xref: /linux/arch/s390/kernel/cert_store.c (revision 8c994eff8fcfe8ecb1f1dbebed25b4d7bb75be12)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * DIAG 0x320 support and certificate store handling
4  *
5  * Copyright IBM Corp. 2023
6  * Author(s):	Anastasia Eskova <anastasia.eskova@ibm.com>
7  */
8 
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 
11 #include <linux/delay.h>
12 #include <linux/device.h>
13 #include <linux/fs.h>
14 #include <linux/init.h>
15 #include <linux/kernel.h>
16 #include <linux/key-type.h>
17 #include <linux/key.h>
18 #include <linux/keyctl.h>
19 #include <linux/kobject.h>
20 #include <linux/module.h>
21 #include <linux/seq_file.h>
22 #include <linux/slab.h>
23 #include <linux/sysfs.h>
24 #include <crypto/sha2.h>
25 #include <keys/user-type.h>
26 #include <asm/debug.h>
27 #include <asm/diag.h>
28 #include <asm/ebcdic.h>
29 #include <asm/sclp.h>
30 
31 #define DIAG_MAX_RETRIES		10
32 
33 #define VCE_FLAGS_VALID_MASK		0x80
34 
35 #define ISM_LEN_DWORDS			4
36 #define VCSSB_LEN_BYTES			128
37 #define VCSSB_LEN_NO_CERTS		4
38 #define VCB_LEN_NO_CERTS		64
39 #define VC_NAME_LEN_BYTES		64
40 
41 #define CERT_STORE_KEY_TYPE_NAME	"cert_store_key"
42 #define CERT_STORE_KEYRING_NAME		"cert_store"
43 
44 static debug_info_t *cert_store_dbf;
45 static debug_info_t *cert_store_hexdump;
46 
47 #define pr_dbf_msg(fmt, ...) \
48 	debug_sprintf_event(cert_store_dbf, 3, fmt "\n", ## __VA_ARGS__)
49 
50 enum diag320_subcode {
51 	DIAG320_SUBCODES	= 0,
52 	DIAG320_STORAGE		= 1,
53 	DIAG320_CERT_BLOCK	= 2,
54 };
55 
56 enum diag320_rc {
57 	DIAG320_RC_OK		= 0x0001,
58 	DIAG320_RC_CS_NOMATCH	= 0x0306,
59 };
60 
61 /* Verification Certificates Store Support Block (VCSSB). */
62 struct vcssb {
63 	u32 vcssb_length;
64 	u8  pad_0x04[3];
65 	u8  version;
66 	u8  pad_0x08[8];
67 	u32 cs_token;
68 	u8  pad_0x14[12];
69 	u16 total_vc_index_count;
70 	u16 max_vc_index_count;
71 	u8  pad_0x24[28];
72 	u32 max_vce_length;
73 	u32 max_vcxe_length;
74 	u8  pad_0x48[8];
75 	u32 max_single_vcb_length;
76 	u32 total_vcb_length;
77 	u32 max_single_vcxb_length;
78 	u32 total_vcxb_length;
79 	u8  pad_0x60[32];
80 } __packed __aligned(8);
81 
82 /* Verification Certificate Entry (VCE) Header. */
83 struct vce_header {
84 	u32 vce_length;
85 	u8  flags;
86 	u8  key_type;
87 	u16 vc_index;
88 	u8  vc_name[VC_NAME_LEN_BYTES]; /* EBCDIC */
89 	u8  vc_format;
90 	u8  pad_0x49;
91 	u16 key_id_length;
92 	u8  pad_0x4c;
93 	u8  vc_hash_type;
94 	u16 vc_hash_length;
95 	u8  pad_0x50[4];
96 	u32 vc_length;
97 	u8  pad_0x58[8];
98 	u16 vc_hash_offset;
99 	u16 vc_offset;
100 	u8  pad_0x64[28];
101 } __packed __aligned(4);
102 
103 /* Verification Certificate Block (VCB) Header. */
104 struct vcb_header {
105 	u32 vcb_input_length;
106 	u8  pad_0x04[4];
107 	u16 first_vc_index;
108 	u16 last_vc_index;
109 	u32 pad_0x0c;
110 	u32 cs_token;
111 	u8  pad_0x14[12];
112 	u32 vcb_output_length;
113 	u8  pad_0x24[3];
114 	u8  version;
115 	u16 stored_vc_count;
116 	u16 remaining_vc_count;
117 	u8  pad_0x2c[20];
118 } __packed __aligned(4);
119 
120 /* Verification Certificate Block (VCB). */
121 struct vcb {
122 	struct vcb_header vcb_hdr;
123 	u8 vcb_buf[];
124 } __packed __aligned(4);
125 
126 /* Verification Certificate Entry (VCE). */
127 struct vce {
128 	struct vce_header vce_hdr;
129 	u8 cert_data_buf[];
130 } __packed __aligned(4);
131 
132 static void cert_store_key_describe(const struct key *key, struct seq_file *m)
133 {
134 	char ascii[VC_NAME_LEN_BYTES + 1];
135 
136 	/*
137 	 * First 64 bytes of the key description is key name in EBCDIC CP 500.
