/******************************************************************************* *Copyright (c) 2014 PMC-Sierra, Inc. All rights reserved. * *Redistribution and use in source and binary forms, with or without modification, are permitted provided *that the following conditions are met: *1. Redistributions of source code must retain the above copyright notice, this list of conditions and the *following disclaimer. *2. Redistributions in binary form must reproduce the above copyright notice, *this list of conditions and the following disclaimer in the documentation and/or other materials provided *with the distribution. * *THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED *WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS *FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE *FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT *NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR *BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS *SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE * * $FreeBSD$ * *******************************************************************************/ /******************************************************************************* ** ** Version Control Information: ** ** $Revision: 113920 $ ** $Author: mcleanda $ ** $Date: 2012-05-08 11:30:44 -0700 (Tue, 08 May 2012) $ ** $Id: lxencrypt.c 113920 2012-05-08 18:30:44Z mcleanda $ ** *******************************************************************************/ #include #include #include #include #include #include #ifdef ENCRYPT_ENHANCE static atomic_t ioerr_queue_count; /****************************************************************************** careful_write(): Purpose: Parameters: Return: Note: ******************************************************************************/ static int careful_write(char *buf, int offset, int max, const char *fmt, ...) { static char s[PAGE_SIZE]; /* Assumes serialization */ va_list args; int i; if(offset > max) return 0; s[PAGE_SIZE - 1] = '\0'; va_start(args, fmt); i = vsnprintf(s, PAGE_SIZE - 1, fmt, args); if((offset + i) > max) return 0; memcpy(buf + offset, s, i); va_end(args); return i; } /****************************************************************************** set_dek_table_entry(): Purpose: Parameters: Return: Note: ******************************************************************************/ static inline int set_dek_table_entry(struct device *dev, const char *buf, size_t len, dek_table_e table) { int index; struct Scsi_Host *shost = class_to_shost(dev); struct agtiapi_softc *pCard = (struct agtiapi_softc *) shost->hostdata; /* Check permissions */ if(!capable(CAP_SYS_ADMIN)) return -EACCES; if(!pCard->encrypt) return -EINVAL; if(table != DEK_TABLE_0 && table != DEK_TABLE_1) return -EINVAL; sscanf(buf, "%d", &index); if(index >= 0 && index < DEK_MAX_TABLE_ITEMS) { pCard->dek_index[table] = index; return strlen(buf); } return -EINVAL; } /****************************************************************************** set_dek_table_entry0(): Purpose: Parameters: Return: Note: ******************************************************************************/ ssize_t set_dek_table_entry0(struct device *dev, struct device_attribute *attr, const char *buf, size_t len) { return set_dek_table_entry(dev, buf, len, DEK_TABLE_0); } /****************************************************************************** set_dek_table_entry1(): Purpose: Parameters: Return: Note: ******************************************************************************/ ssize_t set_dek_table_entry1(struct device *dev, struct device_attribute *attr, const char *buf, size_t len) { return set_dek_table_entry(dev, buf, len, DEK_TABLE_1); } /****************************************************************************** show_dek_table_entry(): Purpose: Parameters: Return: Note: ******************************************************************************/ static inline int show_dek_table_entry(struct device *dev, char *buf, unsigned int table) { int i = 0, j; unsigned char *p; struct Scsi_Host *sh = class_to_shost(dev); ag_card_t *pCard = (ag_card_t *) sh->hostdata; ag_card_info_t *pCardInfo = pCard->pCardInfo; ag_resource_info_t *pRscInfo = &pCardInfo->tiRscInfo; tiEncryptDekBlob_t *pDekTable = NULL; if(!pCard->encrypt) return -EINVAL; if(table == DEK_TABLE_0) pDekTable = pRscInfo->tiLoLevelResource.loLevelMem.mem[DEK_MEM_INDEX_1].virtPtr; else if(table == DEK_TABLE_1) pDekTable = pRscInfo->tiLoLevelResource.loLevelMem.mem[DEK_MEM_INDEX_2].virtPtr; if(pDekTable == NULL) return -EINVAL; if(pCard->dek_index[table] >= 0 || pCard->dek_index[table] < DEK_MAX_TABLE_ITEMS) { i += careful_write(buf, i, PAGE_SIZE, "%4d: ", pCard->dek_index[table]); p = (unsigned char *) &pDekTable[pCard->dek_index[table]]; for(j = 0; j < sizeof(tiEncryptDekBlob_t); j++) { i += careful_write(buf, i, PAGE_SIZE, "%02x", p[j]); } i += careful_write(buf, i, PAGE_SIZE, "\n"); } else { i += careful_write(buf, i, PAGE_SIZE, "Bad DEK index %d; range: 0 - %d\n", pCard->dek_index[table], DEK_MAX_TABLE_ITEMS); } /* BUG if we return more than a single page of data */ //BUG_ON(i > PAGE_SIZE); if (i > PAGE_SIZE) i = PAGE_SIZE; return i; } /****************************************************************************** show_dek_table_entry0(): Purpose: Parameters: Return: Note: ******************************************************************************/ ssize_t show_dek_table_entry0(struct device *dev, struct device_attribute *attr, char *buf) { return show_dek_table_entry(dev, buf, DEK_TABLE_0); } /****************************************************************************** show_dek_table_entry1(): Purpose: Parameters: Return: Note: ******************************************************************************/ ssize_t show_dek_table_entry1(struct device *dev, struct device_attribute *attr, char *buf) { return show_dek_table_entry(dev, buf, DEK_TABLE_1); } /****************************************************************************** show_kek_table(): Purpose: Parameters: Return: Note: ******************************************************************************/ ssize_t show_kek_table(struct device *dev, struct device_attribute *attr, char *buf) { int i = 0, j, kek_index; unsigned char *p; struct Scsi_Host *sh = class_to_shost(dev); ag_card_t *pCard = (ag_card_t *) sh->hostdata; if(!pCard->encrypt) return -EINVAL; for(kek_index = 0; kek_index < KEK_TABLE_MAX_ENTRY; kek_index++) { i += careful_write(buf, i, PAGE_SIZE, " %4d: %08x ", kek_index, pCard->kek_table[kek_index].wrapperIndex); p = (unsigned char *) &pCard->kek_table[kek_index].kekBlob; for(j = 0; j < sizeof(tiEncryptKekBlob_t); j++) { i += careful_write(buf, i, PAGE_SIZE, "%02x", p[j]); } i += careful_write(buf, i, PAGE_SIZE, "\n"); } i += careful_write(buf, i, PAGE_SIZE, "\n"); /* BUG if we return more than a single page of data */ //BUG_ON(i > PAGE_SIZE); if (i > PAGE_SIZE) i = PAGE_SIZE; return i; } /****************************************************************************** show_dek_kek_map(): Purpose: Parameters: Return: Note: ******************************************************************************/ static inline int show_dek_kek_map(struct device *dev, char *buf, unsigned int table) { int i = 0, dek_index; struct Scsi_Host *sh = class_to_shost(dev); ag_card_t *pCard = (ag_card_t *) sh->hostdata; if(!pCard->encrypt) return -EINVAL; if(table != DEK_TABLE_0 && table != DEK_TABLE_1) return -EINVAL; i += careful_write(buf, i, PAGE_SIZE, "Table %d\n", table); i += careful_write(buf, i, PAGE_SIZE, "=======\n"); for(dek_index = 0; dek_index < DEK_MAX_TABLE_ITEMS; dek_index++) { i += careful_write(buf, i, PAGE_SIZE, " %4d: %08x\n", dek_index, pCard->dek_kek_map[table][dek_index].kekIndex); } i += sprintf(buf + i, "\n"); /* BUG if we return more than a single page of data */ //BUG_ON(i > PAGE_SIZE); if (i > PAGE_SIZE) i = PAGE_SIZE; return i; } /****************************************************************************** show_dek_kek_map0(): Purpose: Parameters: Return: Note: ******************************************************************************/ ssize_t show_dek_kek_map0(struct device *dev, struct device_attribute *attr, char *buf) { return show_dek_kek_map(dev, buf, 0); } /****************************************************************************** show_dek_kek_map1(): Purpose: Parameters: Return: Note: ******************************************************************************/ ssize_t show_dek_kek_map1(struct device *dev, struct device_attribute *attr, char *buf) { return show_dek_kek_map(dev, buf, 1); } /****************************************************************************** show_target_dek_map(): Purpose: Parameters: Return: Note: ******************************************************************************/ ssize_t show_target_dek_map(struct device *dev, struct device_attribute *attr, char *buf) { int i = 0; unsigned int chan, device, lun = 0; ag_encrypt_map_t *p; struct list_head *lh; struct Scsi_Host *sh = class_to_shost(dev); ag_card_t *pCard = (ag_card_t *) sh->hostdata; if(!pCard->encrypt) return -EINVAL; for(chan = 0; chan <= AGTIAPI_MAX_CHANNEL_NUM; chan++) { for(device = 0; device < pCard->devDiscover; device++) { #ifdef REPORT_ALL_LUNS for(lun = 0; lun < AGTIAPI_MAX_LUN; lun++) { #endif lh = MAP_TABLE_ENTRY(pCard, chan, device, lun); if(lh) { list_for_each_entry(p, lh, list) { if(p->dekIndex != DEK_INDEX_INVALID) i += careful_write(buf, i, PAGE_SIZE, " %u:%u:%u: %x %8x %8x %16lx %16lx %08x:%08x %1x\n", chan, device, lun, p->dekTable, p->dekIndex, p->kekIndex, p->lbaMin, p->lbaMax, p->keyTag[1], p->keyTag[0], p->keyTagCheck); } } #ifdef REPORT_ALL_LUNS } #endif } } if (i > PAGE_SIZE) i = PAGE_SIZE; return i; } /****************************************************************************** agtiapi_AddDek(): Purpose: Parameters: Return: Note: ******************************************************************************/ static int agtiapi_AddDek(ag_card_t *pCard, bit32 dek_table, bit32 dek_index, bit32 blob_format, bit32 entry_sz, tiEncryptDekBlob_t *dek_blob, U32_64 *addr) { ag_resource_info_t *pRscInfo = &pCard->pCardInfo->tiRscInfo; tiEncryptDekBlob_t *pDekTable; char *p; if (dek_index >= DEK_MAX_TABLE_ITEMS) { printf("%s: Bad dek index 0x%x (MAX: 0x%x).\n", __FUNCTION__, dek_index, DEK_MAX_TABLE_ITEMS); return -E_DEK_INDEX; } switch(dek_table) { case DEK_TABLE_0: pDekTable = pRscInfo->tiLoLevelResource.loLevelMem.mem[DEK_MEM_INDEX_1].virtPtr; break; case DEK_TABLE_1: pDekTable = pRscInfo->tiLoLevelResource.loLevelMem.mem[DEK_MEM_INDEX_2].virtPtr; break; default: printf("%s: Unknown dek table %d\n", __FUNCTION__, dek_table); return -E_DEK_TABLE; } #ifdef __VMKLNX__ *addr = (U32_64) __pa(&pDekTable[0]); #else *addr = (U32_64) virt_to_phys(&pDekTable[0]); #endif p = (char *) &pDekTable[0] + (dek_index * pCard->dek_size); printf("%s: Base: %p, Index: %08x, Virt: %p Size: %d\n", __FUNCTION__, pDekTable, dek_index, &pDekTable[dek_index], pCard->dek_size); memcpy(p, dek_blob, pCard->dek_size); wmb(); /* Flush entry */ ostiCacheFlush(&pCard->tiRoot, NULL, p, pCard->dek_size); return 0; } /****************************************************************************** agtiapi_MapDekKek(): Purpose: Parameters: Return: Note: ******************************************************************************/ static int agtiapi_MapDekKek(ag_card_t *pCard, bit32 dek_table, bit32 dek_index, bit32 kek_index) { if (dek_index >= DEK_MAX_TABLE_ITEMS) { printf("%s: Bad dek index 0x%x (MAX: 0x%x).\n", __FUNCTION__, dek_index, DEK_MAX_TABLE_ITEMS); return -E_DEK_INDEX; } if (dek_table >= DEK_MAX_TABLES) { printf("%s: Bad dek table.\n", __FUNCTION__); return -E_DEK_TABLE; } if (kek_index >= KEK_TABLE_MAX_ENTRY) { printf("%s: Bad kek index.\n", __FUNCTION__); return -E_KEK_INDEX; } pCard->dek_kek_map[dek_table][dek_index].kekIndex = kek_index; return 0; } /****************************************************************************** agtiapi_AddKek(): Purpose: Parameters: Return: Note: ******************************************************************************/ static int agtiapi_AddKek(ag_card_t *pCard, bit32 kek_index, bit32 wrapper_kek_index, tiEncryptKekBlob_t *kek_blob) { if (kek_index >= KEK_TABLE_MAX_ENTRY) { printf("%s: Bad kek index.\n", __FUNCTION__); return -E_KEK_INDEX; } if (wrapper_kek_index >= KEK_TABLE_MAX_ENTRY) { printf("%s: Bad kek wrapper index.\n", __FUNCTION__); return -E_KEK_INDEX; } pCard->kek_table[kek_index].wrapperIndex = wrapper_kek_index; memcpy(&pCard->kek_table[kek_index].kekBlob, kek_blob, sizeof(tiEncryptKekBlob_t)); return 0; } /****************************************************************************** agtiapi_MapDek(): Purpose: Parameters: Return: Note: ******************************************************************************/ static int agtiapi_MapDek(ag_card_t *pCard, EncryptDeviceDekMap_t *dek_map) { int found = 0; bit32 chan, device, lun; bit32 dek_table, dek_index, kek_index; unsigned long long lba_min, lba_max; ag_encrypt_map_t *p, *n; struct list_head *lh; chan = dek_map->channel; device = dek_map->device; lun = dek_map->lun; lba_min = dek_map->dekMapEntry[0].startLBA; lba_max = dek_map->dekMapEntry[0].endLBA; dek_table = dek_map->dekMapEntry[0].dek.dekTable; dek_index = dek_map->dekMapEntry[0].dek.dekIndex; /* Sanity check channel, device, lun */ if (chan > AGTIAPI_MAX_CHANNEL_NUM) { printf("%s: Bad channel %d.\n", __FUNCTION__, chan); return -E_CHANNEL_INDEX; } if (device >= pCard->devDiscover) { printf("%s: Bad device %d.\n", __FUNCTION__, device); return -E_DEVICE_INDEX; } if (lun >= AGTIAPI_MAX_LUN) { printf("%s: Bad lun %d.\n", __FUNCTION__, lun); return -E_LUN_INDEX; } /* Sanity check dek index */ if (dek_index >= DEK_MAX_TABLE_ITEMS) { printf("%s: Bad dek index 0x%x (MAX: 0x%x).\n", __FUNCTION__, dek_index, DEK_MAX_TABLE_ITEMS); return -E_DEK_INDEX; } /* Sanity check dek table */ if (dek_table >= DEK_MAX_TABLES) { printf("%s: Bad dek table %d.\n", __FUNCTION__, dek_table); return -E_DEK_TABLE; } /* Check that lba min and lba max are sane */ if (lba_min >= lba_max) { printf("%s: Bad lba min and lba max: %llx %llx.\n", __FUNCTION__, lba_min, lba_max); return -E_LBA_RANGE; } /* dek_table and dek_index are valid, look up kek */ kek_index = pCard->dek_kek_map[dek_table][dek_index].kekIndex; lh = MAP_TABLE_ENTRY(pCard, chan, device, lun); if (dek_map->dekMapEntry[0].flags & ENCRYPT_DEK_MAP_ENTRY_CLEAR) { /* Delete the entry */ found = 0; list_for_each_entry_safe(p, n, lh, list) { if (p->lbaMin == lba_min && p->lbaMax == lba_max && p->dekTable == dek_table && p->dekIndex == dek_index && p->kekIndex == kek_index) { /* Entry found, unlink and reclaim it */ found = 1; list_del(&p->list); mempool_free(p, pCard->map_mempool); } } if (!found) { printf("%s: Entry %x %x %x %llx %llx not found.\n", __FUNCTION__, dek_table, dek_index, kek_index, lba_min, lba_max); return -E_NOT_FOUND; } } else if (dek_map->dekMapEntry[0].flags & ENCRYPT_DEK_MAP_ENTRY_VALID) { /* Add the entry */ p = (ag_encrypt_map_t *)uma_zalloc(pCard->map_cache, M_WAITOK); //Encryption if (!p) { printf("%s: Unable to allocate from memory pool.\n", __FUNCTION__); return -E_MEMPOOL_ALLOC; } /* Populate it */ p->lbaMin = lba_min; p->lbaMax = lba_max; p->dekTable = dek_table; p->dekIndex = dek_index; p->kekIndex = kek_index; p->keyTagCheck = dek_map->keytag_check; memcpy(&p->keyTag, &dek_map->keytag, sizeof(p->keyTag)); /* Test to see if this new mapping overlaps an existing mapping */ list_for_each_entry(n, lh, list) { /* * Check if the start lba falls in existing range || * Check if the end lba falls in existing range || * Check if the start lba of the existing range falls in the new range */ if (((p->lbaMin >= n->lbaMin) && (p->lbaMin <= n->lbaMax)) || ((p->lbaMax >= n->lbaMin) && (p->lbaMax <= n->lbaMax)) || ((n->lbaMin >= p->lbaMin) && (n->lbaMin <= p->lbaMax))) { printf("%s: WARNING: New entry lba range overlap: %llx - %llx vs %llx - %llx.\n", __FUNCTION__, p->lbaMin, p->lbaMax, n->lbaMin, n->lbaMax); } } /* Link it in to list at the head so it takes precedence */ list_add(&p->list, lh); /* TODO: Decide if/how to refcount each dek/kek index used by the mapping */ } else { printf("%s: Bad flags %08x\n", __FUNCTION__, dek_map->dekMapEntry[0].flags); return -E_FLAGS; } return 0; } #endif #ifdef HIALEAH_ENCRYPTION /****************************************************************************** agtiapi_SetupEncryption(): Purpose: Parameters: Return: Note: ******************************************************************************/ int agtiapi_SetupEncryption(struct agtiapi_softc *pCard) { tiRoot_t *tiRoot = (tiRoot_t *) &pCard->tiRoot; bit32 status = tiSuccess; printf("agtiapi_SetupEncryption: HIALEAH_ENCRYPTION\n"); if (pCard->encrypt == agTRUE) { status = tiCOMEncryptGetInfo(tiRoot); printf("agtiapi_SetupEncryption: HIALEAH_ENCRYPTION tiCOMEncryptGetInfo Status 0x%x\n",status); if(status == 1 ) { status = tiCOMEncryptHilSet(tiRoot ); if (status) { pCard->encrypt = agFALSE; printf("agtiapi_SetupEncryption: HIALEAH_ENCRYPTION not set\n"); } } } return 0; } #ifdef ENCRYPT_ENHANCE /****************************************************************************** agtiapi_SetupEncryptionPools(): Purpose: Parameters: Return: Note: ******************************************************************************/ int agtiapi_SetupEncryptionPools(struct agtiapi_softc *pCard) { /* Configure encryption memory pool */ memset(pCard->map_cache_name, 0, sizeof(pCard->map_cache_name)); snprintf(pCard->map_cache_name, sizeof(pCard->map_cache_name) - 1, "map_cache_%d", pCard->cardNo); //zone allocation pCard->map_cache = uma_zcreate(pCard->map_cache_name, sizeof(ag_encrypt_map_t),NULL, NULL, NULL, NULL, 0, 0); if(!pCard->map_cache) { /* * This error may be due to an existing cache in the kernel * from an earlier kmem_cache that wasn't properly freed */ printf("Unable to create uma_zcreate cache for encryption map mempool.\n"); return -EFAULT; } uma_zone_set_max(pCard->map_cache, ENCRYPTION_MAP_MEMPOOL_SIZE); /* Configure encryption IO error pool */ INIT_LIST_HEAD(&pCard->ioerr_queue); /*#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,34)) // #### pCard->ioerr_queue_lock = SPIN_LOCK_UNLOCKED; #else */ pCard->ioerr_queue_lock = AG_SPIN_UNLOCK(pCard->ioerr_queue_lock); //#endif memset(pCard->ioerr_cache_name, 0, sizeof(pCard->ioerr_cache_name)); snprintf(pCard->ioerr_cache_name, sizeof(pCard->ioerr_cache_name) - 1, "ioerr_cache_%d", pCard->cardNo); pCard->ioerr_cache = uma_zcreate(pCard->ioerr_cache_name, sizeof(ag_encrypt_ioerr_t), NULL, NULL, NULL, NULL, 0, 0); if(!pCard->ioerr_cache) { /* * This error may be due to an existing cache in the kernel * from an earlier kmem_cache that wasn't properly freed */ printf("Unable to create kmem cache for encryption IO error mempool.\n"); return -EFAULT; } uma_zone_set_max(pCard->ioerr_cache, ENCRYPTION_IO_ERR_MEMPOOL_SIZE); /* Set cipher mode to something invalid */ pCard->cipher_mode = CIPHER_MODE_INVALID; return 0; } #endif /****************************************************************************** agtiapi_CleanupEncryption(): Purpose: Parameters: Return: Note: ******************************************************************************/ void agtiapi_CleanupEncryption(struct agtiapi_softc *pCard) { #ifdef ENCRYPT_ENHANCE if(pCard->encrypt_map) { int chan, device, lun; struct list_head *lh; ag_encrypt_map_t *p, *n; for (chan = 0; chan < (AGTIAPI_MAX_CHANNEL_NUM + 1); chan++) { for (device = 0; device < pCard->devDiscover; device++) { for (lun = 0; lun < AGTIAPI_MAX_LUN; lun++) { lh = MAP_TABLE_ENTRY(pCard, chan, device, lun); list_for_each_entry_safe(p, n, lh, list) { // mempool_free(p, pCard->map_mempool); } } } } vfree(pCard->encrypt_map); pCard->encrypt_map = NULL; } #endif } #ifdef ENCRYPT_ENHANCE /****************************************************************************** agtiapi_CleanupEncryptionPools(): Purpose: Parameters: Return: Note: ******************************************************************************/ void agtiapi_CleanupEncryptionPools(struct agtiapi_softc *pCard) { ag_encrypt_ioerr_t *ioerr, *tmp; atomic_set(&ioerr_queue_count); /* * TODO: check "outstanding_encrypted_io_count" for non-zero * and free all mempool items prior to destroying pool */ /* Clean up memory pools */ if (pCard->map_mempool) { mempool_destroy(pCard->map_mempool); printf("Encryption Map mempool released.\n"); pCard->map_mempool = NULL; } /* Clean up kmem cache */ if (pCard->map_cache) { kmem_cache_destroy(pCard->map_cache); printf("Kernel memory cache %s released.\n", pCard->map_cache_name); pCard->map_cache = NULL; } /* Clean up memory pools */ list_for_each_entry_safe(ioerr, tmp, &pCard->ioerr_queue, list) { list_del_init(&ioerr->list); mempool_free(ioerr, pCard->ioerr_mempool); atomic_dec(&ioerr_queue_count); } if (pCard->ioerr_mempool) { mempool_destroy(pCard->ioerr_mempool); printf("Encryption IO Error mempool released.\n"); pCard->ioerr_mempool = NULL; } /* Clean up kmem cache */ if (pCard->ioerr_cache) { kmem_cache_destroy(pCard->ioerr_cache); printf("Kernel memory cache %s released.\n", pCard->ioerr_cache_name); pCard->ioerr_cache = NULL; } } /****************************************************************************** agtiapi_EncryptionIoctl(): Purpose: Parameters: Return: Note: ******************************************************************************/ int agtiapi_EncryptionIoctl(struct agtiapi_softc *pCard, IoctlEncrypt_t *pIoctlPayload) { int rv, rc = 0, skip_wait = 0; tiRoot_t *tiRoot = (tiRoot_t *) &pCard->tiRoot; IoctlTISAEncrypt_t *ioctl_data = &pIoctlPayload->body; pIoctlPayload->hdr.Status = IOCTL_ERR_STATUS_INVALID_CODE; pCard->ioctl_data = (void *) ioctl_data; init_completion(&pCard->ioctl_completion); /* Check that the system is quiesced */ if (atomic_read(&outstanding_encrypted_io_count) != 0) printf("%s: WARNING: Attempting encryption management update with outstanding encrypted IOs!\n", __FUNCTION__); printf("%s: Minor %d\n", __FUNCTION__, pIoctlPayload->hdr.MinorFunction); switch(pIoctlPayload->hdr.MinorFunction) { case IOCTL_MN_ENCRYPTION_GET_INFO: { //IoctlEncryptGetInfo_t *get_info = (IoctlEncryptGetInfo_t *) &ioctl_data->request; rc = tiCOMEncryptGetInfo(tiRoot); } break; case IOCTL_MN_ENCRYPTION_SET_MODE: { u32 reg_val = 0, new_cipher_mode = 0; IoctlEncryptSetMode_t *set_mode = (IoctlEncryptSetMode_t *) &ioctl_data->request; printf("%s: input %08x\n", __FUNCTION__, set_mode->securityCipherMode); /* Set security mode */ if(TI_ENCRYPT_SEC_MODE_FACT_INIT) if(set_mode->securityCipherMode & TI_ENCRYPT_SEC_MODE_FACT_INIT) { reg_val |= TI_ENCRYPT_SEC_MODE_FACT_INIT; pCard->dek_size = DEK_SIZE_PLAIN; } if(set_mode->securityCipherMode & TI_ENCRYPT_SEC_MODE_A) { reg_val |= TI_ENCRYPT_SEC_MODE_A; pCard->dek_size = DEK_SIZE_ENCRYPT; } else if(set_mode->securityCipherMode & TI_ENCRYPT_SEC_MODE_B) { reg_val |= TI_ENCRYPT_SEC_MODE_B; pCard->dek_size = DEK_SIZE_ENCRYPT; } /* Set cipher mode */ if(set_mode->securityCipherMode & TI_ENCRYPT_ATTRIB_CIPHER_XTS) { reg_val |= TI_ENCRYPT_ATTRIB_CIPHER_XTS; new_cipher_mode = TI_ENCRYPT_MODE_XTS_AES; } printf("%s: Setting security cipher mode to: 0x%08x\n", __FUNCTION__, reg_val); pCard->cipher_mode = new_cipher_mode; rc = tiCOMEncryptSetMode(tiRoot, reg_val); } break; case IOCTL_MN_ENCRYPTION_KEK_ADD: { tiEncryptKekBlob_t kek_blob; IoctlEncryptKekAdd_t *kek_add = (IoctlEncryptKekAdd_t *) &ioctl_data->request; printf("%s: Add kek at index 0x%x wrapper 0x%x format 0x%x\n", __FUNCTION__, kek_add->kekIndex, kek_add->wrapperKekIndex, kek_add->blobFormat); /* Copy kek_blob from user pointer to local buffer */ if(access_ok(VERIFY_READ, kek_add->EncryptKekBlob, sizeof(kek_blob))) { printf("%s: Starting copy from user %p to kernel %p\n", __FUNCTION__, kek_add->EncryptKekBlob, &kek_blob); if((rv = copy_from_user(&kek_blob, kek_add->EncryptKekBlob, sizeof(kek_blob))) != 0) { printf("%s: Copy error, %d left\n", __FUNCTION__, rv); return IOCTL_CALL_FAIL; } rc = tiCOMEncryptKekAdd(tiRoot, kek_add->kekIndex, kek_add->wrapperKekIndex, kek_add->blobFormat, &kek_blob); /* Add kek to local kek table (in case of chip reset) */ if(rc == tiSuccess) { if(agtiapi_AddKek(pCard, kek_add->kekIndex, kek_add->wrapperKekIndex, &kek_blob) < 0) { return IOCTL_CALL_FAIL; } } } else { return IOCTL_CALL_FAIL; } } break; case IOCTL_MN_ENCRYPTION_DEK_ADD: { tiEncryptDekBlob_t dek_blob; /* Copied in */ IoctlEncryptDekAdd_t *dek_add = (IoctlEncryptDekAdd_t *) &ioctl_data->request; bit32 kek_index = dek_add->kekIndex; bit32 dek_index = dek_add->dekIndex; bit32 dek_table = dek_add->dekTable; bit32 blob_format = dek_add->dekBlobFormat; bit32 entry_sz = dek_add->dekTableKeyEntrySize; U32_64 addr = 0; bit32 addr_table[2]; memset(addr_table, 0, sizeof(addr_table)); printf("%s: Add dek at index 0x%x, table %x, kek index %x, blob format %x, entry size %x\n", __FUNCTION__, dek_index, dek_table, kek_index, blob_format, entry_sz); /* Copy dek_blob from user pointer to local buffer */ if(access_ok(VERIFY_READ, dek_add->dekBlob, sizeof(dek_blob))) { printf("%s: Starting copy from user %p to kernel %p\n", __FUNCTION__, dek_add->dekBlob, &dek_blob); if((rv = copy_from_user(&dek_blob, dek_add->dekBlob, sizeof(dek_blob))) != 0) { printf("%s: Copy error, %d left\n", __FUNCTION__, rv); return IOCTL_CALL_FAIL; } /* Add DEK to local table */ if (agtiapi_AddDek(pCard, dek_table, dek_index, blob_format, entry_sz, &dek_blob, &addr) < 0) { return IOCTL_CALL_FAIL; } memcpy(addr_table, &addr, sizeof(addr)); /* Add DEK-KEK association in local table */ if (agtiapi_MapDekKek(pCard, dek_table, dek_index, kek_index) < 0) { return IOCTL_CALL_FAIL; } /* Push DEK to chip */ rc = tiCOMEncryptDekAdd(tiRoot, kek_index, dek_table, addr_table[1], addr_table[0], dek_index, 