#
ad0faae6 |
|
08-Feb-2022 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: introduce ctfm field in struct CPRBX Modify the CPRBX struct to expose a new field ctfm for use with hardware command filtering within a CEX8 crypto card in CCA coprocessor mode. The field replaces a reserved byte padding field so that the layout of the struct and the size does not change. The new field is used only by user space applications which may use this to expose the HW filtering facilities in the crypto firmware layers. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
|
#
2004b57c |
|
04-Apr-2022 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: code cleanup This patch tries to fix as much as possible of the checkpatch.pl --strict findings: CHECK: Logical continuations should be on the previous line CHECK: No space is necessary after a cast CHECK: Alignment should match open parenthesis CHECK: 'useable' may be misspelled - perhaps 'usable'? WARNING: Possible repeated word: 'is' CHECK: spaces preferred around that '*' (ctx:VxV) CHECK: Comparison to NULL could be written "!msg" CHECK: Prefer kzalloc(sizeof(*zc)...) over kzalloc(sizeof(struct...)...) CHECK: Unnecessary parentheses around resp_type->work CHECK: Avoid CamelCase: <xcRB> There is no functional change comming with this patch, only code cleanup, renaming, whitespaces, indenting, ... but no semantic change in any way. Also the API (zcrypt and pkey header file) is semantically unchanged. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Jürgen Christ <jchrist@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
|
#
6acb086d |
|
01-Apr-2022 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: cleanup CPRB struct definitions This patch does a little cleanup on the CPRBX struct in zcrypt.h and the redundant CPRB struct definition in zcrypt_msgtype6.c. Especially some of the misleading fields from the CPRBX struct have been removed. There is no semantic change coming with this patch. The field names changed in the XCRB struct are only related to reserved fields which should never been used. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Jürgen Christ <jchrist@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
|
#
985214af |
|
16-Nov-2021 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: CEX8S exploitation support This patch adds CEX8 exploitation support for the AP bus code, the zcrypt device driver zoo and the vfio device driver. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Jürgen Christ <jchrist@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
|
#
74ecbef7 |
|
29-Apr-2020 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: code beautification and struct field renames Some beautifications related to the internal only used struct ap_message and related code. Instead of one int carrying only the special flag now a u32 flags field is used. At struct CPRBX the pointers to additional data are now marked with __user. This caused some changes needed on code, where these structs are also used within the zcrypt misc functions. The ica_rsa_* structs now use the generic types __u8, __u32, ... instead of char, unsigned int. zcrypt_msg6 and zcrypt_msg50 use min_t() instead of min(). Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
|
#
a7367997 |
|
30-Aug-2019 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: ep11 structs rework, export zcrypt_send_ep11_cprb Minor rework for struct ep11_cprb and struct ep11_urb. Use of u8, u16, u32 instead of unsigned char. Declare pointers to mem from userspace with __user to give sparse a chance to check. Export zcrypt_send_ep11_cprb() function as this function will be called by code in progress which will build ep11 cprbs within the zcrypt device driver zoo and send them to EP11 crypto cards. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
|
#
8f291ebf |
|
30-Aug-2019 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: enable card/domain autoselect on ep11 cprbs For EP11 CPRBs there was only to choose between specify one or more ep11 targets or not give a target at all. Without any target the zcrypt code assumed AUTOSELECT. For EP11 this ended up in choosing any EP11 APQN with regards to the weight. However, CCA CPRBs can have a more fine granular target addressing. The caller can give 0xFFFF as AUTOSELECT for the card and/or the domain. So it's possible to address any card but domain given or any domain but card given. This patch now introduces the very same for EP11 CPRB handling. An EP11 target entry now may contain 0xFFFF as card and/or domain value with the meaning of ANY card or domain. So now the same behavior as with CCA CPRBs becomes possible: Address any card with given domain or address any domain within given card. For convenience the zcrypt.h header file now has two new defines AUTOSEL_AP and AUTOSEL_DOM covering the 0xFFFF value to address card any and domain any. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
|
#
cf2957f3 |
|
16-Aug-2019 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: CEX7S exploitation support This patch adds CEX7 exploitation support for the AP bus code, the zcrypt device driver zoo and the vfio device driver. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
|
#
061c9962 |
|
21-Jul-2019 |
Masahiro Yamada <yamada.masahiro@socionext.com> |
s390: use __u{16,32,64} instead of uint{16,32,64}_t in uapi header When CONFIG_UAPI_HEADER_TEST=y, exported headers are compile-tested to make sure they can be included from user-space. Currently, zcrypt.h is excluded from the test coverage. To make it join the compile-test, we need to fix the build errors attached below. For a case like this, we decided to use __u{8,16,32,64} variable types in this discussion: https://lkml.org/lkml/2019/6/5/18 Build log: CC usr/include/asm/zcrypt.h.s In file included from <command-line>:32:0: ./usr/include/asm/zcrypt.h:163:2: error: unknown type name ‘uint16_t’ uint16_t cprb_len; ^~~~~~~~ ./usr/include/asm/zcrypt.h:168:2: error: unknown type name ‘uint32_t’ uint32_t source_id; ^~~~~~~~ ./usr/include/asm/zcrypt.h:169:2: error: unknown type name ‘uint32_t’ uint32_t target_id; ^~~~~~~~ ./usr/include/asm/zcrypt.h:170:2: error: unknown type name ‘uint32_t’ uint32_t ret_code; ^~~~~~~~ ./usr/include/asm/zcrypt.h:171:2: error: unknown type name ‘uint32_t’ uint32_t reserved1; ^~~~~~~~ ./usr/include/asm/zcrypt.h:172:2: error: unknown type name ‘uint32_t’ uint32_t reserved2; ^~~~~~~~ ./usr/include/asm/zcrypt.h:173:2: error: unknown type name ‘uint32_t’ uint32_t payload_len; ^~~~~~~~ ./usr/include/asm/zcrypt.h:182:2: error: unknown type name ‘uint16_t’ uint16_t ap_id; ^~~~~~~~ ./usr/include/asm/zcrypt.h:183:2: error: unknown type name ‘uint16_t’ uint16_t dom_id; ^~~~~~~~ ./usr/include/asm/zcrypt.h:198:2: error: unknown type name ‘uint16_t’ uint16_t targets_num; ^~~~~~~~ ./usr/include/asm/zcrypt.h:199:2: error: unknown type name ‘uint64_t’ uint64_t targets; ^~~~~~~~ ./usr/include/asm/zcrypt.h:200:2: error: unknown type name ‘uint64_t’ uint64_t weight; ^~~~~~~~ ./usr/include/asm/zcrypt.h:201:2: error: unknown type name ‘uint64_t’ uint64_t req_no; ^~~~~~~~ ./usr/include/asm/zcrypt.h:202:2: error: unknown type name ‘uint64_t’ uint64_t req_len; ^~~~~~~~ ./usr/include/asm/zcrypt.h:203:2: error: unknown type name ‘uint64_t’ uint64_t req; ^~~~~~~~ ./usr/include/asm/zcrypt.h:204:2: error: unknown type name ‘uint64_t’ uint64_t resp_len; ^~~~~~~~ ./usr/include/asm/zcrypt.h:205:2: error: unknown type name ‘uint64_t’ uint64_t resp; ^~~~~~~~ Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
|
#
be534791 |
|
19-Nov-2018 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: improve special ap message cmd handling There exist very few ap messages which need to have the 'special' flag enabled. This flag tells the firmware layer to do some pre- and maybe postprocessing. However, it may happen that this special flag is enabled but the firmware is unable to deal with this kind of message and thus returns with reply code 0x41. For example older firmware may not know the newest messages triggered by the zcrypt device driver and thus react with reject and the named reply code. Unfortunately this reply code is not known to the zcrypt error routines and thus default behavior is to switch the ap queue offline. This patch now makes the ap error routine aware of the reply code and so userspace is informed about the bad processing result but the queue is not switched to offline state any more. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
#
ee410de8 |
|
04-Oct-2018 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: zcrypt device driver cleanup Some cleanup in the s390 zcrypt device driver: - Removed fragments of pcixx crypto card code. This code can't be reached anymore because the hardware detection function does not recognize crypto cards < CEX2 since commit f56545430736 ("s390/zcrypt: Introduce QACT support for AP bus devices.") - Rename of some files and driver names which where still reflecting pcixx support to cex2a/cex2c. - Removed all the zcrypt version strings in the file headers. There is only one place left - the zcrypt.h header file is now the only place for zcrypt device driver version info. - Zcrypt version pump up from 2.2.0 to 2.2.1. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
