Samsung 960 NVMe drives: can boot from RESCUE64 and unlock, but drive PBA not recognized/bootable #213
Comments
I have the same issue with a TUF Z370 Pro Gaming. The funny thing is it works on my older ASUS Sabertooth Z77. That old board uses the Z77 chipset, which does not support booting off PCIe, but I was able to modify the BIOS and add the NVMe module from a newer Z87 chipset BIOS and boot the M.2 drive off a PCIe daughter board. It's not the drive, it's the BIOS support for your board, nothing more. I have a long case open with ASUS which ended nowhere with the useless low-level tech support you have to deal with upfront, who had no idea what an SED drive is and closed the case by saying that the board does not support booting off SED drives. The interesting part about the Z370 is that, like yours, while the drive is locked it does not present it in the BIOS as a bootable option, but if, let's say, while the drive is locked you boot up a Windows install disc, when you get to the drive partition part it actually sees the drive there. Except that you can't do anything to it because it's locked. But let's say you decide to choose the drive either way and you also have other drives plugged into SATA ports, and while you have the locked SED drive chosen you choose wipe partition: it gives an error because the SED drive is locked, of course, and can't do anything to it, but it passes the format or partition command to the other drives plugged into the SATA ports and wipes them out. Real nasty bug in their current BIOS.
My MB has full support for booting off PCIe devices. There must be an issue somewhere with the shadow partition for the PBA. Something there is missing.
Mine also is the new Z370 chipset, which comes with 2 M.2 slots. I was just mentioning the older board to show that even the old one works. All I run is SED drives in quite a few systems using this PBA image. The issue is with the BIOS of the board, not the drive. Like I said, I can move the drive to any of my other systems and it works fine. In fact I have placed a different vendor's SED drive, from Crucial, into that board and it's the same thing. Any locked SED drive on that board is not shown as bootable. It has nothing to do with the 960 Pro. Get yourself a Crucial MX series drive to test for yourself; it has Opal 2 support and you will see your board will not boot it either.
Some mainboards simply fail to load the UEFI rescue image because their default boot menu item looks for the bootable image in the wrong (Windows-specific) path under the EFI partition, where there's nothing inside the rescue image. Try to add two UEFI boot entries to your system setup menu (a.k.a. BIOS menu): one for when the drive is locked and you only have access to the PBA, using the path to the bootable image actually available in the PBA's EFI partition, and another one for once the drive is unlocked (you may already have this if you had an OS installed before). Then configure them both to be before any other boot entry. This did the trick for me.
@cristim gave you the answer to your question, but I have a question for you... Are you able to access the drives under Windows with sedutil-cli? I bought an 1800x and B350MB to after the price drop but the security send command times out (without any error message) and fails to detect/manage the drives under Windows. I'm wondering if this is MB specific. The drives can be configured and managed under Linux without issue so it's not a HW issue.
I am having similar issues on an ASUS Prime X399-A board with a Samsung 960 Pro. I believe the issue is MB related, not related to the SSD. When I have the MBR done on and locking enabled, my BIOS doesn't even show the M.2 connected.
I am also having the same issue with a Samsung 970 Evo on the Gigabyte X470 Ultra Gaming motherboard. I have tried both the UEFI PBA and the BIOS PBA but neither shows up as a bootable entry in the BIOS menu.
I booted into a UEFI shell and when the drive is in a locked state, it doesn't even show up in the device tree. Though if I boot into a Linux live CD, the locked drive is visible there (along with the PBA partition). After unlocking the drive using a PBA image on a USB stick, if I boot into the UEFI shell again, the drive does become visible (and also appears in the BIOS boot menu). So it looks like the NVMe UEFI driver isn't recognizing the locked drive.
GUYS STAAAAP This isn't gonna work. EVER. So no, the BIOS can't load the bootloader, it doesn't even see a bootloader. That's why it won't show up anything. At least in UEFI it's impossible. I didn't test it in BIOS mode, but it's not very likely. However, even though your drive might have it, you can't boot from it. However, I found a workaround. So now, lucky me, my laptop has 2 NVMe slots; one is populated with a Crucial SSD, the other now has an 870 EVO NVME. What I did is utilize the PBA's ability to unlock all drives at boot. So I made a fresh install; the Crucial is now only EFI partition (plus data) and unlocker. An alternate method is: get a really tiny thumb drive and always boot from there. Anyhow, that's the only way, at the moment, to have an NVME as OPAL encrypted boot drive for like 99% of all BIOSes. Side note: it's sad that BitLocker can't do the same. I wasted unbelievably much time. Right now the PBA is the only game in town for this workaround.
On some NVME drives it most certainly works. At least the 960 Pro can do it with UEFI. Edit: For clarification, some computers' UEFI can boot the PBA from a locked NVME, not all of them.
This is not a question of the NVME drive but the BIOS. And there's nothing a drive manufacturer can do about this. This is verified. Only because it works for you means nothing but that your BIOS supports it. Again, OPAL on NVME is not a standard, it's something that should work but mostly doesn't.
I just wanted to point out that it can work. So that people don't give up after reading your post without even giving it a try on their hardware.
On some computers it works out of the box, in others it doesn't but it can be fixed from the BIOS/setup configuration menu, while in others it turns out the menu doesn't support changing the configuration to make it work.
If people would actually read what I had written then this isn't an issue. Contrary to you, as you have obviously not read what I had written. @cristim Uhm no, this is not a question of settings. I do not know current new boards and chipsets, and maybe we're lucky and late 2018 boards do, but most 2017 and 2018 boards and ofc earlier don't support that.
@serossi I know pretty well about how OPAL works, what is the difference between NVMe and SATA and what is and is not an SSD. I'm actually typing this comment on a Dell Latitude E7270 laptop made in 2016, having a Samsung 960 NVMe drive running in OPAL mode. It didn't work at first but I figured out how to fix the EFI boot entry and it works like a charm for a lot of time now, including with sleep support as per #90. The fix for my machine had to be done on the setup menu, a.k.a. BIOS. The procedure was pretty easy, didn't take more than 5 minutes.
Different issue, same symptom: AMI BIOS has a bug where even the boot entry won't save you.
I'm experiencing something similar with my ASRock X370 Pro Gaming. It worked flawlessly with BIOS 3.x but I updated now to 5.x and suddenly the system doesn't boot at all when the drive is inserted. I cannot even enter the BIOS or boot menu. So for some the solution could be a downgrade of your BIOS. When I reset the device and remove the custom PBA all is working fine again. I'm currently trying different approaches. There are still two more I will try, as mentioned here. Is there any way to debug such a thing? Unfortunately downgrading my BIOS seems to be only possible from Windows, which is my last resort...
Ah, and if you wonder how I manipulate the drive if the system does not boot: I only insert the M.2 drive after the boot selection pops up.
Same thing with Supermicro X11SSH-LN4F and Samsung 970 Evo Plus. @cristim Can you describe how you did it, so that it works for you (maybe a tutorial), or indicate where to look for the necessary information (without the need to delve too much into the technical aspects of Opal and EFI operation)?
I've since switched my main computer to macOS so I'm no longer using this. But if I remember correctly the main problem is that the sedutil PBA stores the UEFI binary image in an uncommon/nonstandard path that many computers can't use. To fix this I had to use the BIOS menu, in particular the part about boot menu options, to first create a UEFI boot menu option for the locked drive, pointing to the UEFI binary path from the PBA. Then I used this menu option to boot the Sedutil PBA from the locked drive, and typed my password for unlocking it. Once unlocked, I rebooted again (but now with the unlocked drive), and then my computer was able to boot. But if it still fails, you can enter the BIOS menu again and create another UEFI boot menu option for the unlocked drive, pointing to the UEFI binary from the OS installed on the drive.
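The boot-entry fix described in the comments above (point a UEFI boot entry at the loader actually present in the PBA's EFI partition), sketched as an added example that is not part of the thread or of the sedutil project. It assumes the locked drive's PBA partition has been mounted from a Linux live system, which the thread reports is possible; the mount point, disk name, label and the `EFI/example/pba.efi` layout are constructed placeholders, and the script only prints `efibootmgr` commands instead of running them.

```shell
#!/bin/sh
# Added example: derive UEFI loader paths from a mounted PBA ESP.

# Print every *.efi file under mount point $1 as a UEFI path (\DIR\FILE.EFI).
list_efi_loaders() {
    root=${1%/}
    find "$root" -type f -iname '*.efi' | sort | while IFS= read -r f; do
        printf '%s\n' "${f#"$root"}" | tr '/' '\\'
    done
}

# Succeed if the default removable-media loader path exists.
# FAT is case-insensitive, so the comparison ignores case.
has_fallback_loader() {
    list_efi_loaders "$1" | grep -qix '\\EFI\\BOOT\\BOOTX64\.EFI'
}

# Print (do not run) one efibootmgr command per loader found.
# $1 mount point, $2 disk, $3 partition number, $4 entry label.
suggest_boot_entries() {
    disk=$2 part=$3 label=$4
    list_efi_loaders "$1" | while IFS= read -r loader; do
        printf "efibootmgr --create --disk %s --part %s --label '%s' --loader '%s'\n" \
            "$disk" "$part" "$label" "$loader"
    done
}

# Constructed stand-in for a mounted PBA ESP; directory and file names are made up.
demo_esp=$(mktemp -d)
mkdir -p "$demo_esp/EFI/example"
: > "$demo_esp/EFI/example/pba.efi"

if ! has_fallback_loader "$demo_esp"; then
    printf '%s\n' 'No loader at \EFI\BOOT\BOOTX64.EFI: an explicit boot entry is needed.'
fi
# /dev/nvme0n1 and partition 1 are assumed values; confirm yours with lsblk.
suggest_boot_entries "$demo_esp" /dev/nvme0n1 1 "PBA (locked drive)"
rm -rf "$demo_esp"
```

An entry created this way still depends on the firmware enumerating the locked drive at boot, which several boards in this thread do not do.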
I am writing from 2024. 2025 is coming soon and the Lenovo Yoga Pro 7 (2023 model) with the latest LWCN30WW InsydeH20 UEFI BIOS is also susceptible to this problem. When enabling Opal encryption using the sedutil-cli --readonlylockingrange 1 command only for the ESP partition or for any other partition (root, for example), the UEFI shell stops seeing the disk partitions and defines it as "Media Type: Unknown". However, if you boot from a live CD, the ESP partition with EFI is visible and successfully mounted, even without unlocking the disk. In conclusion, I want to say that I spent a lot of time thinking that I was doing something wrong before I managed to understand that the problem was in the BIOS itself, and I am very unhappy with the purchase of this Lenovo laptop with limited functionality for $2,000, for which I also separately bought a Samsung 990 Pro SSD in order to then enable encryption on it. I am also annoyed by the fact that I cannot enter the advanced BIOS settings, since Lenovo carefully hides this function. Also, their technical support is simply terrible, their employees are completely incompetent. My next model will definitely not be this brand and I want to warn everyone against buying it.
Helping a friend set up his system, with the following specs:
I can successfully initialize OPAL and unlock the drives from the RESCUE64 disk, and boot into it. But this is not working with the PBA flashed in the drives themselves. Nothing is listed as bootable. For now the workaround is to unlock using the RESCUE64 image, using a USB stick. This is not optimal...
I would like to know if there is anything I could have done wrong, as I followed, step by step, the wiki instructions, including the order for the MBREnabled settings.