On Fri, Oct 12, 2018 at 11:24 AM Dave Jiang <[email protected]> wrote: > > When the nvdimm security state is unlocked during unlock, we skip the > operation. In this state, we are not able to fetch a key for verification > and at the same time the dimm is unlocked. This prevents us from doing > any security operations. We will send the freeze security DSM to make the > state consistent. > > Signed-off-by: Dave Jiang <[email protected]> > --- > drivers/nvdimm/security.c | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > diff --git a/drivers/nvdimm/security.c b/drivers/nvdimm/security.c > index 7b5d7c77514d..6c5423228b31 100644 > --- a/drivers/nvdimm/security.c > +++ b/drivers/nvdimm/security.c > @@ -250,8 +250,19 @@ int nvdimm_security_unlock_dimm(struct nvdimm *nvdimm) > if (!nvdimm->security_ops) > return 0; > > - if (nvdimm->state == NVDIMM_SECURITY_UNLOCKED || > - nvdimm->state == NVDIMM_SECURITY_UNSUPPORTED || > + /* > + * If the pre-OS has unlocked the DIMM, we will not be able to > + * verify the key against the hardware. Therefore we will not > + * retrieve the key and will freeze the security config. This will > + * prevent any other security operations. > + */
I think we should try to retrieve the key if the DIMM is unlocked and verify it with a 'change-key-to-self' check. If either of those steps fail then freeze the dimm. _______________________________________________ Linux-nvdimm mailing list [email protected] https://lists.01.org/mailman/listinfo/linux-nvdimm
