1NDCTL-REMOVE-PASSP(1)                                    NDCTL-REMOVE-PASSP(1)
2
3
4

NAME

6       ndctl-remove-passphrase - Stop a DIMM from locking at power-loss and
7       requiring a passphrase to access media
8

SYNOPSIS

10       ndctl remove-passphrase <nmem0> [<nmem1>..<nmemN>] [<options>]
11

DESCRIPTION

13       Search the user keyring for an encrypted passphrase for the NVDIMM in
14       question. If not found, attempt to load the passphrase blob. After
15       disabling the passphrase, remove the key-ID from the keyring as well as
16       the passphrase blob from the file system.
17

OPTIONS

19       <dimm>
20           A nmemX device name, or a dimm id number. Restrict the operation to
21           the specified dimm(s). The keyword all can be specified to indicate
22           the lack of any restriction, however this is the same as not
23           supplying a --dimm option at all.
24
25       -b, --bus=
26           A bus id number, or a provider string (e.g. "ACPI.NFIT"). Restrict
27           the operation to the specified bus(es). The keyword all can be
28           specified to indicate the lack of any restriction, however this is
29           the same as not supplying a --bus option at all.
30
31       -v, --verbose
32           Emit debug messages.
33

THEORY OF OPERATION

35       The Intel Device Specific Methods (DSM) specification v1.7 and v1.8 [1]
36       introduced the following security management operations: enable
37       passhprase, update passphrase, unlock DIMM, disable security, freeze
38       security, secure (crypto) erase, overwrite, master passphrase enable,
39       master passphrase update, and master passphrase secure erase.
40
41       The security management for NVDIMMs is comprised of two parts. The
42       front end uses the Linux key management framework (trusted and
43       encrypted keys [2]) to store the encrypted passphrases in the
44       kernel-managed keyring. The interface for this is the keyutils utility
45       which uses the key management APIs in the Linux kernel. The back end
46       takes the decrypted payload (which is the DIMM passphrase) and passes
47       it to the DIMM.
48
49       Unlike other DSMs which are composed by libndctl and sent to the kernel
50       via an ioctl, the security DSMs are managed through the security sysfs
51       attribute under the dimm device. A key-ID is written to the security
52       attribute and the kernel pulls the associated key material from the
53       user keyring that is maintained by the kernel.
54
55       The security process begins with the generation of a master key that is
56       used to seal (encrypt) the passphrase for the DIMM. There can either be
57       one common master key that is used to encrypt every DIMM’s passphrase,
58       or a separate key can be generated for each DIMM. The master key is
59       also referred to as the key-encryption-key (kek). The kek can either be
60       generated by the TPM (Trusted Platform Module) on the system, or
61       alternatively, the System Master Key can also be used as the kek
62
63       For testing purposes a user key with randomized payload can also be
64       used as a kek. See [2] for details. To perform any security operations,
65       it is expected that the kek has been added to the kernel’s user keyring
66       as shown in example below:
67
68           # keyctl show
69           Session Keyring
70            736023423 --alswrv      0     0  keyring: _ses
71            675104189 --alswrv      0 65534   \_ keyring: _uid.0
72            680187394 --alswrv      0     0       \_ trusted: nvdimm-master
73
74       Before performing any of the security operations, all the regions
75       associated with the DIMM in question need to be disabled. For the
76       overwrite operation, in addition to the regions, the dimm also needs to
77       be disabled.
78
79       [1] http://pmem.io/documents/NVDIMM_DSM_Interface-V1.8.pdf [2]
80       https://www.kernel.org/doc/Documentation/security/keys/trusted-encrypted.rst
81
82       The following sub-sections describe specifics of each security feature.
83
84   UNLOCK
85       Unlock is performed by the kernel, however a preparation step must
86       happen before the unlock DSM can be issued by the kernel. It is
87       expected that from the initramfs, a setup command (ndctl load-keys) is
88       executed before the libnvdimm module is loaded by modprobe. This
89       command will inject the kek and the encrypted passphrases into the
90       kernel’s user keyring. During the probe of the libnvdimm driver, it
91       will:
