From patchwork Fri Mar 22 11:51:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Blazej Kucman X-Patchwork-Id: 13600011 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B8E293F9C0 for ; Fri, 22 Mar 2024 11:51:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.19 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108311; cv=none; b=TAteYpwR9ELiAzDjXFLjMbAg/mCUzvEgqCAsEmBwPBj+NwSEVuzIoqnbTfpUH7SUH9wr8RUpnDQ6HTLCpzEKxf9mg/dbXIUC9dL45+UHDXgdpka0p5Nv5qOv+laSn2YfhaZ1PYw9wr0txZ7pV9pVggu8hzQ6tS6YLkvdkqyWJlc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108311; c=relaxed/simple; bh=0V1Ho/wA7BnhZr/EM+OYxDgjeqa6nimIDoRlnbDCwuQ=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=azZIPZuSFIHjcs8q9rT0BwF5P1ZvnDPpKkuU+SD+LVp3Wl0QH8czZQPTX/PfoS4dR3Lw3Eb7/KF2vuNW3GVmKkRmGB40nJDOvFcbbHMmmVpPpIU+Hq9X0S6ZBaFfDuzBDvEc0iQj8qBcHs6VTktKKO+rUVz4hADUi53F4mrDaDc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=kYAo8VLd; arc=none smtp.client-ip=192.198.163.19 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="kYAo8VLd" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1711108310; x=1742644310; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=0V1Ho/wA7BnhZr/EM+OYxDgjeqa6nimIDoRlnbDCwuQ=; b=kYAo8VLdB0UlegMDdK2cauFfY2OJO7db7kGwwzd90cRL/ot5SA3z+qYi YRgCtPcbVeJQp5krmjfd1jQHXwXMfKhn1xhB876iuTFD//b+F0miBpr35 9P6Ssekyx776IWI26cX9bG1asz7fpBoN+C9YgzhwawCJEPQHhyA3iFdOR 5yg0xXS4ALQbRe17KMi4/Lthi0yCGYYvpIjTeI2K1leVVThj1XEfOtfTt T0k4/3L1rl1iefsvQkPBF787XskOUUvo5aNn4H9B8m8BKFslHPrxUYijv 7Kb7gvHv8+hzchSSvQS6XuN8L4lVDu0/DLYNVxqhQ894XXBrdRcrN7u+i g==; X-IronPort-AV: E=McAfee;i="6600,9927,11020"; a="6006790" X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="6006790" Received: from fmviesa001.fm.intel.com ([10.60.135.141]) by fmvoesa113.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Mar 2024 04:51:49 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="46001007" Received: from linux-myjy.igk.intel.com ([10.102.108.92]) by fmviesa001.fm.intel.com with ESMTP; 22 Mar 2024 04:51:48 -0700 From: Blazej Kucman To: mariusz.tkaczyk@linux.intel.com, jes@trained-monkey.org Cc: linux-raid@vger.kernel.org Subject: [PATCH v2 1/6] mdadm: Move pr_vrb define to mdadm.h Date: Fri, 22 Mar 2024 12:51:15 +0100 Message-Id: <20240322115120.12325-2-blazej.kucman@intel.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20240322115120.12325-1-blazej.kucman@intel.com> References: <20240322115120.12325-1-blazej.kucman@intel.com> Precedence: bulk X-Mailing-List: linux-raid@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move pr_vrb define from super-intel.c to mdadm.h to make it widely available. This change will be used in the next patches. Signed-off-by: Blazej Kucman --- mdadm.h | 2 ++ super-intel.c | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mdadm.h b/mdadm.h index 3fedca48..141adbd7 100644 --- a/mdadm.h +++ b/mdadm.h @@ -1912,6 +1912,8 @@ static inline int xasprintf(char **strp, const char *fmt, ...) { #define pr_info(fmt, args...) printf("%s: "fmt, Name, ##args) +#define pr_vrb(fmt, arg...) ((void)(verbose && pr_err(fmt, ##arg))) + void *xmalloc(size_t len); void *xrealloc(void *ptr, size_t len); void *xcalloc(size_t num, size_t size); diff --git a/super-intel.c b/super-intel.c index 77140455..806b6248 100644 --- a/super-intel.c +++ b/super-intel.c @@ -393,8 +393,6 @@ struct md_list { struct md_list *next; }; -#define pr_vrb(fmt, arg...) (void) (verbose && pr_err(fmt, ##arg)) - static __u8 migr_type(struct imsm_dev *dev) { if (dev->vol.migr_type == MIGR_VERIFY && From patchwork Fri Mar 22 11:51:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Blazej Kucman X-Patchwork-Id: 13600012 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB2B43F9E8 for ; Fri, 22 Mar 2024 11:51:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.19 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108313; cv=none; b=NWZy7GA+1R/HQUnz0/mMQvPHaLBFlzbNa4QljP/aLxeyu0uCJPx9T+7E0c42kREjp4PZ1RRUTeBXZilFg+hgxp5wVi6rmQx8/BDM0zfaRNuyfJCKd1Mpe8DNe4L1Lf0OsJxczNpNwccfCyD428baxr3MJUWmJgFMUhw5WpxktdQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108313; c=relaxed/simple; bh=jbR7VCBIREt872zV++70LRHxEMVxyAZR1+fV3Rww5DE=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=jBhQd8L41nWRj0LyQ5eMMfvE5yta3o4NcgcJnZXs1MDLRqJSIwuWAwhEDLPfJwxgeKoqql69LKWdUXFiR41xHBMigaDeCTbqG3oeglJb7GmloHiUTrqMZ6mhK9EAUYSoCA2cyL+DLhabCGHHBy0ZwTt6mUbdjQNrtxNKtvKcKIs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=Gyz5NIjt; arc=none smtp.client-ip=192.198.163.19 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="Gyz5NIjt" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1711108311; x=1742644311; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=jbR7VCBIREt872zV++70LRHxEMVxyAZR1+fV3Rww5DE=; b=Gyz5NIjtVWLN/n/dFP3M9z89Ev+aRceSHn79Y/yk3NsKk+UGzESYHkKR jP5KBnRasCtdorMI5mJN1+YLFJ7VIZGfLNlA+j8t8IiSqa24/UKAp+wm1 20ufQWK8Vu1zwBj9ngKtugeOV6pLbodxFTg0SS666z7XObHtc7Xd+4mdY XbwWhmyTH9ds/4skfgDCxOCwsQjveBHhCris5zE7K12WtBLoQMvPyyaJW BBe1mNVMr5lqU0FRMcDm4QBJbZvHhdnFruQTEX5wZX23XlLRv81RavV0l f2qYd+rvuFJ92IF9J/SDVvC93C4zOMIuTAhdYUjowcTABmJEViX5msRtV g==; X-IronPort-AV: E=McAfee;i="6600,9927,11020"; a="6006796" X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="6006796" Received: from fmviesa001.fm.intel.com ([10.60.135.141]) by fmvoesa113.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Mar 2024 04:51:51 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="46001009" Received: from linux-myjy.igk.intel.com ([10.102.108.92]) by fmviesa001.fm.intel.com with ESMTP; 22 Mar 2024 04:51:49 -0700 From: Blazej Kucman To: mariusz.tkaczyk@linux.intel.com, jes@trained-monkey.org Cc: linux-raid@vger.kernel.org Subject: [PATCH v2 2/6] Add reading Opal NVMe encryption information Date: Fri, 22 Mar 2024 12:51:16 +0100 Message-Id: <20240322115120.12325-3-blazej.kucman@intel.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20240322115120.12325-1-blazej.kucman@intel.com> References: <20240322115120.12325-1-blazej.kucman@intel.com> Precedence: bulk X-Mailing-List: linux-raid@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 For NVMe devices with Opal support, encryption information, status and ability are determined based on Opal Level 0 discovery response. Technical documentation used is given in the implementation. Ability in general describes what type of encryption is supported, Status describes in what state the disk with encryption support is. The current patch includes only the implementation of reading encryption information, functions will be used in one of the next patches. Motivation for adding this functionality is to block mixing of disks in IMSM arrays with encryption enabled and disabled. The main goal is to not allow stealing data by rebuilding array to not encrypted drive which can be read elsewhere. Value ENA_OTHER from enum encryption_ability will be used in the next patch. Signed-off-by: Blazej Kucman --- Makefile | 4 +- drive_encryption.c | 362 +++++++++++++++++++++++++++++++++++++++++++++ drive_encryption.h | 32 ++++ 3 files changed, 396 insertions(+), 2 deletions(-) create mode 100644 drive_encryption.c create mode 100644 drive_encryption.h diff --git a/Makefile b/Makefile index cbdba49a..7c221a89 100644 --- a/Makefile +++ b/Makefile @@ -170,7 +170,7 @@ OBJS = mdadm.o config.o policy.o mdstat.o ReadMe.o uuid.o util.o maps.o lib.o u mdopen.o super0.o super1.o super-ddf.o super-intel.o bitmap.o \ super-mbr.o super-gpt.o \ restripe.o sysfs.o sha1.o mapfile.o crc32.o sg_io.o msg.o xmalloc.o \ - platform-intel.o probe_roms.o crc32c.o + platform-intel.o probe_roms.o crc32c.o drive_encryption.o CHECK_OBJS = restripe.o uuid.o sysfs.o maps.o lib.o xmalloc.o dlink.o @@ -183,7 +183,7 @@ MON_OBJS = mdmon.o monitor.o managemon.o uuid.o util.o maps.o mdstat.o sysfs.o c Kill.o sg_io.o dlink.o ReadMe.o super-intel.o \ super-mbr.o super-gpt.o \ super-ddf.o sha1.o crc32.o msg.o bitmap.o xmalloc.o \ - platform-intel.o probe_roms.o crc32c.o + platform-intel.o probe_roms.o crc32c.o drive_encryption.o MON_SRCS = $(patsubst %.o,%.c,$(MON_OBJS)) diff --git a/drive_encryption.c b/drive_encryption.c new file mode 100644 index 00000000..b44585a7 --- /dev/null +++ b/drive_encryption.c @@ -0,0 +1,362 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Read encryption information for Opal and ATA devices. + * + * Copyright (C) 2024 Intel Corporation + * Author: Blazej Kucman + */ + +#include "mdadm.h" + +#include +#include +#include "drive_encryption.h" + +/* + * Opal defines + * TCG Storage Opal SSC 2.01 chapter 3.3.3 + * NVM ExpressTM Revision 1.4c, chapter 5 + */ +#define TCG_SECP_01 (0x01) +#define TCG_SECP_00 (0x00) +#define OPAL_DISCOVERY_COMID (0x0001) +#define OPAL_LOCKING_FEATURE (0x0002) +#define OPAL_IO_BUFFER_LEN 2048 +#define OPAL_DISCOVERY_FEATURE_HEADER_LEN (4) + +/* + * NVMe defines + * NVM ExpressTM Revision 1.4c, chapter 5 + */ +#define NVME_SECURITY_RECV (0x82) +#define NVME_IDENTIFY (0x06) +#define NVME_IDENTIFY_RESPONSE_LEN 4096 +#define NVME_OACS_BYTE_POSITION (256) +#define NVME_IDENTIFY_CONTROLLER_DATA (1) + +typedef enum drive_feature_support_status { + /* Drive feature is supported. */ + DRIVE_FEAT_SUP_ST = 0, + /* Drive feature is not supported. */ + DRIVE_FEAT_NOT_SUP_ST, + /* Drive feature support check failed. */ + DRIVE_FEAT_CHECK_FAILED_ST +} drive_feat_sup_st; + +/* TCG Storage Opal SSC 2.01 chapter 3.1.1.3 */ +typedef struct opal_locking_feature { + /* feature header */ + __u16 feature_code; + __u8 reserved : 4; + __u8 version : 4; + __u8 description_length; + /* feature description */ + __u8 locking_supported : 1; + __u8 locking_enabled : 1; + __u8 locked : 1; + __u8 media_encryption : 1; + __u8 mbr_enabled : 1; + __u8 mbr_done : 1; + __u8 mbr_shadowing_not_supported : 1; + __u8 hw_reset_for_dor_supported : 1; + __u8 reserved1[11]; +} __attribute__((__packed__)) opal_locking_feature_t; + +/* TCG Storage Opal SSC 2.01 chapter 3.1.1.1 */ +typedef struct opal_level0_header { + __u32 length; + __u32 version; + __u64 reserved; + __u8 vendor_specific[32]; +} opal_level0_header_t; + +/** + * NVM ExpressTM Revision 1.4c, Figure 249 + * Structure specifies only OACS filed, which is needed in the current use case. + */ +typedef struct nvme_identify_ctrl { + __u8 reserved[255]; + __u16 oacs; + __u8 reserved2[3839]; +} nvme_identify_ctrl_t; + +/* SCSI Primary Commands - 4 (SPC-4), Table 512 */ +typedef struct supported_security_protocols { + __u8 reserved[6]; + __u16 list_length; + __u8 list[504]; +} supported_security_protocols_t; + +/** + * get_opal_locking_feature_description() - get opal locking feature description. + * @response: response from Opal Discovery Level 0. + * + * Based on the documentation TCG Storage Opal SSC 2.01 chapter 3.1.1, + * a Locking feature is searched for in Opal Level 0 Discovery response. + * + * Return: if locking feature is found, pointer to struct %opal_locking_feature_t, NULL otherwise. + */ +static opal_locking_feature_t *get_opal_locking_feature_description(__u8 *response) +{ + opal_level0_header_t *response_header = (opal_level0_header_t *)response; + int features_length = __be32_to_cpu(response_header->length); + int current_position = sizeof(*response_header); + + while (current_position < features_length) { + opal_locking_feature_t *feature; + + feature = (opal_locking_feature_t *)(response + current_position); + + if (__be16_to_cpu(feature->feature_code) == OPAL_LOCKING_FEATURE) + return feature; + + current_position += feature->description_length + OPAL_DISCOVERY_FEATURE_HEADER_LEN; + } + + return NULL; +} + +/** + * nvme_security_recv_ioctl() - nvme security receive ioctl. + * @disk_fd: a disk file descriptor. + * @sec_protocol: security protocol. + * @comm_id: command id. + * @response_buffer: response buffer to fill out. + * @buf_size: response buffer size. + * @verbose: verbose flag. + * + * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and + * NVM ExpressTM Revision 1.4c, chapter 5.25, + * read security receive command via ioctl(). + * On success, @response_buffer is completed. + * + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise. + */ +static mdadm_status_t +nvme_security_recv_ioctl(int disk_fd, __u8 sec_protocol, __u16 comm_id, void *response_buffer, + size_t buf_size, const int verbose) +{ + struct nvme_admin_cmd nvme_cmd = {0}; + int status; + + nvme_cmd.opcode = NVME_SECURITY_RECV; + nvme_cmd.cdw10 = sec_protocol << 24 | comm_id << 8; + nvme_cmd.cdw11 = buf_size; + nvme_cmd.data_len = buf_size; + nvme_cmd.addr = (__u64)response_buffer; + + status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd); + if (status != 0) { + pr_vrb("Failed to read NVMe security receive ioctl() for device /dev/%s, status: %d\n", + fd2kname(disk_fd), status); + return MDADM_STATUS_ERROR; + } + + return MDADM_STATUS_SUCCESS; +} + +/** + * nvme_identify_ioctl() - NVMe identify ioctl. + * @disk_fd: a disk file descriptor. + * @response_buffer: response buffer to fill out. + * @buf_size: response buffer size. + * @verbose: verbose flag. + * + * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and + * NVM ExpressTM Revision 1.4c, chapter 5.25, + * read NVMe identify via ioctl(). + * On success, @response_buffer will be completed. + * + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise. + */ +static mdadm_status_t +nvme_identify_ioctl(int disk_fd, void *response_buffer, size_t buf_size, const int verbose) +{ + struct nvme_admin_cmd nvme_cmd = {0}; + int status; + + nvme_cmd.opcode = NVME_IDENTIFY; + nvme_cmd.cdw10 = NVME_IDENTIFY_CONTROLLER_DATA; + nvme_cmd.data_len = buf_size; + nvme_cmd.addr = (__u64)response_buffer; + + status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd); + if (status != 0) { + pr_vrb("Failed to read NVMe identify ioctl() for device /dev/%s, status: %d\n", + fd2kname(disk_fd), status); + return MDADM_STATUS_ERROR; + } + + return MDADM_STATUS_SUCCESS; +} + +/** + * is_sec_prot_01h_supported() - check if security protocol 01h supported. + * @security_protocols: struct with response from disk (NVMe, SATA) describing supported + * security protocols. + * + * Return: true if TCG_SECP_01 found, false otherwise. + */ +static bool is_sec_prot_01h_supported(supported_security_protocols_t *security_protocols) +{ + int list_length = be16toh(security_protocols->list_length); + int index; + + for (index = 0 ; index < list_length; index++) { + if (security_protocols->list[index] == TCG_SECP_01) + return true; + } + + return false; +} + +/** + * is_sec_prot_01h_supported_nvme() - check if security protocol 01h supported for given NVMe disk. + * @disk_fd: a disk file descriptor. + * @verbose: verbose flag. + * + * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported, + * %DRIVE_FEAT_CHECK_FAILED_ST if failed to check. + */ +static drive_feat_sup_st is_sec_prot_01h_supported_nvme(int disk_fd, const int verbose) +{ + supported_security_protocols_t security_protocols = {0}; + + /* security_protocol: TCG_SECP_00, comm_id: not applicable */ + if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_00, 0x0, &security_protocols, + sizeof(security_protocols), verbose)) + return DRIVE_FEAT_CHECK_FAILED_ST; + + if (is_sec_prot_01h_supported(&security_protocols)) + return DRIVE_FEAT_SUP_ST; + + return DRIVE_FEAT_NOT_SUP_ST; +} + +/** + * is_nvme_sec_send_recv_supported() - check if Security Send and Security Receive is supported. + * @disk_fd: a disk file descriptor. + * @verbose: verbose flag. + * + * Check if "Optional Admin Command Support" bit 0 is set in NVMe