Commit 8fcc231c authored by Harald Freudenberger's avatar Harald Freudenberger Committed by Vasily Gorbik
Browse files

s390/pkey: Introduce pkey base with handler registry and handler modules 



Introduce pkey base kernel code with a simple pkey handler registry.
Regroup the pkey code into these kernel modules:
- pkey is the pkey api supporting the ioctls, sysfs and in-kernel api.
  Also the pkey base code which offers the handler registry and
  handler wrapping invocation functions is integrated there. This
  module is automatically loaded in via CPU feature if the MSA feature
  is available.
- pkey-cca is the CCA related handler code kernel module a offering
  CCA specific implementation for pkey. This module is loaded in
  via MODULE_DEVICE_TABLE when a CEX[4-8] card becomes available.
- pkey-ep11 is the EP11 related handler code kernel module offering an
  EP11 specific implementation for pkey. This module is loaded in via
  MODULE_DEVICE_TABLE when a CEX[4-8] card becomes available.
- pkey-pckmo is the PCKMO related handler code kernel module. This
  module is loaded in via CPU feature if the MSA feature is available,
  but on init a check for availability of the pckmo instruction is
  performed.

The handler modules register via a pkey_handler struct at the pkey
base code and the pkey customer (that is currently the pkey api code
fetches a handler via pkey handler registry functions and calls the
unified handler functions via the pkey base handler functions.

As a result the pkey-cca, pkey-ep11 and pkey-pckmo modules get
independent from each other and it becomes possible to write new
handlers which offer another kind of implementation without implicit
dependencies to other handler implementations and/or kernel device
drivers.

For each of these 4 kernel modules there is an individual Kconfig
entry: CONFIG_PKEY for the base and api, CONFIG_PKEY_CCA for the PKEY
CCA support handler, CONFIG_PKEY_EP11 for the EP11 support handler and
CONFIG_PKEY_PCKMO for the pckmo support. The both CEX related handler
modules (PKEY CCA and PKEY EP11) have a dependency to the zcrypt api
of the zcrypt device driver.

Signed-off-by: default avatarHarald Freudenberger <freude@linux.ibm.com>
Reviewed-by: default avatarHolger Dengler <dengler@linux.ibm.com>
Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
parent ea88e171

arch/s390/configs/debug_defconfig

+3 −0
Original line number Diff line number Diff line
@@ -797,6 +797,9 @@ CONFIG_CRYPTO_CHACHA_S390=m 
CONFIG_CRYPTO_HMAC_S390=m

CONFIG_ZCRYPT=m

CONFIG_PKEY=m

CONFIG_PKEY_CCA=m

CONFIG_PKEY_EP11=m

CONFIG_PKEY_PCKMO=m

CONFIG_CRYPTO_PAES_S390=m

CONFIG_CRYPTO_DEV_VIRTIO=m

CONFIG_SYSTEM_BLACKLIST_KEYRING=y

arch/s390/configs/defconfig

+3 −0
Original line number Diff line number Diff line
@@ -784,6 +784,9 @@ CONFIG_CRYPTO_CHACHA_S390=m 
CONFIG_CRYPTO_HMAC_S390=m

CONFIG_ZCRYPT=m

CONFIG_PKEY=m

CONFIG_PKEY_CCA=m

CONFIG_PKEY_EP11=m

CONFIG_PKEY_PCKMO=m

CONFIG_CRYPTO_PAES_S390=m

CONFIG_CRYPTO_DEV_VIRTIO=m

CONFIG_SYSTEM_BLACKLIST_KEYRING=y

arch/s390/include/uapi/asm/pkey.h

+1 −0
Original line number Diff line number Diff line
@@ -50,6 +50,7 @@ enum pkey_key_type { 
	PKEY_TYPE_CCA_ECC    = (__u32) 0x1f,

	PKEY_TYPE_EP11_AES   = (__u32) 6,

	PKEY_TYPE_EP11_ECC   = (__u32) 7,

	PKEY_TYPE_PROTKEY    = (__u32) 8,

};



/* the newer ioctls use a pkey_key_size enum for key size information */

drivers/crypto/Kconfig

+68 −7
Original line number Diff line number Diff line
@@ -78,18 +78,79 @@ config ZCRYPT 
config PKEY

	tristate "Kernel API for protected key handling"

	depends on S390

	depends on ZCRYPT

	help

	  With this option enabled the pkey kernel module provides an API

	  With this option enabled the pkey kernel modules provide an API

	  for creation and handling of protected keys. Other parts of the

	  kernel or userspace applications may use these functions.



	  The protected key support is distributed into:

	  - A pkey base and API kernel module (pkey.ko) which offers the

	    infrastructure for the pkey handler kernel modules, the ioctl

	    and the sysfs API and the in-kernel API to the crypto cipher

	    implementations using protected key.

	  - A pkey pckmo kernel module (pkey-pckmo.ko) which is automatically

	    loaded when pckmo support (that is generation of protected keys

	    from clear key values) is available.

	  - A pkey CCA kernel module (pkey-cca.ko) which is automatically

	    loaded when a CEX crypto card is available.

	  - A pkey EP11 kernel module (pkey-ep11.ko) which is automatically

	    loaded when a CEX crypto card is available.



	  Select this option if you want to enable the kernel and userspace

	  API for proteced key handling.

	  API for protected key handling.



config PKEY_CCA

	tristate "PKEY CCA support handler"

	depends on PKEY

	depends on ZCRYPT

	help

	  This is the CCA support handler for deriving protected keys

	  from CCA (secure) keys. Also this handler provides an alternate

	  way to make protected keys from clear key values.



	  The PKEY CCA support handler needs a Crypto Express card (CEX)

	  in CCA mode.



	  If you have selected the PKEY option then you should also enable

	  this option unless you are sure you never need to derive protected

	  keys from CCA key material.



config PKEY_EP11

	tristate "PKEY EP11 support handler"

	depends on PKEY

	depends on ZCRYPT

	help

	  This is the EP11 support handler for deriving protected keys

	  from EP11 (secure) keys. Also this handler provides an alternate

	  way to make protected keys from clear key values.



	  The PKEY EP11 support handler needs a Crypto Express card (CEX)

	  in EP11 mode.



	  If you have selected the PKEY option then you should also enable

	  this option unless you are sure you never need to derive protected

	  keys from EP11 key material.



config PKEY_PCKMO

	tristate "PKEY PCKMO support handler"

	depends on PKEY

	help

	  This is the PCKMO support handler for deriving protected keys

	  from clear key values via invoking the PCKMO instruction.



	  The PCKMO instruction can be enabled and disabled in the crypto

	  settings at the LPAR profile. This handler checks for availability

	  during initialization and if build as a kernel module unloads

	  itself if PCKMO is disabled.



	  The PCKMO way of deriving protected keys from clear key material

	  is especially used during self test of protected key ciphers like

	  PAES but the CCA and EP11 handler provide alternate ways to

	  generate protected keys from clear key values.



	  Please note that creation of protected keys from secure keys

	  requires to have at least one CEX card in coprocessor mode

	  available at runtime.

	  If you have selected the PKEY option then you should also enable

	  this option unless you are sure you never need to derive protected

	  keys from clear key values directly via PCKMO.



config CRYPTO_PAES_S390

	tristate "PAES cipher algorithms"

drivers/s390/crypto/Makefile

+14 −2
Original line number Diff line number Diff line
@@ -13,10 +13,22 @@ obj-$(CONFIG_ZCRYPT) += zcrypt.o 
# adapter drivers depend on ap.o and zcrypt.o

obj-$(CONFIG_ZCRYPT) += zcrypt_cex4.o



# pkey kernel module

pkey-objs := pkey_api.o pkey_cca.o pkey_ep11.o pkey_pckmo.o pkey_sysfs.o

# pkey base and api module

pkey-objs := pkey_base.o pkey_api.o pkey_sysfs.o

obj-$(CONFIG_PKEY) += pkey.o



# pkey cca handler module

pkey-cca-objs := pkey_cca.o

obj-$(CONFIG_PKEY_CCA) += pkey-cca.o



# pkey ep11 handler module

pkey-ep11-objs := pkey_ep11.o

obj-$(CONFIG_PKEY_EP11) += pkey-ep11.o



# pkey pckmo handler module

pkey-pckmo-objs := pkey_pckmo.o

obj-$(CONFIG_PKEY_PCKMO) += pkey-pckmo.o



# adjunct processor matrix

vfio_ap-objs := vfio_ap_drv.o vfio_ap_ops.o

obj-$(CONFIG_VFIO_AP) += vfio_ap.o