Categorygithub.com/open-source-firmware/go-tcg-storage

# README

go-tcg-storage

Workflow Go Report Card GoDoc Slack License

Go library for interfacing TCG Storage and Security Subsystem Class (SSC) functions on storage devices.

Supported (or planned) standards:

Need support for another standard? Let us know by filing a feature request!

Tools

  • sedlockctl is a tool that helps you manage SED/TCG drives.
    Install it: go install github.com/open-source-firmware/go-tcg-storage/cmd/sedlockctl@main

  • tcgsdiag lets you list a whole lot of diagnostic information about TCG drives.
    Install it: go install github.com/open-source-firmware/go-tcg-storage/cmd/tcgsdiag@main

  • tcgdiskstat is like blkid or lsscsi but for TCG drives.
    Install it: go install github.com/open-source-firmware/go-tcg-storage/cmd/tcgdiskstat@main

Supported Transports

The following transports are supported by the library:

  • NVMe
  • SATA
  • SAS

Need another transport? You can do one of two things:

  1. You can implement the drive interface yourself to talk to your device.
  2. You can file a feature request describing your setup and we can discuss implementing it

Usage

The library consists of multiple libraries in order to abstract away the functionallity the library user does not need to care about. The library does not rely on the in-kernel implementation of TCG Opal[1].

The most low-level interface is the drive interface that implements the IF-SEND and IF-RECV functions that the TCG Storage standards rely on. Likely nobody outside this library will find that library useful.

One abstraction up is the core library that implements the TCG Storage specifications in a quite verbose manner. The guiding principle with the core library is that you should be able to do anything with it, but it might require you to know what functions can be called under what circumstances.

Finally you have the locking library that implements the most likely reason you are reading this. It allows you to get access to, and modify, the locking ranges of a TCG Storage compliant drive without caring much what version of the standards the drive is implementing.

Core Library

import (
	tcg "github.com/open-source-firmware/go-tcg-storage/pkg/core"
	"github.com/open-source-firmware/go-tcg-storage/pkg/core/table"
	"github.com/open-source-firmware/go-tcg-storage/pkg/drive"
)

func main() {
	d, err := drive.Open("/dev/sda")
	defer d.Close()

	d0, err := tcg.Discovery0(d)
        // This will work if your drive implements GET_COMID,
        // otherwise you will need to figure out the ComID and
        // pass it in with WithComID(x)
        cs, err := tcg.NewControlSession(d, d0)
        defer cs.Close()
        s, err := cs.NewSession(tcg.AdminSP)
        defer s.Close()

        // This is how you call a method on your SP:
        rand, err := table.ThisSP_Random(s, 8 /* bytes to generate */)

        // You can authenticate using the MSID like this:
        msidPin, err := table.Admin_C_PIN_MSID_GetPIN(s)
        if err := table.ThisSP_Authenticate(s, tcg.AuthoritySID, msidPin); err != nil {
        	log.Fatalf("Authentication as SID failed!")
        }
        // Session is now elevated
}

Locking Library

The most minimal example looks something like this:


import (
	"github.com/open-source-firmware/go-tcg-storage/pkg/drive"
	"github.com/open-source-firmware/go-tcg-storage/pkg/locking"
)

func main() {
	d, err := drive.Open("/dev/sda")
	defer d.Close()

	cs, lmeta, err := locking.Initialize(d)
	defer cs.Close()
	l, err := locking.NewSession(cs, lmeta, locking.DefaultAuthorityWithMSID)
	defer l.Close()
	fmt.Printf("Authenticated user has %d locking ranges", len(l.Ranges))
}

A slightly more realistic example looks like this:


import (
	"github.com/open-source-firmware/go-tcg-storage/pkg/drive"
	"github.com/open-source-firmware/go-tcg-storage/pkg/locking"
)

func main() {
	d, err := drive.Open("/dev/sda")
	defer d.Close()

        password := []byte{} /* Password for Admin1 or BandMaster0 */
	cs, lmeta, err := locking.Initialize(d,
		locking.WithAuth(locking.DefaultAuthorityWithMSID)
		locking.WithTakeOwnership(password),
		locking.WithHardening())
	defer cs.Close()
	l, err := locking.NewSession(cs, lmeta, locking.DefaultAuthority(password))
	defer l.Close()
	fmt.Printf("Authenticated user has %d locking ranges", len(l.Ranges))
}

Tested drives

These drives have been found to work without issues

ManufacturerModelTransportFeatures
CorsairForce MP510NVMePyrite v1
IntelP4510 (SSDPE2KX020T8O)NVMeOpal v2
IntelP4610 (SSDPE2KE032T8O)NVMeOpal v2
SeagateMomentus Thin (ST500LT015)SATAOpal v2
Seagate7E2000 (ST2000NX0343)SAS3Enterprise
SeagateExos X14 (ST10000NM0608)SAS3Enterprise
SamsungSSD 860SATAOpal v2
SamsungSSD 970 EVO PlusNVMeOpal v2
SamsungSSD 980 Pro (MZVL2250HCHQ)NVMeOpal v2
SamsungPM961 (MZVLW512HMJP-000L7)NVMeOpal v2
SamsungPM983 (MZ1LB1T9HALS-00007)NVMeOpal v2
SamsungPM9A1 (MZVL2256HCHQ-00B00)NVMePyrite v2
SamsungPM9A3 (MZQL23T8HCLS-00A07)NVMeOpal v2
SamsungPM1735 (MZPLJ12THALA-00007)NVMeOpal v2
SabrentRocket 4.0 2TBNVMePyrite v2
ToshibaMG08SCP16TESAS3Enterprise

Samsung PNs ending in "7" seems to indicate Opal v2 features

# Packages

No description provided by the author
No description provided by the author