[PATCH] sed-opal: if key is available from IOC_OPAL_SAVE use it when locking

luca.boccassi@xxxxxxxxx · Fri, 2 Dec 2022 00:36:10 +0000

From: Luca Boccassi <bluca@xxxxxxxxxx>

Usually when closing a crypto device (eg: dm-crypt with LUKS) the
volume key is not required, as it requires root privileges anyway, and
root can deny access to a disk in many ways regardless. Requiring the
volume key to lock the device is a peculiarity of the OPAL
specification.

Given we might already have saved the key if the user requested it via
the 'IOC_OPAL_SAVE' ioctl, we can use that key to lock the device if no
key was provided here and the locking range matches. This allows
integrating OPAL with tools and libraries that are used to the common
behaviour and do not ask for the volume key when closing a device.

If the caller provides a key on the other hand it will still be used as
before, no changes in that case.

Suggested-by: Štěpán Horáček <stepan.horacek@xxxxxxxxx>
Signed-off-by: Luca Boccassi <bluca@xxxxxxxxxx>
---
 block/sed-opal.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/block/sed-opal.c b/block/sed-opal.c
index 9bdb833e5817..b54bb76e4484 100644
--- a/block/sed-opal.c
+++ b/block/sed-opal.c
@@ -2470,6 +2470,35 @@ static int opal_lock_unlock(struct opal_dev *dev,
 		return -EINVAL;
 
 	mutex_lock(&dev->dev_lock);
+
+	/*
+	 * Usually when closing a crypto device (eg: dm-crypt with LUKS) the volume key
+	 * is not required, as it requires root privileges anyway, and root can deny
+	 * access to a disk in many ways regardless. Requiring the volume key to lock
+	 * the device is a peculiarity of the OPAL specification.
+	 * Given we might already have saved the key if the user requested it via the
+	 * 'IOC_OPAL_SAVE' ioctl, we can use that key to lock the device if no key was
+	 * provided here and the locking range matches. This allows integrating OPAL
+	 * with tools and libraries that are used to the common behaviour and do not
+	 * ask for the volume key when closing a device.
+	 */
+	if (lk_unlk->l_state == OPAL_LK && lk_unlk->session.opal_key.key_len == 0) {
+		struct opal_suspend_data *iter;
+
+		setup_opal_dev(dev);
+		list_for_each_entry(iter, &dev->unlk_lst, node) {
+			if (iter->lr == lk_unlk->session.opal_key.lr &&
+					iter->unlk.session.opal_key.key_len > 0) {
+				lk_unlk->session.opal_key.key_len =
+					iter->unlk.session.opal_key.key_len;
+				memcpy(lk_unlk->session.opal_key.key,
+					iter->unlk.session.opal_key.key,
+					iter->unlk.session.opal_key.key_len);
+				break;
+			}
+		}
+	}
+
 	ret = __opal_lock_unlock(dev, lk_unlk);
 	mutex_unlock(&dev->dev_lock);
 
-- 
2.35.1







