s390/pkey: Add sysfs attributes to emit secure key blobs

Add binary read-only sysfs attributes for the pkey module that can be used to read random ccadata secure keys from. Keys are read from these attributes using a cat-like interface. A typical use case for those keys is to encrypt a swap device using the paes cipher. During processing of /etc/crypttab, the random random ccadata secure key to encrypt the swap device is read from one of the attributes. The following attributes are added: ccadata/aes_128 ccadata/aes_192 ccadata/aes_256 ccadata/aes_128_xts ccadata/aes_256_xts Each attribute emits a secure key blob for the corresponding key size and cipher mode. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
author: Ingo Franzki <ifranzki@linux.ibm.com> 2018-08-24 04:29:43 -0400
committer: Martin Schwidefsky <schwidefsky@de.ibm.com> 2018-10-10 01:37:17 -0400
commit: af504452d10ece7c6d68bc9f90f478ebecd7ce76 (patch)
tree: 904566d846351ce6bff8fa1d454dd67f6ae81de1 /drivers/s390/crypto/pkey_api.c
parent: d632c0478d64427cfbca999955e02b26986ae09e (diff)
1 files changed, 104 insertions, 0 deletions
diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index b4d88411b1bd..d0160a18081a 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -1375,8 +1375,112 @@ static struct attribute_group protkey_attr_group = {
        .bin_attrs = protkey_attrs,
 };
+/*
+ * Sysfs attribute read function for all secure key ccadata binary attributes.
+ * The implementation can not deal with partial reads, because a new random
+ * protected key blob is generated with each read. In case of partial reads
+ * (i.e. off != 0 or count < key blob size) -EINVAL is returned.
+ */
+static ssize_t pkey_ccadata_aes_attr_read(u32 keytype, bool is_xts, char *buf,
+                                          loff_t off, size_t count)
+{
+        int rc;
+        if (off != 0 || count < sizeof(struct secaeskeytoken))
+                return -EINVAL;
+        if (is_xts)
+                if (count < 2 * sizeof(struct secaeskeytoken))
+                        return -EINVAL;
+        rc = pkey_genseckey(-1, -1, keytype, (struct pkey_seckey *)buf);
+        if (rc)
+                return rc;
+        if (is_xts) {
+                buf += sizeof(struct pkey_seckey);
+                rc = pkey_genseckey(-1, -1, keytype, (struct pkey_seckey *)buf);
+                if (rc)
+                        return rc;
+                return 2 * sizeof(struct secaeskeytoken);
+        }
+        return sizeof(struct secaeskeytoken);
+}
+static ssize_t ccadata_aes_128_read(struct file *filp,
+                                    struct kobject *kobj,
+                                    struct bin_attribute *attr,
+                                    char *buf, loff_t off,
+                                    size_t count)
+{
+        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
+                                          off, count);
+}
+static ssize_t ccadata_aes_192_read(struct file *filp,
+                                    struct kobject *kobj,
+                                    struct bin_attribute *attr,
+                                    char *buf, loff_t off,
+                                    size_t count)
+{
+        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
+                                          off, count);
+}
+static ssize_t ccadata_aes_256_read(struct file *filp,
+                                    struct kobject *kobj,
+                                    struct bin_attribute *attr,
+                                    char *buf, loff_t off,
+                                    size_t count)
+{
+        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
+                                          off, count);
+}
+static ssize_t ccadata_aes_128_xts_read(struct file *filp,
+                                        struct kobject *kobj,
+                                        struct bin_attribute *attr,
+                                        char *buf, loff_t off,
+                                        size_t count)
+{
+        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
+                                          off, count);
+}
+static ssize_t ccadata_aes_256_xts_read(struct file *filp,
+                                        struct kobject *kobj,
+                                        struct bin_attribute *attr,
+                                        char *buf, loff_t off,
+                                        size_t count)
+{
+        return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
+                                          off, count);
+}
+static BIN_ATTR_RO(ccadata_aes_128, sizeof(struct secaeskeytoken));
+static BIN_ATTR_RO(ccadata_aes_192, sizeof(struct secaeskeytoken));
+static BIN_ATTR_RO(ccadata_aes_256, sizeof(struct secaeskeytoken));
+static BIN_ATTR_RO(ccadata_aes_128_xts, 2 * sizeof(struct secaeskeytoken));
+static BIN_ATTR_RO(ccadata_aes_256_xts, 2 * sizeof(struct secaeskeytoken));
+static struct bin_attribute *ccadata_attrs[] = {
+        &bin_attr_ccadata_aes_128,
+        &bin_attr_ccadata_aes_192,
+        &bin_attr_ccadata_aes_256,
+        &bin_attr_ccadata_aes_128_xts,
+        &bin_attr_ccadata_aes_256_xts,
+        NULL
+};
+static struct attribute_group ccadata_attr_group = {
+        .name      = "ccadata",
+        .bin_attrs = ccadata_attrs,
+};
 static const struct attribute_group *pkey_attr_groups[] = {
        &protkey_attr_group,
+        &ccadata_attr_group,
        NULL,
 };
author	Ingo Franzki <ifranzki@linux.ibm.com>	2018-08-24 04:29:43 -0400
committer	Martin Schwidefsky <schwidefsky@de.ibm.com>	2018-10-10 01:37:17 -0400
commit	af504452d10ece7c6d68bc9f90f478ebecd7ce76 (patch)
tree	904566d846351ce6bff8fa1d454dd67f6ae81de1 /drivers/s390/crypto/pkey_api.c
parent	d632c0478d64427cfbca999955e02b26986ae09e (diff)

diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index b4d88411b1bd..d0160a18081a 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c
@@ -1375,8 +1375,112 @@ static struct attribute_group protkey_attr_group = {
1375	.bin_attrs = protkey_attrs,	1375	.bin_attrs = protkey_attrs,
1376	};	1376	};
1377		1377
		1378	/*
		1379	* Sysfs attribute read function for all secure key ccadata binary attributes.
		1380	* The implementation can not deal with partial reads, because a new random
		1381	* protected key blob is generated with each read. In case of partial reads
		1382	* (i.e. off != 0 or count < key blob size) -EINVAL is returned.
		1383	*/
		1384	static ssize_t pkey_ccadata_aes_attr_read(u32 keytype, bool is_xts, char *buf,
		1385	loff_t off, size_t count)
		1386	{
		1387	int rc;
		1388
		1389	if (off != 0 \|\| count < sizeof(struct secaeskeytoken))
		1390	return -EINVAL;
		1391	if (is_xts)
		1392	if (count < 2 * sizeof(struct secaeskeytoken))
		1393	return -EINVAL;
		1394
		1395	rc = pkey_genseckey(-1, -1, keytype, (struct pkey_seckey *)buf);
		1396	if (rc)
		1397	return rc;
		1398
		1399	if (is_xts) {
		1400	buf += sizeof(struct pkey_seckey);
		1401	rc = pkey_genseckey(-1, -1, keytype, (struct pkey_seckey *)buf);
		1402	if (rc)
		1403	return rc;
		1404
		1405	return 2 * sizeof(struct secaeskeytoken);
		1406	}
		1407
		1408	return sizeof(struct secaeskeytoken);
		1409	}
		1410
		1411	static ssize_t ccadata_aes_128_read(struct file *filp,
		1412	struct kobject *kobj,
		1413	struct bin_attribute *attr,
		1414	char *buf, loff_t off,
		1415	size_t count)
		1416	{
		1417	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, false, buf,
		1418	off, count);
		1419	}
		1420
		1421	static ssize_t ccadata_aes_192_read(struct file *filp,
		1422	struct kobject *kobj,
		1423	struct bin_attribute *attr,
		1424	char *buf, loff_t off,
		1425	size_t count)
		1426	{
		1427	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_192, false, buf,
		1428	off, count);
		1429	}
		1430
		1431	static ssize_t ccadata_aes_256_read(struct file *filp,
		1432	struct kobject *kobj,
		1433	struct bin_attribute *attr,
		1434	char *buf, loff_t off,
		1435	size_t count)
		1436	{
		1437	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, false, buf,
		1438	off, count);
		1439	}
		1440
		1441	static ssize_t ccadata_aes_128_xts_read(struct file *filp,
		1442	struct kobject *kobj,
		1443	struct bin_attribute *attr,
		1444	char *buf, loff_t off,
		1445	size_t count)
		1446	{
		1447	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_128, true, buf,
		1448	off, count);
		1449	}
		1450
		1451	static ssize_t ccadata_aes_256_xts_read(struct file *filp,
		1452	struct kobject *kobj,
		1453	struct bin_attribute *attr,
		1454	char *buf, loff_t off,
		1455	size_t count)
		1456	{
		1457	return pkey_ccadata_aes_attr_read(PKEY_KEYTYPE_AES_256, true, buf,
		1458	off, count);
		1459	}
		1460
		1461	static BIN_ATTR_RO(ccadata_aes_128, sizeof(struct secaeskeytoken));
		1462	static BIN_ATTR_RO(ccadata_aes_192, sizeof(struct secaeskeytoken));
		1463	static BIN_ATTR_RO(ccadata_aes_256, sizeof(struct secaeskeytoken));
		1464	static BIN_ATTR_RO(ccadata_aes_128_xts, 2 * sizeof(struct secaeskeytoken));
		1465	static BIN_ATTR_RO(ccadata_aes_256_xts, 2 * sizeof(struct secaeskeytoken));
		1466
		1467	static struct bin_attribute *ccadata_attrs[] = {
		1468	&bin_attr_ccadata_aes_128,
		1469	&bin_attr_ccadata_aes_192,
		1470	&bin_attr_ccadata_aes_256,
		1471	&bin_attr_ccadata_aes_128_xts,
		1472	&bin_attr_ccadata_aes_256_xts,
		1473	NULL
		1474	};
		1475
		1476	static struct attribute_group ccadata_attr_group = {
		1477	.name = "ccadata",
		1478	.bin_attrs = ccadata_attrs,
		1479	};
		1480
1378	static const struct attribute_group *pkey_attr_groups[] = {	1481	static const struct attribute_group *pkey_attr_groups[] = {
1379	&protkey_attr_group,	1482	&protkey_attr_group,
		1483	&ccadata_attr_group,
1380	NULL,	1484	NULL,
1381	};	1485	};
1382		1486