ladar / sedutil

Use sedutil for setting up and using self encrypting drives (SEDs) that comply with the TCG OPAL 2.00 standard. This includes the requisite pre-boot authentication image.
https://trustedcomputinggroup.org/work-groups/storage/

Rescue and PBA images DPI issue #27

Open derinsh0 opened 2 years ago

derinsh0 commented 2 years ago

First I want to thank you for having maintained and written clear instructions on your sedutil fork. Previously I tried ChubbyAnt's and DTA's instructions on my NVMe without success. I settled on lockingrange 1 as well, to sacrifice the (as I know it) arguable security benefit of hiding the bootloader for an easier recovery process.

The latest release comments specify switching to a hidpi font. This does not work well on my 1440p resolution, as letters are huge and the drive scan is unreadable.

ladar commented 2 years ago

@psisis my laptop has a 4K screen, so the default text was microscopic. I spent more time than I want to admit looking for a good solution that would scale the console mode resolution to a reasonable size for every screen. But I couldn't find a combination of kernel modules and boot command line options that worked across every system I was testing with. So, if I'm remembering things correctly, I ended up adding the console font files to the boot image, and then added a simple init script which set the console font to Uni1-VGA32x16.psf, which seemed to look best on my computers. It made the text readable, although it is still on the small side.

I think part of the problem is that the current code is built around a slightly older Linux kernel, which is in turn tied to an older busybox environment. I experimented with updating it, but the kernel and busybox profile are all tightly coupled, and if I recall, I had trouble getting the newer build profiles to work properly using syslinux. All of the examples I found either didn't work, or used GRUB. And I was worried switching to GRUB might allow someone to escape out to a shell during boot. The current config locks down the process so that it should be impossible to avoid booting into the PBA password program, and I don't know how to replicate that with GRUB.

Long story short, updating to a newer BusyBox profile would require help from someone more familiar with building BusyBox images, or someone who can invest the time. There is also no guarantee that a newer kernel/busybox image will provide a good solution, but I think newer kernels do a better job of supporting kernel modesetting in text mode, which would allow us to set a screen resolution which isn't tied to a specific monitor/GPU.

With the current environment you might be able to improve things by setting up an EDID monitor profile, but it would be tied to a specific screen. You can also try passing options to the kernel driver for your GPU. I had some success playing with those options, but quickly realized that setting boot parameters this way would improve things for a specific system, but make it worse on a different system. To make matters worse, I also found that if you switched between UEFI and BIOS booting, options which worked one way made the screen unreadable via a different boot method. If the PBA was set up this way, we'd get horribly unpredictable results. And eventually someone would switch modes, only to think their computer was broken.

If anyone knows how to fix this issue properly please speak up!
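The comment above describes an init script in the PBA image that sets one fixed console font (Uni1-VGA32x16.psf), which is what makes 1440p text oversized. The following is an added example, not code from the sedutil repository or from ladar: a POSIX sh init fragment (busybox-compatible) that reads the framebuffer width from sysfs and picks a font size accordingly, so one image can serve 1080p, 1440p and 4K panels. The font directory, the width thresholds and the two smaller font names (Uni1-VGA28x16.psf, Uni1-VGA16.psf) are assumptions made for this example; the 32x16 font is the one named in the issue.

```shell
#!/bin/sh
# Added example for the sedutil issue thread, not the project's own init script.
# Chooses a PSF console font by framebuffer width so the PBA prompt stays
# readable on screens of different pixel density.
#
# Assumptions (not from the issue):
#   - PSF font files live in $FONT_DIR (default path below is an assumption)
#   - busybox provides `setfont`
#   - width thresholds are constructed for this example

FONT_DIR="${FONT_DIR:-/usr/share/consolefonts}"

# choose_font WIDTH
# Prints the font file name suited to a framebuffer of WIDTH pixels.
choose_font() {
    width="$1"
    case "$width" in
        ''|*[!0-9]*) width=0 ;;   # non-numeric or empty input: treat as unknown
    esac
    if [ "$width" -ge 3000 ]; then
        echo "Uni1-VGA32x16.psf"   # 4K class panels: the font the issue mentions
    elif [ "$width" -ge 2000 ]; then
        echo "Uni1-VGA28x16.psf"   # 1440p: assumed intermediate glyph height
    else
        echo "Uni1-VGA16.psf"      # 1080p and below, or unknown: default glyphs
    fi
}

# fb_width [SYSFS_FILE]
# Reads "WIDTH,HEIGHT" from the framebuffer's virtual_size node and prints
# WIDTH. Prints 0 when the node is missing so the caller falls back safely
# instead of aborting the boot.
fb_width() {
    f="${1:-/sys/class/graphics/fb0/virtual_size}"
    if [ -r "$f" ]; then
        cut -d, -f1 "$f"
    else
        echo 0
    fi
}

# apply_font
# Selects and loads the font; silently keeps the current font if the file
# is absent, which is preferable to a failed init step before the PBA prompt.
apply_font() {
    font="$(choose_font "$(fb_width)")"
    if [ -f "$FONT_DIR/$font" ]; then
        setfont "$FONT_DIR/$font"
    fi
}

# Only touch the console when invoked as `init-font.sh apply`, so the
# functions can be sourced without side effects.
if [ "${1:-}" = "apply" ]; then
    apply_font
fi
```

In the PBA image this would replace the single hard-coded `setfont` call: the script reads only sysfs and never consults boot parameters, which sidesteps the UEFI/BIOS discrepancy the comment describes, since the framebuffer node reports the mode actually in use rather than the one requested on the command line.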