---
keywords:
- IT
- filesystem integrity
- authentic filesystem
---

# secureboot

Most distributions ship with a Microsoft-signed shim bootloader, which allows booting with Secure Boot enabled without deleting the OEM keys from the firmware. Shim keeps its own key list, the Machine Owner Keys (MOK), which is managed with mokutil; every change has to be confirmed interactively in MokManager on the next boot, so it cannot be done silently from the running system.

ref: https://github.com/lcp/mokutil

- `systemctl reboot --firmware-setup` (reboot straight into the firmware setup UI)
- `bootctl` (boot loader status, including the Secure Boot state as seen by systemd)
- `efibootmgr -v` (boot entries and the EFI binaries they point to)
- `mokutil --sb-state` (is Secure Boot enabled and enforcing?)
- `mokutil --list-enrolled` (MOKs currently trusted by shim)
- `mokutil --enable-validation` (re-enable shim's signature validation if it was switched off; takes effect after confirmation in MokManager)

## ubuntu

Ubuntu provides the `update-secureboot-policy` script to generate and enroll a Secure Boot MOK, but this needs Secure Boot with the Microsoft keys already active, and it has to have been active when the installer was booted.

# cryptsetup luks

- `cryptsetup luksDump /dev/sdaX` (header, keyslots, cipher and PBKDF settings)
- `cryptsetup luksChangeKey /dev/sdaX` (replace one passphrase in place)
- `cryptsetup luksErase /dev/sdaX` (wipes every keyslot without asking for a passphrase; the data area is not touched, but it is unrecoverable afterwards unless a header backup exists)

resource (about maintaining the UEFI key databases, so it belongs to the secureboot section above):

http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/
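Added example, not cryptsetup's code: before `luksChangeKey` or `luksErase`, take a header backup with `cryptsetup luksHeaderBackup /dev/sdaX --header-backup-file hdr.img` and check the backup file offline. The script parses the 4 KiB LUKS2 binary header (all integers big-endian), recomputes the header checksum over the binary header with the csum field zeroed plus the JSON area, and lists the keyslots. `build_header()` fabricates a header with made-up keyslot parameters and UUID so the script runs without a disk.

```python
"""Offline check of a LUKS2 header backup image."""
import hashlib
import json
import struct

MAGIC = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")  # primary / secondary header
BIN_HDR = 4096
CSUM_OFFSET = 448
# magic[6] version u16 hdr_size u64 seqid u64 label[48] csum_alg[32] salt[64]
# uuid[40] subsystem[48] hdr_offset u64 pad[184] csum[64] pad[3584]
FMT = ">6sHQQ48s32s64s40s48sQ184x64s3584x"
assert struct.calcsize(FMT) == BIN_HDR


def parse_header(blob: bytes) -> dict:
    """Parse one LUKS2 header and verify its checksum."""
    fields = struct.unpack(FMT, blob[:BIN_HDR])
    magic, version, hdr_size, seqid, label, alg, _salt, uuid, _sub, _off, csum = fields
    if magic not in MAGIC or version != 2:
        raise ValueError("not a LUKS2 header")
    alg = alg.rstrip(b"\0").decode()
    # checksum covers the binary header with csum zeroed, followed by the JSON area
    zeroed = blob[:CSUM_OFFSET] + bytes(64) + blob[CSUM_OFFSET + 64:BIN_HDR]
    digest = hashlib.new(alg, zeroed + blob[BIN_HDR:hdr_size]).digest()
    try:
        meta = json.loads(blob[BIN_HDR:hdr_size].rstrip(b"\0"))
        keyslots = sorted(meta.get("keyslots", {}))
    except ValueError:
        keyslots = None  # JSON area unreadable, checksum_ok will say why
    return {
        "secondary": magic == MAGIC[1],
        "hdr_size": hdr_size,
        "seqid": seqid,
        "label": label.rstrip(b"\0").decode(),
        "uuid": uuid.rstrip(b"\0").decode(),
        "checksum_alg": alg,
        "checksum_ok": csum[: len(digest)] == digest,
        "keyslots": keyslots,
    }


def build_header(keyslots=("0", "1"), hdr_size=16384, alg="sha256") -> bytes:
    """Constructed LUKS2 header with the default 16 KiB metadata area (made-up parameters)."""
    meta = {
        "keyslots": {
            k: {"type": "luks2", "key_size": 64,
                "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4, "salt": "c2FsdA=="},
                "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
                "area": {"type": "raw", "offset": str(32768 + int(k) * 258048), "size": "258048",
                         "encryption": "aes-xts-plain64", "key_size": 64}}
            for k in keyslots},
        "tokens": {},
        "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                           "iv_tweak": "0", "encryption": "aes-xts-plain64", "sector_size": 512}},
        "digests": {},
        "config": {"json_size": str(hdr_size - BIN_HDR), "keyslots_size": "16744448"},
    }
    json_area = json.dumps(meta).encode().ljust(hdr_size - BIN_HDR, b"\0")
    uuid = b"7f2c0d1e-3b4a-4c5d-8e9f-0a1b2c3d4e5f"  # made up
    args = [MAGIC[0], 2, hdr_size, 1, b"", alg.encode(), b"\x01" * 64, uuid, b"", 0]
    digest = hashlib.new(alg, struct.pack(FMT, *args, bytes(64)) + json_area).digest()
    return struct.pack(FMT, *args, digest.ljust(64, b"\0")) + json_area


def corrupt(blob: bytes, offset: int) -> bytes:
    """Flip one bit, e.g. a bad sector in the backup image."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(parse_header(f.read()))
```

The checksum is a plain digest, not a MAC: it catches a corrupted backup, not a deliberate swap of the header. The backup contains the keyslots, so together with any of the passphrases it unlocks the data, and it also undoes a later `luksErase`; keep it offline and encrypted.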
## lkrg - linux kernel runtime guard

LKRG is an out-of-tree kernel module that checks the integrity of the running kernel and tries to detect exploits against it. Arch Linux can build it from the AUR; Debian and Ubuntu can use the precompiled *.deb package. It should be available for x64, arm64 and arm.

## data integrity aka bitrot

ref: https://github.com/rfjakob/cshatag

General kernel awareness (block-layer integrity, i.e. protection information passed along with the I/O):

https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst

The workaround so far for end-user hardware limitations (no ECC RAM, **grml**) is dm-integrity:

https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst

Using dm-integrity on its own or underneath dm-crypt should be more or less equivalent:

- RAID1 on top is preferred: dm-integrity only detects a bad sector and fails the read with an I/O error, it cannot repair anything; with a mirror above it, md reads the other copy and rewrites the failed one.
- heavy performance penalty caused by the journal (every write goes to the journal first); the journal-less and bitmap modes are faster but are the dangerous alternative, because they are not crash-safe and sectors written around a power loss are no longer protected.

https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst

and maybe this gets into production some day:

- T13/ATA External Path Protection (end-to-end protection information for ATA devices)

The structure used to get this done:

block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs

block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs
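Added example for the "RAID1 preferred" point above, not kernel or cryptsetup code: a toy dm-integrity device that keeps one tag per sector and a two-leg mirror on top of it. zlib.crc32 stands in for dm-integrity's default crc32c tag and the disks are in-memory byte arrays; the sector numbers and payloads are constructed.

```python
"""Why dm-integrity wants a mirror above it: detection vs. repair."""
import zlib

SECTOR = 512


class IntegrityDisk:
    """Sector store plus one tag per sector, as dm-integrity interleaves on disk."""

    def __init__(self, sectors: int):
        self.data = bytearray(SECTOR * sectors)
        self.tags = [zlib.crc32(bytes(SECTOR))] * sectors  # fresh device: all-zero sectors

    def write(self, lba: int, buf: bytes) -> None:
        assert len(buf) == SECTOR
        self.data[lba * SECTOR:(lba + 1) * SECTOR] = buf
        self.tags[lba] = zlib.crc32(buf)  # data and tag updated together (the journal's job)

    def read(self, lba: int) -> bytes:
        buf = bytes(self.data[lba * SECTOR:(lba + 1) * SECTOR])
        if zlib.crc32(buf) != self.tags[lba]:
            raise IOError(f"integrity tag mismatch at sector {lba}")  # the kernel returns EIO here
        return buf

    def bitrot(self, lba: int, offset: int) -> None:
        """Flip one bit underneath the integrity layer, like a silent media error."""
        self.data[lba * SECTOR + offset] ^= 0x01


class Mirror:
    """Minimal md RAID1: serve the read from the first leg that passes, rewrite the legs that failed."""

    def __init__(self, legs):
        self.legs = legs
        self.repaired = []  # (lba, leg index) of every sector rewritten from a good copy

    def write(self, lba: int, buf: bytes) -> None:
        for leg in self.legs:
            leg.write(lba, buf)

    def read(self, lba: int) -> bytes:
        failed = []
        for idx, leg in enumerate(self.legs):
            try:
                buf = leg.read(lba)
            except IOError:
                failed.append(idx)
                continue
            for bad in failed:  # heal the legs that returned EIO
                self.legs[bad].write(lba, buf)
                self.repaired.append((lba, bad))
            return buf
        raise IOError(f"sector {lba}: no mirror leg has a copy with a valid tag")


def demo() -> dict:
    """Same bit flip once on a standalone integrity device, once under a mirror."""
    payload = b"A" * SECTOR
    single = IntegrityDisk(8)
    single.write(3, payload)
    single.bitrot(3, 100)
    try:
        single.read(3)
        standalone = "returned corrupt data"
    except IOError:
        standalone = "EIO"  # detected, but nothing to repair from
    raid = Mirror([IntegrityDisk(8), IntegrityDisk(8)])
    raid.write(3, payload)
    raid.legs[0].bitrot(3, 100)
    data = raid.read(3)
    return {"standalone": standalone, "mirror_data_ok": data == payload,
            "repaired": list(raid.repaired), "leg0_healed": raid.legs[0].read(3) == payload}


if __name__ == "__main__":
    print(demo())
```

A CRC only catches accidental corruption: anyone who can write to the disk can recompute the tag. For tamper detection dm-integrity has to run with a keyed HMAC tag, or underneath dm-crypt with authenticated encryption, which is the second stack listed above.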

- [ ] `cryptsetup benchmark` (results differ a lot between an x86 CPU with AES-NI and the ARM boards below)
- [ ] GPT-formatted block devices so they are recognized properly under windows
- [ ] complete header backup (LUKS header and dm-integrity superblock; without it a damaged header means total data loss)
- [ ] block device sector size (512e vs. 4Kn; dm-integrity should be formatted with the physical sector size)
- [ ] block device support for SCT/ERC `smartctl -l scterc /dev/sdX`
- [ ] block device support for write-verify `hdparm -R1 /dev/sdX`
- [ ] block device configuration overlay `hdparm --dco-identify /dev/sdX` (which features the drive could hide or disable)

| Vendor | Name of the feature |
|-----------------|--------------------------------------|
| Western Digital | Time Limited Error Recovery (TLER) |
| Seagate | Error Recovery Control (ERC) |
| Samsung/Hitachi | Command Completion Time Limit (CCTL) |

Odroid HC1 HDD (behind the board's USB-SATA bridge, so ATA pass-through answers like the max sector count below are not fully trustworthy)

```
smartctl -a /dev/sda | grep SCT
Model Family: Seagate Samsung SpinPoint M9T
Device Model: ST1500LM006 HN-M151RAD
Serial Number: S34QJ9CG700688
LU WWN Device Id: 5 0004cf 210088b47
Firmware Version: 2BC10008
User Capacity: 1.500.301.910.016 bytes [1,50 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
Device is: In smartctl database [for details use: -P show]
ATA Version is: ATA8-ACS T13/1699-D revision 6
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Thu Jun 9 21:48:00 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
[..]
SCT capabilities: (0x003f) SCT Status supported.
SCT Error Recovery Control supported.
SCT Feature Control supported.
SCT Data Table supported.

hdparm --dco-identify /dev/sda

/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6
Real max sectors: 18446744072344861488
ATA command/feature sets:
SMART self_test error_log security PUIS AAM HPA 48_bit
selective_test
WRITE_UNC_EXT
SATA command/feature sets:
NCQ interface_power_management SSP

hdparm -R1 /dev/sda

/dev/sda:
setting write-read-verify to 1
HDIO_DRIVE_CMD:WRV failed: Input/output error
write-read-verify = not supported

smartctl -l scterc /dev/sda
smartctl 7.2 2020-12-30 r5155 [armv7l-linux-5.4.199-odroidxu4] (local build)

SCT Error Recovery Control:
Read: Disabled
Write: Disabled
```

Lenovo S440 HDD

```
=== START OF INFORMATION SECTION ===
Model Family: Seagate Laptop SSHD
Device Model: ST500LM000-SSHD-8GB
Serial Number: W762L1TL
LU WWN Device Id: 5 000c50 07cb8f1cc
Firmware Version: LIV5
User Capacity: 500.107.862.016 bytes [500 GB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
Device is: In smartctl database 7.3/5319
ATA Version is: ATA8-ACS, ACS-3 T13/2161-D revision 3b
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Thu Jun 9 22:02:40 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

sudo smartctl -a /dev/sda | grep SCT
SCT capabilities: (0x1081) SCT Status supported.

hdparm --dco-identify /dev/sda

/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6
Real max sectors: 976773168
ATA command/feature sets:
SMART self_test error_log security PUIS HPA
selective_test conveyance_test
WRITE_UNC_EXT
SATA command/feature sets:
interface_power_management SSP

hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
Model Number: ST500LM000-SSHD-8GB
Serial Number: W762L1TL
Firmware Revision: LIV5
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
Used: unknown (minor revision code 0x001f)
Supported: 8 7 6 5
Likely used: 8
Configuration:
Logical max current
cylinders 16383 16383
heads 15 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 976773168
Logical Sector size: 512 bytes
Physical Sector size: 4096 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 476940 MBytes
device size with M = 1000*1000: 500107 MBytes (500 GB)
cache/buffer size = unknown
Form Factor: 2.5 inch
Nominal Media Rotation Rate: 5400
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: disabled
Recommended acoustic management value: 254, current value: 0
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* DOWNLOAD_MICROCODE
Advanced Power Management feature set
Power-Up In Standby feature set
* SET_FEATURES required to spinup after power up
SET_MAX security extension
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* 64-bit World wide name
* IDLE_IMMEDIATE with UNLOAD
* Write-Read-Verify feature set
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Gen3 signaling speed (6.0Gb/s)
* Native Command Queueing (NCQ)
* Host-initiated interface power management
* Phy event counters
* Idle-Unload when NCQ is active
* READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
* DMA Setup Auto-Activate optimization
* Device-initiated interface power management
* Software settings preservation
* SMART Command Transport (SCT) feature set
unknown 206[7]
unknown 206[12] (vendor specific)
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
98min for SECURITY ERASE UNIT. 98min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5007cb8f1cc
NAA : 5
IEEE OUI : 000c50
Unique ID : 07cb8f1cc
Checksum: correct

sudo hdparm -R1 /dev/sda

/dev/sda:
setting write-read-verify to 1
write-read-verify = 2
```

m.2 SATA SSD

```
ATA device, with non-removable media
Model Number: TS256GMTS430S
Serial Number: F129080156
Firmware Revision: S0423A
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
Supported: 9 8 7 6 5
Likely used: 9
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 500118192
Logical Sector size: 512 bytes
Physical Sector size: 512 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 244198 MBytes
device size with M = 1000*1000: 256060 MBytes (256 GB)
cache/buffer size = unknown
Nominal Media Rotation Rate: Solid State Device
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 2 Current = 1
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* NOP cmd
* DOWNLOAD_MICROCODE
SET_MAX security extension
* 48-bit Address feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* WRITE_{DMA|MULTIPLE}_FUA_EXT
* 64-bit World wide name
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* unknown 119[6]
unknown 119[9]
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Gen3 signaling speed (6.0Gb/s)
* Native Command Queueing (NCQ)
* READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
* DMA Setup Auto-Activate optimization
* Software settings preservation
* SANITIZE feature set
* BLOCK_ERASE_EXT command
* DOWNLOAD MICROCODE DMA command
* WRITE BUFFER DMA command
* READ BUFFER DMA command
* Data Set Management TRIM supported (limit 8 blocks)
* Deterministic read ZEROs after TRIM
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 57c354816d52575c
NAA : 5
IEEE OUI : 7c3548
Unique ID : 16d52575c
Checksum: correct

DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6
Real max sectors: 500118192
ATA command/feature sets:
SMART security HPA 48_bit
FUA selective_test conveyance_test
SATA command/feature sets:
NCQ interface_power_management async_notification SSP
```

deskmini proxmox

```
Model Family: Toshiba 2.5" HDD MQ01ABD...
Device Model: TOSHIBA MQ01ABD100
Serial Number: 24RNSMGLS
LU WWN Device Id: 5 000039 55610b282
Firmware Version: AX001U
User Capacity: 1.000.204.886.016 bytes [1,00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
Device is: In smartctl database 7.3/5319
ATA Version is: ATA8-ACS (minor revision not indicated)
SATA Version is: SATA 2.6, 3.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Fri Jun 10 19:12:49 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is: Unavailable
APM level is: 128 (minimum power consumption without standby)
Rd look-ahead is: Enabled
Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown

hdparm --dco-identify /dev/sda

/dev/sda:
SG_IO: bad/missing sense data, sb[]: 70 00 05 00 00 00 00 0a 04 51 40 01 21 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DCO Checksum verified.
DCO Revision: 0x0000 -- unknown, treating as 0002
The following features can be selectively disabled via DCO:
Transfer modes:

Real max sectors: 1
ATA command/feature sets:

hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
Model Number: TOSHIBA HDWJ110
Serial Number: 81KZTN3TT
Firmware Revision: AX1T1A
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6
Standards:
Supported: 8 7 6 5
Likely used: 8
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 1953525168
Logical Sector size: 512 bytes
Physical Sector size: 4096 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 953869 MBytes
device size with M = 1000*1000: 1000204 MBytes (1000 GB)
cache/buffer size = 8192 KBytes
Form Factor: 2.5 inch
Nominal Media Rotation Rate: 5400
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: 254
DMA: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 *udma5
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* NOP cmd
* DOWNLOAD_MICROCODE
* Advanced Power Management feature set
Power-Up In Standby feature set
* SET_FEATURES required to spinup after power up
SET_MAX security extension
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* WRITE_{DMA|MULTIPLE}_FUA_EXT
* 64-bit World wide name
* IDLE_IMMEDIATE with UNLOAD
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Native Command Queueing (NCQ)
* Host-initiated interface power management
* Phy event counters
* Idle-Unload when NCQ is active
* DMA Setup Auto-Activate optimization
* Device-initiated interface power management
* Software settings preservation
* SMART Command Transport (SCT) feature set
* SCT Write Same (AC2)
* SCT Error Recovery Control (AC3)
* SCT Features Control (AC4)
* SCT Data Tables (AC5)
* DOWNLOAD MICROCODE DMA command
Security:
Master password revision code = 65534
supported
not enabled
not locked
frozen
not expired: security count
supported: enhanced erase
218min for SECURITY ERASE UNIT. 218min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000039af21081db
NAA : 5
IEEE OUI : 000039
Unique ID : af21081db
Checksum: correct

hdparm -R1 /dev/sda

/dev/sda:
setting write-read-verify to 1
write-read-verify = 2
```

```
=== START OF INFORMATION SECTION ===
Model Family: Crucial/Micron Client SSDs
Device Model: CT1000MX500SSD1
Serial Number: 2211E619654F
LU WWN Device Id: 5 00a075 1e619654f
Firmware Version: M3CR043
User Capacity: 1.000.204.886.016 bytes [1,00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: Solid State Device
Form Factor: 2.5 inches
TRIM Command: Available
Device is: In smartctl database 7.3/5319
ATA Version is: ACS-3 T13/2161-D revision 5
SATA Version is: SATA 3.3, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is: Fri Jun 10 19:20:34 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is: Unavailable
APM level is: 254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown
```

RPI2

```
=== START OF INFORMATION SECTION ===
Model Family: Western Digital Blue Mobile (SMR)
Device Model: WDC WD10SPZX-24Z10T0
Serial Number: WD-WX41A485FYC1
LU WWN Device Id: 5 0014ee 6b3473413
Firmware Version: 01.01A01
User Capacity: 1,000,204,886,016 bytes [1.00 TB]
Sector Sizes: 512 bytes logical, 4096 bytes physical
Rotation Rate: 5400 rpm
Form Factor: 2.5 inches
TRIM Command: Available, deterministic
Device is: In smartctl database [for details use: -P show]
ATA Version is: ACS-3 T13/2161-D revision 5
SATA Version is: SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is: Tue Jun 14 21:25:10 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is: Unavailable
APM level is: 254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is: Enabled
DSN feature is: Unavailable
ATA Security is: Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Enabled

smartctl -a /dev/sda | grep SCT
SCT capabilities: (0x303d) SCT Status supported.
SCT Error Recovery Control supported.
SCT Feature Control supported.
SCT Data Table supported.

smartctl -l scterc /dev/sda
smartctl 7.2 2020-12-30 r5155 [armv7l-linux-5.10.63-v7+] (local build)

SCT Error Recovery Control:
Read: 85 (8.5 seconds)
Write: 85 (8.5 seconds)

hdparm -R1 /dev/sda

/dev/sda:
setting write-read-verify to 1
HDIO_DRIVE_CMD:WRV failed: Input/output error
write-read-verify = not supported
```

cubietruck

```
root@cubietruck:~# smartctl -l scterc /dev/sda
smartctl 7.2 2020-12-30 r5155 [armv7l-linux-5.15.25-sunxi] (local build)

SCT Error Recovery Control:
Read: Disabled
Write: Disabled

root@cubietruck:~# hdparm --dco-identify /dev/sda

/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
Real max sectors: 1465149168
ATA command/feature sets:
SMART self_test error_log security AAM HPA 48_bit
(?): FUA selective_test conveyance_test write_read_verify
(?): WRITE_UNC_EXT
SATA command/feature sets:
(?): NCQ interface_power_management SSP
* SCT Features Control (AC4)
* SCT Data Tables (AC5)
unknown 206[12] (vendor specific)
unknown 206[13] (vendor specific)
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
182min for SECURITY ERASE UNIT. 182min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5002e9f2ea1
NAA : 5
IEEE OUI : 000c50
Unique ID : 02e9f2ea1

root@cubietruck:~# hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
Model Number: ST9750423AS
Serial Number: 5WS06X8A
Firmware Revision: 0001SDM1
Transport: Serial
Standards:
Used: unknown (minor revision code 0x0029)
Supported: 8 7 6 5
Likely used: 8
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 1465149168
Logical Sector size: 512 bytes
Physical Sector size: 4096 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 715404 MBytes
device size with M = 1000*1000: 750156 MBytes (750 GB)
cache/buffer size = 16384 KBytes
Nominal Media Rotation Rate: 5466
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: 192
Recommended acoustic management value: 208, current value: 254
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* NOP cmd
* DOWNLOAD_MICROCODE
* Advanced Power Management feature set
SET_MAX security extension
* Automatic Acoustic Management feature set
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* WRITE_{DMA|MULTIPLE}_FUA_EXT
* WRITE_DMA_QUEUED_FUA_EXT
* 64-bit World wide name
* IDLE_IMMEDIATE with UNLOAD
Write-Read-Verify feature set
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Native Command Queueing (NCQ)
* Host-initiated interface power management
* Phy event counters
* Idle-Unload when NCQ is active
Device-initiated interface power management
* Software settings preservation
* SMART Command Transport (SCT) feature set
* SCT Read/Write Long (AC1), obsolete
* SCT Write Same (AC2)
* SCT Error Recovery Control (AC3)
* SCT Features Control (AC4)
* SCT Data Tables (AC5)
unknown 206[12] (vendor specific)
unknown 206[13] (vendor specific)
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
182min for SECURITY ERASE UNIT. 182min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5002e9f2ea1
NAA : 5
IEEE OUI : 000c50
Unique ID : 02e9f2ea1
Checksum: correct

hdparm -R1 /dev/sda

/dev/sda:
setting write-read-verify to 1
write-read-verify = 2
```

ERC settings: show with `smartctl -l scterc /dev/sda`, set with `smartctl -l scterc,150,150 /dev/sda`. The values are tenths of a second (150 = 15 s for read and write; the RPI2 drive above reports 85 = 8.5 s) and cap how long the drive retries a bad sector before giving up and letting md handle it. The setting is not persistent on most drives, so it has to be re-applied after every power cycle, e.g. from a udev rule.
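Added example, not smartmontools or hdparm code: the checklist above applied to dumps like the ones collected here. The parser picks the relevant lines out of `smartctl -a`, `smartctl -l scterc`, `hdparm -I` and `hdparm -R1` output and returns the findings a practitioner would act on before putting the drive under md. The two sample texts are constructed from lines shown in the dumps above: one good case, and one worst case that combines the failure modes seen on several of the drives.

```python
"""Go/no-go findings for a dm-integrity + RAID1 build from smartctl/hdparm output."""
import re

# Constructed from the RPI2 dump: ERC set to 8.5 s, not frozen, 512e, WRV on
SAMPLE_RPI2 = """\
Sector Sizes:     512 bytes logical, 4096 bytes physical
ATA Security is:  Disabled, NOT FROZEN [SEC1]
SCT capabilities:        (0x303d) SCT Status supported.
                                  SCT Error Recovery Control supported.
SCT Error Recovery Control:
           Read:     85 (8.5 seconds)
          Write:     85 (8.5 seconds)
 setting write-read-verify to 1
 write-read-verify = 2
"""

# Constructed worst case: no SCT ERC, WRV unsupported, ATA security frozen by the firmware
SAMPLE_WORST = """\
Sector Sizes:     512 bytes logical, 512 bytes physical
SCT capabilities:        (0x1081) SCT Status supported.
SCT Error Recovery Control:
           Read: Disabled
          Write: Disabled
 setting write-read-verify to 1
HDIO_DRIVE_CMD:WRV failed: Input/output error
 write-read-verify = not supported
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
"""


def sector_sizes(text):
    m = re.search(r"Sector Sizes:\s+(\d+) bytes logical, (\d+) bytes physical", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def scterc(text):
    """{'read': seconds or None, 'write': seconds or None}; smartctl prints tenths of a second."""
    out = {}
    for which in ("Read", "Write"):
        m = re.search(rf"^\s*{which}:\s+(Disabled|\d+)", text, re.M)
        out[which.lower()] = None if (m is None or m.group(1) == "Disabled") else int(m.group(1)) / 10
    return out


def sct_erc_supported(text):
    return "SCT Error Recovery Control supported." in text


def wrv_supported(text):
    """hdparm -R1 prints 'write-read-verify = <mode>' on success, '= not supported' otherwise."""
    return re.search(r"write-read-verify\s*=\s*\d", text) is not None


def security_frozen(text):
    """None if unknown. smartctl: 'ATA Security is: ..., NOT FROZEN'; hdparm -I: a bare 'frozen' line."""
    if re.search(r"ATA Security is:.*NOT FROZEN", text):
        return False
    if re.search(r"ATA Security is:.*FROZEN", text):
        return True
    if re.search(r"^\s*not\s+frozen\s*$", text, re.M):
        return False
    if re.search(r"^\s*frozen\s*$", text, re.M):
        return True
    return None


def assess(text):
    """Findings to act on before the drive goes under md."""
    findings = []
    erc = scterc(text)
    if not sct_erc_supported(text):
        findings.append("no SCT ERC: a bad sector can stall the drive for minutes and md will kick it")
    elif erc["read"] is None or erc["write"] is None:
        findings.append("SCT ERC supported but disabled: set it (smartctl -l scterc,N,N) and re-apply at boot")
    if not wrv_supported(text):
        findings.append("write-read-verify unsupported: the drive will not re-read what it just wrote")
    sizes = sector_sizes(text)
    if sizes and sizes[0] != sizes[1]:
        findings.append(f"{sizes[0]}e drive with {sizes[1]}-byte physical sectors: format dm-integrity with the physical size")
    if security_frozen(text):
        findings.append("ATA security frozen: Secure Erase and password commands are blocked until suspend/resume or power cycle")
    return findings


if __name__ == "__main__":
    for name, sample in (("rpi2", SAMPLE_RPI2), ("worst", SAMPLE_WORST)):
        print(name, assess(sample))
```

Feed it `smartctl -a`, `smartctl -l scterc` and `hdparm -I`/`-R1` output concatenated per drive; the findings strings are the ones to paste into the checklist above.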

### related issues

- https://cateee.net/lkddb/web-lkddb/BLK_DEV_INTEGRITY.html
- https://kdave.github.io/authenticated-hashes-for-btrfs-part1/

#### cryptsetup

- https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs separate `--tag-size 8`
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with settings recommendation
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key management integration
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the "recalculating" flag

#### ATA background

- https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives
- https://www.smartmontools.org/wiki/FAQ#WhatiserrorrecoverycontrolERCandwhyitisimportanttoenableitfortheSATAdisksinRAID

#### dm-integrity

- https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html
- https://man7.org/linux/man-pages/man8/integritysetup.8.html


### package manager integrity

#### pacman based integrity check

```
pacutils: sudo paccheck --md5sum --quiet
AUR: sudo check-pacman-mtree.lua -a
```

pacman itself can compare installed files against the package mtree with `pacman -Qkk`. All of these compare against metadata stored on the same host, the same limitation as for apt below.

#### apt based integrity check

From https://askubuntu.com/posts/891158/timeline (quoted answer):

> For checking the integrity of an individual file in a package against the repositories, there's no easy way short of downloading the package. The repositories typically provide these files:
>
> * `Release{,.gpg}`, `InRelease` - these provide the hashes of the `Packages` files.
> * The `Packages` file provides hashes of the packages.
> * The `Contents` file, where present, provides filelists of packages.
>
> There's no file which provides the hashes of individual files - these are contained in the packages (`DEBIAN/md5sums` in the `control` archive).
>
> So, if you don't trust the local system:
>
> 1. You'll have to download the `Contents` file (if available).
> 2. Match the file to the package using that file and download the package.
> 3. Then use the `md5sums` to verify the file.
>
> If a `Contents` file is not available, and you don't trust the local system, have fun downloading _every_ package to see what provided the file.
>
> This does not scale.

The quick local check, using the md5sums dpkg keeps for every installed package:

```
debsums --silent -a
```

Conffiles are not listed in the `.md5sums` files; their hashes live in the `Conffiles:` field of `/var/lib/dpkg/status`, so they need a separate pass (a mismatch there usually just means the admin edited the file):

```
#!/usr/bin/bash

# Conffiles: lines look like " /etc/foo.conf <md5>" (optionally followed by "obsolete");
# emit them in md5sum's "<md5>  <path>" format. The awk state machine ends the list at the
# next non-indented field instead of assuming that Description: follows.
awk '/^Conffiles:/ {inside=1; next}
     /^[^ ]/        {inside=0}
     inside && NF >= 2 && $2 != "newconffile" {print $2 "  " $1}' /var/lib/dpkg/status > dpkg_hash.md5sum
md5sum -c --quiet dpkg_hash.md5sum
echo $?
```

Same thing for the regular files, straight from dpkg's per-package lists (paths inside are relative to `/`, hence the `cd /`):

```
cd / && for sumfile in /var/lib/dpkg/info/*.md5sums; do /usr/bin/md5sum --quiet -c "$sumfile"; done
```

At least this gets you a step in front of someone. The reference hashes sit on the same disk as the files, so this catches bit rot and careless tampering, not an attacker who also rewrites `/var/lib/dpkg`; for that case the quoted answer above (download the package again and compare) is the only way.
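Added example, not dpkg or debsums code, doing in one pass what the two scripts above do: it takes the `.md5sums` records and the `Conffiles:` field as text and compares the files on disk against them, reporting changed and missing files separately. `demo()` builds a throw-away root in a temporary directory with constructed records and a constructed package, so nothing on the real system is read or touched.

```python
"""Verify installed files against dpkg's own records (md5sums lists and Conffiles: field)."""
import hashlib
import os
import tempfile


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_md5sums(text: str) -> dict:
    """'<md5>  <relative path>' per line, as in /var/lib/dpkg/info/*.md5sums."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            expected[path.strip()] = digest
    return expected


def parse_conffiles(status_text: str) -> dict:
    """Pick ' /etc/x <md5>[ obsolete]' lines out of every Conffiles: field; skip 'newconffile' placeholders."""
    expected, inside = {}, False
    for line in status_text.splitlines():
        if line.startswith("Conffiles:"):
            inside = True
            continue
        if inside and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2 and parts[1] != "newconffile":
                expected[parts[0].lstrip("/")] = parts[1]
            continue
        inside = False  # any other field ends the list; do not assume Description: follows
    return expected


def verify(expected: dict, root: str) -> dict:
    """Compare the files under root with the recorded hashes."""
    result = {"ok": [], "changed": [], "missing": []}
    for rel, digest in sorted(expected.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            result["missing"].append(rel)
            continue
        with open(path, "rb") as f:
            result["changed" if md5_hex(f.read()) != digest else "ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed package 'tool': a binary gets something appended, the conffile is edited, a file is removed."""
    files = {
        "usr/bin/tool": b"#!/bin/sh\necho tool\n",
        "usr/share/doc/tool/README": b"docs\n",
        "usr/share/tool/data": b"data\n",
        "etc/tool.conf": b"level=1\n",
    }
    root = tempfile.mkdtemp(prefix="dpkg-verify-")
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    # records as dpkg would have written them at install time (conffiles are not in md5sums)
    md5sums_text = "".join(f"{md5_hex(d)}  {p}\n" for p, d in files.items() if not p.startswith("etc/"))
    status_text = ("Package: tool\nStatus: install ok installed\nConffiles:\n"
                   f" /etc/tool.conf {md5_hex(files['etc/tool.conf'])}\n"
                   "Description: demo package\n")
    # what happened since
    with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
        f.write(b"echo backdoor\n")
    with open(os.path.join(root, "etc/tool.conf"), "wb") as f:
        f.write(b"level=2\n")  # a legitimate admin edit looks exactly like tampering here
    os.remove(os.path.join(root, "usr/share/tool/data"))
    expected = parse_md5sums(md5sums_text)
    expected.update(parse_conffiles(status_text))
    return verify(expected, root)


if __name__ == "__main__":
    print(demo())
```

Same limits as the shell versions: md5 is fine for spotting bit rot but trivial to collide on purpose, and the records are on the same disk, so an attacker who also rewrites `/var/lib/dpkg` passes the check. Keep a read-only copy of the records elsewhere, or re-download the packages as the quoted answer describes.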