    s390/zcrypt: Support for CCA APKA master keys · 32ca04bb
    Harald Freudenberger authored
    Support for CCA APKA (used for CCA ECC keys) master keys.
    The existing mkvps sysfs attribute for each queue for cards
    in CCA mode is extended to show the APKA master key register
    states and verification pattern:
    
    Improve the mkvps sysfs attribute to display the APKA
    master key verification patterns for old, current and new
    master key registers. The APKA master key is used to
    encrypt CCA ECC secure keys. The syntax is analogous to the
    existing AES mk verification patterns:
    
        APKA NEW: <new_apka_mk_state> <new_apka_mk_mkvp>
        APKA CUR: <cur_apka_mk_state> <cur_apka_mk_mkvp>
        APKA OLD: <old_apka_mk_state> <old_apka_mk_mkvp>
      with
        <new_apka_mk_state>: 'empty' or 'partial' or 'full'
        <cur_apka_mk_state>: 'valid' or 'invalid'
        <old_apka_mk_state>: 'valid' or 'invalid'
        <new_apka_mk_mkvp>, <cur_apka_mk_mkvp>, <old_apka_mk_mkvp>
          8 byte hex string with leading 0x
    
    MKVP means Master Key Verification Pattern and is a folded hash over
    the key value. Only the states 'full' and 'valid' result in displaying
    a useful mkvp, otherwise a mkvp of all bytes zero is shown. If for any
    reason the FQ fails and the (cached) information is not available, the
    state '-' will be shown with the mkvp value also '-'. The values shown
    here are the very same as the CCA panel tools display.
    
    The internal function cca_findcard2() also supports matching
    against the APKA master key verification patterns, and the pkey
    kernel module, which uses this function, needed a compatible rewrite
    of these invocations.
    Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
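A parser for the mkvps syntax described in the commit message, as an added example that is not part of the commit or the kernel source. It checks that the APKA CUR register is 'valid' and carries an expected verification pattern. The function names, the sample text and the assumption that the AES lines use the same layout with an `AES` prefix are illustrative.

```python
import re

# One line of the mkvps attribute: "<TYPE> <REG>: <state> <mkvp>".
# Assumption: the AES lines share this layout with an "AES" prefix.
LINE = re.compile(r"^(AES|APKA) (NEW|CUR|OLD): (\S+) (\S+)$")
MKVP = re.compile(r"^0x[0-9a-fA-F]{16}$")   # 8 byte hex string with leading 0x
STATES = {"NEW": {"empty", "partial", "full"},
          "CUR": {"valid", "invalid"},
          "OLD": {"valid", "invalid"}}
USABLE = {"full", "valid"}   # only these states carry a meaningful mkvp


def parse_mkvps(text):
    """Return {(type, register): (state, mkvp)}; mkvp is None unless usable."""
    regs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised mkvps line: {line!r}")
        mk, reg, state, mkvp = m.groups()
        if state == "-" and mkvp == "-":      # FQ failed, nothing cached
            regs[(mk, reg)] = ("-", None)
            continue
        if state not in STATES[reg] or not MKVP.match(mkvp):
            raise ValueError(f"bad state or mkvp in: {line!r}")
        # An all-zero mkvp in a non-usable state is a filler, not a pattern.
        regs[(mk, reg)] = (state, mkvp.lower() if state in USABLE else None)
    return regs


def apka_cur_matches(text, expected_mkvp):
    """True only if APKA CUR is 'valid' and its mkvp equals expected_mkvp."""
    state, mkvp = parse_mkvps(text).get(("APKA", "CUR"), ("-", None))
    return state == "valid" and mkvp == expected_mkvp.lower()


# Constructed sample, not captured from a real adapter.
SAMPLE = """\
AES NEW: empty 0x0000000000000000
AES CUR: valid 0x1122334455667788
AES OLD: valid 0x8877665544332211
APKA NEW: partial 0x0000000000000000
APKA CUR: valid 0xa1b2c3d4e5f60718
APKA OLD: invalid 0x0000000000000000
"""
```
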
zcrypt_cex4.c 20.3 KB