s390/pkey: Add sysfs attributes to emit AES CIPHER key blobs
Now that the pkey kernel module also supports CCA AES CIPHER keys: Add binary read-only sysfs attributes for the pkey module that can be used to read random CCA AES CIPHER secure keys from, similar to the already existing sysfs attributes for AES DATA and random protected keys. Keys are read from these attributes using a cat-like interface. A typical use case for those keys is to encrypt a swap device using the paes cipher. During processing of /etc/crypttab, the CCA random AES CIPHER secure key to encrypt the swap device is read from one of the attributes. The following attributes are added: ccacipher/ccacipher_aes_128 ccacipher/ccacipher_aes_192 ccacipher/ccacipher_aes_256 ccacipher/ccacipher_aes_128_xts ccacipher/ccacipher_aes_256_xts Each attribute emits a secure key blob for the corresponding key size and cipher mode. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
This commit is contained in:
parent
d590284419
commit
f71fee2711
|
@ -1363,9 +1363,122 @@ static struct attribute_group ccadata_attr_group = {
|
||||||
.bin_attrs = ccadata_attrs,
|
.bin_attrs = ccadata_attrs,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#define CCACIPHERTOKENSIZE (sizeof(struct cipherkeytoken) + 80)
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Sysfs attribute read function for all secure key ccacipher binary attributes.
|
||||||
|
* The implementation can not deal with partial reads, because a new random
|
||||||
|
* secure key blob is generated with each read. In case of partial reads
|
||||||
|
* (i.e. off != 0 or count < key blob size) -EINVAL is returned.
|
||||||
|
*/
|
||||||
|
static ssize_t pkey_ccacipher_aes_attr_read(enum pkey_key_size keybits,
|
||||||
|
bool is_xts, char *buf, loff_t off,
|
||||||
|
size_t count)
|
||||||
|
{
|
||||||
|
size_t keysize;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
if (off != 0 || count < CCACIPHERTOKENSIZE)
|
||||||
|
return -EINVAL;
|
||||||
|
if (is_xts)
|
||||||
|
if (count < 2 * CCACIPHERTOKENSIZE)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
keysize = CCACIPHERTOKENSIZE;
|
||||||
|
rc = cca_gencipherkey(-1, -1, keybits, 0, buf, &keysize);
|
||||||
|
if (rc)
|
||||||
|
return rc;
|
||||||
|
memset(buf + keysize, 0, CCACIPHERTOKENSIZE - keysize);
|
||||||
|
|
||||||
|
if (is_xts) {
|
||||||
|
keysize = CCACIPHERTOKENSIZE;
|
||||||
|
rc = cca_gencipherkey(-1, -1, keybits, 0,
|
||||||
|
buf + CCACIPHERTOKENSIZE, &keysize);
|
||||||
|
if (rc)
|
||||||
|
return rc;
|
||||||
|
memset(buf + CCACIPHERTOKENSIZE + keysize, 0,
|
||||||
|
CCACIPHERTOKENSIZE - keysize);
|
||||||
|
|
||||||
|
return 2 * CCACIPHERTOKENSIZE;
|
||||||
|
}
|
||||||
|
|
||||||
|
return CCACIPHERTOKENSIZE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static ssize_t ccacipher_aes_128_read(struct file *filp,
|
||||||
|
struct kobject *kobj,
|
||||||
|
struct bin_attribute *attr,
|
||||||
|
char *buf, loff_t off,
|
||||||
|
size_t count)
|
||||||
|
{
|
||||||
|
return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_128, false, buf,
|
||||||
|
off, count);
|
||||||
|
}
|
||||||
|
|
||||||
|
static ssize_t ccacipher_aes_192_read(struct file *filp,
|
||||||
|
struct kobject *kobj,
|
||||||
|
struct bin_attribute *attr,
|
||||||
|
char *buf, loff_t off,
|
||||||
|
size_t count)
|
||||||
|
{
|
||||||
|
return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_192, false, buf,
|
||||||
|
off, count);
|
||||||
|
}
|
||||||
|
|
||||||
|
static ssize_t ccacipher_aes_256_read(struct file *filp,
|
||||||
|
struct kobject *kobj,
|
||||||
|
struct bin_attribute *attr,
|
||||||
|
char *buf, loff_t off,
|
||||||
|
size_t count)
|
||||||
|
{
|
||||||
|
return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_256, false, buf,
|
||||||
|
off, count);
|
||||||
|
}
|
||||||
|
|
||||||
|
static ssize_t ccacipher_aes_128_xts_read(struct file *filp,
|
||||||
|
struct kobject *kobj,
|
||||||
|
struct bin_attribute *attr,
|
||||||
|
char *buf, loff_t off,
|
||||||
|
size_t count)
|
||||||
|
{
|
||||||
|
return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_128, true, buf,
|
||||||
|
off, count);
|
||||||
|
}
|
||||||
|
|
||||||
|
static ssize_t ccacipher_aes_256_xts_read(struct file *filp,
|
||||||
|
struct kobject *kobj,
|
||||||
|
struct bin_attribute *attr,
|
||||||
|
char *buf, loff_t off,
|
||||||
|
size_t count)
|
||||||
|
{
|
||||||
|
return pkey_ccacipher_aes_attr_read(PKEY_SIZE_AES_256, true, buf,
|
||||||
|
off, count);
|
||||||
|
}
|
||||||
|
|
||||||
|
static BIN_ATTR_RO(ccacipher_aes_128, CCACIPHERTOKENSIZE);
|
||||||
|
static BIN_ATTR_RO(ccacipher_aes_192, CCACIPHERTOKENSIZE);
|
||||||
|
static BIN_ATTR_RO(ccacipher_aes_256, CCACIPHERTOKENSIZE);
|
||||||
|
static BIN_ATTR_RO(ccacipher_aes_128_xts, 2 * CCACIPHERTOKENSIZE);
|
||||||
|
static BIN_ATTR_RO(ccacipher_aes_256_xts, 2 * CCACIPHERTOKENSIZE);
|
||||||
|
|
||||||
|
static struct bin_attribute *ccacipher_attrs[] = {
|
||||||
|
&bin_attr_ccacipher_aes_128,
|
||||||
|
&bin_attr_ccacipher_aes_192,
|
||||||
|
&bin_attr_ccacipher_aes_256,
|
||||||
|
&bin_attr_ccacipher_aes_128_xts,
|
||||||
|
&bin_attr_ccacipher_aes_256_xts,
|
||||||
|
NULL
|
||||||
|
};
|
||||||
|
|
||||||
|
static struct attribute_group ccacipher_attr_group = {
|
||||||
|
.name = "ccacipher",
|
||||||
|
.bin_attrs = ccacipher_attrs,
|
||||||
|
};
|
||||||
|
|
||||||
static const struct attribute_group *pkey_attr_groups[] = {
|
static const struct attribute_group *pkey_attr_groups[] = {
|
||||||
&protkey_attr_group,
|
&protkey_attr_group,
|
||||||
&ccadata_attr_group,
|
&ccadata_attr_group,
|
||||||
|
&ccacipher_attr_group,
|
||||||
NULL,
|
NULL,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue