From: Harald Freudenberger <freude@linux.ibm.com>
To: herbert@gondor.apana.org.au
Cc: linux-crypto@vger.kernel.org, linux-s390@vger.kernel.org,
hca@linux.ibm.com, gor@linux.ibm.com, agordeev@linux.ibm.com
Subject: [PATCH v2 4/4] crypto: s390/paes - Refuse clear key material by default
Date: Thu, 15 Jan 2026 13:00:26 +0100 [thread overview]
Message-ID: <20260115120026.4286-5-freude@linux.ibm.com> (raw)
In-Reply-To: <20260115120026.4286-1-freude@linux.ibm.com>
This patch exploits the new xflag PKEY_XFLAG_NOCLEARKEY from the pkey
layer. So now by default all the paes algorithms refuse the use of
clear key material ("clear key tokens") in the setkey function with
-EINVAL.
With a new kernel module parameter "clrkey" this behavior can be
controlled. By default clrkey is 'N' but for testing purpose on module
load a true value (1, 'Y') may be given to accept clear key tokens.
Note that during selftest clear keys are always used and thus the
xflag PKEY_XFLAG_NOCLEARKEY is NOT set as long as the algorithm is in
a larval state indicated by crypto_skcipher_tested() returning false.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
arch/s390/crypto/paes_s390.c | 93 ++++++++++++++++++++++--------------
1 file changed, 57 insertions(+), 36 deletions(-)
diff --git a/arch/s390/crypto/paes_s390.c b/arch/s390/crypto/paes_s390.c
index 64aef7eb2030..8cfe6166c193 100644
--- a/arch/s390/crypto/paes_s390.c
+++ b/arch/s390/crypto/paes_s390.c
@@ -40,6 +40,10 @@
#define PAES_256_PROTKEY_SIZE (32 + 32) /* key + verification pattern */
#define PXTS_256_PROTKEY_SIZE (32 + 32 + 32) /* k1 + k2 + verification pattern */
+static bool pkey_clrkey_allowed;
+module_param_named(clrkey, pkey_clrkey_allowed, bool, 0444);
+MODULE_PARM_DESC(clrkey, "Allow clear key material (default N)");
+
static u8 *ctrblk;
static DEFINE_MUTEX(ctrblk_lock);
@@ -192,10 +196,14 @@ static inline int pxts_ctx_setkey(struct s390_pxts_ctx *ctx,
* This function may sleep - don't call in non-sleeping context.
*/
static inline int convert_key(const u8 *key, unsigned int keylen,
- struct paes_protkey *pk)
+ struct paes_protkey *pk, bool tested)
{
+ u32 xflags = PKEY_XFLAG_NOMEMALLOC;
int rc, i;
+ if (tested && !pkey_clrkey_allowed)
+ xflags |= PKEY_XFLAG_NOCLEARKEY;
+
pk->len = sizeof(pk->protkey);
/*
@@ -209,7 +217,7 @@ static inline int convert_key(const u8 *key, unsigned int keylen,
}
rc = pkey_key2protkey(key, keylen,
pk->protkey, &pk->len, &pk->type,
- PKEY_XFLAG_NOMEMALLOC);
+ xflags);
}
out:
@@ -231,7 +239,7 @@ static inline int convert_key(const u8 *key, unsigned int keylen,
* unnecessary additional conversion but never to invalid data on en-
* or decrypt operations.
*/
-static int paes_convert_key(struct s390_paes_ctx *ctx)
+static int paes_convert_key(struct s390_paes_ctx *ctx, bool tested)
{
struct paes_protkey pk;
int rc;
@@ -240,7 +248,7 @@ static int paes_convert_key(struct s390_paes_ctx *ctx)
ctx->pk_state = PK_STATE_CONVERT_IN_PROGRESS;
spin_unlock_bh(&ctx->pk_lock);
- rc = convert_key(ctx->keybuf, ctx->keylen, &pk);
+ rc = convert_key(ctx->keybuf, ctx->keylen, &pk, tested);
/* update context */
spin_lock_bh(&ctx->pk_lock);
@@ -263,7 +271,7 @@ static int paes_convert_key(struct s390_paes_ctx *ctx)
* pk_type, pk_len and the protected key in the tfm context.
