-
Notifications
You must be signed in to change notification settings - Fork 236
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unable to take ownership on 'initialsetup' #316
Comments
You said that: "I have my /boot partition on an unencrypted usb stick where I unlock the drive from." What tool are you using to unlock the drive, because whatever it is (whether it's SEDutil or something else) it apparently has already taken crypto ownership of the drive so the Manufacturer SID (MSID) is already set to something other than the default. SEDutil expects the MSID to be set to default when taking ownership - so you need to (in some way) revert whatever tool you've previously used to take ownership. Does that make sense? If you were previously using SEDutil, then the process to revert back to default MSID would be:
The revertTPer call warns about erasing data, and if it's run without the revertNoErase then it would in fact do a crypto-erase and erase all data. However, if the revertNoErase is run first, then (by design) the revertTPer just restores things to ~near-factory state. However, since you didn't specify I'm guessing you've been unlocking with some other tool (such as hdparm since you're familiar with that. Whatever you've previously done to encrypt the drive needs to be undone before --initialSetup will work.... |
Hi, thanks for your answer. |
I wasn't familiar with the "frozen" state shown in hdparm, but after a look it does appear that the drive being in the frozen state could also be part of the problem ("frozen" is intended to make it impossible to modify security-relevant settings on the drive AFAICT.) Now that you've confirmed that you were using ATA security through hdparm - yep, you'll need to undo that entirely as the TCG Opal functions are essentially orthogonal to ATA security. They are intended to achieve a similar-but-related set of goals, but through a whole different set of commands - so a drive that has ATA Security enabled is fundamentally not in a state where the TCG Opal "take crypto ownership" process can reasonably start. Good luck and keep folks posted - note that I'm a user of SEDutil with my own fork, here only as a volunteer since Drive Trust Alliance hasn't made any code updates since 2017 or answered issue posts since 2018 to my knowledge. |
Hi, unfortunately it didn't work. I detached all availabled drives, got myself a live usb stick, booted from it (with To check whether or not the
Ok, didnt work. Was kind of expecting that.
Maybe disabling the passphrase wasn't enough, so I reset it to the drive's default one:
Bummer! Now trying to revert according these steps: #316 (comment)
Still no luck. So even by disabling all possible ata security stuff (without |
this solved it for me: ChubbyAnt#40 (comment) |
Hi,
I have an already full-encrypted drive, a Crucial MX500 (CT1000MX500SSD1). In order to use this drive as system drive, I have my /boot partition on an unencrypted usb stick where I unlock the drive from. Now I'd like to setup a pba on that drive in order to get rid of the usb stick.
But I'm not succeeding by following the well-known guides.
Now when trying to run
initialsetup
sedutil-cli claims it cannot take the ownership:I'm pretty stuck here, can anyone point me to the right direction please? I'd prefer not to revert the PSID
The text was updated successfully, but these errors were encountered: