OSCL-LXR |
|
|
|
|||
0001 /* SPDX-License-Identifier: GPL-2.0+ */ 0002 /* 0003 * Copyright IBM Corp. 2019 0004 * Author(s): Harald Freudenberger <freude@linux.ibm.com> 0005 * 0006 * Collection of EP11 misc functions used by zcrypt and pkey 0007 */ 0008 0009 #ifndef _ZCRYPT_EP11MISC_H_ 0010 #define _ZCRYPT_EP11MISC_H_ 0011 0012 #include <asm/zcrypt.h> 0013 #include <asm/pkey.h> 0014 0015 #define EP11_API_V 4 /* highest known and supported EP11 API version */ 0016 #define EP11_STRUCT_MAGIC 0x1234 0017 #define EP11_BLOB_PKEY_EXTRACTABLE 0x00200000 0018 0019 /* 0020 * Internal used values for the version field of the key header. 0021 * Should match to the enum pkey_key_type in pkey.h. 0022 */ 0023 #define TOKVER_EP11_AES 0x03 /* EP11 AES key blob (old style) */ 0024 #define TOKVER_EP11_AES_WITH_HEADER 0x06 /* EP11 AES key blob with header */ 0025 #define TOKVER_EP11_ECC_WITH_HEADER 0x07 /* EP11 ECC key blob with header */ 0026 0027 /* inside view of an EP11 secure key blob */ 0028 struct ep11keyblob { 0029 union { 0030 u8 session[32]; 0031 /* only used for PKEY_TYPE_EP11: */ 0032 struct { 0033 u8 type; /* 0x00 (TOKTYPE_NON_CCA) */ 0034 u8 res0; /* unused */ 0035 u16 len; /* total length in bytes of this blob */ 0036 u8 version; /* 0x03 (TOKVER_EP11_AES) */ 0037 u8 res1; /* unused */ 0038 u16 keybitlen; /* clear key bit len, 0 for unknown */ 0039 } head; 0040 }; 0041 u8 wkvp[16]; /* wrapping key verification pattern */ 0042 u64 attr; /* boolean key attributes */ 0043 u64 mode; /* mode bits */ 0044 u16 version; /* 0x1234, EP11_STRUCT_MAGIC */ 0045 u8 iv[14]; 0046 u8 encrypted_key_data[144]; 0047 u8 mac[32]; 0048 } __packed; 0049 0050 /* check ep11 key magic to find out if this is an ep11 key blob */ 0051 static inline bool is_ep11_keyblob(const u8 *key) 0052 { 0053 struct ep11keyblob *kb = (struct ep11keyblob *)key; 0054 0055 return (kb->version == EP11_STRUCT_MAGIC); 0056 } 0057 0058 /* 0059 * Simple check if the key blob is a valid EP11 AES key blob with header. 0060 * If checkcpacfexport is enabled, the key is also checked for the 0061 * attributes needed to export this key for CPACF use. 0062 * Returns 0 on success or errno value on failure. 0063 */ 0064 int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl, 0065 const u8 *key, size_t keylen, int checkcpacfexp); 0066 0067 /* 0068 * Simple check if the key blob is a valid EP11 ECC key blob with header. 0069 * If checkcpacfexport is enabled, the key is also checked for the 0070 * attributes needed to export this key for CPACF use. 0071 * Returns 0 on success or errno value on failure. 0072 */ 0073 int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl, 0074 const u8 *key, size_t keylen, int checkcpacfexp); 0075 0076 /* 0077 * Simple check if the key blob is a valid EP11 AES key blob with 0078 * the header in the session field (old style EP11 AES key). 0079 * If checkcpacfexport is enabled, the key is also checked for the 0080 * attributes needed to export this key for CPACF use. 0081 * Returns 0 on success or errno value on failure. 0082 */ 0083 int ep11_check_aes_key(debug_info_t *dbg, int dbflvl, 0084 const u8 *key, size_t keylen, int checkcpacfexp); 0085 0086 /* EP11 card info struct */ 0087 struct ep11_card_info { 0088 u32 API_ord_nr; /* API ordinal number */ 0089 u16 FW_version; /* Firmware major and minor version */ 0090 char serial[16]; /* serial number string (16 ascii, no 0x00 !) */ 0091 u64 op_mode; /* card operational mode(s) */ 0092 }; 0093 0094 /* EP11 domain info struct */ 0095 struct ep11_domain_info { 0096 char cur_wk_state; /* '0' invalid, '1' valid */ 0097 char new_wk_state; /* '0' empty, '1' uncommitted, '2' committed */ 0098 u8 cur_wkvp[32]; /* current wrapping key verification pattern */ 0099 u8 new_wkvp[32]; /* new wrapping key verification pattern */ 0100 u64 op_mode; /* domain operational mode(s) */ 0101 }; 0102 0103 /* 0104 * Provide information about an EP11 card. 0105 */ 0106 int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify); 0107 0108 /* 0109 * Provide information about a domain within an EP11 card. 0110 */ 0111 int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info); 0112 0113 /* 0114 * Generate (random) EP11 AES secure key. 0115 */ 0116 int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, 0117 u8 *keybuf, size_t *keybufsize); 0118 0119 /* 0120 * Generate EP11 AES secure key with given clear key value. 0121 */ 0122 int ep11_clr2keyblob(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags, 0123 const u8 *clrkey, u8 *keybuf, size_t *keybufsize); 0124 0125 /* 0126 * Build a list of ep11 apqns meeting the following constrains: 0127 * - apqn is online and is in fact an EP11 apqn 0128 * - if cardnr is not FFFF only apqns with this cardnr 0129 * - if domain is not FFFF only apqns with this domainnr 0130 * - if minhwtype > 0 only apqns with hwtype >= minhwtype 0131 * - if minapi > 0 only apqns with API_ord_nr >= minapi 0132 * - if wkvp != NULL only apqns where the wkvp (EP11_WKVPLEN bytes) matches 0133 * to the first EP11_WKVPLEN bytes of the wkvp of the current wrapping 0134 * key for this domain. When a wkvp is given there will aways be a re-fetch 0135 * of the domain info for the potential apqn - so this triggers an request 0136 * reply to each apqn eligible. 0137 * The array of apqn entries is allocated with kmalloc and returned in *apqns; 0138 * the number of apqns stored into the list is returned in *nr_apqns. One apqn 0139 * entry is simple a 32 bit value with 16 bit cardnr and 16 bit domain nr and 0140 * may be casted to struct pkey_apqn. The return value is either 0 for success 0141 * or a negative errno value. If no apqn meeting the criterias is found, 0142 * -ENODEV is returned. 0143 */ 0144 int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain, 0145 int minhwtype, int minapi, const u8 *wkvp); 0146 0147 /* 0148 * Derive proteced key from EP11 key blob (AES and ECC keys). 0149 */ 0150 int ep11_kblob2protkey(u16 card, u16 dom, const u8 *key, size_t keylen, 0151 u8 *protkey, u32 *protkeylen, u32 *protkeytype); 0152 0153 void zcrypt_ep11misc_exit(void); 0154 0155 #endif /* _ZCRYPT_EP11MISC_H_ */
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.1.0 LXR engine. The LXR team |
|