xref: /linux/arch/s390/include/uapi/asm/pkey.h (revision 3a39d672e7f48b8d6b91a09afa4b55352773b4b5)
1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2 /*
3  * Userspace interface to the pkey device driver
4  *
5  * Copyright IBM Corp. 2017, 2023
6  *
7  * Author: Harald Freudenberger <freude@de.ibm.com>
8  *
9  */
10 
11 #ifndef _UAPI_PKEY_H
12 #define _UAPI_PKEY_H
13 
14 #include <linux/ioctl.h>
15 #include <linux/types.h>
16 
17 /*
18  * Ioctl calls supported by the pkey device driver
19  */
20 
21 #define PKEY_IOCTL_MAGIC 'p'
22 
23 #define SECKEYBLOBSIZE	64	   /* secure key blob size is always 64 bytes */
24 #define PROTKEYBLOBSIZE 80	/* protected key blob size is always 80 bytes */
25 #define MAXPROTKEYSIZE	64	/* a protected key blob may be up to 64 bytes */
26 #define MAXCLRKEYSIZE	32	   /* a clear key value may be up to 32 bytes */
27 #define MAXAESCIPHERKEYSIZE 136  /* our aes cipher keys have always 136 bytes */
28 #define MINEP11AESKEYBLOBSIZE 256  /* min EP11 AES key blob size  */
29 #define MAXEP11AESKEYBLOBSIZE 336  /* max EP11 AES key blob size */
30 
31 /* Minimum size of a key blob */
32 #define MINKEYBLOBSIZE	SECKEYBLOBSIZE
33 
34 /* defines for the type field within the pkey_protkey struct */
35 #define PKEY_KEYTYPE_AES_128		1
36 #define PKEY_KEYTYPE_AES_192		2
37 #define PKEY_KEYTYPE_AES_256		3
38 #define PKEY_KEYTYPE_ECC		4
39 #define PKEY_KEYTYPE_ECC_P256		5
40 #define PKEY_KEYTYPE_ECC_P384		6
41 #define PKEY_KEYTYPE_ECC_P521		7
42 #define PKEY_KEYTYPE_ECC_ED25519	8
43 #define PKEY_KEYTYPE_ECC_ED448		9
44 #define PKEY_KEYTYPE_AES_XTS_128	10
45 #define PKEY_KEYTYPE_AES_XTS_256	11
46 #define PKEY_KEYTYPE_HMAC_512		12
47 #define PKEY_KEYTYPE_HMAC_1024		13
48 
49 /* the newer ioctls use a pkey_key_type enum for type information */
50 enum pkey_key_type {
51 	PKEY_TYPE_CCA_DATA   = (__u32) 1,
52 	PKEY_TYPE_CCA_CIPHER = (__u32) 2,
53 	PKEY_TYPE_EP11	     = (__u32) 3,
54 	PKEY_TYPE_CCA_ECC    = (__u32) 0x1f,
55 	PKEY_TYPE_EP11_AES   = (__u32) 6,
56 	PKEY_TYPE_EP11_ECC   = (__u32) 7,
57 	PKEY_TYPE_PROTKEY    = (__u32) 8,
58 };
59 
60 /* the newer ioctls use a pkey_key_size enum for key size information */
61 enum pkey_key_size {
62 	PKEY_SIZE_AES_128 = (__u32) 128,
63 	PKEY_SIZE_AES_192 = (__u32) 192,
64 	PKEY_SIZE_AES_256 = (__u32) 256,
65 	PKEY_SIZE_UNKNOWN = (__u32) 0xFFFFFFFF,
66 };
67 
68 /* some of the newer ioctls use these flags */
69 #define PKEY_FLAGS_MATCH_CUR_MKVP  0x00000002
70 #define PKEY_FLAGS_MATCH_ALT_MKVP  0x00000004
71 
72 /* keygenflags defines for CCA AES cipher keys */
73 #define PKEY_KEYGEN_XPRT_SYM  0x00008000
74 #define PKEY_KEYGEN_XPRT_UASY 0x00004000
75 #define PKEY_KEYGEN_XPRT_AASY 0x00002000
76 #define PKEY_KEYGEN_XPRT_RAW  0x00001000
77 #define PKEY_KEYGEN_XPRT_CPAC 0x00000800
78 #define PKEY_KEYGEN_XPRT_DES  0x00000080
79 #define PKEY_KEYGEN_XPRT_AES  0x00000040
80 #define PKEY_KEYGEN_XPRT_RSA  0x00000008
81 
82 /* Struct to hold apqn target info (card/domain pair) */
83 struct pkey_apqn {
84 	__u16 card;
85 	__u16 domain;
86 };
87 
88 /* Struct to hold a CCA AES secure key blob */
89 struct pkey_seckey {
90 	__u8  seckey[SECKEYBLOBSIZE];		  /* the secure key blob */
91 };
92 
93 /* Struct to hold protected key and length info */
94 struct pkey_protkey {
95 	__u32 type;	 /* key type, one of the PKEY_KEYTYPE_AES values */
96 	__u32 len;		/* bytes actually stored in protkey[]	 */
97 	__u8  protkey[MAXPROTKEYSIZE];	       /* the protected key blob */
98 };
99 
100 /* Struct to hold an AES clear key value */
101 struct pkey_clrkey {
102 	__u8  clrkey[MAXCLRKEYSIZE]; /* 16, 24, or 32 byte clear key value */
103 };
104 
105 /*
106  * EP11 key blobs of type PKEY_TYPE_EP11_AES and PKEY_TYPE_EP11_ECC
107  * are ep11 blobs prepended by this header:
108  */
109 struct ep11kblob_header {
110 	__u8  type;	/* always 0x00 */
111 	__u8  hver;	/* header version,  currently needs to be 0x00 */
112 	__u16 len;	/* total length in bytes (including this header) */
113 	__u8  version;	/* PKEY_TYPE_EP11_AES or PKEY_TYPE_EP11_ECC */
114 	__u8  res0;	/* unused */
115 	__u16 bitlen;	/* clear key bit len, 0 for unknown */
116 	__u8  res1[8];	/* unused */
117 } __packed;
118 
119 /*
120  * Generate CCA AES secure key.
121  */
122 struct pkey_genseck {
123 	__u16 cardnr;		    /* in: card to use or FFFF for any	 */
124 	__u16 domain;		    /* in: domain or FFFF for any	 */
125 	__u32 keytype;		    /* in: key type to generate		 */
126 	struct pkey_seckey seckey;  /* out: the secure key blob		 */
127 };
128 #define PKEY_GENSECK _IOWR(PKEY_IOCTL_MAGIC, 0x01, struct pkey_genseck)
129 
130 /*
131  * Construct CCA AES secure key from clear key value
132  */
133 struct pkey_clr2seck {
134 	__u16 cardnr;		    /* in: card to use or FFFF for any	 */
135 	__u16 domain;		    /* in: domain or FFFF for any	 */
136 	__u32 keytype;		    /* in: key type to generate		 */
137 	struct pkey_clrkey clrkey;  /* in: the clear key value		 */
138 	struct pkey_seckey seckey;  /* out: the secure key blob		 */
139 };
140 #define PKEY_CLR2SECK _IOWR(PKEY_IOCTL_MAGIC, 0x02, struct pkey_clr2seck)
141 
142 /*
143  * Fabricate AES protected key from a CCA AES secure key
144  */
145 struct pkey_sec2protk {
146 	__u16 cardnr;		     /* in: card to use or FFFF for any   */
147 	__u16 domain;		     /* in: domain or FFFF for any	  */
148 	struct pkey_seckey seckey;   /* in: the secure key blob		  */
149 	struct pkey_protkey protkey; /* out: the protected key		  */
150 };
151 #define PKEY_SEC2PROTK _IOWR(PKEY_IOCTL_MAGIC, 0x03, struct pkey_sec2protk)
152 
153 /*
154  * Fabricate AES protected key from clear key value
155  */
156 struct pkey_clr2protk {
157 	__u32 keytype;		     /* in: key type to generate	  */
158 	struct pkey_clrkey clrkey;   /* in: the clear key value		  */
159 	struct pkey_protkey protkey; /* out: the protected key		  */
160 };
161 #define PKEY_CLR2PROTK _IOWR(PKEY_IOCTL_MAGIC, 0x04, struct pkey_clr2protk)
162 
163 /*
164  * Search for matching crypto card based on the Master Key
165  * Verification Pattern provided inside a CCA AES secure key.
166  */
167 struct pkey_findcard {
168 	struct pkey_seckey seckey;	       /* in: the secure key blob */
169 	__u16  cardnr;			       /* out: card number	  */
170 	__u16  domain;			       /* out: domain number	  */
171 };
172 #define PKEY_FINDCARD _IOWR(PKEY_IOCTL_MAGIC, 0x05, struct pkey_findcard)
173 
174 /*
175  * Combined together: findcard + sec2prot
176  */
177 struct pkey_skey2pkey {
178 	struct pkey_seckey seckey;   /* in: the secure key blob		  */
179 	struct pkey_protkey protkey; /* out: the protected key		  */
180 };
181 #define PKEY_SKEY2PKEY _IOWR(PKEY_IOCTL_MAGIC, 0x06, struct pkey_skey2pkey)
182 
183 /*
184  * Verify the given CCA AES secure key for being able to be usable with
185  * the pkey module. Check for correct key type and check for having at
186  * least one crypto card being able to handle this key (master key
187  * or old master key verification pattern matches).
188  * Return some info about the key: keysize in bits, keytype (currently
189  * only AES), flag if key is wrapped with an old MKVP.
190  */
191 struct pkey_verifykey {
192 	struct pkey_seckey seckey;	       /* in: the secure key blob */
193 	__u16  cardnr;			       /* out: card number	  */
194 	__u16  domain;			       /* out: domain number	  */
195 	__u16  keysize;			       /* out: key size in bits   */
196 	__u32  attributes;		       /* out: attribute bits	  */
197 };
198 #define PKEY_VERIFYKEY _IOWR(PKEY_IOCTL_MAGIC, 0x07, struct pkey_verifykey)
199 #define PKEY_VERIFY_ATTR_AES	   0x00000001  /* key is an AES key */
200 #define PKEY_VERIFY_ATTR_OLD_MKVP  0x00000100  /* key has old MKVP value */
201 
202 /*
203  * Generate AES random protected key.
204  */
205 struct pkey_genprotk {
206 	__u32 keytype;			       /* in: key type to generate */
207 	struct pkey_protkey protkey;	       /* out: the protected key   */
208 };
209 
210 #define PKEY_GENPROTK _IOWR(PKEY_IOCTL_MAGIC, 0x08, struct pkey_genprotk)
211 
212 /*
213  * Verify an AES protected key.
214  */
215 struct pkey_verifyprotk {
216 	struct pkey_protkey protkey;	/* in: the protected key to verify */
217 };
218 
219 #define PKEY_VERIFYPROTK _IOW(PKEY_IOCTL_MAGIC, 0x09, struct pkey_verifyprotk)
220 
221 /*
222  * Transform an key blob (of any type) into a protected key
223  */
224 struct pkey_kblob2pkey {
225 	__u8 __user *key;		/* in: the key blob	   */
226 	__u32 keylen;			/* in: the key blob length */
227 	struct pkey_protkey protkey;	/* out: the protected key  */
228 };
229 #define PKEY_KBLOB2PROTK _IOWR(PKEY_IOCTL_MAGIC, 0x0A, struct pkey_kblob2pkey)
230 
231 /*
232  * Generate secure key, version 2.
233  * Generate CCA AES secure key, CCA AES cipher key or EP11 AES secure key.
234  * There needs to be a list of apqns given with at least one entry in there.
235  * All apqns in the list need to be exact apqns, 0xFFFF as ANY card or domain
236  * is not supported. The implementation walks through the list of apqns and
237  * tries to send the request to each apqn without any further checking (like
238  * card type or online state). If the apqn fails, simple the next one in the
239  * list is tried until success (return 0) or the end of the list is reached
240  * (return -1 with errno ENODEV). You may use the PKEY_APQNS4KT ioctl to
241  * generate a list of apqns based on the key type to generate.
242  * The keygenflags argument is passed to the low level generation functions
243  * individual for the key type and has a key type specific meaning. When
244  * generating CCA cipher keys you can use one or more of the PKEY_KEYGEN_*
245  * flags to widen the export possibilities. By default a cipher key is
246  * only exportable for CPACF (PKEY_KEYGEN_XPRT_CPAC).
247  * The keygenflag argument for generating an EP11 AES key should either be 0
248  * to use the defaults which are XCP_BLOB_ENCRYPT, XCP_BLOB_DECRYPT and
249  * XCP_BLOB_PROTKEY_EXTRACTABLE or a valid combination of XCP_BLOB_* flags.
250  */
251 struct pkey_genseck2 {
252 	struct pkey_apqn __user *apqns; /* in: ptr to list of apqn targets*/
253 	__u32 apqn_entries;	    /* in: # of apqn target list entries  */
254 	enum pkey_key_type type;    /* in: key type to generate		  */
255 	enum pkey_key_size size;    /* in: key size to generate		  */
256 	__u32 keygenflags;	    /* in: key generation flags		  */
257 	__u8 __user *key;	    /* in: pointer to key blob buffer	  */
258 	__u32 keylen;		    /* in: available key blob buffer size */
259 				    /* out: actual key blob size	  */
260 };
261 #define PKEY_GENSECK2 _IOWR(PKEY_IOCTL_MAGIC, 0x11, struct pkey_genseck2)
262 
263 /*
264  * Generate secure key from clear key value, version 2.
265  * Construct an CCA AES secure key, CCA AES cipher key or EP11 AES secure
266  * key from a given clear key value.
267  * There needs to be a list of apqns given with at least one entry in there.
268  * All apqns in the list need to be exact apqns, 0xFFFF as ANY card or domain
269  * is not supported. The implementation walks through the list of apqns and
270  * tries to send the request to each apqn without any further checking (like
271  * card type or online state). If the apqn fails, simple the next one in the
272  * list is tried until success (return 0) or the end of the list is reached
273  * (return -1 with errno ENODEV). You may use the PKEY_APQNS4KT ioctl to
274  * generate a list of apqns based on the key type to generate.
275  * The keygenflags argument is passed to the low level generation functions
276  * individual for the key type and has a key type specific meaning. When
277  * generating CCA cipher keys you can use one or more of the PKEY_KEYGEN_*
278  * flags to widen the export possibilities. By default a cipher key is
279  * only exportable for CPACF (PKEY_KEYGEN_XPRT_CPAC).
280  * The keygenflag argument for generating an EP11 AES key should either be 0
281  * to use the defaults which are XCP_BLOB_ENCRYPT, XCP_BLOB_DECRYPT and
282  * XCP_BLOB_PROTKEY_EXTRACTABLE or a valid combination of XCP_BLOB_* flags.
283  */
284 struct pkey_clr2seck2 {
285 	struct pkey_apqn __user *apqns; /* in: ptr to list of apqn targets */
286 	__u32 apqn_entries;	    /* in: # of apqn target list entries   */
287 	enum pkey_key_type type;    /* in: key type to generate		   */
288 	enum pkey_key_size size;    /* in: key size to generate		   */
289 	__u32 keygenflags;	    /* in: key generation flags		   */
290 	struct pkey_clrkey clrkey;  /* in: the clear key value		   */
291 	__u8 __user *key;	    /* in: pointer to key blob buffer	   */
292 	__u32 keylen;		    /* in: available key blob buffer size  */
293 				    /* out: actual key blob size	   */
294 };
295 #define PKEY_CLR2SECK2 _IOWR(PKEY_IOCTL_MAGIC, 0x12, struct pkey_clr2seck2)
296 
297 /*
298  * Verify the given secure key, version 2.
299  * Check for correct key type. If cardnr and domain are given (are not
300  * 0xFFFF) also check if this apqn is able to handle this type of key.
301  * If cardnr and/or domain is 0xFFFF, on return these values are filled
302  * with one apqn able to handle this key.
303  * The function also checks for the master key verification patterns
304  * of the key matching to the current or alternate mkvp of the apqn.
305  * For CCA AES secure keys and CCA AES cipher keys this means to check
306  * the key's mkvp against the current or old mkvp of the apqns. The flags
307  * field is updated with some additional info about the apqn mkvp
308  * match: If the current mkvp matches to the key's mkvp then the
309  * PKEY_FLAGS_MATCH_CUR_MKVP bit is set, if the alternate mkvp matches to
310  * the key's mkvp the PKEY_FLAGS_MATCH_ALT_MKVP is set. For CCA keys the
311  * alternate mkvp is the old master key verification pattern.
312  * CCA AES secure keys are also checked to have the CPACF export allowed
313  * bit enabled (XPRTCPAC) in the kmf1 field.
314  * EP11 keys are also supported and the wkvp of the key is checked against
315  * the current wkvp of the apqns. There is no alternate for this type of
316  * key and so on a match the flag PKEY_FLAGS_MATCH_CUR_MKVP always is set.
317  * EP11 keys are also checked to have XCP_BLOB_PROTKEY_EXTRACTABLE set.
318  * The ioctl returns 0 as long as the given or found apqn matches to
319  * matches with the current or alternate mkvp to the key's mkvp. If the given
320  * apqn does not match or there is no such apqn found, -1 with errno
321  * ENODEV is returned.
