go-tcg-storage: State of the Project and the Future

A quick tour of go-tcg-storage, the pure-Go library for driving TCG Storage self-encrypting drives. Where the project stands today, what might be next, and a perspective from someone stepping up to help maintain it.

TCG Storage self-encrypting drives (SEDs) put full-disk encryption in the drive controller itself, exposed through the Trusted Computing Group's Security Subsystem Classes — Opal, Pyrite, Enterprise, and Ruby. In practice, managing them means wrestling with ComIDs, locking ranges, pre-boot authentication and shadow MBR, usually via legacy tooling like sedutil or vendor specific tools.

go-tcg-storage takes a different path: a pure-Go, kernel-independent implementation of the TCG Storage stack, layered from a low-level drive interface (IF-SEND/IF-RECV over NVMe, SATA, and SAS) up through a core session library to a high-level locking API.

This lightning talk covers three things: (1) a short primer on TCG Storage and why an open, library matters for firmware and boot security; (2) the current state of go-tcg-storage — what works, which drives and SSCs are covered, and where the rough edges are; and (3) the roadmap: broader SSC and transport coverage, PBA workflows, release and packaging, testing, and documentation.