SED drives and how to use them with Qubes

I have spent 3 days looking for any form of information about using SED/Opal 2 drives with Qubes.
I am stuck enabling libata.allow_tpm: it's set in grub.cfg and built/installed, I even needed to re-sign the boot files,
but when I try sedutil-cli --scan all I get is "/dev/sda No" and "the kernel flag libata.allow_tpm is not set correctly".
Anyone know what I am doing wrong?

I never understood why they tied the sedutil-cli utility to the requirement of a TPM when not every system even has one. Their reasoning was probably that the TPM could be used to automatically unlock the drive as long as it is installed in that particular system and then deny access to the drive if it was instead being “analyzed” in somebody else’s system. It only makes sense if your adversary is a three letter agency and they don’t physically have your system sitting in their lab.

To fix your issue in sys-usb try the following Qubes-specific tweak:
dom0> qvm-prefs --set sys-usb kernelopts libata.allow_tpm=1

If you already have some kernel parameters set for that VM then just add them to the libata.allow_tpm settings rather than replacing them.

To use sedutil in dom0/Xen you will need to actually modify the grub boot parameters by adding the same libata.allow_tpm=1 parameter and then regenerate the grub config in /boot.

If you want to know more about Opal drives I suggest you take the time to read the below linked document. I used to work at APL with the author on a few Opal specific projects. There are so many things you can do with these drives that you would never even think of if you didn’t know their basic capabilities.

A Practical Guide to Use of Opal Drives

Booting from an Opal drive can be a little tricky. See chapters 8/9. The really interesting thing to me is you can have the boot loader partition set to read-only so nothing can tamper with it even when it is stored off-line. Now that is a real Anti-Evil-Maid feature. A warm-boot attack might be possible if you change the read-only attribute to r/w during normal runtime. My advice is to only set /boot to r/w when actually updating dom0/grub boot parameters.

Ironically it was your previous post that got me going down this rabbit hole lol. I have read that doc cover to cover.
I have a Librem 14 running PureBoot so I will need to write the PBA, as it can't boot BIOS or UEFI code, but I do have a Linux kernel as part of the preboot. I am starting with just a T7 to play with before I start messing with the NVMe too much lol.

Well, that fixed the TPM problem, but now it is reporting the T7 as not Opal 2 compliant.
All it says is
/dev/sda No
(sda IS the T7 and is the only drive it sees.) Any ideas?

It appears that the T7 is merely the shell/case of the Samsung device. I have no information on what SSD is actually inside the case. The online specs I have found for the T7 on the Samsung site are pretty much worthless for figuring out what is inside the shell casing, probably because they use different SSDs for different storage capacities. I can’t find anywhere on Samsung’s site that says the T7 is Opal compliant. Any marketing pages for the T7 that I have found do not even mention Opal. So, the question is, what is inside the box? Can you interrogate the drive using software utilities to determine what SSD is inside? The drive itself might tell you things like the firmware version, which will lend a clue.

When I was still working at APL I do recall being told by Mr Challener that not all USB interfaces will transmit all the commands to the Opal devices. But I never came across one while I was working on that project.

However, I just came across a similar problem yesterday when I found one of my USB/SATA docking stations was not transmitting the smartctl commands to read the state of a failed spinning rust drive. Three other docking stations could see the internal error log but that one docking station clearly cannot. If this is the case for the electronics inside the T7 case (usb<->sata) then there is not much that can be done to fix this. Since the T7 is marketed as water resistant it would likely void the warranty to even open the shell to inspect the device inside.

There is not much more I can add without knowing what is inside the shell casing of the T7 device you have. I’m out of ideas at the moment.

Yea, the webpage is bad. I can say I have a PSID on the side of the drives, but I can't find anything, which makes me wonder if they have used the same encryption on the drive but a different command set.
I tried on my Windows computer and the tool didn't see any of my drives (I have 2 Opal 2 NVMe 980 Pros), and it didn't see the USB drive or the NVMes.
I only paid $60 CAD for these so I don't mind taking one apart (looks like I am a bit shaky; if you need better pics of anything just let me know, I won't put it together for a bit).

vblimits wrote (February 18):
    Yea, the webpage is bad. I can say I have a PSID on the side of the drives, but I can't find anything, which makes me wonder if they have used the same encryption on the drive but a different command set.
    I tried on my Windows computer and the tool didn't see any of my drives (I have 2 Opal 2 NVMe 980 Pros), and it didn't see the USB drive or the NVMes.

It’s a good sign that you have a PSID but what you really need is a model number. Somewhere on the web is a website where you can lookup all Opal drives and their current certification status. I looked for close to an hour this morning but never located it. It’s out there, but I certainly couldn’t find it. I’ll look again later when I find the time.

On windows you may have to use the disk manager to format it first, before you will be able to see it. That would be unfortunate because when you create the range for encryption it would need to be formatted again. Is there a partition table on the drive? Maybe Windows is just very picky with devices it has not seen before. You might try creating a partition table on a Linux distribution and formatting it NTFS and see if Windows will recognize it then. I can’t believe Samsung would make a drive that does not work in Windows out of the box, or at least give you a driver. Maybe it’s defective?

I’m working on returning two spinning rust drives where both drives of the same model were defective. One lasted just 22 hours of backups and the second I wrote just one file to it successfully, it died on the second backup file. No, it was not Samsung.

Both drives have the same behavior: they work fine in Windows and Linux, just sedutil --scan isn't showing them as Opal. I could be doing something wrong as I have never used that tool before.
On Windows I just downloaded the tool, ran a command prompt as admin and typed sedutil --scan. It is connected USB-C to USB-C; I haven't tried C to A yet.
I'll blow away the tables and try on an unformatted disk, then I'll reformat it on Linux (Qubes) and try that and see what happens. Attached are two better pictures with all the model numbers I can find on the drive (inside and out).
And thank you for all your help on this.
I was thinking if I can get this working I'll do a write-up on the wiki for others. I also really want to write a PBA that will work on the Librem 14 with PureBoot (I will still use LUKS as it is black-box encryption, but it won't hurt to use SED as it's already encrypted; my Librem has a 980 Pro 2T, it also has a PSID).
No change; tried exFAT, no partition, NTFS, all the same.

For those who like me read this post now, the link shared by @slcoleman is not working anymore. I found it on the wayback machine.


You did not say specifically what error you are getting or what you tried. The following is an important kernel parameter that is necessary for the sedutil-cli command to work successfully.

dom0> qvm-prefs --set sys-usb kernelopts libata.allow_tpm=1

Your hardware interface to the drive must be able to pass all ATA commands directly to the drive, and sadly there are many usb/sata interfaces that do not. Passing the drive as a block device will likely fail as you need direct attached hardware as far as I know.

Do the above qvm-prefs tweak and then use sedutil-cli in sys-usb/dom0 to enumerate all opal compliant drives directly attached to its controller.
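Both replies above boil down to the same two checks: is the libata.allow_tpm kernel parameter actually in effect in the VM that owns the controller, and which lines of sedutil-cli --scan are real Opal drives rather than "No". The following is an added example, not code from the thread or from the sedutil project: a small POSIX shell script that reads the live module parameter (with the boot command line as a fallback, since a value in grub.cfg alone proves nothing until the VM has rebooted) and filters a scan listing. The scan text is a constructed sample in the column layout sedutil-cli uses (device, Opal version or "No", model, firmware); the firmware strings are placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread. Checks whether libata.allow_tpm=1
# is in effect and lists the Opal-capable disks from sedutil-cli --scan output.

# Returns 0 when libata.allow_tpm=1 is in effect.
#   $1: kernel command line file   (default /proc/cmdline)
#   $2: live module parameter file (default /sys/module/libata/parameters/allow_tpm)
# Both are parameters so the check can be run against constructed files.
allow_tpm_enabled() {
    cmdline_file=${1:-/proc/cmdline}
    param_file=${2:-/sys/module/libata/parameters/allow_tpm}
    # The sysfs value is what libata is actually using right now, so it wins.
    if [ -r "$param_file" ]; then
        [ "$(cat "$param_file")" = "1" ]
        return
    fi
    # No sysfs entry (module not loaded, or not a Linux host): fall back to
    # the boot command line, matching the whole token so e.g. allow_tpm=10
    # is not mistaken for allow_tpm=1.
    grep -q -E '(^| )libata\.allow_tpm=1( |$)' "$cmdline_file" 2>/dev/null
}

# Reads sedutil-cli --scan output on stdin and prints one line per disk
# that reported an Opal level ("1", "2", "E", ...), i.e. every device line
# whose second column is not "No". Banner lines are dropped.
opal_drives() {
    awk '$1 ~ /^\/dev\// && $2 != "No" {
        printf "%s %s", $1, $2
        for (i = 3; i <= NF; i++) printf " %s", $i
        print ""
    }'
}

# Constructed sample of a scan listing (not captured from a real system):
# the NVMe reports Opal 2, the USB-attached T7 reports "No", as in the thread.
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/nvme0n1  2  Samsung SSD 980 PRO 2TB     EXAMPLEFW
/dev/sda  No  Samsung PSSD T7 1TB             EXAMPLEFW
No more disks present ending scan'

# Stand-alone run: report the live kernel setting, then filter the sample.
if allow_tpm_enabled; then
    echo "libata.allow_tpm=1 is in effect on this kernel"
else
    echo "libata.allow_tpm is NOT in effect: sedutil-cli --scan will show every disk as No"
fi
echo "Opal-capable disks in the sample listing:"
printf '%s\n' "$SAMPLE_SCAN" | opal_drives
```

Run it inside the VM that actually holds the controller (sys-usb for a USB-attached drive, dom0 for a directly attached SATA/NVMe drive); a drive that shows up as "No" while the parameter check passes points at the USB bridge not forwarding the ATA/TCG commands, which is the case the thread ends on.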