@@ -18,6 +18,58 @@
#include "intel.h"
#include "nfit.h"
+static int intel_dimm_security_disable(struct nvdimm_bus *nvdimm_bus,
+ struct nvdimm *nvdimm, const struct nvdimm_key_data *nkey)
+{
+ struct nvdimm_bus_descriptor *nd_desc = to_nd_desc(nvdimm_bus);
+ int cmd_rc, rc = 0;
+ struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
+ struct {
+ struct nd_cmd_pkg pkg;
+ struct nd_intel_disable_passphrase cmd;
+ } nd_cmd = {
+ .pkg = {
+ .nd_command = NVDIMM_INTEL_DISABLE_PASSPHRASE,
+ .nd_family = NVDIMM_FAMILY_INTEL,
+ .nd_size_in = ND_INTEL_PASSPHRASE_SIZE,
+ .nd_size_out = ND_INTEL_STATUS_SIZE,
+ .nd_fw_size = ND_INTEL_STATUS_SIZE,
+ },
+ .cmd = {
+ .status = 0,
+ },
+ };
+
+ if (!test_bit(NVDIMM_INTEL_DISABLE_PASSPHRASE, &nfit_mem->dsm_mask))
+ return -ENOTTY;
+
+ memcpy(nd_cmd.cmd.passphrase, nkey->data,
+ sizeof(nd_cmd.cmd.passphrase));
+ rc = nd_desc->ndctl(nd_desc, nvdimm, ND_CMD_CALL, &nd_cmd,
+ sizeof(nd_cmd), &cmd_rc);
+ if (rc < 0)
+ goto out;
+ if (cmd_rc < 0) {
+ rc = cmd_rc;
+ goto out;
+ }
+
+ switch (nd_cmd.cmd.status) {
+ case 0:
+ break;
+ case ND_INTEL_STATUS_INVALID_PASS:
+ rc = -EINVAL;
+ goto out;
+ case ND_INTEL_STATUS_INVALID_STATE:
+ default:
+ rc = -ENXIO;
+ goto out;
+ }
+
+ out:
+ return rc;
+}
+
/*
* The update passphrase takes the old passphrase and the new passphrase
* and send those to the nvdimm. The nvdimm will verify the old
@@ -217,4 +269,5 @@ const struct nvdimm_security_ops intel_security_ops = {
.state = intel_dimm_security_state,
.unlock = intel_dimm_security_unlock,
.change_key = intel_dimm_security_update_passphrase,
+ .disable = intel_dimm_security_disable,
};
@@ -160,6 +160,7 @@ struct key *nvdimm_get_and_verify_key(struct device *dev,
if (rc < 0)
key = ERR_PTR(rc);
return key;
+
}
static int nvdimm_check_key_len(unsigned short len)
@@ -182,6 +183,57 @@ int nvdimm_security_get_state(struct device *dev)
&nvdimm->state);
}
+static int nvdimm_security_disable(struct device *dev, unsigned int keyid)
+{
+ struct nvdimm *nvdimm = to_nvdimm(dev);
+ struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
+ struct key *key;
+ int rc;
+ struct user_key_payload *payload;
+ bool is_userkey = false;
+
+ if (!nvdimm->security_ops)
+ return -EOPNOTSUPP;
+
+ if (nvdimm->state == NVDIMM_SECURITY_UNSUPPORTED)
+ return -EOPNOTSUPP;
+
+ /* look for a key from keyring if exists and remove */
+ key = nvdimm_get_and_verify_key(dev, old_keyid);
+ if (IS_ERR(old_key))
+ return PTR_ERR(old_key);
+ if (!key) {
+ /* get old user key */
+ key = nvdimm_lookup_user_key(dev, keyid);
+ if (!key)
+ return -ENOKEY;
+ is_userkey = true;
+ }
+
+ down_read(&key->sem);
+ payload = key->payload.data[0];
+
+ rc = nvdimm->security_ops->disable(nvdimm_bus, nvdimm,
+ (void *)payload->data);
+ up_read(&key->sem);
+ if (rc < 0) {
+ dev_warn(dev, "unlock failed\n");
+ goto out;
+ }
+
+ /* If we succeed then remove the key */
+ if (!is_userkey) {
+ key_unlink(nvdimm_keyring, key);
+ key_invalidate(key);
+ nvdimm->key = NULL;
+ }
+
+ out:
+ key_put(key);
+ nvdimm_security_get_state(dev);
+ return rc;
+}
+
int nvdimm_security_unlock_dimm(struct device *dev)
{
struct nvdimm *nvdimm = to_nvdimm(dev);
@@ -739,6 +791,9 @@ static ssize_t security_store(struct device *dev,
if (sysfs_streq(cmd, "update")) {
dev_dbg(dev, "update %u %u\n", old_key, new_key);
rc = nvdimm_security_change_key(dev, old_key, new_key);
+ } else if (sysfs_streq(cmd, "disable")) {
+ dev_dbg(dev, "disable %u\n", old_key);
+ rc = nvdimm_security_disable(dev, old_key);
} else
return -EINVAL;
@@ -182,6 +182,9 @@ struct nvdimm_security_ops {
struct nvdimm *nvdimm,
const struct nvdimm_key_data *old_data,
const struct nvdimm_key_data *new_data);
+ int (*disable)(struct nvdimm_bus *nvdimm_bus,
+ struct nvdimm *nvdimm,
+ const struct nvdimm_key_data *nkey);
};
void badrange_init(struct badrange *badrange);