s390/pkey: Unify pkey cca, ep11 and pckmo functions signatures

As a preparation step for introducing a common function API between the pkey API module and the handlers (that is the cca, ep11 and pckmo code) this patch unifies the functions signatures exposed by the handlers and reworks all the invocation code of these functions. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Holger Dengler <dengler@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

s390/pkey: Unify pkey cca, ep11 and pckmo functions signatures
As a preparation step for introducing a common function API between the pkey API module and the handlers (that is the cca, ep11 and pckmo code) this patch unifies the functions signatures exposed by the handlers and reworks all the invocation code of these functions. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Holger Dengler <dengler@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
ea88e171 · Harald Freudenberger · Vasily Gorbik · 86fbf5e2 · ea88e171 · ea88e171
Commit ea88e171 authored Aug 22, 2024 by Harald Freudenberger Committed by Vasily Gorbik Aug 29, 2024
6 changed files
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -109,7 +109,7 @@ static int genseck2(const struct pkey_apqn *apqns, size_t nr_apqns,
 			rc = pkey_cca_gen_key(apqns[i].card,
 					      apqns[i].domain,
 					      u, keytype, keybitsize, flags,
-					      keybuf, keybuflen);
+					      keybuf, keybuflen, NULL);
 		}
 	} else if (pkey_is_ep11_keytype(keytype)) {
 		/* As of now only EP11 AES key generation is supported */
@@ -123,7 +123,7 @@ static int genseck2(const struct pkey_apqn *apqns, size_t nr_apqns,
 			rc = pkey_ep11_gen_key(apqns[i].card,
 					       apqns[i].domain,
 					       u, keytype, keybitsize, flags,
-					       keybuf, keybuflen);
+					       keybuf, keybuflen, NULL);
 		}
 	} else {
 		PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n",
@@ -154,7 +154,7 @@ static int clr2seckey2(const struct pkey_apqn *apqns, size_t nr_apqns,
 					      apqns[i].domain,
 					      u, keytype, kbitsize, flags,
 					      clrkey, kbitsize / 8,
-					      keybuf, keybuflen);
+					      keybuf, keybuflen, NULL);
 		}
 	} else if (pkey_is_ep11_keytype(keytype)) {
 		/* As of now only EP11 AES key generation is supported */
@@ -169,7 +169,7 @@ static int clr2seckey2(const struct pkey_apqn *apqns, size_t nr_apqns,
 					       apqns[i].domain,
 					       u, keytype, kbitsize, flags,
 					       clrkey, kbitsize / 8,
-					       keybuf, keybuflen);
+					       keybuf, keybuflen, NULL);
 		}
 	} else {
 		PKEY_DBF_ERR("%s unknown/unsupported keytype %d\n",
@@ -308,6 +308,7 @@ static int pckmokey2protkey_fallback(const struct clearkeytoken *t,
 		nr_apqns = MAXAPQNSINLIST;
 		rc = pkey_cca_apqns4type(PKEY_TYPE_CCA_DATA,
 					 NULL, NULL, 0, apqns, &nr_apqns);
+		pr_debug("pkey_cca_apqns4type(CCA_DATA)=%d\n", rc);
 		if (rc)
 			goto try_via_ep11;
 		for (j = 0, rc = -ENODEV; j < nr_apqns && rc; j++) {
@@ -316,7 +317,8 @@ static int pckmokey2protkey_fallback(const struct clearkeytoken *t,
 					      t->keytype, PKEY_TYPE_CCA_DATA,
 					      8 * keysize, 0,
 					      t->clearkey, t->len,
-					      tmpbuf, &tmplen);
+					      tmpbuf, &tmplen, NULL);
+			pr_debug("pkey_cca_clr2key()=%d\n", rc);
 		}
 		if (rc)
 			goto try_via_ep11;
@@ -326,6 +328,7 @@ static int pckmokey2protkey_fallback(const struct clearkeytoken *t,
 						  tmpbuf, tmplen,
 						  protkey, protkeylen,
 						  protkeytype);
+			pr_debug("pkey_cca_key2protkey()=%d\n", rc);
 		}
 		if (!rc)
 			break;
@@ -335,6 +338,7 @@ static int pckmokey2protkey_fallback(const struct clearkeytoken *t,
 		nr_apqns = MAXAPQNSINLIST;
 		rc = pkey_ep11_apqns4type(PKEY_TYPE_EP11_AES,
 					  NULL, NULL, 0, apqns, &nr_apqns);
+		pr_debug("pkey_ep11_apqns4type(EP11_AES)=%d\n", rc);
 		if (rc)
 			continue;
 		for (j = 0, rc = -ENODEV; j < nr_apqns && rc; j++) {
@@ -343,7 +347,8 @@ static int pckmokey2protkey_fallback(const struct clearkeytoken *t,
 					       t->keytype, PKEY_TYPE_EP11_AES,
 					       8 * keysize, 0,
 					       t->clearkey, t->len,
-					       tmpbuf, &tmplen);
+					       tmpbuf, &tmplen, NULL);
+			pr_debug("pkey_ep11_clr2key()=%d\n", rc);
 		}
 		if (rc)
 			continue;
@@ -353,6 +358,7 @@ static int pckmokey2protkey_fallback(const struct clearkeytoken *t,
 						   tmpbuf, tmplen,
 						   protkey, protkeylen,
 						   protkeytype);
+			pr_debug("pkey_ep11_key2protkey()=%d\n", rc);
 		}
 	}

@@ -367,9 +373,8 @@ static int pckmokey2protkey(const u8 *key, size_t keylen,
 {
 	int rc;

-	rc = pkey_pckmo_key2protkey(key, keylen,
-				    protkey, protkeylen,
-				    protkeytype);
+	rc = pkey_pckmo_key2protkey(0, 0, key, keylen,
+				    protkey, protkeylen, protkeytype);
 	if (rc == -ENODEV) {
 		struct keytoken_header *hdr = (struct keytoken_header *)key;
 		struct clearkeytoken *t = (struct clearkeytoken *)key;
@@ -456,7 +461,7 @@ static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs)
 	keybuflen = sizeof(kgs.seckey.seckey);
 	rc = pkey_cca_gen_key(kgs.cardnr, kgs.domain,
 			      kgs.keytype, PKEY_TYPE_CCA_DATA, 0, 0,
-			      kgs.seckey.seckey, &keybuflen);
+			      kgs.seckey.seckey, &keybuflen, NULL);
 	pr_debug("pkey_cca_gen_key()=%d\n", rc);
 	if (!rc && copy_to_user(ugs, &kgs, sizeof(kgs)))
 		rc = -EFAULT;
@@ -478,7 +483,7 @@ static int pkey_ioctl_clr2seck(struct pkey_clr2seck __user *ucs)
 			      kcs.keytype, PKEY_TYPE_CCA_DATA, 0, 0,
 			      kcs.clrkey.clrkey,
 			      pkey_keytype_aes_to_size(kcs.keytype),
-			      kcs.seckey.seckey, &keybuflen);
+			      kcs.seckey.seckey, &keybuflen, NULL);
 	pr_debug("pkey_cca_clr2key()=%d\n", rc);
 	if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs)))
 		rc = -EFAULT;
@@ -515,10 +520,11 @@ static int pkey_ioctl_clr2protk(struct pkey_clr2protk __user *ucp)
 	if (copy_from_user(&kcp, ucp, sizeof(kcp)))
 		return -EFAULT;
 	kcp.protkey.len = sizeof(kcp.protkey.protkey);
-	rc = pkey_pckmo_clr2protkey(kcp.keytype, kcp.clrkey.clrkey,
-				    kcp.protkey.protkey,
-				    &kcp.protkey.len, &kcp.protkey.type);
-	pr_debug("pkey_pckmo_clr2protkey()=%d\n", rc);
+	rc = pkey_pckmo_clr2key(0, 0, kcp.keytype, 0, 0, 0,
+				kcp.clrkey.clrkey, 0,
+				kcp.protkey.protkey,
+				&kcp.protkey.len, &kcp.protkey.type);
+	pr_debug("pkey_pckmo_clr2key()=%d\n", rc);
 	if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp)))
 		rc = -EFAULT;
 	memzero_explicit(&kcp, sizeof(kcp));
@@ -643,9 +649,10 @@ static int pkey_ioctl_genprotk(struct pkey_genprotk __user *ugp)
 	if (copy_from_user(&kgp, ugp, sizeof(kgp)))
 		return -EFAULT;
 	kgp.protkey.len = sizeof(kgp.protkey.protkey);
-	rc = pkey_pckmo_gen_protkey(kgp.keytype, kgp.protkey.protkey,
-				    &kgp.protkey.len, &kgp.protkey.type);
-	pr_debug("pkey_gen_protkey()=%d\n", rc);
+	rc = pkey_pckmo_gen_key(0, 0, kgp.keytype, 0, 0, 0,
+				kgp.protkey.protkey,
+				&kgp.protkey.len, &kgp.protkey.type);
+	pr_debug("pkey_pckmo_gen_key()=%d\n", rc);
 	if (!rc && copy_to_user(ugp, &kgp, sizeof(kgp)))
 		rc = -EFAULT;
 	memzero_explicit(&kgp, sizeof(kgp));
@@ -660,9 +667,9 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)

