nvdimm.lists.linux.dev archive mirror
* [ndctl PATCH] ndctl: do not try to load a key already on the kernel keyring
@ 2021-06-19  1:40 Alison Schofield
  2021-06-19  1:40 ` [ndctl PATCH] ndctl: remove key from kernel keyring if blob storage fails Alison Schofield
  2021-06-19  1:40 ` [ndctl PATCH] ndctl: return -errno when keyctl_read_alloc() fails Alison Schofield
  0 siblings, 2 replies; 3+ messages in thread
From: Alison Schofield @ 2021-06-19  1:40 UTC (permalink / raw)
  To: Vishal Verma, Dan Williams; +Cc: Alison Schofield, nvdimm

During a bulk load of kernel keys, an attempt to load a key that is
already on the kernel keyring emits this ndctl error message:
	add_key failed: Invalid argument

and this message in the kernel log:
	encrypted_key: keyword 'load' not allowed when called from .update method

Avoid these error messages by checking the kernel keyring before
trying to load.

Fixes: 9925be9d6793 ("ndctl: add a load-keys command and a modprobe config")
Signed-off-by: Alison Schofield <alison.schofield@intel.com>
---
 ndctl/load-keys.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ndctl/load-keys.c b/ndctl/load-keys.c
index 26648fe..9124d5b 100644
--- a/ndctl/load-keys.c
+++ b/ndctl/load-keys.c
@@ -132,6 +132,16 @@ static int load_dimm_keys(struct loadkeys *lk_ctx)
 			continue;
 		}
 
+		/* Skip if key is already on kernel keyring */
+		key = keyctl_search(KEY_SPEC_USER_KEYRING, "encrypted",
+				    desc, 0);
+
+		if (key > 0) {
+			free(fname);
+			free(blob);
+			continue;
+		}
+
 		key = add_key("encrypted", desc, blob, size,
 				KEY_SPEC_USER_KEYRING);
 		if (key < 0)
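Review bot: the `if (key > 0)` test treats every keyctl_search() failure the same way, so an error other than "key not found" (for example a permission problem, or a key that is expired or revoked) falls through to add_key() as if the key were simply absent. Consider checking errno after a negative return and continuing to add_key() only on ENOKEY, reporting anything else. The skip path is also silent and matches on type and description only: a key already on the keyring under `desc` is kept without comparison to the blob just read from disk, so a stale key would stay in place with no indication. A debug-level message when a key is skipped would make that visible during a bulk load.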

base-commit: 4e646fa490ba4b782afa188dd8818b94c419924e
-- 
2.25.1

