* [PATCH v5 0/4] generic and PowerPC SED Opal keystore
From: gjoyce @ 2023-05-05 19:43 UTC (permalink / raw)
To: linux-block
Cc: linuxppc-dev, jonathan.derrick, brking, msuchanek, mpe, axboe,
akpm, gjoyce, linux-efi, keyrings, me, elliott, andonnel
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Generic functions have been defined for accessing SED Opal keys.
The generic functions are defined as weak so that they may be superseded
by keystore specific versions.
PowerPC/pseries versions of these functions provide read/write access
to SED Opal keys in the PLPKS keystore.
The SED block driver has been modified to read the SED Opal
keystore to populate a key in the SED Opal keyring. Changes to the
SED Opal key will be written to the SED Opal keystore.
Patch 3 "keystore access for SED Opal keys" is dependent on:
https://lore.kernel.org/keyrings/20220818143045.680972-4-gjoyce@linux.vnet.ibm.com/T/#u
Changelog
v5:
- updated to reflect changes in PLPKS API
v4:
- scope reduced to cover just SED Opal keys
- base SED Opal keystore is now in SED block driver
- removed use of enum to indicate type
- refactored common code into common function that read and
write use
- removed cast to void
- added use of SED Opal keystore functions to SED block driver
v3:
- No code changes, but per reviewer requests, adding additional
mailing lists (keyring, EFI) for wider review.
v2:
- Include feedback from Gregory Joyce, Eric Richter and
Murilo Opsfelder Araujo.
- Include suggestions from Michael Ellerman.
- Moved a dependency from generic SED code to this patchset.
This patchset now builds on its own.
Greg Joyce (4):
block:sed-opal: SED Opal keystore
powerpc/pseries: PLPKS SED Opal keystore support
block: sed-opal: keystore access for SED Opal keys
powerpc/pseries: update SED for PLPKS api changes
arch/powerpc/platforms/pseries/Kconfig | 6 +
arch/powerpc/platforms/pseries/Makefile | 1 +
.../powerpc/platforms/pseries/plpks_sed_ops.c | 114 ++++++++++++++++++
block/Kconfig | 1 +
block/Makefile | 2 +-
block/sed-opal-key.c | 24 ++++
block/sed-opal.c | 18 ++-
include/linux/sed-opal-key.h | 15 +++
8 files changed, 178 insertions(+), 3 deletions(-)
create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c
create mode 100644 block/sed-opal-key.c
create mode 100644 include/linux/sed-opal-key.h
base-commit: 6a8f57ae2eb07ab39a6f0ccad60c760743051026
--
gjoyce@linux.vnet.ibm.com
* [PATCH 1/4] block:sed-opal: SED Opal keystore
From: gjoyce @ 2023-05-05 19:43 UTC (permalink / raw)
To: linux-block
Cc: linuxppc-dev, jonathan.derrick, brking, msuchanek, mpe, axboe,
akpm, gjoyce, linux-efi, keyrings, me, elliott, andonnel
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Add read and write functions that allow SED Opal keys to be stored
in a permanent keystore.
Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
---
block/Makefile | 2 +-
block/sed-opal-key.c | 24 ++++++++++++++++++++++++
include/linux/sed-opal-key.h | 15 +++++++++++++++
3 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 block/sed-opal-key.c
create mode 100644 include/linux/sed-opal-key.h
diff --git a/block/Makefile b/block/Makefile
index 4e01bb71ad6e..464a9f209552 100644
--- a/block/Makefile
+++ b/block/Makefile
@@ -35,7 +35,7 @@ obj-$(CONFIG_BLK_DEV_ZONED) += blk-zoned.o
obj-$(CONFIG_BLK_WBT) += blk-wbt.o
obj-$(CONFIG_BLK_DEBUG_FS) += blk-mq-debugfs.o
obj-$(CONFIG_BLK_DEBUG_FS_ZONED)+= blk-mq-debugfs-zoned.o
-obj-$(CONFIG_BLK_SED_OPAL) += sed-opal.o
+obj-$(CONFIG_BLK_SED_OPAL) += sed-opal.o sed-opal-key.o
obj-$(CONFIG_BLK_PM) += blk-pm.o
obj-$(CONFIG_BLK_INLINE_ENCRYPTION) += blk-crypto.o blk-crypto-profile.o \
blk-crypto-sysfs.o
diff --git a/block/sed-opal-key.c b/block/sed-opal-key.c
new file mode 100644
index 000000000000..16f380164c44
--- /dev/null
+++ b/block/sed-opal-key.c
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * SED key operations.
+ *
+ * Copyright (C) 2022 IBM Corporation
+ *
+ * These are the accessor functions (read/write) for SED Opal
+ * keys. Specific keystores can provide overrides.
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/errno.h>
+#include <linux/sed-opal-key.h>
+
+int __weak sed_read_key(char *keyname, char *key, u_int *keylen)
+{
+ return -EOPNOTSUPP;
+}
+
+int __weak sed_write_key(char *keyname, char *key, u_int keylen)
+{
+ return -EOPNOTSUPP;
+}
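Review bot: `keyname` in both stubs and `key` in sed_write_key() are never written through, so they should be `const char *`; as declared, callers have to drop const on the key name and on their key buffer, and a keystore backend is free to modify the key it was handed. Kernel code also conventionally spells `u_int` as `unsigned int`. Since these weak stubs are the contract every backend must honour, a short comment per function is worth adding: `*keylen` is the caller's buffer size on entry and the stored key's length on return, and -EOPNOTSUPP specifically means "no keystore on this platform" so callers can treat it as non-fatal.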
diff --git a/include/linux/sed-opal-key.h b/include/linux/sed-opal-key.h
new file mode 100644
index 000000000000..c9b1447986d8
--- /dev/null
+++ b/include/linux/sed-opal-key.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * SED key operations.
+ *
+ * Copyright (C) 2022 IBM Corporation
+ *
+ * These are the accessor functions (read/write) for SED Opal
+ * keys. Specific keystores can provide overrides.
+ *
+ */
+
+#include <linux/kernel.h>
+
+int sed_read_key(char *keyname, char *key, u_int *keylen);
+int sed_write_key(char *keyname, char *key, u_int keylen);
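Review bot: the header has no include guard (`#ifndef _LINUX_SED_OPAL_KEY_H` / `#define _LINUX_SED_OPAL_KEY_H` / `#endif`); headers under include/linux are expected to have one, and anything added later (a struct, an inline helper) would break on double inclusion. Pulling in <linux/kernel.h> just for `u_int` is heavier than needed; <linux/types.h> is the usual include for that. The SPDX identifier also differs from the .c file (`GPL-2.0` here, `GPL-2.0-only` there); use the same one in both.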
--
gjoyce@linux.vnet.ibm.com
* [PATCH 2/4] powerpc/pseries: PLPKS SED Opal keystore support
From: gjoyce @ 2023-05-05 19:44 UTC (permalink / raw)
To: linux-block
Cc: linuxppc-dev, jonathan.derrick, brking, msuchanek, mpe, axboe,
akpm, gjoyce, linux-efi, keyrings, me, elliott, andonnel
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Define operations for SED Opal to read/write keys
from POWER LPAR Platform KeyStore (PLPKS). This allows
non-volatile storage of SED Opal keys.
Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
---
arch/powerpc/platforms/pseries/Makefile | 1 +
.../powerpc/platforms/pseries/plpks_sed_ops.c | 126 ++++++++++++++++++
2 files changed, 127 insertions(+)
create mode 100644 arch/powerpc/platforms/pseries/plpks_sed_ops.c
diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile
index 53c3b91af2f7..4242aed0d5d3 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -29,6 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o
obj-$(CONFIG_FA_DUMP) += rtas-fadump.o
obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o
+obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks-sed.o
obj-$(CONFIG_SUSPEND) += suspend.o
obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o
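Review bot: the object name does not match the file this patch adds: the rule builds `plpks-sed.o` while the source is `plpks_sed_ops.c`. At this point in the series CONFIG_PSERIES_PLPKS_SED does not exist in Kconfig either (patch 4 adds it), so `obj-$(CONFIG_PSERIES_PLPKS_SED)` expands to `obj-` and the file is silently never compiled; once the symbol exists the mismatch becomes a "No rule to make target" error, which patch 4 then fixes. Both the Kconfig symbol and the correct object name (`plpks_sed_ops.o`) belong in this patch so that every step of the series builds.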
diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
new file mode 100644
index 000000000000..086934b319a9
--- /dev/null
+++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * POWER Platform specific code for non-volatile SED key access
+ * Copyright (C) 2022 IBM Corporation
+ *
+ * Define operations for SED Opal to read/write keys
+ * from POWER LPAR Platform KeyStore(PLPKS).
+ *
+ * Self Encrypting Drives(SED) key storage using PLPKS
+ */
+
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/ioctl.h>
+#include <linux/sed-opal-key.h>
+#include "plpks.h"
+
+/*
+ * structure that contains all SED data
+ */
+struct plpks_sed_object_data {
+ u_char version;
+ u_char pad1[7];
+ u_long authority;
+ u_long range;
+ u_int key_len;
+ u_char key[32];
+};
+
+#define PLPKS_PLATVAR_POLICY WORLDREADABLE
+#define PLPKS_PLATVAR_OS_COMMON 4
+
+#define PLPKS_SED_OBJECT_DATA_V0 0
+#define PLPKS_SED_MANGLED_LABEL "/default/pri"
+#define PLPKS_SED_COMPONENT "sed-opal"
+#define PLPKS_SED_KEY "opal-boot-pin"
+
+/*
+ * authority is admin1 and range is global
+ */
+#define PLPKS_SED_AUTHORITY 0x0000000900010001
+#define PLPKS_SED_RANGE 0x0000080200000001
+
+void plpks_init_var(struct plpks_var *var, char *keyname)
+{
+ var->name = keyname;
+ var->namelen = strlen(keyname);
+ if (strcmp(PLPKS_SED_KEY, keyname) == 0) {
+ var->name = PLPKS_SED_MANGLED_LABEL;
+ var->namelen = strlen(keyname);
+ }
+ var->policy = PLPKS_PLATVAR_POLICY;
+ var->os = PLPKS_PLATVAR_OS_COMMON;
+ var->data = NULL;
+ var->datalen = 0;
+ var->component = PLPKS_SED_COMPONENT;
+}
+
+/*
+ * Read the SED Opal key from PLPKS given the label
+ */
+int sed_read_key(char *keyname, char *key, u_int *keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ u_int offset;
+ int ret;
+ u_int len;
+
+ plpks_init_var(&var, keyname);
+ var.data = &data;
+ var.datalen = sizeof(data);
+
+ ret = plpks_read_os_var(&var);
+ if (ret != 0)
+ return ret;
+
+ offset = offsetof(struct plpks_sed_object_data, key);
+ if (offset > var.datalen) {
+ return -EINVAL;
+ }
+
+ len = min(be32_to_cpu(data.key_len), *keylen);
+
+ memcpy(key, data.key, len);
+ kfree(var.data);
+
+ key[len] = '\0';
+ *keylen = len;
+
+ return 0;
+}
+
+/*
+ * Write the SED Opal key to PLPKS given the label
+ */
+int sed_write_key(char *keyname, char *key, u_int keylen)
+{
+ struct plpks_var var;
+ struct plpks_sed_object_data data;
+ struct plpks_var_name vname;
+
+ plpks_init_var(&var, keyname);
+
+ var.datalen = sizeof(struct plpks_sed_object_data);
+ var.data = (u8 *)&data;
+
+ /* initialize SED object */
+ data.version = PLPKS_SED_OBJECT_DATA_V0;
+ data.authority = cpu_to_be64(PLPKS_SED_AUTHORITY);
+ data.range = cpu_to_be64(PLPKS_SED_RANGE);
+ memset(&data.pad1, '\0', sizeof(data.pad1));
+ data.key_len = cpu_to_be32(keylen);
+ memcpy(data.key, (char *)key, keylen);
+
+ /*
+ * Key update requires remove first. The return value
+ * is ignored since it's okay if the key doesn't exist.
+ */
+ vname.namelen = var.namelen;
+ vname.name = var.name;
+ plpks_remove_var(var.component, var.os, vname);
+
+ return plpks_write_var(var);
+}
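Review bot: sed_write_key() copies `keylen` bytes into `data.key`, a 32-byte array inside an on-stack struct, with no check that `keylen <= sizeof(data.key)`; patch 3 passes `opal_pw->new_user_pw.opal_key.key_len` here, so an over-long key overflows the stack frame. Reject it up front with `if (keylen > sizeof(data.key)) return -EINVAL;`. In sed_read_key(), `kfree(var.data)` frees `&data`, a stack variable rather than a heap allocation; drop that line. The same function trusts `data.key_len` from the stored object: `len = min(be32_to_cpu(data.key_len), *keylen)` should additionally be clamped to `sizeof(data.key)`, and the `offset > var.datalen` check compares against the `sizeof(data)` assigned before the read, so it can only ever fail if plpks_read_os_var() rewrites `datalen`; either compare against what the read actually returned or remove it. In plpks_init_var(), after the name is swapped to PLPKS_SED_MANGLED_LABEL the length is still `strlen(keyname)`; "opal-boot-pin" and "/default/pri" differ in length, so use `strlen(var->name)`. plpks_init_var() is used only in this file and should be `static`. Finally, the object is stored with the WORLDREADABLE policy; since this is the drive's boot unlock PIN, the commit message should state who can read PLPKS objects under that policy and why that is acceptable.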
--
gjoyce@linux.vnet.ibm.com
* [PATCH 3/4] block: sed-opal: keystore access for SED Opal keys
From: gjoyce @ 2023-05-05 19:44 UTC (permalink / raw)
To: linux-block
Cc: linuxppc-dev, jonathan.derrick, brking, msuchanek, mpe, axboe,
akpm, gjoyce, linux-efi, keyrings, me, elliott, andonnel
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Allow for permanent SED authentication keys by
reading/writing to the SED Opal non-volatile keystore.
Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
---
block/sed-opal.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/block/sed-opal.c b/block/sed-opal.c
index 7f5f235a9048..1e8cfa00b609 100644
--- a/block/sed-opal.c
+++ b/block/sed-opal.c
@@ -18,6 +18,7 @@
#include <linux/uaccess.h>
#include <uapi/linux/sed-opal.h>
#include <linux/sed-opal.h>
+#include <linux/sed-opal-key.h>
#include <linux/string.h>
#include <linux/kdev_t.h>
#include <linux/key.h>
@@ -2803,7 +2804,13 @@ static int opal_set_new_pw(struct opal_dev *dev, struct opal_new_pw *opal_pw)
if (ret)
return ret;
- /* update keyring with new password */
+ /* update keyring and key store with new password */
+ ret = sed_write_key(OPAL_AUTH_KEY,
+ opal_pw->new_user_pw.opal_key.key,
+ opal_pw->new_user_pw.opal_key.key_len);
+ if (ret != -EOPNOTSUPP)
+ pr_warn("error updating SED key: %d\n", ret);
+
ret = update_sed_opal_key(OPAL_AUTH_KEY,
opal_pw->new_user_pw.opal_key.key,
opal_pw->new_user_pw.opal_key.key_len);
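Review bot: the warning fires on success: sed_write_key() returns 0 when the keystore write worked, and `0 != -EOPNOTSUPP` is true, so every password change logs "error updating SED key: 0". The condition should be `if (ret && ret != -EOPNOTSUPP)`. It is also worth saying in the message that by this point the drive has already accepted the new password (the `if (ret) return ret;` above follows the drive update), so a genuine keystore failure leaves the persisted copy stale and the next boot's sed_opal_init() will load a key the drive no longer accepts.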
@@ -3050,6 +3057,8 @@ EXPORT_SYMBOL_GPL(sed_ioctl);
static int __init sed_opal_init(void)
{
struct key *kr;
+ char init_sed_key[OPAL_KEY_MAX];
+ int keylen = OPAL_KEY_MAX - 1;
kr = keyring_alloc(".sed_opal",
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
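Review bot: `keylen` is declared `int` but sed_read_key() takes `u_int *keylen`, so passing `&keylen` in the next hunk is an incompatible-pointer-types warning (an error under -Werror); declare it `u_int keylen = OPAL_KEY_MAX - 1;`. The `- 1` exists so that sed_read_key()'s `key[len] = '\0'` stays inside `init_sed_key`; a one-line comment saying so would keep someone from "fixing" it to OPAL_KEY_MAX later.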
@@ -3062,6 +3071,11 @@ static int __init sed_opal_init(void)
sed_opal_keyring = kr;
- return 0;
+ if (sed_read_key(OPAL_AUTH_KEY, init_sed_key, &keylen) < 0) {
+ memset(init_sed_key, '\0', sizeof(init_sed_key));
+ keylen = OPAL_KEY_MAX - 1;
+ }
+
+ return update_sed_opal_key(OPAL_AUTH_KEY, init_sed_key, keylen);
}
late_initcall(sed_opal_init);
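Review bot: when the read fails, including the -EOPNOTSUPP the weak stub returns on every non-PLPKS platform, the fallback installs an all-zero key of OPAL_KEY_MAX - 1 bytes into the keyring. If a zero-filled placeholder is the "no stored key" state that update_sed_opal_key() expects, a comment should say so; otherwise a zero length would be the clearer signal. `init_sed_key` also still holds the drive unlock PIN on the stack after update_sed_opal_key() has copied it into the keyring, so clear it with memzero_explicit() before returning.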
--
gjoyce@linux.vnet.ibm.com
* [PATCH 4/4] powerpc/pseries: update SED for PLPKS api changes
From: gjoyce @ 2023-05-05 19:44 UTC (permalink / raw)
To: linux-block
Cc: linuxppc-dev, jonathan.derrick, brking, msuchanek, mpe, axboe,
akpm, gjoyce, linux-efi, keyrings, me, elliott, andonnel
From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
Changes to the PLPKS API require minor updates to the SED Opal
PLPKS keystore code.
Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
---
arch/powerpc/platforms/pseries/Kconfig | 6 +++++
arch/powerpc/platforms/pseries/Makefile | 2 +-
.../powerpc/platforms/pseries/plpks_sed_ops.c | 22 +++++--------------
block/Kconfig | 1 +
4 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/Kconfig b/arch/powerpc/platforms/pseries/Kconfig
index 21b22bf16ce6..c2f8a29e7b9b 100644
--- a/arch/powerpc/platforms/pseries/Kconfig
+++ b/arch/powerpc/platforms/pseries/Kconfig
@@ -163,6 +163,12 @@ config PSERIES_PLPKS
# This option is selected by in-kernel consumers that require
# access to the PKS.
+config PSERIES_PLPKS_SED
+ depends on PPC_PSERIES
+ bool
+ # This option is selected by in-kernel consumers that require
+ # access to the SED PKS keystore.
+
config PAPR_SCM
depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
tristate "Support for the PAPR Storage Class Memory interface"
diff --git a/arch/powerpc/platforms/pseries/Makefile b/arch/powerpc/platforms/pseries/Makefile
index 4242aed0d5d3..1476c5e4433c 100644
--- a/arch/powerpc/platforms/pseries/Makefile
+++ b/arch/powerpc/platforms/pseries/Makefile
@@ -29,7 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o
obj-$(CONFIG_FA_DUMP) += rtas-fadump.o
obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o
-obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks-sed.o
+obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks_sed_ops.o
obj-$(CONFIG_SUSPEND) += suspend.o
obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o
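Review bot: this corrects the object name from patch 2 (`plpks-sed.o` never matched `plpks_sed_ops.c`); leaving the fix in a separate patch means patch 2 cannot build on its own once the Kconfig symbol exists, so fold this line into patch 2 rather than fixing it here.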
diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
index 086934b319a9..c1d08075e850 100644
--- a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
+++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
@@ -14,7 +14,7 @@
#include <linux/string.h>
#include <linux/ioctl.h>
#include <linux/sed-opal-key.h>
-#include "plpks.h"
+#include <asm/plpks.h>
/*
* structure that contains all SED data
@@ -28,9 +28,6 @@ struct plpks_sed_object_data {
u_char key[32];
};
-#define PLPKS_PLATVAR_POLICY WORLDREADABLE
-#define PLPKS_PLATVAR_OS_COMMON 4
-
#define PLPKS_SED_OBJECT_DATA_V0 0
#define PLPKS_SED_MANGLED_LABEL "/default/pri"
#define PLPKS_SED_COMPONENT "sed-opal"
@@ -50,8 +47,8 @@ void plpks_init_var(struct plpks_var *var, char *keyname)
var->name = PLPKS_SED_MANGLED_LABEL;
var->namelen = strlen(keyname);
}
- var->policy = PLPKS_PLATVAR_POLICY;
- var->os = PLPKS_PLATVAR_OS_COMMON;
+ var->policy = PLPKS_WORLDREADABLE;
+ var->os = PLPKS_VAR_COMMON;
var->data = NULL;
var->datalen = 0;
var->component = PLPKS_SED_COMPONENT;
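Review bot: the length bug survives: inside the `if`, `var->name` is swapped to PLPKS_SED_MANGLED_LABEL ("/default/pri", 12 bytes) but `var->namelen = strlen(keyname)` still measures the original key name ("opal-boot-pin", 13 bytes), so the PLPKS request carries the label plus its NUL terminator. Use `var->namelen = strlen(var->name);` after the substitution, and make plpks_init_var() `static` since nothing outside this file uses it.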
@@ -64,28 +61,19 @@ int sed_read_key(char *keyname, char *key, u_int *keylen)
{
struct plpks_var var;
struct plpks_sed_object_data data;
- u_int offset;
int ret;
u_int len;
plpks_init_var(&var, keyname);
- var.data = &data;
+ var.data = (u8 *)&data;
var.datalen = sizeof(data);
ret = plpks_read_os_var(&var);
if (ret != 0)
return ret;
- offset = offsetof(struct plpks_sed_object_data, key);
- if (offset > var.datalen) {
- return -EINVAL;
- }
-
- len = min(be32_to_cpu(data.key_len), *keylen);
-
+ len = min_t(u16, be32_to_cpu(data.key_len), var.datalen);
memcpy(key, data.key, len);
- kfree(var.data);
-
key[len] = '\0';
*keylen = len;
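Review bot: the new clamp bounds the copy by the wrong quantity: `min_t(u16, be32_to_cpu(data.key_len), var.datalen)` limits `len` to the size of the whole PLPKS object (sizeof(struct plpks_sed_object_data), larger than the 32-byte key array), not to `sizeof(data.key)` nor to the caller's buffer `*keylen`, which the removed line honoured. A stored object whose key_len lies between 33 and that object size makes `memcpy(key, data.key, len)` read past `data.key` on the stack, and `key[len] = '\0'` is no longer tied to the caller's buffer size at all. Suggest `len = min_t(u32, be32_to_cpu(data.key_len), sizeof(data.key)); len = min(len, *keylen);` (or return -EINVAL when the stored length exceeds the caller's buffer). The `u16` in min_t also silently truncates a 32-bit key_len. Dropping `kfree(var.data)` is correct; that was a stack address.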
diff --git a/block/Kconfig b/block/Kconfig
index 76b23114fdeb..75d4db34df5a 100644
--- a/block/Kconfig
+++ b/block/Kconfig
@@ -182,6 +182,7 @@ config BLK_SED_OPAL
bool "Logic for interfacing with Opal enabled SEDs"
depends on KEYS
select PSERIES_PLPKS if PPC_PSERIES
+ select PSERIES_PLPKS_SED if PPC_PSERIES
help
Builds Logic for interfacing with Opal enabled controllers.
Enabling this option enables users to setup/unlock/lock
--
gjoyce@linux.vnet.ibm.com
* Re: [PATCH 1/4] block:sed-opal: SED Opal keystore
From: Jarkko Sakkinen @ 2023-05-10 22:50 UTC (permalink / raw)
To: gjoyce, linux-block
Cc: linuxppc-dev, jonathan.derrick, brking, msuchanek, mpe, axboe,
akpm, linux-efi, keyrings, me, elliott, andonnel
On Fri May 5, 2023 at 10:43 PM EEST, wrote:
> From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
>
> Add read and write functions that allow SED Opal keys to be stored
> in a permanent keystore.
Please be more verbose starting from "Self-Encrypting Drive (SED)",
instead of just "SED", and take time to explain what these keys are.
>
> Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
> ---
> block/Makefile | 2 +-
> block/sed-opal-key.c | 24 ++++++++++++++++++++++++
> include/linux/sed-opal-key.h | 15 +++++++++++++++
> 3 files changed, 40 insertions(+), 1 deletion(-)
> create mode 100644 block/sed-opal-key.c
> create mode 100644 include/linux/sed-opal-key.h
>
> diff --git a/block/Makefile b/block/Makefile
> index 4e01bb71ad6e..464a9f209552 100644
> --- a/block/Makefile
> +++ b/block/Makefile
> @@ -35,7 +35,7 @@ obj-$(CONFIG_BLK_DEV_ZONED) += blk-zoned.o
> obj-$(CONFIG_BLK_WBT) += blk-wbt.o
> obj-$(CONFIG_BLK_DEBUG_FS) += blk-mq-debugfs.o
> obj-$(CONFIG_BLK_DEBUG_FS_ZONED)+= blk-mq-debugfs-zoned.o
> -obj-$(CONFIG_BLK_SED_OPAL) += sed-opal.o
> +obj-$(CONFIG_BLK_SED_OPAL) += sed-opal.o sed-opal-key.o
> obj-$(CONFIG_BLK_PM) += blk-pm.o
> obj-$(CONFIG_BLK_INLINE_ENCRYPTION) += blk-crypto.o blk-crypto-profile.o \
> blk-crypto-sysfs.o
> diff --git a/block/sed-opal-key.c b/block/sed-opal-key.c
> new file mode 100644
> index 000000000000..16f380164c44
> --- /dev/null
> +++ b/block/sed-opal-key.c
> @@ -0,0 +1,24 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * SED key operations.
> + *
> + * Copyright (C) 2022 IBM Corporation
> + *
> + * These are the accessor functions (read/write) for SED Opal
> + * keys. Specific keystores can provide overrides.
> + *
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/errno.h>
> +#include <linux/sed-opal-key.h>
> +
> +int __weak sed_read_key(char *keyname, char *key, u_int *keylen)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +int __weak sed_write_key(char *keyname, char *key, u_int keylen)
> +{
> + return -EOPNOTSUPP;
> +}
> diff --git a/include/linux/sed-opal-key.h b/include/linux/sed-opal-key.h
> new file mode 100644
> index 000000000000..c9b1447986d8
> --- /dev/null
> +++ b/include/linux/sed-opal-key.h
> @@ -0,0 +1,15 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * SED key operations.
> + *
> + * Copyright (C) 2022 IBM Corporation
> + *
> + * These are the accessor functions (read/write) for SED Opal
> + * keys. Specific keystores can provide overrides.
> + *
> + */
> +
> +#include <linux/kernel.h>
> +
> +int sed_read_key(char *keyname, char *key, u_int *keylen);
> +int sed_write_key(char *keyname, char *key, u_int keylen);
> --
> gjoyce@linux.vnet.ibm.com
BR, Jarkko
* Re: [PATCH 4/4] powerpc/pseries: update SED for PLPKS api changes
From: Andrew Donnellan @ 2023-05-15 5:52 UTC (permalink / raw)
To: gjoyce, linux-block
Cc: linuxppc-dev, jonathan.derrick, brking, msuchanek, mpe, axboe,
akpm, linux-efi, keyrings, me, elliott, nayna
On Fri, 2023-05-05 at 14:44 -0500, gjoyce@linux.vnet.ibm.com wrote:
> From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
>
> Changes to the PLPKS API require minor updates to the SED Opal
> PLPKS keystore code.
>
> Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
[+ Nayna]
This patch will need to be squashed with patch 2.
> ---
> arch/powerpc/platforms/pseries/Kconfig | 6 +++++
> arch/powerpc/platforms/pseries/Makefile | 2 +-
> .../powerpc/platforms/pseries/plpks_sed_ops.c | 22 +++++------------
> --
> block/Kconfig | 1 +
> 4 files changed, 13 insertions(+), 18 deletions(-)
>
> diff --git a/arch/powerpc/platforms/pseries/Kconfig
> b/arch/powerpc/platforms/pseries/Kconfig
> index 21b22bf16ce6..c2f8a29e7b9b 100644
> --- a/arch/powerpc/platforms/pseries/Kconfig
> +++ b/arch/powerpc/platforms/pseries/Kconfig
> @@ -163,6 +163,12 @@ config PSERIES_PLPKS
> # This option is selected by in-kernel consumers that require
> # access to the PKS.
>
> +config PSERIES_PLPKS_SED
> + depends on PPC_PSERIES
> + bool
> + # This option is selected by in-kernel consumers that require
> + # access to the SED PKS keystore.
> +
> config PAPR_SCM
> depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
> tristate "Support for the PAPR Storage Class Memory
> interface"
> diff --git a/arch/powerpc/platforms/pseries/Makefile
> b/arch/powerpc/platforms/pseries/Makefile
> index 4242aed0d5d3..1476c5e4433c 100644
> --- a/arch/powerpc/platforms/pseries/Makefile
> +++ b/arch/powerpc/platforms/pseries/Makefile
> @@ -29,7 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o
> obj-$(CONFIG_FA_DUMP) += rtas-fadump.o
> obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
> obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o
> -obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks-sed.o
> +obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks_sed_ops.o
I think you could just use obj-$(CONFIG_BLK_SED_OPAL) and then there
wouldn't be a need to introduce a new option? Unless there's going to
be a second consumer.
> obj-$(CONFIG_SUSPEND) += suspend.o
> obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o
>
> diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> index 086934b319a9..c1d08075e850 100644
> --- a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> +++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> @@ -14,7 +14,7 @@
> #include <linux/string.h>
> #include <linux/ioctl.h>
> #include <linux/sed-opal-key.h>
> -#include "plpks.h"
> +#include <asm/plpks.h>
>
> /*
> * structure that contains all SED data
> @@ -28,9 +28,6 @@ struct plpks_sed_object_data {
> u_char key[32];
> };
>
> -#define PLPKS_PLATVAR_POLICY WORLDREADABLE
> -#define PLPKS_PLATVAR_OS_COMMON 4
> -
> #define PLPKS_SED_OBJECT_DATA_V0 0
> #define PLPKS_SED_MANGLED_LABEL "/default/pri"
> #define PLPKS_SED_COMPONENT "sed-opal"
> @@ -50,8 +47,8 @@ void plpks_init_var(struct plpks_var *var, char
> *keyname)
> var->name = PLPKS_SED_MANGLED_LABEL;
> var->namelen = strlen(keyname);
> }
> - var->policy = PLPKS_PLATVAR_POLICY;
> - var->os = PLPKS_PLATVAR_OS_COMMON;
> + var->policy = PLPKS_WORLDREADABLE;
> + var->os = PLPKS_VAR_COMMON;
> var->data = NULL;
> var->datalen = 0;
> var->component = PLPKS_SED_COMPONENT;
> @@ -64,28 +61,19 @@ int sed_read_key(char *keyname, char *key, u_int
> *keylen)
> {
> struct plpks_var var;
> struct plpks_sed_object_data data;
> - u_int offset;
> int ret;
> u_int len;
>
> plpks_init_var(&var, keyname);
> - var.data = &data;
> + var.data = (u8 *)&data;
> var.datalen = sizeof(data);
>
> ret = plpks_read_os_var(&var);
> if (ret != 0)
> return ret;
>
> - offset = offsetof(struct plpks_sed_object_data, key);
> - if (offset > var.datalen) {
> - return -EINVAL;
> - }
> -
> - len = min(be32_to_cpu(data.key_len), *keylen);
> -
> + len = min_t(u16, be32_to_cpu(data.key_len), var.datalen);
> memcpy(key, data.key, len);
> - kfree(var.data);
> -
> key[len] = '\0';
> *keylen = len;
>
> diff --git a/block/Kconfig b/block/Kconfig
> index 76b23114fdeb..75d4db34df5a 100644
> --- a/block/Kconfig
> +++ b/block/Kconfig
> @@ -182,6 +182,7 @@ config BLK_SED_OPAL
> bool "Logic for interfacing with Opal enabled SEDs"
> depends on KEYS
> select PSERIES_PLPKS if PPC_PSERIES
> + select PSERIES_PLPKS_SED if PPC_PSERIES
> help
> Builds Logic for interfacing with Opal enabled controllers.
> Enabling this option enables users to setup/unlock/lock
--
Andrew Donnellan OzLabs, ADL Canberra
ajd@linux.ibm.com IBM Australia Limited
* Re: [PATCH 4/4] powerpc/pseries: update SED for PLPKS api changes
From: Greg Joyce @ 2023-06-01 14:27 UTC (permalink / raw)
To: Andrew Donnellan, linux-block
Cc: linuxppc-dev, jonathan.derrick, brking, msuchanek, mpe, axboe,
akpm, linux-efi, keyrings, me, elliott, nayna
On Mon, 2023-05-15 at 15:52 +1000, Andrew Donnellan wrote:
> On Fri, 2023-05-05 at 14:44 -0500, gjoyce@linux.vnet.ibm.com wrote:
> > From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> >
> > Changes to the PLPKS API require minor updates to the SED Opal
> > PLPKS keystore code.
> >
> > Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
>
> [+ Nayna]
>
> This patch will need to be squashed with patch 2.
Thanks. I've squashed the patches and will resend shortly.
>
> > ---
> > arch/powerpc/platforms/pseries/Kconfig | 6 +++++
> > arch/powerpc/platforms/pseries/Makefile | 2 +-
> > .../powerpc/platforms/pseries/plpks_sed_ops.c | 22 +++++--------
> > ----
> > --
> > block/Kconfig | 1 +
> > 4 files changed, 13 insertions(+), 18 deletions(-)
> >
> > diff --git a/arch/powerpc/platforms/pseries/Kconfig
> > b/arch/powerpc/platforms/pseries/Kconfig
> > index 21b22bf16ce6..c2f8a29e7b9b 100644
> > --- a/arch/powerpc/platforms/pseries/Kconfig
> > +++ b/arch/powerpc/platforms/pseries/Kconfig
> > @@ -163,6 +163,12 @@ config PSERIES_PLPKS
> > # This option is selected by in-kernel consumers that
> > require
> > # access to the PKS.
> >
> > +config PSERIES_PLPKS_SED
> > + depends on PPC_PSERIES
> > + bool
> > + # This option is selected by in-kernel consumers that
> > require
> > + # access to the SED PKS keystore.
> > +
> > config PAPR_SCM
> > depends on PPC_PSERIES && MEMORY_HOTPLUG && LIBNVDIMM
> > tristate "Support for the PAPR Storage Class Memory
> > interface"
> > diff --git a/arch/powerpc/platforms/pseries/Makefile
> > b/arch/powerpc/platforms/pseries/Makefile
> > index 4242aed0d5d3..1476c5e4433c 100644
> > --- a/arch/powerpc/platforms/pseries/Makefile
> > +++ b/arch/powerpc/platforms/pseries/Makefile
> > @@ -29,7 +29,7 @@ obj-$(CONFIG_PPC_SVM) += svm.o
> > obj-$(CONFIG_FA_DUMP) += rtas-fadump.o
> > obj-$(CONFIG_PSERIES_PLPKS) += plpks.o
> > obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o
> > -obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks-sed.o
> > +obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks_sed_ops.o
>
> I think you could just use obj-$(CONFIG_BLK_SED_OPAL) and then there
> wouldn't be a need to introduce a new option? Unless there's going to
> be a second consumer.
I was following the model of CONFIG_PPC_SECURE_BOOT. That gives a
little finer control and flexibility for using SED and PLPKS. This also
confines use of CONFIG_BLK_SED_OPAL to the base SED OPAL code.
>
> > obj-$(CONFIG_SUSPEND) += suspend.o
> > obj-$(CONFIG_PPC_VAS) += vas.o vas-sysfs.o
> >
> > diff --git a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> > b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> > index 086934b319a9..c1d08075e850 100644
> > --- a/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> > +++ b/arch/powerpc/platforms/pseries/plpks_sed_ops.c
> > @@ -14,7 +14,7 @@
> > #include <linux/string.h>
> > #include <linux/ioctl.h>
> > #include <linux/sed-opal-key.h>
> > -#include "plpks.h"
> > +#include <asm/plpks.h>
> >
> > /*
> > * structure that contains all SED data
> > @@ -28,9 +28,6 @@ struct plpks_sed_object_data {
> > u_char key[32];
> > };
> >
> > -#define PLPKS_PLATVAR_POLICY WORLDREADABLE
> > -#define PLPKS_PLATVAR_OS_COMMON 4
> > -
> > #define PLPKS_SED_OBJECT_DATA_V0 0
> > #define PLPKS_SED_MANGLED_LABEL "/default/pri"
> > #define PLPKS_SED_COMPONENT "sed-opal"
> > @@ -50,8 +47,8 @@ void plpks_init_var(struct plpks_var *var, char
> > *keyname)
> > var->name = PLPKS_SED_MANGLED_LABEL;
> > var->namelen = strlen(keyname);
> > }
> > - var->policy = PLPKS_PLATVAR_POLICY;
> > - var->os = PLPKS_PLATVAR_OS_COMMON;
> > + var->policy = PLPKS_WORLDREADABLE;
> > + var->os = PLPKS_VAR_COMMON;
> > var->data = NULL;
> > var->datalen = 0;
> > var->component = PLPKS_SED_COMPONENT;
> > @@ -64,28 +61,19 @@ int sed_read_key(char *keyname, char *key,
> > u_int
> > *keylen)
> > {
> > struct plpks_var var;
> > struct plpks_sed_object_data data;
> > - u_int offset;
> > int ret;
> > u_int len;
> >
> > plpks_init_var(&var, keyname);
> > - var.data = &data;
> > + var.data = (u8 *)&data;
> > var.datalen = sizeof(data);
> >
> > ret = plpks_read_os_var(&var);
> > if (ret != 0)
> > return ret;
> >
> > - offset = offsetof(struct plpks_sed_object_data, key);
> > - if (offset > var.datalen) {
> > - return -EINVAL;
> > - }
> > -
> > - len = min(be32_to_cpu(data.key_len), *keylen);
> > -
> > + len = min_t(u16, be32_to_cpu(data.key_len), var.datalen);
> > memcpy(key, data.key, len);
> > - kfree(var.data);
> > -
> > key[len] = '\0';
> > *keylen = len;
> >
> > diff --git a/block/Kconfig b/block/Kconfig
> > index 76b23114fdeb..75d4db34df5a 100644
> > --- a/block/Kconfig
> > +++ b/block/Kconfig
> > @@ -182,6 +182,7 @@ config BLK_SED_OPAL
> > bool "Logic for interfacing with Opal enabled SEDs"
> > depends on KEYS
> > select PSERIES_PLPKS if PPC_PSERIES
> > + select PSERIES_PLPKS_SED if PPC_PSERIES
> > help
> > Builds Logic for interfacing with Opal enabled controllers.
> > Enabling this option enables users to setup/unlock/lock
* Re: [PATCH 1/4] block:sed-opal: SED Opal keystore
From: Greg Joyce @ 2023-06-01 14:29 UTC (permalink / raw)
To: Jarkko Sakkinen, linux-block
Cc: linuxppc-dev, jonathan.derrick, brking, msuchanek, mpe, axboe,
akpm, linux-efi, keyrings, me, elliott, andonnel
On Thu, 2023-05-11 at 01:50 +0300, Jarkko Sakkinen wrote:
> On Fri May 5, 2023 at 10:43 PM EEST, wrote:
> > From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> >
> > Add read and write functions that allow SED Opal keys to be stored
> > in a permanent keystore.
>
> Please be more verbose starting from "Self-Encrypting Drive (SED)",
> instead of just "SED", and take time to explain what these keys are.
A further elaboration of SED and the keys will be in the next patchset.
>
> > Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> > Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
> > ---
> > block/Makefile | 2 +-
> > block/sed-opal-key.c | 24 ++++++++++++++++++++++++
> > include/linux/sed-opal-key.h | 15 +++++++++++++++
> > 3 files changed, 40 insertions(+), 1 deletion(-)
> > create mode 100644 block/sed-opal-key.c
> > create mode 100644 include/linux/sed-opal-key.h
> >
> > diff --git a/block/Makefile b/block/Makefile
> > index 4e01bb71ad6e..464a9f209552 100644
> > --- a/block/Makefile
> > +++ b/block/Makefile
> > @@ -35,7 +35,7 @@ obj-$(CONFIG_BLK_DEV_ZONED) += blk-zoned.o
> > obj-$(CONFIG_BLK_WBT) += blk-wbt.o
> > obj-$(CONFIG_BLK_DEBUG_FS) += blk-mq-debugfs.o
> > obj-$(CONFIG_BLK_DEBUG_FS_ZONED)+= blk-mq-debugfs-zoned.o
> > -obj-$(CONFIG_BLK_SED_OPAL) += sed-opal.o
> > +obj-$(CONFIG_BLK_SED_OPAL) += sed-opal.o sed-opal-key.o
> > obj-$(CONFIG_BLK_PM) += blk-pm.o
> > obj-$(CONFIG_BLK_INLINE_ENCRYPTION) += blk-crypto.o blk-
> > crypto-profile.o \
> > blk-crypto-sysfs.o
> > diff --git a/block/sed-opal-key.c b/block/sed-opal-key.c
> > new file mode 100644
> > index 000000000000..16f380164c44
> > --- /dev/null
> > +++ b/block/sed-opal-key.c
> > @@ -0,0 +1,24 @@
> > +// SPDX-License-Identifier: GPL-2.0-only
> > +/*
> > + * SED key operations.
> > + *
> > + * Copyright (C) 2022 IBM Corporation
> > + *
> > + * These are the accessor functions (read/write) for SED Opal
> > + * keys. Specific keystores can provide overrides.
> > + *
> > + */
> > +
> > +#include <linux/kernel.h>
> > +#include <linux/errno.h>
> > +#include <linux/sed-opal-key.h>
> > +
> > +int __weak sed_read_key(char *keyname, char *key, u_int *keylen)
> > +{
> > + return -EOPNOTSUPP;
> > +}
> > +
> > +int __weak sed_write_key(char *keyname, char *key, u_int keylen)
> > +{
> > + return -EOPNOTSUPP;
> > +}
> > diff --git a/include/linux/sed-opal-key.h b/include/linux/sed-opal-
> > key.h
> > new file mode 100644
> > index 000000000000..c9b1447986d8
> > --- /dev/null
> > +++ b/include/linux/sed-opal-key.h
> > @@ -0,0 +1,15 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +/*
> > + * SED key operations.
> > + *
> > + * Copyright (C) 2022 IBM Corporation
> > + *
> > + * These are the accessor functions (read/write) for SED Opal
> > + * keys. Specific keystores can provide overrides.
> > + *
> > + */
> > +
> > +#include <linux/kernel.h>
> > +
> > +int sed_read_key(char *keyname, char *key, u_int *keylen);
> > +int sed_write_key(char *keyname, char *key, u_int keylen);
> > --
> > gjoyce@linux.vnet.ibm.com
>
> BR, Jarkko