LKML Archive on
From: Scott Bauer <>
To: David Kozub <>
Cc: Christoph Hellwig <>,
	Jens Axboe <>,
	Jonathan Derrick <>,,,
	Jonas Rabenstein <>
Subject: Re: [PATCH 0/3] block: sed-opal: add support for shadow MBR done flag and write
Date: Sun, 5 May 2019 10:43:30 -0400
Message-ID: <20190505144330.GB1030@hacktheplanet>
In-Reply-To: <>

On Fri, May 03, 2019 at 10:32:19PM +0200, David Kozub wrote:
> On Wed, 1 May 2019, Christoph Hellwig wrote:
> > > I successfully tested toggling the MBR done flag and writing the shadow MBR
> > > using some tools I hacked together[4] with a Samsung SSD 850 EVO drive.
> > 
> > Can you submit the tool to util-linux so that we get it into distros?
> There is already Scott's sed-opal-temp[1] and a fork by Jonas that adds
> support for an older version of these new IOCTLs[2]. There was already some
> discussion of getting that to util-linux.[3]
> While I like my hack, sed-opal-temp can do much more (my tool supports just
> the few things I actually use). But there are two things which sed-opal-temp
> currently lacks which my hack has:
> * It can use a PBKDF2 hash (salted by disk serial number) of the password
>   rather than the password directly. This makes it compatible with sedutil
>   and I think it's also better practice (as firmware can contain many
>   surprises).
> * It contains a 'PBA' (pre-boot authorization) tool. A tool intended to be
>   run from shadow mbr that asks for a password and uses it to unlock all
>   disks and set shadow mbr done flag, so after restart the computer boots
>   into the real OS.
> @Scott: What are your plans with sed-opal-temp? If you want I can update
> Jonas' patches to the adapted IOCTLs. What are your thoughts on PW hashing
> and a PBA tool?

I will accept any and all patches to sed opal tooling, I am not picky. I will
also give up maintainership of it if someone else feels they can (rightfully
so) do a better job.

Jon sent me a patch for the tool that will deal with writing to the shadow MBR,
so once we know these patches are going in I'll pull that patch into the tool.

Then I guess that leaves PBKDF2 which I don't think will be too hard to pull in.

With regard to your PBA tool, is that actually being run post-UEFI/pre-Linux?
I.e., are we writing your tool into the SMBR and that's what is being run on bootup?

Jon, if you think it's a good idea can you ask David if Revanth or you want
to take over the tooling? Or if anyone else here wants to own it then let me know.
