#19 Request for ATA erase method: Sanitize/Crypto Scramble Ext

open
nobody
None
1
2015-11-05
2014-02-04
No

[Background]

Some recent SED SSDs/HDDs support scrambling the cryptographic key when SECURITY ERASE UNIT (F4h) is invoked (via normal or enhanced, sometimes both). This can be in addition to, or instead of, overwriting/erasing the user data area. However, it's never really clear if this is occurring, as the function is usually a vendor-specific addition to the requirements: some vendors explain that they do this in their specifications, others do not.

[New ATA function called SANITIZE]

There's a newish T13-published function called SANITIZE (B4h), which includes one or more of three possible sub-functions: BLOCK ERASE EXT (0012h), CRYPTO SCRAMBLE EXT (0011h) and OVERWRITE EXT (0014h).

CRYPTO SCRAMBLE EXT explicitly wipes the drive's data key(s) and creates new ones. If you rely on needing to re-key drives for security purposes, this is the function you want to depend on.

IDENTIFY DEVICE has additional flags available to indicate support for SANITIZE and which sub-functions are available.

[Where it exists]

The only software I have run across that actually implements this is the drive erase function in contemporary ThinkPad BIOSes: the newest ones require a boot CD/floppy + BIOS support for safety reasons, older ones can be done directly through the BIOS alone once permanently activated via a utility CD. The most recent version is here: http://support.lenovo.com/en_US/downloads/detail.page?DocID=DS019026

There may be commercial software out there that also supports this new function.

The only hardware I've come across (in my limited experience) that supports this is the Crucial M500 series. I verified using the above Lenovo routine, which showed a complete bit-randomization pattern after the cryptographic scramble was invoked (verified via WinHex). I also notified Micron that their specification sheet indicated that the drive only supported OVERWRITE EXT; they agreed that was an error in their specifications, which they are updating, as it supports CRYPTO SCRAMBLE EXT instead.

-Brendan

PS - I forgot to mention a significant benefit: the routine returns in seconds, not minutes/hours.
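
The IDENTIFY DEVICE check mentioned in the post, as an added C example that is not part of the original ticket or of hdparm's code. The word 59 bit positions follow the ACS-2 layout and are an assumption not stated in the ticket; the struct, the function names and the sample words are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SANITIZE (B4h) FEATURE value for CRYPTO SCRAMBLE EXT, as quoted in the ticket. */
#define CRYPTO_SCRAMBLE_EXT 0x0011
/* IDENTIFY DEVICE word 59 bits: ACS-2 layout, an assumption not stated in the ticket. */
#define W59_SANITIZE        (1u << 12)
#define W59_CRYPTO_SCRAMBLE (1u << 13)
#define W59_OVERWRITE       (1u << 14)
#define W59_BLOCK_ERASE     (1u << 15)

struct sanitize_caps { int feature_set, crypto_scramble, overwrite, block_erase; };

/* IDENTIFY DEVICE data is 256 little-endian 16-bit words (512 bytes). */
static uint16_t id_word(const uint8_t *id, unsigned n) { return (uint16_t)(id[2 * n] | (id[2 * n + 1] << 8)); }

/* Decode the Sanitize capability bits; returns -1 on a missing or short buffer. */
int parse_sanitize_caps(const uint8_t *id, size_t len, struct sanitize_caps *out)
{
    if (!id || !out || len < 512)
        return -1;
    uint16_t w59 = id_word(id, 59);
    out->feature_set = (w59 & W59_SANITIZE) != 0;
    /* Sub-function bits only count when the feature set itself is advertised. */
    out->crypto_scramble = out->feature_set && (w59 & W59_CRYPTO_SCRAMBLE);
    out->overwrite       = out->feature_set && (w59 & W59_OVERWRITE);
    out->block_erase     = out->feature_set && (w59 & W59_BLOCK_ERASE);
    return 0;
}

/* FEATURE value to use for a re-key, or 0: no silent fallback to another method. */
uint16_t rekey_feature(const struct sanitize_caps *c) { return (c && c->crypto_scramble) ? CRYPTO_SCRAMBLE_EXT : 0; }

/* Constructed sample: a zeroed identify block with only word 59 filled in. */
void make_sample_identify(uint8_t buf[512], uint16_t w59)
{
    memset(buf, 0, 512);
    buf[118] = (uint8_t)(w59 & 0xff); buf[119] = (uint8_t)(w59 >> 8);
}

int main(void)
{
    uint8_t id[512]; struct sanitize_caps c;
    make_sample_identify(id, 0x3110); /* constructed word 59: bits 12 and 13 set */
    if (parse_sanitize_caps(id, sizeof id, &c) == 0)
        printf("crypto=%d overwrite=%d block=%d rekey FEATURE=%04Xh\n",
               c.crypto_scramble, c.overwrite, c.block_erase, (unsigned)rekey_feature(&c));
    return 0;
}
```
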

Discussion

  • Mark Lord

    Mark Lord - 2014-02-04

    On 14-02-04 01:13 PM, Brendan Hoar wrote:
    ..

    [New ATA function called SANITIZE]
    ..

    Sounds cool.
    Can I interest you in fame and fortune?
    Or at least the fame part, if you send me a patch or three?

    PS - I forgot to mention a significant benefit: the routine returns in seconds, not minutes/hours.

    Even the regular SECURE ERASE returns in seconds (not minutes/hours) on an SSD.

    Cheers
    -- Mark Lord

     
    Last edit: Mark Lord 2014-02-04
  • Brendan Hoar

    Brendan Hoar - 2014-02-24

    Mark,

    Ok, yeah, good reply. If I get a chance, I'll take a look. What is your recommended build environment? Thanks.

     
  • Mark Lord

    Mark Lord - 2014-02-24

    Just about any Linux system, with the normal build-essential package (or equivalent) installed. hdparm does not use any weird libraries or stuff, so it is mostly self-contained.

    The Source package includes a Makefile, so one just says "make" to build it.

    Also, I do prefer direct email (mlord@pobox.com) rather than having to do this communication through a website that I nearly never check up on.

    Cheers

     
  • Craig

    Craig - 2014-06-03

    Hey guys, was there any progress on this? I'm looking at implementing sanitize and was thinking hdparm might be a good place to work through it since it has framework in place for disk communication.

     
  • Oleg Surfer

    Oleg Surfer - 2015-10-30

    1.5 years have passed, any news on this ticket? We still have no utils for the 3 sanitize methods.

     
  • Mark Lord

    Mark Lord - 2015-11-04

    For this to move forward, somebody has to step up and volunteer to implement it, and send me a working patch.

    Or.. make it really easy (aka. non time-consuming) for me, and send me the T13 ATA documentation for these new commands and identify data, and I may be able to add it rather quickly. Hunting for the documentation seems to take me longer these days, and my time is less available. :)

    Cheers
    Mark Lord

     