identify. + * Bit 0 set to 1 means controller supports the Security Send and Security Receive commands. + * + * Return: %DRIVE_FEAT_SUP_ST if security send/receive supported, + * %DRIVE_FEAT_NOT_SUP_ST if not supported, %DRIVE_FEAT_CHECK_FAILED_ST if check failed. + */ +static drive_feat_sup_st is_nvme_sec_send_recv_supported(int disk_fd, const int verbose) +{ + nvme_identify_ctrl_t nvme_identify = {0}; + int status = 0; + + status = nvme_identify_ioctl(disk_fd, &nvme_identify, sizeof(nvme_identify), verbose); + if (status) + return DRIVE_FEAT_CHECK_FAILED_ST; + + if ((__le16_to_cpu(nvme_identify.oacs) & 0x1) == 0x1) + return DRIVE_FEAT_SUP_ST; + + return DRIVE_FEAT_NOT_SUP_ST; +} + +/** + * get_opal_encryption_information() - get Opal encryption information. + * @buffer: buffer with Opal Level 0 Discovery response. + * @information: struct to fill out, describing encryption status of disk. + * + * If Locking feature frame is in response from Opal Level 0 discovery, &encryption_information_t + * structure is completed with status and ability otherwise the status is set to &None. + * For possible encryption statuses and abilities, + * please refer to enums &encryption_status and &encryption_ability. + * + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise. + */ +static mdadm_status_t get_opal_encryption_information(__u8 *buffer, + encryption_information_t *information) +{ + opal_locking_feature_t *opal_locking_feature = + get_opal_locking_feature_description(buffer); + + if (!opal_locking_feature) + return MDADM_STATUS_ERROR; + + if (opal_locking_feature->locking_supported == 1) { + information->ability = ENC_ABILITY_SED; + + if (opal_locking_feature->locking_enabled == 0) + information->status = ENC_STATUS_UNENCRYPTED; + else if (opal_locking_feature->locked == 1) + information->status = ENC_STATUS_LOCKED; + else + information->status = ENC_STATUS_UNLOCKED; + } else { + information->ability = ENC_ABILITY_NONE; + information->status = ENC_STATUS_UNENCRYPTED; + } + + return MDADM_STATUS_SUCCESS; +} + +/** + * get_nvme_opal_encryption_information() - get NVMe Opal encryption information. + * @disk_fd: a disk file descriptor. + * @information: struct to fill out, describing encryption status of disk. + * @verbose: verbose flag. + * + * In case the disk supports Opal Level 0 discovery, &encryption_information_t structure + * is completed with status and ability based on ioctl response, + * otherwise the ability is set to %ENC_ABILITY_NONE and &status to %ENC_STATUS_UNENCRYPTED. + * As the current use case does not need the knowledge of Opal support, if there is no support, + * %MDADM_STATUS_SUCCESS will be returned, with the values described above. + * For possible encryption statuses and abilities, + * please refer to enums &encryption_status and &encryption_ability. + * + * %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise. + */ +mdadm_status_t +get_nvme_opal_encryption_information(int disk_fd, encryption_information_t *information, + const int verbose) +{ + __u8 buffer[OPAL_IO_BUFFER_LEN]; + int sec_send_recv_supported = 0; + int protocol_01h_supported = 0; + mdadm_status_t status; + + information->ability = ENC_ABILITY_NONE; + information->status = ENC_STATUS_UNENCRYPTED; + + sec_send_recv_supported = is_nvme_sec_send_recv_supported(disk_fd, verbose); + if (sec_send_recv_supported == DRIVE_FEAT_CHECK_FAILED_ST) + return MDADM_STATUS_ERROR; + + /* Opal not supported */ + if (sec_send_recv_supported == DRIVE_FEAT_NOT_SUP_ST) + return MDADM_STATUS_SUCCESS; + + /** + * sec_send_recv_supported determine that it should be possible to read + * supported sec protocols + */ + protocol_01h_supported = is_sec_prot_01h_supported_nvme(disk_fd, verbose); + if (protocol_01h_supported == DRIVE_FEAT_CHECK_FAILED_ST) + return MDADM_STATUS_ERROR; + + /* Opal not supported */ + if (sec_send_recv_supported == DRIVE_FEAT_SUP_ST && + protocol_01h_supported == DRIVE_FEAT_NOT_SUP_ST) + return MDADM_STATUS_SUCCESS; + + if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_01, OPAL_DISCOVERY_COMID, (void *)&buffer, + OPAL_IO_BUFFER_LEN, verbose)) + return MDADM_STATUS_ERROR; + + status = get_opal_encryption_information((__u8 *)&buffer, information); + if (status) + pr_vrb("Locking feature description not found in Level 0 discovery response. Device /dev/%s.\n", + fd2kname(disk_fd)); + + if (information->ability == ENC_ABILITY_NONE) + assert(information->status == ENC_STATUS_UNENCRYPTED); + + return status; +} diff --git a/drive_encryption.h b/drive_encryption.h new file mode 100644 index 00000000..82c2c624 --- /dev/null +++ b/drive_encryption.h @@ -0,0 +1,32 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Read encryption information for Opal and ATA devices. + * + * Copyright (C) 2024 Intel Corporation + * Author: Blazej Kucman + */ + +typedef enum encryption_status { + /* The drive is not currently encrypted. */ + ENC_STATUS_UNENCRYPTED = 0, + /* The drive is encrypted and the data is not accessible. */ + ENC_STATUS_LOCKED, + /* The drive is encrypted but the data is accessible in unencrypted form. */ + ENC_STATUS_UNLOCKED +} encryption_status_t; + +typedef enum encryption_ability { + ENC_ABILITY_NONE = 0, + ENC_ABILITY_OTHER, + /* Self encrypted drive */ + ENC_ABILITY_SED +} encryption_ability_t; + +typedef struct encryption_information { + encryption_ability_t ability; + encryption_status_t status; +} encryption_information_t; + +mdadm_status_t +get_nvme_opal_encryption_information(int disk_fd, struct encryption_information *information, + const int verbose); From patchwork Fri Mar 22 11:51:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Blazej Kucman X-Patchwork-Id: 13600013 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C543F3F9C0 for ; Fri, 22 Mar 2024 11:51:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.19 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108315; cv=none; b=nUTkHYfzSGzthgqmhPN2pADwHIp0DMLt/tTgCtihsTSzcbI2R938wFNLaCH2dfLfxhO61CRHsLwde2aWXXLoK3dffwSIW9lOoMeI/yF6moD4apI5F61DuQlD0gBvfWSM4fOf6rE4Eu+S9wr5uDWxFDqoSCvf4ft7LUKAvRCOZ+c= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108315; c=relaxed/simple; bh=3Ymyu+/Kal0/6uDot7yNcVGfcpYzSaVGyyToLQp2wUA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=aPsCtYyGqRhNlOmqRLjczO27Cl2QmeDd2xDWGS0fM+tnT6HWVv+urKDj7xrggvyg7FcrQ7fA+y4Of+00xW7Vr0onuzkVjQpbwFXou2uuFe1EORltvrkETZSD4uRadl0h4wCV6OAUv8ok9/yjp8xgz/04bwCUpKW8CxtgazO0WnI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=UKV0EEBX; arc=none smtp.client-ip=192.198.163.19 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="UKV0EEBX" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1711108313; x=1742644313; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=3Ymyu+/Kal0/6uDot7yNcVGfcpYzSaVGyyToLQp2wUA=; b=UKV0EEBXz1/KDCGroK5i0BoopZlHzP0u20mFQKUolE+BiS2saCp5OrLL +KqlaDz2BAC9I80bh+DM2LHCLvW0I/W5ZfMTfOhqHAoCmpXMphY2/ti16 GUrYXQdS0OJH4LoRSa64q6fK3xIu7ze9y66XsPEecLt0dYVGSSdGpcNSG gmOlSAEIQSPATrdQTyjHCyIACoyEhFGHMGAgkkcWAYsYwGrhKQKHnVTty J8g7svp1nQloi9k7kAcSQKtU2NcnnBTdC5Yvxig1zqBJqPjKBU28nWcHu ls4JuGcYnqwDp8hYwqtjrt37ePVcKJDlEFiaOH8WNIbDgXeLosxdHLAKa g==; X-IronPort-AV: E=McAfee;i="6600,9927,11020"; a="6006799" X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="6006799" Received: from fmviesa001.fm.intel.com ([10.60.135.141]) by fmvoesa113.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Mar 2024 04:51:52 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="46001013" Received: from linux-myjy.igk.intel.com ([10.102.108.92]) by fmviesa001.fm.intel.com with ESMTP; 22 Mar 2024 04:51:51 -0700 From: Blazej Kucman To: mariusz.tkaczyk@linux.intel.com, jes@trained-monkey.org Cc: linux-raid@vger.kernel.org Subject: [PATCH v2 3/6] Add reading SATA encryption information Date: Fri, 22 Mar 2024 12:51:17 +0100 Message-Id: <20240322115120.12325-4-blazej.kucman@intel.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20240322115120.12325-1-blazej.kucman@intel.com> References: <20240322115120.12325-1-blazej.kucman@intel.com> Precedence: bulk X-Mailing-List: linux-raid@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Functionality reads information about SATA disk encryption. Technical documentation used is given in the implementation. The implementation is able to recognized two encryption standards for SATA drives, OPAL and ATA security. If the SATA drive supports OPAL, encryption status and ability are determined based on Opal Level 0 discovery response, for ATA security, based on ATA identify response. If SATA supports OPAL, ability is set to "SED", for ATA security to "Other". SED(Self-Encrypting Drive) is commonly used to describe drive which using OPAL or Enterprise standards developed by Trusted Computing Group. Ability "Other" is used for ATA security because we rely only on information from ATA identify which describe the overall state of encryption. It is allowed to mix disks with different encryption ability such as "SED" and "Other" and it is not security gap. Motivation for adding this functionality is to block mixing of disks in IMSM arrays with encryption enabled and disabled. The main goal is to not allow stealing data by rebuilding array to not encrypted drive which can be read elsewhere. For SATA Opal drives, libata allow_tmp parameter enabled is required, which is necessary for Opal Security commands to work, therefore, if the parameter is not enabled, SATA Opal disk cannot be used in case the encryption will be checked by metadata. Implemented functions will be used in one of the next patches. In one of the next patches, a flag will be added to enable disabling SATA Opal encryption checking due to allow_tpm kernel setting dependency. Signed-off-by: Blazej Kucman --- drive_encryption.c | 318 +++++++++++++++++++++++++++++++++++++++++++++ drive_encryption.h | 3 + mdadm.h | 1 + sysfs.c | 29 +++++ 4 files changed, 351 insertions(+) diff --git a/drive_encryption.c b/drive_encryption.c index b44585a7..d520f0c7 100644 --- a/drive_encryption.c +++ b/drive_encryption.c @@ -10,8 +10,12 @@ #include #include +#include +#include #include "drive_encryption.h" +#define DEFAULT_SECTOR_SIZE (512) + /* * Opal defines * TCG Storage Opal SSC 2.01 chapter 3.3.3 @@ -34,6 +38,35 @@ #define NVME_OACS_BYTE_POSITION (256) #define NVME_IDENTIFY_CONTROLLER_DATA (1) +/* + * ATA defines + * ATA/ATAPI Command Set ATA8-ACS + * SCSI / ATA Translation - 3 (SAT-3) + * SCSI Primary Commands - 4 (SPC-4) + * AT Attachment-8 - ATA Serial Transport (ATA8-AST) + * ATA Command Pass-Through + */ +#define ATA_IDENTIFY (0xec) +#define ATA_TRUSTED_RECEIVE (0x5c) +#define ATA_SECURITY_WORD_POSITION (128) +#define HDIO_DRIVE_CMD (0x031f) +#define ATA_TRUSTED_COMPUTING_POS (48) +#define ATA_PASS_THROUGH_12 (0xa1) +#define ATA_IDENTIFY_RESPONSE_LEN (512) +#define ATA_PIO_DATA_IN (4) +#define SG_CHECK_CONDITION (0x02) +#define ATA_STATUS_RETURN_DESCRIPTOR (0x09) +#define ATA_PT_INFORMATION_AVAILABLE_ASCQ (0x1d) +#define ATA_PT_INFORMATION_AVAILABLE_ASC (0x00) +#define ATA_INQUIRY_LENGTH (0x0c) +#define SG_INTERFACE_ID 'S' +#define SG_IO_TIMEOUT (60000) +#define SG_SENSE_SIZE (32) +#define SENSE_DATA_CURRENT_FIXED (0x70) +#define SENSE_DATA_CURRENT_DESC (0x72) +#define SENSE_CURRENT_RES_DESC_POS (8) +#define SG_DRIVER_SENSE (0x08) + typedef enum drive_feature_support_status { /* Drive feature is supported. */ DRIVE_FEAT_SUP_ST = 0, @@ -87,6 +120,27 @@ typedef struct supported_security_protocols { __u8 list[504]; } supported_security_protocols_t; +/* ATA/ATAPI Command Set - 3 (ACS-3), Table 45 */ +typedef struct ata_security_status { + __u16 security_supported : 1; + __u16 security_enabled : 1; + __u16 security_locked : 1; + __u16 security_frozen : 1; + __u16 security_count_expired : 1; + __u16 enhanced_security_erase_supported : 1; + __u16 reserved1 : 2; + __u16 security_level : 1; + __u16 reserved2 : 7; +} __attribute__((__packed__)) ata_security_status_t; + +/* ATA/ATAPI Command Set - 3 (ACS-3), Table 45 */ +typedef struct ata_trusted_computing { + __u16 tc_feature :1; + __u16 reserved : 13; + __u16 var1 : 1; + __u16 var2 : 1; +} __attribute__((__packed__)) ata_trusted_computing_t; + /** * get_opal_locking_feature_description() - get opal locking feature description. * @response: response from Opal Discovery Level 0. @@ -360,3 +414,267 @@ get_nvme_opal_encryption_information(int disk_fd, encryption_information_t *info return status; } + +/** + * ata_pass_through12_ioctl() - ata pass through12 ioctl. + * @disk_fd: a disk file descriptor. + * @ata_command: ata command. + * @sec_protocol: security protocol. + * @comm_id: additional command id. + * @response_buffer: response buffer to fill out. + * @buf_size: response buffer size. + * @verbose: verbose flag. + * + * Based on the documentations ATA Command Pass-Through, chapter 13.2.2 and + * ATA Translation - 3 (SAT-3), send read ata pass through 12 command via ioctl(). + * On success, @response_buffer will be completed. + * + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR on fail. + */ +static mdadm_status_t +ata_pass_through12_ioctl(int disk_fd, __u8 ata_command, __u8 sec_protocol, __u16 comm_id, + void *response_buffer, size_t buf_size, const int verbose) +{ + __u8 cdb[ATA_INQUIRY_LENGTH] = {0}; + __u8 sense[SG_SENSE_SIZE] = {0}; + __u8 *sense_desc = NULL; + sg_io_hdr_t sg = {0}; + + /* + * ATA Command Pass-Through, chapter 13.2.2 + * SCSI Primary Commands - 4 (SPC-4) + * ATA Translation - 3 (SAT-3) + */ + cdb[0] = ATA_PASS_THROUGH_12; + /* protocol, bits 1-4 */ + cdb[1] = ATA_PIO_DATA_IN << 1; + /* Bytes: CK_COND=1, T_DIR = 1, BYTE_BLOCK = 1, Length in Sector Count = 2 */ + cdb[2] = 0x2E; + cdb[3] = sec_protocol; + /* Sector count */ + cdb[4] = buf_size / DEFAULT_SECTOR_SIZE; + cdb[6] = (comm_id) & 0xFF; + cdb[7] = (comm_id >> 8) & 0xFF; + cdb[9] = ata_command; + + sg.interface_id = SG_INTERFACE_ID; + sg.cmd_len = sizeof(cdb); + sg.mx_sb_len = sizeof(sense); + sg.dxfer_direction = SG_DXFER_FROM_DEV; + sg.dxfer_len = buf_size; + sg.dxferp = response_buffer; + sg.cmdp = cdb; + sg.sbp = sense; + sg.timeout = SG_IO_TIMEOUT; + sg.usr_ptr = NULL; + + if (ioctl(disk_fd, SG_IO, &sg) < 0) { + pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s.\n", fd2kname(disk_fd)); + return MDADM_STATUS_ERROR; + } + + if ((sg.status && sg.status != SG_CHECK_CONDITION) || sg.host_status || + (sg.driver_status && sg.driver_status != SG_DRIVER_SENSE)) { + pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s.\n", fd2kname(disk_fd)); + pr_vrb("SG_IO error: ATA_12 Status: %d Host Status: %d, Driver Status: %d\n", + sg.status, sg.host_status, sg.driver_status); + return MDADM_STATUS_ERROR; + } + + /* verify expected sense response code */ + if (!(sense[0] == SENSE_DATA_CURRENT_DESC || sense[0] == SENSE_DATA_CURRENT_FIXED)) { + pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s.\n", fd2kname(disk_fd)); + return MDADM_STATUS_ERROR; + } + + sense_desc = sense + SENSE_CURRENT_RES_DESC_POS; + /* verify sense data current response with descriptor format */ + if (sense[0] == SENSE_DATA_CURRENT_DESC && + !(sense_desc[0] == ATA_STATUS_RETURN_DESCRIPTOR && + sense_desc[1] == ATA_INQUIRY_LENGTH)) { + pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s. Sense data ASC: %d, ASCQ: %d.\n", + fd2kname(disk_fd), sense[2], sense[3]); + return MDADM_STATUS_ERROR; + } + + /* verify sense data current response with fixed format */ + if (sense[0] == SENSE_DATA_CURRENT_FIXED && + !