#1659 PR merged: Support TCG Opal 2-compliant self-encrypting disks and RAWDISK output

Labels: enhancement, documentation, fixed / solved / done

OliverO2 opened issue at 2017-12-21 23:28:

This PR introduces

  1. support for TCG Opal 2-compliant self-encrypting disks (SEDs), and
  2. a RAWDISK output method (fixes #1578) with UEFI/Legacy BIOS dual boot capability.

Documentation:

This PR introduces only minor changes to existing ReaR code as most of it is extra functionality. The code has been tested successfully on Ubuntu 16.04.3 LTS.

In the hope of simplifying development and maintenance, the new code does not carry the backward-compatibility overhead present in other parts of ReaR. The extra capabilities are meant to be used on rather recent systems and should not break any existing functionality.

Notes

PBA System

The new mkopalpba workflow generates a complete Pre-Boot Authentication (PBA) system to unlock self-encrypting boot disks. Unlike the implementation of Drive-Trust-Alliance/sedutil, this PBA system does not require downloading and building an entire Linux distribution from scratch. Instead, it builds upon ReaR's capabilities to create a rescue system, adapted to create a minimal system equipped with the required unlocking functionality.

PBA usability is best when a Plymouth boot splash is installed on the original system, but the PBA will also work without one. It has been tested with systemd only, but init stuff is also provided (test feedback welcome).

General Configuration Variables

New:

Changed:

  • USE_DHCLIENT: Can now be explicitly disabled. Previously, only explicitly enabling or auto-detection was available.

General Use Functionality

The following code could be integrated into generic ReaR at some point in the future:

  • usr/share/rear/build/OPALPBA/Linux-i386/810_deduplicate_files.sh

  • From usr/share/rear/lib/opal-functions.sh:

    • opal_disk_partition_information()
    • opal_disk_has_partitions()
    • opal_disk_has_mounted_partitions()
    • opal_bytes_to_mib()

TODO

Boot scripts

Currently, usr/share/rear/skel/default/etc/scripts/unlock-opal-disks selectively includes setup scripts from usr/share/rear/skel/default/etc/scripts/system-setup.d. Advantage of this approach: It requires no restructuring of existing ReaR code. Disadvantage: Code in unlock-opal-disks is vulnerable to the renaming of setup scripts.

A future solution (which I'd propose in a subsequent PR once this one is accepted) could use two different directories with

  1. setup scripts for a minimal system,
  2. setup scripts for a complete rescue system.

jsmeix commented at 2018-01-04 14:19:

@OliverO2
this pull request is big so that I cannot review it in full detail.

My main concern is whether or not changes in existing scripts
might result in incompatible behavioural changes anywhere else.

For example I wonder how your new
skel/default/usr/lib/systemd/system/
scripts for TCG Opal pre-boot authentication
are ignored/skipped when TCG Opal pre-boot authentication
is not wanted.

In some of your added scripts that are run in any case like
layout/prepare/GNU/Linux/180_include_opaldisk_code.sh
a topmost test seems to be missing whether or not
TCG Opal 2 and/or OUTPUT=RAWDISK is used.
I assume e.g. in your
layout/save/GNU/Linux/190_opaldisk_layout.sh
and
prep/default/380_include_opal_tools.sh
such a topmost test is implemented as

has_binary sedutil-cli || return 0

OliverO2 commented at 2018-01-04 14:49:

@jsmeix

> For example I wonder how your new
> skel/default/usr/lib/systemd/system/
> scripts for TCG Opal pre-boot authentication
> are ignored/skipped when TCG Opal pre-boot authentication
> is not wanted.

There are three systemd units:

  • sysinit-opalpba.target, which only becomes active if requested via the kernel command line (cf. KERNEL_CMDLINE setting in usr/share/rear/prep/OPALPBA/Linux-i386/001_configure_workflow.sh)
  • sysinit-opalpba.service, which only becomes active if requested by sysinit-opalpba.target
  • plymouth-start.service, which only becomes active if requested by sysinit-opalpba.service, and only if plymouth is installed

So there is no effect on the standard boot procedure, which uses the default sysinit.target.

> In some of your added scripts that are run in any case like
> layout/prepare/GNU/Linux/180_include_opaldisk_code.sh
> a topmost test seems to be missing

Like other scripts in layout/prepare, the script layout/prepare/GNU/Linux/180_include_opaldisk_code.sh only defines functions, so there is nothing actually running. There are generally no conditions in layout/prepare (cf. 150_include_drbd_code.sh or 170_include_hpraid_code.sh) as these functions are only called if their corresponding entries are present in $DISKLAYOUT_FILE. So in our case, the condition in usr/share/rear/layout/save/GNU/Linux/190_opaldisk_layout.sh should be sufficient, right?
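
The guard and dispatch behaviour discussed in the two comments above, as an added example that is not part of the original thread and is not ReaR code. The `has_binary` body is a stand-in for ReaR's helper, and the `opaldisk` entry format, the `create_opaldisk` name and the script file names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not ReaR code. Names marked "hypothetical" are assumptions.

# Stand-in for ReaR's has_binary helper: succeeds if any named program exists.
has_binary() {
    for _bin in "$@"; do
        command -v "$_bin" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Sources a save-stage and a prepare-stage script against a scratch layout
# file, then prints the actions a recovery run would dispatch.
simulate_layout() {   # $1 = tool the save script is guarded on
    work=$(mktemp -d) || return 1
    DISKLAYOUT_FILE="$work/disklayout.conf"
    : > "$DISKLAYOUT_FILE"

    # Save-stage script: the topmost guard makes it a no-op without the tool.
    cat > "$work/190_save.sh" <<EOF
has_binary $1 || return 0
echo "opaldisk /dev/sdX" >> "\$DISKLAYOUT_FILE"   # hypothetical entry format
EOF
    # Prepare-stage script: defines a function, executes nothing when sourced.
    cat > "$work/180_prepare.sh" <<'EOF'
create_opaldisk() { echo "would set up Opal disk $1"; }   # hypothetical name
EOF
    . "$work/190_save.sh"
    . "$work/180_prepare.sh"

    # Dispatcher: a create_<kind> function runs only for entries in the layout.
    while read -r kind device; do
        "create_$kind" "$device"
    done < "$DISKLAYOUT_FILE"
    rm -rf "$work"
}
```

With the guarded tool present, `simulate_layout` prints one dispatched action; with it absent, the prepare script is still sourced but nothing is printed, because no layout entry exists to trigger its function.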

gdha commented at 2018-01-08 13:09:

@OliverO2 Your Debian packaging/debian/control patch has a conflict with your DEV tree

gdha commented at 2018-01-08 15:01:

@jsmeix @gozora @schabrolles @schlomo @OliverO2 If no one objects, I would just merge it so we have plenty of time to get feedback from the user community

OliverO2 commented at 2018-01-08 15:05:

@gdha No objections on my part ;-).

schlomo commented at 2018-01-08 15:15:

👍

jsmeix commented at 2018-01-09 08:59:

I already had approved it.


[Export of Github issue for rear/rear.]