@@ -49,6 +49,7 @@ man1_MANS = \
ndctl-update-security.1 \
ndctl-disable-security.1 \
ndctl-freeze-security.1 \
+ ndctl-secure-erase.1 \
ndctl-list.1
CLEANFILES = $(man1_MANS)
new file mode 100644
@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: GPL-2.0
+
+ndctl-secure-erase(1)
+=====================
+
+NAME
+----
+ndctl-secure-erase - securely erasing the user data on the NVDIMM
+
+SYNOPSIS
+--------
+[verse]
+'ndctl secure-erase' <dimm>
+
+DESCRIPTION
+-----------
+Provide a generic interface to securely erase NVDIMM. This does not change
+the label storage area. The use of this depends on support from the underlying
+libndctl, kernel, as well as the platform itself.
+
+include::../copyright.txt[]
@@ -50,4 +50,5 @@ int cmd_inject_smart(int argc, const char **argv, void *ctx);
int cmd_update_security(int argc, const char **argv, void *ctx);
int cmd_disable_security(int argc, const char **argv, void *ctx);
int cmd_freeze_security(int argc, const char **argv, void *ctx);
+int cmd_secure_erase(int argc, const char **argv, void *ctx);
#endif /* _NDCTL_BUILTIN_H_ */
@@ -857,6 +857,17 @@ static int action_security_freeze(struct ndctl_dimm *dimm,
return rc;
}
+static int action_secure_erase(struct ndctl_dimm *dimm,
+ struct action_context *actx)
+{
+ int rc;
+
+ rc = ndctl_dimm_secure_erase(dimm);
+ if (rc < 0)
+ error("Failed to secure erase for %s\n",
+ ndctl_dimm_get_devname(dimm));
+ return rc;
+}
static struct parameters {
const char *bus;
const char *outfile;
@@ -1244,3 +1255,13 @@ int cmd_freeze_security(int argc, const char **argv, void *ctx)
count > 1 ? "s" : "");
return count >= 0 ? 0 : EXIT_FAILURE;
}
+
+int cmd_secure_erase(int argc, const char **argv, void *ctx)
+{
+ int count = dimm_action(argc, argv, ctx, action_secure_erase, base_options,
+ "ndctl secure-erase <nmem0> [<nmem1>..<nmemN>] [<options>]");
+
+ fprintf(stderr, "secure erased %d nmem%s.\n", count >= 0 ? count : 0,
+ count > 1 ? "s" : "");
+ return count >= 0 ? 0 : EXIT_FAILURE;
+}
@@ -625,3 +625,8 @@ NDCTL_EXPORT int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm)
{
return ndctl_dimm_write_security(dimm, "freeze");
}
+
+NDCTL_EXPORT int ndctl_dimm_secure_erase(struct ndctl_dimm *dimm)
+{
+ return ndctl_dimm_write_security(dimm, "erase");
+}
@@ -375,4 +375,5 @@ global:
ndctl_dimm_set_change_key;
ndctl_dimm_disable_security;
ndctl_dimm_freeze_security;
+ ndctl_dimm_secure_erase;
} LIBNDCTL_16;
@@ -663,6 +663,7 @@ int ndctl_dimm_get_security_state(struct ndctl_dimm *dimm, char *state);
int ndctl_dimm_set_change_key(struct ndctl_dimm *dimm);
int ndctl_dimm_disable_security(struct ndctl_dimm *dimm);
int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm);
+int ndctl_dimm_secure_erase(struct ndctl_dimm *dimm);
#ifdef __cplusplus
} /* extern "C" */
@@ -91,6 +91,7 @@ static struct cmd_struct commands[] = {
{ "update-security", cmd_update_security },
{ "disable-security", cmd_disable_security },
{ "freeze-security", cmd_freeze_security },
+ { "secure-erase", cmd_secure_erase },
{ "list", cmd_list },
{ "help", cmd_help },
#ifdef ENABLE_TEST
Add support for secure erase to libndctl and also command line option of "secure-erase" for ndctl. This will initiate the request to securely erase a DIMM. ndctl does not actually handle the verification of the security. That is handled by the kernel and the key upcall mechanism. Signed-off-by: Dave Jiang <dave.jiang@intel.com> --- Documentation/ndctl/Makefile.am | 1 + Documentation/ndctl/ndctl-secure-erase.txt | 21 +++++++++++++++++++++ builtin.h | 1 + ndctl/dimm.c | 21 +++++++++++++++++++++ ndctl/lib/dimm.c | 5 +++++ ndctl/lib/libndctl.sym | 1 + ndctl/libndctl.h | 1 + ndctl/ndctl.c | 1 + 8 files changed, 52 insertions(+) create mode 100644 Documentation/ndctl/ndctl-secure-erase.txt