On Thu, 2019-01-17 at 19:38 -0700, Dave Jiang wrote:
> Add command that allows the user to provide the master encryption key name
> to be installed in the key material directory where ndctl can refer to
> for later security operations.
> 
> Signed-off-by: Dave Jiang <dave.ji...@intel.com>
> ---
>  Documentation/ndctl/Makefile.am                   |    3 
>  Documentation/ndctl/ndctl-install-encrypt-key.txt |   31 +++++
>  configure.ac                                      |    3 
>  ndctl/Makefile.am                                 |    4 -
>  ndctl/builtin.h                                   |    1 
>  ndctl/kek.c                                       |  133 +++++++++++++++++++++
>  ndctl/lib/libndctl.c                              |   31 +++++
>  ndctl/lib/libndctl.sym                            |    1 
>  ndctl/lib/private.h                               |    1 
>  ndctl/libndctl.h                                  |    1 
>  ndctl/ndctl.c                                     |    1 
>  11 files changed, 208 insertions(+), 2 deletions(-)
>  create mode 100644 Documentation/ndctl/ndctl-install-encrypt-key.txt
>  create mode 100644 ndctl/kek.c
> 
> diff --git a/Documentation/ndctl/Makefile.am b/Documentation/ndctl/Makefile.am
> index a30b139b..7cb7bd6b 100644
> --- a/Documentation/ndctl/Makefile.am
> +++ b/Documentation/ndctl/Makefile.am
> @@ -47,7 +47,8 @@ man1_MANS = \
>       ndctl-inject-smart.1 \
>       ndctl-update-firmware.1 \
>       ndctl-list.1 \
> -     ndctl-monitor.1
> +     ndctl-monitor.1 \
> +     ndctl-install-encrypt-key.1

I think Dan's feedback was to call this command setup-passphrase?
By 'install-encrypt-key' it seems unclear whether you mean "install
encrypted key" vs. "install a key and encrypt it".
Alternatively, the command can simply be 'install-kek', and the
synopsis/description can expand on what 'kek' is and how it is used.

>  
>  CLEANFILES = $(man1_MANS)
>  
> diff --git a/Documentation/ndctl/ndctl-install-encrypt-key.txt 
> b/Documentation/ndctl/ndctl-install-encrypt-key.txt
> new file mode 100644
> index 00000000..d00463e3
> --- /dev/null
> +++ b/Documentation/ndctl/ndctl-install-encrypt-key.txt
> @@ -0,0 +1,31 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +ndctl-install-encrypt-key(1)
> +============================
> +
> +NAME
> +----
> +ndctl-install-encrypt-key - store encryption key name for nvdimm bus

"store the encryption key handle for an nvdimm bus"

> +
> +SYNOPSIS
> +--------
> +[verse]
> +'ndctl install-encrypt-key <ndbus0> [<ndbus1>..<ndbusN>] [-k <master 
> encryption key] [<options>]
> +
> +Take the provided master encryption key handle and store it in a file that

This sentence seems incomplete?

> +A file would be created for the designated bus provider.
> +i.e. /etc/ndctl/keys/nfit_test.0.kek

With the makefile-vars-in-man-pages patch[1], all instances of hard
coding this path in the documentation can now be converted to use the
new scheme, and that should keep the man pages in sync with the actual
build options.

[1]: https://patchwork.kernel.org/patch/10771507/


> +The command only succeeds on bus(es) that contain nvdimms with security 
> support.

This should be implied and is true for any command - the command will
only work if the underlying feature is supported by the DIMM/platform,
so I think we can omit this sentence.

I think you had a 'Description' section before; I think it is valuable
to retain it and add a blurb about the keyctl steps that might be
needed before invoking this command.

> +
> +OPTIONS
> +-------
> +-k::
> +--kek=::
> +     Key encryption key (master key) handle. The key handle has the format
> +     of <key type>:<key name>. i.e. trusted:nvdimm-master.
> +
> +-v::
> +--verbose::
> +     Turn on debug output
> +
> +include::../copyright.txt[]
> 
> 
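Review bot: The SYNOPSIS line in the new man page is unbalanced: the opening ' before ndctl is never closed, and "[-k <master encryption key]" is missing its closing ">". The brackets also mark -k as optional, while the text describes no behaviour for a run without a key handle; if the option is required, drop the brackets. In OPTIONS, "--kek=::" has no argument placeholder, and "i.e. trusted:nvdimm-master" (like "i.e. /etc/ndctl/keys/nfit_test.0.kek" above it) introduces an example, so "e.g." is the right abbreviation. Since the commit message says this file is what ndctl refers to for later security operations, the page should also state which key types are accepted in "<key type>:<key name>" and what happens when a .kek file already exists for the bus.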
