Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/necauqua/opal-uefi-greeter

An UEFI application that unlocks a SED and starts an OS from it. Written in Rust
https://github.com/necauqua/opal-uefi-greeter

Last synced: 10 minutes ago
JSON representation

An UEFI application that unlocks a SED and starts an OS from it. Written in Rust

Host: GitHub
URL: https://github.com/necauqua/opal-uefi-greeter
Owner: necauqua
License: mit
Created: 2021-11-22T05:34:37.000Z (almost 3 years ago)
Default Branch: main
Last Pushed: 2021-11-22T05:45:43.000Z (almost 3 years ago)
Last Synced: 2024-08-04T08:08:15.159Z (3 months ago)
Language: Rust
Size: 27.3 KB
Stars: 38
Watchers: 5
Forks: 9
Open Issues: 0
Metadata Files:
- Readme: readme.md
- License: LICENSE

Awesome Lists containing this project

README

opal-uefi-greeter
-

This is an UEFI application written in Rust that unlocks a SED and then launches
another UEFI application from the unlocked drive - typically some bootloader or the Linux efistub.

It's designed to be a simple minimalist PBA for self-encrypting drives that does not
include a whole another little Linux nor requires warm-rebooting to launch the system
after unlocking - it's just an UEFI bootloader passthrough.

Currently, it only supports NVMe drives, SATA support is coming soon.

Also, enterprise drives are not supported, although some bits of code are in place
to soon enable that - I cannot test that myself though.

It uses the same hashing algorithm and salt as the `sedutil-cli` does, so your SED
has to be configured with it, or with the same algorithm as well.

At some point in the future, some minimalist configurable graphics interface (similar to
`lightdm-mini-greeter`) will be made as part of this project as well, currently the password
is requested just through the UEFI text I/O.

## Using it
You have to be familiar with [sedutil-cli](https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive).

Run the `./build-pba.sh` script or follow the steps from it manually - make sure
you have all the programs it uses (e.g. gdisk) and have set up Rust nightly.

This will yield an .img file that you have to use with `--loadpbaimage` argument
when setting up self-encrypted drive with the link above.

This image also contains the `config` file copied from `config-example` file in this repo.
You would want to edit that (by editing `config-example` before making the image or by mounting the image)
to specify the UEFI image that will be run - either specify the image of your bootloader (e.g. `\EFI\Microsoft\Boot\bootmgfw.efi` for Windows or `\EFI\BOOT\BOOTX64.efi` to launch the default bootloader such as grub, if present on the encrypted drive) or you can have an EFISTUB setup by specifying the `vmlinuz-linux`
itself as the UEFI image and giving it kernel arguments in the `config` file.

If you have multiple SEDs - only one of them has to have the image! This is true
even without using this project I believe. Also, a reminder that this project currently only supports
NVMe drives with OPAL v2 support, no enterprise.

## License
As with most of my projects, just MIT, no idea about the Rust dual-licensing stuff.

## Socials
Follow me on [twitter](https://twitter.com/necauqua) and [twitch](https://twitch.tv/necauqua) - I do dev streams sometimes.