1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * pkey pckmo specific code
4 *
5 * Copyright IBM Corp. 2024
6 */
7
8 #define KMSG_COMPONENT "pkey"
9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
10
11 #include <linux/init.h>
12 #include <linux/module.h>
13 #include <linux/cpufeature.h>
14 #include <asm/cpacf.h>
15 #include <crypto/aes.h>
16 #include <linux/random.h>
17
18 #include "zcrypt_ccamisc.h"
19 #include "pkey_base.h"
20
21 MODULE_LICENSE("GPL");
22 MODULE_AUTHOR("IBM Corporation");
23 MODULE_DESCRIPTION("s390 protected key PCKMO handler");
24
25 /*
26 * Check key blob for known and supported here.
27 */
is_pckmo_key(const u8 * key,u32 keylen)28 static bool is_pckmo_key(const u8 *key, u32 keylen)
29 {
30 struct keytoken_header *hdr = (struct keytoken_header *)key;
31 struct clearkeytoken *t = (struct clearkeytoken *)key;
32
33 if (keylen < sizeof(*hdr))
34 return false;
35
36 switch (hdr->type) {
37 case TOKTYPE_NON_CCA:
38 switch (hdr->version) {
39 case TOKVER_CLEAR_KEY:
40 if (pkey_keytype_to_size(t->keytype))
41 return true;
42 return false;
43 case TOKVER_PROTECTED_KEY:
44 return true;
45 default:
46 return false;
47 }
48 default:
49 return false;
50 }
51 }
52
is_pckmo_keytype(enum pkey_key_type keytype)53 static bool is_pckmo_keytype(enum pkey_key_type keytype)
54 {
55 switch (keytype) {
56 case PKEY_TYPE_PROTKEY:
57 return true;
58 default:
59 return false;
60 }
61 }
62
63 /*
64 * Create a protected key from a clear key value via PCKMO instruction.
65 */
pckmo_clr2protkey(u32 keytype,const u8 * clrkey,u32 clrkeylen,u8 * protkey,u32 * protkeylen,u32 * protkeytype)66 static int pckmo_clr2protkey(u32 keytype, const u8 *clrkey, u32 clrkeylen,
67 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
68 {
69 /* mask of available pckmo subfunctions */
70 static cpacf_mask_t pckmo_functions;
71
72 int keysize, rc = -EINVAL;
73 u8 paramblock[160];
74 u32 pkeytype = 0;
75 unsigned int fc;
76
77 switch (keytype) {
78 case PKEY_KEYTYPE_AES_128:
79 fc = CPACF_PCKMO_ENC_AES_128_KEY;
80 break;
81 case PKEY_KEYTYPE_AES_192:
82 fc = CPACF_PCKMO_ENC_AES_192_KEY;
83 break;
84 case PKEY_KEYTYPE_AES_256:
85 fc = CPACF_PCKMO_ENC_AES_256_KEY;
86 break;
87 case PKEY_KEYTYPE_ECC_P256:
88 pkeytype = PKEY_KEYTYPE_ECC;
89 fc = CPACF_PCKMO_ENC_ECC_P256_KEY;
90 break;
91 case PKEY_KEYTYPE_ECC_P384:
92 pkeytype = PKEY_KEYTYPE_ECC;
93 fc = CPACF_PCKMO_ENC_ECC_P384_KEY;
94 break;
95 case PKEY_KEYTYPE_ECC_P521:
96 pkeytype = PKEY_KEYTYPE_ECC;
97 fc = CPACF_PCKMO_ENC_ECC_P521_KEY;
98 break;
99 case PKEY_KEYTYPE_ECC_ED25519:
100 pkeytype = PKEY_KEYTYPE_ECC;
101 fc = CPACF_PCKMO_ENC_ECC_ED25519_KEY;
102 break;
103 case PKEY_KEYTYPE_ECC_ED448:
104 pkeytype = PKEY_KEYTYPE_ECC;
105 fc = CPACF_PCKMO_ENC_ECC_ED448_KEY;
106 break;
107 case PKEY_KEYTYPE_AES_XTS_128:
108 fc = CPACF_PCKMO_ENC_AES_XTS_128_DOUBLE_KEY;
109 break;
110 case PKEY_KEYTYPE_AES_XTS_256:
111 fc = CPACF_PCKMO_ENC_AES_XTS_256_DOUBLE_KEY;
112 break;
113 case PKEY_KEYTYPE_HMAC_512:
114 fc = CPACF_PCKMO_ENC_HMAC_512_KEY;
115 break;
116 case PKEY_KEYTYPE_HMAC_1024:
117 fc = CPACF_PCKMO_ENC_HMAC_1024_KEY;
118 break;
119 default:
120 PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n",
121 __func__, keytype);
122 goto out;
123 }
124
125 keysize = pkey_keytype_to_size(keytype);
126 pkeytype = pkeytype ?: keytype;
127
128 if (clrkeylen && clrkeylen < keysize) {
129 PKEY_DBF_ERR("%s clear key size too small: %u < %d\n",
130 __func__, clrkeylen, keysize);
131 goto out;
132 }
133 if (*protkeylen < keysize + AES_WK_VP_SIZE) {
134 PKEY_DBF_ERR("%s prot key buffer size too small: %u < %d\n",
135 __func__, *protkeylen, keysize + AES_WK_VP_SIZE);
136 goto out;
137 }
138
139 /* Did we already check for PCKMO ? */
140 if (!pckmo_functions.bytes[0]) {
141 /* no, so check now */
142 if (!cpacf_query(CPACF_PCKMO, &pckmo_functions)) {
143 PKEY_DBF_ERR("%s cpacf_query() failed\n", __func__);
144 rc = -ENODEV;
145 goto out;
146 }
147 }
148 /* check for the pckmo subfunction we need now */
149 if (!cpacf_test_func(&pckmo_functions, fc)) {
150 PKEY_DBF_ERR("%s pckmo fc 0x%02x not available\n",
151 __func__, fc);
152 rc = -ENODEV;
153 goto out;
154 }
155
156 /* prepare param block */
157 memset(paramblock, 0, sizeof(paramblock));
158 memcpy(paramblock, clrkey, keysize);
159
160 /* call the pckmo instruction */
161 cpacf_pckmo(fc, paramblock);
162
163 /* copy created protected key to key buffer including the wkvp block */
164 *protkeylen = keysize + AES_WK_VP_SIZE;
165 memcpy(protkey, paramblock, *protkeylen);
166 *protkeytype = pkeytype;
167
168 rc = 0;
169
170 out:
171 pr_debug("rc=%d\n", rc);
172 return rc;
173 }
174
175 /*
176 * Verify a raw protected key blob.
177 */
pckmo_verify_protkey(const u8 * protkey,u32 protkeylen,u32 protkeytype)178 static int pckmo_verify_protkey(const u8 *protkey, u32 protkeylen,
179 u32 protkeytype)
180 {
181 u8 clrkey[16] = { 0 }, tmpkeybuf[16 + AES_WK_VP_SIZE];
182 u32 tmpkeybuflen, tmpkeytype;
183 int keysize, rc = -EINVAL;
184 u8 *wkvp;
185
186 /* check protkey type and size */
187 keysize = pkey_keytype_to_size(protkeytype);
188 if (!keysize) {
189 PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n", __func__,
190 protkeytype);
191 goto out;
192 }
193 if (protkeylen < keysize + AES_WK_VP_SIZE)
194 goto out;
195
196 /* generate a dummy AES 128 protected key */
197 tmpkeybuflen = sizeof(tmpkeybuf);
198 rc = pckmo_clr2protkey(PKEY_KEYTYPE_AES_128,
199 clrkey, sizeof(clrkey),
200 tmpkeybuf, &tmpkeybuflen, &tmpkeytype);
201 if (rc)
202 goto out;
203 memzero_explicit(tmpkeybuf, 16);
204 wkvp = tmpkeybuf + 16;
205
206 /* compare WK VP from the temp key with that of the given prot key */
207 if (memcmp(wkvp, protkey + keysize, AES_WK_VP_SIZE)) {
208 PKEY_DBF_ERR("%s protected key WK VP mismatch\n", __func__);
209 rc = -EKEYREJECTED;
210 goto out;
211 }
212
213 out:
214 pr_debug("rc=%d\n", rc);
215 return rc;
216 }
217
pckmo_key2protkey(const u8 * key,u32 keylen,u8 * protkey,u32 * protkeylen,u32 * protkeytype)218 static int pckmo_key2protkey(const u8 *key, u32 keylen,
219 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
220 {
221 struct keytoken_header *hdr = (struct keytoken_header *)key;
222 int rc = -EINVAL;
223
224 if (keylen < sizeof(*hdr))
225 return -EINVAL;
226 if (hdr->type != TOKTYPE_NON_CCA)
227 return -EINVAL;
228
229 switch (hdr->version) {
230 case TOKVER_PROTECTED_KEY: {
231 struct protkeytoken *t = (struct protkeytoken *)key;
232 u32 keysize;
233
234 if (keylen < sizeof(*t))
235 goto out;
236 keysize = pkey_keytype_to_size(t->keytype);
237 if (!keysize) {
238 PKEY_DBF_ERR("%s protected key token: unknown keytype %u\n",
239 __func__, t->keytype);
240 goto out;
241 }
242 switch (t->keytype) {
243 case PKEY_KEYTYPE_AES_128:
244 case PKEY_KEYTYPE_AES_192:
245 case PKEY_KEYTYPE_AES_256:
246 if (t->len != keysize + AES_WK_VP_SIZE ||
247 keylen < sizeof(struct protaeskeytoken))
248 goto out;
249 rc = pckmo_verify_protkey(t->protkey, t->len,
250 t->keytype);
251 if (rc)
252 goto out;
253 break;
254 default:
255 if (t->len != keysize + AES_WK_VP_SIZE ||
256 keylen < sizeof(*t) + keysize + AES_WK_VP_SIZE)
257 goto out;
258 break;
259 }
260 memcpy(protkey, t->protkey, t->len);
261 *protkeylen = t->len;
262 *protkeytype = t->keytype;
263 rc = 0;
264 break;
265 }
266 case TOKVER_CLEAR_KEY: {
267 struct clearkeytoken *t = (struct clearkeytoken *)key;
268 u32 keysize;
269
270 if (keylen < sizeof(*t) ||
271 keylen < sizeof(*t) + t->len)
272 goto out;
273 keysize = pkey_keytype_to_size(t->keytype);
274 if (!keysize) {
275 PKEY_DBF_ERR("%s clear key token: unknown keytype %u\n",
276 __func__, t->keytype);
277 goto out;
278 }
279 if (t->len != keysize) {
280 PKEY_DBF_ERR("%s clear key token: invalid key len %u\n",
281 __func__, t->len);
282 goto out;
283 }
284 rc = pckmo_clr2protkey(t->keytype, t->clearkey, t->len,
285 protkey, protkeylen, protkeytype);
286 break;
287 }
288 default:
289 PKEY_DBF_ERR("%s unknown non-CCA token version %d\n",
290 __func__, hdr->version);
291 break;
292 }
293
294 out:
295 pr_debug("rc=%d\n", rc);
296 return rc;
297 }
298
299 /*
300 * Generate a random protected key.
301 */
pckmo_gen_protkey(u32 keytype,u32 subtype,u8 * protkey,u32 * protkeylen,u32 * protkeytype)302 static int pckmo_gen_protkey(u32 keytype, u32 subtype,
303 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
304 {
305 u8 clrkey[128];
306 int keysize;
307 int rc;
308
309 keysize = pkey_keytype_to_size(keytype);
310 if (!keysize) {
311 PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n",
312 __func__, keytype);
313 return -EINVAL;
314 }
315 if (subtype != PKEY_TYPE_PROTKEY) {
316 PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n",
317 __func__, subtype);
318 return -EINVAL;
319 }
320
321 switch (keytype) {
322 case PKEY_KEYTYPE_AES_128:
323 case PKEY_KEYTYPE_AES_192:
324 case PKEY_KEYTYPE_AES_256:
325 case PKEY_KEYTYPE_AES_XTS_128:
326 case PKEY_KEYTYPE_AES_XTS_256:
327 case PKEY_KEYTYPE_HMAC_512:
328 case PKEY_KEYTYPE_HMAC_1024:
329 break;
330 default:
331 PKEY_DBF_ERR("%s unsupported keytype %d\n",
332 __func__, keytype);
333 return -EINVAL;
334 }
335
336 /* generate a dummy random clear key */
337 get_random_bytes(clrkey, keysize);
338
339 /* convert it to a dummy protected key */
340 rc = pckmo_clr2protkey(keytype, clrkey, keysize,
341 protkey, protkeylen, protkeytype);
342 if (rc)
343 goto out;
344
345 /* replace the key part of the protected key with random bytes */
346 get_random_bytes(protkey, keysize);
347
348 out:
349 pr_debug("rc=%d\n", rc);
350 return rc;
351 }
352
353 /*
354 * Verify a protected key token blob.
355 */
pckmo_verify_key(const u8 * key,u32 keylen)356 static int pckmo_verify_key(const u8 *key, u32 keylen)
357 {
358 struct keytoken_header *hdr = (struct keytoken_header *)key;
359 int rc = -EINVAL;
360
361 if (keylen < sizeof(*hdr))
362 return -EINVAL;
363 if (hdr->type != TOKTYPE_NON_CCA)
364 return -EINVAL;
365
366 switch (hdr->version) {
367 case TOKVER_PROTECTED_KEY: {
368 struct protkeytoken *t = (struct protkeytoken *)key;
369 u32 keysize;
370
371 if (keylen < sizeof(*t))
372 goto out;
373 keysize = pkey_keytype_to_size(t->keytype);
374 if (!keysize || t->len != keysize + AES_WK_VP_SIZE)
375 goto out;
376 switch (t->keytype) {
377 case PKEY_KEYTYPE_AES_128:
378 case PKEY_KEYTYPE_AES_192:
379 case PKEY_KEYTYPE_AES_256:
380 if (keylen < sizeof(struct protaeskeytoken))
381 goto out;
382 break;
383 default:
384 if (keylen < sizeof(*t) + keysize + AES_WK_VP_SIZE)
385 goto out;
386 break;
387 }
388 rc = pckmo_verify_protkey(t->protkey, t->len, t->keytype);
389 break;
390 }
391 default:
392 PKEY_DBF_ERR("%s unknown non-CCA token version %d\n",
393 __func__, hdr->version);
394 break;
395 }
396
397 out:
398 pr_debug("rc=%d\n", rc);
399 return rc;
400 }
401
402 /*
403 * Wrapper functions used for the pkey handler struct
404 */
405
pkey_pckmo_key2protkey(const struct pkey_apqn * _apqns,size_t _nr_apqns,const u8 * key,u32 keylen,u8 * protkey,u32 * protkeylen,u32 * keyinfo)406 static int pkey_pckmo_key2protkey(const struct pkey_apqn *_apqns,
407 size_t _nr_apqns,
408 const u8 *key, u32 keylen,
409 u8 *protkey, u32 *protkeylen, u32 *keyinfo)
410 {
411 return pckmo_key2protkey(key, keylen,
412 protkey, protkeylen, keyinfo);
413 }
414
pkey_pckmo_gen_key(const struct pkey_apqn * _apqns,size_t _nr_apqns,u32 keytype,u32 keysubtype,u32 _keybitsize,u32 _flags,u8 * keybuf,u32 * keybuflen,u32 * keyinfo)415 static int pkey_pckmo_gen_key(const struct pkey_apqn *_apqns, size_t _nr_apqns,
416 u32 keytype, u32 keysubtype,
417 u32 _keybitsize, u32 _flags,
418 u8 *keybuf, u32 *keybuflen, u32 *keyinfo)
419 {
420 return pckmo_gen_protkey(keytype, keysubtype,
421 keybuf, keybuflen, keyinfo);
422 }
423
pkey_pckmo_verifykey(const u8 * key,u32 keylen,u16 * _card,u16 * _dom,u32 * _keytype,u32 * _keybitsize,u32 * _flags)424 static int pkey_pckmo_verifykey(const u8 *key, u32 keylen,
425 u16 *_card, u16 *_dom,
426 u32 *_keytype, u32 *_keybitsize, u32 *_flags)
427 {
428 return pckmo_verify_key(key, keylen);
429 }
430
431 static struct pkey_handler pckmo_handler = {
432 .module = THIS_MODULE,
433 .name = "PKEY PCKMO handler",
434 .is_supported_key = is_pckmo_key,
435 .is_supported_keytype = is_pckmo_keytype,
436 .key_to_protkey = pkey_pckmo_key2protkey,
437 .gen_key = pkey_pckmo_gen_key,
438 .verify_key = pkey_pckmo_verifykey,
439 };
440
441 /*
442 * Module init
443 */
pkey_pckmo_init(void)444 static int __init pkey_pckmo_init(void)
445 {
446 cpacf_mask_t func_mask;
447
448 /*
449 * The pckmo instruction should be available - even if we don't
450 * actually invoke it. This instruction comes with MSA 3 which
451 * is also the minimum level for the kmc instructions which
452 * are able to work with protected keys.
453 */
454 if (!cpacf_query(CPACF_PCKMO, &func_mask))
455 return -ENODEV;
456
457 /* register this module as pkey handler for all the pckmo stuff */
458 return pkey_handler_register(&pckmo_handler);
459 }
460
461 /*
462 * Module exit
463 */
pkey_pckmo_exit(void)464 static void __exit pkey_pckmo_exit(void)
465 {
466 /* unregister this module as pkey handler */
467 pkey_handler_unregister(&pckmo_handler);
468 }
469
470 module_cpu_feature_match(S390_CPU_FEATURE_MSA, pkey_pckmo_init);
471 module_exit(pkey_pckmo_exit);
472