RAM wipe after boot

ceomi · December 4, 2023, 10:00am

hi there

i had an discussion with a friend and we talked about RAM wipe after boot to secure the encryption key in kali linux. he told me that it would be possible to do this by a cronjob or rc.local with the tool sdmem.

i thought that this could be a very cool feature for qubes if you could check this in preferences of dom0.
What do you think?
Is that possible to setup in dom0, too?
and could this feautre come in the future?

renehoj · December 4, 2023, 10:13am

Doesn’t Xen already do this?

I thought Xen would sanitize the memory before making it available to any domain.

fsflover · December 7, 2023, 5:41pm

Wipe RAM of VMs synchronously when shut down and killed

opened 01:53PM - 29 Dec 15 UTC

adrelanos

T: enhancement help wanted C: kernel C: Xen P: major release notes security

Some stuff that Tails is having in mind. --- package: http://git.tails.boum.o…rg/wiperam/tree/ --- Tails currently has a few issues with it. 1) https://tails.boum.org/support/known_issues/index.en.html#index23h2 > On rare systems (non-PAE with big amounts of memory), Tails does not consistently erase all system memory as it should. 2) The other issue is an obvious one. If shutdown fails for software or hardware reasons, RAM shutdown won't be executed. 3) https://labs.riseup.net/code/issues/6006 > After following the steps for "erase memory on shutdown it turns out some patterns may survive the wipe which indicates that not all memory was wiped. One theory for this is that the new kernel loaded by kexec may allocate some buffer, which then is filled with the pattern and won't get cleared, since sdmem only wipes unallocated memory. > > Hi, not sure how to comment so I will just add it here. The test is incorrect, since on a 32-bit architecture the address space of a given process is usually limited at 3 GiB (or less, depends on the kernel configuration). It's not easy to change the Python script to fill all available memory (it's possible, but complex due to kernel's OOM killer behavior), but your best bet would be to spawn many pattern filler processes simultaneously, hoping that at least some executions will overlap. Then, on a 4 GiB machine you will see about 1 GiB of non-wiped memory (and on systems with > 4 GiB RAM, with PAE enabled, you won't wipe that extra memory, too, of course). Sorry to burst your bubble -- wiping memory is not easy, and THC's SecureDelete package is mostly badly implemented snake oil based on wrongly interpreted old theoretical papers. Anyway, to see whether the 3 GiB limit has anything to do with the unwiped patterns you have seen thus far, retry on a system with less than 3 GiB RAM. --MK > > In theory, it's supposed to work "most of the time", but it is not reliable as is: sdmem kills itself as soon as it's refused to allocate memory, so there's no guarantee several instances of it will be allocating enough memory at the same time to ensure all memory is erased. In the worst case, this change can make the memory erasure process 32 times longer, with no efficiency improvement. And more. --- Tails blueprint: https://tails.boum.org/blueprint/more_efficient_memory_wipe/ --- Documentation on testing if wiping RAM works: https://tails.boum.org/contribute/release_process/test/erase_memory_on_shutdown/ --- Test suite recipe: https://github.com/vjrj/tails/blob/master/features/erase_memory.feature --- Documentation: https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html --- Related: - #904 - #1563

ceomi · December 8, 2023, 10:45am

this would be cool but i mean direct after login to dom0.

in kali linux for example you install sdmem and than run it with rc.local on boot so the encryption key will hopefully wiped

apparatus · December 8, 2023, 10:54am

And how do you expect encryption to work without encryption key?

ceomi · February 15, 2024, 3:28pm

i believe you don’t know what i mean. please check out sdmem

apparatus · February 15, 2024, 4:05pm

Maybe I don’t know what you mean. Provide some links to understand what you mean.
Sdmem is just a tool to wipe the RAM.
It doesn’t have a magical effect of providing a way to wipe the encryption key from the RAM and still allow for encryption software to somehow still use the key.

ceomi · February 19, 2024, 5:43pm

it is just an idea becuase i have heard about attacks to extract the key out of the ram even a pc is shut down.

In the example i have read the pc was cooled to hold the information in the ram. Normaly the key is load in the ram to decrypt the drive with the password at boot. After the pc is booted and the os is running this key isn’t necessery and not needed anymore in the ram. So this one can be overwritten.

fsflover · February 19, 2024, 5:46pm

github.com/QubesOS/qubes-issues

Wipe RAM on shutdown

opened 01:53PM - 29 Dec 15 UTC

adrelanos

T: enhancement help wanted C: kernel C: Xen P: major release notes security

Some stuff that Tails is having in mind. --- package: http://git.tails.boum.o…rg/wiperam/tree/ --- Tails currently has a few issues with it. 1) https://tails.boum.org/support/known_issues/index.en.html#index23h2 > On rare systems (non-PAE with big amounts of memory), Tails does not consistently erase all system memory as it should. 2) The other issue is an obvious one. If shutdown fails for software or hardware reasons, RAM shutdown won't be executed. 3) https://labs.riseup.net/code/issues/6006 > After following the steps for "erase memory on shutdown it turns out some patterns may survive the wipe which indicates that not all memory was wiped. One theory for this is that the new kernel loaded by kexec may allocate some buffer, which then is filled with the pattern and won't get cleared, since sdmem only wipes unallocated memory. > > Hi, not sure how to comment so I will just add it here. The test is incorrect, since on a 32-bit architecture the address space of a given process is usually limited at 3 GiB (or less, depends on the kernel configuration). It's not easy to change the Python script to fill all available memory (it's possible, but complex due to kernel's OOM killer behavior), but your best bet would be to spawn many pattern filler processes simultaneously, hoping that at least some executions will overlap. Then, on a 4 GiB machine you will see about 1 GiB of non-wiped memory (and on systems with > 4 GiB RAM, with PAE enabled, you won't wipe that extra memory, too, of course). Sorry to burst your bubble -- wiping memory is not easy, and THC's SecureDelete package is mostly badly implemented snake oil based on wrongly interpreted old theoretical papers. Anyway, to see whether the 3 GiB limit has anything to do with the unwiped patterns you have seen thus far, retry on a system with less than 3 GiB RAM. --MK > > In theory, it's supposed to work "most of the time", but it is not reliable as is: sdmem kills itself as soon as it's refused to allocate memory, so there's no guarantee several instances of it will be allocating enough memory at the same time to ensure all memory is erased. In the worst case, this change can make the memory erasure process 32 times longer, with no efficiency improvement. And more. --- Tails blueprint: https://tails.boum.org/blueprint/more_efficient_memory_wipe/ --- Documentation on testing if wiping RAM works: https://tails.boum.org/contribute/release_process/test/erase_memory_on_shutdown/ --- Test suite recipe: https://github.com/vjrj/tails/blob/master/features/erase_memory.feature --- Documentation: https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html --- Related: - #904 - #1563

apparatus · February 19, 2024, 6:29pm

cryptsetup is wiping the key when it’s closing the decrypted drive. So if the system was shut down normally and not by hard reset / power off then the encryption key should be wiped from RAM when encrypted system drive is closed on shut down.

That’s not how decryption works. As long as you need to access the decrypted drive the decryption key must be accessible as well.

apparatus · February 19, 2024, 6:48pm

Seems like I was wrong. The cryptsetup close is not run on dracut shutdown right now:

github.com/dracutdevs/dracut

Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks

opened 05:18PM - 29 Dec 20 UTC

adrelanos

enhancement crypt shutdown

**Is your feature request related to a problem? Please describe.** Defeat Col…d Boot Attacks by wiping LUKS disk encryption during shutdown. What is a Cold Boot Attacks? See: * https://www.youtube.com/watch?v=JDaicPIgn9U * https://en.wikipedia.org/wiki/Cold_boot_attack * https://blog.f-secure.com/cold-boot-attacks/ * https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf **Describe the solution you'd like** Run `cryptsetup close` at end of shutdown procedure. Quote `cryptsetup close` (previously `cryptsetup lukseClose`) man page (bold added): > close > Removes the existing mapping <name> and **wipes the key from kernel memory**. Maybe `cryptsetup close` could be done during `dracut-shutdown`? This would not wipe all secrets from RAM to defeat a cold boot attack but at least remove one of the most important secrets, the root disk LUKS encryption key. **Describe alternatives you've considered** Linux kernel feature: This issue can probably not be redirected at the Linux kernel. While a generic solution `Wipe RAM to defeat Cold Boot Attacks` (https://github.com/systemd/systemd/issues/17242) probably belongs into the kernel, this does not. For the kernel to be able to wipe the memory, encrypted LUKS devices need to be properly closed first. `cryptsetup close` does that. systemd feature: systemd does not wipe the LUKS disk encryption key for root disk from RAM during shutdown. And as I understand systemd developer @poettering Lennart Poettering, this isn't up to systemd either. It's up to the initrd / initramfs. (https://github.com/systemd/systemd/issues/17887) Quote myself (https://github.com/systemd/systemd/issues/17887#issuecomment-750340608): > Avoiding all sidelines, keeping this simple, for my understanding and for the record and please correct me if I am wrong... Summary: > > `"cryptsetup close" of root device during shutdown` is already implemented. Quote systemd developer @poettering Lennart Poettering (https://github.com/systemd/systemd/issues/17887#issuecomment-751252894): > > `"cryptsetup close" of root device during shutdown` is already implemented. > > iff your initrd/distro of choice do so. For the root disk it doesn't matter what systemd does, it matters what the initrd/distro do. hence ping the maintainers of those.

barto · February 19, 2024, 6:54pm

[irrelevant comment retracted]

renehoj · February 19, 2024, 7:36pm

You can run Xen with the scrub-domheap option, if you want to force Xen to scrub the memory when a domain is shutdown, it’s better than trying to do it from inside the domain itself.

Even if you force Xen to scrub the memory, you run into the same issue that it only happens during a controlled shutdown, anyone doing a direct memory attack is just going to hard reset the system and negate any shutdown based protection.

If you are worried about this type of attack, you should use a system with memory encryption.

barto · February 19, 2024, 7:53pm

Sorry, this is the whole point. As a QubeOS user, I shouldn’t have to do anything to get this reasonable behavior/expectation of the OS erasing the the LUKS key from memory on normal shutdown.

ceomi · March 14, 2024, 7:48pm

which system has memory encryption

ceomi · March 14, 2024, 7:49pm

true so what can we do?

ceomi · March 14, 2024, 7:54pm

here you can see it RAM Wipe Development Notes

renehoj · March 14, 2024, 7:56pm

The pro version of AMD CPUs has TSME, AMDs memory encryption technology, and the vPro Enterprise CPUs from Intel has TME, which is the Intel encryption tech.

I don’t think AMD sell pro CPUs to consumers, but many of the middle to high-end Intel consumer CPUs support TME

ceomi · March 14, 2024, 8:01pm

nice point but i don’t think would be the solution if you can perhaps implement a script to dom0 that root can choose this in preferences after boot or before shutdown. And this would be the way every qubes user would have profit of it