From cfd68b33094e1a92249850ff3c3c92ae9112a541 Mon Sep 17 00:00:00 2001 From: Juergen Christ Date: Wed, 9 Mar 2022 14:30:05 +0100 Subject: s390/zcrypt: Filter admin CPRBs on custom devices Add a filter for custom devices to check for allowed control domains of admin CPRBs. This filter only applies to custom devices and not to the main device. Signed-off-by: Juergen Christ Signed-off-by: Vasily Gorbik --- drivers/s390/crypto/zcrypt_api.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c index 5cfe5cf44ba1..aa6dc3c0c353 100644 --- a/drivers/s390/crypto/zcrypt_api.c +++ b/drivers/s390/crypto/zcrypt_api.c @@ -923,11 +923,22 @@ static long _zcrypt_send_cprb(bool userspace, struct ap_perms *perms, if (rc) goto out; + tdom = *domain; + if (perms != &ap_perms && tdom < AP_DOMAINS) { + if (ap_msg.flags & AP_MSG_FLAG_ADMIN) { + if (!test_bit_inv(tdom, perms->adm)) { + rc = -ENODEV; + goto out; + } + } else if ((ap_msg.flags & AP_MSG_FLAG_USAGE) == 0) { + rc = -EOPNOTSUPP; + goto out; + } + } /* * If a valid target domain is set and this domain is NOT a usage * domain but a control only domain, autoselect target domain. */ - tdom = *domain; if (tdom < AP_DOMAINS && !ap_test_config_usage_domain(tdom) && ap_test_config_ctrl_domain(tdom)) @@ -1105,6 +1116,18 @@ static long _zcrypt_send_ep11_cprb(bool userspace, struct ap_perms *perms, if (rc) goto out_free; + if (perms != &ap_perms && domain < AUTOSEL_DOM) { + if (ap_msg.flags & AP_MSG_FLAG_ADMIN) { + if (!test_bit_inv(domain, perms->adm)) { + rc = -ENODEV; + goto out_free; + } + } else if ((ap_msg.flags & AP_MSG_FLAG_USAGE) == 0) { + rc = -EOPNOTSUPP; + goto out_free; + } + } + pref_zc = NULL; pref_zq = NULL; spin_lock(&zcrypt_list_lock); -- cgit v1.2.1