xref: /openbmc/linux/drivers/s390/crypto/zcrypt_ccamisc.c (revision 75b1a8f9d62e50f05d0e4e9f3c8bcde32527ffc1)
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  *  Copyright IBM Corp. 2019
4  *  Author(s): Harald Freudenberger <freude@linux.ibm.com>
5  *	       Ingo Franzki <ifranzki@linux.ibm.com>
6  *
7  *  Collection of CCA misc functions used by zcrypt and pkey
8  */
9 
10 #define KMSG_COMPONENT "zcrypt"
11 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
12 
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/slab.h>
16 #include <linux/random.h>
17 #include <asm/zcrypt.h>
18 #include <asm/pkey.h>
19 
20 #include "ap_bus.h"
21 #include "zcrypt_api.h"
22 #include "zcrypt_debug.h"
23 #include "zcrypt_msgtype6.h"
24 #include "zcrypt_ccamisc.h"
25 
26 #define DEBUG_DBG(...)	ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
27 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
28 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
29 #define DEBUG_ERR(...)	ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
30 
31 /* Size of parameter block used for all cca requests/replies */
32 #define PARMBSIZE 512
33 
34 /* Size of vardata block used for some of the cca requests/replies */
35 #define VARDATASIZE 4096
36 
37 struct cca_info_list_entry {
38 	struct list_head list;
39 	u16 cardnr;
40 	u16 domain;
41 	struct cca_info info;
42 };
43 
44 /* a list with cca_info_list_entry entries */
45 static LIST_HEAD(cca_info_list);
46 static DEFINE_SPINLOCK(cca_info_list_lock);
47 
48 /*
49  * Simple check if the token is a valid CCA secure AES data key
50  * token. If keybitsize is given, the bitsize of the key is
51  * also checked. Returns 0 on success or errno value on failure.
52  */
53 int cca_check_secaeskeytoken(debug_info_t *dbg, int dbflvl,
54 			     const u8 *token, int keybitsize)
55 {
56 	struct secaeskeytoken *t = (struct secaeskeytoken *) token;
57 
58 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
59 
60 	if (t->type != TOKTYPE_CCA_INTERNAL) {
61 		if (dbg)
62 			DBF("%s token check failed, type 0x%02x != 0x%02x\n",
63 			    __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
64 		return -EINVAL;
65 	}
66 	if (t->version != TOKVER_CCA_AES) {
67 		if (dbg)
68 			DBF("%s token check failed, version 0x%02x != 0x%02x\n",
69 			    __func__, (int) t->version, TOKVER_CCA_AES);
70 		return -EINVAL;
71 	}
72 	if (keybitsize > 0 && t->bitsize != keybitsize) {
73 		if (dbg)
74 			DBF("%s token check failed, bitsize %d != %d\n",
75 			    __func__, (int) t->bitsize, keybitsize);
76 		return -EINVAL;
77 	}
78 
79 #undef DBF
80 
81 	return 0;
82 }
83 EXPORT_SYMBOL(cca_check_secaeskeytoken);
84 
85 /*
86  * Simple check if the token is a valid CCA secure AES cipher key
87  * token. If keybitsize is given, the bitsize of the key is
88  * also checked. If checkcpacfexport is enabled, the key is also
89  * checked for the export flag to allow CPACF export.
90  * Returns 0 on success or errno value on failure.
91  */
92 int cca_check_secaescipherkey(debug_info_t *dbg, int dbflvl,
93 			      const u8 *token, int keybitsize,
94 			      int checkcpacfexport)
95 {
96 	struct cipherkeytoken *t = (struct cipherkeytoken *) token;
97 	bool keybitsizeok = true;
98 
99 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
100 
101 	if (t->type != TOKTYPE_CCA_INTERNAL) {
102 		if (dbg)
103 			DBF("%s token check failed, type 0x%02x != 0x%02x\n",
104 			    __func__, (int) t->type, TOKTYPE_CCA_INTERNAL);
105 		return -EINVAL;
106 	}
107 	if (t->version != TOKVER_CCA_VLSC) {
108 		if (dbg)
109 			DBF("%s token check failed, version 0x%02x != 0x%02x\n",
110 			    __func__, (int) t->version, TOKVER_CCA_VLSC);
111 		return -EINVAL;
112 	}
113 	if (t->algtype != 0x02) {
114 		if (dbg)
115 			DBF("%s token check failed, algtype 0x%02x != 0x02\n",
116 			    __func__, (int) t->algtype);
117 		return -EINVAL;
118 	}
119 	if (t->keytype != 0x0001) {
120 		if (dbg)
121 			DBF("%s token check failed, keytype 0x%04x != 0x0001\n",
122 			    __func__, (int) t->keytype);
123 		return -EINVAL;
124 	}
125 	if (t->plfver != 0x00 && t->plfver != 0x01) {
126 		if (dbg)
127 			DBF("%s token check failed, unknown plfver 0x%02x\n",
128 			    __func__, (int) t->plfver);
129 		return -EINVAL;
130 	}
131 	if (t->wpllen != 512 && t->wpllen != 576 && t->wpllen != 640) {
132 		if (dbg)
133 			DBF("%s token check failed, unknown wpllen %d\n",
134 			    __func__, (int) t->wpllen);
135 		return -EINVAL;
136 	}
137 	if (keybitsize > 0) {
138 		switch (keybitsize) {
139 		case 128:
140 			if (t->wpllen != (t->plfver ? 640 : 512))
141 				keybitsizeok = false;
142 			break;
143 		case 192:
144 			if (t->wpllen != (t->plfver ? 640 : 576))
145 				keybitsizeok = false;
146 			break;
147 		case 256:
148 			if (t->wpllen != 640)
149 				keybitsizeok = false;
150 			break;
151 		default:
152 			keybitsizeok = false;
153 			break;
154 		}
155 		if (!keybitsizeok) {
156 			if (dbg)
157 				DBF("%s token check failed, bitsize %d\n",
158 				    __func__, keybitsize);
159 			return -EINVAL;
160 		}
161 	}
162 	if (checkcpacfexport && !(t->kmf1 & KMF1_XPRT_CPAC)) {
163 		if (dbg)
164 			DBF("%s token check failed, XPRT_CPAC bit is 0\n",
165 			    __func__);
166 		return -EINVAL;
167 	}
168 
169 #undef DBF
170 
171 	return 0;
172 }
173 EXPORT_SYMBOL(cca_check_secaescipherkey);
174 
175 /*
176  * Simple check if the token is a valid CCA secure ECC private
177  * key token. Returns 0 on success or errno value on failure.
178  */
179 int cca_check_sececckeytoken(debug_info_t *dbg, int dbflvl,
180 			     const u8 *token, size_t keysize,
181 			     int checkcpacfexport)
182 {
183 	struct eccprivkeytoken *t = (struct eccprivkeytoken *) token;
184 
185 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
186 
187 	if (t->type != TOKTYPE_CCA_INTERNAL_PKA) {
188 		if (dbg)
189 			DBF("%s token check failed, type 0x%02x != 0x%02x\n",
190 			    __func__, (int) t->type, TOKTYPE_CCA_INTERNAL_PKA);
191 		return -EINVAL;
192 	}
193 	if (t->len > keysize) {
194 		if (dbg)
195 			DBF("%s token check failed, len %d > keysize %zu\n",
196 			    __func__, (int) t->len, keysize);
197 		return -EINVAL;
198 	}
199 	if (t->secid != 0x20) {
200 		if (dbg)
201 			DBF("%s token check failed, secid 0x%02x != 0x20\n",
202 			    __func__, (int) t->secid);
203 		return -EINVAL;
204 	}
205 	if (checkcpacfexport && !(t->kutc & 0x01)) {
206 		if (dbg)
207 			DBF("%s token check failed, XPRTCPAC bit is 0\n",
208 			    __func__);
209 		return -EINVAL;
210 	}
211 
212 #undef DBF
213 
214 	return 0;
215 }
216 EXPORT_SYMBOL(cca_check_sececckeytoken);
217 
218 /*
219  * Allocate consecutive memory for request CPRB, request param
220  * block, reply CPRB and reply param block and fill in values
221  * for the common fields. Returns 0 on success or errno value
222  * on failure.
223  */
224 static int alloc_and_prep_cprbmem(size_t paramblen,
225 				  u8 **pcprbmem,
226 				  struct CPRBX **preqCPRB,
227 				  struct CPRBX **prepCPRB)
228 {
229 	u8 *cprbmem;
230 	size_t cprbplusparamblen = sizeof(struct CPRBX) + paramblen;
231 	struct CPRBX *preqcblk, *prepcblk;
232 
233 	/*
234 	 * allocate consecutive memory for request CPRB, request param
235 	 * block, reply CPRB and reply param block
236 	 */
237 	cprbmem = kcalloc(2, cprbplusparamblen, GFP_KERNEL);
238 	if (!cprbmem)
239 		return -ENOMEM;
240 
241 	preqcblk = (struct CPRBX *) cprbmem;
242 	prepcblk = (struct CPRBX *) (cprbmem + cprbplusparamblen);
243 
244 	/* fill request cprb struct */
245 	preqcblk->cprb_len = sizeof(struct CPRBX);
246 	preqcblk->cprb_ver_id = 0x02;
247 	memcpy(preqcblk->func_id, "T2", 2);
248 	preqcblk->rpl_msgbl = cprbplusparamblen;
249 	if (paramblen) {
250 		preqcblk->req_parmb =
251 			((u8 __user *) preqcblk) + sizeof(struct CPRBX);
252 		preqcblk->rpl_parmb =
253 			((u8 __user *) prepcblk) + sizeof(struct CPRBX);
254 	}
255 
256 	*pcprbmem = cprbmem;
257 	*preqCPRB = preqcblk;
258 	*prepCPRB = prepcblk;
259 
260 	return 0;
261 }
262 
263 /*
264  * Free the cprb memory allocated with the function above.
265  * If the scrub value is not zero, the memory is filled
266  * with zeros before freeing (useful if there was some
267  * clear key material in there).
268  */
269 static void free_cprbmem(void *mem, size_t paramblen, int scrub)
270 {
271 	if (scrub)
272 		memzero_explicit(mem, 2 * (sizeof(struct CPRBX) + paramblen));
273 	kfree(mem);
274 }
275 
276 /*
277  * Helper function to prepare the xcrb struct
278  */
279 static inline void prep_xcrb(struct ica_xcRB *pxcrb,
280 			     u16 cardnr,
281 			     struct CPRBX *preqcblk,
282 			     struct CPRBX *prepcblk)
283 {
284 	memset(pxcrb, 0, sizeof(*pxcrb));
285 	pxcrb->agent_ID = 0x4341; /* 'CA' */
286 	pxcrb->user_defined = (cardnr == 0xFFFF ? AUTOSELECT : cardnr);
287 	pxcrb->request_control_blk_length =
288 		preqcblk->cprb_len + preqcblk->req_parml;
289 	pxcrb->request_control_blk_addr = (void __user *) preqcblk;
290 	pxcrb->reply_control_blk_length = preqcblk->rpl_msgbl;
291 	pxcrb->reply_control_blk_addr = (void __user *) prepcblk;
292 }
293 
294 /*
295  * Generate (random) CCA AES DATA secure key.
296  */
297 int cca_genseckey(u16 cardnr, u16 domain,
298 		  u32 keybitsize, u8 seckey[SECKEYBLOBSIZE])
299 {
300 	int i, rc, keysize;
301 	int seckeysize;
302 	u8 *mem, *ptr;
303 	struct CPRBX *preqcblk, *prepcblk;
304 	struct ica_xcRB xcrb;
305 	struct kgreqparm {
306 		u8  subfunc_code[2];
307 		u16 rule_array_len;
308 		struct lv1 {
309 			u16 len;
310 			char  key_form[8];
311 			char  key_length[8];
312 			char  key_type1[8];
313 			char  key_type2[8];
314 		} lv1;
315 		struct lv2 {
316 			u16 len;
317 			struct keyid {
318 				u16 len;
319 				u16 attr;
320 				u8  data[SECKEYBLOBSIZE];
321 			} keyid[6];
322 		} lv2;
323 	} __packed * preqparm;
324 	struct kgrepparm {
325 		u8  subfunc_code[2];
326 		u16 rule_array_len;
327 		struct lv3 {
328 			u16 len;
329 			u16 keyblocklen;
330 			struct {
331 				u16 toklen;
332 				u16 tokattr;
333 				u8  tok[0];
334 				/* ... some more data ... */
335 			} keyblock;
336 		} lv3;
337 	} __packed * prepparm;
338 
339 	/* get already prepared memory for 2 cprbs with param block each */
340 	rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
341 	if (rc)
342 		return rc;
343 
344 	/* fill request cprb struct */
345 	preqcblk->domain = domain;
346 
347 	/* fill request cprb param block with KG request */
348 	preqparm = (struct kgreqparm __force *) preqcblk->req_parmb;
349 	memcpy(preqparm->subfunc_code, "KG", 2);
350 	preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
351 	preqparm->lv1.len = sizeof(struct lv1);
352 	memcpy(preqparm->lv1.key_form,	 "OP      ", 8);
353 	switch (keybitsize) {
354 	case PKEY_SIZE_AES_128:
355 	case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
356 		keysize = 16;
357 		memcpy(preqparm->lv1.key_length, "KEYLN16 ", 8);
358 		break;
359 	case PKEY_SIZE_AES_192:
360 	case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
361 		keysize = 24;
362 		memcpy(preqparm->lv1.key_length, "KEYLN24 ", 8);
363 		break;
364 	case PKEY_SIZE_AES_256:
365 	case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
366 		keysize = 32;
367 		memcpy(preqparm->lv1.key_length, "KEYLN32 ", 8);
368 		break;
369 	default:
370 		DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
371 			  __func__, keybitsize);
372 		rc = -EINVAL;
373 		goto out;
374 	}
375 	memcpy(preqparm->lv1.key_type1,  "AESDATA ", 8);
376 	preqparm->lv2.len = sizeof(struct lv2);
377 	for (i = 0; i < 6; i++) {
378 		preqparm->lv2.keyid[i].len = sizeof(struct keyid);
379 		preqparm->lv2.keyid[i].attr = (i == 2 ? 0x30 : 0x10);
380 	}
381 	preqcblk->req_parml = sizeof(struct kgreqparm);
382 
383 	/* fill xcrb struct */
384 	prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
385 
386 	/* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
387 	rc = zcrypt_send_cprb(&xcrb);
388 	if (rc) {
389 		DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, errno %d\n",
390 			  __func__, (int) cardnr, (int) domain, rc);
391 		goto out;
392 	}
393 
394 	/* check response returncode and reasoncode */
395 	if (prepcblk->ccp_rtcode != 0) {
396 		DEBUG_ERR("%s secure key generate failure, card response %d/%d\n",
397 			  __func__,
398 			  (int) prepcblk->ccp_rtcode,
399 			  (int) prepcblk->ccp_rscode);
400 		rc = -EIO;
401 		goto out;
402 	}
403 
404 	/* process response cprb param block */
405 	ptr =  ((u8 *) prepcblk) + sizeof(struct CPRBX);
406 	prepcblk->rpl_parmb = (u8 __user *) ptr;
407 	prepparm = (struct kgrepparm *) ptr;
408 
409 	/* check length of the returned secure key token */
410 	seckeysize = prepparm->lv3.keyblock.toklen
411 		- sizeof(prepparm->lv3.keyblock.toklen)
412 		- sizeof(prepparm->lv3.keyblock.tokattr);
413 	if (seckeysize != SECKEYBLOBSIZE) {
414 		DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
415 			  __func__, seckeysize, SECKEYBLOBSIZE);
416 		rc = -EIO;
417 		goto out;
418 	}
419 
420 	/* check secure key token */
421 	rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
422 				      prepparm->lv3.keyblock.tok, 8*keysize);
423 	if (rc) {
424 		rc = -EIO;
425 		goto out;
426 	}
427 
428 	/* copy the generated secure key token */
429 	memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
430 
431 out:
432 	free_cprbmem(mem, PARMBSIZE, 0);
433 	return rc;
434 }
435 EXPORT_SYMBOL(cca_genseckey);
436 
437 /*
438  * Generate an CCA AES DATA secure key with given key value.
439  */
440 int cca_clr2seckey(u16 cardnr, u16 domain, u32 keybitsize,
441 		   const u8 *clrkey, u8 seckey[SECKEYBLOBSIZE])
442 {
443 	int rc, keysize, seckeysize;
444 	u8 *mem, *ptr;
445 	struct CPRBX *preqcblk, *prepcblk;
446 	struct ica_xcRB xcrb;
447 	struct cmreqparm {
448 		u8  subfunc_code[2];
449 		u16 rule_array_len;
450 		char  rule_array[8];
451 		struct lv1 {
452 			u16 len;
453 			u8  clrkey[0];
454 		} lv1;
455 		struct lv2 {
456 			u16 len;
457 			struct keyid {
458 				u16 len;
459 				u16 attr;
460 				u8  data[SECKEYBLOBSIZE];
461 			} keyid;
462 		} lv2;
463 	} __packed * preqparm;
464 	struct lv2 *plv2;
465 	struct cmrepparm {
466 		u8  subfunc_code[2];
467 		u16 rule_array_len;
468 		struct lv3 {
469 			u16 len;
470 			u16 keyblocklen;
471 			struct {
472 				u16 toklen;
473 				u16 tokattr;
474 				u8  tok[0];
475 				/* ... some more data ... */
476 			} keyblock;
477 		} lv3;
478 	} __packed * prepparm;
479 
480 	/* get already prepared memory for 2 cprbs with param block each */
481 	rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
482 	if (rc)
483 		return rc;
484 
485 	/* fill request cprb struct */
486 	preqcblk->domain = domain;
487 
488 	/* fill request cprb param block with CM request */
489 	preqparm = (struct cmreqparm __force *) preqcblk->req_parmb;
490 	memcpy(preqparm->subfunc_code, "CM", 2);
491 	memcpy(preqparm->rule_array, "AES     ", 8);
492 	preqparm->rule_array_len =
493 		sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
494 	switch (keybitsize) {
495 	case PKEY_SIZE_AES_128:
496 	case PKEY_KEYTYPE_AES_128: /* older ioctls used this */
497 		keysize = 16;
498 		break;
499 	case PKEY_SIZE_AES_192:
500 	case PKEY_KEYTYPE_AES_192: /* older ioctls used this */
501 		keysize = 24;
502 		break;
503 	case PKEY_SIZE_AES_256:
504 	case PKEY_KEYTYPE_AES_256: /* older ioctls used this */
505 		keysize = 32;
506 		break;
507 	default:
508 		DEBUG_ERR("%s unknown/unsupported keybitsize %d\n",
509 			  __func__, keybitsize);
510 		rc = -EINVAL;
511 		goto out;
512 	}
513 	preqparm->lv1.len = sizeof(struct lv1) + keysize;
514 	memcpy(preqparm->lv1.clrkey, clrkey, keysize);
515 	plv2 = (struct lv2 *) (((u8 *) &preqparm->lv2) + keysize);
516 	plv2->len = sizeof(struct lv2);
517 	plv2->keyid.len = sizeof(struct keyid);
518 	plv2->keyid.attr = 0x30;
519 	preqcblk->req_parml = sizeof(struct cmreqparm) + keysize;
520 
521 	/* fill xcrb struct */
522 	prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
523 
524 	/* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
525 	rc = zcrypt_send_cprb(&xcrb);
526 	if (rc) {
527 		DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
528 			  __func__, (int) cardnr, (int) domain, rc);
529 		goto out;
530 	}
531 
532 	/* check response returncode and reasoncode */
533 	if (prepcblk->ccp_rtcode != 0) {
534 		DEBUG_ERR("%s clear key import failure, card response %d/%d\n",
535 			  __func__,
536 			  (int) prepcblk->ccp_rtcode,
537 			  (int) prepcblk->ccp_rscode);
538 		rc = -EIO;
539 		goto out;
540 	}
541 
542 	/* process response cprb param block */
543 	ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
544 	prepcblk->rpl_parmb = (u8 __user *) ptr;
545 	prepparm = (struct cmrepparm *) ptr;
546 
547 	/* check length of the returned secure key token */
548 	seckeysize = prepparm->lv3.keyblock.toklen
549 		- sizeof(prepparm->lv3.keyblock.toklen)
550 		- sizeof(prepparm->lv3.keyblock.tokattr);
551 	if (seckeysize != SECKEYBLOBSIZE) {
552 		DEBUG_ERR("%s secure token size mismatch %d != %d bytes\n",
553 			  __func__, seckeysize, SECKEYBLOBSIZE);
554 		rc = -EIO;
555 		goto out;
556 	}
557 
558 	/* check secure key token */
559 	rc = cca_check_secaeskeytoken(zcrypt_dbf_info, DBF_ERR,
560 				      prepparm->lv3.keyblock.tok, 8*keysize);
561 	if (rc) {
562 		rc = -EIO;
563 		goto out;
564 	}
565 
566 	/* copy the generated secure key token */
567 	if (seckey)
568 		memcpy(seckey, prepparm->lv3.keyblock.tok, SECKEYBLOBSIZE);
569 
570 out:
571 	free_cprbmem(mem, PARMBSIZE, 1);
572 	return rc;
573 }
574 EXPORT_SYMBOL(cca_clr2seckey);
575 
576 /*
577  * Derive proteced key from an CCA AES DATA secure key.
