1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * Copyright IBM Corp. 2001, 2012 4 * Author(s): Robert Burroughs 5 * Eric Rossman (edrossma@us.ibm.com) 6 * 7 * Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com) 8 * Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com> 9 * Ralph Wuerthner <rwuerthn@de.ibm.com> 10 * MSGTYPE restruct: Holger Dengler <hd@linux.vnet.ibm.com> 11 */ 12 13 #define KMSG_COMPONENT "zcrypt" 14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 15 16 #include <linux/module.h> 17 #include <linux/init.h> 18 #include <linux/err.h> 19 #include <linux/delay.h> 20 #include <linux/slab.h> 21 #include <linux/atomic.h> 22 #include <linux/uaccess.h> 23 24 #include "ap_bus.h" 25 #include "zcrypt_api.h" 26 #include "zcrypt_error.h" 27 #include "zcrypt_msgtype6.h" 28 #include "zcrypt_cca_key.h" 29 30 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */ 31 32 #define CEIL4(x) ((((x)+3)/4)*4) 33 34 struct response_type { 35 struct completion work; 36 int type; 37 }; 38 #define CEXXC_RESPONSE_TYPE_ICA 0 39 #define CEXXC_RESPONSE_TYPE_XCRB 1 40 #define CEXXC_RESPONSE_TYPE_EP11 2 41 42 MODULE_AUTHOR("IBM Corporation"); 43 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \ 44 "Copyright IBM Corp. 2001, 2012"); 45 MODULE_LICENSE("GPL"); 46 47 /* 48 * CPRB 49 * Note that all shorts, ints and longs are little-endian. 50 * All pointer fields are 32-bits long, and mean nothing 51 * 52 * A request CPRB is followed by a request_parameter_block. 53 * 54 * The request (or reply) parameter block is organized thus: 55 * function code 56 * VUD block 57 * key block 58 */ 59 struct CPRB { 60 unsigned short cprb_len; /* CPRB length */ 61 unsigned char cprb_ver_id; /* CPRB version id. */ 62 unsigned char pad_000; /* Alignment pad byte. */ 63 unsigned char srpi_rtcode[4]; /* SRPI return code LELONG */ 64 unsigned char srpi_verb; /* SRPI verb type */ 65 unsigned char flags; /* flags */ 66 unsigned char func_id[2]; /* function id */ 67 unsigned char checkpoint_flag; /* */ 68 unsigned char resv2; /* reserved */ 69 unsigned short req_parml; /* request parameter buffer */ 70 /* length 16-bit little endian */ 71 unsigned char req_parmp[4]; /* request parameter buffer * 72 * pointer (means nothing: the * 73 * parameter buffer follows * 74 * the CPRB). */ 75 unsigned char req_datal[4]; /* request data buffer */ 76 /* length ULELONG */ 77 unsigned char req_datap[4]; /* request data buffer */ 78 /* pointer */ 79 unsigned short rpl_parml; /* reply parameter buffer */ 80 /* length 16-bit little endian */ 81 unsigned char pad_001[2]; /* Alignment pad bytes. ULESHORT */ 82 unsigned char rpl_parmp[4]; /* reply parameter buffer * 83 * pointer (means nothing: the * 84 * parameter buffer follows * 85 * the CPRB). */ 86 unsigned char rpl_datal[4]; /* reply data buffer len ULELONG */ 87 unsigned char rpl_datap[4]; /* reply data buffer */ 88 /* pointer */ 89 unsigned short ccp_rscode; /* server reason code ULESHORT */ 90 unsigned short ccp_rtcode; /* server return code ULESHORT */ 91 unsigned char repd_parml[2]; /* replied parameter len ULESHORT*/ 92 unsigned char mac_data_len[2]; /* Mac Data Length ULESHORT */ 93 unsigned char repd_datal[4]; /* replied data length ULELONG */ 94 unsigned char req_pc[2]; /* PC identifier */ 95 unsigned char res_origin[8]; /* resource origin */ 96 unsigned char mac_value[8]; /* Mac Value */ 97 unsigned char logon_id[8]; /* Logon Identifier */ 98 unsigned char usage_domain[2]; /* cdx */ 99 unsigned char resv3[18]; /* reserved for requestor */ 100 unsigned short svr_namel; /* server name length ULESHORT */ 101 unsigned char svr_name[8]; /* server name */ 102 } __packed; 103 104 struct function_and_rules_block { 105 unsigned char function_code[2]; 106 unsigned short ulen; 107 unsigned char only_rule[8]; 108 } __packed; 109 110 /* 111 * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP 112 * card in a type6 message. The 3 fields that must be filled in at execution 113 * time are req_parml, rpl_parml and usage_domain. 114 * Everything about this interface is ascii/big-endian, since the 115 * device does *not* have 'Intel inside'. 116 * 117 * The CPRBX is followed immediately by the parm block. 118 * The parm block contains: 119 * - function code ('PD' 0x5044 or 'PK' 0x504B) 120 * - rule block (one of:) 121 * + 0x000A 'PKCS-1.2' (MCL2 'PD') 122 * + 0x000A 'ZERO-PAD' (MCL2 'PK') 123 * + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD') 124 * + 0x000A 'MRP ' (MCL3 'PK' or CEX2C 'PK') 125 * - VUD block 126 */ 127 static const struct CPRBX static_cprbx = { 128 .cprb_len = 0x00DC, 129 .cprb_ver_id = 0x02, 130 .func_id = {0x54, 0x32}, 131 }; 132 133 int speed_idx_cca(int req_type) 134 { 135 switch (req_type) { 136 case 0x4142: 137 case 0x4149: 138 case 0x414D: 139 case 0x4341: 140 case 0x4344: 141 case 0x4354: 142 case 0x4358: 143 case 0x444B: 144 case 0x4558: 145 case 0x4643: 146 case 0x4651: 147 case 0x4C47: 148 case 0x4C4B: 149 case 0x4C51: 150 case 0x4F48: 151 case 0x504F: 152 case 0x5053: 153 case 0x5058: 154 case 0x5343: 155 case 0x5344: 156 case 0x5345: 157 case 0x5350: 158 return LOW; 159 case 0x414B: 160 case 0x4345: 161 case 0x4349: 162 case 0x434D: 163 case 0x4847: 164 case 0x4849: 165 case 0x484D: 166 case 0x4850: 167 case 0x4851: 168 case 0x4954: 169 case 0x4958: 170 case 0x4B43: 171 case 0x4B44: 172 case 0x4B45: 173 case 0x4B47: 174 case 0x4B48: 175 case 0x4B49: 176 case 0x4B4E: 177 case 0x4B50: 178 case 0x4B52: 179 case 0x4B54: 180 case 0x4B58: 181 case 0x4D50: 182 case 0x4D53: 183 case 0x4D56: 184 case 0x4D58: 185 case 0x5044: 186 case 0x5045: 187 case 0x5046: 188 case 0x5047: 189 case 0x5049: 190 case 0x504B: 191 case 0x504D: 192 case 0x5254: 193 case 0x5347: 194 case 0x5349: 195 case 0x534B: 196 case 0x534D: 197 case 0x5356: 198 case 0x5358: 199 case 0x5443: 200 case 0x544B: 201 case 0x5647: 202 return HIGH; 203 default: 204 return MEDIUM; 205 } 206 } 207 208 int speed_idx_ep11(int req_type) 209 { 210 switch (req_type) { 211 case 1: 212 case 2: 213 case 36: 214 case 37: 215 case 38: 216 case 39: 217 case 40: 218 return LOW; 219 case 17: 220 case 18: 221 case 19: 222 case 20: 223 case 21: 224 case 22: 225 case 26: 226 case 30: 227 case 31: 228 case 32: 229 case 33: 230 case 34: 231 case 35: 232 return HIGH; 233 default: 234 return MEDIUM; 235 } 236 } 237 238 239 /* 240 * Convert a ICAMEX message to a type6 MEX message. 