• Harald Freudenberger's avatar
    s390/pkey: support CCA and EP11 secure ECC private keys · fa6999e3
    Harald Freudenberger authored
    This patch extends the pkey kernel module to support CCA
    and EP11 secure ECC (private) keys as source for deriving
    ECC protected (private) keys.
    
    There is yet another new ioctl to support this: PKEY_KBLOB2PROTK3
    can handle all the old keys plus CCA and EP11 secure ECC keys.
    For details see ioctl description in pkey.h.
    
    The CPACF unit currently only supports a subset of 5
    different ECC curves (P-256, P-384, P-521, ED25519, ED448) and
    so only keys of this curve type can be transformed into
    protected keys. However, the pkey and the cca/ep11 low level
    functions do not check this but simple pass-through the key
    blob to the firmware onto the crypto cards. So most likely
    the failure will be a response carrying an error code
    resulting in user space errno value EIO instead of EINVAL.
    
    Deriving a protected key from an EP11 ECC secure key
    requires a CEX7 in EP11 mode. Deriving a protected key from
    an CCA ECC secure key requires a CEX7 in CCA mode.
    
    Together with this new ioctl the ioctls for querying lists
    of apqns (PKEY_APQNS4K and PKEY_APQNS4KT) have been extended
    to support EP11 and CCA ECC secure key type and key blobs.
    
    Together with this ioctl there comes a new struct ep11kblob_header
    which is to be prepended onto the EP11 key blob. See details
    in pkey.h for the fields in there. The older EP11 AES key blob
    with some info stored in the (unused) session field is also
    supported with this new ioctl.
    Signed-off-by: default avatarHarald Freudenberger <freude@linux.ibm.com>
    Reviewed-by: default avatarIngo Franzki <ifranzki@linux.ibm.com>
    Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
    fa6999e3
zcrypt_ep11misc.c 36 KB