Commit 73dfc79c authored by Harald Freudenberger's avatar Harald Freudenberger Committed by Heiko Carstens

s390/pkey: Add new pkey handler module pkey-uv



This new pkey handler module supports the conversion of
Ultravisor retrievable secrets to protected keys.
The new module pkey-uv.ko is able to retrieve and verify
protected keys backed up by the Ultravisor layer which is
only available within protected execution environment.

The module is only automatically loaded if the UV CPU feature
is flagged as available. Additionally on module
init there is a check for protected execution environment
and for UV supporting retrievable secrets. Also if the kernel
is not running as a protected execution guest, the module
unloads itself with errno ENODEV.

The pkey UV module currently supports these Ultravisor
secrets and is able to retrieve a protected key for these
UV secret types:
  - UV_SECRET_AES_128
  - UV_SECRET_AES_192
  - UV_SECRET_AES_256
  - UV_SECRET_AES_XTS_128
  - UV_SECRET_AES_XTS_256
  - UV_SECRET_HMAC_SHA_256
  - UV_SECRET_HMAC_SHA_512
  - UV_SECRET_ECDSA_P256
  - UV_SECRET_ECDSA_P384
  - UV_SECRET_ECDSA_P521
  - UV_SECRET_ECDSA_ED25519
  - UV_SECRET_ECDSA_ED448

Signed-off-by: default avatarHarald Freudenberger <freude@linux.ibm.com>
Reviewed-by: default avatarHolger Dengler <dengler@linux.ibm.com>
Signed-off-by: default avatarHeiko Carstens <hca@linux.ibm.com>
parent eb37a9ae
+1 −0
@@ -801,6 +801,7 @@ CONFIG_PKEY=m
CONFIG_PKEY_CCA=m
CONFIG_PKEY_EP11=m
CONFIG_PKEY_PCKMO=m
CONFIG_PKEY_UV=m
CONFIG_CRYPTO_PAES_S390=m
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
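Review bot: CONFIG_PKEY_UV=m is added here and in the second defconfig of this commit, but the Kconfig hunk makes PKEY_UV depend on S390_UV_UAPI; if that symbol is not enabled in these defconfigs, the line is silently dropped on olddefconfig and the handler is never built. Worth confirming that `CONFIG_S390_UV_UAPI` is set (y or m, whichever its definition allows) in both files, or adding it next to this line. I cannot see the rest of either defconfig, so this may already be the case.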
+1 −0
@@ -787,6 +787,7 @@ CONFIG_PKEY=m
CONFIG_PKEY_CCA=m
CONFIG_PKEY_EP11=m
CONFIG_PKEY_PCKMO=m
CONFIG_PKEY_UV=m
CONFIG_CRYPTO_PAES_S390=m
CONFIG_CRYPTO_DEV_VIRTIO=m
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+1 −0
@@ -55,6 +55,7 @@ enum pkey_key_type {
	PKEY_TYPE_EP11_AES   = (__u32)6,
	PKEY_TYPE_EP11_ECC   = (__u32)7,
	PKEY_TYPE_PROTKEY    = (__u32)8,
	PKEY_TYPE_UVSECRET   = (__u32)9,
};

/* the newer ioctls use a pkey_key_size enum for key size information */
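Review bot: The new PKEY_TYPE_UVSECRET enumerator is part of the uapi header and carries no comment saying what a key blob of this type holds; the commit description is the only place that meaning is recorded. A short trailing comment would help userspace, e.g. `PKEY_TYPE_UVSECRET   = (__u32)9, /* Ultravisor retrievable secret, handled by pkey-uv */`, and if the blob is only a reference to a secret kept inside the Ultravisor rather than key material — which the description suggests but the hunk does not show — stating that explicitly would be worth it. The enum pkey_key_type begins before this hunk.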
+21 −0
@@ -95,6 +95,9 @@ config PKEY
	    loaded when a CEX crypto card is available.
	  - A pkey EP11 kernel module (pkey-ep11.ko) which is automatically
	    loaded when a CEX crypto card is available.
	  - A pkey UV kernel module (pkey-uv.ko) which is automatically
	    loaded when the Ultravisor feature is available within a
	    protected execution environment.

	  Select this option if you want to enable the kernel and userspace
	  API for protected key handling.
@@ -152,6 +155,24 @@ config PKEY_PCKMO
	  this option unless you are sure you never need to derive protected
	  keys from clear key values directly via PCKMO.

config PKEY_UV
	tristate "PKEY UV support handler"
	depends on PKEY
	depends on S390_UV_UAPI
	help
	  This is the PKEY Ultravisor support handler for deriving protected
	  keys from secrets stored within the Ultravisor (UV).

	  This module works together with the UV device and supports the
	  retrieval of protected keys from secrets stored within the
	  UV firmware layer. This service is only available within
	  a protected execution guest and thus this module will fail upon
	  modprobe if no protected execution environment is detected.

	  Enable this option if you intend to run this kernel with an KVM
	  guest with protected execution and you want to use UV retrievable
	  secrets via PKEY API.

config CRYPTO_PAES_S390
	tristate "PAES cipher algorithms"
	depends on S390
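Review bot: The PKEY_UV help text reads `Enable this option if you intend to run this kernel with an KVM guest`; "an KVM" should be "a KVM", and "run this kernel as a KVM guest with protected execution" reads more naturally. In the first hunk, the new PKEY help bullet says pkey-uv.ko is loaded "when the Ultravisor feature is available within a protected execution environment", whereas the commit description says autoload keys only on the UV CPU feature and the protected-execution check is done at module init, failing with ENODEV; the PKEY_UV help in the second hunk describes that correctly, so aligning the bullet (e.g. `loaded when the Ultravisor feature is available; it only works inside a protected execution environment`) would avoid users expecting the module to be absent outside a protected guest. The config PKEY stanza in the first hunk begins before the hunk.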
+4 −0
@@ -29,6 +29,10 @@ obj-$(CONFIG_PKEY_EP11) += pkey-ep11.o
pkey-pckmo-objs := pkey_pckmo.o
obj-$(CONFIG_PKEY_PCKMO) += pkey-pckmo.o

# pkey uv handler module
pkey-uv-objs := pkey_uv.o
obj-$(CONFIG_PKEY_UV) += pkey-uv.o

# adjunct processor matrix
vfio_ap-objs := vfio_ap_drv.o vfio_ap_ops.o
obj-$(CONFIG_VFIO_AP) += vfio_ap.o