UEFI64 PBA not working via USB test or installed on SSD about sedutil HOT 21 CLOSED

One crucial question : did you disable secure boot in Bios? 

from sedutil.

Thanks for the reply snow3461.

Yes, Secure Boot is disabled. I should say that it was disabled when I installed Windows 8, and I did enable it for a time while trying to get BitLocker to work with OPAL, until I found sedutil which seems to be a much better solution.

Would turning it on, initializing it and then turning it off later cause any issues? I wouldn't have thought so, and Windows boots fine with it turned off.

from sedutil.

It causes issue because as the UEFI PBA isn't signed, your bios would simply refuse to boot it.
Doesn't matter if your have it enbale when setting up the OPAL device under windows. Only when trying to boot the PBA after locking the device.

from sedutil.

Okay, well it is disabled and the PBA does boot from USB. It just generates those error messages.

So it looks like the BIOS isn't able to read the PBA from the SSD. It seems to have written correctly, it took about five minutes as expected. Is there a way to check if it was correctly installed? What is necessary for the BIOS to recognize and load it?

from sedutil.

The fact that it generates those error messages means that it is booting and running.
NOT_AUTHORIZED means that the password is incorrect.
Are you using a non-US keyboard? That can cause issues, especially if you use special characters.

from sedutil.

Ah, okay. Thanks r0m30. Well, the drive isn't locked at the moment and I just typed some random stuff in to the password field. I'll try again with the password I set. I'm aware of the keyboard issues (mine is non-US).

So that's promising. The only thing to figure out is why I can't boot the PBA from the SSD.

from sedutil.

OK, yes, with the right password it unlocks the drive correctly. So I just need to figure out the issue with installing the PBA on my SSD and booting from it. Any ideas why the procedure wouldn't work?

from sedutil.

Do you have fast boot enabled? Try disabling that.

from sedutil.

I checked and there is no option for fast boot in the BIOS.

from sedutil.

@r0m30 Maybe you meant "Fast Startup" ?

In this case @mojo-chan, see for example http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html

from sedutil.

I can give that a try, but I don't see why it would cause this issue. The problem is that the BIOS doesn't even recognize the drive as bootable.

I've been reading up on UEFI booting and trying to find some information on OPAL and the PBA. My understanding is that the PBA is loaded into a special area of the drive that is only visible when the drive is locked, which is supposed to be bootable by the UEFI. The PBA unlocks the drive, at which point it switches into "normal" mode and the OS can boot.

As it took rather a long time to write the PBA I think that was at least written to the special area correctly, but what about the MBR? My understanding is that UEFI doesn't even use an MBR any more, it needs a UEFI compliant partition like the one on the rescue USB device. So maybe writing to the MBR actually broke that... I'll try just loading the PBA and not the MBR when I get home. It seems like the MBR is only for BIOS systems, right?

from sedutil.

Fast boot is usually a feature of the UEFI/BIOS that stores some system information that is then not checked again, I have had this cause problems in the past. I'm not sure if it is actually part of the spec or an enhancement that vendors use to differentiate their product. I'm guessing that one of the things they store is the name/location of the UEFI startup program, and that is different when the PBA is active.

Fast startup is a Windows feature that shouldn't effect the bootup of the PBA.

Yes, the PBA is loaded into an area called the shadow MBR table. Don't let the name mislead you it is just an area that is provided to write a disk image that is presented to the BIOS/UEFI when the MBREnable bit is set. The UEFI64_Release.img.gz is correctly configured with a GPT partition table and a Kernel compiled with GPT/UEFI support.

We know that the PBA can be booted and unlock the drive when it is loaded to a USB stick on your system, but it is failing to boot when it is in the shadow MBR. There are two things that seem the most likely when you are having PBA boot problems. The first would be that you didn't gunzip the image file before you loaded it, or if you did unzip it you accidentally added the .gz suffix when you entered the loadPBAimage command. The second is that you didn't enter the setMBREnable on command.

To check the first one you can boot the rescue image from a usb stick and look at the locked drive to make sure it is a proper disk image with both the UEFI partition and the linux partition. To check the MBREnable bit you can go a query on the drive and look at the locking section of the display and verify that is says MBREnabled = Y.

from sedutil.

Thanks r0m30. Okay, here is what I have done, going to reboot in a moment...

C:\data\downloads\sedutil>sedutil-cli --scan

Scanning for Opal compliant disks
\\.\PhysicalDrive0 12  Samsung SSD 850 EVO mSATA 500GB          EMT41B6Q
\\.\PhysicalDrive1 No
No more disks present ending scan

C:\data\downloads\sedutil>sedutil-cli --loadPBAimage **** UEFI64_Release-1.10.img \\.\PhysicalDrive0
- 05:00:57.000 INFO: Writing PBA to \\.\PhysicalDrive0
 / [*********************] 7341056 bytes written
- 05:12:22.907 INFO: PBA image  UEFI64_Release-1.10.img written to \\.\PhysicalDrive0

C:\data\downloads\sedutil>sedutil-cli --setMBREnable on **** \\.\PhysicalDrive0
- 05:13:07.000 INFO: MBRDone set on
- 05:13:07.484 INFO: MBREnable set on

C:\data\downloads\sedutil>sedutil-cli --enableLockingRange 0 **** \\.\PhysicalDrive0
- 05:13:30.000 INFO: LockingRange0 enabled ReadLocking,WriteLocking

from sedutil.

Right. Looks like the PBA is definitely installed correctly: https://goo.gl/photos/k9BznMx4y6wj28YS9

MBR is enabled: https://goo.gl/photos/DbMpxzvhdeyxg6G8A

I note it says that MBRDone=N, which presumably means that the MBR was not loaded and executed... I tried setting it to done with sedutil but it made no difference after a reset and reverted after a power cycle.

Thanks for all the assistance. I think I'm close to having it working. I'll keep reading up on fixing UEFI boot problems in Linux.

from sedutil.

The MBRDone flag is the switch that tells the drive to display the shadow MBR (n) or not (y).
Everything looks OK, it must be some issue with the BIOS settings. Can you disable CSM mode completely in your BIOS?

from sedutil.

Unfortunately there is no CSM mode in my BIOS. It's very basic. I tried every option, disabled everything, but it made no difference. You are right, it must be the BIOS, but it's really odd that it just doesn't like the UEFI stuff in the PBA you created. There must be something about it that the BIOS does not like.

What I can't understand is why the BIOS is happy to boot the same thing off the USB drive, but not off the SSD. Gah.

from sedutil.

Unfortunately I don't understand why it works when booting from the USB but not the SSD either. It is something in the BIOS but from what you describe there aren't many options that you can change. Is there a boot options page that you can add new boot managers/options? The system is probably looking for the windows efi bootloader. Do you have a link to the documentation for your bios? It may document a UEFI shell that can manipulate the boot program/order.

from sedutil.

Many, many thanks for looking at this. My BIOS is documented here, Google translate does a good job: https://121ware.com/e-manual/m/nx/ac/201210/bios-siyou/v1/mst/contents/t_3/220/123-16-LVX/3_220_040.htm

Secure boot is disabled. I tired disabling everything else, including Intel Rapid Start. When the SSD is locked it just doesn't appear in the list of bootable devices in UEFI mode.

I'll keep looking for information on booting Linux on this BIOS. Alternatively I'm wondering if I can use a bootable SD card to run the PBA and unlock the SSD for booting.

from sedutil.

Yep, that is a pretty basic bios configuration setup.

They call CSM mode Legacy mode. See the "Start" menu. So make sure that is in UEFI mode. Our discussion so far makes me believe it will be. There doesn't appear to be any way to it what directory to look in for the efi program.

You could probably use a bootable SD card, I'd give it a try.

At this point it looks like the BIOS may not follow the "standard" UEFI search order on the internal drives (assuming that there will always be windows there). The PBA is set up to boot using default UEFI directory structure (EFI/BOOT/bootx64.efi) and the BIOS doesn't appear to be looking there for the internal Drive.

I'm running out of ideas...... sorry.

from sedutil.

Thanks for all your help, r0m30. I'll contact NEC to ask about the BIOS, but I doubt they will be able to help. In any case, I'll try the SD card booting option.

Maybe I'll try swapping in a different SSD and installing Linux. If I can get that to work perhaps I can figure out what the difference between the PBA and install is. It's probably something minor but critical.

from sedutil.

Okay, so my stupid BIOS won't boot off SD card either, but it does work with USB drives. I can unlock the drive via USB and then boot it normally into Windows. I only have two USB ports... But since you can remove the drive once booted, it's not too bad.

Thanks for the assistance.

from sedutil.