| Message ID | 20230721211534.3437070-1-gjoyce@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | sed-opal: keyrings, discovery, revert, key store | expand |
It's been almost 4 weeks since the last resend and there haven't been any comments. Is there anything that needs to be changed for acceptance? Thanks for your input. Greg On Fri, 2023-07-21 at 16:15 -0500, gjoyce@linux.vnet.ibm.com wrote: > From: Greg Joyce <gjoyce@linux.vnet.ibm.com> > > This patchset has gone through numerous rounds of review and > all comments/suggetions have been addressed. The reviews have > covered all relevant areas including reviews by block and keyring > developers as well as the SED Opal maintainer. The last > patchset submission has not solicited any responses in the > six weeks since it was last distributed. The changes are > generally useful and ready for inclusion. > > TCG SED Opal is a specification from The Trusted Computing Group > that allows self encrypting storage devices (SED) to be locked at > power on and require an authentication key to unlock the drive. > > The current SED Opal implementation in the block driver > requires that authentication keys be provided in an ioctl > so that they can be presented to the underlying SED > capable drive. Currently, the key is typically entered by > a user with an application like sedutil or sedcli. While > this process works, it does not lend itself to automation > like unlock by a udev rule. > > The SED block driver has been extended so it can alternatively > obtain a key from a sed-opal kernel keyring. The SED ioctls > will indicate the source of the key, either directly in the > ioctl data or from the keyring. > > Two new SED ioctls have also been added. These are: > 1) IOC_OPAL_REVERT_LSP to revert LSP state > 2) IOC_OPAL_DISCOVERY to discover drive capabilities/state > > change log v5: > - rebase to for-6.5/block > > change log v4: > - rebase to 6.3-rc7 > - replaced "255" magic number with U8_MAX > > change log: > - rebase to 6.x > - added latest reviews > - removed platform functions for persistent key storage > - replaced key update logic with key_create_or_update() > - minor bracing and padding changes > - add error returns > - opal_key structure is application provided but kernel > verified > - added brief description of TCG SED Opal > > > Greg Joyce (3): > block: sed-opal: Implement IOC_OPAL_DISCOVERY > block: sed-opal: Implement IOC_OPAL_REVERT_LSP > block: sed-opal: keyring support for SED keys > > block/Kconfig | 2 + > block/opal_proto.h | 4 + > block/sed-opal.c | 252 > +++++++++++++++++++++++++++++++++- > include/linux/sed-opal.h | 5 + > include/uapi/linux/sed-opal.h | 25 +++- > 5 files changed, 282 insertions(+), 6 deletions(-) > > > base-commit: 1341c7d2ccf42ed91aea80b8579d35bc1ea381e2
On Wed Aug 16, 2023 at 10:45 PM EEST, Greg Joyce wrote: > It's been almost 4 weeks since the last resend and there haven't been > any comments. Is there anything that needs to be changed for > acceptance? > > Thanks for your input. > > Greg > > On Fri, 2023-07-21 at 16:15 -0500, gjoyce@linux.vnet.ibm.com wrote: > > From: Greg Joyce <gjoyce@linux.vnet.ibm.com> > > > > This patchset has gone through numerous rounds of review and > > all comments/suggetions have been addressed. The reviews have > > covered all relevant areas including reviews by block and keyring > > developers as well as the SED Opal maintainer. The last > > patchset submission has not solicited any responses in the > > six weeks since it was last distributed. The changes are > > generally useful and ready for inclusion. > > > > TCG SED Opal is a specification from The Trusted Computing Group > > that allows self encrypting storage devices (SED) to be locked at > > power on and require an authentication key to unlock the drive. > > > > The current SED Opal implementation in the block driver > > requires that authentication keys be provided in an ioctl > > so that they can be presented to the underlying SED > > capable drive. Currently, the key is typically entered by > > a user with an application like sedutil or sedcli. While > > this process works, it does not lend itself to automation > > like unlock by a udev rule. > > > > The SED block driver has been extended so it can alternatively > > obtain a key from a sed-opal kernel keyring. The SED ioctls > > will indicate the source of the key, either directly in the > > ioctl data or from the keyring. > > > > Two new SED ioctls have also been added. These are: > > 1) IOC_OPAL_REVERT_LSP to revert LSP state > > 2) IOC_OPAL_DISCOVERY to discover drive capabilities/state > > > > change log v5: > > - rebase to for-6.5/block > > > > change log v4: > > - rebase to 6.3-rc7 > > - replaced "255" magic number with U8_MAX > > > > change log: > > - rebase to 6.x > > - added latest reviews > > - removed platform functions for persistent key storage > > - replaced key update logic with key_create_or_update() > > - minor bracing and padding changes > > - add error returns > > - opal_key structure is application provided but kernel > > verified > > - added brief description of TCG SED Opal > > > > > > Greg Joyce (3): > > block: sed-opal: Implement IOC_OPAL_DISCOVERY > > block: sed-opal: Implement IOC_OPAL_REVERT_LSP > > block: sed-opal: keyring support for SED keys > > > > block/Kconfig | 2 + > > block/opal_proto.h | 4 + > > block/sed-opal.c | 252 > > +++++++++++++++++++++++++++++++++- > > include/linux/sed-opal.h | 5 + > > include/uapi/linux/sed-opal.h | 25 +++- > > 5 files changed, 282 insertions(+), 6 deletions(-) > > > > > > base-commit: 1341c7d2ccf42ed91aea80b8579d35bc1ea381e2 I can give because it looks good to me to all patches: Acked-by: Jarkko Sakkinen <jarkko@kernel.org> ... but should not probably go to my tree. BR, Jarkko
On Wed, 2023-08-16 at 23:41 +0300, Jarkko Sakkinen wrote: > On Wed Aug 16, 2023 at 10:45 PM EEST, Greg Joyce wrote: > > It's been almost 4 weeks since the last resend and there haven't > > been > > any comments. Is there anything that needs to be changed for > > acceptance? > > > > Thanks for your input. > > > > Greg > > > > On Fri, 2023-07-21 at 16:15 -0500, gjoyce@linux.vnet.ibm.com wrote: > > > From: Greg Joyce <gjoyce@linux.vnet.ibm.com> > > > > > > This patchset has gone through numerous rounds of review and > > > all comments/suggetions have been addressed. The reviews have > > > covered all relevant areas including reviews by block and keyring > > > developers as well as the SED Opal maintainer. The last > > > patchset submission has not solicited any responses in the > > > six weeks since it was last distributed. The changes are > > > generally useful and ready for inclusion. > > > > > > TCG SED Opal is a specification from The Trusted Computing Group > > > that allows self encrypting storage devices (SED) to be locked at > > > power on and require an authentication key to unlock the drive. > > > > > > The current SED Opal implementation in the block driver > > > requires that authentication keys be provided in an ioctl > > > so that they can be presented to the underlying SED > > > capable drive. Currently, the key is typically entered by > > > a user with an application like sedutil or sedcli. While > > > this process works, it does not lend itself to automation > > > like unlock by a udev rule. > > > > > > The SED block driver has been extended so it can alternatively > > > obtain a key from a sed-opal kernel keyring. The SED ioctls > > > will indicate the source of the key, either directly in the > > > ioctl data or from the keyring. > > > > > > Two new SED ioctls have also been added. These are: > > > 1) IOC_OPAL_REVERT_LSP to revert LSP state > > > 2) IOC_OPAL_DISCOVERY to discover drive capabilities/state > > > > > > change log v5: > > > - rebase to for-6.5/block > > > > > > change log v4: > > > - rebase to 6.3-rc7 > > > - replaced "255" magic number with U8_MAX > > > > > > change log: > > > - rebase to 6.x > > > - added latest reviews > > > - removed platform functions for persistent key storage > > > - replaced key update logic with key_create_or_update() > > > - minor bracing and padding changes > > > - add error returns > > > - opal_key structure is application provided but kernel > > > verified > > > - added brief description of TCG SED Opal > > > > > > > > > Greg Joyce (3): > > > block: sed-opal: Implement IOC_OPAL_DISCOVERY > > > block: sed-opal: Implement IOC_OPAL_REVERT_LSP > > > block: sed-opal: keyring support for SED keys > > > > > > block/Kconfig | 2 + > > > block/opal_proto.h | 4 + > > > block/sed-opal.c | 252 > > > +++++++++++++++++++++++++++++++++- > > > include/linux/sed-opal.h | 5 + > > > include/uapi/linux/sed-opal.h | 25 +++- > > > 5 files changed, 282 insertions(+), 6 deletions(-) > > > > > > > > > base-commit: 1341c7d2ccf42ed91aea80b8579d35bc1ea381e2 > > I can give because it looks good to me to all patches: > > Acked-by: Jarkko Sakkinen <jarkko@kernel.org> > > ... but should not probably go to my tree. > > BR, Jarkko Thanks for the ack Jarkko. Any thoughts on which tree it should go to? Greg
On Mon Aug 21, 2023 at 6:26 PM EEST, Greg Joyce wrote: > On Wed, 2023-08-16 at 23:41 +0300, Jarkko Sakkinen wrote: > > On Wed Aug 16, 2023 at 10:45 PM EEST, Greg Joyce wrote: > > > It's been almost 4 weeks since the last resend and there haven't > > > been > > > any comments. Is there anything that needs to be changed for > > > acceptance? > > > > > > Thanks for your input. > > > > > > Greg > > > > > > On Fri, 2023-07-21 at 16:15 -0500, gjoyce@linux.vnet.ibm.com wrote: > > > > From: Greg Joyce <gjoyce@linux.vnet.ibm.com> > > > > > > > > This patchset has gone through numerous rounds of review and > > > > all comments/suggetions have been addressed. The reviews have > > > > covered all relevant areas including reviews by block and keyring > > > > developers as well as the SED Opal maintainer. The last > > > > patchset submission has not solicited any responses in the > > > > six weeks since it was last distributed. The changes are > > > > generally useful and ready for inclusion. > > > > > > > > TCG SED Opal is a specification from The Trusted Computing Group > > > > that allows self encrypting storage devices (SED) to be locked at > > > > power on and require an authentication key to unlock the drive. > > > > > > > > The current SED Opal implementation in the block driver > > > > requires that authentication keys be provided in an ioctl > > > > so that they can be presented to the underlying SED > > > > capable drive. Currently, the key is typically entered by > > > > a user with an application like sedutil or sedcli. While > > > > this process works, it does not lend itself to automation > > > > like unlock by a udev rule. > > > > > > > > The SED block driver has been extended so it can alternatively > > > > obtain a key from a sed-opal kernel keyring. The SED ioctls > > > > will indicate the source of the key, either directly in the > > > > ioctl data or from the keyring. > > > > > > > > Two new SED ioctls have also been added. These are: > > > > 1) IOC_OPAL_REVERT_LSP to revert LSP state > > > > 2) IOC_OPAL_DISCOVERY to discover drive capabilities/state > > > > > > > > change log v5: > > > > - rebase to for-6.5/block > > > > > > > > change log v4: > > > > - rebase to 6.3-rc7 > > > > - replaced "255" magic number with U8_MAX > > > > > > > > change log: > > > > - rebase to 6.x > > > > - added latest reviews > > > > - removed platform functions for persistent key storage > > > > - replaced key update logic with key_create_or_update() > > > > - minor bracing and padding changes > > > > - add error returns > > > > - opal_key structure is application provided but kernel > > > > verified > > > > - added brief description of TCG SED Opal > > > > > > > > > > > > Greg Joyce (3): > > > > block: sed-opal: Implement IOC_OPAL_DISCOVERY > > > > block: sed-opal: Implement IOC_OPAL_REVERT_LSP > > > > block: sed-opal: keyring support for SED keys > > > > > > > > block/Kconfig | 2 + > > > > block/opal_proto.h | 4 + > > > > block/sed-opal.c | 252 > > > > +++++++++++++++++++++++++++++++++- > > > > include/linux/sed-opal.h | 5 + > > > > include/uapi/linux/sed-opal.h | 25 +++- > > > > 5 files changed, 282 insertions(+), 6 deletions(-) > > > > > > > > > > > > base-commit: 1341c7d2ccf42ed91aea80b8579d35bc1ea381e2 > > > > I can give because it looks good to me to all patches: > > > > Acked-by: Jarkko Sakkinen <jarkko@kernel.org> > > > > ... but should not probably go to my tree. > > > > BR, Jarkko > > Thanks for the ack Jarkko. Any thoughts on which tree it should go to? I get from "scripts/get_maintainer.pl block/sed-opal.c | wl-copy" Jonathan Derrick <jonathan.derrick@linux.dev> (supporter:SECURE ENCRYPTING DEVICE (SED) OPAL DRIVER) Jens Axboe <axboe@kernel.dk> (maintainer:BLOCK LAYER) linux-block@vger.kernel.org (open list:SECURE ENCRYPTING DEVICE (SED) OPAL DRIVER) linux-kernel@vger.kernel.org (open list) You should probably add the corresponding maintainers and linux-block to the loop. I suggest to send a new version of the patch set with my ack's added to the patches. BR, Jarkko
On Fri, 21 Jul 2023 16:15:31 -0500, gjoyce@linux.vnet.ibm.com wrote: > This patchset has gone through numerous rounds of review and > all comments/suggetions have been addressed. The reviews have > covered all relevant areas including reviews by block and keyring > developers as well as the SED Opal maintainer. The last > patchset submission has not solicited any responses in the > six weeks since it was last distributed. The changes are > generally useful and ready for inclusion. > > [...] Applied, thanks! [1/3] block: sed-opal: Implement IOC_OPAL_DISCOVERY commit: 9fb10726ecc5145550180aec4fd0adf0a7b1d634 [2/3] block: sed-opal: Implement IOC_OPAL_REVERT_LSP commit: 5c82efc1aee8eb0919aa67a0d2559de5a326bd7c [3/3] block: sed-opal: keyring support for SED keys commit: 3bfeb61256643281ac4be5b8a57e9d9da3db4335 Best regards,
From: Greg Joyce <gjoyce@linux.vnet.ibm.com> This patchset has gone through numerous rounds of review and all comments/suggetions have been addressed. The reviews have covered all relevant areas including reviews by block and keyring developers as well as the SED Opal maintainer. The last patchset submission has not solicited any responses in the six weeks since it was last distributed. The changes are generally useful and ready for inclusion. TCG SED Opal is a specification from The Trusted Computing Group that allows self encrypting storage devices (SED) to be locked at power on and require an authentication key to unlock the drive. The current SED Opal implementation in the block driver requires that authentication keys be provided in an ioctl so that they can be presented to the underlying SED capable drive. Currently, the key is typically entered by a user with an application like sedutil or sedcli. While this process works, it does not lend itself to automation like unlock by a udev rule. The SED block driver has been extended so it can alternatively obtain a key from a sed-opal kernel keyring. The SED ioctls will indicate the source of the key, either directly in the ioctl data or from the keyring. Two new SED ioctls have also been added. These are: 1) IOC_OPAL_REVERT_LSP to revert LSP state 2) IOC_OPAL_DISCOVERY to discover drive capabilities/state change log v5: - rebase to for-6.5/block change log v4: - rebase to 6.3-rc7 - replaced "255" magic number with U8_MAX change log: - rebase to 6.x - added latest reviews - removed platform functions for persistent key storage - replaced key update logic with key_create_or_update() - minor bracing and padding changes - add error returns - opal_key structure is application provided but kernel verified - added brief description of TCG SED Opal Greg Joyce (3): block: sed-opal: Implement IOC_OPAL_DISCOVERY block: sed-opal: Implement IOC_OPAL_REVERT_LSP block: sed-opal: keyring support for SED keys block/Kconfig | 2 + block/opal_proto.h | 4 + block/sed-opal.c | 252 +++++++++++++++++++++++++++++++++- include/linux/sed-opal.h | 5 + include/uapi/linux/sed-opal.h | 25 +++- 5 files changed, 282 insertions(+), 6 deletions(-) base-commit: 1341c7d2ccf42ed91aea80b8579d35bc1ea381e2