From: gjoyce@linux.vnet.ibm.com
To: linux-block@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org, jonathan.derrick@linux.dev,
brking@linux.vnet.ibm.com, msuchanek@suse.de, mpe@ellerman.id.au,
axboe@kernel.dk, akpm@linux-foundation.org,
gjoyce@linux.vnet.ibm.com, linux-efi@vger.kernel.org,
keyrings@vger.kernel.org, me@benboeckel.net, elliott@hpe.com
Subject: [PATCH v4 0/3] sed-opal: keyrings, discovery, revert, key store
Date: Fri, 5 May 2023 14:41:48 -0500 [thread overview]
Message-ID: <20230505194151.2078678-1-gjoyce@linux.vnet.ibm.com> (raw)
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
TCG SED Opal is a specification from The Trusted Computing Group
that allows self encrypting storage devices (SED) to be locked at
power on and require an authentication key to unlock the drive.
The current SED Opal implementation in the block driver
requires that authentication keys be provided in an ioctl
so that they can be presented to the underlying SED
capable drive. Currently, the key is typically entered by
a user with an application like sedutil or sedcli. While
this process works, it does not lend itself to automation
like unlock by a udev rule.
The SED block driver has been extended so it can alternatively
obtain a key from a sed-opal kernel keyring. The SED ioctls
will indicate the source of the key, either directly in the
ioctl data or from the keyring.
Two new SED ioctls have also been added. These are:
1) IOC_OPAL_REVERT_LSP to revert LSP state
2) IOC_OPAL_DISCOVERY to discover drive capabilities/state
change log v4:
- rebase to 6.3-rc7
- replaced "255" magic number with U8_MAX
change log:
- rebase to 6.x
- added latest reviews
- removed platform functions for persistent key storage
- replaced key update logic with key_create_or_update()
- minor bracing and padding changes
- add error returns
- opal_key structure is application provided but kernel
verified
- added brief description of TCG SED Opal
Greg Joyce (3):
block: sed-opal: Implement IOC_OPAL_DISCOVERY
block: sed-opal: Implement IOC_OPAL_REVERT_LSP
block: sed-opal: keyring support for SED keys
block/Kconfig | 2 +
block/opal_proto.h | 4 +
block/sed-opal.c | 252 +++++++++++++++++++++++++++++++++-
include/linux/sed-opal.h | 5 +
include/uapi/linux/sed-opal.h | 25 +++-
5 files changed, 282 insertions(+), 6 deletions(-)
Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
base-commit: 6a8f57ae2eb07ab39a6f0ccad60c760743051026
--
gjoyce@linux.vnet.ibm.com
WARNING: multiple messages have this Message-ID (diff)
From: gjoyce@linux.vnet.ibm.com
To: linux-block@vger.kernel.org
Cc: axboe@kernel.dk, linux-efi@vger.kernel.org,
gjoyce@linux.vnet.ibm.com, me@benboeckel.net,
keyrings@vger.kernel.org, jonathan.derrick@linux.dev,
brking@linux.vnet.ibm.com, akpm@linux-foundation.org,
msuchanek@suse.de, linuxppc-dev@lists.ozlabs.org,
elliott@hpe.com
Subject: [PATCH v4 0/3] sed-opal: keyrings, discovery, revert, key store
Date: Fri, 5 May 2023 14:41:48 -0500 [thread overview]
Message-ID: <20230505194151.2078678-1-gjoyce@linux.vnet.ibm.com> (raw)
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
TCG SED Opal is a specification from The Trusted Computing Group
that allows self encrypting storage devices (SED) to be locked at
power on and require an authentication key to unlock the drive.
The current SED Opal implementation in the block driver
requires that authentication keys be provided in an ioctl
so that they can be presented to the underlying SED
capable drive. Currently, the key is typically entered by
a user with an application like sedutil or sedcli. While
this process works, it does not lend itself to automation
like unlock by a udev rule.
The SED block driver has been extended so it can alternatively
obtain a key from a sed-opal kernel keyring. The SED ioctls
will indicate the source of the key, either directly in the
ioctl data or from the keyring.
Two new SED ioctls have also been added. These are:
1) IOC_OPAL_REVERT_LSP to revert LSP state
2) IOC_OPAL_DISCOVERY to discover drive capabilities/state
change log v4:
- rebase to 6.3-rc7
- replaced "255" magic number with U8_MAX
change log:
- rebase to 6.x
- added latest reviews
- removed platform functions for persistent key storage
- replaced key update logic with key_create_or_update()
- minor bracing and padding changes
- add error returns
- opal_key structure is application provided but kernel
verified
- added brief description of TCG SED Opal
Greg Joyce (3):
block: sed-opal: Implement IOC_OPAL_DISCOVERY
block: sed-opal: Implement IOC_OPAL_REVERT_LSP
block: sed-opal: keyring support for SED keys
block/Kconfig | 2 +
block/opal_proto.h | 4 +
block/sed-opal.c | 252 +++++++++++++++++++++++++++++++++-
include/linux/sed-opal.h | 5 +
include/uapi/linux/sed-opal.h | 25 +++-
5 files changed, 282 insertions(+), 6 deletions(-)
Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
base-commit: 6a8f57ae2eb07ab39a6f0ccad60c760743051026
--
gjoyce@linux.vnet.ibm.com
next reply other threads:[~2023-05-05 19:42 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-05 19:41 gjoyce [this message]
2023-05-05 19:41 ` [PATCH v4 0/3] sed-opal: keyrings, discovery, revert, key store gjoyce
2023-05-05 19:41 ` [PATCH v4 1/3] block: sed-opal: Implement IOC_OPAL_DISCOVERY gjoyce
2023-05-05 19:41 ` gjoyce
2023-05-05 19:41 ` [PATCH v4 2/3] block: sed-opal: Implement IOC_OPAL_REVERT_LSP gjoyce
2023-05-05 19:41 ` gjoyce
2023-05-05 19:41 ` [PATCH v4 3/3] block: sed-opal: keyring support for SED keys gjoyce
2023-05-05 19:41 ` gjoyce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230505194151.2078678-1-gjoyce@linux.vnet.ibm.com \
--to=gjoyce@linux.vnet.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=brking@linux.vnet.ibm.com \
--cc=elliott@hpe.com \
--cc=jonathan.derrick@linux.dev \
--cc=keyrings@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=me@benboeckel.net \
--cc=mpe@ellerman.id.au \
--cc=msuchanek@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.