From: Jonathan Cameron <Jonathan.Cameron@Huawei.com>
To: Dave Jiang <dave.jiang@intel.com>
Cc: <linux-cxl@vger.kernel.org>, <nvdimm@lists.linux.dev>,
<dan.j.williams@intel.com>, <ira.weiny@intel.com>,
<vishal.l.verma@intel.com>, <alison.schofield@intel.com>,
<dave@stgolabs.net>
Subject: Re: [PATCH v3 17/18] libnvdimm: Introduce CONFIG_NVDIMM_SECURITY_TEST flag
Date: Fri, 11 Nov 2022 10:43:34 +0000 [thread overview]
Message-ID: <20221111104334.00003fcf@Huawei.com> (raw)
In-Reply-To: <166792842000.3767969.18296572896453551207.stgit@djiang5-desk3.ch.intel.com>
On Tue, 08 Nov 2022 10:27:00 -0700
Dave Jiang <dave.jiang@intel.com> wrote:
> nfit_test overrode the security_show() sysfs attribute function in nvdimm
> dimm_devs in order to allow testing of security unlock. With the
> introduction of CXL security commands, the trick to override
> security_show() becomes significantly more complicated. By introdcing a
> security flag CONFIG_NVDIMM_SECURITY_TEST, libnvdimm can just toggle the
> check via a compile option. In addition the original override can can be
> removed from tools/testing/nvdimm/.
>
> Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Trivial comment inline you may want to address.
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> ---
> drivers/nvdimm/Kconfig | 13 +++++++++++++
> drivers/nvdimm/dimm_devs.c | 9 ++++++++-
> drivers/nvdimm/security.c | 4 ++++
> tools/testing/nvdimm/Kbuild | 1 -
> tools/testing/nvdimm/dimm_devs.c | 30 ------------------------------
> 5 files changed, 25 insertions(+), 32 deletions(-)
> delete mode 100644 tools/testing/nvdimm/dimm_devs.c
>
> diff --git a/drivers/nvdimm/Kconfig b/drivers/nvdimm/Kconfig
> index 5a29046e3319..0a13c53c926f 100644
> --- a/drivers/nvdimm/Kconfig
> +++ b/drivers/nvdimm/Kconfig
> @@ -114,4 +114,17 @@ config NVDIMM_TEST_BUILD
> core devm_memremap_pages() implementation and other
> infrastructure.
>
> +config NVDIMM_SECURITY_TEST
> + bool "Nvdimm security test code toggle"
> + depends on NVDIMM_KEYS
> + help
> + Debug flag for security testing when using nfit_test or cxl_test
> + modules in tools/testing/.
> +
> + Select Y if using nfit_test or cxl_test for security testing.
> + Accidentally selecting this option when not using cxl_test
I'd drop the "Accidentally"
Selecting this option when ...
> + introduces 1 mailbox request to the CXL device to get security
> + status for DIMM unlock operation or sysfs attribute "security"
> + read.
> +
> endif
> diff --git a/drivers/nvdimm/dimm_devs.c b/drivers/nvdimm/dimm_devs.c
> index c7c980577491..1fc081dcf631 100644
> --- a/drivers/nvdimm/dimm_devs.c
> +++ b/drivers/nvdimm/dimm_devs.c
> @@ -349,11 +349,18 @@ static ssize_t available_slots_show(struct device *dev,
> }
> static DEVICE_ATTR_RO(available_slots);
>
> -__weak ssize_t security_show(struct device *dev,
> +ssize_t security_show(struct device *dev,
> struct device_attribute *attr, char *buf)
> {
> struct nvdimm *nvdimm = to_nvdimm(dev);
>
> + /*
> + * For the test version we need to poll the "hardware" in order
> + * to get the updated status for unlock testing.
> + */
> + if (IS_ENABLED(CONFIG_NVDIMM_SECURITY_TEST))
> + nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
> +
> if (test_bit(NVDIMM_SECURITY_OVERWRITE, &nvdimm->sec.flags))
> return sprintf(buf, "overwrite\n");
> if (test_bit(NVDIMM_SECURITY_DISABLED, &nvdimm->sec.flags))
> diff --git a/drivers/nvdimm/security.c b/drivers/nvdimm/security.c
> index 92af4c3ca0d3..12a3926f4289 100644
> --- a/drivers/nvdimm/security.c
> +++ b/drivers/nvdimm/security.c
> @@ -177,6 +177,10 @@ static int __nvdimm_security_unlock(struct nvdimm *nvdimm)
> || !nvdimm->sec.flags)
> return -EIO;
>
> + /* While nfit_test does not need this, cxl_test does */
> + if (IS_ENABLED(CONFIG_NVDIMM_SECURITY_TEST))
> + nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
> +
> /* No need to go further if security is disabled */
> if (test_bit(NVDIMM_SECURITY_DISABLED, &nvdimm->sec.flags))
> return 0;
> diff --git a/tools/testing/nvdimm/Kbuild b/tools/testing/nvdimm/Kbuild
> index 5eb5c23b062f..8153251ea389 100644
> --- a/tools/testing/nvdimm/Kbuild
> +++ b/tools/testing/nvdimm/Kbuild
> @@ -79,7 +79,6 @@ libnvdimm-$(CONFIG_BTT) += $(NVDIMM_SRC)/btt_devs.o
> libnvdimm-$(CONFIG_NVDIMM_PFN) += $(NVDIMM_SRC)/pfn_devs.o
> libnvdimm-$(CONFIG_NVDIMM_DAX) += $(NVDIMM_SRC)/dax_devs.o
> libnvdimm-$(CONFIG_NVDIMM_KEYS) += $(NVDIMM_SRC)/security.o
> -libnvdimm-y += dimm_devs.o
> libnvdimm-y += libnvdimm_test.o
> libnvdimm-y += config_check.o
>
> diff --git a/tools/testing/nvdimm/dimm_devs.c b/tools/testing/nvdimm/dimm_devs.c
> deleted file mode 100644
> index 57bd27dedf1f..000000000000
> --- a/tools/testing/nvdimm/dimm_devs.c
> +++ /dev/null
> @@ -1,30 +0,0 @@
> -// SPDX-License-Identifier: GPL-2.0
> -/* Copyright Intel Corp. 2018 */
> -#include <linux/init.h>
> -#include <linux/module.h>
> -#include <linux/moduleparam.h>
> -#include <linux/nd.h>
> -#include "pmem.h"
> -#include "pfn.h"
> -#include "nd.h"
> -#include "nd-core.h"
> -
> -ssize_t security_show(struct device *dev,
> - struct device_attribute *attr, char *buf)
> -{
> - struct nvdimm *nvdimm = to_nvdimm(dev);
> -
> - /*
> - * For the test version we need to poll the "hardware" in order
> - * to get the updated status for unlock testing.
> - */
> - nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
> -
> - if (test_bit(NVDIMM_SECURITY_DISABLED, &nvdimm->sec.flags))
> - return sprintf(buf, "disabled\n");
> - if (test_bit(NVDIMM_SECURITY_UNLOCKED, &nvdimm->sec.flags))
> - return sprintf(buf, "unlocked\n");
> - if (test_bit(NVDIMM_SECURITY_LOCKED, &nvdimm->sec.flags))
> - return sprintf(buf, "locked\n");
> - return -ENOTTY;
> -}
>
>
next prev parent reply other threads:[~2022-11-11 10:43 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-08 17:25 [PATCH v3 00/18] Introduce security commands for CXL pmem device Dave Jiang
2022-11-08 17:25 ` [PATCH v3 01/18] cxl/pmem: Introduce nvdimm_security_ops with ->get_flags() operation Dave Jiang
2022-11-08 17:25 ` [PATCH v3 02/18] tools/testing/cxl: Add "Get Security State" opcode support Dave Jiang
2022-11-08 17:25 ` [PATCH v3 03/18] cxl/pmem: Add "Set Passphrase" security command support Dave Jiang
2022-11-08 17:25 ` [PATCH v3 04/18] tools/testing/cxl: Add "Set Passphrase" opcode support Dave Jiang
2022-11-08 17:25 ` [PATCH v3 05/18] cxl/pmem: Add Disable Passphrase security command support Dave Jiang
2022-11-08 17:25 ` [PATCH v3 06/18] tools/testing/cxl: Add "Disable" security opcode support Dave Jiang
2022-11-08 17:26 ` [PATCH v3 07/18] cxl/pmem: Add "Freeze Security State" security command support Dave Jiang
2022-11-08 17:26 ` [PATCH v3 08/18] tools/testing/cxl: Add "Freeze Security State" security opcode support Dave Jiang
2022-11-11 10:31 ` Jonathan Cameron
2022-11-08 17:26 ` [PATCH v3 09/18] cxl/pmem: Add "Unlock" security command support Dave Jiang
2022-11-08 17:26 ` [PATCH v3 10/18] tools/testing/cxl: Add "Unlock" security opcode support Dave Jiang
2022-11-08 17:26 ` [PATCH v3 11/18] cxl/pmem: Add "Passphrase Secure Erase" security command support Dave Jiang
2022-11-11 10:33 ` Jonathan Cameron
2022-11-08 17:26 ` [PATCH v3 12/18] tools/testing/cxl: Add "passphrase secure erase" opcode support Dave Jiang
2022-11-11 10:37 ` Jonathan Cameron
2022-11-14 18:15 ` Dave Jiang
2022-11-08 17:26 ` [PATCH v3 13/18] nvdimm/cxl/pmem: Add support for master passphrase disable security command Dave Jiang
2022-11-11 10:39 ` Jonathan Cameron
2022-11-08 17:26 ` [PATCH v3 14/18] cxl/pmem: add id attribute to CXL based nvdimm Dave Jiang
2022-11-11 10:39 ` Jonathan Cameron
2022-11-08 17:26 ` [PATCH v3 15/18] tools/testing/cxl: add mechanism to lock mem device for testing Dave Jiang
2022-11-11 10:40 ` Jonathan Cameron
2022-11-08 17:26 ` [PATCH v3 16/18] cxl/pmem: add provider name to cxl pmem dimm attribute group Dave Jiang
2022-11-11 10:41 ` Jonathan Cameron
2022-11-08 17:27 ` [PATCH v3 17/18] libnvdimm: Introduce CONFIG_NVDIMM_SECURITY_TEST flag Dave Jiang
2022-11-11 10:43 ` Jonathan Cameron [this message]
2022-11-08 17:27 ` [PATCH v3 18/18] cxl: add dimm_id support for __nvdimm_create() Dave Jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221111104334.00003fcf@Huawei.com \
--to=jonathan.cameron@huawei.com \
--cc=alison.schofield@intel.com \
--cc=dan.j.williams@intel.com \
--cc=dave.jiang@intel.com \
--cc=dave@stgolabs.net \
--cc=ira.weiny@intel.com \
--cc=linux-cxl@vger.kernel.org \
--cc=nvdimm@lists.linux.dev \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox