23 #define SECKEYBLOBSIZE	64	   /* secure key blob size is always 64 bytes */
24 #define PROTKEYBLOBSIZE 80	/* protected key blob size is always 80 bytes */
25 #define MAXPROTKEYSIZE	64	/* a protected key blob may be up to 64 bytes */
26 #define MAXCLRKEYSIZE	32	   /* a clear key value may be up to 32 bytes */
28 #define MINEP11AESKEYBLOBSIZE 256  /* min EP11 AES key blob size  */
29 #define MAXEP11AESKEYBLOBSIZE 336  /* max EP11 AES key blob size */
31 /* Minimum size of a key blob */
55 /* the newer ioctls use a pkey_key_size enum for key size information */
83 /* Struct to hold a CCA AES secure key blob */
85 	__u8  seckey[SECKEYBLOBSIZE];		  /* the secure key blob */
88 /* Struct to hold protected key and length info */
90 	__u32 type;	 /* key type, one of the PKEY_KEYTYPE_AES values */
92 	__u8  protkey[MAXPROTKEYSIZE];	       /* the protected key blob */
95 /* Struct to hold an AES clear key value */
97 	__u8  clrkey[MAXCLRKEYSIZE]; /* 16, 24, or 32 byte clear key value */
101  * EP11 key blobs of type PKEY_TYPE_EP11_AES and PKEY_TYPE_EP11_ECC
110 	__u16 bitlen;	/* clear key bit len, 0 for unknown */
115  * Generate CCA AES secure key.
120 	__u32 keytype;		    /* in: key type to generate		 */
121 	struct pkey_seckey seckey;  /* out: the secure key blob		 */
126  * Construct CCA AES secure key from clear key value
131 	__u32 keytype;		    /* in: key type to generate		 */
132 	struct pkey_clrkey clrkey;  /* in: the clear key value		 */
133 	struct pkey_seckey seckey;  /* out: the secure key blob		 */
138  * Fabricate AES protected key from a CCA AES secure key
143 	struct pkey_seckey seckey;   /* in: the secure key blob		  */
144 	struct pkey_protkey protkey; /* out: the protected key		  */
149  * Fabricate AES protected key from clear key value
152 	__u32 keytype;		     /* in: key type to generate	  */
153 	struct pkey_clrkey clrkey;   /* in: the clear key value		  */
154 	struct pkey_protkey protkey; /* out: the protected key		  */
160  * Verification Pattern provided inside a CCA AES secure key.
163 	struct pkey_seckey seckey;	       /* in: the secure key blob */
173 	struct pkey_seckey seckey;   /* in: the secure key blob		  */
174 	struct pkey_protkey protkey; /* out: the protected key		  */
179  * Verify the given CCA AES secure key for being able to be usable with
180  * the pkey module. Check for correct key type and check for having at
181  * least one crypto card being able to handle this key (master key
182  * or old master key verification pattern matches).
183  * Return some info about the key: keysize in bits, keytype (currently
184  * only AES), flag if key is wrapped with an old MKVP.
187 	struct pkey_seckey seckey;	       /* in: the secure key blob */
190 	__u16  keysize;			       /* out: key size in bits   */
194 #define PKEY_VERIFY_ATTR_AES	   0x00000001  /* key is an AES key */
195 #define PKEY_VERIFY_ATTR_OLD_MKVP  0x00000100  /* key has old MKVP value */
198  * Generate AES random protected key.
201 	__u32 keytype;			       /* in: key type to generate */
202 	struct pkey_protkey protkey;	       /* out: the protected key   */
208  * Verify an AES protected key.
211 	struct pkey_protkey protkey;	/* in: the protected key to verify */
217  * Transform an key blob (of any type) into a protected key
220 	__u8 __user *key;		/* in: the key blob	   */
221 	__u32 keylen;			/* in: the key blob length */
222 	struct pkey_protkey protkey;	/* out: the protected key  */
227  * Generate secure key, version 2.
228  * Generate CCA AES secure key, CCA AES cipher key or EP11 AES secure key.
236  * generate a list of apqns based on the key type to generate.
238  * individual for the key type and has a key type specific meaning. When
240  * flags to widen the export possibilities. By default a cipher key is
242  * The keygenflag argument for generating an EP11 AES key should either be 0
249 	enum pkey_key_type type;    /* in: key type to generate		  */
250 	enum pkey_key_size size;    /* in: key size to generate		  */
251 	__u32 keygenflags;	    /* in: key generation flags		  */
252 	__u8 __user *key;	    /* in: pointer to key blob buffer	  */
253 	__u32 keylen;		    /* in: available key blob buffer size */
254 				    /* out: actual key blob size	  */
259  * Generate secure key from clear key value, version 2.
260  * Construct an CCA AES secure key, CCA AES cipher key or EP11 AES secure
261  * key from a given clear key value.
269  * generate a list of apqns based on the key type to generate.
271  * individual for the key type and has a key type specific meaning. When
273  * flags to widen the export possibilities. By default a cipher key is
275  * The keygenflag argument for generating an EP11 AES key should either be 0
282 	enum pkey_key_type type;    /* in: key type to generate		   */
283 	enum pkey_key_size size;    /* in: key size to generate		   */
284 	__u32 keygenflags;	    /* in: key generation flags		   */
285 	struct pkey_clrkey clrkey;  /* in: the clear key value		   */
286 	__u8 __user *key;	    /* in: pointer to key blob buffer	   */
287 	__u32 keylen;		    /* in: available key blob buffer size  */
288 				    /* out: actual key blob size	   */
293  * Verify the given secure key, version 2.
294  * Check for correct key type. If cardnr and domain are given (are not
295  * 0xFFFF) also check if this apqn is able to handle this type of key.
297  * with one apqn able to handle this key.
298  * The function also checks for the master key verification patterns
299  * of the key matching to the current or alternate mkvp of the apqn.
301  * the key's mkvp against the current or old mkvp of the apqns. The flags
303  * match: If the current mkvp matches to the key's mkvp then the
305  * the key's mkvp the PKEY_FLAGS_MATCH_ALT_MKVP is set. For CCA keys the
306  * alternate mkvp is the old master key verification pattern.
309  * EP11 keys are also supported and the wkvp of the key is checked against
311  * key and so on a match the flag PKEY_FLAGS_MATCH_CUR_MKVP always is set.
314  * matches with the current or alternate mkvp to the key's mkvp. If the given
319 	__u8 __user *key;	    /* in: pointer to key blob		 */
320 	__u32 keylen;		    /* in: key blob size		 */
323 	enum pkey_key_type type;    /* out: the key type		 */
324 	enum pkey_key_size size;    /* out: the key size		 */
325 	__u32 flags;		    /* out: additional key info flags	 */
330  * Transform a key blob into a protected key, version 2.
338  * generate a list of apqns based on the key.
343 	__u8 __user *key;	     /* in: pointer to key blob		   */
344 	__u32 keylen;		     /* in: key blob size		   */
347 	struct pkey_protkey protkey; /* out: the protected key		   */
352  * Build a list of APQNs based on a key blob given.
353  * Is able to find out which type of secure key is given (CCA AES secure
354  * key, CCA AES cipher key, CCA ECC private key, EP11 AES key, EP11 ECC private
355  * key) and tries to find all matching crypto cards based on the MKVP and maybe
358  * APQNs is further filtered by the key's mkvp which needs to match to either
367  * the wkvp from the key to match against the apqn's wkvp.
378 	__u8 __user *key;	   /* in: pointer to key blob		      */
379 	__u32 keylen;		   /* in: key blob size			      */
388  * Build a list of APQNs based on a key type given.
389  * Build a list of APQNs based on a given key type and maybe further
390  * restrict the list by given master key verification patterns.
391  * For different key types there may be different ways to match the
392  * master key verification patterns. For CCA keys (CCA data key and CCA
393  * cipher key) the first 8 bytes of cur_mkvp refer to the current AES mkvp value
416 	enum pkey_key_type type;   /* in: key type			      */
427  * Transform a key blob into a protected key, version 3.
428  * The difference to version 2 of this ioctl is that the protected key
439  * generate a list of apqns based on the key.
442 	__u8 __user *key;	     /* in: pointer to key blob		   */
443 	__u32 keylen;		     /* in: key blob size		   */
446 	__u32 pkeytype;		/* out: prot key type (enum pkey_key_type) */

Indexes created Sat May 25 20:21:57 MDT 2024