[bug #51418] Support for opal specification self-encrypting disks and pre-boot authentication

[J Broussard]

URL:
  <http://savannah.gnu.org/bugs/?51418>

                 Summary: Support for opal specification self-encrypting disks
and pre-boot authentication
                 Project: GNU GRUB
            Submitted by: daijizai
            Submitted on: Sat 08 Jul 2017 04:46:15 PM UTC
                Category: Security
                Severity: Major
                Priority: 5 - Normal
              Item Group: Feature Request
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 
                 Release: other
         Reproducibility: None
         Planned Release: None

    _______________________________________________________

Details:

Opal drives load an initial EFI from a secure MBR which then unlocks the drive
and allows access to the disk.

While a GNU Linux solution exists (https://github.com/sedutil/sedutil), it
requires a soft reboot after unlocking from the pre-boot authentication (PBA)
image instead of chainloading the unlocked EFI partition. On some machines
this relocks the disk.

With the inclusion of new OPAL support code in the 4.11 Linux kernel release
it makes sense that new supporting features should be added to recognized
bootloaders to allow the community to take advantage of a feature available to
Windows users for years.

The GRUB project should consider creating an opal compatible PBA image for use
with self-encrypting disks to unlock the drive and chainload the primary grub
installation.




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?51418>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/