security-misc/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh

#!/bin/sh

## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

ram_wipe_check_needshutdown() {
   local OLD_DRACUT_QUIET
   OLD_DRACUT_QUIET="$DRACUT_QUIET"
   DRACUT_QUIET='no'

   local kernel_wiperam_setting
   kernel_wiperam_setting=$(getarg wiperam)

   if [ "$kernel_wiperam_setting" = "skip" ]; then
      info "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK."
      DRACUT_QUIET="$OLD_DRACUT_QUIET"
      return 0
   fi

   if [ "$kernel_wiperam_setting" = "force" ]; then
      info "wipe-ram-needshutdown.sh: wiperam=force detected, OK."
   else
      if systemd-detect-virt &>/dev/null ; then
         info "wipe-ram-needshutdown.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
         DRACUT_QUIET="$OLD_DRACUT_QUIET"
         return 0
      fi
   fi

   info "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK."
   need_shutdown

   DRACUT_QUIET="$OLD_DRACUT_QUIET"
   return 0
}

ram_wipe_check_needshutdown
ram wipe on shutdown: fix, added `need_shutdown` hook Otherwise dracut does not run on shutdown. Without `need_shutdown` file `/run/initramfs/.need_shutdown` does not get created. And without that file `/usr/lib/dracut/dracut-initramfs-restore`, which itself is started by `/lib/systemd/system/dracut-shutdown.service` does nothing. 2022-06-29 14:13:30 -04:00			`#!/bin/sh`

copyright 2022-06-29 15:24:27 -04:00			`## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
copyright 2022-06-29 15:19:56 -04:00			`## See the file COPYING for copying conditions.`

- introduce `wiperam=skip` kernel parameter to skip wipe ram - introduce `wiperam=force` kernel parameter to force wipe ram inside VMs 2022-06-30 14:47:45 -04:00			`ram_wipe_check_needshutdown() {`
			`local OLD_DRACUT_QUIET`
			`OLD_DRACUT_QUIET="$DRACUT_QUIET"`
			`DRACUT_QUIET='no'`

			`local kernel_wiperam_setting`
			`kernel_wiperam_setting=$(getarg wiperam)`

			`if [ "$kernel_wiperam_setting" = "skip" ]; then`
			`info "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK."`
			`DRACUT_QUIET="$OLD_DRACUT_QUIET"`
			`return 0`
			`fi`

			`if [ "$kernel_wiperam_setting" = "force" ]; then`
			`info "wipe-ram-needshutdown.sh: wiperam=force detected, OK."`
			`else`
			`if systemd-detect-virt &>/dev/null ; then`
			`info "wipe-ram-needshutdown.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."`
			`DRACUT_QUIET="$OLD_DRACUT_QUIET"`
			`return 0`
			`fi`
			`fi`

			`info "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK."`
			`need_shutdown`

			`DRACUT_QUIET="$OLD_DRACUT_QUIET"`
			`return 0`
			`}`

			`ram_wipe_check_needshutdown`