Re: [PATCH 2/3] cryptodisk: add OS provided secret support

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/3] cryptodisk: add OS provided secret support

From:	James Bottomley
Subject:	Re: [PATCH 2/3] cryptodisk: add OS provided secret support
Date:	Fri, 13 Nov 2020 07:49:05 -0800
User-agent:	Evolution 3.34.4

On Fri, 2020-11-13 at 13:23 +0000, Dr. David Alan Gilbert wrote:
> * James Bottomley (jejb@linux.ibm.com) wrote:
[...]
> > @@ -1117,11 +1151,28 @@ grub_cmd_cryptomount (grub_extcmd_context_t
> > ctxt, int argc, char **args)
> >    else if (state[1].set || (argc == 0 && state[2].set))
> >      {
> >        search_uuid = NULL;
> > +      os_passwd = NULL;
> >        check_boot = state[2].set;
> >        grub_device_iterate (&grub_cryptodisk_scan_device, NULL);
> >        search_uuid = NULL;
> >        return GRUB_ERR_NONE;
> >      }
> > +  else if (state[3].set)
> > +    {
> > +      /* do we have a secret? */
> > +      if (os_secret_area == NULL)
> > +   return grub_error (GRUB_ERR_INVALID_COMMAND, "No OS secret is
> > provisioned");
> > +
> > +      os_passwd = os_secret_area;
> > +      search_uuid = NULL;
> > +      grub_device_iterate (&grub_cryptodisk_scan_device, NULL);
> > +      os_passwd = NULL;
> > +
> > +      if (!have_it)
> > +   return grub_error (GRUB_ERR_ACCESS_DENIED, "SEV password failed
> > to unlock any volumes");
> 
> That's the only place you break the generality and admit to it being
> a SEV password I think.

Yes, I think it reflects the fact that there's likely a missing
callback into the secret setting module so the message can be very
specific and also that module can handle the secret destruction policy.

James

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/3] Add ability to use SEV provisioned secrets for disk decryption, James Bottomley, 2020/11/12
- [PATCH 1/3] cryptodisk: make the password getter and additional argument to recover_key, James Bottomley, 2020/11/12
  - Re: [PATCH 1/3] cryptodisk: make the password getter and additional argument to recover_key, Glenn Washburn, 2020/11/13
    - Re: [PATCH 1/3] cryptodisk: make the password getter and additional argument to recover_key, James Bottomley, 2020/11/13
- [PATCH 2/3] cryptodisk: add OS provided secret support, James Bottomley, 2020/11/12
  - Re: [PATCH 2/3] cryptodisk: add OS provided secret support, Dr. David Alan Gilbert, 2020/11/13
    - Re: [PATCH 2/3] cryptodisk: add OS provided secret support, James Bottomley <=
- [PATCH 3/3] efi: Add API for retrieving the AMD SEV injected secret for cryptodisk, James Bottomley, 2020/11/12
- Re: [PATCH 0/3] Add ability to use SEV provisioned secrets for disk decryption, Dr. David Alan Gilbert, 2020/11/13
  - Re: [PATCH 0/3] Add ability to use SEV provisioned secrets for disk decryption, James Bottomley, 2020/11/13
    - Re: [PATCH 0/3] Add ability to use SEV provisioned secrets for disk decryption, Dr. David Alan Gilbert, 2020/11/13
    - Re: [PATCH 0/3] Add ability to use SEV provisioned secrets for disk decryption, James Bottomley, 2020/11/13

Prev by Date: Re: [PATCH 1/3] cryptodisk: make the password getter and additional argument to recover_key
Next by Date: Re: [PATCH 1/2] Warn on small MBR gaps on complicated setups
Previous by thread: Re: [PATCH 2/3] cryptodisk: add OS provided secret support
Next by thread: [PATCH 3/3] efi: Add API for retrieving the AMD SEV injected secret for cryptodisk
Index(es):
- Date
- Thread