Hi,

Here's a small patch set to add the wipe command line utility.

Without that, it's way too complicated to securely delete files from the internal storage:
- On some of the supported devices users would have to port GNU/Linux or u-boot[1] to the device to be able to run wipe, or unsolder and resolder the eMMC.
- On other devices (like the Galaxy SII, Galaxy SIII and Galaxy Note II) that have some support in Linux, the bootloader isn't compatible with the stock Linux kernel.
- On others (like the Galaxy Tab 2) the bootloader seems to be compatible with Linux and there is work in progress to make a devicetree for it, but that work has not been merged in Linux yet.

This improves the situation since the partition formatting code that runs inside the Replicant 6 recovery doesn't wipe the files.

When trying this patch set on the Galaxy SII (GT-I9100), I backed up the 'DATAFS' partition but forgot to back up the 'UMS' partition, and I did a full factory reset to install the images I built. I then tried to recover my data with photorec but found the previous user's data within the recovered data.

So while this isn't perfect (wipe here runs from /system), it still makes it possible to wipe all other partitions from within the recovery. To do that users need to mount the system partition by using the Advanced->Mount System menu in the recovery. Then, wipe should be available in the recovery shell. The wiki has more information on how to get a root shell inside the recovery.

In addition, wipe also makes it possible to securely erase individual files. That can be handy for users wanting to back up their Silence database in a (more) secure way, for instance.

Also note that wipe isn't perfect: it relies on probabilistic luck. Most storage devices (like the eMMC) have nonfree firmware. These devices do some block management: the blocks that are seen by Linux are virtual. Internally the storage device has some reserve to compensate for broken blocks; these reserve blocks are not visible to Linux or other OSes, and the nonfree firmware handles them. So privacy sensitive data may be moved to blocks that are not visible anymore from Linux or other OSes. Though it's still good enough for most use cases.

In addition to the patch that will follow in a response to this mail, here are the URLs to see the patches in a web interface:
https://git.replicant.us/contrib/GNUtoo/vendor_replicant/commit/?id=70389ac7679961a6a04d34538a7129bd2a347c56
https://git.replicant.us/contrib/GNUtoo/manifest/commit/?id=bf64506b4b5716e3ba59602b95b47dce715e6ce4

And here's how to get them in a git repository.

For vendor/replicant:
    git clone https://git.replicant.us/GNUtoo/vendor_replicant
    cd vendor_replicant
    git show 70389ac7679961a6a04d34538a7129bd2a347c56

and the manifest:
    git clone https://git.replicant.us/GNUtoo/manifest
    cd manifest
    git show bf64506b4b5716e3ba59602b95b47dce715e6ce4

References:
-----------
[1] U-boot has an ums command that can export the eMMC as a mass storage device. While it doesn't export the bootloader and RPMB security hardware partitions, all the rest should be available.

Denis.

_______________________________________________
Replicant mailing list
[email protected]
https://lists.osuosl.org/mailman/listinfo/replicant
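As an added illustration of the block-management caveat in the mail above (a constructed example, not part of the patch set, the wipe tool or any eMMC firmware): a toy flash translation layer with spare blocks, where every write lands in a fresh physical block, so overwriting a logical block the way a wipe pass does leaves the old copy in a block that the OS can no longer address until the firmware chooses to erase it.

```python
import os

class ToyFTL:
    """Out-of-place writes onto a pool with spare blocks, as an eMMC controller does."""

    def __init__(self, logical_blocks: int, spare_blocks: int, block_size: int = 16):
        self.block_size = block_size
        # Physical blocks: what the controller (or a chip-off read) sees.
        self.phys = [bytes(block_size)] * (logical_blocks + spare_blocks)
        self.free = list(range(logical_blocks + spare_blocks))
        self.map = {}       # logical block -> physical block: what Linux sees
        self.stale = []     # physical blocks with superseded data, not yet erased

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == self.block_size
        if not self.free:
            self.garbage_collect()
        new = self.free.pop(0)          # flash cannot overwrite in place
        self.phys[new] = data
        old = self.map.get(lba)
        if old is not None:
            self.stale.append(old)      # the old copy lingers until erased
        self.map[lba] = new

    def read(self, lba: int) -> bytes:
        """What the OS reads back through the logical block device."""
        return self.phys[self.map[lba]]

    def garbage_collect(self) -> None:
        """Erase stale blocks; only the firmware decides when this happens."""
        for p in self.stale:
            self.phys[p] = bytes(self.block_size)
            self.free.append(p)
        self.stale = []

def physical_residue(ftl: ToyFTL, needle: bytes) -> list[int]:
    """Physical blocks still holding needle, even if no LBA maps to them."""
    return [i for i, blk in enumerate(ftl.phys) if needle in blk]

def wipe_demo() -> tuple[bool, list[int]]:
    """Overwrite LBA 0 three times (as a wipe pass would) and look for residue."""
    ftl = ToyFTL(logical_blocks=4, spare_blocks=2)
    secret = b"SILENCE-DB-KEY01"         # constructed 16-byte sample payload
    ftl.write(0, secret)
    for _ in range(3):
        ftl.write(0, os.urandom(ftl.block_size))
    # Logical view is clean, yet the physical pool still contains the secret.
    return ftl.read(0) == secret, physical_residue(ftl, secret)
```

The same model shows why a full-disk overwrite that triggers garbage collection clears the residue while a per-file wipe on a mostly-idle device may not.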
