Re: libsed in mdadm

On Wed, 23 Aug 2023 09:29:57 +0200
Mariusz Tkaczyk <mariusz.tkaczyk@xxxxxxxxxxxxxxx> wrote:

> On Wed, 23 Aug 2023 08:00:51 +0200
> Hannes Reinecke <hare@xxxxxxx> wrote:
> 
> > On 8/22/23 22:54, Jes Sorensen wrote:  
> > > On 8/21/23 10:16, Mariusz Tkaczyk wrote:    
> > >> Hello,
> > >> IMSM/VROC is going to support self-encrypted drives. With this feature
> > >> you need to unlock the drives during boot-up in UEFI first. It is a kind of
> > >> protection from physical stealing.
> > >>
> > >> To ensure security, Linux has to respect that. It means that we need to
> > >> determine if the drive supports locking and not allow mixing locked and
> > >> unlocked drives in one IMSM array.
> > >>
> > >> To grab that information we will need to impose the "magic commands" to
> > >> the drives. There is a libsed library, designed for such purposes:
> > >> https://github.com/sedcli/sedcli
> > >>
> > >> As far as I know, this library is not released in distributions (not
> > >> handled by package managers) and that will bring a not user-friendly
> > >> dependency: you will need to compile and install the lib first to build
> > >> mdadm.
> > >>
> > >> The sedcli project is maintained in Intel, currently it is not in active
> > >> development but there are no plans to drop it, interest around it is
> > >> growing as you can see. It seems to be great opportunity for this project
> > >> to become integrated with mainstream distributions when mdadm will start
> > >> to require it.
> > >>
> > >> So, my questions are: Are we fine with adding this dependency? Are there
> > >> big cons you see?
> > >> Obviously, I will make it optional like libudev is.
> > >>
> > >> I can try to re-implement the functionality I need in mdadm but it is
> > >> like reinventing the wheel.
> > >>
> > >> Any feedback will be appreciated.    
> > > 
> > > Hi Mariusz,
> > > 
> > > I am not against adding it to mdadm, though I think a better approach is
> > > to try and get the library built as a package for the distros.
> > > 
> > > Did you look into that yet?
> > >     
> > We (as in 'We as an OS distributor') actually evaluated packaging libsed 
> > some time ago, but decided against it as the original authors (namely 
> > Intel) apparently disbanded it. So before adding it to a distro there 
> > needs to be an active maintainer, and one would be looking to Intel here.
> >   
> 
> Thanks Hannes for the feedback. I totally agree with you. I will raise it
> internally.
> 
Hello,
The maintenance of sedcli has been given to SK Hynix. Intel is no longer
an owner. Hannes, you can reconsider the decision of packaging libsed
depending on how active the new maintainer will be.
Thanks to Paul for making this happen.

We will watch the upstream activity too to determine if it is reasonable to
consider making it an mdadm dependency in the future.

Thanks,
Mariusz
