On Tue, Dec 11, 2018 at 07:23:49AM -0800, Matthew Wilcox wrote:
> On Tue, Dec 11, 2018 at 03:00:09PM +0100, gre...@linuxfoundation.org wrote:
> >
> > The patch below does not apply to the 4.19-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then
On Wed, Dec 12, 2018 at 05:43:22PM -0500, Mike Snitzer wrote:
> > I would expect that dm-snapshot will be used quite a lot for
> > short-lived snapshots (that only live during a database backup or an
> > fsck run). I would hardly call that a "niche use case".
>
> dm-snapshot is only ~60%
On Thu, Dec 13, 2018 at 3:48 PM Dave Jiang wrote:
>
> Add command definition for security commands defined in Intel DSM
> specification v1.8 [1]. This includes "get security state", "set
> passphrase", "unlock unit", "freeze lock", "secure erase", "overwrite",
> "overwrite query", "master
With the implementation of Intel NVDIMM DSM overwrite, we are adding unit
test to nfit_test for testing of overwrite operation.
Signed-off-by: Dave Jiang
---
tools/testing/nvdimm/test/nfit.c | 55 ++
1 file changed, 55 insertions(+)
diff --git
Add theory of operation for the security support that's going into
libnvdimm.
Signed-off-by: Dave Jiang
Reviewed-by: Jing Lin
Signed-off-by: Dan Williams
---
Documentation/nvdimm/security.txt | 141 +
1 file changed, 141 insertions(+)
create mode 100644
With Intel DSM 1.8 [1] two new security DSMs are introduced. Enable/update
master passphrase and master secure erase. The master passphrase allows
a secure erase to be performed without the user passphrase that is set on
the NVDIMM. The commands of master_update and master_erase are added to
the
Add nfit_test support for DSM functions "Get Security State",
"Set Passphrase", "Disable Passphrase", "Unlock Unit", "Freeze Lock",
and "Secure Erase" for the fake DIMMs.
Also adding a sysfs knob in order to put the DIMMs in "locked" state. The
order of testing DIMM unlocking would be.
1a.
Adding test support for new Intel DSM from v1.8. The ability of simulating
master passphrase update and master secure erase have been added to
nfit_test.
Signed-off-by: Dave Jiang
---
tools/testing/nvdimm/test/nfit.c | 86 ++
1 file changed, 86
Add support to disable passphrase (security) for the Intel nvdimm. The
passphrase used for disabling is pulled from an encrypted-key in the kernel
user keyring. The action is triggered by writing "disable " to the
sysfs attribute "security".
Signed-off-by: Dave Jiang
Signed-off-by: Dan Williams
Add support for enabling and updating passphrase on the Intel nvdimms.
The passphrase is an encrypted key in the kernel user keyring.
We trigger the update via writing "update " to the
sysfs attribute "security". If no exists (for enabling
security) then a 0 should be used.
Signed-off-by:
Add support to issue a secure erase DSM to the Intel nvdimm. The
required passphrase is acquired from an encrypted key in the kernel user
keyring. To trigger the action, "erase " is written to the
"security" sysfs attribute.
Signed-off-by: Dave Jiang
Signed-off-by: Dan Williams
---
We are adding support for the security calls of overwrite and query
overwrite introduced from Intel DSM spec v1.7. This will allow triggering
of overwrite on Intel NVDIMMs. The overwrite operation can take tens
of minutes. When the overwrite DSM is issued successfully, the NVDIMMs
will be
Add support for freeze security on Intel nvdimm. This locks out any
changes to security for the DIMM until a hard reset of the DIMM is
performed. This is triggered by writing "freeze" to the generic
nvdimm/nmemX "security" sysfs attribute.
Signed-off-by: Dave Jiang
Co-developed-by: Dan Williams
Adding nvdimm key format type to encrypted keys in order to limit the size
of the key to 32 bytes.
Signed-off-by: Dave Jiang
Acked-by: Mimi Zohar
Signed-off-by: Dan Williams
---
Documentation/security/keys/trusted-encrypted.rst |6
security/keys/encrypted-keys/encrypted.c |
Export lookup_user_key() symbol in order to allow nvdimm passphrase
update to retrieve user injected keys.
Signed-off-by: Dave Jiang
Acked-by: David Howells
Signed-off-by: Dan Williams
---
include/linux/key.h |3 +++
security/keys/internal.h |2 --
From: Dan Williams
Add support to unlock the dimm via the kernel key management APIs. The
passphrase is expected to be pulled from userspace through keyutils.
The key management and sysfs attributes are libnvdimm generic.
Encrypted keys are used to protect the nvdimm passphrase at rest. The
Some NVDIMMs, like the ones defined by the NVDIMM_FAMILY_INTEL command
set, expose a security capability to lock the DIMMs at poweroff and
require a passphrase to unlock them. The security model is derived from
ATA security. In anticipation of other DIMMs implementing a similar
scheme, and to
The following series implements security support for nvdimm based on Intel
DSM spec v1.8. The passphrase is protected by encrypted-key and managed
through the kernel key management framework. The security features
supported are security state show, passphrase enable/update, passphrase
disable,
The generated dimm id is needed for the sysfs attribute as well as being
used as the identifier/description for the security key. Since it's
constant and should never change, store it as a member of struct nvdimm.
As nvdimm_create() continues to grow parameters relative to NFIT driver
Add command definition for security commands defined in Intel DSM
specification v1.8 [1]. This includes "get security state", "set
passphrase", "unlock unit", "freeze lock", "secure erase", "overwrite",
"overwrite query", "master passphrase enable/disable", and "master
erase". Since this adds
On Thu, Dec 13, 2018 at 8:49 AM Dave Jiang wrote:
>
> We are adding support for the security calls of overwrite and query
> overwrite introduced from Intel DSM spec v1.7. This will allow triggering
> of overwrite on Intel NVDIMMs. The overwrite operation can take tens
> of minutes. When the
Add theory of operation for the security support that's going into
libnvdimm.
Signed-off-by: Dave Jiang
Signed-off-by: Dan Williams
---
Documentation/nvdimm/security.txt | 141 +
1 file changed, 141 insertions(+)
create mode 100644
Adding test support for new Intel DSM from v1.8. The ability of simulating
master passphrase update and master secure erase have been added to
nfit_test.
Signed-off-by: Dave Jiang
---
tools/testing/nvdimm/test/nfit.c | 86 ++
1 file changed, 86
With the implementation of Intel NVDIMM DSM overwrite, we are adding unit
test to nfit_test for testing of overwrite operation.
Signed-off-by: Dave Jiang
---
tools/testing/nvdimm/test/nfit.c | 55 ++
1 file changed, 55 insertions(+)
diff --git
Add support to issue a secure erase DSM to the Intel nvdimm. The
required passphrase is acquired from an encrypted key in the kernel user
keyring. To trigger the action, "erase " is written to the
"security" sysfs attribute.
Signed-off-by: Dave Jiang
Signed-off-by: Dan Williams
---
Adding a flag for nvdimm->flags to support erase functions. While it's ok
to hold the nvdimm_bus lock for secure erase due to minimal time to execute
the command, overwrite requires a significantly longer time and makes this
impossible. The flag will block any drivers from being loaded and DIMMs
With Intel DSM 1.8 [1] two new security DSMs are introduced. Enable/update
master passphrase and master secure erase. The master passphrase allows
a secure erase to be performed without the user passphrase that is set on
the NVDIMM. The commands of master_update and master_erase are added to
the
Add support to disable passphrase (security) for the Intel nvdimm. The
passphrase used for disabling is pulled from an encrypted-key in the kernel
user keyring. The action is triggered by writing "disable " to the
sysfs attribute "security".
Signed-off-by: Dave Jiang
Signed-off-by: Dan Williams
Some NVDIMMs, like the ones defined by the NVDIMM_FAMILY_INTEL command
set, expose a security capability to lock the DIMMs at poweroff and
require a passphrase to unlock them. The security model is derived from
ATA security. In anticipation of other DIMMs implementing a similar
scheme, and to
We are adding support for the security calls of overwrite and query
overwrite introduced from Intel DSM spec v1.7. This will allow triggering
of overwrite on Intel NVDIMMs. The overwrite operation can take tens
of minutes. When the overwrite DSM is issued successfully, the NVDIMMs
will be
Add nfit_test support for DSM functions "Get Security State",
"Set Passphrase", "Disable Passphrase", "Unlock Unit", "Freeze Lock",
and "Secure Erase" for the fake DIMMs.
Also adding a sysfs knob in order to put the DIMMs in "locked" state. The
order of testing DIMM unlocking would be.
1a.
Add support for enabling and updating passphrase on the Intel nvdimms.
The passphrase is an encrypted key in the kernel user keyring.
We trigger the update via writing "update " to the
sysfs attribute "security". If no exists (for enabling
security) then a 0 should be used.
Signed-off-by:
From: Dan Williams
Add support to unlock the dimm via the kernel key management APIs. The
passphrase is expected to be pulled from userspace through keyutils.
The key management and sysfs attributes are libnvdimm generic.
Encrypted keys are used to protect the nvdimm passphrase at rest. The
Add support for freeze security on Intel nvdimm. This locks out any
changes to security for the DIMM until a hard reset of the DIMM is
performed. This is triggered by writing "freeze" to the generic
nvdimm/nmemX "security" sysfs attribute.
Signed-off-by: Dave Jiang
Co-developed-by: Dan Williams
The generated dimm id is needed for the sysfs attribute as well as being
used as the identifier/description for the security key. Since it's
constant and should never change, store it as a member of struct nvdimm.
As nvdimm_create() continues to grow parameters relative to NFIT driver
Export lookup_user_key() symbol in order to allow nvdimm passphrase
update to retrieve user injected keys.
Signed-off-by: Dave Jiang
Acked-by: David Howells
Signed-off-by: Dan Williams
---
include/linux/key.h |3 +++
security/keys/internal.h |2 --
Adding nvdimm key format type to encrypted keys in order to limit the size
of the key to 32 bytes.
Signed-off-by: Dave Jiang
Acked-by: Mimi Zohar
Signed-off-by: Dan Williams
---
Documentation/security/keys/trusted-encrypted.rst |6
security/keys/encrypted-keys/encrypted.c |
Add command definition for security commands defined in Intel DSM
specification v1.8 [1]. This includes "get security state", "set
passphrase", "unlock unit", "freeze lock", "secure erase", "overwrite",
"overwrite query", "master passphrase enable/disable", and "master
erase". Since this adds
The following series implements security support for nvdimm based on Intel
DSM spec v1.8. The passphrase is protected by encrypted-key and managed
through the kernel key management framework. The security features
supported are security state show, passphrase enable/update, passphrase
disable,