Re: [PATCH v3 3/3] block: sed-opal: keyring support for SED keys
From: Hannes Reinecke <hare@suse.de>
Date: 2022-12-02 06:56:55
Also in:
keyrings, linuxppc-dev
On 12/1/22 19:03, Greg Joyce wrote:
On Wed, 2022-11-30 at 08:00 +0100, Hannes Reinecke wrote:quoted
On 11/30/22 00:25, gjoyce@linux.vnet.ibm.com wrote:quoted
From: Greg Joyce <redacted> Extend the SED block driver so it can alternatively obtain a key from a sed-opal kernel keyring. The SED ioctls will indicate the source of the key, either directly in the ioctl data or from the keyring. This allows the use of SED commands in scripts such as udev scripts so that drives may be automatically unlocked as they become available. Signed-off-by: Greg Joyce <redacted> Reviewed-by: Jonathan Derrick <jonathan.derrick@linux.dev> --- block/Kconfig | 1 + block/sed-opal.c | 174 +++++++++++++++++++++++++++++++++- include/linux/sed-opal.h | 3 + include/uapi/linux/sed-opal.h | 8 +- 4 files changed, 183 insertions(+), 3 deletions(-) + ret = opal_get_key(dev, &opal_lrs->session.opal_key); + if (ret) + return ret; mutex_lock(&dev->dev_lock); setup_opal_dev(dev); ret = execute_steps(dev, lr_steps, ARRAY_SIZE(lr_steps));@@ -2622,6 +2759,14 @@ static int opal_set_new_pw(struct opal_dev*dev, struct opal_new_pw *opal_pw) ret = execute_steps(dev, pw_steps, ARRAY_SIZE(pw_steps)); mutex_unlock(&dev->dev_lock); + if (ret) + return ret; + + /* update keyring with new password */ + ret = update_sed_opal_key(OPAL_AUTH_KEY, + opal_pw->new_user_pw.opal_key.key, + opal_pw-quoted
new_user_pw.opal_key.key_len);+ return ret; }What about key revocation? You only allow to set a new key, but what happens with the old ones?My understanding was that key_create_or_update() would not allow duplicates so there shouldn't be old ones. Is that incorrect?
Ah, right, you only have one key. But still, you might want to revoke that one, too, no? (Think of decommissioning old drives ...) Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman