
Comments (9)

r0m30 commented on August 17, 2024

@grayeul
There are a lot of questions here, let me try and go through them, if I miss one let me know and I'll answer it in a followup.

What is supposed to happen after the PBA is authenticated?

The system is rebooted after the PBA unlocks the drives.

How does boot order come into play?

It should act the same as any other reboot, we don't do anything to the boot order.

I think that after the PBA is done, a reboot effectively happens (but at this point with the drive unlocked), is that right?

Yes

If so, shouldn't that be the equivalent of booting normally after having used rescue mode to disable the locking, and rebooting at that point?

Yes, unless the bios somehow knows the difference between a manual reboot and a programmatic one

It also appears to me that the laptop actually cycles power (the power LED goes off) during the reboot. Could that be happening?

I hope not, but sure, the manufacturer is free to customize the bios as they see fit. If your system is power cycling the drive on a reboot then the PBA as currently written will never work.

If so, I'm guessing the disk would still be locked at that point and no valid OS would be found.

Yes and No, the drive will lock on a power cycle, but the shadow MBR should be a bootable OS.

Any ideas?

See if your bios has a "fast boot" setting or something similar and if it does, disable it.
You could try to force the system to reboot to a rescue system after the PBA reboots (hit the del key or whatever key brings up the boot menu) and query the drive to prove/disprove your power cycle theory.


grayeul commented on August 17, 2024

There is a 'Fastboot' option in the 'POST Behavior' setting area of the BIOS. The options are:

  • Minimal - Reduces boot speed by skipping certain configuration and hardware init.
  • Thorough - Perform complete hardware/config initialization during boot
  • Auto - Allows bios to decide.

I have it set to Thorough, which seems the equivalent of disabling 'fastboot'. I also have secureBoot off.

After looking again, now I do not see the power LED go off, so maybe I was wrong about it power cycling. I think maybe that cycles when I exit from BIOS setup and have changed a parameter.

So - if I setMBREnable on and enableLockingRange 0 from the rescue disk, and then reboot (without a power cycle) -- shouldn't I just do a normal boot at that point? I am ending up seeing the PBA. If I just enter password and continue, I get put back into the same PBA prompt. I did try entering the password, and then when it reboots selecting the 'Single Boot Config' option and booting into the rescue disk. Even though it appears the disk has not power cycled, when I run sedutil-cli --query I see:
Locked=Y, LockingEnabled=Y, LockingSupported=Y, MBRDone=No, MBREnable=Y, MediaEncrypt=Y

I assume the fact that is showing 'Locked' is not what I should be seeing there. I've also noted that when I boot while my USB rescue disk is plugged in, I get an error message (different than the one I get if I enter a bad password) that says: "Identity failed, Invalid argument".

I believe (but at this point, I'm not 100% sure what all I changed when) that in order to get the UEFI PBA to boot, I had to manually enter a new UEFI boot option in the BIOS -- and point it at \EFI\boot\bootx64.efi ( I was a bit surprised that I had to use backslashes, forward slashes did NOT work, though that is what I had seen referenced by someone else). There was an existing UEFI boot entry that was labeled 'ubuntu' and points to \EFI\ubuntu\shimx64.efi (remember, this Dell laptop came pre-installed with ubuntu).

Is the 'shadow' MBR only visible when a) Disk is locked, and b) --setMBREnable on has been done? Are both of these required? When I have the disk unlocked, and I boot into ubuntu normally, and from there run sedutil-cli to enableLockingRange and setMBREnable, I am surprised that a non-power-cycle reboot at that point prompts me for the password and hits the PBA... I would have thought the disk would still be unlocked at that point.

Is there a way to 'unlock' the disk via cmdline from sedutil-cli? Is it possible to do that as a test from the rescue disk?


r0m30 commented on August 17, 2024

After looking again, now I do not see the power LED go off, so maybe I was wrong about it power cycling. I think maybe that cycles when I exit from BIOS setup and have changed a parameter.

That's good.

So - if I setMBREnable on and enableLockingRange 0 from the rescue disk, and then reboot (without a power cycle) -- shouldn't I just do a normal boot at that point? I am ending up seeing the PBA.

No, those two commands tell the drive you want it to lock and show the shadow MBR on a power cycle. To unlock the drive you need to setMBRDone on and setLockingRange 0 RW.

Is the 'shadow' MBR only visible when a) Disk is locked, and b) --setMBREnable on has been done? Are both of these required?

The shadow MBR is controlled by MBREnable and MBRDone. MBREnable tells the drive to show the shadow MBR after a power cycle. MBRDone tells the drive that the shadow MBR should no longer be shown. The PBA sets MBRDone after it has finished unlocking the drive, hiding the shadow MBR, making the real disk visible.

I am surprised that a non-power-cycle reboot at that point prompts me for the password and hits the PBA... I would have thought the disk would still be unlocked at that point.

You have never unlocked the drive, "Locked=Y, and MBRDone=No", you will continue to see the PBA until you do. See my second answer above.

Are you using a non-US keyboard? If you are, try setting a simple all-lowercase password.


grayeul commented on August 17, 2024

OK -- it sounds like my problem is just that the PBA is not successfully unlocking (and setting MBRDone). I have a regular US keyboard and a medium length pw with a few special chars (but standard keyboard symbols). I'll try a simpler password to see if that helps... any other way to check that? The password seems to work from rescue disk and from an unlocked-booted ubuntu. Is there any other intermediate way to tell if the PBA is doing what it should? Maybe I should load the UEFI_Debug version --- will that provide more info?


grayeul commented on August 17, 2024

Hmm... I tried the Debug version. I get a message after password that unlocking drive was a success and then it just pauses. Looking at the code, it is waiting for a keystroke. When I hit a key I get a DTAPBA Login: prompt... haven't found how to log in there, or what good it would do me... However, since it reported drive unlocked, I thought a ctrl-alt-del reboot would possibly get me going again -- but it just cycles back to the PBA password prompt again (as before).

I also tried just booting into the rescue image, then running --setMBRDone on and --setLockingRange 0 RW. After this a query shows it is unlocked, and MBRDone is on. I then reboot from the rescue image, and use my one-time boot option to go back into the rescue image again and immediately query. I expected (without a power off) that this would show the same info (unlocked and MBRDone) -- but no, it is back to locked, with MBRDone=N.


r0m30 commented on August 17, 2024

It looks like your bios is power cycling the drive on a reboot. This is the first time I've seen this and unfortunately unless there is a setting in your bios to stop that behavior the PBA will never unlock your system.

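The test grayeul ran by hand (unlock from the rescue image, reboot, query again) can be scripted; this is an added example, not part of the thread or of sedutil. It reads the Locked, MBREnable and MBRDone flags that r0m30 explains from two saved `sedutil-cli --query` outputs and reports whether the unlocked state survived the reboot. The function names, the file names and the two sample strings are constructed for illustration; the flag spelling follows the query line quoted in the thread.

```shell
#!/bin/sh
# Added example: judge from two saved `sedutil-cli --query` outputs whether the
# drive kept its unlocked state across a reboot. Function names are hypothetical.

# Print Y, N or ? for one flag. Accepts "Locked=Y", "MBRDone=No", "MBREnabled = N".
locking_field() {   # $1 = flag name, $2 = query text
    v=$(printf '%s\n' "$2" | tr ',' '\n' |
        sed -n "s/^[[:space:]]*$1[a-z]*[[:space:]]*=[[:space:]]*\([YyNn]\).*/\1/p" |
        head -n 1)
    case $v in
        [Yy]) echo Y ;;
        [Nn]) echo N ;;
        *)    echo '?' ;;
    esac
}

# Map the flags onto what the next boot will see.
drive_state() {   # $1 = query text
    locked=$(locking_field Locked "$1")
    enable=$(locking_field MBREnable "$1")
    mbrdone=$(locking_field MBRDone "$1")
    if [ "$locked" = N ] && [ "$mbrdone" = Y ]; then
        echo unlocked              # real disk visible, shadow MBR hidden
    elif [ "$locked" = Y ] && [ "$enable" = Y ] && [ "$mbrdone" = N ]; then
        echo locked-shadow-mbr     # firmware boots the PBA again
    else
        echo other
    fi
}

# Compare the state saved before the reboot with the state read after it.
reboot_verdict() {   # $1 = query text before, $2 = query text after
    before=$(drive_state "$1")
    after=$(drive_state "$2")
    if [ "$before" != unlocked ]; then echo inconclusive   # never unlocked
    elif [ "$after" = unlocked ]; then echo state-kept     # PBA handoff can work
    elif [ "$after" = locked-shadow-mbr ]; then echo relocked  # drive was reset
    else echo inconclusive
    fi
}

# Constructed samples in the format quoted in the thread.
SAMPLE_BEFORE='Locked=N, LockingEnabled=Y, LockingSupported=Y, MBRDone=Y, MBREnable=Y, MediaEncrypt=Y'
SAMPLE_AFTER='Locked=Y, LockingEnabled=Y, LockingSupported=Y, MBRDone=No, MBREnable=Y, MediaEncrypt=Y'

# Usage: sh check.sh before.txt after.txt  (each file holds one --query output)
if [ "$#" -eq 2 ]; then
    reboot_verdict "$(cat "$1")" "$(cat "$2")"
fi
```

A `relocked` verdict after a reboot with no manual power-off matches the behaviour r0m30 attributes to the BIOS power cycling the drive.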

r0m30 commented on August 17, 2024

@grayeul Any update on finding a bios setting to stop the power cycling of the drive?


grayeul commented on August 17, 2024

Sorry -- I've been swamped on some other issues... I did get a contact number for someone at Dell, and I'm intending to follow up with them. I haven't found any other options in the BIOS, but I also haven't had too many chances to go through the reboot dance and make sure I'm not missing something.


r0m30 commented on August 17, 2024

OK, I was just following up. Your issue is strange and I was curious.
