No commits in 2 years. Is project still active? #292

Open
gkohri opened this issue Jun 29, 2019 · 15 comments

@gkohri gkohri commented Jun 29, 2019

I am interested in using this on my computers, but I notice there have not been any commits for almost 2 years. Is the project still active? Hope so, but would like to know future plans before I commit to using it.

@ladar ladar commented Jul 10, 2019

@gkohri yes the project is still active in the sense that a majority of Linux distros rely on this code for SED support. While @r0m30 doesn't appear to be active on GitHub, or making commits to this repo, there are a number of other people making improvements/modifications in various forks. You just need to find the one that suits your needs (or make your own).

In my case, I created my own fork because I wanted a version that used SHA512 instead of SHA1, and which forced the recovery/PBA images to boot using 720p. The text on my 4k screen in its native resolution was unreadable (from more than 2 inches away). While I was at it, I cleaned up prompts/messages, and modified the PBA to handle bad password entries better. Namely, 3 attempts per boot then shutdown. Unlike the official images which reboot regardless of whether you enter the correct password, or other versions I tested which allowed an unlimited number of attempts.

If you're so inclined, my version is here:

http://github.com/ladar/sedutil/

Which I built on top of the @ckamm fork:

https://github.com/ckamm/sedutil/

Which was in turn built on top of the @CyrilVanErsche fork:

https://github.com/CyrilVanErsche/sedutil/

If none of those match your particular palate, I'd suggest looking at this page, which should be helpful in your search for something with the right flavour:

https://github.com/Drive-Trust-Alliance/sedutil/network

@gkohri gkohri commented Jul 10, 2019

Thanks for the info, ladar, your fork sounds interesting.

One question: Once a PBA has been installed using an older version of sedutil-cli, is it possible to switch the PBA from the older version to your version? Or does the difference in hash functions make the change impossible without losing all data on the disk? (I also find the small print and rebooting even when the password is wrong annoying.)

@ckamm ckamm commented Jul 10, 2019

@ladar I'm glad you continued with improvements and made a proper release! Looks good, I'll use your version in the future.

Maybe one could avoid the SHA1 vs SHA512 issue by having a command line switch in the tool and trying both hashing variants in the boot images?

@ckamm ckamm commented Jul 10, 2019

@gkohri It's possible to migrate to the new hash without losing data but it's currently fiddly. You'd probably output the SHA1 and SHA512 hashed passwords and do a password change with hashing disabled. (haven't tried)

@ladar ladar commented Jul 10, 2019

My repo has the code for SHA1 and SHA512, so switching between them only requires changing 1 line of code. I compiled SHA1 and SHA512 versions, precisely because I knew there would be people like you.

In theory you should be able to boot using the SHA1 recovery image I posted, then load the PBA image it contains, and live happily ever after, without having to remove the crypto.

> Maybe one could avoid the SHA1 vs SHA512 issue by having a command line switch in the tool and trying both hashing variants in the boot images?

My original plan was to try every password attempt via SHA512 first, and if it failed, retry it using SHA1. Adding support for that to the PBA looked pretty easy (at a glance). But I was worried the CLI tools wouldn't work, which would defeat the point, as users couldn't load the PBA via the recovery image. And I never got around to seeing how hard it would be to have the CLI tools retry failed passwords.

I imagine writing the code wouldn't be that hard. So if you do, please send me a pull request. What really stopped me from doing it was having to test every image twice, when I only have 1 laptop with OPAL 2.0 drives right now. Plus I spent waaay too much time getting this far...

I tested switching the 1 line of code between SHA1 and SHA512 though. I had to do that so I could use my SHA1 builds to unlock (via PBA), and eventually remove the OPAL config I set up using the official builds. But once I switched to SHA512, it was too painful to go back and test every version using both setups.
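
The SHA512-first, SHA1-fallback retry described in the comment above, combined with the three-attempts-per-boot limit mentioned earlier in the thread, as an added example (not code from any sedutil fork). The PBKDF2 parameters, the serial-number salt, `SimulatedDrive` and its try limit are assumptions for illustration; the point to notice is that each typed password can cost the drive two failed authentications.

```python
import hashlib
import hmac

ITERATIONS, KEY_LEN = 75000, 32  # assumed KDF parameters, not taken from the thread

def derive_key(password, serial, algo):
    """PBKDF2 over the typed password, salted with the drive serial (assumed)."""
    return hashlib.pbkdf2_hmac(algo, password.encode(), serial.encode(),
                               ITERATIONS, KEY_LEN)

class SimulatedDrive:
    """Hypothetical stand-in for a locked drive that counts failed logins."""
    def __init__(self, serial, credential, try_limit=6):
        self.serial, self._credential = serial, credential
        self.try_limit, self.failed_tries, self.locked = try_limit, 0, True

    def authenticate(self, key):
        if self.failed_tries >= self.try_limit:
            return False  # locked out until the drive is power cycled
        if hmac.compare_digest(key, self._credential):
            self.failed_tries, self.locked = 0, False
            return True
        self.failed_tries += 1
        return False

def unlock_with_fallback(drive, typed_passwords, max_attempts=3):
    """Return (algo, attempts) on success, (None, attempts) when the PBA
    should shut down. Each typed password is tried as SHA512, then SHA1."""
    attempts = 0
    for password in typed_passwords[:max_attempts]:
        attempts += 1
        for algo in ("sha512", "sha1"):
            if drive.authenticate(derive_key(password, drive.serial, algo)):
                return algo, attempts
    return None, attempts

def demo():
    serial = "CONSTRUCTED-SN-0001"  # constructed sample values throughout
    legacy = SimulatedDrive(serial, derive_key("old-pass", serial, "sha1"))
    ok = unlock_with_fallback(legacy, ["typo-pass", "old-pass"])
    wrong = SimulatedDrive(serial, derive_key("old-pass", serial, "sha1"))
    fail = unlock_with_fallback(wrong, ["a", "b", "c", "old-pass"])
    return ok, legacy.locked, fail, wrong.failed_tries

if __name__ == "__main__":
    print(demo())
```

In the failing run, three typed passwords use up six drive-side tries, so a fallback of this kind has to be budgeted against whatever try limit the drive enforces.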

@ladar ladar commented Jul 10, 2019

@gkohri @ckamm yes it's possible to switch hash algos without losing data, but the process is a bit cumbersome (especially for the novice). If you want to switch, you need to boot from a SHA1 compatible recovery image, and remove OPAL completely:

sedutil-cli --disablelockingrange 0 <password> <drive>
sedutil-cli --setmbrenable off <userid> <password> <drive>
sedutil-cli --revertnoerase <password> <drive>
sedutil-cli --reverttper <password> <drive>

Note the userid is only required if you're using @ckamm 's version, or my own, and not the DTA recovery image. Once you're done removing OPAL, power down the computer, and boot it using a recovery image with SHA512. From there you should be able to set up the drive as if it were new. This process includes loading the bundled PBA image with SHA512 from the recovery image. I went through variations of this process a painful number of times, without a problem, but it was certainly scary.

Of course, the above only works if you have a drive with a compliant firmware. Supposedly some drives have buggy implementations which could result in the removal process wiping your drive. Hence why it was easier to just build SHA1 & SHA512 images, rather than help every layman through this process and get the inevitable complaints when someone does end up losing all their data...

https://github.com/Drive-Trust-Alliance/sedutil/wiki/Remove-OPAL

@ShuaiTony ShuaiTony commented Jul 16, 2019

Is anyone trying to send commands to the NVMe device? I see that it is not implemented in the software (tested on Windows).

@maenpaa24 maenpaa24 commented Jul 16, 2019

At least in Linux I believe you have nvme-cli to send commands to the device.

https://github.com/linux-nvme/nvme-cli.git

@ShuaiTony ShuaiTony commented Jul 16, 2019

Yeah, I have successfully tested nvme devices on Linux, but my customers want it to work well on Windows, and I don't know how to do it.

@lukefor lukefor commented Aug 2, 2019

@ShuaiTony You can find windows nvme support in my fork here https://github.com/lukefor/sedutil/tree/windows_nvme

@ShuaiTony ShuaiTony commented Aug 5, 2019

@lukefor Yeah, thank you very much for your answer. It's just what I need. Thanks again!

@DrEmpiricism DrEmpiricism commented Aug 29, 2019

> @gkohri yes the project is still active in the sense that a majority of Linux distros rely on this code for SED support. While @r0m30 doesn't appear to be active on GitHub, or making commits to this repo, there are a number of other people making improvements/modifications in various forks. You just need to find the one that suits your needs (or make your own).
>
> In my case, I created my own fork because I wanted a version that used SHA512 instead of SHA1, and which forced the recovery/PBA images to boot using 720p. The text on my 4k screen in its native resolution was unreadable (from more than 2 inches away). While I was at it, I cleaned up prompts/messages, and modified the PBA to handle bad password entries better. Namely, 3 attempts per boot then shutdown. Unlike the official images which reboot regardless of whether you enter the correct password, or other versions I tested which allowed an unlimited number of attempts.
>
> If you're so inclined, my version is here:
>
> http://github.com/ladar/sedutil/
>
> Which I built on top of the @ckamm fork:
>
> https://github.com/ckamm/sedutil/
>
> Which was in turn built on top of the @CyrilVanErsche fork:
>
> https://github.com/CyrilVanErsche/sedutil/
>
> If none of those match your particular palate, I'd suggest looking at this page, which should be helpful in your search for something with the right flavour:
>
> https://github.com/Drive-Trust-Alliance/sedutil/network

Just stumbled upon this. Your fork, and modifications to the PBA, are very nice improvements over the default images. They're much cleaner and the increase in resolution to 720p is very nice, too.

I will be using your fork from here on out.

@ladar ladar commented Aug 29, 2019

@DrEmpiricism thank you. If you find anything I might have missed, please submit a pull request to my repo.

I'd still like to tackle chain loading support for Linux at some point, but I just haven't had the time.

@patrickdung patrickdung commented Jan 13, 2020

There are many forks from different people.
If DTA would accept or use the patches from other people, it would be good.
The original DTA branch hasn't made any updates for two years. I think other people should fork it and focus on maintaining one forked repository, instead of maintaining several diverse repositories.

@macpijan macpijan commented Mar 12, 2020

That would actually be great. I can see tons of forks with individual fixes / improvements out there.

At first glance, the https://github.com/ChubbyAnt/sedutil stands out. Maybe because they have a nice web page https://sedutil.com/ :)
