Commit 292e737

docs: add ATA security documentation
1 parent 843c86b commit 292e737

1 file changed

+43
-0
lines changed

docs/ata_security.md

Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
# ATA Security
2+
3+
## Introduction
4+
This document provides an overview of how wolfBoot can leaverage the ATA security features to lock or unlock ATA drive.
5+
The ATA drive may be locked either by using a hardcoded password or by using a secret that is sealed in the TPM.
6+
7+
## Table of Contents
8+
- [ATA Security](#ata-security)
9+
- [Introduction](#introduction)
10+
- [Table of Contents](#table-of-contents)
11+
- [Unlocking the Disk with a Hardcoded Password](#unlocking-the-disk-with-a-hardcoded-password)
12+
- [Unlocking the Disk with a TPM-Sealed Secret](#unlocking-the-disk-with-a-tpm-sealed-secret)
13+
- [Disabling the password](#disabling-the-password)
14+
15+
## Unlocking the Disk with a Hardcoded Password
16+
To unlock the disk using a hardcoded password, use the following options in your .config file:
17+
```
18+
DISK_LOCK=1
19+
DISK_LOCK_PASSWORD=hardcoded_password
20+
```
21+
If the ATA disk has no password set, the disk will be locked with the password provided at the first boot.
22+
23+
## Unlocking the Disk with a TPM-Sealed Secret
24+
wolfBoot allows to seal secret safely in the TPM in a way that it can be unsealed only under specific conditions. Please refer to files TPM.md and measured_boot.md for more information. If the option `WOLFBOOT_TPM_SEAL` is enabled and `DISK_LOCK` is enabled, wolfBoot will use a TPM sealed secret as the password to unlock the disk. The following options controls the sealing and unsealing of the secret:
25+
26+
| Option | Description |
27+
|--------|-------------|
28+
| WOLFBOOT_TPM_SEAL_KEY_ID| The key ID to use for sign the policy |
29+
| ATA_UNLOCK_DISK_KEY_NV_INDEX | The NV index to store the sealed secret. |
30+
| WOLFBOOT_DEBUG_REMOVE_SEALED_ON_ERROR| In case of error, delete the secret and panic() |
31+
32+
In case there are no secret sealed at `ATA_UNLOCK_DISK_KEY_NV_INDEX`, a new random secret will be created and sealed at that index.
33+
In case the ATA drive is not locked, it will be locked at the first boot with the secret sealed in the TPM.
34+
35+
## Disabling the password
36+
37+
If you need to disable the password, a master password should be already set on the device. Then you can use the following option to compile wolfBoot so that it will disable the password from the drive and panic:
38+
39+
```
40+
WOLFBOOT_ATA_DISABLE_USER_PASSWORD=1
41+
ATA_MASTER_PASSWORD=the_master_password
42+
```
43+
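
Review bot: The `WOLFBOOT_DEBUG_REMOVE_SEALED_ON_ERROR` row (line 30) says the secret is deleted on error, while lines 32-33 say that this secret is randomly generated and is the password the drive gets locked with, so the document should state what happens to a locked drive once the sealed secret is gone, and either point to the master-password procedure under "Disabling the password" as the recovery path or say explicitly that the option is meant for debugging only. Related gaps: line 37 requires a master password to be "already set" but nothing here says how or when to set it, and lines 21 and 33 should warn that the first boot with `DISK_LOCK=1` locks a drive that previously had no password. Wording fixes: "leaverage" should be "leverage" and "ATA drive" needs an article (line 4), "allows to seal secret" and "options controls" (line 24), "to use for sign the policy" (line 28), "there are no secret sealed" (line 32), and the heading "Disabling the password" does not match the title case of the other headings or its own TOC entry style.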
