secure-wipe/secure-wipe.sh - mirrors/cros/chromiumos/platform2 - Git at Google

 #!/bin/sh
 # Copyright 2014 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 # This runs from the factory install/reset shim. This MUST be run
 # from USB, in developer mode. This script contains functions to erase
 # securly the disk and verify it has been erased properly.

 # if used inside the test harness, 2 variables are defined:
 # TEST_DELAY: to reduce the amount of time checking for the eMMC to be ready
 #             again,
 # TEST_FIO_OUTPUT: to send the output of fio to a known file. By default,
 #             if the file is generated with $(mktemp fio_output_XXXXXX)

 . /usr/share/misc/chromeos-common.sh

 # Return value for partial success when strict is set.
 STRICT_RETURN_VALUE=100


 # Outputs the NVMe namespace block devices that belong to the given
 # character device.
 # Arguments:
 #  - NVMe character device without preceding /dev/ (ex: nvme0)
 # Outputs NVMe namespaces' block devices (ex: /dev/nvme0n1)
 get_nvme_block_devs() {
   local nvme="$1"
   local block_dev
   for block_dev in /sys/block/${nvme}*; do
     echo "/dev/${block_dev##*/}"
   done
 }

 # Outputs the size of given NVMe character device
 # Arguments:
 #  - NVMe character device (ex: /dev/nvme0)
 get_nvme_char_device_size() {
   local disk="$1"
   local dev_size="$(nvme id-ctrl --output-format=json "${dev}" | jq ".tnvmcap")"
   if [ ${dev_size} -eq 0 ]; then
     # This may not be exact size of the disk because there might be some
     # unused blocks.
     local blk blk_size
     for blk in $(get_nvme_block_devs "${disk##*/}"); do
       blk_size="$(blockdev --getsize64 ${blk})"
       : $(( dev_size += blk_size ))
     done
   fi
   echo "${dev_size}"
 }

 # Get the supported erase mode for ATA disk.
 # Arguments:
 #  - ATA device to query
 # Outputs supported erase mode: "--security-erase" or
 # "--security-erase-enhanced", empty string if not supported or unknown.
 get_ata_supported_erase_mode() {
   local disk="$1"
   local func
   local supported_mode
   for func in "supported" "supported: enhanced erase"; do
     hdparm -I "${disk}" \
       | grep -A10 "^Security" \
       | grep -q "^[[:blank:]]\+${func}$"
     if [ $? -eq 0 ]; then
       if [ "${func}" = "supported" ]; then
         supported_mode="--security-erase"
       else
         supported_mode="--security-erase-enhanced"
       fi
     fi
   done
   echo "${supported_mode}"
 }

 # Check if the ATA device supports block erase sanitize.
 # Arguments:
 #  - device to query
 # Return true if the operation is supported, false if not supported.
 is_sata_sanitize_supported() {
   local dev="$1"
   hdparm -I "${dev}" | grep -q "BLOCK_ERASE_EXT command"
   return $?
 }

 # Check if the most recent sanitize operation was completed successfully
 # Arguments:
 #  - device to query
 # This is blocking until the sanitize has finished. Return true if the most
 # recent sanitize operation was successful, false otherwise.
 is_sata_sanitize_successful() {
   local dev="$1"
   hdparm --sanitize-status "${disk}" \
     | grep -iq "Last Sanitize Operation Completed Without Error"
 }

 # Check if the NVMe device supports block erase sanitize.
 # Arguments:
 #  - device to query (block device or character device)
 # Return true if the operation is supported, false if not supported.
 is_nvme_sanitize_supported() {
   local dev="$1"
   # Check bit #1. If it is set to 1, device supports block erase sanitize.
   local sanicap=$(nvme id-ctrl --output-format=json "${dev}" \
     | jq ".sanicap")
   test $(( sanicap / 2 % 2 )) -eq 1
   return $?
 }

 # Check if the device is currently being sanitized.
 # Arguments:
 #  - device to query
 # Return true if is being sanitized, false otherwise.
 is_nvme_sanitize_in_progress() {
   local dev="$1"
   # Check last 3 bits of the sanitize status value. If it is set to 010, the
   # sanitize operation is in progress.
   local status=$(nvme sanitize-log "${dev}" \
     | grep "(SSTAT)" \
     | grep -oEi "(0x)?[[:xdigit:]]+$")
   test $(( status % 8 )) -eq 2
   return $?
 }

 # Check if the most recent sanitize operation was completed successfully
 # Arguments:
 #  - device to query
 # Return true if the most recent sanitize operation was successful, false
 # otherwise.
 is_nvme_sanitize_successful() {
   local dev="$1"
   # Check last 3 bits of the sanitize status value. If it is set to 001,
   # sanitize operation was successful.
   local status=$(nvme sanitize-log "${dev}" \
     | grep "(SSTAT)" \
     | grep -oEi "(0x)?[[:xdigit:]]+$")
   test $(( status % 8 )) -eq 1
   return $?
 }

 # Output the progress of nvme sanitize command. This value indicates the
 # fraction complete of the sanitize operation. The value is the numerator of
 # the fraction complete that has 65536 as its denominator. This value is set
 # to FFFFh (65536) if there is no sanitize in progress.
 # Arguments:
 #  - device to query
 get_nvme_sanitize_progress() {
   local dev="$1"
   nvme sanitize-log "${dev}" | grep "(SPROG)" | grep -oEi "[[:xdigit:]]+$"
 }

 # Return useful bits of the MMC status
 #
 # Return some status bits that indicates if the device has completed
 # outstanding commands.
 #
 # if 'mmc status get' fails returns 0, which is an invalid status.
 get_mmc_status() {
   local status
   status=$(mmc status get "$1" | sed -nre 's/^SEND_STATUS response: (.*)/\1/p')
   # The state is defined in chapter 6.13 of eMMC rev 5.
   # Ideally, we should check that all the error bits to be set to 0.
   # Now, reading in more details, eMMC device are not garantee to be always
   # valid (see X or R mode) or some bit are reserved.
   # Therefore, we limit only to flags that are always valid:
   # bit 6: EXCEPTION_EVENT: set to 0
   # bit 8: READY_FOR_DATA: set to 1 (0 while sanitizing)
   # bit 9-12: CURRENT_STATE: set to 4 (Tran), set to 7 (Prg while sanitizing)
   printf "0x%08x\n" $((status & 0x00001F40))
 }

 # Erase an MMC device using firmware functions
 #
 # Ask the device to trim all sectors.
 # Then, ask the device to physically erase all trimmed sectors.
 # Arguments:
 #  - block device to erase
 #  - strict: if set to "1", then only returns success if sanitize successfully
 #            physically erases the device when security is supported. If left
 #            empty or set to "0", returns success when sanitize succeeds
 #            whether security is supported or not.
 secure_erase_mmc() {
   local disk="$1"
   local strict="$2"
   local delay=${TEST_DELAY:-5}
   local count
   local secure
   local rc

   # Mark all location as unused -- try secure first.
   for secure in "-s" ""; do
     blkdiscard ${secure} "${disk}"
     rc=$?
     if [ ${rc} -eq 0 ]; then
       break
     fi
   done
   if [ ${rc} -ne 0 ]; then
     echo "security not supported, just doing overwrite"
   fi

   # Physically erase unused locations.
   # 0x00000900 equals to READY_FOR_DATA=1 and CURRENT_STATE=4 (Tran)
   mmc_orig_status=$(get_mmc_status "${disk}")
   if [ "${mmc_orig_status}" != "0x00000900" ]; then
     echo "Not ready for sanitize: status ${mmc_orig_status}."
     return 1
   fi

   mmc sanitize "${disk}" || return $?

   count=120  # wait up to 10 minutes
   mmc_status="0xffffffff"
   while [ "${mmc_status}" != "${mmc_orig_status}" -a ${count} -gt 0 ]; do
     sleep "${delay}"
     mmc_status=$(get_mmc_status "${disk}")
     : $(( count -= 1 ))
   done

   if [ "${mmc_status}" != "${mmc_orig_status}" ]; then
     echo "Device is stuck sanitizing: status ${mmc_status}."
     return 1
   fi

   if [ "${strict}" = "1" ] && [ ${rc} -ne 0 ]; then
     return ${STRICT_RETURN_VALUE}
   else
     return 0
   fi
 }

 # Erase an ATA device using internal firmware function
 #
 # To trigger the ATA SECURE ERASE function, the disk must be
 # in security mode SEC4 (aka locked) or SEC5 (aka secured).
 # Disks are usually in SEC1 (unsecured).
 # First put the disk in SEC5 then Erase it, that put it back in SEC1.
 # Arguments:
 #  - block device to erase
 #  - strict: if set to "1", then only returns success if enhanced security
 #            erase is supported and succeeds. Security-erase does not guarantee
 #            to erase unallocated sectors whereas enhanced security erase does.
 #            If left empty or set to "0", returns success if any of the
 #            security erase succeed.
 secure_erase_sata() {
   local disk="$1"
   local strict="$2"
   local temp_password="chromeos"
   local erase_mode="$(get_ata_supported_erase_mode "${disk}")"
   local partial_success_return_val=0

   if [ "${strict}" = "1" ]; then
     partial_success_return_val=${STRICT_RETURN_VALUE}
   fi

   if is_sata_sanitize_supported "${disk}"; then
     hdparm --yes-i-know-what-i-am-doing --sanitize-block-erase "${disk}"
     is_sata_sanitize_successful "${disk}" && return 0
   fi

   if [ -n "${erase_mode}" ]; then
     hdparm --user-master u --security-set-pass \
             "${temp_password}" "${disk}" || return $?
     hdparm --user-master u "${erase_mode}" \
         "${temp_password}" "${disk}" || return $?
   else
     echo "security not supported, just doing overwrite"
   fi
   return ${partial_success_return_val}
 }

 # Erase an NVMe device.
 #
 # Use nvme sanitize if it is supported. Otherwise try nvme format with crypto
 # mode, if that fails, then try to do with user data mode with a timeout
 # proportional to the size of the device.
 # Arguments:
 #  - character device to erase
 #  - strict: if set to "1", then only returns success if sanitize successfully
 #            physically erases the device. If left empty or set to "0", returns
 #            success if either sanitize or nvme format succeeds.
 secure_erase_nvme() {
   local disk="$1"
   local strict="$2"
   local ses_user="1"  # 0: no secure, 1: user data erase, 2: cryptographic erase
   local ses_crypto="2"
   local base_timeout_in_ms=$(( 60 * 1000 )) # base timeout for 1 minute
   local dev_size="$(get_nvme_char_device_size "${disk}")"
   local bytes_per_ms=$(( 100 * 1024 )) # 100 MB/s
   # Maximum time without any progress during sanitize operation
   local sanitize_timeout_in_sec=$(( 20 * 60 )) # sanitize timeout for 20 minutes
   # Maximum time to finish format operation. Let timeout be proportional to the
   # size of device.
   local format_timeout_in_ms=$(( base_timeout_in_ms + dev_size / bytes_per_ms ))
   local progress current_progress
   # "During a sanitize operation, the host may periodically examine the
   # Sanitize Status log page to check for progress, however, the host
   # should limit this polling (e.g., to at most once every several minutes)
   # to avoid interfering with the progress of the sanitize operation itself."
   # See section 8.15 in
   # https://www.nvmexpress.org/wp-content/uploads/NVM_Express_Revision_1.3.pdf
   # Because of the reason above need to sleep and check the progress during
   # sanitize operation. We use 10 seconds for sleeping because the device we
   # tested this code on executes the command quite fast. The whole full disk
   # wipe process takes a lot of time so we don't want to increase it even more
   # by picking a larger value.
   local sleep_time_in_sec=10

   # Sanitize is preferred over format because it guarantees physical data
   # destruction.
   if is_nvme_sanitize_supported "${disk}"; then
     nvme sanitize "${disk}" --ause --sanact=0x02
     count="${sanitize_timeout_in_sec}"
     while [ ${count} -gt 0 ] && is_nvme_sanitize_in_progress "${disk}"; do
     # See the comment above.
       sleep "${sleep_time_in_sec}"
       current_progress="$(get_nvme_sanitize_progress "${disk}")"
       if [ "${progress}" = "${current_progress}" ]; then
             : $(( count -= sleep_time_in_sec ))
       else
         count="${sanitize_timeout_in_sec}"
       fi
       progress="${current_progress}"
     done
     is_nvme_sanitize_successful "${disk}" && return 0

     # If block erase sanitize operation fails, issue sanitize command with the
     # 'Exit Failure Mode' action to recover from failure.
     nvme sanitize "${disk}" --sanact=0x01
     count="${sanitize_timeout_in_sec}"
     progress=0
     while [ ${count} -gt 0 ] && is_nvme_sanitize_in_progress "${disk}"; do
     # Check if the sanitize command executed before continuing.
     # Also see the comment above.
       sleep "${sleep_time_in_sec}"
       current_progress="$(get_nvme_sanitize_progress "${disk}")"
       if [ "${progress}" = "${current_progress}" ]; then
             : $(( count -= sleep_time_in_sec ))
       else
         count="${sanitize_timeout_in_sec}"
       fi
       progress="${current_progress}"
     done
   fi

   # If strict is set to 1, only sanitize should return success.
   # We want to be able to distinguish between the successes in strict mode
   # in order to inform users if their device is physically erased or not.
   local success_return_value=0
   if [ "${strict}" = "1" ]; then
     success_return_value=${STRICT_RETURN_VALUE}
   fi

   # Format with crypto mode
   nvme format "${disk}" --ses "${ses_crypto}" && return ${success_return_value}

   # Format with userdata mode
   # 0xffffffff means format all namespaces of the given character device.
   nvme format "${disk}" --namespace-id=0xffffffff --ses "${ses_user}" \
     --timeout "${format_timeout_in_ms}"
   local return_val=$?
   test ${return_val} -eq 0 && return ${success_return_value}
   return ${return_val}
 }

