s390/pkey: Add sysfs attributes to emit protected key blobs

Add binary read-only sysfs attributes for the pkey module that can be used to read random protected keys from. Keys are read from these attributes using a cat-like interface. A typical use case for those keys is to encrypt a swap device using the paes cipher. During processing of /etc/crypttab, the random protected key to encrypt the swap device is read from one of the attributes. The following attributes are added: protkey/aes_128 protkey/aes_192 protkey/aes_256 protkey/aes_128_xts protkey/aes_256_xts Each attribute emits a protected key blob for the corresponding key size and cipher mode. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
author: Ingo Franzki <ifranzki@linux.ibm.com> 2018-08-23 10:59:30 -0400
committer: Martin Schwidefsky <schwidefsky@de.ibm.com> 2018-10-10 01:37:14 -0400
commit: d632c0478d64427cfbca999955e02b26986ae09e (patch)
tree: 9ee834f18deae76e23d980e1ad905b529cbd4200
parent: 0534bde7de19a2e66c2b2bf05fcfd00a7cc849fa (diff)
1 files changed, 127 insertions, 0 deletions
diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index fa1044f93f0e..b4d88411b1bd 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -1254,6 +1254,132 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
 /*
 * Sysfs and file io operations
 */
+/*
+ * Sysfs attribute read function for all protected key binary attributes.
+ * The implementation can not deal with partial reads, because a new random
+ * protected key blob is generated with each read. In case of partial reads
+ * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
+ */
+static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
+                                          loff_t off, size_t count)
+{
+        struct protaeskeytoken protkeytoken;
+        struct pkey_protkey protkey;
+        int rc;
+        if (off != 0 || count < sizeof(protkeytoken))
+                return -EINVAL;
+        if (is_xts)
+                if (count < 2 * sizeof(protkeytoken))
+                        return -EINVAL;
+        memset(&protkeytoken, 0, sizeof(protkeytoken));
+        protkeytoken.type = TOKTYPE_NON_CCA;
+        protkeytoken.version = TOKVER_PROTECTED_KEY;
+        protkeytoken.keytype = keytype;
+        rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
+        if (rc)
+                return rc;
+        protkeytoken.len = protkey.len;
+        memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
+        memcpy(buf, &protkeytoken, sizeof(protkeytoken));
+        if (is_xts) {
+                rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
+                if (rc)
+                        return rc;
+                protkeytoken.len = protkey.len;
+                memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
+                memcpy(buf + sizeof(protkeytoken), &protkeytoken,
+                       sizeof(protkeytoken));
+                return 2 * sizeof(protkeytoken);
+        }
+        return sizeof(protkeytoken);
+}
+static ssize_t protkey_aes_128_read(struct file *filp,
+                                    struct kobject *kobj,
+                                    struct bin_attribute *attr,
+                                    char *buf, loff_t off,
+                                    size_t count)
+{
+        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
+                                          off, count);
+}
+static ssize_t protkey_aes_192_read(struct file *filp,
+                                    struct kobject *kobj,
+                                    struct bin_attribute *attr,
+                                    char *buf, loff_t off,
+                                    size_t count)
+{
+        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
+                                          off, count);
+}
+static ssize_t protkey_aes_256_read(struct file *filp,
+                                    struct kobject *kobj,
+                                    struct bin_attribute *attr,
+                                    char *buf, loff_t off,
+                                    size_t count)
+{
+        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
+                                          off, count);
+}
+static ssize_t protkey_aes_128_xts_read(struct file *filp,
+                                        struct kobject *kobj,
+                                        struct bin_attribute *attr,
+                                        char *buf, loff_t off,
+                                        size_t count)
+{
+        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
+                                          off, count);
+}
+static ssize_t protkey_aes_256_xts_read(struct file *filp,
+                                        struct kobject *kobj,
+                                        struct bin_attribute *attr,
+                                        char *buf, loff_t off,
+                                        size_t count)
+{
+        return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
+                                          off, count);
+}
+static BIN_ATTR_RO(protkey_aes_128, sizeof(struct protaeskeytoken));
+static BIN_ATTR_RO(protkey_aes_192, sizeof(struct protaeskeytoken));
+static BIN_ATTR_RO(protkey_aes_256, sizeof(struct protaeskeytoken));
+static BIN_ATTR_RO(protkey_aes_128_xts, 2 * sizeof(struct protaeskeytoken));
+static BIN_ATTR_RO(protkey_aes_256_xts, 2 * sizeof(struct protaeskeytoken));
+static struct bin_attribute *protkey_attrs[] = {
+        &bin_attr_protkey_aes_128,
+        &bin_attr_protkey_aes_192,
+        &bin_attr_protkey_aes_256,
+        &bin_attr_protkey_aes_128_xts,
+        &bin_attr_protkey_aes_256_xts,
+        NULL
+};
+static struct attribute_group protkey_attr_group = {
+        .name      = "protkey",
+        .bin_attrs = protkey_attrs,
+};
+static const struct attribute_group *pkey_attr_groups[] = {
+        &protkey_attr_group,
+        NULL,
+};
 static const struct file_operations pkey_fops = {
        .owner          = THIS_MODULE,
        .open           = nonseekable_open,
@@ -1266,6 +1392,7 @@ static struct miscdevice pkey_dev = {
        .minor  = MISC_DYNAMIC_MINOR,
        .mode   = 0666,
        .fops   = &pkey_fops,
+        .groups = pkey_attr_groups,
 };
 /*
author	Ingo Franzki <ifranzki@linux.ibm.com>	2018-08-23 10:59:30 -0400
committer	Martin Schwidefsky <schwidefsky@de.ibm.com>	2018-10-10 01:37:14 -0400
commit	d632c0478d64427cfbca999955e02b26986ae09e (patch)
tree	9ee834f18deae76e23d980e1ad905b529cbd4200
parent	0534bde7de19a2e66c2b2bf05fcfd00a7cc849fa (diff)

diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index fa1044f93f0e..b4d88411b1bd 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c
@@ -1254,6 +1254,132 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
1254	/*	1254	/*
1255	* Sysfs and file io operations	1255	* Sysfs and file io operations
1256	*/	1256	*/
		1257
		1258	/*
		1259	* Sysfs attribute read function for all protected key binary attributes.
		1260	* The implementation can not deal with partial reads, because a new random
		1261	* protected key blob is generated with each read. In case of partial reads
		1262	* (i.e. off != 0 or count < key blob size) -EINVAL is returned.
		1263	*/
		1264	static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
		1265	loff_t off, size_t count)
		1266	{
		1267	struct protaeskeytoken protkeytoken;
		1268	struct pkey_protkey protkey;
		1269	int rc;
		1270
		1271	if (off != 0 \|\| count < sizeof(protkeytoken))
		1272	return -EINVAL;
		1273	if (is_xts)
		1274	if (count < 2 * sizeof(protkeytoken))
