Add RevertEnterprise functionality

Signed-off-by: Christopher Meis <[email protected]>

Author: ChriMarMe

cmd/gosedctl/README.md

@@ -54,6 +54,7 @@ Flags:
 ```
 
 ## Command documentation - Enterprise SSC
+initial-setup-enterprise:
 ```
 gosedctl initial-setup-enterprise --device=STRING --sid-password=STRING --band-master-0-pw=STRING --erase-master-pw=STRING
 
@@ -68,6 +69,20 @@ Flags:
   -e, --erase-master-pw=STRING     Password for EraseMaster authority for erase operations of ranges.
 ```
 
+revert-enterprise:
+```
+gosedctl revert-enterprise --device=STRING --sid-password=STRING --erase-password=STRING
+
+delete after use
+
+Flags:
+  -h, --help                     Show context-sensitive help.
+
+  -d, --device=STRING            Path to SED device (e.g. /dev/nvme0)
+  -p, --sid-password=STRING      Password to SID authority
+  -e, --erase-password=STRING    Password to authenticate as EaseMaster
+```
+
 ## Roadmap
 The intent of this command is to replace all other commands functionality and provide one binary with all capabilities.
 

cmd/gosedctl/cmd.go

@@ -44,13 +44,20 @@ type initialSetupEnterpriseCmd struct {
 	EraseMasterPW string `flag:"" required:"" short:"e" help:"Password for EraseMaster authority for erase operations of ranges."`
 }
 
+type resetDeviceEnterprise struct {
+	Device        string `flag:"" required:"" short:"d" help:"Path to SED device (e.g. /dev/nvme0)"`
+	SIDPassword   string `flag:"" required:"" short:"p" help:"Password to SID authority"`
+	ErasePassword string `flag:"" required:"" short:"e" help:"Password to authenticate as EaseMaster"`
+}
+
 // cli is the main command line interface struct required by kong command line parser
 var cli struct {
 	InitialSetup           initialSetupCmd           `cmd:"" help:"Take ownership of a given OPAL SSC device"`
 	LoadPBA                loadPBAImageCmd           `cmd:"" help:"Load PBA image to shadow MBR"`
 	RevertNoerase          revertNoeraseCmd          `cmd:"" help:""`
 	RevertTper             revertTPerCmd             `cmd:"" help:""`
 	InitialSetupEnterprise initialSetupEnterpriseCmd `cmd:"" help:"Take ownership of a given Enterprise SSC device"`
+	RevertEnterprise       resetDeviceEnterprise     `cmd:"" help:"delete after use"`
 }
 
 // Run executes when the initial-setup command is invoked
@@ -358,3 +365,85 @@ func (i *initialSetupEnterpriseCmd) Run(ctx *context) error {
 
 	return nil
 }
+
+func (r *resetDeviceEnterprise) Run(ctx *context) error {
+	coreObj, err := core.NewCore(r.Device)
+	if err != nil {
+		return fmt.Errorf("NewCore(%s) failed: %v", r.Device, err)
+	}
+
+	comID, _, err := core.FindComID(coreObj.DriveIntf, coreObj.DiskInfo.Level0Discovery)
+	if err != nil {
+		return fmt.Errorf("FindComID() failed: %v", err)
+	}
+
+	cs, err := core.NewControlSession(coreObj.DriveIntf, coreObj.Level0Discovery, core.WithComID(comID))
+	if err != nil {
+		return fmt.Errorf("NewControllSession() failed: %v", err)
+	}
+	defer cs.Close()
+
+	serial, err := coreObj.SerialNumber()
+	if err != nil {
+		return fmt.Errorf("coreObj.SerialNumber() failed: %v", err)
+	}
+
+	salt := fmt.Sprintf("%-20s", serial)
+	eraseHash := pbkdf2.Key(([]byte(r.ErasePassword)), []byte(salt[:20]), 75000, 32, sha1.New)
+
+	lockingSession, err := cs.NewSession(uid.EnterpriseLockingSP)
+	if err != nil {
+		return err
+	}
+
+	if err := table.ThisSP_Authenticate(lockingSession, uid.EraseMaster, eraseHash); err != nil {
+		return fmt.Errorf("authenticating as EraseMaster failed: %v", err)
+	}
+
+	if err := table.EraseBand(lockingSession, uid.InvokingID(uid.Band1Enterprise)); err != nil {
+		return fmt.Errorf("failed to erase global range: %v", err)
+	}
+
+	if err := lockingSession.Close(); err != nil {
+		return fmt.Errorf("failed to close lockingSession: %v", err)
+	}
+
+	adminSession, err := cs.NewSession(uid.AdminSP)
+	if err != nil {
+		return fmt.Errorf("failed to open session to AdminSP: %v", err)
+	}
+
+	adminHash := pbkdf2.Key(([]byte(r.SIDPassword)), []byte(salt[:20]), 75000, 32, sha1.New)
+
+	if err := table.ThisSP_Authenticate(adminSession, uid.AuthoritySID, adminHash); err != nil {
+		return fmt.Errorf("failed to authenticate to AdminSP: %v", err)
+	}
+
+	msid, err := table.Admin_C_PIN_MSID_GetPIN(adminSession)
+	if err != nil {
+		return fmt.Errorf("failed to retrieve MSID: %v", err)
+	}
+
+	if err := table.Admin_C_Pin_SID_SetPIN(adminSession, msid); err != nil {
+		return fmt.Errorf("failed to set AdminSP credential to MSID: %v", err)
+	}
+
+	if err := adminSession.Close(); err != nil {
+		return fmt.Errorf("failed to close Session to AdminSP")
+	}
+
+	lockingSession, err = cs.NewSession(uid.EnterpriseLockingSP)
+	if err != nil {
+		return err
+	}
+
+	if err := table.ThisSP_Authenticate(lockingSession, uid.LockingAuthorityBandMaster0, adminHash); err != nil {
+		return fmt.Errorf("authenticating as EraseMaster failed: %v", err)
+	}
+
+	if err := table.SetBandMaster0Pin(lockingSession, msid); err != nil {
+		return fmt.Errorf("failed to set BandMaster0 Pin to MSID")
+	}
+
+	return nil
+}

pkg/core/table/locking.go

@@ -602,6 +602,19 @@ func SetEraseMasterPin(s *core.Session, erasePinHash []byte) error {
 	return nil
 }
 
+func EraseBand(s *core.Session, band uid.InvokingID) error {
+	if s.ProtocolLevel != core.ProtocolLevelEnterprise {
+		return fmt.Errorf("invalid Protocol Level for operation")
+	}
+
+	mc := method.NewMethodCall(band, uid.MethodIDEraseEnterprise, s.MethodFlags)
+
+	if _, err := s.ExecuteMethod(mc); err != nil {
+		return err
+	}
+	return nil
+}
+
 func EnableGlobalRangeEnterprise(s *core.Session) error {
 	mc := NewSetCall(s, uid.GlobalRangeRowUID)
 	mc.Token(stream.StartName)

pkg/core/uid/methods.go

@@ -15,6 +15,9 @@ var (
 	MethodIDSMSyncTrustedSession  = MethodID{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x05}
 	MethodIDSMCloseSession        = MethodID{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x06}
 
+	// Erase method for Enterprise SSC
+	MethodIDEraseEnterprise = MethodID{0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x08, 0x03}
+
 	// Opal 2.0 Method
 	MethodIDAdmin_Activate = MethodID{0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x02, 0x03}
 

pkg/core/uid/uid.go

@@ -33,6 +33,7 @@ var (
 
 var (
 	GlobalRangeRowUID RowUID = [8]byte{0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00, 0x01}
+	Band1Enterprise   RowUID = [8]byte{0x00, 0x00, 0x08, 0x02, 0x00, 0x00, 0x00, 0x02}
 )
 
 var (