From patchwork Fri Nov 9 22:13:45 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Jiang X-Patchwork-Id: 10676619 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A1DF813AD for ; Fri, 9 Nov 2018 22:13:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 936342F0B5 for ; Fri, 9 Nov 2018 22:13:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 856A22F2CD; Fri, 9 Nov 2018 22:13:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from ml01.01.org (ml01.01.org [198.145.21.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 2FA612F33C for ; Fri, 9 Nov 2018 22:13:48 +0000 (UTC) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 0F0BD21A07A92; Fri, 9 Nov 2018 14:13:48 -0800 (PST) X-Original-To: linux-nvdimm@lists.01.org Delivered-To: linux-nvdimm@lists.01.org Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.136; helo=mga12.intel.com; envelope-from=dave.jiang@intel.com; receiver=linux-nvdimm@lists.01.org Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id CDA8A21184E66 for ; Fri, 9 Nov 2018 14:13:46 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 Nov 2018 14:13:45 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,484,1534834800"; d="scan'208";a="272832688" Received: from djiang5-desk3.ch.intel.com ([143.182.136.93]) by orsmga005.jf.intel.com with ESMTP; 09 Nov 2018 14:13:45 -0800 Subject: [PATCH 00/11] Additional patches for nvdimm security support From: Dave Jiang To: dan.j.williams@intel.com, zohar@linux.vnet.ibm.com Date: Fri, 09 Nov 2018 15:13:45 -0700 Message-ID: <154180093865.70506.6858789591063128903.stgit@djiang5-desk3.ch.intel.com> User-Agent: StGit/unknown-version MIME-Version: 1.0 X-BeenThere: linux-nvdimm@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Linux-nvdimm developer list." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-nvdimm@lists.01.org Errors-To: linux-nvdimm-bounces@lists.01.org Sender: "Linux-nvdimm" X-Virus-Scanned: ClamAV using ClamSMTP The following series adds additional support for nvdimm security. 1. Converted logon keys to encrypted-keys. 2. Add overwrite DSM support 3. Add DSM 1.8 master passphrase support The patch series is based off the branch from here: https://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm.git/log/?h=for-5.0/nvdimm-security Instead of squashing the previous changes, they are kept for history purposes to document how we arrived to the current iteration. Mimi, Patch 1 requires your ack as it makes changes to encrypted-keys by adding the nvdimm key format type. Dan wanted to restrict the key to 32bytes during creation. I also wouldn't mind if you take a look at patch 2 and make sure I'm providing correct usage of encrypted keys. Thank you! --- Dave Jiang (11): keys-encrypted: add nvdimm key format type to encrypted keys libnvdimm/security: change clear text nvdimm keys to encrypted keys libnvdimm/security: add override module param for key self verification libnvdimm/security: introduce NDD_SECURITY_BUSY flag acpi/nfit, libnvdimm/security: Add security DSM overwrite support tools/testing/nvdimm: Add overwrite support for nfit_test libnvdimm/security: add overwrite status notification libnvdimm/security: add documentation for ovewrite acpi/nfit, libnvdimm/security: add Intel DSM 1.8 master passphrase support tools/testing/nvdimm: add Intel DSM 1.8 support for nfit_test acpi/nfit: prevent indiscriminate DSM payload dumping for security DSMs Documentation/nvdimm/security.txt | 68 +++- drivers/acpi/nfit/Kconfig | 7 drivers/acpi/nfit/core.c | 31 ++ drivers/acpi/nfit/intel.c | 245 +++++++++++++++ drivers/acpi/nfit/intel.h | 22 + drivers/acpi/nfit/nfit.h | 7 drivers/nvdimm/core.c | 3 drivers/nvdimm/dimm.c | 3 drivers/nvdimm/dimm_devs.c | 50 +++ drivers/nvdimm/nd-core.h | 9 - drivers/nvdimm/nd.h | 19 + drivers/nvdimm/region_devs.c | 7 drivers/nvdimm/security.c | 496 +++++++++++++++++------------- include/linux/libnvdimm.h | 22 + security/keys/encrypted-keys/encrypted.c | 29 +- tools/testing/nvdimm/dimm_devs.c | 2 tools/testing/nvdimm/test/nfit.c | 141 +++++++++ 17 files changed, 895 insertions(+), 266 deletions(-) --