1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright IBM Corp. 2001, 2023
4 * Author(s): Robert Burroughs
5 * Eric Rossman (edrossma@us.ibm.com)
6 *
7 * Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com)
8 * Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com>
9 * Ralph Wuerthner <rwuerthn@de.ibm.com>
10 * MSGTYPE restruct: Holger Dengler <hd@linux.vnet.ibm.com>
11 */
12
13 #define pr_fmt(fmt) "zcrypt: " fmt
14
15 #include <linux/module.h>
16 #include <linux/init.h>
17 #include <linux/err.h>
18 #include <linux/delay.h>
19 #include <linux/slab.h>
20 #include <linux/atomic.h>
21 #include <linux/uaccess.h>
22
23 #include "ap_bus.h"
24 #include "zcrypt_api.h"
25 #include "zcrypt_error.h"
26 #include "zcrypt_msgtype6.h"
27 #include "zcrypt_cca_key.h"
28
29 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */
30
31 #define CEIL4(x) ((((x) + 3) / 4) * 4)
32
33 #define CEXXC_RESPONSE_TYPE_ICA 0
34 #define CEXXC_RESPONSE_TYPE_XCRB 1
35 #define CEXXC_RESPONSE_TYPE_EP11 2
36
37 MODULE_AUTHOR("IBM Corporation");
38 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \
39 "Copyright IBM Corp. 2001, 2023");
40 MODULE_LICENSE("GPL");
41
42 struct function_and_rules_block {
43 unsigned char function_code[2];
44 unsigned short ulen;
45 unsigned char only_rule[8];
46 } __packed;
47
48 /*
49 * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP
50 * card in a type6 message. The 3 fields that must be filled in at execution
51 * time are req_parml, rpl_parml and usage_domain.
52 * Everything about this interface is ascii/big-endian, since the
53 * device does *not* have 'Intel inside'.
54 *
55 * The CPRBX is followed immediately by the parm block.
56 * The parm block contains:
57 * - function code ('PD' 0x5044 or 'PK' 0x504B)
58 * - rule block (one of:)
59 * + 0x000A 'PKCS-1.2' (MCL2 'PD')
60 * + 0x000A 'ZERO-PAD' (MCL2 'PK')
61 * + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD')
62 * + 0x000A 'MRP ' (MCL3 'PK' or CEX2C 'PK')
63 * - VUD block
64 */
65 static const struct CPRBX static_cprbx = {
66 .cprb_len = 0x00DC,
67 .cprb_ver_id = 0x02,
68 .func_id = {'T', '2'},
69 };
70
speed_idx_cca(int req_type)71 int speed_idx_cca(int req_type)
72 {
73 switch (req_type) {
74 case 0x4142:
75 case 0x4149:
76 case 0x414D:
77 case 0x4341:
78 case 0x4344:
79 case 0x4354:
80 case 0x4358:
81 case 0x444B:
82 case 0x4558:
83 case 0x4643:
84 case 0x4651:
85 case 0x4C47:
86 case 0x4C4B:
87 case 0x4C51:
88 case 0x4F48:
89 case 0x504F:
90 case 0x5053:
91 case 0x5058:
92 case 0x5343:
93 case 0x5344:
94 case 0x5345:
95 case 0x5350:
96 return LOW;
97 case 0x414B:
98 case 0x4345:
99 case 0x4349:
100 case 0x434D:
101 case 0x4847:
102 case 0x4849:
103 case 0x484D:
104 case 0x4850:
105 case 0x4851:
106 case 0x4954:
107 case 0x4958:
108 case 0x4B43:
109 case 0x4B44:
110 case 0x4B45:
111 case 0x4B47:
112 case 0x4B48:
113 case 0x4B49:
114 case 0x4B4E:
115 case 0x4B50:
116 case 0x4B52:
117 case 0x4B54:
118 case 0x4B58:
119 case 0x4D50:
120 case 0x4D53:
121 case 0x4D56:
122 case 0x4D58:
123 case 0x5044:
124 case 0x5045:
125 case 0x5046:
126 case 0x5047:
127 case 0x5049:
128 case 0x504B:
129 case 0x504D:
130 case 0x5254:
131 case 0x5347:
132 case 0x5349:
133 case 0x534B:
134 case 0x534D:
135 case 0x5356:
136 case 0x5358:
137 case 0x5443:
138 case 0x544B:
139 case 0x5647:
140 return HIGH;
141 default:
142 return MEDIUM;
143 }
144 }
145
speed_idx_ep11(int req_type)146 int speed_idx_ep11(int req_type)
147 {
148 switch (req_type) {
149 case 1:
150 case 2:
151 case 36:
152 case 37:
153 case 38:
154 case 39:
155 case 40:
156 return LOW;
157 case 17:
158 case 18:
159 case 19:
160 case 20:
161 case 21:
162 case 22:
163 case 26:
164 case 30:
165 case 31:
166 case 32:
167 case 33:
168 case 34:
169 case 35:
170 return HIGH;
171 default:
172 return MEDIUM;
173 }
174 }
175
176 /*
177 * Convert a ICAMEX message to a type6 MEX message.
178 *
179 * @zq: crypto device pointer
180 * @ap_msg: pointer to AP message
181 * @mex: pointer to user input data
182 *
183 * Returns 0 on success or negative errno value.
184 */
icamex_msg_to_type6mex_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo * mex)185 static int icamex_msg_to_type6mex_msgx(struct zcrypt_queue *zq,
186 struct ap_message *ap_msg,
187 struct ica_rsa_modexpo *mex)
188 {
189 static struct type6_hdr static_type6_hdrX = {
190 .type = 0x06,
191 .offset1 = 0x00000058,
192 .agent_id = {'C', 'A',},
193 .function_code = {'P', 'K'},
194 };
195 static struct function_and_rules_block static_pke_fnr = {
196 .function_code = {'P', 'K'},
197 .ulen = 10,
198 .only_rule = {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '}
199 };
200 struct {
201 struct type6_hdr hdr;
202 struct CPRBX cprbx;
203 struct function_and_rules_block fr;
204 unsigned short length;
205 char text[];
206 } __packed * msg = ap_msg->msg;
207 int size;
208
209 /*
210 * The inputdatalength was a selection criteria in the dispatching
211 * function zcrypt_rsa_modexpo(). However, make sure the following
212 * copy_from_user() never exceeds the allocated buffer space.
213 */
214 if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
215 return -EINVAL;
216
217 /* VUD.ciphertext */
218 msg->length = mex->inputdatalength + 2;
219 if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
220 return -EFAULT;
221
222 /* Set up key which is located after the variable length text. */
223 size = zcrypt_type6_mex_key_en(mex, msg->text + mex->inputdatalength);
224 if (size < 0)
225 return size;
226 size += sizeof(*msg) + mex->inputdatalength;
227
228 /* message header, cprbx and f&r */
229 msg->hdr = static_type6_hdrX;
230 msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
231 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
232
233 msg->cprbx = static_cprbx;
234 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
235 msg->cprbx.rpl_msgbl = msg->hdr.fromcardlen1;
236
237 msg->fr = static_pke_fnr;
238
239 msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx);
240
241 ap_msg->len = size;
242 return 0;
243 }
244
245 /*
246 * Convert a ICACRT message to a type6 CRT message.
247 *
248 * @zq: crypto device pointer
249 * @ap_msg: pointer to AP message
250 * @crt: pointer to user input data
251 *
252 * Returns 0 on success or negative errno value.
253 */
icacrt_msg_to_type6crt_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo_crt * crt)254 static int icacrt_msg_to_type6crt_msgx(struct zcrypt_queue *zq,
255 struct ap_message *ap_msg,
256 struct ica_rsa_modexpo_crt *crt)
257 {
258 static struct type6_hdr static_type6_hdrX = {
259 .type = 0x06,
260 .offset1 = 0x00000058,
261 .agent_id = {'C', 'A',},
262 .function_code = {'P', 'D'},
263 };
264 static struct function_and_rules_block static_pkd_fnr = {
265 .function_code = {'P', 'D'},
266 .ulen = 10,
267 .only_rule = {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'}
268 };
269
270 struct {
271 struct type6_hdr hdr;
272 struct CPRBX cprbx;
273 struct function_and_rules_block fr;
274 unsigned short length;
275 char text[];
276 } __packed * msg = ap_msg->msg;
277 int size;
278
279 /*
280 * The inputdatalength was a selection criteria in the dispatching
281 * function zcrypt_rsa_crt(). However, make sure the following
282 * copy_from_user() never exceeds the allocated buffer space.
283 */
284 if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
285 return -EINVAL;
286
287 /* VUD.ciphertext */
288 msg->length = crt->inputdatalength + 2;
289 if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))
290 return -EFAULT;
291
292 /* Set up key which is located after the variable length text. */
293 size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength);
294 if (size < 0)
295 return size;
296 size += sizeof(*msg) + crt->inputdatalength; /* total size of msg */
297
298 /* message header, cprbx and f&r */
299 msg->hdr = static_type6_hdrX;
300 msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
301 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
302
303 msg->cprbx = static_cprbx;
304 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
305 msg->cprbx.req_parml = msg->cprbx.rpl_msgbl =
306 size - sizeof(msg->hdr) - sizeof(msg->cprbx);
307
308 msg->fr = static_pkd_fnr;
309
310 ap_msg->len = size;
311 return 0;
312 }
313
314 /*
315 * Convert a XCRB message to a type6 CPRB message.
316 *
317 * @zq: crypto device pointer
318 * @ap_msg: pointer to AP message
319 * @xcRB: pointer to user input data
320 *
321 * Returns 0 on success or -EFAULT, -EINVAL.
322 */
323 struct type86_fmt2_msg {
324 struct type86_hdr hdr;
325 struct type86_fmt2_ext fmt2;
326 } __packed;
327
xcrb_msg_to_type6cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ica_xcRB * xcrb,unsigned int * fcode,unsigned int * domain)328 static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg,
329 struct ica_xcRB *xcrb,
330 unsigned int *fcode,
331 unsigned int *domain)
332 {
333 static struct type6_hdr static_type6_hdrX = {
334 .type = 0x06,
335 .offset1 = 0x00000058,
336 };
337 struct {
338 struct type6_hdr hdr;
339 union {
340 struct CPRBX cprbx;
341 DECLARE_FLEX_ARRAY(u8, userdata);
342 };
343 } __packed * msg = ap_msg->msg;
344
345 int rcblen = CEIL4(xcrb->request_control_blk_length);
346 int req_sumlen, resp_sumlen;
347 char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen;
348 char *function_code;
349
350 if (CEIL4(xcrb->request_control_blk_length) <
351 xcrb->request_control_blk_length)
352 return -EINVAL; /* overflow after alignment*/
353
354 /* length checks */
355 ap_msg->len = sizeof(struct type6_hdr) +
356 CEIL4(xcrb->request_control_blk_length) +
357 xcrb->request_data_length;
358 if (ap_msg->len > ap_msg->bufsize)
359 return -EINVAL;
360
361 /*
362 * Overflow check
363 * sum must be greater (or equal) than the largest operand
364 */
365 req_sumlen = CEIL4(xcrb->request_control_blk_length) +
366 xcrb->request_data_length;
367 if ((CEIL4(xcrb->request_control_blk_length) <=
368 xcrb->request_data_length) ?
369 req_sumlen < xcrb->request_data_length :
370 req_sumlen < CEIL4(xcrb->request_control_blk_length)) {
371 return -EINVAL;
372 }
373
374 if (CEIL4(xcrb->reply_control_blk_length) <
375 xcrb->reply_control_blk_length)
376 return -EINVAL; /* overflow after alignment*/
377
378 /*
379 * Overflow check
380 * sum must be greater (or equal) than the largest operand
381 */
382 resp_sumlen = CEIL4(xcrb->reply_control_blk_length) +
383 xcrb->reply_data_length;
384 if ((CEIL4(xcrb->reply_control_blk_length) <=
385 xcrb->reply_data_length) ?
386 resp_sumlen < xcrb->reply_data_length :
387 resp_sumlen < CEIL4(xcrb->reply_control_blk_length)) {
388 return -EINVAL;
389 }
390
391 /* prepare type6 header */
392 msg->hdr = static_type6_hdrX;
393 memcpy(msg->hdr.agent_id, &xcrb->agent_ID, sizeof(xcrb->agent_ID));
394 msg->hdr.tocardlen1 = xcrb->request_control_blk_length;
395 if (xcrb->request_data_length) {
396 msg->hdr.offset2 = msg->hdr.offset1 + rcblen;
397 msg->hdr.tocardlen2 = xcrb->request_data_length;
398 }
399 msg->hdr.fromcardlen1 = xcrb->reply_control_blk_length;
400 msg->hdr.fromcardlen2 = xcrb->reply_data_length;
401
402 /* prepare CPRB */
403 if (z_copy_from_user(userspace, msg->userdata,
404 xcrb->request_control_blk_addr,
405 xcrb->request_control_blk_length))
406 return -EFAULT;
407 if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) >
408 xcrb->request_control_blk_length)
409 return -EINVAL;
410 function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len;
411 memcpy(msg->hdr.function_code, function_code,
412 sizeof(msg->hdr.function_code));
413
414 *fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1];
415 if (domain)
416 *domain = msg->cprbx.domain;
417
418 /* check subfunction, US and AU need special flag with NQAP */
419 if (memcmp(function_code, "US", 2) == 0 ||
420 memcmp(function_code, "AU", 2) == 0)
421 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
422
423 /* check CPRB minor version, set info bits in ap_message flag field */
424 switch (*(unsigned short *)(&msg->cprbx.func_id[0])) {
425 case 0x5432: /* "T2" */
426 ap_msg->flags |= AP_MSG_FLAG_USAGE;
427 break;
428 case 0x5433: /* "T3" */
429 case 0x5435: /* "T5" */
430 case 0x5436: /* "T6" */
431 case 0x5437: /* "T7" */
432 ap_msg->flags |= AP_MSG_FLAG_ADMIN;
433 break;
434 default:
435 pr_debug("unknown CPRB minor version '%c%c'\n",
436 msg->cprbx.func_id[0], msg->cprbx.func_id[1]);
437 }
438
439 /* copy data block */
440 if (xcrb->request_data_length &&
441 z_copy_from_user(userspace, req_data, xcrb->request_data_address,
442 xcrb->request_data_length))
443 return -EFAULT;
444
445 return 0;
446 }
447
xcrb_msg_to_type6_ep11cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ep11_urb * xcrb,unsigned int * fcode,unsigned int * domain)448 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg,
449 struct ep11_urb *xcrb,
450 unsigned int *fcode,
451 unsigned int *domain)
452 {
453 unsigned int lfmt;
454 static struct type6_hdr static_type6_ep11_hdr = {
455 .type = 0x06,
456 .rqid = {0x00, 0x01},
457 .function_code = {0x00, 0x00},
458 .agent_id = {'X', 'C'},
459 .offset1 = 0x00000058,
460 };
461
462 struct {
463 struct type6_hdr hdr;
464 union {
465 struct {
466 struct ep11_cprb cprbx;
467 unsigned char pld_tag; /* fixed value 0x30 */
468 unsigned char pld_lenfmt; /* length format */
469 } __packed;
470 DECLARE_FLEX_ARRAY(u8, userdata);
471 };
472 } __packed * msg = ap_msg->msg;
473
474 struct pld_hdr {
475 unsigned char func_tag; /* fixed value 0x4 */
476 unsigned char func_len; /* fixed value 0x4 */
477 unsigned int func_val; /* function ID */
478 unsigned char dom_tag; /* fixed value 0x4 */
479 unsigned char dom_len; /* fixed value 0x4 */
480 unsigned int dom_val; /* domain id */
481 } __packed * payload_hdr = NULL;
482
483 if (CEIL4(xcrb->req_len) < xcrb->req_len)
484 return -EINVAL; /* overflow after alignment*/
485
486 /* length checks */
487 ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcrb->req_len);
488 if (ap_msg->len > ap_msg->bufsize)
489 return -EINVAL;
490
491 if (CEIL4(xcrb->resp_len) < xcrb->resp_len)
492 return -EINVAL; /* overflow after alignment*/
493
494 /* prepare type6 header */
495 msg->hdr = static_type6_ep11_hdr;
496 msg->hdr.tocardlen1 = xcrb->req_len;
497 msg->hdr.fromcardlen1 = xcrb->resp_len;
498
499 /* Import CPRB data from the ioctl input parameter */
500 if (z_copy_from_user(userspace, msg->userdata,
501 (char __force __user *)xcrb->req, xcrb->req_len)) {
502 return -EFAULT;
503 }
504
505 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
506 switch (msg->pld_lenfmt & 0x03) {
507 case 1:
508 lfmt = 2;
509 break;
510 case 2:
511 lfmt = 3;
512 break;
513 default:
514 return -EINVAL;
515 }
516 } else {
517 lfmt = 1; /* length format #1 */
518 }
519 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
520 *fcode = payload_hdr->func_val & 0xFFFF;
521
522 /* enable special processing based on the cprbs flags special bit */
523 if (msg->cprbx.flags & 0x20)
524 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
525
526 /* set info bits in ap_message flag field */
527 if (msg->cprbx.flags & 0x80)
528 ap_msg->flags |= AP_MSG_FLAG_ADMIN;
529 else
530 ap_msg->flags |= AP_MSG_FLAG_USAGE;
531
532 if (domain)
533 *domain = msg->cprbx.target_id;
534
535 return 0;
536 }
537
538 /*
539 * Copy results from a type 86 ICA reply message back to user space.
540 *
541 * @zq: crypto device pointer
542 * @reply: reply AP message.
543 * @data: pointer to user output data
544 * @length: size of user output data
545 *
546 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
547 */
548 struct type86x_reply {
549 struct type86_hdr hdr;
550 struct type86_fmt2_ext fmt2;
551 struct CPRBX cprbx;
552 unsigned char pad[4]; /* 4 byte function code/rules block ? */
553 unsigned short length; /* length of data including length field size */
554 char data[];
555 } __packed;
556
557 struct type86_ep11_reply {
558 struct type86_hdr hdr;
559 struct type86_fmt2_ext fmt2;
560 struct ep11_cprb cprbx;
561 } __packed;
562
convert_type86_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)563 static int convert_type86_ica(struct zcrypt_queue *zq,
564 struct ap_message *reply,
565 char __user *outputdata,
566 unsigned int outputdatalength)
567 {
568 struct type86x_reply *msg = reply->msg;
569 unsigned short service_rc, service_rs;
570 unsigned int data_len;
571
572 service_rc = msg->cprbx.ccp_rtcode;
573 if (unlikely(service_rc != 0)) {
574 service_rs = msg->cprbx.ccp_rscode;
575 if ((service_rc == 8 && service_rs == 66) ||
576 (service_rc == 8 && service_rs == 65) ||
577 (service_rc == 8 && service_rs == 72) ||
578 (service_rc == 8 && service_rs == 770) ||
579 (service_rc == 12 && service_rs == 769)) {
580 ZCRYPT_DBF_WARN("%s dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n",
581 __func__, AP_QID_CARD(zq->queue->qid),
582 AP_QID_QUEUE(zq->queue->qid),
583 (int)service_rc, (int)service_rs);
584 return -EINVAL;
585 }
586 zq->online = 0;
587 pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n",
588 AP_QID_CARD(zq->queue->qid),
589 AP_QID_QUEUE(zq->queue->qid),
590 (int)service_rc, (int)service_rs);
591 ZCRYPT_DBF_ERR("%s dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n",
592 __func__, AP_QID_CARD(zq->queue->qid),
593 AP_QID_QUEUE(zq->queue->qid),
594 (int)service_rc, (int)service_rs);
595 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
596 return -EAGAIN;
597 }
598 data_len = msg->length - sizeof(msg->length);
599 if (data_len > outputdatalength)
600 return -EMSGSIZE;
601
602 /* Copy the crypto response to user space. */
603 if (copy_to_user(outputdata, msg->data, data_len))
604 return -EFAULT;
605 return 0;
606 }
607
608 /*
609 * Copy results from a type 86 XCRB reply message back to user space.
610 *
611 * @zq: crypto device pointer
612 * @reply: reply AP message.
613 * @xcrb: pointer to XCRB
614 *
615 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
616 */
convert_type86_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)617 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq,
618 struct ap_message *reply,
619 struct ica_xcRB *xcrb)
620 {
621 struct type86_fmt2_msg *msg = reply->msg;
622 char *data = reply->msg;
623
624 /* Copy CPRB to user */
625 if (xcrb->reply_control_blk_length < msg->fmt2.count1) {
626 pr_debug("reply_control_blk_length %u < required %u => EMSGSIZE\n",
627 xcrb->reply_control_blk_length, msg->fmt2.count1);
628 return -EMSGSIZE;
629 }
630 if (z_copy_to_user(userspace, xcrb->reply_control_blk_addr,
631 data + msg->fmt2.offset1, msg->fmt2.count1))
632 return -EFAULT;
633 xcrb->reply_control_blk_length = msg->fmt2.count1;
634
635 /* Copy data buffer to user */
636 if (msg->fmt2.count2) {
637 if (xcrb->reply_data_length < msg->fmt2.count2) {
638 pr_debug("reply_data_length %u < required %u => EMSGSIZE\n",
639 xcrb->reply_data_length, msg->fmt2.count2);
640 return -EMSGSIZE;
641 }
642 if (z_copy_to_user(userspace, xcrb->reply_data_addr,
643 data + msg->fmt2.offset2, msg->fmt2.count2))
644 return -EFAULT;
645 }
646 xcrb->reply_data_length = msg->fmt2.count2;
647
648 return 0;
649 }
650
651 /*
652 * Copy results from a type 86 EP11 XCRB reply message back to user space.
653 *
654 * @zq: crypto device pointer
655 * @reply: reply AP message.
656 * @xcrb: pointer to EP11 user request block
657 *
658 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
659 */
convert_type86_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)660 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
661 struct ap_message *reply,
662 struct ep11_urb *xcrb)
663 {
664 struct type86_fmt2_msg *msg = reply->msg;
665 char *data = reply->msg;
666
667 if (xcrb->resp_len < msg->fmt2.count1) {
668 pr_debug("resp_len %u < required %u => EMSGSIZE\n",
669 (unsigned int)xcrb->resp_len, msg->fmt2.count1);
670 return -EMSGSIZE;
671 }
672
673 /* Copy response CPRB to user */
674 if (z_copy_to_user(userspace, (char __force __user *)xcrb->resp,
675 data + msg->fmt2.offset1, msg->fmt2.count1))
676 return -EFAULT;
677 xcrb->resp_len = msg->fmt2.count1;
678 return 0;
679 }
680
convert_type86_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * buffer)681 static int convert_type86_rng(struct zcrypt_queue *zq,
682 struct ap_message *reply,
683 char *buffer)
684 {
685 struct {
686 struct type86_hdr hdr;
687 struct type86_fmt2_ext fmt2;
688 struct CPRBX cprbx;
689 } __packed * msg = reply->msg;
690 char *data = reply->msg;
691
692 if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0)
693 return -EINVAL;
694 memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2);
695 return msg->fmt2.count2;
696 }
697
convert_response_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)698 static int convert_response_ica(struct zcrypt_queue *zq,
699 struct ap_message *reply,
700 char __user *outputdata,
701 unsigned int outputdatalength)
702 {
703 struct type86x_reply *msg = reply->msg;
704
705 switch (msg->hdr.type) {
706 case TYPE82_RSP_CODE:
707 case TYPE88_RSP_CODE:
708 return convert_error(zq, reply);
709 case TYPE86_RSP_CODE:
710 if (msg->cprbx.ccp_rtcode &&
711 msg->cprbx.ccp_rscode == 0x14f &&
712 outputdatalength > 256) {
713 if (zq->zcard->max_exp_bit_length <= 17) {
714 zq->zcard->max_exp_bit_length = 17;
715 return -EAGAIN;
716 } else {
717 return -EINVAL;
718 }
719 }
720 if (msg->hdr.reply_code)
721 return convert_error(zq, reply);
722 if (msg->cprbx.cprb_ver_id == 0x02)
723 return convert_type86_ica(zq, reply,
724 outputdata, outputdatalength);
725 fallthrough; /* wrong cprb version is an unknown response */
726 default:
727 /* Unknown response type, this should NEVER EVER happen */
728 zq->online = 0;
729 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
730 AP_QID_CARD(zq->queue->qid),
731 AP_QID_QUEUE(zq->queue->qid),
732 (int)msg->hdr.type);
733 ZCRYPT_DBF_ERR(
734 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
735 __func__, AP_QID_CARD(zq->queue->qid),
736 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
737 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
738 return -EAGAIN;
739 }
740 }
741
convert_response_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)742 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq,
743 struct ap_message *reply,
744 struct ica_xcRB *xcrb)
745 {
746 struct type86x_reply *msg = reply->msg;
747
748 switch (msg->hdr.type) {
749 case TYPE82_RSP_CODE:
750 case TYPE88_RSP_CODE:
751 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
752 return convert_error(zq, reply);
753 case TYPE86_RSP_CODE:
754 if (msg->hdr.reply_code) {
755 xcrb->status = msg->fmt2.apfs;
756 return convert_error(zq, reply);
757 }
758 if (msg->cprbx.cprb_ver_id == 0x02)
759 return convert_type86_xcrb(userspace, zq, reply, xcrb);
760 fallthrough; /* wrong cprb version is an unknown response */
761 default: /* Unknown response type, this should NEVER EVER happen */
762 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
763 zq->online = 0;
764 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
765 AP_QID_CARD(zq->queue->qid),
766 AP_QID_QUEUE(zq->queue->qid),
767 (int)msg->hdr.type);
768 ZCRYPT_DBF_ERR(
769 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
770 __func__, AP_QID_CARD(zq->queue->qid),
771 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
772 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
773 return -EAGAIN;
774 }
775 }
776
convert_response_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)777 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
778 struct ap_message *reply, struct ep11_urb *xcrb)
779 {
780 struct type86_ep11_reply *msg = reply->msg;
781
782 switch (msg->hdr.type) {
783 case TYPE82_RSP_CODE:
784 case TYPE87_RSP_CODE:
785 return convert_error(zq, reply);
786 case TYPE86_RSP_CODE:
787 if (msg->hdr.reply_code)
788 return convert_error(zq, reply);
789 if (msg->cprbx.cprb_ver_id == 0x04)
790 return convert_type86_ep11_xcrb(userspace, zq, reply, xcrb);
791 fallthrough; /* wrong cprb version is an unknown resp */
792 default: /* Unknown response type, this should NEVER EVER happen */
793 zq->online = 0;
794 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
795 AP_QID_CARD(zq->queue->qid),
796 AP_QID_QUEUE(zq->queue->qid),
797 (int)msg->hdr.type);
798 ZCRYPT_DBF_ERR(
799 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
800 __func__, AP_QID_CARD(zq->queue->qid),
801 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
802 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
803 return -EAGAIN;
804 }
805 }
806
convert_response_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * data)807 static int convert_response_rng(struct zcrypt_queue *zq,
808 struct ap_message *reply,
809 char *data)
810 {
811 struct type86x_reply *msg = reply->msg;
812
813 switch (msg->hdr.type) {
814 case TYPE82_RSP_CODE:
815 case TYPE88_RSP_CODE:
816 return -EINVAL;
817 case TYPE86_RSP_CODE:
818 if (msg->hdr.reply_code)
819 return -EINVAL;
820 if (msg->cprbx.cprb_ver_id == 0x02)
821 return convert_type86_rng(zq, reply, data);
822 fallthrough; /* wrong cprb version is an unknown response */
823 default: /* Unknown response type, this should NEVER EVER happen */
824 zq->online = 0;
825 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
826 AP_QID_CARD(zq->queue->qid),
827 AP_QID_QUEUE(zq->queue->qid),
828 (int)msg->hdr.type);
829 ZCRYPT_DBF_ERR(
830 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
831 __func__, AP_QID_CARD(zq->queue->qid),
832 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
833 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
834 return -EAGAIN;
835 }
836 }
837
838 /*
839 * This function is called from the AP bus code after a crypto request
840 * "msg" has finished with the reply message "reply".
841 * It is called from tasklet context.
842 * @aq: pointer to the AP queue
843 * @msg: pointer to the AP message
844 * @reply: pointer to the AP reply message
845 */
zcrypt_msgtype6_receive(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)846 static void zcrypt_msgtype6_receive(struct ap_queue *aq,
847 struct ap_message *msg,
848 struct ap_message *reply)
849 {
850 static struct error_hdr error_reply = {
851 .type = TYPE82_RSP_CODE,
852 .reply_code = REP82_ERROR_MACHINE_FAILURE,
853 };
854 struct ap_response_type *resp_type = &msg->response;
855 struct type86x_reply *t86r;
856 int len;
857
858 /* Copy the reply message to the request message buffer. */
859 if (!reply)
860 goto out; /* ap_msg->rc indicates the error */
861 t86r = reply->msg;
862 if (t86r->hdr.type == TYPE86_RSP_CODE &&
863 t86r->cprbx.cprb_ver_id == 0x02) {
864 switch (resp_type->type) {
865 case CEXXC_RESPONSE_TYPE_ICA:
866 len = sizeof(struct type86x_reply) + t86r->length;
867 if (len > reply->bufsize || len > msg->bufsize ||
868 len != reply->len) {
869 pr_debug("len mismatch => EMSGSIZE\n");
870 msg->rc = -EMSGSIZE;
871 goto out;
872 }
873 memcpy(msg->msg, reply->msg, len);
874 msg->len = len;
875 break;
876 case CEXXC_RESPONSE_TYPE_XCRB:
877 if (t86r->fmt2.count2)
878 len = t86r->fmt2.offset2 + t86r->fmt2.count2;
879 else
880 len = t86r->fmt2.offset1 + t86r->fmt2.count1;
881 if (len > reply->bufsize || len > msg->bufsize ||
882 len != reply->len) {
883 pr_debug("len mismatch => EMSGSIZE\n");
884 msg->rc = -EMSGSIZE;
885 goto out;
886 }
887 memcpy(msg->msg, reply->msg, len);
888 msg->len = len;
889 break;
890 default:
891 memcpy(msg->msg, &error_reply, sizeof(error_reply));
892 msg->len = sizeof(error_reply);
893 }
894 } else {
895 memcpy(msg->msg, reply->msg, sizeof(error_reply));
896 msg->len = sizeof(error_reply);
897 }
898 out:
899 complete(&resp_type->work);
900 }
901
902 /*
903 * This function is called from the AP bus code after a crypto request
904 * "msg" has finished with the reply message "reply".
905 * It is called from tasklet context.
