From: Dave Jiang <dave.jiang@intel.com>
To: vishal.l.verma@intel.com, dan.j.williams@intel.com
Cc: linux-nvdimm@lists.01.org
Subject: [PATCH v10 04/12] ndctl: add support for freeze security
Date: Thu, 24 Jan 2019 16:07:26 -0700 [thread overview]
Message-ID: <154837124676.37086.14569414098343817192.stgit@djiang5-desk3.ch.intel.com> (raw)
In-Reply-To: <154837084784.37086.4597479371733088393.stgit@djiang5-desk3.ch.intel.com>
Add support for freeze security to libndctl and also command line option
of "freeze-security" for ndctl. This will lock the ability to make changes
to the NVDIMM security.
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
---
Documentation/ndctl/Makefile.am | 3 +
Documentation/ndctl/ndctl-freeze-security.txt | 58 +++++++++++++++++++++++++
ndctl/builtin.h | 1
ndctl/dimm.c | 28 ++++++++++++
ndctl/lib/dimm.c | 5 ++
ndctl/lib/libndctl.sym | 1
ndctl/libndctl.h | 1
ndctl/ndctl.c | 1
8 files changed, 97 insertions(+), 1 deletion(-)
create mode 100644 Documentation/ndctl/ndctl-freeze-security.txt
diff --git a/Documentation/ndctl/Makefile.am b/Documentation/ndctl/Makefile.am
index 3b543216..0327726b 100644
--- a/Documentation/ndctl/Makefile.am
+++ b/Documentation/ndctl/Makefile.am
@@ -50,7 +50,8 @@ man1_MANS = \
ndctl-monitor.1 \
ndctl-setup-passphrase.1 \
ndctl-update-passphrase.1 \
- ndctl-remove-passphrase.1
+ ndctl-remove-passphrase.1 \
+ ndctl-freeze-security.1
CLEANFILES = $(man1_MANS)
diff --git a/Documentation/ndctl/ndctl-freeze-security.txt b/Documentation/ndctl/ndctl-freeze-security.txt
new file mode 100644
index 00000000..d14b8a39
--- /dev/null
+++ b/Documentation/ndctl/ndctl-freeze-security.txt
@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: GPL-2.0
+
+ndctl-freeze-security(1)
+========================
+
+NAME
+----
+ndctl-freeze-security - Set the given DIMM(s) to reject future security operations
+
+SYNOPSIS
+--------
+[verse]
+'ndctl freeze-security' <nmem0> [<nmem1>..<nmemN>] [<options>]
+
+DESCRIPTION
+-----------
+Prevent any further security operations on the given DIMMs until the
+next reboot. This is used in scenarios where the administrator has
+taken all expected security actions for the current boot and wants the
+DIMM to enforce / lock the current state.
+
+EXAMPLES
+--------
+
+[verse]
+ndctl list -d nmem0
+[
+ {
+ "dev":"nmem0",
+ "id":"cdab-0a-07e0-ffffffff",
+ "handle":0,
+ "phys_id":0,
+ "security":"unlocked"
+ }
+]
+
+[verse]
+ndctl freeze-security nmem0
+security freezed 1 nmem.
+
+[verse]
+ndctl list -d nmem0
+[
+ {
+ "dev":"nmem0",
+ "id":"cdab-0a-07e0-ffffffff",
+ "handle":0,
+ "phys_id":0,
+ "security":"frozen"
+ }
+]
+
+OPTIONS
+-------
+<dimm>::
+include::xable-dimm-options.txt[]
+
+include::../copyright.txt[]
diff --git a/ndctl/builtin.h b/ndctl/builtin.h
index 9deb175b..0f567b9b 100644
--- a/ndctl/builtin.h
+++ b/ndctl/builtin.h
@@ -35,4 +35,5 @@ int cmd_inject_smart(int argc, const char **argv, struct ndctl_ctx *ctx);
int cmd_passphrase_setup(int argc, const char **argv, struct ndctl_ctx *ctx);
int cmd_passphrase_update(int argc, const char **argv, struct ndctl_ctx *ctx);
int cmd_passphrase_remove(int argc, const char **argv, struct ndctl_ctx *ctx);
+int cmd_freeze_security(int argc, const char **argv, struct ndctl_ctx *ctx);
#endif /* _NDCTL_BUILTIN_H_ */
diff --git a/ndctl/dimm.c b/ndctl/dimm.c
index 045f9408..7105c539 100644
--- a/ndctl/dimm.c
+++ b/ndctl/dimm.c
@@ -877,6 +877,24 @@ static int action_passphrase_remove(struct ndctl_dimm *dimm,
return ndctl_dimm_remove_key(dimm);
}
+static int action_security_freeze(struct ndctl_dimm *dimm,
+ struct action_context *actx)
+{
+ int rc;
+
+ if (ndctl_dimm_get_security(dimm) < 0) {
+ error("%s: security operation not supported\n",
+ ndctl_dimm_get_devname(dimm));
+ return -EOPNOTSUPP;
+ }
+
+ rc = ndctl_dimm_freeze_security(dimm);
+ if (rc < 0)
+ error("Failed to freeze security for %s\n",
+ ndctl_dimm_get_devname(dimm));
+ return rc;
+}
+
static int __action_init(struct ndctl_dimm *dimm,
enum ndctl_namespace_version version, int chk_only)
{
@@ -1265,3 +1283,13 @@ int cmd_passphrase_remove(int argc, const char **argv, void *ctx)
count > 1 ? "s" : "");
return count >= 0 ? 0 : EXIT_FAILURE;
}
+
+int cmd_freeze_security(int argc, const char **argv, void *ctx)
+{
+ int count = dimm_action(argc, argv, ctx, action_security_freeze, base_options,
+ "ndctl freeze-security <nmem0> [<nmem1>..<nmemN>] [<options>]");
+
+ fprintf(stderr, "security freezed %d nmem%s.\n", count >= 0 ? count : 0,
+ count > 1 ? "s" : "");
+ return count >= 0 ? 0 : EXIT_FAILURE;
+}
diff --git a/ndctl/lib/dimm.c b/ndctl/lib/dimm.c
index a944c9af..0a7eaaef 100644
--- a/ndctl/lib/dimm.c
+++ b/ndctl/lib/dimm.c
@@ -664,3 +664,8 @@ NDCTL_EXPORT int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm,
sprintf(buf, "disable %ld\n", key);
return write_security(dimm, buf);
}
+
+NDCTL_EXPORT int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm)
+{
+ return write_security(dimm, "freeze");
+}
diff --git a/ndctl/lib/libndctl.sym b/ndctl/lib/libndctl.sym
index 79b7f9e1..d882939c 100644
--- a/ndctl/lib/libndctl.sym
+++ b/ndctl/lib/libndctl.sym
@@ -393,4 +393,5 @@ global:
ndctl_dimm_get_security;
ndctl_dimm_update_passphrase;
ndctl_dimm_disable_passphrase;
+ ndctl_dimm_freeze_security;
} LIBNDCTL_18;
diff --git a/ndctl/libndctl.h b/ndctl/libndctl.h
index 0253abf5..7afbca58 100644
--- a/ndctl/libndctl.h
+++ b/ndctl/libndctl.h
@@ -701,6 +701,7 @@ enum ndctl_security_state ndctl_dimm_get_security(struct ndctl_dimm *dimm);
int ndctl_dimm_update_passphrase(struct ndctl_dimm *dimm,
long ckey, long nkey);
int ndctl_dimm_disable_passphrase(struct ndctl_dimm *dimm, long key);
+int ndctl_dimm_freeze_security(struct ndctl_dimm *dimm);
#define ND_KEY_DESC_SIZE 128
#define ND_KEY_CMD_SIZE 128
diff --git a/ndctl/ndctl.c b/ndctl/ndctl.c
index 9f4ab234..07903981 100644
--- a/ndctl/ndctl.c
+++ b/ndctl/ndctl.c
@@ -91,6 +91,7 @@ static struct cmd_struct commands[] = {
{ "setup-passphrase", { cmd_passphrase_setup } },
{ "update-passphrase", { cmd_passphrase_update } },
{ "remove-passphrase", { cmd_passphrase_remove } },
+ { "freeze-security", { cmd_freeze_security } },
{ "list", { cmd_list } },
{ "monitor", { cmd_monitor } },
{ "help", { cmd_help } },
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm
next prev parent reply other threads:[~2019-01-24 23:07 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-24 23:07 [PATCH v10 00/12] ndctl: add security support Dave Jiang
2019-01-24 23:07 ` [PATCH v10 01/12] ndctl: add support for display security state Dave Jiang
2019-01-24 23:07 ` [PATCH v10 02/12] ndctl: add passphrase update to ndctl Dave Jiang
2019-01-30 2:35 ` Verma, Vishal L
2019-01-30 2:59 ` Dan Williams
2019-01-30 18:56 ` Verma, Vishal L
2019-01-24 23:07 ` [PATCH v10 03/12] ndctl: add disable security support Dave Jiang
2019-01-31 0:52 ` Verma, Vishal L
2019-01-24 23:07 ` Dave Jiang [this message]
2019-01-24 23:07 ` [PATCH v10 05/12] ndctl: add support for sanitize dimm Dave Jiang
2019-01-24 23:07 ` [PATCH v10 06/12] ndctl: add unit test for security ops (minus overwrite) Dave Jiang
2019-01-24 23:07 ` [PATCH v10 07/12] ndctl: add modprobe conf file and load-keys ndctl command Dave Jiang
2019-01-24 23:07 ` [PATCH v10 08/12] ndctl: add overwrite operation support Dave Jiang
2019-01-24 23:07 ` [PATCH v10 09/12] ndctl: add wait-overwrite support Dave Jiang
2019-01-24 23:08 ` [PATCH v10 10/12] ndctl: master phassphrase management support Dave Jiang
2019-01-24 23:08 ` [PATCH v10 11/12] ndctl: add master secure erase support Dave Jiang
2019-01-24 23:08 ` [PATCH v10 12/12] ndctl: documentation for security and key management Dave Jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=154837124676.37086.14569414098343817192.stgit@djiang5-desk3.ch.intel.com \
--to=dave.jiang@intel.com \
--cc=dan.j.williams@intel.com \
--cc=linux-nvdimm@lists.01.org \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.