* [PATCH 0/1] add ioctl IOC_OPAL_SET_SID_PW
From: gjoyce @ 2024-08-16 15:35 UTC (permalink / raw)
To: linux-block; +Cc: axboe, msuchanek, jonathan.derrick, gjoyce
From: Greg Joyce <gjoyce@linux.ibm.com>
After a SED drive is provisioned, there is no way to change the SID
password via the ioctl() interface. A new ioctl IOC_OPAL_SET_SID_PW
will allow the password to be changed. The valid current password is
required.
Greg Joyce (1):
block: sed-opal: add ioctl IOC_OPAL_SET_SID_PW
block/sed-opal.c | 26 ++++++++++++++++++++++++++
include/linux/sed-opal.h | 1 +
include/uapi/linux/sed-opal.h | 1 +
3 files changed, 28 insertions(+)
--
gjoyce@linux.ibm.com
* [PATCH 1/1] block: sed-opal: add ioctl IOC_OPAL_SET_SID_PW
From: gjoyce @ 2024-08-16 15:35 UTC (permalink / raw)
To: linux-block; +Cc: axboe, msuchanek, jonathan.derrick, gjoyce
From: Greg Joyce <gjoyce@linux.ibm.com>
After a SED drive is provisioned, there is no way to change the SID
password via the ioctl() interface. A new ioctl IOC_OPAL_SET_SID_PW
will allow the password to be changed. The valid current password is
required.
Signed-off-by: Greg Joyce <gjoyce@linux.ibm.com>
---
block/sed-opal.c | 26 ++++++++++++++++++++++++++
include/linux/sed-opal.h | 1 +
include/uapi/linux/sed-opal.h | 1 +
3 files changed, 28 insertions(+)
diff --git a/block/sed-opal.c b/block/sed-opal.c
index 598fd3e7fcc8..5a28f23f7f22 100644
--- a/block/sed-opal.c
+++ b/block/sed-opal.c
@@ -3037,6 +3037,29 @@ static int opal_set_new_pw(struct opal_dev *dev, struct opal_new_pw *opal_pw)
return ret;
}
+static int opal_set_new_sid_pw(struct opal_dev *dev, struct opal_new_pw *opal_pw)
+{
+ int ret;
+ struct opal_key *newkey = &opal_pw->new_user_pw.opal_key;
+ struct opal_key *oldkey = &opal_pw->session.opal_key;
+
+ const struct opal_step pw_steps[] = {
+ { start_SIDASP_opal_session, oldkey },
+ { set_sid_cpin_pin, newkey },
+ { end_opal_session, }
+ };
+
+ if (!dev)
+ return -ENODEV;
+
+ mutex_lock(&dev->dev_lock);
+ setup_opal_dev(dev);
+ ret = execute_steps(dev, pw_steps, ARRAY_SIZE(pw_steps));
+ mutex_unlock(&dev->dev_lock);
+
+ return ret;
+}
+
static int opal_activate_user(struct opal_dev *dev,
struct opal_session_info *opal_session)
{
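Review bot: `opal_set_new_sid_pw()` takes a `struct opal_new_pw` but reads only `session.opal_key` and `new_user_pw.opal_key`; anything else the caller fills in is ignored, since the session is always opened through `start_SIDASP_opal_session`. That contract is not written down anywhere in the hunk, so I would add a comment above the function such as `/* Change the SID PIN: session.opal_key is the current SID password, new_user_pw.opal_key the new one; the remaining opal_new_pw fields are ignored. */`. There is also no guard on `newkey->key_len` before `set_sid_cpin_pin` runs; whether that step or the drive rejects an empty PIN is not visible here, so `if (!newkey->key_len) return -EINVAL;` ahead of `mutex_lock()` is worth considering.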
@@ -3286,6 +3309,9 @@ int sed_ioctl(struct opal_dev *dev, unsigned int cmd, void __user *arg)
case IOC_OPAL_DISCOVERY:
ret = opal_get_discv(dev, p);
break;
+ case IOC_OPAL_SET_SID_PW:
+ ret = opal_set_new_sid_pw(dev, p);
+ break;
default:
break;
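Review bot: With this case the buffer `p` carries both the current and the new SID password, and nothing in the visible lines clears it after `opal_set_new_sid_pw()` returns. The allocation and release of `p` are outside the hunk, so this needs confirming against the rest of `sed_ioctl()`: if the buffer is released with plain `kfree(p)`, switching to `kfree_sensitive(p)` would keep the drive-owner credential from lingering in freed slab memory. Presumably the same applies to the other password-carrying commands dispatched from this switch.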
diff --git a/include/linux/sed-opal.h b/include/linux/sed-opal.h
index 2ac50822554e..80f33a93f944 100644
--- a/include/linux/sed-opal.h
+++ b/include/linux/sed-opal.h
@@ -52,6 +52,7 @@ static inline bool is_sed_ioctl(unsigned int cmd)
case IOC_OPAL_GET_GEOMETRY:
case IOC_OPAL_DISCOVERY:
case IOC_OPAL_REVERT_LSP:
+ case IOC_OPAL_SET_SID_PW:
return true;
}
return false;
diff --git a/include/uapi/linux/sed-opal.h b/include/uapi/linux/sed-opal.h
index d3994b7716bc..9025dd5a4f0f 100644
--- a/include/uapi/linux/sed-opal.h
+++ b/include/uapi/linux/sed-opal.h
@@ -215,5 +215,6 @@ struct opal_revert_lsp {
#define IOC_OPAL_GET_GEOMETRY _IOR('p', 238, struct opal_geometry)
#define IOC_OPAL_DISCOVERY _IOW('p', 239, struct opal_discovery)
#define IOC_OPAL_REVERT_LSP _IOW('p', 240, struct opal_revert_lsp)
+#define IOC_OPAL_SET_SID_PW _IOW('p', 241, struct opal_new_pw)
#endif /* _UAPI_SED_OPAL_H */
--
gjoyce@linux.ibm.com
* Re: [PATCH 1/1] block: sed-opal: add ioctl IOC_OPAL_SET_SID_PW
From: Michal Suchánek @ 2024-08-16 15:40 UTC (permalink / raw)
To: gjoyce; +Cc: linux-block, axboe, jonathan.derrick
Hello,
is there a corresponding change to a userspace tool to make use of
this?
Thanks
Michal
On Fri, Aug 16, 2024 at 10:35:57AM -0500, gjoyce@linux.ibm.com wrote:
> From: Greg Joyce <gjoyce@linux.ibm.com>
>
> After a SED drive is provisioned, there is no way to change the SID
> password via the ioctl() interface. A new ioctl IOC_OPAL_SET_SID_PW
> will allow the password to be changed. The valid current password is
> required.
>
> Signed-off-by: Greg Joyce <gjoyce@linux.ibm.com>
> ---
> block/sed-opal.c | 26 ++++++++++++++++++++++++++
> include/linux/sed-opal.h | 1 +
> include/uapi/linux/sed-opal.h | 1 +
> 3 files changed, 28 insertions(+)
>
> diff --git a/block/sed-opal.c b/block/sed-opal.c
> index 598fd3e7fcc8..5a28f23f7f22 100644
> --- a/block/sed-opal.c
> +++ b/block/sed-opal.c
> @@ -3037,6 +3037,29 @@ static int opal_set_new_pw(struct opal_dev *dev, struct opal_new_pw *opal_pw)
> return ret;
> }
>
> +static int opal_set_new_sid_pw(struct opal_dev *dev, struct opal_new_pw *opal_pw)
> +{
> + int ret;
> + struct opal_key *newkey = &opal_pw->new_user_pw.opal_key;
> + struct opal_key *oldkey = &opal_pw->session.opal_key;
> +
> + const struct opal_step pw_steps[] = {
> + { start_SIDASP_opal_session, oldkey },
> + { set_sid_cpin_pin, newkey },
> + { end_opal_session, }
> + };
> +
> + if (!dev)
> + return -ENODEV;
> +
> + mutex_lock(&dev->dev_lock);
> + setup_opal_dev(dev);
> + ret = execute_steps(dev, pw_steps, ARRAY_SIZE(pw_steps));
> + mutex_unlock(&dev->dev_lock);
> +
> + return ret;
> +}
> +
> static int opal_activate_user(struct opal_dev *dev,
> struct opal_session_info *opal_session)
> {
> @@ -3286,6 +3309,9 @@ int sed_ioctl(struct opal_dev *dev, unsigned int cmd, void __user *arg)
> case IOC_OPAL_DISCOVERY:
> ret = opal_get_discv(dev, p);
> break;
> + case IOC_OPAL_SET_SID_PW:
> + ret = opal_set_new_sid_pw(dev, p);
> + break;
>
> default:
> break;
> diff --git a/include/linux/sed-opal.h b/include/linux/sed-opal.h
> index 2ac50822554e..80f33a93f944 100644
> --- a/include/linux/sed-opal.h
> +++ b/include/linux/sed-opal.h
> @@ -52,6 +52,7 @@ static inline bool is_sed_ioctl(unsigned int cmd)
> case IOC_OPAL_GET_GEOMETRY:
> case IOC_OPAL_DISCOVERY:
> case IOC_OPAL_REVERT_LSP:
> + case IOC_OPAL_SET_SID_PW:
> return true;
> }
> return false;
> diff --git a/include/uapi/linux/sed-opal.h b/include/uapi/linux/sed-opal.h
> index d3994b7716bc..9025dd5a4f0f 100644
> --- a/include/uapi/linux/sed-opal.h
> +++ b/include/uapi/linux/sed-opal.h
> @@ -215,5 +215,6 @@ struct opal_revert_lsp {
> #define IOC_OPAL_GET_GEOMETRY _IOR('p', 238, struct opal_geometry)
> #define IOC_OPAL_DISCOVERY _IOW('p', 239, struct opal_discovery)
> #define IOC_OPAL_REVERT_LSP _IOW('p', 240, struct opal_revert_lsp)
> +#define IOC_OPAL_SET_SID_PW _IOW('p', 241, struct opal_new_pw)
>
> #endif /* _UAPI_SED_OPAL_H */
> --
> gjoyce@linux.ibm.com
>
* Re: [PATCH 1/1] block: sed-opal: add ioctl IOC_OPAL_SET_SID_PW
From: Greg Joyce @ 2024-08-16 16:12 UTC (permalink / raw)
To: Michal Suchánek; +Cc: linux-block, axboe, jonathan.derrick
Yes, I'll have a pull request for nvme-cli later today or Monday at the
latest. The changes will be dependent on IOC_OPAL_SET_SID_PW being
defined so that the cli isn't dependent on kernel version.
Greg
On Fri, 2024-08-16 at 17:40 +0200, Michal Suchánek wrote:
> Hello,
>
> is there a corresponding change to an userspace tool to make use of
> this?
>
> Thanks
>
> Michal
>
> On Fri, Aug 16, 2024 at 10:35:57AM -0500, gjoyce@linux.ibm.com wrote:
> > From: Greg Joyce <gjoyce@linux.ibm.com>
> >
> > After a SED drive is provisioned, there is no way to change the SID
> > password via the ioctl() interface. A new ioctl IOC_OPAL_SET_SID_PW
> > will allow the password to be changed. The valid current password
> > is
> > required.
> >
> > Signed-off-by: Greg Joyce <gjoyce@linux.ibm.com>
> > ---
> > block/sed-opal.c | 26 ++++++++++++++++++++++++++
> > include/linux/sed-opal.h | 1 +
> > include/uapi/linux/sed-opal.h | 1 +
> > 3 files changed, 28 insertions(+)
> >
> > diff --git a/block/sed-opal.c b/block/sed-opal.c
> > index 598fd3e7fcc8..5a28f23f7f22 100644
> > --- a/block/sed-opal.c
> > +++ b/block/sed-opal.c
> > @@ -3037,6 +3037,29 @@ static int opal_set_new_pw(struct opal_dev
> > *dev, struct opal_new_pw *opal_pw)
> > return ret;
> > }
> >
> > +static int opal_set_new_sid_pw(struct opal_dev *dev, struct
> > opal_new_pw *opal_pw)
> > +{
> > + int ret;
> > + struct opal_key *newkey = &opal_pw->new_user_pw.opal_key;
> > + struct opal_key *oldkey = &opal_pw->session.opal_key;
> > +
> > + const struct opal_step pw_steps[] = {
> > + { start_SIDASP_opal_session, oldkey },
> > + { set_sid_cpin_pin, newkey },
> > + { end_opal_session, }
> > + };
> > +
> > + if (!dev)
> > + return -ENODEV;
> > +
> > + mutex_lock(&dev->dev_lock);
> > + setup_opal_dev(dev);
> > + ret = execute_steps(dev, pw_steps, ARRAY_SIZE(pw_steps));
> > + mutex_unlock(&dev->dev_lock);
> > +
> > + return ret;
> > +}
> > +
> > static int opal_activate_user(struct opal_dev *dev,
> > struct opal_session_info
> > *opal_session)
> > {
> > @@ -3286,6 +3309,9 @@ int sed_ioctl(struct opal_dev *dev, unsigned
> > int cmd, void __user *arg)
> > case IOC_OPAL_DISCOVERY:
> > ret = opal_get_discv(dev, p);
> > break;
> > + case IOC_OPAL_SET_SID_PW:
> > + ret = opal_set_new_sid_pw(dev, p);
> > + break;
> >
> > default:
> > break;
> > diff --git a/include/linux/sed-opal.h b/include/linux/sed-opal.h
> > index 2ac50822554e..80f33a93f944 100644
> > --- a/include/linux/sed-opal.h
> > +++ b/include/linux/sed-opal.h
> > @@ -52,6 +52,7 @@ static inline bool is_sed_ioctl(unsigned int cmd)
> > case IOC_OPAL_GET_GEOMETRY:
> > case IOC_OPAL_DISCOVERY:
> > case IOC_OPAL_REVERT_LSP:
> > + case IOC_OPAL_SET_SID_PW:
> > return true;
> > }
> > return false;
> > diff --git a/include/uapi/linux/sed-opal.h
> > b/include/uapi/linux/sed-opal.h
> > index d3994b7716bc..9025dd5a4f0f 100644
> > --- a/include/uapi/linux/sed-opal.h
> > +++ b/include/uapi/linux/sed-opal.h
> > @@ -215,5 +215,6 @@ struct opal_revert_lsp {
> > #define IOC_OPAL_GET_GEOMETRY _IOR('p', 238, struct
> > opal_geometry)
> > #define IOC_OPAL_DISCOVERY _IOW('p', 239, struct
> > opal_discovery)
> > #define IOC_OPAL_REVERT_LSP _IOW('p', 240, struct
> > opal_revert_lsp)
> > +#define IOC_OPAL_SET_SID_PW _IOW('p', 241, struct
> > opal_new_pw)
> >
> > #endif /* _UAPI_SED_OPAL_H */
> > --
> > gjoyce@linux.ibm.com
> >