#2455 PR merged: OPALPBA: Provide a permanent unlocking mode as a workaround

Labels: enhancement, cleanup, fixed / solved / done

OliverO2 opened issue at 2020-07-10 10:32:

Pull Request Details:

  • Type: Enhancement

  • Impact: Normal

  • Reference to related issue (URL): #2425

  • How was this pull request tested? On Ubuntu 20.04 LTS

  • Brief description of the changes in this pull request:

    The fix in #2426 did not resolve the issue. The machine affected, an HPE ML10Gen9 server, still hung frequently, but not always, when trying to transfer control to the kernel after unlocking.

    After some more research, it turned out that the only reliable way to boot was using a power cycle after Opal disks were unlocked. It looks like the firmware did not initialize properly during a 'simple' reboot and got screwed by the changed state of the boot disk after unlocking.

    A reboot including a power cycle could be achieved on this machine via the reboot=efi kernel parameter. However, TCG Opal 2 disks enter their locked state when power is turned off.

    To allow a reboot with unlocked disks nonetheless, this PR introduces a new unlocking mode "permanent", configurable via OPAL_PBA_UNLOCK_MODE. The "permanent" mode unlocks devices and deactivates locking until a reactivation command is issued. Reactivating locking is then the responsibility of the user and is best accomplished via a systemd service at boot time on the original system (or when leaving hibernate state if that is required).

    Comments in default.conf explain the options and weaknesses of this workaround and an example configuration. When creating a PBA with "permanent" unlocking, a warning message is issued so that the user is made aware of the situation.

    The original attempt to fix the issue (ee6eb63d) has been reverted as it failed to provide a working solution.

    Finally, some code safeguarding against disk access errors has been moved to the internal base function.

    [Addition] Enhance security by disabling emergency shell access via a keyboard interrupt and switching to a password hash for OPAL_PBA_DEBUG_PASSWORD.

jsmeix commented at 2020-07-13 14:20:

@OliverO2
if it is OK for you I would merge it tomorrow afternoon.

OliverO2 commented at 2020-07-13 14:22:

@jsmeix
Absolutely, sounds good! :-)

[Export of Github issue for rear/rear.]