Unable to boot from write-locked OPAL SED SSD

I have an NVMe SSD encrypted using OPAL SED. I have set up two locking ranges. One (LR2) containing the boot partitions is write-locked but not read-locked, i.e. it can be read without providing a password. This range contains the ESP, GRUB, kernel and a minimal root filesystem to unlock the rest of the drive (LR1) and continue boot.

# sudo sedutil-cli --listLockingRanges $pass /dev/nvme0n1
Locking Range Configuration for /dev/nvme0n1
LR0 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR1 Begin 16777216 for 7797259952
            RLKEna = Y  WLKEna = Y  RLocked = N  WLocked = N 
LR2 Begin 0 for 16777216
            RLKEna = N  WLKEna = Y  RLocked = N  WLocked = N 
LR3 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR4 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR5 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR6 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR7 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR8 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 

This setup has worked perfectly well on several laptops from HP and Lenovo.

The Framework BIOS, however, refuses to boot from the drive in its locked state, despite the drive being freely readable (which I have verified: if I boot from a live USB, I can read files on the NVMe boot partition without supplying any password). Instead the BIOS asks for a drive password (and of course does not accept the correct password, presumably because it is not using OPAL). If I skip entering the password by pressing escape, the BIOS claims there is no boot device available.

However, when I boot with a pre-unlocked drive (e.g. boot from a live USB, unlock the drive and do a warm reboot, which preserves the drive unlock state), then the BIOS happily boots from the drive.

This is currently the only way I can get it to boot. Boot from a USB drive, unlock the disk, do a warm reboot and continue normally. Needless to say, that is very annoying.

And as I mentioned above, all laptops from other vendors that I tried handled this just fine (with the exact same drive, I physically moved it from laptop to laptop).

I have a FW13 with 7840U mainboard with BIOS updated to 3.05. The SSD is a Samsung 990 Pro, but I guess that does not matter much.

1 Like
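The locking-range listing in the first post is the only place the intended policy (boot range readable without authentication but write-locked, data range fully locked) can be verified on the drive side. The script below is an added example, not code from the thread or from the sedutil project: it parses the sedutil-cli --listLockingRanges output quoted above, reports which ranges are configured, checks that no two configured ranges overlap, and checks that a chosen boot range and data range carry the flags the post describes. The sample text is copied from the post; the assumption that Begin/for values are logical block addresses is mine.

```python
"""Check a split OPAL locking-range policy from sedutil-cli --listLockingRanges output."""
import re
from dataclasses import dataclass

# Listing as quoted in the post above (unconfigured ranges LR4..LR8 omitted for brevity).
SAMPLE_OUTPUT = """\
Locking Range Configuration for /dev/nvme0n1
LR0 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR1 Begin 16777216 for 7797259952
            RLKEna = Y  WLKEna = Y  RLocked = N  WLocked = N 
LR2 Begin 0 for 16777216
            RLKEna = N  WLKEna = Y  RLocked = N  WLocked = N 
LR3 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
"""

HEADER_RE = re.compile(r"^LR(\d+) Begin (\d+) for (\d+)$")
FLAGS_RE = re.compile(
    r"RLKEna = ([YN])\s+WLKEna = ([YN])\s+RLocked = ([YN])\s+WLocked = ([YN])")


@dataclass
class LockingRange:
    index: int
    begin: int      # first block of the range (assumption: sedutil prints LBAs)
    length: int     # block count; 0 means the range is not configured
    rlk_ena: bool   # read lock enabled: reads need authentication after a power cycle
    wlk_ena: bool   # write lock enabled: writes need authentication after a power cycle
    rlocked: bool   # current read-locked state
    wlocked: bool   # current write-locked state

    @property
    def end(self):  # exclusive upper bound
        return self.begin + self.length


def parse_locking_ranges(text):
    """Turn the two-line-per-range listing into LockingRange records."""
    ranges, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header = tuple(int(g) for g in m.groups())
            continue
        f = FLAGS_RE.search(line)
        if f and header is not None:
            ranges.append(LockingRange(*header, *(c == "Y" for c in f.groups())))
            header = None
    return ranges


def configured(ranges):
    return [r for r in ranges if r.length > 0]


def overlaps(ranges):
    """Index pairs of configured ranges whose block spans intersect."""
    ordered = sorted(configured(ranges), key=lambda r: r.begin)
    return [(a.index, b.index) for a, b in zip(ordered, ordered[1:]) if b.begin < a.end]


def check_split_policy(ranges, boot_lr, data_lr):
    """Findings against the intent 'boot range readable, write-locked; data range fully locked'.
    An empty list means the drive-side configuration matches."""
    by_idx = {r.index: r for r in ranges}
    findings = []
    for name, idx in (("boot", boot_lr), ("data", data_lr)):
        if idx not in by_idx or by_idx[idx].length == 0:
            findings.append(f"{name} range LR{idx} is not configured")
    if findings:
        return findings
    boot, data = by_idx[boot_lr], by_idx[data_lr]
    if boot.rlk_ena:
        findings.append(f"LR{boot_lr}: read lock enabled, firmware cannot read the boot files unauthenticated")
    if not boot.wlk_ena:
        findings.append(f"LR{boot_lr}: write lock not enabled, the boot chain is not write-protected")
    if not (data.rlk_ena and data.wlk_ena):
        findings.append(f"LR{data_lr}: data range is not fully locked (read and write)")
    for a, b in overlaps(ranges):
        findings.append(f"LR{a} and LR{b} overlap; locking semantics of shared blocks are ambiguous")
    return findings


if __name__ == "__main__":
    parsed = parse_locking_ranges(SAMPLE_OUTPUT)
    for r in configured(parsed):
        print(f"LR{r.index}: blocks {r.begin}-{r.end - 1}, "
              f"read auth={'Y' if r.rlk_ena else 'N'}, write auth={'Y' if r.wlk_ena else 'N'}")
    print("findings:", check_split_policy(parsed, boot_lr=2, data_lr=1) or "none")
```

This only confirms what the drive will enforce; as the thread shows, firmware that recognises an OPAL-locked drive may still refuse to boot from a readable range, so a clean result here says nothing about the BIOS behaviour.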

I can confirm this issue for the 12th Gen Framework as well with BIOS Version 3.08.

I wanted to use a partially locked drive (readable boot and EFI partition, but locked root), but the system refuses to boot with a locked drive, as it ends up in the password prompt.

So the only workarounds for the time being are either unlocking the disk via USB boot or adding a PBA image, which unlocks the drive.

But I would much rather have support for partial locking ranges in BIOS, so I can unlock the system without the need for a PBA image.

1 Like

I actually do not think this requires any special ‘support’ in BIOS. The partially-unlocked SSD normally responds to normal read commands. All we need is for the BIOS to “ignore” the encrypted status of the SSD and not try to unlock it and just bravely go ahead and boot from it. I think that on a “dumb” BIOS that does not know about encrypted drives at all this would work out of the box.

For example, on HP laptops, there is an option in the BIOS that can be used to disable the drive unlock handling. And then this setup just works. If such an option were added to the Framework BIOS, this would fully solve the issue.