92
93        1. Check the security state of the device and see if the DIMM is
94           locked
95
96        2. Request the associated encrypted passphrase from the kernel’s user
97           key ring
98
99        3. Use the kek to decrypt the passphrase
100
101        4. Create the unlock DSM, copy the decrypted payload into the DSM
102
103        5. Issue the DSM to unlock the DIMM
104
105       If the DIMM is already unlocked, the kernel will attempt to revalidate
106       the passphrase. If we fail to revalidate the passphrase, the kernel
107       will freeze the security and disallow any further security
108       configuration changes. A kernel module parameter is available to
109       override this behavior.
110
111   SETUP USER PASSPHRASE
112       To setup the passphrase for a DIMM, it is expected that the kek to be
113       used is present in the kernel’s user keyring. The kek encrypts the DIMM
114       passphrase using the enc32 key format. The plaintext passphrase is
115       never provided by or made visible to the user. It is instead randomly
116       generated by the kernel and userspace does not have access to it. Upon
117       encryption, a binary blob of the passphrase is written to the
118       passphrase blob storage directory (/etc/ndctl/keys). The user is
119       responsible for backing up the passphrase blobs to a secure location.
120
121   UPDATE USER PASSPHRASE
122       The update user passphrase operation uses the same DSM command as
123       enable user passphrase. Most of the work is done on the key management
124       side. The user has the option of providing a new kek for the new
125       passphrase, but continuing to use the existing kek is also acceptable.
126       The following operations are performed for update-passphrase:
127
128        1. Remove the encrypted passphrase from the kernel’s user keyring.
129
130        2. Rename the passphrase blob to old.
131
132        3. Load this old passphrase blob into the keyring with an "old" name.
133
134        4. Create the new passphrase and encrypt with the kek.
135
136        5. Send DSM with the old and new decrypted passphrases.
137
138        6. Remove old passphrase and the passphrase blob from the keyring.
139
140   REMOVE USER PASSPHRASE
141       The key-ID for the passphrase to be removed is written to sysfs. The
142       kernel then sends the DSM to disable security, and the passphrase is
143       then removed from the keyring, and the associated passphrase blob is
144       deleted.
145
146   CRYPTO (SECURE) ERASE
147       This operation is similar to remove-passphrase. The kernel issues a
148       WBINVD instruction before and after the operation to ensure no data
149       corruption from a stale CPU cache. Use ndctl’s sanitize-dimm command
150       with the --crypto-erase option to perform this operation.
151
152   OVERWRITE
153       This is invoked using --overwrite option for ndctl sanitize-dimm. The
154       overwrite operation wipes the entire NVDIMM. The operation can take a
155       significant amount of time. NOTE: When the command returns
156       successfully, it just means overwrite has been successfully started,
157       and not that the overwrite is complete. Subsequently, 'ndctl
158       wait-overwrite’can be used to wait for the NVDIMMs that are performing
159       overwrite. Upon successful completion of an overwrite, the WBINVD
160       instruction is issued by the kernel. If both --crypto-erase and
161       --overwrite options are supplied, then crypto-erase is performed before
162       overwrite.
163
164   SECURITY FREEZE
165       This operation does not require a passphrase. This will cause any
166       security command other than a status query to be locked out until the
167       next boot.
168
169   MASTER PASSPHRASE SETUP, UPDATE, and CRYPTO ERASE
170       These operations are similar to the user passphrase enable and update.
171       The only difference is that a different passphrase is used. The master
172       passphrase has no relation to the master key (kek) which is used for
173       encryption of either passphrase.
174
176       Copyright © 2016 - 2022, Intel Corporation. License GPLv2: GNU GPL
177       version 2 http://gnu.org/licenses/gpl.html. This is free software: you
178       are free to change and redistribute it. There is NO WARRANTY, to the
179       extent permitted by law.
180

SEE ALSO:

182       linkndctl:ndctl-setup-passphrase[1],
183       linkndctl:ndctl-update-passphrase[1]
184
185
186
187                                  03/08/2022             NDCTL-REMOVE-PASSP(1)
Impressum