| Message ID | 154749641859.63704.12807813922780466193.stgit@djiang5-desk3.ch.intel.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | ndctl: add security support | expand |
On Mon, Jan 14, 2019 at 12:07 PM Dave Jiang <dave.jiang@intel.com> wrote: > > Add support for freeze security to libndctl and also command line option > of "freeze-security" for ndctl. This will lock the ability to make changes > to the NVDIMM security. > > Signed-off-by: Dave Jiang <dave.jiang@intel.com> > --- > Documentation/ndctl/Makefile.am | 3 ++- > Documentation/ndctl/ndctl-freeze-security.txt | 20 ++++++++++++++++++ > ndctl/builtin.h | 1 + > ndctl/dimm.c | 28 +++++++++++++++++++++++++ > ndctl/lib/dimm.c | 5 ++++ > ndctl/lib/libndctl.sym | 1 + > ndctl/libndctl.h | 1 + > ndctl/ndctl.c | 1 + > 8 files changed, 59 insertions(+), 1 deletion(-) > create mode 100644 Documentation/ndctl/ndctl-freeze-security.txt > > diff --git a/Documentation/ndctl/Makefile.am b/Documentation/ndctl/Makefile.am > index 31570a77..a97f193d 100644 > --- a/Documentation/ndctl/Makefile.am > +++ b/Documentation/ndctl/Makefile.am > @@ -50,7 +50,8 @@ man1_MANS = \ > ndctl-monitor.1 \ > ndctl-enable-passphrase.1 \ > ndctl-update-passphrase.1 \ > - ndctl-disable-passphrase.1 > + ndctl-disable-passphrase.1 \ > + ndctl-freeze-security.1 > > CLEANFILES = $(man1_MANS) > > diff --git a/Documentation/ndctl/ndctl-freeze-security.txt b/Documentation/ndctl/ndctl-freeze-security.txt > new file mode 100644 > index 00000000..4e9d2d61 > --- /dev/null > +++ b/Documentation/ndctl/ndctl-freeze-security.txt > @@ -0,0 +1,20 @@ > +// SPDX-License-Identifier: GPL-2.0 > + > +ndctl-freeze-security(1) > +======================== > + > +NAME > +---- > +ndctl-freeze-security - enabling or freeze the security for an NVDIMM What is it "enabling"? I would just say: "Set the given DIMM(s) to reject future security operations" > + > +SYNOPSIS > +-------- > +[verse] > +'ndctl freeze-security' <dimm> Code says: ndctl freeze-security <nmem0> [<nmem1>..<nmemN>] [<options>] ...I'm assuming the multiple nmem support is true, but there are no extra options? ...and now that I say that out loud, I think all of these commands should support -v/--verbose to turn on libndctl debug. > + > +DESCRIPTION > +----------- > +Provide a generic interface to freeze the security for NVDIMM. That can go, it reads like a changelog, not a man page. > Once security > +is frozen, no other security operations can succeed until reboot happens. "Prevent any further security operations on the given DIMMs until the next reboot. This is used in scenarios where the administrator has taken all expected security actions for the current boot and wants the DIMM to enforce / lock the current state." An example section might show some before and after "ndctl list" data for the DIMM and perhaps the state changes of the /etc/ndctl/keys directory.
diff --git a/Documentation/ndctl/Makefile.am b/Documentation/ndctl/Makefile.am index 31570a77..a97f193d 100644 --- a/Documentation/ndctl/Makefile.am +++ b/Documentation/ndctl/Makefile.am @@ -50,7 +50,8 @@ man1_MANS = \ ndctl-monitor.1 \ ndctl-enable-passphrase.1 \ ndctl-update-passphrase.1 \ - ndctl-disable-passphrase.1 + ndctl-disable-passphrase.1 \ + ndctl-freeze-security.1 CLEANFILES = $(man1_MANS) diff --git a/Documentation/ndctl/ndctl-freeze-security.txt b/Documentation/ndctl/ndctl-freeze-security.txt new file mode 100644 index 00000000..4e9d2d61 --- /dev/null +++ b/Documentation/ndctl/ndctl-freeze-security.txt @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0 + +ndctl-freeze-security(1) +======================== + +NAME +---- +ndctl-freeze-security - enabling or freeze the security for an NVDIMM + +SYNOPSIS +-------- +[verse] +'ndctl freeze-security' <dimm> + +DESCRIPTION +----------- +Provide a generic interface to freeze the security for NVDIMM. Once security +is frozen, no other security operations can succeed until reboot happens. + +include::../copyright.txt[] diff --git a/ndctl/builtin.h b/ndctl/builtin.h index 821ea690..f7469598 100644 --- a/ndctl/builtin.h +++ b/ndctl/builtin.h @@ -35,4 +35,5 @@ int cmd_inject_smart(int argc, const char **argv, struct ndctl_ctx *ctx); int cmd_passphrase_setup(int argc, const char **argv, struct ndctl_ctx *ctx); int cmd_passphrase_update(int argc, const char **argv, struct ndctl_ctx *ctx); int cmd_disable_passphrase(int argc, const char **argv, struct ndctl_ctx *ctx); +int cmd_freeze_security(int argc, const char **argv, struct ndctl_ctx *ctx); #endif /* _NDCTL_BUILTIN_H_ */ diff --git a/ndctl/dimm.c b/ndctl/dimm.c index 4f0466a1..19301791 100644 --- a/ndctl/dimm.c +++ b/ndctl/dimm.c @@ -876,6 +876,24 @@ static int action_passphrase_disable(struct ndctl_dimm *dimm, return ndctl_dimm_disable_key(dimm, param.key_path); } +static int action_security_freeze(struct ndctl_dimm *dimm, + struct action_context *actx) +{ + int rc; + + if (!ndctl_dimm_security_supported(dimm)) { + error("%s: security operation not supported\n", + ndctl_dimm_get_devname(dimm)); + return -EOPNOTSUPP; + } + + rc = ndctl_dimm_freeze_security(dimm); + if (rc < 0) + error("Failed to freeze security for %s\n", + ndctl_dimm_get_devname(dimm)); + return rc; +} + static int __action_init(struct ndctl_dimm *dimm, enum ndctl_namespace_version version, int chk_only) { @@ -1285,3 +1303,13 @@ int cmd_disable_passphrase(int argc, const char **argv, void *ctx) count > 1 ? "s" : ""); return count >= 0 ? 0 : EXIT_FAILURE; } + +int cmd_freeze_security(int argc, const char **argv, void *ctx) +{ + int count = dimm_action(argc, argv, ctx, action_security_freeze, base_options, + "ndctl freeze-security <nmem0> [<nmem1>..<nmemN>] [<options>]"); + + fprintf(stderr, "security freezed %d nmem%s.\n", count >= 0 ? count : 0, + count > 1 ? "s" : ""); + return count >= 0 ? 0 : EXIT_FAILURE; +} diff --git a/ndctl/lib/dimm.c b/ndctl/lib/dimm.c index 076ccbf6..8f0f0486 100644 --- a/ndctl/lib/dimm.c +++ b/ndctl/lib/dimm.c @@ -672,3 +672,8 @@ NDCTL_EXPORT int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm, sprintf(buf, "disable %ld\n", key); return write_security(dimm, buf); } + +NDCTL_EXPORT int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm) +{ + return write_security(dimm, "freeze"); +} diff --git a/ndctl/lib/libndctl.sym b/ndctl/lib/libndctl.sym index 90038e75..a1c56060 100644 --- a/ndctl/lib/libndctl.sym +++ b/ndctl/lib/libndctl.sym @@ -395,4 +395,5 @@ global: ndctl_dimm_update_passphrase; ndctl_dimm_disable_passphrase; ndctl_dimm_disable_key; + ndctl_dimm_freeze_security; } LIBNDCTL_18; diff --git a/ndctl/libndctl.h b/ndctl/libndctl.h index b1192960..3862bbfd 100644 --- a/ndctl/libndctl.h +++ b/ndctl/libndctl.h @@ -702,6 +702,7 @@ bool ndctl_dimm_security_supported(struct ndctl_dimm *dimm); int ndctl_dimm_update_passphrase(struct ndctl_dimm *dimm, long ckey, long nkey); int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm, long key); +int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm); enum ndctl_key_type { ND_USER_KEY, diff --git a/ndctl/ndctl.c b/ndctl/ndctl.c index 21f1b834..da8dce11 100644 --- a/ndctl/ndctl.c +++ b/ndctl/ndctl.c @@ -91,6 +91,7 @@ static struct cmd_struct commands[] = { { "enable-passphrase", { cmd_passphrase_setup } }, { "update-passphrase", { cmd_passphrase_update } }, { "disable-passphrase", { cmd_disable_passphrase } }, + { "freeze-security", { cmd_freeze_security } }, { "list", { cmd_list } }, { "monitor", { cmd_monitor } }, { "help", { cmd_help } },
Add support for freeze security to libndctl and also command line option of "freeze-security" for ndctl. This will lock the ability to make changes to the NVDIMM security. Signed-off-by: Dave Jiang <dave.jiang@intel.com> --- Documentation/ndctl/Makefile.am | 3 ++- Documentation/ndctl/ndctl-freeze-security.txt | 20 ++++++++++++++++++ ndctl/builtin.h | 1 + ndctl/dimm.c | 28 +++++++++++++++++++++++++ ndctl/lib/dimm.c | 5 ++++ ndctl/lib/libndctl.sym | 1 + ndctl/libndctl.h | 1 + ndctl/ndctl.c | 1 + 8 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 Documentation/ndctl/ndctl-freeze-security.txt