[SOLVED] Stuck on harddisk security at boot

I was trying to set up self-encryption on the SN850X on my new Framework 13 AMD, using sedutil and a PBA. On booting I’m just getting a “harddisk security” screen, which lets me select the drive and asks for a password, but comes up before anything else (so it’s not the PBA) and doesn’t accept the password I set for encryption with sedutil. The system won’t boot to a USB drive, or accept F2 or F11 to get to settings or the boot menu. If I take the drive out then everything is ok.

This is a Linux problem in that I was using sedutil from Linux, but I can’t boot to anything right now.

Is there anything I can do to get around this, other than presumably getting an NVMe enclosure and resetting the drive from a different system? I don’t have anything important on the drive.

Do you have special characters in your password, which are only available when the keyboard language is set correctly? Like Y and Z swapped keys.

No, the password was 314159 (was intending to change it after testing).

It sounds like you have set up an HDD password in the BIOS. Can you double check this?

I haven’t actually been able to find that setting. My BIOS settings (it’s 3.03 and came that way) are showing up as a graphical thing rather than the extended ASCII-ish version shown in the BIOS guide. The security page shows supervisor password not installed, and nothing about an HDD password. (This is with the SSD removed since that’s the only way I can boot to settings, but I don’t remember seeing it before either.)

Would you please post a photo of this harddisk security screen? Which SSD are you using?

Please have a look here, it might help: Clear HDD password
Here is some guidance too: BIOS guide

The SSD is a WD SN850X. Here is the initial harddisk security screen and then the password screen after I select the drive.

And yes, I’ve looked through both of those, I just can’t find anything like “hdd password” or “storage password” in my BIOS settings. This is what the bottom of the security page looks like (there is more TPM stuff if I scroll up).

I didn’t try the battery disconnect to reset because I don’t have the actual CMOS battery and couldn’t work out what the procedure is without one.

Hold on, I can now get out of the harddisk security screen with Escape. I was sure that wasn’t working before, so I’m not sure if I somehow failed to check that key or if I changed something while trying to reset to default BIOS settings. It doesn’t totally explain things, but I can most likely boot to a USB and fix what I did before.

When I boot with the SSD and escape from the harddisk security screen, the BIOS settings do have a “storage password setup page” with per-disk passwords, and there is one set for the SSD. I can also boot to Linux on USB, which I used to confirm the encryption password I had set in sedutil.

So I still have no idea where the BIOS HDD password came from or what it is, but I’m not actually stuck and can almost certainly reset the drive from either Linux or the BIOS. Sorry for the trouble, since this was probably just me being careless.

I don’t know about the firmware on AMD systems, but on my 13th gen Intel Framework 13 there definitely were options in the BIOS to enable the HDD password, and (after some initial struggle) I was able to enable it on my Samsung 990 PRO.

From what I was able to figure out by comparing the output of sedutil before and after enabling the HDD password, the BIOS basically enables the OPAL locking without enabling PBA; looks like I even still have the relevant files:

--- sedutil-query-nopassword.nvme0      2023-07-28 17:23:31.521142366 -0500
+++ sedutil-query-password.nvme0        2023-07-28 20:45:04.569195032 -0500
@@ -3,7 +3,7 @@
 TPer function (0x0001)
     ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
 Locking function (0x0002)
-    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
+    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
 Geometry function (0x0003)
     Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
 Opal V1.0 function (0x0200)
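Review bot: The only flag that changes in this hunk is LockingEnabled (N on the left, Y on the right); MBRDone and MBREnabled stay N on both sides, so the BIOS storage password has turned on OPAL locking without enabling the shadow MBR that a PBA depends on. That matches the poster’s reading of the diff, and it is the same MBREnabled-off state a later reply in this thread associates with the harddisk security screen.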

Also, I seem to remember verifying that the password I entered in the BIOS was usable in sedutil-cli as well, but only with the -n option, i.e., no hashing.

As to what happened to you, I’m guessing that the BIOS checks if the OPAL locking is enabled and if so, it presents that prompt – irrespective of how the locking was enabled. Ideally it should at least check if PBA is enabled as well and only prompt for the password if it isn’t…

So we need a BIOS fix for this, because I am also planning to use OPAL PBA with my new Framework. Or can we remove the storage password later from the BIOS settings and it will not ask again, but OPAL PBA is still working?

I set out to try to verify that -n would get a matching password, but instead I discovered that if I start over (--reverttper) and follow the instructions from the sedutil wiki using the sedutil rescue image, everything seems to work. I end up with the linuxpba check failing (“is OPAL Failed”) immediately after installing the PBA, but when I reboot I do not get the harddisk security screen and instead get the PBA.

I haven’t set up an OS yet but the PBA appears to accept the password and then shows “is OPAL Unlocked”.

The first time around I set it up with the instructions from the Arch wiki and was using the Arch installer image to boot, so it seems like probably the BIOS was rejecting that PBA and the harddisk security screen is what happens instead.

After playing around more because I wanted to evaluate the initcpio unlock option, I think it’s having MBREnabled off that triggers the harddisk security screen, although I’m not sure why I would have done that for the setup that led to this post.

Yes, if I set a storage password for the drive in the BIOS first, then it becomes the password for sedutil, but I need to use -n. The harddisk security screen still doesn’t seem to accept that password, at least with what I’ve tried.

So a PBA should work fine, but the initcpio unlock (needs MBREnabled off) or other selective lock ranges may be effectively blocked by the harddisk security screen.
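Added example (not from the thread or from sedutil): a small checker that parses the “Locking function” line of `sedutil-cli --query` output, as quoted in the diff above, and reports whether the drive is in the LockingEnabled=Y / MBREnabled=N state that the later replies associate with the harddisk security screen. The sample outputs are constructed from the lines quoted in the thread, and the state labels are this example’s own names for the cases the thread describes.

```python
import re
import subprocess

# Constructed from the two 'Locking function' lines quoted in the thread
# (before and after the BIOS storage password was set).
QUERY_BEFORE = """\
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
"""
QUERY_AFTER = QUERY_BEFORE.replace("LockingEnabled = N", "LockingEnabled = Y")

FLAG_RE = re.compile(r"(\w+) = ([YN])")


def parse_locking_flags(query_output: str) -> dict:
    """Return the Y/N flags of the 'Locking function' section as {name: bool}."""
    lines = query_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Locking function"):
            # Flags sit on the indented line right after the section header.
            return {m.group(1): m.group(2) == "Y" for m in FLAG_RE.finditer(lines[i + 1])}
    raise ValueError("no 'Locking function' section in query output")


def classify(flags: dict) -> str:
    """Map the locking flags to the boot behaviour described in the thread (labels are ours)."""
    if not flags.get("LockingSupported"):
        return "no-opal"          # drive has no OPAL locking at all
    if not flags.get("LockingEnabled"):
        return "unlocked"         # nothing enabled: normal boot, no prompt
    if flags.get("MBREnabled"):
        return "pba"              # shadow MBR on: firmware hands off to the PBA
    return "firmware-prompt"      # locking on, shadow MBR off: the harddisk security screen case


def query_device(dev: str) -> str:
    """Run the real sedutil-cli query for a device (requires root and sedutil installed)."""
    return subprocess.run(["sedutil-cli", "--query", dev], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for label, out in (("before", QUERY_BEFORE), ("after", QUERY_AFTER)):
        print(label, classify(parse_locking_flags(out)))
```

Run `classify(parse_locking_flags(query_device("/dev/nvme0")))` on a live system to check a drive before rebooting into a new configuration.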