From patchwork Thu Mar 28 22:24:30 2019
X-Patchwork-Submitter: Dave Jiang
X-Patchwork-Id: 10876037
Subject: [PATCH v2 1/3] ndctl: fix load-keys for user master-key
From: Dave Jiang
To: vishal.l.verma@intel.com
Cc: linux-nvdimm@lists.01.org
Date: Thu, 28 Mar 2019 15:24:30 -0700
Message-ID: <155381182887.13778.15556671056565903543.stgit@djiang5-desk3.ch.intel.com>

load-keys incorrectly assumes that all keys have TPM handles. TPM handle is only for trusted-keys. Fix in order to allow user master-key to operate.

Signed-off-by: Dave Jiang
---
v2:
- Make output go to stderr. (Dan)

 ndctl/load-keys.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/ndctl/load-keys.c b/ndctl/load-keys.c index 8e4998f2..7d86a94b 100644 --- a/ndctl/load-keys.c +++ b/ndctl/load-keys.c
@@ -213,10 +213,8 @@ static int load_keys(struct loadkeys *lk_ctx, const char *keypath, if (!tpmhandle) { rc = check_tpm_handle(lk_ctx); - if (rc < 0) { - rc = -errno; - goto erropen; - } + if (rc < 0) + fprintf(stderr, "No TPM handle discovered.\n"); } rc = load_master_key(lk_ctx, param.key_path);

From patchwork Thu Mar 28 22:25:00 2019
X-Patchwork-Submitter: Dave Jiang
X-Patchwork-Id: 10876039
Subject: [PATCH v2 2/3] ndctl: fix key blob loading for user keys
From: Dave Jiang
To: vishal.l.verma@intel.com
Cc: linux-nvdimm@lists.01.org
Date: Thu, 28 Mar 2019 15:25:00 -0700
Message-ID: <155381187566.13778.2000981616955564046.stgit@djiang5-desk3.ch.intel.com>
In-Reply-To: <155381182887.13778.15556671056565903543.stgit@djiang5-desk3.ch.intel.com>

The syntax for loading user master key is different than loading a trusted key. Fix so we can load user key properly.

Signed-off-by: Dave Jiang
---
v2: No change

 ndctl/load-keys.c | 13 +++++--------
 ndctl/util/keys.c | 20 +++++++++++++++-----
 ndctl/util/keys.h | 10 ++++++++--
 3 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/ndctl/load-keys.c b/ndctl/load-keys.c index 7d86a94b..981f80f1 100644 --- a/ndctl/load-keys.c +++ b/ndctl/load-keys.c
@@ -25,12 +25,7 @@ static struct parameters { const char *tpm_handle; } param; -enum key_type { - KEY_USER = 0, - KEY_TRUSTED, -}; - -static const char *key_names[] = {"user", "trusted"}; +static const char *key_names[] = {"user", "trusted", "encrypted"}; static struct loadkeys { enum key_type key_type; @@ -44,6 +39,7 @@ static int load_master_key(struct loadkeys *lk_ctx, const char *keypath) char *blob; int size, rc; char path[PATH_MAX]; + enum key_type; rc = sprintf(path, "%s/nvdimm-master.blob", keypath); if (rc < 0) @@ -65,7 +61,8 @@ static int load_master_key(struct loadkeys *lk_ctx, const char *keypath) return -errno; } - blob = ndctl_load_key_blob(path, &size, param.tpm_handle, -1); + blob = ndctl_load_key_blob(path, &size, param.tpm_handle, -1, + lk_ctx->key_type); if (!blob) return -ENOMEM; @@ -122,7 +119,7 @@ static int load_dimm_keys(struct loadkeys *lk_ctx) } blob = ndctl_load_key_blob(dent->d_name, &size, NULL, - lk_ctx->dirfd); + lk_ctx->dirfd, KEY_ENCRYPTED); if (!blob) { free(fname); continue; diff --git a/ndctl/util/keys.c b/ndctl/util/keys.c index 622533d7..a621a5f5 100644 --- a/ndctl/util/keys.c +++ b/ndctl/util/keys.c @@ -103,13 +103,17 @@ static int get_key_desc(struct ndctl_dimm *dimm, char *desc, } char *ndctl_load_key_blob(const char *path, int *size, const char *postfix, - int dirfd) + int dirfd, enum key_type key_type) { struct stat st; ssize_t read_bytes = 0; int rc, fd; char *blob, *pl, *rdptr; char prefix[] = "load "; + bool need_prefix = false; + + if (key_type == KEY_ENCRYPTED || key_type == KEY_TRUSTED) + need_prefix = true; fd = openat(dirfd, path, O_RDONLY); if (fd < 0) { @@ -133,7 +137,10 @@ char *ndctl_load_key_blob(const char *path, int *size, const char *postfix, return NULL; } - *size = st.st_size + sizeof(prefix) - 1; + *size = st.st_size; + if (need_prefix) + *size += strlen(prefix); + /* * We need to increment postfix and space. * "keyhandle=" is 10 bytes, plus null termination. 
@@ -146,8 +153,11 @@ char *ndctl_load_key_blob(const char *path, int *size, const char *postfix, return NULL; } - memcpy(blob, prefix, sizeof(prefix) - 1); - pl = blob + sizeof(prefix) - 1; + if (need_prefix) { + memcpy(blob, prefix, strlen(prefix)); + pl = blob + strlen(prefix); + } else + pl = blob; rdptr = pl; do { @@ -300,7 +310,7 @@ static key_serial_t dimm_load_key(struct ndctl_dimm *dimm, if (rc < 0) return rc; - blob = ndctl_load_key_blob(path, &size, NULL, -1); + blob = ndctl_load_key_blob(path, &size, NULL, -1, KEY_ENCRYPTED); if (!blob) return -ENOMEM; diff --git a/ndctl/util/keys.h b/ndctl/util/keys.h index eab78d2f..9bc995ac 100644 --- a/ndctl/util/keys.h +++ b/ndctl/util/keys.h @@ -12,9 +12,15 @@ enum ndctl_key_type { ND_ZERO_KEY, }; +enum key_type { + KEY_USER = 0, + KEY_TRUSTED, + KEY_ENCRYPTED, +}; + #ifdef ENABLE_KEYUTILS char *ndctl_load_key_blob(const char *path, int *size, const char *postfix, - int dirfd); + int dirfd, enum key_type key_type); int ndctl_dimm_setup_key(struct ndctl_dimm *dimm, const char *kek, enum ndctl_key_type key_type); int ndctl_dimm_update_key(struct ndctl_dimm *dimm, const char *kek, 
@@ -25,7 +31,7 @@ int ndctl_dimm_secure_erase_key(struct ndctl_dimm *dimm, int ndctl_dimm_overwrite_key(struct ndctl_dimm *dimm); #else char *ndctl_load_key_blob(const char *path, int *size, const char *postfix, - int dirfd) + int dirfd, enum key_type key_type) { return NULL; }

From patchwork Thu Mar 28 22:26:05 2019
X-Patchwork-Submitter: Dave Jiang
X-Patchwork-Id: 10876041
Subject: [PATCH v2 3/3] ndctl: add unit test for load-keys
From: Dave Jiang
To: vishal.l.verma@intel.com
Cc: linux-nvdimm@lists.01.org
Date: Thu, 28 Mar 2019 15:26:05 -0700
Message-ID: <155381190641.13778.16998322434894711396.stgit@djiang5-desk3.ch.intel.com>
In-Reply-To: <155381182887.13778.15556671056565903543.stgit@djiang5-desk3.ch.intel.com>

Add to security.sh to test load-keys for user keys.

Signed-off-by: Dave Jiang
---
V2:
- Add quotes around $masterkey. (Vishal)
- Change fail to failed in output. (Vishal)

 test/security.sh | 68 ++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 61 insertions(+), 7 deletions(-)

diff --git a/test/security.sh b/test/security.sh index 1b7a9a1a..8a36265f 100755 --- a/test/security.sh +++ b/test/security.sh
@@ -6,8 +6,10 @@ rc=77 dev="" id="" keypath="/etc/ndctl/keys" -masterkey="nvdimm-master-test" -masterpath="$keypath/$masterkey" +masterkey="nvdimm-master" +masterpath="$keypath/$masterkey.blob" +backup_key=0 +backup_handle=0 . ./common @@ -32,6 +34,15 @@ setup_keys() mkdir -p "$keypath" fi + if [ -f "$masterpath" ]; then + mv "$masterpath" "$masterpath.bak" + $backup_key=1 + fi + if [ -f "$keypath/tpm.handle" ]; then + mv "$keypath/tpm.handle" "$keypath/tmp.handle.bak" + $backup_handle=1 + fi + dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user "$masterkey" @u keyctl pipe "$(keyctl search @u user $masterkey)" > "$masterpath" } @@ -43,16 +54,25 @@ test_cleanup() fi if keyctl search @u user "$masterkey"; then - keyctl unlink "$(keyctl search @u user $masterkey)" + keyctl unlink "$(keyctl search @u user "$masterkey")" fi if [ -f "$keypath"/nvdimm_"$id"_"$(hostname)".blob ]; then rm -f "$keypath"/nvdimm_"$id"_"$(hostname)".blob fi +} +post_cleanup() +{ if [ -f $masterpath ]; then rm -f "$masterpath" fi + if [ "$backup_key" -eq 1 ]; then + mv "$masterpath.bak" "$masterpath" + fi + if [ "$backup_handle" -eq 1 ]; then + mv "$keypath/tpm.handle.bak" "$keypath/tmp.handle" + fi } lock_dimm() @@ -168,8 +188,8 @@ test_4_security_unlock() remove_passphrase } -# this should always be the last test. with security frozen, nfit_test must -# be removed and is no longer usable +# This should always be the last nvdimm security test. +# with security frozen, nfit_test must be removed and is no longer usable test_5_security_freeze() { setup_passphrase 
@@ -188,6 +208,33 @@ test_5_security_freeze() fi } +test_6_load_keys() +{ + if keyctl search @u encrypted nvdimm:"$id"; then + keyctl unlink "$(keyctl search @u encrypted nvdimm:"$id")" + fi + + if keyctl search @u user "$masterkey"; then + keyctl unlink "$(keyctl search @u user "$masterkey")" + fi + + $NDCTL load-keys + + if keyctl search @u user "$masterkey"; then + echo "master key loaded" + else + echo "master key failed to loaded" + err "$LINENO" + fi + + if keyctl search @u encrypted nvdimm:"$id"; then + echo "dimm key loaded" + else + echo "dimm key failed to load" + err "$LINENO" + fi +} + check_min_kver "5.0" || do_skip "may lack security handling" uid="$(keyctl show | grep -Eo "_uid.[0-9]+" | head -1 | cut -d. -f2-)" if [ "$uid" -ne 0 ]; then @@ -210,11 +257,18 @@ test_3_security_setup_and_erase echo "Test 4, unlock dimm" test_4_security_unlock -# Freeze should always be run last because it locks security state and require -# nfit_test module unload. +# Freeze should always be the last nvdimm security test because it locks +# security state and require nfit_test module unload. However, this does +# not impact any key management testing via libkeyctl. echo "Test 5, freeze security" test_5_security_freeze +# Load-keys is independent of actual nvdimm security and is part of key +# mangement testing. +echo "Test 6, test load-keys" +test_6_load_keys + test_cleanup +post_cleanup _cleanup exit 0
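
Review bot: in patch 1/3, the @@ -213,10 +213,8 @@ hunk of ndctl/load-keys.c downgrades a failed check_tpm_handle() to a message for every key type, so a trusted master key with no TPM handle is no longer rejected here and falls through to load_master_key(), while a setup with a user master key, which has no handle to find, prints "No TPM handle discovered." on every run. If lk_ctx->key_type is already known at this point, keep the early error return for trusted keys and skip the check (or stay silent) for user keys; otherwise reword the message so it says the handle is only required for trusted keys.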
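
Review bot: in patch 2/3, the line "enum key_type;" added to load_master_key() (hunk @@ -44,6 +39,7 @@ of ndctl/load-keys.c) names no variable and has no effect; the function reads lk_ctx->key_type directly in the next hunk. Drop the line.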
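
Review bot: in patch 2/3, key_names[] in ndctl/load-keys.c (hunk @@ -25,12 +25,7 @@) is now a positional list that must match an enum defined in a different file, ndctl/util/keys.h, so adding or reordering a key type in the header can silently mislabel keys. Use designated initializers, for example [KEY_USER] = "user", [KEY_TRUSTED] = "trusted", [KEY_ENCRYPTED] = "encrypted", or move the name table next to the enum.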
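
Review bot: in patch 2/3, ndctl_load_key_blob() in ndctl/util/keys.c now omits the "load " prefix for KEY_USER, but load_master_key() still passes param.tpm_handle as postfix for every key type, and nothing in the visible hunks keeps the keyhandle= postfix from being counted or appended when key_type is KEY_USER. Either pass NULL as postfix from load_master_key() when lk_ctx->key_type is KEY_USER, or ignore postfix inside ndctl_load_key_blob() whenever need_prefix is false. A one-line comment above need_prefix stating why user keys take no "load " prefix would also help the next reader.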
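
Review bot: in patch 2/3, the #else stub of ndctl_load_key_blob() in ndctl/util/keys.h (hunk @@ -25,7 +31,7 @@) is a non-static function definition in a header, which produces duplicate symbols as soon as the header is included from more than one source file in a build without ENABLE_KEYUTILS. Since the hunk already touches the signature, make the stub static inline.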
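
Review bot: in patch 3/3, the setup_keys() hunk (@@ -32,6 +34,15 @@ of test/security.sh) never sets the backup flags: "$backup_key=1" and "$backup_handle=1" expand to "0=1", which the shell treats as a command name rather than an assignment, so both flags stay 0 and post_cleanup() never restores the files that were moved aside. Write backup_key=1 and backup_handle=1. The handle is also moved to "tmp.handle.bak" instead of "tpm.handle.bak".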
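
Review bot: in patch 3/3, post_cleanup() (hunk @@ -43,16 +54,25 @@ of test/security.sh) restores the handle with mv "$keypath/tpm.handle.bak" "$keypath/tmp.handle", which reads a name setup_keys() did not create (it wrote tmp.handle.bak) and writes to tmp.handle rather than tpm.handle, so the host's original TPM handle file is not put back. Use tpm.handle and tpm.handle.bak consistently in both functions, and quote the variable in [ -f $masterpath ] like the rest of the script. Because the test moves real key material under /etc/ndctl/keys aside, consider running the restore from a trap on EXIT so it is not skipped if err ends the run early.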
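
Review bot: in patch 3/3, test_6_load_keys() (hunk @@ -188,6 +208,33 @@ of test/security.sh) does not check the exit status of "$NDCTL load-keys" itself and only infers the result from the later keyctl searches; test the return code directly so a failing command is reported where it happens. The message "master key failed to loaded" should read "master key failed to load", matching the dimm key message below it, and the new comment in the final hunk has "mangement" for "management".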