[PATCH v3 3/3] block: sed-opal: keyring support for SED keys
Hannes Reinecke
hare at suse.de
Fri Dec 2 17:56:48 AEDT 2022
On 12/1/22 19:03, Greg Joyce wrote:
> On Wed, 2022-11-30 at 08:00 +0100, Hannes Reinecke wrote:
>> On 11/30/22 00:25, gjoyce at linux.vnet.ibm.com wrote:
>>> From: Greg Joyce <gjoyce at linux.vnet.ibm.com>
>>>
>>> Extend the SED block driver so it can alternatively
>>> obtain a key from a sed-opal kernel keyring. The SED
>>> ioctls will indicate the source of the key, either
>>> directly in the ioctl data or from the keyring.
>>>
>>> This allows the use of SED commands in scripts such as
>>> udev scripts so that drives may be automatically unlocked
>>> as they become available.
>>>
>>> Signed-off-by: Greg Joyce <gjoyce at linux.vnet.ibm.com>
>>> Reviewed-by: Jonathan Derrick <jonathan.derrick at linux.dev>
>>> ---
>>> block/Kconfig | 1 +
>>> block/sed-opal.c | 174 +++++++++++++++++++++++++++++++++-
>>> include/linux/sed-opal.h | 3 +
>>> include/uapi/linux/sed-opal.h | 8 +-
>>> 4 files changed, 183 insertions(+), 3 deletions(-)
>>>
>>> + ret = opal_get_key(dev, &opal_lrs->session.opal_key);
>>> + if (ret)
>>> + return ret;
>>> mutex_lock(&dev->dev_lock);
>>> setup_opal_dev(dev);
>>> ret = execute_steps(dev, lr_steps, ARRAY_SIZE(lr_steps));
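Review bot: opal_get_key() copies key material into opal_lrs->session.opal_key, which then outlives its use in execute_steps(); nothing in this hunk clears it afterwards. Consider wiping the key field (memzero_explicit()) after execute_steps() on both the success and error paths so a keyring-sourced secret does not linger in the ioctl argument copy longer than the session needs it.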
>>> @@ -2622,6 +2759,14 @@ static int opal_set_new_pw(struct opal_dev
>>> *dev, struct opal_new_pw *opal_pw)
>>> ret = execute_steps(dev, pw_steps, ARRAY_SIZE(pw_steps));
>>> mutex_unlock(&dev->dev_lock);
>>>
>>> + if (ret)
>>> + return ret;
>>> +
>>> + /* update keyring with new password */
>>> + ret = update_sed_opal_key(OPAL_AUTH_KEY,
>>> + opal_pw->new_user_pw.opal_key.key,
>>> + opal_pw-
>>>> new_user_pw.opal_key.key_len);
>>> +
>>> return ret;
>>> }
>>>
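Review bot: the keyring update after mutex_unlock() lets the drive and the keyring diverge on failure: execute_steps() has already changed the password on the device, and if update_sed_opal_key() then fails, its error is returned as if the whole operation failed, while the keyring still holds the old password and the caller gets no indication that the drive now expects the new one. Consider reporting that case distinctly (the drive was updated, the keyring was not). The update also runs outside dev_lock, so two concurrent opal_set_new_pw() calls can leave the keyring holding the password of whichever call finished last rather than the one the drive accepted last; moving the update_sed_opal_key() call before mutex_unlock(&dev->dev_lock) would close that window.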
>> What about key revocation?
>> You only allow setting a new key, but what happens with the old ones?
>
> My understanding was that key_create_or_update() would not allow
> duplicates so there shouldn't be old ones. Is that incorrect?
>
Ah, right, you only have one key.
But still, you might want to revoke that one, too, no?
(Think of decommissioning old drives ...)
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew
Myers, Andrew McDonald, Martje Boudien Moerman
More information about the Linuxppc-dev mailing list