1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 * Ingo Franzki <ifranzki@linux.ibm.com>
7 * Collection of CCA misc functions used by zcrypt and pkey
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
26 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
31 /* Size of parameter block used for all cca requests/replies */
34 /* Size of vardata block used for some of the cca requests/replies */
35 #define VARDATASIZE 4096
37 struct cca_info_list_entry {
38 struct list_head list;
44 /* a list with cca_info_list_entry entries */
45 static LIST_HEAD(cca_info_list);
46 static DEFINE_SPINLOCK(cca_info_list_lock);
49 * Simple check if the token is a valid CCA secure AES data key
50 * token. If keybitsize is given, the bitsize of the key is
51 * also checked. Returns 0 on success or errno value on failure.
53 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
54 const u8 *token, int keybitsize)
56 struct secaeskeytoken *t = (struct secaeskeytoken *)token;
58 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
60 if (t->type != TOKTYPE_CCA_INTERNAL) {
62 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 __func__, (int)t->type, TOKTYPE_CCA_INTERNAL);
66 if (t->version != TOKVER_CCA_AES) {
68 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 __func__, (int)t->version, TOKVER_CCA_AES);
72 if (keybitsize > 0 && t->bitsize != keybitsize) {
74 DBF("%s token check failed, bitsize %d != %d\n",
75 __func__, (int)t->bitsize, keybitsize);
83 EXPORT_SYMBOL(cca_check_secaeskeytoken);
86 * Simple check if the token is a valid CCA secure AES cipher key
87 * token. If keybitsize is given, the bitsize of the key is
88 * also checked. If checkcpacfexport is enabled, the key is also
89 * checked for the export flag to allow CPACF export.
90 * Returns 0 on success or errno value on failure.
92 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
93 const u8 *token, int keybitsize,
96 struct cipherkeytoken *t = (struct cipherkeytoken *)token;
97 bool keybitsizeok = true;
99 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
101 if (t->type != TOKTYPE_CCA_INTERNAL) {
103 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 __func__, (int)t->type, TOKTYPE_CCA_INTERNAL);
107 if (t->version != TOKVER_CCA_VLSC) {
109 DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 __func__, (int)t->version, TOKVER_CCA_VLSC);
113 if (t->algtype != 0x02) {
115 DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 __func__, (int)t->algtype);
119 if (t->keytype != 0x0001) {
121 DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 __func__, (int)t->keytype);
125 if (t->plfver != 0x00 && t->plfver != 0x01) {
127 DBF("%s token check failed, unknown plfver 0x%02x\n",
128 __func__, (int)t->plfver);
131 if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
133 DBF("%s token check failed, unknown wpllen %d\n",
134 __func__, (int)t->wpllen);
137 if (keybitsize > 0) {
138 switch (keybitsize) {
140 if (t->wpllen != (t->plfver ? 640 : 512))
141 keybitsizeok = false;
144 if (t->wpllen != (t->plfver ? 640 : 576))
145 keybitsizeok = false;
148 if (t->wpllen != 640)
149 keybitsizeok = false;
152 keybitsizeok = false;
157 DBF("%s token check failed, bitsize %d\n",
158 __func__, keybitsize);
162 if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
164 DBF("%s token check failed, XPRT_CPAC bit is 0\n",
173 EXPORT_SYMBOL(cca_check_secaescipherkey);
176 * Simple check if the token is a valid CCA secure ECC private
177 * key token. Returns 0 on success or errno value on failure.
179 int cca_check_sececckeytoken(debug_info_t *dbg, int dbflvl,
180 const u8 *token, size_t keysize,
181 int checkcpacfexport)
183 struct eccprivkeytoken *t = (struct eccprivkeytoken *)token;
185 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
187 if (t->type != TOKTYPE_CCA_INTERNAL_PKA) {
189 DBF("%s token check failed, type 0x%02x != 0x%02x\n",
190 __func__, (int)t->type, TOKTYPE_CCA_INTERNAL_PKA);
193 if (t->len > keysize) {
195 DBF("%s token check failed, len %d > keysize %zu\n",
196 __func__, (int)t->len, keysize);
199 if (t->secid != 0x20) {
201 DBF("%s token check failed, secid 0x%02x != 0x20\n",
202 __func__, (int)t->secid);
205 if (checkcpacfexport && !(t->kutc & 0x01)) {
207 DBF("%s token check failed, XPRTCPAC bit is 0\n",
216 EXPORT_SYMBOL(cca_check_sececckeytoken);
219 * Allocate consecutive memory for request CPRB, request param
220 * block, reply CPRB and reply param block and fill in values
221 * for the common fields. Returns 0 on success or errno value
224 static int alloc_and_prep_cprbmem(size_t paramblen,
226 struct CPRBX **p_req_cprb,
227 struct CPRBX **p_rep_cprb)
230 size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
231 struct CPRBX *preqcblk, *prepcblk;
234 * allocate consecutive memory for request CPRB, request param
235 * block, reply CPRB and reply param block
237 cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
241 preqcblk = (struct CPRBX *)cprbmem;
242 prepcblk = (struct CPRBX *)(cprbmem + cprbplusparamblen);
244 /* fill request cprb struct */
245 preqcblk->cprb_len = sizeof(struct CPRBX);
246 preqcblk->cprb_ver_id = 0x02;
247 memcpy(preqcblk->func_id, "T2", 2);
248 preqcblk->rpl_msgbl = cprbplusparamblen;
250 preqcblk->req_parmb =
251 ((u8 __user *)preqcblk) + sizeof(struct CPRBX);
252 preqcblk->rpl_parmb =
253 ((u8 __user *)prepcblk) + sizeof(struct CPRBX);
256 *p_cprb_mem = cprbmem;
257 *p_req_cprb = preqcblk;
258 *p_rep_cprb = prepcblk;
264 * Free the cprb memory allocated with the function above.
265 * If the scrub value is not zero, the memory is filled
266 * with zeros before freeing (useful if there was some
267 * clear key material in there).
269 static void free_cprbmem(void *mem, size_t paramblen, int scrub)
272 memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
277 * Helper function to prepare the xcrb struct
279 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
281 struct CPRBX *preqcblk,
282 struct CPRBX *prepcblk)
284 memset(pxcrb, 0, sizeof(*pxcrb));
285 pxcrb->agent_ID = 0x4341; /* 'CA' */
286 pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
287 pxcrb->request_control_blk_length =
288 preqcblk->cprb_len + preqcblk->req_parml;
289 pxcrb->request_control_blk_addr = (void __user *)preqcblk;
290 pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
291 pxcrb->reply_control_blk_addr = (void __user *)prepcblk;
295 * Generate (random) CCA AES DATA secure key.
297 int cca_genseckey(u16 cardnr, u16 domain,
298 u32 keybitsize, u8 *seckey)
303 struct CPRBX *preqcblk, *prepcblk;
304 struct ica_xcRB xcrb;
320 u8 data[SECKEYBLOBSIZE];
323 } __packed * preqparm;
334 /* ... some more data ... */
337 } __packed * prepparm;
339 /* get already prepared memory for 2 cprbs with param block each */
340 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
344 /* fill request cprb struct */
345 preqcblk->domain = domain;
347 /* fill request cprb param block with KG request */
348 preqparm = (struct kgreqparm __force *)preqcblk->req_parmb;
349 memcpy(preqparm->subfunc_code, "KG", 2);
350 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
351 preqparm->lv1.len = sizeof(struct lv1);
352 memcpy(preqparm->lv1.key_form, "OP ", 8);
353 switch (keybitsize) {
354 case PKEY_SIZE_AES_128:
355 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
357 memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
359 case PKEY_SIZE_AES_192:
360 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
362 memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
364 case PKEY_SIZE_AES_256:
365 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
367 memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
370 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
371 __func__, keybitsize);
375 memcpy(preqparm->lv1.key_type1, "AESDATA ", 8);
376 preqparm->lv2.len = sizeof(struct lv2);
377 for (i = 0; i < 6; i++) {
378 preqparm->lv2.keyid[i].len = sizeof(struct keyid);
379 preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
381 preqcblk->req_parml = sizeof(struct kgreqparm);
383 /* fill xcrb struct */
384 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
386 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
387 rc = zcrypt_send_cprb(&xcrb);
389 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
390 __func__, (int)cardnr, (int)domain, rc);
394 /* check response returncode and reasoncode */
395 if (prepcblk->ccp_rtcode != 0) {
396 DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
398 (int)prepcblk->ccp_rtcode,
399 (int)prepcblk->ccp_rscode);
404 /* process response cprb param block */
405 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
406 prepcblk->rpl_parmb = (u8 __user *)ptr;
407 prepparm = (struct kgrepparm *)ptr;
409 /* check length of the returned secure key token */
410 seckeysize = prepparm->lv3.keyblock.toklen
411 - sizeof(prepparm->lv3.keyblock.toklen)
412 - sizeof(prepparm->lv3.keyblock.tokattr);
413 if (seckeysize != SECKEYBLOBSIZE) {
414 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
415 __func__, seckeysize, SECKEYBLOBSIZE);
420 /* check secure key token */
421 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
422 prepparm->lv3.keyblock.tok, 8 * keysize);
428 /* copy the generated secure key token */
429 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
432 free_cprbmem(mem, PARMBSIZE, 0);
435 EXPORT_SYMBOL(cca_genseckey);
438 * Generate an CCA AES DATA secure key with given key value.
440 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
441 const u8 *clrkey, u8 *seckey)
443 int rc, keysize, seckeysize;
445 struct CPRBX *preqcblk, *prepcblk;
446 struct ica_xcRB xcrb;
455 /* followed by struct lv2 */
456 } __packed * preqparm;
462 u8 data[SECKEYBLOBSIZE];
475 /* ... some more data ... */
478 } __packed * prepparm;
480 /* get already prepared memory for 2 cprbs with param block each */
481 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
485 /* fill request cprb struct */
486 preqcblk->domain = domain;
488 /* fill request cprb param block with CM request */
489 preqparm = (struct cmreqparm __force *)preqcblk->req_parmb;
490 memcpy(preqparm->subfunc_code, "CM", 2);
491 memcpy(preqparm->rule_array, "AES ", 8);
492 preqparm->rule_array_len =
493 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
494 switch (keybitsize) {
495 case PKEY_SIZE_AES_128:
496 case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
499 case PKEY_SIZE_AES_192:
500 case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
503 case PKEY_SIZE_AES_256:
504 case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
508 DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
509 __func__, keybitsize);
513 preqparm->lv1.len = sizeof(struct lv1) + keysize;
514 memcpy(preqparm->lv1.clrkey, clrkey, keysize);
515 plv2 = (struct lv2 *)(((u8 *)preqparm) + sizeof(*preqparm) + keysize);
516 plv2->len = sizeof(struct lv2);
517 plv2->keyid.len = sizeof(struct keyid);
518 plv2->keyid.attr = 0x30;
519 preqcblk->req_parml = sizeof(*preqparm) + keysize + sizeof(*plv2);
521 /* fill xcrb struct */
522 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
524 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
525 rc = zcrypt_send_cprb(&xcrb);
527 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
528 __func__, (int)cardnr, (int)domain, rc);
532 /* check response returncode and reasoncode */
533 if (prepcblk->ccp_rtcode != 0) {
534 DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
536 (int)prepcblk->ccp_rtcode,
537 (int)prepcblk->ccp_rscode);
542 /* process response cprb param block */
543 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
544 prepcblk->rpl_parmb = (u8 __user *)ptr;
545 prepparm = (struct cmrepparm *)ptr;
547 /* check length of the returned secure key token */
548 seckeysize = prepparm->lv3.keyblock.toklen
549 - sizeof(prepparm->lv3.keyblock.toklen)
550 - sizeof(prepparm->lv3.keyblock.tokattr);
551 if (seckeysize != SECKEYBLOBSIZE) {
552 DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
553 __func__, seckeysize, SECKEYBLOBSIZE);
558 /* check secure key token */
559 rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
560 prepparm->lv3.keyblock.tok, 8 * keysize);
566 /* copy the generated secure key token */
568 memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
571 free_cprbmem(mem, PARMBSIZE, 1);
574 EXPORT_SYMBOL(cca_clr2seckey);
577 * Derive proteced key from an CCA AES DATA secure key.
579 int cca_sec2protkey(u16 cardnr, u16 domain,
580 const u8 *seckey, u8 *protkey, u32 *protkeylen,
585 struct CPRBX *preqcblk, *prepcblk;
586 struct ica_xcRB xcrb;
599 u8 token[]; /* cca secure key token */
601 } __packed * preqparm;
609 struct cpacfkeyblock {
610 u8 version; /* version of this struct */
616 u8 key[64]; /* the key (len bytes) */
621 u8 vp[32]; /* verification pattern */
624 } __packed * prepparm;
626 /* get already prepared memory for 2 cprbs with param block each */
627 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
631 /* fill request cprb struct */
632 preqcblk->domain = domain;
634 /* fill request cprb param block with USK request */
635 preqparm = (struct uskreqparm __force *)preqcblk->req_parmb;
636 memcpy(preqparm->subfunc_code, "US", 2);
637 preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
638 preqparm->lv1.len = sizeof(struct lv1);
639 preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
640 preqparm->lv1.attr_flags = 0x0001;
641 preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
642 preqparm->lv2.attr_len = sizeof(struct lv2)
643 - sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
644 preqparm->lv2.attr_flags = 0x0000;
645 memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
646 preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
648 /* fill xcrb struct */
649 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
651 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
652 rc = zcrypt_send_cprb(&xcrb);
654 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
655 __func__, (int)cardnr, (int)domain, rc);
659 /* check response returncode and reasoncode */
660 if (prepcblk->ccp_rtcode != 0) {
661 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
663 (int)prepcblk->ccp_rtcode,
664 (int)prepcblk->ccp_rscode);
665 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
671 if (prepcblk->ccp_rscode != 0) {
672 DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
674 (int)prepcblk->ccp_rtcode,
675 (int)prepcblk->ccp_rscode);
678 /* process response cprb param block */
679 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
680 prepcblk->rpl_parmb = (u8 __user *)ptr;
681 prepparm = (struct uskrepparm *)ptr;
683 /* check the returned keyblock */
684 if (prepparm->lv3.ckb.version != 0x01 &&
685 prepparm->lv3.ckb.version != 0x02) {
686 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
687 __func__, (int)prepparm->lv3.ckb.version);
692 /* copy the translated protected key */
693 switch (prepparm->lv3.ckb.len) {
695 /* AES 128 protected key */
697 *protkeytype = PKEY_KEYTYPE_AES_128;
700 /* AES 192 protected key */
702 *protkeytype = PKEY_KEYTYPE_AES_192;
705 /* AES 256 protected key */
707 *protkeytype = PKEY_KEYTYPE_AES_256;
710 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
711 __func__, prepparm->lv3.ckb.len);
715 memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
717 *protkeylen = prepparm->lv3.ckb.len;
720 free_cprbmem(mem, PARMBSIZE, 0);
723 EXPORT_SYMBOL(cca_sec2protkey);
726 * AES cipher key skeleton created with CSNBKTB2 with these flags:
727 * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
728 * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
729 * used by cca_gencipherkey() and cca_clr2cipherkey().
731 static const u8 aes_cipher_key_skeleton[] = {
732 0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
733 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
734 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
735 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
736 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
737 0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
738 0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
739 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
742 * Generate (random) CCA AES CIPHER secure key.
744 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
745 u8 *keybuf, size_t *keybufsize)
749 struct CPRBX *preqcblk, *prepcblk;
750 struct ica_xcRB xcrb;
754 char rule_array[2 * 8];
759 u16 clear_key_bit_len;
764 /* u8 key_name_1[]; */
765 /* u8 key_name_2[]; */
766 /* u8 user_data_1[]; */
767 /* u8 user_data_2[]; */
784 u8 gen_key_id_1[SIZEOF_SKELETON];
789 /* u8 gen_key_id_1_label[]; */
794 /* u8 gen_key_id_2[]; */
799 /* u8 gen_key_id_2_label[]; */
802 } __packed * preqparm;
814 u8 gen_key[]; /* 120-136 bytes */
817 } __packed * prepparm;
818 struct cipherkeytoken *t;
820 /* get already prepared memory for 2 cprbs with param block each */
821 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
825 /* fill request cprb struct */
826 preqcblk->domain = domain;
827 preqcblk->req_parml = sizeof(struct gkreqparm);
829 /* prepare request param block with GK request */
830 preqparm = (struct gkreqparm __force *)preqcblk->req_parmb;
831 memcpy(preqparm->subfunc_code, "GK", 2);
832 preqparm->rule_array_len = sizeof(uint16_t) + 2 * 8;
833 memcpy(preqparm->rule_array, "AES OP ", 2 * 8);
835 /* prepare vud block */
836 preqparm->vud.len = sizeof(preqparm->vud);
837 switch (keybitsize) {
844 "%s unknown/unsupported keybitsize %d\n",
845 __func__, keybitsize);
849 preqparm->vud.clear_key_bit_len = keybitsize;
850 memcpy(preqparm->vud.key_type_1, "TOKEN ", 8);
851 memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
853 /* prepare kb block */
854 preqparm->kb.len = sizeof(preqparm->kb);
855 preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
856 preqparm->kb.tlv1.flag = 0x0030;
857 preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
858 preqparm->kb.tlv2.flag = 0x0030;
859 preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
860 preqparm->kb.tlv3.flag = 0x0030;
861 memcpy(preqparm->kb.tlv3.gen_key_id_1,
862 aes_cipher_key_skeleton, SIZEOF_SKELETON);
863 preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
864 preqparm->kb.tlv4.flag = 0x0030;
865 preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
866 preqparm->kb.tlv5.flag = 0x0030;
867 preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
868 preqparm->kb.tlv6.flag = 0x0030;
870 /* patch the skeleton key token export flags inside the kb block */
872 t = (struct cipherkeytoken *)preqparm->kb.tlv3.gen_key_id_1;
873 t->kmf1 |= (u16)(keygenflags & 0x0000FF00);
874 t->kmf1 &= (u16)~(keygenflags & 0x000000FF);
877 /* prepare xcrb struct */
878 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
880 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
881 rc = zcrypt_send_cprb(&xcrb);
884 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
885 __func__, (int)cardnr, (int)domain, rc);
889 /* check response returncode and reasoncode */
890 if (prepcblk->ccp_rtcode != 0) {
892 "%s cipher key generate failure, card response %d/%d\n",
894 (int)prepcblk->ccp_rtcode,
895 (int)prepcblk->ccp_rscode);
900 /* process response cprb param block */
901 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
902 prepcblk->rpl_parmb = (u8 __user *)ptr;
903 prepparm = (struct gkrepparm *)ptr;
905 /* do some plausibility checks on the key block */
906 if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
907 prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
908 DEBUG_ERR("%s reply with invalid or unknown key block\n",
914 /* and some checks on the generated key */
915 rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
916 prepparm->kb.tlv1.gen_key,
923 /* copy the generated vlsc key token */
924 t = (struct cipherkeytoken *)prepparm->kb.tlv1.gen_key;
926 if (*keybufsize >= t->len)
927 memcpy(keybuf, t, t->len);
931 *keybufsize = t->len;
934 free_cprbmem(mem, PARMBSIZE, 0);
937 EXPORT_SYMBOL(cca_gencipherkey);
940 * Helper function, does a the CSNBKPI2 CPRB.
942 static int _ip_cprb_helper(u16 cardnr, u16 domain,
943 const char *rule_array_1,
944 const char *rule_array_2,
945 const char *rule_array_3,
946 const u8 *clr_key_value,
947 int clr_key_bit_size,
953 struct CPRBX *preqcblk, *prepcblk;
954 struct ica_xcRB xcrb;
955 struct rule_array_block {
959 } __packed * preq_ra_block;
964 u16 flag; /* 0x0064 */
969 u16 flag; /* 0x0063 */
970 u8 clr_key[]; /* clear key value bytes */
972 } __packed * preq_vud_block;
977 u16 flag; /* 0x0030 */
978 u8 key_token[]; /* key skeleton */
980 } __packed * preq_key_block;
991 u16 flag; /* 0x0030 */
992 u8 key_token[]; /* key token */
995 } __packed * prepparm;
996 struct cipherkeytoken *t;
997 int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
999 /* get already prepared memory for 2 cprbs with param block each */
1000 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1004 /* fill request cprb struct */
1005 preqcblk->domain = domain;
1006 preqcblk->req_parml = 0;
1008 /* prepare request param block with IP request */
1009 preq_ra_block = (struct rule_array_block __force *)preqcblk->req_parmb;
1010 memcpy(preq_ra_block->subfunc_code, "IP", 2);
1011 preq_ra_block->rule_array_len = sizeof(uint16_t) + 2 * 8;
1012 memcpy(preq_ra_block->rule_array, rule_array_1, 8);
1013 memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
1014 preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
1016 preq_ra_block->rule_array_len += 8;
1017 memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
1018 preqcblk->req_parml += 8;
1021 /* prepare vud block */
1022 preq_vud_block = (struct vud_block __force *)
1023 (preqcblk->req_parmb + preqcblk->req_parml);
1024 n = complete ? 0 : (clr_key_bit_size + 7) / 8;
1025 preq_vud_block->len = sizeof(struct vud_block) + n;
1026 preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
1027 preq_vud_block->tlv1.flag = 0x0064;
1028 preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
1029 preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
1030 preq_vud_block->tlv2.flag = 0x0063;
1032 memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1033 preqcblk->req_parml += preq_vud_block->len;
1035 /* prepare key block */
1036 preq_key_block = (struct key_block __force *)
1037 (preqcblk->req_parmb + preqcblk->req_parml);
1038 n = *key_token_size;
1039 preq_key_block->len = sizeof(struct key_block) + n;
1040 preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1041 preq_key_block->tlv1.flag = 0x0030;
1042 memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1043 preqcblk->req_parml += preq_key_block->len;
1045 /* prepare xcrb struct */
1046 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1048 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1049 rc = zcrypt_send_cprb(&xcrb);
1052 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1053 __func__, (int)cardnr, (int)domain, rc);
1057 /* check response returncode and reasoncode */
1058 if (prepcblk->ccp_rtcode != 0) {
1060 "%s CSNBKPI2 failure, card response %d/%d\n",
1062 (int)prepcblk->ccp_rtcode,
1063 (int)prepcblk->ccp_rscode);
1068 /* process response cprb param block */
1069 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1070 prepcblk->rpl_parmb = (u8 __user *)ptr;
1071 prepparm = (struct iprepparm *)ptr;
1073 /* do some plausibility checks on the key block */
1074 if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1075 prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1076 DEBUG_ERR("%s reply with invalid or unknown key block\n",
1082 /* do not check the key here, it may be incomplete */
1084 /* copy the vlsc key token back */
1085 t = (struct cipherkeytoken *)prepparm->kb.tlv1.key_token;
1086 memcpy(key_token, t, t->len);
1087 *key_token_size = t->len;
1090 free_cprbmem(mem, PARMBSIZE, 0);
1095 * Build CCA AES CIPHER secure key with a given clear key value.
1097 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1098 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1104 struct cipherkeytoken *t;
1106 /* fill exorbuf with random data */
1107 get_random_bytes(exorbuf, sizeof(exorbuf));
1109 /* allocate space for the key token to build */
1110 token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1114 /* prepare the token with the key skeleton */
1115 tokensize = SIZEOF_SKELETON;
1116 memcpy(token, aes_cipher_key_skeleton, tokensize);
1118 /* patch the skeleton key token export flags */
1120 t = (struct cipherkeytoken *)token;
1121 t->kmf1 |= (u16)(keygenflags & 0x0000FF00);
1122 t->kmf1 &= (u16)~(keygenflags & 0x000000FF);
1126 * Do the key import with the clear key value in 4 steps:
1127 * 1/4 FIRST import with only random data
1128 * 2/4 EXOR the clear key
1129 * 3/4 EXOR the very same random data again
1130 * 4/4 COMPLETE the secure cipher key import
1132 rc = _ip_cprb_helper(card, dom, "AES ", "FIRST ", "MIN3PART",
1133 exorbuf, keybitsize, token, &tokensize);
1136 "%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1140 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1141 clrkey, keybitsize, token, &tokensize);
1144 "%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1148 rc = _ip_cprb_helper(card, dom, "AES ", "ADD-PART", NULL,
1149 exorbuf, keybitsize, token, &tokensize);
1152 "%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1156 rc = _ip_cprb_helper(card, dom, "AES ", "COMPLETE", NULL,
1157 NULL, keybitsize, token, &tokensize);
1160 "%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1165 /* copy the generated key token */
1167 if (tokensize > *keybufsize)
1170 memcpy(keybuf, token, tokensize);
1172 *keybufsize = tokensize;
1178 EXPORT_SYMBOL(cca_clr2cipherkey);
1181 * Derive proteced key from CCA AES cipher secure key.
1183 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1184 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1188 struct CPRBX *preqcblk, *prepcblk;
1189 struct ica_xcRB xcrb;
1202 u16 cca_key_token_len;
1203 u16 cca_key_token_flags;
1204 u8 cca_key_token[]; /* 64 or more */
1206 } __packed * preqparm;
1214 struct cpacfkeyblock {
1215 u8 version; /* version of this struct */
1221 u8 key[64]; /* the key (keylen bytes) */
1226 u8 vp[32]; /* verification pattern */
1232 } __packed * prepparm;
1233 int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1235 /* get already prepared memory for 2 cprbs with param block each */
1236 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1240 /* fill request cprb struct */
1241 preqcblk->domain = domain;
1243 /* fill request cprb param block with AU request */
1244 preqparm = (struct aureqparm __force *)preqcblk->req_parmb;
1245 memcpy(preqparm->subfunc_code, "AU", 2);
1246 preqparm->rule_array_len =
1247 sizeof(preqparm->rule_array_len)
1248 + sizeof(preqparm->rule_array);
1249 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1251 preqparm->vud.len = sizeof(preqparm->vud);
1252 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1253 + 2 * sizeof(uint16_t);
1254 preqparm->vud.tk_blob_tag = 0x00C2;
1256 preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1257 preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1258 memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1259 /* now fill length of param block into cprb */
1260 preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1262 /* fill xcrb struct */
1263 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1265 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1266 rc = zcrypt_send_cprb(&xcrb);
1269 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1270 __func__, (int)cardnr, (int)domain, rc);
1274 /* check response returncode and reasoncode */
1275 if (prepcblk->ccp_rtcode != 0) {
1277 "%s unwrap secure key failure, card response %d/%d\n",
1279 (int)prepcblk->ccp_rtcode,
1280 (int)prepcblk->ccp_rscode);
1281 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
1287 if (prepcblk->ccp_rscode != 0) {
1289 "%s unwrap secure key warning, card response %d/%d\n",
1291 (int)prepcblk->ccp_rtcode,
1292 (int)prepcblk->ccp_rscode);
1295 /* process response cprb param block */
1296 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1297 prepcblk->rpl_parmb = (u8 __user *)ptr;
1298 prepparm = (struct aurepparm *)ptr;
1300 /* check the returned keyblock */
1301 if (prepparm->vud.ckb.version != 0x01 &&
1302 prepparm->vud.ckb.version != 0x02) {
1303 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1304 __func__, (int)prepparm->vud.ckb.version);
1308 if (prepparm->vud.ckb.algo != 0x02) {
1310 "%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1311 __func__, (int)prepparm->vud.ckb.algo);
1316 /* copy the translated protected key */
1317 switch (prepparm->vud.ckb.keylen) {
1319 /* AES 128 protected key */
1321 *protkeytype = PKEY_KEYTYPE_AES_128;
1324 /* AES 192 protected key */
1326 *protkeytype = PKEY_KEYTYPE_AES_192;
1329 /* AES 256 protected key */
1331 *protkeytype = PKEY_KEYTYPE_AES_256;
1334 DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1335 __func__, prepparm->vud.ckb.keylen);
1339 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1341 *protkeylen = prepparm->vud.ckb.keylen;
1344 free_cprbmem(mem, PARMBSIZE, 0);
1347 EXPORT_SYMBOL(cca_cipher2protkey);
1350 * Derive protected key from CCA ECC secure private key.
