libsed in mdadm

libsed in mdadm

[Mariusz Tkaczyk]

Hello,
IMSM/VROC is going to support self-encrypted drives. With this feature you need
to unlock the drives during boot-up in UEFI first. It is kind of protection
from physical stealing.

To ensure security, Linux have to respect that. It means that we need to
determine if the drive support locking and do not allow to mix locked and
unlocked drives in one IMSM array.

To grab that information we will need to impose the "magic commands" to the
drives. There is a libsed library, designed for such purposes:
https://github.com/sedcli/sedcli

So far I know, this library is not released under distributions (not handled by
package managers) and that will bring not user friendly dependency- you will
need to compile and install the lib first to build mdadm.

The sedcli project is maintained in Intel, currently it is not in active
development but there are no plans to drop it, interest around it is growing as
you can see. It seems to be great opportunity for this project to
become integrated with mainstream distributions when mdadm will start to
require it.

So, my questions are: Are we fine with adding this dependency? Are there big
cons you see?
Obviously, I will make it optional like libudev is.

I can try to re-implement the functionality I need in mdadm but it is like
reinventing the wheel.

Any feedback will be appreciated.
Mariusz

Re: libsed in mdadm

[Jes Sorensen]

On 8/21/23 10:16, Mariusz Tkaczyk wrote:
> Hello,
> IMSM/VROC is going to support self-encrypted drives. With this feature you need
> to unlock the drives during boot-up in UEFI first. It is kind of protection
> from physical stealing.
> 
> To ensure security, Linux have to respect that. It means that we need to
> determine if the drive support locking and do not allow to mix locked and
> unlocked drives in one IMSM array.
> 
> To grab that information we will need to impose the "magic commands" to the
> drives. There is a libsed library, designed for such purposes:
> https://github.com/sedcli/sedcli
> 
> So far I know, this library is not released under distributions (not handled by
> package managers) and that will bring not user friendly dependency- you will
> need to compile and install the lib first to build mdadm.
> 
> The sedcli project is maintained in Intel, currently it is not in active
> development but there are no plans to drop it, interest around it is growing as
> you can see. It seems to be great opportunity for this project to
> become integrated with mainstream distributions when mdadm will start to
> require it.
> 
> So, my questions are: Are we fine with adding this dependency? Are there big
> cons you see?
> Obviously, I will make it optional like libudev is.
> 
> I can try to re-implement the functionality I need in mdadm but it is like
> reinventing the wheel.
> 
> Any feedback will be appreciated.

Hi Mariusz,

I am not against adding it to mdadm, though I think a better approach is
to try and get the library built as a package for the distros.

Did you look into that yet?

Thanks,
Jes

Re: libsed in mdadm

[Hannes Reinecke]

On 8/22/23 22:54, Jes Sorensen wrote:
> On 8/21/23 10:16, Mariusz Tkaczyk wrote:
>> Hello,
>> IMSM/VROC is going to support self-encrypted drives. With this feature you need
>> to unlock the drives during boot-up in UEFI first. It is kind of protection
>> from physical stealing.
>>
>> To ensure security, Linux have to respect that. It means that we need to
>> determine if the drive support locking and do not allow to mix locked and
>> unlocked drives in one IMSM array.
>>
>> To grab that information we will need to impose the "magic commands" to the
>> drives. There is a libsed library, designed for such purposes:
>> https://github.com/sedcli/sedcli
>>
>> So far I know, this library is not released under distributions (not handled by
>> package managers) and that will bring not user friendly dependency- you will
>> need to compile and install the lib first to build mdadm.
>>
>> The sedcli project is maintained in Intel, currently it is not in active
>> development but there are no plans to drop it, interest around it is growing as
>> you can see. It seems to be great opportunity for this project to
>> become integrated with mainstream distributions when mdadm will start to
>> require it.
>>
>> So, my questions are: Are we fine with adding this dependency? Are there big
>> cons you see?
>> Obviously, I will make it optional like libudev is.
>>
>> I can try to re-implement the functionality I need in mdadm but it is like
>> reinventing the wheel.
>>
>> Any feedback will be appreciated.
> 
> Hi Mariusz,
> 
> I am not against adding it to mdadm, though I think a better approach is
> to try and get the library built as a package for the distros.
> 
> Did you look into that yet?
> 
We (as in 'We as an OS distributor') actually evaluated packaging libsed 
some time ago, but decided against it as the original authors (namely 
Intel) apparently disbanded it. So before adding it to a distro there 
needs to be an active maintainer, and one would be looking to Intel here.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew
Myers, Andrew McDonald, Martje Boudien Moerman

Re: libsed in mdadm

[Mariusz Tkaczyk]

On Wed, 23 Aug 2023 08:00:51 +0200
Hannes Reinecke <hare@suse.de> wrote:

