diff mbox series

[v7,2/3,RESEND] block: sed-opal: keystore access for SED Opal keys

Message ID 20230721211949.3437598-3-gjoyce@linux.vnet.ibm.com (mailing list archive)
State New
Headers show
Series generic and PowerPC SED Opal keystore | expand

Commit Message

Greg Joyce July 21, 2023, 9:19 p.m. UTC
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>

Allow for permanent SED authentication keys by
reading/writing to the SED Opal non-volatile keystore.

Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
---
 block/sed-opal.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

Comments

Hannes Reinecke Aug. 17, 2023, 5:44 a.m. UTC | #1
On 7/21/23 23:19, gjoyce@linux.vnet.ibm.com wrote:
> From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> 
> Allow for permanent SED authentication keys by
> reading/writing to the SED Opal non-volatile keystore.
> 
> Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
> ---
>   block/sed-opal.c | 18 ++++++++++++++++--
>   1 file changed, 16 insertions(+), 2 deletions(-)
> 
> diff --git a/block/sed-opal.c b/block/sed-opal.c
> index 6d7f25d1711b..fa23a6a60485 100644
> --- a/block/sed-opal.c
> +++ b/block/sed-opal.c
> @@ -18,6 +18,7 @@
>   #include <linux/uaccess.h>
>   #include <uapi/linux/sed-opal.h>
>   #include <linux/sed-opal.h>
> +#include <linux/sed-opal-key.h>
>   #include <linux/string.h>
>   #include <linux/kdev_t.h>
>   #include <linux/key.h>
> @@ -3019,7 +3020,13 @@ static int opal_set_new_pw(struct opal_dev *dev, struct opal_new_pw *opal_pw)
>   	if (ret)
>   		return ret;
>   
> -	/* update keyring with new password */
> +	/* update keyring and key store with new password */
> +	ret = sed_write_key(OPAL_AUTH_KEY,
> +			    opal_pw->new_user_pw.opal_key.key,
> +			    opal_pw->new_user_pw.opal_key.key_len);
> +	if (ret != -EOPNOTSUPP)
> +		pr_warn("error updating SED key: %d\n", ret);
> +
>   	ret = update_sed_opal_key(OPAL_AUTH_KEY,
>   				  opal_pw->new_user_pw.opal_key.key,
>   				  opal_pw->new_user_pw.opal_key.key_len);
> @@ -3292,6 +3299,8 @@ EXPORT_SYMBOL_GPL(sed_ioctl);
>   static int __init sed_opal_init(void)
>   {
>   	struct key *kr;
> +	char init_sed_key[OPAL_KEY_MAX];
> +	int keylen = OPAL_KEY_MAX - 1;
>   
>   	kr = keyring_alloc(".sed_opal",
>   			   GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
> @@ -3304,6 +3313,11 @@ static int __init sed_opal_init(void)
>   
>   	sed_opal_keyring = kr;
>   
> -	return 0;
> +	if (sed_read_key(OPAL_AUTH_KEY, init_sed_key, &keylen) < 0) {
> +		memset(init_sed_key, '\0', sizeof(init_sed_key));
> +		keylen = OPAL_KEY_MAX - 1;
> +	}
> +
> +	return update_sed_opal_key(OPAL_AUTH_KEY, init_sed_key, keylen);
>   }
>   late_initcall(sed_opal_init);

See the previous patch for comments about 'struct key'.

Cheers,

Hannes
diff mbox series

Patch

diff --git a/block/sed-opal.c b/block/sed-opal.c
index 6d7f25d1711b..fa23a6a60485 100644
--- a/block/sed-opal.c
+++ b/block/sed-opal.c
@@ -18,6 +18,7 @@ 
 #include <linux/uaccess.h>
 #include <uapi/linux/sed-opal.h>
 #include <linux/sed-opal.h>
+#include <linux/sed-opal-key.h>
 #include <linux/string.h>
 #include <linux/kdev_t.h>
 #include <linux/key.h>
@@ -3019,7 +3020,13 @@  static int opal_set_new_pw(struct opal_dev *dev, struct opal_new_pw *opal_pw)
 	if (ret)
 		return ret;
 
-	/* update keyring with new password */
+	/* update keyring and key store with new password */
+	ret = sed_write_key(OPAL_AUTH_KEY,
+			    opal_pw->new_user_pw.opal_key.key,
+			    opal_pw->new_user_pw.opal_key.key_len);
+	if (ret != -EOPNOTSUPP)
+		pr_warn("error updating SED key: %d\n", ret);
+
 	ret = update_sed_opal_key(OPAL_AUTH_KEY,
 				  opal_pw->new_user_pw.opal_key.key,
 				  opal_pw->new_user_pw.opal_key.key_len);
@@ -3292,6 +3299,8 @@  EXPORT_SYMBOL_GPL(sed_ioctl);
 static int __init sed_opal_init(void)
 {
 	struct key *kr;
+	char init_sed_key[OPAL_KEY_MAX];
+	int keylen = OPAL_KEY_MAX - 1;
 
 	kr = keyring_alloc(".sed_opal",
 			   GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
@@ -3304,6 +3313,11 @@  static int __init sed_opal_init(void)
 
 	sed_opal_keyring = kr;
 
-	return 0;
+	if (sed_read_key(OPAL_AUTH_KEY, init_sed_key, &keylen) < 0) {
+		memset(init_sed_key, '\0', sizeof(init_sed_key));
+		keylen = OPAL_KEY_MAX - 1;
+	}
+
+	return update_sed_opal_key(OPAL_AUTH_KEY, init_sed_key, keylen);
 }
 late_initcall(sed_opal_init);