On Tue, Jan 29, 2019 at 6:35 PM Verma, Vishal L
<vishal.l.ve...@intel.com> wrote:
> On Thu, 2019-01-24 at 16:07 -0700, Dave Jiang wrote:
[..]
> > +
> > +The updated key blobs will be created by ndctl in {ndctl_keysdir} directory
> > +with the file name of "nvdimm_<dimm unique id>_<hostname>.blob".
> > +
> > +OPTIONS
> > +-------
> > +<dimm>::
> > +include::xable-dimm-options.txt[]
> > +
> > +-k::
> > +--key_handle=::
> > +     The new encryption key (master) key handle, used for sealing the DIMM
>
> This doesn't read right. Maybe all of "master key" should have been in
> parentheses? Or the second 'key' is extraneous? (This applies to the
> above man page as well).
>
> > +     encrypted keys. The format is <key type>:<key description>.
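Review bot: the -k/--key_handle entry gives the format `<key type>:<key description>` but no concrete value and no statement of which key types ndctl accepts, so a reader cannot tell what a valid handle looks like; add one example value and list the accepted types. The earlier sentence should also read "in the {ndctl_keysdir} directory", and the blob file name pattern `nvdimm_<dimm unique id>_<hostname>.blob` should say which identifier ndctl uses as the "dimm unique id", since the reader needs it to locate the blob for a given DIMM.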
>
> Did you mean DIMM's encrypted keys? Or did you mean "used for sealing
> (encrypting) the DIMM's keys"?

For this exact concern I think the word "key" should be reserved in
the documentation for only referring to the key-encryption-key used to
generate / protect the encrypted passphrase material.

Yes, keyctl refers to the encrypted passphrase material as "keys" and
"key blobs", but that's a keyctl internal concern. For ndctl, it's
only concerned about the "key" used to generate a "passphrase". So the
ask is to audit the man pages and make sure any usage of "key" is
referring to the KEK and everything else only refers to
"passphrase", or "passphrase blob" etc.

> And is there one key that will be sealed, or multiple?

It could be one key for all passphrases, a key per passphrase, or
anything in between. This is the motivation to follow on to this set
with a capable configuration file that can record the
key-to-passphrase relationship.
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm