Granular user locking range control (with ACEs) #38
Description
I like the addition of being able to add users to be able to read and write lock the global locking range.
It would be great to be able to control which users can unlock which ranges. This has the benefit of effectively supporting multi-tenancy on consumer level hardware (on enterprise hardware one would just add namespaces and configure OPAL on them seperately), as each locking range's crypto can be bound to the passphrase of the user (as I understand it anyway). If the key for only one locking range is in the SED's memory, only the data in this locking will be accessible if the firmware is compromised remotely (instead of the admin key being in memory thus granting an attacker control over the whole device).
From the OPAL spec it looks like this can be done with ACE_Locking_RangeNNNN_Set_RdLocked but I see that the command --addUserToLockingACEs only adds access to the global locking range with ACE_Locking_Range_GLOBAL_Set_RdLocked.
Would such a thing able to be added (if I understand OPAL correctly)?