@hreinecke
Collaborator

By default 'sed initialize' will set the entire disk to read/write locked, i.e. no access is possible. That is all fine if the BIOS supports TCG Opal, as then the BIOS can unlock the drive before access. But for BIOS not supporting TCG Opal this results in an inaccessible drive, and requires the user to use a different drive to boot and unlock the SED device.
This patch adds a flag '--read-only' to 'nvme sed initialize' such that the 'read-lock enable' flag is not set for the locking range, and the device continues to be readable by the BIOS for booting.

Signed-off-by: Hannes Reinecke <[email protected]>
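As an added illustration (not nvme-cli's own code), a small C model of the TCG Opal Locking table columns that this flag affects. The column names and the LockOnReset behaviour are the Opal ones; the function names are the model's own. It shows what a host without Opal support, which cannot unlock, sees after a power cycle with and without --read-only.

```c
#include <stdbool.h>

/* Added model (not nvme-cli code) of the TCG Opal Locking table
 * columns touched by 'sed initialize', with and without --read-only. */
struct locking_range {
	bool read_lock_enabled;  /* ReadLockEnabled */
	bool write_lock_enabled; /* WriteLockEnabled */
	bool read_locked;        /* ReadLocked */
	bool write_locked;       /* WriteLocked */
};

/* 'sed initialize': enable locking on the global range. With
 * read_only the read-lock enable flag is left clear, as in this PR. */
static void sed_initialize(struct locking_range *r, bool read_only)
{
	r->read_lock_enabled = !read_only;
	r->write_lock_enabled = true;
	r->read_locked = r->read_lock_enabled;
	r->write_locked = r->write_lock_enabled;
}

/* LockOnReset: a power cycle re-asserts every enabled lock. */
static void power_cycle(struct locking_range *r)
{
	r->read_locked = r->read_lock_enabled;
	r->write_locked = r->write_lock_enabled;
}

/* Access is denied only when a lock is both enabled and asserted. */
static bool can_read(const struct locking_range *r)
{
	return !(r->read_lock_enabled && r->read_locked);
}

static bool can_write(const struct locking_range *r)
{
	return !(r->write_lock_enabled && r->write_locked);
}

/* What a host with no Opal support (so no unlock) sees after a power
 * cycle: bit 0 = readable, bit 1 = writable. */
static int access_after_reset(bool read_only)
{
	struct locking_range r;

	sed_initialize(&r, read_only);
	power_cycle(&r);
	return (can_read(&r) ? 1 : 0) | (can_write(&r) ? 2 : 0);
}
```

With the default initialisation the range is neither readable nor writable after reset; with --read-only it stays readable to any host, which is the data-at-rest trade-off discussed in the review.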
@igaw
Collaborator

igaw commented Nov 15, 2024

looks good to me.

@gjoyce-ibm could have a look too? thanks!

@gjoyce-ibm
Contributor

@igaw The code changes look good. My only question would be on the utility of this:

  1. SED is supposed to protect data at rest. If the drive is locked read-only, the drive could be moved to another system and the data would be exposed.
  2. Can Linux by default boot on a read-only boot device? Even if boot succeeds, the drive would need to be changed to read/write at some point.
  3. This might also suggest that "lock" and "unlock" sub-commands need to support read/write rather than "initialize".

The other possibility for unlocking at boot time is to use a shadow mbr and boot something that can prompt for or otherwise provide the SED password to unlock the drive.

@igaw
Collaborator

igaw commented Dec 2, 2024

As far as I understand @hreinecke's use case, the boot partition is currently not readable, which means it's impossible to boot from it. Thus the idea here is to allow reading from it and booting. Eventually the rootfs needs to be accessed, but that is where the rest of the disk needs to be accessed. Anyway, I have really wrapped my head around the use case.

re 1. this seems to be acceptable because there are no secrets on this part of the disk, just the boot loader etc.
re 2. yes, this is possible as long as there is a ramdisk-based filesystem for volatile state, e.g. /var, /tmp. Embedded systems do that all the time. Also, the distros are moving to a read-only rootfs.
re 3. don't know. :)

@igaw igaw merged commit 73fe6ad into linux-nvme:master Dec 16, 2024
17 checks passed