Subject: zkey: Cross check APQNs when validating secure keys
From: Ingo Franzki <>

Summary:     zkey: check master key consistency
Description: Enhances the zkey tool to perform a cross check whether the
             APQNs associated with a secure key have the same master key.
             Display the master key verification pattern of a secure key
             during the zkey validate command. This helps to better identify
             which master key is the correct one, in case of master key 
             Select an appropriate APQN when re-enciphering a secure key.
             Re-enciphering is done using the CCA host library. Special
             handling is required to select an appropriate APQN for use with
             the CCA host library.
Upstream-ID: 7f8e31e8619b32297b432a4882d78af79de37a58
Problem-ID:  SEC1916


             zkey: Cross check APQNs when validating secure keys

             Perform a cross check of the APQNs when a secure AES key is validated.
             When a set of APQNs are associated to a secure key, these APQNs are
             cross checked. If a secure key is validated outside of the key repository,
             or no APQNs are associated to a secure key inside the key repository,
             then all currently available APQNs are cross checked. If a master key
             mismatch is detected, then an error message is issued.

             Signed-off-by: Ingo Franzki <>
             Reviewed-by: Harald Freudenberger <>
             Signed-off-by: Jan Hoeppner <>

Signed-off-by: Ingo Franzki <>
 zkey/keystore.c |   34 ++++++++++++----------------------
 zkey/zkey.c     |    9 +++++++++
 2 files changed, 21 insertions(+), 22 deletions(-)

--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -2252,43 +2252,32 @@ struct validate_info {
  * Displays the status of the associated APQNs.
+ * @param[in] keystore the key store
  * @param[in] properties  the properties of the key
- * @param[in] name        the name of the key
+ * @param[in] mkvp        the master key verification pattern of the key
  * @returns 0 in case of success, 1 if at least one of the APQNs is not
- *          available
+ *          available or has a master key mismatch
-static int _keystore_display_apqn_status(struct properties *properties,
-					 const char *name)
+static int _keystore_display_apqn_status(struct keystore *keystore,
+					 struct properties *properties,
+					 u64 mkvp)
-	int i, rc, card, domain, warning = 0;
-	char **apqn_list;
+	int rc, warning = 0;
 	char *apqns;
 	apqns = properties_get(properties, PROP_NAME_APQNS);
 	if (apqns == NULL)
 		return 0;
-	apqn_list = str_list_split(apqns);
-	for (i = 0; apqn_list[i] != NULL; i++) {
-		if (sscanf(apqn_list[i], "%x.%x", &card, &domain) != 2)
-			continue;
-		rc = sysfs_is_apqn_online(card, domain);
-		if (rc != 1) {
-			printf("WARNING: The APQN %02x.%04x associated with "
-			       "key '%s' is %s\n", card, domain, name,
-			       rc == -1 ? "not a CCA card" : "not online");
-			warning = 1;
-		}
-	}
+	rc = cross_check_apqns(apqns, mkvp, true, keystore->verbose);
+	if (rc != 0 && rc != -ENOTSUP)
+		warning = 1;
 	if (warning)
-	str_list_free_string_array(apqn_list);
 	return warning;
@@ -2405,7 +2394,8 @@ static int _keystore_process_validate(st
 	if (info->noapqncheck == 0)
-		if (_keystore_display_apqn_status(properties, name) != 0)
+		if (_keystore_display_apqn_status(keystore, properties,
+						  mkvp) != 0)
 	if (_keystore_display_volume_status(properties, name) != 0)
--- a/zkey/zkey.c
+++ b/zkey/zkey.c
@@ -1380,6 +1380,15 @@ static int command_validate_file(void)
 	printf("                         %.*s\n", VERIFICATION_PATTERN_LEN / 2,
 	       &vp[VERIFICATION_PATTERN_LEN / 2]);
+	rc = cross_check_apqns(NULL, mkvp, true, g.verbose);
+	if (rc == -EINVAL)
+		return EXIT_FAILURE;
+	if (rc != 0 && rc != -ENOTSUP) {
+		warnx("Your master key setup is improper");
+		goto out;
+	}
 	return rc;