Closed ChriMarMe closed 1 year ago
Well, @ChriMarMe, the output of your "sedutil-cli --query" command suggests that the drive you are dealing with has already been configured as TCG Opal encrypted, not booting ("MBRenabled = N"). Therefore its Admin1 password and SID password should already be established. If you know the Admin1 password, you don't have to perform the --initialsetup. However, if you don't know that password, then I can't understand how you see this drive unlocked ("Locked = N"), unless LockingRange 0 is disabled. But I'm not sure if your "sedutil-cli --query" output would then be exactly as you were quoting. If you do know the password, you can try to perform the "sedutil-cli --listLockingRanges yourPassword /dev/nvme0" command to see what locking ranges have been defined. Stay safe and Regards
Hello @JaBoMa and thanks for your answer.
What exactly in the query output indicates that it is already configured?
I can run ./sedutil-cli --listLockingRanges "$MyPW" /dev/nvme0
and get:
method status code INVALID_PARAMETER
Session start failed rc = 12
One or more header fields have 0 length
EndSession Failed
This indicates something does not work, right?
But if I do ./sedutil-cli --initialsetup "$MyPW" "/dev/nvme0"
I get:
takeOwnership complete
Locking SP Activate Complete
LockingRange0 disabled
LockingRange0 set to RW
method status code NOT_AUTHORIZED
Set Failed
Unable to update table
Unable to set setMBRDone on
Initial setup failed - unable to Enable MBR shadow
and repeat ./sedutil-cli --listLockingRanges "$MyPW" /dev/nvme0, then I get:
Locking Range Configuration for /dev/nvme0
LR0 Begin 0 for 0
RLKEna = N WLKEna = N RLocked = N WLocked = N
LR1 Begin 0 for 0
RLKEna = N WLKEna = N RLocked = N WLocked = N
LR2 Begin 0 for 0
RLKEna = N WLKEna = N RLocked = N WLocked = N
LR3 Begin 0 for 0
RLKEna = N WLKEna = N RLocked = N WLocked = N
LR4 Begin 0 for 0
RLKEna = N WLKEna = N RLocked = N WLocked = N
LR5 Begin 0 for 0
RLKEna = N WLKEna = N RLocked = N WLocked = N
LR6 Begin 0 for 0
RLKEna = N WLKEna = N RLocked = N WLocked = N
LR7 Begin 0 for 0
RLKEna = N WLKEna = N RLocked = N WLocked = N
LR8 Begin 0 for 0
RLKEna = N WLKEna = N RLocked = N WLocked = N
After this I reset the device with:
./sedutil-cli --revertNoErase "$MyPW" "/dev/nvme0"
./sedutil-cli --revertTPer "$MyPW" "/dev/nvme0"
and I get:
Revert LockingSP complete
revertTper completed successfully
I just don't understand how I can claim ownership but not be able to set setMBRDone to true.
Best regards
This: "Locking function (0x0002) Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y" and this: "OPAL 2.0 function (0x0203) Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1 Locking Admins = 4, Locking Users = 9," in my opinion indicate that the initial setup has already been done. My current system SSD (Samsung 840 Evo) shows the same, except for "MBREnabled = Y" and "MBRDone = Y" (while unlocked). The result of your listLockingRanges suggests, however, that the locking has probably been disabled.
Could you just try to follow the "Encrypting the Drive" manual (Wiki Tab) from the point just after the --initialsetup command, i.e.:
sedutil-cli --enableLockingRange 0
You are probably missing sedutil-cli --setMBREnable ON
Best regards.
One caution note: If you are not working from a security system booted from a USB memory stick, but from THIS drive you are trying to make OPAL encrypted, better don't ever do: "sedutil-cli --setMBRDone OFF"
No worries. I didn't do anything yet. :)
I must have made the first quote of --query in my first description AFTER I ran the --initialsetup.
Now let's assume everything is reset. I run the query and get:
Locking function (0x0002)
Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
Locking Admins = 4, Locking Users = 9, Range Crossing = Y
Best regards
Which revision of sedutil did you use? I am afraid that my knowledge and experience with TCG Opal and sedutil are insufficient to help you.
ATB and Regards
I read the mentioned issue and tried to follow the arguments, yet my --initialsetup fails at a different point.
--PSIDrevert is successful, but --initialsetup still fails at the same spot:
takeOwnership complete
Locking SP Activate Complete
LockingRange0 disabled
LockingRange0 set to RW
method status code NOT_AUTHORIZED
Set Failed
Unable to update table
Unable to set setMBRDone on
Initial setup failed - unable to Enable MBR shadow
Sedutil was built from this repo's master branch, but I also tried @ChubbyAnt's master; both fail at the same spot, see above.
I run this on a remote machine with coreboot/edk2, CSM not sure, allow_tpm = 0.
What stuns me is the fact that I can take ownership but am not allowed to set MBRDone.
Anyway: Thank you very much for your time and help.
Best regards
Your drive has the same behavior as the CM6 I was (still am) having difficulty with. The error, however, in my case was that the CM6 doesn't support MBR Shadowing (or at least the FIPS 140-2 variant). I am unsure if there's public documentation for the PM1735 locking range features, but I would assume it's the same issue. Try doing a query to the drive with amotin's fork; the shadow MBR not supported bit is "MBRAbsent": https://github.com/amotin/sedutil
Thanks for the hint :+1:
Need to ask around about documentation. Not really easy to find.
TPer function (0x0001)
ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MBRAbsent = N, MediaEncrypt = Y
Geometry function (0x0003)
Align = Y, Alignment Granularity = 16 (8192), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
Locking Admins = 4, Locking Users = 9, Range Crossing = Y
Namespace function (0x0403)
Maximum Key Count = 75, Unused Key Count = 74, Maximum Ranges Per Namespace = 0
TPer Properties:
MaxComPacketSize = 66048 MaxResponseComPacketSize = 66048
MaxPacketSize = 66028 MaxIndTokenSize = 65540 MaxPackets = 1
MaxSubpackets = 1 MaxMethods = 1 MaxAuthentications = 5
MaxSessions = 1 MaxTransactionLimit = 1 DefSessionTimeout = 0
Host Properties:
MaxComPacketSize = 2048 MaxResponseComPacketSize = 2048
MaxPacketSize = 2028 MaxIndTokenSize = 1992 MaxPackets = 1
MaxSubpackets = 1 MaxMethods = 1
That is the output. I interpret that as the drive technically supporting MBR Shadowing then?
Someone with a little more information told me that the drive is set to EOL soonish. I suspect this is an issue with the implementation of OPAL in the device firmware which Samsung simply won't fix and therefore set the device to EOL, but this is pure speculation. I have no idea if 2 to 3 years is the standard lifetime of such devices.
Anyhow: I can close this issue in peace.
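As an added illustration (not code from this thread or from sedutil itself), here is a small Python parser for the "sedutil-cli --query" report layout quoted above. It turns the Locking feature flags into the checks the thread relies on: LockingEnabled for whether --initialsetup has activated the Locking SP, and MBRAbsent (printed only by the amotin fork) for whether shadow MBR is supported. The sample report is constructed from the output quoted above, and the regular expressions assume that layout.

```python
import re

# Constructed sample in the layout the amotin sedutil fork prints for
# "sedutil-cli --query" (the '.' after ASYNC is how the tool prints it).
SAMPLE_QUERY = """\
TPer function (0x0001)
ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MBRAbsent = N, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
Locking Admins = 4, Locking Users = 9, Range Crossing = Y
"""

# "X function (0xNNNN)" and "X Properties:" lines open a section; fields are
# "Key = Y/N", "Key = 123" or "Key = 0x1004", and keys may contain spaces.
HEADER = re.compile(r"^(?P<name>.+?)(?: function \(0x[0-9A-Fa-f]{4}\)|:)\s*$")
FIELD = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*(0x[0-9A-Fa-f]+|\d+|[YN])")

def parse_query(text):
    """Map each section of a --query report to a {field: value} dict."""
    sections, current = {}, None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = head.group("name")
            sections[current] = {}
        elif current is not None:
            for key, val in FIELD.findall(line):
                sections[current][key.strip()] = val
    return sections

def yn(fields, key):
    """Y/N flag -> True/False, or None when the tool did not print it."""
    return None if key not in fields else fields[key] == "Y"

def assess(sections):
    """Derive the drive-state checks this thread argues about."""
    lk = sections.get("Locking", {})
    absent = yn(lk, "MBRAbsent")
    return {
        "is_opal2": "OPAL 2.0" in sections,
        "self_encrypting": yn(lk, "LockingSupported") and yn(lk, "MediaEncrypt"),
        "setup_done": yn(lk, "LockingEnabled"),  # Locking SP activated by --initialsetup
        "locked": yn(lk, "Locked"),
        "mbr_enabled": yn(lk, "MBREnabled"),
        "mbr_done": yn(lk, "MBRDone"),
        # MBRAbsent is the "MBR shadowing not supported" bit (amotin fork only)
        "mbr_shadow_supported": None if absent is None else not absent,
    }
```

Run it over the stock sedutil output quoted earlier in the thread (no MBRAbsent field) and mbr_shadow_supported comes back None rather than a guess, which is why the amotin fork query was worth asking for.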
One caution note: If you are not working from a security system booted from a USB memory stick, but from THIS drive you are trying to make OPAL encrypted, better don't ever do: "sedutil-cli --setMBRDone OFF". ATB and Regards
Indeed! For the sake of others: you don't necessarily need to go into "MBR mode" in order to actually load it into the table - --loadPBAImage without it worked fine on an 870 EVO.
Hi everybody, I got an issue with Samsung PM1735 12.8TB NVMe HHHL:
./sedutil-cli --scan
./sedutil-cli --query /dev/nvme0
Now, I want to run the initial setup (just for testing purposes and get comfy with the tooling and workflow), but the first step already gives me headaches to the maximum. I run:
./sedutil-cli -vvv --initialsetup "$MyPW" "/dev/nvme0"
And this produces the following log (I reduced the log to the failing part):
I understand that the session does not have the required authority to execute the setMBRDone function, but I can't figure out why. Any help or ideas are welcome.