No password prompt on reboot after locking SSD (Crucial MX500) with sedutil-cli, Error: is OPAL Failed. #59

Open
ungular opened this issue Dec 2, 2023 · 8 comments

ungular commented Dec 2, 2023

  • On reboot, after activating the SSD (Crucial MX500) locking with the "sedutil-cli" tool, the unlocking password prompt does not appear.
  • The locking process goes as expected, following the steps in the instructions on the page https://sedutil.com
  • Checking the PBA again with "linuxpba" from "sedutil-cli", the SSD appears as "is OPAL Failed".
  • After removing OPAL with the "reverttper" command and repeating the locking procedure, after running the "sedutil-cli --setlockingrange 0 lk debug /dev/drive" command, the linuxpba test returns "is OPAL Failed" for our SSD.

@Blacklands

The MX500 definitely works with sedutil, I've been using multiple of them in multiple systems for years. I assume you're trying to boot from it using the Shadow MBR and the PBA image? That should work fine, although it seems that some hardware configurations (motherboard and its BIOS mostly?) might have issues with that?

Also, if you want to completely reset your drive and start over, try PSID reverting it (this should erase all your data, be aware of that!).

ungular commented Dec 3, 2023

> The MX500 definitely works with sedutil, I've been using multiple of them in multiple systems for years. I assume you're trying to boot from it using the Shadow MBR and the PBA image? That should work fine, although it seems that some hardware configurations (motherboard and its BIOS mostly?) might have issues with that?
>
> Also, if you want to completely reset your drive and start over, try PSID reverting it (this should erase all your data, be aware of that!).

Loading the PBA as follows:

gunzip /usr/sedutil/UEFI64-1.15.img.gz 
#sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-1.15.img /dev/drive 

How should the BIOS be configured? Now it's UEFI, Secure Boot: Off.

What if I skip this command, setlockingrange 0 lk...?

ungular commented Dec 3, 2023

  1. locked with sedutil-cli
  2. reboot -> no password prompt
  3. open sedutil again -> run: sedutil-cli --query -> result:
    Locking function (0x0002) Locked=Y, LockingEnabled=Y, LockingSupported=Y, MBRDone=N, MBREnabled=Y, MBRAbsent=N, MediaEncrypt=Y
  4. run linuxpba: is OPAL Failed
  5. poweroff result :
    ...unmount: devtmpfs busy - remounted read-only unmount: can't unmount /: Invalid argument...
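
Added example, not part of the thread or of sedutil: a small POSIX shell helper that reads the `Locking function` line from the query output quoted in the comment above and names the state it describes, using the TCG Opal meaning of the flags. The function names and state names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Interprets the "Locking function" line
# of `sedutil-cli --query` using the TCG Opal Locking feature flag meanings.

# Constructed sample input: the line quoted in the comment above.
SAMPLE='Locking function (0x0002) Locked=Y, LockingEnabled=Y, LockingSupported=Y, MBRDone=N, MBREnabled=Y, MBRAbsent=N, MediaEncrypt=Y'

# flag LINE NAME: print Y or N for that field, or ? if it is missing.
flag() {
    v=$(printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\([YN]\).*/\1/p")
    printf '%s' "${v:-?}"
}

# classify LINE: print a short state name (names are this example's own).
# The key is built in the order Supported, Enabled, Locked, MBREnabled, MBRDone.
classify() {
    s=$(flag "$1" LockingSupported)$(flag "$1" LockingEnabled)
    s=$s$(flag "$1" Locked)$(flag "$1" MBREnabled)$(flag "$1" MBRDone)
    case "$s" in
        *"?"*) echo unparsed ;;
        N*)    echo locking-unsupported ;;
        YN*)   echo locking-not-enabled ;;
        YYYYN) echo locked-shadow-mbr-presented ;;   # drive offers the PBA image
        YYYN?) echo locked-no-shadow-mbr ;;          # no PBA is presented at boot
        YYNYN) echo unlocked-shadow-mbr-presented ;; # MBRDone not yet set
        YYN??) echo unlocked-data-visible ;;
        *)     echo locked-mbrdone-set ;;            # MBRDone=Y while still locked
    esac
}

classify "$SAMPLE"
```

The quoted line classifies as `locked-shadow-mbr-presented`: the drive is locked and is offering the shadow MBR (the PBA image) to the host, so a missing prompt in that state concerns how the firmware boots that image rather than the locking setup.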

ungular commented Dec 5, 2023

It seems that the motherboard does not support TPM; a relevant error message would be welcome here.

Blacklands commented Dec 5, 2023

I don't think you need a TPM (we're talking about a Trusted Platform Module, right?) for this. Where did you find that written? First time I'm hearing it I think.

So can you unlock the drive via sedutil in the terminal? Have you tried that? And just during the boot process with the PBA it doesn't work?

Some systems apparently have issues with the boot process, for example some end up power-cycling the drive on a reboot which just locks it again (that doesn't seem to be the case here though?).
You can get is OPAL Failed for multiple reasons, including just typing a wrong password. The current implementation just gives you a single try and then reboots, always.

Also, Secure Boot sadly isn't supported so yeah that needs to be turned off.

ungular commented Dec 6, 2023

> I don't think you need a TPM (we're talking about a Trusted Platform Module, right?) for this. Where did you find that written? First time I'm hearing it I think.

Yes, TPM 2.0.
I tried locking from Windows according to the manufacturer's instructions, but it seems that BitLocker doesn't work without TPM, hence I deduced that TPM is mandatory.

> So can you unlock the drive via sedutil in the terminal? Have you tried that? And just during the boot process with the PBA it doesn't work?

I'm able to unlock the SSD successfully via sedutil.
Also, for the initial setup all the commands run successfully. poweroff
At boot, the password prompt does not appear.
When I test again with linuxpba, it shows is OPAL Failed for the SSD via sedutil.

> Some systems apparently have issues with the boot process, for example some end up power-cycling the drive on a reboot which just locks it again (that doesn't seem to be the case here though?).

So I'm going to research this now.

Blacklands commented Dec 6, 2023

Oh yeah, BitLocker can work with Self-Encrypting Drives but it wants TPM I guess. Afaik the drives themselves don't need it, everything is done on the drive itself. And sedutil just sends commands to the drives and parses what comes back from them.

I probably can't help you further, sorry. :/ I haven't had any problem like this so far, personally. Good luck with your research!

don-dolarson commented Jan 4, 2024

I've just tried to set PBA up on my BIOS PC and a Kingston KC600 mSATA OPAL 2.0 drive using the RESCUE32 and BIOS32 images but couldn't get it to work by following the instructions here (which went smoothly btw), because of the problem below when booting the machine after powering it off. Tried this fork instead and the problem went away. RESCUE32 from this fork is slow, has glitches when issuing the linuxpba command, and the unpacked BIOS image takes less space for some reason. Maybe that's why I can't get it to work. Try the other fork.

SYSLINUX 6.03 EDD 2014-10-06 Copyright (C) 1994-2014 H. Peter Anvin et al
Failed to load ldlinux.c32
Boot failed: please change disks and press a key to continue.
