s390/pkey/zcrypt: Support EP11 AES secure keys

Extend the low level ep11 misc functions implementation by several functions to support EP11 key objects for paes and pkey: - EP11 AES secure key generation - EP11 AES secure key generation from given clear key value - EP11 AES secure key blob check - findcard function returns list of apqns based on given criterias - EP11 AES secure key derive to CPACF protected key Extend the pkey module to be able to generate and handle EP11 secure keys and also use them as base for deriving protected keys for CPACF usage. These ioctls are extended to support EP11 keys: PKEY_GENSECK2, PKEY_CLR2SECK2, PKEY_VERIFYKEY2, PKEY_APQNS4K, PKEY_APQNS4KT, PKEY_KBLOB2PROTK2. Additionally the 'clear key' token to protected key now uses an EP11 card if the other ways (via PCKMO, via CCA) fail. The PAES cipher implementation needed a new upper limit for the max key size, but is now also working with EP11 keys. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
author: Harald Freudenberger <freude@linux.ibm.com> 2019-12-06 14:21:38 +0100
committer: Vasily Gorbik <gor@linux.ibm.com> 2020-01-30 13:07:56 +0100
commit: 55d0a513a0e202c68af2c8f4b1e923a345227bbb (patch)
tree: 83e6225c32d3aa06a8c3f55d9997fb7b487d397f /drivers/s390/crypto/zcrypt_ep11misc.h
parent: s390/zcrypt: extend EP11 card and queue sysfs attributes (diff)
download: linux-dev-55d0a513a0e202c68af2c8f4b1e923a345227bbb.tar.xz
linux-dev-55d0a513a0e202c68af2c8f4b1e923a345227bbb.zip
1 files changed, 80 insertions, 0 deletions
diff --git a/drivers/s390/crypto/zcrypt_ep11misc.h b/drivers/s390/crypto/zcrypt_ep11misc.h
index 9559a81eac5e..e3ed5ed1de86 100644
--- a/drivers/s390/crypto/zcrypt_ep11misc.h
+++ b/drivers/s390/crypto/zcrypt_ep11misc.h
@@ -12,6 +12,46 @@
 #include <asm/zcrypt.h>
 #include <asm/pkey.h>
 
+#define TOKVER_EP11_AES  0x03  /* EP11 AES key blob */
+
+#define EP11_API_V 4  /* highest known and supported EP11 API version */
+
+#define EP11_STRUCT_MAGIC 0x1234
+#define EP11_BLOB_PKEY_EXTRACTABLE 0x200000
+
+/* inside view of an EP11 secure key blob */
+struct ep11keyblob {
+	union {
+		u8 session[32];
+		struct {
+			u8  type;      /* 0x00 (TOKTYPE_NON_CCA) */
+			u8  res0;      /* unused */
+			u16 len;       /* total length in bytes of this blob */
+			u8  version;   /* 0x06 (TOKVER_EP11_AES) */
+			u8  res1;      /* unused */
+			u16 keybitlen; /* clear key bit len, 0 for unknown */
+		} head;
+	};
+	u8  wkvp[16];  /* wrapping key verification pattern */
+	u64 attr;      /* boolean key attributes */
+	u64 mode;      /* mode bits */
+	u16 version;   /* 0x1234, EP11_STRUCT_MAGIC */
+	u8  iv[14];
+	u8  encrypted_key_data[144];
+	u8  mac[32];
+} __packed;
+
+/*
+ * Simple check if the key blob is a valid EP11 secure AES key.
+ * If keybitsize is given, the bitsize of the key is also checked.
+ * If checkcpacfexport is enabled, the key is also checked for the
+ * attributes needed to export this key for CPACF use.
+ * Returns 0 on success or errno value on failure.
+ */
+int ep11_check_aeskeyblob(debug_info_t *dbg, int dbflvl,
+			  const u8 *key, int keybitsize,
+			  int checkcpacfexport);
+
 /* EP11 card info struct */
 struct ep11_card_info {
 	u32  API_ord_nr;    /* API ordinal number */
@@ -39,6 +79,46 @@ int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify);
  */
 int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info);
 
+/*
+ * Generate (random) EP11 AES secure key.
+ */
+int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
+		   u8 *keybuf, size_t *keybufsize);
+
+/*
+ * Generate EP11 AES secure key with given clear key value.
+ */
+int ep11_clr2keyblob(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
+		     const u8 *clrkey, u8 *keybuf, size_t *keybufsize);
+
+/*
+ * Derive proteced key from EP11 AES secure key blob.
+ */
+int ep11_key2protkey(u16 cardnr, u16 domain, const u8 *key, size_t keylen,
+		     u8 *protkey, u32 *protkeylen, u32 *protkeytype);
+
+/*
+ * Build a list of ep11 apqns meeting the following constrains:
+ * - apqn is online and is in fact an EP11 apqn
+ * - if cardnr is not FFFF only apqns with this cardnr
+ * - if domain is not FFFF only apqns with this domainnr
+ * - if minhwtype > 0 only apqns with hwtype >= minhwtype
+ * - if minapi > 0 only apqns with API_ord_nr >= minapi
+ * - if wkvp != NULL only apqns where the wkvp (EP11_WKVPLEN bytes) matches
+ *   to the first EP11_WKVPLEN bytes of the wkvp of the current wrapping
+ *   key for this domain. When a wkvp is given there will aways be a re-fetch
+ *   of the domain info for the potential apqn - so this triggers an request
+ *   reply to each apqn eligible.
+ * The array of apqn entries is allocated with kmalloc and returned in *apqns;
+ * the number of apqns stored into the list is returned in *nr_apqns. One apqn
+ * entry is simple a 32 bit value with 16 bit cardnr and 16 bit domain nr and
+ * may be casted to struct pkey_apqn. The return value is either 0 for success
+ * or a negative errno value. If no apqn meeting the criterias is found,
+ * -ENODEV is returned.
+ */
+int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
+		   int minhwtype, int minapi, const u8 *wkvp);
+
 void zcrypt_ep11misc_exit(void);
 
 #endif /* _ZCRYPT_EP11MISC_H_ */
author	Harald Freudenberger <freude@linux.ibm.com>	2019-12-06 14:21:38 +0100
committer	Vasily Gorbik <gor@linux.ibm.com>	2020-01-30 13:07:56 +0100
commit	55d0a513a0e202c68af2c8f4b1e923a345227bbb (patch)
tree	83e6225c32d3aa06a8c3f55d9997fb7b487d397f /drivers/s390/crypto/zcrypt_ep11misc.h
parent	s390/zcrypt: extend EP11 card and queue sysfs attributes (diff)
download	linux-dev-55d0a513a0e202c68af2c8f4b1e923a345227bbb.tar.xz linux-dev-55d0a513a0e202c68af2c8f4b1e923a345227bbb.zip