driver-api/nvdimm/security.rst

6 ---------------
10 security DSMs: "get security state", "set passphrase", "disable passphrase",
16 ------------------
28 update <old_keyid> <new_keyid> - enable or update passphrase.
29 disable <keyid> - disable enabled security and remove key.
30 freeze - freeze changing of security states.
31 erase <keyid> - delete existing user encryption key.
32 overwrite <keyid> - wipe the entire nvdimm.
33 master_update <keyid> <new_keyid> - enable or update master passphrase.
34 master_erase <keyid> - delete existing user encryption key.
37 -----------------
41 8089-a2-1740-00000133
51 A nvdimm encrypted-key of format enc32 has the description format of:
52 nvdimm:<bus-provider-specific-unique-id>
54 See file ``Documentation/security/keys/trusted-encrypted.rst`` for creating
55 encrypted-keys of enc32 format. TPM usage with a master trusted key is
56 preferred for sealing the encrypted-keys.
59 ------------
62 a locked DIMM can be unlocked. Once unlocked, the DIMM will remain unlocked
64 relevant encrypted-keys into the kernel user keyring during the initramfs phase.
70 ---------
84 ---------
85 The freeze operation does not require any keys. The security config can be
88 7. Disable
89 ----------
90 The security disable command format is:
91 disable <keyid>
97 ---------------
105 ------------
109 Overwrite can be done without a key if security is not enabled. A key serial
110 of 0 can be passed in to indicate no key.
112 The sysfs attribute "security" can be polled to wait on overwrite completion.
113 Overwrite can last tens of minutes or more depending on nvdimm size.
115 An encrypted-key with the current user passphrase that is tied to the nvdimm
119 -----------------
125 is just another encrypted-key.
130 ----------------
136 another encrypted-key.
141 [1]: https://pmem.io/documents/NVDIMM_DSM_Interface-V1.8.pdf
143 [2]: http://www.t13.org/documents/UploadedDocuments/docs2006/e05179r4-ACS-SecurityClarifications.pdf