#2956 PR merged: Opalpba authtoken

Labels: enhancement, fixed / solved / done

kernins opened issue at 2023-03-12 18:55:

Relax-and-Recover (ReaR) Pull Request Template

Please fill in the following items before submitting a new pull request:

Pull Request Details:
  • Type: New Feature / Enhancement

  • Impact: Normal

  • Reference to related issue (URL):

  • How was this pull request tested?

QEMU, Latitude 7400 with Samsung 960Pro

  • Brief description of the changes in this pull request:

Adds AuthToken generation & disk-unlocking feature into OpalPBA image.
Nothing fancy atm, just encrypted tokens being stored on/read from a plain Linux block device (e.g. USB drive, SD card, etc.)

Supports TPM2-assisted encryption, so tokens can be made pretty much secure and tightly bound to device/boot environment.
Supports 2FA authentication (additional password/pin to decrypt token) with basic brute-force protection.
Allows for unattended cold booting optionally restricted to SecureBoot-active environment only.
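To make the mechanism named in the description concrete, the following is an added shell example; it is not code from ReaR or from this pull request. It shows a token kept encrypted on an ordinary medium, unwrapped with a second factor (a PIN), and a failure counter that locks the token after repeated wrong PINs. Everything beyond the description is an assumption: files in a temporary directory stand in for the block device, `openssl enc` (AES-256-CBC with PBKDF2) does the wrapping, the token is 32 random bytes in hex, the lockout threshold is 3, and TPM2 sealing and the Opal unlock itself are left out.

```shell
#!/bin/sh
# Illustrative example only: NOT code from ReaR or from this pull request.
# Mechanism: an authentication token stored encrypted on a plain medium,
# unwrapped with a PIN (second factor), with a lockout after too many
# wrong PINs.  Assumptions (not stated by the PR): files in a directory
# stand in for the block device, openssl enc (AES-256-CBC, PBKDF2) wraps
# the token, the token is 32 random bytes hex-encoded, lockout is at 3.
# TPM2 sealing and the Opal drive unlock itself are out of scope here.

AT_DIR="${AT_DIR:-$(mktemp -d)}"          # stand-in for the token medium
AT_TOKEN="$AT_DIR/authtoken.enc"         # PIN-wrapped token
AT_FAILS="$AT_DIR/authtoken.fails"       # consecutive wrong-PIN count
AT_MAX_FAILS="${AT_MAX_FAILS:-3}"        # lock after this many failures
AT_FAIL_DELAY="${AT_FAIL_DELAY:-1}"      # seconds to stall after a wrong PIN
AT_KDF_ITER=200000                       # PBKDF2 iterations for the PIN

# at_create PIN: generate a fresh token, store it wrapped with PIN, print it.
# In a real PBA the printed value is what would be set as the Opal password.
at_create() {
    pin="$1"
    token=$(openssl rand -hex 32) || return 1
    # The PIN is handed over via the environment rather than argv, so it does
    # not show up in the process list.
    printf '%s' "$token" | AT_PIN="$pin" openssl enc -aes-256-cbc -salt \
        -pbkdf2 -iter "$AT_KDF_ITER" -pass env:AT_PIN -out "$AT_TOKEN" || return 1
    printf '0' > "$AT_FAILS"
    printf '%s\n' "$token"
}

# at_unlock PIN: print the token on success (exit 0).
# Exit 1 on a wrong PIN (counter incremented), exit 2 when locked out.
at_unlock() {
    pin="$1"
    fails=$(cat "$AT_FAILS" 2>/dev/null || printf '0')
    if [ "$fails" -ge "$AT_MAX_FAILS" ]; then
        echo "authtoken locked after $fails failed attempts" >&2
        return 2
    fi
    token=$(AT_PIN="$pin" openssl enc -d -aes-256-cbc -pbkdf2 \
        -iter "$AT_KDF_ITER" -pass env:AT_PIN -in "$AT_TOKEN" 2>/dev/null) || token=''
    # CBC carries no integrity check: a wrong PIN occasionally decrypts to
    # garbage with valid padding, so also require the 64-hex-digit shape.
    case "$token" in *[!0-9a-f]*) token='' ;; esac
    if [ "${#token}" -eq 64 ]; then
        printf '0' > "$AT_FAILS"                 # right PIN resets the counter
        printf '%s\n' "$token"
        return 0
    fi
    printf '%s' "$((fails + 1))" > "$AT_FAILS"   # record the failure first,
    sleep "$AT_FAIL_DELAY"                       # then slow down the next guess
    return 1
}
```

The counter is written before the delay and before returning, so interrupting the script during the stall does not let a guess go uncounted; a correct PIN resets it. A real implementation would keep the counter somewhere an attacker holding the medium cannot simply reset, which is where the TPM2 binding mentioned in the description comes in.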

jsmeix commented at 2023-03-13 09:53:

@kernins
thank you for your contribution to enhance ReaR!

For now I added only some comments what I spotted in general
by a quick look at the code changes in this pull request.

I am not a TCG Opal disk user so I can
neither check what the code does
nor verify how far it works.

The OPAL_PBA code was implemented by @OliverO2
Perhaps - as time permits - he may have a look here.

kernins commented at 2023-03-13 23:58:

Thanks guys for all your comments & review
I'll go through your suggestions more closely when the time allows

kernins commented at 2023-03-15 02:22:

As of now I deployed this on both of my laptops (960Pro & 990Pro NVMes), both working fine with USB & uSD (mmcblk) media acting as AT

jsmeix commented at 2023-03-22 13:23:

@kernins
could you tell us when you are done with your code improvements
so we know when you think this pull request is ready to be merged?
No rush - take your time.

In general your code is OK when your code follows
how the already existing code for Opalpba is implemented.

kernins commented at 2023-03-23 08:05:

@kernins could you tell us when you are done with your code improvements so we know when you think this pull request is ready to be merged? No rush - take your time.

In general your code is OK when your code follows how the already existing code for Opalpba is implemented.

For the time being I'm done with this part

jsmeix commented at 2023-03-23 10:28:

@rear/contributors
I would like to merge it next Monday (27. March) afternoon
unless there are objections.

@pcahyna
if your time permits I would appreciate it
if you could have just a quick look at the code.
Perhaps you might spot something that is obviously
a real problem where things could actually go wrong.

jsmeix commented at 2023-03-27 11:38:

@kernins
thank you for your major enhancement
of OpalPBA support in ReaR!


[Export of Github issue for rear/rear.]