[SRU,B,C,D,1/1] pkey: Indicate old mkvp only if old and current mkvp are different
diff mbox series

Message ID 1560841387-920-2-git-send-email-frank.heimes@canonical.com
State New
Headers show
Series
  • pkey: Indicate old mkvp only if old and current mkvp are different (LP: 1832625)
Related show

Commit Message

Frank Heimes June 18, 2019, 7:03 a.m. UTC
From: Ingo Franzki <ifranzki@linux.ibm.com>

BugLink: https://bugs.launchpad.net/bugs/1832625

When the CCA master key is set twice with the same master key,
then the old and the current master key are the same and thus the
verification patterns are the same, too. The check to report if a
secure key is currently wrapped by the old master key erroneously
reports old mkvp in this case.

Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
(cherry picked from commit ebb7c695d3bc7a4986b92edc8d9ef43491be183e)
Signed-off-by: Frank Heimes <frank.heimes@canonical.com>
---
 drivers/s390/crypto/pkey_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Stefan Bader June 28, 2019, 12:23 p.m. UTC | #1
On 18.06.19 09:03, frank.heimes@canonical.com wrote:
> From: Ingo Franzki <ifranzki@linux.ibm.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1832625
> 
> When the CCA master key is set twice with the same master key,
> then the old and the current master key are the same and thus the
> verification patterns are the same, too. The check to report if a
> secure key is currently wrapped by the old master key erroneously
> reports old mkvp in this case.
> 
> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
> Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
> (cherry picked from commit ebb7c695d3bc7a4986b92edc8d9ef43491be183e)
> Signed-off-by: Frank Heimes <frank.heimes@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  drivers/s390/crypto/pkey_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> index 81bfcc9..03c643a 100644
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -1034,7 +1034,7 @@ int pkey_verifykey(const struct pkey_seckey *seckey,
>  	rc = mkvp_cache_fetch(cardnr, domain, mkvp);
>  	if (rc)
>  		goto out;
> -	if (t->mkvp == mkvp[1]) {
> +	if (t->mkvp == mkvp[1] && t->mkvp != mkvp[0]) {
>  		DEBUG_DBG("%s secure key has old mkvp\n", __func__);
>  		if (pattributes)
>  			*pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
>
Marcelo Henrique Cerri July 1, 2019, 6:21 p.m. UTC | #2
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>

On Tue, Jun 18, 2019 at 09:03:07AM +0200, frank.heimes@canonical.com wrote:
> From: Ingo Franzki <ifranzki@linux.ibm.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1832625
> 
> When the CCA master key is set twice with the same master key,
> then the old and the current master key are the same and thus the
> verification patterns are the same, too. The check to report if a
> secure key is currently wrapped by the old master key erroneously
> reports old mkvp in this case.
> 
> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
> Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
> (cherry picked from commit ebb7c695d3bc7a4986b92edc8d9ef43491be183e)
> Signed-off-by: Frank Heimes <frank.heimes@canonical.com>
> ---
>  drivers/s390/crypto/pkey_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> index 81bfcc9..03c643a 100644
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -1034,7 +1034,7 @@ int pkey_verifykey(const struct pkey_seckey *seckey,
>  	rc = mkvp_cache_fetch(cardnr, domain, mkvp);
>  	if (rc)
>  		goto out;
> -	if (t->mkvp == mkvp[1]) {
> +	if (t->mkvp == mkvp[1] && t->mkvp != mkvp[0]) {
>  		DEBUG_DBG("%s secure key has old mkvp\n", __func__);
>  		if (pattributes)
>  			*pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch
diff mbox series

diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index 81bfcc9..03c643a 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -1034,7 +1034,7 @@  int pkey_verifykey(const struct pkey_seckey *seckey,
 	rc = mkvp_cache_fetch(cardnr, domain, mkvp);
 	if (rc)
 		goto out;
-	if (t->mkvp == mkvp[1]) {
+	if (t->mkvp == mkvp[1] && t->mkvp != mkvp[0]) {
 		DEBUG_DBG("%s secure key has old mkvp\n", __func__);
 		if (pattributes)
 			*pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;