On Tue, 2019-01-29 at 18:59 -0800, Dan Williams wrote:
> On Tue, Jan 29, 2019 at 6:35 PM Verma, Vishal L
> <vishal.l.ve...@intel.com> wrote:
> > On Thu, 2019-01-24 at 16:07 -0700, Dave Jiang wrote:
> [..]
> > > +
> > > +The updated key blobs will be created by ndctl in {ndctl_keysdir} 
> > > directory
> > > +with the file name of "nvdimm_<dimm unique id>_<hostname>.blob".
> > > +
> > > +OPTIONS
> > > +-------
> > > +<dimm>::
> > > +include::xable-dimm-options.txt[]
> > > +
> > > +-k::
> > > +--key_handle=::
> > > +     The new encryption key (master) key handle, used for sealing the 
> > > DIMM
> > 
> > This doesn't read right. Maybe all of "master key" should have been in
> > parentheses? Or is the second 'key' extraneous? (This applies to the
> > above man page as well).
> > 
> > > +     encrypted keys. The format is <key type>:<key description>.
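Review bot: the `-k`/`--key_handle=` description still conflates the two kinds of key: "new encryption key (master) key handle" repeats "key", and "the DIMM encrypted keys" uses "key" for what the rest of this discussion calls the passphrase material. Suggest rewording along the lines of "The handle of the master key (key-encryption-key) used to seal the DIMM passphrases", and, since the format line gives only the shape `<key type>:<key description>`, stating which `<key type>` values are accepted.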
> > 
> > Did you mean the DIMM's encrypted keys? Or did you mean "used for sealing
> > (encrypting) the DIMM's keys"?
> 
> For this exact concern I think the word "key" should be reserved in
> the documentation for only referring to the key-encryption-key used to
> generate / protect the encrypted passphrase material.
> 
> Yes, keyctl refers to the encrypted passphrase material as "keys" and
> "key blobs", but that's a keyctl internal concern. For ndctl, it's
> only concerned about the "key" used to generate a "passphrase". So the
> ask is to audit the man pages and make sure any usage of "key" is
> referring to the KEK and everything else only refers to
> "passphrase", "passphrase blob", etc.

Yes, I think that makes sense and should clarify everything a lot!

> 
> > And is there one key that will be sealed, or multiple?
> 
> It could be one key for all passphrases, a key per passphrase, or
> anything in between. This is the motivation to follow on to this set
> with a capable configuration file that can record the
> key-to-passphrase relationship.

_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm