drivers/nvdimm/security.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /* Copyright(c) 2018 Intel Corporation. All rights reserved. */
   3
   4 #include <linux/module.h>
   5 #include <linux/device.h>
   6 #include <linux/ndctl.h>
   7 #include <linux/slab.h>
   8 #include <linux/io.h>
   9 #include <linux/mm.h>
  10 #include <linux/cred.h>
  11 #include <linux/key.h>
  12 #include <linux/key-type.h>
  13 #include <keys/user-type.h>
  14 #include <keys/encrypted-type.h>
  15 #include "nd-core.h"
  16 #include "nd.h"
  17
  18 #define NVDIMM_BASE_KEY         0
  19 #define NVDIMM_NEW_KEY          1
  20
  21 static bool key_revalidate = true;
  22 module_param(key_revalidate, bool, 0444);
  23 MODULE_PARM_DESC(key_revalidate, "Require key validation at init.");
  24
  25 static void *key_data(struct key *key)
  26 {
  27         struct encrypted_key_payload *epayload = dereference_key_locked(key);
  28
  29         lockdep_assert_held_read(&key->sem);
  30
  31         return epayload->decrypted_data;
  32 }
  33
  34 static void nvdimm_put_key(struct key *key)
  35 {
  36         if (!key)
  37                 return;
  38
  39         up_read(&key->sem);
  40         key_put(key);
  41 }
  42
  43 /*
  44  * Retrieve kernel key for DIMM and request from user space if
  45  * necessary. Returns a key held for read and must be put by
  46  * nvdimm_put_key() before the usage goes out of scope.
  47  */
  48 static struct key *nvdimm_request_key(struct nvdimm *nvdimm)
  49 {
  50         struct key *key = NULL;
  51         static const char NVDIMM_PREFIX[] = "nvdimm:";
  52         char desc[NVDIMM_KEY_DESC_LEN + sizeof(NVDIMM_PREFIX)];
  53         struct device *dev = &nvdimm->dev;
  54
  55         sprintf(desc, "%s%s", NVDIMM_PREFIX, nvdimm->dimm_id);
  56         key = request_key(&key_type_encrypted, desc, "");
  57         if (IS_ERR(key)) {
  58                 if (PTR_ERR(key) == -ENOKEY)
  59                         dev_warn(dev, "request_key() found no key\n");
  60                 else
  61                         dev_warn(dev, "request_key() upcall failed\n");
  62                 key = NULL;
  63         } else {
  64                 struct encrypted_key_payload *epayload;
  65
  66                 down_read(&key->sem);
  67                 epayload = dereference_key_locked(key);
  68                 if (epayload->decrypted_datalen != NVDIMM_PASSPHRASE_LEN) {
  69                         up_read(&key->sem);
  70                         key_put(key);
  71                         key = NULL;
  72                 }
  73         }
  74
  75         return key;
  76 }
  77
  78 static struct key *nvdimm_lookup_user_key(struct nvdimm *nvdimm,
  79                 key_serial_t id, int subclass)
  80 {
  81         key_ref_t keyref;
  82         struct key *key;
  83         struct encrypted_key_payload *epayload;
  84         struct device *dev = &nvdimm->dev;
  85
  86         keyref = lookup_user_key(id, 0, 0);
  87         if (IS_ERR(keyref))
  88                 return NULL;
  89
  90         key = key_ref_to_ptr(keyref);
  91         if (key->type != &key_type_encrypted) {
  92                 key_put(key);
  93                 return NULL;
  94         }
  95
  96         dev_dbg(dev, "%s: key found: %#x\n", __func__, key_serial(key));
  97
  98         down_read_nested(&key->sem, subclass);
  99         epayload = dereference_key_locked(key);
 100         if (epayload->decrypted_datalen != NVDIMM_PASSPHRASE_LEN) {
 101                 up_read(&key->sem);
 102                 key_put(key);
 103                 key = NULL;
 104         }
 105         return key;
 106 }
 107
 108 static struct key *nvdimm_key_revalidate(struct nvdimm *nvdimm)
 109 {
 110         struct key *key;
 111         int rc;
 112
 113         if (!nvdimm->sec.ops->change_key)
 114                 return NULL;
 115
 116         key = nvdimm_request_key(nvdimm);
 117         if (!key)
 118                 return NULL;
 119
 120         /*
 121          * Send the same key to the hardware as new and old key to
 122          * verify that the key is good.
 123          */
 124         rc = nvdimm->sec.ops->change_key(nvdimm, key_data(key), key_data(key));
 125         if (rc < 0) {
 126                 nvdimm_put_key(key);
 127                 key = NULL;
 128         }
 129         return key;
 130 }
 131
 132 static int __nvdimm_security_unlock(struct nvdimm *nvdimm)
 133 {
 134         struct device *dev = &nvdimm->dev;
 135         struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
 136         struct key *key = NULL;
 137         int rc;
 138
 139         /* The bus lock should be held at the top level of the call stack */
 140         lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
 141
 142         if (!nvdimm->sec.ops || !nvdimm->sec.ops->unlock
 143                         || nvdimm->sec.state < 0)
 144                 return -EIO;
 145
 146         if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
 147                 dev_warn(dev, "Security operation in progress.\n");
 148                 return -EBUSY;
 149         }
 150
 151         /*
 152          * If the pre-OS has unlocked the DIMM, attempt to send the key
 153          * from request_key() to the hardware for verification.  Failure
 154          * to revalidate the key against the hardware results in a
 155          * freeze of the security configuration. I.e. if the OS does not
 156          * have the key, security is being managed pre-OS.
 157          */
 158         if (nvdimm->sec.state == NVDIMM_SECURITY_UNLOCKED) {
 159                 if (!key_revalidate)
 160                         return 0;
 161
 162                 key = nvdimm_key_revalidate(nvdimm);
 163                 if (!key)
 164                         return nvdimm_security_freeze(nvdimm);
 165         } else
 166                 key = nvdimm_request_key(nvdimm);
 167
 168         if (!key)
 169                 return -ENOKEY;
 170
 171         rc = nvdimm->sec.ops->unlock(nvdimm, key_data(key));
 172         dev_dbg(dev, "key: %d unlock: %s\n", key_serial(key),
 173                         rc == 0 ? "success" : "fail");
 174
 175         nvdimm_put_key(key);
 176         nvdimm->sec.state = nvdimm_security_state(nvdimm);
 177         return rc;
 178 }
 179
 180 int nvdimm_security_unlock(struct device *dev)
 181 {
 182         struct nvdimm *nvdimm = to_nvdimm(dev);
 183         int rc;
 184
 185         nvdimm_bus_lock(dev);
 186         rc = __nvdimm_security_unlock(nvdimm);
 187         nvdimm_bus_unlock(dev);
 188         return rc;
 189 }
 190
 191 int nvdimm_security_disable(struct nvdimm *nvdimm, unsigned int keyid)
 192 {
 193         struct device *dev = &nvdimm->dev;
 194         struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
 195         struct key *key;
 196         int rc;
 197
 198         /* The bus lock should be held at the top level of the call stack */
 199         lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
 200
 201         if (!nvdimm->sec.ops || !nvdimm->sec.ops->disable
 202                         || nvdimm->sec.state < 0)
 203                 return -EOPNOTSUPP;
 204
 205         if (nvdimm->sec.state >= NVDIMM_SECURITY_FROZEN) {
 206                 dev_warn(dev, "Incorrect security state: %d\n",
 207                                 nvdimm->sec.state);
 208                 return -EIO;
 209         }
 210
 211         if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
 212                 dev_warn(dev, "Security operation in progress.\n");
 213                 return -EBUSY;
 214         }
 215
 216         key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY);
 217         if (!key)
 218                 return -ENOKEY;
 219
 220         rc = nvdimm->sec.ops->disable(nvdimm, key_data(key));
 221         dev_dbg(dev, "key: %d disable: %s\n", key_serial(key),
 222                         rc == 0 ? "success" : "fail");
 223
 224         nvdimm_put_key(key);
 225         nvdimm->sec.state = nvdimm_security_state(nvdimm);
 226         return rc;
 227 }
 228
 229 int nvdimm_security_update(struct nvdimm *nvdimm, unsigned int keyid,
 230                 unsigned int new_keyid)
 231 {
 232         struct device *dev = &nvdimm->dev;
 233         struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
 234         struct key *key, *newkey;
 235         int rc;
 236
 237         /* The bus lock should be held at the top level of the call stack */
 238         lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
 239
 240         if (!nvdimm->sec.ops || !nvdimm->sec.ops->change_key
 241                         || nvdimm->sec.state < 0)
 242                 return -EOPNOTSUPP;
 243
 244         if (nvdimm->sec.state >= NVDIMM_SECURITY_FROZEN) {
 245                 dev_warn(dev, "Incorrect security state: %d\n",
 246                                 nvdimm->sec.state);
 247                 return -EIO;
 248         }
 249
 250         if (keyid == 0)
 251                 key = NULL;
 252         else {
 253                 key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY);
 254                 if (!key)
 255                         return -ENOKEY;
 256         }
 257
 258         newkey = nvdimm_lookup_user_key(nvdimm, new_keyid, NVDIMM_NEW_KEY);
 259         if (!newkey) {
 260                 nvdimm_put_key(key);
 261                 return -ENOKEY;
 262         }
 263
 264         rc = nvdimm->sec.ops->change_key(nvdimm, key ? key_data(key) : NULL,
 265                         key_data(newkey));
 266         dev_dbg(dev, "key: %d %d update: %s\n",
 267                         key_serial(key), key_serial(newkey),
 268                         rc == 0 ? "success" : "fail");
 269
 270         nvdimm_put_key(newkey);
 271         nvdimm_put_key(key);
 272         nvdimm->sec.state = nvdimm_security_state(nvdimm);
 273         return rc;
 274 }
 275
 276 int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid)
 277 {
 278         struct device *dev = &nvdimm->dev;
 279         struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
 280         struct key *key;
 281         int rc;
 282
 283         /* The bus lock should be held at the top level of the call stack */
 284         lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
 285
 286         if (!nvdimm->sec.ops || !nvdimm->sec.ops->erase
 287                         || nvdimm->sec.state < 0)
 288                 return -EOPNOTSUPP;
 289
 290         if (atomic_read(&nvdimm->busy)) {
 291                 dev_warn(dev, "Unable to secure erase while DIMM active.\n");
 292                 return -EBUSY;
 293         }
 294
 295         if (nvdimm->sec.state >= NVDIMM_SECURITY_FROZEN) {
 296                 dev_warn(dev, "Incorrect security state: %d\n",
 297                                 nvdimm->sec.state);
 298                 return -EIO;
 299         }
 300
 301         if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
 302                 dev_warn(dev, "Security operation in progress.\n");
 303                 return -EBUSY;
 304         }
 305
 306         key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY);
 307         if (!key)
 308                 return -ENOKEY;
 309
 310         rc = nvdimm->sec.ops->erase(nvdimm, key_data(key));
 311         dev_dbg(dev, "key: %d erase: %s\n", key_serial(key),
 312                         rc == 0 ? "success" : "fail");
 313
 314         nvdimm_put_key(key);
 315         nvdimm->sec.state = nvdimm_security_state(nvdimm);
 316         return rc;
 317 }
 318
 319 int nvdimm_security_overwrite(struct nvdimm *nvdimm, unsigned int keyid)
 320 {
 321         struct device *dev = &nvdimm->dev;
 322         struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);
 323         struct key *key;
 324         int rc;
 325
 326         /* The bus lock should be held at the top level of the call stack */
 327         lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
 328
 329         if (!nvdimm->sec.ops || !nvdimm->sec.ops->overwrite
 330                         || nvdimm->sec.state < 0)
 331                 return -EOPNOTSUPP;
 332
 333         if (atomic_read(&nvdimm->busy)) {
 334                 dev_warn(dev, "Unable to overwrite while DIMM active.\n");
 335                 return -EBUSY;
 336         }
 337
 338         if (dev->driver == NULL) {
 339                 dev_warn(dev, "Unable to overwrite while DIMM active.\n");
 340                 return -EINVAL;
 341         }
 342
 343         if (nvdimm->sec.state >= NVDIMM_SECURITY_FROZEN) {
 344                 dev_warn(dev, "Incorrect security state: %d\n",
 345                                 nvdimm->sec.state);
 346                 return -EIO;
 347         }
 348
 349         if (test_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags)) {
 350                 dev_warn(dev, "Security operation in progress.\n");
 351                 return -EBUSY;
 352         }
 353
 354         if (keyid == 0)
 355                 key = NULL;
 356         else {
 357                 key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY);
 358                 if (!key)
 359                         return -ENOKEY;
 360         }
 361
 362         rc = nvdimm->sec.ops->overwrite(nvdimm, key ? key_data(key) : NULL);
 363         dev_dbg(dev, "key: %d overwrite submission: %s\n", key_serial(key),
 364                         rc == 0 ? "success" : "fail");
 365
 366         nvdimm_put_key(key);
 367         if (rc == 0) {
 368                 set_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags);
 369                 set_bit(NDD_WORK_PENDING, &nvdimm->flags);
 370                 nvdimm->sec.state = NVDIMM_SECURITY_OVERWRITE;
 371                 /*
 372                  * Make sure we don't lose device while doing overwrite
 373                  * query.
 374                  */
 375                 get_device(dev);
 376                 queue_delayed_work(system_wq, &nvdimm->dwork, 0);
 377         }
 378         return rc;
 379 }
 380
 381 void __nvdimm_security_overwrite_query(struct nvdimm *nvdimm)
 382 {
 383         struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nvdimm->dev);
 384         int rc;
 385         unsigned int tmo;
 386
 387         /* The bus lock should be held at the top level of the call stack */
 388         lockdep_assert_held(&nvdimm_bus->reconfig_mutex);
 389
 390         /*
 391          * Abort and release device if we no longer have the overwrite
 392          * flag set. It means the work has been canceled.
 393          */
 394         if (!test_bit(NDD_WORK_PENDING, &nvdimm->flags))
 395                 return;
 396
 397         tmo = nvdimm->sec.overwrite_tmo;
 398
 399         if (!nvdimm->sec.ops || !nvdimm->sec.ops->query_overwrite
 400                         || nvdimm->sec.state < 0)
 401                 return;
 402
 403         rc = nvdimm->sec.ops->query_overwrite(nvdimm);
 404         if (rc == -EBUSY) {
 405
 406                 /* setup delayed work again */
 407                 tmo += 10;
 408                 queue_delayed_work(system_wq, &nvdimm->dwork, tmo * HZ);
 409                 nvdimm->sec.overwrite_tmo = min(15U * 60U, tmo);
 410                 return;
 411         }
 412
 413         if (rc < 0)
 414                 dev_warn(&nvdimm->dev, "overwrite failed\n");
 415         else
 416                 dev_dbg(&nvdimm->dev, "overwrite completed\n");
 417
 418         if (nvdimm->sec.overwrite_state)
 419                 sysfs_notify_dirent(nvdimm->sec.overwrite_state);
 420         nvdimm->sec.overwrite_tmo = 0;
 421         clear_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags);
 422         clear_bit(NDD_WORK_PENDING, &nvdimm->flags);
 423         put_device(&nvdimm->dev);
 424         nvdimm->sec.state = nvdimm_security_state(nvdimm);
 425 }
 426
 427 void nvdimm_security_overwrite_query(struct work_struct *work)
 428 {
 429         struct nvdimm *nvdimm =
 430                 container_of(work, typeof(*nvdimm), dwork.work);
 431
 432         nvdimm_bus_lock(&nvdimm->dev);
 433         __nvdimm_security_overwrite_query(nvdimm);
 434         nvdimm_bus_unlock(&nvdimm->dev);
 435 }