Sleep support

[lulkipvx]

Are there any plans for sedutil to support HDD sleep? This is the single most feature that has got me disabling sedutil currently.

[CySlider]

Hi, since Kubuntu 18.04 finally has a default kernel that should have this change (4.15) I tried to get rid of the S1 mode and finally switch to S3.

Long story short, it does not work yet:-/

After some annoying road blocks (See below) I got everything in place and could successfully set the password (I tried setting an invalid password and it failed with not authorized). But he still does not wake up after going to S3 sleep. Any further hints are appreciated.

One thing that differs in my system is, that I have 2 OPAL drives. Is this a problem? Can he only wake one of them maybe?

Hickups: (Also as reference for helping others)

1) The code from @badicsalex`s3 branch did not build for me right away. I had to add the DtaDevLinuxDrive.cpp to the netbeans config which was missing from it for me. Since noone else seems to have had this issue I wonder if my error already starts here?

I installed gcc-multilib and g++-multilib, did git clone https://github.com/badicsalex/sedutil.git and git checkout s3-sleep-support then went inside linux/CLI and executed make CONF="Release_x86_64". Which caused the error. After adding the missing file in nbproject/configurations.xml it finally compiled.

2) Minor issues. The resulting tool is called sedutils-cli and not sed-util and the command to get the password hash is --printPasswordHash and not --printHashedPassword

3) To make the autostart on boot unit work, add also these lines to the example of @badicsalex

[Install] WantedBy=multi-user.target

and execute systemctl enable <filename> and systemctl start <filename> also the file has to go to /etc/systemd/system and should have the ending .service

[ScottyBauer]

@CySlider

Two drives shouldn't matter. The only thing you need to do is put the password in for the drive that hosts the files systems needed for bootup. Or both passwords, it doesn't matter.

Not sure where the bug would lie. If you could do the following as root:

echo -n 'file sed-opal.c +p' > /sys/kernel/debug/dynamic_debug/control dmesg -n8 then go to a psuedo terminal: ctrl-alt f5 login, sudo su: sysctl suspend

then resume and see if you get any logs.

[CySlider]

I tried. ended using systemctl suspend as your command did not work.

This is the last syslog logs before my force reboot. I can't find anything related to opal.

May 7 09:41:28 I-KNOW-YOU acpid: client 2985[0:0] has disconnected May 7 09:41:34 I-KNOW-YOU NetworkManager[2831]: [1525678894.9414] manager: sleep: sleep requested (sleeping: no enabled: yes) May 7 09:41:34 I-KNOW-YOU NetworkManager[2831]: [1525678894.9415] device (enp5s0): state change: unavailable -> unmanaged (reason 'sleeping', sys-iface-state: 'managed') May 7 09:41:34 I-KNOW-YOU systemd-timesyncd[2663]: Network configuration changed, trying to establish connection. May 7 09:41:34 I-KNOW-YOU NetworkManager[2831]: [1525678894.9436] device (wlp9s0): state change: unavailable -> unmanaged (reason 'sleeping', sys-iface-state: 'managed') May 7 09:41:34 I-KNOW-YOU NetworkManager[2831]: [1525678894.9440] manager: NetworkManager state is now ASLEEP May 7 09:41:34 I-KNOW-YOU whoopsie[3338]: [09:41:34] offline May 7 09:41:34 I-KNOW-YOU systemd-timesyncd[2663]: Synchronized to time server [2001:67c:1560:8003::c8]:123 (ntp.ubuntu.com). May 7 09:41:35 I-KNOW-YOU systemd[1]: Reached target Sleep. May 7 09:41:35 I-KNOW-YOU systemd[1]: Starting Suspend... May 7 09:41:35 I-KNOW-YOU systemd-sleep[6846]: Suspending system... May 7 09:41:35 I-KNOW-YOU kernel: [ 423.699890] PM: suspend entry (deep) May 7 09:45:39 I-KNOW-YOU systemd-modules-load[722]: Inserted module 'lp' May 7 09:45:39 I-KNOW-YOU systemd-modules-load[722]: Inserted module 'ppdev' May 7 09:45:39 I-KNOW-YOU systemd-modules-load[722]: Inserted module 'parport_pc' May 7 09:45:39 I-KNOW-YOU systemd[1]: Starting Flush Journal to Persistent Storage... May 7 09:45:39 I-KNOW-YOU systemd[1]: Started Set the console keyboard layout. May 7 09:45:39 I-KNOW-YOU lvm[712]: 1 logical volume(s) in volume group "kubuntu-vg" monitored May 7 09:45:39 I-KNOW-YOU systemd[1]: Started udev Kernel Device Manager. May 7 09:45:39 I-KNOW-YOU systemd[1]: Starting Network Service... May 7 09:45:39 I-KNOW-YOU systemd[1]: Started Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling. May 7 09:45:39 I-KNOW-YOU systemd[1]: Started udev Coldplug all Devices. May 7 09:45:39 I-KNOW-YOU systemd[1]: Starting udev Wait for Complete Device Initialization... May 7 09:45:39 I-KNOW-YOU systemd[1]: Started Dispatch Password Requests to Console Directory Watch. May 7 09:45:39 I-KNOW-YOU systemd[1]: Reached target Local Encrypted Volumes. May 7 09:45:39 I-KNOW-YOU systemd[1]: Reached target Local File Systems (Pre). May 7 09:45:39 I-KNOW-YOU systemd-networkd[748]: Enumeration completed May 7 09:45:39 I-KNOW-YOU systemd[1]: Started Network Service. May 7 09:45:39 I-KNOW-YOU systemd[1]: Starting Wait for Network to be Configured... May 7 09:45:39 I-KNOW-YOU systemd-networkd-wait-online[783]: ignoring: lo May 7 09:45:39 I-KNOW-YOU systemd[1]: Started Wait for Network to be Configured. May 7 09:45:39 I-KNOW-YOU systemd[1]: Started Flush Journal to Persistent Storage.

