Technical details
Unprotected areas:
To allow the system to boot from protected SED media, BCVE leaves two LBA ranges unprotected:
- GPT primary header
- EFI system partition
The rest of the sectors are protected by a global range.
General system requirements:
- For boot disk media, only GPT disk layouts and UEFI BIOS implementations are supported.
- EFI_STORAGE_SECURITY_COMMAND_PROTOCOL must be supported by the BIOS (UEFI v2.5).
- Only ATA and NVM Express devices are supported.
- SATA controller must be set to AHCI mode.
Security considerations
- The SED password is not affected by anti-hammering techniques provided by the storage media, because this makes it easier to provide a consistent user experience.
- BCVE has no reliable way to verify that data sectors on SED media are encrypted and that encryption keys are non-extractable and non-recoverable.
- BCVE has no means to inject an encryption key into, or extract one from, the disk controller. This means that rescue decryption differs little, if at all, from regular decryption.
Moving or resizing the EFI system partition while SED locking is enabled can damage the EFI system partition and surrounding data.
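
An added example, not BCVE code: a Python check that reads the GPT primary header and partition entries from a raw disk image, finds the EFI system partition, and reports whether it still lies inside a previously recorded unprotected LBA range. The 512-byte sector size, the function names and the caller-supplied recorded range are assumptions; the page does not describe how BCVE stores its ranges, and header and entry CRCs are not validated here.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors
# EFI system partition type GUID from the UEFI specification
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")

def esp_range(disk: bytes):
    """Return (first_lba, last_lba) of the EFI system partition, or None."""
    hdr = disk[SECTOR:2 * SECTOR]  # the GPT primary header sits at LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT primary header at LBA 1")
    # Offset 72: partition entry array LBA, entry count, entry size
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        entry = disk[off:off + size]
        if len(entry) < 48:  # truncated image or bogus entry size
            break
        if uuid.UUID(bytes_le=entry[:16]) == ESP_TYPE:
            return struct.unpack_from("<QQ", entry, 32)  # first and last LBA
    return None

def esp_still_covered(disk: bytes, recorded):
    """True if the ESP lies fully inside the recorded (first, last) LBA range."""
    found = esp_range(disk)
    return (found is not None
            and recorded[0] <= found[0] and found[1] <= recorded[1])

def make_sample_disk(first_lba, last_lba, sectors=64):
    """Constructed input: a minimal GPT image holding a single ESP entry."""
    disk = bytearray(sectors * SECTOR)
    disk[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", disk, SECTOR + 72, 2, 4, 128)  # entries at LBA 2
    struct.pack_into("<16s16sQQ", disk, 2 * SECTOR, ESP_TYPE.bytes_le,
                     uuid.UUID(int=1).bytes_le, first_lba, last_lba)
    return bytes(disk)

if __name__ == "__main__":
    recorded = (2048, 206847)                 # constructed recorded range
    moved = make_sample_disk(4096, 208895)    # ESP moved after locking
    print(esp_range(moved), esp_still_covered(moved, recorded))
```

Running such a check before and after any partitioning operation shows whether the partition has drifted out of the range that was left unprotected.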