 # Erase a device using its internal firmware function.
 #
 # Arguments:
 #  - device to erase ("/dev/sda", "/dev/mmcblk0", "/dev/nvme0").
 #  - strict: if set to 1 then only returns success if the physical data
 #            destruction is guaranteed by the command set that is used. If unset
 #            or set to "0", returns success if either physical data destruction
 #            is guaranteed or not.
 # Returns:
 #  0 if the erase is either not supported or completed.
 #  !0 if the erase process could not complete or failed.
 secure_erase() {
   local disk="$1"
   local strict="$2"
   local disk_type=$(get_device_type "${disk}")
   # Identify if MMC or SATA.
   case "$disk_type" in
     MMC)
       secure_erase_mmc "${disk}" "${strict}"
     ;;
     ATA)
       secure_erase_sata "${disk}" "${strict}"
     ;;
     NVME)
       secure_erase_nvme "${disk}" "${strict}"
     ;;
     *)
       echo "Unable to identify the type of disk: -${disk_type}-"
       return 1
   esac
 }

 # Use fio to write/verify a pattern.
 #
 # The first and last 1M of the disk are zeroed, the rest is written
 # with a random patter fio can verify latter.
 #
 # Argument
 #  - disk: the device to erase
 #  - disk_size: the size of the device
 #  - disk_op: "write" to write over the SSD, "verify" to check the SSD
 #             has been overwritten properly, "verify_disk_wipe" to check
 #             the SSD has been zeroed.
 # Returns:
 #  fio error code if fio could run, 1 otherwise.
 perform_fio_op() {
   # Globals, used by factory_secure.fio
   local disk="$1"
   local disk_size="$2"
   local disk_op="$3"

   local dev_main_area_end=$(( ${disk_size} - 1048576 ))
   local block_size=1048576
   local fio_err=0
   local fio_output="${TEST_FIO_OUTPUT}"
   local fio_regex='/^(secure|fio)/s/.* err= *([[:digit:]]+).*/\1/p'
   local input

   export FIO_DEV="${disk}"
   export FIO_DEV_MAIN_AREA_SIZE=$(( ${disk_size} - 2097152 ))
   export OFFSET="1m"
   export VERIFY="md5"

   if [ -z "${fio_output}" ]; then
     fio_output="$(mktemp -t fio_output_XXXXXX)"
   fi
   case "$disk_op" in
     write)
       export FIO_VERIFY_ONLY=0
       # Erase the begining an the end of the drive. Write random first
       # to ensure the data is scrambled.
       for input in "urandom" "zero"; do
         dd bs="${block_size}" of="${disk}" oflag=dsync iflag=fullblock \
             if=/dev/${input} count=1
         dd bs="${block_size}" of="${disk}" oflag=dsync iflag=fullblock \
             if=/dev/${input} seek=$(( dev_main_area_end / ${block_size} ))
       done
       ;;
     verify)
       export FIO_VERIFY_ONLY=1
       ;;
     verify_disk_wipe)
       export FIO_VERIFY_ONLY=1
       export VERIFY="pattern"
       export FIO_DEV_MAIN_AREA_SIZE=${disk_size}
       export OFFSET="0"
       ;;
     *)
       echo "Unsupported operation: -${disk_op}-"
       return 1
   esac

   local fio_script="$(mktemp -t fio_config_XXXXXX)"
   cat >"${fio_script}" <<HERE
 [secure]
 filename=\${FIO_DEV}
 ioengine=libaio
 iodepth=32
 direct=1
 readwrite=write
 bs=256k

 offset=\${OFFSET}
 size=\${FIO_DEV_MAIN_AREA_SIZE}
 do_verify=1
 verify=\${VERIFY}
 verify_pattern=0x0
 verify_only=\${FIO_VERIFY_ONLY}
 HERE
   # Write a pattern on the media for future verification.
   # fio configuration file use DEV, DEV_MAIN_AREA_SIZE and VERIFY_ONLY.
   fio "${fio_script}" --output "${fio_output}" --aux-path="${TMPDIR:-/tmp}"
   rm -f "${fio_script}"
   fio_err=$(sed -nr "${fio_regex}" "${fio_output}")
   if [ -z "${fio_err}" ]; then
     echo "-- output of fio not understood --"
     cat "${fio_output}"
     fio_err=1
   elif [ ${fio_err} -ne 0 ]; then
     cat "${fio_output}"
     if [ $FIO_VERIFY_ONLY -eq 0 ]; then
       echo "-- writing pattern failed --"
       echo "The storage device is not working properly."
     else
       # Check if we fail to read the device, or the pattern is wrong.
       echo "-- verifying pattern failed --"
       if [ ${fio_err} -eq 84 ]; then
         echo -n "The storage device has either been tampered with or "
         echo "not securely erased properly."
       else
         echo "Storage device broken: unable to read some sector from it."
       fi
     fi
   else
     rm "${fio_output}"
   fi
   return ${fio_err}
 }
	#!/bin/sh
	# Copyright 2014 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	# This runs from the factory install/reset shim. This MUST be run
	# from USB, in developer mode. This script contains functions to erase
	# securly the disk and verify it has been erased properly.

	# if used inside the test harness, 2 variables are defined:
	# TEST_DELAY: to reduce the amount of time checking for the eMMC to be ready
	# again,
	# TEST_FIO_OUTPUT: to send the output of fio to a known file. By default,
	# if the file is generated with $(mktemp fio_output_XXXXXX)

	. /usr/share/misc/chromeos-common.sh

	# Return value for partial success when strict is set.
	STRICT_RETURN_VALUE=100


	# Outputs the NVMe namespace block devices that belong to the given
	# character device.
	# Arguments:
	# - NVMe character device without preceding /dev/ (ex: nvme0)
	# Outputs NVMe namespaces' block devices (ex: /dev/nvme0n1)
	get_nvme_block_devs() {
	local nvme="$1"
	local block_dev
	for block_dev in /sys/block/${nvme}*; do
	echo "/dev/${block_dev##*/}"
	done
	}

	# Outputs the size of given NVMe character device
	# Arguments:
	# - NVMe character device (ex: /dev/nvme0)
	get_nvme_char_device_size() {
	local disk="$1"
	local dev_size="$(nvme id-ctrl --output-format=json "${dev}" \| jq ".tnvmcap")"
	if [ ${dev_size} -eq 0 ]; then
	# This may not be exact size of the disk because there might be some
	# unused blocks.
	local blk blk_size
	for blk in $(get_nvme_block_devs "${disk##*/}"); do
	blk_size="$(blockdev --getsize64 ${blk})"
	: $(( dev_size += blk_size ))
	done
	fi
	echo "${dev_size}"
	}

	# Get the supported erase mode for ATA disk.
	# Arguments:
	# - ATA device to query
	# Outputs supported erase mode: "--security-erase" or
	# "--security-erase-enhanced", empty string if not supported or unknown.
	get_ata_supported_erase_mode() {
	local disk="$1"
	local func
	local supported_mode
	for func in "supported" "supported: enhanced erase"; do
	hdparm -I "${disk}" \
	\| grep -A10 "^Security" \
	\| grep -q "^[[:blank:]]\+${func}$"
	if [ $? -eq 0 ]; then
	if [ "${func}" = "supported" ]; then
	supported_mode="--security-erase"
	else
	supported_mode="--security-erase-enhanced"
	fi
	fi
	done
	echo "${supported_mode}"
	}

	# Check if the ATA device supports block erase sanitize.
	# Arguments:
	# - device to query
	# Return true if the operation is supported, false if not supported.
	is_sata_sanitize_supported() {
	local dev="$1"
	hdparm -I "${dev}" \| grep -q "BLOCK_ERASE_EXT command"
	return $?
	}

	# Check if the most recent sanitize operation was completed successfully
	# Arguments:
	# - device to query
	# This is blocking until the sanitize has finished. Return true if the most
	# recent sanitize operation was successful, false otherwise.
	is_sata_sanitize_successful() {
	local dev="$1"
	hdparm --sanitize-status "${disk}" \
	\| grep -iq "Last Sanitize Operation Completed Without Error"
	}

	# Check if the NVMe device supports block erase sanitize.
	# Arguments:
	# - device to query (block device or character device)
	# Return true if the operation is supported, false if not supported.
	is_nvme_sanitize_supported() {
	local dev="$1"
	# Check bit #1. If it is set to 1, device supports block erase sanitize.
	local sanicap=$(nvme id-ctrl --output-format=json "${dev}" \
	\| jq ".sanicap")
	test $(( sanicap / 2 % 2 )) -eq 1
	return $?
	}

	# Check if the device is currently being sanitized.
	# Arguments:
	# - device to query
	# Return true if is being sanitized, false otherwise.
	is_nvme_sanitize_in_progress() {
	local dev="$1"
	# Check last 3 bits of the sanitize status value. If it is set to 010, the
	# sanitize operation is in progress.
	local status=$(nvme sanitize-log "${dev}" \
	\| grep "(SSTAT)" \
	\| grep -oEi "(0x)?[[:xdigit:]]+$")
	test $(( status % 8 )) -eq 2
	return $?
	}

	# Check if the most recent sanitize operation was completed successfully
	# Arguments:
	# - device to query
	# Return true if the most recent sanitize operation was successful, false
	# otherwise.
	is_nvme_sanitize_successful() {
	local dev="$1"
	# Check last 3 bits of the sanitize status value. If it is set to 001,
	# sanitize operation was successful.
	local status=$(nvme sanitize-log "${dev}" \
	\| grep "(SSTAT)" \
	\| grep -oEi "(0x)?[[:xdigit:]]+$")
	test $(( status % 8 )) -eq 1
	return $?
	}

