3

I have asked this question before (here and here )

My problem is that my Self Encrypted Disk (SED) have to NOT spin down even on suspend! I have tried this, but it did not work and the disk spin downs anyway ! The problem is that if the disk spins down, because it is on suspend, it does not show the "de encryption" prompt, and boots back up on RAM, but crashed due to IO error on the disk! (that's what the disk is suposed to do !)

Anyone on how to NOT (as in NEVER) spin down a HDD ? (yes this goes against all logic but this particular case)

Thanks a lot !

Would that be useful ? 

sudo hdparm -I /dev/sda
[sudo] password for xqua: 

/dev/sda:

ATA device, with non-removable media
    Model Number:       ST500LT015-9WU142                       
    Serial Number:      W0VBZQQ7
    Firmware Revision:  0001SDM7
    Transport:          Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6
Standards:
    Used: unknown (minor revision code 0x0029) 
    Supported: 8 7 6 5 
    Likely used: 8
Configuration:
    Logical     max current
    cylinders   16383   16383
    heads       16  16
    sectors/track   63  63
    --
    CHS current addressable sectors:   16514064
    LBA    user addressable sectors:  268435455
    LBA48  user addressable sectors:  976773168
    Logical  Sector size:                   512 bytes
    Physical Sector size:                  4096 bytes
    Logical Sector-0 offset:                  0 bytes
    device size with M = 1024*1024:      476940 MBytes
    device size with M = 1000*1000:      500107 MBytes (500 GB)
    cache/buffer size  = 16384 KBytes
    Form Factor: 2.5 inch
    Nominal Media Rotation Rate: 5400
Capabilities:
    LBA, IORDY(can be disabled)
    Queue depth: 32
    Standby timer values: spec'd by Standard, no device specific minimum
    R/W multiple sector transfer: Max = 1   Current = 1
    Advanced power management level: 254
    Recommended acoustic management value: 208, current value: 0
    DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6 
         Cycle time: min=120ns recommended=120ns
    PIO: pio0 pio1 pio2 pio3 pio4 
         Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
    Enabled Supported:
       *    SMART feature set
       *    Power Management feature set
       *    Write cache
       *    Look-ahead
       *    Host Protected Area feature set
       *    WRITE_BUFFER command
       *    READ_BUFFER command
       *    NOP cmd
       *    DOWNLOAD_MICROCODE
       *    Advanced Power Management feature set
            Power-Up In Standby feature set
       *    SET_FEATURES required to spinup after power up
            SET_MAX security extension
       *    48-bit Address feature set
       *    Device Configuration Overlay feature set
       *    Mandatory FLUSH_CACHE
       *    FLUSH_CACHE_EXT
       *    SMART error logging
       *    SMART self-test
       *    General Purpose Logging feature set
       *    WRITE_{DMA|MULTIPLE}_FUA_EXT
       *    64-bit World wide name
       *    IDLE_IMMEDIATE with UNLOAD
       *    Write-Read-Verify feature set
       *    WRITE_UNCORRECTABLE_EXT command
       *    {READ,WRITE}_DMA_EXT_GPL commands
       *    Segmented DOWNLOAD_MICROCODE
       *    Gen1 signaling speed (1.5Gb/s)
       *    Gen2 signaling speed (3.0Gb/s)
       *    Native Command Queueing (NCQ)
       *    Host-initiated interface power management
       *    Phy event counters
       *    Idle-Unload when NCQ is active
            Device-initiated interface power management
       *    Software settings preservation
       *    SMART Command Transport (SCT) feature set
       *    SCT Write Same (AC2)
       *    SCT Features Control (AC4)
       *    SCT Data Tables (AC5)
            unknown 206[12] (vendor specific)
       *    reserved 69[4]
       *    reserved 69[7]
Logical Unit WWN Device Identifier: 5000c5006a036439
    NAA     : 5
    IEEE OUI    : 000c50
    Unique ID   : 06a036439
Checksum: correct
Community
  • 1
Xqua
  • 99
  • Don't re-post the same question multiple times. – psusi Jan 21 '15 at 23:03
  • possible duplicate of Ubuntu Suspend issue with Self Encrypted Disk – psusi Jan 21 '15 at 23:03
  • yes I have thought about it ! My motherboard does support this, because windaube (french for f**k windows) CAN suspend and keep the disk alive. Any idea how to configure ubuntu to "tell" the motherboard to keep the disk alive ? I've been googling this for ages now and still have found no answer ... – Xqua Jan 21 '15 at 18:28
  • Your OEM version of windows must have a program that manages the disk before it goes into suspend. Today you could write a little pre-suspend hook and tell hdparm to disable the encryption but that's probably not what you want. You might be able to use TPM to store a key in the BIOS to unlock the drive. Whatever the solution is I doubt it's an easy fix, which is typical for this super security stuff. This article was more Linux centric but also appears there's a wide spread of MB support for SED which means more HW for you. http://www.techspot.com/guides/869-self-encrypting-drives/ – ppetraki Jan 21 '15 at 18:57
  • Thanks,

    I know this won't be easy, I just have not even found where to start ... I don't mind recompiling my kernel etc ! I'm not an expert but I'm no noob either ... There's just very very limited information about all of this ! I have read that article a while ago but it does not provide informations about sleep mode (it basically advocate shutdown ...)

    I think that the OEM windows says something to the disk ... or the BIOS but what ^^ that's what I need so that I can tell Ubuntu to do the same !

     – Xqua Jan 21 '15 at 19:44
  • Stumbled over this, https://github.com/r0m30/msed , looks like it uses TPM, which actually is supported on Linux. Does hibernate work? – ppetraki Jan 21 '15 at 19:55
  • Oh that looks interesting ! I will contact the coder about it ! And hiberbate crashes, I have not looked to fix it, but it may be an easier fix. Though I'd love to be able to suspend ! – Xqua Jan 22 '15 at 02:29
  • I have updated my post with hdparm output if that may help ? – Xqua Jan 22 '15 at 18:36

2 Answers2

1

According to,

http://www.pugetsystems.com/labs/articles/Introduction-to-Self-Encrypting-Drives-SED-557/

In the case of SEDs, the main downside is that once the drive has been unlocked, it remains so until the power to the drive has been cut. In other words, if you simply reboot the computer or put it into sleep, the drive remains unlocked. It is not until you completely power off the computer that it will again require the Authentication Key to be entered.

And then goes on to talk about motherboards that support SED to go along with the drive.

Now when a system is normally put into suspend, the power to that bus is cut, which explains what's happening in your case as it's supposed to ask you for your password in that event. What the intent appears to be with SED drives is that a SED Motherboard has the smarts to keep the drive alive just enough to stop it from locking.

So given that information. I suspect that either your motherboard doesn't support SED or it's configured incorrectly.

ppetraki
  • 5,483
  • The linked article is incorrect with regards to suspend. During suspend, power to the drive is always cut, so it will need unlocked again. – psusi Jan 23 '15 at 13:43
0

Configure SED to S3 Suspend

We will need to:

  1. Configure the linux kernel to allow access to sed configurations,
  2. Compile a modified version of sedutil
  3. Make a systemd service to store the hash password on the kernel itself, so it is ready to unlock the drive when waking up.

ps.:
I. the drive must have being setup with sedutil first.
II. tested on Debian Stable.
III. Before starting, backup all your data.

Configure linux kernel to allow access to SED:

edit /etc/default/grub and add "libata.allow_tpm=1" as a parameter to boot. Example:
sudo vi /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="libata.allow_tpm=1"

sudo update-grub

Compile a modified version of sedutil

  • install dependencies
    sudo apt install build-essential autoconf pkg-config libc6-dev make g++-multilib m4 libtool ncurses-dev unzip zip git python zlib1g-dev wget bsdmainutils automake curl bc rsync cpio git nasm
  • open a terminal, and run:
    git clone --branch s3-sleep-support https://github.com/badicsalex/sedutil.git
    cd sedutil
    autoreconf --install
    make all
    sudo mv sedutil-cli /opt/sedutil-cli

Make a Systemd service

  • Find hashed encryption key:
    sedutil-cli --printPasswordHash <password> <device, for example:/dev/sda>

  • Make the file /etc/systemd/system/sedutil-sleep.service, with the following content:

[Unit]
Description=sedutil-sleep

[Service]
Type=oneshot
ExecStart=-+/opt/sedutil-cli -n -x --prepareForS3Sleep 0 <hash> <device>
RemainAfterExit=true

[Install]
WantedBy=multi-user.target

  • Enable and start service
    systemctl enable sedutil-sleep.service
    systemclt start sedutil-sleep.service

References:

sedutil site
Arch Linux Documentation
Issue 90

desgua
  • 32,917