* Re: hdparm --security-unlock with password prompt
@ 2016-04-21 14:56 Philippe Kueck
2016-04-21 15:20 ` W K
2016-04-21 18:24 ` Andrei Borzenkov
0 siblings, 2 replies; 7+ messages in thread
From: Philippe Kueck @ 2016-04-21 14:56 UTC (permalink / raw)
To: grub-devel
[-- Attachment #1: Type: text/plain, Size: 352 bytes --]
Hi all,
here's a patch for unlocking the ATA password from grub command line. As
mentioned in [1] it does not prompt for a password at boot but enables
the hdparm module to support the security unlock feature.
In case anyone asks, the patch is GPL.
Kind regards
Philippe
[1] https://www.unixadm.org/needful-things/ataunlock#using-grub2
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0999-ATA-Security-Unlock.patch --]
[-- Type: text/x-patch; name="0999-ATA-Security-Unlock.patch", Size: 4116 bytes --]
--- grub-2.02~beta2/grub-core/commands/hdparm.c.ataunlock
+++ grub-2.02~beta2/grub-core/commands/hdparm.c
@@ -34,6 +34,7 @@ static const struct grub_arg_option opti
"(1=low, ..., 254=high, 255=off)."),
0, ARG_TYPE_INT},
{"power", 'C', 0, N_("Display power mode."), 0, ARG_TYPE_NONE},
+ {"security-unlock", -1, 0, N_("Unlock ATA security."), 0, ARG_TYPE_STRING},
{"security-freeze", 'F', 0, N_("Freeze ATA security settings until reset."),
0, ARG_TYPE_NONE},
{"health", 'H', 0, N_("Display SMART health status."), 0, ARG_TYPE_NONE},
@@ -66,7 +67,7 @@ static int quiet = 0;
static grub_err_t
grub_hdparm_do_ata_cmd (grub_ata_t ata, grub_uint8_t cmd,
grub_uint8_t features, grub_uint8_t sectors,
- void * buffer, int size)
+ void * buffer, int size, int write)
{
struct grub_disk_ata_pass_through_parms apt;
grub_memset (&apt, 0, sizeof (apt));
@@ -78,6 +79,7 @@ grub_hdparm_do_ata_cmd (grub_ata_t ata,
apt.buffer = buffer;
apt.size = size;
+ apt.write = write;
if (ata->dev->readwrite (ata, &apt, 0))
return grub_errno;
@@ -136,7 +138,7 @@ grub_hdparm_simple_cmd (const char * msg
if (! quiet && msg)
grub_printf ("%s", msg);
- grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0);
+ grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0, 0);
if (! quiet && msg)
grub_printf ("%s\n", ! err ? "" : ": not supported");
@@ -157,7 +159,7 @@ grub_hdparm_set_val_cmd (const char * ms
}
grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, features, sectors,
- NULL, 0);
+ NULL, 0, 0);
if (! quiet && msg)
grub_printf ("%s\n", ! err ? "" : ": not supported");
@@ -274,6 +276,11 @@ static int get_int_arg (const struct gru
return (state->set ? (int)grub_strtoul (state->arg, 0, 0) : -1);
}
+static char get_string_arg (const struct grub_arg_list *state)
+{
+ return (state->set ? state->arg : "");
+}
+
static grub_err_t
grub_cmd_hdparm (grub_extcmd_context_t ctxt, int argc, char **args)
{
@@ -298,6 +305,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c
int i = 0;
int apm = get_int_arg (&state[i++]);
int power = state[i++].set;
+ char *passphrase = get_string_arg (&state[i++]);
int sec_freeze = state[i++].set;
int health = state[i++].set;
int aam = get_int_arg (&state[i++]);
@@ -368,6 +376,23 @@ grub_cmd_hdparm (grub_extcmd_context_t c
grub_printf ("%s\n", err ? ": not supported" : "");
}
+ if (grub_strcmp(passphrase, "") == 0)
+ {
+ // security unlock data: 512 bytes
+ // word 0: 0x00 user password, 0x01 master password
+ // word 1-16: password (32 bytes)
+ // word 17-255: reserved
+ grub_uint16_t sudata[256];
+ grub_memset (&sudata, 0, sizeof(sudata));
+ grub_strncpy((char*)sudata+2, passphrase, 32);
+ if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_SECURITY_UNLOCK,
+ 0, 1, sudata, sizeof(sudata), 1)) {
+ if (! quiet) grub_printf ("Unlock failed\n");
+ } else {
+ if (! quiet) grub_printf ("Unlock succeeded\n");
+ }
+ }
+
if (sec_freeze)
grub_hdparm_simple_cmd ("Freeze security settings", ata,
GRUB_ATA_CMD_SECURITY_FREEZE_LOCK);
@@ -377,7 +402,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c
{
grub_uint16_t buf[GRUB_DISK_SECTOR_SIZE / 2];
if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_IDENTIFY_DEVICE,
- 0, 0, buf, sizeof (buf)))
+ 0, 0, buf, sizeof (buf), 0))
grub_printf ("Cannot read ATA IDENTIFY data\n");
else
{
--- grub-2.02~beta2/include/grub/ata.h.ataunlock
+++ grub-2.02~beta2/include/grub/ata.h
@@ -86,6 +86,7 @@ enum grub_ata_commands
GRUB_ATA_CMD_READ_SECTORS_DMA = 0xc8,
GRUB_ATA_CMD_READ_SECTORS_DMA_EXT = 0x25,
+ GRUB_ATA_CMD_SECURITY_UNLOCK = 0xf2,
GRUB_ATA_CMD_SECURITY_FREEZE_LOCK = 0xf5,
GRUB_ATA_CMD_SET_FEATURES = 0xef,
GRUB_ATA_CMD_SLEEP = 0xe6,
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: hdparm --security-unlock with password prompt
2016-04-21 14:56 hdparm --security-unlock with password prompt Philippe Kueck
@ 2016-04-21 15:20 ` W K
2016-04-21 18:24 ` Andrei Borzenkov
1 sibling, 0 replies; 7+ messages in thread
From: W K @ 2016-04-21 15:20 UTC (permalink / raw)
To: The development of GNU GRUB
[-- Attachment #1: Type: text/plain, Size: 688 bytes --]
On Thu, Apr 21, 2016 at 4:56 PM, Philippe Kueck <
a4obmfyynyjaahcwbylaulqddmkhi@quarantine.de> wrote:
here's a patch for unlocking the ATA password from grub command line.
Thanks a lot for replying Philippe.
> As mentioned in [1] it does not prompt for a password at boot but enables
> the hdparm module to support the security unlock feature.
>
Ah, right. Well, it's a start.
I'm not really a C developer, so I can't supply a patch for the password
prompt, but if we have anyone willing to take the time to add that
functionality, that would be fantastic.
Philippe - any chance you'd take that up ?;]
> In case anyone asks, the patch is GPL.
>
I guess that works, right ?
WK
[-- Attachment #2: Type: text/html, Size: 1640 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: hdparm --security-unlock with password prompt
2016-04-21 14:56 hdparm --security-unlock with password prompt Philippe Kueck
2016-04-21 15:20 ` W K
@ 2016-04-21 18:24 ` Andrei Borzenkov
2016-04-21 20:00 ` Philippe Kueck
1 sibling, 1 reply; 7+ messages in thread
From: Andrei Borzenkov @ 2016-04-21 18:24 UTC (permalink / raw)
To: grub-devel
21.04.2016 17:56, Philippe Kueck пишет:
> Hi all,
>
> here's a patch for unlocking the ATA password from grub command line. As
> mentioned in [1] it does not prompt for a password at boot but enables
> the hdparm module to support the security unlock feature.
> In case anyone asks, the patch is GPL.
>
> Kind regards
>
> Philippe
>
> [1] https://www.unixadm.org/needful-things/ataunlock#using-grub2
>
Unfortunately I do not think we can have optional value, so your example
on this page likely won't work. I.e. how can we distinguish between
missing option value and missing argument? This will need to be two
options - --security-unlock and --security-passphrase (pick your name).
I was under impression that we must supply password to unlock disk.
Could you explain how empty passphrase works?
