[ltp] X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Bjørn Mork linux-thinkpad@linux-thinkpad.org
Fri, 11 Mar 2016 09:46:23 +0100


Yves-Alexis Perez <corsac@debian.org> writes:

> On Thu, 2016-03-10 at 14:48 +0100, Bjørn Mork wrote:
>> But big fat warning: Never trust this!  Make a full backup and be
>> prepared to start from scratch. Firmware can do all sorts of weird and
>> unexpected things.  If you are lucky, you won't have to reinstall.  But
>> don't be surprised if you have to.  Make the backup and reserve enough
>> time for a full reinstall before starting.
>> 
>> And do not blame me if anything goes wrong ;)
>
> Note that we actually don't even know if the drive really encrypts stuff.

Sure.  But then we don't actually know what the drive firmware does with
our data in any case.  It could make duplicates of everything and send
it to some external part. Or more technically feasible: it could sniff
"interesting stuff" and keep in a protected area until someone with the
right tool downloads it.

Just feeding the paranoia :)  Base line is that you simply have to trust
your drive firmware.  And if the manufacturer says it encrypts, then you
might as well trust that.

If you don't, then by all means use LUKS.  But you still have to trust
your keyboard controller, which is firmware running on the EC...

> One thing to keep in mind, too, is that if it's your boot drive, the only way
> to enter the password is the BIOS interface. When you set a password through
> the BIOS setup menu, it won't actually pass that string to the disk, but
> rather mix it with some data (usually the model number, stuff like that), hash
> it, *and then* pass it to the drive.
>
> That means that you need that derivation algorithm if you ever want to gain
> access to your data. If the BIOS (of your laptop, at least of the same model)
> didn't unlock the drive and you don't know the algorithm, then you won't be
> able to unlock it (for example with hdparm).

Yes.  Luckily someone has done all the hard work for modern ThinkPad
UEFI BIOS implementations:
https://jbeekman.nl/blog/2015/03/lenovo-thinkpad-hdd-password/

Don't know if that holds for older Thinkpads?  Anyone tried it?  Maybe I
should... Will have to find some way to physically attach my X301 SSD to
another computer then, but that is probably wise in any case.


Bjørn
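
Added example, not part of the original message, the linked blog post, or any BIOS: it parses a constructed ATA IDENTIFY DEVICE block and shows why a password field derived from the typed password plus drive identity differs from the typed string itself and changes from drive to drive. The SHA-256 mix is a hypothetical stand-in, not Lenovo's or any vendor's algorithm; the serial and model values are constructed, and the NUL padding of the raw field is an assumption.

```python
import hashlib
import struct

def swap_pairs(raw: bytes) -> bytes:
    """ATA strings hold two ASCII chars per 16-bit word, first char in the high byte."""
    out = bytearray(raw)
    out[0::2], out[1::2] = raw[1::2], raw[0::2]
    return bytes(out)

def make_identify(serial: str, model: str, security_word: int) -> bytes:
    """Build a constructed 512-byte IDENTIFY DEVICE block (sample data only)."""
    block = bytearray(512)
    block[20:40] = swap_pairs(serial.ljust(20).encode("ascii"))  # words 10-19
    block[54:94] = swap_pairs(model.ljust(40).encode("ascii"))   # words 27-46
    struct.pack_into("<H", block, 256, security_word)            # word 128
    return bytes(block)

def parse_identify(block: bytes) -> dict:
    """Extract drive identity and the ATA security status bits."""
    sec, = struct.unpack_from("<H", block, 256)
    return {
        "serial": swap_pairs(block[20:40]),
        "model": swap_pairs(block[54:94]),
        "supported": bool(sec & 0x01),
        "enabled": bool(sec & 0x02),
        "locked": bool(sec & 0x04),
        "frozen": bool(sec & 0x08),
    }

def raw_password_field(typed: str) -> bytes:
    """The typed string placed directly in the 32-byte ATA password field.
    NUL padding is an assumption about the sending tool."""
    return typed.encode("ascii").ljust(32, b"\0")

def derived_password_field(typed: str, ident: dict) -> bytes:
    """HYPOTHETICAL derivation: hash of password + serial + model (32 bytes)."""
    return hashlib.sha256(typed.encode("ascii") + ident["serial"] + ident["model"]).digest()

# Constructed sample drives: word 128 = 0x0007 means supported, enabled, locked.
DRIVE_A = make_identify("CONSTRUCTED0001", "Samsung SSD 840 EVO 250GB", 0x0007)
DRIVE_B = make_identify("CONSTRUCTED0002", "EXAMPLE SSD MODEL B", 0x0007)

if __name__ == "__main__":
    for blk in (DRIVE_A, DRIVE_B):
        ident = parse_identify(blk)
        print(ident["model"].decode().strip(), "locked:", ident["locked"])
        print("  typed  :", raw_password_field("example-pass").hex())
        print("  derived:", derived_password_field("example-pass", ident).hex())
```

The two hex lines never match, which is why a drive locked through such a BIOS does not accept the typed password sent as-is.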