* Re: hdparm --security-unlock with password prompt
@ 2016-04-21 14:56 Philippe Kueck
  2016-04-21 15:20 ` W K
  2016-04-21 18:24 ` Andrei Borzenkov
  0 siblings, 2 replies; 7+ messages in thread
From: Philippe Kueck @ 2016-04-21 14:56 UTC (permalink / raw)
  To: grub-devel


Hi all,

here's a patch for unlocking the ATA password from the grub command line. As
mentioned in [1], it does not prompt for a password at boot but enables
the hdparm module to support the security unlock feature.
In case anyone asks, the patch is GPL.

Kind regards

Philippe

[1] https://www.unixadm.org/needful-things/ataunlock#using-grub2

[-- Attachment #2: 0999-ATA-Security-Unlock.patch --]

--- grub-2.02~beta2/grub-core/commands/hdparm.c.ataunlock
+++ grub-2.02~beta2/grub-core/commands/hdparm.c
@@ -34,6 +34,7 @@ static const struct grub_arg_option opti
 			      "(1=low, ..., 254=high, 255=off)."),
 			      0, ARG_TYPE_INT},
   {"power",           'C', 0, N_("Display power mode."), 0, ARG_TYPE_NONE},
+  {"security-unlock", -1, 0, N_("Unlock ATA security."), 0, ARG_TYPE_STRING},
   {"security-freeze", 'F', 0, N_("Freeze ATA security settings until reset."),
 			      0, ARG_TYPE_NONE},
   {"health",          'H', 0, N_("Display SMART health status."), 0, ARG_TYPE_NONE},
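Review bot: the new `security-unlock` entry leaves the argument-name field (the `0` in front of `ARG_TYPE_STRING`) empty, so `hdparm --help` will not show that the option takes a value, and its short-option slot is `-1` where the other entries without a short form use `0`. Suggest `{"security-unlock", 0, 0, N_("Unlock ATA security with the given user password."), N_("PASSWORD"), ARG_TYPE_STRING},` so the help output documents both the value and which password (user, not master) is meant.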
@@ -66,7 +67,7 @@ static int quiet = 0;
 static grub_err_t
 grub_hdparm_do_ata_cmd (grub_ata_t ata, grub_uint8_t cmd,
 			grub_uint8_t features, grub_uint8_t sectors,
-			void * buffer, int size)
+			void * buffer, int size, int write)
 {
   struct grub_disk_ata_pass_through_parms apt;
   grub_memset (&apt, 0, sizeof (apt));
@@ -78,6 +79,7 @@ grub_hdparm_do_ata_cmd (grub_ata_t ata,
 
   apt.buffer = buffer;
   apt.size = size;
+  apt.write = write;
 
   if (ata->dev->readwrite (ata, &apt, 0))
     return grub_errno;
@@ -136,7 +138,7 @@ grub_hdparm_simple_cmd (const char * msg
   if (! quiet && msg)
     grub_printf ("%s", msg);
 
-  grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0);
+  grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0, 0);
 
   if (! quiet && msg)
     grub_printf ("%s\n", ! err ? "" : ": not supported");
@@ -157,7 +159,7 @@ grub_hdparm_set_val_cmd (const char * ms
     }
 
   grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, features, sectors,
-					   NULL, 0);
+					   NULL, 0, 0);
 
   if (! quiet && msg)
     grub_printf ("%s\n", ! err ? "" : ": not supported");
@@ -274,6 +276,11 @@ static int get_int_arg (const struct gru
   return (state->set ? (int)grub_strtoul (state->arg, 0, 0) : -1);
 }
 
+static char get_string_arg (const struct grub_arg_list *state)
+{
+  return (state->set ? state->arg : "");
+}
+
 static grub_err_t
 grub_cmd_hdparm (grub_extcmd_context_t ctxt, int argc, char **args)
 {
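Review bot: `get_string_arg` is declared as returning `char` but returns `state->arg`, a `char *`, or the string literal `""`, so the pointer is truncated to a single byte and the caller's `char *passphrase` ends up holding a bogus address; any compiler will warn here. Make the return type `const char *`, mirroring how `get_int_arg` just above returns the type it actually produces, and declare the variable in `grub_cmd_hdparm` as `const char *passphrase` to match.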
@@ -298,6 +305,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c
   int i = 0;
   int apm          = get_int_arg (&state[i++]);
   int power        = state[i++].set;
+  char *passphrase = get_string_arg (&state[i++]);
   int sec_freeze   = state[i++].set;
   int health       = state[i++].set;
   int aam          = get_int_arg (&state[i++]);
@@ -368,6 +376,23 @@ grub_cmd_hdparm (grub_extcmd_context_t c
 	grub_printf ("%s\n", err ? ": not supported" : "");
     }
 
+  if (grub_strcmp(passphrase, "") == 0)
+    {
+      // security unlock data: 512 bytes
+      // word 0: 0x00 user password, 0x01 master password
+      // word 1-16: password (32 bytes)
+      // word 17-255: reserved
+      grub_uint16_t sudata[256];
+      grub_memset (&sudata, 0, sizeof(sudata));
+      grub_strncpy((char*)sudata+2, passphrase, 32);
+      if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_SECURITY_UNLOCK,
+		0, 1, sudata, sizeof(sudata), 1)) {
+        if (! quiet) grub_printf ("Unlock failed\n");
+      } else {
+        if (! quiet) grub_printf ("Unlock succeeded\n");
+      }
+    }
+
   if (sec_freeze)
     grub_hdparm_simple_cmd ("Freeze security settings", ata,
                             GRUB_ATA_CMD_SECURITY_FREEZE_LOCK);
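Review bot: the guard on the new block is inverted: `grub_strcmp (passphrase, "") == 0` is true only when no passphrase was supplied, so SECURITY UNLOCK is issued with an all-zero password block and never with the one the user typed; it should read `if (*passphrase)` (or `!= 0`). Two smaller points in the same block: `grub_strncpy (..., 32)` silently drops anything beyond 32 bytes, which sends the drive a password different from the one the user thinks they set, so reject over-length input with `grub_error` instead of truncating; and `sudata` keeps the password in clear on the stack after `grub_hdparm_do_ata_cmd` returns, so `grub_memset (sudata, 0, sizeof (sudata))` once the command is back. GRUB code also uses `/* */` comments rather than `//`.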
@@ -377,7 +402,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c
     {
       grub_uint16_t buf[GRUB_DISK_SECTOR_SIZE / 2];
       if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_IDENTIFY_DEVICE,
-          0, 0, buf, sizeof (buf)))
+          0, 0, buf, sizeof (buf), 0))
 	grub_printf ("Cannot read ATA IDENTIFY data\n");
       else
 	{
--- grub-2.02~beta2/include/grub/ata.h.ataunlock
+++ grub-2.02~beta2/include/grub/ata.h
@@ -86,6 +86,7 @@ enum grub_ata_commands
     GRUB_ATA_CMD_READ_SECTORS_DMA	= 0xc8,
     GRUB_ATA_CMD_READ_SECTORS_DMA_EXT	= 0x25,
 
+    GRUB_ATA_CMD_SECURITY_UNLOCK	= 0xf2,
     GRUB_ATA_CMD_SECURITY_FREEZE_LOCK	= 0xf5,
     GRUB_ATA_CMD_SET_FEATURES		= 0xef,
     GRUB_ATA_CMD_SLEEP			= 0xe6,


* Re: hdparm --security-unlock with password prompt
  2016-04-21 14:56 hdparm --security-unlock with password prompt Philippe Kueck
@ 2016-04-21 15:20 ` W K
  2016-04-21 18:24 ` Andrei Borzenkov
  1 sibling, 0 replies; 7+ messages in thread
From: W K @ 2016-04-21 15:20 UTC (permalink / raw)
  To: The development of GNU GRUB


On Thu, Apr 21, 2016 at 4:56 PM, Philippe Kueck <
a4obmfyynyjaahcwbylaulqddmkhi@quarantine.de> wrote:

> here's a patch for unlocking the ATA password from grub command line.

Thanks a lot for replying, Philippe.


> As mentioned in [1] it does not prompt for a password at boot but enables
> the hdparm module to support the security unlock feature.
>

Ah, right. Well, it's a start.

I'm not really a C developer, so I can't supply a patch for the password
prompt, but if we have anyone willing to take the time to add that
functionality, that would be fantastic.

Philippe - any chance you'd take that up? ;]


> In case anyone asks, the patch is GPL.
>

I guess that works, right?

WK


* Re: hdparm --security-unlock with password prompt
  2016-04-21 14:56 hdparm --security-unlock with password prompt Philippe Kueck
  2016-04-21 15:20 ` W K
@ 2016-04-21 18:24 ` Andrei Borzenkov
  2016-04-21 20:00   ` Philippe Kueck
  1 sibling, 1 reply; 7+ messages in thread
From: Andrei Borzenkov @ 2016-04-21 18:24 UTC (permalink / raw)
  To: grub-devel

On 21.04.2016 17:56, Philippe Kueck wrote:
> Hi all,
> 
> here's a patch for unlocking the ATA password from grub command line. As
> mentioned in [1] it does not prompt for a password at boot but enables
> the hdparm module to support the security unlock feature.
> In case anyone asks, the patch is GPL.
> 
> Kind regards
> 
> Philippe
> 
> [1] https://www.unixadm.org/needful-things/ataunlock#using-grub2
> 

Unfortunately I do not think we can have optional value, so your example
on this page likely won't work. I.e. how can we distinguish between
missing option value and missing argument? This will need to be two
options - --security-unlock and --security-passphrase (pick your name).

I was under the impression that we must supply a password to unlock the disk.
Could you explain how an empty passphrase works?

> 
> 0999-ATA-Security-Unlock.patch
> 
> 
> --- grub-2.02~beta2/grub-core/commands/hdparm.c.ataunlock
> +++ grub-2.02~beta2/grub-core/commands/hdparm.c
> @@ -34,6 +34,7 @@ static const struct grub_arg_option opti
>  			      "(1=low, ..., 254=high, 255=off)."),
>  			      0, ARG_TYPE_INT},
>    {"power",           'C', 0, N_("Display power mode."), 0, ARG_TYPE_NONE},
> +  {"security-unlock", -1, 0, N_("Unlock ATA security."), 0, ARG_TYPE_STRING},
>    {"security-freeze", 'F', 0, N_("Freeze ATA security settings until reset."),
>  			      0, ARG_TYPE_NONE},
>    {"health",          'H', 0, N_("Display SMART health status."), 0, ARG_TYPE_NONE},
> @@ -66,7 +67,7 @@ static int quiet = 0;
>  static grub_err_t
>  grub_hdparm_do_ata_cmd (grub_ata_t ata, grub_uint8_t cmd,
>  			grub_uint8_t features, grub_uint8_t sectors,
> -			void * buffer, int size)
> +			void * buffer, int size, int write)
>  {
>    struct grub_disk_ata_pass_through_parms apt;
>    grub_memset (&apt, 0, sizeof (apt));
> @@ -78,6 +79,7 @@ grub_hdparm_do_ata_cmd (grub_ata_t ata,
>  
>    apt.buffer = buffer;
>    apt.size = size;
> +  apt.write = write;
>  
>    if (ata->dev->readwrite (ata, &apt, 0))
>      return grub_errno;
> @@ -136,7 +138,7 @@ grub_hdparm_simple_cmd (const char * msg
>    if (! quiet && msg)
>      grub_printf ("%s", msg);
>  
> -  grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0);
> +  grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0, 0);
>  
>    if (! quiet && msg)
>      grub_printf ("%s\n", ! err ? "" : ": not supported");
> @@ -157,7 +159,7 @@ grub_hdparm_set_val_cmd (const char * ms
>      }
>  
>    grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, features, sectors,
> -					   NULL, 0);
> +					   NULL, 0, 0);
>  
>    if (! quiet && msg)
>      grub_printf ("%s\n", ! err ? "" : ": not supported");
> @@ -274,6 +276,11 @@ static int get_int_arg (const struct gru
>    return (state->set ? (int)grub_strtoul (state->arg, 0, 0) : -1);
>  }
>  
> +static char get_string_arg (const struct grub_arg_list *state)
> +{
> +  return (state->set ? state->arg : "");
> +}
> +
>  static grub_err_t
>  grub_cmd_hdparm (grub_extcmd_context_t ctxt, int argc, char **args)
>  {
> @@ -298,6 +305,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c
>    int i = 0;
>    int apm          = get_int_arg (&state[i++]);
>    int power        = state[i++].set;
> +  char *passphrase = get_string_arg (&state[i++]);
>    int sec_freeze   = state[i++].set;
>    int health       = state[i++].set;
>    int aam          = get_int_arg (&state[i++]);
> @@ -368,6 +376,23 @@ grub_cmd_hdparm (grub_extcmd_context_t c
>  	grub_printf ("%s\n", err ? ": not supported" : "");
>      }
>  
> +  if (grub_strcmp(passphrase, "") == 0)

That's rather elaborate way to check for empty string.

> +    {
> +      // security unlock data: 512 bytes
> +      // word 0: 0x00 user password, 0x01 master password
> +      // word 1-16: password (32 bytes)
> +      // word 17-255: reserved
> +      grub_uint16_t sudata[256];
> +      grub_memset (&sudata, 0, sizeof(sudata));
> +      grub_strncpy((char*)sudata+2, passphrase, 32);

But we just checked that passphrase is empty. What do you copy here?

> +      if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_SECURITY_UNLOCK,
> +		0, 1, sudata, sizeof(sudata), 1)) {
> +        if (! quiet) grub_printf ("Unlock failed\n");
> +      } else {
> +        if (! quiet) grub_printf ("Unlock succeeded\n");
> +      }
> +    }
> +
>    if (sec_freeze)
>      grub_hdparm_simple_cmd ("Freeze security settings", ata,
>                              GRUB_ATA_CMD_SECURITY_FREEZE_LOCK);
> @@ -377,7 +402,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c
>      {
>        grub_uint16_t buf[GRUB_DISK_SECTOR_SIZE / 2];
>        if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_IDENTIFY_DEVICE,
> -          0, 0, buf, sizeof (buf)))
> +          0, 0, buf, sizeof (buf), 0))
>  	grub_printf ("Cannot read ATA IDENTIFY data\n");
>        else
>  	{
> --- grub-2.02~beta2/include/grub/ata.h.ataunlock
> +++ grub-2.02~beta2/include/grub/ata.h
> @@ -86,6 +86,7 @@ enum grub_ata_commands
>      GRUB_ATA_CMD_READ_SECTORS_DMA	= 0xc8,
>      GRUB_ATA_CMD_READ_SECTORS_DMA_EXT	= 0x25,
>  
> +    GRUB_ATA_CMD_SECURITY_UNLOCK	= 0xf2,
>      GRUB_ATA_CMD_SECURITY_FREEZE_LOCK	= 0xf5,
>      GRUB_ATA_CMD_SET_FEATURES		= 0xef,
>      GRUB_ATA_CMD_SLEEP			= 0xe6,
> 
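A standalone C version of the unlock-block construction that the review comments above are about, added here as an illustration and not code from the posted patch or from GRUB: it builds the 512-byte SECURITY UNLOCK data block with the layout given in the patch's comments, refuses an empty or over-length passphrase instead of inverting the check, and scrubs the block afterwards. The function names, the status codes and the 32-byte limit check are this example's own choices.

```c
#include <stdint.h>
#include <string.h>

/* Layout from the patch's comments: 512-byte block = 256 words.
 * word 0 bit 0: 0 = user password, 1 = master password
 * words 1-16:   password, 32 bytes, zero-padded
 * words 17-255: reserved, must be zero */
#define SEC_BLOCK_WORDS   256
#define SEC_PASSWORD_MAX  32

enum sec_build_status { SEC_OK = 0, SEC_EMPTY = -1, SEC_TOO_LONG = -2 };

/* Fill `block` for a SECURITY UNLOCK of the given kind. Unlike the patch,
 * an empty passphrase is refused (the patch's strcmp check was inverted)
 * and anything longer than 32 bytes is an error rather than silently cut,
 * since a truncated password can never match what the drive has stored. */
int build_security_unlock_block(uint16_t block[SEC_BLOCK_WORDS],
                                const char *passphrase, int use_master)
{
    uint8_t *bytes = (uint8_t *)block;
    size_t len;

    memset(block, 0, SEC_BLOCK_WORDS * sizeof(uint16_t));
    if (passphrase == NULL || passphrase[0] == '\0')
        return SEC_EMPTY;
    len = strlen(passphrase);
    if (len > SEC_PASSWORD_MAX)
        return SEC_TOO_LONG;

    /* ATA words are little-endian on the wire, so bit 0 of word 0 is byte 0. */
    bytes[0] = use_master ? 1 : 0;
    memcpy(bytes + 2, passphrase, len);   /* words 1-16; the rest stays zero */
    return SEC_OK;
}

/* Overwrite the block once the command has been issued so the password
 * does not linger on the stack; volatile keeps the compiler from
 * discarding the stores as dead writes. */
void wipe_security_block(volatile uint16_t *block)
{
    size_t i;
    for (i = 0; i < SEC_BLOCK_WORDS; i++)
        block[i] = 0;
}
```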

* Re: hdparm --security-unlock with password prompt
  2016-04-21 18:24 ` Andrei Borzenkov
@ 2016-04-21 20:00   ` Philippe Kueck
  0 siblings, 0 replies; 7+ messages in thread
From: Philippe Kueck @ 2016-04-21 20:00 UTC (permalink / raw)
  To: grub-devel

Hi,

On 21.04.2016 20:24, Andrei Borzenkov wrote:
> Unfortunately I do not think we can have optional value, so your example
> on this page likely won't work. I.e. how can we distinguish between
> missing option value and missing argument? This will need to be two
> options - --security-unlock and --security-passphrase (pick your name).

On my page's first example the user password was missing by mistake. The
user password (or passphrase) is not optional but required, so the
syntax is, depending on ahci or ide mode:

  hdparm --security-unlock USERPASSWORD (hd0)

or

  hdparm --security-unlock USERPASSWORD (ahci0)

Sorry for the confusion.

Kind regards

Philippe



* Re: hdparm --security-unlock with password prompt
  2016-04-21 13:48 W K
@ 2016-04-21 13:55 ` Andrei Borzenkov
  0 siblings, 0 replies; 7+ messages in thread
From: Andrei Borzenkov @ 2016-04-21 13:55 UTC (permalink / raw)
  To: The development of GNU GRUB

On Thu, Apr 21, 2016 at 4:48 PM, W K <wmknapik@gmail.com> wrote:
> Hi
>
> I'd like grub to prompt me for a password and unlock my hw encrypted drive.
>
> I found a few threads about it dating back a few years, even a few patches,
> but I see the functionality is not there in the most recent grub version
> from git. It seems the patch is pretty simple (e.g.
> https://www.unixadm.org/software/grub2/0999-ATA-Security-Unlock.patch).
>
> Is there a reason this was not merged? Can I expect the functionality to be
> added in the future?
>

Author of this patch will need to submit it here.



* hdparm --security-unlock with password prompt
@ 2016-04-21 13:48 W K
  2016-04-21 13:55 ` Andrei Borzenkov
  0 siblings, 1 reply; 7+ messages in thread
From: W K @ 2016-04-21 13:48 UTC (permalink / raw)
  To: grub-devel


Hi

I'd like grub to prompt me for a password and unlock my hw encrypted drive.

I found a few threads about it dating back a few years, even a few patches,
but I see the functionality is not there in the most recent grub version
from git. It seems the patch is pretty simple (e.g.
https://www.unixadm.org/software/grub2/0999-ATA-Security-Unlock.patch).

Is there a reason this was not merged? Can I expect the functionality to
be added in the future?

Thanks,
WK


* hdparm --security-unlock with password prompt
@ 2016-04-21 13:37 W K
  0 siblings, 0 replies; 7+ messages in thread
From: W K @ 2016-04-21 13:37 UTC (permalink / raw)
  To: grub-devel


Hi

I'd like grub to prompt me for a password and unlock my hw encrypted drive.

I found a few threads about it dating back a few years, even a few patches,
but I see the functionality is not there in the most recent grub version
from git. It seems the patch is pretty simple (e.g.
https://www.unixadm.org/software/grub2/0999-ATA-Security-Unlock.patch).

Is there a reason this was not merged? Can I expect the functionality to
be added in the future?

Thanks,
WK

PS. I'm not subscribing to the list, but will read the replies through the
archives.

