diff options
| author | Harald Freudenberger <freude@linux.ibm.com> | 2019-09-27 11:16:42 +0200 |
|---|---|---|
| committer | Vasily Gorbik <gor@linux.ibm.com> | 2020-01-30 13:07:55 +0100 |
| commit | 888edbc48857c7189592fb0be3ab09994247199c (patch) | |
| tree | 3ae7f3d19381a6e1c15a85c22140b90916581383 /arch/s390/crypto | |
| parent | 6f3196b74d64fe4b0a51cefa6f2f80f7f55bcf49 (diff) | |
s390/pkey: Add support for key blob with clear key value
This patch adds support for a new key blob format to the
pkey kernel module. The new key blob comprises a clear
key value together with key type information.
The implementation tries to derive an protected key
from the blob with the clear key value inside with
1) the PCKMO instruction. This may fail as the LPAR
profile may disable this way.
2) Generate an CCA AES secure data key with exact the
clear key value. This requires to have a working
crypto card in CCA Coprocessor mode. Then derive
an protected key from the CCA AES secure key again
with the help of a working crypto card in CCA mode.
If both way fail, the transformation of the clear key
blob into a protected key will fail. For the PAES cipher
this would result in a failure at setkey() invocation.
A clear key value exposed in main memory is a security
risk. The intention of this new 'clear key blob' support
for pkey is to provide self-tests for the PAES cipher key
implementation. These known answer tests obviously need
to be run with well known key values. So with the clear
key blob format there is a way to provide knwon answer
tests together with an pkey clear key blob for the
in-kernel self tests done at cipher registration.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Diffstat (limited to 'arch/s390/crypto')
0 files changed, 0 insertions, 0 deletions