OS not booting after unlocking disk
Closed this issue · 3 comments
Hi all,
I have a Samsung 990 Pro 1TB m.2 ssd on an MSI Pro Z790-P wifi board which doesn't offer setting a hard disk password, like almost no desktop mainboard does.
So I was trying to set up a pba to make use of the disk encryption.
I started with booting the rescue image and followed the instructions from https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive. As `sedutil-cli --initialsetup debug /dev/nvme0` failed with a permission error, I did a reversion of the psid using `sedutil-cli --PSIDrevert bunchofcharacters /dev/nvme0`, which worked fine. I was able to complete the guide without any further errors. UEFI64 1.20.0 is now installed.
After a poweroff and -on, the pba booted and asked for a password.
Two things came up here:
- when entering the wrong password, the pba does not prompt for another password, it just scans the disks, tells me about all disks that are either `is OPAL NOT LOCKED` or `NOT OPAL`, says Starting OS and hangs.
- when entering the right password, the right disk gets unlocked (`is OPAL Unlocked`), then it says Starting OS and … nothing. It just hangs. No keyboard reaction, no leds flashing or whatever.
I started the rescue image again and was able to unlock the disk using
```
sedutil-cli --setlockingrange 0 rw mypassword /dev/nvme0
sedutil-cli --setmbrdone on mypassword /dev/nvme0
```
Also I was able to `fdisk -l` the disk and access at least the efi partition (the rescue image doesn't include many tools). Also when I press the reset button the disk stays unlocked and boots my OS without problems.
So I guess the data was not harmed during the psid reversion.
fwiw:
- I am unable to issue a "reboot" from the rescue system. It just says "Requesting system reboot" and hangs. No keyboard input, no blinking cursor, just frozen.
- secure boot is off
- I have two other encrypted ssds connected via sata that are not locked using opal but by using an ata password (which I unlock using `hdparm --security-unlock mypassword /dev/sd{a,b}`)
Any clues on what I can try to make the pba boot my OS?
Okay, never mind. The cause for this issue is the bootcmd.
To solve this, download the UEFI PBA image and gunzip it. Then:
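```
# Map the image's partition (byte offset 1048576); -f takes the first free
# loop device, which the commands below assume is /dev/loop0
losetup -o 1048576 -f UEFI64.img
mount /dev/loop0 /mnt
# Remove " acpi=off" and everything after it on that line of the boot config
sed -i 's/ acpi=off.*//' /mnt/EFI/boot/syslinux.cfg
umount /mnt
losetup -d /dev/loop0
# Write the patched PBA image to the drive's shadow MBR
sedutil-cli --loadPBAimage yourpassphrase UEFI64.img /dev/whatever
```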
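An added example, not part of the original comment or of sedutil: the same image patch with the partition offset read from the image's own partition table instead of the hard-coded 1048576, and a check that `acpi=off` is really gone before the image is flashed. The function names are hypothetical; it assumes 512-byte sectors, GNU `sed` and util-linux `losetup`.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, 512-byte sectors assumed.

# le FILE OFFSET NBYTES: print an unsigned little-endian integer from FILE.
le() {
    local v=0 i=0 b
    for b in $(od -An -v -tu1 -j"$2" -N"$3" "$1" 2>/dev/null); do
        v=$(( v + (b << (8 * i)) )); i=$(( i + 1 ))
    done
    echo "$v"
}

# Print the byte offset of the first partition of a disk image (MBR or GPT).
first_part_offset() {
    local img=$1 ss=512 entries start
    # Boot signature 0x55 0xAA at bytes 510-511
    [ "$(le "$img" 510 2)" -eq 43605 ] || { echo "no MBR signature" >&2; return 1; }
    if [ "$(le "$img" 450 1)" -eq 238 ]; then
        # Type 0xEE = protective MBR: GPT header at LBA 1, LBA of the entry
        # array at header+72, first LBA of an entry at entry+32.
        entries=$(le "$img" $(( ss + 72 )) 8)
        start=$(le "$img" $(( entries * ss + 32 )) 8)
    else
        start=$(le "$img" 454 4)   # MBR entry 1: start LBA at bytes 454-457
    fi
    [ "$start" -gt 0 ] || { echo "first partition entry is empty" >&2; return 1; }
    echo $(( start * ss ))
}

# Show the affected lines, apply the thread's sed edit, fail if acpi=off remains.
strip_acpi_off() {
    grep -n 'acpi=off' "$1" >&2 || echo "acpi=off not present in $1" >&2
    sed -i 's/ acpi=off.*//' "$1"
    ! grep -q 'acpi=off' "$1"
}

# Whole procedure (needs root): patch IMG in place, then clean up the mapping.
patch_pba_image() {
    local img=$1 off loop mnt rc=0
    off=$(first_part_offset "$img") || return 1
    loop=$(losetup -o "$off" -f --show "$img") || return 1
    mnt=$(mktemp -d)
    mount "$loop" "$mnt" && strip_acpi_off "$mnt/EFI/boot/syslinux.cfg" || rc=1
    umount "$mnt" 2>/dev/null; losetup -d "$loop"; rmdir "$mnt"
    return "$rc"
}
# Usage (as root): patch_pba_image UEFI64.img
```

The `sed` expression from the thread deletes everything that follows ` acpi=off` on the same line, so `strip_acpi_off` prints the matching lines first; compare them with the result before running `--loadPBAimage`.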
Hey @philfry, did you also have to disable Secure Boot?
Hi @sunknudsen – no, it works fine with secure boot enabled.