mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-30 08:02:30 +00:00
b3ed2ce024
Add command definition for security commands defined in Intel DSM specification v1.8 [1]. This includes "get security state", "set passphrase", "unlock unit", "freeze lock", "secure erase", "overwrite", "overwrite query", "master passphrase enable/disable", and "master erase", . Since this adds several Intel definitions, move the relevant bits to their own header. These commands mutate physical data, but that manipulation is not cache coherent. The requirement to flush and invalidate caches makes these commands unsuitable to be called from userspace, so extra logic is added to detect and block these commands from being submitted via the ioctl command submission path. Lastly, the commands may contain sensitive key material that should not be dumped in a standard debug session. Update the nvdimm-command payload-dump facility to move security command payloads behind a default-off compile time switch. [1]: http://pmem.io/documents/NVDIMM_DSM_Interface-V1.8.pdf Signed-off-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
26 lines
1,010 B
Text
26 lines
1,010 B
Text
# SPDX-License-Identifier: GPL-2.0
|
|
config ACPI_NFIT
|
|
tristate "ACPI NVDIMM Firmware Interface Table (NFIT)"
|
|
depends on PHYS_ADDR_T_64BIT
|
|
depends on BLK_DEV
|
|
depends on ARCH_HAS_PMEM_API
|
|
select LIBNVDIMM
|
|
help
|
|
Infrastructure to probe ACPI 6 compliant platforms for
|
|
NVDIMMs (NFIT) and register a libnvdimm device tree. In
|
|
addition to storage devices this also enables libnvdimm to pass
|
|
ACPI._DSM messages for platform/dimm configuration.
|
|
|
|
To compile this driver as a module, choose M here:
|
|
the module will be called nfit.
|
|
|
|
config NFIT_SECURITY_DEBUG
|
|
bool "Enable debug for NVDIMM security commands"
|
|
depends on ACPI_NFIT
|
|
help
|
|
Some NVDIMM devices and controllers support encryption and
|
|
other security features. The payloads for the commands that
|
|
enable those features may contain sensitive clear-text
|
|
security material. Disable debug of those command payloads
|
|
by default. If you are a kernel developer actively working
|
|
on NVDIMM security enabling say Y, otherwise say N.
|