
[Seagate] Drive Security Life Cycle State #27

Open
bluecmd opened this issue May 30, 2021 · 3 comments

Comments

@bluecmd
Collaborator

bluecmd commented May 30, 2021

The FIPS documentation for Seagate disks references something called "Drive Security Life Cycle State":

> Show status service can be used to determine if the drive is operational under the security constraints of FIPS. For this purpose TCG Level 0 Discovery mechanism is utilized. TCG Level 0 Discovery mechanism may be invoked by the operator to know if drive is in "use" or security "fail" state. If the Drive Security Life Cycle State is 0x80 then drive is in Use State i.e. security is operational. If the Drive Security Life Cycle State is 0xFF the drive is in security Fail State i.e. drive is not operational in terms of FIPS services.

I do not know where this is.

@bluecmd
Collaborator Author

bluecmd commented May 30, 2021

https://github.com/Seagate/TCGstorageAPI/blob/master/pysed/Tcg.h#L90 has a reference to a bit (which is defined as MBR supported in Ruby I think).

@bluecmd
Collaborator Author

bluecmd commented May 30, 2021

Seems to be vendor byte 1 in the Discovery0:

```cpp
static const char * lifeCycleDocs =
		"Value of the current SED life cycle.  128 is expected value in normal state.";
unsigned Sed::getLifeCycle() {
	if (discovery.hdr)
		return discovery.hdr->vendor[1];
	return 0;
}
```

[..]

```cpp
static const char * fipsAMDocs =
		"Retrieves current discovery level 0 flag representing the device is operating in FIPS approved mode\n"
				"for devices reporting this state.";
bool Sed::getFipsApprovedMode() {
	discovery.refresh(transport);
	int fips_operatingmode = (int)discovery.hdr->vendor[14] & 1;
	return fips_operatingmode;
}
```
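Putting the two vendor-byte lookups together, here is an added Go example (not code from go-tcg-storage or from Seagate's TCGstorageAPI) that parses a 48-byte Level 0 Discovery header and reports the life cycle state and the FIPS approved-mode bit. The header layout (4-byte length, 2+2 byte revision, 8 reserved bytes, 32 vendor-specific bytes) is the TCG Level 0 Discovery header; the meaning of vendor bytes 1 and 14 is taken from the Seagate code quoted above, the 0x80/0xFF values from the FIPS documentation quoted in the first comment, and the sample header bytes are constructed rather than captured from a drive.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// TCG Level 0 Discovery header (48 bytes, multi-byte fields big-endian):
//   0..3   length of parameter data (not counting this field)
//   4..5   data structure revision, major
//   6..7   data structure revision, minor
//   8..15  reserved
//   16..47 vendor specific
const level0HeaderLen = 48

// Life cycle values quoted from the Seagate FIPS documentation in this issue.
const (
	LifeCycleUse  byte = 0x80 // security operational
	LifeCycleFail byte = 0xFF // FIPS services not operational
)

type Level0Header struct {
	Length uint32
	Major  uint16
	Minor  uint16
	Vendor [32]byte
}

// ParseLevel0Header decodes the fixed header; feature descriptors follow it.
func ParseLevel0Header(buf []byte) (*Level0Header, error) {
	if len(buf) < level0HeaderLen {
		return nil, fmt.Errorf("level 0 discovery: need %d header bytes, got %d", level0HeaderLen, len(buf))
	}
	h := &Level0Header{
		Length: binary.BigEndian.Uint32(buf[0:4]),
		Major:  binary.BigEndian.Uint16(buf[4:6]),
		Minor:  binary.BigEndian.Uint16(buf[6:8]),
	}
	copy(h.Vendor[:], buf[16:level0HeaderLen])
	return h, nil
}

// SeagateLifeCycle is vendor byte 1, per Sed::getLifeCycle in TCGstorageAPI.
func (h *Level0Header) SeagateLifeCycle() byte { return h.Vendor[1] }

// SeagateFIPSApprovedMode is bit 0 of vendor byte 14, per Sed::getFipsApprovedMode.
func (h *Level0Header) SeagateFIPSApprovedMode() bool { return h.Vendor[14]&1 == 1 }

// DescribeLifeCycle maps the two documented values to text; anything else is reported raw.
func DescribeLifeCycle(v byte) string {
	switch v {
	case LifeCycleUse:
		return "Use state: security operational"
	case LifeCycleFail:
		return "Fail state: drive not operational for FIPS services"
	default:
		return fmt.Sprintf("undocumented life cycle value 0x%02x", v)
	}
}

// SampleLevel0 builds a constructed header (not captured from a drive) with
// life cycle 0x80 and the FIPS approved-mode bit set.
func SampleLevel0() []byte {
	b := make([]byte, level0HeaderLen)
	binary.BigEndian.PutUint32(b[0:4], level0HeaderLen-4)
	binary.BigEndian.PutUint16(b[4:6], 1) // revision 1.0
	b[16+1] = LifeCycleUse
	b[16+14] = 0x01
	return b
}

func main() {
	h, err := ParseLevel0Header(SampleLevel0())
	if err != nil {
		panic(err)
	}
	fmt.Printf("revision %d.%d, life cycle 0x%02x (%s), FIPS approved mode: %v\n",
		h.Major, h.Minor, h.SeagateLifeCycle(), DescribeLifeCycle(h.SeagateLifeCycle()), h.SeagateFIPSApprovedMode())
}
```

Feeding the 2048-byte IF-RECV buffer from a real Discovery0 into ParseLevel0Header gives the same two accessors; the tool should treat any value other than 0x80 or 0xFF as undocumented rather than as "fail".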

@bluecmd
Collaborator Author

bluecmd commented May 30, 2021

I tried reading the Security Compliance descriptor list from my Seagate 7E2000 and it only returned empty results.

bluecmd@foo:~/go/src/github.com/bluecmd/go-tcg-storage$ git diff
diff --git a/cmd/tcgsdiag/main.go b/cmd/tcgsdiag/main.go
index 8481e34..cc8f1fe 100644
--- a/cmd/tcgsdiag/main.go
+++ b/cmd/tcgsdiag/main.go
@@ -107,6 +107,14 @@ func main() {
        log.Printf("Drive certificate:")
        spew.Dump(crt)
        fmt.Printf("\n")
+       scl, err := drive.SecurityComplianceList(d)
+       if err != nil {
+               log.Fatalf("drive.SecurityComplianceList: %v", err)
+       }
+       log.Printf("Drive security compliance list:")
+       spew.Dump(scl)
+       fmt.Printf("\n")
+
 
        fmt.Printf("===> TCG AUTO ComID SELF-TEST\n")
        comID := TestComID(d)
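Review bot: `log.Fatalf` on the `SecurityComplianceList` error aborts the diagnostic run before the TCG ComID self-test below it executes; since this is one optional probe among several in a diag tool, log it with `log.Printf` and continue. The trailing `+` blank line also leaves two consecutive blank lines before `fmt.Printf("===> TCG AUTO ComID SELF-TEST\n")`, which gofmt will collapse back to one.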
diff --git a/pkg/drive/drive.go b/pkg/drive/drive.go
index 23eda04..c6fdd1f 100644
--- a/pkg/drive/drive.go
+++ b/pkg/drive/drive.go
@@ -9,6 +9,8 @@ import (
        "encoding/binary"
        "errors"
        "fmt"
+
+       "github.com/davecgh/go-spew/spew"
 )
 
 var (
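Review bot: pulling `github.com/davecgh/go-spew/spew` into the `drive` library package adds a debug-only dependency to non-diagnostic code; keep spew in cmd/tcgsdiag and have the library return the bytes for the caller to dump.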
@@ -81,3 +83,13 @@ func Certificate(d driveIntf) (*x509.Certificate, error) {
        }
        return x509.ParseCertificate(crtdata)
 }
+
+// Returns a list of security compliance objects from the drive.
+func SecurityComplianceList(d driveIntf) ([]string, error) {
+       raw := make([]byte, 2048)
+       if err := d.IFRecv(SecurityProtocolInformation, 2, &raw); err != nil {
+               return nil, err
+       }
+       spew.Dump(raw)
+       return nil, nil
+}
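Review bot: `SecurityComplianceList` always returns `nil, nil` and prints the buffer from inside the library, so the doc comment ("Returns a list of security compliance objects") and the `[]string` return type do not match what it does; either decode the descriptor list from the response and return it, or name the function as a raw dump until that is implemented. The 2048-byte `raw` buffer is also dumped in full regardless of how many bytes the drive filled, so trim to the length reported at the head of the response before dumping.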

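As an added example (not part of go-tcg-storage), here is a Go parser for the response the diff above dumps raw. The page layout (a 4-byte big-endian descriptor-list length followed by descriptors of type / reserved / length / information) and the FIPS 140 descriptor type value 0x0001 are my reading of the SPC-5 security compliance information page, stated here as assumptions; both sample pages are constructed, the first mimicking the empty result reported in the comment above.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Assumed layout of the security compliance information page
// (security protocol 00h, SP specific 0002h, per SPC-5):
//   0..3   length of the security compliance descriptor list, big-endian
//   then zero or more descriptors:
//     0..1  descriptor type (0001h is FIPS 140 in my reading of the standard)
//     2..3  reserved
//     4..7  descriptor length (bytes of information that follow)
//     8..   descriptor information
const DescriptorTypeFIPS140 uint16 = 0x0001

type ComplianceDescriptor struct {
	Type uint16
	Info []byte
}

// ParseSecurityComplianceList walks the descriptor list. An all-zero response
// (the "empty result" seen in this issue) yields an empty, non-nil slice;
// lengths that run past the data returned produce an error instead of a panic.
func ParseSecurityComplianceList(raw []byte) ([]ComplianceDescriptor, error) {
	if len(raw) < 4 {
		return nil, fmt.Errorf("security compliance page: %d bytes, need at least 4", len(raw))
	}
	listLen := binary.BigEndian.Uint32(raw[0:4])
	if uint64(listLen) > uint64(len(raw)-4) {
		return nil, fmt.Errorf("descriptor list length %d exceeds %d bytes of data", listLen, len(raw)-4)
	}
	body := raw[4 : 4+listLen]
	out := []ComplianceDescriptor{}
	for len(body) > 0 {
		if len(body) < 8 {
			return nil, fmt.Errorf("truncated descriptor header: %d bytes left", len(body))
		}
		typ := binary.BigEndian.Uint16(body[0:2])
		dlen := binary.BigEndian.Uint32(body[4:8])
		if uint64(dlen) > uint64(len(body)-8) {
			return nil, fmt.Errorf("descriptor type 0x%04x length %d exceeds %d bytes left", typ, dlen, len(body)-8)
		}
		out = append(out, ComplianceDescriptor{Type: typ, Info: append([]byte(nil), body[8:8+dlen]...)})
		body = body[8+dlen:]
	}
	return out, nil
}

// SampleEmptyPage mimics a 2048-byte receive buffer the drive left all zero
// (constructed; this is what the empty result in the thread looks like).
func SampleEmptyPage() []byte { return make([]byte, 2048) }

// SampleFIPSPage is a constructed page carrying one FIPS 140 descriptor with
// 8 bytes of information, followed by the zero padding an oversized receive
// buffer would contain.
func SampleFIPSPage() []byte {
	b := make([]byte, 64)
	binary.BigEndian.PutUint32(b[0:4], 16) // one 8-byte descriptor header + 8 info bytes
	binary.BigEndian.PutUint16(b[4:6], DescriptorTypeFIPS140)
	binary.BigEndian.PutUint32(b[8:12], 8)
	copy(b[12:20], []byte("140-2 L2")) // placeholder information bytes
	return b
}

func main() {
	for _, page := range [][]byte{SampleEmptyPage(), SampleFIPSPage()} {
		descs, err := ParseSecurityComplianceList(page)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d descriptor(s)\n", len(descs))
		for _, d := range descs {
			fmt.Printf("  type 0x%04x, %d info bytes: %q\n", d.Type, len(d.Info), d.Info)
		}
	}
}
```

Because the parser trusts only the length fields that fit inside the bytes actually handed to it, a drive that answers with an all-zero page is distinguishable from a transport error, and a corrupt length can not push the slice indexes past the buffer.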
@bluecmd bluecmd changed the title Drive Security Life Cycle State [Seagate] Drive Security Life Cycle State May 31, 2021