
RESCUE64-1.20.0, Intel 7600p NVMe, Failed Provisioning, PSIDrevert also failed #54

Open
Trikenstein opened this issue Aug 8, 2023 · 8 comments

Comments

@Trikenstein

Trikenstein commented Aug 8, 2023

Can you please hint whether sedutil-cli is really working? There is not a lot of documentation on the web. I've read carefully and followed the Drive-Trust-Alliance/sedutil guide Encrypting your drive to the letter. There is very little documentation on the web. The few pages I found just echo the DTA guide mentioned.

Ultimately, I would like to know what the reason is for the failure to provision an OPAL 2.0 NVMe, because it seems like a lot of people are having a similar issue and there is no clear answer.

Test made on 2023-08-08, hardware:

  • Lenovo laptop T580
  • Disk: SSDPEKKF512G8: Intel Pro 7600p Series 512GB TLC PCI Express 3.1 x4 NVMe (AES-256) M.2 2280
  • Boot from RESCUE64-1.20.0.img - UEFI mode
  • Secure Boot disabled in BIOS. Although I notice the RESCUE image boots perfectly with Secure boot enabled.

The problem

Any sedutil-cli command that writes to the drive failed with

  • One or more header fields have 0 length
  • Properties exchange failed
  • Session start failed rc = 136

In March 2022, a user with similar hardware and the same troubles as mine opened issue #40, in which a solution was suggested using

./sedutil-cli --PSIDrevert "ThePSIDPrintedOnTheLabel" /dev/nvme0

This command doesn't work on my drive. Here is the output I got. The same output is returned whether the PSID is correct or intentionally fake (I was hoping to see a NOT_AUTHORIZED response). Nothing happened to the drive; it could boot normally.

One or more header fields have 0 length
Properties exchange failed
One or more header fields have 0 length
Session start failed rc = 136
One or more header fields have 0 length
End session failed

sedutil-cli --scan

Scanning for Opal compliant disks
/dev/nvme0  2  INTEL SSDPEKKF512G8L                     L15P    
/dev/sda   No   
/dev/sdb   No   
/dev/sdc   No   
No more disks present ending scan

sedutil-cli --query /dev/nvme0

/dev/nvme0 NVMe INTEL SSDPEKKF512G8L                     L15P     PHHH845300PU512H    
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
    Max Tables = 10, Max Size Tables = 10485760, Table size alignment = 4096
OPAL 2.0 function (0x0203)
    Base comID = 0x0800, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N
**** 1 **** Unknown function codes IGNORED 

Testing the PBA with linuxpba

DTA LINUX Pre Boot Authorization

Please enter pass-phrase to unlock OPAL drives: *****
Scanning....
- 23:05:49.013 ERR: One or more header fields have 0 length
- 23:05:49.014 ERR: Properties exchange failed
Drive /dev/nvme0 NVMe INTEL SSDPEKKF512G8L                     is OPAL NOT LOCKED
Drive /dev/sda                                                 not OPAL
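The following is an added example, written for this thread and not code from the sedutil project or from any participant in the issue. It reads the `--query` output and the `--PSIDrevert` error output quoted above and reports the drive's locking state and the stage at which the revert stopped. The only assumptions are the text format sedutil-cli prints (as shown in this issue) and the NOT_AUTHORIZED token the author mentions; both sample inputs are constructed copies of the output posted above.

```shell
#!/usr/bin/env bash
# Added example, not part of sedutil or the RESCUE image: interpret the text that
# sedutil-cli printed so the failing step can be pinned down before retrying.

# Constructed sample: the --query output for the drive in the issue.
SAMPLE_QUERY='/dev/nvme0 NVMe INTEL SSDPEKKF512G8L L15P PHHH845300PU512H
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
    Base comID = 0x0800, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N'

# Constructed sample: what --PSIDrevert printed (identical for a real and a fake PSID).
SAMPLE_REVERT='One or more header fields have 0 length
Properties exchange failed
One or more header fields have 0 length
Session start failed rc = 136
One or more header fields have 0 length
End session failed'

# query_field NAME: print the value of the "NAME = VALUE" pair from --query text on stdin.
# Pairs are comma-separated; the TPer line in the issue uses a '.' after ASYNC instead.
query_field() {
    tr ',.' '\n\n' \
      | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
      | head -n 1
}

# opal_state: classify the locking state reported by --query (text on stdin).
# Prints one of: not_opal | factory | provisioned | locked
opal_state() {
    local text supported enabled locked
    text=$(cat)
    supported=$(printf '%s\n' "$text" | query_field LockingSupported)
    enabled=$(printf '%s\n' "$text" | query_field LockingEnabled)
    locked=$(printf '%s\n' "$text" | query_field Locked)
    if [ "$supported" != "Y" ]; then
        echo not_opal      # no Locking feature: sedutil cannot manage this drive
    elif [ "$locked" = "Y" ]; then
        echo locked        # ranges are locked; a PBA or an explicit unlock is needed
    elif [ "$enabled" = "Y" ]; then
        echo provisioned   # locking enabled, so the drive already has an owner
    else
        echo factory       # LockingSupported=Y, LockingEnabled=N: not currently provisioned
    fi
}

# revert_failure_stage: how far a --PSIDrevert got, judged from its output on stdin.
# Prints one of: properties | session | authorization | ok
# A sedutil session starts with a Properties exchange that carries no credential;
# the PSID is only sent in the StartSession that follows. When Properties already
# fails, the PSID was never checked, so a wrong PSID cannot yield NOT_AUTHORIZED.
revert_failure_stage() {
    local text
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'Properties exchange failed'; then
        echo properties
    elif printf '%s\n' "$text" | grep -q 'Session start failed'; then
        echo session
    elif printf '%s\n' "$text" | grep -q 'NOT_AUTHORIZED'; then
        echo authorization
    else
        echo ok
    fi
}

# zero_length_headers: count responses that came back with an empty header (stdin).
zero_length_headers() {
    grep -c 'header fields have 0 length' || true
}

# summarize QUERY_TEXT REVERT_TEXT: one line suitable for a ticket or log.
summarize() {
    printf 'state=%s failed_at=%s empty_headers=%s\n' \
        "$(printf '%s\n' "$1" | opal_state)" \
        "$(printf '%s\n' "$2" | revert_failure_stage)" \
        "$(printf '%s\n' "$2" | zero_length_headers)"
}

summarize "$SAMPLE_QUERY" "$SAMPLE_REVERT"
```

For the drive in this issue the summary reads `state=factory failed_at=properties empty_headers=3`: the drive advertises OPAL locking but is not provisioned, and every exchange stopped at the first, credential-free step, which is consistent with the identical output for a correct and a fake PSID.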
@Trikenstein (Author)

@youk you probably meant to post this answer for a different issue, because the above answer has nothing to do with the question of this post.

@youk

youk commented Aug 24, 2023

Well, yeah. It was a glitch at my side. Sorry.

@youk

youk commented Aug 24, 2023

Although I notice the RESCUE image boots perfectly with Secure boot enabled.

This is extremely weird. It won't be possible on a properly secured system since this image is unsigned.

@Trikenstein (Author)

This is extremely weird. It won't be possible on a properly secured system since this image is unsigned.

I actually boot RESCUE64-1.20.0.img using Ventoy. Ventoy itself could boot with secureboot enabled. Then I select the Rescue image and somehow it could boot. Not sure how Ventoy could manage booting an unsigned image.

Sorry I didn't update the issue. After many trials to provision my NVMe, I also tried to flash the RESCUE image alone onto the USB. With that, indeed, Secure Boot has to be disabled to be able to boot.

@youk

youk commented Aug 25, 2023

Aah, Ventoy... It's a great tool for quickly booting live ISOs, but as concerns bootloading a supposedly secured system... The way it circumvents Secure Boot (yes, it circumvents it) is a big security hole.

@ChubbyAnt (Owner)

This is extremely weird. It won't be possible on a properly secured system since this image is unsigned.

I actually boot RESCUE64-1.20.0.img using Ventoy. Ventoy itself could boot with secureboot enabled. Then I select the Rescue image and somehow it could boot. Not sure how Ventoy could manage booting an unsigned image.

Sorry I didn't update the issue. After many trials to provision my NVMe. I also tried to flash the RESCUE image alone on the USB. With that indeed, secure boot has to be disabled, to be able to boot.

Can Ventoy automatically chainload RESCUE64-1.20.0.img, thereby solving the secure boot issue with SEDutil?

@youk

youk commented Oct 16, 2023

Can Ventoy automatically chainload RESCUE64-1.20.0.img, thereby solving the secure boot issue with SEDutil?

I am not that familiar with Ventoy internals, but I doubt that. Each kind of bootable image needs specific support in Ventoy. Even if Ventoy could chainload it, it would only help to circumvent SecureBoot. There's a large discussion regarding SecureBoot in Ventoy – Ventoy should only allow the execution of Secure Boot signed executables when Secure Boot is enabled.

@catherinedoyel

Can Ventoy automatically chainload RESCUE64-1.20.0.img, thereby solving the secure boot issue with SEDutil?

No. Ventoy tampers too much with any OS boot process. While it is based off of grub2, it is so far separated that its loading is effectively not the same as a grub2 chainloader command. Ventoy is nice for trying things out, but relying on it 100%, especially in a security context, is not a good idea.
If I needed to use only one flash drive, I would format my flash drive into two FAT32 partitions:
128 MB for RESCUE64.img.gz and the remainder for whichever distro you are trying to run. Most motherboards should allow you to pick between the two partitions. If it only shows your flash drive once, then try to look for "boot from EFI file" and browse the partition to /boot/efi/bootx64.efi


4 participants