Add fill command to overwrite SD card

CHANGELOG.md

@@ -16,6 +16,8 @@ Unreleased
   - Added `--usb-path` option that restricts the USB path of the device to
     connect to
 - Bumped `structopt` dependency to `0.3.17`
+- Added the `fill` command that fills the SD card of a Nitrokey Storage device
+  with random data
 
 
 0.3.4

doc/nitrocli.1

@@ -131,6 +131,15 @@ open.
 .TP
 \fBnitrocli hidden close
 Close a hidden volume.
+.TP
+\fBnitrocli fill\fR
+Fills the SD card with random data, overwriting all existing data.
+This operation cannot be cancelled, even if the \fBnitrocli\fR process is
+terminated before it finishes.
+
+This command requires the admin PIN.
+To avoid accidental calls of this command, the user has to enter the PIN even
+if it has been cached.
 
 .SS One-time passwords
 The Nitrokey Pro and the Nitrokey Storage support the generation of one-time

src/args.rs

@@ -79,6 +79,8 @@ Command! {
     Config(ConfigArgs) => |ctx, args: ConfigArgs| args.subcmd.execute(ctx),
     /// Interacts with the device's encrypted volume
     Encrypted(EncryptedArgs) => |ctx, args: EncryptedArgs| args.subcmd.execute(ctx),
+    /// Fills the SD card with random data
+    Fill => crate::commands::fill,
     /// Interacts with the device's hidden volume
     Hidden(HiddenArgs) => |ctx, args: HiddenArgs| args.subcmd.execute(ctx),
     /// Lists the attached Nitrokey devices

src/commands.rs

@@ -461,6 +461,41 @@ pub fn list(ctx: &mut Context<'_>, no_connect: bool) -> anyhow::Result<()> {
   Ok(())
 }
 
+/// Fill the SD card with random data
+pub fn fill(ctx: &mut Context<'_>) -> anyhow::Result<()> {
+  with_storage_device(ctx, |ctx, mut device| {
+    let pin_entry = pinentry::PinEntry::from(args::PinType::Admin, &device)?;
+
+    // Similar to reset, we want the user to re-enter the admin PIN even if is cached to avoid
+    // accidental data loss.
+    pinentry::clear(&pin_entry).context("Failed to clear cached secret")?;
+
+    try_with_pin(ctx, &pin_entry, |pin| {
+      device.fill_sd_card(&pin).context("Failed to fill SD card")
+    })?;
+
+    let mut last_progress = 0;
+    loop {
+      use nitrokey::OperationStatus;
+
+      let status = device
+        .get_operation_status()
+        .context("Failed to query operation status")?;
+      match status {
+        OperationStatus::Ongoing(progress) => {
+          if last_progress != progress {
+            println!(ctx, "{}/100", progress)?;
+          }
+          last_progress = progress;
+        }
+        OperationStatus::Idle => break,
+      };
+    }
+
+    Ok(())
+  })
+}
+
 /// Perform a factory reset.
 pub fn reset(ctx: &mut Context<'_>) -> anyhow::Result<()> {
   with_device(ctx, |ctx, mut device| {

src/tests/fill.rs

@@ -0,0 +1,15 @@
+// fill.rs
+
+// Copyright (C) 2020 The Nitrocli Developers
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+use super::*;
+
+// Ignore this test as it takes about one hour to execute
+#[ignore]
+#[test_device(storage)]
+fn fill(model: nitrokey::Model) -> anyhow::Result<()> {
+  let res = Nitrocli::new().model(model).handle(&["fill"]);
+  assert!(res.is_ok());
+  Ok(())
+}

src/tests/mod.rs

@@ -9,6 +9,7 @@ use nitrokey_test::test as test_device;
 
 mod config;
 mod encrypted;
+mod fill;
 mod hidden;
 mod list;
 mod lock;