906 * @aq: pointer to the AP queue
907 * @msg: pointer to the AP message
908 * @reply: pointer to the AP reply message
909 */
zcrypt_msgtype6_receive_ep11(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)910 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
911 struct ap_message *msg,
912 struct ap_message *reply)
913 {
914 static struct error_hdr error_reply = {
915 .type = TYPE82_RSP_CODE,
916 .reply_code = REP82_ERROR_MACHINE_FAILURE,
917 };
918 struct ap_response_type *resp_type = &msg->response;
919 struct type86_ep11_reply *t86r;
920 int len;
921
922 /* Copy the reply message to the request message buffer. */
923 if (!reply)
924 goto out; /* ap_msg->rc indicates the error */
925 t86r = reply->msg;
926 if (t86r->hdr.type == TYPE86_RSP_CODE &&
927 t86r->cprbx.cprb_ver_id == 0x04) {
928 switch (resp_type->type) {
929 case CEXXC_RESPONSE_TYPE_EP11:
930 len = t86r->fmt2.offset1 + t86r->fmt2.count1;
931 if (len > reply->bufsize || len > msg->bufsize ||
932 len != reply->len) {
933 pr_debug("len mismatch => EMSGSIZE\n");
934 msg->rc = -EMSGSIZE;
935 goto out;
936 }
937 memcpy(msg->msg, reply->msg, len);
938 msg->len = len;
939 break;
940 default:
941 memcpy(msg->msg, &error_reply, sizeof(error_reply));
942 msg->len = sizeof(error_reply);
943 }
944 } else {
945 memcpy(msg->msg, reply->msg, sizeof(error_reply));
946 msg->len = sizeof(error_reply);
947 }
948 out:
949 complete(&resp_type->work);
950 }
951
952 static atomic_t zcrypt_step = ATOMIC_INIT(0);
953
954 /*
955 * The request distributor calls this function if it picked the CEXxC
956 * device to handle a modexpo request.
957 * This function assumes that ap_msg has been initialized with
958 * ap_init_apmsg() and thus a valid buffer with the size of
959 * ap_msg->bufsize is available within ap_msg. Also the caller has
960 * to make sure ap_release_apmsg() is always called even on failure.
961 * @zq: pointer to zcrypt_queue structure that identifies the
962 * CEXxC device to the request distributor
963 * @mex: pointer to the modexpo request buffer
964 */
zcrypt_msgtype6_modexpo(struct zcrypt_queue * zq,struct ica_rsa_modexpo * mex,struct ap_message * ap_msg)965 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq,
966 struct ica_rsa_modexpo *mex,
967 struct ap_message *ap_msg)
968 {
969 struct ap_response_type *resp_type = &ap_msg->response;
970 int rc;
971
972 ap_msg->receive = zcrypt_msgtype6_receive;
973 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
974 atomic_inc_return(&zcrypt_step);
975 rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
976 if (rc)
977 goto out;
978 resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
979 init_completion(&resp_type->work);
980 rc = ap_queue_message(zq->queue, ap_msg);
981 if (rc)
982 goto out;
983 rc = wait_for_completion_interruptible(&resp_type->work);
984 if (rc == 0) {
985 rc = ap_msg->rc;
986 if (rc == 0)
987 rc = convert_response_ica(zq, ap_msg,
988 mex->outputdata,
989 mex->outputdatalength);
990 } else {
991 /* Signal pending. */
992 ap_cancel_message(zq->queue, ap_msg);
993 }
994
995 out:
996 return rc;
997 }
998
999 /*
1000 * The request distributor calls this function if it picked the CEXxC
1001 * device to handle a modexpo_crt request.
1002 * This function assumes that ap_msg has been initialized with
1003 * ap_init_apmsg() and thus a valid buffer with the size of
1004 * ap_msg->bufsize is available within ap_msg. Also the caller has
1005 * to make sure ap_release_apmsg() is always called even on failure.
1006 * @zq: pointer to zcrypt_queue structure that identifies the
1007 * CEXxC device to the request distributor
1008 * @crt: pointer to the modexpoc_crt request buffer
1009 */
zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue * zq,struct ica_rsa_modexpo_crt * crt,struct ap_message * ap_msg)1010 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq,
1011 struct ica_rsa_modexpo_crt *crt,
1012 struct ap_message *ap_msg)
1013 {
1014 struct ap_response_type *resp_type = &ap_msg->response;
1015 int rc;
1016
1017 ap_msg->receive = zcrypt_msgtype6_receive;
1018 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1019 atomic_inc_return(&zcrypt_step);
1020 rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
1021 if (rc)
1022 goto out;
1023 resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
1024 init_completion(&resp_type->work);
1025 rc = ap_queue_message(zq->queue, ap_msg);
1026 if (rc)
1027 goto out;
1028 rc = wait_for_completion_interruptible(&resp_type->work);
1029 if (rc == 0) {
1030 rc = ap_msg->rc;
1031 if (rc == 0)
1032 rc = convert_response_ica(zq, ap_msg,
1033 crt->outputdata,
1034 crt->outputdatalength);
1035 } else {
1036 /* Signal pending. */
1037 ap_cancel_message(zq->queue, ap_msg);
1038 }
1039
1040 out:
1041 return rc;
1042 }
1043
1044 /*
1045 * Prepare a CCA AP msg request.
1046 * Prepare a CCA AP msg: fetch the required data from userspace,
1047 * prepare the AP msg, fill some info into the ap_message struct,
1048 * extract some data from the CPRB and give back to the caller.
1049 * This function assumes that ap_msg has been initialized with
1050 * ap_init_apmsg() and thus a valid buffer with the size of
1051 * ap_msg->bufsize is available within ap_msg. Also the caller has
1052 * to make sure ap_release_apmsg() is always called even on failure.
1053 */
prep_cca_ap_msg(bool userspace,struct ica_xcRB * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned int * domain)1054 int prep_cca_ap_msg(bool userspace, struct ica_xcRB *xcrb,
1055 struct ap_message *ap_msg,
1056 unsigned int *func_code, unsigned int *domain)
1057 {
1058 struct ap_response_type *resp_type = &ap_msg->response;
1059
1060 ap_msg->receive = zcrypt_msgtype6_receive;
1061 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1062 atomic_inc_return(&zcrypt_step);
1063 resp_type->type = CEXXC_RESPONSE_TYPE_XCRB;
1064 return xcrb_msg_to_type6cprb_msgx(userspace, ap_msg,
1065 xcrb, func_code, domain);
1066 }
1067
1068 /*
1069 * The request distributor calls this function if it picked the CEXxC
1070 * device to handle a send_cprb request.
1071 * @zq: pointer to zcrypt_queue structure that identifies the
1072 * CEXxC device to the request distributor
1073 * @xcrb: pointer to the send_cprb request buffer
1074 */
zcrypt_msgtype6_send_cprb(bool userspace,struct zcrypt_queue * zq,struct ica_xcRB * xcrb,struct ap_message * ap_msg)1075 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
1076 struct ica_xcRB *xcrb,
1077 struct ap_message *ap_msg)
1078 {
1079 struct ap_response_type *resp_type = &ap_msg->response;
1080 struct {
1081 struct type6_hdr hdr;
1082 struct CPRBX cprbx;
1083 /* ... more data blocks ... */
1084 } __packed * msg = ap_msg->msg;
1085 unsigned int max_payload_size;
1086 int rc, delta;
1087
1088 /* calculate maximum payload for this card and msg type */
1089 max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg);
1090
1091 /* limit each of the two from fields to the maximum payload size */
1092 msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size);
1093 msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size);
1094
1095 /* calculate delta if the sum of both exceeds max payload size */
1096 delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2
1097 - max_payload_size;
1098 if (delta > 0) {
1099 /*
1100 * Sum exceeds maximum payload size, prune fromcardlen1
1101 * (always trust fromcardlen2)
1102 */
1103 if (delta > msg->hdr.fromcardlen1) {
1104 rc = -EINVAL;
1105 goto out;
1106 }
1107 msg->hdr.fromcardlen1 -= delta;
1108 }
1109
1110 /* update domain field within the CPRB struct */
1111 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1112
1113 init_completion(&resp_type->work);
1114 rc = ap_queue_message(zq->queue, ap_msg);
1115 if (rc)
1116 goto out;
1117 rc = wait_for_completion_interruptible(&resp_type->work);
1118 if (rc == 0) {
1119 rc = ap_msg->rc;
1120 if (rc == 0)
1121 rc = convert_response_xcrb(userspace, zq, ap_msg, xcrb);
1122 } else {
1123 /* Signal pending. */
1124 ap_cancel_message(zq->queue, ap_msg);
1125 }
1126
1127 if (rc == -EAGAIN && ap_msg->flags & AP_MSG_FLAG_ADMIN)
1128 rc = -EIO; /* do not retry administrative requests */
1129
1130 out:
1131 if (rc)
1132 pr_debug("send cprb at dev=%02x.%04x rc=%d\n",
1133 AP_QID_CARD(zq->queue->qid),
1134 AP_QID_QUEUE(zq->queue->qid), rc);
1135 return rc;
1136 }
1137
1138 /*
1139 * Prepare an EP11 AP msg request.
1140 * Prepare an EP11 AP msg: fetch the required data from userspace,
1141 * prepare the AP msg, fill some info into the ap_message struct,
1142 * extract some data from the CPRB and give back to the caller.
1143 * This function assumes that ap_msg has been initialized with
1144 * ap_init_apmsg() and thus a valid buffer with the size of
1145 * ap_msg->bufsize is available within ap_msg. Also the caller has
1146 * to make sure ap_release_apmsg() is always called even on failure.
1147 */
prep_ep11_ap_msg(bool userspace,struct ep11_urb * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned int * domain)1148 int prep_ep11_ap_msg(bool userspace, struct ep11_urb *xcrb,
1149 struct ap_message *ap_msg,
1150 unsigned int *func_code, unsigned int *domain)
1151 {
1152 struct ap_response_type *resp_type = &ap_msg->response;
1153
1154 ap_msg->receive = zcrypt_msgtype6_receive_ep11;
1155 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1156 atomic_inc_return(&zcrypt_step);
1157 resp_type->type = CEXXC_RESPONSE_TYPE_EP11;
1158 return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb,
1159 func_code, domain);
1160 }
1161
1162 /*
1163 * The request distributor calls this function if it picked the CEX4P
1164 * device to handle a send_ep11_cprb request.
1165 * @zq: pointer to zcrypt_queue structure that identifies the
1166 * CEX4P device to the request distributor
1167 * @xcrb: pointer to the ep11 user request block
1168 */
zcrypt_msgtype6_send_ep11_cprb(bool userspace,struct zcrypt_queue * zq,struct ep11_urb * xcrb,struct ap_message * ap_msg)1169 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq,
1170 struct ep11_urb *xcrb,
1171 struct ap_message *ap_msg)
1172 {
1173 int rc;
1174 unsigned int lfmt;
1175 struct ap_response_type *resp_type = &ap_msg->response;
1176 struct {
1177 struct type6_hdr hdr;
1178 struct ep11_cprb cprbx;
1179 unsigned char pld_tag; /* fixed value 0x30 */
1180 unsigned char pld_lenfmt; /* payload length format */
1181 } __packed * msg = ap_msg->msg;
1182 struct pld_hdr {
1183 unsigned char func_tag; /* fixed value 0x4 */
1184 unsigned char func_len; /* fixed value 0x4 */
1185 unsigned int func_val; /* function ID */
1186 unsigned char dom_tag; /* fixed value 0x4 */
1187 unsigned char dom_len; /* fixed value 0x4 */
1188 unsigned int dom_val; /* domain id */
1189 } __packed * payload_hdr = NULL;
1190
1191 /*
1192 * The target domain field within the cprb body/payload block will be
1193 * replaced by the usage domain for non-management commands only.
1194 * Therefore we check the first bit of the 'flags' parameter for
1195 * management command indication.
1196 * 0 - non management command
1197 * 1 - management command
1198 */
1199 if (!((msg->cprbx.flags & 0x80) == 0x80)) {
1200 msg->cprbx.target_id = (unsigned int)
1201 AP_QID_QUEUE(zq->queue->qid);
1202
1203 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
1204 switch (msg->pld_lenfmt & 0x03) {
1205 case 1:
1206 lfmt = 2;
1207 break;
1208 case 2:
1209 lfmt = 3;
1210 break;
1211 default:
1212 return -EINVAL;
1213 }
1214 } else {
1215 lfmt = 1; /* length format #1 */
1216 }
1217 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
1218 payload_hdr->dom_val = AP_QID_QUEUE(zq->queue->qid);
1219 }
1220
1221 /*
1222 * Set the queue's reply buffer length minus the two prepend headers
1223 * as reply limit for the card firmware.
1224 */
1225 msg->hdr.fromcardlen1 = zq->reply.bufsize -
1226 sizeof(struct type86_hdr) - sizeof(struct type86_fmt2_ext);
1227
1228 init_completion(&resp_type->work);
1229 rc = ap_queue_message(zq->queue, ap_msg);
1230 if (rc)
1231 goto out;
1232 rc = wait_for_completion_interruptible(&resp_type->work);
1233 if (rc == 0) {
1234 rc = ap_msg->rc;
1235 if (rc == 0)
1236 rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb);
1237 } else {
1238 /* Signal pending. */
1239 ap_cancel_message(zq->queue, ap_msg);
1240 }
1241
1242 if (rc == -EAGAIN && ap_msg->flags & AP_MSG_FLAG_ADMIN)
1243 rc = -EIO; /* do not retry administrative requests */
1244
1245 out:
1246 if (rc)
1247 pr_debug("send cprb at dev=%02x.%04x rc=%d\n",
1248 AP_QID_CARD(zq->queue->qid),
1249 AP_QID_QUEUE(zq->queue->qid), rc);
1250 return rc;
1251 }
1252
1253 /*
1254 * Prepare a type6 CPRB message for random number generation
1255 *
1256 * @ap_dev: AP device pointer
1257 * @ap_msg: pointer to AP message
1258 */
rng_type6cprb_msgx(struct ap_message * ap_msg,unsigned int random_number_length,unsigned int * domain)1259 static inline void rng_type6cprb_msgx(struct ap_message *ap_msg,
1260 unsigned int random_number_length,
1261 unsigned int *domain)
1262 {
1263 struct {
1264 struct type6_hdr hdr;
1265 struct CPRBX cprbx;
1266 char function_code[2];
1267 short int rule_length;
1268 char rule[8];
1269 short int verb_length;
1270 short int key_length;
1271 } __packed * msg = ap_msg->msg;
1272 static struct type6_hdr static_type6_hdrX = {
1273 .type = 0x06,
1274 .offset1 = 0x00000058,
1275 .agent_id = {'C', 'A'},
1276 .function_code = {'R', 'L'},
1277 .tocardlen1 = sizeof(*msg) - sizeof(msg->hdr),
1278 .fromcardlen1 = sizeof(*msg) - sizeof(msg->hdr),
1279 };
1280 static struct CPRBX local_cprbx = {
1281 .cprb_len = 0x00dc,
1282 .cprb_ver_id = 0x02,
1283 .func_id = {'T', '2'},
1284 .req_parml = sizeof(*msg) - sizeof(msg->hdr) -
1285 sizeof(msg->cprbx),
1286 .rpl_msgbl = sizeof(*msg) - sizeof(msg->hdr),
1287 };
1288
1289 msg->hdr = static_type6_hdrX;
1290 msg->hdr.fromcardlen2 = random_number_length;
1291 msg->cprbx = local_cprbx;
1292 msg->cprbx.rpl_datal = random_number_length;
1293 memcpy(msg->function_code, msg->hdr.function_code, 0x02);
1294 msg->rule_length = 0x0a;
1295 memcpy(msg->rule, "RANDOM ", 8);
1296 msg->verb_length = 0x02;
1297 msg->key_length = 0x02;
1298 ap_msg->len = sizeof(*msg);
1299 if (domain)
1300 *domain = msg->cprbx.domain;
1301 }
1302
1303 /*
1304 * Prepare a CEXXC get random request ap message.
1305 * This function assumes that ap_msg has been initialized with
1306 * ap_init_apmsg() and thus a valid buffer with the size of
1307 * ap_max_msg_size is available within ap_msg. Also the caller has
1308 * to make sure ap_release_apmsg() is always called even on failure.
1309 */
prep_rng_ap_msg(struct ap_message * ap_msg,int * func_code,unsigned int * domain)1310 int prep_rng_ap_msg(struct ap_message *ap_msg, int *func_code,
1311 unsigned int *domain)
1312 {
1313 struct ap_response_type *resp_type = &ap_msg->response;
1314
1315 if (ap_msg->bufsize < AP_DEFAULT_MAX_MSG_SIZE)
1316 return -EMSGSIZE;
1317 ap_msg->receive = zcrypt_msgtype6_receive;
1318 ap_msg->psmid = (((unsigned long)current->pid) << 32) +
1319 atomic_inc_return(&zcrypt_step);
1320
1321 resp_type->type = CEXXC_RESPONSE_TYPE_XCRB;
1322
1323 rng_type6cprb_msgx(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain);
1324
1325 *func_code = HWRNG;
1326 return 0;
1327 }
1328
1329 /*
1330 * The request distributor calls this function if it picked the CEXxC
1331 * device to generate random data.
1332 * @zq: pointer to zcrypt_queue structure that identifies the
1333 * CEXxC device to the request distributor
1334 * @buffer: pointer to a memory page to return random data
1335 */
zcrypt_msgtype6_rng(struct zcrypt_queue * zq,char * buffer,struct ap_message * ap_msg)1336 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
1337 char *buffer, struct ap_message *ap_msg)
1338 {
1339 struct {
1340 struct type6_hdr hdr;
1341 struct CPRBX cprbx;
1342 char function_code[2];
1343 short int rule_length;
1344 char rule[8];
1345 short int verb_length;
1346 short int key_length;
1347 } __packed * msg = ap_msg->msg;
1348 struct ap_response_type *resp_type = &ap_msg->response;
1349 int rc;
1350
1351 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1352
1353 init_completion(&resp_type->work);
1354 rc = ap_queue_message(zq->queue, ap_msg);
1355 if (rc)
1356 goto out;
1357 rc = wait_for_completion_interruptible(&resp_type->work);
1358 if (rc == 0) {
1359 rc = ap_msg->rc;
1360 if (rc == 0)
1361 rc = convert_response_rng(zq, ap_msg, buffer);
1362 } else {
1363 /* Signal pending. */
1364 ap_cancel_message(zq->queue, ap_msg);
1365 }
1366 out:
1367 return rc;
1368 }
1369
1370 /*
1371 * The crypto operations for a CEXxC card.
1372 */
1373
1374 static struct zcrypt_ops zcrypt_msgtype6_ops = {
1375 .owner = THIS_MODULE,
1376 .name = MSGTYPE06_NAME,
1377 .variant = MSGTYPE06_VARIANT_DEFAULT,
1378 .rsa_modexpo = zcrypt_msgtype6_modexpo,
1379 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1380 .send_cprb = zcrypt_msgtype6_send_cprb,
1381 .rng = zcrypt_msgtype6_rng,
1382 };
1383
1384 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = {
1385 .owner = THIS_MODULE,
1386 .name = MSGTYPE06_NAME,
1387 .variant = MSGTYPE06_VARIANT_EP11,
1388 .rsa_modexpo = NULL,
1389 .rsa_modexpo_crt = NULL,
1390 .send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb,
1391 };
1392
zcrypt_msgtype6_init(void)1393 void __init zcrypt_msgtype6_init(void)
1394 {
1395 zcrypt_msgtype_register(&zcrypt_msgtype6_ops);
1396 zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops);
1397 }
1398
zcrypt_msgtype6_exit(void)1399 void __exit zcrypt_msgtype6_exit(void)
1400 {
1401 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops);
1402 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops);
1403 }
1404