[ltp] X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Henrique de Moraes Holschuh linux-thinkpad@linux-thinkpad.org
Sat, 12 Mar 2016 17:48:36 -0300


On Thu, 10 Mar 2016, Bjørn Mork wrote:
> Uwe Brauer <oub.oub.oub@gmail.com> writes:
> >    > Bjørn Mork <bjorn@mork.no> writes:
> >
> >    > See also http://www.lenovo.com/support/fde
> >
> > Thanks, that looks all innocent and easy, did you try it out?
> 
> I've only ever done it on brand new disks.  It was as easy as
> described.  But Murphy dictates that something will go terribly wrong if
> you depend on it being that easy :)

Especially if there are any SSDs involved.

That said, SSD/HDD-hardware-assisted FDE cannot be trusted for much.  You
can use ATA-SECURITY-PASSWORD based FDE to protect against unsophisticated
thieves retrieving your data, but it won't keep that data safe should the
storage device end up in the hands of someone who is really "curious" about
what could be inside.

TCG OPAL mode is supposed to help fix this since you can send to the device
a really large key (supposedly sealed with the help of the TPM, or stored in
removable media for example) and the device is not supposed to retain any
state about that key.  However, the whole thing is too complex and usually
the implementations are too buggy, so it is not only unsafe in the security
sense (the SSD/HDD firmware is likely to have lots of security
vulnerabilities), but it actually puts your data at risk (SSD/HDD firmware
bugs rendering it unaccessible).

And TCG OPAL support in Linux is... troublesome at *best*.  If the BIOS/UEFI
firmware can manage it all and hand to the O.S. the storage device already
unlocked when booting and when resuming from sleep (and lock it when
suspending), fine.  Otherwise, no go.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh