How to clean an SSD for Qubes installation

Clearly, having a clean state for the installation of a verified Qubes OS is very important to ensure Qubes security is not broken.

Is something like ‘Secure Erase’ for a Samsung SSD sufficient to completely rid the disk of potential issues, assuming it was in use within a known compromised laptop, and further assuming a high-level threat model?

Are there known vectors of persistence (firmware, etc.) in SSDs that are resistant to something like a Secure Erase?

All answers welcomed.

2 Likes

Secure Erase is done by the firmware as with any other command.

3 Likes

If it’s a Samsung SSD then it is automatically Opal 2.0 compliant and can be very quickly reset using the sedutil-cli utility. The command below will instantly flip every bit randomly on the drive and change the internal entropy so that any old encryption key cannot be used to decrypt anything on that drive and it cannot regenerate any older internal keys. The best part is that it is reset without involving any wear leveling or rewriting sectors, as would normally happen with any other kind of wiping software. The final result should be an unformatted SSD with completely random bits, and no data will ever be recoverable.

sudo sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSID> /dev/sdX

The PSID is always printed on the SSD label. Its purpose is to allow this specific reset mode.

3 Likes

Nowadays, there are different tools for different SSD types (SATA vs. NVMe):

https://wiki.archlinux.org/title/Solid_state_drive/Memory_cell_clearing

3 Likes
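
Added example, not part of any post above: a read-only pre-flight check for the SATA/NVMe split and the firmware-executed Secure Erase discussed in this thread. It classifies the device by name and reads the Security section of `hdparm -I` output to see whether the drive would accept an ATA Secure Erase. The function names and the sample text are constructed for illustration, and treating `sdX` as SATA is an assumption.

```sh
#!/bin/sh
# Added example: read-only pre-flight check before an SSD erase. Erases nothing.

# Guess the transport from the kernel device name.
# Assumption: sdX is a SATA SSD (USB bridges also appear as sdX).
transport_of() {
  case "${1##*/}" in
    nvme*) echo nvme ;;
    sd*)   echo sata ;;
    *)     echo unknown ;;
  esac
}

# Read `hdparm -I` text on stdin; print unsupported, frozen, locked or ready.
ata_erase_state() {
  awk '
    /^Security:/ { insec = 1; next }
    /^[A-Za-z]/  { insec = 0 }              # next unindented header ends the section
    insec && NF == 1 && $1 == "supported" { sup = 1 }
    insec && NF == 1 && $1 == "frozen"    { frozen = 1 }   # "not frozen" has NF == 2
    insec && NF == 1 && $1 == "locked"    { locked = 1 }
    END {
      if (!sup)        print "unsupported"
      else if (frozen) print "frozen"       # security commands refused until power cycle
      else if (locked) print "locked"
      else             print "ready"
    }'
}

# Constructed sample of the Security section of `hdparm -I` (not captured output).
sample_security() {   # $1 = "frozen" or "not frozen"
  cat <<EOF
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    $1
    not expired: security count
        supported: enhanced erase
Checksum: correct
EOF
}

if [ "$(transport_of /dev/sda)" = sata ]; then
  echo "frozen sample:     $(sample_security frozen | ata_erase_state)"
  echo "not-frozen sample: $(sample_security 'not frozen' | ata_erase_state)"
fi
```

On a real system the input would come from `sudo hdparm -I /dev/sdX` piped into `ata_erase_state`.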