CEIL4(xcRB->reply_control_blk_length) +
440 xcRB->reply_data_length;
441 if (replylen > MSGTYPE06_MAX_MSG_SIZE)
446 * sum must be greater (or equal) than the largest operand
448 resp_sumlen = CEIL4(xcRB->reply_control_blk_length) +
449 xcRB->reply_data_length;
450 if ((CEIL4(xcRB->reply_control_blk_length) <= xcRB->reply_data_length) ?
451 (resp_sumlen < xcRB->reply_data_length) :
452 (resp_sumlen < CEIL4(xcRB->reply_control_blk_length))) {
456 /* prepare type6 header */
457 msg->hdr = static_type6_hdrX;
458 memcpy(msg->hdr.agent_id, &(xcRB->agent_ID), sizeof(xcRB->agent_ID));
459 msg->hdr.ToCardLen1 = xcRB->request_control_blk_length;
460 if (xcRB->request_data_length) {
461 msg->hdr.offset2 = msg->hdr.offset1 + rcblen;
462 msg->hdr.ToCardLen2 = xcRB->request_data_length;
464 msg->hdr.FromCardLen1 = xcRB->reply_control_blk_length;
465 msg->hdr.FromCardLen2 = xcRB->reply_data_length;
468 if (z_copy_from_user(userspace, &(msg->cprbx), xcRB->request_control_blk_addr,
469 xcRB->request_control_blk_length))
471 if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) >
472 xcRB->request_control_blk_length)
474 function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len;
475 memcpy(msg->hdr.function_code, function_code,
476 sizeof(msg->hdr.function_code));
478 *fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1];
479 *dom = (unsigned short *)&msg->cprbx.domain;
481 if (memcmp(function_code, "US", 2) == 0
482 || memcmp(function_code, "AU", 2) == 0)
483 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
485 #ifdef CONFIG_ZCRYPT_DEBUG
486 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
487 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
490 /* copy data block */
491 if (xcRB->request_data_length &&
492 z_copy_from_user(userspace, req_data, xcRB->request_data_address,
493 xcRB->request_data_length))
499 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg,
500 struct ep11_urb *xcRB,
504 static struct type6_hdr static_type6_ep11_hdr = {
506 .rqid = {0x00, 0x01},
507 .function_code = {0x00, 0x00},
508 .agent_id[0] = 0x58, /* {'X'} */
509 .agent_id[1] = 0x43, /* {'C'} */
510 .offset1 = 0x00000058,
514 struct type6_hdr hdr;
515 struct ep11_cprb cprbx;
516 unsigned char pld_tag; /* fixed value 0x30 */
517 unsigned char pld_lenfmt; /* payload length format */
518 } __packed * msg = ap_msg->msg;
521 unsigned char func_tag; /* fixed value 0x4 */
522 unsigned char func_len; /* fixed value 0x4 */
523 unsigned int func_val; /* function ID */
524 unsigned char dom_tag; /* fixed value 0x4 */
525 unsigned char dom_len; /* fixed value 0x4 */
526 unsigned int dom_val; /* domain id */
527 } __packed * payload_hdr = NULL;
529 if (CEIL4(xcRB->req_len) < xcRB->req_len)
530 return -EINVAL; /* overflow after alignment*/
533 ap_msg->len = sizeof(struct type6_hdr) + xcRB->req_len;
534 if (CEIL4(xcRB->req_len) > MSGTYPE06_MAX_MSG_SIZE -
535 (sizeof(struct type6_hdr)))
538 if (CEIL4(xcRB->resp_len) < xcRB->resp_len)
539 return -EINVAL; /* overflow after alignment*/
541 if (CEIL4(xcRB->resp_len) > MSGTYPE06_MAX_MSG_SIZE -
542 (sizeof(struct type86_fmt2_msg)))
545 /* prepare type6 header */
546 msg->hdr = static_type6_ep11_hdr;
547 msg->hdr.ToCardLen1 = xcRB->req_len;
548 msg->hdr.FromCardLen1 = xcRB->resp_len;
550 /* Import CPRB data from the ioctl input parameter */
551 if (z_copy_from_user(userspace, &(msg->cprbx.cprb_len),
552 (char __force __user *)xcRB->req, xcRB->req_len)) {
556 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
557 switch (msg->pld_lenfmt & 0x03) {
568 lfmt = 1; /* length format #1 */
570 payload_hdr = (struct pld_hdr *)((&(msg->pld_lenfmt))+lfmt);
571 *fcode = payload_hdr->func_val & 0xFFFF;
573 /* enable special processing based on the cprbs flags special bit */
574 if (msg->cprbx.flags & 0x20)
575 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
577 #ifdef CONFIG_ZCRYPT_DEBUG
578 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
579 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
586 * Copy results from a type 86 ICA reply message back to user space.
588 * @zq: crypto device pointer
589 * @reply: reply AP message.
590 * @data: pointer to user output data
591 * @length: size of user output data
593 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
595 struct type86x_reply {
596 struct type86_hdr hdr;
597 struct type86_fmt2_ext fmt2;
599 unsigned char pad[4]; /* 4 byte function code/rules block ? */
600 unsigned short length;
604 struct type86_ep11_reply {
605 struct type86_hdr hdr;
606 struct type86_fmt2_ext fmt2;
607 struct ep11_cprb cprbx;
610 static int convert_type86_ica(struct zcrypt_queue *zq,
611 struct ap_message *reply,
612 char __user *outputdata,
613 unsigned int outputdatalength)
615 static unsigned char static_pad[] = {
617 0x1B, 0x7B, 0x5D, 0xB5, 0x75, 0x01, 0x3D, 0xFD,
618 0x8D, 0xD1, 0xC7, 0x03, 0x2D, 0x09, 0x23, 0x57,
619 0x89, 0x49, 0xB9, 0x3F, 0xBB, 0x99, 0x41, 0x5B,
620 0x75, 0x21, 0x7B, 0x9D, 0x3B, 0x6B, 0x51, 0x39,
621 0xBB, 0x0D, 0x35, 0xB9, 0x89, 0x0F, 0x93, 0xA5,
622 0x0B, 0x47, 0xF1, 0xD3, 0xBB, 0xCB, 0xF1, 0x9D,
623 0x23, 0x73, 0x71, 0xFF, 0xF3, 0xF5, 0x45, 0xFB,
624 0x61, 0x29, 0x23, 0xFD, 0xF1, 0x29, 0x3F, 0x7F,
625 0x17, 0xB7, 0x1B, 0xA9, 0x19, 0xBD, 0x57, 0xA9,
626 0xD7, 0x95, 0xA3, 0xCB, 0xED, 0x1D, 0xDB, 0x45,
627 0x7D, 0x11, 0xD1, 0x51, 0x1B, 0xED, 0x71, 0xE9,
628 0xB1, 0xD1, 0xAB, 0xAB, 0x21, 0x2B, 0x1B, 0x9F,
629 0x3B, 0x9F, 0xF7, 0xF7, 0xBD, 0x63, 0xEB, 0xAD,
630 0xDF, 0xB3, 0x6F, 0x5B, 0xDB, 0x8D, 0xA9, 0x5D,
631 0xE3, 0x7D, 0x77, 0x49, 0x47, 0xF5, 0xA7, 0xFD,
632 0xAB, 0x2F, 0x27, 0x35, 0x77, 0xD3, 0x49, 0xC9,
633 0x09, 0xEB, 0xB1, 0xF9, 0xBF, 0x4B, 0xCB, 0x2B,
634 0xEB, 0xEB, 0x05, 0xFF, 0x7D, 0xC7, 0x91, 0x8B,
635 0x09, 0x83, 0xB9, 0xB9, 0x69, 0x33, 0x39, 0x6B,
636 0x79, 0x75, 0x19, 0xBF, 0xBB, 0x07, 0x1D, 0xBD,
637 0x29, 0xBF, 0x39, 0x95, 0x93, 0x1D, 0x35, 0xC7,
638 0xC9, 0x4D, 0xE5, 0x97, 0x0B, 0x43, 0x9B, 0xF1,
639 0x16, 0x93, 0x03, 0x1F, 0xA5, 0xFB, 0xDB, 0xF3,
640 0x27, 0x4F, 0x27, 0x61, 0x05, 0x1F, 0xB9, 0x23,
641 0x2F, 0xC3, 0x81, 0xA9, 0x23, 0x71, 0x55, 0x55,
642 0xEB, 0xED, 0x41, 0xE5, 0xF3, 0x11, 0xF1, 0x43,
643 0x69, 0x03, 0xBD, 0x0B, 0x37, 0x0F, 0x51, 0x8F,
644 0x0B, 0xB5, 0x89, 0x5B, 0x67, 0xA9, 0xD9, 0x4F,
645 0x01, 0xF9, 0x21, 0x77, 0x37, 0x73, 0x79, 0xC5,
646 0x7F, 0x51, 0xC1, 0xCF, 0x97, 0xA1, 0x75, 0xAD,
647 0x35, 0x9D, 0xD3, 0xD3, 0xA7, 0x9D, 0x5D, 0x41,
648 0x6F, 0x65, 0x1B, 0xCF, 0xA9, 0x87, 0x91, 0x09
650 struct type86x_reply *msg = reply->msg;
651 unsigned short service_rc, service_rs;
652 unsigned int reply_len, pad_len;
655 service_rc = msg->cprbx.ccp_rtcode;
656 if (unlikely(service_rc != 0)) {
657 service_rs = msg->cprbx.ccp_rscode;
658 if ((service_rc == 8 && service_rs == 66) ||
659 (service_rc == 8 && service_rs == 65) ||
660 (service_rc == 8 && service_rs == 72) ||
661 (service_rc == 8 && service_rs == 770) ||
662 (service_rc == 12 && service_rs == 769)) {
663 ZCRYPT_DBF_WARN("dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n",
664 AP_QID_CARD(zq->queue->qid),
665 AP_QID_QUEUE(zq->queue->qid),
666 (int) service_rc, (int) service_rs);
670 pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n",
671 AP_QID_CARD(zq->queue->qid),
672 AP_QID_QUEUE(zq->queue->qid),
673 (int) service_rc, (int) service_rs);
674 ZCRYPT_DBF_ERR("dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n",
675 AP_QID_CARD(zq->queue->qid),
676 AP_QID_QUEUE(zq->queue->qid),
677 (int) service_rc, (int) service_rs);
678 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
682 reply_len = msg->length - 2;
683 if (reply_len > outputdatalength)
686 * For all encipher requests, the length of the ciphertext (reply_len)
687 * will always equal the modulus length. For MEX decipher requests
688 * the output needs to get padded. Minimum pad size is 10.
690 * Currently, the cases where padding will be added is for:
691 * - PCIXCC_MCL2 using a CRT form token (since PKD didn't support
692 * ZERO-PAD and CRT is only supported for PKD requests)
695 pad_len = outputdatalength - reply_len;
699 /* 'restore' padding left in the CEXXC card. */
700 if (copy_to_user(outputdata, static_pad, pad_len - 1))
702 if (put_user(0, outputdata + pad_len - 1))
705 /* Copy the crypto response to user space. */
706 if (copy_to_user(outputdata + pad_len, data, reply_len))
712 * Copy results from a type 86 XCRB reply message back to user space.
714 * @zq: crypto device pointer
715 * @reply: reply AP message.
716 * @xcRB: pointer to XCRB
718 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
720 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq,
721 struct ap_message *reply,
722 struct ica_xcRB *xcRB)
724 struct type86_fmt2_msg *msg = reply->msg;
725 char *data = reply->msg;
727 /* Copy CPRB to user */
728 if (z_copy_to_user(userspace, xcRB->reply_control_blk_addr,
729 data + msg->fmt2.offset1, msg->fmt2.count1))
731 xcRB->reply_control_blk_length = msg->fmt2.count1;
733 /* Copy data buffer to user */
734 if (msg->fmt2.count2)
735 if (z_copy_to_user(userspace, xcRB->reply_data_addr,
736 data + msg->fmt2.offset2, msg->fmt2.count2))
738 xcRB->reply_data_length = msg->fmt2.count2;
743 * Copy results from a type 86 EP11 XCRB reply message back to user space.
