// SPDX-License-Identifier: GPL-2.0
/* Copyright(c) 2018 Intel Corporation. All rights reserved. */

#include <linux/module.h>
#include <linux/device.h>
#include <linux/ndctl.h>
#include <linux/slab.h>
#include <linux/io.h>
#include <linux/mm.h>
#include <linux/cred.h>
#include <linux/key.h>
#include <linux/key-type.h>
#include <keys/user-type.h>
#include <keys/encrypted-type.h>
#include "nd-core.h"
#include "nd.h"

/*
 * lockdep subclasses for the key semaphore taken in nvdimm_lookup_user_key():
 * security_update() holds the current (base) key's sem while it takes the new
 * key's sem, so the two down_read_nested() calls need distinct subclasses.
 * nvdimm_get_user_key_payload() also uses NVDIMM_BASE_KEY to decide that key
 * id 0 means the all-zero passphrase rather than "no key".
 */
#define NVDIMM_BASE_KEY		0
#define NVDIMM_NEW_KEY		1

/*
 * When set (the default), a DIMM found already unlocked at init has its kernel
 * key sent back to the hardware by __nvdimm_security_unlock() to prove the
 * passphrase is right; when clear the unlocked state is trusted as-is.
 */
static bool key_revalidate = true;
module_param(key_revalidate, bool, 0444);
MODULE_PARM_DESC(key_revalidate, "Require key validation at init.");

/* All-zero passphrase handed out when no key is available (see nvdimm_get_key_payload()). */
static const char zero_key[NVDIMM_PASSPHRASE_LEN];

/*
 * Return the decrypted payload of an encrypted-type key.  The caller must
 * already hold key->sem for read; nvdimm_request_key() and
 * nvdimm_lookup_user_key() take it before handing a key out.
 */
static void *key_data(struct key *key)
{
	struct encrypted_key_payload *payload;

	lockdep_assert_held_read(&key->sem);
	payload = dereference_key_locked(key);

	return payload->decrypted_data;
}

/*
 * Release a key obtained from nvdimm_request_key() or nvdimm_lookup_user_key():
 * drop the read lock on key->sem and the key reference.  NULL is accepted so
 * callers that were handed zero_key (and a NULL key) can put unconditionally.
 */
static void nvdimm_put_key(struct key *key)
{
	if (key) {
		up_read(&key->sem);
		key_put(key);
	}
}

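/*
 * Retrieve kernel key for DIMM and request from user space if
 * necessary. Returns a key held for read and must be put by
 * nvdimm_put_key() before the usage goes out of scope.
 *
 * The key is looked up in the encrypted key type by the description
 * "nvdimm:<dimm_id>".  A key whose decrypted payload is not exactly
 * NVDIMM_PASSPHRASE_LEN bytes is rejected and NULL is returned, the same
 * as when no key exists or the upcall fails.
 */
static struct key *nvdimm_request_key(struct nvdimm *nvdimm)
{
	struct key *key = NULL;
	static const char NVDIMM_PREFIX[] = "nvdimm:";
	char desc[NVDIMM_KEY_DESC_LEN + sizeof(NVDIMM_PREFIX)];
	struct device *dev = &nvdimm->dev;
	int len;

	/*
	 * Bound the write to desc: a dimm_id longer than NVDIMM_KEY_DESC_LEN
	 * cannot name a valid key, so treat it as "no key" instead of letting
	 * an unbounded sprintf() run past the buffer.
	 */
	len = snprintf(desc, sizeof(desc), "%s%s", NVDIMM_PREFIX,
			nvdimm->dimm_id);
	if (len < 0 || (size_t)len >= sizeof(desc)) {
		dev_dbg(dev, "dimm_id too long for key description\n");
		return NULL;
	}

	key = request_key(&key_type_encrypted, desc, "");
	if (IS_ERR(key)) {
		if (PTR_ERR(key) == -ENOKEY)
			dev_dbg(dev, "request_key() found no key\n");
		else
			dev_dbg(dev, "request_key() upcall failed\n");
		key = NULL;
	} else {
		struct encrypted_key_payload *epayload;

		/* Held for read until nvdimm_put_key(); validate the payload under it. */
		down_read(&key->sem);
		epayload = dereference_key_locked(key);
		if (epayload->decrypted_datalen != NVDIMM_PASSPHRASE_LEN) {
			up_read(&key->sem);
			key_put(key);
			key = NULL;
		}
	}

	return key;
}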

/*
 * Fetch the passphrase held in the DIMM's kernel key.  On success *key is
 * the key (held for read; release with nvdimm_put_key()) and its decrypted
 * payload is returned.  When no usable key exists *key is NULL and the
 * all-zero passphrase is returned instead, so callers always get data.
 */
static const void *nvdimm_get_key_payload(struct nvdimm *nvdimm,
		struct key **key)
{
	struct key *found = nvdimm_request_key(nvdimm);

	*key = found;
	return found ? key_data(found) : zero_key;
}

/*
 * Look up the user-supplied key by serial @id and check that it is an
 * encrypted-type key carrying an NVDIMM_PASSPHRASE_LEN byte payload.  On
 * success the key is returned with a reference and key->sem held for read
 * under lockdep subclass @subclass (so a base key and a new key can be held
 * at the same time); release it with nvdimm_put_key().  Any failure returns
 * NULL with nothing held.
 *
 * NOTE(review): lookup_user_key() is called with a perm argument of 0, i.e.
 * no permission check on the key is requested for @id - confirm that is the
 * intended policy against this tree's keys API.
 */
static struct key *nvdimm_lookup_user_key(struct nvdimm *nvdimm,
		key_serial_t id, int subclass)
{
	struct device *dev = &nvdimm->dev;
	struct encrypted_key_payload *epayload;
	key_ref_t keyref;
	struct key *key;

	keyref = lookup_user_key(id, 0, 0);
	if (IS_ERR(keyref))
		return NULL;

	key = key_ref_to_ptr(keyref);
	if (key->type != &key_type_encrypted)
		goto put_key;

	dev_dbg(dev, "%s: key found: %#x\n", __func__, key_serial(key));

	down_read_nested(&key->sem, subclass);
	epayload = dereference_key_locked(key);
	if (epayload->decrypted_datalen == NVDIMM_PASSPHRASE_LEN)
		return key;

	up_read(&key->sem);
put_key:
	key_put(key);
	return NULL;
}

/*
 * Resolve a user-supplied key serial to its passphrase.  *key receives the
 * looked-up key (held for read; release with nvdimm_put_key()) or NULL.
 * Serial 0 stands for "no passphrase": for the base key that is the
 * all-zero passphrase, for a new key it is invalid.  Returns the payload,
 * or NULL when no usable passphrase could be produced.
 */
static const void *nvdimm_get_user_key_payload(struct nvdimm *nvdimm,
		key_serial_t id, int subclass, struct key **key)
{
	*key = NULL;

	if (!id)
		return subclass == NVDIMM_BASE_KEY ? zero_key : NULL;

	*key = nvdimm_lookup_user_key(nvdimm, id, subclass);
	return *key ? key_data(*key) : NULL;
}


/*
 * Prove the kernel key matches the DIMM's current passphrase by issuing a
 * change_key with the same key as old and new.  When no kernel key exists
 * the all-zero passphrase is what gets sent.  The caller
 * (__nvdimm_security_unlock()) has already checked that sec.ops is set.
 * Returns -EOPNOTSUPP without a change_key op, the op's error on failure,
 * otherwise 0 after refreshing the user security flags.
 */
static int nvdimm_key_revalidate(struct nvdimm *nvdimm)
{
	const void *data;
	struct key *key;
	int rc;

	if (!nvdimm->sec.ops->change_key)
		return -EOPNOTSUPP;

	data = nvdimm_get_key_payload(nvdimm, &key);

	/*
	 * Send the same key to the hardware as new and old key to
	 * verify that the key is good.
	 */
	rc = nvdimm->sec.ops->change_key(nvdimm, data, data, NVDIMM_USER);
	nvdimm_put_key(key);
	if (rc < 0)
		return rc;

	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
	return 0;
}

/*
 * Unlock the DIMM with the kernel key, or revalidate that key when the
 * pre-OS environment already unlocked the DIMM.  Caller holds the bus lock.
 * Returns 0 on success (also when security is disabled), -EIO when the DIMM
 * has no unlock op or no security state, -EBUSY while an overwrite is in
 * flight, otherwise the result of the unlock op.
 */
static int __nvdimm_security_unlock(struct nvdimm *nvdimm)
{
	struct device *dev = &nvdimm->dev;
	struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
	const void *data;
	struct key *key;
	int rc;

	/* The bus lock should be held at the top level of the call stack */
	lockdep_assert_held(&nvdimm_bus->reconfig_mutex);

	if (!nvdimm->sec.ops || !nvdimm->sec.ops->unlock
			|| !nvdimm->sec.flags)
		return -EIO;

	/* No need to go further if security is disabled */
	if (test_bit(NVDIMM_SECURITY_DISABLED, &nvdimm->sec.flags))
		return 0;

	if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
		dev_dbg(dev, "Security operation in progress.\n");
		return -EBUSY;
	}

	/*
	 * If the pre-OS has unlocked the DIMM, attempt to send the key
	 * from request_key() to the hardware for verification.  Failure
	 * to revalidate the key against the hardware results in a
	 * freeze of the security configuration. I.e. if the OS does not
	 * have the key, security is being managed pre-OS.
	 */
	if (test_bit(NVDIMM_SECURITY_UNLOCKED, &nvdimm->sec.flags))
		return key_revalidate ? nvdimm_key_revalidate(nvdimm) : 0;

	data = nvdimm_get_key_payload(nvdimm, &key);
	rc = nvdimm->sec.ops->unlock(nvdimm, data);
	dev_dbg(dev, "key: %d unlock: %s\n", key_serial(key),
			rc == 0 ? "success" : "fail");

	nvdimm_put_key(key);
	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
	return rc;
}

/**
 * nvdimm_security_unlock - unlock a DIMM under the bus lock
 * @dev: the nvdimm device
 *
 * Wraps __nvdimm_security_unlock(), which expects the bus lock held.
 * Returns 0 on success or a negative errno.
 */
int nvdimm_security_unlock(struct device *dev)
{
	int rc;

	nvdimm_bus_lock(dev);
	rc = __nvdimm_security_unlock(to_nvdimm(dev));
	nvdimm_bus_unlock(dev);

	return rc;
}

/*
 * Common precondition for the security_*() operations: the security state
 * must not be frozen and no overwrite may be in progress.  Returns 0 when
 * an operation may proceed, -EIO when frozen, -EBUSY during an overwrite.
 */
static int check_security_state(struct nvdimm *nvdimm)
{
	struct device *dev = &nvdimm->dev;
	int rc = 0;

	if (test_bit(NVDIMM_SECURITY_FROZEN, &nvdimm->sec.flags)) {
		dev_dbg(dev, "Incorrect security state: %#lx\n",
				nvdimm->sec.flags);
		rc = -EIO;
	} else if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
		dev_dbg(dev, "Security operation in progress.\n");
		rc = -EBUSY;
	}

	return rc;
}

/*
 * Disable security on the DIMM using the user key with serial @keyid
 * (0 selects the all-zero passphrase).  Caller holds the bus lock.
 * Returns -EOPNOTSUPP without a disable op or security state, the
 * check_security_state() error, -ENOKEY when the key cannot be resolved,
 * otherwise the disable op's result after refreshing the user flags.
 */
static int security_disable(struct nvdimm *nvdimm, unsigned int keyid)
{
	struct device *dev = &nvdimm->dev;
	struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
	const void *data;
	struct key *key;
	const char *status;
	int rc;

	/* The bus lock should be held at the top level of the call stack */
	lockdep_assert_held(&nvdimm_bus->reconfig_mutex);

	if (!nvdimm->sec.ops || !nvdimm->sec.ops->disable
			|| !nvdimm->sec.flags)
		return -EOPNOTSUPP;

	rc = check_security_state(nvdimm);
	if (rc)
		return rc;

	data = nvdimm_get_user_key_payload(nvdimm, keyid,
			NVDIMM_BASE_KEY, &key);
	if (!data)
		return -ENOKEY;

	rc = nvdimm->sec.ops->disable(nvdimm, data);
	status = rc == 0 ? "success" : "fail";
	dev_dbg(dev, "key: %d disable: %s\n", key_serial(key), status);

	nvdimm_put_key(key);
	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
	return rc;
}

/*
 * Change the user or master passphrase (per @pass_type).  @keyid names the
 * current key (0 selects the all-zero passphrase) and @new_keyid the
 * replacement, which must be a real key (0 is rejected with -ENOKEY).
 * Caller holds the bus lock.  After the change the master state is
 * refreshed into sec.ext_flags and the user state into sec.flags.
 */
static int security_update(struct nvdimm *nvdimm, unsigned int keyid,
		unsigned int new_keyid,
		enum nvdimm_passphrase_type pass_type)
{
	struct device *dev = &nvdimm->dev;
	struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
	const void *data, *newdata;
	struct key *key, *newkey;
	bool master = pass_type == NVDIMM_MASTER;
	int rc;

	/* The bus lock should be held at the top level of the call stack */
	lockdep_assert_held(&nvdimm_bus->reconfig_mutex);

	if (!nvdimm->sec.ops || !nvdimm->sec.ops->change_key
			|| !nvdimm->sec.flags)
		return -EOPNOTSUPP;

	rc = check_security_state(nvdimm);
	if (rc)
		return rc;

	data = nvdimm_get_user_key_payload(nvdimm, keyid,
			NVDIMM_BASE_KEY, &key);
	if (!data)
		return -ENOKEY;

	/* Nested under the base key's sem, hence the distinct subclass. */
	newdata = nvdimm_get_user_key_payload(nvdimm, new_keyid,
			NVDIMM_NEW_KEY, &newkey);
	if (!newdata) {
		nvdimm_put_key(key);
		return -ENOKEY;
	}

	rc = nvdimm->sec.ops->change_key(nvdimm, data, newdata, pass_type);
	dev_dbg(dev, "key: %d %d update%s: %s\n",
			key_serial(key), key_serial(newkey),
			master ? "(master)" : "(user)",
			rc == 0 ? "success" : "fail");

	nvdimm_put_key(newkey);
	nvdimm_put_key(key);
	if (master)
		nvdimm->sec.ext_flags = nvdimm_security_flags(nvdimm,
				NVDIMM_MASTER);
	else
		nvdimm->sec.flags = nvdimm_security_flags(nvdimm,
				NVDIMM_USER);
	return rc;
}

/*
 * Secure-erase the DIMM with the user key @keyid (0 selects the all-zero
 * passphrase).  A master-passphrase erase is only accepted while the master
 * state in sec.ext_flags is unlocked.  Caller holds the bus lock.  Returns
 * -EOPNOTSUPP when unsupported or in the wrong master state, the
 * check_security_state() error, -ENOKEY when the key cannot be resolved,
 * otherwise the erase op's result after refreshing the user flags.
 */
static int security_erase(struct nvdimm *nvdimm, unsigned int keyid,
		enum nvdimm_passphrase_type pass_type)
{
	struct device *dev = &nvdimm->dev;
	struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
	bool master = pass_type == NVDIMM_MASTER;
	struct key *key = NULL;
	const void *data;
	int rc;

	/* The bus lock should be held at the top level of the call stack */
	lockdep_assert_held(&nvdimm_bus->reconfig_mutex);

	if (!nvdimm->sec.ops || !nvdimm->sec.ops->erase
			|| !nvdimm->sec.flags)
		return -EOPNOTSUPP;

	rc = check_security_state(nvdimm);
	if (rc)
		return rc;

	if (master && !test_bit(NVDIMM_SECURITY_UNLOCKED,
				&nvdimm->sec.ext_flags)) {
		dev_dbg(dev,
			"Attempt to secure erase in wrong master state.\n");
		return -EOPNOTSUPP;
	}

	data = nvdimm_get_user_key_payload(nvdimm, keyid,
			NVDIMM_BASE_KEY, &key);
	if (!data)
		return -ENOKEY;

	rc = nvdimm->sec.ops->erase(nvdimm, data, pass_type);
	dev_dbg(dev, "key: %d erase%s: %s\n", key_serial(key),
			master ? "(master)" : "(user)",
			rc == 0 ? "success" : "fail");

	nvdimm_put_key(key);
	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
	return rc;
}

/*
 * Submit an overwrite of the DIMM with the user key @keyid (0 selects the
 * all-zero passphrase).  Caller holds the bus lock.  On successful
 * submission the overwrite / work-pending bits are set, a device reference
 * is taken and the completion poll (nvdimm_security_overwrite_query()) is
 * queued; __nvdimm_security_overwrite_query() drops the reference when the
 * overwrite finishes.  Returns -EOPNOTSUPP when unsupported, -EINVAL when
 * no driver is bound, the check_security_state() error, -ENOKEY when the
 * key cannot be resolved, otherwise the overwrite op's result.
 */
static int security_overwrite(struct nvdimm *nvdimm, unsigned int keyid)
{
	struct device *dev = &nvdimm->dev;
	struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
	struct key *key = NULL;
	const void *data;
	int rc;

	/* The bus lock should be held at the top level of the call stack */
	lockdep_assert_held(&nvdimm_bus->reconfig_mutex);

	if (!nvdimm->sec.ops || !nvdimm->sec.ops->overwrite
			|| !nvdimm->sec.flags)
		return -EOPNOTSUPP;

	/*
	 * NOTE(review): this rejects the request when no driver is bound to
	 * the DIMM, while the message describes the DIMM as active - confirm
	 * which condition is intended.
	 */
	if (!dev->driver) {
		dev_dbg(dev, "Unable to overwrite while DIMM active.\n");
		return -EINVAL;
	}

	rc = check_security_state(nvdimm);
	if (rc)
		return rc;

	data = nvdimm_get_user_key_payload(nvdimm, keyid,
			NVDIMM_BASE_KEY, &key);
	if (!data)
		return -ENOKEY;

	rc = nvdimm->sec.ops->overwrite(nvdimm, data);
	dev_dbg(dev, "key: %d overwrite submission: %s\n", key_serial(key),
			rc == 0 ? "success" : "fail");
	nvdimm_put_key(key);

	if (rc)
		return rc;

	set_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags);
	set_bit(NDD_WORK_PENDING, &nvdimm->flags);
	set_bit(NVDIMM_SECURITY_OVERWRITE, &nvdimm->sec.flags);

	/*
	 * Make sure we don't lose device while doing overwrite
	 * query.
	 */
	get_device(dev);
	queue_delayed_work(system_wq, &nvdimm->dwork, 0);

	return rc;
}

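/**
 * __nvdimm_security_overwrite_query - poll the DIMM for overwrite completion
 * @nvdimm: the DIMM whose overwrite was submitted by security_overwrite()
 *
 * Caller holds the bus lock.  Returns silently when the work-pending bit is
 * clear (the work was canceled) or the DIMM has no query op.  While the
 * hardware reports -EBUSY the poll is re-armed with a growing delay (the
 * stored delay is capped at 15 minutes).  Otherwise the overwrite is over:
 * sysfs is notified, the overwrite bits are cleared, the user and master
 * security flags are refreshed and the device reference taken at submission
 * is dropped.
 */
void __nvdimm_security_overwrite_query(struct nvdimm *nvdimm)
{
	struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nvdimm->dev);
	int rc;
	unsigned int tmo;

	/* The bus lock should be held at the top level of the call stack */
	lockdep_assert_held(&nvdimm_bus->reconfig_mutex);

	/*
	 * Abort and release device if we no longer have the overwrite
	 * flag set. It means the work has been canceled.
	 */
	if (!test_bit(NDD_WORK_PENDING, &nvdimm->flags))
		return;

	tmo = nvdimm->sec.overwrite_tmo;

	if (!nvdimm->sec.ops || !nvdimm->sec.ops->query_overwrite
			|| !nvdimm->sec.flags)
		return;

	rc = nvdimm->sec.ops->query_overwrite(nvdimm);
	if (rc == -EBUSY) {

		/* setup delayed work again */
		tmo += 10;
		queue_delayed_work(system_wq, &nvdimm->dwork, tmo * HZ);
		nvdimm->sec.overwrite_tmo = min(15U * 60U, tmo);
		return;
	}

	if (rc < 0)
		dev_dbg(&nvdimm->dev, "overwrite failed\n");
	else
		dev_dbg(&nvdimm->dev, "overwrite completed\n");

	if (nvdimm->sec.overwrite_state)
		sysfs_notify_dirent(nvdimm->sec.overwrite_state);
	nvdimm->sec.overwrite_tmo = 0;
	clear_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags);
	clear_bit(NDD_WORK_PENDING, &nvdimm->flags);

	/*
	 * Master passphrase state lives in sec.ext_flags (as security_update()
	 * stores it); writing the master flags into sec.flags would overwrite
	 * the user security state just refreshed and misreport it.
	 */
	nvdimm->sec.flags = nvdimm_security_flags(nvdimm, NVDIMM_USER);
	nvdimm->sec.ext_flags = nvdimm_security_flags(nvdimm, NVDIMM_MASTER);

	/*
	 * Drop the reference taken in security_overwrite() only after the
	 * last access to nvdimm above.  The caller still touches nvdimm after
	 * we return, so something else (presumably the bus) must hold its own
	 * reference - TODO confirm.
	 */
	put_device(&nvdimm->dev);
}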

/**
 * nvdimm_security_overwrite_query - delayed-work entry for overwrite polling
 * @work: the work_struct embedded in nvdimm->dwork
 *
 * Takes the bus lock and runs __nvdimm_security_overwrite_query().
 */
void nvdimm_security_overwrite_query(struct work_struct *work)
{
	struct nvdimm *nvdimm = container_of(work, struct nvdimm, dwork.work);
	struct device *dev = &nvdimm->dev;

	nvdimm_bus_lock(dev);
	__nvdimm_security_overwrite_query(nvdimm);
	nvdimm_bus_unlock(dev);
}

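/*
 * Table of sysfs "security" commands: C(id, name, token count), where the
 * count includes the command word itself (1 = command only, 2 = plus a key
 * id, 3 = plus a key id and a new key id).  Expanded twice: once into enum
 * nvdimmsec_op_ids and once into ops[], so OP_x is the index of its entry.
 */
#define OPS							\
	C( OP_FREEZE,		"freeze",		1),	\
	C( OP_DISABLE,		"disable",		2),	\
	C( OP_UPDATE,		"update",		3),	\
	C( OP_ERASE,		"erase",		2),	\
	C( OP_OVERWRITE,	"overwrite",		2),	\
	C( OP_MASTER_UPDATE,	"master_update",	3),	\
	C( OP_MASTER_ERASE,	"master_erase",		2)
#undef C
#define C(a, b, c) a
enum nvdimmsec_op_ids { OPS };
#undef C
#define C(a, b, c) { b, c }
/* Lookup table for nvdimm_security_store(); it is only ever read, so keep it const. */
static const struct {
	const char *name;
	int args;
} ops[] = { OPS };
#undef C

/* Maximum token lengths accepted by the sscanf() in nvdimm_security_store(). */
#define SEC_CMD_SIZE 32
#define KEY_ID_SIZE 10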

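/**
 * nvdimm_security_store - handle a write to the DIMM's security attribute
 * @dev: the nvdimm device
 * @buf: user-supplied command, "<op> [<keyid> [<newkeyid>]]"
 * @len: length of @buf
 *
 * Parses the command word and up to two key serials, then dispatches to the
 * matching security_*() helper.  Returns @len on success; -EINVAL for an
 * unknown command or too few tokens for it; -EBUSY when an erase or
 * overwrite is requested while the DIMM is busy; the kstrtouint() error for
 * an unparsable key id; otherwise the helper's negative errno.
 */
ssize_t nvdimm_security_store(struct device *dev, const char *buf, size_t len)
{
	struct nvdimm *nvdimm = to_nvdimm(dev);
	ssize_t rc;
	char cmd[SEC_CMD_SIZE+1], keystr[KEY_ID_SIZE+1],
		nkeystr[KEY_ID_SIZE+1];
	unsigned int key = 0, newkey = 0;
	int i;

	rc = sscanf(buf, "%"__stringify(SEC_CMD_SIZE)"s"
			" %"__stringify(KEY_ID_SIZE)"s"
			" %"__stringify(KEY_ID_SIZE)"s",
			cmd, keystr, nkeystr);
	if (rc < 1)
		return -EINVAL;
	for (i = 0; i < ARRAY_SIZE(ops); i++)
		if (sysfs_streq(cmd, ops[i].name))
			break;
	if (i >= ARRAY_SIZE(ops))
		return -EINVAL;

	/*
	 * sscanf() only fills keystr/nkeystr for tokens that were present;
	 * reject a command with too few tokens here so the uninitialized
	 * buffers are never handed to kstrtouint().
	 */
	if (rc < ops[i].args)
		return -EINVAL;
	if (ops[i].args > 1) {
		rc = kstrtouint(keystr, 0, &key);
		if (rc < 0)
			return rc;
	}
	if (ops[i].args > 2) {
		rc = kstrtouint(nkeystr, 0, &newkey);
		if (rc < 0)
			return rc;
	}

	switch (i) {
	case OP_FREEZE:
		dev_dbg(dev, "freeze\n");
		rc = nvdimm_security_freeze(nvdimm);
		break;
	case OP_DISABLE:
		dev_dbg(dev, "disable %u\n", key);
		rc = security_disable(nvdimm, key);
		break;
	case OP_UPDATE:
	case OP_MASTER_UPDATE:
		dev_dbg(dev, "%s %u %u\n", ops[i].name, key, newkey);
		rc = security_update(nvdimm, key, newkey, i == OP_UPDATE
				? NVDIMM_USER : NVDIMM_MASTER);
		break;
	case OP_ERASE:
	case OP_MASTER_ERASE:
		dev_dbg(dev, "%s %u\n", ops[i].name, key);
		/* An erase must not race with an active DIMM user. */
		if (atomic_read(&nvdimm->busy)) {
			dev_dbg(dev, "Unable to secure erase while DIMM active.\n");
			return -EBUSY;
		}
		rc = security_erase(nvdimm, key, i == OP_ERASE
				? NVDIMM_USER : NVDIMM_MASTER);
		break;
	case OP_OVERWRITE:
		dev_dbg(dev, "overwrite %u\n", key);
		if (atomic_read(&nvdimm->busy)) {
			dev_dbg(dev, "Unable to overwrite while DIMM active.\n");
			return -EBUSY;
		}
		rc = security_overwrite(nvdimm, key);
		break;
	default:
		return -EINVAL;
	}

	if (rc == 0)
		rc = len;
	return rc;
}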