How to implement an SSD that corresponds uniquely to the industrial robot host
Because of strict data security requirements, Renice's customers ask for an SSD that corresponds uniquely to its host. That is, the SSD can only be used in the specified host: once it is connected to any other host PC, data destruction is triggered automatically. At the same time, the specified host must still be able to use non-customized SSDs from any other vendor.
I. Project requirement
1. Host interface: SATA 6.0Gbps
2. Form factor: 2.5"
3. Capacity: 4TB
4. NAND Flash: MLC
5. Operation temperature: -40°C ~ +85°C
6. SSD must correspond uniquely to the host
7. Once connected to another host PC, data destruction is triggered automatically
8. The host must be able to use the SSD from any other company
II. Renice solution design
1. The Renice SSD solution adopts Renice's in-house developed SSD controller RS3502-IT with a SATA III 6.0Gbps interface. A single controller supports a maximum capacity of 2TB, so two controllers are used here in a RAID0 configuration.
2. A Xilinx FPGA is used as the RAID0 chip, with TRIM support.
(RAID chips on the market normally have two drawbacks: (1) they do not support extended-temperature operation; (2) they do not support TRIM, so the SSD can only run garbage collection (GC) once it is full of data. During GC, write performance drops sharply, even to 0MB/s, which may cause failures in critical applications.)
3. Self-destruction: two methods are supported, physical destruction and logical destruction (either one, or both).
4. Logical destruction supports a quick erase within 10s. There are two variants: in one, the SSD is reusable after initialization (all data has been erased); in the other, the data cannot be recovered after the logical erase, and the SSD can only be used again after being returned to the manufacturer to have its firmware reloaded.
5. Physical destruction: if the SSD is connected to an unauthorized host, the NAND flash is broken down by high voltage. There is no way to recover the data.
III. Details of implementation
1. The SSD only corresponds uniquely to the specified host
There is no change to the pin definition of the customer's host SATA interface, so the host can still operate with other common SSDs. The Renice SSD solution adds one FPGA or SCM that performs signal matching using an undefined pin of the SATA disk together with the characteristics of the mainboard. If signal matching has not succeeded within 3s (the trigger time is set by the customer), data destruction is triggered.
2. Implementation and effect of the self-destruction
The SE is triggered by pulling down the voltage of a GPIO signal and sending the command to the controller. This can be implemented in hardware or in software.
2.1. Logical destruction
Logical destruction refers to deleting or overwriting the data, including the AES key, firmware, mapping table, etc. It does not damage the storage media.
In general, customers have the following fast-delete requirements; each is implemented by different firmware means.
2.1.1. After the quick erase, the disk remains visible in the OS and is reusable after initialization; all data reads as 0xFF in WinHex.
One problem must be solved for this delete method: if the SSD receives another program command during the delete operation, or if data in SDRAM has not yet been written to NAND flash, the program operation continues after the quick erase, and then not all data reads as 0xFF in WinHex.
Renice provides two methods to solve this problem: (1) before executing SE, purge the data in SDRAM first so that it cannot be written into NAND flash after SE; (2) enable write protection when executing data destruction, and keep it enabled until the next power-on, so that any write command received after SE is not written into the SSD.
2.1.2. After a quick erase, the disk is invisible to the OS, so naturally the status of the data inside cannot be checked by software.
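The race described above (a buffered write or a late host write landing in NAND after the erase) is easy to see in a toy model. The following C program is an added example, not Renice firmware: it models a tiny NAND array, an SDRAM write buffer and a write-protect latch, and runs the same scenario against a naive quick erase and against one hardened with both countermeasures (purge SDRAM first, then latch write protection until the next power-on). Sizes, names and the sample data are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model: sizes are arbitrary, not a real device's geometry. */
#define NAND_BYTES 64
#define BUF_BYTES  16

typedef struct {
    uint8_t nand[NAND_BYTES];   /* erased NAND reads as 0xFF */
    uint8_t sdram[BUF_BYTES];   /* data accepted from host, not yet programmed */
    size_t  sdram_len;
    size_t  sdram_dst;          /* NAND offset the buffered data belongs to */
    bool    write_protect;      /* latched until next power-on */
} ssd_t;

/* Power-on: NAND content persists, the latch and the buffer do not. */
void ssd_power_on(ssd_t *s) {
    s->sdram_len = 0;
    s->write_protect = false;
}

void ssd_init(ssd_t *s) {
    memset(s->nand, 0xFF, NAND_BYTES);
    ssd_power_on(s);
}

/* Host write: data lands in SDRAM first; returns false if rejected. */
bool ssd_host_write(ssd_t *s, size_t dst, const uint8_t *data, size_t len) {
    if (s->write_protect || len > BUF_BYTES || dst + len > NAND_BYTES) return false;
    memcpy(s->sdram, data, len);
    s->sdram_len = len;
    s->sdram_dst = dst;
    return true;
}

/* Background flush: program whatever is buffered into NAND. */
void ssd_flush(ssd_t *s) {
    if (s->sdram_len == 0) return;
    memcpy(s->nand + s->sdram_dst, s->sdram, s->sdram_len);
    s->sdram_len = 0;
}

/* Naive quick erase: clears NAND but ignores the buffer and keeps accepting writes. */
void ssd_quick_erase_naive(ssd_t *s) {
    memset(s->nand, 0xFF, NAND_BYTES);
}

/* Hardened quick erase: (1) purge SDRAM first, (2) latch write protection, then erase. */
void ssd_quick_erase_hardened(ssd_t *s) {
    s->sdram_len = 0;                   /* discard anything not yet programmed */
    memset(s->sdram, 0xFF, BUF_BYTES);
    s->write_protect = true;            /* reject writes until next power-on */
    memset(s->nand, 0xFF, NAND_BYTES);
}

/* Verification step: every NAND byte reads 0xFF. */
bool ssd_all_erased(const ssd_t *s) {
    for (size_t i = 0; i < NAND_BYTES; i++)
        if (s->nand[i] != 0xFF) return false;
    return true;
}

/* Scenario from the text: a write is still in SDRAM when SE fires, and
   another write arrives after SE. Returns true if NAND ends up fully erased. */
bool run_scenario(bool hardened) {
    ssd_t s;
    ssd_init(&s);
    const uint8_t secret[] = "secret-data-001";     /* constructed sample, 16 bytes */
    ssd_host_write(&s, 0, secret, sizeof secret);   /* buffered, not yet programmed */
    if (hardened) ssd_quick_erase_hardened(&s); else ssd_quick_erase_naive(&s);
    ssd_flush(&s);                                  /* pending program continues */
    ssd_host_write(&s, 32, secret, sizeof secret);  /* late write after SE */
    ssd_flush(&s);
    return ssd_all_erased(&s);
}

/* The latch must block writes after SE and clear again on the next power-on. */
bool write_protect_clears_on_power_on(void) {
    ssd_t s;
    ssd_init(&s);
    const uint8_t d[4] = {1, 2, 3, 4};
    ssd_quick_erase_hardened(&s);
    bool rejected = !ssd_host_write(&s, 0, d, sizeof d);
    ssd_power_on(&s);
    bool accepted = ssd_host_write(&s, 0, d, sizeof d);
    return rejected && accepted;
}

int main(void) {
    printf("naive erase leaves NAND fully 0xFF:    %s\n", run_scenario(false) ? "yes" : "no");
    printf("hardened erase leaves NAND fully 0xFF: %s\n", run_scenario(true) ? "yes" : "no");
    return 0;
}
```

With the naive erase the buffered "secret" is programmed after the erase and the late write is accepted, so the 0xFF check fails; the hardened erase returns a clean device, and the latch is released only by a power cycle, which is the behaviour the text requires.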
2.2. Physical destruction
After physical destruction, all NAND flash on the SSD has been broken down completely.
2.2.1. Renice developed the solution so that all NAND flash is burned within 45s.
2.2.2. Physical destruction breaks down every die of each NAND flash, not only the IO interface, to ensure the data cannot be recovered.
2.2.3. Once triggered, physical destruction will not stop until it is finished. Even if power is lost while it is executing, it resumes at the next power-on.
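Two behaviours above are worth seeing as control logic: the host-matching timeout in III.1 (destruction fires if matching has not succeeded within the configured 3s) and the resume-after-power-loss rule in 2.2.3. The following C program is an added example, not Renice firmware. It models the controller's boot and monitoring loop as a state machine whose "destruction pending" flag and progress counter are treated as persistent (they would live in non-volatile storage), while the wait timer and current state are volatile. The signal-matching step itself is not specified on the page, so it is represented by a callback; the tick size, die count and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MATCH_TIMEOUT_MS 3000   /* trigger time from III.1; customer-configurable */
#define TOTAL_DIES       8      /* constructed die count for the model */

typedef enum { ST_WAIT_MATCH, ST_NORMAL, ST_DESTROYING, ST_DESTROYED } state_t;

typedef struct {
    /* persistent across power cycles (would be committed to NVM) */
    bool     destroy_pending;
    uint32_t destroy_progress;  /* dies already processed */
    /* volatile */
    state_t  state;
    uint32_t elapsed_ms;
} ctrl_t;

/* Stand-in for the FPGA/SCM signal-matching result at a given time. */
typedef bool (*match_fn)(uint32_t elapsed_ms);

/* Power-on: a destruction that was already committed resumes immediately and
   is never offered a matching step again (2.2.3). */
void ctrl_power_on(ctrl_t *c) {
    c->elapsed_ms = 0;
    c->state = c->destroy_pending ? ST_DESTROYING : ST_WAIT_MATCH;
}

/* One iteration of the firmware loop. */
void ctrl_tick(ctrl_t *c, uint32_t dt_ms, match_fn matched) {
    c->elapsed_ms += dt_ms;
    switch (c->state) {
    case ST_WAIT_MATCH:
        if (matched(c->elapsed_ms)) {
            c->state = ST_NORMAL;
        } else if (c->elapsed_ms >= MATCH_TIMEOUT_MS) {
            /* commit the decision first, so a power loss right here cannot undo it */
            c->destroy_pending = true;
            c->destroy_progress = 0;
            c->state = ST_DESTROYING;
        }
        break;
    case ST_DESTROYING:
        /* one die per tick; progress is persisted after each step */
        if (c->destroy_progress < TOTAL_DIES) c->destroy_progress++;
        if (c->destroy_progress >= TOTAL_DIES) c->state = ST_DESTROYED;
        break;
    default:
        break;
    }
}

/* Constructed matching behaviours for the scenarios below. */
static bool match_never(uint32_t elapsed_ms)    { (void)elapsed_ms; return false; }
static bool match_always(uint32_t elapsed_ms)   { (void)elapsed_ms; return true; }
static bool match_at_500ms(uint32_t elapsed_ms) { return elapsed_ms >= 500; }

/* Authorized host: matching succeeds well inside the window. */
state_t scenario_authorized_host(void) {
    ctrl_t c = {0};
    ctrl_power_on(&c);
    for (int i = 0; i < 10; i++) ctrl_tick(&c, 100, match_at_500ms);  /* 1s */
    return c.state;   /* ST_NORMAL */
}

/* Unknown host: no match within 3s commits the destruction. */
bool scenario_unknown_host(void) {
    ctrl_t c = {0};
    ctrl_power_on(&c);
    for (int i = 0; i < 30; i++) ctrl_tick(&c, 100, match_never);      /* 3s */
    return c.state == ST_DESTROYING && c.destroy_pending;
}

/* Power loss mid-destruction: it resumes from the persisted progress and
   finishes even if the drive is then attached to a host that would match. */
bool scenario_power_loss_resume(void) {
    ctrl_t c = {0};
    ctrl_power_on(&c);
    for (int i = 0; i < 30; i++) ctrl_tick(&c, 100, match_never);      /* trips timeout */
    for (int i = 0; i < 3; i++)  ctrl_tick(&c, 100, match_never);      /* 3 dies done */
    uint32_t before = c.destroy_progress;
    ctrl_power_on(&c);   /* simulated power loss: volatile state rebuilt from NVM */
    if (c.state != ST_DESTROYING) return false;
    for (int i = 0; i < 20; i++) ctrl_tick(&c, 100, match_always);
    return before == 3 && c.state == ST_DESTROYED && c.destroy_progress == TOTAL_DIES;
}

int main(void) {
    printf("authorized host reaches normal operation: %s\n",
           scenario_authorized_host() == ST_NORMAL ? "yes" : "no");
    printf("unknown host commits destruction at 3s:   %s\n", scenario_unknown_host() ? "yes" : "no");
    printf("destruction survives power loss:          %s\n", scenario_power_loss_resume() ? "yes" : "no");
    return 0;
}
```

The design point is the ordering in the timeout branch: the pending flag is written before the state changes, so the only outcomes are "not yet decided" or "committed and resumable", never a half-started destruction that a power cycle could cancel.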