From 72a022a6f59336153af1cc9b40d768134177ac1e Mon Sep 17 00:00:00 2001 From: Zephyr <35401827+zephyr1x@users.noreply.github.com> Date: Tue, 28 Jun 2022 19:47:53 -0600 Subject: [PATCH 1/3] Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks --- modules.d/40sdmem/module-setup.sh | 19 +++++++++++++++++++ modules.d/40sdmem/wipe.sh | 5 +++++ 2 files changed, 24 insertions(+) create mode 100755 modules.d/40sdmem/module-setup.sh create mode 100755 modules.d/40sdmem/wipe.sh diff --git a/modules.d/40sdmem/module-setup.sh b/modules.d/40sdmem/module-setup.sh new file mode 100755 index 0000000000..6d5c4c5230 --- /dev/null +++ b/modules.d/40sdmem/module-setup.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh +check() { +return 0 +} + +depends() { +return 0 +} + +install() { +inst_hook shutdown 40 "$moddir/wipe.sh" +} + +installkernel() { +return 0 +} + diff --git a/modules.d/40sdmem/wipe.sh b/modules.d/40sdmem/wipe.sh new file mode 100755 index 0000000000..7fb2a60702 --- /dev/null +++ b/modules.d/40sdmem/wipe.sh @@ -0,0 +1,5 @@ +echo "Checking for mounted disks..." +dmsetup ls --target crypt +echo "WIPE RAM!" +/bin/sdmem -f +echo "WIPE DONE!" From 9baf4af676ec44b54543e942acef9928d9b9bd4a Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Tue, 28 Jun 2022 19:52:51 -0600 Subject: [PATCH 2/3] Create README.md --- modules.d/40sdmem/README.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 modules.d/40sdmem/README.md diff --git a/modules.d/40sdmem/README.md b/modules.d/40sdmem/README.md new file mode 100644 index 0000000000..d9e7f5eacd --- /dev/null +++ b/modules.d/40sdmem/README.md @@ -0,0 +1,4 @@ +### Make sure sdmem is part of the initramfs +sudo apt-get install secure-delete + +sudo dracut --include /usr/bin/sdmem /etc/sdmem --force From 48ac02c2f79d5f061b1be659f380a1fe9ab5731e Mon Sep 17 00:00:00 2001 From: Friedrich Doku Date: Tue, 28 Jun 2022 19:56:42 -0600 Subject: [PATCH 3/3] Update README.md --- modules.d/40sdmem/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules.d/40sdmem/README.md b/modules.d/40sdmem/README.md index d9e7f5eacd..3ae2595bf9 100644 --- a/modules.d/40sdmem/README.md +++ b/modules.d/40sdmem/README.md @@ -1,4 +1,4 @@ ### Make sure sdmem is part of the initramfs sudo apt-get install secure-delete -sudo dracut --include /usr/bin/sdmem /etc/sdmem --force +sudo dracut --include /usr/bin/sdmem /bin/sdmem --force