241 * 242 * @zq: crypto device pointer 243 * @ap_msg: pointer to AP message 244 * @mex: pointer to user input data 245 * 246 * Returns 0 on success or negative errno value. 247 */ 248 static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq, 249 struct ap_message *ap_msg, 250 struct ica_rsa_modexpo *mex) 251 { 252 static struct type6_hdr static_type6_hdrX = { 253 .type = 0x06, 254 .offset1 = 0x00000058, 255 .agent_id = {'C', 'A',}, 256 .function_code = {'P', 'K'}, 257 }; 258 static struct function_and_rules_block static_pke_fnr = { 259 .function_code = {'P', 'K'}, 260 .ulen = 10, 261 .only_rule = {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '} 262 }; 263 struct { 264 struct type6_hdr hdr; 265 struct CPRBX cprbx; 266 struct function_and_rules_block fr; 267 unsigned short length; 268 char text[0]; 269 } __packed * msg = ap_msg->msg; 270 int size; 271 272 /* 273 * The inputdatalength was a selection criteria in the dispatching 274 * function zcrypt_rsa_modexpo(). However, make sure the following 275 * copy_from_user() never exceeds the allocated buffer space. 276 */ 277 if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE)) 278 return -EINVAL; 279 280 /* VUD.ciphertext */ 281 msg->length = mex->inputdatalength + 2; 282 if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength)) 283 return -EFAULT; 284 285 /* Set up key which is located after the variable length text. */ 286 size = zcrypt_type6_mex_key_en(mex, msg->text+mex->inputdatalength); 287 if (size < 0) 288 return size; 289 size += sizeof(*msg) + mex->inputdatalength; 290 291 /* message header, cprbx and f&r */ 292 msg->hdr = static_type6_hdrX; 293 msg->hdr.ToCardLen1 = size - sizeof(msg->hdr); 294 msg->hdr.FromCardLen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr); 295 296 msg->cprbx = static_cprbx; 297 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid); 298 msg->cprbx.rpl_msgbl = msg->hdr.FromCardLen1; 299 300 msg->fr = static_pke_fnr; 301 302 msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx); 303 304 ap_msg->len = size; 305 return 0; 306 } 307 308 /* 309 * Convert a ICACRT message to a type6 CRT message. 310 * 311 * @zq: crypto device pointer 312 * @ap_msg: pointer to AP message 313 * @crt: pointer to user input data 314 * 315 * Returns 0 on success or negative errno value. 316 */ 317 static int ICACRT_msg_to_type6CRT_msgX(struct zcrypt_queue *zq, 318 struct ap_message *ap_msg, 319 struct ica_rsa_modexpo_crt *crt) 320 { 321 static struct type6_hdr static_type6_hdrX = { 322 .type = 0x06, 323 .offset1 = 0x00000058, 324 .agent_id = {'C', 'A',}, 325 .function_code = {'P', 'D'}, 326 }; 327 static struct function_and_rules_block static_pkd_fnr = { 328 .function_code = {'P', 'D'}, 329 .ulen = 10, 330 .only_rule = {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'} 331 }; 332 333 struct { 334 struct type6_hdr hdr; 335 struct CPRBX cprbx; 336 struct function_and_rules_block fr; 337 unsigned short length; 338 char text[0]; 339 } __packed * msg = ap_msg->msg; 340 int size; 341 342 /* 343 * The inputdatalength was a selection criteria in the dispatching 344 * function zcrypt_rsa_crt(). However, make sure the following 345 * copy_from_user() never exceeds the allocated buffer space. 346 */ 347 if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE)) 348 return -EINVAL; 349 350 /* VUD.ciphertext */ 351 msg->length = crt->inputdatalength + 2; 352 if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength)) 353 return -EFAULT; 354 355 /* Set up key which is located after the variable length text. */ 356 size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength); 357 if (size < 0) 358 return size; 359 size += sizeof(*msg) + crt->inputdatalength; /* total size of msg */ 360 361 /* message header, cprbx and f&r */ 362 msg->hdr = static_type6_hdrX; 363 msg->hdr.ToCardLen1 = size - sizeof(msg->hdr); 364 msg->hdr.FromCardLen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr); 365 366 msg->cprbx = static_cprbx; 367 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid); 368 msg->cprbx.req_parml = msg->cprbx.rpl_msgbl = 369 size - sizeof(msg->hdr) - sizeof(msg->cprbx); 370 371 msg->fr = static_pkd_fnr; 372 373 ap_msg->len = size; 374 return 0; 375 } 376 377 /* 378 * Convert a XCRB message to a type6 CPRB message. 379 * 380 * @zq: crypto device pointer 381 * @ap_msg: pointer to AP message 382 * @xcRB: pointer to user input data 383 * 384 * Returns 0 on success or -EFAULT, -EINVAL. 385 */ 386 struct type86_fmt2_msg { 387 struct type86_hdr hdr; 388 struct type86_fmt2_ext fmt2; 389 } __packed; 390 391 static int XCRB_msg_to_type6CPRB_msgX(bool userspace, struct ap_message *ap_msg, 392 struct ica_xcRB *xcRB, 393 unsigned int *fcode, 394 unsigned short **dom) 395 { 396 static struct type6_hdr static_type6_hdrX = { 397 .type = 0x06, 398 .offset1 = 0x00000058, 399 }; 400 struct { 401 struct type6_hdr hdr; 402 struct CPRBX cprbx; 403 } __packed * msg = ap_msg->msg; 404 405 int rcblen = CEIL4(xcRB->request_control_blk_length); 406 int req_sumlen, resp_sumlen; 407 char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen; 408 char *function_code; 409 410 if (CEIL4(xcRB->request_control_blk_length) < 411 xcRB->request_control_blk_length) 412 return -EINVAL; /* overflow after alignment*/ 413 414 /* length checks */ 415 ap_msg->len = sizeof(struct type6_hdr) + 416 CEIL4(xcRB->request_control_blk_length) + 417 xcRB->request_data_length; 418 if (ap_msg->len > ap_msg->bufsize) 419 return -EINVAL; 420 421 /* 422 * Overflow check 423 * sum must be greater (or equal) than the largest operand 424 */ 425 req_sumlen = CEIL4(xcRB->request_control_blk_length) + 426 xcRB->request_data_length; 427 if ((CEIL4(xcRB->request_control_blk_length) <= 428 xcRB->request_data_length) ? 429 (req_sumlen < xcRB->request_data_length) : 430 (req_sumlen < CEIL4(xcRB->request_control_blk_length))) { 431 return -EINVAL; 432 } 433 434 if (CEIL4(xcRB->reply_control_blk_length) < 435 xcRB->reply_control_blk_length) 436 return -EINVAL; /* overflow after alignment*/ 437 438 /* 439 * Overflow check 440 * sum must be greater (or equal) than the largest operand 441 */ 442 resp_sumlen = CEIL4(xcRB->reply_control_blk_length) + 443 xcRB->reply_data_length; 444 if ((CEIL4(xcRB->reply_control_blk_length) <= xcRB->reply_data_length) ? 445 (resp_sumlen < xcRB->reply_data_length) : 446 (resp_sumlen < CEIL4(xcRB->reply_control_blk_length))) { 447 return -EINVAL; 448 } 449 450 /* prepare type6 header */ 451 msg->hdr = static_type6_hdrX; 452 memcpy(msg->hdr.agent_id, &(xcRB->agent_ID), sizeof(xcRB->agent_ID)); 453 msg->hdr.ToCardLen1 = xcRB->request_control_blk_length; 454 if (xcRB->request_data_length) { 455 msg->hdr.offset2 = msg->hdr.offset1 + rcblen; 456 msg->hdr.ToCardLen2 = xcRB->request_data_length; 457 } 458 msg->hdr.FromCardLen1 = xcRB->reply_control_blk_length; 459 msg->hdr.FromCardLen2 = xcRB->reply_data_length; 460 461 /* prepare CPRB */ 462 if (z_copy_from_user(userspace, &(msg->cprbx), xcRB->request_control_blk_addr, 463 xcRB->request_control_blk_length)) 464 return -EFAULT; 465 if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) > 466 xcRB->request_control_blk_length) 467 return -EINVAL; 468 function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len; 469 memcpy(msg->hdr.function_code, function_code, 470 sizeof(msg->hdr.function_code)); 471 472 *fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1]; 473 *dom = (unsigned short *)&msg->cprbx.domain; 474 475 /* check subfunction, US and AU need special flag with NQAP */ 476 if (memcmp(function_code, "US", 2) == 0 477 || memcmp(function_code, "AU", 2) == 0) 478 ap_msg->flags |= AP_MSG_FLAG_SPECIAL; 479 480 #ifdef CONFIG_ZCRYPT_DEBUG 481 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL) 482 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL; 483 #endif 484 485 /* check CPRB minor version, set info bits in ap_message flag field */ 486 switch (*(unsigned short *)(&msg->cprbx.func_id[0])) { 487 case 0x5432: /* "T2" */ 488 ap_msg->flags |= AP_MSG_FLAG_USAGE; 489 break; 490 case 0x5433: /* "T3" */ 491 case 0x5435: /* "T5" */ 492 case 0x5436: /* "T6" */ 493 case 0x5437: /* "T7" */ 494 ap_msg->flags |= AP_MSG_FLAG_ADMIN; 495 break; 496 default: 497 ZCRYPT_DBF_DBG("%s unknown CPRB minor version '%c%c'\n", 498 __func__, msg->cprbx.func_id[0], 499 msg->cprbx.func_id[1]); 500 } 501 502 /* copy data block */ 503 if (xcRB->request_data_length && 504 z_copy_from_user(userspace, req_data, xcRB->request_data_address, 505 xcRB->request_data_length)) 506 return -EFAULT; 507 508 return 0; 509 } 510 511 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg, 512 struct ep11_urb *xcRB, 513 unsigned int *fcode, 514 unsigned int *domain) 515 { 516 unsigned int lfmt; 517 static struct type6_hdr static_type6_ep11_hdr = { 518 .type = 0x06, 519 .rqid = {0x00, 0x01}, 520 .function_code = {0x00, 0x00}, 521 .agent_id[0] = 0x58, /* {'X'} */ 522 .agent_id[1] = 0x43, /* {'C'} */ 523 .offset1 = 0x00000058, 524 }; 525 526 struct { 527 struct type6_hdr hdr; 528 struct ep11_cprb cprbx; 529 unsigned char pld_tag; /* fixed value 0x30 */ 530 unsigned char pld_lenfmt; /* payload length format */ 531 } __packed * msg = ap_msg->msg; 532 533 struct pld_hdr { 534 unsigned char func_tag; /* fixed value 0x4 */ 535 unsigned char func_len; /* fixed value 0x4 */ 536 unsigned int func_val; /* function ID */ 537 unsigned char dom_tag; /* fixed value 0x4 */ 538 unsigned char dom_len; /* fixed value 0x4 */ 539 unsigned int dom_val; /* domain id */ 540 } __packed * payload_hdr = NULL; 541 542 if (CEIL4(xcRB->req_len) < xcRB->req_len) 543 return -EINVAL; /* overflow after alignment*/ 544 545 /* length checks */ 546 ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcRB->req_len); 547 if (ap_msg->len > ap_msg->bufsize) 548 return -EINVAL; 549 550 if (CEIL4(xcRB->resp_len) < xcRB->resp_len) 551 return -EINVAL; /* overflow after alignment*/ 552 553 /* prepare type6 header */ 554 msg->hdr = static_type6_ep11_hdr; 555 msg->hdr.ToCardLen1 = xcRB->req_len; 556 msg->hdr.FromCardLen1 = xcRB->resp_len; 557 558 /* Import CPRB data from the ioctl input parameter */ 559 if (z_copy_from_user(userspace, &(msg->cprbx.cprb_len), 560 (char __force __user *)xcRB->req, xcRB->req_len)) { 561 return -EFAULT; 562 } 563 564 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/ 565 switch (msg->pld_lenfmt & 0x03) { 566 case 1: 567 lfmt = 2; 568 break; 569 case 2: 570 lfmt = 3; 571 break; 572 default: 573 return -EINVAL; 574 } 575 } else { 576 lfmt = 1; /* length format #1 */ 577 } 578 payload_hdr = (struct pld_hdr *)((&(msg->pld_lenfmt))+lfmt); 579 *fcode = payload_hdr->func_val & 0xFFFF; 580 581 /* enable special processing based on the cprbs flags special bit */ 582 if (msg->cprbx.flags & 0x20) 583 ap_msg->flags |= AP_MSG_FLAG_SPECIAL; 584 585 #ifdef CONFIG_ZCRYPT_DEBUG 586 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL) 587 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL; 588 #endif 589 590 /* set info bits in ap_message flag field */ 591 if (msg->cprbx.flags & 0x80) 592 ap_msg->flags |= AP_MSG_FLAG_ADMIN; 593 else 594 ap_msg->flags |= AP_MSG_FLAG_USAGE; 595 596 *domain = msg->cprbx.target_id; 597 598 return 0; 599 } 600 601 /* 602 * Copy results from a type 86 ICA reply message back to user space. 603 * 604 * @zq: crypto device pointer 605 * @reply: reply AP message. 606 * @data: pointer to user output data 607 * @length: size of user output data 608 * 609 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error. 610 */ 611 struct type86x_reply { 612 struct type86_hdr hdr; 613 struct type86_fmt2_ext fmt2; 614 struct CPRBX cprbx; 615 unsigned char pad[4]; /* 4 byte function code/rules block ? */ 616 unsigned short length; 617 char text[]; 618 } __packed; 619 620 struct type86_ep11_reply { 621 struct type86_hdr hdr; 622 struct type86_fmt2_ext fmt2; 623 struct ep11_cprb cprbx; 624 } __packed; 625 626 static int convert_type86_ica(struct zcrypt_queue *zq, 627 struct ap_message *reply, 628 char __user *outputdata, 629 unsigned int outputdatalength) 630 { 631 static unsigned char static_pad[] = { 632 0x00, 0x02, 633 0x1B, 0x7B, 0x5D, 0xB5, 0x75, 0x01, 0x3D, 0xFD, 634 0x8D, 0xD1, 0xC7, 0x03, 0x2D, 0x09, 0x23, 0x57, 635 0x89, 0x49, 0xB9, 0x3F, 0xBB, 0x99, 0x41, 0x5B, 636 0x75, 0x21, 0x7B, 0x9D, 0x3B, 0x6B, 0x51, 0x39, 637 0xBB, 0x0D, 0x35, 0xB9, 0x89, 0x0F, 0x93, 0xA5, 638 0x0B, 0x47, 0xF1, 0xD3, 0xBB, 0xCB, 0xF1, 0x9D, 639 0x23, 0x73, 0x71, 0xFF, 0xF3, 0xF5, 0x45, 0xFB, 640 0x61, 0x29, 0x23, 0xFD, 0xF1, 0x29, 0x3F, 0x7F, 641 0x17, 0xB7, 0x1B, 0xA9, 0x19, 0xBD, 0x57, 0xA9, 642 0xD7, 0x95, 0xA3, 0xCB, 0xED, 0x1D, 0xDB, 0x45, 643 0x7D, 0x11, 0xD1, 0x51, 0x1B, 0xED, 0x71, 0xE9, 644 0xB1, 0xD1, 0xAB, 0xAB, 0x21, 0x2B, 0x1B, 0x9F, 645 0x3B, 0x9F, 0xF7, 0xF7, 0xBD, 0x63, 0xEB, 0xAD, 646 0xDF, 0xB3, 0x6F, 0x5B, 0xDB, 0x8D, 0xA9, 0x5D, 647 0xE3, 0x7D, 0x77, 0x49, 0x47, 0xF5, 0xA7, 0xFD, 648 0xAB, 0x2F, 0x27, 0x35, 0x77, 0xD3, 0x49, 0xC9, 649 0x09, 0xEB, 0xB1, 0xF9, 0xBF, 0x4B, 0xCB, 0x2B, 650 0xEB, 0xEB, 0x05, 0xFF, 0x7D, 0xC7, 0x91, 0x8B, 651 0x09, 0x83, 0xB9, 0xB9, 0x69, 0x33, 0x39, 0x6B, 652 0x79, 0x75, 0x19, 0xBF, 0xBB, 0x07, 0x1D, 0xBD, 653 0x29, 0xBF, 0x39, 0x95, 0x93, 0x1D, 0x35, 0xC7, 654 0xC9, 0x4D, 0xE5, 0x97, 0x0B, 0x43, 0x9B, 0xF1, 655 0x16, 0x93, 0x03, 0x1F, 0xA5, 0xFB, 0xDB, 0xF3, 656 0x27, 0x4F, 0x27, 0x61, 0x05, 0x1F, 0xB9, 0x23, 657 0x2F, 0xC3, 0x81, 0xA9, 0x23, 0x71, 0x55, 0x55, 658 0xEB, 0xED, 0x41, 0xE5, 0xF3, 0x11, 0xF1, 0x43, 659 0x69, 0x03, 0xBD, 0x0B, 0x37, 0x0F, 0x51, 0x8F, 660 0x0B, 0xB5, 0x89, 0x5B, 0x67, 0xA9, 0xD9, 0x4F, 661 0x01, 0xF9, 0x21, 0x77, 0x37, 0x73, 0x79, 0xC5, 662 0x7F, 0x51, 0xC1, 0xCF, 0x97, 0xA1, 0x75, 0xAD, 663 0x35, 0x9D, 0xD3, 0xD3, 0xA7, 0x9D, 0x5D, 0x41, 664 0x6F, 0x65, 0x1B, 0xCF, 0xA9, 0x87, 0x91, 0x09 665 }; 666 struct type86x_reply *msg = reply->msg; 667 unsigned short service_rc, service_rs; 668 unsigned int reply_len, pad_len; 669 char *data; 670 671 service_rc = msg->cprbx.ccp_rtcode; 672 if (unlikely(service_rc != 0)) { 673 service_rs = msg->cprbx.ccp_rscode; 674 if ((service_rc == 8 && service_rs == 66) || 675 (service_rc == 8 && service_rs == 65) || 676 (service_rc == 8 && service_rs == 72) || 677 (service_rc == 8 && service_rs == 770) || 678 (service_rc == 12 && service_rs == 769)) { 679 ZCRYPT_DBF_WARN("%s dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n", 680 __func__, AP_QID_CARD(zq->queue->qid), 681 AP_QID_QUEUE(zq->queue->qid), 682 (int) service_rc, (int) service_rs); 683 return -EINVAL; 684 } 685 zq->online = 0; 686 pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n", 687 AP_QID_CARD(zq->queue->qid), 688 AP_QID_QUEUE(zq->queue->qid), 689 (int) service_rc, (int) service_rs); 690 ZCRYPT_DBF_ERR("%s dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n", 691 __func__, AP_QID_CARD(zq->queue->qid), 692 AP_QID_QUEUE(zq->queue->qid), 693 (int) service_rc, (int) service_rs); 694 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 695 return -EAGAIN; 696 } 697 data = msg->text; 698 reply_len = msg->length - 2; 699 if (reply_len > outputdatalength) 700 return -EINVAL; 701 /* 702 * For all encipher requests, the length of the ciphertext (reply_len) 703 * will always equal the modulus length. For MEX decipher requests 704 * the output needs to get padded. Minimum pad size is 10. 705 * 706 * Currently, the cases where padding will be added is for: 707 * - PCIXCC_MCL2 using a CRT form token (since PKD didn't support 708 * ZERO-PAD and CRT is only supported for PKD requests) 709 * - PCICC, always 710 */ 711 pad_len = outputdatalength - reply_len; 712 if (pad_len > 0) { 713 if (pad_len < 10) 714 return -EINVAL; 715 /* 'restore' padding left in the CEXXC card. */ 716 if (copy_to_user(outputdata, static_pad, pad_len - 1)) 717 return -EFAULT; 718 if (put_user(0, outputdata + pad_len - 1)) 719 return -EFAULT; 720 } 721 /* Copy the crypto response to user space. */ 722 if (copy_to_user(outputdata + pad_len, data, reply_len)) 723 return -EFAULT; 724 return 0; 725 } 726 727 /* 728 * Copy results from a type 86 XCRB reply message back to user space. 729 * 730 * @zq: crypto device pointer 731 * @reply: reply AP message. 732 * @xcRB: pointer to XCRB 733 * 734 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error. 