search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 5.1.15
[linux/fpc-iii.git] / drivers / nvdimm / security.c
bloba570f2263a424e96908c559750454a086a3df3e2
1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright(c) 2018 Intel Corporation. All rights reserved. */
3
4 #include <linux/module.h>
5 #include <linux/device.h>
6 #include <linux/ndctl.h>
7 #include <linux/slab.h>
8 #include <linux/io.h>
9 #include <linux/mm.h>
10 #include <linux/cred.h>
11 #include <linux/key.h>
12 #include <linux/key-type.h>
13 #include <keys/user-type.h>
14 #include <keys/encrypted-type.h>
15 #include "nd-core.h"
16 #include "nd.h"
17
18 #define NVDIMM_BASE_KEY 0
19 #define NVDIMM_NEW_KEY 1
20
21 static bool key_revalidate = true;
22 module_param(key_revalidate, bool, 0444);
23 MODULE_PARM_DESC(key_revalidate, "Require key validation at init.");
24
25 static const char zero_key[NVDIMM_PASSPHRASE_LEN];
26
27 static void *key_data(struct key *key)
28 {
29 struct encrypted_key_payload *epayload = dereference_key_locked(key);
30
31 lockdep_assert_held_read(&key->sem);
32
33 return epayload->decrypted_data;
34 }
35
36 static void nvdimm_put_key(struct key *key)
37 {
38 if (!key)
39 return;
40
41 up_read(&key->sem);
42 key_put(key);
43 }
44
45 /*
46 * Retrieve kernel key for DIMM and request from user space if
47 * necessary. Returns a key held for read and must be put by
48 * nvdimm_put_key() before the usage goes out of scope.
49 */
50 static struct key *nvdimm_request_key(struct nvdimm *nvdimm)
51 {
52 struct key *key = NULL;
53 static const char NVDIMM_PREFIX[] = "nvdimm:";
54 char desc[NVDIMM_KEY_DESC_LEN + sizeof(NVDIMM_PREFIX)];
55 struct device *dev = &nvdimm->dev;
56
57 sprintf(desc, "%s%s", NVDIMM_PREFIX, nvdimm->dimm_id);
58 key = request_key(&key_type_encrypted, desc, "");
59 if (IS_ERR(key)) {
60 if (PTR_ERR(key) == -ENOKEY)
61 dev_dbg(dev, "request_key() found no key\n");
62 else
63 dev_dbg(dev, "request_key() upcall failed\n");
64 key = NULL;
65 } else {
66 struct encrypted_key_payload *epayload;
67
68 down_read(&key->sem);
69 epayload = dereference_key_locked(key);
70 if (epayload->decrypted_datalen != NVDIMM_PASSPHRASE_LEN) {
71 up_read(&key->sem);
72 key_put(key);
73 key = NULL;
74 }
75 }
76
77 return key;
78 }
79
80 static const void *nvdimm_get_key_payload(struct nvdimm *nvdimm,
81 struct key **key)
82 {
83 *key = nvdimm_request_key(nvdimm);
84 if (!*key)
85 return zero_key;
86
87 return key_data(*key);
88 }
89
90 static struct key *nvdimm_lookup_user_key(struct nvdimm *nvdimm,
91 key_serial_t id, int subclass)
92 {
93 key_ref_t keyref;
94 struct key *key;
95 struct encrypted_key_payload *epayload;
96 struct device *dev = &nvdimm->dev;
97
98 keyref = lookup_user_key(id, 0, 0);
99 if (IS_ERR(keyref))
100 return NULL;
101
102 key = key_ref_to_ptr(keyref);
103 if (key->type != &key_type_encrypted) {
104 key_put(key);
105 return NULL;
106 }
107
108 dev_dbg(dev, "%s: key found: %#x\n", __func__, key_serial(key));
109
110 down_read_nested(&key->sem, subclass);
111 epayload = dereference_key_locked(key);
112 if (epayload->decrypted_datalen != NVDIMM_PASSPHRASE_LEN) {
113 up_read(&key->sem);
114 key_put(key);
115 key = NULL;
116 }
117 return key;
118 }
119
120 static const void *nvdimm_get_user_key_payload(struct nvdimm *nvdimm,
121 key_serial_t id, int subclass, struct key **key)
122 {
123 *key = NULL;
124 if (id == 0) {
125 if (subclass == NVDIMM_BASE_KEY)
126 return zero_key;
127 else
128 return NULL;
129 }
130
131 *key = nvdimm_lookup_user_key(nvdimm, id, subclass);
132 if (!*key)
133 return NULL;
134
135 return key_data(*key);
136 }
137
138
139 static int nvdimm_key_revalidate(struct nvdimm *nvdimm)
140 {
141 struct key *key;
142 int rc;
143 const void *data;
144
145 if (!nvdimm->sec.ops->change_key)
146 return -EOPNOTSUPP;
147
148 data = nvdimm_get_key_payload(nvdimm, &key);
149
150 /*
151 * Send the same key to the hardware as new and old key to
152 * verify that the key is good.
153 */
154 rc = nvdimm->sec.ops->change_key(nvdimm, data, data, NVDIMM_USER);
155 if (rc < 0) {
156 nvdimm_put_key(key);
157 return rc;
158 }
159
160 nvdimm_put_key(key);
161 nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);
162 return 0;
163 }
164
165 static int __nvdimm_security_unlock(struct nvdimm *nvdimm)
166 {
167 struct device *dev = &nvdimm->dev;
168 struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
169 struct key *key;
170 const void *data;
171 int rc;
172
173 /* The bus lock should be held at the top level of the call stack */
174 lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
175
176 if (!nvdimm->sec.ops || !nvdimm->sec.ops->unlock
177 || nvdimm->sec.state < 0)
178 return -EIO;
179
180 if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
181 dev_dbg(dev, "Security operation in progress.\n");
182 return -EBUSY;
183 }
184
185 /*
186 * If the pre-OS has unlocked the DIMM, attempt to send the key
187 * from request_key() to the hardware for verification. Failure
188 * to revalidate the key against the hardware results in a
189 * freeze of the security configuration. I.e. if the OS does not
190 * have the key, security is being managed pre-OS.
191 */
192 if (nvdimm->sec.state == NVDIMM_SECURITY_UNLOCKED) {
193 if (!key_revalidate)
194 return 0;
195
196 return nvdimm_key_revalidate(nvdimm);
197 } else
198 data = nvdimm_get_key_payload(nvdimm, &key);
199
200 rc = nvdimm->sec.ops->unlock(nvdimm, data);
201 dev_dbg(dev, "key: %d unlock: %s\n", key_serial(key),
202 rc == 0 ? "success" : "fail");
203
204 nvdimm_put_key(key);
205 nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);
206 return rc;
207 }
208
209 int nvdimm_security_unlock(struct device *dev)
210 {
211 struct nvdimm *nvdimm = to_nvdimm(dev);
212 int rc;
213
214 nvdimm_bus_lock(dev);
215 rc = __nvdimm_security_unlock(nvdimm);
216 nvdimm_bus_unlock(dev);
217 return rc;
218 }
219
220 int nvdimm_security_disable(struct nvdimm *nvdimm, unsigned int keyid)
221 {
222 struct device *dev = &nvdimm->dev;
223 struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
224 struct key *key;
225 int rc;
226 const void *data;
227
228 /* The bus lock should be held at the top level of the call stack */
229 lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
230
231 if (!nvdimm->sec.ops || !nvdimm->sec.ops->disable
232 || nvdimm->sec.state < 0)
233 return -EOPNOTSUPP;
234
235 if (nvdimm->sec.state >= NVDIMM_SECURITY_FROZEN) {
236 dev_dbg(dev, "Incorrect security state: %d\n",
237 nvdimm->sec.state);
238 return -EIO;
239 }
240
241 if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
242 dev_dbg(dev, "Security operation in progress.\n");
243 return -EBUSY;
244 }
245
246 data = nvdimm_get_user_key_payload(nvdimm, keyid,
247 NVDIMM_BASE_KEY, &key);
248 if (!data)
249 return -ENOKEY;
250
251 rc = nvdimm->sec.ops->disable(nvdimm, data);
252 dev_dbg(dev, "key: %d disable: %s\n", key_serial(key),
253 rc == 0 ? "success" : "fail");
254
255 nvdimm_put_key(key);
256 nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);
257 return rc;
258 }
259
260 int nvdimm_security_update(struct nvdimm *nvdimm, unsigned int keyid,
261 unsigned int new_keyid,
262 enum nvdimm_passphrase_type pass_type)
263 {
264 struct device *dev = &nvdimm->dev;
265 struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
266 struct key *key, *newkey;
267 int rc;
268 const void *data, *newdata;
269
270 /* The bus lock should be held at the top level of the call stack */
271 lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
272
273 if (!nvdimm->sec.ops || !nvdimm->sec.ops->change_key
274 || nvdimm->sec.state < 0)
275 return -EOPNOTSUPP;
276
277 if (nvdimm->sec.state >= NVDIMM_SECURITY_FROZEN) {
278 dev_dbg(dev, "Incorrect security state: %d\n",
279 nvdimm->sec.state);
280 return -EIO;
281 }
282
283 data = nvdimm_get_user_key_payload(nvdimm, keyid,
284 NVDIMM_BASE_KEY, &key);
285 if (!data)
286 return -ENOKEY;
287
288 newdata = nvdimm_get_user_key_payload(nvdimm, new_keyid,
289 NVDIMM_NEW_KEY, &newkey);
290 if (!newdata) {
291 nvdimm_put_key(key);
292 return -ENOKEY;
293 }
294
295 rc = nvdimm->sec.ops->change_key(nvdimm, data, newdata, pass_type);
296 dev_dbg(dev, "key: %d %d update%s: %s\n",
297 key_serial(key), key_serial(newkey),
298 pass_type == NVDIMM_MASTER ? "(master)" : "(user)",
299 rc == 0 ? "success" : "fail");
300
301 nvdimm_put_key(newkey);
302 nvdimm_put_key(key);
303 if (pass_type == NVDIMM_MASTER)
304 nvdimm->sec.ext_state = nvdimm_security_state(nvdimm,
305 NVDIMM_MASTER);
306 else
307 nvdimm->sec.state = nvdimm_security_state(nvdimm,
308 NVDIMM_USER);
309 return rc;
310 }
311
312 int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid,
313 enum nvdimm_passphrase_type pass_type)
314 {
315 struct device *dev = &nvdimm->dev;
316 struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
317 struct key *key = NULL;
318 int rc;
319 const void *data;
320
321 /* The bus lock should be held at the top level of the call stack */
322 lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
323
324 if (!nvdimm->sec.ops || !nvdimm->sec.ops->erase
325 || nvdimm->sec.state < 0)
326 return -EOPNOTSUPP;
327
328 if (atomic_read(&nvdimm->busy)) {
329 dev_dbg(dev, "Unable to secure erase while DIMM active.\n");
330 return -EBUSY;
331 }
332
333 if (nvdimm->sec.state >= NVDIMM_SECURITY_FROZEN) {
334 dev_dbg(dev, "Incorrect security state: %d\n",
335 nvdimm->sec.state);
336 return -EIO;
337 }
338
339 if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
340 dev_dbg(dev, "Security operation in progress.\n");
341 return -EBUSY;
342 }
343
344 if (nvdimm->sec.ext_state != NVDIMM_SECURITY_UNLOCKED
345 && pass_type == NVDIMM_MASTER) {
346 dev_dbg(dev,
347 "Attempt to secure erase in wrong master state.\n");
348 return -EOPNOTSUPP;
349 }
350
351 data = nvdimm_get_user_key_payload(nvdimm, keyid,
352 NVDIMM_BASE_KEY, &key);
353 if (!data)
354 return -ENOKEY;
355
356 rc = nvdimm->sec.ops->erase(nvdimm, data, pass_type);
357 dev_dbg(dev, "key: %d erase%s: %s\n", key_serial(key),
358 pass_type == NVDIMM_MASTER ? "(master)" : "(user)",
359 rc == 0 ? "success" : "fail");
360
361 nvdimm_put_key(key);
362 nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);
363 return rc;
364 }
365
366 int nvdimm_security_overwrite(struct nvdimm *nvdimm, unsigned int keyid)
367 {
368 struct device *dev = &nvdimm->dev;
369 struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
370 struct key *key = NULL;
371 int rc;
372 const void *data;
373
374 /* The bus lock should be held at the top level of the call stack */
375 lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
376
377 if (!nvdimm->sec.ops || !nvdimm->sec.ops->overwrite
378 || nvdimm->sec.state < 0)
379 return -EOPNOTSUPP;
380
381 if (atomic_read(&nvdimm->busy)) {
382 dev_dbg(dev, "Unable to overwrite while DIMM active.\n");
383 return -EBUSY;
384 }
385
386 if (dev->driver == NULL) {
387 dev_dbg(dev, "Unable to overwrite while DIMM active.\n");
388 return -EINVAL;
389 }
390
391 if (nvdimm->sec.state >= NVDIMM_SECURITY_FROZEN) {
392 dev_dbg(dev, "Incorrect security state: %d\n",
393 nvdimm->sec.state);
394 return -EIO;
395 }
396
397 if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
398 dev_dbg(dev, "Security operation in progress.\n");
399 return -EBUSY;
400 }
401
402 data = nvdimm_get_user_key_payload(nvdimm, keyid,
403 NVDIMM_BASE_KEY, &key);
404 if (!data)
405 return -ENOKEY;
406
407 rc = nvdimm->sec.ops->overwrite(nvdimm, data);
408 dev_dbg(dev, "key: %d overwrite submission: %s\n", key_serial(key),
409 rc == 0 ? "success" : "fail");
410
411 nvdimm_put_key(key);
412 if (rc == 0) {
413 set_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags);
414 set_bit(NDD_WORK_PENDING, &nvdimm->flags);
415 nvdimm->sec.state = NVDIMM_SECURITY_OVERWRITE;
416 /*
417 * Make sure we don't lose device while doing overwrite
418 * query.
419 */
420 get_device(dev);
421 queue_delayed_work(system_wq, &nvdimm->dwork, 0);
422 }
423
424 return rc;
425 }
426
427 void __nvdimm_security_overwrite_query(struct nvdimm *nvdimm)
428 {
429 struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nvdimm->dev);
430 int rc;
431 unsigned int tmo;
432
433 /* The bus lock should be held at the top level of the call stack */
434 lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
435
436 /*
437 * Abort and release device if we no longer have the overwrite
438 * flag set. It means the work has been canceled.
439 */
440 if (!test_bit(NDD_WORK_PENDING, &nvdimm->flags))
441 return;
442
443 tmo = nvdimm->sec.overwrite_tmo;
444
445 if (!nvdimm->sec.ops || !nvdimm->sec.ops->query_overwrite
446 || nvdimm->sec.state < 0)
447 return;
448
449 rc = nvdimm->sec.ops->query_overwrite(nvdimm);
450 if (rc == -EBUSY) {
451
452 /* setup delayed work again */
453 tmo += 10;
454 queue_delayed_work(system_wq, &nvdimm->dwork, tmo * HZ);
455 nvdimm->sec.overwrite_tmo = min(15U * 60U, tmo);
456 return;
457 }
458
459 if (rc < 0)
460 dev_dbg(&nvdimm->dev, "overwrite failed\n");
461 else
462 dev_dbg(&nvdimm->dev, "overwrite completed\n");
463
464 if (nvdimm->sec.overwrite_state)
465 sysfs_notify_dirent(nvdimm->sec.overwrite_state);
466 nvdimm->sec.overwrite_tmo = 0;
467 clear_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags);
468 clear_bit(NDD_WORK_PENDING, &nvdimm->flags);
469 put_device(&nvdimm->dev);
470 nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);
471 nvdimm->sec.ext_state = nvdimm_security_state(nvdimm, NVDIMM_MASTER);
472 }
473
474 void nvdimm_security_overwrite_query(struct work_struct *work)
475 {
476 struct nvdimm *nvdimm =
477 container_of(work, typeof(*nvdimm), dwork.work);
478
479 nvdimm_bus_lock(&nvdimm->dev);
480 __nvdimm_security_overwrite_query(nvdimm);
481 nvdimm_bus_unlock(&nvdimm->dev);
482 }
Linux with added FPC-III support