[Replicant] [Replicant 6] Add basic support for the wipe utility

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Thu Mar 11 17:33:28 UTC 2021


Hi,

Here's a small patch set to add the wipe command line utility.

Without that, it's way too complicated to securely delete files
from the internal storage:
- On some of the supported devices users would have to port
  GNU/Linux or u-boot[1] to the device to be able to run wipe
  or unsolder and resolder the eMMC.
- On other devices (like the Galaxy SII, Galaxy SIII and Galaxy
  Note II) that have some support in Linux, the bootloader
  isn't compatible with the stock Linux kernel.
- On others (like the Galaxy Tab 2) the bootloader seems to
  be compatible with Linux and there is work in progress to make
  a devicetree for it but that work has not been merged in Linux
  yet.

This improves the situation since the partition formatting code
that runs inside the Replicant 6 recovery doesn't wipe the files.

When trying this patch set on the Galaxy SII (GT-I9100), I backed
up the 'DATAFS' partition but forgot to backup the 'UMS' partition,
and I did a full factory reset to install the images I built.

I then tried to recover my data with photorec but found the
previous user's data within the recovered data.

So while this isn't perfect (wipe here runs from /system), it
still makes it possible to wipe all other partitions from within
the recovery.

To do that users need to mount the system partition by using
the Advanced->Mount System menu in the recovery.

Then, wipe should be available in the recovery shell.

The wiki has more information on how to get a root shell
inside the recovery.

In addition, wipe also makes it possible to securely erase individual files.

That can be handy for users wanting to back up their Silence
database in a (more) secure way for instance.

Also note that wipe isn't perfect: it relies on probabilistic
luck: most storage devices (like the eMMC) have nonfree
firmware. These devices do some block management: the blocks
that are seen by Linux are virtual. Internally the storage
device has some reserve to compensate for broken blocks which
is not visible to Linux or other OSes, and the nonfree firmware
handles these blocks.

So privacy-sensitive data may be moved to blocks that are not
visible anymore from Linux or other OSes. Though it's still good
enough for most use cases.
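As an added illustration of that caveat (this is not code from the patch set, from the wipe utility or from any real eMMC firmware), here is a toy model of the block remapping the firmware does. It assumes a plain copy-on-write mapping with no garbage collection, so every overwrite lands on a fresh physical page and the old page keeps its bytes:

```python
import os
from typing import Dict, List, Optional

# Toy flash translation layer (FTL), constructed for this post as an
# illustration only. Flash pages cannot be rewritten in place, so the
# firmware puts each new version of a logical block on a fresh physical
# page and only unmaps the old one; the old bytes stay until reused.

class ToyFtl:
    def __init__(self, physical_pages: int, page_size: int = 16) -> None:
        self.page_size = page_size
        # physical flash as the firmware sees it; None means erased
        self.flash: List[Optional[bytes]] = [None] * physical_pages
        # logical block (what Linux sees) -> physical page (what holds it)
        self.map: Dict[int, int] = {}

    def _free_page(self) -> int:
        # first erased page; a real FTL also wear-levels, spreading old copies
        for idx, page in enumerate(self.flash):
            if page is None:
                return idx
        raise RuntimeError("no erased pages: garbage collection needed")

    def write(self, lba: int, data: bytes) -> None:
        """Write one logical block; the previous physical page is NOT erased."""
        if len(data) != self.page_size:
            raise ValueError("data must be exactly one page")
        phys = self._free_page()
        self.flash[phys] = data
        self.map[lba] = phys

    def read(self, lba: int) -> Optional[bytes]:
        """What the OS reads back: only the current mapping."""
        return self.flash[self.map[lba]] if lba in self.map else None

    def pages_containing(self, needle: bytes) -> List[int]:
        """Chip-level view: every physical page, mapped or not, holding needle."""
        return [i for i, p in enumerate(self.flash) if p and needle in p]

def demo_overwrite_leaves_residue() -> tuple:
    """Constructed scenario: store a secret, overwrite it wipe-style (random
    pass, then zero pass), return (what the OS reads, pages still holding it)."""
    ftl = ToyFtl(physical_pages=8)
    secret = b"silence-db-key!!"  # constructed 16-byte sample, not real data
    ftl.write(0, secret)
    ftl.write(0, os.urandom(16))  # overwrite pass 1 lands on a new page
    ftl.write(0, bytes(16))       # overwrite pass 2 lands on yet another page
    return ftl.read(0), ftl.pages_containing(secret)
```

From the OS side logical block 0 now reads as zeros, while the chip still holds the secret on its original physical page; this is the reserve-block problem the paragraph above describes.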

In addition to the patch that will follow in a response to
this mail, here are the URLs to see the patches in a web
interface:
https://git.replicant.us/contrib/GNUtoo/vendor_replicant/commit/?id=70389ac7679961a6a04d34538a7129bd2a347c56
https://git.replicant.us/contrib/GNUtoo/manifest/commit/?id=bf64506b4b5716e3ba59602b95b47dce715e6ce4

And here's how to get them in a git repository.
For vendor/replicant:
  git clone https://git.replicant.us/GNUtoo/vendor_replicant
  cd vendor_replicant
  git show 70389ac7679961a6a04d34538a7129bd2a347c56
and the manifest:
  git clone https://git.replicant.us/GNUtoo/manifest
  cd manifest
  git show bf64506b4b5716e3ba59602b95b47dce715e6ce4

References:
-----------
[1] U-boot has an ums command that can export the eMMC as a
    mass storage device. While it doesn't export the
    bootloader and RPMB security hardware partitions, all
    the rest should be available.

Denis.
