33 KiB
33 KiB
| keywords | |||
|---|---|---|---|
|
secureboot
Most of the distributions are delievered with a microsoft-signed SHIM bootloader, which should allow the boot with active secureboot without deleting OEM keys. the SHIM bootloader gets controlled with mokutil.
ref: https://github.com/lcp/mokutil
- systemctl reboot --firmware
- bootctl
- efibootmgr -v
- mokutil --sb-state
- mokutil --list-enrolled
- mokutil --enable-validation
ubuntu
ubuntu provides a update-secureboot-policy script to generate and enroll a secureboot mok, but this needs an already active secureboot with MS keys and this needs to be active through booting the installer
cryptsetup luks
crypsetup luksDump /dev/sdaX cryptsetup luksChangeKey /dev/sdaX cryptsetup luksErase
ressource: http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/
lkrg - linux kernel runtime guard
archlinux can build with AUR, debian/ubuntu can use the *.deb precompiled package. It should be available for x64, arm64 and arm
data integrity aka bitrot
ref: https://github.com/rfjakob/cshatag General kernel awareness: https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst the solution so far to omit endusers hardware limitations (like ECC RAM grml) https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst So it should be more or less equal to use integrity with or without encryption:
- RAID1 preferred
- heavily perfomance issues caused by the journal ( none or bitmap as dangerous alternative) https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst and maybe this gets into production
- T13/ATA External Path Protection
the used strcuture to get this done: block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs
- cryptsetup benchmark
- GPT formatted block devices to get recognized properly under windows
- complete header backup
- block device sector size
- block device support for SCT/ERC
smartctl -l scterc /dev/sdX - Block device support for write-verify
hdparm -R1 /dev/sdX - block device support
hdparm --dco-identify /dev/sdX
| Vendor | Code |
|---|---|
| Western Digital | Time Limited Error Recovery (TLER) |
| Seagate | Error Recovery Control (ERC) |
| Samsung/Hitachi | Command Completion Time Limit (CCTL) |
Odroid HC1 HDD
smartctl -a /dev/sda | grep SCT
Model Family: Seagate Samsung SpinPoint M9T
Device Model: ST1500LM006 HN-M151RAD
Serial Number: S34QJ9CG700688
LU WWN Device Id: 5 0004cf 210088b47
Firmware Version: 2BC10008
User Capacity: 1.500.301.910.016 bytes [1,50 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
Device is: In smartctl database [for details use: -P show]
ATA Version is: ATA8-ACS T13/1699-D revision 6
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Thu Jun 9 21:48:00 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
[..]
SCT capabilities: (0x003f) SCT Status supported.
SCT Error Recovery Control supported.
SCT Feature Control supported.
SCT Data Table supported.
hdparm --dco-identify /dev/sda
/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6
Real max sectors: 18446744072344861488
ATA command/feature sets:
SMART self_test error_log security PUIS AAM HPA 48_bit
selective_test
WRITE_UNC_EXT
SATA command/feature sets:
NCQ interface_power_management SSP
hdparm -R1 /dev/sda
/dev/sda:
setting write-read-verify to 1
HDIO_DRIVE_CMD:WRV failed: Input/output error
write-read-verify = not supported
smartctl -l scterc /dev/sda
smartctl 7.2 2020-12-30 r5155 [armv7l-linux-5.4.199-odroidxu4] (local build)
SCT Error Recovery Control:
Read: Disabled
Write: Disabled
Lenovo S440 HDD
=== START OF INFORMATION SECTION ===
Model Family: Seagate Laptop SSHD
Device Model: ST500LM000-SSHD-8GB
Serial Number: W762L1TL
LU WWN Device Id: 5 000c50 07cb8f1cc
Firmware Version: LIV5
User Capacity: 500.107.862.016 bytes [500 GB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
Device is: In smartctl database 7.3/5319
ATA Version is: ATA8-ACS, ACS-3 T13/2161-D revision 3b
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Thu Jun 9 22:02:40 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
sudo smartctl -a /dev/sda | grep SCT
SCT capabilities: (0x1081) SCT Status supported.
hdparm --dco-identify /dev/sda
/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6
Real max sectors: 976773168
ATA command/feature sets:
SMART self_test error_log security PUIS HPA
selective_test conveyance_test
WRITE_UNC_EXT
SATA command/feature sets:
interface_power_management SSP
hdparm -I /dev/sda
/dev/sda:
ATA device, with non-removable media
Model Number: ST500LM000-SSHD-8GB
Serial Number: W762L1TL
Firmware Revision: LIV5
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
Used: unknown (minor revision code 0x001f)
Supported: 8 7 6 5
Likely used: 8
Configuration:
Logical max current
cylinders 16383 16383
heads 15 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 976773168
Logical Sector size: 512 bytes
Physical Sector size: 4096 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 476940 MBytes
device size with M = 1000*1000: 500107 MBytes (500 GB)
cache/buffer size = unknown
Form Factor: 2.5 inch
Nominal Media Rotation Rate: 5400
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: disabled
Recommended acoustic management value: 254, current value: 0
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* DOWNLOAD_MICROCODE
Advanced Power Management feature set
Power-Up In Standby feature set
* SET_FEATURES required to spinup after power up
SET_MAX security extension
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* 64-bit World wide name
* IDLE_IMMEDIATE with UNLOAD
* Write-Read-Verify feature set
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Gen3 signaling speed (6.0Gb/s)
* Native Command Queueing (NCQ)
* Host-initiated interface power management
* Phy event counters
* Idle-Unload when NCQ is active
* READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
* DMA Setup Auto-Activate optimization
* Device-initiated interface power management
* Software settings preservation
* SMART Command Transport (SCT) feature set
unknown 206[7]
unknown 206[12] (vendor specific)
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
98min for SECURITY ERASE UNIT. 98min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5007cb8f1cc
NAA : 5
IEEE OUI : 000c50
Unique ID : 07cb8f1cc
Checksum: correct
sudo hdparm -R1 /dev/sda
/dev/sda:
setting write-read-verify to 1
write-read-verify = 2
m.2 SATA SSD
ATA device, with non-removable media
Model Number: TS256GMTS430S
Serial Number: F129080156
Firmware Revision: S0423A
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
Supported: 9 8 7 6 5
Likely used: 9
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 500118192
Logical Sector size: 512 bytes
Physical Sector size: 512 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 244198 MBytes
device size with M = 1000*1000: 256060 MBytes (256 GB)
cache/buffer size = unknown
Nominal Media Rotation Rate: Solid State Device
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 2 Current = 1
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* NOP cmd
* DOWNLOAD_MICROCODE
SET_MAX security extension
* 48-bit Address feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* WRITE_{DMA|MULTIPLE}_FUA_EXT
* 64-bit World wide name
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* unknown 119[6]
unknown 119[9]
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Gen3 signaling speed (6.0Gb/s)
* Native Command Queueing (NCQ)
* READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
* DMA Setup Auto-Activate optimization
* Software settings preservation
* SANITIZE feature set
* BLOCK_ERASE_EXT command
* DOWNLOAD MICROCODE DMA command
* WRITE BUFFER DMA command
* READ BUFFER DMA command
* Data Set Management TRIM supported (limit 8 blocks)
* Deterministic read ZEROs after TRIM
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 57c354816d52575c
NAA : 5
IEEE OUI : 7c3548
Unique ID : 16d52575c
Checksum: correct
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6
Real max sectors: 500118192
ATA command/feature sets:
SMART security HPA 48_bit
FUA selective_test conveyance_test
SATA command/feature sets:
NCQ interface_power_management async_notification SSP
deskimini proxmox
Model Family: Toshiba 2.5" HDD MQ01ABD...
Device Model: TOSHIBA MQ01ABD100
Serial Number: 24RNSMGLS
LU WWN Device Id: 5 000039 55610b282
Firmware Version: AX001U
User Capacity: 1.000.204.886.016 bytes [1,00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
Device is: In smartctl database 7.3/5319
ATA Version is: ATA8-ACS (minor revision not indicated)
SATA Version is: SATA 2.6, 3.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Fri Jun 10 19:12:49 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is: Unavailable
APM level is: 128 (minimum power consumption without standby)
Rd look-ahead is: Enabled
Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown
hdparm --dco-identify /dev/sda
/dev/sda:
SG_IO: bad/missing sense data, sb[]: 70 00 05 00 00 00 00 0a 04 51 40 01 21 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DCO Checksum verified.