> On 8/22/23 22:54, Jes Sorensen wrote:
> > On 8/21/23 10:16, Mariusz Tkaczyk wrote:  
> >> Hello,
> >> IMSM/VROC is going to support self-encrypted drives. With this feature you
> >> need to unlock the drives during boot-up in UEFI first. It is kind of
> >> protection from physical stealing.
> >>
> >> To ensure security, Linux have to respect that. It means that we need to
> >> determine if the drive support locking and do not allow to mix locked and
> >> unlocked drives in one IMSM array.
> >>
> >> To grab that information we will need to impose the "magic commands" to the
> >> drives. There is a libsed library, designed for such purposes:
> >> https://github.com/sedcli/sedcli
> >>
> >> So far I know, this library is not released under distributions (not
> >> handled by package managers) and that will bring not user friendly
> >> dependency- you will need to compile and install the lib first to build
> >> mdadm.
> >>
> >> The sedcli project is maintained in Intel, currently it is not in active
> >> development but there are no plans to drop it, interest around it is
> >> growing as you can see. It seems to be great opportunity for this project
> >> to become integrated with mainstream distributions when mdadm will start to
> >> require it.
> >>
> >> So, my questions are: Are we fine with adding this dependency? Are there
> >> big cons you see?
> >> Obviously, I will make it optional like libudev is.
> >>
> >> I can try to re-implement the functionality I need in mdadm but it is like
> >> reinventing the wheel.
> >>
> >> Any feedback will be appreciated.  
> > 
> > Hi Mariusz,
> > 
> > I am not against adding it to mdadm, though I think a better approach is
> > to try and get the library built as a package for the distros.
> > 
> > Did you look into that yet?
> >   
> We (as in 'We as an OS distributor') actually evaluated packaging libsed 
> some time ago, but decided against it as the original authors (namely 
> Intel) apparently disbanded it. So before adding it to a distro there 
> needs to be an active maintainer, and one would be looking to Intel here.
> 

Thanks Hannes for feedback. I totally agree with you. I will raise it
internally.

Thanks,
Mariusz

Re: libsed in mdadm

[Mariusz Tkaczyk]

On Wed, 23 Aug 2023 09:29:57 +0200
Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com> wrote:

> On Wed, 23 Aug 2023 08:00:51 +0200
> Hannes Reinecke <hare@suse.de> wrote:
> 
> > On 8/22/23 22:54, Jes Sorensen wrote:  
> > > On 8/21/23 10:16, Mariusz Tkaczyk wrote:    
> > >> Hello,
> > >> IMSM/VROC is going to support self-encrypted drives. With this feature
> > >> you need to unlock the drives during boot-up in UEFI first. It is kind of
> > >> protection from physical stealing.
> > >>
> > >> To ensure security, Linux have to respect that. It means that we need to
> > >> determine if the drive support locking and do not allow to mix locked and
> > >> unlocked drives in one IMSM array.
> > >>
> > >> To grab that information we will need to impose the "magic commands" to
> > >> the drives. There is a libsed library, designed for such purposes:
> > >> https://github.com/sedcli/sedcli
> > >>
> > >> So far I know, this library is not released under distributions (not
> > >> handled by package managers) and that will bring not user friendly
> > >> dependency- you will need to compile and install the lib first to build
> > >> mdadm.
> > >>
> > >> The sedcli project is maintained in Intel, currently it is not in active
> > >> development but there are no plans to drop it, interest around it is
> > >> growing as you can see. It seems to be great opportunity for this project
> > >> to become integrated with mainstream distributions when mdadm will start
> > >> to require it.
> > >>
> > >> So, my questions are: Are we fine with adding this dependency? Are there
> > >> big cons you see?
> > >> Obviously, I will make it optional like libudev is.
> > >>
> > >> I can try to re-implement the functionality I need in mdadm but it is
> > >> like reinventing the wheel.
> > >>
> > >> Any feedback will be appreciated.    
> > > 
> > > Hi Mariusz,
> > > 
> > > I am not against adding it to mdadm, though I think a better approach is
> > > to try and get the library built as a package for the distros.
> > > 
> > > Did you look into that yet?
> > >     
> > We (as in 'We as an OS distributor') actually evaluated packaging libsed 
> > some time ago, but decided against it as the original authors (namely 
> > Intel) apparently disbanded it. So before adding it to a distro there 
> > needs to be an active maintainer, and one would be looking to Intel here.
> >   
> 
> Thanks Hannes for feedback. I totally agree with you. I will raise it
> internally.
> 
Hello,
The maintenance of sedcli has been given to SK Hynix. Intel is no longer
an owner. Hannes, you can reconsider the decision of packaging libsed
depending on how active new maintainer will be.
Thanks to Paul for making this happen.

We will watch the upstream activity too to determine if it is reasonable to
consider making it as mdadm dependency in the future.

Thanks,
Mariusz