Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

Use windows version to configure NVMe and PBA image password input fail #388

Open tzeru526 opened 2 years ago

tzeru526 commented 2 years ago

Dear Sir,

I have tried to use Sedutil 1.20 to initialsetup => enablelockingrange => setlockingrange => load PBA image UEFI64-1.20.0.img => it works successfully.

But when I power OFF the system and power ON => boot to UEFI OS => it shows unlock fail after typing the password.

Could you tell me what I have to do next?

Thank you

Tzeru

r0m30 commented 2 years ago

This is why you are supposed to use the rescue image. The password hashing is different on NVMe drives because Windows uses SCSI pass-through and the real device serial number is not available. A new (~21H1) system call will fix this but requires a new/old Windows release structure that I haven't had time to document.

If the firmware on your drive properly supports revertnoerase then you can use that to start over and configure the drive from the rescue system.

neo125874 commented 1 year ago

@r0m30 Hello, I tried 21H2 to set the password and then reboot, but it still fails to unlock when the BIOS pops up the admin/user password input. Any solution?

r0m30 commented 1 year ago

The code to use the new function in windows isn't in the current code. I need to integrate it and push the new version.

neo125874 commented 1 year ago

@r0m30 thanks. Any workaround to avoid the BIOS popup, if the TCG function can't be disabled in the BIOS?

r0m30 commented 1 year ago

I'm sorry but I don't quite understand what you're asking. I'm not sure what BIOS pop-up you're referring to.

neo125874 commented 1 year ago

@r0m30 we are using an Intel NUC platform, and its BIOS can't disable the TCG function, so after we lock the NVMe drive on Windows and reboot, the password-input popup can't be avoided. Any workaround? Thanks.

youk commented 6 months ago

@r0m30

> The password hashing is different on NVMe drives because Windows uses SCSI pass-through and the real device serial number is not available.

I was wondering why you chose to hash the password in principle. Considering this is the default, it must address substantial security threats. However, I can't think of anything tangible.

r0m30 commented 6 months ago

@youk I chose to hash the password because every security person/expert says "Never store a plaintext password." I chose to use the serial number so that a drive could move from one computer to another and still be unlocked (the hashing salt travels with the drive). This also creates a unique password for each drive, so that if one drive leaks its password, the password is only valid for that drive and not your entire system.
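The two points above (a per-drive serial number used as the hashing salt, and the unlock failure when Windows' SCSI pass-through path hands the tool a different serial than the PBA later sees) can be shown with a small model. This is an added illustration, not sedutil's own code: the KDF choice (PBKDF2-HMAC-SHA1), iteration count, output length and the serial strings are all assumptions made for the example, and `FakeDrive` stands in for the authority table on a real SED.

```python
import hashlib
import hmac

# Assumed KDF parameters for illustration only; they are NOT sedutil's
# actual settings and are not taken from the thread.
ITERATIONS = 75_000
CRED_LEN = 32


def derive_credential(password: str, serial: str) -> bytes:
    """Turn the user's password into the credential sent to the drive.

    The drive serial is the salt. Because the salt lives on the drive, the
    same password on the same drive derives the same credential on any host
    (the drive can move between machines), while the same password on two
    drives derives two different credentials (a leak is scoped to one drive).
    """
    salt = serial.strip().encode("ascii")
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, CRED_LEN
    )


class FakeDrive:
    """Stand-in for a SED authority table: it only ever sees the derived
    credential, never the plaintext password."""

    def __init__(self) -> None:
        self.stored: bytes | None = None

    def set_credential(self, credential: bytes) -> None:
        self.stored = credential

    def authenticate(self, credential: bytes) -> bool:
        # Constant-time compare so a timing oracle does not leak the credential.
        return self.stored is not None and hmac.compare_digest(self.stored, credential)


def setup_then_unlock(password: str, setup_serial: str, unlock_serial: str) -> bool:
    """Configure the drive with the serial the setup tool saw, then try to
    unlock with the serial the PBA sees at boot. Returns whether unlock works."""
    drive = FakeDrive()
    drive.set_credential(derive_credential(password, setup_serial))
    return drive.authenticate(derive_credential(password, unlock_serial))


# Constructed serial strings. On a real system the PBA reads the drive's
# own serial; the Windows pass-through path in the thread does not expose it,
# so the setup tool ends up salting with something else.
REAL_SERIAL = "S123ABC456DEF789"          # what the PBA / rescue image sees
PASSTHRU_SERIAL = "SCSI_PASSTHRU_PLACEHOLDER"  # what the Windows build salted with


def demo() -> dict:
    """Run the three scenarios the thread describes and return the outcomes."""
    pw = "correct horse battery staple"
    return {
        # rescue image setup + PBA unlock: same salt both times -> unlocks
        "rescue_setup_pba_unlock": setup_then_unlock(pw, REAL_SERIAL, REAL_SERIAL),
        # Windows setup + PBA unlock: salts differ -> "unlock fail" from the issue
        "windows_setup_pba_unlock": setup_then_unlock(pw, PASSTHRU_SERIAL, REAL_SERIAL),
        # same password, two drives -> two distinct credentials
        "credential_is_per_drive": derive_credential(pw, "DRIVE-A")
        != derive_credential(pw, "DRIVE-B"),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {ok}")
```

The recovery path r0m30 describes follows from the model: once the authority table holds a credential salted with the wrong serial, no amount of retyping the password in the PBA helps; the drive has to be reverted (revertnoerase, if the firmware supports it) and reconfigured from the rescue image so that setup and unlock salt with the same value.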

youk commented 6 months ago

@r0m30 I don't follow you here. Where and why does the password have to be stored? For all I know, the password is only used to derive the Authentication Credential. The password is transient.

r0m30 commented 6 months ago

@youk the TCG spec defines a table for users that holds the password. It does not specify how that password is to be stored or protected, so I took the preemptive step to make sure that if a drive is hacked the hacker only gets a hashed version of the password, unique to only that drive. Later people asked to be able to bypass the hashing, and so that was added, but I think it reduces the security of the system.