[PATCH v1 0/7] SED OPAL Library

Scott Bauer scott.bauer at intel.com
Wed Nov 16 15:17:25 PST 2016

Changes from V0->V1:
1) Split the Nvme patche into two different patches (SEC_OPS and unlock)
2) Created work queues to send commands to the controllers:
  2a) Allows us to use correct blk API (blk_execute_rq_nowait)
  2b) Commands are no longer being sent in an IRQ but in the system_wq
3) Clean up left-over crud in nvme: pci.c and core.c
4) Implement fixes suggested by Jonathan Derrick
5) Actually allow a user to enable the Global Locking Range

This Patch series implements a large portion of the Opal protocol for
self encrypting devices. The driver has the capability of storing a
locking range's password, either directly in the driver, or in the
Kernel's key managment. The password can then be replayed during a
resume from previous suspend-to-RAM.

The driver also supports logic to bring the device out of a factory
default-inactive state into a functional Opal state.

The following logic is supported in order to bring the tper into a
working state:

1) Taking Ownership of the drive (Setting the Admin CPIN).
2) Activating the Locking SP (In Single User Mode or Normal Mode).
3) Setting up Locking Ranges (Single User or Normal Mode).
4) Adding users to Locking Ranges (Normal Mode Only).
5) Locking or Unlocking Locking Rangs (Single User Mode or Normal Mode).
6) Reverting the TPer (Restore to factory default).
7) Setting LR/User passwords (Single User Mode or Normal Mode).
8) Eabling/disabling Shadow MBR.
9) Enabling Users in the LockingSP (Normal Mode Only).
10) Saving Password for resume from suspend.

Each command above is exported through an ioctl in the block layer.

We have userland tooling staged in nvme-cli which can be used for

Once we've fixed any nits and issues we will merge the userland tooling
into the master branch of nvme-cli.

I have a series of test scripts I've been using which can be helpful if
people want to test or immediately start using and testing the code:


Scott Bauer (7):
  Include: Add definitions for sed
  lib: Add Sed-opal library
  lib: Add Sed to Kconfig and Makefile
  include: Add sec_ops to block device operations
  nvme: Implement SED Security Operations
  nvme: Implement SED Unlock from suspend
  block: ioctl: Wire up Sed to block ioctls

 block/compat_ioctl.c          |   14 +
 block/ioctl.c                 |  200 ++-
 drivers/nvme/host/core.c      |  118 ++
 drivers/nvme/host/nvme.h      |    4 +-
 drivers/nvme/host/pci.c       |    7 +-
 include/linux/blkdev.h        |    1 +
 include/linux/sed-opal.h      |   58 +
 include/linux/sed.h           |   91 ++
 include/uapi/linux/sed-opal.h |  118 ++
 include/uapi/linux/sed.h      |   55 +
 lib/Kconfig                   |   12 +
 lib/Makefile                  |    7 +
 lib/sed-opal.c                | 3338 +++++++++++++++++++++++++++++++++++++++++
 lib/sed-opal_internal.h       |  587 ++++++++
 lib/sed-opal_key.c            |   46 +
 lib/sed.c                     |  250 +++
 16 files changed, 4903 insertions(+), 3 deletions(-)
 create mode 100644 include/linux/sed-opal.h
 create mode 100644 include/linux/sed.h
 create mode 100644 include/uapi/linux/sed-opal.h
 create mode 100644 include/uapi/linux/sed.h
 create mode 100644 lib/sed-opal.c
 create mode 100644 lib/sed-opal_internal.h
 create mode 100644 lib/sed-opal_key.c
 create mode 100644 lib/sed.c

More information about the Linux-nvme mailing list