aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/nvdimm/security.c
diff options
context:
space:
mode:
authorDave Jiang <dave.jiang@intel.com>2018-12-07 14:02:12 -0700
committerDan Williams <dan.j.williams@intel.com>2018-12-21 12:44:41 -0800
commit64e77c8c047fb91ea8c7800c1238108a72f0bf9c (patch)
tree59aef33ac371f18b005319560addc9c9c85dea9b /drivers/nvdimm/security.c
parentacpi/nfit, libnvdimm: Add enable/update passphrase support for Intel nvdimms (diff)
downloadlinux-dev-64e77c8c047fb91ea8c7800c1238108a72f0bf9c.tar.xz
linux-dev-64e77c8c047fb91ea8c7800c1238108a72f0bf9c.zip
acpi/nfit, libnvdimm: Add support for issue secure erase DSM to Intel nvdimm
Add support to issue a secure erase DSM to the Intel nvdimm. The required passphrase is acquired from an encrypted key in the kernel user keyring. To trigger the action, "erase <keyid>" is written to the "security" sysfs attribute. Signed-off-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Diffstat (limited to 'drivers/nvdimm/security.c')
-rw-r--r--drivers/nvdimm/security.c41
1 files changed, 41 insertions, 0 deletions
diff --git a/drivers/nvdimm/security.c b/drivers/nvdimm/security.c
index df7f070e96fb..05677be3c0dd 100644
--- a/drivers/nvdimm/security.c
+++ b/drivers/nvdimm/security.c
@@ -33,6 +33,9 @@ static void *key_data(struct key *key)
static void nvdimm_put_key(struct key *key)
{
+ if (!key)
+ return;
+
up_read(&key->sem);
key_put(key);
}
@@ -259,3 +262,41 @@ int nvdimm_security_update(struct nvdimm *nvdimm, unsigned int keyid,
nvdimm->sec.state = nvdimm_security_state(nvdimm);
return rc;
}
+
+int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid)
+{
+ struct device *dev = &nvdimm->dev;
+ struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
+ struct key *key;
+ int rc;
+
+ /* The bus lock should be held at the top level of the call stack */
+ lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
+
+ if (!nvdimm->sec.ops || !nvdimm->sec.ops->erase
+ || nvdimm->sec.state < 0)
+ return -EOPNOTSUPP;
+
+ if (atomic_read(&nvdimm->busy)) {
+ dev_warn(dev, "Unable to secure erase while DIMM active.\n");
+ return -EBUSY;
+ }
+
+ if (nvdimm->sec.state >= NVDIMM_SECURITY_FROZEN) {
+ dev_warn(dev, "Incorrect security state: %d\n",
+ nvdimm->sec.state);
+ return -EIO;
+ }
+
+ key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY);
+ if (!key)
+ return -ENOKEY;
+
+ rc = nvdimm->sec.ops->erase(nvdimm, key_data(key));
+ dev_dbg(dev, "key: %d erase: %s\n", key_serial(key),
+ rc == 0 ? "success" : "fail");
+
+ nvdimm_put_key(key);
+ nvdimm->sec.state = nvdimm_security_state(nvdimm);
+ return rc;
+}