From 73fe6ad745b9513b6f774f58f71b55b51cc551de Mon Sep 17 00:00:00 2001 From: Hannes Reinecke Date: Fri, 15 Nov 2024 08:25:34 +0100 Subject: [PATCH] sed: add '--read-only' to 'sed initialize' By default 'sed initialize' will set the entire disk to read/write locked, ie no access is possible. That is all fine if the BIOS supports TCG Opal, as then the BIOS can unlock the drive before access. But for BIOS _not_ supporting TCG Opal this results in an inaccessible drive, and requires the user to use a different drive to boot and unlock the SED device. This patch adds a flag '--read-only' to 'nvme sed initlialize' such that the 'read-lock enable' flag is not set for the locking range, and the device continues to be readable by the BIOS for booting. Signed-off-by: Hannes Reinecke --- plugins/sed/sed.c | 8 +++++++- plugins/sed/sedopal_cmd.c | 8 +++++++- plugins/sed/sedopal_cmd.h | 1 + 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/plugins/sed/sed.c b/plugins/sed/sed.c index 0471e540..9e48d832 100644 --- a/plugins/sed/sed.c +++ b/plugins/sed/sed.c @@ -23,6 +23,12 @@ OPT_ARGS(no_opts) = { OPT_END() }; +OPT_ARGS(init_opts) = { + OPT_FLAG("read-only", 'r', &sedopal_lock_ro, + "Set locking range to read-only"), + OPT_END() +}; + OPT_ARGS(key_opts) = { OPT_FLAG("ask-key", 'k', &sedopal_ask_key, "prompt for SED authentication key"), @@ -84,7 +90,7 @@ static int sed_opal_initialize(int argc, char **argv, struct command *cmd, const char *desc = "Initialize a SED device for locking"; struct nvme_dev *dev; - err = sed_opal_open_device(&dev, argc, argv, desc, no_opts); + err = sed_opal_open_device(&dev, argc, argv, desc, init_opts); if (err) return err; diff --git a/plugins/sed/sedopal_cmd.c b/plugins/sed/sedopal_cmd.c index 017649d6..46d2592d 100644 --- a/plugins/sed/sedopal_cmd.c +++ b/plugins/sed/sedopal_cmd.c @@ -34,6 +34,11 @@ bool sedopal_destructive_revert; */ bool sedopal_psid_revert; +/* + * Lock read-only + */ +bool sedopal_lock_ro; + /* * Map method status codes to error text */ @@ -206,7 +211,8 @@ int sedopal_cmd_initialize(int fd) lr_setup.range_start = 0; lr_setup.range_length = 0; lr_setup.RLE = true; - lr_setup.WLE = true; + if (!sedopal_lock_ro) + lr_setup.WLE = true; lr_setup.session.opal_key = key; lr_setup.session.sum = 0; diff --git a/plugins/sed/sedopal_cmd.h b/plugins/sed/sedopal_cmd.h index 3b6eae27..2be43324 100644 --- a/plugins/sed/sedopal_cmd.h +++ b/plugins/sed/sedopal_cmd.h @@ -17,6 +17,7 @@ extern bool sedopal_ask_key; extern bool sedopal_ask_new_key; extern bool sedopal_destructive_revert; extern bool sedopal_psid_revert; +extern bool sedopal_lock_ro; /* * Sub-commands supported by the sedopal command -- 2.50.1