1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 /* 3 * Userspace interface to the pkey device driver 4 * 5 * Copyright IBM Corp. 2017, 2023 6 * 7 * Author: Harald Freudenberger <freude@de.ibm.com> 8 * 9 */ 10 11 #ifndef _UAPI_PKEY_H 12 #define _UAPI_PKEY_H 13 14 #include <linux/ioctl.h> 15 #include <linux/types.h> 16 17 /* 18 * Ioctl calls supported by the pkey device driver 19 */ 20 21 #define PKEY_IOCTL_MAGIC 'p' 22 23 #define SECKEYBLOBSIZE 64 /* secure key blob size is always 64 bytes */ 24 #define PROTKEYBLOBSIZE 80 /* protected key blob size is always 80 bytes */ 25 #define MAXPROTKEYSIZE 64 /* a protected key blob may be up to 64 bytes */ 26 #define MAXCLRKEYSIZE 32 /* a clear key value may be up to 32 bytes */ 27 #define MAXAESCIPHERKEYSIZE 136 /* our aes cipher keys have always 136 bytes */ 28 #define MINEP11AESKEYBLOBSIZE 256 /* min EP11 AES key blob size */ 29 #define MAXEP11AESKEYBLOBSIZE 336 /* max EP11 AES key blob size */ 30 31 /* Minimum size of a key blob */ 32 #define MINKEYBLOBSIZE SECKEYBLOBSIZE 33 34 /* defines for the type field within the pkey_protkey struct */ 35 #define PKEY_KEYTYPE_AES_128 1 36 #define PKEY_KEYTYPE_AES_192 2 37 #define PKEY_KEYTYPE_AES_256 3 38 #define PKEY_KEYTYPE_ECC 4 39 #define PKEY_KEYTYPE_ECC_P256 5 40 #define PKEY_KEYTYPE_ECC_P384 6 41 #define PKEY_KEYTYPE_ECC_P521 7 42 #define PKEY_KEYTYPE_ECC_ED25519 8 43 #define PKEY_KEYTYPE_ECC_ED448 9 44 #define PKEY_KEYTYPE_AES_XTS_128 10 45 #define PKEY_KEYTYPE_AES_XTS_256 11 46 #define PKEY_KEYTYPE_HMAC_512 12 47 #define PKEY_KEYTYPE_HMAC_1024 13 48 49 /* the newer ioctls use a pkey_key_type enum for type information */ 50 enum pkey_key_type { 51 PKEY_TYPE_CCA_DATA = (__u32)1, 52 PKEY_TYPE_CCA_CIPHER = (__u32)2, 53 PKEY_TYPE_EP11 = (__u32)3, 54 PKEY_TYPE_CCA_ECC = (__u32)0x1f, 55 PKEY_TYPE_EP11_AES = (__u32)6, 56 PKEY_TYPE_EP11_ECC = (__u32)7, 57 PKEY_TYPE_PROTKEY = (__u32)8, 58 PKEY_TYPE_UVSECRET = (__u32)9, 59 }; 60 61 /* the newer ioctls use a pkey_key_size enum for key size information */ 62 enum pkey_key_size { 63 PKEY_SIZE_AES_128 = (__u32)128, 64 PKEY_SIZE_AES_192 = (__u32)192, 65 PKEY_SIZE_AES_256 = (__u32)256, 66 PKEY_SIZE_UNKNOWN = (__u32)0xFFFFFFFF, 67 }; 68 69 /* some of the newer ioctls use these flags */ 70 #define PKEY_FLAGS_MATCH_CUR_MKVP 0x00000002 71 #define PKEY_FLAGS_MATCH_ALT_MKVP 0x00000004 72 73 /* keygenflags defines for CCA AES cipher keys */ 74 #define PKEY_KEYGEN_XPRT_SYM 0x00008000 75 #define PKEY_KEYGEN_XPRT_UASY 0x00004000 76 #define PKEY_KEYGEN_XPRT_AASY 0x00002000 77 #define PKEY_KEYGEN_XPRT_RAW 0x00001000 78 #define PKEY_KEYGEN_XPRT_CPAC 0x00000800 79 #define PKEY_KEYGEN_XPRT_DES 0x00000080 80 #define PKEY_KEYGEN_XPRT_AES 0x00000040 81 #define PKEY_KEYGEN_XPRT_RSA 0x00000008 82 83 /* Struct to hold apqn target info (card/domain pair) */ 84 struct pkey_apqn { 85 __u16 card; 86 __u16 domain; 87 }; 88 89 /* Struct to hold a CCA AES secure key blob */ 90 struct pkey_seckey { 91 __u8 seckey[SECKEYBLOBSIZE]; /* the secure key blob */ 92 }; 93 94 /* Struct to hold protected key and length info */ 95 struct pkey_protkey { 96 __u32 type; /* key type, one of the PKEY_KEYTYPE_AES values */ 97 __u32 len; /* bytes actually stored in protkey[] */ 98 __u8 protkey[MAXPROTKEYSIZE]; /* the protected key blob */ 99 }; 100 101 /* Struct to hold an AES clear key value */ 102 struct pkey_clrkey { 103 __u8 clrkey[MAXCLRKEYSIZE]; /* 16, 24, or 32 byte clear key value */ 104 }; 105 106 /* 107 * EP11 key blobs of type PKEY_TYPE_EP11_AES and PKEY_TYPE_EP11_ECC 108 * are ep11 blobs prepended by this header: 109 */ 110 struct ep11kblob_header { 111 __u8 type; /* always 0x00 */ 112 __u8 