acpi/nfit, libnvdimm: Add enable/update passphrase support for Intel nvdimms

Add support for enabling and updating passphrase on the Intel nvdimms. The passphrase is the an encrypted key in the kernel user keyring. We trigger the update via writing "update <old_keyid> <new_keyid>" to the sysfs attribute "security". If no <old_keyid> exists (for enabling security) then a 0 should be used. Signed-off-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2018-12-07 13:29:09 -07:00
parent 03b65b22ad
commit d2a4ac73f5
3 changed files with 69 additions and 7 deletions
--- a/drivers/nvdimm/dimm_devs.c
+++ b/drivers/nvdimm/dimm_devs.c
@@ -392,8 +392,9 @@ static ssize_t security_show(struct device *dev,
 }

 #define OPS						\
-	C( OP_FREEZE,        "freeze",        1),	\
-	C( OP_DISABLE,       "disable",       2)
+	C( OP_FREEZE,		"freeze",	1),	\
+	C( OP_DISABLE,		"disable",	2),	\
+	C( OP_UPDATE,		"update",	3)
 #undef C
 #define C(a, b, c) a
 enum nvdimmsec_op_ids { OPS };
@@ -444,6 +445,9 @@ static ssize_t __security_store(struct device *dev, const char *buf, size_t len)
 	} else if (i == OP_DISABLE) {
 		dev_dbg(dev, "disable %u\n", key);
 		rc = nvdimm_security_disable(nvdimm, key);
+	} else if (i == OP_UPDATE) {
+		dev_dbg(dev, "update %u %u\n", key, newkey);
+		rc = nvdimm_security_update(nvdimm, key, newkey);
 	} else
 		return -EINVAL;

@@ -493,7 +497,8 @@ static umode_t nvdimm_visible(struct kobject *kobj, struct attribute *a, int n)
 	if (nvdimm->sec.state < 0)
 		return 0;
 	/* Are there any state mutation ops? */
-	if (nvdimm->sec.ops->freeze || nvdimm->sec.ops->disable)
+	if (nvdimm->sec.ops->freeze || nvdimm->sec.ops->disable
+			|| nvdimm->sec.ops->change_key)
 		return a->mode;
 	return 0444;
 }