<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Brad,</p>
<p>Interesting info.</p>
<p>FYI below I have a quickly hacked together revision for your
script.</p>
<p>As I don't have any drives with SED capabilities I haven't tested
it, but it should be pretty close.</p>
<p><br>
</p>
<pre><code>#!/bin/bash

SEDU=/usr/local/bin/sedutil-cli

do_start () {
    while read -t5 Line; do
        Dev=${Line%% *}
        # A quoted right-hand side of =~ is matched literally, so '\/dev\/'
        # would never match; use an unquoted anchored pattern instead.
        if [[ $Dev =~ ^/dev/ ]]; then
            wasLocked=false
            while read -t5 qLine; do
                if [[ $qLine =~ 'Locked = Y' ]]; then
                    echo "$Dev Locked"
                    if [ -z "$KEY" ]; then
                        KEY=$(get-key-script)
                    fi
                    "$SEDU" --setlockingrange 0 rw "$KEY" "$Dev"
                    "$SEDU" --setMBRDone on "$KEY" "$Dev"
                    /sbin/blockdev --rereadpt "$Dev"
                    wasLocked=true
                fi
            done &lt; &lt;("$SEDU" --query "$Dev")
            # Only drives that were never seen locked are already unlocked.
            if ! $wasLocked; then
                echo "$Dev Already Unlocked"
            fi
        fi
    done &lt; &lt;("$SEDU" --scan)
}
</code></pre>
<p>Regards</p>
<p>David G<br>
</p>
<br>
<div class="moz-cite-prefix">On 20/01/17 15:54, Brad Campbell wrote:<br>
</div>
<blockquote
cite="mid:504c855d-7c80-eb4c-a1ae-15dc99980053@fnarfbargle.com"
type="cite">G'day all,
<br>
<br>
I run (ran) LUKS/dm-crypt on all my data drives, swap and
basically anything other than boot/root on all my machines.
<br>
<br>
The 6 year old root SSD on my desktop started to crap out
yesterday, so I replaced both root and home drives with a pair of
new Samsung 850's. These shiny new drives support SED, so I
thought I'd have a crack at replacing dm-crypt on the home drive
with SED, and I thought it might be of interest so I made some
notes.
<br>
<br>
My machines are relatively archaic, so I couldn't get sedutil to
compile from source because of way out of date header files. I
didn't actually try very hard, I just used their pre-compiled cli
binary.
<br>
<br>
Because I'm only encrypting a data drive I don't need the pre-boot
environment or any of that complexity. Nor do I need this to come
up in the initramfs.
<br>
<br>
I set the drive up with --initialsetup, then enabled encryption
with --enableLockingRange 0. I thought I'd be clever and not
bother enabling the fake MBR as I didn't need the PBE. *Big*
mistake. Booting a kernel with a locked drive that does not have
the MBR enabled spends about 30 seconds spewing ATA errors into
the logs as it tries over and over again to read the MBR. This is
not a trickle, rather a continuous blast.
<br>
<br>
So, *always* enable the fake mbr (--setMBREnable on) when you
encrypt the drive.
<br>
<br>
To unlock the disk, I've created a little initscript that runs
very early in the boot process that basically contains the
following (excuse the gross bash):
<br>
<br>
SEDU=/usr/local/bin/sedutil-cli
<br>
do_start () {
<br>
for i in $("$SEDU" --scan | awk '{print $1}' | grep '/dev/') ; do
<br>
if [ -n "$("$SEDU" --query "$i" | grep 'Locked = Y')" ] ; then
<br>
echo "$i Locked"
<br>
if [ -z "$KEY" ] ; then
<br>
KEY=$(get-key-script)
<br>
fi;
<br>
"$SEDU" --setlockingrange 0 rw "$KEY" "$i"
<br>
"$SEDU" --setMBRDone on "$KEY" "$i"
<br>
/sbin/blockdev --rereadpt "$i"
<br>
else
<br>
echo "$i Already Unlocked"
<br>
fi;
<br>
done;
<br>
}
<br>
<br>
This uses sedutil to get a list of all drives that support SED, it
then iterates them to see if any are locked and if so it proceeds
to unlock them. No point trying to unlock an already unlocked
drive, and as I rarely power cycle my machines on most boots
they'll already be unlocked.
<br>
<br>
It's important to re-read the partition table after unlocking and
swapping the MBRs.
<br>
<br>
The only thing this loses over using dm-crypt is the machine is
now susceptible to power-on attacks. So you can soft-boot it into
another OS and get access to the disk. For my particular threat
model that's not an issue. I'm more worried by someone breaking in
and walking away with the box, and if they do that I'm covered.
<br>
<br>
Encrypting the drive is really just enabling the locking and
setting a key, so there is no data loss or other interaction
required with the disk.
<br>
<br>
Regards,
<br>
Brad
<br>
_______________________________________________
<br>
PLUG discussion list: <a class="moz-txt-link-abbreviated" href="mailto:plug@plug.org.au">plug@plug.org.au</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.plug.org.au/mailman/listinfo/plug">http://lists.plug.org.au/mailman/listinfo/plug</a>
<br>
Committee e-mail: <a class="moz-txt-link-abbreviated" href="mailto:committee@plug.org.au">committee@plug.org.au</a>
<br>
PLUG Membership: <a class="moz-txt-link-freetext" href="http://www.plug.org.au/membership">http://www.plug.org.au/membership</a>
<br>
<br>
</blockquote>
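<p>Added example, not from either message in this thread: a version of the unlock script that separates the parsing of <code>sedutil-cli --scan</code> and <code>--query</code> text (which can be exercised offline, without root or an Opal drive) from the privileged sedutil-cli calls, skips drives that <code>--scan</code> reports as not Opal-capable, and flags the case Brad describes, a locked drive whose shadow MBR was never enabled. The sample <code>--scan</code>/<code>--query</code> text, the plan names (<code>unlock</code>, <code>unlock-nombr</code>, <code>unlocked</code>, <code>nolocking</code>) and the <code>SEDU</code>/<code>KEY</code> handling are this example's own assumptions; <code>get-key-script</code> is the placeholder from Brad's script; the output formats are approximations of sedutil-cli's text and should be checked against your own build.</p>

```bash
#!/bin/bash
# Added example (not from the thread): split the SED unlock logic into
# parsing functions that run offline and the privileged sedutil-cli calls.
# The --scan/--query formats below are approximations of sedutil-cli's
# output, not captured from a real drive.

SEDU=${SEDU:-/usr/local/bin/sedutil-cli}

# Device paths of Opal-capable drives from `sedutil-cli --scan` text on
# stdin. Column 2 is the SSC version ("1", "2", "E", ...) or "No" for a
# drive with no TPer, which the scripts in the thread needlessly --query.
sed_capable_devs() {
    awk '$1 ~ /^\/dev\// && $2 != "No" { print $1 }'
}

# One "Name = Y/N" field from `sedutil-cli --query` text on stdin. The
# locking fields share a comma-separated line: Locked, LockingEnabled,
# LockingSupported, MBRDone, MBREnabled, MediaEncrypt.
query_field() {
    awk -v f="$1" '{
        n = split($0, a, ", *")
        for (i = 1; i <= n; i++) {
            sub(/^[ \t]+/, "", a[i])
            if (index(a[i], f " = ") == 1) { print substr(a[i], length(f) + 4); exit }
        }
    }'
}

# Decide what one drive needs from its --query text. Prints exactly one of:
#   unlock        locked with the shadow MBR enabled: unlock and set MBRDone
#   unlock-nombr  locked without the shadow MBR (the "big mistake" case)
#   unlocked      locking on but already open, e.g. after a soft reboot
#   nolocking     locking not enabled, nothing to do
plan_for_query() {
    q=$1
    enabled=$(printf '%s\n' "$q" | query_field LockingEnabled)
    locked=$(printf '%s\n' "$q" | query_field Locked)
    mbr=$(printf '%s\n' "$q" | query_field MBREnabled)
    if [ "$enabled" != Y ]; then echo nolocking
    elif [ "$locked" != Y ]; then echo unlocked
    elif [ "$mbr" = Y ]; then echo unlock
    else echo unlock-nombr
    fi
}

# Unlock one drive. KEY is fetched once, lazily, via the thread's
# placeholder get-key-script. setMBRDone is only meaningful when the
# shadow MBR is enabled; otherwise warn (the fix is --setMBREnable on).
unlock_dev() {
    dev=$1 plan=$2
    if [ -z "$KEY" ]; then
        KEY=$(get-key-script) || { echo "$dev: no key" >&2; return 1; }
    fi
    "$SEDU" --setlockingrange 0 rw "$KEY" "$dev" || return 1
    if [ "$plan" = unlock ]; then
        "$SEDU" --setMBRDone on "$KEY" "$dev" || return 1
    else
        echo "$dev: locked without shadow MBR; run --setMBREnable on" >&2
    fi
    # Re-read the partition table after the unlock, as the thread notes.
    /sbin/blockdev --rereadpt "$dev"
}

do_start() {
    "$SEDU" --scan | sed_capable_devs | while read -r dev; do
        plan=$(plan_for_query "$("$SEDU" --query "$dev")")
        echo "$dev $plan"
        case $plan in unlock|unlock-nombr) unlock_dev "$dev" "$plan" ;; esac
    done
}

# Constructed sample text (approximate formats; not captured from hardware).
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/sda  2  Samsung SSD 850 EVO 500GB                EMT02B6Q
/dev/sdb No  WDC WD10EZEX-08M2NA0                     01.01A01
No more disks present ending scan'
SAMPLE_LOCKED='Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y'
SAMPLE_LOCKED_NOMBR='Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y'
SAMPLE_UNLOCKED='Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y'

# "run" does the real thing (needs root and sedutil-cli); the default is a
# dry demo over the sample text above.
case ${1:-demo} in
    run) do_start ;;
    *)  echo "capable: $(printf '%s\n' "$SAMPLE_SCAN" | sed_capable_devs)"
        for q in "$SAMPLE_LOCKED" "$SAMPLE_LOCKED_NOMBR" "$SAMPLE_UNLOCKED"; do
            echo "plan: $(plan_for_query "$q")"
        done ;;
esac
```

<p>Run it with no arguments to see the decisions it would make for the three sample drives; run it as root with <code>run</code> to perform the unlock for real. Keeping the decision in <code>plan_for_query</code> means the boot-time path never has to grep for one string and guess, and the <code>unlock-nombr</code> result gives you a loud warning on exactly the configuration that otherwise shows up only as a flood of ATA errors at boot.</p>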
<br>
</body>
</html>