hver; /* header version, currently needs to be 0x00 */ 113 __u16 len; /* total length in bytes (including this header) */ 114 __u8 version; /* PKEY_TYPE_EP11_AES or PKEY_TYPE_EP11_ECC */ 115 __u8 res0; /* unused */ 116 __u16 bitlen; /* clear key bit len, 0 for unknown */ 117 __u8 res1[8]; /* unused */ 118 } __packed; 119 120 /* 121 * Generate CCA AES secure key. 122 */ 123 struct pkey_genseck { 124 __u16 cardnr; /* in: card to use or FFFF for any */ 125 __u16 domain; /* in: domain or FFFF for any */ 126 __u32 keytype; /* in: key type to generate */ 127 struct pkey_seckey seckey; /* out: the secure key blob */ 128 }; 129 130 #define PKEY_GENSECK _IOWR(PKEY_IOCTL_MAGIC, 0x01, struct pkey_genseck) 131 132 /* 133 * Construct CCA AES secure key from clear key value 134 */ 135 struct pkey_clr2seck { 136 __u16 cardnr; /* in: card to use or FFFF for any */ 137 __u16 domain; /* in: domain or FFFF for any */ 138 __u32 keytype; /* in: key type to generate */ 139 struct pkey_clrkey clrkey; /* in: the clear key value */ 140 struct pkey_seckey seckey; /* out: the secure key blob */ 141 }; 142 143 #define PKEY_CLR2SECK _IOWR(PKEY_IOCTL_MAGIC, 0x02, struct pkey_clr2seck) 144 145 /* 146 * Fabricate AES protected key from a CCA AES secure key 147 */ 148 struct pkey_sec2protk { 149 __u16 cardnr; /* in: card to use or FFFF for any */ 150 __u16 domain; /* in: domain or FFFF for any */ 151 struct pkey_seckey seckey; /* in: the secure key blob */ 152 struct pkey_protkey protkey; /* out: the protected key */ 153 }; 154 155 #define PKEY_SEC2PROTK _IOWR(PKEY_IOCTL_MAGIC, 0x03, struct pkey_sec2protk) 156 157 /* 158 * Fabricate AES protected key from clear key value 159 */ 160 struct pkey_clr2protk { 161 __u32 keytype; /* in: key type to generate */ 162 struct pkey_clrkey clrkey; /* in: the clear key value */ 163 struct pkey_protkey protkey; /* out: the protected key */ 164 }; 165 166 #define PKEY_CLR2PROTK _IOWR(PKEY_IOCTL_MAGIC, 0x04, struct pkey_clr2protk) 167 168 /* 169 * Search for matching crypto card based on the Master Key 170 * Verification Pattern provided inside a CCA AES secure key. 171 */ 172 struct pkey_findcard { 173 struct pkey_seckey seckey; /* in: the secure key blob */ 174 __u16 cardnr; /* out: card number */ 175 __u16 domain; /* out: domain number */ 176 }; 177 178 #define PKEY_FINDCARD _IOWR(PKEY_IOCTL_MAGIC, 0x05, struct pkey_findcard) 179 180 /* 181 * Combined together: findcard + sec2prot 182 */ 183 struct pkey_skey2pkey { 184 struct pkey_seckey seckey; /* in: the secure key blob */ 185 struct pkey_protkey protkey; /* out: the protected key */ 186 }; 187 188 #define PKEY_SKEY2PKEY _IOWR(PKEY_IOCTL_MAGIC, 0x06, struct pkey_skey2pkey) 189 190 /* 191 * Verify the given CCA AES secure key for being able to be usable with 192 * the pkey module. Check for correct key type and check for having at 193 * least one crypto card being able to handle this key (master key 194 * or old master key verification pattern matches). 195 * Return some info about the key: keysize in bits, keytype (currently 196 * only AES), flag if key is wrapped with an old MKVP. 197 */ 198 struct pkey_verifykey { 199 struct pkey_seckey seckey; /* in: the secure key blob */ 200 __u16 cardnr; /* out: card number */ 201 __u16 domain; /* out: domain number */ 202 __u16 keysize; /* out: key size in bits */ 203 __u32 attributes; /* out: attribute bits */ 204 }; 205 206 #define PKEY_VERIFYKEY _IOWR(PKEY_IOCTL_MAGIC, 0x07, struct pkey_verifykey) 207 #define PKEY_VERIFY_ATTR_AES 0x00000001 /* key is an AES key */ 208 #define PKEY_VERIFY_ATTR_OLD_MKVP 0x00000100 /* key has old MKVP value */ 209 210 /* 211 * Generate AES random protected key. 212 */ 213 struct pkey_genprotk { 214 __u32 keytype; /* in: key type to generate */ 215 struct pkey_protkey protkey; /* out: the protected key */ 216 }; 217 218 #define PKEY_GENPROTK _IOWR(PKEY_IOCTL_MAGIC, 0x08, struct pkey_genprotk) 219 220 /* 221 * Verify an AES protected key. 222 */ 223 struct pkey_verifyprotk { 224 struct pkey_protkey protkey; /* in: the protected key to verify */ 225 }; 226 227 #define PKEY_VERIFYPROTK _IOW(PKEY_IOCTL_MAGIC, 0x09, struct pkey_verifyprotk) 228 229 /* 230 * Transform an key blob (of any type) into a protected key 231 */ 232 struct pkey_kblob2pkey { 233 __u8 __user *key; /* in: the key blob */ 234 __u32 keylen; /* in: the key blob length */ 235 struct pkey_protkey protkey; /* out: the protected key */ 236 }; 237 238 #define PKEY_KBLOB2PROTK _IOWR(PKEY_IOCTL_MAGIC, 0x0A, struct pkey_kblob2pkey) 239 240 /* 241 * Generate secure key, version 2. 242 * Generate CCA AES secure key, CCA AES cipher key or EP11 AES secure key. 243 * There needs to be a list of apqns given with at least one entry in there. 244 * All apqns in the list need to be exact apqns, 0xFFFF as ANY card or domain 245 * is not supported. The implementation walks through the list of apqns and 246 * tries to send the request to each apqn without any further checking (like 247 * card type or online state). If the apqn fails, simple the next one in the 248 * list is tried until success (return 0) or the end of the list is reached 249 * (return -1 with errno ENODEV). You may use the PKEY_APQNS4KT ioctl to 250 * generate a list of apqns based on the key type to generate. 251 * The keygenflags argument is passed to the low level generation functions 252 * individual for the key type and has a key type specific meaning. When 253 * generating CCA cipher keys you can use one or more of the PKEY_KEYGEN_* 254 * flags to widen the export possibilities. By default a cipher key is 255 * only exportable for CPACF (PKEY_KEYGEN_XPRT_CPAC). 256 * The keygenflag argument for generating an EP11 AES key should either be 0 257 * to use the defaults which are XCP_BLOB_ENCRYPT, XCP_BLOB_DECRYPT and 258 * XCP_BLOB_PROTKEY_EXTRACTABLE or a valid combination of XCP_BLOB_* flags. 259 */ 260 struct pkey_genseck2 { 261 struct pkey_apqn __user *apqns; /* in: ptr to list of apqn targets*/ 262 __u32 apqn_entries; /* in: # of apqn target list entries */ 263 enum pkey_key_type type; /* in: key type to generate */ 264 enum pkey_key_size size; /* in: key size to generate */ 265 __u32 keygenflags; /* in: key generation flags */ 266 __u8 __user *key; /* in: pointer to key blob buffer */ 267 __u32 keylen; /* in: available key blob buffer size */ 268 /* out: actual key blob size */ 269 }; 270 271 #define PKEY_GENSECK2 _IOWR(PKEY_IOCTL_MAGIC, 0x11, struct pkey_genseck2) 272 273 /* 274 * Generate secure key from clear key value, version 2. 275 * Construct an CCA AES secure key, CCA AES cipher key or EP11 AES secure 276 * key from a given clear key value. 277 * There needs to be a list of apqns given with at least one entry in there. 278 * All apqns in the list need to be exact apqns, 0xFFFF as ANY card or domain 279 * is not supported. The implementation walks through the list of apqns and 280 * tries to send the request to each apqn without any further checking (like 281 * card type or online state). If the apqn fails, simple the next one in the 282 * list is tried until success (return 0) or the end of the list is reached 283 * (return -1 with errno ENODEV). You may use the PKEY_APQNS4KT ioctl to 284 * generate a list of apqns based on the key type to generate. 