Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

dell latitude E7450 E7250 drive power cycle during reboot #287

Closed mathew-dev closed 3 years ago

mathew-dev commented 5 years ago

dell latitude E7450 and E7250

Question: Does anyone have a solution that can allow sedutil to chain-load a UEFI bootloader after AUTH, or some other way to accomplish the next stage of boot without the reboot?

Problem: sedutil will not work properly on these model laptops, which are arguably the most common business laptops in use over the past few years.

sedutil in UEFI mode installs successfully; the device boots to the PBA, and after successful AUTH the drive is unlocked, then the machine soft reboots (warm boot).

During the warm boot process the power to the drive is cycled and the drive locks, resulting in an endless loop of rebooting to the PBA.

Research and alternatives: I have confirmed with dell that this is due to an engineering (feature, flaw, mistake?). These 2 models share a common engineering platform that cycles power to the drive when rebooted.

The device has a BIOS setting that supports a password bypass during reboot; however, this only affects the system, user and HDD password features. The drive power is still cycled, resulting in the drive being locked and the shadow MBR being exposed.

"Dell Data Protection | Security tools" both personal (standalone) and enterprise (server hosted) versions, are able to activate and manage the SED feature of TCG/opal compliant drives on this E7450 platform. Their PBA solution is built on a Windows PE image, and after AUTH it seems to chainload the windows UEFI bootloader. This product makes the device usable with the SED feature enabled, however remote reboot is obviously not viable because of the power cycle to the drive that happens during reboot. I guess that is better than nothing.

Dell Data Protection | Security Tools was deprecated due to an exploit of a backdoor that was found in the software, approximately version 8.5.

The software has been replaced by Dell Encryption which still has both personal and enterprise editions, this newer solution is a dual layer encryption system comprised of a newer version of Dell Data Protection | Security Tools version 10 to manage the SED feature, along with software encryption that has really cool compliance policy support, to ensure everything is just as encrypted as you want it to be.

If you want to use the new version of Dell Data Protection | Security Tools you can extract it from the Dell Encryption installer using the personal edition installation guide. The install file you are looking for will be named dell encryption management agent, and it can function standalone without the Dell Encryption Software. If you want to use the second layer software encryption you will need to obtain a license key from dell for about $30.

As much as this is a workable solution, most Dell products are designed to be enterprise managed, which inherently means there are administrative back doors, and even though Dell has publicly stated they are against the idea of backdoors in software, they still had them.

I have also tested WinMagic SecureDoc 8.5 in UEFI mode, which has a very robust set of configurable features and will work on the E7450 to manage the SED features of the drive. They use a Linux-based PBA image that chainloads the next bootloader after authentication; this can be configured to chainload just about any OS bootloader, multi-bootloader, or any other bootloader you got. I feel that solution is likely to be more secure than the solution from Dell; however, it is still a product that has both standalone and centrally managed versions, meaning that they probably share a common code base with some features hidden or configured differently between the 2 versions. Centrally managed software is obviously designed to be centrally managed and inherently will have some type of remote management that increases the attack surface. This solution also supports Secure Boot after install.

sedutil is a standalone, open source, simple and transparent solution for managing the SED feature of a drive; simple product, small attack surface, great solution to secure the drive at rest. I feel this solution is a much safer alternative to anything else I have found.

In summation: does anyone have a solution that can allow sedutil to chainload a UEFI bootloader after AUTH, or some other way to accomplish the next stage of boot without the reboot?

Keywords: SED, self encrypting drive, PBA, pre boot authentication, dell, sedutil-cli, dta, drive trust alliance, hardware encryption, dell, DDP, DDP|ST, DDPE, dell data protection | access, DDP|A, DDPA, TCG OPAL, Samsung SSD
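The loop the post describes shows up in the drive's Opal state flags: after the PBA unlocks the drive, the platform cuts drive power during the warm reboot, the drive's `Locked` flag goes back to Y and `MBRDone` back to N, so the shadow MBR (the PBA image) is presented again. The following is an added example, not code from the sedutil project or from this thread: a Python check that parses the "Locking function" line of `sedutil-cli --query` output and names the state the drive is in, so the relock can be confirmed from a booted OS instead of inferred from the reboot loop. The sample query output is constructed; the field names are the ones sedutil-cli prints, while the device line and flag values are placeholders chosen to illustrate the relocked case.

```python
"""Classify a drive's TCG Opal locking state from `sedutil-cli --query` output.

Added example; not part of sedutil. Field names (Locked, LockingEnabled,
LockingSupported, MBRDone, MBREnabled) are those sedutil-cli reports; the
sample text below is constructed and the device/model line is a placeholder.
"""
import re
import subprocess

# Constructed sample: the drive after the PBA unlocked it and the platform then
# cut drive power during the warm reboot. Locked is back to Y and MBRDone back
# to N, so the shadow MBR (the PBA) is what the firmware will boot again.
SAMPLE_RELOCKED = """\
/dev/sda ATA EXAMPLE-SSD-MODEL FW00 SERIAL-PLACEHOLDER
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
"""

# Constructed sample: the healthy post-PBA state on a platform that does not
# power-cycle the drive. Locked = N and MBRDone = Y, so the real OS is visible.
SAMPLE_UNLOCKED = """\
/dev/sda ATA EXAMPLE-SSD-MODEL FW00 SERIAL-PLACEHOLDER
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y
"""

# "Name = Y" / "Name = N" pairs as printed on the flag lines.
FLAG_RE = re.compile(r"(\w+)\s*=\s*([YN])\b")


def parse_locking_flags(query_output: str) -> dict:
    """Return {flag: bool} from the line that follows 'Locking function'."""
    lines = query_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Locking function") and i + 1 < len(lines):
            return {name: value == "Y" for name, value in FLAG_RE.findall(lines[i + 1])}
    raise ValueError("no 'Locking function' block found in query output")


def classify(flags: dict) -> str:
    """Map the flag set to a short state name a user can act on."""
    if not flags.get("LockingSupported", False):
        return "no-opal-locking"          # not an Opal SED, nothing to lock
    if not flags.get("LockingEnabled", False):
        return "locking-disabled"         # sedutil has not enabled locking
    shadow_mbr_visible = flags.get("MBREnabled", False) and not flags.get("MBRDone", False)
    if flags.get("Locked", False):
        # The relock-after-warm-boot loop from the issue: locked and the PBA
        # image is what the firmware will see, so it boots to the PBA again.
        return "locked-pba-exposed" if shadow_mbr_visible else "locked"
    if shadow_mbr_visible:
        return "unlocked-mbrdone-unset"   # unlocked, but the PBA still shadows the OS
    return "unlocked-os-visible"          # the state a successful PBA pass leaves behind


def run_query(device: str) -> str:
    """Run the real `sedutil-cli --query <device>` (needs root) and return its output."""
    return subprocess.run(["sedutil-cli", "--query", device],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    text = run_query(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RELOCKED
    print(classify(parse_locking_flags(text)))
```

Run with a device path (for example `python3 check_relock.py /dev/sda`, as root) right after a warm reboot that landed in the OS via some other unlock path; `locked-pba-exposed` confirms the drive was power-cycled and relocked, `unlocked-os-visible` means the unlock survived the reboot. Without an argument it classifies the constructed relocked sample.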

FedericoDiGiuseppe commented 3 years ago

Hello. Did you solve the issue? I had a similar problem with my Dell Latitude E6420 XFR. The laptop uses BIOS, not UEFI. My operating system is Linux. Using sedutil, after entering the unlocking password the laptop reboots and prompts again, asking for the unlocking password, and so on. It seemed to me that the problem was a power interruption to the hard disk that put it back in a locked state. To be sure that it wasn't a hardware issue I installed Windows and the Dell software to manage full disk encryption. Using it, the laptop was able to boot after the password entry. Now I suppose the problem is related to sedutil and is not hardware related. Any update by you? Best regards, Federico

mathew-dev commented 3 years ago

In order to use sedutil with one of the affected Dell models (with the soft reboot flaw which caused the drive to lock), sedutil would need to be updated to chain-load the next OS after successful auth.

The flaw is within the Dell hardware; however, Dell's approach to SED unlocking worked around that flaw.

The pre-boot environment that comes with the Dell encryption software uses a chain-loader to complete the boot process.

I have confirmed the flaw is not present on a newer Dell model, and sedutil functions properly.

FedericoDiGiuseppe commented 3 years ago

OK, so there is no way to use sedutil with this kind of laptop, I understand. Thanks for your help. Greetings