From 32fdcf522be994e693f39c347ab1063ccd94255b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 30 Jun 2022 14:47:45 -0400
Subject: [PATCH] - introduce `wiperam=skip` kernel parameter to skip wipe ram - introduce `wiperam=force` kernel parameter to force wipe ram inside VMs
---
 .../wipe-ram-needshutdown.sh | 33 ++++++++++++++++++-
 .../40cold-boot-attack-defense/wipe-ram.sh | 20 +++++++++--
 2 files changed, 50 insertions(+), 3 deletions(-)
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh
index 723421c..1ab5419 100755
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh
@@ -3,4 +3,35 @@
 ## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-need_shutdown
+ram_wipe_check_needshutdown() {
+ local OLD_DRACUT_QUIET
+ OLD_DRACUT_QUIET="$DRACUT_QUIET"
+ DRACUT_QUIET='no'
+
+ local kernel_wiperam_setting
+ kernel_wiperam_setting=$(getarg wiperam)
+
+ if [ "$kernel_wiperam_setting" = "skip" ]; then
+ info "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK."
+ DRACUT_QUIET="$OLD_DRACUT_QUIET"
+ return 0
+ fi
+
+ if [ "$kernel_wiperam_setting" = "force" ]; then
+ info "wipe-ram-needshutdown.sh: wiperam=force detected, OK."
+ else
+ if systemd-detect-virt &>/dev/null ; then
+ info "wipe-ram-needshutdown.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
+ DRACUT_QUIET="$OLD_DRACUT_QUIET"
+ return 0
+ fi
+ fi
+
+ info "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK."
+ need_shutdown
+
+ DRACUT_QUIET="$OLD_DRACUT_QUIET"
+ return 0
+}
+
+ram_wipe_check_needshutdown
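Review bot: The `wiperam=skip` branch in ram_wipe_check_needshutdown turns a physical-attack defense off on the strength of an unauthenticated kernel command-line string, so anyone who can edit the boot entry (an evil-maid at an unlocked GRUB menu, for instance) can disable the RAM wipe for the victim's next session without touching the installed system; the module should state that dependency, e.g. a header comment `## wiperam=skip disables the wipe for that boot, so the bootloader configuration must be protected (GRUB password / verified boot) for this defense to hold.` A second gap is that any value other than `skip` or `force` (a typo such as `wiperam=skpi`) falls through silently to the VM check and the user gets the default behaviour without being told; after the skip block add `if [ -n "$kernel_wiperam_setting" ] && [ "$kernel_wiperam_setting" != "force" ]; then` / `info "wipe-ram-needshutdown.sh: unrecognized wiperam=$kernel_wiperam_setting, ignoring."` / `fi`, which works because DRACUT_QUIET is already forced to `no` above it. The `DRACUT_QUIET="$OLD_DRACUT_QUIET"` restore is repeated on every return path; a single exit point would keep the copies from drifting as more modes are added.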
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
index 8ea64a1..4b1f773 100755
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
@@ -13,11 +13,27 @@ ram_wipe() {
 ## check_quiet should show info in console.
 DRACUT_QUIET='no'
 
- if systemd-detect-virt &>/dev/null ; then
- info "wipe-ram.sh: Skip, because VM detected, OK."
+ local kernel_wiperam_setting
+ ## getarg returns the last parameter only.
+ ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins.
+ kernel_wiperam_setting=$(getarg wiperam)
+
+ if [ "$kernel_wiperam_setting" = "skip" ]; then
+ info "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK."
+ DRACUT_QUIET="$OLD_DRACUT_QUIET"
 return 0
 fi
 
+ if [ "$kernel_wiperam_setting" = "force" ]; then
+ info "wipe-ram.sh: wiperam=force detected, OK."
+ else
+ if systemd-detect-virt &>/dev/null ; then
+ info "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
+ DRACUT_QUIET="$OLD_DRACUT_QUIET"
+ return 0
+ fi
+ fi
+
 info "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..."
 
 ## TODO: sdmem settings. One pass only. Secure? Configurable?
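Review bot: The skip / force / VM-detection decision added here is a verbatim copy of the one in wipe-ram-needshutdown.sh, and the two copies must agree: if they drift so that the needshutdown hook declines to call need_shutdown, this script is presumably never reached at shutdown at all, while the reverse drift only costs a pointless drop into the initramfs, and neither outcome is logged as a mismatch. Consider moving the decision into one function sourced by both scripts, e.g. `ram_wipe_wanted()` returning 0 or 1 with the `info` messages inside it, so any future mode is added in one place. The `## getarg returns the last parameter only.` comment is a good start; add the security consequence next to it: `## wiperam=skip disables the wipe for that boot, so the bootloader entry must be trusted.` As in the other file, a value that is neither `skip` nor `force` is silently ignored rather than reported. `ram_wipe()` starts before this hunk and its body continues past it.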