From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: hdparm --security-unlock with password prompt
To: grub-devel@gnu.org
References: <5718EA09.700@quarantine.de>
From: Andrei Borzenkov
Message-ID: <57191ACD.8080002@gmail.com>
Date: Thu, 21 Apr 2016 21:24:13 +0300
In-Reply-To: <5718EA09.700@quarantine.de>
List-Id: The development of GNU GRUB

On 21.04.2016 17:56, Philippe Kueck wrote:
> Hi all,
>
> here's a patch for unlocking the ATA password from the grub command line. As
> mentioned in [1] it does not prompt for a password at boot but enables
> the hdparm module to support the security unlock feature.
> In case anyone asks, the patch is GPL.
>
> Kind regards
>
> Philippe
>
> [1] https://www.unixadm.org/needful-things/ataunlock#using-grub2
>

Unfortunately I do not think we can have an optional value, so your example on this page likely won't work. I.e. how can we distinguish between a missing option value and a missing argument? This will need to be two options - --security-unlock and --security-passphrase (pick your name).

I was under the impression that we must supply a password to unlock the disk. Could you explain how an empty passphrase works?

>
> 0999-ATA-Security-Unlock.patch
>
>
> --- grub-2.02~beta2/grub-core/commands/hdparm.c.ataunlock > +++ grub-2.02~beta2/grub-core/commands/hdparm.c
> @@ -34,6 +34,7 @@ static const struct grub_arg_option opti > "(1=low, ..., 254=high, 255=off)."), > 0, ARG_TYPE_INT}, > {"power", 'C', 0, N_("Display power mode."), 0, ARG_TYPE_NONE}, > + {"security-unlock", -1, 0, N_("Unlock ATA security."), 0, ARG_TYPE_STRING}, > {"security-freeze", 'F', 0, N_("Freeze ATA security settings until reset."), > 0, ARG_TYPE_NONE}, > {"health", 'H', 0, N_("Display SMART health status."), 0, ARG_TYPE_NONE}, > @@ -66,7 +67,7 @@ static int quiet = 0; > static grub_err_t > grub_hdparm_do_ata_cmd (grub_ata_t ata, grub_uint8_t cmd, > grub_uint8_t features, grub_uint8_t sectors, > - void * buffer, int size) > + void * buffer, int size, int write) > { > struct grub_disk_ata_pass_through_parms apt; > grub_memset (&apt, 0, sizeof (apt)); > @@ -78,6 +79,7 @@ grub_hdparm_do_ata_cmd (grub_ata_t ata, > > apt.buffer = buffer; > apt.size = size; > + apt.write = write; > > if (ata->dev->readwrite (ata, &apt, 0)) > return grub_errno; > @@ -136,7 +138,7 @@ grub_hdparm_simple_cmd (const char * msg > if (! quiet && msg) > grub_printf ("%s", msg); > > - grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0); > + grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, 0, 0, NULL, 0, 0); > > if (! quiet && msg) > grub_printf ("%s\n", ! err ? "" : ": not supported"); > @@ -157,7 +159,7 @@ grub_hdparm_set_val_cmd (const char * ms > } > > grub_err_t err = grub_hdparm_do_ata_cmd (ata, cmd, features, sectors, > - NULL, 0); > + NULL, 0, 0); > > if (! quiet && msg) > grub_printf ("%s\n", ! err ? "" : ": not supported"); > @@ -274,6 +276,11 @@ static int get_int_arg (const struct gru > return (state->set ? (int)grub_strtoul (state->arg, 0, 0) : -1); > } > > +static char get_string_arg (const struct grub_arg_list *state) > +{ > + return (state->set ? state->arg : ""); > +} > + > static grub_err_t > grub_cmd_hdparm (grub_extcmd_context_t ctxt, int argc, char **args) > { 
> @@ -298,6 +305,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c > int i = 0; > int apm = get_int_arg (&state[i++]); > int power = state[i++].set; > + char *passphrase = get_string_arg (&state[i++]); > int sec_freeze = state[i++].set; > int health = state[i++].set; > int aam = get_int_arg (&state[i++]); > @@ -368,6 +376,23 @@ grub_cmd_hdparm (grub_extcmd_context_t c > grub_printf ("%s\n", err ? ": not supported" : ""); > } > > + if (grub_strcmp(passphrase, "") == 0) That's rather elaborate way to check for empty string. > + { > + // security unlock data: 512 bytes > + // word 0: 0x00 user password, 0x01 master password > + // word 1-16: password (32 bytes) > + // word 17-255: reserved > + grub_uint16_t sudata[256]; > + grub_memset (&sudata, 0, sizeof(sudata)); > + grub_strncpy((char*)sudata+2, passphrase, 32); But we just checked that passphrase is empty. What do you copy here? > + if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_SECURITY_UNLOCK, > + 0, 1, sudata, sizeof(sudata), 1)) { > + if (! quiet) grub_printf ("Unlock failed\n"); > + } else { > + if (! quiet) grub_printf ("Unlock succeeded\n"); > + } > + } > + > if (sec_freeze) > grub_hdparm_simple_cmd ("Freeze security settings", ata, > GRUB_ATA_CMD_SECURITY_FREEZE_LOCK); > @@ -377,7 +402,7 @@ grub_cmd_hdparm (grub_extcmd_context_t c > { > grub_uint16_t buf[GRUB_DISK_SECTOR_SIZE / 2]; > if (grub_hdparm_do_ata_cmd (ata, GRUB_ATA_CMD_IDENTIFY_DEVICE, > - 0, 0, buf, sizeof (buf))) > + 0, 0, buf, sizeof (buf), 0)) > grub_printf ("Cannot read ATA IDENTIFY data\n"); > else > { > --- grub-2.02~beta2/include/grub/ata.h.ataunlock > +++ grub-2.02~beta2/include/grub/ata.h 
> @@ -86,6 +86,7 @@ enum grub_ata_commands > GRUB_ATA_CMD_READ_SECTORS_DMA = 0xc8, > GRUB_ATA_CMD_READ_SECTORS_DMA_EXT = 0x25, > > + GRUB_ATA_CMD_SECURITY_UNLOCK = 0xf2, > GRUB_ATA_CMD_SECURITY_FREEZE_LOCK = 0xf5, > GRUB_ATA_CMD_SET_FEATURES = 0xef, > GRUB_ATA_CMD_SLEEP = 0xe6,
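Review bot: the option table order is load-bearing and the @@ -34 hunk relies on it silently. The new `{"security-unlock", -1, 0, N_("Unlock ATA security."), 0, ARG_TYPE_STRING}` entry is inserted between "power" and "security-freeze", and grub_cmd_hdparm reads the options positionally with `state[i++]`, so the `char *passphrase = get_string_arg (&state[i++]);` line in the @@ -298 hunk only works because it sits in exactly the same position; a comment on the table stating that the order must match the `state[i++]` sequence would prevent the next insertion from shifting every later option by one. The help text should also say that the option takes the passphrase as its argument, since ARG_TYPE_STRING is the only hint a user gets about the syntax, and no documentation hunk accompanies the new option.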
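Review bot: the new `int write` parameter added to grub_hdparm_do_ata_cmd in the @@ -66 hunk is passed as a bare 0 or 1 at every call site (see the @@ -136, @@ -157, @@ -368 and @@ -377 hunks), which leaves a reader of `sudata, sizeof(sudata), 1)` guessing what the trailing 1 means. A comment on the parameter saying it selects a data-out transfer (it is copied straight into `apt.write` in the @@ -78 hunk), or a pair of named constants for the two directions, would make the call sites self-explanatory.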
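Review bot: `get_string_arg` in the @@ -274 hunk is declared as returning `char` but returns `state->arg`, a `char *`, or the literal `""`, so the pointer is truncated to one byte and the caller's `char *passphrase = get_string_arg (&state[i++]);` receives a garbage address that is later dereferenced by grub_strcmp and grub_strncpy. The return type has to be `char *` (or `const char *` with the caller's variable adjusted to match); as written this should already produce a compiler diagnostic on the return statement.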
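Review bot: the condition `if (grub_strcmp(passphrase, "") == 0)` in the @@ -368 hunk issues the unlock only when no passphrase was given, so the feature never runs with a real passphrase and, when the option is omitted, sends an all-zero password block to the drive; the test should be on the option being set (or `*passphrase != '\0'`). Two further points in the same block: `grub_strncpy((char*)sudata+2, passphrase, 32);` silently truncates any passphrase longer than the 32-byte field, so a length check that refuses over-long input with an error is preferable to sending a shortened password; and once the command has been issued `sudata` still holds the passphrase on the stack, so it should be cleared with grub_memset before the function returns. Style-wise the `//` comments and the `) {` / `} else {` brace placement do not match the surrounding GNU layout visible in the context lines (`/* */` comments, braces on their own line).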
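Review bot: GRUB_ATA_CMD_SECURITY_UNLOCK in the @@ -86 hunk is the only command in this patch issued with the new write flag set (every other caller passes 0), so it is the one enum value whose semantics differ from its neighbours; a short comment next to `GRUB_ATA_CMD_SECURITY_UNLOCK = 0xf2,` recording that the command carries a 512-byte data-out block (one sector, matching `sectors = 1` in the @@ -368 hunk) would tie the ata.h change to the reason the `write` parameter exists.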
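As an added example (not part of the patch or of GRUB), the C below builds the 512-byte SECURITY UNLOCK data block in the layout the patch's comments describe (word 0 selects user or master password, words 1-16 hold the 32-byte password, words 17-255 are reserved), refuses an empty passphrase instead of issuing the command with one, rejects a passphrase longer than the field rather than truncating it, and wipes the block after use. The function and constant names are this example's own, it stops short of the ATA pass-through itself, and the passphrase in main is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the SECURITY UNLOCK data block as documented in the patch:
 *   word 0      : 0x0000 user password, 0x0001 master password
 *   words 1-16  : password, 32 bytes, zero padded, not NUL terminated
 *   words 17-255: reserved, must be zero
 * All names below are this example's own, not GRUB identifiers. */
#define UNLOCK_BLOCK_WORDS    256
#define UNLOCK_PASSWORD_BYTES 32

enum unlock_identifier {
    UNLOCK_USER_PASSWORD   = 0x0000,
    UNLOCK_MASTER_PASSWORD = 0x0001
};

enum unlock_status {
    UNLOCK_OK           = 0,
    UNLOCK_ERR_EMPTY    = -1,   /* never send an empty password to the drive */
    UNLOCK_ERR_TOO_LONG = -2    /* longer than the field: would be silently cut */
};

/* Fill block[] from passphrase. On any error the block is left all zero and
 * no password bytes are copied, so a failed build cannot be sent by mistake. */
int build_unlock_block(uint16_t block[UNLOCK_BLOCK_WORDS],
                       const char *passphrase, int use_master)
{
    memset(block, 0, UNLOCK_BLOCK_WORDS * sizeof(uint16_t));
    if (passphrase == NULL || passphrase[0] == '\0')
        return UNLOCK_ERR_EMPTY;
    size_t len = strlen(passphrase);
    if (len > UNLOCK_PASSWORD_BYTES)
        return UNLOCK_ERR_TOO_LONG;
    /* Word 0 stored as a native 16-bit word, the same way the patch fills sudata. */
    block[0] = use_master ? UNLOCK_MASTER_PASSWORD : UNLOCK_USER_PASSWORD;
    /* Password occupies bytes 2..33; the zeroed block supplies the padding. */
    memcpy((unsigned char *)block + 2, passphrase, len);
    return UNLOCK_OK;
}

/* Byte view of the password field (bytes 2..33), used by the checks below. */
const unsigned char *unlock_password_bytes(const uint16_t block[UNLOCK_BLOCK_WORDS])
{
    return (const unsigned char *)block + 2;
}

/* Returns 1 when every reserved word (17 and up) is zero, i.e. nothing spilled past the field. */
int unlock_reserved_is_zero(const uint16_t block[UNLOCK_BLOCK_WORDS])
{
    for (size_t i = 17; i < UNLOCK_BLOCK_WORDS; i++)
        if (block[i] != 0)
            return 0;
    return 1;
}

/* Clear the block once the command has been issued so the passphrase does not
 * linger in memory; the volatile pointer keeps the compiler from dropping the stores. */
void wipe_unlock_block(uint16_t block[UNLOCK_BLOCK_WORDS])
{
    volatile uint16_t *p = block;
    for (size_t i = 0; i < UNLOCK_BLOCK_WORDS; i++)
        p[i] = 0;
}

int main(void)
{
    uint16_t block[UNLOCK_BLOCK_WORDS];
    /* Constructed sample passphrase; a real one would come from the command line. */
    int rc = build_unlock_block(block, "example-pass", 0);
    printf("build=%d identifier=0x%04x reserved_zero=%d first_byte=%c\n",
           rc, (unsigned)block[0], unlock_reserved_is_zero(block),
           unlock_password_bytes(block)[0]);
    /* Here the 512-byte block would be handed to the SECURITY UNLOCK pass-through. */
    wipe_unlock_block(block);
    return rc == UNLOCK_OK ? 0 : 1;
}
```

The two error codes are the cases the patch's `grub_strcmp(passphrase, "") == 0` and `grub_strncpy(..., 32)` lines do not handle: an empty passphrase is refused up front, and an over-long one is reported rather than sent truncated, so a typo in a long passphrase fails loudly instead of quietly unlocking with a different password than the user typed.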