summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHolger Dengler <dengler@linux.ibm.com>2026-06-23 16:20:31 +0200
committerVasily Gorbik <gor@linux.ibm.com>2026-07-01 17:10:53 +0200
commit754e9e49b76fd5be339172aa98544182ed3ca75e (patch)
treedaf1cf94f5b100ec43ce3c8052536d4a23e7afef
parentdc59e4fea9d83f03bad6bddf3fa2e52491777482 (diff)
downloadlwn-754e9e49b76fd5be339172aa98544182ed3ca75e.tar.gz
lwn-754e9e49b76fd5be339172aa98544182ed3ca75e.zip
pkey: Move keytype check from pkey api to handler
The PKEY_VERIFYPROTK ioctl takes data from user-space and verifies the contained protected key. While checking the integrity of the ioctl request structure is the responsibility of the generic pkey_api code, the verification of the contained protected key is the responsibility of the pkey handler. The keytype verification (based on the calculated bitsize of the key) is part of the protected key verification and therefore the responsibility of the pkey handler (which already verifies it). Therefore the keytype verification is removed from the generic pkey_api code. As the calculation of the key bitsize is currently wrong, the removal of the keytype check in pkey_api also removes this wrong calculation. For this reason, the commit is flagged with the Fixes: tag. Cc: stable@kernel.org # 6.12+ Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules") Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
-rw-r--r--drivers/s390/crypto/pkey_api.c11
1 files changed, 1 insertions, 10 deletions
diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index 28e1007005f2..5d8f63f390a8 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -327,7 +327,6 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
{
struct pkey_verifyprotk kvp;
struct protaeskeytoken *t;
- u32 keytype;
u8 *tmpbuf;
int rc;
@@ -341,14 +340,6 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
return -EINVAL;
}
- keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
- if (!keytype) {
- PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
- __func__, kvp.protkey.len);
- memzero_explicit(&kvp, sizeof(kvp));
- return -EINVAL;
- }
-
/* build a 'protected key token' from the raw protected key */
tmpbuf = kzalloc(sizeof(*t), GFP_KERNEL);
if (!tmpbuf) {
@@ -358,7 +349,7 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
t = (struct protaeskeytoken *)tmpbuf;
t->type = TOKTYPE_NON_CCA;
t->version = TOKVER_PROTECTED_KEY;
- t->keytype = keytype;
+ t->keytype = kvp.protkey.type;
t->len = kvp.protkey.len;
memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len);