diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index 85865a3..5218218 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -37,3 +37,6 @@ rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf
 
 ## renamed to /etc/security/limits.d/30_security-misc.conf
 rm_conffile /etc/security/limits.d/disable-coredumps.conf
+
+## moved to separate package ram-wipe
+/etc/default/grub.d/40_cold_boot_attack_defense.cfg
diff --git a/etc/default/grub.d/40_cold_boot_attack_defense.cfg b/etc/default/grub.d/40_cold_boot_attack_defense.cfg
deleted file mode 100644
index 1729c14..0000000
--- a/etc/default/grub.d/40_cold_boot_attack_defense.cfg
+++ /dev/null
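Review bot: The last added line in debian/security-misc.maintscript is a bare path with no command in front of it, whereas every other entry visible in this hunk starts with `rm_conffile`. As written it is presumably not a valid dpkg-maintscript-helper entry, so the obsolete conffile would not be cleaned up on upgrade, or the package build may reject the line; it should read `rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg`. Because the file is moving to ram-wipe rather than being dropped, also confirm that ram-wipe declares the matching Breaks/Replaces and that existing installs end up with ram-wipe installed, so the RAM-wipe configuration does not silently disappear on upgrade. debian/control is not part of this diff, so that could not be checked here.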
@@ -1,29 +0,0 @@
-## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Wiping RAM at shutdown to defeat cold boot attacks.
-##
-## RAM wipe is enabled by default on host operating systems, real hardware.
-## RAM wipe is disabled by in virtual machines (VMs).
-##
-## Most users should not make any modifications to this config file because
-## there is no need for that.
-##
-## User documentation:
-## https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense
-##
-## Design documentation:
-## https://www.kicksecure.com/wiki/Dev/RAM_Wipe
-
-## RAM wipe is omitted in virtual machines (VMs) by default because it is
-## unclear if that could actually lead to the host operating system using
-## swap. Through use of kernel parameter wiperam=force it is possible to
-## force RAM wipe inside VMs which is useful for testing, development purposes.
-## There is no additional security benefit by the wiperam=force setting
-## for host operating systems.
-#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"
-
-## Kernel parameter wiperam=skip is provided to support disabling RAM wipe
-## at shutdown, which might be useful to speed up shutdown or in case should
-## there ever be issues.
-#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=skip"