[v7,00/12] ndctl: add security support
mbox series

Message ID 154705633843.23227.15903675663299735878.stgit@djiang5-desk3.ch.intel.com
Headers show
Series
  • ndctl: add security support
Related show

Message

Dave Jiang Jan. 9, 2019, 5:53 p.m. UTC
The following series implements mechanisms that utilize the sysfs knobs
provided by the kernel in order to support the Intel DSM v1.8 spec
that provides security to NVDIMM. The following abilities are added:
1. display security state
2. enable/update passphrase
3. disable passphrase
4. freeze security
5. secure erase
6. overwrite
7. master passphrase enable/update

v7:
- Added option to provide path to key directory. (Vishal)
- Cleaned up shell scripts. (Vishal)
- Cleaned up documentation. (Vishal)
- Addressed various comments from Vishal.

v6:
- Fix spelling and grammar errors for documentation. (Jing)
- Change bool for indicate master passphrase and old passphrase to enum.
- Fix key load script master key name.
- Update to match v15 of kernel patch series.

v5:
- Updated to match latest kernel interface (encrypted keys)
- Added overwrite support
- Added support for DSM v1.8 master passphrase operations
- Removed upcall related code
- Moved security state to enum (Dan)
- Change security output "security_state" to just "security". (Dan)
- Break out enable and update passphrase operation. (Dan)
- Security build can be compiled out when keyutils does not exist. (Dan)
- Move all keyutils related operations to libndctl. (Dan)

v4:
- Updated to match latest kernel interface.
- Added unit test for all security calls

v3:
- Added support to inject keys in order to update nvdimm security.

v2:
- Fixup the upcall util to match recent kernel updates for nvdimm security.

---

Dave Jiang (12):
      ndctl: add support for display security state
      ndctl: add passphrase update to ndctl
      ndctl: add disable security support
      ndctl: add support for freeze security
      ndctl: add support for sanitize dimm
      ndctl: add unit test for security ops (minus overwrite)
      ndctl: setup modprobe rules
      ndctl: add overwrite operation support
      ndctl: add wait-overwrite support
      ndctl: master phassphrase management support
      ndctl: add master secure erase support
      ndctl: documentation for security and key management


 Documentation/ndctl/Makefile.am                  |    8 
 Documentation/ndctl/intel-nvdimm-security.txt    |  140 ++++++
 Documentation/ndctl/ndctl-disable-passphrase.txt |   34 +
 Documentation/ndctl/ndctl-enable-passphrase.txt  |   49 ++
 Documentation/ndctl/ndctl-freeze-security.txt    |   22 +
 Documentation/ndctl/ndctl-list.txt               |    8 
 Documentation/ndctl/ndctl-sanitize-dimm.txt      |   49 ++
 Documentation/ndctl/ndctl-update-passphrase.txt  |   45 ++
 Documentation/ndctl/ndctl-wait-overwrite.txt     |   31 +
 Makefile.am                                      |   10 
 configure.ac                                     |   19 +
 contrib/ndctl-loadkeys.sh                        |   25 +
 contrib/nvdimm_modprobe.conf                     |    1 
 ndctl.spec.in                                    |    2 
 ndctl/Makefile.am                                |    3 
 ndctl/builtin.h                                  |    6 
 ndctl/dimm.c                                     |  259 +++++++++++
 ndctl/lib/Makefile.am                            |    8 
 ndctl/lib/dimm.c                                 |  202 +++++++++
 ndctl/lib/keys.c                                 |  512 ++++++++++++++++++++++
 ndctl/lib/libndctl.sym                           |   19 +
 ndctl/libndctl.h                                 |   79 +++
 ndctl/ndctl.c                                    |    6 
 test/Makefile.am                                 |    4 
 test/security.sh                                 |  203 +++++++++
 util/json.c                                      |   31 +
 26 files changed, 1762 insertions(+), 13 deletions(-)
 create mode 100644 Documentation/ndctl/intel-nvdimm-security.txt
 create mode 100644 Documentation/ndctl/ndctl-disable-passphrase.txt
 create mode 100644 Documentation/ndctl/ndctl-enable-passphrase.txt
 create mode 100644 Documentation/ndctl/ndctl-freeze-security.txt
 create mode 100644 Documentation/ndctl/ndctl-sanitize-dimm.txt
 create mode 100644 Documentation/ndctl/ndctl-update-passphrase.txt
 create mode 100644 Documentation/ndctl/ndctl-wait-overwrite.txt
 create mode 100755 contrib/ndctl-loadkeys.sh
 create mode 100644 contrib/nvdimm_modprobe.conf
 create mode 100644 ndctl/lib/keys.c
 create mode 100755 test/security.sh

--

Comments

Jane Chu Jan. 11, 2019, 11:18 p.m. UTC | #1
Hi, Dave,

Where is your ndctl git tree that might clone from to test the
security features?

