forked from sedcli/sedcli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsedcli.8
116 lines (93 loc) · 4.82 KB
/
sedcli.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
.TH sedcli 8
.SH NAME
sedcli \- manage Opal Self-Encrypting Drives (SEDs) NVMe SSDs
.SH SYNOPSIS
\fBsedcli\fR <command> [options...]
.SH DESCRIPTION
Sedcli enables a system Administrator/Operator to manage NVMe SEDs that are TCG
Opal compliant. In Opal terminology SED is called a Trusted Peripheral (TPer)
and provides an Admin Security Provider (Admin SP) and Locking Security Provider
(Locking SP).
.PP
Management of the TCG Opal features require several operations that are performed
as an Administrator within the TCG Opal command set to either the AdminSP or
LockingSP. The AdminSP provides commands that enable the user to perform
administrative operations such as taking ownership of the device, activation of
the LockingSP, and revert the TPer, whereas the LockingSP provides commands that
enable the user to configure and enable locking enforcement on user data either
globally or on a locking range basis after the LockingSP has been activated by
the AdminSP.
.PP
To start Opal management, an Administrator typically needs to perform the
following process at a minimum:
.IP
1. Take ownership of the device (setting a non-MSID credential for the SID
Authority in the AdminSP)
.IP
2. Activate the LockingSP (this will move the Opal feature to the Manufactured
state and copy the SID authority password to the LockingSP Admin1 password)
.IP
3. Enable Read Lock Enabled and Write Lock Enabled on all desired ranges
(e.g. Global Range)
.PP
After these steps are accomplished, the TPer will be Read or Write locked after
power cycle or when explicitly locked using sedcli command.
.PP
In addition to these basic flows, one can perform crypto erase of the TPer
using the SID authority or the PSID authority as part of revert TPer operation.
In case of using the PSID authority the operator needs to provide the credential
that is printed on the disk label. The Revert TPer operation reverts device
back to the Manufactured-Inactive state, which then requires re-configuration
of the Opal management system using the process previously identified (i.e.
take ownership, activate LSP, enable global range). It is also possible to
update Admin1 password for Locking SP.
.SH OPTIONS
.IP "\fB\-D -d <device> [-f {normal|udev}]\fR or \fB\-\-discovery --device <device> [--format {normal|udev}]\fR"
Performs Level 0 and Level 1 Discovery and prints out the info in human-readable(default) or
machine friendly format.
.IP "\fB\-O -d <device>\fR or \fB\-\-ownership --device <device>\fR"
Takes ownership of the device.
.IP "\fB\-A -d <device>\fR or \fB\-\-activate-lsp --device <device>\fR"
Activates Locking SP.
.IP "\fB\-R -d <device> [-i] [-n]\fR or \fB\-\-revert --device <device> [--psid] [--non-destructive]\fR"
Performs Destructive or Non-Destructive Revert TPer to Manufactured-Inactivate
state using either SID or PSID authority.
.IP "\fB\-S -d <device>\fR or \fB\-\-setup-global-range --device <device>\fR"
Sets Read Lock Enabled (RLE) and Write Lock Enabled (WLE) bis for global locking
range. This effectively enables locking of all user data. Locking will start
after power cycle or when explicitly locked using \fb\-\-lock-unlock\fR command.
.IP "\fB\-L -d <device> -t <accesstype>\fR or \fB\-\-lock-unlock --device <device> --accesstype {RO|RW|LK}\fR"
.IP
Changes the lock state for the device. Following access modes are available:
.IP
1. Read-Only(RO) - user can only read the data from the disk.
.IP
2. Read-Write(RW) - user can read/write data from/to the disk.
.IP
3. Locked(LK) - data is locked, user can NOT read/write data from/to the disk.
.IP "\fB\-P -d <device>\fR or \fB\-\-set-password --device <device>\fR"
Updates password for Admin1 authority in Locking SP.
.IP "\fB\-M -d <device> [-e {TRUE|FALSE}] [-m {TRUE|FALSE}]\fR or \fB\-\-mbr-control --device <device> [--enable {TRUE|FALSE}] [--done {TRUE|FALSE}]\fR"
.IP
Enable/Disable MBR Shadow and/or Set/Unset MBR Done.
MBR Done update to TRUE will only take effect when MBR Shadow is enabled.
.IP "\fB\-W -d <device> -f <pba_file> [-o <offset>]\fR or \fB\-\-write-mbr --device <device> --file <pba_file> [--offset <offset>]\fR"
Write data into MBR shadow region(MBR table).
MBR shadow should be enabled for the PBA to take effect.
.IP "\fB\-B -d <device> -r {1|0}\fR or \fB\-\-block_sid --device <device> --hwreset {1|0}\fR"
Issue BlockSID authentication command with Clear Event flag via --hwreset option.
.IP "\fB\-V\fR or \fB\-\-version\fR"
Prints version of sedcli.
.IP "\fB\-H\fR or \fB\-\-help\fR"
Prints global help on available commands and usage
.IP "To print command specific help use following syntax:"
.IP "\fBsedcli <command> -H\fR or \fBsedcli <command> --help\fR"
.IP "For example:"
.IP "\fBsedcli -D -H\fR or \fBsedcli --discovery --help\fR"
.SH COPYRIGHT
Copyright(c) 2018-2020 by the Intel Corporation.
.SH AUTHOR
This manual page was created by Andrzej Jakowski <[email protected]>
.SH SEE ALSO
.TP
sedcli(8)