Devel #28
Devel #28
Conversation
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
| e->flags |= *s390_kdsa_functions[e->id].enabled ? ICA_FLAG_SHW : 0; | ||
| break; | ||
| case RSA_ME: /* fall-through */ | ||
| case RSA_CRT: | ||
| if (any_card_online) { |
There was a problem hiding this comment.
I think libica RSA only works with CEX-A, no ? So 'any_card_online' would be neccesary but not sufficient.
There was a problem hiding this comment.
I found this paragraph in the "Device Drivers, Features, and Commands" book:
For both accelerators and CCA coprocessors, it provides Rivest-Shamir-Adleman
(RSA) encryption and RSA decryption functions using clear keys. RSA operations
are supported in both the modulus-exponent and the Chinese-Remainder Theorem
(CRT) variants for any key size in the range 57 - 4096 bit.
So it looks like the zcrypt device driver can use both types of cards for RSA.
There was a problem hiding this comment.
Just tested it: the RSA tests are performed in hw on a CCA coprocessor.
There was a problem hiding this comment.
Yes, the zcrypt dd can use both.
| ICA_PROPERTY_RSA_4096) | ||
|
|
||
| #define ICA_PROPERTY_EC_BP 0x00000001 /* Brainpool curves */ | ||
| #define ICA_PROPERTY_EC_NIST 0x00000002 /* NIST curves */ |
There was a problem hiding this comment.
Is there a whitespace error ? The NIST curves constant is indented differently than the others in the GitHub diff view....
| msa4_switch, msa5_switch, msa8_switch, trng_switch, msa9_switch, | ||
| ecc_via_online_card, any_card_online; | ||
|
|
||
| #define CARD_AVAILABLE 0x01 |
There was a problem hiding this comment.
also here it looks like a whitespace error......
src/s390_crypto.c
Outdated
| goto end; | ||
|
|
||
| /* Did we get something like 'CEX5C\n'? */ | ||
| if (strlen(type) != 6 || strstr(type, "CEX") != &type[0]) |
There was a problem hiding this comment.
didn't we say that strstr might not be the best choice here? I would do a strncmp(type, "CEX", 3) instead.
src/s390_crypto.c
Outdated
| while ((direntp = readdir(sysDir)) != NULL) { | ||
|
|
||
| /* Skip entries that are not like "card01", "card02", etc. */ | ||
| if (strstr(direntp->d_name, "card") != &direntp->d_name[0]) |
| } | ||
|
|
||
| #define AP_PATH "/sys/devices/ap" | ||
| #define MAX_DEV_LEN 280 |
There was a problem hiding this comment.
There is a PATH_MAX define in linux/limits.h.
There was a problem hiding this comment.
Yes, but it's only 255 bytes long and causes a compiler warning:
s390_crypto.c:401:34: warning: '%s' directive output may be truncated writing up to 255 bytes into a region of size 239 [-Wformat-truncation=]
401 | snprintf(dev, MAX_DEV_LEN, "%s/%s/type", AP_PATH, direntp->d_name);
The warning disappears when increasing the array to 280 bytes.
| { | ||
| DIR *sysDir; | ||
| unsigned int ret = 0; | ||
| char dev[MAX_DEV_LEN] = AP_PATH; |
There was a problem hiding this comment.
Why the = AP_PATH ?
You use dev later with snprintf(dev, ...) so the assignment is not needed.
There was a problem hiding this comment.
Yes, but there's this stmt below which needs the path in dev:
if ((sysDir = opendir(dev)) == NULL)
return 0;
|
|
||
| /* Get device type (string like "CEXnT") */ | ||
| snprintf(dev, MAX_DEV_LEN, "%s/%s/type", AP_PATH, direntp->d_name); | ||
| memset(type, 0, sizeof(type)); |
There was a problem hiding this comment.
the memset here is not needed as you check the returncode from get_device_type()
There was a problem hiding this comment.
Yes, that's right.
include/ica_api.h
Outdated
| #define ICA_PROPERTY_RSA_512 0x00000001 | ||
| #define ICA_PROPERTY_RSA_1024 0x00000002 | ||
| #define ICA_PROPERTY_RSA_2048 0x00000004 | ||
| #define ICA_PROPERTY_RSA_4096 0x00000008 |
There was a problem hiding this comment.
do we really need this differentiation ? I know there was a limit on RSA for CEX2 but as far as I know even CEX3 supports RSA up to 4096 and we do not have any CEX2 support in the device driver any more.
There was a problem hiding this comment.
Yes, you are right, today we don't really need it. We could just use ICA_PROPERTY_RSA_ALL. I left the differentiation, because the libica book describes the different RSA key lengths in chapter 5. We may remove the differentiation in the code, but should then also update the book.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Determine available online cards and check if ECC is supported via CCA coprocessor. Set dynamic flag according to available cards. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
ECC is supported on CEX4C or later. Don't try to perform an ECC function on dynamic hardware if already known that no suitable CCA coprocessor available. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Remove routine to search for cards. Information about available dynamic hardware is now correctly provided via the function list. Add a third column to the icainfo output to show dynamic and static hardware separately. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Introduce and use symbolic constants for already existing AES and RSA properties. Add and use new constants for EC-related properties. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
src/ica_api.c
Outdated
| if (any_card_online) | ||
| rc = ioctl(adapter_handle, ICARSAMODEXPO, &rb); | ||
| else | ||
| rc = 1; |
There was a problem hiding this comment.
Is there a reason why you return "1" here, an not ENODEV or similar?
There was a problem hiding this comment.
I agree, ENODEV is better here. Code changed.
src/ica_api.c
Outdated
| if (any_card_online) | ||
| rc = ioctl(adapter_handle, ICARSACRT, &rb); | ||
| else | ||
| rc = 1; |
There was a problem hiding this comment.
I agree, ENODEV is better here. Code changed.
This fix applies to RSA, the same technique is already used for ECC also. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Misc. housekeeping and bug fixes: set dynamic ICA flag according to available online cards, don't call ioctl for ECC functions if ECC is not available via cards, enhance icainfo output to three columns, distinguishing between static and dynamic hardware.