Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
s390/zcrypt: Rework MKVP fields and handling

In general all MKVPs (Master Key Verification Pattern) are binary
data - usually some kind of shortened hash value e.g. sha256.
Some code parts however used some u64 type which made compares
a little bit easier. Anyway this is binary data and so all
fields related to MKVP are now u8[] and function parameters
use (const) u8 * now. The sysfs emit for the MKVPs also has
been adapted to first format the MKVP as hex string into a
buffer and then use %s with sysfs_emit_at() to generate the
sysfs output. The patch also includes a simple whitespace fix.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

authored by

Harald Freudenberger and committed by
Vasily Gorbik
227a9197 ecd2fd11

+123 -85
+26 -22
drivers/s390/crypto/pkey_cca.c
··· 87 87 zcrypt_wait_api_operational(); 88 88 89 89 if (hdr->type == TOKTYPE_CCA_INTERNAL) { 90 - u64 cur_mkvp = 0, old_mkvp = 0; 90 + const u8 *ptr_cur_mkvp = NULL; 91 + const u8 *ptr_old_mkvp = NULL; 91 92 int minhwtype = ZCRYPT_CEX3C; 92 93 93 94 if (hdr->version == TOKVER_CCA_AES) { 94 95 struct secaeskeytoken *t = (struct secaeskeytoken *)key; 95 96 96 97 if (flags & PKEY_FLAGS_MATCH_CUR_MKVP) 97 - cur_mkvp = t->mkvp; 98 + ptr_cur_mkvp = t->mkvp; 98 99 if (flags & PKEY_FLAGS_MATCH_ALT_MKVP) 99 - old_mkvp = t->mkvp; 100 + ptr_old_mkvp = t->mkvp; 100 101 } else if (hdr->version == TOKVER_CCA_VLSC) { 101 102 struct cipherkeytoken *t = (struct cipherkeytoken *)key; 102 103 103 104 minhwtype = ZCRYPT_CEX6; 104 105 if (flags & PKEY_FLAGS_MATCH_CUR_MKVP) 105 - cur_mkvp = t->mkvp0; 106 + ptr_cur_mkvp = t->mkvp0; 106 107 if (flags & PKEY_FLAGS_MATCH_ALT_MKVP) 107 - old_mkvp = t->mkvp0; 108 + ptr_old_mkvp = t->mkvp0; 108 109 } else { 109 110 /* unknown CCA internal token type */ 110 111 return -EINVAL; 111 112 } 112 113 rc = cca_findcard2(_apqns, &_nr_apqns, 0xFFFF, 0xFFFF, 113 114 minhwtype, AES_MK_SET, 114 - cur_mkvp, old_mkvp, xflags); 115 + ptr_cur_mkvp, ptr_old_mkvp, xflags); 115 116 if (rc) 116 117 goto out; 117 118 118 119 } else if (hdr->type == TOKTYPE_CCA_INTERNAL_PKA) { 119 120 struct eccprivkeytoken *t = (struct eccprivkeytoken *)key; 120 - u64 cur_mkvp = 0, old_mkvp = 0; 121 + const u8 *ptr_cur_mkvp = NULL; 122 + const u8 *ptr_old_mkvp = NULL; 121 123 122 124 if (t->secid == 0x20) { 123 125 if (flags & PKEY_FLAGS_MATCH_CUR_MKVP) 124 - cur_mkvp = t->mkvp; 126 + ptr_cur_mkvp = t->mkvp; 125 127 if (flags & PKEY_FLAGS_MATCH_ALT_MKVP) 126 - old_mkvp = t->mkvp; 128 + ptr_old_mkvp = t->mkvp; 127 129 } else { 128 130 /* unknown CCA internal 2 token type */ 129 131 return -EINVAL; 130 132 } 131 133 rc = cca_findcard2(_apqns, &_nr_apqns, 0xFFFF, 0xFFFF, 132 134 ZCRYPT_CEX7, APKA_MK_SET, 133 - cur_mkvp, old_mkvp, xflags); 135 + ptr_cur_mkvp, ptr_old_mkvp, xflags); 
134 136 if (rc) 135 137 goto out; 136 138 ··· 169 167 zcrypt_wait_api_operational(); 170 168 171 169 if (ktype == PKEY_TYPE_CCA_DATA || ktype == PKEY_TYPE_CCA_CIPHER) { 172 - u64 cur_mkvp = 0, old_mkvp = 0; 170 + const u8 *ptr_cur_mkvp = NULL; 171 + const u8 *ptr_old_mkvp = NULL; 173 172 int minhwtype = ZCRYPT_CEX3C; 174 173 175 174 if (flags & PKEY_FLAGS_MATCH_CUR_MKVP) 176 - cur_mkvp = *((u64 *)cur_mkvp); 175 + ptr_cur_mkvp = cur_mkvp; 177 176 if (flags & PKEY_FLAGS_MATCH_ALT_MKVP) 178 - old_mkvp = *((u64 *)alt_mkvp); 177 + ptr_old_mkvp = alt_mkvp; 179 178 if (ktype == PKEY_TYPE_CCA_CIPHER) 180 179 minhwtype = ZCRYPT_CEX6; 181 180 rc = cca_findcard2(_apqns, &_nr_apqns, 0xFFFF, 0xFFFF, 182 181 minhwtype, AES_MK_SET, 183 - cur_mkvp, old_mkvp, xflags); 182 + ptr_cur_mkvp, ptr_old_mkvp, xflags); 184 183 if (rc) 185 184 goto out; 186 185 187 186 } else if (ktype == PKEY_TYPE_CCA_ECC) { 188 - u64 cur_mkvp = 0, old_mkvp = 0; 187 + const u8 *ptr_cur_mkvp = NULL; 188 + const u8 *ptr_old_mkvp = NULL; 189 189 190 190 if (flags & PKEY_FLAGS_MATCH_CUR_MKVP) 191 - cur_mkvp = *((u64 *)cur_mkvp); 191 + ptr_cur_mkvp = cur_mkvp; 192 192 if (flags & PKEY_FLAGS_MATCH_ALT_MKVP) 193 - old_mkvp = *((u64 *)alt_mkvp); 193 + ptr_old_mkvp = alt_mkvp; 194 194 rc = cca_findcard2(_apqns, &_nr_apqns, 0xFFFF, 0xFFFF, 195 195 ZCRYPT_CEX7, APKA_MK_SET, 196 - cur_mkvp, old_mkvp, xflags); 196 + ptr_cur_mkvp, ptr_old_mkvp, xflags); 197 197 if (rc) 198 198 goto out; 199 199 ··· 491 487 *keybitsize = t->bitsize; 492 488 rc = cca_findcard2(apqns, &nr_apqns, *card, *dom, 493 489 ZCRYPT_CEX3C, AES_MK_SET, 494 - t->mkvp, 0, xflags); 490 + t->mkvp, NULL, xflags); 495 491 if (!rc) 496 492 *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 497 493 if (rc == -ENODEV) { 498 494 nr_apqns = ARRAY_SIZE(apqns); 499 495 rc = cca_findcard2(apqns, &nr_apqns, *card, *dom, 500 496 ZCRYPT_CEX3C, AES_MK_SET, 501 - 0, t->mkvp, xflags); 497 + NULL, t->mkvp, xflags); 502 498 if (!rc) 503 499 *flags = PKEY_FLAGS_MATCH_ALT_MKVP; 504 500 } 
··· 525 521 *keybitsize = PKEY_SIZE_AES_256; 526 522 rc = cca_findcard2(apqns, &nr_apqns, *card, *dom, 527 523 ZCRYPT_CEX6, AES_MK_SET, 528 - t->mkvp0, 0, xflags); 524 + t->mkvp0, NULL, xflags); 529 525 if (!rc) 530 526 *flags = PKEY_FLAGS_MATCH_CUR_MKVP; 531 527 if (rc == -ENODEV) { 532 528 nr_apqns = ARRAY_SIZE(apqns); 533 529 rc = cca_findcard2(apqns, &nr_apqns, *card, *dom, 534 530 ZCRYPT_CEX6, AES_MK_SET, 535 - 0, t->mkvp0, xflags); 531 + NULL, t->mkvp0, xflags); 536 532 if (!rc) 537 533 *flags = PKEY_FLAGS_MATCH_ALT_MKVP; 538 534 }
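Review bot: In the `ktype` branches of the second hunk, `ptr_cur_mkvp = cur_mkvp;` and `ptr_old_mkvp = alt_mkvp;` hand the caller's buffers straight to cca_findcard2(), which now reads `sizeof(ci.cur_aes_mkvp)` bytes through them, so the code relies on every caller supplying at least 8 readable bytes; the parameter declarations are outside the hunk, so that cannot be confirmed from here. A short comment at the assignments would record the contract, for example `/* cca_findcard2() compares the first 8 bytes of each pattern */`. The filter is also now selected by whether the pointer is NULL rather than by a non-zero value, so an all-zero pattern taken from a token is compared against the cards instead of being treated as "no filter"; that change in behaviour is worth stating in the commit message.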
+17 -9
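--- a/drivers/s390/crypto/zcrypt_ccamisc.c
+++ b/drivers/s390/crypto/zcrypt_ccamisc.c
@@ -1708,8 +1708,8 @@
 EXPORT_SYMBOL(cca_get_info);
 
 int cca_findcard2(u32 *apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
-int minhwtype, int mktype, u64 cur_mkvp, u64 old_mkvp,
-u32 xflags)
+int minhwtype, int mktype,
+const u8 *ptr_cur_mkvp, const u8 *ptr_old_mkvp, u32 xflags)
 {
 struct zcrypt_device_status_ext *device_status;
 int i, card, dom, curmatch, oldmatch;
@@ -1753,20 +1753,28 @@
 /* check min hardware type */
 if (minhwtype > 0 && minhwtype > ci.hwtype)
 continue;
-if (cur_mkvp || old_mkvp) {
+if (ptr_cur_mkvp || ptr_old_mkvp) {
 /* check mkvps */
 curmatch = oldmatch = 0;
 if (mktype == AES_MK_SET) {
-if (cur_mkvp && cur_mkvp == ci.cur_aes_mkvp)
+if (ptr_cur_mkvp &&
+!memcmp(ptr_cur_mkvp, ci.cur_aes_mkvp,
+sizeof(ci.cur_aes_mkvp)))
 curmatch = 1;
-if (old_mkvp && ci.old_aes_mk_state == '2' &&
-old_mkvp == ci.old_aes_mkvp)
+if (ptr_old_mkvp &&
+ci.old_aes_mk_state == '2' &&
+!memcmp(ptr_old_mkvp, ci.old_aes_mkvp,
+sizeof(ci.old_aes_mkvp)))
 oldmatch = 1;
 } else {
-if (cur_mkvp && cur_mkvp == ci.cur_apka_mkvp)
+if (ptr_cur_mkvp &&
+!memcmp(ptr_cur_mkvp, ci.cur_apka_mkvp,
+sizeof(ci.cur_apka_mkvp)))
 curmatch = 1;
-if (old_mkvp && ci.old_apka_mk_state == '2' &&
-old_mkvp == ci.old_apka_mkvp)
+if (ptr_old_mkvp &&
+ci.old_apka_mk_state == '2' &&
+!memcmp(ptr_old_mkvp, ci.old_apka_mkvp,
+sizeof(ci.old_apka_mkvp)))
 oldmatch = 1;
 }
 if (curmatch + oldmatch < 1)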
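Review bot: The current-key comparisons in the second hunk have no state guard: `!memcmp(ptr_cur_mkvp, ci.cur_aes_mkvp, ...)` sets `curmatch` without looking at `ci.cur_aes_mk_state`, whereas the old-key branch requires `ci.old_aes_mk_state == '2'`. With the u64 form a zero pattern could never match; with memcmp() an all-zero pattern compares equal to a `cur_*_mkvp` field that was never filled in, if cca_get_info() can leave it zeroed (not visible here). Adding `ci.cur_aes_mk_state == '2' &&` and `ci.cur_apka_mk_state == '2' &&` ahead of the two current-key memcmp() calls would keep a card without a valid current master key out of the result list. The body of cca_findcard2() continues outside both hunks.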
+12 -12
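--- a/drivers/s390/crypto/zcrypt_ccamisc.h
+++ b/drivers/s390/crypto/zcrypt_ccamisc.h
@@ -47,7 +47,7 @@
 u8 res1[1];
 u8 flag; /* key flags */
 u8 res2[1];
-u64 mkvp; /* master key verification pattern */
+u8 mkvp[8]; /* master key verification pattern */
 u8 key[32]; /* key value (encrypted) */
 u8 cv[8]; /* control vector */
 u16 bitsize; /* key bit size */
@@ -64,8 +64,8 @@
 u8 res1[3];
 u8 kms; /* key material state, 0x03 means wrapped with MK */
 u8 kvpt; /* key verification pattern type, should be 0x01 */
-u64 mkvp0; /* master key verification pattern, lo part */
-u64 mkvp1; /* master key verification pattern, hi part (unused) */
+u8 mkvp0[8]; /* master key verification pattern, lo part */
+u8 mkvp1[8]; /* master key verification pattern, hi part (unused) */
 u8 eskwm; /* encrypted section key wrapping method */
 u8 hashalg; /* hash algorithmus used for wrapping key */
 u8 plfver; /* pay load format version */
@@ -113,7 +113,7 @@
 u8 ksrc; /* key source */
 u16 pbitlen; /* length of prime p in bits */
 u16 ibmadlen; /* IBM associated data length in bytes */
-u64 mkvp; /* master key verification pattern */
+u8 mkvp[8]; /* master key verification pattern */
 u8 opk[48]; /* encrypted object protection key data */
 u16 adatalen; /* associated data length in bytes */
 u16 fseclen; /* formatted section length in bytes */
@@ -227,8 +227,8 @@
 * If no apqn meeting the criteria is found, -ENODEV is returned.
 */
 int cca_findcard2(u32 *apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
-int minhwtype, int mktype, u64 cur_mkvp, u64 old_mkvp,
-u32 xflags);
+int minhwtype, int mktype,
+const u8 *cur_mkvp, const u8 *old_mkvp, u32 xflags);
 
 #define AES_MK_SET 0
 #define APKA_MK_SET 1
@@ -245,12 +245,12 @@
 char new_asym_mk_state; /* '1' empty, '2' partially full, '3' full */
 char cur_asym_mk_state; /* '1' invalid, '2' valid */
 char old_asym_mk_state; /* '1' invalid, '2' valid */
-u64 new_aes_mkvp; /* truncated sha256 of new aes master key */
-u64 cur_aes_mkvp; /* truncated sha256 of current aes master key */
-u64 old_aes_mkvp; /* truncated sha256 of old aes master key */
-u64 new_apka_mkvp; /* truncated sha256 of new apka master key */
-u64 cur_apka_mkvp; /* truncated sha256 of current apka mk */
-u64 old_apka_mkvp; /* truncated sha256 of old apka mk */
+u8 new_aes_mkvp[8]; /* truncated sha256 of new aes master key */
+u8 cur_aes_mkvp[8]; /* truncated sha256 of current aes master key */
+u8 old_aes_mkvp[8]; /* truncated sha256 of old aes master key */
+u8 new_apka_mkvp[8]; /* truncated sha256 of new apka master key */
+u8 cur_apka_mkvp[8]; /* truncated sha256 of current apka mk */
+u8 old_apka_mkvp[8]; /* truncated sha256 of old apka mk */
 u8 new_asym_mkvp[16]; /* verify pattern of new asym master key */
 u8 cur_asym_mkvp[16]; /* verify pattern of current asym master key */
 u8 old_asym_mkvp[16]; /* verify pattern of old asym master key */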
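Review bot: The cca_findcard2() prototype names its pointer parameters `cur_mkvp` and `old_mkvp`, while the definition in zcrypt_ccamisc.c uses `ptr_cur_mkvp` and `ptr_old_mkvp`; the same names in both places would keep the doc comment and the code in step. The comment above the prototype, which starts outside the hunk, should also say what the pointers now mean, e.g. `NULL means "do not match on this pattern"; otherwise the pointer must reference 8 bytes`. The literal `8` is repeated in every `mkvp[8]` field and is implied by the memcmp() sizes in the .c file, so one named constant for the pattern width would make it harder for the two to drift apart.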
+68 -42
drivers/s390/crypto/zcrypt_cex4.c
··· 103 103 .attrs = cca_card_attrs, 104 104 }; 105 105 106 - /* 107 - * CCA queue additional device attributes 108 - */ 106 + /* 107 + * Simple helper macro to format raw mkvp byte array into hex 108 + */ 109 + #define MKVP_TO_HEXBUF(mkvp, buf) \ 110 + do { \ 111 + BUILD_BUG_ON(sizeof(buf) <= 2 * sizeof(mkvp)); \ 112 + bin2hex(buf, mkvp, sizeof(mkvp)); \ 113 + buf[2 * sizeof(mkvp)] = '\0'; \ 114 + } while (0) 115 + 116 + /* 117 + * CCA queue additional device attributes 118 + */ 109 119 static ssize_t cca_mkvps_show(struct device *dev, 110 120 struct device_attribute *attr, 111 121 char *buf) ··· 124 114 static const char * const cao_state[] = { "invalid", "valid" }; 125 115 struct zcrypt_queue *zq = dev_get_drvdata(dev); 126 116 struct cca_info ci; 117 + char hexbuf[2 * 16 + 1]; 127 118 int n = 0; 128 119 129 120 memset(&ci, 0, sizeof(ci)); ··· 133 122 AP_QID_QUEUE(zq->queue->qid), 134 123 &ci, 0); 135 124 136 - if (ci.new_aes_mk_state >= '1' && ci.new_aes_mk_state <= '3') 137 - n += sysfs_emit_at(buf, n, "AES NEW: %s 0x%016llx\n", 125 + if (ci.new_aes_mk_state >= '1' && ci.new_aes_mk_state <= '3') { 126 + MKVP_TO_HEXBUF(ci.new_aes_mkvp, hexbuf); 127 + n += sysfs_emit_at(buf, n, "AES NEW: %s 0x%s\n", 138 128 new_state[ci.new_aes_mk_state - '1'], 139 - ci.new_aes_mkvp); 140 - else 129 + hexbuf); 130 + } else { 141 131 n += sysfs_emit_at(buf, n, "AES NEW: - -\n"); 132 + } 142 133 143 - if (ci.cur_aes_mk_state >= '1' && ci.cur_aes_mk_state <= '2') 144 - n += sysfs_emit_at(buf, n, "AES CUR: %s 0x%016llx\n", 134 + if (ci.cur_aes_mk_state >= '1' && ci.cur_aes_mk_state <= '2') { 135 + MKVP_TO_HEXBUF(ci.cur_aes_mkvp, hexbuf); 136 + n += sysfs_emit_at(buf, n, "AES CUR: %s 0x%s\n", 145 137 cao_state[ci.cur_aes_mk_state - '1'], 146 - ci.cur_aes_mkvp); 147 - else 138 + hexbuf); 139 + } else { 148 140 n += sysfs_emit_at(buf, n, "AES CUR: - -\n"); 141 + } 149 142 150 - if (ci.old_aes_mk_state >= '1' && ci.old_aes_mk_state <= '2') 151 - n += sysfs_emit_at(buf, n, "AES OLD: %s 
0x%016llx\n", 143 + if (ci.old_aes_mk_state >= '1' && ci.old_aes_mk_state <= '2') { 144 + MKVP_TO_HEXBUF(ci.old_aes_mkvp, hexbuf); 145 + n += sysfs_emit_at(buf, n, "AES OLD: %s 0x%s\n", 152 146 cao_state[ci.old_aes_mk_state - '1'], 153 - ci.old_aes_mkvp); 154 - else 147 + hexbuf); 148 + } else { 155 149 n += sysfs_emit_at(buf, n, "AES OLD: - -\n"); 150 + } 156 151 157 - if (ci.new_apka_mk_state >= '1' && ci.new_apka_mk_state <= '3') 158 - n += sysfs_emit_at(buf, n, "APKA NEW: %s 0x%016llx\n", 152 + if (ci.new_apka_mk_state >= '1' && ci.new_apka_mk_state <= '3') { 153 + MKVP_TO_HEXBUF(ci.new_apka_mkvp, hexbuf); 154 + n += sysfs_emit_at(buf, n, "APKA NEW: %s 0x%s\n", 159 155 new_state[ci.new_apka_mk_state - '1'], 160 - ci.new_apka_mkvp); 161 - else 156 + hexbuf); 157 + } else { 162 158 n += sysfs_emit_at(buf, n, "APKA NEW: - -\n"); 159 + } 163 160 164 - if (ci.cur_apka_mk_state >= '1' && ci.cur_apka_mk_state <= '2') 165 - n += sysfs_emit_at(buf, n, "APKA CUR: %s 0x%016llx\n", 161 + if (ci.cur_apka_mk_state >= '1' && ci.cur_apka_mk_state <= '2') { 162 + MKVP_TO_HEXBUF(ci.cur_apka_mkvp, hexbuf); 163 + n += sysfs_emit_at(buf, n, "APKA CUR: %s 0x%s\n", 166 164 cao_state[ci.cur_apka_mk_state - '1'], 167 - ci.cur_apka_mkvp); 168 - else 165 + hexbuf); 166 + } else { 169 167 n += sysfs_emit_at(buf, n, "APKA CUR: - -\n"); 168 + } 170 169 171 - if (ci.old_apka_mk_state >= '1' && ci.old_apka_mk_state <= '2') 172 - n += sysfs_emit_at(buf, n, "APKA OLD: %s 0x%016llx\n", 170 + if (ci.old_apka_mk_state >= '1' && ci.old_apka_mk_state <= '2') { 171 + MKVP_TO_HEXBUF(ci.old_apka_mkvp, hexbuf); 172 + n += sysfs_emit_at(buf, n, "APKA OLD: %s 0x%s\n", 173 173 cao_state[ci.old_apka_mk_state - '1'], 174 - ci.old_apka_mkvp); 175 - else 174 + hexbuf); 175 + } else { 176 176 n += sysfs_emit_at(buf, n, "APKA OLD: - -\n"); 177 + } 177 178 178 - if (ci.new_asym_mk_state >= '1' && ci.new_asym_mk_state <= '3') 179 - n += sysfs_emit_at(buf, n, "ASYM NEW: %s 0x%016llx%016llx\n", 179 + if 
(ci.new_asym_mk_state >= '1' && ci.new_asym_mk_state <= '3') { 180 + MKVP_TO_HEXBUF(ci.new_asym_mkvp, hexbuf); 181 + n += sysfs_emit_at(buf, n, "ASYM NEW: %s 0x%s\n", 180 182 new_state[ci.new_asym_mk_state - '1'], 181 - *((u64 *)(ci.new_asym_mkvp)), 182 - *((u64 *)(ci.new_asym_mkvp + sizeof(u64)))); 183 - else 183 + hexbuf); 184 + } else { 184 185 n += sysfs_emit_at(buf, n, "ASYM NEW: - -\n"); 186 + } 185 187 186 - if (ci.cur_asym_mk_state >= '1' && ci.cur_asym_mk_state <= '2') 187 - n += sysfs_emit_at(buf, n, "ASYM CUR: %s 0x%016llx%016llx\n", 188 + if (ci.cur_asym_mk_state >= '1' && ci.cur_asym_mk_state <= '2') { 189 + MKVP_TO_HEXBUF(ci.cur_asym_mkvp, hexbuf); 190 + n += sysfs_emit_at(buf, n, "ASYM CUR: %s 0x%s\n", 188 191 cao_state[ci.cur_asym_mk_state - '1'], 189 - *((u64 *)(ci.cur_asym_mkvp)), 190 - *((u64 *)(ci.cur_asym_mkvp + sizeof(u64)))); 191 - else 192 + hexbuf); 193 + } else { 192 194 n += sysfs_emit_at(buf, n, "ASYM CUR: - -\n"); 195 + } 193 196 194 - if (ci.old_asym_mk_state >= '1' && ci.old_asym_mk_state <= '2') 195 - n += sysfs_emit_at(buf, n, "ASYM OLD: %s 0x%016llx%016llx\n", 197 + if (ci.old_asym_mk_state >= '1' && ci.old_asym_mk_state <= '2') { 198 + MKVP_TO_HEXBUF(ci.old_asym_mkvp, hexbuf); 199 + n += sysfs_emit_at(buf, n, "ASYM OLD: %s 0x%s\n", 196 200 cao_state[ci.old_asym_mk_state - '1'], 197 - *((u64 *)(ci.old_asym_mkvp)), 198 - *((u64 *)(ci.old_asym_mkvp + sizeof(u64)))); 199 - else 201 + hexbuf); 202 + } else { 200 203 n += sysfs_emit_at(buf, n, "ASYM OLD: - -\n"); 204 + } 201 205 202 206 return n; 203 207 }
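Review bot: MKVP_TO_HEXBUF() in the first hunk relies on `sizeof(mkvp)` and `sizeof(buf)`, which is only correct when both arguments are real arrays; given a pointer, the macro would convert pointer-size bytes and the BUILD_BUG_ON() would check the wrong size without any diagnostic. The comment above the macro should state that requirement, e.g. `Both arguments must be arrays, not pointers; buf needs 2 * sizeof(mkvp) + 1 bytes`, and the arguments should be parenthesised in the expansion, `(buf)[2 * sizeof(mkvp)] = '\0';`. In cca_mkvps_show() the declaration `char hexbuf[2 * 16 + 1];` could be written as `char hexbuf[2 * sizeof(ci.new_asym_mkvp) + 1];` so the buffer follows the widest field rather than a literal. Parts of cca_mkvps_show() lie between the hunks shown.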