mbox series

[0/4] sed-opal: keyrings, discovery, revert and key store

Message ID 20220718210156.1535955-1-gjoyce@linux.vnet.ibm.com (mailing list archive)
Headers show
Series sed-opal: keyrings, discovery, revert and key store | expand

Message

Greg Joyce July 18, 2022, 9:01 p.m. UTC 
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>

The current TCG SED Opal implementation in the block
driver requires that authentication keys be provided
in an ioctl so that they can be presented to the
underlying SED Opal capable drive. Currently, the key
is typically entered by a user with an application
like sedutil or sedcli. While this process works, it
does not lend itself to automation like unlock by a udev
rule.

Extend the SED block driver so it can alternatively
obtain a key from a sed-opal kernel keyring. The SED
ioctls will indicate the source of the key, either
directly in the ioctl data or from the keyring.

Two new SED ioctls have also been added. These are:
  1) IOC_OPAL_REVERT_LSP to revert LSP state
  2) IOC_OPAL_DISCOVERY to discover drive capabilities/state

Also, for platforms that have a permanent key store, the
platform may provide unique platform dependent functions
to read/write variables. The SED block driver has been
modified to attempt to read a key from the platform key
store. If successful, the key value is saved in the kernel
sed-opal keyring. If the platform does not support a
permanent key store, the read will fail and a key will
not be added to the keyring. This patchset does not include
any providers of the variable read/write functions.

Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Reported-by: kernel test robot <lkp@intel.com>
base-commit: ff6992735ade75aae3e35d16b17da1008d753d28

Greg Joyce (4):
  block: sed-opal: Implement IOC_OPAL_DISCOVERY
  block: sed-opal: Implement IOC_OPAL_REVERT_LSP
  block: sed-opal: keyring support for SED Opal keys
  arch_vars: create arch specific permanent store

 block/Kconfig                 |   1 +
 block/opal_proto.h            |   4 +
 block/sed-opal.c              | 274 +++++++++++++++++++++++++++++++++-
 include/linux/arch_vars.h     |  23 +++
 include/linux/sed-opal.h      |   5 +
 include/uapi/linux/sed-opal.h |  24 ++-
 lib/Makefile                  |   2 +-
 lib/arch_vars.c               |  25 ++++
 8 files changed, 351 insertions(+), 7 deletions(-)
 create mode 100644 include/linux/arch_vars.h
 create mode 100644 lib/arch_vars.c

Comments

Jarkko Sakkinen July 28, 2022, 7:43 a.m. UTC | #1 
On Mon, Jul 18, 2022 at 04:01:52PM -0500, gjoyce@linux.vnet.ibm.com wrote:
> From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> 
> The current TCG SED Opal implementation in the block
> driver requires that authentication keys be provided
> in an ioctl so that they can be presented to the
> underlying SED Opal capable drive. Currently, the key
> is typically entered by a user with an application
> like sedutil or sedcli. While this process works, it
> does not lend itself to automation like unlock by a udev
> rule.


Please explain also what SED Opal is.

> 
> Extend the SED block driver so it can alternatively
> obtain a key from a sed-opal kernel keyring. The SED
> ioctls will indicate the source of the key, either
> directly in the ioctl data or from the keyring.
> 
> Two new SED ioctls have also been added. These are:
>   1) IOC_OPAL_REVERT_LSP to revert LSP state
>   2) IOC_OPAL_DISCOVERY to discover drive capabilities/state
> 
> Also, for platforms that have a permanent key store, the
> platform may provide unique platform dependent functions
> to read/write variables. The SED block driver has been
> modified to attempt to read a key from the platform key
> store. If successful, the key value is saved in the kernel
> sed-opal keyring. If the platform does not support a
> permanent key store, the read will fail and a key will
> not be added to the keyring. This patchset does not include
> any providers of the variable read/write functions.
> 
> Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> Reported-by: kernel test robot <lkp@intel.com>
> base-commit: ff6992735ade75aae3e35d16b17da1008d753d28
> 
> Greg Joyce (4):
>   block: sed-opal: Implement IOC_OPAL_DISCOVERY
>   block: sed-opal: Implement IOC_OPAL_REVERT_LSP
>   block: sed-opal: keyring support for SED Opal keys
>   arch_vars: create arch specific permanent store
> 
>  block/Kconfig                 |   1 +
>  block/opal_proto.h            |   4 +
>  block/sed-opal.c              | 274 +++++++++++++++++++++++++++++++++-
>  include/linux/arch_vars.h     |  23 +++
>  include/linux/sed-opal.h      |   5 +
>  include/uapi/linux/sed-opal.h |  24 ++-
>  lib/Makefile                  |   2 +-
>  lib/arch_vars.c               |  25 ++++
>  8 files changed, 351 insertions(+), 7 deletions(-)
>  create mode 100644 include/linux/arch_vars.h
>  create mode 100644 lib/arch_vars.c
> 
> 
> -- 
> 2.27.0
> 

BR, Jarkko