
Badicsalex s3 sleep support

Open ratcashdev opened this issue 4 years ago • 9 comments

Code ported to work with @ChubbyAnt's master branch. Tested on Manjaro Linux with a 5.6.12 kernel on a Thinkpad with a Samsung 970 EVO Plus.

ratcashdev avatar May 26 '20 23:05 ratcashdev

Please comment if you have tested this PR, including system info on test system (OS, brand of motherboard or laptop, etc).

ChubbyAnt avatar Jun 03 '20 21:06 ChubbyAnt

I have tested this on a Lenovo X1 Extreme (Gen 1) with Manjaro having 2 NVME disks with one of them being enabled for SED. Sleep works. Have to admit though, that ultimately I decided not to use SED at all, since on my dual-boot system this would create some complications (especially with sleep not being supported on Windows, AFAIK).

ratcashdev avatar Jun 04 '20 06:06 ratcashdev

I merged your commit to my local branch and compiled it. But on my Desktop with an SATA Samsung 850 EVO I was not able to get it working (It works with sedutil 1.15.1 from DTA).

I followed the instructions:

Enter the commands below: (Use the password of debug for this test, it will be changed later)
sedutil-cli --initialsetup debug /dev/sdc
sedutil-cli --enablelockingrange 0 debug /dev/sdc
sedutil-cli --setlockingrange 0 lk debug /dev/sdc
sedutil-cli --setmbrdone off debug /dev/sdc
gunzip /usr/sedutil/UEFI64-n.nn.img.gz <-- Replace n.nn with the release number.
sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-n.nn.img /dev/sdc <-- Replace n.nn with the release number.

but when I want to test it with linuxpba it says "is OPAL FAILED" instead of "is OPAL Unlocked"

After a full power down I can boot the drive (not the rescue image) and can revert (see picture) without any data loss.

IMG_20200604_191547

Can you provide the RESCUE64.img and sedutil-cli binary to let me test?

mabachel avatar Jun 04 '20 17:06 mabachel

Frankly, I never used the linuxpba command for testing. I simply skipped that step and went on with sedutil-cli --setmbrdone on yourrealpassword /dev/nvme0 and shut down the laptop. AFAIK the commits in here do absolutely nothing with the PBA.

ratcashdev avatar Jun 04 '20 18:06 ratcashdev

After a full power down I can boot the drive (not the rescue image) and can revert (see picture) without any data loss.

But I booted the drive and the debug password did not work (is OPAL Failed). This should work not only with a real custom password, shouldn't it?

mabachel avatar Jun 15 '20 07:06 mabachel

@mabachel yeah, it should. The things coming to my mind are an improperly followed procedure, or mismatched version (SHA1 pw hash vs SHA256), missing kernel params for SATA (libata.allow_tpm=1 as you're trying to use /dev/sba whereas in my case it was an NVMe drive). Other than that I am afraid I can't help.

ratcashdev avatar Jun 15 '20 07:06 ratcashdev

libata.allow_tpm=1

I followed the instructions for SATA devices and enabled that

mabachel avatar Jun 15 '20 07:06 mabachel

Works. Manjaro 20 & Ryzen & KC2500 NVME. Opening dmesg -w to monitor last messages of death, but with this port it finally resumes seamlessly. Funny, something similar has to be done with NIC (igc driver) on all distros except Manjaro. Manjaro is the only OS that actually installs on Ryzen+Nvidia platform without need of safe mode. Thanks for this tool. It's very helpful as the FDE performance is inferior. Here's what I tried:

  • DTA BIOS...........couldn't install OS, disk errors
  • DTA BIOS mbrenabled=off...BIOS won't recognize password (sweet to see the blue prompt anyways)
  • DTA BIOS with -n (opalctl compatible) mbrenabled=off.....BIOS won't recognize password
  • DTA UEFI.........no UI, no keyboard
  • ChubbyAnt BIOS...........couldn't install OS, disk errors
  • ChubbyAnt BIOS mbrenabled=off...BIOS won't recognize password
  • ChubbyAnt UEFI.......ok but no resume
  • ChubbyAnt UEFI + AUR sedutil-sleep.......ok but the tool won't recognize password
  • ChubbyAnt UEFI + this patch........ok, resume working

  • note: so each fork is not working with another. Would love devs to cooperate #forkfest
  • note: first revert was needed, no data lost
  • note: libata.allow is needed for prehistoric SATA drives only
  • note: BIOS password typing would be a dream to come, avoid ugly login screen with no feedback and no password reentry and massive re-boot time, but can't get it working. Until now I had SED drives all of the time activated in BIOS (and needed sedutil to revert first), but I have no idea how it works on non-business motherboards like ASUS Strix. I had 2 sec boot delay with the BIOS blue prompt till now and complained, now I'm put into a test :)
  • note: I also don't use linuxpba as it's only rebooting, no temporary passwords as it only takes time and is not needed
  • note: at some points sedutil commands can become very slow, like 1 result per minute
  • note: flashing completely wrong PBA is ok, everything can be always reverted, it's likely impossible to screw this operation
  • note: disk performance is same as before, and is generally much slower (sequential r/w -50%) than in Windows, and with LUKS there's yet another -50% haircut on a top AESNI CPU. On Windows, performance was 100% at maximum in each case (ramping from raw -> software Bitlocker -> hardware TCG & software Bitlocker). It's very underutilized in Linux (LUKS / VeraCrypt), the CPU can push 16GB/s of AES. However, 4K regime is perfect. Wonder if it makes sense to buy PCI4 NVME. Definitely switched to selective fscrypt.

gitthangbaby avatar Jul 17 '20 20:07 gitthangbaby

Tested on Arch Linux on Lenovo T15g with two NVME drives (original WDC PC SN730 SDBQNTY-512G-1001 and additional Crucial CT1000P5SSD8). Worked, the computer was able to wake up from sleep and continue. Thanks!!!

I actually ended up here because I have made a mistake (?) by using the rescue image and instructions from sedutil.com and, as a result, ended up with the version that used a hashing algorithm different from the original DriveTrustAlliance's sedutil. Then I was unable to use the default sedutil-cli or sedutil-sleep-git package from AUR - as I later understood, because of the hashing method, no command worked.

Two comments:

  • the main README file for MR contains the argument "Admin1" when running "prepareForS3sleep", which is extra
  • it is important to use NVME device names like /dev/nvmeXnY (namespace-aware), if you do not use these names - you get "error -25". Original sedutil does not make a difference between /dev/nvme0 and /dev/nvme0n1, for example.

ngrigoriev avatar Jun 07 '21 13:06 ngrigoriev
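
Two of the failure causes raised in this thread (a controller node such as /dev/nvme0 instead of a namespace-aware /dev/nvmeXnY name, and a missing libata.allow_tpm=1 kernel parameter for sdX drives) can be checked before any sedutil command is run. The script below is an added example, not part of the PR or of sedutil; the function names and the sample command lines are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the device argument given to sedutil.
# Rules are the ones reported in the thread above, not taken from sedutil's source.

# classify_dev PATH -> nvme-namespace | nvme-controller | sd-disk | other
classify_dev() {
    n=${1##*/}
    if   printf '%s\n' "$n" | grep -Eq '^nvme[0-9]+n[0-9]+$'; then echo nvme-namespace
    elif printf '%s\n' "$n" | grep -Eq '^nvme[0-9]+$';        then echo nvme-controller
    elif printf '%s\n' "$n" | grep -Eq '^sd[a-z]+$';          then echo sd-disk
    else echo other   # partitions and anything else are not whole drives
    fi
}

# has_allow_tpm CMDLINE -> status 0 only if the exact token is present
has_allow_tpm() {
    case " $1 " in
        *" libata.allow_tpm=1 "*) return 0 ;;
    esac
    return 1
}

# preflight DEV [CMDLINE] -> prints a verdict; status 0 when it is fine to proceed.
# CMDLINE defaults to the running kernel's /proc/cmdline.
preflight() {
    dev=$1
    cmdline=${2-$(cat /proc/cmdline 2>/dev/null || true)}
    case $(classify_dev "$dev") in
        nvme-namespace)
            echo "ok: $dev is a namespace-aware NVMe name"; return 0 ;;
        nvme-controller)
            echo "reject: $dev is a controller node (reported: error -25); use a name like ${dev}n1"
            return 1 ;;
        sd-disk)
            if has_allow_tpm "$cmdline"; then
                echo "ok: $dev, libata.allow_tpm=1 is set"; return 0
            fi
            echo "reject: $dev needs libata.allow_tpm=1 on the kernel command line"
            return 1 ;;
        *)
            echo "reject: $dev is not a whole-drive device name"; return 1 ;;
    esac
}

# Constructed sample inputs, not captured from a real system.
for d in /dev/nvme0 /dev/nvme0n1 /dev/sdc; do
    preflight "$d" "ro quiet libata.allow_tpm=1" || true
done
```
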