322  */
323 struct pkey_verifykey2 {
324 	__u8 __user *key;	    /* in: pointer to key blob		 */
325 	__u32 keylen;		    /* in: key blob size		 */
326 	__u16 cardnr;		    /* in/out: card number		 */
327 	__u16 domain;		    /* in/out: domain number		 */
328 	enum pkey_key_type type;    /* out: the key type		 */
329 	enum pkey_key_size size;    /* out: the key size		 */
330 	__u32 flags;		    /* out: additional key info flags	 */
331 };
332 #define PKEY_VERIFYKEY2 _IOWR(PKEY_IOCTL_MAGIC, 0x17, struct pkey_verifykey2)
333 
334 /*
335  * Transform a key blob into a protected key, version 2.
336  * There needs to be a list of apqns given with at least one entry in there.
337  * All apqns in the list need to be exact apqns, 0xFFFF as ANY card or domain
338  * is not supported. The implementation walks through the list of apqns and
339  * tries to send the request to each apqn without any further checking (like
340  * card type or online state). If the apqn fails, simple the next one in the
341  * list is tried until success (return 0) or the end of the list is reached
342  * (return -1 with errno ENODEV). You may use the PKEY_APQNS4K ioctl to
343  * generate a list of apqns based on the key.
344  * Deriving ECC protected keys from ECC secure keys is not supported with
345  * this ioctl, use PKEY_KBLOB2PROTK3 for this purpose.
346  */
347 struct pkey_kblob2pkey2 {
348 	__u8 __user *key;	     /* in: pointer to key blob		   */
349 	__u32 keylen;		     /* in: key blob size		   */
350 	struct pkey_apqn __user *apqns; /* in: ptr to list of apqn targets */
351 	__u32 apqn_entries;	     /* in: # of apqn target list entries  */
352 	struct pkey_protkey protkey; /* out: the protected key		   */
353 };
354 #define PKEY_KBLOB2PROTK2 _IOWR(PKEY_IOCTL_MAGIC, 0x1A, struct pkey_kblob2pkey2)
355 
356 /*
357  * Build a list of APQNs based on a key blob given.
358  * Is able to find out which type of secure key is given (CCA AES secure
359  * key, CCA AES cipher key, CCA ECC private key, EP11 AES key, EP11 ECC private
360  * key) and tries to find all matching crypto cards based on the MKVP and maybe
361  * other criteria (like CCA AES cipher keys need a CEX5C or higher, EP11 keys
362  * with BLOB_PKEY_EXTRACTABLE need a CEX7 and EP11 api version 4). The list of
363  * APQNs is further filtered by the key's mkvp which needs to match to either
364  * the current mkvp (CCA and EP11) or the alternate mkvp (old mkvp, CCA adapters
365  * only) of the apqns. The flags argument may be used to limit the matching
366  * apqns. If the PKEY_FLAGS_MATCH_CUR_MKVP is given, only the current mkvp of
367  * each apqn is compared. Likewise with the PKEY_FLAGS_MATCH_ALT_MKVP. If both
368  * are given, it is assumed to return apqns where either the current or the
369  * alternate mkvp matches. At least one of the matching flags needs to be given.
370  * The flags argument for EP11 keys has no further action and is currently
371  * ignored (but needs to be given as PKEY_FLAGS_MATCH_CUR_MKVP) as there is only
372  * the wkvp from the key to match against the apqn's wkvp.
373  * The list of matching apqns is stored into the space given by the apqns
374  * argument and the number of stored entries goes into apqn_entries. If the list
375  * is empty (apqn_entries is 0) the apqn_entries field is updated to the number
376  * of apqn targets found and the ioctl returns with 0. If apqn_entries is > 0
377  * but the number of apqn targets does not fit into the list, the apqn_targets
378  * field is updated with the number of required entries but there are no apqn
379  * values stored in the list and the ioctl returns with ENOSPC. If no matching
380  * APQN is found, the ioctl returns with 0 but the apqn_entries value is 0.
381  */
382 struct pkey_apqns4key {
383 	__u8 __user *key;	   /* in: pointer to key blob		      */
384 	__u32 keylen;		   /* in: key blob size			      */
385 	__u32 flags;		   /* in: match controlling flags	      */
386 	struct pkey_apqn __user *apqns; /* in/out: ptr to list of apqn targets*/
387 	__u32 apqn_entries;	   /* in: max # of apqn entries in the list   */
388 				   /* out: # apqns stored into the list	      */
389 };
390 #define PKEY_APQNS4K _IOWR(PKEY_IOCTL_MAGIC, 0x1B, struct pkey_apqns4key)
391 
392 /*
393  * Build a list of APQNs based on a key type given.
394  * Build a list of APQNs based on a given key type and maybe further
395  * restrict the list by given master key verification patterns.
396  * For different key types there may be different ways to match the
397  * master key verification patterns. For CCA keys (CCA data key and CCA
398  * cipher key) the first 8 bytes of cur_mkvp refer to the current AES mkvp value
399  * of the apqn and the first 8 bytes of the alt_mkvp refer to the old AES mkvp.
400  * For CCA ECC keys it is similar but the match is against the APKA current/old
401  * mkvp. The flags argument controls if the apqns current and/or alternate mkvp
402  * should match. If the PKEY_FLAGS_MATCH_CUR_MKVP is given, only the current
403  * mkvp of each apqn is compared. Likewise with the PKEY_FLAGS_MATCH_ALT_MKVP.
404  * If both are given, it is assumed to return apqns where either the
405  * current or the alternate mkvp matches. If no match flag is given
406  * (flags is 0) the mkvp values are ignored for the match process.
407  * For EP11 keys there is only the current wkvp. So if the apqns should also
408  * match to a given wkvp, then the PKEY_FLAGS_MATCH_CUR_MKVP flag should be
409  * set. The wkvp value is 32 bytes but only the leftmost 16 bytes are compared
410  * against the leftmost 16 byte of the wkvp of the apqn.
411  * The list of matching apqns is stored into the space given by the apqns
412  * argument and the number of stored entries goes into apqn_entries. If the list
413  * is empty (apqn_entries is 0) the apqn_entries field is updated to the number
414  * of apqn targets found and the ioctl returns with 0. If apqn_entries is > 0
415  * but the number of apqn targets does not fit into the list, the apqn_targets
416  * field is updated with the number of required entries but there are no apqn
417  * values stored in the list and the ioctl returns with ENOSPC. If no matching
418  * APQN is found, the ioctl returns with 0 but the apqn_entries value is 0.
419  */
420 struct pkey_apqns4keytype {
421 	enum pkey_key_type type;   /* in: key type			      */
422 	__u8  cur_mkvp[32];	   /* in: current mkvp			      */
423 	__u8  alt_mkvp[32];	   /* in: alternate mkvp		      */
424 	__u32 flags;		   /* in: match controlling flags	      */
425 	struct pkey_apqn __user *apqns; /* in/out: ptr to list of apqn targets*/
426 	__u32 apqn_entries;	   /* in: max # of apqn entries in the list   */
427 				   /* out: # apqns stored into the list	      */
428 };
429 #define PKEY_APQNS4KT _IOWR(PKEY_IOCTL_MAGIC, 0x1C, struct pkey_apqns4keytype)
430 
431 /*
432  * Transform a key blob into a protected key, version 3.
433  * The difference to version 2 of this ioctl is that the protected key
434  * buffer is now explicitly and not within a struct pkey_protkey any more.
435  * So this ioctl is also able to handle EP11 and CCA ECC secure keys and
436  * provide ECC protected keys.
437  * There needs to be a list of apqns given with at least one entry in there.
438  * All apqns in the list need to be exact apqns, 0xFFFF as ANY card or domain
439  * is not supported. The implementation walks through the list of apqns and
440  * tries to send the request to each apqn without any further checking (like
441  * card type or online state). If the apqn fails, simple the next one in the
442  * list is tried until success (return 0) or the end of the list is reached
443  * (return -1 with errno ENODEV). You may use the PKEY_APQNS4K ioctl to
444  * generate a list of apqns based on the key.
445  */
446 struct pkey_kblob2pkey3 {
447 	__u8 __user *key;	     /* in: pointer to key blob		   */
448 	__u32 keylen;		     /* in: key blob size		   */
449 	struct pkey_apqn __user *apqns; /* in: ptr to list of apqn targets */
450 	__u32 apqn_entries;	     /* in: # of apqn target list entries  */
451 	__u32 pkeytype;		/* out: prot key type (enum pkey_key_type) */
452 	__u32 pkeylen;	 /* in/out: size of pkey buffer/actual len of pkey */
453 	__u8 __user *pkey;		 /* in: pkey blob buffer space ptr */
454 };
455 #define PKEY_KBLOB2PROTK3 _IOWR(PKEY_IOCTL_MAGIC, 0x1D, struct pkey_kblob2pkey3)
456 
457 #endif /* _UAPI_PKEY_H */
458