1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  *  Copyright IBM Corp. 2001, 2022
4  *  Author(s): Robert Burroughs
5  *	       Eric Rossman (edrossma@us.ibm.com)
6  *
7  *  Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com)
8  *  Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com>
9  *				  Ralph Wuerthner <rwuerthn@de.ibm.com>
10  *  MSGTYPE restruct:		  Holger Dengler <hd@linux.vnet.ibm.com>
11  */
12 
13 #define KMSG_COMPONENT "zcrypt"
14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
15 
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/err.h>
19 #include <linux/delay.h>
20 #include <linux/slab.h>
21 #include <linux/atomic.h>
22 #include <linux/uaccess.h>
23 
24 #include "ap_bus.h"
25 #include "zcrypt_api.h"
26 #include "zcrypt_error.h"
27 #include "zcrypt_msgtype6.h"
28 #include "zcrypt_cca_key.h"
29 
30 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply	    */
31 
32 #define CEIL4(x) ((((x) + 3) / 4) * 4)
33 
34 struct response_type {
35 	struct completion work;
36 	int type;
37 };
38 
39 #define CEXXC_RESPONSE_TYPE_ICA  0
40 #define CEXXC_RESPONSE_TYPE_XCRB 1
41 #define CEXXC_RESPONSE_TYPE_EP11 2
42 
43 MODULE_AUTHOR("IBM Corporation");
44 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \
45 		   "Copyright IBM Corp. 2001, 2012");
46 MODULE_LICENSE("GPL");
47 
48 struct function_and_rules_block {
49 	unsigned char function_code[2];
50 	unsigned short ulen;
51 	unsigned char only_rule[8];
52 } __packed;
53 
54 /*
55  * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP
56  * card in a type6 message. The 3 fields that must be filled in at execution
57  * time are  req_parml, rpl_parml and usage_domain.
58  * Everything about this interface is ascii/big-endian, since the
59  * device does *not* have 'Intel inside'.
60  *
61  * The CPRBX is followed immediately by the parm block.
62  * The parm block contains:
63  * - function code ('PD' 0x5044 or 'PK' 0x504B)
64  * - rule block (one of:)
65  *   + 0x000A 'PKCS-1.2' (MCL2 'PD')
66  *   + 0x000A 'ZERO-PAD' (MCL2 'PK')
67  *   + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD')
68  *   + 0x000A 'MRP     ' (MCL3 'PK' or CEX2C 'PK')
69  * - VUD block
70  */
71 static const struct CPRBX static_cprbx = {
72 	.cprb_len	=  0x00DC,
73 	.cprb_ver_id	=  0x02,
74 	.func_id	= {0x54, 0x32},
75 };
76 
speed_idx_cca(int req_type)77 int speed_idx_cca(int req_type)
78 {
79 	switch (req_type) {
80 	case 0x4142:
81 	case 0x4149:
82 	case 0x414D:
83 	case 0x4341:
84 	case 0x4344:
85 	case 0x4354:
86 	case 0x4358:
87 	case 0x444B:
88 	case 0x4558:
89 	case 0x4643:
90 	case 0x4651:
91 	case 0x4C47:
92 	case 0x4C4B:
93 	case 0x4C51:
94 	case 0x4F48:
95 	case 0x504F:
96 	case 0x5053:
97 	case 0x5058:
98 	case 0x5343:
99 	case 0x5344:
100 	case 0x5345:
101 	case 0x5350:
102 		return LOW;
103 	case 0x414B:
104 	case 0x4345:
105 	case 0x4349:
106 	case 0x434D:
107 	case 0x4847:
108 	case 0x4849:
109 	case 0x484D:
110 	case 0x4850:
111 	case 0x4851:
112 	case 0x4954:
113 	case 0x4958:
114 	case 0x4B43:
115 	case 0x4B44:
116 	case 0x4B45:
117 	case 0x4B47:
118 	case 0x4B48:
119 	case 0x4B49:
120 	case 0x4B4E:
121 	case 0x4B50:
122 	case 0x4B52:
123 	case 0x4B54:
124 	case 0x4B58:
125 	case 0x4D50:
126 	case 0x4D53:
127 	case 0x4D56:
128 	case 0x4D58:
129 	case 0x5044:
130 	case 0x5045:
131 	case 0x5046:
132 	case 0x5047:
133 	case 0x5049:
134 	case 0x504B:
135 	case 0x504D:
136 	case 0x5254:
137 	case 0x5347:
138 	case 0x5349:
139 	case 0x534B:
140 	case 0x534D:
141 	case 0x5356:
142 	case 0x5358:
143 	case 0x5443:
144 	case 0x544B:
145 	case 0x5647:
146 		return HIGH;
147 	default:
148 		return MEDIUM;
149 	}
150 }
151 
speed_idx_ep11(int req_type)152 int speed_idx_ep11(int req_type)
153 {
154 	switch (req_type) {
155 	case  1:
156 	case  2:
157 	case 36:
158 	case 37:
159 	case 38:
160 	case 39:
161 	case 40:
162 		return LOW;
163 	case 17:
164 	case 18:
165 	case 19:
166 	case 20:
167 	case 21:
168 	case 22:
169 	case 26:
170 	case 30:
171 	case 31:
172 	case 32:
173 	case 33:
174 	case 34:
175 	case 35:
176 		return HIGH;
177 	default:
178 		return MEDIUM;
179 	}
180 }
181 
182 /*
183  * Convert a ICAMEX message to a type6 MEX message.
184  *
185  * @zq: crypto device pointer
186  * @ap_msg: pointer to AP message
187  * @mex: pointer to user input data
188  *
189  * Returns 0 on success or negative errno value.
190  */
icamex_msg_to_type6mex_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo * mex)191 static int icamex_msg_to_type6mex_msgx(struct zcrypt_queue *zq,
192 				       struct ap_message *ap_msg,
193 				       struct ica_rsa_modexpo *mex)
194 {
195 	static struct type6_hdr static_type6_hdrX = {
196 		.type		=  0x06,
197 		.offset1	=  0x00000058,
198 		.agent_id	= {'C', 'A',},
199 		.function_code	= {'P', 'K'},
200 	};
201 	static struct function_and_rules_block static_pke_fnr = {
202 		.function_code	= {'P', 'K'},
203 		.ulen		= 10,
204 		.only_rule	= {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '}
205 	};
206 	struct {
207 		struct type6_hdr hdr;
208 		struct CPRBX cprbx;
209 		struct function_and_rules_block fr;
210 		unsigned short length;
211 		char text[0];
212 	} __packed * msg = ap_msg->msg;
213 	int size;
214 
215 	/*
216 	 * The inputdatalength was a selection criteria in the dispatching
217 	 * function zcrypt_rsa_modexpo(). However, make sure the following
218 	 * copy_from_user() never exceeds the allocated buffer space.
219 	 */
220 	if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
221 		return -EINVAL;
222 
223 	/* VUD.ciphertext */
224 	msg->length = mex->inputdatalength + 2;
225 	if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
226 		return -EFAULT;
227 
228 	/* Set up key which is located after the variable length text. */
229 	size = zcrypt_type6_mex_key_en(mex, msg->text + mex->inputdatalength);
230 	if (size < 0)
231 		return size;
232 	size += sizeof(*msg) + mex->inputdatalength;
233 
234 	/* message header, cprbx and f&r */
235 	msg->hdr = static_type6_hdrX;
236 	msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
237 	msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
238 
239 	msg->cprbx = static_cprbx;
240 	msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
241 	msg->cprbx.rpl_msgbl = msg->hdr.fromcardlen1;
242 
243 	msg->fr = static_pke_fnr;
244 
245 	msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx);
246 
247 	ap_msg->len = size;
248 	return 0;
249 }
250 
251 /*
252  * Convert a ICACRT message to a type6 CRT message.
253  *
254  * @zq: crypto device pointer
255  * @ap_msg: pointer to AP message
256  * @crt: pointer to user input data
257  *
258  * Returns 0 on success or negative errno value.
259  */
icacrt_msg_to_type6crt_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo_crt * crt)260 static int icacrt_msg_to_type6crt_msgx(struct zcrypt_queue *zq,
261 				       struct ap_message *ap_msg,
262 				       struct ica_rsa_modexpo_crt *crt)
263 {
264 	static struct type6_hdr static_type6_hdrX = {
265 		.type		=  0x06,
266 		.offset1	=  0x00000058,
267 		.agent_id	= {'C', 'A',},
268 		.function_code	= {'P', 'D'},
269 	};
270 	static struct function_and_rules_block static_pkd_fnr = {
271 		.function_code	= {'P', 'D'},
272 		.ulen		= 10,
273 		.only_rule	= {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'}
274 	};
275 
276 	struct {
277 		struct type6_hdr hdr;
278 		struct CPRBX cprbx;
279 		struct function_and_rules_block fr;
280 		unsigned short length;
281 		char text[0];
282 	} __packed * msg = ap_msg->msg;
283 	int size;
284 
285 	/*
286 	 * The inputdatalength was a selection criteria in the dispatching
287 	 * function zcrypt_rsa_crt(). However, make sure the following
288 	 * copy_from_user() never exceeds the allocated buffer space.
289 	 */
290 	if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
291 		return -EINVAL;
292 
293 	/* VUD.ciphertext */
294 	msg->length = crt->inputdatalength + 2;
295 	if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))
296 		return -EFAULT;
297 
298 	/* Set up key which is located after the variable length text. */
299 	size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength);
300 	if (size < 0)
301 		return size;
302 	size += sizeof(*msg) + crt->inputdatalength;	/* total size of msg */
303 
304 	/* message header, cprbx and f&r */
305 	msg->hdr = static_type6_hdrX;
306 	msg->hdr.tocardlen1 = size -  sizeof(msg->hdr);
307 	msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
308 
309 	msg->cprbx = static_cprbx;
310 	msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
311 	msg->cprbx.req_parml = msg->cprbx.rpl_msgbl =
312 		size - sizeof(msg->hdr) - sizeof(msg->cprbx);
313 
314 	msg->fr = static_pkd_fnr;
315 
316 	ap_msg->len = size;
317 	return 0;
318 }
319 
320 /*
321  * Convert a XCRB message to a type6 CPRB message.
322  *
323  * @zq: crypto device pointer
324  * @ap_msg: pointer to AP message
325  * @xcRB: pointer to user input data
326  *
327  * Returns 0 on success or -EFAULT, -EINVAL.
328  */
329 struct type86_fmt2_msg {
330 	struct type86_hdr hdr;
331 	struct type86_fmt2_ext fmt2;
332 } __packed;
333 
xcrb_msg_to_type6cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ica_xcRB * xcrb,unsigned int * fcode,unsigned short ** dom)334 static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg,
335 				      struct ica_xcRB *xcrb,
336 				      unsigned int *fcode,
337 				      unsigned short **dom)
338 {
339 	static struct type6_hdr static_type6_hdrX = {
340 		.type		=  0x06,
341 		.offset1	=  0x00000058,
342 	};
343 	struct {
344 		struct type6_hdr hdr;
345 		union {
346 			struct CPRBX cprbx;
347 			DECLARE_FLEX_ARRAY(u8, userdata);
348 		};
349 	} __packed * msg = ap_msg->msg;
350 
351 	int rcblen = CEIL4(xcrb->request_control_blk_length);
352 	int req_sumlen, resp_sumlen;
353 	char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen;
354 	char *function_code;
355 
356 	if (CEIL4(xcrb->request_control_blk_length) <
357 			xcrb->request_control_blk_length)
358 		return -EINVAL; /* overflow after alignment*/
359 
360 	/* length checks */
361 	ap_msg->len = sizeof(struct type6_hdr) +
362 		CEIL4(xcrb->request_control_blk_length) +
363 		xcrb->request_data_length;
364 	if (ap_msg->len > ap_msg->bufsize)
365 		return -EINVAL;
366 
367 	/*
368 	 * Overflow check
369 	 * sum must be greater (or equal) than the largest operand
370 	 */
371 	req_sumlen = CEIL4(xcrb->request_control_blk_length) +
372 			xcrb->request_data_length;
373 	if ((CEIL4(xcrb->request_control_blk_length) <=
374 	     xcrb->request_data_length) ?
375 	    req_sumlen < xcrb->request_data_length :
376 	    req_sumlen < CEIL4(xcrb->request_control_blk_length)) {
377 		return -EINVAL;
378 	}
379 
380 	if (CEIL4(xcrb->reply_control_blk_length) <
381 			xcrb->reply_control_blk_length)
382 		return -EINVAL; /* overflow after alignment*/
383 
384 	/*
385 	 * Overflow check
386 	 * sum must be greater (or equal) than the largest operand
387 	 */
388 	resp_sumlen = CEIL4(xcrb->reply_control_blk_length) +
389 			xcrb->reply_data_length;
390 	if ((CEIL4(xcrb->reply_control_blk_length) <=
391 	     xcrb->reply_data_length) ?
392 	    resp_sumlen < xcrb->reply_data_length :
393 	    resp_sumlen < CEIL4(xcrb->reply_control_blk_length)) {
394 		return -EINVAL;
395 	}
396 
397 	/* prepare type6 header */
398 	msg->hdr = static_type6_hdrX;
399 	memcpy(msg->hdr.agent_id, &xcrb->agent_ID, sizeof(xcrb->agent_ID));
400 	msg->hdr.tocardlen1 = xcrb->request_control_blk_length;
401 	if (xcrb->request_data_length) {
402 		msg->hdr.offset2 = msg->hdr.offset1 + rcblen;
403 		msg->hdr.tocardlen2 = xcrb->request_data_length;
404 	}
405 	msg->hdr.fromcardlen1 = xcrb->reply_control_blk_length;
406 	msg->hdr.fromcardlen2 = xcrb->reply_data_length;
407 
408 	/* prepare CPRB */
409 	if (z_copy_from_user(userspace, msg->userdata,
410 			     xcrb->request_control_blk_addr,
411 			     xcrb->request_control_blk_length))
412 		return -EFAULT;
413 	if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) >
414 	    xcrb->request_control_blk_length)
415 		return -EINVAL;
416 	function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len;
417 	memcpy(msg->hdr.function_code, function_code,
418 	       sizeof(msg->hdr.function_code));
419 
420 	*fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1];
421 	*dom = (unsigned short *)&msg->cprbx.domain;
422 
423 	/* check subfunction, US and AU need special flag with NQAP */
424 	if (memcmp(function_code, "US", 2) == 0 ||
425 	    memcmp(function_code, "AU", 2) == 0)
426 		ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
427 
428 #ifdef CONFIG_ZCRYPT_DEBUG
429 	if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
430 		ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
431 #endif
432 
433 	/* check CPRB minor version, set info bits in ap_message flag field */
434 	switch (*(unsigned short *)(&msg->cprbx.func_id[0])) {
435 	case 0x5432: /* "T2" */
436 		ap_msg->flags |= AP_MSG_FLAG_USAGE;
437 		break;
438 	case 0x5433: /* "T3" */
439 	case 0x5435: /* "T5" */
440 	case 0x5436: /* "T6" */
441 	case 0x5437: /* "T7" */
442 		ap_msg->flags |= AP_MSG_FLAG_ADMIN;
443 		break;
444 	default:
445 		ZCRYPT_DBF_DBG("%s unknown CPRB minor version '%c%c'\n",
446 			       __func__, msg->cprbx.func_id[0],
447 			       msg->cprbx.func_id[1]);
448 	}
449 
450 	/* copy data block */
451 	if (xcrb->request_data_length &&
452 	    z_copy_from_user(userspace, req_data, xcrb->request_data_address,
453 			     xcrb->request_data_length))
454 		return -EFAULT;
455 
456 	return 0;
457 }
458 
xcrb_msg_to_type6_ep11cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ep11_urb * xcrb,unsigned int * fcode,unsigned int * domain)459 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg,
460 					   struct ep11_urb *xcrb,
461 					   unsigned int *fcode,
462 					   unsigned int *domain)
463 {
464 	unsigned int lfmt;
465 	static struct type6_hdr static_type6_ep11_hdr = {
466 		.type		=  0x06,
467 		.rqid		= {0x00, 0x01},
468 		.function_code	= {0x00, 0x00},
469 		.agent_id[0]	=  0x58,	/* {'X'} */
470 		.agent_id[1]	=  0x43,	/* {'C'} */
471 		.offset1	=  0x00000058,
472 	};
473 
474 	struct {
475 		struct type6_hdr hdr;
476 		union {
477 			struct {
478 				struct ep11_cprb cprbx;
479 				unsigned char pld_tag;    /* fixed value 0x30 */
480 				unsigned char pld_lenfmt; /* length format */
481 			} __packed;
482 			DECLARE_FLEX_ARRAY(u8, userdata);
483 		};
484 	} __packed * msg = ap_msg->msg;
485 
486 	struct pld_hdr {
487 		unsigned char	func_tag;	/* fixed value 0x4 */
488 		unsigned char	func_len;	/* fixed value 0x4 */
489 		unsigned int	func_val;	/* function ID	   */
490 		unsigned char	dom_tag;	/* fixed value 0x4 */
491 		unsigned char	dom_len;	/* fixed value 0x4 */
492 		unsigned int	dom_val;	/* domain id	   */
493 	} __packed * payload_hdr = NULL;
494 
495 	if (CEIL4(xcrb->req_len) < xcrb->req_len)
496 		return -EINVAL; /* overflow after alignment*/
497 
498 	/* length checks */
499 	ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcrb->req_len);
500 	if (ap_msg->len > ap_msg->bufsize)
501 		return -EINVAL;
502 
503 	if (CEIL4(xcrb->resp_len) < xcrb->resp_len)
504 		return -EINVAL; /* overflow after alignment*/
505 
506 	/* prepare type6 header */
507 	msg->hdr = static_type6_ep11_hdr;
508 	msg->hdr.tocardlen1   = xcrb->req_len;
509 	msg->hdr.fromcardlen1 = xcrb->resp_len;
510 
511 	/* Import CPRB data from the ioctl input parameter */
512 	if (z_copy_from_user(userspace, msg->userdata,
513 			     (char __force __user *)xcrb->req, xcrb->req_len)) {
514 		return -EFAULT;
515 	}
516 
517 	if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
518 		switch (msg->pld_lenfmt & 0x03) {
519 		case 1:
520 			lfmt = 2;
521 			break;
522 		case 2:
523 			lfmt = 3;
524 			break;
525 		default:
526 			return -EINVAL;
527 		}
528 	} else {
529 		lfmt = 1; /* length format #1 */
530 	}
531 	payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
532 	*fcode = payload_hdr->func_val & 0xFFFF;
533 
534 	/* enable special processing based on the cprbs flags special bit */
535 	if (msg->cprbx.flags & 0x20)
536 		ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
537 
538 #ifdef CONFIG_ZCRYPT_DEBUG
539 	if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
540 		ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
541 #endif
542 
543 	/* set info bits in ap_message flag field */
544 	if (msg->cprbx.flags & 0x80)
545 		ap_msg->flags |= AP_MSG_FLAG_ADMIN;
546 	else
547 		ap_msg->flags |= AP_MSG_FLAG_USAGE;
548 
549 	*domain = msg->cprbx.target_id;
550 
551 	return 0;
552 }
553 
554 /*
555  * Copy results from a type 86 ICA reply message back to user space.
556  *
557  * @zq: crypto device pointer
558  * @reply: reply AP message.
559  * @data: pointer to user output data
560  * @length: size of user output data
561  *
562  * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
563  */
564 struct type86x_reply {
565 	struct type86_hdr hdr;
566 	struct type86_fmt2_ext fmt2;
567 	struct CPRBX cprbx;
568 	unsigned char pad[4];	/* 4 byte function code/rules block ? */
569 	unsigned short length;
570 	char text[];
571 } __packed;
572 
573 struct type86_ep11_reply {
574 	struct type86_hdr hdr;
575 	struct type86_fmt2_ext fmt2;
576 	struct ep11_cprb cprbx;
577 } __packed;
578 
convert_type86_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)579 static int convert_type86_ica(struct zcrypt_queue *zq,
580 			      struct ap_message *reply,
581 			      char __user *outputdata,
582 			      unsigned int outputdatalength)
583 {
584 	static unsigned char static_pad[] = {
585 		0x00, 0x02,
586 		0x1B, 0x7B, 0x5D, 0xB5, 0x75, 0x01, 0x3D, 0xFD,
587 		0x8D, 0xD1, 0xC7, 0x03, 0x2D, 0x09, 0x23, 0x57,
588 		0x89, 0x49, 0xB9, 0x3F, 0xBB, 0x99, 0x41, 0x5B,
589 		0x75, 0x21, 0x7B, 0x9D, 0x3B, 0x6B, 0x51, 0x39,
590 		0xBB, 0x0D, 0x35, 0xB9, 0x89, 0x0F, 0x93, 0xA5,
591 		0x0B, 0x47, 0xF1, 0xD3, 0xBB, 0xCB, 0xF1, 0x9D,
592 		0x23, 0x73, 0x71, 0xFF, 0xF3, 0xF5, 0x45, 0xFB,
593 		0x61, 0x29, 0x23, 0xFD, 0xF1, 0x29, 0x3F, 0x7F,
594 		0x17, 0xB7, 0x1B, 0xA9, 0x19, 0xBD, 0x57, 0xA9,
595 		0xD7, 0x95, 0xA3, 0xCB, 0xED, 0x1D, 0xDB, 0x45,
596 		0x7D, 0x11, 0xD1, 0x51, 0x1B, 0xED, 0x71, 0xE9,
597 		0xB1, 0xD1, 0xAB, 0xAB, 0x21, 0x2B, 0x1B, 0x9F,
598 		0x3B, 0x9F, 0xF7, 0xF7, 0xBD, 0x63, 0xEB, 0xAD,
599 		0xDF, 0xB3, 0x6F, 0x5B, 0xDB, 0x8D, 0xA9, 0x5D,
600 		0xE3, 0x7D, 0x77, 0x49, 0x47, 0xF5, 0xA7, 0xFD,
601 		0xAB, 0x2F, 0x27, 0x35, 0x77, 0xD3, 0x49, 0xC9,
602 		0x09, 0xEB, 0xB1, 0xF9, 0xBF, 0x4B, 0xCB, 0x2B,
603 		0xEB, 0xEB, 0x05, 0xFF, 0x7D, 0xC7, 0x91, 0x8B,
604 		0x09, 0x83, 0xB9, 0xB9, 0x69, 0x33, 0x39, 0x6B,
605 		0x79, 0x75, 0x19, 0xBF, 0xBB, 0x07, 0x1D, 0xBD,
606 		0x29, 0xBF, 0x39, 0x95, 0x93, 0x1D, 0x35, 0xC7,
607 		0xC9, 0x4D, 0xE5, 0x97, 0x0B, 0x43, 0x9B, 0xF1,
608 		0x16, 0x93, 0x03, 0x1F, 0xA5, 0xFB, 0xDB, 0xF3,
609 		0x27, 0x4F, 0x27, 0x61, 0x05, 0x1F, 0xB9, 0x23,
610 		0x2F, 0xC3, 0x81, 0xA9, 0x23, 0x71, 0x55, 0x55,
611 		0xEB, 0xED, 0x41, 0xE5, 0xF3, 0x11, 0xF1, 0x43,
612 		0x69, 0x03, 0xBD, 0x0B, 0x37, 0x0F, 0x51, 0x8F,
613 		0x0B, 0xB5, 0x89, 0x5B, 0x67, 0xA9, 0xD9, 0x4F,
614 		0x01, 0xF9, 0x21, 0x77, 0x37, 0x73, 0x79, 0xC5,
615 		0x7F, 0x51, 0xC1, 0xCF, 0x97, 0xA1, 0x75, 0xAD,
616 		0x35, 0x9D, 0xD3, 0xD3, 0xA7, 0x9D, 0x5D, 0x41,
617 		0x6F, 0x65, 0x1B, 0xCF, 0xA9, 0x87, 0x91, 0x09
618 	};
619 	struct type86x_reply *msg = reply->msg;
620 	unsigned short service_rc, service_rs;
621 	unsigned int reply_len, pad_len;
622 	char *data;
623 
624 	service_rc = msg->cprbx.ccp_rtcode;
625 	if (unlikely(service_rc != 0)) {
626 		service_rs = msg->cprbx.ccp_rscode;
627 		if ((service_rc == 8 && service_rs == 66) ||
628 		    (service_rc == 8 && service_rs == 65) ||
629 		    (service_rc == 8 && service_rs == 72) ||
630 		    (service_rc == 8 && service_rs == 770) ||
631 		    (service_rc == 12 && service_rs == 769)) {
632 			ZCRYPT_DBF_WARN("%s dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n",
633 					__func__, AP_QID_CARD(zq->queue->qid),
634 					AP_QID_QUEUE(zq->queue->qid),
635 					(int)service_rc, (int)service_rs);
636 			return -EINVAL;
637 		}
638 		zq->online = 0;
639 		pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n",
640 		       AP_QID_CARD(zq->queue->qid),
641 		       AP_QID_QUEUE(zq->queue->qid),
642 		       (int)service_rc, (int)service_rs);
643 		ZCRYPT_DBF_ERR("%s dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n",
644 			       __func__, AP_QID_CARD(zq->queue->qid),
645 			       AP_QID_QUEUE(zq->queue->qid),
646 			       (int)service_rc, (int)service_rs);
647 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
648 		return -EAGAIN;
649 	}
650 	data = msg->text;
651 	reply_len = msg->length - 2;
652 	if (reply_len > outputdatalength)
653 		return -EINVAL;
654 	/*
655 	 * For all encipher requests, the length of the ciphertext (reply_len)
656 	 * will always equal the modulus length. For MEX decipher requests
657 	 * the output needs to get padded. Minimum pad size is 10.
658 	 *
659 	 * Currently, the cases where padding will be added is for:
660 	 * - PCIXCC_MCL2 using a CRT form token (since PKD didn't support
661 	 *   ZERO-PAD and CRT is only supported for PKD requests)
662 	 * - PCICC, always
663 	 */
664 	pad_len = outputdatalength - reply_len;
665 	if (pad_len > 0) {
666 		if (pad_len < 10)
667 			return -EINVAL;
668 		/* 'restore' padding left in the CEXXC card. */
669 		if (copy_to_user(outputdata, static_pad, pad_len - 1))
670 			return -EFAULT;
671 		if (put_user(0, outputdata + pad_len - 1))
672 			return -EFAULT;
673 	}
674 	/* Copy the crypto response to user space. */
675 	if (copy_to_user(outputdata + pad_len, data, reply_len))
676 		return -EFAULT;
677 	return 0;
678 }
679 
680 /*
681  * Copy results from a type 86 XCRB reply message back to user space.
682  *
683  * @zq: crypto device pointer
684  * @reply: reply AP message.
685  * @xcrb: pointer to XCRB
686  *
687  * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
688  */
convert_type86_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)689 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq,
690 			       struct ap_message *reply,
691 			       struct ica_xcRB *xcrb)
692 {
693 	struct type86_fmt2_msg *msg = reply->msg;
694 	char *data = reply->msg;
695 
696 	/* Copy CPRB to user */
697 	if (xcrb->reply_control_blk_length < msg->fmt2.count1) {
698 		ZCRYPT_DBF_DBG("%s reply_control_blk_length %u < required %u => EMSGSIZE\n",
699 			       __func__, xcrb->reply_control_blk_length,
700 			       msg->fmt2.count1);
701 		return -EMSGSIZE;
702 	}
703 	if (z_copy_to_user(userspace, xcrb->reply_control_blk_addr,
704 			   data + msg->fmt2.offset1, msg->fmt2.count1))
705 		return -EFAULT;
706 	xcrb->reply_control_blk_length = msg->fmt2.count1;
707 
708 	/* Copy data buffer to user */
709 	if (msg->fmt2.count2) {
710 		if (xcrb->reply_data_length < msg->fmt2.count2) {
711 			ZCRYPT_DBF_DBG("%s reply_data_length %u < required %u => EMSGSIZE\n",
712 				       __func__, xcrb->reply_data_length,
713 				       msg->fmt2.count2);
714 			return -EMSGSIZE;
715 		}
716 		if (z_copy_to_user(userspace, xcrb->reply_data_addr,
717 				   data + msg->fmt2.offset2, msg->fmt2.count2))
718 			return -EFAULT;
719 	}
720 	xcrb->reply_data_length = msg->fmt2.count2;
721 
722 	return 0;
723 }
724 
725 /*
726  * Copy results from a type 86 EP11 XCRB reply message back to user space.
727  *
728  * @zq: crypto device pointer
729  * @reply: reply AP message.
730  * @xcrb: pointer to EP11 user request block
731  *
732  * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
733  */
convert_type86_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)734 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
735 				    struct ap_message *reply,
736 				    struct ep11_urb *xcrb)
737 {
738 	struct type86_fmt2_msg *msg = reply->msg;
739 	char *data = reply->msg;
740 
741 	if (xcrb->resp_len < msg->fmt2.count1) {
742 		ZCRYPT_DBF_DBG("%s resp_len %u < required %u => EMSGSIZE\n",
743 			       __func__, (unsigned int)xcrb->resp_len,
744 			       msg->fmt2.count1);
745 		return -EMSGSIZE;
746 	}
747 
748 	/* Copy response CPRB to user */
749 	if (z_copy_to_user(userspace, (char __force __user *)xcrb->resp,
750 			   data + msg->fmt2.offset1, msg->fmt2.count1))
751 		return -EFAULT;
752 	xcrb->resp_len = msg->fmt2.count1;
753 	return 0;
754 }
755 
convert_type86_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * buffer)756 static int convert_type86_rng(struct zcrypt_queue *zq,
757 			      struct ap_message *reply,
758 			      char *buffer)
759 {
760 	struct {
761 		struct type86_hdr hdr;
762 		struct type86_fmt2_ext fmt2;
763 		struct CPRBX cprbx;
764 	} __packed * msg = reply->msg;
765 	char *data = reply->msg;
766 
767 	if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0)
768 		return -EINVAL;
769 	memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2);
770 	return msg->fmt2.count2;
771 }
772 
convert_response_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)773 static int convert_response_ica(struct zcrypt_queue *zq,
774 				struct ap_message *reply,
775 				char __user *outputdata,
776 				unsigned int outputdatalength)
777 {
778 	struct type86x_reply *msg = reply->msg;
779 
780 	switch (msg->hdr.type) {
781 	case TYPE82_RSP_CODE:
782 	case TYPE88_RSP_CODE:
783 		return convert_error(zq, reply);
784 	case TYPE86_RSP_CODE:
785 		if (msg->cprbx.ccp_rtcode &&
786 		    msg->cprbx.ccp_rscode == 0x14f &&
787 		    outputdatalength > 256) {
788 			if (zq->zcard->max_exp_bit_length <= 17) {
789 				zq->zcard->max_exp_bit_length = 17;
790 				return -EAGAIN;
791 			} else {
792 				return -EINVAL;
793 			}
794 		}
795 		if (msg->hdr.reply_code)
796 			return convert_error(zq, reply);
797 		if (msg->cprbx.cprb_ver_id == 0x02)
798 			return convert_type86_ica(zq, reply,
799 						  outputdata, outputdatalength);
800 		fallthrough;	/* wrong cprb version is an unknown response */
801 	default:
802 		/* Unknown response type, this should NEVER EVER happen */
803 		zq->online = 0;
804 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
805 		       AP_QID_CARD(zq->queue->qid),
806 		       AP_QID_QUEUE(zq->queue->qid),
807 		       (int)msg->hdr.type);
808 		ZCRYPT_DBF_ERR(
809 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
810 			__func__, AP_QID_CARD(zq->queue->qid),
811 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
812 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
813 		return -EAGAIN;
814 	}
815 }
816 
convert_response_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)817 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq,
818 				 struct ap_message *reply,
819 				 struct ica_xcRB *xcrb)
820 {
821 	struct type86x_reply *msg = reply->msg;
822 
823 	switch (msg->hdr.type) {
824 	case TYPE82_RSP_CODE:
825 	case TYPE88_RSP_CODE:
826 		xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
827 		return convert_error(zq, reply);
828 	case TYPE86_RSP_CODE:
829 		if (msg->hdr.reply_code) {
830 			memcpy(&xcrb->status, msg->fmt2.apfs, sizeof(u32));
831 			return convert_error(zq, reply);
832 		}
833 		if (msg->cprbx.cprb_ver_id == 0x02)
834 			return convert_type86_xcrb(userspace, zq, reply, xcrb);
835 		fallthrough;	/* wrong cprb version is an unknown response */
836 	default: /* Unknown response type, this should NEVER EVER happen */
837 		xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
838 		zq->online = 0;
839 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
840 		       AP_QID_CARD(zq->queue->qid),
841 		       AP_QID_QUEUE(zq->queue->qid),
842 		       (int)msg->hdr.type);
843 		ZCRYPT_DBF_ERR(
844 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
845 			__func__, AP_QID_CARD(zq->queue->qid),
846 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
847 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
848 		return -EAGAIN;
849 	}
850 }
851 
convert_response_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)852 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
853 				      struct ap_message *reply, struct ep11_urb *xcrb)
854 {
855 	struct type86_ep11_reply *msg = reply->msg;
856 
857 	switch (msg->hdr.type) {
858 	case TYPE82_RSP_CODE:
859 	case TYPE87_RSP_CODE:
860 		return convert_error(zq, reply);
861 	case TYPE86_RSP_CODE:
862 		if (msg->hdr.reply_code)
863 			return convert_error(zq, reply);
864 		if (msg->cprbx.cprb_ver_id == 0x04)
865 			return convert_type86_ep11_xcrb(userspace, zq, reply, xcrb);
866 		fallthrough;	/* wrong cprb version is an unknown resp */
867 	default: /* Unknown response type, this should NEVER EVER happen */
868 		zq->online = 0;
869 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
870 		       AP_QID_CARD(zq->queue->qid),
871 		       AP_QID_QUEUE(zq->queue->qid),
872 		       (int)msg->hdr.type);
873 		ZCRYPT_DBF_ERR(
874 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
875 			__func__, AP_QID_CARD(zq->queue->qid),
876 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
877 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
878 		return -EAGAIN;
879 	}
880 }
881 
convert_response_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * data)882 static int convert_response_rng(struct zcrypt_queue *zq,
883 				struct ap_message *reply,
884 				char *data)
885 {
886 	struct type86x_reply *msg = reply->msg;
887 
888 	switch (msg->hdr.type) {
889 	case TYPE82_RSP_CODE:
890 	case TYPE88_RSP_CODE:
891 		return -EINVAL;
892 	case TYPE86_RSP_CODE:
893 		if (msg->hdr.reply_code)
894 			return -EINVAL;
895 		if (msg->cprbx.cprb_ver_id == 0x02)
896 			return convert_type86_rng(zq, reply, data);
897 		fallthrough;	/* wrong cprb version is an unknown response */
898 	default: /* Unknown response type, this should NEVER EVER happen */
899 		zq->online = 0;
900 		pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
901 		       AP_QID_CARD(zq->queue->qid),
902 		       AP_QID_QUEUE(zq->queue->qid),
903 		       (int)msg->hdr.type);
904 		ZCRYPT_DBF_ERR(
905 			"%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
906 			__func__, AP_QID_CARD(zq->queue->qid),
907 			AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
908 		ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
909 		return -EAGAIN;
910 	}
911 }
912 
913 /*
914  * This function is called from the AP bus code after a crypto request
915  * "msg" has finished with the reply message "reply".
916  * It is called from tasklet context.
917  * @aq: pointer to the AP queue
918  * @msg: pointer to the AP message
919  * @reply: pointer to the AP reply message
920  */
zcrypt_msgtype6_receive(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)921 static void zcrypt_msgtype6_receive(struct ap_queue *aq,
922 				    struct ap_message *msg,
923 				    struct ap_message *reply)
924 {
925 	static struct error_hdr error_reply = {
926 		.type = TYPE82_RSP_CODE,
927 		.reply_code = REP82_ERROR_MACHINE_FAILURE,
928 	};
929 	struct response_type *resp_type =
930 		(struct response_type *)msg->private;
931 	struct type86x_reply *t86r;
932 	int len;
933 
934 	/* Copy the reply message to the request message buffer. */
935 	if (!reply)
936 		goto out;	/* ap_msg->rc indicates the error */
937 	t86r = reply->msg;
938 	if (t86r->hdr.type == TYPE86_RSP_CODE &&
939 	    t86r->cprbx.cprb_ver_id == 0x02) {
940 		switch (resp_type->type) {
941 		case CEXXC_RESPONSE_TYPE_ICA:
942 			len = sizeof(struct type86x_reply) + t86r->length - 2;
943 			if (len > reply->bufsize || len > msg->bufsize) {
944 				msg->rc = -EMSGSIZE;
945 			} else {
946 				memcpy(msg->msg, reply->msg, len);
947 				msg->len = len;
948 			}
949 			break;
950 		case CEXXC_RESPONSE_TYPE_XCRB:
951 			len = t86r->fmt2.offset2 + t86r->fmt2.count2;
952 			if (len > reply->bufsize || len > msg->bufsize) {
953 				msg->rc = -EMSGSIZE;
954 			} else {
955 				memcpy(msg->msg, reply->msg, len);
956 				msg->len = len;
957 			}
958 			break;
959 		default:
960 			memcpy(msg->msg, &error_reply, sizeof(error_reply));
961 		}
962 	} else {
963 		memcpy(msg->msg, reply->msg, sizeof(error_reply));
964 	}
965 out:
966 	complete(&resp_type->work);
967 }
968 
969 /*
970  * This function is called from the AP bus code after a crypto request
971  * "msg" has finished with the reply message "reply".
972  * It is called from tasklet context.
973  * @aq: pointer to the AP queue
974  * @msg: pointer to the AP message
975  * @reply: pointer to the AP reply message
976  */
zcrypt_msgtype6_receive_ep11(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)977 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
978 					 struct ap_message *msg,
979 					 struct ap_message *reply)
980 {
981 	static struct error_hdr error_reply = {
982 		.type = TYPE82_RSP_CODE,
983 		.reply_code = REP82_ERROR_MACHINE_FAILURE,
984 	};
985 	struct response_type *resp_type =
986 		(struct response_type *)msg->private;
987 	struct type86_ep11_reply *t86r;
988 	int len;
989 
990 	/* Copy the reply message to the request message buffer. */
991 	if (!reply)
992 		goto out;	/* ap_msg->rc indicates the error */
993 	t86r = reply->msg;
994 	if (t86r->hdr.type == TYPE86_RSP_CODE &&
995 	    t86r->cprbx.cprb_ver_id == 0x04) {
996 		switch (resp_type->type) {
997 		case CEXXC_RESPONSE_TYPE_EP11:
998 			len = t86r->fmt2.offset1 + t86r->fmt2.count1;
999 			if (len > reply->bufsize || len > msg->bufsize) {
1000 				msg->rc = -EMSGSIZE;
1001 			} else {
1002 				memcpy(msg->msg, reply->msg, len);
1003 				msg->len = len;
1004 			}
1005 			break;
1006 		default:
1007 			memcpy(msg->msg, &error_reply, sizeof(error_reply));
1008 		}
1009 	} else {
1010 		memcpy(msg->msg, reply->msg, sizeof(error_reply));
1011 	}
1012 out:
1013 	complete(&resp_type->work);
1014 }
1015 
1016 static atomic_t zcrypt_step = ATOMIC_INIT(0);
1017 
1018 /*
1019  * The request distributor calls this function if it picked the CEXxC
1020  * device to handle a modexpo request.
1021  * @zq: pointer to zcrypt_queue structure that identifies the
1022  *	CEXxC device to the request distributor
1023  * @mex: pointer to the modexpo request buffer
1024  */
zcrypt_msgtype6_modexpo(struct zcrypt_queue * zq,struct ica_rsa_modexpo * mex,struct ap_message * ap_msg)1025 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq,
1026 				    struct ica_rsa_modexpo *mex,
1027 				    struct ap_message *ap_msg)
1028 {
1029 	struct response_type resp_type = {
1030 		.type = CEXXC_RESPONSE_TYPE_ICA,
1031 	};
1032 	int rc;
1033 
1034 	ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1035 	if (!ap_msg->msg)
1036 		return -ENOMEM;
1037 	ap_msg->bufsize = PAGE_SIZE;
1038 	ap_msg->receive = zcrypt_msgtype6_receive;
1039 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1040 		atomic_inc_return(&zcrypt_step);
1041 	ap_msg->private = &resp_type;
1042 	rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
1043 	if (rc)
1044 		goto out_free;
1045 	init_completion(&resp_type.work);
1046 	rc = ap_queue_message(zq->queue, ap_msg);
1047 	if (rc)
1048 		goto out_free;
1049 	rc = wait_for_completion_interruptible(&resp_type.work);
1050 	if (rc == 0) {
1051 		rc = ap_msg->rc;
1052 		if (rc == 0)
1053 			rc = convert_response_ica(zq, ap_msg,
1054 						  mex->outputdata,
1055 						  mex->outputdatalength);
1056 	} else {
1057 		/* Signal pending. */
1058 		ap_cancel_message(zq->queue, ap_msg);
1059 	}
1060 
1061 out_free:
1062 	free_page((unsigned long)ap_msg->msg);
1063 	ap_msg->private = NULL;
1064 	ap_msg->msg = NULL;
1065 	return rc;
1066 }
1067 
1068 /*
1069  * The request distributor calls this function if it picked the CEXxC
1070  * device to handle a modexpo_crt request.
