Ultrastar DC SS200 SAS SSDs encrypted (TCG Enterprise?) with SPC-3 PR

[Koop]

Here's an AI generated script that should go through all the steps for the reservation release process for all disks that have them. I used a less refined script that worked so technically this exact one is untested but... Should work I think. apparently it doesn't work.I'm keeping it here because one day when ChatGPT is looking back at our conquered civilization it can have a chuckle at how bad this script was.

#!/bin/bash

# Function to detect all available disks in the system
detect_disks() {
  lsblk -nd -o NAME,TYPE | awk '$2 == "disk" {print $1}'
}

# Function to determine the prout-type based on reservation type
get_prout_type() {
  local res_type=$1
  case "$res_type" in
    "Write Exclusive, all registrants") echo 7 ;;
    "Write Exclusive") echo 1 ;;
    "Exclusive Access") echo 3 ;;
    "Write Exclusive, registrants only") echo 5 ;;
    "Exclusive Access, registrants only") echo 6 ;;
    "Exclusive Access, all registrants") echo 8 ;;
    *) echo "Unknown" ;;
  esac
}

# Function to get reservation type of a disk
get_reservation_type() {
  sg_persist -n -i -r -d /dev/$1 2>/dev/null | grep "type:" | awk -F ": " '{print $2}'
}

# Detect disks and iterate over them
for dev in $(detect_disks); do
  res_type=$(get_reservation_type $dev)

  # If there is no reservation, skip this device
  if [ -z "$res_type" ]; then
    echo "No reservation held on /dev/$dev, skipping..."
    continue
  fi

  prout_type=$(get_prout_type "$res_type")

  if [ "$prout_type" == "Unknown" ]; then
    echo "Unknown reservation type on /dev/$dev, skipping..."
    continue
  fi

  echo "Processing /dev/$dev with reservation type $res_type and prout-type $prout_type"

  echo "Registering key 0xDEADBEEF on /dev/$dev"
  sg_persist --out --register --param-sark=0xDEADBEEF /dev/$dev

  echo "Reserving key 0xDEADBEEF with type $prout_type on /dev/$dev"
  sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=$prout_type /dev/$dev

  echo "Releasing key 0xDEADBEEF with type $prout_type on /dev/$dev"
  sg_persist --out --release --param-rk=0xDEADBEEF --prout-type=$prout_type /dev/$dev

  echo "Clearing key 0xDEADBEEF on /dev/$dev"
  sg_persist --out --clear --param-rk=0xDEADBEEF /dev/$dev
done

# Verify that all keys and reservations are cleared
echo "Verifying that all keys and reservations are cleared"
for dev in $(detect_disks); do
  echo "Checking keys for /dev/$dev"
  sg_persist -n -i -k -d /dev/$dev

  echo "Checking reservations for /dev/$dev"
  sg_persist -n -i -r -d /dev/$dev
done

echo "Process completed. All drives should have no keys or reservations."

 

[nexox]

That script is using a hard coded key rather than reading it with sg_persist, seems like that won't work. It's also kind of funny that even magical AI will pipe grep to awk.

 

[Koop]

That script is using a hard coded key rather than reading it with sg_persist, seems like that won't work. It's also kind of funny that even magical AI will pipe grep to awk.

Funny. I had a totally different script to start with but I had provided it all the outputs of the commands I ran myself to do it.

Well I am assuming that after running --sedutil-cli PSIDrevertAdminSP and getting access to the disks that there's really not much else I can do. I'm just good to go. Just wanted to throw it out there in case there was anything extra I could or should do. Other than format everything to 4k I guess.

The reads be zoomin!

 

[Hard2Reach]

OMG!! I was just searching for this issue. I got hold of a dozen of them exact drives a couple of weeks ago. Just completed my setup using an ICYDock enclosure (https://www.amazon.com/dp/B07K8PK8JP?psc=1&ref=ppx_yo2ov_dt_b_product_details) connected to and lsi 9300-8i yesterday and came to a halt as soon as I was unable to configure and use the drives on windows server 2022 as it failed to get online. Tried different ways of diskpart and would never get to format or partition. Can I use sedutil on a windows machine? Im not really good or familiar with linux (sorry I'm a windows guy).

 

[nabsltd]

Can I use sedutil on a windows machine? Im not really good or familiar with linux (sorry I'm a windows guy).

I gotta say, you're not familiar with Google, either. The first hit for "sedutil windows" got me this: Releases · ChubbyAnt/sedutil

 

[Hard2Reach]

I gotta say, you're not familiar with Google, either. The first hit for "sedutil windows" got me this: Releases · ChubbyAnt/sedutil

Yes I found it earlier and was not able to reply right away due to my excitement to hurry home and try it out.

 

[Hard2Reach]

So i also found sg_util for windows. Based on the script that @Koop provided, running it single commands to the first drive before I can create a powershell script to automate the rest of the drives. I am getting a "Reservation conflict" when sending the sg_persist --reserve command, see below:

Spoiler: Commands executed

E:\SG_Util>sg_scan.exe -s
PD0 HGST SDLL1HLR076TCDA1 X150 **sn removed**
PD1 HGST SDLL1HLR076TCDA1 X150 **sn removed**
PD2 HGST SDLL1HLR076TCDA1 X150 **sn removed**
PD3 HGST SDLL1HLR076TCDA1 X150 **sn removed**
PD4 [CD] SAMSUNG MZVKW512HMJP-000H1 CXA74H0Q 0025_38CB_71B0_BBF1.
PD5 T-FORCE TM8FPZ002T EIFM31.6 6479_A77F_9A30_104C.
PD6 [E] SMI USB DISK 1100 AA00000000000489

SCSI0:0,0,0 claimed=1 pdt=0h HGST SDLL1HLR076TCDA1 X150
SCSI0:0,1,0 claimed=1 pdt=0h HGST SDLL1HLR076TCDA1 X150
SCSI0:0,2,0 claimed=1 pdt=0h HGST SDLL1HLR076TCDA1 X150
SCSI0:0,3,0 claimed=1 pdt=0h HGST SDLL1HLR076TCDA1 X150
SCSI2:0,0,0 claimed=1 pdt=0h NVMe SAMSUNG MZVKW512 4H0Q
SCSI3:0,0,0 claimed=1 pdt=0h NVMe T-FORCE TM8FPZ00 31.6

E:\SG_Util>sg_persist -n -i -r -d PD0
PR generation=0x1b, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist -n -i -r -d PD1
PR generation=0x1b, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist -n -i -r -d PD2
PR generation=0x1b, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist -n -i -r -d PD3
PR generation=0x1b, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist --out --register --param-sark=0xDEADBEEF PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

E:\SG_Util>sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Reserve): Reservation conflict

am I missing something before this (sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=5 PD0) line?

 

[Hard2Reach]

So ignoring that Reservation conflict, i moved on to the remaining command lines:

Spoiler: Next few commands

E:\SG_Util>sg_persist --out --release --param-rk=0x5d114d1200000001 --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

E:\SG_Util>sg_persist --out --release --param-rk=0xdeadbeef --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

E:\SG_Util>sg_persist --out --clear --param-rk=0xDEADBEEF PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

Spoiler: Checking PD0 again shows no more reservations

E:\SG_Util>sg_persist -n -i -r -d PD0
PR generation=0x1d, there is NO reservation held

 

[Hard2Reach]

Im still getting Access Denied...

Spoiler: Access denied when trying to format

E:\SG_Util>sg_format.exe --format -v PD0
HGST SDLL1HLR076TCDA1 X150 peripheral_type: disk [0x0]
PROTECT=1
<< supports protection information>>

LU name: 5001173101ab3b88
mode sense (10) cdb: 5a 00 01 00 00 00 00 00 fc 00
Mode Sense (block descriptor) data, prior to changes:
Mode sense number of blocks maxed out, set longlba
mode sense (10) cdb: 5a 10 01 00 00 00 00 00 fc 00
Mode Sense (block descriptor) data, prior to changes:
<<< longlba flag set (64 bit lba) >>>
Number of blocks=15002931888 [0x37e3e92b0]
Block size=512 [0x200]

A FORMAT UNIT will commence in 15 seconds
ALL data on PD0 will be DESTROYED
Press control-C to abort

A FORMAT UNIT will commence in 10 seconds
ALL data on PD0 will be DESTROYED
Press control-C to abort

A FORMAT UNIT will commence in 5 seconds
ALL data on PD0 will be DESTROYED
Press control-C to abort
format unit cdb: 04 18 00 00 00 00
format unit:
Descriptor format, current; Sense key: Data Protect
Additional sense: Access denied - no access rights
Descriptor type: Field replaceable unit code: 0x1
Format unit command: Data protect sense key, write protected media?
FORMAT UNIT failed

Spoiler: Diskpart shows Disk is not Read-Only

DISKPART> list disk

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 7153 GB 7153 GB
Disk 1 Online 7153 GB 7153 GB
Disk 2 Online 7153 GB 7153 GB
Disk 3 Online 7153 GB 7153 GB
Disk 4 Online 476 GB 0 B *
Disk 5 Online 1863 GB 0 B *
Disk 6 Online 14 GB 0 B

DISKPART> sel disk 0

Disk 0 is now the selected disk.

DISKPART> detail disk

HGST SDLL1HLR076TCDA1 SCSI Disk Device
Disk ID: 00000000
Type : SAS
Status : Online
Path : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(14)#PCI(0000)#PCI(0000)#SAS(P00T00L00)
Current Read-only State : No
Read-only : No
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
Clustered Disk : No

There are no volumes.

 

[Koop]

So i also found sg_util for windows. Based on the script that @Koop provided, running it single commands to the first drive before I can create a powershell script to automate the rest of the drives. I am getting a "Reservation conflict" when sending the sg_persist --reserve command, see below:

Spoiler: Commands executed

E:\SG_Util>sg_scan.exe -s
PD0 HGST SDLL1HLR076TCDA1 X150 **sn removed**
PD1 HGST SDLL1HLR076TCDA1 X150 **sn removed**
PD2 HGST SDLL1HLR076TCDA1 X150 **sn removed**
PD3 HGST SDLL1HLR076TCDA1 X150 **sn removed**
PD4 [CD] SAMSUNG MZVKW512HMJP-000H1 CXA74H0Q 0025_38CB_71B0_BBF1.
PD5 T-FORCE TM8FPZ002T EIFM31.6 6479_A77F_9A30_104C.
PD6 [E] SMI USB DISK 1100 AA00000000000489

SCSI0:0,0,0 claimed=1 pdt=0h HGST SDLL1HLR076TCDA1 X150
SCSI0:0,1,0 claimed=1 pdt=0h HGST SDLL1HLR076TCDA1 X150
SCSI0:0,2,0 claimed=1 pdt=0h HGST SDLL1HLR076TCDA1 X150
SCSI0:0,3,0 claimed=1 pdt=0h HGST SDLL1HLR076TCDA1 X150
SCSI2:0,0,0 claimed=1 pdt=0h NVMe SAMSUNG MZVKW512 4H0Q
SCSI3:0,0,0 claimed=1 pdt=0h NVMe T-FORCE TM8FPZ00 31.6

E:\SG_Util>sg_persist -n -i -r -d PD0
PR generation=0x1b, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist -n -i -r -d PD1
PR generation=0x1b, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist -n -i -r -d PD2
PR generation=0x1b, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist -n -i -r -d PD3
PR generation=0x1b, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist --out --register --param-sark=0xDEADBEEF PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

E:\SG_Util>sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Reserve): Reservation conflict

am I missing something before this (sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=5 PD0) line?

Yes you have to do the whole procedure to put your own reservation on the disk, your own key, then clear all other reservations and keys using said created reservation and key. You cannot do anything further with the drive until this is resolved.

If you think about it logically it makes sense. You don't have ownership of the device- a different system has it claimed. So you must manually claim it so you can modify the drive.

 

[Hard2Reach]

Yes you have to do the whole procedure to put your own reservation on the disk, your own key, then clear all other reservations and keys using said created reservation and key. You cannot do anything further with the drive until this is resolved.

If you think about it logically it makes sense. You don't have ownership of the device- a different system has it claimed. So you must manually claim it so you can modify the drive.

ok I got lost on "put your own reservation on the disk, your own key" part. Appreciate any guidance on this... not really familiar with this process.

 

[Koop]

ok I got lost on "put your own reservation on the disk, your own key" part. Appreciate any guidance on this... not really familiar with this process.

SCSI SPC-3 persistent reservations and fencing

This post shows how to exploit SCSI SPC-3 persistent reservations to implement disk fencing on pacemaker high-availability clusters, lowering split brain risks

grimoire.carcano.ch

Gather info on your drive with these commands

sg_persist -n -i -k -d /dev/<DEVICE>
sg_persist -n -i -r -d /dev/</DEVICE>

Register a key on the drive. Here we register 0xDEADBEEF

sg_persist --out --register --param-sark=0xDEADBEEF /dev/<DEVICE>

Reserve a key on same drive

sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=_<number here  that matches the type of reservation on the drive> /dev/<DEVICE>

reservation types:

• 1 = write exclusive
• 3 = exclusive access
• 5 = write exclusive - registrants only
• 6 = exclusive access - registrants only
• 7 = write exclusive - all registrants
• 8 = exclusive access - all registrants

Release your registration

sg_persist --out --release --param-rk=0xDEADBEEF --prout-type=<your reservation type here> /dev/<DEVICE>

unregisters your key

sg_persist --out --register --param-rk=<reservation type> /dev/<DEVICE>

or alternatively you clear both your registration and unregister your key at once along with everyone else's if you use the proper prout-type (all registrants)

sg_persist --out --clear --param-rk=<reservation type> /dev/<DEVICE>

You can't remove the registration/key without first making your own to take ownership of the device- well that's an assumption as to how it works which makes logical sense to me.

Hope the above gets you there

 

[Hard2Reach]

Ah ok... its adding the DEADBEEF line which is registering as my ownership..
ok I think I missed the --prout-type after registering the DEADBEEF line.

Will try it later tonight once I get back home, hopefully it didn't mess up the drive.

 

[Hard2Reach]

This is driving me nuts... still keep on getting Reservation conflict when Reserving Key on the drive. I have tried all 4 drives and keep on getting the same result. Does this command work on linux only?

Spoiler: Reservation Conflict

E:\SG_Util>sg_persist --out --register --param-sark=0xDEADBEEF PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

E:\SG_Util>sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Reserve): Reservation conflict

Spoiler: Checking drive again on the status...

E:\SG_Util>sg_persist -n -i -k -d PD0
PR generation=0x1c, 2 registered reservation keys follow:
0x5d114d1200000001
0xdeadbeef

E:\SG_Util>sg_persist -n -i -r -d PD0
PR generation=0x1c, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

As you can see on the status, it did register the DEADBEEF but on the second check only 1 key is present..

Edit: Dont I also need to release the first key ( Key=0x5d114d1200000001)?

 

[Koop]

Do it with --prout-type=7 when you --out --clear

 

[Hard2Reach]

Thanks but its still no go...

Spoiler: Commands sequence

E:\SG_Util>sg_scan.exe -s
PD0 HGST SDLL1HLR076TCDA1 X150
PD1 [CD] SAMSUNG MZVKW512HMJP-000H1 CXA74H0Q 0025_38CB_71B0_BBF1.
PD2 T-FORCE TM8FPZ002T EIFM31.6 6479_A77F_9A30_104C.
PD3 [E] SMI USB DISK 1100 AA00000000000489

SCSI0:0,0,0 claimed=1 pdt=0h HGST SDLL1HLR076TCDA1 X150
SCSI2:0,0,0 claimed=1 pdt=0h NVMe SAMSUNG MZVKW512 4H0Q
SCSI3:0,0,0 claimed=1 pdt=0h NVMe T-FORCE TM8FPZ00 31.6

E:\SG_Util>sg_persist -n -i -k -d PD0
PR generation=0x1b, 1 registered reservation key follows:
0x5d114d1200000001

E:\SG_Util>sg_persist -n -i -r -d PD0
PR generation=0x1b, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist --out --register --param-sark=0xDEADBEEF PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

E:\SG_Util>sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=7 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Reserve): Reservation conflict

E:\SG_Util>sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Reserve): Reservation conflict

E:\SG_Util>sg_persist -n -i -r -d PD0
PR generation=0x1c, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist -n -i -k -d PD0
PR generation=0x1c, 2 registered reservation keys follow:
0x5d114d1200000001
0xdeadbeef

E:\SG_Util>sg_persist --out --release --param-rk=0x5d114d1200000001 --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

E:\SG_Util>sg_persist -n -i -k -d PD0
PR generation=0x1c, 2 registered reservation keys follow:
0x5d114d1200000001
0xdeadbeef

E:\SG_Util>sg_persist --out --release --param-rk=0xDEADBEEF --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

E:\SG_Util>sg_persist --out --clear --param-rk=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Clear): Reservation conflict

E:\SG_Util>sg_persist --out --clear --param-rk=7 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Clear): Reservation conflict

E:\SG_Util>sg_persist --out --register --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Register): Reservation conflict

E:\SG_Util>sg_persist --out --register --prout-type=7 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Register): Reservation conflict


E:\SG_Util>sg_persist --out --register --param-rk=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Register): Reservation conflict

E:\SG_Util>sg_persist --out --register --param-rk=7 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Register): Reservation conflict

E:\SG_Util>sg_persist -n -i -k -d PD0
PR generation=0x1c, 2 registered reservation keys follow:
0x5d114d1200000001
0xdeadbeef

E:\SG_Util>sg_persist -n -i -r -d PD0
PR generation=0x1c, Reservation follows:
Key=0x5d114d1200000001
scope: LU_SCOPE, type: Write Exclusive, registrants only

E:\SG_Util>sg_persist --out --release --param-rk=0xDEADBEEF --prout-type=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk

E:\SG_Util>sg_persist --out --register --param-rk=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Register): Reservation conflict

E:\SG_Util>sg_persist --out --clear --param-rk=5 PD0
HGST SDLL1HLR076TCDA1 X150
Peripheral device type: disk
PR out (Clear): Reservation conflict

Registration Keys still shows up after sg_persist --out --release
Then constantly getting Reservation Conflict for any sg_persist --out --clear, doesn't matter if I use -prout-type= 5 or 7

 

[Koop]

reserve key with

sg_persist --out --reserve --param-rk=0xDEADBEEF --prout-type=1 PD0

clear the reservation with

release with --param-rk=7
sg_persist --out --clear --param-rk=7 PD0


you must reserve the key as the same type on disk, as in your case is type 1, per the command output on checking the disk

scope: LU_SCOPE, type: Write Exclusive, registrants only

Write Exclusive

thus

1 = write exclusive

that allows you to reserve a key

but when releasing you want to release write exclusive of all registrants, thus type 7

7 = write exclusive - all registrants

 

[Hard2Reach]

Does this command

sg_persist --out --clear --param-rk=7 PD0

also clear out the original 0x5d114d1200000001 key?
I will try it out after a few days, I just kick started testing a new 20TB drives for a NAS
Thanks for the help, will be back once I tried it out....

 

[Koop]

Does this command also clear out the original 0x5d114d1200000001 key?
I will try it out after a few days, I just kick started testing a new 20TB drives for a NAS
Thanks for the help, will be back once I tried it out....

Bout to ask you to get on ZOOM or Teams or something if you don't say you figured this out lol

 

[Hard2Reach]

Sorry for the delay, runing an extensive drive test on 2x 20TB drives takes a lot more time than I expected.
I did try to install TrueNas on the system and went thru the steps again.. somehow I see more error messages than in the windows system and still getting the Registration Conflict error with the drive still locked out although the drives no longer have any registrations.
Yeah, maybe a Teams would be helpful as my sanity is slowly drifting away ... lol