diff options
author | Felix Beck <felix.beck@de.ibm.com> | 2011-01-05 12:47:45 +0100 |
---|---|---|
committer | Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> | 2011-01-05 12:47:27 +0100 |
commit | 3e309a66f52e042881f76cbfb9b6c2aa70163e02 (patch) | |
tree | 50633ef9552e511be7ff113d6b2bc77f3f67d549 /drivers/s390/crypto | |
parent | b1f933da570576d1f290ea4dc9b896404cbd285d (diff) | |
download | op-kernel-dev-3e309a66f52e042881f76cbfb9b6c2aa70163e02.zip op-kernel-dev-3e309a66f52e042881f76cbfb9b6c2aa70163e02.tar.gz |
[S390] zcrypt: support for 4096 bit keys for cex3a
Definitions for CEX3 card types are changed to support 4096 bit RSA
keys. Also new structs for the accelerator mode are needed.
Additionaly when checking the length of key parts, the case for bigger
(4096 bit) keys is needed.
Signed-off-by: Felix Beck <felix.beck@de.ibm.com>
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390/crypto')
-rw-r--r-- | drivers/s390/crypto/zcrypt_cex2a.c | 78 | ||||
-rw-r--r-- | drivers/s390/crypto/zcrypt_cex2a.h | 25 |
2 files changed, 87 insertions, 16 deletions
diff --git a/drivers/s390/crypto/zcrypt_cex2a.c b/drivers/s390/crypto/zcrypt_cex2a.c index 9c409ef..def0901 100644 --- a/drivers/s390/crypto/zcrypt_cex2a.c +++ b/drivers/s390/crypto/zcrypt_cex2a.c @@ -41,7 +41,7 @@ #define CEX2A_MIN_MOD_SIZE 1 /* 8 bits */ #define CEX2A_MAX_MOD_SIZE 256 /* 2048 bits */ #define CEX3A_MIN_MOD_SIZE CEX2A_MIN_MOD_SIZE -#define CEX3A_MAX_MOD_SIZE CEX2A_MAX_MOD_SIZE +#define CEX3A_MAX_MOD_SIZE 512 /* 4096 bits */ #define CEX2A_SPEED_RATING 970 #define CEX3A_SPEED_RATING 900 /* Fixme: Needs finetuning */ @@ -49,8 +49,10 @@ #define CEX2A_MAX_MESSAGE_SIZE 0x390 /* sizeof(struct type50_crb2_msg) */ #define CEX2A_MAX_RESPONSE_SIZE 0x110 /* max outputdatalength + type80_hdr */ -#define CEX3A_MAX_MESSAGE_SIZE CEX2A_MAX_MESSAGE_SIZE -#define CEX3A_MAX_RESPONSE_SIZE CEX2A_MAX_RESPONSE_SIZE +#define CEX3A_MAX_RESPONSE_SIZE 0x210 /* 512 bit modulus + * (max outputdatalength) + + * type80_hdr*/ +#define CEX3A_MAX_MESSAGE_SIZE sizeof(struct type50_crb3_msg) #define CEX2A_CLEANUP_TIME (15*HZ) #define CEX3A_CLEANUP_TIME CEX2A_CLEANUP_TIME @@ -110,7 +112,7 @@ static int ICAMEX_msg_to_type50MEX_msg(struct zcrypt_device *zdev, mod = meb1->modulus + sizeof(meb1->modulus) - mod_len; exp = meb1->exponent + sizeof(meb1->exponent) - mod_len; inp = meb1->message + sizeof(meb1->message) - mod_len; - } else { + } else if (mod_len <= 256) { struct type50_meb2_msg *meb2 = ap_msg->message; memset(meb2, 0, sizeof(*meb2)); ap_msg->length = sizeof(*meb2); @@ -120,6 +122,17 @@ static int ICAMEX_msg_to_type50MEX_msg(struct zcrypt_device *zdev, mod = meb2->modulus + sizeof(meb2->modulus) - mod_len; exp = meb2->exponent + sizeof(meb2->exponent) - mod_len; inp = meb2->message + sizeof(meb2->message) - mod_len; + } else { + /* mod_len > 256 = 4096 bit RSA Key */ + struct type50_meb3_msg *meb3 = ap_msg->message; + memset(meb3, 0, sizeof(*meb3)); + ap_msg->length = sizeof(*meb3); + meb3->header.msg_type_code = TYPE50_TYPE_CODE; + meb3->header.msg_len = sizeof(*meb3); + meb3->keyblock_type = TYPE50_MEB3_FMT; + mod = meb3->modulus + sizeof(meb3->modulus) - mod_len; + exp = meb3->exponent + sizeof(meb3->exponent) - mod_len; + inp = meb3->message + sizeof(meb3->message) - mod_len; } if (copy_from_user(mod, mex->n_modulus, mod_len) || @@ -142,7 +155,7 @@ static int ICACRT_msg_to_type50CRT_msg(struct zcrypt_device *zdev, struct ap_message *ap_msg, struct ica_rsa_modexpo_crt *crt) { - int mod_len, short_len, long_len, long_offset; + int mod_len, short_len, long_len, long_offset, limit; unsigned char *p, *q, *dp, *dq, *u, *inp; mod_len = crt->inputdatalength; @@ -152,14 +165,20 @@ static int ICACRT_msg_to_type50CRT_msg(struct zcrypt_device *zdev, /* * CEX2A cannot handle p, dp, or U > 128 bytes. * If we have one of these, we need to do extra checking. + * For CEX3A the limit is 256 bytes. */ - if (long_len > 128) { + if (zdev->max_mod_size == CEX3A_MAX_MOD_SIZE) + limit = 256; + else + limit = 128; + + if (long_len > limit) { /* * zcrypt_rsa_crt already checked for the leading * zeroes of np_prime, bp_key and u_mult_inc. */ - long_offset = long_len - 128; - long_len = 128; + long_offset = long_len - limit; + long_len = limit; } else long_offset = 0; @@ -180,7 +199,7 @@ static int ICACRT_msg_to_type50CRT_msg(struct zcrypt_device *zdev, dq = crb1->dq + sizeof(crb1->dq) - short_len; u = crb1->u + sizeof(crb1->u) - long_len; inp = crb1->message + sizeof(crb1->message) - mod_len; - } else { + } else if (long_len <= 128) { struct type50_crb2_msg *crb2 = ap_msg->message; memset(crb2, 0, sizeof(*crb2)); ap_msg->length = sizeof(*crb2); @@ -193,6 +212,20 @@ static int ICACRT_msg_to_type50CRT_msg(struct zcrypt_device *zdev, dq = crb2->dq + sizeof(crb2->dq) - short_len; u = crb2->u + sizeof(crb2->u) - long_len; inp = crb2->message + sizeof(crb2->message) - mod_len; + } else { + /* long_len >= 256 */ + struct type50_crb3_msg *crb3 = ap_msg->message; + memset(crb3, 0, sizeof(*crb3)); + ap_msg->length = sizeof(*crb3); + crb3->header.msg_type_code = TYPE50_TYPE_CODE; + crb3->header.msg_len = sizeof(*crb3); + crb3->keyblock_type = TYPE50_CRB3_FMT; + p = crb3->p + sizeof(crb3->p) - long_len; + q = crb3->q + sizeof(crb3->q) - short_len; + dp = crb3->dp + sizeof(crb3->dp) - long_len; + dq = crb3->dq + sizeof(crb3->dq) - short_len; + u = crb3->u + sizeof(crb3->u) - long_len; + inp = crb3->message + sizeof(crb3->message) - mod_len; } if (copy_from_user(p, crt->np_prime + long_offset, long_len) || @@ -203,7 +236,6 @@ static int ICACRT_msg_to_type50CRT_msg(struct zcrypt_device *zdev, copy_from_user(inp, crt->inputdata, mod_len)) return -EFAULT; - return 0; } @@ -230,7 +262,10 @@ static int convert_type80(struct zcrypt_device *zdev, zdev->online = 0; return -EAGAIN; /* repeat the request on a different device. */ } - BUG_ON(t80h->len > CEX2A_MAX_RESPONSE_SIZE); + if (zdev->user_space_type == ZCRYPT_CEX2A) + BUG_ON(t80h->len > CEX2A_MAX_RESPONSE_SIZE); + else + BUG_ON(t80h->len > CEX3A_MAX_RESPONSE_SIZE); data = reply->message + t80h->len - outputdatalength; if (copy_to_user(outputdata, data, outputdatalength)) return -EFAULT; @@ -282,7 +317,10 @@ static void zcrypt_cex2a_receive(struct ap_device *ap_dev, } t80h = reply->message; if (t80h->type == TYPE80_RSP_CODE) { - length = min(CEX2A_MAX_RESPONSE_SIZE, (int) t80h->len); + if (ap_dev->device_type == AP_DEVICE_TYPE_CEX2A) + length = min(CEX2A_MAX_RESPONSE_SIZE, (int) t80h->len); + else + length = min(CEX3A_MAX_RESPONSE_SIZE, (int) t80h->len); memcpy(msg->message, reply->message, length); } else memcpy(msg->message, reply->message, sizeof error_reply); @@ -307,7 +345,10 @@ static long zcrypt_cex2a_modexpo(struct zcrypt_device *zdev, int rc; ap_init_message(&ap_msg); - ap_msg.message = kmalloc(CEX2A_MAX_MESSAGE_SIZE, GFP_KERNEL); + if (zdev->user_space_type == ZCRYPT_CEX2A) + ap_msg.message = kmalloc(CEX2A_MAX_MESSAGE_SIZE, GFP_KERNEL); + else + ap_msg.message = kmalloc(CEX3A_MAX_MESSAGE_SIZE, GFP_KERNEL); if (!ap_msg.message) return -ENOMEM; ap_msg.psmid = (((unsigned long long) current->pid) << 32) + @@ -345,7 +386,10 @@ static long zcrypt_cex2a_modexpo_crt(struct zcrypt_device *zdev, int rc; ap_init_message(&ap_msg); - ap_msg.message = kmalloc(CEX2A_MAX_MESSAGE_SIZE, GFP_KERNEL); + if (zdev->user_space_type == ZCRYPT_CEX2A) + ap_msg.message = kmalloc(CEX2A_MAX_MESSAGE_SIZE, GFP_KERNEL); + else + ap_msg.message = kmalloc(CEX3A_MAX_MESSAGE_SIZE, GFP_KERNEL); if (!ap_msg.message) return -ENOMEM; ap_msg.psmid = (((unsigned long long) current->pid) << 32) + @@ -404,8 +448,10 @@ static int zcrypt_cex2a_probe(struct ap_device *ap_dev) return -ENOMEM; zdev->user_space_type = ZCRYPT_CEX3A; zdev->type_string = "CEX3A"; - zdev->min_mod_size = CEX3A_MIN_MOD_SIZE; - zdev->max_mod_size = CEX3A_MAX_MOD_SIZE; + zdev->min_mod_size = CEX2A_MIN_MOD_SIZE; + zdev->max_mod_size = CEX2A_MAX_MOD_SIZE; + if (ap_4096_commands_available(ap_dev->qid)) + zdev->max_mod_size = CEX3A_MAX_MOD_SIZE; zdev->short_crt = 1; zdev->speed_rating = CEX3A_SPEED_RATING; break; diff --git a/drivers/s390/crypto/zcrypt_cex2a.h b/drivers/s390/crypto/zcrypt_cex2a.h index 8f69d1d..0350665 100644 --- a/drivers/s390/crypto/zcrypt_cex2a.h +++ b/drivers/s390/crypto/zcrypt_cex2a.h @@ -51,8 +51,10 @@ struct type50_hdr { #define TYPE50_MEB1_FMT 0x0001 #define TYPE50_MEB2_FMT 0x0002 +#define TYPE50_MEB3_FMT 0x0003 #define TYPE50_CRB1_FMT 0x0011 #define TYPE50_CRB2_FMT 0x0012 +#define TYPE50_CRB3_FMT 0x0013 /* Mod-Exp, with a small modulus */ struct type50_meb1_msg { @@ -74,6 +76,16 @@ struct type50_meb2_msg { unsigned char message[256]; } __attribute__((packed)); +/* Mod-Exp, with a larger modulus */ +struct type50_meb3_msg { + struct type50_hdr header; + unsigned short keyblock_type; /* 0x0003 */ + unsigned char reserved[6]; + unsigned char exponent[512]; + unsigned char modulus[512]; + unsigned char message[512]; +} __attribute__((packed)); + /* CRT, with a small modulus */ struct type50_crb1_msg { struct type50_hdr header; @@ -100,6 +112,19 @@ struct type50_crb2_msg { unsigned char message[256]; } __attribute__((packed)); +/* CRT, with a larger modulus */ +struct type50_crb3_msg { + struct type50_hdr header; + unsigned short keyblock_type; /* 0x0013 */ + unsigned char reserved[6]; + unsigned char p[256]; + unsigned char q[256]; + unsigned char dp[256]; + unsigned char dq[256]; + unsigned char u[256]; + unsigned char message[512]; +} __attribute__((packed)); + /** * The type 80 response family is associated with a CEX2A card. * |