735 */ 736 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq, 737 struct ap_message *reply, 738 struct ica_xcRB *xcRB) 739 { 740 struct type86_fmt2_msg *msg = reply->msg; 741 char *data = reply->msg; 742 743 /* Copy CPRB to user */ 744 if (xcRB->reply_control_blk_length < msg->fmt2.count1) { 745 ZCRYPT_DBF_DBG("%s reply_control_blk_length %u < required %u => EMSGSIZE\n", 746 __func__, xcRB->reply_control_blk_length, 747 msg->fmt2.count1); 748 return -EMSGSIZE; 749 } 750 if (z_copy_to_user(userspace, xcRB->reply_control_blk_addr, 751 data + msg->fmt2.offset1, msg->fmt2.count1)) 752 return -EFAULT; 753 xcRB->reply_control_blk_length = msg->fmt2.count1; 754 755 /* Copy data buffer to user */ 756 if (msg->fmt2.count2) { 757 if (xcRB->reply_data_length < msg->fmt2.count2) { 758 ZCRYPT_DBF_DBG("%s reply_data_length %u < required %u => EMSGSIZE\n", 759 __func__, xcRB->reply_data_length, 760 msg->fmt2.count2); 761 return -EMSGSIZE; 762 } 763 if (z_copy_to_user(userspace, xcRB->reply_data_addr, 764 data + msg->fmt2.offset2, msg->fmt2.count2)) 765 return -EFAULT; 766 } 767 xcRB->reply_data_length = msg->fmt2.count2; 768 769 return 0; 770 } 771 772 /* 773 * Copy results from a type 86 EP11 XCRB reply message back to user space. 774 * 775 * @zq: crypto device pointer 776 * @reply: reply AP message. 777 * @xcRB: pointer to EP11 user request block 778 * 779 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error. 780 */ 781 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq, 782 struct ap_message *reply, 783 struct ep11_urb *xcRB) 784 { 785 struct type86_fmt2_msg *msg = reply->msg; 786 char *data = reply->msg; 787 788 if (xcRB->resp_len < msg->fmt2.count1) { 789 ZCRYPT_DBF_DBG("%s resp_len %u < required %u => EMSGSIZE\n", 790 __func__, (unsigned int)xcRB->resp_len, 791 msg->fmt2.count1); 792 return -EMSGSIZE; 793 } 794 795 /* Copy response CPRB to user */ 796 if (z_copy_to_user(userspace, (char __force __user *)xcRB->resp, 797 data + msg->fmt2.offset1, msg->fmt2.count1)) 798 return -EFAULT; 799 xcRB->resp_len = msg->fmt2.count1; 800 return 0; 801 } 802 803 static int convert_type86_rng(struct zcrypt_queue *zq, 804 struct ap_message *reply, 805 char *buffer) 806 { 807 struct { 808 struct type86_hdr hdr; 809 struct type86_fmt2_ext fmt2; 810 struct CPRBX cprbx; 811 } __packed * msg = reply->msg; 812 char *data = reply->msg; 813 814 if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0) 815 return -EINVAL; 816 memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2); 817 return msg->fmt2.count2; 818 } 819 820 static int convert_response_ica(struct zcrypt_queue *zq, 821 struct ap_message *reply, 822 char __user *outputdata, 823 unsigned int outputdatalength) 824 { 825 struct type86x_reply *msg = reply->msg; 826 827 switch (msg->hdr.type) { 828 case TYPE82_RSP_CODE: 829 case TYPE88_RSP_CODE: 830 return convert_error(zq, reply); 831 case TYPE86_RSP_CODE: 832 if (msg->cprbx.ccp_rtcode && 833 (msg->cprbx.ccp_rscode == 0x14f) && 834 (outputdatalength > 256)) { 835 if (zq->zcard->max_exp_bit_length <= 17) { 836 zq->zcard->max_exp_bit_length = 17; 837 return -EAGAIN; 838 } else 839 return -EINVAL; 840 } 841 if (msg->hdr.reply_code) 842 return convert_error(zq, reply); 843 if (msg->cprbx.cprb_ver_id == 0x02) 844 return convert_type86_ica(zq, reply, 845 outputdata, outputdatalength); 846 fallthrough; /* wrong cprb version is an unknown response */ 847 default: 848 /* Unknown response type, this should NEVER EVER happen */ 849 zq->online = 0; 850 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 851 AP_QID_CARD(zq->queue->qid), 852 AP_QID_QUEUE(zq->queue->qid), 853 (int) msg->hdr.type); 854 ZCRYPT_DBF_ERR( 855 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 856 __func__, AP_QID_CARD(zq->queue->qid), 857 AP_QID_QUEUE(zq->queue->qid), (int) msg->hdr.type); 858 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 859 return -EAGAIN; 860 } 861 } 862 863 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq, 864 struct ap_message *reply, 865 struct ica_xcRB *xcRB) 866 { 867 struct type86x_reply *msg = reply->msg; 868 869 switch (msg->hdr.type) { 870 case TYPE82_RSP_CODE: 871 case TYPE88_RSP_CODE: 872 xcRB->status = 0x0008044DL; /* HDD_InvalidParm */ 873 return convert_error(zq, reply); 874 case TYPE86_RSP_CODE: 875 if (msg->hdr.reply_code) { 876 memcpy(&(xcRB->status), msg->fmt2.apfs, sizeof(u32)); 877 return convert_error(zq, reply); 878 } 879 if (msg->cprbx.cprb_ver_id == 0x02) 880 return convert_type86_xcrb(userspace, zq, reply, xcRB); 881 fallthrough; /* wrong cprb version is an unknown response */ 882 default: /* Unknown response type, this should NEVER EVER happen */ 883 xcRB->status = 0x0008044DL; /* HDD_InvalidParm */ 884 zq->online = 0; 885 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 886 AP_QID_CARD(zq->queue->qid), 887 AP_QID_QUEUE(zq->queue->qid), 888 (int) msg->hdr.type); 889 ZCRYPT_DBF_ERR( 890 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 891 __func__, AP_QID_CARD(zq->queue->qid), 892 AP_QID_QUEUE(zq->queue->qid), (int) msg->hdr.type); 893 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 894 return -EAGAIN; 895 } 896 } 897 898 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq, 899 struct ap_message *reply, struct ep11_urb *xcRB) 900 { 901 struct type86_ep11_reply *msg = reply->msg; 902 903 switch (msg->hdr.type) { 904 case TYPE82_RSP_CODE: 905 case TYPE87_RSP_CODE: 906 return convert_error(zq, reply); 907 case TYPE86_RSP_CODE: 908 if (msg->hdr.reply_code) 909 return convert_error(zq, reply); 910 if (msg->cprbx.cprb_ver_id == 0x04) 911 return convert_type86_ep11_xcrb(userspace, zq, reply, xcRB); 912 fallthrough; /* wrong cprb version is an unknown resp */ 913 default: /* Unknown response type, this should NEVER EVER happen */ 914 zq->online = 0; 915 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 916 AP_QID_CARD(zq->queue->qid), 917 AP_QID_QUEUE(zq->queue->qid), 918 (int) msg->hdr.type); 919 ZCRYPT_DBF_ERR( 920 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 921 __func__, AP_QID_CARD(zq->queue->qid), 922 AP_QID_QUEUE(zq->queue->qid), (int) msg->hdr.type); 923 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 924 return -EAGAIN; 925 } 926 } 927 928 static int convert_response_rng(struct zcrypt_queue *zq, 929 struct ap_message *reply, 930 char *data) 931 { 932 struct type86x_reply *msg = reply->msg; 933 934 switch (msg->hdr.type) { 935 case TYPE82_RSP_CODE: 936 case TYPE88_RSP_CODE: 937 return -EINVAL; 938 case TYPE86_RSP_CODE: 939 if (msg->hdr.reply_code) 940 return -EINVAL; 941 if (msg->cprbx.cprb_ver_id == 0x02) 942 return convert_type86_rng(zq, reply, data); 943 fallthrough; /* wrong cprb version is an unknown response */ 944 default: /* Unknown response type, this should NEVER EVER happen */ 945 zq->online = 0; 946 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 947 AP_QID_CARD(zq->queue->qid), 948 AP_QID_QUEUE(zq->queue->qid), 949 (int) msg->hdr.type); 950 ZCRYPT_DBF_ERR( 951 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 952 __func__, AP_QID_CARD(zq->queue->qid), 953 AP_QID_QUEUE(zq->queue->qid), (int) msg->hdr.type); 954 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 955 return -EAGAIN; 956 } 957 } 958 959 /* 960 * This function is called from the AP bus code after a crypto request 961 * "msg" has finished with the reply message "reply". 962 * It is called from tasklet context. 963 * @aq: pointer to the AP queue 964 * @msg: pointer to the AP message 965 * @reply: pointer to the AP reply message 966 */ 967 static void zcrypt_msgtype6_receive(struct ap_queue *aq, 968 struct ap_message *msg, 969 struct ap_message *reply) 970 { 971 static struct error_hdr error_reply = { 972 .type = TYPE82_RSP_CODE, 973 .reply_code = REP82_ERROR_MACHINE_FAILURE, 974 }; 975 struct response_type *resp_type = 976 (struct response_type *) msg->private; 977 struct type86x_reply *t86r; 978 int len; 979 980 /* Copy the reply message to the request message buffer. */ 981 if (!reply) 982 goto out; /* ap_msg->rc indicates the error */ 983 t86r = reply->msg; 984 if (t86r->hdr.type == TYPE86_RSP_CODE && 985 t86r->cprbx.cprb_ver_id == 0x02) { 986 switch (resp_type->type) { 987 case CEXXC_RESPONSE_TYPE_ICA: 988 len = sizeof(struct type86x_reply) + t86r->length - 2; 989 if (len > reply->bufsize || len > msg->bufsize) { 990 msg->rc = -EMSGSIZE; 991 } else { 992 memcpy(msg->msg, reply->msg, len); 993 msg->len = len; 994 } 995 break; 996 case CEXXC_RESPONSE_TYPE_XCRB: 997 len = t86r->fmt2.offset2 + t86r->fmt2.count2; 998 if (len > reply->bufsize || len > msg->bufsize) { 999 msg->rc = -EMSGSIZE; 1000 } else { 1001 memcpy(msg->msg, reply->msg, len); 1002 msg->len = len; 1003 } 1004 break; 1005 default: 1006 memcpy(msg->msg, &error_reply, sizeof(error_reply)); 1007 } 1008 } else 1009 memcpy(msg->msg, reply->msg, sizeof(error_reply)); 1010 out: 1011 complete(&(resp_type->work)); 1012 } 1013 1014 /* 1015 * This function is called from the AP bus code after a crypto request 1016 * "msg" has finished with the reply message "reply". 1017 * It is called from tasklet context. 1018 * @aq: pointer to the AP queue 1019 * @msg: pointer to the AP message 1020 * @reply: pointer to the AP reply message 1021 */ 1022 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq, 1023 struct ap_message *msg, 1024 struct ap_message *reply) 1025 { 1026 static struct error_hdr error_reply = { 1027 .type = TYPE82_RSP_CODE, 1028 .reply_code = REP82_ERROR_MACHINE_FAILURE, 1029 }; 1030 struct response_type *resp_type = 1031 (struct response_type *)msg->private; 1032 struct type86_ep11_reply *t86r; 1033 int len; 1034 1035 /* Copy the reply message to the request message buffer. */ 1036 if (!reply) 1037 goto out; /* ap_msg->rc indicates the error */ 1038 t86r = reply->msg; 1039 if (t86r->hdr.type == TYPE86_RSP_CODE && 1040 t86r->cprbx.cprb_ver_id == 0x04) { 1041 switch (resp_type->type) { 1042 case CEXXC_RESPONSE_TYPE_EP11: 1043 len = t86r->fmt2.offset1 + t86r->fmt2.count1; 1044 if (len > reply->bufsize || len > msg->bufsize) { 1045 msg->rc = -EMSGSIZE; 1046 } else { 1047 memcpy(msg->msg, reply->msg, len); 1048 msg->len = len; 1049 } 1050 break; 1051 default: 1052 memcpy(msg->msg, &error_reply, sizeof(error_reply)); 1053 } 1054 } else { 1055 memcpy(msg->msg, reply->msg, sizeof(error_reply)); 1056 } 1057 out: 1058 complete(&(resp_type->work)); 1059 } 1060 1061 static atomic_t zcrypt_step = ATOMIC_INIT(0); 1062 1063 /* 1064 * The request distributor calls this function if it picked the CEXxC 1065 * device to handle a modexpo request. 1066 * @zq: pointer to zcrypt_queue structure that identifies the 1067 * CEXxC device to the request distributor 1068 * @mex: pointer to the modexpo request buffer 1069 */ 1070 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq, 1071 struct ica_rsa_modexpo *mex, 1072 struct ap_message *ap_msg) 1073 { 1074 struct response_type resp_type = { 1075 .type = CEXXC_RESPONSE_TYPE_ICA, 1076 }; 1077 int rc; 1078 1079 ap_msg->msg = (void *) get_zeroed_page(GFP_KERNEL); 1080 if (!ap_msg->msg) 1081 return -ENOMEM; 1082 ap_msg->bufsize = PAGE_SIZE; 1083 ap_msg->receive = zcrypt_msgtype6_receive; 1084 ap_msg->psmid = (((unsigned long long) current->pid) << 32) + 1085 atomic_inc_return(&zcrypt_step); 1086 ap_msg->private = &resp_type; 1087 rc = ICAMEX_msg_to_type6MEX_msgX(zq, ap_msg, mex); 1088 if (rc) 1089 goto out_free; 1090 init_completion(&resp_type.work); 1091 rc = ap_queue_message(zq->queue, ap_msg); 1092 if (rc) 1093 goto out_free; 1094 rc = wait_for_completion_interruptible(&resp_type.work); 1095 if (rc == 0) { 1096 rc = ap_msg->rc; 1097 if (rc == 0) 1098 rc = convert_response_ica(zq, ap_msg, 1099 mex->outputdata, 1100 mex->outputdatalength); 1101 } else 1102 /* Signal pending. */ 1103 ap_cancel_message(zq->queue, ap_msg); 1104 out_free: 1105 free_page((unsigned long) ap_msg->msg); 1106 ap_msg->private = NULL; 1107 ap_msg->msg = NULL; 1108 return rc; 1109 } 1110 1111 /* 1112 * The request distributor calls this function if it picked the CEXxC 1113 * device to handle a modexpo_crt request. 1114 * @zq: pointer to zcrypt_queue structure that identifies the 1115 * CEXxC device to the request distributor 1116 * @crt: pointer to the modexpoc_crt request buffer 1117 */ 1118 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq, 1119 struct ica_rsa_modexpo_crt *crt, 1120 struct ap_message *ap_msg) 1121 { 1122 struct response_type resp_type = { 1123 .type = CEXXC_RESPONSE_TYPE_ICA, 1124 }; 1125 int rc; 1126 1127 ap_msg->msg = (void *) get_zeroed_page(GFP_KERNEL); 1128 if (!ap_msg->msg) 1129 return -ENOMEM; 1130 ap_msg->bufsize = PAGE_SIZE; 1131 ap_msg->receive = zcrypt_msgtype6_receive; 1132 ap_msg->psmid = (((unsigned long long) current->pid) << 32) + 1133 atomic_inc_return(&zcrypt_step); 1134 ap_msg->private = &resp_type; 1135 rc = ICACRT_msg_to_type6CRT_msgX(zq, ap_msg, crt); 1136 if (rc) 1137 goto out_free; 1138 init_completion(&resp_type.work); 1139 rc = ap_queue_message(zq->queue, ap_msg); 1140 if (rc) 1141 goto out_free; 1142 rc = wait_for_completion_interruptible(&resp_type.work); 1143 if (rc == 0) { 1144 rc = ap_msg->rc; 1145 if (rc == 0) 1146 rc = convert_response_ica(zq, ap_msg, 1147 crt->outputdata, 1148 crt->outputdatalength); 1149 } else { 1150 /* Signal pending. */ 1151 ap_cancel_message(zq->queue, ap_msg); 1152 } 1153 out_free: 1154 free_page((unsigned long) ap_msg->msg); 1155 ap_msg->private = NULL; 1156 ap_msg->msg = NULL; 1157 return rc; 1158 } 1159 1160 /* 1161 * Prepare a CCA AP msg request. 1162 * Prepare a CCA AP msg: fetch the required data from userspace, 1163 * prepare the AP msg, fill some info into the ap_message struct, 1164 * extract some data from the CPRB and give back to the caller. 1165 * This function allocates memory and needs an ap_msg prepared 1166 * by the caller with ap_init_message(). Also the caller has to 1167 * make sure ap_release_message() is always called even on failure. 1168 */ 1169 int prep_cca_ap_msg(bool userspace, struct ica_xcRB *xcRB, 1170 struct ap_message *ap_msg, 1171 unsigned int *func_code, unsigned short **dom) 1172 { 1173 struct response_type resp_type = { 1174 .type = CEXXC_RESPONSE_TYPE_XCRB, 1175 }; 1176 1177 ap_msg->bufsize = atomic_read(&ap_max_msg_size); 1178 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL); 1179 if (!ap_msg->msg) 1180 return -ENOMEM; 1181 ap_msg->receive = zcrypt_msgtype6_receive; 1182 ap_msg->psmid = (((unsigned long long) current->pid) << 32) + 1183 atomic_inc_return(&zcrypt_step); 1184 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL); 1185 if (!ap_msg->private) 1186 return -ENOMEM; 1187 return XCRB_msg_to_type6CPRB_msgX(userspace, ap_msg, xcRB, func_code, dom); 1188 } 1189 1190 /* 1191 * The request distributor calls this function if it picked the CEXxC 1192 * device to handle a send_cprb request. 1193 * @zq: pointer to zcrypt_queue structure that identifies the 1194 * CEXxC device to the request distributor 1195 * @xcRB: pointer to the send_cprb request buffer 1196 */ 1197 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq, 1198 struct ica_xcRB *xcRB, 1199 struct ap_message *ap_msg) 1200 { 1201 int rc; 1202 struct response_type *rtype = (struct response_type *)(ap_msg->private); 1203 struct { 1204 struct type6_hdr hdr; 1205 struct CPRBX cprbx; 1206 /* ... more data blocks ... */ 1207 } __packed * msg = ap_msg->msg; 1208 1209 /* 1210 * Set the queue's reply buffer length minus 128 byte padding 1211 * as reply limit for the card firmware. 1212 */ 1213 msg->hdr.FromCardLen1 = min_t(unsigned int, msg->hdr.FromCardLen1, 1214 zq->reply.bufsize - 128); 1215 if (msg->hdr.FromCardLen2) 1216 msg->hdr.FromCardLen2 = 1217 zq->reply.bufsize - msg->hdr.FromCardLen1 - 128; 1218 1219 init_completion(&rtype->work); 1220 rc = ap_queue_message(zq->queue, ap_msg); 1221 if (rc) 1222 goto out; 1223 rc = wait_for_completion_interruptible(&rtype->work); 1224 if (rc == 0) { 1225 rc = ap_msg->rc; 1226 if (rc == 0) 1227 rc = convert_response_xcrb(userspace, zq, ap_msg, xcRB); 1228 } else 1229 /* Signal pending. */ 1230 ap_cancel_message(zq->queue, ap_msg); 1231 out: 1232 if (rc) 1233 ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n", 1234 __func__, AP_QID_CARD(zq->queue->qid), 1235 AP_QID_QUEUE(zq->queue->qid), rc); 1236 return rc; 1237 } 1238 1239 /* 1240 * Prepare an EP11 AP msg request. 1241 * Prepare an EP11 AP msg: fetch the required data from userspace, 1242 * prepare the AP msg, fill some info into the ap_message struct, 1243 * extract some data from the CPRB and give back to the caller. 1244 * This function allocates memory and needs an ap_msg prepared 1245 * by the caller with ap_init_message(). Also the caller has to 1246 * make sure ap_release_message() is always called even on failure. 1247 */ 1248 int prep_ep11_ap_msg(bool userspace, struct ep11_urb *xcrb, 1249 struct ap_message *ap_msg, 1250 unsigned int *func_code, unsigned int *domain) 1251 { 1252 struct response_type resp_type = { 1253 .type = CEXXC_RESPONSE_TYPE_EP11, 1254 }; 1255 1256 ap_msg->bufsize = atomic_read(&ap_max_msg_size); 1257 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL); 1258 if (!ap_msg->msg) 1259 return -ENOMEM; 1260 ap_msg->receive = zcrypt_msgtype6_receive_ep11; 1261 ap_msg->psmid = (((unsigned long long) current->pid) << 32) + 1262 atomic_inc_return(&zcrypt_step); 1263 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL); 1264 if (!ap_msg->private) 1265 return -ENOMEM; 1266 return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb, 1267 func_code, domain); 1268 } 1269 1270 /* 1271 * The request distributor calls this function if it picked the CEX4P 1272 * device to handle a send_ep11_cprb request. 1273 * @zq: pointer to zcrypt_queue structure that identifies the 1274 * CEX4P device to the request distributor 1275 * @xcRB: pointer to the ep11 user request block 1276 */ 1277 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq, 1278 struct ep11_urb *xcrb, 1279 struct ap_message *ap_msg) 1280 { 1281 int rc; 1282 unsigned int lfmt; 1283 struct response_type *rtype = (struct response_type *)(ap_msg->private); 1284 struct { 1285 struct type6_hdr hdr; 1286 struct ep11_cprb cprbx; 1287 unsigned char pld_tag; /* fixed value 0x30 */ 1288 unsigned char pld_lenfmt; /* payload length format */ 1289 } __packed * msg = ap_msg->msg; 1290 struct pld_hdr { 1291 unsigned char func_tag; /* fixed value 0x4 */ 1292 unsigned char func_len; /* fixed value 0x4 */ 1293 unsigned int func_val; /* function ID */ 1294 unsigned char dom_tag; /* fixed value 0x4 */ 1295 unsigned char dom_len; /* fixed value 0x4 */ 1296 unsigned int dom_val; /* domain id */ 1297 } __packed * payload_hdr = NULL; 1298 1299 /* 1300 * The target domain field within the cprb body/payload block will be 1301 * replaced by the usage domain for non-management commands only. 1302 * Therefore we check the first bit of the 'flags' parameter for 1303 * management command indication. 1304 * 0 - non management command 1305 * 1 - management command 1306 */ 1307 if (!((msg->cprbx.flags & 0x80) == 0x80)) { 1308 msg->cprbx.target_id = (unsigned int) 1309 AP_QID_QUEUE(zq->queue->qid); 1310 1311 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/ 1312 switch (msg->pld_lenfmt & 0x03) { 1313 case 1: 1314 lfmt = 2; 1315 break; 1316 case 2: 1317 lfmt = 3; 1318 break; 1319 default: 1320 return -EINVAL; 1321 } 1322 } else { 1323 lfmt = 1; /* length format #1 */ 1324 } 1325 payload_hdr = (struct pld_hdr *)((&(msg->pld_lenfmt))+lfmt); 1326 payload_hdr->dom_val = (unsigned int) 1327 AP_QID_QUEUE(zq->queue->qid); 1328 } 1329 1330 /* 1331 * Set the queue's reply buffer length minus the two prepend headers 1332 * as reply limit for the card firmware. 1333 */ 1334 msg->hdr.FromCardLen1 = zq->reply.bufsize - 1335 sizeof(struct type86_hdr) - sizeof(struct type86_fmt2_ext); 1336 1337 init_completion(&rtype->work); 1338 rc = ap_queue_message(zq->queue, ap_msg); 1339 if (rc) 1340 goto out; 1341 rc = wait_for_completion_interruptible(&rtype->work); 1342 if (rc == 0) { 1343 rc = ap_msg->rc; 1344 if (rc == 0) 1345 rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb); 1346 } else 1347 /* Signal pending. */ 1348 ap_cancel_message(zq->queue, ap_msg); 1349 out: 1350 if (rc) 1351 ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n", 1352 __func__, AP_QID_CARD(zq->queue->qid), 1353 AP_QID_QUEUE(zq->queue->qid), rc); 1354 return rc; 1355 } 1356 1357 int prep_rng_ap_msg(struct ap_message *ap_msg, int *func_code, 1358 unsigned int *domain) 1359 { 1360 struct response_type resp_type = { 1361 .type = CEXXC_RESPONSE_TYPE_XCRB, 1362 }; 1363 1364 ap_msg->bufsize = AP_DEFAULT_MAX_MSG_SIZE; 1365 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL); 1366 if (!ap_msg->msg) 1367 return -ENOMEM; 1368 ap_msg->receive = zcrypt_msgtype6_receive; 1369 ap_msg->psmid = (((unsigned long long) current->pid) << 32) + 1370 atomic_inc_return(&zcrypt_step); 1371 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL); 1372 if (!ap_msg->private) 1373 return -ENOMEM; 1374 1375 rng_type6CPRB_msgX(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain); 1376 1377 *func_code = HWRNG; 1378 return 0; 1379 } 1380 1381 /* 1382 * The request distributor calls this function if it picked the CEXxC 1383 * device to generate random data. 1384 * @zq: pointer to zcrypt_queue structure that identifies the 1385 * CEXxC device to the request distributor 1386 * @buffer: pointer to a memory page to return random data 1387 */ 1388 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq, 1389 char *buffer, struct ap_message *ap_msg) 1390 { 1391 struct { 1392 struct type6_hdr hdr; 1393 struct CPRBX cprbx; 1394 char function_code[2]; 1395 short int rule_length; 1396 char rule[8]; 1397 short int verb_length; 1398 short int key_length; 1399 } __packed * msg = ap_msg->msg; 1400 struct response_type *rtype = (struct response_type *)(ap_msg->private); 1401 int rc; 1402 1403 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid); 1404 1405 init_completion(&rtype->work); 1406 rc = ap_queue_message(zq->queue, ap_msg); 1407 if (rc) 1408 goto out; 1409 rc = wait_for_completion_interruptible(&rtype->work); 1410 if (rc == 0) { 1411 rc = ap_msg->rc; 1412 if (rc == 0) 1413 rc = convert_response_rng(zq, ap_msg, buffer); 1414 } else 1415 /* Signal pending. */ 1416 ap_cancel_message(zq->queue, ap_msg); 1417 out: 1418 return rc; 1419 } 1420 1421 /* 1422 * The crypto operations for a CEXxC card. 1423 */ 1424 static struct zcrypt_ops zcrypt_msgtype6_norng_ops = { 1425 .owner = THIS_MODULE, 1426 .name = MSGTYPE06_NAME, 1427 .variant = MSGTYPE06_VARIANT_NORNG, 1428 .rsa_modexpo = zcrypt_msgtype6_modexpo, 1429 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt, 1430 .send_cprb = zcrypt_msgtype6_send_cprb, 1431 }; 1432 1433 static struct zcrypt_ops zcrypt_msgtype6_ops = { 1434 .owner = THIS_MODULE, 1435 .name = MSGTYPE06_NAME, 1436 .variant = MSGTYPE06_VARIANT_DEFAULT, 1437 .rsa_modexpo = zcrypt_msgtype6_modexpo, 1438 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt, 1439 .send_cprb = zcrypt_msgtype6_send_cprb, 1440 .rng = zcrypt_msgtype6_rng, 1441 }; 1442 1443 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = { 1444 .owner = THIS_MODULE, 1445 .name = MSGTYPE06_NAME, 1446 .variant = MSGTYPE06_VARIANT_EP11, 1447 .rsa_modexpo = NULL, 1448 .rsa_modexpo_crt = NULL, 1449 .send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb, 1450 }; 1451 1452 void __init zcrypt_msgtype6_init(void) 1453 { 1454 zcrypt_msgtype_register(&zcrypt_msgtype6_norng_ops); 1455 zcrypt_msgtype_register(&zcrypt_msgtype6_ops); 1456 zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops); 1457 } 1458 1459 void __exit zcrypt_msgtype6_exit(void) 1460 { 1461 zcrypt_msgtype_unregister(&zcrypt_msgtype6_norng_ops); 1462 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops); 1463 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops); 1464 } 1465