qemu-devel

Re: [Qemu-devel] Emulation of TCG OPAL self-encrypting drive


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] Emulation of TCG OPAL self-encrypting drive
Date: Mon, 7 Jan 2019 09:16:18 +0000
User-agent: Mutt/1.10.1 (2018-07-13)

On Sat, Jan 05, 2019 at 07:27:03PM +0100, David Kozub wrote:
> Hi,
> 
> Can QEMU emulate an OPAL disk? The only relevant thing I found is a post
> from 2017 about TPM that mentions OPAL:
> https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg04586.html

CCing John Snow (IDE/ATA) and Kevin Wolf (QEMU block layer).

> specifically this bit:
> 
> > Well, at some point somebody's going to want us to implement this,
> > but... they can do that when they do that.
> 
> So I assume it is not implemented. (?)

Right.

> I agree with the sentiment expressed in the mail linked above w.r.t. OPAL
> security. I'm interested in this from SW development/debugging/fiddling
> perspective. A sufficient solution for me would not add any real encryption

QEMU supports LUKS encrypted disk images so no new code is needed for
the actual encryption.

> but would respond to the various OPAL commands sent via ATA TRUSTED
> SEND/RECEIVE commands.
> 
> In fact, a more generic solution would work for me: If it was possible to
> send ATA commands from QEMU to a separate process which could then handle
> them as it liked and reply back to QEMU. This could be useful for other
> fiddling/debugging situations too.

Might as well implement it in QEMU so users can easily take advantage of
it without setting up external software.

> Or, just a pass-through to a block device in the host - but a pass-through
> that would allow OPAL commands.

You can pass through a storage controller using PCI passthrough or you
can pass through a SCSI LUN, but there is no ATA passthrough.

> I'm grateful for any hints/ideas. Perhaps something like this is already
> possible with QEMU?
> 
> Best regards,
> David
> 
