acpi/nfit, libnvdimm/security: add Intel DSM 1.8 master passphrase support

			[NVDIMM_INTEL_SECURE_ERASE] = 2,

			[NVDIMM_INTEL_OVERWRITE] = 2,

			[NVDIMM_INTEL_QUERY_OVERWRITE] = 2,

			[NVDIMM_INTEL_SET_MASTER_PASSPHRASE] = 2,

			[NVDIMM_INTEL_MASTER_SECURE_ERASE] = 2,

		},

	};

	u8 id;

#include "intel.h"

#include "nfit.h"

static enum nvdimm_security_state intel_security_state(struct nvdimm *nvdimm)

static enum nvdimm_security_state intel_security_state(struct nvdimm *nvdimm,

		enum nvdimm_passphrase_type ptype)

{

	struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);

	struct {

	 * The DSM spec states that the security state is indeterminate

	 * until the overwrite DSM completes.

	 */

	if (nvdimm_in_overwrite(nvdimm))

	if (nvdimm_in_overwrite(nvdimm) && ptype == NVDIMM_USER)

		return NVDIMM_SECURITY_OVERWRITE;

	rc = nvdimm_ctl(nvdimm, ND_CMD_CALL, &nd_cmd, sizeof(nd_cmd), NULL);

		return -EIO;

	/* check and see if security is enabled and locked */

	if (ptype == NVDIMM_MASTER) {

		if (nd_cmd.cmd.extended_state & ND_INTEL_SEC_ESTATE_ENABLED)

			return NVDIMM_SECURITY_UNLOCKED;

		else if (nd_cmd.cmd.extended_state &

				ND_INTEL_SEC_ESTATE_PLIMIT)

			return NVDIMM_SECURITY_FROZEN;

	} else {

		if (nd_cmd.cmd.state & ND_INTEL_SEC_STATE_UNSUPPORTED)

			return -ENXIO;

		else if (nd_cmd.cmd.state & ND_INTEL_SEC_STATE_ENABLED) {

			if (nd_cmd.cmd.state & ND_INTEL_SEC_STATE_LOCKED)

				return NVDIMM_SECURITY_LOCKED;

		else if (nd_cmd.cmd.state & ND_INTEL_SEC_STATE_FROZEN ||

				nd_cmd.cmd.state & ND_INTEL_SEC_STATE_PLIMIT)

			else if (nd_cmd.cmd.state & ND_INTEL_SEC_STATE_FROZEN

					|| nd_cmd.cmd.state &

					ND_INTEL_SEC_STATE_PLIMIT)

				return NVDIMM_SECURITY_FROZEN;

			else

				return NVDIMM_SECURITY_UNLOCKED;

		}

	}

	/* this should cover master security disabled as well */

	return NVDIMM_SECURITY_DISABLED;

}

static int intel_security_change_key(struct nvdimm *nvdimm,

		const struct nvdimm_key_data *old_data,

		const struct nvdimm_key_data *new_data)

		const struct nvdimm_key_data *new_data,

		enum nvdimm_passphrase_type ptype)

{

	struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);

	unsigned int cmd = ptype == NVDIMM_MASTER ?

		NVDIMM_INTEL_SET_MASTER_PASSPHRASE :

		NVDIMM_INTEL_SET_PASSPHRASE;

	struct {

		struct nd_cmd_pkg pkg;

		struct nd_intel_set_passphrase cmd;

	} nd_cmd = {

		.pkg = {

			.nd_command = NVDIMM_INTEL_SET_PASSPHRASE,

			.nd_family = NVDIMM_FAMILY_INTEL,

			.nd_size_in = ND_INTEL_PASSPHRASE_SIZE * 2,

			.nd_size_out = ND_INTEL_STATUS_SIZE,

			.nd_fw_size = ND_INTEL_STATUS_SIZE,

			.nd_command = cmd,

		},

	};

	int rc;

	if (!test_bit(NVDIMM_INTEL_SET_PASSPHRASE, &nfit_mem->dsm_mask))

	if (!test_bit(cmd, &nfit_mem->dsm_mask))

		return -ENOTTY;

	if (old_data)

}

static int intel_security_erase(struct nvdimm *nvdimm,

		const struct nvdimm_key_data *key)

		const struct nvdimm_key_data *key,

		enum nvdimm_passphrase_type ptype)

{

	int rc;

	struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);

	unsigned int cmd = ptype == NVDIMM_MASTER ?

		NVDIMM_INTEL_MASTER_SECURE_ERASE : NVDIMM_INTEL_SECURE_ERASE;

	struct {

		struct nd_cmd_pkg pkg;

		struct nd_intel_secure_erase cmd;

			.nd_size_in = ND_INTEL_PASSPHRASE_SIZE,

			.nd_size_out = ND_INTEL_STATUS_SIZE,

			.nd_fw_size = ND_INTEL_STATUS_SIZE,

			.nd_command = NVDIMM_INTEL_SECURE_ERASE,

			.nd_command = cmd,

		},

	};

	if (!test_bit(NVDIMM_INTEL_SECURE_ERASE, &nfit_mem->dsm_mask))

	if (!test_bit(cmd, &nfit_mem->dsm_mask))

		return -ENOTTY;

	/* flush all cache before we erase DIMM */

		return sprintf(buf, "frozen\n");

	case NVDIMM_SECURITY_OVERWRITE:

		return sprintf(buf, "overwrite\n");

	default:

		return -ENOTTY;

	}

	return -ENOTTY;

	C( OP_DISABLE,		"disable",		2),	\

	C( OP_UPDATE,		"update",		3),	\

	C( OP_ERASE,		"erase",		2),	\

	C( OP_OVERWRITE,	"overwrite",	2)

	C( OP_OVERWRITE,	"overwrite",		2),	\

	C( OP_MASTER_UPDATE,	"master_update",	3),	\

	C( OP_MASTER_ERASE,	"master_erase",		2)

#undef C

#define C(a, b, c) a

enum nvdimmsec_op_ids { OPS };

		rc = nvdimm_security_disable(nvdimm, key);

	} else if (i == OP_UPDATE) {

		dev_dbg(dev, "update %u %u\n", key, newkey);

		rc = nvdimm_security_update(nvdimm, key, newkey);

		rc = nvdimm_security_update(nvdimm, key, newkey, NVDIMM_USER);

	} else if (i == OP_ERASE) {

		dev_dbg(dev, "erase %u\n", key);

		rc = nvdimm_security_erase(nvdimm, key);

		rc = nvdimm_security_erase(nvdimm, key, NVDIMM_USER);

	} else if (i == OP_OVERWRITE) {

		dev_dbg(dev, "overwrite %u\n", key);

		rc = nvdimm_security_overwrite(nvdimm, key);

	} else if (i == OP_MASTER_UPDATE) {

		dev_dbg(dev, "master_update %u %u\n", key, newkey);

		rc = nvdimm_security_update(nvdimm, key, newkey,

				NVDIMM_MASTER);

	} else if (i == OP_MASTER_ERASE) {

		dev_dbg(dev, "master_erase %u\n", key);

		rc = nvdimm_security_erase(nvdimm, key,

				NVDIMM_MASTER);

	} else

		return -EINVAL;

	 * Security state must be initialized before device_add() for

	 * attribute visibility.

	 */

	nvdimm->sec.state = nvdimm_security_state(nvdimm);

	/* get security state and extended (master) state */

	nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);

	nvdimm->sec.ext_state = nvdimm_security_state(nvdimm, NVDIMM_MASTER);

	nd_device_register(dev);

	return nvdimm;

	}

	rc = nvdimm->sec.ops->freeze(nvdimm);

	nvdimm->sec.state = nvdimm_security_state(nvdimm);

	nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);

	return rc;

}

	struct {

		const struct nvdimm_security_ops *ops;

		enum nvdimm_security_state state;

		enum nvdimm_security_state ext_state;

		unsigned int overwrite_tmo;

		struct kernfs_node *overwrite_state;

	} sec;

};

static inline enum nvdimm_security_state nvdimm_security_state(

		struct nvdimm *nvdimm)

		struct nvdimm *nvdimm, bool master)

{

	if (!nvdimm->sec.ops)

		return -ENXIO;

	return nvdimm->sec.ops->state(nvdimm);

	return nvdimm->sec.ops->state(nvdimm, master);

}

int nvdimm_security_freeze(struct nvdimm *nvdimm);

#if IS_ENABLED(CONFIG_NVDIMM_KEYS)

int nvdimm_security_disable(struct nvdimm *nvdimm, unsigned int keyid);

int nvdimm_security_update(struct nvdimm *nvdimm, unsigned int keyid,

		unsigned int new_keyid);

int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid);

		unsigned int new_keyid,

		enum nvdimm_passphrase_type pass_type);

int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid,

		enum nvdimm_passphrase_type pass_type);

int nvdimm_security_overwrite(struct nvdimm *nvdimm, unsigned int keyid);

void nvdimm_security_overwrite_query(struct work_struct *work);

#else

{

	return -EOPNOTSUPP;

