1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
7 * Collection of CCA misc functions used by zcrypt and pkey
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
26 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
31 /* Size of parameter block used for all cca requests/replies */
34 /* Size of vardata block used for some of the cca requests/replies */
35 #define VARDATASIZE 4096
37 struct cca_info_list_entry {
38 struct list_head list;
44 /* a list with cca_info_list_entry entries */
45 static LIST_HEAD(cca_info_list);
46 static DEFINE_SPINLOCK(cca_info_list_lock);
49 * Simple check if the token is a valid CCA secure AES data key
50 * token. If keybitsize is given, the bitsize of the key is
51 * also checked. Returns 0 on success or errno value on failure.
53 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
54 const u8 *token, int keybitsize)
56 struct secaeskeytoken *t = (struct secaeskeytoken *) token;
58 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
60 if (t->type != TOKTYPE_CCA_INTERNAL) {
62 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
66 if (t->version != TOKVER_CCA_AES) {
68 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 __func__, (int) t->version, TOKVER_CCA_AES);
72 if (keybitsize > 0 && t->bitsize != keybitsize) {
74 DBF("%s token check failed, bitsize %d != %d\n",
75 __func__, (int) t->bitsize, keybitsize);
83 EXPORT_SYMBOL(cca_check_secaeskeytoken);
86 * Simple check if the token is a valid CCA secure AES cipher key
87 * token. If keybitsize is given, the bitsize of the key is
88 * also checked. If checkcpacfexport is enabled, the key is also
89 * checked for the export flag to allow CPACF export.
90 * Returns 0 on success or errno value on failure.
92 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
93 const u8 *token, int keybitsize,
96 struct cipherkeytoken *t = (struct cipherkeytoken *) token;
97 bool keybitsizeok = true;
99 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
101 if (t->type != TOKTYPE_CCA_INTERNAL) {
103 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
107 if (t->version != TOKVER_CCA_VLSC) {
109 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 __func__, (int) t->version, TOKVER_CCA_VLSC);
113 if (t->algtype != 0x02) {
115 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 __func__, (int) t->algtype);
119 if (t->keytype != 0x0001) {
121 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 __func__, (int) t->keytype);
125 if (t->plfver != 0x00 && t->plfver != 0x01) {
127 DBF("%s token check failed, unknown plfver 0x%02x\n",
128 __func__, (int) t->plfver);
131 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
133 DBF("%s token check failed, unknown wpllen %d\n",
134 __func__, (int) t->wpllen);
137 if (keybitsize > 0) {
138 switch (keybitsize) {
140 if (t->wpllen != (t->plfver ? 640 : 512))
141 keybitsizeok = false;
144 if (t->wpllen != (t->plfver ? 640 : 576))
145 keybitsizeok = false;
148 if (t->wpllen != 640)
149 keybitsizeok = false;
152 keybitsizeok = false;
157 DBF("%s token check failed, bitsize %d\n",
158 __func__, keybitsize);
162 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
164 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
173 EXPORT_SYMBOL(cca_check_secaescipherkey);
176 * Simple check if the token is a valid CCA secure ECC private
177 * key token. Returns 0 on success or errno value on failure.
179 int cca_check_sececckeytoken(debug_info_t *dbg, int dbflvl,
180 const u8 *token, size_t keysize,
181 int checkcpacfexport)
183 struct eccprivkeytoken *t = (struct eccprivkeytoken *) token;
185 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
187 if (t->type != TOKTYPE_CCA_INTERNAL_PKA) {
189 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
190 __func__, (int) t->type, TOKTYPE_CCA_INTERNAL_PKA);
193 if (t->len > keysize) {
195 DBF("%s token check failed, len %d > keysize %zu\n",
196 __func__, (int) t->len, keysize);
199 if (t->secid != 0x20) {
201 DBF("%s token check failed, secid 0x%02x != 0x20\n",
202 __func__, (int) t->secid);
205 if (checkcpacfexport && !(t->kutc & 0x01)) {
207 DBF("%s token check failed, XPRTCPAC bit is 0\n",
216 EXPORT_SYMBOL(cca_check_sececckeytoken);
219 * Allocate consecutive memory for request CPRB, request param
220 * block, reply CPRB and reply param block and fill in values
221 * for the common fields. Returns 0 on success or errno value
224 static int alloc_and_prep_cprbmem(size_t paramblen,
226 struct CPRBX **preqCPRB,
227 struct CPRBX **prepCPRB)
230 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
231 struct CPRBX *preqcblk, *prepcblk;
234 * allocate consecutive memory for request CPRB, request param
235 * block, reply CPRB and reply param block
237 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
241 preqcblk = (struct CPRBX *) cprbmem;
242 prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen);
244 /* fill request cprb struct */
245 preqcblk->cprb_len = sizeof(struct CPRBX);
246 preqcblk->cprb_ver_id = 0x02;
247 memcpy(preqcblk->func_id, "T2", 2);
248 preqcblk->rpl_msgbl = cprbplusparamblen;
250 preqcblk->req_parmb =
251 ((u8 __user *) preqcblk) + sizeof(struct CPRBX);
252 preqcblk->rpl_parmb =
253 ((u8 __user *) prepcblk) + sizeof(struct CPRBX);
257 *preqCPRB = preqcblk;
258 *prepCPRB = prepcblk;
264 * Free the cprb memory allocated with the function above.
265 * If the scrub value is not zero, the memory is filled
266 * with zeros before freeing (useful if there was some
267 * clear key material in there).
