
I need to wipe some used hard drives before using them in case they contain malware. Is it safe to remove the host protected area?

Is the HPA used to store spare sectors? It is only 1 MB but might contain malware. Can the HPA be wiped, then restored? If it's gone, will it hurt the operation of the drive? Or is it safer not having an HPA because malware can't hide there?

1 Answer


No, I don't believe spare sectors are stored in the HPA. From Where do replacement hard drive sectors come from? and its reference Bad sector remapping there's a "spare sector pool" but it seems to be entirely up to the manufacturer exactly where the pool is. Since the HPA and the drive's own DCO are meant to store data, they couldn't be part of the spare sector pool.

And from the question & answer at What are the differences between Host Protected Area (HPA), Device Configuration Overlay (DCO), and service area of a HDD/SSD? and Wikipedia it appears that the protected areas of a drive are difficult at best to read.

  • The HPA is often used to store utilities or OS backups, so could be much larger than 1M (maybe you're referring to unallocated space around partitions?), and only "hpa-aware" tools can read them or overwrite them (see below). Overwriting the HPA doesn't appear to be damaging to the drive's operation, you just overwrite any utilities/backups it had.

  • The DCO (Drive Configuration Overlay) appears to be for the drive's use itself, overwriting it could be bad, possibly resulting in a non-working drive.


The HPA could be made accessible via a tool like hdparm (on Linux at least), see https://security.stackexchange.com/questions/196071/do-all-hard-drives-support-device-configuration-overlay-dco-and-host-protected . hdparm's man page advises "VERY DANGEROUS, DATA LOSS IS EXTREMELY LIKELY", but luckily erasing data is your goal here. The steps appear to be, for a directly connected drive (no USB):

sudo hdparm -N /dev/sdX to check whether HPA is enabled or disabled.
sudo hdparm -g /dev/sdX to check number of sectors.
sudo hdparm -Np<MAX SECTORS> /dev/sdX to disable HPA.
sudo hdparm --yes-i-know-what-i-am-doing --dco-identify /dev/sdX
sudo hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/sdX

Afterwards you can overwrite the entire drive with any OS tools (dd for example), along with the normally accessible contents.

The DCO could be restored to factory defaults, although that could have brick-like consequences for the drive, see Harddrive - wipe out "hidden areas" like HPA and DCO after malware infection for info on hdparm's --dco-identify and --dco-restore.

Note, these options are all trusting the drive's own firmware to actually let you overwrite these areas...

Malware Infected Firmware

If you're worried about malware inside the drive's own firmware, that's something different... Every hard drive, SSD, even USB thumb drives and the tiniest microSD cards have basically tiny computers / microcontrollers that run software ("firmware") inside. An excerpt from How the NSA's Firmware Hacking Works and Why It's So Unsettling:

Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides.

If a victim, thinking his or her computer is infected, wipes the computer's operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system.

Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one.

And about the drive's own service area:

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted "not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools."

(I'm not entirely sure how a compromised hard drive alone can "reach out to the command server," maybe it sees an executable being read and injects its own code, but that's another question...)
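The first step of the procedure in the answer above, checking with `hdparm -N` whether a drive has an HPA before deciding what to wipe, is easy to get wrong by eye across a stack of used drives. The script below is an added example, not code from the answer or from the hdparm project: it parses the `max sectors = <visible>/<native>, HPA is ...` line that `hdparm -N` prints and reports whether an HPA exists and how many sectors (and MiB, assuming 512-byte logical sectors) it hides. It never touches a drive itself; the two sample outputs are constructed, and in practice you would pipe `sudo hdparm -N /dev/sdX` into `hpa_report`.

```shell
#!/bin/sh
# Added example: audit hdparm -N output for a Host Protected Area.
# Assumes hdparm's "max sectors = V/N, HPA is enabled|disabled" line format
# and 512-byte logical sectors (check `hdparm -I` if the drive uses 4K sectors).

# hpa_hidden_sectors: read `hdparm -N` output on stdin and print the number
# of sectors hidden by the HPA (native max minus visible max). Prints 0 when
# visible and native counts match; returns 2 if no parsable line was found.
hpa_hidden_sectors() {
    # Split the "max sectors" line on '=' and ',' and keep the "V/N" field.
    pair=$(awk -F'[=,]' '/max sectors/ { gsub(/[[:space:]]/, "", $2); print $2; exit }')
    case $pair in
        [0-9]*/[0-9]*) ;;          # looks like "visible/native"
        *) return 2 ;;             # nothing we recognise
    esac
    visible=${pair%/*}
    native=${pair#*/}
    echo $((native - visible))
}

# hpa_report: human-readable verdict for one drive's `hdparm -N` output.
hpa_report() {
    hidden=$(hpa_hidden_sectors) || {
        echo "could not parse hdparm -N output" >&2
        return 2
    }
    if [ "$hidden" -gt 0 ]; then
        # 512 B/sector is an assumption; 1048576 converts bytes to MiB.
        echo "HPA present: $hidden sectors hidden ($((hidden * 512 / 1048576)) MiB at 512 B/sector)"
    else
        echo "no HPA: visible and native max sector counts match"
    fi
}

# Constructed sample outputs in the shape `hdparm -N` prints (not captured
# from real drives): one drive with no HPA, one hiding exactly 1 GiB.
SAMPLE_NO_HPA='/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled'

SAMPLE_WITH_HPA='/dev/sdb:
 max sectors   = 974676016/976773168, HPA is enabled'

printf '%s\n' "$SAMPLE_NO_HPA"   | hpa_report
printf '%s\n' "$SAMPLE_WITH_HPA" | hpa_report
```

A drive whose native count exceeds its visible count has space that a plain `dd` of `/dev/sdX` will never reach, which is the case where the `-Np<MAX SECTORS>` step in the answer matters; a drive where the two match can go straight to a full overwrite. Remember that, as the answer notes, all of this still trusts the drive firmware to report honestly.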