578  */
579 int cca_sec2protkey(u16 cardnr, u16 domain,
580 		    const u8 seckey[SECKEYBLOBSIZE],
581 		    u8 *protkey, u32 *protkeylen, u32 *protkeytype)
582 {
583 	int rc;
584 	u8 *mem, *ptr;
585 	struct CPRBX *preqcblk, *prepcblk;
586 	struct ica_xcRB xcrb;
587 	struct uskreqparm {
588 		u8  subfunc_code[2];
589 		u16 rule_array_len;
590 		struct lv1 {
591 			u16 len;
592 			u16 attr_len;
593 			u16 attr_flags;
594 		} lv1;
595 		struct lv2 {
596 			u16 len;
597 			u16 attr_len;
598 			u16 attr_flags;
599 			u8  token[0];	      /* cca secure key token */
600 		} lv2;
601 	} __packed * preqparm;
602 	struct uskrepparm {
603 		u8  subfunc_code[2];
604 		u16 rule_array_len;
605 		struct lv3 {
606 			u16 len;
607 			u16 attr_len;
608 			u16 attr_flags;
609 			struct cpacfkeyblock {
610 				u8  version;  /* version of this struct */
611 				u8  flags[2];
612 				u8  algo;
613 				u8  form;
614 				u8  pad1[3];
615 				u16 len;
616 				u8  key[64];  /* the key (len bytes) */
617 				u16 keyattrlen;
618 				u8  keyattr[32];
619 				u8  pad2[1];
620 				u8  vptype;
621 				u8  vp[32];  /* verification pattern */
622 			} ckb;
623 		} lv3;
624 	} __packed * prepparm;
625 
626 	/* get already prepared memory for 2 cprbs with param block each */
627 	rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
628 	if (rc)
629 		return rc;
630 
631 	/* fill request cprb struct */
632 	preqcblk->domain = domain;
633 
634 	/* fill request cprb param block with USK request */
635 	preqparm = (struct uskreqparm __force *) preqcblk->req_parmb;
636 	memcpy(preqparm->subfunc_code, "US", 2);
637 	preqparm->rule_array_len = sizeof(preqparm->rule_array_len);
638 	preqparm->lv1.len = sizeof(struct lv1);
639 	preqparm->lv1.attr_len = sizeof(struct lv1) - sizeof(preqparm->lv1.len);
640 	preqparm->lv1.attr_flags = 0x0001;
641 	preqparm->lv2.len = sizeof(struct lv2) + SECKEYBLOBSIZE;
642 	preqparm->lv2.attr_len = sizeof(struct lv2)
643 		- sizeof(preqparm->lv2.len) + SECKEYBLOBSIZE;
644 	preqparm->lv2.attr_flags = 0x0000;
645 	memcpy(preqparm->lv2.token, seckey, SECKEYBLOBSIZE);
646 	preqcblk->req_parml = sizeof(struct uskreqparm) + SECKEYBLOBSIZE;
647 
648 	/* fill xcrb struct */
649 	prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
650 
651 	/* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
652 	rc = zcrypt_send_cprb(&xcrb);
653 	if (rc) {
654 		DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
655 			  __func__, (int) cardnr, (int) domain, rc);
656 		goto out;
657 	}
658 
659 	/* check response returncode and reasoncode */
660 	if (prepcblk->ccp_rtcode != 0) {
661 		DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
662 			  __func__,
663 			  (int) prepcblk->ccp_rtcode,
664 			  (int) prepcblk->ccp_rscode);
665 		rc = -EIO;
666 		goto out;
667 	}
668 	if (prepcblk->ccp_rscode != 0) {
669 		DEBUG_WARN("%s unwrap secure key warning, card response %d/%d\n",
670 			   __func__,
671 			   (int) prepcblk->ccp_rtcode,
672 			   (int) prepcblk->ccp_rscode);
673 	}
674 
675 	/* process response cprb param block */
676 	ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
677 	prepcblk->rpl_parmb = (u8 __user *) ptr;
678 	prepparm = (struct uskrepparm *) ptr;
679 
680 	/* check the returned keyblock */
681 	if (prepparm->lv3.ckb.version != 0x01 &&
682 	    prepparm->lv3.ckb.version != 0x02) {
683 		DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
684 			  __func__, (int) prepparm->lv3.ckb.version);
685 		rc = -EIO;
686 		goto out;
687 	}
688 
689 	/* copy the tanslated protected key */
690 	switch (prepparm->lv3.ckb.len) {
691 	case 16+32:
692 		/* AES 128 protected key */
693 		if (protkeytype)
694 			*protkeytype = PKEY_KEYTYPE_AES_128;
695 		break;
696 	case 24+32:
697 		/* AES 192 protected key */
698 		if (protkeytype)
699 			*protkeytype = PKEY_KEYTYPE_AES_192;
700 		break;
701 	case 32+32:
702 		/* AES 256 protected key */
703 		if (protkeytype)
704 			*protkeytype = PKEY_KEYTYPE_AES_256;
705 		break;
706 	default:
707 		DEBUG_ERR("%s unknown/unsupported keylen %d\n",
708 			  __func__, prepparm->lv3.ckb.len);
709 		rc = -EIO;
710 		goto out;
711 	}
712 	memcpy(protkey, prepparm->lv3.ckb.key, prepparm->lv3.ckb.len);
713 	if (protkeylen)
714 		*protkeylen = prepparm->lv3.ckb.len;
715 
716 out:
717 	free_cprbmem(mem, PARMBSIZE, 0);
718 	return rc;
719 }
720 EXPORT_SYMBOL(cca_sec2protkey);
721 
722 /*
723  * AES cipher key skeleton created with CSNBKTB2 with these flags:
724  * INTERNAL, NO-KEY, AES, CIPHER, ANY-MODE, NOEX-SYM, NOEXAASY,
725  * NOEXUASY, XPRTCPAC, NOEX-RAW, NOEX-DES, NOEX-AES, NOEX-RSA
726  * used by cca_gencipherkey() and cca_clr2cipherkey().
727  */
728 static const u8 aes_cipher_key_skeleton[] = {
729 	0x01, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00,
730 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
731 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
732 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
733 	0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
734 	0x00, 0x02, 0x00, 0x01, 0x02, 0xc0, 0x00, 0xff,
735 	0x00, 0x03, 0x08, 0xc8, 0x00, 0x00, 0x00, 0x00 };
736 #define SIZEOF_SKELETON (sizeof(aes_cipher_key_skeleton))
737 
738 /*
739  * Generate (random) CCA AES CIPHER secure key.
740  */
741 int cca_gencipherkey(u16 cardnr, u16 domain, u32 keybitsize, u32 keygenflags,
742 		     u8 *keybuf, size_t *keybufsize)
743 {
744 	int rc;
745 	u8 *mem, *ptr;
746 	struct CPRBX *preqcblk, *prepcblk;
747 	struct ica_xcRB xcrb;
748 	struct gkreqparm {
749 		u8  subfunc_code[2];
750 		u16 rule_array_len;
751 		char rule_array[2*8];
752 		struct {
753 			u16 len;
754 			u8  key_type_1[8];
755 			u8  key_type_2[8];
756 			u16 clear_key_bit_len;
757 			u16 key_name_1_len;
758 			u16 key_name_2_len;
759 			u16 user_data_1_len;
760 			u16 user_data_2_len;
761 			u8  key_name_1[0];
762 			u8  key_name_2[0];
763 			u8  user_data_1[0];
764 			u8  user_data_2[0];
765 		} vud;
766 		struct {
767 			u16 len;
768 			struct {
769 				u16 len;
770 				u16 flag;
771 				u8  kek_id_1[0];
772 			} tlv1;
773 			struct {
774 				u16 len;
775 				u16 flag;
776 				u8  kek_id_2[0];
777 			} tlv2;
778 			struct {
779 				u16 len;
780 				u16 flag;
781 				u8  gen_key_id_1[SIZEOF_SKELETON];
782 			} tlv3;
783 			struct {
784 				u16 len;
785 				u16 flag;
786 				u8  gen_key_id_1_label[0];
787 			} tlv4;
788 			struct {
789 				u16 len;
790 				u16 flag;
791 				u8  gen_key_id_2[0];
792 			} tlv5;
793 			struct {
794 				u16 len;
795 				u16 flag;
796 				u8  gen_key_id_2_label[0];
797 			} tlv6;
798 		} kb;
799 	} __packed * preqparm;
800 	struct gkrepparm {
801 		u8  subfunc_code[2];
802 		u16 rule_array_len;
803 		struct {
804 			u16 len;
805 		} vud;
806 		struct {
807 			u16 len;
808 			struct {
809 				u16 len;
810 				u16 flag;
811 				u8  gen_key[0]; /* 120-136 bytes */
812 			} tlv1;
813 		} kb;
814 	} __packed * prepparm;
815 	struct cipherkeytoken *t;
816 
817 	/* get already prepared memory for 2 cprbs with param block each */
818 	rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
819 	if (rc)
820 		return rc;
821 
822 	/* fill request cprb struct */
823 	preqcblk->domain = domain;
824 	preqcblk->req_parml = sizeof(struct gkreqparm);
825 
826 	/* prepare request param block with GK request */
827 	preqparm = (struct gkreqparm __force *) preqcblk->req_parmb;
828 	memcpy(preqparm->subfunc_code, "GK", 2);
829 	preqparm->rule_array_len =  sizeof(uint16_t) + 2 * 8;
830 	memcpy(preqparm->rule_array, "AES     OP      ", 2*8);
831 
832 	/* prepare vud block */
833 	preqparm->vud.len = sizeof(preqparm->vud);
834 	switch (keybitsize) {
835 	case 128:
836 	case 192:
837 	case 256:
838 		break;
839 	default:
840 		DEBUG_ERR(
841 			"%s unknown/unsupported keybitsize %d\n",
842 			__func__, keybitsize);
843 		rc = -EINVAL;
844 		goto out;
845 	}
846 	preqparm->vud.clear_key_bit_len = keybitsize;
847 	memcpy(preqparm->vud.key_type_1, "TOKEN   ", 8);
848 	memset(preqparm->vud.key_type_2, ' ', sizeof(preqparm->vud.key_type_2));
849 
850 	/* prepare kb block */
851 	preqparm->kb.len = sizeof(preqparm->kb);
852 	preqparm->kb.tlv1.len = sizeof(preqparm->kb.tlv1);
853 	preqparm->kb.tlv1.flag = 0x0030;
854 	preqparm->kb.tlv2.len = sizeof(preqparm->kb.tlv2);
855 	preqparm->kb.tlv2.flag = 0x0030;
856 	preqparm->kb.tlv3.len = sizeof(preqparm->kb.tlv3);
857 	preqparm->kb.tlv3.flag = 0x0030;
858 	memcpy(preqparm->kb.tlv3.gen_key_id_1,
859 	       aes_cipher_key_skeleton, SIZEOF_SKELETON);
860 	preqparm->kb.tlv4.len = sizeof(preqparm->kb.tlv4);
861 	preqparm->kb.tlv4.flag = 0x0030;
862 	preqparm->kb.tlv5.len = sizeof(preqparm->kb.tlv5);
863 	preqparm->kb.tlv5.flag = 0x0030;
864 	preqparm->kb.tlv6.len = sizeof(preqparm->kb.tlv6);
865 	preqparm->kb.tlv6.flag = 0x0030;
866 
867 	/* patch the skeleton key token export flags inside the kb block */
868 	if (keygenflags) {
869 		t = (struct cipherkeytoken *) preqparm->kb.tlv3.gen_key_id_1;
870 		t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
871 		t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
872 	}
873 
874 	/* prepare xcrb struct */
875 	prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
876 
877 	/* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
878 	rc = zcrypt_send_cprb(&xcrb);
879 	if (rc) {
880 		DEBUG_ERR(
881 			"%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
882 			__func__, (int) cardnr, (int) domain, rc);
883 		goto out;
884 	}
885 
886 	/* check response returncode and reasoncode */
887 	if (prepcblk->ccp_rtcode != 0) {
888 		DEBUG_ERR(
889 			"%s cipher key generate failure, card response %d/%d\n",
890 			__func__,
891 			(int) prepcblk->ccp_rtcode,
892 			(int) prepcblk->ccp_rscode);
893 		rc = -EIO;
894 		goto out;
895 	}
896 
897 	/* process response cprb param block */
898 	ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
899 	prepcblk->rpl_parmb = (u8 __user *) ptr;
900 	prepparm = (struct gkrepparm *) ptr;
901 
902 	/* do some plausibility checks on the key block */
903 	if (prepparm->kb.len < 120 + 5 * sizeof(uint16_t) ||
904 	    prepparm->kb.len > 136 + 5 * sizeof(uint16_t)) {
905 		DEBUG_ERR("%s reply with invalid or unknown key block\n",
906 			  __func__);
907 		rc = -EIO;
908 		goto out;
909 	}
910 
911 	/* and some checks on the generated key */
912 	rc = cca_check_secaescipherkey(zcrypt_dbf_info, DBF_ERR,
913 				       prepparm->kb.tlv1.gen_key,
914 				       keybitsize, 1);
915 	if (rc) {
916 		rc = -EIO;
917 		goto out;
918 	}
919 
920 	/* copy the generated vlsc key token */
921 	t = (struct cipherkeytoken *) prepparm->kb.tlv1.gen_key;
922 	if (keybuf) {
923 		if (*keybufsize >= t->len)
924 			memcpy(keybuf, t, t->len);
925 		else
926 			rc = -EINVAL;
927 	}
928 	*keybufsize = t->len;
929 
930 out:
931 	free_cprbmem(mem, PARMBSIZE, 0);
932 	return rc;
933 }
934 EXPORT_SYMBOL(cca_gencipherkey);
935 
936 /*
937  * Helper function, does a the CSNBKPI2 CPRB.
938  */
939 static int _ip_cprb_helper(u16 cardnr, u16 domain,
940 			   const char *rule_array_1,
941 			   const char *rule_array_2,
942 			   const char *rule_array_3,
943 			   const u8 *clr_key_value,
944 			   int clr_key_bit_size,
945 			   u8 *key_token,
946 			   int *key_token_size)
947 {
948 	int rc, n;
949 	u8 *mem, *ptr;
950 	struct CPRBX *preqcblk, *prepcblk;
951 	struct ica_xcRB xcrb;
952 	struct rule_array_block {
953 		u8  subfunc_code[2];
954 		u16 rule_array_len;
955 		char rule_array[0];
956 	} __packed * preq_ra_block;
957 	struct vud_block {
958 		u16 len;
959 		struct {
960 			u16 len;
961 			u16 flag;	     /* 0x0064 */
962 			u16 clr_key_bit_len;
963 		} tlv1;
964 		struct {
965 			u16 len;
966 			u16 flag;	/* 0x0063 */
967 			u8  clr_key[0]; /* clear key value bytes */
968 		} tlv2;
969 	} __packed * preq_vud_block;
970 	struct key_block {
971 		u16 len;
972 		struct {
973 			u16 len;
974 			u16 flag;	  /* 0x0030 */
975 			u8  key_token[0]; /* key skeleton */
976 		} tlv1;
977 	} __packed * preq_key_block;
978 	struct iprepparm {
979 		u8  subfunc_code[2];
980 		u16 rule_array_len;
981 		struct {
982 			u16 len;
983 		} vud;
984 		struct {
985 			u16 len;
986 			struct {
987 				u16 len;
988 				u16 flag;	  /* 0x0030 */
989 				u8  key_token[0]; /* key token */
990 			} tlv1;
991 		} kb;
992 	} __packed * prepparm;
993 	struct cipherkeytoken *t;
994 	int complete = strncmp(rule_array_2, "COMPLETE", 8) ? 0 : 1;
995 
996 	/* get already prepared memory for 2 cprbs with param block each */
997 	rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
998 	if (rc)
999 		return rc;
1000 
1001 	/* fill request cprb struct */
1002 	preqcblk->domain = domain;
1003 	preqcblk->req_parml = 0;
1004 
1005 	/* prepare request param block with IP request */
1006 	preq_ra_block = (struct rule_array_block __force *) preqcblk->req_parmb;
1007 	memcpy(preq_ra_block->subfunc_code, "IP", 2);
1008 	preq_ra_block->rule_array_len =  sizeof(uint16_t) + 2 * 8;
1009 	memcpy(preq_ra_block->rule_array, rule_array_1, 8);
1010 	memcpy(preq_ra_block->rule_array + 8, rule_array_2, 8);
1011 	preqcblk->req_parml = sizeof(struct rule_array_block) + 2 * 8;
1012 	if (rule_array_3) {
1013 		preq_ra_block->rule_array_len += 8;
1014 		memcpy(preq_ra_block->rule_array + 16, rule_array_3, 8);
1015 		preqcblk->req_parml += 8;
1016 	}
1017 
1018 	/* prepare vud block */
1019 	preq_vud_block = (struct vud_block __force *)
1020 		(preqcblk->req_parmb + preqcblk->req_parml);
1021 	n = complete ? 0 : (clr_key_bit_size + 7) / 8;
1022 	preq_vud_block->len = sizeof(struct vud_block) + n;
1023 	preq_vud_block->tlv1.len = sizeof(preq_vud_block->tlv1);
1024 	preq_vud_block->tlv1.flag = 0x0064;
1025 	preq_vud_block->tlv1.clr_key_bit_len = complete ? 0 : clr_key_bit_size;
1026 	preq_vud_block->tlv2.len = sizeof(preq_vud_block->tlv2) + n;
1027 	preq_vud_block->tlv2.flag = 0x0063;
1028 	if (!complete)
1029 		memcpy(preq_vud_block->tlv2.clr_key, clr_key_value, n);
1030 	preqcblk->req_parml += preq_vud_block->len;
1031 
1032 	/* prepare key block */
1033 	preq_key_block = (struct key_block __force *)
1034 		(preqcblk->req_parmb + preqcblk->req_parml);
1035 	n = *key_token_size;
1036 	preq_key_block->len = sizeof(struct key_block) + n;
1037 	preq_key_block->tlv1.len = sizeof(preq_key_block->tlv1) + n;
1038 	preq_key_block->tlv1.flag = 0x0030;
1039 	memcpy(preq_key_block->tlv1.key_token, key_token, *key_token_size);
1040 	preqcblk->req_parml += preq_key_block->len;
1041 
1042 	/* prepare xcrb struct */
1043 	prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1044 
1045 	/* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1046 	rc = zcrypt_send_cprb(&xcrb);
1047 	if (rc) {
1048 		DEBUG_ERR(
1049 			"%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1050 			__func__, (int) cardnr, (int) domain, rc);
1051 		goto out;
1052 	}
1053 
1054 	/* check response returncode and reasoncode */
1055 	if (prepcblk->ccp_rtcode != 0) {
1056 		DEBUG_ERR(
1057 			"%s CSNBKPI2 failure, card response %d/%d\n",
1058 			__func__,
1059 			(int) prepcblk->ccp_rtcode,
1060 			(int) prepcblk->ccp_rscode);
1061 		rc = -EIO;
1062 		goto out;
1063 	}
1064 
1065 	/* process response cprb param block */
1066 	ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1067 	prepcblk->rpl_parmb = (u8 __user *) ptr;
1068 	prepparm = (struct iprepparm *) ptr;
1069 
1070 	/* do some plausibility checks on the key block */
1071 	if (prepparm->kb.len < 120 + 3 * sizeof(uint16_t) ||
1072 	    prepparm->kb.len > 136 + 3 * sizeof(uint16_t)) {
1073 		DEBUG_ERR("%s reply with invalid or unknown key block\n",
1074 			  __func__);
1075 		rc = -EIO;
1076 		goto out;
1077 	}
1078 
1079 	/* do not check the key here, it may be incomplete */
1080 
1081 	/* copy the vlsc key token back */
1082 	t = (struct cipherkeytoken *) prepparm->kb.tlv1.key_token;
1083 	memcpy(key_token, t, t->len);
1084 	*key_token_size = t->len;
1085 
1086 out:
1087 	free_cprbmem(mem, PARMBSIZE, 0);
1088 	return rc;
1089 }
1090 
1091 /*
1092  * Build CCA AES CIPHER secure key with a given clear key value.
1093  */
1094 int cca_clr2cipherkey(u16 card, u16 dom, u32 keybitsize, u32 keygenflags,
1095 		      const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1096 {
1097 	int rc;
1098 	u8 *token;
1099 	int tokensize;
1100 	u8 exorbuf[32];
1101 	struct cipherkeytoken *t;
1102 
1103 	/* fill exorbuf with random data */
1104 	get_random_bytes(exorbuf, sizeof(exorbuf));
1105 
1106 	/* allocate space for the key token to build */
1107 	token = kmalloc(MAXCCAVLSCTOKENSIZE, GFP_KERNEL);
1108 	if (!token)
1109 		return -ENOMEM;
1110 
1111 	/* prepare the token with the key skeleton */
1112 	tokensize = SIZEOF_SKELETON;
1113 	memcpy(token, aes_cipher_key_skeleton, tokensize);
1114 
1115 	/* patch the skeleton key token export flags */
1116 	if (keygenflags) {
1117 		t = (struct cipherkeytoken *) token;
1118 		t->kmf1 |= (u16) (keygenflags & 0x0000FF00);
1119 		t->kmf1 &= (u16) ~(keygenflags & 0x000000FF);
1120 	}
1121 
1122 	/*
1123 	 * Do the key import with the clear key value in 4 steps:
1124 	 * 1/4 FIRST import with only random data
1125 	 * 2/4 EXOR the clear key
1126 	 * 3/4 EXOR the very same random data again
1127 	 * 4/4 COMPLETE the secure cipher key import
1128 	 */
1129 	rc = _ip_cprb_helper(card, dom, "AES     ", "FIRST   ", "MIN3PART",
1130 			     exorbuf, keybitsize, token, &tokensize);
1131 	if (rc) {
1132 		DEBUG_ERR(
1133 			"%s clear key import 1/4 with CSNBKPI2 failed, rc=%d\n",
1134 			__func__, rc);
1135 		goto out;
1136 	}
1137 	rc = _ip_cprb_helper(card, dom, "AES     ", "ADD-PART", NULL,
1138 			     clrkey, keybitsize, token, &tokensize);
1139 	if (rc) {
1140 		DEBUG_ERR(
1141 			"%s clear key import 2/4 with CSNBKPI2 failed, rc=%d\n",
1142 			__func__, rc);
1143 		goto out;
1144 	}
1145 	rc = _ip_cprb_helper(card, dom, "AES     ", "ADD-PART", NULL,
1146 			     exorbuf, keybitsize, token, &tokensize);
1147 	if (rc) {
1148 		DEBUG_ERR(
1149 			"%s clear key import 3/4 with CSNBKPI2 failed, rc=%d\n",
1150 			__func__, rc);
1151 		goto out;
1152 	}
1153 	rc = _ip_cprb_helper(card, dom, "AES     ", "COMPLETE", NULL,
1154 			     NULL, keybitsize, token, &tokensize);
1155 	if (rc) {
1156 		DEBUG_ERR(
1157 			"%s clear key import 4/4 with CSNBKPI2 failed, rc=%d\n",
1158 			__func__, rc);
1159 		goto out;
1160 	}
1161 
1162 	/* copy the generated key token */
1163 	if (keybuf) {
1164 		if (tokensize > *keybufsize)
1165 			rc = -EINVAL;
1166 		else
1167 			memcpy(keybuf, token, tokensize);
1168 	}
1169 	*keybufsize = tokensize;
1170 
1171 out:
1172 	kfree(token);
1173 	return rc;
1174 }
1175 EXPORT_SYMBOL(cca_clr2cipherkey);
1176 
1177 /*
1178  * Derive proteced key from CCA AES cipher secure key.
1179  */
1180 int cca_cipher2protkey(u16 cardnr, u16 domain, const u8 *ckey,
1181 		       u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1182 {
1183 	int rc;
1184 	u8 *mem, *ptr;
1185 	struct CPRBX *preqcblk, *prepcblk;
1186 	struct ica_xcRB xcrb;
1187 	struct aureqparm {
1188 		u8  subfunc_code[2];
1189 		u16 rule_array_len;
1190 		u8  rule_array[8];
1191 		struct {
1192 			u16 len;
1193 			u16 tk_blob_len;
1194 			u16 tk_blob_tag;
1195 			u8  tk_blob[66];
1196 		} vud;
1197 		struct {
1198 			u16 len;
1199 			u16 cca_key_token_len;
1200 			u16 cca_key_token_flags;
1201 			u8  cca_key_token[0]; // 64 or more
1202 		} kb;
1203 	} __packed * preqparm;
1204 	struct aurepparm {
1205 		u8  subfunc_code[2];
1206 		u16 rule_array_len;
1207 		struct {
1208 			u16 len;
1209 			u16 sublen;
1210 			u16 tag;
1211 			struct cpacfkeyblock {
1212 				u8  version;  /* version of this struct */
1213 				u8  flags[2];
1214 				u8  algo;
1215 				u8  form;
1216 				u8  pad1[3];
1217 				u16 keylen;
1218 				u8  key[64];  /* the key (keylen bytes) */
1219 				u16 keyattrlen;
1220 				u8  keyattr[32];
1221 				u8  pad2[1];
1222 				u8  vptype;
1223 				u8  vp[32];  /* verification pattern */
1224 			} ckb;
1225 		} vud;
1226 		struct {
1227 			u16 len;
1228 		} kb;
1229 	} __packed * prepparm;
1230 	int keytoklen = ((struct cipherkeytoken *)ckey)->len;
1231 
1232 	/* get already prepared memory for 2 cprbs with param block each */
1233 	rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1234 	if (rc)
1235 		return rc;
1236 
1237 	/* fill request cprb struct */
1238 	preqcblk->domain = domain;
1239 
1240 	/* fill request cprb param block with AU request */
1241 	preqparm = (struct aureqparm __force *) preqcblk->req_parmb;
1242 	memcpy(preqparm->subfunc_code, "AU", 2);
1243 	preqparm->rule_array_len =
1244 		sizeof(preqparm->rule_array_len)
1245 		+ sizeof(preqparm->rule_array);
1246 	memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1247 	/* vud, tk blob */
1248 	preqparm->vud.len = sizeof(preqparm->vud);
1249 	preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1250 		+ 2 * sizeof(uint16_t);
1251 	preqparm->vud.tk_blob_tag = 0x00C2;
1252 	/* kb, cca token */
1253 	preqparm->kb.len = keytoklen + 3 * sizeof(uint16_t);
1254 	preqparm->kb.cca_key_token_len = keytoklen + 2 * sizeof(uint16_t);
1255 	memcpy(preqparm->kb.cca_key_token, ckey, keytoklen);
1256 	/* now fill length of param block into cprb */
1257 	preqcblk->req_parml = sizeof(struct aureqparm) + keytoklen;
1258 
1259 	/* fill xcrb struct */
1260 	prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1261 
1262 	/* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1263 	rc = zcrypt_send_cprb(&xcrb);
1264 	if (rc) {
1265 		DEBUG_ERR(
1266 			"%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1267 			__func__, (int) cardnr, (int) domain, rc);
1268 		goto out;
1269 	}
1270 
1271 	/* check response returncode and reasoncode */
1272 	if (prepcblk->ccp_rtcode != 0) {
1273 		DEBUG_ERR(
1274 			"%s unwrap secure key failure, card response %d/%d\n",
1275 			__func__,
1276 			(int) prepcblk->ccp_rtcode,
1277 			(int) prepcblk->ccp_rscode);
1278 		rc = -EIO;
1279 		goto out;
1280 	}
1281 	if (prepcblk->ccp_rscode != 0) {
1282 		DEBUG_WARN(
1283 			"%s unwrap secure key warning, card response %d/%d\n",
1284 			__func__,
1285 			(int) prepcblk->ccp_rtcode,
1286 			(int) prepcblk->ccp_rscode);
1287 	}
1288 
1289 	/* process response cprb param block */
1290 	ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1291 	prepcblk->rpl_parmb = (u8 __user *) ptr;
1292 	prepparm = (struct aurepparm *) ptr;
1293 
1294 	/* check the returned keyblock */
1295 	if (prepparm->vud.ckb.version != 0x01 &&
1296 	    prepparm->vud.ckb.version != 0x02) {
1297 		DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x\n",
1298 			  __func__, (int) prepparm->vud.ckb.version);
1299 		rc = -EIO;
1300 		goto out;
1301 	}
1302 	if (prepparm->vud.ckb.algo != 0x02) {
1303 		DEBUG_ERR(
1304 			"%s reply param keyblock algo mismatch 0x%02x != 0x02\n",
1305 			__func__, (int) prepparm->vud.ckb.algo);
1306 		rc = -EIO;
1307 		goto out;
1308 	}
1309 
1310 	/* copy the translated protected key */
1311 	switch (prepparm->vud.ckb.keylen) {
1312 	case 16+32:
1313 		/* AES 128 protected key */
1314 		if (protkeytype)
1315 			*protkeytype = PKEY_KEYTYPE_AES_128;
1316 		break;
1317 	case 24+32:
1318 		/* AES 192 protected key */
1319 		if (protkeytype)
1320 			*protkeytype = PKEY_KEYTYPE_AES_192;
1321 		break;
1322 	case 32+32:
1323 		/* AES 256 protected key */
1324 		if (protkeytype)
1325 			*protkeytype = PKEY_KEYTYPE_AES_256;
1326 		break;
1327 	default:
1328 		DEBUG_ERR("%s unknown/unsupported keylen %d\n",
1329 			  __func__, prepparm->vud.ckb.keylen);
1330 		rc = -EIO;
1331 		goto out;
1332 	}
1333 	memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1334 	if (protkeylen)
1335 		*protkeylen = prepparm->vud.ckb.keylen;
1336 
1337 out:
1338 	free_cprbmem(mem, PARMBSIZE, 0);
1339 	return rc;
1340 }
1341 EXPORT_SYMBOL(cca_cipher2protkey);
1342 
1343 /*
1344  * Derive protected key from CCA ECC secure private key.
1345  */
1346 int cca_ecc2protkey(u16 cardnr, u16 domain, const u8 *key,
1347 		    u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1348 {
1349 	int rc;
1350 	u8 *mem, *ptr;
1351 	struct CPRBX *preqcblk, *prepcblk;
1352 	struct ica_xcRB xcrb;
1353 	struct aureqparm {
1354 		u8  subfunc_code[2];
1355 		u16 rule_array_len;
1356 		u8  rule_array[8];
1357 		struct {
1358 			u16 len;
1359 			u16 tk_blob_len;
1360 			u16 tk_blob_tag;
1361 			u8  tk_blob[66];
1362 		} vud;
1363 		struct {
1364 			u16 len;
1365 			u16 cca_key_token_len;
1366 			u16 cca_key_token_flags;
1367 			u8  cca_key_token[0];
1368 		} kb;
1369 	} __packed * preqparm;
1370 	struct aurepparm {
1371 		u8  subfunc_code[2];
1372 		u16 rule_array_len;
1373 		struct {
1374 			u16 len;
1375 			u16 sublen;
1376 			u16 tag;
1377 			struct cpacfkeyblock {
1378 				u8  version;  /* version of this struct */
1379 				u8  flags[2];
1380 				u8  algo;
1381 				u8  form;
1382 				u8  pad1[3];
1383 				u16 keylen;
1384 				u8  key[0];  /* the key (keylen bytes) */
1385 				u16 keyattrlen;
1386 				u8  keyattr[32];
1387 				u8  pad2[1];
1388 				u8  vptype;
1389 				u8  vp[32];  /* verification pattern */
1390 			} ckb;
1391 		} vud;
1392 		struct {
1393 			u16 len;
1394 		} kb;
1395 	} __packed * prepparm;
1396 	int keylen = ((struct eccprivkeytoken *)key)->len;
1397 
1398 	/* get already prepared memory for 2 cprbs with param block each */
1399 	rc = alloc_and_prep_cprbmem(PARMBSIZE, &mem, &preqcblk, &prepcblk);
1400 	if (rc)
1401 		return rc;
1402 
1403 	/* fill request cprb struct */
1404 	preqcblk->domain = domain;
1405 
1406 	/* fill request cprb param block with AU request */
1407 	preqparm = (struct aureqparm __force *) preqcblk->req_parmb;
1408 	memcpy(preqparm->subfunc_code, "AU", 2);
1409 	preqparm->rule_array_len =
1410 		sizeof(preqparm->rule_array_len)
1411 		+ sizeof(preqparm->rule_array);
1412 	memcpy(preqparm->rule_array, "EXPT-SK ", 8);
1413 	/* vud, tk blob */
1414 	preqparm->vud.len = sizeof(preqparm->vud);
1415 	preqparm->vud.tk_blob_len = sizeof(preqparm->vud.tk_blob)
1416 		+ 2 * sizeof(uint16_t);
1417 	preqparm->vud.tk_blob_tag = 0x00C2;
1418 	/* kb, cca token */
1419 	preqparm->kb.len = keylen + 3 * sizeof(uint16_t);
1420 	preqparm->kb.cca_key_token_len = keylen + 2 * sizeof(uint16_t);
1421 	memcpy(preqparm->kb.cca_key_token, key, keylen);
1422 	/* now fill length of param block into cprb */
1423 	preqcblk->req_parml = sizeof(struct aureqparm) + keylen;
1424 
1425 	/* fill xcrb struct */
1426 	prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1427 
1428 	/* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1429 	rc = zcrypt_send_cprb(&xcrb);
1430 	if (rc) {
1431 		DEBUG_ERR(
1432 			"%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1433 			__func__, (int) cardnr, (int) domain, rc);
1434 		goto out;
1435 	}
1436 
1437 	/* check response returncode and reasoncode */
1438 	if (prepcblk->ccp_rtcode != 0) {
1439 		DEBUG_ERR(
1440 			"%s unwrap secure key failure, card response %d/%d\n",
1441 			__func__,
1442 			(int) prepcblk->ccp_rtcode,
1443 			(int) prepcblk->ccp_rscode);
1444 		rc = -EIO;
1445 		goto out;
1446 	}
1447 	if (prepcblk->ccp_rscode != 0) {
1448 		DEBUG_WARN(
1449 			"%s unwrap secure key warning, card response %d/%d\n",
1450 			__func__,
1451 			(int) prepcblk->ccp_rtcode,
1452 			(int) prepcblk->ccp_rscode);
1453 	}
1454 
1455 	/* process response cprb param block */
1456 	ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1457 	prepcblk->rpl_parmb = (u8 __user *) ptr;
1458 	prepparm = (struct aurepparm *) ptr;
1459 
1460 	/* check the returned keyblock */
1461 	if (prepparm->vud.ckb.version != 0x02) {
1462 		DEBUG_ERR("%s reply param keyblock version mismatch 0x%02x != 0x02\n",
1463 			  __func__, (int) prepparm->vud.ckb.version);
1464 		rc = -EIO;
1465 		goto out;
1466 	}
1467 	if (prepparm->vud.ckb.algo != 0x81) {
1468 		DEBUG_ERR(
1469 			"%s reply param keyblock algo mismatch 0x%02x != 0x81\n",
1470 			__func__, (int) prepparm->vud.ckb.algo);
1471 		rc = -EIO;
1472 		goto out;
1473 	}
1474 
1475 	/* copy the translated protected key */
1476 	if (prepparm->vud.ckb.keylen > *protkeylen) {
1477 		DEBUG_ERR("%s prot keylen mismatch %d > buffersize %u\n",
1478 			  __func__, prepparm->vud.ckb.keylen, *protkeylen);
1479 		rc = -EIO;
1480 		goto out;
1481 	}
1482 	memcpy(protkey, prepparm->vud.ckb.key, prepparm->vud.ckb.keylen);
1483 	*protkeylen = prepparm->vud.ckb.keylen;
1484 	if (protkeytype)
1485 		*protkeytype = PKEY_KEYTYPE_ECC;
1486 
1487 out:
1488 	free_cprbmem(mem, PARMBSIZE, 0);
1489 	return rc;
1490 }
1491 EXPORT_SYMBOL(cca_ecc2protkey);
1492 
1493 /*
1494  * query cryptographic facility from CCA adapter
1495  */
1496 int cca_query_crypto_facility(u16 cardnr, u16 domain,
1497 			      const char *keyword,
1498 			      u8 *rarray, size_t *rarraylen,
1499 			      u8 *varray, size_t *varraylen)
1500 {
1501 	int rc;
1502 	u16 len;
1503 	u8 *mem, *ptr;
1504 	struct CPRBX *preqcblk, *prepcblk;
1505 	struct ica_xcRB xcrb;
1506 	struct fqreqparm {
1507 		u8  subfunc_code[2];
1508 		u16 rule_array_len;
1509 		char  rule_array[8];
1510 		struct lv1 {
1511 			u16 len;
1512 			u8  data[VARDATASIZE];
1513 		} lv1;
1514 		u16 dummylen;
1515 	} __packed * preqparm;
1516 	size_t parmbsize = sizeof(struct fqreqparm);
1517 	struct fqrepparm {
1518 		u8  subfunc_code[2];
1519 		u8  lvdata[0];
1520 	} __packed * prepparm;
1521 
1522 	/* get already prepared memory for 2 cprbs with param block each */
1523 	rc = alloc_and_prep_cprbmem(parmbsize, &mem, &preqcblk, &prepcblk);
1524 	if (rc)
1525 		return rc;
1526 
1527 	/* fill request cprb struct */
1528 	preqcblk->domain = domain;
1529 
1530 	/* fill request cprb param block with FQ request */
1531 	preqparm = (struct fqreqparm __force *) preqcblk->req_parmb;
1532 	memcpy(preqparm->subfunc_code, "FQ", 2);
1533 	memcpy(preqparm->rule_array, keyword, sizeof(preqparm->rule_array));
1534 	preqparm->rule_array_len =
1535 		sizeof(preqparm->rule_array_len) + sizeof(preqparm->rule_array);
1536 	preqparm->lv1.len = sizeof(preqparm->lv1);
1537 	preqparm->dummylen = sizeof(preqparm->dummylen);
1538 	preqcblk->req_parml = parmbsize;
1539 
1540 	/* fill xcrb struct */
1541 	prep_xcrb(&xcrb, cardnr, preqcblk, prepcblk);
1542 
1543 	/* forward xcrb with request CPRB and reply CPRB to zcrypt dd */
1544 	rc = zcrypt_send_cprb(&xcrb);
1545 	if (rc) {
1546 		DEBUG_ERR("%s zcrypt_send_cprb (cardnr=%d domain=%d) failed, rc=%d\n",
1547 			  __func__, (int) cardnr, (int) domain, rc);
1548 		goto out;
1549 	}
1550 
1551 	/* check response returncode and reasoncode */
1552 	if (prepcblk->ccp_rtcode != 0) {
1553 		DEBUG_ERR("%s unwrap secure key failure, card response %d/%d\n",
1554 			  __func__,
1555 			  (int) prepcblk->ccp_rtcode,
1556 			  (int) prepcblk->ccp_rscode);
1557 		rc = -EIO;
1558 		goto out;
1559 	}
1560 
1561 	/* process response cprb param block */
1562 	ptr = ((u8 *) prepcblk) + sizeof(struct CPRBX);
1563 	prepcblk->rpl_parmb = (u8 __user *) ptr;
1564 	prepparm = (struct fqrepparm *) ptr;
1565 	ptr = prepparm->lvdata;
1566 
1567 	/* check and possibly copy reply rule array */
1568 	len = *((u16 *) ptr);
1569 	if (len > sizeof(u16)) {
1570 		ptr += sizeof(u16);
1571 		len -= sizeof(u16);
1572 		if (rarray && rarraylen && *rarraylen > 0) {
1573 			*rarraylen = (len > *rarraylen ? *rarraylen : len);
1574 			memcpy(rarray, ptr, *rarraylen);
1575 		}
1576 		ptr += len;
1577 	}
1578 	/* check and possible copy reply var array */
1579 	len = *((u16 *) ptr);
1580 	if (len > sizeof(u16)) {
1581 		ptr += sizeof(u16);
1582 		len -= sizeof(u16);
1583 		if (varray && varraylen && *varraylen > 0) {
1584 			*varraylen = (len > *varraylen ? *varraylen : len);
1585 			memcpy(varray, ptr, *varraylen);
1586 		}
1587 		ptr += len;
1588 	}
1589 
1590 out:
1591 	free_cprbmem(mem, parmbsize, 0);
1592 	return rc;
1593 }
1594 EXPORT_SYMBOL(cca_query_crypto_facility);
1595 
1596 static int cca_info_cache_fetch(u16 cardnr, u16 domain, struct cca_info *ci)
1597 {
1598 	int rc = -ENOENT;
1599 	struct cca_info_list_entry *ptr;
1600 
1601 	spin_lock_bh(&cca_info_list_lock);
1602 	list_for_each_entry(ptr, &cca_info_list, list) {
1603 		if (ptr->cardnr == cardnr && ptr->domain == domain) {
1604 			memcpy(ci, &ptr->info, sizeof(*ci));
1605 			rc = 0;
1606 			break;
1607 		}
1608 	}
1609 	spin_unlock_bh(&cca_info_list_lock);
1610 
1611 	return rc;
1612 }
1613 
1614 static void cca_info_cache_update(u16 cardnr, u16 domain,
1615 				  const struct cca_info *ci)
1616 {
1617 	int found = 0;
1618 	struct cca_info_list_entry *ptr;
1619 
1620 	spin_lock_bh(&cca_info_list_lock);
1621 	list_for_each_entry(ptr, &cca_info_list, list) {
1622 		if (ptr->cardnr == cardnr &&
1623 		    ptr->domain == domain) {
1624 			memcpy(&ptr->info, ci, sizeof(*ci));
1625 			found = 1;
1626 			break;
1627 		}
1628 	}
1629 	if (!found) {
1630 		ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
1631 		if (!ptr) {
1632 			spin_unlock_bh(&cca_info_list_lock);
1633 			return;
1634 		}
1635 		ptr->cardnr = cardnr;
1636 		ptr->domain = domain;
1637 		memcpy(&ptr->info, ci, sizeof(*ci));
1638 		list_add(&ptr->list, &cca_info_list);
1639 	}
1640 	spin_unlock_bh(&cca_info_list_lock);
1641 }
1642 
1643 static void cca_info_cache_scrub(u16 cardnr, u16 domain)
1644 {
1645 	struct cca_info_list_entry *ptr;
1646 
1647 	spin_lock_bh(&cca_info_list_lock);
1648 	list_for_each_entry(ptr, &cca_info_list, list) {
1649 		if (ptr->cardnr == cardnr &&
1650 		    ptr->domain == domain) {
1651 			list_del(&ptr->list);
1652 			kfree(ptr);
1653 			break;
1654 		}
1655 	}
1656 	spin_unlock_bh(&cca_info_list_lock);
1657 }
1658 
1659 static void __exit mkvp_cache_free(void)
1660 {
1661 	struct cca_info_list_entry *ptr, *pnext;
1662 
1663 	spin_lock_bh(&cca_info_list_lock);
1664 	list_for_each_entry_safe(ptr, pnext, &cca_info_list, list) {
1665 		list_del(&ptr->list);
1666 		kfree(ptr);
1667 	}
1668 	spin_unlock_bh(&cca_info_list_lock);
1669 }
1670 
1671 /*
1672  * Fetch cca_info values via query_crypto_facility from adapter.
1673  */
1674 static int fetch_cca_info(u16 cardnr, u16 domain, struct cca_info *ci)
1675 {
1676 	int rc, found = 0;
1677 	size_t rlen, vlen;
1678 	u8 *rarray, *varray, *pg;
1679 	struct zcrypt_device_status_ext devstat;
1680 
1681 	memset(ci, 0, sizeof(*ci));
1682 
1683 	/* get first info from zcrypt device driver about this apqn */
1684 	rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
1685 	if (rc)
1686 		return rc;
1687 	ci->hwtype = devstat.hwtype;
1688 
1689 	/* prep page for rule array and var array use */
1690 	pg = (u8 *) __get_free_page(GFP_KERNEL);
1691 	if (!pg)
1692 		return -ENOMEM;
1693 	rarray = pg;
1694 	varray = pg + PAGE_SIZE/2;
1695 	rlen = vlen = PAGE_SIZE/2;
1696 
1697 	/* QF for this card/domain */
1698 	rc = cca_query_crypto_facility(cardnr, domain, "STATICSA",
1699 				       rarray, &rlen, varray, &vlen);
1700 	if (rc == 0 && rlen >= 10*8 && vlen >= 204) {
1701 		memcpy(ci->serial, rarray, 8);
1702 		ci->new_aes_mk_state = (char) rarray[7*8];
1703 		ci->cur_aes_mk_state = (char) rarray[8*8];
1704 		ci->old_aes_mk_state = (char) rarray[9*8];
1705 		if (ci->old_aes_mk_state == '2')
1706 			memcpy(&ci->old_aes_mkvp, varray + 172, 8);
1707 		if (ci->cur_aes_mk_state == '2')
1708 			memcpy(&ci->cur_aes_mkvp, varray + 184, 8);
1709 		if (ci->new_aes_mk_state == '3')
1710 			memcpy(&ci->new_aes_mkvp, varray + 196, 8);
1711 		found++;
1712 	}
1713 	if (!found)
1714 		goto out;
1715 	rlen = vlen = PAGE_SIZE/2;
1716 	rc = cca_query_crypto_facility(cardnr, domain, "STATICSB",
1717 				       rarray, &rlen, varray, &vlen);
1718 	if (rc == 0 && rlen >= 10*8 && vlen >= 240) {
1719 		ci->new_apka_mk_state = (char) rarray[7*8];
1720 		ci->cur_apka_mk_state = (char) rarray[8*8];
1721 		ci->old_apka_mk_state = (char) rarray[9*8];
1722 		if (ci->old_apka_mk_state == '2')
1723 			memcpy(&ci->old_apka_mkvp, varray + 208, 8);
1724 		if (ci->cur_apka_mk_state == '2')
1725 			memcpy(&ci->cur_apka_mkvp, varray + 220, 8);
1726 		if (ci->new_apka_mk_state == '3')
1727 			memcpy(&ci->new_apka_mkvp, varray + 232, 8);
1728 		found++;
1729 	}
1730 
1731 out:
1732 	free_page((unsigned long) pg);
1733 	return found == 2 ? 0 : -ENOENT;
1734 }
1735 
1736 /*
1737  * Fetch cca information about a CCA queue.
1738  */
1739 int cca_get_info(u16 card, u16 dom, struct cca_info *ci, int verify)
1740 {
1741 	int rc;
1742 
1743 	rc = cca_info_cache_fetch(card, dom, ci);
1744 	if (rc || verify) {
1745 		rc = fetch_cca_info(card, dom, ci);
1746 		if (rc == 0)
1747 			cca_info_cache_update(card, dom, ci);
1748 	}
1749 
1750 	return rc;
1751 }
1752 EXPORT_SYMBOL(cca_get_info);
1753 
1754 /*
1755  * Search for a matching crypto card based on the
1756  * Master Key Verification Pattern given.
1757  */
1758 static int findcard(u64 mkvp, u16 *pcardnr, u16 *pdomain,
1759 		    int verify, int minhwtype)
1760 {
1761 	struct zcrypt_device_status_ext *device_status;
1762 	u16 card, dom;
1763 	struct cca_info ci;
1764 	int i, rc, oi = -1;
1765 
1766 	/* mkvp must not be zero, minhwtype needs to be >= 0 */
1767 	if (mkvp == 0 || minhwtype < 0)
1768 		return -EINVAL;
1769 
1770 	/* fetch status of all crypto cards */
1771 	device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1772 				       sizeof(struct zcrypt_device_status_ext),
1773 				       GFP_KERNEL);
1774 	if (!device_status)
1775 		return -ENOMEM;
1776 	zcrypt_device_status_mask_ext(device_status);
1777 
1778 	/* walk through all crypto cards */
1779 	for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1780 		card = AP_QID_CARD(device_status[i].qid);
1781 		dom = AP_QID_QUEUE(device_status[i].qid);
1782 		if (device_status[i].online &&
1783 		    device_status[i].functions & 0x04) {
1784 			/* enabled CCA card, check current mkvp from cache */
1785 			if (cca_info_cache_fetch(card, dom, &ci) == 0 &&
1786 			    ci.hwtype >= minhwtype &&
1787 			    ci.cur_aes_mk_state == '2' &&
1788 			    ci.cur_aes_mkvp == mkvp) {
1789 				if (!verify)
1790 					break;
1791 				/* verify: refresh card info */
1792 				if (fetch_cca_info(card, dom, &ci) == 0) {
1793 					cca_info_cache_update(card, dom, &ci);
1794 					if (ci.hwtype >= minhwtype &&
1795 					    ci.cur_aes_mk_state == '2' &&
1796 					    ci.cur_aes_mkvp == mkvp)
1797 						break;
1798 				}
1799 			}
1800 		} else {
1801 			/* Card is offline and/or not a CCA card. */
1802 			/* del mkvp entry from cache if it exists */
1803 			cca_info_cache_scrub(card, dom);
1804 		}
1805 	}
1806 	if (i >= MAX_ZDEV_ENTRIES_EXT) {
1807 		/* nothing found, so this time without cache */
1808 		for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1809 			if (!(device_status[i].online &&
1810 			      device_status[i].functions & 0x04))
1811 				continue;
1812 			card = AP_QID_CARD(device_status[i].qid);
1813 			dom = AP_QID_QUEUE(device_status[i].qid);
1814 			/* fresh fetch mkvp from adapter */
1815 			if (fetch_cca_info(card, dom, &ci) == 0) {
1816 				cca_info_cache_update(card, dom, &ci);
1817 				if (ci.hwtype >= minhwtype &&
1818 				    ci.cur_aes_mk_state == '2' &&
1819 				    ci.cur_aes_mkvp == mkvp)
1820 					break;
1821 				if (ci.hwtype >= minhwtype &&
1822 				    ci.old_aes_mk_state == '2' &&
1823 				    ci.old_aes_mkvp == mkvp &&
1824 				    oi < 0)
1825 					oi = i;
1826 			}
1827 		}
1828 		if (i >= MAX_ZDEV_ENTRIES_EXT && oi >= 0) {
1829 			/* old mkvp matched, use this card then */
1830 			card = AP_QID_CARD(device_status[oi].qid);
1831 			dom = AP_QID_QUEUE(device_status[oi].qid);
1832 		}
1833 	}
1834 	if (i < MAX_ZDEV_ENTRIES_EXT || oi >= 0) {
1835 		if (pcardnr)
1836 			*pcardnr = card;
1837 		if (pdomain)
1838 			*pdomain = dom;
1839 		rc = (i < MAX_ZDEV_ENTRIES_EXT ? 0 : 1);
1840 	} else
1841 		rc = -ENODEV;
1842 
1843 	kvfree(device_status);
1844 	return rc;
1845 }
1846 
1847 /*
1848  * Search for a matching crypto card based on the Master Key
1849  * Verification Pattern provided inside a secure key token.
1850  */
1851 int cca_findcard(const u8 *key, u16 *pcardnr, u16 *pdomain, int verify)
1852 {
1853 	u64 mkvp;
1854 	int minhwtype = 0;
1855 	const struct keytoken_header *hdr = (struct keytoken_header *) key;
1856 
1857 	if (hdr->type != TOKTYPE_CCA_INTERNAL)
1858 		return -EINVAL;
1859 
1860 	switch (hdr->version) {
1861 	case TOKVER_CCA_AES:
1862 		mkvp = ((struct secaeskeytoken *)key)->mkvp;
1863 		break;
1864 	case TOKVER_CCA_VLSC:
1865 		mkvp = ((struct cipherkeytoken *)key)->mkvp0;
1866 		minhwtype = AP_DEVICE_TYPE_CEX6;
1867 		break;
1868 	default:
1869 		return -EINVAL;
1870 	}
1871 
1872 	return findcard(mkvp, pcardnr, pdomain, verify, minhwtype);
1873 }
1874 EXPORT_SYMBOL(cca_findcard);
1875 
1876 int cca_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1877 		  int minhwtype, int mktype, u64 cur_mkvp, u64 old_mkvp,
1878 		  int verify)
1879 {
1880 	struct zcrypt_device_status_ext *device_status;
1881 	u32 *_apqns = NULL, _nr_apqns = 0;
1882 	int i, card, dom, curmatch, oldmatch, rc = 0;
1883 	struct cca_info ci;
1884 
1885 	/* fetch status of all crypto cards */
1886 	device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1887 				       sizeof(struct zcrypt_device_status_ext),
1888 				       GFP_KERNEL);
1889 	if (!device_status)
1890 		return -ENOMEM;
1891 	zcrypt_device_status_mask_ext(device_status);
1892 
1893 	/* allocate 1k space for up to 256 apqns */
1894 	_apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL);
1895 	if (!_apqns) {
1896 		kvfree(device_status);
1897 		return -ENOMEM;
1898 	}
1899 
1900 	/* walk through all the crypto apqnss */
1901 	for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1902 		card = AP_QID_CARD(device_status[i].qid);
1903 		dom = AP_QID_QUEUE(device_status[i].qid);
1904 		/* check online state */
1905 		if (!device_status[i].online)
1906 			continue;
1907 		/* check for cca functions */
1908 		if (!(device_status[i].functions & 0x04))
1909 			continue;
1910 		/* check cardnr */
1911 		if (cardnr != 0xFFFF && card != cardnr)
1912 			continue;
1913 		/* check domain */
1914 		if (domain != 0xFFFF && dom != domain)
1915 			continue;
1916 		/* get cca info on this apqn */
1917 		if (cca_get_info(card, dom, &ci, verify))
1918 			continue;
1919 		/* current master key needs to be valid */
1920 		if (mktype == AES_MK_SET && ci.cur_aes_mk_state != '2')
1921 			continue;
1922 		if (mktype == APKA_MK_SET && ci.cur_apka_mk_state != '2')
1923 			continue;
1924 		/* check min hardware type */
1925 		if (minhwtype > 0 && minhwtype > ci.hwtype)
1926 			continue;
1927 		if (cur_mkvp || old_mkvp) {
1928 			/* check mkvps */
1929 			curmatch = oldmatch = 0;
1930 			if (mktype == AES_MK_SET) {
1931 				if (cur_mkvp && cur_mkvp == ci.cur_aes_mkvp)
1932 					curmatch = 1;
1933 				if (old_mkvp && ci.old_aes_mk_state == '2' &&
1934 				    old_mkvp == ci.old_aes_mkvp)
1935 					oldmatch = 1;
1936 			} else {
1937 				if (cur_mkvp && cur_mkvp == ci.cur_apka_mkvp)
1938 					curmatch = 1;
1939 				if (old_mkvp && ci.old_apka_mk_state == '2' &&
1940 				    old_mkvp == ci.old_apka_mkvp)
1941 					oldmatch = 1;
1942 			}
1943 			if (curmatch + oldmatch < 1)
1944 				continue;
1945 		}
1946 		/* apqn passed all filtering criterons, add to the array */
1947 		if (_nr_apqns < 256)
1948 			_apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16) dom);
1949 	}
1950 
1951 	/* nothing found ? */
1952 	if (!_nr_apqns) {
1953 		kfree(_apqns);
1954 		rc = -ENODEV;
1955 	} else {
1956 		/* no re-allocation, simple return the _apqns array */
1957 		*apqns = _apqns;
1958 		*nr_apqns = _nr_apqns;
1959 		rc = 0;
1960 	}
1961 
1962 	kvfree(device_status);
1963 	return rc;
1964 }
1965 EXPORT_SYMBOL(cca_findcard2);
1966 
1967 void __exit zcrypt_ccamisc_exit(void)
1968 {
1969 	mkvp_cache_free();
1970 }
1971