xref: /linux/drivers/s390/crypto/pkey_pckmo.c (revision 364eeb79a213fcf9164208b53764223ad522d6b3)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  pkey pckmo specific code
4  *
5  *  Copyright IBM Corp. 2024
6  */
7 
8 #define KMSG_COMPONENT "pkey"
9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
10 
11 #include <linux/init.h>
12 #include <linux/module.h>
13 #include <linux/cpufeature.h>
14 #include <asm/cpacf.h>
15 #include <crypto/aes.h>
16 #include <linux/random.h>
17 
18 #include "zcrypt_ccamisc.h"
19 #include "pkey_base.h"
20 
21 MODULE_LICENSE("GPL");
22 MODULE_AUTHOR("IBM Corporation");
23 MODULE_DESCRIPTION("s390 protected key PCKMO handler");
24 
25 /*
26  * Check key blob for known and supported here.
27  */
28 static bool is_pckmo_key(const u8 *key, u32 keylen)
29 {
30 	struct keytoken_header *hdr = (struct keytoken_header *)key;
31 	struct clearkeytoken *t = (struct clearkeytoken *)key;
32 
33 	if (keylen < sizeof(*hdr))
34 		return false;
35 
36 	switch (hdr->type) {
37 	case TOKTYPE_NON_CCA:
38 		switch (hdr->version) {
39 		case TOKVER_CLEAR_KEY:
40 			if (pkey_keytype_to_size(t->keytype))
41 				return true;
42 			return false;
43 		case TOKVER_PROTECTED_KEY:
44 			return true;
45 		default:
46 			return false;
47 		}
48 	default:
49 		return false;
50 	}
51 }
52 
53 static bool is_pckmo_keytype(enum pkey_key_type keytype)
54 {
55 	switch (keytype) {
56 	case PKEY_TYPE_PROTKEY:
57 		return true;
58 	default:
59 		return false;
60 	}
61 }
62 
63 /*
64  * Create a protected key from a clear key value via PCKMO instruction.
65  */
66 static int pckmo_clr2protkey(u32 keytype, const u8 *clrkey, u32 clrkeylen,
67 			     u8 *protkey, u32 *protkeylen, u32 *protkeytype)
68 {
69 	/* mask of available pckmo subfunctions */
70 	static cpacf_mask_t pckmo_functions;
71 
72 	int keysize, rc = -EINVAL;
73 	u8 paramblock[160];
74 	u32 pkeytype = 0;
75 	unsigned int fc;
76 
77 	switch (keytype) {
78 	case PKEY_KEYTYPE_AES_128:
79 		fc = CPACF_PCKMO_ENC_AES_128_KEY;
80 		break;
81 	case PKEY_KEYTYPE_AES_192:
82 		fc = CPACF_PCKMO_ENC_AES_192_KEY;
83 		break;
84 	case PKEY_KEYTYPE_AES_256:
85 		fc = CPACF_PCKMO_ENC_AES_256_KEY;
86 		break;
87 	case PKEY_KEYTYPE_ECC_P256:
88 		pkeytype = PKEY_KEYTYPE_ECC;
89 		fc = CPACF_PCKMO_ENC_ECC_P256_KEY;
90 		break;
91 	case PKEY_KEYTYPE_ECC_P384:
92 		pkeytype = PKEY_KEYTYPE_ECC;
93 		fc = CPACF_PCKMO_ENC_ECC_P384_KEY;
94 		break;
95 	case PKEY_KEYTYPE_ECC_P521:
96 		pkeytype = PKEY_KEYTYPE_ECC;
97 		fc = CPACF_PCKMO_ENC_ECC_P521_KEY;
98 		break;
99 	case PKEY_KEYTYPE_ECC_ED25519:
100 		pkeytype = PKEY_KEYTYPE_ECC;
101 		fc = CPACF_PCKMO_ENC_ECC_ED25519_KEY;
102 		break;
103 	case PKEY_KEYTYPE_ECC_ED448:
104 		pkeytype = PKEY_KEYTYPE_ECC;
105 		fc = CPACF_PCKMO_ENC_ECC_ED448_KEY;
106 		break;
107 	case PKEY_KEYTYPE_AES_XTS_128:
108 		fc = CPACF_PCKMO_ENC_AES_XTS_128_DOUBLE_KEY;
109 		break;
110 	case PKEY_KEYTYPE_AES_XTS_256:
111 		fc = CPACF_PCKMO_ENC_AES_XTS_256_DOUBLE_KEY;
112 		break;
113 	case PKEY_KEYTYPE_HMAC_512:
114 		fc = CPACF_PCKMO_ENC_HMAC_512_KEY;
115 		break;
116 	case PKEY_KEYTYPE_HMAC_1024:
117 		fc = CPACF_PCKMO_ENC_HMAC_1024_KEY;
118 		break;
119 	default:
120 		PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n",
121 			     __func__, keytype);
122 		goto out;
123 	}
124 
125 	keysize = pkey_keytype_to_size(keytype);
126 	pkeytype = pkeytype ?: keytype;
127 
128 	if (clrkeylen && clrkeylen < keysize) {
129 		PKEY_DBF_ERR("%s clear key size too small: %u < %d\n",
130 			     __func__, clrkeylen, keysize);
131 		goto out;
132 	}
133 	if (*protkeylen < keysize + AES_WK_VP_SIZE) {
134 		PKEY_DBF_ERR("%s prot key buffer size too small: %u < %d\n",
135 			     __func__, *protkeylen, keysize + AES_WK_VP_SIZE);
136 		goto out;
137 	}
138 
139 	/* Did we already check for PCKMO ? */
140 	if (!pckmo_functions.bytes[0]) {
141 		/* no, so check now */
142 		if (!cpacf_query(CPACF_PCKMO, &pckmo_functions)) {
143 			PKEY_DBF_ERR("%s cpacf_query() failed\n", __func__);
144 			rc = -ENODEV;
145 			goto out;
146 		}
147 	}
148 	/* check for the pckmo subfunction we need now */
149 	if (!cpacf_test_func(&pckmo_functions, fc)) {
150 		PKEY_DBF_ERR("%s pckmo fc 0x%02x not available\n",
151 			     __func__, fc);
152 		rc = -ENODEV;
153 		goto out;
154 	}
155 
156 	/* prepare param block */
157 	memset(paramblock, 0, sizeof(paramblock));
158 	memcpy(paramblock, clrkey, keysize);
159 
160 	/* call the pckmo instruction */
161 	cpacf_pckmo(fc, paramblock);
162 
163 	/* copy created protected key to key buffer including the wkvp block */
164 	*protkeylen = keysize + AES_WK_VP_SIZE;
165 	memcpy(protkey, paramblock, *protkeylen);
166 	*protkeytype = pkeytype;
167 
168 	rc = 0;
169 
170 out:
171 	pr_debug("rc=%d\n", rc);
172 	return rc;
173 }
174 
175 /*
176  * Verify a raw protected key blob.
177  */
178 static int pckmo_verify_protkey(const u8 *protkey, u32 protkeylen,
179 				u32 protkeytype)
180 {
181 	u8 clrkey[16] = { 0 }, tmpkeybuf[16 + AES_WK_VP_SIZE];
182 	u32 tmpkeybuflen, tmpkeytype;
183 	int keysize, rc = -EINVAL;
184 	u8 *wkvp;
185 
186 	/* check protkey type and size */
187 	keysize = pkey_keytype_to_size(protkeytype);
188 	if (!keysize) {
189 		PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n", __func__,
190 			     protkeytype);
191 		goto out;
192 	}
193 	if (protkeylen < keysize + AES_WK_VP_SIZE)
194 		goto out;
195 
196 	/* generate a dummy AES 128 protected key */
197 	tmpkeybuflen = sizeof(tmpkeybuf);
198 	rc = pckmo_clr2protkey(PKEY_KEYTYPE_AES_128,
199 			       clrkey, sizeof(clrkey),
200 			       tmpkeybuf, &tmpkeybuflen, &tmpkeytype);
201 	if (rc)
202 		goto out;
203 	memzero_explicit(tmpkeybuf, 16);
204 	wkvp = tmpkeybuf + 16;
205 
206 	/* compare WK VP from the temp key with that of the given prot key */
207 	if (memcmp(wkvp, protkey + keysize, AES_WK_VP_SIZE)) {
208 		PKEY_DBF_ERR("%s protected key WK VP mismatch\n", __func__);
209 		rc = -EKEYREJECTED;
210 		goto out;
211 	}
212 
213 out:
214 	pr_debug("rc=%d\n", rc);
215 	return rc;
216 }
217 
218 static int pckmo_key2protkey(const u8 *key, u32 keylen,
219 			     u8 *protkey, u32 *protkeylen, u32 *protkeytype)
220 {
221 	struct keytoken_header *hdr = (struct keytoken_header *)key;
222 	int rc = -EINVAL;
223 
224 	if (keylen < sizeof(*hdr))
225 		return -EINVAL;
226 	if (hdr->type != TOKTYPE_NON_CCA)
227 		return -EINVAL;
228 
229 	switch (hdr->version) {
230 	case TOKVER_PROTECTED_KEY: {
231 		struct protkeytoken *t = (struct protkeytoken *)key;
232 		u32 keysize;
233 
234 		if (keylen < sizeof(*t))
235 			goto out;
236 		keysize = pkey_keytype_to_size(t->keytype);
237 		if (!keysize) {
238 			PKEY_DBF_ERR("%s protected key token: unknown keytype %u\n",
239 				     __func__, t->keytype);
240 			goto out;
241 		}
242 		switch (t->keytype) {
243 		case PKEY_KEYTYPE_AES_128:
244 		case PKEY_KEYTYPE_AES_192:
245 		case PKEY_KEYTYPE_AES_256:
246 			if (t->len != keysize + AES_WK_VP_SIZE ||
247 			    keylen < sizeof(struct protaeskeytoken))
248 				goto out;
249 			rc = pckmo_verify_protkey(t->protkey, t->len,
250 						  t->keytype);
251 			if (rc)
252 				goto out;
253 			break;
254 		default:
255 			if (t->len != keysize + AES_WK_VP_SIZE ||
256 			    keylen < sizeof(*t) + keysize + AES_WK_VP_SIZE)
257 				goto out;
258 			break;
259 		}
260 		memcpy(protkey, t->protkey, t->len);
261 		*protkeylen = t->len;
262 		*protkeytype = t->keytype;
263 		rc = 0;
264 		break;
265 	}
266 	case TOKVER_CLEAR_KEY: {
267 		struct clearkeytoken *t = (struct clearkeytoken *)key;
268 		u32 keysize;
269 
270 		if (keylen < sizeof(*t) ||
271 		    keylen < sizeof(*t) + t->len)
272 			goto out;
273 		keysize = pkey_keytype_to_size(t->keytype);
274 		if (!keysize) {
275 			PKEY_DBF_ERR("%s clear key token: unknown keytype %u\n",
276 				     __func__, t->keytype);
277 			goto out;
278 		}
279 		if (t->len != keysize) {
280 			PKEY_DBF_ERR("%s clear key token: invalid key len %u\n",
281 				     __func__, t->len);
282 			goto out;
283 		}
284 		rc = pckmo_clr2protkey(t->keytype, t->clearkey, t->len,
285 				       protkey, protkeylen, protkeytype);
286 		break;
287 	}
288 	default:
289 		PKEY_DBF_ERR("%s unknown non-CCA token version %d\n",
290 			     __func__, hdr->version);
291 		break;
292 	}
293 
294 out:
295 	pr_debug("rc=%d\n", rc);
296 	return rc;
297 }
298 
299 /*
300  * Generate a random protected key.
301  */
302 static int pckmo_gen_protkey(u32 keytype, u32 subtype,
303 			     u8 *protkey, u32 *protkeylen, u32 *protkeytype)
304 {
305 	u8 clrkey[128];
306 	int keysize;
307 	int rc;
308 
309 	keysize = pkey_keytype_to_size(keytype);
310 	if (!keysize) {
311 		PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n",
312 			     __func__, keytype);
313 		return -EINVAL;
314 	}
315 	if (subtype != PKEY_TYPE_PROTKEY) {
316 		PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n",
317 			     __func__, subtype);
318 		return -EINVAL;
319 	}
320 
321 	switch (keytype) {
322 	case PKEY_KEYTYPE_AES_128:
323 	case PKEY_KEYTYPE_AES_192:
324 	case PKEY_KEYTYPE_AES_256:
325 	case PKEY_KEYTYPE_AES_XTS_128:
326 	case PKEY_KEYTYPE_AES_XTS_256:
327 	case PKEY_KEYTYPE_HMAC_512:
328 	case PKEY_KEYTYPE_HMAC_1024:
329 		break;
330 	default:
331 		PKEY_DBF_ERR("%s unsupported keytype %d\n",
332 			     __func__, keytype);
333 		return -EINVAL;
334 	}
335 
336 	/* generate a dummy random clear key */
337 	get_random_bytes(clrkey, keysize);
338 
339 	/* convert it to a dummy protected key */
340 	rc = pckmo_clr2protkey(keytype, clrkey, keysize,
341 			       protkey, protkeylen, protkeytype);
342 	if (rc)
343 		goto out;
344 
345 	/* replace the key part of the protected key with random bytes */
346 	get_random_bytes(protkey, keysize);
347 
348 out:
349 	pr_debug("rc=%d\n", rc);
350 	return rc;
351 }
352 
353 /*
354  * Verify a protected key token blob.