138 	 * Convert it to ASCII for displaying in /proc/keys.
139 	 */
140 	strscpy(ascii, key->description, sizeof(ascii));
141 	EBCASC_500(ascii, VC_NAME_LEN_BYTES);
142 	seq_puts(m, ascii);
143 
144 	seq_puts(m, &key->description[VC_NAME_LEN_BYTES]);
145 	if (key_is_positive(key))
146 		seq_printf(m, ": %u", key->datalen);
147 }
148 
149 /*
150  * Certificate store key type takes over properties of
151  * user key but cannot be updated.
152  */
153 static struct key_type key_type_cert_store_key = {
154 	.name		= CERT_STORE_KEY_TYPE_NAME,
155 	.preparse	= user_preparse,
156 	.free_preparse	= user_free_preparse,
157 	.instantiate	= generic_key_instantiate,
158 	.revoke		= user_revoke,
159 	.destroy	= user_destroy,
160 	.describe	= cert_store_key_describe,
161 	.read		= user_read,
162 };
163 
164 /* Logging functions. */
165 static void pr_dbf_vcb(const struct vcb *b)
166 {
167 	pr_dbf_msg("VCB Header:");
168 	pr_dbf_msg("vcb_input_length: %d", b->vcb_hdr.vcb_input_length);
169 	pr_dbf_msg("first_vc_index: %d", b->vcb_hdr.first_vc_index);
170 	pr_dbf_msg("last_vc_index: %d", b->vcb_hdr.last_vc_index);
171 	pr_dbf_msg("cs_token: %d", b->vcb_hdr.cs_token);
172 	pr_dbf_msg("vcb_output_length: %d", b->vcb_hdr.vcb_output_length);
173 	pr_dbf_msg("version: %d", b->vcb_hdr.version);
174 	pr_dbf_msg("stored_vc_count: %d", b->vcb_hdr.stored_vc_count);
175 	pr_dbf_msg("remaining_vc_count: %d", b->vcb_hdr.remaining_vc_count);
176 }
177 
178 static void pr_dbf_vce(const struct vce *e)
179 {
180 	unsigned char vc_name[VC_NAME_LEN_BYTES + 1];
181 	char log_string[VC_NAME_LEN_BYTES + 40];
182 
183 	pr_dbf_msg("VCE Header:");
184 	pr_dbf_msg("vce_hdr.vce_length: %d", e->vce_hdr.vce_length);
185 	pr_dbf_msg("vce_hdr.flags: %d", e->vce_hdr.flags);
186 	pr_dbf_msg("vce_hdr.key_type: %d", e->vce_hdr.key_type);
187 	pr_dbf_msg("vce_hdr.vc_index: %d", e->vce_hdr.vc_index);
188 	pr_dbf_msg("vce_hdr.vc_format: %d", e->vce_hdr.vc_format);
189 	pr_dbf_msg("vce_hdr.key_id_length: %d", e->vce_hdr.key_id_length);
190 	pr_dbf_msg("vce_hdr.vc_hash_type: %d", e->vce_hdr.vc_hash_type);
191 	pr_dbf_msg("vce_hdr.vc_hash_length: %d", e->vce_hdr.vc_hash_length);
192 	pr_dbf_msg("vce_hdr.vc_hash_offset: %d", e->vce_hdr.vc_hash_offset);
193 	pr_dbf_msg("vce_hdr.vc_length: %d", e->vce_hdr.vc_length);
194 	pr_dbf_msg("vce_hdr.vc_offset: %d", e->vce_hdr.vc_offset);
195 
196 	/* Certificate name in ASCII. */
197 	memcpy(vc_name, e->vce_hdr.vc_name, VC_NAME_LEN_BYTES);
198 	EBCASC_500(vc_name, VC_NAME_LEN_BYTES);
199 	vc_name[VC_NAME_LEN_BYTES] = '\0';
200 
201 	snprintf(log_string, sizeof(log_string),
202 		 "index: %d vce_hdr.vc_name (ASCII): %s",
203 		 e->vce_hdr.vc_index, vc_name);
204 	debug_text_event(cert_store_hexdump, 3, log_string);
205 
206 	/* Certificate data. */
207 	debug_text_event(cert_store_hexdump, 3, "VCE: Certificate data start");
208 	debug_event(cert_store_hexdump, 3, (u8 *)e->cert_data_buf, 128);
209 	debug_text_event(cert_store_hexdump, 3, "VCE: Certificate data end");
210 	debug_event(cert_store_hexdump, 3,
211 		    (u8 *)e->cert_data_buf + e->vce_hdr.vce_length - 128, 128);
212 }
213 
214 static void pr_dbf_vcssb(const struct vcssb *s)
215 {
216 	debug_text_event(cert_store_hexdump, 3, "DIAG320 Subcode1");
217 	debug_event(cert_store_hexdump, 3, (u8 *)s, VCSSB_LEN_BYTES);
218 
219 	pr_dbf_msg("VCSSB:");
220 	pr_dbf_msg("vcssb_length: %u", s->vcssb_length);
221 	pr_dbf_msg("version: %u", s->version);
222 	pr_dbf_msg("cs_token: %u", s->cs_token);
223 	pr_dbf_msg("total_vc_index_count: %u", s->total_vc_index_count);
224 	pr_dbf_msg("max_vc_index_count: %u", s->max_vc_index_count);
225 	pr_dbf_msg("max_vce_length: %u", s->max_vce_length);
226 	pr_dbf_msg("max_vcxe_length: %u", s->max_vce_length);
227 	pr_dbf_msg("max_single_vcb_length: %u", s->max_single_vcb_length);
228 	pr_dbf_msg("total_vcb_length: %u", s->total_vcb_length);
229 	pr_dbf_msg("max_single_vcxb_length: %u", s->max_single_vcxb_length);
230 	pr_dbf_msg("total_vcxb_length: %u", s->total_vcxb_length);
231 }
232 
233 static int __diag320(unsigned long subcode, void *addr)
234 {
235 	union register_pair rp = { .even = (unsigned long)addr, };
236 
237 	asm volatile(
238 		"	diag	%[rp],%[subcode],0x320\n"
239 		"0:	nopr	%%r7\n"
240 		EX_TABLE(0b, 0b)
241 		: [rp] "+d" (rp.pair)
242 		: [subcode] "d" (subcode)
243 		: "cc", "memory");
244 
245 	return rp.odd;
246 }
247 
248 static int diag320(unsigned long subcode, void *addr)
249 {
250 	diag_stat_inc(DIAG_STAT_X320);
251 
252 	return __diag320(subcode, addr);
253 }
254 
255 /*
256  * Calculate SHA256 hash of the VCE certificate and compare it to hash stored in
257  * VCE. Return -EINVAL if hashes don't match.
258  */
259 static int check_certificate_hash(const struct vce *vce)
260 {
261 	u8 hash[SHA256_DIGEST_SIZE];
262 	u16 vc_hash_length;
263 	u8 *vce_hash;
264 
265 	vce_hash = (u8 *)vce + vce->vce_hdr.vc_hash_offset;
266 	vc_hash_length = vce->vce_hdr.vc_hash_length;
267 	sha256((u8 *)vce + vce->vce_hdr.vc_offset, vce->vce_hdr.vc_length, hash);
268 	if (memcmp(vce_hash, hash, vc_hash_length) == 0)
269 		return 0;
270 
271 	pr_dbf_msg("SHA256 hash of received certificate does not match");
272 	debug_text_event(cert_store_hexdump, 3, "VCE hash:");
273 	debug_event(cert_store_hexdump, 3, vce_hash, SHA256_DIGEST_SIZE);
274 	debug_text_event(cert_store_hexdump, 3, "Calculated hash:");
275 	debug_event(cert_store_hexdump, 3, hash, SHA256_DIGEST_SIZE);
276 
277 	return -EINVAL;
278 }
279 
280 static int check_certificate_valid(const struct vce *vce)
281 {
282 	if (!(vce->vce_hdr.flags & VCE_FLAGS_VALID_MASK)) {
283 		pr_dbf_msg("Certificate entry is invalid");
284 		return -EINVAL;
285 	}
286 	if (vce->vce_hdr.vc_format != 1) {
287 		pr_dbf_msg("Certificate format is not supported");
288 		return -EINVAL;
289 	}
290 	if (vce->vce_hdr.vc_hash_type != 1) {
291 		pr_dbf_msg("Hash type is not supported");
292 		return -EINVAL;
293 	}
294 
295 	return check_certificate_hash(vce);
296 }
297 
298 static struct key *get_user_session_keyring(void)
299 {
300 	key_ref_t us_keyring_ref;
301 
302 	us_keyring_ref = lookup_user_key(KEY_SPEC_USER_SESSION_KEYRING,
303 					 KEY_LOOKUP_CREATE, KEY_NEED_LINK);
304 	if (IS_ERR(us_keyring_ref)) {
305 		pr_dbf_msg("Couldn't get user session keyring: %ld",
306 			   PTR_ERR(us_keyring_ref));
307 		return ERR_PTR(-ENOKEY);
308 	}
309 	key_ref_put(us_keyring_ref);
310 	return key_ref_to_ptr(us_keyring_ref);
311 }
312 
313 /* Invalidate all keys from cert_store keyring. */
314 static int invalidate_keyring_keys(struct key *keyring)
315 {
316 	unsigned long num_keys, key_index;
317 	size_t keyring_payload_len;
318 	key_serial_t *key_array;
319 	struct key *current_key;
320 	int rc;
321 
322 	keyring_payload_len = key_type_keyring.read(keyring, NULL, 0);
323 	num_keys = keyring_payload_len / sizeof(key_serial_t);
324 	key_array = kcalloc(num_keys, sizeof(key_serial_t), GFP_KERNEL);
325 	if (!key_array)
326 		return -ENOMEM;
327 
328 	rc = key_type_keyring.read(keyring, (char *)key_array, keyring_payload_len);
329 	if (rc != keyring_payload_len) {
330 		pr_dbf_msg("Couldn't read keyring payload");
331 		goto out;
332 	}
333 
334 	for (key_index = 0; key_index < num_keys; key_index++) {
335 		current_key = key_lookup(key_array[key_index]);
336 		pr_dbf_msg("Invalidating key %08x", current_key->serial);
337 
338 		key_invalidate(current_key);
339 		key_put(current_key);
340 		rc = key_unlink(keyring, current_key);
341 		if (rc) {
342 			pr_dbf_msg("Couldn't unlink key %08x: %d", current_key->serial, rc);
343 			break;
344 		}
345 	}
346 out:
347 	kfree(key_array);
348 	return rc;
349 }
350 
351 static struct key *find_cs_keyring(void)
352 {
353 	key_ref_t cs_keyring_ref;
354 	struct key *cs_keyring;
355 
356 	cs_keyring_ref = keyring_search(make_key_ref(get_user_session_keyring(), true),
357 					&key_type_keyring, CERT_STORE_KEYRING_NAME,
358 					false);
359 	if (!IS_ERR(cs_keyring_ref)) {
360 		cs_keyring = key_ref_to_ptr(cs_keyring_ref);
361 		key_ref_put(cs_keyring_ref);
362 		goto found;
363 	}
364 	/* Search default locations: thread, process, session keyrings */
365 	cs_keyring = request_key(&key_type_keyring, CERT_STORE_KEYRING_NAME, NULL);
366 	if (IS_ERR(cs_keyring))
367 		return NULL;
368 	key_put(cs_keyring);
369 found:
370 	return cs_keyring;
371 }
372 
373 static void cleanup_cs_keys(void)
374 {
375 	struct key *cs_keyring;
376 
377 	cs_keyring = find_cs_keyring();
378 	if (!cs_keyring)
379 		return;
380 
381 	pr_dbf_msg("Found cert_store keyring. Purging...");
382 	/*
383 	 * Remove cert_store_key_type in case invalidation
384 	 * of old cert_store keys failed (= severe error).
385 	 */
386 	if (invalidate_keyring_keys(cs_keyring))
387 		unregister_key_type(&key_type_cert_store_key);
388 
389 	keyring_clear(cs_keyring);
390 	key_invalidate(cs_keyring);
391 	key_put(cs_keyring);
392 	key_unlink(get_user_session_keyring(), cs_keyring);
393 }
394 
395 static struct key *create_cs_keyring(void)
396 {
397 	static struct key *cs_keyring;
398 
399 	/* Cleanup previous cs_keyring and all associated keys if any. */
400 	cleanup_cs_keys();
401 	cs_keyring = keyring_alloc(CERT_STORE_KEYRING_NAME, GLOBAL_ROOT_UID,
402 				   GLOBAL_ROOT_GID, current_cred(),
403 				   (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ,
404 				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_SET_KEEP,
405 				   NULL, get_user_session_keyring());
406 	if (IS_ERR(cs_keyring)) {
407 		pr_dbf_msg("Can't allocate cert_store keyring");
408 		return NULL;
409 	}
410 
411 	pr_dbf_msg("Successfully allocated cert_store keyring: %08x", cs_keyring->serial);
412 
413 	/*
414 	 * In case a previous clean-up ran into an
415 	 * error and unregistered key type.
416 	 */
417 	register_key_type(&key_type_cert_store_key);
418 
419 	return cs_keyring;
420 }
421 
422 /*
423  * Allocate memory and create key description in format
424  * [key name in EBCDIC]:[VCE index]:[CS token].
425  * Return a pointer to key description or NULL if memory
426  * allocation failed. Memory should be freed by caller.
427  */
428 static char *get_key_description(struct vcssb *vcssb, const struct vce *vce)
429 {
430 	size_t len, name_len;
431 	u32 cs_token;
432 	char *desc;
433 
434 	cs_token = vcssb->cs_token;
435 	/* Description string contains "%64s:%04u:%08u\0". */
436 	name_len = sizeof(vce->vce_hdr.vc_name);
437 	len = name_len + 1 + 4 + 1 + 8 + 1;
438 	desc = kmalloc(len, GFP_KERNEL);
439 	if (!desc)
440 		return NULL;
441 
442 	memcpy(desc, vce->vce_hdr.vc_name, name_len);
443 	sprintf(desc + name_len, ":%04u:%08u", vce->vce_hdr.vc_index, cs_token);
444 
445 	return desc;
446 }
447 
448 /*
449  * Create a key of type "cert_store_key" using the data from VCE for key
450  * payload and key description. Link the key to "cert_store" keyring.
451  */
452 static int create_key_from_vce(struct vcssb *vcssb, struct vce *vce,
453 			       struct key *keyring)
454 {
455 	key_ref_t newkey;
456 	char *desc;
457 	int rc;
458 
459 	desc = get_key_description(vcssb, vce);
460 	if (!desc)
461 		return -ENOMEM;
462 
463 	newkey = key_create_or_update(
464 		make_key_ref(keyring, true), CERT_STORE_KEY_TYPE_NAME,
465 		desc, (u8 *)vce + vce->vce_hdr.vc_offset,
466 		vce->vce_hdr.vc_length,
467 		(KEY_POS_ALL & ~KEY_POS_SETATTR)  | KEY_USR_VIEW | KEY_USR_READ,
468 		KEY_ALLOC_NOT_IN_QUOTA);
469 
470 	rc = PTR_ERR_OR_ZERO(newkey);
471 	if (rc) {
472 		pr_dbf_msg("Couldn't create a key from Certificate Entry (%d)", rc);
473 		rc = -ENOKEY;
474 		goto out;
475 	}
476 
477 	key_ref_put(newkey);
478 out:
479 	kfree(desc);
480 	return rc;
481 }
482 
483 /* Get Verification Certificate Storage Size block with DIAG320 subcode2. */
484 static int get_vcssb(struct vcssb *vcssb)
485 {
486 	int diag320_rc;
487 
488 	memset(vcssb, 0, sizeof(*vcssb));
489 	vcssb->vcssb_length = VCSSB_LEN_BYTES;
490 	diag320_rc = diag320(DIAG320_STORAGE, vcssb);
491 	pr_dbf_vcssb(vcssb);
492 
493 	if (diag320_rc != DIAG320_RC_OK) {
494 		pr_dbf_msg("Diag 320 Subcode 1 returned bad RC: %04x", diag320_rc);
495 		return -EIO;
496 	}
497 	if (vcssb->vcssb_length == VCSSB_LEN_NO_CERTS) {
498 		pr_dbf_msg("No certificates available for current configuration");
499 		return -ENOKEY;
500 	}
501 
502 	return 0;
503 }
504 
505 static u32 get_4k_mult_vcb_size(struct vcssb *vcssb)
506 {
507 	return round_up(vcssb->max_single_vcb_length, PAGE_SIZE);
508 }
509 
510 /* Fill input fields of single-entry VCB that will be read by LPAR. */
511 static void fill_vcb_input(struct vcssb *vcssb, struct vcb *vcb, u16 index)
512 {
513 	memset(vcb, 0, sizeof(*vcb));
514 	vcb->vcb_hdr.vcb_input_length = get_4k_mult_vcb_size(vcssb);
515 	vcb->vcb_hdr.cs_token = vcssb->cs_token;
516 
517 	/* Request single entry. */
518 	vcb->vcb_hdr.first_vc_index = index;
519 	vcb->vcb_hdr.last_vc_index = index;
520 }
521 
522 static void extract_vce_from_sevcb(struct vcb *vcb, struct vce *vce)
523 {
524 	struct vce *extracted_vce;
525 
526 	extracted_vce = (struct vce *)vcb->vcb_buf;
527 	memcpy(vce, vcb->vcb_buf, extracted_vce->vce_hdr.vce_length);
528 	pr_dbf_vce(vce);
529 }
530 
531 static int get_sevcb(struct vcssb *vcssb, u16 index, struct vcb *vcb)
532 {
533 	int rc, diag320_rc;
534 
535 	fill_vcb_input(vcssb, vcb, index);
536 
537 	diag320_rc = diag320(DIAG320_CERT_BLOCK, vcb);
538 	pr_dbf_msg("Diag 320 Subcode2 RC %2x", diag320_rc);
539 	pr_dbf_vcb(vcb);
540 
541 	switch (diag320_rc) {
542 	case DIAG320_RC_OK:
543 		rc = 0;
544 		if (vcb->vcb_hdr.vcb_output_length == VCB_LEN_NO_CERTS) {
545 			pr_dbf_msg("No certificate entry for index %u", index);
546 			rc = -ENOKEY;
547 		} else if (vcb->vcb_hdr.remaining_vc_count != 0) {
548 			/* Retry on insufficient space. */
549 			pr_dbf_msg("Couldn't get all requested certificates");
550 			rc = -EAGAIN;
551 		}
552 		break;
553 	case DIAG320_RC_CS_NOMATCH:
554 		pr_dbf_msg("Certificate Store token mismatch");
555 		rc = -EAGAIN;
556 		break;
557 	default:
558 		pr_dbf_msg("Diag 320 Subcode2 returned bad rc (0x%4x)", diag320_rc);
559 		rc = -EINVAL;
560 		break;
561 	}
562 
563 	return rc;
564 }
565 
566 /*
567  * Allocate memory for single-entry VCB, get VCB via DIAG320 subcode 2 call,
568  * extract VCE and create a key from its' certificate.
569  */
570 static int create_key_from_sevcb(struct vcssb *vcssb, u16 index,
571 				 struct key *keyring)
572 {
573 	struct vcb *vcb;
574 	struct vce *vce;
575 	int rc;
576 
577 	rc = -ENOMEM;
578 	vcb = vmalloc(get_4k_mult_vcb_size(vcssb));
579 	vce = vmalloc(vcssb->max_single_vcb_length - sizeof(vcb->vcb_hdr));
580 	if (!vcb || !vce)
581 		goto out;
582 
583 	rc = get_sevcb(vcssb, index, vcb);
584 	if (rc)
585 		goto out;
586 
587 	extract_vce_from_sevcb(vcb, vce);
588 	rc = check_certificate_valid(vce);
589 	if (rc)
590 		goto out;
591 
592 	rc = create_key_from_vce(vcssb, vce, keyring);
593 	if (rc)
594 		goto out;
595 
596 	pr_dbf_msg("Successfully created key from Certificate Entry %d", index);
597 out:
598 	vfree(vce);
599 	vfree(vcb);
600 	return rc;
601 }
602 
603 /*
604  * Request a single-entry VCB for each VCE available for the partition.
605  * Create a key from it and link it to cert_store keyring. If no keys
606  * could be created (i.e. VCEs were invalid) return -ENOKEY.
607  */
608 static int add_certificates_to_keyring(struct vcssb *vcssb, struct key *keyring)
609 {
610 	int rc, index, count, added;
611 
612 	count = 0;
613 	added = 0;
614 	/* Certificate Store entries indices start with 1 and have no gaps. */
615 	for (index = 1; index < vcssb->total_vc_index_count + 1; index++) {
616 		pr_dbf_msg("Creating key from VCE %u", index);
617 		rc = create_key_from_sevcb(vcssb, index, keyring);
618 		count++;
619 
620 		if (rc == -EAGAIN)
621 			return rc;
622 
623 		if (rc)
624 			pr_dbf_msg("Creating key from VCE %u failed (%d)", index, rc);
625 		else
626 			added++;
627 	}
628 
629 	if (added == 0) {
630 		pr_dbf_msg("Processed %d entries. No keys created", count);
631 		return -ENOKEY;
632 	}
633 
634 	pr_info("Added %d of %d keys to cert_store keyring", added, count);
635 
636 	/*
637 	 * Do not allow to link more keys to certificate store keyring after all
638 	 * the VCEs were processed.
639 	 */
640 	rc = keyring_restrict(make_key_ref(keyring, true), NULL, NULL);
641 	if (rc)
642 		pr_dbf_msg("Failed to set restriction to cert_store keyring (%d)", rc);
643 
644 	return 0;
645 }
646 
647 /*
648  * Check which DIAG320 subcodes are installed.
649  * Return -ENOENT if subcodes 1 or 2 are not available.
650  */
651 static int query_diag320_subcodes(void)
652 {
653 	unsigned long ism[ISM_LEN_DWORDS];
654 	int rc;
655 
656 	rc = diag320(0, ism);
657 	if (rc != DIAG320_RC_OK) {
658 		pr_dbf_msg("DIAG320 subcode query returned %04x", rc);
659 		return -ENOENT;
660 	}
661 
662 	debug_text_event(cert_store_hexdump, 3, "DIAG320 Subcode 0");
663 	debug_event(cert_store_hexdump, 3, ism, sizeof(ism));
664 
665 	if (!test_bit_inv(1, ism) || !test_bit_inv(2, ism)) {
666 		pr_dbf_msg("Not all required DIAG320 subcodes are installed");
667 		return -ENOENT;
668 	}
669 
670 	return 0;
671 }
672 
673 /*
674  * Check if Certificate Store is supported by the firmware and DIAG320 subcodes
675  * 1 and 2 are installed. Create cert_store keyring and link all certificates
676  * available for the current partition to it as "cert_store_key" type
677  * keys. On refresh or error invalidate cert_store keyring and destroy
678  * all keys of "cert_store_key" type.
679  */
680 static int fill_cs_keyring(void)
681 {
682 	struct key *cs_keyring;
683 	struct vcssb *vcssb;
684 	int rc;
685 
686 	rc = -ENOMEM;
687 	vcssb = kmalloc(VCSSB_LEN_BYTES, GFP_KERNEL);
688 	if (!vcssb)
689 		goto cleanup_keys;
690 
691 	rc = -ENOENT;
692 	if (!sclp.has_diag320) {
693 		pr_dbf_msg("Certificate Store is not supported");
694 		goto cleanup_keys;
695 	}
696 
697 	rc = query_diag320_subcodes();
698 	if (rc)
699 		goto cleanup_keys;
700 
701 	rc = get_vcssb(vcssb);
702 	if (rc)
703 		goto cleanup_keys;
704 
705 	rc = -ENOMEM;
706 	cs_keyring = create_cs_keyring();
707 	if (!cs_keyring)
708 		goto cleanup_keys;
709 
710 	rc = add_certificates_to_keyring(vcssb, cs_keyring);
711 	if (rc)
712 		goto cleanup_cs_keyring;
713 
714 	goto out;
715 
716 cleanup_cs_keyring:
717 	key_put(cs_keyring);
718 cleanup_keys:
719 	cleanup_cs_keys();
720 out:
721 	kfree(vcssb);
722 	return rc;
723 }
724 
725 static DEFINE_MUTEX(cs_refresh_lock);
726 static int cs_status_val = -1;
727 
728 static ssize_t cs_status_show(struct kobject *kobj,
729 			      struct kobj_attribute *attr, char *buf)
730 {
731 	if (cs_status_val == -1)
732 		return sysfs_emit(buf, "uninitialized\n");
733 	else if (cs_status_val == 0)
734 		return sysfs_emit(buf, "ok\n");
735 
736 	return sysfs_emit(buf, "failed (%d)\n", cs_status_val);
737 }
738 
739 static struct kobj_attribute cs_status_attr = __ATTR_RO(cs_status);
740 
741 static ssize_t refresh_store(struct kobject *kobj, struct kobj_attribute *attr,
742 			     const char *buf, size_t count)
743 {
744 	int rc, retries;
745 
746 	pr_dbf_msg("Refresh certificate store information requested");
747 	rc = mutex_lock_interruptible(&cs_refresh_lock);
748 	if (rc)
749 		return rc;
750 
751 	for (retries = 0; retries < DIAG_MAX_RETRIES; retries++) {
752 		/* Request certificates from certificate store. */
753 		rc = fill_cs_keyring();
754 		if (rc)
755 			pr_dbf_msg("Failed to refresh certificate store information (%d)", rc);
756 		if (rc != -EAGAIN)
757 			break;
758 	}
759 	cs_status_val = rc;
760 	mutex_unlock(&cs_refresh_lock);
761 
762 	return rc ?: count;
763 }
764 
765 static struct kobj_attribute refresh_attr = __ATTR_WO(refresh);
766 
767 static const struct attribute *cert_store_attrs[] __initconst = {
768 	&cs_status_attr.attr,
769 	&refresh_attr.attr,
770 	NULL,
771 };
772 
773 static struct kobject *cert_store_kobj;
774 
775 static int __init cert_store_init(void)
776 {
777 	int rc = -ENOMEM;
778 
779 	cert_store_dbf = debug_register("cert_store_msg", 10, 1, 64);
780 	if (!cert_store_dbf)
781 		goto cleanup_dbf;
782 
783 	cert_store_hexdump = debug_register("cert_store_hexdump", 3, 1, 128);
784 	if (!cert_store_hexdump)
785 		goto cleanup_dbf;
786 
787 	debug_register_view(cert_store_hexdump, &debug_hex_ascii_view);
788 	debug_register_view(cert_store_dbf, &debug_sprintf_view);
789 
790 	/* Create directory /sys/firmware/cert_store. */
791 	cert_store_kobj = kobject_create_and_add("cert_store", firmware_kobj);
792 	if (!cert_store_kobj)
793 		goto cleanup_dbf;
794 
795 	rc = sysfs_create_files(cert_store_kobj, cert_store_attrs);
796 	if (rc)
797 		goto cleanup_kobj;
798 
799 	register_key_type(&key_type_cert_store_key);
800 
801 	return rc;
802 
803 cleanup_kobj:
804 	kobject_put(cert_store_kobj);
805 cleanup_dbf:
806 	debug_unregister(cert_store_dbf);
807 	debug_unregister(cert_store_hexdump);
808 
809 	return rc;
810 }
811 device_initcall(cert_store_init);
812