Abstract: A processing device is configured to process an initial set of command types. A command extension module and a digital signature are received. The digital signature is generated based on the command extension module using a private key of a key pair. The command extension module, once installed by the processing device, enables the processing device to process a new command type that is not included in the initial set of command types. The digital signature is verified using a public key of the key pair. Based on a successful verification of the digital signature, the command extension module is temporarily installed by loading the command extension module in a volatile memory device.

Abstract: A processing device initializes a memory device in an unauthenticated state in which the memory device is unable to execute one or more restricted commands. The processing device accesses a security capsule that is digitally signed using a private key. The processing device transitions the memory device to an authenticated state based on verifying that the security capsule is validly signed. The processing device uses a public key corresponding to the private key to verify the security capsule is validly signed. While in the authenticated state, the memory device is able to execute the one or more restricted commands.

Abstract: A processing device receives a command to arm a memory device for self-destruction. In response to the command, a self-destruction countdown timer is commenced. An expiry of the self-destruction countdown timer and based on detecting the expiry of the self-destruction countdown timer, data stored by the memory device is destructed.

Abstract: A method includes receiving signaling indicative of performance of a sanitization operation to a processing device coupled to a memory device and applying a sanitization voltage to a plurality of memory blocks of the memory device. The sanitization voltage can be greater than an erase voltage of the plurality of memory blocks.

Abstract: A processing device is configured to process an initial set of command types. A command extension module and a digital signature are received. The digital signature is generated based on the command extension module using a private key of a key pair. The command extension module, once installed by the processing device, enables the processing device to process a new command type that is not included in the initial set of command types. The digital signature is verified using a public key of the key pair. Based on a successful verification of the digital signature, the command extension module is temporarily installed by loading the command extension module in a volatile memory device.

Abstract: A processing device initializes a memory device in an unauthenticated state in which the memory device is unable to execute one or more restricted commands. The processing device accesses a security capsule that is digitally signed using a private key. The processing device transitions the memory device to an authenticated state based on verifying that the security capsule is validly signed. The processing device uses a public key corresponding to the private key to verify the security capsule is validly signed. While in the authenticated state, the memory device is able to execute the one or more restricted commands.

Abstract: A method includes identifying a target plane in respective planes of a memory die in a non-volatile memory array and identifying, from blocks of non-volatile memory cells coupled to a common bit line in the target plane, at least one target block in the target plane. The method further includes performing an operation to disable at least one gate associated with the at least one target block to prevent access to the blocks of non-volatile memory cells coupled to the common bit line in the target plane.

Abstract: A method includes receiving signaling indicative of performance of a sanitization operation to a processing device coupled to a memory device and applying a sanitization voltage to a plurality of memory blocks of the memory device. The sanitization voltage can be greater than an erase voltage of the plurality of memory blocks.

Abstract: A request for password generation is received from a host system. In response to receiving the request, a password derivation key is generated based on a key derivation seed. A password is derived from the password derivation key, and a wrapping key is derived from the password. The wrapping key is used to wrap an authorization state indication, which is stored in local memory. Encrypted data is generated based on an encryption of the key derivation seed using an asymmetric encryption key. The encrypted data is provided in response to the request.

Abstract: A key delegation request is received from a host system. The key delegation request includes a new public key. A challenge is generated based on the new public key and a root public key, and the challenge is provided to the host system responsive to the request. A first and second digital signature are received from the host system. The first digital signature is generated by cryptographically signing the challenge using a new private key corresponding to the new public key and the second digital signature is generated by cryptographically signing the challenge using a root private key corresponding to the root public key. The first digital signature is validated using the new public key and the second digital signature is validated using the root public key. Based on successful validation of both signatures, the new public key is utilized in one or more cryptographic operations.

Abstract: A request for password generation is received from a host system. In response to receiving the request, a password derivation key is generated based on a key derivation seed. A password is derived from the password derivation key, and a wrapping key is derived from the password. The wrapping key is used to wrap an authorization state indication, which is stored in local memory. Encrypted data is generated based on an encryption of the key derivation seed using an asymmetric encryption key. The encrypted data is provided in response to the request.

Abstract: Methods, systems, and devices for double wrapping for verification are described. In some cases, a memory subsystem can receive a firmware image for the memory subsystem where the firmware image is signed with a first signature according to a first signing procedure. The memory subsystem can then verify an integrity of the firmware image based on the first signing procedure. After verifying the integrity of the firmware image, the memory subsystem can then generate a second signature for the firmware image based on a second signing procedure different from the first signing procedure. The memory subsystem can then write the second signature to the firmware image. The memory subsystem can then perform a verification process to verify the integrity of the firmware image based on one or both of the first signing procedure or the second signing procedure.

Abstract: A method includes identifying a target plane in respective planes of a memory die in a non-volatile memory array and identifying, from blocks of non-volatile memory cells coupled to a common bit line in the target plane, at least one target block in the target plane. The method further includes performing an operation to disable at least one gate associated with the at least one target block to prevent access to the blocks of non-volatile memory cells coupled to the common bit line in the target plane.

Abstract: A method includes receiving signaling indicative of performance of a sanitization operation to a processing device coupled to a memory device and applying a sanitization voltage to a plurality of memory blocks of the memory device. The sanitization voltage can be greater than an erase voltage of the plurality of memory blocks.

Abstract: A method includes detecting an occurrence of an event associated with a memory sub-system comprising blocks of non-volatile memory cells. The method further includes responsive to detecting the occurrence of the event, providing signaling to disable at least a portion of the memory sub-system, an interface coupled to the memory sub-system, or both.

Abstract: The present disclosure includes apparatuses and methods for directed sanitization of memory. One example method comprises, responsive to receiving a sanitization command, performing a deterministic garbage collection operation on a memory, wherein performing the deterministic garbage collection operation results in physical erasure of all invalid data stored on the memory without losing valid data stored on the memory.

Abstract: A data storage device is provided. The data storage device includes a storage medium having a first subset configured to store user data and a second subset configured to store snapshot data. The data storage device further includes a controller configured to (i) receive, from a host operably coupled to the data storage device, a command to configure the second subset, to (ii) verify an authenticity of the command, and to (iii) execute the command in response to the verification of the authenticity of the command.

Abstract: A system includes a memory component and a processing device, operatively coupled with the memory component, to generate a physical presence security identification (PSID) for the memory component using a statistically random number generator. The processing device, operatively coupled with the memory component, can securely retrieve the PSID and revert the memory component to an original state using the PSID.