1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  *  Copyright IBM Corp. 2001, 2022
4  *  Author(s): Robert Burroughs
5  *	       Eric Rossman (edrossma@us.ibm.com)
6  *
7  *  Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com)
8  *  Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com>
9  *				  Ralph Wuerthner <rwuerthn@de.ibm.com>
10  *  MSGTYPE restruct:		  Holger Dengler <hd@linux.vnet.ibm.com>
11  */
12 
13 #define KMSG_COMPONENT "zcrypt"
14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
15 
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/err.h>
19 #include <linux/delay.h>
20 #include <linux/slab.h>
21 #include <linux/atomic.h>
22 #include <linux/uaccess.h>
23 
24 #include "ap_bus.h"
25 #include "zcrypt_api.h"
26 #include "zcrypt_error.h"
27 #include "zcrypt_msgtype6.h"
28 #include "zcrypt_cca_key.h"
29 
30 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply	    */
31 
32 #define CEIL4(x) ((((x) + 3) / 4) * 4)
33 
34 struct response_type {
35 	struct completion work;
36 	int type;
37 };
38 
39 #define CEXXC_RESPONSE_TYPE_ICA  0
40 #define CEXXC_RESPONSE_TYPE_XCRB 1
41 #define CEXXC_RESPONSE_TYPE_EP11 2
42 
43 MODULE_AUTHOR("IBM Corporation");
44 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \
45 		   "Copyright IBM Corp. 2001, 2012");
46 MODULE_LICENSE("GPL");
47 
48 struct function_and_rules_block {
49 	unsigned char function_code[2];
50 	unsigned short ulen;
51 	unsigned char only_rule[8];
52 } __packed;
53 
54 /*
55  * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP
56  * card in a type6 message. The 3 fields that must be filled in at execution
57  * time are  req_parml, rpl_parml and usage_domain.
58  * Everything about this interface is ascii/big-endian, since the
59  * device does *not* have 'Intel inside'.
60  *
61  * The CPRBX is followed immediately by the parm block.
62  * The parm block contains:
63  * - function code ('PD' 0x5044 or 'PK' 0x504B)
64  * - rule block (one of:)
65  *   + 0x000A 'PKCS-1.2' (MCL2 'PD')
66  *   + 0x000A 'ZERO-PAD' (MCL2 'PK')
67  *   + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD')
68  *   + 0x000A 'MRP     ' (MCL3 'PK' or CEX2C 'PK')
69  * - VUD block
70  */
71 static const struct CPRBX static_cprbx = {
72 	.cprb_len	=  0x00DC,
73 	.cprb_ver_id	=  0x02,
74 	.func_id	= {0x54, 0x32},
75 };
76 
speed_idx_cca(int req_type)77 int speed_idx_cca(int req_type)
78 {
79 	switch (req_type) {
80 	case 0x4142:
81 	case 0x4149:
82 	case 0x414D:
83 	case 0x4341:
84 	case 0x4344:
85 	case 0x4354:
86 	case 0x4358:
87 	case 0x444B:
88 	case 0x4558:
89 	case 0x4643:
90 	case 0x4651:
91 	case 0x4C47:
92 	case 0x4C4B:
93 	case 0x4C51:
94 	case 0x4F48:
95 	case 0x504F:
96 	case 0x5053:
97 	case 0x5058:
98 	case 0x5343:
99 	case 0x5344:
100 	case 0x5345:
101 	case 0x5350:
102 		return LOW;
103 	case 0x414B:
104 	case 0x4345:
105 	case 0x4349:
106 	case 0x434D:
107 	case 0x4847:
108 	case 0x4849:
109 	case 0x484D:
110 	case 0x4850:
111 	case 0x4851:
112 	case 0x4954:
113 	case 0x4958:
114 	case 0x4B43:
115 	case 0x4B44:
116 	case 0x4B45:
117 	case 0x4B47:
118 	case 0x4B48:
119 	case 0x4B49:
120 	case 0x4B4E:
121 	case 0x4B50:
122 	case 0x4B52:
123 	case 0x4B54:
124 	case 0x4B58:
125 	case 0x4D50:
126 	case 0x4D53:
127 	case 0x4D56:
128 	case 0x4D58:
129 	case 0x5044:
130 	case 0x5045:
131 	case 0x5046:
132 	case 0x5047:
133 	case 0x5049:
134 	case 0x504B:
135 	case 0x504D:
136 	case 0x5254:
137 	case 0x5347:
138 	case 0x5349:
139 	case 0x534B:
140 	case 0x534D:
141 	case 0x5356:
142 	case 0x5358:
143 	case 0x5443:
144 	case 0x544B:
145 	case 0x5647:
146 		return HIGH;
147 	default:
148 		return MEDIUM;
149 	}
150 }
151 
speed_idx_ep11(int req_type)152 int speed_idx_ep11(int req_type)
153 {
154 	switch (req_type) {
155 	case  1:
156 	case  2:
157 	case 36:
158 	case 37:
159 	case 38:
160 	case 39:
161 	case 40:
162 		return LOW;
163 	case 17:
164 	case 18:
165 	case 19:
166 	case 20:
167 	case 21:
168 	case 22:
169 	case 26:
170 	case 30:
171 	case 31:
172 	case 32:
173 	case 33:
174 	case 34:
175 	case 35:
176 		return HIGH;
177 	default:
178 		return MEDIUM;
179 	}
180 }
181 
182 /*
183  * Convert a ICAMEX message to a type6 MEX message.
184  *
185  * @zq: crypto device pointer
186  * @ap_msg: pointer to AP message
187  * @mex: pointer to user input data
188  *
189  * Returns 0 on success or negative errno value.
190  */
icamex_msg_to_type6mex_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo * mex)191 static int icamex_msg_to_type6mex_msgx(struct zcrypt_queue *zq,
192 				       struct ap_message *ap_msg,
193 				       struct ica_rsa_modexpo *mex)
194 {
195 	static struct type6_hdr static_type6_hdrX = {
196 		.type		=  0x06,
197 		.offset1	=  0x00000058,
198 		.agent_id	= {'C', 'A',},
199 		.function_code	= {'P', 'K'},
200 	};
201 	static struct function_and_rules_block static_pke_fnr = {
202 		.function_code	= {'P', 'K'},
203 		.ulen		= 10,
204 		.only_rule	= {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '}
205 	};
206 	struct {
207 		struct type6_hdr hdr;
208 		struct CPRBX cprbx;
209 		struct function_and_rules_block fr;
210 		unsigned short length;
211 		char text[0];
212 	} __packed * msg = ap_msg->msg;
213 	int size;
214 
215 	/*
216 	 * The inputdatalength was a selection criteria in the dispatching
217 	 * function zcrypt_rsa_modexpo(). However, make sure the following
218 	 * copy_from_user() never exceeds the allocated buffer space.
219 	 */
220 	if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
221 		return -EINVAL;
222 
223 	/* VUD.ciphertext */
224 	msg->length = mex->inputdatalength + 2;
225 	if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
226 		return -EFAULT;
227 
228 	/* Set up key which is located after the variable length text. */
229 	size = zcrypt_type6_mex_key_en(mex, msg->text + mex->inputdatalength);
230 	if (size < 0)
231 		return size;
232 	size += sizeof(*msg) + mex->inputdatalength;
233 
234 	/* message header, cprbx and f&r */
235 	msg->hdr = static_type6_hdrX;
236 	msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
237 	msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
238 
239 	msg->cprbx = static_cprbx;
240 	msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
241 	msg->cprbx.rpl_msgbl = msg->hdr.fromcardlen1;
242 
243 	msg->fr = static_pke_fnr;
244 
245 	msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx);
246 
247 	ap_msg->len = size;
248 	return 0;
249 }
250 
251 /*
252  * Convert a ICACRT message to a type6 CRT message.
253  *
254  * @zq: crypto device pointer
255  * @ap_msg: pointer to AP message
256  * @crt: pointer to user input data
257  *
258  * Returns 0 on success or negative errno value.
259  */
icacrt_msg_to_type6crt_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo_crt * crt)260 static int icacrt_msg_to_type6crt_msgx(struct zcrypt_queue *zq,
261 				       struct ap_message *ap_msg,
262 				       struct ica_rsa_modexpo_crt *crt)
263 {
264 	static struct type6_hdr static_type6_hdrX = {
265 		.type		=  0x06,
266 		.offset1	=  0x00000058,
267 		.agent_id	= {'C', 'A',},
268 		.function_code	= {'P', 'D'},
269 	};
270 	static struct function_and_rules_block static_pkd_fnr = {
271 		.function_code	= {'P', 'D'},
272 		.ulen		= 10,
273 		.only_rule	= {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'}
274 	};
275 
276 	struct {
277 		struct type6_hdr hdr;
278 		struct CPRBX cprbx;
279 		struct function_and_rules_block fr;
280 		unsigned short length;
281 		char text[0];
282 	} __packed * msg = ap_msg->msg;
283 	int size;
284 
285 	/*
286 	 * The inputdatalength was a selection criteria in the dispatching
287 	 * function zcrypt_rsa_crt(). However, make sure the following
288 	 * copy_from_user() never exceeds the allocated buffer space.
289 	 */
290 	if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
291 		return -EINVAL;
292 
293 	/* VUD.ciphertext */
294 	msg->length = crt->inputdatalength + 2;
295 	if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))
296 		return -EFAULT;
297 
298 	/* Set up key which is located after the variable length text. */
299 	size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength);
300 	if (size < 0)
301 		return size;
302 	size += sizeof(*msg) + crt->inputdatalength;	/* total size of msg */
303 
304 	/* message header, cprbx and f&r */
305 	msg->hdr = static_type6_hdrX;
306 	msg->hdr.tocardlen1 = size -  sizeof(msg->hdr);
307 	msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
308 
309 	msg->cprbx = static_cprbx;
310 	msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
311 	msg->cprbx.req_parml = msg->cprbx.rpl_msgbl =
312 		size - sizeof(msg->hdr) - sizeof(msg->cprbx);
313 
314 	msg->fr = static_pkd_fnr;
315 
316 	ap_msg->len = size;
317 	return 0;
318 }
319 
320 /*
321  * Convert a XCRB message to a type6 CPRB message.
322  *
323  * @zq: crypto device pointer
324  * @ap_msg: pointer to AP message
325  * @xcRB: pointer to user input data
326  *
327  * Returns 0 on success or -EFAULT, -EINVAL.
328  */
329 struct type86_fmt2_msg {
330 	struct type86_hdr hdr;
331 	struct type86_fmt2_ext fmt2;
332 } __packed;
333 
xcrb_msg_to_type6cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ica_xcRB * xcrb,unsigned int * fcode,unsigned short ** dom)334 static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg,
335 				      struct ica_xcRB *xcrb,
336 				      unsigned int *fcode,
337 				      unsigned short **dom)
338 {
339 	static struct type6_hdr static_type6_hdrX = {
340 		.type		=  0x06,
341 		.offset1	=  0x00000058,
342 	};
343 	struct {
344 		struct type6_hdr hdr;
345 		struct CPRBX cprbx;
346 	} __packed * msg = ap_msg->msg;
347 
348 	int rcblen = CEIL4(xcrb->request_control_blk_length);
349 	int req_sumlen, resp_sumlen;
350 	char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen;
351 	char *function_code;
352 
353 	if (CEIL4(xcrb->request_control_blk_length) <
354 			xcrb->request_control_blk_length)
355 		return -EINVAL; /* overflow after alignment*/
356 
357 	/* length checks */
358 	ap_msg->len = sizeof(struct type6_hdr) +
359 		CEIL4(xcrb->request_control_blk_length) +
360 		xcrb->request_data_length;
361 	if (ap_msg->len > ap_msg->bufsize)
362 		return -EINVAL;
363 
364 	/*
365 	 * Overflow check
366 	 * sum must be greater (or equal) than the largest operand
367 	 */
368 	req_sumlen = CEIL4(xcrb->request_control_blk_length) +
369 			xcrb->request_data_length;
370 	if ((CEIL4(xcrb->request_control_blk_length) <=
371 	     xcrb->request_data_length) ?
372 	    req_sumlen < xcrb->request_data_length :
373 	    req_sumlen < CEIL4(xcrb->request_control_blk_length)) {
374 		return -EINVAL;
375 	}
376 
377 	if (CEIL4(xcrb->reply_control_blk_length) <
378 			xcrb->reply_control_blk_length)
379 		return -EINVAL; /* overflow after alignment*/
380 
381 	/*
382 	 * Overflow check
383 	 * sum must be greater (or equal) than the largest operand
384 	 */
385 	resp_sumlen = CEIL4(xcrb->reply_control_blk_length) +
386 			xcrb->reply_data_length;
387 	if ((CEIL4(xcrb->reply_control_blk_length) <=
388 	     xcrb->reply_data_length) ?
389 	    resp_sumlen < xcrb->reply_data_length :
390 	    resp_sumlen < CEIL4(xcrb->reply_control_blk_length)) {
391 		return -EINVAL;
392 	}
393 
394 	/* prepare type6 header */
395 	msg->hdr = static_type6_hdrX;
396 	memcpy(msg->hdr.agent_id, &xcrb->agent_ID, sizeof(xcrb->agent_ID));
397 	msg->hdr.tocardlen1 = xcrb->request_control_blk_length;
398 	if (xcrb->request_data_length) {
399 		msg->hdr.offset2 = msg->hdr.offset1 + rcblen;
400 		msg->hdr.tocardlen2 = xcrb->request_data_length;
401 	}
402 	msg->hdr.fromcardlen1 = xcrb->reply_control_blk_length;
403 	msg->hdr.fromcardlen2 = xcrb->reply_data_length;
404 
405 	/* prepare CPRB */
406 	if (z_copy_from_user(userspace, &msg->cprbx, xcrb->request_control_blk_addr,
407 			     xcrb->request_control_blk_length))
408 		return -EFAULT;
409 	if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) >
410 	    xcrb->request_control_blk_length)
411 		return -EINVAL;
412 	function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len;
413 	memcpy(msg->hdr.function_code, function_code,
414 	       sizeof(msg->hdr.function_code));
415 
416 	*fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1];
417 	*dom = (unsigned short *)&msg->cprbx.domain;
418 
419 	/* check subfunction, US and AU need special flag with NQAP */
420 	if (memcmp(function_code, "US", 2) == 0 ||
421 	    memcmp(function_code, "AU", 2) == 0)
422 		ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
423 
424 #ifdef CONFIG_ZCRYPT_DEBUG
425 	if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
426 		ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
427 #endif
428 
429 	/* check CPRB minor version, set info bits in ap_message flag field */
430 	switch (*(unsigned short *)(&msg->cprbx.func_id[0])) {
431 	case 0x5432: /* "T2" */
432 		ap_msg->flags |= AP_MSG_FLAG_USAGE;
433 		break;
434 	case 0x5433: /* "T3" */
435 	case 0x5435: /* "T5" */
436 	case 0x5436: /* "T6" */
437 	case 0x5437: /* "T7" */
438 		ap_msg->flags |= AP_MSG_FLAG_ADMIN;
439 		break;
440 	default:
441 		ZCRYPT_DBF_DBG("%s unknown CPRB minor version '%c%c'\n",
442 			       __func__, msg->cprbx.func_id[0],
443 			       msg->cprbx.func_id[1]);
444 	}
445 
446 	/* copy data block */
447 	if (xcrb->request_data_length &&
448 	    z_copy_from_user(userspace, req_data, xcrb->request_data_address,
449 			     xcrb->request_data_length))
450 		return -EFAULT;
451 
452 	return 0;
453 }
454 
xcrb_msg_to_type6_ep11cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ep11_urb * xcrb,unsigned int * fcode,unsigned int * domain)455 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg,
456 					   struct ep11_urb *xcrb,
457 					   unsigned int *fcode,
458 					   unsigned int *domain)
459 {
460 	unsigned int lfmt;
461 	static struct type6_hdr static_type6_ep11_hdr = {
462 		.type		=  0x06,
463 		.rqid		= {0x00, 0x01},
464 		.function_code	= {0x00, 0x00},
465 		.agent_id[0]	=  0x58,	/* {'X'} */
466 		.agent_id[1]	=  0x43,	/* {'C'} */
467 		.offset1	=  0x00000058,
468 	};
469 
470 	struct {
471 		struct type6_hdr hdr;
472 		struct ep11_cprb cprbx;
473 		unsigned char	pld_tag;	/* fixed value 0x30 */
474 		unsigned char	pld_lenfmt;	/* payload length format */
475 	} __packed * msg = ap_msg->msg;
476 
477 	struct pld_hdr {
478 		unsigned char	func_tag;	/* fixed value 0x4 */
479 		unsigned char	func_len;	/* fixed value 0x4 */
480 		unsigned int	func_val;	/* function ID	   */
481 		unsigned char	dom_tag;	/* fixed value 0x4 */
482 		unsigned char	dom_len;	/* fixed value 0x4 */
483 		unsigned int	dom_val;	/* domain id	   */
484 	} __packed * payload_hdr = NULL;
485 
486 	if (CEIL4(xcrb->req_len) < xcrb->req_len)
487 		return -EINVAL; /* overflow after alignment*/
488 
489 	/* length checks */
490 	ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcrb->req_len);
491 	if (ap_msg->len > ap_msg->bufsize)
492 		return -EINVAL;
493 
494 	if (CEIL4(xcrb->resp_len) < xcrb->resp_len)
495 		return -EINVAL; /* overflow after alignment*/
496 
497 	/* prepare type6 header */
498 	msg->hdr = static_type6_ep11_hdr;
499 	msg->hdr.tocardlen1   = xcrb->req_len;
500 	msg->hdr.fromcardlen1 = xcrb->resp_len;
501 
502 	/* Import CPRB data from the ioctl input parameter */
503 	if (z_copy_from_user(userspace, &msg->cprbx.cprb_len,
504 			     (char __force __user *)xcrb->req, xcrb->req_len)) {
505 		return -EFAULT;
506 	}
507 
508 	if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
509 		switch (msg->pld_lenfmt & 0x03) {
510 		case 1:
511 			lfmt = 2;
512 			break;
513 		case 2:
514 			lfmt = 3;
515 			break;
516 		default:
517 			return -EINVAL;
518 		}
519 	} else {
520 		lfmt = 1; /* length format #1 */
521 	}
522 	payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
523 	*fcode = payload_hdr->func_val & 0xFFFF;
524 
525 	/* enable special processing based on the cprbs flags special bit */
526 	if (msg->cprbx.flags & 0x20)
527 		ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
528 
529 #ifdef CONFIG_ZCRYPT_DEBUG
530 	if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
531 		ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
532 #endif
533 
534 	/* set info bits in ap_message flag field */
535 	if (msg->cprbx.flags & 0x80)
536 		ap_msg->flags |= AP_MSG_FLAG_ADMIN;
537 	else
538 		ap_msg->flags |= AP_MSG_FLAG_USAGE;
539 
540 	*domain = msg->cprbx.target_id;
541 
542 	return 0;
543 }
544 
545 /*
546  * Copy results from a type 86 ICA reply message back to user space.
547  *
548  * @zq: crypto device pointer
549  * @reply: reply AP message.
550  * @data: pointer to user output data
551  * @length: size of user output data
552  *
553  * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
554  */
555 struct type86x_reply {
556 	struct type86_hdr hdr;
557 	struct type86_fmt2_ext fmt2;
558 	struct CPRBX cprbx;
559 	unsigned char pad[4];	/* 4 byte function code/rules block ? */
560 	unsigned short length;
561 	char text[];
562 } __packed;
563 
564 struct type86_ep11_reply {
565 	struct type86_hdr hdr;
566 	struct type86_fmt2_ext fmt2;
567 	struct ep11_cprb cprbx;
568 } __packed;
569 
convert_type86_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)570 static int convert_type86_ica(struct zcrypt_queue *zq,
571 			      struct ap_message *reply,
572 			      char __user *outputdata,
573 			      unsigned int outputdatalength)
574 {
575 	static unsigned char static_pad[] = {
576 		0x00, 0x02,
577 		0x1B, 0x7B, 0x5D, 0xB5, 0x75, 0x01, 0x3D, 0xFD,
578 		0x8D, 0xD1, 0xC7, 0x03, 0x2D, 0x09, 0x23, 0x57,
579 		0x89, 0x49, 0xB9, 0x3F, 0xBB, 0x99, 0x41, 0x5B,
580 		0x75, 0x21, 0x7B, 0x9D, 0x3B, 0x6B, 0x51, 0x39,
581 		0xBB, 0x0D, 0x35, 0xB9, 0x89, 0x0F, 0x93, 0xA5,
582 		0x0B, 0x47, 0xF1, 0xD3, 0xBB, 0xCB, 0xF1, 0x9D,
583 		0x23, 0x73, 0x71, 0xFF, 0xF3, 0xF5, 0x45, 0xFB,
584 		0x61, 0x29, 0x23, 0xFD, 0xF1, 0x29, 0x3F, 0x7F,
585 		0x17, 0xB7, 0x1B, 0xA9, 0x19, 0xBD, 0x57, 0xA9,
586 		0xD7, 0x95, 0xA3, 0xCB, 0xED, 0x1D, 0xDB, 0x45,
587 		0x7D, 0x11, 0xD1, 0x51, 0x1B, 0xED, 0x71, 0xE9,
588 		0xB1, 0xD1, 0xAB, 0xAB, 0x21, 0x2B, 0x1B, 0x9F,
589 		0x3B, 0x9F, 0xF7, 0xF7, 0xBD, 0x63, 0xEB, 0xAD,
590 		0xDF, 0xB3, 0x6F, 0x5B, 0xDB, 0x8D, 0xA9, 0x5D,
591 		0xE3, 0x7D, 0x77, 0x49, 0x47, 0xF5, 0xA7, 0xFD,
592 		0xAB, 0x2F, 0x27, 0x35, 0x77, 0xD3, 0x49, 0xC9,
593 		0x09, 0xEB, 0xB1, 0xF9, 0xBF, 0x4B, 0xCB, 0x2B,
594 		0xEB, 0xEB, 0x05, 0xFF, 0x7D, 0xC7, 0x91, 0x8B,
595 		0x09, 0x83, 0xB9, 0xB9, 0x69, 0x33, 0x39, 0x6B,
596 		0x79, 0x75, 0x19, 0xBF, 0xBB, 0x07, 0x1D, 0xBD,
597 		0x29, 0xBF, 0x39, 0x95, 0x93, 0x1D, 0x35, 0xC7,
598 		0xC9, 0x4D, 0xE5, 0x97, 0x0B, 0x43, 0x9B, 0xF1,
599 		0x16, 0x93, 0x03, 0x1F, 0xA5, 0xFB, 0xDB, 0xF3,
600 		0x27, 0x4F, 0x27, 0x61, 0x05, 0x1F, 0xB9, 0x23,
601 		0x2F, 0xC3, 0x81, 0xA9, 0x23, 0x71, 0x55, 0x55,
602 		0xEB, 0xED, 0x41, 0xE5, 0xF3, 0x11, 0xF1, 0x43,
603 		0x69, 0x03, 0xBD, 0x0B, 0x37, 0x0F, 0x51, 0x8F,
604 		0x0B, 0xB5, 0x89, 0x5B, 0x67, 0xA9, 0xD9, 0x4F,
605 		0x01, 0xF9, 0x21, 0x77, 0x37, 0x73, 0x79, 0xC5,
606 		0x7F, 0x51, 0xC1, 0xCF, 0x97, 0xA1, 0x75, 0xAD,
607 		0x35, 0x9D, 0xD3, 0xD3, 0xA7, 0x9D, 0x5D, 0x41,
608 		0x6F, 0x65, 0x1B, 0xCF, 0xA9, 0x87, 0x91, 0x09
609 	};
610 	struct type86x_reply *msg = reply->msg;
611 	unsigned short service_rc, service_rs;
612 	unsigned int reply_len, pad_len;
613 	char *data;
614 
615 	service_rc = msg->cprbx.ccp_rtcode;
616 	if (unlikely(service_rc != 0)) {
617 		service_rs = msg->cprbx.ccp_rscode;
618 		if ((service_rc == 8 && service_rs == 66) ||
619 		    (service_rc == 8 && service_rs == 65) ||
620 		    (service_rc == 8 && service_rs == 72) ||
621 		    (service_rc == 8 && service_rs == 770) ||
622 		    (service_rc == 12 && service_rs == 769)) {
623 			ZCRYPT_DBF_WARN("%s dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n",
624 					__func__, AP_QID_CARD(zq->queue->qid),
625 					AP_QID_QUEUE(zq->queue->qid),
626 					(int)service_rc, (int)service_rs);
627 			return -EINVAL;
628 		}
629 		zq->online = 0;
630 		pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n",
631 		       AP_QID_CARD(zq->queue->qid),
632 		       AP_QID_QUEUE(zq->queue->qid),
633 		       (int)service_rc, (int)service_rs);
634 		ZCRYPT_DBF_ERR("%s dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n",
635 			       __func__, AP_QID_CARD(zq->queue->qid),
636 			       AP_QID_QUEUE(zq->queue->qid),
637 			       (int)service_rc, (int)service_rs);
638 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
639 		return -EAGAIN;
640 	}
641 	data = msg->text;
642 	reply_len = msg->length - 2;
643 	if (reply_len > outputdatalength)
644 		return -EINVAL;
645 	/*
646 	 * For all encipher requests, the length of the ciphertext (reply_len)
647 	 * will always equal the modulus length. For MEX decipher requests
648 	 * the output needs to get padded. Minimum pad size is 10.
649 	 *
650 	 * Currently, the cases where padding will be added is for:
651 	 * - PCIXCC_MCL2 using a CRT form token (since PKD didn't support
652 	 *   ZERO-PAD and CRT is only supported for PKD requests)
653 	 * - PCICC, always
654 	 */
655 	pad_len = outputdatalength - reply_len;
656 	if (pad_len > 0) {
657 		if (pad_len < 10)
658 			return -EINVAL;
659 		/* 'restore' padding left in the CEXXC card. */
660 		if (copy_to_user(outputdata, static_pad, pad_len - 1))
661 			return -EFAULT;
662 		if (put_user(0, outputdata + pad_len - 1))
663 			return -EFAULT;
664 	}
665 	/* Copy the crypto response to user space. */
666 	if (copy_to_user(outputdata + pad_len, data, reply_len))
667 		return -EFAULT;
668 	return 0;
669 }
670 
671 /*
672  * Copy results from a type 86 XCRB reply message back to user space.
673  *
674  * @zq: crypto device pointer
675  * @reply: reply AP message.
676  * @xcrb: pointer to XCRB
677  *
678  * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
679  */
convert_type86_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)680 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq,
681 			       struct ap_message *reply,
682 			       struct ica_xcRB *xcrb)
683 {
684 	struct type86_fmt2_msg *msg = reply->msg;
685 	char *data = reply->msg;
686 
687 	/* Copy CPRB to user */
688 	if (xcrb->reply_control_blk_length < msg->fmt2.count1) {
689 		ZCRYPT_DBF_DBG("%s reply_control_blk_length %u < required %u => EMSGSIZE\n",
690 			       __func__, xcrb->reply_control_blk_length,
691 			       msg->fmt2.count1);
692 		return -EMSGSIZE;
693 	}
694 	if (z_copy_to_user(userspace, xcrb->reply_control_blk_addr,
695 			   data + msg->fmt2.offset1, msg->fmt2.count1))
696 		return -EFAULT;
697 	xcrb->reply_control_blk_length = msg->fmt2.count1;
698 
699 	/* Copy data buffer to user */
700 	if (msg->fmt2.count2) {
701 		if (xcrb->reply_data_length < msg->fmt2.count2) {
702 			ZCRYPT_DBF_DBG("%s reply_data_length %u < required %u => EMSGSIZE\n",
703 				       __func__, xcrb->reply_data_length,
704 				       msg->fmt2.count2);
705 			return -EMSGSIZE;
706 		}
707 		if (z_copy_to_user(userspace, xcrb->reply_data_addr,
708 				   data + msg->fmt2.offset2, msg->fmt2.count2))
709 			return -EFAULT;
710 	}
711 	xcrb->reply_data_length = msg->fmt2.count2;
712 
713 	return 0;
714 }
715 
716 /*
717  * Copy results from a type 86 EP11 XCRB reply message back to user space.
718  *
719  * @zq: crypto device pointer
720  * @reply: reply AP message.
721  * @xcrb: pointer to EP11 user request block
722  *
723  * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
724  */
convert_type86_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)725 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
726 				    struct ap_message *reply,
727 				    struct ep11_urb *xcrb)
728 {
729 	struct type86_fmt2_msg *msg = reply->msg;
730 	char *data = reply->msg;
731 
732 	if (xcrb->resp_len < msg->fmt2.count1) {
733 		ZCRYPT_DBF_DBG("%s resp_len %u < required %u => EMSGSIZE\n",
734 			       __func__, (unsigned int)xcrb->resp_len,
735 			       msg->fmt2.count1);
736 		return -EMSGSIZE;
737 	}
738 
739 	/* Copy response CPRB to user */
740 	if (z_copy_to_user(userspace, (char __force __user *)xcrb->resp,
741 			   data + msg->fmt2.offset1, msg->fmt2.count1))
742 		return -EFAULT;
743 	xcrb->resp_len = msg->fmt2.count1;
744 	return 0;
745 }
746 
convert_type86_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * buffer)747 static int convert_type86_rng(struct zcrypt_queue *zq,
748 			      struct ap_message *reply,
749 			      char *buffer)
750 {
751 	struct {
752 		struct type86_hdr hdr;
753 		struct type86_fmt2_ext fmt2;
754 		struct CPRBX cprbx;
755 	} __packed * msg = reply->msg;
756 	char *data = reply->msg;
757 
758 	if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0)
759 		return -EINVAL;
760 	memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2);
761 	return msg->fmt2.count2;
762 }
763 
convert_response_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)764 static int convert_response_ica(struct zcrypt_queue *zq,
765 				struct ap_message *reply,
766 				char __user *outputdata,
767 				unsigned int outputdatalength)
768 {
769 	struct type86x_reply *msg = reply->msg;
770 
771 	switch (msg->hdr.type) {
772 	case TYPE82_RSP_CODE:
773 	case TYPE88_RSP_CODE:
774 		return convert_error(zq, reply);
775 	case TYPE86_RSP_CODE:
776 		if (msg->cprbx.ccp_rtcode &&
777 		    msg->cprbx.ccp_rscode == 0x14f &&
778 		    outputdatalength > 256) {
779 			if (zq->zcard->max_exp_bit_length <= 17) {
780 				zq->zcard->max_exp_bit_length = 17;
781 				return -EAGAIN;
782 			} else {
783 				return -EINVAL;
784 			}
785 		}
786 		if (msg->hdr.reply_code)
787 			return convert_error(zq, reply);
788 		if (msg->cprbx.cprb_ver_id == 0x02)
789 			return convert_type86_ica(zq, reply,
790 						  outputdata, outputdatalength);
791 		fallthrough;	/* wrong cprb version is an unknown response */
792 	default:
793 		/* Unknown response type, this should NEVER EVER happen */
794 		zq->online = 0;
795 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
796 		       AP_QID_CARD(zq->queue->qid),
797 		       AP_QID_QUEUE(zq->queue->qid),
798 		       (int)msg->hdr.type);
799 		ZCRYPT_DBF_ERR(
800 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
801 			__func__, AP_QID_CARD(zq->queue->qid),
802 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
803 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
804 		return -EAGAIN;
805 	}
806 }
807 
convert_response_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)808 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq,
809 				 struct ap_message *reply,
810 				 struct ica_xcRB *xcrb)
811 {
812 	struct type86x_reply *msg = reply->msg;
813 
814 	switch (msg->hdr.type) {
815 	case TYPE82_RSP_CODE:
816 	case TYPE88_RSP_CODE:
817 		xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
818 		return convert_error(zq, reply);
819 	case TYPE86_RSP_CODE:
820 		if (msg->hdr.reply_code) {
821 			memcpy(&xcrb->status, msg->fmt2.apfs, sizeof(u32));
822 			return convert_error(zq, reply);
823 		}
824 		if (msg->cprbx.cprb_ver_id == 0x02)
825 			return convert_type86_xcrb(userspace, zq, reply, xcrb);
826 		fallthrough;	/* wrong cprb version is an unknown response */
827 	default: /* Unknown response type, this should NEVER EVER happen */
828 		xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
829 		zq->online = 0;
830 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
831 		       AP_QID_CARD(zq->queue->qid),
832 		       AP_QID_QUEUE(zq->queue->qid),
833 		       (int)msg->hdr.type);
834 		ZCRYPT_DBF_ERR(
835 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
836 			__func__, AP_QID_CARD(zq->queue->qid),
837 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
838 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
839 		return -EAGAIN;
840 	}
841 }
842 
convert_response_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)843 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
844 				      struct ap_message *reply, struct ep11_urb *xcrb)
845 {
846 	struct type86_ep11_reply *msg = reply->msg;
847 
848 	switch (msg->hdr.type) {
849 	case TYPE82_RSP_CODE:
850 	case TYPE87_RSP_CODE:
851 		return convert_error(zq, reply);
852 	case TYPE86_RSP_CODE:
853 		if (msg->hdr.reply_code)
854 			return convert_error(zq, reply);
855 		if (msg->cprbx.cprb_ver_id == 0x04)
856 			return convert_type86_ep11_xcrb(userspace, zq, reply, xcrb);
857 		fallthrough;	/* wrong cprb version is an unknown resp */
858 	default: /* Unknown response type, this should NEVER EVER happen */
859 		zq->online = 0;
860 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
861 		       AP_QID_CARD(zq->queue->qid),
862 		       AP_QID_QUEUE(zq->queue->qid),
863 		       (int)msg->hdr.type);
864 		ZCRYPT_DBF_ERR(
865 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
866 			__func__, AP_QID_CARD(zq->queue->qid),
867 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
868 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
869 		return -EAGAIN;
870 	}
871 }
872 
convert_response_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * data)873 static int convert_response_rng(struct zcrypt_queue *zq,
874 				struct ap_message *reply,
875 				char *data)
876 {
877 	struct type86x_reply *msg = reply->msg;
878 
879 	switch (msg->hdr.type) {
880 	case TYPE82_RSP_CODE:
881 	case TYPE88_RSP_CODE:
882 		return -EINVAL;
883 	case TYPE86_RSP_CODE:
884 		if (msg->hdr.reply_code)
885 			return -EINVAL;
886 		if (msg->cprbx.cprb_ver_id == 0x02)
887 			return convert_type86_rng(zq, reply, data);
888 		fallthrough;	/* wrong cprb version is an unknown response */
889 	default: /* Unknown response type, this should NEVER EVER happen */
890 		zq->online = 0;
891 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
892 		       AP_QID_CARD(zq->queue->qid),
893 		       AP_QID_QUEUE(zq->queue->qid),
894 		       (int)msg->hdr.type);
895 		ZCRYPT_DBF_ERR(
896 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
897 			__func__, AP_QID_CARD(zq->queue->qid),
898 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
899 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
900 		return -EAGAIN;
901 	}
902 }
903 
904 /*
905  * This function is called from the AP bus code after a crypto request
906  * "msg" has finished with the reply message "reply".
907  * It is called from tasklet context.
908  * @aq: pointer to the AP queue
909  * @msg: pointer to the AP message
910  * @reply: pointer to the AP reply message
911  */
zcrypt_msgtype6_receive(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)912 static void zcrypt_msgtype6_receive(struct ap_queue *aq,
913 				    struct ap_message *msg,
914 				    struct ap_message *reply)
915 {
916 	static struct error_hdr error_reply = {
917 		.type = TYPE82_RSP_CODE,
918 		.reply_code = REP82_ERROR_MACHINE_FAILURE,
919 	};
920 	struct response_type *resp_type =
921 		(struct response_type *)msg->private;
922 	struct type86x_reply *t86r;
923 	int len;
924 
925 	/* Copy the reply message to the request message buffer. */
926 	if (!reply)
927 		goto out;	/* ap_msg->rc indicates the error */
928 	t86r = reply->msg;
929 	if (t86r->hdr.type == TYPE86_RSP_CODE &&
930 	    t86r->cprbx.cprb_ver_id == 0x02) {
931 		switch (resp_type->type) {
932 		case CEXXC_RESPONSE_TYPE_ICA:
933 			len = sizeof(struct type86x_reply) + t86r->length - 2;
934 			if (len > reply->bufsize || len > msg->bufsize) {
935 				msg->rc = -EMSGSIZE;
936 			} else {
937 				memcpy(msg->msg, reply->msg, len);
938 				msg->len = len;
939 			}
940 			break;
941 		case CEXXC_RESPONSE_TYPE_XCRB:
942 			len = t86r->fmt2.offset2 + t86r->fmt2.count2;
943 			if (len > reply->bufsize || len > msg->bufsize) {
944 				msg->rc = -EMSGSIZE;
945 			} else {
946 				memcpy(msg->msg, reply->msg, len);
947 				msg->len = len;
948 			}
949 			break;
950 		default:
951 			memcpy(msg->msg, &error_reply, sizeof(error_reply));
952 		}
953 	} else {
954 		memcpy(msg->msg, reply->msg, sizeof(error_reply));
955 	}
956 out:
957 	complete(&resp_type->work);
958 }
959 
960 /*
961  * This function is called from the AP bus code after a crypto request
962  * "msg" has finished with the reply message "reply".
963  * It is called from tasklet context.
964  * @aq: pointer to the AP queue
965  * @msg: pointer to the AP message
966  * @reply: pointer to the AP reply message
967  */
zcrypt_msgtype6_receive_ep11(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)968 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
969 					 struct ap_message *msg,
970 					 struct ap_message *reply)
971 {
972 	static struct error_hdr error_reply = {
973 		.type = TYPE82_RSP_CODE,
974 		.reply_code = REP82_ERROR_MACHINE_FAILURE,
975 	};
976 	struct response_type *resp_type =
977 		(struct response_type *)msg->private;
978 	struct type86_ep11_reply *t86r;
979 	int len;
980 
981 	/* Copy the reply message to the request message buffer. */
982 	if (!reply)
983 		goto out;	/* ap_msg->rc indicates the error */
984 	t86r = reply->msg;
985 	if (t86r->hdr.type == TYPE86_RSP_CODE &&
986 	    t86r->cprbx.cprb_ver_id == 0x04) {
987 		switch (resp_type->type) {
988 		case CEXXC_RESPONSE_TYPE_EP11:
989 			len = t86r->fmt2.offset1 + t86r->fmt2.count1;
990 			if (len > reply->bufsize || len > msg->bufsize) {
991 				msg->rc = -EMSGSIZE;
992 			} else {
993 				memcpy(msg->msg, reply->msg, len);
994 				msg->len = len;
995 			}
996 			break;
997 		default:
998 			memcpy(msg->msg, &error_reply, sizeof(error_reply));
999 		}
1000 	} else {
1001 		memcpy(msg->msg, reply->msg, sizeof(error_reply));
1002 	}
1003 out:
1004 	complete(&resp_type->work);
1005 }
1006 
1007 static atomic_t zcrypt_step = ATOMIC_INIT(0);
1008 
1009 /*
1010  * The request distributor calls this function if it picked the CEXxC
1011  * device to handle a modexpo request.
1012  * @zq: pointer to zcrypt_queue structure that identifies the
1013  *	CEXxC device to the request distributor
1014  * @mex: pointer to the modexpo request buffer
1015  */
zcrypt_msgtype6_modexpo(struct zcrypt_queue * zq,struct ica_rsa_modexpo * mex,struct ap_message * ap_msg)1016 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq,
1017 				    struct ica_rsa_modexpo *mex,
1018 				    struct ap_message *ap_msg)
1019 {
1020 	struct response_type resp_type = {
1021 		.type = CEXXC_RESPONSE_TYPE_ICA,
1022 	};
1023 	int rc;
1024 
1025 	ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1026 	if (!ap_msg->msg)
1027 		return -ENOMEM;
1028 	ap_msg->bufsize = PAGE_SIZE;
1029 	ap_msg->receive = zcrypt_msgtype6_receive;
1030 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1031 		atomic_inc_return(&zcrypt_step);
1032 	ap_msg->private = &resp_type;
1033 	rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
1034 	if (rc)
1035 		goto out_free;
1036 	init_completion(&resp_type.work);
1037 	rc = ap_queue_message(zq->queue, ap_msg);
1038 	if (rc)
1039 		goto out_free;
1040 	rc = wait_for_completion_interruptible(&resp_type.work);
1041 	if (rc == 0) {
1042 		rc = ap_msg->rc;
1043 		if (rc == 0)
1044 			rc = convert_response_ica(zq, ap_msg,
1045 						  mex->outputdata,
1046 						  mex->outputdatalength);
1047 	} else {
1048 		/* Signal pending. */
1049 		ap_cancel_message(zq->queue, ap_msg);
1050 	}
1051 
1052 out_free:
1053 	free_page((unsigned long)ap_msg->msg);
1054 	ap_msg->private = NULL;
1055 	ap_msg->msg = NULL;
1056 	return rc;
1057 }
1058 
1059 /*
1060  * The request distributor calls this function if it picked the CEXxC
1061  * device to handle a modexpo_crt request.
