pmem / ndctl

A "device memory" enabling project encompassing tools and libraries for CXL, NVDIMMs, DAX, memory tiering and other platform memory device topics.


problem with unconditional "load-keys" in modprobe udev rule

jchu314atgithub opened this issue

With the /etc/modprobe.d/nvdimm-security.conf udev rule, "ndctl load-keys" is invoked regardless of whether the sys-admin has created the nvdimm-master key or not. When there is no intention to exercise nvdimm secure lock and the master key isn't created, the udev rule generates failure messages upon reboot or reload of libnvdimm.

Although the failure messages are benign and can be safely ignored in this case, database customers who may not be savvy with kernel features could be alarmed and follow up with customer calls. And we'd like to avoid the unnecessary customer calls.

Is there a way for the udev rule to conditionally run "ndctl load-keys" IFF the master key was ever created? Is it sufficient to make the decision based on whether the /etc/ndctl/keys/nvdimm-master.blob file exists? What about the TPM case?

Thanks!

Hmm, anyone? Does it make sense to update the udev rule such that "load-keys" is run only if a master exists somewhere?
Thanks!