From: David Howells <dhowells@redhat.com> To: Dave Jiang <dave.jiang@intel.com> Cc: alison.schofield@intel.com, keescook@chromium.org, linux-nvdimm@lists.01.org, ebiggers3@gmail.com, dhowells@redhat.com, keyrings@vger.kernel.org Subject: Re: [PATCH v8 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms Date: Sat, 22 Sep 2018 00:57:16 +0100 [thread overview] Message-ID: <19459.1537574236@warthog.procyon.org.uk> (raw) In-Reply-To: <153549647177.4089.18112512093259339717.stgit@djiang5-desk3.ch.intel.com> Dave Jiang <dave.jiang@intel.com> wrote: > + new_key = key_alloc(&key_type_logon, key->description, > + GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, &init_cred, 0, KEY_POS_SEARCH? KEY_USR_VIEW? > + KEY_ALLOC_NOT_IN_QUOTA, NULL); > + ... > + down_read(&key->sem); > + payload = key->payload.data[0]; > + rc = key_instantiate_and_link(new_key, payload->data, key->datalen, payload->datalen, not key->datalen. > + nvdimm_keyring, NULL); Okay, that's a weird way of going about things. I presume you don't want to add key to nvdimm_keyring - maybe in case it gets updated whilst you're using it and your private key isn't in quota? > + up_read(&key->sem); > + if (rc < 0) { > + key_revoke(new_key); > + key_put(new_key); > + return NULL; > + } Just putting it here should work since it didn't get linked to the keyring if any errors occurred. Revoking it too shouldn't be necessary. > + key_invalidate(key); > + key_put(key); Why are you invalidating the user's key? > + keyref = lookup_user_key(id, 0, 0); KEY_NEED_SEARCH? Though I suppose it's not strictly necessary as it's a key that's private to the kernel. > + if (old_keyid != 0) { > + old_key = nvdimm_get_key(dev); > + if (old_key) { > + if (key_serial(old_key) != old_keyid) { Ummm... That's not what I meant. Given the permissions you've set on your private key, userspace shouldn't be able to find it, let alone give you the key ID. What I meant here was to use, say, nvdimm_lookup_user_key() to get a key from userspace that contains the old password. You can use the description of the key to search nvdimm_keyring for the private key and then compare the passwords. Then you don't need to passphrases in the new key. > + rc = nvdimm_check_key_len(key->datalen, update); payload->datalen. > + down_read(&key->sem); This needs to be earlier. The payload attached to the new key can be replaced by keyctl_update() at any time whilst you're not holding the lock, so you cannot use key->payload[*] without holding the lock or the RCU read lock. > + if (update) > + key_invalidate(key); The key doesn't belong to you - should you really be invalidating it? > + else { > + key_link(nvdimm_keyring, key); > + nvdimm->key = key; > + key->perm |= KEY_USR_SEARCH; > + } Um - do you really want to be taking the key into your internal keyring? Why aren't you calling nvdimm_replace_key()? Also, you shouldn't alter the permission - it's not your key. > +static int __parse_update(const char *buf, size_t len, unsigned int *old_id, > + unsigned int *new_id) > +{ Try using sscanf()? David _______________________________________________ Linux-nvdimm mailing list Linux-nvdimm@lists.01.org https://lists.01.org/mailman/listinfo/linux-nvdimm
WARNING: multiple messages have this Message-ID (diff)
From: David Howells <dhowells@redhat.com> To: Dave Jiang <dave.jiang@intel.com> Cc: alison.schofield@intel.com, keescook@chromium.org, linux-nvdimm@lists.01.org, ebiggers3@gmail.com, dhowells@redhat.com, keyrings@vger.kernel.org Subject: Re: [PATCH v8 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms Date: Fri, 21 Sep 2018 23:57:16 +0000 [thread overview] Message-ID: <19459.1537574236@warthog.procyon.org.uk> (raw) In-Reply-To: <153549647177.4089.18112512093259339717.stgit@djiang5-desk3.ch.intel.com> Dave Jiang <dave.jiang@intel.com> wrote: > + new_key = key_alloc(&key_type_logon, key->description, > + GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, &init_cred, 0, KEY_POS_SEARCH? KEY_USR_VIEW? > + KEY_ALLOC_NOT_IN_QUOTA, NULL); > + ... > + down_read(&key->sem); > + payload = key->payload.data[0]; > + rc = key_instantiate_and_link(new_key, payload->data, key->datalen, payload->datalen, not key->datalen. > + nvdimm_keyring, NULL); Okay, that's a weird way of going about things. I presume you don't want to add key to nvdimm_keyring - maybe in case it gets updated whilst you're using it and your private key isn't in quota? > + up_read(&key->sem); > + if (rc < 0) { > + key_revoke(new_key); > + key_put(new_key); > + return NULL; > + } Just putting it here should work since it didn't get linked to the keyring if any errors occurred. Revoking it too shouldn't be necessary. > + key_invalidate(key); > + key_put(key); Why are you invalidating the user's key? > + keyref = lookup_user_key(id, 0, 0); KEY_NEED_SEARCH? Though I suppose it's not strictly necessary as it's a key that's private to the kernel. > + if (old_keyid != 0) { > + old_key = nvdimm_get_key(dev); > + if (old_key) { > + if (key_serial(old_key) != old_keyid) { Ummm... That's not what I meant. Given the permissions you've set on your private key, userspace shouldn't be able to find it, let alone give you the key ID. What I meant here was to use, say, nvdimm_lookup_user_key() to get a key from userspace that contains the old password. You can use the description of the key to search nvdimm_keyring for the private key and then compare the passwords. Then you don't need to passphrases in the new key. > + rc = nvdimm_check_key_len(key->datalen, update); payload->datalen. > + down_read(&key->sem); This needs to be earlier. The payload attached to the new key can be replaced by keyctl_update() at any time whilst you're not holding the lock, so you cannot use key->payload[*] without holding the lock or the RCU read lock. > + if (update) > + key_invalidate(key); The key doesn't belong to you - should you really be invalidating it? > + else { > + key_link(nvdimm_keyring, key); > + nvdimm->key = key; > + key->perm |= KEY_USR_SEARCH; > + } Um - do you really want to be taking the key into your internal keyring? Why aren't you calling nvdimm_replace_key()? Also, you shouldn't alter the permission - it's not your key. > +static int __parse_update(const char *buf, size_t len, unsigned int *old_id, > + unsigned int *new_id) > +{ Try using sscanf()? David
next prev parent reply other threads:[~2018-09-21 23:57 UTC|newest] Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-08-28 22:47 [PATCH v8 00/12] Adding security support for nvdimm Dave Jiang 2018-08-28 22:47 ` Dave Jiang 2018-08-28 22:47 ` [PATCH v8 01/12] nfit: add support for Intel DSM 1.7 commands Dave Jiang 2018-08-28 22:47 ` Dave Jiang 2018-08-28 22:47 ` [PATCH v8 02/12] libnvdimm: create keyring to store security keys Dave Jiang 2018-08-28 22:47 ` Dave Jiang 2018-09-22 0:19 ` Dan Williams 2018-09-22 0:19 ` Dan Williams 2018-09-24 21:04 ` David Howells 2018-09-24 21:04 ` David Howells 2018-09-24 21:12 ` Dave Jiang 2018-09-24 21:12 ` Dave Jiang 2018-08-28 22:47 ` [PATCH v8 03/12] nfit/libnvdimm: store dimm id as a member to struct nvdimm Dave Jiang 2018-08-28 22:47 ` Dave Jiang 2018-08-28 22:47 ` [PATCH v8 04/12] keys: export lookup_user_key to external users Dave Jiang 2018-08-28 22:47 ` Dave Jiang 2018-09-21 21:59 ` Dan Williams 2018-09-21 21:59 ` Dan Williams 2018-09-21 22:02 ` Dave Jiang 2018-09-21 22:02 ` Dave Jiang 2018-09-21 23:05 ` David Howells 2018-09-21 23:05 ` David Howells 2018-08-28 22:47 ` [PATCH v8 05/12] nfit/libnvdimm: add unlock of nvdimm support for Intel DIMMs Dave Jiang 2018-08-28 22:47 ` Dave Jiang 2018-09-23 0:10 ` Dan Williams 2018-09-23 0:10 ` Dan Williams 2018-08-28 22:47 ` [PATCH v8 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms Dave Jiang 2018-08-28 22:47 ` [PATCH v8 07/12] nfit/libnvdimm: add disable passphrase support to Intel nvdimm Dave Jiang 2018-08-28 22:47 ` Dave Jiang 2018-08-28 22:48 ` [PATCH v8 08/12] nfit/libnvdimm: add freeze security " Dave Jiang 2018-08-28 22:48 ` Dave Jiang 2018-08-28 22:48 ` [PATCH v8 09/12] nfit/libnvdimm: add support for issue secure erase DSM " Dave Jiang 2018-08-28 22:48 ` Dave Jiang 2018-08-28 22:48 ` [PATCH v8 10/12] nfit_test: add context to dimm_dev for nfit_test Dave Jiang 2018-08-28 22:48 ` Dave Jiang 2018-08-28 22:48 ` [PATCH v8 11/12] nfit_test: add test support for Intel nvdimm security DSMs Dave Jiang 2018-08-28 22:48 ` Dave Jiang 2018-08-28 22:48 ` [PATCH v8 12/12] libnvdimm: add documentation for nvdimm security support Dave Jiang 2018-08-28 22:48 ` Dave Jiang 2018-09-21 23:07 ` [PATCH v8 02/12] libnvdimm: create keyring to store security keys David Howells 2018-09-21 23:07 ` David Howells 2018-09-21 23:20 ` [PATCH v8 05/12] nfit/libnvdimm: add unlock of nvdimm support for Intel DIMMs David Howells 2018-09-21 23:20 ` David Howells 2018-09-21 23:27 ` Dave Jiang 2018-09-21 23:27 ` Dave Jiang 2018-09-21 23:51 ` Dan Williams 2018-09-21 23:51 ` Dan Williams 2018-09-21 23:57 ` David Howells [this message] 2018-09-21 23:57 ` [PATCH v8 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms David Howells 2018-09-22 0:25 ` Dave Jiang 2018-09-22 0:25 ` Dave Jiang 2018-09-22 1:26 ` Dan Williams 2018-09-22 1:26 ` Dan Williams 2018-09-22 0:01 ` [PATCH v8 04/12] keys: export lookup_user_key to external users David Howells 2018-09-22 0:01 ` David Howells 2018-09-24 21:02 ` [PATCH v8 02/12] libnvdimm: create keyring to store security keys David Howells 2018-09-24 21:02 ` David Howells 2018-09-24 21:15 ` Dave Jiang 2018-09-24 21:15 ` Dave Jiang
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=19459.1537574236@warthog.procyon.org.uk \ --to=dhowells@redhat.com \ --cc=alison.schofield@intel.com \ --cc=dave.jiang@intel.com \ --cc=ebiggers3@gmail.com \ --cc=keescook@chromium.org \ --cc=keyrings@vger.kernel.org \ --cc=linux-nvdimm@lists.01.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.