[CySlider]

@ScottyBauer I think I got what you wanted. Instead entering S3 I entered the working S1 (S2?) state from which I can recover. If I try it with S3 I end up wiht @^@^@^@... in the logs.

Here the full logs that I recorded. https://pastebin.com/wU8MMuQF

Here the most interesting bits IMHO:

I'm setting the keys

May  7 15:06:43 I-KNOW-YOU systemd[1]: Starting S3 support for OPAL Drives...
May  7 15:06:43 I-KNOW-YOU systemd[1]: Started S3 support for OPAL Drives.

Suspending

May  7 15:07:31 I-KNOW-YOU systemd[1]: Reached target Sleep.
May  7 15:07:31 I-KNOW-YOU systemd[1]: Starting Suspend...
May  7 15:07:31 I-KNOW-YOU kernel: [  780.600025] PM: suspend entry (s2idle)

OPAL Stufff

May  7 15:07:40 I-KNOW-YOU kernel: [  788.401774] sed_opal:OPAL: Found OPAL feature description: 514
May  7 15:07:40 I-KNOW-YOU kernel: [  788.401775] sed_opal:OPAL: Device doesn't support single user mode
May  7 15:07:40 I-KNOW-YOU kernel: [  788.402110] sed_opal:OPAL: Found OPAL feature description: 514
May  7 15:07:40 I-KNOW-YOU kernel: [  788.402111] sed_opal:OPAL: Device doesn't support single user mode

...

May  7 15:07:40 I-KNOW-YOU kernel: [  788.647648] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.647651] sed_opal:OPAL: Response size: cp: 76, pkt: 52, subpkt: 37
May  7 15:07:40 I-KNOW-YOU kernel: [  788.647996] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.647997] sed_opal:OPAL: Response size: cp: 76, pkt: 52, subpkt: 37
May  7 15:07:40 I-KNOW-YOU kernel: [  788.688801] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.688802] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.688803] sed_opal:OPAL: Response size: cp: 44, pkt: 20, subpkt: 8
May  7 15:07:40 I-KNOW-YOU kernel: [  788.688804] sed_opal:OPAL: Response size: cp: 44, pkt: 20, subpkt: 8
May  7 15:07:40 I-KNOW-YOU kernel: [  788.693415] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.693416] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.693417] sed_opal:OPAL: Response size: cp: 40, pkt: 16, subpkt: 1
May  7 15:07:40 I-KNOW-YOU kernel: [  788.693418] sed_opal:OPAL: Response size: cp: 40, pkt: 16, subpkt: 1
May  7 15:07:40 I-KNOW-YOU kernel: [  788.695295] sed_opal:OPAL: Found OPAL feature description: 514
May  7 15:07:40 I-KNOW-YOU kernel: [  788.695296] sed_opal:OPAL: Found OPAL feature description: 514
May  7 15:07:40 I-KNOW-YOU kernel: [  788.695297] sed_opal:OPAL: Device doesn't support single user mode
May  7 15:07:40 I-KNOW-YOU kernel: [  788.695298] sed_opal:OPAL: Device doesn't support single user mode
May  7 15:07:40 I-KNOW-YOU kernel: [  788.746748] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.746750] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.746751] sed_opal:OPAL: Response size: cp: 76, pkt: 52, subpkt: 37
May  7 15:07:40 I-KNOW-YOU kernel: [  788.746752] sed_opal:OPAL: Response size: cp: 76, pkt: 52, subpkt: 37
May  7 15:07:40 I-KNOW-YOU kernel: [  788.786543] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.786545] sed_opal:OPAL: Response size: cp: 44, pkt: 20, subpkt: 8
May  7 15:07:40 I-KNOW-YOU kernel: [  788.786896] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.786897] sed_opal:OPAL: Response size: cp: 44, pkt: 20, subpkt: 8
May  7 15:07:40 I-KNOW-YOU kernel: [  788.791289] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.791290] sed_opal:OPAL: Sent OPAL command: outstanding=0, minTransfer=0
May  7 15:07:40 I-KNOW-YOU kernel: [  788.791291] sed_opal:OPAL: Response size: cp: 40, pkt: 16, subpkt: 1
May  7 15:07:40 I-KNOW-YOU kernel: [  788.791292] sed_opal:OPAL: Response size: cp: 40, pkt: 16, subpkt: 1

Resuming

May  7 15:07:40 I-KNOW-YOU systemd-sleep[14696]: System resumed.
May  7 15:07:40 I-KNOW-YOU kernel: [  789.465952] PM: suspend exit

Also I now enabled libata.allow_tpm by adding it to grub. But it did not help either

One additional quirk for others as reference: The two disks are labeled randomly on each start. Had to use the data from /dev/disk/by-id/ to find out in my script which disk is labeled how. Would be good if the by-id value would also be accepted by sedutil-cli but it is not.

[Shadow2091]

Hello. Could you write an algorithm, how to make the laptop go out of sleep if the main disk is encrypted OPAL? I tried to execute the instruction from message https://github.com/Drive-Trust-Alliance/sedutil/issues/90#issuecomment-386932471 but I get compilation errors. /usr/bin/ld: build/Release_x86_64/GNU-Linux/_ext/5c0/DtaDevOS.o: in functionDtaDevOS::prepareForS3Sleep(unsigned char, char*)': DtaDevOS.cpp:(.text+0xf33): undefined reference to DtaDevLinuxDrive::prepareForS3Sleep(unsigned char, std::vector<unsigned char, std::allocator<unsigned char> > const&)' collect2: ошибка: выполнение ld завершилось с кодом возврата 1 make[2]: *** [nbproject/Makefile-Release_x86_64.mk:84: dist/Release_x86_64/GNU-Linux/sedutil-cli] Ошибка 1 make[2]: выход из каталога «/tmp/sedutil/linux/CLI» make[1]: *** [nbproject/Makefile-Release_x86_64.mk:80: .build-conf] Ошибка 2 make[1]: выход из каталога «/tmp/sedutil/linux/CLI» make: *** [nbproject/Makefile-impl.mk:40: .build-impl] Ошибка 2 My Kernel: uname -a Linux 4.19.5-300.fc29.x86_64 #1 SMP Tue Nov 27 19:29:23 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux cat /boot/config-4.19.5-300.fc29.x86_64 | grep "CONFIG_BLK_SED_OPAL" CONFIG_BLK_SED_OPAL=y

Thank you very much in advance.

[badicsalex]

Hi all,

people who have the DtaDevLinuxDrive linker error: run autoreconf and ./configure again after checking out the branch to regenerate the correct Makefiles, which include the linux/DtaDevLinuxDrive.cpp file.

[dtasupport]

I believe, if i understand you correctly, Microsoft does not provide the appropriate hooks for this. You cannot just write sw...for windows anyway.

On Sat, Dec 8, 2018 at 4:04 AM Shadow2091 notifications@github.com wrote:

Hello. Could you write an algorithm, how to make the laptop go out of sleep if the main disk is encrypted OPAL? I tried to execute the instruction from message #90 (comment) https://github.com/Drive-Trust-Alliance/sedutil/issues/90#issuecomment-386932471 but I get compilation errors. /usr/bin/ld: build/Release_x86_64/GNU-Linux/_ext/5c0/DtaDevOS.o: in function DtaDevOS::prepareForS3Sleep(unsigned char, char*)': DtaDevOS.cpp:(.text+0xf33): undefined reference to DtaDevLinuxDrive::prepareForS3Sleep(unsigned char, std::vector<unsigned char, std::allocator > const&)' collect2: ошибка: выполнение ld завершилось с кодом возврата 1 make[2]: [nbproject/Makefile-Release_x86_64.mk:84: dist/Release_x86_64/GNU-Linux/sedutil-cli] Ошибка 1 make[2]: выход из каталога «/tmp/sedutil/linux/CLI» make[1]: [nbproject/Makefile-Release_x86_64.mk:80: .build-conf] Ошибка 2 make[1]: выход из каталога «/tmp/sedutil/linux/CLI» make: *** [nbproject/Makefile-impl.mk:40: .build-impl] Ошибка 2 My Kernel: uname -a Linux 4.19.5-300.fc29.x86_64 #1 SMP Tue Nov 27 19:29:23 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux cat /boot/config-4.19.5-300.fc29.x86_64 | grep "CONFIG_BLK_SED_OPAL" CONFIG_BLK_SED_OPAL=y

Thank you very much in advance.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/Drive-Trust-Alliance/sedutil/issues/90#issuecomment-445444258, or mute the thread https://github.com/notifications/unsubscribe-auth/APuplOqGXa6DTu-AtU9FiwssAQtZzPisks5u24C0gaJpZM4J_hmq .

-- regards,

Bob Thibadeau 412 370 1245

[OYTIS]

Greetings everyone,

as far as I understand this thread (correct me if I'm wrong), the best working solution so far was @Venemo's @kylemanna's opalctl. Could you advise me on how to get the password hash from sedutils? I didn't quite understand the comment in opalctl.c. Also would adding it as systemd sleep hook work? I basically want to be able to continue working after closing my laptop's lid and opening it again.

Thanks a lot.

[microraptor]

When I run --prepareForS3Sleep with a build from badicsalex's fork I get Errno 25 for an invalid ioctl call. My /boot/config... tells me I have CONFIG_BLK_SED_OPAL enabled and libata allow_tpm is enabled as well. Any ideas where the error could be? When I pass an incorrect hash to the command it returns "Not authorized", so at least that seems to be working. The same behavior occurs on Ubuntu running 4.15, Arch running 4.17 and 4.20.

Edit: Fixed by passing the device with namespace to --prepareForS3Sleep (nvme0n1 instead of nvme0)

[ScottyBauer]

@microraptor

sudo su echo -n 'file block/sed-opal.c +p' > /sys/kernel/debug/dynamic_debug/control

run your command and look at dmesg/paste it somewhere.

[microraptor]

@ScottyBauer Thanks, but there aren't any dmesg entries while running your command and prepareForS3Sleep afterwards. The only journal entry I am getting at all is a sudo message for the session.

These are the exact steps I took to compile the binary. Am I missing something?

git clone -b s3-sleep-support https://github.com/badicsalex/sedutil.git
cd sedutil/linux/CLI/
wget https://github.com/Drive-Trust-Alliance/sedutil/files/2527269/patch.txt
patch --verbose nbproject/Makefile-Release_x86_64.mk < patch.txt
make CONF="Release_x86_64"
sudo cp -vf dist/Release_x86_64/GNU-Linux/sedutil-cli /usr/local/bin/

[Venemo]

@OYTIS I would suggest to look into the solution cooked up by @badicsalex - otherwise if you want you can still use my old code, but you need to run your password through the hashing algorithm that sedutil uses, and provide the resulting hash to that code.

@microraptor Which kernel version are you running? Is it possible that it doesn't have the necessary ioctl call yet?

[microraptor]

@Venemo Ubuntu running 4.15, Arch running 4.17 and 4.20. According to the /boot/config CONFIG_BLK_SED_OPAL is enabled on the Ubuntu install. Same error with every kernel.

[ScottyBauer]

@microraptor Can you please post the output of:

cat /sys/kernel/debug/dynamic_debug/control | grep opal

[microraptor]

@ScottyBauer

block/sed-opal.c:2378 [sed_opal]opal_unlock_from_suspend =_ "Failed to set MBR Done in S3 resume\012"
block/sed-opal.c:2372 [sed_opal]opal_unlock_from_suspend =_ "Failed to unlock LR %hhu with sum %d\012"
block/sed-opal.c:2339 [sed_opal]opal_activate_user =_ "Who was not a valid user: %d\012"
block/sed-opal.c:2147 [sed_opal]opal_add_user_to_lr =_ "%s not supported in sum. Use setup locking range\012"
block/sed-opal.c:2142 [sed_opal]opal_add_user_to_lr =_ "Authority was not within the range of users: %d\012"
block/sed-opal.c:2136 [sed_opal]opal_add_user_to_lr =_ "Locking state was not RO or RW\012"
block/sed-opal.c:2031 [sed_opal]init_opal_dev =_ "Opal is not supported on this device\012"
block/sed-opal.c:1941 [sed_opal]get_msid_cpin_pin =_ "Error building Get MSID CPIN PIN command.\012"
block/sed-opal.c:1899 [sed_opal]get_msid_cpin_pin_cont =_ "%s: Couldn't extract PIN from response\012"
block/sed-opal.c:1880 [sed_opal]get_lsp_lifecycle =_ "Error Building GET Lifecycle Status command\012"
block/sed-opal.c:1843 [sed_opal]get_lsp_lifecycle_cont =_ "Couldn't determine the status of the Lifecycle state\012"
block/sed-opal.c:1823 [sed_opal]activate_lsp =_ "Error building Activate LockingSP command.\012"
block/sed-opal.c:1771 [sed_opal]lock_unlock_locking_range_sum =_ "Error building SET command.\012"
block/sed-opal.c:1764 [sed_opal]lock_unlock_locking_range_sum =_ "Tried to set an invalid locking state.\012"
block/sed-opal.c:1730 [sed_opal]lock_unlock_locking_range =_ "Error building SET command.\012"
block/sed-opal.c:1703 [sed_opal]lock_unlock_locking_range =_ "Tried to set an invalid locking state... returning to uland\012"
block/sed-opal.c:1669 [sed_opal]add_user_to_lr =_ "Error building add user to locking range command.\012"
block/sed-opal.c:1594 [sed_opal]set_sid_cpin_pin =_ "Error building Set SID cpin\012"
block/sed-opal.c:1579 [sed_opal]set_new_pw =_ "Error building set password command.\012"
block/sed-opal.c:1528 [sed_opal]set_mbr_enable_disable =_ "Error Building set MBR done command\012"
block/sed-opal.c:1496 [sed_opal]set_mbr_done =_ "Error Building set MBR Done command\012"
block/sed-opal.c:1465 [sed_opal]erase_locking_range =_ "Error building Erase Locking Range Command.\012"
block/sed-opal.c:1438 [sed_opal]internal_activate_user =_ "Error building Activate UserN command.\012"
block/sed-opal.c:1403 [sed_opal]revert_tper =_ "Error building REVERT TPER command.\012"
block/sed-opal.c:1381 [sed_opal]start_auth_opal_session =_ "Error building STARTSESSION command.\012"
block/sed-opal.c:1290 [sed_opal]start_generic_opal_session =_ "Error building start adminsp session command.\012"
block/sed-opal.c:1232 [sed_opal]setup_locking_range =_ "Error building Setup Locking range command.\012"
block/sed-opal.c:1174 [sed_opal]enable_global_lr =_ "Failed to create enable global lr command\012"
block/sed-opal.c:1118 [sed_opal]get_active_key =_ "Error building get active key command\012"
block/sed-opal.c:1075 [sed_opal]get_active_key_cont =_ "%s: Couldn't extract the Activekey from the response\012"
block/sed-opal.c:1056 [sed_opal]gen_key =_ "Error building gen key command\012"
block/sed-opal.c:1027 [sed_opal]finalize_and_send =_ "Error finalizing command buffer: %d\012"
block/sed-opal.c:990 [sed_opal]start_opal_session_cont =_ "Couldn't authenticate session\012"
block/sed-opal.c:964 [sed_opal]parse_and_check_status =_ "Couldn't parse response.\012"
block/sed-opal.c:917 [sed_opal]response_get_u64 =_ "Atom is not short or tiny: %d\012"
block/sed-opal.c:910 [sed_opal]response_get_u64 =_ "Token is not unsigned it: %d\012"
block/sed-opal.c:904 [sed_opal]response_get_u64 =_ "Response has %d tokens. Can't access %d\012"
block/sed-opal.c:898 [sed_opal]response_get_u64 =_ "Response is NULL\012"
block/sed-opal.c:887 [sed_opal]response_get_string =_ "Token is not a byte string!\012"
block/sed-opal.c:882 [sed_opal]response_get_string =_ "Response has %d tokens. Can't access %d\012"
block/sed-opal.c:876 [sed_opal]response_get_string =_ "Response is NULL\012"
block/sed-opal.c:863 [sed_opal]response_parse =_ "Couldn't parse response.\012"
block/sed-opal.c:830 [sed_opal]response_parse =_ "Bad header length. cp: %u, pkt: %u, subpkt: %u\012"
block/sed-opal.c:825 [sed_opal]response_parse =_ "Response size: cp: %u, pkt: %u, subpkt: %u\012"
block/sed-opal.c:742 [sed_opal]response_parse_short =_ "uint64 with more than 8 bytes\012"
block/sed-opal.c:701 [sed_opal]response_get_token =_ "Token length must be non-zero\012"
block/sed-opal.c:695 [sed_opal]response_get_token =_ "Token number doesn't exist: %d, resp: %d\012"
block/sed-opal.c:675 [sed_opal]cmd_finalize =_ "Error: Buffer overrun\012"
block/sed-opal.c:663 [sed_opal]cmd_finalize =_ "Error finalizing command.\012"
block/sed-opal.c:594 [sed_opal]add_token_bytestring =_ "Error adding bytestring: end of buffer.\012"
block/sed-opal.c:568 [sed_opal]add_token_u64 =_ "Error adding u64: end of buffer.\012"
block/sed-opal.c:518 [sed_opal]add_token_u8 =_ "Error adding u8: end of buffer.\012"
block/sed-opal.c:492 [sed_opal]opal_discovery0_end =_ "Could not find OPAL comid for device. Returning early\012"
block/sed-opal.c:488 [sed_opal]opal_discovery0_end =_ "Device doesn't support single user mode\012"
block/sed-opal.c:483 [sed_opal]opal_discovery0_end =_ "This device is not Opal enabled. Not Supported!\012"
block/sed-opal.c:476 [sed_opal]opal_discovery0_end =_ "OPAL Unknown feature: %d\012"
block/sed-opal.c:461 [sed_opal]opal_discovery0_end =_ "Found OPAL feature description: %d\012"
block/sed-opal.c:433 [sed_opal]opal_discovery0_end =_ "Discovery length overflows buffer (%zu+%u)/%u\012"
block/sed-opal.c:399 [sed_opal]next =_ "Error on step function: %d with error %d: %s\012"
block/sed-opal.c:348 [sed_opal]opal_recv_check =_ "Sent OPAL command: outstanding=%d, minTransfer=%d\012"
block/sed-opal.c:305 [sed_opal]check_sum =_ "Number of locking objects: %d\012"
block/sed-opal.c:301 [sed_opal]check_sum =_ "Need at least one locking object.\012"
block/sed-opal.c:280 [sed_opal]check_tper =_ "TPer sync not supported. flags = %d\012"

[ScottyBauer]

@microraptor Can you re-run the first command

echo -n 'file block/sed-opal.c +p' > /sys/kernel/debug/dynamic_debug/control

then run the

cat /sys/kernel/debug/dynamic_debug/control | grep opal

and let me know if the =_ portion turns into =p

block/sed-opal.c:2395 [sed_opal]opal_unlock_from_suspend =p "Failed to set MBR Done in S3 resume\012"

[microraptor]

@ScottyBauer Yes, all =_ change to =p

[ScottyBauer]

Can you make sure the +p is on, then run again with the bad hash, as well as what you think the normal hash is? The fact that you're getting Not authorized back leads me to believe it's a tooling issue, but I want to make sure we see logs from the kenrel before coming to that conclusion.

[OYTIS]

@Venemo @badicsalex Works like a charm, thanks a lot!

[microraptor]

@ScottyBauer Sorry, I tried it multiple times with a bad and the good hash while +p turned on and am unable to produce any journal or dmesg logs.

[ScottyBauer]

Sorry, I'm dumb sometimes. Can you retry after doing dmesg -n8 as root?

[microraptor]

@ScottyBauer I already tried that. Still no log messages.

I tried changing the password and passing it as plain text without the -x and -n flags. In any case it is still the same behavior with errno 25.

Edit: Even tried it on a fresh install with completely different hardware with the same results.

[p1ng0o]

@microraptor IOCTL shall be set on the partition, not the device. IE: [OK] ./sedutil-cli --prepareForS3Sleep 0 "$PASS" /dev/nvme0n1 [KO] ./sedutil-cli --prepareForS3Sleep 0 "$PASS" /dev/nvme0

[Venemo]

@p1ng0o Actually /dev/nvme0n1 is the device. The partitions would be /dev/nvme0n1p1 or /dev/nvme0n1p2 etc. I'm not sure what /dev/nvme0 is.

[moll]

nvme0 is the device, n1 is the namespace and p1 is the partition within a namespace.

[p1ng0o]

@moll right, I was wrong on the naming.

Just mention that --prepareForS3Sleep from @badicsalex fork require namespace, contrary to other standard sedutil-cli other commands, that work with the device only.

Using just the device in args return an errno 25 ENOTTY, using device and namespace works.

ioctl "IOC_OPAL_SAVE" need to be used on device+namespace filedescriptor.

[microraptor]

Thank you @p1ng0o I finally got it working now! Like you said, I totally overlooked it and I always ran it on the device without the namespace like the other sedutil-cli commands. This should probably be pointed out in the --help text, where it just says to pass a device.

[demini2137]

Is there a guide how to enable sleep using @badicsalex method for complete noobs?

[CySlider]

I'm now on manjaro and finally @badicsalex 's solution worked like a charm. Thank you!! No idea what went wrong before.

Here the steps I performed

cd /usr/local/src
git clone https://github.com/badicsalex/sedutil.git
git checkout s3-sleep-support
autoreconf

This showed an error pointing out I should run automake --add-missing So I continued with it. If you do not get an error. I guess you can skip to ./configure

automake --add-missing
autoreconf
./configure
make

Now you have the tool in the src directory. You can install it with make install I guess. but I did not do it yet as I already have another set of sed-utils installed from AUR. So I continued calling the binary directly

./sedutil-cli --prepareForS3Sleep 0 YOUR_PASSWORD /dev/nvme0n1

Finally, I can get rid of hibernating which was extremely unreliable.

UPDATE: Steps to automate this on boot with systemd on Manjaro

This continues what was done at the top:

Install the binary.

make install

To get the hashed password:

sedutil-cli --printPasswordHash <password> <device>

If you have multiple devices you need to run it multiple times even if the password is the same as the hash will be different. In my case I have /dev/nvme0n1 and /dev/nvme1n1

whereis sedutil-cli

This outputs the location the binary was installed to. In my case /usr/local/sbin/sedutil-cli

Writet the following text (for a single device) to /etc/systemd/system/sedutil.service

[Unit]
Description=Sedutil

[Service]
Type=oneshot
ExecStart=-+/usr/local/sbin/sedutil-cli -n -x --prepareForS3Sleep 0 <HASHED_PASSWORD> /dev/nvme0n1

RemainAfterExit=true

[Install]
WantedBy=multi-user.target

If you have multiple devices, you can add multiple ExecStart commands. But be aware that they might switch positions randomly at start. So I did solve this for now by setting each password once to each device. A better way would be to write and execute a script that handles the error correctly. But it works.

Example for two devices:

[Unit]
Description=Sedutil

[Service]
Type=oneshot
ExecStart=-+/usr/local/sbin/sedutil-cli -n -x --prepareForS3Sleep 0 <HASHED_PASSWORD_1> /dev/nvme0n1
ExecStart=-+/usr/local/sbin/sedutil-cli -n -x --prepareForS3Sleep 0 <HASHED_PASSWORD_2> /dev/nvme0n1

ExecStart=-+/usr/local/sbin/sedutil-cli -n -x --prepareForS3Sleep 0 <HASHED_PASSWORD_1> /dev/nvme1n1
ExecStart=-+/usr/local/sbin/sedutil-cli -n -x --prepareForS3Sleep 0 <HASHED_PASSWORD_2> /dev/nvme1n1

RemainAfterExit=true

[Install]
WantedBy=multi-user.target

the -+ in front of the command executes as root and ignores errors (missing device or password wrong)

the -n -x is for setting the password hash in hexadecimal representation as returned by --printPasswordHash

Finally install the service with

systemctl enable sedutil

Done. On next boot, it should set the password automatically.

UPDATE 2: I forgot one "make" command in the original post. I added it.

[fabiogermann]

@CySlider and @badicsalex Thank you for the work and guide - works like a charm! For convenience I created a fork and a AUR package for this: https://aur.archlinux.org/packages/sedutil-sleep-git/

[badicsalex]

@fabiogermann I was thinking about creating an AUR package too, thanks for doing it.

[fabiogermann]

@badicsalex I added a note on AUR to link to this issue.

[Justas-S]

I followed @CySlider instructions and received an error:

Error saving the password to the kernel errno = 524

Do not all drives support the prepare for s3 sleep option? I am using a ATA KINGSTON SUV500M8480G drive.

If I use an incorrect hash I receive an error:

method status code NOT_AUTHORIZED

[Albert994]

I use the AUR package created by @fabiogermann. Without invoking sedutil-sleep --prepareForS3Sleep I can hibernate the system and it runs after the boot. When I invoke sedutil-sleep the system is frozen after sleep and after hibernate. I guess also after hibernate it tries to unlook the SSD and this fails for any reason.

Update Reason might be: https://github.com/Drive-Trust-Alliance/sedutil/issues/354

[adrian5]

Does the sleep feature require previous use of sedutil to set the password? I set my drive password via the BIOS of my ThinkPad and assumed this utility was just interacting with the OPAL interface, so it wouldn't matter how the password got set (except for the hashing algo used).

Using the above examples, I run into INVALID_PARAMETER:

The command sent to the drive is incorrectly formatted. This can be either a program or user error. The most likely error is that you are trying to issue a command to the ADMIN SP before it has been activated. Make sure you have run initialsetup before trying to setup the locking ranges.

[mauro3]

My (limited) understanding is that the BIOS and the sedutil/OPAL are two completely different ways to set a drive password. So, this code cannot help with BIOS-set drive encryption problems. If you want to use OPAL, then you should probably first disable the BIOS encryption.

[adrian5]

You may be right, that's a bummer. I frankly don't have enough confidence in the PBA-image approach to not break on me in the wrong moment (aside from being complex to set up), but would've used sedutil solely for sleep resumption.

It's really commendable how far volunteers have taken this, and at the same time disappointing that the industry hasn't moved to supply free end-user solutions for something so common. (Even ignoring sleep, which I think OPAL never promised)

[ngrigoriev]

Hi! I can't get this to work :( Tried the original version from AUR and manually built code from @badicsalex - same result. Even when trying to run:

sedutil-sleep --prepareForS3Sleep 0 My_Real_pwd /dev/nvme0n1
method status code NOT_AUTHORIZED
Session start failed rc = 1
One or more header fields have 0 length
EndSession Failed
Unable to authenticate with the given password

Yet, the disks are encrypted, PBA is installed, password is set etc.

Trying with hash results in the same error.

Kernel 5.10.42, Lenovo Tihinkpad T15g Gen1, two NVME drives, both OPAL 2.0.

[badicsalex]

Be sure to use the hash in hex form and the -n -x parameters and use sudo.

Note: I was thinking about writing a quick shellscript to do the steps @CySlider written above, but decided against it, since this operation is preeetty insecure (in the context of a few attack scenarios) and should really be done manually as a kind of consent.

[ngrigoriev]

@badicsalex Yes, I think I tried as carefully following the guide as possible, as root, with proper options etc.

Besides, the command above uses clear password and it is supposed to work...right? Just to be clear - I tried to run it on the system booted from one of these disks after successful unlocking by the PBA. It uses admin1 password and I was using correct cleartext password when trying it. I will get the verbose output a bit later and post it here.

[badicsalex]

Oh yeah, the root cause probably has to do with method status code NOT_AUTHORIZED. Damn, this was so long ago that I didn't remember I put a password check in there. And that it works without hashing.

Does any other command requiring admin1 password even work?

[ngrigoriev]

I have attempted to change my admin1 password to "debug" just to test it. I was unable to do it while under kernel 5.10.42-1-lts - same error, NOT_AUTHORIZED. The same command works just fine under the rescue image based on 4.x kernel. Interesting. It's got to be either the sedutil tool itself OR the kernel.

Same result on 5.12.9. Same result with building the original sedutil from DriveTrustAlliance. So, it is not sedutil, I think.

Tested "sedutil-cli --setmbrdone on my-real-pwd /dev/nvme0" - same result, NOT_AUTHORIZED.

All these commands - they are supposed to work regardless of the state of the disks, right? So, unlocked or locked, does not matter.

I am building 4.14 kernel now to test it - but the fact that the basic sedutil-cli commands seem to work fine under RESCUE 4.x image and do not work at all with 5.x kernels...is there anything fundamentally broken in 5.x ones that breaks sedutil? Or could it be about something similar to https://github.com/Drive-Trust-Alliance/sedutil/issues/357 ? Is there a compatibility issue between different ones? I have configured my system using the one from the RESCUE image from https://github.com/ChubbyAnt/sedutil.

[makadizsolt]

It's working fine for me on both 5.4.x and 5.8.x. Besides double checking the above mentioned libata.allow_tpm, please don't forget that you have to use the password hash for the prepareForS3Sleep command! You can generate the hash with printPasswordHash. An example:

sedutil-cli --printPasswordHash <password> <device> > /etc/enckey/sedkey
sedutil-cli -n -x --prepareForS3Sleep 0 $(cat /etc/enckey/sedkey) <device>

[ngrigoriev]

@youk @makadizsolt Thanks for the feedback. I think I have figured out the "pièce de résistance". Some other issues on github (including the one I quoted above) and the funny comment at the top of README for ChubbyAnt's fork of sedutil caught my attention: "This SEDutil fork includes support for intel and AMD Ryzen systems with SHA-512 password authentication. Note: This version of SEDutil is not compatible with SHA-1 versions of SEDutil". I have compiled his version (which is the same one as I have in my RESCUE image and, obviously, in the PBA too) and the command I used for testing (--setmbrdone) started to work.

So, now I am certainly lost. It seems we have at least two incompatible (!) clones of sedutil out there. First, it is somewhat unclear which version should the people use. Second, I need to decide if I should try to migrate to another version, which will reuquire, I imagine, first to disable everything and then get new RESCUE and PBA and lock. Or stay on another fork and try their backported dev support for sleep...

P.S. I tried to build that port of sleep support (https://github.com/ratcashdev/sedutil/tree/badicsalex-s3-sleep-support) and it worked. So, indeed, it is all about the incompatible hashing method!

[fornellas]

OK... so I've read through the years long thread here, and thanks @ScottyBauer & @badicsalex for doing the heavy lifting here.

sedutil ioctl(IOC_OPAL_SAVE) support state

• @badicsalex 's s3-sleep-support branch seems to be a fully functional version.
  • It seems @fabiogermann has an old fork of it which is lagging behind upstream. This is referred by the AUR
  • Both contain a small BUG regarding locking regions, so I've cut PRs for both: badicsalex and fabiogermann (as it seems both are being used by different people).

I didn't spot any PRs against https://github.com/Drive-Trust-Alliance/sedutil, @badicsalex , I suppose your fork could be turned into a PR here, right? I suppose this would be the way to get this 6 years old issue to be closed :-D

Tangent to this issue: Encrypting without PBA

It seems a good chunk of the conversations above are related to issues with PBA password, saving it to disk, and using it for S3 sleep preparations and issues with MBR shadow.

I found an alternative for that, which I'm sharing here. TLDR: do not encrypt the boot partition, only the root:

• Initial setup
  • sedutil-cli --initialsetup $PASS $DEVICE
  • sedutil-cli --setMBREnable off $PASS $DEVICE
• Partition your disk like this:
  • 1: EFI
  • 2: /boot
  • 3: /
• Use fdisk -l to fetch the exact sectors of the root partition (/).
  • RANGE_START would be device 3 Start.
  • RANGE_LENGTH would be device 3 Sectors.
• Create a locking range only for /:
  • sedutil-cli --setupLockingRange 1 $RANGE_START $RANGE_LENGTH $PASS $DEVICE
  • sedutil-cli --enablelockingrange 1 $PASS $DEVICE
• Update initrd to very early do:
  • Ask for $PASS.
  • sedutil-cli --setlockingrange 1 rw $PASS $DEVICE
  • sedutil-cli --prepareForS3Sleep 1 $PASS $DEVICE

I tested the whole model, it works fine. I'm gonna do the initrd changes at my system now.

Advantages:

• No "dual reboot" required by PBA.
• No saving encryption key at rest.

Disadvantages:

• Works for Linux only (PBA + MBR shadow works for any OS).

Thoughts:

• In principle a locking range for EFI and /boot to be set as read-only could be setup as well, yielding a bit more security. In this case, the initrd would just have to do an extra step to set this range to RW.

References:

• https://develop.trustedcomputinggroup.org/2019/05/28/a-practical-guide-to-use-of-opal-drives/ > put some sense into the high complexity of OPAL stuff.

[badicsalex]

Huh, 6 years. I have an open PR by the way: https://github.com/Drive-Trust-Alliance/sedutil/pull/190

This main projects seems unmaintained though? At least PRs and issues do not seem to be actively pursued.

[tarruda]

@fornellas awesome, thanks for sharing this nice solution.

Also this is not vulnerable to cold boot attacks, since keys are never stored in RAM

[badicsalex]

--prepareForS3Sleep does store the key in kernel memory.

[fornellas]

D'ough, GH PR search is not auto-completing @badicsalex 's user, no wonder I missed it #190: It is a pitty this has been sitting for accept / reject for ~5 years... Left a friendly ping at #190, one can dream this will get merged :-P

[Venemo]

@adrian5 Did you ever find a good solution for your Thinkpad? I am in the same boat as you. I would seem that the Thinkpad just uses OPAL, but maybe has a different hashing scheme than sedutil.