
I have an Ubuntu system which boots from a small NVMe disk using software encryption, TPM, etc. to mitigate against data loss in case of theft. The system is interfaced with customised PCIe hardware to record data (possibly very large quantities of data).

The end-user interacts with the system via a web-interface and they are not intended to use any user accounts on the system or interact directly with it on keyboard/mouse/monitor. The system has several large drives which are intended to contain the data recorded by the system. These disks are able to be encrypted (or not) at the whim of the end-user.

The large disks are SED capable (not OPAL compliant). When the SED password is set (`hdparm --user-master u --security-set-pass "$password" /dev/...`) we see that the disks are not accessible without the password (`hdparm --user-master u --security-unlock "$password" /dev/...`) after they are removed and re-inserted to the host system. Excellent, the encryption is working - our data is safe (OK, safer).

However, on power cycle the system pauses during the POST to prompt for a password for each drive (there are 12 of them!). This blocks the boot process. Obviously this is less than ideal for us as we have to connect a monitor and keyboard and tap in the authentication key for each disk. We don't need these disks to be unlocked at boot time. We can unlock them later (with the above unlock command) when the system is up and running and the system user asks for them to be mounted.

Does anyone have any ideas about how we can prevent the password prompt from blocking the boot process?

fishter
  • Read `man mount;man -a fstab`, and add the `noauto` option to the entry in `/etc/fstab`. – waltinator Oct 27 '21 at 17:48
  • The boot process is blocked during POST. The operating system has not started at this point. – fishter Oct 29 '21 at 21:52
  • So is your question really "How do I ignore drives in Power On Self Test"? Remove power from the encrypted drives until after POST (post POST?). Fixing problems in POST via software before the system boots isn't possible. – waltinator Oct 30 '21 at 04:24
  • My question is "how can I stop being prompted for a password for SED drives during POST". If there is a way to ignore them - great. If there is a config option to apply in the BIOS or on the disk hardware to make this happen I'd love to know what it is. – fishter Nov 01 '21 at 16:49
  • If the SED drives are connected to the system, and have power, the BIOS may be looking for a bootable partition. Can you, in the BIOS, remove them from the Boot List? Or change the Boot Order? This is getting too far away from Unix, and probably should be moved to another Stack Exchange Community, after you [edit] your original Question to add all the information you gave in Comments. Potential Answerers should see all the information in the Question, and not have to read a long string of comments to get the whole story. – waltinator Nov 01 '21 at 19:27
  • @fishter, I was about to suggest that you [ask at SuperUser](https://superuser.com/help/on-topic), but I see that [you already have](https://superuser.com/q/1684101/513541), so I'll close this one in favor of that one. – Jeff Schaller Nov 02 '21 at 11:41
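
The deferred unlock the question describes (unlock once the system is up and the user asks for a mount), as an added example that is not part of the original post or its comments: it reads each drive's ATA security state from `hdparm -I` and unlocks only drives that report `locked`. The function names and the sample output are constructed for illustration, and it does not address the POST prompt itself.

```shell
#!/bin/sh
# Added example: unlock ATA-security-locked data drives after boot, on demand.
# Run as root. Function names are hypothetical, not from the original post.

# Constructed sample of the Security section `hdparm -I` prints for a locked drive.
sample_locked() {
    printf 'Security: \n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t\tenabled\n\t\tlocked\n\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\nChecksum: correct\n'
}

# Read `hdparm -I` output on stdin; print one of:
# unsupported | disabled | locked | frozen | unlocked
sed_state() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next unindented header ends the section
        insec && $NF == "supported" { sup = ($1 != "not") }
        insec && $NF == "enabled"   { en  = ($1 != "not") }
        insec && $NF == "locked"    { lk  = ($1 != "not") }
        insec && $NF == "frozen"    { fr  = ($1 != "not") }
        END {
            if (!sup)     print "unsupported"
            else if (!en) print "disabled"
            else if (lk)  print "locked"
            else if (fr)  print "frozen"
            else          print "unlocked"
        }'
}

# unlock_locked PASSWORD DEV...  Unlock only drives that report "locked".
# Skipping the rest matters: each failed unlock counts against the drive's
# attempt limit (the "expired: security count" line). The password is passed
# in argv, so it is visible in the process list while hdparm runs.
unlock_locked() {
    password=$1; shift
    for dev in "$@"; do
        state=$(hdparm -I "$dev" 2>/dev/null | sed_state)
        if [ "$state" = locked ]; then
            hdparm --user-master u --security-unlock "$password" "$dev" ||
                echo "$dev: unlock failed" >&2
        else
            echo "$dev: $state, skipping"
        fi
    done
}
```
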

0 Answers