Help needed: Initial setup fails on setMBRDone with Samsung PM1735 12.8TB NVMe

[ChriMarMe]

Hi everybody,
I got an issue with Samsung PM1735 12.8TB NVMe HHHL:
./sedutil-cli --scan

Scanning for Opal compliant disks
/dev/nvme0  2  SAMSUNG MZPLJ12THALA-00007               EPK9CB5Q

/sedutil-cli --query /dev/nvme0

/dev/nvme0 NVMe SAMSUNG MZPLJ12THALA-00007               EPK9CB5Q <SN>      
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 16 (8192), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = Y
**** 1 **** Unknown function codes IGNORED

Now, I want to run the initial setup (just for testing purposes and get comfy with the tooling and workflow), but the first step already gives me headaches to the maximum. I run:
./sedutil-cli -vvv --initialsetup "$MyPW" "/dev/nvme0"

And this produces the following log ( I reduce to log to the failing part):

Entering DtaDevOpal::setMBRDone
Entering DtaDevOpal::setLockingSPvalue
Creating DtaSsession()
Entering DtaSession::startSession 
Entering DtaSession::startSession 
Creating DtaCommand()
Creating  DtaResponse()
Entering DtaCommand::reset(OPAL_UID, OPAL_METHOD)
Entering DtaCommand::reset()
Entering DtaCommand::addToken(OPAL_UID)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_UID)
Entering DtaCommand::addToken(OPAL_TINY_ATOM)
Entering DtaDev::isEprise 0
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TINY_ATOM)
 Entered DtaHashPwd
 Entered DtaHashPassword
 Exit DtaHashPwd
Entering addToken(vector<uint8_t>)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TINY_ATOM)
Entering addToken(vector<uint8_t>)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaDev::isEprise 0
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::complete(uint8_t EOD)
Entering DtaSession::sendCommand()
Entering DtaCommand::setHSN()
Entering DtaCommand::setTSN()
Entering DtaCommand::setcomID()
Entering DtaDevLinuxNvme::sendCmd
Entering DtaDevLinuxNvme::sendCmd
Entering  DtaResponse::init
Entering  DtaResponse::tokenIs
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::tokenIs
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::tokenIs
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::getUint8
Entering  DtaResponse::getUint64
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::getUint8
Entering  DtaResponse::getUint64
Entering  DtaResponse::getUint32
Entering  DtaResponse::getUint64
Entering  DtaResponse::getUint32
Entering  DtaResponse::getUint64
Entering  DtaResponse::getUint32
Entering  DtaResponse::getUint64
Entering  DtaResponse::getUint32
Entering  DtaResponse::getUint64
Entering  DtaResponse::getUint32
Entering  DtaResponse::getUint64
Entering  DtaResponse::getUint32
Entering  DtaResponse::getUint64
Entering  DtaResponse::getUint32
Entering  DtaResponse::getUint64
Entering  DtaResponse::getUint32
Entering  DtaResponse::getUint64
Destroying DtaCommand
Entering DtaDev::isEprise 0
Destroying DtaResponse
Entering DtaDevOpal::setTable
Creating DtaCommand()
Entering DtaCommand::reset(OPAL_UID, OPAL_METHOD)
Entering DtaCommand::reset()
Entering DtaCommand::addToken(OPAL_UID)
Entering DtaCommand::changeInvokingUid()
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering addToken(vector<uint8_t>)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::complete(uint8_t EOD)
Entering DtaSession::sendCommand()
Entering DtaCommand::setHSN()
Entering DtaCommand::setTSN()
Entering DtaCommand::setcomID()
Entering DtaDevLinuxNvme::sendCmd
Entering DtaDevLinuxNvme::sendCmd
Entering  DtaResponse::init
Entering  DtaResponse::tokenIs
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::tokenIs
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::tokenIs
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::getUint8
Entering  DtaResponse::getUint64
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::getUint8
Entering  DtaResponse::getUint64
Entering DtaSession::methodStatus()
method status code NOT_AUTHORIZED
Entering  DtaResponse::getTokenCount()
Entering  DtaResponse::getUint8
Entering  DtaResponse::getUint64
Set Failed 
Destroying DtaCommand
Unable to update table
Destroying DtaSession
Creating  DtaResponse()
Creating DtaCommand()
Entering DtaCommand::reset()
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::complete(uint8_t EOD)
Entering DtaSession::sendCommand()
Entering DtaCommand::setHSN()
Entering DtaCommand::setTSN()
Entering DtaCommand::setcomID()
Entering DtaDevLinuxNvme::sendCmd
Entering DtaDevLinuxNvme::sendCmd
Entering  DtaResponse::init
Entering  DtaResponse::tokenIs
Destroying DtaCommand
Destroying DtaResponse
Unable to set setMBRDone on
Initial setup failed - unable to Enable MBR shadow

I understand that the session does not have the required authority to execute the setMBRDone function, but I cant figure out why.
Any help, ideas are welcome.

[JaBoMa]

Well, @ChriMarMe,
The output of your "sedutil-cli --query" command suggests that the drive you are dealing with has already been configured as TCG Opal encrypted, not booting ("MBRenabled = N"). Therefore its Admin1 password and SID password should already be established. If you know the Admin1 password, you don't have to perform the --initialsetup. However, if you don't know that password then I can't understand how you see this drive unlocked ("Locked = N"). Unless the LockingRange 0 is disabled. But I'm not sure if your "sedutil-cli --query" output would then be exactly as you were quoting.
If you do know the password, you can try to perform "sedutil-cli --listLockingRanges yourPassword /dev/nvme0" command to see what locking ranges have been defined.
Stay safe and Regards

[ChriMarMe]

Hello @JaBoMa and thanks for your answer.

What exactly in the query output does indicate that it is configured already?

I can run ./sedutil-cli --listLockingRanges "$MyPW" /dev/nvme0 and get:

method status code INVALID_PARAMETER
Session start failed rc = 12
One or more header fields have 0 length
EndSession Failed

This indicates something does not work, right?
But if I do ./sedutil-cli --initialsetup "$MyPW" "/dev/nvme0" I get:

takeOwnership complete
Locking SP Activate Complete
LockingRange0 disabled 
LockingRange0 set to RW
method status code NOT_AUTHORIZED
Set Failed 
Unable to update table
Unable to set setMBRDone on
Initial setup failed - unable to Enable MBR shadow

and repeat ./sedutil-cli --listLockingRanges "$MyPW" /dev/nvme0, then I get:

Locking Range Configuration for /dev/nvme0
LR0 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR1 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR2 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR3 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR4 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR5 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR6 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR7 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 
LR8 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N 

After this I reset the device with :

./sedutil-cli --revertNoErase "$MyPW" "/dev/nvme0"
./sedutil-cli --revertTPer "$MyPW" "/dev/nvme0"

and I get:

Revert LockingSP complete
revertTper completed successfully

I just don't understand how can I claim ownership but not be able to setMBDdone to true.

Best regards

[JaBoMa]

This:
"Locking function (0x0002)
Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y"
and this:
"OPAL 2.0 function (0x0203)
Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
Locking Admins = 4, Locking Users = 9,"
in my opinion indicates that the initial setup has been already done. My current system SSD (Samsung 840 Evo) shows the same, except of "MBREnabled = Y" and "MBRDone = Y" (while unlocked).
The result of your listLockingRanges suggests, however, that probably the locking has been disabled.

Could you just try to follow the "Encrypting the Drive" manual (Wiki Tab) from the point just after the --initialsetup command, i.e.:
sedutil-cli --enableLockingRange 0
sedutil-cli --setLockingRange 0 LK
sedutil-cli --setMBREnable ON ;this in addition - initialsetup does it, and your query shows it undone
sedutil-cli --setMBRDone OFF
sedutil-cli --loadPBAimage <pba_image_path&file>
sedutil-cli --setMBRDone ON

You are probably missing sedutil-cli --setMBREnable ON , that's why you cannot make --setMBDdone ON.

Best regards.

[JaBoMa]

One caution note: If you are not working from security system booted from a USB memory stick, but from THIS drive you are trying to make OPAL encrypted, better don't ever do: "sedutil-cli --setMBRDone OFF "
ATB and Regards

[ChriMarMe]

No worries. I didnt do anything yet. :)

I must have made the first quote of --query in my first description AFTER I run the --initialsetup.

Now lets assume everything is resetted I run the quote and get:

Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = Y

Best regards

[JaBoMa]

1. Could you read the following thread: sedutil-cli --initialsetup fails with “NOT_AUTHORIZED” on uniniatilized drive when booting with UEFI. #291 ?
2. Did you try to perform the --PSIDrevert ? Is it possible? (it would erase all data)
3. Which revision of sedutil did you use?
   I am afraid that my knowledge and experience with TCG Opal and sedutil are insufficient to help you.

ATB and Regards

[ChriMarMe]

I read the mentioned issue and tried to follow the arugments, yet my --initialsetup fails at a different point.

--PSIDrevert successful, but --inititalsetup still fails at the same spot:

takeOwnership complete
Locking SP Activate Complete
LockingRange0 disabled 
LockingRange0 set to RW
method status code NOT_AUTHORIZED
Set Failed 
Unable to update table
Unable to set setMBRDone on
Initial setup failed - unable to Enable MBR shadow

Sedutil was build from this repos master branch, but also tried @ChubbyAnt master, both fail at the same spot. see above.

I run this on a remote machine with coreboot/edk2, CSM not sure, allow_tpm = 0.

What stuns me is the fact, that I can take ownership but not being allowed to set MBRdone.

Anyway: Thank you very much for your time and help.

Best regards

[icomrade]

your drive has the same behavior as the CM6 I was (still am) having difficulty with. The error, however, in my case was that the CM6 doesn't support MBR Shadowing (or at least the FIPS 140-2 variant), I am unsure if there's public documentation for the PM1735 locking range features, but I would assume its the same issue. try doing a query to the drive with Amonton's fork, the shadow MBR not supported bit is "MBRAbsent": https://github.com/amotin/sedutil

[ChriMarMe]

Thanks for the hint 👍

Need to ask around about documentation. Not really easy to find.

[ChriMarMe]

TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MBRAbsent = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 16 (8192), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = Y
Namespace function (0x0403)
    Maximum Key Count = 75, Unused Key Count = 74, Maximum Ranges Per Namespace = 0

TPer Properties: 
  MaxComPacketSize = 66048  MaxResponseComPacketSize = 66048
  MaxPacketSize = 66028  MaxIndTokenSize = 65540  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1  MaxAuthentications = 5
  MaxSessions = 1  MaxTransactionLimit = 1  DefSessionTimeout = 0

Host Properties: 
  MaxComPacketSize = 2048  MaxResponseComPacketSize = 2048
  MaxPacketSize = 2028  MaxIndTokenSize = 1992  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1

That is the output. I interpret that the drive technically should support MBD Shadowing then?

[ChriMarMe]

Someone with a little more information told me that the drive is set to EOL soonish. I suspect this is an issue with the implementation of OPAL in the device firmware which Samsung simply won't fix and therefore set the device to EOL, but this is pure speculation. I have no idea if 2 to 3 years is the standard lifetime of such devices.

Anyhow: I can close this issue in peace.

[GreenReaper]

One caution note: If you are not working from security system booted from a USB memory stick, but from THIS drive you are trying to make OPAL encrypted, better don't ever do: "sedutil-cli --setMBRDone OFF " ATB and Regards

Indeed! For the sake of others: you don't necessarily need to go into "MBR mode" in order to actually load it into the table - --loadPBAImage without it worked fine on an 870 EVO.