Re: [PATCH v4 3/3] block: sed-opal: keystore access for SED Opal keys

Fri, 07 Oct 2022 18:45:56 -0700 

LGTM besides comment below

Reviewed-by: Jonathan Derrick <jonathan.derr...@linux.dev>

On 8/19/2022 4:31 PM, gjo...@linux.vnet.ibm.com wrote:
> From: Greg Joyce <gjo...@linux.vnet.ibm.com>
> 
> Allow for permanent SED authentication keys by
> reading/writing to the SED Opal non-volatile keystore.
> 
> Signed-off-by: Greg Joyce <gjo...@linux.vnet.ibm.com>
> ---
>  block/sed-opal.c | 18 ++++++++++++++++--
>  1 file changed, 16 insertions(+), 2 deletions(-)
> 
> diff --git a/block/sed-opal.c b/block/sed-opal.c
> index 3bdb31cf3e7c..11b0eb3a656b 100644
> --- a/block/sed-opal.c
> +++ b/block/sed-opal.c
> @@ -18,6 +18,7 @@
>  #include <linux/uaccess.h>
>  #include <uapi/linux/sed-opal.h>
>  #include <linux/sed-opal.h>
> +#include <linux/sed-opal-key.h>
>  #include <linux/string.h>
>  #include <linux/kdev_t.h>
>  #include <linux/key.h>
> @@ -2697,7 +2698,13 @@ static int opal_set_new_pw(struct opal_dev *dev, 
> struct opal_new_pw *opal_pw)
>       if (ret)
>               return ret;
>  
> -     /* update keyring with new password */
> +     /* update keyring and arch var with new password */
> +     ret = sed_write_key(OPAL_AUTH_KEY,
> +                         opal_pw->new_user_pw.opal_key.key,
> +                         opal_pw->new_user_pw.opal_key.key_len);
> +     if (ret != -EOPNOTSUPP)
> +             pr_warn("error updating SED key: %d\n", ret);
I cant see any reason this would fail and make the keys inconsistent, but it 
seems
like update_sed_opal_key() should be dependent on sed_write_key() succeeding

> +
>       ret = update_sed_opal_key(OPAL_AUTH_KEY,
>                                 opal_pw->new_user_pw.opal_key.key,
>                                 opal_pw->new_user_pw.opal_key.key_len);
> @@ -2920,6 +2927,8 @@ EXPORT_SYMBOL_GPL(sed_ioctl);
>  static int __init sed_opal_init(void)
>  {
>       struct key *kr;
> +     char init_sed_key[OPAL_KEY_MAX];
> +     int keylen = OPAL_KEY_MAX;
>  
>       kr = keyring_alloc(".sed_opal",
>                          GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
> @@ -2932,6 +2941,11 @@ static int __init sed_opal_init(void)
>  
>       sed_opal_keyring = kr;
>  
> -     return 0;
> +     if (sed_read_key(OPAL_AUTH_KEY, init_sed_key, &keylen) < 0) {
> +             memset(init_sed_key, '\0', sizeof(init_sed_key));
> +             keylen = OPAL_KEY_MAX;
> +     }
> +
> +     return update_sed_opal_key(OPAL_AUTH_KEY, init_sed_key, keylen);
>  }
>  late_initcall(sed_opal_init);

Reply via email to