Comment 1 for bug 1835954

Gabriel Ramirez (gabriel1109) wrote :

## This is in relation to customer case 00234532 ##

The case is for the "release" API call / release device with secure erase, which does not fit our requirements.

We have an issue with the fallback from secure erase to zero fill.
Our expectation is that secure erase is mandatory and, if it cannot be done, the device should be marked as broken
or the release call should fail.

An additional reason is that zero filling an SSD / NVMe drive may not even wipe the data in reality
(the controller may cache the writes and just mark blocks as free to avoid wear and tear).

In addition - I suspect that the current wipe script fails to properly verify whether secure erase was performed:
- Written data is not random
- Write buffers are not flushed
- Data read after the hdparm ioctl secure erase call may be from cache which is not invalidated (bug?) (echo 3 > /proc/sys/vm/drop_caches helped)
- Comparing to all zeros can fail the check for drives that were initially empty.
- Flushing caches before and after hdparm commands helped with sporadic failing of secure wipe.

Feature request - wishlist:
- ability to replace or augment default drive wipe scripts with custom release scripts
(commissioning/testing scripts way is great, want same thing for release api call)

Biased opinion:
- hdparm did not work for any drive named /dev/nvme* so that should be ignored by the current hdparm wiping script
(I am aware that there are M.2 drives which internally use a SATA interface, not sure if they support the ioctl hdparm uses, haven't tested)
- for /dev/nvme*, a separate script is needed, using the nvme-cli tool to perform secure erase.

NVMe snippet:
import subprocess

NVME_LBAF_512b = 0  # LBAF: format 0 - 512 byte sectors (legacy compatibility?)
NVME_LBAF_4k = 1  # LBAF: format 1 - 4k sectors
NVME_FORMAT_FORGET = 0  # SES=0
NVME_FORMAT_USER = 1  # SES=1
NVME_FORMAT_CRYPTO = 2  # SES=2

def wipe(device, ses, lbaf):
    # Run "nvme format" on one namespace; raises CalledProcessError on failure.
    # Arguments are passed as a list so the device name is never parsed by a shell.
    return subprocess.check_output(
        ['nvme', 'format', device, '--ses=%d' % ses, '--lbaf=%d' % lbaf])

# this would wipe just one block device - nvme namespace with Crypto method (replace encryption key)
wipe("/dev/nvme0n1", NVME_FORMAT_CRYPTO, NVME_LBAF_512b)
# and this would wipe the user data on drive
wipe("/dev/nvme0n1", NVME_FORMAT_USER, NVME_LBAF_512b)

NOTE: some older Intel NVMe drives have a physical limit in firmware of a total of 100 user data and/or secure wipe cycles. Only SES=0 is supported an unlimited number of times (but it is less secure).
https://www.intel.com/content/dam/www/public/us/en/documents/technology-briefs/ssd-technical-advisory.pdf
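
An added example, not part of the original comment or of the wipe script it discusses: a verification wrapper covering the checks listed above (random markers instead of an all-zero comparison, flushed writes, reads that bypass cached pages) that fails instead of falling back to zero fill. The names `plant_markers`, `surviving_markers` and `erase_and_verify` are hypothetical, and `erase` is any callable the caller supplies.

```python
import os

BLOCK = 4096  # marker size; assumed to be a multiple of the sector size

def plant_markers(path, offsets):
    """Write a random block at each offset and flush it to the device."""
    markers = {}
    fd = os.open(path, os.O_WRONLY)
    try:
        for off in offsets:
            markers[off] = os.urandom(BLOCK)  # random, so it cannot match an empty drive
            os.pwrite(fd, markers[off], off)
        os.fsync(fd)  # flush write buffers before the erase
    finally:
        os.close(fd)
    return markers

def surviving_markers(path, markers):
    """Return offsets whose marker is still readable, bypassing cached pages."""
    fd = os.open(path, os.O_RDONLY)
    try:
        # Assumption: dropping this file's cached pages is enough here; the
        # comment used "echo 3 > /proc/sys/vm/drop_caches" for the same purpose.
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        return [off for off, data in markers.items()
                if os.pread(fd, BLOCK, off) == data]
    finally:
        os.close(fd)

def erase_and_verify(path, erase, offsets):
    """Plant markers, run erase(path), fail closed if any marker survives."""
    markers = plant_markers(path, offsets)
    if len(surviving_markers(path, markers)) != len(markers):
        raise RuntimeError("markers not readable before erase; cannot verify")
    erase(path)  # e.g. the hdparm or nvme-cli call; any exception propagates
    left = surviving_markers(path, markers)
    if left:
        raise RuntimeError("secure erase not verified, data remains at %s" % left)
    return True  # no fallback to zero fill: success or an exception
```

The marker offsets should be spread across the device; a release handler would treat any exception from `erase_and_verify` as a failed release.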