From 84d3820a2f6dcdc752f4d5ac6a32b7e20df35b40 Mon Sep 17 00:00:00 2001 From: Milan Broz Date: Tue, 9 Apr 2024 10:37:26 +0200 Subject: [PATCH] Add warning about OPAL admin PIN to man page and release notes. --- docs/v2.7.2-ReleaseNotes | 8 ++++++++ man/common_options.adoc | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/docs/v2.7.2-ReleaseNotes b/docs/v2.7.2-ReleaseNotes index 73df5e5c..1d683534 100644 --- a/docs/v2.7.2-ReleaseNotes +++ b/docs/v2.7.2-ReleaseNotes @@ -21,3 +21,11 @@ Changes since version 2.7.1 as this passphrase already exists. * Update license for FAQ document to CC BY-SA 4.0. + +NOTE: Please note that with OPAL-only (--hw-opal-only) encryption, +the configured OPAL administrator PIN (passphrase) allows unlocking +all configured locking ranges without LUKS keyslot decryption +(without knowledge of LUKS passphrase). +Because of many observed problems with compatibility, cryptsetup +currently DOES NOT use OPAL single-user mode, which would allow such +decoupling of OPAL admin PIN access. diff --git a/man/common_options.adoc b/man/common_options.adoc index 4cd83185..841929bd 100644 --- a/man/common_options.adoc +++ b/man/common_options.adoc @@ -344,6 +344,14 @@ ifdef::ACTION_LUKSFORMAT[] Format LUKS2 device with HW based encryption configured on SED OPAL locking range only. LUKS2 format only manages locking range unlock key. This option enables HW based data encryption managed by SED OPAL drive only. ++ +*NOTE*: Please note that with OPAL-only (--hw-opal-only) encryption, +the configured OPAL administrator PIN (passphrase) allows unlocking +all configured locking ranges without LUKS keyslot decryption +(without knowledge of LUKS passphrase). +Because of many observed problems with compatibility, cryptsetup +currently DOES NOT use OPAL single-user mode, which would allow such +decoupling of OPAL admin PIN access. endif::[] ifdef::ACTION_REENCRYPT[]
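Review bot: in the docs/v2.7.2-ReleaseNotes hunk the new NOTE states the exposure (the OPAL admin PIN unlocks every configured locking range without the LUKS passphrase) but gives the reader no guidance on what follows from it; consider adding one sentence that the OPAL administrator PIN must therefore be protected at least as carefully as the LUKS passphrase itself. Wording: "NOTE: Please note that" says it twice; "NOTE: With OPAL-only (--hw-opal-only) encryption, the configured OPAL administrator PIN (passphrase) allows unlocking ..." reads cleaner, and "Because of many observed problems with compatibility" could be "Because of many observed compatibility problems".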
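Review bot: in the man/common_options.adoc hunk the NOTE is attached to the --hw-opal-only entry inside ifdef::ACTION_LUKSFORMAT[], so it is rendered only in the luksFormat man page, while the exposure it describes persists for the whole lifetime of the device, not just at format time; consider whether the same warning should also appear where the OPAL options are documented for the other actions. Since the paragraph already hangs off the --hw-opal-only option, the parenthetical "(--hw-opal-only)" is redundant in this copy. The man page and release-notes text are otherwise identical, so any wording fix should be applied to both hunks to keep them in sync.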