^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * pkey device driver
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright IBM Corp. 2017,2019
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Author(s): Harald Freudenberger
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) #define KMSG_COMPONENT "pkey"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <linux/fs.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <linux/init.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/miscdevice.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/module.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <linux/kallsyms.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <linux/debugfs.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include <linux/random.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) #include <linux/cpufeature.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) #include <asm/zcrypt.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) #include <asm/cpacf.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) #include <asm/pkey.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) #include <crypto/aes.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) #include "zcrypt_api.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) #include "zcrypt_ccamisc.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) #include "zcrypt_ep11misc.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) MODULE_LICENSE("GPL");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) MODULE_AUTHOR("IBM Corporation");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) MODULE_DESCRIPTION("s390 protected key interface");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33)
#define KEYBLOBBUFSIZE 8192 /* key buffer size used for internal processing */
#define PROTKEYBLOBBUFSIZE 256 /* protected key buffer size used internally */
#define MAXAPQNSINLIST 64 /* max 64 apqns within an apqn list */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) * debug feature data and functions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41)
/* s390 debug feature handle, set up by pkey_debug_init() */
static debug_info_t *debug_info;

/*
 * Event helpers, one per debug level (6 = most verbose, 3 = errors).
 * pkey_debug_init() sets the level to 3, so with that default only
 * DEBUG_ERR events are recorded; the rc traces emitted with DEBUG_DBG by
 * the key conversion helpers become visible only after the level is raised.
 * Each entry holds the format string pointer plus at most four arguments.
 * Key material must never be passed as an argument to these macros.
 */
#define DEBUG_DBG(...) debug_sprintf_event(debug_info, 6, ##__VA_ARGS__)
#define DEBUG_INFO(...) debug_sprintf_event(debug_info, 5, ##__VA_ARGS__)
#define DEBUG_WARN(...) debug_sprintf_event(debug_info, 4, ##__VA_ARGS__)
#define DEBUG_ERR(...) debug_sprintf_event(debug_info, 3, ##__VA_ARGS__)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48)
/*
 * Register the "pkey" debug feature area, attach the sprintf view and
 * select level 3 as the default recording level.
 */
static void __init pkey_debug_init(void)
{
	/* one dbf entry: the format string pointer plus four arguments */
	const int dbf_entry_size = 5 * sizeof(long);

	debug_info = debug_register("pkey", 1, 1, dbf_entry_size);
	debug_register_view(debug_info, &debug_sprintf_view);
	debug_set_level(debug_info, 3);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56)
/* Release the debug feature area registered by pkey_debug_init(). */
static void __exit pkey_debug_exit(void)
{
	debug_unregister(debug_info);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61)
/*
 * inside view of a protected key token (only type 0x00 version 0x01)
 *
 * The layout is packed and fixed size: pkey_nonccatok2pkey() accepts such
 * a token only when the supplied length equals sizeof(struct protaeskeytoken).
 * The len field is supplied with the token; consumers must not trust it
 * beyond sizeof(protkey).
 */
struct protaeskeytoken {
	u8 type; /* 0x00 for PAES specific key tokens */
	u8 res0[3];
	u8 version; /* should be 0x01 for protected AES key token */
	u8 res1[3];
	u32 keytype; /* key type, one of the PKEY_KEYTYPE values */
	u32 len; /* bytes actually stored in protkey[] */
	u8 protkey[MAXPROTKEYSIZE]; /* the protected key blob */
} __packed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72)
/*
 * inside view of a clear key token (type 0x00 version 0x02)
 *
 * Variable size: the clear key bytes follow the fixed header as a flexible
 * array. pkey_nonccatok2pkey() requires the token length to be exactly
 * sizeof(struct clearaeskeytoken) + len and len to match the AES key type
 * (16, 24 or 32 bytes) before it touches clearkey[].
 */
struct clearaeskeytoken {
	u8 type; /* 0x00 for PAES specific key tokens */
	u8 res0[3];
	u8 version; /* 0x02 for clear AES key token */
	u8 res1[3];
	u32 keytype; /* key type, one of the PKEY_KEYTYPE values */
	u32 len; /* bytes actually stored in clearkey[] */
	u8 clearkey[]; /* clear key value */
} __packed;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83)
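/*
 * Create a protected key from a clear key value.
 *
 * @keytype: one of PKEY_KEYTYPE_AES_128/192/256; selects the key size and
 *           the PCKMO subfunction.
 * @clrkey:  clear key; the first 16, 24 or 32 bytes are used.
 * @protkey: receives type, length (key size + 32) and the protected key.
 *
 * Returns 0 on success, -EINVAL for an unsupported key type and -ENODEV
 * when PCKMO or the required subfunction is not available.
 *
 * The parameter block on the stack first carries the clear key and then
 * the protected key, so it is wiped before returning.
 */
static int pkey_clr2protkey(u32 keytype,
			    const struct pkey_clrkey *clrkey,
			    struct pkey_protkey *protkey)
{
	/* mask of available pckmo subfunctions, queried once and cached */
	static cpacf_mask_t pckmo_functions;

	long fc;
	int keysize;
	u8 paramblock[64];

	switch (keytype) {
	case PKEY_KEYTYPE_AES_128:
		keysize = 16;
		fc = CPACF_PCKMO_ENC_AES_128_KEY;
		break;
	case PKEY_KEYTYPE_AES_192:
		keysize = 24;
		fc = CPACF_PCKMO_ENC_AES_192_KEY;
		break;
	case PKEY_KEYTYPE_AES_256:
		keysize = 32;
		fc = CPACF_PCKMO_ENC_AES_256_KEY;
		break;
	default:
		DEBUG_ERR("%s unknown/unsupported keytype %d\n",
			  __func__, keytype);
		return -EINVAL;
	}

	/* Did we already check for PCKMO ? */
	if (!pckmo_functions.bytes[0]) {
		/* no, so check now */
		if (!cpacf_query(CPACF_PCKMO, &pckmo_functions))
			return -ENODEV;
	}
	/* check for the pckmo subfunction we need now */
	if (!cpacf_test_func(&pckmo_functions, fc)) {
		DEBUG_ERR("%s pckmo functions not available\n", __func__);
		return -ENODEV;
	}

	/* prepare param block; no key material is on the stack before this */
	memset(paramblock, 0, sizeof(paramblock));
	memcpy(paramblock, clrkey->clrkey, keysize);

	/* call the pckmo instruction */
	cpacf_pckmo(fc, paramblock);

	/* copy created protected key */
	protkey->type = keytype;
	protkey->len = keysize + 32;
	memcpy(protkey->protkey, paramblock, keysize + 32);

	/* do not leave key material behind in the dead stack frame */
	memzero_explicit(paramblock, sizeof(paramblock));

	return 0;
}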
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143)
/*
 * Find card and transform secure key into protected key.
 *
 * @key:  CCA secure key token; the version field of its keytoken_header
 *        selects the conversion (TOKVER_CCA_AES or TOKVER_CCA_VLSC).
 * @pkey: receives the protected key blob, its length and its type.
 *
 * Returns 0 on success, -EINVAL for any other token version, otherwise
 * the result of the last cca_findcard() or conversion call.
 *
 * NOTE(review): no length accompanies @key, so the header and the token
 * are read on trust here - presumably callers pass a full-size, already
 * validated token; confirm against the callers.
 */
static int pkey_skey2pkey(const u8 *key, struct pkey_protkey *pkey)
{
	int rc, verify;
	u16 cardnr, domain;
	struct keytoken_header *hdr = (struct keytoken_header *)key;

	/*
	 * The cca_xxx2protkey call may fail when a card has been
	 * addressed where the master key was changed after last fetch
	 * of the mkvp into the cache. Try 3 times: First without verify
	 * then with verify and last round with verify and old master
	 * key verification pattern match not ignored.
	 */
	for (verify = 0; verify < 3; verify++) {
		rc = cca_findcard(key, &cardnr, &domain, verify);
		/* no usable card in this round, go on with the next round */
		if (rc < 0)
			continue;
		/* a positive rc is accepted only in the last round */
		if (rc > 0 && verify < 2)
			continue;
		switch (hdr->version) {
		case TOKVER_CCA_AES:
			rc = cca_sec2protkey(cardnr, domain,
					     key, pkey->protkey,
					     &pkey->len, &pkey->type);
			break;
		case TOKVER_CCA_VLSC:
			rc = cca_cipher2protkey(cardnr, domain,
						key, pkey->protkey,
						&pkey->len, &pkey->type);
			break;
		default:
			return -EINVAL;
		}
		if (rc == 0)
			break;
	}

	/* only traced at debug level 6, see DEBUG_DBG */
	if (rc)
		DEBUG_DBG("%s failed rc=%d\n", __func__, rc);

	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189)
/*
 * Construct EP11 key with given clear key value.
 *
 * @clrkey:    clear key bytes
 * @clrkeylen: clear key length in bytes (handed on as a bit size)
 * @keybuf:    receives the EP11 key blob
 * @keybuflen: passed through to ep11_clr2keyblob()
 *
 * Returns 0 as soon as one APQN built the blob, the ep11_findcard2()
 * error when the APQN lookup failed, -ENODEV when the list was empty,
 * otherwise the error of the last APQN tried.
 */
static int pkey_clr2ep11key(const u8 *clrkey, size_t clrkeylen,
			    u8 *keybuf, size_t *keybuflen)
{
	u32 *apqn_list = NULL;
	u32 apqn_count;
	int idx, rc;

	/* collect the APQNs suitable for ep11 keys with cpacf support */
	rc = ep11_findcard2(&apqn_list, &apqn_count, 0xFFFF, 0xFFFF,
			    ZCRYPT_CEX7, EP11_API_V, NULL);
	if (rc == 0) {
		/* try one APQN after the other until the blob is built */
		rc = -ENODEV;
		for (idx = 0; idx < apqn_count; idx++) {
			/* card number in the upper, domain in the lower 16 bits */
			const u32 apqn = apqn_list[idx];

			rc = ep11_clr2keyblob(apqn >> 16, apqn & 0xFFFF,
					      clrkeylen * 8, 0, clrkey,
					      keybuf, keybuflen);
			if (!rc)
				break;
		}
	}

	kfree(apqn_list);
	if (rc)
		DEBUG_DBG("%s failed rc=%d\n", __func__, rc);
	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222)
/*
 * Find card and transform EP11 secure key into protected key.
 *
 * @key:  EP11 key blob; its wkvp selects the matching APQNs and its
 *        head.len is handed on as the blob length.
 * @pkey: receives the protected key blob, its length and its type.
 *
 * Returns 0 as soon as one APQN derived the protected key, the
 * ep11_findcard2() error when the APQN lookup failed, -ENODEV when the
 * list was empty, otherwise the error of the last APQN tried.
 *
 * NOTE(review): head.len and wkvp are read from @key without a check in
 * this function - presumably the blob was validated by the caller; confirm.
 */
static int pkey_ep11key2pkey(const u8 *key, struct pkey_protkey *pkey)
{
	struct ep11keyblob *blob = (struct ep11keyblob *)key;
	u32 *apqn_list = NULL;
	u32 apqn_count;
	int idx, rc;

	/* collect the APQNs suitable for this key */
	rc = ep11_findcard2(&apqn_list, &apqn_count, 0xFFFF, 0xFFFF,
			    ZCRYPT_CEX7, EP11_API_V, blob->wkvp);
	if (rc == 0) {
		/* try one APQN after the other until a pkey is derived */
		rc = -ENODEV;
		for (idx = 0; idx < apqn_count; idx++) {
			/* card number in the upper, domain in the lower 16 bits */
			const u32 apqn = apqn_list[idx];

			/* offer the full buffer again for every attempt */
			pkey->len = sizeof(pkey->protkey);
			rc = ep11_kblob2protkey(apqn >> 16, apqn & 0xFFFF,
						key, blob->head.len,
						pkey->protkey, &pkey->len,
						&pkey->type);
			if (!rc)
				break;
		}
	}

	kfree(apqn_list);
	if (rc)
		DEBUG_DBG("%s failed rc=%d\n", __func__, rc);
	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256)
/*
 * Verify key and give back some info about the key.
 *
 * @seckey:      CCA AES secure key to check
 * @pcardnr:     optional, receives the card number found for the key
 * @pdomain:     optional, receives the domain found for the key
 * @pkeysize:    optional, receives the bit size stored in the token
 * @pattributes: optional, receives PKEY_VERIFY_ATTR_AES, with
 *               PKEY_VERIFY_ATTR_OLD_MKVP or-ed in when cca_findcard()
 *               returned a positive value
 *
 * Returns 0 on success or the negative error of the token check or the
 * card lookup. *pkeysize and *pattributes are already written when the
 * token check passed, even if the card lookup fails afterwards.
 */
static int pkey_verifykey(const struct pkey_seckey *seckey,
			  u16 *pcardnr, u16 *pdomain,
			  u16 *pkeysize, u32 *pattributes)
{
	struct secaeskeytoken *tok = (struct secaeskeytoken *)seckey;
	u16 found_card, found_dom;
	int rc;

	/* the token has to be a valid AES secure key */
	rc = cca_check_secaeskeytoken(debug_info, 3, (u8 *)seckey, 0);
	if (rc == 0) {
		if (pattributes)
			*pattributes = PKEY_VERIFY_ATTR_AES;
		if (pkeysize)
			*pkeysize = tok->bitsize;

		/* look for a card which can handle this key */
		rc = cca_findcard(seckey->seckey, &found_card, &found_dom, 1);
		if (rc >= 0) {
			if (rc > 0) {
				/* key mkvp matches the old master key mkvp */
				DEBUG_DBG("%s secure key has old mkvp\n",
					  __func__);
				if (pattributes)
					*pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
				rc = 0;
			}
			if (pcardnr)
				*pcardnr = found_card;
			if (pdomain)
				*pdomain = found_dom;
		}
	}

	DEBUG_DBG("%s rc=%d\n", __func__, rc);
	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299)
/*
 * Generate a random protected key
 *
 * @keytype: one of PKEY_KEYTYPE_AES_128/192/256
 * @protkey: receives the generated protected key
 *
 * A throw-away random clear key is converted with pkey_clr2protkey() to
 * obtain a well-formed protected key blob; the leading key bytes of that
 * blob are then replaced with fresh random bytes, so the effective key
 * value never existed in the clear. The bytes behind the key part stay
 * as produced by the conversion (presumably the wrapping key verification
 * pattern - confirm).
 *
 * Returns 0 on success, -EINVAL for an unsupported key type or the error
 * of pkey_clr2protkey().
 */
static int pkey_genprotkey(u32 keytype, struct pkey_protkey *protkey)
{
	struct pkey_clrkey dummy;
	int nbytes;
	int rc;

	if (keytype == PKEY_KEYTYPE_AES_128) {
		nbytes = 16;
	} else if (keytype == PKEY_KEYTYPE_AES_192) {
		nbytes = 24;
	} else if (keytype == PKEY_KEYTYPE_AES_256) {
		nbytes = 32;
	} else {
		DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__,
			  keytype);
		return -EINVAL;
	}

	/* dummy random clear key, only needed to obtain a valid blob */
	get_random_bytes(dummy.clrkey, nbytes);

	/* turn it into a dummy protected key */
	rc = pkey_clr2protkey(keytype, &dummy, protkey);
	if (rc != 0)
		return rc;

	/* overwrite the key part of the protected key with random bytes */
	get_random_bytes(protkey->protkey, nbytes);

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338)
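/*
 * Verify if a protected key is still valid
 *
 * @protkey: protected key to check; its type selects the KMC function.
 *
 * The key is checked by encrypting one all-zero block with a zero IV;
 * the key counts as valid when cpacf_kmc() reports the whole block as
 * processed. protkey->len is not examined here, only the type and the
 * key bytes are.
 *
 * Returns 0 when the key is usable, -EINVAL for an unsupported key type
 * and -EKEYREJECTED when the key is rejected.
 */
static int pkey_verifyprotkey(const struct pkey_protkey *protkey)
{
	unsigned long fc;
	struct {
		u8 iv[AES_BLOCK_SIZE];
		u8 key[MAXPROTKEYSIZE];
	} param;
	u8 null_msg[AES_BLOCK_SIZE];
	u8 dest_buf[AES_BLOCK_SIZE];
	unsigned int k;

	switch (protkey->type) {
	case PKEY_KEYTYPE_AES_128:
		fc = CPACF_KMC_PAES_128;
		break;
	case PKEY_KEYTYPE_AES_192:
		fc = CPACF_KMC_PAES_192;
		break;
	case PKEY_KEYTYPE_AES_256:
		fc = CPACF_KMC_PAES_256;
		break;
	default:
		DEBUG_ERR("%s unknown/unsupported keytype %d\n", __func__,
			  protkey->type);
		return -EINVAL;
	}

	memset(null_msg, 0, sizeof(null_msg));

	memset(param.iv, 0, sizeof(param.iv));
	memcpy(param.key, protkey->protkey, sizeof(param.key));

	k = cpacf_kmc(fc | CPACF_ENCRYPT, &param, null_msg, dest_buf,
		      sizeof(null_msg));

	/* the stack copy of the protected key is no longer needed */
	memzero_explicit(&param, sizeof(param));

	if (k != sizeof(null_msg)) {
		DEBUG_ERR("%s protected key is not valid\n", __func__);
		return -EKEYREJECTED;
	}

	return 0;
}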
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383)
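/*
 * Transform a non-CCA key token into a protected key
 *
 * @key:     key token; the version field of its keytoken_header selects
 *           the handling (protected key, clear key, EP11 AES key with or
 *           without header).
 * @keylen:  length of the token in bytes
 * @protkey: receives the protected key on success
 *
 * Returns 0 on success, -EINVAL for a malformed or unsupported token,
 * -ENOMEM when the temporary buffer cannot be allocated, otherwise the
 * error of the conversion that failed last.
 *
 * A clear key token is converted with PCKMO first, then via a CCA secure
 * key and finally via an EP11 key. The stack copy of the clear key and
 * the temporary secure key buffer are wiped before this function returns.
 */
static int pkey_nonccatok2pkey(const u8 *key, u32 keylen,
			       struct pkey_protkey *protkey)
{
	int rc = -EINVAL;
	u8 *tmpbuf = NULL;
	struct keytoken_header *hdr = (struct keytoken_header *)key;

	/*
	 * NOTE(review): hdr->version is read before keylen is looked at;
	 * presumably callers guarantee keylen >= sizeof(*hdr) - confirm.
	 */
	switch (hdr->version) {
	case TOKVER_PROTECTED_KEY: {
		struct protaeskeytoken *t;

		if (keylen != sizeof(struct protaeskeytoken))
			goto out;
		t = (struct protaeskeytoken *)key;
		/*
		 * len is supplied with the token: refuse a value which does
		 * not fit the key array instead of handing it on to users
		 * of protkey->len.
		 */
		if (t->len > sizeof(protkey->protkey))
			goto out;
		protkey->len = t->len;
		protkey->type = t->keytype;
		memcpy(protkey->protkey, t->protkey,
		       sizeof(protkey->protkey));
		rc = pkey_verifyprotkey(protkey);
		break;
	}
	case TOKVER_CLEAR_KEY: {
		struct clearaeskeytoken *t;
		struct pkey_clrkey ckey;
		union u_tmpbuf {
			u8 skey[SECKEYBLOBSIZE];
			u8 ep11key[MAXEP11AESKEYBLOBSIZE];
		};
		size_t tmpbuflen = sizeof(union u_tmpbuf);

		if (keylen < sizeof(struct clearaeskeytoken))
			goto out;
		t = (struct clearaeskeytoken *)key;
		if (keylen != sizeof(*t) + t->len)
			goto out;
		/* the clear key length has to match the AES key type */
		if (!((t->keytype == PKEY_KEYTYPE_AES_128 && t->len == 16) ||
		      (t->keytype == PKEY_KEYTYPE_AES_192 && t->len == 24) ||
		      (t->keytype == PKEY_KEYTYPE_AES_256 && t->len == 32)))
			goto out;
		/* alloc temp key buffer space */
		tmpbuf = kmalloc(tmpbuflen, GFP_ATOMIC);
		if (!tmpbuf) {
			rc = -ENOMEM;
			goto out;
		}
		/*
		 * The clear key is copied only after every early exit has
		 * been passed, so no error path leaves it on the stack.
		 */
		memcpy(ckey.clrkey, t->clearkey, t->len);
		/* try direct way with the PCKMO instruction */
		rc = pkey_clr2protkey(t->keytype, &ckey, protkey);
		if (rc) {
			/* PCKMO failed, so try the CCA secure key way */
			rc = cca_clr2seckey(0xFFFF, 0xFFFF, t->keytype,
					    ckey.clrkey, tmpbuf);
			if (rc == 0)
				rc = pkey_skey2pkey(tmpbuf, protkey);
		}
		if (rc) {
			/* if the CCA way also failed, let's try via EP11 */
			rc = pkey_clr2ep11key(ckey.clrkey, t->len,
					      tmpbuf, &tmpbuflen);
			if (rc == 0)
				rc = pkey_ep11key2pkey(tmpbuf, protkey);
		}
		/* wipe the clear key copy and the intermediate secure key */
		memzero_explicit(&ckey, sizeof(ckey));
		memzero_explicit(tmpbuf, sizeof(union u_tmpbuf));
		/* report the failure only when all three ways failed */
		if (rc)
			DEBUG_ERR("%s unable to build protected key from clear",
				  __func__);
		break;
	}
	case TOKVER_EP11_AES: {
		/* check ep11 key for exportable as protected key */
		rc = ep11_check_aes_key(debug_info, 3, key, keylen, 1);
		if (rc)
			goto out;
		rc = pkey_ep11key2pkey(key, protkey);
		break;
	}
	case TOKVER_EP11_AES_WITH_HEADER:
		/* check ep11 key with header for exportable as protected key */
		rc = ep11_check_aes_key_with_hdr(debug_info, 3, key, keylen, 1);
		if (rc)
			goto out;
		/* the key blob follows the ep11kblob_header */
		rc = pkey_ep11key2pkey(key + sizeof(struct ep11kblob_header),
				       protkey);
		break;
	default:
		DEBUG_ERR("%s unknown/unsupported non-CCA token version %d\n",
			  __func__, hdr->version);
		rc = -EINVAL;
	}

out:
	kfree(tmpbuf);
	return rc;
}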
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 481)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 482) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 483) * Transform a CCA internal key token into a protected key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 484) */
static int pkey_ccainttok2pkey(const u8 *key, u32 keylen,
			       struct pkey_protkey *protkey)
{
	/*
	 * Length-gate a CCA internal key token by its version, then hand it
	 * to pkey_skey2pkey() for the actual conversion.
	 *
	 * Returns -EINVAL for a length mismatch or an unknown token version,
	 * otherwise whatever pkey_skey2pkey() returns.
	 *
	 * There is no header-size check here: the header fields are read
	 * straight away, so the caller has to guarantee that keylen covers
	 * struct keytoken_header (pkey_keyblob2pkey() does so before it
	 * dispatches to this function).
	 */
	const struct keytoken_header *tokhdr =
		(const struct keytoken_header *)key;

	if (tokhdr->version == TOKVER_CCA_AES) {
		/* AES data key tokens have exactly one valid size */
		if (keylen != sizeof(struct secaeskeytoken))
			return -EINVAL;
	} else if (tokhdr->version == TOKVER_CCA_VLSC) {
		/* the buffer must hold the length the token declares ... */
		if (keylen < tokhdr->len)
			return -EINVAL;
		/* ... and must not exceed the variable-length token limit */
		if (keylen > MAXCCAVLSCTOKENSIZE)
			return -EINVAL;
	} else {
		DEBUG_ERR("%s unknown/unsupported CCA internal token version %d\n",
			  __func__, tokhdr->version);
		return -EINVAL;
	}

	return pkey_skey2pkey(key, protkey);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 507)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 508) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509) * Transform a key blob (of any type) into a protected key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 510) */
int pkey_keyblob2pkey(const u8 *key, u32 keylen,
		      struct pkey_protkey *protkey)
{
	/*
	 * Entry point for converting a key blob of any supported type into a
	 * protected key: dispatches on the token type found in the generic
	 * header.
	 *
	 * Returns -EINVAL if the blob is shorter than the generic header or
	 * carries an unknown token type; otherwise the result of the
	 * type-specific converter.
	 */
	const struct keytoken_header *tokhdr =
		(const struct keytoken_header *)key;
	int ret;

	/* the type field read below must lie inside the caller's buffer */
	if (keylen < sizeof(struct keytoken_header)) {
		DEBUG_ERR("%s invalid keylen %d\n", __func__, keylen);
		return -EINVAL;
	}

	if (tokhdr->type == TOKTYPE_NON_CCA) {
		ret = pkey_nonccatok2pkey(key, keylen, protkey);
	} else if (tokhdr->type == TOKTYPE_CCA_INTERNAL) {
		ret = pkey_ccainttok2pkey(key, keylen, protkey);
	} else {
		DEBUG_ERR("%s unknown/unsupported blob type %d\n",
			  __func__, tokhdr->type);
		return -EINVAL;
	}

	DEBUG_DBG("%s rc=%d\n", __func__, ret);
	return ret;
}
EXPORT_SYMBOL(pkey_keyblob2pkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 540)
static int pkey_genseckey2(const struct pkey_apqn *apqns, size_t nr_apqns,
			   enum pkey_key_type ktype, enum pkey_key_size ksize,
			   u32 kflags, u8 *keybuf, size_t *keybufsize)
{
	/*
	 * Generate a secure key of the requested type and size on the first
	 * APQN in the list that accepts the request.
	 *
	 * @apqns/@nr_apqns: candidate APQNs, tried in order; at least one
	 * @ktype:           PKEY_TYPE_CCA_DATA, PKEY_TYPE_CCA_CIPHER or
	 *                   PKEY_TYPE_EP11
	 * @ksize:           one of the three PKEY_SIZE_AES_* values
	 * @keybuf:          output buffer for the key blob
	 * @keybufsize:      in: size of @keybuf; out: updated by the backend,
	 *                   or set here for CCA data keys
	 *
	 * Returns 0 on success, -EINVAL for bad arguments, otherwise the
	 * error of the last APQN tried.
	 */
	int idx, cardnr, domain, ret = -ENODEV;

	if (!apqns || !nr_apqns)
		return -EINVAL;

	/* the output buffer must hold at least the smallest blob of this type */
	if (ktype == PKEY_TYPE_CCA_DATA || ktype == PKEY_TYPE_CCA_CIPHER) {
		if (*keybufsize < SECKEYBLOBSIZE)
			return -EINVAL;
	} else if (ktype == PKEY_TYPE_EP11) {
		if (*keybufsize < MINEP11AESKEYBLOBSIZE)
			return -EINVAL;
	} else {
		return -EINVAL;
	}

	if (ksize != PKEY_SIZE_AES_128 &&
	    ksize != PKEY_SIZE_AES_192 &&
	    ksize != PKEY_SIZE_AES_256)
		return -EINVAL;

	for (idx = 0; idx < nr_apqns; idx++) {
		cardnr = apqns[idx].card;
		domain = apqns[idx].domain;

		switch (ktype) {
		case PKEY_TYPE_EP11:
			ret = ep11_genaeskey(cardnr, domain, ksize, kflags,
					     keybuf, keybufsize);
			break;
		case PKEY_TYPE_CCA_DATA:
			/*
			 * cca_genseckey() is not given the buffer size, so
			 * the resulting size is reported from here; note
			 * that a failed attempt resets it to 0.
			 */
			ret = cca_genseckey(cardnr, domain, ksize, keybuf);
			*keybufsize = (ret ? 0 : SECKEYBLOBSIZE);
			break;
		default:
			/* PKEY_TYPE_CCA_CIPHER, the only type left here */
			ret = cca_gencipherkey(cardnr, domain, ksize, kflags,
					       keybuf, keybufsize);
			break;
		}

		/* the first APQN that succeeds ends the search */
		if (!ret)
			return 0;
	}

	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593)
static int pkey_clr2seckey2(const struct pkey_apqn *apqns, size_t nr_apqns,
			    enum pkey_key_type ktype, enum pkey_key_size ksize,
			    u32 kflags, const u8 *clrkey,
			    u8 *keybuf, size_t *keybufsize)
{
	/*
	 * Build a secure key blob from a clear key value on the first APQN
	 * in the list that accepts the request.
	 *
	 * @apqns/@nr_apqns: candidate APQNs, tried in order; at least one
	 * @ktype:           PKEY_TYPE_CCA_DATA, PKEY_TYPE_CCA_CIPHER or
	 *                   PKEY_TYPE_EP11
	 * @ksize:           one of the three PKEY_SIZE_AES_* values
	 * @clrkey:          clear key material; only passed through to the
	 *                   backend, never copied or wiped in this function
	 * @keybuf:          output buffer for the key blob
	 * @keybufsize:      in: size of @keybuf; out: updated by the backend,
	 *                   or set here for CCA data keys
	 *
	 * Returns 0 on success, -EINVAL for bad arguments, otherwise the
	 * error of the last APQN tried.
	 */
	int idx, cardnr, domain, ret = -ENODEV;

	if (!apqns || !nr_apqns)
		return -EINVAL;

	/* the output buffer must hold at least the smallest blob of this type */
	if (ktype == PKEY_TYPE_CCA_DATA || ktype == PKEY_TYPE_CCA_CIPHER) {
		if (*keybufsize < SECKEYBLOBSIZE)
			return -EINVAL;
	} else if (ktype == PKEY_TYPE_EP11) {
		if (*keybufsize < MINEP11AESKEYBLOBSIZE)
			return -EINVAL;
	} else {
		return -EINVAL;
	}

	if (ksize != PKEY_SIZE_AES_128 &&
	    ksize != PKEY_SIZE_AES_192 &&
	    ksize != PKEY_SIZE_AES_256)
		return -EINVAL;

	for (idx = 0; idx < nr_apqns; idx++) {
		cardnr = apqns[idx].card;
		domain = apqns[idx].domain;

		switch (ktype) {
		case PKEY_TYPE_EP11:
			ret = ep11_clr2keyblob(cardnr, domain, ksize, kflags,
					       clrkey, keybuf, keybufsize);
			break;
		case PKEY_TYPE_CCA_DATA:
			/*
			 * cca_clr2seckey() is not given the buffer size, so
			 * the resulting size is reported from here; note
			 * that a failed attempt resets it to 0.
			 */
			ret = cca_clr2seckey(cardnr, domain, ksize,
					     clrkey, keybuf);
			*keybufsize = (ret ? 0 : SECKEYBLOBSIZE);
			break;
		default:
			/* PKEY_TYPE_CCA_CIPHER, the only type left here */
			ret = cca_clr2cipherkey(cardnr, domain, ksize, kflags,
						clrkey, keybuf, keybufsize);
			break;
		}

		/* the first APQN that succeeds ends the search */
		if (!ret)
			return 0;
	}

	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 648)
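/*
 * Verify a CCA AES data key, CCA AES cipher key or EP11 AES key blob and
 * look up an APQN whose master key verification pattern matches it.
 *
 * @key/@keylen: key blob and the number of valid bytes in it
 * @cardnr:      in: card passed to the findcard helper; out: card of the
 *               first matching APQN. Must not be NULL.
 * @domain:      in: domain passed to the findcard helper; out: domain of
 *               the first matching APQN. Must not be NULL.
 * @ktype:       optional out: detected PKEY_TYPE_* value
 * @ksize:       optional out: key size taken from the token
 * @flags:       optional out: PKEY_FLAGS_MATCH_CUR_MKVP or
 *               PKEY_FLAGS_MATCH_ALT_MKVP, depending on which lookup
 *               succeeded
 *
 * Returns 0 on success, -EINVAL for a blob that is too short or of an
 * unsupported type/version, otherwise the error of the token check or of
 * the APQN lookup.
 */
static int pkey_verifykey2(const u8 *key, size_t keylen,
			   u16 *cardnr, u16 *domain,
			   enum pkey_key_type *ktype,
			   enum pkey_key_size *ksize, u32 *flags)
{
	int rc;
	u32 _nr_apqns, *_apqns = NULL;
	struct keytoken_header *hdr = (struct keytoken_header *)key;

	if (keylen < sizeof(struct keytoken_header))
		return -EINVAL;

	if (hdr->type == TOKTYPE_CCA_INTERNAL &&
	    hdr->version == TOKVER_CCA_AES) {
		struct secaeskeytoken *t = (struct secaeskeytoken *)key;

		/*
		 * cca_check_secaeskeytoken() is not told the blob length and
		 * t->bitsize / t->mkvp are read below, so a blob that only
		 * covers the generic header must be rejected first.
		 * pkey_keyblob2pkey2() checks the length of this token type
		 * before running the same token check.
		 */
		if (keylen < sizeof(*t))
			return -EINVAL;

		rc = cca_check_secaeskeytoken(debug_info, 3, key, 0);
		if (rc)
			goto out;
		if (ktype)
			*ktype = PKEY_TYPE_CCA_DATA;
		if (ksize)
			*ksize = (enum pkey_key_size)t->bitsize;

		/* first lookup: token mkvp against the current master key */
		rc = cca_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
				   ZCRYPT_CEX3C, AES_MK_SET, t->mkvp, 0, 1);
		if (rc == 0 && flags)
			*flags = PKEY_FLAGS_MATCH_CUR_MKVP;
		if (rc == -ENODEV) {
			/* second lookup: mkvp moved to the other slot */
			rc = cca_findcard2(&_apqns, &_nr_apqns,
					   *cardnr, *domain,
					   ZCRYPT_CEX3C, AES_MK_SET,
					   0, t->mkvp, 1);
			if (rc == 0 && flags)
				*flags = PKEY_FLAGS_MATCH_ALT_MKVP;
		}
		if (rc)
			goto out;

		/* report the first APQN of the returned list */
		*cardnr = ((struct pkey_apqn *)_apqns)->card;
		*domain = ((struct pkey_apqn *)_apqns)->domain;

	} else if (hdr->type == TOKTYPE_CCA_INTERNAL &&
		   hdr->version == TOKVER_CCA_VLSC) {
		struct cipherkeytoken *t = (struct cipherkeytoken *)key;

		/*
		 * Same reasoning as above: the token check gets no length
		 * and t->plfver, t->wpllen and t->mkvp0 are read below, so
		 * the fixed part of the token must be inside the buffer.
		 */
		if (keylen < sizeof(*t))
			return -EINVAL;

		rc = cca_check_secaescipherkey(debug_info, 3, key, 0, 1);
		if (rc)
			goto out;
		if (ktype)
			*ktype = PKEY_TYPE_CCA_CIPHER;
		if (ksize) {
			/* key size is derived from the payload length */
			*ksize = PKEY_SIZE_UNKNOWN;
			if (!t->plfver && t->wpllen == 512)
				*ksize = PKEY_SIZE_AES_128;
			else if (!t->plfver && t->wpllen == 576)
				*ksize = PKEY_SIZE_AES_192;
			else if (!t->plfver && t->wpllen == 640)
				*ksize = PKEY_SIZE_AES_256;
		}

		rc = cca_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
				   ZCRYPT_CEX6, AES_MK_SET, t->mkvp0, 0, 1);
		if (rc == 0 && flags)
			*flags = PKEY_FLAGS_MATCH_CUR_MKVP;
		if (rc == -ENODEV) {
			rc = cca_findcard2(&_apqns, &_nr_apqns,
					   *cardnr, *domain,
					   ZCRYPT_CEX6, AES_MK_SET,
					   0, t->mkvp0, 1);
			if (rc == 0 && flags)
				*flags = PKEY_FLAGS_MATCH_ALT_MKVP;
		}
		if (rc)
			goto out;

		*cardnr = ((struct pkey_apqn *)_apqns)->card;
		*domain = ((struct pkey_apqn *)_apqns)->domain;

	} else if (hdr->type == TOKTYPE_NON_CCA &&
		   hdr->version == TOKVER_EP11_AES) {
		struct ep11keyblob *kb = (struct ep11keyblob *)key;

		/* this check is handed keylen, so no extra guard is added */
		rc = ep11_check_aes_key(debug_info, 3, key, keylen, 1);
		if (rc)
			goto out;
		if (ktype)
			*ktype = PKEY_TYPE_EP11;
		if (ksize)
			*ksize = kb->head.keybitlen;

		rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
				    ZCRYPT_CEX7, EP11_API_V, kb->wkvp);
		if (rc)
			goto out;

		if (flags)
			*flags = PKEY_FLAGS_MATCH_CUR_MKVP;

		*cardnr = ((struct pkey_apqn *)_apqns)->card;
		*domain = ((struct pkey_apqn *)_apqns)->domain;

	} else {
		rc = -EINVAL;
	}

out:
	/* kfree(NULL) is a no-op, so this also covers the early error paths */
	kfree(_apqns);
	return rc;
}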
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 758)
static int pkey_keyblob2pkey2(const struct pkey_apqn *apqns, size_t nr_apqns,
			      const u8 *key, size_t keylen,
			      struct pkey_protkey *pkey)
{
	/*
	 * Convert a key blob into a protected key, trying the caller's APQNs
	 * in order until one succeeds.
	 *
	 * CCA AES data keys, CCA AES cipher keys and EP11 AES keys are
	 * validated here and then sent to the listed APQNs. Every other
	 * non-CCA token version is forwarded to pkey_nonccatok2pkey(), which
	 * is not given the APQN list.
	 *
	 * Returns 0 on success, -EINVAL for bad arguments or a blob that
	 * fails validation, otherwise the error of the last APQN tried.
	 */
	struct keytoken_header *tokhdr = (struct keytoken_header *)key;
	int idx, cardnr, domain, ret;

	if (!apqns || !nr_apqns)
		return -EINVAL;

	/* type and version are read from the header below */
	if (keylen < sizeof(struct keytoken_header))
		return -EINVAL;

	switch (tokhdr->type) {
	case TOKTYPE_CCA_INTERNAL:
		switch (tokhdr->version) {
		case TOKVER_CCA_AES:
			/* length first: the token check gets no length */
			if (keylen != sizeof(struct secaeskeytoken))
				return -EINVAL;
			if (cca_check_secaeskeytoken(debug_info, 3, key, 0))
				return -EINVAL;
			break;
		case TOKVER_CCA_VLSC:
			if (keylen < tokhdr->len ||
			    keylen > MAXCCAVLSCTOKENSIZE)
				return -EINVAL;
			if (cca_check_secaescipherkey(debug_info, 3, key, 0, 1))
				return -EINVAL;
			break;
		default:
			DEBUG_ERR("%s unknown CCA internal token version %d\n",
				  __func__, tokhdr->version);
			return -EINVAL;
		}
		break;
	case TOKTYPE_NON_CCA:
		if (tokhdr->version != TOKVER_EP11_AES)
			return pkey_nonccatok2pkey(key, keylen, pkey);
		if (keylen < sizeof(struct ep11keyblob))
			return -EINVAL;
		if (ep11_check_aes_key(debug_info, 3, key, keylen, 1))
			return -EINVAL;
		break;
	default:
		DEBUG_ERR("%s unknown/unsupported blob type %d\n",
			  __func__, tokhdr->type);
		return -EINVAL;
	}

	ret = -ENODEV;
	for (idx = 0; idx < nr_apqns; idx++) {
		const bool cca_tok = tokhdr->type == TOKTYPE_CCA_INTERNAL;

		cardnr = apqns[idx].card;
		domain = apqns[idx].domain;

		if (cca_tok && tokhdr->version == TOKVER_CCA_AES) {
			ret = cca_sec2protkey(cardnr, domain, key,
					      pkey->protkey,
					      &pkey->len, &pkey->type);
		} else if (cca_tok && tokhdr->version == TOKVER_CCA_VLSC) {
			ret = cca_cipher2protkey(cardnr, domain, key,
						 pkey->protkey,
						 &pkey->len, &pkey->type);
		} else {
			/* EP11 AES secure key blob */
			struct ep11keyblob *kb = (struct ep11keyblob *)key;

			/*
			 * NOTE(review): the blob length handed down is
			 * kb->head.len from the token, not keylen;
			 * presumably ep11_check_aes_key() above has bounded
			 * it by keylen - confirm.
			 */
			pkey->len = sizeof(pkey->protkey);
			ret = ep11_kblob2protkey(cardnr, domain, key,
						 kb->head.len,
						 pkey->protkey, &pkey->len,
						 &pkey->type);
		}

		/* the first APQN that succeeds ends the search */
		if (!ret)
			break;
	}

	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 830)
static int pkey_apqns4key(const u8 *key, size_t keylen, u32 flags,
			  struct pkey_apqn *apqns, size_t *nr_apqns)
{
	/*
	 * Build the list of APQNs able to handle the given key blob.
	 *
	 * @key/@keylen: key blob and the number of valid bytes in it
	 * @flags:       PKEY_FLAGS_MATCH_* selection, must be non-zero; EP11
	 *               blobs accept PKEY_FLAGS_MATCH_CUR_MKVP only
	 * @apqns:       optional output array; when NULL only the count is
	 *               reported
	 * @nr_apqns:    in: capacity of @apqns; out: number of APQNs found
	 *
	 * Returns 0 on success, -EINVAL for unsupported blobs or flags,
	 * -ENOSPC if @apqns is too small (the count is still written),
	 * otherwise the error of the findcard helper.
	 *
	 * NOTE(review): only the generic header length is checked here. The
	 * branches below read fields of the larger token structs (and, for
	 * the "with header" EP11 versions, data behind struct
	 * ep11kblob_header) with no further length check in this function -
	 * confirm that every caller guarantees keylen covers them.
	 */
	struct keytoken_header *tokhdr = (struct keytoken_header *)key;
	u32 found_cnt, *found = NULL;
	int ret;

	if (flags == 0 || keylen < sizeof(struct keytoken_header))
		return -EINVAL;

	if (tokhdr->type == TOKTYPE_NON_CCA) {
		int minhwtype = 0, api = 0;
		struct ep11keyblob *kb;
		const u8 *blob;

		/* locate the EP11 blob: behind the extra header, or at 0 */
		if (tokhdr->version == TOKVER_EP11_AES_WITH_HEADER ||
		    tokhdr->version == TOKVER_EP11_ECC_WITH_HEADER)
			blob = key + sizeof(struct ep11kblob_header);
		else if (tokhdr->version == TOKVER_EP11_AES)
			blob = key;
		else
			return -EINVAL;
		if (!is_ep11_keyblob(blob))
			return -EINVAL;
		kb = (struct ep11keyblob *)blob;

		if (flags != PKEY_FLAGS_MATCH_CUR_MKVP)
			return -EINVAL;
		/* protected-key extractable blobs raise the hw/api minimum */
		if (kb->attr & EP11_BLOB_PKEY_EXTRACTABLE) {
			minhwtype = ZCRYPT_CEX7;
			api = EP11_API_V;
		}
		ret = ep11_findcard2(&found, &found_cnt, 0xFFFF, 0xFFFF,
				     minhwtype, api, kb->wkvp);
		if (ret)
			goto out;
	} else if (tokhdr->type == TOKTYPE_CCA_INTERNAL) {
		u64 cur_mkvp = 0, old_mkvp = 0;
		int minhwtype = ZCRYPT_CEX3C;

		if (tokhdr->version == TOKVER_CCA_AES) {
			struct secaeskeytoken *t = (struct secaeskeytoken *)key;

			if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
				cur_mkvp = t->mkvp;
			if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
				old_mkvp = t->mkvp;
		} else if (tokhdr->version == TOKVER_CCA_VLSC) {
			struct cipherkeytoken *t = (struct cipherkeytoken *)key;

			minhwtype = ZCRYPT_CEX6;
			if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
				cur_mkvp = t->mkvp0;
			if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
				old_mkvp = t->mkvp0;
		} else {
			/* unknown cca internal token type */
			return -EINVAL;
		}
		ret = cca_findcard2(&found, &found_cnt, 0xFFFF, 0xFFFF,
				    minhwtype, AES_MK_SET,
				    cur_mkvp, old_mkvp, 1);
		if (ret)
			goto out;
	} else if (tokhdr->type == TOKTYPE_CCA_INTERNAL_PKA) {
		struct eccprivkeytoken *t = (struct eccprivkeytoken *)key;
		u64 cur_mkvp = 0, old_mkvp = 0;

		/* only tokens with section id 0x20 are handled */
		if (t->secid != 0x20) {
			/* unknown cca internal 2 token type */
			return -EINVAL;
		}
		if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
			cur_mkvp = t->mkvp;
		if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
			old_mkvp = t->mkvp;
		ret = cca_findcard2(&found, &found_cnt, 0xFFFF, 0xFFFF,
				    ZCRYPT_CEX7, APKA_MK_SET,
				    cur_mkvp, old_mkvp, 1);
		if (ret)
			goto out;
	} else {
		return -EINVAL;
	}

	/* copy only when everything fits; the count is reported either way */
	if (apqns && *nr_apqns < found_cnt)
		ret = -ENOSPC;
	else if (apqns)
		memcpy(apqns, found, found_cnt * sizeof(u32));
	*nr_apqns = found_cnt;

out:
	kfree(found);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 936)
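/*
 * Build the list of APQNs that are able to handle keys of type @ktype.
 *
 * @ktype:    key type; the CCA data/cipher, CCA ECC and EP11 types are
 *            handled, every other value is rejected with -EINVAL
 * @cur_mkvp: master key verification pattern to match against the current
 *            master key, used only if PKEY_FLAGS_MATCH_CUR_MKVP is set.
 *            The CCA branches use the first 8 bytes only; the EP11 branch
 *            hands the pointer on to ep11_findcard2().
 * @alt_mkvp: pattern to match as "old" master key, used only by the CCA
 *            branches and only if PKEY_FLAGS_MATCH_ALT_MKVP is set
 * @flags:    PKEY_FLAGS_MATCH_* selection bits
 * @apqns:    optional output array, may be NULL to only query the count
 * @nr_apqns: in: capacity of @apqns in entries, out: number of APQNs found
 *
 * Returns 0 on success, -EINVAL for an unsupported @ktype, -ENOSPC if
 * @apqns is too small (*nr_apqns still reports the required count), or
 * the error code of the findcard helper.
 */
static int pkey_apqns4keytype(enum pkey_key_type ktype,
			      u8 cur_mkvp[32], u8 alt_mkvp[32], u32 flags,
			      struct pkey_apqn *apqns, size_t *nr_apqns)
{
	int rc;
	u32 _nr_apqns, *_apqns = NULL;

	if (ktype == PKEY_TYPE_CCA_DATA || ktype == PKEY_TYPE_CCA_CIPHER) {
		/*
		 * The locals must not be named like the parameters: a local
		 * u64 called cur_mkvp shadows the u8 array, so the requested
		 * pattern is never read and the (zero) local is dereferenced
		 * as a pointer instead.
		 */
		u64 cur_vp = 0, old_vp = 0;
		int minhwtype = ZCRYPT_CEX3C;

		if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
			memcpy(&cur_vp, cur_mkvp, sizeof(cur_vp));
		if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
			memcpy(&old_vp, alt_mkvp, sizeof(old_vp));
		if (ktype == PKEY_TYPE_CCA_CIPHER)
			minhwtype = ZCRYPT_CEX6;
		rc = cca_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
				   minhwtype, AES_MK_SET,
				   cur_vp, old_vp, 1);
		if (rc)
			goto out;
	} else if (ktype == PKEY_TYPE_CCA_ECC) {
		/* same shadowing hazard as above, hence the distinct names */
		u64 cur_vp = 0, old_vp = 0;

		if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
			memcpy(&cur_vp, cur_mkvp, sizeof(cur_vp));
		if (flags & PKEY_FLAGS_MATCH_ALT_MKVP)
			memcpy(&old_vp, alt_mkvp, sizeof(old_vp));
		rc = cca_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
				   ZCRYPT_CEX7, APKA_MK_SET,
				   cur_vp, old_vp, 1);
		if (rc)
			goto out;
	} else if (ktype == PKEY_TYPE_EP11 ||
		   ktype == PKEY_TYPE_EP11_AES ||
		   ktype == PKEY_TYPE_EP11_ECC) {
		u8 *wkvp = NULL;

		/* only the current pattern is used here, @alt_mkvp is ignored */
		if (flags & PKEY_FLAGS_MATCH_CUR_MKVP)
			wkvp = cur_mkvp;
		rc = ep11_findcard2(&_apqns, &_nr_apqns, 0xFFFF, 0xFFFF,
				    ZCRYPT_CEX7, EP11_API_V, wkvp);
		if (rc)
			goto out;
	} else {
		/* nothing allocated yet, so a plain return is fine */
		return -EINVAL;
	}

	if (apqns) {
		if (*nr_apqns < _nr_apqns)
			rc = -ENOSPC;
		else
			/*
			 * NOTE(review): copies u32 sized entries into an array
			 * of struct pkey_apqn; presumably both have the same
			 * size - confirm against the struct definition.
			 */
			memcpy(apqns, _apqns, _nr_apqns * sizeof(u32));
	}
	/* the count is reported even when the array was too small */
	*nr_apqns = _nr_apqns;

out:
	kfree(_apqns);
	return rc;
}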
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 999)
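/*
 * Derive a protected key from a key blob, trying the given APQNs in order.
 *
 * @apqns:       list of APQNs to try, at least one entry is required
 * @nr_apqns:    number of entries in @apqns
 * @key:         key blob, starts with a struct keytoken_header
 * @keylen:      size of @key in bytes
 * @protkeytype: out: type of the protected key
 * @protkey:     out: buffer receiving the protected key
 * @protkeylen:  out: length of the protected key; also handed on to the
 *               cca/ep11 conversion helpers
 *
 * The blob is validated according to its token type and version first.
 * Non-CCA tokens that are not EP11 blobs are converted directly via
 * pkey_nonccatok2pkey() without touching @apqns. All other supported
 * blobs are tried on each APQN until one conversion returns 0.
 *
 * Returns 0 on success, -EINVAL for missing APQNs or an invalid or
 * unsupported blob, otherwise the return code of the last conversion.
 */
static int pkey_keyblob2pkey3(const struct pkey_apqn *apqns, size_t nr_apqns,
			      const u8 *key, size_t keylen, u32 *protkeytype,
			      u8 *protkey, u32 *protkeylen)
{
	struct keytoken_header *hdr = (struct keytoken_header *)key;
	int card, dom, rc;
	size_t i;	/* same type as nr_apqns, avoids a signed/unsigned compare */

	/* check for at least one apqn given */
	if (!apqns || !nr_apqns)
		return -EINVAL;

	/*
	 * NOTE(review): only the generic header size is checked before the
	 * is_ep11_keyblob() probes below look behind an ep11kblob_header;
	 * presumably callers enforce a larger minimum blob size (compare
	 * MINKEYBLOBSIZE in _copy_key_from_user()) - confirm.
	 */
	if (keylen < sizeof(struct keytoken_header))
		return -EINVAL;

	if (hdr->type == TOKTYPE_NON_CCA
	    && hdr->version == TOKVER_EP11_AES_WITH_HEADER
	    && is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) {
		/* EP11 AES key blob with header */
		if (ep11_check_aes_key_with_hdr(debug_info, 3, key, keylen, 1))
			return -EINVAL;
	} else if (hdr->type == TOKTYPE_NON_CCA
		   && hdr->version == TOKVER_EP11_ECC_WITH_HEADER
		   && is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) {
		/* EP11 ECC key blob with header */
		if (ep11_check_ecc_key_with_hdr(debug_info, 3, key, keylen, 1))
			return -EINVAL;
	} else if (hdr->type == TOKTYPE_NON_CCA
		   && hdr->version == TOKVER_EP11_AES
		   && is_ep11_keyblob(key)) {
		/* EP11 AES key blob with header in session field */
		if (ep11_check_aes_key(debug_info, 3, key, keylen, 1))
			return -EINVAL;
	} else if (hdr->type == TOKTYPE_CCA_INTERNAL) {
		if (hdr->version == TOKVER_CCA_AES) {
			/* CCA AES data key */
			if (keylen != sizeof(struct secaeskeytoken))
				return -EINVAL;
			if (cca_check_secaeskeytoken(debug_info, 3, key, 0))
				return -EINVAL;
		} else if (hdr->version == TOKVER_CCA_VLSC) {
			/* CCA AES cipher key */
			if (keylen < hdr->len || keylen > MAXCCAVLSCTOKENSIZE)
				return -EINVAL;
			if (cca_check_secaescipherkey(debug_info, 3, key, 0, 1))
				return -EINVAL;
		} else {
			DEBUG_ERR("%s unknown CCA internal token version %d\n",
				  __func__, hdr->version);
			return -EINVAL;
		}
	} else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA) {
		/* CCA ECC (private) key */
		if (keylen < sizeof(struct eccprivkeytoken))
			return -EINVAL;
		if (cca_check_sececckeytoken(debug_info, 3, key, keylen, 1))
			return -EINVAL;
	} else if (hdr->type == TOKTYPE_NON_CCA) {
		struct pkey_protkey pkey;

		rc = pkey_nonccatok2pkey(key, keylen, &pkey);
		if (!rc) {
			/*
			 * NOTE(review): pkey.len is not compared with the
			 * capacity of @protkey; presumably the caller's
			 * buffer is at least as large as pkey.protkey -
			 * confirm.
			 */
			memcpy(protkey, pkey.protkey, pkey.len);
			*protkeylen = pkey.len;
			*protkeytype = pkey.type;
		}
		/* do not leave a copy of the protected key on the stack */
		memzero_explicit(&pkey, sizeof(pkey));
		return rc;
	} else {
		DEBUG_ERR("%s unknown/unsupported blob type %d\n",
			  __func__, hdr->type);
		return -EINVAL;
	}

	/* simple try all apqns from the list, stop at the first success */
	for (rc = -ENODEV, i = 0; rc && i < nr_apqns; i++) {
		card = apqns[i].card;
		dom = apqns[i].domain;
		/*
		 * NOTE(review): the EP11 calls pass hdr->len, a length taken
		 * from the blob itself, not keylen; presumably the
		 * ep11_check_*() calls above have validated it against
		 * keylen - confirm.
		 */
		if (hdr->type == TOKTYPE_NON_CCA
		    && (hdr->version == TOKVER_EP11_AES_WITH_HEADER
			|| hdr->version == TOKVER_EP11_ECC_WITH_HEADER)
		    && is_ep11_keyblob(key + sizeof(struct ep11kblob_header)))
			rc = ep11_kblob2protkey(card, dom, key, hdr->len,
						protkey, protkeylen, protkeytype);
		else if (hdr->type == TOKTYPE_NON_CCA
			 && hdr->version == TOKVER_EP11_AES
			 && is_ep11_keyblob(key))
			rc = ep11_kblob2protkey(card, dom, key, hdr->len,
						protkey, protkeylen, protkeytype);
		else if (hdr->type == TOKTYPE_CCA_INTERNAL &&
			 hdr->version == TOKVER_CCA_AES)
			rc = cca_sec2protkey(card, dom, key, protkey,
					     protkeylen, protkeytype);
		else if (hdr->type == TOKTYPE_CCA_INTERNAL &&
			 hdr->version == TOKVER_CCA_VLSC)
			rc = cca_cipher2protkey(card, dom, key, protkey,
						protkeylen, protkeytype);
		else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA)
			rc = cca_ecc2protkey(card, dom, key, protkey,
					     protkeylen, protkeytype);
		else
			return -EINVAL;
	}

	return rc;
}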
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1104)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1105) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1106) * File io functions
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1107) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1108)
/*
 * Duplicate a key blob from user space into kernel memory.
 *
 * The length is bounded on both sides before anything is copied: a NULL
 * pointer or a @keylen outside MINKEYBLOBSIZE..KEYBLOBBUFSIZE gives
 * ERR_PTR(-EINVAL). Otherwise the result of memdup_user() is returned,
 * which the caller has to check with IS_ERR() and release with kfree().
 */
static void *_copy_key_from_user(void __user *ukey, size_t keylen)
{
	bool len_ok = keylen >= MINKEYBLOBSIZE && keylen <= KEYBLOBBUFSIZE;

	if (ukey && len_ok)
		return memdup_user(ukey, keylen);

	return ERR_PTR(-EINVAL);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1116)
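/*
 * Duplicate a user space array of @nr_apqns struct pkey_apqn entries into
 * kernel memory.
 *
 * Returns NULL if no array or a count of zero was given; this is not an
 * error, callers distinguish it from a failure with IS_ERR(). Returns an
 * ERR_PTR() on failure, otherwise a buffer the caller releases with
 * kfree().
 */
static void *_copy_apqns_from_user(void __user *uapqns, size_t nr_apqns)
{
	if (!uapqns || nr_apqns == 0)
		return NULL;

	/*
	 * The count is supplied by the ioctl caller: refuse a value whose
	 * byte size would wrap, so the copy can never be shorter than the
	 * entry count the caller goes on to use.
	 */
	if (nr_apqns > SIZE_MAX / sizeof(struct pkey_apqn))
		return ERR_PTR(-EINVAL);

	return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn));
}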
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1124)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1125) static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1126) unsigned long arg)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1127) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1128) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1129)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1130) switch (cmd) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1131) case PKEY_GENSECK: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1132) struct pkey_genseck __user *ugs = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1133) struct pkey_genseck kgs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1134)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1135) if (copy_from_user(&kgs, ugs, sizeof(kgs)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1136) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1137) rc = cca_genseckey(kgs.cardnr, kgs.domain,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1138) kgs.keytype, kgs.seckey.seckey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1139) DEBUG_DBG("%s cca_genseckey()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1140) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1141) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1142) if (copy_to_user(ugs, &kgs, sizeof(kgs)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1143) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1144) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1145) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1146) case PKEY_CLR2SECK: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1147) struct pkey_clr2seck __user *ucs = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1148) struct pkey_clr2seck kcs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1149)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1150) if (copy_from_user(&kcs, ucs, sizeof(kcs)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1151) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1152) rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1153) kcs.clrkey.clrkey, kcs.seckey.seckey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1154) DEBUG_DBG("%s cca_clr2seckey()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1155) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1156) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1157) if (copy_to_user(ucs, &kcs, sizeof(kcs)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1158) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1159) memzero_explicit(&kcs, sizeof(kcs));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1160) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1161) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1162) case PKEY_SEC2PROTK: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1163) struct pkey_sec2protk __user *usp = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1164) struct pkey_sec2protk ksp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1165)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1166) if (copy_from_user(&ksp, usp, sizeof(ksp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1167) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1168) rc = cca_sec2protkey(ksp.cardnr, ksp.domain,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1169) ksp.seckey.seckey, ksp.protkey.protkey,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1170) &ksp.protkey.len, &ksp.protkey.type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1171) DEBUG_DBG("%s cca_sec2protkey()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1172) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1173) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1174) if (copy_to_user(usp, &ksp, sizeof(ksp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1175) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1176) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1177) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1178) case PKEY_CLR2PROTK: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1179) struct pkey_clr2protk __user *ucp = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1180) struct pkey_clr2protk kcp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1181)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1182) if (copy_from_user(&kcp, ucp, sizeof(kcp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1183) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1184) rc = pkey_clr2protkey(kcp.keytype,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1185) &kcp.clrkey, &kcp.protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1186) DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1187) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1188) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1189) if (copy_to_user(ucp, &kcp, sizeof(kcp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1190) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1191) memzero_explicit(&kcp, sizeof(kcp));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1192) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1193) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1194) case PKEY_FINDCARD: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1195) struct pkey_findcard __user *ufc = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1196) struct pkey_findcard kfc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1197)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1198) if (copy_from_user(&kfc, ufc, sizeof(kfc)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1199) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1200) rc = cca_findcard(kfc.seckey.seckey,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1201) &kfc.cardnr, &kfc.domain, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1202) DEBUG_DBG("%s cca_findcard()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1203) if (rc < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1204) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1205) if (copy_to_user(ufc, &kfc, sizeof(kfc)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1206) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1207) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1208) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1209) case PKEY_SKEY2PKEY: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1210) struct pkey_skey2pkey __user *usp = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1211) struct pkey_skey2pkey ksp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1212)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1213) if (copy_from_user(&ksp, usp, sizeof(ksp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1214) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1215) rc = pkey_skey2pkey(ksp.seckey.seckey, &ksp.protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1216) DEBUG_DBG("%s pkey_skey2pkey()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1217) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1218) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1219) if (copy_to_user(usp, &ksp, sizeof(ksp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1220) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1221) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1222) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1223) case PKEY_VERIFYKEY: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1224) struct pkey_verifykey __user *uvk = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1225) struct pkey_verifykey kvk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1226)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1227) if (copy_from_user(&kvk, uvk, sizeof(kvk)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1228) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1229) rc = pkey_verifykey(&kvk.seckey, &kvk.cardnr, &kvk.domain,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1230) &kvk.keysize, &kvk.attributes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1231) DEBUG_DBG("%s pkey_verifykey()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1232) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1233) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1234) if (copy_to_user(uvk, &kvk, sizeof(kvk)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1235) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1236) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1237) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1238) case PKEY_GENPROTK: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1239) struct pkey_genprotk __user *ugp = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1240) struct pkey_genprotk kgp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1241)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1242) if (copy_from_user(&kgp, ugp, sizeof(kgp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1243) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1244) rc = pkey_genprotkey(kgp.keytype, &kgp.protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1245) DEBUG_DBG("%s pkey_genprotkey()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1246) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1247) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1248) if (copy_to_user(ugp, &kgp, sizeof(kgp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1249) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1250) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1251) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1252) case PKEY_VERIFYPROTK: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1253) struct pkey_verifyprotk __user *uvp = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1254) struct pkey_verifyprotk kvp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1255)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1256) if (copy_from_user(&kvp, uvp, sizeof(kvp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1257) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1258) rc = pkey_verifyprotkey(&kvp.protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1259) DEBUG_DBG("%s pkey_verifyprotkey()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1260) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1261) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1262) case PKEY_KBLOB2PROTK: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1263) struct pkey_kblob2pkey __user *utp = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1264) struct pkey_kblob2pkey ktp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1265) u8 *kkey;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1266)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1267) if (copy_from_user(&ktp, utp, sizeof(ktp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1268) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1269) kkey = _copy_key_from_user(ktp.key, ktp.keylen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1270) if (IS_ERR(kkey))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1271) return PTR_ERR(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1272) rc = pkey_keyblob2pkey(kkey, ktp.keylen, &ktp.protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1273) DEBUG_DBG("%s pkey_keyblob2pkey()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1274) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1275) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1276) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1277) if (copy_to_user(utp, &ktp, sizeof(ktp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1278) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1279) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1280) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1281) case PKEY_GENSECK2: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1282) struct pkey_genseck2 __user *ugs = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1283) struct pkey_genseck2 kgs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1284) struct pkey_apqn *apqns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1285) size_t klen = KEYBLOBBUFSIZE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1286) u8 *kkey;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1287)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1288) if (copy_from_user(&kgs, ugs, sizeof(kgs)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1289) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1290) apqns = _copy_apqns_from_user(kgs.apqns, kgs.apqn_entries);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1291) if (IS_ERR(apqns))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1292) return PTR_ERR(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1293) kkey = kmalloc(klen, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1294) if (!kkey) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1295) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1296) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1297) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1298) rc = pkey_genseckey2(apqns, kgs.apqn_entries,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1299) kgs.type, kgs.size, kgs.keygenflags,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1300) kkey, &klen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1301) DEBUG_DBG("%s pkey_genseckey2()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1302) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1303) if (rc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1304) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1305) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1306) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1307) if (kgs.key) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1308) if (kgs.keylen < klen) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1309) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1310) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1311) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1312) if (copy_to_user(kgs.key, kkey, klen)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1313) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1314) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1315) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1316) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1317) kgs.keylen = klen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1318) if (copy_to_user(ugs, &kgs, sizeof(kgs)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1319) rc = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1320) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1321) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1322) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1323) case PKEY_CLR2SECK2: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1324) struct pkey_clr2seck2 __user *ucs = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1325) struct pkey_clr2seck2 kcs;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1326) struct pkey_apqn *apqns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1327) size_t klen = KEYBLOBBUFSIZE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1328) u8 *kkey;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1329)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1330) if (copy_from_user(&kcs, ucs, sizeof(kcs)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1331) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1332) apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1333) if (IS_ERR(apqns))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1334) return PTR_ERR(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1335) kkey = kmalloc(klen, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1336) if (!kkey) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1337) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1338) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1339) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1340) rc = pkey_clr2seckey2(apqns, kcs.apqn_entries,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1341) kcs.type, kcs.size, kcs.keygenflags,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1342) kcs.clrkey.clrkey, kkey, &klen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1343) DEBUG_DBG("%s pkey_clr2seckey2()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1344) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1345) if (rc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1346) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1347) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1348) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1349) if (kcs.key) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1350) if (kcs.keylen < klen) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1351) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1352) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1353) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1354) if (copy_to_user(kcs.key, kkey, klen)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1355) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1356) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1357) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1358) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1359) kcs.keylen = klen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1360) if (copy_to_user(ucs, &kcs, sizeof(kcs)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1361) rc = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1362) memzero_explicit(&kcs, sizeof(kcs));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1363) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1364) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1365) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1366) case PKEY_VERIFYKEY2: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1367) struct pkey_verifykey2 __user *uvk = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1368) struct pkey_verifykey2 kvk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1369) u8 *kkey;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1370)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1371) if (copy_from_user(&kvk, uvk, sizeof(kvk)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1372) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1373) kkey = _copy_key_from_user(kvk.key, kvk.keylen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1374) if (IS_ERR(kkey))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1375) return PTR_ERR(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1376) rc = pkey_verifykey2(kkey, kvk.keylen,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1377) &kvk.cardnr, &kvk.domain,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1378) &kvk.type, &kvk.size, &kvk.flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1379) DEBUG_DBG("%s pkey_verifykey2()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1380) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1381) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1382) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1383) if (copy_to_user(uvk, &kvk, sizeof(kvk)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1384) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1385) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1386) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1387) case PKEY_KBLOB2PROTK2: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1388) struct pkey_kblob2pkey2 __user *utp = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1389) struct pkey_kblob2pkey2 ktp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1390) struct pkey_apqn *apqns = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1391) u8 *kkey;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1392)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1393) if (copy_from_user(&ktp, utp, sizeof(ktp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1394) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1395) apqns = _copy_apqns_from_user(ktp.apqns, ktp.apqn_entries);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1396) if (IS_ERR(apqns))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1397) return PTR_ERR(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1398) kkey = _copy_key_from_user(ktp.key, ktp.keylen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1399) if (IS_ERR(kkey)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1400) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1401) return PTR_ERR(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1402) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1403) rc = pkey_keyblob2pkey2(apqns, ktp.apqn_entries,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1404) kkey, ktp.keylen, &ktp.protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1405) DEBUG_DBG("%s pkey_keyblob2pkey2()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1406) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1407) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1408) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1409) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1410) if (copy_to_user(utp, &ktp, sizeof(ktp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1411) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1412) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1413) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1414) case PKEY_APQNS4K: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1415) struct pkey_apqns4key __user *uak = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1416) struct pkey_apqns4key kak;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1417) struct pkey_apqn *apqns = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1418) size_t nr_apqns, len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1419) u8 *kkey;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1420)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1421) if (copy_from_user(&kak, uak, sizeof(kak)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1422) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1423) nr_apqns = kak.apqn_entries;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1424) if (nr_apqns) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1425) apqns = kmalloc_array(nr_apqns,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1426) sizeof(struct pkey_apqn),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1427) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1428) if (!apqns)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1429) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1430) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1431) kkey = _copy_key_from_user(kak.key, kak.keylen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1432) if (IS_ERR(kkey)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1433) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1434) return PTR_ERR(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1435) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1436) rc = pkey_apqns4key(kkey, kak.keylen, kak.flags,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1437) apqns, &nr_apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1438) DEBUG_DBG("%s pkey_apqns4key()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1439) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1440) if (rc && rc != -ENOSPC) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1441) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1442) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1443) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1444) if (!rc && kak.apqns) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1445) if (nr_apqns > kak.apqn_entries) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1446) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1447) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1448) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1449) len = nr_apqns * sizeof(struct pkey_apqn);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1450) if (len) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1451) if (copy_to_user(kak.apqns, apqns, len)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1452) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1453) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1454) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1455) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1456) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1457) kak.apqn_entries = nr_apqns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1458) if (copy_to_user(uak, &kak, sizeof(kak)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1459) rc = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1460) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1461) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1462) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1463) case PKEY_APQNS4KT: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1464) struct pkey_apqns4keytype __user *uat = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1465) struct pkey_apqns4keytype kat;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1466) struct pkey_apqn *apqns = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1467) size_t nr_apqns, len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1468)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1469) if (copy_from_user(&kat, uat, sizeof(kat)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1470) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1471) nr_apqns = kat.apqn_entries;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1472) if (nr_apqns) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1473) apqns = kmalloc_array(nr_apqns,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1474) sizeof(struct pkey_apqn),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1475) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1476) if (!apqns)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1477) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1478) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1479) rc = pkey_apqns4keytype(kat.type, kat.cur_mkvp, kat.alt_mkvp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1480) kat.flags, apqns, &nr_apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1481) DEBUG_DBG("%s pkey_apqns4keytype()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1482) if (rc && rc != -ENOSPC) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1483) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1484) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1485) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1486) if (!rc && kat.apqns) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1487) if (nr_apqns > kat.apqn_entries) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1488) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1489) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1490) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1491) len = nr_apqns * sizeof(struct pkey_apqn);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1492) if (len) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1493) if (copy_to_user(kat.apqns, apqns, len)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1494) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1495) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1496) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1497) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1498) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1499) kat.apqn_entries = nr_apqns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1500) if (copy_to_user(uat, &kat, sizeof(kat)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1501) rc = -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1502) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1503) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1504) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1505) case PKEY_KBLOB2PROTK3: {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1506) struct pkey_kblob2pkey3 __user *utp = (void __user *) arg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1507) struct pkey_kblob2pkey3 ktp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1508) struct pkey_apqn *apqns = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1509) u32 protkeylen = PROTKEYBLOBBUFSIZE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1510) u8 *kkey, *protkey;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1511)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1512) if (copy_from_user(&ktp, utp, sizeof(ktp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1513) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1514) apqns = _copy_apqns_from_user(ktp.apqns, ktp.apqn_entries);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1515) if (IS_ERR(apqns))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1516) return PTR_ERR(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1517) kkey = _copy_key_from_user(ktp.key, ktp.keylen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1518) if (IS_ERR(kkey)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1519) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1520) return PTR_ERR(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1521) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1522) protkey = kmalloc(protkeylen, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1523) if (!protkey) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1524) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1525) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1526) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1527) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1528) rc = pkey_keyblob2pkey3(apqns, ktp.apqn_entries, kkey,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1529) ktp.keylen, &ktp.pkeytype,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1530) protkey, &protkeylen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1531) DEBUG_DBG("%s pkey_keyblob2pkey3()=%d\n", __func__, rc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1532) kfree(apqns);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1533) kfree(kkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1534) if (rc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1535) kfree(protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1536) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1537) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1538) if (ktp.pkey && ktp.pkeylen) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1539) if (protkeylen > ktp.pkeylen) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1540) kfree(protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1541) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1542) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1543) if (copy_to_user(ktp.pkey, protkey, protkeylen)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1544) kfree(protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1545) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1546) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1547) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1548) kfree(protkey);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1549) ktp.pkeylen = protkeylen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1550) if (copy_to_user(utp, &ktp, sizeof(ktp)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1551) return -EFAULT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1552) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1553) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1554) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1555) /* unknown/unsupported ioctl cmd */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1556) return -ENOTTY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1557) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1558)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1559) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1560) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1561)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1562) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1563) * Sysfs and file io operations
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1564) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1565)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1566) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1567) * Sysfs attribute read function for all protected key binary attributes.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1568) * The implementation can not deal with partial reads, because a new random
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1569) * protected key blob is generated with each read. In case of partial reads
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1570) * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1571) */
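/*
 * Build one (or, for XTS, two) freshly generated protected key token(s) in
 * buf.
 *
 * @keytype: PKEY_KEYTYPE_AES_* value stored in the token and passed to
 *           pkey_genprotkey()
 * @is_xts:  true to emit two independent tokens back to back
 * @buf:     destination buffer, must hold at least the returned size
 * @off:     read offset, only 0 is accepted
 * @count:   size of the read request
 *
 * Returns the number of bytes written to buf, -EINVAL for a partial read,
 * or the error reported by pkey_genprotkey().
 */
static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
					  loff_t off, size_t count)
{
	struct protaeskeytoken protkeytoken;
	struct pkey_protkey protkey;
	ssize_t ret;
	int rc;

	/* every read generates a new key, so a partial read cannot be served */
	if (off != 0 || count < sizeof(protkeytoken))
		return -EINVAL;
	if (is_xts && count < 2 * sizeof(protkeytoken))
		return -EINVAL;

	memset(&protkeytoken, 0, sizeof(protkeytoken));
	protkeytoken.type = TOKTYPE_NON_CCA;
	protkeytoken.version = TOKVER_PROTECTED_KEY;
	protkeytoken.keytype = keytype;

	rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
	if (rc) {
		ret = rc;
		goto out;
	}

	protkeytoken.len = protkey.len;
	memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);

	memcpy(buf, &protkeytoken, sizeof(protkeytoken));
	ret = sizeof(protkeytoken);

	if (is_xts) {
		/* second, independent key for the XTS pair */
		rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
		if (rc) {
			ret = rc;
			goto out;
		}

		protkeytoken.len = protkey.len;
		memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);

		memcpy(buf + sizeof(protkeytoken), &protkeytoken,
		       sizeof(protkeytoken));
		ret = 2 * sizeof(protkeytoken);
	}

out:
	/*
	 * Both locals hold copies of key material; wipe them on every exit
	 * path so nothing is left behind on the kernel stack.
	 */
	memzero_explicit(&protkey, sizeof(protkey));
	memzero_explicit(&protkeytoken, sizeof(protkeytoken));
	return ret;
}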
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1615)
/*
 * sysfs read handler for the "protkey_aes_128" binary attribute: one
 * (non-XTS) AES-128 protected key token. filp, kobj and attr are unused.
 */
static ssize_t protkey_aes_128_read(struct file *filp, struct kobject *kobj,
				    struct bin_attribute *attr, char *buf,
				    loff_t off, size_t count)
{
	const bool xts = false;

	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1625)
/*
 * sysfs read handler for the "protkey_aes_192" binary attribute: one
 * (non-XTS) AES-192 protected key token. filp, kobj and attr are unused.
 */
static ssize_t protkey_aes_192_read(struct file *filp, struct kobject *kobj,
				    struct bin_attribute *attr, char *buf,
				    loff_t off, size_t count)
{
	const bool xts = false;

	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_192, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1635)
/*
 * sysfs read handler for the "protkey_aes_256" binary attribute: one
 * (non-XTS) AES-256 protected key token. filp, kobj and attr are unused.
 */
static ssize_t protkey_aes_256_read(struct file *filp, struct kobject *kobj,
				    struct bin_attribute *attr, char *buf,
				    loff_t off, size_t count)
{
	const bool xts = false;

	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1645)
/*
 * sysfs read handler for the "protkey_aes_128_xts" binary attribute: two
 * AES-128 protected key tokens back to back. filp, kobj and attr are unused.
 */
static ssize_t protkey_aes_128_xts_read(struct file *filp,
					struct kobject *kobj,
					struct bin_attribute *attr, char *buf,
					loff_t off, size_t count)
{
	const bool xts = true;

	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1655)
/*
 * sysfs read handler for the "protkey_aes_256_xts" binary attribute: two
 * AES-256 protected key tokens back to back. filp, kobj and attr are unused.
 */
static ssize_t protkey_aes_256_xts_read(struct file *filp,
					struct kobject *kobj,
					struct bin_attribute *attr, char *buf,
					loff_t off, size_t count)
{
	const bool xts = true;

	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1665)
/*
 * Read-only binary attributes, one per protected key flavour. The declared
 * size is exactly one token, or two tokens for the XTS variants, which is
 * also the minimum read size the handlers accept.
 */
static BIN_ATTR_RO(protkey_aes_128, sizeof(struct protaeskeytoken));
static BIN_ATTR_RO(protkey_aes_192, sizeof(struct protaeskeytoken));
static BIN_ATTR_RO(protkey_aes_256, sizeof(struct protaeskeytoken));
static BIN_ATTR_RO(protkey_aes_128_xts, 2 * sizeof(struct protaeskeytoken));
static BIN_ATTR_RO(protkey_aes_256_xts, 2 * sizeof(struct protaeskeytoken));

/* NULL-terminated attribute list referenced by protkey_attr_group */
static struct bin_attribute *protkey_attrs[] = {
	&bin_attr_protkey_aes_128,
	&bin_attr_protkey_aes_192,
	&bin_attr_protkey_aes_256,
	&bin_attr_protkey_aes_128_xts,
	&bin_attr_protkey_aes_256_xts,
	NULL
};

/* the attributes above are grouped under the name "protkey" */
static struct attribute_group protkey_attr_group = {
	.bin_attrs = protkey_attrs,
	.name	   = "protkey",
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1685)
/*
 * Sysfs attribute read function for all secure key ccadata binary attributes.
 * The implementation can not deal with partial reads, because a new random
 * secure key blob is generated with each read. In case of partial reads
 * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
 */
/*
 * Generate one (or, for XTS, two) random CCA secure key(s) directly into buf.
 *
 * @keytype: PKEY_KEYTYPE_AES_* value handed to cca_genseckey()
 * @is_xts:  true to emit two independent keys back to back
 * @buf:     destination buffer, treated as an array of struct pkey_seckey
 * @off:     read offset, only 0 is accepted
 * @count:   size of the read request
 *
 * Returns the number of bytes produced, -EINVAL for a partial read, or the
 * error reported by cca_genseckey().
 */
static ssize_t pkey_ccadata_aes_attr_read(u32 keytype, bool is_xts, char *buf,
					  loff_t off, size_t count)
{
	const size_t toksize = sizeof(struct secaeskeytoken);
	const size_t nkeys = is_xts ? 2 : 1;
	struct pkey_seckey *slot = (struct pkey_seckey *)buf;
	size_t k;
	int rc;

	/* every read generates a new key, so a partial read cannot be served */
	if (off != 0 || count < nkeys * toksize)
		return -EINVAL;

	/*
	 * NOTE(review): the size check is done in units of struct
	 * secaeskeytoken while the writes advance by struct pkey_seckey;
	 * the two are presumably the same size - confirm.
	 */
	for (k = 0; k < nkeys; k++) {
		/* -1, -1: no card/domain is named by the caller */
		rc = cca_genseckey(-1, -1, keytype, slot[k].seckey);
		if (rc)
			return rc;
	}

	return nkeys * toksize;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1719)
/*
 * sysfs read handler for the "ccadata_aes_128" binary attribute: one
 * (non-XTS) AES-128 CCA secure key. filp, kobj and attr are unused.
 */
static ssize_t ccadata_aes_128_read(struct file *filp, struct kobject *kobj,
				    struct bin_attribute *attr, char *buf,
				    loff_t off, size_t count)
{
	const bool xts = false;

	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1729)
/*
 * sysfs read handler for the "ccadata_aes_192" binary attribute: one
 * (non-XTS) AES-192 CCA secure key. filp, kobj and attr are unused.
 */
static ssize_t ccadata_aes_192_read(struct file *filp, struct kobject *kobj,
				    struct bin_attribute *attr, char *buf,
				    loff_t off, size_t count)
{
	const bool xts = false;

	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_192, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1739)
/*
 * sysfs read handler for the "ccadata_aes_256" binary attribute: one
 * (non-XTS) AES-256 CCA secure key. filp, kobj and attr are unused.
 */
static ssize_t ccadata_aes_256_read(struct file *filp, struct kobject *kobj,
				    struct bin_attribute *attr, char *buf,
				    loff_t off, size_t count)
{
	const bool xts = false;

	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1749)
/*
 * sysfs read handler for the "ccadata_aes_128_xts" binary attribute: two
 * AES-128 CCA secure keys back to back. filp, kobj and attr are unused.
 */
static ssize_t ccadata_aes_128_xts_read(struct file *filp,
					struct kobject *kobj,
					struct bin_attribute *attr, char *buf,
					loff_t off, size_t count)
{
	const bool xts = true;

	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1759)
/*
 * sysfs read handler for the "ccadata_aes_256_xts" binary attribute: two
 * AES-256 CCA secure keys back to back. filp, kobj and attr are unused.
 */
static ssize_t ccadata_aes_256_xts_read(struct file *filp,
					struct kobject *kobj,
					struct bin_attribute *attr, char *buf,
					loff_t off, size_t count)
{
	const bool xts = true;

	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, xts, buf,
					  off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1769)
/*
 * Read-only binary attributes, one per CCA secure key flavour. The declared
 * size is exactly one token, or two tokens for the XTS variants, which is
 * also the minimum read size the handlers accept.
 */
static BIN_ATTR_RO(ccadata_aes_128, sizeof(struct secaeskeytoken));
static BIN_ATTR_RO(ccadata_aes_192, sizeof(struct secaeskeytoken));
static BIN_ATTR_RO(ccadata_aes_256, sizeof(struct secaeskeytoken));
static BIN_ATTR_RO(ccadata_aes_128_xts, 2 * sizeof(struct secaeskeytoken));
static BIN_ATTR_RO(ccadata_aes_256_xts, 2 * sizeof(struct secaeskeytoken));

/* NULL-terminated attribute list referenced by ccadata_attr_group */
static struct bin_attribute *ccadata_attrs[] = {
	&bin_attr_ccadata_aes_128,
	&bin_attr_ccadata_aes_192,
	&bin_attr_ccadata_aes_256,
	&bin_attr_ccadata_aes_128_xts,
	&bin_attr_ccadata_aes_256_xts,
	NULL
};

/* the attributes above are grouped under the name "ccadata" */
static struct attribute_group ccadata_attr_group = {
	.bin_attrs = ccadata_attrs,
	.name	   = "ccadata",
};

/*
 * Buffer size used for one CCA cipher key token.
 * NOTE(review): the extra 80 bytes presumably cover the variable-length part
 * that follows struct cipherkeytoken - confirm against zcrypt_ccamisc.h.
 */
#define CCACIPHERTOKENSIZE	(sizeof(struct cipherkeytoken) + 80)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1791)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1792) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1793) * Sysfs attribute read function for all secure key ccacipher binary attributes.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1794) * The implementation can not deal with partial reads, because a new random
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1795) * secure key blob is generated with each read. In case of partial reads
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1796) * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1797) */
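/*
 * Generate one (or, for XTS, two) random CCA cipher key token(s) into buf.
 *
 * @keybits: key size handed to cca_gencipherkey()
 * @is_xts:  true to emit two independent tokens, each in its own
 *           CCACIPHERTOKENSIZE slot
 * @buf:     destination buffer, zeroed before the first token is written
 * @off:     read offset, only 0 is accepted
 * @count:   size of the read request
 *
 * Returns CCACIPHERTOKENSIZE (or twice that for XTS) on success, -EINVAL for
 * a partial read, -ENODEV if the APQN list is empty, or the error reported
 * by cca_findcard2() / cca_gencipherkey().
 */
static ssize_t pkey_ccacipher_aes_attr_read(enum pkey_key_size keybits,
					    bool is_xts, char *buf, loff_t off,
					    size_t count)
{
	int i, rc, card, dom;
	u32 nr_apqns, *apqns = NULL;
	size_t keysize = CCACIPHERTOKENSIZE;

	/* every read generates a new key, so a partial read cannot be served */
	if (off != 0 || count < CCACIPHERTOKENSIZE)
		return -EINVAL;
	if (is_xts && count < 2 * CCACIPHERTOKENSIZE)
		return -EINVAL;

	/* build a list of apqns able to generate a cipher key */
	rc = cca_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
			   ZCRYPT_CEX6, 0, 0, 0, 0);
	if (rc)
		return rc;

	memset(buf, 0, is_xts ? 2 * keysize : keysize);

	/* simply try all apqns from the list, first success wins */
	for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
		card = apqns[i] >> 16;
		dom = apqns[i] & 0xFFFF;
		rc = cca_gencipherkey(card, dom, keybits, 0, buf, &keysize);
		if (rc == 0)
			break;
	}

	/*
	 * card and dom keep the values of the successful APQN, so the list
	 * is no longer needed. It was never released before, which leaked
	 * it on every read.
	 * NOTE(review): assumes cca_findcard2() hands over a kmalloc'ed list
	 * owned by the caller - confirm against zcrypt_ccamisc.h.
	 */
	kfree(apqns);
	if (rc)
		return rc;

	if (is_xts) {
		/* second key comes from the APQN that produced the first */
		keysize = CCACIPHERTOKENSIZE;
		buf += CCACIPHERTOKENSIZE;
		rc = cca_gencipherkey(card, dom, keybits, 0, buf, &keysize);
		/*
		 * Report the failure instead of a short success: a reader of
		 * an XTS attribute must never be handed half a key pair.
		 */
		if (rc)
			return rc;

		return 2 * CCACIPHERTOKENSIZE;
	}

	return CCACIPHERTOKENSIZE;
}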
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1841)
/*
 * sysfs read handler: AES 128 CCA cipher key blob.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ccacipher_aes_128_read(struct file *filp,
				      struct kobject *kobj,
				      struct bin_attribute *attr,
				      char *buf, loff_t off,
				      size_t count)
{
	const bool is_xts = false;

	return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_128, is_xts,
					    buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1851)
/*
 * sysfs read handler: AES 192 CCA cipher key blob.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ccacipher_aes_192_read(struct file *filp,
				      struct kobject *kobj,
				      struct bin_attribute *attr,
				      char *buf, loff_t off,
				      size_t count)
{
	const bool is_xts = false;

	return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_192, is_xts,
					    buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1861)
/*
 * sysfs read handler: AES 256 CCA cipher key blob.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ccacipher_aes_256_read(struct file *filp,
				      struct kobject *kobj,
				      struct bin_attribute *attr,
				      char *buf, loff_t off,
				      size_t count)
{
	const bool is_xts = false;

	return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_256, is_xts,
					    buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1871)
/*
 * sysfs read handler: AES 128 XTS, i.e. two CCA cipher key blobs back to back.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ccacipher_aes_128_xts_read(struct file *filp,
					  struct kobject *kobj,
					  struct bin_attribute *attr,
					  char *buf, loff_t off,
					  size_t count)
{
	const bool is_xts = true;

	return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_128, is_xts,
					    buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1881)
/*
 * sysfs read handler: AES 256 XTS, i.e. two CCA cipher key blobs back to back.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ccacipher_aes_256_xts_read(struct file *filp,
					  struct kobject *kobj,
					  struct bin_attribute *attr,
					  char *buf, loff_t off,
					  size_t count)
{
	const bool is_xts = true;

	return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_256, is_xts,
					    buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1891)
/*
 * Binary sysfs attributes of the "ccacipher" group. Each attribute is bound
 * to its <name>_read handler above; the size argument is one blob for the
 * plain AES attributes and two blobs for the XTS ones.
 *
 * NOTE(review): BIN_ATTR_RO yields world-readable files and every read makes
 * a crypto adapter generate a new secure key. Confirm that letting any local
 * user trigger this is intended, or restrict access to the attributes.
 */
static BIN_ATTR_RO(ccacipher_aes_128, CCACIPHERTOKENSIZE);
static BIN_ATTR_RO(ccacipher_aes_192, CCACIPHERTOKENSIZE);
static BIN_ATTR_RO(ccacipher_aes_256, CCACIPHERTOKENSIZE);
static BIN_ATTR_RO(ccacipher_aes_128_xts, 2 * CCACIPHERTOKENSIZE);
static BIN_ATTR_RO(ccacipher_aes_256_xts, 2 * CCACIPHERTOKENSIZE);

/* NULL terminated list of the attributes above */
static struct bin_attribute *ccacipher_attrs[] = {
	&bin_attr_ccacipher_aes_128,
	&bin_attr_ccacipher_aes_192,
	&bin_attr_ccacipher_aes_256,
	&bin_attr_ccacipher_aes_128_xts,
	&bin_attr_ccacipher_aes_256_xts,
	NULL,
};

/* the attributes show up in a sysfs subdirectory named "ccacipher" */
static struct attribute_group ccacipher_attr_group = {
	.name	   = "ccacipher",
	.bin_attrs = ccacipher_attrs,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1911)
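/*
 * Sysfs attribute read function for all ep11 aes key binary attributes.
 *
 * A new random secure key blob is generated with each read, so partial
 * reads cannot be served. If off != 0 or count is smaller than the full
 * result (one blob, or two for XTS), -EINVAL is returned.
 *
 * This function and the sysfs attributes using it provide EP11 key blobs
 * padded to the upper limit of MAXEP11AESKEYBLOBSIZE which is currently
 * 320 bytes.
 *
 * @keybits: AES key size passed on to ep11_genaeskey()
 * @is_xts:  true to generate two blobs back to back (XTS key pair)
 * @buf:     output buffer provided by the sysfs layer
 * @off:     read offset, must be 0
 * @count:   size of the read request
 *
 * Returns the number of bytes written to buf (MAXEP11AESKEYBLOBSIZE, or
 * 2 * MAXEP11AESKEYBLOBSIZE for XTS) or a negative errno value.
 */
static ssize_t pkey_ep11_aes_attr_read(enum pkey_key_size keybits,
				       bool is_xts, char *buf, loff_t off,
				       size_t count)
{
	const size_t blobsize = is_xts ? 2 * MAXEP11AESKEYBLOBSIZE
				       : MAXEP11AESKEYBLOBSIZE;
	size_t keysize = MAXEP11AESKEYBLOBSIZE;
	u32 nr_apqns, *apqns = NULL;
	int rc, card, dom;
	u32 i;

	/* reject partial reads up front, before any adapter is touched */
	if (off != 0 || count < blobsize)
		return -EINVAL;

	/* build a list of apqns able to generate a cipher key */
	rc = ep11_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
			    ZCRYPT_CEX7, EP11_API_V, NULL);
	if (rc)
		return rc;

	memset(buf, 0, blobsize);

	/* simply try all apqns from the list until one succeeds */
	rc = -ENODEV;
	for (i = 0; i < nr_apqns; i++) {
		card = apqns[i] >> 16;
		dom = apqns[i] & 0xFFFF;
		rc = ep11_genaeskey(card, dom, keybits, 0, buf, &keysize);
		if (rc == 0)
			break;
	}

	/*
	 * The list handed back by ep11_findcard2() is heap allocated for
	 * the caller (see zcrypt_ep11misc.h); card and dom are plain copies,
	 * so it can be released here. Without this every read leaks the list.
	 */
	kfree(apqns);
	if (rc)
		return rc;

	if (is_xts) {
		/* second half of the XTS pair, generated on the same apqn */
		keysize = MAXEP11AESKEYBLOBSIZE;
		rc = ep11_genaeskey(card, dom, keybits, 0,
				    buf + MAXEP11AESKEYBLOBSIZE, &keysize);
		/*
		 * Do not report a single blob as success for an XTS
		 * attribute: the reader would receive half a key pair
		 * followed by zero padding.
		 */
		if (rc)
			return rc;
	}

	return blobsize;
}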
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1964)
/*
 * sysfs read handler: AES 128 EP11 key blob.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ep11_aes_128_read(struct file *filp,
				 struct kobject *kobj,
				 struct bin_attribute *attr,
				 char *buf, loff_t off,
				 size_t count)
{
	const bool is_xts = false;

	return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_128, is_xts,
				       buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1974)
/*
 * sysfs read handler: AES 192 EP11 key blob.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ep11_aes_192_read(struct file *filp,
				 struct kobject *kobj,
				 struct bin_attribute *attr,
				 char *buf, loff_t off,
				 size_t count)
{
	const bool is_xts = false;

	return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_192, is_xts,
				       buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1984)
/*
 * sysfs read handler: AES 256 EP11 key blob.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ep11_aes_256_read(struct file *filp,
				 struct kobject *kobj,
				 struct bin_attribute *attr,
				 char *buf, loff_t off,
				 size_t count)
{
	const bool is_xts = false;

	return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_256, is_xts,
				       buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1994)
/*
 * sysfs read handler: AES 128 XTS, i.e. two EP11 key blobs back to back.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ep11_aes_128_xts_read(struct file *filp,
				     struct kobject *kobj,
				     struct bin_attribute *attr,
				     char *buf, loff_t off,
				     size_t count)
{
	const bool is_xts = true;

	return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_128, is_xts,
				       buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2004)
/*
 * sysfs read handler: AES 256 XTS, i.e. two EP11 key blobs back to back.
 * filp, kobj and attr are not used; buf, off and count are passed through.
 */
static ssize_t ep11_aes_256_xts_read(struct file *filp,
				     struct kobject *kobj,
				     struct bin_attribute *attr,
				     char *buf, loff_t off,
				     size_t count)
{
	const bool is_xts = true;

	return pkey_ep11_aes_attr_read(PKEY_SIZE_AES_256, is_xts,
				       buf, off, count);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2014)
/*
 * Binary sysfs attributes of the "ep11" group. Each attribute is bound to
 * its <name>_read handler above; the size argument is one blob for the
 * plain AES attributes and two blobs for the XTS ones.
 *
 * NOTE(review): BIN_ATTR_RO yields world-readable files and every read makes
 * a crypto adapter generate a new secure key. Confirm that letting any local
 * user trigger this is intended, or restrict access to the attributes.
 */
static BIN_ATTR_RO(ep11_aes_128, MAXEP11AESKEYBLOBSIZE);
static BIN_ATTR_RO(ep11_aes_192, MAXEP11AESKEYBLOBSIZE);
static BIN_ATTR_RO(ep11_aes_256, MAXEP11AESKEYBLOBSIZE);
static BIN_ATTR_RO(ep11_aes_128_xts, 2 * MAXEP11AESKEYBLOBSIZE);
static BIN_ATTR_RO(ep11_aes_256_xts, 2 * MAXEP11AESKEYBLOBSIZE);

/* NULL terminated list of the attributes above */
static struct bin_attribute *ep11_attrs[] = {
	&bin_attr_ep11_aes_128,
	&bin_attr_ep11_aes_192,
	&bin_attr_ep11_aes_256,
	&bin_attr_ep11_aes_128_xts,
	&bin_attr_ep11_aes_256_xts,
	NULL,
};

/* the attributes show up in a sysfs subdirectory named "ep11" */
static struct attribute_group ep11_attr_group = {
	.name	   = "ep11",
	.bin_attrs = ep11_attrs,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2034)
/* all sysfs attribute groups attached to the pkey misc device */
static const struct attribute_group *pkey_attr_groups[] = {
	&protkey_attr_group,
	&ccadata_attr_group,
	&ccacipher_attr_group,
	&ep11_attr_group,
	NULL,
};

/* the device node is not seekable and is driven through ioctl only */
static const struct file_operations pkey_fops = {
	.owner		= THIS_MODULE,
	.open		= nonseekable_open,
	.llseek		= no_llseek,
	.unlocked_ioctl	= pkey_unlocked_ioctl,
};

/*
 * NOTE(review): mode 0666 lets every local user open the device node, so
 * access control for the key operations rests entirely on whatever checks
 * pkey_unlocked_ioctl() performs (not visible here). Confirm this is
 * intended; otherwise tighten the mode or restrict the node via udev rules.
 */
static struct miscdevice pkey_dev = {
	.name	= "pkey",
	.minor	= MISC_DYNAMIC_MINOR,
	.mode	= 0666,
	.fops	= &pkey_fops,
	.groups	= pkey_attr_groups,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2057)
/*
 * Module init
 *
 * Verifies that the CPU offers the required CPACF functions, sets up the
 * debug facility and registers the pkey misc device.
 *
 * Returns -ENODEV when a required CPACF function is missing, otherwise the
 * result of misc_register().
 */
static int __init pkey_init(void)
{
	cpacf_mask_t func_mask;
	bool have_paes;

	/*
	 * The pckmo instruction should be available - even if we don't
	 * actually invoke it. This instruction comes with MSA 3 which
	 * is also the minimum level for the kmc instructions which
	 * are able to work with protected keys.
	 */
	if (!cpacf_query(CPACF_PCKMO, &func_mask))
		return -ENODEV;

	/* the kmc instruction must offer all three protected key AES sizes */
	if (!cpacf_query(CPACF_KMC, &func_mask))
		return -ENODEV;
	have_paes = cpacf_test_func(&func_mask, CPACF_KMC_PAES_128) &&
		    cpacf_test_func(&func_mask, CPACF_KMC_PAES_192) &&
		    cpacf_test_func(&func_mask, CPACF_KMC_PAES_256);
	if (!have_paes)
		return -ENODEV;

	pkey_debug_init();

	/*
	 * NOTE(review): if misc_register() fails, whatever pkey_debug_init()
	 * set up is not undone on this path - confirm whether cleanup is
	 * needed and whether pkey_debug_exit() may be called from init code.
	 */
	return misc_register(&pkey_dev);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2086)
/*
 * Module exit
 *
 * Undoes pkey_init() in reverse order: the misc device is removed first,
 * then the debug facility is shut down.
 */
static void __exit pkey_exit(void)
{
	misc_deregister(&pkey_dev);

	pkey_debug_exit();
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2095)
/* pkey_init is the init function, tied to the MSA CPU feature */
module_cpu_feature_match(MSA, pkey_init);
/* pkey_exit runs on module unload */
module_exit(pkey_exit);