Re: [PATCH 3/4] block: sed-opal: keyring support for SED Opal keys


 



On 7/18/22 23:01, gjoyce@xxxxxxxxxxxxxxxxxx wrote:
From: Greg Joyce <gjoyce@xxxxxxxxxxxxxxxxxx>

Extend the SED block driver so it can alternatively
obtain a key from a sed-opal kernel keyring. The SED
ioctls will indicate the source of the key, either
directly in the ioctl data or from the keyring.

This allows the use of SED commands in scripts such as
udev scripts so that drives may be automatically unlocked
as they become available.

Signed-off-by: Greg Joyce <gjoyce@xxxxxxxxxxxxxxxxxx>
Reported-by: kernel test robot <lkp@xxxxxxxxx>
---
  block/Kconfig                 |   1 +
  block/sed-opal.c              | 198 +++++++++++++++++++++++++++++++++-
  include/linux/sed-opal.h      |   3 +
  include/uapi/linux/sed-opal.h |   8 +-
  4 files changed, 206 insertions(+), 4 deletions(-)

diff --git a/block/Kconfig b/block/Kconfig
index 50b17e260fa2..f65169e9356b 100644
--- a/block/Kconfig
+++ b/block/Kconfig
@@ -182,6 +182,7 @@ config BLK_DEBUG_FS_ZONED
config BLK_SED_OPAL
  	bool "Logic for interfacing with Opal enabled SEDs"
+	depends on KEYS
  	help
  	Builds Logic for interfacing with Opal enabled controllers.
  	Enabling this option enables users to setup/unlock/lock
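Review bot: `depends on KEYS` makes BLK_SED_OPAL vanish from an existing .config (and from menuconfig) on any kernel built without CONFIG_KEYS, so people who had Opal support without wanting the keyring lose it silently on the next olddefconfig. The dependency itself is necessary, since the key_alloc()/key_instantiate_and_link() calls added in sed-opal.c are unconditional, but `select KEYS` would keep the existing option working; whichever is chosen, the help text ("Builds Logic for interfacing with Opal enabled controllers.") should mention that the keys subsystem is now required and that keys can be supplied from the sed-opal keyring.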
diff --git a/block/sed-opal.c b/block/sed-opal.c
index feba36e54ae0..4cfc3458cba5 100644
--- a/block/sed-opal.c
+++ b/block/sed-opal.c
@@ -20,6 +20,10 @@
  #include <linux/sed-opal.h>
  #include <linux/string.h>
  #include <linux/kdev_t.h>
+#include <linux/key.h>
+#include <linux/key-type.h>
+#include <linux/arch_vars.h>
+#include <keys/user-type.h>
#include "opal_proto.h" @@ -29,6 +33,8 @@
  /* Number of bytes needed by cmd_finalize. */
  #define CMD_FINALIZE_BYTES_NEEDED 7
+static struct key *sed_opal_keyring;
+
  struct opal_step {
  	int (*fn)(struct opal_dev *dev, void *data);
  	void *data;
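Review bot: `#include <linux/arch_vars.h>` has no user in any visible hunk; the new code only needs linux/key.h, linux/key-type.h and keys/user-type.h for key_alloc(), key_type_user and key_instantiate_and_link(). If it is there for a platform-specific key source that lives in the non-visible part of the series, it belongs next to that code under its own config guard rather than in the common include list, otherwise it should be dropped. In the `@@ -29,6 +33,8 @@` hunk, `static struct key *sed_opal_keyring;` is one global keyring shared by every Opal device, and update_sed_opal_key() below returns -ENOKEY whenever it is NULL; the allocation site is not in the visible part of the patch, so please say in the commit message what happens when keyring creation fails at init (does the ioctl fall back to the in-band key, or does every keyring-sourced request fail?).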
@@ -266,6 +272,107 @@ static void print_buffer(const u8 *ptr, u32 length)
  #endif
  }
+/*
+ * Allocate/update a SED Opal key and add it to the SED Opal keyring.
+ */
+static int update_sed_opal_key(const char *desc, u_char *key_data, int keylen)
+{
+	int ret;
+	struct key *key;
+
+	if (!sed_opal_keyring)
+		return -ENOKEY;
+
+	key = key_alloc(&key_type_user, desc, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
+			current_cred(),
+			KEY_USR_VIEW | KEY_USR_SEARCH | KEY_USR_WRITE,
+			0,
+			NULL);
+	if (IS_ERR(key))
+		return PTR_ERR(key);
+
+	ret = key_instantiate_and_link(key, key_data, keylen,
+				       sed_opal_keyring, NULL);
+	key_put(key);
+

Maybe you should consider 'key_create_or_update()' here, as it combines both operations. Also the 'key_instantiate_and_link()' operation will always insert the key, so you might end up with key duplicates.

Cheers,

Hannes
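The duplicate-key point in the reply above, as an added example that is not code from the patch, the sed-opal driver or the kernel keys API: a user-space C model in which key_instantiate_and_link() is represented by "always link a new key" and key_create_or_update() by "replace the payload of the key with the same description, else link one". The lookup is assumed to return the first matching key, standing in for keyring_search(); every type and function name here is invented for the model, and the description "sed-opal:nvme0n1" and the two passwords are constructed values.

```c
/* Added example (not kernel or sed-opal code): a user-space model of the two
 * keyring paths in the review.  All names are invented for the model; the
 * search is assumed to return the first match, standing in for
 * keyring_search(); "sed-opal:nvme0n1" and the passwords are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS    8
#define DESC_LEN    32
#define PAYLOAD_LEN 32

struct model_key {
	char desc[DESC_LEN];
	unsigned char payload[PAYLOAD_LEN];
	size_t len;
};

struct model_keyring {
	struct model_key keys[MAX_KEYS];
	size_t count;
};

typedef int (*store_fn)(struct model_keyring *, const char *,
			const unsigned char *, size_t);

/* Index of the first key with this description, or -1: models the lookup. */
static int find(const struct model_keyring *kr, const char *desc)
{
	size_t i;

	for (i = 0; i < kr->count; i++)
		if (strcmp(kr->keys[i].desc, desc) == 0)
			return (int)i;
	return -1;
}

/* Models key_alloc() + key_instantiate_and_link(): always links a new key,
 * even when one with the same description is already in the keyring. */
static int link_always(struct model_keyring *kr, const char *desc,
		       const unsigned char *payload, size_t len)
{
	struct model_key *k;

	if (kr->count >= MAX_KEYS || len > PAYLOAD_LEN)
		return -1;
	k = &kr->keys[kr->count++];
	snprintf(k->desc, sizeof(k->desc), "%s", desc);
	memcpy(k->payload, payload, len);
	k->len = len;
	return 0;
}

/* Models key_create_or_update(): replace the payload of the existing key
 * with this description, otherwise link a new one. */
static int create_or_update(struct model_keyring *kr, const char *desc,
			    const unsigned char *payload, size_t len)
{
	int i = find(kr, desc);

	if (i < 0)
		return link_always(kr, desc, payload, len);
	if (len > PAYLOAD_LEN)
		return -1;
	memcpy(kr->keys[i].payload, payload, len);
	kr->keys[i].len = len;
	return 0;
}

static const char DRIVE[] = "sed-opal:nvme0n1";        /* constructed */
static const unsigned char OLD_PW[] = "constructed-old-pw";
static const unsigned char NEW_PW[] = "constructed-new-pw";

/* Store the drive password, then rotate it under the same description. */
static void rotate(struct model_keyring *kr, store_fn store)
{
	memset(kr, 0, sizeof(*kr));
	store(kr, DRIVE, OLD_PW, sizeof(OLD_PW));
	store(kr, DRIVE, NEW_PW, sizeof(NEW_PW));
}

/* 1 if a lookup after rotation yields the new password, 0 if the stale one. */
static int rotation_visible(store_fn store)
{
	struct model_keyring kr;
	int i;

	rotate(&kr, store);
	i = find(&kr, DRIVE);
	return i >= 0 && kr.keys[i].len == sizeof(NEW_PW) &&
	       memcmp(kr.keys[i].payload, NEW_PW, sizeof(NEW_PW)) == 0;
}

/* Number of keys for the drive after rotation: 2 means a duplicate. */
static size_t keys_after_rotation(store_fn store)
{
	struct model_keyring kr;

	rotate(&kr, store);
	return kr.count;
}
```

With the "always link" path the keyring ends up holding two keys for the same drive and the lookup returns the stale password, so an unlock attempted after a password change would use the wrong credential; in the real keyring which of the duplicates a search returns is up to keyring_search(), so the result is not even predictable. The create-or-update path leaves exactly one key and the lookup sees the new payload, which is why the reply suggests key_create_or_update() for a function whose job is to update.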



