zcrypt_ep11misc.h 5.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158
  1. /* SPDX-License-Identifier: GPL-2.0+ */
  2. /*
  3. * Copyright IBM Corp. 2019
  4. * Author(s): Harald Freudenberger <freude@linux.ibm.com>
  5. *
  6. * Collection of EP11 misc functions used by zcrypt and pkey
  7. */
  8. #ifndef _ZCRYPT_EP11MISC_H_
  9. #define _ZCRYPT_EP11MISC_H_
  10. #include <asm/zcrypt.h>
  11. #include <asm/pkey.h>
  12. #define EP11_API_V1 1 /* min EP11 API, default if no higher api required */
  13. #define EP11_API_V4 4 /* supported EP11 API for the ep11misc cprbs */
  14. #define EP11_API_V6 6 /* min EP11 API for some cprbs in SE environment */
  15. #define EP11_STRUCT_MAGIC 0x1234
  16. #define EP11_BLOB_PKEY_EXTRACTABLE 0x00200000
  17. /*
  18. * Internal used values for the version field of the key header.
  19. * Should match to the enum pkey_key_type in pkey.h.
  20. */
  21. #define TOKVER_EP11_AES 0x03 /* EP11 AES key blob (old style) */
  22. #define TOKVER_EP11_AES_WITH_HEADER 0x06 /* EP11 AES key blob with header */
  23. #define TOKVER_EP11_ECC_WITH_HEADER 0x07 /* EP11 ECC key blob with header */
  24. /* inside view of an EP11 secure key blob */
  25. struct ep11keyblob {
  26. union {
  27. u8 session[32];
  28. /* only used for PKEY_TYPE_EP11: */
  29. struct ep11kblob_header head;
  30. };
  31. u8 wkvp[16]; /* wrapping key verification pattern */
  32. u64 attr; /* boolean key attributes */
  33. u64 mode; /* mode bits */
  34. u16 version; /* 0x1234, EP11_STRUCT_MAGIC */
  35. u8 iv[14];
  36. u8 encrypted_key_data[144];
  37. u8 mac[32];
  38. } __packed;
  39. /* check ep11 key magic to find out if this is an ep11 key blob */
  40. static inline bool is_ep11_keyblob(const u8 *key)
  41. {
  42. struct ep11keyblob *kb = (struct ep11keyblob *)key;
  43. return (kb->version == EP11_STRUCT_MAGIC);
  44. }
  45. /*
  46. * For valid ep11 keyblobs, returns a reference to the wrappingkey verification
  47. * pattern. Otherwise NULL.
  48. */
  49. const u8 *ep11_kb_wkvp(const u8 *kblob, u32 kbloblen);
  50. /*
  51. * Simple check if the key blob is a valid EP11 AES key blob with header.
  52. * If checkcpacfexport is enabled, the key is also checked for the
  53. * attributes needed to export this key for CPACF use.
  54. * Returns 0 on success or errno value on failure.
  55. */
  56. int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl,
  57. const u8 *key, u32 keylen, int checkcpacfexp);
  58. /*
  59. * Simple check if the key blob is a valid EP11 ECC key blob with header.
  60. * If checkcpacfexport is enabled, the key is also checked for the
  61. * attributes needed to export this key for CPACF use.
  62. * Returns 0 on success or errno value on failure.
  63. */
  64. int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl,
  65. const u8 *key, u32 keylen, int checkcpacfexp);
  66. /*
  67. * Simple check if the key blob is a valid EP11 AES key blob with
  68. * the header in the session field (old style EP11 AES key).
  69. * If checkcpacfexport is enabled, the key is also checked for the
  70. * attributes needed to export this key for CPACF use.
  71. * Returns 0 on success or errno value on failure.
  72. */
  73. int ep11_check_aes_key(debug_info_t *dbg, int dbflvl,
  74. const u8 *key, u32 keylen, int checkcpacfexp);
  75. /* EP11 card info struct */
  76. struct ep11_card_info {
  77. u32 API_ord_nr; /* API ordinal number */
  78. u16 FW_version; /* Firmware major and minor version */
  79. char serial[16]; /* serial number string (16 ascii, no 0x00 !) */
  80. u64 op_mode; /* card operational mode(s) */
  81. };
  82. /* EP11 domain info struct */
  83. struct ep11_domain_info {
  84. char cur_wk_state; /* '0' invalid, '1' valid */
  85. char new_wk_state; /* '0' empty, '1' uncommitted, '2' committed */
  86. u8 cur_wkvp[32]; /* current wrapping key verification pattern */
  87. u8 new_wkvp[32]; /* new wrapping key verification pattern */
  88. u64 op_mode; /* domain operational mode(s) */
  89. };
  90. /*
  91. * Provide information about an EP11 card.
  92. */
  93. int ep11_get_card_info(u16 card, struct ep11_card_info *info, u32 xflags);
  94. /*
  95. * Provide information about a domain within an EP11 card.
  96. */
  97. int ep11_get_domain_info(u16 card, u16 domain,
  98. struct ep11_domain_info *info, u32 xflags);
  99. /*
  100. * Generate (random) EP11 AES secure key.
  101. */
  102. int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
  103. u8 *keybuf, u32 *keybufsize, u32 keybufver, u32 xflags);
  104. /*
  105. * Generate EP11 AES secure key with given clear key value.
  106. */
  107. int ep11_clr2keyblob(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
  108. const u8 *clrkey, u8 *keybuf, u32 *keybufsize,
  109. u32 keytype, u32 xflags);
  110. /*
  111. * Build a list of ep11 apqns meeting the following constrains:
  112. * - apqn is online and is in fact an EP11 apqn
  113. * - if cardnr is not FFFF only apqns with this cardnr
  114. * - if domain is not FFFF only apqns with this domainnr
  115. * - if minhwtype > 0 only apqns with hwtype >= minhwtype
  116. * - if minapi > 0 only apqns with API_ord_nr >= minapi
  117. * - if wkvp != NULL only apqns where the wkvp (EP11_WKVPLEN bytes) matches
  118. * to the first EP11_WKVPLEN bytes of the wkvp of the current wrapping
  119. * key for this domain. When a wkvp is given there will always be a re-fetch
  120. * of the domain info for the potential apqn - so this triggers an request
  121. * reply to each apqn eligible.
  122. * The caller should set *nr_apqns to the nr of elements available in *apqns.
  123. * On return *nr_apqns is then updated with the nr of apqns filled into *apqns.
  124. * The return value is either 0 for success or a negative errno value.
  125. * If no apqn meeting the criteria is found, -ENODEV is returned.
  126. */
  127. int ep11_findcard2(u32 *apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
  128. int minhwtype, int minapi, const u8 *wkvp, u32 xflags);
  129. /*
  130. * Derive proteced key from EP11 key blob (AES and ECC keys).
  131. */
  132. int ep11_kblob2protkey(u16 card, u16 dom, const u8 *key, u32 keylen,
  133. u8 *protkey, u32 *protkeylen, u32 *protkeytype,
  134. u32 xflags);
  135. int zcrypt_ep11misc_init(void);
  136. void zcrypt_ep11misc_exit(void);
  137. #endif /* _ZCRYPT_EP11MISC_H_ */