* See also comments on function paes_convert_key.
*/
-static int pxts_convert_key(struct s390_pxts_ctx *ctx)
+static int pxts_convert_key(struct s390_pxts_ctx *ctx, bool tested)
{
struct paes_protkey pk0, pk1;
size_t split_keylen;
@@ -273,7 +281,7 @@ static int pxts_convert_key(struct s390_pxts_ctx *ctx)
ctx->pk_state = PK_STATE_CONVERT_IN_PROGRESS;
spin_unlock_bh(&ctx->pk_lock);
- rc = convert_key(ctx->keybuf, ctx->keylen, &pk0);
+ rc = convert_key(ctx->keybuf, ctx->keylen, &pk0, tested);
if (rc)
goto out;
@@ -287,7 +295,7 @@ static int pxts_convert_key(struct s390_pxts_ctx *ctx)
}
split_keylen = ctx->keylen / 2;
rc = convert_key(ctx->keybuf + split_keylen,
- split_keylen, &pk1);
+ split_keylen, &pk1, tested);
if (rc)
goto out;
if (pk0.type != pk1.type) {
@@ -343,6 +351,7 @@ static int ecb_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
unsigned int key_len)
{
struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
+ bool tested = crypto_skcipher_tested(tfm);
long fc;
int rc;
@@ -352,7 +361,7 @@ static int ecb_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
goto out;
/* convert key into protected key */
- rc = paes_convert_key(ctx);
+ rc = paes_convert_key(ctx, tested);
if (rc)
goto out;
@@ -382,7 +391,7 @@ static int ecb_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
static int ecb_paes_do_crypt(struct s390_paes_ctx *ctx,
struct s390_pecb_req_ctx *req_ctx,
- bool maysleep)
+ bool tested, bool maysleep)
{
struct ecb_param *param = &req_ctx->param;
struct skcipher_walk *walk = &req_ctx->walk;
@@ -430,7 +439,7 @@ static int ecb_paes_do_crypt(struct s390_paes_ctx *ctx,
rc = -EKEYEXPIRED;
goto out;
}
- rc = paes_convert_key(ctx);
+ rc = paes_convert_key(ctx, tested);
if (rc)
goto out;
spin_lock_bh(&ctx->pk_lock);
@@ -450,6 +459,7 @@ static int ecb_paes_crypt(struct skcipher_request *req, unsigned long modifier)
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
struct skcipher_walk *walk = &req_ctx->walk;
+ bool tested = crypto_skcipher_tested(tfm);
int rc;
/*
@@ -468,7 +478,7 @@ static int ecb_paes_crypt(struct skcipher_request *req, unsigned long modifier)
/* Try synchronous operation if no active engine usage */
if (!atomic_read(&ctx->via_engine_ctr)) {
- rc = ecb_paes_do_crypt(ctx, req_ctx, false);
+ rc = ecb_paes_do_crypt(ctx, req_ctx, tested, false);
if (rc == 0)
goto out;
}
@@ -531,11 +541,12 @@ static int ecb_paes_do_one_request(struct crypto_engine *engine, void *areq)
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
struct skcipher_walk *walk = &req_ctx->walk;
+ bool tested = crypto_skcipher_tested(tfm);
int rc;
/* walk has already been prepared */
- rc = ecb_paes_do_crypt(ctx, req_ctx, true);
+ rc = ecb_paes_do_crypt(ctx, req_ctx, tested, true);
if (rc == -EKEYEXPIRED) {
/*
* Protected key expired, conversion is in process.
@@ -602,6 +613,7 @@ static int cbc_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
unsigned int key_len)
{
struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
+ bool tested = crypto_skcipher_tested(tfm);
long fc;
int rc;
@@ -611,7 +623,7 @@ static int cbc_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
goto out;
/* convert raw key into protected key */
- rc = paes_convert_key(ctx);
+ rc = paes_convert_key(ctx, tested);
if (rc)
goto out;
@@ -641,7 +653,7 @@ static int cbc_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
static int cbc_paes_do_crypt(struct s390_paes_ctx *ctx,
struct s390_pcbc_req_ctx *req_ctx,
- bool maysleep)
+ bool tested, bool maysleep)
{
struct cbc_param *param = &req_ctx->param;
struct skcipher_walk *walk = &req_ctx->walk;
@@ -693,7 +705,7 @@ static int cbc_paes_do_crypt(struct s390_paes_ctx *ctx,
rc = -EKEYEXPIRED;
goto out;
}
- rc = paes_convert_key(ctx);
+ rc = paes_convert_key(ctx, tested);
if (rc)
goto out;
spin_lock_bh(&ctx->pk_lock);
@@ -713,6 +725,7 @@ static int cbc_paes_crypt(struct skcipher_request *req, unsigned long modifier)
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
struct skcipher_walk *walk = &req_ctx->walk;
+ bool tested = crypto_skcipher_tested(tfm);
int rc;
/*
@@ -731,7 +744,7 @@ static int cbc_paes_crypt(struct skcipher_request *req, unsigned long modifier)
/* Try synchronous operation if no active engine usage */
if (!atomic_read(&ctx->via_engine_ctr)) {
- rc = cbc_paes_do_crypt(ctx, req_ctx, false);
+ rc = cbc_paes_do_crypt(ctx, req_ctx, tested, false);
if (rc == 0)
goto out;
}
@@ -794,11 +807,12 @@ static int cbc_paes_do_one_request(struct crypto_engine *engine, void *areq)
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
struct skcipher_walk *walk = &req_ctx->walk;
+ bool tested = crypto_skcipher_tested(tfm);
int rc;
/* walk has already been prepared */
- rc = cbc_paes_do_crypt(ctx, req_ctx, true);
+ rc = cbc_paes_do_crypt(ctx, req_ctx, tested, true);
if (rc == -EKEYEXPIRED) {
/*
* Protected key expired, conversion is in process.
@@ -865,6 +879,7 @@ static int ctr_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
unsigned int key_len)
{
struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
+ bool tested = crypto_skcipher_tested(tfm);
long fc;
int rc;
@@ -874,7 +889,7 @@ static int ctr_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
goto out;
/* convert raw key into protected key */
- rc = paes_convert_key(ctx);
+ rc = paes_convert_key(ctx, tested);
if (rc)
goto out;
@@ -919,7 +934,7 @@ static inline unsigned int __ctrblk_init(u8 *ctrptr, u8 *iv, unsigned int nbytes
static int ctr_paes_do_crypt(struct s390_paes_ctx *ctx,
struct s390_pctr_req_ctx *req_ctx,
- bool maysleep)
+ bool tested, bool maysleep)
{
struct ctr_param *param = &req_ctx->param;
struct skcipher_walk *walk = &req_ctx->walk;
@@ -979,7 +994,7 @@ static int ctr_paes_do_crypt(struct s390_paes_ctx *ctx,
rc = -EKEYEXPIRED;
goto out;
}
- rc = paes_convert_key(ctx);
+ rc = paes_convert_key(ctx, tested);
if (rc) {
if (locked)
mutex_unlock(&ctrblk_lock);
@@ -1006,7 +1021,7 @@ static int ctr_paes_do_crypt(struct s390_paes_ctx *ctx,
rc = -EKEYEXPIRED;
goto out;
}
- rc = paes_convert_key(ctx);
+ rc = paes_convert_key(ctx, tested);
if (rc)
goto out;
spin_lock_bh(&ctx->pk_lock);
@@ -1029,6 +1044,7 @@ static int ctr_paes_crypt(struct skcipher_request *req)
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
struct skcipher_walk *walk = &req_ctx->walk;
+ bool tested = crypto_skcipher_tested(tfm);
int rc;
/*
@@ -1046,7 +1062,7 @@ static int ctr_paes_crypt(struct skcipher_request *req)
/* Try synchronous operation if no active engine usage */
if (!atomic_read(&ctx->via_engine_ctr)) {
- rc = ctr_paes_do_crypt(ctx, req_ctx, false);
+ rc = ctr_paes_do_crypt(ctx, req_ctx, tested, false);
if (rc == 0)
goto out;
}
@@ -1099,11 +1115,12 @@ static int ctr_paes_do_one_request(struct crypto_engine *engine, void *areq)
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct s390_paes_ctx *ctx = crypto_skcipher_ctx(tfm);
struct skcipher_walk *walk = &req_ctx->walk;
+ bool tested = crypto_skcipher_tested(tfm);
int rc;
/* walk has already been prepared */
- rc = ctr_paes_do_crypt(ctx, req_ctx, true);
+ rc = ctr_paes_do_crypt(ctx, req_ctx, tested, true);
if (rc == -EKEYEXPIRED) {
/*
* Protected key expired, conversion is in process.
@@ -1190,6 +1207,7 @@ static int xts_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
unsigned int in_keylen)
{
struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm);
+ bool tested = crypto_skcipher_tested(tfm);
u8 ckey[2 * AES_MAX_KEY_SIZE];
unsigned int ckey_len;
long fc;
@@ -1205,7 +1223,7 @@ static int xts_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
goto out;
/* convert raw key(s) into protected key(s) */
- rc = pxts_convert_key(ctx);
+ rc = pxts_convert_key(ctx, tested);
if (rc)
goto out;
@@ -1255,7 +1273,7 @@ static int xts_paes_setkey(struct crypto_skcipher *tfm, const u8 *in_key,
static int xts_paes_do_crypt_fullkey(struct s390_pxts_ctx *ctx,
struct s390_pxts_req_ctx *req_ctx,
- bool maysleep)
+ bool tested, bool maysleep)
{
struct xts_full_km_param *param = &req_ctx->param.full_km_param;
struct skcipher_walk *walk = &req_ctx->walk;
@@ -1299,7 +1317,7 @@ static int xts_paes_do_crypt_fullkey(struct s390_pxts_ctx *ctx,
rc = -EKEYEXPIRED;
goto out;
}
- rc = pxts_convert_key(ctx);
+ rc = pxts_convert_key(ctx, tested);
if (rc)
goto out;
spin_lock_bh(&ctx->pk_lock);
@@ -1318,7 +1336,8 @@ static inline int __xts_2keys_prep_param(struct s390_pxts_ctx *ctx,
struct xts_km_param *param,
struct skcipher_walk *walk,
unsigned int keylen,
- unsigned int offset, bool maysleep)
+ unsigned int offset,
+ bool tested, bool maysleep)
{
struct xts_pcc_param pcc_param;
unsigned long cc = 1;
@@ -1337,7 +1356,7 @@ static inline int __xts_2keys_prep_param(struct s390_pxts_ctx *ctx,
rc = -EKEYEXPIRED;
break;
}
- rc = pxts_convert_key(ctx);
+ rc = pxts_convert_key(ctx, tested);
if (rc)
break;
continue;
@@ -1351,7 +1370,7 @@ static inline int __xts_2keys_prep_param(struct s390_pxts_ctx *ctx,
static int xts_paes_do_crypt_2keys(struct s390_pxts_ctx *ctx,
struct s390_pxts_req_ctx *req_ctx,
- bool maysleep)
+ bool tested, bool maysleep)
{
struct xts_km_param *param = &req_ctx->param.km_param;
struct skcipher_walk *walk = &req_ctx->walk;
@@ -1369,7 +1388,7 @@ static int xts_paes_do_crypt_2keys(struct s390_pxts_ctx *ctx,
if (!req_ctx->param_init_done) {
rc = __xts_2keys_prep_param(ctx, param, walk,
- keylen, offset, maysleep);
+ keylen, offset, tested, maysleep);
if (rc)
goto out;
req_ctx->param_init_done = true;
@@ -1392,7 +1411,7 @@ static int xts_paes_do_crypt_2keys(struct s390_pxts_ctx *ctx,
rc = -EKEYEXPIRED;
goto out;
}
- rc = pxts_convert_key(ctx);
+ rc = pxts_convert_key(ctx, tested);
if (rc)
goto out;
spin_lock_bh(&ctx->pk_lock);
@@ -1408,7 +1427,7 @@ static int xts_paes_do_crypt_2keys(struct s390_pxts_ctx *ctx,
static int xts_paes_do_crypt(struct s390_pxts_ctx *ctx,
struct s390_pxts_req_ctx *req_ctx,
- bool maysleep)
+ bool tested, bool maysleep)
{
int pk_state, rc = 0;
@@ -1436,11 +1455,11 @@ static int xts_paes_do_crypt(struct s390_pxts_ctx *ctx,
switch (ctx->fc) {
case CPACF_KM_PXTS_128:
case CPACF_KM_PXTS_256:
- rc = xts_paes_do_crypt_2keys(ctx, req_ctx, maysleep);
+ rc = xts_paes_do_crypt_2keys(ctx, req_ctx, tested, maysleep);
break;
case CPACF_KM_PXTS_128_FULL:
case CPACF_KM_PXTS_256_FULL:
- rc = xts_paes_do_crypt_fullkey(ctx, req_ctx, maysleep);
+ rc = xts_paes_do_crypt_fullkey(ctx, req_ctx, tested, maysleep);
break;
default:
rc = -EINVAL;
@@ -1457,6 +1476,7 @@ static inline int xts_paes_crypt(struct skcipher_request *req, unsigned long mod
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm);
struct skcipher_walk *walk = &req_ctx->walk;
+ bool tested = crypto_skcipher_tested(tfm);
int rc;
/*
@@ -1475,7 +1495,7 @@ static inline int xts_paes_crypt(struct skcipher_request *req, unsigned long mod
/* Try synchronous operation if no active engine usage */
if (!atomic_read(&ctx->via_engine_ctr)) {
- rc = xts_paes_do_crypt(ctx, req_ctx, false);
+ rc = xts_paes_do_crypt(ctx, req_ctx, tested, false);
if (rc == 0)
goto out;
}
@@ -1538,11 +1558,12 @@ static int xts_paes_do_one_request(struct crypto_engine *engine, void *areq)
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct s390_pxts_ctx *ctx = crypto_skcipher_ctx(tfm);
struct skcipher_walk *walk = &req_ctx->walk;
+ bool tested = crypto_skcipher_tested(tfm);
int rc;
/* walk has already been prepared */
- rc = xts_paes_do_crypt(ctx, req_ctx, true);
+ rc = xts_paes_do_crypt(ctx, req_ctx, tested, true);
if (rc == -EKEYEXPIRED) {
/*
* Protected key expired, conversion is in process.
--
2.43.0
next prev parent reply other threads:[~2026-01-15 12:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-15 12:00 [PATCH v2 0/4] Paes and Phmac: Refuse clear key material by default Harald Freudenberger
2026-01-15 12:00 ` [PATCH v2 1/4] crypto: skcipher - Add new helper function crypto_skcipher_tested Harald Freudenberger
2026-01-15 12:00 ` [PATCH v2 2/4] s390/pkey: Support new xflag PKEY_XFLAG_NOCLEARKEY Harald Freudenberger
2026-01-15 12:00 ` [PATCH v2 3/4] crypto: s390/phmac - Refuse clear key material by default Harald Freudenberger
2026-01-15 12:00 ` Harald Freudenberger [this message]
2026-01-31 2:57 ` [PATCH v2 0/4] Paes and Phmac: " Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260115120026.4286-5-freude@linux.ibm.com \
--to=freude@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox