Monday, March 23, 2009

FDE for Mac is giving me the blues....again

Back on March 4th I wrote up a post about the trouble I had installing Pointsec for Mac 3.1. After I got past all of that, I was able to function normally and I haven't had any trouble until today. My precious Mac wont boot. I cant even get to the Pre Boot Environment to log in. When I power up the machine, I get a black screen with this message:
Booting devicepath Acpi (PNP0A03,0)/Pci(1Fl2)/?/HD(Part3,Sig3EE4ECEF-7BED-CDC6-1B2D-E46AEB45FE67)/Pointsec\\ppbe_main_x86_64.efiChanged current root to: 3EE4ECEF-7BED-CDC6-1B2D-E46AEB45FE67
open file esp:ppc.log
LOG: 0 1 2009-03-23 13:10:37 EFI firmware spec: 1.10

LOG: 0 1 2009-03-23 13:10:37 EFI firmware vendor: Apple

LOG: 0 1 2009-03-23 13:10:37 EFI firmware revision 0x1000a

LOG: 0 1 2009-03-23 13:10:37 failed to open file uninstall.dat - Not Found
LOG: 0 1 2009-03-23 13:10:37 failed to open file recovery.dat - Not Found
LOG: 0 1 2009-03-23 13:10:37 found raw file ppc.db (262144, 2000000)

LOG: 0 1 2009-03-23 13:10:37 found raw file ppc.db (262144, 2000000)

LOG: 0 1 2009-03-23 13:10:37 Couldn't initialize container subsystem from raw:ppc.db
FATAL ERROR: Look above for possible cause!

* Hit any key to continue *


I'm working with Checkpoint support to see if I can get my machine working again without having to do a full reinstall. Now pay attention, noobs! Unlike most of you that write to me asking how to get back into your encrypted machines, my recovery file was saved onto a network share and I have recent backups of all my data. So I will not be out in the cold if I have to do a complete reinstall. However, I'm not looking forward to going through all the work of reinstalling all of my apps and tuning them the way I had them, etc. I'll keep you posted on how things go.

Update 1: After talking to support, I looks like I'm going to need to create my recovery media and decrypt the drive. The problem is that I need to convince someone else to let me use their Mac to install Pointsec so that I can create the recovery drive. Given the rather public nature of my problems with FDE for Mac, that may be a tough sell. It would be nice if there was a standalone utility that was distributed with FDE that could be used to create a recovery file. That would be particuarly helpful if I was a small business that only owned one computer...namely the broken Mac.

Update 2: I have found a guinea pig and installed FDE on his Mac. I have not experienced the problems that I had on my own machine. One possibility that comes to mind is that since this machine has never had an older version of FDE installed, it wasn't as cranky. The recovery USB device has been created, but I can't seem to get the Mac to boot to it.

Update 3: I haven't been able to get the USB drive to boot. I found out that my first problem was that I didn't format it properly. The drive needs to be formatted with Mac OS Extended (Case-Sensitive, Journaled). Then I was able to boot to it by holding down the option key while booting. However, I ran into a new Pointsec error so I am no closer to decrypting my drive.

LOG: 0 1 2009-03-23 18:50:56 open file recovery.dat
LOG: 0 1 2009-03-23 18:50:56 Booting from recovery media
LOG: 0 1 2009-03-23 18:50:56 open file ppc.db
LOG: 0 1 2009-03-23 18:50:56 open file ppc.db
LOG: 0 1 2009-03-23 18:50:56 New container file : ppc.db
LOG: 0 1 2009-03-23 18:50:56 Doing user-acquisition, skipping directly to boot.
LOG: 0 1 2009-03-23 18:50:56 Got roodguid: 0C79D3EA-32AE-4AC5-BD7B-2F2BED73BCD9
LOG: 0 1 2009-03-23 18:50:56 raw file not found 0C79D3EA-32AE-4AC5-BD7B-2F2BED73BCD9
LOG: 0 1 2009-03-23 18:50:56 PPBE uuid = 3EE4ECEF-7BED-CDC6-1B2D-E46AEB45FE67
LOG: 0 1 2009-03-23 18:50:56 Found root-device in DB, installing block-encryption on BlockIO
LOG: 0 1 2009-03-23 18:50:56 Changed current root to: 670E55E1-E341-43A7-A517-07841C49ADF3
LOG: 0 1 2009-03-23 18:50:56 Booting devicepath Acpi(PNP0A03,0)/Pci(1Fl2)/?/HD(Part2,Sig0C79D3EA-32AE-4AC5-BD7B-2F2BED73BCD9)/\System\Library\CoreServices\boot.efi
Error: Not Found while loading
LOG: 0 1 2009-03-23 18:50:56 Couldn't boot into user-aquisiton mode!
FATAL ERROR: Look above for possible Cause!

* Hit any key to continue *

Checkpoint support said my hard drive must be going bad, so I'm going to have to completely reinstall my OS and restore from backups. Poop.

9 comments:

Anonymous said...

If the drive indeed is going bad, there should be some additional support for this, like S.M.A.R.T. logs etc., shouldn't there?

Unknown said...

@anonymous
I am inclined to agree. The support technician based his decision on the fact that some files appeared to be missing. I would have preferred to see error messages that were more clear about what was happening. Maybe diagnostic information generated by the Operating System can also be written in the unencrypted portion of the disk. This would have to be an option that the user selects since we don't want to make an arbitrary decision about what data a user might find sensitive.

I also think that the boot partition could be made more resilient. There are obviously files in there that are so important that the system won't boot without them. Perhaps there should be multiple copies of these files in case one of them becomes corrupt or missing.

nate said...

i just had the same errors installing (multiple times) on a test macbook. i might just scrap this, reinstall, and look for another test machine. lame…

Anonymous said...

I installed Pointsec on my Mac a couple of days ago. Luckily I didn't experience any problems like you were experiencing, but I did have a full Carbon Copy Cloner backup just in case.

I wasn't very impressed with the Mac version of Pointsec at all. I measured a 19% decrease in disk performance and it's definitely not as configurable as the Windows client.

Great blog, btw!

Anonymous said...

Mac client works on my macbook pro fine, it seemingly ruins my iMac (leaving it in a gray screen before preboot permanently). On the one vista system I've tried, it 1) blue screens on first boot, then hangs out at 0% encryption indefinitely, until I fiddle with the services, then it bumps to 1%, then it dies again.

I'm less than impressed. 2/4 of the machines I've tried have had serious issues.

grr

wes said...

Man I'm glad I found this blog... now I know I'm not the only one. I got that error and a different one on a Mac Pro. I also tried installed Checkpoint FDE for Mac on a new "unibody" MacBook Pro and got an error "failed to init graphics?" which I guess has to do with the dual GPUs in these computers? The recovery disk gives the same error message. I'm waiting to hear back from Checkpoint support on these issues... otherwise it works fine on slightly older Macbooks and Macbook Pros.

Heath said...

Funny how Pointsec "finds" or "reveals" hard drive problems.

Kind of like how not changing the oil in my car "finds" weak rod bearings.

...huh? bitter? No! ;)

Sarah said...

did you have a problem finding usb sticks that worked with FDE? i have 3 and only 1 works consistently... one of the sticks isn't even recognized by FDE as a removable device

Also, on the one stick that did work it doesn't seem to actually boot to the recovery disk properly - i click on it in the boot menu - then it reverts to the mac HD and boots up the mac w/o a preboot login, did you experience this?

I'm familiar with the windows version of Pointsec and i would think that the mac version should work the same and boot to a recovery disk independent of the OS riiight? in case there is an OS or system issue that prevents you to boot up properly?

Unknown said...

@Sarah,

Maybe. I only had a couple USB drives lying around and I couldn't seem to get either of them to work properly. I seem to remember that one of them wasn't recognized at all by the system when I would boot to it, but that might have been because I didn't format it with the proper file system first time around. I can't remember the fine details anymore. I wouldn't be surprised though.

Overall I feel like this is a product that is needed on the Mac because FileVault doesn't go far enough, but this particular version isn't ready for mass deployment yet.