From b342ce930ea14a365ba23f37642cc9c098470362 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 5 Jul 2022 10:28:22 -0400
Subject: [PATCH] add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg`
---
.../grub.d/40_cold_boot_attack_defense.cfg | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 etc/default/grub.d/40_cold_boot_attack_defense.cfg
diff --git a/etc/default/grub.d/40_cold_boot_attack_defense.cfg b/etc/default/grub.d/40_cold_boot_attack_defense.cfg
new file mode 100644
index 0000000..3cf1c69
--- /dev/null
+++ b/etc/default/grub.d/40_cold_boot_attack_defense.cfg
@@ -0,0 +1,17 @@
+## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## RAM wipe is enabled by default on real hardware / bare metal.
+## RAM wipe is disabled by in virtual machines (VMs).
+## https://www.kicksecure.com/wiki/Dev/RAM_Wipe
+
+## RAM wipe is omitted in virtual machines (VMs) by default because it is
+## unclear if that could actually lead to the host operating system using
+## swap. Through use of kernel parameter wiperam=force it is possible to
+## force RAM wipe inside VMs which is useful for testing, development purposes.
+#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"
+
+## Kernel parameter wiperam=skip is provided to support disabling RAM wipe
+## at shutdown, which might be useful to speed up shutdown or in case should
+## there ever be issues.
+#GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=skip"
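Review bot: The comment above the `wiperam=skip` line describes the option only as a way to speed up shutdown and never says that it switches the cold boot attack defense off, so a user who uncomments it may not realise that RAM contents are then left in place at shutdown; I would add `## Warning: wiperam=skip disables the cold boot attack defense; RAM is not wiped at shutdown.` directly above that setting. The fifth added line reads "disabled by in virtual machines", which presumably should be `## RAM wipe is disabled by default in virtual machines (VMs).` Both examples append to `GRUB_CMDLINE_LINUX_DEFAULT`, which on Debian-style GRUB setups is not applied to recovery-mode entries, so a sentence stating that the parameter does not reach those entries would spare a tester some confusion. Every line in the file is a comment, so the defaults it describes are implemented elsewhere and cannot be checked from this hunk.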