View Issue Details

ID: 0017844
Project: CentOS-8
Category: kernel
View Status: public
Last Update: 2020-11-12 23:55
Reporter: ladar
Priority: low
Severity: crash
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 8.2.2004
Target Version:
Fixed in Version:
Summary: 0017844: SED OPAL kernel support is needed or disks don't get a good night's rest.
Description:
I've already reported this issue to Red Hat, since the problem is inherited through
their kernel configuration. But am reporting it here in the hope that CentOS
will be faster to fix it. That said, the rambling description goes something like:

My hard drive is tired, but the kernel won't let it sleep. That's because
my hard drive is one of those self encrypting drives. Which means it goes to
sleep like every other hard drive. But when it wakes up, it likes to play the
morning after game. It wants to know if its partner, the kernel, remembers
its name. And if it doesn't, then Miss Disk will play hard to get. I don't
know what happens next. But I do know it's a total system crash. And that's bad.

The good news is they don't need couples therapy. All Miss Disk needs is for
the kernel to be compiled with CONFIG_BLK_SED_OPAL="y" ... I verified this the
hard way. By recompiling a kernel myself. It was painful.

If there is any bad news, it's that support for self encrypting OPAL drives
can't be compiled as a standalone module. So I'm hoping you can enable this
flag for me.

I'm not quite sure why this kernel flag is unset. I checked every Fedora release from
Core 25 through Core 33 and all of them had this flag enabled already.


### The problem is that without kernel support for SED OPAL drives.
[ladar@crossroads ~]$ sudo /usr/local/sbin/sedutil-cli -s --prepareForS3Sleep 0 Admin1 /dev/nvme0n1


Please enter password *********************************
Error saving the password to the kernel errno = 25
[ladar@crossroads ~]$
###

I get the above error, and if the system does go to sleep, it will slumber just fine, only to blink and
crash when it wakes back up.

### With kernel support for SED OPAL drives enabled.
[ladar@crossroads ~]$ sudo /usr/local/sbin/sedutil-cli -s --prepareForS3Sleep 0 Admin1 /dev/nvme0n1


Please enter password *********************************
[ladar@crossroads ~]$
###

After this, I can put the system to sleep, and wake it back up again, all
without issue.

For those who stumble upon this bug report, once the kernel has OPAL support,
the drive can be prepared for its nap automatically by a systemd service:

### /etc/systemd/system/sedutil-sleep.service
[Unit]
Description=sedutil-sleep

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/sedutil-cli -n -x --prepareForS3Sleep 1 User1 <HASHED_PASSWORD> /dev/nvme0n1
RemainAfterExit=true

[Install]
WantedBy=multi-user.target
###

In this example, the service file would have the hashed user password at
locking range 1, and would supply that hash to the kernel so it can properly
wake up the drive when needed.

### The CentOS and CentOS kernels I checked.
[ladar@centos8 ~]$ cat /boot/config-4.18.0-193.28.1.el8_2.x86_64 | grep OPAL
# CONFIG_BLK_SED_OPAL is not set
[ladar@centos8 ~]$ cat /boot/config-4.18.0-193.19.1.el8_2.centos.plus.x86_64 | grep OPAL
# CONFIG_BLK_SED_OPAL is not set
[ladar@centos8 ~]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="8"
###

When I recompiled a kernel for testing, I simply patched the kernel-plus.spec
file. But that may not be ideal. I'm only providing a recompile/patch in case others
want to try out this fix.

On a separate, but related note of some importance, I couldn't find the
kernel-plus-4.18.0-193.19.1.el8_2.centos.plus.src.rpm source RPM in any
of the usual places. I had to dig just to find the
kernel-plus-4.18.0-193.14.2.el8_2.centos.plus.src.rpm source RPM. I believe
it's available via this URL:

https://koji.mbox.centos.org/pkgs/packages/kernel-plus/4.18.0/193.19.1.el8_2.centos.plus/src/kernel-plus-4.18.0-193.19.1.el8_2.centos.plus.src.rpm

But as an outsider, I get a 403 error. I can access this page:
https://koji.mbox.centos.org/koji/buildinfo?buildID=13615

Which is a bit of a tease... Moving on. My rebuild script...

### Kernel patch and rebuild script using the CentOS plus kernel.
sudo dnf --assumeyes --enablerepo=PowerTools install asciidoc audit-libs-devel autoconf automake bash bc binutils binutils-devel bison byacc cmake ctags diffstat diffutils dwarves elfutils elfutils-devel elfutils-libelf-devel expect findutils flex gawk gcc gcc-c++ gdb gettext git glibc-devel gzip hmaccalc hostname intltool java-devel jna kabi-dw libbpf-devel libcap-devel libcap-ng-devel libtool llvm-toolset ltrace m4 make module-init-tools ncurses-devel net-tools newt-devel numactl-devel openssl openssl-devel patch patchutils pciutils-devel perl perl-devel perl-ExtUtils-Embed perl-Fedora-VSP perl-generators pesign pkgconf pkgconf-m4 pkgconf-pkg-config python3-devel python3-docutils redhat-rpm-config rpm-build rpmdevtools rpmlint rpm-sign rsync sh-utils source-highlight strace systemtap tar valgrind valgrind-devel xmlto xz zlib-devel

## Start the build phase.
mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

# Download the kernel source.
cd ~/rpmbuild/SRPMS/

# In this case using CentOS kernel-plus v4.18.0-193.14.2.
curl -O https://mirror.ams1.nl.leaseweb.net/centos-vault/8.2.2004/centosplus/Source/SPackages/kernel-plus-4.18.0-193.14.2.el8_2.centos.plus.src.rpm
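# Verify the download; sha256sum -c expects two spaces between hash and file name.
# A brace group is used so that "exit 1" stops the script instead of only leaving a subshell.
(printf "6693d033cf0c09910505acca2b41bb71307731d539466fb93fb798312e660de5  kernel-plus-4.18.0-193.14.2.el8_2.centos.plus.src.rpm" | sha256sum -c) || { printf "\\n\\nSource RPM did not match the expected hash value.\\n\\n" ; exit 1 ; }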
chown $USER:$USER kernel-plus-4.18.0-193.14.2.el8_2.centos.plus.src.rpm
rpm -i kernel-plus-4.18.0-193.14.2.el8_2.centos.plus.src.rpm

# We need to prep the spec file.
cd ~/rpmbuild/SPECS/

# This is where the magic happens. We enable SED OPAL block devices.
patch -p1 <<-EOF
diff --git a/kernel-plus.spec b/kernel-plus.spec
index 770a5c8..12331be 100644
--- a/kernel-plus.spec
+++ b/kernel-plus.spec
@@ -1113,6 +1113,9 @@ do
 done
 %endif

+# Enable the SED OPAL block device driver.
+sed -i "s/.*CONFIG_BLK_SED_OPAL.*/CONFIG_BLK_SED_OPAL=y/g" *.config
+
 cp %{SOURCE42} .
 ./process_configs.sh -w -c %{name} %{rpmversion}
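Review bot: the sed expression in the added line matches any line that merely contains CONFIG_BLK_SED_OPAL, so it would also rewrite a comment or any longer symbol name sharing that prefix, and it succeeds silently when none of the *.config files contains the symbol at all. Anchor the match to the two forms a config file actually uses ("# CONFIG_BLK_SED_OPAL is not set" and "CONFIG_BLK_SED_OPAL=...") and add a grep for CONFIG_BLK_SED_OPAL=y after the ./process_configs.sh step, so the build stops early instead of producing a kernel that still lacks OPAL support.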
EOF

# I decided to give the custom kernel this build ID, so it would be easy
# to spot on a GRUB boot menu.
export BUILDID="_oo00800oo_"

# And finally to kickoff the build and produce freshly baked kernel RPMs.
rpmbuild -ba --define="buildid $BUILDID" --target=$(uname -m) kernel-plus.spec
###

The script above was tested and a working kernel built using the "generic/centos8" vagrant
box.

Finally some GitHub issues which may help.

https://github.com/ladar/sedutil/issues/13
https://github.com/Drive-Trust-Alliance/sedutil/issues/90

And my report to the upstream authorities.

https://bugzilla.redhat.com/show_bug.cgi?id=1897014
Tags: No tags attached.
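
A preflight check for the condition this report describes, as an added example that is not part of the original report or of sedutil: it classifies the config of every installed kernel, so a boot entry without CONFIG_BLK_SED_OPAL is spotted before relying on --prepareForS3Sleep. The function names and exit codes are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: classify kernel configs for SED OPAL support.
# Exit codes (chosen for this example): 0 = built in, 1 = disabled, 2 = unknown.

# Print a config file, decompressing it when it is gzip (e.g. /proc/config.gz).
_read_cfg() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

opal_kernel_support() {
    [ -r "$1" ] || return 2
    # Match whole lines only, so similarly named symbols are not counted.
    if _read_cfg "$1" | grep -x 'CONFIG_BLK_SED_OPAL=y' >/dev/null; then
        return 0
    elif _read_cfg "$1" | grep -x '# CONFIG_BLK_SED_OPAL is not set' >/dev/null; then
        return 1
    fi
    return 2   # symbol absent: the config does not mention the option at all
}

# Walk every config-* file in a boot directory and print one line per kernel.
# Returns the number of kernels on which OPAL support is not confirmed.
audit_boot_configs() {
    local dir="${1:-/boot}" cfg rc missing=0
    for cfg in "$dir"/config-*; do
        [ -e "$cfg" ] || continue
        opal_kernel_support "$cfg" && rc=0 || rc=$?
        case "$rc" in
            0) echo "ok       ${cfg##*/config-}" ;;
            1) echo "disabled ${cfg##*/config-}"; missing=$((missing + 1)) ;;
            *) echo "unknown  ${cfg##*/config-}"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}
```

Running `audit_boot_configs` with no argument checks /boot; a non-zero return means at least one installed kernel should not be booted with the sleep service enabled.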

Activities

toracat (manager)   2020-11-12 23:55   ~0037893

The distro kernel cannot be modified (other than debranding). It has to wait for RHEL kernels to include the change you have filed upstream.

In the meantime the plus kernel can accommodate the request. I will try to enable CONFIG_BLK_SED_OPAL in the next kernel-plus update.

Issue History

Date Modified      Username   Field                 Change
2020-11-12 05:32   ladar      New Issue
2020-11-12 23:55   toracat    Status                new => acknowledged
2020-11-12 23:55   toracat    Note Added: 0037893