TCG_Storage-Opal_SSC_FAQ.pdf
Trusted Computing Group Storage Work Group
Opal Security Subsystem Class (SSC) Specification FAQ
August 2015

Q. What is the Storage Work Group?
A. The Storage Work Group is an entity within the Trusted Computing Group. It consists of TCG member companies with interests in the implementation of the Trusted Computing Group's specifications for storage devices. For more information on the Storage Work Group, please refer to www.trustedcomputinggroup.org.

Q. What is the purpose of the Storage Work Group?
A. The Storage Work Group builds upon existing TCG philosophy in the development of specifications that provide a comprehensive architecture for storage devices. The Storage Work Group's objective is to define specifications and accompanying documents for building and managing storage devices that enforce policy controls as set by hosts across a wide range of storage transport command protocols.

Q. How is the Storage Work Group organized?
A. The Storage Work Group operates under the auspices of the TCG. Membership in the Storage Work Group is determined by TCG bylaws and is open to all TCG members.

Q. Who is participating in the Storage Work Group?
A. Participation in the Storage Work Group includes storage device manufacturers, storage subsystem manufacturers, software vendors, and designers of custom, highly integrated components. Storage and security management and storage integration vendors also participate. A complete list of current TCG members is available at www.trustedcomputinggroup.org.

Q. What is the output of this Work Group?
A. The Storage Work Group deliverables include specifications that define security functionality requirements for storage devices and managing hosts; test cases and certification process documents; and informative supporting documents.

Q. What is the Core Specification?
A. The Core Specification, officially known as the TCG Storage Architecture Core Specification, was developed by the Storage Work Group and provides a comprehensive definition of TCG-related functions for a TCG storage device.

Q. What is a Security Subsystem Class (SSC)?
A. The Core Specification can be further broken down into multiple subsets of functionality called Security Subsystem Classes (SSCs). SSCs explicitly define the minimum acceptable Core Specification capabilities of a storage device in a specific "class" and potentially expand functionality beyond what is defined in the Core Specification.

Q. What is the Opal SSC?
A. The Opal SSC specification is predicated on ease of implementation and integration. This SSC defines the functionality for implementing the Core Specification on storage devices.

Q. What is the audience for this specification?
A. The target audience includes system integrators, security software vendors, test suite vendors, OEMs, and storage device manufacturers.

Q. What features are specified by the Opal SSC?
A. The Opal SSC provides data-at-rest protection of user data via data encryption and access controls, secure boot capability (pre-boot authentication), and fast repurposing of the storage device.

Q. How is user data protected?
A. The Opal SSC specifies multiple storage ranges, each with its own authentication and encryption key. The range start, range length, read/write locks, and the user read/write access control for each range are configurable.

Q. Why do we need Opal SSC devices?
A. Opal SSC specifies a hardware-based data encryption solution to the problem of data breach caused by lost or stolen storage devices.

Q. Do Opal SSC devices require a TPM?
A. No. Opal SSC storage devices do not require a TPM. For additional protection, integrating these storage devices in systems with an activated TPM is recommended.

Q. What's new in the Opal SSC v2.00 Specification?
A. Opal SSC v2.00 includes the following new and enhanced capabilities:
• LBA Range Alignment: Configuration options for LBA range alignment in storage devices with more than 1 logical block per physical block on the media and where the first logical block may not line up exactly with the beginning of a physical block.
• Byte Table Access Granularity: Writing to byte tables, such as the DataStore table and the MBR table in the Locking SP, can now be required to be done in blocks of granularity larger than a byte.
• Admin Authorities: The minimum supported number of Admin Authorities in the Locking SP has been increased to 4. New Admin Authorities (a minimum of 1) have been added to the Admin SP.
• User Authorities: The minimum supported number of User Authorities has been increased to 8. A configuration option for disallowing User Authorities to change their C_PIN values has been added.
• LBA Ranges: The minimum number of supported LBA ranges has been increased to 8.
• Methods and Commands: More methods and commands are now Mandatory in Opal SSC v2.00, including the Protocol Stack Reset and TPer Reset commands, and the Authenticate, Random and Revert methods (on both the Locking SP and the Admin SP).
• Columns and Tables: More columns of certain tables are now Mandatory in Opal SSC v2.00. This includes the CommonName column in the Authority and Locking tables of the Locking SP, and the GUDID column in the TPerInfo table of the Admin SP. A new SecretProtect table has been added to the Locking SP.
• Default SID PIN Value: The initial value of C_PIN_SID may be Vendor Unique (instead of being set to C_PIN_MSID).
• DataStore Table: The minimum size of the DataStore table has been increased to 10MB (from 1KB). The Additional DataStore Tables Feature Set has been made Mandatory.

Q. Is the Opal SSC v2.00 a superset of the Opal SSC v1.00?
A. Yes. The Opal SSC v2.00 specification extends the existing features of Opal SSC v1.00 and adds additional features.

Q. Is the Opal SSC v2.00 specification backwards compatible with the previous Opal SSC v1.00 specification?
A. No. The Opal SSC v2.00 specification itself is not backwards compatible. However, Opal SSC v2.00 allows a storage device vendor to implement a device based on Opal SSC v2.00 in a way that is backwards compatible with Opal SSC v1.00.

Q. Why was the backwards incompatibility introduced in Opal SSC v2.00?
A. The Opal SSC v2.00 specification was extended to allow storage devices with physical block size restrictions to be supported.

Q. How can I tell if a storage device supports both versions of the Opal specifications?
A. The storage device will report the Opal SSC Feature Descriptors for both specifications.

Q. What are the benefits of the Opal SSC v2.00 specification?
A. Opal SSC v2.00 will accommodate a wider range of storage devices. The addition of new features allows delivery of a richer set of solutions around self-encrypting drives.

Q. What is a Feature Set?
A. A Feature Set defines additional functionality that extends an SSC.

Q. Are there any Mandatory Feature Sets for Opal SSC v2.00?
A. Yes. The Additional DataStore Tables Feature Set is Mandatory for Opal SSC v2.00.

Q. Can Opal SSC v2.00 storage devices work with host software designed for Opal SSC v1.00?
A. Yes, if the storage device was implemented to support both the Opal SSC v1.00 and Opal SSC v2.00 specifications.

Q. How does a storage device vendor implement a device based on Opal SSC v2.00 so that it is compatible with Opal SSC v1.00?
A. An Opal SSC v2.00 implementation is compatible with Opal SSC v1.00 only if the geometry reported by the Geometry Reporting Feature does not specify any alignment restrictions; the TPer does not specify any granularity restrictions for byte tables; and the "Initial C_PIN_SID PIN Indicator" and "Behavior of C_PIN_SID PIN upon TPer Revert" fields are both 0x00 in the Opal SSC v2.00 Level 0 Feature Descriptor. The storage device will report the Opal SSC Feature Descriptors for both specifications.

Q. What's new in the Opal SSC v2.01 Specification?
A. The Opal SSC v2.01 specification adds one new mandatory Feature Set and introduces some editorial changes. The specification now references the updated TCG Storage Architecture Core Specification, Version 2.01, and the updated TCG Storage Interface Interactions Specification, Version 1.04.

Q. Are there any additional Mandatory Feature Sets for Opal SSC v2.01?
A. Yes. The TCG Storage Opal SSC Feature Set: PSID was added and is now Mandatory for Opal SSC v2.01.

Contact: Anne Price +1 (602)840-6495 press@trustedcomputinggroup.org
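The two answers above on detecting dual-version support and on v1.00 compatibility can be turned into a host-side inventory check. The following is an added example, not code from the TCG or from the FAQ: it parses a Level 0 Discovery response (the 48-byte header followed by feature descriptors, each with a 2-byte feature code, a version byte and a length byte), looks for the Opal SSC v1.00 (feature code 0x0200) and v2.00 (0x0203) descriptors, reads the ALIGN bit of the Geometry Reporting descriptor (0x0003), and checks that bytes 9 and 10 of the v2.00 descriptor, the "Initial C_PIN_SID PIN Indicator" and "Behavior of C_PIN_SID PIN upon TPer Revert" fields, are both 0x00. The feature-code values and byte offsets are taken from the published Level 0 descriptor layouts as I know them and should be confirmed against the Opal v2.00 specification text; the byte-table granularity condition is not part of these descriptors and is not checked here. The discovery responses are constructed sample data, not captures from real devices.

```python
import struct

# Level 0 Discovery feature codes (assumed from the published descriptor layouts).
FC_GEOMETRY = 0x0003   # Geometry Reporting feature
FC_OPAL_V1 = 0x0200    # Opal SSC v1.00 feature descriptor
FC_OPAL_V2 = 0x0203    # Opal SSC v2.00 feature descriptor

HEADER_LEN = 48  # 4-byte length + 4-byte revision + 8 reserved + 32 vendor specific


def parse_level0(buf):
    """Return {feature_code: (version, data)} from a Level 0 Discovery response.

    The leading 4-byte big-endian length counts the bytes that follow it, so the
    descriptor area ends at 4 + length (bounded by the buffer actually received).
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated Level 0 Discovery header")
    total = struct.unpack_from(">I", buf, 0)[0]
    end = min(len(buf), 4 + total)
    feats = {}
    off = HEADER_LEN
    while off + 4 <= end:
        code, ver_byte, length = struct.unpack_from(">HBB", buf, off)
        data = bytes(buf[off + 4:off + 4 + length])
        if len(data) < length:
            raise ValueError("truncated feature descriptor 0x%04x" % code)
        feats[code] = (ver_byte >> 4, data)  # version lives in the upper nibble
        off += 4 + length
    return feats


def opal_v1_compatible(feats):
    """Apply the FAQ's v1.00-compatibility conditions to parsed descriptors.

    Returns (compatible, reasons); an empty reasons list means every checked
    condition held.
    """
    if FC_OPAL_V2 not in feats:
        return False, ["no Opal SSC v2.00 feature descriptor reported"]
    reasons = []
    if FC_OPAL_V1 not in feats:
        reasons.append("Opal SSC v1.00 feature descriptor not reported")
    geo = feats.get(FC_GEOMETRY)
    if geo is not None and geo[1][0] & 0x01:
        reasons.append("Geometry Reporting ALIGN bit set: alignment restrictions apply")
    v2 = feats[FC_OPAL_V2][1]
    if v2[9] != 0x00:
        reasons.append("Initial C_PIN_SID PIN Indicator is 0x%02x, not 0x00" % v2[9])
    if v2[10] != 0x00:
        reasons.append("Behavior of C_PIN_SID PIN upon TPer Revert is 0x%02x, not 0x00" % v2[10])
    return not reasons, reasons


# --- constructed sample responses (not captured from a real device) ---------

def _fd(code, version, data):
    """Build one feature descriptor: code, version nibble, length, payload."""
    return struct.pack(">HBB", code, version << 4, len(data)) + data


def _level0(*descs):
    """Build a Level 0 response: length field, 44 header bytes, descriptors."""
    body = b"".join(descs)
    return struct.pack(">I", 44 + len(body)) + bytes(44) + body


def _geometry(align, granularity):
    # ALIGN bit, 7 reserved, LogicalBlockSize, AlignmentGranularity, LowestAlignedLBA
    return bytes([align]) + bytes(7) + struct.pack(">IQQ", 512, granularity, 0)


def _opal_v2(initial_pin, revert_pin):
    # base ComID, ComID count, range-crossing byte, admin count, user count,
    # Initial C_PIN_SID PIN Indicator (byte 9), Behavior upon TPer Revert (byte 10)
    return struct.pack(">HHBHHBB", 0x0100, 1, 0, 4, 8, initial_pin, revert_pin) + bytes(5)


_OPAL_V1 = struct.pack(">HHB", 0x0100, 1, 0) + bytes(11)

# Device that reports both descriptors, no alignment, default SID PIN behaviour.
SAMPLE_COMPATIBLE = _level0(
    _fd(FC_GEOMETRY, 1, _geometry(0, 1)),
    _fd(FC_OPAL_V1, 1, _OPAL_V1),
    _fd(FC_OPAL_V2, 1, _opal_v2(0x00, 0x00)),
)

# Device that is v2.00-only, needs 8-block alignment, and has a vendor-unique SID PIN.
SAMPLE_RESTRICTED = _level0(
    _fd(FC_GEOMETRY, 1, _geometry(1, 8)),
    _fd(FC_OPAL_V2, 1, _opal_v2(0xFF, 0x00)),
)


if __name__ == "__main__":
    for name, sample in (("compatible", SAMPLE_COMPATIBLE), ("restricted", SAMPLE_RESTRICTED)):
        ok, why = opal_v1_compatible(parse_level0(sample))
        print(name, "->", "v1.00-compatible" if ok else "; ".join(why))
```

On a real system the raw response would come from an IF-RECV of Security Protocol 0x01, ComID 0x0001 (the Level 0 Discovery request); the parser above only needs the returned bytes and does not issue any commands itself.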