Merge pull request #1 from solidigm/sedcli_1_1

sedcli 1.1 version

Author: PiotrRudnickiAtSolidigm

.gitignore

@@ -1,10 +1,5 @@
 sedcli is made available under the terms of GPL-2.0-or-later license.
-
 libsed is made available under the terms of LGPL-2.1-or-later licens.
 
 Contributions into sedcli are accepted on GPL-2.0-or-later license,
-while contributions into libsed are accepted on LGPL-2.1-or-later
-license.
-All patches must be signedoff by the developer, which indicates that
-submitter agress to the Developer Certificate of Origin
-<https://developercertificate.org/>.
+while contributions into libsed are accepted on LGPL-2.1-or-later license.

LICENSE

@@ -1,6 +1,6 @@
 sedcli - utility for management of Self-Encrypting Drives
 
-Copyright (C) 2018-2019 Intel Corporation
+Copyright (C) 2018-2019, 2023 Solidigm
 
 This program is free software; you can redistribute it and/or modify it
 under the terms of the GNU General Public License, as published

LICENSE.GPL-2.0-or-later

@@ -1,6 +1,6 @@
 libsed - library allowing programmatic management of Self-Encrypting Drives
 
-Copyright (C) 2018-2019 Intel Corporation
+Copyright (C) 2018-2019, 2023 Solidigm
 
 This library is free software; you can redistribute it and/or modify it
 under the terms of the GNU Lesser General Public License as published

LICENSE.LGPL-2.1-or-later

@@ -1,45 +1,36 @@
 # sedcli and libsed overview
 
-TCG Opal is an industry standard allowing Self-Encrypting Drives management,
-i.e. enable locking, configuring users, locking ranges etc.
+TCG Opal is an industry standard allowing Self-Encrypting Drives management, i.e. enable locking, configuring users, locking ranges etc.
 
 Sedcli is an utility for managing NVMe SEDs that are TCG Opal complaint.
 
-Libsed is a library allowing to programatically manage NVMe SEDs that are TCG
-Opal complaint.
+Libsed is a library allowing to programatically manage NVMe SEDs that are TCG Opal complaint.
 
 ## Getting started
 
-In order to get started use following steps (\<sedcli\> denotes top level
-directory for sedcli):
+In order to get started use following steps (\<sedcli\> denotes top level directory for sedcli):
 
 ```
-# download sedcli sources
-git clone https://github.com/sedcli/sedcli.git
-
 # navigate to source directory
 cd <sedcli>/src
 
 # perform build environment configuration and run compilation
+chmod +x ./configure
 ./configure
-make
+make all
 make install
+make install-cert
 
 # invoke sedcli help to available commands and its syntax
-sedcli -H
-
-# alterntively read sedcli man page
-man sedcli
+sedcli --help
 
 ```
 For more information goto [doc](doc) directory.
 
 ## Features
 
-* Interactive management of NVMe SED allowing to: configure locking, change
-lock state, revert disk back to manafactured state
-* Coming soon: auto management with disk key being retrieved from network
-attached Key Management Server that is OASIS KMIP complaint
+* Interactive management of NVMe SED allowing to: configure locking, change lock state, revert disk back to manafactured state
+* Auto management with disk key being retrieved from network attached Key Management Server that is OASIS KMIP complaint
 
 ## Talks and papers
 
@@ -50,16 +41,10 @@ attached Key Management Server that is OASIS KMIP complaint
 We encourage contributions! Patches are accepted via pull request:
 * Contributions into sedcli are accepted on GPL-2.0-or-later license
 * Contributions into libsed are accepted on LGPL-2.1-or-later license
-* Patches must be signedoff by the developer. This indicates that submitter
-agrees to the **Developer Certificate of Origin**
-[DCO](https://developercertificate.org)
 
 ## Maintainers
 
-* Andrzej Jakowski <andrzej.jakowski@intel.com>; 
-github [@AndrzejJakowski](https://github.com/AndrzejJakowski)
-* Revanth Rajashekar <revanth.rajashekar@intel.com>; 
-github [@RevanthRajashekar](https://github.com/RevanthRajashekar)
+* Piotr Rudnicki <piotr.rudnicki@solidigm.com>
 
 Feel free to contact us anytime with questions, feedback or suggestions.
 We would love to hear how you see sedcli going forward.

README.md

@@ -4,7 +4,7 @@ port=5696
 certificate_path=/etc/pykmip/certs/server_cert.pem
 key_path=/etc/pykmip/certs/server_key.pem
 ca_path=/etc/pykmip/certs/ca_cert.pem
-auth_suite=Basic
+auth_suite=TLS1.2
 policy_path=/etc/pykmip/policies
 enable_tls_client_auth=True
 tls_cipher_suites=

certs/server.conf

@@ -44,53 +44,25 @@ backup file to authenticate to the drive and perform necessary updates.
 
 .SH OPTIONS
 
-.IP "\fB\-P -d <device> [-f <file>]\fR or \fB\-\-provision --device <device> [--file <file>]\fR"
-Initial provision NVMe SSD for security or rekey disk. On initial provision
-new DEK key is created and used to take ownership of SSD and activate Opal.
-For reprovisioning (replacing DEK with new key) "--file" options needs to be
-specified. "file" should be a valid sedcli-kmip backup file containing password
-protected DEK key that will be used to authenticate to NVMe SSD during
-reprovisioning process.
-
-.IP "\fB\-B -d <device> -f <file>\fR or \fB\-\-backup --device <device> --file <file>\fR"
-Write encrypted DEK key into password protected file. Backup file may be used
-during rekey process of NVMe SSD or when disk is migrated between platforms.
-It is also possible to use backup file to manually manage locking state of
-NVMe SSD.
-
-.IP "\fB\-L -d <device> -t {RO|RW|LK} [-f <file>]\fR or \fB\-\-lock-unlock --device <device> --accesstype {RO|RW|LK} [--file <file>]\fR"
-Change lock state of NVMe SSD. By default this command uses PEK to unwrap DEK
-key stored on disk itself in Opal datastore region. Following lock states are
-available:
-.IP
-1. Read-Only(RO) - user can only read the data from the disk.
-.IP
-2. Read-Write(RW) - user can read/write data from/to the disk.
-.IP
-3. Locked(LK) - data is locked, user can NOT read/write data from/to the disk.
-
-.IP "\fB\-H\fR or \fB\-\-help\fR"
+.IP "\fB\-\-help\fR"
 Prints global and command specific help on available commands and usage
 
 .IP "To print command specific help use following syntax:"
-.IP "\fBsedcli-kmip <command> -H\fR or \fBsedcli-kmip <command> --help\fR"
+.IP "\fBsedcli-kmip <command> --help\fR"
 .IP "For example:"
-.IP "\fBsedcli-kmip -P -H\fR or \fBsedcli-kmip --provision --help\fR"
+.IP "\fBsedcli-kmip --provision --help\fR"
 
 .SH COPYRIGHT
-Copyright(c) 2018-2020 by the Intel Corporation.
+Copyright (C) 2018-2019, 20222-2023 Solidigm. All Rights Reserved.
 
 .SH AUTHOR
-This manual page was created by Andrzej Jakowski <andrzej.jakowski@intel.com>
-
+This manual page was created by Piotr Rudnicki <piotr.rudnicki@solidigm.com>
 
 .SH FILES
 .PP
 sedcli-kmip
 .PP
 /etc/sedcli/sedcli.conf
-.PP
-/etc/udev/rules.d/63-sedcli.rules
 
 .SH SEE ALSO
 .TP

doc/sedcli-kmip.8

@@ -50,67 +50,23 @@ update Admin1 password for Locking SP.
 
 .SH OPTIONS
 
-.IP "\fB\-D -d <device> [-f {normal|udev}]\fR or \fB\-\-discovery --device <device> [--format {normal|udev}]\fR"
-Performs Level 0 and Level 1 Discovery and prints out the info in human-readable(default) or
-machine friendly format.
-
-.IP "\fB\-O -d <device>\fR or \fB\-\-ownership --device <device>\fR"
-Takes ownership of the device.
-
-.IP "\fB\-A -d <device>\fR or \fB\-\-activate-lsp --device <device>\fR"
-Activates Locking SP.
-
-.IP "\fB\-R -d <device> [-i] [-n]\fR or \fB\-\-revert --device <device> [--psid] [--non-destructive]\fR"
-Performs Destructive or Non-Destructive Revert TPer to Manufactured-Inactivate
-state using either SID or PSID authority.
-
-.IP "\fB\-S -d <device>\fR or \fB\-\-setup-global-range --device <device>\fR"
-Sets Read Lock Enabled (RLE) and Write Lock Enabled (WLE) bis for global locking
-range. This effectively enables locking of all user data. Locking will start
-after power cycle or when explicitly locked using \fb\-\-lock-unlock\fR command.
-
-.IP "\fB\-L -d <device> -t <accesstype>\fR or \fB\-\-lock-unlock --device <device> --accesstype {RO|RW|LK}\fR"
-.IP
-Changes the lock state for the device. Following access modes are available:
-.IP
-1. Read-Only(RO) - user can only read the data from the disk.
-.IP
-2. Read-Write(RW) - user can read/write data from/to the disk.
-.IP
-3. Locked(LK) - data is locked, user can NOT read/write data from/to the disk.
-
-.IP "\fB\-P -d <device>\fR or \fB\-\-set-password --device <device>\fR"
-Updates password for Admin1 authority in Locking SP.
-
-.IP "\fB\-M -d <device> [-e {TRUE|FALSE}] [-m {TRUE|FALSE}]\fR or \fB\-\-mbr-control --device <device> [--enable {TRUE|FALSE}] [--done {TRUE|FALSE}]\fR"
-.IP
-Enable/Disable MBR Shadow and/or Set/Unset MBR Done.
-MBR Done update to TRUE will only take effect when MBR Shadow is enabled.
-
-.IP "\fB\-W -d <device> -f <pba_file> [-o <offset>]\fR or \fB\-\-write-mbr --device <device> --file <pba_file> [--offset <offset>]\fR"
-Write data into MBR shadow region(MBR table).
-MBR shadow should be enabled for the PBA to take effect.
-
-.IP "\fB\-B -d <device> -r {1|0}\fR or \fB\-\-block_sid --device <device> --hwreset {1|0}\fR"
-Issue BlockSID authentication command with Clear Event flag via --hwreset option.
-
-.IP "\fB\-V\fR or \fB\-\-version\fR"
+.IP "\fB\-\-version\fR"
 Prints version of sedcli.
 
-.IP "\fB\-H\fR or \fB\-\-help\fR"
+.IP "\fB\-\-help\fR"
 Prints global help on available commands and usage
 
 .IP "To print command specific help use following syntax:"
-.IP "\fBsedcli <command> -H\fR or \fBsedcli <command> --help\fR"
+.IP "\fBsedcli <command> --help\fR"
 .IP "For example:"
-.IP "\fBsedcli -D -H\fR or \fBsedcli --discovery --help\fR"
+.IP "\fBsedcli --discovery --help\fR"
 
 .SH COPYRIGHT
-Copyright(c) 2018-2020 by the Intel Corporation.
+Copyright (C) 2018-2019, 2022-2023 Solidigm. All Rights Reserved.
 
 .SH AUTHOR
-This manual page was created by Andrzej Jakowski <andrzej.jakowski@intel.com>
+This manual page was created by Piotr Rudnicki <piotr.rudnicki@solidigm.com>
 
 .SH SEE ALSO
 .TP
-sedcli(8)
+sedcli-kmip(8)

doc/sedcli.8

@@ -4,7 +4,7 @@ ACTION!="add", GOTO="sedcli_end"
 ENV{DEVTYPE}!="disk", GOTO="sedcli_end"
 
 # Perform Discovery to detect if disk is SED and its state
-IMPORT{program}="/usr/sbin/sedcli -D -d $env{DEVNAME} -f udev"
+IMPORT{program}="/usr/sbin/sedcli -discovery --device $env{DEVNAME} -f udev"
 
 ENV{DEV_SED_COMPATIBLE}=="ENABLED", GOTO="check_sedcli_lock"
 ENV{DEV_SED_COMPATIBLE}=="DISABLED", GOTO="sedcli_end"
@@ -15,10 +15,10 @@ ENV{DEV_SED_LOCKED}=="ENABLED", GOTO="sedcli_unlock"
 
 LABEL="sedcli_provision"
 # Intial provisioning of the device
-RUN+="/usr/sbin/sedcli-kmip -P -d $env{DEVNAME}", GOTO="sedcli_end"
+RUN+="/usr/sbin/sedcli-kmip --provision --device $env{DEVNAME}", GOTO="sedcli_end"
 
 LABEL="sedcli_unlock"
 # Unlock the device
-RUN+="/usr/sbin/sedcli-kmip -L -d $env{DEVNAME} -t RW", GOTO="sedcli_end"
+RUN+="/usr/sbin/sedcli-kmip --lock-unlock --device $env{DEVNAME} --access-type RW", GOTO="sedcli_end"
 
 LABEL="sedcli_end"