hparm -I /dev/sda does not report a Security section - should I be concerned?

Question

I am in the habit of wiping new drives and for SSDs I use hdparm to perform an ATA secure erase.

I just purchased two 44-pin PATA SSDs through an eBay seller in China and hdparm does not report a Security section when querying the drives:

# hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
        Model Number:       KingSpec KSD-PA25.6-032MS
        Serial Number:      xxx
        Firmware Revision:  20131018
Standards:
        Supported: 9 8 7 6 5
        Likely used: 9
Configuration:
        Logical         max     current
        cylinders       16383   16383
        heads           15      15
        sectors/track   63      63
        --
        CHS current addressable sectors:   15481935
        LBA    user addressable sectors:   62377984
        LBA48  user addressable sectors:   62377984
        Logical/Physical Sector size:           512 bytes
        device size with M = 1024*1024:       30458 MBytes
        device size with M = 1000*1000:       31937 MBytes (31 GB)
        cache/buffer size  = 1 KBytes (type=DualPort)
        Nominal Media Rotation Rate: Solid State Device
Capabilities:
        LBA, IORDY(can be disabled)
        Standby timer values: spec'd by Vendor, no device specific minimum
        R/W multiple sector transfer: Max = 1   Current = 0
        DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 *udma5 udma6
             Cycle time: min=120ns recommended=120ns
        PIO: pio0 pio1 pio2 pio3 pio4
             Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    Power Management feature set
                Write cache
           *    WRITE_BUFFER command
           *    READ_BUFFER command
           *    NOP cmd
           *    48-bit Address feature set
                Mandatory FLUSH_CACHE
                FLUSH_CACHE_EXT
HW reset results:
        CBLID- above Vih
        Device num = 1
Checksum: correct

From a security perspective, is this something I should be concerned about?

I asked a more detailed, non-security question at Super User (no responses): hdparm does not report a Security section

Answer 1

A look at the hdparm source code reveals that the -I option triggers an ATA "identify" command, to which the drive responds with a sequence of 256 16-bit integers, that encode the drive capabilities. Among them are the "security features". hdparm then proceeds to print out these capabilities in human-readable format.

If the integers don't specify support for any of the security features (password, secure erase) then it skips the "Security" section altogether:

    /* security */
    if((eqpt != CDROM) && (like_std > 3) && (val[SECU_STATUS]
       || val[ERASE_TIME] || val[ENH_ERASE_TIME]))
    {
            printf("Security: \n");

Since you don't see a "Security" section, then this means that the drive declares itself completely unable to do security-related things. Namely, you cannot lock the drive with a password, and you cannot do a "secure erase" on it: the drive simply does not know how to do that.

After all, these are (from the protocol point of view) optional features, meaning that any specific drive may lack them. That's what you observe in this case.

---

Now the "secure erase" is about preventing leakage of old data. You don't need it for a drive you just bought; a "secure erase" would not guarantee you against any hardware backdoor either. What you want to do is to logically reset the drive so that it appears to be "clean" from the OS point of view. This is done with a simple dd:

dd if=/dev/zero of=/dev/sdX bs=512 count=1000

(with sdX to be replaced with the appropriate drive letter). This call will bombard the first thousand of sectors with zeros, in particular removing any partition table.

Notes:

• Be extra careful with the dd parameters, because it is easy to wipe out the wrong disk. "dd" is also known as "disk destroyer".
• You may want to reboot (or unplug/replug the disk if it is in some hotplug USB cradle) so that your kernel reloads the partition table (in this case, notices the lack of partition table).