1352 int cca_ecc2protkey(u16 cardnr, u16 domain, const u8 *key,
1353 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1357 struct CPRBX *preqcblk, *prepcblk;
1358 struct ica_xcRB xcrb;
1371 u16 cca_key_token_len;
1372 u16 cca_key_token_flags;
1375 } __packed * preqparm;
1383 struct cpacfkeyblock {
1384 u8 version; /* version of this struct */
1390 u8 key[]; /* the key (keylen bytes) */
1391 /* u16 keyattrlen; */
1392 /* u8 keyattr[32]; */
1395 /* u8 vp[32]; verification pattern */
1398 /* followed by a key block */
1399 } __packed * prepparm;
1400 int keylen = ((struct eccprivkeytoken *)key)->len;
1402 /* get already prepared memory for 2 cprbs with param block each */
1403 rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1407 /* fill request cprb struct */
1408 preqcblk->domain = domain;
1410 /* fill request cprb param block with AU request */
1411 preqparm = (struct aureqparm __force *)preqcblk->req_parmb;
1412 memcpy(preqparm->subfunc_code, "AU", 2);
1413 preqparm->rule_array_len =
1414 sizeof(preqparm->rule_array_len)
1415 + sizeof(preqparm->rule_array);
1416 memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1418 preqparm->vud.len = sizeof(preqparm->vud);
1419 preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1420 + 2 * sizeof(uint16_t);
1421 preqparm->vud.tk_blob_tag = 0x00C2;
1423 preqparm->kb.len = keylen + 3 * sizeof(uint16_t);
1424 preqparm->kb.cca_key_token_len = keylen + 2 * sizeof(uint16_t);
1425 memcpy(preqparm->kb.cca_key_token, key, keylen);
1426 /* now fill length of param block into cprb */
1427 preqcblk->req_parml = sizeof(struct aureqparm) + keylen;
1429 /* fill xcrb struct */
1430 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1432 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1433 rc = zcrypt_send_cprb(&xcrb);
1436 "%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1437 __func__, (int)cardnr, (int)domain, rc);
1441 /* check response returncode and reasoncode */
1442 if (prepcblk->ccp_rtcode != 0) {
1444 "%s unwrap secure key failure, card response %d/%d\n",
1446 (int)prepcblk->ccp_rtcode,
1447 (int)prepcblk->ccp_rscode);
1448 if (prepcblk->ccp_rtcode == 8 && prepcblk->ccp_rscode == 2290)
1454 if (prepcblk->ccp_rscode != 0) {
1456 "%s unwrap secure key warning, card response %d/%d\n",
1458 (int)prepcblk->ccp_rtcode,
1459 (int)prepcblk->ccp_rscode);
1462 /* process response cprb param block */
1463 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1464 prepcblk->rpl_parmb = (u8 __user *)ptr;
1465 prepparm = (struct aurepparm *)ptr;
1467 /* check the returned keyblock */
1468 if (prepparm->vud.ckb.version != 0x02) {
1469 DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x != 0x02\n",
1470 __func__, (int)prepparm->vud.ckb.version);
1474 if (prepparm->vud.ckb.algo != 0x81) {
1476 "%s reply param keyblock algo mismatch 0x%02x != 0x81\n",
1477 __func__, (int)prepparm->vud.ckb.algo);
1482 /* copy the translated protected key */
1483 if (prepparm->vud.ckb.keylen > *protkeylen) {
1484 DEBUG_ERR("%s prot keylen mismatch %d > buffersize %u\n",
1485 __func__, prepparm->vud.ckb.keylen, *protkeylen);
1489 memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1490 *protkeylen = prepparm->vud.ckb.keylen;
1492 *protkeytype = PKEY_KEYTYPE_ECC;
1495 free_cprbmem(mem, PARMBSIZE, 0);
1498 EXPORT_SYMBOL(cca_ecc2protkey);
1501 * query cryptographic facility from CCA adapter
1503 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1504 const char *keyword,
1505 u8 *rarray, size_t *rarraylen,
1506 u8 *varray, size_t *varraylen)
1511 struct CPRBX *preqcblk, *prepcblk;
1512 struct ica_xcRB xcrb;
1519 u8 data[VARDATASIZE];
1522 } __packed * preqparm;
1523 size_t parmbsize = sizeof(struct fqreqparm);
1527 } __packed * prepparm;
1529 /* get already prepared memory for 2 cprbs with param block each */
1530 rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1534 /* fill request cprb struct */
1535 preqcblk->domain = domain;
1537 /* fill request cprb param block with FQ request */
1538 preqparm = (struct fqreqparm __force *)preqcblk->req_parmb;
1539 memcpy(preqparm->subfunc_code, "FQ", 2);
1540 memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1541 preqparm->rule_array_len =
1542 sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1543 preqparm->lv1.len = sizeof(preqparm->lv1);
1544 preqparm->dummylen = sizeof(preqparm->dummylen);
1545 preqcblk->req_parml = parmbsize;
1547 /* fill xcrb struct */
1548 prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1550 /* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1551 rc = zcrypt_send_cprb(&xcrb);
1553 DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1554 __func__, (int)cardnr, (int)domain, rc);
1558 /* check response returncode and reasoncode */
1559 if (prepcblk->ccp_rtcode != 0) {
1560 DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1562 (int)prepcblk->ccp_rtcode,
1563 (int)prepcblk->ccp_rscode);
1568 /* process response cprb param block */
