Bug 1696481 - Mark CONFIG_LIBNVDIMM=m to support the NVDIMM security unlock flow
Summary: Mark CONFIG_LIBNVDIMM=m to support the NVDIMM security unlock flow
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-04-04 23:49 UTC by Dan Williams
Modified: 2019-04-08 18:09 UTC

Last Closed: 2019-04-08 18:09:38 UTC



Description Dan Williams 2019-04-04 23:49:27 UTC
1. Please describe the problem:

Historically CONFIG_LIBNVDIMM was marked "=y" because there was at least one NVDIMM provider marked "=y". However, that is no longer the case:

CONFIG_ACPI_NFIT=m
CONFIG_X86_PMEM_LEGACY=m

More importantly the CONFIG_LIBNVDIMM=y setting currently defeats the NVDIMM security unlock flow.

The keys required to unlock NVDIMMs are currently loaded via a modprobe.conf rule like the following:

install libnvdimm /usr/bin/ndctl load-keys ; /sbin/modprobe --ignore-install libnvdimm $CMDLINE_OPTS

With CONFIG_LIBNVDIMM=y built-in there is no trigger to automate the loading of the keys. For reference the key handling implementation follows that of fscrypt where a master-key protects the per-NVDIMM key material.

Longer term the CONFIG_NVDIMM_KEYS dependency will be fixed to depend on CONFIG_LIBNVDIMM=m, or otherwise move the specific dependency to its own module.

In the meantime a change to the shipping configuration is needed for pre-v5.2 kernels, and to support CONFIG_NVDIMM_SECURITY=y in post v5.2 kernels.


2. What is the Version-Release number of the kernel:

Latest rawhide:

kernel-5.1.0-0.rc3.git1.1.fc31.x86_64.rpm


3. Did it work previously in Fedora? If so, what kernel version did the issue
   *first* appear?  Old kernels are available for download at
   https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :

It never worked and the feature was developed on CONFIG_LIBNVDIMM=m builds.


4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:

There is no trigger to run the "ndctl load-keys" helper prior to the driver attempting to unlock DIMMs.


5. Does this problem occur with the latest Rawhide kernel? To install the
   Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by
   ``sudo dnf update --enablerepo=rawhide kernel``:

Yes.


6. Are you running any modules that are not shipped directly with Fedora's kernel?:

No.

7. Please attach the kernel logs. You can get the complete kernel log
   for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the
   issue occurred on a previous boot, use the journalctl ``-b`` flag.

N/A
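
Added example (not part of the original report, and not ndctl or Fedora code): a shell check for the condition the description reports, namely whether a given kernel config and modprobe rule directory can trigger "ndctl load-keys" before libnvdimm loads. The function name, verdict strings and two-argument layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: can the modprobe-triggered NVDIMM key-loading flow run?
# Arguments (assumed layout for this example, not an ndctl interface):
#   $1  kernel config file, e.g. /boot/config-$(uname -r)
#   $2  one directory of modprobe rules, e.g. /etc/modprobe.d
# Prints one verdict word and returns 0 only for "ok".
nvdimm_unlock_trigger() {
    config=$1
    rules_dir=$2

    # "y", "m", or empty when the option is unset or absent.
    libnvdimm=$(sed -n 's/^CONFIG_LIBNVDIMM=\([ym]\)$/\1/p' "$config")

    case $libnvdimm in
        y)  # Built in: libnvdimm is never modprobed, so no install rule fires.
            echo builtin-no-trigger; return 1 ;;
        m)  ;;
        *)  echo libnvdimm-disabled; return 1 ;;
    esac

    # Require an uncommented "install libnvdimm ..." rule that runs load-keys.
    if grep -Ehs '^[[:space:]]*install[[:space:]]+libnvdimm[[:space:]]' \
            "$rules_dir"/*.conf | grep -q 'ndctl load-keys'; then
        echo ok; return 0
    fi
    echo module-no-install-rule; return 1
}

# Run as a script: ./check.sh /boot/config-$(uname -r) /etc/modprobe.d
if [ "$#" -eq 2 ]; then
    nvdimm_unlock_trigger "$1" "$2"
fi
```

The check reads only the one rule directory it is given; run it once per directory when rules are split across several.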

Comment 1 Jeremy Cline 2019-04-08 18:09:38 UTC
Hi Dan,

CONFIG_LIBNVDIMM=m should arrive in tomorrow's Rawhide build (kernel-5.1.0-0.rc4.git1.1.fc31).

