From: Harald Freudenberger <freude@linux.ibm.com>
To: richard.henderson@linaro.org, iii@linux.ibm.com,
david@kernel.org, thuth@redhat.com, berrange@redhat.com
Cc: qemu-s390x@nongnu.org, qemu-devel@nongnu.org,
linux390-list@tuxmaker.boeblingen.de.ibm.com,
linux-s390@vger.kernel.org, dengler@linux.ibm.com,
borntraeger@linux.ibm.com, fcallies@linux.ibm.com,
cohuck@redhat.com
Subject: [PATCH v8 10/18] target/s390x: Support pckmo encrypt AES subfunctions
Date: Wed, 24 Jun 2026 10:10:07 +0200 [thread overview]
Message-ID: <20260624081029.23815-11-freude@linux.ibm.com> (raw)
In-Reply-To: <20260624081029.23815-1-freude@linux.ibm.com>
Support the subfuctions PCKMO-Encrypt-AES-128-Key,
PCKMO-Encrypt-AES-192-Key and PCKMO-Encrypt-AES-256-Key.
These subfunctions derive a protected key from an AES clear key
by encrypting it with an internal AES wrapping key. More
details can be found in the "z/Architecture Prinziples of
Operation" document.
The qemu version provided here is only a fake intended to make
protected key available for developing and testing purpose:
* The protected key is 'derived' from the clear key by xoring
the fixed pattern 0xAAAA... onto the key value.
* The AES Wrapping Key Verification Pattern is a fixed
value of 32 bytes 0xFACEFACE...
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Tested-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
---
target/s390x/gen-features.c | 3 ++
target/s390x/tcg/cpacf.h | 2 +
target/s390x/tcg/cpacf_aes.c | 66 ++++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 21 ++++++++++
target/s390x/tcg/translate.c | 9 ++++-
5 files changed, 99 insertions(+), 2 deletions(-)
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index f9b1a40c7c..d3e69aaca6 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -934,6 +934,9 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_KMCTR_AES_256,
S390_FEAT_PCC_XTS_AES_128,
S390_FEAT_PCC_XTS_AES_256,
+ S390_FEAT_PCKMO_AES_128,
+ S390_FEAT_PCKMO_AES_192,
+ S390_FEAT_PCKMO_AES_256,
};
/****** END FEATURE DEFS ******/
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index fdd0d7203e..1350199536 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -41,5 +41,7 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *dst_ptr_reg,
uint64_t *src_ptr_reg, uint64_t *src_len_reg,
uint32_t type, uint8_t fc, uint8_t mod);
+int cpacf_aes_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint8_t fc);
#endif
diff --git a/target/s390x/tcg/cpacf_aes.c b/target/s390x/tcg/cpacf_aes.c
index 27681d5670..5db63983ef 100644
--- a/target/s390x/tcg/cpacf_aes.c
+++ b/target/s390x/tcg/cpacf_aes.c
@@ -459,3 +459,69 @@ int cpacf_aes_xts(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return !len ? 0 : 3;
}
+
+/*
+ * Hard coded pattern xored with the AES clear key
+ * to 'produce' the protected key.
+ */
+static const uint8_t protkey_xor_pattern[32] = {
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA };
+
+/*
+ * Hard coded wkvp ("Wrapping Key Verification Pattern")
+ */
+static const uint8_t protkey_wkvp[32] = {
+ 0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E,
+ 0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E,
+ 0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E,
+ 0x0F, 0x0A, 0x0C, 0x0E, 0x0F, 0x0A, 0x0C, 0x0E };
+
+int cpacf_aes_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint8_t fc)
+{
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t key[32];
+ int keysize, i;
+ uint64_t addr;
+
+ switch (fc) {
+ case 0x12: /* CPACF_PCKMO_ENC_AES_128_KEY */
+ keysize = 16;
+ break;
+ case 0x13: /* CPACF_PCKMO_ENC_AES_192_KEY */
+ keysize = 24;
+ break;
+ case 0x14: /* CPACF_PCKMO_ENC_AES_256_KEY */
+ keysize = 32;
+ break;
+ default:
+ g_assert_not_reached();
+ }
+
+ /* fetch key from param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ key[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+
+ /* 'derive' the protected key */
+ for (i = 0; i < keysize; i++) {
+ key[i] ^= protkey_xor_pattern[i];
+ }
+
+ /* store the protected key into param block */
+ for (i = 0; i < keysize; i++) {
+ addr = wrap_address(env, param_addr + i);
+ cpu_stb_mmu(env, addr, key[i], oi, ra);
+ }
+ /* followed by the fake wkvp */
+ for (i = 0; i < sizeof(protkey_wkvp); i++) {
+ addr = wrap_address(env, param_addr + keysize + i);
+ cpu_stb_mmu(env, addr, protkey_wkvp[i], oi, ra);
+ }
+
+ return 0;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index f400e29e34..3868e3e074 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -192,6 +192,24 @@ static int cpacf_pcc(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
return rc;
}
+static int cpacf_pckmo(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint8_t fc)
+{
+ int rc = 0;
+
+ switch (fc) {
+ case 0x12: /* CPACF_PCKMO_ENC_AES_128_KEY */
+ case 0x13: /* CPACF_PCKMO_ENC_AES_192_KEY */
+ case 0x14: /* CPACF_PCKMO_ENC_AES_256_KEY */
+ rc = cpacf_aes_pckmo(env, mmu_idx, ra, env->regs[1], fc);
+ break;
+ default:
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ return rc;
+}
+
uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
uint32_t type)
{
@@ -251,6 +269,9 @@ uint32_t HELPER(msa)(CPUS390XState *env, uint32_t r1, uint32_t r2, uint32_t r3,
case S390_FEAT_TYPE_PCC:
rc = cpacf_pcc(env, mmu_idx, ra, fc);
break;
+ case S390_FEAT_TYPE_PCKMO:
+ rc = cpacf_pckmo(env, mmu_idx, ra, fc);
+ break;
case S390_FEAT_TYPE_PPNO:
rc = cpacf_ppno(env, mmu_idx, ra, r1, r2, r3, fc);
break;
diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index cef1b55149..d7a99e6c1e 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -2558,6 +2558,7 @@ static DisasJumpType op_msa(DisasContext *s, DisasOps *o)
int r2 = have_field(s, r2) ? get_field(s, r2) : 0;
int r3 = have_field(s, r3) ? get_field(s, r3) : 0;
TCGv_i32 t_r1, t_r2, t_r3, type;
+ bool update_cc = true;
switch (s->insn->data) {
case S390_FEAT_TYPE_KMA:
@@ -2589,8 +2590,10 @@ static DisasJumpType op_msa(DisasContext *s, DisasOps *o)
gen_program_exception(s, PGM_SPECIFICATION);
return DISAS_NORETURN;
}
- /* FALL THROUGH */
+ break;
case S390_FEAT_TYPE_PCKMO:
+ update_cc = false;
+ /* FALL THROUGH */
case S390_FEAT_TYPE_PCC:
case S390_FEAT_TYPE_KDSA:
break;
@@ -2603,7 +2606,9 @@ static DisasJumpType op_msa(DisasContext *s, DisasOps *o)
t_r3 = tcg_constant_i32(r3);
type = tcg_constant_i32(s->insn->data);
gen_helper_msa(cc_op, tcg_env, t_r1, t_r2, t_r3, type);
- set_cc_static(s);
+ if (update_cc) {
+ set_cc_static(s);
+ }
return DISAS_NEXT;
}
--
2.43.0
next prev parent reply other threads:[~2026-06-24 8:11 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 8:09 [PATCH v8 00/18] target/s390x: Extend qemu CPACF support Harald Freudenberger
2026-06-24 8:09 ` [PATCH v8 01/18] target/s390x: Fix wrong address handling in address loops Harald Freudenberger
2026-06-24 10:05 ` Philippe Mathieu-Daudé
2026-06-24 12:56 ` Ilya Leoshkevich
2026-06-24 8:09 ` [PATCH v8 02/18] target/s390x: Rework s390 cpacf implementations Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 03/18] target/s390x: Move cpacf sha512 code into a new file Harald Freudenberger
2026-06-24 10:07 ` Philippe Mathieu-Daudé
2026-06-24 8:10 ` [PATCH v8 04/18] target/s390x: Support cpacf sha256 Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 05/18] target/s390x: Support AES ECB for cpacf km instruction Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 06/18] target/s390x: Support AES CBC for cpacf kmc instruction Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 07/18] target/s390x: Support AES CTR for cpacf kmctr instruction Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 08/18] target/s390x: Minimal AES XTS support for cpacf pcc instruction Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 09/18] target/s390x: Support AES XTS for cpacf km instruction Harald Freudenberger
2026-06-24 8:10 ` Harald Freudenberger [this message]
2026-06-24 8:10 ` [PATCH v8 11/18] target/s390x: Support protected key AES ECB " Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 12/18] target/s390x: Support protected key AES CBC for cpacf kmc instruction Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 13/18] target/s390x: Support protected key AES CTR for cpacf kmctr instruction Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 14/18] target/s390x: Minimal protected key AES XTS support for cpacf pcc instruction Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 15/18] target/s390x: Support protected key AES XTS for cpacf km instruction Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 16/18] docs/s390: Document CPACF instructions support Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 17/18] crypto: Add aes-helpers file to support some AES modes Harald Freudenberger
2026-06-24 8:10 ` [PATCH v8 18/18] target/s390x: Use generic AES helper functions Harald Freudenberger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260624081029.23815-11-freude@linux.ibm.com \
--to=freude@linux.ibm.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@kernel.org \
--cc=dengler@linux.ibm.com \
--cc=fcallies@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=linux-s390@vger.kernel.org \
--cc=linux390-list@tuxmaker.boeblingen.de.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox