drop_caches before and after sdmem

Patrick Schleizer 2022-07-02 19:10:55 -04:00
parent 67bdd58bf2
commit 69af8be7b8
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48


@ -7,6 +7,14 @@
## First version by @friedy10.
## https://github.com/friedy10/dracut/blob/master/modules.d/40sdmem/wipe.sh
drop_caches() {
sync
## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
### Ensure any remaining disk cache is erased by Linux' memory poisoning
echo 3 > /proc/sys/vm/drop_caches
sync
}
ram_wipe() {
local kernel_wiperam_setting
## getarg returns the last parameter only.
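Review bot: In the new drop_caches() helper, the write `echo 3 > /proc/sys/vm/drop_caches` can fail without any trace in the kernel log, so the script would still go on to print "RAM wipe completed, OK." even though the page cache was never released. Logging the failure the way the other messages are logged would make that visible: `echo 3 > /proc/sys/vm/drop_caches || echo "WARNING: wipe-ram.sh: drop_caches failed" > /dev/kmsg`. The comment carried into the helper says the freed cache is erased by the kernel's memory poisoning, which presumably only holds when an option such as `init_on_free=1` or `page_poison=1` is active; a one-line comment naming that dependency would keep the assumption explicit. The helper itself is complete within this hunk, but the body of ram_wipe continues outside it.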
@ -29,18 +37,14 @@ ram_wipe() {
echo "INFO: wipe-ram.sh: Cold boot attack defense... Starting RAM wipe on shutdown..." > /dev/kmsg
sync
## https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
### Ensure any remaining disk cache is erased by Linux' memory poisoning
echo 3 > /proc/sys/vm/drop_caches
sync
drop_caches
## TODO: sdmem settings. One pass only. Secure? Configurable?
## TODO: > /dev/kmsg 2> /dev/kmsg
sdmem -l -l -v
drop_caches
echo "INFO: wipe-ram.sh: RAM wipe completed, OK." > /dev/kmsg
## In theory might be better to check this beforehand, but the test is