Description
Can you please hint if sedutil-cli is really working? There is not a lot of documentation on the web. I've carefully read and followed the Drive-Trust-Alliance/sedutil guide "Encrypting your drive" to the letter. There is very little documentation on the web. The few pages I found just echo the DTA guide mentioned.
Ultimately, I would like to know the reason for the failure to provision an OPAL 2.0 NVMe, because it seems like a lot of people are having similar issues and there is no clear answer.
Test made on 2023-08-08, hardware:
- Lenovo laptop T580
- Disk: SSDPEKKF512G8: Intel Pro 7600p Series 512GB TLC PCI Express 3.1 x4 NVMe (AES-256) M.2 2280
- Boot from RESCUE64-1.20.0.img
- UEFI mode
- Secure Boot disabled in BIOS. Although I notice the RESCUE image boots perfectly with Secure Boot enabled.
The problem
Any sedutil-cli command that writes to the drive failed with:
- One or more header fields have 0 length
- Properties exchange failed
- Session start failed rc = 136
In March 2022, a user with similar hardware and the same troubles that I am having opened issue #40, in which a solution was suggested using:
```
./sedutil-cli --PSIDrevert "ThePSIDPrintedOnTheLabel" /dev/nvme0
```
This command doesn't work on my drive. Here is the output I got. The same output is returned whether the PSID is correct or intentionally fake (hoping to see a NOT_AUTHORIZED response). Nothing happened to the drive. It could boot normally.
```
One or more header fields have 0 length
Properties exchange failed
One or more header fields have 0 length
Session start failed rc = 136
One or more header fields have 0 length
End session failed
```
sedutil-cli --scan
```
Scanning for Opal compliant disks
/dev/nvme0 2 INTEL SSDPEKKF512G8L L15P
/dev/sda No
/dev/sdb No
/dev/sdc No
No more disks present ending scan
```
sedutil-cli --query /dev/nvme0
```
/dev/nvme0 NVMe INTEL SSDPEKKF512G8L L15P PHHH845300PU512H
TPer function (0x0001)
ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
Max Tables = 10, Max Size Tables = 10485760, Table size alignment = 4096
OPAL 2.0 function (0x0203)
Base comID = 0x0800, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
Locking Admins = 4, Locking Users = 9, Range Crossing = N
**** 1 **** Unknown function codes IGNORED
```
Testing the PBA with linuxpba
```
DTA LINUX Pre Boot Authorization
Please enter pass-phrase to unlock OPAL drives: *****
Scanning....
- 23:05:49.013 ERR: One or more header fields have 0 length
- 23:05:49.014 ERR: Properties exchange failed
Drive /dev/nvme0 NVMe INTEL SSDPEKKF512G8L is OPAL NOT LOCKED
Drive /dev/sda not OPAL
```