On 7/30/2018 3:11 PM, Vishal Verma wrote:
The emulation for smart injection commands for nfit neglected to check
the smart field validity flags before injecting to that field. This is
required as a way to distinguish un-injection vs. leave-alone.
The emulation was also missing support for un-i
On 7/31/2018 7:32 AM, Stefan Hajnoczi wrote:
dax_pmem_percpu_exit() waits for dax_pmem_percpu_release() to invoke the
dax_pmem->cmp completion. Unfortunately this approach to cleaning up
the percpu_ref only works after devm_memremap_pages() was successful.
If devm_add_action_or_reset() or dev
On 07/31/2018 04:46 AM, Zhang Yi wrote:
> It should be prevent user map an illegal vma range which larger than
> dax device physical resource, as we don't have swap logic while page
> faulting in dax device.
This patch prevents a user mapping an illegal vma range that is larger
than a dax device
On 08/02/2018 05:00 AM, David Howells wrote:
> Dave Jiang wrote:
>
>> +/* request new key from userspace */
>> +key = nvdimm_request_key(dev, update);
>> +if (!key) {
>> +dev_dbg(dev, "%s: failed to acquire new key\n"
On 08/02/2018 03:29 PM, Dave Jiang wrote:
>
>
> On 08/02/2018 05:00 AM, David Howells wrote:
>> Dave Jiang wrote:
>>
>>> + /* request new key from userspace */
>>> + key = nvdimm_request_key(dev, update);
>>> + if (!key) {
>>>
On 08/03/2018 01:32 AM, David Howells wrote:
> Dave Jiang wrote:
>
>> I think I'm a little confused on what to do once I pass in the new key
>> id through update. How do I retrieve the new key in kernel that I added
>> from userspace and not use key_lookup(
are package on stack. (Dan)
- Added missing frozen state detection when retrieving security state.
---
Dave Jiang (12):
nfit: add support for Intel DSM 1.7 commands
libnvdimm: create keyring to store security keys
nfit/libnvdimm: store dimm id as a member to struct nvdimm
Prepping the libnvdimm to support security management by adding a keyring
in order to provide passphrase management through the kernel key management
APIs.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/nvdimm/core.c |7 ++-
drivers/nvdimm/dimm_devs.c | 29
"security"
attribute. libnvdimm will generically support the key_change API call.
Signed-off-by: Dave Jiang
---
drivers/acpi/nfit/intel.c | 68
drivers/nvdimm/dimm_devs.c | 255
include/linux/libnvdimm.h |5 +
3 files ch
The generated dimm id is needed for the sysfs attribute as well as being
used as the identifier/description for the security key. Since it's
constant and should never change, store it as a member of struct nvdimm.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/c
pace and the result can cause system crash. So
blocking security commands in the ioctl path.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/core.c | 28 ++-
drivers/acpi/nfit/intel.h | 67 +
drivers/acpi/nf
Add support to allow query the security status of the Intel nvdimms and
also unlock the dimm via the kernel key management APIs. The passphrase is
expected to be pulled from userspace through keyutils. Moving the Intel
related bits to its own source file as well.
Signed-off-by: Dave Jiang
le API call.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/intel.c | 53
drivers/nvdimm/dimm_devs.c | 45 +
include/linux/libnvdimm.h |3 ++
3 files changed, 100 insertions(+),
Add support to issue a secure erase DSM to the Intel nvdimm. The
required passphrase is acquired from userspace through the kernel key
management. To trigger the action, "erase" is written to the "security"
sysfs attribute. libnvdimm will support the erase generic API call.
Export lookup_user_key() symbol in order to allow nvdimm passphrase
update to retrieve user injected keys.
Signed-off-by: Dave Jiang
Cc: David Howells
---
include/linux/key.h |3 +++
security/keys/internal.h |2 --
security/keys/process_keys.c |1 +
3 files changed, 4
Add theory of operation for the security support that's going into
libnvdimm.
Signed-off-by: Dave Jiang
---
Documentation/nvdimm/security.txt | 78 +
1 file changed, 78 insertions(+)
create mode 100644 Documentation/nvdimm/security.txt
diff --
"locked" state. The
order of testing DIMM unlocking would be.
1a. Disable DIMM X.
1b. Set Passphrase to DIMM X.
2. Write to
/sys/devices/platform/nfit_test.0/nfit_test_dimm/test_dimmX/lock_dimm
3. Re-enable DIMM X
4. Check DIMM X state via sysfs "security" attribute for nmemX.
Signed
Add support for freeze security on Intel nvdimm. This locks out any
changes to security for the DIMM unless a reboot is done. This is triggered
by writing "freeze" to the "security" sysfs attribute. libnvdimm will
support the generic freeze_lock API call.
Signed-off-by: Dav
nfit_mem to be a member of struct nfit_dimm_dev instead of
saving as private driver data of that device. This is in preparation for
adding security DSM support and allowing the locking of DIMMs for testing
via sideband.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
tools/testing/nvdimm/test
From: Ross Zwisler
If the refcount of a page is lowered between the time that it is returned
by dax_busy_page() and when the refcount is again checked in
ext4_break_layouts() => ___wait_var_event(), the waiting function
ext4_wait_dax_page() will never be called. This means that
ext4_break_layout
d refcount.
Signed-off-by: Dave Jiang
---
fs/xfs/xfs_file.c |7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index a3e7767a5715..666c93fe5284 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -721,12 +721,10 @@ xfs_file_wri
On 08/03/2018 05:08 AM, Ocean He wrote:
> From: Ocean He
>
> The id check was not executed immediately following ida_simple_get. Just
> change the codes position, without function change.
>
> Signed-off-by: Ocean He
Applied.
> ---
> drivers/nvdimm/bus.c | 4 ++--
> 1 file changed, 2 inser
On 08/07/2018 12:25 PM, Verma, Vishal L wrote:
>
> On Tue, 2018-08-07 at 02:15 -0400, Ocean He wrote:
>> From: Ocean He
>
> Just some minor nits in commit message wording:
>
>>
>> Add detail explanation why it's ok to return 0 if fail to find NFIT at
> detailed ^for
On 08/02/2018 02:32 AM, Zhang,Yi wrote:
>
>
> On 2018-08-02 03:40, Dave Jiang wrote:
>>
>> On 07/31/2018 04:46 AM, Zhang Yi wrote:
>>> It should be prevent user map an illegal vma range which larger than
>>> dax device physical resource, as we don'
On 08/08/2018 01:53 AM, Jan Kara wrote:
> On Tue 07-08-18 15:11:43, Dave Jiang wrote:
>> This patch is the duplicate of ross's fix for ext4 for xfs.
>>
>> If the refcount of a page is lowered between the time that it is returned
>> by dax_busy_page() and when
From: Ross Zwisler
If the refcount of a page is lowered between the time that it is returned
by dax_busy_page() and when the refcount is again checked in
ext4_break_layouts() => ___wait_var_event(), the waiting function
ext4_wait_dax_page() will never be called. This means that
ext4_break_layout
d refcount.
Signed-off-by: Dave Jiang
---
v2:
- Rename parameter from did_unlock to retry (Jan)
fs/xfs/xfs_file.c |9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index a3e7767a5715..cd6f0d8c4922 100644
--- a/fs/xfs/xfs_file.c
d refcount.
Signed-off-by: Dave Jiang
Reviewed-by: Jan Kara
---
Sorry resend, forgot to add Jan's reviewed-by.
v2:
- Rename parameter from did_unlock to retry (Jan)
fs/xfs/xfs_file.c |9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/fs/xfs/xfs_file
On 08/09/2018 01:57 AM, Jan Kara wrote:
> On Wed 08-08-18 10:26:36, Dave Jiang wrote:
>> This patch is the duplicate of ross's fix for ext4 for xfs.
>>
>> If the refcount of a page is lowered between the time that it is returned
>> by dax_busy_page() and when
On 08/10/2018 08:48 AM, Darrick J. Wong wrote:
> On Wed, Aug 08, 2018 at 10:31:40AM -0700, Dave Jiang wrote:
>> This patch is the duplicate of ross's fix for ext4 for xfs.
>>
>> If the refcount of a page is lowered between the time that it is returned
>> by dax_b
On 08/10/2018 09:02 AM, Darrick J. Wong wrote:
> On Fri, Aug 10, 2018 at 08:54:00AM -0700, Dave Jiang wrote:
>>
>>
>> On 08/10/2018 08:48 AM, Darrick J. Wong wrote:
>>> On Wed, Aug 08, 2018 at 10:31:40AM -0700, Dave Jiang wrote:
>>>> This patch is th
On 08/09/2018 07:53 PM, Theodore Y. Ts'o wrote:
> On Tue, Jul 31, 2018 at 01:27:15PM -0700, Dave Jiang wrote:
>>
>> On 7/31/2018 12:36 PM, Ross Zwisler wrote:
>>> On Mon, Jul 30, 2018 at 07:53:12PM -0400, Theodore Y. Ts'o wrote:
>>>> In newer kerne
On 08/10/2018 11:31 AM, Eric Sandeen wrote:
> On 8/8/18 12:31 PM, Dave Jiang wrote:
>> This patch is the duplicate of ross's fix for ext4 for xfs.
>>
>> If the refcount of a page is lowered between the time that it is returned
>> by dax_busy_page() and when
++---
> ndctl/lib/inject.c | 12 +++-
> ndctl/lib/libndctl.c | 3 +++
> ndctl/test.c | 2 ++
> test/libndctl.c | 1 +
> 5 files changed, 23 insertions(+), 12 deletions(-)
>
Reviewed-by: Dave Jiang
4 bytes to the buffer the user space allocates
> so that the kernel's overrun doesn't corrupt the application's heap.
>
> See kernel patch for more details:
>
> https://patchwork.kernel.org/patch/10563103/
>
> Signed-off-by: Keith Busch
Reviewed-by: Dave J
On 08/18/2018 04:15 PM, Linus Torvalds wrote:
> On Fri, Aug 17, 2018 at 9:17 AM Jiang, Dave wrote:
>>
>> Please pull to receive libnvdimm contributions for v4.19-rc1
>
> So I don't care about the libnvdimm code itself, but when you guys add
> code to the core mm/ code, I start looking.
>
> An
On 08/20/2018 10:53 AM, Verma, Vishal L wrote:
>
> On Mon, 2018-08-13 at 20:02 +0800, Zhang Yi wrote:
>> This patch prevents a user mapping an illegal vma range that is larger
>> than a dax device physical resource.
>>
>> When qemu maps the dax device for virtual nvdimm's backend device, the
>>
On 08/21/2018 10:37 AM, Stephen Bates wrote:
> Hi Dave
>
> I hope you are well. Logan and I were looking at adding DMA support to PMEM
> and then were informed you have proposed some patches to do just that for the
> ioat DMA engine. The latest version of those I can see were the v7 from
> A
curity_ops based on family supplied. (Dan)
- Added nvdimm_key_data struct to wrap raw passphrase string. (Dan)
- Allocate firmware package on stack. (Dan)
- Added missing frozen state detection when retrieving security state.
---
Dave Jiang (12):
nfit: add support for Intel DSM 1.7 commands
Prepping the libnvdimm to support security management by adding a keyring
in order to provide passphrase management through the kernel key management
APIs.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/nvdimm/core.c |7 ++-
drivers/nvdimm/dimm_devs.c | 29
The generated dimm id is needed for the sysfs attribute as well as being
used as the identifier/description for the security key. Since it's
constant and should never change, store it as a member of struct nvdimm.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/c
Export lookup_user_key() symbol in order to allow nvdimm passphrase
update to retrieve user injected keys.
Signed-off-by: Dave Jiang
Cc: David Howells
---
include/linux/key.h |3 +++
security/keys/internal.h |2 --
security/keys/process_keys.c |1 +
3 files changed, 4
pace and the result can cause system crash. So
blocking security commands in the ioctl path.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/core.c | 28 ++-
drivers/acpi/nfit/intel.h | 67 +
drivers/acpi/nf
Add support to allow query the security status of the Intel nvdimms and
also unlock the dimm via the kernel key management APIs. The passphrase is
expected to be pulled from userspace through keyutils. Moving the Intel
related bits to its own source file as well.
Signed-off-by: Dave Jiang
"security"
attribute. libnvdimm will generically support the key_change API call.
Signed-off-by: Dave Jiang
---
drivers/acpi/nfit/intel.c | 68
drivers/nvdimm/dimm_devs.c | 256
include/linux/libnvdimm.h |5 +
3 files ch
Add support for freeze security on Intel nvdimm. This locks out any
changes to security for the DIMM unless a reboot is done. This is triggered
by writing "freeze" to the "security" sysfs attribute. libnvdimm will
support the generic freeze_lock API call.
Signed-off-by: Dav
Add theory of operation for the security support that's going into
libnvdimm.
Signed-off-by: Dave Jiang
---
Documentation/nvdimm/security.txt | 82 +
1 file changed, 82 insertions(+)
create mode 100644 Documentation/nvdimm/security.txt
diff --
le API call.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/intel.c | 53
drivers/nvdimm/dimm_devs.c | 45 +
include/linux/libnvdimm.h |3 ++
3 files changed, 100 insertions(+),
"locked" state. The
order of testing DIMM unlocking would be.
1a. Disable DIMM X.
1b. Set Passphrase to DIMM X.
2. Write to
/sys/devices/platform/nfit_test.0/nfit_test_dimm/test_dimmX/lock_dimm
3. Re-enable DIMM X
4. Check DIMM X state via sysfs "security" attribute for nmemX.
Signed
nfit_mem to be a member of struct nfit_dimm_dev instead of
saving as private driver data of that device. This is in preparation for
adding security DSM support and allowing the locking of DIMMs for testing
via sideband.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
tools/testing/nvdimm/test
Add support to issue a secure erase DSM to the Intel nvdimm. The
required passphrase is acquired from userspace through the kernel key
management. To trigger the action, "erase" is written to the "security"
sysfs attribute. libnvdimm will support the erase generic API call.
Adding libndctl API call for retrieving security state for a DIMM and also
adding support to ndctl list for displaying security state.
Signed-off-by: Dave Jiang
---
Documentation/ndctl/ndctl-list.txt |8
ndctl/lib/dimm.c | 16
ndctl/lib
Add support for disable security to libndctl and also command line option
of "disable-security" for ndctl. This provides a way to disable security
on the nvdimm. ndctl does not handle the actual processing of the
passphrase. It only starts the request.
Signed-off-by:
Add support to secure erase to libndctl and also command line option
of "sanitize" for ndctl. This will initiate the request to crypto
erase a DIMM. ndctl does not actually handle the verification of the
security. That is handled by the kernel and the key upcall mechanism.
Signed-of
y in place.
Signed-off-by: Dave Jiang
---
Documentation/ndctl/Makefile.am |3 -
Documentation/ndctl/ndctl-update-security.txt | 56 +++
builtin.h |1
configure.ac |1
ndc
Add support for freeze security to libndctl and also command line option
of "freeze-security" for ndctl. This will lock the ability to make changes
to the NVDIMM security.
Signed-off-by: Dave Jiang
---
Documentation/ndctl/Makefile.am |3 ++-
Documentation/ndctl/nd
. secure erase
Also a reference helper app is provided to retrieve security information
through the keyutils and kernel key management API.
v3:
- Added support to inject keys in order to update nvdimm security.
v2:
- Fixup the upcall util to match recent kernel updates for nvdimm security.
---
Dave
Adding a reference upcall helper for request-key in order to retrieve the
security passphrase from userspace to provide to the kernel. The reference
app uses keyutils API to respond to the upcall from the kernel and is
invoked by /sbin/request-key of the keyutils.
Signed-off-by: Dave Jiang
vmf_insert_pfn_pmd() in the
original patch.
Fixes: e1fb4a08649 ("dax: remove VM_MIXEDMAP for fsdax and device dax")
Reported-by: Vishal Verma
Signed-off-by: Dave Jiang
---
mm/huge_memory.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/huge_memory.c b/mm/huge_memo
vmf_insert_pfn_pmd() in the
original patch.
Fixes: e1fb4a08649 ("dax: remove VM_MIXEDMAP for fsdax and device dax")
Reported-by: Vishal Verma
Signed-off-by: Dave Jiang
---
mm/huge_memory.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/huge_memory.c b/mm/huge_memo
Please ignore this email. It had malformed mail header. I have resent a
non-broken one, which looks like has been ack'ed by Jeff.
On 08/30/2018 01:05 PM, Dave Jiang wrote:
> It looks like I missed the PUD path when doing VM_MIXEDMAP removal.
> This can be triggered by:
> 1. Boot
On 08/30/2018 09:20 AM, Matthew Wilcox wrote:
>
> This patch got caught in the crossfire and didn't make it into 4.18
> as planned. Can it make 4.19 please?
>
> >8
>
> Use my_zero_pfn instead of ZERO_PAGE, and pass the vaddr to it so it
> works on MIPS and s390.
>
> Signed-off-by:
On 08/30/2018 03:32 AM, Andy Shevchenko wrote:
> Switch to bitmap_zalloc() to show clearly what we are allocating.
> Besides that it returns pointer of bitmap type instead of opaque void *.
>
> Signed-off-by: Andy Shevchenko
Applied
> ---
> drivers/nvdimm/label.c | 7 +++
> 1 file chang
On 08/30/2018 04:56 AM, Andy Shevchenko wrote:
> On Mon, Jun 11, 2018 at 04:47:21PM +0300, Andy Shevchenko wrote:
>> kstrndup() takes care of '\0' terminator for the strings.
>>
>> Use it here instead of kmemdup() + explicit terminating the input string.
>>
>
> Any comments on this?
Applied. S
80356ef630 ("x86/asm/memcpy_mcsafe: Define copy_to_iter_mcsafe()")
Reported-by: Fan Du
Signed-off-by: Dave Jiang
Reviewed-by: Vishal Verma
---
include/linux/uio.h |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/uio.h b/include/linux/uio.h
index 409c845d4
On 09/05/2018 01:31 PM, Dave Jiang wrote:
> copy_to_iter_mcsafe() is passing in the is_source parameter as "false"
> to check_copy_size(). This is different than what copy_to_iter() does.
> Also, the addr parameter passed to check_copy_size() is the source so
> therefore w
noop_set_page_dirty and
noop_invalidatepage for device dax to prevent fallback to
__set_page_dirty_buffers() and block_invalidatepage() respectively.
Fixes: 2232c6382a ("device-dax: Enable page_mapping()")
Reported-by: Vishal Verma
Suggested-by: Dan Williams
Signed-off-by: Dave Jiang
---
d
On 09/21/2018 02:59 PM, Dan Williams wrote:
> On Tue, Aug 28, 2018 at 3:47 PM Dave Jiang wrote:
>>
>> Export lookup_user_key() symbol in order to allow nvdimm passphrase
>> update to retrieve user injected keys.
>>
>> Signed-off-by: Dave Jiang
>> Cc:
On 09/21/2018 04:20 PM, David Howells wrote:
> Dave Jiang wrote:
>
>> +depends on KEYS
>
> That needs to be in patch 2 where you create a keyring.
>
>> +char desc[NVDIMM_KEY_DESC_LEN + strlen(NVDIMM_PREFIX)];
>
> You should be using sizeof() not str
On 09/21/2018 04:57 PM, David Howells wrote:
> Dave Jiang wrote:
>
>> +new_key = key_alloc(&key_type_logon, key->description,
>> +GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, &init_cred, 0,
>
> KEY_POS_SEARCH? KEY_USR_VIEW?
>
>>
On 09/24/2018 02:04 PM, David Howells wrote:
> Dan Williams wrote:
>
>> I think you want to use prepare_kernel_cred(), not export init_cred.
>
> That only works if the searching is done with the creds generated by
> prepare_kernel_cred(). He probably does want init_cred, or at least
> curren
On 09/24/2018 02:02 PM, David Howells wrote:
> Dave Jiang wrote:
>
>> +GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, &init_cred,
>
> Hmmm... I wonder if current_cred() would suffice since you must be called
> from something that has the ability to load modul
Prepping the libnvdimm to support security management by adding a keyring
in order to provide passphrase management through the kernel key management
APIs.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/nvdimm/Kconfig |1 +
drivers/nvdimm/core.c |7
pace and the result can cause system crash. So
blocking security commands in the ioctl path.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/core.c | 28 ++-
drivers/acpi/nfit/intel.h | 67 +
drivers/acpi/nf
ct to wrap raw passphrase string. (Dan)
- Allocate firmware package on stack. (Dan)
- Added missing frozen state detection when retrieving security state.
---
Dave Jiang (12):
nfit: add support for Intel DSM 1.7 commands
libnvdimm: create keyring to store security keys
nfit/libn
Add support to allow query the security status of the Intel nvdimms and
also unlock the dimm via the kernel key management APIs. The passphrase is
expected to be pulled from userspace through keyutils. Moving the Intel
related bits to its own source file as well.
Signed-off-by: Dave Jiang
The generated dimm id is needed for the sysfs attribute as well as being
used as the identifier/description for the security key. Since it's
constant and should never change, store it as a member of struct nvdimm.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/c
Add support for freeze security on Intel nvdimm. This locks out any
changes to security for the DIMM unless a reboot is done. This is triggered
by writing "freeze" to the "security" sysfs attribute. libnvdimm will
support the generic freeze_lock API call.
Signed-off-by: Dav
isable
API call. The kernel will verify the passphrase of the user key against
the cached kernel key. If no kernel key exists, then the user key will be
tried for the op.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/intel.c | 53 ++
nfit_mem to be a member of struct nfit_dimm_dev instead of
saving as private driver data of that device. This is in preparation for
adding security DSM support and allowing the locking of DIMMs for testing
via sideband.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
tools/testing/nvdimm/test
Export lookup_user_key() symbol in order to allow nvdimm passphrase
update to retrieve user injected keys.
Signed-off-by: Dave Jiang
Acked-by: David Howells
---
include/linux/key.h |3 +++
security/keys/internal.h |2 --
security/keys/process_keys.c |1 +
3 files
should be used. The state of the security can also be read via the
"security" attribute. libnvdimm will generically support the key_change
API call.
Signed-off-by: Dave Jiang
---
drivers/acpi/nfit/intel.c | 68
drivers/nvdimm/dimm_devs.c | 248 +
he user key provided will be verified against the cached kernel
key. If no kernel key exists, then the user key will be attempted for the
operation.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/intel.c | 58
drivers/nvdim
Add theory of operation for the security support that's going into
libnvdimm.
Signed-off-by: Dave Jiang
---
Documentation/nvdimm/security.txt | 99 +
1 file changed, 99 insertions(+)
create mode 100644 Documentation/nvdimm/security.txt
diff --
"locked" state. The
order of testing DIMM unlocking would be.
1a. Disable DIMM X.
1b. Set Passphrase to DIMM X.
2. Write to
/sys/devices/platform/nfit_test.0/nfit_test_dimm/test_dimmX/lock_dimm
3. Re-enable DIMM X
4. Check DIMM X state via sysfs "security" attribute for nmemX.
Signed
retrieving security state.
---
Dave Jiang (12):
nfit: add support for Intel DSM 1.7 commands
libnvdimm: create keyring to store security keys
nfit/libnvdimm: store dimm id as a member to struct nvdimm
keys: export lookup_user_key to external users
nfit/libnvdimm: add unl
The generated dimm id is needed for the sysfs attribute as well as being
used as the identifier/description for the security key. Since it's
constant and should never change, store it as a member of struct nvdimm.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/c
pace and the result can cause system crash. So
blocking security commands in the ioctl path.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/core.c | 28 ++-
drivers/acpi/nfit/intel.h | 67 +
drivers/acpi/nf
Export lookup_user_key() symbol in order to allow nvdimm passphrase
update to retrieve user injected keys.
Signed-off-by: Dave Jiang
Acked-by: David Howells
---
include/linux/key.h |3 +++
security/keys/internal.h |2 --
security/keys/process_keys.c |1 +
3 files
Add support for freeze security on Intel nvdimm. This locks out any
changes to security for the DIMM unless a reboot is done. This is triggered
by writing "freeze" to the "security" sysfs attribute. libnvdimm will
support the generic freeze_lock API call.
Signed-off-by: Dav
Add support to allow query the security status of the Intel nvdimms and
also unlock the dimm via the kernel key management APIs. The passphrase is
expected to be pulled from userspace through keyutils. Moving the Intel
related bits to its own source file as well.
Signed-off-by: Dave Jiang
nfit_mem to be a member of struct nfit_dimm_dev instead of
saving as private driver data of that device. This is in preparation for
adding security DSM support and allowing the locking of DIMMs for testing
via sideband.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
tools/testing/nvdimm/test
he user key provided will be verified against the cached kernel
key. If no kernel key exists, then the user key will be attempted for the
operation.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/intel.c | 58 ++
drivers/nvdim
Add theory of operation for the security support that's going into
libnvdimm.
Signed-off-by: Dave Jiang
---
Documentation/nvdimm/security.txt | 99 +
1 file changed, 99 insertions(+)
create mode 100644 Documentation/nvdimm/security.txt
diff --
isable
API call. The kernel will verify the passphrase of the user key against
the cached kernel key. If no kernel key exists, then the user key will be
tried for the op.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/acpi/nfit/intel.c | 53 ++
should be used. The state of the security can also be read via the
"security" attribute. libnvdimm will generically support the key_change
API call.
Signed-off-by: Dave Jiang
---
drivers/acpi/nfit/intel.c | 68
drivers/nvdimm/dimm_devs.c | 248 +
Prepping the libnvdimm to support security management by adding a keyring
in order to provide passphrase management through the kernel key management
APIs.
Signed-off-by: Dave Jiang
Reviewed-by: Dan Williams
---
drivers/nvdimm/Kconfig |1 +
drivers/nvdimm/core.c |7
"locked" state. The
order of testing DIMM unlocking would be.
1a. Disable DIMM X.
1b. Set Passphrase to DIMM X.
2. Write to
/sys/devices/platform/nfit_test.0/nfit_test_dimm/test_dimmX/lock_dimm
3. Re-enable DIMM X
4. Check DIMM X state via sysfs "security" attribute for nmemX.
Signed
Add overwrite command usages to security documentation.
Signed-off-by: Dave Jiang
---
Documentation/nvdimm/security.txt | 11 +++
1 file changed, 11 insertions(+)
diff --git a/Documentation/nvdimm/security.txt
b/Documentation/nvdimm/security.txt
index 50cbb6cb96a1..ded5f0e3f7c3
Adding sysfs notification for when overwrite has completed to allow
user monitoring app to be aware of overwrite completion status.
Signed-off-by: Dave Jiang
---
drivers/acpi/nfit/core.c |5 +
drivers/nvdimm/dimm_devs.c | 12
drivers/nvdimm/nd-core.h |1 +
include