On Mon, Jan 14, 2019 at 12:07 PM Dave Jiang <[email protected]> wrote:
>
> Add support for freeze security to libndctl and also command line option
> of "freeze-security" for ndctl. This will lock the ability to make changes
> to the NVDIMM security.
>
> Signed-off-by: Dave Jiang <[email protected]>
> ---
>  Documentation/ndctl/Makefile.am               |    3 ++-
>  Documentation/ndctl/ndctl-freeze-security.txt |   20 ++++++++++++++++++
>  ndctl/builtin.h                               |    1 +
>  ndctl/dimm.c                                  |   28 +++++++++++++++++++++++++
>  ndctl/lib/dimm.c                              |    5 ++++
>  ndctl/lib/libndctl.sym                        |    1 +
>  ndctl/libndctl.h                              |    1 +
>  ndctl/ndctl.c                                 |    1 +
>  8 files changed, 59 insertions(+), 1 deletion(-)
>  create mode 100644 Documentation/ndctl/ndctl-freeze-security.txt
>
> diff --git a/Documentation/ndctl/Makefile.am b/Documentation/ndctl/Makefile.am
> index 31570a77..a97f193d 100644
> --- a/Documentation/ndctl/Makefile.am
> +++ b/Documentation/ndctl/Makefile.am
> @@ -50,7 +50,8 @@ man1_MANS = \
>         ndctl-monitor.1 \
>         ndctl-enable-passphrase.1 \
>         ndctl-update-passphrase.1 \
> -       ndctl-disable-passphrase.1
> +       ndctl-disable-passphrase.1 \
> +       ndctl-freeze-security.1
>
>  CLEANFILES = $(man1_MANS)
>
> diff --git a/Documentation/ndctl/ndctl-freeze-security.txt 
> b/Documentation/ndctl/ndctl-freeze-security.txt
> new file mode 100644
> index 00000000..4e9d2d61
> --- /dev/null
> +++ b/Documentation/ndctl/ndctl-freeze-security.txt
> @@ -0,0 +1,20 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +ndctl-freeze-security(1)
> +========================
> +
> +NAME
> +----
> +ndctl-freeze-security - enabling or freeze the security for an NVDIMM

What is it "enabling"?

I would just say:

"Set the given DIMM(s) to reject future security operations"

> +
> +SYNOPSIS
> +--------
> +[verse]
> +'ndctl freeze-security' <dimm>

Code says:

    ndctl freeze-security <nmem0> [<nmem1>..<nmemN>] [<options>]

...I'm assuming the multiple nmem support is true, but there are no
extra options?

...and now that I say that out loud, I think all of these commands
should support -v/--verbose to turn on libndctl debug.

> +
> +DESCRIPTION
> +-----------
> +Provide a generic interface to freeze the security for NVDIMM.

That can go, it reads like a changelog, not a man page.

> Once security
> +is frozen, no other security operations can succeed until reboot happens.
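
Review bot: The DESCRIPTION's "no other security operations can succeed until reboot happens" never says which operations are meant. Naming the affected commands would let the page stand on its own, for example the enable-passphrase, update-passphrase and disable-passphrase commands whose man pages are listed beside this one in Makefile.am. It would also help to state that the freeze cannot be undone from the command line, and "until reboot happens" reads better as "until the next reboot".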

"Prevent any further security operations on the given DIMMs until the
next reboot. This is used in scenarios where the administrator has
taken all expected security actions for the current boot and wants the
DIMM to enforce / lock the current state."

An example section might show some before and after "ndctl list" data
for the DIMM and perhaps the state changes of the /etc/ndctl/keys
directory.