From 6d3a08a9365207923edd2f0b6f8aebdc635d3b33 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 29 Jun 2022 15:17:40 -0400
Subject: [PATCH] improvements

---
 .../modules.d/40sdmem-security-misc/wipe.sh | 37 ++++++++++++++++---
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh
index b881c44..d1a2e56 100755
--- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh
+++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh
@@ -1,8 +1,33 @@
 #!/bin/sh
 
-echo "Checking for mounted disks..."
-dmsetup ls --target crypt
-echo "WIPE RAM!"
-## TODO: remove -f (fast and insecure mode)
-sdmem -v -f
-echo "WIPE DONE!"
+ram_wipe() {
+ info "$0: START: COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN"
+
+ info "$0: Checking if there are still mounted encrypted disks..."
+
+ local dmsetup_actual_output dmsetup_expected_output
+ dmsetup_actual_output="$(dmsetup ls --target crypt)"
+ dmsetup_expected_output="No devices found"
+
+ if [ "$dmsetup_actual_output" = "$dmsetup_expected_output" ]; then
+ info "$0: Success, there are no more mounted encrypted disks, OK."
+ else
+ warn "\
+$0: There are still mounted encrypted disks! RAM wipe failed!
+
+debugging information:
+dmsetup_expected_output: '$dmsetup_expected_output'
+dmsetup_actual_output: '$dmsetup_actual_output'"
+ return 0
+ fi
+
+ info "$0: Starting RAM wipe..."
+
+ ## TODO: sdmem settings. One pass only. Secure? Configurable?
+ sdmem -l -l -f
+
+ info "$0: RAM wipe completed, OK."
+ info "$0: END COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN"
+}
+
+ram_wipe
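Review bot: The exit status of `sdmem -l -l -f` is never checked, so `info "$0: RAM wipe completed, OK."` is logged even when sdmem is missing from the initramfs or exits non-zero, which turns a failed security control into a success message in the boot log; the script runs under `#!/bin/sh` without `set -e`, so nothing else catches it. The same applies to `dmsetup_actual_output="$(dmsetup ls --target crypt)"`: a dmsetup failure yields empty output, which merely falls into the "still mounted" branch and is reported as mounted disks rather than as a tool error, so capturing `$?` there and logging it in the debugging block would make the warning accurate. Since the failure branch ends with `return 0` and the function's status is the script's status, the script can never signal failure to whatever invokes the hook — presumably intentional so shutdown is not aborted, but worth a comment such as `## return 0 on purpose: a failed wipe must not block shutdown`. The comparison against the literal `No devices found` is a match on a human-readable message; a short comment noting that this string is dmsetup's current wording (and would need updating if it changes) would help the next maintainer. The `## TODO` on the sdmem flags already records that one zero-fill pass in fast mode is the chosen trade-off, so only the status check is proposed below.
```sh
# … unchanged: dmsetup check …
 info "$0: Starting RAM wipe..."

 ## TODO: sdmem settings. One pass only. Secure? Configurable?
 local sdmem_status
 sdmem_status=0
 sdmem -l -l -f || sdmem_status=$?
 if [ "$sdmem_status" = "0" ]; then
 info "$0: RAM wipe completed, OK."
 else
 warn "$0: sdmem exited with status '$sdmem_status'! RAM wipe failed!"
 fi

 info "$0: END COLD BOOT ATTACK DEFENSE - RAM WIPE ON SHUTDOWN"
```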