1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright IBM Corp. 2001, 2022
4 * Author(s): Robert Burroughs
5 * Eric Rossman (edrossma@us.ibm.com)
7 * Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com)
8 * Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com>
9 * Ralph Wuerthner <rwuerthn@de.ibm.com>
10 * MSGTYPE restruct: Holger Dengler <hd@linux.vnet.ibm.com>
13 #define KMSG_COMPONENT "zcrypt"
14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/err.h>
19 #include <linux/delay.h>
20 #include <linux/slab.h>
21 #include <linux/atomic.h>
22 #include <linux/uaccess.h>
25 #include "zcrypt_api.h"
26 #include "zcrypt_error.h"
27 #include "zcrypt_msgtype6.h"
28 #include "zcrypt_cca_key.h"
30 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */
32 #define CEIL4(x) ((((x) + 3) / 4) * 4)
34 struct response_type {
35 struct completion work;
39 #define CEXXC_RESPONSE_TYPE_ICA 0
40 #define CEXXC_RESPONSE_TYPE_XCRB 1
41 #define CEXXC_RESPONSE_TYPE_EP11 2
43 MODULE_AUTHOR("IBM Corporation");
44 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \
45 "Copyright IBM Corp. 2001, 2012");
46 MODULE_LICENSE("GPL");
48 struct function_and_rules_block {
49 unsigned char function_code[2];
51 unsigned char only_rule[8];
55 * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP
56 * card in a type6 message. The 3 fields that must be filled in at execution
57 * time are req_parml, rpl_parml and usage_domain.
58 * Everything about this interface is ascii/big-endian, since the
59 * device does *not* have 'Intel inside'.
61 * The CPRBX is followed immediately by the parm block.
62 * The parm block contains:
63 * - function code ('PD' 0x5044 or 'PK' 0x504B)
64 * - rule block (one of:)
65 * + 0x000A 'PKCS-1.2' (MCL2 'PD')
66 * + 0x000A 'ZERO-PAD' (MCL2 'PK')
67 * + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD')
68 * + 0x000A 'MRP ' (MCL3 'PK' or CEX2C 'PK')
71 static const struct CPRBX static_cprbx = {
74 .func_id = {0x54, 0x32},
77 int speed_idx_cca(int req_type)
152 int speed_idx_ep11(int req_type)
183 * Convert a ICAMEX message to a type6 MEX message.
185 * @zq: crypto device pointer
186 * @ap_msg: pointer to AP message
187 * @mex: pointer to user input data
189 * Returns 0 on success or negative errno value.
191 static int icamex_msg_to_type6mex_msgx(struct zcrypt_queue *zq,
192 struct ap_message *ap_msg,
193 struct ica_rsa_modexpo *mex)
195 static struct type6_hdr static_type6_hdrX = {
197 .offset1 = 0x00000058,
198 .agent_id = {'C', 'A',},
199 .function_code = {'P', 'K'},
201 static struct function_and_rules_block static_pke_fnr = {
202 .function_code = {'P', 'K'},
204 .only_rule = {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '}
207 struct type6_hdr hdr;
209 struct function_and_rules_block fr;
210 unsigned short length;
212 } __packed * msg = ap_msg->msg;
216 * The inputdatalength was a selection criteria in the dispatching
217 * function zcrypt_rsa_modexpo(). However, make sure the following
218 * copy_from_user() never exceeds the allocated buffer space.
220 if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
224 msg->length = mex->inputdatalength + 2;
225 if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
228 /* Set up key which is located after the variable length text. */
229 size = zcrypt_type6_mex_key_en(mex, msg->text + mex->inputdatalength);
232 size += sizeof(*msg) + mex->inputdatalength;
234 /* message header, cprbx and f&r */
235 msg->hdr = static_type6_hdrX;
236 msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
237 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
239 msg->cprbx = static_cprbx;
240 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
241 msg->cprbx.rpl_msgbl = msg->hdr.fromcardlen1;
243 msg->fr = static_pke_fnr;
245 msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx);
252 * Convert a ICACRT message to a type6 CRT message.
254 * @zq: crypto device pointer
255 * @ap_msg: pointer to AP message
256 * @crt: pointer to user input data
258 * Returns 0 on success or negative errno value.
260 static int icacrt_msg_to_type6crt_msgx(struct zcrypt_queue *zq,
261 struct ap_message *ap_msg,
262 struct ica_rsa_modexpo_crt *crt)
264 static struct type6_hdr static_type6_hdrX = {
266 .offset1 = 0x00000058,
267 .agent_id = {'C', 'A',},
268 .function_code = {'P', 'D'},
270 static struct function_and_rules_block static_pkd_fnr = {
271 .function_code = {'P', 'D'},
273 .only_rule = {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'}
277 struct type6_hdr hdr;
279 struct function_and_rules_block fr;
280 unsigned short length;
282 } __packed * msg = ap_msg->msg;
286 * The inputdatalength was a selection criteria in the dispatching
287 * function zcrypt_rsa_crt(). However, make sure the following
288 * copy_from_user() never exceeds the allocated buffer space.
290 if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
294 msg->length = crt->inputdatalength + 2;
295 if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))
298 /* Set up key which is located after the variable length text. */
299 size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength);
302 size += sizeof(*msg) + crt->inputdatalength; /* total size of msg */
304 /* message header, cprbx and f&r */
305 msg->hdr = static_type6_hdrX;
306 msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
307 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
309 msg->cprbx = static_cprbx;
310 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
311 msg->cprbx.req_parml = msg->cprbx.rpl_msgbl =
312 size - sizeof(msg->hdr) - sizeof(msg->cprbx);
314 msg->fr = static_pkd_fnr;
321 * Convert a XCRB message to a type6 CPRB message.
323 * @zq: crypto device pointer
324 * @ap_msg: pointer to AP message
325 * @xcRB: pointer to user input data
327 * Returns 0 on success or -EFAULT, -EINVAL.
329 struct type86_fmt2_msg {
330 struct type86_hdr hdr;
331 struct type86_fmt2_ext fmt2;
334 static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg,
335 struct ica_xcRB *xcrb,
337 unsigned short **dom)
339 static struct type6_hdr static_type6_hdrX = {
341 .offset1 = 0x00000058,
344 struct type6_hdr hdr;
346 } __packed * msg = ap_msg->msg;
348 int rcblen = CEIL4(xcrb->request_control_blk_length);
349 int req_sumlen, resp_sumlen;
350 char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen;
353 if (CEIL4(xcrb->request_control_blk_length) <
354 xcrb->request_control_blk_length)
355 return -EINVAL; /* overflow after alignment*/
358 ap_msg->len = sizeof(struct type6_hdr) +
359 CEIL4(xcrb->request_control_blk_length) +
360 xcrb->request_data_length;
361 if (ap_msg->len > ap_msg->bufsize)
366 * sum must be greater (or equal) than the largest operand
368 req_sumlen = CEIL4(xcrb->request_control_blk_length) +
369 xcrb->request_data_length;
370 if ((CEIL4(xcrb->request_control_blk_length) <=
371 xcrb->request_data_length) ?
372 req_sumlen < xcrb->request_data_length :
373 req_sumlen < CEIL4(xcrb->request_control_blk_length)) {
377 if (CEIL4(xcrb->reply_control_blk_length) <
378 xcrb->reply_control_blk_length)
379 return -EINVAL; /* overflow after alignment*/
383 * sum must be greater (or equal) than the largest operand
385 resp_sumlen = CEIL4(xcrb->reply_control_blk_length) +
386 xcrb->reply_data_length;
387 if ((CEIL4(xcrb->reply_control_blk_length) <=
388 xcrb->reply_data_length) ?
389 resp_sumlen < xcrb->reply_data_length :
390 resp_sumlen < CEIL4(xcrb->reply_control_blk_length)) {
394 /* prepare type6 header */
395 msg->hdr = static_type6_hdrX;
396 memcpy(msg->hdr.agent_id, &xcrb->agent_ID, sizeof(xcrb->agent_ID));
397 msg->hdr.tocardlen1 = xcrb->request_control_blk_length;
398 if (xcrb->request_data_length) {
399 msg->hdr.offset2 = msg->hdr.offset1 + rcblen;
400 msg->hdr.tocardlen2 = xcrb->request_data_length;
402 msg->hdr.fromcardlen1 = xcrb->reply_control_blk_length;
403 msg->hdr.fromcardlen2 = xcrb->reply_data_length;
406 if (z_copy_from_user(userspace, &msg->cprbx, xcrb->request_control_blk_addr,
407 xcrb->request_control_blk_length))
409 if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) >
410 xcrb->request_control_blk_length)
412 function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len;
413 memcpy(msg->hdr.function_code, function_code,
414 sizeof(msg->hdr.function_code));
416 *fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1];
417 *dom = (unsigned short *)&msg->cprbx.domain;
419 /* check subfunction, US and AU need special flag with NQAP */
420 if (memcmp(function_code, "US", 2) == 0 ||
421 memcmp(function_code, "AU", 2) == 0)
422 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
424 #ifdef CONFIG_ZCRYPT_DEBUG
425 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
426 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
429 /* check CPRB minor version, set info bits in ap_message flag field */
430 switch (*(unsigned short *)(&msg->cprbx.func_id[0])) {
431 case 0x5432: /* "T2" */
432 ap_msg->flags |= AP_MSG_FLAG_USAGE;
434 case 0x5433: /* "T3" */
435 case 0x5435: /* "T5" */
436 case 0x5436: /* "T6" */
437 case 0x5437: /* "T7" */
438 ap_msg->flags |= AP_MSG_FLAG_ADMIN;
441 ZCRYPT_DBF_DBG("%s unknown CPRB minor version '%c%c'\n",
442 __func__, msg->cprbx.func_id[0],
443 msg->cprbx.func_id[1]);
446 /* copy data block */
447 if (xcrb->request_data_length &&
448 z_copy_from_user(userspace, req_data, xcrb->request_data_address,
449 xcrb->request_data_length))
455 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg,
456 struct ep11_urb *xcrb,
458 unsigned int *domain)
461 static struct type6_hdr static_type6_ep11_hdr = {
463 .rqid = {0x00, 0x01},
464 .function_code = {0x00, 0x00},
465 .agent_id[0] = 0x58, /* {'X'} */
466 .agent_id[1] = 0x43, /* {'C'} */
467 .offset1 = 0x00000058,
471 struct type6_hdr hdr;
472 struct ep11_cprb cprbx;
473 unsigned char pld_tag; /* fixed value 0x30 */
474 unsigned char pld_lenfmt; /* payload length format */
475 } __packed * msg = ap_msg->msg;
478 unsigned char func_tag; /* fixed value 0x4 */
479 unsigned char func_len; /* fixed value 0x4 */
480 unsigned int func_val; /* function ID */
481 unsigned char dom_tag; /* fixed value 0x4 */
482 unsigned char dom_len; /* fixed value 0x4 */
483 unsigned int dom_val; /* domain id */
484 } __packed * payload_hdr = NULL;
486 if (CEIL4(xcrb->req_len) < xcrb->req_len)
487 return -EINVAL; /* overflow after alignment*/
490 ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcrb->req_len);
491 if (ap_msg->len > ap_msg->bufsize)
494 if (CEIL4(xcrb->resp_len) < xcrb->resp_len)
495 return -EINVAL; /* overflow after alignment*/
497 /* prepare type6 header */
498 msg->hdr = static_type6_ep11_hdr;
499 msg->hdr.tocardlen1 = xcrb->req_len;
500 msg->hdr.fromcardlen1 = xcrb->resp_len;
502 /* Import CPRB data from the ioctl input parameter */
503 if (z_copy_from_user(userspace, &msg->cprbx.cprb_len,
504 (char __force __user *)xcrb->req, xcrb->req_len)) {
508 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
509 switch (msg->pld_lenfmt & 0x03) {
520 lfmt = 1; /* length format #1 */
522 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
523 *fcode = payload_hdr->func_val & 0xFFFF;
525 /* enable special processing based on the cprbs flags special bit */
526 if (msg->cprbx.flags & 0x20)
527 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
529 #ifdef CONFIG_ZCRYPT_DEBUG
530 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
531 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
534 /* set info bits in ap_message flag field */
535 if (msg->cprbx.flags & 0x80)
536 ap_msg->flags |= AP_MSG_FLAG_ADMIN;
538 ap_msg->flags |= AP_MSG_FLAG_USAGE;
540 *domain = msg->cprbx.target_id;
546 * Copy results from a type 86 ICA reply message back to user space.
548 * @zq: crypto device pointer
549 * @reply: reply AP message.
550 * @data: pointer to user output data
551 * @length: size of user output data
553 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
555 struct type86x_reply {
556 struct type86_hdr hdr;
557 struct type86_fmt2_ext fmt2;
559 unsigned char pad[4]; /* 4 byte function code/rules block ? */
560 unsigned short length;
564 struct type86_ep11_reply {
565 struct type86_hdr hdr;
566 struct type86_fmt2_ext fmt2;
567 struct ep11_cprb cprbx;
570 static int convert_type86_ica(struct zcrypt_queue *zq,
571 struct ap_message *reply,
572 char __user *outputdata,
573 unsigned int outputdatalength)
575 static unsigned char static_pad[] = {
577 0x1B, 0x7B, 0x5D, 0xB5, 0x75, 0x01, 0x3D, 0xFD,
578 0x8D, 0xD1, 0xC7, 0x03, 0x2D, 0x09, 0x23, 0x57,
579 0x89, 0x49, 0xB9, 0x3F, 0xBB, 0x99, 0x41, 0x5B,
580 0x75, 0x21, 0x7B, 0x9D, 0x3B, 0x6B, 0x51, 0x39,
581 0xBB, 0x0D, 0x35, 0xB9, 0x89, 0x0F, 0x93, 0xA5,
582 0x0B, 0x47, 0xF1, 0xD3, 0xBB, 0xCB, 0xF1, 0x9D,
583 0x23, 0x73, 0x71, 0xFF, 0xF3, 0xF5, 0x45, 0xFB,
584 0x61, 0x29, 0x23, 0xFD, 0xF1, 0x29, 0x3F, 0x7F,
585 0x17, 0xB7, 0x1B, 0xA9, 0x19, 0xBD, 0x57, 0xA9,
586 0xD7, 0x95, 0xA3, 0xCB, 0xED, 0x1D, 0xDB, 0x45,
587 0x7D, 0x11, 0xD1, 0x51, 0x1B, 0xED, 0x71, 0xE9,
588 0xB1, 0xD1, 0xAB, 0xAB, 0x21, 0x2B, 0x1B, 0x9F,
589 0x3B, 0x9F, 0xF7, 0xF7, 0xBD, 0x63, 0xEB, 0xAD,
590 0xDF, 0xB3, 0x6F, 0x5B, 0xDB, 0x8D, 0xA9, 0x5D,
591 0xE3, 0x7D, 0x77, 0x49, 0x47, 0xF5, 0xA7, 0xFD,
592 0xAB, 0x2F, 0x27, 0x35, 0x77, 0xD3, 0x49, 0xC9,
593 0x09, 0xEB, 0xB1, 0xF9, 0xBF, 0x4B, 0xCB, 0x2B,
594 0xEB, 0xEB, 0x05, 0xFF, 0x7D, 0xC7, 0x91, 0x8B,
595 0x09, 0x83, 0xB9, 0xB9, 0x69, 0x33, 0x39, 0x6B,
596 0x79, 0x75, 0x19, 0xBF, 0xBB, 0x07, 0x1D, 0xBD,
597 0x29, 0xBF, 0x39, 0x95, 0x93, 0x1D, 0x35, 0xC7,
598 0xC9, 0x4D, 0xE5, 0x97, 0x0B, 0x43, 0x9B, 0xF1,
599 0x16, 0x93, 0x03, 0x1F, 0xA5, 0xFB, 0xDB, 0xF3,
600 0x27, 0x4F, 0x27, 0x61, 0x05, 0x1F, 0xB9, 0x23,
601 0x2F, 0xC3, 0x81, 0xA9, 0x23, 0x71, 0x55, 0x55,
602 0xEB, 0xED, 0x41, 0xE5, 0xF3, 0x11, 0xF1, 0x43,
603 0x69, 0x03, 0xBD, 0x0B, 0x37, 0x0F, 0x51, 0x8F,
604 0x0B, 0xB5, 0x89, 0x5B, 0x67, 0xA9, 0xD9, 0x4F,
605 0x01, 0xF9, 0x21, 0x77, 0x37, 0x73, 0x79, 0xC5,
606 0x7F, 0x51, 0xC1, 0xCF, 0x97, 0xA1, 0x75, 0xAD,
607 0x35, 0x9D, 0xD3, 0xD3, 0xA7, 0x9D, 0x5D, 0x41,
608 0x6F, 0x65, 0x1B, 0xCF, 0xA9, 0x87, 0x91, 0x09
610 struct type86x_reply *msg = reply->msg;
611 unsigned short service_rc, service_rs;
612 unsigned int reply_len, pad_len;
615 service_rc = msg->cprbx.ccp_rtcode;
616 if (unlikely(service_rc != 0)) {
617 service_rs = msg->cprbx.ccp_rscode;
618 if ((service_rc == 8 && service_rs == 66) ||
619 (service_rc == 8 && service_rs == 65) ||
620 (service_rc == 8 && service_rs == 72) ||
621 (service_rc == 8 && service_rs == 770) ||
622 (service_rc == 12 && service_rs == 769)) {
623 ZCRYPT_DBF_WARN("%s dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n",
624 __func__, AP_QID_CARD(zq->queue->qid),
625 AP_QID_QUEUE(zq->queue->qid),
626 (int)service_rc, (int)service_rs);
630 pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n",
631 AP_QID_CARD(zq->queue->qid),
632 AP_QID_QUEUE(zq->queue->qid),
633 (int)service_rc, (int)service_rs);
634 ZCRYPT_DBF_ERR("%s dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n",
635 __func__, AP_QID_CARD(zq->queue->qid),
636 AP_QID_QUEUE(zq->queue->qid),
637 (int)service_rc, (int)service_rs);
638 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
642 reply_len = msg->length - 2;
643 if (reply_len > outputdatalength)
646 * For all encipher requests, the length of the ciphertext (reply_len)
647 * will always equal the modulus length. For MEX decipher requests
648 * the output needs to get padded. Minimum pad size is 10.
650 * Currently, the cases where padding will be added is for:
651 * - PCIXCC_MCL2 using a CRT form token (since PKD didn't support
652 * ZERO-PAD and CRT is only supported for PKD requests)
655 pad_len = outputdatalength - reply_len;
659 /* 'restore' padding left in the CEXXC card. */
660 if (copy_to_user(outputdata, static_pad, pad_len - 1))
662 if (put_user(0, outputdata + pad_len - 1))
665 /* Copy the crypto response to user space. */
666 if (copy_to_user(outputdata + pad_len, data, reply_len))
672 * Copy results from a type 86 XCRB reply message back to user space.
674 * @zq: crypto device pointer
675 * @reply: reply AP message.
676 * @xcrb: pointer to XCRB
678 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
680 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq,
681 struct ap_message *reply,
682 struct ica_xcRB *xcrb)
684 struct type86_fmt2_msg *msg = reply->msg;
685 char *data = reply->msg;
687 /* Copy CPRB to user */
688 if (xcrb->reply_control_blk_length < msg->fmt2.count1) {
689 ZCRYPT_DBF_DBG("%s reply_control_blk_length %u < required %u => EMSGSIZE\n",
690 __func__, xcrb->reply_control_blk_length,
694 if (z_copy_to_user(userspace, xcrb->reply_control_blk_addr,
695 data + msg->fmt2.offset1, msg->fmt2.count1))
697 xcrb->reply_control_blk_length = msg->fmt2.count1;
699 /* Copy data buffer to user */
700 if (msg->fmt2.count2) {
701 if (xcrb->reply_data_length < msg->fmt2.count2) {
702 ZCRYPT_DBF_DBG("%s reply_data_length %u < required %u => EMSGSIZE\n",
703 __func__, xcrb->reply_data_length,
707 if (z_copy_to_user(userspace, xcrb->reply_data_addr,
708 data + msg->fmt2.offset2, msg->fmt2.count2))
711 xcrb->reply_data_length = msg->fmt2.count2;
717 * Copy results from a type 86 EP11 XCRB reply message back to user space.
719 * @zq: crypto device pointer
720 * @reply: reply AP message.
721 * @xcrb: pointer to EP11 user request block
723 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
725 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
726 struct ap_message *reply,
727 struct ep11_urb *xcrb)
729 struct type86_fmt2_msg *msg = reply->msg;
730 char *data = reply->msg;
732 if (xcrb->resp_len < msg->fmt2.count1) {
733 ZCRYPT_DBF_DBG("%s resp_len %u < required %u => EMSGSIZE\n",
734 __func__, (unsigned int)xcrb->resp_len,
739 /* Copy response CPRB to user */
740 if (z_copy_to_user(userspace, (char __force __user *)xcrb->resp,
741 data + msg->fmt2.offset1, msg->fmt2.count1))
743 xcrb->resp_len = msg->fmt2.count1;
747 static int convert_type86_rng(struct zcrypt_queue *zq,
748 struct ap_message *reply,
752 struct type86_hdr hdr;
753 struct type86_fmt2_ext fmt2;
755 } __packed * msg = reply->msg;
756 char *data = reply->msg;
758 if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0)
760 memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2);
761 return msg->fmt2.count2;
764 static int convert_response_ica(struct zcrypt_queue *zq,
765 struct ap_message *reply,
766 char __user *outputdata,
767 unsigned int outputdatalength)
769 struct type86x_reply *msg = reply->msg;
771 switch (msg->hdr.type) {
772 case TYPE82_RSP_CODE:
773 case TYPE88_RSP_CODE:
774 return convert_error(zq, reply);
775 case TYPE86_RSP_CODE:
776 if (msg->cprbx.ccp_rtcode &&
777 msg->cprbx.ccp_rscode == 0x14f &&
778 outputdatalength > 256) {
779 if (zq->zcard->max_exp_bit_length <= 17) {
780 zq->zcard->max_exp_bit_length = 17;
786 if (msg->hdr.reply_code)
787 return convert_error(zq, reply);
788 if (msg->cprbx.cprb_ver_id == 0x02)
789 return convert_type86_ica(zq, reply,
790 outputdata, outputdatalength);
791 fallthrough; /* wrong cprb version is an unknown response */
793 /* Unknown response type, this should NEVER EVER happen */
795 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
796 AP_QID_CARD(zq->queue->qid),
797 AP_QID_QUEUE(zq->queue->qid),
800 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
801 __func__, AP_QID_CARD(zq->queue->qid),
802 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
803 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
808 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq,
809 struct ap_message *reply,
810 struct ica_xcRB *xcrb)
812 struct type86x_reply *msg = reply->msg;
814 switch (msg->hdr.type) {
815 case TYPE82_RSP_CODE:
816 case TYPE88_RSP_CODE:
817 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
818 return convert_error(zq, reply);
819 case TYPE86_RSP_CODE:
820 if (msg->hdr.reply_code) {
821 memcpy(&xcrb->status, msg->fmt2.apfs, sizeof(u32));
822 return convert_error(zq, reply);
824 if (msg->cprbx.cprb_ver_id == 0x02)
825 return convert_type86_xcrb(userspace, zq, reply, xcrb);
826 fallthrough; /* wrong cprb version is an unknown response */
827 default: /* Unknown response type, this should NEVER EVER happen */
828 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
830 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
831 AP_QID_CARD(zq->queue->qid),
832 AP_QID_QUEUE(zq->queue->qid),
835 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
836 __func__, AP_QID_CARD(zq->queue->qid),
837 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
838 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
843 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
844 struct ap_message *reply, struct ep11_urb *xcrb)
846 struct type86_ep11_reply *msg = reply->msg;
848 switch (msg->hdr.type) {
849 case TYPE82_RSP_CODE:
850 case TYPE87_RSP_CODE:
851 return convert_error(zq, reply);
852 case TYPE86_RSP_CODE:
853 if (msg->hdr.reply_code)
854 return convert_error(zq, reply);
855 if (msg->cprbx.cprb_ver_id == 0x04)
856 return convert_type86_ep11_xcrb(userspace, zq, reply, xcrb);
857 fallthrough; /* wrong cprb version is an unknown resp */
858 default: /* Unknown response type, this should NEVER EVER happen */
860 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
861 AP_QID_CARD(zq->queue->qid),
862 AP_QID_QUEUE(zq->queue->qid),
865 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
866 __func__, AP_QID_CARD(zq->queue->qid),
867 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
868 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
873 static int convert_response_rng(struct zcrypt_queue *zq,
874 struct ap_message *reply,
877 struct type86x_reply *msg = reply->msg;
879 switch (msg->hdr.type) {
880 case TYPE82_RSP_CODE:
881 case TYPE88_RSP_CODE:
883 case TYPE86_RSP_CODE:
884 if (msg->hdr.reply_code)
886 if (msg->cprbx.cprb_ver_id == 0x02)
887 return convert_type86_rng(zq, reply, data);
888 fallthrough; /* wrong cprb version is an unknown response */
889 default: /* Unknown response type, this should NEVER EVER happen */
891 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
892 AP_QID_CARD(zq->queue->qid),
893 AP_QID_QUEUE(zq->queue->qid),
896 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
897 __func__, AP_QID_CARD(zq->queue->qid),
898 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
899 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
905 * This function is called from the AP bus code after a crypto request
906 * "msg" has finished with the reply message "reply".
