File s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch of Package s390-tools.12120
Subject: lszcrypt: CEX6S exploitation
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Summary: s390-tools: Exploitation Support for CEX6S
Description: Exploitation Support for CEX6S
Upstream-ID: 31866fbfa4bd89606af2a313427ca06d230e20dc
Problem-ID: SEC1519
Upstream-Description:
lszcrypt: CEX6S exploitation
With z14 there comes a new crypto card 'CEX6S'.
This patch introduces the s390-tools changes needed
to list the new card and show the capabilities correctly.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
zconf/zcrypt/lszcrypt.8 | 6 ++++++
zconf/zcrypt/lszcrypt.c | 37 ++++++++++++++++++++++++++++---------
2 files changed, 34 insertions(+), 9 deletions(-)
--- a/zconf/zcrypt/lszcrypt.8
+++ b/zconf/zcrypt/lszcrypt.8
@@ -85,6 +85,12 @@ EP11 Secure Key
.IP "o"
Long RNG
.RE
+
+.RS 8
+The CCA Secure Key capability may be limited by a hypervisor
+layer. The remarks 'full function set' or 'restricted function set' may
+reflect this. For details about these limitations please check the
+hypervisor documentation.
.TP 8
.B -d, --domains
Shows the usage and control domains of the cryptographic devices.
--- a/zconf/zcrypt/lszcrypt.c
+++ b/zconf/zcrypt/lszcrypt.c
@@ -42,11 +42,19 @@ struct lszcrypt_l *lszcrypt_l = &l;
/*
* Card types
*/
-#define MASK_APSC 0x80000000
-#define MASK_RSA4K 0x60000000
-#define MASK_COPRO 0x10000000
-#define MASK_ACCEL 0x08000000
-#define MASK_EP11 0x04000000
+#define MASK_APSC 0x80000000
+#define MASK_RSA4K 0x60000000
+#define MASK_COPRO 0x10000000
+#define MASK_ACCEL 0x08000000
+#define MASK_EP11 0x04000000
+
+/*
+ * Classification
+ */
+#define MASK_CLASS_FULL 0x00800000
+#define CLASS_FULL "full function set"
+#define MASK_CLASS_STATELESS 0x00400000
+#define CLASS_STATELESS "restricted function set"
/*
* Program configuration
@@ -226,7 +234,7 @@ static void show_capability(const char *
{
unsigned long func_val;
long hwtype, id;
- char *p, *ap, *dev, card[16];
+ char *p, *ap, *dev, card[16], cbuf[256];
/* check if ap driver is available */
ap = util_path_sysfs("bus/ap");
@@ -250,6 +258,11 @@ static void show_capability(const char *
printf("Detailed capability information for %s (hardware type %ld) is not available.\n", card, hwtype);
return;
}
+ cbuf[0] = '\0';
+ if (func_val & MASK_CLASS_FULL)
+ snprintf(cbuf, sizeof(cbuf), "%s", CLASS_FULL);
+ else if (func_val & MASK_CLASS_STATELESS)
+ snprintf(cbuf, sizeof(cbuf), "%s", CLASS_STATELESS);
printf("%s provides capability for:\n", card);
switch (hwtype) {
case 6:
@@ -262,11 +275,15 @@ static void show_capability(const char *
case 7:
case 9:
printf("%s\n", CAP_RSA4K);
- printf("%s\n", CAP_CCA);
+ if (cbuf[0])
+ printf("%s (%s)\n", CAP_CCA, cbuf);
+ else
+ printf("%s\n", CAP_CCA);
printf("%s", CAP_RNG);
break;
case 10:
case 11:
+ case 12:
if (func_val & MASK_ACCEL) {
if (func_val & MASK_RSA4K)
printf("%s", CAP_RSA4K);
@@ -274,12 +291,14 @@ static void show_capability(const char *
printf("%s", CAP_RSA2K);
} else if (func_val & MASK_COPRO) {
printf("%s\n", CAP_RSA4K);
- printf("%s\n", CAP_CCA);
+ if (cbuf[0])
+ printf("%s (%s)\n", CAP_CCA, cbuf);
+ else
+ printf("%s\n", CAP_CCA);
printf("%s", CAP_RNG);
} else if (func_val & MASK_EP11) {
printf("%s", CAP_EP11);
} else {
-
printf("Detailed capability information for %s (hardware type %ld) is not available.", card, hwtype);
}
break;