745 * @zq: crypto device pointer
746 * @reply: reply AP message.
747 * @xcRB: pointer to EP11 user request block
749 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
751 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
752 struct ap_message *reply,
753 struct ep11_urb *xcRB)
755 struct type86_fmt2_msg *msg = reply->msg;
756 char *data = reply->msg;
758 if (xcRB->resp_len < msg->fmt2.count1)
761 /* Copy response CPRB to user */
762 if (z_copy_to_user(userspace, (char __force __user *)xcRB->resp,
763 data + msg->fmt2.offset1, msg->fmt2.count1))
765 xcRB->resp_len = msg->fmt2.count1;
769 static int convert_type86_rng(struct zcrypt_queue *zq,
770 struct ap_message *reply,
774 struct type86_hdr hdr;
775 struct type86_fmt2_ext fmt2;
777 } __packed * msg = reply->msg;
778 char *data = reply->msg;
780 if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0)
782 memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2);
783 return msg->fmt2.count2;
786 static int convert_response_ica(struct zcrypt_queue *zq,
787 struct ap_message *reply,
788 char __user *outputdata,
789 unsigned int outputdatalength)
791 struct type86x_reply *msg = reply->msg;
793 switch (msg->hdr.type) {
794 case TYPE82_RSP_CODE:
795 case TYPE88_RSP_CODE:
796 return convert_error(zq, reply);
797 case TYPE86_RSP_CODE:
798 if (msg->cprbx.ccp_rtcode &&
799 (msg->cprbx.ccp_rscode == 0x14f) &&
800 (outputdatalength > 256)) {
801 if (zq->zcard->max_exp_bit_length <= 17) {
802 zq->zcard->max_exp_bit_length = 17;
807 if (msg->hdr.reply_code)
808 return convert_error(zq, reply);
809 if (msg->cprbx.cprb_ver_id == 0x02)
810 return convert_type86_ica(zq, reply,
811 outputdata, outputdatalength);
812 fallthrough; /* wrong cprb version is an unknown response */
814 /* Unknown response type, this should NEVER EVER happen */
816 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
817 AP_QID_CARD(zq->queue->qid),
818 AP_QID_QUEUE(zq->queue->qid),
819 (int) msg->hdr.type);
820 ZCRYPT_DBF_ERR("dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
821 AP_QID_CARD(zq->queue->qid),
822 AP_QID_QUEUE(zq->queue->qid),
823 (int) msg->hdr.type);
824 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
829 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq,
830 struct ap_message *reply,
831 struct ica_xcRB *xcRB)
833 struct type86x_reply *msg = reply->msg;
835 switch (msg->hdr.type) {
836 case TYPE82_RSP_CODE:
837 case TYPE88_RSP_CODE:
838 xcRB->status = 0x0008044DL; /* HDD_InvalidParm */
839 return convert_error(zq, reply);
840 case TYPE86_RSP_CODE:
841 if (msg->hdr.reply_code) {
842 memcpy(&(xcRB->status), msg->fmt2.apfs, sizeof(u32));
843 return convert_error(zq, reply);
845 if (msg->cprbx.cprb_ver_id == 0x02)
846 return convert_type86_xcrb(userspace, zq, reply, xcRB);
847 fallthrough; /* wrong cprb version is an unknown response */
848 default: /* Unknown response type, this should NEVER EVER happen */
849 xcRB->status = 0x0008044DL; /* HDD_InvalidParm */
851 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
852 AP_QID_CARD(zq->queue->qid),
853 AP_QID_QUEUE(zq->queue->qid),
854 (int) msg->hdr.type);
855 ZCRYPT_DBF_ERR("dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
856 AP_QID_CARD(zq->queue->qid),
857 AP_QID_QUEUE(zq->queue->qid),
858 (int) msg->hdr.type);
859 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
864 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
