Closed vlado2222 closed 1 year ago
@vlado2222 thank you very much for that feature request. @miczyg1 would you mind elaborating on that? Am I correct that this is not a huge effort?
@vlado2222 are you in possession of the above disks? Would you mind supporting the testing effort if some rc version appears?
@pietrushnic I have only two self-encrypting drives: SanDisk X400 and Seagate ST8000NM0115. The Seagate holds data, so I can't use it for experiments. The biggest problem is that I don't own an MSI PRO Z690-A mobo and I don't plan on upgrading my PC in the near future. It shouldn't be a problem for you to find a TCG OPAL compatible drive. Most SSDs in business-class laptops do support it. Otherwise, you can buy a used Crucial MX100/MX300/MX500 or Samsung 840/850 EVO for less than 25 USD, and a used SED HDD can be obtained for a similarly low price.
Thank you very much for your efforts! Next time I'll be upgrading my PC I'll definitely look into Dasharo compatible motherboards.
@vlado2222 ok. Thank you for your support and for contributing this feature request.
We have some integration of TCG OPAL menu for the firmware, but it has not been tested due to a lack of OPAL SED disks. Not a huge effort to add it to firmware. Question still is if it works out-of-the-box.
@miczyg1
lack of OPAL SED disks
We have a bunch of Samsung PRO and EVO disks at the office, they definitely support TCG OPAL
@mkopec feel free to test: https://github.com/Dasharo/edk2/blob/dasharo/UefiPayloadPkg/UefiPayloadPkg.dsc#L93
OpalPasswordDxe does not build at the moment:
/openssl/crypto/pkcs12/p12_crt.c
/opt/xgcc/lib/gcc/x86_64-elf/8.3.0/../../../../x86_64-elf/bin/ld: /tmp/ccjnwuCn.ltrans0.ltrans.o: in function `DriverCallback':
/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c:277: undefined reference to `Tcg2PhysicalPresenceLibGetManagementFlags'
/opt/xgcc/lib/gcc/x86_64-elf/8.3.0/../../../../x86_64-elf/bin/ld: /tmp/ccjnwuCn.ltrans1.ltrans.o: in function `OpalEndOfDxeEventNotify':
/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c:442: undefined reference to `Tcg2PhysicalPresenceLibGetManagementFlags'
collect2: error: ld returned 1 exit status
make[2]: *** [GNUmakefile:413: /home/coreboot/coreboot/payloads/external/tianocore/Dasharo/Build/UefiPayloadPkgX64/RELEASE_COREBOOT/X64/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe/DEBUG/OpalPasswordDxe.dll] Error 1
make[2]: Leaving directory '/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/Build/UefiPayloadPkgX64/RELEASE_COREBOOT/X64/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe'
build.py...
: error 7000: Failed to execute command
make tbuild [/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/Build/UefiPayloadPkgX64/RELEASE_COREBOOT/X64/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe]
build.py...
: error F002: Failed to build module
/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf [X64, COREBOOT, RELEASE]
- Failed -
Build end time: 11:39:54, Jul.12 2022
Build total time: 00:01:20
Ahh yes, the PPI changes could break it. It looks like the QEMU PPI lib we use is missing the function outlined in the trace. Probably all you have to do is to copy it from SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c to OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.c
There was research that UEFI implemented 'Sanitize' was in some cases badly implemented by vendors. Buggy. As in the GUI made you believe the drive was sanitized but when checking the drive there was still data on it. Be mindful when adding this. It might be feature creep and not worth the trouble if it doesn't work properly.
For example, here is an article about discovered vulnerabilities in SEDs. In response, Samsung and Crucial issued FW updates to fix the reported vulnerabilities. Security is a constant cat-and-mouse game... a never-ending race. Even software-based encryption can be broken. However, software encryption is inherently easier to fix.
If Dasharo successfully implements SED support, they could use it to their advantage and market their motherboards as the only* home consumer grade motherboards with SED support.
Implemented in https://github.com/Dasharo/edk2/pull/27
Note that this implementation does not unlock the disk on resume from sleep, only on power-on, as it is run by the UEFI Payload which is not executed on resume.
It's now possible to enable OPAL in the setup menu. This is what the OPAL menu looks like - NVMe and SATA disks are detected:
You can select a disk and enable OPAL on it:
After a reboot, you'll be prompted to set an admin password:
And now, more options are available:
Set a user password, and this is what the password entry will look like on each boot:
@vlado2222 any chance you could test firmware if we would send you rc binary?
The biggest problem is that I don't own MSI PRO Z690-A mobo and I don't plan upgrading my PC in near future.
I guess we would rely on our own tests and we will close this issue based on that.
I have just tried this on NovaCustom NV41MB device.
The OPAL menu @mkopec has shown is available in the Setup Menu under: Device Manager -> TCG Drive Management.
My (non-pro) Samsung disk was also detected as supporting the feature:
Now I need to use a password to unlock the disk even before I can enter the BIOS Setup Menu. Is this expected?
After suspend, it fails to unlock, I assume, as I can see the following (which was expected at this point):
Now I need to use a password to unlock the disk even before I can enter the BIOS Setup Menu. Is this expected?
Yes, that is expected with the current implementation
After suspend, it fails to unlock, I assume, as I can see the following (which was expected at this point):
That would be expected if the disk was powered off completely while in suspend (d3cold). In the future it's possible to explore disabling d3cold for the disk, since that shouldn't prevent the laptop from going to sleep, and would keep the disk unlocked in standby.
Maybe you could test setting /sys/bus/pci/devices/0000:[disk PCIe B:D.F, e.g. 0000:03:00.0]/d3cold_allowed to 0 and check:
So I ran:
cat /sys/bus/pci/devices/0000\:01\:00.0/d3cold_allowed
1
sudo sh -c "echo 0 > /sys/bus/pci/devices/0000\:01\:00.0/d3cold_allowed"
cat /sys/bus/pci/devices/0000\:01\:00.0/d3cold_allowed
0
if the laptop still goes to sleep
It looks like it does
if the disk works after suspend
it works after suspend
Nice. So it should be a pretty simple fix in firmware, I believe
But it would consume a bit more energy this way?
So the SSD itself would consume around 5mW in d3hot according to the spec sheet, so basically negligible. The PCIe link would also stay in a shallower standby state so it may consume a bit more power.
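A small helper script, added here as an example and not code from the Dasharo project or this thread, that automates the d3cold_allowed check run above: it resolves the PCI address behind a block device name (the thread's 0000:01:00.0 case) and clears d3cold_allowed for it so an OPAL-unlocked disk is not powered off during suspend. SYSFS and the keep_disk_d3hot/pci_bdf_for_block names are assumptions of this example, and SYSFS is overridable so the logic can be exercised against a constructed sysfs tree.

```shell
#!/bin/sh
# Added example, not code from the Dasharo issue or project.
# Keeps an OPAL-unlocked disk out of D3cold so it stays unlocked across
# suspend-to-RAM, by clearing d3cold_allowed on its PCI device.
# Assumes a Linux sysfs layout; SYSFS is overridable for testing.

SYSFS="${SYSFS:-/sys}"

# Resolve the PCI B:D.F for a block device (e.g. nvme0n1 or sda) by walking
# up from /sys/block/<dev>/device to the first PCI-address directory.
# For an NVMe SSD this is the SSD itself; for SATA it is the AHCI controller.
pci_bdf_for_block() {
    p=$(readlink -f "$SYSFS/block/$1/device") || return 1
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        name=$(basename "$p")
        case "$name" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7])
                echo "$name"
                return 0 ;;
        esac
        p=$(dirname "$p")
    done
    return 1
}

d3cold_get() { cat "$SYSFS/bus/pci/devices/$1/d3cold_allowed"; }
d3cold_set() { echo "$2" > "$SYSFS/bus/pci/devices/$1/d3cold_allowed"; }

# Clear d3cold_allowed for the PCI device behind a block device and report
# the before/after value. The setting does not survive a reboot; a udev rule
# or boot script is needed to make it persistent.
keep_disk_d3hot() {
    bdf=$(pci_bdf_for_block "$1") || { echo "no PCI device for $1" >&2; return 1; }
    before=$(d3cold_get "$bdf")
    d3cold_set "$bdf" 0
    after=$(d3cold_get "$bdf")
    echo "$bdf d3cold_allowed: $before -> $after"
}

# Usage (as root): ./keep_disk_d3hot.sh nvme0n1
if [ -n "${1:-}" ]; then
    keep_disk_d3hot "$1"
fi
```

After running it, suspend and resume once and confirm the disk is still readable, as in the check above.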
@vlado2222 I understand that your idea to "Implement support for Self-Encrypting Drives (SEDs) with TCG OPAL/TCG Enterprise" is done in this PR called "Opal fixes" so in my opinion this task is ready to move to CLOSED status.
@mkopec I propose to put idea "to explore disabling d3cold for the disk, since that shouldn't prevent the laptop from going to sleep, and would keep the disk unlocked in standby." described here to the backlog.
Yes, this one can be closed already.
The problem you're addressing (if any)
Implement support for Self-Encrypting Drives (SEDs) with TCG OPAL/TCG Enterprise.
Describe the solution you'd like
Menu in BIOS where you can enable/disable encryption, perform disk sanitisation, set drive groups that share the same password, etc. Then during boot-up you have to enter password to unlock a group of drives.
Where is the value to a user, and who might that user be?
There are many SSDs/HDDs which support hardware level encryption and currently I'm not aware of any "home consumer grade" motherboard which supports this.
Describe alternatives you've considered
Alternative is to use software based encryption which might provide better security at the expense of performance because it consumes CPU cycles.
Additional context
examples of SSDs with TCG OPAL:
- Crucial MX100/MX200/MX300/MX500
- Crucial P5 Plus NVMe
- Samsung 950 PRO; 960 PRO/EVO; 970 PRO/EVO; 980 PRO
- Samsung 840/850/860/870 EVO
- SanDisk X400 (only drives with SKU starting with SD8TB8U are SED drives)
- some Intel SSDs
examples of HDDs with TCG Enterprise:
- Western Digital UltraStar series
- Seagate enterprise drives