xref: /linux/drivers/s390/crypto/zcrypt_msgtype6.c (revision 3a39d672e7f48b8d6b91a09afa4b55352773b4b5)
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  *  Copyright IBM Corp. 2001, 2023
4  *  Author(s): Robert Burroughs
5  *	       Eric Rossman (edrossma@us.ibm.com)
6  *
7  *  Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com)
8  *  Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com>
9  *				  Ralph Wuerthner <rwuerthn@de.ibm.com>
10  *  MSGTYPE restruct:		  Holger Dengler <hd@linux.vnet.ibm.com>
11  */
12 
13 #define KMSG_COMPONENT "zcrypt"
14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
15 
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/err.h>
19 #include <linux/delay.h>
20 #include <linux/slab.h>
21 #include <linux/atomic.h>
22 #include <linux/uaccess.h>
23 
24 #include "ap_bus.h"
25 #include "zcrypt_api.h"
26 #include "zcrypt_error.h"
27 #include "zcrypt_msgtype6.h"
28 #include "zcrypt_cca_key.h"
29 
30 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply	    */
31 
32 #define CEIL4(x) ((((x) + 3) / 4) * 4)
33 
34 struct response_type {
35 	struct completion work;
36 	int type;
37 };
38 
39 #define CEXXC_RESPONSE_TYPE_ICA  0
40 #define CEXXC_RESPONSE_TYPE_XCRB 1
41 #define CEXXC_RESPONSE_TYPE_EP11 2
42 
43 MODULE_AUTHOR("IBM Corporation");
44 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \
45 		   "Copyright IBM Corp. 2001, 2023");
46 MODULE_LICENSE("GPL");
47 
48 struct function_and_rules_block {
49 	unsigned char function_code[2];
50 	unsigned short ulen;
51 	unsigned char only_rule[8];
52 } __packed;
53 
54 /*
55  * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP
56  * card in a type6 message. The 3 fields that must be filled in at execution
57  * time are  req_parml, rpl_parml and usage_domain.
58  * Everything about this interface is ascii/big-endian, since the
59  * device does *not* have 'Intel inside'.
60  *
61  * The CPRBX is followed immediately by the parm block.
62  * The parm block contains:
63  * - function code ('PD' 0x5044 or 'PK' 0x504B)
64  * - rule block (one of:)
65  *   + 0x000A 'PKCS-1.2' (MCL2 'PD')
66  *   + 0x000A 'ZERO-PAD' (MCL2 'PK')
67  *   + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD')
68  *   + 0x000A 'MRP     ' (MCL3 'PK' or CEX2C 'PK')
69  * - VUD block
70  */
71 static const struct CPRBX static_cprbx = {
72 	.cprb_len	=  0x00DC,
73 	.cprb_ver_id	=  0x02,
74 	.func_id	= {0x54, 0x32},
75 };
76 
speed_idx_cca(int req_type)77 int speed_idx_cca(int req_type)
78 {
79 	switch (req_type) {
80 	case 0x4142:
81 	case 0x4149:
82 	case 0x414D:
83 	case 0x4341:
84 	case 0x4344:
85 	case 0x4354:
86 	case 0x4358:
87 	case 0x444B:
88 	case 0x4558:
89 	case 0x4643:
90 	case 0x4651:
91 	case 0x4C47:
92 	case 0x4C4B:
93 	case 0x4C51:
94 	case 0x4F48:
95 	case 0x504F:
96 	case 0x5053:
97 	case 0x5058:
98 	case 0x5343:
99 	case 0x5344:
100 	case 0x5345:
101 	case 0x5350:
102 		return LOW;
103 	case 0x414B:
104 	case 0x4345:
105 	case 0x4349:
106 	case 0x434D:
107 	case 0x4847:
108 	case 0x4849:
109 	case 0x484D:
110 	case 0x4850:
111 	case 0x4851:
112 	case 0x4954:
113 	case 0x4958:
114 	case 0x4B43:
115 	case 0x4B44:
116 	case 0x4B45:
117 	case 0x4B47:
118 	case 0x4B48:
119 	case 0x4B49:
120 	case 0x4B4E:
121 	case 0x4B50:
122 	case 0x4B52:
123 	case 0x4B54:
124 	case 0x4B58:
125 	case 0x4D50:
126 	case 0x4D53:
127 	case 0x4D56:
128 	case 0x4D58:
129 	case 0x5044:
130 	case 0x5045:
131 	case 0x5046:
132 	case 0x5047:
133 	case 0x5049:
134 	case 0x504B:
135 	case 0x504D:
136 	case 0x5254:
137 	case 0x5347:
138 	case 0x5349:
139 	case 0x534B:
140 	case 0x534D:
141 	case 0x5356:
142 	case 0x5358:
143 	case 0x5443:
144 	case 0x544B:
145 	case 0x5647:
146 		return HIGH;
147 	default:
148 		return MEDIUM;
149 	}
150 }
151 
speed_idx_ep11(int req_type)152 int speed_idx_ep11(int req_type)
153 {
154 	switch (req_type) {
155 	case  1:
156 	case  2:
157 	case 36:
158 	case 37:
159 	case 38:
160 	case 39:
161 	case 40:
162 		return LOW;
163 	case 17:
164 	case 18:
165 	case 19:
166 	case 20:
167 	case 21:
168 	case 22:
169 	case 26:
170 	case 30:
171 	case 31:
172 	case 32:
173 	case 33:
174 	case 34:
175 	case 35:
176 		return HIGH;
177 	default:
178 		return MEDIUM;
179 	}
180 }
181 
182 /*
183  * Convert a ICAMEX message to a type6 MEX message.
184  *
185  * @zq: crypto device pointer
186  * @ap_msg: pointer to AP message
187  * @mex: pointer to user input data
188  *
189  * Returns 0 on success or negative errno value.
190  */
icamex_msg_to_type6mex_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo * mex)191 static int icamex_msg_to_type6mex_msgx(struct zcrypt_queue *zq,
192 				       struct ap_message *ap_msg,
193 				       struct ica_rsa_modexpo *mex)
194 {
195 	static struct type6_hdr static_type6_hdrX = {
196 		.type		=  0x06,
197 		.offset1	=  0x00000058,
198 		.agent_id	= {'C', 'A',},
199 		.function_code	= {'P', 'K'},
200 	};
201 	static struct function_and_rules_block static_pke_fnr = {
202 		.function_code	= {'P', 'K'},
203 		.ulen		= 10,
204 		.only_rule	= {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '}
205 	};
206 	struct {
207 		struct type6_hdr hdr;
208 		struct CPRBX cprbx;
209 		struct function_and_rules_block fr;
210 		unsigned short length;
211 		char text[];
212 	} __packed * msg = ap_msg->msg;
213 	int size;
214 
215 	/*
216 	 * The inputdatalength was a selection criteria in the dispatching
217 	 * function zcrypt_rsa_modexpo(). However, make sure the following
218 	 * copy_from_user() never exceeds the allocated buffer space.
219 	 */
220 	if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
221 		return -EINVAL;
222 
223 	/* VUD.ciphertext */
224 	msg->length = mex->inputdatalength + 2;
225 	if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
226 		return -EFAULT;
227 
228 	/* Set up key which is located after the variable length text. */
229 	size = zcrypt_type6_mex_key_en(mex, msg->text + mex->inputdatalength);
230 	if (size < 0)
231 		return size;
232 	size += sizeof(*msg) + mex->inputdatalength;
233 
234 	/* message header, cprbx and f&r */
235 	msg->hdr = static_type6_hdrX;
236 	msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
237 	msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
238 
239 	msg->cprbx = static_cprbx;
240 	msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
241 	msg->cprbx.rpl_msgbl = msg->hdr.fromcardlen1;
242 
243 	msg->fr = static_pke_fnr;
244 
245 	msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx);
246 
247 	ap_msg->len = size;
248 	return 0;
249 }
250 
251 /*
252  * Convert a ICACRT message to a type6 CRT message.
253  *
254  * @zq: crypto device pointer
255  * @ap_msg: pointer to AP message
256  * @crt: pointer to user input data
257  *
258  * Returns 0 on success or negative errno value.
259  */
icacrt_msg_to_type6crt_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo_crt * crt)260 static int icacrt_msg_to_type6crt_msgx(struct zcrypt_queue *zq,
261 				       struct ap_message *ap_msg,
262 				       struct ica_rsa_modexpo_crt *crt)
263 {
264 	static struct type6_hdr static_type6_hdrX = {
265 		.type		=  0x06,
266 		.offset1	=  0x00000058,
267 		.agent_id	= {'C', 'A',},
268 		.function_code	= {'P', 'D'},
269 	};
270 	static struct function_and_rules_block static_pkd_fnr = {
271 		.function_code	= {'P', 'D'},
272 		.ulen		= 10,
273 		.only_rule	= {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'}
274 	};
275 
276 	struct {
277 		struct type6_hdr hdr;
278 		struct CPRBX cprbx;
279 		struct function_and_rules_block fr;
280 		unsigned short length;
281 		char text[];
282 	} __packed * msg = ap_msg->msg;
283 	int size;
284 
285 	/*
286 	 * The inputdatalength was a selection criteria in the dispatching
287 	 * function zcrypt_rsa_crt(). However, make sure the following
288 	 * copy_from_user() never exceeds the allocated buffer space.
289 	 */
290 	if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
291 		return -EINVAL;
292 
293 	/* VUD.ciphertext */
294 	msg->length = crt->inputdatalength + 2;
295 	if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))
296 		return -EFAULT;
297 
298 	/* Set up key which is located after the variable length text. */
299 	size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength);
300 	if (size < 0)
301 		return size;
302 	size += sizeof(*msg) + crt->inputdatalength;	/* total size of msg */
303 
304 	/* message header, cprbx and f&r */
305 	msg->hdr = static_type6_hdrX;
306 	msg->hdr.tocardlen1 = size -  sizeof(msg->hdr);
307 	msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
308 
309 	msg->cprbx = static_cprbx;
310 	msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
311 	msg->cprbx.req_parml = msg->cprbx.rpl_msgbl =
312 		size - sizeof(msg->hdr) - sizeof(msg->cprbx);
313 
314 	msg->fr = static_pkd_fnr;
315 
316 	ap_msg->len = size;
317 	return 0;
318 }
319 
320 /*
321  * Convert a XCRB message to a type6 CPRB message.
322  *
323  * @zq: crypto device pointer
324  * @ap_msg: pointer to AP message
325  * @xcRB: pointer to user input data
326  *
327  * Returns 0 on success or -EFAULT, -EINVAL.
328  */
329 struct type86_fmt2_msg {
330 	struct type86_hdr hdr;
331 	struct type86_fmt2_ext fmt2;
332 } __packed;
333 
xcrb_msg_to_type6cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ica_xcRB * xcrb,unsigned int * fcode,unsigned short ** dom)334 static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg,
335 				      struct ica_xcRB *xcrb,
336 				      unsigned int *fcode,
337 				      unsigned short **dom)
338 {
339 	static struct type6_hdr static_type6_hdrX = {
340 		.type		=  0x06,
341 		.offset1	=  0x00000058,
342 	};
343 	struct {
344 		struct type6_hdr hdr;
345 		union {
346 			struct CPRBX cprbx;
347 			DECLARE_FLEX_ARRAY(u8, userdata);
348 		};
349 	} __packed * msg = ap_msg->msg;
350 
351 	int rcblen = CEIL4(xcrb->request_control_blk_length);
352 	int req_sumlen, resp_sumlen;
353 	char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen;
354 	char *function_code;
355 
356 	if (CEIL4(xcrb->request_control_blk_length) <
357 			xcrb->request_control_blk_length)
358 		return -EINVAL; /* overflow after alignment*/
359 
360 	/* length checks */
361 	ap_msg->len = sizeof(struct type6_hdr) +
362 		CEIL4(xcrb->request_control_blk_length) +
363 		xcrb->request_data_length;
364 	if (ap_msg->len > ap_msg->bufsize)
365 		return -EINVAL;
366 
367 	/*
368 	 * Overflow check
369 	 * sum must be greater (or equal) than the largest operand
370 	 */
371 	req_sumlen = CEIL4(xcrb->request_control_blk_length) +
372 			xcrb->request_data_length;
373 	if ((CEIL4(xcrb->request_control_blk_length) <=
374 	     xcrb->request_data_length) ?
375 	    req_sumlen < xcrb->request_data_length :
376 	    req_sumlen < CEIL4(xcrb->request_control_blk_length)) {
377 		return -EINVAL;
378 	}
379 
380 	if (CEIL4(xcrb->reply_control_blk_length) <
381 			xcrb->reply_control_blk_length)
382 		return -EINVAL; /* overflow after alignment*/
383 
384 	/*
385 	 * Overflow check
386 	 * sum must be greater (or equal) than the largest operand
387 	 */
388 	resp_sumlen = CEIL4(xcrb->reply_control_blk_length) +
389 			xcrb->reply_data_length;
390 	if ((CEIL4(xcrb->reply_control_blk_length) <=
391 	     xcrb->reply_data_length) ?
392 	    resp_sumlen < xcrb->reply_data_length :
393 	    resp_sumlen < CEIL4(xcrb->reply_control_blk_length)) {
394 		return -EINVAL;
395 	}
396 
397 	/* prepare type6 header */
398 	msg->hdr = static_type6_hdrX;
399 	memcpy(msg->hdr.agent_id, &xcrb->agent_ID, sizeof(xcrb->agent_ID));
400 	msg->hdr.tocardlen1 = xcrb->request_control_blk_length;
401 	if (xcrb->request_data_length) {
402 		msg->hdr.offset2 = msg->hdr.offset1 + rcblen;
403 		msg->hdr.tocardlen2 = xcrb->request_data_length;
404 	}
405 	msg->hdr.fromcardlen1 = xcrb->reply_control_blk_length;
406 	msg->hdr.fromcardlen2 = xcrb->reply_data_length;
407 
408 	/* prepare CPRB */
409 	if (z_copy_from_user(userspace, msg->userdata,
410 			     xcrb->request_control_blk_addr,
411 			     xcrb->request_control_blk_length))
412 		return -EFAULT;
413 	if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) >
414 	    xcrb->request_control_blk_length)
415 		return -EINVAL;
416 	function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len;
417 	memcpy(msg->hdr.function_code, function_code,
418 	       sizeof(msg->hdr.function_code));
419 
420 	*fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1];
421 	*dom = (unsigned short *)&msg->cprbx.domain;
422 
423 	/* check subfunction, US and AU need special flag with NQAP */
424 	if (memcmp(function_code, "US", 2) == 0 ||
425 	    memcmp(function_code, "AU", 2) == 0)
426 		ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
427 
428 	/* check CPRB minor version, set info bits in ap_message flag field */
429 	switch (*(unsigned short *)(&msg->cprbx.func_id[0])) {
430 	case 0x5432: /* "T2" */
431 		ap_msg->flags |= AP_MSG_FLAG_USAGE;
432 		break;
433 	case 0x5433: /* "T3" */
434 	case 0x5435: /* "T5" */
435 	case 0x5436: /* "T6" */
436 	case 0x5437: /* "T7" */
437 		ap_msg->flags |= AP_MSG_FLAG_ADMIN;
438 		break;
439 	default:
440 		pr_debug("unknown CPRB minor version '%c%c'\n",
441 			 msg->cprbx.func_id[0], msg->cprbx.func_id[1]);
442 	}
443 
444 	/* copy data block */
445 	if (xcrb->request_data_length &&
446 	    z_copy_from_user(userspace, req_data, xcrb->request_data_address,
447 			     xcrb->request_data_length))
448 		return -EFAULT;
449 
450 	return 0;
451 }
452 
xcrb_msg_to_type6_ep11cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ep11_urb * xcrb,unsigned int * fcode,unsigned int * domain)453 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg,
454 					   struct ep11_urb *xcrb,
455 					   unsigned int *fcode,
456 					   unsigned int *domain)
457 {
458 	unsigned int lfmt;
459 	static struct type6_hdr static_type6_ep11_hdr = {
460 		.type		=  0x06,
461 		.rqid		= {0x00, 0x01},
462 		.function_code	= {0x00, 0x00},
463 		.agent_id[0]	=  0x58,	/* {'X'} */
464 		.agent_id[1]	=  0x43,	/* {'C'} */
465 		.offset1	=  0x00000058,
466 	};
467 
468 	struct {
469 		struct type6_hdr hdr;
470 		union {
471 			struct {
472 				struct ep11_cprb cprbx;
473 				unsigned char pld_tag;    /* fixed value 0x30 */
474 				unsigned char pld_lenfmt; /* length format */
475 			} __packed;
476 			DECLARE_FLEX_ARRAY(u8, userdata);
477 		};
478 	} __packed * msg = ap_msg->msg;
479 
480 	struct pld_hdr {
481 		unsigned char	func_tag;	/* fixed value 0x4 */
482 		unsigned char	func_len;	/* fixed value 0x4 */
483 		unsigned int	func_val;	/* function ID	   */
484 		unsigned char	dom_tag;	/* fixed value 0x4 */
485 		unsigned char	dom_len;	/* fixed value 0x4 */
486 		unsigned int	dom_val;	/* domain id	   */
487 	} __packed * payload_hdr = NULL;
488 
489 	if (CEIL4(xcrb->req_len) < xcrb->req_len)
490 		return -EINVAL; /* overflow after alignment*/
491 
492 	/* length checks */
493 	ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcrb->req_len);
494 	if (ap_msg->len > ap_msg->bufsize)
495 		return -EINVAL;
496 
497 	if (CEIL4(xcrb->resp_len) < xcrb->resp_len)
498 		return -EINVAL; /* overflow after alignment*/
499 
500 	/* prepare type6 header */
501 	msg->hdr = static_type6_ep11_hdr;
502 	msg->hdr.tocardlen1   = xcrb->req_len;
503 	msg->hdr.fromcardlen1 = xcrb->resp_len;
504 
505 	/* Import CPRB data from the ioctl input parameter */
506 	if (z_copy_from_user(userspace, msg->userdata,
507 			     (char __force __user *)xcrb->req, xcrb->req_len)) {
508 		return -EFAULT;
509 	}
510 
511 	if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
512 		switch (msg->pld_lenfmt & 0x03) {
513 		case 1:
514 			lfmt = 2;
515 			break;
516 		case 2:
517 			lfmt = 3;
518 			break;
519 		default:
520 			return -EINVAL;
521 		}
522 	} else {
523 		lfmt = 1; /* length format #1 */
524 	}
525 	payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
526 	*fcode = payload_hdr->func_val & 0xFFFF;
527 
528 	/* enable special processing based on the cprbs flags special bit */
529 	if (msg->cprbx.flags & 0x20)
530 		ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
531 
532 	/* set info bits in ap_message flag field */
533 	if (msg->cprbx.flags & 0x80)
534 		ap_msg->flags |= AP_MSG_FLAG_ADMIN;
535 	else
536 		ap_msg->flags |= AP_MSG_FLAG_USAGE;
537 
538 	*domain = msg->cprbx.target_id;
539 
540 	return 0;
541 }
542 
543 /*
544  * Copy results from a type 86 ICA reply message back to user space.
545  *
546  * @zq: crypto device pointer
547  * @reply: reply AP message.
548  * @data: pointer to user output data
549  * @length: size of user output data
550  *
551  * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
552  */
553 struct type86x_reply {
554 	struct type86_hdr hdr;
555 	struct type86_fmt2_ext fmt2;
556 	struct CPRBX cprbx;
557 	unsigned char pad[4];	/* 4 byte function code/rules block ? */
558 	unsigned short length;	/* length of data including length field size */
559 	char data[];
560 } __packed;
561 
562 struct type86_ep11_reply {
563 	struct type86_hdr hdr;
564 	struct type86_fmt2_ext fmt2;
565 	struct ep11_cprb cprbx;
566 } __packed;
567 
convert_type86_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)568 static int convert_type86_ica(struct zcrypt_queue *zq,
569 			      struct ap_message *reply,
570 			      char __user *outputdata,
571 			      unsigned int outputdatalength)
572 {
573 	struct type86x_reply *msg = reply->msg;
574 	unsigned short service_rc, service_rs;
575 	unsigned int data_len;
576 
577 	service_rc = msg->cprbx.ccp_rtcode;
578 	if (unlikely(service_rc != 0)) {
579 		service_rs = msg->cprbx.ccp_rscode;
580 		if ((service_rc == 8 && service_rs == 66) ||
581 		    (service_rc == 8 && service_rs == 65) ||
582 		    (service_rc == 8 && service_rs == 72) ||
583 		    (service_rc == 8 && service_rs == 770) ||
584 		    (service_rc == 12 && service_rs == 769)) {
585 			ZCRYPT_DBF_WARN("%s dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n",
586 					__func__, AP_QID_CARD(zq->queue->qid),
587 					AP_QID_QUEUE(zq->queue->qid),
588 					(int)service_rc, (int)service_rs);
589 			return -EINVAL;
590 		}
591 		zq->online = 0;
592 		pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n",
593 		       AP_QID_CARD(zq->queue->qid),
594 		       AP_QID_QUEUE(zq->queue->qid),
595 		       (int)service_rc, (int)service_rs);
596 		ZCRYPT_DBF_ERR("%s dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n",
597 			       __func__, AP_QID_CARD(zq->queue->qid),
598 			       AP_QID_QUEUE(zq->queue->qid),
599 			       (int)service_rc, (int)service_rs);
600 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
601 		return -EAGAIN;
602 	}
603 	data_len = msg->length - sizeof(msg->length);
604 	if (data_len > outputdatalength)
605 		return -EMSGSIZE;
606 
607 	/* Copy the crypto response to user space. */
608 	if (copy_to_user(outputdata, msg->data, data_len))
609 		return -EFAULT;
610 	return 0;
611 }
612 
613 /*
614  * Copy results from a type 86 XCRB reply message back to user space.
615  *
616  * @zq: crypto device pointer
617  * @reply: reply AP message.
618  * @xcrb: pointer to XCRB
619  *
620  * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
621  */
convert_type86_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)622 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq,
623 			       struct ap_message *reply,
624 			       struct ica_xcRB *xcrb)
625 {
626 	struct type86_fmt2_msg *msg = reply->msg;
627 	char *data = reply->msg;
628 
629 	/* Copy CPRB to user */
630 	if (xcrb->reply_control_blk_length < msg->fmt2.count1) {
631 		pr_debug("reply_control_blk_length %u < required %u => EMSGSIZE\n",
632 			 xcrb->reply_control_blk_length, msg->fmt2.count1);
633 		return -EMSGSIZE;
634 	}
635 	if (z_copy_to_user(userspace, xcrb->reply_control_blk_addr,
636 			   data + msg->fmt2.offset1, msg->fmt2.count1))
637 		return -EFAULT;
638 	xcrb->reply_control_blk_length = msg->fmt2.count1;
639 
640 	/* Copy data buffer to user */
641 	if (msg->fmt2.count2) {
642 		if (xcrb->reply_data_length < msg->fmt2.count2) {
643 			pr_debug("reply_data_length %u < required %u => EMSGSIZE\n",
644 				 xcrb->reply_data_length, msg->fmt2.count2);
645 			return -EMSGSIZE;
646 		}
647 		if (z_copy_to_user(userspace, xcrb->reply_data_addr,
648 				   data + msg->fmt2.offset2, msg->fmt2.count2))
649 			return -EFAULT;
650 	}
651 	xcrb->reply_data_length = msg->fmt2.count2;
652 
653 	return 0;
654 }
655 
656 /*
657  * Copy results from a type 86 EP11 XCRB reply message back to user space.
658  *
659  * @zq: crypto device pointer
660  * @reply: reply AP message.
661  * @xcrb: pointer to EP11 user request block
662  *
663  * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
664  */
convert_type86_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)665 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
666 				    struct ap_message *reply,
667 				    struct ep11_urb *xcrb)
668 {
669 	struct type86_fmt2_msg *msg = reply->msg;
670 	char *data = reply->msg;
671 
672 	if (xcrb->resp_len < msg->fmt2.count1) {
673 		pr_debug("resp_len %u < required %u => EMSGSIZE\n",
674 			 (unsigned int)xcrb->resp_len, msg->fmt2.count1);
675 		return -EMSGSIZE;
676 	}
677 
678 	/* Copy response CPRB to user */
679 	if (z_copy_to_user(userspace, (char __force __user *)xcrb->resp,
680 			   data + msg->fmt2.offset1, msg->fmt2.count1))
681 		return -EFAULT;
682 	xcrb->resp_len = msg->fmt2.count1;
683 	return 0;
684 }
685 
convert_type86_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * buffer)686 static int convert_type86_rng(struct zcrypt_queue *zq,
687 			      struct ap_message *reply,
688 			      char *buffer)
689 {
690 	struct {
691 		struct type86_hdr hdr;
692 		struct type86_fmt2_ext fmt2;
693 		struct CPRBX cprbx;
694 	} __packed * msg = reply->msg;
695 	char *data = reply->msg;
696 
697 	if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0)
698 		return -EINVAL;
699 	memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2);
700 	return msg->fmt2.count2;
701 }
702 
convert_response_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)703 static int convert_response_ica(struct zcrypt_queue *zq,
704 				struct ap_message *reply,
705 				char __user *outputdata,
706 				unsigned int outputdatalength)
707 {
708 	struct type86x_reply *msg = reply->msg;
709 
710 	switch (msg->hdr.type) {
711 	case TYPE82_RSP_CODE:
712 	case TYPE88_RSP_CODE:
713 		return convert_error(zq, reply);
714 	case TYPE86_RSP_CODE:
715 		if (msg->cprbx.ccp_rtcode &&
716 		    msg->cprbx.ccp_rscode == 0x14f &&
717 		    outputdatalength > 256) {
718 			if (zq->zcard->max_exp_bit_length <= 17) {
719 				zq->zcard->max_exp_bit_length = 17;
720 				return -EAGAIN;
721 			} else {
722 				return -EINVAL;
723 			}
724 		}
725 		if (msg->hdr.reply_code)
726 			return convert_error(zq, reply);
727 		if (msg->cprbx.cprb_ver_id == 0x02)
728 			return convert_type86_ica(zq, reply,
729 						  outputdata, outputdatalength);
730 		fallthrough;	/* wrong cprb version is an unknown response */
731 	default:
732 		/* Unknown response type, this should NEVER EVER happen */
733 		zq->online = 0;
734 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
735 		       AP_QID_CARD(zq->queue->qid),
736 		       AP_QID_QUEUE(zq->queue->qid),
737 		       (int)msg->hdr.type);
738 		ZCRYPT_DBF_ERR(
739 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
740 			__func__, AP_QID_CARD(zq->queue->qid),
741 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
742 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
743 		return -EAGAIN;
744 	}
745 }
746 
convert_response_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)747 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq,
748 				 struct ap_message *reply,
749 				 struct ica_xcRB *xcrb)
750 {
751 	struct type86x_reply *msg = reply->msg;
752 
753 	switch (msg->hdr.type) {
754 	case TYPE82_RSP_CODE:
755 	case TYPE88_RSP_CODE:
756 		xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
757 		return convert_error(zq, reply);
758 	case TYPE86_RSP_CODE:
759 		if (msg->hdr.reply_code) {
760 			memcpy(&xcrb->status, msg->fmt2.apfs, sizeof(u32));
761 			return convert_error(zq, reply);
762 		}
763 		if (msg->cprbx.cprb_ver_id == 0x02)
764 			return convert_type86_xcrb(userspace, zq, reply, xcrb);
765 		fallthrough;	/* wrong cprb version is an unknown response */
766 	default: /* Unknown response type, this should NEVER EVER happen */
767 		xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
768 		zq->online = 0;
769 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
770 		       AP_QID_CARD(zq->queue->qid),
771 		       AP_QID_QUEUE(zq->queue->qid),
772 		       (int)msg->hdr.type);
773 		ZCRYPT_DBF_ERR(
774 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
775 			__func__, AP_QID_CARD(zq->queue->qid),
776 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
777 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
778 		return -EAGAIN;
779 	}
780 }
781 
convert_response_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)782 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
783 				      struct ap_message *reply, struct ep11_urb *xcrb)
784 {
785 	struct type86_ep11_reply *msg = reply->msg;
786 
787 	switch (msg->hdr.type) {
788 	case TYPE82_RSP_CODE:
789 	case TYPE87_RSP_CODE:
790 		return convert_error(zq, reply);
791 	case TYPE86_RSP_CODE:
792 		if (msg->hdr.reply_code)
793 			return convert_error(zq, reply);
794 		if (msg->cprbx.cprb_ver_id == 0x04)
795 			return convert_type86_ep11_xcrb(userspace, zq, reply, xcrb);
796 		fallthrough;	/* wrong cprb version is an unknown resp */
797 	default: /* Unknown response type, this should NEVER EVER happen */
798 		zq->online = 0;
799 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
800 		       AP_QID_CARD(zq->queue->qid),
801 		       AP_QID_QUEUE(zq->queue->qid),
802 		       (int)msg->hdr.type);
803 		ZCRYPT_DBF_ERR(
804 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
805 			__func__, AP_QID_CARD(zq->queue->qid),
806 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
807 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
808 		return -EAGAIN;
809 	}
810 }
811 
convert_response_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * data)812 static int convert_response_rng(struct zcrypt_queue *zq,
813 				struct ap_message *reply,
814 				char *data)
815 {
816 	struct type86x_reply *msg = reply->msg;
817 
818 	switch (msg->hdr.type) {
819 	case TYPE82_RSP_CODE:
820 	case TYPE88_RSP_CODE:
821 		return -EINVAL;
822 	case TYPE86_RSP_CODE:
823 		if (msg->hdr.reply_code)
824 			return -EINVAL;
825 		if (msg->cprbx.cprb_ver_id == 0x02)
826 			return convert_type86_rng(zq, reply, data);
827 		fallthrough;	/* wrong cprb version is an unknown response */
828 	default: /* Unknown response type, this should NEVER EVER happen */
829 		zq->online = 0;
830 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
831 		       AP_QID_CARD(zq->queue->qid),
832 		       AP_QID_QUEUE(zq->queue->qid),
833 		       (int)msg->hdr.type);
834 		ZCRYPT_DBF_ERR(
835 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
836 			__func__, AP_QID_CARD(zq->queue->qid),
837 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
838 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
839 		return -EAGAIN;
840 	}
841 }
842 
843 /*
844  * This function is called from the AP bus code after a crypto request
845  * "msg" has finished with the reply message "reply".
846  * It is called from tasklet context.
847  * @aq: pointer to the AP queue
848  * @msg: pointer to the AP message
849  * @reply: pointer to the AP reply message
850  */
zcrypt_msgtype6_receive(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)851 static void zcrypt_msgtype6_receive(struct ap_queue *aq,
852 				    struct ap_message *msg,
853 				    struct ap_message *reply)
854 {
855 	static struct error_hdr error_reply = {
856 		.type = TYPE82_RSP_CODE,
857 		.reply_code = REP82_ERROR_MACHINE_FAILURE,
858 	};
859 	struct response_type *resp_type = msg->private;
860 	struct type86x_reply *t86r;
861 	int len;
862 
863 	/* Copy the reply message to the request message buffer. */
864 	if (!reply)
865 		goto out;	/* ap_msg->rc indicates the error */
866 	t86r = reply->msg;
867 	if (t86r->hdr.type == TYPE86_RSP_CODE &&
868 	    t86r->cprbx.cprb_ver_id == 0x02) {
869 		switch (resp_type->type) {
870 		case CEXXC_RESPONSE_TYPE_ICA:
871 			len = sizeof(struct type86x_reply) + t86r->length;
872 			if (len > reply->bufsize || len > msg->bufsize ||
873 			    len != reply->len) {
874 				pr_debug("len mismatch => EMSGSIZE\n");
875 				msg->rc = -EMSGSIZE;
876 				goto out;
877 			}
878 			memcpy(msg->msg, reply->msg, len);
879 			msg->len = len;
880 			break;
881 		case CEXXC_RESPONSE_TYPE_XCRB:
882 			if (t86r->fmt2.count2)
883 				len = t86r->fmt2.offset2 + t86r->fmt2.count2;
884 			else
885 				len = t86r->fmt2.offset1 + t86r->fmt2.count1;
886 			if (len > reply->bufsize || len > msg->bufsize ||
887 			    len != reply->len) {
888 				pr_debug("len mismatch => EMSGSIZE\n");
889 				msg->rc = -EMSGSIZE;
890 				goto out;
891 			}
892 			memcpy(msg->msg, reply->msg, len);
893 			msg->len = len;
894 			break;
895 		default:
896 			memcpy(msg->msg, &error_reply, sizeof(error_reply));
897 			msg->len = sizeof(error_reply);
898 		}
899 	} else {
900 		memcpy(msg->msg, reply->msg, sizeof(error_reply));
901 		msg->len = sizeof(error_reply);
902 	}
903 out:
904 	complete(&resp_type->work);
905 }
906 
907 /*
908  * This function is called from the AP bus code after a crypto request
909  * "msg" has finished with the reply message "reply".
910  * It is called from tasklet context.
911  * @aq: pointer to the AP queue
912  * @msg: pointer to the AP message
913  * @reply: pointer to the AP reply message
914  */
zcrypt_msgtype6_receive_ep11(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)915 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
916 					 struct ap_message *msg,
917 					 struct ap_message *reply)
918 {
919 	static struct error_hdr error_reply = {
920 		.type = TYPE82_RSP_CODE,
921 		.reply_code = REP82_ERROR_MACHINE_FAILURE,
922 	};
923 	struct response_type *resp_type = msg->private;
924 	struct type86_ep11_reply *t86r;
925 	int len;
926 
927 	/* Copy the reply message to the request message buffer. */
928 	if (!reply)
929 		goto out;	/* ap_msg->rc indicates the error */
930 	t86r = reply->msg;
931 	if (t86r->hdr.type == TYPE86_RSP_CODE &&
932 	    t86r->cprbx.cprb_ver_id == 0x04) {
933 		switch (resp_type->type) {
934 		case CEXXC_RESPONSE_TYPE_EP11:
935 			len = t86r->fmt2.offset1 + t86r->fmt2.count1;
936 			if (len > reply->bufsize || len > msg->bufsize ||
937 			    len != reply->len) {
938 				pr_debug("len mismatch => EMSGSIZE\n");
939 				msg->rc = -EMSGSIZE;
940 				goto out;
941 			}
942 			memcpy(msg->msg, reply->msg, len);
943 			msg->len = len;
944 			break;
945 		default:
946 			memcpy(msg->msg, &error_reply, sizeof(error_reply));
947 			msg->len = sizeof(error_reply);
948 		}
949 	} else {
950 		memcpy(msg->msg, reply->msg, sizeof(error_reply));
951 		msg->len = sizeof(error_reply);
952 	}
953 out:
954 	complete(&resp_type->work);
955 }
956 
957 static atomic_t zcrypt_step = ATOMIC_INIT(0);
958 
959 /*
960  * The request distributor calls this function if it picked the CEXxC
961  * device to handle a modexpo request.
962  * @zq: pointer to zcrypt_queue structure that identifies the
963  *	CEXxC device to the request distributor
964  * @mex: pointer to the modexpo request buffer
965  */
zcrypt_msgtype6_modexpo(struct zcrypt_queue * zq,struct ica_rsa_modexpo * mex,struct ap_message * ap_msg)966 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq,
967 				    struct ica_rsa_modexpo *mex,
968 				    struct ap_message *ap_msg)
969 {
970 	struct response_type resp_type = {
971 		.type = CEXXC_RESPONSE_TYPE_ICA,
972 	};
973 	int rc;
974 
975 	ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
976 	if (!ap_msg->msg)
977 		return -ENOMEM;
978 	ap_msg->bufsize = PAGE_SIZE;
979 	ap_msg->receive = zcrypt_msgtype6_receive;
980 	ap_msg->psmid = (((unsigned long)current->pid) << 32) +
981 		atomic_inc_return(&zcrypt_step);
982 	ap_msg->private = &resp_type;
983 	rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
984 	if (rc)
985 		goto out_free;
986 	init_completion(&resp_type.work);
987 	rc = ap_queue_message(zq->queue, ap_msg);
988 	if (rc)
989 		goto out_free;
990 	rc = wait_for_completion_interruptible(&resp_type.work);
991 	if (rc == 0) {
992 		rc = ap_msg->rc;
993 		if (rc == 0)
994 			rc = convert_response_ica(zq, ap_msg,
995 						  mex->outputdata,
996 						  mex->outputdatalength);
997 	} else {
998 		/* Signal pending. */
999 		ap_cancel_message(zq->queue, ap_msg);
1000 	}
1001 
1002 out_free:
1003 	free_page((unsigned long)ap_msg->msg);
1004 	ap_msg->private = NULL;
1005 	ap_msg->msg = NULL;
1006 	return rc;
1007 }
1008 
1009 /*
1010  * The request distributor calls this function if it picked the CEXxC
1011  * device to handle a modexpo_crt request.
1012  * @zq: pointer to zcrypt_queue structure that identifies the
1013  *	CEXxC device to the request distributor
1014  * @crt: pointer to the modexpoc_crt request buffer
1015  */
zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue * zq,struct ica_rsa_modexpo_crt * crt,struct ap_message * ap_msg)1016 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq,
1017 					struct ica_rsa_modexpo_crt *crt,
1018 					struct ap_message *ap_msg)
1019 {
1020 	struct response_type resp_type = {
1021 		.type = CEXXC_RESPONSE_TYPE_ICA,
1022 	};
1023 	int rc;
1024 
1025 	ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1026 	if (!ap_msg->msg)
1027 		return -ENOMEM;
1028 	ap_msg->bufsize = PAGE_SIZE;
1029 	ap_msg->receive = zcrypt_msgtype6_receive;
1030 	ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1031 		atomic_inc_return(&zcrypt_step);
1032 	ap_msg->private = &resp_type;
1033 	rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
1034 	if (rc)
1035 		goto out_free;
1036 	init_completion(&resp_type.work);
1037 	rc = ap_queue_message(zq->queue, ap_msg);
1038 	if (rc)
1039 		goto out_free;
1040 	rc = wait_for_completion_interruptible(&resp_type.work);
1041 	if (rc == 0) {
1042 		rc = ap_msg->rc;
1043 		if (rc == 0)
1044 			rc = convert_response_ica(zq, ap_msg,
1045 						  crt->outputdata,
1046 						  crt->outputdatalength);
1047 	} else {
1048 		/* Signal pending. */
1049 		ap_cancel_message(zq->queue, ap_msg);
1050 	}
1051 
1052 out_free:
1053 	free_page((unsigned long)ap_msg->msg);
1054 	ap_msg->private = NULL;
1055 	ap_msg->msg = NULL;
1056 	return rc;
1057 }
1058 
1059 /*
1060  * Prepare a CCA AP msg request.