865 struct ap_message *reply, struct ep11_urb *xcRB)
867 struct type86_ep11_reply *msg = reply->msg;
869 switch (msg->hdr.type) {
870 case TYPE82_RSP_CODE:
871 case TYPE87_RSP_CODE:
872 return convert_error(zq, reply);
873 case TYPE86_RSP_CODE:
874 if (msg->hdr.reply_code)
875 return convert_error(zq, reply);
876 if (msg->cprbx.cprb_ver_id == 0x04)
877 return convert_type86_ep11_xcrb(userspace, zq, reply, xcRB);
878 fallthrough; /* wrong cprb version is an unknown resp */
879 default: /* Unknown response type, this should NEVER EVER happen */
881 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
882 AP_QID_CARD(zq->queue->qid),
883 AP_QID_QUEUE(zq->queue->qid),
884 (int) msg->hdr.type);
885 ZCRYPT_DBF_ERR("dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
886 AP_QID_CARD(zq->queue->qid),
887 AP_QID_QUEUE(zq->queue->qid),
888 (int) msg->hdr.type);
889 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
894 static int convert_response_rng(struct zcrypt_queue *zq,
895 struct ap_message *reply,
898 struct type86x_reply *msg = reply->msg;
900 switch (msg->hdr.type) {
901 case TYPE82_RSP_CODE:
902 case TYPE88_RSP_CODE:
904 case TYPE86_RSP_CODE:
905 if (msg->hdr.reply_code)
907 if (msg->cprbx.cprb_ver_id == 0x02)
908 return convert_type86_rng(zq, reply, data);
909 fallthrough; /* wrong cprb version is an unknown response */
910 default: /* Unknown response type, this should NEVER EVER happen */
912 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
913 AP_QID_CARD(zq->queue->qid),
914 AP_QID_QUEUE(zq->queue->qid),
915 (int) msg->hdr.type);
916 ZCRYPT_DBF_ERR("dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
917 AP_QID_CARD(zq->queue->qid),
918 AP_QID_QUEUE(zq->queue->qid),
919 (int) msg->hdr.type);
920 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
926 * This function is called from the AP bus code after a crypto request
927 * "msg" has finished with the reply message "reply".
928 * It is called from tasklet context.
929 * @aq: pointer to the AP queue
930 * @msg: pointer to the AP message
931 * @reply: pointer to the AP reply message
933 static void zcrypt_msgtype6_receive(struct ap_queue *aq,
934 struct ap_message *msg,
935 struct ap_message *reply)
937 static struct error_hdr error_reply = {
938 .type = TYPE82_RSP_CODE,
939 .reply_code = REP82_ERROR_MACHINE_FAILURE,
941 struct response_type *resp_type =
942 (struct response_type *) msg->private;
943 struct type86x_reply *t86r;
946 /* Copy the reply message to the request message buffer. */
948 goto out; /* ap_msg->rc indicates the error */
950 if (t86r->hdr.type == TYPE86_RSP_CODE &&
951 t86r->cprbx.cprb_ver_id == 0x02) {
952 switch (resp_type->type) {
953 case CEXXC_RESPONSE_TYPE_ICA:
954 len = sizeof(struct type86x_reply) + t86r->length - 2;
955 len = min_t(int, CEXXC_MAX_ICA_RESPONSE_SIZE, len);
956 memcpy(msg->msg, reply->msg, len);
958 case CEXXC_RESPONSE_TYPE_XCRB:
959 len = t86r->fmt2.offset2 + t86r->fmt2.count2;
960 len = min_t(int, MSGTYPE06_MAX_MSG_SIZE, len);
961 memcpy(msg->msg, reply->msg, len);
964 memcpy(msg->msg, &error_reply, sizeof(error_reply));
967 memcpy(msg->msg, reply->msg, sizeof(error_reply));
969 complete(&(resp_type->work));
973 * This function is called from the AP bus code after a crypto request
974 * "msg" has finished with the reply message "reply".
975 * It is called from tasklet context.
976 * @aq: pointer to the AP queue
977 * @msg: pointer to the AP message
978 * @reply: pointer to the AP reply message
980 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
981 struct ap_message *msg,
982 struct ap_message *reply)
984 static struct error_hdr error_reply = {
985 .type = TYPE82_RSP_CODE,
986 .reply_code = REP82_ERROR_MACHINE_FAILURE,
988 struct response_type *resp_type =
989 (struct response_type *)msg->private;
990 struct type86_ep11_reply *t86r;
993 /* Copy the reply message to the request message buffer. */
995 goto out; /* ap_msg->rc indicates the error */
997 if (t86r->hdr.type == TYPE86_RSP_CODE &&
998 t86r->cprbx.cprb_ver_id == 0x04) {
999 switch (resp_type->type) {
1000 case CEXXC_RESPONSE_TYPE_EP11:
1001 len = t86r->fmt2.offset1 + t86r->fmt2.count1;
1002 len = min_t(int, MSGTYPE06_MAX_MSG_SIZE, len);
1003 memcpy(msg->msg, reply->msg, len);
1006 memcpy(msg->msg, &error_reply, sizeof(error_reply));
1009 memcpy(msg->msg, reply->msg, sizeof(error_reply));
1012 complete(&(resp_type->work));
1015 static atomic_t zcrypt_step = ATOMIC_INIT(0);
1018 * The request distributor calls this function if it picked the CEXxC
1019 * device to handle a modexpo request.
1020 * @zq: pointer to zcrypt_queue structure that identifies the
1021 * CEXxC device to the request distributor
1022 * @mex: pointer to the modexpo request buffer
1024 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq,
1025 struct ica_rsa_modexpo *mex,
1026 struct ap_message *ap_msg)
1028 struct response_type resp_type = {
1029 .type = CEXXC_RESPONSE_TYPE_ICA,
1033 ap_msg->msg = (void *) get_zeroed_page(GFP_KERNEL);
1036 ap_msg->receive = zcrypt_msgtype6_receive;
1037 ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1038 atomic_inc_return(&zcrypt_step);
1039 ap_msg->private = &resp_type;
1040 rc = ICAMEX_msg_to_type6MEX_msgX(zq, ap_msg, mex);
1043 init_completion(&resp_type.work);
1044 rc = ap_queue_message(zq->queue, ap_msg);
1047 rc = wait_for_completion_interruptible(&resp_type.work);
1051 rc = convert_response_ica(zq, ap_msg,
1053 mex->outputdatalength);
1055 /* Signal pending. */
1056 ap_cancel_message(zq->queue, ap_msg);
1058 free_page((unsigned long) ap_msg->msg);
1059 ap_msg->private = NULL;
1065 * The request distributor calls this function if it picked the CEXxC
1066 * device to handle a modexpo_crt request.
1067 * @zq: pointer to zcrypt_queue structure that identifies the
1068 * CEXxC device to the request distributor
1069 * @crt: pointer to the modexpoc_crt request buffer
1071 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq,
1072 struct ica_rsa_modexpo_crt *crt,
1073 struct ap_message *ap_msg)
1075 struct response_type resp_type = {
1076 .type = CEXXC_RESPONSE_TYPE_ICA,
1080 ap_msg->msg = (void *) get_zeroed_page(GFP_KERNEL);
1083 ap_msg->receive = zcrypt_msgtype6_receive;
1084 ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1085 atomic_inc_return(&zcrypt_step);
1086 ap_msg->private = &resp_type;
1087 rc = ICACRT_msg_to_type6CRT_msgX(zq, ap_msg, crt);
1090 init_completion(&resp_type.work);
1091 rc = ap_queue_message(zq->queue, ap_msg);
1094 rc = wait_for_completion_interruptible(&resp_type.work);
1098 rc = convert_response_ica(zq, ap_msg,
1100 crt->outputdatalength);
1102 /* Signal pending. */
1103 ap_cancel_message(zq->queue, ap_msg);
1106 free_page((unsigned long) ap_msg->msg);
1107 ap_msg->private = NULL;
1113 * Fetch function code from cprb.
1114 * Extracting the fc requires to copy the cprb from userspace.
1115 * So this function allocates memory and needs an ap_msg prepared
1116 * by the caller with ap_init_message(). Also the caller has to
1117 * make sure ap_release_message() is always called even on failure.
1119 unsigned int get_cprb_fc(bool userspace, struct ica_xcRB *xcRB,
1120 struct ap_message *ap_msg,
1121 unsigned int *func_code, unsigned short **dom)
1123 struct response_type resp_type = {
1124 .type = CEXXC_RESPONSE_TYPE_XCRB,
1127 ap_msg->msg = kmalloc(MSGTYPE06_MAX_MSG_SIZE, GFP_KERNEL);
1130 ap_msg->receive = zcrypt_msgtype6_receive;
1131 ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1132 atomic_inc_return(&zcrypt_step);
1133 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1134 if (!ap_msg->private)
1136 return XCRB_msg_to_type6CPRB_msgX(userspace, ap_msg, xcRB, func_code, dom);
1140 * The request distributor calls this function if it picked the CEXxC
1141 * device to handle a send_cprb request.
1142 * @zq: pointer to zcrypt_queue structure that identifies the
1143 * CEXxC device to the request distributor
1144 * @xcRB: pointer to the send_cprb request buffer
1146 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
1147 struct ica_xcRB *xcRB,
1148 struct ap_message *ap_msg)
1151 struct response_type *rtype = (struct response_type *)(ap_msg->private);
1153 init_completion(&rtype->work);
1154 rc = ap_queue_message(zq->queue, ap_msg);
1157 rc = wait_for_completion_interruptible(&rtype->work);
1161 rc = convert_response_xcrb(userspace, zq, ap_msg, xcRB);
1163 /* Signal pending. */
1164 ap_cancel_message(zq->queue, ap_msg);
1170 * Fetch function code from ep11 cprb.
1171 * Extracting the fc requires to copy the ep11 cprb from userspace.
1172 * So this function allocates memory and needs an ap_msg prepared
1173 * by the caller with ap_init_message(). Also the caller has to
1174 * make sure ap_release_message() is always called even on failure.
1176 unsigned int get_ep11cprb_fc(bool userspace, struct ep11_urb *xcrb,
1177 struct ap_message *ap_msg,
1178 unsigned int *func_code)
1180 struct response_type resp_type = {
1181 .type = CEXXC_RESPONSE_TYPE_EP11,
1184 ap_msg->msg = kmalloc(MSGTYPE06_MAX_MSG_SIZE, GFP_KERNEL);
1187 ap_msg->receive = zcrypt_msgtype6_receive_ep11;
1188 ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1189 atomic_inc_return(&zcrypt_step);
1190 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1191 if (!ap_msg->private)
1193 return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb, func_code);
1197 * The request distributor calls this function if it picked the CEX4P
1198 * device to handle a send_ep11_cprb request.
1199 * @zq: pointer to zcrypt_queue structure that identifies the
1200 * CEX4P device to the request distributor
1201 * @xcRB: pointer to the ep11 user request block
1203 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq,
1204 struct ep11_urb *xcrb,
1205 struct ap_message *ap_msg)
1209 struct response_type *rtype = (struct response_type *)(ap_msg->private);
1211 struct type6_hdr hdr;
1212 struct ep11_cprb cprbx;
1213 unsigned char pld_tag; /* fixed value 0x30 */
1214 unsigned char pld_lenfmt; /* payload length format */
1215 } __packed * msg = ap_msg->msg;
1217 unsigned char func_tag; /* fixed value 0x4 */
1218 unsigned char func_len; /* fixed value 0x4 */
1219 unsigned int func_val; /* function ID */
1220 unsigned char dom_tag; /* fixed value 0x4 */
1221 unsigned char dom_len; /* fixed value 0x4 */
1222 unsigned int dom_val; /* domain id */
1223 } __packed * payload_hdr = NULL;
1227 * The target domain field within the cprb body/payload block will be
1228 * replaced by the usage domain for non-management commands only.
1229 * Therefore we check the first bit of the 'flags' parameter for
1230 * management command indication.
1231 * 0 - non management command
1232 * 1 - management command
1234 if (!((msg->cprbx.flags & 0x80) == 0x80)) {
1235 msg->cprbx.target_id = (unsigned int)
1236 AP_QID_QUEUE(zq->queue->qid);
1238 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
1239 switch (msg->pld_lenfmt & 0x03) {
1250 lfmt = 1; /* length format #1 */
1252 payload_hdr = (struct pld_hdr *)((&(msg->pld_lenfmt))+lfmt);
1253 payload_hdr->dom_val = (unsigned int)
1254 AP_QID_QUEUE(zq->queue->qid);
1257 init_completion(&rtype->work);
1258 rc = ap_queue_message(zq->queue, ap_msg);
1261 rc = wait_for_completion_interruptible(&rtype->work);
1265 rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb);
1267 /* Signal pending. */
1268 ap_cancel_message(zq->queue, ap_msg);
1273 unsigned int get_rng_fc(struct ap_message *ap_msg, int *func_code,
1274 unsigned int *domain)
1276 struct response_type resp_type = {
1277 .type = CEXXC_RESPONSE_TYPE_XCRB,
1280 ap_msg->msg = kmalloc(MSGTYPE06_MAX_MSG_SIZE, GFP_KERNEL);
1283 ap_msg->receive = zcrypt_msgtype6_receive;
1284 ap_msg->psmid = (((unsigned long long) current->pid) << 32) +
1285 atomic_inc_return(&zcrypt_step);
1286 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1287 if (!ap_msg->private)
1290 rng_type6CPRB_msgX(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain);
1297 * The request distributor calls this function if it picked the CEXxC
1298 * device to generate random data.
1299 * @zq: pointer to zcrypt_queue structure that identifies the
1300 * CEXxC device to the request distributor
1301 * @buffer: pointer to a memory page to return random data
1303 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
1304 char *buffer, struct ap_message *ap_msg)
1307 struct type6_hdr hdr;
1309 char function_code[2];
1310 short int rule_length;
1312 short int verb_length;
1313 short int key_length;
1314 } __packed * msg = ap_msg->msg;
1315 struct response_type *rtype = (struct response_type *)(ap_msg->private);
1318 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1320 init_completion(&rtype->work);
1321 rc = ap_queue_message(zq->queue, ap_msg);
1324 rc = wait_for_completion_interruptible(&rtype->work);
1328 rc = convert_response_rng(zq, ap_msg, buffer);
1330 /* Signal pending. */
1331 ap_cancel_message(zq->queue, ap_msg);
1337 * The crypto operations for a CEXxC card.
1339 static struct zcrypt_ops zcrypt_msgtype6_norng_ops = {
1340 .owner = THIS_MODULE,
1341 .name = MSGTYPE06_NAME,
1342 .variant = MSGTYPE06_VARIANT_NORNG,
1343 .rsa_modexpo = zcrypt_msgtype6_modexpo,
1344 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1345 .send_cprb = zcrypt_msgtype6_send_cprb,
1348 static struct zcrypt_ops zcrypt_msgtype6_ops = {
1349 .owner = THIS_MODULE,
1350 .name = MSGTYPE06_NAME,
1351 .variant = MSGTYPE06_VARIANT_DEFAULT,
1352 .rsa_modexpo = zcrypt_msgtype6_modexpo,
1353 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1354 .send_cprb = zcrypt_msgtype6_send_cprb,
1355 .rng = zcrypt_msgtype6_rng,
1358 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = {
1359 .owner = THIS_MODULE,
1360 .name = MSGTYPE06_NAME,
1361 .variant = MSGTYPE06_VARIANT_EP11,
1362 .rsa_modexpo = NULL,
1363 .rsa_modexpo_crt = NULL,
1364 .send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb,
1367 void __init zcrypt_msgtype6_init(void)
1369 zcrypt_msgtype_register(&zcrypt_msgtype6_norng_ops);
1370 zcrypt_msgtype_register(&zcrypt_msgtype6_ops);
1371 zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops);
1374 void __exit zcrypt_msgtype6_exit(void)
1376 zcrypt_msgtype_unregister(&zcrypt_msgtype6_norng_ops);
1377 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops);
1378 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops);