cxl/pmem: Enforce keyctl ABI for PMEM security

Preclude the possibility of user tooling sending device secrets in the clear into the kernel by marking the security commands as exclusive. This mandates the usage of the keyctl ABI for managing the device passphrase. Reviewed-by: Davidlohr Bueso <[email protected]> Reviewed-by: Dave Jiang <[email protected]> Reviewed-by: Jonathan Cameron <[email protected]> Link: https://lore.kernel.org/r/166993221008.1995348.11651567302609703175.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Dan Williams <[email protected]>
author: Dan Williams <[email protected]> 2022-12-01 14:03:30 -0800
committer: Dan Williams <[email protected]> 2022-12-02 23:52:32 -0800
commit: 07cb5f705b4fe9e1386a610da4cb3c063267714f (patch)
tree: a8c8ac96b4b098695fb5b4a821b39ce268c5b4a5
parent: bf3e5da8cb43a671b32fc125fa81b8f6a3677192 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
index 8747db329087..35dd889f1d3a 100644
--- a/drivers/cxl/core/mbox.c
+++ b/drivers/cxl/core/mbox.c
@@ -704,6 +704,16 @@ int cxl_enumerate_cmds(struct cxl_dev_state *cxlds)
 		rc = 0;
 	}
 
+	/*
+	 * Setup permanently kernel exclusive commands, i.e. the
+	 * mechanism is driven through sysfs, keyctl, etc...
+	 */
+	set_bit(CXL_MEM_COMMAND_ID_SET_PASSPHRASE, cxlds->exclusive_cmds);
+	set_bit(CXL_MEM_COMMAND_ID_DISABLE_PASSPHRASE, cxlds->exclusive_cmds);
+	set_bit(CXL_MEM_COMMAND_ID_UNLOCK, cxlds->exclusive_cmds);
+	set_bit(CXL_MEM_COMMAND_ID_PASSPHRASE_SECURE_ERASE,
+		cxlds->exclusive_cmds);
+
 out:
 	kvfree(gsl);
 	return rc;
author	Dan Williams <[email protected]>	2022-12-01 14:03:30 -0800
committer	Dan Williams <[email protected]>	2022-12-02 23:52:32 -0800
commit	07cb5f705b4fe9e1386a610da4cb3c063267714f (patch)
tree	a8c8ac96b4b098695fb5b4a821b39ce268c5b4a5
parent	bf3e5da8cb43a671b32fc125fa81b8f6a3677192 (diff)