		1275	return -EINVAL;
		1276
		1277	memset(&protkeytoken, 0, sizeof(protkeytoken));
		1278	protkeytoken.type = TOKTYPE_NON_CCA;
		1279	protkeytoken.version = TOKVER_PROTECTED_KEY;
		1280	protkeytoken.keytype = keytype;
		1281
		1282	rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
		1283	if (rc)
		1284	return rc;
		1285
		1286	protkeytoken.len = protkey.len;
		1287	memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
		1288
		1289	memcpy(buf, &protkeytoken, sizeof(protkeytoken));
		1290
		1291	if (is_xts) {
		1292	rc = pkey_genprotkey(protkeytoken.keytype, &protkey);
		1293	if (rc)
		1294	return rc;
		1295
		1296	protkeytoken.len = protkey.len;
		1297	memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
		1298
		1299	memcpy(buf + sizeof(protkeytoken), &protkeytoken,
		1300	sizeof(protkeytoken));
		1301
		1302	return 2 * sizeof(protkeytoken);
		1303	}
		1304
		1305	return sizeof(protkeytoken);
		1306	}
		1307
		1308	static ssize_t protkey_aes_128_read(struct file *filp,
		1309	struct kobject *kobj,
		1310	struct bin_attribute *attr,
		1311	char *buf, loff_t off,
		1312	size_t count)
		1313	{
		1314	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
		1315	off, count);
		1316	}
		1317
		1318	static ssize_t protkey_aes_192_read(struct file *filp,
		1319	struct kobject *kobj,
		1320	struct bin_attribute *attr,
		1321	char *buf, loff_t off,
		1322	size_t count)
		1323	{
		1324	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
		1325	off, count);
		1326	}
		1327
		1328	static ssize_t protkey_aes_256_read(struct file *filp,
		1329	struct kobject *kobj,
		1330	struct bin_attribute *attr,
		1331	char *buf, loff_t off,
		1332	size_t count)
		1333	{
		1334	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
		1335	off, count);
		1336	}
		1337
		1338	static ssize_t protkey_aes_128_xts_read(struct file *filp,
		1339	struct kobject *kobj,
		1340	struct bin_attribute *attr,
		1341	char *buf, loff_t off,
		1342	size_t count)
		1343	{
		1344	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
		1345	off, count);
		1346	}
		1347
		1348	static ssize_t protkey_aes_256_xts_read(struct file *filp,
		1349	struct kobject *kobj,
		1350	struct bin_attribute *attr,
		1351	char *buf, loff_t off,
		1352	size_t count)
		1353	{
		1354	return pkey_protkey_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
		1355	off, count);
		1356	}
		1357
		1358	static BIN_ATTR_RO(protkey_aes_128, sizeof(struct protaeskeytoken));
		1359	static BIN_ATTR_RO(protkey_aes_192, sizeof(struct protaeskeytoken));
		1360	static BIN_ATTR_RO(protkey_aes_256, sizeof(struct protaeskeytoken));
		1361	static BIN_ATTR_RO(protkey_aes_128_xts, 2 * sizeof(struct protaeskeytoken));
		1362	static BIN_ATTR_RO(protkey_aes_256_xts, 2 * sizeof(struct protaeskeytoken));
		1363
		1364	static struct bin_attribute *protkey_attrs[] = {
		1365	&bin_attr_protkey_aes_128,
		1366	&bin_attr_protkey_aes_192,
		1367	&bin_attr_protkey_aes_256,
		1368	&bin_attr_protkey_aes_128_xts,
		1369	&bin_attr_protkey_aes_256_xts,
		1370	NULL
		1371	};
		1372
		1373	static struct attribute_group protkey_attr_group = {
		1374	.name = "protkey",
		1375	.bin_attrs = protkey_attrs,
		1376	};
		1377
		1378	static const struct attribute_group *pkey_attr_groups[] = {
		1379	&protkey_attr_group,
		1380	NULL,
		1381	};
		1382
1257	static const struct file_operations pkey_fops = {	1383	static const struct file_operations pkey_fops = {
1258	.owner = THIS_MODULE,	1384	.owner = THIS_MODULE,
1259	.open = nonseekable_open,	1385	.open = nonseekable_open,
@@ -1266,6 +1392,7 @@ static struct miscdevice pkey_dev = {
1266	.minor = MISC_DYNAMIC_MINOR,	1392	.minor = MISC_DYNAMIC_MINOR,
1267	.mode = 0666,	1393	.mode = 0666,
1268	.fops = &pkey_fops,	1394	.fops = &pkey_fops,
		1395	.groups = pkey_attr_groups,
1269	};	1396	};
1270		1397
1271	/*	1398	/*