On Sun, 2019-05-05 at 10:43 -0400, Scott Bauer wrote: > On Fri, May 03, 2019 at 10:32:19PM +0200, David Kozub wrote: > > On Wed, 1 May 2019, Christoph Hellwig wrote: > > > > > > I successfully tested toggling the MBR done flag and writing > > > > the shadow MBR > > > > using some tools I hacked together[4] with a Samsung SSD 850 > > > > EVO drive. > > > > > > Can you submit the tool to util-linux so that we get it into > > > distros? > > > > There is already Scott's sed-opal-temp[1] and a fork by Jonas that > > adds > > support for older version of these new IOCTLs[2]. There was already > > some > > discussion of getting that to util-linux.[3] > > > > While I like my hack, sed-opal-temp can do much more (my tool > > supports just > > the few things I actually use). But there are two things which sed- > > opal-temp > > currently lacks which my hack has: > > > > * It can use a PBKDF2 hash (salted by disk serial number) of the > > password > > rather than the password directly. This makes it compatible with > > sedutil > > and I think it's also better practice (as firmware can contain > > many > > surprises). > > > > * It contains a 'PBA' (pre-boot authorization) tool. A tool > > intended to be > > run from shadow mbr that asks for a password and uses it to > > unlock all > > disks and set shadow mbr done flag, so after restart the computer > > boots > > into the real OS. > > > > @Scott: What are your plans with sed-opal-temp? If you want I can > > update > > Jonas' patches to the adapted IOCTLs. What are your thoughts on PW > > hashing > > and a PBA tool? > > I will accept any and all patches to sed opal tooling, I am not > picky. I will > also give up maintainership of it is someone else feels they can > (rightfully > so) do a better job. > > Jon sent me a patch for the tool that will deal with writing to the > shadow MBR, > so once we know these patches are going in i'll pull that patch into > the tool. > > Then I guess that leaves PBKDF2 which I don't think will be too hard > to pull in. > > With regard to your PBA tool, is that actually being run post- > uefi/pre-linux? > IE are we writing your tool into the SMBR and that's what is being > run on bootup? > > Jon, if you think it's a good idea can you ask David if Revanth or > you wants > to take over the tooling? Or if anyone else here wants to own it then > let me know. > I'll get back to you on this. Let me know if it begins to pick up a lot of steam and I can prioritize this.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
