ChubbyAnt / sedutil

SEDutil: For Intel and AMD Ryzen Systems
https://sedutil.com

No password prompt on reboot after locking SSD(Crucial MX500) with sedutil-cli, Error: is OPAL Failed. #59

Open ungular opened 10 months ago

ungular commented 10 months ago
Blacklands commented 10 months ago

The MX500 definitely works with sedutil, I've been using multiple of them in multiple systems for years. I assume you're trying to boot from it using the Shadow MBR and the PBA image? That should work fine, although it seems that some hardware configurations (motherboard and its BIOS mostly?) might have issues with that?

Also, if you want to completely reset your drive and start over, try PSID reverting it (this should erase all your data, be aware of that!).

ungular commented 10 months ago

> The MX500 definitely works with sedutil, I've been using multiple of them in multiple systems for years. I assume you're trying to boot from it using the Shadow MBR and the PBA image? That should work fine, although it seems that some hardware configurations (motherboard and its BIOS mostly?) might have issues with that?
>
> Also, if you want to completely reset your drive and start over, try PSID reverting it (this should erase all your data, be aware of that!).

Loading PBA as follows:

```
gunzip /usr/sedutil/UEFI64-1.15.img.gz
#sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-1.15.img /dev/drive
```

How should the BIOS be configured? Now it's UEFI, secure boot: Off

What if I skip this command, setlockingrange 0 lk...?

ungular commented 10 months ago

  1. locked with sedutil-cli
  2. reboot -> no password prompt
  3. open again sedutil -> run: `sedutil-cli --query` -> result: `Locking function (0x0002) Locked=Y, LockingEnabled=Y, LockingSupported=Y, MBRDone=N, MBREnabled=Y, MBRAbsent=N, MediaEncrypt=Y`
  4. run linuxpba: is OPAL Failed
  5. poweroff result : ...unmount: devtmpfs busy - remounted read-only unmount: can't unmount /: Invalid argument...
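
Added example, not part of the thread or of the sedutil project: a POSIX shell helper that decodes the `Locking function` line of `sedutil-cli --query` as quoted in the comment above. The function names and state labels are made up for this illustration; reading `MBREnabled=Y` with `MBRDone=N` as "shadow MBR presented to the host" follows TCG Opal behaviour.

```shell
#!/bin/sh
# Decode the "Locking function (0x0002)" flags printed by `sedutil-cli --query`.
# Accepts both "Flag=Y" and "Flag = Y" spellings.

# Print the Y/N value of one flag ($2) found in the line ($1), or nothing.
flag() {
    printf ' %s\n' "$1" | sed -n "s/.*[ ,]$2[ ]*=[ ]*\([YN]\).*/\1/p"
}

# Map the four flags discussed in the thread to a state label (hypothetical names).
locking_state() {
    line=$1
    enabled=$(flag "$line" LockingEnabled)
    locked=$(flag "$line" Locked)
    mbr_en=$(flag "$line" MBREnabled)
    mbr_done=$(flag "$line" MBRDone)

    [ -n "$enabled" ] && [ -n "$locked" ] && [ -n "$mbr_en" ] && [ -n "$mbr_done" ] \
        || { echo "unparsed"; return 2; }

    if [ "$enabled" = N ]; then
        # Locking SP never activated: the drive behaves like a plain disk.
        echo "locking-not-activated"
    elif [ "$mbr_en" = Y ] && [ "$mbr_done" = N ]; then
        # Shadow MBR is mapped in: the host reads the PBA image, not user data.
        if [ "$locked" = Y ]; then
            echo "pba-presented-locked"
        else
            echo "pba-presented-unlocked"
        fi
    elif [ "$locked" = Y ]; then
        # Range is locked but no shadow MBR is shown, so no PBA can prompt.
        echo "locked-no-shadow-mbr"
    else
        echo "unlocked"
    fi
}

# Query line exactly as quoted in the thread.
sample='Locking function (0x0002) Locked=Y, LockingEnabled=Y, LockingSupported=Y, MBRDone=N, MBREnabled=Y, MBRAbsent=N, MediaEncrypt=Y'
locking_state "$sample"
```

For the line from this thread it prints `pba-presented-locked`, which is the state a configured drive is in after a power cycle.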

ungular commented 10 months ago

It seems that the motherboard does not support TPM; a relevant error message would be welcome here.

Blacklands commented 10 months ago

I don't think you need a TPM (we're talking about a Trusted Platform Module, right?) for this. Where did you find that written? First time I'm hearing it I think.

So can you unlock the drive via sedutil in the terminal? Have you tried that? And just during the boot process with the PBA it doesn't work?

Some systems apparently have issues with the boot process, for example some end up power-cycling the drive on a reboot which just locks it again (that doesn't seem to be the case here though?). You can get is OPAL Failed for multiple reasons, including just typing a wrong password. The current implementation just gives you a single try and then reboots, always.

Also, Secure Boot sadly isn't supported so yeah that needs to be turned off.

ungular commented 10 months ago

> I don't think you need a TPM (we're talking about a Trusted Platform Module, right?) for this. Where did you find that written? First time I'm hearing it I think.

Yes, TPM 2.0. I tried locking from Windows according to the manufacturer's instructions, but it seems that BitLocker doesn't work without TPM, hence I deduced that TPM is mandatory.

> So can you unlock the drive via sedutil in the terminal? Have you tried that? And just during the boot process with the PBA it doesn't work?

I'm able to unlock the SSD successfully via sedutil. Also, for the initial setup all the commands run successfully. Poweroff; at boot, the password prompt does not appear. When I test again with linuxpba, it shows is OPAL Failed for the SSD via sedutil.

> Some systems apparently have issues with the boot process, for example some end up power-cycling the drive on a reboot which just locks it again (that doesn't seem to be the case here though?).

So I'm going to research this now.

Blacklands commented 10 months ago

Oh yeah, BitLocker can work with Self-Encrypting Drives but it wants TPM I guess. Afaik the drives themselves don't need it, everything is done on the drive itself. And sedutil just sends commands to the drives and parses what comes back from them.

I probably can't help you further, sorry. :/ I haven't had any problem like this so far, personally. Good luck with your research!

don-dolarson commented 9 months ago

I've just tried to set PBA up on my BIOS PC and a Kingston KC600 mSATA OPAL 2.0 drive using the RESCUE32 and BIOS32 images but couldn't get it to work by following the instructions here (which went smoothly btw), because of the problem below when booting the machine after powering it off. Tried this fork instead and problem went away. RESCUE32 from this fork is slow, has glitches when issuing the linuxpba command, and the unpacked BIOS image takes less space for some reason. Maybe that's why I can't get it to work. Try the other fork.

```
SYSLINUX 6.03 EDD 2014-10-06 Copyright (C) 1994-2014 H. Peter Anvin et al
Failed to load ldlinux.c32
Boot failed: please change disks and press a key to continue.
```