Subject: zkey: Check crypto card level during APQN cross checking From: Ingo Franzki Summary: zkey: Add support for CCA AES CIPHER keys Description: With CCA 5 there is a new secure key type, the so called variable length symmetric cipher key token. This token format can hold AES keys with size 128, 192 and 256 bits together with additional attributes cryptographic bound to the key token. The attributes may limit the usage of the key, for example restrict export or usability scope. So this key type is considered to be even more secure than the traditional secure key token. This key token type is also called "CCA AES CIPHER key", where the formerly used key token is called "CCA AES DATA key". The zkey as well as the zkey-cryptsetup tools are enhanced to support AES CIPHER keys. That is, zkey can manage AES DATA keys, as well as AES CIPHER keys. The key type must be specified at key generation time, the default is to generate AED DATA keys. Upstream-ID: b7bb90c552f9b62c0b4ddc1295e76769149ee6bb Problem-ID: SEC1717 Upstream-Description: zkey: Check crypto card level during APQN cross checking Secure keys of type CCA-AESCIPHER require a CEX6C or newer crypto card. Also check for the minimum required card level during cross checking of APQNs. Also display the card level in the APQN report. Signed-off-by: Ingo Franzki Reviewed-by: Harald Freudenberger Signed-off-by: Jan Hoeppner Signed-off-by: Ingo Franzki --- zkey/keystore.c | 25 +++++++++++++---- zkey/pkey.c | 20 ++++++++++++++ zkey/pkey.h | 1 zkey/utils.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++---- zkey/utils.h | 6 ++-- zkey/zkey.c | 9 ++++-- 6 files changed, 126 insertions(+), 15 deletions(-) --- a/zkey/keystore.c +++ b/zkey/keystore.c @@ -1722,7 +1722,9 @@ int keystore_generate_key(struct keystor if (rc != 0) goto out_free_key_filenames; - rc = cross_check_apqns(apqns, 0, true, keystore->verbose); + rc = cross_check_apqns(apqns, 0, + get_min_card_level_for_keytype(key_type), true, + keystore->verbose); if (rc == -EINVAL) goto out_free_key_filenames; if (rc != 0 && rc != -ENOTSUP && noapqncheck == 0) { @@ -1850,7 +1852,9 @@ int keystore_import_key(struct keystore goto out_free_key; } - rc = cross_check_apqns(apqns, mkvp, true, keystore->verbose); + rc = cross_check_apqns(apqns, mkvp, + get_min_card_level_for_keytype(key_type), true, + keystore->verbose); if (rc == -EINVAL) goto out_free_key; if (rc != 0 && rc != -ENOTSUP && noapqncheck == 0) { @@ -1937,8 +1941,8 @@ int keystore_change_key(struct keystore .nomsg = 0 }; struct key_filenames file_names = { NULL, NULL, NULL }; struct properties *key_props = NULL; + char *apqns_prop, *key_type; size_t secure_key_size; - char *apqns_prop; u8 *secure_key; char temp[30]; u64 mkvp; @@ -2005,9 +2009,12 @@ int keystore_change_key(struct keystore goto out; apqns_prop = properties_get(key_props, PROP_NAME_APQNS); - rc = cross_check_apqns(apqns_prop, mkvp, true, - keystore->verbose); + key_type = properties_get(key_props, PROP_NAME_KEY_TYPE); + rc = cross_check_apqns(apqns_prop, mkvp, + get_min_card_level_for_keytype(key_type), + true, keystore->verbose); free(apqns_prop); + free(key_type); if (rc == -ENOTSUP) rc = 0; if (rc != 0 && noapqncheck == 0) { @@ -2373,12 +2380,17 @@ static int _keystore_display_apqn_status { int rc, warning = 0; char *apqns; + char *key_type; apqns = properties_get(properties, PROP_NAME_APQNS); if (apqns == NULL) return 0; - rc = cross_check_apqns(apqns, mkvp, true, keystore->verbose); + apqns = properties_get(properties, PROP_NAME_APQNS); + key_type = properties_get(properties, PROP_NAME_KEY_TYPE); + rc = cross_check_apqns(apqns, mkvp, + get_min_card_level_for_keytype(key_type), true, + keystore->verbose); if (rc != 0 && rc != -ENOTSUP) warning = 1; @@ -2386,6 +2398,7 @@ static int _keystore_display_apqn_status printf("\n"); free(apqns); + free(key_type); return warning; } /** --- a/zkey/pkey.c +++ b/zkey/pkey.c @@ -1630,3 +1630,23 @@ const char *get_key_type(const u8 *key, return NULL; } + +/** + * Returns the minimum card level for a specific key type + * + * @param[in] key_type the type of the key + * + * @returns the minimum card level, or -1 for unknown key types + */ +int get_min_card_level_for_keytype(const char *key_type) +{ + if (key_type == NULL) + return -1; + + if (strcasecmp(key_type, KEY_TYPE_CCA_AESDATA) == 0) + return 3; + if (strcasecmp(key_type, KEY_TYPE_CCA_AESCIPHER) == 0) + return 6; + + return -1; +} --- a/zkey/pkey.h +++ b/zkey/pkey.h @@ -264,5 +264,6 @@ bool is_cca_aes_cipher_key(const u8 *key bool is_xts_key(const u8 *key, size_t key_size); int get_key_bit_size(const u8 *key, size_t key_size, size_t *bitsize); const char *get_key_type(const u8 *key, size_t key_size); +int get_min_card_level_for_keytype(const char *key_type); #endif --- a/zkey/utils.c +++ b/zkey/utils.c @@ -119,6 +119,49 @@ out: } /** + * Returns the level of the card. For a CEX3C 3 is returned, for a CEX4C 4, + * and so on. + * + * @param[in] card card number + * + * @returns The card level, or -1 of the level can not be determined. + */ +int sysfs_get_card_level(int card) +{ + char *dev_path; + char type[20]; + int rc; + + dev_path = util_path_sysfs("bus/ap/devices/card%02x", card); + if (!util_path_is_dir(dev_path)) { + rc = -1; + goto out; + } + if (util_file_read_line(type, sizeof(type), "%s/type", dev_path) != 0) { + rc = -1; + goto out; + } + if (strncmp(type, "CEX", 3) != 0 || strlen(type) < 5) { + rc = -1; + goto out; + } + if (type[4] != 'C') { + rc = -1; + goto out; + } + if (type[3] < '1' || type[3] > '9') { + rc = -1; + goto out; + } + + rc = type[3] - '0'; + +out: + free(dev_path); + return rc; +} + +/** * Gets the 8 character ASCII serial number string of an card from the sysfs. * * @param[in] card card number @@ -436,12 +479,14 @@ static int print_apqn_mk_info(int card, { struct print_apqn_info *info = (struct print_apqn_info *)handler_data; struct mk_info mk_info; - int rc; + int rc, level; rc = sysfs_get_mkvps(card, domain, &mk_info, info->verbose); if (rc == -ENOTSUP) return rc; + level = sysfs_get_card_level(card); + util_rec_set(info->rec, "APQN", "%02x.%04x", card, domain); if (rc == 0) { @@ -470,6 +515,11 @@ static int print_apqn_mk_info(int card, util_rec_set(info->rec, "OLD", "?"); } + if (level > 0) + util_rec_set(info->rec, "TYPE", "CEX%dC", level); + else + util_rec_set(info->rec, "TYPE", "?"); + util_rec_print(info->rec); return 0; @@ -499,6 +549,7 @@ int print_mk_info(const char *apqns, boo util_rec_def(info.rec, "NEW", UTIL_REC_ALIGN_LEFT, 16, "NEW MK"); util_rec_def(info.rec, "CUR", UTIL_REC_ALIGN_LEFT, 16, "CURRENT MK"); util_rec_def(info.rec, "OLD", UTIL_REC_ALIGN_LEFT, 16, "OLD MK"); + util_rec_def(info.rec, "TYPE", UTIL_REC_ALIGN_LEFT, 6, "TYPE"); util_rec_print_hdr(info.rec); rc = handle_apqns(apqns, print_apqn_mk_info, &info, verbose); @@ -511,6 +562,7 @@ struct cross_check_info { u64 mkvp; u64 new_mkvp; bool key_mkvp; + int min_level; u32 num_cur_match; u32 num_old_match; u32 num_new_match; @@ -525,7 +577,7 @@ static int cross_check_mk_info(int card, struct cross_check_info *info = (struct cross_check_info *)handler_data; struct mk_info mk_info; char temp[200]; - int rc; + int rc, level; rc = sysfs_get_mkvps(card, domain, &mk_info, info->verbose); if (rc == -ENODEV) { @@ -539,6 +591,19 @@ static int cross_check_mk_info(int card, info->num_checked++; + if (info->min_level >= 0) { + level = sysfs_get_card_level(card); + + if (level < info->min_level) { + info->print_mks = 1; + info->mismatch = 1; + sprintf(temp, "WARNING: APQN %02x.%04x: The card level " + "is less than CEX%dC.", card, domain, + info->min_level); + util_print_indented(temp, 0); + } + } + if (mk_info.new_mk.mk_state == MK_STATE_PARTIAL) { info->print_mks = 1; sprintf(temp, "INFO: APQN %02x.%04x: The NEW master key " @@ -662,6 +727,8 @@ static int cross_check_mk_info(int card, * @param[in] mkvp The master key verification pattern of a secure key. * If this is all zero, then the master keys are not * matched against it. + * @param[in] min_level The minimum card level required. If min_level is -1 then + * the card level is not checked. * @param[in] print_mks if true, then a the full master key info of all * specified APQns is printed, in case of a mismatch. * @param[in] verbose if true, verbose messages are printed @@ -671,7 +738,8 @@ static int cross_check_mk_info(int card, * -ENOTSUP is returned when the mkvps sysfs attribute is not * available, because the zcrypt kernel module is on an older level. */ -int cross_check_apqns(const char *apqns, u64 mkvp, bool print_mks, bool verbose) +int cross_check_apqns(const char *apqns, u64 mkvp, int min_level, + bool print_mks, bool verbose) { struct cross_check_info info; char temp[200]; @@ -680,10 +748,12 @@ int cross_check_apqns(const char *apqns, memset(&info, 0, sizeof(info)); info.key_mkvp = mkvp != 0; info.mkvp = mkvp; + info.min_level = min_level; info.verbose = verbose; - pr_verbose(verbose, "Cross checking APQNs with mkvp 0x%016llx: %s", - mkvp, apqns != NULL ? apqns : "ANY"); + pr_verbose(verbose, "Cross checking APQNs with mkvp 0x%016llx and " + "min-level %d: %s", mkvp, min_level, + apqns != NULL ? apqns : "ANY"); rc = handle_apqns(apqns, cross_check_mk_info, &info, verbose); if (rc != 0) --- a/zkey/utils.h +++ b/zkey/utils.h @@ -18,6 +18,8 @@ int sysfs_is_card_online(int card); int sysfs_is_apqn_online(int card, int domain); +int sysfs_get_card_level(int card); + int sysfs_get_serialnr(int card, char serialnr[9], bool verbose); #define MK_STATE_EMPTY 0 @@ -48,7 +50,7 @@ int handle_apqns(const char *apqns, apqn int print_mk_info(const char *apqns, bool verbose); -int cross_check_apqns(const char *apqns, u64 mkvp, bool print_mks, - bool verbose); +int cross_check_apqns(const char *apqns, u64 mkvp, int min_level, + bool print_mks, bool verbose); #endif --- a/zkey/zkey.c +++ b/zkey/zkey.c @@ -1122,7 +1122,9 @@ static int command_generate(void) return EXIT_FAILURE; } - rc = cross_check_apqns(NULL, 0, true, g.verbose); + rc = cross_check_apqns(NULL, 0, + get_min_card_level_for_keytype(g.key_type), + true, g.verbose); if (rc == -EINVAL) return EXIT_FAILURE; if (rc != 0 && rc != -ENOTSUP) { @@ -1447,7 +1449,10 @@ static int command_validate_file(void) printf(" %.*s\n", VERIFICATION_PATTERN_LEN / 2, &vp[VERIFICATION_PATTERN_LEN / 2]); - rc = cross_check_apqns(NULL, mkvp, true, g.verbose); + rc = cross_check_apqns(NULL, mkvp, + get_min_card_level_for_keytype( + get_key_type(secure_key, secure_key_size)), + true, g.verbose); if (rc == -EINVAL) return EXIT_FAILURE; if (rc != 0 && rc != -ENOTSUP) {