1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright IBM Corp. 2001, 2022
4 * Author(s): Robert Burroughs
5 * Eric Rossman (edrossma@us.ibm.com)
6 *
7 * Hotplug & misc device support: Jochen Roehrig (roehrig@de.ibm.com)
8 * Major cleanup & driver split: Martin Schwidefsky <schwidefsky@de.ibm.com>
9 * Ralph Wuerthner <rwuerthn@de.ibm.com>
10 * MSGTYPE restruct: Holger Dengler <hd@linux.vnet.ibm.com>
11 */
12
13 #define KMSG_COMPONENT "zcrypt"
14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
15
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/err.h>
19 #include <linux/delay.h>
20 #include <linux/slab.h>
21 #include <linux/atomic.h>
22 #include <linux/uaccess.h>
23
24 #include "ap_bus.h"
25 #include "zcrypt_api.h"
26 #include "zcrypt_error.h"
27 #include "zcrypt_msgtype6.h"
28 #include "zcrypt_cca_key.h"
29
30 #define CEXXC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */
31
32 #define CEIL4(x) ((((x) + 3) / 4) * 4)
33
34 struct response_type {
35 struct completion work;
36 int type;
37 };
38
39 #define CEXXC_RESPONSE_TYPE_ICA 0
40 #define CEXXC_RESPONSE_TYPE_XCRB 1
41 #define CEXXC_RESPONSE_TYPE_EP11 2
42
43 MODULE_AUTHOR("IBM Corporation");
44 MODULE_DESCRIPTION("Cryptographic Coprocessor (message type 6), " \
45 "Copyright IBM Corp. 2001, 2012");
46 MODULE_LICENSE("GPL");
47
48 struct function_and_rules_block {
49 unsigned char function_code[2];
50 unsigned short ulen;
51 unsigned char only_rule[8];
52 } __packed;
53
54 /*
55 * The following is used to initialize the CPRBX passed to the CEXxC/CEXxP
56 * card in a type6 message. The 3 fields that must be filled in at execution
57 * time are req_parml, rpl_parml and usage_domain.
58 * Everything about this interface is ascii/big-endian, since the
59 * device does *not* have 'Intel inside'.
60 *
61 * The CPRBX is followed immediately by the parm block.
62 * The parm block contains:
63 * - function code ('PD' 0x5044 or 'PK' 0x504B)
64 * - rule block (one of:)
65 * + 0x000A 'PKCS-1.2' (MCL2 'PD')
66 * + 0x000A 'ZERO-PAD' (MCL2 'PK')
67 * + 0x000A 'ZERO-PAD' (MCL3 'PD' or CEX2C 'PD')
68 * + 0x000A 'MRP ' (MCL3 'PK' or CEX2C 'PK')
69 * - VUD block
70 */
71 static const struct CPRBX static_cprbx = {
72 .cprb_len = 0x00DC,
73 .cprb_ver_id = 0x02,
74 .func_id = {0x54, 0x32},
75 };
76
speed_idx_cca(int req_type)77 int speed_idx_cca(int req_type)
78 {
79 switch (req_type) {
80 case 0x4142:
81 case 0x4149:
82 case 0x414D:
83 case 0x4341:
84 case 0x4344:
85 case 0x4354:
86 case 0x4358:
87 case 0x444B:
88 case 0x4558:
89 case 0x4643:
90 case 0x4651:
91 case 0x4C47:
92 case 0x4C4B:
93 case 0x4C51:
94 case 0x4F48:
95 case 0x504F:
96 case 0x5053:
97 case 0x5058:
98 case 0x5343:
99 case 0x5344:
100 case 0x5345:
101 case 0x5350:
102 return LOW;
103 case 0x414B:
104 case 0x4345:
105 case 0x4349:
106 case 0x434D:
107 case 0x4847:
108 case 0x4849:
109 case 0x484D:
110 case 0x4850:
111 case 0x4851:
112 case 0x4954:
113 case 0x4958:
114 case 0x4B43:
115 case 0x4B44:
116 case 0x4B45:
117 case 0x4B47:
118 case 0x4B48:
119 case 0x4B49:
120 case 0x4B4E:
121 case 0x4B50:
122 case 0x4B52:
123 case 0x4B54:
124 case 0x4B58:
125 case 0x4D50:
126 case 0x4D53:
127 case 0x4D56:
128 case 0x4D58:
129 case 0x5044:
130 case 0x5045:
131 case 0x5046:
132 case 0x5047:
133 case 0x5049:
134 case 0x504B:
135 case 0x504D:
136 case 0x5254:
137 case 0x5347:
138 case 0x5349:
139 case 0x534B:
140 case 0x534D:
141 case 0x5356:
142 case 0x5358:
143 case 0x5443:
144 case 0x544B:
145 case 0x5647:
146 return HIGH;
147 default:
148 return MEDIUM;
149 }
150 }
151
speed_idx_ep11(int req_type)152 int speed_idx_ep11(int req_type)
153 {
154 switch (req_type) {
155 case 1:
156 case 2:
157 case 36:
158 case 37:
159 case 38:
160 case 39:
161 case 40:
162 return LOW;
163 case 17:
164 case 18:
165 case 19:
166 case 20:
167 case 21:
168 case 22:
169 case 26:
170 case 30:
171 case 31:
172 case 32:
173 case 33:
174 case 34:
175 case 35:
176 return HIGH;
177 default:
178 return MEDIUM;
179 }
180 }
181
182 /*
183 * Convert a ICAMEX message to a type6 MEX message.
184 *
185 * @zq: crypto device pointer
186 * @ap_msg: pointer to AP message
187 * @mex: pointer to user input data
188 *
189 * Returns 0 on success or negative errno value.
190 */
icamex_msg_to_type6mex_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo * mex)191 static int icamex_msg_to_type6mex_msgx(struct zcrypt_queue *zq,
192 struct ap_message *ap_msg,
193 struct ica_rsa_modexpo *mex)
194 {
195 static struct type6_hdr static_type6_hdrX = {
196 .type = 0x06,
197 .offset1 = 0x00000058,
198 .agent_id = {'C', 'A',},
199 .function_code = {'P', 'K'},
200 };
201 static struct function_and_rules_block static_pke_fnr = {
202 .function_code = {'P', 'K'},
203 .ulen = 10,
204 .only_rule = {'M', 'R', 'P', ' ', ' ', ' ', ' ', ' '}
205 };
206 struct {
207 struct type6_hdr hdr;
208 struct CPRBX cprbx;
209 struct function_and_rules_block fr;
210 unsigned short length;
211 char text[0];
212 } __packed * msg = ap_msg->msg;
213 int size;
214
215 /*
216 * The inputdatalength was a selection criteria in the dispatching
217 * function zcrypt_rsa_modexpo(). However, make sure the following
218 * copy_from_user() never exceeds the allocated buffer space.
219 */
220 if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
221 return -EINVAL;
222
223 /* VUD.ciphertext */
224 msg->length = mex->inputdatalength + 2;
225 if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
226 return -EFAULT;
227
228 /* Set up key which is located after the variable length text. */
229 size = zcrypt_type6_mex_key_en(mex, msg->text + mex->inputdatalength);
230 if (size < 0)
231 return size;
232 size += sizeof(*msg) + mex->inputdatalength;
233
234 /* message header, cprbx and f&r */
235 msg->hdr = static_type6_hdrX;
236 msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
237 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
238
239 msg->cprbx = static_cprbx;
240 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
241 msg->cprbx.rpl_msgbl = msg->hdr.fromcardlen1;
242
243 msg->fr = static_pke_fnr;
244
245 msg->cprbx.req_parml = size - sizeof(msg->hdr) - sizeof(msg->cprbx);
246
247 ap_msg->len = size;
248 return 0;
249 }
250
251 /*
252 * Convert a ICACRT message to a type6 CRT message.
253 *
254 * @zq: crypto device pointer
255 * @ap_msg: pointer to AP message
256 * @crt: pointer to user input data
257 *
258 * Returns 0 on success or negative errno value.
259 */
icacrt_msg_to_type6crt_msgx(struct zcrypt_queue * zq,struct ap_message * ap_msg,struct ica_rsa_modexpo_crt * crt)260 static int icacrt_msg_to_type6crt_msgx(struct zcrypt_queue *zq,
261 struct ap_message *ap_msg,
262 struct ica_rsa_modexpo_crt *crt)
263 {
264 static struct type6_hdr static_type6_hdrX = {
265 .type = 0x06,
266 .offset1 = 0x00000058,
267 .agent_id = {'C', 'A',},
268 .function_code = {'P', 'D'},
269 };
270 static struct function_and_rules_block static_pkd_fnr = {
271 .function_code = {'P', 'D'},
272 .ulen = 10,
273 .only_rule = {'Z', 'E', 'R', 'O', '-', 'P', 'A', 'D'}
274 };
275
276 struct {
277 struct type6_hdr hdr;
278 struct CPRBX cprbx;
279 struct function_and_rules_block fr;
280 unsigned short length;
281 char text[0];
282 } __packed * msg = ap_msg->msg;
283 int size;
284
285 /*
286 * The inputdatalength was a selection criteria in the dispatching
287 * function zcrypt_rsa_crt(). However, make sure the following
288 * copy_from_user() never exceeds the allocated buffer space.
289 */
290 if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
291 return -EINVAL;
292
293 /* VUD.ciphertext */
294 msg->length = crt->inputdatalength + 2;
295 if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))
296 return -EFAULT;
297
298 /* Set up key which is located after the variable length text. */
299 size = zcrypt_type6_crt_key(crt, msg->text + crt->inputdatalength);
300 if (size < 0)
301 return size;
302 size += sizeof(*msg) + crt->inputdatalength; /* total size of msg */
303
304 /* message header, cprbx and f&r */
305 msg->hdr = static_type6_hdrX;
306 msg->hdr.tocardlen1 = size - sizeof(msg->hdr);
307 msg->hdr.fromcardlen1 = CEXXC_MAX_ICA_RESPONSE_SIZE - sizeof(msg->hdr);
308
309 msg->cprbx = static_cprbx;
310 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
311 msg->cprbx.req_parml = msg->cprbx.rpl_msgbl =
312 size - sizeof(msg->hdr) - sizeof(msg->cprbx);
313
314 msg->fr = static_pkd_fnr;
315
316 ap_msg->len = size;
317 return 0;
318 }
319
320 /*
321 * Convert a XCRB message to a type6 CPRB message.
322 *
323 * @zq: crypto device pointer
324 * @ap_msg: pointer to AP message
325 * @xcRB: pointer to user input data
326 *
327 * Returns 0 on success or -EFAULT, -EINVAL.
328 */
329 struct type86_fmt2_msg {
330 struct type86_hdr hdr;
331 struct type86_fmt2_ext fmt2;
332 } __packed;
333
xcrb_msg_to_type6cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ica_xcRB * xcrb,unsigned int * fcode,unsigned short ** dom)334 static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg,
335 struct ica_xcRB *xcrb,
336 unsigned int *fcode,
337 unsigned short **dom)
338 {
339 static struct type6_hdr static_type6_hdrX = {
340 .type = 0x06,
341 .offset1 = 0x00000058,
342 };
343 struct {
344 struct type6_hdr hdr;
345 union {
346 struct CPRBX cprbx;
347 DECLARE_FLEX_ARRAY(u8, userdata);
348 };
349 } __packed * msg = ap_msg->msg;
350
351 int rcblen = CEIL4(xcrb->request_control_blk_length);
352 int req_sumlen, resp_sumlen;
353 char *req_data = ap_msg->msg + sizeof(struct type6_hdr) + rcblen;
354 char *function_code;
355
356 if (CEIL4(xcrb->request_control_blk_length) <
357 xcrb->request_control_blk_length)
358 return -EINVAL; /* overflow after alignment*/
359
360 /* length checks */
361 ap_msg->len = sizeof(struct type6_hdr) +
362 CEIL4(xcrb->request_control_blk_length) +
363 xcrb->request_data_length;
364 if (ap_msg->len > ap_msg->bufsize)
365 return -EINVAL;
366
367 /*
368 * Overflow check
369 * sum must be greater (or equal) than the largest operand
370 */
371 req_sumlen = CEIL4(xcrb->request_control_blk_length) +
372 xcrb->request_data_length;
373 if ((CEIL4(xcrb->request_control_blk_length) <=
374 xcrb->request_data_length) ?
375 req_sumlen < xcrb->request_data_length :
376 req_sumlen < CEIL4(xcrb->request_control_blk_length)) {
377 return -EINVAL;
378 }
379
380 if (CEIL4(xcrb->reply_control_blk_length) <
381 xcrb->reply_control_blk_length)
382 return -EINVAL; /* overflow after alignment*/
383
384 /*
385 * Overflow check
386 * sum must be greater (or equal) than the largest operand
387 */
388 resp_sumlen = CEIL4(xcrb->reply_control_blk_length) +
389 xcrb->reply_data_length;
390 if ((CEIL4(xcrb->reply_control_blk_length) <=
391 xcrb->reply_data_length) ?
392 resp_sumlen < xcrb->reply_data_length :
393 resp_sumlen < CEIL4(xcrb->reply_control_blk_length)) {
394 return -EINVAL;
395 }
396
397 /* prepare type6 header */
398 msg->hdr = static_type6_hdrX;
399 memcpy(msg->hdr.agent_id, &xcrb->agent_ID, sizeof(xcrb->agent_ID));
400 msg->hdr.tocardlen1 = xcrb->request_control_blk_length;
401 if (xcrb->request_data_length) {
402 msg->hdr.offset2 = msg->hdr.offset1 + rcblen;
403 msg->hdr.tocardlen2 = xcrb->request_data_length;
404 }
405 msg->hdr.fromcardlen1 = xcrb->reply_control_blk_length;
406 msg->hdr.fromcardlen2 = xcrb->reply_data_length;
407
408 /* prepare CPRB */
409 if (z_copy_from_user(userspace, msg->userdata,
410 xcrb->request_control_blk_addr,
411 xcrb->request_control_blk_length))
412 return -EFAULT;
413 if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) >
414 xcrb->request_control_blk_length)
415 return -EINVAL;
416 function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len;
417 memcpy(msg->hdr.function_code, function_code,
418 sizeof(msg->hdr.function_code));
419
420 *fcode = (msg->hdr.function_code[0] << 8) | msg->hdr.function_code[1];
421 *dom = (unsigned short *)&msg->cprbx.domain;
422
423 /* check subfunction, US and AU need special flag with NQAP */
424 if (memcmp(function_code, "US", 2) == 0 ||
425 memcmp(function_code, "AU", 2) == 0)
426 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
427
428 #ifdef CONFIG_ZCRYPT_DEBUG
429 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
430 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
431 #endif
432
433 /* check CPRB minor version, set info bits in ap_message flag field */
434 switch (*(unsigned short *)(&msg->cprbx.func_id[0])) {
435 case 0x5432: /* "T2" */
436 ap_msg->flags |= AP_MSG_FLAG_USAGE;
437 break;
438 case 0x5433: /* "T3" */
439 case 0x5435: /* "T5" */
440 case 0x5436: /* "T6" */
441 case 0x5437: /* "T7" */
442 ap_msg->flags |= AP_MSG_FLAG_ADMIN;
443 break;
444 default:
445 ZCRYPT_DBF_DBG("%s unknown CPRB minor version '%c%c'\n",
446 __func__, msg->cprbx.func_id[0],
447 msg->cprbx.func_id[1]);
448 }
449
450 /* copy data block */
451 if (xcrb->request_data_length &&
452 z_copy_from_user(userspace, req_data, xcrb->request_data_address,
453 xcrb->request_data_length))
454 return -EFAULT;
455
456 return 0;
457 }
458
xcrb_msg_to_type6_ep11cprb_msgx(bool userspace,struct ap_message * ap_msg,struct ep11_urb * xcrb,unsigned int * fcode,unsigned int * domain)459 static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap_msg,
460 struct ep11_urb *xcrb,
461 unsigned int *fcode,
462 unsigned int *domain)
463 {
464 unsigned int lfmt;
465 static struct type6_hdr static_type6_ep11_hdr = {
466 .type = 0x06,
467 .rqid = {0x00, 0x01},
468 .function_code = {0x00, 0x00},
469 .agent_id[0] = 0x58, /* {'X'} */
470 .agent_id[1] = 0x43, /* {'C'} */
471 .offset1 = 0x00000058,
472 };
473
474 struct {
475 struct type6_hdr hdr;
476 union {
477 struct {
478 struct ep11_cprb cprbx;
479 unsigned char pld_tag; /* fixed value 0x30 */
480 unsigned char pld_lenfmt; /* length format */
481 } __packed;
482 DECLARE_FLEX_ARRAY(u8, userdata);
483 };
484 } __packed * msg = ap_msg->msg;
485
486 struct pld_hdr {
487 unsigned char func_tag; /* fixed value 0x4 */
488 unsigned char func_len; /* fixed value 0x4 */
489 unsigned int func_val; /* function ID */
490 unsigned char dom_tag; /* fixed value 0x4 */
491 unsigned char dom_len; /* fixed value 0x4 */
492 unsigned int dom_val; /* domain id */
493 } __packed * payload_hdr = NULL;
494
495 if (CEIL4(xcrb->req_len) < xcrb->req_len)
496 return -EINVAL; /* overflow after alignment*/
497
498 /* length checks */
499 ap_msg->len = sizeof(struct type6_hdr) + CEIL4(xcrb->req_len);
500 if (ap_msg->len > ap_msg->bufsize)
501 return -EINVAL;
502
503 if (CEIL4(xcrb->resp_len) < xcrb->resp_len)
504 return -EINVAL; /* overflow after alignment*/
505
506 /* prepare type6 header */
507 msg->hdr = static_type6_ep11_hdr;
508 msg->hdr.tocardlen1 = xcrb->req_len;
509 msg->hdr.fromcardlen1 = xcrb->resp_len;
510
511 /* Import CPRB data from the ioctl input parameter */
512 if (z_copy_from_user(userspace, msg->userdata,
513 (char __force __user *)xcrb->req, xcrb->req_len)) {
514 return -EFAULT;
515 }
516
517 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
518 switch (msg->pld_lenfmt & 0x03) {
519 case 1:
520 lfmt = 2;
521 break;
522 case 2:
523 lfmt = 3;
524 break;
525 default:
526 return -EINVAL;
527 }
528 } else {
529 lfmt = 1; /* length format #1 */
530 }
531 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
532 *fcode = payload_hdr->func_val & 0xFFFF;
533
534 /* enable special processing based on the cprbs flags special bit */
535 if (msg->cprbx.flags & 0x20)
536 ap_msg->flags |= AP_MSG_FLAG_SPECIAL;
537
538 #ifdef CONFIG_ZCRYPT_DEBUG
539 if (ap_msg->fi.flags & AP_FI_FLAG_TOGGLE_SPECIAL)
540 ap_msg->flags ^= AP_MSG_FLAG_SPECIAL;
541 #endif
542
543 /* set info bits in ap_message flag field */
544 if (msg->cprbx.flags & 0x80)
545 ap_msg->flags |= AP_MSG_FLAG_ADMIN;
546 else
547 ap_msg->flags |= AP_MSG_FLAG_USAGE;
548
549 *domain = msg->cprbx.target_id;
550
551 return 0;
552 }
553
554 /*
555 * Copy results from a type 86 ICA reply message back to user space.
556 *
557 * @zq: crypto device pointer
558 * @reply: reply AP message.
559 * @data: pointer to user output data
560 * @length: size of user output data
561 *
562 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
563 */
564 struct type86x_reply {
565 struct type86_hdr hdr;
566 struct type86_fmt2_ext fmt2;
567 struct CPRBX cprbx;
568 unsigned char pad[4]; /* 4 byte function code/rules block ? */
569 unsigned short length;
570 char text[];
571 } __packed;
572
573 struct type86_ep11_reply {
574 struct type86_hdr hdr;
575 struct type86_fmt2_ext fmt2;
576 struct ep11_cprb cprbx;
577 } __packed;
578
convert_type86_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)579 static int convert_type86_ica(struct zcrypt_queue *zq,
580 struct ap_message *reply,
581 char __user *outputdata,
582 unsigned int outputdatalength)
583 {
584 static unsigned char static_pad[] = {
585 0x00, 0x02,
586 0x1B, 0x7B, 0x5D, 0xB5, 0x75, 0x01, 0x3D, 0xFD,
587 0x8D, 0xD1, 0xC7, 0x03, 0x2D, 0x09, 0x23, 0x57,
588 0x89, 0x49, 0xB9, 0x3F, 0xBB, 0x99, 0x41, 0x5B,
589 0x75, 0x21, 0x7B, 0x9D, 0x3B, 0x6B, 0x51, 0x39,
590 0xBB, 0x0D, 0x35, 0xB9, 0x89, 0x0F, 0x93, 0xA5,
591 0x0B, 0x47, 0xF1, 0xD3, 0xBB, 0xCB, 0xF1, 0x9D,
592 0x23, 0x73, 0x71, 0xFF, 0xF3, 0xF5, 0x45, 0xFB,
593 0x61, 0x29, 0x23, 0xFD, 0xF1, 0x29, 0x3F, 0x7F,
594 0x17, 0xB7, 0x1B, 0xA9, 0x19, 0xBD, 0x57, 0xA9,
595 0xD7, 0x95, 0xA3, 0xCB, 0xED, 0x1D, 0xDB, 0x45,
596 0x7D, 0x11, 0xD1, 0x51, 0x1B, 0xED, 0x71, 0xE9,
597 0xB1, 0xD1, 0xAB, 0xAB, 0x21, 0x2B, 0x1B, 0x9F,
598 0x3B, 0x9F, 0xF7, 0xF7, 0xBD, 0x63, 0xEB, 0xAD,
599 0xDF, 0xB3, 0x6F, 0x5B, 0xDB, 0x8D, 0xA9, 0x5D,
600 0xE3, 0x7D, 0x77, 0x49, 0x47, 0xF5, 0xA7, 0xFD,
601 0xAB, 0x2F, 0x27, 0x35, 0x77, 0xD3, 0x49, 0xC9,
602 0x09, 0xEB, 0xB1, 0xF9, 0xBF, 0x4B, 0xCB, 0x2B,
603 0xEB, 0xEB, 0x05, 0xFF, 0x7D, 0xC7, 0x91, 0x8B,
604 0x09, 0x83, 0xB9, 0xB9, 0x69, 0x33, 0x39, 0x6B,
605 0x79, 0x75, 0x19, 0xBF, 0xBB, 0x07, 0x1D, 0xBD,
606 0x29, 0xBF, 0x39, 0x95, 0x93, 0x1D, 0x35, 0xC7,
607 0xC9, 0x4D, 0xE5, 0x97, 0x0B, 0x43, 0x9B, 0xF1,
608 0x16, 0x93, 0x03, 0x1F, 0xA5, 0xFB, 0xDB, 0xF3,
609 0x27, 0x4F, 0x27, 0x61, 0x05, 0x1F, 0xB9, 0x23,
610 0x2F, 0xC3, 0x81, 0xA9, 0x23, 0x71, 0x55, 0x55,
611 0xEB, 0xED, 0x41, 0xE5, 0xF3, 0x11, 0xF1, 0x43,
612 0x69, 0x03, 0xBD, 0x0B, 0x37, 0x0F, 0x51, 0x8F,
613 0x0B, 0xB5, 0x89, 0x5B, 0x67, 0xA9, 0xD9, 0x4F,
614 0x01, 0xF9, 0x21, 0x77, 0x37, 0x73, 0x79, 0xC5,
615 0x7F, 0x51, 0xC1, 0xCF, 0x97, 0xA1, 0x75, 0xAD,
616 0x35, 0x9D, 0xD3, 0xD3, 0xA7, 0x9D, 0x5D, 0x41,
617 0x6F, 0x65, 0x1B, 0xCF, 0xA9, 0x87, 0x91, 0x09
618 };
619 struct type86x_reply *msg = reply->msg;
620 unsigned short service_rc, service_rs;
621 unsigned int reply_len, pad_len;
622 char *data;
623
624 service_rc = msg->cprbx.ccp_rtcode;
625 if (unlikely(service_rc != 0)) {
626 service_rs = msg->cprbx.ccp_rscode;
627 if ((service_rc == 8 && service_rs == 66) ||
628 (service_rc == 8 && service_rs == 65) ||
629 (service_rc == 8 && service_rs == 72) ||
630 (service_rc == 8 && service_rs == 770) ||
631 (service_rc == 12 && service_rs == 769)) {
632 ZCRYPT_DBF_WARN("%s dev=%02x.%04x rc/rs=%d/%d => rc=EINVAL\n",
633 __func__, AP_QID_CARD(zq->queue->qid),
634 AP_QID_QUEUE(zq->queue->qid),
635 (int)service_rc, (int)service_rs);
636 return -EINVAL;
637 }
638 zq->online = 0;
639 pr_err("Crypto dev=%02x.%04x rc/rs=%d/%d online=0 rc=EAGAIN\n",
640 AP_QID_CARD(zq->queue->qid),
641 AP_QID_QUEUE(zq->queue->qid),
642 (int)service_rc, (int)service_rs);
643 ZCRYPT_DBF_ERR("%s dev=%02x.%04x rc/rs=%d/%d => online=0 rc=EAGAIN\n",
644 __func__, AP_QID_CARD(zq->queue->qid),
645 AP_QID_QUEUE(zq->queue->qid),
646 (int)service_rc, (int)service_rs);
647 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
648 return -EAGAIN;
649 }
650 data = msg->text;
651 reply_len = msg->length - 2;
652 if (reply_len > outputdatalength)
653 return -EINVAL;
654 /*
655 * For all encipher requests, the length of the ciphertext (reply_len)
656 * will always equal the modulus length. For MEX decipher requests
657 * the output needs to get padded. Minimum pad size is 10.
658 *
659 * Currently, the cases where padding will be added is for:
660 * - PCIXCC_MCL2 using a CRT form token (since PKD didn't support
661 * ZERO-PAD and CRT is only supported for PKD requests)
662 * - PCICC, always
663 */
664 pad_len = outputdatalength - reply_len;
665 if (pad_len > 0) {
666 if (pad_len < 10)
667 return -EINVAL;
668 /* 'restore' padding left in the CEXXC card. */
669 if (copy_to_user(outputdata, static_pad, pad_len - 1))
670 return -EFAULT;
671 if (put_user(0, outputdata + pad_len - 1))
672 return -EFAULT;
673 }
674 /* Copy the crypto response to user space. */
675 if (copy_to_user(outputdata + pad_len, data, reply_len))
676 return -EFAULT;
677 return 0;
678 }
679
680 /*
681 * Copy results from a type 86 XCRB reply message back to user space.
682 *
683 * @zq: crypto device pointer
684 * @reply: reply AP message.
685 * @xcrb: pointer to XCRB
686 *
687 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
688 */
convert_type86_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)689 static int convert_type86_xcrb(bool userspace, struct zcrypt_queue *zq,
690 struct ap_message *reply,
691 struct ica_xcRB *xcrb)
692 {
693 struct type86_fmt2_msg *msg = reply->msg;
694 char *data = reply->msg;
695
696 /* Copy CPRB to user */
697 if (xcrb->reply_control_blk_length < msg->fmt2.count1) {
698 ZCRYPT_DBF_DBG("%s reply_control_blk_length %u < required %u => EMSGSIZE\n",
699 __func__, xcrb->reply_control_blk_length,
700 msg->fmt2.count1);
701 return -EMSGSIZE;
702 }
703 if (z_copy_to_user(userspace, xcrb->reply_control_blk_addr,
704 data + msg->fmt2.offset1, msg->fmt2.count1))
705 return -EFAULT;
706 xcrb->reply_control_blk_length = msg->fmt2.count1;
707
708 /* Copy data buffer to user */
709 if (msg->fmt2.count2) {
710 if (xcrb->reply_data_length < msg->fmt2.count2) {
711 ZCRYPT_DBF_DBG("%s reply_data_length %u < required %u => EMSGSIZE\n",
712 __func__, xcrb->reply_data_length,
713 msg->fmt2.count2);
714 return -EMSGSIZE;
715 }
716 if (z_copy_to_user(userspace, xcrb->reply_data_addr,
717 data + msg->fmt2.offset2, msg->fmt2.count2))
718 return -EFAULT;
719 }
720 xcrb->reply_data_length = msg->fmt2.count2;
721
722 return 0;
723 }
724
725 /*
726 * Copy results from a type 86 EP11 XCRB reply message back to user space.
727 *
728 * @zq: crypto device pointer
729 * @reply: reply AP message.
730 * @xcrb: pointer to EP11 user request block
731 *
732 * Returns 0 on success or -EINVAL, -EFAULT, -EAGAIN in case of an error.
733 */
convert_type86_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)734 static int convert_type86_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
735 struct ap_message *reply,
736 struct ep11_urb *xcrb)
737 {
738 struct type86_fmt2_msg *msg = reply->msg;
739 char *data = reply->msg;
740
741 if (xcrb->resp_len < msg->fmt2.count1) {
742 ZCRYPT_DBF_DBG("%s resp_len %u < required %u => EMSGSIZE\n",
743 __func__, (unsigned int)xcrb->resp_len,
744 msg->fmt2.count1);
745 return -EMSGSIZE;
746 }
747
748 /* Copy response CPRB to user */
749 if (z_copy_to_user(userspace, (char __force __user *)xcrb->resp,
750 data + msg->fmt2.offset1, msg->fmt2.count1))
751 return -EFAULT;
752 xcrb->resp_len = msg->fmt2.count1;
753 return 0;
754 }
755
convert_type86_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * buffer)756 static int convert_type86_rng(struct zcrypt_queue *zq,
757 struct ap_message *reply,
758 char *buffer)
759 {
760 struct {
761 struct type86_hdr hdr;
762 struct type86_fmt2_ext fmt2;
763 struct CPRBX cprbx;
764 } __packed * msg = reply->msg;
765 char *data = reply->msg;
766
767 if (msg->cprbx.ccp_rtcode != 0 || msg->cprbx.ccp_rscode != 0)
768 return -EINVAL;
769 memcpy(buffer, data + msg->fmt2.offset2, msg->fmt2.count2);
770 return msg->fmt2.count2;
771 }
772
convert_response_ica(struct zcrypt_queue * zq,struct ap_message * reply,char __user * outputdata,unsigned int outputdatalength)773 static int convert_response_ica(struct zcrypt_queue *zq,
774 struct ap_message *reply,
775 char __user *outputdata,
776 unsigned int outputdatalength)
777 {
778 struct type86x_reply *msg = reply->msg;
779
780 switch (msg->hdr.type) {
781 case TYPE82_RSP_CODE:
782 case TYPE88_RSP_CODE:
783 return convert_error(zq, reply);
784 case TYPE86_RSP_CODE:
785 if (msg->cprbx.ccp_rtcode &&
786 msg->cprbx.ccp_rscode == 0x14f &&
787 outputdatalength > 256) {
788 if (zq->zcard->max_exp_bit_length <= 17) {
789 zq->zcard->max_exp_bit_length = 17;
790 return -EAGAIN;
791 } else {
792 return -EINVAL;
793 }
794 }
795 if (msg->hdr.reply_code)
796 return convert_error(zq, reply);
797 if (msg->cprbx.cprb_ver_id == 0x02)
798 return convert_type86_ica(zq, reply,
799 outputdata, outputdatalength);
800 fallthrough; /* wrong cprb version is an unknown response */
801 default:
802 /* Unknown response type, this should NEVER EVER happen */
803 zq->online = 0;
804 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
805 AP_QID_CARD(zq->queue->qid),
806 AP_QID_QUEUE(zq->queue->qid),
807 (int)msg->hdr.type);
808 ZCRYPT_DBF_ERR(
809 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
810 __func__, AP_QID_CARD(zq->queue->qid),
811 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
812 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
813 return -EAGAIN;
814 }
815 }
816
convert_response_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ica_xcRB * xcrb)817 static int convert_response_xcrb(bool userspace, struct zcrypt_queue *zq,
818 struct ap_message *reply,
819 struct ica_xcRB *xcrb)
820 {
821 struct type86x_reply *msg = reply->msg;
822
823 switch (msg->hdr.type) {
824 case TYPE82_RSP_CODE:
825 case TYPE88_RSP_CODE:
826 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
827 return convert_error(zq, reply);
828 case TYPE86_RSP_CODE:
829 if (msg->hdr.reply_code) {
830 memcpy(&xcrb->status, msg->fmt2.apfs, sizeof(u32));
831 return convert_error(zq, reply);
832 }
833 if (msg->cprbx.cprb_ver_id == 0x02)
834 return convert_type86_xcrb(userspace, zq, reply, xcrb);
835 fallthrough; /* wrong cprb version is an unknown response */
836 default: /* Unknown response type, this should NEVER EVER happen */
837 xcrb->status = 0x0008044DL; /* HDD_InvalidParm */
838 zq->online = 0;
839 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
840 AP_QID_CARD(zq->queue->qid),
841 AP_QID_QUEUE(zq->queue->qid),
842 (int)msg->hdr.type);
843 ZCRYPT_DBF_ERR(
844 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
845 __func__, AP_QID_CARD(zq->queue->qid),
846 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
847 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
848 return -EAGAIN;
849 }
850 }
851
convert_response_ep11_xcrb(bool userspace,struct zcrypt_queue * zq,struct ap_message * reply,struct ep11_urb * xcrb)852 static int convert_response_ep11_xcrb(bool userspace, struct zcrypt_queue *zq,
853 struct ap_message *reply, struct ep11_urb *xcrb)
854 {
855 struct type86_ep11_reply *msg = reply->msg;
856
857 switch (msg->hdr.type) {
858 case TYPE82_RSP_CODE:
859 case TYPE87_RSP_CODE:
860 return convert_error(zq, reply);
861 case TYPE86_RSP_CODE:
862 if (msg->hdr.reply_code)
863 return convert_error(zq, reply);
864 if (msg->cprbx.cprb_ver_id == 0x04)
865 return convert_type86_ep11_xcrb(userspace, zq, reply, xcrb);
866 fallthrough; /* wrong cprb version is an unknown resp */
867 default: /* Unknown response type, this should NEVER EVER happen */
868 zq->online = 0;
869 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
870 AP_QID_CARD(zq->queue->qid),
871 AP_QID_QUEUE(zq->queue->qid),
872 (int)msg->hdr.type);
873 ZCRYPT_DBF_ERR(
874 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
875 __func__, AP_QID_CARD(zq->queue->qid),
876 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
877 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
878 return -EAGAIN;
879 }
880 }
881
convert_response_rng(struct zcrypt_queue * zq,struct ap_message * reply,char * data)882 static int convert_response_rng(struct zcrypt_queue *zq,
883 struct ap_message *reply,
884 char *data)
885 {
886 struct type86x_reply *msg = reply->msg;
887
888 switch (msg->hdr.type) {
889 case TYPE82_RSP_CODE:
890 case TYPE88_RSP_CODE:
891 return -EINVAL;
892 case TYPE86_RSP_CODE:
893 if (msg->hdr.reply_code)
894 return -EINVAL;
895 if (msg->cprbx.cprb_ver_id == 0x02)
896 return convert_type86_rng(zq, reply, data);
897 fallthrough; /* wrong cprb version is an unknown response */
898 default: /* Unknown response type, this should NEVER EVER happen */
899 zq->online = 0;
900 pr_err("Crypto dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
901 AP_QID_CARD(zq->queue->qid),
902 AP_QID_QUEUE(zq->queue->qid),
903 (int)msg->hdr.type);
904 ZCRYPT_DBF_ERR(
905 "%s dev=%02x.%04x unknown response type 0x%02x => online=0 rc=EAGAIN\n",
906 __func__, AP_QID_CARD(zq->queue->qid),
907 AP_QID_QUEUE(zq->queue->qid), (int)msg->hdr.type);
908 ap_send_online_uevent(&zq->queue->ap_dev, zq->online);
909 return -EAGAIN;
910 }
911 }
912
913 /*
914 * This function is called from the AP bus code after a crypto request
915 * "msg" has finished with the reply message "reply".
916 * It is called from tasklet context.
917 * @aq: pointer to the AP queue
918 * @msg: pointer to the AP message
919 * @reply: pointer to the AP reply message
920 */
zcrypt_msgtype6_receive(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)921 static void zcrypt_msgtype6_receive(struct ap_queue *aq,
922 struct ap_message *msg,
923 struct ap_message *reply)
924 {
925 static struct error_hdr error_reply = {
926 .type = TYPE82_RSP_CODE,
927 .reply_code = REP82_ERROR_MACHINE_FAILURE,
928 };
929 struct response_type *resp_type =
930 (struct response_type *)msg->private;
931 struct type86x_reply *t86r;
932 int len;
933
934 /* Copy the reply message to the request message buffer. */
935 if (!reply)
936 goto out; /* ap_msg->rc indicates the error */
937 t86r = reply->msg;
938 if (t86r->hdr.type == TYPE86_RSP_CODE &&
939 t86r->cprbx.cprb_ver_id == 0x02) {
940 switch (resp_type->type) {
941 case CEXXC_RESPONSE_TYPE_ICA:
942 len = sizeof(struct type86x_reply) + t86r->length - 2;
943 if (len > reply->bufsize || len > msg->bufsize) {
944 msg->rc = -EMSGSIZE;
945 } else {
946 memcpy(msg->msg, reply->msg, len);
947 msg->len = len;
948 }
949 break;
950 case CEXXC_RESPONSE_TYPE_XCRB:
951 len = t86r->fmt2.offset2 + t86r->fmt2.count2;
952 if (len > reply->bufsize || len > msg->bufsize) {
953 msg->rc = -EMSGSIZE;
954 } else {
955 memcpy(msg->msg, reply->msg, len);
956 msg->len = len;
957 }
958 break;
959 default:
960 memcpy(msg->msg, &error_reply, sizeof(error_reply));
961 }
962 } else {
963 memcpy(msg->msg, reply->msg, sizeof(error_reply));
964 }
965 out:
966 complete(&resp_type->work);
967 }
968
969 /*
970 * This function is called from the AP bus code after a crypto request
971 * "msg" has finished with the reply message "reply".
972 * It is called from tasklet context.
973 * @aq: pointer to the AP queue
974 * @msg: pointer to the AP message
975 * @reply: pointer to the AP reply message
976 */
zcrypt_msgtype6_receive_ep11(struct ap_queue * aq,struct ap_message * msg,struct ap_message * reply)977 static void zcrypt_msgtype6_receive_ep11(struct ap_queue *aq,
978 struct ap_message *msg,
979 struct ap_message *reply)
980 {
981 static struct error_hdr error_reply = {
982 .type = TYPE82_RSP_CODE,
983 .reply_code = REP82_ERROR_MACHINE_FAILURE,
984 };
985 struct response_type *resp_type =
986 (struct response_type *)msg->private;
987 struct type86_ep11_reply *t86r;
988 int len;
989
990 /* Copy the reply message to the request message buffer. */
991 if (!reply)
992 goto out; /* ap_msg->rc indicates the error */
993 t86r = reply->msg;
994 if (t86r->hdr.type == TYPE86_RSP_CODE &&
995 t86r->cprbx.cprb_ver_id == 0x04) {
996 switch (resp_type->type) {
997 case CEXXC_RESPONSE_TYPE_EP11:
998 len = t86r->fmt2.offset1 + t86r->fmt2.count1;
999 if (len > reply->bufsize || len > msg->bufsize) {
1000 msg->rc = -EMSGSIZE;
1001 } else {
1002 memcpy(msg->msg, reply->msg, len);
1003 msg->len = len;
1004 }
1005 break;
1006 default:
1007 memcpy(msg->msg, &error_reply, sizeof(error_reply));
1008 }
1009 } else {
1010 memcpy(msg->msg, reply->msg, sizeof(error_reply));
1011 }
1012 out:
1013 complete(&resp_type->work);
1014 }
1015
1016 static atomic_t zcrypt_step = ATOMIC_INIT(0);
1017
1018 /*
1019 * The request distributor calls this function if it picked the CEXxC
1020 * device to handle a modexpo request.
1021 * @zq: pointer to zcrypt_queue structure that identifies the
1022 * CEXxC device to the request distributor
1023 * @mex: pointer to the modexpo request buffer
1024 */
zcrypt_msgtype6_modexpo(struct zcrypt_queue * zq,struct ica_rsa_modexpo * mex,struct ap_message * ap_msg)1025 static long zcrypt_msgtype6_modexpo(struct zcrypt_queue *zq,
1026 struct ica_rsa_modexpo *mex,
1027 struct ap_message *ap_msg)
1028 {
1029 struct response_type resp_type = {
1030 .type = CEXXC_RESPONSE_TYPE_ICA,
1031 };
1032 int rc;
1033
1034 ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1035 if (!ap_msg->msg)
1036 return -ENOMEM;
1037 ap_msg->bufsize = PAGE_SIZE;
1038 ap_msg->receive = zcrypt_msgtype6_receive;
1039 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1040 atomic_inc_return(&zcrypt_step);
1041 ap_msg->private = &resp_type;
1042 rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
1043 if (rc)
1044 goto out_free;
1045 init_completion(&resp_type.work);
1046 rc = ap_queue_message(zq->queue, ap_msg);
1047 if (rc)
1048 goto out_free;
1049 rc = wait_for_completion_interruptible(&resp_type.work);
1050 if (rc == 0) {
1051 rc = ap_msg->rc;
1052 if (rc == 0)
1053 rc = convert_response_ica(zq, ap_msg,
1054 mex->outputdata,
1055 mex->outputdatalength);
1056 } else {
1057 /* Signal pending. */
1058 ap_cancel_message(zq->queue, ap_msg);
1059 }
1060
1061 out_free:
1062 free_page((unsigned long)ap_msg->msg);
1063 ap_msg->private = NULL;
1064 ap_msg->msg = NULL;
1065 return rc;
1066 }
1067
1068 /*
1069 * The request distributor calls this function if it picked the CEXxC
1070 * device to handle a modexpo_crt request.
1071 * @zq: pointer to zcrypt_queue structure that identifies the
1072 * CEXxC device to the request distributor
1073 * @crt: pointer to the modexpoc_crt request buffer
1074 */
zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue * zq,struct ica_rsa_modexpo_crt * crt,struct ap_message * ap_msg)1075 static long zcrypt_msgtype6_modexpo_crt(struct zcrypt_queue *zq,
1076 struct ica_rsa_modexpo_crt *crt,
1077 struct ap_message *ap_msg)
1078 {
1079 struct response_type resp_type = {
1080 .type = CEXXC_RESPONSE_TYPE_ICA,
1081 };
1082 int rc;
1083
1084 ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
1085 if (!ap_msg->msg)
1086 return -ENOMEM;
1087 ap_msg->bufsize = PAGE_SIZE;
1088 ap_msg->receive = zcrypt_msgtype6_receive;
1089 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1090 atomic_inc_return(&zcrypt_step);
1091 ap_msg->private = &resp_type;
1092 rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
1093 if (rc)
1094 goto out_free;
1095 init_completion(&resp_type.work);
1096 rc = ap_queue_message(zq->queue, ap_msg);
1097 if (rc)
1098 goto out_free;
1099 rc = wait_for_completion_interruptible(&resp_type.work);
1100 if (rc == 0) {
1101 rc = ap_msg->rc;
1102 if (rc == 0)
1103 rc = convert_response_ica(zq, ap_msg,
1104 crt->outputdata,
1105 crt->outputdatalength);
1106 } else {
1107 /* Signal pending. */
1108 ap_cancel_message(zq->queue, ap_msg);
1109 }
1110
1111 out_free:
1112 free_page((unsigned long)ap_msg->msg);
1113 ap_msg->private = NULL;
1114 ap_msg->msg = NULL;
1115 return rc;
1116 }
1117
1118 /*
1119 * Prepare a CCA AP msg request.
1120 * Prepare a CCA AP msg: fetch the required data from userspace,
1121 * prepare the AP msg, fill some info into the ap_message struct,
1122 * extract some data from the CPRB and give back to the caller.
1123 * This function allocates memory and needs an ap_msg prepared
1124 * by the caller with ap_init_message(). Also the caller has to
1125 * make sure ap_release_message() is always called even on failure.
1126 */
prep_cca_ap_msg(bool userspace,struct ica_xcRB * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned short ** dom)1127 int prep_cca_ap_msg(bool userspace, struct ica_xcRB *xcrb,
1128 struct ap_message *ap_msg,
1129 unsigned int *func_code, unsigned short **dom)
1130 {
1131 struct response_type resp_type = {
1132 .type = CEXXC_RESPONSE_TYPE_XCRB,
1133 };
1134
1135 ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1136 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1137 if (!ap_msg->msg)
1138 return -ENOMEM;
1139 ap_msg->receive = zcrypt_msgtype6_receive;
1140 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1141 atomic_inc_return(&zcrypt_step);
1142 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1143 if (!ap_msg->private)
1144 return -ENOMEM;
1145 return xcrb_msg_to_type6cprb_msgx(userspace, ap_msg, xcrb, func_code, dom);
1146 }
1147
1148 /*
1149 * The request distributor calls this function if it picked the CEXxC
1150 * device to handle a send_cprb request.
1151 * @zq: pointer to zcrypt_queue structure that identifies the
1152 * CEXxC device to the request distributor
1153 * @xcrb: pointer to the send_cprb request buffer
1154 */
zcrypt_msgtype6_send_cprb(bool userspace,struct zcrypt_queue * zq,struct ica_xcRB * xcrb,struct ap_message * ap_msg)1155 static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
1156 struct ica_xcRB *xcrb,
1157 struct ap_message *ap_msg)
1158 {
1159 int rc;
1160 struct response_type *rtype = (struct response_type *)(ap_msg->private);
1161 struct {
1162 struct type6_hdr hdr;
1163 struct CPRBX cprbx;
1164 /* ... more data blocks ... */
1165 } __packed * msg = ap_msg->msg;
1166
1167 /*
1168 * Set the queue's reply buffer length minus 128 byte padding
1169 * as reply limit for the card firmware.
1170 */
1171 msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1,
1172 zq->reply.bufsize - 128);
1173 if (msg->hdr.fromcardlen2)
1174 msg->hdr.fromcardlen2 =
1175 zq->reply.bufsize - msg->hdr.fromcardlen1 - 128;
1176
1177 init_completion(&rtype->work);
1178 rc = ap_queue_message(zq->queue, ap_msg);
1179 if (rc)
1180 goto out;
1181 rc = wait_for_completion_interruptible(&rtype->work);
1182 if (rc == 0) {
1183 rc = ap_msg->rc;
1184 if (rc == 0)
1185 rc = convert_response_xcrb(userspace, zq, ap_msg, xcrb);
1186 } else {
1187 /* Signal pending. */
1188 ap_cancel_message(zq->queue, ap_msg);
1189 }
1190
1191 out:
1192 if (rc)
1193 ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n",
1194 __func__, AP_QID_CARD(zq->queue->qid),
1195 AP_QID_QUEUE(zq->queue->qid), rc);
1196 return rc;
1197 }
1198
1199 /*
1200 * Prepare an EP11 AP msg request.
1201 * Prepare an EP11 AP msg: fetch the required data from userspace,
1202 * prepare the AP msg, fill some info into the ap_message struct,
1203 * extract some data from the CPRB and give back to the caller.
1204 * This function allocates memory and needs an ap_msg prepared
1205 * by the caller with ap_init_message(). Also the caller has to
1206 * make sure ap_release_message() is always called even on failure.
1207 */
prep_ep11_ap_msg(bool userspace,struct ep11_urb * xcrb,struct ap_message * ap_msg,unsigned int * func_code,unsigned int * domain)1208 int prep_ep11_ap_msg(bool userspace, struct ep11_urb *xcrb,
1209 struct ap_message *ap_msg,
1210 unsigned int *func_code, unsigned int *domain)
1211 {
1212 struct response_type resp_type = {
1213 .type = CEXXC_RESPONSE_TYPE_EP11,
1214 };
1215
1216 ap_msg->bufsize = atomic_read(&ap_max_msg_size);
1217 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1218 if (!ap_msg->msg)
1219 return -ENOMEM;
1220 ap_msg->receive = zcrypt_msgtype6_receive_ep11;
1221 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1222 atomic_inc_return(&zcrypt_step);
1223 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1224 if (!ap_msg->private)
1225 return -ENOMEM;
1226 return xcrb_msg_to_type6_ep11cprb_msgx(userspace, ap_msg, xcrb,
1227 func_code, domain);
1228 }
1229
1230 /*
1231 * The request distributor calls this function if it picked the CEX4P
1232 * device to handle a send_ep11_cprb request.
1233 * @zq: pointer to zcrypt_queue structure that identifies the
1234 * CEX4P device to the request distributor
1235 * @xcrb: pointer to the ep11 user request block
1236 */
zcrypt_msgtype6_send_ep11_cprb(bool userspace,struct zcrypt_queue * zq,struct ep11_urb * xcrb,struct ap_message * ap_msg)1237 static long zcrypt_msgtype6_send_ep11_cprb(bool userspace, struct zcrypt_queue *zq,
1238 struct ep11_urb *xcrb,
1239 struct ap_message *ap_msg)
1240 {
1241 int rc;
1242 unsigned int lfmt;
1243 struct response_type *rtype = (struct response_type *)(ap_msg->private);
1244 struct {
1245 struct type6_hdr hdr;
1246 struct ep11_cprb cprbx;
1247 unsigned char pld_tag; /* fixed value 0x30 */
1248 unsigned char pld_lenfmt; /* payload length format */
1249 } __packed * msg = ap_msg->msg;
1250 struct pld_hdr {
1251 unsigned char func_tag; /* fixed value 0x4 */
1252 unsigned char func_len; /* fixed value 0x4 */
1253 unsigned int func_val; /* function ID */
1254 unsigned char dom_tag; /* fixed value 0x4 */
1255 unsigned char dom_len; /* fixed value 0x4 */
1256 unsigned int dom_val; /* domain id */
1257 } __packed * payload_hdr = NULL;
1258
1259 /*
1260 * The target domain field within the cprb body/payload block will be
1261 * replaced by the usage domain for non-management commands only.
1262 * Therefore we check the first bit of the 'flags' parameter for
1263 * management command indication.
1264 * 0 - non management command
1265 * 1 - management command
1266 */
1267 if (!((msg->cprbx.flags & 0x80) == 0x80)) {
1268 msg->cprbx.target_id = (unsigned int)
1269 AP_QID_QUEUE(zq->queue->qid);
1270
1271 if ((msg->pld_lenfmt & 0x80) == 0x80) { /*ext.len.fmt 2 or 3*/
1272 switch (msg->pld_lenfmt & 0x03) {
1273 case 1:
1274 lfmt = 2;
1275 break;
1276 case 2:
1277 lfmt = 3;
1278 break;
1279 default:
1280 return -EINVAL;
1281 }
1282 } else {
1283 lfmt = 1; /* length format #1 */
1284 }
1285 payload_hdr = (struct pld_hdr *)((&msg->pld_lenfmt) + lfmt);
1286 payload_hdr->dom_val = (unsigned int)
1287 AP_QID_QUEUE(zq->queue->qid);
1288 }
1289
1290 /*
1291 * Set the queue's reply buffer length minus the two prepend headers
1292 * as reply limit for the card firmware.
1293 */
1294 msg->hdr.fromcardlen1 = zq->reply.bufsize -
1295 sizeof(struct type86_hdr) - sizeof(struct type86_fmt2_ext);
1296
1297 init_completion(&rtype->work);
1298 rc = ap_queue_message(zq->queue, ap_msg);
1299 if (rc)
1300 goto out;
1301 rc = wait_for_completion_interruptible(&rtype->work);
1302 if (rc == 0) {
1303 rc = ap_msg->rc;
1304 if (rc == 0)
1305 rc = convert_response_ep11_xcrb(userspace, zq, ap_msg, xcrb);
1306 } else {
1307 /* Signal pending. */
1308 ap_cancel_message(zq->queue, ap_msg);
1309 }
1310
1311 out:
1312 if (rc)
1313 ZCRYPT_DBF_DBG("%s send cprb at dev=%02x.%04x rc=%d\n",
1314 __func__, AP_QID_CARD(zq->queue->qid),
1315 AP_QID_QUEUE(zq->queue->qid), rc);
1316 return rc;
1317 }
1318
prep_rng_ap_msg(struct ap_message * ap_msg,int * func_code,unsigned int * domain)1319 int prep_rng_ap_msg(struct ap_message *ap_msg, int *func_code,
1320 unsigned int *domain)
1321 {
1322 struct response_type resp_type = {
1323 .type = CEXXC_RESPONSE_TYPE_XCRB,
1324 };
1325
1326 ap_msg->bufsize = AP_DEFAULT_MAX_MSG_SIZE;
1327 ap_msg->msg = kmalloc(ap_msg->bufsize, GFP_KERNEL);
1328 if (!ap_msg->msg)
1329 return -ENOMEM;
1330 ap_msg->receive = zcrypt_msgtype6_receive;
1331 ap_msg->psmid = (((unsigned long long)current->pid) << 32) +
1332 atomic_inc_return(&zcrypt_step);
1333 ap_msg->private = kmemdup(&resp_type, sizeof(resp_type), GFP_KERNEL);
1334 if (!ap_msg->private)
1335 return -ENOMEM;
1336
1337 rng_type6cprb_msgx(ap_msg, ZCRYPT_RNG_BUFFER_SIZE, domain);
1338
1339 *func_code = HWRNG;
1340 return 0;
1341 }
1342
1343 /*
1344 * The request distributor calls this function if it picked the CEXxC
1345 * device to generate random data.
1346 * @zq: pointer to zcrypt_queue structure that identifies the
1347 * CEXxC device to the request distributor
1348 * @buffer: pointer to a memory page to return random data
1349 */
zcrypt_msgtype6_rng(struct zcrypt_queue * zq,char * buffer,struct ap_message * ap_msg)1350 static long zcrypt_msgtype6_rng(struct zcrypt_queue *zq,
1351 char *buffer, struct ap_message *ap_msg)
1352 {
1353 struct {
1354 struct type6_hdr hdr;
1355 struct CPRBX cprbx;
1356 char function_code[2];
1357 short int rule_length;
1358 char rule[8];
1359 short int verb_length;
1360 short int key_length;
1361 } __packed * msg = ap_msg->msg;
1362 struct response_type *rtype = (struct response_type *)(ap_msg->private);
1363 int rc;
1364
1365 msg->cprbx.domain = AP_QID_QUEUE(zq->queue->qid);
1366
1367 init_completion(&rtype->work);
1368 rc = ap_queue_message(zq->queue, ap_msg);
1369 if (rc)
1370 goto out;
1371 rc = wait_for_completion_interruptible(&rtype->work);
1372 if (rc == 0) {
1373 rc = ap_msg->rc;
1374 if (rc == 0)
1375 rc = convert_response_rng(zq, ap_msg, buffer);
1376 } else {
1377 /* Signal pending. */
1378 ap_cancel_message(zq->queue, ap_msg);
1379 }
1380 out:
1381 return rc;
1382 }
1383
1384 /*
1385 * The crypto operations for a CEXxC card.
1386 */
1387 static struct zcrypt_ops zcrypt_msgtype6_norng_ops = {
1388 .owner = THIS_MODULE,
1389 .name = MSGTYPE06_NAME,
1390 .variant = MSGTYPE06_VARIANT_NORNG,
1391 .rsa_modexpo = zcrypt_msgtype6_modexpo,
1392 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1393 .send_cprb = zcrypt_msgtype6_send_cprb,
1394 };
1395
1396 static struct zcrypt_ops zcrypt_msgtype6_ops = {
1397 .owner = THIS_MODULE,
1398 .name = MSGTYPE06_NAME,
1399 .variant = MSGTYPE06_VARIANT_DEFAULT,
1400 .rsa_modexpo = zcrypt_msgtype6_modexpo,
1401 .rsa_modexpo_crt = zcrypt_msgtype6_modexpo_crt,
1402 .send_cprb = zcrypt_msgtype6_send_cprb,
1403 .rng = zcrypt_msgtype6_rng,
1404 };
1405
1406 static struct zcrypt_ops zcrypt_msgtype6_ep11_ops = {
1407 .owner = THIS_MODULE,
1408 .name = MSGTYPE06_NAME,
1409 .variant = MSGTYPE06_VARIANT_EP11,
1410 .rsa_modexpo = NULL,
1411 .rsa_modexpo_crt = NULL,
1412 .send_ep11_cprb = zcrypt_msgtype6_send_ep11_cprb,
1413 };
1414
zcrypt_msgtype6_init(void)1415 void __init zcrypt_msgtype6_init(void)
1416 {
1417 zcrypt_msgtype_register(&zcrypt_msgtype6_norng_ops);
1418 zcrypt_msgtype_register(&zcrypt_msgtype6_ops);
1419 zcrypt_msgtype_register(&zcrypt_msgtype6_ep11_ops);
1420 }
1421
zcrypt_msgtype6_exit(void)1422 void __exit zcrypt_msgtype6_exit(void)
1423 {
1424 zcrypt_msgtype_unregister(&zcrypt_msgtype6_norng_ops);
1425 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ops);
1426 zcrypt_msgtype_unregister(&zcrypt_msgtype6_ep11_ops);
1427 }
1428