Storage Silo Driver I/O Control Codes

Storage silo driver clients use the IOCTLs in this section to communicate with storage silo drivers.

This section consists of the following topics:

In this section

TopicDescription

IOCTL_EHSTOR_BANDMGMT_ACTIVATE

This IOCTL_EHSTOR_BANDMGMT_ACTIVATE request is sent to activate the security features and band management on a storage device. The request includes activation options and the authentication key.

IOCTL_EHSTOR_BANDMGMT_CREATE_BAND

New bands are created on a band-managed storage device with the IOCTL_EHSTOR_BANDMGMT_CREATE_BAND request. A new band is added to the table of band entries, which includes band location and security properties.

IOCTL_EHSTOR_BANDMGMT_DELETE_BAND

A configured band on a storage device is deleted with the IOCTL_EHSTOR_BANDMGMT_DELETE_BAND request. An erase option in the input parameters allows the request to perform a cryptographic erase of the band data.

IOCTL_EHSTOR_BANDMGMT_ENUMERATE_BANDS

This IOCTL_EHSTOR_BANDMGMT_ENUMERATE_BANDS request is sent to retrieve the list of bands for a storage device under band management. Banding information is returned in a table of band entries that includes band location and security properties.

IOCTL_EHSTOR_BANDMGMT_ERASE_BAND

The IOCTL_EHSTOR_BANDMGMT_ERASE_BAND request will cryptographically erase and reset the authentication key of a band. The remaining configuration of the band is left unmodified.

IOCTL_EHSTOR_BANDMGMT_GET_BAND_METADATA

Metadata associated with a band is retrieved with an IOCTL_EHSTOR_BANDMGMT_GET_BAND_METADATA request. The metadata for a band serves as a data area for a key manager application.

IOCTL_EHSTOR_BANDMGMT_QUERY_CAPABILITIES

The IOCTL_EHSTOR_BANDMGMT_QUERY_CAPABILITIES request retrieves the banded security capabilities for a storage device. The IOCTL returns the capabilities as a BAND_MANAGEMENT_CAPABILITIES structure in the system buffer.

IOCTL_EHSTOR_BANDMGMT_REVERT

This IOCTL_EHSTOR_BANDMGMT_REVERT request is sent to deactivate the security features and band management on a storage device. The request includes revert options and the authentication key.

IOCTL_EHSTOR_BANDMGMT_SET_BAND_LOCATION

The location properties of bands in a band-managed storage device are modified with the IOCTL_EHSTOR_BANDMGMT_SET_BAND_LOCATION request.

IOCTL_EHSTOR_BANDMGMT_SET_BAND_METADATA

Metadata associated with a band is set with an IOCTL_EHSTOR_BANDMGMT_SET_BAND_METADATA request. The metadata for a band serves as a data area for a key manager application.

IOCTL_EHSTOR_BANDMGMT_SET_BAND_SECURITY

The security properties of bands in a band-managed storage device are modified with the IOCTL_EHSTOR_BANDMGMT_SET_BAND_SECURITY request.

IOCTL_EHSTOR_DEVICE_ENUMERATE_PDOS

This IOCTL returns a result set containing the enumeration of all active storage Physical Device Objects (PDOs) associated with the given Addressable Command Target (ACT). The client may first probe for the required buffer size by issuing this IOCTL in the following manner:


DeviceIoControl(
    hDevice,
    IOCTL_EHSTOR_DEVICE_ENUMERATE_PDOS,
    &pdoType,
    sizeof(PDO_TYPE),
    NULL,
    0,
    &dwBytesRequired,
    NULL );

With the output buffer parameter set to NULL, the I/O manager clears the IRP_INPUT_OPERATION bit in the IRP flags. Upon detecting this, the storage silo driver can safely set IoStatus.Information to the required buffer size, thus indicating it to the client.

This only works because STATUS_BUFFER_OVERFLOW (0x80000005) is an NT_WARNING() value for which I/O manager copies IoStatus.Information into the lpBytesReturned parameter, returning that value to the client.

