1. Field of the Invention
The invention relates generally to the field of memory devices. More specifically, the invention relates to a solid state memory device in which memory contents are securely erasable upon a predetermined trigger event.
2. Description of the Related Art
It is known that data stored in flash memory such as NAND flash memory can later be recovered by an unauthorized user in the form of “remnant data”, even after data is deleted by the authorized user. Therefore, commercial and government users of solid state drives (“SSD”) have a need to “sanitize”, i.e., render unrecoverable, data such as cryptographic keys stored in flash memory cells.
What is needed is a device and method that provides the ability to store encrypted data and encryption keys in a NAND flash memory device and that provides the user with the assurance that an erase command will render all data in the device unrecoverable. The sanitizing erase operation must address each and all NAND flash cells in the device, including any bad blocks, spare areas, overprovisioning, reserved/hidden partitions, etc.
To address the above concern, a device and method are provided where the erase is performed outside of the SSD controller domain and is therefore not subject to any address remapping, data scrambling, or hidden zones within the cells of the flash memory storage device.
A typical prior art SSD controller uses “abstraction layers” when mapping physical-to-logical blocks in the flash memory which basically map address locations known to the flash controller operating system or “OS” to actual address locations in the flash cell arrays for memory management and usage, which management may include wear-leveling, bad block management, data consolidation, ECC, logical-physical address mapping, and data scrambling.
Prior art file systems in flash memory controllers further abstract data storage with allocation nodes/tables and mapping. Yet further, there is an abstraction layer in the flash device itself in terms of cell array address mapping, MLC (multi-level cell) design, and MLC data decoding.
Through these abstraction layers, user data is modified, relocated, and/or reconstructed in a distributed manner such that no single point in the flash hardware can directly map user data to a physical cell location. Certain flash memory data modification is purely hardware-controlled and cannot be tracked or observed by the external system. For example, wear-leveling algorithms move data around the flash cells and as a result, effectively leave multiple copies of the data in the flash cells. This makes it difficult to control the exact behavior desired at a physical or “raw” cell level needed to maximize the effectiveness of data destruction or to effectively destroy any data remnants in the cells.
The instant invention addresses the above concerns and deficiencies by providing direct raw flash cell access using a separately-provided processor element executing a dedicated secure erase operating system that bypasses and overrides the SSD controller management functions during an erase mode, thus permitting direct, unencumbered access to every flash cell in the device.
Because this dual-hardware device and method of the invention fully bypasses the flash memory controller of a prior art flash memory device, the algorithms and erase techniques are controlled by the separate processor and OS, not by the flash memory controller, and are thus not subject to vendor code modifications or bugs.
Another issue present in prior art SSD devices that perform an ATA Secure Erase operation is that the user merely receives an acknowledgment that the erase operation is complete. In many cases this is just a command-line executable that provides little to no feedback to the user.
Information as to how the drive performed the erase, what data was physically erased (e.g., just the key, or all data), which areas were erased (e.g., whether the over-provisioning area was erased), and how the drive verified the erase (e.g., whether it merely issued a raw erase command to the flash and then assumed the data was erased) is not conveyed to the user in prior art systems.
In order to provide the end user with assurance that the erase was fully executed, that it ran successfully, that all flash blocks were erased, and that no data remnants remain, the invention herein preferably comprises a secure erase assurance operating system function as a built-in OS that resides in the separate hardware processor element within the secure drive.
The separately-provided secure OS is protected as a read-only memory and is only used as a reporting tool; the erase function of the device may be performed with or without a reporting display.
Upon initiation of a secure erase command, the user can reboot the PC and automatically enter the secure operating system. The secure OS may be configured to report back the full progress and status of the erase and to display a map of the entire drive identifying, down to the physical block level of the NAND cells, any blocks holding data that are not erased; it may further be configured such that the secure OS mode will not exit until all flash cells in the drive are fully erased.
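To make the two points above concrete (wear leveling leaving multiple copies behind, and the physical-level drive map used for erase verification), the following added example, which is not part of the patent, simulates a toy NAND array with a minimal FTL: a rewrite relocates a key and leaves the old copy in its original block, a retired bad block keeps its contents, a controller-domain erase misses that block, and a raw erase of every physical block followed by a cell-level scan reports nothing left. The block layout, class and function names are constructed assumptions, not a real controller's behaviour.

```python
from dataclasses import dataclass, field

ERASED = b"\xff" * 8   # an erased NAND block reads back as all ones (8-byte toy blocks)

@dataclass
class SimFlash:
    """Toy NAND array of 8 blocks with a minimal FTL on top (constructed model, not a real FTL)."""
    cells: list = field(default_factory=lambda: [ERASED] * 8)
    l2p: dict = field(default_factory=dict)   # logical block -> physical block
    bad: set = field(default_factory=set)     # blocks the controller has retired
    next_free: int = 0

    def ftl_write(self, lba: int, data: bytes) -> None:
        # Wear leveling: every write lands in a fresh block; the previous copy is only
        # unmapped, never erased, so it lingers in the cells as remnant data.
        pb, self.next_free = self.next_free, self.next_free + 1
        self.cells[pb] = data.ljust(8, b"\xff")
        self.l2p[lba] = pb

    def retire_block(self, pb: int) -> None:
        # Bad-block management retires a block without erasing it and drops its mapping.
        self.bad.add(pb)
        self.l2p = {lb: p for lb, p in self.l2p.items() if p != pb}

    def controller_erase(self) -> None:
        # Erase inside the controller domain: skips blocks the controller no longer manages.
        for pb in range(8):
            if pb not in self.bad:
                self.cells[pb] = ERASED

    def raw_erase_all(self) -> None:
        # Erase outside the controller domain: every physical block, retired ones included.
        self.cells = [ERASED] * 8

    def unerased_map(self) -> list:
        # Physical-level verification scan: blocks that do not read back as erased.
        return [pb for pb, c in enumerate(self.cells) if c != ERASED]


def demo(secret: bytes = b"KEY12345") -> dict:
    f = SimFlash()
    f.ftl_write(0, secret)          # constructed key lands in physical block 0
    f.ftl_write(0, secret)          # rewrite relocates it to block 1; block 0 keeps a copy
    f.retire_block(1)               # block 1 retired as "bad" while still holding the key
    result = {"mapped": sorted(f.l2p), "before": f.unerased_map()}  # logically gone, physically present
    f.controller_erase()
    result["controller"] = f.unerased_map()   # retired block survives a controller-domain erase
    f.raw_erase_all()
    result["raw"] = f.unerased_map()          # raw erase plus scan: no unerased blocks remain
    return result
```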