Self-encrypting drives

Despite the lack of a TrackPoint, I’ve gone ahead and pre-ordered a DIY edition. However, I skipped the drive. Not because I have a spare gen4 nvme m.2 drive lying around, but because I’m holding out to source an Opal2 SED.

Wanted to put it out there, because I would order an SED with the laptop if it were an option. Does the UEFI firmware support enabling a boot-time unlock of an SED? Was this skipped for perceived lack of demand, or the lack of gen4 m.2 SEDs?

On the crazy side, I’d like to mutter about u.2 support for some truly fast storage, but I know, it wouldn’t fit in the chassis. Or probably the power envelope.

I’d like to know this as well as I contemplate using a PBA with my Samsung SSD. Can someone with knowledge of the firmware comment on this?

The firmware does take a hdd password and claims the SSD encryption has been enabled (rocking a 980 pro): I haven’t bothered to pull the drive and verify state independently. HDD password the firmware takes is relatively short. Maybe 8 characters? What I’m typing is a hell of a lot longer, but it only takes so many characters. One of these days I need to get around to actually stopping/counting that as well…

Have you tried sedutil-cli? I’m planning on using it via rear, as outlined in their guide: https://github.com/rear/rear/blob/master/doc/user-guide/13-tcg-opal-support.adoc

Hey Mark and Jason,

did you manage to have a working setup? I am really stuck now

My setup:

• FW 12th Gen, i5-1240P
• Samsung 980 Pro 1TB
• Kubuntu 22.04.01
• ssd layout (shadowMBR)(BIOS/1MB; EFI/256MB; ext4-root/256GB; ext4-home/~750GB)

Now I’d like to use the ssd’s hardware encryption

• Boot the PBA from the shadowMBR
• Unlock the drive
• Load the regular system from the unlocked drive

What I tried so far

• create a rescue system and PBA with rear (from /user-guide/13-tcg-opal-support.adoc as already suggested by Jason above)
  • The rescue system/OpalPBA combination never booted, neither in qemu nor on the FW nor on my old laptop (same OS, kernel etc. but old hardware)
• Next I created the [Drive-Trust-Alliance] (github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive) rescue system
  • The DTA rescue system booted from USB
  • Then I could setup the encryption (for the samsung drive i needed to do a PSID revert first (see github Drive-Trust-Alliance/sedutil/issues/291) and github Drive-Trust-Alliance/sedutil/wiki/PSID-Revert) following the instructions here github Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive.
  • Also the installation of the PBA on the shadowMBR was sucessful and booted.
  • Next I installed Kubuntu (following step-5-install-the-operating-system from the 13-tcg-opal-support.adoc)
  • After enabling locking again from the DTA rescue system I could sucessfully boot and unlock the ssd in the PBA, at the end the screen said sth like “loading OS”
  • only then… the system rebooted and I ended up in the PBA again. and again
• Again, I made many more attempts to get the whole rear-stuff booting, but no luck
• Then I found that the rear-OpalPBA-raw-img booted in quemu and from USB on the FW
  • so I rebooted my regular Kubuntu installation (after adding libata.allow_tpm=1 to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and running sudo update-grub) and
  • used sedutil-cli to write the rear-PBA into the shadowMBR on the ssd
  • When booting up, the rear-PBA loaded nicely from the ssd shadowMBR - only it never accepted my password and rebooted after 5 failed attempts to unlock
• At least I still had that DTA rescue system to disable the encryption/unlock the drive.

So that’s where I am - no more ideas and hoping for some community insights from more successful installations…

Thanks and best regards,
Raphael

PS: sorry I had to unlink some of the ressources being a new member here

@Mark_Coelho @Raphael Hey! Could you please answer if it worked for you and what you did? I too want to buy an SED for my new Frameworks DIY Laptop and want to use it with Ubuntu.

Could you also comment if you are able to do the firmware updates from Linux?

Hey Lamy,
yes, finally I made it, just didn’t find the time yet to write a detailed answer, hope to do that soon.
Very short hint:
The problem at this

When booting up, the rear-PBA loaded nicely from the ssd shadowMBR - only it never accepted my password and rebooted after 5 failed attempts to unlock

point was, that the function tries to run a partprobe on the character device
crw------- 1 root root 239, 0 Okt 13 19:49 /dev/nvme0
which fails. Instead it should run it on the block device
brw-rw---- 1 root disk 259, 0 Okt 13 19:49 /dev/nvme0n1

This can be fixed in a q’n’d way by editing the rear scripts (before creating the rear-PBA img):

diff /usr/share/rear/lib/opal-functions.sh*
192c192
<     sedutil-cli --setMBRDone on "$password" "$device" && partprobe "${device}n1" || partprobe "$device"
---
>     sedutil-cli --setMBRDone on "$password" "$device" && partprobe "$device"

After that the PBA-unlock-reboot-happy sequence works as intended.

And: what firmware update do you mean? For the SSD or for the laptop?

Best, R.

Hey Lamy,
no I didn’t do any firmware updates yet, seems I already got the latest release installed. Anyhow I collected some information just in case I will have or want to do any updates:

• See info about your NVMe drive:
  sudo smartctl --info /dev/nvme0
  In the output you can also see the number of namespaces, the 980 PRO has 1 - this actually is the number you can see in /dev/nvme0n1

• Find the latest firmware for your Samsung SSD on their support page

• This page here seems pretty helpful for doing the Firmware update Samsung SSD in Linux

@Lamy and @Raphael
I have my 980 Pro encrypted via the BIOS drive password. It appears to be using the underyling SED capabilities, but I haven’t really carefully dug into it. Just verified that sedutil-cli shows “encryption enabled” and the drive appears unreadable when placed in another system.

Basically, I let it become my daily-driver desktop much faster than expected and I haven’t done quite as much tinkering as I expected.