Thanks!
-jane

On 1/9/2019 9:53 AM, Dave Jiang wrote:
> The following series implements mechanisms that utilize the sysfs knobs
> provided by the kernel in order to support the Intel DSM v1.8 spec
> that provides security to NVDIMM. The following abilities are added:
> 1. display security state
> 2. enable/update passphrase
> 3. disable passphrase
> 4. freeze security
> 5. secure erase
> 6. overwrite
> 7. master passphrase enable/update
>
Verma, Vishal L Jan. 11, 2019, 11:36 p.m. UTC | #2
On Fri, 2019-01-11 at 15:18 -0800, Jane Chu wrote:
> Hi, Dave,
> 
> Where is your ndctl git tree that might clone from to test the
> security features?

Hi Jane,

I pushed out a for-v64-security branch with this (v7) series:

https://github.com/pmem/ndctl/tree/for-v64-security

I believe Dave plans to have v8 out early next week with a few changes,
most notably the loadkeys script becomes a first class ndctl command.

	-Vishal

> 
> Thanks!
> -jane
> 
> On 1/9/2019 9:53 AM, Dave Jiang wrote:
> > The following series implements mechanisms that utilize the sysfs
> > knobs
> > provided by the kernel in order to support the Intel DSM v1.8 spec
> > that provides security to NVDIMM. The following abilities are
> > added:
> > 1. display security state
> > 2. enable/update passphrase
> > 3. disable passphrase
> > 4. freeze security
> > 5. secure erase
> > 6. overwrite
> > 7. master passphrase enable/update
> > 
> 
> _______________________________________________
> Linux-nvdimm mailing list
> Linux-nvdimm@lists.01.org
> https://lists.01.org/mailman/listinfo/linux-nvdimm
Jane Chu Jan. 16, 2019, 6:02 p.m. UTC | #3
Hi, Vishal,

On 1/11/2019 3:36 PM, Verma, Vishal L wrote:
> On Fri, 2019-01-11 at 15:18 -0800, Jane Chu wrote:
>> Hi, Dave,
>>
>> Where is your ndctl git tree that might clone from to test the
>> security features?
> Hi Jane,
>
> I pushed out a for-v64-security branch with this (v7) series:
>
> https://github.com/pmem/ndctl/tree/for-v64-security
>
> I believe Dave plans to have v8 out early next week with a few changes,
> most notably the loadkeys script becomes a first class ndctl command.

Just thought I might get a quick answer here although I haven't
gone thru all my homework.

I'm seeing "FAIL: security.sh" from "make KVER=5.0.0 check" on a NVDIMM system,
the security.sh.log indicates

+ '[' '!' -f /usr/bin/keyctl ']'
+ '[' '!' -d /etc/ndctl/keys ']'
+ echo '/etc/ndctl/keys directory does not exist.'
/etc/ndctl/keys directory does not exist.
+ exit 1

Indeed, what step did I miss?

Thanks!
-jane

>
> 	-Vishal
>
>> Thanks!
>> -jane
>>
>> On 1/9/2019 9:53 AM, Dave Jiang wrote:
>>> The following series implements mechanisms that utilize the sysfs
>>> knobs
>>> provided by the kernel in order to support the Intel DSM v1.8 spec
>>> that provides security to NVDIMM. The following abilities are
>>> added:
>>> 1. display security state
>>> 2. enable/update passphrase
>>> 3. disable passphrase
>>> 4. freeze security
>>> 5. secure erase
>>> 6. overwrite
>>> 7. master passphrase enable/update
>>>
>> _______________________________________________
>> Linux-nvdimm mailing list
>> Linux-nvdimm@lists.01.org
>> https://lists.01.org/mailman/listinfo/linux-nvdimm
Verma, Vishal L Jan. 16, 2019, 6:04 p.m. UTC | #4
On Wed, 2019-01-16 at 10:02 -0800, Jane Chu wrote:

Hi, Vishal,


On 1/11/2019 3:36 PM, Verma, Vishal L wrote:

On Fri, 2019-01-11 at 15:18 -0800, Jane Chu wrote:


Hi, Dave,


Where is your ndctl git tree that might clone from to test the

security features?


Hi Jane,


I pushed out a for-v64-security branch with this (v7) series:


https://github.com/pmem/ndctl/tree/for-v64-security


I believe Dave plans to have v8 out early next week with a few changes,

most notably the loadkeys script becomes a first class ndctl command.

Just thought I might get a quick answer here although I haven't

gone thru all my homework.


I'm seeing "FAIL: security.sh" from "make KVER=5.0.0 check" on a NVDIMM system,

the security.sh.log indicates


+ '[' '!' -f /usr/bin/keyctl ']'

+ '[' '!' -d /etc/ndctl/keys ']'

+ echo '/etc/ndctl/keys directory does not exist.'

/etc/ndctl/keys directory does not exist.

+ exit 1


Indeed, what step did I miss?

Hi Jane,

I ran into a similar problem running the test, and indeed a few others after you fix this. We should have a new revision out soon that addresses these.

-Vishal
Dave Jiang Jan. 16, 2019, 8:19 p.m. UTC | #5
On 1/16/19 11:02 AM, Jane Chu wrote:
> Hi, Vishal,
> 
> On 1/11/2019 3:36 PM, Verma, Vishal L wrote:
>> On Fri, 2019-01-11 at 15:18 -0800, Jane Chu wrote:
>>> Hi, Dave,
>>>
>>> Where is your ndctl git tree that might clone from to test the
>>> security features?
>> Hi Jane,
>>
>> I pushed out a for-v64-security branch with this (v7) series:
>>
>> https://github.com/pmem/ndctl/tree/for-v64-security
>>
>> I believe Dave plans to have v8 out early next week with a few changes,
>> most notably the loadkeys script becomes a first class ndctl command.
> 
> Just thought I might get a quick answer here although I haven't 
> gone thru all my homework.
> 
> I'm seeing "FAIL: security.sh" from "make KVER=5.0.0 check" on a NVDIMM system,
> the security.sh.log indicates
> 
> + '[' '!' -f /usr/bin/keyctl ']'
> + '[' '!' -d /etc/ndctl/keys ']'
> + echo '/etc/ndctl/keys directory does not exist.'
> /etc/ndctl/keys directory does not exist.
> + exit 1
> 
> Indeed, what step did I miss?

Jane,
For now just go ahead and create the /etc/ndctl/keys directory to try
the test. Also, we discovered that the security test needs to be run as
a root user or sudo -i, just sudo will not do due to not having access
to the root user key ring. As Vishal said there's an update coming which
addresses several issues we found in the script.

> 
> Thanks!
> -jane
> 
>> 	-Vishal
>>
>>> Thanks!
>>> -jane
>>>
>>> On 1/9/2019 9:53 AM, Dave Jiang wrote:
>>>> The following series implements mechanisms that utilize the sysfs
>>>> knobs
>>>> provided by the kernel in order to support the Intel DSM v1.8 spec
>>>> that provides security to NVDIMM. The following abilities are
>>>> added:
>>>> 1. display security state
>>>> 2. enable/update passphrase
>>>> 3. disable passphrase
>>>> 4. freeze security
>>>> 5. secure erase
>>>> 6. overwrite
>>>> 7. master passphrase enable/update
>>>>
>>> _______________________________________________
>>> Linux-nvdimm mailing list
>>> Linux-nvdimm@lists.01.org
>>> https://lists.01.org/mailman/listinfo/linux-nvdimm
Jane Chu Jan. 16, 2019, 9:21 p.m. UTC | #6
On 1/16/2019 12:19 PM, Dave Jiang wrote:
> 
> 
> On 1/16/19 11:02 AM, Jane Chu wrote:
>> Hi, Vishal,
>>
>> On 1/11/2019 3:36 PM, Verma, Vishal L wrote:
>>> On Fri, 2019-01-11 at 15:18 -0800, Jane Chu wrote:
>>>> Hi, Dave,
>>>>
>>>> Where is your ndctl git tree that might clone from to test the
>>>> security features?
>>> Hi Jane,
>>>
>>> I pushed out a for-v64-security branch with this (v7) series:
>>>
>>> https://github.com/pmem/ndctl/tree/for-v64-security
>>>
>>> I believe Dave plans to have v8 out early next week with a few changes,
>>> most notably the loadkeys script becomes a first class ndctl command.
>>
>> Just thought I might get a quick answer here although I haven't
>> gone thru all my homework.
>>
>> I'm seeing "FAIL: security.sh" from "make KVER=5.0.0 check" on a NVDIMM system,
>> the security.sh.log indicates
>>
>> + '[' '!' -f /usr/bin/keyctl ']'
>> + '[' '!' -d /etc/ndctl/keys ']'
>> + echo '/etc/ndctl/keys directory does not exist.'
>> /etc/ndctl/keys directory does not exist.
>> + exit 1
>>
>> Indeed, what step did I miss?
> 
> Jane,
> For now just go ahead and create the /etc/ndctl/keys directory to try
> the test. Also, we discovered that the security test needs to be run as
> a root user or sudo -i, just sudo will not do due to not having access
> to the root user key ring. As Vishal said there's an update coming which
> addresses several issues we found in the script.

Thanks Dave!  Will try the trick with the upcoming update.

thanks,
-jane

>>
>> Thanks!
>> -jane
>>
>>> 	-Vishal
>>>
>>>> Thanks!
>>>> -jane
>>>>
>>>> On 1/9/2019 9:53 AM, Dave Jiang wrote:
>>>>> The following series implements mechanisms that utilize the sysfs
>>>>> knobs
>>>>> provided by the kernel in order to support the Intel DSM v1.8 spec
>>>>> that provides security to NVDIMM. The following abilities are
>>>>> added:
>>>>> 1. display security state
>>>>> 2. enable/update passphrase
>>>>> 3. disable passphrase
>>>>> 4. freeze security
>>>>> 5. secure erase
>>>>> 6. overwrite
>>>>> 7. master passphrase enable/update
>>>>>
>>>> _______________________________________________
>>>> Linux-nvdimm mailing list
>>>> Linux-nvdimm@lists.01.org
>>>> https://lists.01.org/mailman/listinfo/linux-nvdimm