From: rafael.antognolli@intel.com (Rafael Antognolli)
Subject: [PATCH 0/2] Add Opal unlock support to NVMe.
Date: Tue, 26 Apr 2016 14:33:49 -0700
Message-ID: <20160426213349.GA17078@intel.com>
In-Reply-To: <94D0CD8314A33A4D9D801C0FE68B40295C43485D@G9W0745.americas.hpqcorp.net>

On Mon, Apr 25, 2016 at 08:29:22PM -0700, Elliott, Robert (Persistent Memory) wrote:
>
>
> > -----Original Message-----
> > From: linux-block-owner at vger.kernel.org [mailto:linux-block-
> > owner at vger.kernel.org] On Behalf Of Christoph Hellwig
> > Sent: Monday, April 25, 2016 3:24 AM
> > To: Rafael Antognolli <rafael.antognolli at intel.com>
> > Cc: linux-nvme at lists.infradead.org; linux-kernel at vger.kernel.org;
> > linux-block at vger.kernel.org
> > Subject: Re: [PATCH 0/2] Add Opal unlock support to NVMe.
> >
> > On Fri, Apr 22, 2016 at 04:12:10PM -0700, Rafael Antognolli wrote:
> > > This patch series implements a small set of the Opal protocol for
> > > self encrypting devices. It's implemented only what is needed for
> > > saving a password and unlocking a given "locking range". The
> > > password is saved on the driver and replayed back to the device
> > > on resume from suspend to RAM. It is specifically supporting
> > > the single user mode.
>
> Passwords stored in memory are subject to cold boot attacks.
>
> Could you tie this into the keyring infrastructure, so it would
> at least be no worse than other kernel modules? This would allow
> support for TPM-based keys (if present) to resist more attacks.
> If register-based key storage or other techniques prove viable,
> they would probably show up there first.

I'll take a look at it.

> > > It is not planned to implement the full Opal protocol (at least
> > > not for now).
> >
> > I think the OPAL code should be a generic library outside the NVMe
> > code so that we can use it for SATA and SAS as well, just with a
> > little glue code for the Security Send / Receive commands to wire
> > it up to NVMe.
>
> NVDIMMs would benefit from that as well.

Yes, I can definitely change it to be that generic.

Thank you,
Rafael

Thread overview: 9+ messages
2016-04-22 23:12 [PATCH 0/2] Add Opal unlock support to NVMe Rafael Antognolli
2016-04-22 23:12 ` [PATCH 1/2] Add optane OPAL unlocking code Rafael Antognolli
2016-04-22 23:12 ` [PATCH 2/2] NVMe: Add ioctls to save and unlock an Opal locking range Rafael Antognolli
2016-04-25 8:24 ` [PATCH 0/2] Add Opal unlock support to NVMe Christoph Hellwig
2016-04-25 8:39 ` Hannes Reinecke
2016-04-26 3:29 ` Elliott, Robert (Persistent Memory)
2016-04-26 21:33 ` Rafael Antognolli [this message]
2016-05-18 23:54 ` Rafael Antognolli
2016-06-20 18:24 ` Jethro Beekman