-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Devel #28
Devel #28
Conversation
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
e->flags |= *s390_kdsa_functions[e->id].enabled ? ICA_FLAG_SHW : 0; | ||
break; | ||
case RSA_ME: /* fall-through */ | ||
case RSA_CRT: | ||
if (any_card_online) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think libica RSA only works with CEX-A, no ? So 'any_card_online' would be neccesary but not sufficient.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I found this paragraph in the "Device Drivers, Features, and Commands" book:
For both accelerators and CCA coprocessors, it provides Rivest-Shamir-Adleman
(RSA) encryption and RSA decryption functions using clear keys. RSA operations
are supported in both the modulus-exponent and the Chinese-Remainder Theorem
(CRT) variants for any key size in the range 57 - 4096 bit.
So it looks like the zcrypt device driver can use both types of cards for RSA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just tested it: the RSA tests are performed in hw on a CCA coprocessor.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the zcrypt dd can use both.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ICA_PROPERTY_RSA_4096) | ||
|
||
#define ICA_PROPERTY_EC_BP 0x00000001 /* Brainpool curves */ | ||
#define ICA_PROPERTY_EC_NIST 0x00000002 /* NIST curves */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a whitespace error ? The NIST curves constant is indented differently than the others in the GitHub diff view....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will fix this.
msa4_switch, msa5_switch, msa8_switch, trng_switch, msa9_switch, | ||
ecc_via_online_card, any_card_online; | ||
|
||
#define CARD_AVAILABLE 0x01 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also here it looks like a whitespace error......
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will fix it.
src/s390_crypto.c
Outdated
goto end; | ||
|
||
/* Did we get something like 'CEX5C\n'? */ | ||
if (strlen(type) != 6 || strstr(type, "CEX") != &type[0]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
didn't we say that strstr might not be the best choice here? I would do a strncmp(type, "CEX", 3)
instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok
src/s390_crypto.c
Outdated
while ((direntp = readdir(sysDir)) != NULL) { | ||
|
||
/* Skip entries that are not like "card01", "card02", etc. */ | ||
if (strstr(direntp->d_name, "card") != &direntp->d_name[0]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
strncmp(... ,"card", 4)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok
} | ||
|
||
#define AP_PATH "/sys/devices/ap" | ||
#define MAX_DEV_LEN 280 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a PATH_MAX define in linux/limits.h.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but it's only 255 bytes long and causes a compiler warning:
s390_crypto.c:401:34: warning: '%s' directive output may be truncated writing up to 255 bytes into a region of size 239 [-Wformat-truncation=]
401 | snprintf(dev, MAX_DEV_LEN, "%s/%s/type", AP_PATH, direntp->d_name);
The warning disappears when increasing the array to 280 bytes.
{ | ||
DIR *sysDir; | ||
unsigned int ret = 0; | ||
char dev[MAX_DEV_LEN] = AP_PATH; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the = AP_PATH ?
You use dev later with snprintf(dev, ...) so the assignment is not needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but there's this stmt below which needs the path in dev:
if ((sysDir = opendir(dev)) == NULL)
return 0;
|
||
/* Get device type (string like "CEXnT") */ | ||
snprintf(dev, MAX_DEV_LEN, "%s/%s/type", AP_PATH, direntp->d_name); | ||
memset(type, 0, sizeof(type)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the memset here is not needed as you check the returncode from get_device_type()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's right.
include/ica_api.h
Outdated
#define ICA_PROPERTY_RSA_512 0x00000001 | ||
#define ICA_PROPERTY_RSA_1024 0x00000002 | ||
#define ICA_PROPERTY_RSA_2048 0x00000004 | ||
#define ICA_PROPERTY_RSA_4096 0x00000008 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we really need this differentiation ? I know there was a limit on RSA for CEX2 but as far as I know even CEX3 supports RSA up to 4096 and we do not have any CEX2 support in the device driver any more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you are right, today we don't really need it. We could just use ICA_PROPERTY_RSA_ALL. I left the differentiation, because the libica book describes the different RSA key lengths in chapter 5. We may remove the differentiation in the code, but should then also update the book.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Determine available online cards and check if ECC is supported via CCA coprocessor. Set dynamic flag according to available cards. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
ECC is supported on CEX4C or later. Don't try to perform an ECC function on dynamic hardware if already known that no suitable CCA coprocessor available. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Remove routine to search for cards. Information about available dynamic hardware is now correctly provided via the function list. Add a third column to the icainfo output to show dynamic and static hardware separately. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Introduce and use symbolic constants for already existing AES and RSA properties. Add and use new constants for EC-related properties. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
src/ica_api.c
Outdated
if (any_card_online) | ||
rc = ioctl(adapter_handle, ICARSAMODEXPO, &rb); | ||
else | ||
rc = 1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason why you return "1" here, an not ENODEV or similar?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, ENODEV is better here. Code changed.
src/ica_api.c
Outdated
if (any_card_online) | ||
rc = ioctl(adapter_handle, ICARSACRT, &rb); | ||
else | ||
rc = 1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, ENODEV is better here. Code changed.
This fix applies to RSA, the same technique is already used for ECC also. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Misc. housekeeping and bug fixes: set dynamic ICA flag according to available online cards, don't call ioctl for ECC functions if ECC is not available via cards, enhance icainfo output to three columns, distinguishing between static and dynamic hardware.