Commit dcedadfa authored by Dave Jiang's avatar Dave Jiang Committed by Dan Williams

nvdimm/cxl/pmem: Add support for master passphrase disable security command

The original nvdimm_security_ops ->disable() only supports user passphrase
for security disable. The CXL spec introduced the disabling of master
passphrase. Add a ->disable_master() callback to support this new operation
and leaving the old ->disable() mechanism alone. A "disable_master" command
is added for the sysfs attribute in order to allow command to be issued
from userspace. ndctl will need enabling in order to utilize this new
operation.
Reviewed-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: default avatarDave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/166983616454.2734609.14204031148234398086.stgit@djiang5-desk3.ch.intel.comSigned-off-by: default avatarDan Williams <dan.j.williams@intel.com>
parent 9f017333
...@@ -71,8 +71,9 @@ static int cxl_pmem_security_change_key(struct nvdimm *nvdimm, ...@@ -71,8 +71,9 @@ static int cxl_pmem_security_change_key(struct nvdimm *nvdimm,
return rc; return rc;
} }
static int cxl_pmem_security_disable(struct nvdimm *nvdimm, static int __cxl_pmem_security_disable(struct nvdimm *nvdimm,
const struct nvdimm_key_data *key_data) const struct nvdimm_key_data *key_data,
enum nvdimm_passphrase_type ptype)
{ {
struct cxl_nvdimm *cxl_nvd = nvdimm_provider_data(nvdimm); struct cxl_nvdimm *cxl_nvd = nvdimm_provider_data(nvdimm);
struct cxl_memdev *cxlmd = cxl_nvd->cxlmd; struct cxl_memdev *cxlmd = cxl_nvd->cxlmd;
...@@ -80,7 +81,8 @@ static int cxl_pmem_security_disable(struct nvdimm *nvdimm, ...@@ -80,7 +81,8 @@ static int cxl_pmem_security_disable(struct nvdimm *nvdimm,
struct cxl_disable_pass dis_pass; struct cxl_disable_pass dis_pass;
int rc; int rc;
dis_pass.type = CXL_PMEM_SEC_PASS_USER; dis_pass.type = ptype == NVDIMM_MASTER ?
CXL_PMEM_SEC_PASS_MASTER : CXL_PMEM_SEC_PASS_USER;
memcpy(dis_pass.pass, key_data->data, NVDIMM_PASSPHRASE_LEN); memcpy(dis_pass.pass, key_data->data, NVDIMM_PASSPHRASE_LEN);
rc = cxl_mbox_send_cmd(cxlds, CXL_MBOX_OP_DISABLE_PASSPHRASE, rc = cxl_mbox_send_cmd(cxlds, CXL_MBOX_OP_DISABLE_PASSPHRASE,
...@@ -88,6 +90,18 @@ static int cxl_pmem_security_disable(struct nvdimm *nvdimm, ...@@ -88,6 +90,18 @@ static int cxl_pmem_security_disable(struct nvdimm *nvdimm,
return rc; return rc;
} }
static int cxl_pmem_security_disable(struct nvdimm *nvdimm,
const struct nvdimm_key_data *key_data)
{
return __cxl_pmem_security_disable(nvdimm, key_data, NVDIMM_USER);
}
static int cxl_pmem_security_disable_master(struct nvdimm *nvdimm,
const struct nvdimm_key_data *key_data)
{
return __cxl_pmem_security_disable(nvdimm, key_data, NVDIMM_MASTER);
}
static int cxl_pmem_security_freeze(struct nvdimm *nvdimm) static int cxl_pmem_security_freeze(struct nvdimm *nvdimm)
{ {
struct cxl_nvdimm *cxl_nvd = nvdimm_provider_data(nvdimm); struct cxl_nvdimm *cxl_nvd = nvdimm_provider_data(nvdimm);
...@@ -155,6 +169,7 @@ static const struct nvdimm_security_ops __cxl_security_ops = { ...@@ -155,6 +169,7 @@ static const struct nvdimm_security_ops __cxl_security_ops = {
.freeze = cxl_pmem_security_freeze, .freeze = cxl_pmem_security_freeze,
.unlock = cxl_pmem_security_unlock, .unlock = cxl_pmem_security_unlock,
.erase = cxl_pmem_security_passphrase_erase, .erase = cxl_pmem_security_passphrase_erase,
.disable_master = cxl_pmem_security_disable_master,
}; };
const struct nvdimm_security_ops *cxl_security_ops = &__cxl_security_ops; const struct nvdimm_security_ops *cxl_security_ops = &__cxl_security_ops;
......
...@@ -239,7 +239,8 @@ static int check_security_state(struct nvdimm *nvdimm) ...@@ -239,7 +239,8 @@ static int check_security_state(struct nvdimm *nvdimm)
return 0; return 0;
} }
static int security_disable(struct nvdimm *nvdimm, unsigned int keyid) static int security_disable(struct nvdimm *nvdimm, unsigned int keyid,
enum nvdimm_passphrase_type pass_type)
{ {
struct device *dev = &nvdimm->dev; struct device *dev = &nvdimm->dev;
struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev); struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
...@@ -250,8 +251,13 @@ static int security_disable(struct nvdimm *nvdimm, unsigned int keyid) ...@@ -250,8 +251,13 @@ static int security_disable(struct nvdimm *nvdimm, unsigned int keyid)
/* The bus lock should be held at the top level of the call stack */ /* The bus lock should be held at the top level of the call stack */
lockdep_assert_held(&nvdimm_bus->reconfig_mutex); lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
if (!nvdimm->sec.ops || !nvdimm->sec.ops->disable if (!nvdimm->sec.ops || !nvdimm->sec.flags)
|| !nvdimm->sec.flags) return -EOPNOTSUPP;
if (pass_type == NVDIMM_USER && !nvdimm->sec.ops->disable)
return -EOPNOTSUPP;
if (pass_type == NVDIMM_MASTER && !nvdimm->sec.ops->disable_master)
return -EOPNOTSUPP; return -EOPNOTSUPP;
rc = check_security_state(nvdimm); rc = check_security_state(nvdimm);
...@@ -263,11 +269,20 @@ static int security_disable(struct nvdimm *nvdimm, unsigned int keyid) ...@@ -263,11 +269,20 @@ static int security_disable(struct nvdimm *nvdimm, unsigned int keyid)
if (!data) if (!data)
return -ENOKEY; return -ENOKEY;
if (pass_type == NVDIMM_MASTER) {
rc = nvdimm->sec.ops->disable_master(nvdimm, data);
dev_dbg(dev, "key: %d disable_master: %s\n", key_serial(key),
rc == 0 ? "success" : "fail");
} else {
rc = nvdimm->sec.ops->disable(nvdimm, data); rc = nvdimm->sec.ops->disable(nvdimm, data);
dev_dbg(dev, "key: %d disable: %s\n", key_serial(key), dev_dbg(dev, "key: %d disable: %s\n", key_serial(key),
rc == 0 ? "success" : "fail"); rc == 0 ? "success" : "fail");
}
nvdimm_put_key(key); nvdimm_put_key(key);
if (pass_type == NVDIMM_MASTER)
nvdimm->sec.ext_flags = nvdimm_security_flags(nvdimm, NVDIMM_MASTER);
else
nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER); nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
return rc; return rc;
} }
...@@ -473,6 +488,7 @@ void nvdimm_security_overwrite_query(struct work_struct *work) ...@@ -473,6 +488,7 @@ void nvdimm_security_overwrite_query(struct work_struct *work)
#define OPS \ #define OPS \
C( OP_FREEZE, "freeze", 1), \ C( OP_FREEZE, "freeze", 1), \
C( OP_DISABLE, "disable", 2), \ C( OP_DISABLE, "disable", 2), \
C( OP_DISABLE_MASTER, "disable_master", 2), \
C( OP_UPDATE, "update", 3), \ C( OP_UPDATE, "update", 3), \
C( OP_ERASE, "erase", 2), \ C( OP_ERASE, "erase", 2), \
C( OP_OVERWRITE, "overwrite", 2), \ C( OP_OVERWRITE, "overwrite", 2), \
...@@ -524,7 +540,10 @@ ssize_t nvdimm_security_store(struct device *dev, const char *buf, size_t len) ...@@ -524,7 +540,10 @@ ssize_t nvdimm_security_store(struct device *dev, const char *buf, size_t len)
rc = nvdimm_security_freeze(nvdimm); rc = nvdimm_security_freeze(nvdimm);
} else if (i == OP_DISABLE) { } else if (i == OP_DISABLE) {
dev_dbg(dev, "disable %u\n", key); dev_dbg(dev, "disable %u\n", key);
rc = security_disable(nvdimm, key); rc = security_disable(nvdimm, key, NVDIMM_USER);
} else if (i == OP_DISABLE_MASTER) {
dev_dbg(dev, "disable_master %u\n", key);
rc = security_disable(nvdimm, key, NVDIMM_MASTER);
} else if (i == OP_UPDATE || i == OP_MASTER_UPDATE) { } else if (i == OP_UPDATE || i == OP_MASTER_UPDATE) {
dev_dbg(dev, "%s %u %u\n", ops[i].name, key, newkey); dev_dbg(dev, "%s %u %u\n", ops[i].name, key, newkey);
rc = security_update(nvdimm, key, newkey, i == OP_UPDATE rc = security_update(nvdimm, key, newkey, i == OP_UPDATE
......
...@@ -183,6 +183,8 @@ struct nvdimm_security_ops { ...@@ -183,6 +183,8 @@ struct nvdimm_security_ops {
int (*overwrite)(struct nvdimm *nvdimm, int (*overwrite)(struct nvdimm *nvdimm,
const struct nvdimm_key_data *key_data); const struct nvdimm_key_data *key_data);
int (*query_overwrite)(struct nvdimm *nvdimm); int (*query_overwrite)(struct nvdimm *nvdimm);
int (*disable_master)(struct nvdimm *nvdimm,
const struct nvdimm_key_data *key_data);
}; };
enum nvdimm_fwa_state { enum nvdimm_fwa_state {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment