
Custom PBA Image

Open leonardohn opened this issue 5 years ago • 6 comments

Considering that sedutil is weird (e.g. linuxpba suddenly reboots after writing a password which is not "debug") and its PBA is quite slow to boot, it would be nice to have a PBA image based on sed-opal-unlocker available for the public.

I would like to propose to build a minimal linux kernel containing only sed-opal-unlocker and busybox embedded on the initramfs, compressed using a faster algorithm than lzma (lz4, perhaps?), so that it could boot instantly on NVMe devices (and maybe on SATA).

What do you think about it?

leonardohn avatar Apr 14 '20 19:04 leonardohn

Thanks for your interest in this project.

The idea is great and to be honest, I'm already using something like that for a few months... a PBA image in form of EFI system partition containing multiplicated EFI executable (very minimal kernel with embedded initramfs with busybox + sed-opal-unlocker + plymouth + efibootmgr + kexec + somescripts; all lz4-ed) and I find it working really well.

It's probably as far from being general as you can possibly get, though. The image must be built on the user's computer (embeds encrypted secrets and depends on /boot/efi/ structure); it's Gentoo-based (unlikely to build on other distros); it assumes the user replaced the vendor's Secure Boot keys with his/her own (everything is signed with custom keys). Even the Plymouth theme is acceptable only for Thinkpad users ;-)

But I guess that's a good starting point. I promise I'll publish it someday in my laptop-notes repo; it already contains some design notes. I did finish the scripts, however I chronically lack time (and some motivation as well) to clean them out and publish... I hope this will happen in a month or two, but I cannot guarantee anything.

dex6 avatar Apr 16 '20 17:04 dex6

Although I'm not having spare time to help right now, I've already tried some options to automate the PBA image generation using petitboot. They already provide some useful packages out of the box, so it won't take time to have a working image. My suggestion would be to use the initramfs outside the kernel (as a cpio.lz4), so the user can modify it as needed.

Are you currently building your PBA using gentoo-sources or vanilla-sources?

leonardohn avatar May 08 '20 15:05 leonardohn

Nice ideas! I also don't like the existing PBA as it

  • forces long POST process (two reboots or more if you type a wrong password)
  • gives ugly UI with tiny font
  • gives you literally one chance to enter the correct password
  • you're not notified if it was successful unless you record the screen with a high speed camera
  • will not work on AMD machines (need custom sedutil)
  • will cause sleep problems (for AMD, need to compile custom sedutil's merge of another sedutil fork)

I wasn't able to use BIOS unlocking on an NVME drive either, looks like every single component works with the SED drive in a different way (BIOS, Windows, sedutil, sedutil hash fork, sedutil S3 fork, sedutil AMD fork) and passwords in both normal and "-n" mode can't be reused between them. I'm happy to use sed-opal-unlocker instead, the key is read from the fingerprint USB drive. It just needs correct "Before" and "After" dependencies with regard to mounting the USB drive and the SED drive. I'd love to have a GRUB/UEFI/Ventoy module to do this job after POST and before OS. Or a PBA that can continue booting? I am not knowledgeable on the subject. Currently, I have to log in to Linux first to unlock the drive for Windows, for example.

gitthangbaby avatar Sep 07 '20 15:09 gitthangbaby

@leonardohn @gitthangbaby If you are still interested, I got it working on initramfs via normal EFI system partition: no PBA/ShadowMBR, no extra reboot after unlocking, and even Secure Boot all the way. This still needs polishing before it can be released, but it certainly is working on my server, can even ssh in to type the password. See #3 for updates.

Tronic avatar Oct 03 '21 22:10 Tronic

Interesting. Does this mean parts of the disk can stay unencrypted? Because I've had an initram or post-init solution with such convenience (however using a 2nd non-TCG drive for execution), but I realized I'd love Windows to unlock parts of the target drive too (which doesn't work without some expensive tools like Winmagic(?); wouldn't survive resume; and Bitlocker also didn't provide hardware support despite the manufacturer claim). But if partitions can be locked, then I could simply mark the Windows and LinuxBoot partitions as unencrypted. That'd be pretty cool!

gitthangbaby avatar Oct 04 '21 05:10 gitthangbaby

@gitthangbaby Well, technically all data is always encrypted, but yes, anything not included in your enabled LockingRanges can stay unlocked after power loss.

Do note that setupLockingRange may destroy data, so migrate your data elsewhere while setting this up:

sedutil-cli --setupLockingRange 1 [Admin1 password] [start sector] [sector COUNT] /dev/nvme0n1
sedutil-cli --enableLockingRange 1 [Admin1 password] /dev/nvme0n1

# Unlock immediately (e.g. on initramfs)
sedutil-cli --setLockingRange 1 RW [Admin1 password] /dev/nvme0n1

# Lock immediately (not safe on a running system, locking happens automatically on power loss anyway)
sedutil-cli --setLockingRange 1 LK [Admin1 password] /dev/nvme0n1

Since sed-opal-unlocker is currently hardcoded to use LockingRange 0, i.e. the whole disk, you will need to edit source code to enable what was done with sedutil-cli --setLockingRange in the commands above.

Tronic avatar Oct 04 '21 06:10 Tronic
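Added example (not code from this thread, sed-opal-unlocker or sedutil): a POSIX sh initramfs hook that gives the "Before"/"After" ordering gitthangbaby asks for (key stick and SED present before unlocking) around the sedutil-cli --setLockingRange command Tronic shows above, then re-reads the partition table so the freshly unlocked partitions appear. The drive path, key-stick label, mount point, key file name and range list are assumptions and are overridable through environment variables.

```shell
#!/bin/sh
# Constructed initramfs hook: wait for the key stick and the SED, read the
# Admin1 password from a file on the stick, set each locking range to RW.
SEDUTIL="${SEDUTIL:-sedutil-cli}"                 # assumption: sedutil-cli on PATH
SED_DEV="${SED_DEV:-/dev/nvme0n1}"                # assumption: the OPAL drive
KEY_DEV="${KEY_DEV:-/dev/disk/by-label/SEDKEY}"   # assumption: USB stick label
KEY_MNT="${KEY_MNT:-/run/sedkey}"
RANGES="${RANGES:-1}"                             # locking ranges to unlock

# Poll for a device node; USB enumeration can lag. Returns 1 on timeout.
wait_for_dev() {
    dev=$1; tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        [ -e "$dev" ] && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Print the first line of the key file; fail on a missing or empty key.
read_key() {
    [ -r "$1" ] || return 1
    IFS= read -r pw < "$1" || [ -n "$pw" ]   # accept a file with no newline
    [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# Set every range in $RANGES to RW; fails if any single range stays locked.
unlock_ranges() {
    dev=$1; pw=$2; rc=0
    for r in $RANGES; do
        "$SEDUTIL" --setLockingRange "$r" RW "$pw" "$dev" >/dev/null || rc=1
    done
    return $rc
}

main() {
    wait_for_dev "$KEY_DEV" && wait_for_dev "$SED_DEV" || return 1
    mkdir -p "$KEY_MNT" && mount -o ro "$KEY_DEV" "$KEY_MNT" || return 1
    pw=$(read_key "$KEY_MNT/opal.key") || { umount "$KEY_MNT"; return 1; }
    unlock_ranges "$SED_DEV" "$pw"; rc=$?
    umount "$KEY_MNT"
    # The kernel scanned the partition table while the range was locked;
    # re-read it so the partitions inside the range become visible.
    [ "$rc" -eq 0 ] && blockdev --rereadpt "$SED_DEV"
    return $rc
}

case "${RUN_SED_UNLOCK:-}" in 1) main ;; esac   # RUN_SED_UNLOCK=1 to execute
```

Run it from the initramfs init with RUN_SED_UNLOCK=1 after the USB and NVMe drivers are loaded and before the root filesystem is mounted.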