{{Header}}
{{#seo:
|description=ram-wipe - Implementation notes.
}}
{{title|title=
Cold Boot Attack Defense - RAM Wipe Design Documentation
}}
{{fde-mininav}}
{{intro|
[[ram-wipe]] wipes the RAM twice during poweroff/reboot.

* '''1.''' RAM Wipe Pass 1/2: During poweroff/reboot.
* '''2.''' RAM Wipe Pass 2/2: It kexec's into a new kernel for the purpose of overwriting the first kernel's memory and performs a second RAM wipe pass.
}}
= Design =
== cold-boot-attack-defense ==
Implemented by dracut module [https://github.com/{{project_name_short}}/ram-wipe/tree/master/usr/lib/dracut/modules.d/ <code>cold-boot-attack-defense</code>] (by [[ram-wipe]]).

# <code>/usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh</code> runs <code>need_shutdown</code>.
# [https://github.com/dracut-ng/dracut-ng/pull/293 <code>dracut-ng</code> <code>dm-shutdown.sh</code> runs <code>cryptsetup close</code> to release the full disk encryption key during the shutdown process.]
# A dracut <code>cleanup</code> hook is declared in [https://github.com/{{project_name_short}}/ram-wipe/blob/master/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh <code>/usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh</code>] (by ram-wipe): <code>inst_hook cleanup 80 "$moddir/wipe-ram-needshutdown.sh"</code> Priority is <code>80</code>. TODO
# During boot, that dracut <code>cleanup</code> hook [https://github.com/{{project_name_short}}/ram-wipe/blob/master/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh <code>/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh</code>] (by ram-wipe) is calling dracut API function <code>need_shutdown</code> which results in file <code>/run/initramfs/.need_shutdown</code> being created.
# In result, at shutdown time when <code>/lib/systemd/system/dracut-shutdown.service</code> (by dracut) runs, <code>/usr/lib/dracut/dracut-initramfs-restore</code> (by dracut), will restore the initramfs and pivot into it.
# During shutdown, dracut will run its usual cleanup tasks such as unmounting the root (main) drive.
# The <code>shutdown</code> module (by dracut) will <code>source</code> and other shutdown hooks set up by other dracut modules.
# At time of writing there were no other dracut modules using the dracut shutdown hook known to the author of this website.
# [https://github.com/{{project_name_short}}/ram-wipe/blob/master/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh <code>wipe-ram.sh</code>] (by ram-wipe) is the dracut shutdown hook.
# An alternative description of the mechanism of dropping back to the initramfs during shutdown can be found under [https://systemd.io/INITRD_INTERFACE/ The initrd Interface of systemd].
# At a very late stage during the shutdown process when all disks were already unmounted by dracut, the <code>wipe-ram.sh</code> dracut shutdown hook is executed.
# The shutdown hook runs:

* <code>echo 3 > /proc/sys/vm/drop_caches</code>
** To ensure any remaining disk cache is erased by Linux' memory poisoning. <ref>Inspired by Tails.
https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
</ref>
* <code>sdmem -l -l -v</code>: To wipe the RAM using <code>sdmem</code>.
** The parameters <code>-l -l</code> result in a single pass of RAM wiping using zeros.
*** This is to optimize for speed. Otherwise, RAM wiping could take several minutes. However, the longer the shutdown process is delayed, the more users would disable this feature. Also, after wiping the RAM, it could actually be more important to shutdown to aid decay of RAM contents rather than wiping the RAM over and over for minutes before actually removing power.
*** When run manually, <code>sdmem</code> with these command-line parameters will show "Wipe mode is insecure (one pass with 0x00)," but no evidence that this would be actually insecure could be found. The sdmem manpage refers to Peter Gutmann, but the Gutmann method is about hard drives, not about RAM. No research indicating how many times RAM must be wiped to be non-recoverable has been found by the author of this website.
** The parameter <code>-v</code> is for verbose output, resulting only in a progress indicator.
** Any output (default or verbose) is only visible if a [[Recovery#Serial_Console|serial console]] is connected. This is because dracut by default hides output of commands it runs. Redirecting the output of <code>sdmem</code> to <code>/dev/kmsg</code> would result in hundreds or thousands of separate <code>*</code> characters being written to the console, each in its own line, which would not actually be useful. For a better progress meter of the RAM wipe process, if needed after user feedback, perhaps some buffer mechanism would have to be implemented.
* <code>dmsetup ls --target crypt</code>: To check if all encrypted disks are unmounted.
** Because only if all encrypted disks are unmounted will it be possible for the kernel to wipe the [[Full Disk Encryption]] (FDE) key from the kernel.
** Deletion of the FDE key is considered among the most crucial information to be wiped from RAM because if the FDE key could be recovered from RAM, then FDE could be compromised.
** Informs the user if all encrypted disks are unmounted in console output. Otherwise, shows a warning.

Quote [https://tails.boum.org/contribute/design/memory_erasure/ Tails' Memory erasure]:

<blockquote>
First, most memory is erased at the end of a normal shutdown/reboot sequence. This is implemented by the [https://tails.boum.org/contribute/design/kernel_hardening/ Linux kernel's freed memory poisoning feature], more specifically:

* page_poison
* passing "P" to slub_debug
* zeroing heap memory at free time (init_on_free=1)
</blockquote>

These kernel parameters are implemented in [[security-misc]] file [https://github.com/{{project_name_short}}/security-misc/blob/master/etc/default/grub.d/40_kernel_hardening.cfg <code>/etc/default/grub.d/40_kernel_hardening.cfg</code>].

Kernel parameter <code>wiperam=skip</code> is provided to support disabling RAM wipe at shutdown, which might be useful to speed up shutdown or in case any issues arise.

For potential limitations, the same limitations as under Quote [https://tails.boum.org/contribute/design/memory_erasure/ Tails' Memory erasure] chapter "Limitations" applies.

== ram-wipe-exit ==
dracut module <code>ram-wipe-exit</code>:

* The other dracut module <code>cold-boot-attack-defense</code> is independent.
** The first RAM wiping mechanism is useful irrespective of this supplemental kexec-based RAM wipe, which might be more prone to bugs.
** The other dracut module <code>cold-boot-attack-defense</code> in its main source code file <code>wipe-ram.sh</code> uses kexec to boot into a new kernel.
** That new kernel is actually the same kernel image, but thanks to kexec, the old kernel stops, and a new kernel is run, which should result in overwriting the old kernel's RAM.
** <code>kexec</code> is used with the <code>--reuse-cmdline</code> parameter for simplicity and to keep already existing RAM wipe-related kernel parameters (the Linux kernel's freed memory poisoning feature mentioned above).
** Additionally, kernel parameter <code>wiperamexit=1</code> is appended by dracut module <code>cold-boot-attack-defense</code>.
** <code>kexec</code> is used to load a new kernel into the memory so the old kernel memory is overwritten by the new kernel.
* Kernel parameter <code>wiperamexit=1</code> in dracut module <code>ram-wipe-exit</code> results in only wiping the RAM and then rebooting or powering off.
* It refrains from mounting the root image.
** In other words, <code>ram-wipe-exit</code> runs at very early boot before mounting the root image. This is done using dracut hook <code>pre-udev</code> (because that hook runs before <code>pre-mount</code>).
** Therefore, the full disk encryption (FDE) password entry is not required.
** The RAM wipe is done during the dracut initramfs stage before the FDE password is requested / before the root disk is mounted.
** The root image is not mounted at all when kernel parameter <code>wiperamexit=1</code> is set.
* When kernel parameter <code>wiperamexit=1</code> is set, after RAM wipe at early dracut initramfs stage, the system is rebooted or powered off, depending on the <code>wiperamaction</code> setting, which was set by the previous kernel.
* <code>kexec</code>-based wipe cannot be based on <code>systemd</code> with <code>Before=unmount.target</code> because unmounting the root disk and using <code>cryptsetup luksClose</code> so the full disk encryption (FDE) key gets wiped from RAM is one of the most important points of RAM wipe. It would need to be <code>After=unmount.target</code>. But at that stage, there is no more disk mounted with tools. Hence, dropping back to initramfs at shutdown is the correct design.
* Runs <code>reboot</code>, <code>poweroff</code>, <code>halt</code> as instructed by the previous kernel.

