feat(locking): Add experimental locking API (#17)

Author: bluecmd

.releaserc.yml

@@ -8,8 +8,13 @@ plugins:
     - prepareCmd: "make build-release"
   - - "@semantic-release/github"
     - assets:
+        - path: "sedlockctl.linux.amd64"
+          label: "sedlockctl (Linux AMD64)"
+        - path: "sedlockctl.linux.arm64"
+          label: "sedlockctl (Linux ARM64)"
         - path: "tcgsdiag.linux.amd64"
           label: "tcgsdiag (Linux AMD64)"
         - path: "tcgsdiag.linux.arm64"
           label: "tcgsdiag (Linux ARM64)"
 
+

Makefile

@@ -5,17 +5,20 @@
 .PHONY: build
 build:
 	go build ${LDFLAGS} -v -o target/tcgsdiag $(CURDIR)/cmd/tcgsdiag
+	go build ${LDFLAGS} -v -o target/sedlockctl $(CURDIR)/cmd/sedlockctl
 
 .PHONY: build-release
 build-release: build-release-amd64 build-release-arm64
 
 .PHONY: build-release-amd64
 build-release-amd64:
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build ${LDFLAGS} -o=tcgsdiag.linux.amd64 $(CURDIR)/cmd/tcgsdiag
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build ${LDFLAGS} -o=sedlockctl.linux.amd64 $(CURDIR)/cmd/sedlockctl
 
 .PHONY: build-release-arm64
 build-release-arm64:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build ${LDFLAGS} -o=tcgsdiag.linux.arm64 $(CURDIR)/cmd/tcgsdiag
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build ${LDFLAGS} -o=sedlockctl.linux.arm64 $(CURDIR)/cmd/sedlockctl
 
 .PHONY: test
 test:

cmd/sedlockctl/hash.go

@@ -0,0 +1,18 @@
+// Copyright (c) 2021 by library authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"crypto/sha1"
+	"fmt"
+
+	"golang.org/x/crypto/pbkdf2"
+)
+
+func HashSedutilDTA(password string, serial string) []byte {
+	// This needs to match https://github.com/Drive-Trust-Alliance/sedutil/
+	salt := fmt.Sprintf("%-20s", serial)
+	return pbkdf2.Key([]byte(password), []byte(salt[:20]), 75000, 32, sha1.New)
+}

cmd/sedlockctl/hash_test.go

@@ -0,0 +1,18 @@
+package main
+
+import (
+	"bytes"
+	"encoding/hex"
+	"testing"
+)
+
+func TestSedutilHashCompatibility(t *testing.T) {
+	got := HashSedutilDTA("dummy", "S2RBNB0HA12200B")
+	want := []byte{
+		0x4f, 0x2a, 0xcc, 0xfd, 0x1a, 0x17, 0x64, 0xdc, 0x5b, 0x5b, 0xb3, 0x8f, 0x40, 0xf9, 0x06, 0x8d,
+		0x2d, 0x1a, 0x1f, 0x6d, 0xd5, 0x39, 0x27, 0x07, 0xde, 0xa1, 0x4c, 0x3b, 0xb7, 0xde, 0xea, 0xcc,
+	}
+	if !bytes.Equal(want, got) {
+		t.Errorf("Unexpected PBKDF2 hash, got %s want %s", hex.EncodeToString(got), hex.EncodeToString(want))
+	}
+}

