Last active
May 27, 2024 02:32
Demonstrate how the sedutil-cli command works and how it interacts with a self-encrypting (SED) SSD.
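#######################################
# Hex-dump the first 9000 bytes of the demo disk.
# Reads the raw namespace block device /dev/nvme0n1 as root, below any
# partition table or filesystem, so the dump is whatever the drive returns
# for those blocks at that moment.
# Arguments: none
# Outputs:   hex + ASCII dump on stdout (via hd)
#######################################
ssd_show_data() {
  # bs=1 count=9000 caps the read at exactly 9000 bytes, a little over
  # seventeen 512-byte logical blocks.
  sudo dd if=/dev/nvme0n1 bs=1 count=9000 status=none | hd
}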
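#######################################
# ssd_write_data <data_message> [location]
#
# Write data_message followed by a newline straight onto the demo disk
# /dev/nvme0n1 as root, bypassing any partition table or filesystem.
# Arguments:
#   $1 - text to write
#   $2 - location: offset in bytes from the start of the disk (default 0)
# Returns: exit status of the write pipeline
#######################################
ssd_write_data() {
  local data="$1"
  local location="${2:-0}" # In bytes

  # printf, unlike echo, never treats a message such as "-n" or "-e" as an
  # option, so the bytes that reach the disk are always the message plus a
  # newline. bs=1 makes seek= count in bytes.
  printf '%s\n' "${data}" \
    | sudo dd of=/dev/nvme0n1 bs=1 seek="${location}" status=none
}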
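#######################################
# Write zeros over the 9000-byte region the demo looks at, so that a later
# ssd_show_data shows only the bytes written with ssd_write_data.
# The region starts at byte 0 of /dev/nvme0n1, which is where a partition
# table (MBR / GPT header) lives on a partitioned disk.
# Arguments: none
# Returns:   exit status of dd
#######################################
ssd_write_zeros() {
  sudo dd if=/dev/zero of=/dev/nvme0n1 bs=9000 count=1 status=none
}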
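# --- Demo walk-through -------------------------------------------------------
# Every step below acts on /dev/nvme0 (the controller, used by sedutil-cli)
# and /dev/nvme0n1 (the namespace, used by the dd helpers) and replaces keys
# or raw sectors on that drive; run it only against an SSD whose contents are
# disposable.
# "testpw" is a demo value. sedutil-cli takes the password as a command-line
# argument, so it shows up in the process list and in shell history.

# The Geometry info shows the Logical Block Size, which should be 512.
sudo ./sedutil-cli --query /dev/nvme0

# Data/encryption doesn't change when we do initial setup.
ssd_write_data "Hello world!"
ssd_show_data
sudo ./sedutil-cli --initialSetup testpw /dev/nvme0
ssd_show_data

# The default/global range is 0. Rekeying replaces that range's encryption
# key, which effectively clears its data: what was written before no longer
# reads back.
ssd_write_data "Hello world!"
ssd_show_data
sudo ./sedutil-cli --rekeyLockingRange 0 testpw /dev/nvme0
ssd_show_data

# Notice that we haven't actually enabled "locking", but we still have
# data encryption control.
sudo ./sedutil-cli --listLockingRanges testpw /dev/nvme0
# Example: RLKEna = N WLKEna = N RLocked = N WLocked = N
# RLKEna  ==> Read Lock Enabled (Read Lock mechanism is enabled and RLocked is honored)
# WLKEna  ==> Write Lock Enabled (Write Lock mechanism is enabled and WLocked is honored)
# RLocked ==> Reads Currently Blocked (Reads are blocked right now - not unlocked)
# WLocked ==> Writes Currently Blocked (Writes are blocked right now - not unlocked)
# Use --enable/disableLockingRange to set enabled state.
# Use --setLockingRange to set current state.
# With both *Ena flags at N, as in the example line, the lock bits are not
# honored, so encryption alone is not restricting access to the data.

# Let's activate another range and rekey only that range.
ssd_write_data "Range0" 0
ssd_write_data "Range1" 512
ssd_write_data "Range0" 1024
ssd_show_data # 0x200 is 512 in decimal, 0x400 is 1024, BTW.
# Range 1, start 1, length 1. The units are 512-byte blocks.
sudo ./sedutil-cli --setupLockingRange 1 1 1 testpw /dev/nvme0
ssd_show_data
# Immediately, we see that the "Range1" message at 0x200 is gone and random data
# fills that entire 512-byte block. Do note that we still see the Range0 at
# offset 0 and offset 1024.

# If we then rekey our first global (encompassing) range, we
# lose both of the Range0 messages at offset 0 and 1024.
sudo ./sedutil-cli --rekeyLockingRange 0 testpw /dev/nvme0
ssd_show_data

# FYI, if you try to remove the new range 1 by doing
#   sudo ./sedutil-cli --setupLockingRange 1 0 0 testpw /dev/nvme0
# The SSD becomes unreadable.

# Let's now lock region 0 to be only RO.
ssd_write_zeros
ssd_write_data "Range0" 0
ssd_write_data "Range1" 512
ssd_write_data "Range0" 1024
ssd_show_data
sudo ./sedutil-cli --enableLockingRange 0 testpw /dev/nvme0
sudo ./sedutil-cli --setLockingRange 0 RO testpw /dev/nvme0
sudo ./sedutil-cli --listLockingRanges testpw /dev/nvme0

# This should fail to actually commit/write.
ssd_write_data "This text won't actually be saved!" 0
ssd_show_data
# Notice that we still see Range0 at offset 0.

sudo ./sedutil-cli --setLockingRange 0 RW testpw /dev/nvme0
ssd_write_data "This is now modifiable!" 0
ssd_show_data

# This factory resets. It can also be done using
# --yesIreallywanttoERASEALLmydatausingthePSID and the PSID printed on the SSD,
# which authenticates with the PSID instead of the password.
# This will typically rekey the ranges, so the contents seem to be gone.
sudo ./sedutil-cli --reverttper testpw /dev/nvme0
ssd_show_data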
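# https://github.com/Drive-Trust-Alliance/sedutil/wiki/Executable-Distributions

# SED_PASSWORD replaces the literal <password> placeholder. Typed as-is,
# "<password> /dev/nvme0" is parsed by the shell as two redirections (stdin
# from a file named "password", stdout to /dev/nvme0), not as arguments.
# One way to set it without echoing it or leaving it in shell history:
#   read -rs -p 'SED password: ' SED_PASSWORD
# sedutil-cli still receives it as a command-line argument, so it remains
# visible in the process list while each command runs.
: "${SED_PASSWORD:?set SED_PASSWORD to the drive password first}"

# If you need to reset from a previous setup.
sudo ./sedutil-cli --reverttper "${SED_PASSWORD}" /dev/nvme0

sudo ./sedutil-cli --initialSetup "${SED_PASSWORD}" /dev/nvme0
sudo ./sedutil-cli --query /dev/nvme0

sudo ./sedutil-cli --setMBREnable off "${SED_PASSWORD}" /dev/nvme0
sudo ./sedutil-cli --setMBRDone off "${SED_PASSWORD}" /dev/nvme0
sudo ./sedutil-cli --query /dev/nvme0

sudo ./sedutil-cli --listLockingRanges "${SED_PASSWORD}" /dev/nvme0
sudo ./sedutil-cli --rekeyLockingRange 0 "${SED_PASSWORD}" /dev/nvme0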