Quick secure erase for tamper resistance?

I know during the flashing process in recovery mode the TX2 MMC is erased so at least a host connected to recovery port can accomplish this.

I’m wondering about the features available to the various bootloaders and early boot processes for securely erasing internal flash. An example of a use case for this could be tamper detection. Does anybody have a direction to point me in with respect to the most appropriate place and/or interface with which to accomplish this zeroization process?

Can’t you just open the appropriate block device (as root) and write blocks of zeros to them?
All the /dev/mmcblk0* devices are different partitions of the eMMC.

Wear leveling probably doesn’t make a truly secure erase without some special technique other than writing to blocks (if it were a regular hard drive you could get away with this through a series of writes, e.g., using the srm app…but eMMC is different if you want to stop a pro from extracting old data). I am thinking a true secure erase requires support in the eMMC hardware itself. Is a simple rm of data enough? If so, something as simple as dd could overwrite those blocks via the “/dev/mmcblk0*” mentioned by @snarky (and don’t use srm on eMMC, this would reduce life and not improve security).

snarky and linuxdev, thanks. My initial thought was to use dd or build a minimal ramdisk to boot which can be used to erase the entire MMC partition via dd. I wasn’t sure if somebody who has worked with the more sophisticated layers of Tegra booting was familiar with a more direct way to erase the MMC via command (maybe in tegraboot or via U-Boot?). The eMMC spec for v4.4 looks like it includes secure erase but I’m not sure what the TX2 module is using.

I’ve not tried, but I have a very strong feeling U-Boot could do this. Running on a ramdisk, while technically possible, is probably much more difficult than using U-Boot. On the serial console command line just type “h” to get a list of commands when in U-Boot shell…though a serial console still means connecting an outside PC. If you are ok with recovery mode then just use dd to create a file the same size as the root partition (about 15GB) using all 1s, all 0s, or random data…then flash with the “-r” option to reuse this as the system.img.

U-Boot itself may not understand features of the specific eMMC if there is a secure erase function supported by the eMMC in hardware, but it could likely be added to U-Boot. I have no idea if the Jetson’s eMMC has such a feature.

So I dumped my TX2’s ext_csd register:

ubuntu@tegra-ubuntu:~$ sudo xxd -r -p /sys/kernel/debug/mmc0/mmc0\:0001/ext_csd | xxd
00000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000010: 3903 0000 e900 0000 e900 0000 0000 0000  9...............
00000020: 0001 0100 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 0a00 0001  ................
00000040: 0000 0002 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0100 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0090 0e00  ................
000000a0: 0701 0000 0000 151f 2000 0000 0000 0000  ........ .......
000000b0: 0000 0000 0000 0000 0103 000e 0000 0000  ................
000000c0: 0800 0200 571f 0a0a eeee 8888 001e 0f46  ....W..........F
000000d0: 0f78 1401 00e0 a303 1014 0a0a 0801 0109  .x..............
000000e0: 0808 2000 07f4 c855 0100 640a eeee ee99  .. ....U..d.....
000000f0: 011e 1000 0000 0032 0a00 1000 00ee 0400  .......2........
00000100: 0000 0000 0000 0100 0120 2001 0100 0000  .........  .....
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000130: 0000 001f 0100 0000 0000 0000 0000 0000  ................
00000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001e0: 0000 0000 0000 01ff ffff ff00 0001 0300  ................
000001f0: 7f00 0301 3f3f 0101 0100 0000 0000 0000  ....??..........

Looking up the value of register SEC_FEATURE_SUPPORT (from: https://www.jedec.org/sites/default/files/docs/JESD84-B51.pdf page 188) the value is 0x55.

So these bits indicate the TX2’s eMMC supports secure purge features, including support for the Sanitize eMMC command. That’s good news, it’s just a matter of checking out U-Boot from the nv-tegra repos and implementing the support there.
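
The check described in the last post, as an added example that is not part of the original thread: it reads the hex string the kernel exposes in the debugfs ext_csd file, takes byte 231 (SEC_FEATURE_SUPPORT, offset 0xe7 in the dump) and names the bits that are set, using the bit names from JESD84-B51. The built-in sample is constructed: 512 zero bytes with only the 0xe0 row copied from the dump above.

```python
import sys

EXT_CSD_LEN = 512            # EXT_CSD register size in bytes
SEC_FEATURE_SUPPORT = 231    # byte index 0xE7 in EXT_CSD (JESD84-B51)

# Bit positions inside SEC_FEATURE_SUPPORT, names as in JESD84-B51.
SEC_BITS = {
    0: "SECURE_ER_EN",    # secure erase/trim (legacy secure purge)
    2: "SEC_BD_BLK_EN",   # secure bad block management
    4: "SEC_GB_CL_EN",    # TRIM / secure TRIM on write blocks
    6: "SEC_SANITIZE",    # SANITIZE operation
}


def parse_ext_csd(hex_text):
    """Convert the debugfs ext_csd hex string into the 512 raw register bytes."""
    raw = bytes.fromhex("".join(hex_text.split()))
    if len(raw) != EXT_CSD_LEN:
        raise ValueError(f"expected {EXT_CSD_LEN} bytes, got {len(raw)}")
    return raw


def sec_features(ext_csd):
    """Return (raw value, list of feature names whose bit is set)."""
    value = ext_csd[SEC_FEATURE_SUPPORT]
    names = [name for bit, name in sorted(SEC_BITS.items()) if value & (1 << bit)]
    return value, names


def sample_ext_csd():
    """Constructed sample: all zeros except the 0xe0 row from the posted dump."""
    row = bytes.fromhex("0808200007f4c8550100640aeeeeee99")
    buf = bytearray(EXT_CSD_LEN)
    buf[0xE0:0xF0] = row
    return buf.hex()


if __name__ == "__main__":
    # Pass the debugfs ext_csd path (needs root); with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = sample_ext_csd()
    value, names = sec_features(parse_ext_csd(text))
    print(f"SEC_FEATURE_SUPPORT = 0x{value:02x}: {', '.join(names) or 'none'}")
    if "SEC_SANITIZE" not in names:
        print("SANITIZE not advertised; overwriting blocks will not purge remapped flash")
```

A set SEC_SANITIZE bit only says the device advertises the command; whether a given bootloader or kernel build issues it is a separate question.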