From: Dave Jiang <email@example.com> To: firstname.lastname@example.org Cc: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Subject: [PATCH v8 12/12] libnvdimm: add documentation for nvdimm security support Date: Tue, 28 Aug 2018 15:48:25 -0700 [thread overview] Message-ID: <firstname.lastname@example.org> (raw) In-Reply-To: <email@example.com> Add theory of operation for the security support that's going into libnvdimm. Signed-off-by: Dave Jiang <firstname.lastname@example.org> --- Documentation/nvdimm/security.txt | 82 +++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 Documentation/nvdimm/security.txt diff --git a/Documentation/nvdimm/security.txt b/Documentation/nvdimm/security.txt new file mode 100644 index 000000000000..b230447bf237 --- /dev/null +++ b/Documentation/nvdimm/security.txt @@ -0,0 +1,82 @@ +NVDIMM SECURITY +=============== + +1. Introduction +--------------- + +With the introduction of Intel DSM v1.7 specification , security DSMs are +introduced. The spec added the following security DSMs: "get security state", +"set passphrase", "disable passphrase", "unlock unit", "freeze lock", +"secure erase", and "overwrite". A security_ops data structure has been +added to struct dimm in order to support the security operations and generic +APIs are exposed to allow vendor neutral operations. + +2. Sysfs Interface +------------------ +The "security" sysfs attribute is provided in the nvdimm sysfs directory. For +example: +/sys/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0012:00/ndbus0/nmem0/security + +The "show" function of that attribute will display the security state for +that DIMM. The following states are available: disabled, unlocked, locked, +frozen, and unsupported. + +The "store" function takes several commands when the attribute is written to +in order to support some of the security functionalities: +update - enable security. Add or update current key. +disable - disable enabled security and remove key. +freeze - freeze changing of security states. +erase - generate new ecryption key for DIMM and crypto-scrambles all existing + user data. + +3. Key Management +----------------- + +The key is associted to the payload by the DIMM id. For example: +# cat /sys/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0012:00/ndbus0/nmem0/nfit/id +8089-a2-1740-00000133 +The DIMM id would be provided along with the key payload (passphrase) to +the kernel. + +The security keys are managed on the basis of a single key per DIMM. The +key "passphrase" is expected to be 32bytes long or padded to 32bytes. This is +similar to the ATA security specification . A key is initially acquired +via the request_key() kernel API call and retrieved from userspace. It is up to +the user to provide an upcall application to retrieve the key in whatever +fashion meets their security requirements. + +The payload provided to the key can be a 32bytes payload or 64bytes payload +when doing an "update". The payload is viewed as 64 bytes in the following +format: +[32 bytes new key data zero padded][32 bytes current key data zero padded] +However, a 32bytes payload can be provided and will be assumed as the old +key to be 32 bytes of 0s and the provided 32bytes payload is the new key. +It is up to the user upcall function how that's presented as the key payload +to the kernel. + +All the other security functions that require a provided key can accept a +32bytes payload or 64bytes. If the payload is 64bytes, then second 32bytes +will be ignored and the first 32bytes contains the expected "passphrase". + +4. Unlocking +------------ +When the DIMMs are being enumerated by the kernel, the kernel will attempt to +retrieve the key from its keyring. If that fails, it will attempt to +acquire the key from the userspace upcall function. This is the only time +a locked DIMM can be unlocked. Once unlocked, the DIMM will remain unlocked +until reboot. + +5. Update +--------- +When doing an update, it is expected that the new key with the 64bit payload of +format described above is added via the keyutils API or utility. The update +command written to the sysfs attribute will be with the format: +update:<old id>:<new id> +If there is no old ID due to a security enabling, then a 0 should be passed in. +It is expected that a user logon key has been injected via keyutils to provide +the payload for the update operation. The kernel will take the new user key, +attempt the update operation with the nvdimm, and replace the existing key's +payload with the new passphrase. + +: http://pmem.io/documents/NVDIMM_DSM_Interface-V1.7.pdf +: http://www.t13.org/documents/UploadedDocuments/docs2006/e05179r4-ACS-SecurityClarifications.pdf _______________________________________________ Linux-nvdimm mailing list Linuxemail@example.com https://lists.01.org/mailman/listinfo/linux-nvdimm
next prev parent reply other threads:[~2018-08-28 22:48 UTC|newest] Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-08-28 22:47 [PATCH v8 00/12] Adding security support for nvdimm Dave Jiang 2018-08-28 22:47 ` [PATCH v8 01/12] nfit: add support for Intel DSM 1.7 commands Dave Jiang 2018-08-28 22:47 ` [PATCH v8 02/12] libnvdimm: create keyring to store security keys Dave Jiang 2018-09-22 0:19 ` Dan Williams 2018-09-24 21:04 ` David Howells 2018-09-24 21:12 ` Dave Jiang 2018-08-28 22:47 ` [PATCH v8 03/12] nfit/libnvdimm: store dimm id as a member to struct nvdimm Dave Jiang 2018-08-28 22:47 ` [PATCH v8 04/12] keys: export lookup_user_key to external users Dave Jiang 2018-09-21 21:59 ` Dan Williams 2018-09-21 22:02 ` Dave Jiang 2018-09-21 23:05 ` David Howells 2018-08-28 22:47 ` [PATCH v8 05/12] nfit/libnvdimm: add unlock of nvdimm support for Intel DIMMs Dave Jiang 2018-09-23 0:10 ` Dan Williams 2018-08-28 22:47 ` [PATCH v8 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms Dave Jiang 2018-08-28 22:47 ` [PATCH v8 07/12] nfit/libnvdimm: add disable passphrase support to Intel nvdimm Dave Jiang 2018-08-28 22:48 ` [PATCH v8 08/12] nfit/libnvdimm: add freeze security " Dave Jiang 2018-08-28 22:48 ` [PATCH v8 09/12] nfit/libnvdimm: add support for issue secure erase DSM " Dave Jiang 2018-08-28 22:48 ` [PATCH v8 10/12] nfit_test: add context to dimm_dev for nfit_test Dave Jiang 2018-08-28 22:48 ` [PATCH v8 11/12] nfit_test: add test support for Intel nvdimm security DSMs Dave Jiang 2018-08-28 22:48 ` Dave Jiang [this message] 2018-09-21 23:07 ` [PATCH v8 02/12] libnvdimm: create keyring to store security keys David Howells 2018-09-21 23:20 ` [PATCH v8 05/12] nfit/libnvdimm: add unlock of nvdimm support for Intel DIMMs David Howells 2018-09-21 23:27 ` Dave Jiang 2018-09-21 23:51 ` Dan Williams 2018-09-21 23:57 ` [PATCH v8 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms David Howells 2018-09-22 0:25 ` Dave Jiang 2018-09-22 1:26 ` Dan Williams 2018-09-22 0:01 ` [PATCH v8 04/12] keys: export lookup_user_key to external users David Howells 2018-09-24 21:02 ` [PATCH v8 02/12] libnvdimm: create keyring to store security keys David Howells 2018-09-24 21:15 ` Dave Jiang
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: [PATCH v8 12/12] libnvdimm: add documentation for nvdimm security support' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).