1, blob_format, entry_sz); } else { return IOCTL_CALL_FAIL; } } break; case IOCTL_MN_ENCRYPTION_DEK_INVALID: { IoctlEncryptDekInvalidate_t *dek_to_invalidate = (IoctlEncryptDekInvalidate_t *) &ioctl_data->request; printf("%s: Invalidating dek at index 0x%x, table %x\n", __FUNCTION__, dek_to_invalidate->dek.dekIndex, dek_to_invalidate->dek.dekTable); rc = tiCOMEncryptDekInvalidate(tiRoot, dek_to_invalidate->dek.dekTable, dek_to_invalidate->dek.dekIndex); /* TODO: What to do in local tables? Mark it? */ } break; case IOCTL_MN_ENCRYPTION_KEK_NVRAM: { rc = tiError; } break; case IOCTL_MN_ENCRYPTION_DEK_ASSIGN: { IoctlEncryptDekMapTable_t *p_dek_map = (IoctlEncryptDekMapTable_t *) &ioctl_data->request; /* Fill in host */ p_dek_map->dekMap[0].host = (bit32) pCard->pHost->host_no; printf("%s: Host %u: Mapping %u:%u:%u (%llx to %llx) to dek at index 0x%x, table %x, keytag %08x:%08x\n", __FUNCTION__, p_dek_map->dekMap[0].host, p_dek_map->dekMap[0].channel, p_dek_map->dekMap[0].device, p_dek_map->dekMap[0].lun, p_dek_map->dekMap[0].dekMapEntry[0].startLBA, p_dek_map->dekMap[0].dekMapEntry[0].endLBA, p_dek_map->dekMap[0].dekMapEntry[0].dek.dekIndex, p_dek_map->dekMap[0].dekMapEntry[0].dek.dekTable, p_dek_map->dekMap[0].keytag[1], p_dek_map->dekMap[0].keytag[0]); /* Create a mapping in local tables */ if (agtiapi_MapDek(pCard, &p_dek_map->dekMap[0]) < 0) { pIoctlPayload->hdr.Status = IOCTL_ERR_STATUS_INVALID_CODE; return IOCTL_CALL_FAIL; } rc = tiSuccess; skip_wait = 1; ioctl_data->encryptFunction = encryptSetDekMap; ioctl_data->status = tiSuccess; ioctl_data->subEvent = 0; } break; case IOCTL_MN_ENCRYPTION_ERROR_QUERY: { unsigned long flags, i, query_flag; ag_encrypt_ioerr_t *ioerr, *tmp; IoctlEncryptErrorQuery_t *perr = (IoctlEncryptErrorQuery_t *) &ioctl_data->request; printf("%s: query flag %x\n", __FUNCTION__, perr->query_flag); query_flag = perr->query_flag; /* initialize */ memset(perr, 0, sizeof(IoctlEncryptErrorQuery_t)); error_query_restart: /* Take spinlock */ // spin_lock_irqsave(&pCard->ioerr_queue_lock, flags); AG_SPIN_LOCK_IRQ(&pCard->ioerr_queue_lock, flags); /* Walk list */ i = 0; list_for_each_entry_safe(ioerr, tmp, &pCard->ioerr_queue, list) { if (i >= 32) break; perr->valid_mask |= (1 << i); memcpy(&perr->error[i], &ioerr->ioerr, sizeof(IoctlEncryptIOError_t)); list_del_init(&ioerr->list); mempool_free(ioerr, pCard->ioerr_mempool); i++; atomic_dec(&ioerr_queue_count); } /* Release spinlock */ // spin_unlock_irqrestore(&pCard->ioerr_queue_lock, flags); AG_SPIN_UNLOCK_IRQ(&pCard->ioerr_queue_lock, flags); //for test if (!perr->valid_mask) { /* No encryption IO error events, check flags to see if blocking wait OK */ if (query_flag == ERROR_QUERY_FLAG_BLOCK) { if (wait_event_interruptible(ioerr_waitq, (atomic_read(&ioerr_queue_count)))) { /* Awoken by signal */ return IOCTL_CALL_FAIL; } else { /* Awoken by IO error */ goto error_query_restart; } } } rc = tiSuccess; skip_wait = 1; ioctl_data->encryptFunction = encryptErrorQuery; ioctl_data->status = tiSuccess; ioctl_data->subEvent = 0; } break; default: printf("%s: Unrecognized Minor Function %d\n", __FUNCTION__, pIoctlPayload->hdr.MinorFunction); pIoctlPayload->hdr.Status = IOCTL_ERR_STATUS_INVALID_CODE; return IOCTL_CALL_FAIL; break; } /* Demux rc */ switch(rc) { case tiSuccess: if(!skip_wait) wait_for_completion(&pCard->ioctl_completion); /* Maybe: wait_for_completion_timeout() */ pIoctlPayload->hdr.Status = ioctl_data->status; break; case tiNotSupported: pIoctlPayload->hdr.Status = IOCTL_ERR_STATUS_NOT_SUPPORTED; break; default: printf("%s: Status: %d\n", __FUNCTION__, rc); pIoctlPayload->hdr.Status = IOCTL_ERR_STATUS_INVALID_CODE; break; } printf("%s: Encryption ioctl %d successful.\n", __FUNCTION__, pIoctlPayload->hdr.MinorFunction); return IOCTL_CALL_SUCCESS; } #endif /****************************************************************************** agtiapi_SetupEncryptedIO(): Purpose: Parameters: Return: Note: ******************************************************************************/ int agtiapi_SetupEncryptedIO(struct agtiapi_softc *pCard, ccb_t *pccb, unsigned long long block) { pCard->cipher_mode = TI_ENCRYPT_ATTRIB_CIPHER_XTS; /* Check that cipher mode is set properly */ if (pCard->cipher_mode == CIPHER_MODE_INVALID) { printf("%s: Cipher mode not yet set.\n", __FUNCTION__); return -E_BAD_CIPHER_MODE; } memset(&(pccb->tiSuperScsiRequest.Encrypt), 0, sizeof(pccb->tiSuperScsiRequest.Encrypt)); pccb->tiSuperScsiRequest.Encrypt.keyTagCheck = FALSE; pccb->tiSuperScsiRequest.Encrypt.encryptMode = pCard->cipher_mode; pccb->tiSuperScsiRequest.Encrypt.tweakVal_W0 = block; if(pccb->tiSuperScsiRequest.scsiCmnd.cdb[0] == READ_16 || pccb->tiSuperScsiRequest.scsiCmnd.cdb[0] == WRITE_16) { pccb->tiSuperScsiRequest.Encrypt.tweakVal_W0 = ((pccb->tiSuperScsiRequest.scsiCmnd.cdb[6] << 24 ) | (pccb->tiSuperScsiRequest.scsiCmnd.cdb[7] << 16 ) | (pccb->tiSuperScsiRequest.scsiCmnd.cdb[8] << 8 ) | (pccb->tiSuperScsiRequest.scsiCmnd.cdb[9])); pccb->tiSuperScsiRequest.Encrypt.tweakVal_W1 = ((pccb->tiSuperScsiRequest.scsiCmnd.cdb[2] << 24 ) | (pccb->tiSuperScsiRequest.scsiCmnd.cdb[3] << 16 ) | (pccb->tiSuperScsiRequest.scsiCmnd.cdb[4] << 8 ) | (pccb->tiSuperScsiRequest.scsiCmnd.cdb[5])); } /* Mark IO as valid encrypted IO */ pccb->flags |= ENCRYPTED_IO; pccb->tiSuperScsiRequest.flags = TI_SCSI_INITIATOR_ENCRYPT; /* Bump refcount (atomic) */ atomic_inc(&outstanding_encrypted_io_count); return 0; } /****************************************************************************** agtiapi_CleanupEncryptedIO(): Purpose: Parameters: Return: Note: ******************************************************************************/ void agtiapi_CleanupEncryptedIO(struct agtiapi_softc *pCard, ccb_t *pccb) { if ((pccb->flags & ENCRYPTED_IO)) { /* Decrement refcount */ atomic_dec(&outstanding_encrypted_io_count); } pccb->tiSuperScsiRequest.flags &= ~TI_SCSI_INITIATOR_ENCRYPT; pccb->flags &= ~ENCRYPTED_IO; } #ifdef ENCRYPT_ENHANCE /****************************************************************************** agtiapi_HandleEncryptedIOFailure(): Purpose: Parameters: Return: Note: ******************************************************************************/ void agtiapi_HandleEncryptedIOFailure(ag_device_t *pDev, ccb_t *pccb) { unsigned long flags, qdepth; struct scsi_cmnd *cmd; ag_encrypt_ioerr_t *perr; ag_card_t *pCard; cmd = pccb->cmd; if (!cmd) { printf("%s: Malformed pccb %p.\n", __FUNCTION__, pccb); return; } pCard = pDev->pCard; /* Sanity check */ if (!(pccb->flags & ENCRYPTED_IO)) { printf("%s: Skipping IO %lx: Not Encrypted.\n", __FUNCTION__, cmd->serial_number); return; } /* Check queue depth against max */ qdepth = atomic_read(&ioerr_queue_count); if (qdepth >= IOERR_QUEUE_DEPTH_MAX) { printf("%s: Not queueing IO error due to queue full: %lu entries.\n", __FUNCTION__, qdepth); return; } /* Get a container for the ag_encrypt_ioerr_t item from the mempool */ // perr = mempool_alloc(pCard->ioerr_mempool, GFP_ATOMIC); p = (ag_encrypt_map_t *)uma_zalloc(pCard->map_cache, M_WAITOK); //Encryption if (!perr) { printf("%s: Mempool allocation failure.\n", __FUNCTION__); return; } /* Populate ag_encrypt_ioerr_t container */ perr->ioerr.error_id = cmd->serial_number; perr->ioerr.timestamp = cmd->jiffies_at_alloc; perr->ioerr.host = (unsigned int) cmd->device->host->host_no; perr->ioerr.channel = cmd->device->channel; perr->ioerr.device = cmd->device->id; perr->ioerr.lun = cmd->device->lun; perr->ioerr.scsi_cmd = (unsigned int) cmd->cmnd[0]; perr->ioerr.dek_index = pccb->tiSuperScsiRequest.Encrypt.dekInfo.dekIndex; perr->ioerr.dek_table = pccb->tiSuperScsiRequest.Encrypt.dekInfo.dekTable; perr->ioerr.kek_index = pccb->tiSuperScsiRequest.Encrypt.kekIndex; perr->ioerr.keytag_check = pccb->tiSuperScsiRequest.Encrypt.keyTagCheck; perr->ioerr.encrypt_mode = pccb->tiSuperScsiRequest.Encrypt.encryptMode; perr->ioerr.keytag[0] = pccb->tiSuperScsiRequest.Encrypt.keyTag_W0; perr->ioerr.keytag[1] = pccb->tiSuperScsiRequest.Encrypt.keyTag_W1; switch(pccb->scsiStatus) { case tiDetailDekKeyCacheMiss: case tiDetailDekIVMismatch: perr->ioerr.error_type = pccb->scsiStatus; break; default: printf("%s: Unrecognized encrypted IO completion error status: %d\n", __FUNCTION__, pccb->scsiStatus); perr->ioerr.error_type = 0xffffffff; break; } /* Link IO err into queue */ AG_SPIN_LOCK_IRQ(&pCard->ioerr_queue_lock, flags); list_add_tail(&perr->list, &pCard->ioerr_queue); AG_SPIN_UNLOCK_IRQ(&pCard->ioerr_queue_lock, flags); /* Notify any wait queue waiters that an IO error has occurred */ atomic_inc(&ioerr_queue_count); wake_up_interruptible(&ioerr_waitq); } #endif #endif