Subject: Re: hdparm --security-unlock with password prompt
To: grub-devel@gnu.org
From: Philippe Kueck
Message-ID: <5718EA09.700@quarantine.de>
Date: Thu, 21 Apr 2016 16:56:09 +0200

Hi all,

here's a patch for unlocking the ATA password from grub command line.
As mentioned in [1] it does not prompt for a password at boot but enables the hdparm module to support the security unlock feature.

In case anyone asks, the patch is GPL.

Kind regards
Philippe

[1] https://www.unixadm.org/needful-things/ataunlock#using-grub2

Content-Type: text/x-patch; name="0999-ATA-Security-Unlock.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="0999-ATA-Security-Unlock.patch"

--- grub-2.02~beta2/grub-core/commands/hdparm.c.ataunlock +++ grub-2.02~beta2/grub-core/commands/hdparm.c @@ -34,6 +34,7 @@ static const struct grub_arg_option opti "(1=3Dlow, ..., 254=3Dhigh, 255=3Doff)."), 0, ARG_TYPE_INT}, {"power", 'C', 0, N_("Display power mode."), 0, ARG_TYPE_NON= E}, + {"security-unlock", -1, 0, N_("Unlock ATA security."), 0, ARG_TYPE_STR= ING}, {"security-freeze", 'F', 0, N_("Freeze ATA security settings until res= et."), 0, ARG_TYPE_NONE}, {"health", 'H', 0, N_("Display SMART health status."), 0, ARG= _TYPE_NONE}, 
@@ -66,7 +67,7 @@ static int quiet =3D 0; static grub_err_t grub_hdparm_do_ata_cmd (grub_ata_t ata, grub_uint8_t cmd, grub_uint8_t features, grub_uint8_t sectors, - void * buffer, int size) + void * buffer, int size, int write) { struct grub_disk_ata_pass_through_parms apt; grub_memset (&apt, 0, sizeof (apt)); @@ -78,6 +79,7 @@ grub_hdparm_do_ata_cmd (grub_ata_t ata, =20 apt.buffer =3D buffer; apt.size =3D size; + apt.write =3D write; =20 if (ata->dev->readwrite (ata, &apt, 0)) return grub_errno; @@ -136,7 +138,7 @@ grub_hdparm_simple_cmd (const char * msg if (! quiet && msg) grub_printf ("%s", msg); =20 - grub_err_t err =3D grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0); + grub_err_t err =3D grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0, 0)= ; =20 if (! quiet && msg) grub_printf ("%s\n", ! err ? "" : ": not supported"); @@ -157,7 +159,7 @@ grub_hdparm_set_val_cmd (const char * ms } =20 grub_err_t err =3D grub_hdparm_do_ata_cmd (ata, cmd, features, sectors= , - NULL, 0); + NULL, 0, 0); =20 if (! quiet && msg) grub_printf ("%s\n", ! err ? "" : ": not supported"); @@ -274,6 +276,11 @@ static int get_int_arg (const struct gru return (state->set ? (int)grub_strtoul (state->arg, 0, 0) : -1); } =20 +static char get_string_arg (const struct grub_arg_list *state) +{ + return (state->set ? state->arg : ""); +} + static grub_err_t grub_cmd_hdparm (grub_extcmd_context_t ctxt, int argc, char **args) { @@ -298,6 +305,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c int i =3D 0; int apm =3D get_int_arg (&state[i++]); int power =3D state[i++].set; + char *passphrase =3D get_string_arg (&state[i++]); int sec_freeze =3D state[i++].set; int health =3D state[i++].set; int aam =3D get_int_arg (&state[i++]); 
@@ -368,6 +376,23 @@ grub_cmd_hdparm (grub_extcmd_context_t c grub_printf ("%s\n", err ? ": not supported" : ""); } =20 + if (grub_strcmp(passphrase, "") =3D=3D 0) + { + // security unlock data: 512 bytes + // word 0: 0x00 user password, 0x01 master password + // word 1-16: password (32 bytes) + // word 17-255: reserved + grub_uint16_t sudata[256]; + grub_memset (&sudata, 0, sizeof(sudata)); + grub_strncpy((char*)sudata+2, passphrase, 32); + if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_SECURITY_UNLOCK, + 0, 1, sudata, sizeof(sudata), 1)) { + if (! quiet) grub_printf ("Unlock failed\n"); + } else { + if (! quiet) grub_printf ("Unlock succeeded\n"); + } + } + if (sec_freeze) grub_hdparm_simple_cmd ("Freeze security settings", ata, GRUB_ATA_CMD_SECURITY_FREEZE_LOCK); @@ -377,7 +402,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c { grub_uint16_t buf[GRUB_DISK_SECTOR_SIZE / 2]; if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_IDENTIFY_DEVICE, - 0, 0, buf, sizeof (buf))) + 0, 0, buf, sizeof (buf), 0)) grub_printf ("Cannot read ATA IDENTIFY data\n"); else { --- grub-2.02~beta2/include/grub/ata.h.ataunlock +++ grub-2.02~beta2/include/grub/ata.h @@ -86,6 +86,7 @@ enum grub_ata_commands GRUB_ATA_CMD_READ_SECTORS_DMA =3D 0xc8, GRUB_ATA_CMD_READ_SECTORS_DMA_EXT =3D 0x25, =20 + GRUB_ATA_CMD_SECURITY_UNLOCK =3D 0xf2, GRUB_ATA_CMD_SECURITY_FREEZE_LOCK =3D 0xf5, GRUB_ATA_CMD_SET_FEATURES =3D 0xef, GRUB_ATA_CMD_SLEEP =3D 0xe6, --------------040905060001030908050002--
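Review bot: The help string "Unlock ATA security." on the new --security-unlock entry (option table hunk, @@ -34,6 +34,7 @@ in hdparm.c) does not say that the option's argument is the drive password, nor that it is always submitted as the user password (the unlock hunk leaves word 0 of the data block at 0). Please spell both out in the description. Since the password is a plain command argument and, per the cover mail, there is no prompt, the documentation should also state that it will be present wherever the command line is typed or stored.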
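Review bot: get_string_arg (hunk @@ -274,6 +276,11 @@ in hdparm.c) is declared "static char" but returns state->arg or "", both of which are pointers, and the following hunk assigns the result to "char *passphrase". The return type needs to be a pointer type; "static const char *" fits, with passphrase declared "const char *" to match, since the string is only compared and copied from.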
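Review bot: The condition "grub_strcmp(passphrase, "") == 0" that guards the unlock block (hunk @@ -368,6 +376,23 @@ in hdparm.c) is inverted. It is true only when no password was supplied, so GRUB_ATA_CMD_SECURITY_UNLOCK is issued with an all-zero password on every hdparm invocation that omits --security-unlock, and is never issued when a password is given. Test the option's set flag instead, the way sec_freeze is derived from state[i++].set, so that an absent option and an empty password are distinguishable. Further points in the same block: grub_strncpy with a limit of 32 silently truncates a longer password, which deserves an explicit length check and error; sudata still holds the password on the stack after the command returns and should be cleared with grub_memset once the command has been sent; a failed unlock only prints a message and is not reflected in the command's return value; and the call spacing ("grub_strcmp(", "sizeof(sudata)") differs from the "grub_memset (&apt, 0, sizeof (apt))" style used in the surrounding code.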