1061  * Prepare a CCA AP msg: fetch the required data from userspace,
1062  * prepare the AP msg, fill some info into the ap_message struct,
1063  * extract some data from the CPRB and give back to the caller.
1064  * This function allocates memory and needs an ap_msg prepared
1065  * by the caller with ap_init_message(). Also the caller has to
1066  * make sure ap_release_message() is always called even on failure.
1067  */
prep_cca_ap_msg(bool userspace,struct ica_xcRB * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned short ** dom)1068 int prep_cca_ap_msg(bool userspace, struct ica_xcRB *xcrb,
1069 		    struct ap_message *ap_msg,
1070 		    unsigned int *func_code, unsigned short **dom)
1071 {
1072 	struct response_type resp_type = {
1073 		.type = CEXXC_RESPONSE_TYPE_XCRB,
1074 	};
1075 
1076 	ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1077 	ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1078 	if (!ap_msg->msg)
1079 		return -ENOMEM;
1080 	ap_msg->receive = zcrypt_msgtype6_receive;
1081 	ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1082 				atomic_inc_return(&zcrypt_step);
1083 	ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1084 	if (!ap_msg->private)
1085 		return -ENOMEM;
1086 	return xcrb_msg_to_type6cprb_msgx(userspace, ap_msg, xcrb, func_code, dom);
1087 }
1088 
1089 /*
1090  * The request distributor calls this function if it picked the CEXxC
1091  * device to handle a send_cprb request.
1092  * @zq: pointer to zcrypt_queue structure that identifies the
1093  *	CEXxC device to the request distributor
1094  * @xcrb: pointer to the send_cprb request buffer
1095  */
zcrypt_msgtype6_send_cprb(bool userspace,struct zcrypt_queue * zq,struct ica_xcRB * xcrb,struct ap_message * ap_msg)1096 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
1097 				      struct ica_xcRB *xcrb,
1098 				      struct ap_message *ap_msg)
1099 {
1100 	struct response_type *rtype = ap_msg->private;
1101 	struct {
1102 		struct type6_hdr hdr;
1103 		struct CPRBX cprbx;
1104 		/* ... more data blocks ... */
1105 	} __packed * msg = ap_msg->msg;
1106 	unsigned int max_payload_size;
1107 	int rc, delta;
1108 
1109 	/* calculate maximum payload for this card and msg type */
1110 	max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg);
1111 
1112 	/* limit each of the two from fields to the maximum payload size */
1113 	msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size);
1114 	msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size);
1115 
1116 	/* calculate delta if the sum of both exceeds max payload size */
1117 	delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2
1118 		- max_payload_size;
1119 	if (delta > 0) {
1120 		/*
1121 		 * Sum exceeds maximum payload size, prune fromcardlen1
1122 		 * (always trust fromcardlen2)
1123 		 */
1124 		if (delta > msg->hdr.fromcardlen1) {
1125 			rc = -EINVAL;
1126 			goto out;
1127 		}
1128 		msg->hdr.fromcardlen1 -= delta;
1129 	}
1130 
1131 	init_completion(&rtype->work);
1132 	rc = ap_queue_message(zq->queue, ap_msg);
1133 	if (rc)
1134 		goto out;
1135 	rc = wait_for_completion_interruptible(&rtype->work);
1136 	if (rc == 0) {
1137 		rc = ap_msg->rc;
1138 		if (rc == 0)
1139 			rc = convert_response_xcrb(userspace, zq, ap_msg, xcrb);
1140 	} else {
1141 		/* Signal pending. */
1142 		ap_cancel_message(zq->queue, ap_msg);
1143 	}
1144 
1145 	if (rc == -EAGAIN && ap_msg->flags & AP_MSG_FLAG_ADMIN)
1146 		rc = -EIO; /* do not retry administrative requests */
1147 
1148 out:
1149 	if (rc)
1150 		pr_debug("send cprb at dev=%02x.%04x rc=%d\n",
1151 			 AP_QID_CARD(zq->queue->qid),
1152 			 AP_QID_QUEUE(zq->queue->qid), rc);
1153 	return rc;
1154 }
1155 
1156 /*
1157  * Prepare an EP11 AP msg request.
1158  * Prepare an EP11 AP msg: fetch the required data from userspace,
1159  * prepare the AP msg, fill some info into the ap_message struct,
1160  * extract some data from the CPRB and give back to the caller.
1161  * This function allocates memory and needs an ap_msg prepared
1162  * by the caller with ap_init_message(). Also the caller has to
1163  * make sure ap_release_message() is always called even on failure.
1164  */
prep_ep11_ap_msg(bool userspace,struct ep11_urb * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned int * domain)1165 int prep_ep11_ap_msg(bool userspace, struct ep11_urb *xcrb,
1166 		     struct ap_message *ap_msg,
1167 		     unsigned int *func_code, unsigned int *domain)
1168 {
1169 	struct response_type resp_type = {
1170 		.type = CEXXC_RESPONSE_TYPE_EP11,
1171 	};
1172 
1173 	ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1174 	ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1175 	if (!ap_msg->msg)
1176 		return -ENOMEM;
1177 	ap_msg->receive = zcrypt_msgtype6_receive_ep11;
1178 	ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1179 				atomic_inc_return(&zcrypt_step);
1180 	ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1181 	if (!ap_msg->private)
1182 		return -ENOMEM;
1183 	return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb,
1184 					       func_code, domain);
1185 }
1186 
1187 /*
1188  * The request distributor calls this function if it picked the CEX4P
1189  * device to handle a send_ep11_cprb request.
1190  * @zq: pointer to zcrypt_queue structure that identifies the
1191  *	  CEX4P device to the request distributor
1192  * @xcrb: pointer to the ep11 user request block
1193  */
zcrypt_msgtype6_send_ep11_cprb(bool userspace,struct zcrypt_queue * zq,struct ep11_urb * xcrb,struct ap_message * ap_msg)1194 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq,
1195 					   struct ep11_urb *xcrb,
1196 					   struct ap_message *ap_msg)
1197 {
1198 	int rc;
1199 	unsigned int lfmt;
1200 	struct response_type *rtype = ap_msg->private;
1201 	struct {
1202 		struct type6_hdr hdr;
1203 		struct ep11_cprb cprbx;
1204 		unsigned char	pld_tag;	/* fixed value 0x30 */
1205 		unsigned char	pld_lenfmt;	/* payload length format */
1206 	} __packed * msg = ap_msg->msg;
1207 	struct pld_hdr {
1208 		unsigned char	func_tag;	/* fixed value 0x4 */
1209 		unsigned char	func_len;	/* fixed value 0x4 */
1210 		unsigned int	func_val;	/* function ID	   */
1211 		unsigned char	dom_tag;	/* fixed value 0x4 */
1212 		unsigned char	dom_len;	/* fixed value 0x4 */
1213 		unsigned int	dom_val;	/* domain id	   */
1214 	} __packed * payload_hdr = NULL;
1215 
1216 	/*
1217 	 * The target domain field within the cprb body/payload block will be
1218 	 * replaced by the usage domain for non-management commands only.
1219 	 * Therefore we check the first bit of the 'flags' parameter for
1220 	 * management command indication.
1221 	 *   0 - non management command
1222 	 *   1 - management command
1223 	 */
1224 	if (!((msg->cprbx.flags & 0x80) == 0x80)) {
1225 		msg->cprbx.target_id = (unsigned int)
1226 					AP_QID_QUEUE(zq->queue->qid);
1227 
1228 		if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
1229 			switch (msg->pld_lenfmt & 0x03) {
1230 			case 1:
1231 				lfmt = 2;
1232 				break;
1233 			case 2:
1234 				lfmt = 3;
1235 				break;
1236 			default:
1237 				return -EINVAL;
1238 			}
1239 		} else {
1240 			lfmt = 1; /* length format #1 */
1241 		}
1242 		payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
1243 		payload_hdr->dom_val = (unsigned int)
1244 					AP_QID_QUEUE(zq->queue->qid);
1245 	}
1246 
1247 	/*
1248 	 * Set the queue's reply buffer length minus the two prepend headers
1249 	 * as reply limit for the card firmware.
1250 	 */
1251 	msg->hdr.fromcardlen1 = zq->reply.bufsize -
1252 		sizeof(struct type86_hdr) - sizeof(struct type86_fmt2_ext);
1253 
1254 	init_completion(&rtype->work);
1255 	rc = ap_queue_message(zq->queue, ap_msg);
1256 	if (rc)
1257 		goto out;
1258 	rc = wait_for_completion_interruptible(&rtype->work);
1259 	if (rc == 0) {
1260 		rc = ap_msg->rc;
1261 		if (rc == 0)
1262 			rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb);
1263 	} else {
1264 		/* Signal pending. */
1265 		ap_cancel_message(zq->queue, ap_msg);
1266 	}
1267 
1268 	if (rc == -EAGAIN && ap_msg->flags & AP_MSG_FLAG_ADMIN)
1269 		rc = -EIO; /* do not retry administrative requests */
1270 
1271 out:
1272 	if (rc)
1273 		pr_debug("send cprb at dev=%02x.%04x rc=%d\n",
1274 			 AP_QID_CARD(zq->queue->qid),
1275 			 AP_QID_QUEUE(zq->queue->qid), rc);
1276 	return rc;
1277 }
1278 
prep_rng_ap_msg(struct ap_message * ap_msg,int * func_code,unsigned int * domain)1279 int prep_rng_ap_msg(struct ap_message *ap_msg, int *func_code,
1280 		    unsigned int *domain)
1281 {
1282 	struct response_type resp_type = {
1283 		.type = CEXXC_RESPONSE_TYPE_XCRB,
1284 	};
1285 
1286 	ap_msg->bufsize = AP_DEFAULT_MAX_MSG_SIZE;
1287 	ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1288 	if (!ap_msg->msg)
1289 		return -ENOMEM;
1290 	ap_msg->receive = zcrypt_msgtype6_receive;
1291 	ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1292 				atomic_inc_return(&zcrypt_step);
1293 	ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1294 	if (!ap_msg->private)
1295 		return -ENOMEM;
1296 
1297 	rng_type6cprb_msgx(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain);
1298 
1299 	*func_code = HWRNG;
1300 	return 0;
1301 }
1302 
1303 /*
1304  * The request distributor calls this function if it picked the CEXxC
1305  * device to generate random data.
1306  * @zq: pointer to zcrypt_queue structure that identifies the
1307  *	CEXxC device to the request distributor
1308  * @buffer: pointer to a memory page to return random data
1309  */
zcrypt_msgtype6_rng(struct zcrypt_queue * zq,char * buffer,struct ap_message * ap_msg)1310 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
1311 				char *buffer, struct ap_message *ap_msg)
1312 {
1313 	struct {
1314 		struct type6_hdr hdr;
1315 		struct CPRBX cprbx;
1316 		char function_code[2];
1317 		short int rule_length;
1318 		char rule[8];
1319 		short int verb_length;
1320 		short int key_length;
1321 	} __packed * msg = ap_msg->msg;
1322 	struct response_type *rtype = ap_msg->private;
1323 	int rc;
1324 
1325 	msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1326 
1327 	init_completion(&rtype->work);
1328 	rc = ap_queue_message(zq->queue, ap_msg);
1329 	if (rc)
1330 		goto out;
1331 	rc = wait_for_completion_interruptible(&rtype->work);
1332 	if (rc == 0) {
1333 		rc = ap_msg->rc;
1334 		if (rc == 0)
1335 			rc = convert_response_rng(zq, ap_msg, buffer);
1336 	} else {
1337 		/* Signal pending. */
1338 		ap_cancel_message(zq->queue, ap_msg);
1339 	}
1340 out:
1341 	return rc;
1342 }
1343 
1344 /*
1345  * The crypto operations for a CEXxC card.
1346  */
1347 
1348 static struct zcrypt_ops zcrypt_msgtype6_ops = {
1349 	.owner = THIS_MODULE,
1350 	.name = MSGTYPE06_NAME,
1351 	.variant = MSGTYPE06_VARIANT_DEFAULT,
1352 	.rsa_modexpo = zcrypt_msgtype6_modexpo,
1353 	.rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1354 	.send_cprb = zcrypt_msgtype6_send_cprb,
1355 	.rng = zcrypt_msgtype6_rng,
1356 };
1357 
1358 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = {
1359 	.owner = THIS_MODULE,
1360 	.name = MSGTYPE06_NAME,
1361 	.variant = MSGTYPE06_VARIANT_EP11,
1362 	.rsa_modexpo = NULL,
1363 	.rsa_modexpo_crt = NULL,
1364 	.send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb,
1365 };
1366 
zcrypt_msgtype6_init(void)1367 void __init zcrypt_msgtype6_init(void)
1368 {
1369 	zcrypt_msgtype_register(&zcrypt_msgtype6_ops);
1370 	zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops);
1371 }
1372 
zcrypt_msgtype6_exit(void)1373 void __exit zcrypt_msgtype6_exit(void)
1374 {
1375 	zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops);
1376 	zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops);
1377 }
1378