	# Output the progress of nvme sanitize command. This value indicates the
	# fraction complete of the sanitize operation. The value is the numerator of
	# the fraction complete that has 65536 as its denominator. This value is set
	# to FFFFh (65536) if there is no sanitize in progress.
	# Arguments:
	# - device to query
	get_nvme_sanitize_progress() {
	local dev="$1"
	nvme sanitize-log "${dev}" \| grep "(SPROG)" \| grep -oEi "[[:xdigit:]]+$"
	}

	# Return useful bits of the MMC status
	#
	# Return some status bits that indicates if the device has completed
	# outstanding commands.
	#
	# if 'mmc status get' fails returns 0, which is an invalid status.
	get_mmc_status() {
	local status
	status=$(mmc status get "$1" \| sed -nre 's/^SEND_STATUS response: (.*)/\1/p')
	# The state is defined in chapter 6.13 of eMMC rev 5.
	# Ideally, we should check that all the error bits to be set to 0.
	# Now, reading in more details, eMMC device are not garantee to be always
	# valid (see X or R mode) or some bit are reserved.
	# Therefore, we limit only to flags that are always valid:
	# bit 6: EXCEPTION_EVENT: set to 0
	# bit 8: READY_FOR_DATA: set to 1 (0 while sanitizing)
	# bit 9-12: CURRENT_STATE: set to 4 (Tran), set to 7 (Prg while sanitizing)
	printf "0x%08x\n" $((status & 0x00001F40))
	}

	# Erase an MMC device using firmware functions
	#
	# Ask the device to trim all sectors.
	# Then, ask the device to physically erase all trimmed sectors.
	# Arguments:
	# - block device to erase
	# - strict: if set to "1", then only returns success if sanitize successfully
	# physically erases the device when security is supported. If left
	# empty or set to "0", returns success when sanitize succeeds
	# whether security is supported or not.
	secure_erase_mmc() {
	local disk="$1"
	local strict="$2"
	local delay=${TEST_DELAY:-5}
	local count
	local secure
	local rc

	# Mark all location as unused -- try secure first.
	for secure in "-s" ""; do
	blkdiscard ${secure} "${disk}"
	rc=$?
	if [ ${rc} -eq 0 ]; then
	break
	fi
	done
	if [ ${rc} -ne 0 ]; then
	echo "security not supported, just doing overwrite"
	fi

	# Physically erase unused locations.
	# 0x00000900 equals to READY_FOR_DATA=1 and CURRENT_STATE=4 (Tran)
	mmc_orig_status=$(get_mmc_status "${disk}")
	if [ "${mmc_orig_status}" != "0x00000900" ]; then
	echo "Not ready for sanitize: status ${mmc_orig_status}."
	return 1
	fi

	mmc sanitize "${disk}" \|\| return $?

	count=120 # wait up to 10 minutes
	mmc_status="0xffffffff"
	while [ "${mmc_status}" != "${mmc_orig_status}" -a ${count} -gt 0 ]; do
	sleep "${delay}"
	mmc_status=$(get_mmc_status "${disk}")
	: $(( count -= 1 ))
	done

	if [ "${mmc_status}" != "${mmc_orig_status}" ]; then
	echo "Device is stuck sanitizing: status ${mmc_status}."
	return 1
	fi

	if [ "${strict}" = "1" ] && [ ${rc} -ne 0 ]; then
	return ${STRICT_RETURN_VALUE}
	else
	return 0
	fi
	}

	# Erase an ATA device using internal firmware function
	#
	# To trigger the ATA SECURE ERASE function, the disk must be
	# in security mode SEC4 (aka locked) or SEC5 (aka secured).
	# Disks are usually in SEC1 (unsecured).
	# First put the disk in SEC5 then Erase it, that put it back in SEC1.
	# Arguments:
	# - block device to erase
	# - strict: if set to "1", then only returns success if enhanced security
	# erase is supported and succeeds. Security-erase does not guarantee
	# to erase unallocated sectors whereas enhanced security erase does.
	# If left empty or set to "0", returns success if any of the
	# security erase succeed.
	secure_erase_sata() {
	local disk="$1"
	local strict="$2"
	local temp_password="chromeos"
	local erase_mode="$(get_ata_supported_erase_mode "${disk}")"
	local partial_success_return_val=0

	if [ "${strict}" = "1" ]; then
	partial_success_return_val=${STRICT_RETURN_VALUE}
	fi

	if is_sata_sanitize_supported "${disk}"; then
	hdparm --yes-i-know-what-i-am-doing --sanitize-block-erase "${disk}"
	is_sata_sanitize_successful "${disk}" && return 0
	fi

	if [ -n "${erase_mode}" ]; then
	hdparm --user-master u --security-set-pass \
	"${temp_password}" "${disk}" \|\| return $?
	hdparm --user-master u "${erase_mode}" \
	"${temp_password}" "${disk}" \|\| return $?
	else
	echo "security not supported, just doing overwrite"
	fi
	return ${partial_success_return_val}
	}

	# Erase an NVMe device.
	#
	# Use nvme sanitize if it is supported. Otherwise try nvme format with crypto
	# mode, if that fails, then try to do with user data mode with a timeout
	# proportional to the size of the device.
	# Arguments:
	# - character device to erase
	# - strict: if set to "1", then only returns success if sanitize successfully
	# physically erases the device. If left empty or set to "0", returns
	# success if either sanitize or nvme format succeeds.
	secure_erase_nvme() {
	local disk="$1"
	local strict="$2"
	local ses_user="1" # 0: no secure, 1: user data erase, 2: cryptographic erase
	local ses_crypto="2"
	local base_timeout_in_ms=$(( 60 * 1000 )) # base timeout for 1 minute
	local dev_size="$(get_nvme_char_device_size "${disk}")"
	local bytes_per_ms=$(( 100 * 1024 )) # 100 MB/s
	# Maximum time without any progress during sanitize operation
	local sanitize_timeout_in_sec=$(( 20 * 60 )) # sanitize timeout for 20 minutes
	# Maximum time to finish format operation. Let timeout be proportional to the
	# size of device.
	local format_timeout_in_ms=$(( base_timeout_in_ms + dev_size / bytes_per_ms ))
	local progress current_progress
	# "During a sanitize operation, the host may periodically examine the
	# Sanitize Status log page to check for progress, however, the host
	# should limit this polling (e.g., to at most once every several minutes)
	# to avoid interfering with the progress of the sanitize operation itself."
	# See section 8.15 in
	# https://www.nvmexpress.org/wp-content/uploads/NVM_Express_Revision_1.3.pdf
	# Because of the reason above need to sleep and check the progress during
	# sanitize operation. We use 10 seconds for sleeping because the device we
	# tested this code on executes the command quite fast. The whole full disk
	# wipe process takes a lot of time so we don't want to increase it even more
	# by picking a larger value.
	local sleep_time_in_sec=10

	# Sanitize is preferred over format because it guarantees physical data
	# destruction.
	if is_nvme_sanitize_supported "${disk}"; then
	nvme sanitize "${disk}" --ause --sanact=0x02
	count="${sanitize_timeout_in_sec}"
	while [ ${count} -gt 0 ] && is_nvme_sanitize_in_progress "${disk}"; do
	# See the comment above.
	sleep "${sleep_time_in_sec}"
	current_progress="$(get_nvme_sanitize_progress "${disk}")"
	if [ "${progress}" = "${current_progress}" ]; then
	: $(( count -= sleep_time_in_sec ))
	else
	count="${sanitize_timeout_in_sec}"
	fi
	progress="${current_progress}"
	done
	is_nvme_sanitize_successful "${disk}" && return 0

	# If block erase sanitize operation fails, issue sanitize command with the
	# 'Exit Failure Mode' action to recover from failure.
	nvme sanitize "${disk}" --sanact=0x01
	count="${sanitize_timeout_in_sec}"
	progress=0
	while [ ${count} -gt 0 ] && is_nvme_sanitize_in_progress "${disk}"; do
	# Check if the sanitize command executed before continuing.
	# Also see the comment above.
	sleep "${sleep_time_in_sec}"
	current_progress="$(get_nvme_sanitize_progress "${disk}")"
	if [ "${progress}" = "${current_progress}" ]; then
	: $(( count -= sleep_time_in_sec ))
	else
	count="${sanitize_timeout_in_sec}"
	fi
	progress="${current_progress}"
	done
	fi

	# If strict is set to 1, only sanitize should return success.
	# We want to be able to distinguish between the successes in strict mode
	# in order to inform users if their device is physically erased or not.
	local success_return_value=0
	if [ "${strict}" = "1" ]; then
	success_return_value=${STRICT_RETURN_VALUE}
	fi

	# Format with crypto mode
	nvme format "${disk}" --ses "${ses_crypto}" && return ${success_return_value}

	# Format with userdata mode
	# 0xffffffff means format all namespaces of the given character device.
	nvme format "${disk}" --namespace-id=0xffffffff --ses "${ses_user}" \
	--timeout "${format_timeout_in_ms}"
	local return_val=$?
	test ${return_val} -eq 0 && return ${success_return_value}
	return ${return_val}
	}

	# Erase a device using its internal firmware function.
	#
	# Arguments:
	# - device to erase ("/dev/sda", "/dev/mmcblk0", "/dev/nvme0").
	# - strict: if set to 1 then only returns success if the physical data
	# destruction is guaranteed by the command set that is used. If unset
	# or set to "0", returns success if either physical data destruction
	# is guaranteed or not.
	# Returns:
	# 0 if the erase is either not supported or completed.
	# !0 if the erase process could not complete or failed.
	secure_erase() {
	local disk="$1"
	local strict="$2"
	local disk_type=$(get_device_type "${disk}")
	# Identify if MMC or SATA.
	case "$disk_type" in
	MMC)
	secure_erase_mmc "${disk}" "${strict}"
	;;
	ATA)
	secure_erase_sata "${disk}" "${strict}"
	;;
	NVME)
	secure_erase_nvme "${disk}" "${strict}"
	;;
	*)
	echo "Unable to identify the type of disk: -${disk_type}-"
	return 1
	esac
	}

	# Use fio to write/verify a pattern.
	#
	# The first and last 1M of the disk are zeroed, the rest is written
	# with a random patter fio can verify latter.
	#
	# Argument
	# - disk: the device to erase
	# - disk_size: the size of the device
	# - disk_op: "write" to write over the SSD, "verify" to check the SSD
	# has been overwritten properly, "verify_disk_wipe" to check
	# the SSD has been zeroed.
	# Returns:
	# fio error code if fio could run, 1 otherwise.
	perform_fio_op() {
	# Globals, used by factory_secure.fio
	local disk="$1"
	local disk_size="$2"
	local disk_op="$3"

	local dev_main_area_end=$(( ${disk_size} - 1048576 ))
	local block_size=1048576
	local fio_err=0
	local fio_output="${TEST_FIO_OUTPUT}"
	local fio_regex='/^(secure\|fio)/s/.* err= ([[:digit:]]+)./\1/p'
	local input

	export FIO_DEV="${disk}"
	export FIO_DEV_MAIN_AREA_SIZE=$(( ${disk_size} - 2097152 ))
	export OFFSET="1m"
	export VERIFY="md5"

	if [ -z "${fio_output}" ]; then
	fio_output="$(mktemp -t fio_output_XXXXXX)"
	fi
	case "$disk_op" in
	write)
	export FIO_VERIFY_ONLY=0
	# Erase the begining an the end of the drive. Write random first
	# to ensure the data is scrambled.
	for input in "urandom" "zero"; do
	dd bs="${block_size}" of="${disk}" oflag=dsync iflag=fullblock \
	if=/dev/${input} count=1
	dd bs="${block_size}" of="${disk}" oflag=dsync iflag=fullblock \
	if=/dev/${input} seek=$(( dev_main_area_end / ${block_size} ))
	done
	;;
	verify)
	export FIO_VERIFY_ONLY=1
	;;
	verify_disk_wipe)
	export FIO_VERIFY_ONLY=1
	export VERIFY="pattern"
	export FIO_DEV_MAIN_AREA_SIZE=${disk_size}
	export OFFSET="0"
	;;
	*)
	echo "Unsupported operation: -${disk_op}-"
	return 1
	esac

	local fio_script="$(mktemp -t fio_config_XXXXXX)"
	cat >"${fio_script}" <<HERE
	[secure]
	filename=\${FIO_DEV}
	ioengine=libaio
	iodepth=32
	direct=1
	readwrite=write
	bs=256k

	offset=\${OFFSET}
	size=\${FIO_DEV_MAIN_AREA_SIZE}
	do_verify=1
	verify=\${VERIFY}
	verify_pattern=0x0
	verify_only=\${FIO_VERIFY_ONLY}
	HERE
	# Write a pattern on the media for future verification.
	# fio configuration file use DEV, DEV_MAIN_AREA_SIZE and VERIFY_ONLY.
	fio "${fio_script}" --output "${fio_output}" --aux-path="${TMPDIR:-/tmp}"
	rm -f "${fio_script}"
	fio_err=$(sed -nr "${fio_regex}" "${fio_output}")
	if [ -z "${fio_err}" ]; then
	echo "-- output of fio not understood --"
	cat "${fio_output}"
	fio_err=1
	elif [ ${fio_err} -ne 0 ]; then
	cat "${fio_output}"
	if [ $FIO_VERIFY_ONLY -eq 0 ]; then
	echo "-- writing pattern failed --"
	echo "The storage device is not working properly."
	else
	# Check if we fail to read the device, or the pattern is wrong.
	echo "-- verifying pattern failed --"
	if [ ${fio_err} -eq 84 ]; then
	echo -n "The storage device has either been tampered with or "
	echo "not securely erased properly."
	else
	echo "Storage device broken: unable to read some sector from it."
	fi
	fi
	else
	rm "${fio_output}"
	fi
	return ${fio_err}
	}