Since my laptop is aging but I love its 4:3 screen, I don't like relying on external media (it also has no USB 3 ports), SSDs are too small for my budget, and I want full encryption (previously TrueCrypt, but the CPU doesn't support AES), I decided to go with a Seagate ST1000LM015 1TB SSHD Self-Encrypting Drive.

Now that I was reading about how to set it up, I thought it would be quite straightforward. Only then did I discover that the unlocking is not just a simple firmware function, but that there is an entire unencrypted partition which handles the PBA and has enough space (I think I read 128 MB?) to run a small operating system doing all the unlocking stuff.

What I want to have though is S3 suspend mode. I thought about going with sedutil to manage the drive, as it supposedly supports Windows and Linux and follows the TCG OPAL standard. But then I found it doesn't support S3, which seems very logical if you think harder. Then again I found some software that uses the SED capability and still allows S3 (WinMagic's SecureDoc for example). So there clearly is a way! I know the encryption key for this must somehow be cached in RAM, but it is an acceptable risk for me.

Now I was thinking of just using the ATA Security eXtensions. As I can set a password in BIOS for the drive, it would also lock the drive. And as I understand, the ATA Security eXtensions don't disable S3. But is the data then still encrypted? How is the controller of the hard drive handling this? I know that with normal laptop drives (without SED capability) you can render the hard drive useless with a password enabled, but the data can very easily(!) be recovered by any forensics-specialized company.

Information on this topic is very scarce. And often difficult to prove right or wrong. From my understanding so far, data that is stored on the SED is by default encrypted data, only the locking of the drive has to be enabled to make a password necessary.

Can anybody clear some of my questions up? Are there possibilities to have PBA (whether BIOS or 3rd party tool) and encryption working? Possibly for both linux and windows in dual-boot? But most importantly I want to have suspend functionality!

Giacomo1968, TJJ
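The question asks whether the ATA Security state set by the BIOS actually locks the drive. On Linux that state (supported / enabled / locked / frozen) is reported in the "Security:" section of `hdparm -I`. The following is an added example, not code from the question or from sedutil: a POSIX sh function that summarises that section, run here against a constructed sample of hdparm output. It assumes hdparm is installed, that the sample's layout (`<tab>not<tab>enabled` versus `<tab><tab>enabled`) matches your hdparm version, and that the drive is /dev/sda.

```shell
#!/bin/sh
# Added example (not from the question or from sedutil): summarise the
# ATA Security section that `hdparm -I <device>` prints. Reads the hdparm
# output on stdin and prints one line, e.g.
#   supported=yes enabled=no locked=no frozen=yes
# "frozen" means the drive refuses SECURITY SET PASSWORD / DISABLE PASSWORD
# until the next power cycle; many BIOSes freeze every drive during POST.
ata_security_state() {
    awk '
        /^Security:/          { insec = 1; next }
        insec && /^[A-Za-z]/ { insec = 0 }     # next top-level section ends it
        insec {
            val = "yes"; if ($1 == "not") val = "no"
            if ($NF == "supported") sup = val
            if ($NF == "enabled")   ena = val
            if ($NF == "locked")    loc = val
            if ($NF == "frozen")    fro = val
        }
        END {
            printf "supported=%s enabled=%s locked=%s frozen=%s\n",
                (sup ? sup : "unknown"), (ena ? ena : "unknown"),
                (loc ? loc : "unknown"), (fro ? fro : "unknown")
        }'
}

# Constructed sample of the relevant part of `hdparm -I` output (assumption:
# this is the layout your hdparm prints; the tabs are significant).
SAMPLE_HDPARM=$(
    printf 'ATA device, with non-removable media\n'
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n'
    printf '\tnot\tenabled\n'
    printf '\tnot\tlocked\n'
    printf '\t\tfrozen\n'
    printf '\tnot\texpired: security count\n'
    printf '\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
)

# Summary line for the constructed sample.
sample_state() {
    printf '%s\n' "$SAMPLE_HDPARM" | ata_security_state
}

# On a real drive (needs root): sudo hdparm -I /dev/sda | ata_security_state
sample_state
```

Note what this does and does not tell you: it reports only the ATA Security lock state. It says nothing about whether the drive encrypts data at rest, which is the separate question the post raises; for an Opal drive that has to be checked through the Opal interface (for example `sedutil-cli --query`), not through hdparm.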

1 Answer

Since unlocking an Opal SED is not possible without providing C_PIN_Admin1 (colloquially referred to as the password), it has to be stored somewhere. Thus the answer to your question depends on whether you want it stored securely.

Secure storage that can be utilized during S3 resume requires specific support in firmware. TianoCore EDK II implements both a secure storage (LockBox in SMRAM) and an interface for unlocking an Opal drive automatically (UnlockOpalPasswordDevices); see TCG Trusted Boot Chain in EDK II / OPAL Password.

There are several sedutil forks for Linux which allow storing the password insecurely (in kernel memory, on an unencrypted partition, or anywhere the developer could manage) and thus can resume from S3 sleep.

Regarding S3 resume/firmware in general and security considerations in particular, see A Tour Beyond BIOS: Implementing S3 Resume with EDKII.

ᄂ ᄀ