@linux4life798
Last active October 28, 2024 06:17
Demonstrate how the `sedutil-cli` command works and how it interacts with a self-encrypting (SED) SSD.

## Functions

```bash
ssd_show_data() {
	local location="${1:-0}" # In bytes

	sudo dd if=/dev/nvme0n1 bs=1 count=9000 skip="${location}" status=none | hd
}

# ssd_write_data <data_message> [location]
#
# location is the offset in bytes.
ssd_write_data() {
	local data="$1"
	local location="${2:-0}" # In bytes

	echo "${data}" | sudo dd of=/dev/nvme0n1 bs=1 seek="${location}" status=none
}

# Simply write 0's over the 9000 byte region we care about, so that
# when we do ssd_show_data, we only see the bytes we wrote with ssd_write_data.
ssd_write_zeros() {
	sudo dd if=/dev/zero of=/dev/nvme0n1 bs=9000 count=1 status=none
}
```

## Set 4K Block Size

```bash
sudo nvme format --lbaf=1 /dev/nvme0
```

## Test Normal Crypto Erasure

This is without initializing the locking mechanism.

```bash
ssd_write_data 'Hello world!'
ssd_show_data

sudo nvme format --ses=2 /dev/nvme0n1 --force
ssd_show_data
```
## More Comprehensive Test

```bash
for gb in 0 256 512 1024; do
	ssd_write_data 'Hello world!' "$(( gb * 1024 * 1024 * 1024 ))"
done

for gb in 0 256 512 1024; do
	echo "Checking at $gb GBs."
	ssd_show_data "$(( gb * 1024 * 1024 * 1024 ))"
done

sudo nvme format --ses=2 /dev/nvme0n1 --force

for gb in 0 256 512 1024; do
	echo "Checking at $gb GBs."
	ssd_show_data "$(( gb * 1024 * 1024 * 1024 ))"
done
```

## Test Initialize

```bash
ssd_show_data
ssd_write_data 'Hello world!'
ssd_show_data
sudo nvme sed discover /dev/nvme0n1
sudo nvme sed initialize /dev/nvme0n1
sudo nvme sed discover /dev/nvme0n1

ssd_show_data
# I still see the data, so no encryption was reset.
# Disable the locking feature
# Adding '-e' to revert will trigger crypto erasure.
sudo nvme sed revert /dev/nvme0n1
sudo nvme sed discover /dev/nvme0n1
ssd_show_data
# I still see the data, so no encryption was reset.
```

## Trying Normal Crypto Erasure Function

```bash
ssd_write_data 'Hello world!'
ssd_show_data
sudo nvme format --ses=2 /dev/nvme0n1
ssd_show_data
# Zeros
```

## Try to Block Crypto Erasure Using Locking Password

```bash
sudo nvme sed initialize /dev/nvme0n1
ssd_write_data 'Hello world!'
ssd_show_data

sudo nvme format --ses=2 /dev/nvme0n1
# Success formatting namespace:1
ssd_show_data
# Zeros
```

It does not appear that simply taking ownership with a password blocks the normal erasure.

```bash
ssd_write_data 'Hello world!'
ssd_show_data
sudo nvme sed lock /dev/nvme0n1
sudo nvme format --ses=2 /dev/nvme0n1 --force
# NVMe status: Invalid Format: The LBA Format specified is not supported(0x410a)
sudo nvme sed unlock /dev/nvme0n1
# No password needed.
```

I think using the normal default drive encryption is sufficient. To set up a SED drive for use, simply run the above test: write data at several parts of the disk, call `sudo nvme format --ses=2 /dev/nvme0n1 --force`, and then ensure that the written data is gone.

```bash
ssd_show_data() {
sudo dd if=/dev/nvme0n1 bs=1 count=9000 status=none | hd
}
# ssd_write_data <data_message> [location]
#
# location is the offset in bytes.
ssd_write_data() {
local data="$1"
local location="${2:-0}" # In bytes
echo "${data}" | sudo dd of=/dev/nvme0n1 bs=1 seek="${location}" status=none
}
# Simply write 0's over the 9000 byte region we care about, so that
# when we do ssd_show_data, we only see the bytes we wrote with ssd_write_data.
ssd_write_zeros() {
sudo dd if=/dev/zero of=/dev/nvme0n1 bs=9000 count=1 status=none
}
# The Geometry info shows the Logical Block Size, which should be 512.
sudo ./sedutil-cli --query /dev/nvme0
# Data/encryption doesn't change when we do initial setup.
ssd_write_data "Hello world!"
ssd_show_data
sudo ./sedutil-cli --initialSetup testpw /dev/nvme0
ssd_show_data
# The default/global range is 0. Rekeying will effectively clear data.
ssd_write_data "Hello world!"
ssd_show_data
sudo ./sedutil-cli --rekeyLockingRange 0 testpw /dev/nvme0
ssd_show_data
# Notice that we haven't actually enabled "locking", but we still have
# data encryption control.
sudo ./sedutil-cli --listLockingRanges testpw /dev/nvme0
# Example: RLKEna = N WLKEna = N RLocked = N WLocked = N
# RLKEna ==> Read Lock Enabled (Read Lock mechanism is enabled and RLocked is honored)
# WLKEna ==> Write Lock Enabled (Write Lock mechanism is enabled and WLocked is honored)
# RLocked ==> Reads Currently Blocked (Reads are blocked right now - not unlocked)
# WLocked ==> Writes Currently Blocked (Writes are blocked right now - not unlocked)
# Use --enable/disableLockingRange to set enabled state.
# Use --setLockingRange to set current state.
# Let's activate another range and rekey only that range.
ssd_write_data "Range0" 0
ssd_write_data "Range1" 512
ssd_write_data "Range0" 1024
ssd_show_data # 0x200 is 512 in decimal, 0x400 is 1024, BTW.
sudo ./sedutil-cli --setupLockingRange 1 1 1 testpw /dev/nvme0 # The units are 512-byte blocks.
ssd_show_data
# Immediately, we see that the "Range1" message at 0x200 is gone and random data
# fills that entire 512-byte block. Do note that we still see Range0 at offset 0 and offset 1024.
# If we then rekey our first global (encompassing) range, we
# lose both of the Range0 messages at offset 0 and 1024.
sudo ./sedutil-cli --rekeyLockingRange 0 testpw /dev/nvme0
ssd_show_data
# FYI, if you try to remove the new range 1 by doing
# sudo ./sedutil-cli --setupLockingRange 1 0 0 testpw /dev/nvme0
# the SSD becomes unreadable.
# Let's now lock region 0 to be only RO.
ssd_write_zeros
ssd_write_data "Range0" 0
ssd_write_data "Range1" 512
ssd_write_data "Range0" 1024
ssd_show_data
sudo ./sedutil-cli --enableLockingRange 0 testpw /dev/nvme0
sudo ./sedutil-cli --setLockingRange 0 RO testpw /dev/nvme0
sudo ./sedutil-cli --listLockingRanges testpw /dev/nvme0
# This should fail to actually commit/write.
ssd_write_data "This text won't actually be saved!" 0
ssd_show_data
# Notice that we still see Range0 at offset 0.
sudo ./sedutil-cli --setLockingRange 0 RW testpw /dev/nvme0
ssd_write_data "This is now modifiable!" 0
ssd_show_data
# This factory resets. It can also be done using --yesIreallywanttoERASEALLmydatausingthePSID
# and the PSID printed on the SSD.
# This will typically rekey the ranges, so the contents seem to be gone.
sudo ./sedutil-cli --reverttper testpw /dev/nvme0
ssd_show_data
# https://github.com/Drive-Trust-Alliance/sedutil/wiki/Executable-Distributions
# If you need to reset from a previous setup.
sudo ./sedutil-cli --reverttper <password> /dev/nvme0
sudo ./sedutil-cli --initialSetup <password> /dev/nvme0
sudo ./sedutil-cli --query /dev/nvme0
sudo ./sedutil-cli --setMBREnable off <password> /dev/nvme0
sudo ./sedutil-cli --setMBRDone off <password> /dev/nvme0
sudo ./sedutil-cli --query /dev/nvme0
sudo ./sedutil-cli --listLockingRanges <password> /dev/nvme0
sudo ./sedutil-cli --rekeyLockingRange 0 <password> /dev/nvme0
```
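The tests above (both the `nvme format --ses=2` erase in the write-up and the `sedutil-cli --rekeyLockingRange` rekey in the script) all follow the same shape: write a marker at a few offsets, erase, and eyeball `hd` output to confirm it is gone. The script below turns that eyeballing into a pass/fail check. It is an added example, not code from the gist or from nvme-cli/sedutil; `SED_DEV`, `MARKER`, `OFFSETS` and every `sed_*` function are names chosen here, and the marker string and offset list are constructed sample values. Pointing `SED_DEV` at a regular file exercises the checking logic without touching a disk; against a real device it must run as root and the erase step destroys all data on it.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): write a marker at several byte offsets,
# run a crypto erase, then prove the marker is unreadable at every offset.
# Assumed names: SED_DEV (the gist uses /dev/nvme0n1), MARKER, OFFSETS.
SED_DEV="${SED_DEV:-/dev/nvme0n1}"
MARKER="${MARKER:-SED-ERASE-MARKER-7f3a}"            # constructed marker text
# Byte offsets to probe (constructed list): start, 1 MiB, 1 GiB, 256 GiB.
OFFSETS="${OFFSETS:-0 1048576 1073741824 274877906944}"

# Hex-encode stdin so binary reads can be compared as plain strings.
to_hex() { od -An -tx1 | tr -d ' \n'; }

# Write MARKER at every offset in OFFSETS (conv=notrunc keeps a file target intact).
sed_write_markers() {
    local off
    for off in $OFFSETS; do
        printf '%s' "$MARKER" | dd of="$SED_DEV" bs=1 seek="$off" conv=notrunc status=none
    done
}

# Return 0 when MARKER is readable at byte offset $1, 1 otherwise.
sed_marker_present() {
    local off="$1" want got
    want="$(printf '%s' "$MARKER" | to_hex)"
    got="$(dd if="$SED_DEV" bs=1 skip="$off" count="${#MARKER}" status=none 2>/dev/null | to_hex)"
    [ "$got" = "$want" ]
}

# Return 0 only if no offset still holds the marker; survivors are listed on stderr.
sed_verify_erased() {
    local off survivors=0
    for off in $OFFSETS; do
        if sed_marker_present "$off"; then
            echo "marker still readable at byte offset $off" >&2
            survivors=$((survivors + 1))
        fi
    done
    [ "$survivors" -eq 0 ]
}

# The erase step from the gist. To verify a sedutil rekey instead, replace the
# body with: sedutil-cli --rekeyLockingRange 0 <password> /dev/nvme0
sed_crypto_erase() {
    nvme format --ses=2 "$SED_DEV" --force
}

# End-to-end: markers must be readable before the erase and gone after it.
# Exit codes: 0 verified, 1 marker survived, 2 marker write failed, 3 erase failed.
sed_erase_and_verify() {
    local off
    sed_write_markers
    for off in $OFFSETS; do
        sed_marker_present "$off" || { echo "marker write failed at offset $off" >&2; return 2; }
    done
    sed_crypto_erase || return 3
    sed_verify_erased
}

# Only an explicit "run" argument touches the device.
if [ "${1:-}" = "run" ]; then
    sed_erase_and_verify
fi
```

Usage: `SED_DEV=/dev/nvme0n1 sudo -E bash verify_erase.sh run` (the file name is arbitrary). Offsets are probed byte-exactly with `bs=1`, so the check is independent of the LBA format chosen earlier; after a rekey the region holds random data rather than zeros, which is why the comparison is against the marker rather than against zeros.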