support for Self-Encrypting Drives (SED) with TCG OPAL/TCG Enterprise #161

Closed
vlado2222 opened this issue Jul 4, 2022 · 21 comments

@vlado2222

vlado2222 commented Jul 4, 2022

The problem you're addressing (if any)

Implement support for Self-Encrypting Drives (SEDs) with TCG OPAL/TCG Enterprise.

Describe the solution you'd like

Menu in BIOS where you can enable/disable encryption, perform disk sanitisation, set drive groups that share the same password, etc.
Then during boot-up you have to enter a password to unlock a group of drives.

Where is the value to a user, and who might that user be?

There are many SSDs/HDDs which support hardware level encryption and currently I'm not aware of any "home consumer grade" motherboard which supports this.

Describe alternatives you've considered

The alternative is to use software-based encryption, which might provide better security at the expense of performance because it consumes CPU cycles.

Additional context

examples of SSDs with TCG OPAL:
Crucial MX100/MX200/MX300/MX500
Crucial P5 Plus NVMe
Samsung 950 PRO; 960 PRO/EVO; 970 PRO/EVO; 980 PRO
Samsung 840/850/860/870 EVO
SanDisk X400 (only drives with SKU starting with SD8TB8U are SED drives)
some Intel SSDs

examples of HDDs with TCG Enterprise:
Western Digital UltraStar series
Seagate enterprise drives

@pietrushnic

@vlado2222 thank you very much for that feature request. @miczyg1 would you mind elaborating on that? Am I correct that this is not a huge effort?

@vlado2222 are you in possession of the above disks? Would you mind supporting the testing effort if some rc version appears?

@vlado2222
Author

vlado2222 commented Jul 4, 2022

@pietrushnic I have only two self-encrypting drives: SanDisk X400 and Seagate ST8000NM0115. The Seagate holds data, so I can't use it for experiments. The biggest problem is that I don't own an MSI PRO Z690-A mobo and I don't plan on upgrading my PC in the near future. It shouldn't be a problem for you to find a TCG OPAL compatible drive. Most SSDs in business-class laptops do support it. Otherwise, you can buy a used Crucial MX100/MX300/MX500 or Samsung 840/850 EVO for less than 25 USD, and a used SED HDD can be obtained for a similarly low price.

Thank you very much for your efforts! Next time I'll be upgrading my PC I'll definitely look into Dasharo compatible motherboards.

@pietrushnic

@vlado2222 ok. Thank you for your support and for contributing this feature request.

@miczyg1
Contributor

miczyg1 commented Jul 4, 2022

> @vlado2222 thank you very much for that feature request. @miczyg1 would you mind elaborating on that? Am I correct that this is not a huge effort?

We have some integration of TCG OPAL menu for the firmware, but it has not been tested due to a lack of OPAL SED disks. Not a huge effort to add it to firmware. Question still is if it works out-of-the-box.

@mkopec
Member

mkopec commented Jul 11, 2022

@miczyg1

> lack of OPAL SED disks

We have a bunch of Samsung PRO and EVO disks at the office; they definitely support TCG OPAL.

@miczyg1
Contributor

miczyg1 commented Jul 12, 2022

@mkopec
Member

mkopec commented Jul 12, 2022

OpalPasswordDxe does not build at the moment:

```
/openssl/crypto/pkcs12/p12_crt.c
/opt/xgcc/lib/gcc/x86_64-elf/8.3.0/../../../../x86_64-elf/bin/ld: /tmp/ccjnwuCn.ltrans0.ltrans.o: in function `DriverCallback':
/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c:277: undefined reference to `Tcg2PhysicalPresenceLibGetManagementFlags'
/opt/xgcc/lib/gcc/x86_64-elf/8.3.0/../../../../x86_64-elf/bin/ld: /tmp/ccjnwuCn.ltrans1.ltrans.o: in function `OpalEndOfDxeEventNotify':
/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c:442: undefined reference to `Tcg2PhysicalPresenceLibGetManagementFlags'
collect2: error: ld returned 1 exit status
make[2]: *** [GNUmakefile:413: /home/coreboot/coreboot/payloads/external/tianocore/Dasharo/Build/UefiPayloadPkgX64/RELEASE_COREBOOT/X64/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe/DEBUG/OpalPasswordDxe.dll] Error 1
make[2]: Leaving directory '/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/Build/UefiPayloadPkgX64/RELEASE_COREBOOT/X64/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe'


build.py...
 : error 7000: Failed to execute command
	make tbuild [/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/Build/UefiPayloadPkgX64/RELEASE_COREBOOT/X64/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe]


build.py...
 : error F002: Failed to build module
	/home/coreboot/coreboot/payloads/external/tianocore/Dasharo/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf [X64, COREBOOT, RELEASE]

- Failed -
Build end time: 11:39:54, Jul.12 2022
Build total time: 00:01:20
```

@miczyg1
Contributor

miczyg1 commented Jul 12, 2022

Ahh yes, the PPI changes could break it. It looks like the QEMU PPI lib we use is missing the function outlined in the trace. Probably all you have to do is to copy it from SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c to OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.c

@Firminator

There was research that UEFI implemented 'Sanitize' was in some cases badly implemented by vendors. Buggy. As in the GUI made you believe the drive was sanitized but when checking the drive there was still data on it. Be mindful when adding this. It might be feature creep and not worth the trouble if it doesn't work properly.

@vlado2222
Author

> There was research that UEFI implemented 'Sanitize' was in some cases badly implemented by vendors. Buggy. As in the GUI made you believe the drive was sanitized but when checking the drive there was still data on it. Be mindful when adding this. It might be feature creep and not worth the trouble if it doesn't work properly.

For example, here is an article about discovered vulnerabilities in SED. In response, Samsung and Crucial issued FW updates to fix the reported vulnerabilities. Security is a constant cat-and-mouse game... a never-ending race. Even software-based encryption can be broken. However, software encryption is inherently easier to fix.

If Dasharo successfully implements SED support, they could use it to their advantage and market their motherboards as the only* home consumer grade motherboards with SED support.

@mkopec
Member

mkopec commented Oct 24, 2022

Implemented in Dasharo/edk2#27

Note that this implementation does not unlock the disk on resume from sleep, only on power-on, as it is run by the UEFI Payload which is not executed on resume.

It's now possible to enable OPAL in the setup menu. This is what the OPAL menu looks like - NVMe and SATA disks are detected:
image

You can select a disk and enable OPAL on it:
image

After a reboot, you'll be prompted to set an admin password:
image

And now, more options are available:
image

Set a user password, and this is what the password entry will look like on each boot:
image

@pietrushnic

@vlado2222 any chance you could test the firmware if we sent you an rc binary?

@pietrushnic

> The biggest problem is that I don't own an MSI PRO Z690-A mobo and I don't plan on upgrading my PC in the near future.

I guess we would rely on our own tests and we will close this issue based on that.

@mkopec mkopec moved this from To Do to In progress in Nlnet October 2022 Oct 25, 2022
@macpijan
Contributor

macpijan commented Oct 26, 2022

I have just tried this on NovaCustom NV41MB device.

The OPAL menu @mkopec has shown is available in the Setup Menu under: Device Manager -> TCG Drive Management.

My (non-pro) Samsung disk was also detected as supporting the feature:

[image: 1666795014414]

Now I need to use a password to unlock the disk even before I can enter the BIOS Setup Menu. Is this expected?

After suspend, it fails to unlock, I assume, as I can see the following (which was expected at this point):

[image: 1666795014395]

@mkopec
Member

mkopec commented Oct 26, 2022

> Now I need to use a password to unlock the disk even before I can enter the BIOS Setup Menu. Is this expected?

Yes, that is expected with the current implementation.

> After suspend, it fails to unlock, I assume, as I can see the following (which was expected at this point):

That would be expected if the disk was powered off completely while in suspend (d3cold). In the future it's possible to explore disabling d3cold for the disk, since that shouldn't prevent the laptop from going to sleep, and would keep the disk unlocked in standby.

Maybe you could test setting /sys/bus/pci/devices/0000:[disk PCIe B:D.F, e.g. 0000:03:00.0]/d3cold_allowed to 0 and check:

  • if the laptop still goes to sleep
  • if the disk works after suspend

@macpijan
Contributor

So I ran:

```
cat /sys/bus/pci/devices/0000\:01\:00.0/d3cold_allowed
1

sudo sh -c "echo 0 > /sys/bus/pci/devices/0000\:01\:00.0/d3cold_allowed"
cat /sys/bus/pci/devices/0000\:01\:00.0/d3cold_allowed
0
```

> if the laptop still goes to sleep

It looks like it does

> if the disk works after suspend

it works after suspend
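
The sysfs change tested above, as an added example that is not part of anyone's comment in this thread: a POSIX shell sketch that finds the PCI function behind each NVMe controller, writes 0 to its `d3cold_allowed` and reads the value back to confirm it. `SYSFS_ROOT` and the function names are assumptions of the example, and SATA disks are not covered; as stated earlier in the thread, a disk kept out of d3cold stays unlocked for as long as the machine is suspended.

```shell
#!/bin/sh
# Added example (not from the thread). SYSFS_ROOT is an assumption of this
# sketch: it defaults to /sys and exists only so the logic can be exercised
# against a constructed directory tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print the PCI function directory behind an NVMe controller such as nvme0.
# Fails when the controller has no PCI parent exposing d3cold_allowed.
nvme_pci_dir() {
    [ -e "$SYSFS_ROOT/class/nvme/$1/device/d3cold_allowed" ] || return 1
    (cd -P "$SYSFS_ROOT/class/nvme/$1/device" && pwd -P)
}

# Write 0 to d3cold_allowed for one controller and confirm it by reading back.
# Prints "<B:D.F> <old> -> <new>"; returns non-zero if the value did not stick.
disable_d3cold() {
    d3_dir=$(nvme_pci_dir "$1") || { echo "$1: no PCI d3cold_allowed" >&2; return 1; }
    d3_old=$(cat "$d3_dir/d3cold_allowed")
    echo 0 > "$d3_dir/d3cold_allowed" || return 1
    d3_new=$(cat "$d3_dir/d3cold_allowed")
    echo "$(basename "$d3_dir") $d3_old -> $d3_new"
    [ "$d3_new" = "0" ]
}

# Apply to every NVMe controller present; return non-zero if any one failed.
disable_d3cold_all() {
    d3_rc=0
    for d3_ctrl in "$SYSFS_ROOT"/class/nvme/nvme*; do
        [ -e "$d3_ctrl" ] || continue
        disable_d3cold "$(basename "$d3_ctrl")" || d3_rc=1
    done
    return $d3_rc
}

# Run as root with --apply to change the live system; the setting is lost on reboot.
if [ "${1:-}" = "--apply" ]; then
    disable_d3cold_all
fi
```
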

@mkopec
Member

mkopec commented Oct 26, 2022

Nice. So it should be a pretty simple fix in firmware, I believe

@macpijan
Contributor

But it would consume a bit more energy this way?

@mkopec
Member

mkopec commented Oct 26, 2022

So the SSD itself would consume around 5mW in d3hot according to the spec sheet, so basically negligible. The PCIe link would also stay in a shallower standby state so it may consume a bit more power.

@rafkoch

rafkoch commented Nov 29, 2022

  1. @vlado2222 I understand that your idea to "Implement support for Self-Encrypting Drives (SEDs) with TCG OPAL/TCG Enterprise" is done in this PR called "Opal fixes" so in my opinion this task is ready to move to CLOSED status.

  2. @mkopec I propose to put the idea "to explore disabling d3cold for the disk, since that shouldn't prevent the laptop from going to sleep, and would keep the disk unlocked in standby." described here into the backlog.

@miczyg1
Contributor

miczyg1 commented Nov 29, 2022

Yes, this one can be closed already.

@miczyg1 miczyg1 closed this as completed Nov 29, 2022
@miczyg1 miczyg1 moved this from In progress to Done in Nlnet October 2022 Nov 29, 2022