>
> 0999-ATA-Security-Unlock.patch
>
>
> --- grub-2.02~beta2/grub-core/commands/hdparm.c.ataunlock
> +++ grub-2.02~beta2/grub-core/commands/hdparm.c
> @@ -34,6 +34,7 @@ static const struct grub_arg_option opti
> "(1=low, ..., 254=high, 255=off)."),
> 0, ARG_TYPE_INT},
> {"power", 'C', 0, N_("Display power mode."), 0, ARG_TYPE_NONE},
> + {"security-unlock", -1, 0, N_("Unlock ATA security."), 0, ARG_TYPE_STRING},
> {"security-freeze", 'F', 0, N_("Freeze ATA security settings until reset."),
> 0, ARG_TYPE_NONE},
> {"health", 'H', 0, N_("Display SMART health status."), 0, ARG_TYPE_NONE},
> @@ -66,7 +67,7 @@ static int quiet = 0;
> static grub_err_t
> grub_hdparm_do_ata_cmd (grub_ata_t ata, grub_uint8_t cmd,
> grub_uint8_t features, grub_uint8_t sectors,
> - void * buffer, int size)
> + void * buffer, int size, int write)
> {
> struct grub_disk_ata_pass_through_parms apt;
> grub_memset (&apt, 0, sizeof (apt));
> @@ -78,6 +79,7 @@ grub_hdparm_do_ata_cmd (grub_ata_t ata,
>
> apt.buffer = buffer;
> apt.size = size;
> + apt.write = write;
>
> if (ata->dev->readwrite (ata, &apt, 0))
> return grub_errno;
> @@ -136,7 +138,7 @@ grub_hdparm_simple_cmd (const char * msg
> if (! quiet && msg)
> grub_printf ("%s", msg);
>
> - grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0);
> + grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0, 0);
>
> if (! quiet && msg)
> grub_printf ("%s\n", ! err ? "" : ": not supported");
> @@ -157,7 +159,7 @@ grub_hdparm_set_val_cmd (const char * ms
> }
>
> grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, features, sectors,
> - NULL, 0);
> + NULL, 0, 0);
>
> if (! quiet && msg)
> grub_printf ("%s\n", ! err ? "" : ": not supported");
> @@ -274,6 +276,11 @@ static int get_int_arg (const struct gru
> return (state->set ? (int)grub_strtoul (state->arg, 0, 0) : -1);
> }
>
> +static char get_string_arg (const struct grub_arg_list *state)
> +{
> + return (state->set ? state->arg : "");
> +}
> +
> static grub_err_t
> grub_cmd_hdparm (grub_extcmd_context_t ctxt, int argc, char **args)
> {
> @@ -298,6 +305,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c
> int i = 0;
> int apm = get_int_arg (&state[i++]);
> int power = state[i++].set;
> + char *passphrase = get_string_arg (&state[i++]);
> int sec_freeze = state[i++].set;
> int health = state[i++].set;
> int aam = get_int_arg (&state[i++]);
> @@ -368,6 +376,23 @@ grub_cmd_hdparm (grub_extcmd_context_t c
> grub_printf ("%s\n", err ? ": not supported" : "");
> }
>
> + if (grub_strcmp(passphrase, "") == 0)
That's rather elaborate way to check for empty string.
> + {
> + // security unlock data: 512 bytes
> + // word 0: 0x00 user password, 0x01 master password
> + // word 1-16: password (32 bytes)
> + // word 17-255: reserved
> + grub_uint16_t sudata[256];
> + grub_memset (&sudata, 0, sizeof(sudata));
> + grub_strncpy((char*)sudata+2, passphrase, 32);
But we just checked that passphrase is empty. What do you copy here?
> + if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_SECURITY_UNLOCK,
> + 0, 1, sudata, sizeof(sudata), 1)) {
> + if (! quiet) grub_printf ("Unlock failed\n");
> + } else {
> + if (! quiet) grub_printf ("Unlock succeeded\n");
> + }
> + }
> +
> if (sec_freeze)
> grub_hdparm_simple_cmd ("Freeze security settings", ata,
> GRUB_ATA_CMD_SECURITY_FREEZE_LOCK);
> @@ -377,7 +402,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c
> {
> grub_uint16_t buf[GRUB_DISK_SECTOR_SIZE / 2];
> if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_IDENTIFY_DEVICE,
> - 0, 0, buf, sizeof (buf)))
> + 0, 0, buf, sizeof (buf), 0))
> grub_printf ("Cannot read ATA IDENTIFY data\n");
> else
> {
> --- grub-2.02~beta2/include/grub/ata.h.ataunlock
> +++ grub-2.02~beta2/include/grub/ata.h
> @@ -86,6 +86,7 @@ enum grub_ata_commands
> GRUB_ATA_CMD_READ_SECTORS_DMA = 0xc8,
> GRUB_ATA_CMD_READ_SECTORS_DMA_EXT = 0x25,
>
> + GRUB_ATA_CMD_SECURITY_UNLOCK = 0xf2,
> GRUB_ATA_CMD_SECURITY_FREEZE_LOCK = 0xf5,
> GRUB_ATA_CMD_SET_FEATURES = 0xef,
> GRUB_ATA_CMD_SLEEP = 0xe6,
>
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: hdparm --security-unlock with password prompt
2016-04-21 18:24 ` Andrei Borzenkov
@ 2016-04-21 20:00 ` Philippe Kueck
0 siblings, 0 replies; 7+ messages in thread
From: Philippe Kueck @ 2016-04-21 20:00 UTC (permalink / raw)
To: grub-devel
Hi,
On 21.04.2016 20:24, Andrei Borzenkov wrote:
> Unfortunately I do not think we can have optional value, so your example
> on this page likely won't work. I.e. how can we distinguish between
> missing option value and missing argument? This will need to be two
> options - --security-unlock and --security-passphrase (pick your name).
On my page's first example the user password was missing by mistake. The
user password (or passphrase) is not optional but required, so the
syntax is, depending on ahci or ide mode:
hdparm --security-unlock USERPASSWORD (hd0)
or
hdparm --security-unlock USERPASSWORD (ahci0)
Sorry for the confusion.
Kind regards
Philippe
^ permalink raw reply [flat|nested] 7+ messages in thread
* hdparm --security-unlock with password prompt
@ 2016-04-21 13:48 W K
2016-04-21 13:55 ` Andrei Borzenkov
0 siblings, 1 reply; 7+ messages in thread
From: W K @ 2016-04-21 13:48 UTC (permalink / raw)
To: grub-devel
[-- Attachment #1: Type: text/plain, Size: 466 bytes --]
Hi
I'd like grub to prompt me for a password and unlock my hw encrypted drive.
I found a few threads about it dating back a few years, even a few patches,
but I see the functionality is not there in the most recent grub version
from git. It seems the patch is pretty simple (e.g.
https://www.unixadm.org/software/grub2/0999-ATA-Security-Unlock.patch).
Is there a reason this was not merged ? Can I expect the functionality to
be added in the future ?
Thanks,
WK
[-- Attachment #2: Type: text/html, Size: 962 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* hdparm --security-unlock with password prompt
@ 2016-04-21 13:37 W K
0 siblings, 0 replies; 7+ messages in thread
From: W K @ 2016-04-21 13:37 UTC (permalink / raw)
To: grub-devel
[-- Attachment #1: Type: text/plain, Size: 552 bytes --]
Hi
I'd like grub to prompt me for a password and unlock my hw encrypted drive.
I found a few threads about it dating back a few years, even a few patches,
but I see the functionality is not there in the most recent grub version
from git. It seems the patch is pretty simple (e.g.
https://www.unixadm.org/software/grub2/0999-ATA-Security-Unlock.patch).
Is there a reason this was not merged ? Can I expect the functionality to
be added in the future ?
Thanks,
WK
PS. I'm not subscribing to the list, but will read the replies through the
archives.
[-- Attachment #2: Type: text/html, Size: 797 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-04-21 20:00 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-21 14:56 hdparm --security-unlock with password prompt Philippe Kueck
2016-04-21 15:20 ` W K
2016-04-21 18:24 ` Andrei Borzenkov
2016-04-21 20:00 ` Philippe Kueck
-- strict thread matches above, loose matches on Subject: below --
2016-04-21 13:48 W K
2016-04-21 13:55 ` Andrei Borzenkov
2016-04-21 13:37 W K
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.