* [ndctl PATCH] test/cxl-security.sh: test dimm unlock with a large serial number
@ 2026-07-02 0:34 Alison Schofield
2026-07-03 6:34 ` Richard Cheng
0 siblings, 1 reply; 2+ messages in thread
From: Alison Schofield @ 2026-07-02 0:34 UTC (permalink / raw)
To: nvdimm, linux-cxl; +Cc: Alison Schofield
The existing CXL unlock test exposed the hexadecimal-vs-decimal key
description mismatch once cxl_test mock serial numbers were extended
to 10 and above. Serials with bit 63 set expose a second formatting
problem in that the kernel formats the decimal serial as signed,
rendering it as a negative value.
Extend the existing "unlock dimm" test to repeat the unlock against a
mock memdev with a full-width serial that has bit 63 set. Refactor the
common unlock sequence into an unlock_dimm() helper so the signedness
case follows the same test flow as the original key lookup case.
Signed-off-by: Alison Schofield <alison.schofield@intel.com>
---
test/cxl-security | 24 ++++++++++++++++++++++++
test/security.sh | 16 ++++++++++++++--
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/test/cxl-security b/test/cxl-security
index 9a28ffd82b0b..39b7e001ce08 100644
--- a/test/cxl-security
+++ b/test/cxl-security
@@ -9,6 +9,30 @@ detect()
[ -n "$id" ] || err "$LINENO"
}
+# Select the mock memdev whose serial has bit 63 set. Match on the hex
+# spelling of 'id' because the value exceeds signed 64-bit shell arithmetic.
+# A 16-digit hex value with a leading nibble of 8-f has bit 63 set.
+detect_big_serial()
+{
+ local d i hex
+
+ dev=""
+ for d in $($NDCTL list -b "$CXL_TEST_BUS" -D | jq -r '.[].dev'); do
+ i="$($NDCTL list -b "$CXL_TEST_BUS" -D -d "$d" | \
+ jq -r '.[0].id')"
+ hex="$(printf '%x' "$i" 2>/dev/null)" || continue
+ case "${#hex}:${hex:0:1}" in
+ 16:[89a-fA-F])
+ dev="$d"
+ id="$i"
+ break
+ ;;
+ esac
+ done
+
+ [ -n "$dev" ] || err "$LINENO: no serial with bit 63 set found"
+}
+
lock_dimm()
{
$NDCTL disable-dimm "$dev"
diff --git a/test/security.sh b/test/security.sh
index d3a840c23276..72bb570142ed 100755
--- a/test/security.sh
+++ b/test/security.sh
@@ -144,7 +144,7 @@ test_3_security_setup_and_erase()
erase_security
}
-test_4_security_unlock()
+unlock_dimm()
{
setup_passphrase
lock_dimm
@@ -158,6 +158,18 @@ test_4_security_unlock()
remove_passphrase
}
+test_4_security_unlock()
+{
+ unlock_dimm
+
+ if [ "$1" = "cxl" ] && check_min_kver "7.3"; then
+ detect_big_serial
+ unlock_dimm
+ # Restore the default device selection for later tests.
+ detect
+ fi
+}
+
# This should always be the last nvdimm security test.
# with security frozen, nfit_test must be removed and is no longer usable
test_5_security_freeze()
@@ -241,7 +253,7 @@ test_2_security_setup_and_update
echo "Test 3, security setup and erase"
test_3_security_setup_and_erase
echo "Test 4, unlock dimm"
-test_4_security_unlock
+test_4_security_unlock "$1"
# Freeze should always be the last nvdimm security test because it locks
# security state and require nfit_test module unload. However, this does
base-commit: 5fcbbee57319e718bf522436ea6595bd0f71296c
--
2.37.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [ndctl PATCH] test/cxl-security.sh: test dimm unlock with a large serial number
2026-07-02 0:34 [ndctl PATCH] test/cxl-security.sh: test dimm unlock with a large serial number Alison Schofield
@ 2026-07-03 6:34 ` Richard Cheng
0 siblings, 0 replies; 2+ messages in thread
From: Richard Cheng @ 2026-07-03 6:34 UTC (permalink / raw)
To: Alison Schofield; +Cc: nvdimm, linux-cxl
On Wed, Jul 01, 2026 at 05:34:03PM +0800, Alison Schofield wrote:
> The existing CXL unlock test exposed the hexadecimal-vs-decimal key
> description mismatch once cxl_test mock serial numbers were extended
> to 10 and above. Serials with bit 63 set expose a second formatting
> problem in that the kernel formats the decimal serial as signed,
> rendering it as a negative value.
>
> Extend the existing "unlock dimm" test to repeat the unlock against a
> mock memdev with a full-width serial that has bit 63 set. Refactor the
> common unlock sequence into an unlock_dimm() helper so the signedness
> case follows the same test flow as the original key lookup case.
>
> Signed-off-by: Alison Schofield <alison.schofield@intel.com>
> ---
> test/cxl-security | 24 ++++++++++++++++++++++++
> test/security.sh | 16 ++++++++++++++--
> 2 files changed, 38 insertions(+), 2 deletions(-)
>
> diff --git a/test/cxl-security b/test/cxl-security
> index 9a28ffd82b0b..39b7e001ce08 100644
> --- a/test/cxl-security
> +++ b/test/cxl-security
> @@ -9,6 +9,30 @@ detect()
> [ -n "$id" ] || err "$LINENO"
> }
>
> +# Select the mock memdev whose serial has bit 63 set. Match on the hex
> +# spelling of 'id' because the value exceeds signed 64-bit shell arithmetic.
> +# A 16-digit hex value with a leading nibble of 8-f has bit 63 set.
> +detect_big_serial()
> +{
> + local d i hex
> +
> + dev=""
> + for d in $($NDCTL list -b "$CXL_TEST_BUS" -D | jq -r '.[].dev'); do
> + i="$($NDCTL list -b "$CXL_TEST_BUS" -D -d "$d" | \
> + jq -r '.[0].id')"
> + hex="$(printf '%x' "$i" 2>/dev/null)" || continue
> + case "${#hex}:${hex:0:1}" in
> + 16:[89a-fA-F])
> + dev="$d"
> + id="$i"
> + break
> + ;;
> + esac
> + done
> +
> + [ -n "$dev" ] || err "$LINENO: no serial with bit 63 set found"
> +}
> +
> lock_dimm()
> {
> $NDCTL disable-dimm "$dev"
> diff --git a/test/security.sh b/test/security.sh
> index d3a840c23276..72bb570142ed 100755
> --- a/test/security.sh
> +++ b/test/security.sh
> @@ -144,7 +144,7 @@ test_3_security_setup_and_erase()
> erase_security
> }
>
Hi Alison,
Just a question,
Does this cover the reboot or load-keys path?
setup_passphrase() leave the large-serial key resident in the keyring,
the this only tests lookup of an already-loaded key.
The failure being addressed occurs after reboot, when the key ring is empty
and ndctl load-keys reconstructs the key from the persistent blob.
test_6_load_keys() exercise() that path, but only after detect restores the default device.
Could this case unlink the large-serial key, run ndctl load-keys, and then
enable and verify that the device unlocks? That would excercise the
persistence boundary relevant to the reported failure.
--Richard
> -test_4_security_unlock()
> +unlock_dimm()
> {
> setup_passphrase
> lock_dimm
> @@ -158,6 +158,18 @@ test_4_security_unlock()
> remove_passphrase
> }
>
> +test_4_security_unlock()
> +{
> + unlock_dimm
> +
> + if [ "$1" = "cxl" ] && check_min_kver "7.3"; then
> + detect_big_serial
> + unlock_dimm
> + # Restore the default device selection for later tests.
> + detect
> + fi
> +}
> +
> # This should always be the last nvdimm security test.
> # with security frozen, nfit_test must be removed and is no longer usable
> test_5_security_freeze()
> @@ -241,7 +253,7 @@ test_2_security_setup_and_update
> echo "Test 3, security setup and erase"
> test_3_security_setup_and_erase
> echo "Test 4, unlock dimm"
> -test_4_security_unlock
> +test_4_security_unlock "$1"
>
> # Freeze should always be the last nvdimm security test because it locks
> # security state and require nfit_test module unload. However, this does
>
> base-commit: 5fcbbee57319e718bf522436ea6595bd0f71296c
> --
> 2.37.3
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-03 6:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-02 0:34 [ndctl PATCH] test/cxl-security.sh: test dimm unlock with a large serial number Alison Schofield
2026-07-03 6:34 ` Richard Cheng
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox