Comments (16)

ryanjaeb commented on August 17, 2024

I have a use case where the reboot after unlocking is beneficial. I currently do this with the UEFI PBA (I can't remember which version). Going by memory, I set up a pair of 850 Pros like this:

  • Enable encryption using a rescue disk.
    • Use the same password on both drives.
    • setMBREnable on both drives.
    • Unlock both drives.
    • Soft reboot, keeping the drives unlocked.
  • Create a RAID0 (fake) RAID array in the BIOS.
  • Install Windows on the RAID0 array.

On a cold boot:

  • The PBA env boots.
  • I enter my password.
  • The machine (soft) reboots.
  • The RAID0 array is detected / assembled.
  • Windows boots normally.

from sedutil.

juliandroid commented on August 17, 2024

I was thinking about the same, but how will the current bootloader detect the just-enabled (real) SSD? Also, how are you going to set up the shadow bootloader to chainload to the real SSD? Another question: after you authenticate over Opal, what happens to the shadow partition - do you still have a chance to later execute commands from the booted LinuxPBA?

r0m30 commented on August 17, 2024

@Cysioland Yes, the LinuxPBAs reboot the machine. You're not in the BIOS, you're running an OS, so the option to chainload is gone. I thought about loading block 0, switching to real mode and then jumping to the bootloader, but the system isn't in the same state as it would be when the BIOS passes control to it, so I wasn't sure how reliable it would be, and that wouldn't work at all for UEFI systems.

@juliandroid The LinuxPBA systems are a Linux system running from RAM, so if you wanted to access the disk after you unlocked it you could mount it just like on any other running Linux system. Once you authenticate with OPAL you lose access to the Shadow MBR once you set the MBRDone flag.

Cysioland commented on August 17, 2024

@r0m30 Many people use OPAL because they have older CPUs that don't support AES-NI. These people also typically have only BIOS machines. If you can do something that has a chance to work, then it may prove itself useful.

r0m30 commented on August 17, 2024

@Cysioland I built the original biosPBA to do just that. The issue with it is that it doesn't have a very robust AHCI driver; I did a lot of googling just to get it working at all. If it works then great, but when it doesn't, remote debugging is nearly impossible. The ideal solution would be to integrate the ATA library from the kernel into syslinux, but that is a complex task that I don't have the time to do. The code is in the Drive-Trust-Alliance/syslinux repo and there is a prebuilt PBA with the code at https://github.com/Drive-Trust-Alliance/exec/blob/master/biospba.img.gz?raw=true (I don't remember if you tried it earlier or not). Just make sure you have a working rescue system in case it fails (try it on a USB stick first).

Bluebugs commented on August 17, 2024

Wouldn't it be possible to kexec a kernel from the newly mounted drive and avoid the reboot in that scenario? I am guessing it would even be possible in that case to check the signature of the kernel we are kexecing (according to https://lwn.net/Articles/603116/ this seems doable).

r0m30 commented on August 17, 2024

@Bluebugs
This wouldn't support Windows machines. Leaving that aside, the kexec'd kernel wouldn't be running in the rootfs that it expected. You would need to locate the boot partition and then implement all of the logic of a bootloader.

Bluebugs commented on August 17, 2024

@r0m30 Yes, sorry I didn't care about Windows :)

I am not sure how much is needed to do the kexec, but I am guessing you only need the kernel, the initramfs and the new command line. I don't think you actually need to do a pivot root or whatever as long as you can get the correct command line. I am wondering how that could be passed properly. Maybe it is possible to get that from some EFI variable?

r0m30 commented on August 17, 2024

@Bluebugs I have to care about Windows, it's the largest install base.

Yes, the kernel, the initramfs and the new command line are probably all I need, but then I'm writing a bootloader/bootmanager. The world doesn't need another of either of those.
If I didn't do a pivot root, how would the kernel find its modules?

I see that you want this to be a simple fix, I don't believe it is.

Bluebugs commented on August 17, 2024

@r0m30 Yes, I know you have to care about Windows, I am just pointing out that for Linux there may be some easier solution/path.

And you don't need to do a pivot root when doing a kexec with an initramfs and a customized command line as the kernel will reopen the root directory using its initramfs and the module inside of it. So you don't even need to locate root and have the filesystem support for it at all.

Being a developer, I also know that what seems easy may end up being more tricky in the end, for reasons we don't foresee now. I just believe there is something worth investigating here.

Bluebugs commented on August 17, 2024

I should also point out, that I am sadly lacking in time at the moment, otherwise I would have helped figure this out. Maybe later this year.

r0m30 commented on August 17, 2024

Google says you are correct, there is no need to reinvent a bootloader. There is still the issue of finding the boot partition on the unlocked drive and determining the kernel/initramfs/cmdline that should be used. If you limit the support to Grub2 then that is probably manageable.

I verify every image and executable before I push a new release, so this would add to that workload and make the installation documentation more complex. Don't forget our aim is to make SEDs usable by everyone, not just those of us who know way too much about our computers.

We are always happy to accept contributions to the project, I hope you find the time to research and implement this.

from sedutil.
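
The step discussed in the comments above (after unlocking, work out the kernel/initramfs/cmdline from a Grub2 config and hand them to kexec) could look like the following. This is an added example, not code from sedutil or from any commenter; the `/mnt/boot` mount point, the sample config and the function names are assumptions, and only flat configs with a numeric `set default` are handled.

```python
import re
import shlex
from pathlib import PurePosixPath

# Constructed sample of a flat GRUB2 config (not taken from a real system).
SAMPLE_GRUB_CFG = """
set default="1"
menuentry 'Old kernel' --class gnu-linux {
    linux /vmlinuz-5.10.0 root=UUID=1111-aaaa ro quiet
    initrd /initrd.img-5.10.0
}
menuentry 'Current kernel' --class gnu-linux {
    linux /vmlinuz-6.1.0 root=UUID=1111-aaaa ro quiet
    initrd /initrd.img-6.1.0
}
"""

def parse_entries(cfg):
    """Return (title, kernel, initrd, cmdline) for each menuentry block."""
    entries = []
    for m in re.finditer(r"menuentry\s+(['\"])(.*?)\1[^{]*\{(.*?)\n\s*\}", cfg, re.S):
        kernel, initrd, cmdline = None, None, ""
        for line in m.group(3).splitlines():
            words = shlex.split(line, comments=True)
            if len(words) > 1 and words[0] in ("linux", "linuxefi"):
                kernel, cmdline = words[1], " ".join(words[2:])
            elif len(words) > 1 and words[0] in ("initrd", "initrdefi"):
                initrd = words[1]
        if kernel:
            entries.append((m.group(2), kernel, initrd, cmdline))
    return entries

def resolve(boot_mount, grub_path):
    """Map a GRUB path onto the mounted boot partition; refuse '..' escapes."""
    parts = [p for p in PurePosixPath(grub_path).parts if p != "/"]
    if ".." in parts:
        raise ValueError(f"path escapes boot partition: {grub_path}")
    return str(PurePosixPath(boot_mount).joinpath(*parts))

def kexec_argv(cfg, boot_mount="/mnt/boot"):
    """Build the kexec load command for the default entry (numeric default only)."""
    entries = parse_entries(cfg)
    m = re.search(r'^\s*set\s+default="?(\d+)"?', cfg, re.M)
    _, kernel, initrd, cmdline = entries[int(m.group(1)) if m else 0]
    # -s selects kexec_file_load, the syscall under which the kernel can verify the image signature.
    argv = ["kexec", "-s", "-l", resolve(boot_mount, kernel)]
    if initrd:
        argv.append("--initrd=" + resolve(boot_mount, initrd))
    return argv + ["--command-line=" + cmdline]
```

Running the resulting command only loads the kernel; `kexec -e` then jumps to it.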

Bluebugs commented on August 17, 2024

Yes, I will need to see how things are supposed to be done. I am guessing that UEFI does standardize this and that there is maybe enough code around to understand how this is done. Will see. And yes, I understand your goal, which is to be useful for everyone, while I am clearly more selfish here.

My ultimate goal would be to enable the use of SED, TPM and secure boot all together on a device where I control the key. This would enable a secure boot from a SED with no password to enter. Ideally I would like that process to be reproducible by others and be easy to do for everyone who is using Linux, but yes, first to be served would be me :-) That's how free software works: you do something that you find cool and useful for you, but that may also help someone else, and he will keep the ball rolling. Anyway, thanks for your work and thanks for checking if that was doable. Hopefully I will be able to get to it later this year.

Manouchehri commented on August 17, 2024

@ryanjaeb Which RAID controller were you using? Surprised to hear that the PBA works with RAID 0.

ryanjaeb commented on August 17, 2024

@Manouchehri It doesn't work on a RAID array. It's just a dirty trick with the fake RAID on a consumer motherboard. The PBA is still installed on the individual disks, not the RAID array. It was the on-board RAID from this chipset.

It's basically the equivalent of configuring / unlocking several disks and then installing Linux with (mdadm) software RAID.

Manouchehri commented on August 17, 2024

@ryanjaeb Thanks, I got sedutil working on both of my 850 Pros as well!