 	if (copy_from_user(&kvp, uvp, sizeof(kvp)))
 		return -EFAULT;
-	rc = pkey_pckmo_verify_protkey(kvp.protkey.protkey,
-				       kvp.protkey.len, kvp.protkey.type);
-	pr_debug("pkey_verify_protkey()=%d\n", rc);
+	rc = pkey_pckmo_verifykey(kvp.protkey.protkey, kvp.protkey.len,
+				  0, 0, &kvp.protkey.type, 0, 0);
+	pr_debug("pkey_pckmo_verifykey()=%d\n", rc);
 	memzero_explicit(&kvp, sizeof(kvp));

 	return rc;

--- a/drivers/s390/crypto/pkey_base.h
+++ b/drivers/s390/crypto/pkey_base.h
@@ -97,12 +97,12 @@ int pkey_cca_key2protkey(u16 card, u16 dom,
 int pkey_cca_gen_key(u16 card, u16 dom,
 		     u32 keytype, u32 keysubtype,
 		     u32 keybitsize, u32 flags,
-		     u8 *keybuf, u32 *keybuflen);
+		     u8 *keybuf, u32 *keybuflen, u32 *_keyinfo);
 int pkey_cca_clr2key(u16 card, u16 dom,
 		     u32 keytype, u32 keysubtype,
 		     u32 keybitsize, u32 flags,
 		     const u8 *clrkey, u32 clrkeylen,
-		     u8 *keybuf, u32 *keybuflen);
+		     u8 *keybuf, u32 *keybuflen, u32 *_keyinfo);
 int pkey_cca_verifykey(const u8 *key, u32 keylen,
 		       u16 *card, u16 *dom,
 		       u32 *keytype, u32 *keybitsize, u32 *flags);
@@ -124,12 +124,12 @@ int pkey_ep11_key2protkey(u16 card, u16 dom,
 int pkey_ep11_gen_key(u16 card, u16 dom,
 		      u32 keytype, u32 keysubtype,
 		      u32 keybitsize, u32 flags,
-		      u8 *keybuf, u32 *keybuflen);
+		      u8 *keybuf, u32 *keybuflen, u32 *_keyinfo);
 int pkey_ep11_clr2key(u16 card, u16 dom,
 		      u32 keytype, u32 keysubtype,
 		      u32 keybitsize, u32 flags,
 		      const u8 *clrkey, u32 clrkeylen,
-		      u8 *keybuf, u32 *keybuflen);
+		      u8 *keybuf, u32 *keybuflen, u32 *_keyinfo);
 int pkey_ep11_verifykey(const u8 *key, u32 keylen,
 			u16 *card, u16 *dom,
 			u32 *keytype, u32 *keybitsize, u32 *flags);
@@ -144,14 +144,21 @@ int pkey_ep11_apqns4type(enum pkey_key_type ktype,
 */

 bool pkey_is_pckmo_key(const u8 *key, u32 keylen);
-int pkey_pckmo_key2protkey(const u8 *key, u32 keylen,
+int pkey_pckmo_key2protkey(u16 _card, u16 _dom,
+			   const u8 *key, u32 keylen,
 			   u8 *protkey, u32 *protkeylen, u32 *protkeytype);
-int pkey_pckmo_gen_protkey(u32 keytype,
-			   u8 *protkey, u32 *protkeylen, u32 *protkeytype);
-int pkey_pckmo_clr2protkey(u32 keytype, const u8 *clrkey,
-			   u8 *protkey, u32 *protkeylen, u32 *protkeytype);
-int pkey_pckmo_verify_protkey(const u8 *protkey, u32 protkeylen,
-			      u32 protkeytype);
+int pkey_pckmo_gen_key(u16 _card, u16 _dom,
+		       u32 keytype, u32 _keysubtype,
+		       u32 _keybitsize, u32 _flags,
+		       u8 *keybuf, u32 *keybuflen, u32 *keyinfo);
+int pkey_pckmo_clr2key(u16 _card, u16 _dom,
+		       u32 keytype, u32 _keysubtype,
+		       u32 _keybitsize, u32 _flags,
+		       const u8 *clrkey, u32 clrkeylen,
+		       u8 *keybuf, u32 *keybuflen, u32 *keyinfo);
+int pkey_pckmo_verifykey(const u8 *key, u32 keylen,
+			 u16 *_card, u16 *_dom,
+			 u32 *keytype, u32 *_keybitsize, u32 *_flags);

 /*
 * pkey_sysfs.c:

--- a/drivers/s390/crypto/pkey_cca.c
+++ b/drivers/s390/crypto/pkey_cca.c
@@ -112,7 +112,7 @@ int pkey_cca_key2protkey(u16 card, u16 dom,
 int pkey_cca_gen_key(u16 card, u16 dom,
 		     u32 keytype, u32 subtype,
 		     u32 keybitsize, u32 flags,
-		     u8 *keybuf, u32 *keybuflen)
+		     u8 *keybuf, u32 *keybuflen, u32 *_keyinfo)
 {
 	int len, rc;

@@ -173,7 +173,7 @@ int pkey_cca_clr2key(u16 card, u16 dom,
 		     u32 keytype, u32 subtype,
 		     u32 keybitsize, u32 flags,
 		     const u8 *clrkey, u32 clrkeylen,
-		     u8 *keybuf, u32 *keybuflen)
+		     u8 *keybuf, u32 *keybuflen, u32 *_keyinfo)
 {
 	int len, rc;


--- a/drivers/s390/crypto/pkey_ep11.c
+++ b/drivers/s390/crypto/pkey_ep11.c
@@ -71,8 +71,7 @@ int pkey_ep11_key2protkey(u16 card, u16 dom,
 						3, key, keylen, 1))
 			return -EINVAL;
 		rc = ep11_kblob2protkey(card, dom, key, hdr->len,
-					protkey, protkeylen,
-					protkeytype);
+					protkey, protkeylen, protkeytype);
 	} else if (hdr->type == TOKTYPE_NON_CCA &&
 		   hdr->version == TOKVER_EP11_ECC_WITH_HEADER &&
 		   is_ep11_keyblob(key + sizeof(struct ep11kblob_header))) {
@@ -81,8 +80,7 @@ int pkey_ep11_key2protkey(u16 card, u16 dom,
 						3, key, keylen, 1))
 			return -EINVAL;
 		rc = ep11_kblob2protkey(card, dom, key, hdr->len,
-					protkey, protkeylen,
-					protkeytype);
+					protkey, protkeylen, protkeytype);
 	} else if (hdr->type == TOKTYPE_NON_CCA &&
 		   hdr->version == TOKVER_EP11_AES &&
 		   is_ep11_keyblob(key)) {
@@ -90,8 +88,7 @@ int pkey_ep11_key2protkey(u16 card, u16 dom,
 		if (ep11_check_aes_key(pkey_dbf_info, 3, key, keylen, 1))
 			return -EINVAL;
 		rc = ep11_kblob2protkey(card, dom, key, hdr->len,
-					protkey, protkeylen,
-					protkeytype);
+					protkey, protkeylen, protkeytype);
 	} else {
 		PKEY_DBF_ERR("%s unknown/unsupported blob type %d version %d\n",
 			     __func__, hdr->type, hdr->version);
@@ -114,7 +111,7 @@ int pkey_ep11_key2protkey(u16 card, u16 dom,
 int pkey_ep11_gen_key(u16 card, u16 dom,
 		      u32 keytype, u32 subtype,
 		      u32 keybitsize, u32 flags,
-		      u8 *keybuf, u32 *keybuflen)
+		      u8 *keybuf, u32 *keybuflen, u32 *_keyinfo)
 {
 	int len, rc;

@@ -171,7 +168,7 @@ int pkey_ep11_clr2key(u16 card, u16 dom,
 		      u32 keytype, u32 subtype,
 		      u32 keybitsize, u32 flags,
 		      const u8 *clrkey, u32 clrkeylen,
-		      u8 *keybuf, u32 *keybuflen)
+		      u8 *keybuf, u32 *keybuflen, u32 *_keyinfo)
 {
 	int len, rc;


--- a/drivers/s390/crypto/pkey_pckmo.c
+++ b/drivers/s390/crypto/pkey_pckmo.c
@@ -18,9 +18,66 @@
 #include "pkey_base.h"

 /*
- * Check key blob for known and supported here.
+ * Prototypes
 */
+
+static bool is_pckmo_key(const u8 *key, u32 keylen);
+static int pckmo_key2protkey(const u8 *key, u32 keylen,
+			     u8 *protkey, u32 *protkeylen, u32 *protkeytype);
+static int pckmo_gen_protkey(u32 keytype,
+			     u8 *protkey, u32 *protkeylen, u32 *protkeytype);
+static int pckmo_clr2protkey(u32 keytype, const u8 *clrkey, u32 clrkeylen,
+			     u8 *protkey, u32 *protkeylen, u32 *protkeytype);
+static int pckmo_verify_protkey(const u8 *protkey, u32 protkeylen,
+				u32 protkeytype);
+
+/*
+ * Wrapper functions
+ */
+
 bool pkey_is_pckmo_key(const u8 *key, u32 keylen)
+{
+	return is_pckmo_key(key, keylen);
+}
+
+int pkey_pckmo_key2protkey(u16 _card, u16 _dom,
+			   const u8 *key, u32 keylen,
+			   u8 *protkey, u32 *protkeylen, u32 *keyinfo)
+{
+	return pckmo_key2protkey(key, keylen,
+				 protkey, protkeylen, keyinfo);
+}
+
+int pkey_pckmo_gen_key(u16 _card, u16 _dom,
+		       u32 keytype, u32 _keysubtype,
+		       u32 _keybitsize, u32 _flags,
+		       u8 *keybuf, u32 *keybuflen, u32 *keyinfo)
+{
+	return pckmo_gen_protkey(keytype,
+				 keybuf, keybuflen, keyinfo);
+}
+
+int pkey_pckmo_clr2key(u16 _card, u16 _dom,
+		       u32 keytype, u32 _keysubtype,
+		       u32 _keybitsize, u32 _flags,
+		       const u8 *clrkey, u32 clrkeylen,
+		       u8 *keybuf, u32 *keybuflen, u32 *keyinfo)
+{
+	return pckmo_clr2protkey(keytype, clrkey, clrkeylen,
+				 keybuf, keybuflen, keyinfo);
+}
+
+int pkey_pckmo_verifykey(const u8 *key, u32 keylen,
+			 u16 *_card, u16 *_dom,
+			 u32 *keytype, u32 *_keybitsize, u32 *_flags)
+{
+	return pckmo_verify_protkey(key, keylen, *keytype);
+}
+
+/*
+ * Check key blob for known and supported here.
+ */
+static bool is_pckmo_key(const u8 *key, u32 keylen)
 {
 	struct keytoken_header *hdr = (struct keytoken_header *)key;
 	struct clearkeytoken *t = (struct clearkeytoken *)key;
@@ -55,8 +112,8 @@ bool pkey_is_pckmo_key(const u8 *key, u32 keylen)
 	}
 }

-int pkey_pckmo_key2protkey(const u8 *key, u32 keylen,
-			   u8 *protkey, u32 *protkeylen, u32 *protkeytype)
+static int pckmo_key2protkey(const u8 *key, u32 keylen,
+			     u8 *protkey, u32 *protkeylen, u32 *protkeytype)
 {
 	struct keytoken_header *hdr = (struct keytoken_header *)key;
 	int rc = -EINVAL;
@@ -73,8 +130,7 @@ int pkey_pckmo_key2protkey(const u8 *key, u32 keylen,
 		if (keylen != sizeof(struct protaeskeytoken))
 			goto out;
 		t = (struct protaeskeytoken *)key;
-		rc = pkey_pckmo_verify_protkey(t->protkey, t->len,
-					       t->keytype);
+		rc = pckmo_verify_protkey(t->protkey, t->len, t->keytype);
 		if (rc)
 			goto out;
 		memcpy(protkey, t->protkey, t->len);
@@ -123,8 +179,8 @@ int pkey_pckmo_key2protkey(const u8 *key, u32 keylen,
 				     __func__, t->len);
 			goto out;
 		}
-		rc = pkey_pckmo_clr2protkey(t->keytype, t->clearkey,
-					    protkey, protkeylen, protkeytype);
+		rc = pckmo_clr2protkey(t->keytype, t->clearkey, t->len,
+				       protkey, protkeylen, protkeytype);
 		break;
 	}
 	default:
@@ -143,8 +199,8 @@ int pkey_pckmo_key2protkey(const u8 *key, u32 keylen,
 * Currently only the generation of AES protected keys
 * is supported.
 */
-int pkey_pckmo_gen_protkey(u32 keytype, u8 *protkey,
-			   u32 *protkeylen, u32 *protkeytype)
+static int pckmo_gen_protkey(u32 keytype, u8 *protkey,
+			     u32 *protkeylen, u32 *protkeytype)
 {
 	u8 clrkey[32];
 	int keysize;
@@ -161,8 +217,8 @@ int pkey_pckmo_gen_protkey(u32 keytype, u8 *protkey,
 	get_random_bytes(clrkey, keysize);

 	/* convert it to a dummy protected key */
-	rc = pkey_pckmo_clr2protkey(keytype, clrkey,
-				    protkey, protkeylen, protkeytype);
+	rc = pckmo_clr2protkey(keytype, clrkey, keysize,
+			       protkey, protkeylen, protkeytype);
 	if (rc)
 		goto out;

@@ -177,8 +233,8 @@ int pkey_pckmo_gen_protkey(u32 keytype, u8 *protkey,
 /*
 * Create a protected key from a clear key value via PCKMO instruction.
 */
-int pkey_pckmo_clr2protkey(u32 keytype, const u8 *clrkey,
-			   u8 *protkey, u32 *protkeylen, u32 *protkeytype)
+static int pckmo_clr2protkey(u32 keytype, const u8 *clrkey, u32 clrkeylen,
+			     u8 *protkey, u32 *protkeylen, u32 *protkeytype)
 {
 	/* mask of available pckmo subfunctions */
 	static cpacf_mask_t pckmo_functions;
@@ -243,6 +299,11 @@ int pkey_pckmo_clr2protkey(u32 keytype, const u8 *clrkey,
 		goto out;
 	}

+	if (clrkeylen && clrkeylen < keysize) {
+		PKEY_DBF_ERR("%s clear key size too small: %u < %d\n",
+			     __func__, clrkeylen, keysize);
+		goto out;
+	}
 	if (*protkeylen < keysize + AES_WK_VP_SIZE) {
 		PKEY_DBF_ERR("%s prot key buffer size too small: %u < %d\n",
 			     __func__, *protkeylen, keysize + AES_WK_VP_SIZE);
@@ -288,8 +349,8 @@ int pkey_pckmo_clr2protkey(u32 keytype, const u8 *clrkey,
 * Verify a protected key blob.
 * Currently only AES protected keys are supported.
 */
-int pkey_pckmo_verify_protkey(const u8 *protkey, u32 protkeylen,
-			      u32 protkeytype)
+static int pckmo_verify_protkey(const u8 *protkey, u32 protkeylen,
+				u32 protkeytype)
 {
 	struct {
 		u8 iv[AES_BLOCK_SIZE];

--- a/drivers/s390/crypto/pkey_sysfs.c
+++ b/drivers/s390/crypto/pkey_sysfs.c
@@ -42,9 +42,10 @@ static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
 	protkeytoken.keytype = keytype;

 	protkey.len = sizeof(protkey.protkey);
-	rc = pkey_pckmo_gen_protkey(protkeytoken.keytype,
-				    protkey.protkey, &protkey.len,
-				    &protkey.type);
+	rc = pkey_pckmo_gen_key(0, 0,
+				protkeytoken.keytype, 0, 0, 0,
+				protkey.protkey, &protkey.len,
+				&protkey.type);
 	if (rc)
 		return rc;

