- introduce `wiperam=skip`
kernel parameter to skip the RAM wipe
- introduce `wiperam=force` kernel parameter to force the RAM wipe inside VMs
This commit is contained in:
parent
036f518ddc
commit
32fdcf522b
@ -3,4 +3,35 @@
|
||||
## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
need_shutdown
|
||||
ram_wipe_check_needshutdown() {
|
||||
local OLD_DRACUT_QUIET
|
||||
OLD_DRACUT_QUIET="$DRACUT_QUIET"
|
||||
DRACUT_QUIET='no'
|
||||
|
||||
local kernel_wiperam_setting
|
||||
kernel_wiperam_setting=$(getarg wiperam)
|
||||
|
||||
if [ "$kernel_wiperam_setting" = "skip" ]; then
|
||||
info "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK."
|
||||
DRACUT_QUIET="$OLD_DRACUT_QUIET"
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ "$kernel_wiperam_setting" = "force" ]; then
|
||||
info "wipe-ram-needshutdown.sh: wiperam=force detected, OK."
|
||||
else
|
||||
if systemd-detect-virt &>/dev/null ; then
|
||||
info "wipe-ram-needshutdown.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
|
||||
DRACUT_QUIET="$OLD_DRACUT_QUIET"
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
|
||||
info "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK."
|
||||
need_shutdown
|
||||
|
||||
DRACUT_QUIET="$OLD_DRACUT_QUIET"
|
||||
return 0
|
||||
}
|
||||
|
||||
ram_wipe_check_needshutdown
|
||||
|
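Review bot: `if systemd-detect-virt &>/dev/null ; then` in ram_wipe_check_needshutdown relies on the bash-only `&>` redirection; under a POSIX /bin/sh such as dash it parses as `systemd-detect-virt &` followed by an empty redirection, so the command is backgrounded, the condition is always true, every bare-metal boot is treated as a VM and the wipe is silently skipped. The shebang is outside the hunk and dracut normally installs bash as the initramfs /bin/sh, but the portable form `if systemd-detect-virt >/dev/null 2>&1 ; then` costs nothing and removes that dependency. Separately, the rendered page does not show which side the bare `need_shutdown` line just above the function definition is on; if it survives on the new side it runs unconditionally before the function is even called and the `wiperam=skip` and VM checks become moot, so confirm it is on the removed side. The function body itself is complete within the hunk.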
@ -13,11 +13,27 @@ ram_wipe() {
|
||||
## check_quiet should show info in console.
|
||||
DRACUT_QUIET='no'
|
||||
|
||||
if systemd-detect-virt &>/dev/null ; then
|
||||
info "wipe-ram.sh: Skip, because VM detected, OK."
|
||||
local kernel_wiperam_setting
|
||||
## getarg returns the last parameter only.
|
||||
## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins.
|
||||
kernel_wiperam_setting=$(getarg wiperam)
|
||||
|
||||
if [ "$kernel_wiperam_setting" = "skip" ]; then
|
||||
info "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK."
|
||||
DRACUT_QUIET="$OLD_DRACUT_QUIET"
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ "$kernel_wiperam_setting" = "force" ]; then
|
||||
info "wipe-ram.sh: wiperam=force detected, OK."
|
||||
else
|
||||
if systemd-detect-virt &>/dev/null ; then
|
||||
info "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
|
||||
DRACUT_QUIET="$OLD_DRACUT_QUIET"
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
|
||||
info "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..."
|
||||
|
||||
## TODO: sdmem settings. One pass only. Secure? Configurable?
|
||||
|
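Review bot: A `wiperam=` value other than `skip` or `force` (a typo such as `wiperam=fore`) is silently ignored: it fails the `skip` test, then lands in the `else` branch of the `force` test and gets the VM-detection default with no message, so an operator who wanted the wipe on a VM cannot tell from the console why it did not run. At the top of that `else` branch, before the `systemd-detect-virt` check, I would add `if [ -n "$kernel_wiperam_setting" ]; then` / `info "wipe-ram.sh: Unknown wiperam=$kernel_wiperam_setting kernel parameter ignored, falling back to VM detection."` / `fi`. The `skip` path also deserves a one-line comment that both values are read unauthenticated from /proc/cmdline, so the cold boot defense now holds only if the bootloader configuration cannot be edited by the attacker being defended against; that is inherent to the feature, not a bug, but worth stating next to the check. ram_wipe starts and ends outside this hunk; both `systemd-detect-virt &>/dev/null` checks use the bash-only `&>` form, which only matters if the initramfs /bin/sh is not bash.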