zcrypt_ep11misc.c (36780B)
1// SPDX-License-Identifier: GPL-2.0+ 2/* 3 * Copyright IBM Corp. 2019 4 * Author(s): Harald Freudenberger <freude@linux.ibm.com> 5 * 6 * Collection of EP11 misc functions used by zcrypt and pkey 7 */ 8 9#define KMSG_COMPONENT "zcrypt" 10#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 11 12#include <linux/init.h> 13#include <linux/module.h> 14#include <linux/slab.h> 15#include <linux/random.h> 16#include <asm/zcrypt.h> 17#include <asm/pkey.h> 18#include <crypto/aes.h> 19 20#include "ap_bus.h" 21#include "zcrypt_api.h" 22#include "zcrypt_debug.h" 23#include "zcrypt_msgtype6.h" 24#include "zcrypt_ep11misc.h" 25#include "zcrypt_ccamisc.h" 26 27#define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__) 28#define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__) 29#define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__) 30#define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__) 31 32/* default iv used here */ 33static const u8 def_iv[16] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 34 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff }; 35 36/* ep11 card info cache */ 37struct card_list_entry { 38 struct list_head list; 39 u16 cardnr; 40 struct ep11_card_info info; 41}; 42static LIST_HEAD(card_list); 43static DEFINE_SPINLOCK(card_list_lock); 44 45static int card_cache_fetch(u16 cardnr, struct ep11_card_info *ci) 46{ 47 int rc = -ENOENT; 48 struct card_list_entry *ptr; 49 50 spin_lock_bh(&card_list_lock); 51 list_for_each_entry(ptr, &card_list, list) { 52 if (ptr->cardnr == cardnr) { 53 memcpy(ci, &ptr->info, sizeof(*ci)); 54 rc = 0; 55 break; 56 } 57 } 58 spin_unlock_bh(&card_list_lock); 59 60 return rc; 61} 62 63static void card_cache_update(u16 cardnr, const struct ep11_card_info *ci) 64{ 65 int found = 0; 66 struct card_list_entry *ptr; 67 68 spin_lock_bh(&card_list_lock); 69 list_for_each_entry(ptr, &card_list, list) { 70 if (ptr->cardnr == cardnr) { 71 memcpy(&ptr->info, ci, sizeof(*ci)); 72 found = 1; 73 break; 74 } 75 } 76 if (!found) { 77 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC); 78 if (!ptr) { 79 spin_unlock_bh(&card_list_lock); 80 return; 81 } 82 ptr->cardnr = cardnr; 83 memcpy(&ptr->info, ci, sizeof(*ci)); 84 list_add(&ptr->list, &card_list); 85 } 86 spin_unlock_bh(&card_list_lock); 87} 88 89static void card_cache_scrub(u16 cardnr) 90{ 91 struct card_list_entry *ptr; 92 93 spin_lock_bh(&card_list_lock); 94 list_for_each_entry(ptr, &card_list, list) { 95 if (ptr->cardnr == cardnr) { 96 list_del(&ptr->list); 97 kfree(ptr); 98 break; 99 } 100 } 101 spin_unlock_bh(&card_list_lock); 102} 103 104static void __exit card_cache_free(void) 105{ 106 struct card_list_entry *ptr, *pnext; 107 108 spin_lock_bh(&card_list_lock); 109 list_for_each_entry_safe(ptr, pnext, &card_list, list) { 110 list_del(&ptr->list); 111 kfree(ptr); 112 } 113 spin_unlock_bh(&card_list_lock); 114} 115 116/* 117 * Simple check if the key blob is a valid EP11 AES key blob with header. 118 */ 119int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl, 120 const u8 *key, size_t keylen, int checkcpacfexp) 121{ 122 struct ep11kblob_header *hdr = (struct ep11kblob_header *)key; 123 struct ep11keyblob *kb = (struct ep11keyblob *)(key + sizeof(*hdr)); 124 125#define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__) 126 127 if (keylen < sizeof(*hdr) + sizeof(*kb)) { 128 DBF("%s key check failed, keylen %zu < %zu\n", 129 __func__, keylen, sizeof(*hdr) + sizeof(*kb)); 130 return -EINVAL; 131 } 132 133 if (hdr->type != TOKTYPE_NON_CCA) { 134 if (dbg) 135 DBF("%s key check failed, type 0x%02x != 0x%02x\n", 136 __func__, (int)hdr->type, TOKTYPE_NON_CCA); 137 return -EINVAL; 138 } 139 if (hdr->hver != 0x00) { 140 if (dbg) 141 DBF("%s key check failed, header version 0x%02x != 0x00\n", 142 __func__, (int)hdr->hver); 143 return -EINVAL; 144 } 145 if (hdr->version != TOKVER_EP11_AES_WITH_HEADER) { 146 if (dbg) 147 DBF("%s key check failed, version 0x%02x != 0x%02x\n", 148 __func__, (int)hdr->version, TOKVER_EP11_AES_WITH_HEADER); 149 return -EINVAL; 150 } 151 if (hdr->len > keylen) { 152 if (dbg) 153 DBF("%s key check failed, header len %d keylen %zu mismatch\n", 154 __func__, (int)hdr->len, keylen); 155 return -EINVAL; 156 } 157 if (hdr->len < sizeof(*hdr) + sizeof(*kb)) { 158 if (dbg) 159 DBF("%s key check failed, header len %d < %zu\n", 160 __func__, (int)hdr->len, sizeof(*hdr) + sizeof(*kb)); 161 return -EINVAL; 162 } 163 164 if (kb->version != EP11_STRUCT_MAGIC) { 165 if (dbg) 166 DBF("%s key check failed, blob magic 0x%04x != 0x%04x\n", 167 __func__, (int)kb->version, EP11_STRUCT_MAGIC); 168 return -EINVAL; 169 } 170 if (checkcpacfexp && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) { 171 if (dbg) 172 DBF("%s key check failed, PKEY_EXTRACTABLE is off\n", 173 __func__); 174 return -EINVAL; 175 } 176 177#undef DBF 178 179 return 0; 180} 181EXPORT_SYMBOL(ep11_check_aes_key_with_hdr); 182 183/* 184 * Simple check if the key blob is a valid EP11 ECC key blob with header. 185 */ 186int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl, 187 const u8 *key, size_t keylen, int checkcpacfexp) 188{ 189 struct ep11kblob_header *hdr = (struct ep11kblob_header *)key; 190 struct ep11keyblob *kb = (struct ep11keyblob *)(key + sizeof(*hdr)); 191 192#define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__) 193 194 if (keylen < sizeof(*hdr) + sizeof(*kb)) { 195 DBF("%s key check failed, keylen %zu < %zu\n", 196 __func__, keylen, sizeof(*hdr) + sizeof(*kb)); 197 return -EINVAL; 198 } 199 200 if (hdr->type != TOKTYPE_NON_CCA) { 201 if (dbg) 202 DBF("%s key check failed, type 0x%02x != 0x%02x\n", 203 __func__, (int)hdr->type, TOKTYPE_NON_CCA); 204 return -EINVAL; 205 } 206 if (hdr->hver != 0x00) { 207 if (dbg) 208 DBF("%s key check failed, header version 0x%02x != 0x00\n", 209 __func__, (int)hdr->hver); 210 return -EINVAL; 211 } 212 if (hdr->version != TOKVER_EP11_ECC_WITH_HEADER) { 213 if (dbg) 214 DBF("%s key check failed, version 0x%02x != 0x%02x\n", 215 __func__, (int)hdr->version, TOKVER_EP11_ECC_WITH_HEADER); 216 return -EINVAL; 217 } 218 if (hdr->len > keylen) { 219 if (dbg) 220 DBF("%s key check failed, header len %d keylen %zu mismatch\n", 221 __func__, (int)hdr->len, keylen); 222 return -EINVAL; 223 } 224 if (hdr->len < sizeof(*hdr) + sizeof(*kb)) { 225 if (dbg) 226 DBF("%s key check failed, header len %d < %zu\n", 227 __func__, (int)hdr->len, sizeof(*hdr) + sizeof(*kb)); 228 return -EINVAL; 229 } 230 231 if (kb->version != EP11_STRUCT_MAGIC) { 232 if (dbg) 233 DBF("%s key check failed, blob magic 0x%04x != 0x%04x\n", 234 __func__, (int)kb->version, EP11_STRUCT_MAGIC); 235 return -EINVAL; 236 } 237 if (checkcpacfexp && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) { 238 if (dbg) 239 DBF("%s key check failed, PKEY_EXTRACTABLE is off\n", 240 __func__); 241 return -EINVAL; 242 } 243 244#undef DBF 245 246 return 0; 247} 248EXPORT_SYMBOL(ep11_check_ecc_key_with_hdr); 249 250/* 251 * Simple check if the key blob is a valid EP11 AES key blob with 252 * the header in the session field (old style EP11 AES key). 253 */ 254int ep11_check_aes_key(debug_info_t *dbg, int dbflvl, 255 const u8 *key, size_t keylen, int checkcpacfexp) 256{ 257 struct ep11keyblob *kb = (struct ep11keyblob *)key; 258 259#define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__) 260 261 if (keylen < sizeof(*kb)) { 262 DBF("%s key check failed, keylen %zu < %zu\n", 263 __func__, keylen, sizeof(*kb)); 264 return -EINVAL; 265 } 266 267 if (kb->head.type != TOKTYPE_NON_CCA) { 268 if (dbg) 269 DBF("%s key check failed, type 0x%02x != 0x%02x\n", 270 __func__, (int)kb->head.type, TOKTYPE_NON_CCA); 271 return -EINVAL; 272 } 273 if (kb->head.version != TOKVER_EP11_AES) { 274 if (dbg) 275 DBF("%s key check failed, version 0x%02x != 0x%02x\n", 276 __func__, (int)kb->head.version, TOKVER_EP11_AES); 277 return -EINVAL; 278 } 279 if (kb->head.len > keylen) { 280 if (dbg) 281 DBF("%s key check failed, header len %d keylen %zu mismatch\n", 282 __func__, (int)kb->head.len, keylen); 283 return -EINVAL; 284 } 285 if (kb->head.len < sizeof(*kb)) { 286 if (dbg) 287 DBF("%s key check failed, header len %d < %zu\n", 288 __func__, (int)kb->head.len, sizeof(*kb)); 289 return -EINVAL; 290 } 291 292 if (kb->version != EP11_STRUCT_MAGIC) { 293 if (dbg) 294 DBF("%s key check failed, blob magic 0x%04x != 0x%04x\n", 295 __func__, (int)kb->version, EP11_STRUCT_MAGIC); 296 return -EINVAL; 297 } 298 if (checkcpacfexp && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) { 299 if (dbg) 300 DBF("%s key check failed, PKEY_EXTRACTABLE is off\n", 301 __func__); 302 return -EINVAL; 303 } 304 305#undef DBF 306 307 return 0; 308} 309EXPORT_SYMBOL(ep11_check_aes_key); 310 311/* 312 * Allocate and prepare ep11 cprb plus additional payload. 313 */ 314static inline struct ep11_cprb *alloc_cprb(size_t payload_len) 315{ 316 size_t len = sizeof(struct ep11_cprb) + payload_len; 317 struct ep11_cprb *cprb; 318 319 cprb = kzalloc(len, GFP_KERNEL); 320 if (!cprb) 321 return NULL; 322 323 cprb->cprb_len = sizeof(struct ep11_cprb); 324 cprb->cprb_ver_id = 0x04; 325 memcpy(cprb->func_id, "T4", 2); 326 cprb->ret_code = 0xFFFFFFFF; 327 cprb->payload_len = payload_len; 328 329 return cprb; 330} 331 332/* 333 * Some helper functions related to ASN1 encoding. 334 * Limited to length info <= 2 byte. 335 */ 336 337#define ASN1TAGLEN(x) (2 + (x) + ((x) > 127 ? 1 : 0) + ((x) > 255 ? 1 : 0)) 338 339static int asn1tag_write(u8 *ptr, u8 tag, const u8 *pvalue, u16 valuelen) 340{ 341 ptr[0] = tag; 342 if (valuelen > 255) { 343 ptr[1] = 0x82; 344 *((u16 *)(ptr + 2)) = valuelen; 345 memcpy(ptr + 4, pvalue, valuelen); 346 return 4 + valuelen; 347 } 348 if (valuelen > 127) { 349 ptr[1] = 0x81; 350 ptr[2] = (u8)valuelen; 351 memcpy(ptr + 3, pvalue, valuelen); 352 return 3 + valuelen; 353 } 354 ptr[1] = (u8)valuelen; 355 memcpy(ptr + 2, pvalue, valuelen); 356 return 2 + valuelen; 357} 358 359/* EP11 payload > 127 bytes starts with this struct */ 360struct pl_head { 361 u8 tag; 362 u8 lenfmt; 363 u16 len; 364 u8 func_tag; 365 u8 func_len; 366 u32 func; 367 u8 dom_tag; 368 u8 dom_len; 369 u32 dom; 370} __packed; 371 372/* prep ep11 payload head helper function */ 373static inline void prep_head(struct pl_head *h, 374 size_t pl_size, int api, int func) 375{ 376 h->tag = 0x30; 377 h->lenfmt = 0x82; 378 h->len = pl_size - 4; 379 h->func_tag = 0x04; 380 h->func_len = sizeof(u32); 381 h->func = (api << 16) + func; 382 h->dom_tag = 0x04; 383 h->dom_len = sizeof(u32); 384} 385 386/* prep urb helper function */ 387static inline void prep_urb(struct ep11_urb *u, 388 struct ep11_target_dev *t, int nt, 389 struct ep11_cprb *req, size_t req_len, 390 struct ep11_cprb *rep, size_t rep_len) 391{ 392 u->targets = (u8 __user *)t; 393 u->targets_num = nt; 394 u->req = (u8 __user *)req; 395 u->req_len = req_len; 396 u->resp = (u8 __user *)rep; 397 u->resp_len = rep_len; 398} 399 400/* Check ep11 reply payload, return 0 or suggested errno value. */ 401static int check_reply_pl(const u8 *pl, const char *func) 402{ 403 int len; 404 u32 ret; 405 406 /* start tag */ 407 if (*pl++ != 0x30) { 408 DEBUG_ERR("%s reply start tag mismatch\n", func); 409 return -EIO; 410 } 411 412 /* payload length format */ 413 if (*pl < 127) { 414 len = *pl; 415 pl++; 416 } else if (*pl == 0x81) { 417 pl++; 418 len = *pl; 419 pl++; 420 } else if (*pl == 0x82) { 421 pl++; 422 len = *((u16 *)pl); 423 pl += 2; 424 } else { 425 DEBUG_ERR("%s reply start tag lenfmt mismatch 0x%02hhx\n", 426 func, *pl); 427 return -EIO; 428 } 429 430 /* len should cover at least 3 fields with 32 bit value each */ 431 if (len < 3 * 6) { 432 DEBUG_ERR("%s reply length %d too small\n", func, len); 433 return -EIO; 434 } 435 436 /* function tag, length and value */ 437 if (pl[0] != 0x04 || pl[1] != 0x04) { 438 DEBUG_ERR("%s function tag or length mismatch\n", func); 439 return -EIO; 440 } 441 pl += 6; 442 443 /* dom tag, length and value */ 444 if (pl[0] != 0x04 || pl[1] != 0x04) { 445 DEBUG_ERR("%s dom tag or length mismatch\n", func); 446 return -EIO; 447 } 448 pl += 6; 449 450 /* return value tag, length and value */ 451 if (pl[0] != 0x04 || pl[1] != 0x04) { 452 DEBUG_ERR("%s return value tag or length mismatch\n", func); 453 return -EIO; 454 } 455 pl += 2; 456 ret = *((u32 *)pl); 457 if (ret != 0) { 458 DEBUG_ERR("%s return value 0x%04x != 0\n", func, ret); 459 return -EIO; 460 } 461 462 return 0; 463} 464 465/* 466 * Helper function which does an ep11 query with given query type. 467 */ 468static int ep11_query_info(u16 cardnr, u16 domain, u32 query_type, 469 size_t buflen, u8 *buf) 470{ 471 struct ep11_info_req_pl { 472 struct pl_head head; 473 u8 query_type_tag; 474 u8 query_type_len; 475 u32 query_type; 476 u8 query_subtype_tag; 477 u8 query_subtype_len; 478 u32 query_subtype; 479 } __packed * req_pl; 480 struct ep11_info_rep_pl { 481 struct pl_head head; 482 u8 rc_tag; 483 u8 rc_len; 484 u32 rc; 485 u8 data_tag; 486 u8 data_lenfmt; 487 u16 data_len; 488 } __packed * rep_pl; 489 struct ep11_cprb *req = NULL, *rep = NULL; 490 struct ep11_target_dev target; 491 struct ep11_urb *urb = NULL; 492 int api = 1, rc = -ENOMEM; 493 494 /* request cprb and payload */ 495 req = alloc_cprb(sizeof(struct ep11_info_req_pl)); 496 if (!req) 497 goto out; 498 req_pl = (struct ep11_info_req_pl *)(((u8 *)req) + sizeof(*req)); 499 prep_head(&req_pl->head, sizeof(*req_pl), api, 38); /* get xcp info */ 500 req_pl->query_type_tag = 0x04; 501 req_pl->query_type_len = sizeof(u32); 502 req_pl->query_type = query_type; 503 req_pl->query_subtype_tag = 0x04; 504 req_pl->query_subtype_len = sizeof(u32); 505 506 /* reply cprb and payload */ 507 rep = alloc_cprb(sizeof(struct ep11_info_rep_pl) + buflen); 508 if (!rep) 509 goto out; 510 rep_pl = (struct ep11_info_rep_pl *)(((u8 *)rep) + sizeof(*rep)); 511 512 /* urb and target */ 513 urb = kmalloc(sizeof(*urb), GFP_KERNEL); 514 if (!urb) 515 goto out; 516 target.ap_id = cardnr; 517 target.dom_id = domain; 518 prep_urb(urb, &target, 1, 519 req, sizeof(*req) + sizeof(*req_pl), 520 rep, sizeof(*rep) + sizeof(*rep_pl) + buflen); 521 522 rc = zcrypt_send_ep11_cprb(urb); 523 if (rc) { 524 DEBUG_ERR( 525 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 526 __func__, (int)cardnr, (int)domain, rc); 527 goto out; 528 } 529 530 rc = check_reply_pl((u8 *)rep_pl, __func__); 531 if (rc) 532 goto out; 533 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) { 534 DEBUG_ERR("%s unknown reply data format\n", __func__); 535 rc = -EIO; 536 goto out; 537 } 538 if (rep_pl->data_len > buflen) { 539 DEBUG_ERR("%s mismatch between reply data len and buffer len\n", 540 __func__); 541 rc = -ENOSPC; 542 goto out; 543 } 544 545 memcpy(buf, ((u8 *)rep_pl) + sizeof(*rep_pl), rep_pl->data_len); 546 547out: 548 kfree(req); 549 kfree(rep); 550 kfree(urb); 551 return rc; 552} 553 554/* 555 * Provide information about an EP11 card. 556 */ 557int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify) 558{ 559 int rc; 560 struct ep11_module_query_info { 561 u32 API_ord_nr; 562 u32 firmware_id; 563 u8 FW_major_vers; 564 u8 FW_minor_vers; 565 u8 CSP_major_vers; 566 u8 CSP_minor_vers; 567 u8 fwid[32]; 568 u8 xcp_config_hash[32]; 569 u8 CSP_config_hash[32]; 570 u8 serial[16]; 571 u8 module_date_time[16]; 572 u64 op_mode; 573 u32 PKCS11_flags; 574 u32 ext_flags; 575 u32 domains; 576 u32 sym_state_bytes; 577 u32 digest_state_bytes; 578 u32 pin_blob_bytes; 579 u32 SPKI_bytes; 580 u32 priv_key_blob_bytes; 581 u32 sym_blob_bytes; 582 u32 max_payload_bytes; 583 u32 CP_profile_bytes; 584 u32 max_CP_index; 585 } __packed * pmqi = NULL; 586 587 rc = card_cache_fetch(card, info); 588 if (rc || verify) { 589 pmqi = kmalloc(sizeof(*pmqi), GFP_KERNEL); 590 if (!pmqi) 591 return -ENOMEM; 592 rc = ep11_query_info(card, AUTOSEL_DOM, 593 0x01 /* module info query */, 594 sizeof(*pmqi), (u8 *)pmqi); 595 if (rc) { 596 if (rc == -ENODEV) 597 card_cache_scrub(card); 598 goto out; 599 } 600 memset(info, 0, sizeof(*info)); 601 info->API_ord_nr = pmqi->API_ord_nr; 602 info->FW_version = 603 (pmqi->FW_major_vers << 8) + pmqi->FW_minor_vers; 604 memcpy(info->serial, pmqi->serial, sizeof(info->serial)); 605 info->op_mode = pmqi->op_mode; 606 card_cache_update(card, info); 607 } 608 609out: 610 kfree(pmqi); 611 return rc; 612} 613EXPORT_SYMBOL(ep11_get_card_info); 614 615/* 616 * Provide information about a domain within an EP11 card. 617 */ 618int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info) 619{ 620 int rc; 621 struct ep11_domain_query_info { 622 u32 dom_index; 623 u8 cur_WK_VP[32]; 624 u8 new_WK_VP[32]; 625 u32 dom_flags; 626 u64 op_mode; 627 } __packed * p_dom_info; 628 629 p_dom_info = kmalloc(sizeof(*p_dom_info), GFP_KERNEL); 630 if (!p_dom_info) 631 return -ENOMEM; 632 633 rc = ep11_query_info(card, domain, 0x03 /* domain info query */, 634 sizeof(*p_dom_info), (u8 *)p_dom_info); 635 if (rc) 636 goto out; 637 638 memset(info, 0, sizeof(*info)); 639 info->cur_wk_state = '0'; 640 info->new_wk_state = '0'; 641 if (p_dom_info->dom_flags & 0x10 /* left imprint mode */) { 642 if (p_dom_info->dom_flags & 0x02 /* cur wk valid */) { 643 info->cur_wk_state = '1'; 644 memcpy(info->cur_wkvp, p_dom_info->cur_WK_VP, 32); 645 } 646 if (p_dom_info->dom_flags & 0x04 || /* new wk present */ 647 p_dom_info->dom_flags & 0x08 /* new wk committed */) { 648 info->new_wk_state = 649 p_dom_info->dom_flags & 0x08 ? '2' : '1'; 650 memcpy(info->new_wkvp, p_dom_info->new_WK_VP, 32); 651 } 652 } 653 info->op_mode = p_dom_info->op_mode; 654 655out: 656 kfree(p_dom_info); 657 return rc; 658} 659EXPORT_SYMBOL(ep11_get_domain_info); 660 661/* 662 * Default EP11 AES key generate attributes, used when no keygenflags given: 663 * XCP_BLOB_ENCRYPT | XCP_BLOB_DECRYPT | XCP_BLOB_PROTKEY_EXTRACTABLE 664 */ 665#define KEY_ATTR_DEFAULTS 0x00200c00 666 667int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, 668 u8 *keybuf, size_t *keybufsize) 669{ 670 struct keygen_req_pl { 671 struct pl_head head; 672 u8 var_tag; 673 u8 var_len; 674 u32 var; 675 u8 keybytes_tag; 676 u8 keybytes_len; 677 u32 keybytes; 678 u8 mech_tag; 679 u8 mech_len; 680 u32 mech; 681 u8 attr_tag; 682 u8 attr_len; 683 u32 attr_header; 684 u32 attr_bool_mask; 685 u32 attr_bool_bits; 686 u32 attr_val_len_type; 687 u32 attr_val_len_value; 688 u8 pin_tag; 689 u8 pin_len; 690 } __packed * req_pl; 691 struct keygen_rep_pl { 692 struct pl_head head; 693 u8 rc_tag; 694 u8 rc_len; 695 u32 rc; 696 u8 data_tag; 697 u8 data_lenfmt; 698 u16 data_len; 699 u8 data[512]; 700 } __packed * rep_pl; 701 struct ep11_cprb *req = NULL, *rep = NULL; 702 struct ep11_target_dev target; 703 struct ep11_urb *urb = NULL; 704 struct ep11keyblob *kb; 705 int api, rc = -ENOMEM; 706 707 switch (keybitsize) { 708 case 128: 709 case 192: 710 case 256: 711 break; 712 default: 713 DEBUG_ERR( 714 "%s unknown/unsupported keybitsize %d\n", 715 __func__, keybitsize); 716 rc = -EINVAL; 717 goto out; 718 } 719 720 /* request cprb and payload */ 721 req = alloc_cprb(sizeof(struct keygen_req_pl)); 722 if (!req) 723 goto out; 724 req_pl = (struct keygen_req_pl *)(((u8 *)req) + sizeof(*req)); 725 api = (!keygenflags || keygenflags & 0x00200000) ? 4 : 1; 726 prep_head(&req_pl->head, sizeof(*req_pl), api, 21); /* GenerateKey */ 727 req_pl->var_tag = 0x04; 728 req_pl->var_len = sizeof(u32); 729 req_pl->keybytes_tag = 0x04; 730 req_pl->keybytes_len = sizeof(u32); 731 req_pl->keybytes = keybitsize / 8; 732 req_pl->mech_tag = 0x04; 733 req_pl->mech_len = sizeof(u32); 734 req_pl->mech = 0x00001080; /* CKM_AES_KEY_GEN */ 735 req_pl->attr_tag = 0x04; 736 req_pl->attr_len = 5 * sizeof(u32); 737 req_pl->attr_header = 0x10010000; 738 req_pl->attr_bool_mask = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS; 739 req_pl->attr_bool_bits = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS; 740 req_pl->attr_val_len_type = 0x00000161; /* CKA_VALUE_LEN */ 741 req_pl->attr_val_len_value = keybitsize / 8; 742 req_pl->pin_tag = 0x04; 743 744 /* reply cprb and payload */ 745 rep = alloc_cprb(sizeof(struct keygen_rep_pl)); 746 if (!rep) 747 goto out; 748 rep_pl = (struct keygen_rep_pl *)(((u8 *)rep) + sizeof(*rep)); 749 750 /* urb and target */ 751 urb = kmalloc(sizeof(*urb), GFP_KERNEL); 752 if (!urb) 753 goto out; 754 