Add theory of operation for the security support that's going into
Signed-off-by: Dave Jiang <dave.jiang(a)intel.com>
Documentation/nvdimm/security.txt | 82 +++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
create mode 100644 Documentation/nvdimm/security.txt
diff --git a/Documentation/nvdimm/security.txt b/Documentation/nvdimm/security.txt
new file mode 100644
@@ -0,0 +1,82 @@
+With the introduction of Intel DSM v1.7 specification , security DSMs are
+introduced. The spec added the following security DSMs: "get security state",
+"set passphrase", "disable passphrase", "unlock unit",
+"secure erase", and "overwrite". A security_ops data structure has
+added to struct dimm in order to support the security operations and generic
+APIs are exposed to allow vendor neutral operations.
+2. Sysfs Interface
+The "security" sysfs attribute is provided in the nvdimm sysfs directory. For
+The "show" function of that attribute will display the security state for
+that DIMM. The following states are available: disabled, unlocked, locked,
+frozen, and unsupported.
+The "store" function takes several commands when the attribute is written to
+in order to support some of the security functionalities:
+update - enable security. Add or update current key.
+disable - disable enabled security and remove key.
+freeze - freeze changing of security states.
+erase - generate new ecryption key for DIMM and crypto-scrambles all existing
+ user data.
+3. Key Management
+The key is associted to the payload by the DIMM id. For example:
+# cat /sys/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0012:00/ndbus0/nmem0/nfit/id
+The DIMM id would be provided along with the key payload (passphrase) to
+The security keys are managed on the basis of a single key per DIMM. The
+key "passphrase" is expected to be 32bytes long or padded to 32bytes. This is
+similar to the ATA security specification . A key is initially acquired
+via the request_key() kernel API call and retrieved from userspace. It is up to
+the user to provide an upcall application to retrieve the key in whatever
+fashion meets their security requirements.
+The payload provided to the key can be a 32bytes payload or 64bytes payload
+when doing an "update". The payload is viewed as 64 bytes in the following
+[32 bytes new key data zero padded][32 bytes current key data zero padded]
+However, a 32bytes payload can be provided and will be assumed as the old
+key to be 32 bytes of 0s and the provided 32bytes payload is the new key.
+It is up to the user upcall function how that's presented as the key payload
+to the kernel.
+All the other security functions that require a provided key can accept a
+32bytes payload or 64bytes. If the payload is 64bytes, then second 32bytes
+will be ignored and the first 32bytes contains the expected "passphrase".
+When the DIMMs are being enumerated by the kernel, the kernel will attempt to
+retrieve the key from its keyring. If that fails, it will attempt to
+acquire the key from the userspace upcall function. This is the only time
+a locked DIMM can be unlocked. Once unlocked, the DIMM will remain unlocked
+When doing an update, it is expected that the new key with the 64bit payload of
+format described above is added via the keyutils API or utility. The update
+command written to the sysfs attribute will be with the format:
+update:<old id>:<new id>
+If there is no old ID due to a security enabling, then a 0 should be passed in.
+It is expected that a user logon key has been injected via keyutils to provide
+the payload for the update operation. The kernel will take the new user key,
+attempt the update operation with the nvdimm, and replace the existing key's
+payload with the new passphrase.