added files

2024-10-01 08:25:45 -04:00 · 2023-01-06 10:50:34 -05:00 · 2023-01-06 10:50:34 -05:00 · a7015f4ddf
commit a7015f4ddf
parent 929f49f333
6 changed files with 151 additions and 0 deletions
--- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
+++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
@ -0,0 +1,10 @@
+[Unit]
+Description=My Script
+
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
+
+[Install]
+WantedBy=multi-user.target
--- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh
@ -0,0 +1,47 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Author: friedy10 friedrichdoku@gmail.com
+
+# called by dracut
+check() {
+    require_binaries sync || return 1
+    require_binaries sleep || return 1
+    require_binaries ls || return 1
+    require_binaries halt || return 1
+    require_binaries poweroff || return 1
+    require_binaries reboot || return 1
+    require_binaries cat || return 1
+    require_binaries sdmem || return 1
+    require_binaries pgrep || return 1
+    require_binaries dmsetup || return 1
+    return 0
+}
+
+# called by dracut
+depends() {
+    return 0
+}
+
+# called by dracut
+install() {
+    inst_multiple sync
+    inst_multiple sleep
+    inst_multiple ls
+    inst_multiple halt
+    inst_multiple poweroff
+    inst_multiple reboot
+    inst_multiple cat
+    inst_multiple sdmem
+    inst_multiple pgrep
+    inst_multiple dmsetup
+    inst_hook pre-udev 40 "$moddir/wipe-ram.sh"
+    inst_hook pre-trigger 40 "$moddir/wipe-ram-needshutdown.sh"
+}
+
+# called by dracut
+installkernel() {
+    return 0
+}
+
--- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
@ -0,0 +1,27 @@
+#!/bin/sh
+
+## Author: friedy10 friedrichdoku@gmail.com
+
+
+ram_wipe_check_needshutdown() {
+   local wipe_action
+   wipe_action=$(getarg wiperamaction)
+
+   wait $(pgrep sdmem)
+   info "DONE WAITING..."
+
+   if [ "$wipe_action" = "reboot" ]; then
+      reboot -f
+   fi
+
+   if [ "$wipe_action" = "poweroff" ]; then
+      poweroff -f
+   fi
+   
+   if [ "$wipe_action" = "halt" ]; then
+      halt -f
+   fi
+}
+
+ram_wipe_check_needshutdown
+
--- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
@ -0,0 +1,27 @@
+#!/bin/sh
+
+## Author: friedy10 friedrichdoku@gmail.com
+
+ram_wipe_action() {
+   local kernel_wiperam_exit
+   ## getarg returns the last parameter only.
+   ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins.
+   kernel_wiperam_exit=$(getarg wiperamexit)
+
+
+   if [ "$kernel_wiperam_exit" = "no" ]; then
+      info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK."
+      return 0
+   else 
+      if [ "$kernel_wiperam_exit" != "yes" ]; then
+         info "INFO: Skip, becuase wiperamexit parameter is not used. "
+         return 0
+      fi
+   fi
+
+   info "INFO: wiperamexit=yes. Running second RAM wipe... "
+   
+   sdmem -l -l -v
+}
+ram_wipe_action
+
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
@ -72,6 +72,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg
      sleep 5
   fi

+   kexec -e
 }

 ram_wipe
--- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
+++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
@ -0,0 +1,39 @@
+#!/bin/bash
+## Copyrigh (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+## modified by Friedrich Doku <friedrichdoku@gmail.com>
+
+set -x
+set -e
+
+true "env:"
+env
+
+## Debugging.
+## Lets hope $1 is set to reboot, poweroff or halt by systemd.
+true "1: $1"
+
+sudo dbus-monitor --system  |
+    while read -r line; do
+         if [[ $line =~ .*"poweroff.target".* ]]; then
+	    kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff"
+	    break
+	 fi
+
+         if [[ $line =~ .*"reboot.target".* ]]; then
+	    kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
+	    break
+	 fi
+	 
+	 if [[ $line =~ .*"halt.target".* ]]; then
+	    kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=halt"
+	    break
+	 fi
+         
+	 if [[ $line =~ .*"kexec.target".* ]]; then
+	    kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
+	    break
+	 fi
+    done
+
+sleep 10