* [PATCH] fixup! s390/zcrypt: Rework cca findcard() implementation and callers
@ 2025-04-25 14:39 Harald Freudenberger
2025-04-25 15:34 ` Heiko Carstens
0 siblings, 1 reply; 2+ messages in thread
From: Harald Freudenberger @ 2025-04-25 14:39 UTC (permalink / raw)
To: hca, gor, agordeev; +Cc: linux-s390, dengler, ifranzki, fcallies, seiden
Ci run of the night showed that a CCA secure key which maches
to an old MK on the HSM is not correctly verified. The code
builds up an array with a given apqn array with a fixed arraysize
and calls findcard2() for the CURRENT MK which fails as expected.
So next attempt is made with trying to match the OLD MK with same
apqn array and same arraysize variable. But the previous call hat
set this arraysize variable to 0 and so the 2nd invocation finds
a valid apqn but the arraysize variable tells there is no space
in the array. Fixed and tested.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reported-by: Ingo Franzki ifranzki@linux.ibm.com
---
drivers/s390/crypto/pkey_cca.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/s390/crypto/pkey_cca.c b/drivers/s390/crypto/pkey_cca.c
index fe67946edc9d..6c7897a93f27 100644
--- a/drivers/s390/crypto/pkey_cca.c
+++ b/drivers/s390/crypto/pkey_cca.c
@@ -487,6 +487,7 @@ static int cca_verifykey(const u8 *key, u32 keylen,
if (!rc)
*flags = PKEY_FLAGS_MATCH_CUR_MKVP;
if (rc == -ENODEV) {
+ nr_apqns = ARRAY_SIZE(apqns);
rc = cca_findcard2(apqns, &nr_apqns, *card, *dom,
ZCRYPT_CEX3C, AES_MK_SET,
0, t->mkvp, xflags);
@@ -520,6 +521,7 @@ static int cca_verifykey(const u8 *key, u32 keylen,
if (!rc)
*flags = PKEY_FLAGS_MATCH_CUR_MKVP;
if (rc == -ENODEV) {
+ nr_apqns = ARRAY_SIZE(apqns);
rc = cca_findcard2(apqns, &nr_apqns, *card, *dom,
ZCRYPT_CEX6, AES_MK_SET,
0, t->mkvp0, xflags);
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] fixup! s390/zcrypt: Rework cca findcard() implementation and callers
2025-04-25 14:39 [PATCH] fixup! s390/zcrypt: Rework cca findcard() implementation and callers Harald Freudenberger
@ 2025-04-25 15:34 ` Heiko Carstens
0 siblings, 0 replies; 2+ messages in thread
From: Heiko Carstens @ 2025-04-25 15:34 UTC (permalink / raw)
To: Harald Freudenberger
Cc: gor, agordeev, linux-s390, dengler, ifranzki, fcallies, seiden
On Fri, Apr 25, 2025 at 04:39:47PM +0200, Harald Freudenberger wrote:
> Ci run of the night showed that a CCA secure key which maches
> to an old MK on the HSM is not correctly verified. The code
> builds up an array with a given apqn array with a fixed arraysize
> and calls findcard2() for the CURRENT MK which fails as expected.
> So next attempt is made with trying to match the OLD MK with same
> apqn array and same arraysize variable. But the previous call hat
> set this arraysize variable to 0 and so the 2nd invocation finds
> a valid apqn but the arraysize variable tells there is no space
> in the array. Fixed and tested.
>
> Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
> Reported-by: Ingo Franzki ifranzki@linux.ibm.com
> ---
> drivers/s390/crypto/pkey_cca.c | 2 ++
> 1 file changed, 2 insertions(+)
Merged into your previous patch. Thanks!
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-04-25 15:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-25 14:39 [PATCH] fixup! s390/zcrypt: Rework cca findcard() implementation and callers Harald Freudenberger
2025-04-25 15:34 ` Heiko Carstens
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).