Trusted Computing Group Storage Work Group
Opal Security Subsystem Class (SSC) Specification FAQ
August 2015
Q. What is the Storage Work Group?
A. The Storage Work Group is an entity within the Trusted Computing Group. It consists of TCG member
companies with interests in the implementation of the Trusted Computing Group’s specifications for storage
devices. For more information on the Storage Work Group, please refer to www.trustedcomputinggroup.org.
Q. What is the purpose of the Storage Work Group?
A. The Storage Work Group builds upon existing TCG philosophy in the development of specifications that
provide a comprehensive architecture for storage devices. The Storage Work Group’s objective is to define
specifications and accompanying documents for building and managing storage devices that enforce policy
controls as set by hosts across a wide range of storage transport command protocols.
Q. How is the Storage Work Group organized?
A. The Storage Work Group operates under the auspices of the TCG. Membership in the Storage Work Group is
determined by TCG bylaws and is open to all TCG members.
Q. Who is participating in the Storage Work Group?
A. Participation in the Storage Work Group includes storage device manufacturers, storage subsystem
manufacturers, software vendors, and designers of custom, highly integrated components. Storage and security
management and storage integration vendors also participate. A complete list of current TCG members is
available at www.trustedcomputinggroup.org.
Q. What is the output of this Work Group?
A. The Storage Work Group deliverables include specifications that define security functionality requirements for
storage devices and managing hosts; test cases and certification process documents; and informative supporting
documents.
Q. What is the Core Specification?
A. The Core Specification, officially known as the TCG Storage Architecture Core Specification and developed by the
Storage Work Group, provides a comprehensive definition of TCG-related functions for a TCG storage device.
Q. What is a Security Subsystem Class (SSC)?
A. The Core Specification can be further broken down into multiple subsets of functionality called Security
Subsystem Classes (SSCs). SSCs explicitly define the minimum acceptable Core Specification capabilities of a
storage device in a specific “class” and potentially expand functionality beyond what is defined in the Core
Specification.
Q. What is the Opal SSC?
A. The Opal SSC specification is predicated on ease of implementation and integration. This SSC defines the
functionality for implementing the Core Specification on storage devices.
Q. What is the audience for this specification?
A. The target audience includes system integrators, security software vendors, test suite vendors, OEMs, and
storage device manufacturers.
Q. What features are specified by the Opal SSC?
A. The Opal SSC provides data-at-rest protection of user data via data encryption and access controls, secure
boot capability (pre-boot authentication), and fast repurposing of the storage device.
Q. How is user data protected?
A. The Opal SSC specifies multiple storage ranges with each having its own authentication and encryption key.
The range start, range length, read/write locks as well as the user read/write access control for each range are
configurable.
Q. Why do we need Opal SSC devices?
A. Opal SSC specifies a hardware-based data encryption solution to the problem of data breach caused by lost or
stolen storage devices.
Q. Do Opal SSC devices require a TPM?
A. No. Opal SSC storage devices do not require a TPM. For additional protection, integrating these storage
devices in systems with an activated TPM is recommended.
Q. What’s new in the Opal SSC v2.00 Specification?
A. Opal SSC v2.00 includes the following new and enhanced capabilities:
• LBA Range Alignment: Configuration options for LBA range alignment in storage devices with more than
1 logical block per physical block on the media and where the first logical block may not line up exactly
with the beginning of a physical block.
• Byte Table Access Granularity: Writing to byte tables, such as the DataStore table and the MBR table in
the Locking SP, can now be required to be done in blocks of granularity larger than a byte.
• Admin Authorities: The minimum supported number of Admin Authorities in the Locking SP has been
increased to 4. New Admin Authorities (a minimum of 1) have been added to the Admin SP.
• User Authorities: The minimum supported number of User Authorities has been increased to 8. A
configuration option for disallowing User Authorities to change their C_PIN values has been added.
• LBA Ranges: The minimum number of supported LBA ranges has been increased to 8.
• Methods and Commands: More methods and commands are now Mandatory in Opal SSC v2.00,
including the Protocol Stack Reset and TPer Reset commands, and the Authenticate, Random and
Revert methods (on both the Locking SP and the Admin SP).
• Columns and Tables: More columns of certain tables are now Mandatory in Opal SSC v2.00. This
includes the CommonName column in the Authority and Locking tables of the Locking SP, and the
GUDID column in the TPerInfo table of the Admin SP. A new SecretProtect table has been added to the
Locking SP.
• Default SID PIN Value: The initial value of C_PIN_SID may be Vendor Unique (instead of being set to
C_PIN_MSID).
• DataStore Table: The minimum size of the DataStore table has been increased to 10MB (from 1KB). The
Additional DataStore Tables Feature Set has been made Mandatory.
Q. Is the Opal SSC v2.00 a superset of the Opal SSC v1.00?
A. Yes. The Opal SSC v2.00 specification extends the existing features of Opal SSC v1.00 and adds additional
features.
Q. Is the Opal SSC v2.00 specification backwards compatible with the previous Opal SSC v1.00
specification?
A. No. The Opal SSC v2.00 specification itself is not backwards compatible. However, Opal SSC v2.00 allows a
storage device vendor to implement a device based on Opal SSC v2.00 in a way that is backwards compatible
with Opal SSC v1.00.
Q. Why was the backwards incompatibility introduced in Opal SSC v2.00?
A. The Opal SSC v2.00 specification was extended to allow storage devices with physical block size restrictions to
be supported.
Q. How can I tell if a storage device supports both versions of the Opal specifications?
A. The storage device will report the Opal SSC Feature Descriptors for both specifications.
Q. What are the benefits of the Opal SSC v2.00 specification?
A. Opal SSC v2.00 will accommodate a wider range of storage devices. The addition of new features allows
delivery of a richer set of solutions around self-encrypting drives.
Q. What is a Feature Set?
A. A Feature Set defines additional functionality that extends an SSC.
Q. Are there any Mandatory Feature Sets for Opal SSC v2.00?
A. Yes. The Additional DataStore Tables Feature Set is Mandatory for Opal SSC v2.00.
Q. Can Opal SSC v2.00 storage devices work with host software designed for Opal SSC v1.00?
A. Yes, if the storage device was implemented to support both the Opal SSC v1.00 and Opal SSC v2.00
specifications.
Q. How does a storage device vendor implement a device based on Opal SSC v2.00 so that it is
compatible with Opal SSC v1.00?
A. An Opal SSC v2.00 implementation is compatible with Opal SSC v1.00 only if the geometry reported by the
Geometry Reporting Feature does not specify any alignment restrictions; the TPer does not specify any
granularity restrictions for byte tables; and the “Initial C_PIN_SID PIN Indicator” and “Behavior of C_PIN_SID PIN
upon TPer Revert” fields are both 0x00 in the Opal SSC v2.00 Level 0 Feature Descriptor. The storage device will
report the Opal SSC Feature Descriptors for both specifications.
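The compatibility conditions in this answer, together with the earlier answer that a device supporting both versions reports both Opal SSC Feature Descriptors, as an added Python example (not part of the TCG FAQ and not TCG code) that checks a Level 0 Discovery response. Assumptions not stated on this page: the feature codes 0x0003, 0x0200 and 0x0203, the 48-byte header, and the byte offsets used; byte-table granularity is not reported in Level 0 Discovery, so the caller passes it in.

```python
import struct

# Feature codes and offsets follow the TCG Level 0 Discovery layout as the editor
# understands it; they are assumptions here, not values taken from this FAQ.
GEOMETRY, OPAL_V1, OPAL_V2 = 0x0003, 0x0200, 0x0203
HEADER_LEN = 48  # Level 0 Discovery header that precedes the descriptors

def parse_features(resp: bytes) -> dict:
    """Map feature code -> whole descriptor from a Level 0 Discovery response."""
    if len(resp) < HEADER_LEN:
        raise ValueError("response shorter than the Level 0 header")
    # Bytes 0-3 count the data that follows the length field itself.
    end = min(struct.unpack_from(">I", resp, 0)[0] + 4, len(resp))
    feats, off = {}, HEADER_LEN
    while off + 4 <= end:
        code, _version, length = struct.unpack_from(">HBB", resp, off)
        if off + 4 + length > end:
            raise ValueError(f"descriptor 0x{code:04x} overruns the response")
        feats[code] = resp[off:off + 4 + length]
        off += 4 + length
    return feats

def v1_compat_findings(resp: bytes, byte_table_granularity: bool) -> list:
    """Reasons the device misses the v1.00-compatibility conditions ([] if none)."""
    f, why = parse_features(resp), []
    if OPAL_V1 not in f or OPAL_V2 not in f:
        why.append("missing Opal v1.00 or v2.00 feature descriptor")
    geo, v2 = f.get(GEOMETRY, b""), f.get(OPAL_V2, b"")
    if len(geo) > 4 and geo[4] & 0x01:  # ALIGN bit set
        why.append("geometry reports alignment restrictions")
    if byte_table_granularity:  # not in Level 0 Discovery; supplied by the caller
        why.append("byte tables have granularity restrictions")
    if v2 and (len(v2) < 15 or v2[13] or v2[14]):
        why.append("C_PIN_SID indicator / revert-behavior field missing or not 0x00")
    return why

def sample_response(align: int, initial_pin: int, revert_pin: int) -> bytes:
    """Constructed Level 0 Discovery response for the checks above (not real data)."""
    def desc(code, body):
        return struct.pack(">HBB", code, 0x10, len(body)) + body
    body = desc(GEOMETRY, bytes([align]) + bytes(7) + struct.pack(">IQQ", 512, 8, 0))
    body += desc(OPAL_V1, struct.pack(">HHB", 0x1000, 1, 0) + bytes(11))
    body += desc(OPAL_V2, struct.pack(">HHBHHBB", 0x1000, 1, 0, 4, 8,
                                      initial_pin, revert_pin) + bytes(5))
    return struct.pack(">I", HEADER_LEN - 4 + len(body)) + bytes(HEADER_LEN - 4) + body

if __name__ == "__main__":
    print(v1_compat_findings(sample_response(0, 0x00, 0x00), False))
    print(v1_compat_findings(sample_response(1, 0xFF, 0x00), False))
```

An empty list means every condition listed in the answer holds for the parsed response; each string names one condition that does not.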
Q. What’s new in the Opal SSC v2.01 Specification?
A. The Opal SSC v2.01 specification adds one new mandatory Feature Set and introduces some editorial
changes. The specification now references the updated TCG Storage Architecture Core Specification, Version
2.01 and the updated TCG Storage Interface Interactions Specification, Version 1.04.
Q. Are there any additional Mandatory Feature Sets for Opal SSC v2.01?
A. Yes. The TCG Storage Opal SSC Feature Set: PSID was added and is now Mandatory for Opal SSC v2.01.
Contact:
Anne Price
+1 (602)840-6495
press@trustedcomputinggroup.org