DCO Revision: 0x0000 -- unknown, treating as 0002
The following features can be selectively disabled via DCO:
Transfer modes:
Real max sectors: 1
ATA command/feature sets:
hdparm -I /dev/sda
/dev/sda:
ATA device, with non-removable media
Model Number: TOSHIBA HDWJ110
Serial Number: 81KZTN3TT
Firmware Revision: AX1T1A
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6
Standards:
Supported: 8 7 6 5
Likely used: 8
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 1953525168
Logical Sector size: 512 bytes
Physical Sector size: 4096 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 953869 MBytes
device size with M = 1000*1000: 1000204 MBytes (1000 GB)
cache/buffer size = 8192 KBytes
Form Factor: 2.5 inch
Nominal Media Rotation Rate: 5400
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: 254
DMA: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 *udma5
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* NOP cmd
* DOWNLOAD_MICROCODE
* Advanced Power Management feature set
Power-Up In Standby feature set
* SET_FEATURES required to spinup after power up
SET_MAX security extension
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* WRITE_{DMA|MULTIPLE}_FUA_EXT
* 64-bit World wide name
* IDLE_IMMEDIATE with UNLOAD
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Native Command Queueing (NCQ)
* Host-initiated interface power management
* Phy event counters
* Idle-Unload when NCQ is active
* DMA Setup Auto-Activate optimization
* Device-initiated interface power management
* Software settings preservation
* SMART Command Transport (SCT) feature set
* SCT Write Same (AC2)
* SCT Error Recovery Control (AC3)
* SCT Features Control (AC4)
* SCT Data Tables (AC5)
* DOWNLOAD MICROCODE DMA command
Security:
Master password revision code = 65534
supported
not enabled
not locked
frozen
not expired: security count
supported: enhanced erase
218min for SECURITY ERASE UNIT. 218min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000039af21081db
NAA : 5
IEEE OUI : 000039
Unique ID : af21081db
Checksum: correct
hdparm -R1 /dev/sda
/dev/sda:
setting write-read-verify to 1
write-read-verify = 2
=== START OF INFORMATION SECTION ===
Model Family: Crucial/Micron Client SSDs
Device Model: CT1000MX500SSD1
Serial Number: 2211E619654F
LU WWN Device Id: 5 00a075 1e619654f
Firmware Version: M3CR043
User Capacity: 1.000.204.886.016 bytes [1,00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: Solid State Device
Form Factor: 2.5 inches
TRIM Command: Available
Device is: In smartctl database 7.3/5319
ATA Version is: ACS-3 T13/2161-D revision 5
SATA Version is: SATA 3.3, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Fri Jun 10 19:20:34 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is: Unavailable
APM level is: 254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown
RPI2
=== START OF INFORMATION SECTION ===
Model Family: Western Digital Blue Mobile (SMR)
Device Model: WDC WD10SPZX-24Z10T0
Serial Number: WD-WX41A485FYC1
LU WWN Device Id: 5 0014ee 6b3473413
Firmware Version: 01.01A01
User Capacity: 1,000,204,886,016 bytes [1.00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
TRIM Command: Available, deterministic
Device is: In smartctl database [for details use: -P show]
ATA Version is: ACS-3 T13/2161-D revision 5
SATA Version is: SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Tue Jun 14 21:25:10 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is: Unavailable
APM level is: 254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Enabled
smartctl -a /dev/sda | grep SCT
SCT capabilities: (0x303d) SCT Status supported.
SCT Error Recovery Control supported.
SCT Feature Control supported.
SCT Data Table supported.
smartctl -l scterc /dev/sda
smartctl 7.2 2020-12-30 r5155 [armv7l-linux-5.10.63-v7+] (local build)
SCT Error Recovery Control:
Read: 85 (8.5 seconds)
Write: 85 (8.5 seconds)
hdparm -R1 /dev/sda
/dev/sda:
setting write-read-verify to 1
HDIO_DRIVE_CMD:WRV failed: Input/output error
write-read-verify = not supported
root@cubietruck:~# smartctl -l scterc /dev/sda
smartctl 7.2 2020-12-30 r5155 [armv7l-linux-5.15.25-sunxi] (local build)
SCT Error Recovery Control:
Read: Disabled
Write: Disabled
root@cubietruck:~# hdparm --dco-identify /dev/sda
/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
Real max sectors: 1465149168
ATA command/feature sets:
SMART self_test error_log security AAM HPA 48_bit
(?): FUA selective_test conveyance_test write_read_verify
(?): WRITE_UNC_EXT
SATA command/feature sets:
(?): NCQ interface_power_management SSP
* SCT Features Control (AC4)
* SCT Data Tables (AC5)
unknown 206[12] (vendor specific)
unknown 206[13] (vendor specific)
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
182min for SECURITY ERASE UNIT. 182min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5002e9f2ea1
NAA : 5
IEEE OUI : 000c50
Unique ID : 02e9f2ea1
root@cubietruck:~# hdparm -I /dev/sda [82/121]
/dev/sda:
ATA device, with non-removable media
Model Number: ST9750423AS
Serial Number: 5WS06X8A
Firmware Revision: 0001SDM1
Transport: Serial
Standards:
Used: unknown (minor revision code 0x0029)
Supported: 8 7 6 5
Likely used: 8
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 1465149168
Logical Sector size: 512 bytes
Physical Sector size: 4096 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 715404 MBytes
device size with M = 1000*1000: 750156 MBytes (750 GB)
cache/buffer size = 16384 KBytes
Nominal Media Rotation Rate: 5466
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: 192
Recommended acoustic management value: 208, current value: 254
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* NOP cmd
* DOWNLOAD_MICROCODE
* Advanced Power Management feature set
SET_MAX security extension
* Automatic Acoustic Management feature set
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* WRITE_{DMA|MULTIPLE}_FUA_EXT
* WRITE_DMA_QUEUED_FUA_EXT
* 64-bit World wide name
* IDLE_IMMEDIATE with UNLOAD
Write-Read-Verify feature set
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Native Command Queueing (NCQ)
* Host-initiated interface power management
* Phy event counters
* Idle-Unload when NCQ is active
Device-initiated interface power management
* Software settings preservation
* SMART Command Transport (SCT) feature set
* SCT Read/Write Long (AC1), obsolete
* SCT Write Same (AC2)
* SCT Error Recovery Control (AC3)
* SCT Features Control (AC4)
* SCT Data Tables (AC5)
unknown 206[12] (vendor specific)
unknown 206[13] (vendor specific)
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
182min for SECURITY ERASE UNIT. 182min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5002e9f2ea1
NAA : 5
IEEE OUI : 000c50
Unique ID : 02e9f2ea1
Checksum: correct
hdparm -R1 /dev/sda
/dev/sda:
setting write-read-verify to 1
write-read-verify = 2
ERC settings: smartctl -l scterc /dev/sda or setting smartctl -l scterc,150,150 /dev/sda
related issues
- https://cateee.net/lkddb/web-lkddb/BLK_DEV_INTEGRITY.html
- https://kdave.github.io/authenticated-hashes-for-btrfs-part1/
cryptsetup
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs separate
--tag-size 8 - https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with setting recommendation
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key mgmnt integration
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the flag "recalculating"
ATA background
- https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives
- https://www.smartmontools.org/wiki/FAQ#WhatiserrorrecoverycontrolERCandwhyitisimportanttoenableitfortheSATAdisksinRAID
dm-integrity
- https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html
- https://man7.org/linux/man-pages/man8/integritysetup.8.html
package manager integrity
pacman based integrity check
pacutils: sudo paccheck --md5sum --quiet
AUR: sudo check-pacman-mtree.lua -a
apt based integrity check
(https://askubuntu.com/posts/891158/timeline)
For checking the integrity of an individual file in a package against the repositories, there's no easy way short of downloading the package. The repositories typically provide these files:
* `Release{,.gpg}`, `InRelease` \- these provide the hashes of the `Packages` files.
* The `Packages` file provides hashes of the packages.
* The `Contents` file, where present, provides filelists of packages.
There's no file which provides the hashes of individual files - these are contained in the packages (`DEBIAN/md5sums` in the `control` archive).
So, if you don't trust the local system:
1. You'll have to download the `Contents` file (if available).
2. Match the file to the package using that file and download the package.
3. Then use the `md5sums` to verify the file.
If a `Contents` file is not available, and you don't trust the local system, have fun downloading _every_ package to see what provided the file.
This does not scale.
debsums --silent -a
#!/usr/bin/bash
sed -n '/Conffiles/,/Description/p' /var/lib/dpkg/status | grep -v Conffiles | grep -v Description | awk '{print $2 " " $1}' > dpkg_hash.md5sum
md5sum -c --quiet dpkg_hash.md5sum
echo $?
cd /; for sumfile in /var****/lib/dpkg/info/*.md5sums; do /usr/bin/md5sum --quiet -c "$sumfile"; done;
At least this gets you a step in front of someone.