diff --git a/.gitignore b/.gitignore
index e69de29..5dd3810 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/sedutil-1.12.tar.gz
diff --git a/56.patch b/56.patch
new file mode 100644
index 0000000..70ab6a3
--- /dev/null
+++ b/56.patch
@@ -0,0 +1,138 @@
+From 5ca6100917a025f6e11ae20838e1e37e7db2d587 Mon Sep 17 00:00:00 2001
+From: JanLuca
+Date: Mon, 30 May 2016 00:21:48 +0200
+Subject: [PATCH] Use nvme_ioctl.h for newer kernel versions #55
+
+The header linux/nvme.h was replaced by linux/nvme_ioctl.h in kernel versions greater than 4.4: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9d99a8dda154
+
+The needed structs and opcodes are copied into a new header file from nvme.h.
+
+See also:
+https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a9cf8284b45110a4d98aea180a89c857e53bf850
+https://www.bountysource.com/issues/29775575-linux-nvme-h-has-been-renamed-in-linux-4-4
+---
+ linux/DtaDevLinuxNvme.h | 8 ++-
+ linux/DtaDevLinuxNvmeStructsOpCodes.h | 95 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+), 1 deletion(-)
+ create mode 100755 linux/DtaDevLinuxNvmeStructsOpCodes.h
+
+diff --git a/linux/DtaDevLinuxNvme.h b/linux/DtaDevLinuxNvme.h
+index cc55761..7a67385 100755
+--- a/linux/DtaDevLinuxNvme.h
++++ b/linux/DtaDevLinuxNvme.h
+@@ -18,7 +18,13 @@ along with sedutil. If not, see .
+
+ * C:E********************************************************************** */
+ #pragma once
+-#include "linux/nvme.h"
++#include
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
++#include
++#include "DtaDevLinuxNvmeStructsOpCodes.h"
++#else
++#include
++#endif
+ #include "DtaStructures.h"
+ #include "DtaDevLinuxDrive.h"
+
+diff --git a/linux/DtaDevLinuxNvmeStructsOpCodes.h b/linux/DtaDevLinuxNvmeStructsOpCodes.h
+new file mode 100755
+index 0000000..b781949
+--- /dev/null
++++ b/linux/DtaDevLinuxNvmeStructsOpCodes.h
+@@ -0,0 +1,95 @@
++/*
++ * Definitions for the NVM Express interface
++ * Copyright (c) 2011-2014, Intel Corporation.
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms and conditions of the GNU General Public License,
++ * version 2, as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
++ * more details.
++ */
++#pragma once
++
++enum nvme_admin_opcode {
++ nvme_admin_delete_sq = 0x00,
++ nvme_admin_create_sq = 0x01,
++ nvme_admin_get_log_page = 0x02,
++ nvme_admin_delete_cq = 0x04,
++ nvme_admin_create_cq = 0x05,
++ nvme_admin_identify = 0x06,
++ nvme_admin_abort_cmd = 0x08,
++ nvme_admin_set_features = 0x09,
++ nvme_admin_get_features = 0x0a,
++ nvme_admin_async_event = 0x0c,
++ nvme_admin_activate_fw = 0x10,
++ nvme_admin_download_fw = 0x11,
++ nvme_admin_format_nvm = 0x80,
++ nvme_admin_security_send = 0x81,
++ nvme_admin_security_recv = 0x82,
++};
++
++struct nvme_id_power_state {
++ __le16 max_power; /* centiwatts */
++ __u8 rsvd2;
++ __u8 flags;
++ __le32 entry_lat; /* microseconds */
++ __le32 exit_lat; /* microseconds */
++ __u8 read_tput;
++ __u8 read_lat;
++ __u8 write_tput;
++ __u8 write_lat;
++ __le16 idle_power;
++ __u8 idle_scale;
++ __u8 rsvd19;
++ __le16 active_power;
++ __u8 active_work_scale;
++ __u8 rsvd23[9];
++};
++
++struct nvme_id_ctrl {
++ __le16 vid;
++ __le16 ssvid;
++ char sn[20];
++ char mn[40];
++ char fr[8];
++ __u8 rab;
++ __u8 ieee[3];
++ __u8 mic;
++ __u8 mdts;
++ __le16 cntlid;
++ __le32 ver;
++ __u8 rsvd84[172];
++ __le16 oacs;
++ __u8 acl;
++ __u8 aerl;
++ __u8 frmw;
++ __u8 lpa;
++ __u8 elpe;
++ __u8 npss;
++ __u8 avscc;
++ __u8 apsta;
++ __le16 wctemp;
++ __le16 cctemp;
++ __u8 rsvd270[242];
++ __u8 sqes;
++ __u8 cqes;
++ __u8 rsvd514[2];
++ __le32 nn;
++ __le16 oncs;
++ __le16 fuses;
++ __u8 fna;
++ __u8 vwc;
++ __le16 awun;
++ __le16 awupf;
++ __u8 nvscc;
++ __u8 rsvd531;
++ __le16 acwu;
++ __u8 rsvd534[2];
++ __le32 sgls;
++ __u8 rsvd540[1508];
++ struct nvme_id_power_state psd[32];
++ __u8 vs[1024];
++};
diff --git a/sedutil-cli.8 b/sedutil-cli.8
new file mode 100644
index 0000000..dcf5b57
--- /dev/null
+++ b/sedutil-cli.8
@@ -0,0 +1,93 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
+.TH SEDUTIL-CLI "8" "May 2017" "sedutil-cli 1.12" "System Administration Utilities"
+.SH NAME
+sedutil-cli \- manage self-encrypting drives
+.SH SYNOPSIS
+.B sedutil\-cli
+[\fI\,ACTION\/\fR] [\fI\,OPTION\/\fR]... [\fI\,DEVICE\/\fR]
+.SH DESCRIPTION
+A utility to manage self encrypting drives that conform
+to the Trusted Computing Group OPAL 2.0 SSC specification.
+.TP
+\fB\-v\fR
+increase verbosity, one to five v's
+.TP
+\fB\-n\fR
+no password hashing. Passwords will be sent in clear text!
+.TP
+\fBACTIONS:\fR
+.TP
+\fB\-\-scan\fR
+Scans the devices on the system, identifying Opal compliant devices
+.TP
+\fB\-\-query\fR
+Display the Discovery 0 response of a device
+.TP
+\fB\-\-isValidSED\fR
+Verify whether the given device is SED or not
+.TP
+\fB\-\-listLockingRanges\fR
+List all Locking Ranges
+.TP
+\fB\-\-listLockingRange\fR <0...n>
+List all Locking Ranges, 0 = GLobal 1..n = LRn
+.TP
+\fB\-\-eraseLockingRange\fR <0...n>
+Erase a Locking Range, 0 = GLobal 1..n = LRn
+.TP
+\fB\-\-setupLockingRange\fR <0...n>
+Setup a new Locking Range, 0 = GLobal 1..n = LRn
+.TP
+\fB\-\-initialSetup\fR
+Setup the device for use with sedutil. is new SID and Admin1 password
+.TP
+\fB\-\-setSIDPassword\fR
+Change the SID password
+.TP
+\fB\-\-setAdmin1Pwd\fR
+Change the Admin1 password
+.TP
+\fB\-\-setPassword\fR
+Change the Enterprise password for userid "EraseMaster" or "BandMaster", 0 <= n <= 1023
+.TP
+\fB\-\-setLockingRange\fR <0...n>
+Set the status of a Locking Range, 0 = GLobal 1..n = LRn
+.TP
+\fB\-\-enableLockingRange\fR <0...n>
+Enable a Locking Range, 0 = GLobal 1..n = LRn
+.TP
+\fB\-\-disableLockingRange\fR <0...n>
+Disable a Locking Range, 0 = GLobal 1..n = LRn
+.TP
+\fB\-\-setMBREnable\fR
+Enable|Disable MBR shadowing
+.TP
+\fB\-\-setMBRDone\fR
+set|unset MBRDone
+.TP
+\fB\-\-loadPBAimage\fR
+Write to MBR Shadow area
+.TP
+\fB\-\-revertTPer\fR
+set the device back to factory defaults. This **ERASES ALL DATA**
+.TP
+\fB\-\-revertNoErase\fR
+deactivate the Locking SP without erasing the data on GLOBAL RANGE *ONLY*
+.TP
+\fB\-\-yesIreallywanttoERASEALLmydatausingthePSID\fR
+revert the device using the PSID *ERASING* *ALL* the data
+.TP
+\fB\-\-printDefaultPassword\fR
+print MSID
+.SH EXAMPLES
+sedutil\-cli \fB\-\-scan\fR
+.PP
+sedutil\-cli \fB\-\-query\fR \fI\,/dev/sdc\/\fP
+.PP
+sedutil\-cli \fB\-\-yesIreallywanttoERASEALLmydatausingthePSID\fR \fI\,/dev/sdc\/\fP
+.PP
+sedutil\-cli \fB\-\-initialSetup\fR \fI\,/dev/sdc\/\fP
+.SH COPYRIGHT
+sedutil v1.12 Copyright 2014\-2016 Bright Plaza Inc.
+.SH SEE ALSO
+See further documentation in /usr/share/doc/sedutil
diff --git a/sedutil.spec b/sedutil.spec
new file mode 100644
index 0000000..7c84af7
--- /dev/null
+++ b/sedutil.spec
@@ -0,0 +1,144 @@
+%global gittag0 1.12
+
+%global _hardened_build 1
+
+Name: sedutil
+Version: %{gittag0}
+Release: 3%{?dist}
+Summary: Tools to manage the activation and use of self encrypting drives
+
+# Everything is GPLv3+ except:
+# - Common/pbkdf2/* which is GPLv2+, a bundled copy of some gnulib code.
+# - Common/Dta*Dump* which is BSD (https://github.com/Drive-Trust-Alliance/sedutil/issues/145)
+License: GPLv3+ and GPLv2+ and BSD
+URL: https://github.com/Drive-Trust-Alliance/sedutil/wiki
+Source0: https://github.com/Drive-Trust-Alliance/%{name}/archive/%{gittag0}/%{name}-%{gittag0}.tar.gz
+# Make a manual page from the help output:
+#help2man --name=sedutil-cli \
+# --section=8 \
+# --no-info \
+# --version-string=%%{version} \
+# --no-discard-stderr \
+# --output=./dist/Release_x86_64/GNU-Linux/sedutil-cli.8 \
+# ./dist/Release_x86_64/GNU-Linux/sedutil-cli
+# Cleaned up with manual edits:
+Source1: sedutil-cli.8
+Patch0: https://github.com/Drive-Trust-Alliance/sedutil/pull/56.patch
+
+# sedutil does not work on big-endian architectures
+ExcludeArch: ppc ppc64 s390 s390x
+
+BuildRequires: ncurses-devel
+
+# This package uses gnulib. It was granted an exception in:
+# https://fedorahosted.org/fpc/ticket/174
+Provides: bundled(gnulib)
+
+# Replaces msed, but doesn't provide a compatible CLI command
+Obsoletes: msed <= 0.23-0.20
+
+%description
+The Drive Trust Alliance software (sedutil) is an Open Source (GPLv3)
+effort to make Self Encrypting Drive technology freely available to
+everyone. It is a combination of the two known available Open Source
+code bases today: msed and OpalTool.
+
+sedutil is a Self-Encrypting Drive (SED) management program and
+Pre-Boot Authorization (PBA) image that will allow the activation and
+use of self encrypting drives that comply with the Trusted Computing
+Group Opal 2.0 SSC.
+
+This package provides the sedutil-cli and linuxpba binaries, but not
+the PBA image itself.
+
+%prep
+%setup -q -n sedutil-%{gittag0}
+%patch0 -p1 -b .nvme_ioctl
+# Adjust the GitVersion.sh script to just use the git tag from the
+# checkout so we don't need a full git tree or the git tool itself.
+cd linux
+sed -i -e's/^GITVER=.*/GITVER=%{gittag0}/' GitVersion.sh
+# Remove stray execute permissions from source code
+find . -type f -name '*.h' -exec chmod -x {} \;
+find . -type f -name '*.cpp' -exec chmod -x {} \;
+
+
+%build
+# Always use the x86_64 build configuration, because we override
+# CFLAGS etc. for each arch build anyway and the upstream makefiles
+# don't have build configs for every arch we support.
+cd linux/CLI
+make %{?_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" CONF=Release_x86_64
+
+# Copy in our manual page
+cp -p %{SOURCE1} dist/Release_x86_64/GNU-Linux/sedutil-cli.8
+
+cd ../../LinuxPBA
+make %{?_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" CONF=Release
+
+%install
+mkdir -p $RPM_BUILD_ROOT%{_sbindir}
+install -p -m755 linux/CLI/dist/Release_x86_64/GNU-Linux/sedutil-cli $RPM_BUILD_ROOT%{_sbindir}/sedutil-cli
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8
+install -p -m644 linux/CLI/dist/Release_x86_64/GNU-Linux/sedutil-cli.8 $RPM_BUILD_ROOT%{_mandir}/man8/sedutil-cli.8
+
+mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
+install -p -m755 LinuxPBA/dist/Release/GNU-Linux/linuxpba $RPM_BUILD_ROOT%{_libexecdir}/linuxpba
+
+
+%files
+%doc README.md Common/Copyright.txt Common/ReadMe.txt linux/PSIDRevert_LINUX.txt
+%license Common/LICENSE.txt
+%{_sbindir}/sedutil-cli
+%{_mandir}/man8/sedutil-cli.8*
+%{_libexecdir}/linuxpba
+
+
+%changelog
+* Tue May 9 2017 Charles R. Anderson - 1.12-3
+- Remove commented out macros
+- Clarify multiple licensing scenario
+- Provides: bundled(gnulib)
+- Move sedutil-cli to /usr/sbin and linuxbpa to /usr/libexec
+- Provide a manual page for sedutil-cli
+
+* Wed May 3 2017 Charles R. Anderson - 1.12-2
+- Obsolete msed package
+- Remove stray execute permissions from source code
+
+* Wed May 3 2017 Charles R. Anderson - 1.12-1
+- Use nvme_ioctl.h for newer kernel versions (upstream pull request #56)
+
+* Tue Jan 3 2017 Charles R. Anderson
+- update to 1.12
+- sedutil-nvme_ioctl_h.patch for renamed linux/nvme.h header
+
+* Wed Nov 11 2015 Charles R. Anderson - 1.10-0.1.beta.git350b22c
+- switch to DriveTrustAlliance/sedutil upstream where all further development
+ of msed happens now.
+
+* Fri Aug 07 2015 Rafael Fonseca - 0.23-0.7.beta.gite38a16d
+- disable build on big endian architectures (rhbz#1251520)
+
+* Mon Jul 27 2015 Charles R. Anderson - 0.23-0.6.beta.gite38a16d
+- add comments about upstream pull requests for patches
+
+* Sun Jul 26 2015 Charles R. Anderson - 0.23-0.5.beta.gite38a16d
+- use Github Source0 URL and standard macros for git hash
+- patch GitVersion.sh to use a static git tag so we do not need a
+ full git tree or the git tool for building.
+- preserve timestamps of installed files
+
+* Tue Jul 21 2015 Charles R. Anderson - 0.23-0.4.beta.gite38a16d
+- mark LICENSE.txt as a license text
+- enable hardened build
+
+* Tue Jul 21 2015 Charles R. Anderson - 0.23-0.3.beta.gite38a16d
+- add more documentation
+
+* Tue Jul 21 2015 Charles R. Anderson - 0.23-0.2.beta.gite38a16d
+- add BR git to properly define GIT_VERSION
+
+* Mon Jul 20 2015 Charles R. Anderson - 0.23-0.1.beta.gite38a16d
+- initial package
diff --git a/sources b/sources
index e69de29..eb0efb8 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (sedutil-1.12.tar.gz) = f17fbb5a6d71d5bdd59d0fc85eed11036a8e365545133bc1374a733ce1975d6c8dd2cdc500bd46cffbec1f2bef621a98ca392e0dd314734c1ef12c073d70b0de
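Review bot: Both `make` lines in the `%build` section of sedutil.spec pass only `CFLAGS` and `CXXFLAGS` from `$RPM_OPT_FLAGS`, so the link step receives the distribution's hardening options only if the upstream makefiles reuse the compile flags when linking, which is not visible in this diff. With `%global _hardened_build 1` set at the top of the spec, PIE and immediate-binding RELRO depend on the linker flags as well, and `sedutil-cli` is installed in `%{_sbindir}` and handles drive passwords. I would add `LDFLAGS="%{__global_ldflags}"` to both `make` invocations (assuming the makefiles honour `LDFLAGS`; otherwise they need a small patch). A comment such as `# hardened build: confirm sedutil-cli and linuxpba are PIE with full RELRO` above the first `make` would keep the check from being lost on the next rebase.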