pkey: Indicate old mkvp only if old and current mkvp are different

When the CCA master key is set twice with the same master key,
then the old and the current master key are the same and thus the
verification patterns are the same, too. The check to report if a
secure key is currently wrapped by the old master key erroneously
reports old mkvp in this case.

Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index 2f92bbed4bf6891f199b34e0002bc12dc9a2e5ea..3e85d665c572957aa491917b1433b5254812b0f6 100644 (file)
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -1079,7 +1079,7 @@ int pkey_verifykey(const struct pkey_seckey *seckey,
        rc = mkvp_cache_fetch(cardnr, domain, mkvp);
        if (rc)
                goto out;
-       if (t->mkvp == mkvp[1]) {
+       if (t->mkvp == mkvp[1] && t->mkvp != mkvp[0]) {
                DEBUG_DBG("%s secure key has old mkvp\n", __func__);
                if (pattributes)
                        *pattributes |= PKEY_VERIFY_ATTR_OLD_MKVP;