Eric Dong of Intel has updated UEFI’s TCG OVAL support, used with SEDs, how the UEFI-based system will work with the locked SEDs, when the user has no valid password:
[Patch] SecurityPkg OpalPasswordDxe: Enhance input password process.
Enhance the input password process, when device in unlock status and user press ESC, shutdown the device. If user reach the max try number, shutdown the device.
+ L”Confirm: Not unlock device and continue boot?.”,
+ L”Press ENTER to confirm, Press Esc to input password”,
+ L”Warning: system in unkown status, must shutdown!”,
+ L”Press ENTER to shutdown.”,
– L”Opal password retry count is expired. Keep lock and continue boot.”,
+ L”Opal password retry count exceeds the limit. Must shutdown!”,
L”Press ENTER to continue”,
For more information, see the patch on the edk2-devel list:
The presentation PDFs (no A/V) are now available for the NVMe Flash Memory Summit, as well as NVME’s presentations from IDF.
The Flash Memory Summit presentations ZIP includes all of the PDFs of that conference, including one on NVMe security, discussing OVAL, Self Encrypting Drives (SEDs), integration with Trustworthy Computing standards, among other things.
This week at the Flash Memory Summit, the Trusted Computing Group (TCG) and NVM Express (NVMe), put out a new joint white paper called “TCG Storage, Opal, and NVMe“. Opal is a set of specs from the TCG, designed to add TCG-style security to NVMe-based storage devices (‘self-encrypting drives’ (SED’), by adding new technology layers to manage encryption of user data, to enable features beyond ‘data at rest protection’. The ‘family’ of Opal specs include 3 levels: Opal, Opalite, and Pyrite, which provides a range of capabilities for vendors to choose from.
From their whitepaper’s summary, Oval offers these values to NVMe:
* Avoids the need to add security to NVM Express standard, or rely on proprietary functionality
* Leverages the existing storage security industry standard for a consistent set of requirements
* Commonly associated features enable a more consistent and secure overall solution
* Simplifies ecosystem enabling, validation, product identification, SKU management
* Reduces standardization to a more streamlined process
* Provides an extensible interface for additional value-adds to Opal/Opalite/Pyrite functionality, as well as other storage security features
I’m not sure if UEFI 2.5 has this ability or not. UEFI 2.5 did add some new NVMe and crypto storage interfaces, though.
PS: Going off-topic(?) a bit, but for NVMe and Linux, check out this doc from June: