
Allow read-only mode on Linux for ATA drives #437

Open
wants to merge 2 commits into base: master

Conversation

@fplk0 fplk0 commented May 24, 2023

Background:

I was experimenting with a portable T7 SSD from Samsung. I wanted to have an encrypted drive on my RPi, and the only viable way forward (given that the RPi doesn't have HW crypto extensions) was an OPAL-compatible SSD. I successfully compiled sedutil and was really surprised when it recognized the T7 as an Opal 2.0-compatible SSD. Afterwards, I was able to make it work using the regular set of commands to set up Opal (I needed to erase using the PSID first before I could set up Opal for the first time, though).

After I rebooted, though, sedutil stopped recognizing the SSD as Opal-compatible and returned 0 for status.
I spent the next several hours trying literally everything to unlock it, including hdparm and requesting a factory reset tool from Samsung, to no avail. I then tried to debug sedutil, and it turned out it failed because it wasn't able to open the device in RDWR mode, but it was operating totally fine and getting device properties correctly when opening it in read-only mode.

I know that my patch right now might open the door for some other issues / data loss, so I'm fine with making the changes for --scan allowing read-only and warning about it, and any other command requiring some special flag like --yesidowanttoallowreadonly.

In case anyone's wondering, I was able to successfully work with the T7 USB SSD both via RPi 4b and via Ubuntu/VMware (on top of Windows). Running pure Ubuntu encountered the same issue with vanilla sedutil; vanilla sedutil didn't recognize the T7 as an Opal-based SSD on Windows even in the unlocked state.

None of the Samsung tools on any OS were able to recognize / unlock the device.

dobo90 commented May 25, 2023

@fpoliakov Thanks for the PR. I had a similar issue with the same disk. But still when I did:

sedutil-cli --PSIDrevert XXXX /dev/sda
sedutil-cli --initialsetup debug /dev/sda
sedutil-cli --query /dev/sda
sedutil-cli --enablelockingrange 0 debug /dev/sda
sedutil-cli --setlockingrange 0 lk debug /dev/sda

When I replugged the disk, I was able to unlock it:

➜ sedutil-cli --setlockingrange 0 rw debug /dev/sda
You do not have permission to access the raw disk in write mode, but you can access it in read mode
Be extra careful trying to operate this device
You do not have permission to access the raw disk in write mode, but you can access it in read mode
Be extra careful trying to operate this device
LockingRange0 set to RW

➜ sedutil-cli --query /dev/sda                     
You do not have permission to access the raw disk in write mode, but you can access it in read mode
Be extra careful trying to operate this device
You do not have permission to access the raw disk in write mode, but you can access it in read mode
Be extra careful trying to operate this device

/dev/sda SAS PSSD T7          0    Samsung 
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N
**** 1 **** Unknown function codes IGNORED 

TPer Properties: 
  MaxComPacketSize = 33280  MaxResponseComPacketSize = 33280
  MaxPacketSize = 33260  MaxIndTokenSize = 32772  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1  MaxAuthentications = 5
  MaxSessions = 1  MaxTransactionLimit = 1  DefSessionTimeout = 0

Host Properties: 
  MaxComPacketSize = 2048  MaxResponseComPacketSize = 2048
  MaxPacketSize = 2028  MaxIndTokenSize = 1992  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1

But it's mounted as read-only.

➜ cfdisk /dev/sda         
cfdisk: cannot open /dev/sda: Read-only file system

I've tried invoking partprobe, hdparm -Z, etc and it doesn't help. How do you unlock the device? Thanks!

Edit: the only workaround I've found is (but it requires suspending the laptop):

➜ sedutil-cli --setlockingrange 0 rw debug /dev/sda
➜ systemctl suspend
# wait for a few seconds and wake up the laptop
➜ echo 6-1 > /sys/bus/usb/drivers/usb/unbind
➜ echo 6-1 > /sys/bus/usb/drivers/usb/bind

To find the 6-1 magic number I've used the following script:

for i in /sys/bus/usb/devices/*/idVendor; do
  dir=$(dirname $i)
  if [[ $(cat "${dir}/idVendor") == "04e8" ]] && [[ $(cat "${dir}/idProduct") == "4002" ]]; then
    echo "Found: ${dir}"
  fi
done

Edit2: I've managed to put the SSD into suspend state and then wake it - it also properly unlocks the device. Script that I'm using to unlock it (debug is the current password):

#!/bin/zsh

set -e

# Locate the T7 (USB 04e8:4002) and stop at the first match, so $dir ends up
# holding the drive's sysfs directory rather than whatever the loop visited last.
dir=""
for i in /sys/bus/usb/devices/*/idVendor; do
  d=$(dirname "$i")
  if [[ $(cat "${d}/idVendor") == "04e8" ]] && [[ $(cat "${d}/idProduct") == "4002" ]]; then
    echo "Found: ${d}"
    dir="$d"
    break
  fi
done

if [[ -z "$dir" ]]; then
  echo "T7 not found" >&2
  exit 1
fi

sudo sedutil-cli --setlockingrange 0 rw debug /dev/sda

# Deauthorize the device, wait until it is runtime-suspended, then authorize it
# again so the USB port re-enumerates the (now unlocked) drive.
sudo sh -c "echo auto > ${dir}/power/control"
sudo sh -c "echo 0 > ${dir}/power/autosuspend_delay_ms"
sudo sh -c "echo 0 > ${dir}/authorized"

while [[ $(cat "${dir}/power/runtime_status") != "suspended" ]]; do
  sleep 0.5
done

sudo sh -c "echo 1 > ${dir}/authorized"
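
The comment above establishes two separate facts: unlocking range 0 with sedutil-cli succeeds, yet the kernel keeps the block device read-only until the USB device is re-enumerated. The following script is an added example, not part of sedutil or of this PR, that turns that workaround into something checkable end to end. It assumes the same details as the comment: a T7 enumerating as USB 04e8:4002, the OPAL password "debug", the block device /dev/sda, sedutil-cli on PATH, and running as root. The optional third argument of find_usb_device (an alternate sysfs root) and the bounded wait in reenumerate_usb are additions so the lookup can be exercised against a constructed directory tree and so a device that never suspends does not hang the script. blockdev --getro comes from util-linux and prints 1 when the kernel considers the device read-only, which is the state cfdisk reported above.

```shell
#!/bin/bash
# Added example (not sedutil's or the PR author's code). Assumes a Samsung T7 as
# USB 04e8:4002, OPAL password "debug", block device /dev/sda and root privileges.
set -eu

USB_ROOT="${USB_ROOT:-/sys/bus/usb/devices}"

# Print the sysfs directory of the single USB device with the given idVendor/idProduct.
# Returns 1 if nothing matches or if more than one device matches (two T7s plugged in
# would be ambiguous, and re-enumerating the wrong one is not what we want).
find_usb_device() {
    local vendor="$1" product="$2" root="${3:-$USB_ROOT}"
    local d match=""
    for d in "$root"/*/; do
        d="${d%/}"
        [ -r "$d/idVendor" ] && [ -r "$d/idProduct" ] || continue
        if [ "$(cat "$d/idVendor")" = "$vendor" ] && [ "$(cat "$d/idProduct")" = "$product" ]; then
            if [ -n "$match" ]; then
                echo "more than one $vendor:$product device: $match and $d" >&2
                return 1
            fi
            match="$d"
        fi
    done
    [ -n "$match" ] || return 1
    printf '%s\n' "$match"
}

# Force the port to re-enumerate the drive: deauthorize it, let it runtime-suspend,
# then authorize it again. Same sysfs sequence as the comment, plus a timeout
# (second argument, seconds). Writes to sysfs, so this needs root.
reenumerate_usb() {
    local dev="$1" timeout="${2:-10}" waited=0
    echo auto > "$dev/power/control"
    echo 0 > "$dev/power/autosuspend_delay_ms"
    echo 0 > "$dev/authorized"
    while [ "$(cat "$dev/power/runtime_status")" != "suspended" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "$dev did not suspend within ${timeout}s; re-authorizing anyway" >&2
            echo 1 > "$dev/authorized"
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo 1 > "$dev/authorized"
}

# Wait (up to $2 seconds) for the block device node to come back after re-enumeration.
wait_for_block() {
    local node="$1" timeout="${2:-15}" waited=0
    while [ ! -b "$node" ]; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# The kernel's own view of write protection: blockdev --getro prints 0 when writable.
block_is_writable() {
    [ "$(blockdev --getro "$1")" = "0" ]
}

main() {
    local node="/dev/sda" password="debug" dev
    dev=$(find_usb_device 04e8 4002) || { echo "no T7 found under $USB_ROOT" >&2; exit 1; }
    echo "T7 at $dev"
    # Unlock first; the drive must already be unlocked when the kernel re-probes it.
    sedutil-cli --setlockingrange 0 rw "$password" "$node"
    reenumerate_usb "$dev"
    wait_for_block "$node" || { echo "$node did not reappear" >&2; exit 1; }
    if block_is_writable "$node"; then
        echo "$node is writable"
    else
        echo "$node is still read-only; fall back to the suspend/resume workaround" >&2
        exit 1
    fi
}

# Only run the procedure when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with `--run`. Two caveats: after re-enumeration the drive can come back under a different node than /dev/sda if other disks were probed in between, so check `lsblk` before trusting the final writability message; and the unlock must happen before the deauthorize/authorize cycle, since the whole point is that the kernel records the write-protect state when it first sees the device.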


fplk0 commented May 31, 2023

@dobo90 Wow, I'm surprised someone found this report so quickly :)

Thanks for your follow-up; personally, I stopped after stumbling upon the very same problem: even when unlocked, the disk isn't remounted in RW mode, so it's impossible to do anything with it. I was fine with it being unbricked. I'll try your script a little later & report back.

Btw, even after the SSD was PSID reverted, Samsung Magician reports it in a somewhat broken way and doesn't allow enabling its built-in encryption. I also noticed that on my other T7, after enabling encryption via Magician, sedutil reports it as Opal-locked, so in principle it should be possible either to understand how Magician enables the Opal encryption without (almost) bricking the device or to understand how it derives/hashes the password, to be able to unlock it via sedutil, but I didn't have a chance to look into it yet.

sunknudsen commented

Hey @fpoliakov, an alternative to using OPAL is to configure biometric credentials on T7 Touch… once unlocked using fingerprint, drive behaves like a regular drive while being self-encrypted.
