1 // SPDX-License-Identifier: GPL-2.0
12 #include <linux/key-type.h>
13 #include <keys/user-type.h>
14 #include <keys/encrypted-type.h>
15 #include "nd-core.h"
31 lockdep_assert_held_read(&key->sem); in key_data()
33 return epayload->decrypted_data; in key_data()
41 up_read(&key->sem); in nvdimm_put_key()
55 struct device *dev = &nvdimm->dev; in nvdimm_request_key()
57 sprintf(desc, "%s%s", NVDIMM_PREFIX, nvdimm->dimm_id); in nvdimm_request_key()
60 if (PTR_ERR(key) == -ENOKEY) in nvdimm_request_key()
68 down_read(&key->sem); in nvdimm_request_key()
70 if (epayload->decrypted_datalen != NVDIMM_PASSPHRASE_LEN) { in nvdimm_request_key()
71 up_read(&key->sem); in nvdimm_request_key()
96 struct device *dev = &nvdimm->dev; in nvdimm_lookup_user_key()
103 if (key->type != &key_type_encrypted) { in nvdimm_lookup_user_key()
110 down_read_nested(&key->sem, subclass); in nvdimm_lookup_user_key()
112 if (epayload->decrypted_datalen != NVDIMM_PASSPHRASE_LEN) { in nvdimm_lookup_user_key()
113 up_read(&key->sem); in nvdimm_lookup_user_key()
145 if (!nvdimm->sec.ops->change_key) in nvdimm_key_revalidate()
146 return -EOPNOTSUPP; in nvdimm_key_revalidate()
154 rc = nvdimm->sec.ops->change_key(nvdimm, data, data, NVDIMM_USER); in nvdimm_key_revalidate()
161 nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER); in nvdimm_key_revalidate()
167 struct device *dev = &nvdimm->dev; in __nvdimm_security_unlock()
174 lockdep_assert_held(&nvdimm_bus->reconfig_mutex); in __nvdimm_security_unlock()
176 if (!nvdimm->sec.ops || !nvdimm->sec.ops->unlock in __nvdimm_security_unlock()
177 || !nvdimm->sec.flags) in __nvdimm_security_unlock()
178 return -EIO; in __nvdimm_security_unlock()
181 if (test_bit(NVDIMM_SECURITY_DISABLED, &nvdimm->sec.flags)) in __nvdimm_security_unlock()
184 if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) { in __nvdimm_security_unlock()
186 return -EBUSY; in __nvdimm_security_unlock()
190 * If the pre-OS has unlocked the DIMM, attempt to send the key in __nvdimm_security_unlock()
194 * have the key, security is being managed pre-OS. in __nvdimm_security_unlock()
196 if (test_bit(NVDIMM_SECURITY_UNLOCKED, &nvdimm->sec.flags)) { in __nvdimm_security_unlock()
204 rc = nvdimm->sec.ops->unlock(nvdimm, data); in __nvdimm_security_unlock()
205 dev_dbg(dev, "key: %d unlock: %s\n", key_serial(key), in __nvdimm_security_unlock()
209 nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER); in __nvdimm_security_unlock()
226 struct device *dev = &nvdimm->dev; in check_security_state()
228 if (test_bit(NVDIMM_SECURITY_FROZEN, &nvdimm->sec.flags)) { in check_security_state()
230 nvdimm->sec.flags); in check_security_state()
231 return -EIO; in check_security_state()
234 if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) { in check_security_state()
236 return -EBUSY; in check_security_state()
244 struct device *dev = &nvdimm->dev; in security_disable()
251 lockdep_assert_held(&nvdimm_bus->reconfig_mutex); in security_disable()
253 if (!nvdimm->sec.ops || !nvdimm->sec.ops->disable in security_disable()
254 || !nvdimm->sec.flags) in security_disable()
255 return -EOPNOTSUPP; in security_disable()
264 return -ENOKEY; in security_disable()
266 rc = nvdimm->sec.ops->disable(nvdimm, data); in security_disable()
271 nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER); in security_disable()
279 struct device *dev = &nvdimm->dev; in security_update()
286 lockdep_assert_held(&nvdimm_bus->reconfig_mutex); in security_update()
288 if (!nvdimm->sec.ops || !nvdimm->sec.ops->change_key in security_update()
289 || !nvdimm->sec.flags) in security_update()
290 return -EOPNOTSUPP; in security_update()
299 return -ENOKEY; in security_update()
305 return -ENOKEY; in security_update()
308 rc = nvdimm->sec.ops->change_key(nvdimm, data, newdata, pass_type); in security_update()
317 nvdimm->sec.ext_flags = nvdimm_security_flags(nvdimm, in security_update()
320 nvdimm->sec.flags = nvdimm_security_flags(nvdimm, in security_update()
328 struct device *dev = &nvdimm->dev; in security_erase()
335 lockdep_assert_held(&nvdimm_bus->reconfig_mutex); in security_erase()
337 if (!nvdimm->sec.ops || !nvdimm->sec.ops->erase in security_erase()
338 || !nvdimm->sec.flags) in security_erase()
339 return -EOPNOTSUPP; in security_erase()
345 if (!test_bit(NVDIMM_SECURITY_UNLOCKED, &nvdimm->sec.ext_flags) in security_erase()
349 return -EOPNOTSUPP; in security_erase()
355 return -ENOKEY; in security_erase()
357 rc = nvdimm->sec.ops->erase(nvdimm, data, pass_type); in security_erase()
363 nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER); in security_erase()
369 struct device *dev = &nvdimm->dev; in security_overwrite()
376 lockdep_assert_held(&nvdimm_bus->reconfig_mutex); in security_overwrite()
378 if (!nvdimm->sec.ops || !nvdimm->sec.ops->overwrite in security_overwrite()
379 || !nvdimm->sec.flags) in security_overwrite()
380 return -EOPNOTSUPP; in security_overwrite()
389 return -ENOKEY; in security_overwrite()
391 rc = nvdimm->sec.ops->overwrite(nvdimm, data); in security_overwrite()
397 set_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags); in security_overwrite()
398 set_bit(NDD_WORK_PENDING, &nvdimm->flags); in security_overwrite()
399 set_bit(NVDIMM_SECURITY_OVERWRITE, &nvdimm->sec.flags); in security_overwrite()
405 queue_delayed_work(system_wq, &nvdimm->dwork, 0); in security_overwrite()
413 struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nvdimm->dev); in __nvdimm_security_overwrite_query()
418 lockdep_assert_held(&nvdimm_bus->reconfig_mutex); in __nvdimm_security_overwrite_query()
424 if (!test_bit(NDD_WORK_PENDING, &nvdimm->flags)) in __nvdimm_security_overwrite_query()
427 tmo = nvdimm->sec.overwrite_tmo; in __nvdimm_security_overwrite_query()
429 if (!nvdimm->sec.ops || !nvdimm->sec.ops->query_overwrite in __nvdimm_security_overwrite_query()
430 || !nvdimm->sec.flags) in __nvdimm_security_overwrite_query()
433 rc = nvdimm->sec.ops->query_overwrite(nvdimm); in __nvdimm_security_overwrite_query()
434 if (rc == -EBUSY) { in __nvdimm_security_overwrite_query()
438 queue_delayed_work(system_wq, &nvdimm->dwork, tmo * HZ); in __nvdimm_security_overwrite_query()
439 nvdimm->sec.overwrite_tmo = min(15U * 60U, tmo); in __nvdimm_security_overwrite_query()
444 dev_dbg(&nvdimm->dev, "overwrite failed\n"); in __nvdimm_security_overwrite_query()
446 dev_dbg(&nvdimm->dev, "overwrite completed\n"); in __nvdimm_security_overwrite_query()
453 nvdimm->sec.overwrite_tmo = 0; in __nvdimm_security_overwrite_query()
454 clear_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags); in __nvdimm_security_overwrite_query()
455 clear_bit(NDD_WORK_PENDING, &nvdimm->flags); in __nvdimm_security_overwrite_query()
456 nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER); in __nvdimm_security_overwrite_query()
457 nvdimm->sec.ext_flags = nvdimm_security_flags(nvdimm, NVDIMM_MASTER); in __nvdimm_security_overwrite_query()
458 if (nvdimm->sec.overwrite_state) in __nvdimm_security_overwrite_query()
459 sysfs_notify_dirent(nvdimm->sec.overwrite_state); in __nvdimm_security_overwrite_query()
460 put_device(&nvdimm->dev); in __nvdimm_security_overwrite_query()
468 nvdimm_bus_lock(&nvdimm->dev); in nvdimm_security_overwrite_query()
470 nvdimm_bus_unlock(&nvdimm->dev); in nvdimm_security_overwrite_query()
509 return -EINVAL; in nvdimm_security_store()
514 return -EINVAL; in nvdimm_security_store()
534 if (atomic_read(&nvdimm->busy)) { in nvdimm_security_store()
536 return -EBUSY; in nvdimm_security_store()
542 if (atomic_read(&nvdimm->busy)) { in nvdimm_security_store()
544 return -EBUSY; in nvdimm_security_store()
548 return -EINVAL; in nvdimm_security_store()