When the nvdimm security state is unlocked during unlock, we skip the operation. In this state, we are not able to fetch a key for verification and at the same time the dimm is unlocked. This prevents us from doing any security operations. We will send the freeze security DSM to make the state consistent.
Signed-off-by: Dave Jiang <[email protected]> --- drivers/nvdimm/security.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/drivers/nvdimm/security.c b/drivers/nvdimm/security.c index 7b5d7c77514d..6c5423228b31 100644 --- a/drivers/nvdimm/security.c +++ b/drivers/nvdimm/security.c @@ -250,8 +250,19 @@ int nvdimm_security_unlock_dimm(struct nvdimm *nvdimm) if (!nvdimm->security_ops) return 0; - if (nvdimm->state == NVDIMM_SECURITY_UNLOCKED || - nvdimm->state == NVDIMM_SECURITY_UNSUPPORTED || + /* + * If the pre-OS has unlocked the DIMM, we will not be able to + * verify the key against the hardware. Therefore we will not + * retrieve the key and will freeze the security config. This will + * prevent any other security operations. + */ + if (nvdimm->state == NVDIMM_SECURITY_UNLOCKED) { + rc = nvdimm_security_freeze_lock(nvdimm); + if (rc < 0) + return rc; + } + + if (nvdimm->state == NVDIMM_SECURITY_UNSUPPORTED || nvdimm->state == NVDIMM_SECURITY_DISABLED) return 0; _______________________________________________ Linux-nvdimm mailing list [email protected] https://lists.01.org/mailman/listinfo/linux-nvdimm
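Review bot: In the new `if (nvdimm->state == NVDIMM_SECURITY_UNLOCKED)` branch, only the error case returns. When `nvdimm_security_freeze_lock()` succeeds, control falls through to the second test, which no longer lists `NVDIMM_SECURITY_UNLOCKED`, so the function continues into the rest of the unlock path instead of returning 0 as it did before. That does not match the added comment ("we will not retrieve the key") or the commit message ("we skip the operation"), unless the freeze call updates `nvdimm->state` and code outside this hunk bails out on the new value. If skipping is the intent, return unconditionally from the branch, for example `return nvdimm_security_freeze_lock(nvdimm);`. Otherwise extend the comment to say why continuing is safe. Separately, a failed freeze now turns an already-unlocked DIMM into an error return from `nvdimm_security_unlock_dimm()`. Please confirm callers treat that as intended, since the visible lines leave the DIMM unlocked and unfrozen in that case.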
