From 78a4fad6674bb11fa682b908e0d3bc63705e7d20 Mon Sep 17 00:00:00 2001
From: Friedrich Doku
Date: Sat, 7 Jan 2023 11:14:31 -0500
Subject: [PATCH] Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec
---
 etc/sysctl.d/30_security-misc.conf | 3 ++-
 .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 6 +-----
 .../modules.d/10ram-wipe-exit/wipe-ram.sh | 17 +++++++--------
 .../40cold-boot-attack-defense/wipe-ram.sh | 18 ++++++++--------
 .../cold-boot-attack-defense-kexec-prepare | 21 +++++++++++--------
 5 files changed, 32 insertions(+), 33 deletions(-)
diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 3862e1d..c376779 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -37,7 +37,8 @@ net.core.bpf_jit_harden=2
 ## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
 ## Disables kexec which can be used to replace the running kernel.
-kernel.kexec_load_disabled=1
+## kexec is required for cold boot attack defense
+## kernel.kexec_load_disabled=1
 ## Hides kernel addresses in various files in /proc.
 ## Kernel addresses can be very useful in certain exploits.
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
index c696284..952e418 100644
--- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
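Review bot: Commenting out `kernel.kexec_load_disabled=1` re-enables kexec_load on every system that ships this file, not only on those running the cold-boot defense, and the new comment `## kexec is required for cold boot attack defense` does not say so. The paragraph above it already describes the pattern that would keep the hardening — load the image first, then set the one-way toggle — which is not available here only because cold-boot-attack-defense-kexec-prepare loads the wipe kernel with `kexec -l` at shutdown time, and that trade-off is worth recording next to the disabled line. Suggested replacement comment: `## Disabled: cold-boot-attack-defense-kexec-prepare runs kexec -l at shutdown, which kexec_load_disabled=1 would block; this leaves kexec_load available on all installs, not just those using the RAM wipe.`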
@@ -16,10 +16,6 @@ ram_wipe_check_needshutdown() {
 reboot -f
 fi
- if [ "$wipe_action" = "kexec" ]; then
- reboot -f
- fi
-
 if [ "$wipe_action" = "poweroff" ]; then
 poweroff -f
 fi
@@ -29,7 +25,7 @@ ram_wipe_check_needshutdown() {
 fi
 if [ "$wipe_action" = "error" ]; then
- echo "Choice of shutdown option led to an error. Shutting down..."
+ info "Choice of shutdown option led to an error. Shutting down..."
 sleep 5
 poweroff -f
 fi
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
index 6b35028..e2daa84 100644
--- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
@@ -6,19 +6,18 @@ ram_wipe_action() {
 local kernel_wiperam_exit
- ## getarg returns the last parameter only.
- ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins.
 kernel_wiperam_exit=$(getarg wiperamexit)
 if [ "$kernel_wiperam_exit" = "no" ]; then
- info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK."
- return 0
- else
- if [ "$kernel_wiperam_exit" != "yes" ]; then
- info "INFO: Skip, becuase wiperamexit parameter is not used. "
- return 0
- fi
+ info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK."
+ return 0
+ fi
+
+
+ if [ "$kernel_wiperam_exit" != "yes" ]; then
+ info "INFO: Skip, becuase wiperamexit parameter is not used. "
+ return 0
 fi
 info "INFO: wiperamexit=yes. Running second RAM wipe... "
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
index 5d69f65..a30c285 100755
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
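Review bot: The removed comment `## getarg returns the last parameter only.` / `## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins.` in the wipe-ram.sh hunk documented behaviour the new code still relies on — `kernel_wiperam_exit=$(getarg wiperamexit)` still resolves a duplicated parameter last-wins — so it should be kept above that line, with `wiperamexit=no wiperamexit=yes` as the example, since that is the parameter this function reads. The flattened guard chain is clearer than the nested `else`, but the two consecutive blank lines after the first `fi` should be one, and the `becuase` typo in the second message is a runtime string, so fixing it is a separate, deliberate change. ram_wipe_action continues outside the hunk.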
@@ -23,20 +23,20 @@ ram_wipe() {
 kernel_wiperam_setting=$(getarg wiperam)
 if [ "$kernel_wiperam_setting" = "skip" ]; then
- echo "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg
+ info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg
 return 0
 fi
 if [ "$kernel_wiperam_setting" = "force" ]; then
- echo "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg
+ info "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg
 else
 if systemd-detect-virt &>/dev/null ; then
- echo "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg
+ info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg
 return 0
 fi
 fi
- echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg
+ info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg
 drop_caches
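Review bot: Every `info "…" > /dev/kmsg` line in this hunk redirects only the console copy of the message into kmsg, while dracut-lib.sh's `info` already writes its own `dracut:`-prefixed record to /dev/kmsg itself, so each message lands in the kernel log twice and no longer reaches the console that the comments in the next hunk expect the operator to be reading. Dropping the redirection, e.g. `info "INFO: wipe-ram.sh: wiperam=force detected, OK."`, keeps one kmsg record plus the console line; the same applies to the redirected `info` lines in the following hunk of this file. Whether `info` is in scope at all depends on this script being sourced by dracut's shutdown runner rather than executed on its own, which the head of the file (outside the hunk) would show; if it is executed, every `info` call fails with command not found and the skip decisions proceed with no message at all. ram_wipe starts outside the hunk.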
@@ -46,24 +46,24 @@ ram_wipe() {
 drop_caches
- echo "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg
+ info "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg
 ## In theory might be better to check this beforehand, but the test is
 ## really fast. The user has no chance of reading the console output
 ## without introducing an artificial delay because the sdmem which runs
 ## after this, results in much more console output.
- echo "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg
+ info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg
 local dmsetup_actual_output dmsetup_expected_output
 dmsetup_actual_output="$(dmsetup ls --target crypt)"
 dmsetup_expected_output="No devices found"
 if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then
- echo "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg
+ info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg
 ## This should probably be removed in production?
 sleep 3
 else
- echo "\
+ info "\
 WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! debugging information:
@@ -73,7 +73,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg
 sleep 5
 fi
- kexec -e && echo "kexec -e succeeded" || echo "kexec -e failed"
+ kexec -e && info "kexec -e succeeded" || info "kexec -e failed"
 }
 ram_wipe
diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
index 7ae5b8b..83e35f5 100755
--- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
+++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
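Review bot: `kexec -e` does not return when it succeeds, so the `&& info "kexec -e succeeded"` branch on the last changed line can never run, while the failure branch only logs and the function then returns, letting shutdown continue without the second-stage wipe the kexec'd kernel was supposed to perform; since kexec-prepare in this same patch now exits without loading an image when no shutdown target matches, a missing image is a reachable state here rather than a corner case. Replacing the chain with `kexec -e || warn "kexec -e failed, second RAM wipe will not run"` uses dracut-lib.sh's `warn` for the actual error and drops the unreachable success message (assuming this script is sourced by dracut's shutdown runner so those helpers are in scope, which the head of the file, outside the hunk, would show). ram_wipe starts outside the hunk.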
@@ -12,8 +12,16 @@ env
 ## Lets hope $1 is set to reboot, poweroff or halt by systemd.
 true "1: $1"
-initrd=/boot/initrd.img-$(uname -r)
-kernel=/boot/vmlinuz-$(uname -r)
+
+# Get the kernel command-line arguments
+cmdline=$(cat /proc/cmdline)
+
+# Get the current boot image
+kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2)
+initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#")
+
+kernel="/boot/$kernel"
+initrd="/boot/$initrd"
 if test -e $initrd; then
 echo "Initrd File Found"
@@ -39,14 +47,9 @@ elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then
 elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then
 wram="yes"
 wact="halt"
-elif systemctl list-jobs | grep "kexec.target" | grep -q "start"; then
- wram="yes"
- wact="kexec"
 else
- echo "Error no shutdown option found!"
- wram="yes"
- wact="error"
+ echo "No shutdown option found!"
+ exit 0
 fi
 kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact"
-
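Review bot: The BOOT_IMAGE-derived paths in the first hunk are used without validation: `grep -o 'BOOT_IMAGE=\S*'` yields an empty string on loaders that do not set that parameter, and GRUB's value is loader-specific (it may already begin with /boot, or carry a device prefix), so `kernel="/boot/$kernel"` can silently become `/boot/` or `/boot//boot/vmlinuz-…`, and the `uname -r` fallback the removed lines provided is gone. The `if test -e $initrd` check that follows continues outside the hunk, so it is not visible whether a missing file stops the script before `kexec -l $kernel --initrd=$initrd`; those expansions are unquoted in any case. Keeping `uname -r` as the fallback, normalising the prefix and aborting on a missing file, as below, covers both layouts. In the second hunk, `exit 0` after `echo "No shutdown option found!"` reports success to systemd while no wipe image has been loaded, and the removed kexec.target branch was what distinguished a user-loaded image from an unknown shutdown state; writing the message to stderr and exiting non-zero unless a kexec.target job is actually running keeps a skipped defense visible in the journal.
```shell
true "1: $1"

# Prefer the kernel the boot loader actually started (BOOT_IMAGE= from GRUB),
# fall back to the running kernel when the loader did not set it. BOOT_IMAGE
# is loader-specific and may already carry a /boot prefix, so normalise it.
boot_image=$(grep -o 'BOOT_IMAGE=\S*' /proc/cmdline | cut -d '=' -f 2)
case "$boot_image" in
   "")      kernel="/boot/vmlinuz-$(uname -r)" ;;
   /boot/*) kernel="$boot_image" ;;
   *)       kernel="/boot/${boot_image#/}" ;;
esac
initrd=$(printf '%s\n' "$kernel" | sed "s#vmlinuz#initrd.img#")

if [ ! -e "$kernel" ] || [ ! -e "$initrd" ]; then
   echo "ERROR: kernel '$kernel' or initrd '$initrd' not found, not loading kexec image." >&2
   exit 1
fi

# … unchanged: existing test -e $initrd block and shutdown-target detection …
```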