tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

s390/pkey: Support new xflag PKEY_XFLAG_NOCLEARKEY

Introduce a new xflag PKEY_XFLAG_NOCLEARKEY which when given refuses
the conversion of "clear key tokens" to protected key material.

Some algorithms (PAES, PHMAC) have the need to construct "clear key
tokens" to be used during selftest. But in general these algorithms
should only support clear key material for testing purpose. So now the
algorithm implementation can signal via xflag PKEY_XFLAG_NOCLEARKEY
that a conversion of clear key material to protected key is not
acceptable and thus the pkey layer (usually one of the handler
modules) refuses clear key material with -EINVAL.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by

Harald Freudenberger and committed by
Herbert Xu 2dfca611 cf0840cc

+26 -4
+7 -1
arch/s390/include/asm/pkey.h
··· 21 21 * @param keylen size of the key blob in bytes 22 22 * @param protkey pointer to buffer receiving the protected key 23 23 * @param xflags additional execution flags (see PKEY_XFLAG_* definitions below) 24 - * As of now the only supported flag is PKEY_XFLAG_NOMEMALLOC. 24 + * As of now the only supported flags are PKEY_XFLAG_NOMEMALLOC 25 + * and PKEY_XFLAG_NOCLEARKEY. 25 26 * @return 0 on success, negative errno value on failure 26 27 */ 27 28 int pkey_key2protkey(const u8 *key, u32 keylen, ··· 38 37 * also the CRYPTO_ALG_ALLOCATES_MEMORY flag in crypto.h. 39 38 */ 40 39 #define PKEY_XFLAG_NOMEMALLOC 0x0001 40 + 41 + /* 42 + * Do not accept a clear key token as source for a protected key. 43 + */ 44 + #define PKEY_XFLAG_NOCLEARKEY 0x0002 41 45 42 46 #endif /* _KAPI_PKEY_H */
+5
drivers/s390/crypto/pkey_cca.c
··· 390 390 int i, len, rc; 391 391 u32 xflags; 392 392 393 + if (pflags & PKEY_XFLAG_NOCLEARKEY) { 394 + PKEY_DBF_ERR("%s clear key but xflag NOCLEARKEY\n", __func__); 395 + return -EINVAL; 396 + } 397 + 393 398 xflags = pflags & PKEY_XFLAG_NOMEMALLOC ? ZCRYPT_XFLAG_NOMEMALLOC : 0; 394 399 395 400 /* check keytype, subtype, clrkeylen, keybitsize */
+5
drivers/s390/crypto/pkey_ep11.c
··· 358 358 int i, len, rc; 359 359 u32 xflags; 360 360 361 + if (pflags & PKEY_XFLAG_NOCLEARKEY) { 362 + PKEY_DBF_ERR("%s clear key but xflag NOCLEARKEY\n", __func__); 363 + return -EINVAL; 364 + } 365 + 361 366 xflags = pflags & PKEY_XFLAG_NOMEMALLOC ? ZCRYPT_XFLAG_NOMEMALLOC : 0; 362 367 363 368 /* check keytype, subtype, clrkeylen, keybitsize */
+9 -3
drivers/s390/crypto/pkey_pckmo.c
··· 215 215 } 216 216 217 217 static int pckmo_key2protkey(const u8 *key, u32 keylen, 218 - u8 *protkey, u32 *protkeylen, u32 *protkeytype) 218 + u8 *protkey, u32 *protkeylen, u32 *protkeytype, 219 + u32 xflags) 219 220 { 220 221 struct keytoken_header *hdr = (struct keytoken_header *)key; 221 222 int rc = -EINVAL; ··· 267 266 struct clearkeytoken *t = (struct clearkeytoken *)key; 268 267 u32 keysize; 269 268 269 + if (xflags & PKEY_XFLAG_NOCLEARKEY) { 270 + PKEY_DBF_ERR("%s clear key token but xflag NOCLEARKEY\n", 271 + __func__); 272 + goto out; 273 + } 270 274 if (keylen < sizeof(*t) || 271 275 keylen < sizeof(*t) + t->len) 272 276 goto out; ··· 412 406 size_t _nr_apqns, 413 407 const u8 *key, u32 keylen, 414 408 u8 *protkey, u32 *protkeylen, u32 *keyinfo, 415 - u32 _xflags __always_unused) 409 + u32 xflags) 416 410 { 417 411 return pckmo_key2protkey(key, keylen, 418 - protkey, protkeylen, keyinfo); 412 + protkey, protkeylen, keyinfo, xflags); 419 413 } 420 414 421 415 static int pkey_pckmo_gen_key(const struct pkey_apqn *_apqns, size_t _nr_apqns,