xref: /kernel/linux/linux-5.10/drivers/nvdimm/security.c

50 static struct key *nvdimm_request_key(struct nvdimm *nvdimm)
53 	static const char NVDIMM_PREFIX[] = "nvdimm:";
55 	struct device *dev = &nvdimm->dev;
57 	sprintf(desc, "%s%s", NVDIMM_PREFIX, nvdimm->dimm_id);
80 static const void *nvdimm_get_key_payload(struct nvdimm *nvdimm,
83 	*key = nvdimm_request_key(nvdimm);
90 static struct key *nvdimm_lookup_user_key(struct nvdimm *nvdimm,
96 	struct device *dev = &nvdimm->dev;
120 static const void *nvdimm_get_user_key_payload(struct nvdimm *nvdimm,
131 	*key = nvdimm_lookup_user_key(nvdimm, id, subclass);
139 static int nvdimm_key_revalidate(struct nvdimm *nvdimm)
145 	if (!nvdimm->sec.ops->change_key)
148 	data = nvdimm_get_key_payload(nvdimm, &key);
154 	rc = nvdimm->sec.ops->change_key(nvdimm, data, data, NVDIMM_USER);
161 	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
165 static int __nvdimm_security_unlock(struct nvdimm *nvdimm)
167 	struct device *dev = &nvdimm->dev;
176 	if (!nvdimm->sec.ops || !nvdimm->sec.ops->unlock
177 			|| !nvdimm->sec.flags)
181 	if (test_bit(NVDIMM_SECURITY_DISABLED, &nvdimm->sec.flags))
184 	if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
196 	if (test_bit(NVDIMM_SECURITY_UNLOCKED, &nvdimm->sec.flags)) {
200 		return nvdimm_key_revalidate(nvdimm);
202 		data = nvdimm_get_key_payload(nvdimm, &key);
204 	rc = nvdimm->sec.ops->unlock(nvdimm, data);
209 	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
215 	struct nvdimm *nvdimm = to_nvdimm(dev);
219 	rc = __nvdimm_security_unlock(nvdimm);
224 static int check_security_state(struct nvdimm *nvdimm)
226 	struct device *dev = &nvdimm->dev;
228 	if (test_bit(NVDIMM_SECURITY_FROZEN, &nvdimm->sec.flags)) {
230 				nvdimm->sec.flags);
234 	if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
242 static int security_disable(struct nvdimm *nvdimm, unsigned int keyid)
244 	struct device *dev = &nvdimm->dev;
253 	if (!nvdimm->sec.ops || !nvdimm->sec.ops->disable
254 			|| !nvdimm->sec.flags)
257 	rc = check_security_state(nvdimm);
261 	data = nvdimm_get_user_key_payload(nvdimm, keyid,
266 	rc = nvdimm->sec.ops->disable(nvdimm, data);
271 	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
275 static int security_update(struct nvdimm *nvdimm, unsigned int keyid,
279 	struct device *dev = &nvdimm->dev;
288 	if (!nvdimm->sec.ops || !nvdimm->sec.ops->change_key
289 			|| !nvdimm->sec.flags)
292 	rc = check_security_state(nvdimm);
296 	data = nvdimm_get_user_key_payload(nvdimm, keyid,
301 	newdata = nvdimm_get_user_key_payload(nvdimm, new_keyid,
308 	rc = nvdimm->sec.ops->change_key(nvdimm, data, newdata, pass_type);
317 		nvdimm->sec.ext_flags = nvdimm_security_flags(nvdimm,
320 		nvdimm->sec.flags = nvdimm_security_flags(nvdimm,
325 static int security_erase(struct nvdimm *nvdimm, unsigned int keyid,
328 	struct device *dev = &nvdimm->dev;
337 	if (!nvdimm->sec.ops || !nvdimm->sec.ops->erase
338 			|| !nvdimm->sec.flags)
341 	rc = check_security_state(nvdimm);
345 	if (!test_bit(NVDIMM_SECURITY_UNLOCKED, &nvdimm->sec.ext_flags)
352 	data = nvdimm_get_user_key_payload(nvdimm, keyid,
357 	rc = nvdimm->sec.ops->erase(nvdimm, data, pass_type);
363 	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
367 static int security_overwrite(struct nvdimm *nvdimm, unsigned int keyid)
369 	struct device *dev = &nvdimm->dev;
378 	if (!nvdimm->sec.ops || !nvdimm->sec.ops->overwrite
379 			|| !nvdimm->sec.flags)
382 	rc = check_security_state(nvdimm);
386 	data = nvdimm_get_user_key_payload(nvdimm, keyid,
391 	rc = nvdimm->sec.ops->overwrite(nvdimm, data);
397 		set_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags);
398 		set_bit(NDD_WORK_PENDING, &nvdimm->flags);
399 		set_bit(NVDIMM_SECURITY_OVERWRITE, &nvdimm->sec.flags);
405 		queue_delayed_work(system_wq, &nvdimm->dwork, 0);
411 void __nvdimm_security_overwrite_query(struct nvdimm *nvdimm)
413 	struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nvdimm->dev);
424 	if (!test_bit(NDD_WORK_PENDING, &nvdimm->flags))
427 	tmo = nvdimm->sec.overwrite_tmo;
429 	if (!nvdimm->sec.ops || !nvdimm->sec.ops->query_overwrite
430 			|| !nvdimm->sec.flags)
433 	rc = nvdimm->sec.ops->query_overwrite(nvdimm);
438 		queue_delayed_work(system_wq, &nvdimm->dwork, tmo * HZ);
439 		nvdimm->sec.overwrite_tmo = min(15U * 60U, tmo);
444 		dev_dbg(&nvdimm->dev, "overwrite failed\n");
446 		dev_dbg(&nvdimm->dev, "overwrite completed\n");
453 	nvdimm->sec.overwrite_tmo = 0;
454 	clear_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags);
455 	clear_bit(NDD_WORK_PENDING, &nvdimm->flags);
456 	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
457 	nvdimm->sec.ext_flags = nvdimm_security_flags(nvdimm, NVDIMM_MASTER);
458 	if (nvdimm->sec.overwrite_state)
459 		sysfs_notify_dirent(nvdimm->sec.overwrite_state);
460 	put_device(&nvdimm->dev);
465 	struct nvdimm *nvdimm =
466 		container_of(work, typeof(*nvdimm), dwork.work);
468 	nvdimm_bus_lock(&nvdimm->dev);
469 	__nvdimm_security_overwrite_query(nvdimm);
470 	nvdimm_bus_unlock(&nvdimm->dev);
497 	struct nvdimm *nvdimm = to_nvdimm(dev);
524 		rc = nvdimm_security_freeze(nvdimm);
527 		rc = security_disable(nvdimm, key);
530 		rc = security_update(nvdimm, key, newkey, i == OP_UPDATE
534 		if (atomic_read(&nvdimm->busy)) {
538 		rc = security_erase(nvdimm, key, i == OP_ERASE
542 		if (atomic_read(&nvdimm->busy)) {
546 		rc = security_overwrite(nvdimm, key);

Indexes created Thu Nov 07 10:32:03 CST 2024