- introduce wiperam=skip kernel parameter to skip wipe ram

- introduce `wiperam=force` kernel parameter to force wipe ram inside VMs
2024-12-26 16:39:23 -05:00 · 2022-06-30 14:47:45 -04:00 · 2022-06-30 14:47:45 -04:00 · 32fdcf522b
commit 32fdcf522b
parent 036f518ddc
2 changed files with 50 additions and 3 deletions
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh
@ -3,4 +3,35 @@
 ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.

-need_shutdown
+ram_wipe_check_needshutdown() {
+   local OLD_DRACUT_QUIET
+   OLD_DRACUT_QUIET="$DRACUT_QUIET"
+   DRACUT_QUIET='no'
+
+   local kernel_wiperam_setting
+   kernel_wiperam_setting=$(getarg wiperam)
+
+   if [ "$kernel_wiperam_setting" = "skip" ]; then
+      info "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK."
+      DRACUT_QUIET="$OLD_DRACUT_QUIET"
+      return 0
+   fi
+
+   if [ "$kernel_wiperam_setting" = "force" ]; then
+      info "wipe-ram-needshutdown.sh: wiperam=force detected, OK."
+   else
+      if systemd-detect-virt &>/dev/null ; then
+         info "wipe-ram-needshutdown.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
+         DRACUT_QUIET="$OLD_DRACUT_QUIET"
+         return 0
+      fi
+   fi
+
+   info "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK."
+   need_shutdown
+
+   DRACUT_QUIET="$OLD_DRACUT_QUIET"
+   return 0
+}
+
+ram_wipe_check_needshutdown
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
@ -13,11 +13,27 @@ ram_wipe() {
   ## check_quiet should show info in console.
   DRACUT_QUIET='no'

-   if systemd-detect-virt &>/dev/null ; then
-      info "wipe-ram.sh: Skip, because VM detected, OK."
+   local kernel_wiperam_setting
+   ## getarg returns the last parameter only.
+   ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins.
+   kernel_wiperam_setting=$(getarg wiperam)
+
+   if [ "$kernel_wiperam_setting" = "skip" ]; then
+      info "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK."
+      DRACUT_QUIET="$OLD_DRACUT_QUIET"
      return 0
   fi

+   if [ "$kernel_wiperam_setting" = "force" ]; then
+      info "wipe-ram.sh: wiperam=force detected, OK."
+   else
+      if systemd-detect-virt &>/dev/null ; then
+         info "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
+         DRACUT_QUIET="$OLD_DRACUT_QUIET"
+         return 0
+      fi
+   fi
+
   info "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..."

   ## TODO: sdmem settings. One pass only. Secure? Configurable?