From: "Derrick, Jonathan" <jonathan.derrick@intel.com>
To: "zub@linux.fjfi.cvut.cz" <zub@linux.fjfi.cvut.cz>,
	"sbauer@plzdonthack.me" <sbauer@plzdonthack.me>
Cc: "hch@infradead.org" <hch@infradead.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	"jonas.rabenstein@studium.uni-erlangen.de" 
	<jonas.rabenstein@studium.uni-erlangen.de>,
	"axboe@kernel.dk" <axboe@kernel.dk>
Subject: Re: [PATCH 0/3] block: sed-opal: add support for shadow MBR done flag and write
Date: Thu, 9 May 2019 19:31:12 +0000
Message-ID: <8342e25cc9d6e84c620d54c6cbe0f7244ebb7de1.camel@intel.com>
In-Reply-To: <20190505144330.GB1030@hacktheplanet>


On Sun, 2019-05-05 at 10:43 -0400, Scott Bauer wrote:
> On Fri, May 03, 2019 at 10:32:19PM +0200, David Kozub wrote:
> > On Wed, 1 May 2019, Christoph Hellwig wrote:
> > 
> > > > I successfully tested toggling the MBR done flag and writing the
> > > > shadow MBR using some tools I hacked together[4] with a Samsung
> > > > SSD 850 EVO drive.
> > > 
> > > Can you submit the tool to util-linux so that we get it into
> > > distros?
> > 
> > There is already Scott's sed-opal-temp[1] and a fork by Jonas that
> > adds support for an older version of these new IOCTLs[2]. There was
> > already some discussion of getting that to util-linux.[3]
> > 
> > While I like my hack, sed-opal-temp can do much more (my tool
> > supports just the few things I actually use). But there are two
> > things which sed-opal-temp currently lacks which my hack has:
> > 
> > * It can use a PBKDF2 hash (salted by disk serial number) of the
> >   password rather than the password directly. This makes it
> >   compatible with sedutil and I think it's also better practice (as
> >   firmware can contain many surprises).
> > 
> > * It contains a 'PBA' (pre-boot authorization) tool. A tool intended
> >   to be run from shadow mbr that asks for a password and uses it to
> >   unlock all disks and set shadow mbr done flag, so after restart
> >   the computer boots into the real OS.
> > 
> > @Scott: What are your plans with sed-opal-temp? If you want I can
> > update Jonas' patches to the adapted IOCTLs. What are your thoughts
> > on PW hashing and a PBA tool?
> 
> I will accept any and all patches to sed opal tooling, I am not picky.
> I will also give up maintainership of it if someone else feels they
> can (rightfully so) do a better job.
> 
> Jon sent me a patch for the tool that will deal with writing to the
> shadow MBR, so once we know these patches are going in I'll pull that
> patch into the tool.
> 
> Then I guess that leaves PBKDF2 which I don't think will be too hard
> to pull in.
> 
> With regard to your PBA tool, is that actually being run
> post-uefi/pre-linux? IE are we writing your tool into the SMBR and
> that's what is being run on bootup?
> 
> Jon, if you think it's a good idea can you ask David if Revanth or you
> wants to take over the tooling? Or if anyone else here wants to own it
> then let me know.
> 

I'll get back to you on this. Let me know if it begins to pick up a lot
of steam and I can prioritize this.
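
The password hashing scheme from David's quoted message (PBKDF2 over the password, salted with the disk serial number, so the drive receives a derived credential and never the raw password), as an added example that is not part of this thread or of any tool mentioned in it. The PRF, iteration count and output length are assumptions, and the serial values are constructed.

```python
import hashlib
import hmac

# Assumptions, not taken from the thread: PBKDF2-HMAC-SHA1 with 75000
# iterations and a 32-byte output. Check them against the tool you need to
# interoperate with before relying on the result.
PRF = "sha1"
ITERATIONS = 75000
KEY_LEN = 32


def derive_credential(password: str, serial_field: bytes) -> bytes:
    """Derive the credential sent to the drive in place of the password.

    serial_field is the serial number exactly as the tool read it from the
    drive; it is used byte for byte as the PBKDF2 salt.
    """
    if not password:
        raise ValueError("empty password")
    if not serial_field:
        raise ValueError("empty serial number, refusing to derive unsalted")
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), serial_field,
                               ITERATIONS, KEY_LEN)


def matches(candidate: bytes, expected: bytes) -> bool:
    """Constant-time comparison of two derived credentials."""
    return hmac.compare_digest(candidate, expected)


# Constructed sample values, not real drive serials.
PADDED_A = b"SAMPLE0000000001    "   # 20-byte field, space padded
TRIMMED_A = PADDED_A.strip()         # same serial with the padding removed
PADDED_B = b"SAMPLE0000000002    "

if __name__ == "__main__":
    pw = "correct horse battery staple"
    set_with = derive_credential(pw, PADDED_A)
    print("drive A credential:", set_with.hex())
    # The same password on another drive gives an unrelated credential.
    print("reused on drive B: ", matches(derive_credential(pw, PADDED_B), set_with))
    # A tool that trims the serial derives a different credential and cannot
    # unlock a drive whose credential was set using the padded form.
    print("trimmed serial:    ", matches(derive_credential(pw, TRIMMED_A), set_with))
```

Two tools are only interchangeable on the same drive if they agree on every input here, including whether the serial is padded or trimmed before it is used as the salt.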