355  */
356 static int pckmo_verify_key(const u8 *key, u32 keylen)
357 {
358 	struct keytoken_header *hdr = (struct keytoken_header *)key;
359 	int rc = -EINVAL;
360 
361 	if (keylen < sizeof(*hdr))
362 		return -EINVAL;
363 	if (hdr->type != TOKTYPE_NON_CCA)
364 		return -EINVAL;
365 
366 	switch (hdr->version) {
367 	case TOKVER_PROTECTED_KEY: {
368 		struct protkeytoken *t = (struct protkeytoken *)key;
369 		u32 keysize;
370 
371 		if (keylen < sizeof(*t))
372 			goto out;
373 		keysize = pkey_keytype_to_size(t->keytype);
374 		if (!keysize || t->len != keysize + AES_WK_VP_SIZE)
375 			goto out;
376 		switch (t->keytype) {
377 		case PKEY_KEYTYPE_AES_128:
378 		case PKEY_KEYTYPE_AES_192:
379 		case PKEY_KEYTYPE_AES_256:
380 			if (keylen < sizeof(struct protaeskeytoken))
381 				goto out;
382 			break;
383 		default:
384 			if (keylen < sizeof(*t) + keysize + AES_WK_VP_SIZE)
385 				goto out;
386 			break;
387 		}
388 		rc = pckmo_verify_protkey(t->protkey, t->len, t->keytype);
389 		break;
390 	}
391 	default:
392 		PKEY_DBF_ERR("%s unknown non-CCA token version %d\n",
393 			     __func__, hdr->version);
394 		break;
395 	}
396 
397 out:
398 	pr_debug("rc=%d\n", rc);
399 	return rc;
400 }
401 
402 /*
403  * Wrapper functions used for the pkey handler struct
404  */
405 
406 static int pkey_pckmo_key2protkey(const struct pkey_apqn *_apqns,
407 				  size_t _nr_apqns,
408 				  const u8 *key, u32 keylen,
409 				  u8 *protkey, u32 *protkeylen, u32 *keyinfo)
410 {
411 	return pckmo_key2protkey(key, keylen,
412 				 protkey, protkeylen, keyinfo);
413 }
414 
415 static int pkey_pckmo_gen_key(const struct pkey_apqn *_apqns, size_t _nr_apqns,
416 			      u32 keytype, u32 keysubtype,
417 			      u32 _keybitsize, u32 _flags,
418 			      u8 *keybuf, u32 *keybuflen, u32 *keyinfo)
419 {
420 	return pckmo_gen_protkey(keytype, keysubtype,
421 				 keybuf, keybuflen, keyinfo);
422 }
423 
424 static int pkey_pckmo_verifykey(const u8 *key, u32 keylen,
425 				u16 *_card, u16 *_dom,
426 				u32 *_keytype, u32 *_keybitsize, u32 *_flags)
427 {
428 	return pckmo_verify_key(key, keylen);
429 }
430 
431 static struct pkey_handler pckmo_handler = {
432 	.module		      = THIS_MODULE,
433 	.name		      = "PKEY PCKMO handler",
434 	.is_supported_key     = is_pckmo_key,
435 	.is_supported_keytype = is_pckmo_keytype,
436 	.key_to_protkey	      = pkey_pckmo_key2protkey,
437 	.gen_key	      = pkey_pckmo_gen_key,
438 	.verify_key	      = pkey_pckmo_verifykey,
439 };
440 
441 /*
442  * Module init
443  */
444 static int __init pkey_pckmo_init(void)
445 {
446 	cpacf_mask_t func_mask;
447 
448 	/*
449 	 * The pckmo instruction should be available - even if we don't
450 	 * actually invoke it. This instruction comes with MSA 3 which
451 	 * is also the minimum level for the kmc instructions which
452 	 * are able to work with protected keys.
453 	 */
454 	if (!cpacf_query(CPACF_PCKMO, &func_mask))
455 		return -ENODEV;
456 
457 	/* register this module as pkey handler for all the pckmo stuff */
458 	return pkey_handler_register(&pckmo_handler);
459 }
460 
461 /*
462  * Module exit
463  */
464 static void __exit pkey_pckmo_exit(void)
465 {
466 	/* unregister this module as pkey handler */
467 	pkey_handler_unregister(&pckmo_handler);
468 }
469 
470 module_cpu_feature_match(S390_CPU_FEATURE_MSA, pkey_pckmo_init);
471 module_exit(pkey_pckmo_exit);
472