[PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[Dave Jiang]

Add support for nvdimm key management.

Signed-off-by: Dave Jiang <dave.jiang@intel.com>
---
 request-key.conf |    1 +
 1 file changed, 1 insertion(+)

diff --git a/request-key.conf b/request-key.conf
index ff16a95..b76c414 100644
--- a/request-key.conf
+++ b/request-key.conf
@@ -39,3 +39,4 @@ create  user    debug:*         revoked         /bin/keyctl reject %k 30 %c %S
 create	user	debug:loop:*	*		|/bin/cat
 create	user	debug:*		*		/usr/share/keyutils/request-key-debug.sh %k %d %c %S
 negate	*	*		*		/bin/keyctl negate %k 30 %S
+create  logon   nvdimm*         *               /usr/sbin/nvdimm-upcall %k

Re: [PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[Dan Williams]

On Fri, Oct 12, 2018 at 11:08 AM Dave Jiang <dave.jiang@intel.com> wrote:
>
> Add support for nvdimm key management.

Kind of sad that we need to edit this top-level conf file. David,
could you clarify why /etc/request.d can't be used for kernel upcalls?
Otherwise, assuming that's not an acceptable approach:

Reviewed-by: Dan Williams <dan.j.williams@intel.com>

Re: [PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[David Howells]

You should take a look at this patch:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/commit/?h=next&id_2f3c34b0b23e5d2ea4564ac990827c47999992

on the keyutils next branch.  You should add a file into:

	/etc/request-key.d/

with this line:

	+create  logon   nvdimm*         *               /usr/sbin/nvdimm-upcall %k

in it.  Do you actually want to say "nvdimm:*", btw?

David

Re: [PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[Dave Jiang]

On 10/12/2018 01:37 PM, David Howells wrote:
> You should take a look at this patch:
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/commit/?h=next&id_2f3c34b0b23e5d2ea4564ac990827c47999992

Ah that's great! Do you know when this will be released? Would also be
interested to know when Fedora will pick up this release.

> 
> on the keyutils next branch.  You should add a file into:
> 
> 	/etc/request-key.d/
> 
> with this line:
> 
> 	+create  logon   nvdimm*         *               /usr/sbin/nvdimm-upcall %k
> 
> in it.  Do you actually want to say "nvdimm:*", btw?

Yes. Good catch. I'll update that and also have ndctl package to install
/etc/request-key.d/nvdimm.conf with that instead.

Thanks.

> 
> David
> 

Re: [PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[Dan Williams]

On Fri, Oct 12, 2018 at 1:37 PM David Howells <dhowells@redhat.com> wrote:
>
> You should take a look at this patch:
>
>         https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/commit/?h=next&id_2f3c34b0b23e5d2ea4564ac990827c47999992
>
> on the keyutils next branch.  You should add a file into:
>
>         /etc/request-key.d/
>
> with this line:
>
>         +create  logon   nvdimm*         *               /usr/sbin/nvdimm-upcall %k
>
> in it.  Do you actually want to say "nvdimm:*", btw?

Thanks David. I also saw your recent pull request add TPM support.
That's something we're interested in as a follow-on for the nvdimm
keys so we can perhaps minimize a plain text key floating around in
kernel space.

So next time I'll pay closer attention to latest upstream before
shooting off snarky comments.

Re: [PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[David Howells]

Dave Jiang <dave.jiang@intel.com> wrote:

> > You should take a look at this patch:
> > 
> > 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/commit/?h=next&id_2f3c34b0b23e5d2ea4564ac990827c47999992
> 
> Ah that's great! Do you know when this will be released? Would also be
> interested to know when Fedora will pick up this release.

If you can give that a test for me, that'd be great.

David

Re: [PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[Dave Jiang]

On 10/15/2018 07:11 AM, David Howells wrote:
> Dave Jiang <dave.jiang@intel.com> wrote:
> 
>>> You should take a look at this patch:
>>>
>>> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/commit/?h=next&id_2f3c34b0b23e5d2ea4564ac990827c47999992
>>
>> Ah that's great! Do you know when this will be released? Would also be
>> interested to know when Fedora will pick up this release.
> 
> If you can give that a test for me, that'd be great.

Tested. Works. Thanks!

Re: [PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[David Howells]

Dave Jiang <dave.jiang@intel.com> wrote:

> Tested. Works. Thanks!

Excellent!  Can I put you down as a Tested-by line?

David

Re: [PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[Jiang, Dave]

> On Oct 17, 2018, at 1:20 AM, David Howells <dhowells@redhat.com> wrote:
> 
> Dave Jiang <dave.jiang@intel.com> wrote:
> 
>> Tested. Works. Thanks!
> 
> Excellent!  Can I put you down as a Tested-by line?

Yes. Thank you. 
> 
> David

Re: [PATCH 2/2] conf: add upcall line for nvdimm in request-key.conf

[David Howells]

Dave Jiang <dave.jiang@intel.com> wrote:

> Add support for nvdimm key management.

I'm not going to apply this as you said you could make your change to the
nvdimm package.  You will need to have a dependency there on keyutils-1.5.12.

David