target.ap_id = card; 755 target.dom_id = domain; 756 prep_urb(urb, &target, 1, 757 req, sizeof(*req) + sizeof(*req_pl), 758 rep, sizeof(*rep) + sizeof(*rep_pl)); 759 760 rc = zcrypt_send_ep11_cprb(urb); 761 if (rc) { 762 DEBUG_ERR( 763 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 764 __func__, (int)card, (int)domain, rc); 765 goto out; 766 } 767 768 rc = check_reply_pl((u8 *)rep_pl, __func__); 769 if (rc) 770 goto out; 771 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) { 772 DEBUG_ERR("%s unknown reply data format\n", __func__); 773 rc = -EIO; 774 goto out; 775 } 776 if (rep_pl->data_len > *keybufsize) { 777 DEBUG_ERR("%s mismatch reply data len / key buffer len\n", 778 __func__); 779 rc = -ENOSPC; 780 goto out; 781 } 782 783 /* copy key blob and set header values */ 784 memcpy(keybuf, rep_pl->data, rep_pl->data_len); 785 *keybufsize = rep_pl->data_len; 786 kb = (struct ep11keyblob *)keybuf; 787 kb->head.type = TOKTYPE_NON_CCA; 788 kb->head.len = rep_pl->data_len; 789 kb->head.version = TOKVER_EP11_AES; 790 kb->head.keybitlen = keybitsize; 791 792out: 793 kfree(req); 794 kfree(rep); 795 kfree(urb); 796 return rc; 797} 798EXPORT_SYMBOL(ep11_genaeskey); 799 800static int ep11_cryptsingle(u16 card, u16 domain, 801 u16 mode, u32 mech, const u8 *iv, 802 const u8 *key, size_t keysize, 803 const u8 *inbuf, size_t inbufsize, 804 u8 *outbuf, size_t *outbufsize) 805{ 806 struct crypt_req_pl { 807 struct pl_head head; 808 u8 var_tag; 809 u8 var_len; 810 u32 var; 811 u8 mech_tag; 812 u8 mech_len; 813 u32 mech; 814 /* 815 * maybe followed by iv data 816 * followed by key tag + key blob 817 * followed by plaintext tag + plaintext 818 */ 819 } __packed * req_pl; 820 struct crypt_rep_pl { 821 struct pl_head head; 822 u8 rc_tag; 823 u8 rc_len; 824 u32 rc; 825 u8 data_tag; 826 u8 data_lenfmt; 827 /* data follows */ 828 } __packed * rep_pl; 829 struct ep11_cprb *req = NULL, *rep = NULL; 830 struct ep11_target_dev target; 831 struct ep11_urb *urb = NULL; 832 size_t req_pl_size, rep_pl_size; 833 int n, api = 1, rc = -ENOMEM; 834 u8 *p; 835 836 /* the simple asn1 coding used has length limits */ 837 if (keysize > 0xFFFF || inbufsize > 0xFFFF) 838 return -EINVAL; 839 840 /* request cprb and payload */ 841 req_pl_size = sizeof(struct crypt_req_pl) + (iv ? 16 : 0) 842 + ASN1TAGLEN(keysize) + ASN1TAGLEN(inbufsize); 843 req = alloc_cprb(req_pl_size); 844 if (!req) 845 goto out; 846 req_pl = (struct crypt_req_pl *)(((u8 *)req) + sizeof(*req)); 847 prep_head(&req_pl->head, req_pl_size, api, (mode ? 20 : 19)); 848 req_pl->var_tag = 0x04; 849 req_pl->var_len = sizeof(u32); 850 /* mech is mech + mech params (iv here) */ 851 req_pl->mech_tag = 0x04; 852 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0); 853 req_pl->mech = (mech ? mech : 0x00001085); /* CKM_AES_CBC_PAD */ 854 p = ((u8 *)req_pl) + sizeof(*req_pl); 855 if (iv) { 856 memcpy(p, iv, 16); 857 p += 16; 858 } 859 /* key and input data */ 860 p += asn1tag_write(p, 0x04, key, keysize); 861 p += asn1tag_write(p, 0x04, inbuf, inbufsize); 862 863 /* reply cprb and payload, assume out data size <= in data size + 32 */ 864 rep_pl_size = sizeof(struct crypt_rep_pl) + ASN1TAGLEN(inbufsize + 32); 865 rep = alloc_cprb(rep_pl_size); 866 if (!rep) 867 goto out; 868 rep_pl = (struct crypt_rep_pl *)(((u8 *)rep) + sizeof(*rep)); 869 870 /* urb and target */ 871 urb = kmalloc(sizeof(*urb), GFP_KERNEL); 872 if (!urb) 873 goto out; 874 target.ap_id = card; 875 target.dom_id = domain; 876 prep_urb(urb, &target, 1, 877 req, sizeof(*req) + req_pl_size, 878 rep, sizeof(*rep) + rep_pl_size); 879 880 rc = zcrypt_send_ep11_cprb(urb); 881 if (rc) { 882 DEBUG_ERR( 883 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 884 __func__, (int)card, (int)domain, rc); 885 goto out; 886 } 887 888 rc = check_reply_pl((u8 *)rep_pl, __func__); 889 if (rc) 890 goto out; 891 if (rep_pl->data_tag != 0x04) { 892 DEBUG_ERR("%s unknown reply data format\n", __func__); 893 rc = -EIO; 894 goto out; 895 } 896 p = ((u8 *)rep_pl) + sizeof(*rep_pl); 897 if (rep_pl->data_lenfmt <= 127) { 898 n = rep_pl->data_lenfmt; 899 } else if (rep_pl->data_lenfmt == 0x81) { 900 n = *p++; 901 } else if (rep_pl->data_lenfmt == 0x82) { 902 n = *((u16 *)p); 903 p += 2; 904 } else { 905 DEBUG_ERR("%s unknown reply data length format 0x%02hhx\n", 906 __func__, rep_pl->data_lenfmt); 907 rc = -EIO; 908 goto out; 909 } 910 if (n > *outbufsize) { 911 DEBUG_ERR("%s mismatch reply data len %d / output buffer %zu\n", 912 __func__, n, *outbufsize); 913 rc = -ENOSPC; 914 goto out; 915 } 916 917 memcpy(outbuf, p, n); 918 *outbufsize = n; 919 920out: 921 kfree(req); 922 kfree(rep); 923 kfree(urb); 924 return rc; 925} 926 927static int ep11_unwrapkey(u16 card, u16 domain, 928 const u8 *kek, size_t keksize, 929 const u8 *enckey, size_t enckeysize, 930 u32 mech, const u8 *iv, 931 u32 keybitsize, u32 keygenflags, 932 u8 *keybuf, size_t *keybufsize) 933{ 934 struct uw_req_pl { 935 struct pl_head head; 936 u8 attr_tag; 937 u8 attr_len; 938 u32 attr_header; 939 u32 attr_bool_mask; 940 u32 attr_bool_bits; 941 u32 attr_key_type; 942 u32 attr_key_type_value; 943 u32 attr_val_len; 944 u32 attr_val_len_value; 945 u8 mech_tag; 946 u8 mech_len; 947 u32 mech; 948 /* 949 * maybe followed by iv data 950 * followed by kek tag + kek blob 951 * followed by empty mac tag 952 * followed by empty pin tag 953 * followed by encryted key tag + bytes 954 */ 955 } __packed * req_pl; 956 struct uw_rep_pl { 957 struct pl_head head; 958 u8 rc_tag; 959 u8 rc_len; 960 u32 rc; 961 u8 data_tag; 962 u8 data_lenfmt; 963 u16 data_len; 964 u8 data[512]; 965 } __packed * rep_pl; 966 struct ep11_cprb *req = NULL, *rep = NULL; 967 struct ep11_target_dev target; 968 struct ep11_urb *urb = NULL; 969 struct ep11keyblob *kb; 970 size_t req_pl_size; 971 int api, rc = -ENOMEM; 972 u8 *p; 973 974 /* request cprb and payload */ 975 req_pl_size = sizeof(struct uw_req_pl) + (iv ? 16 : 0) 976 + ASN1TAGLEN(keksize) + 4 + ASN1TAGLEN(enckeysize); 977 req = alloc_cprb(req_pl_size); 978 if (!req) 979 goto out; 980 req_pl = (struct uw_req_pl *)(((u8 *)req) + sizeof(*req)); 981 api = (!keygenflags || keygenflags & 0x00200000) ? 4 : 1; 982 prep_head(&req_pl->head, req_pl_size, api, 34); /* UnwrapKey */ 983 req_pl->attr_tag = 0x04; 984 req_pl->attr_len = 7 * sizeof(u32); 985 req_pl->attr_header = 0x10020000; 986 req_pl->attr_bool_mask = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS; 987 req_pl->attr_bool_bits = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS; 988 req_pl->attr_key_type = 0x00000100; /* CKA_KEY_TYPE */ 989 req_pl->attr_key_type_value = 0x0000001f; /* CKK_AES */ 990 req_pl->attr_val_len = 0x00000161; /* CKA_VALUE_LEN */ 991 req_pl->attr_val_len_value = keybitsize / 8; 992 /* mech is mech + mech params (iv here) */ 993 req_pl->mech_tag = 0x04; 994 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0); 995 req_pl->mech = (mech ? mech : 0x00001085); /* CKM_AES_CBC_PAD */ 996 p = ((u8 *)req_pl) + sizeof(*req_pl); 997 if (iv) { 998 memcpy(p, iv, 16); 999 p += 16; 1000 } 1001 /* kek */ 1002 p += asn1tag_write(p, 0x04, kek, keksize); 1003 /* empty mac key tag */ 1004 *p++ = 0x04; 1005 *p++ = 0; 1006 /* empty pin tag */ 1007 *p++ = 0x04; 1008 *p++ = 0; 1009 /* encrypted key value tag and bytes */ 1010 p += asn1tag_write(p, 0x04, enckey, enckeysize); 1011 1012 /* reply cprb and payload */ 1013 rep = alloc_cprb(sizeof(struct uw_rep_pl)); 1014 if (!rep) 1015 goto out; 1016 rep_pl = (struct uw_rep_pl *)(((u8 *)rep) + sizeof(*rep)); 1017 1018 /* urb and target */ 1019 urb = kmalloc(sizeof(*urb), GFP_KERNEL); 1020 if (!urb) 1021 goto out; 1022 target.ap_id = card; 1023 target.dom_id = domain; 1024 prep_urb(urb, &target, 1, 1025 req, sizeof(*req) + req_pl_size, 1026 rep, sizeof(*rep) + sizeof(*rep_pl)); 1027 1028 rc = zcrypt_send_ep11_cprb(urb); 1029 if (rc) { 1030 DEBUG_ERR( 1031 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 1032 __func__, (int)card, (int)domain, rc); 1033 goto out; 1034 } 1035 1036 rc = check_reply_pl((u8 *)rep_pl, __func__); 1037 if (rc) 1038 goto out; 1039 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) { 1040 DEBUG_ERR("%s unknown reply data format\n", __func__); 1041 rc = -EIO; 1042 goto out; 1043 } 1044 if (rep_pl->data_len > *keybufsize) { 1045 DEBUG_ERR("%s mismatch reply data len / key buffer len\n", 1046 __func__); 1047 rc = -ENOSPC; 1048 goto out; 1049 } 1050 1051 /* copy key blob and set header values */ 1052 memcpy(keybuf, rep_pl->data, rep_pl->data_len); 1053 *keybufsize = rep_pl->data_len; 1054 kb = (struct ep11keyblob *)keybuf; 1055 kb->head.type = TOKTYPE_NON_CCA; 1056 kb->head.len = rep_pl->data_len; 1057 kb->head.version = TOKVER_EP11_AES; 1058 kb->head.keybitlen = keybitsize; 1059 1060out: 1061 kfree(req); 1062 kfree(rep); 1063 kfree(urb); 1064 return rc; 1065} 1066 1067static int ep11_wrapkey(u16 card, u16 domain, 1068 const u8 *key, size_t keysize, 1069 u32 mech, const u8 *iv, 1070 u8 *databuf, size_t *datasize) 1071{ 1072 struct wk_req_pl { 1073 struct pl_head head; 1074 u8 var_tag; 1075 u8 var_len; 1076 u32 var; 1077 u8 mech_tag; 1078 u8 mech_len; 1079 u32 mech; 1080 /* 1081 * followed by iv data 1082 * followed by key tag + key blob 1083 * followed by dummy kek param 1084 * followed by dummy mac param 1085 */ 1086 } __packed * req_pl; 1087 struct wk_rep_pl { 1088 struct pl_head head; 1089 u8 rc_tag; 1090 u8 rc_len; 1091 u32 rc; 1092 u8 data_tag; 1093 u8 data_lenfmt; 1094 u16 data_len; 1095 u8 data[1024]; 1096 } __packed * rep_pl; 1097 struct ep11_cprb *req = NULL, *rep = NULL; 1098 struct ep11_target_dev target; 1099 struct ep11_urb *urb = NULL; 1100 struct ep11keyblob *kb; 1101 size_t req_pl_size; 1102 int api, rc = -ENOMEM; 1103 bool has_header = false; 1104 u8 *p; 1105 1106 /* maybe the session field holds a header with key info */ 1107 kb = (struct ep11keyblob *)key; 1108 if (kb->head.type == TOKTYPE_NON_CCA && 1109 kb->head.version == TOKVER_EP11_AES) { 1110 has_header = true; 1111 keysize = min_t(size_t, kb->head.len, keysize); 1112 } 1113 1114 /* request cprb and payload */ 1115 req_pl_size = sizeof(struct wk_req_pl) + (iv ? 16 : 0) 1116 + ASN1TAGLEN(keysize) + 4; 1117 req = alloc_cprb(req_pl_size); 1118 if (!req) 1119 goto out; 1120 if (!mech || mech == 0x80060001) 1121 req->flags |= 0x20; /* CPACF_WRAP needs special bit */ 1122 req_pl = (struct wk_req_pl *)(((u8 *)req) + sizeof(*req)); 1123 api = (!mech || mech == 0x80060001) ? 4 : 1; /* CKM_IBM_CPACF_WRAP */ 1124 prep_head(&req_pl->head, req_pl_size, api, 33); /* WrapKey */ 1125 req_pl->var_tag = 0x04; 1126 req_pl->var_len = sizeof(u32); 1127 /* mech is mech + mech params (iv here) */ 1128 req_pl->mech_tag = 0x04; 1129 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0); 1130 req_pl->mech = (mech ? mech : 0x80060001); /* CKM_IBM_CPACF_WRAP */ 1131 p = ((u8 *)req_pl) + sizeof(*req_pl); 1132 if (iv) { 1133 memcpy(p, iv, 16); 1134 p += 16; 1135 } 1136 /* key blob */ 1137 p += asn1tag_write(p, 0x04, key, keysize); 1138 /* maybe the key argument needs the head data cleaned out */ 1139 if (has_header) { 1140 kb = (struct ep11keyblob *)(p - keysize); 1141 memset(&kb->head, 0, sizeof(kb->head)); 1142 } 1143 /* empty kek tag */ 1144 *p++ = 0x04; 1145 *p++ = 0; 1146 /* empty mac tag */ 1147 *p++ = 0x04; 1148 *p++ = 0; 1149 1150 /* reply cprb and payload */ 1151 rep = alloc_cprb(sizeof(struct wk_rep_pl)); 1152 if (!rep) 1153 goto out; 1154 rep_pl = (struct wk_rep_pl *)(((u8 *)rep) + sizeof(*rep)); 1155 1156 /* urb and target */ 1157 urb = kmalloc(sizeof(*urb), GFP_KERNEL); 1158 if (!urb) 1159 goto out; 1160 target.ap_id = card; 1161 target.dom_id = domain; 1162 prep_urb(urb, &target, 1, 1163 req, sizeof(*req) + req_pl_size, 1164 rep, sizeof(*rep) + sizeof(*rep_pl)); 1165 1166 rc = zcrypt_send_ep11_cprb(urb); 1167 if (rc) { 1168 DEBUG_ERR( 1169 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 1170 __func__, (int)card, (int)domain, rc); 1171 goto out; 1172 } 1173 1174 rc = check_reply_pl((u8 *)rep_pl, __func__); 1175 if (rc) 1176 goto out; 1177 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) { 1178 DEBUG_ERR("%s unknown reply data format\n", __func__); 1179 rc = -EIO; 1180 goto out; 1181 } 1182 if (rep_pl->data_len > *datasize) { 1183 DEBUG_ERR("%s mismatch reply data len / data buffer len\n", 1184 __func__); 1185 rc = -ENOSPC; 1186 goto out; 1187 } 1188 1189 /* copy the data from the cprb to the data buffer */ 1190 memcpy(databuf, rep_pl->data, rep_pl->data_len); 1191 *datasize = rep_pl->data_len; 1192 1193out: 1194 kfree(req); 1195 kfree(rep); 1196 kfree(urb); 1197 return rc; 1198} 1199 1200int ep11_clr2keyblob(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, 1201 const u8 *clrkey, u8 *keybuf, size_t *keybufsize) 1202{ 1203 int rc; 1204 struct ep11keyblob *kb; 1205 u8 encbuf[64], *kek = NULL; 1206 size_t clrkeylen, keklen, encbuflen = sizeof(encbuf); 1207 1208 if (keybitsize == 128 || keybitsize == 192 || keybitsize == 256) { 1209 clrkeylen = keybitsize / 8; 1210 } else { 1211 DEBUG_ERR( 1212 "%s unknown/unsupported keybitsize %d\n", 1213 __func__, keybitsize); 1214 return -EINVAL; 1215 } 1216 1217 /* allocate memory for the temp kek */ 1218 keklen = MAXEP11AESKEYBLOBSIZE; 1219 kek = kmalloc(keklen, GFP_ATOMIC); 1220 if (!kek) { 1221 rc = -ENOMEM; 1222 goto out; 1223 } 1224 1225 /* Step 1: generate AES 256 bit random kek key */ 1226 rc = ep11_genaeskey(card, domain, 256, 1227 0x00006c00, /* EN/DECRYPT, WRAP/UNWRAP */ 1228 kek, &keklen); 1229 if (rc) { 1230 DEBUG_ERR( 1231 "%s generate kek key failed, rc=%d\n", 1232 __func__, rc); 1233 goto out; 1234 } 1235 kb = (struct ep11keyblob *)kek; 1236 memset(&kb->head, 0, sizeof(kb->head)); 1237 1238 /* Step 2: encrypt clear key value with the kek key */ 1239 rc = ep11_cryptsingle(card, domain, 0, 0, def_iv, kek, keklen, 1240 clrkey, clrkeylen, encbuf, &encbuflen); 1241 if (rc) { 1242 DEBUG_ERR( 1243 "%s encrypting key value with kek key failed, rc=%d\n", 1244 __func__, rc); 1245 goto out; 1246 } 1247 1248 /* Step 3: import the encrypted key value as a new key */ 1249 rc = ep11_unwrapkey(card, domain, kek, keklen, 1250 encbuf, encbuflen, 0, def_iv, 1251 keybitsize, 0, keybuf, keybufsize); 1252 if (rc) { 1253 DEBUG_ERR( 1254 "%s importing key value as new key failed,, rc=%d\n", 1255 __func__, rc); 1256 goto out; 1257 } 1258 1259out: 1260 kfree(kek); 1261 return rc; 1262} 1263EXPORT_SYMBOL(ep11_clr2keyblob); 1264 1265int ep11_kblob2protkey(u16 card, u16 dom, const u8 *keyblob, size_t keybloblen, 1266 u8 *protkey, u32 *protkeylen, u32 *protkeytype) 1267{ 1268 int rc = -EIO; 1269 u8 *wkbuf = NULL; 1270 size_t wkbuflen, keylen; 1271 struct wk_info { 1272 u16 version; 1273 u8 res1[16]; 1274 u32 pkeytype; 1275 u32 pkeybitsize; 1276 u64 pkeysize; 1277 u8 res2[8]; 1278 u8 pkey[0]; 1279 } __packed * wki; 1280 const u8 *key; 1281 struct ep11kblob_header *hdr; 1282 1283 /* key with or without header ? */ 1284 hdr = (struct ep11kblob_header *)keyblob; 1285 if (hdr->type == TOKTYPE_NON_CCA && 1286 (hdr->version == TOKVER_EP11_AES_WITH_HEADER || 1287 hdr->version == TOKVER_EP11_ECC_WITH_HEADER) && 1288 is_ep11_keyblob(keyblob + sizeof(struct ep11kblob_header))) { 1289 /* EP11 AES or ECC key with header */ 1290 key = keyblob + sizeof(struct ep11kblob_header); 1291 keylen = hdr->len - sizeof(struct ep11kblob_header); 1292 } else if (hdr->type == TOKTYPE_NON_CCA && 1293 hdr->version == TOKVER_EP11_AES && 1294 is_ep11_keyblob(keyblob)) { 1295 /* EP11 AES key (old style) */ 1296 key = keyblob; 1297 keylen = hdr->len; 1298 } else if (is_ep11_keyblob(keyblob)) { 1299 /* raw EP11 key blob */ 1300 key = keyblob; 1301 keylen = keybloblen; 1302 } else { 1303 return -EINVAL; 1304 } 1305 1306 /* alloc temp working buffer */ 1307 wkbuflen = (keylen + AES_BLOCK_SIZE) & (~(AES_BLOCK_SIZE - 1)); 1308 wkbuf = kmalloc(wkbuflen, GFP_ATOMIC); 1309 if (!wkbuf) 1310 return -ENOMEM; 1311 1312 /* ep11 secure key -> protected key + info */ 1313 rc = ep11_wrapkey(card, dom, key, keylen, 1314 0, def_iv, wkbuf, &wkbuflen); 1315 if (rc) { 1316 DEBUG_ERR( 1317 "%s rewrapping ep11 key to pkey failed, rc=%d\n", 1318 __func__, rc); 1319 goto out; 1320 } 1321 wki = (struct wk_info *)wkbuf; 1322 1323 /* check struct version and pkey type */ 1324 if (wki->version != 1 || wki->pkeytype < 1 || wki->pkeytype > 5) { 1325 DEBUG_ERR("%s wk info version %d or pkeytype %d mismatch.\n", 1326 __func__, (int)wki->version, (int)wki->pkeytype); 1327 rc = -EIO; 1328 goto out; 1329 } 1330 1331 /* check protected key type field */ 1332 switch (wki->pkeytype) { 1333 case 1: /* AES */ 1334 switch (wki->pkeysize) { 1335 case 16 + 32: 1336 /* AES 128 protected key */ 1337 if (protkeytype) 1338 *protkeytype = PKEY_KEYTYPE_AES_128; 1339 break; 1340 case 24 + 32: 1341 /* AES 192 protected key */ 1342 if (protkeytype) 1343 *protkeytype = PKEY_KEYTYPE_AES_192; 1344 break; 1345 case 32 + 32: 1346 /* AES 256 protected key */ 1347 if (protkeytype) 1348 *protkeytype = PKEY_KEYTYPE_AES_256; 1349 break; 1350 default: 1351 DEBUG_ERR("%s unknown/unsupported AES pkeysize %d\n", 1352 __func__, (int)wki->pkeysize); 1353 rc = -EIO; 1354 goto out; 1355 } 1356 break; 1357 case 3: /* EC-P */ 1358 case 4: /* EC-ED */ 1359 case 5: /* EC-BP */ 1360 if (protkeytype) 1361 *protkeytype = PKEY_KEYTYPE_ECC; 1362 break; 1363 case 2: /* TDES */ 1364 default: 1365 DEBUG_ERR("%s unknown/unsupported key type %d\n", 1366 __func__, (int)wki->pkeytype); 1367 rc = -EIO; 1368 goto out; 1369 } 1370 1371 /* copy the tanslated protected key */ 1372 if (wki->pkeysize > *protkeylen) { 1373 DEBUG_ERR("%s wk info pkeysize %llu > protkeysize %u\n", 1374 __func__, wki->pkeysize, *protkeylen); 1375 rc = -EINVAL; 1376 goto out; 1377 } 1378 memcpy(protkey, wki->pkey, wki->pkeysize); 1379 *protkeylen = wki->pkeysize; 1380 1381out: 1382 kfree(wkbuf); 1383 return rc; 1384} 1385EXPORT_SYMBOL(ep11_kblob2protkey); 1386 1387int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain, 1388 int minhwtype, int minapi, const u8 *wkvp) 1389{ 1390 struct zcrypt_device_status_ext *device_status; 1391 u32 *_apqns = NULL, _nr_apqns = 0; 1392 int i, card, dom, rc = -ENOMEM; 1393 struct ep11_domain_info edi; 1394 struct ep11_card_info eci; 1395 1396 /* fetch status of all crypto cards */ 1397 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT, 1398 sizeof(struct zcrypt_device_status_ext), 1399 GFP_KERNEL); 1400 if (!device_status) 1401 return -ENOMEM; 1402 zcrypt_device_status_mask_ext(device_status); 1403 1404 /* allocate 1k space for up to 256 apqns */ 1405 _apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL); 1406 if (!_apqns) { 1407 kvfree(device_status); 1408 return -ENOMEM; 1409 } 1410 1411 /* walk through all the crypto apqnss */ 1412 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) { 1413 card = AP_QID_CARD(device_status[i].qid); 1414 dom = AP_QID_QUEUE(device_status[i].qid); 1415 /* check online state */ 1416 if (!device_status[i].online) 1417 continue; 1418 /* check for ep11 functions */ 1419 if (!(device_status[i].functions & 0x01)) 1420 continue; 1421 /* check cardnr */ 1422 if (cardnr != 0xFFFF && card != cardnr) 1423 continue; 1424 /* check domain */ 1425 if (domain != 0xFFFF && dom != domain) 1426 continue; 1427 /* check min hardware type */ 1428 if (minhwtype && device_status[i].hwtype < minhwtype) 1429 continue; 1430 /* check min api version if given */ 1431 if (minapi > 0) { 1432 if (ep11_get_card_info(card, &eci, 0)) 1433 continue; 1434 if (minapi > eci.API_ord_nr) 1435 continue; 1436 } 1437 /* check wkvp if given */ 1438 if (wkvp) { 1439 if (ep11_get_domain_info(card, dom, &edi)) 1440 continue; 1441 if (edi.cur_wk_state != '1') 1442 continue; 1443 if (memcmp(wkvp, edi.cur_wkvp, 16)) 1444 continue; 1445 } 1446 /* apqn passed all filtering criterons, add to the array */ 1447 if (_nr_apqns < 256) 1448 _apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16)dom); 1449 } 1450 1451 /* nothing found ? */ 1452 if (!_nr_apqns) { 1453 kfree(_apqns); 1454 rc = -ENODEV; 1455 } else { 1456 /* no re-allocation, simple return the _apqns array */ 1457 *apqns = _apqns; 1458 *nr_apqns = _nr_apqns; 1459 rc = 0; 1460 } 1461 1462 kvfree(device_status); 1463 return rc; 1464} 1465EXPORT_SYMBOL(ep11_findcard2); 1466 1467void __exit zcrypt_ep11misc_exit(void) 1468{ 1469 card_cache_free(); 1470}