migrate ram-wipe to dedicated package

This commit is contained in:
Patrick Schleizer 2023-01-09 06:54:04 -05:00
parent ad5d0d4b12
commit 6faa050dd8
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48

View File

@ -398,37 +398,6 @@ information that shouldn't be accessible to unprivileged users. As this will
break many things, it is disabled by default and can optionally be enabled by
executing `systemctl enable hide-hardware-info.service` as root.
## Cold Boot Attack Defense
Wiping RAM at shutdown to defeat cold boot attacks.
Implemented as `dracut` module `cold-boot-attack-defense`.
Requires `dracut`. In other words, RAM wipe is incompatible with systems
using `initramfs-tools`. To switch to, install dracut:
sudo apt update
sudo apt install --no-install-recommends dracut
`dracut` is intentionally not declared as a dependency of `security-misc` to
avoid making all of `security-misc` dependent on `dracut` only for the sake of
the wipe RAM at shutdown feature. Linux distribution such as Kicksecure are
advised to (and Kicksecure is planning to) install `dracut` instead of
`initramfs-tools` by default.
Only tested on `systemd` enabled systems.
User documentation:
https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense
Design documentation:
https://www.kicksecure.com/wiki/Dev/RAM_Wipe
Source code:
* `/usr/lib/dracut/modules.d/40cold-boot-attack-defense`
* `/etc/default/grub.d/40_cold_boot_attack_defense.cfg`
## miscellaneous
* hardened malloc compatibility for haveged workaround