From patchwork Wed Jan 9 17:54:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Jiang X-Patchwork-Id: 10754723 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6731014E5 for ; Wed, 9 Jan 2019 17:54:11 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 582B6284E8 for ; Wed, 9 Jan 2019 17:54:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4BF2828509; Wed, 9 Jan 2019 17:54:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from ml01.01.org (ml01.01.org [198.145.21.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id A06BC284E8 for ; Wed, 9 Jan 2019 17:54:10 +0000 (UTC) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 94415211B5A3F; Wed, 9 Jan 2019 09:54:10 -0800 (PST) X-Original-To: linux-nvdimm@lists.01.org Delivered-To: linux-nvdimm@lists.01.org Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.151; helo=mga17.intel.com; envelope-from=dave.jiang@intel.com; receiver=linux-nvdimm@lists.01.org Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id CAE47211AEA4E for ; Wed, 9 Jan 2019 09:54:08 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Jan 2019 09:54:08 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,458,1539673200"; d="scan'208";a="133100941" Received: from djiang5-desk3.ch.intel.com ([143.182.136.93]) by fmsmga002.fm.intel.com with ESMTP; 09 Jan 2019 09:54:08 -0800 Subject: [PATCH v7 03/12] ndctl: add disable security support From: Dave Jiang To: vishal.l.verma@intel.com, dan.j.williams@intel.com Date: Wed, 09 Jan 2019 10:54:08 -0700 Message-ID: <154705644837.23227.5730479339395960908.stgit@djiang5-desk3.ch.intel.com> In-Reply-To: <154705633843.23227.15903675663299735878.stgit@djiang5-desk3.ch.intel.com> References: <154705633843.23227.15903675663299735878.stgit@djiang5-desk3.ch.intel.com> User-Agent: StGit/unknown-version MIME-Version: 1.0 X-BeenThere: linux-nvdimm@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Linux-nvdimm developer list." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-nvdimm@lists.01.org Errors-To: linux-nvdimm-bounces@lists.01.org Sender: "Linux-nvdimm" X-Virus-Scanned: ClamAV using ClamSMTP Add support for disable security to libndctl and also command line option of "disable-passphrase" for ndctl. This provides a way to disable security on the nvdimm. Signed-off-by: Dave Jiang --- Documentation/ndctl/Makefile.am | 3 +- Documentation/ndctl/ndctl-disable-passphrase.txt | 32 +++++++++++++++++++ ndctl/builtin.h | 1 + ndctl/dimm.c | 38 ++++++++++++++++++++-- ndctl/lib/dimm.c | 9 +++++ ndctl/lib/keys.c | 29 +++++++++++++++++ ndctl/lib/libndctl.sym | 2 + ndctl/libndctl.h | 8 +++++ ndctl/ndctl.c | 1 + 9 files changed, 119 insertions(+), 4 deletions(-) create mode 100644 Documentation/ndctl/ndctl-disable-passphrase.txt diff --git a/Documentation/ndctl/Makefile.am b/Documentation/ndctl/Makefile.am index 7ad6666b..31570a77 100644 --- a/Documentation/ndctl/Makefile.am +++ b/Documentation/ndctl/Makefile.am @@ -49,7 +49,8 @@ man1_MANS = \ ndctl-list.1 \ ndctl-monitor.1 \ ndctl-enable-passphrase.1 \ - ndctl-update-passphrase.1 + ndctl-update-passphrase.1 \ + ndctl-disable-passphrase.1 CLEANFILES = $(man1_MANS) diff --git a/Documentation/ndctl/ndctl-disable-passphrase.txt b/Documentation/ndctl/ndctl-disable-passphrase.txt new file mode 100644 index 00000000..3c8bfe47 --- /dev/null +++ b/Documentation/ndctl/ndctl-disable-passphrase.txt @@ -0,0 +1,32 @@ +// SPDX-License-Identifier: GPL-2.0 + +ndctl-disable-passphrase(1) +=========================== + +NAME +---- +ndctl-disable-passphrase - disabling passphrase for an NVDIMM + +SYNOPSIS +-------- +[verse] +'ndctl disable-passphrase' [] + +DESCRIPTION +----------- +Provide a generic interface for disabling passphrase for NVDIMM. +Ndctl will search the user key ring for the associated DIMM. If no key is +found, it will attempt to load the key blob from the expected location. Ndctl +will remove the key and the key blob once passphrase is disabled. + +OPTIONS +------- +:: +include::xable-dimm-options.txt[] + +-p:: +--key-path=:: + Path to where key related files resides. This parameter is optional + and the default is set to /etc/ndctl/keys. + +include::../copyright.txt[] diff --git a/ndctl/builtin.h b/ndctl/builtin.h index 231fda25..821ea690 100644 --- a/ndctl/builtin.h +++ b/ndctl/builtin.h @@ -34,4 +34,5 @@ int cmd_update_firmware(int argc, const char **argv, struct ndctl_ctx *ctx); int cmd_inject_smart(int argc, const char **argv, struct ndctl_ctx *ctx); int cmd_passphrase_setup(int argc, const char **argv, struct ndctl_ctx *ctx); int cmd_passphrase_update(int argc, const char **argv, struct ndctl_ctx *ctx); +int cmd_disable_passphrase(int argc, const char **argv, struct ndctl_ctx *ctx); #endif /* _NDCTL_BUILTIN_H_ */ diff --git a/ndctl/dimm.c b/ndctl/dimm.c index 1ab6b29f..4f0466a1 100644 --- a/ndctl/dimm.c +++ b/ndctl/dimm.c @@ -864,6 +864,18 @@ static int action_key_update(struct ndctl_dimm *dimm, param.key_path); } +static int action_passphrase_disable(struct ndctl_dimm *dimm, + struct action_context *actx) +{ + if (!ndctl_dimm_security_supported(dimm)) { + error("%s: security operation not supported\n", + ndctl_dimm_get_devname(dimm)); + return -EOPNOTSUPP; + } + + return ndctl_dimm_disable_key(dimm, param.key_path); +} + static int __action_init(struct ndctl_dimm *dimm, enum ndctl_namespace_version version, int chk_only) { @@ -953,12 +965,14 @@ OPT_BOOLEAN('f', "force", ¶m.force, \ OPT_STRING('V', "label-version", ¶m.labelversion, "version-number", \ "namespace label specification version (default: 1.1)") -#define KEY_OPTIONS() \ -OPT_STRING('m', "master-key", ¶m.master_key, ":", \ - "master key for security"), \ +#define KEY_BASE_OPTIONS() \ OPT_FILENAME('p', "key-path", ¶m.key_path, "key-path", \ "override the default key path") +#define KEY_OPTIONS() \ +OPT_STRING('m', "master-key", ¶m.master_key, ":", \ + "master key for security") + static const struct option read_options[] = { BASE_OPTIONS(), READ_OPTIONS(), @@ -988,8 +1002,15 @@ static const struct option init_options[] = { OPT_END(), }; +static const struct option key_base_options[] = { + BASE_OPTIONS(), + KEY_BASE_OPTIONS(), + OPT_END(), +}; + static const struct option key_options[] = { BASE_OPTIONS(), + KEY_BASE_OPTIONS(), KEY_OPTIONS(), OPT_END(), }; @@ -1253,3 +1274,14 @@ int cmd_passphrase_setup(int argc, const char **argv, struct ndctl_ctx *ctx) count > 1 ? "s" : ""); return count >= 0 ? 0 : EXIT_FAILURE; } + +int cmd_disable_passphrase(int argc, const char **argv, void *ctx) +{ + int count = dimm_action(argc, argv, ctx, action_passphrase_disable, + key_base_options, + "ndctl disable-passphrase [..] []"); + + fprintf(stderr, "passphrase disabled %d nmem%s.\n", count >= 0 ? count : 0, + count > 1 ? "s" : ""); + return count >= 0 ? 0 : EXIT_FAILURE; +} diff --git a/ndctl/lib/dimm.c b/ndctl/lib/dimm.c index b64c9568..076ccbf6 100644 --- a/ndctl/lib/dimm.c +++ b/ndctl/lib/dimm.c @@ -663,3 +663,12 @@ NDCTL_EXPORT int ndctl_dimm_update_passphrase(struct ndctl_dimm *dimm, sprintf(buf, "update %ld %ld\n", ckey, nkey); return write_security(dimm, buf); } + +NDCTL_EXPORT int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm, + long key) +{ + char buf[SYSFS_ATTR_SIZE]; + + sprintf(buf, "disable %ld\n", key); + return write_security(dimm, buf); +} diff --git a/ndctl/lib/keys.c b/ndctl/lib/keys.c index d6eb2690..2bfc7a05 100644 --- a/ndctl/lib/keys.c +++ b/ndctl/lib/keys.c @@ -392,3 +392,32 @@ NDCTL_EXPORT int ndctl_dimm_update_key(struct ndctl_dimm *dimm, return 0; } + +NDCTL_EXPORT int ndctl_dimm_disable_key(struct ndctl_dimm *dimm, + const char *keypath) +{ + struct ndctl_ctx *ctx = ndctl_dimm_get_ctx(dimm); + key_serial_t key; + int rc; + + key = dimm_check_key(dimm, false); + if (key < 0) { + key = dimm_load_key(dimm, false, keypath); + if (key < 0) { + err(ctx, "Unable to load key\n"); + return -ENOKEY; + } + } + + rc = ndctl_dimm_disable_passphrase(dimm, key); + if (rc < 0) { + err(ctx, "Failed to disable security for %s\n", + ndctl_dimm_get_devname(dimm)); + return rc; + } + + rc = dimm_remove_key(dimm, false, keypath); + if (rc < 0) + err(ctx, "Unable to cleanup key.\n"); + return 0; +} diff --git a/ndctl/lib/libndctl.sym b/ndctl/lib/libndctl.sym index a790b1ea..90038e75 100644 --- a/ndctl/lib/libndctl.sym +++ b/ndctl/lib/libndctl.sym @@ -393,4 +393,6 @@ global: ndctl_dimm_enable_key; ndctl_dimm_update_key; ndctl_dimm_update_passphrase; + ndctl_dimm_disable_passphrase; + ndctl_dimm_disable_key; } LIBNDCTL_18; diff --git a/ndctl/libndctl.h b/ndctl/libndctl.h index 87384f71..cb58f89c 100644 --- a/ndctl/libndctl.h +++ b/ndctl/libndctl.h @@ -701,6 +701,7 @@ int ndctl_dimm_get_security(struct ndctl_dimm *dimm, bool ndctl_dimm_security_supported(struct ndctl_dimm *dimm); int ndctl_dimm_update_passphrase(struct ndctl_dimm *dimm, long ckey, long nkey); +int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm, long key); enum ndctl_key_type { ND_USER_KEY, @@ -712,6 +713,7 @@ int ndctl_dimm_enable_key(struct ndctl_dimm *dimm, const char *master, const char *keypath); int ndctl_dimm_update_key(struct ndctl_dimm *dimm, const char *master, const char *keypath); +int ndctl_dimm_disable_key(struct ndctl_dimm *dimm, const char *keypath); #else static inline int ndctl_dimm_enable_key(struct ndctl_dimm *dimm, const char *master, const char *keypath) @@ -724,6 +726,12 @@ static inline int ndctl_dimm_update_key(struct ndctl_dimm *dimm, { return -EOPNOTSUPP; } + +static inline int ndctl_dimm_disable_key(struct ndctl_dimm *dimm, + const char *keypath) +{ + return -EOPNOTSUPP; +} #endif #ifdef __cplusplus diff --git a/ndctl/ndctl.c b/ndctl/ndctl.c index 9d109b34..21f1b834 100644 --- a/ndctl/ndctl.c +++ b/ndctl/ndctl.c @@ -90,6 +90,7 @@ static struct cmd_struct commands[] = { { "start-scrub", { cmd_start_scrub } }, { "enable-passphrase", { cmd_passphrase_setup } }, { "update-passphrase", { cmd_passphrase_update } }, + { "disable-passphrase", { cmd_disable_passphrase } }, { "list", { cmd_list } }, { "monitor", { cmd_monitor } }, { "help", { cmd_help } },