1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * pkey pckmo specific code 4 * 5 * Copyright IBM Corp. 2024 6 */ 7 8 #define KMSG_COMPONENT "pkey" 9 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 10 11 #include <linux/init.h> 12 #include <linux/module.h> 13 #include <linux/cpufeature.h> 14 #include <asm/cpacf.h> 15 #include <crypto/aes.h> 16 #include <linux/random.h> 17 18 #include "zcrypt_api.h" 19 #include "zcrypt_ccamisc.h" 20 #include "pkey_base.h" 21 22 MODULE_LICENSE("GPL"); 23 MODULE_AUTHOR("IBM Corporation"); 24 MODULE_DESCRIPTION("s390 protected key PCKMO handler"); 25 26 /* 27 * Check key blob for known and supported here. 28 */ 29 static bool is_pckmo_key(const u8 *key, u32 keylen) 30 { 31 struct keytoken_header *hdr = (struct keytoken_header *)key; 32 struct clearkeytoken *t = (struct clearkeytoken *)key; 33 34 if (keylen < sizeof(*hdr)) 35 return false; 36 37 switch (hdr->type) { 38 case TOKTYPE_NON_CCA: 39 switch (hdr->version) { 40 case TOKVER_CLEAR_KEY: 41 switch (t->keytype) { 42 case PKEY_KEYTYPE_AES_128: 43 case PKEY_KEYTYPE_AES_192: 44 case PKEY_KEYTYPE_AES_256: 45 case PKEY_KEYTYPE_ECC_P256: 46 case PKEY_KEYTYPE_ECC_P384: 47 case PKEY_KEYTYPE_ECC_P521: 48 case PKEY_KEYTYPE_ECC_ED25519: 49 case PKEY_KEYTYPE_ECC_ED448: 50 case PKEY_KEYTYPE_AES_XTS_128: 51 case PKEY_KEYTYPE_AES_XTS_256: 52 case PKEY_KEYTYPE_HMAC_512: 53 case PKEY_KEYTYPE_HMAC_1024: 54 return true; 55 default: 56 return false; 57 } 58 case TOKVER_PROTECTED_KEY: 59 return true; 60 default: 61 return false; 62 } 63 default: 64 return false; 65 } 66 } 67 68 static bool is_pckmo_keytype(enum pkey_key_type keytype) 69 { 70 switch (keytype) { 71 case PKEY_TYPE_PROTKEY: 72 return true; 73 default: 74 return false; 75 } 76 } 77 78 /* 79 * Create a protected key from a clear key value via PCKMO instruction. 80 */ 81 static int pckmo_clr2protkey(u32 keytype, const u8 *clrkey, u32 clrkeylen, 82 u8 *protkey, u32 *protkeylen, u32 *protkeytype) 83 { 84 /* mask of available pckmo subfunctions */ 85 static cpacf_mask_t pckmo_functions; 86 87 int keysize, rc = -EINVAL; 88 u8 paramblock[160]; 89 u32 pkeytype; 90 long fc; 91 92 switch (keytype) { 93 case PKEY_KEYTYPE_AES_128: 94 /* 16 byte key, 32 byte aes wkvp, total 48 bytes */ 95 keysize = 16; 96 pkeytype = keytype; 97 fc = CPACF_PCKMO_ENC_AES_128_KEY; 98 break; 99 case PKEY_KEYTYPE_AES_192: 100 /* 24 byte key, 32 byte aes wkvp, total 56 bytes */ 101 keysize = 24; 102 pkeytype = keytype; 103 fc = CPACF_PCKMO_ENC_AES_192_KEY; 104 break; 105 case PKEY_KEYTYPE_AES_256: 106 /* 32 byte key, 32 byte aes wkvp, total 64 bytes */ 107 keysize = 32; 108 pkeytype = keytype; 109 fc = CPACF_PCKMO_ENC_AES_256_KEY; 110 break; 111 case PKEY_KEYTYPE_ECC_P256: 112 /* 32 byte key, 32 byte aes wkvp, total 64 bytes */ 113 keysize = 32; 114 pkeytype = PKEY_KEYTYPE_ECC; 115 fc = CPACF_PCKMO_ENC_ECC_P256_KEY; 116 break; 117 case PKEY_KEYTYPE_ECC_P384: 118 /* 48 byte key, 32 byte aes wkvp, total 80 bytes */ 119 keysize = 48; 120 pkeytype = PKEY_KEYTYPE_ECC; 121 fc = CPACF_PCKMO_ENC_ECC_P384_KEY; 122 break; 123 case PKEY_KEYTYPE_ECC_P521: 124 /* 80 byte key, 32 byte aes wkvp, total 112 bytes */ 125 keysize = 80; 126 pkeytype = PKEY_KEYTYPE_ECC; 127 fc = CPACF_PCKMO_ENC_ECC_P521_KEY; 128 break; 129 case PKEY_KEYTYPE_ECC_ED25519: 130 /* 32 byte key, 32 byte aes wkvp, total 64 bytes */ 131 keysize = 32; 132 pkeytype = PKEY_KEYTYPE_ECC; 133 fc = CPACF_PCKMO_ENC_ECC_ED25519_KEY; 134 break; 135 case PKEY_KEYTYPE_ECC_ED448: 136 /* 64 byte key, 32 byte aes wkvp, total 96 bytes */ 137 keysize = 64; 138 pkeytype = PKEY_KEYTYPE_ECC; 139 fc = CPACF_PCKMO_ENC_ECC_ED448_KEY; 140 break; 141 case PKEY_KEYTYPE_AES_XTS_128: 142 /* 2x16 byte keys, 32 byte aes wkvp, total 64 bytes */ 143 keysize = 32; 144 pkeytype = PKEY_KEYTYPE_AES_XTS_128; 145 fc = CPACF_PCKMO_ENC_AES_XTS_128_DOUBLE_KEY; 146 break; 147 case PKEY_KEYTYPE_AES_XTS_256: 148 /* 2x32 byte keys, 32 byte aes wkvp, total 96 bytes */ 149 keysize = 64; 150 pkeytype = PKEY_KEYTYPE_AES_XTS_256; 151 fc = CPACF_PCKMO_ENC_AES_XTS_256_DOUBLE_KEY; 152 break; 153 case PKEY_KEYTYPE_HMAC_512: 154 /* 64 byte key, 32 byte aes wkvp, total 96 bytes */ 155 keysize = 64; 156 pkeytype = PKEY_KEYTYPE_HMAC_512; 157 fc = CPACF_PCKMO_ENC_HMAC_512_KEY; 158 break; 159 case PKEY_KEYTYPE_HMAC_1024: 160 /* 128 byte key, 32 byte aes wkvp, total 160 bytes */ 161 keysize = 128; 162 pkeytype = PKEY_KEYTYPE_HMAC_1024; 163 fc = CPACF_PCKMO_ENC_HMAC_1024_KEY; 164 break; 165 default: 166 PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n", 167 __func__, keytype); 168 goto out; 169 } 170 171 if (clrkeylen && clrkeylen < keysize) { 172 PKEY_DBF_ERR("%s clear key size too small: %u < %d\n", 173 __func__, clrkeylen, keysize); 174 goto out; 175 } 176 if (*protkeylen < keysize + AES_WK_VP_SIZE) { 177 PKEY_DBF_ERR("%s prot key buffer size too small: %u < %d\n", 178 __func__, *protkeylen, keysize + AES_WK_VP_SIZE); 179 goto out; 180 } 181 182 /* Did we already check for PCKMO ? */ 183 if (!pckmo_functions.bytes[0]) { 184 /* no, so check now */ 185 if (!cpacf_query(CPACF_PCKMO, &pckmo_functions)) { 186 PKEY_DBF_ERR("%s cpacf_query() failed\n", __func__); 187 rc = -ENODEV; 188 goto out; 189 } 190 } 191 /* check for the pckmo subfunction we need now */ 192 if (!cpacf_test_func(&pckmo_functions, fc)) { 193 PKEY_DBF_ERR("%s pckmo functions not available\n", __func__); 194 rc = -ENODEV; 195 goto out; 196 } 197 198 /* prepare param block */ 199 memset(paramblock, 0, sizeof(paramblock)); 200 memcpy(paramblock, clrkey, keysize); 201 202 /* call the pckmo instruction */ 203 cpacf_pckmo(fc, paramblock); 204 205 /* copy created protected key to key buffer including the wkvp block */ 206 *protkeylen = keysize + AES_WK_VP_SIZE; 207 memcpy(protkey, paramblock, *protkeylen); 208 *protkeytype = pkeytype; 209 210 rc = 0; 211 212 out: 213 pr_debug("rc=%d\n", rc); 214 return rc; 215 } 216 217 /* 218 * Verify a raw protected key blob. 219 * Currently only AES protected keys are supported. 220 */ 221 static int pckmo_verify_protkey(const u8 *protkey, u32 protkeylen, 222 u32 protkeytype) 223 { 224 struct { 225 u8 iv[AES_BLOCK_SIZE]; 226 u8 key[MAXPROTKEYSIZE]; 227 } param; 228 u8 null_msg[AES_BLOCK_SIZE]; 229 u8 dest_buf[AES_BLOCK_SIZE]; 230 unsigned int k, pkeylen; 231 unsigned long fc; 232 int rc = -EINVAL; 233 234 switch (protkeytype) { 235 case PKEY_KEYTYPE_AES_128: 236 pkeylen = 16 + AES_WK_VP_SIZE; 237 fc = CPACF_KMC_PAES_128; 238 break; 239 case PKEY_KEYTYPE_AES_192: 240 pkeylen = 24 + AES_WK_VP_SIZE; 241 fc = CPACF_KMC_PAES_192; 242 break; 243 case PKEY_KEYTYPE_AES_256: 244 pkeylen = 32 + AES_WK_VP_SIZE; 245 fc = CPACF_KMC_PAES_256; 246 break; 247 default: 248 PKEY_DBF_ERR("%s unknown/unsupported keytype %u\n", __func__, 249 protkeytype); 250 goto out; 251 } 252 if (protkeylen != pkeylen) { 253 PKEY_DBF_ERR("%s invalid protected key size %u for keytype %u\n", 254 __func__, protkeylen, protkeytype); 255 goto out; 256 } 257 258 memset(null_msg, 0, sizeof(null_msg)); 259 260 memset(param.iv, 0, sizeof(param.iv)); 261 memcpy(param.key, protkey, protkeylen); 262 263 k = cpacf_kmc(fc | CPACF_ENCRYPT, ¶m, null_msg, dest_buf, 264 sizeof(null_msg)); 265 if (k != sizeof(null_msg)) { 266 PKEY_DBF_ERR("%s protected key is not valid\n", __func__); 267 rc = -EKEYREJECTED; 268 goto out; 269 } 270 271 rc = 0; 272 273 out: 274 pr_debug("rc=%d\n", rc); 275 return rc; 276 } 277 278 static int pckmo_key2protkey(const u8 *key, u32 keylen, 279 u8 *protkey, u32 *protkeylen, u32 *protkeytype) 280 { 281 struct keytoken_header *hdr = (struct keytoken_header *)key; 282 int rc = -EINVAL; 283 284 if (keylen < sizeof(*hdr)) 285 return -EINVAL; 286 if (hdr->type != TOKTYPE_NON_CCA) 287 return -EINVAL; 288 289 switch (hdr->version) { 290 case TOKVER_PROTECTED_KEY: { 291 struct protkeytoken *t = (struct protkeytoken *)key; 292 293 if (keylen < sizeof(*t)) 294 goto out; 295 switch (t->keytype) { 296 case PKEY_KEYTYPE_AES_128: 297 case PKEY_KEYTYPE_AES_192: 298 case PKEY_KEYTYPE_AES_256: 299 if (keylen != sizeof(struct protaeskeytoken)) 300 goto out; 301 rc = pckmo_verify_protkey(t->protkey, t->len, 302 t->keytype); 303 if (rc) 304 goto out; 305 break; 306 case PKEY_KEYTYPE_AES_XTS_128: 307 if (t->len != 64 || keylen != sizeof(*t) + t->len) 308 goto out; 309 break; 310 case PKEY_KEYTYPE_AES_XTS_256: 311 case PKEY_KEYTYPE_HMAC_512: 312 if (t->len != 96 || keylen != sizeof(*t) + t->len) 313 goto out; 314 break; 315 case PKEY_KEYTYPE_HMAC_1024: 316 if (t->len != 160 || keylen != sizeof(*t) + t->len) 317 goto out; 318 break; 319 default: 320 PKEY_DBF_ERR("%s protected key token: unknown keytype %u\n", 321 __func__, t->keytype); 322 goto out; 323 } 324 memcpy(protkey, t->protkey, t->len); 325 *protkeylen = t->len; 326 *protkeytype = t->keytype; 327 break; 328 } 329 case TOKVER_CLEAR_KEY: { 330 struct clearkeytoken *t = (struct clearkeytoken *)key; 331 u32 keysize = 0; 332 333 if (keylen < sizeof(struct clearkeytoken) || 334 keylen != sizeof(*t) + t->len) 335 goto out; 336 switch (t->keytype) { 337 case PKEY_KEYTYPE_AES_128: 338 case PKEY_KEYTYPE_AES_192: 339 case PKEY_KEYTYPE_AES_256: 340 keysize = pkey_keytype_aes_to_size(t->keytype); 341 break; 342 case PKEY_KEYTYPE_ECC_P256: 343 keysize = 32; 344 break; 345 case PKEY_KEYTYPE_ECC_P384: 346 keysize = 48; 347 break; 348 case PKEY_KEYTYPE_ECC_P521: 349 keysize = 80; 350 break; 351 case PKEY_KEYTYPE_ECC_ED25519: 352 keysize = 32; 353 break; 354 case PKEY_KEYTYPE_ECC_ED448: 355 keysize = 64; 356 break; 357 case PKEY_KEYTYPE_AES_XTS_128: 358 keysize = 32; 359 break; 360 case PKEY_KEYTYPE_AES_XTS_256: 361 keysize = 64; 362 break; 363 case PKEY_KEYTYPE_HMAC_512: 364 keysize = 64; 365 break; 366 case PKEY_KEYTYPE_HMAC_1024: 367 keysize = 128; 368 break; 369 default: 370 break; 371 } 372 if (!keysize) { 373 PKEY_DBF_ERR("%s clear key token: unknown keytype %u\n", 374 __func__, t->keytype); 375 goto out; 376 } 377 if (t->len != keysize) { 378 PKEY_DBF_ERR("%s clear key token: invalid key len %u\n", 379 __func__, t->len); 380 goto out; 381 } 382 rc = pckmo_clr2protkey(t->keytype, t->clearkey, t->len, 383 protkey, protkeylen, protkeytype); 384 break; 385 } 386 default: 387 PKEY_DBF_ERR("%s unknown non-CCA token version %d\n", 388 __func__, hdr->version); 389 break; 390 } 391 392 out: 393 pr_debug("rc=%d\n", rc); 394 return rc; 395 } 396 397 /* 398 * Generate a random protected key. 399 * Currently only the generation of AES protected keys 400 * is supported. 401 */ 402 static int pckmo_gen_protkey(u32 keytype, u32 subtype, 403 u8 *protkey, u32 *protkeylen, u32 *protkeytype) 404 { 405 u8 clrkey[128]; 406 int keysize; 407 int rc; 408 409 switch (keytype) { 410 case PKEY_KEYTYPE_AES_128: 411 case PKEY_KEYTYPE_AES_192: 412 case PKEY_KEYTYPE_AES_256: 413 keysize = pkey_keytype_aes_to_size(keytype); 414 break; 415 case PKEY_KEYTYPE_AES_XTS_128: 416 keysize = 32; 417 break; 418 case PKEY_KEYTYPE_AES_XTS_256: 419 case PKEY_KEYTYPE_HMAC_512: 420 keysize = 64; 421 break; 422 case PKEY_KEYTYPE_HMAC_1024: 423 keysize = 128; 424 break; 425 default: 426 PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n", 427 __func__, keytype); 428 return -EINVAL; 429 } 430 if (subtype != PKEY_TYPE_PROTKEY) { 431 PKEY_DBF_ERR("%s unknown/unsupported subtype %d\n", 432 __func__, subtype); 433 return -EINVAL; 434 } 435 436 /* generate a dummy random clear key */ 437 get_random_bytes(clrkey, keysize); 438 439 /* convert it to a dummy protected key */ 440 rc = pckmo_clr2protkey(keytype, clrkey, keysize, 441 protkey, protkeylen, protkeytype); 442 if (rc) 443 goto out; 444 445 /* replace the key part of the protected key with random bytes */ 446 get_random_bytes(protkey, keysize); 447 448 out: 449 pr_debug("rc=%d\n", rc); 450 return rc; 451 } 452 453 /* 454 * Verify a protected key token blob. 455 * Currently only AES protected keys are supported. 456 */ 457 static int pckmo_verify_key(const u8 *key, u32 keylen) 458 { 459 struct keytoken_header *hdr = (struct keytoken_header *)key; 460 int rc = -EINVAL; 461 462 if (keylen < sizeof(*hdr)) 463 return -EINVAL; 464 if (hdr->type != TOKTYPE_NON_CCA) 465 return -EINVAL; 466 467 switch (hdr->version) { 468 case TOKVER_PROTECTED_KEY: { 469 struct protaeskeytoken *t; 470 471 if (keylen != sizeof(struct protaeskeytoken)) 472 goto out; 473 t = (struct protaeskeytoken *)key; 474 rc = pckmo_verify_protkey(t->protkey, t->len, t->keytype); 475 break; 476 } 477 default: 478 PKEY_DBF_ERR("%s unknown non-CCA token version %d\n", 479 __func__, hdr->version); 480 break; 481 } 482 483 out: 484 pr_debug("rc=%d\n", rc); 485 return rc; 486 } 487 488 /* 489 * Wrapper functions used for the pkey handler struct 490 */ 491 492 static int pkey_pckmo_key2protkey(const struct pkey_apqn *_apqns, 493 size_t _nr_apqns, 494 const u8 *key, u32 keylen, 495 u8 *protkey, u32 *protkeylen, u32 *keyinfo) 496 { 497 return pckmo_key2protkey(key, keylen, 498 protkey, protkeylen, keyinfo); 499 } 500 501 static int pkey_pckmo_gen_key(const struct pkey_apqn *_apqns, size_t _nr_apqns, 502 u32 keytype, u32 keysubtype, 503 u32 _keybitsize, u32 _flags, 504 u8 *keybuf, u32 *keybuflen, u32 *keyinfo) 505 { 506 return pckmo_gen_protkey(keytype, keysubtype, 507 keybuf, keybuflen, keyinfo); 508 } 509 510 static int pkey_pckmo_verifykey(const u8 *key, u32 keylen, 511 u16 *_card, u16 *_dom, 512 u32 *_keytype, u32 *_keybitsize, u32 *_flags) 513 { 514 return pckmo_verify_key(key, keylen); 515 } 516 517 static struct pkey_handler pckmo_handler = { 518 .module = THIS_MODULE, 519 .name = "PKEY PCKMO handler", 520 .is_supported_key = is_pckmo_key, 521 .is_supported_keytype = is_pckmo_keytype, 522 .key_to_protkey = pkey_pckmo_key2protkey, 523 .gen_key = pkey_pckmo_gen_key, 524 .verify_key = pkey_pckmo_verifykey, 525 }; 526 527 /* 528 * Module init 529 */ 530 static int __init pkey_pckmo_init(void) 531 { 532 cpacf_mask_t func_mask; 533 534 /* 535 * The pckmo instruction should be available - even if we don't 536 * actually invoke it. This instruction comes with MSA 3 which 537 * is also the minimum level for the kmc instructions which 538 * are able to work with protected keys. 539 */ 540 if (!cpacf_query(CPACF_PCKMO, &func_mask)) 541 return -ENODEV; 542 543 /* register this module as pkey handler for all the pckmo stuff */ 544 return pkey_handler_register(&pckmo_handler); 545 } 546 547 /* 548 * Module exit 549 */ 550 static void __exit pkey_pckmo_exit(void) 551 { 552 /* unregister this module as pkey handler */ 553 pkey_handler_unregister(&pckmo_handler); 554 } 555 556 module_cpu_feature_match(S390_CPU_FEATURE_MSA, pkey_pckmo_init); 557 module_exit(pkey_pckmo_exit); 558