From 8c3204a5e42b0c4dc6ff9c66568ac78abc4dbd47 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 25 Jan 2023 15:20:30 -0500
Subject: [PATCH] comment

---
 etc/sysctl.d/30_security-misc_kexec-disable.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/etc/sysctl.d/30_security-misc_kexec-disable.conf
index 954a947..39091e9 100644
--- a/etc/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/etc/sysctl.d/30_security-misc_kexec-disable.conf
@@ -8,3 +8,9 @@
 ## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
 ## Disables kexec which can be used to replace the running kernel.
 kernel.kexec_load_disabled=1
+
+## Why is this in a dedicated config file?
+## Package ram-wipe requires kexec. However, ram-wipe could not ship a config
+## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
+## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
+## it cannot be undone without reboot. This is a upstream Linux security feature.
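Review bot: The new comment block explains why a later-sorting file cannot flip the toggle back, but never states what keeping the setting in its own file actually buys a package that needs kexec, which is the question the heading "Why is this in a dedicated config file?" raises. Presumably the intent is that such a package can shadow or drop this one file without touching the rest of the hardening set, since the irreversible toggle rules out overriding the key afterwards — confirm and say so, e.g. `## Keeping it in its own file lets a package that needs kexec ship a replacement for this file instead of trying to override the key later.` The closing sentence also reads awkwardly; `## it cannot be undone without a reboot. This is an upstream Linux kernel security feature.` would be clearer.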