mirror of https://github.com/wolfSSL/wolfBoot.git
ATA Security in wolfBoot
Overview
wolfBoot provides secure ATA drive locking and unlocking capabilities through two mechanisms:
- Hardcoded password authentication
- TPM-sealed secret authentication
This integration enables secure storage protection while maintaining compatibility with standard ATA security features.
Key Features
- ATA drive locking/unlocking support
- TPM integration for secure secret storage
- First-boot password initialization
- Master password support for administrative control
- Configurable security policies
Configuration Methods
Hardcoded Password Authentication
Uses a static password defined at compile time for drive locking/unlocking.
Configuration Options
DISK_LOCK=1 # Enable ATA security features
DISK_LOCK_PASSWORD=hardcoded_password # Set static password
Behavior
- First boot: If drive is unlocked, sets configured password
- Subsequent boots: Uses configured password to unlock drive
TPM-Sealed Secret Authentication
Leverages TPM capabilities to securely store and manage drive unlock secrets. For detailed TPM integration information, see TPM.md and measured_boot.md.
Configuration Options
Option | Description | Usage |
---|---|---|
WOLFBOOT_TPM_SEAL | Enable TPM sealing support | Required with DISK_LOCK=1 |
WOLFBOOT_TPM_SEAL_KEY_ID | Policy signing key identifier | Used for TPM policy binding |
ATA_UNLOCK_DISK_KEY_NV_INDEX | TPM NV storage index | Location for sealed secret |
WOLFBOOT_DEBUG_REMOVE_SEALED_ON_ERROR | Error handling behavior | Deletes secret and panics on error |
Behavior
- First boot with no sealed secret:
  - Generates random secret
  - Seals secret to TPM
  - Locks drive with sealed secret
- Subsequent boots:
  - Unseals secret from TPM
  - Unlocks drive using unsealed secret
Administrative Control
Disabling User Password
Requires existing master password configuration.
# Configuration for disabling the user password
WOLFBOOT_ATA_DISABLE_USER_PASSWORD=1 # Disable the user password
ATA_MASTER_PASSWORD=master_password # Set master password
Operation Flow
- Verifies master password
- Disables user password
- Executes panic sequence
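A build-time check for the options described above, as an added example (not part of wolfBoot). It assumes the options live in a make-style file of `KEY=value` or `KEY?=value` lines; the function names `get_opt`, `is_on` and `lint_ata_config` are hypothetical.

```shell
#!/bin/sh
# Added example, not wolfBoot code. Assumes a make-style config file with
# KEY=value or KEY?=value lines, as in the snippets in this document.

# get_opt FILE KEY: print the last value assigned to KEY (empty if unset).
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*?\{0,1\}=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# is_on FILE KEY: true when KEY is set to something other than 0.
is_on() { v=$(get_opt "$1" "$2"); [ -n "$v" ] && [ "$v" != 0 ]; }

# lint_ata_config FILE: print findings; return 1 if any WARN/FAIL was raised.
lint_ata_config() {
    cfg=$1; rc=0
    is_on "$cfg" DISK_LOCK || { echo "INFO: DISK_LOCK is not enabled"; return 0; }
    pw=$(get_opt "$cfg" DISK_LOCK_PASSWORD)
    if [ -n "$pw" ]; then
        is_on "$cfg" WOLFBOOT_TPM_SEAL &&
            echo "WARN: hardcoded password and TPM sealing are both configured"
        echo "WARN: DISK_LOCK_PASSWORD is a static password fixed at compile time"; rc=1
    elif ! is_on "$cfg" WOLFBOOT_TPM_SEAL; then
        echo "FAIL: DISK_LOCK set without DISK_LOCK_PASSWORD or WOLFBOOT_TPM_SEAL"; rc=1
    fi
    if is_on "$cfg" WOLFBOOT_DEBUG_REMOVE_SEALED_ON_ERROR; then
        echo "WARN: debug option deletes the sealed secret on error"; rc=1
    fi
    if is_on "$cfg" WOLFBOOT_ATA_DISABLE_USER_PASSWORD; then
        [ -n "$(get_opt "$cfg" ATA_MASTER_PASSWORD)" ] ||
            echo "FAIL: disabling the user password requires ATA_MASTER_PASSWORD"
        echo "WARN: build disables the user password and then panics"; rc=1
    fi
    return $rc
}

# Constructed sample config (placeholder values, not from a real build).
sample=$(mktemp)
cat > "$sample" <<'EOF'
DISK_LOCK=1                       # Enable ATA security features
WOLFBOOT_TPM_SEAL=1
WOLFBOOT_DEBUG_REMOVE_SEALED_ON_ERROR=1
WOLFBOOT_ATA_DISABLE_USER_PASSWORD=1
EOF
lint_ata_config "$sample" || true
rm -f "$sample"
```

A non-zero return from `lint_ata_config` can gate a release build so that debug or administrative configurations are not shipped by accident.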
For more information about TPM integration, see: