[PATCH v5 0/3 RESEND] sed-opal: keyrings, discovery, revert, key store

Jarkko Sakkinen jarkko at kernel.org
Tue Aug 22 23:25:37 AEST 2023


On Mon Aug 21, 2023 at 6:26 PM EEST, Greg Joyce wrote:
> On Wed, 2023-08-16 at 23:41 +0300, Jarkko Sakkinen wrote:
> > On Wed Aug 16, 2023 at 10:45 PM EEST, Greg Joyce wrote:
> > > It's been almost 4 weeks since the last resend and there haven't
> > > been
> > > any comments. Is there anything that needs to be changed for
> > > acceptance?
> > > 
> > > Thanks for your input.
> > > 
> > > Greg
> > > 
> > > On Fri, 2023-07-21 at 16:15 -0500, gjoyce at linux.vnet.ibm.com wrote:
> > > > From: Greg Joyce <gjoyce at linux.vnet.ibm.com>
> > > > 
> > > > This patchset has gone through numerous rounds of review and
> > > > all comments/suggetions have been addressed. The reviews have
> > > > covered all relevant areas including reviews by block and keyring
> > > > developers as well as the SED Opal maintainer. The last
> > > > patchset submission has not solicited any responses in the
> > > > six weeks since it was last distributed. The changes are
> > > > generally useful and ready for inclusion.
> > > > 
> > > > TCG SED Opal is a specification from The Trusted Computing Group
> > > > that allows self encrypting storage devices (SED) to be locked at
> > > > power on and require an authentication key to unlock the drive.
> > > > 
> > > > The current SED Opal implementation in the block driver
> > > > requires that authentication keys be provided in an ioctl
> > > > so that they can be presented to the underlying SED
> > > > capable drive. Currently, the key is typically entered by
> > > > a user with an application like sedutil or sedcli. While
> > > > this process works, it does not lend itself to automation
> > > > like unlock by a udev rule.
> > > > 
> > > > The SED block driver has been extended so it can alternatively
> > > > obtain a key from a sed-opal kernel keyring. The SED ioctls
> > > > will indicate the source of the key, either directly in the
> > > > ioctl data or from the keyring.
> > > > 
> > > > Two new SED ioctls have also been added. These are:
> > > >   1) IOC_OPAL_REVERT_LSP to revert LSP state
> > > >   2) IOC_OPAL_DISCOVERY to discover drive capabilities/state
> > > > 
> > > > change log v5:
> > > >         - rebase to for-6.5/block
> > > > 
> > > > change log v4:
> > > >         - rebase to 6.3-rc7
> > > >         - replaced "255" magic number with U8_MAX
> > > > 
> > > > change log:
> > > >         - rebase to 6.x
> > > >         - added latest reviews
> > > >         - removed platform functions for persistent key storage
> > > >         - replaced key update logic with key_create_or_update()
> > > >         - minor bracing and padding changes
> > > >         - add error returns
> > > >         - opal_key structure is application provided but kernel
> > > >           verified
> > > >         - added brief description of TCG SED Opal
> > > > 
> > > > 
> > > > Greg Joyce (3):
> > > >   block: sed-opal: Implement IOC_OPAL_DISCOVERY
> > > >   block: sed-opal: Implement IOC_OPAL_REVERT_LSP
> > > >   block: sed-opal: keyring support for SED keys
> > > > 
> > > >  block/Kconfig                 |   2 +
> > > >  block/opal_proto.h            |   4 +
> > > >  block/sed-opal.c              | 252
> > > > +++++++++++++++++++++++++++++++++-
> > > >  include/linux/sed-opal.h      |   5 +
> > > >  include/uapi/linux/sed-opal.h |  25 +++-
> > > >  5 files changed, 282 insertions(+), 6 deletions(-)
> > > > 
> > > > 
> > > > base-commit: 1341c7d2ccf42ed91aea80b8579d35bc1ea381e2
> > 
> > I can give because it looks good to me to all patches:
> > 
> > Acked-by: Jarkko Sakkinen <jarkko at kernel.org>
> > 
> > ... but should not probably go to my tree.
> > 
> > BR, Jarkko
>
> Thanks for the ack Jarkko. Any thoughts on which tree it should go to?

I get from "scripts/get_maintainer.pl block/sed-opal.c | wl-copy"

Jonathan Derrick <jonathan.derrick at linux.dev> (supporter:SECURE ENCRYPTING DEVICE (SED) OPAL DRIVER)
Jens Axboe <axboe at kernel.dk> (maintainer:BLOCK LAYER)
linux-block at vger.kernel.org (open list:SECURE ENCRYPTING DEVICE (SED) OPAL DRIVER)
linux-kernel at vger.kernel.org (open list)

You should probably add the corresponding maintainers and linux-block to
the loop. I suggest to send a new version of the patch set with my ack's
added to the patches.

BR, Jarkko


More information about the Linuxppc-dev mailing list