Bug 1740383
| Summary: | the nvdimm-security.conf dracut module needs spaces in the add_drivers value | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jeff Moyer <jmoyer> |
| Component: | ndctl | Assignee: | Jeff Moyer <jmoyer> |
| Status: | CLOSED ERRATA | QA Contact: | Zhang Yi <yizhan> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.7 | CC: | pdinapol, sujith_pandel, tgummels, woodard, yizhan |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-31 19:53:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Jeff Moyer
2019-08-12 19:22:26 UTC
After setup-passphrase/freeze-security operation, we need to include the updated keys to initramfs
#dracut --include /etc/ndctl/keys /etc/ndctl/keys --install "ndctl keyctl" -f

Pass ndctl basic security operations: setup-passphrase/update-passphrase/remove-passphrase/sanitize-dimm/freeze-security on Intel AEP, move to VERIFIED.

    [root@intel-purley-aep-02 ~]# rpm -qa ndctl
    ndctl-65-5.el7.x86_64
    [root@intel-purley-aep-02 ~]# uname -r
    3.10.0-1111.el7.x86_64
    [root@intel-purley-aep-02 ~]# cat /etc/dracut.conf.d/nvdimm-security.conf
    # Make sure libnvdimm is loaded and ndctl is available in the initramfs
    install_items+="/bin/ndctl"
    add_drivers+=" libnvdimm "

*** Bug 1782690 has been marked as a duplicate of this bug. ***

(In reply to Zhang Yi from comment #4)
> After setup-passphrase/freeze-security operation, we need to include the
> updated keys to initramfs
> #dracut --include /etc/ndctl/keys /etc/ndctl/keys --install "ndctl keyctl" -f

Hi Yi,
Sorry to bring up an old matter, but is there any upstream or RH kbase which calls out that initramfs has to be re-created through dracut with these params while working on security operations of ndctl?

Hi Sujith
I'm not sure about it, seems only [1] described the unlock operation and mentioned initramfs.
@Jeff, could you help confirm it

[1] https://github.com/pmem/ndctl/blob/master/Documentation/ndctl/intel-nvdimm-security.txt

=== UNLOCK
Unlock is performed by the kernel, however a preparation step must happen before the unlock DSM can be issued by the kernel. It is expected that from the initramfs, a setup command (ndctl 'load-keys') is executed before the libnvdimm module is loaded by modprobe. This command will inject the 'kek' and the encrypted passphrases into the kernel's user keyring. During the 'probe' of the libnvdimm driver, it will:
. Check the security state of the device and see if the DIMM is locked
. Request the associated encrypted passphrase from the kernel's user key ring
. Use the 'kek' to decrypt the passphrase
. Create the unlock DSM, copy the decrypted payload into the DSM
. Issue the DSM to unlock the DIMM

Thanks
Yi

(In reply to Sujith from comment #6)
> (In reply to Zhang Yi from comment #4)
> > After setup-passphrase/freeze-security operation, we need to include the
> > updated keys to initramfs
> > #dracut --include /etc/ndctl/keys /etc/ndctl/keys --install "ndctl keyctl" -f
>
> Hi Yi,
> Sorry to bring up an old matter, but is there any upstream or RH kbase which
> calls out that initramfs has to be re-created through dracut with these
> params while working on security operations of ndctl?

Not that I know of.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1076
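The spacing requirement in this bug's summary follows from how dracut reads its configuration: conf drop-ins are sourced as shell, so `+=` concatenates strings and inserts no separator. The sketch below is an added example, not code from the bug report, ndctl or dracut; the sample file names, the `nd_pmem` entry and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: why add_drivers+="..." needs spaces inside the quotes,
# and a check that flags drop-ins that omit them.

# Source the given conf files in order, as a shell would, and print the
# resulting add_drivers list, one driver name per line.
merged_drivers() (
    add_drivers=""
    for f in "$@"; do . "$f"; done
    # Unquoted on purpose: word splitting yields the individual names.
    printf '%s\n' $add_drivers
)

# Print file:line:text for every VAR+="..." assignment whose value does not
# both start and end with a space. VAR defaults to add_drivers.
# Exit status 0 means at least one such line was found.
unspaced_appends() {
    var=${2:-add_drivers}
    grep -HnE "^[[:space:]]*${var}\+=\"([^ \"][^\"]*|[^\"]*[^ \"])\"" "$1"
}

# Constructed sample drop-ins; names and contents are illustrative only.
demo() {
    d=$(mktemp -d)
    printf 'add_drivers+="libnvdimm"\n'   > "$d/bad-nvdimm.conf"
    printf 'add_drivers+=" libnvdimm "\n' > "$d/good-nvdimm.conf"
    printf 'add_drivers+="nd_pmem"\n'     > "$d/other.conf"
    echo "without spaces, the two names fuse into one:"
    merged_drivers "$d/bad-nvdimm.conf" "$d/other.conf"
    echo "with spaces, they stay separate:"
    merged_drivers "$d/good-nvdimm.conf" "$d/other.conf"
    echo "flagged by the check:"
    unspaced_appends "$d/bad-nvdimm.conf"
    rm -rf "$d"
}

demo
```

Running `unspaced_appends` over each file in `/etc/dracut.conf.d/` before rebuilding the initramfs catches a drop-in that would otherwise merge its driver name into a neighbouring entry.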