* [PATCH 0/5] Disk encryption status handling
@ 2024-03-18 16:25 Blazej Kucman
2024-03-18 16:25 ` [PATCH 1/5] Add reading Opal NVMe encryption information Blazej Kucman
` (4 more replies)
0 siblings, 5 replies; 9+ messages in thread
From: Blazej Kucman @ 2024-03-18 16:25 UTC (permalink / raw
To: mariusz.tkaczyk, jes; +Cc: linux-raid
The purpose of this series is to add functionality of
reading information about the encryption status of
OPAL NVMe/SATA and SATA drives and use this
information for purposes of IMSM metadata,
which introduces restrictions on the possibility of mixing disks
with encryption enabled and disabled because of security reasons.
Blazej Kucman (5):
Add reading Opal NVMe encryption information
Add reading SATA encryption information
Add key ENCRYPTION_NO_VERIFY to conf
imsm: print disk encryption information
imsm: drive encryption policy implementation
Makefile | 4 +-
config.c | 25 +-
drive_encryption.c | 724 +++++++++++++++++++++++++++++++++++++++++++++
drive_encryption.h | 37 +++
mdadm.conf.5.in | 16 +
mdadm.h | 4 +
super-intel.c | 117 +++++++-
sysfs.c | 29 ++
8 files changed, 947 insertions(+), 9 deletions(-)
create mode 100644 drive_encryption.c
create mode 100644 drive_encryption.h
--
2.35.3
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 1/5] Add reading Opal NVMe encryption information
2024-03-18 16:25 [PATCH 0/5] Disk encryption status handling Blazej Kucman
@ 2024-03-18 16:25 ` Blazej Kucman
2024-03-18 17:56 ` Paul Menzel
2024-03-18 16:25 ` [PATCH 2/5] Add reading SATA " Blazej Kucman
` (3 subsequent siblings)
4 siblings, 1 reply; 9+ messages in thread
From: Blazej Kucman @ 2024-03-18 16:25 UTC (permalink / raw
To: mariusz.tkaczyk, jes; +Cc: linux-raid
For NVMe devices with Opal support, encryption information, status and
ability are completed based on Opal Level 0 discovery response.
Technical documentation used is given in the implementation.
Ability in general describes what type of encryption is supported,
Status describes in what state the disk with encryption support is.
The current patch only includes only the implementation of reading
encryption information, functions will be used in one of
the next patches.
Motivation for adding this functionality is to block mixing of disks
in IMSM arrays with encryption enabled and disabled.
The main goal is to not allow stealing data by rebuilding array to not
encrypted drive which can be read elsewhere.
Value ENA_OTHER from enum encryption_ability will be used
in the next patch.
Additionally, pr_vrb define is moved from super-intel.c to mdadm.h
so that it can be used globally.
Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
Makefile | 4 +-
drive_encryption.c | 362 +++++++++++++++++++++++++++++++++++++++++++++
drive_encryption.h | 32 ++++
mdadm.h | 2 +
super-intel.c | 2 -
5 files changed, 398 insertions(+), 4 deletions(-)
create mode 100644 drive_encryption.c
create mode 100644 drive_encryption.h
diff --git a/Makefile b/Makefile
index cbdba49a..7c221a89 100644
--- a/Makefile
+++ b/Makefile
@@ -170,7 +170,7 @@ OBJS = mdadm.o config.o policy.o mdstat.o ReadMe.o uuid.o util.o maps.o lib.o u
mdopen.o super0.o super1.o super-ddf.o super-intel.o bitmap.o \
super-mbr.o super-gpt.o \
restripe.o sysfs.o sha1.o mapfile.o crc32.o sg_io.o msg.o xmalloc.o \
- platform-intel.o probe_roms.o crc32c.o
+ platform-intel.o probe_roms.o crc32c.o drive_encryption.o
CHECK_OBJS = restripe.o uuid.o sysfs.o maps.o lib.o xmalloc.o dlink.o
@@ -183,7 +183,7 @@ MON_OBJS = mdmon.o monitor.o managemon.o uuid.o util.o maps.o mdstat.o sysfs.o c
Kill.o sg_io.o dlink.o ReadMe.o super-intel.o \
super-mbr.o super-gpt.o \
super-ddf.o sha1.o crc32.o msg.o bitmap.o xmalloc.o \
- platform-intel.o probe_roms.o crc32c.o
+ platform-intel.o probe_roms.o crc32c.o drive_encryption.o
MON_SRCS = $(patsubst %.o,%.c,$(MON_OBJS))
diff --git a/drive_encryption.c b/drive_encryption.c
new file mode 100644
index 00000000..0fa214a9
--- /dev/null
+++ b/drive_encryption.c
@@ -0,0 +1,362 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Read encryption information for Opal and ATA devices.
+ *
+ * Copyright (C) 2024 Intel Corporation
+ * Author: Blazej Kucman <blazej.kucman@intel.com>
+ */
+
+#include "mdadm.h"
+
+#include <asm/types.h>
+#include <linux/nvme_ioctl.h>
+#include "drive_encryption.h"
+
+/*
+ * Opal defines
+ * TCG Storage Opal SSC 2.01 chapter 3.3.3
+ * NVM ExpressTM Revision 1.4c, chapter 5
+ */
+#define TCG_SECP_01 (0x01)
+#define TCG_SECP_00 (0x00)
+#define OPAL_DISCOVERY_COMID (0x0001)
+#define OPAL_LOCKING_FEATURE (0x0002)
+#define OPAL_IO_BUFFER_LEN 2048
+#define OPAL_DISCOVERY_FEATURE_HEADER_LEN (4)
+
+/*
+ * NVMe defines
+ * NVM ExpressTM Revision 1.4c, chapter 5
+ */
+#define NVME_SECURITY_RECV (0x82)
+#define NVME_IDENTIFY (0x06)
+#define NVME_IDENTIFY_RESPONSE_LEN 4096
+#define NVME_OACS_BYTE_POSITION (256)
+#define NVME_IDENTIFY_CONTROLLER_DATA (1)
+
+typedef enum drive_feature_support_status {
+ /* Drive feature is supported. */
+ DRIVE_FEAT_SUP_ST = 0,
+ /* Drive feature is not supported. */
+ DRIVE_FEAT_NOT_SUP_ST,
+ /* Drive feature support check failed. */
+ DRIVE_FEAT_CHECK_FAILED_ST
+} drive_feat_sup_st;
+
+/* TCG Storage Opal SSC 2.01 chapter 3.1.1.3 */
+typedef struct opal_locking_feature {
+ /* feature header */
+ __u16 feature_code;
+ __u8 reserved : 4;
+ __u8 version : 4;
+ __u8 description_length;
+ /* feature description */
+ __u8 locking_supported : 1;
+ __u8 locking_enabled : 1;
+ __u8 locked : 1;
+ __u8 media_encryption : 1;
+ __u8 mbr_enabled : 1;
+ __u8 mbr_done : 1;
+ __u8 mbr_shadowing_not_supported : 1;
+ __u8 hw_reset_for_dor_supported : 1;
+ __u8 reserved1[11];
+} __attribute__((__packed__)) opal_locking_feature_t;
+
+/* TCG Storage Opal SSC 2.01 chapter 3.1.1.1 */
+typedef struct opal_level0_header {
+ __u32 length;
+ __u32 version;
+ __u64 reserved;
+ __u8 vendor_specific[32];
+} opal_level0_header_t;
+
+/**
+ * NVM ExpressTM Revision 1.4c, Figure 249
+ * Structure specifies only OACS filed, which is needed in the current use case.
+ */
+typedef struct nvme_identify_ctrl {
+ __u8 reserved[255];
+ __u16 oacs;
+ __u8 reserved2[3839];
+} nvme_identify_ctrl_t;
+
+/* SCSI Primary Commands - 4 (SPC-4), Table 512 */
+typedef struct supported_security_protocols {
+ __u8 reserved[6];
+ __u16 list_length;
+ __u8 list[504];
+} supported_security_protocols_t;
+
+/**
+ * get_opal_locking_feature_description() - get opal locking feature description.
+ * @response: response from Opal Discovery Level 0.
+ *
+ * Based on the documentation TCG Storage Opal SSC 2.01 chapter 3.1.1,
+ * a Locking feature is searched for in Opal Level 0 Discovery response.
+ *
+ * Return: if locking feature found pointer to struct %opal_locking_feature_t, NULL otherwise.
+ */
+static opal_locking_feature_t *get_opal_locking_feature_description(__u8 *response)
+{
+ opal_level0_header_t *response_header = (opal_level0_header_t *)response;
+ int features_length = __be32_to_cpu(response_header->length);
+ int current_position = sizeof(*response_header);
+
+ while (current_position < features_length) {
+ opal_locking_feature_t *feature;
+
+ feature = (opal_locking_feature_t *)(response + current_position);
+
+ if (__be16_to_cpu(feature->feature_code) == OPAL_LOCKING_FEATURE)
+ return feature;
+
+ current_position += feature->description_length + OPAL_DISCOVERY_FEATURE_HEADER_LEN;
+ }
+
+ return NULL;
+}
+
+/**
+ * nvme_security_recv_ioctl() - nvme security receive ioctl.
+ * @disk_fd: a disk file descriptor.
+ * @sec_protocol: security protocol.
+ * @comm_id: command id.
+ * @response_buffer: response buffer to fill out.
+ * @buf_size: response buffer size.
+ * @verbose: verbose flag.
+ *
+ * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and
+ * NVM ExpressTM Revision 1.4c, chapter 5.25,
+ * read security receive command via ioctl().
+ * On success, @response_buffer is completed.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
+ */
+static mdadm_status_t
+nvme_security_recv_ioctl(int disk_fd, __u8 sec_protocol, __u16 comm_id, void *response_buffer,
+ size_t buf_size, const int verbose)
+{
+ struct nvme_admin_cmd nvme_cmd = {0};
+ int status;
+
+ nvme_cmd.opcode = NVME_SECURITY_RECV;
+ nvme_cmd.cdw10 = sec_protocol << 24 | comm_id << 8;
+ nvme_cmd.cdw11 = buf_size;
+ nvme_cmd.data_len = buf_size;
+ nvme_cmd.addr = (__u64)response_buffer;
+
+ status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd);
+ if (status != 0) {
+ pr_vrb("Failed to read NVMe security receive ioctl() for device /dev/%s, status: %d\n",
+ fd2kname(disk_fd), status);
+ return MDADM_STATUS_ERROR;
+ }
+
+ return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * nvme_identify_ioctl() - NVMe identify ioctl.
+ * @disk_fd: a disk file descriptor.
+ * @response_buffer: response buffer to fill out.
+ * @buf_size: response buffer size.
+ * @verbose: verbose flag.
+ *
+ * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and
+ * NVM ExpressTM Revision 1.4c, chapter 5.25,
+ * read NVMe identify via ioctl().
+ * On success, @response_buffer will be completed.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
+ */
+static mdadm_status_t
+nvme_identify_ioctl(int disk_fd, void *response_buffer, size_t buf_size, const int verbose)
+{
+ struct nvme_admin_cmd nvme_cmd = {0};
+ int status;
+
+ nvme_cmd.opcode = NVME_IDENTIFY;
+ nvme_cmd.cdw10 = NVME_IDENTIFY_CONTROLLER_DATA;
+ nvme_cmd.data_len = buf_size;
+ nvme_cmd.addr = (__u64)response_buffer;
+
+ status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd);
+ if (status != 0) {
+ pr_vrb("Failed to read NVMe identify ioctl() for device /dev/%s, status: %d\n",
+ fd2kname(disk_fd), status);
+ return MDADM_STATUS_ERROR;
+ }
+
+ return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * is_sec_prot_01h_supported() - check if security protocol 01h supported.
+ * @security_protocols: struct with response from disk (NVMe, SATA) describing supported
+ * security protocols.
+ *
+ * Return: true if TCG_SECP_01 found, false otherwise.
+ */
+static bool is_sec_prot_01h_supported(supported_security_protocols_t *security_protocols)
+{
+ int list_length = be16toh(security_protocols->list_length);
+ int index;
+
+ for (index = 0 ; index < list_length; index++) {
+ if (security_protocols->list[index] == TCG_SECP_01)
+ return true;
+ }
+
+ return false;
+}
+
+/**
+ * is_sec_prot_01h_supported_nvme() - check if security protocol 01h supported for given NVMe disk.
+ * @disk_fd: a disk file descriptor.
+ * @verbose: verbose flag.
+ *
+ * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported,
+ * %DRIVE_FEAT_CHECK_FAILED_ST if failed to check.
+ */
+static drive_feat_sup_st is_sec_prot_01h_supported_nvme(int disk_fd, const int verbose)
+{
+ supported_security_protocols_t security_protocols = {0};
+
+ /* security_protocol: TCG_SECP_00, comm_id: not applicable */
+ if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_00, 0x0, &security_protocols,
+ sizeof(security_protocols), verbose))
+ return DRIVE_FEAT_CHECK_FAILED_ST;
+
+ if (is_sec_prot_01h_supported(&security_protocols))
+ return DRIVE_FEAT_SUP_ST;
+
+ return DRIVE_FEAT_NOT_SUP_ST;
+}
+
+/**
+ * is_nvme_sec_send_recv_supported() - check if Security Send and Security Receive is supported.
+ * @disk_fd: a disk file descriptor.
+ * @verbose: verbose flag.
+ *
+ * Check if "Optional Admin Command Support" bit 0 is set in NVMe identify.
+ * Bit 0 set to 1 means controller supports the Security Send and Security Receive commands.
+ *
+ * Return: %DRIVE_FEAT_SUP_ST if security send/receive supported,
+ * %DRIVE_FEAT_NOT_SUP_ST if not supported, %DRIVE_FEAT_CHECK_FAILED_ST if check failed.
+ */
+static drive_feat_sup_st is_nvme_sec_send_recv_supported(int disk_fd, const int verbose)
+{
+ nvme_identify_ctrl_t nvme_identify = {0};
+ int status = 0;
+
+ status = nvme_identify_ioctl(disk_fd, &nvme_identify, sizeof(nvme_identify), verbose);
+ if (status)
+ return DRIVE_FEAT_CHECK_FAILED_ST;
+
+ if ((__le16_to_cpu(nvme_identify.oacs) & 0x1) == 0x1)
+ return DRIVE_FEAT_SUP_ST;
+
+ return DRIVE_FEAT_NOT_SUP_ST;
+}
+
+/**
+ * get_opal_encryption_locking_informations() - get Opal Locking information.
+ * @buffer: buffer with Opal Level 0 Discovery response.
+ * @information: struct to fill out, describing encryption status of disk.
+ *
+ * If Locking feature frame is in response from Opal Level 0 discovery, &encryption_information_t
+ * structure is completed with status and ability otherwise the status is set to &None.
+ * For possible encryption statuses and abilities,
+ * please refer to enums &encryption_status and &encryption_ability.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
+ */
+static mdadm_status_t get_opal_encryption_informations(__u8 *buffer,
+ encryption_information_t *information)
+{
+ opal_locking_feature_t *opal_locking_feature =
+ get_opal_locking_feature_description(buffer);
+
+ if (!opal_locking_feature)
+ return MDADM_STATUS_ERROR;
+
+ if (opal_locking_feature->locking_supported == 1) {
+ information->ability = ENA_SED;
+
+ if (opal_locking_feature->locking_enabled == 0)
+ information->status = ENS_UNENCRYPTED;
+ else if (opal_locking_feature->locked == 1)
+ information->status = ENS_LOCKED;
+ else
+ information->status = ENS_UNLOCKED;
+ } else {
+ information->ability = ENA_NONE;
+ information->status = ENS_UNENCRYPTED;
+ }
+
+ return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * get_nvme_opal_encryption_informations() - get NVMe Opal encryption information.
+ * @disk_fd: a disk file descriptor.
+ * @information: struct to fill out, describing encryption status of disk.
+ * @verbose: verbose flag.
+ *
+ * In case the disk supports Opal Level 0 discovery, &encryption_information_t structure
+ * is completed with status and ability based on ioctl response,
+ * otherwise the ability is set to %ENA_NONE and &status to %ENS_UNENCRYPTED.
+ * As the current use case does not need the knowledge of Opal support, if there is no support,
+ * %MDADM_STATUS_SUCCESS will be returned, with the values described above.
+ * For possible encryption statuses and abilities,
+ * please refer to enums &encryption_status and &encryption_ability.
+ *
+ * %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
+ */
+mdadm_status_t
+get_nvme_opal_encryption_informations(int disk_fd, encryption_information_t *information,
+ const int verbose)
+{
+ __u8 buffer[OPAL_IO_BUFFER_LEN];
+ int sec_send_recv_supported = 0;
+ int protocol_01h_supported = 0;
+ mdadm_status_t status;
+
+ information->ability = ENA_NONE;
+ information->status = ENS_UNENCRYPTED;
+
+ sec_send_recv_supported = is_nvme_sec_send_recv_supported(disk_fd, verbose);
+ if (sec_send_recv_supported == DRIVE_FEAT_CHECK_FAILED_ST)
+ return MDADM_STATUS_ERROR;
+
+ /* Opal not supported */
+ if (sec_send_recv_supported == DRIVE_FEAT_NOT_SUP_ST)
+ return MDADM_STATUS_SUCCESS;
+
+ /**
+ * sec_send_recv_supported determine that it should be possible to read
+ * supported sec protocols
+ */
+ protocol_01h_supported = is_sec_prot_01h_supported_nvme(disk_fd, verbose);
+ if (protocol_01h_supported == DRIVE_FEAT_CHECK_FAILED_ST)
+ return MDADM_STATUS_ERROR;
+
+ /* Opal not supported */
+ if (sec_send_recv_supported == DRIVE_FEAT_SUP_ST &&
+ protocol_01h_supported == DRIVE_FEAT_NOT_SUP_ST)
+ return MDADM_STATUS_SUCCESS;
+
+ if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_01, OPAL_DISCOVERY_COMID, (void *)&buffer,
+ OPAL_IO_BUFFER_LEN, verbose))
+ return MDADM_STATUS_ERROR;
+
+ status = get_opal_encryption_informations((__u8 *)&buffer, information);
+ if (status)
+ pr_vrb("Locking feature description not found in Level 0 discovery response. Device /dev/%s.\n",
+ fd2kname(disk_fd));
+
+ if (information->ability == ENA_NONE)
+ assert(information->status == ENS_UNENCRYPTED);
+
+ return status;
+}
diff --git a/drive_encryption.h b/drive_encryption.h
new file mode 100644
index 00000000..27f1de55
--- /dev/null
+++ b/drive_encryption.h
@@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Read encryption information for Opal and ATA devices.
+ *
+ * Copyright (C) 2024 Intel Corporation
+ * Author: Blazej Kucman <blazej.kucman@intel.com>
+ */
+
+typedef enum encryption_status {
+ /* The drive is not currently encrypted. */
+ ENS_UNENCRYPTED = 0,
+ /* The drive is encrypted and the data is not accessible. */
+ ENS_LOCKED,
+ /* The drive is encrypted but the data is accessible in unencrypted form. */
+ ENS_UNLOCKED
+} encryption_status_t;
+
+typedef enum encryption_ability {
+ ENA_NONE = 0,
+ ENA_OTHER,
+ /* Self encrypted drive */
+ ENA_SED
+} encryption_ability_t;
+
+typedef struct encryption_information {
+ encryption_ability_t ability;
+ encryption_status_t status;
+} encryption_information_t;
+
+mdadm_status_t
+get_nvme_opal_encryption_informations(int disk_fd, struct encryption_information *information,
+ const int verbose);
diff --git a/mdadm.h b/mdadm.h
index 3fedca48..141adbd7 100644
--- a/mdadm.h
+++ b/mdadm.h
@@ -1912,6 +1912,8 @@ static inline int xasprintf(char **strp, const char *fmt, ...) {
#define pr_info(fmt, args...) printf("%s: "fmt, Name, ##args)
+#define pr_vrb(fmt, arg...) ((void)(verbose && pr_err(fmt, ##arg)))
+
void *xmalloc(size_t len);
void *xrealloc(void *ptr, size_t len);
void *xcalloc(size_t num, size_t size);
diff --git a/super-intel.c b/super-intel.c
index 77140455..806b6248 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -393,8 +393,6 @@ struct md_list {
struct md_list *next;
};
-#define pr_vrb(fmt, arg...) (void) (verbose && pr_err(fmt, ##arg))
-
static __u8 migr_type(struct imsm_dev *dev)
{
if (dev->vol.migr_type == MIGR_VERIFY &&
--
2.35.3
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 2/5] Add reading SATA encryption information
2024-03-18 16:25 [PATCH 0/5] Disk encryption status handling Blazej Kucman
2024-03-18 16:25 ` [PATCH 1/5] Add reading Opal NVMe encryption information Blazej Kucman
@ 2024-03-18 16:25 ` Blazej Kucman
2024-03-18 16:25 ` [PATCH 3/5] Add key ENCRYPTION_NO_VERIFY to conf Blazej Kucman
` (2 subsequent siblings)
4 siblings, 0 replies; 9+ messages in thread
From: Blazej Kucman @ 2024-03-18 16:25 UTC (permalink / raw
To: mariusz.tkaczyk, jes; +Cc: linux-raid
Functionality reads information about SATA disk encryption.
Technical documentation used is given in the implementation.
The implementation is able to recognized two encryption standards
for SATA drives OPAL and ATA security.
If the SATA drive supports OPAL, encryption status and
ability are completed based on Opal Level 0 discovery response,
for ATA security, based on ATA identify response.
If SATA supports OPAL, ability is set to "SED",
for ATA security to "Other".
SED(Self-Encrypting Drive) is commonly used to describe drive
which using OPAL or Enterprise standards developed by
Trusted Computing Group.
Ability "Other" is used for ATA security because we rely only on
information from ATA identify which describe the overall
state of encryption.
It is allowed to mix disks with different encryption ability
such as "SED" and "Other" and it is not security gap.
Motivation for adding this functionality is to block mixing of disks
in IMSM arrays with encryption enabled and disabled.
The main goal is to not allow stealing data by rebuilding array to not
encrypted drive which can be read elsewhere.
For SATA Opal drives, libata allow_tmp parameter enabled
is required, which is necessary for Opal Security commands to work,
therefore, if the parameter is not enabled, SATA Opal disk cannot
be used in case the encryption will be checked by metadata.
Implemented functions will be used in one of the next patches.
In one of the next patches, a flag will be added to enable
disabling SATA Opal encryption checking due to allow_tpm kernel
setting dependency.
Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
drive_encryption.c | 318 +++++++++++++++++++++++++++++++++++++++++++++
drive_encryption.h | 3 +
mdadm.h | 1 +
sysfs.c | 29 +++++
4 files changed, 351 insertions(+)
diff --git a/drive_encryption.c b/drive_encryption.c
index 0fa214a9..8421e374 100644
--- a/drive_encryption.c
+++ b/drive_encryption.c
@@ -10,8 +10,12 @@
#include <asm/types.h>
#include <linux/nvme_ioctl.h>
+#include <scsi/sg.h>
+#include <scsi/scsi.h>
#include "drive_encryption.h"
+#define DEFAULT_SECTOR_SIZE (512)
+
/*
* Opal defines
* TCG Storage Opal SSC 2.01 chapter 3.3.3
@@ -34,6 +38,35 @@
#define NVME_OACS_BYTE_POSITION (256)
#define NVME_IDENTIFY_CONTROLLER_DATA (1)
+/*
+ * ATA defines
+ * ATA/ATAPI Command Set ATA8-ACS
+ * SCSI / ATA Translation - 3 (SAT-3)
+ * SCSI Primary Commands - 4 (SPC-4)
+ * AT Attachment-8 - ATA Serial Transport (ATA8-AST)
+ * ATA Command Pass-Through
+ */
+#define ATA_IDENTIFY (0xec)
+#define ATA_TRUSTED_RECEIVE (0x5c)
+#define ATA_SECURITY_WORD_POSITION (128)
+#define HDIO_DRIVE_CMD (0x031f)
+#define ATA_TRUSTED_COMPUTING_POS (48)
+#define ATA_PASS_THROUGH_12 (0xa1)
+#define ATA_IDENTIFY_RESPONSE_LEN (512)
+#define ATA_PIO_DATA_IN (4)
+#define SG_CHECK_CONDITION (0x02)
+#define ATA_STATUS_RETURN_DESCRIPTOR (0x09)
+#define ATA_PT_INFORMATION_AVAILABLE_ASCQ (0x1d)
+#define ATA_PT_INFORMATION_AVAILABLE_ASC (0x00)
+#define ATA_INQUIRY_LENGTH (0x0c)
+#define SG_INTERFACE_ID 'S'
+#define SG_IO_TIMEOUT (60000)
+#define SG_SENSE_SIZE (32)
+#define SENSE_DATA_CURRENT_FIXED (0x70)
+#define SENSE_DATA_CURRENT_DESC (0x72)
+#define SENSE_CURRENT_RES_DESC_POS (8)
+#define SG_DRIVER_SENSE (0x08)
+
typedef enum drive_feature_support_status {
/* Drive feature is supported. */
DRIVE_FEAT_SUP_ST = 0,
@@ -87,6 +120,27 @@ typedef struct supported_security_protocols {
__u8 list[504];
} supported_security_protocols_t;
+/* ATA/ATAPI Command Set - 3 (ACS-3), Table 45 */
+typedef struct ata_security_status {
+ __u16 security_supported : 1;
+ __u16 security_enabled : 1;
+ __u16 security_locked : 1;
+ __u16 security_frozen : 1;
+ __u16 security_count_expired : 1;
+ __u16 enhanced_security_erase_supported : 1;
+ __u16 reserved1 : 2;
+ __u16 security_level : 1;
+ __u16 reserved2 : 7;
+} __attribute__((__packed__)) ata_security_status_t;
+
+/* ATA/ATAPI Command Set - 3 (ACS-3), Table 45 */
+typedef struct ata_trusted_computing {
+ __u16 tc_feature :1;
+ __u16 reserved : 13;
+ __u16 var1 : 1;
+ __u16 var2 : 1;
+} __attribute__((__packed__)) ata_trusted_computing_t;
+
/**
* get_opal_locking_feature_description() - get opal locking feature description.
* @response: response from Opal Discovery Level 0.
@@ -360,3 +414,267 @@ get_nvme_opal_encryption_informations(int disk_fd, encryption_information_t *inf
return status;
}
+
+/**
+ * ata_pass_through12_ioctl() - ata pass through12 ioctl.
+ * @disk_fd: a disk file descriptor.
+ * @ata_command: ata command.
+ * @sec_protocol: security protocol.
+ * @comm_id: additional command id.
+ * @response_buffer: response buffer to fill out.
+ * @buf_size: response buffer size.
+ * @verbose: verbose flag.
+ *
+ * Based on the documentations ATA Command Pass-Through, chapter 13.2.2 and
+ * ATA Translation - 3 (SAT-3), send read ata pass through 12 command via ioctl().
+ * On success, @response_buffer will be completed.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR on fail.
+ */
+static mdadm_status_t
+ata_pass_through12_ioctl(int disk_fd, __u8 ata_command, __u8 sec_protocol, __u16 comm_id,
+ void *response_buffer, size_t buf_size, const int verbose)
+{
+ __u8 cdb[ATA_INQUIRY_LENGTH] = {0};
+ __u8 sense[SG_SENSE_SIZE] = {0};
+ __u8 *sense_desc = NULL;
+ sg_io_hdr_t sg = {0};
+
+ /*
+ * ATA Command Pass-Through, chapter 13.2.2
+ * SCSI Primary Commands - 4 (SPC-4)
+ * ATA Translation - 3 (SAT-3)
+ */
+ cdb[0] = ATA_PASS_THROUGH_12;
+ /* protocol, bits 1-4 */
+ cdb[1] = ATA_PIO_DATA_IN << 1;
+ /* Bytes: CK_COND=1, T_DIR = 1, BYTE_BLOCK = 1, Length in Sector Count = 2 */
+ cdb[2] = 0x2E;
+ cdb[3] = sec_protocol;
+ /* Sector count */
+ cdb[4] = buf_size / DEFAULT_SECTOR_SIZE;
+ cdb[6] = (comm_id) & 0xFF;
+ cdb[7] = (comm_id >> 8) & 0xFF;
+ cdb[9] = ata_command;
+
+ sg.interface_id = SG_INTERFACE_ID;
+ sg.cmd_len = sizeof(cdb);
+ sg.mx_sb_len = sizeof(sense);
+ sg.dxfer_direction = SG_DXFER_FROM_DEV;
+ sg.dxfer_len = buf_size;
+ sg.dxferp = response_buffer;
+ sg.cmdp = cdb;
+ sg.sbp = sense;
+ sg.timeout = SG_IO_TIMEOUT;
+ sg.usr_ptr = NULL;
+
+ if (ioctl(disk_fd, SG_IO, &sg) < 0) {
+ pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s.\n", fd2kname(disk_fd));
+ return MDADM_STATUS_ERROR;
+ }
+
+ if ((sg.status && sg.status != SG_CHECK_CONDITION) || sg.host_status ||
+ (sg.driver_status && sg.driver_status != SG_DRIVER_SENSE)) {
+ pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s.\n", fd2kname(disk_fd));
+ pr_vrb("SG_IO error: ATA_12 Status: %d Host Status: %d, Driver Status: %d\n",
+ sg.status, sg.host_status, sg.driver_status);
+ return MDADM_STATUS_ERROR;
+ }
+
+ /* verify expected sense response code */
+ if (!(sense[0] == SENSE_DATA_CURRENT_DESC || sense[0] == SENSE_DATA_CURRENT_FIXED)) {
+ pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s.\n", fd2kname(disk_fd));
+ return MDADM_STATUS_ERROR;
+ }
+
+ sense_desc = sense + SENSE_CURRENT_RES_DESC_POS;
+ /* verify sense data current response with descriptor format */
+ if (sense[0] == SENSE_DATA_CURRENT_DESC &&
+ !(sense_desc[0] == ATA_STATUS_RETURN_DESCRIPTOR &&
+ sense_desc[1] == ATA_INQUIRY_LENGTH)) {
+ pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s. Sense data ASC: %d, ASCQ: %d.\n",
+ fd2kname(disk_fd), sense[2], sense[3]);
+ return MDADM_STATUS_ERROR;
+ }
+
+ /* verify sense data current response with fixed format */
+ if (sense[0] == SENSE_DATA_CURRENT_FIXED &&
+ !(sense[12] == ATA_PT_INFORMATION_AVAILABLE_ASC &&
+ sense[13] == ATA_PT_INFORMATION_AVAILABLE_ASCQ)) {
+ pr_vrb("Failed ata passthrough12 ioctl. Device: /dev/%s. Sense data ASC: %d, ASCQ: %d.\n",
+ fd2kname(disk_fd), sense[12], sense[13]);
+ return MDADM_STATUS_ERROR;
+ }
+
+ return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * is_sec_prot_01h_supported_ata() - check if security protocol 01h supported for given SATA disk.
+ * @disk_fd: a disk file descriptor.
+ * @verbose: verbose flag.
+ *
+ * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported,
+ * %DRIVE_FEAT_CHECK_FAILED_ST if failed.
+ */
+static drive_feat_sup_st is_sec_prot_01h_supported_ata(int disk_fd, const int verbose)
+{
+ supported_security_protocols_t security_protocols;
+
+ mdadm_status_t result = ata_pass_through12_ioctl(disk_fd, ATA_TRUSTED_RECEIVE, TCG_SECP_00,
+ 0x0, &security_protocols,
+ sizeof(security_protocols), verbose);
+ if (result)
+ return DRIVE_FEAT_CHECK_FAILED_ST;
+
+ if (is_sec_prot_01h_supported(&security_protocols))
+ return DRIVE_FEAT_SUP_ST;
+
+ return DRIVE_FEAT_NOT_SUP_ST;
+}
+
+/**
+ * is_ata_trusted_computing_supported() - check if ata trusted computing supported.
+ * @buffer: buffer with ATA identify response, not NULL.
+ *
+ * Return: true if trusted computing bit set, false otherwise.
+ */
+bool is_ata_trusted_computing_supported(__u16 *buffer)
+{
+ /* Added due to warnings from the compiler about a possible uninitialized variable below. */
+ assert(buffer);
+
+ __u16 security_tc_frame = __le16_to_cpu(buffer[ATA_TRUSTED_COMPUTING_POS]);
+ ata_trusted_computing_t *security_tc = (ata_trusted_computing_t *)&security_tc_frame;
+
+ if (security_tc->tc_feature == 1)
+ return true;
+
+ return false;
+}
+
+/**
+ * get_ata_standard_security_status() - get ATA disk encryption information from ATA identify.
+ * @buffer: buffer with response from ATA identify, not NULL.
+ * @information: struct to fill out, describing encryption status of disk.
+ *
+ * The function based on the Security status frame from ATA identify,
+ * completed encryption information.
+ * For possible encryption statuses and abilities,
+ * please refer to enums &encryption_status and &encryption_ability.
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR on fail.
+ */
+static mdadm_status_t get_ata_standard_security_status(__u16 *buffer,
+ struct encryption_information *information)
+{
+ /* Added due to warnings from the compiler about a possible uninitialized variable below. */
+ assert(buffer);
+
+ __u16 security_status_frame = __le16_to_cpu(buffer[ATA_SECURITY_WORD_POSITION]);
+ ata_security_status_t *security_status = (ata_security_status_t *)&security_status_frame;
+
+ if (!security_status->security_supported) {
+ information->ability = ENA_NONE;
+ information->status = ENS_UNENCRYPTED;
+
+ return MDADM_STATUS_SUCCESS;
+ }
+
+ information->ability = ENA_OTHER;
+
+ if (security_status->security_enabled == 0)
+ information->status = ENS_UNENCRYPTED;
+ else if (security_status->security_locked == 1)
+ information->status = ENS_LOCKED;
+ else
+ information->status = ENS_UNLOCKED;
+
+ return MDADM_STATUS_SUCCESS;
+}
+
+/**
+ * is_ata_opal() - check if SATA disk support Opal.
+ * @disk_fd: a disk file descriptor.
+ * @buffer: buffer with ATA identify response.
+ * @verbose: verbose flag.
+ *
+ * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported,
+ * %DRIVE_FEAT_CHECK_FAILED_ST if failed to check.
+ */
+static drive_feat_sup_st is_ata_opal(int disk_fd, __u16 *buffer_identify, const int verbose)
+{
+ bool tc_status = is_ata_trusted_computing_supported(buffer_identify);
+ drive_feat_sup_st tcg_sec_prot_status;
+
+ if (!tc_status)
+ return DRIVE_FEAT_NOT_SUP_ST;
+
+ tcg_sec_prot_status = is_sec_prot_01h_supported_ata(disk_fd, verbose);
+
+ if (tcg_sec_prot_status == DRIVE_FEAT_CHECK_FAILED_ST) {
+ pr_vrb("Failed to verify if security protocol 01h supported. Device /dev/%s.\n",
+ fd2kname(disk_fd));
+ return DRIVE_FEAT_CHECK_FAILED_ST;
+ }
+
+ if (tc_status && tcg_sec_prot_status == DRIVE_FEAT_SUP_ST)
+ return DRIVE_FEAT_SUP_ST;
+
+ return DRIVE_FEAT_NOT_SUP_ST;
+}
+
+/**
+ * get_ata_encryption_information() - get ATA disk encryption information.
+ * @disk_fd: a disk file descriptor.
+ * @information: struct to fill out, describing encryption status of disk.
+ * @verbose: verbose flag.
+ *
+ * The function reads information about encryption, if the disk supports Opal,
+ * the information is completed based on Opal Level 0 discovery, otherwise,
+ * based on ATA security status frame from ATA identification response.
+ * For possible encryption statuses and abilities,
+ * please refer to enums &encryption_status and &encryption_ability.
+ *
+ * Based on the documentations ATA/ATAPI Command Set ATA8-ACS and
+ * AT Attachment-8 - ATA Serial Transport (ATA8-AST).
+ *
+ * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR on fail.
+ */
+mdadm_status_t
+get_ata_encryption_information(int disk_fd, struct encryption_information *information,
+ const int verbose)
+{
+ __u8 buffer_opal_level0_discovery[OPAL_IO_BUFFER_LEN] = {0};
+ __u16 buffer_identify[ATA_IDENTIFY_RESPONSE_LEN] = {0};
+ drive_feat_sup_st ata_opal_status;
+ mdadm_status_t status;
+
+ /* Get disk ATA identification */
+ status = ata_pass_through12_ioctl(disk_fd, ATA_IDENTIFY, 0x0, 0x0, buffer_identify,
+ sizeof(buffer_identify), verbose);
+ if (status == MDADM_STATUS_ERROR)
+ return MDADM_STATUS_ERROR;
+
+ if (is_ata_trusted_computing_supported(buffer_identify) &&
+ !sysfs_is_libata_allow_tpm_enabled(verbose)) {
+ pr_vrb("For SATA with Trusted Computing support, required libata.tpm_enabled=1.\n");
+ return MDADM_STATUS_ERROR;
+ }
+
+ ata_opal_status = is_ata_opal(disk_fd, buffer_identify, verbose);
+ if (ata_opal_status == DRIVE_FEAT_CHECK_FAILED_ST)
+ return MDADM_STATUS_ERROR;
+
+ if (ata_opal_status == DRIVE_FEAT_NOT_SUP_ST)
+ return get_ata_standard_security_status(buffer_identify, information);
+
+ /* SATA Opal */
+ status = ata_pass_through12_ioctl(disk_fd, ATA_TRUSTED_RECEIVE, TCG_SECP_01,
+ OPAL_DISCOVERY_COMID, buffer_opal_level0_discovery,
+ OPAL_IO_BUFFER_LEN, verbose);
+ if (status != MDADM_STATUS_SUCCESS)
+ return MDADM_STATUS_ERROR;
+
+ return get_opal_encryption_informations(buffer_opal_level0_discovery, information);
+}
diff --git a/drive_encryption.h b/drive_encryption.h
index 27f1de55..01405e1e 100644
--- a/drive_encryption.h
+++ b/drive_encryption.h
@@ -30,3 +30,6 @@ typedef struct encryption_information {
mdadm_status_t
get_nvme_opal_encryption_informations(int disk_fd, struct encryption_information *information,
const int verbose);
+mdadm_status_t
+get_ata_encryption_information(int disk_fd, struct encryption_information *information,
+ const int verbose);
diff --git a/mdadm.h b/mdadm.h
index 141adbd7..f64bb783 100644
--- a/mdadm.h
+++ b/mdadm.h
@@ -853,6 +853,7 @@ extern int restore_stripes(int *dest, unsigned long long *offsets,
int source, unsigned long long read_offset,
unsigned long long start, unsigned long long length,
char *src_buf);
+extern bool sysfs_is_libata_allow_tpm_enabled(const int verbose);
#ifndef Sendmail
#define Sendmail "/usr/lib/sendmail -t"
diff --git a/sysfs.c b/sysfs.c
index 230b842e..24790896 100644
--- a/sysfs.c
+++ b/sysfs.c
@@ -1123,3 +1123,32 @@ void sysfsline(char *line)
sr->next = sysfs_rules;
sysfs_rules = sr;
}
+
+/**
+ * sysfs_is_libata_allow_tpm_enabled() - check if libata allow_tmp is enabled.
+ * @verbose: verbose flag.
+ *
+ * Check if libata allow_tmp flag is set, this is required for SATA Opal Security commands to work.
+ *
+ * Return: true if allow_tpm enable, false otherwise.
+ */
+bool sysfs_is_libata_allow_tpm_enabled(const int verbose)
+{
+ const char *path = "/sys/module/libata/parameters/allow_tpm";
+ const char *expected_value = "1";
+ int fd = open(path, O_RDONLY);
+ char buf[3];
+
+ if (!is_fd_valid(fd)) {
+ pr_vrb("Failed open file descriptor to %s. Cannot check libata allow_tpm param.\n",
+ path);
+ return false;
+ }
+
+ sysfs_fd_get_str(fd, buf, sizeof(buf));
+ close(fd);
+
+ if (strncmp(buf, expected_value, 1) == 0)
+ return true;
+ return false;
+}
--
2.35.3
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 3/5] Add key ENCRYPTION_NO_VERIFY to conf
2024-03-18 16:25 [PATCH 0/5] Disk encryption status handling Blazej Kucman
2024-03-18 16:25 ` [PATCH 1/5] Add reading Opal NVMe encryption information Blazej Kucman
2024-03-18 16:25 ` [PATCH 2/5] Add reading SATA " Blazej Kucman
@ 2024-03-18 16:25 ` Blazej Kucman
2024-03-18 18:00 ` Paul Menzel
2024-03-18 16:25 ` [PATCH 4/5] imsm: print disk encryption information Blazej Kucman
2024-03-18 16:25 ` [PATCH 5/5] imsm: drive encryption policy implementation Blazej Kucman
4 siblings, 1 reply; 9+ messages in thread
From: Blazej Kucman @ 2024-03-18 16:25 UTC (permalink / raw
To: mariusz.tkaczyk, jes; +Cc: linux-raid
Add ENCRYPTION_NO_VERIFY config key and allow to disable
checking encryption status for given type of drives.
The key is introduced because of SATA Opal disks for which
TPM commands must be enabled in libata kernel module,
(libata.allow_tpm=1), otherwise it is impossible to verify
encryption status. TPM commands are disabled by default.
Currently the key only supports the "sata_opal" value,
if necessary, the functionality is ready to support more types of disks.
Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
config.c | 25 ++++++++++++++++++++++++-
drive_encryption.c | 16 ++++++++++++----
mdadm.conf.5.in | 13 +++++++++++++
mdadm.h | 1 +
4 files changed, 50 insertions(+), 5 deletions(-)
diff --git a/config.c b/config.c
index 44f7dd2f..b46d71cb 100644
--- a/config.c
+++ b/config.c
@@ -81,7 +81,7 @@ char DefaultAltConfDir[] = CONFFILE2 ".d";
enum linetype { Devices, Array, Mailaddr, Mailfrom, Program, CreateDev,
Homehost, HomeCluster, AutoMode, Policy, PartPolicy, Sysfs,
- MonitorDelay, LTEnd };
+ MonitorDelay, EncryptionNoVerify, LTEnd };
char *keywords[] = {
[Devices] = "devices",
[Array] = "array",
@@ -96,6 +96,7 @@ char *keywords[] = {
[PartPolicy]="part-policy",
[Sysfs] = "sysfs",
[MonitorDelay] = "monitordelay",
+ [EncryptionNoVerify] = "ENCRYPTION_NO_VERIFY",
[LTEnd] = NULL
};
@@ -729,6 +730,19 @@ void monitordelayline(char *line)
}
}
+static bool sata_opal_encryption_no_verify;
+void encryption_no_verify_line(char *line)
+{
+ char *word;
+
+ for (word = dl_next(line); word != line; word = dl_next(word)) {
+ if (strcasecmp(word, "sata_opal") == 0)
+ sata_opal_encryption_no_verify = true;
+ else
+ pr_err("unrecognised word on ENCRYPTION_NO_VERIFY line: %s\n", word);
+ }
+}
+
char auto_yes[] = "yes";
char auto_no[] = "no";
char auto_homehost[] = "homehost";
@@ -913,6 +927,9 @@ void conf_file(FILE *f)
case MonitorDelay:
monitordelayline(line);
break;
+ case EncryptionNoVerify:
+ encryption_no_verify_line(line);
+ break;
default:
pr_err("Unknown keyword %s\n", line);
}
@@ -1075,6 +1092,12 @@ int conf_get_monitor_delay(void)
return monitor_delay;
}
+bool conf_get_sata_opal_encryption_no_verify(void)
+{
+ load_conffile();
+ return sata_opal_encryption_no_verify;
+}
+
struct createinfo *conf_get_create_info(void)
{
load_conffile();
diff --git a/drive_encryption.c b/drive_encryption.c
index 8421e374..5b9cdc00 100644
--- a/drive_encryption.c
+++ b/drive_encryption.c
@@ -656,10 +656,18 @@ get_ata_encryption_information(int disk_fd, struct encryption_information *infor
if (status == MDADM_STATUS_ERROR)
return MDADM_STATUS_ERROR;
- if (is_ata_trusted_computing_supported(buffer_identify) &&
- !sysfs_is_libata_allow_tpm_enabled(verbose)) {
- pr_vrb("For SATA with Trusted Computing support, required libata.tpm_enabled=1.\n");
- return MDADM_STATUS_ERROR;
+ /* Possible OPAL support, further checks require tpm_enabled.*/
+ if (is_ata_trusted_computing_supported(buffer_identify)) {
+ /* OPAL SATA encryption checking disabled. */
+ if (conf_get_sata_opal_encryption_no_verify())
+ return MDADM_STATUS_SUCCESS;
+
+ if (!sysfs_is_libata_allow_tpm_enabled(verbose)) {
+ pr_vrb("Detected SATA drive /dev/%s with Trusted Computing support.\n",
+ fd2kname(disk_fd));
+ pr_vrb("Cannot verify encryption state. Required libata.tpm_enabled=1.\n");
+ return MDADM_STATUS_ERROR;
+ }
}
ata_opal_status = is_ata_opal(disk_fd, buffer_identify, verbose);
diff --git a/mdadm.conf.5.in b/mdadm.conf.5.in
index 787e51e9..afb0a296 100644
--- a/mdadm.conf.5.in
+++ b/mdadm.conf.5.in
@@ -636,6 +636,17 @@ If multiple
.B MINITORDELAY
lines are provided, only first non-zero value is considered.
+.TP
+.B ENCRYPTION_NO_VERIFY
+The
+.B ENCRYPTION_NO_VERIFY
+disables encryption verification for devices with particular encryption support detected.
+Currently, only verification of SATA OPAL encryption can be disabled.
+It does not disable ATA security encryption verification.
+Available parameter
+.I "sata_opal".
+
+
.SH FILES
.SS {CONFFILE}
@@ -744,6 +755,8 @@ SYSFS uuid=bead5eb6:31c17a27:da120ba2:7dfda40d group_thread_cnt=4
sync_speed_max=1000000
.br
MONITORDELAY 60
+.br
+ENCRYPTION_NO_VERIFY sata_opal
.SH SEE ALSO
.BR mdadm (8),
diff --git a/mdadm.h b/mdadm.h
index f64bb783..9d98693b 100644
--- a/mdadm.h
+++ b/mdadm.h
@@ -1673,6 +1673,7 @@ extern char *conf_get_program(void);
extern char *conf_get_homehost(int *require_homehostp);
extern char *conf_get_homecluster(void);
extern int conf_get_monitor_delay(void);
+extern bool conf_get_sata_opal_encryption_no_verify(void);
extern char *conf_line(FILE *file);
extern char *conf_word(FILE *file, int allow_key);
extern void print_quoted(char *str);
--
2.35.3
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 4/5] imsm: print disk encryption information
2024-03-18 16:25 [PATCH 0/5] Disk encryption status handling Blazej Kucman
` (2 preceding siblings ...)
2024-03-18 16:25 ` [PATCH 3/5] Add key ENCRYPTION_NO_VERIFY to conf Blazej Kucman
@ 2024-03-18 16:25 ` Blazej Kucman
2024-03-18 16:25 ` [PATCH 5/5] imsm: drive encryption policy implementation Blazej Kucman
4 siblings, 0 replies; 9+ messages in thread
From: Blazej Kucman @ 2024-03-18 16:25 UTC (permalink / raw
To: mariusz.tkaczyk, jes; +Cc: linux-raid
Print SATA/NVMe disk encryption information in detail-platform.
Encryption Ability and Status will be printed for each disk.
There is one exception, Opal SATA drives encryption is not checked when
ENCRYPTION_NO_VERIFY key with "sata_opal" value is set in conf,
for this reason such drives are treated as with encryption disabled.
Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
drive_encryption.c | 36 ++++++++++++++++++++++++++++++++++++
drive_encryption.h | 2 ++
mdadm.conf.5.in | 3 +++
super-intel.c | 42 ++++++++++++++++++++++++++++++++++++++----
4 files changed, 79 insertions(+), 4 deletions(-)
diff --git a/drive_encryption.c b/drive_encryption.c
index 5b9cdc00..8ead9062 100644
--- a/drive_encryption.c
+++ b/drive_encryption.c
@@ -141,6 +141,42 @@ typedef struct ata_trusted_computing {
__u16 var2 : 1;
} __attribute__((__packed__)) ata_trusted_computing_t;
+mapping_t encryption_ability_map[] = {
+ { "None", ENA_NONE },
+ { "Other", ENA_OTHER },
+ { "SED", ENA_SED },
+ { NULL, UnSet }
+};
+
+mapping_t encryption_status_map[] = {
+ { "Unencrypted", ENS_UNENCRYPTED },
+ { "Locked", ENS_LOCKED },
+ { "Unlocked", ENS_UNLOCKED },
+ { NULL, UnSet }
+};
+
+/**
+ * get_encryption_ability_string() - get encryption ability name string.
+ * @ability: encryption ability enum.
+ *
+ * Return: encryption ability string.
+ */
+const char *get_encryption_ability_string(enum encryption_ability ability)
+{
+ return map_num_s(encryption_ability_map, ability);
+}
+
+/**
+ * get_encryption_status_string() - get encryption status name string.
+ * @ability: encryption status enum.
+ *
+ * Return: encryption status string.
+ */
+const char *get_encryption_status_string(enum encryption_status status)
+{
+ return map_num_s(encryption_status_map, status);
+}
+
/**
* get_opal_locking_feature_description() - get opal locking feature description.
* @response: response from Opal Discovery Level 0.
diff --git a/drive_encryption.h b/drive_encryption.h
index 01405e1e..3abcef70 100644
--- a/drive_encryption.h
+++ b/drive_encryption.h
@@ -33,3 +33,5 @@ get_nvme_opal_encryption_informations(int disk_fd, struct encryption_information
mdadm_status_t
get_ata_encryption_information(int disk_fd, struct encryption_information *information,
const int verbose);
+const char *get_encryption_ability_string(enum encryption_ability ability);
+const char *get_encryption_status_string(enum encryption_status status);
diff --git a/mdadm.conf.5.in b/mdadm.conf.5.in
index afb0a296..14302a91 100644
--- a/mdadm.conf.5.in
+++ b/mdadm.conf.5.in
@@ -643,6 +643,9 @@ The
disables encryption verification for devices with particular encryption support detected.
Currently, only verification of SATA OPAL encryption can be disabled.
It does not disable ATA security encryption verification.
+Currently effective only for
+.I IMSM
+metadata.
Available parameter
.I "sata_opal".
diff --git a/super-intel.c b/super-intel.c
index 806b6248..c5eff352 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -27,6 +27,7 @@
#include <scsi/sg.h>
#include <ctype.h>
#include <dirent.h>
+#include "drive_encryption.h"
/* MPB == Metadata Parameter Block */
#define MPB_SIGNATURE "Intel Raid ISM Cfg Sig. "
@@ -2349,12 +2350,41 @@ static int imsm_read_serial(int fd, char *devname, __u8 *serial,
size_t serial_buf_len);
static void fd2devname(int fd, char *name);
-static int ahci_enumerate_ports(const char *hba_path, int port_count, int host_base, int verbose)
+void print_encrytpion_information(int disk_fd, enum sys_dev_type hba_type)
+{
+ struct encryption_information information = {0};
+ mdadm_status_t status = MDADM_STATUS_SUCCESS;
+ const char *indent = " ";
+
+ switch (hba_type) {
+ case SYS_DEV_VMD:
+ case SYS_DEV_NVME:
+ status = get_nvme_opal_encryption_informations(disk_fd, &information, 1);
+ break;
+ case SYS_DEV_SATA:
+ case SYS_DEV_SATA_VMD:
+ status = get_ata_encryption_information(disk_fd, &information, 1);
+ break;
+ default:
+ return;
+ }
+
+ if (status) {
+ pr_err("Failed to get drive encrytpion information.\n");
+ return;
+ }
+
+ printf("%sEncryption(Ability|Status): %s|%s\n", indent,
+ get_encryption_ability_string(information.ability),
+ get_encryption_status_string(information.status));
+}
+
+static int ahci_enumerate_ports(struct sys_dev *hba, int port_count, int host_base, int verbose)
{
/* dump an unsorted list of devices attached to AHCI Intel storage
* controller, as well as non-connected ports
*/
- int hba_len = strlen(hba_path) + 1;
+ int hba_len = strlen(hba->path) + 1;
struct dirent *ent;
DIR *dir;
char *path = NULL;
@@ -2390,7 +2420,7 @@ static int ahci_enumerate_ports(const char *hba_path, int port_count, int host_b
path = devt_to_devpath(makedev(major, minor), 1, NULL);
if (!path)
continue;
- if (!path_attached_to_hba(path, hba_path)) {
+ if (!path_attached_to_hba(path, hba->path)) {
free(path);
path = NULL;
continue;
@@ -2493,6 +2523,8 @@ static int ahci_enumerate_ports(const char *hba_path, int port_count, int host_b
printf(" (%s)\n", buf);
else
printf(" ()\n");
+
+ print_encrytpion_information(fd, hba->type);
close(fd);
}
free(path);
@@ -2557,6 +2589,8 @@ static int print_nvme_info(struct sys_dev *hba)
else
printf("()\n");
+ print_encrytpion_information(fd, hba->type);
+
skip:
close_fd(&fd);
}
@@ -2812,7 +2846,7 @@ static int detail_platform_imsm(int verbose, int enumerate_only, char *controlle
hba->path, get_sys_dev_type(hba->type));
if (hba->type == SYS_DEV_SATA || hba->type == SYS_DEV_SATA_VMD) {
host_base = ahci_get_port_count(hba->path, &port_count);
- if (ahci_enumerate_ports(hba->path, port_count, host_base, verbose)) {
+ if (ahci_enumerate_ports(hba, port_count, host_base, verbose)) {
if (verbose > 0)
pr_err("failed to enumerate ports on %s controller at %s.\n",
get_sys_dev_type(hba->type), hba->pci_id);
--
2.35.3
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 5/5] imsm: drive encryption policy implementation
2024-03-18 16:25 [PATCH 0/5] Disk encryption status handling Blazej Kucman
` (3 preceding siblings ...)
2024-03-18 16:25 ` [PATCH 4/5] imsm: print disk encryption information Blazej Kucman
@ 2024-03-18 16:25 ` Blazej Kucman
4 siblings, 0 replies; 9+ messages in thread
From: Blazej Kucman @ 2024-03-18 16:25 UTC (permalink / raw
To: mariusz.tkaczyk, jes; +Cc: linux-raid
IMSM cares about drive encryption state.
It is not allowed to mix disks with different encryption state
within one md device. This policy will verify that attempt to use disks
with different encryption states will fail.
Verification is performed for devices NVMe/SATA Opal and SATA.
There is one exception, Opal SATA drives encryption is not checked when
ENCRYPTION_NO_VERIFY key with "sata_opal" value is set in conf,
for this reason such drives are treated as with encryption disabled.
Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
---
super-intel.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
diff --git a/super-intel.c b/super-intel.c
index c5eff352..54d2103a 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -11291,6 +11291,78 @@ test_and_add_drive_controller_policy_imsm(const char * const type, dev_policy_t
return MDADM_STATUS_ERROR;
}
+/**
+ * test_and_add_drive_encryption_policy_imsm() - add disk encryption to policies list.
+ * @type: policy type to search in the list.
+ * @pols: list of currently recorded policies.
+ * @disk_fd: file descriptor of the device to check.
+ * @hba: The hba to which the drive is attached, could be NULL if verification is disabled.
+ * @verbose: verbose flag.
+ *
+ * IMSM cares about drive encryption state. It is not allowed to mix disks with different
+ * encryption state within one md device.
+ * If there is no encryption policy on pols we are free to add first one.
+ * If there is a policy then, new must be the same.
+ */
+static mdadm_status_t
+test_and_add_drive_encryption_policy_imsm(const char * const type, dev_policy_t **pols, int disk_fd,
+ struct sys_dev *hba, const int verbose)
+{
+ struct dev_policy *expected_policy = pol_find(*pols, (char *)type);
+ struct encryption_information information = {0};
+ char *encryption_state = "Unknown";
+ int status = MDADM_STATUS_SUCCESS;
+ bool encryption_checked = true;
+ char devname[PATH_MAX];
+
+ if (!hba)
+ goto check_policy;
+
+ switch (hba->type) {
+ case SYS_DEV_NVME:
+ case SYS_DEV_VMD:
+ status = get_nvme_opal_encryption_informations(disk_fd, &information, verbose);
+ break;
+ case SYS_DEV_SATA:
+ case SYS_DEV_SATA_VMD:
+ status = get_ata_encryption_information(disk_fd, &information, verbose);
+ break;
+ default:
+ encryption_checked = false;
+ }
+
+ if (status) {
+ fd2devname(disk_fd, devname);
+ pr_vrb("Failed to read encryption information of device %s\n", devname);
+ return MDADM_STATUS_ERROR;
+ }
+
+ if (encryption_checked) {
+ if (information.status == ENS_LOCKED) {
+ fd2devname(disk_fd, devname);
+ pr_vrb("Device %s is in Locked state, cannot use. Aborting.\n", devname);
+ return MDADM_STATUS_ERROR;
+ }
+ encryption_state = (char *)get_encryption_status_string(information.status);
+ }
+
+check_policy:
+ if (expected_policy) {
+ if (strcmp(expected_policy->value, encryption_state) == 0)
+ return MDADM_STATUS_SUCCESS;
+
+ fd2devname(disk_fd, devname);
+ pr_vrb("Encryption status \"%s\" detected for disk %s, but \"%s\" status was detected eariler.\n",
+ encryption_state, devname, expected_policy->value);
+ pr_vrb("Disks with different encryption status cannot be used.\n");
+ return MDADM_STATUS_ERROR;
+ }
+
+ pol_add(pols, (char *)type, encryption_state, "imsm");
+
+ return MDADM_STATUS_SUCCESS;
+}
+
struct imsm_drive_policy {
char *type;
mdadm_status_t (*test_and_add_drive_policy)(const char * const type,
@@ -11300,6 +11372,7 @@ struct imsm_drive_policy {
struct imsm_drive_policy imsm_policies[] = {
{"controller", test_and_add_drive_controller_policy_imsm},
+ {"encryption", test_and_add_drive_encryption_policy_imsm}
};
mdadm_status_t test_and_add_drive_policies_imsm(struct dev_policy **pols, int disk_fd,
--
2.35.3
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 1/5] Add reading Opal NVMe encryption information
2024-03-18 16:25 ` [PATCH 1/5] Add reading Opal NVMe encryption information Blazej Kucman
@ 2024-03-18 17:56 ` Paul Menzel
2024-03-22 11:55 ` Blazej Kucman
0 siblings, 1 reply; 9+ messages in thread
From: Paul Menzel @ 2024-03-18 17:56 UTC (permalink / raw
To: Blazej Kucman; +Cc: mariusz.tkaczyk, jes, linux-raid
Dear Blazej,
Am 18.03.24 um 17:25 schrieb Blazej Kucman:
> For NVMe devices with Opal support, encryption information, status and
> ability are completed based on Opal Level 0 discovery response.
What do you mean by “are completed”?
> Technical documentation used is given in the implementation.
>
> Ability in general describes what type of encryption is supported,
> Status describes in what state the disk with encryption support is.
> The current patch only includes only the implementation of reading
One *only* is enough?
> encryption information, functions will be used in one of
> the next patches.
>
> Motivation for adding this functionality is to block mixing of disks
> in IMSM arrays with encryption enabled and disabled.
> The main goal is to not allow stealing data by rebuilding array to not
> encrypted drive which can be read elsewhere.
I wouldn’t wrap the line, just because a sentence ends.
> Value ENA_OTHER from enum encryption_ability will be used
> in the next patch.
>
> Additionally, pr_vrb define is moved from super-intel.c to mdadm.h
> so that it can be used globally.
Using “Additionally” in a commit message is a good indicator to make it
a separate commit. ;-)
> Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
> ---
> Makefile | 4 +-
> drive_encryption.c | 362 +++++++++++++++++++++++++++++++++++++++++++++
> drive_encryption.h | 32 ++++
> mdadm.h | 2 +
> super-intel.c | 2 -
> 5 files changed, 398 insertions(+), 4 deletions(-)
> create mode 100644 drive_encryption.c
> create mode 100644 drive_encryption.h
>
> diff --git a/Makefile b/Makefile
> index cbdba49a..7c221a89 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -170,7 +170,7 @@ OBJS = mdadm.o config.o policy.o mdstat.o ReadMe.o uuid.o util.o maps.o lib.o u
> mdopen.o super0.o super1.o super-ddf.o super-intel.o bitmap.o \
> super-mbr.o super-gpt.o \
> restripe.o sysfs.o sha1.o mapfile.o crc32.o sg_io.o msg.o xmalloc.o \
> - platform-intel.o probe_roms.o crc32c.o
> + platform-intel.o probe_roms.o crc32c.o drive_encryption.o
>
> CHECK_OBJS = restripe.o uuid.o sysfs.o maps.o lib.o xmalloc.o dlink.o
>
> @@ -183,7 +183,7 @@ MON_OBJS = mdmon.o monitor.o managemon.o uuid.o util.o maps.o mdstat.o sysfs.o c
> Kill.o sg_io.o dlink.o ReadMe.o super-intel.o \
> super-mbr.o super-gpt.o \
> super-ddf.o sha1.o crc32.o msg.o bitmap.o xmalloc.o \
> - platform-intel.o probe_roms.o crc32c.o
> + platform-intel.o probe_roms.o crc32c.o drive_encryption.o
>
> MON_SRCS = $(patsubst %.o,%.c,$(MON_OBJS))
>
> diff --git a/drive_encryption.c b/drive_encryption.c
> new file mode 100644
> index 00000000..0fa214a9
> --- /dev/null
> +++ b/drive_encryption.c
> @@ -0,0 +1,362 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * Read encryption information for Opal and ATA devices.
> + *
> + * Copyright (C) 2024 Intel Corporation
> + * Author: Blazej Kucman <blazej.kucman@intel.com>
> + */
> +
> +#include "mdadm.h"
> +
> +#include <asm/types.h>
> +#include <linux/nvme_ioctl.h>
> +#include "drive_encryption.h"
> +
> +/*
> + * Opal defines
> + * TCG Storage Opal SSC 2.01 chapter 3.3.3
> + * NVM ExpressTM Revision 1.4c, chapter 5
> + */
> +#define TCG_SECP_01 (0x01)
> +#define TCG_SECP_00 (0x00)
> +#define OPAL_DISCOVERY_COMID (0x0001)
> +#define OPAL_LOCKING_FEATURE (0x0002)
> +#define OPAL_IO_BUFFER_LEN 2048
> +#define OPAL_DISCOVERY_FEATURE_HEADER_LEN (4)
> +
> +/*
> + * NVMe defines
> + * NVM ExpressTM Revision 1.4c, chapter 5
> + */
> +#define NVME_SECURITY_RECV (0x82)
> +#define NVME_IDENTIFY (0x06)
> +#define NVME_IDENTIFY_RESPONSE_LEN 4096
> +#define NVME_OACS_BYTE_POSITION (256)
> +#define NVME_IDENTIFY_CONTROLLER_DATA (1)
> +
> +typedef enum drive_feature_support_status {
> + /* Drive feature is supported. */
> + DRIVE_FEAT_SUP_ST = 0,
> + /* Drive feature is not supported. */
> + DRIVE_FEAT_NOT_SUP_ST,
> + /* Drive feature support check failed. */
> + DRIVE_FEAT_CHECK_FAILED_ST
> +} drive_feat_sup_st;
> +
> +/* TCG Storage Opal SSC 2.01 chapter 3.1.1.3 */
> +typedef struct opal_locking_feature {
> + /* feature header */
> + __u16 feature_code;
> + __u8 reserved : 4;
> + __u8 version : 4;
> + __u8 description_length;
> + /* feature description */
> + __u8 locking_supported : 1;
> + __u8 locking_enabled : 1;
> + __u8 locked : 1;
> + __u8 media_encryption : 1;
> + __u8 mbr_enabled : 1;
> + __u8 mbr_done : 1;
> + __u8 mbr_shadowing_not_supported : 1;
> + __u8 hw_reset_for_dor_supported : 1;
> + __u8 reserved1[11];
> +} __attribute__((__packed__)) opal_locking_feature_t;
> +
> +/* TCG Storage Opal SSC 2.01 chapter 3.1.1.1 */
> +typedef struct opal_level0_header {
> + __u32 length;
> + __u32 version;
> + __u64 reserved;
> + __u8 vendor_specific[32];
> +} opal_level0_header_t;
> +
> +/**
> + * NVM ExpressTM Revision 1.4c, Figure 249
> + * Structure specifies only OACS filed, which is needed in the current use case.
> + */
> +typedef struct nvme_identify_ctrl {
> + __u8 reserved[255];
> + __u16 oacs;
> + __u8 reserved2[3839];
> +} nvme_identify_ctrl_t;
> +
> +/* SCSI Primary Commands - 4 (SPC-4), Table 512 */
> +typedef struct supported_security_protocols {
> + __u8 reserved[6];
> + __u16 list_length;
> + __u8 list[504];
> +} supported_security_protocols_t;
> +
> +/**
> + * get_opal_locking_feature_description() - get opal locking feature description.
> + * @response: response from Opal Discovery Level 0.
> + *
> + * Based on the documentation TCG Storage Opal SSC 2.01 chapter 3.1.1,
> + * a Locking feature is searched for in Opal Level 0 Discovery response.
> + *
> + * Return: if locking feature found pointer to struct %opal_locking_feature_t, NULL otherwise.
is found?
> + */
> +static opal_locking_feature_t *get_opal_locking_feature_description(__u8 *response)
> +{
> + opal_level0_header_t *response_header = (opal_level0_header_t *)response;
> + int features_length = __be32_to_cpu(response_header->length);
> + int current_position = sizeof(*response_header);
> +
> + while (current_position < features_length) {
> + opal_locking_feature_t *feature;
> +
> + feature = (opal_locking_feature_t *)(response + current_position);
> +
> + if (__be16_to_cpu(feature->feature_code) == OPAL_LOCKING_FEATURE)
> + return feature;
> +
> + current_position += feature->description_length + OPAL_DISCOVERY_FEATURE_HEADER_LEN;
> + }
> +
> + return NULL;
> +}
> +
> +/**
> + * nvme_security_recv_ioctl() - nvme security receive ioctl.
> + * @disk_fd: a disk file descriptor.
> + * @sec_protocol: security protocol.
> + * @comm_id: command id.
> + * @response_buffer: response buffer to fill out.
> + * @buf_size: response buffer size.
> + * @verbose: verbose flag.
> + *
> + * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and
> + * NVM ExpressTM Revision 1.4c, chapter 5.25,
> + * read security receive command via ioctl().
> + * On success, @response_buffer is completed.
> + *
> + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
> + */
> +static mdadm_status_t
> +nvme_security_recv_ioctl(int disk_fd, __u8 sec_protocol, __u16 comm_id, void *response_buffer,
> + size_t buf_size, const int verbose)
> +{
> + struct nvme_admin_cmd nvme_cmd = {0};
> + int status;
> +
> + nvme_cmd.opcode = NVME_SECURITY_RECV;
> + nvme_cmd.cdw10 = sec_protocol << 24 | comm_id << 8;
> + nvme_cmd.cdw11 = buf_size;
> + nvme_cmd.data_len = buf_size;
> + nvme_cmd.addr = (__u64)response_buffer;
> +
> + status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd);
> + if (status != 0) {
> + pr_vrb("Failed to read NVMe security receive ioctl() for device /dev/%s, status: %d\n",
> + fd2kname(disk_fd), status);
> + return MDADM_STATUS_ERROR;
> + }
> +
> + return MDADM_STATUS_SUCCESS;
> +}
> +
> +/**
> + * nvme_identify_ioctl() - NVMe identify ioctl.
> + * @disk_fd: a disk file descriptor.
> + * @response_buffer: response buffer to fill out.
> + * @buf_size: response buffer size.
> + * @verbose: verbose flag.
> + *
> + * Based on the documentations TCG Storage Opal SSC 2.01 chapter 3.3.3 and
> + * NVM ExpressTM Revision 1.4c, chapter 5.25,
> + * read NVMe identify via ioctl().
> + * On success, @response_buffer will be completed.
> + *
> + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
> + */
> +static mdadm_status_t
> +nvme_identify_ioctl(int disk_fd, void *response_buffer, size_t buf_size, const int verbose)
> +{
> + struct nvme_admin_cmd nvme_cmd = {0};
> + int status;
> +
> + nvme_cmd.opcode = NVME_IDENTIFY;
> + nvme_cmd.cdw10 = NVME_IDENTIFY_CONTROLLER_DATA;
> + nvme_cmd.data_len = buf_size;
> + nvme_cmd.addr = (__u64)response_buffer;
> +
> + status = ioctl(disk_fd, NVME_IOCTL_ADMIN_CMD, &nvme_cmd);
> + if (status != 0) {
> + pr_vrb("Failed to read NVMe identify ioctl() for device /dev/%s, status: %d\n",
> + fd2kname(disk_fd), status);
> + return MDADM_STATUS_ERROR;
> + }
> +
> + return MDADM_STATUS_SUCCESS;
> +}
> +
> +/**
> + * is_sec_prot_01h_supported() - check if security protocol 01h supported.
> + * @security_protocols: struct with response from disk (NVMe, SATA) describing supported
> + * security protocols.
> + *
> + * Return: true if TCG_SECP_01 found, false otherwise.
> + */
> +static bool is_sec_prot_01h_supported(supported_security_protocols_t *security_protocols)
> +{
> + int list_length = be16toh(security_protocols->list_length);
> + int index;
> +
> + for (index = 0 ; index < list_length; index++) {
> + if (security_protocols->list[index] == TCG_SECP_01)
> + return true;
> + }
> +
> + return false;
> +}
> +
> +/**
> + * is_sec_prot_01h_supported_nvme() - check if security protocol 01h supported for given NVMe disk.
> + * @disk_fd: a disk file descriptor.
> + * @verbose: verbose flag.
> + *
> + * Return: %DRIVE_FEAT_SUP_ST if TCG_SECP_01 supported, %DRIVE_FEAT_NOT_SUP_ST if not supported,
> + * %DRIVE_FEAT_CHECK_FAILED_ST if failed to check.
> + */
> +static drive_feat_sup_st is_sec_prot_01h_supported_nvme(int disk_fd, const int verbose)
> +{
> + supported_security_protocols_t security_protocols = {0};
> +
> + /* security_protocol: TCG_SECP_00, comm_id: not applicable */
> + if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_00, 0x0, &security_protocols,
> + sizeof(security_protocols), verbose))
> + return DRIVE_FEAT_CHECK_FAILED_ST;
> +
> + if (is_sec_prot_01h_supported(&security_protocols))
> + return DRIVE_FEAT_SUP_ST;
> +
> + return DRIVE_FEAT_NOT_SUP_ST;
> +}
> +
> +/**
> + * is_nvme_sec_send_recv_supported() - check if Security Send and Security Receive is supported.
> + * @disk_fd: a disk file descriptor.
> + * @verbose: verbose flag.
> + *
> + * Check if "Optional Admin Command Support" bit 0 is set in NVMe identify.
> + * Bit 0 set to 1 means controller supports the Security Send and Security Receive commands.
> + *
> + * Return: %DRIVE_FEAT_SUP_ST if security send/receive supported,
> + * %DRIVE_FEAT_NOT_SUP_ST if not supported, %DRIVE_FEAT_CHECK_FAILED_ST if check failed.
> + */
> +static drive_feat_sup_st is_nvme_sec_send_recv_supported(int disk_fd, const int verbose)
> +{
> + nvme_identify_ctrl_t nvme_identify = {0};
> + int status = 0;
> +
> + status = nvme_identify_ioctl(disk_fd, &nvme_identify, sizeof(nvme_identify), verbose);
> + if (status)
> + return DRIVE_FEAT_CHECK_FAILED_ST;
> +
> + if ((__le16_to_cpu(nvme_identify.oacs) & 0x1) == 0x1)
> + return DRIVE_FEAT_SUP_ST;
> +
> + return DRIVE_FEAT_NOT_SUP_ST;
> +}
> +
> +/**
> + * get_opal_encryption_locking_informations() - get Opal Locking information.
There is no plural for *information*.
> + * @buffer: buffer with Opal Level 0 Discovery response.
> + * @information: struct to fill out, describing encryption status of disk.
> + *
> + * If Locking feature frame is in response from Opal Level 0 discovery, &encryption_information_t
> + * structure is completed with status and ability otherwise the status is set to &None.
> + * For possible encryption statuses and abilities,
> + * please refer to enums &encryption_status and &encryption_ability.
> + *
> + * Return: %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
> + */
> +static mdadm_status_t get_opal_encryption_informations(__u8 *buffer,
> + encryption_information_t *information)
> +{
> + opal_locking_feature_t *opal_locking_feature =
> + get_opal_locking_feature_description(buffer);
> +
> + if (!opal_locking_feature)
> + return MDADM_STATUS_ERROR;
> +
> + if (opal_locking_feature->locking_supported == 1) {
> + information->ability = ENA_SED;
> +
> + if (opal_locking_feature->locking_enabled == 0)
> + information->status = ENS_UNENCRYPTED;
> + else if (opal_locking_feature->locked == 1)
> + information->status = ENS_LOCKED;
> + else
> + information->status = ENS_UNLOCKED;
> + } else {
> + information->ability = ENA_NONE;
> + information->status = ENS_UNENCRYPTED;
> + }
> +
> + return MDADM_STATUS_SUCCESS;
> +}
> +
> +/**
> + * get_nvme_opal_encryption_informations() - get NVMe Opal encryption information.
> + * @disk_fd: a disk file descriptor.
> + * @information: struct to fill out, describing encryption status of disk.
> + * @verbose: verbose flag.
> + *
> + * In case the disk supports Opal Level 0 discovery, &encryption_information_t structure
> + * is completed with status and ability based on ioctl response,
> + * otherwise the ability is set to %ENA_NONE and &status to %ENS_UNENCRYPTED.
> + * As the current use case does not need the knowledge of Opal support, if there is no support,
> + * %MDADM_STATUS_SUCCESS will be returned, with the values described above.
> + * For possible encryption statuses and abilities,
> + * please refer to enums &encryption_status and &encryption_ability.
> + *
> + * %MDADM_STATUS_SUCCESS on success, %MDADM_STATUS_ERROR otherwise.
> + */
> +mdadm_status_t
> +get_nvme_opal_encryption_informations(int disk_fd, encryption_information_t *information,
> + const int verbose)
> +{
> + __u8 buffer[OPAL_IO_BUFFER_LEN];
> + int sec_send_recv_supported = 0;
> + int protocol_01h_supported = 0;
> + mdadm_status_t status;
> +
> + information->ability = ENA_NONE;
> + information->status = ENS_UNENCRYPTED;
> +
> + sec_send_recv_supported = is_nvme_sec_send_recv_supported(disk_fd, verbose);
> + if (sec_send_recv_supported == DRIVE_FEAT_CHECK_FAILED_ST)
> + return MDADM_STATUS_ERROR;
> +
> + /* Opal not supported */
> + if (sec_send_recv_supported == DRIVE_FEAT_NOT_SUP_ST)
> + return MDADM_STATUS_SUCCESS;
> +
> + /**
> + * sec_send_recv_supported determine that it should be possible to read
> + * supported sec protocols
> + */
> + protocol_01h_supported = is_sec_prot_01h_supported_nvme(disk_fd, verbose);
> + if (protocol_01h_supported == DRIVE_FEAT_CHECK_FAILED_ST)
> + return MDADM_STATUS_ERROR;
> +
> + /* Opal not supported */
> + if (sec_send_recv_supported == DRIVE_FEAT_SUP_ST &&
> + protocol_01h_supported == DRIVE_FEAT_NOT_SUP_ST)
> + return MDADM_STATUS_SUCCESS;
> +
> + if (nvme_security_recv_ioctl(disk_fd, TCG_SECP_01, OPAL_DISCOVERY_COMID, (void *)&buffer,
> + OPAL_IO_BUFFER_LEN, verbose))
> + return MDADM_STATUS_ERROR;
> +
> + status = get_opal_encryption_informations((__u8 *)&buffer, information);
> + if (status)
> + pr_vrb("Locking feature description not found in Level 0 discovery response. Device /dev/%s.\n",
> + fd2kname(disk_fd));
> +
> + if (information->ability == ENA_NONE)
> + assert(information->status == ENS_UNENCRYPTED);
> +
> + return status;
> +}
> diff --git a/drive_encryption.h b/drive_encryption.h
> new file mode 100644
> index 00000000..27f1de55
> --- /dev/null
> +++ b/drive_encryption.h
> @@ -0,0 +1,32 @@
> +/* SPDX-License-Identifier: GPL-2.0-only */
> +/*
> + * Read encryption information for Opal and ATA devices.
> + *
> + * Copyright (C) 2024 Intel Corporation
> + * Author: Blazej Kucman <blazej.kucman@intel.com>
> + */
> +
> +typedef enum encryption_status {
> + /* The drive is not currently encrypted. */
> + ENS_UNENCRYPTED = 0,
I’d user longer names like `ENC_STATUS_`.
> + /* The drive is encrypted and the data is not accessible. */
> + ENS_LOCKED,
> + /* The drive is encrypted but the data is accessible in unencrypted form. */
> + ENS_UNLOCKED
> +} encryption_status_t;
> +
> +typedef enum encryption_ability {
> + ENA_NONE = 0,
> + ENA_OTHER,
> + /* Self encrypted drive */
> + ENA_SED
> +} encryption_ability_t;
> +
> +typedef struct encryption_information {
> + encryption_ability_t ability;
> + encryption_status_t status;
> +} encryption_information_t;
> +
> +mdadm_status_t
> +get_nvme_opal_encryption_informations(int disk_fd, struct encryption_information *information,
> + const int verbose);
> diff --git a/mdadm.h b/mdadm.h
> index 3fedca48..141adbd7 100644
> --- a/mdadm.h
> +++ b/mdadm.h
> @@ -1912,6 +1912,8 @@ static inline int xasprintf(char **strp, const char *fmt, ...) {
>
> #define pr_info(fmt, args...) printf("%s: "fmt, Name, ##args)
>
> +#define pr_vrb(fmt, arg...) ((void)(verbose && pr_err(fmt, ##arg)))
> +
> void *xmalloc(size_t len);
> void *xrealloc(void *ptr, size_t len);
> void *xcalloc(size_t num, size_t size);
> diff --git a/super-intel.c b/super-intel.c
> index 77140455..806b6248 100644
> --- a/super-intel.c
> +++ b/super-intel.c
> @@ -393,8 +393,6 @@ struct md_list {
> struct md_list *next;
> };
>
> -#define pr_vrb(fmt, arg...) (void) (verbose && pr_err(fmt, ##arg))
> -
> static __u8 migr_type(struct imsm_dev *dev)
> {
> if (dev->vol.migr_type == MIGR_VERIFY &&
Kind regards,
Paul
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 3/5] Add key ENCRYPTION_NO_VERIFY to conf
2024-03-18 16:25 ` [PATCH 3/5] Add key ENCRYPTION_NO_VERIFY to conf Blazej Kucman
@ 2024-03-18 18:00 ` Paul Menzel
0 siblings, 0 replies; 9+ messages in thread
From: Paul Menzel @ 2024-03-18 18:00 UTC (permalink / raw
To: Blazej Kucman; +Cc: mariusz.tkaczyk, jes, linux-raid
Dear Blazej,
Thank you for your patch.
Am 18.03.24 um 17:25 schrieb Blazej Kucman:
> Add ENCRYPTION_NO_VERIFY config key and allow to disable
> checking encryption status for given type of drives.
>
> The key is introduced because of SATA Opal disks for which
> TPM commands must be enabled in libata kernel module,
> (libata.allow_tpm=1), otherwise it is impossible to verify
> encryption status. TPM commands are disabled by default.
>
> Currently the key only supports the "sata_opal" value,
> if necessary, the functionality is ready to support more types of disks.
Please use 75 characters per line consistently.
Maybe document how to test this feature, preferebly with QEMU.
> Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
> ---
> config.c | 25 ++++++++++++++++++++++++-
> drive_encryption.c | 16 ++++++++++++----
> mdadm.conf.5.in | 13 +++++++++++++
> mdadm.h | 1 +
> 4 files changed, 50 insertions(+), 5 deletions(-)
>
> diff --git a/config.c b/config.c
> index 44f7dd2f..b46d71cb 100644
> --- a/config.c
> +++ b/config.c
> @@ -81,7 +81,7 @@ char DefaultAltConfDir[] = CONFFILE2 ".d";
>
> enum linetype { Devices, Array, Mailaddr, Mailfrom, Program, CreateDev,
> Homehost, HomeCluster, AutoMode, Policy, PartPolicy, Sysfs,
> - MonitorDelay, LTEnd };
> + MonitorDelay, EncryptionNoVerify, LTEnd };
> char *keywords[] = {
> [Devices] = "devices",
> [Array] = "array",
> @@ -96,6 +96,7 @@ char *keywords[] = {
> [PartPolicy]="part-policy",
> [Sysfs] = "sysfs",
> [MonitorDelay] = "monitordelay",
> + [EncryptionNoVerify] = "ENCRYPTION_NO_VERIFY",
> [LTEnd] = NULL
> };
>
> @@ -729,6 +730,19 @@ void monitordelayline(char *line)
> }
> }
>
> +static bool sata_opal_encryption_no_verify;
> +void encryption_no_verify_line(char *line)
> +{
> + char *word;
> +
> + for (word = dl_next(line); word != line; word = dl_next(word)) {
> + if (strcasecmp(word, "sata_opal") == 0)
> + sata_opal_encryption_no_verify = true;
> + else
> + pr_err("unrecognised word on ENCRYPTION_NO_VERIFY line: %s\n", word);
> + }
> +}
> +
> char auto_yes[] = "yes";
> char auto_no[] = "no";
> char auto_homehost[] = "homehost";
> @@ -913,6 +927,9 @@ void conf_file(FILE *f)
> case MonitorDelay:
> monitordelayline(line);
> break;
> + case EncryptionNoVerify:
> + encryption_no_verify_line(line);
> + break;
> default:
> pr_err("Unknown keyword %s\n", line);
> }
> @@ -1075,6 +1092,12 @@ int conf_get_monitor_delay(void)
> return monitor_delay;
> }
>
> +bool conf_get_sata_opal_encryption_no_verify(void)
> +{
> + load_conffile();
> + return sata_opal_encryption_no_verify;
> +}
> +
> struct createinfo *conf_get_create_info(void)
> {
> load_conffile();
> diff --git a/drive_encryption.c b/drive_encryption.c
> index 8421e374..5b9cdc00 100644
> --- a/drive_encryption.c
> +++ b/drive_encryption.c
> @@ -656,10 +656,18 @@ get_ata_encryption_information(int disk_fd, struct encryption_information *infor
> if (status == MDADM_STATUS_ERROR)
> return MDADM_STATUS_ERROR;
>
> - if (is_ata_trusted_computing_supported(buffer_identify) &&
> - !sysfs_is_libata_allow_tpm_enabled(verbose)) {
> - pr_vrb("For SATA with Trusted Computing support, required libata.tpm_enabled=1.\n");
> - return MDADM_STATUS_ERROR;
> + /* Possible OPAL support, further checks require tpm_enabled.*/
> + if (is_ata_trusted_computing_supported(buffer_identify)) {
> + /* OPAL SATA encryption checking disabled. */
> + if (conf_get_sata_opal_encryption_no_verify())
> + return MDADM_STATUS_SUCCESS;
> +
> + if (!sysfs_is_libata_allow_tpm_enabled(verbose)) {
> + pr_vrb("Detected SATA drive /dev/%s with Trusted Computing support.\n",
> + fd2kname(disk_fd));
> + pr_vrb("Cannot verify encryption state. Required libata.tpm_enabled=1.\n");
Require*s*?
> + return MDADM_STATUS_ERROR;
> + }
> }
>
> ata_opal_status = is_ata_opal(disk_fd, buffer_identify, verbose);
> diff --git a/mdadm.conf.5.in b/mdadm.conf.5.in
> index 787e51e9..afb0a296 100644
> --- a/mdadm.conf.5.in
> +++ b/mdadm.conf.5.in
> @@ -636,6 +636,17 @@ If multiple
> .B MINITORDELAY
> lines are provided, only first non-zero value is considered.
>
> +.TP
> +.B ENCRYPTION_NO_VERIFY
> +The
> +.B ENCRYPTION_NO_VERIFY
> +disables encryption verification for devices with particular encryption support detected.
> +Currently, only verification of SATA OPAL encryption can be disabled.
> +It does not disable ATA security encryption verification.
> +Available parameter
> +.I "sata_opal".
> +
> +
> .SH FILES
>
> .SS {CONFFILE}
> @@ -744,6 +755,8 @@ SYSFS uuid=bead5eb6:31c17a27:da120ba2:7dfda40d group_thread_cnt=4
> sync_speed_max=1000000
> .br
> MONITORDELAY 60
> +.br
> +ENCRYPTION_NO_VERIFY sata_opal
>
> .SH SEE ALSO
> .BR mdadm (8),
> diff --git a/mdadm.h b/mdadm.h
> index f64bb783..9d98693b 100644
> --- a/mdadm.h
> +++ b/mdadm.h
> @@ -1673,6 +1673,7 @@ extern char *conf_get_program(void);
> extern char *conf_get_homehost(int *require_homehostp);
> extern char *conf_get_homecluster(void);
> extern int conf_get_monitor_delay(void);
> +extern bool conf_get_sata_opal_encryption_no_verify(void);
> extern char *conf_line(FILE *file);
> extern char *conf_word(FILE *file, int allow_key);
> extern void print_quoted(char *str);
The diff looks good.
Kind regards,
Paul
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/5] Add reading Opal NVMe encryption information
2024-03-18 17:56 ` Paul Menzel
@ 2024-03-22 11:55 ` Blazej Kucman
0 siblings, 0 replies; 9+ messages in thread
From: Blazej Kucman @ 2024-03-22 11:55 UTC (permalink / raw
To: Paul Menzel; +Cc: Blazej Kucman, mariusz.tkaczyk, jes, linux-raid
Hi Paul,
thanks for your review, I sent the corrections in V2.
On Mon, 18 Mar 2024 18:56:42 +0100
Paul Menzel <pmenzel@molgen.mpg.de> wrote:
> Dear Blazej,
>
>
> Am 18.03.24 um 17:25 schrieb Blazej Kucman:
> > For NVMe devices with Opal support, encryption information, status
> > and ability are completed based on Opal Level 0 discovery response.
> >
>
> What do you mean by “are completed”?
>
indeed, this word may not be precise, I meant "determined", I changed
it in V2.
and as for this comment
> Maybe document how to test this feature, preferebly with QEMU.
I added to patch "imsm: print disk encryption information",
example outputs for the new feature usage, for various cases, especially
SATA, it shows how it can be tested.
Thansk,
Blazej
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2024-03-22 11:55 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-18 16:25 [PATCH 0/5] Disk encryption status handling Blazej Kucman
2024-03-18 16:25 ` [PATCH 1/5] Add reading Opal NVMe encryption information Blazej Kucman
2024-03-18 17:56 ` Paul Menzel
2024-03-22 11:55 ` Blazej Kucman
2024-03-18 16:25 ` [PATCH 2/5] Add reading SATA " Blazej Kucman
2024-03-18 16:25 ` [PATCH 3/5] Add key ENCRYPTION_NO_VERIFY to conf Blazej Kucman
2024-03-18 18:00 ` Paul Menzel
2024-03-18 16:25 ` [PATCH 4/5] imsm: print disk encryption information Blazej Kucman
2024-03-18 16:25 ` [PATCH 5/5] imsm: drive encryption policy implementation Blazej Kucman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).