285 * The keygenflags argument is passed to the low level generation functions 286 * individual for the key type and has a key type specific meaning. When 287 * generating CCA cipher keys you can use one or more of the PKEY_KEYGEN_* 288 * flags to widen the export possibilities. By default a cipher key is 289 * only exportable for CPACF (PKEY_KEYGEN_XPRT_CPAC). 290 * The keygenflag argument for generating an EP11 AES key should either be 0 291 * to use the defaults which are XCP_BLOB_ENCRYPT, XCP_BLOB_DECRYPT and 292 * XCP_BLOB_PROTKEY_EXTRACTABLE or a valid combination of XCP_BLOB_* flags. 293 */ 294 struct pkey_clr2seck2 { 295 struct pkey_apqn __user *apqns; /* in: ptr to list of apqn targets */ 296 __u32 apqn_entries; /* in: # of apqn target list entries */ 297 enum pkey_key_type type; /* in: key type to generate */ 298 enum pkey_key_size size; /* in: key size to generate */ 299 __u32 keygenflags; /* in: key generation flags */ 300 struct pkey_clrkey clrkey; /* in: the clear key value */ 301 __u8 __user *key; /* in: pointer to key blob buffer */ 302 __u32 keylen; /* in: available key blob buffer size */ 303 /* out: actual key blob size */ 304 }; 305 306 #define PKEY_CLR2SECK2 _IOWR(PKEY_IOCTL_MAGIC, 0x12, struct pkey_clr2seck2) 307 308 /* 309 * Verify the given secure key, version 2. 310 * Check for correct key type. If cardnr and domain are given (are not 311 * 0xFFFF) also check if this apqn is able to handle this type of key. 312 * If cardnr and/or domain is 0xFFFF, on return these values are filled 313 * with one apqn able to handle this key. 314 * The function also checks for the master key verification patterns 315 * of the key matching to the current or alternate mkvp of the apqn. 316 * For CCA AES secure keys and CCA AES cipher keys this means to check 317 * the key's mkvp against the current or old mkvp of the apqns. The flags 318 * field is updated with some additional info about the apqn mkvp 319 * match: If the current mkvp matches to the key's mkvp then the 320 * PKEY_FLAGS_MATCH_CUR_MKVP bit is set, if the alternate mkvp matches to 321 * the key's mkvp the PKEY_FLAGS_MATCH_ALT_MKVP is set. For CCA keys the 322 * alternate mkvp is the old master key verification pattern. 323 * CCA AES secure keys are also checked to have the CPACF export allowed 324 * bit enabled (XPRTCPAC) in the kmf1 field. 325 * EP11 keys are also supported and the wkvp of the key is checked against 326 * the current wkvp of the apqns. There is no alternate for this type of 327 * key and so on a match the flag PKEY_FLAGS_MATCH_CUR_MKVP always is set. 328 * EP11 keys are also checked to have XCP_BLOB_PROTKEY_EXTRACTABLE set. 329 * The ioctl returns 0 as long as the given or found apqn matches to 330 * matches with the current or alternate mkvp to the key's mkvp. If the given 331 * apqn does not match or there is no such apqn found, -1 with errno 332 * ENODEV is returned. 333 */ 334 struct pkey_verifykey2 { 335 __u8 __user *key; /* in: pointer to key blob */ 336 __u32 keylen; /* in: key blob size */ 337 __u16 cardnr; /* in/out: card number */ 338 __u16 domain; /* in/out: domain number */ 339 enum pkey_key_type type; /* out: the key type */ 340 enum pkey_key_size size; /* out: the key size */ 341 __u32 flags; /* out: additional key info flags */ 342 }; 343 344 #define PKEY_VERIFYKEY2 _IOWR(PKEY_IOCTL_MAGIC, 0x17, struct pkey_verifykey2) 345 346 /* 347 * Transform a key blob into a protected key, version 2. 348 * There needs to be a list of apqns given with at least one entry in there. 