269 static void free_cprbmem(void *mem, size_t paramblen, int scrub)
272 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
277 * Helper function to prepare the xcrb struct
279 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
281 struct CPRBX *preqcblk,
282 struct CPRBX *prepcblk)
284 memset(pxcrb, 0, sizeof(*pxcrb));
285 pxcrb->agent_ID = 0x4341; /* 'CA' */
286 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
287 pxcrb->request_control_blk_length =
288 preqcblk->cprb_len + preqcblk->req_parml;
289 pxcrb->request_control_blk_addr = (void __user *) preqcblk;
290 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
291 pxcrb->reply_control_blk_addr = (void __user *) prepcblk;
295 * Generate (random) CCA AES DATA secure key.
297 int cca_genseckey(u16 cardnr, u16 domain,
298 u32 keybitsize, u8 *seckey)
303 struct CPRBX *preqcblk, *prepcblk;
304 struct ica_xcRB xcrb;
320 u8 data[SECKEYBLOBSIZE];
323 } __packed * preqparm;
334 /* ... some more data ... */
337 } __packed * prepparm;
339 /* get already prepared memory for 2 cprbs with param block each */
340 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
344 /* fill request cprb struct */
345 preqcblk->domain = domain;
347 /* fill request cprb param block with KG request */
348 preqparm = (struct kgreqparm __force *) preqcblk->req_parmb;
349 memcpy(preqparm->subfunc_code, "KG", 2);
350 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
351 preqparm->lv1.len = sizeof(struct lv1);
352 memcpy(preqparm->lv1.key_form, "OP ", 8);
353 switch (keybitsize) {
354 case PKEY_SIZE_AES_128:
355 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
357 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
359 case PKEY_SIZE_AES_192:
360 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
362 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
364 case PKEY_SIZE_AES_256:
365 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
367 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
370 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
371 __func__, keybitsize);
375 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
376 preqparm->lv2.len = sizeof(struct lv2);
377 for (i = 0; i < 6; i++) {
378 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
379 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
381 preqcblk->req_parml = sizeof(struct kgreqparm);
383 /* fill xcrb struct */
384 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
386 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
387 rc = zcrypt_send_cprb(&xcrb);
389 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
390 __func__, (int) cardnr, (int) domain, rc);
394 /* check response returncode and reasoncode */
395 if (prepcblk->ccp_rtcode != 0) {
396 DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
398 (int) prepcblk->ccp_rtcode,
399 (int) prepcblk->ccp_rscode);
404 /* process response cprb param block */
405 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
406 prepcblk->rpl_parmb = (u8 __user *) ptr;
407 prepparm = (struct kgrepparm *) ptr;
409 /* check length of the returned secure key token */
410 seckeysize = prepparm->lv3.keyblock.toklen
411 - sizeof(prepparm->lv3.keyblock.toklen)
412 - sizeof(prepparm->lv3.keyblock.tokattr);
413 if (seckeysize != SECKEYBLOBSIZE) {
414 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
415 __func__, seckeysize, SECKEYBLOBSIZE);
420 /* check secure key token */
421 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
422 prepparm->lv3.keyblock.tok, 8*keysize);
428 /* copy the generated secure key token */
429 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
432 free_cprbmem(mem, PARMBSIZE, 0);
435 EXPORT_SYMBOL(cca_genseckey);
438 * Generate an CCA AES DATA secure key with given key value.
440 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
441 const u8 *clrkey, u8 *seckey)
443 int rc, keysize, seckeysize;
445 struct CPRBX *preqcblk, *prepcblk;
446 struct ica_xcRB xcrb;
460 u8 data[SECKEYBLOBSIZE];
463 } __packed * preqparm;
475 /* ... some more data ... */
478 } __packed * prepparm;
480 /* get already prepared memory for 2 cprbs with param block each */
481 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
485 /* fill request cprb struct */
486 preqcblk->domain = domain;
488 /* fill request cprb param block with CM request */
489 preqparm = (struct cmreqparm __force *) preqcblk->req_parmb;
490 memcpy(preqparm->subfunc_code, "CM", 2);
491 memcpy(preqparm->rule_array, "AES ", 8);
492 preqparm->rule_array_len =
493 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
494 switch (keybitsize) {
495 case PKEY_SIZE_AES_128:
496 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
499 case PKEY_SIZE_AES_192:
500 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
503 case PKEY_SIZE_AES_256:
504 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
508 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
509 __func__, keybitsize);
513 preqparm->lv1.len = sizeof(struct lv1) + keysize;
514 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
515 plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize);
516 plv2->len = sizeof(struct lv2);
517 plv2->keyid.len = sizeof(struct keyid);
518 plv2->keyid.attr = 0x30;
519 preqcblk->req_parml = sizeof(struct cmreqparm) + keysize;
521 /* fill xcrb struct */
522 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
524 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
525 rc = zcrypt_send_cprb(&xcrb);
527 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
528 __func__, (int) cardnr, (int) domain, rc);
532 /* check response returncode and reasoncode */
533 if (prepcblk->ccp_rtcode != 0) {
534 DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
536 (int) prepcblk->ccp_rtcode,
537 (int) prepcblk->ccp_rscode);
542 /* process response cprb param block */
543 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
544 prepcblk->rpl_parmb = (u8 __user *) ptr;
545 prepparm = (struct cmrepparm *) ptr;
547 /* check length of the returned secure key token */
548 seckeysize = prepparm->lv3.keyblock.toklen
549 - sizeof(prepparm->lv3.keyblock.toklen)
550 - sizeof(prepparm->lv3.keyblock.tokattr);
551 if (seckeysize != SECKEYBLOBSIZE) {
552 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
553 __func__, seckeysize, SECKEYBLOBSIZE);
558 /* check secure key token */
559 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
560 prepparm->lv3.keyblock.tok, 8*keysize);
566 /* copy the generated secure key token */
568 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
571 free_cprbmem(mem, PARMBSIZE, 1);
574 EXPORT_SYMBOL(cca_clr2seckey);
577 * Derive proteced key from an CCA AES DATA secure key.