1071  * @zq: pointer to zcrypt_queue structure that identifies the
1072  *	CEXxC device to the request distributor
1073  * @crt: pointer to the modexpoc_crt request buffer
1074  */
zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue * zq,struct ica_rsa_modexpo_crt * crt,struct ap_message * ap_msg)1075 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq,
1076 					struct ica_rsa_modexpo_crt *crt,
1077 					struct ap_message *ap_msg)
1078 {
1079 	struct response_type resp_type = {
1080 		.type = CEXXC_RESPONSE_TYPE_ICA,
1081 	};
1082 	int rc;
1083 
1084 	ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1085 	if (!ap_msg->msg)
1086 		return -ENOMEM;
1087 	ap_msg->bufsize = PAGE_SIZE;
1088 	ap_msg->receive = zcrypt_msgtype6_receive;
1089 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1090 		atomic_inc_return(&zcrypt_step);
1091 	ap_msg->private = &resp_type;
1092 	rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
1093 	if (rc)
1094 		goto out_free;
1095 	init_completion(&resp_type.work);
1096 	rc = ap_queue_message(zq->queue, ap_msg);
1097 	if (rc)
1098 		goto out_free;
1099 	rc = wait_for_completion_interruptible(&resp_type.work);
1100 	if (rc == 0) {
1101 		rc = ap_msg->rc;
1102 		if (rc == 0)
1103 			rc = convert_response_ica(zq, ap_msg,
1104 						  crt->outputdata,
1105 						  crt->outputdatalength);
1106 	} else {
1107 		/* Signal pending. */
1108 		ap_cancel_message(zq->queue, ap_msg);
1109 	}
1110 
1111 out_free:
1112 	free_page((unsigned long)ap_msg->msg);
1113 	ap_msg->private = NULL;
1114 	ap_msg->msg = NULL;
1115 	return rc;
1116 }
1117 
1118 /*
1119  * Prepare a CCA AP msg request.
1120  * Prepare a CCA AP msg: fetch the required data from userspace,
1121  * prepare the AP msg, fill some info into the ap_message struct,
1122  * extract some data from the CPRB and give back to the caller.
1123  * This function allocates memory and needs an ap_msg prepared
1124  * by the caller with ap_init_message(). Also the caller has to
1125  * make sure ap_release_message() is always called even on failure.
1126  */
prep_cca_ap_msg(bool userspace,struct ica_xcRB * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned short ** dom)1127 int prep_cca_ap_msg(bool userspace, struct ica_xcRB *xcrb,
1128 		    struct ap_message *ap_msg,
1129 		    unsigned int *func_code, unsigned short **dom)
1130 {
1131 	struct response_type resp_type = {
1132 		.type = CEXXC_RESPONSE_TYPE_XCRB,
1133 	};
1134 
1135 	ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1136 	ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1137 	if (!ap_msg->msg)
1138 		return -ENOMEM;
1139 	ap_msg->receive = zcrypt_msgtype6_receive;
1140 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1141 				atomic_inc_return(&zcrypt_step);
1142 	ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1143 	if (!ap_msg->private)
1144 		return -ENOMEM;
1145 	return xcrb_msg_to_type6cprb_msgx(userspace, ap_msg, xcrb, func_code, dom);
1146 }
1147 
1148 /*
1149  * The request distributor calls this function if it picked the CEXxC
1150  * device to handle a send_cprb request.
1151  * @zq: pointer to zcrypt_queue structure that identifies the
1152  *	CEXxC device to the request distributor
1153  * @xcrb: pointer to the send_cprb request buffer
1154  */
zcrypt_msgtype6_send_cprb(bool userspace,struct zcrypt_queue * zq,struct ica_xcRB * xcrb,struct ap_message * ap_msg)1155 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
1156 				      struct ica_xcRB *xcrb,
1157 				      struct ap_message *ap_msg)
1158 {
1159 	int rc;
1160 	struct response_type *rtype = (struct response_type *)(ap_msg->private);
1161 	struct {
1162 		struct type6_hdr hdr;
1163 		struct CPRBX cprbx;
1164 		/* ... more data blocks ... */
1165 	} __packed * msg = ap_msg->msg;
1166 
1167 	/*
1168 	 * Set the queue's reply buffer length minus 128 byte padding
1169 	 * as reply limit for the card firmware.
1170 	 */
1171 	msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1,
1172 				      zq->reply.bufsize - 128);
1173 	if (msg->hdr.fromcardlen2)
1174 		msg->hdr.fromcardlen2 =
1175 			zq->reply.bufsize - msg->hdr.fromcardlen1 - 128;
1176 
1177 	init_completion(&rtype->work);
1178 	rc = ap_queue_message(zq->queue, ap_msg);
1179 	if (rc)
1180 		goto out;
1181 	rc = wait_for_completion_interruptible(&rtype->work);
1182 	if (rc == 0) {
1183 		rc = ap_msg->rc;
1184 		if (rc == 0)
1185 			rc = convert_response_xcrb(userspace, zq, ap_msg, xcrb);
1186 	} else {
1187 		/* Signal pending. */
1188 		ap_cancel_message(zq->queue, ap_msg);
1189 	}
1190 
1191 out:
1192 	if (rc)
1193 		ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n",
1194 			       __func__, AP_QID_CARD(zq->queue->qid),
1195 			       AP_QID_QUEUE(zq->queue->qid), rc);
1196 	return rc;
1197 }
1198 
1199 /*
1200  * Prepare an EP11 AP msg request.
1201  * Prepare an EP11 AP msg: fetch the required data from userspace,
1202  * prepare the AP msg, fill some info into the ap_message struct,
1203  * extract some data from the CPRB and give back to the caller.
1204  * This function allocates memory and needs an ap_msg prepared
1205  * by the caller with ap_init_message(). Also the caller has to
1206  * make sure ap_release_message() is always called even on failure.
1207  */
prep_ep11_ap_msg(bool userspace,struct ep11_urb * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned int * domain)1208 int prep_ep11_ap_msg(bool userspace, struct ep11_urb *xcrb,
1209 		     struct ap_message *ap_msg,
1210 		     unsigned int *func_code, unsigned int *domain)
1211 {
1212 	struct response_type resp_type = {
1213 		.type = CEXXC_RESPONSE_TYPE_EP11,
1214 	};
1215 
1216 	ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1217 	ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1218 	if (!ap_msg->msg)
1219 		return -ENOMEM;
1220 	ap_msg->receive = zcrypt_msgtype6_receive_ep11;
1221 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1222 				atomic_inc_return(&zcrypt_step);
1223 	ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1224 	if (!ap_msg->private)
1225 		return -ENOMEM;
1226 	return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb,
1227 					       func_code, domain);
1228 }
1229 
1230 /*
1231  * The request distributor calls this function if it picked the CEX4P
1232  * device to handle a send_ep11_cprb request.
1233  * @zq: pointer to zcrypt_queue structure that identifies the
1234  *	  CEX4P device to the request distributor
1235  * @xcrb: pointer to the ep11 user request block
1236  */
zcrypt_msgtype6_send_ep11_cprb(bool userspace,struct zcrypt_queue * zq,struct ep11_urb * xcrb,struct ap_message * ap_msg)1237 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq,
1238 					   struct ep11_urb *xcrb,
1239 					   struct ap_message *ap_msg)
1240 {
1241 	int rc;
1242 	unsigned int lfmt;
1243 	struct response_type *rtype = (struct response_type *)(ap_msg->private);
1244 	struct {
1245 		struct type6_hdr hdr;
1246 		struct ep11_cprb cprbx;
1247 		unsigned char	pld_tag;	/* fixed value 0x30 */
1248 		unsigned char	pld_lenfmt;	/* payload length format */
1249 	} __packed * msg = ap_msg->msg;
1250 	struct pld_hdr {
1251 		unsigned char	func_tag;	/* fixed value 0x4 */
1252 		unsigned char	func_len;	/* fixed value 0x4 */
1253 		unsigned int	func_val;	/* function ID	   */
1254 		unsigned char	dom_tag;	/* fixed value 0x4 */
1255 		unsigned char	dom_len;	/* fixed value 0x4 */
1256 		unsigned int	dom_val;	/* domain id	   */
1257 	} __packed * payload_hdr = NULL;
1258 
1259 	/*
1260 	 * The target domain field within the cprb body/payload block will be
1261 	 * replaced by the usage domain for non-management commands only.
1262 	 * Therefore we check the first bit of the 'flags' parameter for
1263 	 * management command indication.
1264 	 *   0 - non management command
1265 	 *   1 - management command
1266 	 */
1267 	if (!((msg->cprbx.flags & 0x80) == 0x80)) {
1268 		msg->cprbx.target_id = (unsigned int)
1269 					AP_QID_QUEUE(zq->queue->qid);
1270 
1271 		if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
1272 			switch (msg->pld_lenfmt & 0x03) {
1273 			case 1:
1274 				lfmt = 2;
1275 				break;
1276 			case 2:
1277 				lfmt = 3;
1278 				break;
1279 			default:
1280 				return -EINVAL;
1281 			}
1282 		} else {
1283 			lfmt = 1; /* length format #1 */
1284 		}
1285 		payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
1286 		payload_hdr->dom_val = (unsigned int)
1287 					AP_QID_QUEUE(zq->queue->qid);
1288 	}
1289 
1290 	/*
1291 	 * Set the queue's reply buffer length minus the two prepend headers
1292 	 * as reply limit for the card firmware.
1293 	 */
1294 	msg->hdr.fromcardlen1 = zq->reply.bufsize -
1295 		sizeof(struct type86_hdr) - sizeof(struct type86_fmt2_ext);
1296 
1297 	init_completion(&rtype->work);
1298 	rc = ap_queue_message(zq->queue, ap_msg);
1299 	if (rc)
1300 		goto out;
1301 	rc = wait_for_completion_interruptible(&rtype->work);
1302 	if (rc == 0) {
1303 		rc = ap_msg->rc;
1304 		if (rc == 0)
1305 			rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb);
1306 	} else {
1307 		/* Signal pending. */
1308 		ap_cancel_message(zq->queue, ap_msg);
1309 	}
1310 
1311 out:
1312 	if (rc)
1313 		ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n",
1314 			       __func__, AP_QID_CARD(zq->queue->qid),
1315 			       AP_QID_QUEUE(zq->queue->qid), rc);
1316 	return rc;
1317 }
1318 
prep_rng_ap_msg(struct ap_message * ap_msg,int * func_code,unsigned int * domain)1319 int prep_rng_ap_msg(struct ap_message *ap_msg, int *func_code,
1320 		    unsigned int *domain)
1321 {
1322 	struct response_type resp_type = {
1323 		.type = CEXXC_RESPONSE_TYPE_XCRB,
1324 	};
1325 
1326 	ap_msg->bufsize = AP_DEFAULT_MAX_MSG_SIZE;
1327 	ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1328 	if (!ap_msg->msg)
1329 		return -ENOMEM;
1330 	ap_msg->receive = zcrypt_msgtype6_receive;
1331 	ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1332 				atomic_inc_return(&zcrypt_step);
1333 	ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1334 	if (!ap_msg->private)
1335 		return -ENOMEM;
1336 
1337 	rng_type6cprb_msgx(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain);
1338 
1339 	*func_code = HWRNG;
1340 	return 0;
1341 }
1342 
1343 /*
1344  * The request distributor calls this function if it picked the CEXxC
1345  * device to generate random data.
1346  * @zq: pointer to zcrypt_queue structure that identifies the
1347  *	CEXxC device to the request distributor
1348  * @buffer: pointer to a memory page to return random data
1349  */
zcrypt_msgtype6_rng(struct zcrypt_queue * zq,char * buffer,struct ap_message * ap_msg)1350 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
1351 				char *buffer, struct ap_message *ap_msg)
1352 {
1353 	struct {
1354 		struct type6_hdr hdr;
1355 		struct CPRBX cprbx;
1356 		char function_code[2];
1357 		short int rule_length;
1358 		char rule[8];
1359 		short int verb_length;
1360 		short int key_length;
1361 	} __packed * msg = ap_msg->msg;
1362 	struct response_type *rtype = (struct response_type *)(ap_msg->private);
1363 	int rc;
1364 
1365 	msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1366 
1367 	init_completion(&rtype->work);
1368 	rc = ap_queue_message(zq->queue, ap_msg);
1369 	if (rc)
1370 		goto out;
1371 	rc = wait_for_completion_interruptible(&rtype->work);
1372 	if (rc == 0) {
1373 		rc = ap_msg->rc;
1374 		if (rc == 0)
1375 			rc = convert_response_rng(zq, ap_msg, buffer);
1376 	} else {
1377 		/* Signal pending. */
1378 		ap_cancel_message(zq->queue, ap_msg);
1379 	}
1380 out:
1381 	return rc;
1382 }
1383 
1384 /*
1385  * The crypto operations for a CEXxC card.
1386  */
1387 static struct zcrypt_ops zcrypt_msgtype6_norng_ops = {
1388 	.owner = THIS_MODULE,
1389 	.name = MSGTYPE06_NAME,
1390 	.variant = MSGTYPE06_VARIANT_NORNG,
1391 	.rsa_modexpo = zcrypt_msgtype6_modexpo,
1392 	.rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1393 	.send_cprb = zcrypt_msgtype6_send_cprb,
1394 };
1395 
1396 static struct zcrypt_ops zcrypt_msgtype6_ops = {
1397 	.owner = THIS_MODULE,
1398 	.name = MSGTYPE06_NAME,
1399 	.variant = MSGTYPE06_VARIANT_DEFAULT,
1400 	.rsa_modexpo = zcrypt_msgtype6_modexpo,
1401 	.rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1402 	.send_cprb = zcrypt_msgtype6_send_cprb,
1403 	.rng = zcrypt_msgtype6_rng,
1404 };
1405 
1406 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = {
1407 	.owner = THIS_MODULE,
1408 	.name = MSGTYPE06_NAME,
1409 	.variant = MSGTYPE06_VARIANT_EP11,
1410 	.rsa_modexpo = NULL,
1411 	.rsa_modexpo_crt = NULL,
1412 	.send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb,
1413 };
1414 
zcrypt_msgtype6_init(void)1415 void __init zcrypt_msgtype6_init(void)
1416 {
1417 	zcrypt_msgtype_register(&zcrypt_msgtype6_norng_ops);
1418 	zcrypt_msgtype_register(&zcrypt_msgtype6_ops);
1419 	zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops);
1420 }
1421 
zcrypt_msgtype6_exit(void)1422 void __exit zcrypt_msgtype6_exit(void)
1423 {
1424 	zcrypt_msgtype_unregister(&zcrypt_msgtype6_norng_ops);
1425 	zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops);
1426 	zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops);
1427 }
1428