Re: [PATCH v4 3/3] block: sed-opal: keystore access for SED Opal keys

linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed

From: Jonathan Derrick <jonathan.derrick@linux.dev>
To: gjoyce@linux.vnet.ibm.com, linux-block@vger.kernel.org
Cc: axboe@kernel.dk, linux-efi@vger.kernel.org, nayna@linux.ibm.com,
	dhowells@redhat.com, jarkko@kernel.org, keyrings@vger.kernel.org,
	brking@linux.vnet.ibm.com, akpm@linux-foundation.org,
	msuchanek@suse.de, linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH v4 3/3] block: sed-opal: keystore access for SED Opal keys
Date: Fri, 7 Oct 2022 12:21:57 -0600	[thread overview]
Message-ID: <9b68f825-675c-ff78-cd83-fb4f9428940b@linux.dev> (raw)
In-Reply-To: <20220819223138.1457091-4-gjoyce@linux.vnet.ibm.com>

LGTM besides comment below

Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>

On 8/19/2022 4:31 PM, gjoyce@linux.vnet.ibm.com wrote:
> From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> 
> Allow for permanent SED authentication keys by
> reading/writing to the SED Opal non-volatile keystore.
> 
> Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> ---
>  block/sed-opal.c | 18 ++++++++++++++++--
>  1 file changed, 16 insertions(+), 2 deletions(-)
> 
> diff --git a/block/sed-opal.c b/block/sed-opal.c
> index 3bdb31cf3e7c..11b0eb3a656b 100644
> --- a/block/sed-opal.c
> +++ b/block/sed-opal.c
> @@ -18,6 +18,7 @@
>  #include <linux/uaccess.h>
>  #include <uapi/linux/sed-opal.h>
>  #include <linux/sed-opal.h>
> +#include <linux/sed-opal-key.h>
>  #include <linux/string.h>
>  #include <linux/kdev_t.h>
>  #include <linux/key.h>
> @@ -2697,7 +2698,13 @@ static int opal_set_new_pw(struct opal_dev *dev, struct opal_new_pw *opal_pw)
>  	if (ret)
>  		return ret;
>  
> -	/* update keyring with new password */
> +	/* update keyring and arch var with new password */
> +	ret = sed_write_key(OPAL_AUTH_KEY,
> +			    opal_pw->new_user_pw.opal_key.key,
> +			    opal_pw->new_user_pw.opal_key.key_len);
> +	if (ret != -EOPNOTSUPP)
> +		pr_warn("error updating SED key: %d\n", ret);
I cant see any reason this would fail and make the keys inconsistent, but it seems
like update_sed_opal_key() should be dependent on sed_write_key() succeeding

> +
>  	ret = update_sed_opal_key(OPAL_AUTH_KEY,
>  				  opal_pw->new_user_pw.opal_key.key,
>  				  opal_pw->new_user_pw.opal_key.key_len);
> @@ -2920,6 +2927,8 @@ EXPORT_SYMBOL_GPL(sed_ioctl);
>  static int __init sed_opal_init(void)
>  {
>  	struct key *kr;
> +	char init_sed_key[OPAL_KEY_MAX];
> +	int keylen = OPAL_KEY_MAX;
>  
>  	kr = keyring_alloc(".sed_opal",
>  			   GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
> @@ -2932,6 +2941,11 @@ static int __init sed_opal_init(void)
>  
>  	sed_opal_keyring = kr;
>  
> -	return 0;
> +	if (sed_read_key(OPAL_AUTH_KEY, init_sed_key, &keylen) < 0) {
> +		memset(init_sed_key, '\0', sizeof(init_sed_key));
> +		keylen = OPAL_KEY_MAX;
> +	}
> +
> +	return update_sed_opal_key(OPAL_AUTH_KEY, init_sed_key, keylen);
>  }
>  late_initcall(sed_opal_init);

next prev parent reply	other threads:[~2022-10-08  1:46 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-19 22:31 [PATCH v4 0/3] generic and PowerPC SED Opal keystore gjoyce
2022-08-19 22:31 ` [PATCH v4 1/3] block: sed-opal: " gjoyce
2022-10-07 18:23   ` Jonathan Derrick
2022-08-19 22:31 ` [PATCH v4 2/3] powerpc/pseries: PLPKS SED Opal keystore support gjoyce
2022-10-07 18:22   ` Jonathan Derrick
2022-10-07 19:09   ` Elliott, Robert (Servers)
2022-11-16 23:44     ` Greg Joyce
2022-08-19 22:31 ` [PATCH v4 3/3] block: sed-opal: keystore access for SED Opal keys gjoyce
2022-10-07 18:21   ` Jonathan Derrick [this message]
2022-11-16 23:16     ` Greg Joyce

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9b68f825-675c-ff78-cd83-fb4f9428940b@linux.dev \
    --to=jonathan.derrick@linux.dev \
    --cc=akpm@linux-foundation.org \
    --cc=axboe@kernel.dk \
    --cc=brking@linux.vnet.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=gjoyce@linux.vnet.ibm.com \
    --cc=jarkko@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=msuchanek@suse.de \
    --cc=nayna@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).