From patchwork Mon Jan 14 20:06:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Jiang X-Patchwork-Id: 10763363 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A6E3114E5 for ; Mon, 14 Jan 2019 20:16:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 96A5E2864F for ; Mon, 14 Jan 2019 20:16:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8A973292C8; Mon, 14 Jan 2019 20:16:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from ml01.01.org (ml01.01.org [198.145.21.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 1ED0E28F37 for ; Mon, 14 Jan 2019 20:16:38 +0000 (UTC) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 91913211B737E; Mon, 14 Jan 2019 12:16:33 -0800 (PST) X-Original-To: linux-nvdimm@lists.01.org Delivered-To: linux-nvdimm@lists.01.org Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.136; helo=mga12.intel.com; envelope-from=dave.jiang@intel.com; receiver=linux-nvdimm@lists.01.org Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 58F0E21959CB2 for ; Mon, 14 Jan 2019 12:06:59 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Jan 2019 12:06:59 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,478,1539673200"; d="scan'208";a="116705174" Received: from djiang5-desk3.ch.intel.com ([143.182.136.93]) by fmsmga008.fm.intel.com with ESMTP; 14 Jan 2019 12:06:58 -0800 Subject: [PATCH v8 04/12] ndctl: add support for freeze security From: Dave Jiang To: vishal.l.verma@intel.com, dan.j.williams@intel.com Date: Mon, 14 Jan 2019 13:06:58 -0700 Message-ID: <154749641859.63704.12807813922780466193.stgit@djiang5-desk3.ch.intel.com> In-Reply-To: <154749627829.63704.2987015129166185725.stgit@djiang5-desk3.ch.intel.com> References: <154749627829.63704.2987015129166185725.stgit@djiang5-desk3.ch.intel.com> User-Agent: StGit/unknown-version MIME-Version: 1.0 X-BeenThere: linux-nvdimm@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Linux-nvdimm developer list." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-nvdimm@lists.01.org Errors-To: linux-nvdimm-bounces@lists.01.org Sender: "Linux-nvdimm" X-Virus-Scanned: ClamAV using ClamSMTP Add support for freeze security to libndctl and also command line option of "freeze-security" for ndctl. This will lock the ability to make changes to the NVDIMM security. Signed-off-by: Dave Jiang --- Documentation/ndctl/Makefile.am | 3 ++- Documentation/ndctl/ndctl-freeze-security.txt | 20 ++++++++++++++++++ ndctl/builtin.h | 1 + ndctl/dimm.c | 28 +++++++++++++++++++++++++ ndctl/lib/dimm.c | 5 ++++ ndctl/lib/libndctl.sym | 1 + ndctl/libndctl.h | 1 + ndctl/ndctl.c | 1 + 8 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 Documentation/ndctl/ndctl-freeze-security.txt diff --git a/Documentation/ndctl/Makefile.am b/Documentation/ndctl/Makefile.am index 31570a77..a97f193d 100644 --- a/Documentation/ndctl/Makefile.am +++ b/Documentation/ndctl/Makefile.am @@ -50,7 +50,8 @@ man1_MANS = \ ndctl-monitor.1 \ ndctl-enable-passphrase.1 \ ndctl-update-passphrase.1 \ - ndctl-disable-passphrase.1 + ndctl-disable-passphrase.1 \ + ndctl-freeze-security.1 CLEANFILES = $(man1_MANS) diff --git a/Documentation/ndctl/ndctl-freeze-security.txt b/Documentation/ndctl/ndctl-freeze-security.txt new file mode 100644 index 00000000..4e9d2d61 --- /dev/null +++ b/Documentation/ndctl/ndctl-freeze-security.txt @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0 + +ndctl-freeze-security(1) +======================== + +NAME +---- +ndctl-freeze-security - enabling or freeze the security for an NVDIMM + +SYNOPSIS +-------- +[verse] +'ndctl freeze-security' + +DESCRIPTION +----------- +Provide a generic interface to freeze the security for NVDIMM. Once security +is frozen, no other security operations can succeed until reboot happens. + +include::../copyright.txt[] diff --git a/ndctl/builtin.h b/ndctl/builtin.h index 821ea690..f7469598 100644 --- a/ndctl/builtin.h +++ b/ndctl/builtin.h @@ -35,4 +35,5 @@ int cmd_inject_smart(int argc, const char **argv, struct ndctl_ctx *ctx); int cmd_passphrase_setup(int argc, const char **argv, struct ndctl_ctx *ctx); int cmd_passphrase_update(int argc, const char **argv, struct ndctl_ctx *ctx); int cmd_disable_passphrase(int argc, const char **argv, struct ndctl_ctx *ctx); +int cmd_freeze_security(int argc, const char **argv, struct ndctl_ctx *ctx); #endif /* _NDCTL_BUILTIN_H_ */ diff --git a/ndctl/dimm.c b/ndctl/dimm.c index 4f0466a1..19301791 100644 --- a/ndctl/dimm.c +++ b/ndctl/dimm.c @@ -876,6 +876,24 @@ static int action_passphrase_disable(struct ndctl_dimm *dimm, return ndctl_dimm_disable_key(dimm, param.key_path); } +static int action_security_freeze(struct ndctl_dimm *dimm, + struct action_context *actx) +{ + int rc; + + if (!ndctl_dimm_security_supported(dimm)) { + error("%s: security operation not supported\n", + ndctl_dimm_get_devname(dimm)); + return -EOPNOTSUPP; + } + + rc = ndctl_dimm_freeze_security(dimm); + if (rc < 0) + error("Failed to freeze security for %s\n", + ndctl_dimm_get_devname(dimm)); + return rc; +} + static int __action_init(struct ndctl_dimm *dimm, enum ndctl_namespace_version version, int chk_only) { @@ -1285,3 +1303,13 @@ int cmd_disable_passphrase(int argc, const char **argv, void *ctx) count > 1 ? "s" : ""); return count >= 0 ? 0 : EXIT_FAILURE; } + +int cmd_freeze_security(int argc, const char **argv, void *ctx) +{ + int count = dimm_action(argc, argv, ctx, action_security_freeze, base_options, + "ndctl freeze-security [..] []"); + + fprintf(stderr, "security freezed %d nmem%s.\n", count >= 0 ? count : 0, + count > 1 ? "s" : ""); + return count >= 0 ? 0 : EXIT_FAILURE; +} diff --git a/ndctl/lib/dimm.c b/ndctl/lib/dimm.c index 076ccbf6..8f0f0486 100644 --- a/ndctl/lib/dimm.c +++ b/ndctl/lib/dimm.c @@ -672,3 +672,8 @@ NDCTL_EXPORT int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm, sprintf(buf, "disable %ld\n", key); return write_security(dimm, buf); } + +NDCTL_EXPORT int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm) +{ + return write_security(dimm, "freeze"); +} diff --git a/ndctl/lib/libndctl.sym b/ndctl/lib/libndctl.sym index 90038e75..a1c56060 100644 --- a/ndctl/lib/libndctl.sym +++ b/ndctl/lib/libndctl.sym @@ -395,4 +395,5 @@ global: ndctl_dimm_update_passphrase; ndctl_dimm_disable_passphrase; ndctl_dimm_disable_key; + ndctl_dimm_freeze_security; } LIBNDCTL_18; diff --git a/ndctl/libndctl.h b/ndctl/libndctl.h index b1192960..3862bbfd 100644 --- a/ndctl/libndctl.h +++ b/ndctl/libndctl.h @@ -702,6 +702,7 @@ bool ndctl_dimm_security_supported(struct ndctl_dimm *dimm); int ndctl_dimm_update_passphrase(struct ndctl_dimm *dimm, long ckey, long nkey); int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm, long key); +int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm); enum ndctl_key_type { ND_USER_KEY, diff --git a/ndctl/ndctl.c b/ndctl/ndctl.c index 21f1b834..da8dce11 100644 --- a/ndctl/ndctl.c +++ b/ndctl/ndctl.c @@ -91,6 +91,7 @@ static struct cmd_struct commands[] = { { "enable-passphrase", { cmd_passphrase_setup } }, { "update-passphrase", { cmd_passphrase_update } }, { "disable-passphrase", { cmd_disable_passphrase } }, + { "freeze-security", { cmd_freeze_security } }, { "list", { cmd_list } }, { "monitor", { cmd_monitor } }, { "help", { cmd_help } },