#
00fab235 |
|
17-Sep-2018 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: multiple zcrypt device nodes support This patch is an extension to the zcrypt device driver to provide, support and maintain multiple zcrypt device nodes. The individual zcrypt device nodes can be restricted in terms of crypto cards, domains and available ioctls. Such a device node can be used as a base for container solutions like docker to control and restrict the access to crypto resources. The handling is done with a new sysfs subdir /sys/class/zcrypt. Echoing a name (or an empty sting) into the attribute "create" creates a new zcrypt device node. In /sys/class/zcrypt a new link will appear which points to the sysfs device tree of this new device. The attribute files "ioctlmask", "apmask" and "aqmask" in this directory are used to customize this new zcrypt device node instance. Finally the zcrypt device node can be destroyed by echoing the name into /sys/class/zcrypt/destroy. The internal structs holding the device info are reference counted - so a destroy will not hard remove a device but only marks it as removable when the reference counter drops to zero. The mask values are bitmaps in big endian order starting with bit 0. So adapter number 0 is the leftmost bit, mask is 0x8000... The sysfs attributes accept 2 different formats: * Absolute hex string starting with 0x like "0x12345678" does set the mask starting from left to right. If the given string is shorter than the mask it is padded with 0s on the right. If the string is longer than the mask an error comes back (EINVAL). * Relative format - a concatenation (done with ',') of the terms +<bitnr>[-<bitnr>] or -<bitnr>[-<bitnr>]. <bitnr> may be any valid number (hex, decimal or octal) in the range 0...255. Here are some examples: "+0-15,+32,-128,-0xFF" "-0-255,+1-16,+0x128" "+1,+2,+3,+4,-5,-7-10" A simple usage examples: # create new zcrypt device 'my_zcrypt': echo "my_zcrypt" >/sys/class/zcrypt/create # go into the device dir of this new device echo "my_zcrypt" >create cd my_zcrypt/ ls -l total 0 -rw-r--r-- 1 root root 4096 Jul 20 15:23 apmask -rw-r--r-- 1 root root 4096 Jul 20 15:23 aqmask -r--r--r-- 1 root root 4096 Jul 20 15:23 dev -rw-r--r-- 1 root root 4096 Jul 20 15:23 ioctlmask lrwxrwxrwx 1 root root 0 Jul 20 15:23 subsystem -> ../../../../class/zcrypt ... # customize this zcrypt node clone # enable only adapter 0 and 2 echo "0xa0" >apmask # enable only domain 6 echo "+6" >aqmask # enable all 256 ioctls echo "+0-255" >ioctls # now the /dev/my_zcrypt may be used # finally destroy it echo "my_zcrypt" >/sys/class/zcrypt/destroy Please note that a very similar 'filtering behavior' also applies to the parent z90crypt device. The two mask attributes apmask and aqmask in /sys/bus/ap act the very same for the z90crypt device node. However the implementation here is totally different as the ap bus acts on bind/unbind of queue devices and associated drivers but the effect is still the same. So there are two filters active for each additional zcrypt device node: The adapter/domain needs to be enabled on the ap bus level and it needs to be active on the zcrypt device node level. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
#
ac2b96f3 |
|
16-Aug-2018 |
Harald Freudenberger <freude@linux.ibm.com> |
s390/zcrypt: code beautify Code beautify by following most of the checkpatch suggestions: - SPDX license identifier line complains by checkpatch - missing space or newline complains by checkpatch - octal numbers for permssions complains by checkpatch - renaming of static sysfs functions complains by checkpatch - fix of block comment complains by checkpatch - fix printf like calls where function name instead of %s __func__ was used - __packed instead of __attribute__((packed)) - init to zero for static variables removed - use of DEVICE_ATTR_RO and DEVICE_ATTR_RW macros No functional code changes or API changes! Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
#
af4a7227 |
|
09-Apr-2018 |
Harald Freudenberger <freude@linux.vnet.ibm.com> |
s390/zcrypt: Support up to 256 crypto adapters. There was an artificial restriction on the card/adapter id to only 6 bits but all the AP commands do support adapter ids with 8 bit. This patch removes this restriction to 64 adapters and now up to 256 adapter can get addressed. Some of the ioctl calls work on the max number of cards possible (which was 64). These ioctls are now deprecated but still supported. All the defines, structs and ioctl interface declarations have been kept for compabibility. There are now new ioctls (and defines for these) with an additional '2' appended which provide the extended versions with 256 cards supported. Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
#
2a80786d |
|
04-Apr-2018 |
Harald Freudenberger <freude@linux.vnet.ibm.com> |
s390/zcrypt: Remove deprecated ioctls. This patch removes the old status calls which have been marked as deprecated since at least 2 years now. There is no known application or library relying on these ioctls any more. Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
#
94bf2f28 |
|
24-Nov-2017 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
s390: include: Remove redundant license text Now that the SPDX tag is in all arch/s390/include/ files, that identifies the license in a specific and legally-defined manner. So the extra GPL text wording can be removed as it is no longer needed at all. This is done on a quest to remove the 700+ different ways that files in the kernel describe the GPL license text. And there's unneeded stuff like the address (sometimes incorrect) for the FSF which is never needed. No copyright headers or other non-license-description text was removed. Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Christian Borntraeger <borntraeger@de.ibm.com> Cc: Cornelia Huck <cohuck@redhat.com> Cc: Halil Pasic <pasic@linux.vnet.ibm.com> Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
#
e2be04c7 |
|
01-Nov-2017 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
License cleanup: add SPDX license identifier to uapi header files with a license Many user space API headers have licensing information, which is either incomplete, badly formatted or just a shorthand for referring to the license under which the file is supposed to be. This makes it hard for compliance tools to determine the correct license. Update these files with an SPDX license identifier. The identifier was chosen based on the license information in the file. GPL/LGPL licensed headers get the matching GPL/LGPL SPDX license identifier with the added 'WITH Linux-syscall-note' exception, which is the officially assigned exception identifier for the kernel syscall exception: NOTE! This copyright does *not* cover user programs that use kernel services by normal system calls - this is merely considered normal use of the kernel, and does *not* fall under the heading of "derived work". This exception makes it possible to include GPL headers into non GPL code, without confusing license compliance tools. Headers which have either explicit dual licensing or are just licensed under a non GPL license are updated with the corresponding SPDX identifier and the GPLv2 with syscall exception identifier. The format is: ((GPL-2.0 WITH Linux-syscall-note) OR SPDX-ID-OF-OTHER-LICENSE) SPDX license identifiers are a legally binding shorthand, which can be used instead of the full boiler plate text. The update does not remove existing license information as this has to be done on a case by case basis and the copyright holders might have to be consulted. This will happen in a separate step. This patch is based on work done by Thomas Gleixner and Kate Stewart and Philippe Ombredanne. See the previous patch in this series for the methodology of how this patch was researched. Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
b886a9d1 |
|
25-Aug-2016 |
Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com> |
s390/zcrypt: Introduce new zcrypt device status API Introduce new ioctl (ZDEVICESTATUS) to provide detailed information, like hardware type, domains, status and functionality of available crypto devices. Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
#
91f3e3ea |
|
20-Nov-2013 |
Ingo Tuchscherer <ingo.tuchscherer@de.ibm.com> |
s390/zcrypt: add support for EP11 coprocessor cards This feature extends the generic cryptographic device driver (zcrypt) with a new capability to service EP11 requests for the Crypto Express4S card in EP11 (Enterprise PKCS#11 mode) coprocessor mode. Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
#
9807f759 |
|
09-Oct-2012 |
David Howells <dhowells@redhat.com> |
UAPI: (Scripted) Disintegrate arch/s390/include/asm Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com>
|