I've a 480G Self Encrypting Solid State Drive that I want to make exclusive passthrough to a CentOS 7.2 guest VM. This OS is meant to be the unlocking gate-keeper for data on this SSD which gets NFS and Samba made available to other network-connected VMs and physical machines.
Following the approach noted in https://www.vm-help.com/esx40i/esx41/creating-rdms-on-sata-drives, I was able to successfully "see" the drive in the booted VM guest:
[root@GPP0 ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 6G 0 disk
├─sda1 8:1 0 200M 0 part /boot/efi
├─sda2 8:2 0 250M 0 part /boot
└─sda3 8:3 0 5.6G 0 part
  ├─centos_gpp0-root 253:0 0 5G 0 lvm /
  └─centos_gpp0-swap 253:1 0 616M 0 lvm [SWAP]
sdb 8:16 0 447.1G 0 disk <-- my test drive is a 480G
smartctl works to reveal details of drive:
Model Family: SandForce Driven SSDs
Device Model: HR3A2X0480AICC1
User Capacity: 480,103,981,056 bytes [480 GB]
Sector Size: 512 bytes logical/physical
Rotation Rate: Solid State Device
Device is: In smartctl database [for details use: -P show]
ATA Version is: ATA8-ACS, ACS-2 T13/2015-D revision 3
SATA Version is: SATA 3.0, 6.0 Gb/s (current: 3.0 Gb/s)
Within the ESXi host it's listed this way:
[root@localhost:~] esxcli storage nmp device list
t10.ATA_____HR3A2X0480AICC1_____________________________________6G0005PR
Device Display Name: Local ATA Disk (t10.ATA_____HR3A2X0480AICC1_____________________________________6G0005PR)
Storage Array Type: VMW_SATP_LOCAL
Storage Array Type Device Config: SATP VMW_SATP_LOCAL does not support device configuration.
Path Selection Policy: VMW_PSP_FIXED
Path Selection Policy Device Config: {preferred=vmhba0:C0:T0:L0;current=vmhba0:C0:T0:L0}
Path Selection Policy Device Custom Config:
Working Paths: vmhba0:C0:T0:L0
Is USB: false
I can use hdparm -I /dev/sdb and it returns information, including ATA security info:
. . .
Security:
Master password revision code = 3
supported
enabled
locked
not frozen
not expired: security count
supported: enhanced erase
Security level high
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 538c9a9000001bf4
NAA : 5
IEEE OUI : 38c9a9
Unique ID : 000001bf4
Checksum: correct
BUT issuing the hdparm security unlock command returns:
[root@GPP0 ~]# /usr/sbin/hdparm --user-master u --security-unlock localpassword /dev/sdb
security_password="localpassword"
/dev/sdb:
Issuing SECURITY_UNLOCK command, password="localpassword", user=user
SG_IO: bad/missing sense data, sb[]: 70 00 05 00 00 00 00 0b 00 00 00 00 24 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
so no further operations to fdisk, or file, etc. will work and the drive cannot be mounted for use.
fdisk: cannot open /dev/sdb: Input/output error
I've also attempted steps from
https://kb.vmware.com/s/article/2013188 to ensure the LUN appears as an SSD, with the same results.
One last capture from the ESXi host, maybe someone can point out if there are other adjustments that this might reveal that should/could be made to allow the unlock command to work.
[root@localhost:~] esxcli storage core device list -d t10.ATA_____HR3A2X0480AICC1_____________________________________6G0005PR
t10.ATA_____HR3A2X0480AICC1_____________________________________6G0005PR
Display Name: Local ATA Disk (t10.ATA_____HR3A2X0480AICC1_____________________________________6G0005PR)
Has Settable Display Name: true
Size: 457862
Device Type: Direct-Access
Multipath Plugin: NMP
Devfs Path: /vmfs/devices/disks/t10.ATA_____HR3A2X0480AICC1_____________________________________6G0005PR
Vendor: ATA
Model: HR3A2X0480AICC1
Revision: 2518
SCSI Level: 5
Is Pseudo: false
Status: on
Is RDM Capable: false
Is Local: true
Is Removable: false
Is SSD: true
Is VVOL PE: false
Is Offline: false
Is Perennially Reserved: false
Queue Full Sample Size: 0
Queue Full Threshold: 0
Thin Provisioning Status: yes
Attached Filters:
VAAI Status: unknown
Other UIDs: vml.01000000002020202020202020202020203647303030355052485233413258
Is Shared Clusterwide: false
Is SAS: false
Is USB: false
Is Boot Device: false
Device Max Queue Depth: 31
No of outstanding IOs with competing worlds: 31
Drive Type: unknown
RAID Level: unknown
Number of Physical Drives: unknown
Protection Enabled: false
PI Activated: false
PI Type: 0
PI Protection Mask: NO PROTECTION
Supported Guard Types: NO GUARD SUPPORT
DIX Enabled: false
DIX Guard Type: NO GUARD SUPPORT
Emulated DIX/DIF Enabled: false
Suggestions or insights?
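The `sb[]` bytes in the hdparm error above are SCSI fixed-format sense data. As an added example (not part of the original post), the following Python decodes that line; the function names and the small lookup tables are this example's own and cover only a subset of the SPC codes.

```python
import re

# Subset of SPC sense keys and ASC/ASCQ pairs, enough for hdparm/SG_IO triage.
SENSE_KEYS = {0x0: "NO SENSE", 0x1: "RECOVERED ERROR", 0x2: "NOT READY",
              0x3: "MEDIUM ERROR", 0x4: "HARDWARE ERROR", 0x5: "ILLEGAL REQUEST",
              0x6: "UNIT ATTENTION", 0x7: "DATA PROTECT", 0xB: "ABORTED COMMAND"}
ASC_ASCQ = {(0x00, 0x1D): "ATA PASS THROUGH INFORMATION AVAILABLE",
            (0x20, 0x00): "INVALID COMMAND OPERATION CODE",
            (0x24, 0x00): "INVALID FIELD IN CDB",
            (0x26, 0x00): "INVALID FIELD IN PARAMETER LIST"}

# Error line exactly as it appears in the post above.
POST_LINE = ("SG_IO: bad/missing sense data, sb[]: 70 00 05 00 00 00 00 0b "
             "00 00 00 00 24 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 "
             "00 00 00 00")

def parse_sb(line):
    """Return the hex bytes that follow 'sb[]:' in an hdparm error line."""
    _, _, tail = line.partition("sb[]:")
    return bytes(int(b, 16) for b in re.findall(r"\b[0-9a-fA-F]{2}\b", tail))

def decode_fixed_sense(sb):
    """Decode fixed-format (response code 70h/71h) sense data into a dict."""
    if len(sb) < 8:
        raise ValueError("sense buffer too short")
    code = sb[0] & 0x7F
    if code not in (0x70, 0x71):
        raise ValueError(f"not fixed-format sense (response code {code:#x})")
    valid = sb[:8 + sb[7]]            # byte 7 = additional sense length
    key = valid[2] & 0x0F
    out = {"deferred": code == 0x71, "sense_key": key,
           "sense_key_name": SENSE_KEYS.get(key, "not in table")}
    if len(valid) >= 14:
        asc = (valid[12], valid[13])
        out["asc_ascq"] = asc
        out["asc_ascq_name"] = ASC_ASCQ.get(asc, "not in table")
    # Bytes 15-17 are sense-key specific; for ILLEGAL REQUEST with SKSV set
    # they say whether the rejected field is in the CDB or the parameter data.
    if key == 0x5 and len(valid) >= 18 and valid[15] & 0x80:
        out["error_in"] = "CDB" if valid[15] & 0x40 else "parameter data"
        out["bit_pointer"] = valid[15] & 0x07 if valid[15] & 0x08 else None
        out["field_pointer"] = int.from_bytes(valid[16:18], "big")
    return out

if __name__ == "__main__":
    for name, value in decode_fixed_sense(parse_sb(POST_LINE)).items():
        print(f"{name}: {value}")
```

For the line in the post this yields sense key 5h (ILLEGAL REQUEST) with ASC/ASCQ 24h/00h (INVALID FIELD IN CDB), which in SPC means a field of the command descriptor block itself was rejected.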