On Mon, Jul 2, 2018 at 6:45 PM, Elliott, Robert (Persistent Memory)
<[email protected]> wrote:
>
>
>> -----Original Message-----
>> From: Linux-nvdimm [mailto:[email protected]] On Behalf Of 
>> Dave Jiang
>> Sent: Monday, July 2, 2018 6:39 PM
>> To: [email protected]
>> Cc: [email protected]; [email protected]; 
>> [email protected]; [email protected];
>> [email protected]
>> Subject: [PATCH 04/11] nfit/libnvdimm: add unlock of nvdimm support for 
>> Intel DIMMs
>>
>> Adding support to allow query the security status of the Intel nvdimms and
>> also unlock the dimm via the kernel key management APIs. The passphrase is
>> expected to be pulled from userspace through keyutils. Moving the Intel
>> related bits to its own source file as well.
>>
> ...
>> +static int intel_dimm_security_unlock(struct nvdimm_bus *nvdimm_bus,
>> +struct nvdimm *nvdimm, const char *passphrase)
>> +{
> +struct nd_intel_unlock_unit *cmd;
> +struct nd_cmd_pkg *pkg;
> ...
>> +pkg_size = sizeof(*pkg) + sizeof(*cmd);
>> +pkg = kzalloc(pkg_size, GFP_KERNEL);
>> +if (!pkg)
>> +return -ENOMEM;
>> +
>> +pkg->nd_command = NVDIMM_INTEL_UNLOCK_UNIT;
>> +pkg->nd_family = NVDIMM_FAMILY_INTEL;
>> +pkg->nd_size_in = ND_INTEL_PASSPHRASE_SIZE;
>> +pkg->nd_size_out = ND_INTEL_STATUS_SIZE;
>> +pkg->nd_fw_size = ND_INTEL_STATUS_SIZE;
>> +cmd = (struct nd_intel_unlock_unit *)&pkg->nd_payload;
>> +memcpy(cmd->passphrase, passphrase, ND_INTEL_PASSPHRASE_SIZE);
>> +rc = nd_desc->ndctl(nd_desc, nvdimm, ND_CMD_CALL, pkg,
>> +sizeof(pkg_size), &cmd_rc);
> ...
>> +kfree(pkg);
>
> Since it contains a high-value password, I recommend zeroing cmd->passphrase
> before calling kfree() so that data isn't seen by a subsequent kmalloc()
> caller (and make sure the compiler cannot optimize away the clearing code).
> clear)
>
> Also, check if the ndctl() call chain makes any copies of cmd->passphrase
> and ensure they are cleared.

If an attacker can run arbitrary code in the kernel they can get the
key from the ring directly, or turn on ACPI debug. A platform could
arrange for the DIMMs to be unlocked pre-OS to minimize passphrase
exposure, but once you need to unlock from the OS at runtime there is
this exposure. Now, there may be ways we could protect the key the TPM
to minimize exposure, but there would always be the in-flight risk,
especially with ACPI debug.
_______________________________________________
Linux-nvdimm mailing list
[email protected]
https://lists.01.org/mailman/listinfo/linux-nvdimm

Reply via email to