sed-opal: allow user authority to get locking range attributes.

Extend ACE set of locking range attributes accessible to user
authority. This patch allows user authority to get following
locking range attribues when user get added to locking range via
IOC_OPAL_ADD_USR_TO_LR:

locking range start
locking range end
read lock enabled
write lock enabled
read locked
write locked
lock on reset
active key

Note: Admin1 authority always remains in the ACE. Otherwise
it breaks current userspace expecting Admin1 in the ACE (sedutils).

See TCG OPAL2 s.4.3.1.7 "ACE_Locking_RangeNNNN_Get_RangeStartToActiveKey".

Signed-off-by: Ondrej Kozina <okozina@redhat.com>
Tested-by: Luca Boccassi <bluca@debian.org>
Tested-by: Milan Broz <gmazyland@gmail.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20230405111223.272816-4-okozina@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/block/opal_proto.h b/block/opal_proto.h
index b045cbb9d76ec5e47a573b67d218ca6de751c0ae..a4e56845dd8267e70adf2844898373812f7b07ee 100644 (file)
--- a/block/opal_proto.h
+++ b/block/opal_proto.h
@@ -114,6 +114,7 @@ enum opal_uid {
        /* tables */
        OPAL_TABLE_TABLE,
        OPAL_LOCKINGRANGE_GLOBAL,
+       OPAL_LOCKINGRANGE_ACE_START_TO_KEY,
        OPAL_LOCKINGRANGE_ACE_RDLOCKED,
        OPAL_LOCKINGRANGE_ACE_WRLOCKED,
        OPAL_MBRCONTROL,

diff --git a/block/sed-opal.c b/block/sed-opal.c
index 4d0253bc2bfddf6d915d1fae5482d021e613bfe4..38cc02b708ac7ba24f9f22a6f632e2da697b0f20 100644 (file)
--- a/block/sed-opal.c
+++ b/block/sed-opal.c
@@ -132,6 +132,8 @@ static const u8 opaluid[][OPAL_UID_LENGTH] = {
                { 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01 },
        [OPAL_LOCKINGRANGE_GLOBAL] =
                { 0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00, 0x01 },
+       [OPAL_LOCKINGRANGE_ACE_START_TO_KEY] =
+               { 0x00, 0x00, 0x00, 0x08, 0x00, 0x03, 0xD0, 0x01 },
        [OPAL_LOCKINGRANGE_ACE_RDLOCKED] =
                { 0x00, 0x00, 0x00, 0x08, 0x00, 0x03, 0xE0, 0x01 },
        [OPAL_LOCKINGRANGE_ACE_WRLOCKED] =
@@ -1859,6 +1861,27 @@ static int add_user_to_lr(struct opal_dev *dev, void *data)
        return finalize_and_send(dev, parse_and_check_status);
 }
 
+static int add_user_to_lr_ace(struct opal_dev *dev, void *data)
+{
+       int err;
+       struct opal_lock_unlock *lkul = data;
+       const u8 users[] = {
+               OPAL_ADMIN1,
+               lkul->session.who
+       };
+
+       err = set_lr_boolean_ace(dev, OPAL_LOCKINGRANGE_ACE_START_TO_KEY,
+                                lkul->session.opal_key.lr, users,
+                                ARRAY_SIZE(users));
+
+       if (err) {
+               pr_debug("Error building add user to locking ranges ACEs.\n");
+               return err;
+       }
+
+       return finalize_and_send(dev, parse_and_check_status);
+}
+
 static int lock_unlock_locking_range(struct opal_dev *dev, void *data)
 {
        u8 lr_buffer[OPAL_UID_LENGTH];
@@ -2396,6 +2419,7 @@ static int opal_add_user_to_lr(struct opal_dev *dev,
        const struct opal_step steps[] = {
                { start_admin1LSP_opal_session, &lk_unlk->session.opal_key },
                { add_user_to_lr, lk_unlk },
+               { add_user_to_lr_ace, lk_unlk },
                { end_opal_session, }
        };
        int ret;