$!
$!
$! ENHANCED_ERAPAT.COM
$!
$! This command procedure creates an Alpha or IA64 SYS$ERAPAT.EXE image that generates
$! enhanced security erase patterns. The image can be used to replace the standard
$! $ERAPAT system service with this enhanced version. See the comments in the
$! source code below for more details.
$!
$! Replacing the standard $ERAPAT system service is a 4-step process:
$!
$! 1) Edit the SYS$ERAPAT source code (included in this command procedure below)
$!    to choose the number and type of enhanced security erase patterns you require.
$!
$! 2) Compile the source code to produce an object module (SYS$ERAPAT.OBJ).
$!
$! 3) Link the object module from 2) above to create an executable image (SYS$ERAPAT.EXE).
$!
$! 4) Install SYS$ERAPAT.EXE as a system loadable image to replace the standard $ERAPAT
$!    system service.
$!
$! Steps 2 and 3 are accomplished by executing this command procedure. To compile and link,
$! issue: @ENHANCED_ERAPAT LINK. To compile only, issue: @ENHANCED_ERAPAT.
$!
$! NOTE -- when linking on IA64, please ignore PSCATTIGN informational LINKER messages.
$!
$! Detailed instructions for Step 4 are found at the end of this command procedure.
$!
$!
$ CALL DEFINE_LOGICALS          ! Use logical names to locate files
$!
$ MACRO /LIST=LIS$:ENHANCED_ERAPAT /OBJ=OBJ$:ENHANCED_ERAPAT -
        /MACHINE SYS$INPUT
$ DECK
        .TITLE  ENHANCED_ERAPAT - Generate enhanced security erase patterns
        .IDENT  'X-1'

; *************************************************************************
; *                                                                       *
; * © Copyright 1978-2012 Hewlett-Packard Development Company, L.P.       *
; *                                                                       *
; * Confidential computer software. Valid license from HP and/or          *
; * its subsidiaries required for possession, use, or copying.            *
; *                                                                       *
; * Consistent with FAR 12.211 and 12.212, Commercial Computer Software,  *
; * Computer Software Documentation, and Technical Data for Commercial    *
; * Items are licensed to the U.S. Government under vendor's standard     *
; * commercial license.                                                   *
; *                                                                       *
; * Neither HP nor any of its subsidiaries shall be liable for technical  *
; * or editorial errors or omissions contained herein. The information    *
; * in this document is provided "as is" without warranty of any kind and *
; * is subject to change without notice. The warranties for HP products   *
; * are set forth in the express limited warranty statements accompanying *
; * such products. Nothing herein should be construed as constituting an  *
; * additional warranty.                                                  *
; *                                                                       *
; *************************************************************************
;
;++
;
; Facility:
;
;       VMS Executive
;
; Abstract:
;
;       This example system service routine generates security erase patterns which
;       could be used by user-written programs to preclude the unauthorized disclosure
;       of sensitive or private information. The routine could be customized and used
;       as an enhanced replacement for the standard $ERAPAT system service.
;
;       Build and install instructions are contained in the file:
;       SYS$EXAMPLES:ENHANCED_ERAPAT.COM
;
; Environment:
;
;       OpenVMS, Kernel Mode System Service
;
; Author:
;
;       Michael T. Rhodes, October 1982
;
;--

        .SBTTL  Declarations

;
; Include files:
;

        .LIBRARY /SYS$LIBRARY:LIB/      ; Automate inclusion of this macro
                                        ; library during the assembly.

        $ERADEF                         ; Define function codes
        $PSLDEF                         ; PSL offsets
        $SSDEF                          ; Define status codes

;
; Assumptions:
;

        ASSUME  ERA$K_MINTYPE EQ 1      ; Minimum and maximum values
        ASSUME  ERA$K_MAXTYPE EQ 3      ; for valid types of media.
        ASSUME  ERA$K_MEMORY EQ 1       ; Medium to erase is memory.
        ASSUME  ERA$K_DISK EQ 2         ; Medium to erase is disk.
        ASSUME  ERA$K_TAPE EQ 3         ; Medium to erase is tape.

;
; Equated symbols:
;

TYPE    = 4                             ; Offset to TYPE parameter (value)
COUNT   = 8                             ; Offset to COUNT parameter (value)
PATADR  = 12                            ; Offset to PATADR parameter (address)

;
; Own Storage:
;

        DECLARE_PSECT   EXEC$PAGED_DATA

COUNT_VECTOR:                           ; Iteration counts for medium types
        .LONG   1                       ; Main Memory iteration count
        .LONG   3                       ; Disk Storage iteration count
        .LONG   2                       ; Tape Storage iteration count

PATTERNS:                               ; Erase patterns
;
; There must be as many erase patterns as the largest iteration count above.
; For each call to $ERAPAT which returns SS$_NORMAL status, a new pattern
; is returned in PATADR. Patterns are provided in the sequence shown below.
; When the defined iteration count is exceeded, the SS$_NOTRAN alternate
; success status is returned and a pattern is not provided in PATADR.
;
        .LONG   0                       ; Pattern 1 (Max pattern for Main Memory)
        .LONG   -1                      ; Pattern 2 (Max pattern for Tape Storage)
        .LONG   ^XDB6DB6DB              ; Pattern 3 (Max pattern for Disk Storage)

        .SBTTL  $ERAPAT System Service
;++
; $ERAPAT
;
; Functional Description:
;
;       To preclude the unauthorized disclosure of sensitive information,
;       the caller iteratively invokes the $ERAPAT system service. Upon
;       each invocation, the user increments the iteration count and the
;       service returns either SS$_NORMAL (along with an erase pattern)
;       or SS$_NOTRAN (with no erase pattern). SS$_NOTRAN indicates the
;       desensitization procedure is complete.
;
; Calling sequence:
;
;       This routine should be called via a CALLS/G to EXE$ERAPAT.
;
; Input:
;
;       R2              Previous mode passed by system service dispatch
;
;       TYPE(AP)        Security erase type. The legal types are
;
;                       1. ERA$K_MEMORY : main memory
;                                         (volatile r/w semiconductor)
;                       2. ERA$K_DISK   : disk storage
;                       3. ERA$K_TAPE   : tape storage
;
;       COUNT(AP)       Iteration count. The service should be called
;                       the first time with the value 1, then 2, etc.,
;                       until the status SS$_NOTRAN is returned. The
;                       local vector COUNT_VECTOR defines how many times
;                       this happens for each media type.
;
; Output:
;
;       PATADR(AP)      Address of a longword into which the security
;                       erase pattern is to be written.
;
; Routine value:
;
;       R0 = SS$_ACCVIO         Pattern output area not accessible
;            SS$_BADPARAM       Invalid security type code
;            SS$_NORMAL         Normal successful completion
;            SS$_NOTRAN         Security erase complete (alternate success)
;
;--

        DECLARE_PSECT   EXEC$PAGED_CODE

        SYSTEM_SERVICE  ERAPAT,-        ; $ERAPAT entry point
                ,-
                MODE=KERNEL,-
                NARG=3

        MOVQ    R2,-(SP)                ; Save R2/R3
        MOVAB   COUNT_VECTOR, R2        ; Get address of the count vector.
        MOVAB   PATTERNS, R3            ; Get the storage type pattern vector.
        MOVZWL  #SS$_BADPARAM, R0       ; Assume bad parameters.
        MOVL    TYPE (AP), R4           ; Get the type code.
        CMPL    R4, #ERA$K_MINTYPE      ; Type code too small?
        BLSS    EXIT                    ; Branch if yes.
        CMPL    R4, #ERA$K_MAXTYPE      ; Type code too large?
        BGTR    EXIT                    ; Branch if it is.
        MOVL    COUNT (AP), R1          ; Get the count.
        BLEQ    EXIT                    ; Branch if too small.
        MOVZWL  #SS$_NOTRAN, R0         ; Set completion status.
        SUBL2   #1, R4                  ; Set index into the count vector.
        CMPL    R1, (R2) [R4]           ; Are we done?
        BGTR    EXIT                    ; Yes, return completion status.
        MOVZWL  #SS$_ACCVIO, R0         ; Assume access violation.
        MOVL    PATADR (AP) ,R4         ; Get address of user buffer.
        IFNOWRT #4, (R4), EXIT,,(SP)    ; Branch if no write access.
        MOVZWL  #SS$_NORMAL, R0         ; Assume success at this point.
        SUBL2   #1, R1                  ; Set index into the pattern vector.
        MOVL    (R3) [R1], (R4)         ; Store the pattern in the user's area.
EXIT:
        MOVQ    (SP)+,R2                ; Restore R2/R3
        RET                             ; Return.

        .END                            ; End of ENHANCED_ERAPAT source code
$ EOD
$ IF P1 .EQS. "LINK"
$ THEN
$!
$! Execute LINK step
$!
$! NOTE -- when linking on IA64, please ignore PSCATTIGN informational LINKER messages.
$!
$ CALL DEFINE_LOGICALS
$ LINK/NATIVE/BPAGE=14/NOTRACE/SECTION/REPLACE/NODEMAND_ZERO/SYSEXE -
        /MAP=MAP$:SYS$ERAPAT /FULL /CROSS /SHARE=EXE$:SYS$ERAPAT -
        /SYMBOL=EXE$:SYS$ERAPAT -
        SYS$INPUT:/OPTION
$ DECK
SYMBOL_TABLE=GLOBALS
CLUSTER=ERAPAT,,,OBJ$:ENHANCED_ERAPAT
LIB$:STARLET/INCLUDE:(SYS$DOINIT)
VECTOR_TABLE=EXSM:SYS$BASE_IMAGE.EXE,SYS$LIBRARY:SYS$PUBLIC_VECTORS.EXE
PSECT_ATTR=$CODE$,PIC,USR,CON,REL,GBL,NOSHR,EXE,RD,NOWRT,NOVEC
PSECT_ATTR=$CODE, PIC,USR,CON,REL,GBL,NOSHR,EXE,RD,NOWRT,NOVEC
PSECT_ATTR=$LINK$,PIC,USR,CON,REL,GBL,NOSHR,NOEXE,RD,WRT,NOVEC
PSECT_ATTR=$LINKAGE,PIC,USR,CON,REL,GBL,NOSHR,NOEXE,RD,WRT,NOVEC
PSECT_ATTR=$LITERAL$,PIC,USR,CON,REL,GBL,NOSHR,NOEXE,RD,WRT,NOVEC
PSECT_ATTR=$PLIT$,PIC,USR,CON,REL,GBL,NOSHR,NOEXE,RD,WRT,NOVEC
PSECT_ATTR=$INITIAL$,PIC,USR,CON,REL,GBL,NOSHR,NOEXE,RD,WRT,NOVEC
PSECT_ATTR=EXEC$INIT_LINKAGE,PIC,USR,CON,REL,GBL,NOSHR,EXE,RD,WRT,NOVEC
PSECT_ATTR=EXEC$NONPAGED_LINKAGE,PIC,USR,CON,REL,GBL,NOSHR,NOEXE,RD,WRT,NOVEC
PSECT_ATTR=EXEC$NONPAGED_DATA,PIC,USR,CON,REL,GBL,NOSHR,NOEXE,RD,WRT,NOVEC
PSECT_ATTR=EXEC$PAGED_LINKAGE,PIC,USR,CON,REL,GBL,NOSHR,NOEXE,RD,WRT,NOVEC
PSECT_ATTR=EXEC$HI_USE_PAGEABLE_LINKAGE,PIC,USR,CON,REL,GBL,NOSHR,NOEXE,RD,-
        WRT,NOVEC
PSECT_ATTR=_LIB$CODE,PIC,USR,CON,REL,GBL,NOSHR,EXE,RD,NOWRT,NOVEC
PSECT_ATTR=EXEC$PAGED_CODE,PIC,CON,REL,GBL,NOSHR,EXE,NOWRT,NOVEC,MOD
COLLECT=NONPAGED_READONLY_PSECTS/ATTRIBUTES=RESIDENT,-
        EXEC$HI_USE_PAGEABLE_CODE,-
        EXEC$NONPAGED_CODE,-
        $CODE$
COLLECT=NONPAGED_READWRITE_PSECTS/ATTRIBUTES=RESIDENT,-
        EXEC$HI_USE_PAGEABLE_DATA,-
        EXEC$HI_USE_PAGEABLE_LINKAGE,-
        EXEC$NONPAGED_DATA,-
        EXEC$NONPAGED_LINKAGE,-
        AES1 ,-
        AES2 ,-
        $PLIT$,-
        $INITIAL$,-
        $LITERAL$,-
        $LINK$
COLLECT=PAGED_READONLY_PSECTS,-
        EXEC$PAGED_CODE,-
        _LIB$CODE,-
        $CODE,-
        $CODE$
COLLECT=PAGED_READWRITE_PSECTS,-
        EXEC$PAGED_DATA,-
        EXEC$PAGED_LINKAGE,-
        $LINKAGE,-
        $LINK$
COLLECT=INITIALIZATION_PSECTS/ATTRIBUTES=INITIALIZATION_CODE,-
        EXEC$INIT_CODE,-
        EXEC$INIT_LINKAGE,-
        EXEC$INIT_000,-
        EXEC$INIT_001,-
        EXEC$INIT_002,-
        EXEC$INIT_PFNTBL_000,-
        EXEC$INIT_PFNTBL_001,-
        EXEC$INIT_PFNTBL_002,-
        EXEC$INIT_SSTBL_000,-
        EXEC$INIT_SSTBL_001,-
        EXEC$INIT_SSTBL_002
$ EOD
$ ENDIF
$ EXIT
$ DEFINE_LOGICALS: SUBROUTINE
$!
$! Subroutine to define default logical names for source and destination
$! directories.
$!
$! If any of these logical names already exist, their translations will be
$! used. If they do not exist, the following defaults will be used.
$!
$ IF F$TRNLNM("SRC$") .EQS. "" THEN DEFINE/NOLOG SRC$ SYS$DISK:[]
$ IF F$TRNLNM("LIB$") .EQS. "" THEN DEFINE/NOLOG LIB$ SYS$LIBRARY:
$ IF F$TRNLNM("EXSM") .EQS. "" THEN DEFINE/NOLOG EXSM SYS$LOADABLE_IMAGES:
$ IF F$TRNLNM("EXE$") .EQS. "" THEN DEFINE/NOLOG EXE$ SYS$DISK:[]
$ IF F$TRNLNM("MAP$") .EQS. "" THEN DEFINE/NOLOG MAP$ SYS$DISK:[]
$ IF F$TRNLNM("LIS$") .EQS. "" THEN DEFINE/NOLOG LIS$ SYS$DISK:[]
$ IF F$TRNLNM("OBJ$") .EQS. "" THEN DEFINE/NOLOG OBJ$ SYS$DISK:[]
$!
$!
$ ENDSUBROUTINE
$
$!
$! Step 4 -- Loading the SYS$ERAPAT.EXE image.
$!
$! Please use the following steps to load the SYS$ERAPAT.EXE image
$! on an Alpha or IA64 system. Note that privilege is required.
$!
$! 1. Copy the SYS$ERAPAT.EXE image produced by the above link command
$!    to the SYS$LOADABLE_IMAGES directory.
$!
$! 2. Add an entry for the SYS$ERAPAT.EXE image in the
$!    SYS$UPDATE:VMS$SYSTEM_IMAGES.IDX data file by issuing
$!    the following SYSMAN command:
$!
$!        $ RUN SYS$SYSTEM:SYSMAN
$!        SYS_LOADABLE ADD _LOCAL_ SYS$ERAPAT -
$!            /LOAD_STEP = SYSINIT -
$!            /SEVERITY = WARNING -
$!            /MESSAGE = "failure to load SYS$ERAPAT.EXE"
$!
$! 3. Invoke the SYS$UPDATE:VMS$SYSTEM_IMAGES.COM command procedure
$!    to generate a new system image data file (file name
$!    SYS$LOADABLE_IMAGES:VMS$SYSTEM_IMAGES.DATA). During the
$!    next bootstrap (and all future bootstraps), the system uses
$!    this data file to load the appropriate images.
$!
$! 4. Reboot the system, which will cause the new SYS$ERAPAT.EXE to
$!    be loaded into the system. Subsequent calls to the $ERAPAT
$!    system service will generate the enhanced erase patterns,
$!    rather than the standard pattern.
$!
$!
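
Added example, not part of the HP command procedure: a portable C model of the $ERAPAT calling protocol from the Functional Description, using the COUNT_VECTOR and PATTERNS values in the MACRO source. The function names and the ST_* status names are assumptions made for this model (stand-ins for the SS$_ codes), and the NULL test stands in for the kernel-mode IFNOWRT write probe.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in status codes for this model; they are not the real SS$_ values. */
enum { ST_NORMAL, ST_NOTRAN, ST_BADPARAM, ST_ACCVIO };
enum { ERA_MEMORY = 1, ERA_DISK = 2, ERA_TAPE = 3 };   /* ERA$K_* per the ASSUMEs */

/* COUNT_VECTOR and PATTERNS as defined in the MACRO source. */
static const int32_t  count_vector[3] = { 1, 3, 2 };   /* memory, disk, tape */
static const uint32_t patterns[] = { 0x00000000u, 0xFFFFFFFFu, 0xDB6DB6DBu };
#define NPATTERNS (sizeof patterns / sizeof patterns[0])

/* Rule from the source comment: every iteration count must be covered by a
 * pattern, otherwise the pattern lookup would index past the PATTERNS table. */
int tables_consistent(void)
{
    for (int i = 0; i < 3; i++)
        if (count_vector[i] < 1 || (size_t)count_vector[i] > NPATTERNS)
            return 0;
    return 1;
}

/* Model of the service body, with the checks in the same order as the MACRO code. */
int erapat_model(int32_t type, int32_t count, uint32_t *patadr)
{
    if (type < ERA_MEMORY || type > ERA_TAPE) return ST_BADPARAM;
    if (count <= 0) return ST_BADPARAM;
    if (count > count_vector[type - 1]) return ST_NOTRAN;
    if (patadr == NULL) return ST_ACCVIO;  /* stands in for the IFNOWRT probe */
    *patadr = patterns[count - 1];
    return ST_NORMAL;
}

/* Caller side: count = 1, 2, ... with one overwrite pass per returned pattern,
 * stopping at NOTRAN. Returns the number of passes made, or -1 on error. */
int erase_buffer(int32_t type, uint32_t *buf, size_t nlongs)
{
    int passes = 0;
    for (int32_t count = 1; ; count++) {
        uint32_t pat = 0;
        int st = erapat_model(type, count, &pat);
        if (st == ST_NOTRAN) return passes;
        if (st != ST_NORMAL) return -1;
        volatile uint32_t *p = buf;        /* keep each pass from being optimized out */
        for (size_t i = 0; i < nlongs; i++) p[i] = pat;
        passes++;
    }
}
```

Running `tables_consistent()` after editing the counts or patterns catches the case the source comment warns about, where an iteration count exceeds the number of patterns.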