Merge remote-tracking branch 'friedy10/master'
This commit is contained in:
commit
450ff378b0
@ -37,7 +37,8 @@ net.core.bpf_jit_harden=2
|
||||
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
|
||||
|
||||
## Disables kexec which can be used to replace the running kernel.
|
||||
kernel.kexec_load_disabled=1
|
||||
## kexec is required for cold boot attack defense
|
||||
## kernel.kexec_load_disabled=1
|
||||
|
||||
## Hides kernel addresses in various files in /proc.
|
||||
## Kernel addresses can be very useful in certain exploits.
|
||||
|
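Review bot: The new side leaves `kernel.kexec_load_disabled=1` commented out for the whole uptime, so any root process can now load and execute an arbitrary kernel, which is exactly the surface this sysctl existed to close; the replacement comment `## kexec is required for cold boot attack defense` does not record that trade-off. The toggle's own description at the top of this hunk says an image can be loaded first and the syscall disabled afterwards, so the hardening can be re-applied at shutdown instead of dropped; the prepare script added by this commit does not do that after its `kexec -l`, so as merged the protection is simply gone. I would extend the comment to `## kexec is required for cold boot attack defense (kexec -l at shutdown); kexec_load_disabled is a one-way toggle, so it can only be re-set after the image has been loaded.` and either re-lock it from the prepare script or state plainly here that root-loadable kexec is accepted.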
@ -0,0 +1,15 @@
|
||||
## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
[Unit]
|
||||
Description=https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/bin/true
|
||||
ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
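Review bot: The `ExecStop=` line runs the prepare script at shutdown, and that script reads the kernel and initrd from `/boot`, but the `[Unit]` section carries no ordering against mount units, so on a system with a separate `/boot` filesystem the stop job may be scheduled after `boot.mount` has already been unmounted and the script exits through its "NOT FOUND" path, silently leaving no image loaded. Adding `RequiresMountsFor=/boot` to `[Unit]` orders this service after the mount at start and therefore stops it before the mount is torn down. The unit's file name is not visible on this page, so I cannot say what else it competes with during shutdown; a `Description=` that names the purpose rather than only a URL would also help readers of `systemctl status`.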
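--- /dev/null
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
+## See the file COPYING for copying conditions.
+
+# called by dracut
+check() {
+require_binaries sync || return 1
+require_binaries sleep || return 1
+require_binaries ls || return 1
+require_binaries halt || return 1
+require_binaries poweroff || return 1
+require_binaries reboot || return 1
+require_binaries cat || return 1
+require_binaries sdmem || return 1
+require_binaries pgrep || return 1
+require_binaries dmsetup || return 1
+return 0
+}
+
+# called by dracut
+depends() {
+return 0
+}
+
+# called by dracut
+install() {
+inst_multiple sync
+inst_multiple sleep
+inst_multiple ls
+inst_multiple halt
+inst_multiple poweroff
+inst_multiple reboot
+inst_multiple cat
+inst_multiple sdmem
+inst_multiple pgrep
+inst_multiple dmsetup
+inst_hook pre-udev 40 "$moddir/wipe-ram.sh"
+inst_hook pre-trigger 40 "$moddir/wipe-ram-needshutdown.sh"
+}
+
+# called by dracut
+installkernel() {
+return 0
+}
+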
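Review bot: Style: `check()` and `install()` call `require_binaries` and `inst_multiple` once per binary although both accept a list; a single `require_binaries sync sleep ls halt poweroff reboot cat sdmem pgrep dmsetup || return 1` and one matching `inst_multiple` line express the same thing and keep the two lists from drifting apart. Documentation: nothing in the file says that this module only runs inside the kexec'd second-stage initramfs and is gated by the `wiperamexit=` parameter that the prepare script appends; a comment above `check()` such as `## Second-stage RAM wipe: runs in the kernel kexec'd at shutdown, gated by wiperamexit=yes on the command line.` would orient the next maintainer. Whether `check()` returning 0 here pulls the module into every initramfs build is a dracut-configuration question I cannot settle from this page.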
@ -0,0 +1,35 @@
|
||||
#!/bin/sh
|
||||
|
||||
## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
|
||||
ram_wipe_check_needshutdown() {
|
||||
local wipe_action
|
||||
wipe_action=$(getarg wiperamaction)
|
||||
|
||||
wait $(pgrep sdmem)
|
||||
info "DONE WAITING..."
|
||||
|
||||
if [ "$wipe_action" = "reboot" ]; then
|
||||
reboot -f
|
||||
fi
|
||||
|
||||
if [ "$wipe_action" = "poweroff" ]; then
|
||||
poweroff -f
|
||||
fi
|
||||
|
||||
if [ "$wipe_action" = "halt" ]; then
|
||||
halt -f
|
||||
fi
|
||||
|
||||
if [ "$wipe_action" = "error" ]; then
|
||||
info "Choice of shutdown option led to an error. Shutting down..."
|
||||
sleep 5
|
||||
poweroff -f
|
||||
fi
|
||||
}
|
||||
|
||||
ram_wipe_check_needshutdown
|
||||
|
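Review bot: `wait $(pgrep sdmem)` in `ram_wipe_check_needshutdown` does not provide the barrier the following "DONE WAITING..." message implies: `wait` only blocks on children of the current shell, and sdmem is started by a different hook (`wipe-ram.sh` at pre-udev), so on a non-child PID it returns at once (some shells print an error), and when pgrep matches nothing it degenerates to a bare `wait` that also returns immediately. If a barrier before `poweroff -f`/`reboot -f`/`halt -f` is intended, poll instead: `while pgrep -x sdmem >/dev/null 2>&1; do sleep 1; done`. An unrecognised `wiperamaction` value falls out of the function and boot continues into the host system under the reused command line, which is presumably not the desired fail-closed behaviour; a final `poweroff -f` after the three cases would close that gap. For consistency with the existing hook further down this page, guarding `getarg` with `type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh` is cheap.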
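--- /dev/null
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
+## See the file COPYING for copying conditions.
+
+ram_wipe_action() {
+local kernel_wiperam_exit
+kernel_wiperam_exit=$(getarg wiperamexit)
+
+
+if [ "$kernel_wiperam_exit" = "no" ]; then
+info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK."
+return 0
+fi
+
+
+if [ "$kernel_wiperam_exit" != "yes" ]; then
+info "INFO: Skip, becuase wiperamexit parameter is not used. "
+return 0
+fi
+
+info "INFO: wiperamexit=yes. Running second RAM wipe... "
+
+sdmem -l -l -v
+}
+ram_wipe_action
+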
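Review bot: `sdmem -l -l -v` at the end of `ram_wipe_action` runs without its exit status being checked, so if sdmem is missing from this initramfs or aborts part-way the hook returns 0, nothing is logged, and the pre-trigger hook then powers the machine off as though the second wipe had completed. Mirroring the failure handling in the first-stage script on this page, I would write `sdmem -l -l -v || { info "WARNING: wipe-ram.sh: second RAM wipe failed!"; sleep 5; }`. `-l -l` selects sdmem's fastest and least thorough mode, presumably a deliberate speed trade-off for shutdown; that deserves a one-line comment, as does fixing the `becuase` typo in the skip message. Like the existing hook further down, this script could also guard `getarg` with `type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh`.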
@ -2,13 +2,10 @@
|
||||
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
|
||||
# ex: ts=8 sw=4 sts=4 et filetype=sh
|
||||
|
||||
## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Credits:
|
||||
## First version by @friedy10.
|
||||
## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/module-setup.sh
|
||||
|
||||
# called by dracut
|
||||
check() {
|
||||
require_binaries sync || return 1
|
||||
|
@ -1,6 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
|
||||
|
@ -1,6 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Credits:
|
||||
@ -22,20 +23,20 @@ ram_wipe() {
|
||||
kernel_wiperam_setting=$(getarg wiperam)
|
||||
|
||||
if [ "$kernel_wiperam_setting" = "skip" ]; then
|
||||
echo "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg
|
||||
info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK."
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ "$kernel_wiperam_setting" = "force" ]; then
|
||||
echo "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg
|
||||
info "INFO: wipe-ram.sh: wiperam=force detected, OK."
|
||||
else
|
||||
if systemd-detect-virt &>/dev/null ; then
|
||||
echo "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg
|
||||
info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg
|
||||
info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..."
|
||||
|
||||
drop_caches
|
||||
|
||||
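Review bot: The `if systemd-detect-virt &>/dev/null ; then` line is context rather than new code, but the file is `#!/bin/sh` (visible in the first hunk of this file) and `&>` is a bash-only redirection: under dash, the default `/bin/sh` on Debian-based systems, it parses as `systemd-detect-virt &` followed by an empty command carrying the redirection, whose exit status is 0, so the VM check is always true and the RAM wipe is skipped on bare metal whenever `wiperam=force` is absent. Which shell the initramfs ships as `/bin/sh` is not visible here, so this needs confirming, but the portable form is strictly better regardless: `if systemd-detect-virt >/dev/null 2>&1 ; then`. The `ram_wipe` function starts before this hunk.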
@ -45,33 +46,34 @@ ram_wipe() {
|
||||
|
||||
drop_caches
|
||||
|
||||
echo "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg
|
||||
info "INFO: wipe-ram.sh: RAM wipe completed, OK."
|
||||
|
||||
## In theory might be better to check this beforehand, but the test is
|
||||
## really fast. The user has no chance of reading the console output
|
||||
## without introducing an artificial delay because the sdmem which runs
|
||||
## after this, results in much more console output.
|
||||
echo "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg
|
||||
info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..."
|
||||
|
||||
local dmsetup_actual_output dmsetup_expected_output
|
||||
dmsetup_actual_output="$(dmsetup ls --target crypt)"
|
||||
dmsetup_expected_output="No devices found"
|
||||
|
||||
if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then
|
||||
echo "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg
|
||||
info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK."
|
||||
## This should probably be removed in production?
|
||||
sleep 3
|
||||
else
|
||||
echo "\
|
||||
info "\
|
||||
WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed!
|
||||
|
||||
debugging information:
|
||||
dmsetup_expected_output: '$dmsetup_expected_output'
|
||||
dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg
|
||||
dmsetup_actual_output: '$dmsetup_actual_output'"
|
||||
## How else could the user be informed that something is wrong?
|
||||
sleep 5
|
||||
fi
|
||||
|
||||
kexec -e && info "kexec -e succeeded" || info "kexec -e failed"
|
||||
}
|
||||
|
||||
ram_wipe
|
||||
|
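Review bot: The new `kexec -e && info "kexec -e succeeded" || info "kexec -e failed"` line treats a failed kexec as informational only: when no image was staged (the prepare unit did not run, or the shutdown took a path it does not detect) `kexec -e` returns, `ram_wipe` ends normally and the shutdown proceeds with the single in-place wipe, with no warning comparable to the dmsetup branch just above. I would mirror that branch: `if ! kexec -e; then info "WARNING: wipe-ram.sh: kexec -e failed, second RAM wipe will not run!"; sleep 5; fi`, which also avoids the `a && b || c` form where a failing `info` would print the failure message. Note that `kexec -e` is also reached after the "There are still mounted encrypted disks!" warning; whether that is intended (the second stage wipes RAM regardless) or should abort deserves a comment. The `ram_wipe` function starts before this hunk.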
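--- /dev/null
+++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
@@ -0,0 +1,55 @@
+#!/bin/bash
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
+## See the file COPYING for copying conditions.
+set -x
+set -e
+
+true "env:"
+env
+
+## Debugging.
+## Lets hope $1 is set to reboot, poweroff or halt by systemd.
+true "1: $1"
+
+
+# Get the kernel command-line arguments
+cmdline=$(cat /proc/cmdline)
+
+# Get the current boot image
+kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2)
+initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#")
+
+kernel="/boot/$kernel"
+initrd="/boot/$initrd"
+
+if test -e $initrd; then
+echo "Initrd File Found"
+else
+echo "Initrd File NOT FOUND"
+exit 1
+fi
+
+if test -e $kernel; then
+echo "Kernel File Found"
+else
+echo "Kernel File NOT FOUND"
+exit 1
+fi
+
+
+if systemctl list-jobs | grep "poweroff.target" | grep -q "start"; then
+wram="yes"
+wact="poweroff"
+elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then
+wram="yes"
+wact="reboot"
+elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then
+wram="yes"
+wact="halt"
+else
+echo "No shutdown option found!"
+exit 0
+fi
+
+kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact"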
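Review bot: After `kexec -l ... --append="wiperamexit=$wram wiperamaction=$wact"` nothing re-locks the kexec_load syscall, although this same commit drops `kernel.kexec_load_disabled=1` from the sysctl defaults precisely so that this load can happen; adding `sysctl -w kernel.kexec_load_disabled=1` immediately after a successful `kexec -l` restores the hardening for the rest of the shutdown and guarantees the staged image cannot be replaced before `kexec -e` runs (the toggle is one-way, so nothing later in shutdown may need kexec_load). The `$kernel` and `$initrd` expansions in both `test -e` lines and in the `kexec -l` line are unquoted; `test -e "$initrd"` and `kexec -l "$kernel" --initrd="$initrd"` cost nothing. `set -x` together with `env` dumps the entire service environment into the journal on every shutdown, which reads as a debugging leftover and should at least be commented as deliberate. The path derivation assumes `BOOT_IMAGE=` is relative to a separate `/boot` filesystem, since `/boot/` is prefixed unconditionally; that is presumably the Kicksecure layout, but on an installation where `BOOT_IMAGE` already starts with `/boot/` the script would exit through its "NOT FOUND" branch.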