Merge remote-tracking branch 'friedy10/master'

etc/sysctl.d/30_security-misc.conf

@@ -37,7 +37,8 @@ net.core.bpf_jit_harden=2
 ## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
 
 ## Disables kexec which can be used to replace the running kernel.
-kernel.kexec_load_disabled=1
+## kexec is required for cold boot attack defense
+## kernel.kexec_load_disabled=1
 
 ## Hides kernel addresses in various files in /proc.
 ## Kernel addresses can be very useful in certain exploits.

lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service

@@ -0,0 +1,15 @@
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
+
+[Install]
+WantedBy=multi-user.target

usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
+## See the file COPYING for copying conditions.
+
+# called by dracut
+check() {
+    require_binaries sync || return 1
+    require_binaries sleep || return 1
+    require_binaries ls || return 1
+    require_binaries halt || return 1
+    require_binaries poweroff || return 1
+    require_binaries reboot || return 1
+    require_binaries cat || return 1
+    require_binaries sdmem || return 1
+    require_binaries pgrep || return 1
+    require_binaries dmsetup || return 1
+    return 0
+}
+
+# called by dracut
+depends() {
+    return 0
+}
+
+# called by dracut
+install() {
+    inst_multiple sync
+    inst_multiple sleep
+    inst_multiple ls
+    inst_multiple halt
+    inst_multiple poweroff
+    inst_multiple reboot
+    inst_multiple cat
+    inst_multiple sdmem
+    inst_multiple pgrep
+    inst_multiple dmsetup
+    inst_hook pre-udev 40 "$moddir/wipe-ram.sh"
+    inst_hook pre-trigger 40 "$moddir/wipe-ram-needshutdown.sh"
+}
+
+# called by dracut
+installkernel() {
+    return 0
+}
+

usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
+## See the file COPYING for copying conditions.
+
+
+ram_wipe_check_needshutdown() {
+   local wipe_action
+   wipe_action=$(getarg wiperamaction)
+
+   wait $(pgrep sdmem)
+   info "DONE WAITING..."
+
+   if [ "$wipe_action" = "reboot" ]; then
+      reboot -f
+   fi
+   
+   if [ "$wipe_action" = "poweroff" ]; then
+      poweroff -f
+   fi
+   
+   if [ "$wipe_action" = "halt" ]; then
+      halt -f
+   fi
+   
+   if [ "$wipe_action" = "error" ]; then
+	   info "Choice of shutdown option led to an error. Shutting down..."
+	   sleep 5
+	   poweroff -f
+   fi
+}
+
+ram_wipe_check_needshutdown
+

usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
+## See the file COPYING for copying conditions.
+
+ram_wipe_action() {
+   local kernel_wiperam_exit
+   kernel_wiperam_exit=$(getarg wiperamexit)
+
+
+   if [ "$kernel_wiperam_exit" = "no" ]; then
+	   info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK."
+	   return 0
+   fi
+
+
+   if [ "$kernel_wiperam_exit" != "yes" ]; then
+	   info "INFO: Skip, becuase wiperamexit parameter is not used. "
+	   return 0
+   fi
+
+   info "INFO: wiperamexit=yes. Running second RAM wipe... "
+   
+   sdmem -l -l -v
+}
+ram_wipe_action
+

usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh

@@ -2,13 +2,10 @@
 # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
 # ex: ts=8 sw=4 sts=4 et filetype=sh
 
-## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
 ## See the file COPYING for copying conditions.
 
-## Credits:
-## First version by @friedy10.
-## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/module-setup.sh
-
 # called by dracut
 check() {
     require_binaries sync || return 1

usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
 
-## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
 ## See the file COPYING for copying conditions.
 
 type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh

usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh

@@ -1,6 +1,7 @@
 #!/bin/sh
 
-## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
 ## See the file COPYING for copying conditions.
 
 ## Credits:
@@ -22,20 +23,20 @@ ram_wipe() {
    kernel_wiperam_setting=$(getarg wiperam)
 
    if [ "$kernel_wiperam_setting" = "skip" ]; then
-      echo "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg
+      info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK."
       return 0
    fi
 
    if [ "$kernel_wiperam_setting" = "force" ]; then
-      echo "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg
+      info "INFO: wipe-ram.sh: wiperam=force detected, OK."
    else
       if systemd-detect-virt &>/dev/null ; then
-         echo "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg
+         info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
          return 0
       fi
    fi
 
-   echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg
+   info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..."
 
    drop_caches
 
@@ -45,33 +46,34 @@ ram_wipe() {
 
    drop_caches
 
-   echo "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg
+   info "INFO: wipe-ram.sh: RAM wipe completed, OK."
 
    ## In theory might be better to check this beforehand, but the test is
    ## really fast. The user has no chance of reading the console output
    ## without introducing an artificial delay because the sdmem which runs
    ## after this, results in much more console output.
-   echo "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg
+   info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..."
 
    local dmsetup_actual_output dmsetup_expected_output
    dmsetup_actual_output="$(dmsetup ls --target crypt)"
    dmsetup_expected_output="No devices found"
 
    if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then
-      echo "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg
+      info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK."
       ## This should probably be removed in production?
       sleep 3
    else
-      echo "\
+      info "\
 WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed!
 
 debugging information:
 dmsetup_expected_output: '$dmsetup_expected_output'
-dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg
+dmsetup_actual_output: '$dmsetup_actual_output'"
       ## How else could the user be informed that something is wrong?
       sleep 5
    fi
 
+   kexec -e && info "kexec -e succeeded" || info "kexec -e failed"
 }
 
 ram_wipe

usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare

@@ -0,0 +1,55 @@
+#!/bin/bash
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
+## See the file COPYING for copying conditions.
+set -x
+set -e
+
+true "env:"
+env
+
+## Debugging.
+## Lets hope $1 is set to reboot, poweroff or halt by systemd.
+true "1: $1"
+
+
+# Get the kernel command-line arguments
+cmdline=$(cat /proc/cmdline)
+
+# Get the current boot image
+kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2)
+initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#")
+
+kernel="/boot/$kernel"
+initrd="/boot/$initrd"
+
+if test -e $initrd; then
+  echo "Initrd File Found"
+else
+  echo "Initrd File NOT FOUND"
+  exit 1
+fi
+
+if test -e $kernel; then
+  echo "Kernel File Found"
+else
+  echo "Kernel File NOT FOUND"
+  exit 1
+fi
+
+
+if   systemctl list-jobs | grep "poweroff.target" | grep -q "start"; then
+	wram="yes"
+	wact="poweroff"
+elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then
+	wram="yes"
+	wact="reboot"
+elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then
+	wram="yes"
+	wact="halt"
+else
+	echo "No shutdown option found!"
+	exit 0
+fi
+
+kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact"