Right now when debug is enabled, we dump the command buffer indiscriminately. This exposes the clear-text payload for security DSMs. Introduce a kernel config option so that the payload is only dumped when that option is turned on; production kernels can leave the option off and not expose the passphrases.
Signed-off-by: Dave Jiang <dave.ji...@intel.com>
---
 drivers/acpi/nfit/Kconfig |  7 +++++++
 drivers/acpi/nfit/core.c  | 24 +++++++++++++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/drivers/acpi/nfit/Kconfig b/drivers/acpi/nfit/Kconfig
index f7c57e33499e..a0a8eabda2e8 100644
--- a/drivers/acpi/nfit/Kconfig
+++ b/drivers/acpi/nfit/Kconfig
@@ -13,3 +13,10 @@ config ACPI_NFIT
 	  To compile this driver as a module, choose M here: the module
 	  will be called nfit.
+
+config NFIT_SECURITY_DEBUG
+	bool "Turn on debugging for NVDIMM security features"
+	depends on ACPI_NFIT
+	help
+	  Turning on debug output for NVDIMM security DSM commands. This
+	  should not be turned on on a production kernel.
diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 867e6fea3737..baaf5308de35 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -405,6 +405,21 @@ static u8 nfit_dsm_revid(unsigned family, unsigned func)
 	return id;
 }
+static bool is_security_cmd(unsigned int cmd, unsigned int func,
+		unsigned int family)
+{
+	if (cmd != ND_CMD_CALL)
+		return false;
+
+	if (family == NVDIMM_FAMILY_INTEL) {
+		if (func >= NVDIMM_INTEL_GET_SECURITY_STATE &&
+				func <= NVDIMM_INTEL_MASTER_SECURE_ERASE)
+			return true;
+	}
+
+	return false;
+}
+
 int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
 		unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc)
 {
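Review bot: The help text for NFIT_SECURITY_DEBUG says the option should stay off on a production kernel but not what enabling it actually does, which is the fact an operator needs when deciding. Suggest prefixing the existing warning with a sentence such as `Enables hex dumps of the input payloads of NVDIMM security DSM commands in the kernel debug log; these payloads can carry clear-text passphrases.` so the consequence is visible from the config menu itself.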
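Review bot: is_security_cmd has no comment, and its `func >= NVDIMM_INTEL_GET_SECURITY_STATE && func <= NVDIMM_INTEL_MASTER_SECURE_ERASE` test silently depends on every Intel security DSM function number lying inside that contiguous range; a future security function added outside the range would have its payload dumped in clear text without any warning. Suggest a header comment along the lines of `/* ND_CMD_CALL payloads of the Intel security DSMs may carry passphrases; keep this range in sync with the NVDIMM_INTEL_* security function enum */`, or listing the sensitive functions explicitly if the set is small. Only NVDIMM_FAMILY_INTEL is classified here; whether any other family exposes security DSMs is not visible on this page, so a short comment stating that assumption would also help the next maintainer.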
@@ -489,9 +504,12 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
 	dev_dbg(dev, "%s cmd: %d: func: %d input length: %d\n",
 			dimm_name, cmd, func, in_buf.buffer.length);
-	print_hex_dump_debug("nvdimm in ", DUMP_PREFIX_OFFSET, 4, 4,
-			in_buf.buffer.pointer,
-			min_t(u32, 256, in_buf.buffer.length), true);
+	if ((call_pkg && !is_security_cmd(cmd, func, call_pkg->nd_family)) ||
+			IS_ENABLED(CONFIG_NFIT_SECURITY_DEBUG)) {
+		print_hex_dump_debug("nvdimm in ", DUMP_PREFIX_OFFSET, 4, 4,
+				in_buf.buffer.pointer,
+				min_t(u32, 256, in_buf.buffer.length), true);
+	}
 	/* call the BIOS, prefer the named methods over _DSM if available */
 	if (nvdimm && cmd == ND_CMD_GET_CONFIG_SIZE
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm
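Review bot: The new condition `(call_pkg && !is_security_cmd(cmd, func, call_pkg->nd_family)) || IS_ENABLED(CONFIG_NFIT_SECURITY_DEBUG)` is false whenever call_pkg is NULL, so every command that is not an ND_CMD_CALL loses its input dump unless the security debug option is enabled, which is the opposite of the commit's intent of suppressing the dump only for security DSMs. call_pkg's assignment is outside the hunk, but is_security_cmd's own `cmd != ND_CMD_CALL` guard suggests it is only populated for ND_CMD_CALL. Since is_security_cmd already returns false for non-ND_CMD_CALL commands, the guard can be written as `if (!call_pkg || !is_security_cmd(cmd, func, call_pkg->nd_family) || IS_ENABLED(CONFIG_NFIT_SECURITY_DEBUG))`. acpi_nfit_ctl starts and ends outside the hunk; if the function later dumps the output buffer, the same gate presumably belongs there too, though whether any security DSM returns key material is not visible here.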