1062  * @zq: pointer to zcrypt_queue structure that identifies the
1063  *	CEXxC device to the request distributor
1064  * @crt: pointer to the modexpoc_crt request buffer
1065  */
zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue * zq,struct ica_rsa_modexpo_crt * crt,struct ap_message * ap_msg)1066 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq,
1067 					struct ica_rsa_modexpo_crt *crt,
1068 					struct ap_message *ap_msg)
1069 {
1070 	struct response_type resp_type = {
1071 		.type = CEXXC_RESPONSE_TYPE_ICA,
1072 	};
1073 	int rc;
1074 
1075 	ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1076 	if (!ap_msg->msg)
1077 		return -ENOMEM;
1078 	ap_msg->bufsize = PAGE_SIZE;
1079 	ap_msg->receive = zcrypt_msgtype6_receive;
1080 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1081 		atomic_inc_return(&zcrypt_step);
1082 	ap_msg->private = &resp_type;
1083 	rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
1084 	if (rc)
1085 		goto out_free;
1086 	init_completion(&resp_type.work);
1087 	rc = ap_queue_message(zq->queue, ap_msg);
1088 	if (rc)
1089 		goto out_free;
1090 	rc = wait_for_completion_interruptible(&resp_type.work);
1091 	if (rc == 0) {
1092 		rc = ap_msg->rc;
1093 		if (rc == 0)
1094 			rc = convert_response_ica(zq, ap_msg,
1095 						  crt->outputdata,
1096 						  crt->outputdatalength);
1097 	} else {
1098 		/* Signal pending. */
1099 		ap_cancel_message(zq->queue, ap_msg);
1100 	}
1101 
1102 out_free:
1103 	free_page((unsigned long)ap_msg->msg);
1104 	ap_msg->private = NULL;
1105 	ap_msg->msg = NULL;
1106 	return rc;
1107 }
1108 
1109 /*
1110  * Prepare a CCA AP msg request.
1111  * Prepare a CCA AP msg: fetch the required data from userspace,
1112  * prepare the AP msg, fill some info into the ap_message struct,
1113  * extract some data from the CPRB and give back to the caller.
1114  * This function allocates memory and needs an ap_msg prepared
1115  * by the caller with ap_init_message(). Also the caller has to
1116  * make sure ap_release_message() is always called even on failure.
1117  */
prep_cca_ap_msg(bool userspace,struct ica_xcRB * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned short ** dom)1118 int prep_cca_ap_msg(bool userspace, struct ica_xcRB *xcrb,
1119 		    struct ap_message *ap_msg,
1120 		    unsigned int *func_code, unsigned short **dom)
1121 {
1122 	struct response_type resp_type = {
1123 		.type = CEXXC_RESPONSE_TYPE_XCRB,
1124 	};
1125 
1126 	ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1127 	ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1128 	if (!ap_msg->msg)
1129 		return -ENOMEM;
1130 	ap_msg->receive = zcrypt_msgtype6_receive;
1131 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1132 				atomic_inc_return(&zcrypt_step);
1133 	ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1134 	if (!ap_msg->private)
1135 		return -ENOMEM;
1136 	return xcrb_msg_to_type6cprb_msgx(userspace, ap_msg, xcrb, func_code, dom);
1137 }
1138 
1139 /*
1140  * The request distributor calls this function if it picked the CEXxC
1141  * device to handle a send_cprb request.
1142  * @zq: pointer to zcrypt_queue structure that identifies the
1143  *	CEXxC device to the request distributor
1144  * @xcrb: pointer to the send_cprb request buffer
1145  */
zcrypt_msgtype6_send_cprb(bool userspace,struct zcrypt_queue * zq,struct ica_xcRB * xcrb,struct ap_message * ap_msg)1146 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
1147 				      struct ica_xcRB *xcrb,
1148 				      struct ap_message *ap_msg)
1149 {
1150 	int rc;
1151 	struct response_type *rtype = (struct response_type *)(ap_msg->private);
1152 	struct {
1153 		struct type6_hdr hdr;
1154 		struct CPRBX cprbx;
1155 		/* ... more data blocks ... */
1156 	} __packed * msg = ap_msg->msg;
1157 
1158 	/*
1159 	 * Set the queue's reply buffer length minus 128 byte padding
1160 	 * as reply limit for the card firmware.
1161 	 */
1162 	msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1,
1163 				      zq->reply.bufsize - 128);
1164 	if (msg->hdr.fromcardlen2)
1165 		msg->hdr.fromcardlen2 =
1166 			zq->reply.bufsize - msg->hdr.fromcardlen1 - 128;
1167 
1168 	init_completion(&rtype->work);
1169 	rc = ap_queue_message(zq->queue, ap_msg);
1170 	if (rc)
1171 		goto out;
1172 	rc = wait_for_completion_interruptible(&rtype->work);
1173 	if (rc == 0) {
1174 		rc = ap_msg->rc;
1175 		if (rc == 0)
1176 			rc = convert_response_xcrb(userspace, zq, ap_msg, xcrb);
1177 	} else {
1178 		/* Signal pending. */
1179 		ap_cancel_message(zq->queue, ap_msg);
1180 	}
1181 
1182 out:
1183 	if (rc)
1184 		ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n",
1185 			       __func__, AP_QID_CARD(zq->queue->qid),
1186 			       AP_QID_QUEUE(zq->queue->qid), rc);
1187 	return rc;
1188 }
1189 
1190 /*
1191  * Prepare an EP11 AP msg request.
1192  * Prepare an EP11 AP msg: fetch the required data from userspace,
1193  * prepare the AP msg, fill some info into the ap_message struct,
1194  * extract some data from the CPRB and give back to the caller.
1195  * This function allocates memory and needs an ap_msg prepared
1196  * by the caller with ap_init_message(). Also the caller has to
1197  * make sure ap_release_message() is always called even on failure.
1198  */
prep_ep11_ap_msg(bool userspace,struct ep11_urb * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned int * domain)1199 int prep_ep11_ap_msg(bool userspace, struct ep11_urb *xcrb,
1200 		     struct ap_message *ap_msg,
1201 		     unsigned int *func_code, unsigned int *domain)
1202 {
1203 	struct response_type resp_type = {
1204 		.type = CEXXC_RESPONSE_TYPE_EP11,
1205 	};
1206 
1207 	ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1208 	ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1209 	if (!ap_msg->msg)
1210 		return -ENOMEM;
1211 	ap_msg->receive = zcrypt_msgtype6_receive_ep11;
1212 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1213 				atomic_inc_return(&zcrypt_step);
1214 	ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1215 	if (!ap_msg->private)
1216 		return -ENOMEM;
1217 	return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb,
1218 					       func_code, domain);
1219 }
1220 
1221 /*
1222  * The request distributor calls this function if it picked the CEX4P
1223  * device to handle a send_ep11_cprb request.
1224  * @zq: pointer to zcrypt_queue structure that identifies the
1225  *	  CEX4P device to the request distributor
1226  * @xcrb: pointer to the ep11 user request block
1227  */
zcrypt_msgtype6_send_ep11_cprb(bool userspace,struct zcrypt_queue * zq,struct ep11_urb * xcrb,struct ap_message * ap_msg)1228 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq,
1229 					   struct ep11_urb *xcrb,
1230 					   struct ap_message *ap_msg)
1231 {
1232 	int rc;
1233 	unsigned int lfmt;
1234 	struct response_type *rtype = (struct response_type *)(ap_msg->private);
1235 	struct {
1236 		struct type6_hdr hdr;
1237 		struct ep11_cprb cprbx;
1238 		unsigned char	pld_tag;	/* fixed value 0x30 */
1239 		unsigned char	pld_lenfmt;	/* payload length format */
1240 	} __packed * msg = ap_msg->msg;
1241 	struct pld_hdr {
1242 		unsigned char	func_tag;	/* fixed value 0x4 */
1243 		unsigned char	func_len;	/* fixed value 0x4 */
1244 		unsigned int	func_val;	/* function ID	   */
1245 		unsigned char	dom_tag;	/* fixed value 0x4 */
1246 		unsigned char	dom_len;	/* fixed value 0x4 */
1247 		unsigned int	dom_val;	/* domain id	   */
1248 	} __packed * payload_hdr = NULL;
1249 
1250 	/*
1251 	 * The target domain field within the cprb body/payload block will be
1252 	 * replaced by the usage domain for non-management commands only.
