From 7bda2ad3e8f30668428e054f57613d7c2ed2a4d6 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 24 Jan 2023 06:34:17 -0500
Subject: [PATCH] move ram-wipe scripts to dedicated ram-wipe package
---
...-boot-attack-defense-kexec-prepare.service | 17 ----
.../modules.d/10ram-wipe-exit/module-setup.sh | 48 ----------
.../10ram-wipe-exit/wipe-ram-needshutdown.sh | 32 -------
.../modules.d/10ram-wipe-exit/wipe-ram.sh | 42 ---------
.../module-setup.sh | 38 --------
.../wipe-ram-needshutdown.sh | 40 --------
.../40cold-boot-attack-defense/wipe-ram.sh | 94 -------------------
.../cold-boot-attack-defense-kexec-prepare | 37 --------
8 files changed, 348 deletions(-)
delete mode 100644 lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
delete mode 100755 usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh
delete mode 100755 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
delete mode 100755 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
delete mode 100755 usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh
delete mode 100755 usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh
delete mode 100755 usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
delete mode 100755 usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
deleted file mode 100644
index 5e2733c..0000000
--- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
+++ /dev/null
@@ -1,17 +0,0 @@
-## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
-## Copyright (C) 2023 - 2023 Friedrich Doku
-## See the file COPYING for copying conditions.
-
-[Unit]
-Description=Cold Boot Attack Defense Reboot RAM Wipe
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/bin/true
-ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
-## Debugging.
-StandardOutput=journal+console
-
-[Install]
-WantedBy=multi-user.target
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh
deleted file mode 100755
index 76d4ac2..0000000
--- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
-## Copyright (C) 2023 - 2023 Friedrich Doku
-## See the file COPYING for copying conditions.
-
-# called by dracut
-check() {
- require_binaries sync || return 1
- require_binaries sleep || return 1
- require_binaries ls || return 1
- require_binaries halt || return 1
- require_binaries poweroff || return 1
- require_binaries reboot || return 1
- require_binaries cat || return 1
- require_binaries sdmem || return 1
- require_binaries pgrep || return 1
- require_binaries dmsetup || return 1
- return 0
-}
-
-# called by dracut
-depends() {
- return 0
-}
-
-# called by dracut
-install() {
- inst_multiple sync
- inst_multiple sleep
- inst_multiple ls
- inst_multiple halt
- inst_multiple poweroff
- inst_multiple reboot
- inst_multiple cat
- inst_multiple sdmem
- inst_multiple pgrep
- inst_multiple dmsetup
- inst_hook pre-udev 40 "$moddir/wipe-ram.sh"
- inst_hook pre-trigger 40 "$moddir/wipe-ram-needshutdown.sh"
-}
-
-# called by dracut
-installkernel() {
- return 0
-}
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
deleted file mode 100755
index c224cc9..0000000
--- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
-## Copyright (C) 2023 - 2023 Friedrich Doku
-## See the file COPYING for copying conditions.
-
-DRACUT_QUIET=no
-
-ram_wipe_check_needshutdown() {
- local wipe_action
- wipe_action=$(getarg wiperamaction)
-
- if [ "$wipe_action" = "reboot" ]; then
- warn "wipe-ram.sh wiperamexit: reboot..."
- ## Why reboot? Why not just continue to boot?
- ## To get rid of kernel command line options 'wiperamexit=yes wiperamaction=reboot'?
- ## Also RAM wipe using sdmem leads to an OOM and the following error as seen in serial console:
- ## [FAILED] Failed to start dracut pre-udev hook.
- ## In other words, the system might not boot up cleanly.
- reboot --force
- elif [ "$wipe_action" = "poweroff" ]; then
- warn "wipe-ram.sh wiperamexit: poweroff..."
- poweroff --force
- elif [ "$wipe_action" = "halt" ]; then
- warn "wipe-ram.sh wiperamexit: halt..."
- halt --force
- else
- warn "wipe-ram.sh wiperamexit: normal boot..."
- fi
-}
-
-ram_wipe_check_needshutdown
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
deleted file mode 100755
index 7046e7b..0000000
--- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
-## Copyright (C) 2023 - 2023 Friedrich Doku
-## See the file COPYING for copying conditions.
-
-## TODO: rename to wipe-ram-exit.sh (so it is different from wipe-ram.sh)
-
-DRACUT_QUIET=no
-
-drop_caches() {
- sync
- ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
- ### Ensure any remaining disk cache is erased by Linux' memory poisoning
- echo 3 > /proc/sys/vm/drop_caches
- sync
-}
-
-ram_wipe_action() {
- local kernel_wiperam_exit
- kernel_wiperam_exit=$(getarg wiperamexit)
-
- if [ "$kernel_wiperam_exit" = "no" ]; then
- warn "wipe-ram.sh wiperamexit: Skip, because wiperamexit=no kernel parameter detected, OK."
- return 0
- fi
-
- if [ "$kernel_wiperam_exit" != "yes" ]; then
- warn "wipe-ram.sh wiperamexit: Skip, because wiperamexit parameter is unset."
- return 0
- fi
-
- warn "wipe-ram.sh wiperamexit: wiperamexit=yes, therefore running second RAM wipe..."
-
- drop_caches
- sdmem -l -l -v
- drop_caches
-
- warn "wipe-ram.sh wiperamexit: Second RAM wipe completed."
-}
-
-ram_wipe_action
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh
deleted file mode 100755
index cb679e8..0000000
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
-## Copyright (C) 2023 - 2023 Friedrich Doku
-## See the file COPYING for copying conditions.
-
-# called by dracut
-check() {
- require_binaries sync || return 1
- require_binaries sleep || return 1
- require_binaries sdmem || return 1
- require_binaries dmsetup || return 1
- require_binaries systemd-detect-virt || return 1
- return 0
-}
-
-# called by dracut
-depends() {
- return 0
-}
-
-# called by dracut
-install() {
- inst_multiple sync
- inst_multiple sleep
- inst_multiple sdmem
- inst_multiple dmsetup
- inst_multiple systemd-detect-virt
- inst_hook shutdown 40 "$moddir/wipe-ram.sh"
- inst_hook cleanup 80 "$moddir/wipe-ram-needshutdown.sh"
-}
-
-# called by dracut
-installkernel() {
- return 0
-}
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh
deleted file mode 100755
index f0a7e0a..0000000
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
-## Copyright (C) 2023 - 2023 Friedrich Doku
-## See the file COPYING for copying conditions.
-
-type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
-
-DRACUT_QUIET=no
-
-ram_wipe_check_needshutdown() {
- local kernel_wiperam_setting
- kernel_wiperam_setting=$(getarg wiperam)
-
- if [ "$kernel_wiperam_setting" = "skip" ]; then
- warn "wipe-ram-needshutdown.sh: Skip, because wiperam=skip kernel parameter detected, OK."
- return 0
- fi
-
- if [ "$kernel_wiperam_setting" = "force" ]; then
- warn "wipe-ram-needshutdown.sh: wiperam=force detected, OK."
- else
- detect_virt_output="$(systemd-detect-virt 2>&1)"
- detect_virt_exit_code="$?"
- warn "wipe-ram-needshutdown.sh: detect_virt_output: '$detect_virt_output'"
- warn "wipe-ram-needshutdown.sh: detect_virt_exit_code: '$detect_virt_exit_code'"
- if [ "$detect_virt_exit_code" = "0" ]; then
- warn "wipe-ram-needshutdown.sh: Skip, because running inside a VM detected and not using wiperam=force kernel parameter, OK."
- return 0
- fi
- warn "wipe-ram-needshutdown.sh: Bare metal (not running inside a VM) detected, OK."
- fi
-
- warn "wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK."
- need_shutdown
-
- return 0
-}
-
-ram_wipe_check_needshutdown
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
deleted file mode 100755
index fe2aa03..0000000
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
-## Copyright (C) 2023 - 2023 Friedrich Doku
-## See the file COPYING for copying conditions.
-
-## Credits:
-## First version by @friedy10.
-## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/wipe.sh
-
-DRACUT_QUIET=no
-
-drop_caches() {
- sync
- ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
- ### Ensure any remaining disk cache is erased by Linux' memory poisoning
- echo 3 > /proc/sys/vm/drop_caches
- sync
-}
-
-ram_wipe() {
- local kernel_wiperam_setting
- ## getarg returns the last parameter only.
- ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins.
- kernel_wiperam_setting=$(getarg wiperam)
-
- if [ "$kernel_wiperam_setting" = "skip" ]; then
- warn "wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK."
- return 0
- fi
-
- if [ "$kernel_wiperam_setting" = "force" ]; then
- warn "wipe-ram.sh: wiperam=force detected, OK."
- else
- if systemd-detect-virt &>/dev/null ; then
- warn "wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK."
- return 0
- fi
- fi
-
- kernel_wiperamexit_setting=$(getarg wiperamexit)
- if [ "$kernel_wiperamexit_setting" = "yes" ]; then
- warn "wipe-ram.sh: Skip, because wiperamexit=yes to avoid RAM wipe reboot loop."
- return 0
- fi
-
- warn "wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..."
-
- drop_caches
-
- ## TODO: sdmem settings. One pass only. Secure? Configurable?
- ## TODO: > /dev/kmsg 2> /dev/kmsg
- sdmem -l -l -v
-
- drop_caches
-
- warn "wipe-ram.sh: RAM wipe completed, OK."
-
- ## In theory might be better to check this beforehand, but the test is
- ## really fast. The user has no chance of reading the console output
- ## without introducing an artificial delay because the sdmem which runs
- ## after this, results in much more console output.
- warn "wipe-ram.sh: Checking if there are still mounted encrypted disks..."
-
- local dmsetup_actual_output dmsetup_expected_output
- dmsetup_actual_output="$(dmsetup ls --target crypt)"
- dmsetup_expected_output="No devices found"
-
- if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then
- warn "wipe-ram.sh: Success, there are no more mounted encrypted disks, OK."
- else
- ## dracut should unmount the root encrypted disk cryptsetup luksClose during shutdown
- ## https://github.com/dracutdevs/dracut/issues/1888
- warn "\
-wipe-ram.sh: There are still mounted encrypted disks! RAM wipe incomplete!
-
-debugging information:
-dmsetup_expected_output: '$dmsetup_expected_output'
-dmsetup_actual_output: '$dmsetup_actual_output'"
- ## How else could the user be informed that something is wrong?
- sleep 5
- fi
-
- warn "wipe-ram.sh: Now running 'kexec --exec'..."
- if kexec --exec ; then
- warn "wipe-ram.sh: 'kexec --exec' succeeded."
- return 0
- fi
-
- warn "wipe-ram.sh: 'kexec --exec' failed!"
- sleep 5
-}
-
-ram_wipe
diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
deleted file mode 100755
index 8f8b76f..0000000
--- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
-## Copyright (C) 2023 - 2023 Friedrich Doku
-## See the file COPYING for copying conditions.
-
-#set -x
-set -e
-
-## provided by helper-scripts
-kernel=$(kernel-file-detect)
-initrd=$(initrd-file-detect)
-
-if systemctl list-jobs --no-legend | grep "poweroff.target" | grep -q "start"; then
- wiperamexit="yes"
- wiperamaction="poweroff"
-elif systemctl list-jobs --no-legend | grep "reboot.target" | grep -q "start"; then
- wiperamexit="yes"
- wiperamaction="reboot"
-elif systemctl list-jobs --no-legend | grep "halt.target" | grep -q "start"; then
- wiperamexit="yes"
- wiperamaction="halt"
-else
- ## Could be kexec.target.
- ## Could be run during package installation.
- echo "$0: INFO: Neither poweroff, reboot or halt. Therefore skipping 'kexec --load', ok."
- exit 0
-fi
-
-echo "INFO: wiperamaction: $wiperamaction"
-
-## Debugging.
-echo kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction"
-
-kexec --load "$kernel" --initrd="$initrd" --reuse-cmdline --append="wiperamexit=$wiperamexit wiperamaction=$wiperamaction"
-
-echo "OK."