Is RAM Wipe possible inside Whonix? Cold Boot Attack Defense

Patrick · December 29, 2020, 5:17pm

dracut upstream feature request:

Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks

opened 05:18PM - 29 Dec 20 UTC

enhancement

**Is your feature request related to a problem? Please describe.** Defeat Col…d Boot Attacks by wiping LUKS disk encryption during shutdown. What is a Cold Boot Attacks? See: * https://www.youtube.com/watch?v=JDaicPIgn9U * https://en.wikipedia.org/wiki/Cold_boot_attack * https://blog.f-secure.com/cold-boot-attacks/ * https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf **Describe the solution you'd like** Run `cryptsetup close` at end of shutdown procedure. Quote `cryptsetup close` (previously `cryptsetup lukseClose`) man page (bold added): > close > Removes the existing mapping <name> and **wipes the key from kernel memory**. Maybe `cryptsetup close` could be done during `dracut-shutdown`? This would not wipe all secrets from RAM to defeat a cold boot attack but at least remove one of the most important secrets, the root disk LUKS encryption key. **Describe alternatives you've considered** Linux kernel feature: This issue can probably not be redirected at the Linux kernel. While a generic solution `Wipe RAM to defeat Cold Boot Attacks` (https://github.com/systemd/systemd/issues/17242) probably belongs into the kernel, this does not. For the kernel to be able to wipe the memory, encrypted LUKS devices need to be properly closed first. `cryptsetup close` does that. systemd feature: systemd does not wipe the LUKS disk encryption key for root disk from RAM during shutdown. And as I understand systemd developer @poettering Lennart Poettering, this isn't up to systemd either. It's up to the initrd / initramfs. (https://github.com/systemd/systemd/issues/17887) Quote myself (https://github.com/systemd/systemd/issues/17887#issuecomment-750340608): > Avoiding all sidelines, keeping this simple, for my understanding and for the record and please correct me if I am wrong... Summary: > > `"cryptsetup close" of root device during shutdown` is already implemented. Quote systemd developer @poettering Lennart Poettering (https://github.com/systemd/systemd/issues/17887#issuecomment-751252894): > > `"cryptsetup close" of root device during shutdown` is already implemented. > > iff your initrd/distro of choice do so. For the root disk it doesn't matter what systemd does, it matters what the initrd/distro do. hence ping the maintainers of those.

Patrick · June 29, 2022, 11:26am

dracut upstream pull request:

github.com/dracutdevs/dracut

Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks

dracutdevs:master ← friedy10:master

opened 11:25AM - 29 Jun 22 UTC

adrelanos

+28 -0

Purpose of this pull request: Receiving some early feedback if this approach loo…ks acceptable. * Work in progress. * Console output are yet to be improved and documentation written. * Untested by me. Will test soon. * Tests I am not sure yet how this could realistically be tested. ## Changes * Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.) * Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks. ## Checklist - [ ] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it Fixes #997

Patrick · June 29, 2022, 8:57pm

Review welcome.

Patrick · June 29, 2022, 9:45pm

Could you please test the sdmem(1) — secure-delete — Debian bookworm — Debian Manpages command. Check the timing. How long the command requires to complete. Because the same time will be required on every reboot / shutdown.

Note: There’s a chance it might freeze a VM or host operating system. It didn’t happen to me yet but better to have this in mind.

Installation:

sudo apt update
sudo apt install secure-delete time

Disabling swap is required. Otherwise smem would fill up all RAM and the system highly likely to permanently freeze.

sudo swapoff --all

To verify that swap is off:

sudo swapon --show ; echo $?

Expected output:

0

Built-in help:

sudo sdmem -h

Default mode:

time sudo sdmem

Verbose mode:

time sudo sdmem -v

Probably better because it shows some progress.

For just a single pass of RAM wipe with zeros:

without verbose mode:
- time sudo sdmem -l -l
with verbose mode:
- time sudo sdmem -l -l -v

The time command is optional. Can be dropped. But useful here to measure how long it takes.

Default mode does, quote:

27 passes with special values defined by Peter Gutmann.

Not sure that is really necessary because if I remember right, Peter Gutmann was about hard drives, not RAM. Is there any research how many passes RAM wipe requires?

Should RAM wipe be skipped inside VMs for faster reboot / shutdown times? I am not sure about the dynamics of RAM wipe in VMs. In worst case, the VM might start use swap file on the host operating system. Therefore I tend to say RAM wipe should be skipped if a VM is detected.

nurmagoz · June 29, 2022, 11:28pm

secure-delete* package name in debian (sdmem: secure-delete memory)

Wipe mode is secure (38 special passes)
Using /dev/urandom for random input.

real 1m40.819s
user 0m0.072s
sys 0m0.163s

Wipe mode is insecure (one pass with 0x00)

real 0m0.503s
user 0m0.008s
sys 0m0.089s

Happen to me, i opened xfce-terminal and start moving it right and left until the screen freezed permanently (play for less than 3 minutes with anything like browse some stuff and open close terminal…).

Patrick · July 2, 2022, 8:43pm

github.com/dracutdevs/dracut

dracut-shutdown.service lacks DRACUT_SYSTEMD=1 environment variable

opened 08:42PM - 02 Jul 22 UTC

adrelanos

bug

**Describe the bug** dracut-shutdown.service lacks DRACUT_SYSTEMD=1 environme…nt variable **Distribution used** Debian but easily seen in dracut upstream source code: https://github.com/dracutdevs/dracut/blob/master/modules.d/98dracut-systemd/dracut-shutdown.service#L11 **Dracut version** latest git **Init system** systemd **To Reproduce** Write a shutdown hook and check for DRACUT_SYSTEMD variable existence. **Expected behavior** DRACUT_SYSTEMD=1 environment variable should be set during **Additional context** dracut-lib.sh looks at the DRACUT_SYSTEMD environment variable. For example, the `info` and `warn` functions of dracut-lib.sh require a properly set DRACUT_SYSTEMD. All other dracut systemd units in https://github.com/dracutdevs/dracut/blob/master/modules.d/98dracut-systemd/ are setting the DRACUT_SYSTEMD environment variable too.

github.com/dracutdevs/dracut

fix(dracut-systemd): set Environment=DRACUT_SYSTEMD=1 environment variable in dracut-shutdown.service

dracutdevs:master ← adrelanos:patch-1

opened 08:42PM - 02 Jul 22 UTC

adrelanos

+1 -0

## Changes * set Environment=DRACUT_SYSTEMD=1 environment variable in dracut-…shutdown.service ## Checklist - [x] I have tested it locally - [x] I have reviewed and updated any documentation if relevant: none required - [x] I am providing new code and test(s) for it: none required Fixes #1862

Patrick · July 3, 2022, 1:01pm

Huge progress has been made.

Implemented by dracut module cold-boot-attack-defense (by security-misc).

Will in near future be available for Kicksecure hosts. Should be easy to port to other Linux distributions.

See design documentation, review welcome:

More documentation, call for testers coming in near future.

Patrick · July 12, 2022, 5:15pm

Future design (additional kexec based RAM wipe) has been elaborated:
https://www.kicksecure.com/wiki/Dev/RAM_Wipe#Future_Design

Patrick · July 18, 2022, 9:38am

I’ll try to assign this task to implement also the future design to a contractor. Hopefully there will be a good news soon.

Patrick · August 4, 2022, 10:16pm

github.com/dracutdevs/dracut

dracut should unmount the root encrypted disk `cryptsetup luksClose` during shutdown

opened 10:15PM - 04 Aug 22 UTC

adrelanos

bug

**Describe the bug** dracut does not unmount the root encrypted disk on shutdow…n. (Using `cryptsetup luksClose`.) **Distribution used** Debian bullseye **Dracut version** 0.51 **Init system** systemd **To Reproduce** I've wrote a dracut shutdown module that runs `dmsetup ls --target crypt` which reports that an encrypted disk is still open. https://github.com/Kicksecure/security-misc/blob/master/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh#L57 Also searching inside the dracut source code didn't yield any result for closing the encrypted root disk during shutdown. I am also seeing an error message during shutdown. (These messages are unreadable because shutdown is so quick. So I used a camera to record a video of the shutdown process to see these messages.) > device-mapper: remote ioctl on host--vg-root failed: Device or resource busy > device-mapper: remote ioctl on sda5_crypt failed: Device or resource busy > device-mapper: remote ioctl on host--vg-root failed: Device or resource busy > Powering off. That error message is probably caused by `/usr/lib/systemd/systemd-shutdown` because [`shutdown.c`](https://github.com/systemd/systemd/blob/main/src/shutdown/shutdown.c) includes `dm_detach_all`. `log_info("Powering off.");`. That could be a bug in systemd but indicates that dracut exitrd didn't properly clean up by running `cryptsetup luksClose`. These `Device or resource busy` messages are also reproducible on unmodified systems (no dracut modifications, no custom modules). Please let me know if you need better instructions how to reproduce this. **Expected behavior** dracut performs `cryptsetup luksClose` on shutdown. **Why should dracut perform `cryptsetup luksClose` on shutdown?** * Good style. * Everything dracut does to prepare the system for boot (initrd) should be undone, cleaned up during shutdown (exitrd) if it is reasonable to do so. This includes killing remaining processes, unmounting root and why not also `cryptsetup luksClose`. * Lower chances of data loss. If the root risk could be unmounted as well as the root luks device. By running `cryptsetup luksClose`, it increases chances that the kernel will flush all cashes and write them to the disk. * The time effort for `cryptsetup luksClose` on shutdown is really minimal but nice and clean. * systemd's `/usr/lib/systemd/systemd-shutdown` because [`shutdown.c`](https://github.com/systemd/systemd/blob/main/src/shutdown/shutdown.c) apparently also attempts to unmount the root encrypted luks disk (by calling function `dm_detach_all`). * Important for RAM wipe at shutdown to make sure (or at least increase chances) of releasing the luks disk encryption key - https://github.com/dracutdevs/dracut/issues/997 ---- **Search dracut source code for `luksClose`.** grep -r -i luksclose /usr/lib/dracut `90crypt/crypt-cleanup.sh` > `cryptsetup luksClose $i >/dev/null 2>&1 && do_break=n` `91crypt-loop/crypt-loop-lib.sh` > `printf "%s\n" "cryptsetup luksClose \"$key\"" > ${hookdir}/cleanup/"crypt-loop-cleanup-10-${key##*/}".sh` `90crypt/module-setup.sh` defines `inst_hook cleanup 30 "$moddir/crypt-cleanup.sh"` so that isn't about shutdown. `91crypt-loop/crypt-loop-lib.sh` isn't about shutdown either. I also couldn't find any `inst_hook shutdown` for any crypto related dracut module. grep -r -i hook /usr/lib/dracut | grep --color -i shutdown `99shutdown/shutdown.sh` runs `umount` but nothing related to crypto. In conclusion, I don't think that anything like "`cryptsetup luksClose`" at shutdown is currently implemented in dracut.

Patrick · August 13, 2022, 8:33pm

[systemd-devel] What is the shutdown sequence with systemd and dracut?

Patrick · January 7, 2023, 1:16pm

Patrick · January 9, 2023, 12:03pm

Migration from GitHub - Kicksecure/security-misc: Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc to

is in process.

Patrick · January 30, 2023, 11:52am

This was done.

Patrick · February 6, 2023, 7:24pm

This was implemented.

ram-wipe wipes the RAM twice during poweroff/reboot.

1. RAM Wipe Pass 1/2: During poweroff/reboot.

2. RAM Wipe Pass 2/2: It kexec’s into a new kernel for the purpose of overwriting the first kernel’s memory and performs a second ram wipe pass.

A dedicated user documentation wiki page has been created:

Patrick · February 8, 2023, 11:38am

If the following feature request gets implemented in memtest86+ that might result in a major security improvement for ram-wipe:

github.com/memtest86plus/memtest86plus

kexec into memtest86+ for RAM Wipe and reboot/poweroff - Cold Boot Attack Defense

opened 11:37AM - 08 Feb 23 UTC

adrelanos

[`ram-wipe`](https://www.kicksecure.com/wiki/Ram-wipe) ([source code](https://gi…thub.com/Kicksecure/ram-wipe)) ([design](https://www.kicksecure.com/wiki/Dev/RAM_Wipe)) is a software package that attempts to mitigate the threat of [cold boot attacks](https://en.wikipedia.org/wiki/Cold_boot_attack) as recently been developed (now primarily maintained by me). `ram-wipe` is currently based on `dracut` and `sdmem`. `dracut` seems very suitable for this task. In essence, `ram-wipe` drops back to initrd ("exitrd") at shutdown when all devices are already unmounted very late in the shutdown process, uses `sdmem` to overwrite all RAM, then `kexec`'s into a new (the same) kernel and does another pass of RAM wipe (to wipe the ram of the previous kernel). However, `sdmem` seems [unmaintained upstream](https://github.com/cryptisk-grs/thc-secure-delete/issues/3#issuecomment-520754476) and [has other issues](https://www.kicksecure.com/wiki/Ram-wipe#ram-wipe_Known_Issues). Research by [Tails](https://tails.boum.org/) seems to indicate that `memtest86+` is very suitable for wiping RAM at shutdown in principle. Much better than `sdmem`. See Tails blueprint [Erase memory: the memtest86+ way](https://gitlab.tails.boum.org/tails/blueprints/-/wikis/more_efficient_memory_wipe/memtest86plus). What would be need to be done at the memtest86+ side: * Support by memtest86+ to be booted using `kexec`. * Accept kernel command line parameters such as: * `wiperamaction`: * Overwrite all RAM once with zeros. * The action to perform after wiping the RAM. * `wiperamaction="poweroff"` * `wiperamaction="reboot"` * `wiperamaction="halt"` * Show a simple progress meter / messages for user. Such a feature might be appreciated by both [Kicksecure](https://www.kicksecure.com) and Tails, which are derivatives of Debian Linux as well as other users who discussed, requested a wipe RAM at shutdown feature all over the internet over the years. (Note, that I cannot speak on behalf of Tails.) Would you be interested to add a feature to memtest86+ to accommodate this use case or accept a patch?

Patrick · January 6, 2024, 2:31pm

github.com/dracutdevs/dracut

Comment by adrelanos to fix(crypt): close crypt devices to release encryption keys get on shutdown

