From a7015f4ddff892cab17f96713ddb0a720ebb7901 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 10:50:34 -0500 Subject: [PATCH 01/26] added files --- ...-boot-attack-defense-kexec-prepare.service | 10 ++++ .../modules.d/10ram-wipe-exit/module-setup.sh | 47 +++++++++++++++++++ .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 27 +++++++++++ .../modules.d/10ram-wipe-exit/wipe-ram.sh | 27 +++++++++++ .../40cold-boot-attack-defense/wipe-ram.sh | 1 + .../cold-boot-attack-defense-kexec-prepare | 39 +++++++++++++++ 6 files changed, 151 insertions(+) create mode 100644 lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service create mode 100644 usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh create mode 100644 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh create mode 100644 usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh create mode 100755 usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
new file mode 100644
index 0000000..cfc1887
--- /dev/null
+++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=My Script
+
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
+
+[Install]
+WantedBy=multi-user.target
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh
new file mode 100644
index 0000000..b23bdbf
--- /dev/null
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh
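Review bot: `ExecStop=` runs whenever this unit is stopped, not only during system shutdown, so a manual `systemctl stop` or a restart during a package upgrade invokes the kexec-prepare script (which in this revision blocks on `dbus-monitor` until the stop timeout expires) with no shutdown in progress. Adding `RefuseManualStop=yes` under `[Unit]` restricts stopping the unit to transactions such as shutdown, which is the only case the stop hook is meant for. Separately, a `Type=oneshot` unit whose `ExecStart=/bin/true` has exited is immediately inactive, so without `RemainAfterExit=yes` there is nothing for systemd to stop at shutdown and `ExecStop=` never fires; that directive only appears in patch 23 of this series and belongs in this commit so no intermediate revision ships a unit whose stop hook cannot run.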
@@ -0,0 +1,47 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Author: friedy10 friedrichdoku@gmail.com
+
+# called by dracut
+check() {
+ require_binaries sync || return 1
+ require_binaries sleep || return 1
+ require_binaries ls || return 1
+ require_binaries halt || return 1
+ require_binaries poweroff || return 1
+ require_binaries reboot || return 1
+ require_binaries cat || return 1
+ require_binaries sdmem || return 1
+ require_binaries pgrep || return 1
+ require_binaries dmsetup || return 1
+ return 0
+}
+
+# called by dracut
+depends() {
+ return 0
+}
+
+# called by dracut
+install() {
+ inst_multiple sync
+ inst_multiple sleep
+ inst_multiple ls
+ inst_multiple halt
+ inst_multiple poweroff
+ inst_multiple reboot
+ inst_multiple cat
+ inst_multiple sdmem
+ inst_multiple pgrep
+ inst_multiple dmsetup
+ inst_hook pre-udev 40 "$moddir/wipe-ram.sh"
+ inst_hook pre-trigger 40 "$moddir/wipe-ram-needshutdown.sh"
+}
+
+# called by dracut
+installkernel() {
+ return 0
+}
+
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
new file mode 100644
index 0000000..2f061b7
--- /dev/null
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+## Author: friedy10 friedrichdoku@gmail.com
+
+
+ram_wipe_check_needshutdown() {
+ local wipe_action
+ wipe_action=$(getarg wiperamaction)
+
+ wait $(pgrep sdmem)
+ info "DONE WAITING..."
+
+ if [ "$wipe_action" = "reboot" ]; then
+ reboot -f
+ fi
+
+ if [ "$wipe_action" = "poweroff" ]; then
+ poweroff -f
+ fi
+
+ if [ "$wipe_action" = "halt" ]; then
+ halt -f
+ fi
+}
+
+ram_wipe_check_needshutdown
+
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
new file mode 100644
index 0000000..78cadef
--- /dev/null
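Review bot: `wait $(pgrep sdmem)` cannot do what its name suggests: `wait` only reaps children of the current shell, and `sdmem` is run in the foreground by the pre-udev hook in this same commit, so by the time this pre-trigger hook runs `pgrep` finds nothing and `wait` returns immediately. Either drop the line (and the `pgrep` requirement in module-setup.sh) or replace it with a comment such as `## The wipe in wipe-ram.sh (pre-udev) runs synchronously, so it has finished by the time this hook runs.` The hook also calls `getarg` and `info` without the `type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh` guard that the existing 40cold-boot-attack-defense hooks carry, which matters if the script is ever executed rather than sourced by dracut.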
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+## Author: friedy10 friedrichdoku@gmail.com
+
+ram_wipe_action() {
+ local kernel_wiperam_exit
+ ## getarg returns the last parameter only.
+ ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins.
+ kernel_wiperam_exit=$(getarg wiperamexit)
+
+
+ if [ "$kernel_wiperam_exit" = "no" ]; then
+ info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK."
+ return 0
+ else
+ if [ "$kernel_wiperam_exit" != "yes" ]; then
+ info "INFO: Skip, becuase wiperamexit parameter is not used. "
+ return 0
+ fi
+ fi
+
+ info "INFO: wiperamexit=yes. Running second RAM wipe... "
+
+ sdmem -l -l -v
+}
+ram_wipe_action
+
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
index 1f7566c..b7aa945 100755
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
@@ -72,6 +72,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg
 sleep 5
 fi
+ kexec -e
 }
 ram_wipe
diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
new file mode 100755
index 0000000..3865afb
--- /dev/null
+++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
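Review bot: The exit status of `sdmem -l -l -v` is ignored, so if the wipe aborts (killed, allocation failure) the hook still returns 0 and the following pre-trigger hook powers the machine off as though the second wipe had completed; `sdmem -l -l -v || info "ERROR: sdmem failed, second RAM wipe incomplete."` at least leaves a trace in the dracut log. The `-l -l` flags select sdmem's least thorough mode (per its man page a single pass), and a one-line comment stating that this is deliberate for a second wipe that follows the full one at shutdown would stop a reader from "fixing" it later.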
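Review bot: `kexec -e` is issued unconditionally, but nothing checks that an image was actually loaded; when the prepare unit did not run (not enabled, stopped earlier, or its `kexec -l` failed) the call simply errors and shutdown continues with only the first wipe done, and nothing records that the second wipe was skipped. Gating on the kernel's own flag keeps the fallback visible in the log the surrounding lines already write to: `if [ "$(cat /sys/kernel/kexec_loaded 2>/dev/null)" = 1 ]; then kexec -e; else echo "no kexec image loaded, second RAM wipe skipped" > /dev/kmsg; fi`. The body of `ram_wipe` starts before this hunk, so whether an earlier skip path also reaches this line cannot be seen here.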
@@ -0,0 +1,39 @@
+#!/bin/bash
+## Copyrigh (C) 2022 - 2022 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+## modified by Friedrich Doku
+
+set -x
+set -e
+
+true "env:"
+env
+
+## Debugging.
+## Lets hope $1 is set to reboot, poweroff or halt by systemd.
+true "1: $1"
+
+sudo dbus-monitor --system |
+ while read -r line; do
+ if [[ $line =~ .*"poweroff.target".* ]]; then
+ kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff"
+ break
+ fi
+
+ if [[ $line =~ .*"reboot.target".* ]]; then
+ kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
+ break
+ fi
+
+ if [[ $line =~ .*"halt.target".* ]]; then
+ kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=halt"
+ break
+ fi
+
+ if [[ $line =~ .*"kexec.target".* ]]; then
+ kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
+ break
+ fi
+ done
+
+sleep 10
From 73913ea5afef8354f433f7cf87c7cd64c16be0a0 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:49:34 -0500 Subject: [PATCH 02/26] Added checks --- ...-boot-attack-defense-kexec-prepare.service | 4 ++- .../40cold-boot-attack-defense/wipe-ram.sh | 2 +- .../cold-boot-attack-defense-kexec-prepare | 32 ++++++++++++++----- 3 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
index cfc1887..13bf23a 100644
--- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
+++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
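Review bot: Every `kexec -l` here goes through the legacy `kexec_load` syscall, which accepts whatever bytes it is handed with no signature check; `kexec -s` (`--kexec-file-syscall`, i.e. `kexec_file_load`) is the path on which kernel lockdown and Secure Boot signature enforcement apply where the kernel supports them, and since this series ends up dropping the `kernel.kexec_load_disabled=1` hardening to make this script work, the verified path is the one to use: `kexec -s -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff"` and likewise for the other three branches. `set -x` together with a bare `env` dumps the unit's whole environment into the journal on every stop; that is debugging output, and unlike the `sudo` (removed in the next patch) it survives the entire series. Because the `while` runs in the pipe's subshell, `break` only ends the loop and `dbus-monitor` keeps running until the pipe closes, which is also why the trailing `sleep 10` is needed.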
@@ -1,5 +1,7 @@
+### Copyrigh (C) 2023 - 2023 Friedrich Doku
+
 [Unit]
-Description=My Script
+Description=https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense
 [Service]
 Type=oneshot
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
index b7aa945..d96f32b 100755
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
@@ -72,7 +72,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg
 sleep 5
 fi
- kexec -e
+ kexec -e && echo "kexec -e succeeded" || echo "kexec -e failed"
 }
 ram_wipe
diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
index 3865afb..1e6f7a5 100755
--- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
+++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
@@ -1,8 +1,7 @@
 #!/bin/bash
 ## Copyrigh (C) 2022 - 2022 ENCRYPTED SUPPORT LP
+## Copyrigh (C) 2023 - 2023 Friedrich Doku
 ## See the file COPYING for copying conditions.
-## modified by Friedrich Doku
-
 set -x
 set -e
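Review bot: The success branch of `kexec -e && echo "kexec -e succeeded" || echo "kexec -e failed"` can never execute: a successful `kexec -e` replaces the running kernel and does not return, so only the failure message is reachable, and it goes to stdout rather than to `/dev/kmsg`, where the preceding lines of this function log. Reducing the line to `kexec -e || echo "kexec -e failed, second RAM wipe will not run" > /dev/kmsg` says what actually happened and keeps the message where the rest of the hook's diagnostics land. `ram_wipe` begins outside this hunk.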
@@ -13,27 +12,44 @@ env
 ## Lets hope $1 is set to reboot, poweroff or halt by systemd.
 true "1: $1"
-sudo dbus-monitor --system |
+initrd=/boot/initrd.img-$(uname -r)
+kernel=/boot/vmlinuz-$(uname -r)
+
+if test -e $initrd; then
+ echo "Initrd File Found"
+else
+ exit 1
+ echo "Initrd File NOT FOUND"
+fi
+
+if test -e $kernel; then
+ echo "Kernel File Found"
+else
+ exit 1
+ echo "Kernel File NOT FOUND"
+fi
+
+
+dbus-monitor --system |
 while read -r line; do
 if [[ $line =~ .*"poweroff.target".* ]]; then
- kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff"
+ kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff"
 break
 fi
 if [[ $line =~ .*"reboot.target".* ]]; then
- kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
+ kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
 break
 fi
 if [[ $line =~ .*"halt.target".* ]]; then
- kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=halt"
+ kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=halt"
 break
 fi
 if [[ $line =~ .*"kexec.target".* ]]; then
- kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
+ kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
 break
 fi
 done
-sleep 10
From 14c7239681300edc4f715bc96c5235cddf677c60 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:50:42 -0500 Subject: [PATCH 03/26] Update module-setup.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
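Review bot: The new `test -e` checks confirm that an initrd and kernel for `uname -r` exist, but not that `$initrd` was rebuilt with the new `10ram-wipe-exit` module; an initrd without it ignores `wiperamexit=yes`, and because `--reuse-cmdline` carries the normal `root=` parameters the kexec'd kernel then boots the full system, so a machine that was asked to power off comes back up instead. A check before the loop such as `lsinitrd "$initrd" | grep -q ram-wipe-exit || { echo "initrd lacks the ram-wipe-exit module" >&2; exit 1; }` fails closed on a stale initrd. The `$initrd` and `$kernel` expansions in `test -e` and in the `kexec -l` lines should also be double-quoted.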
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh index b23bdbf..28482a4 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh @@ -2,7 +2,7 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -# Author: friedy10 friedrichdoku@gmail.com +### Copyrigh (C) 2023 - 2023 Friedrich Doku # called by dracut check() { From 7fa64d68423d24668e44eb0d7e19ccf4845ee711 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:50:58 -0500 Subject: [PATCH 04/26] Update wipe-ram-needshutdown.sh --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 2f061b7..72911b2 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Author: friedy10 friedrichdoku@gmail.com +### Copyrigh (C) 2023 - 2023 Friedrich Doku ram_wipe_check_needshutdown() { From d67d3c1d7d788fff589806457ff140e8f82089a0 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:51:18 -0500 Subject: [PATCH 05/26] Update wipe-ram.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 78cadef..e53d03b 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh 
@@ -1,6 +1,6 @@ #!/bin/sh -## Author: friedy10 friedrichdoku@gmail.com +### Copyrigh (C) 2023 - 2023 Friedrich Doku ram_wipe_action() { local kernel_wiperam_exit From 28687092ef4f57afab5e8d32f68492799694a379 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 12:52:36 -0500 Subject: [PATCH 06/26] Update cold-boot-attack-defense-kexec-prepare --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 1e6f7a5..2c895ca 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -18,15 +18,15 @@ kernel=/boot/vmlinuz-$(uname -r) if test -e $initrd; then echo "Initrd File Found" else - exit 1 echo "Initrd File NOT FOUND" + exit 1 fi if test -e $kernel; then echo "Kernel File Found" else - exit 1 echo "Kernel File NOT FOUND" + exit 1 fi From f9ebc3cfa86674025ccd65c22cde2427ea2f4ae3 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:46:40 -0500 Subject: [PATCH 07/26] Update module-setup.sh --- .../modules.d/40cold-boot-attack-defense/module-setup.sh | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh index 0d72a11..eedcf3f 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh 
@@ -2,13 +2,10 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. -## Credits: -## First version by @friedy10. -## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/module-setup.sh - # called by dracut check() { require_binaries sync || return 1 From c5accc5ad191fe54a96e12cd1f1286508da8243c Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:46:51 -0500 Subject: [PATCH 08/26] Update wipe-ram-needshutdown.sh --- .../40cold-boot-attack-defense/wipe-ram-needshutdown.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 2245fe4..6b94638 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh @@ -1,6 +1,7 @@ #!/bin/sh -## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh From 1eeb32b7b96ab1df63d808b6715fef7a6e1a9482 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:47:01 -0500 Subject: [PATCH 09/26] Update wipe-ram.sh --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index d96f32b..5ac3465 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -1,6 +1,7 @@ #!/bin/sh -## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. ## Credits: From 114a37fcd39ff20ddd9e8cca829763a9b96a8115 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:47:14 -0500 Subject: [PATCH 10/26] Update module-setup.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh index 28482a4..48e1054 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh @@ -2,7 +2,9 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -### Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku +## See the file COPYING for copying conditions. # called by dracut check() { From 7ac45acd0f3e3e0a68e3fc4036787e8e7d4ebe9f Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:47:23 -0500 Subject: [PATCH 11/26] Update wipe-ram-needshutdown.sh --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 72911b2..58d496f 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh 
@@ -1,6 +1,8 @@ #!/bin/sh -### Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku +## See the file COPYING for copying conditions. ram_wipe_check_needshutdown() { From 37a5264696797c0807570606361e04cb8dcb2395 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:47:34 -0500 Subject: [PATCH 12/26] Update wipe-ram.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index e53d03b..ee2e955 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -1,6 +1,8 @@ #!/bin/sh -### Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku +## See the file COPYING for copying conditions. ram_wipe_action() { local kernel_wiperam_exit From 14abfbfccdd3403d90a16dd5b2a1057ccf4da3d5 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:48:03 -0500 Subject: [PATCH 13/26] Update cold-boot-attack-defense-kexec-prepare --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 2c895ca..fe0e2bb 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -1,5 +1,5 @@ #!/bin/bash -## Copyrigh (C) 2022 - 2022 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP ## Copyrigh (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. set -x From f4637509205c11eddaa13151b93c961e9d345be6 Mon Sep 17 00:00:00 2001 
From: Friedrich Doku Date: Fri, 6 Jan 2023 13:48:22 -0500 Subject: [PATCH 14/26] Update cold-boot-attack-defense-kexec-prepare.service --- .../system/cold-boot-attack-defense-kexec-prepare.service | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service index 13bf23a..d07b932 100644 --- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service +++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service @@ -1,4 +1,6 @@ -### Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyrigh (C) 2023 - 2023 Friedrich Doku +## See the file COPYING for copying conditions. [Unit] Description=https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense From 62dcdcf7649175e0587a84708e8f0aa318a45d30 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:51:45 -0500 Subject: [PATCH 15/26] Update cold-boot-attack-defense-kexec-prepare --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index fe0e2bb..3a43274 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare @@ -1,6 +1,6 @@ #!/bin/bash -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. set -x set -e From 014d10b9778907a9282ec337023f8c2b01b0ca6b Mon Sep 17 00:00:00 2001 
From: Friedrich Doku Date: Fri, 6 Jan 2023 13:52:09 -0500 Subject: [PATCH 16/26] Update cold-boot-attack-defense-kexec-prepare.service --- .../system/cold-boot-attack-defense-kexec-prepare.service | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service index d07b932..67589bc 100644 --- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service +++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service @@ -1,5 +1,5 @@ -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. [Unit] From ec68ee6ded7294c161b3d0793bf8874b12262190 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:52:32 -0500 Subject: [PATCH 17/26] Update module-setup.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh index 48e1054..9785aa9 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/module-setup.sh @@ -2,8 +2,8 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. # called by dracut From 33877250172349cccb2c776c1fa7aed2e8ad716f Mon Sep 17 00:00:00 2001 
From: Friedrich Doku Date: Fri, 6 Jan 2023 13:52:42 -0500 Subject: [PATCH 18/26] Update wipe-ram-needshutdown.sh --- .../dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index 58d496f..0a9e368 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -1,7 +1,7 @@ #!/bin/sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. From b3d4314a069a608380ca9dd01d76c653bdb87078 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:52:51 -0500 Subject: [PATCH 19/26] Update wipe-ram.sh --- usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index ee2e955..6b35028 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -1,7 +1,7 @@ #!/bin/sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. ram_wipe_action() { From d45ba826bca6f5efef846de01a34a0a8c7936442 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:53:10 -0500 Subject: [PATCH 20/26] Update module-setup.sh --- .../modules.d/40cold-boot-attack-defense/module-setup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh index eedcf3f..194fa8b 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh @@ -2,8 +2,8 @@ # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- # ex: ts=8 sw=4 sts=4 et filetype=sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. # called by dracut From 779ad24b573b83c08e89569e5213e018377d1535 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:53:18 -0500 Subject: [PATCH 21/26] Update wipe-ram-needshutdown.sh --- .../40cold-boot-attack-defense/wipe-ram-needshutdown.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh index 6b94638..1876294 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh @@ -1,7 +1,7 @@ #!/bin/sh -## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP -## Copyrigh (C) 2023 - 2023 Friedrich Doku +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2023 Friedrich Doku ## See the file COPYING for copying conditions. type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh From 4b7053a6353cf0e092a6ef712e955b4318671bfc Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 13:53:28 -0500 Subject: [PATCH 22/26] Update wipe-ram.sh --- .../dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
index 5ac3465..5d69f65 100755
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
+++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
-## Copyrigh (C) 2023 - 2023 ENCRYPTED SUPPORT LP
-## Copyrigh (C) 2023 - 2023 Friedrich Doku
+## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
+## Copyright (C) 2023 - 2023 Friedrich Doku
 ## See the file COPYING for copying conditions.
 ## Credits:
From 7cf51a1b433bfb2ccf4fa14b7807184e9e3681c5 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 21:32:57 -0500 Subject: [PATCH 23/26] Checking job queue instead of dbus --- ...-boot-attack-defense-kexec-prepare.service | 1 + .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 10 +++++ .../cold-boot-attack-defense-kexec-prepare | 39 +++++++++---------- 3 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
index 67589bc..7d78ce0 100644
--- a/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
+++ b/lib/systemd/system/cold-boot-attack-defense-kexec-prepare.service
@@ -7,6 +7,7 @@ Description=https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense
 [Service]
 Type=oneshot
+RemainAfterExit=yes
 ExecStart=/bin/true
 ExecStop=/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
index 0a9e368..c696284 100644
--- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
+++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh
@@ -15,6 +15,10 @@ ram_wipe_check_needshutdown() {
 if [ "$wipe_action" = "reboot" ]; then
 reboot -f
 fi
+
+ if [ "$wipe_action" = "kexec" ]; then
+ reboot -f
+ fi
 if [ "$wipe_action" = "poweroff" ]; then
 poweroff -f
@@ -23,6 +27,12 @@ ram_wipe_check_needshutdown() {
 if [ "$wipe_action" = "halt" ]; then
 halt -f
 fi
+
+ if [ "$wipe_action" = "error" ]; then
+ echo "Choice of shutdown option led to an error. Shutting down..."
+ sleep 5
+ poweroff -f
+ fi
 }
 ram_wipe_check_needshutdown
diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
index 3a43274..dab095d 100755
--- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
+++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
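Review bot: The new `error` branch only fires when the prepare script explicitly passed `wiperamaction=error`; an empty, misspelled or otherwise unmatched value still matches no branch and the hook returns, after which dracut, booted with `--reuse-cmdline` and therefore the normal `root=`, continues into a regular boot of the system that was supposed to be shut down. Since every recognised branch ends in a `-f` action that does not return, an unconditional tail after the last `fi` turns the unknown case into a fail-closed poweroff: `info "Unknown wiperamaction '$wipe_action', powering off." ; poweroff -f`. The `sleep 5` in the error branch is fine but deserves a comment saying it exists only so the message can be read on the console.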
@@ -30,26 +30,23 @@ else
 fi
-dbus-monitor --system |
- while read -r line; do
- if [[ $line =~ .*"poweroff.target".* ]]; then
- kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=poweroff"
- break
- fi
+if systemctl list-jobs | grep "poweroff.target" | grep -q "start"; then
+ wram="yes"
+ wact="poweroff"
+elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then
+ wram="yes"
+ wact="reboot"
+elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then
+ wram="yes"
+ wact="halt"
+elif systemctl list-jobs | grep "kexec.target" | grep -q "start"; then
+ wram="yes"
+ wact="kexec"
+else
+ echo "Error no shutdown option found!"
+ wram="yes"
+ wact="error"
+fi
- if [[ $line =~ .*"reboot.target".* ]]; then
- kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
- break
- fi
-
- if [[ $line =~ .*"halt.target".* ]]; then
- kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=halt"
- break
- fi
-
- if [[ $line =~ .*"kexec.target".* ]]; then
- kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=yes wiperamaction=reboot"
- break
- fi
- done
+kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact"
From 8da3b9c40c6ee073addcc06d5227b3043438b768 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Fri, 6 Jan 2023 21:40:17 -0500 Subject: [PATCH 24/26] fix last line --- .../security-misc/cold-boot-attack-defense-kexec-prepare | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
index dab095d..7ae5b8b 100755
--- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
+++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare
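Review bot: The `else` branch still loads an image (`wram="yes"`, `wact="error"`) when no shutdown job is queued, which is exactly what happens on a manual `systemctl stop` of this unit or a restart during a package upgrade; a loaded image persists until `kexec -e` or `kexec -u`, and because the unit is then inactive `ExecStop=` does not run again at the real shutdown, so the stale `wiperamaction=error` image is what boots and it forces a poweroff regardless of what the user asked for. Loading nothing in that branch, `echo "no shutdown job found, not loading a kexec image" >&2; kexec -u 2>/dev/null || true; exit 0`, avoids leaving a surprise image behind, and with `set -e` in effect the script should not fall through to the final `kexec -l` on that path anyway. The four `grep "poweroff.target"`-style matches are unanchored and would also match any other unit name containing that string; anchoring on the unit column of `systemctl list-jobs --no-legend` is tighter, though the exact column layout should be checked against the installed systemd. Note this revision's final line reverts to the literal `/boot/...` paths instead of the `$kernel`/`$initrd` variables checked above it (fixed in the next patch).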
@@ -48,5 +48,5 @@ else wact="error" fi -kexec -l /boot/vmlinuz-$(uname -r) --initrd=/boot/initrd.img-$(uname -r) --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" +kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" From 78a4fad6674bb11fa682b908e0d3bc63705e7d20 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Sat, 7 Jan 2023 11:14:31 -0500 Subject: [PATCH 25/26] Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec --- etc/sysctl.d/30_security-misc.conf | 3 ++- .../10ram-wipe-exit/wipe-ram-needshutdown.sh | 6 +----- .../modules.d/10ram-wipe-exit/wipe-ram.sh | 17 +++++++-------- .../40cold-boot-attack-defense/wipe-ram.sh | 18 ++++++++-------- .../cold-boot-attack-defense-kexec-prepare | 21 +++++++++++-------- 5 files changed, 32 insertions(+), 33 deletions(-) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 3862e1d..c376779 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -37,7 +37,8 @@ net.core.bpf_jit_harden=2 ## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. ## Disables kexec which can be used to replace the running kernel. -kernel.kexec_load_disabled=1 +## kexec is required for cold boot attack defense +## kernel.kexec_load_disabled=1 ## Hides kernel addresses in various files in /proc. ## Kernel addresses can be very useful in certain exploits. 
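Review bot: Commenting out `kernel.kexec_load_disabled=1` in the 30_security-misc.conf hunk removes a system-wide hardening setting for every consumer of this file, not only for machines that use the cold-boot defense, and the one-line comment does not record what is being given up (root can now replace the running kernel at any time). The pattern described in the comment kept just above — load the image, then flip the one-way toggle — still applies to the shutdown path: kexec-prepare can run `sysctl -w kernel.kexec_load_disabled=1` immediately after a successful `kexec -l`, which closes the window in which the loaded image could be swapped before `kexec -e`. I would also extend the comment to state the trade-off, e.g. `## Left enabled because cold-boot-attack-defense-kexec-prepare loads a kernel at shutdown; kexec_load therefore stays available to root at runtime on such systems.`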
diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh index c696284..952e418 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram-needshutdown.sh @@ -16,10 +16,6 @@ ram_wipe_check_needshutdown() { reboot -f fi - if [ "$wipe_action" = "kexec" ]; then - reboot -f - fi - if [ "$wipe_action" = "poweroff" ]; then poweroff -f fi @@ -29,7 +25,7 @@ ram_wipe_check_needshutdown() { fi if [ "$wipe_action" = "error" ]; then - echo "Choice of shutdown option led to an error. Shutting down..." + info "Choice of shutdown option led to an error. Shutting down..." sleep 5 poweroff -f fi diff --git a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh index 6b35028..e2daa84 100644 --- a/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/10ram-wipe-exit/wipe-ram.sh @@ -6,19 +6,18 @@ ram_wipe_action() { local kernel_wiperam_exit - ## getarg returns the last parameter only. - ## if /proc/cmdline contains 'wiperam=skip wiperam=force' the last one wins. kernel_wiperam_exit=$(getarg wiperamexit) if [ "$kernel_wiperam_exit" = "no" ]; then - info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK." - return 0 - else - if [ "$kernel_wiperam_exit" != "yes" ]; then - info "INFO: Skip, becuase wiperamexit parameter is not used. " - return 0 - fi + info "INFO: Skip, because wiperamexit=no kernel parameter detected, OK." + return 0 + fi + + + if [ "$kernel_wiperam_exit" != "yes" ]; then + info "INFO: Skip, becuase wiperamexit parameter is not used. " + return 0 fi info "INFO: wiperamexit=yes. Running second RAM wipe... " diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index 5d69f65..a30c285 100755 
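Review bot: The restructured `ram_wipe_action` drops the comment explaining that `getarg` returns the last occurrence of a parameter, and that note matters more here than it did before: kexec-prepare loads the wipe kernel with `--reuse-cmdline --append="wiperamexit=…"`, so a `wiperamexit=no` already present on the original command line is overridden only because the appended value comes last. Keep the note above the `getarg wiperamexit` call, e.g. `## getarg returns the last match; kexec-prepare appends wiperamexit=... after the reused cmdline, so the appended value wins.` The flattened `if … return 0` guards are otherwise a readability improvement. The function's body continues past the hunk.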
--- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh @@ -23,20 +23,20 @@ ram_wipe() { kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then - echo "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg return 0 fi if [ "$kernel_wiperam_setting" = "force" ]; then - echo "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg else if systemd-detect-virt &>/dev/null ; then - echo "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg return 0 fi fi - echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg + info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg drop_caches 
@@ -46,24 +46,24 @@ ram_wipe() { drop_caches - echo "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg ## In theory might be better to check this beforehand, but the test is ## really fast. The user has no chance of reading the console output ## without introducing an artificial delay because the sdmem which runs ## after this, results in much more console output. - echo "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg + info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg local dmsetup_actual_output dmsetup_expected_output dmsetup_actual_output="$(dmsetup ls --target crypt)" dmsetup_expected_output="No devices found" if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - echo "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg ## This should probably be removed in production? sleep 3 else - echo "\ + info "\ WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! debugging information: @@ -73,7 +73,7 @@ dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg sleep 5 fi - kexec -e && echo "kexec -e succeeded" || echo "kexec -e failed" + kexec -e && info "kexec -e succeeded" || info "kexec -e failed" } ram_wipe diff --git a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare index 7ae5b8b..83e35f5 100755 --- a/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare +++ b/usr/libexec/security-misc/cold-boot-attack-defense-kexec-prepare 
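Review bot: In the `@@ -73,7` hunk, `kexec -e && info … || info "kexec -e failed"` handles a failed `kexec -e` by logging one line and returning, after which dracut's shutdown continues with the ordinary action and the second-stage wipe (`wiperamexit=yes`) never runs; a user watching the console has no chance to notice. At minimum make the failure visible and pause the way the dmsetup branch above does: `if ! kexec -e; then warn "kexec -e failed: second RAM wipe will not run"; sleep 5; fi` (assuming dracut's `warn` is available here, as `info` is). The `&& … ||` form also runs the second `info` when the first one fails, which the `if` avoids. The rest of `ram_wipe` is outside this hunk.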
@@ -12,8 +12,16 @@ env ## Lets hope $1 is set to reboot, poweroff or halt by systemd. true "1: $1" -initrd=/boot/initrd.img-$(uname -r) -kernel=/boot/vmlinuz-$(uname -r) + +# Get the kernel command-line arguments +cmdline=$(cat /proc/cmdline) + +# Get the current boot image +kernel=$(echo "$cmdline" | grep -o 'BOOT_IMAGE=\S*' | cut -d '=' -f 2) +initrd=$(echo "$kernel" | sed "s#vmlinuz#initrd.img#") + +kernel="/boot/$kernel" +initrd="/boot/$initrd" if test -e $initrd; then echo "Initrd File Found" @@ -39,14 +47,9 @@ elif systemctl list-jobs | grep "reboot.target" | grep -q "start"; then elif systemctl list-jobs | grep "halt.target" | grep -q "start"; then wram="yes" wact="halt" -elif systemctl list-jobs | grep "kexec.target" | grep -q "start"; then - wram="yes" - wact="kexec" else - echo "Error no shutdown option found!" - wram="yes" - wact="error" + echo "No shutdown option found!" + exit 0 fi kexec -l $kernel --initrd=$initrd --reuse-cmdline --append="wiperamexit=$wram wiperamaction=$wact" - From b8e82fffca0138afaf20e1b2faf755ce1533af45 Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Sat, 7 Jan 2023 11:31:02 -0500 Subject: [PATCH 26/26] Get rid of /dev/kmsg --- .../40cold-boot-attack-defense/wipe-ram.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh index a30c285..2346a12 100755 --- a/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh +++ b/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh 
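Review bot: The new path derivation prefixes `/boot/` to whatever follows `BOOT_IMAGE=`, but GRUB typically reports that value relative to the filesystem it loaded the kernel from — `/vmlinuz-…` when `/boot` is a separate filesystem, `/boot/vmlinuz-…` when it is not — so on the second layout `$kernel` becomes `/boot//boot/vmlinuz-…`, which does not exist, and `$initrd` likewise. Strip a possible prefix before rebuilding the paths: `kernel="/boot/${kernel#/boot/}"` and `initrd="/boot/${initrd#/boot/}"` in place of the two prefixing lines. `cut -d '=' -f 2` would also truncate a path containing `=`; `${cmdline#*BOOT_IMAGE=}` followed by `%% *` avoids that. Whether the `test -e $initrd` check that follows aborts on a missing file is outside the hunk; if it only prints, the misderived path would surface only as a failed `kexec -l` further down.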
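Review bot: Replacing the `error` fallback with `echo "No shutdown option found!"` and `exit 0` in the `@@ -39,14 +47,9` hunk turns a parsing miss into a silent skip of the RAM wipe: if `systemctl list-jobs` does not show the expected `*.target start` job at the moment ExecStop runs, or its output format differs, shutdown completes with no image loaded and the unit reports success. The previous revision deliberately loaded an `error` image that still powered off after wiping, so this is a move in the fail-open direction; at least exit non-zero so the failure lands in the journal, e.g. `echo "ERROR: no shutdown job found, RAM wipe skipped" >&2; exit 1`. Dropping the `kexec.target` branch also means `systemctl kexec` now takes this path and presumably boots whatever image the user loaded, without a wipe — probably intended, but worth a comment. The `kexec -l` line at the end is unchanged context and the rest of the script is outside the hunk.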
@@ -23,20 +23,20 @@ ram_wipe() { kernel_wiperam_setting=$(getarg wiperam) if [ "$kernel_wiperam_setting" = "skip" ]; then - info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Skip, because wiperam=skip kernel parameter detected, OK." return 0 fi if [ "$kernel_wiperam_setting" = "force" ]; then - info "INFO: wipe-ram.sh: wiperam=force detected, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: wiperam=force detected, OK." else if systemd-detect-virt &>/dev/null ; then - info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Skip, because VM detected and not using wiperam=force kernel parameter, OK." return 0 fi fi - info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg + info "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." drop_caches 
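Review bot: The `if systemd-detect-virt &>/dev/null ; then` test in the middle of this hunk uses a bash-only redirection; under a POSIX `sh` such as dash it parses as `systemd-detect-virt &` followed by a bare `>/dev/null`, which always succeeds, so the `if` would take the "VM detected" branch on every machine and skip the wipe entirely. Which shell runs this shutdown hook is not visible here, but the sibling hooks in this series use `#!/bin/sh`, so the portable form is the safe one: `if systemd-detect-virt --quiet; then` (or `>/dev/null 2>&1`). Only the exit status matters for this guard, so nothing else changes. The rest of `ram_wipe` is outside this hunk.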
@@ -46,20 +46,20 @@ ram_wipe() { drop_caches - info "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: RAM wipe completed, OK." ## In theory might be better to check this beforehand, but the test is ## really fast. The user has no chance of reading the console output ## without introducing an artificial delay because the sdmem which runs ## after this, results in much more console output. - info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." > /dev/kmsg + info "INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks..." local dmsetup_actual_output dmsetup_expected_output dmsetup_actual_output="$(dmsetup ls --target crypt)" dmsetup_expected_output="No devices found" if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then - info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." > /dev/kmsg + info "INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK." ## This should probably be removed in production? sleep 3 else @@ -68,7 +68,7 @@ WARNING: wipe-ram.sh:There are still mounted encrypted disks! RAM wipe failed! debugging information: dmsetup_expected_output: '$dmsetup_expected_output' -dmsetup_actual_output: '$dmsetup_actual_output'" > /dev/kmsg +dmsetup_actual_output: '$dmsetup_actual_output'" ## How else could the user be informed that something is wrong? sleep 5 fi