From patchwork Wed Sep 21 21:02:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Jiang X-Patchwork-Id: 12984150 Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8EBFA7C for ; Wed, 21 Sep 2022 21:02:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1663794163; x=1695330163; h=subject:from:to:cc:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=GULeu/RFvUc9KSKnjHluC8brt8xJw9osYPaSSwzRAas=; b=NBhy/mPt93tbMZoRgX4WGICBNSb+rcUsO9+C7FLUY/7nIH/TmwjGr+O1 o7c9BK4rld3CU/uf3FmtRBLRIsCifpHaNNmi5N2Fe88O69gVSHWCc6dr7 k4uv3TG3j3oQMwy9j1dRqK3eOtPxatMIw3p+feQNDLfnfyM/ZW7yXUqPc En7E7jLkMOx+NGZ8RRMnd4WLBgFNoTlwRBRcCaqe1OYRKbHa5PuMMr+2j DN6tSpZOen1TuUTTXQIquqpSeOAUpSU9DZr0VDkz6jg6j818HtOb3kXck r2N3oOimDN/WYj9iWs0ODKEz7kdiFPDyhW7FfRazU8N5G0MsiN6avZ2CO w==; X-IronPort-AV: E=McAfee;i="6500,9779,10477"; a="279848610" X-IronPort-AV: E=Sophos;i="5.93,334,1654585200"; d="scan'208";a="279848610" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Sep 2022 14:02:42 -0700 X-IronPort-AV: E=Sophos;i="5.93,334,1654585200"; d="scan'208";a="681934762" Received: from djiang5-desk3.ch.intel.com ([143.182.136.137]) by fmsmga008-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Sep 2022 14:02:42 -0700 Subject: [PATCH 1/4] ndctl: add cxl bus detection 
From: Dave Jiang To: linux-cxl@vger.kernel.org, nvdimm@lists.linux.dev Cc: vishal.l.verma@intel.com Date: Wed, 21 Sep 2022 14:02:42 -0700 Message-ID: <166379416245.433612.3109623615684575549.stgit@djiang5-desk3.ch.intel.com> In-Reply-To: <166379397620.433612.13099557870939895846.stgit@djiang5-desk3.ch.intel.com> References: <166379397620.433612.13099557870939895846.stgit@djiang5-desk3.ch.intel.com> User-Agent: StGit/1.4 Precedence: bulk X-Mailing-List: nvdimm@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add helper function to detect that the bus is cxl based. Signed-off-by: Dave Jiang Reviewed-by: Alison Schofield --- ndctl/lib/libndctl.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++ ndctl/lib/libndctl.sym | 1 + ndctl/lib/private.h | 1 + ndctl/libndctl.h | 1 + 4 files changed, 56 insertions(+) diff --git a/ndctl/lib/libndctl.c b/ndctl/lib/libndctl.c index ad54f0626510..10422e24d38b 100644 --- a/ndctl/lib/libndctl.c +++ b/ndctl/lib/libndctl.c @@ -12,6 +12,7 @@ #include #include #include +#include #include #include #include 
@@ -876,6 +877,48 @@ static enum ndctl_fwa_method fwa_method_to_method(const char *fwa_method) return NDCTL_FWA_METHOD_RESET; } +static int is_ndbus_cxl(const char *ctl_base) +{ + char *path, *ppath, *subsys; + char tmp_path[PATH_MAX]; + int rc; + + /* get the real path of ctl_base */ + path = realpath(ctl_base, NULL); + if (!path) + return -errno; + + /* setup to get the nd bridge device backing the ctl */ + sprintf(tmp_path, "%s/device", path); + free(path); + + path = realpath(tmp_path, NULL); + if (!path) + return -errno; + + /* get the parent dir of the ndbus, which should be the nvdimm-bridge */ + ppath = dirname(path); + + /* setup to get the subsystem of the nvdimm-bridge */ + sprintf(tmp_path, "%s/%s", ppath, "subsystem"); + free(path); + + path = realpath(tmp_path, NULL); + if (!path) + return -errno; + + subsys = basename(path); + + /* check if subsystem is cxl */ + if (!strcmp(subsys, "cxl")) + rc = 1; + else + rc = 0; + + free(path); + return rc; +} + static void *add_bus(void *parent, int id, const char *ctl_base) { char buf[SYSFS_ATTR_SIZE]; @@ -919,6 +962,11 @@ static void *add_bus(void *parent, int id, const char *ctl_base) else bus->has_of_node = 1; + if (is_ndbus_cxl(ctl_base)) + bus->has_cxl = 1; + else + bus->has_cxl = 0; + sprintf(path, "%s/device/nfit/dsm_mask", ctl_base); if (sysfs_read_attr(ctx, path, buf) < 0) bus->nfit_dsm_mask = 0; @@ -1050,6 +1098,11 @@ NDCTL_EXPORT int ndctl_bus_has_of_node(struct ndctl_bus *bus) return bus->has_of_node; } +NDCTL_EXPORT int ndctl_bus_has_cxl(struct ndctl_bus *bus) +{ + return bus->has_cxl; +} + NDCTL_EXPORT int ndctl_bus_is_papr_scm(struct ndctl_bus *bus) { char buf[SYSFS_ATTR_SIZE]; diff --git a/ndctl/lib/libndctl.sym b/ndctl/lib/libndctl.sym index c933163c0380..3a3e8bbd63ef 100644 --- a/ndctl/lib/libndctl.sym +++ b/ndctl/lib/libndctl.sym @@ -465,4 +465,5 @@ LIBNDCTL_27 { LIBNDCTL_28 { ndctl_dimm_disable_master_passphrase; + ndctl_bus_has_cxl; } LIBNDCTL_27; 
diff --git a/ndctl/lib/private.h b/ndctl/lib/private.h index e5c56295556d..46bc8908bd90 100644 --- a/ndctl/lib/private.h +++ b/ndctl/lib/private.h @@ -163,6 +163,7 @@ struct ndctl_bus { int regions_init; int has_nfit; int has_of_node; + int has_cxl; char *bus_path; char *bus_buf; size_t buf_len; diff --git a/ndctl/libndctl.h b/ndctl/libndctl.h index c52e82a6f826..91ef0f42f654 100644 --- a/ndctl/libndctl.h +++ b/ndctl/libndctl.h 
@@ -133,6 +133,7 @@ struct ndctl_bus *ndctl_bus_get_next(struct ndctl_bus *bus); struct ndctl_ctx *ndctl_bus_get_ctx(struct ndctl_bus *bus); int ndctl_bus_has_nfit(struct ndctl_bus *bus); int ndctl_bus_has_of_node(struct ndctl_bus *bus); +int ndctl_bus_has_cxl(struct ndctl_bus *bus); int ndctl_bus_is_papr_scm(struct ndctl_bus *bus); unsigned int ndctl_bus_get_major(struct ndctl_bus *bus); unsigned int ndctl_bus_get_minor(struct ndctl_bus *bus);
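Review bot: in is_ndbus_cxl() the two `sprintf(tmp_path, ...)` calls append "/device" and "/subsystem" to a string that realpath() may already have filled up to PATH_MAX, so `char tmp_path[PATH_MAX]` can overflow on a long sysfs path; use `snprintf(tmp_path, sizeof(tmp_path), ...)` and treat truncation as "not cxl". The return contract is also awkward: the function returns -errno on any realpath() failure but 1/0 for the actual answer, and nothing documents that, so a caller must remember to test for `== 1` rather than truthiness; either document the tri-state in a comment above the function or collapse failure into 0 (with a dbg() log) so the result is a plain boolean. Minor: the trailing `if (!strcmp(subsys, "cxl")) rc = 1; else rc = 0;` can be `rc = strcmp(subsys, "cxl") == 0;`.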
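Review bot: in add_bus(), `if (is_ndbus_cxl(ctl_base)) bus->has_cxl = 1;` mislabels a lookup failure as a CXL bus, because is_ndbus_cxl() returns a negative errno when realpath() fails and a negative value is truthy. A bus whose `device` or `subsystem` link cannot be resolved (the nfit_test and ACPI.NFIT buses are the ones most likely to hit this) would then get bus_prefix "cxl" in add_dimm() from patch 2/4. Compare against 1 explicitly, e.g. `bus->has_cxl = is_ndbus_cxl(ctl_base) == 1;`, which also replaces the if/else pair with one line.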
From patchwork Wed Sep 21 21:02:47 2022 X-Patchwork-Submitter: Dave Jiang X-Patchwork-Id: 12984151 Subject: [PATCH 2/4] ndctl/libndctl: Add bus_prefix for cxl From: Dave Jiang To: linux-cxl@vger.kernel.org, nvdimm@lists.linux.dev Cc: vishal.l.verma@intel.com Date: Wed, 21 Sep 2022 14:02:47 -0700 Message-ID: <166379416797.433612.11380777795382753298.stgit@djiang5-desk3.ch.intel.com> In-Reply-To: <166379397620.433612.13099557870939895846.stgit@djiang5-desk3.ch.intel.com> References: <166379397620.433612.13099557870939895846.stgit@djiang5-desk3.ch.intel.com> User-Agent: StGit/1.4 X-Mailing-List: nvdimm@lists.linux.dev With support for being able to detect the cxl bus, set up the bus_prefix for the cxl bus. Signed-off-by: Dave Jiang --- ndctl/lib/libndctl.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ndctl/lib/libndctl.c b/ndctl/lib/libndctl.c index 10422e24d38b..d2e800bc840a 100644 --- a/ndctl/lib/libndctl.c +++ b/ndctl/lib/libndctl.c
@@ -2012,6 +2012,12 @@ static void *add_dimm(void *parent, int id, const char *dimm_base) goto out; } rc = add_papr_dimm(dimm, dimm_base); + } else if (ndctl_bus_has_cxl(bus)) { + dimm->bus_prefix = strdup("cxl"); + if (!dimm->bus_prefix) { + rc = -ENOMEM; + goto out; + } } if (rc == -ENODEV) {
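Review bot: the new `else if (ndctl_bus_has_cxl(bus))` branch never assigns rc on its success path, while the papr branch directly above it does (`rc = add_papr_dimm(dimm, dimm_base);`), so the `if (rc == -ENODEV)` test that follows the hunk evaluates whatever rc held before the chain. Set `rc = 0` after the strdup() succeeds, or better, squash in the `rc = populate_cxl_dimm_attributes(dimm, dimm_base);` line that patch 3/4 adds at exactly this spot, so the series is bisectable.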
From patchwork Wed Sep 21 21:02:53 2022 X-Patchwork-Submitter: Dave Jiang X-Patchwork-Id: 12984152 Subject: [PATCH 3/4] ndctl/libndctl: Add retrieving of unique_id for cxl mem dev From: Dave Jiang To: linux-cxl@vger.kernel.org, nvdimm@lists.linux.dev Cc: vishal.l.verma@intel.com Date: Wed, 21 Sep 2022 14:02:53 -0700 Message-ID: <166379417347.433612.4934530706825880453.stgit@djiang5-desk3.ch.intel.com> In-Reply-To: <166379397620.433612.13099557870939895846.stgit@djiang5-desk3.ch.intel.com> References: <166379397620.433612.13099557870939895846.stgit@djiang5-desk3.ch.intel.com> User-Agent: StGit/1.4 X-Mailing-List: nvdimm@lists.linux.dev With bus_prefix, retrieve the unique_id of the cxl mem device. This will allow selecting a specific cxl mem device for the security test code. Signed-off-by: Dave Jiang --- ndctl/lib/libndctl.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/ndctl/lib/libndctl.c b/ndctl/lib/libndctl.c index d2e800bc840a..c569178b9a3a 100644 --- a/ndctl/lib/libndctl.c +++ b/ndctl/lib/libndctl.c @@ -1749,6 +1749,33 @@ NDCTL_EXPORT void ndctl_dimm_refresh_flags(struct ndctl_dimm *dimm) parse_papr_flags(dimm, buf); } +static int populate_cxl_dimm_attributes(struct ndctl_dimm *dimm, + const char *dimm_base) +{ + int rc = 0; + char buf[SYSFS_ATTR_SIZE]; + struct ndctl_ctx *ctx = dimm->bus->ctx; + char *path = calloc(1, strlen(dimm_base) + 100); + const char *bus_prefix = dimm->bus_prefix; + + if (!path) + return -ENOMEM; + + sprintf(path, "%s/%s/id", dimm_base, bus_prefix); + if (sysfs_read_attr(ctx, path, buf) == 0) { + dimm->unique_id = strdup(buf); + if (!dimm->unique_id) { + rc = -ENOMEM; + goto err_read; + } + } + + err_read: + + free(path); + return rc; +} + static int populate_dimm_attributes(struct ndctl_dimm *dimm, const char *dimm_base) {
@@ -2018,6 +2045,7 @@ static void *add_dimm(void *parent, int id, const char *dimm_base) rc = -ENOMEM; goto out; } + rc = populate_cxl_dimm_attributes(dimm, dimm_base); } if (rc == -ENODEV) {
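Review bot: in populate_cxl_dimm_attributes() the `goto err_read` / `err_read:` pair buys nothing, because the error path and the normal path are the same two statements (`free(path); return rc;`); drop the label and let `rc = -ENOMEM` fall through. The path buffer is sized with a magic `strlen(dimm_base) + 100` that only works while bus_prefix stays short; `asprintf(&path, "%s/%s/id", dimm_base, bus_prefix)`, or a size computed from strlen(bus_prefix) + sizeof("//id"), removes the assumption. Finally, a failed sysfs_read_attr() is swallowed: rc stays 0 and unique_id stays NULL, yet the commit message says the id is what the security test will use to select the device, so at least `dbg(ctx, ...)` the miss, or return the error and let add_dimm() decide.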
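Review bot: `rc = populate_cxl_dimm_attributes(dimm, dimm_base);` can return -ENOMEM, but the only error the visible code after this hunk distinguishes is `rc == -ENODEV`; the strdup() failure two lines up jumps to `out`, so an allocation failure inside populate_cxl_dimm_attributes() should take the same exit rather than falling into the -ENODEV check with a half-initialized dimm. Add `if (rc) goto out;` (or confirm the code past the hunk already bails on any negative rc).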
From patchwork Wed Sep 21 21:02:58 2022 X-Patchwork-Submitter: Dave Jiang X-Patchwork-Id: 12984153 Subject: [PATCH 4/4] ndctl/test: Add CXL test for security From: Dave Jiang To: linux-cxl@vger.kernel.org, nvdimm@lists.linux.dev Cc: vishal.l.verma@intel.com Date: Wed, 21 Sep 2022 14:02:58 -0700 Message-ID: <166379417897.433612.16268594042547006566.stgit@djiang5-desk3.ch.intel.com> In-Reply-To: <166379397620.433612.13099557870939895846.stgit@djiang5-desk3.ch.intel.com> References: <166379397620.433612.13099557870939895846.stgit@djiang5-desk3.ch.intel.com> User-Agent: StGit/1.4 X-Mailing-List: nvdimm@lists.linux.dev Create security-cxl.sh based off of security.sh for nfit security testing. The test will test cxl_test-based security command enabling through nvdimm. Signed-off-by: Dave Jiang --- test/common | 7 + test/meson.build | 7 + test/security-cxl.sh | 282 ++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 296 insertions(+) create mode 100755 test/security-cxl.sh diff --git a/test/common b/test/common index 65615cc09a3e..e13b79728b0c 100644 --- a/test/common +++ b/test/common @@ -47,6 +47,7 @@ fi # NFIT_TEST_BUS0="nfit_test.0" NFIT_TEST_BUS1="nfit_test.1" +CXL_TEST_BUS="cxl_test" ACPI_BUS="ACPI.NFIT" E820_BUS="e820" @@ -125,6 +126,12 @@ _cleanup() modprobe -r nfit_test } +_cxl_cleanup() +{ + $NDCTL disable-region -b $CXL_TEST_BUS all + modprobe -r cxl_test +} + # json2var # stdin: json # diff --git a/test/meson.build b/test/meson.build index 5953c286d13f..485deb89bbe2 100644 --- a/test/meson.build +++ b/test/meson.build @@ -219,6 +219,13 @@ if get_option('keyutils').enabled() ] endif +if get_option('keyutils').enabled() + security_cxl = find_program('security-cxl.sh') + tests += [ + [ 'security-cxl.sh', security_cxl, 'ndctl' ] + ] +endif + foreach t : tests test(t[0], t[1], is_parallel : false, diff --git a/test/security-cxl.sh b/test/security-cxl.sh new file mode 100755 index 000000000000..0ec9b335bf41 --- /dev/null +++ b/test/security-cxl.sh
@@ -0,0 +1,282 @@ +#!/bin/bash -Ex +# SPDX-License-Identifier: GPL-2.0 +# Copyright (C) 2022 Intel Corporation. All rights reserved. + +rc=77 +dev="" +id="" +keypath="/etc/ndctl/keys" +masterkey="nvdimm-master" +masterpath="$keypath/$masterkey.blob" +backup_key=0 +backup_handle=0 + +. $(dirname $0)/common + +trap 'err $LINENO' ERR + +setup() +{ + $NDCTL disable-region -b "$CXL_TEST_BUS" all +} + +detect() +{ + dev="$($NDCTL list -b "$CXL_TEST_BUS" -D | jq -r 'sort_by(.id) | .[0].dev')" + [ -n "$dev" ] || err "$LINENO" + id="$($NDCTL list -b "$CXL_TEST_BUS" -D | jq -r 'sort_by(.id) | .[0].id')" + [ -n "$id" ] || err "$LINENO" +} + +setup_keys() +{ + if [ ! -d "$keypath" ]; then + mkdir -p "$keypath" + fi + + if [ -f "$masterpath" ]; then + mv "$masterpath" "$masterpath.bak" + backup_key=1 + fi + if [ -f "$keypath/tpm.handle" ]; then + mv "$keypath/tpm.handle" "$keypath/tpm.handle.bak" + backup_handle=1 + fi + + dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user "$masterkey" @u + keyctl pipe "$(keyctl search @u user $masterkey)" > "$masterpath" +} + +test_cleanup() +{ + if keyctl search @u encrypted nvdimm:"$id"; then + keyctl unlink "$(keyctl search @u encrypted nvdimm:"$id")" + fi + + if keyctl search @u user "$masterkey"; then + keyctl unlink "$(keyctl search @u user "$masterkey")" + fi + + if [ -f "$keypath"/nvdimm_"$id"_"$(hostname)".blob ]; then + rm -f "$keypath"/nvdimm_"$id"_"$(hostname)".blob + fi +} + +post_cleanup() +{ + if [ -f $masterpath ]; then + rm -f "$masterpath" + fi + if [ "$backup_key" -eq 1 ]; then + mv "$masterpath.bak" "$masterpath" + fi + if [ "$backup_handle" -eq 1 ]; then + mv "$keypath/tpm.handle.bak" "$keypath/tpm.handle" + fi +} + +lock_dimm() +{ + $NDCTL disable-dimm "$dev" + test_dimm_path="" + + nmem_rpath=$(readlink -f "/sys/bus/nd/devices/${dev}") + nmem_bus=$(dirname ${nmem_rpath}); + bus_provider_path="${nmem_bus}/provider" + test -e "$bus_provider_path" || err "$LINENO" + bus_provider=$(cat ${bus_provider_path}) + + 
[[ "$bus_provider" == "$CXL_TEST_BUS" ]] || err "$LINENO" + bus="cxl" + nmem_provider_path="/sys/bus/nd/devices/${dev}/${bus}/provider" + nmem_provider=$(cat ${nmem_provider_path}) + + test_dimm_path=$(readlink -f /sys/bus/$bus/devices/${nmem_provider}) + test_dimm_path=$(dirname $(dirname ${test_dimm_path}))/security_lock + + test -e "$test_dimm_path" + + # now lock the dimm + echo 1 > "${test_dimm_path}" + sstate="$(get_security_state)" + if [ "$sstate" != "locked" ]; then + echo "Incorrect security state: $sstate expected: locked" + err "$LINENO" + fi +} + +get_frozen_state() +{ + $NDCTL list -i -b "$CXL_TEST_BUS" -d "$dev" | jq -r .[].dimms[0].security_frozen +} + +get_security_state() +{ + $NDCTL list -i -b "$CXL_TEST_BUS" -d "$dev" | jq -r .[].dimms[0].security +} + +setup_passphrase() +{ + $NDCTL setup-passphrase "$dev" -k user:"$masterkey" + sstate="$(get_security_state)" + if [ "$sstate" != "unlocked" ]; then + echo "Incorrect security state: $sstate expected: unlocked" + err "$LINENO" + fi +} + +remove_passphrase() +{ + $NDCTL remove-passphrase "$dev" + sstate="$(get_security_state)" + if [ "$sstate" != "disabled" ]; then + echo "Incorrect security state: $sstate expected: disabled" + err "$LINENO" + fi +} + +erase_security() +{ + $NDCTL sanitize-dimm -c "$dev" + sstate="$(get_security_state)" + if [ "$sstate" != "disabled" ]; then + echo "Incorrect security state: $sstate expected: disabled" + err "$LINENO" + fi +} + +update_security() +{ + $NDCTL update-passphrase "$dev" + sstate="$(get_security_state)" + if [ "$sstate" != "unlocked" ]; then + echo "Incorrect security state: $sstate expected: unlocked" + err "$LINENO" + fi +} + +freeze_security() +{ + $NDCTL freeze-security "$dev" +} + +test_1_security_setup_and_remove() +{ + setup_passphrase + remove_passphrase +} + +test_2_security_setup_and_update() +{ + setup_passphrase + update_security + remove_passphrase +} + +test_3_security_setup_and_erase() +{ + setup_passphrase + erase_security +} + 
+test_4_security_unlock() +{ + setup_passphrase + lock_dimm + $NDCTL enable-dimm "$dev" + sstate="$(get_security_state)" + if [ "$sstate" != "unlocked" ]; then + echo "Incorrect security state: $sstate expected: unlocked" + err "$LINENO" + fi + $NDCTL disable-region -b "$CXL_TEST_BUS" all + remove_passphrase +} + +# This should always be the last nvdimm security test. +# with security frozen, cxl_test must be removed and is no longer usable +test_5_security_freeze() +{ + setup_passphrase + freeze_security + sstate="$(get_security_state)" + fstate="$(get_frozen_state)" + if [ "$fstate" != "true" ]; then + echo "Incorrect security state: expected: frozen" + err "$LINENO" + fi + + # need to simulate a soft reboot here to clean up + lock_dimm + $NDCTL enable-dimm "$dev" + sstate="$(get_security_state)" + if [ "$sstate" != "unlocked" ]; then + echo "Incorrect security state: $sstate expected: unlocked" + err "$LINENO" + fi +} + +test_6_load_keys() +{ + if keyctl search @u encrypted nvdimm:"$id"; then + keyctl unlink "$(keyctl search @u encrypted nvdimm:"$id")" + fi + + if keyctl search @u user "$masterkey"; then + keyctl unlink "$(keyctl search @u user "$masterkey")" + fi + + $NDCTL load-keys + + if keyctl search @u user "$masterkey"; then + echo "master key loaded" + else + echo "master key failed to loaded" + err "$LINENO" + fi + + if keyctl search @u encrypted nvdimm:"$id"; then + echo "dimm key loaded" + else + echo "dimm key failed to load" + err "$LINENO" + fi +} + +check_min_kver "5.0" || do_skip "may lack security handling" +uid="$(keyctl show | grep -Eo "_uid.[0-9]+" | head -1 | cut -d. 
-f2-)" +if [ "$uid" -ne 0 ]; then + do_skip "run as root or with a sudo login shell for test to work" +fi + +modprobe cxl_test +setup +check_prereq "keyctl" +rc=1 +detect +test_cleanup +setup_keys +echo "Test 1, security setup and remove" +test_1_security_setup_and_remove +echo "Test 2, security setup, update, and remove" +test_2_security_setup_and_update +echo "Test 3, security setup and erase" +test_3_security_setup_and_erase +echo "Test 4, unlock dimm" +test_4_security_unlock + +# Freeze should always be the last nvdimm security test because it locks +# security state and require cxl_test module unload. However, this does +# not impact any key management testing via libkeyctl. +echo "Test 5, freeze security" +test_5_security_freeze + +# Load-keys is independent of actual nvdimm security and is part of key +# mangement testing. +echo "Test 6, test load-keys" +test_6_load_keys + +test_cleanup +post_cleanup +_cxl_cleanup +exit 0
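Review bot: _cxl_cleanup() in test/common uses an unquoted `$CXL_TEST_BUS` in `$NDCTL disable-region -b $CXL_TEST_BUS all`, while every other use in the series quotes it; harmless for the value "cxl_test" but worth matching the script's style. More importantly, `modprobe -r cxl_test` fails if a region could not be disabled, and because the script runs with an ERR trap that failure turns cleanup itself into a test error; consider `modprobe -r cxl_test || true` here, or make the disable step report and continue.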
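Review bot: the meson.build hunk repeats the `if get_option('keyutils').enabled()` condition that closes immediately above it; add `[ 'security-cxl.sh', security_cxl, 'ndctl' ]` (and the find_program() call) to the tests list inside the existing keyutils block instead of opening a second identical one.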
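Review bot: in security-cxl.sh the restore and unload steps only run on the success path: test_cleanup, post_cleanup and _cxl_cleanup are called at the very end, but any failing command goes through `trap 'err $LINENO' ERR` first, so a failed test leaves the freshly generated master key in $masterpath (32 bytes of /dev/urandom written out in the clear by `keyctl pipe`), leaves a pre-existing `$masterpath.bak` / `tpm.handle.bak` un-restored, and leaves cxl_test loaded with the dimm possibly locked or frozen. An `trap` on EXIT that runs the three cleanup functions fixes all of that. Ordering is also off: `modprobe cxl_test` and setup run before `check_prereq "keyctl"` and after the root check, so a skip for a missing keyctl exits with the module still loaded; move the prerequisite checks ahead of modprobe. `check_min_kver "5.0"` is copied from security.sh and cannot gate this test meaningfully, since cxl_test did not exist in 5.0; bump it to the first kernel whose cxl_test exposes the `security_lock` attribute that lock_dimm() writes. Smaller points: test_5_security_freeze assigns `sstate` and never uses it, and its error message says "expected: frozen" while the value checked is security_frozen; test_6_load_keys has the typo "master key failed to loaded" (should be "failed to load"); lock_dimm() relies on the ERR trap for `test -e "$test_dimm_path"` where the rest of the function uses an explicit `|| err "$LINENO"`.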