Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

Solidigm P44 Pro - According to sedutil it has OPAL 2? #447

Closed Utini2000 closed 10 months ago

Utini2000 commented 10 months ago

I have a Solidigm P44 Pro which should only support AES TCG Pyrite 2.01. But running sedutil it seems like it also supports OPAL 2.

sudo sedutil-cli --scan
Scanning for Opal compliant disks
/dev/nvme0 2 SOLIDIGM SSDPFKKxxxx 001C
No more disks present ending scan 

So am I safe to use sedutil to encrypt this NVME?

Thanks!

JaBoMa commented 10 months ago

And what would be the result of the command: sudo sedutil-cli --query /dev/nvme0 ? BR

Utini2000 commented 10 months ago

The output is:

/dev/nvme0 NVMe SOLIDIGM SSDPFKKW020X7                   001C     Sxxxxxxx   
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = N, Alignment Granularity = 1 (512), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1000, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N
**** 2 **** Unknown function codes IGNORED 

TPer Properties: 
  MaxComPacketSize = 65536  MaxResponseComPacketSize = 65536
  MaxPacketSize = 65516  MaxIndTokenSize = 65468  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1  MaxSessions = 1
  MaxAuthentications = 14  MaxTransactionLimit = 1  DefSessionTimeout = 0
  MaxSessionTimeout = 0  MinSessionTimeout = 0
Host Properties: 

  MaxComPacketSize = 2048  MaxResponseComPacketSize = 2048  MaxPacketSize = 2028
  MaxIndTokenSize = 1992  MaxPackets = 1  MaxSubpackets = 1
  MaxMethods = 1

Does that say anything about OPAL 2 functionality?
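
Added example, not part of the thread and not sedutil code: a shell function that reads `sedutil-cli --query` output like the listing above and reports whether the OPAL 2.0 function (0x0203) is present and what state the Locking flags are in before any setup command is run. The verdict names and rules are assumptions of this example, and the sample input is constructed from lines of the output above.

```shell
#!/bin/sh
# Added example: summarise `sedutil-cli --query` output before any setup step.
# Verdict names and rules are this example's assumptions, not sedutil behaviour.

# Constructed sample: a subset of the lines from the query output in this thread.
sample_query() {
cat <<'EOF'
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
    Base comID = 0x1000, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
**** 2 **** Unknown function codes IGNORED
EOF
}

# Reads query output on stdin, prints "<verdict> unknown=<n> mediaencrypt=<Y|N>".
query_verdict() {
    awk '
    # Feature header, e.g. "Locking function (0x0002)": remember its code.
    /function \(0x[0-9A-Fa-f]+\)/ {
        cur = $0; sub(/.*\(0x/, "", cur); sub(/\).*/, "", cur)
        cur = toupper(cur); feat[cur] = 1; next
    }
    # Flag line under the Locking feature: split "Name = V" pairs on commas.
    cur == "0002" && /LockingSupported/ {
        n = split($0, kv, ",")
        for (i = 1; i <= n; i++) {
            split(kv[i], p, "=")
            gsub(/[ \t]/, "", p[1]); gsub(/[ \t]/, "", p[2])
            lock[p[1]] = p[2]
        }
    }
    # Feature descriptors sedutil did not recognise are only counted.
    /Unknown function codes IGNORED/ { unknown = $2 }
    END {
        if (!("0203" in feat))                    v = "no-opal2"
        else if (lock["LockingSupported"] != "Y") v = "no-locking"
        else if (lock["Locked"] == "Y")           v = "locked"
        else if (lock["LockingEnabled"] == "Y")   v = "already-enabled"
        else                                      v = "ready"
        printf "%s unknown=%d mediaencrypt=%s\n", v, unknown, lock["MediaEncrypt"]
    }'
}

# Real use: sudo sedutil-cli --query /dev/nvme0 | query_verdict
sample_query | query_verdict
```

For the output posted above, the function prints `ready unknown=2 mediaencrypt=Y`.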

JaBoMa commented 10 months ago

Doesn't look bad. Just in case, try one more command:

sudo linuxpba

and type debug when it asks for the pass-phrase

BR

Utini2000 commented 10 months ago

Drive /dev/nvme0 SOLIDIGM SSDPFKKW020X7                   is OPAL NOT LOCKED

That looks good I guess?!

JaBoMa commented 10 months ago

Yes, it does look good. Now you can try to follow the "Encrypting your drive" instructions from the "Wiki" tab. E.g.:

sedutil-cli --initialSetup debug /dev/nvme0
sedutil-cli --enableLockingRange 0 debug /dev/nvme0
sedutil-cli --setLockingRange 0 LK debug /dev/nvme0
sedutil-cli --setMBRDone OFF debug /dev/nvme0

Do the two commands (below), if your disk is designed to boot the system. If not, go to ##:

sedutil-cli --loadPBAimage debug <pba-image-path-&-file> /dev/nvme0
sedutil-cli --setMBRDone ON debug /dev/nvme0

## If your disk is not designed to boot the system (don't do the command below, if your disk is to boot the system):

sedutil-cli --setMBREnable OFF debug /dev/nvme0

Note: Try not to reboot your SSD until fulfilling the above step.

It is advised to use a simple pass-phrase, like debug (above), for the initial steps. Then you can change it to the real one, using the commands:

sedutil-cli --setSIDPassword debug new-pass-phrase /dev/nvme0
sedutil-cli --setAdmin1Pwd debug new-pass-phrase /dev/nvme0

Best Regards JBM

Utini2000 commented 10 months ago

Thank you! I am currently using dm-crypt with LUKS2 and will first backup everything, remove the LUKS2 decryption and then try using OPAL 2.0 with sedutil. Although I also just read that dm-crypt got support for OPAL 2.0. So this might be an interesting alternative as well.

Thanks for your help so far!

Blacklands commented 10 months ago

So those Solidigm drives actually have OPAL support? I was looking for that on their website in the past and couldn't find anything about it, so I dismissed them. I wonder if it's just the "Pro" models? Did you find anything on their website about this? It's weird that they would have full OPAL support and not even advertise it anywhere (not even in the spec sheets)...

Utini2000 commented 10 months ago

> So those Solidigm drives actually have OPAL support? I was looking for that on their website in the past and couldn't find anything about it, so I dismissed them. I wonder if it's just the "Pro" models? Did you find anything on their website about this? It's weird that they would have full OPAL support and not even advertise it anywhere (not even in the spec sheets)...

Some of their NVMEs have official OPAL support according to their website. But since Solidigm = previous Intel NVME (just under a new name), I could imagine that all of them support OPAL, but being allowed to name this kind of support requires a paid certification or so?

The same thing applies to many things, e.g. engine oil. Sometimes an engine oil has a higher quality but does not state the required certification for your car brand, because being allowed to put that certification on the engine oil bottle requires payment from the oil brand. Some oil brands then just buy the "highest" grade certification (let's say the Ferrari certification) but can't be bothered to also buy the "lower" grade certifications (e.g. VW, Ford,...). Maybe this applies to NVMEs too? :D