Re: [Tails-dev] Write protection Re: DVD vs. USB: doc needs adjustments? [Fwd: [tor-talk] USB Sticks for Tails -> CCCamp]

2015-07-30 Thread flapflap
intrigeri:
> Hi,
> 
> flapflap wrote (25 Jul 2015 23:51:45 GMT) :
>> So in this specific case it seems to work correctly (remains
>> write-protected).
> 
> Well... my understanding is that in this case, the OS is obeying the
> indication the storage device is giving about being read-only.
> It's nice from a UX point-of-view, but it does not tell us much about
> how the storage device would react if the OS was *not* obeying this
> simple bit of information.

I'd guess that it simply lets you -o remount,rw the device (if initially
mounted -o ro), and then it's a normal writeable SD Card -- because it
actually/electrically is and the SD Card has no way to query the "lock
switch" status.

The case of USB sticks is a bit different since many of them have a
separate IC for doing the wear-leveling and USB interface and another
plain flash memory IC.  And the latter usually has a write
protect/inhibit pin where it's possible to solder a switch to.
Just look for datasheets of parallel NAND Flash ICs for instance from
  http://www.skhynix.com/
  http://www.micron.com/
(sometimes they want you to register prior to downloading the datasheet,
in such cases just look at some electronics distributor like farnell.com
or digikey.com and download the datasheet from there)



___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Write protection Re: DVD vs. USB: doc needs adjustments? [Fwd: [tor-talk] USB Sticks for Tails -> CCCamp]

2015-07-30 Thread intrigeri
Hi,

flapflap wrote (25 Jul 2015 23:51:45 GMT) :
> So in this specific case it seems to work correctly (remains
> write-protected).

Well... my understanding is that in this case, the OS is obeying the
indication the storage device is giving about being read-only.
It's nice from a UX point-of-view, but it does not tell us much about
how the storage device would react if the OS was *not* obeying this
simple bit of information.

Cheers,
-- 
intrigeri


Re: [Tails-dev] Write protection Re: DVD vs. USB: doc needs adjustments? [Fwd: [tor-talk] USB Sticks for Tails -> CCCamp]

2015-07-30 Thread sycamoreone
spriver:
>> Suggestion: It would be great if it were possible to automatically
>> test if a USB storage device is *really* write protected. That
>> test could be executed while booting Tails and the user could be
>> informed about the result.
> How can this be performed? I'm interested in the technical procedure
> to achieve this.

I don't have a device I could test this with, but one possible option to
toggle write-protection in software is hdparm(8).

$ hdparm -r0 /dev/sdc

(hdparm wasn't designed for USB devices, but apparently works because of
the many layers of command translation present in the modern disk
driver system)

Cheers!


Re: [Tails-dev] Write protection Re: DVD vs. USB: doc needs adjustments? [Fwd: [tor-talk] USB Sticks for Tails -> CCCamp]

2015-07-25 Thread Dr. Killswitch, D.V.M.


If you take an SD flash card and carefully split it I believe you'll find
that the write protect switch is purely an optical interrupt. One position
permits writing, one does not, sensed by the reader. There was some recent
conversation about this on Twitter, complete with images, I forget which
security chatterbox was the source.

I suppose there are a variety of paths to get at driver software and
firmware so that a card with protection enabled would still permit write
access.

The world could use something as fast as SD flash, but as secure as a
finalized CD/DVD. Hardware vendors are going to have to adapt to pressure
from the marketplace, and this can not happen soon enough to suit me.





On Sat, July 25, 2015 11:04 pm, Andreas Kuckartz wrote:
> intrigeri wrote:
>> I believe we're telling users about some security benefits of
>> booting Tails from a DVD (as opposed to from a USB stick), but apparently
>> there are some drawbacks too. Perhaps we need to adjust our doc
>> accordingly?
>
> First steps with Tails
> https://tails.boum.org/doc/first_steps/index.en.html
>
>
> Please notice this line:
> "Installing onto a USB stick or SD card (recommended)"
>
>
> Choosing between burning a DVD and installing onto a USB stick
> or SD card https://tails.boum.org/doc/first_steps/media/index.en.html
>
>
> That second page contains this statement:
> "Some USB sticks, SD cards, or SD card adapters have a read-only
> switch that can prevent your Tails from being altered, but be aware that
> this protection is most probably not ensured by the device itself: do not
> rely on untrusted computers to respect this feature."
>
> Suggestion: It would be great if it were possible to automatically
> test if a USB storage device is *really* write protected. That test could
> be executed while booting Tails and the user could be informed about the
> result.
>
> Cheers,
> Andreas


Re: [Tails-dev] Write protection Re: DVD vs. USB: doc needs adjustments? [Fwd: [tor-talk] USB Sticks for Tails -> CCCamp]

2015-07-25 Thread flapflap
spriver:
> Hi,
> 
> [snip]
>> Suggestion: It would be great if it were possible to automatically
>> test if a USB storage device is *really* write protected. That
>> test could be executed while booting Tails and the user could be
>> informed about the result.
> 
> How can this be performed? I'm interested in the technical procedure
> to achieve this.

Test procedure (Debian Jessie):
- Put SD Card *with Lock Switch enabled/locked* into computer
- $ sudo mount
  ...
  /dev/mmcblk0p1 on /media/myusr/disk type vfat (ro,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022,...)
- $ cd /media/myusr/disk
- $ touch hello
  touch: cannot touch ‘hello’: Read-only file system
- $ sudo mount -o remount,rw /media/myusr/disk
  mount: cannot remount /dev/mmcblk0p1 read-write, is write-protected

So in this specific case it seems to work correctly (remains
write-protected).  However, I believe I remember that some years ago I
was successful in getting a write-protected SD Card remounted
read-writeable.  Maybe the driver has been fixed in the meantime or I
had a strange/uncommon system/setup.

The problem is that the "lock switch" on the SD Card is not an
electrical write-protect switch and is not connected to the
write-inhibit pin on the flash chip.  It's merely a mechanical indicator
that the SD Card reader has to evaluate and that can be overridden in
software at any time (e.g., at the driver level).

Here's an open SD Card connector for reference:
https://www.reichelt.de/Connectoren-fuer-Speicherkarten/CONNECTOR-SD-21/3/index.html?ACTION=3&GROUPID=3768&ARTICLE=56476&OFFSET=16&;

and the datasheet:
https://cdn-reichelt.de/documents/datenblatt/C130/CONNECTOR-SD21%23YAMAI.pdf

On the other hand, many (all?) NAND flash ICs actually offer an
electrical write-protect pin, so it's definitely possible to have a
working/effective switch on a USB stick.  Example (not accessible via
Tor, because blocked by Farnell):
http://de.farnell.com/micron/nand01gw3b2cn6e/flash-nand-1gb-tsop48/dp/2065607

datasheet (works via Tor):
http://www.farnell.com/datasheets/1508775.pdf

"3.8 Write Protect (/WP)

The Write Protect pin is an input that gives a hardware protection
against unwanted program or erase operations. When Write Protect is Low,
VIL, the device does not accept any program or erase operations.

It is recommended to keep the Write Protect pin Low, VIL, during
power-up and power-down."

But of course we don't know for sure whether there is no other way to
override the write-protect pin.  It would be easy for the manufacturers
to add a register to query and set the /WP pin/bit in software...

~flapflap
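
The layers involved in the test procedure above, as an added example that is not part of the original thread: it reports separately what the mount table and the kernel's block-layer read-only flag say about a partition. Neither reading shows what the device itself enforces, which is the gap the thread discusses. The function names, the /dev/sdc1 entry and the fixture data are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): which OS layers claim "read-only"?

# ro_layers PARTITION [MOUNTS_FILE] [SYSFS_ROOT]
# Prints "mount=<ro|rw|unmounted> block=<ro|rw|unknown>".
ro_layers() {
    part=$1; mounts=${2:-/proc/mounts}; sysfs=${3:-/sys}
    # Layer 1: mount options, fourth field of /proc/mounts.
    mount_state=unmounted
    while read -r dev mnt fstype opts rest; do
        [ "$dev" = "$part" ] || continue
        case ",$opts," in
            *,ro,*) mount_state=ro ;;
            *)      mount_state=rw ;;
        esac
    done < "$mounts"
    # Layer 2: the kernel's block-layer read-only flag (sysfs "ro").
    # This is software state kept by the OS, not a reading of the flash chip.
    block_state=unknown
    flag="$sysfs/class/block/${part#/dev/}/ro"
    if [ -r "$flag" ]; then
        if [ "$(cat "$flag")" = 1 ]; then block_state=ro; else block_state=rw; fi
    fi
    echo "mount=$mount_state block=$block_state"
}

# ro_verdict: same arguments as ro_layers; one-line interpretation.
ro_verdict() {
    case "$(ro_layers "$@")" in
        *"block=ro") echo "OS-enforced read-only; device-side enforcement unverified" ;;
        "mount=ro block=rw") echo "mount option only; block layer accepts writes" ;;
        "mount=rw block=rw") echo "writable" ;;
        *) echo "undetermined" ;;
    esac
}

# make_fixture DIR: constructed sample data modelled on the session above.
make_fixture() {
    mkdir -p "$1/sys/class/block/mmcblk0p1" "$1/sys/class/block/sdc1"
    echo 1 > "$1/sys/class/block/mmcblk0p1/ro"   # locked SD card (constructed)
    echo 0 > "$1/sys/class/block/sdc1/ro"        # hypothetical USB stick
    cat > "$1/mounts" <<'EOF'
/dev/mmcblk0p1 /media/myusr/disk vfat ro,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022 0 0
/dev/sdc1 /media/myusr/usb vfat ro,nosuid,nodev,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}
```

On a live system, calling ro_verdict with only the partition name reads /proc/mounts and /sys directly.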




Re: [Tails-dev] Write protection Re: DVD vs. USB: doc needs adjustments? [Fwd: [tor-talk] USB Sticks for Tails -> CCCamp]

2015-07-25 Thread spriver
Hi,

[snip]
> Suggestion: It would be great if it were possible to automatically 
> test if a USB storage device is *really* write protected. That
> test could be executed while booting Tails and the user could be
> informed about the result.

How can this be performed? I'm interested in the technical procedure
to achieve this.

Cheers,

spriver


[Tails-dev] Write protection Re: DVD vs. USB: doc needs adjustments? [Fwd: [tor-talk] USB Sticks for Tails -> CCCamp]

2015-07-25 Thread Andreas Kuckartz
intrigeri wrote:
> I believe we're telling users about some security benefits of 
> booting Tails from a DVD (as opposed to from a USB stick), but 
> apparently there are some drawbacks too. Perhaps we need to adjust
>  our doc accordingly?

First steps with Tails
https://tails.boum.org/doc/first_steps/index.en.html

Please notice this line:
"Installing onto a USB stick or SD card (recommended)"

Choosing between burning a DVD and installing onto a USB stick
or SD card
https://tails.boum.org/doc/first_steps/media/index.en.html

That second page contains this statement:
"Some USB sticks, SD cards, or SD card adapters have a read-only
switch that can prevent your Tails from being altered, but be aware
that this protection is most probably not ensured by the device
itself: do not rely on untrusted computers to respect this feature."

Suggestion: It would be great if it were possible to automatically
test if a USB storage device is *really* write protected. That test
could be executed while booting Tails and the user could be informed
about the result.

Cheers,
Andreas