testing LINUXPBARelease.img.gz yields method status code INVALID_PARAMETER #73

Closed
brianjmurrell opened this Issue Jul 1, 2016 · 17 comments

brianjmurrell commented Jul 1, 2016

So I have a machine with an OPAL drive in it:

# msed --scan

Scanning for Opal compliant disks
/dev/sda  2  INTEL SSDSC2BF480A5L                     LUDi    
No more disks present ending scan

(yeah, I know, msed is old(er) but it's what's on Fedora 23 at the moment).

But when I try to test the PBA I enter some random value for the pass-phrase and get:

ERR : method status code INVALID_PARAMETER
ERR : Session start Failed
ERR : Unlock failed - unable to set LockingRange 0 RW

And then it reboots only to repeat.

That said, I have a biospba-0.23beta.img around from when I did this the last time. Is that the SYSLINUX based PBA? Is there any reason I would not just use that instead since it seems faster than this LINUXPBARelease.img and doesn't require a reboot?

Is there any reason why the SYSLINUX PBA is not what is being used by this project by default?

Regardless, of course I am hesitant to enable encryption on this drive when the documented test procedure fails out of the gate.

Any ideas?

brianjmurrell Jul 1, 2016

So, looking around a bit more I found the FAQs and one of them describes:

INVALID_PARAMETER: The command sent to the drive is incorrectly formatted. This can be either a program or user error. The most likely error is that you are trying to issue a command to the ADMIN SP before it has been activated. Make sure you have run initialsetup before trying to setup the locking ranges.

But the test procedure does not mention running ... --initialsetup <password> <drive> until after the place in the document where it suggests testing the PBA first.

Do I have to run ... --initialsetup <password> <drive> before I can test the PBA?

brianjmurrell Jul 4, 2016

I hate to sound impatient but any ideas on this? I have a machine in limbo (i.e. I don't want to do anything on it, encryption-wise or otherwise) until I can be sure the PBA is going to work for me.

I don't really want to go ahead and try to encrypt the drive without knowing I can decrypt it and I don't want to use the machine for anything (i.e. adding data that I don't have anywhere else) else in case some kind of error/failure in the encrypting part of it renders the contents un-decryptable. Right now that machine has the content of the disk it's replacing so any fubars are recoverable although with more than just an insignificant time and effort.

brianjmurrell Jul 5, 2016

So I took a chance... Running:

sedutil-cli --initialSetup <password> <drive>

does not change the output of the PBA test. It still produces the same errors. If I try to run that again I get:

ERR : method status code NOT_AUTHORIZED
ERR : session start failed
ERR : One or more header fields have 0 length
ERR : EndSession Failed
ERR : takeOwnership failed
ERR : Initial setup failed - unable to take ownership

I'm guessing that operation is not idempotent. Perhaps not at least until I can successfully authenticate to the drive, which the PBA test does not seem to be doing.

FWIW, with the PBA test, if I enter the password I previously used with --initialSetup, I get the NOT_AUTHORIZED errors. I am most definitely using the same password I used with --initialSetup. Then the machine reboots and I get the DTA PBA passphrase prompt again.

I'm 90% sure I didn't get this NOT_AUTHORIZED the first time I tried to test the PBA after running --initialSetup but just kept getting the PBA passphrase prompt.

brianjmurrell Jul 5, 2016

FWIW, it would be nice if the PBA stopped after emitting any errors and allowed one time to read them before rebooting the machine. That's probably a separate ticket though.

brianjmurrell Jul 5, 2016

I feel like I am getting further down a rathole here. So here's some more information about the current state:

# msed --scan

Scanning for Opal compliant disks
/dev/sda  2  INTEL SSDSC2BF480A5L                     LUDi    
No more disks present ending scan
# msed --query /dev/sda

/dev/sda ATA INTEL SSDSC2BF480A5L                     LUDi     CVTRXXXXXXN480EGN  
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 16 (8192), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 5
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x0800, Initial PIN = 0x0, Reverted PIN = 0x0, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N

TPer Properties: 
  MaxMethods = 1  MaxSubpackets = 1
  MaxPacketSize = 8684  MaxPackets = 1  MaxComPacketSize = 8704
  MaxResponseComPacketSize = 8704  MaxSessions = 1  MaxReadSessions = 1
  MaxIndTokenSize = 8648  MaxAggTokenSize = 8648  MaxAuthentications = 3
  MaxTransactionLimit = 1  DefSessionTimeout = 900000  MaxSessionTimeout = 86400000
  MinSessionTimeout = 30000  DefTransTimeout = 1000  MaxTransTimeout = 1000
  MinTransTimeout = 100  MaxComIDTime = 60000  ContinuedTokens = 0
  SequenceNumbers = 1  AckNak = 0  Asynchronous = 0

Host Properties: 
  MaxMethods = 1  MaxSubpackets = 1
  MaxPacketSize = 2028  MaxPackets = 1  MaxComPacketSize = 2048
  MaxIndTokenSize = 1992  MaxAggTokenSize = 1992  SequenceNumbers = 1

Given that I have run --initialsetup <password> /dev/sda but that the PBA keeps telling me NOT_AUTHORIZED, is there any way I can test if the password that I think should be the password is the password, without using the PBA? Like an msed command that will confirm if the password is as I think it is?

brianjmurrell Jul 5, 2016

Ahhh.

I did try:

# msed --setSIDPwd foobar <my_password> /dev/sda

to see what msed does if I use the wrong password and it reported:

- 23:39:32.811 ERR : method status code NOT_AUTHORIZED
- 23:39:32.811 ERR : Session start failed
- 23:39:32.844 ERR : One or more header fields have 0 length
- 23:39:32.844 ERR : EndSession Failed

Which is good. So I then tried:

# msed --setSIDPwd <my_password> <my_password> /dev/sda

and got no error so that would seem to indicate to me that <my_password> is the correct one. Yet this is the same password that PBA test is reporting NOT_AUTHORIZED.

brianjmurrell Jul 5, 2016

OK. We can stand-down the red-alert on this one.

I bit the bullet, did a PSID revert on the drive and tested the PBA by actually installing it as the process describes. It worked.

I ended up having to configure the drive again and re-copy the data to the drive after encrypting it but it seems to be all working now.

I'd still like to understand the status of the syslinux version of the PBA vs. this Linux based one. I liked that the syslinux one didn't reboot the machine after entering the password.

r0m30 Jul 6, 2016

Contributor

Sorry for your issues. I also liked that the syslinux PBA didn't reboot the system. I wrote it first and it worked fine on my machine. As sedutil was installed on more machines it became apparent that the SATA interface was not very robust. It has a primitive SATA driver that works for some machines and doesn't for others. I have tried to remote debug issues with it before with little success. So at this point it is available to try, and if it works, great; if not, then you will need to use the Linux based PBA.

We hope to develop a UEFI PBA similar to the syslinux PBA but work on that has not even started.

brianjmurrell Jul 6, 2016

it is available to try

Is this it here?

Presumably one can just load it over the LINUXPBA using sedutil-cli --loadPBAimage <password> <pbafilename> <drive> but what does one do if it fails to work? Does one boot on the Rescue Image and then reload the LINUXPBA again?

Can that be done simply with sedutil-cli --loadPBAimage <password> <pbafilename> <drive> again or does some kind of unlocking need to be done before that?

r0m30 Jul 7, 2016

Contributor

Yes, that's it.

If it failed I'd boot the rescue image, unlock the drive and then reload the other PBA. I've never tried to write the PBA to a locked drive, so I can't say if it will work or not.

dasois Aug 4, 2016

Same issue here.
Tested 1.12 BIOS, 1.12 UEFI64 and 1.10 biospba, all produce:

ERR : method status code NOT_AUTHORIZED
ERR : session start failed
ERR : One or more header fields have 0 length
ERR : EndSession Failed

with a reboot

This is a fresh Samsung 850 PRO SSD, that I did not encrypt previously, with a copy of my linux-partitions on it. In a Thinkpad T550 Laptop.

It does not feel right to ignore and start with the encryption process, what shall I do?

r0m30 Aug 4, 2016

Contributor

I don't think 1.10 biospba produced the same output as the other two. The NOT_AUTHORIZED error means that the password you entered is not the correct password for the Admin1 authority. Have you run the initialsetup command?

brianjmurrell Aug 4, 2016

@r0m30 That was part of my bug report above... The instructions for the test procedure don't (or didn't at the time) mention needing to run --initialSetup before doing the test procedure.

Probably some clarification/detailing is needed in the instructions so as not to assume the reader just knows that --initialSetup has to be run first.

r0m30 Aug 4, 2016

Contributor

You don't need to run initialsetup, you really shouldn't run it until AFTER you verify the PBA. Initialsetup sets the MBR shadow on so the drive will not be accessible after a powercycle. I was asking because the messages you get will be different if you have run initialsetup.
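
Added example, not part of the thread and not sedutil code: a small shell check that reads saved --query output and reports whether the drive has already been provisioned and whether the MBR shadow is on, which tells you which of the two error patterns reported above to expect from the PBA test. It assumes the "Locking function" line layout shown in the query output earlier in this thread and treats LockingEnabled = Y as evidence that initial setup has been run; the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not sedutil code): classify an Opal drive from saved
# `msed --query` / `sedutil-cli --query` text, using the "Locking function"
# line format shown in this thread.

# Constructed sample: the Locking function lines from the query output above.
SAMPLE_QUERY='Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y'

# locking_flag <query-text> <name>: print Y or N for one flag, nothing if absent.
locking_flag() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*Locking function/ {
            if ((getline line) <= 0) exit
            n = split(line, kv, ",")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                gsub(/[ \t\r]/, "", p[1]); gsub(/[ \t\r]/, "", p[2])
                if (p[1] == want) { print p[2]; exit }
            }
        }'
}

# drive_state <query-text>: print a comma-separated state summary.
drive_state() {
    ds_enabled=$(locking_flag "$1" LockingEnabled)
    ds_locked=$(locking_flag "$1" Locked)
    ds_mbr=$(locking_flag "$1" MBREnabled)
    ds_done=$(locking_flag "$1" MBRDone)
    if [ -z "$ds_enabled" ]; then
        echo "unknown"            # no Locking feature line: not Opal, or unparsed
        return 1
    fi
    if [ "$ds_enabled" = "N" ]; then
        echo "not-provisioned"    # assumption: Locking SP not activated yet
        return 0
    fi
    ds_state="provisioned"
    if [ "$ds_locked" = "Y" ]; then ds_state="$ds_state,locked"; fi
    if [ "$ds_mbr" = "Y" ]; then
        # MBRDone = N: the host sees the shadow MBR (the PBA image) instead
        # of the real disk until the PBA sets it to Y.
        if [ "$ds_done" = "Y" ]; then ds_state="$ds_state,shadow-mbr-done"
        else ds_state="$ds_state,shadow-mbr-active"; fi
    fi
    echo "$ds_state"
}

# pba_test_hint <state>: what this thread reports for each state.
pba_test_hint() {
    case "$1" in
        not-provisioned)
            echo "initial setup not run: thread reports INVALID_PARAMETER on unlock" ;;
        provisioned*)
            echo "initial setup already run: NOT_AUTHORIZED means a wrong Admin1 password" ;;
        *)  echo "no Locking feature found in query output" ;;
    esac
}

# With a readable file argument, classify saved query output; else the sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then query=$(cat "$1"); else query=$SAMPLE_QUERY; fi
state=$(drive_state "$query") || true
echo "$state: $(pba_test_hint "$state")"
```

Run it against output captured before touching the drive; a result of not-provisioned is the state in which the maintainer says the PBA should be verified.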

LudiusMaximus Aug 27, 2016

Hi, I also just tried the "Test the PBA" described in the wiki and got the INVALID_PARAMETER error:

error

UPDATE: I just now read the remaining closed issues and found that this has been discussed before:
#28 and #37

So the documentation is really outdated. Do you want me to write a new one for you?

r0m30 Nov 29, 2016

Contributor

If you still have the time to update the doc on testing the PBA that would be great.

r0m30 Jul 19, 2017

Contributor

PBA and doc updated


r0m30 closed this Jul 19, 2017