oom-is / sedutil

DTA sedutil Self encrypting drive software

UEFI bios not recognizing the pba in the shadow partition #26

Open jojolepirate opened 2 years ago

jojolepirate commented 2 years ago

Hello @oom-is, I am having an issue with a UEFI BIOS which is not recognizing the PBA as a bootable object on an embedded NVMe drive. I have an NVMe drive (Samsung 870 EVO Plus) correctly set up with sedutil that works correctly on different machines (the PBA boots up, the device unlocks and the main OS boots correctly; for example it works in a Clevo NH55DP with InsydeH2O BIOS version 1.07.05).

If I put the same drive in a Clevo PC50HP (InsydeH2O BIOS 1.07.10), the drive is not displayed in the UEFI device boot prompt. Secure Boot is disabled, and UEFI boot is enabled in the settings. The BIOS is up to date (latest 12/2021 revision from Clevo). I even tried downgrading to 1.07.05 to match my other Clevo's BIOS, to no avail.

If I flash the same PBA to a USB drive, the BIOS correctly recognizes it, I can select it in the boot prompt and I can proceed to unlock the Samsung drive; then, after a reboot, the OS installed on the drive correctly boots up. For now I have a small USB device always attached allowing me to unlock the drive, but it is not very practical.

When I boot to a live CD with the drive locked, I can correctly mount the shadow MBR and I see the PBA installed there in the efi\boot folder. It has the same flags as the PBA's partition on my USB drive.

When I boot an EFI shell, I see the locked drive as a block device "blk0", but even after a "map -r", no "fs0" associated with the drive is created. Trying to manually mount it with "mount blk0 fs0", then typing "fs0:" and "ls", yields the error "Cannot open current directory - Not Found", meaning I cannot even manually boot the PBA using the path to the EFI image.

I saw on another fork that you were having issues with some UEFI implementations. Do you have any ideas on how to debug the problem?

Thanks a lot for your help!
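The EFI shell test above (blk0 present, no fs0 after "map -r") boils down to whether the firmware can read, from the locked drive's shadow MBR, a protective MBR, a valid GPT header and entry array, an EFI System Partition entry, and a FAT boot sector at that partition's first LBA. The following added example (not code from sedutil, the DTA project or this thread) builds a constructed miniature GPT image with that layout and then checks those same items, so the checker can also be pointed at a real PBA image file or, from a live CD with the drive locked, at the block device itself. The image size, partition placement and the absence of a backup GPT in the constructed sample are simplifications chosen here; real PBA images are larger and carry a backup GPT.

```python
import struct
import uuid
import zlib

SECTOR = 512
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # EFI System Partition type
GPT_HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header
GPT_ENT_FMT = "<16s16sQQQ72s"        # 128-byte partition entry


def build_gpt_image(total_sectors=128, part_first=34, label="PBA"):
    """Constructed sample image: protective MBR, primary GPT, one ESP whose
    first sector is a FAT32 boot sector. Assumption: this mirrors what a
    firmware needs to find in a sedutil shadow MBR; it is not a real PBA."""
    img = bytearray(total_sectors * SECTOR)
    part_last = total_sectors - 34            # keep room where a backup GPT would live
    # Protective MBR: one type-0xEE partition spanning the disk, 0x55AA boot signature
    struct.pack_into("<B3sB3sII", img, 446, 0x00, b"\x00\x02\x00", 0xEE,
                     b"\xff\xff\xff", 1, total_sectors - 1)
    img[510:512] = b"\x55\xaa"
    # Partition entry array at LBA 2: 128 entries x 128 bytes = 32 sectors
    entries = bytearray(128 * 128)
    struct.pack_into(GPT_ENT_FMT, entries, 0, ESP_GUID.bytes_le, uuid.UUID(int=1).bytes_le,
                     part_first, part_last, 0, label.encode("utf-16-le"))
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    # GPT header at LBA 1; its CRC32 is computed with the CRC field itself zeroed
    hdr = bytearray(struct.pack(GPT_HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                                1, total_sectors - 1, part_first, part_last,
                                uuid.UUID(int=2).bytes_le, 2, 128, 128, zlib.crc32(entries)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    img[SECTOR:SECTOR + 92] = hdr
    # FAT32 boot sector at the start of the ESP: jump, OEM name, FS label, 0x55AA
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"
    bs[3:11] = b"MSWIN4.1"
    struct.pack_into("<H", bs, 11, SECTOR)
    bs[82:90] = b"FAT32   "
    bs[510:512] = b"\x55\xaa"
    img[part_first * SECTOR:(part_first + 1) * SECTOR] = bs
    return bytes(img)


def check_esp_visible(img):
    """Return the problems a UEFI firmware would hit before it could expose the
    partition as fsN. An empty list means the on-disk layout looks bootable."""
    problems = []
    if len(img) < 34 * SECTOR:
        return ["image shorter than a protective MBR plus primary GPT"]
    if img[510:512] != b"\x55\xaa":
        problems.append("LBA0: missing 0x55AA boot signature (reads like an all-zero or unreadable disk)")
    if img[450] != 0xEE:
        problems.append("LBA0: no protective 0xEE partition; firmware may treat the disk as plain MBR")
    hdr = img[SECTOR:SECTOR + 92]
    if hdr[:8] != b"EFI PART":
        problems.append("LBA1: no GPT header signature")
        return problems
    (_sig, _rev, _hsize, hcrc, _res, _cur, _alt, first_use, last_use, _dguid,
     ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(GPT_HDR_FMT, hdr)
    zeroed = bytearray(hdr)
    zeroed[16:20] = b"\0\0\0\0"
    if zlib.crc32(zeroed) != hcrc:
        problems.append("LBA1: GPT header CRC32 mismatch")
    entries = img[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(entries) != ent_crc:
        problems.append("GPT partition entry array CRC32 mismatch")
    esp = None
    for i in range(n_ent):
        e = entries[i * ent_size:(i + 1) * ent_size]
        tguid, _u, p_first, p_last, _attr, name = struct.unpack(GPT_ENT_FMT, e[:128])
        if uuid.UUID(bytes_le=bytes(tguid)) == ESP_GUID:
            esp = (p_first, p_last, name.decode("utf-16-le").rstrip("\0"))
            break
    if esp is None:
        problems.append("no partition with the EFI System Partition type GUID")
        return problems
    p_first, p_last, name = esp
    if not (first_use <= p_first <= p_last <= last_use):
        problems.append(f"ESP '{name}' LBA range {p_first}-{p_last} lies outside the usable area")
    bs = img[p_first * SECTOR:(p_first + 1) * SECTOR]
    is_fat = bs[54:59] in (b"FAT12", b"FAT16") or bs[82:87] == b"FAT32"
    if len(bs) < SECTOR or bs[510:512] != b"\x55\xaa" or not is_fat:
        problems.append(f"ESP '{name}': first sector is not a FAT boot sector, so no fsN mapping is possible")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python3 this_script.py /path/to/pba.img   (or a block device, read as root)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_gpt_image()
    for p in check_esp_visible(data) or ["layout looks bootable"]:
        print(p)
```

Run with no argument it checks its own constructed image; run against the shadow MBR (the block device while the drive is locked and MBR shadowing is active, or the image file that was loaded) it reports which of the four things the firmware looks for is missing. An all-zero read, which is one way a firmware ends up with a block device but no filesystem, fails at the very first check.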

jojolepirate commented 2 years ago

I even tried to add another partition in the UEFI img disk, so that I have one FAT16 PBA EFI partition and one FAT32 partition on the shadow MBR. gparted sees them all, but no fs0 / fs1 appears in the EFI shell.

jojolepirate commented 2 years ago

Here are more details on what I see in the shell manager (booted via a USB drive).

When the SSD is locked: blk2 is my NVMe drive. It is not associated with any filesystem. (screenshot: IMG_20220203_172517)

Here is what a partition manager shows: you can see the partition is visible, EFI flag, GPT format, browsable! (screenshot: IMG_20220203_173218)

When the SSD is unlocked: blk4 appears with the GPT format! The Windows boot partition appears and booting works, meaning EFI booting on my NVMe drive is possible. (screenshot: IMG_20220203_172422)

jojolepirate commented 2 years ago

I did another test: I removed the Opal lock on my SSD, then performed a dd of the PBA directly onto the drive. Guess what? The PBA boots correctly.

This means the BIOS has trouble understanding the shadow partition when the drive is locked, regardless of its content.

neo125874 commented 2 years ago

@jojolepirate Hello, did you solve the problem? A Supermicro motherboard has the same issue.