cryptsetup fails to format a partition on OPAL 2 device with 4K block size
Issue description
I am trying to set up a system with two small unencrypted partitions and one remaining LVM one, and have that partition encrypted with OPAL (only).
Cryptsetup fails with "Cannot setup OPAL segment.".
I have discussed this issue in the mailing list before narrowing it down to what appears to be the root cause.
In addition to this problem, it appears that my drive is affected by a problem similar to https://github.com/Drive-Trust-Alliance/sedutil/issues/291, but I think it is not related to the actual issue. In short, it seems I need to do a PSID revert before performing the initial setup.
Steps for reproducing the issue
- Perform just the initialSetup of the drive using sedutil-cli, set the Admin1 password.
- Create 3 partitions, 3rd one is to be encrypted.
- Run "cryptsetup --hw-opal-only --debug luksFormat /dev/nvme0n1p3"
- Observe the error. No LRs are created by cryptsetup.
Additional info
Arch installer from Mar 3rd, Crucial T500 2 TB M.2 disk. Downloaded the official sedutil-cli binary.
I suspect that the root cause may be the lack of support for the eraseLockingRange command. When I run "sedutil-cli --eraseLockingRange 1 PASS /dev/nvme0", I get "eraseLockingRange is not implemented. It is not part of the Opal SSC". If I read the debug output correctly, it seems to be trying to erase the LR.
Some more details: https://lore.kernel.org/cryptsetup/NtJ2omI--3-9@grigr.xyz/T/#t
Worth mentioning that I was able to create an LR myself with sedutil-cli.
Debug log
Output with --debug option:
# cryptsetup 2.7.0 processing "cryptsetup --hw-opal-only --debug luksFormat /dev/nvme0n1p3"
# Verifying parameters for command luksFormat.
# Running command luksFormat.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/nvme0n1p3.
# Trying to open and read device /dev/nvme0n1p3 with direct-io.
# Initialising device-mapper backend library.
# Blkid check (filter none).
WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.
Are you sure? (Type 'yes' in capital letters): # Interactive passphrase entry requested.
# Interactive passphrase entry requested.
# Crypto backend (OpenSSL 3.2.1 30 Jan 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.0.
# Detected kernel Linux 6.7.6-arch1-2 x86_64.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Formatting device /dev/nvme0n1p3 as type LUKS2 with OPAL HW encryption.
# OPAL GET_STATUS: flags:119
# Reusing open ro fd on device /dev/nvme0n1p3
# OPAL GET_GEOMETRY: align:1, lb_size:4096, gran:8, lowest_lba:0
# OPAL geometry: alignment: 'y', logical block size: 4096, alignment granularity: 8, lowest aligned LBA: 0
# OPAL alignment (4096/8), offset = 0. Required alignment is 1048576.
# Formatting LUKS2 with JSON metadata area 12288 bytes and keyslots area 16744448 bytes.
# Creating new digest 0 (pbkdf2).
# Setting PBKDF2 type key digest 0.
# Running pbkdf2(sha256) benchmark.
# PBKDF benchmark: memory cost = 0, iterations = 4681142, threads = 0 (took 7 ms)
# PBKDF benchmark: memory cost = 0, iterations = 5518821, threads = 0 (took 95 ms)
# PBKDF benchmark: memory cost = 0, iterations = 5433036, threads = 0 (took 772 ms)
# Benchmark returns pbkdf2(sha256) 5433036 iterations, 0 memory, 0 threads (for 256-bits key).
# Segment 0 assigned to digest 0.
# Adding LUKS2 OPAL requirement flag.
# LUKS2 requirements detected:
# opal - known
# LUKS2 requirements detected:
# opal - known
# LUKS2 requirements detected:
# opal - known
# Device size 1997176569856, offset 16777216.
# Wiping LUKS areas (0x000000 - 0x1000000) with zeroes.
# Wiping keyslots area (0x008000 - 0x1000000) with random data.
# Reusing open rw fd on device /dev/nvme0n1p3
# Reusing open ro fd on device /dev/nvme0n1p3
# Acquiring blocking write lock for resource OPAL_259:3.
# Opening lock resource file /run/cryptsetup/LN_OPAL_259:3
# Verifying lock handle for OPAL_259:3.
# WRITE lock for resource OPAL_259:3 taken.
# Reusing open ro fd on device /dev/nvme0n1p3
# Reusing open ro fd on device /dev/nvme0n1p3
# OPAL GET_STATUS: flags:119
# OPAL ERASE_LR: sum:0, who:0, lr:3
# OPAL ERASE_LR failed: not authorized
# Failed to reset (erase) OPAL locking range 3 on device '/dev/nvme0n1p3': not authorized
# OPAL SECURE_ERASE_LR: sum:0, who:0, lr:3
# OPAL SECURE_ERASE_LR failed: not authorized
# Failed to reset (secure erase) OPAL locking range 3 on device '/dev/nvme0n1p3': not authorized
# Unlocking WRITE lock for resource OPAL_259:3.
# Releasing crypt device /dev/nvme0n1p3 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/nvme0n1p3.
# Closing read write fd for /dev/nvme0n1p3.
Command failed with code -1 (wrong or missing parameters).
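To make logs like the one above easier to triage, here is an added example script (it is not part of this issue and not cryptsetup's own code) that parses the OPAL lines of a `cryptsetup --debug` log: it extracts the reported geometry, the required alignment, every OPAL call with its arguments, each "failed:" reason, and the final exit code, then classifies the outcome. The line formats and field names are taken from the log quoted above; the sample input is a constructed excerpt of those lines, and the function names are my own.

```python
import re

# Constructed excerpt of a `cryptsetup --debug luksFormat` log. The lines
# mirror those quoted in the issue above; this is not a fresh capture.
SAMPLE_LOG = """\
# OPAL GET_STATUS: flags:119
# OPAL GET_GEOMETRY: align:1, lb_size:4096, gran:8, lowest_lba:0
# OPAL alignment (4096/8), offset = 0. Required alignment is 1048576.
# OPAL ERASE_LR: sum:0, who:0, lr:3
# OPAL ERASE_LR failed: not authorized
# OPAL SECURE_ERASE_LR: sum:0, who:0, lr:3
# OPAL SECURE_ERASE_LR failed: not authorized
Command failed with code -1 (wrong or missing parameters).
"""

# Patterns derived from the debug output format seen in the issue.
GEOMETRY_RE = re.compile(
    r"# OPAL GET_GEOMETRY: align:(\d+), lb_size:(\d+), gran:(\d+), lowest_lba:(\d+)"
)
ALIGN_RE = re.compile(r"Required alignment is (\d+)")
OPAL_FAIL_RE = re.compile(r"# OPAL ([A-Z_]+) failed: (.*)")
OPAL_CALL_RE = re.compile(r"# OPAL ([A-Z_]+): (.*)")
EXIT_RE = re.compile(r"Command failed with code (-?\d+)")


def parse_opal_debug(log: str) -> dict:
    """Extract the OPAL-related facts from a cryptsetup --debug log."""
    summary = {
        "geometry": None,
        "required_alignment": None,
        "calls": [],
        "failures": [],
        "exit_code": None,
    }
    for line in log.splitlines():
        m = GEOMETRY_RE.match(line)
        if m:
            align, lb_size, gran, lowest = map(int, m.groups())
            summary["geometry"] = {
                "alignment_required": bool(align),
                "lb_size": lb_size,
                "granularity": gran,
                "lowest_lba": lowest,
                # granularity is in logical blocks; express it in bytes too
                "granularity_bytes": lb_size * gran,
            }
            continue
        m = ALIGN_RE.search(line)
        if m:
            summary["required_alignment"] = int(m.group(1))
            continue
        # Check the failure form first: "# OPAL X failed: reason"
        m = OPAL_FAIL_RE.match(line)
        if m:
            summary["failures"].append({"call": m.group(1), "reason": m.group(2)})
            continue
        # Then the call form: "# OPAL X: key:val, key:val"
        m = OPAL_CALL_RE.match(line)
        if m:
            args = {}
            for kv in m.group(2).split(", "):
                if ":" in kv:
                    key, val = kv.split(":", 1)
                    args[key.strip()] = val.strip()
            summary["calls"].append({"call": m.group(1), "args": args})
            continue
        m = EXIT_RE.match(line)
        if m:
            summary["exit_code"] = int(m.group(1))
    return summary


def diagnose(summary: dict) -> str:
    """Classify the run: 'ok', 'opal_not_authorized', 'opal_other_failure'
    or 'failed_without_opal_error'."""
    if not summary["failures"] and summary["exit_code"] in (None, 0):
        return "ok"
    if any(f["reason"] == "not authorized" for f in summary["failures"]):
        return "opal_not_authorized"
    if summary["failures"]:
        return "opal_other_failure"
    return "failed_without_opal_error"


def failed_locking_ranges(summary: dict) -> set:
    """Locking range indices whose OPAL calls reported a failure."""
    failed_calls = {f["call"] for f in summary["failures"]}
    return {
        c["args"]["lr"]
        for c in summary["calls"]
        if c["call"] in failed_calls and "lr" in c["args"]
    }


if __name__ == "__main__":
    s = parse_opal_debug(SAMPLE_LOG)
    print(s["geometry"], s["required_alignment"])
    print(diagnose(s), failed_locking_ranges(s), s["exit_code"])
```

Running it on the excerpt reports the 4096-byte logical block size with an 8-block (32768-byte) granularity against the 1048576-byte alignment cryptsetup requires, and classifies the run as an authorization failure on locking range 3, which is the point at which the format aborts in the log above.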