1569 ptr = ((u8 *)prepcblk) + sizeof(struct CPRBX);
1570 prepcblk->rpl_parmb = (u8 __user *)ptr;
1571 prepparm = (struct fqrepparm *)ptr;
1572 ptr = prepparm->lvdata;
1574 /* check and possibly copy reply rule array */
1575 len = *((u16 *)ptr);
1576 if (len > sizeof(u16)) {
1579 if (rarray && rarraylen && *rarraylen > 0) {
1580 *rarraylen = (len > *rarraylen ? *rarraylen : len);
1581 memcpy(rarray, ptr, *rarraylen);
1585 /* check and possible copy reply var array */
1586 len = *((u16 *)ptr);
1587 if (len > sizeof(u16)) {
1590 if (varray && varraylen && *varraylen > 0) {
1591 *varraylen = (len > *varraylen ? *varraylen : len);
1592 memcpy(varray, ptr, *varraylen);
1598 free_cprbmem(mem, parmbsize, 0);
1601 EXPORT_SYMBOL(cca_query_crypto_facility);
1603 static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
1606 struct cca_info_list_entry *ptr;
1608 spin_lock_bh(&cca_info_list_lock);
1609 list_for_each_entry(ptr, &cca_info_list, list) {
1610 if (ptr->cardnr == cardnr && ptr->domain == domain) {
1611 memcpy(ci, &ptr->info, sizeof(*ci));
1616 spin_unlock_bh(&cca_info_list_lock);
1621 static void cca_info_cache_update(u16 cardnr, u16 domain,
1622 const struct cca_info *ci)
1625 struct cca_info_list_entry *ptr;
1627 spin_lock_bh(&cca_info_list_lock);
1628 list_for_each_entry(ptr, &cca_info_list, list) {
1629 if (ptr->cardnr == cardnr &&
1630 ptr->domain == domain) {
1631 memcpy(&ptr->info, ci, sizeof(*ci));
1637 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1639 spin_unlock_bh(&cca_info_list_lock);
1642 ptr->cardnr = cardnr;
1643 ptr->domain = domain;
1644 memcpy(&ptr->info, ci, sizeof(*ci));
1645 list_add(&ptr->list, &cca_info_list);
1647 spin_unlock_bh(&cca_info_list_lock);
1650 static void cca_info_cache_scrub(u16 cardnr, u16 domain)
1652 struct cca_info_list_entry *ptr;
1654 spin_lock_bh(&cca_info_list_lock);
1655 list_for_each_entry(ptr, &cca_info_list, list) {
1656 if (ptr->cardnr == cardnr &&
1657 ptr->domain == domain) {
1658 list_del(&ptr->list);
1663 spin_unlock_bh(&cca_info_list_lock);
1666 static void __exit mkvp_cache_free(void)
1668 struct cca_info_list_entry *ptr, *pnext;
1670 spin_lock_bh(&cca_info_list_lock);
1671 list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
1672 list_del(&ptr->list);
1675 spin_unlock_bh(&cca_info_list_lock);
1679 * Fetch cca_info values via query_crypto_facility from adapter.
1681 static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
1685 u8 *rarray, *varray, *pg;
1686 struct zcrypt_device_status_ext devstat;
1688 memset(ci, 0, sizeof(*ci));
1690 /* get first info from zcrypt device driver about this apqn */
1691 rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1694 ci->hwtype = devstat.hwtype;
1696 /* prep page for rule array and var array use */
1697 pg = (u8 *)__get_free_page(GFP_KERNEL);
1701 varray = pg + PAGE_SIZE / 2;
1702 rlen = vlen = PAGE_SIZE / 2;
1704 /* QF for this card/domain */
1705 rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1706 rarray, &rlen, varray, &vlen);
1707 if (rc == 0 && rlen >= 10 * 8 && vlen >= 204) {
1708 memcpy(ci->serial, rarray, 8);
1709 ci->new_asym_mk_state = (char)rarray[4 * 8];
1710 ci->cur_asym_mk_state = (char)rarray[5 * 8];
1711 ci->old_asym_mk_state = (char)rarray[6 * 8];
1712 if (ci->old_asym_mk_state == '2')
1713 memcpy(ci->old_asym_mkvp, varray + 64, 16);
1714 if (ci->cur_asym_mk_state == '2')
1715 memcpy(ci->cur_asym_mkvp, varray + 84, 16);
1716 if (ci->new_asym_mk_state == '3')
1717 memcpy(ci->new_asym_mkvp, varray + 104, 16);
1718 ci->new_aes_mk_state = (char)rarray[7 * 8];
1719 ci->cur_aes_mk_state = (char)rarray[8 * 8];
1720 ci->old_aes_mk_state = (char)rarray[9 * 8];
1721 if (ci->old_aes_mk_state == '2')
1722 memcpy(&ci->old_aes_mkvp, varray + 172, 8);
1723 if (ci->cur_aes_mk_state == '2')
1724 memcpy(&ci->cur_aes_mkvp, varray + 184, 8);
1725 if (ci->new_aes_mk_state == '3')
1726 memcpy(&ci->new_aes_mkvp, varray + 196, 8);
1731 rlen = vlen = PAGE_SIZE / 2;
1732 rc = cca_query_crypto_facility(cardnr, domain, "STATICSB",
1733 rarray, &rlen, varray, &vlen);
1734 if (rc == 0 && rlen >= 13 * 8 && vlen >= 240) {
1735 ci->new_apka_mk_state = (char)rarray[10 * 8];
1736 ci->cur_apka_mk_state = (char)rarray[11 * 8];
1737 ci->old_apka_mk_state = (char)rarray[12 * 8];
1738 if (ci->old_apka_mk_state == '2')
1739 memcpy(&ci->old_apka_mkvp, varray + 208, 8);
1740 if (ci->cur_apka_mk_state == '2')
1741 memcpy(&ci->cur_apka_mkvp, varray + 220, 8);
1742 if (ci->new_apka_mk_state == '3')
1743 memcpy(&ci->new_apka_mkvp, varray + 232, 8);
1748 free_page((unsigned long)pg);
1749 return found == 2 ? 0 : -ENOENT;
1753 * Fetch cca information about a CCA queue.
1755 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1759 rc = cca_info_cache_fetch(card, dom, ci);
1761 rc = fetch_cca_info(card, dom, ci);
1763 cca_info_cache_update(card, dom, ci);
1768 EXPORT_SYMBOL(cca_get_info);
1771 * Search for a matching crypto card based on the
1772 * Master Key Verification Pattern given.
1774 static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1775 int verify, int minhwtype)
1777 struct zcrypt_device_status_ext *device_status;
1782 /* mkvp must not be zero, minhwtype needs to be >= 0 */
1783 if (mkvp == 0 || minhwtype < 0)
1786 /* fetch status of all crypto cards */
1787 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1788 sizeof(struct zcrypt_device_status_ext),
1792 zcrypt_device_status_mask_ext(device_status);
1794 /* walk through all crypto cards */
1795 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1796 card = AP_QID_CARD(device_status[i].qid);
1797 dom = AP_QID_QUEUE(device_status[i].qid);
1798 if (device_status[i].online &&
1799 device_status[i].functions & 0x04) {
1800 /* enabled CCA card, check current mkvp from cache */
1801 if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
1802 ci.hwtype >= minhwtype &&
1803 ci.cur_aes_mk_state == '2' &&
1804 ci.cur_aes_mkvp == mkvp) {
1807 /* verify: refresh card info */
1808 if (fetch_cca_info(card, dom, &ci) == 0) {
1809 cca_info_cache_update(card, dom, &ci);
1810 if (ci.hwtype >= minhwtype &&
1811 ci.cur_aes_mk_state == '2' &&
1812 ci.cur_aes_mkvp == mkvp)
1817 /* Card is offline and/or not a CCA card. */
1818 /* del mkvp entry from cache if it exists */
1819 cca_info_cache_scrub(card, dom);
1822 if (i >= MAX_ZDEV_ENTRIES_EXT) {
1823 /* nothing found, so this time without cache */
1824 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1825 if (!(device_status[i].online &&
1826 device_status[i].functions & 0x04))
1828 card = AP_QID_CARD(device_status[i].qid);
1829 dom = AP_QID_QUEUE(device_status[i].qid);
1830 /* fresh fetch mkvp from adapter */
1831 if (fetch_cca_info(card, dom, &ci) == 0) {
1832 cca_info_cache_update(card, dom, &ci);
1833 if (ci.hwtype >= minhwtype &&
1834 ci.cur_aes_mk_state == '2' &&
1835 ci.cur_aes_mkvp == mkvp)
1837 if (ci.hwtype >= minhwtype &&
1838 ci.old_aes_mk_state == '2' &&
1839 ci.old_aes_mkvp == mkvp &&
1844 if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1845 /* old mkvp matched, use this card then */
1846 card = AP_QID_CARD(device_status[oi].qid);
1847 dom = AP_QID_QUEUE(device_status[oi].qid);
1850 if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1855 rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1860 kvfree(device_status);
1865 * Search for a matching crypto card based on the Master Key
1866 * Verification Pattern provided inside a secure key token.
1868 int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1872 const struct keytoken_header *hdr = (struct keytoken_header *)key;
1874 if (hdr->type != TOKTYPE_CCA_INTERNAL)
1877 switch (hdr->version) {
1878 case TOKVER_CCA_AES:
1879 mkvp = ((struct secaeskeytoken *)key)->mkvp;
1881 case TOKVER_CCA_VLSC:
1882 mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1883 minhwtype = AP_DEVICE_TYPE_CEX6;
1889 return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
1891 EXPORT_SYMBOL(cca_findcard);
1893 int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1894 int minhwtype, int mktype, u64 cur_mkvp, u64 old_mkvp,
1897 struct zcrypt_device_status_ext *device_status;
1898 u32 *_apqns = NULL, _nr_apqns = 0;
1899 int i, card, dom, curmatch, oldmatch, rc = 0;
1902 /* fetch status of all crypto cards */
1903 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1904 sizeof(struct zcrypt_device_status_ext),
1908 zcrypt_device_status_mask_ext(device_status);
1910 /* allocate 1k space for up to 256 apqns */
1911 _apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL);
1913 kvfree(device_status);
1917 /* walk through all the crypto apqnss */
1918 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1919 card = AP_QID_CARD(device_status[i].qid);
1920 dom = AP_QID_QUEUE(device_status[i].qid);
1921 /* check online state */
1922 if (!device_status[i].online)
1924 /* check for cca functions */
1925 if (!(device_status[i].functions & 0x04))
1928 if (cardnr != 0xFFFF && card != cardnr)
1931 if (domain != 0xFFFF && dom != domain)
1933 /* get cca info on this apqn */
1934 if (cca_get_info(card, dom, &ci, verify))
1936 /* current master key needs to be valid */
1937 if (mktype == AES_MK_SET && ci.cur_aes_mk_state != '2')
1939 if (mktype == APKA_MK_SET && ci.cur_apka_mk_state != '2')
1941 /* check min hardware type */
1942 if (minhwtype > 0 && minhwtype > ci.hwtype)
1944 if (cur_mkvp || old_mkvp) {
1946 curmatch = oldmatch = 0;
1947 if (mktype == AES_MK_SET) {
1948 if (cur_mkvp && cur_mkvp == ci.cur_aes_mkvp)
1950 if (old_mkvp && ci.old_aes_mk_state == '2' &&
1951 old_mkvp == ci.old_aes_mkvp)
1954 if (cur_mkvp && cur_mkvp == ci.cur_apka_mkvp)
1956 if (old_mkvp && ci.old_apka_mk_state == '2' &&
1957 old_mkvp == ci.old_apka_mkvp)
1960 if (curmatch + oldmatch < 1)
1963 /* apqn passed all filtering criterons, add to the array */
1964 if (_nr_apqns < 256)
1965 _apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16)dom);
1968 /* nothing found ? */
1973 /* no re-allocation, simple return the _apqns array */
1975 *nr_apqns = _nr_apqns;
1979 kvfree(device_status);
1982 EXPORT_SYMBOL(cca_findcard2);
1984 void __exit zcrypt_ccamisc_exit(void)