From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
To: Hannes Reinecke <hare@suse.de>, linux-block@vger.kernel.org
Cc: axboe@kernel.dk, nayna@linux.ibm.com, keyrings@vger.kernel.org,
jonathan.derrick@linux.dev, brking@linux.vnet.ibm.com,
akpm@linux-foundation.org, msuchanek@suse.de,
linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH v3 3/3] block: sed-opal: keyring support for SED keys
Date: Fri, 02 Dec 2022 09:18:59 -0600 [thread overview]
Message-ID: <e53f14006d4a26f9b8e14d30683e4006ed2fa35f.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <4a3b6a0f-be1b-e0b1-941b-6701a42e9a2c@suse.de>
On Fri, 2022-12-02 at 07:56 +0100, Hannes Reinecke wrote:
> On 12/1/22 19:03, Greg Joyce wrote:
> > On Wed, 2022-11-30 at 08:00 +0100, Hannes Reinecke wrote:
> > > On 11/30/22 00:25, gjoyce@linux.vnet.ibm.com wrote:
> > > > From: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> > > >
> > > > Extend the SED block driver so it can alternatively
> > > > obtain a key from a sed-opal kernel keyring. The SED
> > > > ioctls will indicate the source of the key, either
> > > > directly in the ioctl data or from the keyring.
> > > >
> > > > This allows the use of SED commands in scripts such as
> > > > udev scripts so that drives may be automatically unlocked
> > > > as they become available.
> > > >
> > > > Signed-off-by: Greg Joyce <gjoyce@linux.vnet.ibm.com>
> > > > Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
> > > > ---
> > > > block/Kconfig | 1 +
> > > > block/sed-opal.c | 174
> > > > +++++++++++++++++++++++++++++++++-
> > > > include/linux/sed-opal.h | 3 +
> > > > include/uapi/linux/sed-opal.h | 8 +-
> > > > 4 files changed, 183 insertions(+), 3 deletions(-)
> > > >
> > > > + ret = opal_get_key(dev, &opal_lrs->session.opal_key);
> > > > + if (ret)
> > > > + return ret;
> > > > mutex_lock(&dev->dev_lock);
> > > > setup_opal_dev(dev);
> > > > ret = execute_steps(dev, lr_steps,
> > > > ARRAY_SIZE(lr_steps));
> > > > @@ -2622,6 +2759,14 @@ static int opal_set_new_pw(struct
> > > > opal_dev
> > > > *dev, struct opal_new_pw *opal_pw)
> > > > ret = execute_steps(dev, pw_steps,
> > > > ARRAY_SIZE(pw_steps));
> > > > mutex_unlock(&dev->dev_lock);
> > > >
> > > > + if (ret)
> > > > + return ret;
> > > > +
> > > > + /* update keyring with new password */
> > > > + ret = update_sed_opal_key(OPAL_AUTH_KEY,
> > > > + opal_pw-
> > > > >new_user_pw.opal_key.key,
> > > > + opal_pw-
> > > > > new_user_pw.opal_key.key_len);
> > > > +
> > > > return ret;
> > > > }
> > > >
> > > What about key revocation?
> > > You only allow to set a new key, but what happens with the old
> > > ones?
> >
> > My understanding was that key_create_or_update() would not allow
> > duplicates so there shouldn't be old ones. Is that incorrect?
> >
> Ah, right, you only have one key.
> But still, you might want to revoke that one, too, no?
> (Think of decommissioning old drives ...)
>
> Cheers,
>
> Hannes
SED Opal allows for disabling locking on a SED drive. Both sedcli and
sedutil have commands to support this. This is the method for drive
decommisioning (un-provisioning). There is also a mechanism to
cryptographically erase the data on the drive if that is desired.
prev parent reply other threads:[~2022-12-02 15:20 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-29 23:25 [PATCH v3 0/3] sed-opal: keyrings, discovery, revert, key store gjoyce
2022-11-29 23:25 ` [PATCH v3 1/3] block: sed-opal: Implement IOC_OPAL_DISCOVERY gjoyce
2022-11-30 6:52 ` Hannes Reinecke
2022-11-29 23:25 ` [PATCH v3 2/3] block: sed-opal: Implement IOC_OPAL_REVERT_LSP gjoyce
2022-11-30 6:53 ` Hannes Reinecke
2022-11-29 23:25 ` [PATCH v3 3/3] block: sed-opal: keyring support for SED keys gjoyce
2022-11-30 7:00 ` Hannes Reinecke
2022-11-30 15:19 ` Greg Joyce
2022-12-01 3:46 ` Ben Boeckel
2022-12-01 15:29 ` Greg Joyce
2022-12-01 16:12 ` Ben Boeckel
2022-12-01 16:58 ` Greg Joyce
2022-12-01 17:00 ` Greg Joyce
2022-12-01 18:03 ` Greg Joyce
2022-12-02 6:56 ` Hannes Reinecke
2022-12-02 15:18 ` Greg Joyce [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e53f14006d4a26f9b8e14d30683e4006ed2fa35f.camel@linux.vnet.ibm.com \
--to=gjoyce@linux.vnet.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=brking@linux.vnet.ibm.com \
--cc=hare@suse.de \
--cc=jonathan.derrick@linux.dev \
--cc=keyrings@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=msuchanek@suse.de \
--cc=nayna@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).