From: David Howells <dhowells@redhat.com>
To: Dave Jiang <dave.jiang@intel.com>
Cc: alison.schofield@intel.com, keescook@chromium.org,
linux-nvdimm@lists.01.org, dhowells@redhat.com,
keyrings@vger.kernel.org
Subject: Re: [PATCH v5 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms
Date: Thu, 19 Jul 2018 09:22:00 +0100 [thread overview]
Message-ID: <19525.1531988520@warthog.procyon.org.uk> (raw)
In-Reply-To: <0a5ba1eb-01d2-b0f2-5e67-262fdb488bb7@intel.com>
Dave Jiang <dave.jiang@intel.com> wrote:
> Ok stupid question David. I'm attempting to use the logon-type key. I
> have added this line to the request-key.conf:
> create logon nvdimm* * /usr/sbin/nvdimm-upcall %k
Can you show me the whole file?
Let me ask a stupid question too: Why do you need to call request_key()?
As I understand it, you poke an attribute file in sysfs by writing "update" to
it and this triggers a request_key() call. The kernel then links the key it
found across to the internal keyring.
You could instead require that the key be specified directly, ie. you write
"update <keyid>" to the attribute file. The driver can then call key_lookup()
to get the key - or, better still, we should make lookup_user_key() available
so that you can call that - which will do a security check.
Another advantage of doing this is that the old key is still available in the
internal keyring until it gets replaced. So you can do your password change
if you want to do it this way.
On the other hand, requiring both the old and the new passwords to be supplied
is probably better from a security point of view, so you could require them
both to be included in the key.
David
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm
next prev parent reply other threads:[~2018-07-19 8:22 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-17 20:54 [PATCH v5 00/12] Adding security support for nvdimm Dave Jiang
2018-07-17 20:54 ` [PATCH v5 01/12] nfit: add support for Intel DSM 1.7 commands Dave Jiang
2018-07-18 17:02 ` Elliott, Robert (Persistent Memory)
2018-07-17 20:54 ` [PATCH v5 02/12] libnvdimm: create keyring to store security keys Dave Jiang
2018-07-17 23:56 ` Eric Biggers
2018-07-17 20:54 ` [PATCH v5 03/12] nfit/libnvdimm: store dimm id as a member to struct nvdimm Dave Jiang
2018-07-18 15:40 ` Elliott, Robert (Persistent Memory)
2018-07-18 15:49 ` Dave Jiang
2018-07-17 20:54 ` [PATCH v5 04/12] nfit/libnvdimm: add unlock of nvdimm support for Intel DIMMs Dave Jiang
2018-07-18 0:00 ` Eric Biggers
2018-07-17 20:54 ` [PATCH v5 05/12] keys: add call key_put_sync() to flush key_gc_work when doing a key_put() Dave Jiang
2018-07-17 23:53 ` Eric Biggers
2018-07-17 23:58 ` Dave Jiang
2018-07-17 20:54 ` [PATCH v5 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms Dave Jiang
2018-07-17 20:54 ` [PATCH v5 07/12] nfit/libnvdimm: add disable passphrase support to Intel nvdimm Dave Jiang
2018-07-17 20:54 ` [PATCH v5 08/12] nfit/libnvdimm: add freeze security " Dave Jiang
2018-07-17 20:54 ` [PATCH v5 09/12] nfit/libnvdimm: add support for issue secure erase DSM " Dave Jiang
2018-07-18 17:27 ` Elliott, Robert (Persistent Memory)
2018-07-18 17:41 ` Dave Jiang
2018-07-19 1:43 ` Elliott, Robert (Persistent Memory)
2018-07-19 6:09 ` Li, Juston
2018-07-19 20:06 ` Dave Jiang
2018-07-17 20:55 ` [PATCH v5 10/12] nfit_test: add context to dimm_dev for nfit_test Dave Jiang
2018-07-17 20:55 ` [PATCH v5 11/12] nfit_test: add test support for Intel nvdimm security DSMs Dave Jiang
2018-07-17 20:55 ` [PATCH v5 12/12] libnvdimm: add documentation for nvdimm security support Dave Jiang
2018-07-17 23:26 ` [PATCH v5 00/12] Adding security support for nvdimm Eric Biggers
2018-07-17 23:37 ` Dave Jiang
2018-07-18 10:40 ` [PATCH v5 05/12] keys: add call key_put_sync() to flush key_gc_work when doing a key_put() David Howells
2018-07-18 10:50 ` [PATCH v5 02/12] libnvdimm: create keyring to store security keys David Howells
2018-07-18 19:40 ` Dave Jiang
2018-07-18 20:38 ` David Howells
2018-07-18 11:14 ` [PATCH v5 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms David Howells
2018-07-18 16:05 ` Dave Jiang
2018-07-18 19:47 ` Dave Jiang
2018-07-18 20:41 ` David Howells
2018-07-18 20:47 ` Dave Jiang
2018-07-19 0:28 ` Dave Jiang
2018-07-19 8:22 ` David Howells [this message]
2018-07-19 21:28 ` Dave Jiang
2018-07-20 0:04 ` Dave Jiang
2018-07-20 15:40 ` David Howells
2018-07-20 16:40 ` Dave Jiang
2018-08-02 11:07 ` David Howells
2018-07-18 11:17 ` [PATCH v5 05/12] keys: add call key_put_sync() to flush key_gc_work when doing a key_put() David Howells
2018-07-18 11:20 ` [PATCH v5 06/12] nfit/libnvdimm: add set passphrase support for Intel nvdimms David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=19525.1531988520@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=alison.schofield@intel.com \
--cc=dave.jiang@intel.com \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-nvdimm@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).