Is RAM Wipe possible inside Whonix? Cold Boot Attack Defense

Patrick · October 9, 2020, 12:05pm

Patrick · December 8, 2020, 11:15am

Patrick · December 8, 2020, 11:16am

github.com/systemd/systemd

Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks

opened 07:30PM - 07 Dec 20 UTC

closed 08:23PM - 07 Dec 20 UTC

adrelanos

cryptsetup already-implemented

**Is your feature request related to a problem? Please describe.** * https://…www.youtube.com/watch?v=JDaicPIgn9U * https://en.wikipedia.org/wiki/Cold_boot_attack * https://blog.f-secure.com/cold-boot-attacks/ * https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf **Describe the solution you'd like** Run `cryptsetup close` at end of shutdown procedure. Quote `cryptsetup close` (previously `cryptsetup lukseClose`) man page (bold added): > close > Removes the existing mapping <name> and **wipes the key from kernel memory**. Maybe `cryptsetup close` could be implemented in [`systemd-shutdown`](https://github.com/systemd/systemd/blob/master/src/shutdown/shutdown.c)? Or a script in folder `/lib/systemd/system-shutdown`? This would not wipe all secrets from RAM to defeat a cold boot attack but at least remove one of the most important secrets, the root disk LUKS encryption key. **Describe alternatives you've considered** This issue can probably not be redirected at the Linux kernel. While a generic solution `Wipe RAM to defeat Cold Boot Attacks` (#17242) probably belongs into the kernel, this does not. For the kernel to be able to wipe the memory, encrypted LUKS devices need to be properly closed first. `cryptsetup close` does that. `/lib/cryptsetup/cryptdisks-functions` does not run `cryptsetup close` on root device. ``` # Removes all mappings in crypttab, except the ones holding the root # file system or /usr do_stop() { ``` A related systemd feature request is "cryptsetup luksSuspend (wipes encryption key from kernel) on suspend" (#5794). This feature request is not a duplicate. The other ticket is for wiping the LUKS encryption key on suspend. This ticket is for wiping the LUKS encryption key on shutdown.

Patrick · December 29, 2020, 2:47pm

@Patrick:

Avoiding all sidelines, keeping this simple, for my understanding and for the record and please correct me if I am wrong… Summary:

"cryptsetup close" of root device during shutdown is already implemented.

@poettering:

"cryptsetup close" of root device during shutdown is already implemented.

iff your initrd/distro of choice do so. For the root disk it doesn’t matter what systemd does, it matters what the initrd/distro do. hence ping the maintainers of those.

Patrick · December 29, 2020, 3:52pm

Debian feature request:
Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks from Initial Ramdisk (initramfs-tools or dracut)

Patrick · December 29, 2020, 4:38pm

Control: severity -1 wishlist
Control: reassign -1 cryptsetup-initramfs
Control: block -1 by 778849

Hi,

AFAICT dracut has dracut-shutdown(8) which you can extend at will, or
convince the maintainer to ship the required logic for everyone.
However Debian’s default initramfs, namely initramfs-tools(7) currently
has no interface to hook into at shutdown, and init doesn’t even hand
execution over to the initramfs during the shutdown phase (#778849).
When such an interface is available we can ship shutdown scripts into
cryptsetup-initramfs.

cheers
--
Guilhem.

related:
Support restoring initrd on shutdown and pivoting into it (#778849)

Maybe a good reason for replacing initramfs-tools with dracut.

Patrick · December 29, 2020, 5:06pm

Debian dracut feature request:
Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks from Dracut Initramfs

Patrick · December 29, 2020, 5:17pm

dracut upstream feature request:

github.com/dracutdevs/dracut

Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks

opened 05:18PM - 29 Dec 20 UTC

adrelanos

enhancement

**Is your feature request related to a problem? Please describe.** Defeat Col…d Boot Attacks by wiping LUKS disk encryption during shutdown. What is a Cold Boot Attacks? See: * https://www.youtube.com/watch?v=JDaicPIgn9U * https://en.wikipedia.org/wiki/Cold_boot_attack * https://blog.f-secure.com/cold-boot-attacks/ * https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf **Describe the solution you'd like** Run `cryptsetup close` at end of shutdown procedure. Quote `cryptsetup close` (previously `cryptsetup lukseClose`) man page (bold added): > close > Removes the existing mapping <name> and **wipes the key from kernel memory**. Maybe `cryptsetup close` could be done during `dracut-shutdown`? This would not wipe all secrets from RAM to defeat a cold boot attack but at least remove one of the most important secrets, the root disk LUKS encryption key. **Describe alternatives you've considered** Linux kernel feature: This issue can probably not be redirected at the Linux kernel. While a generic solution `Wipe RAM to defeat Cold Boot Attacks` (https://github.com/systemd/systemd/issues/17242) probably belongs into the kernel, this does not. For the kernel to be able to wipe the memory, encrypted LUKS devices need to be properly closed first. `cryptsetup close` does that. systemd feature: systemd does not wipe the LUKS disk encryption key for root disk from RAM during shutdown. And as I understand systemd developer @poettering Lennart Poettering, this isn't up to systemd either. It's up to the initrd / initramfs. (https://github.com/systemd/systemd/issues/17887) Quote myself (https://github.com/systemd/systemd/issues/17887#issuecomment-750340608): > Avoiding all sidelines, keeping this simple, for my understanding and for the record and please correct me if I am wrong... Summary: > > `"cryptsetup close" of root device during shutdown` is already implemented. Quote systemd developer @poettering Lennart Poettering (https://github.com/systemd/systemd/issues/17887#issuecomment-751252894): > > `"cryptsetup close" of root device during shutdown` is already implemented. > > iff your initrd/distro of choice do so. For the root disk it doesn't matter what systemd does, it matters what the initrd/distro do. hence ping the maintainers of those.

Patrick · June 29, 2022, 11:26am

dracut upstream pull request:

github.com/dracutdevs/dracut

Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks

dracutdevs:master ← friedy10:master

opened 11:25AM - 29 Jun 22 UTC

adrelanos

+28 -0

Purpose of this pull request: Receiving some early feedback if this approach loo…ks acceptable. * Work in progress. * Console output are yet to be improved and documentation written. * Untested by me. Will test soon. * Tests I am not sure yet how this could realistically be tested. ## Changes * Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.) * Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks. ## Checklist - [ ] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it Fixes #997

Patrick · June 29, 2022, 8:57pm

Review welcome.

Patrick · June 29, 2022, 9:45pm

Could you please test the sdmem(1) — secure-delete — Debian bullseye — Debian Manpages command. Check the timing. How long the command requires to complete. Because the same time will be required on every reboot / shutdown.

Note: There’s a chance it might freeze a VM or host operating system. It didn’t happen to me yet but better to have this in mind.

Installation:

sudo apt update
sudo apt install secure-delete time

Disabling swap is required. Otherwise smem would fill up all RAM and the system highly likely to permanently freeze.

sudo swapoff --all

To verify that swap is off:

sudo swapon --show ; echo $?

Expected output:

0

Built-in help:

sudo sdmem -h

Default mode:

time sudo sdmem

Verbose mode:

time sudo sdmem -v

Probably better because it shows some progress.

For just a single pass of RAM wipe with zeros:

without verbose mode:
- time sudo sdmem -l -l
with verbose mode:
- time sudo sdmem -l -l -v

The time command is optional. Can be dropped. But useful here to measure how long it takes.

Default mode does, quote:

27 passes with special values defined by Peter Gutmann.

Not sure that is really necessary because if I remember right, Peter Gutmann was about hard drives, not RAM. Is there any research how many passes RAM wipe requires?

Should RAM wipe be skipped inside VMs for faster reboot / shutdown times? I am not sure about the dynamics of RAM wipe in VMs. In worst case, the VM might start use swap file on the host operating system. Therefore I tend to say RAM wipe should be skipped if a VM is detected.

nurmagoz · June 29, 2022, 11:28pm

secure-delete* package name in debian (sdmem: secure-delete memory)

Wipe mode is secure (38 special passes)
Using /dev/urandom for random input.

real 1m40.819s
user 0m0.072s
sys 0m0.163s

Wipe mode is insecure (one pass with 0x00)

real 0m0.503s
user 0m0.008s
sys 0m0.089s

Happen to me, i opened xfce-terminal and start moving it right and left until the screen freezed permanently (play for less than 3 minutes with anything like browse some stuff and open close terminal…).

Patrick · July 2, 2022, 8:43pm

github.com/dracutdevs/dracut

dracut-shutdown.service lacks DRACUT_SYSTEMD=1 environment variable

opened 08:42PM - 02 Jul 22 UTC

adrelanos

bug

**Describe the bug** dracut-shutdown.service lacks DRACUT_SYSTEMD=1 environme…nt variable **Distribution used** Debian but easily seen in dracut upstream source code: https://github.com/dracutdevs/dracut/blob/master/modules.d/98dracut-systemd/dracut-shutdown.service#L11 **Dracut version** latest git **Init system** systemd **To Reproduce** Write a shutdown hook and check for DRACUT_SYSTEMD variable existence. **Expected behavior** DRACUT_SYSTEMD=1 environment variable should be set during **Additional context** dracut-lib.sh looks at the DRACUT_SYSTEMD environment variable. For example, the `info` and `warn` functions of dracut-lib.sh require a properly set DRACUT_SYSTEMD. All other dracut systemd units in https://github.com/dracutdevs/dracut/blob/master/modules.d/98dracut-systemd/ are setting the DRACUT_SYSTEMD environment variable too.

github.com/dracutdevs/dracut

fix(dracut-systemd): set Environment=DRACUT_SYSTEMD=1 environment variable in dracut-shutdown.service

dracutdevs:master ← adrelanos:patch-1

opened 08:42PM - 02 Jul 22 UTC

adrelanos

+1 -0

## Changes * set Environment=DRACUT_SYSTEMD=1 environment variable in dracut-…shutdown.service ## Checklist - [x] I have tested it locally - [x] I have reviewed and updated any documentation if relevant: none required - [x] I am providing new code and test(s) for it: none required Fixes #1862

Patrick · July 3, 2022, 1:01pm

Huge progress has been made.

Implemented by dracut module cold-boot-attack-defense (by security-misc).

Will in near future be available for Kicksecure hosts. Should be easy to port to other Linux distributions.

See design documentation, review welcome:

More documentation, call for testers coming in near future.

Patrick · July 12, 2022, 5:15pm

Future design (additional kexec based RAM wipe) has been elaborated:
https://www.kicksecure.com/wiki/Dev/RAM_Wipe#Future_Design

Patrick · July 18, 2022, 9:38am

I’ll try to assign this task to implement also the future design to a contractor. Hopefully there will be a good news soon.

Patrick · August 4, 2022, 10:16pm

github.com/dracutdevs/dracut

dracut should unmount the root encrypted disk `cryptsetup luksClose` during shutdown

opened 10:15PM - 04 Aug 22 UTC

adrelanos

bug

**Describe the bug** dracut does not unmount the root encrypted disk on shutdow…n. (Using `cryptsetup luksClose`.) **Distribution used** Debian bullseye **Dracut version** 0.51 **Init system** systemd **To Reproduce** I've wrote a dracut shutdown module that runs `dmsetup ls --target crypt` which reports that an encrypted disk is still open. https://github.com/Kicksecure/security-misc/blob/master/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh#L57 Also searching inside the dracut source code didn't yield any result for closing the encrypted root disk during shutdown. I am also seeing an error message during shutdown. (These messages are unreadable because shutdown is so quick. So I used a camera to record a video of the shutdown process to see these messages.) > device-mapper: remote ioctl on host--vg-root failed: Device or resource busy > device-mapper: remote ioctl on sda5_crypt failed: Device or resource busy > device-mapper: remote ioctl on host--vg-root failed: Device or resource busy > Powering off. That error message is probably caused by `/usr/lib/systemd/systemd-shutdown` because [`shutdown.c`](https://github.com/systemd/systemd/blob/main/src/shutdown/shutdown.c) includes `dm_detach_all`. `log_info("Powering off.");`. That could be a bug in systemd but indicates that dracut exitrd didn't properly clean up by running `cryptsetup luksClose`. These `Device or resource busy` messages are also reproducible on unmodified systems (no dracut modifications, no custom modules). Please let me know if you need better instructions how to reproduce this. **Expected behavior** dracut performs `cryptsetup luksClose` on shutdown. **Why should dracut perform `cryptsetup luksClose` on shutdown?** * Good style. * Everything dracut does to prepare the system for boot (initrd) should be undone, cleaned up during shutdown (exitrd) if it is reasonable to do so. This includes killing remaining processes, unmounting root and why not also `cryptsetup luksClose`. * Lower chances of data loss. If the root risk could be unmounted as well as the root luks device. By running `cryptsetup luksClose`, it increases chances that the kernel will flush all cashes and write them to the disk. * The time effort for `cryptsetup luksClose` on shutdown is really minimal but nice and clean. * systemd's `/usr/lib/systemd/systemd-shutdown` because [`shutdown.c`](https://github.com/systemd/systemd/blob/main/src/shutdown/shutdown.c) apparently also attempts to unmount the root encrypted luks disk (by calling function `dm_detach_all`). * Important for RAM wipe at shutdown to make sure (or at least increase chances) of releasing the luks disk encryption key - https://github.com/dracutdevs/dracut/issues/997 ---- **Search dracut source code for `luksClose`.** grep -r -i luksclose /usr/lib/dracut `90crypt/crypt-cleanup.sh` > `cryptsetup luksClose $i >/dev/null 2>&1 && do_break=n` `91crypt-loop/crypt-loop-lib.sh` > `printf "%s\n" "cryptsetup luksClose \"$key\"" > ${hookdir}/cleanup/"crypt-loop-cleanup-10-${key##*/}".sh` `90crypt/module-setup.sh` defines `inst_hook cleanup 30 "$moddir/crypt-cleanup.sh"` so that isn't about shutdown. `91crypt-loop/crypt-loop-lib.sh` isn't about shutdown either. I also couldn't find any `inst_hook shutdown` for any crypto related dracut module. grep -r -i hook /usr/lib/dracut | grep --color -i shutdown `99shutdown/shutdown.sh` runs `umount` but nothing related to crypto. In conclusion, I don't think that anything like "`cryptsetup luksClose`" at shutdown is currently implemented in dracut.

Patrick · August 13, 2022, 8:33pm

[systemd-devel] What is the shutdown sequence with systemd and dracut?

Patrick · January 7, 2023, 1:16pm

Patrick · January 9, 2023, 12:03pm

Migration from GitHub - Kicksecure/security-misc: Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc to

is in process.