Re: [RFC] libata-scsi: introducing SANITIZE translation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



To be honest, that sounds like FUD to me.

The exact reason why this can "safely" be introduced to the SATL is
that, it is a "one-shot" command that would only be triggered by the
user through a user space utility. It's nothing like TRIM that would
be triggered by the filesystem layer or so "from time to time", which
might cost users "unexpected" data loss. It is also nothing like
SECURE ERASE (which vendors had to abuse to provide equivalence of
BLOCK ERASE and CRYPTOGRAPHIC ERASE for SSDs and drives that does
hardware encryption) that requires the drive to be locked before you
can issue an erase command.

Certainly you can expect users to pack an ATA PASS-THROUGH command
themselves and issued it with sg_raw or so, or hdparm to be patched to
support the full feature set (including the "optional"
FREEZE/ANTIFREEZE sub-feature), but I don't see how these would be
reasons that the translation should not be introduced to the kernel,
so that we can make good use of its existing SATL infrastructure and
sg_sanitize.

Whether it is "secure" enough to use the implementation would be the
user's call. To be frank, saying that implementing it in the "SAT-way"
would make it untrustable doesn't make any sense to me, especially
when the way the feature set works is considered.

On 8 July 2016 at 00:47, James Bottomley
<James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, 2016-07-08 at 00:32 +0800, tom.ty89@xxxxxxxxx wrote:
>> From: Tom Yan <tom.ty89@xxxxxxxxx>
>>
>> With this patch, users can make use of the SANITIZE DEVICE feature
>> set through utility like sg_sanitize.
>>
>> Support for BLOCK ERASE, CRYPTOGRAPHIC ERASE and EXIT FAILURE MODE
>> has been implemented. Support for OVERWRITE that involves a
>> parameter list has been left out for now.
>>
>> Further support for command with IMMED bit set to zero, REQUEST
>> SENSE translation for user-space status polling, and support
>> checking in IDENTIFY DEVICE data log (return proper sense data
>> when designated method is not supported) should be implemented
>> in the future as well.
>>
>> `sg_sanitize -e -B|-C|-F /dev/sdX` should work fine with this.
>
> Why on earth would you want to do this?  If your intent is to sanitise
> the disk using a cryptographic erase you presumably have a real
> security need for doing it and, knowing what goes into most SAT layers,
> I'd not really trust any SAT for this operation, so for an underlying
> SATA device I'd use ATA_16 to send a real ACS-2 SANITIZE command.
>
> Just as a general note about our SAT layer: Adding little used features
> is an invitation to bloat it with buggy implementations which makes it
> harder to understand and bug prone for odd and unlikely use cases,
> which then take ages to diagnose and track down.  The only things which
> should be in the SAT is what the Linux SCSI subsystem would actually
> use.  For everything else, if the user cares enough, they'll send down
> an encapsulated ATA command.
>
> James
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Filesystems]     [Linux SCSI]     [Linux RAID]     [Git]     [Kernel Newbies]     [Linux Newbie]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Samba]     [Device Mapper]

  Powered by Linux