On Fri, Apr 23, 2010 at 10:45:34PM +0200, Milan Broz wrote: > I asked how TRIM (and SCSI discard) is handled and it seems that most of drives zeroes > trimmed blocks (or the function is internal to drive - so undefined, we must expect the worst case). > > So it is clear that an attacker can recognize which block was trimmed (reading > zeroed blocks instead of "random" data). If there is some internal drive data > related to TRIM available, it can be even worse. it can be even much worse. The most evil case is a specially crafted device manufactured by a mighty agency which will record every single read/write/trim command. A few weeks ago it was on the news here that most copiers have builtin hard discs and make copies of what people are copying.. so who knows what is in our ordinary hard discs today. The second most evil - and very realistic scenario is that any drive can have a log storing trim states/operations. If its an SSD device that log could be *very* huge if we are unlucky. Although I am not an expert on this devices I would think it is the obvious way to do it. All the information about trimmed blocks must be stored somewhere and in order to keep the "wear" low its likely to be log-structured, not a simple bitmask. There is not an official way to retrieve this backlog but there may be device specific undocumented proprietary ways to do it or someone might open the chip. But there sure is no way to guarantee that any information that is ever entrusted to a blackbox device might not resurface again. Richard _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
