NVME Admin command error: INVALID_OPCODE(2001)

[mdp2000]

I purchased Parted Magic to erase the drive in a new X1 Carbon 20FB-004QUS, however, although I can run Erase Disk - NVMe Secure Erase option and see the drive (Samsung MZVKV512HAJH-000L1), the erase process ends with "/dev/nvme0n1: Error! Disk is not erased". I then attempted a command line "nvme format /dev/nvme0n1 --ses=1", as well as "nvme format /dev/nvme0n1" (which a Parted Magic support forum admin confirmed is the command they use), but in both cases I get "Admin command error:INVALID_OPCODE(2001)" as the result. The Parted Magic forum admin requested that I contact you directly for assistance. Any feedback on how to correctly secure erase this drive is appreciated.

Thank you.

[keithbusch]

That doesn't sound right since format is not an optional command to support for any device. It's required. Perhaps the device's status is incorrect, and maybe it doesn't like using the "all namespaces". Do you get the same error from running:

# nvme format /dev/nvme0 -n 1

?

[mdp2000]

Yes, same error.

[keithbusch]

Okay, in this case, I recommend forwarding the error to the controller vendor. It sounds like they require something not defined in the specification, or they simply don't support the nvme format admin command.

[keithbusch]

Closing; this appears to be a device side issue.

[keithbusch]

I think the work-around is to just not issue format commands. The device doesn’t support it according to the status code. From: fuzzydunlop1899 [mailto:notifications@github.com] Sent: Tuesday, May 2, 2017 8:06 PM To: linux-nvme/nvme-cli <nvme-cli@noreply.github.com> Cc: Busch, Keith <keith.busch@intel.com>; State change <state_change@noreply.github.com> Subject: Re: [linux-nvme/nvme-cli] NVME Admin command error: INVALID_OPCODE(2001) (#84) Hi, I have the exact same problem with the Samsung SM951 256 GB NVMe drive (MZVPV256HDGL-00000) and was also routed here via the Parted Magic forum. Since the SM951 is an unsupported OEM-Product I hope there might be a so workaround by now. Thank you! — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub<#84 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AEDXlhtIf_gLHumqcliniPMQ0OmzY27nks5r1-D-gaJpZM4Iak7r>.

[eheiman]

Samsung PM961 128G responds with NVME Admin command error:8193 when nvme_format_ns /dev/nvme0n1 is sent on ASrock Taichi Z270 running CentOS 7.3.1611.el7.
Same SSD/same command/same OS issued on ASUS Maximus Gene VII Z97 completes successfully. Please advise possible problem(s) on Z270 system.

[keithbusch]

That looks like you're using an older version of this tool, so I'm going to assume 8193 is in decimal. That's 2001 in hex, and according to the spec, that's an invalid opcode error. Supporting the format opcode is optional, so it sounds like controller chose not to support it, and that's okay from a specification standpoint.

[eheiman]

Thank you for this reply. Using the very latest version of the tool gives this response: [root@cabench11 Desktop]# nvme format /dev/nvme0n1 NVME Admin command error:INVALID_OPCODE(2001) Issuing this command to this SSD on ASUS Z97 with same OS completes successfully. Same behavior with other Samsung SM/PM version SSDs??? Other thoughts? From: Keith Busch [mailto:notifications@github.com] Sent: Thursday, July 06, 2017 2:10 PM To: linux-nvme/nvme-cli <nvme-cli@noreply.github.com> Cc: Errol Heiman (eheiman) [CONT - Type 2] <eheiman@micron.com>; Comment <comment@noreply.github.com> Subject: [EXT] Re: [linux-nvme/nvme-cli] NVME Admin command error: INVALID_OPCODE(2001) (#84) That looks like you're using an older version of this tool, so I'm going to assume 8193 is in decimal. That's 2001 in hex, and according to the spec, that's an invalid opcode error. Supporting the format opcode is optional, so it sounds like controller chose not to support it, and that's okay from a specification standpoint. — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#84 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AckiTHUJKpWIsfxX0F1LDb6E38iGEduMks5sLT78gaJpZM4Iak7r>.

[keithbusch]

If you want to verify if your controller supports the Format NVM command, run nvme id-ctrl /dev/nvme0 | grep oacs. If value does not have bit 1 set, your controller doesn't support the command, and there's nothing wrong with that from an implementation compliance standpoint.

[eheiman]

Both Z270 and Z97 systems yield oacs : 0x7. I suspect OP_CODE is modified by Z270 versus Z97. Comments will be appreciated.
Samsung_format_Z270.txt

[keithbusch]

An oacs of 7 is advertising support for format nvm. If it's not working, you should take this issue to your vendor.

[cbeyls]

I owned 2 laptops with Samsung PM951 and PM961 SSDs and both had the same issue: oacs shows support but the format command returns INVALID_OPCODE(2001).
For both machines, the fix is to put to laptop to sleep, then resume it. After resume, the Samsung SSD accepts the command.

[eheiman]

Your comment is most appreciated. This same remedy also works for a SATA SSD in security frozen state. Based on that observation, I suspect this is a security related issue, present on Z270 but not on Z97. Review of BIOS configurations is in order. From: Christophe Beyls [mailto:notifications@github.com] Sent: Friday, August 04, 2017 3:07 PM To: linux-nvme/nvme-cli <nvme-cli@noreply.github.com> Cc: Errol Heiman (eheiman) [CONT - Type 2] <eheiman@micron.com>; Comment <comment@noreply.github.com> Subject: [EXT] Re: [linux-nvme/nvme-cli] NVME Admin command error: INVALID_OPCODE(2001) (#84) I owned 2 laptops with Samsung PM951 and PM961 SSDs and both had the same issue: oacs shows support but the format command returns INVALID_OPCODE(2001). For both machines, the fix is to put to laptop to sleep, then resume it. After resume, the Samsung SSD accepts the command. — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#84 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AckiTGFaGBpPOsximY9B15Z_hsr48ayxks5sU4gMgaJpZM4Iak7r>.

[fallspectrum]

Just confirming that putting the machine to sleep has also resolved this issue for me.

[PeterSurda]

I know it's closed but I'm just adding that I had the same problem and the same solution (suspend + resume) worked. Laptop with Intel HM175 Express Chipset and Samsung SM961 512GB.

[keithbusch]

That sounds like a firmware bug.

In any case, I hope everyone running this command is aware it obliterates your data. :)

[toyg]

Almost a year later, and Samsung NVMEs are still behaving in the same way.

$> sudo nvme format /dev/nvme0n1
NVME Admin command error:INVALID_OPCODE(2001)
$> systemctl suspend
$> sudo nvme format /dev/nvme0n1
Success formatting namespace:1

[trourance]

It's not working for me if I boot on an usb key to format it.

[liveuser@localhost ~]$ sudo nvme list
Node             SN                   Model                                    Namespace Usage                      Format           FW Rev  
---------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- --------
/dev/nvme0n1     S308NAAH500323       SAMSUNG MZSLW1T0HMLH-000L1               1         220.14  GB /   1.02  TB    512   B +  0 B   3L0QCXY7

[liveuser@localhost ~]$ sudo nvme format -s1 /dev/nvme0n1
NVME Admin command error:INVALID_OPCODE(2001)
[liveuser@localhost ~]$ systemctl suspend 
[liveuser@localhost ~]$ sudo nvme format -s1 /dev/nvme0n1
NVME Admin command error:INVALID_OPCODE(2001)

[KaLisdef]

Hi everyone,
I've just tested the nvme format command and it worked with a live debian/gnome on a Samsung 970 EVO.
I did not had to enter in a sleep state.

[nama08]

Hi,
I am having challenges with NVME format on Samsung drive (MZVLB256HAHQ).

Error: NVME Admin command error:INVALID_OPCODE(2001)

Note: I have been contacting Samsung support, and they weren't able to help because this particular NVMe drive was OEM. When contacted Lenovo /OEM, but no luck there as well as they do not provide support for these drives.

[cbeyls]

@nama08 To perform a low-level format on Lenovo Thinkpad machines (both SATA and NVME), you have to use the Lenovo EFI application which allows to reset the cryptographic key and erase the drive: https://support.lenovo.com/be/fr/downloads/ds019026
This tool works with all generations of Thinkpad machines including the most recent ones.

[nama08]

@nama08 To perform a low-level format on Lenovo Thinkpad machines (both SATA and NVME), you have to use the Lenovo EFI application which allows to reset the cryptographic key and erase the drive: https://support.lenovo.com/be/fr/downloads/ds019026
This tool works with all generations of Thinkpad machines including the most recent ones.

Hi and thanks for your valuable reply. I will check this out. As mentioned earlier, I was in contact with Samsung support and they weren't able to help.
By the way is this process is NIST compliant?
Support for Linux based environment?

[cbeyls]

You need to have a Thinkpad machine listed on the Lenovo tool page. I personally own a T480S with a Samsung NVME drive (model MZVLB256, exactly the same as yours) and I can confirm the tool works with this drive (and I could not use nvme format with it either). The Lenovo tool is a bootable USB key image (UEFI application) so the installed OS is irrelevant. After you use the tool, your drive will be wiped clean and you can then install any OS, including Linux.

I was also able to upgrade the firmware of the Samsung drive directly from Linux using the nvme command line tool, by identifying the proper file in the Windows zip archive and following these instructions.

[nama08]

Hi,
I have now checked the EFI shell, and it worked just fine.
However, I wasn't able to save the output (proof that disk is wiped securely). Is there a way to save the output /log?

[comicfans]

I have wd sn 750 1TB, nvme format gives error first,(change block size from 512 to 4096, got error code 0x4001, I'm not sure). then I tried supend/resume and it helped me

[aggieNick02]

Same drive as @comicfans (model number WDBRPG0010BNC-WRSN). On a brand new never touched drive, just running
sudo nvme format /dev/nvme0n1
returned
NVMe status: INVALID_FORMAT: The LBA Format specified is not supported. This may be due to various conditions(0x410a)

Suspend and resume fixed the issue, with the original command running succesfully after resume. So bizarre.

[Lantizia]

Just so @trourance doesn't feel he's not the only one.

I have a Dell XPS 9360 which came with this Samsung PM961 NVMe 512GB drive...

P/N: MZVLW512HMJP - 000D1
Model: MZ - VLW512A
DP/N: 068V6F
Firmware: CXY74D1Q (which is a Dell firmware, fwupd/LVFS doesn't know of anything newer... unless someone knows of one?)

Using the latest nvme-cli version 2.7.1 via the AppImage (and I tried compiling manually too) I get this...

root@trisquel:/# ./nvme-cli-latest-x86_64.AppImage id-ctrl /dev/nvme0n1 | grep oacs
oacs      : 0x17
root@trisquel:/# ./nvme-cli-latest-x86_64.AppImage list
Node                  Generic               SN                   Model                                    Namespace  Usage                      Format           FW Rev  
--------------------- --------------------- -------------------- ---------------------------------------- ---------- -------------------------- ---------------- --------
/dev/nvme0n1          /dev/ng0n1                  S33YNX0J302237 PM961 NVMe SAMSUNG 512GB                 0x1        462.32  GB / 512.11  GB    512   B +  0 B   CXY74D1Q
root@trisquel:/# ./nvme-cli-latest-x86_64.AppImage format -f -s1 /dev/nvme0n1
NVMe status: Invalid Command Opcode: A reserved coded value or an unsupported value in the command opcode field(0x2001)
root@trisquel:/# systemctl suspend
root@trisquel:/# ./nvme-cli-latest-x86_64.AppImage format -f -s1 /dev/nvme0n1
NVMe status: Invalid Command Opcode: A reserved coded value or an unsupported value in the command opcode field(0x2001)
root@trisquel:/# ./nvme-cli-latest-x86_64.AppImage security-recv /dev/nvme0n1 -t 16 -p 0xef -n 0 -x 16
NVME Security Receive Command Success:0
       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0000: 00 0e 00 01 00 01 ff fe 00 29 00 00 00 00 00 00 "........)....."

So I guess bit 9 being 29 means it's still frozen... despite me issuing a command to suspend.

The only other things I've seen is this Wiki article from Thomas-Krenn-Wiki.pl which says a BIOS update to their Supermicro fixed it for them... but there are no further BIOS updates for this XPS 9360... it's on the latest.

[Lantizia]

In the end I've found that the Dell BIOS supports a 'data wipe' and it's managed to issue the command instead... the SSD was wiped in only a handful of seconds.

But then that does mean there isn't a problem with the device... so the issue must be how nvme-cli communicates with it?

Should this issue be reopened?

[keithbusch]

The Dell BIOS is more than likely performing some kind of vendor unique sequence to unlock this operation. There's nothing wrong with the nvme-cli tooling from the protocol perspective, but we don't inherently know vendor specific magic. We'd need to know what command sequence the special BIOS updater is doing in order to script up an equivalent with this tool.

[aggieNick02]

I recently had to revisit this issue on a PC where the suspend workaround didn't work, and now have a pretty full understanding of what the real issue is, why the workaround sometimes works, and what can be done when it doesn't.

Quick Summary

• The issue has nothing to do with nvme-cli (as expected)
• The issue is caused by storage devices which behave incorrectly when security operations are blocked
  • motherboards generally block storage device security operations on drives at boot
• The suspend/resume workaround often works because many motherboards fail to block storage device security operations on resume
  • But some motherboards do block these on resume; on such boards, the workaround is ineffective
• If you encounter the issue and the suspend/resume workaround is ineffective, you motherboard likely has an option to disable the storage device security operations block on next boot (on my board, it is Disable Block SID under Security>Trusted Computing), and this will let you nvme format, etc during the next boot

Full Explanation

Most modern PCs, on boot, will use a Trusted Computing Group (TCG) feature called Block SID Authentication on storage devices that support it. For storage devices that support it, this feature will check to see if the storage device's security identifier (SID) password is still set to the default. If it is, the feature will be enabled, and the storage device will block attempts to authenticate until a subsequent device power cycle occurs. This functionality is similar to the ATA FreezeLock command. The goal of this feature is to prevent malware from being able to easily set the password on a disk that has not yet had a password set.

In general, an NVMe device can still be formatted even when SID Authentication is blocked. However, some devices like the WD SN750 (with certain firmware versions) mistakenly block nvme format when SID Authentication is blocked. I imagine the other drives mentioned here behave similarly.

Suspending and resuming the system is an effective workaround in many cases because many systems fail to block SID Authentication when resuming from a suspend. As such, doing a suspend and resume disables the block and avoids the arguably buggy behavior of the SN750 and other drives.

If your motherboard blocks SID Authentication when resuming, the workaround is not effective. What can you do? Most boards have a mechanism to allow you to disable the block on next boot - on mine it is Disable Block SID under Security>Trusted Computing, and only shows up if a drive with blocked SID Authentication is present; You enable Disable Block SID, save and exit BIOS, and the system reboots. It then requires confirmation via specific keyboard button press on the next boot that you really want to boot without blocking SID Authentication. Then you can perform the format, or you can set the SID password to a non-default value, which will prevent the SID Authentication block from ever being set again on the storage device.

Examining the Block SID Authentication state of a drive and changing its password is pretty awkward. The SN750 seems to implement TCG Pyrite, or something like it, and the tools for working with such drives are limited. There is a tool called sedutil-cli, but the official version of it on Github does not support Pyrite, and no version appears to be available via apt in Ubuntu. Fortunately, there are a couple forks that have added support for Pyrite, including one for BSD and one from the owners of sedutil.com. The latter is available on Github with source and precompiled linux/windows binaries: https://github.com/ChubbyAnt/sedutil/releases

After building or copying the prebuilt sedutil-cli, one can examine the state of their drives from within the OS:

:~$ sudo ./sedutil-cli --scan
Scanning for Opal compliant disks
/dev/nvme0     p   WDS100T3X0C-00SJG0                       102000WD
No more disks present ending scan

The p tells us the drive supports pyrite. We can then query the drive:

~$ sudo ./sedutil-cli --query /dev/nvme0

/dev/nvme0 NVMe WDS100T3X0C-00SJG0                       102000WD <serial_number>
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MBRAbsent = Y, MediaEncrypt = N
Block SID Authentication function (0x0402)
    SID Blocked State = Y, SID Value State = N, Hardware Reset = Y
Pyrite 1.0 function (0x0302)
    Base comID = 0x7ffe, comIDs = 1, Initial PIN = 0x0, Reverted PIN = 0x0

Notice the SID Blocked State is Y. After disabling the block (either by using the option in the BIOS or the suspend/resume workaround (if it works)), we see this:

~$ sudo ./sedutil-cli --query /dev/nvme0

/dev/nvme0 NVMe WDS100T3X0C-00SJG0                       102000WD <serial_number>
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MBRAbsent = Y, MediaEncrypt = N
Block SID Authentication function (0x0402)
    SID Blocked State = N, SID Value State = N, Hardware Reset = N
Pyrite 1.0 function (0x0302)
    Base comID = 0x7ffe, comIDs = 1, Initial PIN = 0x0, Reverted PIN = 0x0

Notice the SID Blocked State is N. We can now format the drive, or set its password to prevent it from ever being blocked again. To do the latter, we run:

~$ sudo ./sedutil-cli --initialSetup my_secret_password /dev/nvme0
SID password changed
takeOwnership complete
Locking SP Activate Complete
LockingRange0 disabled
LockingRange0 set to RW
Initial setup of TPer complete on /dev/nvme0

You'll want to make sure you do not lose that password, as options for being able to perform certain operations on the drive may be limited or nonexistant without it.

After running this, you should be able to format the storage device without any workaround in any machine.

The TCG Storage Opal Integration Guidelines have even more details on all of this.

Finally, the suspend/resume workaround is a common mechanism to be able to bypass a similar "FreezeLock" on ATA devices. Interestingly, that mechanism works just fine on the motherboard I'm using, even though the motherboard stops it from working on NVMe devices.

[keithbusch]

I recently had to revisit this issue on a PC where the suspend workaround didn't work...

Amazing, thank you for writing this up!

[HaroPanosyan]

Amazing, Thank you.

[Lantizia]

Well for any owners of Dell systems out there, this seem to be the trick for disabling the block on SID authentication on them...

https://www.dell.com/support/kbdoc/en-uk/000126083/pre-boot-authentication-will-not-activate-due-to-sed-block-sid-authentication-enabled

Although at least in my case the XPS 9360 doesn't have this option in its BIOS (and it's on the latest version). But like I said previously, they've at least given us a built in option to do this in the BIOS under the menu/screen... Maintenance | Data Wipe

Great to finally understand what the real issue is though, thanks @aggieNick02

[igaw]

I think we should add this info to our documentation, as it seems a very common thing to happen.

BTW, nvme has a very minimalist SED plugin. Not sure if it supports the steps necessary feature this workaround requires though.

[aggieNick02]

I think we should add this info to our documentation, as it seems a very common thing to happen.

BTW, nvme has a very minimalist SED plugin. Not sure if it supports the steps necessary feature this workaround requires though.

Oh nice, thanks for the info. I'll see if I can test it; it looks like it has the necessary commands, I don't know if it works with drives with Pyrite or Opalite, but regardless having support for this appearing in nvme-cli is encouraging since where to find a sedutil with needed fixes is not super obvious.

[aggieNick02]

I think we should add this info to our documentation, as it seems a very common thing to happen.
BTW, nvme has a very minimalist SED plugin. Not sure if it supports the steps necessary feature this workaround requires though.

Oh nice, thanks for the info. I'll see if I can test it; it looks like it has the necessary commands, I don't know if it works with drives with Pyrite or Opalite, but regardless having support for this appearing in nvme-cli is encouraging since where to find a sedutil with needed fixes is not super obvious.

I grabbed Ubuntu 24.04 LTS and quickly tried with the SN750. Unfortunately, it looks like it does not work with Pyrite drives yet. I get an ioctl IOC_OPAL_DISCOVERY failed error message. It looks like Greg Joyce (who added the nvme-cli sed plugin) added the ioctl call to Linux to get the basic information out, and my best guess is that would need to be tweaked before it could work on Pyrite and possibly Opalite.

I've no idea how common Pyrite or Opalite drives are, it just is what the problematic SN750 I was dealing with implemented.

[igaw]

@gjoyce-ibm Maybe Greg has some insights here. I really have no clue when it comes to SED :)

[gjoyce-ibm]

When I started looking at SED, there were two viable CLIs, sedcli and sedutil. Both projects however went dormant and had no support or new development.

Given that state I decided that nvme-cli was the best course. But given no real requirements I chose to implement only a base set of OPALv2 functionality. This subset allows for many use cases but certainly not all. The implementation relies entirely on the ioctl's provided by the kernel block SED Opal driver (block/sed_opal.c).

I'm not sure how Pyrite support works but it may be that sedcli/sedutil use the NVMe pass-through mechanism to access the drives directly without using the block SED Opal driver.

I'm a little surprised that ioctl IOC_OPAL_DISCOVERY just failed. Is it possible that your kernel doesn't have that patch?