349 * All apqns in the list need to be exact apqns, 0xFFFF as ANY card or domain 350 * is not supported. The implementation walks through the list of apqns and 351 * tries to send the request to each apqn without any further checking (like 352 * card type or online state). If the apqn fails, simple the next one in the 353 * list is tried until success (return 0) or the end of the list is reached 354 * (return -1 with errno ENODEV). You may use the PKEY_APQNS4K ioctl to 355 * generate a list of apqns based on the key. 356 * Deriving ECC protected keys from ECC secure keys is not supported with 357 * this ioctl, use PKEY_KBLOB2PROTK3 for this purpose. 358 */ 359 struct pkey_kblob2pkey2 { 360 __u8 __user *key; /* in: pointer to key blob */ 361 __u32 keylen; /* in: key blob size */ 362 struct pkey_apqn __user *apqns; /* in: ptr to list of apqn targets */ 363 __u32 apqn_entries; /* in: # of apqn target list entries */ 364 struct pkey_protkey protkey; /* out: the protected key */ 365 }; 366 367 #define PKEY_KBLOB2PROTK2 _IOWR(PKEY_IOCTL_MAGIC, 0x1A, struct pkey_kblob2pkey2) 368 369 /* 370 * Build a list of APQNs based on a key blob given. 371 * Is able to find out which type of secure key is given (CCA AES secure 372 * key, CCA AES cipher key, CCA ECC private key, EP11 AES key, EP11 ECC private 373 * key) and tries to find all matching crypto cards based on the MKVP and maybe 374 * other criteria (like CCA AES cipher keys need a CEX5C or higher, EP11 keys 375 * with BLOB_PKEY_EXTRACTABLE need a CEX7 and EP11 api version 4). The list of 376 * APQNs is further filtered by the key's mkvp which needs to match to either 377 * the current mkvp (CCA and EP11) or the alternate mkvp (old mkvp, CCA adapters 378 * only) of the apqns. The flags argument may be used to limit the matching 379 * apqns. If the PKEY_FLAGS_MATCH_CUR_MKVP is given, only the current mkvp of 380 * each apqn is compared. Likewise with the PKEY_FLAGS_MATCH_ALT_MKVP. If both 381 * are given, it is assumed to return apqns where either the current or the 382 * alternate mkvp matches. At least one of the matching flags needs to be given. 383 * The flags argument for EP11 keys has no further action and is currently 384 * ignored (but needs to be given as PKEY_FLAGS_MATCH_CUR_MKVP) as there is only 385 * the wkvp from the key to match against the apqn's wkvp. 386 * The list of matching apqns is stored into the space given by the apqns 387 * argument and the number of stored entries goes into apqn_entries. If the list 388 * is empty (apqn_entries is 0) the apqn_entries field is updated to the number 389 * of apqn targets found and the ioctl returns with 0. If apqn_entries is > 0 390 * but the number of apqn targets does not fit into the list, the apqn_targets 391 * field is updated with the number of required entries but there are no apqn 392 * values stored in the list and the ioctl returns with ENOSPC. If no matching 393 * APQN is found, the ioctl returns with 0 but the apqn_entries value is 0. 394 */ 395 struct pkey_apqns4key { 396 __u8 __user *key; /* in: pointer to key blob */ 397 __u32 keylen; /* in: key blob size */ 398 __u32 flags; /* in: match controlling flags */ 399 struct pkey_apqn __user *apqns; /* in/out: ptr to list of apqn targets*/ 400 __u32 apqn_entries; /* in: max # of apqn entries in the list */ 401 /* out: # apqns stored into the list */ 402 }; 403 404 #define PKEY_APQNS4K _IOWR(PKEY_IOCTL_MAGIC, 0x1B, struct pkey_apqns4key) 405 406 /* 407 * Build a list of APQNs based on a key type given. 408 * Build a list of APQNs based on a given key type and maybe further 409 * restrict the list by given master key verification patterns. 410 * For different key types there may be different ways to match the 411 * master key verification patterns. For CCA keys (CCA data key and CCA 412 * cipher key) the first 8 bytes of cur_mkvp refer to the current AES mkvp value 413 * of the apqn and the first 8 bytes of the alt_mkvp refer to the old AES mkvp. 414 * For CCA ECC keys it is similar but the match is against the APKA current/old 415 * mkvp. The flags argument controls if the apqns current and/or alternate mkvp 416 * should match. If the PKEY_FLAGS_MATCH_CUR_MKVP is given, only the current 417 * mkvp of each apqn is compared. Likewise with the PKEY_FLAGS_MATCH_ALT_MKVP. 418 * If both are given, it is assumed to return apqns where either the 419 * current or the alternate mkvp matches. If no match flag is given 420 * (flags is 0) the mkvp values are ignored for the match process. 421 * For EP11 keys there is only the current wkvp. So if the apqns should also 422 * match to a given wkvp, then the PKEY_FLAGS_MATCH_CUR_MKVP flag should be 423 * set. The wkvp value is 32 bytes but only the leftmost 16 bytes are compared 424 * against the leftmost 16 byte of the wkvp of the apqn. 425 * The list of matching apqns is stored into the space given by the apqns 426 * argument and the number of stored entries goes into apqn_entries. If the list 427 * is empty (apqn_entries is 0) the apqn_entries field is updated to the number 428 * of apqn targets found and the ioctl returns with 0. If apqn_entries is > 0 429 * but the number of apqn targets does not fit into the list, the apqn_targets 430 * field is updated with the number of required entries but there are no apqn 431 * values stored in the list and the ioctl returns with ENOSPC. If no matching 432 * APQN is found, the ioctl returns with 0 but the apqn_entries value is 0. 433 */ 434 struct pkey_apqns4keytype { 435 enum pkey_key_type type; /* in: key type */ 436 __u8 cur_mkvp[32]; /* in: current mkvp */ 437 __u8 alt_mkvp[32]; /* in: alternate mkvp */ 438 __u32 flags; /* in: match controlling flags */ 439 struct pkey_apqn __user *apqns; /* in/out: ptr to list of apqn targets*/ 440 __u32 apqn_entries; /* in: max # of apqn entries in the list */ 441 /* out: # apqns stored into the list */ 442 }; 443 444 #define PKEY_APQNS4KT _IOWR(PKEY_IOCTL_MAGIC, 0x1C, struct pkey_apqns4keytype) 445 446 /* 447 * Transform a key blob into a protected key, version 3. 448 * The difference to version 2 of this ioctl is that the protected key 449 * buffer is now explicitly and not within a struct pkey_protkey any more. 450 * So this ioctl is also able to handle EP11 and CCA ECC secure keys and 451 * provide ECC protected keys. 452 * There needs to be a list of apqns given with at least one entry in there. 453 * All apqns in the list need to be exact apqns, 0xFFFF as ANY card or domain 454 * is not supported. The implementation walks through the list of apqns and 455 * tries to send the request to each apqn without any further checking (like 456 * card type or online state). If the apqn fails, simple the next one in the 457 * list is tried until success (return 0) or the end of the list is reached 458 * (return -1 with errno ENODEV). You may use the PKEY_APQNS4K ioctl to 459 * generate a list of apqns based on the key. 460 */ 461 struct pkey_kblob2pkey3 { 462 __u8 __user *key; /* in: pointer to key blob */ 463 __u32 keylen; /* in: key blob size */ 464 struct pkey_apqn __user *apqns; /* in: ptr to list of apqn targets */ 465 __u32 apqn_entries; /* in: # of apqn target list entries */ 466 __u32 pkeytype; /* out: prot key type (enum pkey_key_type) */ 467 __u32 pkeylen; /* in/out: size of pkey buffer/actual len of pkey */ 468 __u8 __user *pkey; /* in: pkey blob buffer space ptr */ 469 }; 470 471 #define PKEY_KBLOB2PROTK3 _IOWR(PKEY_IOCTL_MAGIC, 0x1D, struct pkey_kblob2pkey3) 472 473 #endif /* _UAPI_PKEY_H */ 474