(sense[12] == ATA_PT_INFORMATION_AVAILABLE_ASC && + sense[13] == ATA_PT_INFORMATION_AVAILABLE_ASCQ)) { + pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s. Sense data ASC: %d, ASCQ: %d.\n", + fd2kname(disk_fd), sense[12], sense[13]); + return MDADM_STATUS_ERROR; + } + + return MDADM_STATUS_SUCCESS; +} + +/** + * is_sec_prot_01h_supported_ata() - check if security protocol 01h supported for given SATA disk. + * @disk_fd: a disk file descriptor. + * @verbose: verbose flag. + * + * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported, + * %DRIVE_FEAT_CHECK_FAILED_ST if failed. + */ +static drive_feat_sup_st is_sec_prot_01h_supported_ata(int disk_fd, const int verbose) +{ + supported_security_protocols_t security_protocols; + + mdadm_status_t result = ata_pass_through12_ioctl(disk_fd, ATA_TRUSTED_RECEIVE, TCG_SECP_00, + 0x0, &security_protocols, + sizeof(security_protocols), verbose); + if (result) + return DRIVE_FEAT_CHECK_FAILED_ST; + + if (is_sec_prot_01h_supported(&security_protocols)) + return DRIVE_FEAT_SUP_ST; + + return DRIVE_FEAT_NOT_SUP_ST; +} + +/** + * is_ata_trusted_computing_supported() - check if ata trusted computing supported. + * @buffer: buffer with ATA identify response, not NULL. + * + * Return: true if trusted computing bit set, false otherwise. + */ +bool is_ata_trusted_computing_supported(__u16 *buffer) +{ + /* Added due to warnings from the compiler about a possible uninitialized variable below. */ + assert(buffer); + + __u16 security_tc_frame = __le16_to_cpu(buffer[ATA_TRUSTED_COMPUTING_POS]); + ata_trusted_computing_t *security_tc = (ata_trusted_computing_t *)&security_tc_frame; + + if (security_tc->tc_feature == 1) + return true; + + return false; +} + +/** + * get_ata_standard_security_status() - get ATA disk encryption information from ATA identify. + * @buffer: buffer with response from ATA identify, not NULL. + * @information: struct to fill out, describing encryption status of disk. + * + * The function based on the Security status frame from ATA identify, + * completed encryption information. + * For possible encryption statuses and abilities, + * please refer to enums &encryption_status and &encryption_ability. + * + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR on fail. + */ +static mdadm_status_t get_ata_standard_security_status(__u16 *buffer, + struct encryption_information *information) +{ + /* Added due to warnings from the compiler about a possible uninitialized variable below. */ + assert(buffer); + + __u16 security_status_frame = __le16_to_cpu(buffer[ATA_SECURITY_WORD_POSITION]); + ata_security_status_t *security_status = (ata_security_status_t *)&security_status_frame; + + if (!security_status->security_supported) { + information->ability = ENC_ABILITY_NONE; + information->status = ENC_STATUS_UNENCRYPTED; + + return MDADM_STATUS_SUCCESS; + } + + information->ability = ENC_ABILITY_OTHER; + + if (security_status->security_enabled == 0) + information->status = ENC_STATUS_UNENCRYPTED; + else if (security_status->security_locked == 1) + information->status = ENC_STATUS_LOCKED; + else + information->status = ENC_STATUS_UNLOCKED; + + return MDADM_STATUS_SUCCESS; +} + +/** + * is_ata_opal() - check if SATA disk support Opal. + * @disk_fd: a disk file descriptor. + * @buffer: buffer with ATA identify response. + * @verbose: verbose flag. + * + * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported, + * %DRIVE_FEAT_CHECK_FAILED_ST if failed to check. + */ +static drive_feat_sup_st is_ata_opal(int disk_fd, __u16 *buffer_identify, const int verbose) +{ + bool tc_status = is_ata_trusted_computing_supported(buffer_identify); + drive_feat_sup_st tcg_sec_prot_status; + + if (!tc_status) + return DRIVE_FEAT_NOT_SUP_ST; + + tcg_sec_prot_status = is_sec_prot_01h_supported_ata(disk_fd, verbose); + + if (tcg_sec_prot_status == DRIVE_FEAT_CHECK_FAILED_ST) { + pr_vrb("Failed to verify if security protocol 01h supported. Device /dev/%s.\n", + fd2kname(disk_fd)); + return DRIVE_FEAT_CHECK_FAILED_ST; + } + + if (tc_status && tcg_sec_prot_status == DRIVE_FEAT_SUP_ST) + return DRIVE_FEAT_SUP_ST; + + return DRIVE_FEAT_NOT_SUP_ST; +} + +/** + * get_ata_encryption_information() - get ATA disk encryption information. + * @disk_fd: a disk file descriptor. + * @information: struct to fill out, describing encryption status of disk. + * @verbose: verbose flag. + * + * The function reads information about encryption, if the disk supports Opal, + * the information is completed based on Opal Level 0 discovery, otherwise, + * based on ATA security status frame from ATA identification response. + * For possible encryption statuses and abilities, + * please refer to enums &encryption_status and &encryption_ability. + * + * Based on the documentations ATA/ATAPI Command Set ATA8-ACS and + * AT Attachment-8 - ATA Serial Transport (ATA8-AST). + * + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR on fail. + */ +mdadm_status_t +get_ata_encryption_information(int disk_fd, struct encryption_information *information, + const int verbose) +{ + __u8 buffer_opal_level0_discovery[OPAL_IO_BUFFER_LEN] = {0}; + __u16 buffer_identify[ATA_IDENTIFY_RESPONSE_LEN] = {0}; + drive_feat_sup_st ata_opal_status; + mdadm_status_t status; + + /* Get disk ATA identification */ + status = ata_pass_through12_ioctl(disk_fd, ATA_IDENTIFY, 0x0, 0x0, buffer_identify, + sizeof(buffer_identify), verbose); + if (status == MDADM_STATUS_ERROR) + return MDADM_STATUS_ERROR; + + if (is_ata_trusted_computing_supported(buffer_identify) && + !sysfs_is_libata_allow_tpm_enabled(verbose)) { + pr_vrb("For SATA with Trusted Computing support, required libata.tpm_enabled=1.\n"); + return MDADM_STATUS_ERROR; + } + + ata_opal_status = is_ata_opal(disk_fd, buffer_identify, verbose); + if (ata_opal_status == DRIVE_FEAT_CHECK_FAILED_ST) + return MDADM_STATUS_ERROR; + + if (ata_opal_status == DRIVE_FEAT_NOT_SUP_ST) + return get_ata_standard_security_status(buffer_identify, information); + + /* SATA Opal */ + status = ata_pass_through12_ioctl(disk_fd, ATA_TRUSTED_RECEIVE, TCG_SECP_01, + OPAL_DISCOVERY_COMID, buffer_opal_level0_discovery, + OPAL_IO_BUFFER_LEN, verbose); + if (status != MDADM_STATUS_SUCCESS) + return MDADM_STATUS_ERROR; + + return get_opal_encryption_information(buffer_opal_level0_discovery, information); +} diff --git a/drive_encryption.h b/drive_encryption.h index 82c2c624..77c7f10f 100644 --- a/drive_encryption.h +++ b/drive_encryption.h @@ -30,3 +30,6 @@ typedef struct encryption_information { mdadm_status_t get_nvme_opal_encryption_information(int disk_fd, struct encryption_information *information, const int verbose); +mdadm_status_t +get_ata_encryption_information(int disk_fd, struct encryption_information *information, + const int verbose); diff --git a/mdadm.h b/mdadm.h index 141adbd7..f64bb783 100644 --- a/mdadm.h +++ b/mdadm.h @@ -853,6 +853,7 @@ extern int restore_stripes(int *dest, unsigned long long *offsets, int source, unsigned long long read_offset, unsigned long long start, unsigned long long length, char *src_buf); +extern bool sysfs_is_libata_allow_tpm_enabled(const int verbose); #ifndef Sendmail #define Sendmail "/usr/lib/sendmail -t" diff --git a/sysfs.c b/sysfs.c index 230b842e..24790896 100644 --- a/sysfs.c +++ b/sysfs.c @@ -1123,3 +1123,32 @@ void sysfsline(char *line) sr->next = sysfs_rules; sysfs_rules = sr; } + +/** + * sysfs_is_libata_allow_tpm_enabled() - check if libata allow_tmp is enabled. + * @verbose: verbose flag. + * + * Check if libata allow_tmp flag is set, this is required for SATA Opal Security commands to work. + * + * Return: true if allow_tpm enable, false otherwise. + */ +bool sysfs_is_libata_allow_tpm_enabled(const int verbose) +{ + const char *path = "/sys/module/libata/parameters/allow_tpm"; + const char *expected_value = "1"; + int fd = open(path, O_RDONLY); + char buf[3]; + + if (!is_fd_valid(fd)) { + pr_vrb("Failed open file descriptor to %s. Cannot check libata allow_tpm param.\n", + path); + return false; + } + + sysfs_fd_get_str(fd, buf, sizeof(buf)); + close(fd); + + if (strncmp(buf, expected_value, 1) == 0) + return true; + return false; +} From patchwork Fri Mar 22 11:51:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Blazej Kucman X-Patchwork-Id: 13600014 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B31FD3FB31 for ; Fri, 22 Mar 2024 11:51:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.19 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108315; cv=none; b=KbIM4btrvBgOxNlBBTK696phzrVXAu9M4uoF2xZv/06yWWcRJL94PCzQ5nYz/RBeeNvlb+Yvx9KOB/8XL8HGgPIOQIWjoLbIT/UiDEGIqz2dQBknLOyo5MIL7o8IEAxARVmoHeg+9QB+dzPdXktZireGrt+0aienGwgF6Z0lkPE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108315; c=relaxed/simple; bh=g4oVcQuPIudWX+nj9UjMQ1lbzEaXOBradsXGCz1u1mY=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=gempe/oIbCKMZeiISk3fRdquwtLbiImfxVRFosDP87P5RuzUNCHvyx+DTDfPGsIiO5Znq5oOBNyUDwe199nnbOUEytYjGQbNNmPKk1HNVSYLeVu+QZtSLikdG5Ute1eZw+zBs5Ks8pqGsI7ZhrfRZSskMgSw5YGlgz08tymJkR0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=V6I1d4sB; arc=none smtp.client-ip=192.198.163.19 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="V6I1d4sB" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1711108314; x=1742644314; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=g4oVcQuPIudWX+nj9UjMQ1lbzEaXOBradsXGCz1u1mY=; b=V6I1d4sBJo0iShLXyIU8WyRi+06qxfqNo2jUXeBQa5OUvPbrKjwHACOY 3sfjLa4+dorNvzTUtEUzs33joVLqMV8OFFcs70prftYjIX1J9OWK8NDtQ U2B59fC5K0If191Lyv5DU2TX37ajtmdsZTJdBpTerH/oOVjp3lG/40mJ5 tUvnUPEWuxRfsBcxOjrw+35sip8ETw0kItFKbLvIOVjCG8UfXBaDGDQNu dwirEbcDTbr2UGF//zO2FtftY7PPu26RiJxF3dJkCCjIjDI5qCm6iBtW2 90wgq7xcC4xXF+Uzzqy3RK4hRrxbC4qJ+PEQgNpd5/C5iBCdHTYqB11ly w==; X-IronPort-AV: E=McAfee;i="6600,9927,11020"; a="6006802" X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="6006802" Received: from fmviesa001.fm.intel.com ([10.60.135.141]) by fmvoesa113.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Mar 2024 04:51:53 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="46001016" Received: from linux-myjy.igk.intel.com ([10.102.108.92]) by fmviesa001.fm.intel.com with ESMTP; 22 Mar 2024 04:51:52 -0700 From: Blazej Kucman To: mariusz.tkaczyk@linux.intel.com, jes@trained-monkey.org Cc: linux-raid@vger.kernel.org Subject: [PATCH v2 4/6] Add key ENCRYPTION_NO_VERIFY to conf Date: Fri, 22 Mar 2024 12:51:18 +0100 Message-Id: <20240322115120.12325-5-blazej.kucman@intel.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20240322115120.12325-1-blazej.kucman@intel.com> References: <20240322115120.12325-1-blazej.kucman@intel.com> Precedence: bulk X-Mailing-List: linux-raid@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add ENCRYPTION_NO_VERIFY config key and allow to disable checking encryption status for given type of drives. The key is introduced because of SATA Opal disks for which TPM commands must be enabled in libata kernel module, (libata.allow_tpm=1), otherwise it is impossible to verify encryption status. TPM commands are disabled by default. Currently the key only supports the "sata_opal" value, if necessary, the functionality is ready to support more types of disks. This functionality will be used in the next patches. Signed-off-by: Blazej Kucman --- config.c | 25 ++++++++++++++++++++++++- drive_encryption.c | 16 ++++++++++++---- mdadm.conf.5.in | 13 +++++++++++++ mdadm.h | 1 + 4 files changed, 50 insertions(+), 5 deletions(-) diff --git a/config.c b/config.c index 44f7dd2f..b46d71cb 100644 --- a/config.c +++ b/config.c @@ -81,7 +81,7 @@ char DefaultAltConfDir[] = CONFFILE2 ".d"; enum linetype { Devices, Array, Mailaddr, Mailfrom, Program, CreateDev, Homehost, HomeCluster, AutoMode, Policy, PartPolicy, Sysfs, - MonitorDelay, LTEnd }; + MonitorDelay, EncryptionNoVerify, LTEnd }; char *keywords[] = { [Devices] = "devices", [Array] = "array", @@ -96,6 +96,7 @@ char *keywords[] = { [PartPolicy]="part-policy", [Sysfs] = "sysfs", [MonitorDelay] = "monitordelay", + [EncryptionNoVerify] = "ENCRYPTION_NO_VERIFY", [LTEnd] = NULL }; @@ -729,6 +730,19 @@ void monitordelayline(char *line) } } +static bool sata_opal_encryption_no_verify; +void encryption_no_verify_line(char *line) +{ + char *word; + + for (word = dl_next(line); word != line; word = dl_next(word)) { + if (strcasecmp(word, "sata_opal") == 0) + sata_opal_encryption_no_verify = true; + else + pr_err("unrecognised word on ENCRYPTION_NO_VERIFY line: %s\n", word); + } +} + char auto_yes[] = "yes"; char auto_no[] = "no"; char auto_homehost[] = "homehost"; @@ -913,6 +927,9 @@ void conf_file(FILE *f) case MonitorDelay: monitordelayline(line); break; + case EncryptionNoVerify: + encryption_no_verify_line(line); + break; default: pr_err("Unknown keyword %s\n", line); } @@ -1075,6 +1092,12 @@ int conf_get_monitor_delay(void) return monitor_delay; } +bool conf_get_sata_opal_encryption_no_verify(void) +{ + load_conffile(); + return sata_opal_encryption_no_verify; +} + struct createinfo *conf_get_create_info(void) { load_conffile(); diff --git a/drive_encryption.c b/drive_encryption.c index d520f0c7..6b2bd358 100644 --- a/drive_encryption.c +++ b/drive_encryption.c @@ -656,10 +656,18 @@ get_ata_encryption_information(int disk_fd, struct encryption_information *infor if (status == MDADM_STATUS_ERROR) return MDADM_STATUS_ERROR; - if (is_ata_trusted_computing_supported(buffer_identify) && - !sysfs_is_libata_allow_tpm_enabled(verbose)) { - pr_vrb("For SATA with Trusted Computing support, required libata.tpm_enabled=1.\n"); - return MDADM_STATUS_ERROR; + /* Possible OPAL support, further checks require tpm_enabled.*/ + if (is_ata_trusted_computing_supported(buffer_identify)) { + /* OPAL SATA encryption checking disabled. */ + if (conf_get_sata_opal_encryption_no_verify()) + return MDADM_STATUS_SUCCESS; + + if (!sysfs_is_libata_allow_tpm_enabled(verbose)) { + pr_vrb("Detected SATA drive /dev/%s with Trusted Computing support.\n", + fd2kname(disk_fd)); + pr_vrb("Cannot verify encryption state. Requires libata.tpm_enabled=1.\n"); + return MDADM_STATUS_ERROR; + } } ata_opal_status = is_ata_opal(disk_fd, buffer_identify, verbose); diff --git a/mdadm.conf.5.in b/mdadm.conf.5.in index 787e51e9..afb0a296 100644 --- a/mdadm.conf.5.in +++ b/mdadm.conf.5.in @@ -636,6 +636,17 @@ If multiple .B MINITORDELAY lines are provided, only first non-zero value is considered. +.TP +.B ENCRYPTION_NO_VERIFY +The +.B ENCRYPTION_NO_VERIFY +disables encryption verification for devices with particular encryption support detected. +Currently, only verification of SATA OPAL encryption can be disabled. +It does not disable ATA security encryption verification. +Available parameter +.I "sata_opal". + + .SH FILES .SS {CONFFILE} @@ -744,6 +755,8 @@ SYSFS uuid=bead5eb6:31c17a27:da120ba2:7dfda40d group_thread_cnt=4 sync_speed_max=1000000 .br MONITORDELAY 60 +.br +ENCRYPTION_NO_VERIFY sata_opal .SH SEE ALSO .BR mdadm (8), diff --git a/mdadm.h b/mdadm.h index f64bb783..9d98693b 100644 --- a/mdadm.h +++ b/mdadm.h @@ -1673,6 +1673,7 @@ extern char *conf_get_program(void); extern char *conf_get_homehost(int *require_homehostp); extern char *conf_get_homecluster(void); extern int conf_get_monitor_delay(void); +extern bool conf_get_sata_opal_encryption_no_verify(void); extern char *conf_line(FILE *file); extern char *conf_word(FILE *file, int allow_key); extern void print_quoted(char *str); From patchwork Fri Mar 22 11:51:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Blazej Kucman X-Patchwork-Id: 13600015 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 30A993FB85 for ; Fri, 22 Mar 2024 11:51:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.19 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108317; cv=none; b=qTtf3cseSRFY+w4s4EC4ShW2B3lLqcdWdDD9FG3h7/rNKCBbcfyo/Olp5NvpHkwmBC8/+HkFz8kjuxwC/eT1sV1X7EXZxn6uvVhlSVWokC5tEJBp17bF8buBJv9MrosN2Q5EWU3Gk9B2VVfW6apx/X44j6iB3qspSpd/e3Ua6rY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108317; c=relaxed/simple; bh=wJXAa/SWHj1HzTYht7D+4xkQX1r3o3J8BK1f1mpEexw=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=pBul50V1sY82/50Lh7a+ZclGRG8RkSoPQ0xAh6f7YkwM2pWO50qU8C9KT7WrbdN/Erm8N7hhS6Fw+HG3IAH0cJRnnsO3X+HrSsKKbQWnGGfcESWiczSwta8Uonxjnh7imMiLwWVD6vgcFoTXAEwbP05HG+M03TK+cn10GGenKew= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=CO7D7vUp; arc=none smtp.client-ip=192.198.163.19 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="CO7D7vUp" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1711108315; x=1742644315; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=wJXAa/SWHj1HzTYht7D+4xkQX1r3o3J8BK1f1mpEexw=; b=CO7D7vUpeALxHLj4oNg9jqI/XFSFP7h/MYlwQB14qkJD/8cbIagTr9cn Ut9+fd1BxLVc2cXyq8V/rZXkNLaVrkPLCpnD2ZJ/Jh3SGiUiT62L/Hbc5 AvWsNvt3XUtDimFYaDH80p8B6X8q6Vwt+aA/M+742ka/8taeuIIDHaJNm yLDpjRdzR0bJ6qbxIaUOmf21q+l0VbthXa/Fyjfr9tHn9fq7U57PAHYxZ A9HuPI7KX4D9OBHwM9MwqfaCvIiG0Emy5kJ/gbp+Fy1istraTLyNFM+fT uM6Asp2uWwssP9slCE32v+rFpgIQwS8+6nlNvrC/y4upXTYyRlMt93N1M g==; X-IronPort-AV: E=McAfee;i="6600,9927,11020"; a="6006805" X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="6006805" Received: from fmviesa001.fm.intel.com ([10.60.135.141]) by fmvoesa113.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Mar 2024 04:51:55 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="46001019" Received: from linux-myjy.igk.intel.com ([10.102.108.92]) by fmviesa001.fm.intel.com with ESMTP; 22 Mar 2024 04:51:54 -0700 From: Blazej Kucman To: mariusz.tkaczyk@linux.intel.com, jes@trained-monkey.org Cc: linux-raid@vger.kernel.org Subject: [PATCH v2 5/6] imsm: print disk encryption information Date: Fri, 22 Mar 2024 12:51:19 +0100 Message-Id: <20240322115120.12325-6-blazej.kucman@intel.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20240322115120.12325-1-blazej.kucman@intel.com> References: <20240322115120.12325-1-blazej.kucman@intel.com> Precedence: bulk X-Mailing-List: linux-raid@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Print SATA/NVMe disk encryption information in --detail-platform. Encryption Ability and Status will be printed for each disk. There is one exception, Opal SATA drives encryption is not checked when ENCRYPTION_NO_VERIFY key with "sata_opal" value is set in conf, for this reason such drives are treated as without encryption support. To test this feature, drives SATA/NVMe with Opal support or SATA drives with encryption support have to be used. Example outputs of --detail-platform: Non Opal, encryption enabled, SATA drive: Port0 : /dev/sdc (CVPR050600G3120LGN) Encryption(Ability|Status): Other|Unlocked NVMe drive without Opal support: NVMe under VMD : /dev/nvme2n1 (PHLF737302GB1P0GGN) Encryption(Ability|Status): None|Unencrypted Unencrypted SATA drive with OPAL support: - default allow_tpm, we will get an error from mdadm: Port6 : /dev/sdi (CVTS4246015V180IGN) mdadm: Detected SATA drive /dev/sdi with Trusted Computing support. mdadm: Cannot verify encryption state. Requires libata.tpm_enabled=1. mdadm: Failed to get drive encrytpion information. - default "allow_tpm" and config entry "ENCRYPTION_NO_VERIFY sata_opal": Port6 : /dev/sdi (CVTS4246015V180IGN) Encryption(Ability|Status): None|Unencrypted - added "libata.allow_tpm=1" to boot parameters(requires reboot), the status will be read correctly: Port6 : /dev/sdi (CVTS4246015V180IGN) Encryption(Ability|Status): SED|Unencrypted Signed-off-by: Blazej Kucman --- drive_encryption.c | 36 ++++++++++++++++++++++++++++++++++++ drive_encryption.h | 2 ++ mdadm.conf.5.in | 3 +++ super-intel.c | 42 ++++++++++++++++++++++++++++++++++++++---- 4 files changed, 79 insertions(+), 4 deletions(-) diff --git a/drive_encryption.c b/drive_encryption.c index 6b2bd358..27da9621 100644 --- a/drive_encryption.c +++ b/drive_encryption.c @@ -141,6 +141,42 @@ typedef struct ata_trusted_computing { __u16 var2 : 1; } __attribute__((__packed__)) ata_trusted_computing_t; +mapping_t encryption_ability_map[] = { + { "None", ENC_ABILITY_NONE }, + { "Other", ENC_ABILITY_OTHER }, + { "SED", ENC_ABILITY_SED }, + { NULL, UnSet } +}; + +mapping_t encryption_status_map[] = { + { "Unencrypted", ENC_STATUS_UNENCRYPTED }, + { "Locked", ENC_STATUS_LOCKED }, + { "Unlocked", ENC_STATUS_UNLOCKED }, + { NULL, UnSet } +}; + +/** + * get_encryption_ability_string() - get encryption ability name string. + * @ability: encryption ability enum. + * + * Return: encryption ability string. + */ +const char *get_encryption_ability_string(enum encryption_ability ability) +{ + return map_num_s(encryption_ability_map, ability); +} + +/** + * get_encryption_status_string() - get encryption status name string. + * @ability: encryption status enum. + * + * Return: encryption status string. + */ +const char *get_encryption_status_string(enum encryption_status status) +{ + return map_num_s(encryption_status_map, status); +} + /** * get_opal_locking_feature_description() - get opal locking feature description. * @response: response from Opal Discovery Level 0. diff --git a/drive_encryption.h b/drive_encryption.h index 77c7f10f..0cb8ff1b 100644 --- a/drive_encryption.h +++ b/drive_encryption.h @@ -33,3 +33,5 @@ get_nvme_opal_encryption_information(int disk_fd, struct encryption_information mdadm_status_t get_ata_encryption_information(int disk_fd, struct encryption_information *information, const int verbose); +const char *get_encryption_ability_string(enum encryption_ability ability); +const char *get_encryption_status_string(enum encryption_status status); diff --git a/mdadm.conf.5.in b/mdadm.conf.5.in index afb0a296..14302a91 100644 --- a/mdadm.conf.5.in +++ b/mdadm.conf.5.in @@ -643,6 +643,9 @@ The disables encryption verification for devices with particular encryption support detected. Currently, only verification of SATA OPAL encryption can be disabled. It does not disable ATA security encryption verification. +Currently effective only for +.I IMSM +metadata. Available parameter .I "sata_opal". diff --git a/super-intel.c b/super-intel.c index 806b6248..885d7a91 100644 --- a/super-intel.c +++ b/super-intel.c @@ -27,6 +27,7 @@ #include #include #include +#include "drive_encryption.h" /* MPB == Metadata Parameter Block */ #define MPB_SIGNATURE "Intel Raid ISM Cfg Sig. " @@ -2349,12 +2350,41 @@ static int imsm_read_serial(int fd, char *devname, __u8 *serial, size_t serial_buf_len); static void fd2devname(int fd, char *name); -static int ahci_enumerate_ports(const char *hba_path, int port_count, int host_base, int verbose) +void print_encryption_information(int disk_fd, enum sys_dev_type hba_type) +{ + struct encryption_information information = {0}; + mdadm_status_t status = MDADM_STATUS_SUCCESS; + const char *indent = " "; + + switch (hba_type) { + case SYS_DEV_VMD: + case SYS_DEV_NVME: + status = get_nvme_opal_encryption_information(disk_fd, &information, 1); + break; + case SYS_DEV_SATA: + case SYS_DEV_SATA_VMD: + status = get_ata_encryption_information(disk_fd, &information, 1); + break; + default: + return; + } + + if (status) { + pr_err("Failed to get drive encryption information.\n"); + return; + } + + printf("%sEncryption(Ability|Status): %s|%s\n", indent, + get_encryption_ability_string(information.ability), + get_encryption_status_string(information.status)); +} + +static int ahci_enumerate_ports(struct sys_dev *hba, int port_count, int host_base, int verbose) { /* dump an unsorted list of devices attached to AHCI Intel storage * controller, as well as non-connected ports */ - int hba_len = strlen(hba_path) + 1; + int hba_len = strlen(hba->path) + 1; struct dirent *ent; DIR *dir; char *path = NULL; @@ -2390,7 +2420,7 @@ static int ahci_enumerate_ports(const char *hba_path, int port_count, int host_b path = devt_to_devpath(makedev(major, minor), 1, NULL); if (!path) continue; - if (!path_attached_to_hba(path, hba_path)) { + if (!path_attached_to_hba(path, hba->path)) { free(path); path = NULL; continue; @@ -2493,6 +2523,8 @@ static int ahci_enumerate_ports(const char *hba_path, int port_count, int host_b printf(" (%s)\n", buf); else printf(" ()\n"); + + print_encryption_information(fd, hba->type); close(fd); } free(path); @@ -2557,6 +2589,8 @@ static int print_nvme_info(struct sys_dev *hba) else printf("()\n"); + print_encryption_information(fd, hba->type); + skip: close_fd(&fd); } @@ -2812,7 +2846,7 @@ static int detail_platform_imsm(int verbose, int enumerate_only, char *controlle hba->path, get_sys_dev_type(hba->type)); if (hba->type == SYS_DEV_SATA || hba->type == SYS_DEV_SATA_VMD) { host_base = ahci_get_port_count(hba->path, &port_count); - if (ahci_enumerate_ports(hba->path, port_count, host_base, verbose)) { + if (ahci_enumerate_ports(hba, port_count, host_base, verbose)) { if (verbose > 0) pr_err("failed to enumerate ports on %s controller at %s.\n", get_sys_dev_type(hba->type), hba->pci_id); From patchwork Fri Mar 22 11:51:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Blazej Kucman X-Patchwork-Id: 13600016 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 60D993FB31 for ; Fri, 22 Mar 2024 11:51:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.19 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108317; cv=none; b=U5DwfSNS5T6ec/VfDU5Z4i63jodV4l///E+tjk8cLL8fRGiNKgPwrSTWM3DrOEdISQC8Ch0jSpdPkXmgjRbtXVvzXhCYiR93jmu1C35G/mYseO7JXTm6a87oBflnZ+FFtxe1s3RWO3WqAqyj1VSZdIuuzGGENDdpQvCJvpI4r9A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711108317; c=relaxed/simple; bh=Kp2ouRFUjgUmsxg/96Sv/xQdQut5unKAzW1l5qoHi+A=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=IHmz/a9XGdkeNaxDSb+jBZCYD+DwhSFSZKEbJwD6YyfFleyVZbtvNOZ5usQ/8NM/7apsNlWjF8P0CZUkQDkQz643vwQcZeq2Iwm+m0l+BrcFdnQknw5tfGoq0//YIlSThCnihcMzImCD90SxBbKkL71Tztmq+cxj+t8yCSkDpWI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com; spf=pass smtp.mailfrom=intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=eA+InolI; arc=none smtp.client-ip=192.198.163.19 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="eA+InolI" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1711108316; x=1742644316; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=Kp2ouRFUjgUmsxg/96Sv/xQdQut5unKAzW1l5qoHi+A=; b=eA+InolIzfCs0abe1vGjwNQkmnCdpJsCBTtQB6rgb0uVgbX30o53r2bT 8+TCsTcMqaOTSepZIqlRjQX1BP+vedJQzrmEVh4VXSy3VOBQ6j0jZspia 0slCzoDP+G1ufmwUOh+2Ia4UqiwST8o1M1kQ+gvKzxTQZzerBSmxdl9B5 7s117HqvcDDz1DQJIHBCFcY6pWCMbEXtaIrG6kBUXLaU+nucdCMnrcPvL GjuMZS+phoYquXKAngz4BbuwbJ/Iw5JqgGtyara8eUVt3xsujlAiSxgTw 5TPsRpIdZqBjNHZshhzbQVS1GJ0EO62IuSbAWGkCf6AHRiKDsbrpHGV9c g==; X-IronPort-AV: E=McAfee;i="6600,9927,11020"; a="6006810" X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="6006810" Received: from fmviesa001.fm.intel.com ([10.60.135.141]) by fmvoesa113.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Mar 2024 04:51:56 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.07,145,1708416000"; d="scan'208";a="46001024" Received: from linux-myjy.igk.intel.com ([10.102.108.92]) by fmviesa001.fm.intel.com with ESMTP; 22 Mar 2024 04:51:55 -0700 From: Blazej Kucman To: mariusz.tkaczyk@linux.intel.com, jes@trained-monkey.org Cc: linux-raid@vger.kernel.org Subject: [PATCH v2 6/6] imsm: drive encryption policy implementation Date: Fri, 22 Mar 2024 12:51:20 +0100 Message-Id: <20240322115120.12325-7-blazej.kucman@intel.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20240322115120.12325-1-blazej.kucman@intel.com> References: <20240322115120.12325-1-blazej.kucman@intel.com> Precedence: bulk X-Mailing-List: linux-raid@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 IMSM cares about drive encryption state. It is not allowed to mix disks with different encryption state within one md device. This policy will verify that attempt to use disks with different encryption states will fail. Verification is performed for devices NVMe/SATA Opal and SATA. There is one exception, Opal SATA drives encryption is not checked when ENCRYPTION_NO_VERIFY key with "sata_opal" value is set in conf, for this reason such drives are treated as without encryption support. Signed-off-by: Blazej Kucman --- super-intel.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/super-intel.c b/super-intel.c index 885d7a91..2923a0f8 100644 --- a/super-intel.c +++ b/super-intel.c @@ -11291,6 +11291,78 @@ test_and_add_drive_controller_policy_imsm(const char * const type, dev_policy_t return MDADM_STATUS_ERROR; } +/** + * test_and_add_drive_encryption_policy_imsm() - add disk encryption to policies list. + * @type: policy type to search in the list. + * @pols: list of currently recorded policies. + * @disk_fd: file descriptor of the device to check. + * @hba: The hba to which the drive is attached, could be NULL if verification is disabled. + * @verbose: verbose flag. + * + * IMSM cares about drive encryption state. It is not allowed to mix disks with different + * encryption state within one md device. + * If there is no encryption policy on pols we are free to add first one. + * If there is a policy then, new must be the same. + */ +static mdadm_status_t +test_and_add_drive_encryption_policy_imsm(const char * const type, dev_policy_t **pols, int disk_fd, + struct sys_dev *hba, const int verbose) +{ + struct dev_policy *expected_policy = pol_find(*pols, (char *)type); + struct encryption_information information = {0}; + char *encryption_state = "Unknown"; + int status = MDADM_STATUS_SUCCESS; + bool encryption_checked = true; + char devname[PATH_MAX]; + + if (!hba) + goto check_policy; + + switch (hba->type) { + case SYS_DEV_NVME: + case SYS_DEV_VMD: + status = get_nvme_opal_encryption_information(disk_fd, &information, verbose); + break; + case SYS_DEV_SATA: + case SYS_DEV_SATA_VMD: + status = get_ata_encryption_information(disk_fd, &information, verbose); + break; + default: + encryption_checked = false; + } + + if (status) { + fd2devname(disk_fd, devname); + pr_vrb("Failed to read encryption information of device %s\n", devname); + return MDADM_STATUS_ERROR; + } + + if (encryption_checked) { + if (information.status == ENC_STATUS_LOCKED) { + fd2devname(disk_fd, devname); + pr_vrb("Device %s is in Locked state, cannot use. Aborting.\n", devname); + return MDADM_STATUS_ERROR; + } + encryption_state = (char *)get_encryption_status_string(information.status); + } + +check_policy: + if (expected_policy) { + if (strcmp(expected_policy->value, encryption_state) == 0) + return MDADM_STATUS_SUCCESS; + + fd2devname(disk_fd, devname); + pr_vrb("Encryption status \"%s\" detected for disk %s, but \"%s\" status was detected eariler.\n", + encryption_state, devname, expected_policy->value); + pr_vrb("Disks with different encryption status cannot be used.\n"); + return MDADM_STATUS_ERROR; + } + + pol_add(pols, (char *)type, encryption_state, "imsm"); + + return MDADM_STATUS_SUCCESS; +} + struct imsm_drive_policy { char *type; mdadm_status_t (*test_and_add_drive_policy)(const char * const type, @@ -11300,6 +11372,7 @@ struct imsm_drive_policy { struct imsm_drive_policy imsm_policies[] = { {"controller", test_and_add_drive_controller_policy_imsm}, + {"encryption", test_and_add_drive_encryption_policy_imsm} }; mdadm_status_t test_and_add_drive_policies_imsm(struct dev_policy **pols, int disk_fd,