Subject: lszcrypt: CEX6S exploitation From: Harald Freudenberger Summary: s390-tools: Exploitation Support for CEX6S Description: Exploitation Support for CEX6S Upstream-ID: 31866fbfa4bd89606af2a313427ca06d230e20dc Problem-ID: SEC1519 Upstream-Description: lszcrypt: CEX6S exploitation With z14 there comes a new crypto card 'CEX6S'. This patch introduces the s390-tools changes needed to list the new card and show the capabilities correctly. Signed-off-by: Harald Freudenberger Signed-off-by: Michael Holzheu Signed-off-by: Harald Freudenberger
---
 zconf/zcrypt/lszcrypt.8 | 6 ++++++
 zconf/zcrypt/lszcrypt.c | 37 ++++++++++++++++++++++++++++---------
 2 files changed, 34 insertions(+), 9 deletions(-)
--- a/zconf/zcrypt/lszcrypt.8
+++ b/zconf/zcrypt/lszcrypt.8
@@ -85,6 +85,12 @@ EP11 Secure Key
 .IP "o"
 Long RNG
 .RE
+
+.RS 8
+The CCA Secure Key capability may be limited by a hypervisor
+layer. The remarks 'full function set' or 'restricted function set' may
+reflect this. For details about these limitations please check the
+hypervisor documentation.
 .TP 8
 .B -d, --domains
 Shows the usage and control domains of the cryptographic devices.
--- a/zconf/zcrypt/lszcrypt.c
+++ b/zconf/zcrypt/lszcrypt.c
@@ -42,11 +42,19 @@ struct lszcrypt_l *lszcrypt_l = &l;
 /*
 * Card types
 */
-#define MASK_APSC 0x80000000
-#define MASK_RSA4K 0x60000000
-#define MASK_COPRO 0x10000000
-#define MASK_ACCEL 0x08000000
-#define MASK_EP11 0x04000000
+#define MASK_APSC 0x80000000
+#define MASK_RSA4K 0x60000000
+#define MASK_COPRO 0x10000000
+#define MASK_ACCEL 0x08000000
+#define MASK_EP11 0x04000000
+
+/*
+ * Classification
+ */
+#define MASK_CLASS_FULL 0x00800000
+#define CLASS_FULL "full function set"
+#define MASK_CLASS_STATELESS 0x00400000
+#define CLASS_STATELESS "restricted function set"
 /*
 * Program configuration
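Review bot: The new `MASK_CLASS_FULL` and `MASK_CLASS_STATELESS` defines under the `Classification` comment do not say which value they are tested against or what the two remarks tell an administrator. The later hunks of this file apply them to `func_val` in `show_capability()`, testing the full bit first, and the man page change says the remark may reflect a hypervisor limit on CCA Secure Key. I would expand the comment to something like `/* Classification bits in func_val: CCA function set as possibly limited by a hypervisor layer; FULL is tested before STATELESS */`. The mask is named STATELESS while its string reads 'restricted function set', so a word on that mapping would help anyone auditing the output.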
@@ -226,7 +234,7 @@ static void show_capability(const char *
 {
 unsigned long func_val;
 long hwtype, id;
- char *p, *ap, *dev, card[16];
+ char *p, *ap, *dev, card[16], cbuf[256];
 /* check if ap driver is available */
 ap = util_path_sysfs("bus/ap");
@@ -250,6 +258,11 @@ static void show_capability(const char *
 printf("Detailed capability information for %s (hardware type %ld) is not available.\n", card, hwtype);
 return;
 }
+ cbuf[0] = '\0';
+ if (func_val & MASK_CLASS_FULL)
+ snprintf(cbuf, sizeof(cbuf), "%s", CLASS_FULL);
+ else if (func_val & MASK_CLASS_STATELESS)
+ snprintf(cbuf, sizeof(cbuf), "%s", CLASS_STATELESS);
 printf("%s provides capability for:\n", card);
 switch (hwtype) {
 case 6:
@@ -262,11 +275,15 @@ static void show_capability(const char *
 case 7:
 case 9:
 printf("%s\n", CAP_RSA4K);
- printf("%s\n", CAP_CCA);
+ if (cbuf[0])
+ printf("%s (%s)\n", CAP_CCA, cbuf);
+ else
+ printf("%s\n", CAP_CCA);
 printf("%s", CAP_RNG);
 break;
 case 10:
 case 11:
+ case 12:
 if (func_val & MASK_ACCEL) {
 if (func_val & MASK_RSA4K)
 printf("%s", CAP_RSA4K);
@@ -274,12 +291,14 @@ static void show_capability(const char *
 printf("%s", CAP_RSA2K);
 } else if (func_val & MASK_COPRO) {
 printf("%s\n", CAP_RSA4K);
- printf("%s\n", CAP_CCA);
+ if (cbuf[0])
+ printf("%s (%s)\n", CAP_CCA, cbuf);
+ else
+ printf("%s\n", CAP_CCA);
 printf("%s", CAP_RNG);
 } else if (func_val & MASK_EP11) {
 printf("%s", CAP_EP11);
 } else {
- printf("Detailed capability information for %s (hardware type %ld) is not available.", card, hwtype);
 }
 break;
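Review bot: `cbuf[256]` (declared in the @@ -226 hunk) and the two `snprintf()` calls added in the @@ -250 hunk only copy one of two string constants, so a `const char *` does the same job without a stack buffer or a size to keep correct. The copies are bounded and their sources are literals, so this is not an overflow risk, only code that is not needed. The same pointer can then be tested where the CCA line is printed in the @@ -262 and @@ -274 hunks. show_capability() starts and ends outside these hunks.

```c
	char *p, *ap, *dev, card[16];
	const char *class_remark = NULL;
	/* … unchanged: sysfs lookup and hardware type check … */
	if (func_val & MASK_CLASS_FULL)
		class_remark = CLASS_FULL;
	else if (func_val & MASK_CLASS_STATELESS)
		class_remark = CLASS_STATELESS;
	/* … unchanged: capability header, switch and the other cases … */
		if (class_remark)
			printf("%s (%s)\n", CAP_CCA, class_remark);
		else
			printf("%s\n", CAP_CCA);
```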
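Review bot: The final `else` branch of the type 10/11/12 case in the @@ -274 hunk is left empty, because the 'not available' `printf()` is removed and nothing replaces it. As shown, a card of one of these types whose `func_val` has none of MASK_ACCEL, MASK_COPRO or MASK_EP11 set prints only the 'provides capability for:' header. That reads as a card with no functions rather than one the tool could not classify. Unless that is intended, keep the fallback, `printf("Detailed capability information for %s (hardware type %ld) is not available.", card, hwtype);`, or remove the empty `else { }` and explain the silence in a comment. The switch and the function continue outside the hunk.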