@@ -33,6 +33,11 @@ include::xable-bus-options.txt[]
--verbose::
Emit debug messages.
+-m::
+--master-passphrase::
+ Indicates that we are managing the master passphrase instead of the
+ user passphrase.
+
include::intel-nvdimm-security.txt[]
include::../copyright.txt[]
@@ -1028,7 +1028,8 @@ static int action_remove_passphrase(struct ndctl_dimm *dimm,
return -EOPNOTSUPP;
}
- return ndctl_dimm_remove_key(dimm);
+ return ndctl_dimm_remove_key(dimm, param.master_pass ? ND_MASTER_KEY :
+ ND_USER_KEY);
}
static int action_security_freeze(struct ndctl_dimm *dimm,
@@ -1285,6 +1286,12 @@ static const struct option sanitize_options[] = {
OPT_END(),
};
+static const struct option remove_options[] = {
+ BASE_OPTIONS(),
+ MASTER_OPTIONS(),
+ OPT_END(),
+};
+
static int dimm_action(int argc, const char **argv, struct ndctl_ctx *ctx,
int (*action)(struct ndctl_dimm *dimm, struct action_context *actx),
const struct option *options, const char *usage)
@@ -1586,9 +1593,9 @@ int cmd_setup_passphrase(int argc, const char **argv, struct ndctl_ctx *ctx)
int cmd_remove_passphrase(int argc, const char **argv, void *ctx)
{
- int count = dimm_action(argc, argv, ctx, action_remove_passphrase,
- base_options,
- "ndctl remove-passphrase <nmem0> [<nmem1>..<nmemN>] [<options>]");
+ int count = dimm_action(
+ argc, argv, ctx, action_remove_passphrase, remove_options,
+ "ndctl remove-passphrase <nmem0> [<nmem1>..<nmemN>] [<options>]");
fprintf(stderr, "passphrase removed for %d nmem%s.\n", count >= 0 ? count : 0,
count > 1 ? "s" : "");
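Review bot: The summary printed on the last two lines of the hunk says "passphrase removed" even when the command was run with the new `-m` option, so a user disabling the master passphrase gets a message that reads as if the user passphrase was removed. Since `param.master_pass` already selects the key type for the action, the same flag can select the noun: `fprintf(stderr, "%s removed for %d nmem%s.\n", param.master_pass ? "master passphrase" : "passphrase", count >= 0 ? count : 0, count > 1 ? "s" : "");`. The body of cmd_remove_passphrase continues past the end of the hunk, so the return value is not visible here.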
@@ -589,11 +589,11 @@ static int run_key_op(struct ndctl_dimm *dimm,
return 0;
}
-static int discard_key(struct ndctl_dimm *dimm)
+static int discard_key(struct ndctl_dimm *dimm, enum ndctl_key_type key_type)
{
int rc;
- rc = dimm_remove_key(dimm, ND_USER_KEY);
+ rc = dimm_remove_key(dimm, key_type);
if (rc < 0) {
fprintf(stderr, "Unable to cleanup key.\n");
return rc;
@@ -602,21 +602,25 @@ static int discard_key(struct ndctl_dimm *dimm)
return 0;
}
-int ndctl_dimm_remove_key(struct ndctl_dimm *dimm)
+int ndctl_dimm_remove_key(struct ndctl_dimm *dimm, enum ndctl_key_type key_type)
{
key_serial_t key;
int rc;
- key = check_dimm_key(dimm, true, ND_USER_KEY);
+ key = check_dimm_key(dimm, true, key_type);
if (key < 0)
return key;
- rc = run_key_op(dimm, key, ndctl_dimm_disable_passphrase,
- "remove passphrase");
+ if (key_type == ND_MASTER_KEY)
+ rc = run_key_op(dimm, key, ndctl_dimm_disable_master_passphrase,
+ "remove master passphrase");
+ else
+ rc = run_key_op(dimm, key, ndctl_dimm_disable_passphrase,
+ "remove passphrase");
if (rc < 0)
return rc;
- return discard_key(dimm);
+ return discard_key(dimm, key_type);
}
int ndctl_dimm_secure_erase_key(struct ndctl_dimm *dimm,
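Review bot: ndctl_dimm_remove_key gains a key_type parameter but no comment explains the contract, and the non-obvious part is that the keyring entry is discarded for both key types after a successful disable, whereas the secure-erase path in this same file keeps the master key and only discards the user key. A comment above the function along the lines of `/* Disable the DIMM passphrase selected by key_type (user or master) and, on success, drop the matching key from the keyring. Returns a negative value if the key is missing, the security op fails, or the key cleanup fails; in the last case the device op has already succeeded. */` would make the asymmetry with ndctl_dimm_secure_erase_key deliberate rather than accidental. Whether the master key should be discarded here depends on what the kernel does to the master passphrase on `disable_master`, which is not visible in this patch, so that is worth confirming against the kernel side.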
@@ -643,7 +647,7 @@ int ndctl_dimm_secure_erase_key(struct ndctl_dimm *dimm,
return rc;
if (key_type == ND_USER_KEY)
- return discard_key(dimm);
+ return discard_key(dimm, key_type);
return 0;
}
@@ -25,7 +25,8 @@ int ndctl_dimm_setup_key(struct ndctl_dimm *dimm, const char *kek,
enum ndctl_key_type key_type);
int ndctl_dimm_update_key(struct ndctl_dimm *dimm, const char *kek,
enum ndctl_key_type key_type);
-int ndctl_dimm_remove_key(struct ndctl_dimm *dimm);
+int ndctl_dimm_remove_key(struct ndctl_dimm *dimm,
+ enum ndctl_key_type key_type);
int ndctl_dimm_secure_erase_key(struct ndctl_dimm *dimm,
enum ndctl_key_type key_type);
int ndctl_dimm_overwrite_key(struct ndctl_dimm *dimm);
@@ -757,6 +757,15 @@ NDCTL_EXPORT int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm,
return write_security(dimm, buf);
}
+NDCTL_EXPORT int ndctl_dimm_disable_master_passphrase(struct ndctl_dimm *dimm,
+ long key)
+{
+ char buf[SYSFS_ATTR_SIZE];
+
+ sprintf(buf, "disable_master %ld\n", key);
+ return write_security(dimm, buf);
+}
+
NDCTL_EXPORT int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm)
{
return write_security(dimm, "freeze");
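Review bot: ndctl_dimm_disable_master_passphrase is a newly exported library entry point with no comment, and per the commit message the underlying `disable_master` operation exists only for CXL-backed devices, so callers on an NVDIMM whose kernel security interface does not recognise the verb will see the sysfs write fail rather than a capability error. A comment such as `/* Write "disable_master <key>" to the DIMM security attribute. Only devices whose kernel security interface implements the master-disable op accept this; otherwise the write fails. */` would set expectations for library users. The sprintf into the fixed SYSFS_ATTR_SIZE buffer cannot overflow with a `%ld` and a short literal, but `snprintf(buf, sizeof(buf), "disable_master %ld\n", key);` would bound it explicitly; the neighbouring ndctl_dimm_disable_passphrase appears to use the same sprintf pattern, so this is a consistency call rather than a defect.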
@@ -462,3 +462,6 @@ LIBNDCTL_26 {
LIBNDCTL_27 {
ndctl_dimm_refresh_flags;
} LIBNDCTL_26;
+LIBNDCTL_28 {
+ ndctl_dimm_disable_master_passphrase;
+} LIBNDCTL_27;
@@ -765,6 +765,7 @@ bool ndctl_dimm_security_is_frozen(struct ndctl_dimm *dimm);
int ndctl_dimm_update_passphrase(struct ndctl_dimm *dimm,
long ckey, long nkey);
int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm, long key);
+int ndctl_dimm_disable_master_passphrase(struct ndctl_dimm *dimm, long key);
int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm);
int ndctl_dimm_secure_erase(struct ndctl_dimm *dimm, long key);
int ndctl_dimm_overwrite(struct ndctl_dimm *dimm, long key);
The CXL spec supports disabling of master passphrase. This is a new operation that was not previously supported through the NVDIMM security interface. Add the -m option to the existing remove-passphrase to indicate that the passphrase is a master passphrase. Signed-off-by: Dave Jiang <dave.jiang@intel.com> --- v3: - Use -m option just like update-passphrase instead of a new command (Vishal) v2: - Add man page (Vishal) Documentation/ndctl/ndctl-remove-passphrase.txt | 5 +++++ ndctl/dimm.c | 15 +++++++++++---- ndctl/keys.c | 20 ++++++++++++-------- ndctl/keys.h | 3 ++- ndctl/lib/dimm.c | 9 +++++++++ ndctl/lib/libndctl.sym | 3 +++ ndctl/libndctl.h | 1 + 7 files changed, 43 insertions(+), 13 deletions(-)