NVDIMM security is managed via the ndctl utility and the following sub-commands:
The ndctl setup-passphrase command is used to set up and enable a security passphrase for one or more NVDIMMs.
The ndctl update-passphrase command updates the security passphrase for one or more NVDIMMs that have previously been set up using the ndctl setup-passphrase command. Prerequisites for this command to succeed: ndctl setup-passphrase has successfully been executed on the NVDIMM(s), and the NVDIMM is unlocked.
The ndctl remove-passphrase command prevents a DIMM from locking at power-loss and requiring a passphrase to access media.

The ndctl sanitize-dimm command performs cryptographic destruction of the contents on the given NVDIMM(s). It scrambles the data, and any metadata or info-blocks, but it doesn't modify namespace labels. Therefore, any namespaces on regions associated with the given NVDIMM will be retained, but they will end up in raw mode. The kernel issues a WBINVD instruction before and after the erase to ensure no data corruption from a stale CPU cache. Use the ndctl sanitize-dimm command with the --crypto-erase option to perform this operation.
The ndctl sanitize-dimm [--crypto-erase] [--overwrite] command supports two different methods of performing the cryptographic erase. The default is crypto-erase, but additionally, an overwrite option is available which overwrites not only the data area, but also the label area, thus losing the record of any namespaces the given NVDIMM participates in. Use the ndctl wait-overwrite command to wait for NVDIMMs that are performing an overwrite. Upon successful completion of an overwrite, the WBINVD instruction is issued by the kernel. If both the --crypto-erase and --overwrite options are supplied, then crypto-erase is performed before overwrite.
The ndctl freeze-security command does not require a passphrase. It causes any security command other than a status query to be locked out until the next boot. This is used in scenarios where the administrator has taken all expected security actions for the current boot and wants the NVDIMMs to enforce/lock the current state until system reboot.
The ndctl load-keys command loads the master key (kek) and the encrypted passphrases for all NVDIMMs into the user keyring maintained by the kernel. The command is expected to be called during initialization and before the libnvdimm kernel module is loaded, typically from an initrd. This is typically set up using a modprobe config that calls the command before module load.

For unlocking, ndctl load-keys is executed before the libnvdimm module is loaded by modprobe, as described above. This command injects the kek and the encrypted passphrases into the kernel's user keyring; during the probe of the libnvdimm driver, the kernel uses them to unlock any locked DIMMs.
The passphrase-related sub-commands take a -m flag to differentiate between user and master passphrase operations. The master passphrase has no relation to the master key (kek), which is used for encryption of either passphrase. More information about the master key can be found in the kernel documentation at https://www.kernel.org/doc/html/latest/security/keys/trusted-encrypted.html.
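The following wrapper is an added example for the passphrase lifecycle, sanitize and freeze steps described above; it is not code from ndctl or its documentation. It checks a DIMM's security state (the "security" field that ndctl list -D prints: disabled, unlocked, locked, frozen or overwrite) before each step, so a step whose prerequisite is not met fails with a clear message instead of a bare ndctl error. Assumptions: the kek is registered under the key handle trusted:nvdimm-master (a name chosen here, passed with -k in the form the ndctl man pages use); the NDCTL_DRY_RUN and NDCTL_LIST_JSON variables are this script's own, letting it print commands instead of running them and read saved list output, so it can be exercised on a machine without NVDIMMs; the sample JSON at the top is constructed for that purpose.

```shell
#!/bin/sh
# Example wrapper around the ndctl security sub-commands (not ndctl's own code).
# NDCTL_DRY_RUN=1    : print each ndctl command instead of executing it.
# NDCTL_LIST_JSON=.. : use this saved `ndctl list -D` output instead of ndctl.

KEK="${KEK:-trusted:nvdimm-master}"   # kek key handle (assumed name)

# Constructed sample of `ndctl list -D` output (ids are made up):
# nmem0 has a passphrase and is unlocked, nmem1 is frozen, nmem2 lacks security.
SAMPLE_LIST_JSON='[
  {"dev":"nmem0","id":"8089-a2-1843-00000001","handle":1,"phys_id":16,"security":"unlocked"},
  {"dev":"nmem1","id":"8089-a2-1843-00000002","handle":17,"phys_id":17,"security":"frozen"},
  {"dev":"nmem2","id":"8089-a2-1843-00000003","handle":33,"phys_id":18}
]'

run() {
    if [ -n "$NDCTL_DRY_RUN" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# security_state DIMM < json: print the "security" value of DIMM from
# `ndctl list -D` output. Use -D without -H so each DIMM object stays flat.
security_state() {
    tr -d ' \n\t' |
    grep -o "{\"dev\":\"$1\"[^}]*}" |
    grep -o '"security":"[^"]*"' | head -n 1 | cut -d '"' -f 4
}

# require_state DIMM STATE...: succeed only if DIMM is in one of STATE....
# A DIMM without a "security" field (no security support) matches nothing.
require_state() {
    dimm="$1"; shift
    if [ -n "$NDCTL_LIST_JSON" ]; then
        cur=$(printf '%s' "$NDCTL_LIST_JSON" | security_state "$dimm")
    else
        cur=$(ndctl list -D -d "$dimm" | security_state "$dimm")
    fi
    for want in "$@"; do
        [ "$cur" = "$want" ] && return 0
    done
    echo "$dimm: security state is '${cur:-unsupported}', need one of: $*" >&2
    return 1
}

# Lifecycle steps. The state each one needs follows the text above: setup
# needs security not yet enabled; update/remove/erase need the passphrase in
# place and the DIMM unlocked; once frozen, only status queries work.
enable_passphrase() {
    require_state "$1" disabled && run ndctl setup-passphrase "$1" -k "$KEK"
}
update_passphrase() {
    require_state "$1" unlocked && run ndctl update-passphrase "$1" -k "$KEK"
}
remove_passphrase() {
    require_state "$1" unlocked && run ndctl remove-passphrase "$1"
}
# crypto-erase keeps the labels (namespaces survive, in raw mode) ...
crypto_erase() {
    require_state "$1" unlocked && run ndctl sanitize-dimm "$1" --crypto-erase
}
# ... overwrite also destroys the label area and runs in the background, so
# block with wait-overwrite until the DIMM has left the "overwrite" state.
overwrite_dimm() {
    require_state "$1" unlocked && run ndctl sanitize-dimm "$1" --overwrite &&
        run ndctl wait-overwrite "$1"
}
# Freeze needs no passphrase; it locks in whatever state the DIMM has now
# (passphrase enabled or not) until the next reboot.
freeze_security() {
    require_state "$1" disabled unlocked && run ndctl freeze-security "$1"
}

# Dispatch when run as a script: nvdimm-sec.sh <step> nmemN. With no
# arguments (e.g. when sourced) only the functions are defined.
case "${1:-}" in
    enable)       enable_passphrase "$2" ;;
    update)       update_passphrase "$2" ;;
    remove)       remove_passphrase "$2" ;;
    crypto-erase) crypto_erase "$2" ;;
    overwrite)    overwrite_dimm "$2" ;;
    freeze)       freeze_security "$2" ;;
    "") ;;
    *) echo "unknown step: $1" >&2; exit 2 ;;
esac
```

Running `NDCTL_DRY_RUN=1 NDCTL_LIST_JSON="$SAMPLE_LIST_JSON" sh nvdimm-sec.sh update nmem1` refuses because nmem1 is frozen, which is the behaviour the freeze-security description promises; against real hardware, drop both variables and the wrapper queries ndctl list itself. The state check is a convenience, not a security control: the DIMM enforces these states regardless of what the script does. Note also that the load-keys hook described above only fires if libnvdimm is a loadable module; with a kernel that builds it in, load-keys has to run earlier in the initrd and the DIMMs are unlocked on the driver's later probe.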