@@ -56,9 +57,10 @@ static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
 	if (is_xts) {
 		/* xts needs a second protected key, reuse protkey struct */
 		protkey.len = sizeof(protkey.protkey);
-		rc = pkey_pckmo_gen_protkey(protkeytoken.keytype,
-					    protkey.protkey, &protkey.len,
-					    &protkey.type);
+		rc = pkey_pckmo_gen_key(0, 0,
+					protkeytoken.keytype, 0, 0, 0,
+					protkey.protkey, &protkey.len,
+					&protkey.type);
 		if (rc)
 			return rc;

@@ -154,6 +156,7 @@ static ssize_t pkey_ccadata_aes_attr_read(u32 keytype, bool is_xts, char *buf,
 					  loff_t off, size_t count)
 {
 	struct pkey_seckey *seckey = (struct pkey_seckey *)buf;
+	u32 buflen;
 	int rc;

 	if (off != 0 || count < sizeof(struct secaeskeytoken))
@@ -162,13 +165,19 @@ static ssize_t pkey_ccadata_aes_attr_read(u32 keytype, bool is_xts, char *buf,
 		if (count < 2 * sizeof(struct secaeskeytoken))
 			return -EINVAL;

-	rc = cca_genseckey(-1, -1, keytype, seckey->seckey);
+	buflen = sizeof(seckey->seckey);
+	rc = pkey_cca_gen_key(-1, -1, keytype,
+			      PKEY_TYPE_CCA_DATA, 0, 0,
+			      seckey->seckey, &buflen, NULL);
 	if (rc)
 		return rc;

 	if (is_xts) {
 		seckey++;
-		rc = cca_genseckey(-1, -1, keytype, seckey->seckey);
+		buflen = sizeof(seckey->seckey);
+		rc = pkey_cca_gen_key(-1, -1, keytype,
+				      PKEY_TYPE_CCA_DATA, 0, 0,
+				      seckey->seckey, &buflen, NULL);
 		if (rc)
 			return rc;

@@ -261,8 +270,9 @@ static ssize_t pkey_ccacipher_aes_attr_read(enum pkey_key_size keybits,
 					    size_t count)
 {
 	u32 keysize = CCACIPHERTOKENSIZE;
-	u32 nr_apqns, *apqns = NULL;
+	struct pkey_apqn *apqns = NULL;
 	int i, rc, card, dom;
+	size_t nr_apqns;

 	if (off != 0 || count < CCACIPHERTOKENSIZE)
 		return -EINVAL;
@@ -270,33 +280,51 @@ static ssize_t pkey_ccacipher_aes_attr_read(enum pkey_key_size keybits,
 		if (count < 2 * CCACIPHERTOKENSIZE)
 			return -EINVAL;

+	nr_apqns = MAXAPQNSINLIST;
+	apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), GFP_KERNEL);
+	if (!apqns)
+		return -ENOMEM;
+
 	/* build a list of apqns able to generate an cipher key */
-	rc = cca_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
-			   ZCRYPT_CEX6, 0, 0, 0, 0);
-	if (rc)
+	rc = pkey_cca_apqns4type(PKEY_TYPE_CCA_CIPHER,
+				 NULL, NULL, 0,
+				 apqns, &nr_apqns);
+	if (rc) {
+		kfree(apqns);
 		return rc;
+	}

 	memset(buf, 0, is_xts ? 2 * keysize : keysize);

 	/* simple try all apqns from the list */
-	for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
-		card = apqns[i] >> 16;
-		dom = apqns[i] & 0xFFFF;
-		rc = cca_gencipherkey(card, dom, keybits, 0, buf, &keysize);
-		if (rc == 0)
-			break;
+	for (i = 0, rc = -ENODEV; rc && i < nr_apqns; i++) {
+		card = apqns[i].card;
+		dom = apqns[i].domain;
+		rc = pkey_cca_gen_key(card, dom,
+				      pkey_aes_bitsize_to_keytype(keybits),
+				      PKEY_TYPE_CCA_CIPHER, keybits, 0,
+				      buf, &keysize, NULL);
 	}
-	if (rc)
+	if (rc) {
+		kfree(apqns);
 		return rc;
+	}

 	if (is_xts) {
 		keysize = CCACIPHERTOKENSIZE;
 		buf += CCACIPHERTOKENSIZE;
-		rc = cca_gencipherkey(card, dom, keybits, 0, buf, &keysize);
-		if (rc == 0)
-			return 2 * CCACIPHERTOKENSIZE;
+		rc = pkey_cca_gen_key(card, dom,
+				      pkey_aes_bitsize_to_keytype(keybits),
+				      PKEY_TYPE_CCA_CIPHER, keybits, 0,
+				      buf, &keysize, NULL);
+		kfree(apqns);
+		if (rc)
+			return rc;
+		return 2 * CCACIPHERTOKENSIZE;
 	}

+	kfree(apqns);
+
 	return CCACIPHERTOKENSIZE;
 }

@@ -384,8 +412,9 @@ static ssize_t pkey_ep11_aes_attr_read(enum pkey_key_size keybits,
 				       size_t count)
 {
 	u32 keysize = MAXEP11AESKEYBLOBSIZE;
-	u32 nr_apqns, *apqns = NULL;
+	struct pkey_apqn *apqns = NULL;
 	int i, rc, card, dom;
+	size_t nr_apqns;

 	if (off != 0 || count < MAXEP11AESKEYBLOBSIZE)
 		return -EINVAL;
@@ -393,37 +422,51 @@ static ssize_t pkey_ep11_aes_attr_read(enum pkey_key_size keybits,
 		if (count < 2 * MAXEP11AESKEYBLOBSIZE)
 			return -EINVAL;

-	/* build a list of apqns able to generate an cipher key */
-	rc = ep11_findcard2(&apqns, &nr_apqns, 0xFFFF, 0xFFFF,
-			    ZCRYPT_CEX7,
-			    ap_is_se_guest() ? EP11_API_V6 : EP11_API_V4,
-			    NULL);
-	if (rc)
+	nr_apqns = MAXAPQNSINLIST;
+	apqns = kmalloc_array(nr_apqns, sizeof(struct pkey_apqn), GFP_KERNEL);
+	if (!apqns)
+		return -ENOMEM;
+
+	/* build a list of apqns able to generate an EP11 AES key */
+	rc = pkey_ep11_apqns4type(PKEY_TYPE_EP11_AES,
+				  NULL, NULL, 0,
+				  apqns, &nr_apqns);
+	if (rc) {
+		kfree(apqns);
 		return rc;
+	}

 	memset(buf, 0, is_xts ? 2 * keysize : keysize);

 	/* simple try all apqns from the list */
-	for (i = 0, rc = -ENODEV; i < nr_apqns; i++) {
-		card = apqns[i] >> 16;
-		dom = apqns[i] & 0xFFFF;
-		rc = ep11_genaeskey(card, dom, keybits, 0, buf, &keysize,
-				    PKEY_TYPE_EP11_AES);
-		if (rc == 0)
-			break;
+	for (i = 0, rc = -ENODEV; rc && i < nr_apqns; i++) {
+		card = apqns[i].card;
+		dom = apqns[i].domain;
+		rc = pkey_ep11_gen_key(card, dom,
+				       pkey_aes_bitsize_to_keytype(keybits),
+				       PKEY_TYPE_EP11_AES, keybits, 0,
+				       buf, &keysize, NULL);
 	}
-	if (rc)
+	if (rc) {
+		kfree(apqns);
 		return rc;
+	}

 	if (is_xts) {
 		keysize = MAXEP11AESKEYBLOBSIZE;
 		buf += MAXEP11AESKEYBLOBSIZE;
-		rc = ep11_genaeskey(card, dom, keybits, 0, buf, &keysize,
-				    PKEY_TYPE_EP11_AES);
-		if (rc == 0)
-			return 2 * MAXEP11AESKEYBLOBSIZE;
+		rc = pkey_ep11_gen_key(card, dom,
+				       pkey_aes_bitsize_to_keytype(keybits),
+				       PKEY_TYPE_EP11_AES, keybits, 0,
+				       buf, &keysize, NULL);
+		kfree(apqns);
+		if (rc)
+			return rc;
+		return 2 * MAXEP11AESKEYBLOBSIZE;
 	}

+	kfree(apqns);
+
 	return MAXEP11AESKEYBLOBSIZE;
 }