Loading...
1/* SPDX-License-Identifier: GPL-2.0+ */
2/*
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 *
6 * Collection of EP11 misc functions used by zcrypt and pkey
7 */
8
9#ifndef _ZCRYPT_EP11MISC_H_
10#define _ZCRYPT_EP11MISC_H_
11
12#include <asm/zcrypt.h>
13#include <asm/pkey.h>
14
15#define EP11_API_V 4 /* highest known and supported EP11 API version */
16#define EP11_STRUCT_MAGIC 0x1234
17#define EP11_BLOB_PKEY_EXTRACTABLE 0x00200000
18
19/*
20 * Internal used values for the version field of the key header.
21 * Should match to the enum pkey_key_type in pkey.h.
22 */
23#define TOKVER_EP11_AES 0x03 /* EP11 AES key blob (old style) */
24#define TOKVER_EP11_AES_WITH_HEADER 0x06 /* EP11 AES key blob with header */
25#define TOKVER_EP11_ECC_WITH_HEADER 0x07 /* EP11 ECC key blob with header */
26
27/* inside view of an EP11 secure key blob */
28struct ep11keyblob {
29 union {
30 u8 session[32];
31 /* only used for PKEY_TYPE_EP11: */
32 struct {
33 u8 type; /* 0x00 (TOKTYPE_NON_CCA) */
34 u8 res0; /* unused */
35 u16 len; /* total length in bytes of this blob */
36 u8 version; /* 0x03 (TOKVER_EP11_AES) */
37 u8 res1; /* unused */
38 u16 keybitlen; /* clear key bit len, 0 for unknown */
39 } head;
40 };
41 u8 wkvp[16]; /* wrapping key verification pattern */
42 u64 attr; /* boolean key attributes */
43 u64 mode; /* mode bits */
44 u16 version; /* 0x1234, EP11_STRUCT_MAGIC */
45 u8 iv[14];
46 u8 encrypted_key_data[144];
47 u8 mac[32];
48} __packed;
49
50/* check ep11 key magic to find out if this is an ep11 key blob */
51static inline bool is_ep11_keyblob(const u8 *key)
52{
53 struct ep11keyblob *kb = (struct ep11keyblob *)key;
54
55 return (kb->version == EP11_STRUCT_MAGIC);
56}
57
58/*
59 * Simple check if the key blob is a valid EP11 AES key blob with header.
60 * If checkcpacfexport is enabled, the key is also checked for the
61 * attributes needed to export this key for CPACF use.
62 * Returns 0 on success or errno value on failure.
63 */
64int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl,
65 const u8 *key, size_t keylen, int checkcpacfexp);
66
67/*
68 * Simple check if the key blob is a valid EP11 ECC key blob with header.
69 * If checkcpacfexport is enabled, the key is also checked for the
70 * attributes needed to export this key for CPACF use.
71 * Returns 0 on success or errno value on failure.
72 */
73int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl,
74 const u8 *key, size_t keylen, int checkcpacfexp);
75
76/*
77 * Simple check if the key blob is a valid EP11 AES key blob with
78 * the header in the session field (old style EP11 AES key).
79 * If checkcpacfexport is enabled, the key is also checked for the
80 * attributes needed to export this key for CPACF use.
81 * Returns 0 on success or errno value on failure.
82 */
83int ep11_check_aes_key(debug_info_t *dbg, int dbflvl,
84 const u8 *key, size_t keylen, int checkcpacfexp);
85
86/* EP11 card info struct */
87struct ep11_card_info {
88 u32 API_ord_nr; /* API ordinal number */
89 u16 FW_version; /* Firmware major and minor version */
90 char serial[16]; /* serial number string (16 ascii, no 0x00 !) */
91 u64 op_mode; /* card operational mode(s) */
92};
93
94/* EP11 domain info struct */
95struct ep11_domain_info {
96 char cur_wk_state; /* '0' invalid, '1' valid */
97 char new_wk_state; /* '0' empty, '1' uncommitted, '2' committed */
98 u8 cur_wkvp[32]; /* current wrapping key verification pattern */
99 u8 new_wkvp[32]; /* new wrapping key verification pattern */
100 u64 op_mode; /* domain operational mode(s) */
101};
102
103/*
104 * Provide information about an EP11 card.
105 */
106int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify);
107
108/*
109 * Provide information about a domain within an EP11 card.
110 */
111int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info);
112
113/*
114 * Generate (random) EP11 AES secure key.
115 */
116int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
117 u8 *keybuf, size_t *keybufsize);
118
119/*
120 * Generate EP11 AES secure key with given clear key value.
121 */
122int ep11_clr2keyblob(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
123 const u8 *clrkey, u8 *keybuf, size_t *keybufsize);
124
125/*
126 * Build a list of ep11 apqns meeting the following constrains:
127 * - apqn is online and is in fact an EP11 apqn
128 * - if cardnr is not FFFF only apqns with this cardnr
129 * - if domain is not FFFF only apqns with this domainnr
130 * - if minhwtype > 0 only apqns with hwtype >= minhwtype
131 * - if minapi > 0 only apqns with API_ord_nr >= minapi
132 * - if wkvp != NULL only apqns where the wkvp (EP11_WKVPLEN bytes) matches
133 * to the first EP11_WKVPLEN bytes of the wkvp of the current wrapping
134 * key for this domain. When a wkvp is given there will aways be a re-fetch
135 * of the domain info for the potential apqn - so this triggers an request
136 * reply to each apqn eligible.
137 * The array of apqn entries is allocated with kmalloc and returned in *apqns;
138 * the number of apqns stored into the list is returned in *nr_apqns. One apqn
139 * entry is simple a 32 bit value with 16 bit cardnr and 16 bit domain nr and
140 * may be casted to struct pkey_apqn. The return value is either 0 for success
141 * or a negative errno value. If no apqn meeting the criterias is found,
142 * -ENODEV is returned.
143 */
144int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
145 int minhwtype, int minapi, const u8 *wkvp);
146
147/*
148 * Derive proteced key from EP11 key blob (AES and ECC keys).
149 */
150int ep11_kblob2protkey(u16 card, u16 dom, const u8 *key, size_t keylen,
151 u8 *protkey, u32 *protkeylen, u32 *protkeytype);
152
153void zcrypt_ep11misc_exit(void);
154
155#endif /* _ZCRYPT_EP11MISC_H_ */
1/* SPDX-License-Identifier: GPL-2.0+ */
2/*
3 * Copyright IBM Corp. 2019
4 * Author(s): Harald Freudenberger <freude@linux.ibm.com>
5 *
6 * Collection of EP11 misc functions used by zcrypt and pkey
7 */
8
9#ifndef _ZCRYPT_EP11MISC_H_
10#define _ZCRYPT_EP11MISC_H_
11
12#include <asm/zcrypt.h>
13#include <asm/pkey.h>
14
15#define EP11_API_V1 1 /* min EP11 API, default if no higher api required */
16#define EP11_API_V4 4 /* supported EP11 API for the ep11misc cprbs */
17#define EP11_API_V6 6 /* min EP11 API for some cprbs in SE environment */
18#define EP11_STRUCT_MAGIC 0x1234
19#define EP11_BLOB_PKEY_EXTRACTABLE 0x00200000
20
21/*
22 * Internal used values for the version field of the key header.
23 * Should match to the enum pkey_key_type in pkey.h.
24 */
25#define TOKVER_EP11_AES 0x03 /* EP11 AES key blob (old style) */
26#define TOKVER_EP11_AES_WITH_HEADER 0x06 /* EP11 AES key blob with header */
27#define TOKVER_EP11_ECC_WITH_HEADER 0x07 /* EP11 ECC key blob with header */
28
29/* inside view of an EP11 secure key blob */
30struct ep11keyblob {
31 union {
32 u8 session[32];
33 /* only used for PKEY_TYPE_EP11: */
34 struct ep11kblob_header head;
35 };
36 u8 wkvp[16]; /* wrapping key verification pattern */
37 u64 attr; /* boolean key attributes */
38 u64 mode; /* mode bits */
39 u16 version; /* 0x1234, EP11_STRUCT_MAGIC */
40 u8 iv[14];
41 u8 encrypted_key_data[144];
42 u8 mac[32];
43} __packed;
44
45/* check ep11 key magic to find out if this is an ep11 key blob */
46static inline bool is_ep11_keyblob(const u8 *key)
47{
48 struct ep11keyblob *kb = (struct ep11keyblob *)key;
49
50 return (kb->version == EP11_STRUCT_MAGIC);
51}
52
53/*
54 * For valid ep11 keyblobs, returns a reference to the wrappingkey verification
55 * pattern. Otherwise NULL.
56 */
57const u8 *ep11_kb_wkvp(const u8 *kblob, u32 kbloblen);
58
59/*
60 * Simple check if the key blob is a valid EP11 AES key blob with header.
61 * If checkcpacfexport is enabled, the key is also checked for the
62 * attributes needed to export this key for CPACF use.
63 * Returns 0 on success or errno value on failure.
64 */
65int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl,
66 const u8 *key, u32 keylen, int checkcpacfexp);
67
68/*
69 * Simple check if the key blob is a valid EP11 ECC key blob with header.
70 * If checkcpacfexport is enabled, the key is also checked for the
71 * attributes needed to export this key for CPACF use.
72 * Returns 0 on success or errno value on failure.
73 */
74int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl,
75 const u8 *key, u32 keylen, int checkcpacfexp);
76
77/*
78 * Simple check if the key blob is a valid EP11 AES key blob with
79 * the header in the session field (old style EP11 AES key).
80 * If checkcpacfexport is enabled, the key is also checked for the
81 * attributes needed to export this key for CPACF use.
82 * Returns 0 on success or errno value on failure.
83 */
84int ep11_check_aes_key(debug_info_t *dbg, int dbflvl,
85 const u8 *key, u32 keylen, int checkcpacfexp);
86
87/* EP11 card info struct */
88struct ep11_card_info {
89 u32 API_ord_nr; /* API ordinal number */
90 u16 FW_version; /* Firmware major and minor version */
91 char serial[16]; /* serial number string (16 ascii, no 0x00 !) */
92 u64 op_mode; /* card operational mode(s) */
93};
94
95/* EP11 domain info struct */
96struct ep11_domain_info {
97 char cur_wk_state; /* '0' invalid, '1' valid */
98 char new_wk_state; /* '0' empty, '1' uncommitted, '2' committed */
99 u8 cur_wkvp[32]; /* current wrapping key verification pattern */
100 u8 new_wkvp[32]; /* new wrapping key verification pattern */
101 u64 op_mode; /* domain operational mode(s) */
102};
103
104/*
105 * Provide information about an EP11 card.
106 */
107int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify);
108
109/*
110 * Provide information about a domain within an EP11 card.
111 */
112int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info);
113
114/*
115 * Generate (random) EP11 AES secure key.
116 */
117int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
118 u8 *keybuf, u32 *keybufsize, u32 keybufver);
119
120/*
121 * Generate EP11 AES secure key with given clear key value.
122 */
123int ep11_clr2keyblob(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
124 const u8 *clrkey, u8 *keybuf, u32 *keybufsize,
125 u32 keytype);
126
127/*
128 * Build a list of ep11 apqns meeting the following constrains:
129 * - apqn is online and is in fact an EP11 apqn
130 * - if cardnr is not FFFF only apqns with this cardnr
131 * - if domain is not FFFF only apqns with this domainnr
132 * - if minhwtype > 0 only apqns with hwtype >= minhwtype
133 * - if minapi > 0 only apqns with API_ord_nr >= minapi
134 * - if wkvp != NULL only apqns where the wkvp (EP11_WKVPLEN bytes) matches
135 * to the first EP11_WKVPLEN bytes of the wkvp of the current wrapping
136 * key for this domain. When a wkvp is given there will always be a re-fetch
137 * of the domain info for the potential apqn - so this triggers an request
138 * reply to each apqn eligible.
139 * The array of apqn entries is allocated with kmalloc and returned in *apqns;
140 * the number of apqns stored into the list is returned in *nr_apqns. One apqn
141 * entry is simple a 32 bit value with 16 bit cardnr and 16 bit domain nr and
142 * may be casted to struct pkey_apqn. The return value is either 0 for success
143 * or a negative errno value. If no apqn meeting the criteria is found,
144 * -ENODEV is returned.
145 */
146int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
147 int minhwtype, int minapi, const u8 *wkvp);
148
149/*
150 * Derive proteced key from EP11 key blob (AES and ECC keys).
151 */
152int ep11_kblob2protkey(u16 card, u16 dom, const u8 *key, u32 keylen,
153 u8 *protkey, u32 *protkeylen, u32 *protkeytype);
154
155void zcrypt_ep11misc_exit(void);
156
157#endif /* _ZCRYPT_EP11MISC_H_ */