Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

Can't Test the PBA #37

Closed lucasmaffazioli closed 7 years ago

lucasmaffazioli commented 8 years ago

Hello, I followed the guide at this link: https://github.com/Drive-Trust-Alliance/sedutil/wiki/Test-the-PBA and entered random digits to let Sedutil scan my drives, and this was the result: picture

Sorry for the blurred image; the system reboots very fast after this message. I succeeded in checking my device for support using the sedutil-cli.exe --query command. Here is the result:

C:\Windows\system32>c:\temp\sedutil-cli.exe --query .\PhysicalDrive0

.\PhysicalDrive0 ATA Samsung SSD 850 EVO 250GB EMT02B6Q S21NNXCGA01047X
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = N, Alignment Granularity = 1 (512), Logical Block size = 512, Lowest Aligned LBA = 0
Opal V1.0 function (0x0200)
    Base comID = 0x1004, comIDs = 1
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x0 , Reverted PIN = 0x0 , comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N

TPer Properties:
    MaxComPacketSize = 66048
    MaxResponseComPacketSize = 66048
    MaxPacketSize = 66028
    MaxIndTokenSize = 65992
    MaxPackets = 1
    MaxSubpackets = 1
    MaxMethods = 1
    MaxAuthentications = 5
    MaxSessions = 1
    MaxTransactionLimit = 1
    DefSessionTimeout = 0

Host Properties:
    MaxComPacketSize = 2048
    MaxResponseComPacketSize = 65536
    MaxPacketSize = 2028
    MaxIndTokenSize = 1992
    MaxPackets = 1
    MaxSubpackets = 1
    MaxMethods = 1

Is there anything that I'm doing wrong? Or, as the query command was successful, should I ignore the Test PBA step?

ZJaume commented 8 years ago

I can't see your picture, but my system also reboots very fast and it doesn't print anything that is supposed to be in the test. I have the same device.

lucasmaffazioli commented 8 years ago

Sorry about the picture, the correct one is this one: http://i.imgur.com/X92cxL5.jpg

I guess that Sedutil tries to validate the password, instead of trying to search for drives with the OPAL feature?

[edit3] So, I've read the FAQ again, and this is the error that appears on-screen:

INVALID_PARAMETER - The command sent to the drive is incorrectly formatted. This can be either a program or user error. The most likely error is that you are trying to issue a command to the ADMIN SP before it has been activated. Make sure you have run initialsetup before trying to setup the locking ranges.

So, that means that I have to run initialsetup BEFORE testing the PBA?

[Edit4] So, after some adventures unsuccessfully trying to enable SED via Ubuntu, I decided to test it anyway... I followed the "Encrypting your drive" guide step by step, and I have finally enabled SED on my drive. I also noted that when I type the wrong password at boot, the same message as in my picture appears. I really don't know why, but I'm REALLY happy that it worked! Thanks to the dev team for making this possible! PS.: Sorry for the English errors!

r0m30 commented 8 years ago

@djlucask, I think that part of the doc needs some work. If you can't read the message you can use the Debug version of the PBA, which stops and waits for you to press enter before it reboots. The reason it's a good idea to test the PBA is that there may be missing kernel support in the PBA, so running the cli program isn't 100%.

@ZJaume have you tried the debug PBA? As I said above it pauses.

gomoku commented 8 years ago

Hello, I also did the PBA test. I burned UEFI64_Release.img & UEFI64_Debug.img onto a USB pendrive using Win32DiskImager, booted my PC, entered random letters & digits as the pass-phrase and have exactly the same "INVALID PARAMETER" bug. Here is the screenshot:

SCREENSHOT

As seen on the screenshots, it seems that there is something wrong with the debug log formatting of the PBA test tool, because the lines of text are scattered in an ugly way around the screen. Perhaps the same formatting bug happened to some of the PBA-test commands, hence it throws the parsing error "INVALID_PARAMETER" as described in the FAQ: "The command sent to the drive is incorrectly formatted". The FAQ also says "This can be either a program or user error", but as there is no user interaction (except entering the pass-phrase) it seems that it is a PBA-test tool formatting bug, and I am almost sure of this, because what is even funnier, I found another formatting bug in the Test the Rescue system guide (I will create a separate bug thread). I don't know about the "initialsetup" thing. And as I also have a Samsung 850 EVO, I had the same (positive) result log from sedutil-cli (Rescue-1.12.img or Windows), thus as @djlucask gave it a real try and succeeded, I'm also wondering about giving it a real shot but am a little afraid.

[Edit 1] OK. I gave it a real shot and I also, like @djlucask, successfully encrypted my SSD. So it's just a matter of fixing the PBA-test image formatting bug or, if it's not a formatting bug, then it's just a matter of adding "initialsetup" commands documentation to the Test the PBA Wiki Guide page.

r0m30 commented 8 years ago

The formatting is a side effect of the mixture of curses and sysout on the screen. It's a cosmetic issue that I hope to get to some day, but the info is there so it's not high priority.

What is the state of the drive? The PBA was not able to start a session with the drive, either because OPAL isn't activated yet or the password is not correct. The PBA recognizes the drive and can communicate with it, so all the kernel support needed for it to work is there and the PBA should be able to unlock the drive after it is set up correctly.
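The drive state asked about above can be read from the `--query` output already posted in this thread. The following is an added example, not part of the original discussion and not sedutil code: it parses the `Locking function (0x0002)` section and reports whether locking has been set up. The function names are hypothetical, and treating `LockingEnabled = N` as "OPAL not activated yet" is an assumption of this example.

```python
import re

# Locking section copied from the --query output posted in this thread.
QUERY_BEFORE_SETUP = """\
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
"""
# Constructed sample (assumed values): the same section after the setup procedure.
QUERY_AFTER_SETUP = (QUERY_BEFORE_SETUP
                     .replace("LockingEnabled = N", "LockingEnabled = Y")
                     .replace("MBREnabled = N", "MBREnabled = Y"))


def locking_flags(query_text):
    """Return the Y/N flags of the Locking section as booleans, or None if absent."""
    marker = "Locking function (0x0002)"
    start = query_text.find(marker)
    if start < 0:
        return None  # the drive did not report a Locking feature
    start += len(marker)
    # The section ends where the next "<Name> function (0x....)" header begins;
    # this works for both line-per-section and flattened (single-line) output.
    end = query_text.find(" function (0x", start)
    section = query_text[start:end if end >= 0 else len(query_text)]
    return {k: v == "Y" for k, v in re.findall(r"(\w+)\s*=\s*([YN])\b", section)}


def pba_test_expectation(flags):
    """Classify the drive state relevant to the PBA test (assumed mapping)."""
    if not flags or not flags.get("LockingSupported"):
        return "no-opal-locking"   # nothing for the PBA to unlock
    if not flags.get("LockingEnabled"):
        return "not-set-up"        # no session can start, whatever is typed
    return "set-up"                # the passphrase is checked by the drive


if __name__ == "__main__":
    for name, text in (("before", QUERY_BEFORE_SETUP), ("after", QUERY_AFTER_SETUP)):
        print(name, pba_test_expectation(locking_flags(text)))
```
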

gomoku commented 8 years ago

As on "Encrypting your drive" on WIKI:

Optional but highly recommended:
Test the PBA on your machine
Prepare and test the rescue image

is mentioned BEFORE the whole "Encrypting your drive" procedure, that misled me, so I understood that Test the LBA has to be performed BEFORE the encrypting procedure. I have now booted LBA TEST after the "Encrypting your drive" procedure, and now LBA TEST works... Probably I misunderstood (because I did not go deep enough into the technical details and just wanted to encrypt my SSD, or misunderstood the English), or the LBA TEST information should be mentioned (placed) after the encryption procedure (or on the LBA TEST wiki guide there should be some info saying to encrypt the SSD first)?

gomoku commented 8 years ago

* Thread https://github.com/Drive-Trust-Alliance/sedutil/issues/44 has been marked as a duplicate of this thread. *

tristan-k commented 8 years ago

I hit the same issue. It's really misleading because the wiki states to test the PBA before running the initial-setup, but if there is no encryption in place already the PBA will just fail with "INVALID_PARAMETER" and reboot. That should be more clear.

Boot the USB stick, enter anything when asked for the passphrase and verify that it scans your system correctly identifying your OPAL disks.


r0m30 commented 8 years ago

Yes, the documentation is for the older syslinux based PBA. We haven't had the time to make the required changes. What I would like to do is make the rescue system and the PBA run on the same kernel/rootfs so that if the rescue system is able to issue OPAL commands the PBA will also be able to.

jesusha123 commented 7 years ago

Based on gomoku's comments, I skipped the "Optional but highly recommended" parts and continued with the non-optional parts. I enabled locking successfully and now my system asks for a password when I reboot the computer.

r0m30 commented 7 years ago

I've updated the doc to reflect the new release.