}

static inline int nvdimm_security_update(struct nvdimm *nvdimm, unsigned int keyid,

		unsigned int new_keyid)

static inline int nvdimm_security_update(struct nvdimm *nvdimm,

		unsigned int keyid,

		unsigned int new_keyid,

		enum nvdimm_passphrase_type pass_type)

{

	return -EOPNOTSUPP;

}

static inline int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid)

static inline int nvdimm_security_erase(struct nvdimm *nvdimm,

		unsigned int keyid,

		enum nvdimm_passphrase_type pass_type)

{

	return -EOPNOTSUPP;

}

	 * Send the same key to the hardware as new and old key to

	 * verify that the key is good.

	 */

	rc = nvdimm->sec.ops->change_key(nvdimm, key_data(key), key_data(key));

	rc = nvdimm->sec.ops->change_key(nvdimm, key_data(key),

			key_data(key), NVDIMM_USER);

	if (rc < 0) {

		nvdimm_put_key(key);

		key = NULL;

			rc == 0 ? "success" : "fail");

	nvdimm_put_key(key);

	nvdimm->sec.state = nvdimm_security_state(nvdimm);

	nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);

	return rc;

}

			rc == 0 ? "success" : "fail");

	nvdimm_put_key(key);

	nvdimm->sec.state = nvdimm_security_state(nvdimm);

	nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);

	return rc;

}

int nvdimm_security_update(struct nvdimm *nvdimm, unsigned int keyid,

		unsigned int new_keyid)

		unsigned int new_keyid,

		enum nvdimm_passphrase_type pass_type)

{

	struct device *dev = &nvdimm->dev;

	struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);

	}

	rc = nvdimm->sec.ops->change_key(nvdimm, key ? key_data(key) : NULL,

			key_data(newkey));

	dev_dbg(dev, "key: %d %d update: %s\n",

			key_data(newkey), pass_type);

	dev_dbg(dev, "key: %d %d update%s: %s\n",

			key_serial(key), key_serial(newkey),

			pass_type == NVDIMM_MASTER ? "(master)" : "(user)",

			rc == 0 ? "success" : "fail");

	nvdimm_put_key(newkey);

	nvdimm_put_key(key);

	nvdimm->sec.state = nvdimm_security_state(nvdimm);

	if (pass_type == NVDIMM_MASTER)

		nvdimm->sec.ext_state = nvdimm_security_state(nvdimm,

				NVDIMM_MASTER);

	else

		nvdimm->sec.state = nvdimm_security_state(nvdimm,

				NVDIMM_USER);

	return rc;

}

int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid)

int nvdimm_security_erase(struct nvdimm *nvdimm, unsigned int keyid,

		enum nvdimm_passphrase_type pass_type)

{

	struct device *dev = &nvdimm->dev;

	struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(dev);

		return -EBUSY;

	}

	if (nvdimm->sec.ext_state != NVDIMM_SECURITY_UNLOCKED

			&& pass_type == NVDIMM_MASTER) {

		dev_warn(dev,

			"Attempt to secure erase in wrong master state.\n");

		return -EOPNOTSUPP;

	}

	key = nvdimm_lookup_user_key(nvdimm, keyid, NVDIMM_BASE_KEY);

	if (!key)

		return -ENOKEY;

	rc = nvdimm->sec.ops->erase(nvdimm, key_data(key));

	dev_dbg(dev, "key: %d erase: %s\n", key_serial(key),

	rc = nvdimm->sec.ops->erase(nvdimm, key_data(key), pass_type);

	dev_dbg(dev, "key: %d erase%s: %s\n", key_serial(key),

			pass_type == NVDIMM_MASTER ? "(master)" : "(user)",

			rc == 0 ? "success" : "fail");

	nvdimm_put_key(key);

	nvdimm->sec.state = nvdimm_security_state(nvdimm);

	nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);

	return rc;

}

		get_device(dev);

		queue_delayed_work(system_wq, &nvdimm->dwork, 0);

	}

	return rc;

}

	clear_bit(NDD_SECURITY_OVERWRITE, &nvdimm->flags);

	clear_bit(NDD_WORK_PENDING, &nvdimm->flags);

	put_device(&nvdimm->dev);

	nvdimm->sec.state = nvdimm_security_state(nvdimm);

	nvdimm->sec.state = nvdimm_security_state(nvdimm, NVDIMM_USER);

	nvdimm->sec.ext_state = nvdimm_security_state(nvdimm, NVDIMM_MASTER);

}

void nvdimm_security_overwrite_query(struct work_struct *work)