Configuring a SED for S3 suspend

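I have asked this question before (here, here).

My problem is that my self-encrypting disk (SED) must stop spinning even when suspended! I tried it, but it doesn't work; the disk spins anyway! The problem is that if the disk stops spinning because it is suspended, it doesn't show the "decrypt" prompt and restarts from RAM, but then crashes because of I/O errors on the disk! (Which is what the disk is supposed to do!)

Does anyone know how to not (i.e. never) spin down the hard disk? (Yes, this goes against all logic, but this is a special case.)

Thanks a lot!

Is this useful?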

sudo hdparm -I /dev/sda
[sudo] password for xqua: 

/dev/sda:

ATA device, with non-removable media
    Model Number:       ST500LT015-9WU142                       
    Serial Number:      W0VBZQQ7
    Firmware Revision:  0001SDM7
    Transport:          Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6
Standards:
    Used: unknown (minor revision code 0x0029) 
    Supported: 8 7 6 5 
    Likely used: 8
Configuration:
    Logical     max current
    cylinders   16383   16383
    heads       16  16
    sectors/track   63  63
    --
    CHS current addressable sectors:   16514064
    LBA    user addressable sectors:  268435455
    LBA48  user addressable sectors:  976773168
    Logical  Sector size:                   512 bytes
    Physical Sector size:                  4096 bytes
    Logical Sector-0 offset:                  0 bytes
    device size with M = 1024*1024:      476940 MBytes
    device size with M = 1000*1000:      500107 MBytes (500 GB)
    cache/buffer size  = 16384 KBytes
    Form Factor: 2.5 inch
    Nominal Media Rotation Rate: 5400
Capabilities:
    LBA, IORDY(can be disabled)
    Queue depth: 32
    Standby timer values: spec'd by Standard, no device specific minimum
    R/W multiple sector transfer: Max = 1   Current = 1
    Advanced power management level: 254
    Recommended acoustic management value: 208, current value: 0
    DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6 
         Cycle time: min=120ns recommended=120ns
    PIO: pio0 pio1 pio2 pio3 pio4 
         Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
    Enabled Supported:
       *    SMART feature set
       *    Power Management feature set
       *    Write cache
       *    Look-ahead
       *    Host Protected Area feature set
       *    WRITE_BUFFER command
       *    READ_BUFFER command
       *    NOP cmd
       *    DOWNLOAD_MICROCODE
       *    Advanced Power Management feature set
            Power-Up In Standby feature set
       *    SET_FEATURES required to spinup after power up
            SET_MAX security extension
       *    48-bit Address feature set
       *    Device Configuration Overlay feature set
       *    Mandatory FLUSH_CACHE
       *    FLUSH_CACHE_EXT
       *    SMART error logging
       *    SMART self-test
       *    General Purpose Logging feature set
       *    WRITE_{DMA|MULTIPLE}_FUA_EXT
       *    64-bit World wide name
       *    IDLE_IMMEDIATE with UNLOAD
       *    Write-Read-Verify feature set
       *    WRITE_UNCORRECTABLE_EXT command
       *    {READ,WRITE}_DMA_EXT_GPL commands
       *    Segmented DOWNLOAD_MICROCODE
       *    Gen1 signaling speed (1.5Gb/s)
       *    Gen2 signaling speed (3.0Gb/s)
       *    Native Command Queueing (NCQ)
       *    Host-initiated interface power management
       *    Phy event counters
       *    Idle-Unload when NCQ is active
            Device-initiated interface power management
       *    Software settings preservation
       *    SMART Command Transport (SCT) feature set
       *    SCT Write Same (AC2)
       *    SCT Features Control (AC4)
       *    SCT Data Tables (AC5)
            unknown 206[12] (vendor specific)
       *    reserved 69[4]
       *    reserved 69[7]
Logical Unit WWN Device Identifier: 5000c5006a036439
    NAA     : 5
    IEEE OUI    : 000c50
    Unique ID   : 06a036439
Checksum: correct

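Answer 1

According to

http://www.pugetsystems.com/labs/articles/Introduction-to-Self-Encrypting-Drives-SED-557/

For SEDs, the main drawback is that once the drive has been unlocked, it stays unlocked until power to the drive is cut. In other words, if you simply reboot the computer or put it to sleep, the drive stays unlocked. It will not ask for the authentication key again until you completely power off the computer.

It then goes on to discuss motherboards that support SED and work together with the drives.

Now, when the system goes into suspend normally, power to that bus is cut, which explains what you are experiencing, because in that case the system should ask you for the password. The intent with SED drives seems to be that a SED motherboard is smart enough to keep the drive active, to prevent it from locking.

So, based on this information, I suspect that your motherboard does not support SED or is not configured correctly.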

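Answer 2

Configuring a SED for S3 suspend

We need to:

  1. Configure the Linux kernel to allow access to the SED configuration,
  2. Compile a modified version of sedutil,
  3. Make a systemd service that stores the hashed password in the kernel itself, so that the drive can be unlocked on wake-up.

P.S.:
I. The drive must first be set up with sedutil.
II. Tested on Debian Stable.
III. Back up all your data before starting.

Configure the Linux kernel to allow access to the SED:

Edit /etc/default/grub and add "libata.allow_tpm=1" as a boot parameter. For example:

    sudo vi /etc/default/grub

    GRUB_CMDLINE_LINUX_DEFAULT="libata.allow_tpm=1"

    sudo update-grub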

Compile a modified version of sedutil

  • Install the dependencies:
    sudo apt install build-essential autoconf pkg-config libc6-dev make g++-multilib m4 libtool ncurses-dev unzip zip git python zlib1g-dev wget bsdmainutils automake curl bc rsync cpio git nasm
  • Open a terminal and run:
    git clone --branch s3-sleep-support https://github.com/badicsalex/sedutil.git
    cd sedutil
    autoreconf --install
    make all
    sudo mv sedutil-cli /opt/sedutil-cli

Create the systemd service

  • Find the hashed encryption key:
    sedutil-cli --printPasswordHash <password> <device, for example:/dev/sda>

  • Create the file /etc/systemd/system/sedutil-sleep.service with the following content:

[Unit]
Description=sedutil-sleep

[Service]
Type=oneshot
ExecStart=-+/opt/sedutil-cli -n -x --prepareForS3Sleep 0 <hash> <device>
RemainAfterExit=true

[Install]
WantedBy=multi-user.target

  • Enable and start the service:
    systemctl enable sedutil-sleep.service
    systemctl start sedutil-sleep.service

References:

sedutil site
Arch Linux documentation
Issue 90
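
A pre-flight check for the three steps in Answer 2, added here as an example that is not part of the answer or of sedutil. The function names and the sample inputs are constructed for illustration; on a real system the inputs would be the contents of /proc/cmdline and the unit file /etc/systemd/system/sedutil-sleep.service.

```shell
#!/bin/sh
# Added example, not part of the answer: pre-flight checks for the S3 setup.
# Real inputs: "$(cat /proc/cmdline)" and
# /etc/systemd/system/sedutil-sleep.service; the samples below are constructed.

# Succeeds if the kernel command line has libata.allow_tpm=1 as its own token.
has_allow_tpm() {
    for tok in $1; do
        [ "$tok" = "libata.allow_tpm=1" ] && return 0
    done
    return 1
}

# Prints the first ExecStart value in unit file $1 that calls --prepareForS3Sleep.
s3_execstart() {
    sed -n '/^ExecStart=.*--prepareForS3Sleep/{s/^ExecStart=//p;q;}' "$1"
}

# Classifies unit file $1: "missing" (no such ExecStart), "placeholder"
# (<hash> or <device> was never filled in), or "ok".
check_unit() {
    line=$(s3_execstart "$1")
    if [ -z "$line" ]; then echo missing; return; fi
    case $line in
        *'<hash>'*|*'<device>'*) echo placeholder ;;
        *) echo ok ;;
    esac
}

# Constructed samples: a kernel command line, and the unit pasted unedited.
sample_cmdline='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet libata.allow_tpm=1'
sample_unit=$(mktemp)
trap 'rm -f "$sample_unit"' EXIT
cat > "$sample_unit" <<'EOF'
[Unit]
Description=sedutil-sleep

[Service]
Type=oneshot
ExecStart=-+/opt/sedutil-cli -n -x --prepareForS3Sleep 0 <hash> <device>
RemainAfterExit=true

[Install]
WantedBy=multi-user.target
EOF

has_allow_tpm "$sample_cmdline" && echo "kernel parameter: present"
echo "unit file: $(check_unit "$sample_unit")"
```

The hash on the ExecStart line is what unlocks the drive on wake-up, and unit files under /etc/systemd/system are normally world-readable, so it deserves the same handling as the password itself.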
