Ben Hutchings <b...@decadent.org.uk> writes: > On Mon, 2019-07-01 at 22:09 +0200, Philip Hands wrote: >> "Karl O. Pinc" <k...@karlpinc.com> writes: >> >> > Package: debian-installer >> > Severity: wishlist >> > Tags: d-i >> > >> > Hello, >> > >> > It would be nice if the debian installer included the option to >> > "secure erase" SSDs before creating a partition table during >> > installation. >> > >> > A used SSD may have been "over-filled", especially a consumer grade >> > device that is not over-provisioned. By this I mean that it has had >> > enough cells written that writing requires erasure, which results in >> > write-amplification and poor performance. A "secure erase" operation >> > restores the original performance of the drive. >> > >> > I have not put any thought into whether this feature is feasible. >> >> I think it's probably rather hard to do safely, as IIRC one often needs >> to try hdparm, then in order to cause the drive not to be locked do >> something like suspend and resume the system, then set an admin >> password, and only then do the secure erase ... which then takes >> quite a while. > > I believe that modern drives (both HD and SSD) often have their own > encryption layer, and secure erase is implemented by erasing the > encryption key and (on an SSD) marking all blocks free in the flash > translation layer.
Ah, good point -- in which case it would at least be quick. It occurs to me that, given that the main thrust of this bug is about performance rather than security, there is the option of using blkdiscard on the device. A quick look at the d-i code suggests that we're building blkdiscard into busybox: .../busybox/debian/config/pkg/udeb:CONFIG_BLKDISCARD=y but I don't seem to find it being called, so I'm guessing we're not currently doing that. BTW This would only seem to be useful in the case where the user had selected to clean the whole drive but leave some fallow (which we don't currently provide). If the drive is fully allocated it looks like the filesystems try to do a 'discard' during mkfs (judging by e.g. the man page for mkfs.ext4), which I'd hope would have pretty-much the same effect as doing a blkdiscard earlier in the process. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd. |-| http://www.hands.com/ http://ftp.uk.debian.org/ |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
signature.asc
Description: PGP signature
