xref: /linux/drivers/s390/crypto/zcrypt_ep11misc.h (revision a4eb44a6435d6d8f9e642407a4a06f65eb90ca04)
1 /* SPDX-License-Identifier: GPL-2.0+ */
2 /*
3  *  Copyright IBM Corp. 2019
4  *  Author(s): Harald Freudenberger <freude@linux.ibm.com>
5  *
6  *  Collection of EP11 misc functions used by zcrypt and pkey
7  */
8 
9 #ifndef _ZCRYPT_EP11MISC_H_
10 #define _ZCRYPT_EP11MISC_H_
11 
12 #include <asm/zcrypt.h>
13 #include <asm/pkey.h>
14 
15 #define EP11_API_V 4  /* highest known and supported EP11 API version */
16 #define EP11_STRUCT_MAGIC 0x1234
17 #define EP11_BLOB_PKEY_EXTRACTABLE 0x00200000
18 
19 /*
20  * Internal used values for the version field of the key header.
21  * Should match to the enum pkey_key_type in pkey.h.
22  */
23 #define TOKVER_EP11_AES  0x03  /* EP11 AES key blob (old style) */
24 #define TOKVER_EP11_AES_WITH_HEADER 0x06 /* EP11 AES key blob with header */
25 #define TOKVER_EP11_ECC_WITH_HEADER 0x07 /* EP11 ECC key blob with header */
26 
27 /* inside view of an EP11 secure key blob */
28 struct ep11keyblob {
29 	union {
30 		u8 session[32];
31 		/* only used for PKEY_TYPE_EP11: */
32 		struct {
33 			u8  type;      /* 0x00 (TOKTYPE_NON_CCA) */
34 			u8  res0;      /* unused */
35 			u16 len;       /* total length in bytes of this blob */
36 			u8  version;   /* 0x03 (TOKVER_EP11_AES) */
37 			u8  res1;      /* unused */
38 			u16 keybitlen; /* clear key bit len, 0 for unknown */
39 		} head;
40 	};
41 	u8  wkvp[16];  /* wrapping key verification pattern */
42 	u64 attr;      /* boolean key attributes */
43 	u64 mode;      /* mode bits */
44 	u16 version;   /* 0x1234, EP11_STRUCT_MAGIC */
45 	u8  iv[14];
46 	u8  encrypted_key_data[144];
47 	u8  mac[32];
48 } __packed;
49 
50 /* check ep11 key magic to find out if this is an ep11 key blob */
51 static inline bool is_ep11_keyblob(const u8 *key)
52 {
53 	struct ep11keyblob *kb = (struct ep11keyblob *) key;
54 
55 	return (kb->version == EP11_STRUCT_MAGIC);
56 }
57 
58 /*
59  * Simple check if the key blob is a valid EP11 AES key blob with header.
60  * If checkcpacfexport is enabled, the key is also checked for the
61  * attributes needed to export this key for CPACF use.
62  * Returns 0 on success or errno value on failure.
63  */
64 int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl,
65 				const u8 *key, size_t keylen, int checkcpacfexp);
66 
67 /*
68  * Simple check if the key blob is a valid EP11 ECC key blob with header.
69  * If checkcpacfexport is enabled, the key is also checked for the
70  * attributes needed to export this key for CPACF use.
71  * Returns 0 on success or errno value on failure.
72  */
73 int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl,
74 				const u8 *key, size_t keylen, int checkcpacfexp);
75 
76 /*
77  * Simple check if the key blob is a valid EP11 AES key blob with
78  * the header in the session field (old style EP11 AES key).
79  * If checkcpacfexport is enabled, the key is also checked for the
80  * attributes needed to export this key for CPACF use.
81  * Returns 0 on success or errno value on failure.
82  */
83 int ep11_check_aes_key(debug_info_t *dbg, int dbflvl,
84 		       const u8 *key, size_t keylen, int checkcpacfexp);
85 
86 /* EP11 card info struct */
87 struct ep11_card_info {
88 	u32  API_ord_nr;    /* API ordinal number */
89 	u16  FW_version;    /* Firmware major and minor version */
90 	char serial[16];    /* serial number string (16 ascii, no 0x00 !) */
91 	u64  op_mode;	    /* card operational mode(s) */
92 };
93 
94 /* EP11 domain info struct */
95 struct ep11_domain_info {
96 	char cur_wk_state;  /* '0' invalid, '1' valid */
97 	char new_wk_state;  /* '0' empty, '1' uncommitted, '2' committed */
98 	u8   cur_wkvp[32];  /* current wrapping key verification pattern */
99 	u8   new_wkvp[32];  /* new wrapping key verification pattern */
100 	u64  op_mode;	    /* domain operational mode(s) */
101 };
102 
103 /*
104  * Provide information about an EP11 card.
105  */
106 int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify);
107 
108 /*
109  * Provide information about a domain within an EP11 card.
110  */
111 int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info);
112 
113 /*
114  * Generate (random) EP11 AES secure key.
115  */
116 int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
117 		   u8 *keybuf, size_t *keybufsize);
118 
119 /*
120  * Generate EP11 AES secure key with given clear key value.
121  */
122 int ep11_clr2keyblob(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
123 		     const u8 *clrkey, u8 *keybuf, size_t *keybufsize);
124 
125 /*
126  * Build a list of ep11 apqns meeting the following constrains:
127  * - apqn is online and is in fact an EP11 apqn
128  * - if cardnr is not FFFF only apqns with this cardnr
129  * - if domain is not FFFF only apqns with this domainnr
130  * - if minhwtype > 0 only apqns with hwtype >= minhwtype
131  * - if minapi > 0 only apqns with API_ord_nr >= minapi
132  * - if wkvp != NULL only apqns where the wkvp (EP11_WKVPLEN bytes) matches
133  *   to the first EP11_WKVPLEN bytes of the wkvp of the current wrapping
134  *   key for this domain. When a wkvp is given there will aways be a re-fetch
135  *   of the domain info for the potential apqn - so this triggers an request
136  *   reply to each apqn eligible.
137  * The array of apqn entries is allocated with kmalloc and returned in *apqns;
138  * the number of apqns stored into the list is returned in *nr_apqns. One apqn
139  * entry is simple a 32 bit value with 16 bit cardnr and 16 bit domain nr and
140  * may be casted to struct pkey_apqn. The return value is either 0 for success
141  * or a negative errno value. If no apqn meeting the criterias is found,
142  * -ENODEV is returned.
143  */
144 int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
145 		   int minhwtype, int minapi, const u8 *wkvp);
146 
147 /*
148  * Derive proteced key from EP11 key blob (AES and ECC keys).
149  */
150 int ep11_kblob2protkey(u16 card, u16 dom, const u8 *key, size_t keylen,
151 		       u8 *protkey, u32 *protkeylen, u32 *protkeytype);
152 
153 void zcrypt_ep11misc_exit(void);
154 
155 #endif /* _ZCRYPT_EP11MISC_H_ */
156