Issues enabling BitLocker hardware encryption (Windows Encrypted Hard Drive) on AMD 7840

Hey everyone, I just wanted to add that I am also experiencing the issues shown in this thread. I have a Framework 13 AMD R5 7640U together with a Samsung 990 Pro 4 TB. I want to use hardware encryption as well and I run into the “Boot device not found” issue. I do not yet need my laptop to work on, I bought it for my world trip starting in April. So I have the option to try things out because I don’t mind reinstalling Windows a dozen times to test things.

I see now that I am not crazy and that there are firmware bugs in the FW BIOS. I was already almost sending back my SSDs thinking they were broken. The secure erase tool doesn’t work on encrypted drives and just gives a non-descriptive “Error (29)” when trying to erase it. But after finding that I could get them back to life with the PSID revert, I see that they are not broken but just get locked after you applied the encryption.

I did, in my attempt to fix the boot issue, erase all secure boot settings in the BIOS. I am not sure if that was a good move and how to get them back. I will try to reinstall my BIOS and see if that fixes it but if there is a different action I should take I would love to hear it. I am not that versed on the detailed inner workings of BIOS-es and HW encryption. (EDIT: I see I can reset the secure boot settings to factory defaults. No need for reinstall. I guess I am a bit cross-eyed for not seeing that straight away.)

I will keep an eye on this thread to see what people post and if anyone needs me to test something.

Allow me to muddy the waters further: The 990 Pro just got a new firmware release. I’ll try testing it when I have some time but that won’t be for a while. See Station-Drivers - Samsung SSD990 Pro Firmware Version 4B2QJXD7 - Forum

My guess is that the issue is something closer to a BIOS issue than a firmware issue given that I can successfully use encrypted drive on other machines, but these are complex beasts, so who knows.

I just checked my SSD and for me there is no new firmware. I have the 4TB model which was released in September 2023. Samsung Magician says this:

Samsung SSD 990 PRO 4TB | S7DPNJ0WA03036V
Latest Version 0B2QJXG7
You are currently running the latest version of Firmware.

So it is indeed more likely to be a BIOS problem, unless this new drive has the exact same firmware bug. They might share a bit of the code base, but that would probably mean your update is not going to help.

Might want to restart Samsung Magician, shows an update for me after relaunching the app here.

This page claims the only fix is:

To address reports of high temperatures logged on Samsung Magician.

Hi

Why are you so keen to use BL with HW encryption aka eDrive which has been shown insecure over 5 years ago?

I could not find any information on the net showing that this issue has been resolved - so why do you want an insecure BL installation?

The security flaw in the affected drives was resolved with firmware updates. The flaw wasn’t in the standard, it was in the implementation.

I mean I guess you could always go with LUKS and break the encryption by holding down the enter key.

Ok.

But Microsoft still has it disabled by GPO as standard, which doesn’t look reassuring :wink: and getting it to work still seems to be very messy.

T700 and 990Pro should work, but it’s hard to find any reliable info on which drives are working with it.

I would guess the reason that it’s not standard in GPO is because it’s not supported by all drives. Getting it to work requires specific steps, but it’s not very hard. I have it working on the 990 Pro on my GPD Pocket3, and the battery and performance advantages on it over software encryption are quite noticeable.

The issue at hand is that the feature is “supported” in the BIOS, but something is keeping it from functioning properly. I won’t say that using the hardware encryption on the drive is a security panacea or fits everyone’s threat model, but for those of us who understand it and want to use it it’s frustrating to have the way blocked by bugs.

Ok, thx.

I will probably switch to a Thinkpad T14s as I now do need WWAN during some days, which I did not consider when I ordered my FW - still love the FW though…

Assuming this is going to be an issue with older gen Samsung drives (970, 980) due to it being BIOS related? And other drives that support OPAL and eDrive?

It will probably affect all drives yes. You can try it but don’t get your hopes up. I hope the FW13 AMD will get some love soon with some updates.

For your information, the BIOS version 3.05 for AMD 7040 has not resolved the issue. The Samsung Pro 990 in ‘ready to encrypt’ state still lacks the option to disable block SID in BIOS.

Thank you, this is as helpful as it is disappointing… :confused:

The recent update in the framework newsletter stated that they did not have a dedicated team to work on software updates. They apologized for this and explained why it was so. They have also now committed to a dedicated software team which is going to prioritize issues and resolve them as fast as possible. So depending on where we end up on the priority list, probably not very high, we could maybe see some fix in the next months. Hopefully not years…

Thanks for checking, although this is not diagnostic for this issue. Block SID should only be enabled after the encryption has taken place - its function is to prevent changes to the configuration once the secure configuration is in place. This isn’t encouraging, per se, but it’s not indicative the issue isn’t fixed. Block SID can also be enabled from the OS via the CLI even if the BIOS doesn’t expose it.

I also doubt it’s been fixed, based on the release notes, although this touches intriguingly close to the issue:

It’s not the same issue, but tangentially related. Not enough for me to spend the time wiping/reinstalling/testing right now though.

Part of what makes this issue so difficult to troubleshoot and test is that it requires a long series of steps to reproduce and verify. I’ve half a mind to get another 990 Pro to test with.

Well, I did go all the way with enabling encryption with Magician, secure erasure of the drive, checking for the ‘disable block SID’ in the BIOS, and even tried the “Windows to Go” method to disable the block SID via a PowerShell script. I ended up with an encrypted drive that was not bootable until decrypted.

I just assumed there was no chance of getting this working until the “ready to encrypt” drive is not visible in the BIOS “secure settings” and have “disable block SID” option.

Understood. Thanks for testing! I also realize I misread what you said about the Block SID option - disabling it is indeed what you want to do to encrypt the drive, then re-enable it afterwards. My bad.

I’m having the exact same issue with Intel® Core™ Ultra Series 1…

Also with a Samsung 990 PRO, enabled encryption with Samsung Magician and got no option in the BIOS to manage the storage on the security tab so I can’t change the operation mode.

I thought it might still work so I proceeded to encrypt with BitLocker but now I’m stuck with an unbootable drive…

It’s very upsetting as performance is way better with hardware encryption…

Can we get this prioritized, Framework team?
We are many who would like to use hardware encryption but can’t…