From: Dave Jiang
To: dan.j.williams@intel.com
Cc: linux-nvdimm@lists.01.org
Date: Thu, 13 Dec 2018 16:47:57 -0700
Subject: [PATCH v15 00/16] Adding security support for nvdimm
Message-ID: <154474458351.64529.4227918957466268448.stgit@djiang5-desk3.ch.intel.com>
X-Patchwork-Id: 10730083

The following series implements security support for nvdimm based on
Intel DSM spec v1.8. The passphrase is protected by encrypted-key and
managed through the kernel key management framework. The security
features supported are security state show, passphrase enable/update,
passphrase disable, crypto erase, overwrite, and master passphrase
enable/update and erase. Instead of allowing the security DSMs to be
issued via ioctl, the features are managed through a sysfs attribute
that accepts the relevant keyid for the encrypted-key(s).

v15:
- Fixed !SMP x86 build. (0-day)
- Misc fixes to overwrite (Dan)
- Changed NDD_SECURITY_BUSY to NDD_SECURITY_OVERWRITE and
  NDD_SECURITY_OVERWRITE to NDD_WORK_PENDING. (Dan)
- Fixed shutdown path to handle work item cancellation and added bus
  lock. (Dan)

v14:
- Cleanup security_store input parsing. (Dan)
- Move overwrite query to system workqueue. (Dan)
- Add code to cleanup work items on nvdimm removal. (Dan)
- Add nvdimm bus locking for overwrite query.
  (Dan)
- Make parameter to determine passphrase type an enum. (Dan)
- Remove master passphrase states and reuse existing states. (Dan)
- Cleanup C99 initialization. (Dan)
- Fix typos and grammar errors in documentation. (Jing)

v13:
- Rebased to v4.20-rc5 and combined/squashed various patches from the
  two patch series. Various cleanups from Dan. (Mimi)
- Change encrypted-key nvdimm key format to enc32 key format to make it
  generic for future usages. (Dan)
- Output error code for nvdimm_setup_security_events() failure. (Robert)
- Make nfit_test output consistent. (Robert)

v12:
- Add a mutex for the cached key and remove key_get/key_put messiness
  (Dan)
- Move security code to its own C file and wrap under
  CONFIG_NVDIMM_SECURITY in order to fix issue reported by 0-day build
  without CONFIG_KEYS.

v11:
- Dropped keyring usage. (David)
- Fixed up scanf handling. (David)
- Removed callout info for request_key(). (David)
- Included Dan's patches and folded in some changes from Dan. (Dan)
- Made security_show a weak function to allow test override. (Dan)

v10:
- Change usage of strcmp to sysfs_streq. (Dan)
- Lock nvdimm bus when doing secure erase. (Dan)
- Change dev_info to dev_dbg for dimm unlocked success output. (Dan)

v9:
- Addressed various misc comments. (David, Dan)
- Removed init_cred and replaced with current_cred(). (David)
- Changed NVDIMM_PREFIX to char[] constant (David)
- Moved NVDIMM_PREFIX to include/uapi/linux/ndctl.h (Dan)
- Reworked security_update to use old user key to verify against kernel
  key and then update with new user key. (David)
- Added requirement of disable and erase to require old user key for
  verify. (Dan)
- Updated documentation. (Dave)

v8:
- Make the keys retained by the kernel user searchable in order to find
  the key that needs to be updated for key update.

v7:
- Add CONFIG_KEYS dependency for libnvdimm. (Alison)
- Export lookup_user_key().
  (David)
- Modified "update" to take two key ids and use lookup_user_key() in
  order to improve security. (David)
- Use key ptrs and key_validate() for cached keys. (David)

v6:
- Fix intel DSM data structures to use defined size for passphrase
  (Robert)
- Fix memcpy size to use sizeof data structure member (Robert)
- Fix defined dimm id length (Robert)
- Making intel_security_ops const (Eric)
- Remove unused var in nvdimm_key_search() (Eric)
- Added wbinvd before secure erase is issued (Robert)
- Removed key_put_sync() usage (David)
- Use init_cred instead of creating own cred (David)
- Exported init_cred symbol
- Move keyring to dedicated (David)
- Use logon_key_type and friends instead of creating custom (David)
- Use key_lookup() with stored key serial (David)
- Exported key_lookup() symbol
- Mark passed in key data as const (David)
- Added comment for change_pass_phrase to explain how it works (David)
- Unlink key when it's being removed from keyring. (David)
- Removed request_key() from all security ops except update and unlock.
- Update will now update the existing key's payload with the new key's
  retrieved from userspace when the new payload is accepted by nvdimm.

v5:
- Moved dimm_id initialization (Dan)
- Added a key_put_sync() in order to run key_gc_work and cleanup old
  key. (Dan)
- Added check to block security state changes while DIMM is active.
  (Dan)

v4:
- flip payload layout for update passphrase to make it easier on
  userland.

v3:
- Set x86 wrappers for x86 only bits. (Dan)
- Fixed up some verbiage in commit headers.
- Put in usage of sysfs_streq() for sysfs inputs.
- 0-day build fixes for non-x86 archs.

v2:
- Move inclusion of intel.h to relevant source files and not in nfit.h.
  (Dan)
- Moved security ring relevant code to dimm_devs.c. (Dan)
- Added dimm_id to nfit_mem to avoid recreate per sysfs show call. (Dan)
- Added routine to return security_ops based on family supplied. (Dan)
- Added nvdimm_key_data struct to wrap raw passphrase string.
  (Dan)
- Allocate firmware package on stack. (Dan)
- Added missing frozen state detection when retrieving security state.

---

Dan Williams (1):
      acpi/nfit, libnvdimm: Add unlock of nvdimm support for Intel DIMMs

Dave Jiang (15):
      acpi/nfit: Add support for Intel DSM 1.8 commands
      acpi/nfit, libnvdimm: Store dimm id as a member to struct nvdimm
      keys: Export lookup_user_key to external users
      keys-encrypted: add nvdimm key format type to encrypted keys
      acpi/nfit, libnvdimm: Introduce nvdimm_security_ops
      acpi/nfit, libnvdimm: Add freeze security support to Intel nvdimm
      acpi/nfit, libnvdimm: Add disable passphrase support to Intel nvdimm.
      acpi/nfit, libnvdimm: Add enable/update passphrase support for Intel nvdimms
      acpi/nfit, libnvdimm: Add support for issue secure erase DSM to Intel nvdimm
      acpi/nfit, libnvdimm/security: Add security DSM overwrite support
      acpi/nfit, libnvdimm/security: add Intel DSM 1.8 master passphrase support
      tools/testing/nvdimm: Add test support for Intel nvdimm security DSMs
      tools/testing/nvdimm: Add overwrite support for nfit_test
      tools/testing/nvdimm: add Intel DSM 1.8 support for nfit_test
      libnvdimm/security: Add documentation for nvdimm security support

 Documentation/nvdimm/security.txt                 |  141 +++++++
 Documentation/security/keys/trusted-encrypted.rst |    6
 drivers/acpi/nfit/Kconfig                         |   11 +
 drivers/acpi/nfit/Makefile                        |    1
 drivers/acpi/nfit/core.c                          |   93 ++++
 drivers/acpi/nfit/intel.c                         |  390 ++++++++++++++++++
 drivers/acpi/nfit/intel.h                         |   76 ++++
 drivers/acpi/nfit/nfit.h                          |   24 +
 drivers/nvdimm/Kconfig                            |    4
 drivers/nvdimm/Makefile                           |    1
 drivers/nvdimm/bus.c                              |   31 +
 drivers/nvdimm/dimm.c                             |   16 +
 drivers/nvdimm/dimm_devs.c                        |  210 +++++++++-
 drivers/nvdimm/nd-core.h                          |   29 +
 drivers/nvdimm/nd.h                               |    8
 drivers/nvdimm/region_devs.c                      |    5
 drivers/nvdimm/security.c                         |  454 +++++++++++++++++++++
 include/linux/key.h                               |    3
 include/linux/libnvdimm.h                         |   76 +++-
 security/keys/encrypted-keys/encrypted.c          |   29 +
 security/keys/internal.h                          |    2
 security/keys/process_keys.c                      |    1
 tools/testing/nvdimm/Kbuild                       |    3
 tools/testing/nvdimm/dimm_devs.c                  |   41 ++
 tools/testing/nvdimm/test/nfit.c                  |  321 +++++++++++++++
 25 files changed, 1931 insertions(+), 45 deletions(-)
 create mode 100644 Documentation/nvdimm/security.txt
 create mode 100644 drivers/acpi/nfit/intel.c
 create mode 100644 drivers/nvdimm/security.c
 create mode 100644 tools/testing/nvdimm/dimm_devs.c

--