Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

General Discussion regarding Sata and SAS SSD support #587

Open
fthobe opened this issue Aug 19, 2024 · 9 comments
Open

General Discussion regarding Sata and SAS SSD support #587

fthobe opened this issue Aug 19, 2024 · 9 comments

Comments

@fthobe
Copy link
Contributor

fthobe commented Aug 19, 2024

Issue

The current documentation does not outline the state of features regarding the process of sanitising SSDs (neither SAS / SCSI nor Sata). Information is scattered across multiple issues leaving a lot of unclarity.

Therefor I pose following questions to later on produce a merge request against the current documentation and where necessary and (if desired) evaluate the sponsoring for the closing eventual gaps in functionality by our organisation.

  1. Can SSDs currently be wiped with the same degree of security as rotating disks?
  2. If not, what are the information lacking?
  3. Plenty of manufacturers offer Linux Tools for sanitisation of SSDs, are those currently utilized?
  4. Should manufacturer tools be implemented if the are provided in a Linux version?
  5. If manufacturer tools should not be implemented what is the reasoning behind it?

Background

SSDs have been a dramatically growing segment within the storage technology space posing new challenges to the sanitisation of storage media when reaching end of life events. Particular challenges are caused by the fact that control over data allocation on the disk is left to intransparent controllers and / or firmwares. Some manufacturers do provide sanitisation tools for linux, while others do not.

By 2022 the situation was following:

Manufacturer Marketshare Wipe Tool
Samsung 53.60% Samsung DC Toolkit 2.1
Intel 15.20% Solidigm™ Storage Tool
Western Digital / Sandisk 7.30% N/A (supports SAS / SCSI format unit command)
SK Hynix 8.60% Unconfirmed for Linux
Kioxia 7.10% Unconfirmed for Linux
Micron 5.60% Unconfirmed for Linux
Kingston 0.20% Unconfirmed for Linux
Others 2.40% N/A

The increase of usage of directly PCI attached storage technologies such as NVME and the growing market share of large size SSD s make lack of documentation and control over sanitisation an ever increasing vector of attack for data theft. Many companies rely therefor on physical destruction (eg shredding) to avoid missuse, but plenty are not sufficiently informed about the neccessaty to approach data sanitisation differently on solid state disks.

Notes

This issue has been crossposted to shredOS.

@fthobe
Copy link
Contributor Author

fthobe commented Aug 19, 2024

@PartialVolume do you want me to add anything to the issue?

@PartialVolume
Copy link
Collaborator

PartialVolume commented Aug 19, 2024

The current documentation does not outline the state of features regarding the process of sanitising SSDs (neither SAS / SCSI nor Sata). Information is scattered across multiple issues leaving a lot of unclarity.

Agreed, some clarification is required. Anybody wishing to submit a PR for review to improve the readme.md is always welcome.

For what it's worth, these are my comments to the questions raised: Some might feel I'm being a bit O.T.T but I'll try to justify my reasoning.

  1. Can SSDs currently be wiped with the same degree of security as rotating disks?
  2. If not, what are the information lacking?

Depends how you are doing it, generally I would say yes, there is more risk, especially if you are not doing it in the way I'm going to suggest. For me, the absolute best method is to use the manufacturers tool to perform a secure erase, or if unavailable hdparm or nvme, THEN follow up with SHREDOS/Nwipe with a single PRNG stream with verification, (NOT Zeros/ones or any of the other methods, this has to do with compression, i.e PRNG data is extremely hard if not impossible to compress THEN finish with a secure erase with the manufacturers tool or hdparm/nvme to reset the drive. For me that would probably be the gold standard, however if the drive was just being reused in the same organisation I probably wouldn't use all three methods. For a drive that is leaving the organisation to be sold on I would not use only ShredOS/nwipe at the current version without also using a secondary method such as the manufacturers tool or hdparm/nvme. While a PRNG stream may write over some of the over-provisioned area (used for garbage collection) it cannot be sure this was overwritten. You have to assume that the manufacturers tool or hdparm/nvme wipes these areas. Trouble is you can't verify that. And that's why I prefer a three step wipe, basically covering all your bases.

  1. Plenty of manufacturers offer Linux Tools for sanitisation of SSDs, are those currently utilized?

See answer to 1. & 2. If they are available they should be used in conjunction with a PRNG wipe & verification using ShredOS/nwipe.

  1. Should manufacturer tools be implemented if the are provided in a Linux version?

Yes, however don't assume the manufacturers tools or hdparm/nvme are flawless as they all assume the drive controller firmware is bug free.

  1. If manufacturer tools should not be implemented what is the reasoning behind it?

If manufacturer tools or third party tools hdparm/nvme are not used, i.e. only doing a ShredOS/nwipe traditional block erase then you can't be sure the entire overprovisioned area is wiped. A person with sufficient skills may be able to remove the memory from the drive and with the right equipment read the chips and find the over-provisioned area.

So risk has to be assessed, is the data valuable. For organisations such as the military, I would expect on-site physical destruction of SSD's, no question. For Finance I would also expect physical destruction. Not necessarily on site but maybe.

This is the current state of play with ShredOS/nwipe. Hopefully in the not to distant future ShredOS/nwipe will integrate secure erase into it's code for a more seamless method that includes a method that automatically does a secure erase followed by prng stream verification and a final secure erase. A second method that only does a prng stream plus
verification followed by secure erase may also be an option.

@PartialVolume
Copy link
Collaborator

One further comment, both nvme and hdparm are included in ShredOS and available in most Linux distributions. Manufacturers tools that are for Linux but are proprietary would have to be sourced and might not work in ShredOS and therefore would have to be used with the Linux distribution they were built for.

@mdcato
Copy link

mdcato commented Aug 19, 2024 via email

@fthobe
Copy link
Contributor Author

fthobe commented Aug 21, 2024

Hey guys,
Soooo... @PartialVolume OTT responses are always appreciated on documentation issues 😉
@mdcato I can reach out to manufacturers if that's of interest.

I can work on the docs, to recap what should be done in any case:

  • stern warning regarding the reliability of nwipe / shredOS for ssds
  • pointer towards manufacturer tools

Regarding secure / enhanced sanitization:
there's some low hanging fruit:

  • Samsung sata SSD: looking at the documentation of Samsung their tool is practically an hdparm gui
  • Samsung SAS ssd: I can confirm from the Samsung internal datasheets that the format command is not accepted nor executed in a fully compliant manner, but I need to ask Samsung what that exactly means, sanitize should be supported on all recent disks
  • Sandisk / WD SAS ssd: should be scsi format command compliant according to their documentation
  • nvmecli is obviously a great step forward regarding standards for sanitization

Problematic Cases:

  • Solidigm / Intel: documentation is a mess, tool is not open source, but at least available as Linux command line cli though in two versions supporting different types of media

I have significant contacts at Samsung and Western Digital and could start mapping out how can be wiped with ATA / SCSI standard commands and do some documentation legwork to establish a compatibility matrix standard sanitization commands and we could take it from there. Would that be interesting?

@PartialVolume
Copy link
Collaborator

Would that be interesting?

Yes, go for it. At some point we will be adding secure erase to ShredOS/nwipe but we can always adjust the documentation when that happens.

@fthobe
Copy link
Contributor Author

fthobe commented Aug 21, 2024

Would that be interesting?

Yes, go for it. At some point we will be adding secure erase to ShredOS/nwipe but we can always adjust the documentation when that happens.

Do you have any idea how far that is down the road?

Basically we are talking about the integration of

  • SATA Sanitize
  • SAS Sanitize
  • NVME Sanitize
    Integrated in the nwipe application, correct?

If you want to go a little into detail I can check for sponsors.

@PartialVolume
Copy link
Collaborator

PartialVolume commented Aug 21, 2024

Do you have any idea how far that is down the road?

Unfortunately, I can't provide a schedule for this. Other things in my life are currently taking priority so if I write the code it will be when i can fit the work in.

Basically we are talking about the integration of

SATA Sanitize
SAS Sanitize
NVME Sanitize
Integrated in the nwipe application, correct?

Yes, all will be integrated so you can select secure erase, secure erase enhanced. In addition to the secure erase, verification of a secure erased drive will require some code to first analyse the pattern used by the firmware. Sometimes the drives firmware will leave all zeros but then on other drives you might get a pattern of some sort, like 0x003F etc, so the verification code needs to be able to handle unknown repeating patterns. I've not come across any drives that leave prng data after a secure erase which is a good thing in terms of verification as it would be impossible to verify without knowing the seed the firmware used.

The code also needs to correctly handle frozen drives, i.e sending the system to sleep and waking after 5 seconds, then initiating the secure erase.

Also code needs to be written to provide progress based on the drives estimation. One of things I really don't like is that you can't interrogate the drive for a progress report after a secure erase has started, as far as I'm aware, so we have to estimate the completion time and then see if it's finished yet. This means the progress code will be different to the way the existing progress code works.

And finally the reports need to be updated with the new methods etc.

Sponsers are ok, but I don't have the time to put 8hrs a day, 5 days a week into this. I tend to write large amounts of code when I can find some free days or a free week. Hence why I can't provide a timeline.

Currently, top of my priority list https://github.com/users/PartialVolume/projects/1 is

  1. Produce a optional host based report.
  2. Integrate SATA/NVMe/SAS secure erase.

fthobe added a commit to fthobe/nwipe-587 that referenced this issue Aug 23, 2024
Added information to readme.md regarding the lack of clarity about SSD wiping.
fthobe added a commit to fthobe/nwipe-587 that referenced this issue Aug 23, 2024
@fthobe fthobe changed the title Documentation: Sata and SAS SSD support General Discussion regarding Sata and SAS SSD support Aug 23, 2024
@fthobe
Copy link
Contributor Author

fthobe commented Aug 23, 2024

I walked through the several block command standards for SAS, NVME and SATA.

Yes, all will be integrated so you can select secure erase, secure erase enhanced.

Secure erase seems to be the older of the two commands and it seems like the certification bodies have made significant effort to standartize around sanitize commands (they were from the get go present on nvme and implemented into SAS / Sata in later revisions). Especially older drives to not seem to treat secure erase reliably in the same way.

Also code needs to be written to provide progress based on the drives estimation.

I absolutely believe in the value of progress bars, but I believe the time varies to largely in between drives. Maybe a continuous polling of the drive would be better.

Sponsers are ok, but I don't have the time to put 8hrs a day, 5 days a week into this. I tend to write large amounts of code
when I can find some free days or a free week. Hence why I can't provide a timeline.

Do you feel there is somebody among past contributors that might help you on that?

PartialVolume pushed a commit that referenced this issue Sep 6, 2024
…media (#597)

* #587 Introduction to SSD wipe

Added information to readme.md regarding the lack of clarity about SSD wiping.

* #587

* Added guide for SSD

* Update README.md

Extended the disclaimer regarding SSD Wipe and fixed two typos

* ssd-guide compatibility note update

Added information regarding Samsung SATA SSD compatibility to sanitize command

* Added Solidigm compatibility for sata sanitize

* formatting (no content change)

* Added .DS_Store to gitignore

Added .DS_Store due for development on mac clients.

* Update ssd-guide.md

Added clarity regarding risks of incomplete sanitization of disks due to intransparency of vendor tools.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants