LinuxQuestions.org


Nagesh_accord 04-10-2024 12:38 AM

how to secure erase Jetson device
 
Hi,

I need to erase the internal 64 GB eMMC and the external NVM memory in my Jetson AGX Xavier hardware, which is flashed with the Linux for Tegra flavour of Ubuntu 20.04 Focal.

There are no steps for secure erase on the vendor NVIDIA website.
They have a documentation link for security features, as shown below:


https://docs.nvidia.com/jetson/archi.../Security.html

I want to know if there are any particular steps to completely secure erase my eMMC and NVM memory.

Thanks.

pan64 04-10-2024 12:53 AM

If I understand well, this is encrypted: https://docs.nvidia.com/jetson/archi...ncryption.html
In that case you only need to remove/destroy/forget the encryption key and nobody will be able to find anything on it any more.

Nagesh_accord 04-10-2024 04:08 AM

Thanks a lot for your response.

Quote:

Originally Posted by pan64 (Post 6495102)
if I understand well this is encrypted: https://docs.nvidia.com/jetson/archi...ncryption.html

It is not encrypted yet, but they have the option for disk encryption as per that link. We haven't tried it.

Quote:

Originally Posted by pan64 (Post 6495102)
In that case you only need to remove/destroy/forget the encryption key and nobody will be able to find anything on it any more.


You mean we can use the disk encryption method as a substitute/alternative method for secure erase?

I am not sure if we would be able to convince our customer to agree to disk encryption instead of secure erase.

Not sure whether, after disk encryption, it will ask for the password each time you try to mount/copy the contents from the disk. We need to check on this.

pan64 04-10-2024 04:20 AM

Disk encryption will make the disk useless without the key; there is no need to wipe it (if encrypted).
The disk can be unlocked at boot (or mount); there is no need to type the password every time you use it. But obviously it can be different if it is an external disk (for example).
It depends on how you configure it.
Anyway, you only need to overwrite the whole disk with random numbers (or just with anything, like zero) to erase the content completely.

TB0ne 04-10-2024 07:23 AM

Quote:

Originally Posted by Nagesh_accord (Post 6495116)
Thanks a lot for your response. It is not encrypted yet, but they have the option for disk encryption as per that link. We haven't tried it.

So it's not encrypted; what then have you actually TRIED to achieve your goals??? Have you done anything??? The nVidia site has ample documentation on how to re-flash/format the device...did you try putting "how to format nvidia jetson" into a search engine???
Quote:

You mean we can use the disk encryption method as a substitute/alternative method for secure erase? I am not sure if we would be able to convince our customer to agree to disk encryption instead of secure erase. Not sure whether, after disk encryption, it will ask for the password each time you try to mount/copy the contents from the disk. We need to check on this.
In order to find out more, you'll actually have to DO something. Related to this thread?
https://www.linuxquestions.org/quest...em-4175735565/

Again: you need to have taken some action, done something, or have some actionable information to work with. Posting things full of speculation without any effort is pointless...until you try something, have some hard information, or know details, there's zero anyone can tell you.

Nagesh_accord 04-10-2024 11:50 PM

Quote:

Originally Posted by pan64 (Post 6495119)
Disk encryption will make the disk useless without the key; there is no need to wipe it (if encrypted).
The disk can be unlocked at boot (or mount); there is no need to type the password every time you use it.

It depends on how you configure it.

Anyway, you only need to overwrite the whole disk with random numbers (or just with anything, like zero) to erase the content completely.

ok. understood.

Quote:

Originally Posted by pan64 (Post 6495119)

But obviously it can be different if it is an external disk (for example).

Now we have come to know from our hardware team that our external NVM SSD drive supports an inbuilt secure erase feature (the internal eMMC memory does not, as it is an NVIDIA Jetson product; they have only Jetson security features like secure boot, disk encryption, etc.). We only need to execute their opcode (80h - Format NVM) as per the NVM drive vendor's data sheet to erase the NVM drive securely.

I have some queries regarding the same:

1) Suppose this secure erase is triggered with a button connected via a GPIO pin state change; how can we handle this from user space?
I have the sample shell script below to check the state of the GPIO pin:

Quote:

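#!/bin/bash
# Poll the GPIO value file and log every state change.
gpio_value=$(cat /sys/class/gpio/PBB.02/value)
while true; do
    value=$(cat /sys/class/gpio/PBB.02/value)
    if [[ "$gpio_value" != "$value" ]]; then
        gpio_value=$value
        echo "$(date +'%T.%N') value changed to $gpio_value"
    fi
    sleep 0.1   # pause between reads instead of spinning at 100% CPU
done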

2) Any idea how to call the NVM drive tool provided by the vendor from inside this shell script, so that we can execute the opcode (80h) from that NVM drive tool/terminal to initiate secure erase?
Any thoughts on this?

Note: I would be running this script indefinitely in the background on each boot by calling it from the /etc/rc.local file.

Thanks in advance.

Nagesh_accord 04-11-2024 12:20 AM

Quote:

Originally Posted by TB0ne (Post 6495148)
So it's not encrypted; what then have you actually TRIED to achieve your goals??? Have you done anything???

Our earlier requirement was just a normal flash, so I have done a normal flash as per the documentation provided by NVIDIA. Now this new requirement of secure erase has crept in from the customer, so I am trying to figure out if Jetson security supports this inbuilt secure erase feature on their internal memories like eMMC (in my case, the Jetson AGX Xavier Industrial module).
I have been discussing this in parallel with NVIDIA experts and moderators in their developer forums to gather more information.

Quote:

Originally Posted by TB0ne (Post 6495148)
The nVidia site has ample documentation on how to re-flash/format the device...did you try putting "how to format nvidia jetson" into a search engine???

I have been working on this project for 6 months now, referring to the NVIDIA documentation. They have a flashing option, but there are no straightforward erase or data recovery tool options. I have also tried searching through Google and have gathered information about the same.

Quote:

Originally Posted by TB0ne (Post 6495148)
In order to find out more, you'll actually have to DO something. Related to this thread?
https://www.linuxquestions.org/quest...em-4175735565/

Sorry. Don't get confused. That thread is a completely new project based on data recording with NAS support, which I am a bit new to.
This thread is for an NVIDIA-based Jetson device project.

Quote:

Originally Posted by TB0ne (Post 6495148)
Again: you need to have taken some action, done something, or have some actionable information to work with. Posting things full of speculation without any effort is pointless...until you try something, have some hard information, or know details, there's zero anyone can tell you.

Sure. In the coming days, I will try to post more hands-on technical information like scripts/code and ask root-level doubts rather than high-level ones which don't have much clarity.

Thanks for all the support.

TB0ne 04-11-2024 08:22 AM

Quote:

Originally Posted by Nagesh_accord (Post 6495257)
Our earlier requirement was just a normal flash, so I have done a normal flash as per the documentation provided by NVIDIA. Now this new requirement of secure erase has crept in from the customer, so I am trying to figure out if Jetson security supports this inbuilt secure erase feature on their internal memories like eMMC (in my case, the Jetson AGX Xavier Industrial module). I have been discussing this in parallel with NVIDIA experts and moderators in their developer forums to gather more information.

Since this is an nVidia device under support, dealing with them will get you the answers. And since your 'customer' is paying you to do this, why are you asking us to do your job for you???
Quote:

I have been working on this project for 6 months now, referring to the NVIDIA documentation. They have a flashing option, but there are no straightforward erase or data recovery tool options. I have also tried searching through Google and have gathered information about the same.
If it's taken you six months to contact nVidia about a supported device, there isn't much we can do to help you at all.
Quote:

Sorry. Don't get confused. That thread is a completely new project based on data recording with NAS support, which I am a bit new to. This thread is for an NVIDIA-based Jetson device project. Sure. In the coming days, I will try to post more hands-on technical information like scripts/code and ask root-level doubts rather than high-level ones which don't have much clarity.
Not confused at all, but again you seem to have lots of 'requirements', but little information to share. We can try to help with actual problems, but you're essentially telling us that you can't understand the documentation from the people who built the device, and that you'd like us to read it and explain it to you. If you're dealing with nVidia directly, then nVidia support can easily help you with something as simple as formatting/erasing a disk.

Nagesh_accord 04-18-2024 12:45 AM

Quote:

Originally Posted by TB0ne (Post 6495316)
Since this is an nVidia device under support, dealing with them will get you the answers. And since your 'customer' is paying you to do this, why are you asking us to do your job for you???

Since the operating system flashed on the NVIDIA SOM is Linux for Tegra, which is a flavour of Ubuntu 20.04 Focal LTS, which is again a type of Linux distribution, I am asking this query in this Linux platform forum.

Quote:

Originally Posted by TB0ne (Post 6495316)
If it's taken you six months to contact nVidia about a supported device, there isn't much we can do to help you at all.

I did not take six months to work on this secure erase feature. This requirement popped up a few days back; that's when I posted a query here.
In 6 months I have worked on GPIO, CAN, Audio, Camera, Serial, Ethernet and other features.

Quote:

Originally Posted by TB0ne (Post 6495316)
Not confused at all, but again you seem to have lots of 'requirements', but little information to share.

I don't have a lot of requirements for this secure erase.


Quote:

Originally Posted by TB0ne (Post 6495316)
We can try to help with actual problems, but you're essentially telling us that you can't understand the documentation from the people who built the device, and that you'd like us to read it and explain it to you.

I posted that link just for reference, not essentially for you to read completely and explain to me. Just in case you may have some idea about this secure erase.

Quote:

Originally Posted by TB0ne (Post 6495316)
If you're dealing with nVidia directly, then nVidia support can easily help you with something as simple as formatting/erasing a disk.

With a lot of study and interaction with our NVM SSD drive vendor, we came to know that we can perform SECURE ERASE on the NVM drive.
NVIDIA Jetson does not support secure erase on their inbuilt eMMC memory inside their SOM.


Below are a few steps to perform secure erase on an NVM SSD drive:

1) Install the nvme-cli tool first with:
$ sudo apt install nvme-cli

2) Next, list all the NVMe devices on your hardware using the command below:
$ sudo nvme list

3) Next, execute the erase command below to perform secure erase:
$ sudo nvme format -s1 /dev/nvme0n1
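
An added example, not written by any poster in this thread: one way to connect the GPIO check from the earlier post to the `nvme format -s1` step listed above, so that the erase runs only after the pin has stayed active for a hold period. The active level, hold time, default device path and the `DRY_RUN` and `--run` switches are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not from the thread: hold-to-erase trigger for rc.local.
# Assumed values: active level, hold time, device default, DRY_RUN/--run switches.
GPIO_VALUE=${GPIO_VALUE:-/sys/class/gpio/PBB.02/value}  # pin path used in the thread
ACTIVE_LEVEL=${ACTIVE_LEVEL:-1}      # assumption: pin reads 1 while the button is pressed
HOLD_SAMPLES=${HOLD_SAMPLES:-30}     # consecutive active reads required (30 x 0.1 s = 3 s)
POLL_INTERVAL=${POLL_INTERVAL:-0.1}  # seconds between reads (GNU sleep accepts fractions)
ERASE_DEV=${ERASE_DEV:-/dev/nvme0n1} # confirm with `nvme list` before arming
DRY_RUN=${DRY_RUN:-1}                # 1 = only report what would be run

# Return 0 once the pin has been active for HOLD_SAMPLES consecutive reads.
# $1 = maximum number of polls before giving up with status 1 (0 = no limit).
wait_for_hold() {
    max_polls=${1:-0}
    polls=0
    held=0
    while :; do
        value=$(cat "$GPIO_VALUE" 2>/dev/null) || value=
        if [ "$value" = "$ACTIVE_LEVEL" ]; then
            held=$((held + 1))
        else
            held=0   # a bounce or release restarts the hold count
        fi
        [ "$held" -ge "$HOLD_SAMPLES" ] && return 0
        polls=$((polls + 1))
        [ "$max_polls" -gt 0 ] && [ "$polls" -ge "$max_polls" ] && return 1
        sleep "$POLL_INTERVAL"
    done
}

# Run the format step from the thread, or only print it when DRY_RUN=1.
run_erase() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "DRY RUN: nvme format -s1 $ERASE_DEV"
        return 0
    fi
    if [ ! -b "$ERASE_DEV" ]; then
        echo "refusing: $ERASE_DEV is not a block device" >&2
        return 2
    fi
    if grep -q "^$ERASE_DEV" /proc/mounts; then
        echo "refusing: $ERASE_DEV (or a partition on it) is mounted" >&2
        return 3
    fi
    nvme format -s1 "$ERASE_DEV"
}

# Armed only when started as `script --run`, e.g. from /etc/rc.local with a trailing &.
if [ "${1:-}" = "--run" ]; then
    wait_for_hold 0 && run_erase
    logger -t secure-erase "erase trigger handled, exit status $?"
fi
```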

TB0ne 04-18-2024 06:55 AM

Quote:

Originally Posted by Nagesh_accord (Post 6496773)
Since the operating system flashed on the NVIDIA SOM is Linux for Tegra, which is a flavour of Ubuntu 20.04 Focal LTS, which is again a type of Linux distribution, I am asking this query in this Linux platform forum.

It is not a 'flavor of Ubuntu'...it is heavily customized by nVidia for that device specifically. There are a LOT of things based on Linux.
Quote:

I did not take six months to work on this secure erase feature. This requirement popped up a few days back; that's when I posted a query here. In 6 months I have worked on GPIO, CAN, Audio, Camera, Serial, Ethernet and other features.
Great...so since it cropped up as a 'requirement', have you (AGAIN) contacted nVidia and asked them for support on their device???
Quote:

I don't have a lot of requirements for this secure erase.
So following the documentation you can easily find on their website. Also, it's odd that you claim to not have a lot of 'requirements', yet seem to have completed the product and shipped it to a customer:

https://forums.developer.nvidia.com/...trial/288457/6

...where you also got a good deal of advice from the people who built it.
Quote:

I posted that link just for reference, not essentially for you to read completely and explain to me. Just in case you may have some idea about this secure erase.
Again: this is a PROPRIETARY DEVICE...not a standard Linux PC.
Quote:

With a lot of study and interaction with our NVM SSD drive vendor, we came to know that we can perform SECURE ERASE on the NVM drive. NVIDIA Jetson does not support secure erase on their inbuilt eMMC memory inside their SOM. Below are a few steps to perform secure erase on an NVM SSD drive:

1) Install the nvme-cli tool first with:
$ sudo apt install nvme-cli

2) Next, list all the NVMe devices on your hardware using the command below:
$ sudo nvme list

3) Next, execute the erase command below to perform secure erase:
$ sudo nvme format -s1 /dev/nvme0n1
...which can easily work if you put the NVME drive into an external caddy. Or you can use the existing dd command to write random junk to the mounted disk easily, or do any number of other things to render the device unrecoverable. But you either say you have no 'requirements', or you have several...which is it???

Nagesh_accord 04-19-2024 12:38 AM

Quote:

Originally Posted by TB0ne (Post 6496827)
It is not a 'flavor of Ubuntu'...it is heavily customized by nVidia for that device specifically. There are a LOT of things based on Linux.

Ok. Thanks for the updates.

Quote:

Originally Posted by TB0ne (Post 6496827)
Great...so since it cropped up as a 'requirement',have you (AGAIN) contacted nVidia and asked them for support on their device???

yes

Quote:

Originally Posted by TB0ne (Post 6496827)
So following the documentation you can easily find on their website. Also, it's odd that you claim to not have a lot of 'requirements', yet seem to have completed the product and shipped it to a customer:

I meant I asked only the secure erase query here and not any other requirements.


Quote:

Originally Posted by TB0ne (Post 6496827)
https://forums.developer.nvidia.com/...trial/288457/6

...where you also got a good deal of advice from the people who built it.

yes


Quote:

Originally Posted by TB0ne (Post 6496827)
Again: this is a PROPRIETARY DEVICE...not a standard Linux PC.

...which can easily work if you put the NVME drive into an external caddy. Or you can use the existing dd command to write random junk to the mounted disk easily, or do any number of other things to render the device unrecoverable.

OK. I understand that the nvme format command does the same dd command stuff inside and/or a cryptographic key erase inside the disk, which results in secure erase.


Quote:

Originally Posted by TB0ne (Post 6496827)
But you either say you have no 'requirements', or you have several...which is it???

In this thread, I have asked about only secure erase requirement.

I have one more query:
1) Do you have any idea about any commands/methods to recover the data from a secure-erased NVMe, so that we can fail in that process and confirm that secure erase has happened successfully?

sundialsvcs 04-19-2024 07:19 AM

ifyou wantt oeras eyour machi netoh ideit fromu sthet hreel etter agenc ieswe willr eadit anywa yxxxx :)

TB0ne 04-19-2024 08:34 AM

Quote:

Originally Posted by Nagesh_accord (Post 6497016)
Ok. Thanks for the updates.
I meant I asked only secure erase query here and not any other requirements here.
OK. I understand that the nvme format command does the same dd command stuff inside and/or a cryptographic key erase inside the disk, which results in secure erase.
In this thread, I have asked about only secure erase requirement.

I have one more query:
1) Do you have any idea about any commands/methods to recover the data from a secure-erased NVMe, so that we can fail in that process and confirm that secure erase has happened successfully?

Sorry, but at what point are you actually going to do the job you were hired to do by your customers???

You need to think about what a 'secure erased' drive is, which will then tell you why your question is pointless. You can then take some of the money they're paying you, and YOU, PERSONALLY, can build a test for YOUR CUSTOMER. Go do your own research on how to do a secure erase, and look up how to test such things.

Nagesh_accord 04-20-2024 08:39 AM

Quote:

Originally Posted by sundialsvcs (Post 6497073)
ifyou wantt oeras eyour machi netoh ideit fromu sthet hreel etter agenc ieswe willr eadit anywa yxxxx :)

I don't understand this language.

Nagesh_accord 04-20-2024 08:49 AM

Quote:

Originally Posted by TB0ne (Post 6497092)
Sorry, but at what point are you actually going to do the job you were hired to do by your customers???

I am not doing customer job, but it is our duty to meet their requirements and implement them.


Quote:

Originally Posted by TB0ne (Post 6497092)
You need to think about what a 'secure erased' drive is, which will then tell you why your question is pointless.


I have a point in my question. I know once we secure erase, there was nothing left on the NVMe drive and I even remounted it once again to access it after secure erase.

But in order to prove more deeply that no one in this world can recover any data from the securely erased NVMe drive, I was asking if any experts have some idea.

Also, I read in some documentation that we have the "hexdump" command to check the secure erased drive, and it should display all ZEROS. I tried this command on my secure erased NVMe and initially found some zeros, but deep down there were some non-zero values, as it was a 2 TB SD drive.

Quote:

Originally Posted by TB0ne (Post 6497092)
You can then take some of the money they're paying you, and YOU, PERSONALLY, can build a test for YOUR CUSTOMER. Go do your own research on how to do a secure erase, and look up how to test such things.

OK. I will try to research outside this forum as per your advice, if there are no experts to answer about recovery methods/tools/commands. Thanks.
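
An added example, not written by any poster in this thread, for the hexdump check described in the post above: rather than paging through hexdump output on a 2 TB drive, it reads the target chunk by chunk and lists the byte offsets that still return non-zero data. The function name, chunk size and report limit are assumptions; the target can be a block device or an image file.

```bash
#!/bin/sh
# Added example, not from the thread: find which parts of a device still read non-zero.
# Usage: scan_nonzero TARGET [CHUNK_BYTES] [MAX_REPORT]
# Exit status 0 means every byte that was read back is zero.
scan_nonzero() (
    target=$1
    chunk=${2:-4194304}     # bytes per read (default 4 MiB)
    max_report=${3:-10}     # list at most this many chunk offsets
    if [ -b "$target" ]; then
        size=$(blockdev --getsize64 "$target") || exit 2
    else
        size=$(stat -c %s "$target") || exit 2   # plain image file
    fi
    offset=0
    index=0
    dirty=0
    while [ "$offset" -lt "$size" ]; do
        # Delete NUL bytes and count what is left in this chunk.
        nz=$(dd if="$target" bs="$chunk" skip="$index" count=1 2>/dev/null |
             tr -d '\000' | wc -c)
        if [ "$nz" -gt 0 ]; then
            dirty=$((dirty + 1))
            if [ "$dirty" -le "$max_report" ]; then
                echo "non-zero data in chunk at byte offset $offset ($nz bytes)"
            fi
        fi
        index=$((index + 1))
        offset=$((offset + chunk))
    done
    echo "chunks read: $index, chunks with non-zero data: $dirty"
    [ "$dirty" -eq 0 ]
)
```

A clean result only shows what the controller returns for each logical block; it does not read the flash cells directly.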


All times are GMT -5.