On Fri, 2022-12-02 at 07:56 +0100, Hannes Reinecke wrote:
> On 12/1/22 19:03, Greg Joyce wrote:
> > On Wed, 2022-11-30 at 08:00 +0100, Hannes Reinecke wrote:
> > > On 11/30/22 00:25, gjoyce@xxxxxxxxxxxxxxxxxx wrote:
> > > > From: Greg Joyce <gjoyce@xxxxxxxxxxxxxxxxxx>
> > > >
> > > > Extend the SED block driver so it can alternatively
> > > > obtain a key from a sed-opal kernel keyring. The SED
> > > > ioctls will indicate the source of the key, either
> > > > directly in the ioctl data or from the keyring.
> > > >
> > > > This allows the use of SED commands in scripts such as
> > > > udev scripts so that drives may be automatically unlocked
> > > > as they become available.
> > > >
> > > > Signed-off-by: Greg Joyce <gjoyce@xxxxxxxxxxxxxxxxxx>
> > > > Reviewed-by: Jonathan Derrick <jonathan.derrick@xxxxxxxxx>
> > > > ---
> > > > block/Kconfig | 1 +
> > > > block/sed-opal.c | 174 +++++++++++++++++++++++++++++++++-
> > > > include/linux/sed-opal.h | 3 +
> > > > include/uapi/linux/sed-opal.h | 8 +-
> > > > 4 files changed, 183 insertions(+), 3 deletions(-)
> > > >
> > > > + ret = opal_get_key(dev, &opal_lrs->session.opal_key);
> > > > + if (ret)
> > > > + return ret;
> > > > mutex_lock(&dev->dev_lock);
> > > > setup_opal_dev(dev);
> > > > ret = execute_steps(dev, lr_steps,
> > > > ARRAY_SIZE(lr_steps));
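Review bot: in this hunk the key resolved by opal_get_key() is left in the caller-supplied opal_lrs->session.opal_key after execute_steps() has run, so keyring-derived key material now outlives its use in that buffer; consider clearing it (e.g. memzero_explicit() on opal_lrs->session.opal_key) once the steps complete. The early `if (ret) return ret;` sits before mutex_lock(&dev->dev_lock), so no unlock is needed on that path.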
> > > > @@ -2622,6 +2759,14 @@ static int opal_set_new_pw(struct
> > > > opal_dev
> > > > *dev, struct opal_new_pw *opal_pw)
> > > > ret = execute_steps(dev, pw_steps,
> > > > ARRAY_SIZE(pw_steps));
> > > > mutex_unlock(&dev->dev_lock);
> > > >
> > > > + if (ret)
> > > > + return ret;
> > > > +
> > > > + /* update keyring with new password */
> > > > + ret = update_sed_opal_key(OPAL_AUTH_KEY,
> > > > + opal_pw-
> > > > >new_user_pw.opal_key.key,
> > > > + opal_pw-
> > > > > new_user_pw.opal_key.key_len);
> > > > +
> > > > return ret;
> > > > }
> > > >
> > > What about key revocation?
> > > You only allow to set a new key, but what happens with the old
> > > ones?
> >
> > My understanding was that key_create_or_update() would not allow
> > duplicates so there shouldn't be old ones. Is that incorrect?
> >
> Ah, right, you only have one key.
> But still, you might want to revoke that one, too, no?
> (Think of decommissioning old drives ...)
>
> Cheers,
>
> Hannes

SED Opal allows for disabling locking on a SED drive. Both sedcli and sedutil have commands to support this. This is the method for drive decommissioning (un-provisioning). There is also a mechanism to cryptographically erase the data on the drive if that is desired.
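Review bot: in the opal_set_new_pw() hunk, when execute_steps() succeeds but update_sed_opal_key() fails, the drive already carries the new password while the keyring still holds the old one, and the caller only sees an error it cannot tell apart from a failed password change; at minimum log that the device password was changed but the keyring entry is stale (a pr_warn() before the final `return ret;`), so an operator knows to refresh the keyring rather than retry with the old password.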