RESCUE64-1.20.0, Intel 7600p NVMe, Failed Provisioning, PSIDrevert also failed

Open Trikenstein opened this issue 2 years ago • 8 comments

Can you please hint if sedutil-cli is really working? There is not a lot of documentation on the web. I've read carefully and followed the Drive-Trust-Alliance/sedutil guide "Encrypting your drive" to the letter. There is very little documentation on the web; the few pages I found just echo the DTA guide mentioned.

Ultimately, I would like to know what the reason for the failure to provision an OPAL 2.0 NVMe is, because it seems like a lot of people are having similar issues and there is no clear answer.

Test made on 2023-08-08, hardware:

  • Lenovo laptop T580
  • Disk: SSDPEKKF512G8: Intel Pro 7600p Series 512GB TLC PCI Express 3.1 x4 NVMe (AES-256) M.2 2280
  • Boot from RESCUE64-1.20.0.img - UEFI mode
  • Secure Boot disabled in BIOS, although I notice the RESCUE image boots perfectly with Secure Boot enabled.

The problem

Any sedutil-cli command that writes to the drive failed with

  • One or more header fields have 0 length
  • Properties exchange failed
  • Session start failed rc = 136

In March 2022, a user with similar hardware and the same troubles as I am having opened an issue https://github.com/ChubbyAnt/sedutil/issues/40 in which a solution was suggested using

./sedutil-cli --PSIDrevert "ThePSIDPrintedOnTheLabel" /dev/nvme0

This command doesn't work on my drive. Here is the output I got. The same output is returned whether the PSID is correct or intentionally fake (hoping to see a NOT_AUTHORIZED response). Nothing happened to the drive; it could boot normally.

One or more header fields have 0 length
Properties exchange failed
One or more header fields have 0 length
Session start failed rc = 136
One or more header fields have 0 length
End session failed

sedutil-cli --scan

Scanning for Opal compliant disks
/dev/nvme0  2  INTEL SSDPEKKF512G8L                     L15P    
/dev/sda   No   
/dev/sdb   No   
/dev/sdc   No   
No more disks present ending scan

sedutil-cli --query /dev/nvme0

/dev/nvme0 NVMe INTEL SSDPEKKF512G8L                     L15P     PHHH845300PU512H    
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
    Max Tables = 10, Max Size Tables = 10485760, Table size alignment = 4096
OPAL 2.0 function (0x0203)
    Base comID = 0x0800, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N
**** 1 **** Unknown function codes IGNORED 

Testing the PBA with linuxpba

DTA LINUX Pre Boot Authorization

Please enter pass-phrase to unlock OPAL drives: *****
Scanning....
- 23:05:49.013 ERR: One or more header fields have 0 length
- 23:05:49.014 ERR: Properties exchange failed
Drive /dev/nvme0 NVMe INTEL SSDPEKKF512G8L                     is OPAL NOT LOCKED
Drive /dev/sda                                                 not OPAL

Trikenstein avatar Aug 08 '23 18:08 Trikenstein
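As an added example (not code from this issue or from the sedutil project), a small Python triage helper that parses `sedutil-cli --query` output into the per-feature fields shown above and separates "the drive is not provisioned" (Locking feature reports LockingEnabled=N) from "the host never got a session" (Properties exchange / Session start errors). The sample text below is copied from the output quoted in this issue; the feature codes and field names are the ones sedutil prints there.

```python
import re

# Constructed sample input: the --query output and the error lines quoted in the issue above.
QUERY_OUTPUT = """\
/dev/nvme0 NVMe INTEL SSDPEKKF512G8L                     L15P     PHHH845300PU512H
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
    Base comID = 0x0800, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
**** 1 **** Unknown function codes IGNORED
"""

ERROR_OUTPUT = """\
One or more header fields have 0 length
Properties exchange failed
One or more header fields have 0 length
Session start failed rc = 136
"""

# "Locking function (0x0002)" -> feature name and 4-hex-digit feature code
FEATURE_RE = re.compile(r"^(\S.*?) function \((0x[0-9a-fA-F]{4})\)\s*$")

def parse_query(text):
    """Return {feature_code: {field: value}} from sedutil-cli --query output."""
    features, current = {}, None
    for line in text.splitlines():
        m = FEATURE_RE.match(line)
        if m:
            current = m.group(2).lower()
            features[current] = {}
            continue
        if current and line.startswith(" "):
            # Field lines are indented; sedutil separates fields with ", " (and once with ". ").
            for chunk in re.split(r"[,.]\s+", line.strip()):
                if "=" in chunk:
                    name, _, value = chunk.partition("=")
                    features[current][name.strip()] = value.strip()
    return features

def locking_state(features):
    """Summarise the Locking feature (0x0002) the way a provisioning check needs it."""
    lock = features.get("0x0002")
    if lock is None:
        return "no Locking feature reported"
    if lock.get("LockingSupported") != "Y":
        return "locking not supported"
    if lock.get("LockingEnabled") == "Y":
        return "provisioned (LockingEnabled=Y, Locked=%s)" % lock.get("Locked")
    return "Opal supported but not provisioned (LockingEnabled=N)"

SESSION_ERRORS = ("header fields have 0 length", "Properties exchange failed", "Session start failed")

def session_failures(log):
    """Return the lines showing host/TPer session set-up failed before any Opal method ran."""
    return [l for l in log.splitlines() if any(e in l for e in SESSION_ERRORS)]

if __name__ == "__main__":
    print(locking_state(parse_query(QUERY_OUTPUT)))
    print("\n".join(session_failures(ERROR_OUTPUT)))
```

Run against real output (`sedutil-cli --query /dev/nvme0 2>&1`) the two functions separate a drive that merely is not yet provisioned from one the host cannot even open a session to, which is the state this issue describes.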

@youk you probably meant to post this answer for a different issue, because the above answer has nothing to do with the question of this post.

Trikenstein avatar Aug 23 '23 22:08 Trikenstein

This is extremely weird. It won't be possible on a properly secured system since this image is unsigned.

I actually boot RESCUE64-1.20.0.img using Ventoy. Ventoy itself could boot with Secure Boot enabled. Then I select the Rescue image and somehow it could boot. Not sure how Ventoy could manage booting an unsigned image.

Sorry I didn't update the issue. After many trials to provision my NVMe, I also tried to flash the RESCUE image alone on the USB. With that, indeed, Secure Boot has to be disabled to be able to boot.

Trikenstein avatar Aug 24 '23 23:08 Trikenstein

Can Ventoy automatically chainload RESCUE64-1.20.0.img, thereby solving the secure boot issue with SEDutil?

ChubbyAnt avatar Oct 16 '23 15:10 ChubbyAnt

No, Ventoy tampers too much with any OS boot process. While it is based off of grub2, it is so far separated that its loading is effectively not the same as a grub2 chainloader command. Ventoy is nice for trying things out, but relying on it 100%, especially in a security context, is not a good idea. If I needed to use only one flash drive, I would format my flash drive into two FAT32 partitions: 128 MB for RESCUE64.img.gz and the remainder for whichever distro you are trying to run. Most motherboards should allow you to pick between the two partitions. If it only shows your flash drive once, then try to look for "boot from efi file" and browse the partition to /boot/efi/bootx64.efi

catherinedoyel avatar Nov 10 '23 13:11 catherinedoyel