907 * It is called from tasklet context.
908 * @aq: pointer to the AP queue
909 * @msg: pointer to the AP message
910 * @reply: pointer to the AP reply message
912 static void zcrypt_msgtype6_receive(struct ap_queue *aq,
913 struct ap_message *msg,
914 struct ap_message *reply)
916 static struct error_hdr error_reply = {
917 .type = TYPE82_RSP_CODE,
918 .reply_code = REP82_ERROR_MACHINE_FAILURE,
920 struct response_type *resp_type =
921 (struct response_type *)msg->private;
922 struct type86x_reply *t86r;
925 /* Copy the reply message to the request message buffer. */
927 goto out; /* ap_msg->rc indicates the error */
929 if (t86r->hdr.type == TYPE86_RSP_CODE &&
930 t86r->cprbx.cprb_ver_id == 0x02) {
931 switch (resp_type->type) {
932 case CEXXC_RESPONSE_TYPE_ICA:
933 len = sizeof(struct type86x_reply) + t86r->length - 2;
934 if (len > reply->bufsize || len > msg->bufsize) {
937 memcpy(msg->msg, reply->msg, len);
941 case CEXXC_RESPONSE_TYPE_XCRB:
942 len = t86r->fmt2.offset2 + t86r->fmt2.count2;
943 if (len > reply->bufsize || len > msg->bufsize) {
946 memcpy(msg->msg, reply->msg, len);
951 memcpy(msg->msg, &error_reply, sizeof(error_reply));
954 memcpy(msg->msg, reply->msg, sizeof(error_reply));
957 complete(&resp_type->work);
961 * This function is called from the AP bus code after a crypto request
962 * "msg" has finished with the reply message "reply".
963 * It is called from tasklet context.
964 * @aq: pointer to the AP queue
965 * @msg: pointer to the AP message
966 * @reply: pointer to the AP reply message
968 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
969 struct ap_message *msg,
970 struct ap_message *reply)
972 static struct error_hdr error_reply = {
973 .type = TYPE82_RSP_CODE,
974 .reply_code = REP82_ERROR_MACHINE_FAILURE,
976 struct response_type *resp_type =
977 (struct response_type *)msg->private;
978 struct type86_ep11_reply *t86r;
981 /* Copy the reply message to the request message buffer. */
983 goto out; /* ap_msg->rc indicates the error */
985 if (t86r->hdr.type == TYPE86_RSP_CODE &&
986 t86r->cprbx.cprb_ver_id == 0x04) {
987 switch (resp_type->type) {
988 case CEXXC_RESPONSE_TYPE_EP11:
989 len = t86r->fmt2.offset1 + t86r->fmt2.count1;
990 if (len > reply->bufsize || len > msg->bufsize) {
993 memcpy(msg->msg, reply->msg, len);
998 memcpy(msg->msg, &error_reply, sizeof(error_reply));
1001 memcpy(msg->msg, reply->msg, sizeof(error_reply));
1004 complete(&resp_type->work);
1007 static atomic_t zcrypt_step = ATOMIC_INIT(0);
1010 * The request distributor calls this function if it picked the CEXxC
1011 * device to handle a modexpo request.
1012 * @zq: pointer to zcrypt_queue structure that identifies the
1013 * CEXxC device to the request distributor
1014 * @mex: pointer to the modexpo request buffer
1016 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq,
1017 struct ica_rsa_modexpo *mex,
1018 struct ap_message *ap_msg)
1020 struct response_type resp_type = {
1021 .type = CEXXC_RESPONSE_TYPE_ICA,
1025 ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1028 ap_msg->bufsize = PAGE_SIZE;
1029 ap_msg->receive = zcrypt_msgtype6_receive;
1030 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1031 atomic_inc_return(&zcrypt_step);
1032 ap_msg->private = &resp_type;
1033 rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
1036 init_completion(&resp_type.work);
1037 rc = ap_queue_message(zq->queue, ap_msg);
1040 rc = wait_for_completion_interruptible(&resp_type.work);
1044 rc = convert_response_ica(zq, ap_msg,
1046 mex->outputdatalength);
1048 /* Signal pending. */
1049 ap_cancel_message(zq->queue, ap_msg);
1053 free_page((unsigned long)ap_msg->msg);
1054 ap_msg->private = NULL;
1060 * The request distributor calls this function if it picked the CEXxC
1061 * device to handle a modexpo_crt request.
1062 * @zq: pointer to zcrypt_queue structure that identifies the
1063 * CEXxC device to the request distributor
1064 * @crt: pointer to the modexpoc_crt request buffer
1066 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq,
1067 struct ica_rsa_modexpo_crt *crt,
1068 struct ap_message *ap_msg)
1070 struct response_type resp_type = {
1071 .type = CEXXC_RESPONSE_TYPE_ICA,
1075 ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1078 ap_msg->bufsize = PAGE_SIZE;
1079 ap_msg->receive = zcrypt_msgtype6_receive;
1080 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1081 atomic_inc_return(&zcrypt_step);
1082 ap_msg->private = &resp_type;
1083 rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
1086 init_completion(&resp_type.work);
1087 rc = ap_queue_message(zq->queue, ap_msg);
1090 rc = wait_for_completion_interruptible(&resp_type.work);
1094 rc = convert_response_ica(zq, ap_msg,
1096 crt->outputdatalength);
1098 /* Signal pending. */
1099 ap_cancel_message(zq->queue, ap_msg);
1103 free_page((unsigned long)ap_msg->msg);
1104 ap_msg->private = NULL;
1110 * Prepare a CCA AP msg request.
1111 * Prepare a CCA AP msg: fetch the required data from userspace,
1112 * prepare the AP msg, fill some info into the ap_message struct,
1113 * extract some data from the CPRB and give back to the caller.
1114 * This function allocates memory and needs an ap_msg prepared
1115 * by the caller with ap_init_message(). Also the caller has to
1116 * make sure ap_release_message() is always called even on failure.
1118 int prep_cca_ap_msg(bool userspace, struct ica_xcRB *xcrb,
1119 struct ap_message *ap_msg,
1120 unsigned int *func_code, unsigned short **dom)
1122 struct response_type resp_type = {
1123 .type = CEXXC_RESPONSE_TYPE_XCRB,
1126 ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1127 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1130 ap_msg->receive = zcrypt_msgtype6_receive;
1131 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1132 atomic_inc_return(&zcrypt_step);
1133 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1134 if (!ap_msg->private)
1136 return xcrb_msg_to_type6cprb_msgx(userspace, ap_msg, xcrb, func_code, dom);
1140 * The request distributor calls this function if it picked the CEXxC
1141 * device to handle a send_cprb request.
1142 * @zq: pointer to zcrypt_queue structure that identifies the
1143 * CEXxC device to the request distributor
1144 * @xcrb: pointer to the send_cprb request buffer
1146 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
1147 struct ica_xcRB *xcrb,
1148 struct ap_message *ap_msg)
1151 struct response_type *rtype = (struct response_type *)(ap_msg->private);
1153 struct type6_hdr hdr;
1155 /* ... more data blocks ... */
1156 } __packed * msg = ap_msg->msg;
1159 * Set the queue's reply buffer length minus 128 byte padding
1160 * as reply limit for the card firmware.
1162 msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1,
1163 zq->reply.bufsize - 128);
1164 if (msg->hdr.fromcardlen2)
1165 msg->hdr.fromcardlen2 =
1166 zq->reply.bufsize - msg->hdr.fromcardlen1 - 128;
1168 init_completion(&rtype->work);
1169 rc = ap_queue_message(zq->queue, ap_msg);
1172 rc = wait_for_completion_interruptible(&rtype->work);
1176 rc = convert_response_xcrb(userspace, zq, ap_msg, xcrb);
1178 /* Signal pending. */
1179 ap_cancel_message(zq->queue, ap_msg);
1184 ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n",
1185 __func__, AP_QID_CARD(zq->queue->qid),
1186 AP_QID_QUEUE(zq->queue->qid), rc);
1191 * Prepare an EP11 AP msg request.
1192 * Prepare an EP11 AP msg: fetch the required data from userspace,
1193 * prepare the AP msg, fill some info into the ap_message struct,
1194 * extract some data from the CPRB and give back to the caller.
1195 * This function allocates memory and needs an ap_msg prepared
1196 * by the caller with ap_init_message(). Also the caller has to
1197 * make sure ap_release_message() is always called even on failure.
1199 int prep_ep11_ap_msg(bool userspace, struct ep11_urb *xcrb,
1200 struct ap_message *ap_msg,
1201 unsigned int *func_code, unsigned int *domain)
1203 struct response_type resp_type = {
1204 .type = CEXXC_RESPONSE_TYPE_EP11,
1207 ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1208 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1211 ap_msg->receive = zcrypt_msgtype6_receive_ep11;
1212 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1213 atomic_inc_return(&zcrypt_step);
1214 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1215 if (!ap_msg->private)
1217 return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb,
1222 * The request distributor calls this function if it picked the CEX4P
1223 * device to handle a send_ep11_cprb request.
1224 * @zq: pointer to zcrypt_queue structure that identifies the
1225 * CEX4P device to the request distributor
1226 * @xcrb: pointer to the ep11 user request block
1228 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq,
1229 struct ep11_urb *xcrb,
1230 struct ap_message *ap_msg)
1234 struct response_type *rtype = (struct response_type *)(ap_msg->private);
1236 struct type6_hdr hdr;
1237 struct ep11_cprb cprbx;
1238 unsigned char pld_tag; /* fixed value 0x30 */
1239 unsigned char pld_lenfmt; /* payload length format */
1240 } __packed * msg = ap_msg->msg;
1242 unsigned char func_tag; /* fixed value 0x4 */
1243 unsigned char func_len; /* fixed value 0x4 */
1244 unsigned int func_val; /* function ID */
1245 unsigned char dom_tag; /* fixed value 0x4 */
1246 unsigned char dom_len; /* fixed value 0x4 */
1247 unsigned int dom_val; /* domain id */
1248 } __packed * payload_hdr = NULL;
1251 * The target domain field within the cprb body/payload block will be
1252 * replaced by the usage domain for non-management commands only.
1253 * Therefore we check the first bit of the 'flags' parameter for
1254 * management command indication.
1255 * 0 - non management command
1256 * 1 - management command
1258 if (!((msg->cprbx.flags & 0x80) == 0x80)) {
1259 msg->cprbx.target_id = (unsigned int)
1260 AP_QID_QUEUE(zq->queue->qid);
1262 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
1263 switch (msg->pld_lenfmt & 0x03) {
1274 lfmt = 1; /* length format #1 */
1276 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
1277 payload_hdr->dom_val = (unsigned int)
1278 AP_QID_QUEUE(zq->queue->qid);
1282 * Set the queue's reply buffer length minus the two prepend headers
1283 * as reply limit for the card firmware.
1285 msg->hdr.fromcardlen1 = zq->reply.bufsize -
1286 sizeof(struct type86_hdr) - sizeof(struct type86_fmt2_ext);
1288 init_completion(&rtype->work);
1289 rc = ap_queue_message(zq->queue, ap_msg);
1292 rc = wait_for_completion_interruptible(&rtype->work);
1296 rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb);
1298 /* Signal pending. */
1299 ap_cancel_message(zq->queue, ap_msg);
1304 ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n",
1305 __func__, AP_QID_CARD(zq->queue->qid),
1306 AP_QID_QUEUE(zq->queue->qid), rc);
1310 int prep_rng_ap_msg(struct ap_message *ap_msg, int *func_code,
1311 unsigned int *domain)
1313 struct response_type resp_type = {
1314 .type = CEXXC_RESPONSE_TYPE_XCRB,
1317 ap_msg->bufsize = AP_DEFAULT_MAX_MSG_SIZE;
1318 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1321 ap_msg->receive = zcrypt_msgtype6_receive;
1322 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1323 atomic_inc_return(&zcrypt_step);
1324 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1325 if (!ap_msg->private)
1328 rng_type6cprb_msgx(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain);
1335 * The request distributor calls this function if it picked the CEXxC
1336 * device to generate random data.
1337 * @zq: pointer to zcrypt_queue structure that identifies the
1338 * CEXxC device to the request distributor
1339 * @buffer: pointer to a memory page to return random data
1341 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
1342 char *buffer, struct ap_message *ap_msg)
1345 struct type6_hdr hdr;
1347 char function_code[2];
1348 short int rule_length;
1350 short int verb_length;
1351 short int key_length;
1352 } __packed * msg = ap_msg->msg;
1353 struct response_type *rtype = (struct response_type *)(ap_msg->private);
1356 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1358 init_completion(&rtype->work);
1359 rc = ap_queue_message(zq->queue, ap_msg);
1362 rc = wait_for_completion_interruptible(&rtype->work);
1366 rc = convert_response_rng(zq, ap_msg, buffer);
1368 /* Signal pending. */
1369 ap_cancel_message(zq->queue, ap_msg);
1376 * The crypto operations for a CEXxC card.
1378 static struct zcrypt_ops zcrypt_msgtype6_norng_ops = {
1379 .owner = THIS_MODULE,
1380 .name = MSGTYPE06_NAME,
1381 .variant = MSGTYPE06_VARIANT_NORNG,
1382 .rsa_modexpo = zcrypt_msgtype6_modexpo,
1383 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1384 .send_cprb = zcrypt_msgtype6_send_cprb,
1387 static struct zcrypt_ops zcrypt_msgtype6_ops = {
1388 .owner = THIS_MODULE,
1389 .name = MSGTYPE06_NAME,
1390 .variant = MSGTYPE06_VARIANT_DEFAULT,
1391 .rsa_modexpo = zcrypt_msgtype6_modexpo,
1392 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1393 .send_cprb = zcrypt_msgtype6_send_cprb,
1394 .rng = zcrypt_msgtype6_rng,
1397 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = {
1398 .owner = THIS_MODULE,
1399 .name = MSGTYPE06_NAME,
1400 .variant = MSGTYPE06_VARIANT_EP11,
1401 .rsa_modexpo = NULL,
1402 .rsa_modexpo_crt = NULL,
1403 .send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb,
1406 void __init zcrypt_msgtype6_init(void)
1408 zcrypt_msgtype_register(&zcrypt_msgtype6_norng_ops);
1409 zcrypt_msgtype_register(&zcrypt_msgtype6_ops);
1410 zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops);
1413 void __exit zcrypt_msgtype6_exit(void)
1415 zcrypt_msgtype_unregister(&zcrypt_msgtype6_norng_ops);
1416 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops);
1417 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops);