sed: add '--read-only' to 'sed initialize'

By default 'sed initialize' will set the entire disk to read/write
locked, ie no access is possible. That is all fine if the BIOS supports
TCG Opal, as then the BIOS can unlock the drive before access.
But for BIOS _not_ supporting TCG Opal this results in an inaccessible
drive, and requires the user to use a different drive to boot and
unlock the SED device.
This patch adds a flag '--read-only' to 'nvme sed initlialize' such
that the 'read-lock enable' flag is not set for the locking range,
and the device continues to be readable by the BIOS for booting.

Signed-off-by: Hannes Reinecke <hare@suse.de>

diff --git a/plugins/sed/sed.c b/plugins/sed/sed.c
index 0471e5406fb295eb33a049ee95a6308400516a8c..9e48d83286a22c861024c37737d554e197b93a90 100644 (file)
--- a/plugins/sed/sed.c
+++ b/plugins/sed/sed.c
@@ -23,6 +23,12 @@ OPT_ARGS(no_opts) = {
        OPT_END()
 };
 
+OPT_ARGS(init_opts) = {
+       OPT_FLAG("read-only", 'r', &sedopal_lock_ro,
+                "Set locking range to read-only"),
+       OPT_END()
+};
+
 OPT_ARGS(key_opts) = {
        OPT_FLAG("ask-key", 'k', &sedopal_ask_key,
                        "prompt for SED authentication key"),
@@ -84,7 +90,7 @@ static int sed_opal_initialize(int argc, char **argv, struct command *cmd,
        const char *desc = "Initialize a SED device for locking";
        struct nvme_dev *dev;
 
-       err = sed_opal_open_device(&dev, argc, argv, desc, no_opts);
+       err = sed_opal_open_device(&dev, argc, argv, desc, init_opts);
        if (err)
                return err;
 

diff --git a/plugins/sed/sedopal_cmd.c b/plugins/sed/sedopal_cmd.c
index 017649d65966265c9d33fd9726aa688a41d7b79d..46d2592d56989451acf55cd9a57f10a57926b832 100644 (file)
--- a/plugins/sed/sedopal_cmd.c
+++ b/plugins/sed/sedopal_cmd.c
@@ -34,6 +34,11 @@ bool sedopal_destructive_revert;
  */
 bool sedopal_psid_revert;
 
+/*
+ * Lock read-only
+ */
+bool sedopal_lock_ro;
+
 /*
  * Map method status codes to error text
  */
@@ -206,7 +211,8 @@ int sedopal_cmd_initialize(int fd)
        lr_setup.range_start = 0;
        lr_setup.range_length = 0;
        lr_setup.RLE = true;
-       lr_setup.WLE = true;
+       if (!sedopal_lock_ro)
+               lr_setup.WLE = true;
 
        lr_setup.session.opal_key = key;
        lr_setup.session.sum = 0;

diff --git a/plugins/sed/sedopal_cmd.h b/plugins/sed/sedopal_cmd.h
index 3b6eae27a8ac3841f1071e491d5208903831c699..2be433240cbe6cb8b55757c698a6b3a4eb1c6be5 100644 (file)
--- a/plugins/sed/sedopal_cmd.h
+++ b/plugins/sed/sedopal_cmd.h
@@ -17,6 +17,7 @@ extern bool sedopal_ask_key;
 extern bool sedopal_ask_new_key;
 extern bool sedopal_destructive_revert;
 extern bool sedopal_psid_revert;
+extern bool sedopal_lock_ro;
 
 /*
  * Sub-commands supported by the sedopal command