Command setLockingRange failed with INVALID_PARAMETER and missing instructions/documentation under Wiki section. about sedutil HOT 2 CLOSED

Hi,

It looks like you are having an Alignment Granularity issue. If you look at the output of a query command you will see the locking range alignment requirements. The Crucial drives I have tested are usually Alignment granularity 8, so you need to define your locking ranges on 8 block boundaries (start AND end).

The setuplockingrange command is startblock, number of blocks. This means that to protect blocks 0-2047 you would need to use startblock 0 and number of blocks 2048, this would also probably fix your alignment issue.

The PBA only unlocks the global range (0), if you want to protect the mbr and partition table, I would recommend that you use the readonlyLockingRange command it has the same syntax as the setupLockingRange but only activates write locking. Then the mbr and partition table will be readable but not writable until you manually unlock the range. If you do use this method then you want to make sure you unlock the range before you proceed with an OS install and do not power cycle the drive until you have finished the disk configuration.

from sedutil.

Thank you so much. It's working now!

I had simply misunderstood the setuplockingrange command. It is indeed startblock, number of blocks and NOT startblock, endblock (like in most apps out there).
So, startblock 0 and number of blocks 2048 works with my Crucial boot drive (Alignment granularity 8).

An enhanced Wiki section about locking ranges and user management would be much appreciated.

For the record, booting Rescue.img:
sedutil-cli --reverttper password /dev/sda
sedutil-cli --initialsetup password /dev/sda
sedutil-cli --setupLockingRange 1 0 2048 password /dev/sda
sedutil-cli --loadPBAimage password pbafilename /dev/sda
sedutil-cli --setMBREnable on password /dev/sda
sedutil-cli --enableLockingRange 0 password /dev/sda
sedutil-cli --readonlyLockingRange 1 password /dev/sda

Power off the computer to lock the drive.

Power the computer on. The PBA ask for the password and unlocks the global range (LR0) if password is right.

LR1 (blocks 0-2047) is still write protected (read only), booting Rescue.img:
sedutil-cli --setLockingRange 1 rw password /dev/sda

Proceed with all OS installs.

Power off the computer to lock the drive OR booting Rescue.img:
sedutil-cli --setLockingRange 1 ro password /dev/sda

Great stuff. :-)

from sedutil.