1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * Copyright IBM Corp. 2001, 2022 4 * Author(s): Robert Burroughs 5 * Eric Rossman (edrossma@us.ibm.com) 6 * 7 * Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com) 8 * Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com> 9 * Ralph Wuerthner <rwuerthn@de.ibm.com> 10 * MSGTYPE restruct: Holger Dengler <hd@linux.vnet.ibm.com> 11 */ 12 13 #define KMSG_COMPONENT "zcrypt" 14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt 15 16 #include <linux/module.h> 17 #include <linux/init.h> 18 #include <linux/err.h> 19 #include <linux/delay.h> 20 #include <linux/slab.h> 21 #include <linux/atomic.h> 22 #include <linux/uaccess.h> 23 24 #include "ap_bus.h" 25 #include "zcrypt_api.h" 26 #include "zcrypt_error.h" 27 #include "zcrypt_msgtype6.h" 28 #include "zcrypt_cca_key.h" 29 30 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */ 31 32 #define CEIL4(x) ((((x) + 3) / 4) * 4) 33 34 struct response_type { 35 struct completion work; 36 int type; 37 }; 38 39 #define CEXXC_RESPONSE_TYPE_ICA 0 40 #define CEXXC_RESPONSE_TYPE_XCRB 1 41 #define CEXXC_RESPONSE_TYPE_EP11 2 42 43 MODULE_AUTHOR("IBM Corporation"); 44 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \ 45 "Copyright IBM Corp. 2001, 2012"); 46 MODULE_LICENSE("GPL"); 47 48 struct function_and_rules_block { 49 unsigned char function_code[2]; 50 unsigned short ulen; 51 unsigned char only_rule[8]; 52 } __packed; 53 54 /* 55 * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP 56 * card in a type6 message. The 3 fields that must be filled in at execution 57 * time are req_parml, rpl_parml and usage_domain. 58 * Everything about this interface is ascii/big-endian, since the 59 * device does *not* have 'Intel inside'. 60 * 61 * The CPRBX is followed immediately by the parm block. 62 * The parm block contains: 63 * - function code ('PD' 0x5044 or 'PK' 0x504B) 64 * - rule block (one of:) 65 * + 0x000A 'PKCS-1.2' (MCL2 'PD') 66 * + 0x000A 'ZERO-PAD' (MCL2 'PK') 67 * + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD') 68 * + 0x000A 'MRP ' (MCL3 'PK' or CEX2C 'PK') 69 * - VUD block 70 */ 71 static const struct CPRBX static_cprbx = { 72 .cprb_len = 0x00DC, 73 .cprb_ver_id = 0x02, 74 .func_id = {0x54, 0x32}, 75 }; 76 77 int speed_idx_cca(int req_type) 78 { 79 switch (req_type) { 80 case 0x4142: 81 case 0x4149: 82 case 0x414D: 83 case 0x4341: 84 case 0x4344: 85 case 0x4354: 86 case 0x4358: 87 case 0x444B: 88 case 0x4558: 89 case 0x4643: 90 case 0x4651: 91 case 0x4C47: 92 case 0x4C4B: 93 case 0x4C51: 94 case 0x4F48: 95 case 0x504F: 96 case 0x5053: 97 case 0x5058: 98 case 0x5343: 99 case 0x5344: 100 case 0x5345: 101 case 0x5350: 102 return LOW; 103 case 0x414B: 104 case 0x4345: 105 case 0x4349: 106 case 0x434D: 107 case 0x4847: 108 case 0x4849: 109 case 0x484D: 110 case 0x4850: 111 case 0x4851: 112 case 0x4954: 113 case 0x4958: 114 case 0x4B43: 115 case 0x4B44: 116 case 0x4B45: 117 case 0x4B47: 118 case 0x4B48: 119 case 0x4B49: 120 case 0x4B4E: 121 case 0x4B50: 122 case 0x4B52: 123 case 0x4B54: 124 case 0x4B58: 125 case 0x4D50: 126 case 0x4D53: 127 case 0x4D56: 128 case 0x4D58: 129 case 0x5044: 130 case 0x5045: 131 case 0x5046: 132 case 0x5047: 133 case 0x5049: 134 case 0x504B: 135 case 0x504D: 136 case 0x5254: 137 case 0x5347: 138 case 0x5349: 139 case 0x534B: 140 case 0x534D: 141 case 0x5356: 142 case 0x5358: 143 case 0x5443: 144 case 0x544B: 145 case 0x5647: 146 return HIGH; 147 default: 148 return MEDIUM; 149 } 150 } 151 152 int speed_idx_ep11(int req_type) 153 { 154 switch (req_type) { 155 case 1: 156 case 2: 157 case 36: 158 case 37: 159 case 38: 160 case 39: 161 case 40: 162 return LOW; 163 case 17: 164 case 18: 165 case 19: 166 case 20: 167 case 21: 168 case 22: 169 case 26: 170 case 30: 171 case 31: 172 case 32: 173 case 33: 174 case 34: 175 case 35: 176 return HIGH; 177 default: 178 return MEDIUM; 179 } 180 } 181 182 /* 183 * Convert a ICAMEX message to a type6 MEX message. 184 * 185 * @zq: crypto device pointer 186 * @ap_msg: pointer to AP message 187 * @mex: pointer to user input data 188 * 189 * Returns 0 on success or negative errno value. 190 */ 191 static int icamex_msg_to_type6mex_msgx(struct zcrypt_queue *zq, 192 struct ap_message *ap_msg, 193 struct ica_rsa_modexpo *mex) 194 { 195 static struct type6_hdr static_type6_hdrX = { 196 .type = 0x06, 197 .offset1 = 0x00000058, 198 .agent_id = {'C', 'A',}, 199 .function_code = {'P', 'K'}, 200 }; 201 static struct function_and_rules_block static_pke_fnr = { 202 .function_code = {'P', 'K'}, 203 .ulen = 10, 204 .only_rule = {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '} 205 }; 206 struct { 207 struct type6_hdr hdr; 208 struct CPRBX cprbx; 209 struct function_and_rules_block fr; 210 unsigned short length; 211 char text[0]; 212 } __packed * msg = ap_msg->msg; 213 int size; 214 215 /* 216 * The inputdatalength was a selection criteria in the dispatching 217 * function zcrypt_rsa_modexpo(). However, make sure the following 218 * copy_from_user() never exceeds the allocated buffer space. 219 */ 220 if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE)) 221 return -EINVAL; 222 223 /* VUD.ciphertext */ 224 msg->length = mex->inputdatalength + 2; 225 if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength)) 226 return -EFAULT; 227 228 /* Set up key which is located after the variable length text. */ 229 size = zcrypt_type6_mex_key_en(mex, msg->text + mex->inputdatalength); 230 if (size < 0) 231 return size; 232 size += sizeof(*msg) + mex->inputdatalength; 233 234 /* message header, cprbx and f&r */ 235 msg->hdr = static_type6_hdrX; 236 msg->hdr.tocardlen1 = size - sizeof(msg->hdr); 237 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr); 238 239 msg->cprbx = static_cprbx; 240 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid); 241 msg->cprbx.rpl_msgbl = msg->hdr.fromcardlen1; 242 243 msg->fr = static_pke_fnr; 244 245 msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx); 246 247 ap_msg->len = size; 248 return 0; 249 } 250 251 /* 252 * Convert a ICACRT message to a type6 CRT message. 253 * 254 * @zq: crypto device pointer 255 * @ap_msg: pointer to AP message 256 * @crt: pointer to user input data 257 * 258 * Returns 0 on success or negative errno value. 259 */ 260 static int icacrt_msg_to_type6crt_msgx(struct zcrypt_queue *zq, 261 struct ap_message *ap_msg, 262 struct ica_rsa_modexpo_crt *crt) 263 { 264 static struct type6_hdr static_type6_hdrX = { 265 .type = 0x06, 266 .offset1 = 0x00000058, 267 .agent_id = {'C', 'A',}, 268 .function_code = {'P', 'D'}, 269 }; 270 static struct function_and_rules_block static_pkd_fnr = { 271 .function_code = {'P', 'D'}, 272 .ulen = 10, 273 .only_rule = {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'} 274 }; 275 276 struct { 277 struct type6_hdr hdr; 278 struct CPRBX cprbx; 279 struct function_and_rules_block fr; 280 unsigned short length; 281 char text[0]; 282 } __packed * msg = ap_msg->msg; 283 int size; 284 285 /* 286 * The inputdatalength was a selection criteria in the dispatching 287 * function zcrypt_rsa_crt(). However, make sure the following 288 * copy_from_user() never exceeds the allocated buffer space. 289 */ 290 if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE)) 291 return -EINVAL; 292 293 /* VUD.ciphertext */ 294 msg->length = crt->inputdatalength + 2; 295 if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength)) 296 return -EFAULT; 297 298 /* Set up key which is located after the variable length text. */ 299 size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength); 300 if (size < 0) 301 return size; 302 size += sizeof(*msg) + crt->inputdatalength; /* total size of msg */ 303 304 /* message header, cprbx and f&r */ 305 msg->hdr = static_type6_hdrX; 306 msg->hdr.tocardlen1 = size - sizeof(msg->hdr); 307 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr); 308 309 msg->cprbx = static_cprbx; 310 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid); 311 msg->cprbx.req_parml = msg->cprbx.rpl_msgbl = 312 size - sizeof(msg->hdr) - sizeof(msg->cprbx); 313 314 msg->fr = static_pkd_fnr; 315 316 ap_msg->len = size; 317 return 0; 318 } 319 320 /* 321 * Convert a XCRB message to a type6 CPRB message. 322 * 323 * @zq: crypto device pointer 324 * @ap_msg: pointer to AP message 325 * @xcRB: pointer to user input data 326 * 327 * Returns 0 on success or -EFAULT, -EINVAL. 328 */ 329 struct type86_fmt2_msg { 330 struct type86_hdr hdr; 331 struct type86_fmt2_ext fmt2; 332 } __packed; 333 334 static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg, 335 struct ica_xcRB *xcrb, 336 unsigned int *fcode, 337 unsigned short **dom) 338 { 339 static struct type6_hdr static_type6_hdrX = { 340 .type = 0x06, 341 .offset1 = 0x00000058, 342 }; 343 struct { 344 struct type6_hdr hdr; 345 struct CPRBX cprbx; 346 } __packed * msg = ap_msg->msg; 347 348 int rcblen = CEIL4(xcrb->request_control_blk_length); 349 int req_sumlen, resp_sumlen; 350 char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen; 351 char *function_code; 352 353 if (CEIL4(xcrb->request_control_blk_length) < 354 xcrb->request_control_blk_length) 355 return -EINVAL; /* overflow after alignment*/ 356 357 /* length checks */ 358 ap_msg->len = sizeof(struct type6_hdr) + 359 CEIL4(xcrb->request_control_blk_length) + 360 xcrb->request_data_length; 361 if (ap_msg->len > ap_msg->bufsize) 362 return -EINVAL; 363 364 /* 365 * Overflow check 366 * sum must be greater (or equal) than the largest operand 367 */ 368 req_sumlen = CEIL4(xcrb->request_control_blk_length) + 369 xcrb->request_data_length; 370 if ((CEIL4(xcrb->request_control_blk_length) <= 371 xcrb->request_data_length) ? 372 req_sumlen < xcrb->request_data_length : 373 req_sumlen < CEIL4(xcrb->request_control_blk_length)) { 374 return -EINVAL; 375 } 376 377 if (CEIL4(xcrb->reply_control_blk_length) < 378 xcrb->reply_control_blk_length) 379 return -EINVAL; /* overflow after alignment*/ 380 381 /* 382 * Overflow check 383 * sum must be greater (or equal) than the largest operand 384 */ 385 resp_sumlen = CEIL4(xcrb->reply_control_blk_length) + 386 xcrb->reply_data_length; 387 if ((CEIL4(xcrb->reply_control_blk_length) <= 388 xcrb->reply_data_length) ? 389 resp_sumlen < xcrb->reply_data_length : 390 resp_sumlen < CEIL4(xcrb->reply_control_blk_length)) { 391 return -EINVAL; 392 } 393 394 /* prepare type6 header */ 395 msg->hdr = static_type6_hdrX; 396 memcpy(msg->hdr.agent_id, &xcrb->agent_ID, sizeof(xcrb->agent_ID)); 397 msg->hdr.tocardlen1 = xcrb->request_control_blk_length; 398 if (xcrb->request_data_length) { 399 msg->hdr.offset2 = msg->hdr.offset1 + rcblen; 400 msg->hdr.tocardlen2 = xcrb->request_data_length; 401 } 402 msg->hdr.fromcardlen1 = xcrb->reply_control_blk_length; 403 msg->hdr.fromcardlen2 = xcrb->reply_data_length; 404 405 /* prepare CPRB */ 406 if (z_copy_from_user(userspace, &msg->cprbx, xcrb->request_control_blk_addr, 407 xcrb->request_control_blk_length)) 408 return -EFAULT; 409 if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) > 410 xcrb->request_control_blk_length) 411 return -EINVAL; 412 function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len; 413 memcpy(msg->hdr.function_code, function_code, 414 sizeof(msg->hdr.function_code)); 415 416 *fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1]; 417 *dom = (unsigned short *)&msg->cprbx.domain; 418 419 /* check subfunction, US and AU need special flag with NQAP */ 420 if (memcmp(function_code, "US", 2) == 0 || 421 memcmp(function_code, "AU", 2) == 0) 422 ap_msg->flags |= AP_MSG_FLAG_SPECIAL; 423 424 #ifdef CONFIG_ZCRYPT_DEBUG 425 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL) 426 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL; 427 #endif 428 429 /* check CPRB minor version, set info bits in ap_message flag field */ 430 switch (*(unsigned short *)(&msg->cprbx.func_id[0])) { 431 case 0x5432: /* "T2" */ 432 ap_msg->flags |= AP_MSG_FLAG_USAGE; 433 break; 434 case 0x5433: /* "T3" */ 435 case 0x5435: /* "T5" */ 436 case 0x5436: /* "T6" */ 437 case 0x5437: /* "T7" */ 438 ap_msg->flags |= AP_MSG_FLAG_ADMIN; 439 break; 440 default: 441 ZCRYPT_DBF_DBG("%s unknown CPRB minor version '%c%c'\n", 442 __func__, msg->cprbx.func_id[0], 443 msg->cprbx.func_id[1]); 444 } 445 446 /* copy data block */ 447 if (xcrb->request_data_length && 448 z_copy_from_user(userspace, req_data, xcrb->request_data_address, 449 xcrb->request_data_length)) 450 return -EFAULT; 451 452 return 0; 453 } 454 455 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg, 456 struct ep11_urb *xcrb, 457 unsigned int *fcode, 458 unsigned int *domain) 459 { 460 unsigned int lfmt; 461 static struct type6_hdr static_type6_ep11_hdr = { 462 .type = 0x06, 463 .rqid = {0x00, 0x01}, 464 .function_code = {0x00, 0x00}, 465 .agent_id[0] = 0x58, /* {'X'} */ 466 .agent_id[1] = 0x43, /* {'C'} */ 467 .offset1 = 0x00000058, 468 }; 469 470 struct { 471 struct type6_hdr hdr; 472 struct ep11_cprb cprbx; 473 unsigned char pld_tag; /* fixed value 0x30 */ 474 unsigned char pld_lenfmt; /* payload length format */ 475 } __packed * msg = ap_msg->msg; 476 477 struct pld_hdr { 478 unsigned char func_tag; /* fixed value 0x4 */ 479 unsigned char func_len; /* fixed value 0x4 */ 480 unsigned int func_val; /* function ID */ 481 unsigned char dom_tag; /* fixed value 0x4 */ 482 unsigned char dom_len; /* fixed value 0x4 */ 483 unsigned int dom_val; /* domain id */ 484 } __packed * payload_hdr = NULL; 485 486 if (CEIL4(xcrb->req_len) < xcrb->req_len) 487 return -EINVAL; /* overflow after alignment*/ 488 489 /* length checks */ 490 ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcrb->req_len); 491 if (ap_msg->len > ap_msg->bufsize) 492 return -EINVAL; 493 494 if (CEIL4(xcrb->resp_len) < xcrb->resp_len) 495 return -EINVAL; /* overflow after alignment*/ 496 497 /* prepare type6 header */ 498 msg->hdr = static_type6_ep11_hdr; 499 msg->hdr.tocardlen1 = xcrb->req_len; 500 msg->hdr.fromcardlen1 = xcrb->resp_len; 501 502 /* Import CPRB data from the ioctl input parameter */ 503 if (z_copy_from_user(userspace, &msg->cprbx.cprb_len, 504 (char __force __user *)xcrb->req, xcrb->req_len)) { 505 return -EFAULT; 506 } 507 508 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/ 509 switch (msg->pld_lenfmt & 0x03) { 510 case 1: 511 lfmt = 2; 512 break; 513 case 2: 514 lfmt = 3; 515 break; 516 default: 517 return -EINVAL; 518 } 519 } else { 520 lfmt = 1; /* length format #1 */ 521 } 522 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt); 523 *fcode = payload_hdr->func_val & 0xFFFF; 524 525 /* enable special processing based on the cprbs flags special bit */ 526 if (msg->cprbx.flags & 0x20) 527 ap_msg->flags |= AP_MSG_FLAG_SPECIAL; 528 529 #ifdef CONFIG_ZCRYPT_DEBUG 530 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL) 531 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL; 532 #endif 533 534 /* set info bits in ap_message flag field */ 535 if (msg->cprbx.flags & 0x80) 536 ap_msg->flags |= AP_MSG_FLAG_ADMIN; 537 else 538 ap_msg->flags |= AP_MSG_FLAG_USAGE; 539 540 *domain = msg->cprbx.target_id; 541 542 return 0; 543 } 544 545 /* 546 * Copy results from a type 86 ICA reply message back to user space. 547 * 548 * @zq: crypto device pointer 549 * @reply: reply AP message. 550 * @data: pointer to user output data 551 * @length: size of user output data 552 * 553 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error. 554 */ 555 struct type86x_reply { 556 struct type86_hdr hdr; 557 struct type86_fmt2_ext fmt2; 558 struct CPRBX cprbx; 559 unsigned char pad[4]; /* 4 byte function code/rules block ? */ 560 unsigned short length; 561 char text[]; 562 } __packed; 563 564 struct type86_ep11_reply { 565 struct type86_hdr hdr; 566 struct type86_fmt2_ext fmt2; 567 struct ep11_cprb cprbx; 568 } __packed; 569 570 static int convert_type86_ica(struct zcrypt_queue *zq, 571 struct ap_message *reply, 572 char __user *outputdata, 573 unsigned int outputdatalength) 574 { 575 static unsigned char static_pad[] = { 576 0x00, 0x02, 577 0x1B, 0x7B, 0x5D, 0xB5, 0x75, 0x01, 0x3D, 0xFD, 578 0x8D, 0xD1, 0xC7, 0x03, 0x2D, 0x09, 0x23, 0x57, 579 0x89, 0x49, 0xB9, 0x3F, 0xBB, 0x99, 0x41, 0x5B, 580 0x75, 0x21, 0x7B, 0x9D, 0x3B, 0x6B, 0x51, 0x39, 581 0xBB, 0x0D, 0x35, 0xB9, 0x89, 0x0F, 0x93, 0xA5, 582 0x0B, 0x47, 0xF1, 0xD3, 0xBB, 0xCB, 0xF1, 0x9D, 583 0x23, 0x73, 0x71, 0xFF, 0xF3, 0xF5, 0x45, 0xFB, 584 0x61, 0x29, 0x23, 0xFD, 0xF1, 0x29, 0x3F, 0x7F, 585 0x17, 0xB7, 0x1B, 0xA9, 0x19, 0xBD, 0x57, 0xA9, 586 0xD7, 0x95, 0xA3, 0xCB, 0xED, 0x1D, 0xDB, 0x45, 587 0x7D, 0x11, 0xD1, 0x51, 0x1B, 0xED, 0x71, 0xE9, 588 0xB1, 0xD1, 0xAB, 0xAB, 0x21, 0x2B, 0x1B, 0x9F, 589 0x3B, 0x9F, 0xF7, 0xF7, 0xBD, 0x63, 0xEB, 0xAD, 590 0xDF, 0xB3, 0x6F, 0x5B, 0xDB, 0x8D, 0xA9, 0x5D, 591 0xE3, 0x7D, 0x77, 0x49, 0x47, 0xF5, 0xA7, 0xFD, 592 0xAB, 0x2F, 0x27, 0x35, 0x77, 0xD3, 0x49, 0xC9, 593 0x09, 0xEB, 0xB1, 0xF9, 0xBF, 0x4B, 0xCB, 0x2B, 594 0xEB, 0xEB, 0x05, 0xFF, 0x7D, 0xC7, 0x91, 0x8B, 595 0x09, 0x83, 0xB9, 0xB9, 0x69, 0x33, 0x39, 0x6B, 596 0x79, 0x75, 0x19, 0xBF, 0xBB, 0x07, 0x1D, 0xBD, 597 0x29, 0xBF, 0x39, 0x95, 0x93, 0x1D, 0x35, 0xC7, 598 0xC9, 0x4D, 0xE5, 0x97, 0x0B, 0x43, 0x9B, 0xF1, 599 0x16, 0x93, 0x03, 0x1F, 0xA5, 0xFB, 0xDB, 0xF3, 600 0x27, 0x4F, 0x27, 0x61, 0x05, 0x1F, 0xB9, 0x23, 601 0x2F, 0xC3, 0x81, 0xA9, 0x23, 0x71, 0x55, 0x55, 602 0xEB, 0xED, 0x41, 0xE5, 0xF3, 0x11, 0xF1, 0x43, 603 0x69, 0x03, 0xBD, 0x0B, 0x37, 0x0F, 0x51, 0x8F, 604 0x0B, 0xB5, 0x89, 0x5B, 0x67, 0xA9, 0xD9, 0x4F, 605 0x01, 0xF9, 0x21, 0x77, 0x37, 0x73, 0x79, 0xC5, 606 0x7F, 0x51, 0xC1, 0xCF, 0x97, 0xA1, 0x75, 0xAD, 607 0x35, 0x9D, 0xD3, 0xD3, 0xA7, 0x9D, 0x5D, 0x41, 608 0x6F, 0x65, 0x1B, 0xCF, 0xA9, 0x87, 0x91, 0x09 609 }; 610 struct type86x_reply *msg = reply->msg; 611 unsigned short service_rc, service_rs; 612 unsigned int reply_len, pad_len; 613 char *data; 614 615 service_rc = msg->cprbx.ccp_rtcode; 616 if (unlikely(service_rc != 0)) { 617 service_rs = msg->cprbx.ccp_rscode; 618 if ((service_rc == 8 && service_rs == 66) || 619 (service_rc == 8 && service_rs == 65) || 620 (service_rc == 8 && service_rs == 72) || 621 (service_rc == 8 && service_rs == 770) || 622 (service_rc == 12 && service_rs == 769)) { 623 ZCRYPT_DBF_WARN("%s dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n", 624 __func__, AP_QID_CARD(zq->queue->qid), 625 AP_QID_QUEUE(zq->queue->qid), 626 (int)service_rc, (int)service_rs); 627 return -EINVAL; 628 } 629 zq->online = 0; 630 pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n", 631 AP_QID_CARD(zq->queue->qid), 632 AP_QID_QUEUE(zq->queue->qid), 633 (int)service_rc, (int)service_rs); 634 ZCRYPT_DBF_ERR("%s dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n", 635 __func__, AP_QID_CARD(zq->queue->qid), 636 AP_QID_QUEUE(zq->queue->qid), 637 (int)service_rc, (int)service_rs); 638 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 639 return -EAGAIN; 640 } 641 data = msg->text; 642 reply_len = msg->length - 2; 643 if (reply_len > outputdatalength) 644 return -EINVAL; 645 /* 646 * For all encipher requests, the length of the ciphertext (reply_len) 647 * will always equal the modulus length. For MEX decipher requests 648 * the output needs to get padded. Minimum pad size is 10. 649 * 650 * Currently, the cases where padding will be added is for: 651 * - PCIXCC_MCL2 using a CRT form token (since PKD didn't support 652 * ZERO-PAD and CRT is only supported for PKD requests) 653 * - PCICC, always 654 */ 655 pad_len = outputdatalength - reply_len; 656 if (pad_len > 0) { 657 if (pad_len < 10) 658 return -EINVAL; 659 /* 'restore' padding left in the CEXXC card. */ 660 if (copy_to_user(outputdata, static_pad, pad_len - 1)) 661 return -EFAULT; 662 if (put_user(0, outputdata + pad_len - 1)) 663 return -EFAULT; 664 } 665 /* Copy the crypto response to user space. */ 666 if (copy_to_user(outputdata + pad_len, data, reply_len)) 667 return -EFAULT; 668 return 0; 669 } 670 671 /* 672 * Copy results from a type 86 XCRB reply message back to user space. 673 * 674 * @zq: crypto device pointer 675 * @reply: reply AP message. 676 * @xcrb: pointer to XCRB 677 * 678 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error. 679 */ 680 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq, 681 struct ap_message *reply, 682 struct ica_xcRB *xcrb) 683 { 684 struct type86_fmt2_msg *msg = reply->msg; 685 char *data = reply->msg; 686 687 /* Copy CPRB to user */ 688 if (xcrb->reply_control_blk_length < msg->fmt2.count1) { 689 ZCRYPT_DBF_DBG("%s reply_control_blk_length %u < required %u => EMSGSIZE\n", 690 __func__, xcrb->reply_control_blk_length, 691 msg->fmt2.count1); 692 return -EMSGSIZE; 693 } 694 if (z_copy_to_user(userspace, xcrb->reply_control_blk_addr, 695 data + msg->fmt2.offset1, msg->fmt2.count1)) 696 return -EFAULT; 697 xcrb->reply_control_blk_length = msg->fmt2.count1; 698 699 /* Copy data buffer to user */ 700 if (msg->fmt2.count2) { 701 if (xcrb->reply_data_length < msg->fmt2.count2) { 702 ZCRYPT_DBF_DBG("%s reply_data_length %u < required %u => EMSGSIZE\n", 703 __func__, xcrb->reply_data_length, 704 msg->fmt2.count2); 705 return -EMSGSIZE; 706 } 707 if (z_copy_to_user(userspace, xcrb->reply_data_addr, 708 data + msg->fmt2.offset2, msg->fmt2.count2)) 709 return -EFAULT; 710 } 711 xcrb->reply_data_length = msg->fmt2.count2; 712 713 return 0; 714 } 715 716 /* 717 * Copy results from a type 86 EP11 XCRB reply message back to user space. 718 * 719 * @zq: crypto device pointer 720 * @reply: reply AP message. 721 * @xcrb: pointer to EP11 user request block 722 * 723 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error. 724 */ 725 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq, 726 struct ap_message *reply, 727 struct ep11_urb *xcrb) 728 { 729 struct type86_fmt2_msg *msg = reply->msg; 730 char *data = reply->msg; 731 732 if (xcrb->resp_len < msg->fmt2.count1) { 733 ZCRYPT_DBF_DBG("%s resp_len %u < required %u => EMSGSIZE\n", 734 __func__, (unsigned int)xcrb->resp_len, 735 msg->fmt2.count1); 736 return -EMSGSIZE; 737 } 738 739 /* Copy response CPRB to user */ 740 if (z_copy_to_user(userspace, (char __force __user *)xcrb->resp, 741 data + msg->fmt2.offset1, msg->fmt2.count1)) 742 return -EFAULT; 743 xcrb->resp_len = msg->fmt2.count1; 744 return 0; 745 } 746 747 static int convert_type86_rng(struct zcrypt_queue *zq, 748 struct ap_message *reply, 749 char *buffer) 750 { 751 struct { 752 struct type86_hdr hdr; 753 struct type86_fmt2_ext fmt2; 754 struct CPRBX cprbx; 755 } __packed * msg = reply->msg; 756 char *data = reply->msg; 757 758 if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0) 759 return -EINVAL; 760 memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2); 761 return msg->fmt2.count2; 762 } 763 764 static int convert_response_ica(struct zcrypt_queue *zq, 765 struct ap_message *reply, 766 char __user *outputdata, 767 unsigned int outputdatalength) 768 { 769 struct type86x_reply *msg = reply->msg; 770 771 switch (msg->hdr.type) { 772 case TYPE82_RSP_CODE: 773 case TYPE88_RSP_CODE: 774 return convert_error(zq, reply); 775 case TYPE86_RSP_CODE: 776 if (msg->cprbx.ccp_rtcode && 777 msg->cprbx.ccp_rscode == 0x14f && 778 outputdatalength > 256) { 779 if (zq->zcard->max_exp_bit_length <= 17) { 780 zq->zcard->max_exp_bit_length = 17; 781 return -EAGAIN; 782 } else { 783 return -EINVAL; 784 } 785 } 786 if (msg->hdr.reply_code) 787 return convert_error(zq, reply); 788 if (msg->cprbx.cprb_ver_id == 0x02) 789 return convert_type86_ica(zq, reply, 790 outputdata, outputdatalength); 791 fallthrough; /* wrong cprb version is an unknown response */ 792 default: 793 /* Unknown response type, this should NEVER EVER happen */ 794 zq->online = 0; 795 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 796 AP_QID_CARD(zq->queue->qid), 797 AP_QID_QUEUE(zq->queue->qid), 798 (int)msg->hdr.type); 799 ZCRYPT_DBF_ERR( 800 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 801 __func__, AP_QID_CARD(zq->queue->qid), 802 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type); 803 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 804 return -EAGAIN; 805 } 806 } 807 808 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq, 809 struct ap_message *reply, 810 struct ica_xcRB *xcrb) 811 { 812 struct type86x_reply *msg = reply->msg; 813 814 switch (msg->hdr.type) { 815 case TYPE82_RSP_CODE: 816 case TYPE88_RSP_CODE: 817 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */ 818 return convert_error(zq, reply); 819 case TYPE86_RSP_CODE: 820 if (msg->hdr.reply_code) { 821 memcpy(&xcrb->status, msg->fmt2.apfs, sizeof(u32)); 822 return convert_error(zq, reply); 823 } 824 if (msg->cprbx.cprb_ver_id == 0x02) 825 return convert_type86_xcrb(userspace, zq, reply, xcrb); 826 fallthrough; /* wrong cprb version is an unknown response */ 827 default: /* Unknown response type, this should NEVER EVER happen */ 828 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */ 829 zq->online = 0; 830 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 831 AP_QID_CARD(zq->queue->qid), 832 AP_QID_QUEUE(zq->queue->qid), 833 (int)msg->hdr.type); 834 ZCRYPT_DBF_ERR( 835 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 836 __func__, AP_QID_CARD(zq->queue->qid), 837 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type); 838 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 839 return -EAGAIN; 840 } 841 } 842 843 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq, 844 struct ap_message *reply, struct ep11_urb *xcrb) 845 { 846 struct type86_ep11_reply *msg = reply->msg; 847 848 switch (msg->hdr.type) { 849 case TYPE82_RSP_CODE: 850 case TYPE87_RSP_CODE: 851 return convert_error(zq, reply); 852 case TYPE86_RSP_CODE: 853 if (msg->hdr.reply_code) 854 return convert_error(zq, reply); 855 if (msg->cprbx.cprb_ver_id == 0x04) 856 return convert_type86_ep11_xcrb(userspace, zq, reply, xcrb); 857 fallthrough; /* wrong cprb version is an unknown resp */ 858 default: /* Unknown response type, this should NEVER EVER happen */ 859 zq->online = 0; 860 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 861 AP_QID_CARD(zq->queue->qid), 862 AP_QID_QUEUE(zq->queue->qid), 863 (int)msg->hdr.type); 864 ZCRYPT_DBF_ERR( 865 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 866 __func__, AP_QID_CARD(zq->queue->qid), 867 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type); 868 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 869 return -EAGAIN; 870 } 871 } 872 873 static int convert_response_rng(struct zcrypt_queue *zq, 874 struct ap_message *reply, 875 char *data) 876 { 877 struct type86x_reply *msg = reply->msg; 878 879 switch (msg->hdr.type) { 880 case TYPE82_RSP_CODE: 881 case TYPE88_RSP_CODE: 882 return -EINVAL; 883 case TYPE86_RSP_CODE: 884 if (msg->hdr.reply_code) 885 return -EINVAL; 886 if (msg->cprbx.cprb_ver_id == 0x02) 887 return convert_type86_rng(zq, reply, data); 888 fallthrough; /* wrong cprb version is an unknown response */ 889 default: /* Unknown response type, this should NEVER EVER happen */ 890 zq->online = 0; 891 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 892 AP_QID_CARD(zq->queue->qid), 893 AP_QID_QUEUE(zq->queue->qid), 894 (int)msg->hdr.type); 895 ZCRYPT_DBF_ERR( 896 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n", 897 __func__, AP_QID_CARD(zq->queue->qid), 898 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type); 899 ap_send_online_uevent(&zq->queue->ap_dev, zq->online); 900 return -EAGAIN; 901 } 902 } 903 904 /* 905 * This function is called from the AP bus code after a crypto request 906 * "msg" has finished with the reply message "reply". 907 * It is called from tasklet context. 908 * @aq: pointer to the AP queue 909 * @msg: pointer to the AP message 910 * @reply: pointer to the AP reply message 911 */ 912 static void zcrypt_msgtype6_receive(struct ap_queue *aq, 913 struct ap_message *msg, 914 struct ap_message *reply) 915 { 916 static struct error_hdr error_reply = { 917 .type = TYPE82_RSP_CODE, 918 .reply_code = REP82_ERROR_MACHINE_FAILURE, 919 }; 920 struct response_type *resp_type = 921 (struct response_type *)msg->private; 922 struct type86x_reply *t86r; 923 int len; 924 925 /* Copy the reply message to the request message buffer. */ 926 if (!reply) 927 goto out; /* ap_msg->rc indicates the error */ 928 t86r = reply->msg; 929 if (t86r->hdr.type == TYPE86_RSP_CODE && 930 t86r->cprbx.cprb_ver_id == 0x02) { 931 switch (resp_type->type) { 932 case CEXXC_RESPONSE_TYPE_ICA: 933 len = sizeof(struct type86x_reply) + t86r->length - 2; 934 if (len > reply->bufsize || len > msg->bufsize) { 935 msg->rc = -EMSGSIZE; 936 } else { 937 memcpy(msg->msg, reply->msg, len); 938 msg->len = len; 939 } 940 break; 941 case CEXXC_RESPONSE_TYPE_XCRB: 942 len = t86r->fmt2.offset2 + t86r->fmt2.count2; 943 if (len > reply->bufsize || len > msg->bufsize) { 944 msg->rc = -EMSGSIZE; 945 } else { 946 memcpy(msg->msg, reply->msg, len); 947 msg->len = len; 948 } 949 break; 950 default: 951 memcpy(msg->msg, &error_reply, sizeof(error_reply)); 952 } 953 } else { 954 memcpy(msg->msg, reply->msg, sizeof(error_reply)); 955 } 956 out: 957 complete(&resp_type->work); 958 } 959 960 /* 961 * This function is called from the AP bus code after a crypto request 962 * "msg" has finished with the reply message "reply". 963 * It is called from tasklet context. 964 * @aq: pointer to the AP queue 965 * @msg: pointer to the AP message 966 * @reply: pointer to the AP reply message 967 */ 968 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq, 969 struct ap_message *msg, 970 struct ap_message *reply) 971 { 972 static struct error_hdr error_reply = { 973 .type = TYPE82_RSP_CODE, 974 .reply_code = REP82_ERROR_MACHINE_FAILURE, 975 }; 976 struct response_type *resp_type = 977 (struct response_type *)msg->private; 978 struct type86_ep11_reply *t86r; 979 int len; 980 981 /* Copy the reply message to the request message buffer. */ 982 if (!reply) 983 goto out; /* ap_msg->rc indicates the error */ 984 t86r = reply->msg; 985 if (t86r->hdr.type == TYPE86_RSP_CODE && 986 t86r->cprbx.cprb_ver_id == 0x04) { 987 switch (resp_type->type) { 988 case CEXXC_RESPONSE_TYPE_EP11: 989 len = t86r->fmt2.offset1 + t86r->fmt2.count1; 990 if (len > reply->bufsize || len > msg->bufsize) { 991 msg->rc = -EMSGSIZE; 992 } else { 993 memcpy(msg->msg, reply->msg, len); 994 msg->len = len; 995 } 996 break; 997 default: 998 memcpy(msg->msg, &error_reply, sizeof(error_reply)); 999 } 1000 } else { 1001 memcpy(msg->msg, reply->msg, sizeof(error_reply)); 1002 } 1003 out: 1004 complete(&resp_type->work); 1005 } 1006 1007 static atomic_t zcrypt_step = ATOMIC_INIT(0); 1008 1009 /* 1010 * The request distributor calls this function if it picked the CEXxC 1011 * device to handle a modexpo request. 1012 * @zq: pointer to zcrypt_queue structure that identifies the 1013 * CEXxC device to the request distributor 1014 * @mex: pointer to the modexpo request buffer 1015 */ 1016 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq, 1017 struct ica_rsa_modexpo *mex, 1018 struct ap_message *ap_msg) 1019 { 1020 struct response_type resp_type = { 1021 .type = CEXXC_RESPONSE_TYPE_ICA, 1022 }; 1023 int rc; 1024 1025 ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL); 1026 if (!ap_msg->msg) 1027 return -ENOMEM; 1028 ap_msg->bufsize = PAGE_SIZE; 1029 ap_msg->receive = zcrypt_msgtype6_receive; 1030 ap_msg->psmid = (((unsigned long long)current->pid) << 32) + 1031 atomic_inc_return(&zcrypt_step); 1032 ap_msg->private = &resp_type; 1033 rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex); 1034 if (rc) 1035 goto out_free; 1036 init_completion(&resp_type.work); 1037 rc = ap_queue_message(zq->queue, ap_msg); 1038 if (rc) 1039 goto out_free; 1040 rc = wait_for_completion_interruptible(&resp_type.work); 1041 if (rc == 0) { 1042 rc = ap_msg->rc; 1043 if (rc == 0) 1044 rc = convert_response_ica(zq, ap_msg, 1045 mex->outputdata, 1046 mex->outputdatalength); 1047 } else { 1048 /* Signal pending. */ 1049 ap_cancel_message(zq->queue, ap_msg); 1050 } 1051 1052 out_free: 1053 free_page((unsigned long)ap_msg->msg); 1054 ap_msg->private = NULL; 1055 ap_msg->msg = NULL; 1056 return rc; 1057 } 1058 1059 /* 1060 * The request distributor calls this function if it picked the CEXxC 1061 * device to handle a modexpo_crt request. 1062 * @zq: pointer to zcrypt_queue structure that identifies the 1063 * CEXxC device to the request distributor 1064 * @crt: pointer to the modexpoc_crt request buffer 1065 */ 1066 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq, 1067 struct ica_rsa_modexpo_crt *crt, 1068 struct ap_message *ap_msg) 1069 { 1070 struct response_type resp_type = { 1071 .type = CEXXC_RESPONSE_TYPE_ICA, 1072 }; 1073 int rc; 1074 1075 ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL); 1076 if (!ap_msg->msg) 1077 return -ENOMEM; 1078 ap_msg->bufsize = PAGE_SIZE; 1079 ap_msg->receive = zcrypt_msgtype6_receive; 1080 ap_msg->psmid = (((unsigned long long)current->pid) << 32) + 1081 atomic_inc_return(&zcrypt_step); 1082 ap_msg->private = &resp_type; 1083 rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt); 1084 if (rc) 1085 goto out_free; 1086 init_completion(&resp_type.work); 1087 rc = ap_queue_message(zq->queue, ap_msg); 1088 if (rc) 1089 goto out_free; 1090 rc = wait_for_completion_interruptible(&resp_type.work); 1091 if (rc == 0) { 1092 rc = ap_msg->rc; 1093 if (rc == 0) 1094 rc = convert_response_ica(zq, ap_msg, 1095 crt->outputdata, 1096 crt->outputdatalength); 1097 } else { 1098 /* Signal pending. */ 1099 ap_cancel_message(zq->queue, ap_msg); 1100 } 1101 1102 out_free: 1103 free_page((unsigned long)ap_msg->msg); 1104 ap_msg->private = NULL; 1105 ap_msg->msg = NULL; 1106 return rc; 1107 } 1108 1109 /* 1110 * Prepare a CCA AP msg request. 1111 * Prepare a CCA AP msg: fetch the required data from userspace, 1112 * prepare the AP msg, fill some info into the ap_message struct, 1113 * extract some data from the CPRB and give back to the caller. 1114 * This function allocates memory and needs an ap_msg prepared 1115 * by the caller with ap_init_message(). Also the caller has to 1116 * make sure ap_release_message() is always called even on failure. 1117 */ 1118 int prep_cca_ap_msg(bool userspace, struct ica_xcRB *xcrb, 1119 struct ap_message *ap_msg, 1120 unsigned int *func_code, unsigned short **dom) 1121 { 1122 struct response_type resp_type = { 1123 .type = CEXXC_RESPONSE_TYPE_XCRB, 1124 }; 1125 1126 ap_msg->bufsize = atomic_read(&ap_max_msg_size); 1127 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL); 1128 if (!ap_msg->msg) 1129 return -ENOMEM; 1130 ap_msg->receive = zcrypt_msgtype6_receive; 1131 ap_msg->psmid = (((unsigned long long)current->pid) << 32) + 1132 atomic_inc_return(&zcrypt_step); 1133 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL); 1134 if (!ap_msg->private) 1135 return -ENOMEM; 1136 return xcrb_msg_to_type6cprb_msgx(userspace, ap_msg, xcrb, func_code, dom); 1137 } 1138 1139 /* 1140 * The request distributor calls this function if it picked the CEXxC 1141 * device to handle a send_cprb request. 1142 * @zq: pointer to zcrypt_queue structure that identifies the 1143 * CEXxC device to the request distributor 1144 * @xcrb: pointer to the send_cprb request buffer 1145 */ 1146 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq, 1147 struct ica_xcRB *xcrb, 1148 struct ap_message *ap_msg) 1149 { 1150 int rc; 1151 struct response_type *rtype = (struct response_type *)(ap_msg->private); 1152 struct { 1153 struct type6_hdr hdr; 1154 struct CPRBX cprbx; 1155 /* ... more data blocks ... */ 1156 } __packed * msg = ap_msg->msg; 1157 1158 /* 1159 * Set the queue's reply buffer length minus 128 byte padding 1160 * as reply limit for the card firmware. 1161 */ 1162 msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1, 1163 zq->reply.bufsize - 128); 1164 if (msg->hdr.fromcardlen2) 1165 msg->hdr.fromcardlen2 = 1166 zq->reply.bufsize - msg->hdr.fromcardlen1 - 128; 1167 1168 init_completion(&rtype->work); 1169 rc = ap_queue_message(zq->queue, ap_msg); 1170 if (rc) 1171 goto out; 1172 rc = wait_for_completion_interruptible(&rtype->work); 1173 if (rc == 0) { 1174 rc = ap_msg->rc; 1175 if (rc == 0) 1176 rc = convert_response_xcrb(userspace, zq, ap_msg, xcrb); 1177 } else { 1178 /* Signal pending. */ 1179 ap_cancel_message(zq->queue, ap_msg); 1180 } 1181 1182 out: 1183 if (rc) 1184 ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n", 1185 __func__, AP_QID_CARD(zq->queue->qid), 1186 AP_QID_QUEUE(zq->queue->qid), rc); 1187 return rc; 1188 } 1189 1190 /* 1191 * Prepare an EP11 AP msg request. 1192 * Prepare an EP11 AP msg: fetch the required data from userspace, 1193 * prepare the AP msg, fill some info into the ap_message struct, 1194 * extract some data from the CPRB and give back to the caller. 1195 * This function allocates memory and needs an ap_msg prepared 1196 * by the caller with ap_init_message(). Also the caller has to 1197 * make sure ap_release_message() is always called even on failure. 1198 */ 1199 int prep_ep11_ap_msg(bool userspace, struct ep11_urb *xcrb, 1200 struct ap_message *ap_msg, 1201 unsigned int *func_code, unsigned int *domain) 1202 { 1203 struct response_type resp_type = { 1204 .type = CEXXC_RESPONSE_TYPE_EP11, 1205 }; 1206 1207 ap_msg->bufsize = atomic_read(&ap_max_msg_size); 1208 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL); 1209 if (!ap_msg->msg) 1210 return -ENOMEM; 1211 ap_msg->receive = zcrypt_msgtype6_receive_ep11; 1212 ap_msg->psmid = (((unsigned long long)current->pid) << 32) + 1213 atomic_inc_return(&zcrypt_step); 1214 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL); 1215 if (!ap_msg->private) 1216 return -ENOMEM; 1217 return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb, 1218 func_code, domain); 1219 } 1220 1221 /* 1222 * The request distributor calls this function if it picked the CEX4P 1223 * device to handle a send_ep11_cprb request. 1224 * @zq: pointer to zcrypt_queue structure that identifies the 1225 * CEX4P device to the request distributor 1226 * @xcrb: pointer to the ep11 user request block 1227 */ 1228 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq, 1229 struct ep11_urb *xcrb, 1230 struct ap_message *ap_msg) 1231 { 1232 int rc; 1233 unsigned int lfmt; 1234 struct response_type *rtype = (struct response_type *)(ap_msg->private); 1235 struct { 1236 struct type6_hdr hdr; 1237 struct ep11_cprb cprbx; 1238 unsigned char pld_tag; /* fixed value 0x30 */ 1239 unsigned char pld_lenfmt; /* payload length format */ 1240 } __packed * msg = ap_msg->msg; 1241 struct pld_hdr { 1242 unsigned char func_tag; /* fixed value 0x4 */ 1243 unsigned char func_len; /* fixed value 0x4 */ 1244 unsigned int func_val; /* function ID */ 1245 unsigned char dom_tag; /* fixed value 0x4 */ 1246 unsigned char dom_len; /* fixed value 0x4 */ 1247 unsigned int dom_val; /* domain id */ 1248 } __packed * payload_hdr = NULL; 1249 1250 /* 1251 * The target domain field within the cprb body/payload block will be 1252 * replaced by the usage domain for non-management commands only. 1253 * Therefore we check the first bit of the 'flags' parameter for 1254 * management command indication. 1255 * 0 - non management command 1256 * 1 - management command 1257 */ 1258 if (!((msg->cprbx.flags & 0x80) == 0x80)) { 1259 msg->cprbx.target_id = (unsigned int) 1260 AP_QID_QUEUE(zq->queue->qid); 1261 1262 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/ 1263 switch (msg->pld_lenfmt & 0x03) { 1264 case 1: 1265 lfmt = 2; 1266 break; 1267 case 2: 1268 lfmt = 3; 1269 break; 1270 default: 1271 return -EINVAL; 1272 } 1273 } else { 1274 lfmt = 1; /* length format #1 */ 1275 } 1276 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt); 1277 payload_hdr->dom_val = (unsigned int) 1278 AP_QID_QUEUE(zq->queue->qid); 1279 } 1280 1281 /* 1282 * Set the queue's reply buffer length minus the two prepend headers 1283 * as reply limit for the card firmware. 1284 */ 1285 msg->hdr.fromcardlen1 = zq->reply.bufsize - 1286 sizeof(struct type86_hdr) - sizeof(struct type86_fmt2_ext); 1287 1288 init_completion(&rtype->work); 1289 rc = ap_queue_message(zq->queue, ap_msg); 1290 if (rc) 1291 goto out; 1292 rc = wait_for_completion_interruptible(&rtype->work); 1293 if (rc == 0) { 1294 rc = ap_msg->rc; 1295 if (rc == 0) 1296 rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb); 1297 } else { 1298 /* Signal pending. */ 1299 ap_cancel_message(zq->queue, ap_msg); 1300 } 1301 1302 out: 1303 if (rc) 1304 ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n", 1305 __func__, AP_QID_CARD(zq->queue->qid), 1306 AP_QID_QUEUE(zq->queue->qid), rc); 1307 return rc; 1308 } 1309 1310 int prep_rng_ap_msg(struct ap_message *ap_msg, int *func_code, 1311 unsigned int *domain) 1312 { 1313 struct response_type resp_type = { 1314 .type = CEXXC_RESPONSE_TYPE_XCRB, 1315 }; 1316 1317 ap_msg->bufsize = AP_DEFAULT_MAX_MSG_SIZE; 1318 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL); 1319 if (!ap_msg->msg) 1320 return -ENOMEM; 1321 ap_msg->receive = zcrypt_msgtype6_receive; 1322 ap_msg->psmid = (((unsigned long long)current->pid) << 32) + 1323 atomic_inc_return(&zcrypt_step); 1324 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL); 1325 if (!ap_msg->private) 1326 return -ENOMEM; 1327 1328 rng_type6cprb_msgx(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain); 1329 1330 *func_code = HWRNG; 1331 return 0; 1332 } 1333 1334 /* 1335 * The request distributor calls this function if it picked the CEXxC 1336 * device to generate random data. 1337 * @zq: pointer to zcrypt_queue structure that identifies the 1338 * CEXxC device to the request distributor 1339 * @buffer: pointer to a memory page to return random data 1340 */ 1341 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq, 1342 char *buffer, struct ap_message *ap_msg) 1343 { 1344 struct { 1345 struct type6_hdr hdr; 1346 struct CPRBX cprbx; 1347 char function_code[2]; 1348 short int rule_length; 1349 char rule[8]; 1350 short int verb_length; 1351 short int key_length; 1352 } __packed * msg = ap_msg->msg; 1353 struct response_type *rtype = (struct response_type *)(ap_msg->private); 1354 int rc; 1355 1356 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid); 1357 1358 init_completion(&rtype->work); 1359 rc = ap_queue_message(zq->queue, ap_msg); 1360 if (rc) 1361 goto out; 1362 rc = wait_for_completion_interruptible(&rtype->work); 1363 if (rc == 0) { 1364 rc = ap_msg->rc; 1365 if (rc == 0) 1366 rc = convert_response_rng(zq, ap_msg, buffer); 1367 } else { 1368 /* Signal pending. */ 1369 ap_cancel_message(zq->queue, ap_msg); 1370 } 1371 out: 1372 return rc; 1373 } 1374 1375 /* 1376 * The crypto operations for a CEXxC card. 1377 */ 1378 static struct zcrypt_ops zcrypt_msgtype6_norng_ops = { 1379 .owner = THIS_MODULE, 1380 .name = MSGTYPE06_NAME, 1381 .variant = MSGTYPE06_VARIANT_NORNG, 1382 .rsa_modexpo = zcrypt_msgtype6_modexpo, 1383 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt, 1384 .send_cprb = zcrypt_msgtype6_send_cprb, 1385 }; 1386 1387 static struct zcrypt_ops zcrypt_msgtype6_ops = { 1388 .owner = THIS_MODULE, 1389 .name = MSGTYPE06_NAME, 1390 .variant = MSGTYPE06_VARIANT_DEFAULT, 1391 .rsa_modexpo = zcrypt_msgtype6_modexpo, 1392 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt, 1393 .send_cprb = zcrypt_msgtype6_send_cprb, 1394 .rng = zcrypt_msgtype6_rng, 1395 }; 1396 1397 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = { 1398 .owner = THIS_MODULE, 1399 .name = MSGTYPE06_NAME, 1400 .variant = MSGTYPE06_VARIANT_EP11, 1401 .rsa_modexpo = NULL, 1402 .rsa_modexpo_crt = NULL, 1403 .send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb, 1404 }; 1405 1406 void __init zcrypt_msgtype6_init(void) 1407 { 1408 zcrypt_msgtype_register(&zcrypt_msgtype6_norng_ops); 1409 zcrypt_msgtype_register(&zcrypt_msgtype6_ops); 1410 zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops); 1411 } 1412 1413 void __exit zcrypt_msgtype6_exit(void) 1414 { 1415 zcrypt_msgtype_unregister(&zcrypt_msgtype6_norng_ops); 1416 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops); 1417 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops); 1418 } 1419