[arch-general] Rerun bootloader from initramfs

Mauro Santos registo.mailling at gmail.com
Fri Nov 20 18:29:46 UTC 2015


On 20-11-2015 17:57, Jayesh Badwaik wrote:
> On Friday, November 20, 2015 05:46:18 PM Mauro Santos wrote:
>> Not really, BIOS is old and it doesn't know anything about OPAL drives.
>> I don't know about UEFI machines but I suspect not many know about
>> SEDs/OPAL either.
> By BIOS, I meant UEFI, sorry about that. My UEFI is from 2013 (Dell Latitude) 
> and it knows enough about SEDs. I use SSDs and I use Hardware Based Encryption 
> with it (Samsung 850 Evo). 
> 
>> On the other hand, you don't know what kind of treatment the BIOS would
>> do to the password before sending it to the SED, one BIOS could send it
>> plaintext, others could send key scancodes, you don't want to get
>> anywhere near that kind of nonsense. This would mean that you might not
>> be able to unlock the disk if you move it to another machine.
> That is something I have never paid any attention to. But I can set a password 
> through Linux's hdparm utility, and then you can unlock it from the 
> BIOS and vice-versa. So, I think that makes it standard enough, but not sure. 
> 

This is starting to get off-topic but here goes: if you say you can lock
your SSD with hdparm and unlock it with the UEFI firmware, then what you
are using is a plain old ATA security password, which in the case of
Samsung they claim will encrypt the media encryption key (MEK).

This method of providing a password to protect the MEK is not standard
and I guess they do it as a convenience for the user. What I've been
talking about from the start is SEDs that support TCG Opal[1].

[1] https://en.wikipedia.org/wiki/Opal_Storage_Specification

-- 
Mauro Santos
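
Added example, not part of the original message: one way to confirm that the ATA security feature set described above is what protects a drive is to read the "Security:" section of `hdparm -I` output. The sample output below is constructed, `/dev/sdX` is a placeholder, and the result says nothing about TCG Opal locking state.

```shell
#!/bin/sh
# Summarise the ATA Security state reported by `hdparm -I`.
# Real use (as root): hdparm -I /dev/sdX | ata_security_state

# Constructed sample: password set, unlocked and frozen by the firmware at boot.
sample_hdparm_output() {
cat <<'EOF'
Commands/features:
	Enabled	Supported:
	   *	Security Mode feature set
Security: 
	Master password revision code = 65534
		supported
		enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
}

# Reads hdparm -I output on stdin, prints one line of key=value flags.
# A flag stays "unknown" if the Security section or that line is missing.
ata_security_state() {
    awk '
        BEGIN { sup = en = lk = fr = "unknown" }
        /^Security:/ { in_sec = 1; next }
        in_sec && NF > 0 {
            # An unindented line starts the next section.
            c = substr($0, 1, 1)
            if (c != " " && c != "\t") { in_sec = 0; next }
            # hdparm prefixes a flag with "not" when it is off.
            neg = ($1 == "not") ? "no" : "yes"
            if      ($NF == "supported" && NF <= 2) sup = neg
            else if ($NF == "enabled"   && NF <= 2) en  = neg
            else if ($NF == "locked"    && NF <= 2) lk  = neg
            else if ($NF == "frozen"    && NF <= 2) fr  = neg
        }
        END { printf "supported=%s enabled=%s locked=%s frozen=%s\n", sup, en, lk, fr }
    '
}

sample_hdparm_output | ata_security_state
```

`enabled=yes` means an ATA user password is set; `frozen=yes` means the firmware has blocked further security commands until the next power cycle.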

