1// SPDX-License-Identifier: GPL-2.0+ 2/* 3 * Copyright IBM Corp. 2019 4 * Author(s): Harald Freudenberger <freude@linux.ibm.com> 5 * 6 * Collection of EP11 misc functions used by zcrypt and pkey 7 */ 8 9#define KMSG_COMPONENT "zcrypt" 10#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 11 12#include <linux/init.h> 13#include <linux/module.h> 14#include <linux/slab.h> 15#include <linux/random.h> 16#include <asm/zcrypt.h> 17#include <asm/pkey.h> 18#include <crypto/aes.h> 19 20#include "ap_bus.h" 21#include "zcrypt_api.h" 22#include "zcrypt_debug.h" 23#include "zcrypt_msgtype6.h" 24#include "zcrypt_ep11misc.h" 25#include "zcrypt_ccamisc.h" 26 27#define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__) 28#define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__) 29#define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__) 30#define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__) 31 32/* default iv used here */ 33static const u8 def_iv[16] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 34 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff }; 35 36/* ep11 card info cache */ 37struct card_list_entry { 38 struct list_head list; 39 u16 cardnr; 40 struct ep11_card_info info; 41}; 42static LIST_HEAD(card_list); 43static DEFINE_SPINLOCK(card_list_lock); 44 45static int card_cache_fetch(u16 cardnr, struct ep11_card_info *ci) 46{ 47 int rc = -ENOENT; 48 struct card_list_entry *ptr; 49 50 spin_lock_bh(&card_list_lock); 51 list_for_each_entry(ptr, &card_list, list) { 52 if (ptr->cardnr == cardnr) { 53 memcpy(ci, &ptr->info, sizeof(*ci)); 54 rc = 0; 55 break; 56 } 57 } 58 spin_unlock_bh(&card_list_lock); 59 60 return rc; 61} 62 63static void card_cache_update(u16 cardnr, const struct ep11_card_info *ci) 64{ 65 int found = 0; 66 struct card_list_entry *ptr; 67 68 spin_lock_bh(&card_list_lock); 69 list_for_each_entry(ptr, &card_list, list) { 70 if (ptr->cardnr == cardnr) { 71 memcpy(&ptr->info, ci, sizeof(*ci)); 72 found = 1; 73 break; 74 } 75 } 76 if (!found) { 77 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC); 78 if (!ptr) { 79 spin_unlock_bh(&card_list_lock); 80 return; 81 } 82 ptr->cardnr = cardnr; 83 memcpy(&ptr->info, ci, sizeof(*ci)); 84 list_add(&ptr->list, &card_list); 85 } 86 spin_unlock_bh(&card_list_lock); 87} 88 89static void card_cache_scrub(u16 cardnr) 90{ 91 struct card_list_entry *ptr; 92 93 spin_lock_bh(&card_list_lock); 94 list_for_each_entry(ptr, &card_list, list) { 95 if (ptr->cardnr == cardnr) { 96 list_del(&ptr->list); 97 kfree(ptr); 98 break; 99 } 100 } 101 spin_unlock_bh(&card_list_lock); 102} 103 104static void __exit card_cache_free(void) 105{ 106 struct card_list_entry *ptr, *pnext; 107 108 spin_lock_bh(&card_list_lock); 109 list_for_each_entry_safe(ptr, pnext, &card_list, list) { 110 list_del(&ptr->list); 111 kfree(ptr); 112 } 113 spin_unlock_bh(&card_list_lock); 114} 115 116/* 117 * Simple check if the key blob is a valid EP11 AES key blob with header. 118 */ 119int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl, 120 const u8 *key, size_t keylen, int checkcpacfexp) 121{ 122 struct ep11kblob_header *hdr = (struct ep11kblob_header *) key; 123 struct ep11keyblob *kb = (struct ep11keyblob *) (key + sizeof(*hdr)); 124 125#define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__) 126 127 if (keylen < sizeof(*hdr) + sizeof(*kb)) { 128 DBF("%s key check failed, keylen %zu < %zu\n", 129 __func__, keylen, sizeof(*hdr) + sizeof(*kb)); 130 return -EINVAL; 131 } 132 133 if (hdr->type != TOKTYPE_NON_CCA) { 134 if (dbg) 135 DBF("%s key check failed, type 0x%02x != 0x%02x\n", 136 __func__, (int) hdr->type, TOKTYPE_NON_CCA); 137 return -EINVAL; 138 } 139 if (hdr->hver != 0x00) { 140 if (dbg) 141 DBF("%s key check failed, header version 0x%02x != 0x00\n", 142 __func__, (int) hdr->hver); 143 return -EINVAL; 144 } 145 if (hdr->version != TOKVER_EP11_AES_WITH_HEADER) { 146 if (dbg) 147 DBF("%s key check failed, version 0x%02x != 0x%02x\n", 148 __func__, (int) hdr->version, TOKVER_EP11_AES_WITH_HEADER); 149 return -EINVAL; 150 } 151 if (hdr->len > keylen) { 152 if (dbg) 153 DBF("%s key check failed, header len %d keylen %zu mismatch\n", 154 __func__, (int) hdr->len, keylen); 155 return -EINVAL; 156 } 157 if (hdr->len < sizeof(*hdr) + sizeof(*kb)) { 158 if (dbg) 159 DBF("%s key check failed, header len %d < %zu\n", 160 __func__, (int) hdr->len, sizeof(*hdr) + sizeof(*kb)); 161 return -EINVAL; 162 } 163 164 if (kb->version != EP11_STRUCT_MAGIC) { 165 if (dbg) 166 DBF("%s key check failed, blob magic 0x%04x != 0x%04x\n", 167 __func__, (int) kb->version, EP11_STRUCT_MAGIC); 168 return -EINVAL; 169 } 170 if (checkcpacfexp && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) { 171 if (dbg) 172 DBF("%s key check failed, PKEY_EXTRACTABLE is off\n", 173 __func__); 174 return -EINVAL; 175 } 176 177#undef DBF 178 179 return 0; 180} 181EXPORT_SYMBOL(ep11_check_aes_key_with_hdr); 182 183/* 184 * Simple check if the key blob is a valid EP11 ECC key blob with header. 