{{Anchor|Differences of security-misc Wipe RAM versus Tails Memory Erasure}}

= Differences of ram-wipe versus Tails Memory Erasure =

Tails memory erasure:

* based on Linux memory poisoning
* requires <code>initramfs-tools</code>
* based on <code>systemd-shutdown</code> <code>/lib/systemd/system-shutdown</code>
* requires Tails specific hook scripts such as [https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-restore <code>/usr/local/lib/initramfs-restore</code>] / <code>/usr/local/lib/udev-watchdog-wrapper</code>
* ISO specific / Live boot specific / squashfs specific
** https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/udev-watchdog-wrapper
** https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
* mixes the panic button / emergency shutdown / ISO removal trigger into the same scripts
* blueprints
** https://gitlab.tails.boum.org/tails/blueprints/-/wikis/more_efficient_memory_wipe
** https://gitlab.tails.boum.org/tails/blueprints/-/wikis/more_efficient_memory_wipe/grub
** https://gitlab.tails.boum.org/tails/blueprints/-/wikis/more_efficient_memory_wipe/memtest86plus

ram-wipe:

* based on Linux memory poisoning, run of <code>sdmem</code> and <code>kexec</code>
* requires <code>dracut</code>
* more generic
* should work on any Debian
* should be relatively easy to port to any Linux distribution since implemented as a <code>dracut</code> module
* should work equally for persistent boot from hard drive, [[grub-live|live boot from hard drive]] or ISO live boot
* A [https://forums.whonix.org/t/panic-button-panic-shutdown-buskill-the-usb-kill-cord-for-your-laptop/13755 panic button / panic shutdown / USB kill cord for your laptop] feature is not mixed together with this feature. It should be implemented separately as a standalone feature.

= Debugging =

* A Kicksecure or Whonix VM using VirtualBox with a virtual [[Recovery#Serial_Console|serial console]] (<-- see this already existing, fully tested, and functional documentation on how to set that up) as this can show/persist <code>echo</code> messages even after the VM was already powered off or rebooted.
* A boot menu entry to run dracut module <code>ram-wipe-exit</code> without needing to power off or reboot (similar to [https://github.com/{{project_name_short}}/grub-live/blob/master/etc/grub.d/11_linux_live grub-live <code>11_linux_live</code>]). File <code>/etc/grub.d/12_linux_wiperamexit</code>
* In Kicksecure / Whonix, package [https://github.com/{{project_name_short}}/debug-misc debug-misc] might be useful (<code>sudo apt update && sudo apt install debug-misc</code>) due to:
** https://github.com/{{project_name_short}}/debug-misc/blob/master/etc/default/grub.d/45_debug-misc.cfg
** https://github.com/{{project_name_short}}/debug-misc/blob/master/etc/sysctl.d/40_debug-misc.conf
** https://github.com/{{project_name_short}}/debug-misc/blob/master/etc/dracut.conf.d/40_debug-misc.conf
** (these files could be used standalone / manually installed or "bulk" installed through installing the debug-misc package)

(This file would be shipped out commented by default. Only useful for development / debugging.)

<pre>
#!/bin/sh

## Copyright (C) 2022 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Untested!

set -e

#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=reboot"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=poweroff"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=halt"

GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=debug"

export GRUB_CMDLINE_LINUX

if test -x /etc/grub.d/10_linux ; then
	/etc/grub.d/10_linux
fi
</pre>

<pre>
sudo update-grub
</pre>

Maybe useful during development:

* <code>grep -r pre-udev --color /usr/lib/dracut</code>

A [https://forums.whonix.org/t/panic-button-panic-shutdown-buskill-the-usb-kill-cord-for-your-laptop/13755 panic button / panic shutdown / USB kill cord for your laptop] feature is not mixed together with this feature. It should be implemented separately as a standalone feature.

= Status of initramfs-tools Support =

Support for initramfs-tools is not planned by the authors of ram-wipe. No progress on initramfs-tools support should be expected.

The problem with initramfs-tools support is that, in contrast to dracut, while initramfs-tools supports initrd (initial ramdisk), it does not support exitrd (exit ramdisk).

dracut supports both initrd (initial ram disk at boot time) as well as exitrd (dropping back to initial ramdisk at shutdown time). A feature request has been posted against the [https://packages.debian.org/search?keywords=initramfs-tools Debian initramfs-tools] package [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778849 Support restoring initrd on shutdown and pivoting into it].

Contributors wishing to add initramfs-tools support to ram-wipe should add exitrd support to upstream, original initramfs-tools.

As a starting point, Tails has implemented [https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-restore initramfs-restore], which might help to look at and provide inspiration when developing the exitrd functionality for initramfs-tools. The Tails initramfs-tools exitrd implementation would have to be made generic, meaning unspecific to Tails (no code references to other Tails specific code) and made acceptable for the initramfs-tools developers for inclusion into the upstream source code. However, using the Tails implementation as a starting point is, of course, not a strict requirement.

Once initramfs-tools gets exitrd support, it might be easy to add initramfs-tools support to ram-wipe.

= Development TODO =
* security testing: similar to https://gitlab.tails.boum.org/tails/blueprints/-/wikis/more_efficient_memory_wipe/memtest86plus
* A number of [[Ram-wipe#ram-wipe_Known_Issues|ram-wipe known issues]] requires fixing.
* <s>SecureBoot breaks kexec</s> (Fixed.)

= ram-wipe Testing inside a VM =

'''1.''' Platform specific notice.

* {{project_name_short}}: No special notice.
* Qubes OS: ram-wipe is unavailable for Qubes OS. <ref>
[https://github.com/QubesOS/qubes-issues/issues/1562 Wipe RAM on shutdown #1562]
</ref>

'''2.''' Install <code>ram-wipe</code>.

<code>ram-wipe</code> is not installed by default in VMs because it's usually not needed there except for testing.

{{Install_Package|package=
ram-wipe
}}

'''3.''' Reboot

{{CodeSelect|code=
sudo reboot
}}

'''4.''' Set up a virtual serial console.

A virtual serial console helps to read all the journal kernel messages during early boot and shutdown.

Can be set up as per [[Recovery#Serial_Console|serial console documentation]]. Only a read-only serial console was somewhat recently tested and should suffice. An interactive serial console might not be required.

'''5.''' Status.

Now a serial console should nicely show the output during boot and shutdown of ram-wipe.

'''6.''' Bug [https://github.com/dracutdevs/dracut/issues/1888 dracut should unmount the root encrypted disk `cryptsetup luksClose` during shutdown] (fixed in dracut-ng, should be fixed in Debian trixie) will not be reproducible because {{project_name_short}} VM images do not use full disk encryption. (The rationale for not using full disk encryption for VM images is documented on the [[Encrypted_Images|Encrypted VM Images]] wiki page.

As a workaround, install Debian bookworm using Debian DVD ([[Debian Tips]]), then install {{project_name_short}} as per [[Debian|distribution morphing Debian into {{project_name_short}}]] instructions. Then re-apply the instructions listed here.

= Forum Discussion =
https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596

= See Also =
* [[Dev/RAM Wipe Old Notes|RAM Wipe Archived Development Notes]]
* [[Cold Boot Attack Defense]]
* [[ram-wipe|<code>ram-wipe</code> User Documentation]]
* https://github.com/{{project_name_short}}/ram-wipe

= Footnotes=
<references/>

{{Footer}}

[[Category: Design]]
[[Category: Development]]