[PATCH v3 3/3] block: sed-opal: keyring support for SED keys

Greg Joyce gjoyce at linux.vnet.ibm.com
Sat Dec 3 02:18:59 AEDT 2022


On Fri, 2022-12-02 at 07:56 +0100, Hannes Reinecke wrote:
> On 12/1/22 19:03, Greg Joyce wrote:
> > On Wed, 2022-11-30 at 08:00 +0100, Hannes Reinecke wrote:
> > > On 11/30/22 00:25, gjoyce at linux.vnet.ibm.com wrote:
> > > > From: Greg Joyce <gjoyce at linux.vnet.ibm.com>
> > > > 
> > > > Extend the SED block driver so it can alternatively
> > > > obtain a key from a sed-opal kernel keyring. The SED
> > > > ioctls will indicate the source of the key, either
> > > > directly in the ioctl data or from the keyring.
> > > > 
> > > > This allows the use of SED commands in scripts such as
> > > > udev scripts so that drives may be automatically unlocked
> > > > as they become available.
> > > > 
> > > > Signed-off-by: Greg Joyce <gjoyce at linux.vnet.ibm.com>
> > > > Reviewed-by: Jonathan Derrick <jonathan.derrick at linux.dev>
> > > > ---
> > > >    block/Kconfig                 |   1 +
> > > >    block/sed-opal.c              | 174
> > > > +++++++++++++++++++++++++++++++++-
> > > >    include/linux/sed-opal.h      |   3 +
> > > >    include/uapi/linux/sed-opal.h |   8 +-
> > > >    4 files changed, 183 insertions(+), 3 deletions(-)
> > > >   
> > > > +	ret = opal_get_key(dev, &opal_lrs->session.opal_key);
> > > > +	if (ret)
> > > > +		return ret;
> > > >    	mutex_lock(&dev->dev_lock);
> > > >    	setup_opal_dev(dev);
> > > >    	ret = execute_steps(dev, lr_steps,
> > > > ARRAY_SIZE(lr_steps));
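Review bot: the early `return ret` after `opal_get_key()` sits before `mutex_lock(&dev->dev_lock)`, so no unlock is needed on that path, but the key it copies into `opal_lrs->session.opal_key` is not shown being cleared once the lock-range steps have run. When the key came from the keyring rather than from the ioctl data, the caller never supplied it and has no reason to expect it to survive in that buffer; consider zeroing the copy (memzero_explicit or equivalent) after `execute_steps()` so it does not outlive the session.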
> > > > @@ -2622,6 +2759,14 @@ static int opal_set_new_pw(struct
> > > > opal_dev
> > > > *dev, struct opal_new_pw *opal_pw)
> > > >    	ret = execute_steps(dev, pw_steps,
> > > > ARRAY_SIZE(pw_steps));
> > > >    	mutex_unlock(&dev->dev_lock);
> > > >    
> > > > +	if (ret)
> > > > +		return ret;
> > > > +
> > > > +	/* update keyring with new password */
> > > > +	ret = update_sed_opal_key(OPAL_AUTH_KEY,
> > > > +				  opal_pw-
> > > > >new_user_pw.opal_key.key,
> > > > +				  opal_pw-
> > > > > new_user_pw.opal_key.key_len);
> > > > +
> > > >    	return ret;
> > > >    }
> > > >    
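Review bot: the keyring update in this hunk runs only after `execute_steps()` has already changed the password on the drive, so if `update_sed_opal_key(OPAL_AUTH_KEY, ...)` fails the ioctl reports an error even though the drive now expects the new password while the keyring still holds the old one. The caller cannot tell that case apart from a failed password change, and the next keyring-sourced unlock will fail. Suggest either logging this state distinctly (for example `pr_warn` naming the device) and documenting that the keyring must be resynced, or returning the drive result and reporting the keyring failure separately rather than overwriting `ret`. Also worth noting in the commit message that all passwords land under the single `OPAL_AUTH_KEY` name, so there is one keyring entry regardless of which authority `opal_pw->new_user_pw` targets.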
> > > What about key revocation?
> > > You only allow setting a new key, but what happens with the old
> > > ones?
> > 
> > My understanding was that key_create_or_update() would not allow
> > duplicates so there shouldn't be old ones. Is that incorrect?
> > 
> Ah, right, you only have one key.
> But still, you might want to revoke that one, too, no?
> (Think of decommissioning old drives ...)
> 
> Cheers,
>  
> Hannes

SED Opal allows for disabling locking on a SED drive. Both sedcli and
sedutil have commands to support this. This is the method for drive
decommissioning (un-provisioning). There is also a mechanism to
cryptographically erase the data on the drive if that is desired.

More information about the Linuxppc-dev mailing list