185 */ 186int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl, 187 const u8 *key, size_t keylen, int checkcpacfexp) 188{ 189 struct ep11kblob_header *hdr = (struct ep11kblob_header *) key; 190 struct ep11keyblob *kb = (struct ep11keyblob *) (key + sizeof(*hdr)); 191 192#define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__) 193 194 if (keylen < sizeof(*hdr) + sizeof(*kb)) { 195 DBF("%s key check failed, keylen %zu < %zu\n", 196 __func__, keylen, sizeof(*hdr) + sizeof(*kb)); 197 return -EINVAL; 198 } 199 200 if (hdr->type != TOKTYPE_NON_CCA) { 201 if (dbg) 202 DBF("%s key check failed, type 0x%02x != 0x%02x\n", 203 __func__, (int) hdr->type, TOKTYPE_NON_CCA); 204 return -EINVAL; 205 } 206 if (hdr->hver != 0x00) { 207 if (dbg) 208 DBF("%s key check failed, header version 0x%02x != 0x00\n", 209 __func__, (int) hdr->hver); 210 return -EINVAL; 211 } 212 if (hdr->version != TOKVER_EP11_ECC_WITH_HEADER) { 213 if (dbg) 214 DBF("%s key check failed, version 0x%02x != 0x%02x\n", 215 __func__, (int) hdr->version, TOKVER_EP11_ECC_WITH_HEADER); 216 return -EINVAL; 217 } 218 if (hdr->len > keylen) { 219 if (dbg) 220 DBF("%s key check failed, header len %d keylen %zu mismatch\n", 221 __func__, (int) hdr->len, keylen); 222 return -EINVAL; 223 } 224 if (hdr->len < sizeof(*hdr) + sizeof(*kb)) { 225 if (dbg) 226 DBF("%s key check failed, header len %d < %zu\n", 227 __func__, (int) hdr->len, sizeof(*hdr) + sizeof(*kb)); 228 return -EINVAL; 229 } 230 231 if (kb->version != EP11_STRUCT_MAGIC) { 232 if (dbg) 233 DBF("%s key check failed, blob magic 0x%04x != 0x%04x\n", 234 __func__, (int) kb->version, EP11_STRUCT_MAGIC); 235 return -EINVAL; 236 } 237 if (checkcpacfexp && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) { 238 if (dbg) 239 DBF("%s key check failed, PKEY_EXTRACTABLE is off\n", 240 __func__); 241 return -EINVAL; 242 } 243 244#undef DBF 245 246 return 0; 247} 248EXPORT_SYMBOL(ep11_check_ecc_key_with_hdr); 249 250/* 251 * Simple check if the key blob is a valid EP11 AES key blob with 252 * the header in the session field (old style EP11 AES key). 253 */ 254int ep11_check_aes_key(debug_info_t *dbg, int dbflvl, 255 const u8 *key, size_t keylen, int checkcpacfexp) 256{ 257 struct ep11keyblob *kb = (struct ep11keyblob *) key; 258 259#define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__) 260 261 if (keylen < sizeof(*kb)) { 262 DBF("%s key check failed, keylen %zu < %zu\n", 263 __func__, keylen, sizeof(*kb)); 264 return -EINVAL; 265 } 266 267 if (kb->head.type != TOKTYPE_NON_CCA) { 268 if (dbg) 269 DBF("%s key check failed, type 0x%02x != 0x%02x\n", 270 __func__, (int) kb->head.type, TOKTYPE_NON_CCA); 271 return -EINVAL; 272 } 273 if (kb->head.version != TOKVER_EP11_AES) { 274 if (dbg) 275 DBF("%s key check failed, version 0x%02x != 0x%02x\n", 276 __func__, (int) kb->head.version, TOKVER_EP11_AES); 277 return -EINVAL; 278 } 279 if (kb->head.len > keylen) { 280 if (dbg) 281 DBF("%s key check failed, header len %d keylen %zu mismatch\n", 282 __func__, (int) kb->head.len, keylen); 283 return -EINVAL; 284 } 285 if (kb->head.len < sizeof(*kb)) { 286 if (dbg) 287 DBF("%s key check failed, header len %d < %zu\n", 288 __func__, (int) kb->head.len, sizeof(*kb)); 289 return -EINVAL; 290 } 291 292 if (kb->version != EP11_STRUCT_MAGIC) { 293 if (dbg) 294 DBF("%s key check failed, blob magic 0x%04x != 0x%04x\n", 295 __func__, (int) kb->version, EP11_STRUCT_MAGIC); 296 return -EINVAL; 297 } 298 if (checkcpacfexp && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) { 299 if (dbg) 300 DBF("%s key check failed, PKEY_EXTRACTABLE is off\n", 301 __func__); 302 return -EINVAL; 303 } 304 305#undef DBF 306 307 return 0; 308} 309EXPORT_SYMBOL(ep11_check_aes_key); 310 311/* 312 * Allocate and prepare ep11 cprb plus additional payload. 313 */ 314static inline struct ep11_cprb *alloc_cprb(size_t payload_len) 315{ 316 size_t len = sizeof(struct ep11_cprb) + payload_len; 317 struct ep11_cprb *cprb; 318 319 cprb = kzalloc(len, GFP_KERNEL); 320 if (!cprb) 321 return NULL; 322 323 cprb->cprb_len = sizeof(struct ep11_cprb); 324 cprb->cprb_ver_id = 0x04; 325 memcpy(cprb->func_id, "T4", 2); 326 cprb->ret_code = 0xFFFFFFFF; 327 cprb->payload_len = payload_len; 328 329 return cprb; 330} 331 332/* 333 * Some helper functions related to ASN1 encoding. 334 * Limited to length info <= 2 byte. 335 */ 336 337#define ASN1TAGLEN(x) (2 + (x) + ((x) > 127 ? 1 : 0) + ((x) > 255 ? 1 : 0)) 338 339static int asn1tag_write(u8 *ptr, u8 tag, const u8 *pvalue, u16 valuelen) 340{ 341 ptr[0] = tag; 342 if (valuelen > 255) { 343 ptr[1] = 0x82; 344 *((u16 *)(ptr + 2)) = valuelen; 345 memcpy(ptr + 4, pvalue, valuelen); 346 return 4 + valuelen; 347 } 348 if (valuelen > 127) { 349 ptr[1] = 0x81; 350 ptr[2] = (u8) valuelen; 351 memcpy(ptr + 3, pvalue, valuelen); 352 return 3 + valuelen; 353 } 354 ptr[1] = (u8) valuelen; 355 memcpy(ptr + 2, pvalue, valuelen); 356 return 2 + valuelen; 357} 358 359/* EP11 payload > 127 bytes starts with this struct */ 360struct pl_head { 361 u8 tag; 362 u8 lenfmt; 363 u16 len; 364 u8 func_tag; 365 u8 func_len; 366 u32 func; 367 u8 dom_tag; 368 u8 dom_len; 369 u32 dom; 370} __packed; 371 372/* prep ep11 payload head helper function */ 373static inline void prep_head(struct pl_head *h, 374 size_t pl_size, int api, int func) 375{ 376 h->tag = 0x30; 377 h->lenfmt = 0x82; 378 h->len = pl_size - 4; 379 h->func_tag = 0x04; 380 h->func_len = sizeof(u32); 381 h->func = (api << 16) + func; 382 h->dom_tag = 0x04; 383 h->dom_len = sizeof(u32); 384} 385 386/* prep urb helper function */ 387static inline void prep_urb(struct ep11_urb *u, 388 struct ep11_target_dev *t, int nt, 389 struct ep11_cprb *req, size_t req_len, 390 struct ep11_cprb *rep, size_t rep_len) 391{ 392 u->targets = (u8 __user *) t; 393 u->targets_num = nt; 394 u->req = (u8 __user *) req; 395 u->req_len = req_len; 396 u->resp = (u8 __user *) rep; 397 u->resp_len = rep_len; 398} 399 400/* Check ep11 reply payload, return 0 or suggested errno value. */ 401static int check_reply_pl(const u8 *pl, const char *func) 402{ 403 int len; 404 u32 ret; 405 406 /* start tag */ 407 if (*pl++ != 0x30) { 408 DEBUG_ERR("%s reply start tag mismatch\n", func); 409 return -EIO; 410 } 411 412 /* payload length format */ 413 if (*pl < 127) { 414 len = *pl; 415 pl++; 416 } else if (*pl == 0x81) { 417 pl++; 418 len = *pl; 419 pl++; 420 } else if (*pl == 0x82) { 421 pl++; 422 len = *((u16 *)pl); 423 pl += 2; 424 } else { 425 DEBUG_ERR("%s reply start tag lenfmt mismatch 0x%02hhx\n", 426 func, *pl); 427 return -EIO; 428 } 429 430 /* len should cover at least 3 fields with 32 bit value each */ 431 if (len < 3 * 6) { 432 DEBUG_ERR("%s reply length %d too small\n", func, len); 433 return -EIO; 434 } 435 436 /* function tag, length and value */ 437 if (pl[0] != 0x04 || pl[1] != 0x04) { 438 DEBUG_ERR("%s function tag or length mismatch\n", func); 439 return -EIO; 440 } 441 pl += 6; 442 443 /* dom tag, length and value */ 444 if (pl[0] != 0x04 || pl[1] != 0x04) { 445 DEBUG_ERR("%s dom tag or length mismatch\n", func); 446 return -EIO; 447 } 448 pl += 6; 449 450 /* return value tag, length and value */ 451 if (pl[0] != 0x04 || pl[1] != 0x04) { 452 DEBUG_ERR("%s return value tag or length mismatch\n", func); 453 return -EIO; 454 } 455 pl += 2; 456 ret = *((u32 *)pl); 457 if (ret != 0) { 458 DEBUG_ERR("%s return value 0x%04x != 0\n", func, ret); 459 return -EIO; 460 } 461 462 return 0; 463} 464 465 466/* 467 * Helper function which does an ep11 query with given query type. 468 */ 469static int ep11_query_info(u16 cardnr, u16 domain, u32 query_type, 470 size_t buflen, u8 *buf) 471{ 472 struct ep11_info_req_pl { 473 struct pl_head head; 474 u8 query_type_tag; 475 u8 query_type_len; 476 u32 query_type; 477 u8 query_subtype_tag; 478 u8 query_subtype_len; 479 u32 query_subtype; 480 } __packed * req_pl; 481 struct ep11_info_rep_pl { 482 struct pl_head head; 483 u8 rc_tag; 484 u8 rc_len; 485 u32 rc; 486 u8 data_tag; 487 u8 data_lenfmt; 488 u16 data_len; 489 } __packed * rep_pl; 490 struct ep11_cprb *req = NULL, *rep = NULL; 491 struct ep11_target_dev target; 492 struct ep11_urb *urb = NULL; 493 int api = 1, rc = -ENOMEM; 494 495 /* request cprb and payload */ 496 req = alloc_cprb(sizeof(struct ep11_info_req_pl)); 497 if (!req) 498 goto out; 499 req_pl = (struct ep11_info_req_pl *) (((u8 *) req) + sizeof(*req)); 500 prep_head(&req_pl->head, sizeof(*req_pl), api, 38); /* get xcp info */ 501 req_pl->query_type_tag = 0x04; 502 req_pl->query_type_len = sizeof(u32); 503 req_pl->query_type = query_type; 504 req_pl->query_subtype_tag = 0x04; 505 req_pl->query_subtype_len = sizeof(u32); 506 507 /* reply cprb and payload */ 508 rep = alloc_cprb(sizeof(struct ep11_info_rep_pl) + buflen); 509 if (!rep) 510 goto out; 511 rep_pl = (struct ep11_info_rep_pl *) (((u8 *) rep) + sizeof(*rep)); 512 513 /* urb and target */ 514 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL); 515 if (!urb) 516 goto out; 517 target.ap_id = cardnr; 518 target.dom_id = domain; 519 prep_urb(urb, &target, 1, 520 req, sizeof(*req) + sizeof(*req_pl), 521 rep, sizeof(*rep) + sizeof(*rep_pl) + buflen); 522 523 rc = zcrypt_send_ep11_cprb(urb); 524 if (rc) { 525 DEBUG_ERR( 526 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 527 __func__, (int) cardnr, (int) domain, rc); 528 goto out; 529 } 530 531 rc = check_reply_pl((u8 *)rep_pl, __func__); 532 if (rc) 533 goto out; 534 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) { 535 DEBUG_ERR("%s unknown reply data format\n", __func__); 536 rc = -EIO; 537 goto out; 538 } 539 if (rep_pl->data_len > buflen) { 540 DEBUG_ERR("%s mismatch between reply data len and buffer len\n", 541 __func__); 542 rc = -ENOSPC; 543 goto out; 544 } 545 546 memcpy(buf, ((u8 *) rep_pl) + sizeof(*rep_pl), rep_pl->data_len); 547 548out: 549 kfree(req); 550 kfree(rep); 551 kfree(urb); 552 return rc; 553} 554 555/* 556 * Provide information about an EP11 card. 557 */ 558int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify) 559{ 560 int rc; 561 struct ep11_module_query_info { 562 u32 API_ord_nr; 563 u32 firmware_id; 564 u8 FW_major_vers; 565 u8 FW_minor_vers; 566 u8 CSP_major_vers; 567 u8 CSP_minor_vers; 568 u8 fwid[32]; 569 u8 xcp_config_hash[32]; 570 u8 CSP_config_hash[32]; 571 u8 serial[16]; 572 u8 module_date_time[16]; 573 u64 op_mode; 574 u32 PKCS11_flags; 575 u32 ext_flags; 576 u32 domains; 577 u32 sym_state_bytes; 578 u32 digest_state_bytes; 579 u32 pin_blob_bytes; 580 u32 SPKI_bytes; 581 u32 priv_key_blob_bytes; 582 u32 sym_blob_bytes; 583 u32 max_payload_bytes; 584 u32 CP_profile_bytes; 585 u32 max_CP_index; 586 } __packed * pmqi = NULL; 587 588 rc = card_cache_fetch(card, info); 589 if (rc || verify) { 590 pmqi = kmalloc(sizeof(*pmqi), GFP_KERNEL); 591 if (!pmqi) 592 return -ENOMEM; 593 rc = ep11_query_info(card, AUTOSEL_DOM, 594 0x01 /* module info query */, 595 sizeof(*pmqi), (u8 *) pmqi); 596 if (rc) { 597 if (rc == -ENODEV) 598 card_cache_scrub(card); 599 goto out; 600 } 601 memset(info, 0, sizeof(*info)); 602 info->API_ord_nr = pmqi->API_ord_nr; 603 info->FW_version = 604 (pmqi->FW_major_vers << 8) + pmqi->FW_minor_vers; 605 memcpy(info->serial, pmqi->serial, sizeof(info->serial)); 606 info->op_mode = pmqi->op_mode; 607 card_cache_update(card, info); 608 } 609 610out: 611 kfree(pmqi); 612 return rc; 613} 614EXPORT_SYMBOL(ep11_get_card_info); 615 616/* 617 * Provide information about a domain within an EP11 card. 618 */ 619int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info) 620{ 621 int rc; 622 struct ep11_domain_query_info { 623 u32 dom_index; 624 u8 cur_WK_VP[32]; 625 u8 new_WK_VP[32]; 626 u32 dom_flags; 627 u64 op_mode; 628 } __packed * p_dom_info; 629 630 p_dom_info = kmalloc(sizeof(*p_dom_info), GFP_KERNEL); 631 if (!p_dom_info) 632 return -ENOMEM; 633 634 rc = ep11_query_info(card, domain, 0x03 /* domain info query */, 635 sizeof(*p_dom_info), (u8 *) p_dom_info); 636 if (rc) 637 goto out; 638 639 memset(info, 0, sizeof(*info)); 640 info->cur_wk_state = '0'; 641 info->new_wk_state = '0'; 642 if (p_dom_info->dom_flags & 0x10 /* left imprint mode */) { 643 if (p_dom_info->dom_flags & 0x02 /* cur wk valid */) { 644 info->cur_wk_state = '1'; 645 memcpy(info->cur_wkvp, p_dom_info->cur_WK_VP, 32); 646 } 647 if (p_dom_info->dom_flags & 0x04 /* new wk present */ 648 || p_dom_info->dom_flags & 0x08 /* new wk committed */) { 649 info->new_wk_state = 650 p_dom_info->dom_flags & 0x08 ? '2' : '1'; 651 memcpy(info->new_wkvp, p_dom_info->new_WK_VP, 32); 652 } 653 } 654 info->op_mode = p_dom_info->op_mode; 655 656out: 657 kfree(p_dom_info); 658 return rc; 659} 660EXPORT_SYMBOL(ep11_get_domain_info); 661 662/* 663 * Default EP11 AES key generate attributes, used when no keygenflags given: 664 * XCP_BLOB_ENCRYPT | XCP_BLOB_DECRYPT | XCP_BLOB_PROTKEY_EXTRACTABLE 665 */ 666#define KEY_ATTR_DEFAULTS 0x00200c00 667 668int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, 669 u8 *keybuf, size_t *keybufsize) 670{ 671 struct keygen_req_pl { 672 struct pl_head head; 673 u8 var_tag; 674 u8 var_len; 675 u32 var; 676 u8 keybytes_tag; 677 u8 keybytes_len; 678 u32 keybytes; 679 u8 mech_tag; 680 u8 mech_len; 681 u32 mech; 682 u8 attr_tag; 683 u8 attr_len; 684 u32 attr_header; 685 u32 attr_bool_mask; 686 u32 attr_bool_bits; 687 u32 attr_val_len_type; 688 u32 attr_val_len_value; 689 u8 pin_tag; 690 u8 pin_len; 691 } __packed * req_pl; 692 struct keygen_rep_pl { 693 struct pl_head head; 694 u8 rc_tag; 695 u8 rc_len; 696 u32 rc; 697 u8 data_tag; 698 u8 data_lenfmt; 699 u16 data_len; 700 u8 data[512]; 701 } __packed * rep_pl; 702 struct ep11_cprb *req = NULL, *rep = NULL; 703 struct ep11_target_dev target; 704 struct ep11_urb *urb = NULL; 705 struct ep11keyblob *kb; 706 int api, rc = -ENOMEM; 707 708 switch (keybitsize) { 709 case 128: 710 case 192: 711 case 256: 712 break; 713 default: 714 DEBUG_ERR( 715 "%s unknown/unsupported keybitsize %d\n", 716 __func__, keybitsize); 717 rc = -EINVAL; 718 goto out; 719 } 720 721 /* request cprb and payload */ 722 req = alloc_cprb(sizeof(struct keygen_req_pl)); 723 if (!req) 724 goto out; 725 req_pl = (struct keygen_req_pl *) (((u8 *) req) + sizeof(*req)); 726 api = (!keygenflags || keygenflags & 0x00200000) ? 4 : 1; 727 prep_head(&req_pl->head, sizeof(*req_pl), api, 21); /* GenerateKey */ 728 req_pl->var_tag = 0x04; 729 req_pl->var_len = sizeof(u32); 730 req_pl->keybytes_tag = 0x04; 731 req_pl->keybytes_len = sizeof(u32); 732 req_pl->keybytes = keybitsize / 8; 733 req_pl->mech_tag = 0x04; 734 req_pl->mech_len = sizeof(u32); 735 req_pl->mech = 0x00001080; /* CKM_AES_KEY_GEN */ 736 req_pl->attr_tag = 0x04; 737 req_pl->attr_len = 5 * sizeof(u32); 738 req_pl->attr_header = 0x10010000; 739 req_pl->attr_bool_mask = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS; 740 req_pl->attr_bool_bits = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS; 741 req_pl->attr_val_len_type = 0x00000161; /* CKA_VALUE_LEN */ 742 req_pl->attr_val_len_value = keybitsize / 8; 743 req_pl->pin_tag = 0x04; 744 745 /* reply cprb and payload */ 746 rep = alloc_cprb(sizeof(struct keygen_rep_pl)); 747 if (!rep) 748 goto out; 749 rep_pl = (struct keygen_rep_pl *) (((u8 *) rep) + sizeof(*rep)); 750 751 /* urb and target */ 752 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL); 753 if (!urb) 754 goto out; 755 target.ap_id = card; 756 target.dom_id = domain; 757 prep_urb(urb, &target, 1, 758 req, sizeof(*req) + sizeof(*req_pl), 759 rep, sizeof(*rep) + sizeof(*rep_pl)); 760 761 rc = zcrypt_send_ep11_cprb(urb); 762 if (rc) { 763 DEBUG_ERR( 764 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 765 __func__, (int) card, (int) domain, rc); 766 goto out; 767 } 768 769 rc = check_reply_pl((u8 *)rep_pl, __func__); 770 if (rc) 771 goto out; 772 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) { 773 DEBUG_ERR("%s unknown reply data format\n", __func__); 774 rc = -EIO; 775 goto out; 776 } 777 if (rep_pl->data_len > *keybufsize) { 778 DEBUG_ERR("%s mismatch reply data len / key buffer len\n", 779 __func__); 780 rc = -ENOSPC; 781 goto out; 782 } 783 784 /* copy key blob and set header values */ 785 memcpy(keybuf, rep_pl->data, rep_pl->data_len); 786 *keybufsize = rep_pl->data_len; 787 kb = (struct ep11keyblob *) keybuf; 788 kb->head.type = TOKTYPE_NON_CCA; 789 kb->head.len = rep_pl->data_len; 790 kb->head.version = TOKVER_EP11_AES; 791 kb->head.bitlen = keybitsize; 792 793out: 794 kfree(req); 795 kfree(rep); 796 kfree(urb); 797 return rc; 798} 799EXPORT_SYMBOL(ep11_genaeskey); 800 801static int ep11_cryptsingle(u16 card, u16 domain, 802 u16 mode, u32 mech, const u8 *iv, 803 const u8 *key, size_t keysize, 804 const u8 *inbuf, size_t inbufsize, 805 u8 *outbuf, size_t *outbufsize) 806{ 807 struct crypt_req_pl { 808 struct pl_head head; 809 u8 var_tag; 810 u8 var_len; 811 u32 var; 812 u8 mech_tag; 813 u8 mech_len; 814 u32 mech; 815 /* 816 * maybe followed by iv data 817 * followed by key tag + key blob 818 * followed by plaintext tag + plaintext 819 */ 820 } __packed * req_pl; 821 struct crypt_rep_pl { 822 struct pl_head head; 823 u8 rc_tag; 824 u8 rc_len; 825 u32 rc; 826 u8 data_tag; 827 u8 data_lenfmt; 828 /* data follows */ 829 } __packed * rep_pl; 830 struct ep11_cprb *req = NULL, *rep = NULL; 831 struct ep11_target_dev target; 832 struct ep11_urb *urb = NULL; 833 size_t req_pl_size, rep_pl_size; 834 int n, api = 1, rc = -ENOMEM; 835 u8 *p; 836 837 /* the simple asn1 coding used has length limits */ 838 if (keysize > 0xFFFF || inbufsize > 0xFFFF) 839 return -EINVAL; 840 841 /* request cprb and payload */ 842 req_pl_size = sizeof(struct crypt_req_pl) + (iv ? 16 : 0) 843 + ASN1TAGLEN(keysize) + ASN1TAGLEN(inbufsize); 844 req = alloc_cprb(req_pl_size); 845 if (!req) 846 goto out; 847 req_pl = (struct crypt_req_pl *) (((u8 *) req) + sizeof(*req)); 848 prep_head(&req_pl->head, req_pl_size, api, (mode ? 20 : 19)); 849 req_pl->var_tag = 0x04; 850 req_pl->var_len = sizeof(u32); 851 /* mech is mech + mech params (iv here) */ 852 req_pl->mech_tag = 0x04; 853 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0); 854 req_pl->mech = (mech ? mech : 0x00001085); /* CKM_AES_CBC_PAD */ 855 p = ((u8 *) req_pl) + sizeof(*req_pl); 856 if (iv) { 857 memcpy(p, iv, 16); 858 p += 16; 859 } 860 /* key and input data */ 861 p += asn1tag_write(p, 0x04, key, keysize); 862 p += asn1tag_write(p, 0x04, inbuf, inbufsize); 863 864 /* reply cprb and payload, assume out data size <= in data size + 32 */ 865 rep_pl_size = sizeof(struct crypt_rep_pl) + ASN1TAGLEN(inbufsize + 32); 866 rep = alloc_cprb(rep_pl_size); 867 if (!rep) 868 goto out; 869 rep_pl = (struct crypt_rep_pl *) (((u8 *) rep) + sizeof(*rep)); 870 871 /* urb and target */ 872 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL); 873 if (!urb) 874 goto out; 875 target.ap_id = card; 876 target.dom_id = domain; 877 prep_urb(urb, &target, 1, 878 req, sizeof(*req) + req_pl_size, 879 rep, sizeof(*rep) + rep_pl_size); 880 881 rc = zcrypt_send_ep11_cprb(urb); 882 if (rc) { 883 DEBUG_ERR( 884 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 885 __func__, (int) card, (int) domain, rc); 886 goto out; 887 } 888 889 rc = check_reply_pl((u8 *)rep_pl, __func__); 890 if (rc) 891 goto out; 892 if (rep_pl->data_tag != 0x04) { 893 DEBUG_ERR("%s unknown reply data format\n", __func__); 894 rc = -EIO; 895 goto out; 896 } 897 p = ((u8 *) rep_pl) + sizeof(*rep_pl); 898 if (rep_pl->data_lenfmt <= 127) 899 n = rep_pl->data_lenfmt; 900 else if (rep_pl->data_lenfmt == 0x81) 901 n = *p++; 902 else if (rep_pl->data_lenfmt == 0x82) { 903 n = *((u16 *) p); 904 p += 2; 905 } else { 906 DEBUG_ERR("%s unknown reply data length format 0x%02hhx\n", 907 __func__, rep_pl->data_lenfmt); 908 rc = -EIO; 909 goto out; 910 } 911 if (n > *outbufsize) { 912 DEBUG_ERR("%s mismatch reply data len %d / output buffer %zu\n", 913 __func__, n, *outbufsize); 914 rc = -ENOSPC; 915 goto out; 916 } 917 918 memcpy(outbuf, p, n); 919 *outbufsize = n; 920 921out: 922 kfree(req); 923 kfree(rep); 924 kfree(urb); 925 return rc; 926} 927 928static int ep11_unwrapkey(u16 card, u16 domain, 929 const u8 *kek, size_t keksize, 930 const u8 *enckey, size_t enckeysize, 931 u32 mech, const u8 *iv, 932 u32 keybitsize, u32 keygenflags, 933 u8 *keybuf, size_t *keybufsize) 934{ 935 struct uw_req_pl { 936 struct pl_head head; 937 u8 attr_tag; 938 u8 attr_len; 939 u32 attr_header; 940 u32 attr_bool_mask; 941 u32 attr_bool_bits; 942 u32 attr_key_type; 943 u32 attr_key_type_value; 944 u32 attr_val_len; 945 u32 attr_val_len_value; 946 u8 mech_tag; 947 u8 mech_len; 948 u32 mech; 949 /* 950 * maybe followed by iv data 951 * followed by kek tag + kek blob 952 * followed by empty mac tag 953 * followed by empty pin tag 954 * followed by encryted key tag + bytes 955 */ 956 } __packed * req_pl; 957 struct uw_rep_pl { 958 struct pl_head head; 959 u8 rc_tag; 960 u8 rc_len; 961 u32 rc; 962 u8 data_tag; 963 u8 data_lenfmt; 964 u16 data_len; 965 u8 data[512]; 966 } __packed * rep_pl; 967 struct ep11_cprb *req = NULL, *rep = NULL; 968 struct ep11_target_dev target; 969 struct ep11_urb *urb = NULL; 970 struct ep11keyblob *kb; 971 size_t req_pl_size; 972 int api, rc = -ENOMEM; 973 u8 *p; 974 975 /* request cprb and payload */ 976 req_pl_size = sizeof(struct uw_req_pl) + (iv ? 16 : 0) 977 + ASN1TAGLEN(keksize) + 4 + ASN1TAGLEN(enckeysize); 978 req = alloc_cprb(req_pl_size); 979 if (!req) 980 goto out; 981 req_pl = (struct uw_req_pl *) (((u8 *) req) + sizeof(*req)); 982 api = (!keygenflags || keygenflags & 0x00200000) ? 4 : 1; 983 prep_head(&req_pl->head, req_pl_size, api, 34); /* UnwrapKey */ 984 req_pl->attr_tag = 0x04; 985 req_pl->attr_len = 7 * sizeof(u32); 986 req_pl->attr_header = 0x10020000; 987 req_pl->attr_bool_mask = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS; 988 req_pl->attr_bool_bits = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS; 989 req_pl->attr_key_type = 0x00000100; /* CKA_KEY_TYPE */ 990 req_pl->attr_key_type_value = 0x0000001f; /* CKK_AES */ 991 req_pl->attr_val_len = 0x00000161; /* CKA_VALUE_LEN */ 992 req_pl->attr_val_len_value = keybitsize / 8; 993 /* mech is mech + mech params (iv here) */ 994 req_pl->mech_tag = 0x04; 995 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0); 996 req_pl->mech = (mech ? mech : 0x00001085); /* CKM_AES_CBC_PAD */ 997 p = ((u8 *) req_pl) + sizeof(*req_pl); 998 if (iv) { 999 memcpy(p, iv, 16); 1000 p += 16; 1001 } 1002 /* kek */ 1003 p += asn1tag_write(p, 0x04, kek, keksize); 1004 /* empty mac key tag */ 1005 *p++ = 0x04; 1006 *p++ = 0; 1007 /* empty pin tag */ 1008 *p++ = 0x04; 1009 *p++ = 0; 1010 /* encrypted key value tag and bytes */ 1011 p += asn1tag_write(p, 0x04, enckey, enckeysize); 1012 1013 /* reply cprb and payload */ 1014 rep = alloc_cprb(sizeof(struct uw_rep_pl)); 1015 if (!rep) 1016 goto out; 1017 rep_pl = (struct uw_rep_pl *) (((u8 *) rep) + sizeof(*rep)); 1018 1019 /* urb and target */ 1020 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL); 1021 if (!urb) 1022 goto out; 1023 target.ap_id = card; 1024 target.dom_id = domain; 1025 prep_urb(urb, &target, 1, 1026 req, sizeof(*req) + req_pl_size, 1027 rep, sizeof(*rep) + sizeof(*rep_pl)); 1028 1029 rc = zcrypt_send_ep11_cprb(urb); 1030 if (rc) { 1031 DEBUG_ERR( 1032 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 1033 __func__, (int) card, (int) domain, rc); 1034 goto out; 1035 } 1036 1037 rc = check_reply_pl((u8 *)rep_pl, __func__); 1038 if (rc) 1039 goto out; 1040 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) { 1041 DEBUG_ERR("%s unknown reply data format\n", __func__); 1042 rc = -EIO; 1043 goto out; 1044 } 1045 if (rep_pl->data_len > *keybufsize) { 1046 DEBUG_ERR("%s mismatch reply data len / key buffer len\n", 1047 __func__); 1048 rc = -ENOSPC; 1049 goto out; 1050 } 1051 1052 /* copy key blob and set header values */ 1053 memcpy(keybuf, rep_pl->data, rep_pl->data_len); 1054 *keybufsize = rep_pl->data_len; 1055 kb = (struct ep11keyblob *) keybuf; 1056 kb->head.type = TOKTYPE_NON_CCA; 1057 kb->head.len = rep_pl->data_len; 1058 kb->head.version = TOKVER_EP11_AES; 1059 kb->head.bitlen = keybitsize; 1060 1061out: 1062 kfree(req); 1063 kfree(rep); 1064 kfree(urb); 1065 return rc; 1066} 1067 1068static int ep11_wrapkey(u16 card, u16 domain, 1069 const u8 *key, size_t keysize, 1070 u32 mech, const u8 *iv, 1071 u8 *databuf, size_t *datasize) 1072{ 1073 struct wk_req_pl { 1074 struct pl_head head; 1075 u8 var_tag; 1076 u8 var_len; 1077 u32 var; 1078 u8 mech_tag; 1079 u8 mech_len; 1080 u32 mech; 1081 /* 1082 * followed by iv data 1083 * followed by key tag + key blob 1084 * followed by dummy kek param 1085 * followed by dummy mac param 1086 */ 1087 } __packed * req_pl; 1088 struct wk_rep_pl { 1089 struct pl_head head; 1090 u8 rc_tag; 1091 u8 rc_len; 1092 u32 rc; 1093 u8 data_tag; 1094 u8 data_lenfmt; 1095 u16 data_len; 1096 u8 data[1024]; 1097 } __packed * rep_pl; 1098 struct ep11_cprb *req = NULL, *rep = NULL; 1099 struct ep11_target_dev target; 1100 struct ep11_urb *urb = NULL; 1101 struct ep11keyblob *kb; 1102 size_t req_pl_size; 1103 int api, rc = -ENOMEM; 1104 bool has_header = false; 1105 u8 *p; 1106 1107 /* maybe the session field holds a header with key info */ 1108 kb = (struct ep11keyblob *) key; 1109 if (kb->head.type == TOKTYPE_NON_CCA && 1110 kb->head.version == TOKVER_EP11_AES) { 1111 has_header = true; 1112 keysize = kb->head.len < keysize ? kb->head.len : keysize; 1113 } 1114 1115 /* request cprb and payload */ 1116 req_pl_size = sizeof(struct wk_req_pl) + (iv ? 16 : 0) 1117 + ASN1TAGLEN(keysize) + 4; 1118 req = alloc_cprb(req_pl_size); 1119 if (!req) 1120 goto out; 1121 if (!mech || mech == 0x80060001) 1122 req->flags |= 0x20; /* CPACF_WRAP needs special bit */ 1123 req_pl = (struct wk_req_pl *) (((u8 *) req) + sizeof(*req)); 1124 api = (!mech || mech == 0x80060001) ? 4 : 1; /* CKM_IBM_CPACF_WRAP */ 1125 prep_head(&req_pl->head, req_pl_size, api, 33); /* WrapKey */ 1126 req_pl->var_tag = 0x04; 1127 req_pl->var_len = sizeof(u32); 1128 /* mech is mech + mech params (iv here) */ 1129 req_pl->mech_tag = 0x04; 1130 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0); 1131 req_pl->mech = (mech ? mech : 0x80060001); /* CKM_IBM_CPACF_WRAP */ 1132 p = ((u8 *) req_pl) + sizeof(*req_pl); 1133 if (iv) { 1134 memcpy(p, iv, 16); 1135 p += 16; 1136 } 1137 /* key blob */ 1138 p += asn1tag_write(p, 0x04, key, keysize); 1139 /* maybe the key argument needs the head data cleaned out */ 1140 if (has_header) { 1141 kb = (struct ep11keyblob *)(p - keysize); 1142 memset(&kb->head, 0, sizeof(kb->head)); 1143 } 1144 /* empty kek tag */ 1145 *p++ = 0x04; 1146 *p++ = 0; 1147 /* empty mac tag */ 1148 *p++ = 0x04; 1149 *p++ = 0; 1150 1151 /* reply cprb and payload */ 1152 rep = alloc_cprb(sizeof(struct wk_rep_pl)); 1153 if (!rep) 1154 goto out; 1155 rep_pl = (struct wk_rep_pl *) (((u8 *) rep) + sizeof(*rep)); 1156 1157 /* urb and target */ 1158 urb = kmalloc(sizeof(struct ep11_urb), GFP_KERNEL); 1159 if (!urb) 1160 goto out; 1161 target.ap_id = card; 1162 target.dom_id = domain; 1163 prep_urb(urb, &target, 1, 1164 req, sizeof(*req) + req_pl_size, 1165 rep, sizeof(*rep) + sizeof(*rep_pl)); 1166 1167 rc = zcrypt_send_ep11_cprb(urb); 1168 if (rc) { 1169 DEBUG_ERR( 1170 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n", 1171 __func__, (int) card, (int) domain, rc); 1172 goto out; 1173 } 1174 1175 rc = check_reply_pl((u8 *)rep_pl, __func__); 1176 if (rc) 1177 goto out; 1178 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) { 1179 DEBUG_ERR("%s unknown reply data format\n", __func__); 1180 rc = -EIO; 1181 goto out; 1182 } 1183 if (rep_pl->data_len > *datasize) { 1184 DEBUG_ERR("%s mismatch reply data len / data buffer len\n", 1185 __func__); 1186 rc = -ENOSPC; 1187 goto out; 1188 } 1189 1190 /* copy the data from the cprb to the data buffer */ 1191 memcpy(databuf, rep_pl->data, rep_pl->data_len); 1192 *datasize = rep_pl->data_len; 1193 1194out: 1195 kfree(req); 1196 kfree(rep); 1197 kfree(urb); 1198 return rc; 1199} 1200 1201int ep11_clr2keyblob(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, 1202 const u8 *clrkey, u8 *keybuf, size_t *keybufsize) 1203{ 1204 int rc; 1205 struct ep11keyblob *kb; 1206 u8 encbuf[64], *kek = NULL; 1207 size_t clrkeylen, keklen, encbuflen = sizeof(encbuf); 1208 1209 if (keybitsize == 128 || keybitsize == 192 || keybitsize == 256) 1210 clrkeylen = keybitsize / 8; 1211 else { 1212 DEBUG_ERR( 1213 "%s unknown/unsupported keybitsize %d\n", 1214 __func__, keybitsize); 1215 return -EINVAL; 1216 } 1217 1218 /* allocate memory for the temp kek */ 1219 keklen = MAXEP11AESKEYBLOBSIZE; 1220 kek = kmalloc(keklen, GFP_ATOMIC); 1221 if (!kek) { 1222 rc = -ENOMEM; 1223 goto out; 1224 } 1225 1226 /* Step 1: generate AES 256 bit random kek key */ 1227 rc = ep11_genaeskey(card, domain, 256, 1228 0x00006c00, /* EN/DECRYPT, WRAP/UNWRAP */ 1229 kek, &keklen); 1230 if (rc) { 1231 DEBUG_ERR( 1232 "%s generate kek key failed, rc=%d\n", 1233 __func__, rc); 1234 goto out; 1235 } 1236 kb = (struct ep11keyblob *) kek; 1237 memset(&kb->head, 0, sizeof(kb->head)); 1238 1239 /* Step 2: encrypt clear key value with the kek key */ 1240 rc = ep11_cryptsingle(card, domain, 0, 0, def_iv, kek, keklen, 1241 clrkey, clrkeylen, encbuf, &encbuflen); 1242 if (rc) { 1243 DEBUG_ERR( 1244 "%s encrypting key value with kek key failed, rc=%d\n", 1245 __func__, rc); 1246 goto out; 1247 } 1248 1249 /* Step 3: import the encrypted key value as a new key */ 1250 rc = ep11_unwrapkey(card, domain, kek, keklen, 1251 encbuf, encbuflen, 0, def_iv, 1252 keybitsize, 0, keybuf, keybufsize); 1253 if (rc) { 1254 DEBUG_ERR( 1255 "%s importing key value as new key failed,, rc=%d\n", 1256 __func__, rc); 1257 goto out; 1258 } 1259 1260out: 1261 kfree(kek); 1262 return rc; 1263} 1264EXPORT_SYMBOL(ep11_clr2keyblob); 1265 1266int ep11_kblob2protkey(u16 card, u16 dom, const u8 *keyblob, size_t keybloblen, 1267 u8 *protkey, u32 *protkeylen, u32 *protkeytype) 1268{ 1269 int rc = -EIO; 1270 u8 *wkbuf = NULL; 1271 size_t wkbuflen, keylen; 1272 struct wk_info { 1273 u16 version; 1274 u8 res1[16]; 1275 u32 pkeytype; 1276 u32 pkeybitsize; 1277 u64 pkeysize; 1278 u8 res2[8]; 1279 u8 pkey[0]; 1280 } __packed * wki; 1281 const u8 *key; 1282 struct ep11kblob_header *hdr; 1283 1284 /* key with or without header ? */ 1285 hdr = (struct ep11kblob_header *) keyblob; 1286 if (hdr->type == TOKTYPE_NON_CCA 1287 && (hdr->version == TOKVER_EP11_AES_WITH_HEADER 1288 || hdr->version == TOKVER_EP11_ECC_WITH_HEADER) 1289 && is_ep11_keyblob(keyblob + sizeof(struct ep11kblob_header))) { 1290 /* EP11 AES or ECC key with header */ 1291 key = keyblob + sizeof(struct ep11kblob_header); 1292 keylen = hdr->len - sizeof(struct ep11kblob_header); 1293 } else if (hdr->type == TOKTYPE_NON_CCA 1294 && hdr->version == TOKVER_EP11_AES 1295 && is_ep11_keyblob(keyblob)) { 1296 /* EP11 AES key (old style) */ 1297 key = keyblob; 1298 keylen = hdr->len; 1299 } else if (is_ep11_keyblob(keyblob)) { 1300 /* raw EP11 key blob */ 1301 key = keyblob; 1302 keylen = keybloblen; 1303 } else 1304 return -EINVAL; 1305 1306 /* alloc temp working buffer */ 1307 wkbuflen = (keylen + AES_BLOCK_SIZE) & (~(AES_BLOCK_SIZE - 1)); 1308 wkbuf = kmalloc(wkbuflen, GFP_ATOMIC); 1309 if (!wkbuf) 1310 return -ENOMEM; 1311 1312 /* ep11 secure key -> protected key + info */ 1313 rc = ep11_wrapkey(card, dom, key, keylen, 1314 0, def_iv, wkbuf, &wkbuflen); 1315 if (rc) { 1316 DEBUG_ERR( 1317 "%s rewrapping ep11 key to pkey failed, rc=%d\n", 1318 __func__, rc); 1319 goto out; 1320 } 1321 wki = (struct wk_info *) wkbuf; 1322 1323 /* check struct version and pkey type */ 1324 if (wki->version != 1 || wki->pkeytype < 1 || wki->pkeytype > 5) { 1325 DEBUG_ERR("%s wk info version %d or pkeytype %d mismatch.\n", 1326 __func__, (int) wki->version, (int) wki->pkeytype); 1327 rc = -EIO; 1328 goto out; 1329 } 1330 1331 /* check protected key type field */ 1332 switch (wki->pkeytype) { 1333 case 1: /* AES */ 1334 switch (wki->pkeysize) { 1335 case 16+32: 1336 /* AES 128 protected key */ 1337 if (protkeytype) 1338 *protkeytype = PKEY_KEYTYPE_AES_128; 1339 break; 1340 case 24+32: 1341 /* AES 192 protected key */ 1342 if (protkeytype) 1343 *protkeytype = PKEY_KEYTYPE_AES_192; 1344 break; 1345 case 32+32: 1346 /* AES 256 protected key */ 1347 if (protkeytype) 1348 *protkeytype = PKEY_KEYTYPE_AES_256; 1349 break; 1350 default: 1351 DEBUG_ERR("%s unknown/unsupported AES pkeysize %d\n", 1352 __func__, (int) wki->pkeysize); 1353 rc = -EIO; 1354 goto out; 1355 } 1356 break; 1357 case 3: /* EC-P */ 1358 case 4: /* EC-ED */ 1359 case 5: /* EC-BP */ 1360 if (protkeytype) 1361 *protkeytype = PKEY_KEYTYPE_ECC; 1362 break; 1363 case 2: /* TDES */ 1364 default: 1365 DEBUG_ERR("%s unknown/unsupported key type %d\n", 1366 __func__, (int) wki->pkeytype); 1367 rc = -EIO; 1368 goto out; 1369 } 1370 1371 /* copy the tanslated protected key */ 1372 if (wki->pkeysize > *protkeylen) { 1373 DEBUG_ERR("%s wk info pkeysize %llu > protkeysize %u\n", 1374 __func__, wki->pkeysize, *protkeylen); 1375 rc = -EINVAL; 1376 goto out; 1377 } 1378 memcpy(protkey, wki->pkey, wki->pkeysize); 1379 *protkeylen = wki->pkeysize; 1380 1381out: 1382 kfree(wkbuf); 1383 return rc; 1384} 1385EXPORT_SYMBOL(ep11_kblob2protkey); 1386 1387int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain, 1388 int minhwtype, int minapi, const u8 *wkvp) 1389{ 1390 struct zcrypt_device_status_ext *device_status; 1391 u32 *_apqns = NULL, _nr_apqns = 0; 1392 int i, card, dom, rc = -ENOMEM; 1393 struct ep11_domain_info edi; 1394 struct ep11_card_info eci; 1395 1396 /* fetch status of all crypto cards */ 1397 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT, 1398 sizeof(struct zcrypt_device_status_ext), 1399 GFP_KERNEL); 1400 if (!device_status) 1401 return -ENOMEM; 1402 zcrypt_device_status_mask_ext(device_status); 1403 1404 /* allocate 1k space for up to 256 apqns */ 1405 _apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL); 1406 if (!_apqns) { 1407 kvfree(device_status); 1408 return -ENOMEM; 1409 } 1410 1411 /* walk through all the crypto apqnss */ 1412 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) { 1413 card = AP_QID_CARD(device_status[i].qid); 1414 dom = AP_QID_QUEUE(device_status[i].qid); 1415 /* check online state */ 1416 if (!device_status[i].online) 1417 continue; 1418 /* check for ep11 functions */ 1419 if (!(device_status[i].functions & 0x01)) 1420 continue; 1421 /* check cardnr */ 1422 if (cardnr != 0xFFFF && card != cardnr) 1423 continue; 1424 /* check domain */ 1425 if (domain != 0xFFFF && dom != domain) 1426 continue; 1427 /* check min hardware type */ 1428 if (minhwtype && device_status[i].hwtype < minhwtype) 1429 continue; 1430 /* check min api version if given */ 1431 if (minapi > 0) { 1432 if (ep11_get_card_info(card, &eci, 0)) 1433 continue; 1434 if (minapi > eci.API_ord_nr) 1435 continue; 1436 } 1437 /* check wkvp if given */ 1438 if (wkvp) { 1439 if (ep11_get_domain_info(card, dom, &edi)) 1440 continue; 1441 if (edi.cur_wk_state != '1') 1442 continue; 1443 if (memcmp(wkvp, edi.cur_wkvp, 16)) 1444 continue; 1445 } 1446 /* apqn passed all filtering criterons, add to the array */ 1447 if (_nr_apqns < 256) 1448 _apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16) dom); 1449 } 1450 1451 /* nothing found ? */ 1452 if (!_nr_apqns) { 1453 kfree(_apqns); 1454 rc = -ENODEV; 1455 } else { 1456 /* no re-allocation, simple return the _apqns array */ 1457 *apqns = _apqns; 1458 *nr_apqns = _nr_apqns; 1459 rc = 0; 1460 } 1461 1462 kvfree(device_status); 1463 return rc; 1464} 1465EXPORT_SYMBOL(ep11_findcard2); 1466 1467void __exit zcrypt_ep11misc_exit(void) 1468{ 1469 card_cache_free(); 1470} 1471