improvements

usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh

@@ -1,8 +1,33 @@
 #!/bin/sh
 
-echo "Checking for mounted disks..."
-dmsetup ls --target crypt
-echo "WIPE RAM!"
-## TODO: remove -f (fast and insecure mode)
-sdmem -v -f
-echo "WIPE DONE!"
+ram_wipe() {
+   info "$0: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN"
+
+   info "$0: Checking if there are still mounted encrypted disks..."
+
+   local dmsetup_actual_output dmsetup_expected_output
+   dmsetup_actual_output="$(dmsetup ls --target crypt)"
+   dmsetup_expected_output="No devices found"
+
+   if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then
+      info "$0: Success, there are no more mounted encrypted disks, OK."
+   else
+      warn "\
+$0: There are still mounted encrypted disks! RAM wipe failed!
+
+debugging information:
+dmsetup_expected_output: '$dmsetup_expected_output'
+dmsetup_actual_output: '$dmsetup_actual_output'"
+      return 0
+   fi
+
+   info "$0: Starting RAM wipe..."
+
+   ## TODO: sdmem settings. One pass only. Secure? Configurable?
+   sdmem -l -l -f
+
+   info "$0: RAM wipe completed, OK."
+   info "$0: END COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN"
+}
+
+ram_wipe