1 | /* SPDX-License-Identifier: GPL-2.0+ */ |
2 | /* |
3 | * Copyright IBM Corp. 2019 |
4 | * Author(s): Harald Freudenberger <freude@linux.ibm.com> |
5 | * |
6 | * Collection of EP11 misc functions used by zcrypt and pkey |
7 | */ |
8 | |
9 | #ifndef _ZCRYPT_EP11MISC_H_ |
10 | #define _ZCRYPT_EP11MISC_H_ |
11 | |
12 | #include <asm/zcrypt.h> |
13 | #include <asm/pkey.h> |
14 | |
15 | #define EP11_API_V1 1 /* min EP11 API, default if no higher api required */ |
16 | #define EP11_API_V4 4 /* supported EP11 API for the ep11misc cprbs */ |
17 | #define EP11_API_V6 6 /* min EP11 API for some cprbs in SE environment */ |
18 | #define EP11_STRUCT_MAGIC 0x1234 |
19 | #define 0x00200000 |
20 | |
21 | /* |
22 | * Internal used values for the version field of the key header. |
23 | * Should match to the enum pkey_key_type in pkey.h. |
24 | */ |
25 | #define TOKVER_EP11_AES 0x03 /* EP11 AES key blob (old style) */ |
26 | #define 0x06 /* EP11 AES key blob with header */ |
27 | #define 0x07 /* EP11 ECC key blob with header */ |
28 | |
29 | /* inside view of an EP11 secure key blob */ |
30 | struct ep11keyblob { |
31 | union { |
32 | u8 session[32]; |
33 | /* only used for PKEY_TYPE_EP11: */ |
34 | struct head; |
35 | }; |
36 | u8 wkvp[16]; /* wrapping key verification pattern */ |
37 | u64 attr; /* boolean key attributes */ |
38 | u64 mode; /* mode bits */ |
39 | u16 version; /* 0x1234, EP11_STRUCT_MAGIC */ |
40 | u8 iv[14]; |
41 | u8 encrypted_key_data[144]; |
42 | u8 mac[32]; |
43 | } __packed; |
44 | |
45 | /* check ep11 key magic to find out if this is an ep11 key blob */ |
46 | static inline bool is_ep11_keyblob(const u8 *key) |
47 | { |
48 | struct ep11keyblob *kb = (struct ep11keyblob *)key; |
49 | |
50 | return (kb->version == EP11_STRUCT_MAGIC); |
51 | } |
52 | |
53 | /* |
54 | * For valid ep11 keyblobs, returns a reference to the wrappingkey verification |
55 | * pattern. Otherwise NULL. |
56 | */ |
57 | const u8 *ep11_kb_wkvp(const u8 *kblob, size_t kbloblen); |
58 | |
59 | /* |
60 | * Simple check if the key blob is a valid EP11 AES key blob with header. |
61 | * If checkcpacfexport is enabled, the key is also checked for the |
62 | * attributes needed to export this key for CPACF use. |
63 | * Returns 0 on success or errno value on failure. |
64 | */ |
65 | int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl, |
66 | const u8 *key, size_t keylen, int checkcpacfexp); |
67 | |
68 | /* |
69 | * Simple check if the key blob is a valid EP11 ECC key blob with header. |
70 | * If checkcpacfexport is enabled, the key is also checked for the |
71 | * attributes needed to export this key for CPACF use. |
72 | * Returns 0 on success or errno value on failure. |
73 | */ |
74 | int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl, |
75 | const u8 *key, size_t keylen, int checkcpacfexp); |
76 | |
77 | /* |
78 | * Simple check if the key blob is a valid EP11 AES key blob with |
79 | * the header in the session field (old style EP11 AES key). |
80 | * If checkcpacfexport is enabled, the key is also checked for the |
81 | * attributes needed to export this key for CPACF use. |
82 | * Returns 0 on success or errno value on failure. |
83 | */ |
84 | int ep11_check_aes_key(debug_info_t *dbg, int dbflvl, |
85 | const u8 *key, size_t keylen, int checkcpacfexp); |
86 | |
87 | /* EP11 card info struct */ |
88 | struct ep11_card_info { |
89 | u32 API_ord_nr; /* API ordinal number */ |
90 | u16 FW_version; /* Firmware major and minor version */ |
91 | char serial[16]; /* serial number string (16 ascii, no 0x00 !) */ |
92 | u64 op_mode; /* card operational mode(s) */ |
93 | }; |
94 | |
95 | /* EP11 domain info struct */ |
96 | struct ep11_domain_info { |
97 | char cur_wk_state; /* '0' invalid, '1' valid */ |
98 | char new_wk_state; /* '0' empty, '1' uncommitted, '2' committed */ |
99 | u8 cur_wkvp[32]; /* current wrapping key verification pattern */ |
100 | u8 new_wkvp[32]; /* new wrapping key verification pattern */ |
101 | u64 op_mode; /* domain operational mode(s) */ |
102 | }; |
103 | |
104 | /* |
105 | * Provide information about an EP11 card. |
106 | */ |
107 | int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify); |
108 | |
109 | /* |
110 | * Provide information about a domain within an EP11 card. |
111 | */ |
112 | int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info); |
113 | |
114 | /* |
115 | * Generate (random) EP11 AES secure key. |
116 | */ |
117 | int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, |
118 | u8 *keybuf, size_t *keybufsize, u32 keybufver); |
119 | |
120 | /* |
121 | * Generate EP11 AES secure key with given clear key value. |
122 | */ |
123 | int ep11_clr2keyblob(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags, |
124 | const u8 *clrkey, u8 *keybuf, size_t *keybufsize, |
125 | u32 keytype); |
126 | |
127 | /* |
128 | * Build a list of ep11 apqns meeting the following constrains: |
129 | * - apqn is online and is in fact an EP11 apqn |
130 | * - if cardnr is not FFFF only apqns with this cardnr |
131 | * - if domain is not FFFF only apqns with this domainnr |
132 | * - if minhwtype > 0 only apqns with hwtype >= minhwtype |
133 | * - if minapi > 0 only apqns with API_ord_nr >= minapi |
134 | * - if wkvp != NULL only apqns where the wkvp (EP11_WKVPLEN bytes) matches |
135 | * to the first EP11_WKVPLEN bytes of the wkvp of the current wrapping |
136 | * key for this domain. When a wkvp is given there will always be a re-fetch |
137 | * of the domain info for the potential apqn - so this triggers an request |
138 | * reply to each apqn eligible. |
139 | * The array of apqn entries is allocated with kmalloc and returned in *apqns; |
140 | * the number of apqns stored into the list is returned in *nr_apqns. One apqn |
141 | * entry is simple a 32 bit value with 16 bit cardnr and 16 bit domain nr and |
142 | * may be casted to struct pkey_apqn. The return value is either 0 for success |
143 | * or a negative errno value. If no apqn meeting the criteria is found, |
144 | * -ENODEV is returned. |
145 | */ |
146 | int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain, |
147 | int minhwtype, int minapi, const u8 *wkvp); |
148 | |
149 | /* |
150 | * Derive proteced key from EP11 key blob (AES and ECC keys). |
151 | */ |
152 | int ep11_kblob2protkey(u16 card, u16 dom, const u8 *key, size_t keylen, |
153 | u8 *protkey, u32 *protkeylen, u32 *protkeytype); |
154 | |
155 | void zcrypt_ep11misc_exit(void); |
156 | |
157 | #endif /* _ZCRYPT_EP11MISC_H_ */ |
158 | |