forked from sedcli/sedcli
-
Notifications
You must be signed in to change notification settings - Fork 7
Expand file tree
/
Copy pathsedcli.8
More file actions
72 lines (59 loc) · 2.61 KB
/
sedcli.8
File metadata and controls
72 lines (59 loc) · 2.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
.TH sedcli 8
.SH NAME
sedcli \- manage Opal Self-Encrypting Drives (SEDs) NVMe SSDs
.SH SYNOPSIS
\fBsedcli\fR <command> [options...]
.SH DESCRIPTION
Sedcli enables a system Administrator/Operator to manage NVMe SEDs that are TCG
Opal compliant. In Opal terminology SED is called a Trusted Peripheral (TPer)
and provides an Admin Security Provider (Admin SP) and Locking Security Provider
(Locking SP).
.PP
Management of the TCG Opal features require several operations that are performed
as an Administrator within the TCG Opal command set to either the AdminSP or
LockingSP. The AdminSP provides commands that enable the user to perform
administrative operations such as taking ownership of the device, activation of
the LockingSP, and revert the TPer, whereas the LockingSP provides commands that
enable the user to configure and enable locking enforcement on user data either
globally or on a locking range basis after the LockingSP has been activated by
the AdminSP.
.PP
To start Opal management, an Administrator typically needs to perform the
following process at a minimum:
.IP
1. Take ownership of the device (setting a non-MSID credential for the SID
Authority in the AdminSP)
.IP
2. Activate the LockingSP (this will move the Opal feature to the Manufactured
state and copy the SID authority password to the LockingSP Admin1 password)
.IP
3. Enable Read Lock Enabled and Write Lock Enabled on all desired ranges
(e.g. Global Range)
.PP
After these steps are accomplished, the TPer will be Read or Write locked after
power cycle or when explicitly locked using sedcli command.
.PP
In addition to these basic flows, one can perform crypto erase of the TPer
using the SID authority or the PSID authority as part of revert TPer operation.
In case of using the PSID authority the operator needs to provide the credential
that is printed on the disk label. The Revert TPer operation reverts device
back to the Manufactured-Inactive state, which then requires re-configuration
of the Opal management system using the process previously identified (i.e.
take ownership, activate LSP, enable global range). It is also possible to
update Admin1 password for Locking SP.
.SH OPTIONS
.IP "\fB\-\-version\fR"
Prints version of sedcli.
.IP "\fB\-\-help\fR"
Prints global help on available commands and usage
.IP "To print command specific help use following syntax:"
.IP "\fBsedcli <command> --help\fR"
.IP "For example:"
.IP "\fBsedcli --discovery --help\fR"
.SH COPYRIGHT
Copyright (C) 2018-2019, 2022-2023 Solidigm. All Rights Reserved.
.SH AUTHOR
This manual page was created by Piotr Rudnicki <piotr.rudnicki@solidigm.com>
.SH SEE ALSO
.TP
sedcli-kmip(8)