2009-04-16 23:50:58

by Robert Nicholson

Subject: Does the linux kernel contain support for ATA Security feature set?

So, I've got an X-25M that I want to securely erase and it turns out
on a Mac I'm not going to be able to issue the command because it
doesn't support legacy IDE mode from what I understand. So the idea of
any boot CD that I could boot and run a program that can issue a
SECURE_ERASE (SE) to the drive is only applicable to PCs.

So does the Linux kernel support the ATA security set then? Or does
it, like OSX, have protective measures to stop abuse of those features?


2009-04-17 00:49:04

by Matthew Garrett

Subject: Re: Does the linux kernel contain support for ATA Security feature set?

On Thu, Apr 16, 2009 at 06:49:59PM -0500, Robert Nicholson wrote:
> So, I've got an X-25M that I want to securely erase and it turns out
> on a Mac I'm not going to be able to issue the command because it
> doesn't support legacy IDE mode from what I understand. So the idea of
> any boot CD that I could boot and run a program that can issue a
> SECURE_ERASE (SE) to the drive is only applicable to PCs.

Why is the lack of legacy IDE an issue? hdparm works fine with SATA
setups.
--
Matthew Garrett | [email protected]

2009-04-17 00:50:43

by Robert Nicholson

Subject: Re: Does the linux kernel contain support for ATA Security feature set?

So you're implying that it is possible to do a SECURE_ERASE using
hdparm then.

I don't know why, but the HDDERASE tool requires legacy IDE mode.

On Apr 16, 2009, at 7:46 PM, Matthew Garrett wrote:

> On Thu, Apr 16, 2009 at 06:49:59PM -0500, Robert Nicholson wrote:
>> So, I've got an X-25M that I want to securely erase and it turns out
>> on a Mac I'm not going to be able to issue the command because it
>> doesn't support legacy IDE mode from what I understand. So the idea of
>> any boot CD that I could boot and run a program that can issue a
>> SECURE_ERASE (SE) to the drive is only applicable to PCs.
>
> Why is the lack of legacy IDE an issue? hdparm works fine with SATA
> setups.
> --
> Matthew Garrett | [email protected]

2009-04-17 00:55:39

by Matthew Garrett

Subject: Re: Does the linux kernel contain support for ATA Security feature set?

On Thu, Apr 16, 2009 at 07:50:14PM -0500, Robert Nicholson wrote:
> So you're implying that it is possible to do a SECURE_ERASE using
> hdparm then.

The manpage says so. I've never tried.

--
Matthew Garrett | [email protected]

2009-04-17 09:28:45

by Alan

Subject: Re: Does the linux kernel contain support for ATA Security feature set?

> So does the Linux kernel support the ATA security set then? or does

It supports pass-through of ATA commands: see man hdparm.

> it, like OSX have protective measures to stop abuse of those features.

The kernel doesn't but your BIOS or in some distributions early boot
scripts may well issue a security freeze.

Alan

2009-04-17 16:37:39

by Krzysztof Halasa

Subject: Re: Does the linux kernel contain support for ATA Security feature set?

Alan Cox <[email protected]> writes:

>> it, like OSX have protective measures to stop abuse of those features.
>
> The kernel doesn't but your BIOS or in some distributions early boot
> scripts may well issue a security freeze.

A hot-plugged disk should not be affected then.
Not very safe with IDE/PATA, at least in theory.
--
Krzysztof Halasa
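
The two points made above (hdparm passes the security commands through, but the BIOS or early boot may already have issued a security freeze, which a hot-plugged disk escapes) are the checks a practitioner wants automated before touching a drive. The script below is an added example, not code from this thread or from hdparm: it parses the Security: section of "hdparm -I" output, classifies the drive as unsupported, frozen, locked, enabled or ready, and prints the hdparm command sequence only for a ready drive. It assumes the hdparm -I layout in which each security attribute sits on its own line with a leading "not" when the bit is clear; the sample output is constructed, not captured from any real device. The password NULL is hdparm's spelling of an empty password, as used in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread: read the Security: section that
# "hdparm -I" prints for an ATA drive, decide whether a SECURITY ERASE UNIT
# can be issued right now, and print the hdparm command sequence only when
# it can. It assumes the hdparm -I layout in which each security attribute
# is printed on its own line, prefixed with "not" when the bit is clear.

# Constructed sample of a drive that nothing has frozen (not captured from a
# real device). The fields are indented with tabs, as hdparm prints them.
SAMPLE_READY='Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# The same drive after the BIOS or an early-boot script issued
# SECURITY FREEZE LOCK: the "frozen" line loses its "not".
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_READY" \
    | sed 's/^\([[:space:]]*\)not\([[:space:]]\{1,\}\)frozen[[:space:]]*$/\1\2frozen/')

# Succeed when attribute $2 is set in the hdparm -I text $1, i.e. it appears
# on a line of its own inside the Security: section with no leading "not".
attr_set() {
    printf '%s\n' "$1" | sed -n '/^Security:/,/^[^[:space:]]/p' \
        | grep -q "^[[:space:]]*$2[[:space:]]*$"
}

# Print one word for the security state in the hdparm -I text $1:
# unsupported, frozen, locked, enabled or ready. Always exits 0 so a caller
# can capture the word under set -e.
security_state() {
    if ! attr_set "$1" supported; then
        echo unsupported; return 0
    fi
    # Order matters: a frozen drive rejects SET PASSWORD whatever else is set.
    for attr in frozen locked enabled; do
        if attr_set "$1" "$attr"; then
            echo "$attr"; return 0
        fi
    done
    echo ready
}

# Succeed only when SET PASSWORD followed by ERASE UNIT can be issued.
erase_allowed() {
    [ "$(security_state "$1")" = ready ]
}

# Print the hdparm commands for device $1 given its hdparm -I text $2, or
# nothing when the drive is not ready. "NULL" is hdparm's spelling of an
# empty password; the enhanced erase is chosen when the drive advertises it.
erase_commands() {
    dev=$1; ident=$2
    erase_allowed "$ident" || return 0
    enh=
    if attr_set "$ident" 'supported: enhanced erase'; then
        enh=-enhanced
    fi
    printf 'hdparm --user-master u --security-set-pass NULL %s\n' "$dev"
    printf 'hdparm --user-master u --security-erase%s NULL %s\n' "$enh" "$dev"
}

# Usage: sh secure-erase-plan.sh /dev/sdX   (prints the commands, runs none)
case "${1:-}" in
/dev/*)
    ident=$(hdparm -I "$1")
    state=$(security_state "$ident")
    if [ "$state" != ready ]; then
        echo "drive is $state; not issuing an erase" >&2
        exit 1
    fi
    erase_commands "$1" "$ident"
    ;;
esac
```

The script deliberately prints the commands instead of running them, since SECURITY ERASE UNIT destroys the data on the whole device; review the device path, then run the two lines by hand. A drive that reports frozen needs the freeze cleared before --security-set-pass will succeed: the drive has to see a power cycle, which is why a disk hot-plugged after boot, as noted above, has not been frozen by the BIOS. A drive that reports enabled already has a user password, so use that password in the erase command rather than setting a new one.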

2009-04-19 19:32:33

by Robert Nicholson

Subject: Re: Does the linux kernel contain support for ATA Security feature set?

So when I do a hdparm --security-set-pass NULL /dev/sda

I get a

SECURITY_ERASE: Input/output error

This is with a kernel that doesn't have CONFIG_IDE_TASK_IOCTL=y defined

I'm also told that for SATA drives that's not necessary anyway. Is
that correct?

What should the response be for hdparm if CONFIG_IDE_TASK_IOCTL isn't
defined for a drive that needs it?

The drive is an Intel X-25M

HDDERASE won't work since I'm on a Mac.

I don't want to create a customized live CD with a new kernel unless
it's necessary.

On Apr 16, 2009, at 7:50 PM, Robert Nicholson wrote:

> So you're implying that it is possible to do a SECURE_ERASE using
> hdparm then.
>
> I don't know why, but the HDDERASE tool requires legacy IDE mode.
>
> On Apr 16, 2009, at 7:46 PM, Matthew Garrett wrote:
>
>> On Thu, Apr 16, 2009 at 06:49:59PM -0500, Robert Nicholson wrote:
>>> So, I've got an X-25M that I want to securely erase and it turns out
>>> on a Mac I'm not going to be able to issue the command because it
>>> doesn't support legacy IDE mode from what I understand. So the idea of
>>> any boot CD that I could boot and run a program that can issue a
>>> SECURE_ERASE (SE) to the drive is only applicable to PCs.
>>
>> Why is the lack of legacy IDE an issue? hdparm works fine with SATA
>> setups.
>> --
>> Matthew Garrett | [email protected]
>