sedutil icon indicating copy to clipboard operation
sedutil copied to clipboard
verified publisher icon ladar

Add commands for controlling the Makers Authority

Open kadler15 opened this issue 2 years ago • 0 comments

Summary

This change adds new commands for disabling, enabling, and printing the status of the Admin SP Makers Authority:

--disableMakersAuthority <SIDpassword> <device> 
                                revoke the device manufacturer's admin powers
--enableMakersAuthority <SIDpassword> <device> 
                                grant the device manufacturer admin powers
--printMakersAuthorityStatus <device> 
                                print the Makers Authority status

I tried to follow existing tabbing patterns. Unfortunately, the original sedutil was a bit of a mess in those regards, so it's not easy to be consistent.

Also, I only have access to an Opal 2.0 device, and I'm more familiar with that standard, so my Enterprise 1.0 implementation is untested and may contain bugs. I'd appreciate it if someone with access to an Enterprise 1.0 device can test the new commands.

Additional Context

From the TCG Storage Architecture Core Spec:

The members of the Makers authority class permit the manufacturer of the TPer to open an authenticated session to the TPer. The MakerPuK (i.e., Manufacturer) authority only has the Manufacturer Public Key (not the private) and a Certificate attesting to this, which is signed by the Manufacturer.

Initializing FIPS 140-2 or 140-3 validated devices in a FIPS-compliant manner generally requires disabling the Makers Authority (see example security policies from Seagate and Western Digital).

The relevant portions of the Admin SP Authority table in Opal 2.0: image

And in Enterprise 1.0: image

kadler15 avatar Aug 22 '23 16:08 kadler15