23 #define SECKEYBLOBSIZE	64	   /* secure key blob size is always 64 bytes */
24 #define PROTKEYBLOBSIZE 80	/* protected key blob size is always 80 bytes */
25 #define MAXPROTKEYSIZE	64	/* a protected key blob may be up to 64 bytes */
26 #define MAXCLRKEYSIZE	32	   /* a clear key value may be up to 32 bytes */
29 /* Minimum and maximum size of a key blob */
44 /* the newer ioctls use a pkey_key_size enum for key size information */
72 /* Struct to hold a CCA AES secure key blob */
74 	__u8  seckey[SECKEYBLOBSIZE];		  /* the secure key blob */
77 /* Struct to hold protected key and length info */
79 	__u32 type;	 /* key type, one of the PKEY_KEYTYPE_AES values */
81 	__u8  protkey[MAXPROTKEYSIZE];	       /* the protected key blob */
84 /* Struct to hold an AES clear key value */
86 	__u8  clrkey[MAXCLRKEYSIZE]; /* 16, 24, or 32 byte clear key value */
90  * Generate CCA AES secure key.
95 	__u32 keytype;		    /* in: key type to generate		 */
96 	struct pkey_seckey seckey;  /* out: the secure key blob		 */
101  * Construct CCA AES secure key from clear key value
106 	__u32 keytype;		    /* in: key type to generate		 */
107 	struct pkey_clrkey clrkey;  /* in: the clear key value		 */
108 	struct pkey_seckey seckey;  /* out: the secure key blob		 */
113  * Fabricate AES protected key from a CCA AES secure key
118 	struct pkey_seckey seckey;   /* in: the secure key blob		  */
119 	struct pkey_protkey protkey; /* out: the protected key		  */
124  * Fabricate AES protected key from clear key value
127 	__u32 keytype;		     /* in: key type to generate	  */
128 	struct pkey_clrkey clrkey;   /* in: the clear key value		  */
129 	struct pkey_protkey protkey; /* out: the protected key		  */
134  * Search for matching crypto card based on the Master Key
135  * Verification Pattern provided inside a CCA AES secure key.
138 	struct pkey_seckey seckey;	       /* in: the secure key blob */
148 	struct pkey_seckey seckey;   /* in: the secure key blob		  */
149 	struct pkey_protkey protkey; /* out: the protected key		  */
154  * Verify the given CCA AES secure key for being able to be useable with
155  * the pkey module. Check for correct key type and check for having at
156  * least one crypto card being able to handle this key (master key
157  * or old master key verification pattern matches).
158  * Return some info about the key: keysize in bits, keytype (currently
159  * only AES), flag if key is wrapped with an old MKVP.
162 	struct pkey_seckey seckey;	       /* in: the secure key blob */
165 	__u16  keysize;			       /* out: key size in bits   */
169 #define PKEY_VERIFY_ATTR_AES	   0x00000001  /* key is an AES key */
170 #define PKEY_VERIFY_ATTR_OLD_MKVP  0x00000100  /* key has old MKVP value */
173  * Generate AES random protected key.
176 	__u32 keytype;			       /* in: key type to generate */
177 	struct pkey_protkey protkey;	       /* out: the protected key   */
183  * Verify an AES protected key.
186 	struct pkey_protkey protkey;	/* in: the protected key to verify */
192  * Transform an key blob (of any type) into a protected key
195 	__u8 __user *key;		/* in: the key blob	   */  member
196 	__u32 keylen;			/* in: the key blob length */
197 	struct pkey_protkey protkey;	/* out: the protected key  */
202  * Generate secure key, version 2.
203  * Generate either a CCA AES secure key or a CCA AES cipher key.
211  * generate a list of apqns based on the key type to generate.
213  * individual for the key type and has a key type specific meaning. Currently
216  * key is only exportable for CPACF (PKEY_KEYGEN_XPRT_CPAC).
221 	enum pkey_key_type type;    /* in: key type to generate		  */
222 	enum pkey_key_size size;    /* in: key size to generate		  */
223 	__u32 keygenflags;	    /* in: key generation flags		  */
224 	__u8 __user *key;	    /* in: pointer to key blob buffer	  */  member
225 	__u32 keylen;		    /* in: available key blob buffer size */
226 				    /* out: actual key blob size	  */
231  * Generate secure key from clear key value, version 2.
232  * Construct a CCA AES secure key or CCA AES cipher key from a given clear key
241  * generate a list of apqns based on the key type to generate.
243  * individual for the key type and has a key type specific meaning. Currently
246  * key is only exportable for CPACF (PKEY_KEYGEN_XPRT_CPAC).
251 	enum pkey_key_type type;    /* in: key type to generate		   */
252 	enum pkey_key_size size;    /* in: key size to generate		   */
253 	__u32 keygenflags;	    /* in: key generation flags		   */
254 	struct pkey_clrkey clrkey;  /* in: the clear key value		   */
255 	__u8 __user *key;	    /* in: pointer to key blob buffer	   */  member
256 	__u32 keylen;		    /* in: available key blob buffer size  */
257 				    /* out: actual key blob size	   */
262  * Verify the given secure key, version 2.
263  * Check for correct key type. If cardnr and domain are given (are not
264  * 0xFFFF) also check if this apqn is able to handle this type of key.
266  * with one apqn able to handle this key.
267  * The function also checks for the master key verification patterns
268  * of the key matching to the current or alternate mkvp of the apqn.
271  * match: If the current mkvp matches to the key's mkvp then the
273  * the key's mkvp the PKEY_FLAGS_MATCH_ALT_MKVP is set. For CCA keys the
274  * alternate mkvp is the old master key verification pattern.
278  * matches with the current or alternate mkvp to the key's mkvp. If the given
283 	__u8 __user *key;	    /* in: pointer to key blob		 */  member
284 	__u32 keylen;		    /* in: key blob size		 */
287 	enum pkey_key_type type;    /* out: the key type		 */
288 	enum pkey_key_size size;    /* out: the key size		 */
289 	__u32 flags;		    /* out: additional key info flags	 */
294  * Transform a key blob (of any type) into a protected key, version 2.
302  * generate a list of apqns based on the key.
305 	__u8 __user *key;	     /* in: pointer to key blob		   */  member
306 	__u32 keylen;		     /* in: key blob size		   */
309 	struct pkey_protkey protkey; /* out: the protected key		   */
314  * Build a list of APQNs based on a key blob given.
315  * Is able to find out which type of secure key is given (CCA AES secure
316  * key or CCA AES cipher key) and tries to find all matching crypto cards
318  * need a CEX5C or higher). The list of APQNs is further filtered by the key's
336 	__u8 __user *key;	   /* in: pointer to key blob		      */  member
337 	__u32 keylen;		   /* in: key blob size			      */
346  * Build a list of APQNs based on a key type given.
347  * Build a list of APQNs based on a given key type and maybe further
348  * restrict the list by given master key verification patterns.
349  * For different key types there may be different ways to match the
350  * master key verification patterns. For CCA keys (CCA data key and CCA
351  * cipher key) the first 8 bytes of cur_mkvp refer to the current mkvp value
369 	enum pkey_key_type type;   /* in: key type			      */