authorMilan Broz <gmazyland@gmail.com>2024-04-09 10:37:26 +0200
committerMilan Broz <gmazyland@gmail.com>2024-04-09 10:46:13 +0200
commitbc62204a412b56de833dc23d21dbbffca9a18f2b (patch)
tree99bcaac4780176381640878054a786d75ef27f29
parent4bd64eed821b96f21ca1c6936dcf532f1e72d59c (diff)
downloadcryptsetup-bc62204a412b56de833dc23d21dbbffca9a18f2b.tar.gz
Add warning about OPAL admin PIN to man page and release notes.
-rw-r--r--docs/v2.7.2-ReleaseNotes8
-rw-r--r--man/common_options.adoc8
2 files changed, 16 insertions, 0 deletions
diff --git a/docs/v2.7.2-ReleaseNotes b/docs/v2.7.2-ReleaseNotes
index 73df5e5c..1d683534 100644
--- a/docs/v2.7.2-ReleaseNotes
+++ b/docs/v2.7.2-ReleaseNotes
@@ -21,3 +21,11 @@ Changes since version 2.7.1
as this passphrase already exists.
* Update license for FAQ document to CC BY-SA 4.0.
+
+NOTE: Please note that with OPAL-only (--hw-opal-only) encryption,
+the configured OPAL administrator PIN (passphrase) allows unlocking
+all configured locking ranges without LUKS keyslot decryption
+(without knowledge of LUKS passphrase).
+Because of many observed problems with compatibility, cryptsetup
+currently DOES NOT use OPAL single-user mode, which would allow such
+decoupling of OPAL admin PIN access.
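Review bot: "NOTE: Please note that" in the first added line says the same thing twice; suggest "NOTE: With OPAL-only (--hw-opal-only) encryption, ...". The paragraph describes the exposure (the OPAL admin PIN unlocks every configured locking range without any LUKS keyslot decryption) but not what the reader should do about it; one added sentence that the OPAL admin PIN must therefore be protected at least as carefully as the LUKS passphrase would make the warning actionable in the release notes.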
diff --git a/man/common_options.adoc b/man/common_options.adoc
index 4cd83185..841929bd 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -344,6 +344,14 @@ ifdef::ACTION_LUKSFORMAT[]
Format LUKS2 device with HW based encryption configured on SED OPAL locking range only. LUKS2
format only manages locking range unlock key. This option enables HW based data encryption managed
by SED OPAL drive only.
++
+*NOTE*: Please note that with OPAL-only (--hw-opal-only) encryption,
+the configured OPAL administrator PIN (passphrase) allows unlocking
+all configured locking ranges without LUKS keyslot decryption
+(without knowledge of LUKS passphrase).
+Because of many observed problems with compatibility, cryptsetup
+currently DOES NOT use OPAL single-user mode, which would allow such
+decoupling of OPAL admin PIN access.
endif::[]
ifdef::ACTION_REENCRYPT[]
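Review bot: the man page is read long after this release, so "cryptsetup currently DOES NOT use OPAL single-user mode" will go stale silently; suggest "This version of cryptsetup does not use OPAL single-user mode, ..." so the statement stays accurate when the behaviour changes. The same "NOTE: Please note that" redundancy as in the release-notes hunk applies to the first added line here, and since this block is only emitted under ifdef::ACTION_LUKSFORMAT[], consider whether the admin PIN caveat also belongs where --hw-opal-only is referenced for other actions.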