cmd/sedlockctl/main.go

@@ -0,0 +1,118 @@
+// Copyright (c) 2021 by library authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/bluecmd/go-tcg-storage/pkg/drive"
+	"github.com/bluecmd/go-tcg-storage/pkg/locking"
+)
+
+var (
+	sidPIN      = flag.String("sid", "", "PIN to authenticate to the AdminSP as SID")
+	sidPINMSID  = flag.Bool("try-sid-msid", false, "Try to use the MSID as PIN to authenticate to the AdminSP in addition to other methods")
+	sidPINHash  = flag.String("sid-hash", "sedutil-dta", "If set, transform the SID PIN using the specified hash function")
+	user        = flag.String("user", "", "Username to authenticate to the LockingSP (admin1 or bandmaster0 is the default)")
+	userPIN     = flag.String("password", "", "PIN used to authenticate ot the LockingSP (MSID is the default)")
+	userPINHash = flag.String("hash", "sedutil-dta", "If set, transform the PIN using the specified hash function")
+)
+
+func main() {
+	flag.Parse()
+
+	if flag.NArg() == 0 {
+		fmt.Printf("Usage: %s [-flags ..] device\n", os.Args[0])
+		return
+	}
+	d, err := drive.Open(flag.Arg(0))
+	if err != nil {
+		log.Fatalf("drive.Open: %v", err)
+	}
+	defer d.Close()
+	snRaw, err := d.SerialNumber()
+	if err != nil {
+		log.Fatalf("drive.SerialNumber: %v", err)
+	}
+	sn := string(snRaw)
+
+	spin := []byte{}
+	if *sidPIN != "" {
+		switch *sidPINHash {
+		case "sedutil-dta":
+			spin = HashSedutilDTA(*sidPIN, sn)
+		default:
+			log.Fatalf("Unknown hash method %q", *sidPINHash)
+		}
+	}
+
+	initOps := []locking.InitializeOpt{}
+	if len(spin) > 0 {
+		initOps = append(initOps, locking.WithAuth(locking.DefaultAdminAuthority(spin)))
+	}
+	if *sidPINMSID {
+		initOps = append(initOps, locking.WithAuth(locking.DefaultAuthorityWithMSID))
+	}
+
+	cs, lmeta, err := locking.Initialize(d, initOps...)
+	if err != nil {
+		log.Fatalf("locking.Initalize: %v", err)
+	}
+	defer cs.Close()
+
+	var auth locking.LockingSPAuthenticator
+	pin := []byte{}
+	if *userPIN != "" {
+		switch *userPINHash {
+		case "sedutil-dta":
+			pin = HashSedutilDTA(*userPIN, sn)
+		default:
+			log.Fatalf("Unknown hash method %q", *userPINHash)
+		}
+	}
+	if *user != "" {
+		var ok bool
+		auth, ok = locking.AuthorityFromName(*user, pin)
+		if !ok {
+			log.Fatalf("Authority %q is not known for this device", *user)
+		}
+	} else {
+		if len(pin) == 0 {
+			auth = locking.DefaultAuthorityWithMSID
+		} else {
+			auth = locking.DefaultAuthority(pin)
+		}
+	}
+
+	l, err := locking.NewSession(cs, lmeta, auth)
+	if err != nil {
+		log.Fatalf("locking.NewSession: %v", err)
+	}
+	defer l.Close()
+
+	if len(l.Ranges) == 0 {
+		log.Fatalf("No available locking ranges as this user\n")
+	}
+	for i, r := range l.Ranges {
+		strr := "whole disk"
+		if r.End > 0 {
+			strr = fmt.Sprintf("%d to %d", r.Start, r.End)
+		}
+		if !r.WriteLockEnabled && !r.ReadLockEnabled {
+			strr = "disabled"
+		} else {
+			if r.WriteLocked {
+				strr += " [write locked]"
+			}
+			if r.ReadLocked {
+				strr += " [read locked]"
+			}
+		}
+		fmt.Printf("Range %3d: %s\n", i, strr)
+	}
+}

go.mod

@@ -4,5 +4,6 @@ go 1.15
 
 require (
 	github.com/davecgh/go-spew v1.1.1
+	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
 	golang.org/x/sys v0.0.0-20210531080801-fdfd190a6549
 )

go.sum

@@ -1,8 +1,11 @@
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-golang.org/x/sys v0.0.0-20210521203332-0cec03c779c1 h1:lCnv+lfrU9FRPGf8NeRuWAAPjNnema5WtBinMgs1fD8=
-golang.org/x/sys v0.0.0-20210521203332-0cec03c779c1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea h1:+WiDlPBBaO+h9vPNZi8uJ3k4BkKQB7Iow3aqwHVA5hI=
-golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210531080801-fdfd190a6549 h1:OL5GcZ2XPkte3dpfuFQ9o884vrE3BZQhajdntNMruv4=
 golang.org/x/sys v0.0.0-20210531080801-fdfd190a6549/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

pkg/core/session.go

@@ -51,8 +51,9 @@ var (
 type ProtocolLevel uint
 
 const (
-	ProtocolLevelEnterprise = 1
-	ProtocolLevelCore       = 2
+	ProtocolLevelUnknown    ProtocolLevel = 0
+	ProtocolLevelEnterprise ProtocolLevel = 1
+	ProtocolLevelCore       ProtocolLevel = 2
 )
 
 func (p *ProtocolLevel) String() string {

pkg/core/table/thissp.go

@@ -7,12 +7,17 @@
 package table
 
 import (
+	"errors"
 	"fmt"
 
 	"github.com/bluecmd/go-tcg-storage/pkg/core"
 	"github.com/bluecmd/go-tcg-storage/pkg/core/stream"
 )
 
+var (
+	ErrAuthenticationFailed = errors.New("authentication failed")
+)
+
 func ThisSP_Random(s *core.Session, count uint) ([]byte, error) {
 	mc := s.NewMethodCall(core.InvokeIDThisSP, MethodIDRandom)
 	mc.UInt(count)
@@ -60,7 +65,7 @@ func ThisSP_Authenticate(s *core.Session, authority core.AuthorityObjectUID, pro
 		return core.ErrMalformedMethodResponse
 	}
 	if success == 0 {
-		return fmt.Errorf("authentication failed")
+		return ErrAuthenticationFailed
 	}
 	return nil
 }