#2512 PR merged: Improve TCG Opal 2 Documentation, fix #2511

Labels: enhancement, documentation, fixed / solved / done

OliverO2 opened issue at 2020-11-08 17:15:

Pull Request Details:
  • Type: Enhancement

  • Impact: Normal

  • Reference to related issue (URL): #2511

  • How was this pull request tested? By reading.

  • Brief description of the changes in this pull request: Added a Quick Start section plus corrections.

jsmeix commented at 2020-11-09 11:04:

@OliverO2
if you like I can merge it as is right now.

I tried to proof-read the whole doc/user-guide/13-tcg-opal-support.adoc
but I cannot because I do not have the needed general understanding
about this area so I would need too much time unitl I could proof-read it.
On a quick first glance I am somewhat confused by the various wordings
for example "SED" versus "Opal disk" (are both same or different things?)
so at least for me its hard to understand how all those things belong to each other.
I understand that it is about to boot from an encrypted disk (something like LUKS)
but I fail to imagine the bigger overall picture so I fail to understand the details.
I think generic information about Opal 2-compliant self-encrypting disk (SED)
is not needed in ReaR's documenation but a link to such generic information
at the beginning of ReaR's documenation could help a lot. Of course I could
use Google and find out things on my own but there are other things with
higher priority that I have to do first (and likely there will always be some
other thing with higher priority that I have to do first).

jsmeix commented at 2020-11-09 11:54:

@OliverO2
can I merge it or do you like to do more improvements?

OliverO2 commented at 2020-11-09 11:57:

I agree, proof-reading it all without ever touching the stuff is a bit tedious. Feedback so far suggests that the overall TCG Opal 2 guide works. The new "Quick Start" section just eases the initial setup.

The section "TCG Opal 2-compliant Self-Encrypting Disks" (which existed before) explains the concepts. So everything should be in there. Regarding the difference between "SED" and "Opal disk", the first sentence of that section is:

An Opal 2-compliant self-encrypting disk (SED) encrypts disk contents in hardware.

The term "SED" refers to any kind of self-encrypting disk. A "TCG Opal 2-compliant disk" or short "Opal disk" is a variant of an SED which implements the Opal 2 standard. There are/were other SED variants on the market using proprietary protocols.

In general, these disks all provide full disk encryption in hardware, similar to what LUKS does in software. The main differences are performance, boot protection and trust. LUKS may show degraded performance with specific access patterns. LUKS also requires a non-encrypted boot partition on most installations which is not tamper-resistant. SEDs operate at full drive/interface performance without buffering issues. They provide a special read-only boot partition (the PBA), which is tamper-proof. The SED's encryption mechanism is closed source, so there are trust issues. Some early models had implementation deficiencies.

OliverO2 commented at 2020-11-09 11:58:

So yes, it can be merged now!

jsmeix commented at 2020-11-09 12:12:

@OliverO2
thank you for your continuous improvements of the Opal disk support in ReaR
in particular even improvements of documentation and not only plain code!

And thank you for your explanation in
https://github.com/rear/rear/pull/2512#issuecomment-723968521

jsmeix commented at 2020-11-09 12:22:

@OliverO2
I could not resist to add the basics of your explanation in
https://github.com/rear/rear/pull/2512#issuecomment-723968521
via
https://github.com/rear/rear/commit/91c754b48849f8474f130521c908102796504544

If you are against it I would remove it.

OliverO2 commented at 2020-11-09 12:33:

@jsmeix That's OK. Thanks for reviewing and merging!


[Export of Github issue for rear/rear.]