Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp897944pxp; Wed, 16 Mar 2022 20:34:01 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx7zopg09/KyJ+M9h/FaAzYpF7ZQGXE7EwG+WhjU3WIDqspAmbgd9YQrPKGO3Y2/6BpVY4m X-Received: by 2002:a62:15c6:0:b0:4f7:4392:40c7 with SMTP id 189-20020a6215c6000000b004f7439240c7mr2969302pfv.5.1647488041592; Wed, 16 Mar 2022 20:34:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647488041; cv=none; d=google.com; s=arc-20160816; b=mh+fb1KFC5nHlAWAv1+ID0mtgBMvpqdDfzppZT7ONjGaM3XbJrhJA1K1dKCUruyDlZ U7pgPWVGpcpbVLTZaQLGAqe0qv+ux2DDOXt3yn8mD5hxZERIKDfUu1f4LtCEoTDhQ4x5 lS+ce575x9oa2A0NmTt9jRAMEywLTcvipn7m9z2TwoeOeObFzw+cnVztbeqsci4JBzfW UA0fCg6ajZRTOxRA6aijTeeaev7ClZ0aFMF4m90VCD1RuqQrsfAzePwV1L9XFLlq6vTU CF9CANep6J4aAoaDz9GkshRgVf5iuzGGDk7VONBWcGeKrBFejU2YSTCdFyowNseMOZ6s nPxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:content-disposition:mime-version :message-id:subject:cc:to:from:date; bh=V+aFPekYFOm4ct36p4QKtlVo6VF87GDgC7p6zqE+MKY=; b=XTIMuTBK2qjgXeQBCMCrs0/0gzwN99WETRqFBUZdShWpdmO9sYYSSnY8oAE0xQt0yV +utQSW+7/UpxR1ehNLo56Hb90MI3eeBq3u4rfC+5ajaXaFP91Prf2zegKGeoSUOwBj4P +EpUFn8OQ+4lARH1qD3mck49B4FHEZTnNHqWZQjU/zGLvz73rwZMHPcjAx4nQ1Lvhghd ltrFtdCyLVkMTHHgJKamxlb3R+pV6drliIQJJqBLTwObj5N/YpYFfhJQoAmuDd3pZjcX zYXmTAsOSNl44xCsEsvjpOMrnYsKpy09/55Qor0td2DNN9xsFUUh+xWGDgS3mRFQ3VOK mQ1A== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id o17-20020a637e51000000b003816043f0b5si928172pgn.682.2022.03.16.20.34.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 16 Mar 2022 20:34:01 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C9841403EF; Wed, 16 Mar 2022 20:29:51 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354928AbiCPJi6 (ORCPT + 99 others); Wed, 16 Mar 2022 05:38:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56480 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237334AbiCPJi5 (ORCPT ); Wed, 16 Mar 2022 05:38:57 -0400 Received: from verein.lst.de (verein.lst.de [213.95.11.211]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3CB0A2E0A4; Wed, 16 Mar 2022 02:37:44 -0700 (PDT) Received: by verein.lst.de (Postfix, from userid 2407) id 7C37D68AFE; Wed, 16 Mar 2022 10:37:40 +0100 (CET) Date: Wed, 16 Mar 2022 10:37:40 +0100 From: Christoph Hellwig To: axboe@kernel.dk Cc: jaegeuk@kernel.org, chao@kernel.org, ulf.hansson@linaro.org, Adrian Hunter , Daeho Jeong , Eric Biggers , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mmc@vger.kernel.org Subject: security issue: data exposure when using block layer secure erase Message-ID: <20220316093740.GA7714@lst.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.17 (2007-11-01) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi all, while staring at the block layer code I found what I think is a major security issue with the use of REQ_OP_SECURE_ERASE. The issue is not about the actual protocol implementation, which only exists for eMMC [1], but about we handle issuing the operation in the block layer. That is done through __blkdev_issue_discard, which takes various parameters into account to align the issue discard request to what the hardware prefers. Which is perfectly fine for discard as an advisory operation, but deadly for an operation that wants to make data inaccessible. The problem has existed ever since secure erase support was added to the kernel with commit 8d57a98ccd0b ("block: add secure discard"), which added secure erase support as a REQ_SECURE flag to the discard operation. The ioctl added there also as the only users for a long time, until f2fs added a second (really strange) user that uses secure erase if offered by the device but otherwise plain old discard: 9af846486d78 ("f2fs: add F2FS_IOC_SEC_TRIM_FILE ioctl") which seems to treat the secure discard as nice to have but actually is fine with data leaks from the use of discard or an incorrect implementation of secure erase. My preference would be to just remove this ill designed feature entirely. The alternative 1 in this thead does just that. Alternative 2 tries to fix it instead, but I haven't bee nable to get any interested party to actually test in more than three eeks, suggesting we're better off removing the code. [1] which is rather dubious as well, as sector based secure erase in flash based media can't really work due to the lack of in-place write support. At best it is the equivalent for a Write Same or Write Zeroes command without deterministic data on the next read.