dracutdevs:master ← DanWin:crypt-shutdown

Works nice with a Debian bookworm installed using Debian Installer, which sets u…p an encrypted LVM with unencrypted /boot. Broken with Debian bookworm (actually Kicksecure) installed with Calamares, which sets up an encrypted /boot but without LVM. Debugged as much as I could. Got some udev issue. Maybe something a simple as a missing dracut module? ``` sudo dracut -f ``` ``` dracut: Executing: /usr/bin/dracut -f dracut: dracut module 'mksh' will not be installed, because command 'mksh' could not be found! dracut: dracut module 'systemd-coredump' will not be installed, because command 'coredumpctl' could not be found! dracut: dracut module 'systemd-coredump' will not be installed, because command '/usr/lib/systemd/systemd-coredump' could not be found! dracut: dracut module 'systemd-portabled' will not be installed, because command 'portablectl' could not be found! dracut: dracut module 'systemd-portabled' will not be installed, because command '/usr/lib/systemd/systemd-portabled' could not be found! dracut: dracut module 'systemd-resolved' will not be installed, because command 'resolvectl' could not be found! dracut: dracut module 'systemd-resolved' will not be installed, because command '/usr/lib/systemd/systemd-resolved' could not be found! dracut: dracut module 'systemd-timesyncd' will not be installed, because command '/usr/lib/systemd/systemd-timesyncd' could not be found! dracut: dracut module 'dbus-broker' will not be installed, because command 'dbus-broker' could not be found! dracut: dracut module 'rngd' will not be installed, because command 'rngd' could not be found! dracut: 62bluetooth: Could not find any command of '/usr/lib/bluetooth/bluetoothd /usr/libexec/bluetooth/bluetoothd'! dracut: dracut module 'btrfs' will not be installed, because command 'btrfs' could not be found! dracut: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found! dracut: dracut module 'mdraid' will not be installed, because command 'mdadm' could not be found! dracut: dracut module 'multipath' will not be installed, because command 'multipath' could not be found! dracut: dracut module 'pcsc' will not be installed, because command 'pcscd' could not be found! dracut: dracut module 'tpm2-tss' will not be installed, because command 'tpm2' could not be found! dracut: dracut module 'nvmf' will not be installed, because command 'nvme' could not be found! dracut: dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found! dracut: dracut module 'memstrack' will not be installed, because command 'memstrack' could not be found! dracut: memstrack is not available dracut: If you need to use rd.memdebug>=4, please install memstrack and procps-ng dracut: *** Including module: systemd *** dracut: *** Including module: systemd-initrd *** dracut: *** Including module: modsign *** dracut: *** Including module: console-setup *** dracut: *** Including module: i18n *** dracut: *** Including module: ram-wipe-exit *** dracut: *** Including module: cold-boot-attack-defense *** dracut: *** Including module: crypt *** dracut: *** Including module: dm *** dracut: Skipping udev rule: 10-dm.rules dracut: Skipping udev rule: 13-dm-disk.rules dracut: Skipping udev rule: 64-device-mapper.rules dracut: *** Including module: kernel-modules *** dracut: *** Including module: kernel-modules-extra *** dracut: *** Including module: lvm *** dracut: Skipping udev rule: 11-dm-lvm.rules dracut: Skipping udev rule: 64-device-mapper.rules dracut: *** Including module: nvdimm *** dracut: *** Including module: overlay-root *** dracut: *** Including module: qemu *** dracut: *** Including module: lunmask *** dracut: *** Including module: rootfs-block *** dracut: *** Including module: terminfo *** dracut: *** Including module: udev-rules *** dracut: Skipping udev rule: 40-redhat.rules dracut: Skipping udev rule: 91-permissions.rules dracut: Skipping udev rule: 80-drivers-modprobe.rules dracut: *** Including module: virtiofs *** dracut: *** Including module: dracut-systemd *** dracut: *** Including module: usrmount *** dracut: *** Including module: base *** dracut: *** Including module: fs-lib *** dracut: *** Including module: shutdown *** dracut: *** Including modules done *** dracut: *** Installing kernel module dependencies *** dracut: *** Installing kernel module dependencies done *** dracut: *** Resolving executable dependencies *** dracut: *** Resolving executable dependencies done *** dracut: *** Hardlinking files *** dracut: Mode: real dracut: Method: sha256 dracut: Files: 1154 dracut: Linked: 1 files dracut: Compared: 0 xattrs dracut: Compared: 108 files dracut: Saved: 690 B dracut: Duration: 0.012228 seconds dracut: *** Hardlinking files done *** dracut: *** Generating early-microcode cpio image *** dracut: *** Store current command line parameters *** dracut: *** Stripping files *** dracut: *** Stripping files done *** dracut: *** Creating image file '/boot/initrd.img-6.1.0-17-amd64' *** dracut: Using auto-determined compression method 'pigz' dracut: *** Creating initramfs image file '/boot/initrd.img-6.1.0-17-amd64' done *** ``` Modified the script to gather more debug output. ``` [ 1163.100945] dracut Warning: Killing all remaining processes dracut Warning: Killing all remaining processes [ 1163.277065] dracut Warning: Unmounted /oldroot. dracut Warning: Unmounted /oldroot. [ 1163.287714] dracut Warning: crypt-shutdown: START dracut Warning: crypt-shutdown: START ``` ``` [ 1163.288239] dracut Warning: crypt-shutdown: systemctl status udev.service dracut Warning: crypt-shutdown: systemctl status udev.service Failed to connect to bus: Connection refused ``` ``` [ 1163.293182] dracut Warning: crypt-shutdown: dmsetup ls --target crypt dracut Warning: crypt-shutdown: dmsetup ls --target crypt luks-dabd0f40-88e7-48eb-aa94-88b99ba059da (254, 0) ``` ``` [ 1163.295272] dracut Warning: crypt-shutdown: lsblkl dracut Warning: crypt-shutdown: lsblkl NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS sda 8:0 0 20G 0 disk |-sda1 8:1 0 300M 0 part |-sda2 8:2 0 11.3G 0 part | `-luks-dabd0f40-88e7-48eb-aa94-88b99ba059da | 254:0 0 11.3G 0 crypt `-sda3 8:3 0 8.4G 0 part sr0 11:0 1 1G 0 rom ``` ``` [ 1163.302719] dracut Warning: crypt-shutdown: df -h dracut Warning: crypt-shutdown: df -h ``` No output. Good. ``` Filesystem Size Used Avail[ 1163.304600] dracut Warning: crypt-shutdown: mount Use% Mounted on devtmpfs 4.0M 0 4.0M 0% /dev tmpfs 2.0G 0 2.0G 0% /oldsys/dev/shm tmpfs 780M 146M 634M 19% /run tmpfs 5.0M 8.0K 5.0M 1% /oldsys/run/lock ``` ``` dracut Warning: crypt-shutdown: mount ``` ``` proc on /oldsys/proc type proc (rw,nosuid,nodev,noexec,relatime) sysfs on /oldsys/sys type sysfs (rw,nosuid,nodev,noexec,relatime) devtmpfs on /oldsys/dev type devtmpfs (rw,nosuid,size=4096k,nr_inodes=492983,mode=755,inode64) securityfs on /oldsys/sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime) tmpfs on /oldsys/dev/shm type tmpfs (rw,nosuid,nodev,inode64) devpts on /oldsys/dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000) tmpfs on /oldsys/run type tmpfs (rw,nosuid,nodev,size=798532k,nr_inodes=819200,mode=755,inode64) tmpfs on /oldsys/run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64) cgroup2 on /oldsys/sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot) pstore on /oldsys/sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime) efivarfs on /oldsys/sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime) bpf on /oldsys/sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700) hugetlbfs on /oldsys/dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M) mqueue on[ 1163.317630] dracut Warning: crypt-shutdown: vgdisplay /oldsys/dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime) tracefs on /oldsys/sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime) configfs on /oldsys/sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime) fusectl on /oldsys/sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime) tmpfs on / type tmpfs (rw,nosuid,nodev,size=798532k,nr_inodes=819200,mode=755,inode64) sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) devtmpfs on /dev type devtmpfs (rw,nosuid,size=4096k,nr_inodes=492983,mode=755,inode64) tmpfs on /run type tmpfs (rw,nosuid,nodev,size=798532k,nr_inodes=819200,mode=755,inode64) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) ``` ``` dracut Warning: crypt-shutdown: vgdisplay [ 1163.384809] dracut Warning: crypt-shutdown: lsof /dev/mapper/luks-dabd0f40-88e7-48eb-aa94-88b99ba059da ``` ``` dracut Warning: crypt-shutdown: lsof /dev/mapper/luks-dabd0f40-88e7-48eb-aa94-88b99ba059da [ 1163.409785] dracut Warning: crypt-shutdown: findmnt /dev/mapper/luks-dabd0f40-88e7-48eb-aa94-88b99ba059da ``` ``` dracut Warning: crypt-shutdown: findmnt /dev/mapper/luks-dabd0f40-88e7-48eb-aa94-88b99ba059da ``` No output. Good. ``` [ 1163.413033] dracut Warning: crypt-shutdown: cryptsetup status luks-dabd0f40-88e7-48eb-aa94-88b99ba059da dracut Warning: crypt-shutdown: cryptsetup status luks-dabd0f40-88e7-48eb-aa94-88b99ba059da /dev/mapper/luks-dabd0f40-88e7-48eb-aa94-88b99ba059da is active. type: LUKS1 cipher: aes-xts-plain64 keysize: 512 bits key location: dm-crypt device: /dev/sda2 sector size: 512 offset: 4096 sectors size: 23739353 sectors mode: read/write ``` ``` [ 1163.425169] dracut Warning: crypt-shutdown: cryptsetup --debug close luks-dabd0f40-88e7-48eb-aa94-88b99ba059da dracut Warning: crypt-shutdown: cryptsetup --debug close luks-dabd0f40-88e7-48eb-aa94-88b99ba059da # cryptsetup 2.6.1 processing "cryptsetup --debug close luks-dabd0f40-88e7-48eb-aa94-88b99ba059da" # Verifying parameters for command close. # Running command close. # Installing SIGINT/SIGTERM handler. # Unblocking interruption on signal. # Allocating crypt device context by device luks-dabd0f40-88e7-48eb-aa94-88b99ba059da. # Initialising device-mapper backend library. # dm version [ opencount flush ] [16384] (*1) # dm versions [ opencount flush ] [16384] (*1) # Detected dm-ioctl version 4.47.0. # Detected dm-crypt version 1.24.0. # Device-mapper backend running with UDEV support enabled. # dm status luks-dabd0f40-88e7-48eb-aa94-88b99ba059da [ opencount noflush ] [16384] (*1) # Releasing device-mapper backend. # Trying to open and read device /dev/sda2 with direct-io. # Allocating context for crypt device /dev/sda2. # Trying to open and read device /dev/sda2 with direct-io. # Initialising device-mapper backend library. # dm versions [ opencount flush ] [16384] (*1) # dm table luks-dabd0f40-88e7-48eb-aa94-88b99ba059da [ opencount flush securedata ] [16384] (*1) # Trying to open and read device /dev/sda2 with direct-io. # dm versions [ opencount flush ] [16384] (*1) # dm deps luks-dabd0f40-88e7-48eb-aa94-88b99ba059da [ opencount flush ] [16384] (*1) # Crypto backend (OpenSSL 3.0.11 19 Sep 2023 [default][legacy]) initialized in cryptsetup library version 2.6.1. # Detected kernel Linux 6.1.0-17-amd64 x86_64. # PBKDF pbkdf2-sha256, time_ms 2000 (iterations 0). # Reading LUKS header of size 1024 from device /dev/sda2 # Key length 64, device size 23743449 sectors, header size 4036 sectors. # Deactivating volume luks-dabd0f40-88e7-48eb-aa94-88b99ba059da. # dm versions [ opencount flush ] [16384] (*1) # dm status luks-dabd0f40-88e7-48eb-aa94-88b99ba059da [ opencount noflush ] [16384] (*1) # dm versions [ opencount flush ] [16384] (*1) # dm table luks-dabd0f40-88e7-48eb-aa94-88b99ba059da [ opencount flush securedata ] [16384] (*1) # Trying to open and read device /dev/sda2 with direct-io. # dm versions [ opencount flush ] [16384] (*1) # Udev cookie 0xd4dd417 (semid 3) created # Udev cookie 0xd4dd417 (semid 3) incremented to 1 # Udev cookie 0xd4dd417 (semid 3) incremented to 2 # Udev cookie 0xd4dd417 (semid 3) assigned to REMOVE task(2) with flags DISABLE_LIBRARY_FALLBACK (0x20) # dm remove luks-dabd0f40-88e7-48eb-aa94-88b99ba059da [ opencount flush retryremove ] [16384] (*1) # Udev cookie 0xd4dd417 (semid 3) decremented to 1 # Udev cookie 0xd4dd417 (semid 3) waiting for zero ``` ``` /usr/lib/dracut/modules.d/90crypt/module-setup.sh ``` ``` inst_multiple -o cryptsetup lsblk lsof df findmnt vgdisplay ``` ``` /usr/lib/dracut/modules.d/90crypt/crypt-shutdown.sh ``` ``` #!/bin/sh warn "crypt-shutdown: START" warn "crypt-shutdown: systemctl status udev.service" systemctl status udev.service 2>&1 warn "crypt-shutdown: dmsetup ls --target crypt" dmsetup ls --target crypt 2>&1 warn "crypt-shutdown: lsblkl" lsblk 2>&1 warn "crypt-shutdown: df -h" df -h 2>&1 warn "crypt-shutdown: mount" mount 2>&1 warn "crypt-shutdown: vgdisplay" vgdisplay 2>&1 # Mark crypt devices for deferred removal. # The dm module removes holding devices, so # that the encryption keys can be released. dmsetup ls --target crypt | while read -r name _; do if ! type "cryptsetup" > /dev/null 2>&1; then warn "cryptsetup not installed, skipping closing of encrypted devices" return fi warn "crypt-shutdown: lsof /dev/mapper/$name" lsof "/dev/mapper/$name" 2>&1 warn "crypt-shutdown: findmnt /dev/mapper/$name" findmnt "/dev/mapper/$name" 2>&1 warn "crypt-shutdown: cryptsetup status $name" cryptsetup status "$name" 2>&1 warn "crypt-shutdown: cryptsetup --debug close $name" cryptsetup --debug close "$name" 2>&1 warn "crypt-shutdown: cryptsetup status $name" cryptsetup status "$name" 2>&1 warn "crypt-shutdown: cryptsetup --debug close $name --deferred" cryptsetup --debug close "$name" --deferred 2>&1 warn "crypt-shutdown.s: name: $name - done" done warn "crypt-shutdown.s: END" ``` So there is really nothing still mounted. The issue is `Udev cookie 0xd4dd417 (semid 3) waiting for zero`. Thoughts?

Patrick · March 20, 2024, 3:49pm

https://www.reddit.com/r/Kicksecure/comments/1bi7t98/questions_concerning_ramwipe/

Patrick · March 20, 2024, 3:49pm

Patrick · April 1, 2024, 2:39pm

SecureBoot related issues have been fixed.

This is now in all repositories.