summaryrefslogtreecommitdiff
path: root/arch/s390/include/asm/pkey.h
blob: 9b6e79077866b253f211820a7e64074ffee81f50 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Kernelspace interface to the pkey device driver
 *
 * Copyright IBM Corp. 2016
 *
 * Author: Harald Freudenberger <freude@de.ibm.com>
 *
 */

#ifndef _KAPI_PKEY_H
#define _KAPI_PKEY_H

#include <linux/ioctl.h>
#include <linux/types.h>
#include <uapi/asm/pkey.h>

/*
 * Generate (AES) random secure key.
 * @param cardnr may be -1 (use default card)
 * @param domain may be -1 (use default domain)
 * @param keytype one of the PKEY_KEYTYPE values
 * @param seckey pointer to buffer receiving the secure key
 * @return 0 on success, negative errno value on failure
 */
int pkey_genseckey(__u16 cardnr, __u16 domain,
		   __u32 keytype, struct pkey_seckey *seckey);

/*
 * Generate (AES) secure key with given key value.
 * @param cardnr may be -1 (use default card)
 * @param domain may be -1 (use default domain)
 * @param keytype one of the PKEY_KEYTYPE values
 * @param clrkey pointer to buffer with clear key data
 * @param seckey pointer to buffer receiving the secure key
 * @return 0 on success, negative errno value on failure
 */
int pkey_clr2seckey(__u16 cardnr, __u16 domain, __u32 keytype,
		    const struct pkey_clrkey *clrkey,
		    struct pkey_seckey *seckey);

/*
 * Derive (AES) proteced key from the (AES) secure key blob.
 * @param cardnr may be -1 (use default card)
 * @param domain may be -1 (use default domain)
 * @param seckey pointer to buffer with the input secure key
 * @param protkey pointer to buffer receiving the protected key and
 *	  additional info (type, length)
 * @return 0 on success, negative errno value on failure
 */
int pkey_sec2protkey(__u16 cardnr, __u16 domain,
		     const struct pkey_seckey *seckey,
		     struct pkey_protkey *protkey);

/*
 * Derive (AES) protected key from a given clear key value.
 * @param keytype one of the PKEY_KEYTYPE values
 * @param clrkey pointer to buffer with clear key data
 * @param protkey pointer to buffer receiving the protected key and
 *	  additional info (type, length)
 * @return 0 on success, negative errno value on failure
 */
int pkey_clr2protkey(__u32 keytype,
		     const struct pkey_clrkey *clrkey,
		     struct pkey_protkey *protkey);

/*
 * Search for a matching crypto card based on the Master Key
 * Verification Pattern provided inside a secure key.
 * @param seckey pointer to buffer with the input secure key
 * @param cardnr pointer to cardnr, receives the card number on success
 * @param domain pointer to domain, receives the domain number on success
 * @param verify if set, always verify by fetching verification pattern
 *	  from card
 * @return 0 on success, negative errno value on failure. If no card could be
 *	   found, -ENODEV is returned.
 */
int pkey_findcard(const struct pkey_seckey *seckey,
		  __u16 *cardnr, __u16 *domain, int verify);

/*
 * Find card and transform secure key to protected key.
 * @param seckey pointer to buffer with the input secure key
 * @param protkey pointer to buffer receiving the protected key and
 *	  additional info (type, length)
 * @return 0 on success, negative errno value on failure
 */
int pkey_skey2pkey(const struct pkey_seckey *seckey,
		   struct pkey_protkey *protkey);

/*
 * Verify the given secure key for being able to be useable with
 * the pkey module. Check for correct key type and check for having at
 * least one crypto card being able to handle this key (master key
 * or old master key verification pattern matches).
 * Return some info about the key: keysize in bits, keytype (currently
 * only AES), flag if key is wrapped with an old MKVP.
 * @param seckey pointer to buffer with the input secure key
 * @param pcardnr pointer to cardnr, receives the card number on success
 * @param pdomain pointer to domain, receives the domain number on success
 * @param pkeysize pointer to keysize, receives the bitsize of the key
 * @param pattributes pointer to attributes, receives additional info
 *	  PKEY_VERIFY_ATTR_AES if the key is an AES key
 *	  PKEY_VERIFY_ATTR_OLD_MKVP if key has old mkvp stored in
 * @return 0 on success, negative errno value on failure. If no card could
 *	   be found which is able to handle this key, -ENODEV is returned.
 */
int pkey_verifykey(const struct pkey_seckey *seckey,
		   u16 *pcardnr, u16 *pdomain,
		   u16 *pkeysize, u32 *pattributes);

/*
 * In-kernel API: Generate (AES) random protected key.
 * @param keytype one of the PKEY_KEYTYPE values
 * @param protkey pointer to buffer receiving the protected key
 * @return 0 on success, negative errno value on failure
 */
int pkey_genprotkey(__u32 keytype, struct pkey_protkey *protkey);

/*
 * In-kernel API: Verify an (AES) protected key.
 * @param protkey pointer to buffer containing the protected key to verify
 * @return 0 on success, negative errno value on failure. In case the protected
 * key is not valid -EKEYREJECTED is returned
 */
int pkey_verifyprotkey(const struct pkey_protkey *protkey);

/*
 * In-kernel API: Transform an key blob (of any type) into a protected key.
 * @param key pointer to a buffer containing the key blob
 * @param keylen size of the key blob in bytes
 * @param protkey pointer to buffer receiving the protected key
 * @return 0 on success, negative errno value on failure
 */
int pkey_keyblob2pkey(const __u8 *key, __u32 keylen,
		      struct pkey_protkey *protkey);

#endif /* _KAPI_PKEY_H */