| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 May 2019 19:31:12 +0000
From: "Derrick, Jonathan" <jonathan.derrick@...el.com>
To: "zub@...ux.fjfi.cvut.cz" <zub@...ux.fjfi.cvut.cz>,
"sbauer@...donthack.me" <sbauer@...donthack.me>
CC: "hch@...radead.org" <hch@...radead.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-block@...r.kernel.org" <linux-block@...r.kernel.org>,
"jonas.rabenstein@...dium.uni-erlangen.de"
<jonas.rabenstein@...dium.uni-erlangen.de>,
"axboe@...nel.dk" <axboe@...nel.dk>
Subject: Re: [PATCH 0/3] block: sed-opal: add support for shadow MBR done
flag and write
On Sun, 2019-05-05 at 10:43 -0400, Scott Bauer wrote:
> On Fri, May 03, 2019 at 10:32:19PM +0200, David Kozub wrote:
> > On Wed, 1 May 2019, Christoph Hellwig wrote:
> >
> > > > I successfully tested toggling the MBR done flag and writing
> > > > the shadow MBR
> > > > using some tools I hacked together[4] with a Samsung SSD 850
> > > > EVO drive.
> > >
> > > Can you submit the tool to util-linux so that we get it into
> > > distros?
> >
> > There is already Scott's sed-opal-temp[1] and a fork by Jonas that
> > adds
> > support for older version of these new IOCTLs[2]. There was already
> > some
> > discussion of getting that to util-linux.[3]
> >
> > While I like my hack, sed-opal-temp can do much more (my tool
> > supports just
> > the few things I actually use). But there are two things which sed-
> > opal-temp
> > currently lacks which my hack has:
> >
> > * It can use a PBKDF2 hash (salted by disk serial number) of the
> > password
> > rather than the password directly. This makes it compatible with
> > sedutil
> > and I think it's also better practice (as firmware can contain
> > many
> > surprises).
> >
> > * It contains a 'PBA' (pre-boot authorization) tool. A tool
> > intended to be
> > run from shadow mbr that asks for a password and uses it to
> > unlock all
> > disks and set shadow mbr done flag, so after restart the computer
> > boots
> > into the real OS.
> >
> > @Scott: What are your plans with sed-opal-temp? If you want I can
> > update
> > Jonas' patches to the adapted IOCTLs. What are your thoughts on PW
> > hashing
> > and a PBA tool?
>
> I will accept any and all patches to sed opal tooling, I am not
> picky. I will
> also give up maintainership of it is someone else feels they can
> (rightfully
> so) do a better job.
>
> Jon sent me a patch for the tool that will deal with writing to the
> shadow MBR,
> so once we know these patches are going in i'll pull that patch into
> the tool.
>
> Then I guess that leaves PBKDF2 which I don't think will be too hard
> to pull in.
>
> With regard to your PBA tool, is that actually being run post-
> uefi/pre-linux?
> IE are we writing your tool into the SMBR and that's what is being
> run on bootup?
>
> Jon, if you think it's a good idea can you ask David if Revanth or
> you wants
> to take over the tooling? Or if anyone else here wants to own it then
> let me know.
>
I'll get back to you on this. Let me know if it begins to pick up a lot
of steam and I can prioritize this.
Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (3278 bytes)
Powered by blists - more mailing lists