sedutil
sedutil copied to clipboard
ChubbyAnt
Add auto-unlocking support
I would very much like you to consider merging this, as non-interactive authentication is IMHO the one killer feature still missing from sedutil PBA. The original PR, aimed at original DTA sedutil, can be found here: https://github.com/Drive-Trust-Alliance/sedutil/pull/86.
If the original author is no longer around or not interested in adapting this to the current master, I am willing to step in.
Original PR description follows.
This will allow the SSD to be unlocked with any combination of:
- USB device plugged at boot time
- Reading from a TPM NVRAM slot (with or without a password)
- Using a Yubikey Challenge/Response (requires a password)
This gives much more flexibility in unlocking the SSD and allows the actual SSD encryption password to be completely random (which is more secure) while still allowing an easy way to unlock the SSD as long as a second factor is present and conditions are met.
Brilliant! I am looking for this Auto unlocking as well! I have built the USB boot disk with sedutil.com instruction, Please how can I load this Auto unlocking function? Thanks
I would very much like you to consider merging this, as non-interactive authentication is IMHO the one killer feature still missing from sedutil PBA. The original PR, aimed at original DTA sedutil, can be found here: Drive-Trust-Alliance#86.
If the original author is no longer around or not interested in adapting this to the current master, I am willing to step in.
Original PR description follows.
This will allow the SSD to be unlocked with any combination of:
* USB device plugged at boot time * Reading from a TPM NVRAM slot (with or without a password) * Using a Yubikey Challenge/Response (requires a password)This gives much more flexibility in unlocking the SSD and allows the actual SSD encryption password to be completely random (which is more secure) while still allowing an easy way to unlock the SSD as long as a second factor is present and conditions are met.
I think the original author is dead jim, If you could step in, that would be amazing.
Shameless plug; I have written a Go library to replace having to use sedutil - https://github.com/bluecmd/go-tcg-storage - and I am implementing a PBA based on u-root at my place of work (https://github.com/elastx/elx-pba). Happy to accept contributions there if you want! We will use machine UUID to unlock disks, but happy to include support for TPMs etc if somebody else wants to write and maintain it.
We currently use sedutil-cli to do the initial setup and our own PBA image to do the "every day" unlocking.
I am available at the Open Source Firmware Slack (https://slack.osfw.dev/) if anyone wants to discuss this more!
