Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

PBA does not detect Samsung EVO 960 1TB NVMe in Dell XPS 9550 #120

Closed MisterMuezza closed 7 years ago

MisterMuezza commented 7 years ago

None of the PBAs from https://github.com/Drive-Trust-Alliance/exec detected my Samsung EVO 960 1TB NVMe in a Dell XPS 9550. The only drive visible was /dev/sda which is the USB I was booting off. I tried:

Surprisingly, the rescue image Rescue.img.gz Release 1.12 did detect the SSD as /dev/nvme0n1. As a workaround, I flashed the rescue image in the PBA and whenever powering on and I am running the required commands to unlock the drive manually:

sedutil-cli --setLockingRange 0 rw PASS /dev/nvme0n1
sedutil-cli --setMBRDone on PASS /dev/nvme0n1

eilersKevin commented 7 years ago

Unfortunately only devices adhering to the sdXn naming convention are currently found by the PBA and the 'sedutil-cli --scan' command although they can be modified by sedutil-cli if addressed directly. See issues #101 and #106.

MisterMuezza commented 7 years ago

@eilersKevin thanks for your feedback. I read through all of the issues including #101 and #106 and the issue in my case is not just that sedutil-cli --scan does not look for the NVMe under /dev/nvme0n1, it's that the device file /dev/nvme0n1 does not exist at all - I tried both ls /dev/nvme* and sedutil-cli --query /dev/nvme0n1.

eilersKevin commented 7 years ago

Oh OK, I thought it was just the filemask that limits the search both for --scan and the PBA to sdXn that was the culprit here.

jds7717 commented 7 years ago

I had this exact same experience on a Dell Precision 5520 with the Samsung 960 Pro 512GB. Did you ever find a solution?

MisterMuezza commented 7 years ago

@jds7717 As mentioned in the original description, I am using the Rescue image instead of the standard PBAs. The downside is that you have to manually type in the commands to unlock the drive every time you power on the laptop.

jds7717 commented 7 years ago

Ah... I didn't make that connection, thanks. Doesn't unlocking via the rescue image require you to enter your password on the command line?

MisterMuezza commented 7 years ago

It does and it's not ideal.

jojolepirate commented 7 years ago

In order to make nvme drive unlocking work in the PBA, two things have to be done:

  1. Merge with pull request #108 to enable nvme scan in sedutil and in the pba. Now the pba looks for all drives in /sys/block and tries to unlock them. But that's not enough as the PBA does not include the nvme driver in the kernel.
  2. Modify images/buildroot/PBA64/kernel.config and set CONFIG_BLK_DEV_NVME=y. Do the same for PBA32 if you are using the 32 bit version.

Now rebuild everything (pbaroot and LinuxPBA), build the UEFI image, and it should work.
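As an added illustration of the two points above and of eilersKevin's earlier remark about the sdXn filemask (this is example code written for this page, not the source of sedutil or the PBA): a name filter that only accepts whole-disk sd* names can never match an NVMe namespace such as nvme0n1, whereas enumerating /sys/block and also accepting nvme*n* names does find it. The exact patterns are my reading of the thread, not the project's code, and the /sys/block listing is a constructed sample. The second point still applies: a filter only sees nodes the kernel created, so without CONFIG_BLK_DEV_NVME=y nvme0n1 is absent however permissive the pattern is.

```python
import os
import re

# Name filter the thread says the original PBA and "sedutil-cli --scan" used:
# whole-disk SATA/SCSI names only (sda, sdb, ...). An NVMe namespace such as
# nvme0n1 can never match it, so the drive is simply never tried.
SD_ONLY = re.compile(r"^sd[a-z]+$")

# Widened filter: whole-disk sd* names plus NVMe namespaces (nvme0n1, nvme1n2).
# /sys/block lists whole devices only; partitions (sda1, nvme0n1p1) live below
# them and are not Opal targets, so they are deliberately not matched.
WHOLE_DISK = re.compile(r"^(sd[a-z]+|nvme\d+n\d+)$")


def candidate_devices(block_names, pattern=WHOLE_DISK):
    """Map names as listed under /sys/block to the /dev nodes worth probing."""
    return sorted("/dev/" + name for name in block_names if pattern.match(name))


def scan_sys_block(sys_block="/sys/block", pattern=WHOLE_DISK):
    """Enumerate a real /sys/block the way the patched PBA is described to.

    A filter can only find nodes the kernel created: without the NVMe driver
    in the PBA kernel (CONFIG_BLK_DEV_NVME=y) nvme0n1 is absent here no
    matter how permissive the pattern is.
    """
    try:
        names = os.listdir(sys_block)
    except FileNotFoundError:
        return []
    return candidate_devices(names, pattern)


# Constructed sample of a /sys/block listing resembling the laptop in this
# thread: an NVMe boot drive, a USB stick and the usual pseudo devices.
SAMPLE_SYS_BLOCK = ["loop0", "loop1", "nvme0n1", "ram0", "sda", "sr0"]

if __name__ == "__main__":
    print("sd-only filter :", candidate_devices(SAMPLE_SYS_BLOCK, SD_ONLY))
    print("widened filter :", candidate_devices(SAMPLE_SYS_BLOCK))
    print("this machine   :", scan_sys_block())
```

Run on the sample, the sd-only filter yields just /dev/sda (the USB stick the original poster saw), while the widened filter adds /dev/nvme0n1.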

jojolepirate commented 7 years ago

I have created a repo with the modifications from my previous post allowing NVME unlock in the PBA: https://github.com/jojolepirate/sedutil This repo contains built images in the Releases section (1.12-nvmepba). I am currently using the UEFI64 image from this repo to unlock my NVME boot drive. I hope it works for you guys!

deyab commented 7 years ago

@jojolepirate Thanks for the build. I have used it successfully for the following configuration: HP ZBook 17 G3 running Windows 10, Samsung 960 EVO. I have used 1.12.1-nvmepba. Testing the PBA wasn't of any use. If I use the PBA to boot, it just goes through messages real fast, so I wasn't sure if the PBA is going to work or not. But I tried it anyways, and it worked.

Steps:
  1. In BIOS I have secure boot disabled, but UEFI enabled.
  2. Have the PBA on the SSD (or another drive attached to the system).
  3. Boot from the Rescue image, do initial setup of the nvme drive which is recognized.
  4. Mount the drive to access the PBA (just copy to /root/). Used UEFI64_Release-1.12.1.img; I had it on a HDD attached to the laptop. So, like:
     mount -t ntfs /dev/sda2 /mnt/sda2
     copy UEFI64_Release-1.12.1.img to /root/
     umount /mnt/sda2
  5. Flash the said PBA to the nvme drive.
  6. Reboot. All done.

Thanks again! Hope this (or some other solution) gets merged to the master and makes life easier for so many people as nvme drives are becoming quite mainstream. My laptop even supports 2 nvme drives.

kylemanna commented 7 years ago

Thanks @jojolepirate I used your branch to start my own after I couldn't build easily. I ran into some problems with the sedutil-cli and linuxpba binary being linked against the system binaries and not using the buildroot toolchain. I was able to fix that in addition to using your changes to make NVMe work.

I can now boot my Dell Precision 5510 with Samsung EVO 960 1TB and see the drive via UEFI and the rescue image sees the drive.

Pre-built images: https://github.com/kylemanna/sedutil/releases/tag/1.12-nvmepba-docker

I'd like to explore breaking up my changes into changes that can be merged back into this upstream repo.

github6699 commented 7 years ago

Hi kylemanna,

I have a 960 Pro 1TB and I have been using your images, and the only drive being recognized is my Samsung 850 Pro when I do the scan command. It's the same result with either the rescue image or the PBA Debug: my Nvme is not recognized.

Could you be so kind as to walk me through the process? I have a new build and I am planning to have Win 10 ENT CB and Win 10 2016 LTSB installed on the 960 Pro, and on the 850 Pro I want to install Ubuntu; I would like to lock the SEDs. How would I go about doing this?

I am a bit of a noob when it comes to this and I do not understand why Samsung is making it so hard to utilize locking on SEDs.... I should have bought Crucial instead.. SOB..

Thanks in advance everyone for your help!

deyab commented 7 years ago

@github6699 try the @jojolepirate build. It worked for a 960 Evo nvme (not pro) card for me. See if the steps in my post help.

github6699 commented 7 years ago

Hi deyab

Let me try that. I will try to follow your instructions but I am lost on this step:

Flash the said PBA to the nvme drive

Any chance you have a blog where you have posted a noob guide for how to do this? I have a feeling I am not the only one, at the overclockers forum there are tons of people returning these drives because they do not support eDrive and tcg/opal is a PITA to implement... lol

I will reboot shortly and check back in and let you know if the drive is being detected

deyab commented 7 years ago

@github6699 "Flash the said PBA to the nvme drive": I mean this step: sedutil-cli --loadPBAimage <password> <pbafilename> <drive>

Here is some copypasta + some explanations from my notes. Hopefully the notes are helpful for you, but basic linux mounting and copy skills are required. If you need explanation, let me know.

Used the release from https://github.com/jojolepirate/sedutil (release 1.12.1-nvmepba).
Write Rescue-1.12.1.img to USB and boot from it (I used dd in linux; you can use that or Win32DiskImager in windows).
Have UEFI64_Release-1.12.1.img in the SSD or HDD (i.e. whatever drive you have in the machine).

Read the wiki: https://github.com/Drive-Trust-Alliance/sedutil/wiki. Understand that you are using software that is barely alpha quality (this fork). Have a complete backup before going any further.

In the following notes, /dev/nvme is my nvme ssd, /dev/sda is an additional HDD I have in the laptop. If your nvme is the only drive, that is fine. Just copy the PBA somewhere in the unencrypted nvme drive before you start. The basic idea is this: We have a) the rescue image and b) the PBA image. We boot from the rescue, and then somehow need access to the PBA image to flash it to the nvme drive. So we:
  1. copy the PBA to the nvme drive as a regular file
  2. Boot from the rescue image in the USB; check that nvme drive is detected as opal capable
  3. mount the nvme to copy the PBA to the USB drive; unmount the nvme
  4. flash the PBA to the nvme

Booted from USB (with the rescue image), test:
# sedutil-cli --scan
should see 960 EVO as opal capable; if not, stop. This is not working
# sedutil-cli --query /dev/nvme0n1
take note of the flags & drive status

Set up the drive:
# sedutil-cli --initialsetup <password> /dev/nvme0n1

Since it is our boot drive:
# mount -t ntfs /dev/sda2 /mnt/sda2
copy UEFI64_Release-1.12.1.img to /root/
# cp /mnt/sda2/<wherever_you_have_the_PBA_image> /root
# umount /mnt/sda2
# cd /root/
# sedutil-cli --loadPBAimage <password> UEFI64_Release-1.12.1.img /dev/nvme0n1
# sedutil-cli --setMBREnable on <password> /dev/nvme0n1

Enable locking:
# sedutil-cli --enableLockingRange 0 <password> /dev/nvme0n1
# poweroff

You should get a password prompt on the next boot. If something got borked, please see the wiki on how to use the rescue image to roll back the changes.

cristim commented 7 years ago

For me using the rescue image was cumbersome, because it doesn't have the ability to mount USB devices, not even if the PBA image file was written on the same USB stick so I couldn't get the PBA image available to sedutil-cli running from the rescue image.

But I noticed that if you boot off a USB stick written with the PBA image itself, and enter an incorrect password when asked to decrypt the drive, you are dropped into a root shell which works much as the rescue image. The PBA can also mount USB devices, so that's how I managed to load the PBA image onto my drive.

cristim commented 7 years ago

One thing I forgot to mention, on my Dell e7270 laptop the PBA image flashed to my 960 EVO SSD fails to properly load the bootloader menu and drops to an interactive syslinux shell where I always need to enter the initrd and additional kernel command options manually, which is a PITA. This doesn't happen if I boot from a USB stick containing the same PBA image. Once I enter this correctly the PBA boots and unlocks the drive as expected. For now I am using a USB stick containing the PBA which just works, but I would like to fix it if possible.

I suspect I have an error in the default UEFI boot menu entry, and I don't know how it should be configured. Did anyone notice this issue?

Later edit: the PBA boot can be fixed by adding a UEFI boot entry for it while the drive is locked, and making it the first boot option. When the drive is unlocked the PBA won't be available so this entry will silently fail and the second UEFI boot menu item will load the UEFI bootloader from the unlocked drive.

github6699 commented 7 years ago

@deyab

Your write up was EXTREMELY helpful.

I got this to finally work but there are some issues I encountered.

First of all, let me start by explaining why it took me so long to get back to you.

As you know, I just made a new build. It's an X99 Deluxe U3.1 MB, 64GB RAM, 5820K CPU and GTX1080 in SLI with a 960 Pro 1TB nvme, 850 Pro 512GB SSD and a 1TB HDD. This is a gaming, video, photo, 3D CAD rig loaded to the tits with goodies.

It took me a while to setup a triple boot on the 960 Pro with Windows 10 ENT CB for Gaming, Win 10 ENT 2016 LTSB for Business and Ubuntu latest for Linux. For anyone out there trying this setup, do yourself a favor and remove the Nvidia Pascal card(s) and use the on-board graphics (in my case the Asus X99 does not have one, so I used an old 750 Nvidia card). I then partitioned the 960 Pro: 512 GB for Gaming Win 10, 256 GB for Business Win 10 LTSB and 256 GB for Ubuntu Linux. I installed the two Windows versions first and last I installed Ubuntu; this way the GRUB boot loader did a nice job of the triple boot selection menu at startup. In Ubuntu load the latest Nvidia 1080 drivers, power off, put back the 1080 Nvidia SLI and no more issues with Ubuntu and Nvidia 1080 cards.

Once my hardware and OS were working great, I then started fiddling with deyab instructions above to lock the 960 Pro.

I made three USB thumb drives with the PBA, PBA Debug and Rescue images.

Following deyab's guide, the first issue I encountered with the Rescue image was that after performing the scan command, the 960 Pro was not detected; only the 850 Pro (opal capable), the 1TB HDD (not opal capable) and the USB drive were detected. Being the stubborn SOB that I am, I did not give up.

Next, I decided to use the PBA Debug image, I booted, entered a bogus password, the PBA Debug then did an automatic scan (I did not enter any scan commands) and listed all my drives.

Drive /dev/sda not supported (by the way, this drive in Ubuntu is sda1.. not sure why it named it sda)
Unlocking /dev/sdb Failed
Unlocking /dev/nvme0 Failed

I clicked enter and then went into root. I did the scan command and still nothing, the nvme did not show up BUT it did show up on the automatic scan above! So, I tried to use the PBA Debug to continue with deyab instructions but I found the PBA Debug did not allow me to mount! Crap.

So I decided to reboot and use the Rescue image, ignoring the fact that the scan command did not show the nvme. I went through with all the steps in deyab's guide, mounting was allowed in the rescue image and, lo and behold, IT WORKED!!!

I am now greeted with the password prompt after a power off and on only of course, enter the password, unlock the nvme, boots into GRUB and voila triple boot. If I reset the computer, the password prompt does not show, it only happens when I power off and power on.

Now, I have some questions.

Why doesn't the scan command recognize the 960 Pro nvme, but it does recognize the 960 EVO?

The 850 Pro SSD is Opal. If I want to lock it, how would that work in my case above after locking the 960 Pro? What would the boot up look like? Where would it ask me to unlock the 850 Pro?

The 1TB HDD is not Opal, but I have TPM2 on my Asus X99; can I use Bitlocker on the 1TB and store the keys in the TPM2? Will this cause issues with the setup?

If I secure erase the 960 Pro to reinstall my triple boot setup fresh (since I played so much with this triple boot, I want to do a fresh install now that I know the process and start nice and clean), will the 960 Pro go back to factory default including the sedutil changes I made, or do I need to do a PSIDrevert instead? What's the safest, cleanest way to start from scratch?

A big thank you to all of you, hopefully sedutil can get to a state that will be easy to be used by the common folk and make locking of SEDs easy and intuitive in the future!

Thanks in advance,

Any questions, let me know.

Regards,

github6699 commented 7 years ago

Oh, by the way, either one of my Win 10 partitions gets the light blue screen of death after coming out from sleep mode....

@kylemanna , were you able to figure out a solution, or do you use hibernation instead of sleep as a workaround for now?

I wonder if I use kylemanna builds if this might solve the sleep issue and get another testing data point to try to solve the S3 sleep mystery :)

I tried Hibernate... oh man... that is not a good workaround... the whole process takes forever, it asks for the password at unlock SED, grub boot menu, select Windows and it skips which Win 10 version I want and goes to the one I had open before going into Hibernation... this process is brutally long... Sleep support, especially if you are on a laptop, is a MUST for sedutil... Yikes...

kylemanna commented 7 years ago

I'd love to know what caused mine to work as well. Linux threw FS errors and Windows Blue screened until I started to hack together a small C program to call ioctl(IOC_OPAL_SAVE) in the Linux 4.11 kernel. Perhaps it had a side effect of configuring something?

When I reviewed the code, it seemed that the IOC_OPAL_SAVE call would just persist my password (or pbkdf derived hash) in memory to later submit it to the drive to unlock it. The drive always asks for a password as expected at power on and shows the correct lock status with sedutil-cli --query.

So, I have no idea how my setup works and am skeptical that perhaps it's not locked at all other than the PBA making an appearance (and how does my dual boot Win10 work!?). I wrote up a post on my blog detailing what little else I know for those brave enough to read my rambling.

I'll try to clean up the hacked-together C program that issued the IOC_OPAL_SAVE function, but it's a mess and requires you to extract the derived hash from sedutil-cli using gdb, so I'm not sure how approachable that is.

kylemanna commented 7 years ago

Does anyone know where the formal TCG Opal spec is that documents expected S3 behavior?

kylemanna commented 7 years ago

For my own sanity here's the output of the query command after waking my laptop up to Linux after being in a sleep state for a few hours:

/dev/nvme0n1 OTHER Samsung SSD 960 EVO 1TB                  2B7QCXE7     
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x0, Reverted PIN = 0x0, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N

TPer Properties: 
  MaxComPacketSize = 66048  MaxResponseComPacketSize = 66048
  MaxPacketSize = 66028  MaxIndTokenSize = 65540  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1  MaxAuthentications = 5
  MaxSessions = 1  MaxTransactionLimit = 1  DefSessionTimeout = 0

Host Properties: 
  MaxComPacketSize = 2048  MaxResponseComPacketSize = 2048
  MaxPacketSize = 2028  MaxIndTokenSize = 1992  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1
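
deyab's notes say to take note of the flags and drive status from sedutil-cli --query, and the output above shows what that looks like for the 960 EVO. As an added example (written for this page, not part of the thread and not sedutil's code), here is a small parser for the "function" sections of that output together with a summary of the Locking flags. The sample is abridged from the output posted above; the "configured" summary simply checks the two settings deyab's --enableLockingRange and --setMBREnable steps turn on, which is my reading of the procedure rather than anything the tool defines.

```python
import re

# Abridged from the sedutil-cli --query output posted in this thread
# (header plus the function sections; the properties tables are left out).
SAMPLE_QUERY = """\
/dev/nvme0n1 OTHER Samsung SSD 960 EVO 1TB                  2B7QCXE7
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x0, Reverted PIN = 0x0, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N
"""

# "<Name> function (0xNNNN)" section headers.
SECTION_RE = re.compile(r"^(\S.*?) function \((0x[0-9a-fA-F]+)\)\s*$")
# "Key = Value" pairs; a value runs until the next ", " or ". " separator
# (the TPer line in the real output mixes both) or the end of the line.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*([^,.]+?)(?=\s*[,.]\s|\s*$)")


def parse_query(text):
    """Return {'device': '/dev/...', 'functions': {section: {key: value}}}."""
    result = {"device": None, "functions": {}}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("/dev/"):
            result["device"] = line.split()[0]
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            result["functions"][current] = {}
            continue
        if current and raw.startswith(" "):
            for key, value in PAIR_RE.findall(line.strip()):
                result["functions"][current][key.strip()] = value.strip()
    return result


def locking_state(query):
    """Summarize the Locking function flags a reader of this thread cares about.

    'configured' means LockingEnabled and MBREnabled are both Y, the two
    settings the setup steps in this thread turn on; 'locked' is the drive's
    current Locked flag; 'mbr_done' mirrors MBRDone.
    """
    lock = query["functions"].get("Locking", {})

    def yes(flag):
        return lock.get(flag) == "Y"

    return {
        "supported": yes("LockingSupported"),
        "configured": yes("LockingEnabled") and yes("MBREnabled"),
        "locked": yes("Locked"),
        "mbr_done": yes("MBRDone"),
    }


if __name__ == "__main__":
    q = parse_query(SAMPLE_QUERY)
    print(q["device"], locking_state(q))
```

Feeding the block the posted output reports the drive as supported and configured but not currently locked, which is exactly the state the comment above is puzzling over after the S3 wake.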

kylemanna commented 7 years ago

Only possible explanations for now non-existent S3 issues:

  1. When I performed operations on /dev/nvme0n1 vs /dev/nvme0 something different happens on the drive, perhaps a cached key? I did this to enable the SED NVMe support in the Linux kernel.
  2. My Dell UEFI is maintaining power to the drive somehow (I haven't updated/downgraded my UEFI firmware). I'd expect other Dell Precision 5510/5520 and XPS 9550/9560 to behave the same.
  3. The IOC_OPAL_SAVE had a side effect of setting some non-volatile bits on the drive that enable it to unlock from both Win10 and Linux.
  4. The drive isn't locked despite the PBA showing up at power-on

Would love to find a concrete answer as I think it'll help others as well as add sanity to my mysterious "success".

If my memory serves me correctly, (1) wouldn't make sense as my hacked C IOC_OPAL_SAVE program was wrong for several attempts while I dug through the sedutil to learn how to derive the key/hash from the passphrase I submitted. Each time the kernel would print a message and the system would be inaccessible as the drive was locked.

cristim commented 7 years ago

@kylemanna I also used /dev/nvme0n1 but for me it doesn't seem to work on my Dell E7270.

As for the specs, I couldn't find anything about S3 there, but this is the kernel patch which is said to implement the S3 support: http://lkml.iu.edu/hypermail/linux/kernel/1612.2/01632.html

kylemanna commented 7 years ago

Here's the C code to issue the command: https://github.com/kylemanna/opalctl

You'll need to extract your hashed password from sedutil-cli for now and substitute it into the source.

kylemanna commented 7 years ago

Before entering sleep on Linux, run dmesg -w in a terminal so that you can read the output when it wakes and read the error messages.

cristim commented 7 years ago

@kylemanna I'm now playing with nvme-cli, which has an unmerged patch that adds support for OPAL: https://github.com/cristim/nvme-cli/tree/sed-opal

kylemanna commented 7 years ago

The nvme-cli path looks to be a much better path forward but it looks quite incomplete. It's not hashing the user password which likely makes the resulting key very weak. The sedutil-cli uses PBKDF to strengthen the password.

Also, since sedutil-cli is hashing and nvme-cli doesn't appear to be hashing, then you'll need to find a separate PBA to unlock the drive as using the tools with the same user password will derive different keys.

I'm watching nvme-cli development with enthusiasm for a better path forward for 4.11 and new Linux kernels.

cristim commented 7 years ago

I agree, but the key could be hashed to match the one used by the sedutil/PBA before being passed to nvme-cli, like for example we could generate it using a tool like grub-mkpasswd-pbkdf2 or whatever other tool may be able to generate PBKDF hashes.

kylemanna commented 7 years ago

It absolutely should be hashed.
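The point in the last few comments is that the credential the drive checks is whatever bytes the host tool sends, so two tools only interoperate if they stretch the password identically. As an added example (written for this page; not sedutil's or nvme-cli's code), the block below derives a key with PBKDF2-HMAC-SHA1 and contrasts it with the unhashed path. The parameters (SHA1, 75000 iterations, 32-byte output, the drive serial number padded to 20 bytes as salt) are my understanding of sedutil's derivation and are an assumption here, not something this thread states; check them against the sedutil source before relying on them. The password and serial number used are constructed.

```python
import hashlib
import hmac

# Assumed parameters (see lead-in): PBKDF2-HMAC-SHA1, 75000 iterations,
# 32-byte key, salt = drive serial number padded/truncated to 20 bytes.
ITERATIONS = 75000
KEY_LEN = 32
SALT_LEN = 20


def serial_salt(serial):
    """Pad or truncate the serial string to the fixed salt length."""
    raw = serial.encode("ascii")
    return raw[:SALT_LEN].ljust(SALT_LEN, b"\x00")


def derive_key(password, serial, iterations=ITERATIONS, key_len=KEY_LEN):
    """Stretched credential, as a hashing tool like sedutil-cli would send it."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               serial_salt(serial), iterations, key_len)


def raw_key(password):
    """Unstretched credential: what a tool that skips hashing sends."""
    return password.encode("utf-8")


def keys_match(password, serial, tool_a, tool_b):
    """Would two tools present the same credential for this password/drive?

    Each tool is a callable (password, serial) -> bytes; the comparison is
    constant-time and returns False for differing lengths.
    """
    return hmac.compare_digest(tool_a(password, serial), tool_b(password, serial))


if __name__ == "__main__":
    password, serial = "correct horse battery", "S1ZNX0J9EXAMPLE"  # constructed
    print("stretched :", derive_key(password, serial).hex())
    print("raw       :", raw_key(password).hex())
    print("same tool agrees:", keys_match(password, serial, derive_key, derive_key))
    print("hashed vs raw   :", keys_match(password, serial, derive_key,
                                          lambda p, s: raw_key(p)))
```

Because the salt is tied to the serial number, the same passphrase yields a different credential on every drive, and a tool that sends the raw password can never unlock a drive that was set up with the stretched one (or vice versa); that is the mismatch the comments above describe.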

github6699 commented 7 years ago

I tried to replicate kylemanna S3 sleep success to no avail. The sleep issue still persists... the images with docker support work great, nice and clean boot and it locks the drive properly. The only thing I did different was to use the rc3 latest kernel and I used the /dev/nvme0n1 this time around. S3 is still a huge issue... not so much for me since I use a desktop but on a laptop... oh man... what a PITA!

I'll keep an eye on the development, hopefully you gurus will be able to get this great project to a stable release. It's getting there.... :)

r0m30 commented 7 years ago

OK, this thread covers several different topics:

NVMe Support: V1.15 should resolve this in both sedutil-cli and the PBA.

S3 Support: S3 is documented as unsupported; you can use hibernate, but some people won't. Newer Linux kernels do appear to have S3 resume support for NVMe OPAL SEDs but I have not had time to test it and figure out what I need to do to support it.

Password hashing: There is an option to not hash the password in sedutil, it's "-n".

I'm closing this. I'd be open to an issue requesting implementation of the Kernel S3 support (ETA unknown).