linux-efi.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
To: Jonathan Derrick <jonathan.derrick@linux.dev>,
	linux-block@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org, brking@linux.vnet.ibm.com,
	msuchanek@suse.de, mpe@ellerman.id.au, nayna@linux.ibm.com,
	axboe@kernel.dk, akpm@linux-foundation.org,
	linux-efi@vger.kernel.org, keyrings@vger.kernel.org,
	dhowells@redhat.com, jarkko@kernel.org
Subject: Re: [PATCH v4 3/3] block: sed-opal: keystore access for SED Opal keys
Date: Wed, 16 Nov 2022 17:16:34 -0600	[thread overview]
Message-ID: <c13702d0d79628f0cece42e842bf2cc704bd0821.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <9b68f825-675c-ff78-cd83-fb4f9428940b@linux.dev>

On Fri, 2022-10-07 at 12:21 -0600, Jonathan Derrick wrote:
> LGTM besides comment below
> 
> Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
> 
> On 8/19/2022 4:31 PM, gjoyce@linux.vnet.ibm.com wrote:
> > From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> > 
> > Allow for permanent SED authentication keys by
> > reading/writing to the SED Opal non-volatile keystore.
> > 
> > Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> > ---
> >  block/sed-opal.c | 18 ++++++++++++++++--
> >  1 file changed, 16 insertions(+), 2 deletions(-)
> > 
> > diff --git a/block/sed-opal.c b/block/sed-opal.c
> > index 3bdb31cf3e7c..11b0eb3a656b 100644
> > --- a/block/sed-opal.c
> > +++ b/block/sed-opal.c
> > @@ -18,6 +18,7 @@
> >  #include <linux/uaccess.h>
> >  #include <uapi/linux/sed-opal.h>
> >  #include <linux/sed-opal.h>
> > +#include <linux/sed-opal-key.h>
> >  #include <linux/string.h>
> >  #include <linux/kdev_t.h>
> >  #include <linux/key.h>
> > @@ -2697,7 +2698,13 @@ static int opal_set_new_pw(struct opal_dev
> > *dev, struct opal_new_pw *opal_pw)
> >  	if (ret)
> >  		return ret;
> >  
> > -	/* update keyring with new password */
> > +	/* update keyring and arch var with new password */
> > +	ret = sed_write_key(OPAL_AUTH_KEY,
> > +			    opal_pw->new_user_pw.opal_key.key,
> > +			    opal_pw->new_user_pw.opal_key.key_len);
> > +	if (ret != -EOPNOTSUPP)
> > +		pr_warn("error updating SED key: %d\n", ret);
> I cant see any reason this would fail and make the keys inconsistent,
> but it seems
> like update_sed_opal_key() should be dependent on sed_write_key()
> succeeding

The thought was that since the key was already updated on the SED
drive, there should be an attempt to update it in the key store
even in the unlikely event the keyring update failed.

> 
> > +
> >  	ret = update_sed_opal_key(OPAL_AUTH_KEY,
> >  				  opal_pw->new_user_pw.opal_key.key,
> >  				  opal_pw-
> > >new_user_pw.opal_key.key_len);
> > @@ -2920,6 +2927,8 @@ EXPORT_SYMBOL_GPL(sed_ioctl);
> >  static int __init sed_opal_init(void)
> >  {
> >  	struct key *kr;
> > +	char init_sed_key[OPAL_KEY_MAX];
> > +	int keylen = OPAL_KEY_MAX;
> >  
> >  	kr = keyring_alloc(".sed_opal",
> >  			   GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
> > current_cred(),
> > @@ -2932,6 +2941,11 @@ static int __init sed_opal_init(void)
> >  
> >  	sed_opal_keyring = kr;
> >  
> > -	return 0;
> > +	if (sed_read_key(OPAL_AUTH_KEY, init_sed_key, &keylen) < 0) {
> > +		memset(init_sed_key, '\0', sizeof(init_sed_key));
> > +		keylen = OPAL_KEY_MAX;
> > +	}
> > +
> > +	return update_sed_opal_key(OPAL_AUTH_KEY, init_sed_key,
> > keylen);
> >  }
> >  late_initcall(sed_opal_init);


      reply	other threads:[~2022-11-16 23:17 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-19 22:31 [PATCH v4 0/3] generic and PowerPC SED Opal keystore gjoyce
2022-08-19 22:31 ` [PATCH v4 1/3] block: sed-opal: " gjoyce
2022-10-07 18:23   ` Jonathan Derrick
2022-08-19 22:31 ` [PATCH v4 2/3] powerpc/pseries: PLPKS SED Opal keystore support gjoyce
2022-10-07 18:22   ` Jonathan Derrick
2022-10-07 19:09   ` Elliott, Robert (Servers)
2022-11-16 23:44     ` Greg Joyce
2022-08-19 22:31 ` [PATCH v4 3/3] block: sed-opal: keystore access for SED Opal keys gjoyce
2022-10-07 18:21   ` Jonathan Derrick
2022-11-16 23:16     ` Greg Joyce [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c13702d0d79628f0cece42e842bf2cc704bd0821.camel@linux.vnet.ibm.com \
    --to=gjoyce@linux.vnet.ibm.com \
    --cc=akpm@linux-foundation.org \
    --cc=axboe@kernel.dk \
    --cc=brking@linux.vnet.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=jarkko@kernel.org \
    --cc=jonathan.derrick@linux.dev \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=mpe@ellerman.id.au \
    --cc=msuchanek@suse.de \
    --cc=nayna@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).