Re: Boot Loader Spec

On Fri, Mar 01, 2013 at 04:38:39PM -0700, Chris Murphy wrote:
> Where does TCG OPAL support fit into this? I'm getting a strong sense of
> an almost complete lack of trust by OSS and TCG. But setting aside TPM,
> isn't it possible to support OPAL compliant SED drives? There are now
> consumer drives, and in particular SSDs, that implement this. It seems
> like a waste for the drive to always do encryption, and simply have no
> access for managing it, including lock/unlock.

The big hindrance to using TCG Silos is suspend+resume - across a power
reset the drive shuts down and needs to be re-authenticated with before
we can see it again, which means some code has to be run from somewhere
to get the PIN from the user to unlock it, but at the same time we have
to not touch the disk to e.g. page anything in or load any new code. So
you'd need to have a handler for that (that looks reasonable!) pinned in
memory before suspending.  That's kind of awful.

Until there's a good solution for that*, it's primarily useful for
optional data drives, not a system disk.

* I know of one solution for it.  It is as far from good as possible.
-- 
        Peter
