Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

NOT_Authorized on initialSetup Kioxia CM6(R) 15.36TB NVMe/U.3 TCG OPAL Enterprise (FIPS 140-2) #407

Closed icomrade closed 1 year ago

icomrade commented 1 year ago

The issue is almost identical to #397, the key difference being that this is a different vendor and a FIPS-certified device (NIST model: TC58NC1132GTC). I am not sure if other devices using the same controller suffer the same issue, but at least the CM6 does in my case. Model: HPE TCM615T4P5xnFTRI / Kioxia KCM6FRUL15T3

sedutil-cli seems to be identifying this device as a regular OPAL drive, even though the NIST certification notes that it is TCG Opal Enterprise; other vendor documentation indicates the CM6 drives are OPAL 2.01 R1.00 compliant. I am not sure if this has anything to do with this issue...

I have tried to do a PSID revert first, with no change in behavior.

One note: there are 192 locking ranges, I am not sure if this is right... Edit: I think this is correct; there are indeed 192 LockingSP users according to the NIST documentation, so it appears to correlate to locking ranges.

sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSID> \\.\PhysicalDrive1
revertTper completed successfully

> sedutil-cli -v --query \\.\PhysicalDrive1
Log level set to DBG
sedutil version : 1.20.0
Unknown Feature in Discovery 0 response 304
Unknown Feature in Discovery 0 response 402
Unknown Feature in Discovery 0 response 403
Unknown Feature in Discovery 0 response 304
Unknown Feature in Discovery 0 response 402
Unknown Feature in Discovery 0 response 403
Performing diskquery() on \\.\PhysicalDrive1

> \\.\PhysicalDrive1 ATA TCM615T4P5xnFTRI 3P01
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 8 (4160), Logical Block size = 520, Lowest Aligned LBA = 0
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 192
DataStore function (0x0202)
    Max Tables = 193, Max Size Tables = 131072, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x2000, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 2
    Locking Admins = 4, Locking Users = 192, Range Crossing = N
**** 3 **** Unknown function codes IGNORED

Here is the initialSetup command output after the PSID revert. I have removed most of the output; I can copy the whole of it to a reply, but it's a lot to put in an issue.

> sedutil-cli -n -vvvvv --initialSetup debug \\.\PhysicalDrive1
Log level set to DBG4
sedutil version : 1.20.0
Creating  DtaResponse()
Creating  DtaResponse()
Creating DtaDevOS::DtaDevOS() \\.\PhysicalDrive1
Creating DtaDiskNVMe::DtaDiskNVMe() \\.\PhysicalDrive1
Entering DtaDevOS::identify()
Exiting DtaDevOS::identify()
Entering DtaDiskNVMe::identify()
Entering DtaDiskNVMe::sendCmd
Entering DtaDev::discovery0()
Entering DtaDevOS::sendCmd
Exiting DtaDevOS::sendCmd
Entering DtaDiskNVMe::sendCmd
Dumping D0Response
Entering hexDump
0000 000000d8 00000001 00000000 00000000  ................
0010 01000047 00010000 00000000 00000000  ...G............
0020 00000000 00000000 00000000 00000000  ................
0030 0001100c 11000000 00000000 00000000  ................
0040 0002200c 49000000 00000000 00000000  .. .I...........
0050 0003101c 01000000 00000000 00000208  ................
0060 00000000 00000008 00000000 00000000  ................
0070 0201100c 000000c0 04000000 00000000  ................
0080 0202100c 000000c1 00020000 00000001  ................
0090 02031010 20000002 00000400 c0000000  .... ...........
00a0 00000000 03041010 20000002 00000400  ........ .......
00b0 c0000000 00000000 0402100c 00000000  ................
00c0 00000000 00000000 04031010 80000000  ................
00d0 000000c0 000000bf                    ........
Unknown Feature in Discovery 0 response 304
Unknown Feature in Discovery 0 response 402
Unknown Feature in Discovery 0 response 403
Entering DtaDev::isPresent() 1
Entering DtaDev::isAnySSC 1
Entering DtaDev::isOpal2 1
Creating  DtaResponse()
Creating  DtaResponse()
Creating DtaDevOS::DtaDevOS() \\.\PhysicalDrive1
Creating DtaDiskNVMe::DtaDiskNVMe() \\.\PhysicalDrive1
Entering DtaDevOS::identify()
Exiting DtaDevOS::identify()
Entering DtaDiskNVMe::identify()
Entering DtaDiskNVMe::sendCmd
Entering DtaDev::discovery0()
Entering DtaDevOS::sendCmd
Exiting DtaDevOS::sendCmd
Entering DtaDiskNVMe::sendCmd
Dumping D0Response
Entering hexDump
0000 000000d8 00000001 00000000 00000000  ................
0010 01000047 00010000 00000000 00000000  ...G............
0020 00000000 00000000 00000000 00000000  ................
0030 0001100c 11000000 00000000 00000000  ................
0040 0002200c 49000000 00000000 00000000  .. .I...........
0050 0003101c 01000000 00000000 00000208  ................
0060 00000000 00000008 00000000 00000000  ................
0070 0201100c 000000c0 04000000 00000000  ................
0080 0202100c 000000c1 00020000 00000001  ................
0090 02031010 20000002 00000400 c0000000  .... ...........
00a0 00000000 03041010 20000002 00000400  ........ .......
00b0 c0000000 00000000 0402100c 00000000  ................
00c0 00000000 00000000 04031010 80000000  ................
00d0 000000c0 000000bf                    ........
Unknown Feature in Discovery 0 response 304
Unknown Feature in Discovery 0 response 402
Unknown Feature in Discovery 0 response 403
Entering DtaDevOpal::properties()
Creating DtaSsession()
Creating DtaCommand(ID, InvokingUid, method)
Entering DtaCommand::reset(OPAL_UID, OPAL_METHOD)
Entering DtaCommand::reset()
Entering DtaCommand::addToken(OPAL_UID)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::complete(uint8_t EOD)
Entering DtaSession::sendCommand()
Entering DtaCommand::setHSN()
Entering DtaCommand::setTSN()
Entering DtaCommand::setcomID()

...................................
removed here
...................................

Dumping command buffer
Entering hexDump
0000 00000000 20000000 00000000 00000000  .... ...........
0010 00000048 80000035 00000069 00000000  ...H...5...i....
0020 00000000 00000000 00000030 00000000  ...........0....
0030 00000000 00000024 f8a80000 08030000  .......$........
0040 0001a800 00000600 000017f0 f201f0f2  ................
0050 0201f3f1 f3f1f9f0 000000f1           ............
Entering DtaDevOS::sendCmd
Exiting DtaDevOS::sendCmd
Entering DtaDiskNVMe::sendCmd
Entering DtaDevOS::sendCmd
Exiting DtaDevOS::sendCmd
Entering DtaDiskNVMe::sendCmd

Dumping reply buffer
Entering hexDump
0000 00000000 20000000 00000000 00000000  .... ...........
0010 0000002c 80000035 00000069 00000000  ...,...5...i....
0020 00000000 00000000 00000014 00000000  ................
0030 00000000 00000008 f0f1f9f0 010000f1  ................
Entering  DtaResponse::init
Entering  DtaResponse::tokenIs
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::tokenIs
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::tokenIs
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::getUint8
Entering  DtaResponse::getUint64
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::getUint8
Entering  DtaResponse::getUint64
Entering DtaSession::methodStatus()
method status code NOT_AUTHORIZED
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::getUint8
Entering  DtaResponse::getUint64
Set Failed
Destroying DtaCommand
Unable to update table
Destroying DtaSession
Creating  DtaResponse()
Creating DtaCommand()
Entering DtaCommand::reset()
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::complete(uint8_t EOD)
Entering DtaSession::sendCommand()
Entering DtaCommand::setHSN()
Entering DtaCommand::setTSN()
Entering DtaCommand::setcomID()

Dumping command buffer
Entering hexDump
0000 00000000 20000000 00000000 00000000  .... ...........
0010 00000028 80000035 00000069 00000000  ...(...5...i....
0020 00000000 00000000 00000010 00000000  ................
0030 00000000 00000001 fa000000           ............
Entering DtaDevOS::sendCmd
Exiting DtaDevOS::sendCmd
Entering DtaDiskNVMe::sendCmd
Entering DtaDevOS::sendCmd
Exiting DtaDevOS::sendCmd
Entering DtaDiskNVMe::sendCmd

Dumping reply buffer
Entering hexDump
0000 00000000 20000000 00000000 00000000  .... ...........
0010 00000028 80000035 00000069 00000000  ...(...5...i....
0020 00000000 00000000 00000010 00000000  ................
0030 00000000 00000004 faffffff           ............
Entering  DtaResponse::init
Entering  DtaResponse::tokenIs
Destroying DtaCommand
Destroying DtaResponse
Unable to set setMBRDone on
Initial setup failed - unable to Enable MBR shadow
icomrade commented 1 year ago

I should note that the system has CSM enabled and set to legacy, though with UEFI the CSM behavior is no different. Booting to PartedMagic as BIOS or UEFI produced no change in behavior; the above logs are from Windows 10, however.

neo125874 commented 1 year ago

@icomrade did you solve the problem? We tried to psid-revert before initial-setup, then enable-lock, and after reboot the drive successfully locked; then we disable-lock & reboot, and the drive's data is still there.

No idea whether this is a bug or not, and no other people mention it.

icomrade commented 1 year ago

I have not tried to troubleshoot further; unfortunately I have not had a lot of free time to do so.

I am not able to get to the storage volume on the un-set-up drive in Windows, but in Linux I was able to read and write to the drive, though I did not boot back into Linux to see if the data was still on the drive after a PSID revert.

icomrade commented 1 year ago

@neo125874 I do not believe that these drives support MBR shadowing (MBR Shadowing Not Supported bit of Locking Range). You can try using amotin's fork: https://github.com/amotin/sedutil
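As an added example (my code, not sedutil's), here is a small Python decoder for the Level 0 Discovery dump posted in the original report. It walks the feature descriptors, labels the three codes that sedutil 1.20.0 reports as "Unknown Feature" (the names for 0x0304, 0x0402 and 0x0403 are my mapping from later TCG feature-set documents, not something the page states), decodes the Locking flag byte so the MBR Shadowing Not Supported bit referred to in the last comment is visible (the byte in this dump is 0x49, which has bit 6 set), and tolerates the last descriptor being cut short by the dump.

```python
import struct

# Level 0 Discovery response copied from the report above (hex words only, ASCII
# column dropped). sedutil dumps hdr->length bytes, 4 short of the full structure,
# so the final descriptor (0x0403) arrives truncated.
D0_DUMP = """
000000d8 00000001 00000000 00000000  01000047 00010000 00000000 00000000
00000000 00000000 00000000 00000000  0001100c 11000000 00000000 00000000
0002200c 49000000 00000000 00000000  0003101c 01000000 00000000 00000208
00000000 00000008 00000000 00000000  0201100c 000000c0 04000000 00000000
0202100c 000000c1 00020000 00000001  02031010 20000002 00000400 c0000000
00000000 03041010 20000002 00000400  c0000000 00000000 0402100c 00000000
00000000 00000000 04031010 80000000  000000c0 000000bf
"""
# Names sedutil 1.20.0 prints, plus my mapping (assumed from later TCG feature-set
# documents) for the three codes it reports as "Unknown Feature".
FEATURE_NAMES = {0x0001: "TPer", 0x0002: "Locking", 0x0003: "Geometry",
                 0x0201: "SingleUser", 0x0202: "DataStore", 0x0203: "Opal 2.0 SSC",
                 0x0304: "Ruby SSC", 0x0402: "Block SID Authentication",
                 0x0403: "Configurable Namespace Locking"}
# Bit order of the Locking feature's flag byte (bit 0 first).
LOCKING_BITS = ("LockingSupported", "LockingEnabled", "Locked", "MediaEncrypt",
                "MBREnabled", "MBRDone", "MBRShadowingNotSupported")

def hexdump_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))

def parse_discovery0(buf):
    """Return (param_length, revision, [feature dicts]) from a Level 0 Discovery buffer."""
    length, revision = struct.unpack_from(">II", buf, 0)
    feats, off = [], 48                      # 48-byte header precedes the descriptors
    while off + 4 <= len(buf):
        code, ver, flen = struct.unpack_from(">HBB", buf, off)
        data = buf[off + 4: off + 4 + flen]   # shorter than flen if the dump is cut short
        feats.append({"code": code, "name": FEATURE_NAMES.get(code, "Unknown"),
                      "version": ver >> 4, "data": data, "truncated": len(data) < flen})
        off += 4 + flen
    return length, revision, feats

def locking_flags(feats):
    """Decode the Locking (0x0002) flag byte, including MBR Shadowing Not Supported (bit 6)."""
    for f in feats:
        if f["code"] == 0x0002 and f["data"]:
            b = f["data"][0]
            return {name: bool(b >> i & 1) for i, name in enumerate(LOCKING_BITS)}
    return None

if __name__ == "__main__":
    _, _, feats = parse_discovery0(hexdump_to_bytes(D0_DUMP))
    for f in feats:
        print(f"0x{f['code']:04x} {f['name']:<30} v{f['version']}"
              + (" (truncated in dump)" if f["truncated"] else ""))
    print(locking_flags(feats))
```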