linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pavel Machek <pavel@ucw.cz>
To: Damien Le Moal <damien.lemoal@wdc.com>
Cc: Philipp Guendisch <philipp.guendisch@fau.de>,
	linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-block@vger.kernel.org, axboe@kernel.dk,
	viro@zeniv.linux.org.uk, bart.vanassche@sandisk.com,
	martin.petersen@oracle.com, hare@suse.de, osandov@fb.com,
	dan.j.williams@intel.com, ming.lei@redhat.com,
	linux-kernel@i4.cs.fau.de, Mate Horvath <horvatmate@gmail.com>
Subject: Re: [PATCH] Support for secure erase functionality
Date: Wed, 15 Nov 2017 22:12:42 +0100	[thread overview]
Message-ID: <20171115211242.GE6183@amd> (raw)
In-Reply-To: <2b2d3855-00e9-77d0-7ee4-050c210b718e@wdc.com>

[-- Attachment #1: Type: text/plain, Size: 2109 bytes --]

Hi!

> On 9/14/17 00:37, Philipp Guendisch wrote:
> > This patch adds a software based secure erase option to improve data
> > confidentiality. The CONFIG_BLK_DEV_SECURE_ERASE option enables a mount
> > flag called 'sw_secure_erase'. When you mount a volume with this flag,
> > every discard call is prepended by an explicit write command to overwrite
> > the data before it is discarded. A volume without a discard compatibility
> > can be used as well but the discard calls will be enabled for this device
> > and suppressed after the write call is made.
> 
> Writing once to a sector stored on spinning rust will *not* fully erase
> the previous data. Part of the signal used for storing that data will
> remain on the track (because the disk head is never perfectly aligned on
> the track). With some signal processing work, the old data can be retrieved.
> 
> You will need a *lot* of normal writes to make sure nothing remains of
> the old data signal. Granted, even a single write will make it hard to
> get to the old data, but it is possible nevertheless. Hence the standard
> defined SANITIZE with cryptographic erase option to ensure that the old
> data is really dead.

Single overwrite is enough if you are not defending against with NSA
(or someone with way too much time and osciloscope). Two overwrites
should be enough against them, too.

OTOH... discard is performance optimalizaton. Are they sure it is
always used when they need it?

> I think that a similar problem also exist for SSDs, and it is even worse
> there since writing twice to the same logical sector does not even go to
> the same physical sector. The old data is not even overwritten.

Exactly -- overwrite will not help on SSD. But discard _should_
normally work on SSD, so this actually makes stuff worse on SSDs:
you'll write random data to a new place, and then discard will erase
that... making sure original data is intact.

									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

      parent reply	other threads:[~2017-11-15 21:13 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-13 15:37 [PATCH] Support for secure erase functionality Philipp Guendisch
2017-09-14  8:17 ` Johannes Thumshirn
2017-09-22  9:54   ` Máté Horváth
2017-09-14  8:46 ` Damien Le Moal
2017-09-14 12:51   ` Philipp
2017-09-15  2:46     ` Damien Le Moal
2017-11-15 21:12   ` Pavel Machek [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171115211242.GE6183@amd \
    --to=pavel@ucw.cz \
    --cc=axboe@kernel.dk \
    --cc=bart.vanassche@sandisk.com \
    --cc=damien.lemoal@wdc.com \
    --cc=dan.j.williams@intel.com \
    --cc=hare@suse.de \
    --cc=horvatmate@gmail.com \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@i4.cs.fau.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    --cc=ming.lei@redhat.com \
    --cc=osandov@fb.com \
    --cc=philipp.guendisch@fau.de \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).