Caution is required here because IOCTL_EHSTOR_DEVICE_ENUMERATE_PDOS is defined with METHOD_BUFFERED, therefore I/O manager will attempt to copy this number of bytes into the output buffer.

IOCTL_EHSTOR_DEVICE_GET_AUTHZ_STATE

This IOCTL is used to inform the owning driver for the IEEE 1667 device PDOs that the authorization state has changed. The owning driver may choose to change the state of the disk PDO in response to this IOCTL. In the case of EhStorClass.sys, the disk PDO is added or removed based on the authorization value in the input buffer of this IOCTL. Typically this IOCTL is issued by a UMDF authentication silo driver, such as the password or certificate driver, immediately following a successful silo operation which has changed the authentication state of the silo.

IOCTL_EHSTOR_DEVICE_GET_QUEUE_STATE

The IOCTL_EHSTOR_DEVICE_GET_QUEUE_STATE request is sent by silo drivers and applications to determine the state of a storage device queue. IO requests in the storage device queue are held when the device is temporarily unauthorized. A storage device may become temporarily unauthorized in low power states or when there is a policy that requires locking Enhanced Storage devices such as when the user session is locked.

IOCTL_EHSTOR_DEVICE_QUERY_PROPERTIES

A silo driver sends this IOCTL to the storage device stack to query for storage device properties. The Enhanced Storage Class Driver (EHSTOR) will handle the request and return the available properties.

IOCTL_EHSTOR_DEVICE_SET_AUTHZ_STATE

This IOCTL is used to inform the owning driver for the IEEE 1667 device PDOs that the authorization state has changed. The owning driver may choose to change the state of the disk PDO in response to this IOCTL. In the case of EhStorClass.sys, the disk PDO is added or removed based on the authorization value in the input buffer of this IOCTL. Typically this IOCTL is issued by a UMDF authentication silo driver, such as the password or certificate driver, immediately following a successful silo operation which has changed the authentication state of the silo.

IOCTL_EHSTOR_DEVICE_SET_QUEUE_STATE

The IOCTL_EHSTOR_DEVICE_SET_QUEUE_STATE request is sent by silo drivers and applications to change the state of a storage device queue. IO requests in the storage device queue are held when the device is temporarily unauthorized.

IOCTL_EHSTOR_DEVICE_SILO_COMMAND

This IOCTL issues a silo command to the targeted silo on the device. Both input and output data are structured according to the definition of silo commands, as found in the IEEE 1667 specification document.

IOCTL_EHSTOR_DRIVER_PERFORM_AUTHZ

IOCTL_EHSTOR_DRIVER_PERFORM_AUTHZ is sent by the Enhanced Storage Class Driver (EHSTOR) to the silo driver to initiate on-demand authentication or deauthentication.

IOCTL_EHSTOR_DRIVER_REPORT_CAPABILITIES

This IOCTL is used to inform the enhanced storage (EHSTOR) class driver of the silo driver's capabilities. The silo driver sends this IOCTL with a SILO_DRIVER_CAPABILITES structure that indicates whether authentication and banding are supported along with a list of EHSTOR IOCTLs it will handle.

IOCTL_EHSTOR_DRIVER_UPDATE_LBA_FILTER_TABLE

This IOCTL is used to inform the enhanced storage (EHSTOR) class driver of changes to the LBA filter table. Bands managed by the silo driver are composed of LBA ranges. The silo driver notifies the EHSTOR class driver of updates to the set of bands it controls with this IOCTL.

IOCTL_EHSTOR_TCGDRV_RELINQUISH_SILO

The IOCTL_EHSTOR_TCGDRV_RELINQUISH_SILO request relinquishes control of band management by the Trusted Computing Group (TCG) Storage Silo driver. Applications issue this request to manage a storage silo directly. The band management functionality and API provided by the TCG Storage Silo driver are disabled.

 

 

 

Send comments about this topic to Microsoft

Show: