Cannot boot from partially locked self-encrypting drives #42
Labels
Laptop 13 - AMD Ryzen 7040
Framework Laptop 13 (AMD Ryzen™ 7040 Series)
Laptop 13 - Intel 12th Gen
Framework Laptop 13 (12th Gen Intel® Core™)
Laptop 16 AMD Ryzen 7040
Framework Laptop 16 (AMD Ryzen™ 7040 Series)
👉 Ported from Framework Community post Unable to boot from write-locked OPAL SED SSD
Device Information
System Model or SKU
All models likely affected. Specifically confirmed on:
BIOS VERSION
All versions likely affected. Specifically confirmed on:
DIY Edition information
All TCG Opal 2.0 Self-Encrypting Drives likely affected. Specifically confirmed on:
Storage: Samsung 990 Pro, Samsung 980 Pro, Samsung PM961
Standalone Operation
Are you running your mainboard as a standalone device. Is standalone mode enabled in the BIOS?
Describe the bug
TCG Opal drives can selectively lock different regions of the disk. For example, the /boot partition can be left in cleartext, while the / partition is encrypted. In these setups, sufficient data is available to boot the system, but the Framework BIOS refuses to even attempt to boot, instead trapping the user at a "Harddisk Security" prompt. Laptops from other manufacturers are able to boot from the same drive in the same configuration.
Steps To Reproduce
Alex DeLorenzo's blog post Encrypted Root with LUKS and Opal is a thorough discussion of how to create this kind of configuration, but basically:
1. Factory-reset the drive's Opal locking state:
   cryptsetup luksErase --hw-opal-factory-reset /dev/nvme1n1
2. Partition the drive into a /boot partition, and a root partition occupying the rest of the space on the drive.
3. Format the root partition with Opal-only hardware encryption:
   sudo cryptsetup luksFormat /dev/nvme1n1p2 --hw-opal-only
4. Unlock it:
   sudo cryptsetup open /dev/nvme1n1p2 root
5. Install the operating system onto the boot partition (/dev/nvme1n1p1) and the unlocked root partition (/dev/mapper/root).
6. Verify the locking ranges:
   sudo sedutil-cli --listLockingRanges $PASSWORD /dev/nvme1n1
Note: It may be necessary to invoke
sudo sedutil-cli --setMBREnable off $PASSWORD /dev/nvme1n1
to disable the shadow MBR. Check status with
sudo sedutil-cli --query /dev/nvme1n1
Expected behavior
The system should attempt to boot. Whether or not it succeeds is another matter, but it should try.
Actual behavior
At power on, the BIOS immediately throws up a "Harddisk security" prompt indicating that the drive is in "(Lock)" status.
If the drive is selected, the BIOS prompts for a decryption key and refuses to proceed.
It does not attempt to boot.
Booting from a Live USB stick shows that the boot partition can be mounted and fully read without unlocking the drive.
Placing the drive in a less sophisticated laptop (a 5th Generation ThinkPad X1 Carbon from 2017) boots up just fine.
Screenshots
(Taken from https://community.frame.work/t/solved-stuck-on-harddisk-security-at-boot/41088, but the prompts are identical for this issue)
Operating System (please complete the following information):
Additional context
This seems like the Framework BIOS is trying to be too smart when it handles TCG Opal drives: If it sees any locked ranges, it refuses to proceed, even if the partition it needs to boot from is not locked.
If there were a way to disable or bypass the BIOS's attempts to handle unlocking, that should solve this issue.
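The check the report is asking the firmware to make, as an added example that is not part of the issue, of cryptsetup, or of sedutil: intersect a partition's LBA extent with the drive's read-locked Opal locking ranges and refuse only when the partition actually falls inside one. The input format is an approximation of sedutil-cli --listLockingRanges output, the sample ranges and partition offsets are constructed rather than captured from a real drive, and the function names (partition_read_locked, readability) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue, cryptsetup or sedutil): decide whether a
# partition is readable on a partially locked Opal drive by intersecting its
# LBA extent with the drive's *read-locked* locking ranges. The input format
# approximates `sedutil-cli --listLockingRanges`; the sample at the bottom is
# constructed, not captured from a real drive.
#
# partition_read_locked START LENGTH  < listLockingRanges-output
#   exit 0: some read-locked range overlaps [START, START+LENGTH)
#   exit 1: the partition is fully readable without unlocking
#   exit 2: no locking-range lines were found in the input
partition_read_locked() {
    awk -v pstart="$1" -v plen="$2" '
        # Range header, e.g. "LR1 Begin 2099200 for 1951522816"
        /^LR[0-9]+ Begin [0-9]+ for [0-9]+/ {
            n++; rstart[n] = $3 + 0; rlen[n] = $5 + 0; locked[n] = 0; next
        }
        # Status line, e.g. "RLKEna = Y  WLKEna = Y  RLocked = Y  WLocked = Y"
        # Only RLocked matters for booting: a write lock still allows reads.
        /RLocked =/ && n > 0 {
            for (i = 1; i <= NF; i++)
                if ($i == "RLocked" && $(i + 2) == "Y") locked[n] = 1
        }
        END {
            if (n == 0) exit 2
            pend = pstart + plen               # exclusive end LBA
            glocked = 0; covered = 0
            for (i = 1; i <= n; i++) {
                if (rlen[i] == 0) {            # "LR0 Begin 0 for 0": the global range,
                    glocked = locked[i]        # i.e. every LBA not claimed by LR1..LRn
                    continue
                }
                rend = rstart[i] + rlen[i]
                if (rstart[i] < pend && pstart < rend) {
                    if (locked[i]) exit 0      # overlaps a read-locked range
                    if (rstart[i] <= pstart && pend <= rend) covered = 1
                }
            }
            # A locked global range hides every LBA not inside an explicit
            # unlocked range, so the partition must be fully covered by one.
            if (glocked && !covered) exit 0
            exit 1
        }'
}

# Constructed sample: /boot at LBA 2048 (1 GiB), root from LBA 2099200,
# with cryptsetup having placed the root partition in locked range LR1.
SAMPLE_RANGES='Locking Range Configuration for /dev/nvme1n1
LR0 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N
LR1 Begin 2099200 for 1951522816
            RLKEna = Y  WLKEna = Y  RLocked = Y  WLocked = Y'

# Helper that maps the exit status to a word, for printing and for checks.
readability() {
    rc=0
    printf '%s\n' "$SAMPLE_RANGES" | partition_read_locked "$1" "$2" || rc=$?
    case $rc in
        0) echo locked ;;
        1) echo readable ;;
        *) echo unparsed ;;
    esac
}

echo "/boot (2048 + 2097152): $(readability 2048 2097152)"              # readable
echo "root (2099200 + 1951522816): $(readability 2099200 1951522816)"   # locked
```

Only the read-lock bit is consulted because a write-locked range is still readable, which is exactly the write-locked /boot case from the community post the issue was ported from. The global range (LR0) is handled separately: when it is locked, a partition is readable only if an explicitly unlocked range covers it entirely.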