[PATCH v2 0/6] Disk encryption status handling

[PATCH v2 0/6] Disk encryption status handling

[Blazej Kucman]

The purpose of this series is to add functionality of reading information
about the encryption status of OPAL NVMe/SATA and SATA drives and use this
information for purposes of IMSM metadata, which introduces restrictions
on the possibility of mixing disks with encryption enabled and disabled
because of security reasons.

Changes in V2:
- add separate patch for change location of pr_vrb(),
- add example results for usage of new feature to commit message in patch 5,
- adjust commit messages to 75 characters,
- general fixes after review.

Blazej Kucman (6):
  mdadm: Move pr_vrb define to mdadm.h
  Add reading Opal NVMe encryption information
  Add reading SATA encryption information
  Add key ENCRYPTION_NO_VERIFY to conf
  imsm: print disk encryption information
  imsm: drive encryption policy implementation

 Makefile           |   4 +-
 config.c           |  25 +-
 drive_encryption.c | 724 +++++++++++++++++++++++++++++++++++++++++++++
 drive_encryption.h |  37 +++
 mdadm.conf.5.in    |  16 +
 mdadm.h            |   4 +
 super-intel.c      | 117 +++++++-
 sysfs.c            |  29 ++
 8 files changed, 947 insertions(+), 9 deletions(-)
 create mode 100644 drive_encryption.c
 create mode 100644 drive_encryption.h

-- 
2.35.3

[PATCH v2 1/6] mdadm: Move pr_vrb define to mdadm.h

[Blazej Kucman]

Move pr_vrb define from super-intel.c to mdadm.h to make it widely
available. This change will be used in the next patches.

Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
 mdadm.h       | 2 ++
 super-intel.c | 2 --
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/mdadm.h b/mdadm.h
index 3fedca48..141adbd7 100644
--- a/mdadm.h
+++ b/mdadm.h
@@ -1912,6 +1912,8 @@ static inline int xasprintf(char **strp, const char *fmt, ...) {
 
 #define pr_info(fmt, args...) printf("%s: "fmt, Name, ##args)
 
+#define pr_vrb(fmt, arg...) ((void)(verbose && pr_err(fmt, ##arg)))
+
 void *xmalloc(size_t len);
 void *xrealloc(void *ptr, size_t len);
 void *xcalloc(size_t num, size_t size);
diff --git a/super-intel.c b/super-intel.c
index 77140455..806b6248 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -393,8 +393,6 @@ struct md_list {
 	struct md_list *next;
 };
 
-#define pr_vrb(fmt, arg...) (void) (verbose && pr_err(fmt, ##arg))
-
 static __u8 migr_type(struct imsm_dev *dev)
 {
 	if (dev->vol.migr_type == MIGR_VERIFY &&
-- 
2.35.3

[PATCH v2 2/6] Add reading Opal NVMe encryption information

[Blazej Kucman]

For NVMe devices with Opal support, encryption information, status and
ability are determined based on Opal Level 0 discovery response. Technical
documentation used is given in the implementation.

Ability in general describes what type of encryption is supported, Status
describes in what state the disk with encryption support is. The current
patch includes only the implementation of reading encryption information,
functions will be used in one of the next patches.

Motivation for adding this functionality is to block mixing of disks in
IMSM arrays with encryption enabled and disabled. The main goal is to not
allow stealing data by rebuilding array to not encrypted drive which can be
read elsewhere.

Value ENA_OTHER from enum encryption_ability will be used in the next
patch.

Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
 Makefile           |   4 +-
 drive_encryption.c | 362 +++++++++++++++++++++++++++++++++++++++++++++
 drive_encryption.h |  32 ++++
 3 files changed, 396 insertions(+), 2 deletions(-)
 create mode 100644 drive_encryption.c
 create mode 100644 drive_encryption.h

diff --git a/Makefile b/Makefile
index cbdba49a..7c221a89 100644
--- a/Makefile
+++ b/Makefile
@@ -170,7 +170,7 @@ OBJS = mdadm.o config.o policy.o mdstat.o  ReadMe.o uuid.o util.o maps.o lib.o u
        mdopen.o super0.o super1.o super-ddf.o super-intel.o bitmap.o \
        super-mbr.o super-gpt.o \
        restripe.o sysfs.o sha1.o mapfile.o crc32.o sg_io.o msg.o xmalloc.o \
-       platform-intel.o probe_roms.o crc32c.o
+       platform-intel.o probe_roms.o crc32c.o drive_encryption.o
 
 CHECK_OBJS = restripe.o uuid.o sysfs.o maps.o lib.o xmalloc.o dlink.o
 
@@ -183,7 +183,7 @@ MON_OBJS = mdmon.o monitor.o managemon.o uuid.o util.o maps.o mdstat.o sysfs.o c
 	Kill.o sg_io.o dlink.o ReadMe.o super-intel.o \
 	super-mbr.o super-gpt.o \
 	super-ddf.o sha1.o crc32.o msg.o bitmap.o xmalloc.o \
-	platform-intel.o probe_roms.o crc32c.o
+	platform-intel.o probe_roms.o crc32c.o drive_encryption.o
 
 MON_SRCS = $(patsubst %.o,%.c,$(MON_OBJS))
 
diff --git a/drive_encryption.c b/drive_encryption.c
new file mode 100644
index 00000000..b44585a7
--- /dev/null
+++ b/drive_encryption.c
@@ -0,0 +1,362 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Read encryption information for Opal and ATA devices.
+ *
+ * Copyright (C) 2024 Intel Corporation
+ *	Author: Blazej Kucman <blazej.kucman@intel.com>
+ */
+
+#include "mdadm.h"
+
+#include <asm/types.h>
+#include <linux/nvme_ioctl.h>
+#include "drive_encryption.h"
+
+/*
+ * Opal defines
+ * TCG Storage Opal SSC 2.01 chapter 3.3.3
+ * NVM ExpressTM Revision 1.4c, chapter 5
+ */
+#define TCG_SECP_01 (0x01)
+#define TCG_SECP_00 (0x00)
+#define OPAL_DISCOVERY_COMID (0x0001)
+#define OPAL_LOCKING_FEATURE (0x0002)
+#define OPAL_IO_BUFFER_LEN 2048
+#define OPAL_DISCOVERY_FEATURE_HEADER_LEN (4)
+
+/*
+ * NVMe defines
+ * NVM ExpressTM Revision 1.4c, chapter 5
+ */
+#define NVME_SECURITY_RECV (0x82)
+#define NVME_IDENTIFY (0x06)
+#define NVME_IDENTIFY_RESPONSE_LEN 4096
+#define NVME_OACS_BYTE_POSITION (256)
+#define NVME_IDENTIFY_CONTROLLER_DATA (1)
+
+typedef enum drive_feature_support_status {
+	/* Drive feature is supported. */
+	DRIVE_FEAT_SUP_ST = 0,
+	/* Drive feature is not supported. */
+	DRIVE_FEAT_NOT_SUP_ST,
+	/* Drive feature support check failed. */
+	DRIVE_FEAT_CHECK_FAILED_ST
+} drive_feat_sup_st;
+
+/* TCG Storage Opal SSC 2.01 chapter 3.1.1.3 */
+typedef struct opal_locking_feature {
+	/* feature header */
+	__u16 feature_code;
+	__u8 reserved : 4;
+	__u8 version : 4;
+	__u8 description_length;
+	/* feature description */
+	__u8 locking_supported : 1;
+	__u8 locking_enabled : 1;
+	__u8 locked : 1;
+	__u8 media_encryption : 1;
+	__u8 mbr_enabled : 1;
+	__u8 mbr_done : 1;
+	__u8 mbr_shadowing_not_supported : 1;
+	__u8 hw_reset_for_dor_supported : 1;
+	__u8 reserved1[11];
+} __attribute__((__packed__)) opal_locking_feature_t;
+
+/* TCG Storage Opal SSC 2.01 chapter 3.1.1.1 */
+typedef struct opal_level0_header {
+	__u32 length;
+	__u32 version;
+	__u64 reserved;
+	__u8 vendor_specific[32];
+} opal_level0_header_t;
+
+/**
+ * NVM ExpressTM Revision 1.4c, Figure 249
+ * Structure specifies only OACS filed, which is needed in the current use case.
+ */
+typedef struct nvme_identify_ctrl {
+	__u8 reserved[255];
+	__u16 oacs;
+	__u8 reserved2[3839];
+} nvme_identify_ctrl_t;
+
+/* SCSI Primary Commands - 4 (SPC-4), Table 512 */
+typedef struct supported_security_protocols {
+	__u8  reserved[6];
+	__u16 list_length;
+	__u8  list[504];
+} supported_security_protocols_t;
+
+/**
+ * get_opal_locking_feature_description() - get opal locking feature description.
+ * @response: response from Opal Discovery Level 0.
+ *
+ * Based on the documentation TCG Storage Opal SSC 2.01 chapter 3.1.1,
+ * a Locking feature is searched for in Opal Level 0 Discovery response.
+ *
+ * Return: if locking feature is found, pointer to struct %opal_locking_feature_t, NULL otherwise.
+ */
+static opal_locking_feature_t *get_opal_locking_feature_description(__u8 *response)
+{
+	opal_level0_header_t *response_header = (opal_level0_header_t *)response;
+	int features_length = __be32_to_cpu(response_header->length);
+	int current_position = sizeof(*response_header);
+
+	while (current_position < features_length) {
+		opal_locking_feature_t *feature;
+
+		feature = (opal_locking_feature_t *)(response + current_position);
+
+		if (__be16_to_cpu(feature->feature_code) == OPAL_LOCKING_FEATURE)
+			return feature;
+
+		current_position += feature->description_length + OPAL_DISCOVERY_FEATURE_HEADER_LEN;
+	}
+
+	return NULL;
+}
+
+/**
+ * nvme_security_recv_ioctl() - nvme security receive ioctl.
+ * @disk_fd: a disk file descriptor.
+ * @sec_protocol: security protocol.
+ * @comm_id: command id.
+ * @response_buffer: response buffer to fill out.
+ * @buf_size: response buffer size.
+ * @verbose: verbose flag.
+ *
+ * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and
+ * NVM ExpressTM Revision 1.4c, chapter 5.25,
+ * read security receive command via ioctl().
+ * On success, @response_buffer is completed.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
+ */
+static mdadm_status_t
+nvme_security_recv_ioctl(int disk_fd, __u8 sec_protocol, __u16 comm_id, void *response_buffer,
+			 size_t buf_size, const int verbose)
+{
+	struct nvme_admin_cmd nvme_cmd = {0};
+	int status;
+
+	nvme_cmd.opcode = NVME_SECURITY_RECV;
+	nvme_cmd.cdw10 = sec_protocol << 24 | comm_id << 8;
+	nvme_cmd.cdw11 = buf_size;
+	nvme_cmd.data_len = buf_size;
+	nvme_cmd.addr = (__u64)response_buffer;
+
+	status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd);
+	if (status != 0) {
+		pr_vrb("Failed to read NVMe security receive ioctl() for device /dev/%s, status: %d\n",
+		       fd2kname(disk_fd), status);
+		return MDADM_STATUS_ERROR;
+	}
+
+	return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * nvme_identify_ioctl() - NVMe identify ioctl.
+ * @disk_fd: a disk file descriptor.
+ * @response_buffer: response buffer to fill out.
+ * @buf_size: response buffer size.
+ * @verbose: verbose flag.
+ *
+ * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and
+ * NVM ExpressTM Revision 1.4c, chapter 5.25,
+ * read NVMe identify via ioctl().
+ * On success, @response_buffer will be completed.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
+ */
+static mdadm_status_t
+nvme_identify_ioctl(int disk_fd, void *response_buffer, size_t buf_size, const int verbose)
+{
+	struct nvme_admin_cmd nvme_cmd = {0};
+	int status;
+
+	nvme_cmd.opcode = NVME_IDENTIFY;
+	nvme_cmd.cdw10 = NVME_IDENTIFY_CONTROLLER_DATA;
+	nvme_cmd.data_len = buf_size;
+	nvme_cmd.addr = (__u64)response_buffer;
+
+	status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd);
+	if (status != 0) {
+		pr_vrb("Failed to read NVMe identify ioctl() for device /dev/%s, status: %d\n",
+		       fd2kname(disk_fd), status);
+		return MDADM_STATUS_ERROR;
+	}
+
+	return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * is_sec_prot_01h_supported() - check if security protocol 01h supported.
+ * @security_protocols: struct with response from disk (NVMe, SATA) describing supported
+ * security protocols.
+ *
+ * Return: true if TCG_SECP_01 found, false otherwise.
+ */
+static bool is_sec_prot_01h_supported(supported_security_protocols_t *security_protocols)
+{
+	int list_length = be16toh(security_protocols->list_length);
+	int index;
+
+	for (index = 0 ; index < list_length; index++) {
+		if (security_protocols->list[index] == TCG_SECP_01)
+			return true;
+	}
+
+	return false;
+}
+
+/**
+ * is_sec_prot_01h_supported_nvme() - check if security protocol 01h supported for given NVMe disk.
+ * @disk_fd: a disk file descriptor.
+ * @verbose: verbose flag.
+ *
+ * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported,
+ * %DRIVE_FEAT_CHECK_FAILED_ST if failed to check.
+ */
+static drive_feat_sup_st is_sec_prot_01h_supported_nvme(int disk_fd, const int verbose)
+{
+	supported_security_protocols_t security_protocols = {0};
+
+	/* security_protocol: TCG_SECP_00, comm_id: not applicable */
+	if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_00, 0x0, &security_protocols,
+				     sizeof(security_protocols), verbose))
+		return DRIVE_FEAT_CHECK_FAILED_ST;
+
+	if (is_sec_prot_01h_supported(&security_protocols))
+		return DRIVE_FEAT_SUP_ST;
+
+	return DRIVE_FEAT_NOT_SUP_ST;
+}
+
+/**
+ * is_nvme_sec_send_recv_supported() - check if Security Send and Security Receive is supported.
+ * @disk_fd: a disk file descriptor.
+ * @verbose: verbose flag.
+ *
+ * Check if "Optional Admin Command Support" bit 0 is set in NVMe identify.
+ * Bit 0 set to 1 means controller supports the Security Send and Security Receive commands.
+ *
+ * Return: %DRIVE_FEAT_SUP_ST if security send/receive supported,
+ * %DRIVE_FEAT_NOT_SUP_ST if not supported, %DRIVE_FEAT_CHECK_FAILED_ST if check failed.
+ */
+static drive_feat_sup_st is_nvme_sec_send_recv_supported(int disk_fd, const int verbose)
+{
+	nvme_identify_ctrl_t nvme_identify = {0};
+	int status = 0;
+
+	status = nvme_identify_ioctl(disk_fd, &nvme_identify, sizeof(nvme_identify), verbose);
+	if (status)
+		return DRIVE_FEAT_CHECK_FAILED_ST;
+
+	if ((__le16_to_cpu(nvme_identify.oacs) & 0x1) == 0x1)
+		return DRIVE_FEAT_SUP_ST;
+
+	return DRIVE_FEAT_NOT_SUP_ST;
+}
+
+/**
+ * get_opal_encryption_information() - get Opal encryption information.
+ * @buffer: buffer with Opal Level 0 Discovery response.
+ * @information: struct to fill out, describing encryption status of disk.
+ *
+ * If Locking feature frame is in response from Opal Level 0 discovery, &encryption_information_t
+ * structure is completed with status and ability otherwise the status is set to &None.
+ * For possible encryption statuses and abilities,
+ * please refer to enums &encryption_status and &encryption_ability.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
+ */
+static mdadm_status_t get_opal_encryption_information(__u8 *buffer,
+						      encryption_information_t *information)
+{
+	opal_locking_feature_t *opal_locking_feature =
+					get_opal_locking_feature_description(buffer);
+
+	if (!opal_locking_feature)
+		return MDADM_STATUS_ERROR;
+
+	if (opal_locking_feature->locking_supported == 1) {
+		information->ability = ENC_ABILITY_SED;
+
+		if (opal_locking_feature->locking_enabled == 0)
+			information->status = ENC_STATUS_UNENCRYPTED;
+		else if (opal_locking_feature->locked == 1)
+			information->status = ENC_STATUS_LOCKED;
+		else
+			information->status = ENC_STATUS_UNLOCKED;
+	} else {
+		information->ability = ENC_ABILITY_NONE;
+		information->status = ENC_STATUS_UNENCRYPTED;
+	}
+
+	return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * get_nvme_opal_encryption_information() - get NVMe Opal encryption information.
+ * @disk_fd: a disk file descriptor.
+ * @information: struct to fill out, describing encryption status of disk.
+ * @verbose: verbose flag.
+ *
+ * In case the disk supports Opal Level 0 discovery, &encryption_information_t structure
+ * is completed with status and ability based on ioctl response,
+ * otherwise the ability is set to %ENC_ABILITY_NONE and &status to %ENC_STATUS_UNENCRYPTED.
+ * As the current use case does not need the knowledge of Opal support, if there is no support,
+ * %MDADM_STATUS_SUCCESS will be returned, with the values described above.
+ * For possible encryption statuses and abilities,
+ * please refer to enums &encryption_status and &encryption_ability.
+ *
+ * %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
+ */
+mdadm_status_t
+get_nvme_opal_encryption_information(int disk_fd, encryption_information_t *information,
+				     const int verbose)
+{
+	__u8 buffer[OPAL_IO_BUFFER_LEN];
+	int sec_send_recv_supported = 0;
+	int protocol_01h_supported = 0;
+	mdadm_status_t status;
+
+	information->ability = ENC_ABILITY_NONE;
+	information->status = ENC_STATUS_UNENCRYPTED;
+
+	sec_send_recv_supported = is_nvme_sec_send_recv_supported(disk_fd, verbose);
+	if (sec_send_recv_supported == DRIVE_FEAT_CHECK_FAILED_ST)
+		return MDADM_STATUS_ERROR;
+
+	/* Opal not supported */
+	if (sec_send_recv_supported == DRIVE_FEAT_NOT_SUP_ST)
+		return MDADM_STATUS_SUCCESS;
+
+	/**
+	 * sec_send_recv_supported determine that it should be possible to read
+	 * supported sec protocols
+	 */
+	protocol_01h_supported = is_sec_prot_01h_supported_nvme(disk_fd, verbose);
+	if (protocol_01h_supported == DRIVE_FEAT_CHECK_FAILED_ST)
+		return MDADM_STATUS_ERROR;
+
+	/* Opal not supported */
+	if (sec_send_recv_supported == DRIVE_FEAT_SUP_ST &&
+	    protocol_01h_supported == DRIVE_FEAT_NOT_SUP_ST)
+		return MDADM_STATUS_SUCCESS;
+
+	if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_01, OPAL_DISCOVERY_COMID, (void *)&buffer,
+				     OPAL_IO_BUFFER_LEN, verbose))
+		return MDADM_STATUS_ERROR;
+
+	status = get_opal_encryption_information((__u8 *)&buffer, information);
+	if (status)
+		pr_vrb("Locking feature description not found in Level 0 discovery response. Device /dev/%s.\n",
+		       fd2kname(disk_fd));
+
+	if (information->ability == ENC_ABILITY_NONE)
+		assert(information->status == ENC_STATUS_UNENCRYPTED);
+
+	return status;
+}
diff --git a/drive_encryption.h b/drive_encryption.h
new file mode 100644
index 00000000..82c2c624
--- /dev/null
+++ b/drive_encryption.h
@@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Read encryption information for Opal and ATA devices.
+ *
+ * Copyright (C) 2024 Intel Corporation
+ *	Author: Blazej Kucman <blazej.kucman@intel.com>
+ */
+
+typedef enum encryption_status {
+	/* The drive is not currently encrypted. */
+	ENC_STATUS_UNENCRYPTED = 0,
+	/* The drive is encrypted and the data is not accessible. */
+	ENC_STATUS_LOCKED,
+	/* The drive is encrypted but the data is accessible in unencrypted form. */
+	ENC_STATUS_UNLOCKED
+} encryption_status_t;
+
+typedef enum encryption_ability {
+	ENC_ABILITY_NONE = 0,
+	ENC_ABILITY_OTHER,
+	/* Self encrypted drive */
+	ENC_ABILITY_SED
+} encryption_ability_t;
+
+typedef struct encryption_information {
+	encryption_ability_t ability;
+	encryption_status_t status;
+} encryption_information_t;
+
+mdadm_status_t
+get_nvme_opal_encryption_information(int disk_fd, struct encryption_information *information,
+				     const int verbose);
-- 
2.35.3

[PATCH v2 3/6] Add reading SATA encryption information

[Blazej Kucman]

Functionality reads information about SATA disk encryption. Technical
documentation used is given in the implementation.

The implementation is able to recognized two encryption standards for SATA
drives, OPAL and ATA security.

If the SATA drive supports OPAL, encryption status and ability are
determined based on Opal Level 0 discovery response, for ATA security,
based on ATA identify response. If SATA supports OPAL, ability is set to
"SED", for ATA security to "Other".

SED(Self-Encrypting Drive) is commonly used to describe drive which using
OPAL or Enterprise standards developed by Trusted Computing Group. Ability
"Other" is used for ATA security because we rely only on information from
ATA identify which describe the overall state of encryption.

It is allowed to mix disks with different encryption ability such as "SED"
and "Other" and it is not security gap.

Motivation for adding this functionality is to block mixing of disks in
IMSM arrays with encryption enabled and disabled. The main goal is to not
allow stealing data by rebuilding array to not encrypted drive which can be
read elsewhere.

For SATA Opal drives, libata allow_tmp parameter enabled is required, which
is necessary for Opal Security commands to work, therefore, if the
parameter is not enabled, SATA Opal disk cannot be used in case the
encryption will be checked by metadata.

Implemented functions will be used in one of the next patches. In one of
the next patches, a flag will be added to enable disabling SATA Opal
encryption checking due to allow_tpm kernel setting dependency.

Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
 drive_encryption.c | 318 +++++++++++++++++++++++++++++++++++++++++++++
 drive_encryption.h |   3 +
 mdadm.h            |   1 +
 sysfs.c            |  29 +++++
 4 files changed, 351 insertions(+)

diff --git a/drive_encryption.c b/drive_encryption.c
index b44585a7..d520f0c7 100644
--- a/drive_encryption.c
+++ b/drive_encryption.c
@@ -10,8 +10,12 @@
 
 #include <asm/types.h>
 #include <linux/nvme_ioctl.h>
+#include <scsi/sg.h>
+#include <scsi/scsi.h>
 #include "drive_encryption.h"
 
+#define DEFAULT_SECTOR_SIZE (512)
+
 /*
  * Opal defines
  * TCG Storage Opal SSC 2.01 chapter 3.3.3
@@ -34,6 +38,35 @@
 #define NVME_OACS_BYTE_POSITION (256)
 #define NVME_IDENTIFY_CONTROLLER_DATA (1)
 
+/*
+ * ATA defines
+ * ATA/ATAPI Command Set ATA8-ACS
+ * SCSI / ATA Translation - 3 (SAT-3)
+ * SCSI Primary Commands - 4 (SPC-4)
+ * AT Attachment-8 - ATA Serial Transport (ATA8-AST)
+ * ATA Command Pass-Through
+ */
+#define ATA_IDENTIFY (0xec)
+#define ATA_TRUSTED_RECEIVE (0x5c)
+#define ATA_SECURITY_WORD_POSITION (128)
+#define HDIO_DRIVE_CMD (0x031f)
+#define ATA_TRUSTED_COMPUTING_POS (48)
+#define ATA_PASS_THROUGH_12 (0xa1)
+#define ATA_IDENTIFY_RESPONSE_LEN (512)
+#define ATA_PIO_DATA_IN (4)
+#define SG_CHECK_CONDITION (0x02)
+#define ATA_STATUS_RETURN_DESCRIPTOR (0x09)
+#define ATA_PT_INFORMATION_AVAILABLE_ASCQ (0x1d)
+#define ATA_PT_INFORMATION_AVAILABLE_ASC (0x00)
+#define ATA_INQUIRY_LENGTH (0x0c)
+#define SG_INTERFACE_ID 'S'
+#define SG_IO_TIMEOUT (60000)
+#define SG_SENSE_SIZE (32)
+#define SENSE_DATA_CURRENT_FIXED (0x70)
+#define SENSE_DATA_CURRENT_DESC (0x72)
+#define SENSE_CURRENT_RES_DESC_POS (8)
+#define SG_DRIVER_SENSE	(0x08)
+
 typedef enum drive_feature_support_status {
 	/* Drive feature is supported. */
 	DRIVE_FEAT_SUP_ST = 0,
@@ -87,6 +120,27 @@ typedef struct supported_security_protocols {
 	__u8  list[504];
 } supported_security_protocols_t;
 
+/* ATA/ATAPI Command Set - 3 (ACS-3), Table 45 */
+typedef struct ata_security_status {
+	__u16 security_supported : 1;
+	__u16 security_enabled : 1;
+	__u16 security_locked : 1;
+	__u16 security_frozen : 1;
+	__u16 security_count_expired : 1;
+	__u16 enhanced_security_erase_supported : 1;
+	__u16 reserved1 : 2;
+	__u16 security_level : 1;
+	__u16 reserved2 : 7;
+} __attribute__((__packed__)) ata_security_status_t;
+
+/* ATA/ATAPI Command Set - 3 (ACS-3), Table 45 */
+typedef struct ata_trusted_computing {
+	__u16 tc_feature :1;
+	__u16 reserved : 13;
+	__u16 var1 : 1;
+	__u16 var2 : 1;
+} __attribute__((__packed__)) ata_trusted_computing_t;
+
 /**
  * get_opal_locking_feature_description() - get opal locking feature description.
  * @response: response from Opal Discovery Level 0.
@@ -360,3 +414,267 @@ get_nvme_opal_encryption_information(int disk_fd, encryption_information_t *info
 
 	return status;
 }
+
+/**
+ * ata_pass_through12_ioctl() - ata pass through12 ioctl.
+ * @disk_fd: a disk file descriptor.
+ * @ata_command: ata command.
+ * @sec_protocol: security protocol.
+ * @comm_id: additional command id.
+ * @response_buffer: response buffer to fill out.
+ * @buf_size: response buffer size.
+ * @verbose: verbose flag.
+ *
+ * Based on the documentations ATA Command Pass-Through, chapter 13.2.2 and
+ * ATA Translation - 3 (SAT-3), send read ata pass through 12 command via ioctl().
+ * On success, @response_buffer will be completed.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR on fail.
+ */
+static mdadm_status_t
+ata_pass_through12_ioctl(int disk_fd, __u8 ata_command,  __u8 sec_protocol, __u16 comm_id,
+			 void *response_buffer, size_t buf_size, const int verbose)
+{
+	__u8 cdb[ATA_INQUIRY_LENGTH] = {0};
+	__u8 sense[SG_SENSE_SIZE] = {0};
+	__u8 *sense_desc = NULL;
+	sg_io_hdr_t sg = {0};
+
+	/*
+	 * ATA Command Pass-Through, chapter 13.2.2
+	 * SCSI Primary Commands - 4 (SPC-4)
+	 * ATA Translation - 3 (SAT-3)
+	 */
+	cdb[0] = ATA_PASS_THROUGH_12;
+	/* protocol, bits 1-4 */
+	cdb[1] = ATA_PIO_DATA_IN << 1;
+	/* Bytes: CK_COND=1, T_DIR = 1, BYTE_BLOCK = 1, Length in Sector Count = 2 */
+	cdb[2] = 0x2E;
+	cdb[3] = sec_protocol;
+	/* Sector count */
+	cdb[4] = buf_size / DEFAULT_SECTOR_SIZE;
+	cdb[6] = (comm_id) & 0xFF;
+	cdb[7] = (comm_id >> 8) & 0xFF;
+	cdb[9] = ata_command;
+
+	sg.interface_id = SG_INTERFACE_ID;
+	sg.cmd_len = sizeof(cdb);
+	sg.mx_sb_len = sizeof(sense);
+	sg.dxfer_direction = SG_DXFER_FROM_DEV;
+	sg.dxfer_len = buf_size;
+	sg.dxferp = response_buffer;
+	sg.cmdp = cdb;
+	sg.sbp = sense;
+	sg.timeout = SG_IO_TIMEOUT;
+	sg.usr_ptr = NULL;
+
+	if (ioctl(disk_fd, SG_IO, &sg) < 0) {
+		pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s.\n", fd2kname(disk_fd));
+		return MDADM_STATUS_ERROR;
+	}
+
+	if ((sg.status && sg.status != SG_CHECK_CONDITION) || sg.host_status ||
+	    (sg.driver_status && sg.driver_status != SG_DRIVER_SENSE)) {
+		pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s.\n", fd2kname(disk_fd));
+		pr_vrb("SG_IO error: ATA_12 Status: %d Host Status: %d, Driver Status: %d\n",
+		       sg.status, sg.host_status, sg.driver_status);
+		return MDADM_STATUS_ERROR;
+	}
+
+	/* verify expected sense response code */
+	if (!(sense[0] == SENSE_DATA_CURRENT_DESC || sense[0] == SENSE_DATA_CURRENT_FIXED)) {
+		pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s.\n", fd2kname(disk_fd));
+		return MDADM_STATUS_ERROR;
+	}
+
+	sense_desc = sense + SENSE_CURRENT_RES_DESC_POS;
+	/* verify sense data current response with descriptor format */
+	if (sense[0] == SENSE_DATA_CURRENT_DESC &&
+	    !(sense_desc[0] == ATA_STATUS_RETURN_DESCRIPTOR &&
+	    sense_desc[1] == ATA_INQUIRY_LENGTH)) {
+		pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s. Sense data ASC: %d, ASCQ: %d.\n",
+		       fd2kname(disk_fd), sense[2], sense[3]);
+		return MDADM_STATUS_ERROR;
+	}
+
+	/* verify sense data current response with fixed format */
+	if (sense[0] == SENSE_DATA_CURRENT_FIXED &&
+	    !(sense[12] == ATA_PT_INFORMATION_AVAILABLE_ASC &&
+	    sense[13] == ATA_PT_INFORMATION_AVAILABLE_ASCQ)) {
+		pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s. Sense data ASC: %d, ASCQ: %d.\n",
+		       fd2kname(disk_fd), sense[12], sense[13]);
+		return MDADM_STATUS_ERROR;
+	}
+
+	return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * is_sec_prot_01h_supported_ata() - check if security protocol 01h supported for given SATA disk.
+ * @disk_fd: a disk file descriptor.
+ * @verbose: verbose flag.
+ *
+ * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported,
+ * %DRIVE_FEAT_CHECK_FAILED_ST if failed.
+ */
+static drive_feat_sup_st is_sec_prot_01h_supported_ata(int disk_fd, const int verbose)
+{
+	supported_security_protocols_t security_protocols;
+
+	mdadm_status_t result = ata_pass_through12_ioctl(disk_fd, ATA_TRUSTED_RECEIVE, TCG_SECP_00,
+							 0x0, &security_protocols,
+							 sizeof(security_protocols), verbose);
+	if (result)
+		return DRIVE_FEAT_CHECK_FAILED_ST;
+
+	if (is_sec_prot_01h_supported(&security_protocols))
+		return DRIVE_FEAT_SUP_ST;
+
+	return DRIVE_FEAT_NOT_SUP_ST;
+}
+
+/**
+ * is_ata_trusted_computing_supported() - check if ata trusted computing supported.
+ * @buffer: buffer with ATA identify response, not NULL.
+ *
+ * Return: true if trusted computing bit set, false otherwise.
+ */
+bool is_ata_trusted_computing_supported(__u16 *buffer)
+{
+	/* Added due to warnings from the compiler about a possible uninitialized variable below. */
+	assert(buffer);
+
+	__u16 security_tc_frame = __le16_to_cpu(buffer[ATA_TRUSTED_COMPUTING_POS]);
+	ata_trusted_computing_t *security_tc = (ata_trusted_computing_t *)&security_tc_frame;
+
+	if (security_tc->tc_feature == 1)
+		return true;
+
+	return false;
+}
+
+/**
+ * get_ata_standard_security_status() - get ATA disk encryption information from ATA identify.
+ * @buffer: buffer with response from ATA identify, not NULL.
+ * @information: struct to fill out, describing encryption status of disk.
+ *
+ * The function based on the Security status frame from ATA identify,
+ * completed encryption information.
+ * For possible encryption statuses and abilities,
+ * please refer to enums &encryption_status and &encryption_ability.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR on fail.
+ */
+static mdadm_status_t get_ata_standard_security_status(__u16 *buffer,
+						       struct encryption_information *information)
+{
+	/* Added due to warnings from the compiler about a possible uninitialized variable below. */
+	assert(buffer);
+
+	__u16 security_status_frame = __le16_to_cpu(buffer[ATA_SECURITY_WORD_POSITION]);
+	ata_security_status_t *security_status = (ata_security_status_t *)&security_status_frame;
+
+	if (!security_status->security_supported) {
+		information->ability = ENC_ABILITY_NONE;
+		information->status = ENC_STATUS_UNENCRYPTED;
+
+		return MDADM_STATUS_SUCCESS;
+	}
+
+	information->ability = ENC_ABILITY_OTHER;
+
+	if (security_status->security_enabled == 0)
+		information->status = ENC_STATUS_UNENCRYPTED;
+	else if (security_status->security_locked == 1)
+		information->status = ENC_STATUS_LOCKED;
+	else
+		information->status = ENC_STATUS_UNLOCKED;
+
+	return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * is_ata_opal() - check if SATA disk support Opal.
+ * @disk_fd: a disk file descriptor.
+ * @buffer: buffer with ATA identify response.
+ * @verbose: verbose flag.
+ *
+ * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported,
+ * %DRIVE_FEAT_CHECK_FAILED_ST if failed to check.
+ */
+static drive_feat_sup_st is_ata_opal(int disk_fd, __u16 *buffer_identify, const int verbose)
+{
+	bool tc_status = is_ata_trusted_computing_supported(buffer_identify);
+	drive_feat_sup_st tcg_sec_prot_status;
+
+	if (!tc_status)
+		return DRIVE_FEAT_NOT_SUP_ST;
+
+	tcg_sec_prot_status = is_sec_prot_01h_supported_ata(disk_fd, verbose);
+
+	if (tcg_sec_prot_status == DRIVE_FEAT_CHECK_FAILED_ST) {
+		pr_vrb("Failed to verify if security protocol 01h supported. Device /dev/%s.\n",
+		       fd2kname(disk_fd));
+		return DRIVE_FEAT_CHECK_FAILED_ST;
+	}
+
+	if (tc_status && tcg_sec_prot_status == DRIVE_FEAT_SUP_ST)
+		return DRIVE_FEAT_SUP_ST;
+
+	return DRIVE_FEAT_NOT_SUP_ST;
+}
+
+/**
+ * get_ata_encryption_information() - get ATA disk encryption information.
+ * @disk_fd: a disk file descriptor.
+ * @information: struct to fill out, describing encryption status of disk.
+ * @verbose: verbose flag.
+ *
+ * The function reads information about encryption, if the disk supports Opal,
+ * the information is completed based on Opal Level 0 discovery, otherwise,
+ * based on ATA security status frame from ATA identification response.
+ * For possible encryption statuses and abilities,
+ * please refer to enums &encryption_status and &encryption_ability.
+ *
+ * Based on the documentations ATA/ATAPI Command Set ATA8-ACS and
+ * AT Attachment-8 - ATA Serial Transport (ATA8-AST).
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR on fail.
+ */
+mdadm_status_t
+get_ata_encryption_information(int disk_fd, struct encryption_information *information,
+			       const int verbose)
+{
+	__u8 buffer_opal_level0_discovery[OPAL_IO_BUFFER_LEN] = {0};
+	__u16 buffer_identify[ATA_IDENTIFY_RESPONSE_LEN] = {0};
+	drive_feat_sup_st ata_opal_status;
+	mdadm_status_t status;
+
+	/* Get disk ATA identification */
+	status = ata_pass_through12_ioctl(disk_fd, ATA_IDENTIFY, 0x0, 0x0, buffer_identify,
+					  sizeof(buffer_identify), verbose);
+	if (status == MDADM_STATUS_ERROR)
+		return MDADM_STATUS_ERROR;
+
+	if (is_ata_trusted_computing_supported(buffer_identify) &&
+	    !sysfs_is_libata_allow_tpm_enabled(verbose)) {
+		pr_vrb("For SATA with Trusted Computing support, required libata.tpm_enabled=1.\n");
+		return MDADM_STATUS_ERROR;
+	}
+
+	ata_opal_status = is_ata_opal(disk_fd, buffer_identify, verbose);
+	if (ata_opal_status == DRIVE_FEAT_CHECK_FAILED_ST)
+		return MDADM_STATUS_ERROR;
+
+	if (ata_opal_status == DRIVE_FEAT_NOT_SUP_ST)
+		return get_ata_standard_security_status(buffer_identify, information);
+
+	/* SATA Opal */
+	status = ata_pass_through12_ioctl(disk_fd, ATA_TRUSTED_RECEIVE, TCG_SECP_01,
+					  OPAL_DISCOVERY_COMID, buffer_opal_level0_discovery,
+					  OPAL_IO_BUFFER_LEN, verbose);
+	if (status != MDADM_STATUS_SUCCESS)
+		return MDADM_STATUS_ERROR;
+
+	return get_opal_encryption_information(buffer_opal_level0_discovery, information);
+}
diff --git a/drive_encryption.h b/drive_encryption.h
index 82c2c624..77c7f10f 100644
--- a/drive_encryption.h
+++ b/drive_encryption.h
@@ -30,3 +30,6 @@ typedef struct encryption_information {
 mdadm_status_t
 get_nvme_opal_encryption_information(int disk_fd, struct encryption_information *information,
 				     const int verbose);
+mdadm_status_t
+get_ata_encryption_information(int disk_fd, struct encryption_information *information,
+			       const int verbose);
diff --git a/mdadm.h b/mdadm.h
index 141adbd7..f64bb783 100644
--- a/mdadm.h
+++ b/mdadm.h
@@ -853,6 +853,7 @@ extern int restore_stripes(int *dest, unsigned long long *offsets,
 			   int source, unsigned long long read_offset,
 			   unsigned long long start, unsigned long long length,
 			   char *src_buf);
+extern bool sysfs_is_libata_allow_tpm_enabled(const int verbose);
 
 #ifndef Sendmail
 #define Sendmail "/usr/lib/sendmail -t"
diff --git a/sysfs.c b/sysfs.c
index 230b842e..24790896 100644
--- a/sysfs.c
+++ b/sysfs.c
@@ -1123,3 +1123,32 @@ void sysfsline(char *line)
 	sr->next = sysfs_rules;
 	sysfs_rules = sr;
 }
+
+/**
+ * sysfs_is_libata_allow_tpm_enabled() - check if libata allow_tmp is enabled.
+ * @verbose: verbose flag.
+ *
+ * Check if libata allow_tmp flag is set, this is required for SATA Opal Security commands to work.
+ *
+ * Return: true if allow_tpm enable, false otherwise.
+ */
+bool sysfs_is_libata_allow_tpm_enabled(const int verbose)
+{
+	const char *path = "/sys/module/libata/parameters/allow_tpm";
+	const char *expected_value = "1";
+	int fd = open(path, O_RDONLY);
+	char buf[3];
+
+	if (!is_fd_valid(fd)) {
+		pr_vrb("Failed open file descriptor to %s. Cannot check libata allow_tpm param.\n",
+		       path);
+		return false;
+	}
+
+	sysfs_fd_get_str(fd, buf, sizeof(buf));
+	close(fd);
+
+	if (strncmp(buf, expected_value, 1) == 0)
+		return true;
+	return false;
+}
-- 
2.35.3

[PATCH v2 4/6] Add key ENCRYPTION_NO_VERIFY to conf

[Blazej Kucman]

Add ENCRYPTION_NO_VERIFY config key and allow to disable checking
encryption status for given type of drives.

The key is introduced because of SATA Opal disks for which TPM commands
must be enabled in libata kernel module, (libata.allow_tpm=1), otherwise
it is impossible to verify encryption status. TPM commands are disabled by
default.

Currently the key only supports the "sata_opal" value, if necessary,
the functionality is ready to support more types of disks. This
functionality will be used in the next patches.

Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
 config.c           | 25 ++++++++++++++++++++++++-
 drive_encryption.c | 16 ++++++++++++----
 mdadm.conf.5.in    | 13 +++++++++++++
 mdadm.h            |  1 +
 4 files changed, 50 insertions(+), 5 deletions(-)

diff --git a/config.c b/config.c
index 44f7dd2f..b46d71cb 100644
--- a/config.c
+++ b/config.c
@@ -81,7 +81,7 @@ char DefaultAltConfDir[] = CONFFILE2 ".d";
 
 enum linetype { Devices, Array, Mailaddr, Mailfrom, Program, CreateDev,
 		Homehost, HomeCluster, AutoMode, Policy, PartPolicy, Sysfs,
-		MonitorDelay, LTEnd };
+		MonitorDelay, EncryptionNoVerify, LTEnd };
 char *keywords[] = {
 	[Devices]  = "devices",
 	[Array]    = "array",
@@ -96,6 +96,7 @@ char *keywords[] = {
 	[PartPolicy]="part-policy",
 	[Sysfs]    = "sysfs",
 	[MonitorDelay] = "monitordelay",
+	[EncryptionNoVerify] = "ENCRYPTION_NO_VERIFY",
 	[LTEnd]    = NULL
 };
 
@@ -729,6 +730,19 @@ void monitordelayline(char *line)
 	}
 }
 
+static bool sata_opal_encryption_no_verify;
+void encryption_no_verify_line(char *line)
+{
+	char *word;
+
+	for (word = dl_next(line); word != line; word = dl_next(word)) {
+		if (strcasecmp(word, "sata_opal") == 0)
+			sata_opal_encryption_no_verify = true;
+		else
+			pr_err("unrecognised word on ENCRYPTION_NO_VERIFY line: %s\n", word);
+	}
+}
+
 char auto_yes[] = "yes";
 char auto_no[] = "no";
 char auto_homehost[] = "homehost";
@@ -913,6 +927,9 @@ void conf_file(FILE *f)
 		case MonitorDelay:
 			monitordelayline(line);
 			break;
+		case EncryptionNoVerify:
+			encryption_no_verify_line(line);
+			break;
 		default:
 			pr_err("Unknown keyword %s\n", line);
 		}
@@ -1075,6 +1092,12 @@ int conf_get_monitor_delay(void)
 	return monitor_delay;
 }
 
+bool conf_get_sata_opal_encryption_no_verify(void)
+{
+	load_conffile();
+	return sata_opal_encryption_no_verify;
+}
+
 struct createinfo *conf_get_create_info(void)
 {
 	load_conffile();
diff --git a/drive_encryption.c b/drive_encryption.c
index d520f0c7..6b2bd358 100644
--- a/drive_encryption.c
+++ b/drive_encryption.c
@@ -656,10 +656,18 @@ get_ata_encryption_information(int disk_fd, struct encryption_information *infor
 	if (status == MDADM_STATUS_ERROR)
 		return MDADM_STATUS_ERROR;
 
-	if (is_ata_trusted_computing_supported(buffer_identify) &&
-	    !sysfs_is_libata_allow_tpm_enabled(verbose)) {
-		pr_vrb("For SATA with Trusted Computing support, required libata.tpm_enabled=1.\n");
-		return MDADM_STATUS_ERROR;
+	/* Possible OPAL support, further checks require tpm_enabled.*/
+	if (is_ata_trusted_computing_supported(buffer_identify)) {
+		/* OPAL SATA encryption checking disabled. */
+		if (conf_get_sata_opal_encryption_no_verify())
+			return MDADM_STATUS_SUCCESS;
+
+		if (!sysfs_is_libata_allow_tpm_enabled(verbose)) {
+			pr_vrb("Detected SATA drive /dev/%s with Trusted Computing support.\n",
+			       fd2kname(disk_fd));
+			pr_vrb("Cannot verify encryption state. Requires libata.tpm_enabled=1.\n");
+			return MDADM_STATUS_ERROR;
+		}
 	}
 
 	ata_opal_status = is_ata_opal(disk_fd, buffer_identify, verbose);
diff --git a/mdadm.conf.5.in b/mdadm.conf.5.in
index 787e51e9..afb0a296 100644
--- a/mdadm.conf.5.in
+++ b/mdadm.conf.5.in
@@ -636,6 +636,17 @@ If multiple
 .B MINITORDELAY
 lines are provided, only first non-zero value is considered.
 
+.TP
+.B ENCRYPTION_NO_VERIFY
+The
+.B ENCRYPTION_NO_VERIFY
+disables encryption verification for devices with particular encryption support detected.
+Currently, only verification of SATA OPAL encryption can be disabled.
+It does not disable ATA security encryption verification.
+Available parameter
+.I "sata_opal".
+
+
 .SH FILES
 
 .SS {CONFFILE}
@@ -744,6 +755,8 @@ SYSFS uuid=bead5eb6:31c17a27:da120ba2:7dfda40d group_thread_cnt=4
 sync_speed_max=1000000
 .br
 MONITORDELAY 60
+.br
+ENCRYPTION_NO_VERIFY sata_opal
 
 .SH SEE ALSO
 .BR mdadm (8),
diff --git a/mdadm.h b/mdadm.h
index f64bb783..9d98693b 100644
--- a/mdadm.h
+++ b/mdadm.h
@@ -1673,6 +1673,7 @@ extern char *conf_get_program(void);
 extern char *conf_get_homehost(int *require_homehostp);
 extern char *conf_get_homecluster(void);
 extern int conf_get_monitor_delay(void);
+extern bool conf_get_sata_opal_encryption_no_verify(void);
 extern char *conf_line(FILE *file);
 extern char *conf_word(FILE *file, int allow_key);
 extern void print_quoted(char *str);
-- 
2.35.3

[PATCH v2 5/6] imsm: print disk encryption information

[Blazej Kucman]

Print SATA/NVMe disk encryption information in --detail-platform.
Encryption Ability and Status will be printed for each disk.

There is one exception, Opal SATA drives encryption is not checked when
ENCRYPTION_NO_VERIFY key with "sata_opal" value is set in conf, for this
reason such drives are treated as without encryption support.

To test this feature, drives SATA/NVMe with Opal support or SATA drives
with encryption support have to be used.

Example outputs of --detail-platform:

Non Opal, encryption enabled, SATA drive:
Port0 : /dev/sdc (CVPR050600G3120LGN)
        Encryption(Ability|Status): Other|Unlocked

NVMe drive without Opal support:
NVMe under VMD : /dev/nvme2n1 (PHLF737302GB1P0GGN)
        Encryption(Ability|Status): None|Unencrypted

Unencrypted SATA drive with OPAL support:

- default allow_tpm, we will get an error from mdadm:
          Port6 : /dev/sdi (CVTS4246015V180IGN)
mdadm: Detected SATA drive /dev/sdi with Trusted Computing support.
mdadm: Cannot verify encryption state. Requires libata.tpm_enabled=1.
mdadm: Failed to get drive encrytpion information.

-  default "allow_tpm" and config entry "ENCRYPTION_NO_VERIFY sata_opal":
Port6 : /dev/sdi (CVTS4246015V180IGN)
        Encryption(Ability|Status): None|Unencrypted

- added "libata.allow_tpm=1" to boot parameters(requires reboot),
the status will be read correctly:
Port6 : /dev/sdi (CVTS4246015V180IGN)
        Encryption(Ability|Status): SED|Unencrypted

Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
 drive_encryption.c | 36 ++++++++++++++++++++++++++++++++++++
 drive_encryption.h |  2 ++
 mdadm.conf.5.in    |  3 +++
 super-intel.c      | 42 ++++++++++++++++++++++++++++++++++++++----
 4 files changed, 79 insertions(+), 4 deletions(-)

diff --git a/drive_encryption.c b/drive_encryption.c
index 6b2bd358..27da9621 100644
--- a/drive_encryption.c
+++ b/drive_encryption.c
@@ -141,6 +141,42 @@ typedef struct ata_trusted_computing {
 	__u16 var2 : 1;
 } __attribute__((__packed__)) ata_trusted_computing_t;
 
+mapping_t encryption_ability_map[] = {
+	{ "None", ENC_ABILITY_NONE },
+	{ "Other", ENC_ABILITY_OTHER },
+	{ "SED", ENC_ABILITY_SED },
+	{ NULL, UnSet }
+};
+
+mapping_t encryption_status_map[] = {
+	{ "Unencrypted", ENC_STATUS_UNENCRYPTED },
+	{ "Locked", ENC_STATUS_LOCKED },
+	{ "Unlocked", ENC_STATUS_UNLOCKED },
+	{ NULL, UnSet }
+};
+
+/**
+ * get_encryption_ability_string() - get encryption ability name string.
+ * @ability: encryption ability enum.
+ *
+ * Return: encryption ability string.
+ */
+const char *get_encryption_ability_string(enum encryption_ability ability)
+{
+	return map_num_s(encryption_ability_map, ability);
+}
+
+/**
+ * get_encryption_status_string() - get encryption status name string.
+ * @ability: encryption status enum.
+ *
+ * Return: encryption status string.
+ */
+const char *get_encryption_status_string(enum encryption_status status)
+{
+	return map_num_s(encryption_status_map, status);
+}
+
 /**
  * get_opal_locking_feature_description() - get opal locking feature description.
  * @response: response from Opal Discovery Level 0.
diff --git a/drive_encryption.h b/drive_encryption.h
index 77c7f10f..0cb8ff1b 100644
--- a/drive_encryption.h
+++ b/drive_encryption.h
@@ -33,3 +33,5 @@ get_nvme_opal_encryption_information(int disk_fd, struct encryption_information
 mdadm_status_t
 get_ata_encryption_information(int disk_fd, struct encryption_information *information,
 			       const int verbose);
+const char *get_encryption_ability_string(enum encryption_ability ability);
+const char *get_encryption_status_string(enum encryption_status status);
diff --git a/mdadm.conf.5.in b/mdadm.conf.5.in
index afb0a296..14302a91 100644
--- a/mdadm.conf.5.in
+++ b/mdadm.conf.5.in
@@ -643,6 +643,9 @@ The
 disables encryption verification for devices with particular encryption support detected.
 Currently, only verification of SATA OPAL encryption can be disabled.
 It does not disable ATA security encryption verification.
+Currently effective only for
+.I IMSM
+metadata.
 Available parameter
 .I "sata_opal".
 
diff --git a/super-intel.c b/super-intel.c
index 806b6248..885d7a91 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -27,6 +27,7 @@
 #include <scsi/sg.h>
 #include <ctype.h>
 #include <dirent.h>
+#include "drive_encryption.h"
 
 /* MPB == Metadata Parameter Block */
 #define MPB_SIGNATURE "Intel Raid ISM Cfg Sig. "
@@ -2349,12 +2350,41 @@ static int imsm_read_serial(int fd, char *devname, __u8 *serial,
 			    size_t serial_buf_len);
 static void fd2devname(int fd, char *name);
 
-static int ahci_enumerate_ports(const char *hba_path, int port_count, int host_base, int verbose)
+void print_encryption_information(int disk_fd, enum sys_dev_type hba_type)
+{
+	struct encryption_information information = {0};
+	mdadm_status_t status = MDADM_STATUS_SUCCESS;
+	const char *indent = "                  ";
+
+	switch (hba_type) {
+	case SYS_DEV_VMD:
+	case SYS_DEV_NVME:
+		status = get_nvme_opal_encryption_information(disk_fd, &information, 1);
+		break;
+	case SYS_DEV_SATA:
+	case SYS_DEV_SATA_VMD:
+		status = get_ata_encryption_information(disk_fd, &information, 1);
+		break;
+	default:
+		return;
+	}
+
+	if (status) {
+		pr_err("Failed to get drive encryption information.\n");
+		return;
+	}
+
+	printf("%sEncryption(Ability|Status): %s|%s\n", indent,
+	       get_encryption_ability_string(information.ability),
+	       get_encryption_status_string(information.status));
+}
+
+static int ahci_enumerate_ports(struct sys_dev *hba, int port_count, int host_base, int verbose)
 {
 	/* dump an unsorted list of devices attached to AHCI Intel storage
 	 * controller, as well as non-connected ports
 	 */
-	int hba_len = strlen(hba_path) + 1;
+	int hba_len = strlen(hba->path) + 1;
 	struct dirent *ent;
 	DIR *dir;
 	char *path = NULL;
@@ -2390,7 +2420,7 @@ static int ahci_enumerate_ports(const char *hba_path, int port_count, int host_b
 		path = devt_to_devpath(makedev(major, minor), 1, NULL);
 		if (!path)
 			continue;
-		if (!path_attached_to_hba(path, hba_path)) {
+		if (!path_attached_to_hba(path, hba->path)) {
 			free(path);
 			path = NULL;
 			continue;
@@ -2493,6 +2523,8 @@ static int ahci_enumerate_ports(const char *hba_path, int port_count, int host_b
 				printf(" (%s)\n", buf);
 			else
 				printf(" ()\n");
+
+			print_encryption_information(fd, hba->type);
 			close(fd);
 		}
 		free(path);
@@ -2557,6 +2589,8 @@ static int print_nvme_info(struct sys_dev *hba)
 		else
 			printf("()\n");
 
+		print_encryption_information(fd, hba->type);
+
 skip:
 		close_fd(&fd);
 	}
@@ -2812,7 +2846,7 @@ static int detail_platform_imsm(int verbose, int enumerate_only, char *controlle
 				hba->path, get_sys_dev_type(hba->type));
 			if (hba->type == SYS_DEV_SATA || hba->type == SYS_DEV_SATA_VMD) {
 				host_base = ahci_get_port_count(hba->path, &port_count);
-				if (ahci_enumerate_ports(hba->path, port_count, host_base, verbose)) {
+				if (ahci_enumerate_ports(hba, port_count, host_base, verbose)) {
 					if (verbose > 0)
 						pr_err("failed to enumerate ports on %s controller at %s.\n",
 							get_sys_dev_type(hba->type), hba->pci_id);
-- 
2.35.3

[PATCH v2 6/6] imsm: drive encryption policy implementation

[Blazej Kucman]

IMSM cares about drive encryption state. It is not allowed to mix disks
with different encryption state within one md device. This policy will
verify that attempt to use disks with different encryption states will
fail. Verification is performed for devices NVMe/SATA Opal and SATA.

There is one exception, Opal SATA drives encryption is not checked when
ENCRYPTION_NO_VERIFY key with "sata_opal" value is set in conf, for this
reason such drives are treated as without encryption support.

Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
 super-intel.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/super-intel.c b/super-intel.c
index 885d7a91..2923a0f8 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -11291,6 +11291,78 @@ test_and_add_drive_controller_policy_imsm(const char * const type, dev_policy_t
 	return MDADM_STATUS_ERROR;
 }
 
+/**
+ * test_and_add_drive_encryption_policy_imsm() - add disk encryption to policies list.
+ * @type: policy type to search in the list.
+ * @pols: list of currently recorded policies.
+ * @disk_fd: file descriptor of the device to check.
+ * @hba: The hba to which the drive is attached, could be NULL if verification is disabled.
+ * @verbose: verbose flag.
+ *
+ * IMSM cares about drive encryption state. It is not allowed to mix disks with different
+ * encryption state within one md device.
+ * If there is no encryption policy on pols we are free to add first one.
+ * If there is a policy then, new must be the same.
+ */
+static mdadm_status_t
+test_and_add_drive_encryption_policy_imsm(const char * const type, dev_policy_t **pols, int disk_fd,
+					  struct sys_dev *hba, const int verbose)
+{
+	struct dev_policy *expected_policy = pol_find(*pols, (char *)type);
+	struct encryption_information information = {0};
+	char *encryption_state = "Unknown";
+	int status = MDADM_STATUS_SUCCESS;
+	bool encryption_checked = true;
+	char devname[PATH_MAX];
+
+	if (!hba)
+		goto check_policy;
+
+	switch (hba->type) {
+	case SYS_DEV_NVME:
+	case SYS_DEV_VMD:
+		status = get_nvme_opal_encryption_information(disk_fd, &information, verbose);
+		break;
+	case SYS_DEV_SATA:
+	case SYS_DEV_SATA_VMD:
+		status = get_ata_encryption_information(disk_fd, &information, verbose);
+		break;
+	default:
+		encryption_checked = false;
+	}
+
+	if (status) {
+		fd2devname(disk_fd, devname);
+		pr_vrb("Failed to read encryption information of device %s\n", devname);
+		return MDADM_STATUS_ERROR;
+	}
+
+	if (encryption_checked) {
+		if (information.status == ENC_STATUS_LOCKED) {
+			fd2devname(disk_fd, devname);
+			pr_vrb("Device %s is in Locked state, cannot use. Aborting.\n", devname);
+			return MDADM_STATUS_ERROR;
+		}
+		encryption_state = (char *)get_encryption_status_string(information.status);
+	}
+
+check_policy:
+	if (expected_policy) {
+		if (strcmp(expected_policy->value, encryption_state) == 0)
+			return MDADM_STATUS_SUCCESS;
+
+		fd2devname(disk_fd, devname);
+		pr_vrb("Encryption status \"%s\" detected for disk %s, but \"%s\" status was detected eariler.\n",
+		       encryption_state, devname, expected_policy->value);
+		pr_vrb("Disks with different encryption status cannot be used.\n");
+		return MDADM_STATUS_ERROR;
+	}
+
+	pol_add(pols, (char *)type, encryption_state, "imsm");
+
+	return MDADM_STATUS_SUCCESS;
+}
+
 struct imsm_drive_policy {
 	char *type;
 	mdadm_status_t (*test_and_add_drive_policy)(const char * const type,
@@ -11300,6 +11372,7 @@ struct imsm_drive_policy {
 
 struct imsm_drive_policy imsm_policies[] = {
 	{"controller", test_and_add_drive_controller_policy_imsm},
+	{"encryption", test_and_add_drive_encryption_policy_imsm}
 };
 
 mdadm_status_t test_and_add_drive_policies_imsm(struct dev_policy **pols, int disk_fd,
-- 
2.35.3

Re: [PATCH v2 0/6] Disk encryption status handling

[Mariusz Tkaczyk]

On Fri, 22 Mar 2024 12:51:14 +0100
Blazej Kucman <blazej.kucman@intel.com> wrote:

> The purpose of this series is to add functionality of reading information
> about the encryption status of OPAL NVMe/SATA and SATA drives and use this
> information for purposes of IMSM metadata, which introduces restrictions
> on the possibility of mixing disks with encryption enabled and disabled
> because of security reasons.
> 
> Changes in V2:
> - add separate patch for change location of pr_vrb(),
> - add example results for usage of new feature to commit message in patch 5,
> - adjust commit messages to 75 characters,
> - general fixes after review.
>

No more questions from community..
Applied!

Thanks,
Mariusz

Re: [PATCH v2 2/6] Add reading Opal NVMe encryption information

[Xiao Ni]

On Fri, Mar 22, 2024 at 7:52 PM Blazej Kucman <blazej.kucman@intel.com> wrote:
>
> For NVMe devices with Opal support, encryption information, status and
> ability are determined based on Opal Level 0 discovery response. Technical
> documentation used is given in the implementation.
>
> Ability in general describes what type of encryption is supported, Status
> describes in what state the disk with encryption support is. The current
> patch includes only the implementation of reading encryption information,
> functions will be used in one of the next patches.
>
> Motivation for adding this functionality is to block mixing of disks in
> IMSM arrays with encryption enabled and disabled. The main goal is to not
> allow stealing data by rebuilding array to not encrypted drive which can be
> read elsewhere.
>
> Value ENA_OTHER from enum encryption_ability will be used in the next
> patch.
>
> Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
> ---
>  Makefile           |   4 +-
>  drive_encryption.c | 362 +++++++++++++++++++++++++++++++++++++++++++++
>  drive_encryption.h |  32 ++++
>  3 files changed, 396 insertions(+), 2 deletions(-)
>  create mode 100644 drive_encryption.c
>  create mode 100644 drive_encryption.h
>
> diff --git a/Makefile b/Makefile
> index cbdba49a..7c221a89 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -170,7 +170,7 @@ OBJS = mdadm.o config.o policy.o mdstat.o  ReadMe.o uuid.o util.o maps.o lib.o u
>         mdopen.o super0.o super1.o super-ddf.o super-intel.o bitmap.o \
>         super-mbr.o super-gpt.o \
>         restripe.o sysfs.o sha1.o mapfile.o crc32.o sg_io.o msg.o xmalloc.o \
> -       platform-intel.o probe_roms.o crc32c.o
> +       platform-intel.o probe_roms.o crc32c.o drive_encryption.o
>
>  CHECK_OBJS = restripe.o uuid.o sysfs.o maps.o lib.o xmalloc.o dlink.o
>
> @@ -183,7 +183,7 @@ MON_OBJS = mdmon.o monitor.o managemon.o uuid.o util.o maps.o mdstat.o sysfs.o c
>         Kill.o sg_io.o dlink.o ReadMe.o super-intel.o \
>         super-mbr.o super-gpt.o \
>         super-ddf.o sha1.o crc32.o msg.o bitmap.o xmalloc.o \
> -       platform-intel.o probe_roms.o crc32c.o
> +       platform-intel.o probe_roms.o crc32c.o drive_encryption.o
>
>  MON_SRCS = $(patsubst %.o,%.c,$(MON_OBJS))
>
> diff --git a/drive_encryption.c b/drive_encryption.c
> new file mode 100644
> index 00000000..b44585a7
> --- /dev/null
> +++ b/drive_encryption.c
> @@ -0,0 +1,362 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * Read encryption information for Opal and ATA devices.
> + *
> + * Copyright (C) 2024 Intel Corporation
> + *     Author: Blazej Kucman <blazej.kucman@intel.com>
> + */
> +
> +#include "mdadm.h"
> +
> +#include <asm/types.h>
> +#include <linux/nvme_ioctl.h>
> +#include "drive_encryption.h"
> +
> +/*
> + * Opal defines
> + * TCG Storage Opal SSC 2.01 chapter 3.3.3
> + * NVM ExpressTM Revision 1.4c, chapter 5
> + */
> +#define TCG_SECP_01 (0x01)
> +#define TCG_SECP_00 (0x00)
> +#define OPAL_DISCOVERY_COMID (0x0001)
> +#define OPAL_LOCKING_FEATURE (0x0002)
> +#define OPAL_IO_BUFFER_LEN 2048
> +#define OPAL_DISCOVERY_FEATURE_HEADER_LEN (4)
> +
> +/*
> + * NVMe defines
> + * NVM ExpressTM Revision 1.4c, chapter 5
> + */
> +#define NVME_SECURITY_RECV (0x82)
> +#define NVME_IDENTIFY (0x06)
> +#define NVME_IDENTIFY_RESPONSE_LEN 4096
> +#define NVME_OACS_BYTE_POSITION (256)
> +#define NVME_IDENTIFY_CONTROLLER_DATA (1)
> +
> +typedef enum drive_feature_support_status {
> +       /* Drive feature is supported. */
> +       DRIVE_FEAT_SUP_ST = 0,
> +       /* Drive feature is not supported. */
> +       DRIVE_FEAT_NOT_SUP_ST,
> +       /* Drive feature support check failed. */
> +       DRIVE_FEAT_CHECK_FAILED_ST
> +} drive_feat_sup_st;
> +
> +/* TCG Storage Opal SSC 2.01 chapter 3.1.1.3 */
> +typedef struct opal_locking_feature {
> +       /* feature header */
> +       __u16 feature_code;
> +       __u8 reserved : 4;
> +       __u8 version : 4;
> +       __u8 description_length;
> +       /* feature description */
> +       __u8 locking_supported : 1;
> +       __u8 locking_enabled : 1;
> +       __u8 locked : 1;
> +       __u8 media_encryption : 1;
> +       __u8 mbr_enabled : 1;
> +       __u8 mbr_done : 1;
> +       __u8 mbr_shadowing_not_supported : 1;
> +       __u8 hw_reset_for_dor_supported : 1;
> +       __u8 reserved1[11];
> +} __attribute__((__packed__)) opal_locking_feature_t;
> +
> +/* TCG Storage Opal SSC 2.01 chapter 3.1.1.1 */
> +typedef struct opal_level0_header {
> +       __u32 length;
> +       __u32 version;
> +       __u64 reserved;
> +       __u8 vendor_specific[32];
> +} opal_level0_header_t;
> +
> +/**
> + * NVM ExpressTM Revision 1.4c, Figure 249
> + * Structure specifies only OACS filed, which is needed in the current use case.
> + */
> +typedef struct nvme_identify_ctrl {
> +       __u8 reserved[255];
> +       __u16 oacs;
> +       __u8 reserved2[3839];
> +} nvme_identify_ctrl_t;
> +
> +/* SCSI Primary Commands - 4 (SPC-4), Table 512 */
> +typedef struct supported_security_protocols {
> +       __u8  reserved[6];
> +       __u16 list_length;
> +       __u8  list[504];
> +} supported_security_protocols_t;
> +
> +/**
> + * get_opal_locking_feature_description() - get opal locking feature description.
> + * @response: response from Opal Discovery Level 0.
> + *
> + * Based on the documentation TCG Storage Opal SSC 2.01 chapter 3.1.1,
> + * a Locking feature is searched for in Opal Level 0 Discovery response.
> + *
> + * Return: if locking feature is found, pointer to struct %opal_locking_feature_t, NULL otherwise.
> + */
> +static opal_locking_feature_t *get_opal_locking_feature_description(__u8 *response)
> +{
> +       opal_level0_header_t *response_header = (opal_level0_header_t *)response;
> +       int features_length = __be32_to_cpu(response_header->length);
> +       int current_position = sizeof(*response_header);
> +
> +       while (current_position < features_length) {
> +               opal_locking_feature_t *feature;
> +
> +               feature = (opal_locking_feature_t *)(response + current_position);
> +
> +               if (__be16_to_cpu(feature->feature_code) == OPAL_LOCKING_FEATURE)
> +                       return feature;
> +
> +               current_position += feature->description_length + OPAL_DISCOVERY_FEATURE_HEADER_LEN;
> +       }
> +
> +       return NULL;
> +}
> +
> +/**
> + * nvme_security_recv_ioctl() - nvme security receive ioctl.
> + * @disk_fd: a disk file descriptor.
> + * @sec_protocol: security protocol.
> + * @comm_id: command id.
> + * @response_buffer: response buffer to fill out.
> + * @buf_size: response buffer size.
> + * @verbose: verbose flag.
> + *
> + * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and
> + * NVM ExpressTM Revision 1.4c, chapter 5.25,
> + * read security receive command via ioctl().
> + * On success, @response_buffer is completed.
> + *
> + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
> + */
> +static mdadm_status_t
> +nvme_security_recv_ioctl(int disk_fd, __u8 sec_protocol, __u16 comm_id, void *response_buffer,
> +                        size_t buf_size, const int verbose)
> +{
> +       struct nvme_admin_cmd nvme_cmd = {0};
> +       int status;
> +
> +       nvme_cmd.opcode = NVME_SECURITY_RECV;
> +       nvme_cmd.cdw10 = sec_protocol << 24 | comm_id << 8;
> +       nvme_cmd.cdw11 = buf_size;
> +       nvme_cmd.data_len = buf_size;
> +       nvme_cmd.addr = (__u64)response_buffer;

Hi all

In i686 platform, it reports error:

drive_encryption.c: In function ‘nvme_security_recv_ioctl’:
drive_encryption.c:236:25: error: cast from pointer to integer of
different size [-Werror=pointer-to-int-cast]
  236 |         nvme_cmd.addr = (__u64)response_buffer;
      |                         ^
drive_encryption.c: In function ‘nvme_identify_ioctl’:
drive_encryption.c:271:25: error: cast from pointer to integer of
different size [-Werror=pointer-to-int-cast]
  271 |         nvme_cmd.addr = (__u64)response_buffer;
      |                         ^
cc1: all warnings being treated as errors
make: *** [Makefile:211: drive_encryption.o] Error 1

The pointer should be 32bit and it tries to convert to 64 bit.

Best Regards
Xiao

> +
> +       status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd);
> +       if (status != 0) {
> +               pr_vrb("Failed to read NVMe security receive ioctl() for device /dev/%s, status: %d\n",
> +                      fd2kname(disk_fd), status);
> +               return MDADM_STATUS_ERROR;
> +       }
> +
> +       return MDADM_STATUS_SUCCESS;
> +}
> +
> +/**
> + * nvme_identify_ioctl() - NVMe identify ioctl.
> + * @disk_fd: a disk file descriptor.
> + * @response_buffer: response buffer to fill out.
> + * @buf_size: response buffer size.
> + * @verbose: verbose flag.
> + *
> + * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and
> + * NVM ExpressTM Revision 1.4c, chapter 5.25,
> + * read NVMe identify via ioctl().
> + * On success, @response_buffer will be completed.
> + *
> + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
> + */
> +static mdadm_status_t
> +nvme_identify_ioctl(int disk_fd, void *response_buffer, size_t buf_size, const int verbose)
> +{
> +       struct nvme_admin_cmd nvme_cmd = {0};
> +       int status;
> +
> +       nvme_cmd.opcode = NVME_IDENTIFY;
> +       nvme_cmd.cdw10 = NVME_IDENTIFY_CONTROLLER_DATA;
> +       nvme_cmd.data_len = buf_size;
> +       nvme_cmd.addr = (__u64)response_buffer;
> +
> +       status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd);
> +       if (status != 0) {
> +               pr_vrb("Failed to read NVMe identify ioctl() for device /dev/%s, status: %d\n",
> +                      fd2kname(disk_fd), status);
> +               return MDADM_STATUS_ERROR;
> +       }
> +
> +       return MDADM_STATUS_SUCCESS;
> +}
> +
> +/**
> + * is_sec_prot_01h_supported() - check if security protocol 01h supported.
> + * @security_protocols: struct with response from disk (NVMe, SATA) describing supported
> + * security protocols.
> + *
> + * Return: true if TCG_SECP_01 found, false otherwise.
> + */
> +static bool is_sec_prot_01h_supported(supported_security_protocols_t *security_protocols)
> +{
> +       int list_length = be16toh(security_protocols->list_length);
> +       int index;
> +
> +       for (index = 0 ; index < list_length; index++) {
> +               if (security_protocols->list[index] == TCG_SECP_01)
> +                       return true;
> +       }
> +
> +       return false;
> +}
> +
> +/**
> + * is_sec_prot_01h_supported_nvme() - check if security protocol 01h supported for given NVMe disk.
> + * @disk_fd: a disk file descriptor.
> + * @verbose: verbose flag.
> + *
> + * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported,
> + * %DRIVE_FEAT_CHECK_FAILED_ST if failed to check.
> + */
> +static drive_feat_sup_st is_sec_prot_01h_supported_nvme(int disk_fd, const int verbose)
> +{
> +       supported_security_protocols_t security_protocols = {0};
> +
> +       /* security_protocol: TCG_SECP_00, comm_id: not applicable */
> +       if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_00, 0x0, &security_protocols,
> +                                    sizeof(security_protocols), verbose))
> +               return DRIVE_FEAT_CHECK_FAILED_ST;
> +
> +       if (is_sec_prot_01h_supported(&security_protocols))
> +               return DRIVE_FEAT_SUP_ST;
> +
> +       return DRIVE_FEAT_NOT_SUP_ST;
> +}
> +
> +/**
> + * is_nvme_sec_send_recv_supported() - check if Security Send and Security Receive is supported.
> + * @disk_fd: a disk file descriptor.
> + * @verbose: verbose flag.
> + *
> + * Check if "Optional Admin Command Support" bit 0 is set in NVMe identify.
> + * Bit 0 set to 1 means controller supports the Security Send and Security Receive commands.
> + *
> + * Return: %DRIVE_FEAT_SUP_ST if security send/receive supported,
> + * %DRIVE_FEAT_NOT_SUP_ST if not supported, %DRIVE_FEAT_CHECK_FAILED_ST if check failed.
> + */
> +static drive_feat_sup_st is_nvme_sec_send_recv_supported(int disk_fd, const int verbose)
> +{
> +       nvme_identify_ctrl_t nvme_identify = {0};
> +       int status = 0;
> +
> +       status = nvme_identify_ioctl(disk_fd, &nvme_identify, sizeof(nvme_identify), verbose);
> +       if (status)
> +               return DRIVE_FEAT_CHECK_FAILED_ST;
> +
> +       if ((__le16_to_cpu(nvme_identify.oacs) & 0x1) == 0x1)
> +               return DRIVE_FEAT_SUP_ST;
> +
> +       return DRIVE_FEAT_NOT_SUP_ST;
> +}
> +
> +/**
> + * get_opal_encryption_information() - get Opal encryption information.
> + * @buffer: buffer with Opal Level 0 Discovery response.
> + * @information: struct to fill out, describing encryption status of disk.
> + *
> + * If Locking feature frame is in response from Opal Level 0 discovery, &encryption_information_t
> + * structure is completed with status and ability otherwise the status is set to &None.
> + * For possible encryption statuses and abilities,
> + * please refer to enums &encryption_status and &encryption_ability.
> + *
> + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
> + */
> +static mdadm_status_t get_opal_encryption_information(__u8 *buffer,
> +                                                     encryption_information_t *information)
> +{
> +       opal_locking_feature_t *opal_locking_feature =
> +                                       get_opal_locking_feature_description(buffer);
> +
> +       if (!opal_locking_feature)
> +               return MDADM_STATUS_ERROR;
> +
> +       if (opal_locking_feature->locking_supported == 1) {
> +               information->ability = ENC_ABILITY_SED;
> +
> +               if (opal_locking_feature->locking_enabled == 0)
> +                       information->status = ENC_STATUS_UNENCRYPTED;
> +               else if (opal_locking_feature->locked == 1)
> +                       information->status = ENC_STATUS_LOCKED;
> +               else
> +                       information->status = ENC_STATUS_UNLOCKED;
> +       } else {
> +               information->ability = ENC_ABILITY_NONE;
> +               information->status = ENC_STATUS_UNENCRYPTED;
> +       }
> +
> +       return MDADM_STATUS_SUCCESS;
> +}
> +
> +/**
> + * get_nvme_opal_encryption_information() - get NVMe Opal encryption information.
> + * @disk_fd: a disk file descriptor.
> + * @information: struct to fill out, describing encryption status of disk.
> + * @verbose: verbose flag.
> + *
> + * In case the disk supports Opal Level 0 discovery, &encryption_information_t structure
> + * is completed with status and ability based on ioctl response,
> + * otherwise the ability is set to %ENC_ABILITY_NONE and &status to %ENC_STATUS_UNENCRYPTED.
> + * As the current use case does not need the knowledge of Opal support, if there is no support,
> + * %MDADM_STATUS_SUCCESS will be returned, with the values described above.
> + * For possible encryption statuses and abilities,
> + * please refer to enums &encryption_status and &encryption_ability.
> + *
> + * %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
> + */
> +mdadm_status_t
> +get_nvme_opal_encryption_information(int disk_fd, encryption_information_t *information,
> +                                    const int verbose)
> +{
> +       __u8 buffer[OPAL_IO_BUFFER_LEN];
> +       int sec_send_recv_supported = 0;
> +       int protocol_01h_supported = 0;
> +       mdadm_status_t status;
> +
> +       information->ability = ENC_ABILITY_NONE;
> +       information->status = ENC_STATUS_UNENCRYPTED;
> +
> +       sec_send_recv_supported = is_nvme_sec_send_recv_supported(disk_fd, verbose);
> +       if (sec_send_recv_supported == DRIVE_FEAT_CHECK_FAILED_ST)
> +               return MDADM_STATUS_ERROR;
> +
> +       /* Opal not supported */
> +       if (sec_send_recv_supported == DRIVE_FEAT_NOT_SUP_ST)
> +               return MDADM_STATUS_SUCCESS;
> +
> +       /**
> +        * sec_send_recv_supported determine that it should be possible to read
> +        * supported sec protocols
> +        */
> +       protocol_01h_supported = is_sec_prot_01h_supported_nvme(disk_fd, verbose);
> +       if (protocol_01h_supported == DRIVE_FEAT_CHECK_FAILED_ST)
> +               return MDADM_STATUS_ERROR;
> +
> +       /* Opal not supported */
> +       if (sec_send_recv_supported == DRIVE_FEAT_SUP_ST &&
> +           protocol_01h_supported == DRIVE_FEAT_NOT_SUP_ST)
> +               return MDADM_STATUS_SUCCESS;
> +
> +       if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_01, OPAL_DISCOVERY_COMID, (void *)&buffer,
> +                                    OPAL_IO_BUFFER_LEN, verbose))
> +               return MDADM_STATUS_ERROR;
> +
> +       status = get_opal_encryption_information((__u8 *)&buffer, information);
> +       if (status)
> +               pr_vrb("Locking feature description not found in Level 0 discovery response. Device /dev/%s.\n",
> +                      fd2kname(disk_fd));
> +
> +       if (information->ability == ENC_ABILITY_NONE)
> +               assert(information->status == ENC_STATUS_UNENCRYPTED);
> +
> +       return status;
> +}
> diff --git a/drive_encryption.h b/drive_encryption.h
> new file mode 100644
> index 00000000..82c2c624
> --- /dev/null
> +++ b/drive_encryption.h
> @@ -0,0 +1,32 @@
> +/* SPDX-License-Identifier: GPL-2.0-only */
> +/*
> + * Read encryption information for Opal and ATA devices.
> + *
> + * Copyright (C) 2024 Intel Corporation
> + *     Author: Blazej Kucman <blazej.kucman@intel.com>
> + */
> +
> +typedef enum encryption_status {
> +       /* The drive is not currently encrypted. */
> +       ENC_STATUS_UNENCRYPTED = 0,
> +       /* The drive is encrypted and the data is not accessible. */
> +       ENC_STATUS_LOCKED,
> +       /* The drive is encrypted but the data is accessible in unencrypted form. */
> +       ENC_STATUS_UNLOCKED
> +} encryption_status_t;
> +
> +typedef enum encryption_ability {
> +       ENC_ABILITY_NONE = 0,
> +       ENC_ABILITY_OTHER,
> +       /* Self encrypted drive */
> +       ENC_ABILITY_SED
> +} encryption_ability_t;
> +
> +typedef struct encryption_information {
> +       encryption_ability_t ability;
> +       encryption_status_t status;
> +} encryption_information_t;
> +
> +mdadm_status_t
> +get_nvme_opal_encryption_information(int disk_fd, struct encryption_information *information,
> +                                    const int verbose);
> --
> 2.35.3
>
>

Re: [PATCH v2 2/6] Add reading Opal NVMe encryption information

[Blazej Kucman]

On Wed, 15 May 2024 11:20:33 +0800
Xiao Ni <xni@redhat.com> wrote:

>
> Hi all
> 
> In i686 platform, it reports error:
> 
> drive_encryption.c: In function ‘nvme_security_recv_ioctl’:
> drive_encryption.c:236:25: error: cast from pointer to integer of
> different size [-Werror=pointer-to-int-cast]
>   236 |         nvme_cmd.addr = (__u64)response_buffer;
>       |                         ^
> drive_encryption.c: In function ‘nvme_identify_ioctl’:
> drive_encryption.c:271:25: error: cast from pointer to integer of
> different size [-Werror=pointer-to-int-cast]
>   271 |         nvme_cmd.addr = (__u64)response_buffer;
>       |                         ^
> cc1: all warnings being treated as errors
> make: *** [Makefile:211: drive_encryption.o] Error 1
> 
> The pointer should be 32bit and it tries to convert to 64 bit.
> 
> Best Regards
> Xiao
> 

Hi Xiao,
Thanks for reporting the issue, I'm already working on a fix,
I'm currently in the fix testing phase.

Thanks,
Blazej

Re: [PATCH v2 2/6] Add reading Opal NVMe encryption information

[Blazej Kucman]

On Wed, 15 May 2024 16:26:56 +0200
Blazej Kucman <blazej.kucman@linux.intel.com> wrote:

> On Wed, 15 May 2024 11:20:33 +0800
> Xiao Ni <xni@redhat.com> wrote:
> 
> >
> > Hi all
> > 
> > In i686 platform, it reports error:
> > 
> > drive_encryption.c: In function ‘nvme_security_recv_ioctl’:
> > drive_encryption.c:236:25: error: cast from pointer to integer of
> > different size [-Werror=pointer-to-int-cast]
> >   236 |         nvme_cmd.addr = (__u64)response_buffer;
> >       |                         ^
> > drive_encryption.c: In function ‘nvme_identify_ioctl’:
> > drive_encryption.c:271:25: error: cast from pointer to integer of
> > different size [-Werror=pointer-to-int-cast]
> >   271 |         nvme_cmd.addr = (__u64)response_buffer;
> >       |                         ^
> > cc1: all warnings being treated as errors
> > make: *** [Makefile:211: drive_encryption.o] Error 1
> > 
> > The pointer should be 32bit and it tries to convert to 64 bit.
> > 
> > Best Regards
> > Xiao
> >   
> 
> Hi Xiao,
> Thanks for reporting the issue, I'm already working on a fix,
> I'm currently in the fix testing phase.
> 
> Thanks,
> Blazej
> 

Hi Xiao,
I sent fix to review.
https://github.com/md-raid-utilities/mdadm/pull/9

Regards,
Blazej