1253 	 * Therefore we check the first bit of the 'flags' parameter for
1254 	 * management command indication.
1255 	 *   0 - non management command
1256 	 *   1 - management command
1257 	 */
1258 	if (!((msg->cprbx.flags & 0x80) == 0x80)) {
1259 		msg->cprbx.target_id = (unsigned int)
1260 					AP_QID_QUEUE(zq->queue->qid);
1261 
1262 		if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
1263 			switch (msg->pld_lenfmt & 0x03) {
1264 			case 1:
1265 				lfmt = 2;
1266 				break;
1267 			case 2:
1268 				lfmt = 3;
1269 				break;
1270 			default:
1271 				return -EINVAL;
1272 			}
1273 		} else {
1274 			lfmt = 1; /* length format #1 */
1275 		}
1276 		payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
1277 		payload_hdr->dom_val = (unsigned int)
1278 					AP_QID_QUEUE(zq->queue->qid);
1279 	}
1280 
1281 	/*
1282 	 * Set the queue's reply buffer length minus the two prepend headers
1283 	 * as reply limit for the card firmware.
1284 	 */
1285 	msg->hdr.fromcardlen1 = zq->reply.bufsize -
1286 		sizeof(struct type86_hdr) - sizeof(struct type86_fmt2_ext);
1287 
1288 	init_completion(&rtype->work);
1289 	rc = ap_queue_message(zq->queue, ap_msg);
1290 	if (rc)
1291 		goto out;
1292 	rc = wait_for_completion_interruptible(&rtype->work);
1293 	if (rc == 0) {
1294 		rc = ap_msg->rc;
1295 		if (rc == 0)
1296 			rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb);
1297 	} else {
1298 		/* Signal pending. */
1299 		ap_cancel_message(zq->queue, ap_msg);
1300 	}
1301 
1302 out:
1303 	if (rc)
1304 		ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n",
1305 			       __func__, AP_QID_CARD(zq->queue->qid),
1306 			       AP_QID_QUEUE(zq->queue->qid), rc);
1307 	return rc;
1308 }
1309 
prep_rng_ap_msg(struct ap_message * ap_msg,int * func_code,unsigned int * domain)1310 int prep_rng_ap_msg(struct ap_message *ap_msg, int *func_code,
1311 		    unsigned int *domain)
1312 {
1313 	struct response_type resp_type = {
1314 		.type = CEXXC_RESPONSE_TYPE_XCRB,
1315 	};
1316 
1317 	ap_msg->bufsize = AP_DEFAULT_MAX_MSG_SIZE;
1318 	ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1319 	if (!ap_msg->msg)
1320 		return -ENOMEM;
1321 	ap_msg->receive = zcrypt_msgtype6_receive;
1322 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1323 				atomic_inc_return(&zcrypt_step);
1324 	ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1325 	if (!ap_msg->private)
1326 		return -ENOMEM;
1327 
1328 	rng_type6cprb_msgx(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain);
1329 
1330 	*func_code = HWRNG;
1331 	return 0;
1332 }
1333 
1334 /*
1335  * The request distributor calls this function if it picked the CEXxC
1336  * device to generate random data.
1337  * @zq: pointer to zcrypt_queue structure that identifies the
1338  *	CEXxC device to the request distributor
1339  * @buffer: pointer to a memory page to return random data
1340  */
zcrypt_msgtype6_rng(struct zcrypt_queue * zq,char * buffer,struct ap_message * ap_msg)1341 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
1342 				char *buffer, struct ap_message *ap_msg)
1343 {
1344 	struct {
1345 		struct type6_hdr hdr;
1346 		struct CPRBX cprbx;
1347 		char function_code[2];
1348 		short int rule_length;
1349 		char rule[8];
1350 		short int verb_length;
1351 		short int key_length;
1352 	} __packed * msg = ap_msg->msg;
1353 	struct response_type *rtype = (struct response_type *)(ap_msg->private);
1354 	int rc;
1355 
1356 	msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1357 
1358 	init_completion(&rtype->work);
1359 	rc = ap_queue_message(zq->queue, ap_msg);
1360 	if (rc)
1361 		goto out;
1362 	rc = wait_for_completion_interruptible(&rtype->work);
1363 	if (rc == 0) {
1364 		rc = ap_msg->rc;
1365 		if (rc == 0)
1366 			rc = convert_response_rng(zq, ap_msg, buffer);
1367 	} else {
1368 		/* Signal pending. */
1369 		ap_cancel_message(zq->queue, ap_msg);
1370 	}
1371 out:
1372 	return rc;
1373 }
1374 
1375 /*
1376  * The crypto operations for a CEXxC card.
1377  */
1378 static struct zcrypt_ops zcrypt_msgtype6_norng_ops = {
1379 	.owner = THIS_MODULE,
1380 	.name = MSGTYPE06_NAME,
1381 	.variant = MSGTYPE06_VARIANT_NORNG,
1382 	.rsa_modexpo = zcrypt_msgtype6_modexpo,
1383 	.rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1384 	.send_cprb = zcrypt_msgtype6_send_cprb,
1385 };
1386 
1387 static struct zcrypt_ops zcrypt_msgtype6_ops = {
1388 	.owner = THIS_MODULE,
1389 	.name = MSGTYPE06_NAME,
1390 	.variant = MSGTYPE06_VARIANT_DEFAULT,
1391 	.rsa_modexpo = zcrypt_msgtype6_modexpo,
1392 	.rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1393 	.send_cprb = zcrypt_msgtype6_send_cprb,
1394 	.rng = zcrypt_msgtype6_rng,
1395 };
1396 
1397 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = {
1398 	.owner = THIS_MODULE,
1399 	.name = MSGTYPE06_NAME,
1400 	.variant = MSGTYPE06_VARIANT_EP11,
1401 	.rsa_modexpo = NULL,
1402 	.rsa_modexpo_crt = NULL,
1403 	.send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb,
1404 };
1405 
zcrypt_msgtype6_init(void)1406 void __init zcrypt_msgtype6_init(void)
1407 {
1408 	zcrypt_msgtype_register(&zcrypt_msgtype6_norng_ops);
1409 	zcrypt_msgtype_register(&zcrypt_msgtype6_ops);
1410 	zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops);
1411 }
1412 
zcrypt_msgtype6_exit(void)1413 void __exit zcrypt_msgtype6_exit(void)
1414 {
1415 	zcrypt_msgtype_unregister(&zcrypt_msgtype6_norng_ops);
1416 	zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops);
1417 	zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops);
1418 }
1419