Message ID | 154777861562.42557.12388414625709189905.stgit@djiang5-desk3.ch.intel.com (mailing list archive) |
---|---|
Series | ndctl: add security support |
On 1/17/19 7:38 PM, Dave Jiang wrote:
> The following series implements mechanisms that utilize the sysfs knobs
> provided by the kernel in order to support the Intel DSM v1.8 spec
> that provides security to NVDIMM. The following abilities are added:
> 1. display security state
> 2. enable/update passphrase
> 3. disable passphrase
> 4. freeze security
> 5. secure erase
> 6. overwrite
> 7. master passphrase enable/update
>
> v9:
> - Add install-encrypt-key command. (Dan)
> - Change enable-passphrase to setup-passphrase. (Dan)
> - Change disable-passphrase to remove-passphrase. (Dan)
> - Change ndctl_dimm_get_security() to return state directly and remove
>   ndctl_dimm_security_supported(). (Dan)
> - Remove ND_SECURITY_UNSUPPORTED state
> - change ND_SECURITY_* to NDCTL_SECURITY_*
> - Fix man page issues (Dan, Jane)
> - Define NDCTL_KEYSDIR in config.h (Dan)
> - Break check_key_run_and_discard() to 3 helper functions. (Dan)
> - Remove key path input parameter. (Dan)
> - Remove master key input parameter. (Dan)
> - Fixup various issues in security unit test script. (Vishal)

Left out one thing:
- Moved the load key script to an ndctl command load-keys. (Dan)

>
> v8:
> - Additional cleanup on test script. (Vishal)
> - Change load-keys script into internal command for ndctl. (Dan)
>
> v7:
> - Added option to provide path to key directory. (Vishal)
> - Cleaned up shell scripts. (Vishal)
> - Cleaned up documentation. (Vishal)
> - Addressed various comments from Vishal.
>
> v6:
> - Fix spelling and grammar errors for documentation. (Jing)
> - Change bool for indicate master passphrase and old passphrase to enum.
> - Fix key load script master key name.
> - Update to match v15 of kernel patch series.
>
> v5:
> - Updated to match latest kernel interface (encrypted keys)
> - Added overwrite support
> - Added support for DSM v1.8 master passphrase operations
> - Removed upcall related code
> - Moved security state to enum (Dan)
> - Change security output "security_state" to just "security". (Dan)
> - Break out enable and update passphrase operation. (Dan)
> - Security build can be compiled out when keyutils does not exist. (Dan)
> - Move all keyutils related operations to libndctl. (Dan)
>
> v4:
> - Updated to match latest kernel interface.
> - Added unit test for all security calls
>
> v3:
> - Added support to inject keys in order to update nvdimm security.
>
> v2:
> - Fixup the upcall util to match recent kernel updates for nvdimm security.
>
> ---
>
> Dave Jiang (13):
>       ndctl: add support for display security state
>       ndctl: add command for ndctl to receive the key encryption key (master)
>       ndctl: add passphrase update to ndctl
>       ndctl: add disable security support
>       ndctl: add support for freeze security
>       ndctl: add support for sanitize dimm
>       ndctl: add unit test for security ops (minus overwrite)
>       ndctl: add modprobe conf file and load-keys ndctl command
>       ndctl: add overwrite operation support
>       ndctl: add wait-overwrite support
>       ndctl: master phassphrase management support
>       ndctl: add master secure erase support
>       ndctl: documentation for security and key management
>
>
>  Documentation/ndctl/Makefile.am                   |   10
>  Documentation/ndctl/intel-nvdimm-security.txt     |  139 +++++
>  Documentation/ndctl/ndctl-freeze-security.txt     |   60 ++
>  Documentation/ndctl/ndctl-install-encrypt-key.txt |   31 +
>  Documentation/ndctl/ndctl-list.txt                |    8
>  Documentation/ndctl/ndctl-load-keys.txt           |   43 ++
>  Documentation/ndctl/ndctl-remove-passphrase.txt   |   28 +
>  Documentation/ndctl/ndctl-sanitize-dimm.txt       |   48 ++
>  Documentation/ndctl/ndctl-setup-passphrase.txt    |   41 +
>  Documentation/ndctl/ndctl-update-passphrase.txt   |   43 ++
>  Documentation/ndctl/ndctl-wait-overwrite.txt      |   31 +
>  Makefile.am                                       |    4
>  configure.ac                                      |   17 +
>  contrib/nvdimm-security.conf                      |    1
>  ndctl.spec.in                                     |    3
>  ndctl/Makefile.am                                 |    5
>  ndctl/builtin.h                                   |    8
>  ndctl/dimm.c                                      |  232 ++++++++
>  ndctl/kek.c                                       |  133 +++++
>  ndctl/lib/Makefile.am                             |    8
>  ndctl/lib/dimm.c                                  |  183 +++++++
>  ndctl/lib/keys.c                                  |  581 +++++++++++++++++++++
>  ndctl/lib/libndctl.c                              |   31 +
>  ndctl/lib/libndctl.sym                            |   16 +
>  ndctl/lib/private.h                               |    1
>  ndctl/libndctl.h                                  |   79 +++
>  ndctl/load-keys.c                                 |  257 +++++++++
>  ndctl/ndctl.c                                     |    8
>  test/Makefile.am                                  |    4
>  test/security.sh                                  |  223 ++++++++
>  util/json.c                                       |   17 +
>  31 files changed, 2280 insertions(+), 13 deletions(-)
>  create mode 100644 Documentation/ndctl/intel-nvdimm-security.txt
>  create mode 100644 Documentation/ndctl/ndctl-freeze-security.txt
>  create mode 100644 Documentation/ndctl/ndctl-install-encrypt-key.txt
>  create mode 100644 Documentation/ndctl/ndctl-load-keys.txt
>  create mode 100644 Documentation/ndctl/ndctl-remove-passphrase.txt
>  create mode 100644 Documentation/ndctl/ndctl-sanitize-dimm.txt
>  create mode 100644 Documentation/ndctl/ndctl-setup-passphrase.txt
>  create mode 100644 Documentation/ndctl/ndctl-update-passphrase.txt
>  create mode 100644 Documentation/ndctl/ndctl-wait-overwrite.txt
>  create mode 100644 contrib/nvdimm-security.conf
>  create mode 100644 ndctl/kek.c
>  create mode 100644 ndctl/lib/keys.c
>  create mode 100644 ndctl/load-keys.c
>  create mode 100755 test/security.sh
>
> --
>