2014-07-31

Hardware FDE with Intel SSD 330 on Intel DH67BL Motherboard

To make full use of the built-in AES encryption on the Intel SSD 330 with the Intel DH67BL desktop motherboard (that is, to set a hard drive password from the BIOS):
  1. Move BIOS block jumper to 'maintenance mode' position.
  2. Boot.
  3. Set hard drive password.
  4. Move BIOS block jumper back to normal position.
  5. Boot.
Notes:
  • To set a password longer than 13 characters, use hdat2 (mhdd seems to have a difficult time with AHCI, and since we're hotplugging...). Boot the system without the drive powered up, or hard-reset the drive while in hdat2 and rescan, then set the password. The BIOS prompt WILL allow entry of longer passwords, just not setting them.
  • Removing a drive with a password set causes the option to set a password in the BIOS security menu to disappear. However, once maintenance mode has been entered and a password set, it seems that from then on hooking up a drive with a password set will work (i.e., reattaching the drive gets the initial password prompt on boot and the menu entries in Setup -> Security).
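After running the procedure above, the thing worth verifying is what the drive itself reports: whether ATA security is enabled (password set), whether it is currently locked, and whether the BIOS has applied the freeze lock the notes talk about. The following Python is an added example (not from the original post) that parses the Security block of `hdparm -I` output into flags and relates them to the goal of this post. The sample text is a constructed excerpt in hdparm's own layout (one flag per line, prefixed by `not` when clear); model and serial values are placeholders. On a real system you would feed in the output of `hdparm -I /dev/sdX`.

```python
"""Parse the 'Security:' block of `hdparm -I` into ATA security flags and say
what it means for the hard-drive-password procedure in this post.

Added example, not from the original post. The sample below is a constructed
excerpt in hdparm's own layout; feed in real `hdparm -I /dev/sdX` output to
check your own drive.
"""
import re
from typing import Dict

# Constructed sample: a drive whose user password is set (enabled) and which
# has been unlocked for this session, with no BIOS freeze lock applied.
SAMPLE_HDPARM_I = """\
ATA device, with non-removable media
\tModel Number:       EXAMPLE-SSD-MODEL
\tSerial Number:      EXAMPLE-SERIAL
Security: 
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

# One flag per line, optionally negated by 'not', optionally qualified after ':'.
FLAG_LINE = re.compile(r"^\s*(not\s+)?(supported|enabled|locked|frozen|expired)(?::\s*(.*))?$")


def parse_security_section(hdparm_output: str) -> Dict[str, bool]:
    """Return the ATA security words hdparm reports, mapped to True/False.

    'supported: enhanced erase' is keyed as 'enhanced_erase' and
    'expired: security count' as 'expired'; other lines are ignored.
    """
    flags: Dict[str, bool] = {}
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():      # next top-level heading ends the section
            break
        m = FLAG_LINE.match(line)
        if not m:
            continue                            # revision code, erase-time lines, etc.
        negated, word, qualifier = m.group(1) is not None, m.group(2), m.group(3)
        if qualifier == "enhanced erase":
            flags["enhanced_erase"] = not negated
        elif qualifier in (None, "security count"):
            flags[word] = not negated
    return flags


def assess(flags: Dict[str, bool]) -> str:
    """Relate the flags to the post's goal: a user password set so the drive
    locks on power-up and the BIOS prompts for it at boot."""
    if not flags.get("supported"):
        return "ata-security-unsupported"
    if flags.get("enabled"):
        return "locked" if flags.get("locked") else "password-set-unlocked"
    if flags.get("frozen"):
        # SECURITY SET PASSWORD is refused while frozen; this is the state the
        # post's hot-plug / hard-reset note is about.
        return "no-password-frozen"
    return "no-password-ready-to-set"


def frozen_variant(sample: str) -> str:
    """Constructed variant: no password set, and the BIOS has frozen the drive."""
    return sample.replace("\t\tenabled", "\tnot\tenabled").replace("\tnot\tfrozen", "\t\tfrozen")


if __name__ == "__main__":
    for text in (SAMPLE_HDPARM_I, frozen_variant(SAMPLE_HDPARM_I)):
        flags = parse_security_section(text)
        print(flags, "->", assess(flags))
```

The `frozen` flag is the one to look at first: as long as it is set, no password can be set or changed through any tool, whichever BIOS menu items are visible.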

That very simple procedure is the hard-won result of a week spent exploring many far more difficult and divergent tangents, since there's nothing in Intel's documentation about this, and Intel's own 'support' crew (Intel Community) apparently aren't familiar with it.

It might seem like a no-brainer, and it should have been.

The BIOS prompt to set a hard drive password does not initially appear in 'normal' mode.

If you hook up a hard drive that already has a password set, the BIOS does not prompt for it, and the option to set a hard drive password does not appear in the BIOS security tab.

The BIOS on this board sets SECURITY FREEZE LOCK and has no option to disable it, so just running mhdd/hdat2/victoria after every boot isn't an option, nor is hacking out an .efi module. (hdat2 seems to be able to power off the drive, but that doesn't reset it; a hard reset really seems to be the only way to do it.) One can't simply use the atasx extension here either --- the nasty Frankenstein BIOS (it's even worse than an Insyde one, God help us all) is apparently signed, so even if you figured out how to force a PCI ROM module into it you wouldn't be able to flash it.

Finding the 'maintenance mode' was a lucky discovery. I'd found a tool that would sort of let me extract the .bio file (UEFITool), and was trying to figure out how to modify the setup forms to display the menu items that allow setting the HDD password. Donovan6000's blog, filled with astoundingly useful and in-depth tutorials, and his Universal IFR Extractor were instrumental in this. However, his tool didn't actually parse the dumped VARSTORE data, which made it harder to pursue the solution I wanted to try before actually attempting to mod the BIOS: just changing some NVRAM variables. I forked his project to display that information and make the correlation trivial, but found the whole 'just set the damn jumper' thing before going any deeper.

So, for someone adventurous: in an EFI shell (Tianocore --- I tried 'refind'; seriously gimped piece of crap; it doesn't have any of the built-in help, and doesn't implement dmpstore -s or -l!), just try setting 3DD0DE67-02D7-4129-914A-9F377CC34B0D:IDESecDev:00 to 0x01 and save yourself screwing with the jumper... or, perhaps, there are desktop boards out there with the capability but no jumper.

I did save the NVRAM before and after 'enabling' the HDD password. For handy reference, for anyone who might care, here's what's different afterwards:
Variable NV+RT+BS 'Efi:MonotonicCounter' DataSize = 4
- Seems to track boots; not relevant.

Variable NV+RT+BS 'A56074DB-65FE-45F7-BD21-2D2BDD8E9652:LegacyDevOrder' DataSize = A
  00000000: 02 00 00 00 06 00 11 00-12 00                    *..........*
Variable NV+RT+BS 'A56074DB-65FE-45F7-BD21-2D2BDD8E9652:LegacyDevChecksum' DataSize = 4
  00000000: 11 AC 12 6B                                      *...k*
to
Variable NV+RT+BS 'A56074DB-65FE-45F7-BD21-2D2BDD8E9652:LegacyDevOrder' DataSize = A
  00000000: 02 00 00 00 06 00 01 00-11 00                    *..........*
Variable NV+RT+BS 'A56074DB-65FE-45F7-BD21-2D2BDD8E9652:LegacyDevChecksum' DataSize = 4
  00000000: 01 15 11 6B                                      *...k*
Presumably that's a result of the SSD being hooked up (it wasn't for the initial dump).

Variable NV+RT+BS '1B838190-4625-4EAD-ABC9-CD5E6AF18FE0:HiiDB' DataSize = 8
  00000000: 18 C0 8A DA 00 00 00 00-                         *........*
to
Variable NV+RT+BS '1B838190-4625-4EAD-ABC9-CD5E6AF18FE0:HiiDB' DataSize = 8
  00000000: 18 F0 8A DA 00 00 00 00-                         *........*

This looks like it might be related to displaying the setup menu item for hard drive passwords(?). On HiiDB, see UEFI HII (Part 4): Strings (reference 14 below).

Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:MaintenanceSetup' DataSize = 29D
  000000B0: 00 00 00 00 00 02 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 59 65  *..............Ye*
  000000E0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
to
Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:MaintenanceSetup' DataSize = 29D
  000000B0: 00 00 00 00 00 00 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 00 61  *...............a*
  000000E0: 07 AC 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
Since these comparisons were taken after the jumper was back in the normal position, this may be relevant.

Variable NV+RT+BS 'Efi:BootOrder' DataSize = 4
  00000000: 01 00 05 00                                      *....*
to
Variable NV+RT+BS 'Efi:BootOrder' DataSize = 4
  00000000: 01 00 02 00                                      *....*
Seems obvious and not relevant.

Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:Setup' DataSize = 29D
  000000A0: 00 00 00 01 00 20 00 00-00 00 00 01 00 00 00 00  *..... ..........*
  000000B0: 00 00 00 00 00 02 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 9D 9F  *................*
  000000E0: D6 98 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
to
Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:Setup' DataSize = 29D
  000000A0: 00 00 00 01 00 20 00 00-00 00 00 01 00 00 00 00  *..... ..........*
  000000B0: 00 00 00 00 00 00 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 EC FF  *................*
  000000E0: 2C 4A 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *,J..............*
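Comparing those dumps by eye is error-prone, and the interesting part is the exact byte offsets that moved, since the same offsets are what the setup forms test. The following Python is an added example (not part of the original post) that parses the dmpstore text layout shown above and reports, per variable, every byte that differs. `BEFORE` and `AFTER` are a subset of the rows copied from the post's own before/after listings for MaintenanceSetup, Setup and BootOrder; rows the post did not print are simply absent on both sides and so are never reported.

```python
"""Diff two UEFI variable dumps in the dmpstore text layout shown in this post.

Added example, not part of the original post. BEFORE and AFTER are copied from
the post's own listings (a subset of the rows it printed for MaintenanceSetup,
Setup and BootOrder); rows the post did not print are absent on both sides.
"""
from typing import Dict, List, Optional, Tuple

VarBytes = Dict[int, int]                                  # offset -> byte value
VarDiff = List[Tuple[int, Optional[int], Optional[int]]]   # (offset, old, new)

BEFORE = """\
Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:MaintenanceSetup' DataSize = 29D
  000000B0: 00 00 00 00 00 02 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 59 65  *..............Ye*
  000000E0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
Variable NV+RT+BS 'Efi:BootOrder' DataSize = 4
  00000000: 01 00 05 00                                      *....*
Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:Setup' DataSize = 29D
  000000B0: 00 00 00 00 00 02 00 00-00 00 00 01 00 01 00 01  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 9D 9F  *................*
  000000E0: D6 98 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
"""
AFTER = """\
Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:MaintenanceSetup' DataSize = 29D
  000000B0: 00 00 00 00 00 00 00 00-00 00 00 01 00 01 00 01  *................*
  000000C0: 00 01 00 01 00 00 00 01-00 00 00 00 00 00 00 00  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 00 61  *...............a*
  000000E0: 07 AC 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
Variable NV+RT+BS 'Efi:BootOrder' DataSize = 4
  00000000: 01 00 02 00                                      *....*
Variable NV+RT+BS 'EC87D643-EBA4-4BB5-A1E5-3F3E36B20DA9:Setup' DataSize = 29D
  000000B0: 00 00 00 00 00 00 00 00-00 00 00 01 00 01 00 01  *................*
  000000D0: 00 07 00 00 00 00 00 00-00 00 00 01 00 01 EC FF  *................*
  000000E0: 2C 4A 00 00 00 00 00 00-00 00 00 00 00 00 00 00  *................*
"""


def parse_dmpstore(text: str) -> Dict[str, VarBytes]:
    """Parse "Variable <attrs> 'NAME' DataSize = N" headers and their hex rows.

    A row is an 8-digit hex offset, ':', byte values with a '-' after the 8th,
    then the ASCII column between '*'. Rows may be partial (a short variable or
    an excerpt), so bytes are stored sparsely by offset.
    """
    variables: Dict[str, VarBytes] = {}
    current: Optional[VarBytes] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Variable "):
            name = line.split("'")[1]                 # text between the first two quotes
            current = variables.setdefault(name, {})
        elif current is not None and len(line) > 9 and line[8] == ":":
            base = int(line[:8], 16)
            body = line[9:].split("*", 1)[0].replace("-", " ")
            for i, tok in enumerate(body.split()):
                current[base + i] = int(tok, 16)
    return variables


def diff_variables(before: Dict[str, VarBytes], after: Dict[str, VarBytes]) -> Dict[str, VarDiff]:
    """Per variable, list (offset, old, new) where the byte differs or exists on
    one side only (None). Variables with no change are left out."""
    result: Dict[str, VarDiff] = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, {}), after.get(name, {})
        changes = [(off, old.get(off), new.get(off))
                   for off in sorted(set(old) | set(new))
                   if old.get(off) != new.get(off)]
        if changes:
            result[name] = changes
    return result


def format_diff(diff: Dict[str, VarDiff]) -> List[str]:
    """One readable line per changed byte, e.g. 'Setup @0x00B5: 02 -> 00'."""
    hx = lambda b: "--" if b is None else f"{b:02X}"
    return [f"{name.split(':')[-1]} @0x{off:04X}: {hx(old)} -> {hx(new)}"
            for name, changes in diff.items() for off, old, new in changes]


if __name__ == "__main__":
    for line in format_diff(diff_variables(parse_dmpstore(BEFORE), parse_dmpstore(AFTER))):
        print(line)
```

Run over the post's rows, MaintenanceSetup and Setup change at the same five offsets (0xB5, then the four bytes 0xDE through 0xE1), and BootOrder at offset 2. Offset 0xB5 is also the byte the form dump further down tests as "Variable 0xB5[1]" in its suppress conditions, which is the kind of correlation the post was after.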

And for the truly masochistic, here's the relevant(?) form dump (something to pursue might be seeing whether the password is actually stored in the NVRAM when set from the BIOS...):
Form Set: Security {0E 24 43 D6 87 EC A4 EB B5 4B A1 E5 3F 3E 36 B2 0D A9 A5 03 DD 04 00 00 00 00 00 00 00 00 04 00 00 00 9D 02}
0x40FD2 Variable Store (32): {24 20}
Name: [ IDESecDev ] {49 44 45 53 65 63 44 65 76 00}
GUID: [ 3DD0DE67-02D7-4129-914A-9F377CC34B0D ] {67 DE D0 3D D7 02 29 41 91 4A 9F 37 7C C3 4B 0D}
  ID: [ 0xF015 ] {15 F0}
Size: [ 144 ] {90 00}
0x40FF2 Form: Security, Form ID: 0x4 {01 06 04 00 A5 03}
0x40FF8 Suppress If: {0A 03 00}
0x40FFB Variable 0x3B[2] equals 0x0 {12 07 3B 00 02 00 00}
0x41002 Not {17 02}
0x41004 Text: Supervisor Password :  {03 0B 20 00 B7 03 B9 03 00 00 00}
0x4100F End If {18 02}
0x41011 Suppress If: {0A 03 00}
0x41014 Variable 0x3B[2] equals 0x0 {12 07 3B 00 02 00 00}
0x4101B Text: Supervisor Password :  {03 0B 20 00 B7 03 BB 03 00 00 00}
0x41026 End If {18 02}
0x41028 Suppress If: {0A 03 00}
0x4102B Variable 0x13[2] equals 0x0 {12 07 13 00 02 00 00}
0x41032 Not {17 02}
0x41034 Text: User Password :  {03 0B 20 00 B8 03 BA 03 00 00 00}
0x4103F End If {18 02}
0x41041 Suppress If: {0A 03 00}
0x41044 Variable 0x13[2] equals 0x0 {12 07 13 00 02 00 00}
0x4104B Text: User Password :  {03 0B 20 00 B8 03 BC 03 00 00 00}
0x41056 End If {18 02}
0x41058 Suppress If: {0A 03 00}
0x4105B Variable Store Select: 0xF015 {25 04 15 F0}
0x4105F Variable 0xC[2] equals value in list (0x0) {14 09 0C 00 02 01 00 00 00}
0x41068 Variable 0x0[2] equals value in list (0x0) {14 09 00 00 02 01 00 00 00}
0x41071 Variable Store Select: 0x0 {25 04 00 00}
0x41075 Variable 0xB5[1] equals value in list (0x1) {14 09 B5 00 01 01 00 01 00}
0x4107E Or {16 02}
0x41080 Or {16 02}
0x41082 Text: Master Key Hard Disk Drive Password : {03 0B 04 00 97 04 BB 03 00 00 00}
0x4108D End If {18 02}
0x4108F Suppress If: {0A 03 00}
0x41092 Variable Store Select: 0xF015 {25 04 15 F0}
0x41096 Variable 0xC[2] equals value in list (0x1) {14 09 0C 00 02 01 00 01 00}
0x4109F Variable 0x0[2] equals value in list (0x0) {14 09 00 00 02 01 00 00 00}
0x410A8 Variable Store Select: 0x0 {25 04 00 00}
0x410AC Variable 0xB5[1] equals value in list (0x1) {14 09 B5 00 01 01 00 01 00}
0x410B5 Or {16 02}
0x410B7 Or {16 02}
0x410B9 Text: Master Key Hard Disk Drive Password : {03 0B 04 00 97 04 B9 03 00 00 00}
0x410C4 End If {18 02}
0x410C6 Suppress If: {0A 03 00}
0x410C9 Variable Store Select: 0xF015 {25 04 15 F0}
0x410CD Variable 0xA[2] equals value in list (0x0) {14 09 0A 00 02 01 00 00 00}
0x410D6 Variable 0x0[2] equals value in list (0x0) {14 09 00 00 02 01 00 00 00}
0x410DF Variable Store Select: 0x0 {25 04 00 00}
0x410E3 Variable 0xB5[1] equals value in list (0x1) {14 09 B5 00 01 01 00 01 00}
0x410EC Or {16 02}
0x410EE Or {16 02}
0x410F0 Text: Hard Disk Drive Password : {03 0B 04 00 96 04 BB 03 00 00 00}
0x410FB End If {18 02}
0x410FD Suppress If: {0A 03 00}
0x41100 Variable Store Select: 0xF015 {25 04 15 F0}
0x41104 Variable 0xA[2] equals value in list (0x1) {14 09 0A 00 02 01 00 01 00}
0x4110D Variable 0x0[2] equals value in list (0x0) {14 09 00 00 02 01 00 00 00}
0x41116 Variable Store Select: 0x0 {25 04 00 00}
0x4111A Variable 0xB5[1] equals value in list (0x1) {14 09 B5 00 01 01 00 01 00}
0x41123 Or {16 02}
0x41125 Or {16 02}
0x41127 Text: Hard Disk Drive Password : {03 0B 04 00 96 04 B9 03 00 00 00}
0x41132 End If {18 02}
0x41134 Subtitle:  {02 04 20 00}
0x41138 Suppress If: {0A 03 00}
0x4113B Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x41141 Variable 0x41 equals 0x2 {22 06 41 00 02 00}
0x41147 Or {16 02}
0x41149 Password: Set Supervisor Password, Variable: 0x3B[40] {08 10 3B 00 28 A8 03 A9 03 04 00 10 02 14 01 00}
0x41159 End If {18 02}
0x4115B Grayout If: {19 03 00}
0x4115E Variable 0x42 equals 0x1 {22 06 42 00 01 00}
0x41164 Password: Set User Password, Variable: 0x13[40] {08 10 13 00 28 A6 03 A7 03 04 01 10 02 14 01 00}
0x41174 End If {18 02}
0x41176 Grayout If: {19 03 00}
0x41179 Variable 0x42 equals 0x1 {22 06 42 00 01 00}
0x4117F Suppress If: {0A 03 00}
0x41182 Variable 0x13[2] equals 0x0 {12 07 13 00 02 00 00}
0x41189 Selectable: Clear User Password, Form ID: 0x4 {0F 0B 04 00 AC 03 AD 03 04 04 10}
0x41194 End If {18 02}
0x41196 Grayout If: {19 03 00}
0x41199 Variable 0x21E[1] equals 0x2 {12 07 1E 02 01 02 00}
0x411A0 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x411A6 Or {16 02}
0x411A8 Suppress If: {0A 03 00}
0x411AB Variable 0x21E[1] equals 0x1 {12 07 1E 02 01 01 00}
0x411B2 Variable 0x41 equals 0x2 {22 06 41 00 02 00}
0x411B8 Variable 0x3B[2] equals 0x0 {12 07 3B 00 02 00 00}
0x411BF Or {16 02}
0x411C1 Or {16 02}
0x411C3 Setting: User Access Level, Variable: 0x21D[1] {05 09 1D 02 01 BD 03 BE 03}
0x411CC Option: No Access, Value: 0x0 {09 09 BF 03 00 00 10 00 00}
0x411D5 Option: View Only, Value: 0x1 {09 09 C0 03 01 00 13 00 00}
0x411DE Option: Limited, Value: 0x2 {09 09 C1 03 02 00 10 00 00}
0x411E7 Option: Full Access, Value: 0x3 {09 09 C2 03 03 00 10 00 00}
0x411F0 End of Options {10 02}
0x411F2 End If {18 02}
0x411F4 Subtitle:  {02 04 20 00}
0x411F8 Suppress If: {0A 03 00}
0x411FB Variable Store Select: 0xF015 {25 04 15 F0}
0x411FF Variable 0x0[2] equals 0x0 {12 07 00 00 02 00 00}
0x41206 Variable Store Select: 0x0 {25 04 00 00}
0x4120A Variable 0xB5[1] equals 0x1 {12 07 B5 00 01 01 00}
0x41211 Or {16 02}
0x41213 Grayout If: {19 03 00}
0x41216 Variable Store Select: 0xF015 {25 04 15 F0}
0x4121A Variable 0xE[2] equals 0x0 {12 07 0E 00 02 00 00}
0x41221 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x41227 Or {16 02}
0x41229 Password: Set Master Key Hard Disk Drive Password, Variable: 0x50[64] {08 10 50 00 40 9B 04 9C 04 00 00 00 02 20 01 00}
0x41239 End If {18 02}
0x4123B Suppress If: {0A 03 00}
0x4123E Variable 0x0[2] equals 0x0 {12 07 00 00 02 00 00}
0x41245 Variable Store Select: 0x0 {25 04 00 00}
0x41249 Variable 0xB5[1] equals 0x1 {12 07 B5 00 01 01 00}
0x41250 Or {16 02}
0x41252 Grayout If: {19 03 00}
0x41255 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x4125B Variable Store Select: 0xF015 {25 04 15 F0}
0x4125F Password: Set Hard Disk Drive Password, Variable: 0x10[64] {08 10 10 00 40 99 04 9A 04 04 40 10 02 20 01 00}
0x4126F End If {18 02}
0x41271 Subtitle:  {02 04 20 00}
0x41275 Grayout If: {19 03 00}
0x41278 Variable Store Select: 0x0 {25 04 00 00}
0x4127C Variable 0x220[1] equals 0x2 {12 07 20 02 01 02 00}
0x41283 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x41289 Or {16 02}
0x4128B Suppress If: {0A 03 00}
0x4128E Variable 0x220[1] equals 0x1 {12 07 20 02 01 01 00}
0x41295 Setting: Chassis Intrusion, Variable: 0x21F[1] {05 09 1F 02 01 C3 03 C5 03}
0x4129E Option: Disable, Value: 0x0 {09 09 E6 00 00 00 10 00 00}
0x412A7 Option: Log Only, Value: 0x1 {09 09 90 04 01 00 13 00 00}
0x412B0 Option: Pause POST, Value: 0x2 {09 09 C4 03 02 00 10 00 00}
0x412B9 End of Options {10 02}
0x412BB End If {18 02}
0x412BD Grayout If: {19 03 00}
0x412C0 Variable 0x222[1] equals 0x2 {12 07 22 02 01 02 00}
0x412C7 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x412CD Or {16 02}
0x412CF Suppress If: {0A 03 00}
0x412D2 Variable 0x222[1] equals 0x1 {12 07 22 02 01 01 00}
0x412D9 Variable 0x4E equals 0x0 {22 06 4E 00 00 00}
0x412DF Or {16 02}
0x412E1 Setting: Execute Disable Bit, Variable: 0x221[1] {05 09 21 02 01 C7 03 C8 03}
0x412EA Option: Disable, Value: 0x0 {09 09 E6 00 00 00 10 00 00}
0x412F3 Option: Enable, Value: 0x1 {09 09 E5 00 01 00 13 00 00}
0x412FC End of Options {10 02}
0x412FE End If {18 02}
0x41300 Grayout If: {19 03 00}
0x41303 Variable 0x224[1] equals 0x2 {12 07 24 02 01 02 00}
0x4130A Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x41310 Or {16 02}
0x41312 Suppress If: {0A 03 00}
0x41315 Variable 0x224[1] equals 0x1 {12 07 24 02 01 01 00}
0x4131C Variable 0x6C equals 0x0 {22 06 6C 00 00 00}
0x41322 Or {16 02}
0x41324 Setting: Intel® Virtualization Technology, Variable: 0x223[1] {05 09 23 02 01 AE 03 AF 03}
0x4132D Option: Disable, Value: 0x0 {09 09 E6 00 00 00 10 00 00}
0x41336 Option: Enable, Value: 0x1 {09 09 E5 00 01 00 13 00 00}
0x4133F End of Options {10 02}
0x41341 End If {18 02}
0x41343 End Form {0B 02}
0x41345 End Form Set {0D 02}
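The part of that dump that decides whether the hard drive password items show up at all is the pair of Suppress If / Grayout If guards in front of the two Password questions, and the raw bytes in braces are enough to evaluate them. The Python below is an added example (neither the post's nor Universal IFR Extractor's code) that decodes those guards and evaluates them against a given NVRAM state. `IFR_EXCERPT` is copied from the post's dump (the two hard-disk password questions). The opcode numbers come from the dump's own byte groups; the evaluation rules (operands in postfix order, one End If clearing every open guard, a Variable Store Select persisting until the next one) are my reading of the dump's structure, and `make_state` builds constructed varstore contents, since the post never dumps IDESecDev. Read off the bytes, "Set Hard Disk Drive Password" is suppressed when IDESecDev offset 0 (2 bytes) is 0 or Setup offset 0xB5 is 1, and grayed when browser variable 0x41 is 1, which is what the IDESecDev:00 suggestion earlier in the post targets.

```python
"""Decode and evaluate the Suppress-If / Grayout-If guards around the two
hard-disk password questions in the Framework-IFR dump in this post.
Added example; IFR_EXCERPT is copied from the post, the evaluation rules are
assumptions read off the dump's structure, varstore contents are constructed."""
import re
from typing import Dict, List, Tuple

IFR_EXCERPT = """\
0x411F8 Suppress If: {0A 03 00}
0x411FB Variable Store Select: 0xF015 {25 04 15 F0}
0x411FF Variable 0x0[2] equals 0x0 {12 07 00 00 02 00 00}
0x41206 Variable Store Select: 0x0 {25 04 00 00}
0x4120A Variable 0xB5[1] equals 0x1 {12 07 B5 00 01 01 00}
0x41211 Or {16 02}
0x41213 Grayout If: {19 03 00}
0x41216 Variable Store Select: 0xF015 {25 04 15 F0}
0x4121A Variable 0xE[2] equals 0x0 {12 07 0E 00 02 00 00}
0x41221 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x41227 Or {16 02}
0x41229 Password: Set Master Key Hard Disk Drive Password, Variable: 0x50[64] {08 10 50 00 40 9B 04 9C 04 00 00 00 02 20 01 00}
0x41239 End If {18 02}
0x4123B Suppress If: {0A 03 00}
0x4123E Variable 0x0[2] equals 0x0 {12 07 00 00 02 00 00}
0x41245 Variable Store Select: 0x0 {25 04 00 00}
0x41249 Variable 0xB5[1] equals 0x1 {12 07 B5 00 01 01 00}
0x41250 Or {16 02}
0x41252 Grayout If: {19 03 00}
0x41255 Variable 0x41 equals 0x1 {22 06 41 00 01 00}
0x4125B Variable Store Select: 0xF015 {25 04 15 F0}
0x4125F Password: Set Hard Disk Drive Password, Variable: 0x10[64] {08 10 10 00 40 99 04 9A 04 04 40 10 02 20 01 00}
0x4126F End If {18 02}
"""
LINE = re.compile(r"^0x[0-9A-F]+\s+(.*?)\s*\{([0-9A-F ]+)\}$")
# Opcode byte -> name as labelled in the dump. 0x15 AND is the Framework IFR
# number for the one operator the excerpt does not use (assumption).
NAME = {0x08: "PASSWORD", 0x0A: "SUPPRESS_IF", 0x12: "EQ_ID_VAL", 0x14: "EQ_ID_LIST",
        0x15: "AND", 0x16: "OR", 0x17: "NOT", 0x18: "END_IF", 0x19: "GRAYOUT_IF",
        0x22: "EQ_VAR_VAL", 0x25: "VARSTORE_SELECT"}

def u16(b: bytes, i: int) -> int:
    return b[i] | (b[i + 1] << 8)

def parse_dump(text: str) -> List[Tuple[str, bytes]]:
    """(extractor label, raw opcode bytes) for every '0xADDR label {bytes}' line."""
    return [(m.group(1), bytes.fromhex(m.group(2).replace(" ", "")))
            for m in (LINE.match(l.strip()) for l in text.splitlines()) if m]

def operand(op: bytes, varstore: int) -> tuple:
    """Decode one expression token using the field layout visible in the dump."""
    code = op[0]
    if code == 0x12:          # EQ_ID_VAL: offset u16, width u8, value u16
        return ("EQ", varstore, u16(op, 2), op[4], {u16(op, 5)})
    if code == 0x14:          # EQ_ID_LIST: offset u16, width u8, count u16, values u16[]
        return ("EQ", varstore, u16(op, 2), op[4], {u16(op, 7 + 2 * k) for k in range(u16(op, 5))})
    if code == 0x22:          # EQ_VAR_VAL: browser-resolved variable id u16, value u16
        return ("EQVAR", u16(op, 2), u16(op, 4))
    return (NAME[code],)      # AND / OR / NOT

def evaluate(tokens: list, varstores: Dict[int, bytes], browser_vars: Dict[int, int]) -> bool:
    """Postfix evaluation: comparisons push a bool, NOT pops one, AND/OR pop two."""
    stack: List[bool] = []
    for t in tokens:
        if t[0] == "EQ":
            _, store, off, width, values = t
            stack.append(int.from_bytes(varstores[store][off:off + width], "little") in values)
        elif t[0] == "EQVAR":
            stack.append(browser_vars.get(t[1]) == t[2])
        elif t[0] == "NOT":
            stack.append(not stack.pop())
        else:
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if t[0] == "AND" else (a or b))
    if len(stack) != 1:
        raise ValueError("guard expression did not reduce to one value")
    return stack[0]

def question_visibility(ops: List[Tuple[str, bytes]], varstores: Dict[int, bytes],
                        browser_vars: Dict[int, int]) -> Dict[str, str]:
    """Map each PASSWORD question label to 'suppressed', 'grayed' or 'visible'."""
    result: Dict[str, str] = {}
    pending: List[Tuple[str, list]] = []   # open guards, each with its token list
    varstore = 0                           # Setup (varstore 0) until a select says otherwise
    for label, op in ops:
        code = op[0]
        if code in (0x0A, 0x19):
            pending.append((NAME[code], []))
        elif code == 0x25:
            varstore = u16(op, 2)
        elif code in (0x12, 0x14, 0x22, 0x15, 0x16, 0x17) and pending:
            pending[-1][1].append(operand(op, varstore))
        elif code == 0x18:
            pending = []                   # a single End If closes every open guard in this dump
        elif code == 0x08:
            hits = {kind for kind, toks in pending if evaluate(toks, varstores, browser_vars)}
            result[label] = ("suppressed" if "SUPPRESS_IF" in hits
                             else "grayed" if "GRAYOUT_IF" in hits else "visible")
    return result

def make_state(idesecdev_word0: int, setup_b5: int) -> Dict[int, bytes]:
    """Constructed varstores: IDESecDev (id 0xF015, 0x90 bytes per the dump) and
    Setup (id 0, 0x29D bytes); only the bytes the guards read are filled in."""
    idesec, setup = bytearray(0x90), bytearray(0x29D)
    idesec[0:2] = idesecdev_word0.to_bytes(2, "little")
    setup[0xB5] = setup_b5
    return {0xF015: bytes(idesec), 0: bytes(setup)}

if __name__ == "__main__":
    ops = parse_dump(IFR_EXCERPT)
    for word0 in (0, 1):
        print(f"IDESecDev[0]={word0}:", question_visibility(ops, make_state(word0, 0), {0x41: 0}))
```

Note that the same dump binds the two Password questions to IDESecDev offsets 0x10 and 0x50 (64 bytes each), which is the place to look for the question the post raises about whether the password ends up in that variable store.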

References (Link Dump):

  1. http://vxlabs.com/2012/12/22/ssds-with-usable-built-in-hardware-based-full-disk-encryption/
  2. http://ark.intel.com/products/67288/Intel-SSD-330-Series-180GB-SATA-6Gbs-25nm-MLC
  3. http://www.intel.com/p/en_US/support/highlights/ssdc/ssd-330
  4. http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-board-dh67bl.html
  5. https://communities.intel.com/thread/53404
  6. http://www.intel.com/support/ssdc/hpssd/sb/CS-034543.htm
  7. https://github.com/NikolajSchlej/UEFITool
  8. http://donovan6000.blogspot.com/2014/02/universal-ifr-extractor.html
  9. http://wiki.phoenix.com/wiki/index.php/EFI_IFR_VARSTORE
  10. http://uefidk.intel.com/blog/accessing-uefi-variables-linux
  11. https://github.com/sstahlman/Universal-IFR-Extractor/releases/tag/v0.6.1a
  12. http://www.thepromisedlan.org/archives/tag/firmware
  13. https://svn.code.sf.net/p/edk2/code/trunk/edk2/EdkShellBinPkg/FullShell/X64/Shell_Full.efi
  14. http://uefi.blogspot.com/2009/10/uefi-hii-part-4-strings.html

3 comments:

  1. Hi @Seth, your post is very helpful. I have an Intel DH67CL1 mainboard bought in July 2012 with BIOS updated to the latest available release (160). I enabled "UEFI" mode. I have an Intel 330 series 180GB SSD which is connected to the system and need to format GPT and install Linux. But hdparm shows that although it is not "locked", it is "frozen". From what I get, it is the BIOS which security-freezes the SSD drive each time it detects the SSD. I have once secure erased and "unfrozen" the SSD, but it got frozen again on next boot. It is impractical, you know, to remove and reconnect the SSD each time to skip the BIOS/UEFI (what I understand). Will you help me with how to deal with this BIOS? Is there a custom modified BIOS/UEFI with more options including SSD freeze enable/disable options and others? Very few actually understand my query when I asked in some computer forums. Thank you.
    BTW, please find my queries here:
    https://communities.intel.com/thread/55049
    http://www.neowin.net/forum/topic/1229567-ssd-info-shows-frozen-state-after-secure-erasing-also-shows-frozen-bios-problem/?p=596578565

    Replies
    1. As far as I know, there isn't any way to easily deal with that behavior; I didn't get to the point of modding the BIOS, since my understanding is this one is signed. Intel's position on this seems to be "To hell with the customer" and it's pretty aggravating. However, you shouldn't need to care about any of this just to format it as GPT and install Linux; snag Hiren's or use any Linux boot disc(?).

      What I wanted was to have a password enabled, which this board doesn't allow, unless you go through the gyrations I outlined. Short of actually hacking on the BIOS, the only way to bypass the freeze lock is to disconnect and reconnect the drive after the system is booted.

      Edit: I looked at your question in the forum. No, you don't need to worry about this at all. The FROZEN prevents the drive from having a hdd password set; the logic is that unpleasant sorts can't set a hdd password and then have easy ransomware. The drive in the frozen state also won't allow a SECURE ERASE, which in the case of this drive, means it 'loses' the previous encryption key and creates a new one (assuming we can trust Intel's engineers to tell the truth, the data's always encrypted). This all has nothing to do with normal operation of the drive; the only reason you'd care about this is if you were trying to do what I did, and have a hard drive password set on this board.

    2. 1) You should be safe with UEFI, and you won't need a boot partition, as such, instead, you need the layout EFI likes. See this SU thread for some information you'll find helpful: http://superuser.com/questions/496026/what-is-the-difference-in-boot-with-bios-and-boot-with-uefi Linux should work just dandy with it enabled.

      2) The BIOS will freeze the drive no matter whether you're faking SATA in Legacy mode or not; there's really no reason to set it at IDE mode, unless you were using some braindead tools that don't seem to work well with AHCI. (hdat2/mhdd, depending on the hour and status of livestock sacrifices.) Remember, the drive is only 'frozen' as far as doing ata commands like secure erase and the other security (password) commands. Unless you're doing those, it won't affect you. (And if you do want to do them, on this system, you have to unplug the drive and plug it back in, or wait until bios is done with post to plug it in)

      3) You can modify, but my understanding is when you go to flash, it'll fail, and also, the boot block (if not flashed) will refuse to complete loading the bios main because it's not signed. It's worse on some new HP tablets, this whole thing: some really lame ass companies (Cough. Intel. Cough) seem to be in the habit of locking down employee devices, such that bios access is locked, and no boot devices allowed, so no way to even flash the system --- which won't load any .efi files not signed. Just nasty. I'm not an advanced user at all; just poking around in the dark. I thought it'd be stupid to try to do something like truecrypt on an SSD that had hardware encryption, and was miffed there was no way of using it on a desktop, hence this blog post figuring out a way.
