Thread: 16 messages, 3 authors, 2022-12-02

Re: [PATCH v3 3/3] block: sed-opal: keyring support for SED keys

From: Hannes Reinecke <hare@suse.de>
Date: 2022-12-02 06:56:55
Also in: keyrings, linuxppc-dev

On 12/1/22 19:03, Greg Joyce wrote:
On Wed, 2022-11-30 at 08:00 +0100, Hannes Reinecke wrote:
On 11/30/22 00:25, gjoyce@linux.vnet.ibm.com wrote:
From: Greg Joyce <redacted>

Extend the SED block driver so it can alternatively
obtain a key from a sed-opal kernel keyring. The SED
ioctls will indicate the source of the key, either
directly in the ioctl data or from the keyring.

This allows the use of SED commands in scripts such as
udev scripts so that drives may be automatically unlocked
as they become available.

Signed-off-by: Greg Joyce <redacted>
Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev>
---
   block/Kconfig                 |   1 +
   block/sed-opal.c              | 174 +++++++++++++++++++++++++++++++++-
   include/linux/sed-opal.h      |   3 +
   include/uapi/linux/sed-opal.h |   8 +-
   4 files changed, 183 insertions(+), 3 deletions(-)
  
+	ret = opal_get_key(dev, &opal_lrs->session.opal_key);
+	if (ret)
+		return ret;
   	mutex_lock(&dev->dev_lock);
   	setup_opal_dev(dev);
   	ret = execute_steps(dev, lr_steps, ARRAY_SIZE(lr_steps));
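Review bot: opal_get_key() fills opal_lrs->session.opal_key with the secret pulled from the keyring, and nothing after execute_steps() in this hunk wipes it, so the key material stays in the caller's buffer until that buffer is freed; unless the ioctl path already clears it with memzero_explicit() before freeing, wipe opal_lrs->session.opal_key here once execute_steps() returns. Fetching the key before taking dev->dev_lock is fine, since the keyring lookup does not touch the device.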
@@ -2622,6 +2759,14 @@ static int opal_set_new_pw(struct opal_dev
*dev, struct opal_new_pw *opal_pw)
   	ret = execute_steps(dev, pw_steps, ARRAY_SIZE(pw_steps));
   	mutex_unlock(&dev->dev_lock);
   
+	if (ret)
+		return ret;
+
+	/* update keyring with new password */
+	ret = update_sed_opal_key(OPAL_AUTH_KEY,
+				  opal_pw->new_user_pw.opal_key.key,
+				  opal_pw-
new_user_pw.opal_key.key_len);
+
   	return ret;
   }
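Review bot: update_sed_opal_key() runs only after the drive has already accepted the new password, so when it fails this function returns an error while the device and the keyring now disagree, and the caller cannot tell that the password change itself succeeded; either log the keyring failure and still return 0, or document that a non-zero return past this point means "drive changed, keyring stale" so a script can retry the keyring update rather than the password change. Two smaller points on the same lines: the update is keyed only by the constant OPAL_AUTH_KEY, not by which authority the new password belongs to, so a drive whose Admin and User passwords differ can have only one of them stored; and because the update happens after mutex_unlock(&dev->dev_lock), two concurrent password changes can leave the keyring holding the loser's password.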
   
What about key revocation?
You only allow setting a new key, but what happens with the old ones?
My understanding was that key_create_or_update() would not allow
duplicates so there shouldn't be old ones. Is that incorrect?
Ah, right, you only have one key.
But still, you might want to revoke that one, too, no?
(Think of decommissioning old drives ...)

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew
Myers, Andrew McDonald, Martje Boudien Moerman
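The exchange above turns on two kernel-keyring behaviours: key_create_or_update() replaces the payload of an existing key with the same type and description instead of creating a duplicate, and a key that is no longer wanted has to be revoked explicitly. The following userspace program, added here as an illustration and not part of the patch or the sed-opal driver, exercises both through the raw add_key()/keyctl() syscalls on the calling thread's own keyring. The key type ("user"), the description string and the sample passwords are constructed for the example; the driver's own keyring and key naming are not assumed.

```c
/* Added example, not from the patch: userspace demonstration of the
 * keyring semantics discussed in the thread (update-in-place and
 * revocation).  Linux only; uses raw syscalls so libkeyutils is not
 * needed.  Operates on the thread keyring, which needs no privileges
 * and vanishes with the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/keyctl.h>

/* Fallbacks in case the uapi header is old; values are the kernel's. */
#ifndef KEY_SPEC_THREAD_KEYRING
#define KEY_SPEC_THREAD_KEYRING -1
#endif
#ifndef KEYCTL_REVOKE
#define KEYCTL_REVOKE 3
#endif
#ifndef KEYCTL_READ
#define KEYCTL_READ 11
#endif

typedef int32_t key_serial_t;

static key_serial_t sys_add_key(const char *type, const char *desc,
				const void *payload, size_t plen,
				key_serial_t keyring)
{
	return (key_serial_t)syscall(SYS_add_key, type, desc, payload, plen,
				     keyring);
}

static long sys_keyctl_read(key_serial_t key, char *buf, size_t len)
{
	return syscall(SYS_keyctl, KEYCTL_READ, key, buf, len);
}

static long sys_keyctl_revoke(key_serial_t key)
{
	return syscall(SYS_keyctl, KEYCTL_REVOKE, key);
}

/* Returns 0 when the full lifecycle behaves as expected, otherwise -errno.
 * A sandbox that blocks add_key()/keyctl() (e.g. a seccomp profile or
 * gVisor) shows up as -EPERM or -ENOSYS from the first add_key(). */
int keyring_lifecycle_demo(void)
{
	/* constructed sample values, not real SED credentials */
	const char *desc = "sed-opal-demo:example-drive";
	const char old_pw[] = "old-drive-password";
	const char new_pw[] = "new-drive-password";
	char buf[64];
	key_serial_t k1, k2;
	long n;

	k1 = sys_add_key("user", desc, old_pw, sizeof old_pw - 1,
			 KEY_SPEC_THREAD_KEYRING);
	if (k1 < 0)
		return -errno;

	/* Same type + description again: the payload is replaced and the
	 * serial is kept.  This is the "no duplicates" behaviour of
	 * key_create_or_update() referred to in the thread. */
	k2 = sys_add_key("user", desc, new_pw, sizeof new_pw - 1,
			 KEY_SPEC_THREAD_KEYRING);
	if (k2 < 0)
		return -errno;
	if (k2 != k1)
		return -EEXIST;		/* a second key appeared: unexpected */

	n = sys_keyctl_read(k1, buf, sizeof buf);
	if (n < 0)
		return -errno;
	if ((size_t)n != sizeof new_pw - 1 || memcmp(buf, new_pw, (size_t)n))
		return -EINVAL;		/* payload was not updated in place */

	/* Decommissioning: revoke.  The key object lingers until garbage
	 * collection, but every further operation fails with EKEYREVOKED. */
	if (sys_keyctl_revoke(k1) < 0)
		return -errno;
	n = sys_keyctl_read(k1, buf, sizeof buf);
	if (n >= 0)
		return -EINVAL;		/* reading a revoked key must fail */
	if (errno != EKEYREVOKED)
		return -errno;
	return 0;
}

int main(void)
{
	int r = keyring_lifecycle_demo();

	if (r == 0)
		puts("update-in-place and revocation behaved as expected");
	else
		printf("keyring demo failed: %s\n", strerror(-r));
	return r == 0 ? 0 : 1;
}
```

Run it as an unprivileged user; the thread keyring is created on demand. Note that revocation in the kernel is a separate operation from replacing the payload, which is the gap the question about decommissioned drives points at: updating a key never makes the old secret unusable by itself, revoking it does.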