From: David Howells <dhowells@redhat.com> To: Dave Jiang <dave.jiang@intel.com> Cc: alison.schofield@intel.com, keescook@chromium.org, linux-nvdimm@lists.01.org, ebiggers3@gmail.com, dhowells@redhat.com, keyrings@vger.kernel.org Subject: Re: [PATCH v6 04/11] nfit/libnvdimm: add unlock of nvdimm support for Intel DIMMs Date: Thu, 02 Aug 2018 12:58:11 +0100 [thread overview] Message-ID: <19807.1533211091@warthog.procyon.org.uk> (raw) In-Reply-To: <153255233354.51274.8552293701029405599.stgit@djiang5-desk3.ch.intel.com> Dave Jiang <dave.jiang@intel.com> wrote: > + key = key_lookup(nvdimm->key_id); You should not be using key_lookup() as the key ID doesn't pin a reference to the key you're using. If you're going to cache a key, either cache the key pointer directly and check it with key_validate() before you use it or keep the cache in a private kernel keyring and use key_search() each time you want to use it. The latter method allows for the key to be garbage collected automatically if it expires or gets invalidated. You can still follow a negative call for a cached key with a call to nvdimm_request_key(). In the private keyring-using case, you can link the key to the private keyring after you got it. > + payload = key->payload.data[0]; > + rc = nvdimm->security_ops->unlock(nvdimm_bus, nvdimm, > + (void *)payload->data); I would recommend casting to const void * if you can as you're not allowed to change the payload data. David _______________________________________________ Linux-nvdimm mailing list Linux-nvdimm@lists.01.org https://lists.01.org/mailman/listinfo/linux-nvdimm
WARNING: multiple messages have this Message-ID (diff)
From: David Howells <dhowells@redhat.com> To: Dave Jiang <dave.jiang@intel.com> Cc: alison.schofield@intel.com, keescook@chromium.org, linux-nvdimm@lists.01.org, ebiggers3@gmail.com, dhowells@redhat.com, keyrings@vger.kernel.org Subject: Re: [PATCH v6 04/11] nfit/libnvdimm: add unlock of nvdimm support for Intel DIMMs Date: Thu, 02 Aug 2018 11:58:11 +0000 [thread overview] Message-ID: <19807.1533211091@warthog.procyon.org.uk> (raw) In-Reply-To: <153255233354.51274.8552293701029405599.stgit@djiang5-desk3.ch.intel.com> Dave Jiang <dave.jiang@intel.com> wrote: > + key = key_lookup(nvdimm->key_id); You should not be using key_lookup() as the key ID doesn't pin a reference to the key you're using. If you're going to cache a key, either cache the key pointer directly and check it with key_validate() before you use it or keep the cache in a private kernel keyring and use key_search() each time you want to use it. The latter method allows for the key to be garbage collected automatically if it expires or gets invalidated. You can still follow a negative call for a cached key with a call to nvdimm_request_key(). In the private keyring-using case, you can link the key to the private keyring after you got it. > + payload = key->payload.data[0]; > + rc = nvdimm->security_ops->unlock(nvdimm_bus, nvdimm, > + (void *)payload->data); I would recommend casting to const void * if you can as you're not allowed to change the payload data. David
next prev parent reply other threads:[~2018-08-02 11:58 UTC|newest] Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-07-25 20:58 [PATCH v6 00/11] Adding security support for nvdimm Dave Jiang 2018-07-25 20:58 ` Dave Jiang 2018-07-25 20:58 ` [PATCH v6 01/11] nfit: add support for Intel DSM 1.7 commands Dave Jiang 2018-07-25 20:58 ` Dave Jiang 2018-07-25 20:58 ` [PATCH v6 02/11] libnvdimm: create keyring to store security keys Dave Jiang 2018-07-25 20:58 ` Dave Jiang 2018-07-25 20:58 ` [PATCH v6 03/11] nfit/libnvdimm: store dimm id as a member to struct nvdimm Dave Jiang 2018-07-25 20:58 ` Dave Jiang 2018-07-25 20:58 ` [PATCH v6 04/11] nfit/libnvdimm: add unlock of nvdimm support for Intel DIMMs Dave Jiang 2018-07-25 20:58 ` Dave Jiang 2018-07-31 22:04 ` Alison Schofield 2018-07-31 22:04 ` Alison Schofield 2018-07-31 22:48 ` Jiang, Dave 2018-07-31 22:48 ` Jiang, Dave 2018-07-25 20:58 ` [PATCH v6 05/11] nfit/libnvdimm: add set passphrase support for Intel nvdimms Dave Jiang 2018-07-25 20:58 ` Dave Jiang 2018-07-25 20:59 ` [PATCH v6 06/11] nfit/libnvdimm: add disable passphrase support to Intel nvdimm Dave Jiang 2018-07-25 20:59 ` Dave Jiang 2018-07-25 20:59 ` [PATCH v6 07/11] nfit/libnvdimm: add freeze security " Dave Jiang 2018-07-25 20:59 ` Dave Jiang 2018-07-25 20:59 ` [PATCH v6 08/11] nfit/libnvdimm: add support for issue secure erase DSM " Dave Jiang 2018-07-25 20:59 ` Dave Jiang 2018-07-25 20:59 ` [PATCH v6 09/11] nfit_test: add context to dimm_dev for nfit_test Dave Jiang 2018-07-25 20:59 ` Dave Jiang 2018-07-25 20:59 ` [PATCH v6 10/11] nfit_test: add test support for Intel nvdimm security DSMs Dave Jiang 2018-07-25 20:59 ` Dave Jiang 2018-07-25 20:59 ` [PATCH v6 11/11] libnvdimm: add documentation for nvdimm security support Dave Jiang 2018-07-25 20:59 ` Dave Jiang 2018-08-02 11:58 ` David Howells [this message] 2018-08-02 11:58 ` [PATCH v6 04/11] nfit/libnvdimm: add unlock of nvdimm support for Intel DIMMs David Howells 2018-08-02 12:00 ` [PATCH v6 05/11] nfit/libnvdimm: add set passphrase support for Intel nvdimms David Howells 2018-08-02 12:00 ` David Howells 2018-08-02 22:29 ` Dave Jiang 2018-08-02 22:29 ` Dave Jiang 2018-08-03 0:28 ` Dave Jiang 2018-08-03 0:28 ` Dave Jiang 2018-08-03 8:32 ` David Howells 2018-08-03 8:32 ` David Howells 2018-08-03 16:07 ` Dave Jiang 2018-08-03 16:07 ` Dave Jiang 2018-08-03 8:28 ` David Howells 2018-08-03 8:28 ` David Howells
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=19807.1533211091@warthog.procyon.org.uk \ --to=dhowells@redhat.com \ --cc=alison.schofield@intel.com \ --cc=dave.jiang@intel.com \ --cc=ebiggers3@gmail.com \ --cc=keescook@chromium.org \ --cc=keyrings@vger.kernel.org \ --cc=linux-nvdimm@lists.01.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.