From 973f117aa6a7418ea29125753f6c6b6f7e7986a4 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 2 Jul 2022 18:12:36 -0400
Subject: [PATCH] wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning by running: `echo 3 > /proc/sys/vm/drop_caches`

Inspired by Tails: https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
---
 .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
index 5f72a0d..8a543d8 100755
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
@@ -29,6 +29,10 @@ ram_wipe() {
    echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg
 
+   ## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
+   ### Ensure any remaining disk cache is erased by Linux' memory poisoning
+   echo 3 > /proc/sys/vm/drop_caches
+
    ## TODO: sdmem settings. One pass only. Secure? Configurable?
    ## TODO: > /dev/kmsg 2> /dev/kmsg
    sdmem -l -l -v
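Review bot: The added `echo 3 > /proc/sys/vm/drop_caches` only drops clean cache; the kernel documents that dirty objects are not freed by drop_caches and recommends running `sync` first, so a `sync` line before the echo would make the "remaining disk cache is erased" comment hold more often (whether dirty pages can still exist at this point of the dracut shutdown hook is not visible here). The write's failure mode is also unhandled: if /proc/sys/vm/drop_caches is absent or not writable, an active `set -e` (not visible in the hunk) would abort ram_wipe before the `sdmem` call that does the actual wipe, while without it the failure is silent, so I would make it explicit, e.g. `sync` on one line and `echo 3 > /proc/sys/vm/drop_caches || echo "WARNING: wipe-ram.sh: drop_caches failed, relying on sdmem only" > /dev/kmsg` on the next. The comment's claim that freed cache is erased "by Linux' memory poisoning" presumably relies on the kernel having been booted with page poisoning (`init_on_free=1` or equivalent), which this module may set elsewhere; naming that dependency in the comment would save the next reader from assuming drop_caches alone zeroes anything. ram_wipe() begins before this hunk and, per the hunk header, continues after it.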