@linux4life798
Last active May 27, 2024 02:32
Demonstrate how the sedutil-cli command works and how it interacts with a SED SSD.
# Hex-dump the first 9000 bytes of /dev/nvme0n1 so the stored data can be
# compared before and after each sedutil-cli step.
# Reads the raw block device (hence sudo); nothing is written.
ssd_show_data() {
  local -r dev=/dev/nvme0n1
  local -r nbytes=9000
  sudo dd if="${dev}" bs=1 count="${nbytes}" status=none \
    | hd
}
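# ssd_write_data <data_message> [location]
#
# Write <data_message> followed by a newline to /dev/nvme0n1, starting
# [location] bytes into the device (default 0).
#
# This overwrites raw bytes on the drive as root; at the default offset 0
# that is the very start of the device, so use a scratch SSD only.
ssd_write_data() {
  local data="$1"
  local location="${2:-0}" # In bytes
  # printf, not echo: echo would treat a message such as "-n" or "-e" as one
  # of its own options instead of writing it to the drive.
  printf '%s\n' "${data}" | sudo dd of=/dev/nvme0n1 bs=1 seek="${location}" status=none
}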
# Zero the first 9000 bytes of /dev/nvme0n1 (the region ssd_show_data dumps),
# so that a later ssd_show_data shows only the bytes written with
# ssd_write_data.
# Destructive: the start of the drive is overwritten.
ssd_write_zeros() {
  local -r target=/dev/nvme0n1
  local -r region_bytes=9000
  sudo dd if=/dev/zero of="${target}" bs="${region_bytes}" count=1 status=none
}
# Walk-through of sedutil-cli against the SED at /dev/nvme0. The steps below
# change drive state and overwrite data at the start of /dev/nvme0n1, so run
# them only against a scratch SSD.
# NOTE(review): "testpw" is a demo password passed as a command-line argument,
# which exposes it to process listings and shell history; do not reuse this
# pattern with a real drive password.
#
# The Geometry info shows the Logical Block Size, which should be 512.
sudo ./sedutil-cli --query /dev/nvme0
# Data/encryption doesn't change when we do initial setup: the message
# written before --initialSetup should still show up in the dump after it.
ssd_write_data "Hello world!"
ssd_show_data
sudo ./sedutil-cli --initialSetup testpw /dev/nvme0
ssd_show_data
# The default/global range is 0. Rekeying will effectively clear data:
# compare the dump before and after --rekeyLockingRange.
ssd_write_data "Hello world!"
ssd_show_data
sudo ./sedutil-cli --rekeyLockingRange 0 testpw /dev/nvme0
ssd_show_data
# Notice that we haven't actually enabled "locking", but we still have
# data encryption control.
# NOTE(review): the dumps in this script read the range without any unlock
# step, so at this point nothing restricts who can read the drive; that
# only changes once locking is enabled on a range (see further down).
sudo ./sedutil-cli --listLockingRanges testpw /dev/nvme0
# Example: RLKEna = N WLKEna = N RLocked = N WLocked = N
# RLKEna ==> Read Lock Enabled (Read Lock mechanism is enabled and RLocked is honored)
# WLKEna ==> Write Lock Enabled (Write Lock mechanism is enabled and WLocked is honored)
# RLocked ==> Reads Currently Blocked (Reads are blocked right now - not unlocked)
# WLocked ==> Writes Currently Blocked (Writes are blocked right now - not unlocked)
# Use --enable/disableLockingRange to set enabled state.
# Use --setLockingRange to set current state.
# Let's activate another range and rekey only that range.
ssd_write_data "Range0" 0
ssd_write_data "Range1" 512
ssd_write_data "Range0" 1024
ssd_show_data # 0x200 is 512 in decimal, 0x400 is 1024, BTW.
sudo ./sedutil-cli --setupLockingRange 1 1 1 testpw /dev/nvme0 # Range 1, start 1, length 1; the units are 512-byte blocks.
ssd_show_data
# Immediately, we see that the "Range1" message at 0x200 is gone and random data
# fills that entire 512-byte block. Do note that we still see the Range0 at offset 0 and offset 1024.
# If we then rekey our first global (encompassing) range, we
# lose both of the Range0 messages at offset 0 and 1024.
sudo ./sedutil-cli --rekeyLockingRange 0 testpw /dev/nvme0
ssd_show_data
# FYI, if you try to remove the new range 1 by doing
# sudo ./sedutil-cli --setupLockingRange 1 0 0 testpw /dev/nvme0
# the SSD becomes unreadable.
# Let's now lock range 0 so that it is read-only (RO).
ssd_write_zeros
ssd_write_data "Range0" 0
ssd_write_data "Range1" 512
ssd_write_data "Range0" 1024
ssd_show_data
sudo ./sedutil-cli --enableLockingRange 0 testpw /dev/nvme0
sudo ./sedutil-cli --setLockingRange 0 RO testpw /dev/nvme0
sudo ./sedutil-cli --listLockingRanges testpw /dev/nvme0
# This should fail to actually commit/write, because range 0 is now RO.
ssd_write_data "This text won't actually be saved!" 0
ssd_show_data
# Notice that we still see Range0 at offset 0.
# Setting the range back to RW lets the next write through.
sudo ./sedutil-cli --setLockingRange 0 RW testpw /dev/nvme0
ssd_write_data "This is now modifiable!" 0
ssd_show_data
# --reverttper is a factory reset. It can also be done using --yesIreallywanttoERASEALLmydatausingthePSID
# and the PSID printed on the SSD.
# This will typically rekey the ranges, so the contents seem to be gone.
sudo ./sedutil-cli --reverttper testpw /dev/nvme0
ssd_show_data
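# https://github.com/Drive-Trust-Alliance/sedutil/wiki/Executable-Distributions
#
# Reset-and-reinitialise sequence for /dev/nvme0.
#
# The drive password is taken from SED_PASSWORD instead of a literal
# <password> placeholder: left unquoted, the shell parses "<password>" as two
# redirections (read stdin from a file named "password", send stdout to
# /dev/nvme0) rather than passing a password to sedutil-cli.
# The password still ends up on sedutil-cli's command line, so it is visible
# in process listings while each command runs.
: "${SED_PASSWORD:?set SED_PASSWORD to the drive password before running}"
# Each command repeats the :? guard so that, when these lines are pasted into
# an interactive shell (where the check above does not stop later lines),
# no command runs with an empty password.
#
# If you need to reset from a previous setup.
# --reverttper is a factory reset: expect existing data to be unreadable afterwards.
sudo ./sedutil-cli --reverttper "${SED_PASSWORD:?}" /dev/nvme0
sudo ./sedutil-cli --initialSetup "${SED_PASSWORD:?}" /dev/nvme0
sudo ./sedutil-cli --query /dev/nvme0
# Switch MBREnable and MBRDone off, then query again (presumably to check the result).
sudo ./sedutil-cli --setMBREnable off "${SED_PASSWORD:?}" /dev/nvme0
sudo ./sedutil-cli --setMBRDone off "${SED_PASSWORD:?}" /dev/nvme0
sudo ./sedutil-cli --query /dev/nvme0
sudo ./sedutil-cli --listLockingRanges "${SED_PASSWORD:?}" /dev/nvme0
# Rekeying range 0 (the global range) makes the data currently in it unreadable.
sudo ./sedutil-cli --rekeyLockingRange 0 "${SED_PASSWORD:?}" /dev/nvme0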