Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

NVME Security Command Error:8194 with Samsung 950 PRO M.2 #206

Closed RichardH-AS closed 6 years ago

RichardH-AS commented 6 years ago

$ sudo ./sedutil-cli -v --scan
Scanning for Opal compliant disks
NVME Security Command Error:8194
/dev/nvme0 No  Samsung SSD 950 PRO 512GB                2B0QBXX7

.... Likewise:

$ sudo ./sedutil-cli -v -v --query /dev/nvme0n1
NVME Security Command Error:8194
Invalid or unsupported disk /dev/nvme0n1

I had the same error with the original firmware (version 1B0QBXX7), but Samsung confirmed that I needed the new version to add OPAL support to this drive, so I upgraded it.

Compiled sedutil from current clone of source tree on Ubuntu 17.10.1. Motherboard: ASRock X370 Taichi. SSD in the M2_1 (PCIe gen3) port.

noguespi commented 6 years ago

@RichardH-AS I have the exact same issue. Firmware is at the latest version too. Ubuntu 16.04 + Asus Maximus GENE VIII.

I did check with Samsung Magician on Windows and it doesn't detect TCG OPAL either, only class 0 (BIOS ATA password).

I think 950 pro doesn't support TCG OPAL but only 960 pro...

noguespi commented 6 years ago

I have more information: TCG OPAL is not supported and it won't be. Source: http://downloadcenter.samsung.com/content/UM/201711/20171115102900034/Samsung_SSD_950_PRO_Data_Sheet_Rev_1_2.pdf

The plan to provide a firmware update to enable TCG/OPAL and IEEE1667 has been put on hold due to the currently very restricted availability of commercial security software.

The disk has the ability to support it but Samsung won't update the firmware.

RichardH-AS commented 6 years ago

I just talked to Samsung again, and they reconfirmed that the 950 PRO supports OPAL (specifically version 2) with the latest firmware.

@noguespi Thanks for commenting. It appears the data sheet you quoted is out of date (from June 2016). I am surprised that Samsung Magician is not detecting OPAL, however. I don't have the means of running that myself. You are sure you have firmware version 2B0QBXX7 installed?

noguespi commented 6 years ago

Yes I have 2B0QBXX7 firmware

./nvme list
Node             SN                   Model                                    Namespace Usage                      Format           FW Rev  
---------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- --------
/dev/nvme0n1     S2GMNX0H917657V      Samsung SSD 950 PRO 512GB                1         297,23  GB / 512,11  GB    512   B +  0 B   2B0QBXX7

I don't think the new firmware provides TCG support. I will receive a 960 pro soon; I will check this one too using the same OS/hardware.

paulentzel commented 6 years ago

Try this command: nvme security-recv /dev/nvme0n1 --secp=0 --spsp=0 --nssf=0 --size=16 --al=16

If the drive supports security receive (which it must to support Opal) it will return a list of supported security protocols. Byte 7 is the number of protocols, and the list of protocols starts at byte 8. The first protocol must be 0. If it supports TCG Opal, the list will include protocols 0x01 and 0x02.

noguespi commented 6 years ago

# ./nvme version
nvme version 1.5.103.gb1ce
# ./nvme security-recv /dev/nvme0n1 --secp=0 --spsp=0 --nssf=0 --size=16 --al=16
NVME Security Receive Command Success:0
       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0000: 00 00 00 00 00 00 00 02 00 ef 00 00 00 00 00 00 "................"

paulentzel commented 6 years ago

Yeah, that's not Opal. The 0xef protocol is a vendor specific protocol created by Samsung. It's a lot less complicated than Opal. So if Samsung is willing to share it with you then you will be able to control the encryption directly with nvme security-send and security-recv commands similar to the one you used to get this list.
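The check paulentzel describes, written out as an added example (not part of the thread, and not sedutil or nvme-cli code): it parses the hex dump that `nvme security-recv` prints and applies the "0x01 and 0x02 in the list" test to the 950 PRO dump above and the 960 PRO dump posted later in this thread. The function names are made up for illustration, and the list length is read from bytes 6-7 as a big-endian value, of which byte 7 is the low byte.

```python
import re

# Dumps copied from the two `nvme security-recv` runs posted in this thread.
DUMP_950_PRO = """NVME Security Receive Command Success:0
       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0000: 00 00 00 00 00 00 00 02 00 ef 00 00 00 00 00 00 "................"
"""
DUMP_960_PRO = """NVME Security Receive Command Success:0
       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0000: 00 00 00 00 00 00 00 04 00 01 02 ef 00 00 00 00 "................"
"""

# One dump row: 4-digit hex offset, colon, then space-separated hex bytes.
ROW = re.compile(r"^([0-9a-f]{4}):((?: [0-9a-f]{2})+)", re.IGNORECASE)

def parse_dump(text):
    """Rebuild the raw response bytes from nvme-cli's hex dump rows."""
    buf = bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # status line, column header, blank line
        if int(m.group(1), 16) != len(buf):
            raise ValueError("dump rows are not contiguous")
        buf += bytes.fromhex(m.group(2))
    return bytes(buf)

def supported_protocols(buf):
    """Return (protocol list, truncated?) from a protocol-0 response."""
    if len(buf) < 8:
        raise ValueError("response shorter than the 8-byte header")
    count = int.from_bytes(buf[6:8], "big")  # byte 7 is the low byte
    listed = list(buf[8:8 + count])
    return listed, len(listed) < count  # truncated if --size/--al was too small

def check_opal(dump_text):
    """Apply the thread's test: protocol 0 first, and 0x01 and 0x02 listed."""
    protos, truncated = supported_protocols(parse_dump(dump_text))
    return {
        "protocols": [f"0x{p:02x}" for p in protos],
        "truncated": truncated,
        "tcg_opal_protocols": bool(protos) and protos[0] == 0
                              and {0x01, 0x02} <= set(protos),
    }

if __name__ == "__main__":
    for name, dump in (("950 PRO", DUMP_950_PRO), ("960 PRO", DUMP_960_PRO)):
        print(name, check_opal(dump))
```

A `truncated` result of `True` means the drive reported more protocols than fit in the returned buffer, so the command should be repeated with larger `--size` and `--al` values before drawing a conclusion.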

RichardH-AS commented 6 years ago

@noguespi @paulentzel I get the same response (except that I have nvme version 1.3). That is weird; I wonder why Samsung keeps telling me it supports OPAL when it does not! (I even was put on hold while the rep verified that the new firmware version would add OPAL support to the SSD.) Might they have a version of the firmware that has not been released that does? Rather than just calling again, I'll file a support case on-line with Samsung and see if I get a more useful response.

RichardH-AS commented 6 years ago

I ended up calling Samsung again, because the support website had an error preventing my submission. This time I was told OPAL is not supported, and the only self-encrypting drive option is a Class 0 password set through BIOS, and the new firmware is only for hardware compatibility, and that a future firmware upgrade would add OPAL support. So, Samsung gave wrong information 2 out of 3 times. I would have had a better chance getting a correct answer at first by flipping a coin!

noguespi commented 6 years ago

Received the Samsung 960 pro. TCG OPAL is detected on Magician and via nvme-cli, looks like it will work with sed-util too (not tested yet):

$ ./nvme version
nvme version 1.5.103.gb1ce
$ sudo ./nvme list
Node             SN                   Model                                    Namespace Usage                      Format           FW Rev  
---------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- --------
/dev/nvme0n1     S3EWNX0J614070E      Samsung SSD 960 PRO 512GB                1         512,11  GB / 512,11  GB    512   B +  0 B   4B6QCXP7
$ sudo ./nvme security-recv /dev/nvme0n1 --secp=0 --spsp=0 --nssf=0 --size=16 --al=16
NVME Security Receive Command Success:0
       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0000: 00 00 00 00 00 00 00 04 00 01 02 ef 00 00 00 00 "................"
$ sudo ./sedutil-cli --scan
Scanning for Opal compliant disks
/dev/nvme0  2  Samsung SSD 960 PRO 512GB                4B6QCXP7
/dev/sda   12  Samsung SSD 850 EVO 1TB                  EMT02B6Q
/dev/sdb   No   
No more disks present ending scan
$ sudo ./sedutil-cli -v -v --query /dev/nvme0n1

/dev/nvme0n1 NVMe Samsung SSD 960 PRO 512GB                4B6QCXP7 S3EWNX0J614070E     
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x0, Reverted PIN = 0x0, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N

TPer Properties: 
  MaxComPacketSize = 66048  MaxResponseComPacketSize = 66048
  MaxPacketSize = 66028  MaxIndTokenSize = 65540  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1  MaxAuthentications = 5
  MaxSessions = 1  MaxTransactionLimit = 1  DefSessionTimeout = 0

Host Properties: 
  MaxComPacketSize = 2048  MaxResponseComPacketSize = 2048
  MaxPacketSize = 2028  MaxIndTokenSize

hotchkiss87 commented 6 years ago

I can confirm that sedutil works with the Samsung 960 pro and 960 evo. I have been using it for a while.

For the Dell-type Samsung drives, the PM961 does not support it, but the SM961 will.

I doubt Samsung will spend too much time on the 950 series. I believe they are working on a 970/980 series, so that's two generations old now.

ShuaiTony commented 5 years ago

Hello @noguespi, are you trying to send commands to the nvme device? I see that it is not implemented in software (test at Windows). I will be very grateful if anyone has made it.