579 int cca_sec2protkey(u16 cardnr, u16 domain,
580 const u8 *seckey, u8 *protkey, u32 *protkeylen,
585 struct CPRBX *preqcblk, *prepcblk;
586 struct ica_xcRB xcrb;
599 u8 token[]; /* cca secure key token */
601 } __packed * preqparm;
609 struct cpacfkeyblock {
610 u8 version; /* version of this struct */
616 u8 key[64]; /* the key (len bytes) */
621 u8 vp[32]; /* verification pattern */
624 } __packed * prepparm;
626 /* get already prepared memory for 2 cprbs with param block each */
627 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
631 /* fill request cprb struct */
632 preqcblk->domain = domain;
634 /* fill request cprb param block with USK request */
635 preqparm = (struct uskreqparm __force *) preqcblk->req_parmb;
636 memcpy(preqparm->subfunc_code, "US", 2);
637 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
638 preqparm->lv1.len = sizeof(struct lv1);
639 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
640 preqparm->lv1.attr_flags = 0x0001;
641 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
642 preqparm->lv2.attr_len = sizeof(struct lv2)
643 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
644 preqparm->lv2.attr_flags = 0x0000;
645 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
646 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
648 /* fill xcrb struct */
649 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
651 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
652 rc = zcrypt_send_cprb(&xcrb);
654 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
655 __func__, (int) cardnr, (int) domain, rc);
659 /* check response returncode and reasoncode */
660 if (prepcblk->ccp_rtcode != 0) {
661 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
663 (int) prepcblk->ccp_rtcode,
664 (int) prepcblk->ccp_rscode);
665 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
671 if (prepcblk->ccp_rscode != 0) {
672 DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
674 (int) prepcblk->ccp_rtcode,
675 (int) prepcblk->ccp_rscode);
678 /* process response cprb param block */
679 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
680 prepcblk->rpl_parmb = (u8 __user *) ptr;
681 prepparm = (struct uskrepparm *) ptr;
683 /* check the returned keyblock */
684 if (prepparm->lv3.ckb.version != 0x01 &&
685 prepparm->lv3.ckb.version != 0x02) {
686 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
687 __func__, (int) prepparm->lv3.ckb.version);
692 /* copy the tanslated protected key */
693 switch (prepparm->lv3.ckb.len) {
695 /* AES 128 protected key */
697 *protkeytype = PKEY_KEYTYPE_AES_128;
700 /* AES 192 protected key */
702 *protkeytype = PKEY_KEYTYPE_AES_192;
705 /* AES 256 protected key */
707 *protkeytype = PKEY_KEYTYPE_AES_256;
710 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
711 __func__, prepparm->lv3.ckb.len);
715 memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
717 *protkeylen = prepparm->lv3.ckb.len;
720 free_cprbmem(mem, PARMBSIZE, 0);
723 EXPORT_SYMBOL(cca_sec2protkey);
726 * AES cipher key skeleton created with CSNBKTB2 with these flags:
727 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
728 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
729 * used by cca_gencipherkey() and cca_clr2cipherkey().
731 static const u8 aes_cipher_key_skeleton[] = {
732 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
733 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
734 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
735 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
736 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
737 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
738 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
739 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
742 * Generate (random) CCA AES CIPHER secure key.
744 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
745 u8 *keybuf, size_t *keybufsize)
749 struct CPRBX *preqcblk, *prepcblk;
750 struct ica_xcRB xcrb;
754 char rule_array[2*8];
759 u16 clear_key_bit_len;
784 u8 gen_key_id_1[SIZEOF_SKELETON];
789 u8 gen_key_id_1_label[0];
799 u8 gen_key_id_2_label[0];
802 } __packed * preqparm;
814 u8 gen_key[0]; /* 120-136 bytes */
817 } __packed * prepparm;
818 struct cipherkeytoken *t;
820 /* get already prepared memory for 2 cprbs with param block each */
821 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
825 /* fill request cprb struct */
826 preqcblk->domain = domain;
827 preqcblk->req_parml = sizeof(struct gkreqparm);
829 /* prepare request param block with GK request */
830 preqparm = (struct gkreqparm __force *) preqcblk->req_parmb;
831 memcpy(preqparm->subfunc_code, "GK", 2);
832 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
833 memcpy(preqparm->rule_array, "AES OP ", 2*8);
835 /* prepare vud block */
836 preqparm->vud.len = sizeof(preqparm->vud);
837 switch (keybitsize) {
844 "%s unknown/unsupported keybitsize %d\n",
845 __func__, keybitsize);
849 preqparm->vud.clear_key_bit_len = keybitsize;
850 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
851 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
853 /* prepare kb block */
854 preqparm->kb.len = sizeof(preqparm->kb);
855 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
856 preqparm->kb.tlv1.flag = 0x0030;
857 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
858 preqparm->kb.tlv2.flag = 0x0030;
859 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
860 preqparm->kb.tlv3.flag = 0x0030;
861 memcpy(preqparm->kb.tlv3.gen_key_id_1,
862 aes_cipher_key_skeleton, SIZEOF_SKELETON);
863 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
864 preqparm->kb.tlv4.flag = 0x0030;
865 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
866 preqparm->kb.tlv5.flag = 0x0030;
867 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
868 preqparm->kb.tlv6.flag = 0x0030;
870 /* patch the skeleton key token export flags inside the kb block */
872 t = (struct cipherkeytoken *) preqparm->kb.tlv3.gen_key_id_1;
873 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
874 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
877 /* prepare xcrb struct */
878 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
880 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
881 rc = zcrypt_send_cprb(&xcrb);
884 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
885 __func__, (int) cardnr, (int) domain, rc);
889 /* check response returncode and reasoncode */
890 if (prepcblk->ccp_rtcode != 0) {
892 "%s cipher key generate failure, card response %d/%d\n",
894 (int) prepcblk->ccp_rtcode,
895 (int) prepcblk->ccp_rscode);
900 /* process response cprb param block */
901 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
902 prepcblk->rpl_parmb = (u8 __user *) ptr;
903 prepparm = (struct gkrepparm *) ptr;
905 /* do some plausibility checks on the key block */
906 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
907 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
908 DEBUG_ERR("%s reply with invalid or unknown key block\n",
914 /* and some checks on the generated key */
915 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
916 prepparm->kb.tlv1.gen_key,
923 /* copy the generated vlsc key token */
924 t = (struct cipherkeytoken *) prepparm->kb.tlv1.gen_key;
926 if (*keybufsize >= t->len)
927 memcpy(keybuf, t, t->len);
931 *keybufsize = t->len;
934 free_cprbmem(mem, PARMBSIZE, 0);
937 EXPORT_SYMBOL(cca_gencipherkey);
940 * Helper function, does a the CSNBKPI2 CPRB.
942 static int _ip_cprb_helper(u16 cardnr, u16 domain,
943 const char *rule_array_1,
944 const char *rule_array_2,
945 const char *rule_array_3,
946 const u8 *clr_key_value,
947 int clr_key_bit_size,
953 struct CPRBX *preqcblk, *prepcblk;
954 struct ica_xcRB xcrb;
955 struct rule_array_block {
959 } __packed * preq_ra_block;
964 u16 flag; /* 0x0064 */
969 u16 flag; /* 0x0063 */
970 u8 clr_key[0]; /* clear key value bytes */
972 } __packed * preq_vud_block;
977 u16 flag; /* 0x0030 */
978 u8 key_token[0]; /* key skeleton */
980 } __packed * preq_key_block;
991 u16 flag; /* 0x0030 */
992 u8 key_token[0]; /* key token */
995 } __packed * prepparm;
996 struct cipherkeytoken *t;
997 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
999 /* get already prepared memory for 2 cprbs with param block each */
1000 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1004 /* fill request cprb struct */
1005 preqcblk->domain = domain;
1006 preqcblk->req_parml = 0;
1008 /* prepare request param block with IP request */
1009 preq_ra_block = (struct rule_array_block __force *) preqcblk->req_parmb;
1010 memcpy(preq_ra_block->subfunc_code, "IP", 2);
1011 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
1012 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
1013 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
1014 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
1016 preq_ra_block->rule_array_len += 8;
1017 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
1018 preqcblk->req_parml += 8;
1021 /* prepare vud block */
1022 preq_vud_block = (struct vud_block __force *)
1023 (preqcblk->req_parmb + preqcblk->req_parml);
1024 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
1025 preq_vud_block->len = sizeof(struct vud_block) + n;
1026 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
1027 preq_vud_block->tlv1.flag = 0x0064;
1028 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
1029 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
1030 preq_vud_block->tlv2.flag = 0x0063;
1032 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1033 preqcblk->req_parml += preq_vud_block->len;
1035 /* prepare key block */
1036 preq_key_block = (struct key_block __force *)
1037 (preqcblk->req_parmb + preqcblk->req_parml);
1038 n = *key_token_size;
1039 preq_key_block->len = sizeof(struct key_block) + n;
1040 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1041 preq_key_block->tlv1.flag = 0x0030;
1042 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1043 preqcblk->req_parml += preq_key_block->len;
1045 /* prepare xcrb struct */
1046 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1048 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1049 rc = zcrypt_send_cprb(&xcrb);
1052 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1053 __func__, (int) cardnr, (int) domain, rc);
1057 /* check response returncode and reasoncode */
1058 if (prepcblk->ccp_rtcode != 0) {
1060 "%s CSNBKPI2 failure, card response %d/%d\n",
1062 (int) prepcblk->ccp_rtcode,
1063 (int) prepcblk->ccp_rscode);
1068 /* process response cprb param block */
1069 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1070 prepcblk->rpl_parmb = (u8 __user *) ptr;
1071 prepparm = (struct iprepparm *) ptr;
1073 /* do some plausibility checks on the key block */
1074 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1075 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1076 DEBUG_ERR("%s reply with invalid or unknown key block\n",
1082 /* do not check the key here, it may be incomplete */
1084 /* copy the vlsc key token back */
1085 t = (struct cipherkeytoken *) prepparm->kb.tlv1.key_token;
1086 memcpy(key_token, t, t->len);
1087 *key_token_size = t->len;
1090 free_cprbmem(mem, PARMBSIZE, 0);
1095 * Build CCA AES CIPHER secure key with a given clear key value.
1097 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1098 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1104 struct cipherkeytoken *t;
1106 /* fill exorbuf with random data */
1107 get_random_bytes(exorbuf, sizeof(exorbuf));
1109 /* allocate space for the key token to build */
1110 token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1114 /* prepare the token with the key skeleton */
1115 tokensize = SIZEOF_SKELETON;
1116 memcpy(token, aes_cipher_key_skeleton, tokensize);
1118 /* patch the skeleton key token export flags */
1120 t = (struct cipherkeytoken *) token;
1121 t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
1122 t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
1126 * Do the key import with the clear key value in 4 steps:
1127 * 1/4 FIRST import with only random data
1128 * 2/4 EXOR the clear key
1129 * 3/4 EXOR the very same random data again
1130 * 4/4 COMPLETE the secure cipher key import
1132 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1133 exorbuf, keybitsize, token, &tokensize);
1136 "%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1140 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1141 clrkey, keybitsize, token, &tokensize);
1144 "%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1148 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1149 exorbuf, keybitsize, token, &tokensize);
1152 "%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1156 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1157 NULL, keybitsize, token, &tokensize);
1160 "%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1165 /* copy the generated key token */
1167 if (tokensize > *keybufsize)
1170 memcpy(keybuf, token, tokensize);
1172 *keybufsize = tokensize;
1178 EXPORT_SYMBOL(cca_clr2cipherkey);
1181 * Derive proteced key from CCA AES cipher secure key.
1183 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1184 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1188 struct CPRBX *preqcblk, *prepcblk;
1189 struct ica_xcRB xcrb;
1202 u16 cca_key_token_len;
1203 u16 cca_key_token_flags;
1204 u8 cca_key_token[0]; // 64 or more
1206 } __packed * preqparm;
1214 struct cpacfkeyblock {
1215 u8 version; /* version of this struct */
1221 u8 key[64]; /* the key (keylen bytes) */
1226 u8 vp[32]; /* verification pattern */
1232 } __packed * prepparm;
1233 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1235 /* get already prepared memory for 2 cprbs with param block each */
1236 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1240 /* fill request cprb struct */
1241 preqcblk->domain = domain;
1243 /* fill request cprb param block with AU request */
1244 preqparm = (struct aureqparm __force *) preqcblk->req_parmb;
1245 memcpy(preqparm->subfunc_code, "AU", 2);
1246 preqparm->rule_array_len =
1247 sizeof(preqparm->rule_array_len)
1248 + sizeof(preqparm->rule_array);
1249 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1251 preqparm->vud.len = sizeof(preqparm->vud);
1252 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1253 + 2 * sizeof(uint16_t);
1254 preqparm->vud.tk_blob_tag = 0x00C2;
1256 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1257 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1258 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1259 /* now fill length of param block into cprb */
1260 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1262 /* fill xcrb struct */
1263 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1265 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1266 rc = zcrypt_send_cprb(&xcrb);
1269 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1270 __func__, (int) cardnr, (int) domain, rc);
1274 /* check response returncode and reasoncode */
1275 if (prepcblk->ccp_rtcode != 0) {
1277 "%s unwrap secure key failure, card response %d/%d\n",
1279 (int) prepcblk->ccp_rtcode,
1280 (int) prepcblk->ccp_rscode);
1281 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
1287 if (prepcblk->ccp_rscode != 0) {
1289 "%s unwrap secure key warning, card response %d/%d\n",
1291 (int) prepcblk->ccp_rtcode,
1292 (int) prepcblk->ccp_rscode);
1295 /* process response cprb param block */
1296 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1297 prepcblk->rpl_parmb = (u8 __user *) ptr;
1298 prepparm = (struct aurepparm *) ptr;
1300 /* check the returned keyblock */
1301 if (prepparm->vud.ckb.version != 0x01 &&
1302 prepparm->vud.ckb.version != 0x02) {
1303 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1304 __func__, (int) prepparm->vud.ckb.version);
1308 if (prepparm->vud.ckb.algo != 0x02) {
1310 "%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1311 __func__, (int) prepparm->vud.ckb.algo);
1316 /* copy the translated protected key */
1317 switch (prepparm->vud.ckb.keylen) {
1319 /* AES 128 protected key */
1321 *protkeytype = PKEY_KEYTYPE_AES_128;
1324 /* AES 192 protected key */
1326 *protkeytype = PKEY_KEYTYPE_AES_192;
1329 /* AES 256 protected key */
1331 *protkeytype = PKEY_KEYTYPE_AES_256;
1334 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1335 __func__, prepparm->vud.ckb.keylen);
1339 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1341 *protkeylen = prepparm->vud.ckb.keylen;
1344 free_cprbmem(mem, PARMBSIZE, 0);
1347 EXPORT_SYMBOL(cca_cipher2protkey);
1350 * Derive protected key from CCA ECC secure private key.
1352 int cca_ecc2protkey(u16 cardnr, u16 domain, const u8 *key,
1353 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1357 struct CPRBX *preqcblk, *prepcblk;
1358 struct ica_xcRB xcrb;
1371 u16 cca_key_token_len;
1372 u16 cca_key_token_flags;
1373 u8 cca_key_token[0];
1375 } __packed * preqparm;
1383 struct cpacfkeyblock {
1384 u8 version; /* version of this struct */
1390 u8 key[0]; /* the key (keylen bytes) */
1395 u8 vp[32]; /* verification pattern */
1401 } __packed * prepparm;
1402 int keylen = ((struct eccprivkeytoken *)key)->len;
1404 /* get already prepared memory for 2 cprbs with param block each */
1405 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1409 /* fill request cprb struct */
1410 preqcblk->domain = domain;
1412 /* fill request cprb param block with AU request */
1413 preqparm = (struct aureqparm __force *) preqcblk->req_parmb;
1414 memcpy(preqparm->subfunc_code, "AU", 2);
1415 preqparm->rule_array_len =
1416 sizeof(preqparm->rule_array_len)
1417 + sizeof(preqparm->rule_array);
1418 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1420 preqparm->vud.len = sizeof(preqparm->vud);
1421 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1422 + 2 * sizeof(uint16_t);
1423 preqparm->vud.tk_blob_tag = 0x00C2;
1425 preqparm->kb.len = keylen + 3 * sizeof(uint16_t);
1426 preqparm->kb.cca_key_token_len = keylen + 2 * sizeof(uint16_t);
1427 memcpy(preqparm->kb.cca_key_token, key, keylen);
1428 /* now fill length of param block into cprb */
1429 preqcblk->req_parml = sizeof(struct aureqparm) + keylen;
1431 /* fill xcrb struct */
1432 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1434 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1435 rc = zcrypt_send_cprb(&xcrb);
1438 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1439 __func__, (int) cardnr, (int) domain, rc);
1443 /* check response returncode and reasoncode */
1444 if (prepcblk->ccp_rtcode != 0) {
1446 "%s unwrap secure key failure, card response %d/%d\n",
1448 (int) prepcblk->ccp_rtcode,
1449 (int) prepcblk->ccp_rscode);
1450 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
1456 if (prepcblk->ccp_rscode != 0) {
1458 "%s unwrap secure key warning, card response %d/%d\n",
1460 (int) prepcblk->ccp_rtcode,
1461 (int) prepcblk->ccp_rscode);
1464 /* process response cprb param block */
1465 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1466 prepcblk->rpl_parmb = (u8 __user *) ptr;
1467 prepparm = (struct aurepparm *) ptr;
1469 /* check the returned keyblock */
1470 if (prepparm->vud.ckb.version != 0x02) {
1471 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x != 0x02\n",
1472 __func__, (int) prepparm->vud.ckb.version);
1476 if (prepparm->vud.ckb.algo != 0x81) {
1478 "%s reply param keyblock algo mismatch 0x%02x != 0x81\n",
1479 __func__, (int) prepparm->vud.ckb.algo);
1484 /* copy the translated protected key */
1485 if (prepparm->vud.ckb.keylen > *protkeylen) {
1486 DEBUG_ERR("%s prot keylen mismatch %d > buffersize %u\n",
1487 __func__, prepparm->vud.ckb.keylen, *protkeylen);
1491 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1492 *protkeylen = prepparm->vud.ckb.keylen;
1494 *protkeytype = PKEY_KEYTYPE_ECC;
1497 free_cprbmem(mem, PARMBSIZE, 0);
1500 EXPORT_SYMBOL(cca_ecc2protkey);
1503 * query cryptographic facility from CCA adapter
1505 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1506 const char *keyword,
1507 u8 *rarray, size_t *rarraylen,
1508 u8 *varray, size_t *varraylen)
1513 struct CPRBX *preqcblk, *prepcblk;
1514 struct ica_xcRB xcrb;
1521 u8 data[VARDATASIZE];
1524 } __packed * preqparm;
1525 size_t parmbsize = sizeof(struct fqreqparm);
1529 } __packed * prepparm;
1531 /* get already prepared memory for 2 cprbs with param block each */
1532 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1536 /* fill request cprb struct */
1537 preqcblk->domain = domain;
1539 /* fill request cprb param block with FQ request */
1540 preqparm = (struct fqreqparm __force *) preqcblk->req_parmb;
1541 memcpy(preqparm->subfunc_code, "FQ", 2);
1542 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1543 preqparm->rule_array_len =
1544 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1545 preqparm->lv1.len = sizeof(preqparm->lv1);
1546 preqparm->dummylen = sizeof(preqparm->dummylen);
1547 preqcblk->req_parml = parmbsize;
1549 /* fill xcrb struct */
1550 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1552 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1553 rc = zcrypt_send_cprb(&xcrb);
1555 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1556 __func__, (int) cardnr, (int) domain, rc);
1560 /* check response returncode and reasoncode */
1561 if (prepcblk->ccp_rtcode != 0) {
1562 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1564 (int) prepcblk->ccp_rtcode,
1565 (int) prepcblk->ccp_rscode);
1570 /* process response cprb param block */
1571 ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1572 prepcblk->rpl_parmb = (u8 __user *) ptr;
1573 prepparm = (struct fqrepparm *) ptr;
1574 ptr = prepparm->lvdata;
1576 /* check and possibly copy reply rule array */
1577 len = *((u16 *) ptr);
1578 if (len > sizeof(u16)) {
1581 if (rarray && rarraylen && *rarraylen > 0) {
1582 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1583 memcpy(rarray, ptr, *rarraylen);
1587 /* check and possible copy reply var array */
1588 len = *((u16 *) ptr);
1589 if (len > sizeof(u16)) {
1592 if (varray && varraylen && *varraylen > 0) {
1593 *varraylen = (len > *varraylen ? *varraylen : len);
1594 memcpy(varray, ptr, *varraylen);
1600 free_cprbmem(mem, parmbsize, 0);
1603 EXPORT_SYMBOL(cca_query_crypto_facility);
1605 static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
1608 struct cca_info_list_entry *ptr;
1610 spin_lock_bh(&cca_info_list_lock);
1611 list_for_each_entry(ptr, &cca_info_list, list) {
1612 if (ptr->cardnr == cardnr && ptr->domain == domain) {
1613 memcpy(ci, &ptr->info, sizeof(*ci));
1618 spin_unlock_bh(&cca_info_list_lock);
1623 static void cca_info_cache_update(u16 cardnr, u16 domain,
1624 const struct cca_info *ci)
1627 struct cca_info_list_entry *ptr;
1629 spin_lock_bh(&cca_info_list_lock);
1630 list_for_each_entry(ptr, &cca_info_list, list) {
1631 if (ptr->cardnr == cardnr &&
1632 ptr->domain == domain) {
1633 memcpy(&ptr->info, ci, sizeof(*ci));
1639 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1641 spin_unlock_bh(&cca_info_list_lock);
1644 ptr->cardnr = cardnr;
1645 ptr->domain = domain;
1646 memcpy(&ptr->info, ci, sizeof(*ci));
1647 list_add(&ptr->list, &cca_info_list);
1649 spin_unlock_bh(&cca_info_list_lock);
1652 static void cca_info_cache_scrub(u16 cardnr, u16 domain)
1654 struct cca_info_list_entry *ptr;
1656 spin_lock_bh(&cca_info_list_lock);
1657 list_for_each_entry(ptr, &cca_info_list, list) {
1658 if (ptr->cardnr == cardnr &&
1659 ptr->domain == domain) {
1660 list_del(&ptr->list);
1665 spin_unlock_bh(&cca_info_list_lock);
1668 static void __exit mkvp_cache_free(void)
1670 struct cca_info_list_entry *ptr, *pnext;
1672 spin_lock_bh(&cca_info_list_lock);
1673 list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
1674 list_del(&ptr->list);
1677 spin_unlock_bh(&cca_info_list_lock);
1681 * Fetch cca_info values via query_crypto_facility from adapter.
1683 static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
1687 u8 *rarray, *varray, *pg;
1688 struct zcrypt_device_status_ext devstat;
1690 memset(ci, 0, sizeof(*ci));
1692 /* get first info from zcrypt device driver about this apqn */
1693 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1696 ci->hwtype = devstat.hwtype;
1698 /* prep page for rule array and var array use */
1699 pg = (u8 *) __get_free_page(GFP_KERNEL);
1703 varray = pg + PAGE_SIZE/2;
1704 rlen = vlen = PAGE_SIZE/2;
1706 /* QF for this card/domain */
1707 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1708 rarray, &rlen, varray, &vlen);
1709 if (rc == 0 && rlen >= 10*8 && vlen >= 204) {
1710 memcpy(ci->serial, rarray, 8);
1711 ci->new_aes_mk_state = (char) rarray[7*8];
1712 ci->cur_aes_mk_state = (char) rarray[8*8];
1713 ci->old_aes_mk_state = (char) rarray[9*8];
1714 if (ci->old_aes_mk_state == '2')
1715 memcpy(&ci->old_aes_mkvp, varray + 172, 8);
1716 if (ci->cur_aes_mk_state == '2')
1717 memcpy(&ci->cur_aes_mkvp, varray + 184, 8);
1718 if (ci->new_aes_mk_state == '3')
1719 memcpy(&ci->new_aes_mkvp, varray + 196, 8);
1724 rlen = vlen = PAGE_SIZE/2;
1725 rc = cca_query_crypto_facility(cardnr, domain, "STATICSB",
1726 rarray, &rlen, varray, &vlen);
1727 if (rc == 0 && rlen >= 13*8 && vlen >= 240) {
1728 ci->new_apka_mk_state = (char) rarray[10*8];
1729 ci->cur_apka_mk_state = (char) rarray[11*8];
1730 ci->old_apka_mk_state = (char) rarray[12*8];
1731 if (ci->old_apka_mk_state == '2')
1732 memcpy(&ci->old_apka_mkvp, varray + 208, 8);
1733 if (ci->cur_apka_mk_state == '2')
1734 memcpy(&ci->cur_apka_mkvp, varray + 220, 8);
1735 if (ci->new_apka_mk_state == '3')
1736 memcpy(&ci->new_apka_mkvp, varray + 232, 8);
1741 free_page((unsigned long) pg);
1742 return found == 2 ? 0 : -ENOENT;
1746 * Fetch cca information about a CCA queue.
1748 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1752 rc = cca_info_cache_fetch(card, dom, ci);
1754 rc = fetch_cca_info(card, dom, ci);
1756 cca_info_cache_update(card, dom, ci);
1761 EXPORT_SYMBOL(cca_get_info);
1764 * Search for a matching crypto card based on the
1765 * Master Key Verification Pattern given.
1767 static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1768 int verify, int minhwtype)
1770 struct zcrypt_device_status_ext *device_status;
1775 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1776 if (mkvp == 0 || minhwtype < 0)
1779 /* fetch status of all crypto cards */
1780 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1781 sizeof(struct zcrypt_device_status_ext),
1785 zcrypt_device_status_mask_ext(device_status);
1787 /* walk through all crypto cards */
1788 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1789 card = AP_QID_CARD(device_status[i].qid);
1790 dom = AP_QID_QUEUE(device_status[i].qid);
1791 if (device_status[i].online &&
1792 device_status[i].functions & 0x04) {
1793 /* enabled CCA card, check current mkvp from cache */
1794 if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
1795 ci.hwtype >= minhwtype &&
1796 ci.cur_aes_mk_state == '2' &&
1797 ci.cur_aes_mkvp == mkvp) {
1800 /* verify: refresh card info */
1801 if (fetch_cca_info(card, dom, &ci) == 0) {
1802 cca_info_cache_update(card, dom, &ci);
1803 if (ci.hwtype >= minhwtype &&
1804 ci.cur_aes_mk_state == '2' &&
1805 ci.cur_aes_mkvp == mkvp)
1810 /* Card is offline and/or not a CCA card. */
1811 /* del mkvp entry from cache if it exists */
1812 cca_info_cache_scrub(card, dom);
1815 if (i >= MAX_ZDEV_ENTRIES_EXT) {
1816 /* nothing found, so this time without cache */
1817 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1818 if (!(device_status[i].online &&
1819 device_status[i].functions & 0x04))
1821 card = AP_QID_CARD(device_status[i].qid);
1822 dom = AP_QID_QUEUE(device_status[i].qid);
1823 /* fresh fetch mkvp from adapter */
1824 if (fetch_cca_info(card, dom, &ci) == 0) {
1825 cca_info_cache_update(card, dom, &ci);
1826 if (ci.hwtype >= minhwtype &&
1827 ci.cur_aes_mk_state == '2' &&
1828 ci.cur_aes_mkvp == mkvp)
1830 if (ci.hwtype >= minhwtype &&
1831 ci.old_aes_mk_state == '2' &&
1832 ci.old_aes_mkvp == mkvp &&
1837 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1838 /* old mkvp matched, use this card then */
1839 card = AP_QID_CARD(device_status[oi].qid);
1840 dom = AP_QID_QUEUE(device_status[oi].qid);
1843 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1848 rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1852 kvfree(device_status);
1857 * Search for a matching crypto card based on the Master Key
1858 * Verification Pattern provided inside a secure key token.
1860 int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1864 const struct keytoken_header *hdr = (struct keytoken_header *) key;
1866 if (hdr->type != TOKTYPE_CCA_INTERNAL)
1869 switch (hdr->version) {
1870 case TOKVER_CCA_AES:
1871 mkvp = ((struct secaeskeytoken *)key)->mkvp;
1873 case TOKVER_CCA_VLSC:
1874 mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1875 minhwtype = AP_DEVICE_TYPE_CEX6;
1881 return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
1883 EXPORT_SYMBOL(cca_findcard);
1885 int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1886 int minhwtype, int mktype, u64 cur_mkvp, u64 old_mkvp,
1889 struct zcrypt_device_status_ext *device_status;
1890 u32 *_apqns = NULL, _nr_apqns = 0;
1891 int i, card, dom, curmatch, oldmatch, rc = 0;
1894 /* fetch status of all crypto cards */
1895 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1896 sizeof(struct zcrypt_device_status_ext),
1900 zcrypt_device_status_mask_ext(device_status);
1902 /* allocate 1k space for up to 256 apqns */
1903 _apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL);
1905 kvfree(device_status);
1909 /* walk through all the crypto apqnss */
1910 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1911 card = AP_QID_CARD(device_status[i].qid);
1912 dom = AP_QID_QUEUE(device_status[i].qid);
1913 /* check online state */
1914 if (!device_status[i].online)
1916 /* check for cca functions */
1917 if (!(device_status[i].functions & 0x04))
1920 if (cardnr != 0xFFFF && card != cardnr)
1923 if (domain != 0xFFFF && dom != domain)
1925 /* get cca info on this apqn */
1926 if (cca_get_info(card, dom, &ci, verify))
1928 /* current master key needs to be valid */
1929 if (mktype == AES_MK_SET && ci.cur_aes_mk_state != '2')
1931 if (mktype == APKA_MK_SET && ci.cur_apka_mk_state != '2')
1933 /* check min hardware type */
1934 if (minhwtype > 0 && minhwtype > ci.hwtype)
1936 if (cur_mkvp || old_mkvp) {
1938 curmatch = oldmatch = 0;
1939 if (mktype == AES_MK_SET) {
1940 if (cur_mkvp && cur_mkvp == ci.cur_aes_mkvp)
1942 if (old_mkvp && ci.old_aes_mk_state == '2' &&
1943 old_mkvp == ci.old_aes_mkvp)
1946 if (cur_mkvp && cur_mkvp == ci.cur_apka_mkvp)
1948 if (old_mkvp && ci.old_apka_mk_state == '2' &&
1949 old_mkvp == ci.old_apka_mkvp)
1952 if (curmatch + oldmatch < 1)
1955 /* apqn passed all filtering criterons, add to the array */
1956 if (_nr_apqns < 256)
1957 _apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16) dom);
1960 /* nothing found ? */
1965 /* no re-allocation, simple return the _apqns array */
1967 *nr_apqns = _nr_apqns;
1971 kvfree(device_status);
1974 EXPORT_SYMBOL(cca_findcard2);
1976 void __exit zcrypt_ccamisc_exit(void)