wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning

by running: `echo 3 > /proc/sys/vm/drop_caches` Inspired by Tails: https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
2024-12-26 15:39:31 -05:00 · 2022-07-02 18:12:36 -04:00 · 2022-07-02 18:12:36 -04:00 · 973f117aa6
commit 973f117aa6
parent e783ddc71e
1 changed files with 4 additions and 0 deletions
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
@ -29,6 +29,10 @@ ram_wipe() {

   echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg

+   ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
+   ### Ensure any remaining disk cache is erased by Linux' memory poisoning
+   echo 3 > /proc/sys/vm/drop_caches
+
   ## TODO: sdmem settings. One pass only. Secure? Configurable?
   ## TODO: > /dev/kmsg 2> /dev/kmsg
   sdmem -l -l -v