Will Qubes ever have ram-wipe?

Why doesn’t Qubes OS have ram-wipe already? I feel like Qubes OS should have ram wiping, and I am curious as to why it isn’t implemented, or whether it will be implemented but just hasn’t been done yet. Or maybe memory encryption? Will Qubes ever have memory encryption instead as the other route, and why isn’t it already implemented? I feel like anti cold boot defenses should be implemented, just as anti evil maid is implemented.

You can add this parameter to your qubes kernel command line: init_on_free=1. This makes the Linux kernel zero the memory once it’s freed. Expect an 8 to 22% performance regression with this enabled.

5 Likes
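The init_on_free suggestion above, with an added example that is not from this thread or from the Qubes project: a small POSIX sh checker that confirms the parameter is on the kernel command line and that the kernel’s "mem auto-init" boot message reports heap-free zeroing as active. The sample command line and dmesg line are constructed; on a live qube you would feed it /proc/cmdline and the output of dmesg.

```shell
#!/bin/sh
# Added example (not from the forum thread): verify that init_on_free=1
# is both requested on the kernel command line and in effect.

# Print the value of the last init_on_free= token on a command line,
# or "unset" if none is present. This checker treats the last occurrence
# as the effective one (assumption of this script).
cmdline_init_on_free() {
    value="unset"
    for tok in $1; do
        case "$tok" in
            init_on_free=*) value="${tok#init_on_free=}" ;;
        esac
    done
    printf '%s\n' "$value"
}

# Return 0 if a "mem auto-init:" kernel message reports "heap free:on",
# i.e. free-time zeroing actually took effect at boot.
meminit_heap_free_on() {
    case "$1" in
        *"heap free:on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_CMDLINE="root=/dev/mapper/dmroot ro rd.qubes.hide_all_usb init_on_free=1 rhgb"
SAMPLE_DMESG="[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:on"

# Combine both checks; returns 0 only when requested and active.
check_ram_wipe() {
    v=$(cmdline_init_on_free "$1")
    if [ "$v" = "1" ] && meminit_heap_free_on "$2"; then
        echo "init_on_free is enabled and active"
        return 0
    fi
    echo "init_on_free not active (cmdline value: $v)"
    return 1
}

# Live use inside a qube (dmesg may need root):
#   check_ram_wipe "$(cat /proc/cmdline)" "$(dmesg | grep 'mem auto-init')"
check_ram_wipe "$SAMPLE_CMDLINE" "$SAMPLE_DMESG"
```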

I had completely forgotten about init_on_free…

Maybe this thread would be more interesting with a new title like “What methods could be used in Qubes to improve protection of memory contents?”

I’d really like to know more about memory encryption - I thought it was only available in recent high-end hardware, but does it work transparently out-of-the-box, and could it ever be implemented in the kernel?
Then there’s the related swap encryption, and what else?

[edit: looking back a little I see I had skipped over the recent cold-boot protection thread… which reminds us about Xen memory scrubbing. ]

1 Like

Xen wipes the memory before it’s allocated to a VM, and you can use the scrub-domhead option to force Xen to scrub memory when a domain is destroyed. The default setting is to allow Xen to use idle CPU cycles to scrub the memory, but even with default settings, memory will always be scrubbed before being assigned to a VM.

If you want memory encryption you need to buy hardware with the feature; it’s not done in software and is mostly found in high-end CPUs. Even if your hardware doesn’t support memory encryption, it should still support memory scrambling. Scrambling is not as effective as encryption, and it has been proven to be possible to reassemble scrambled memory. Still, cold boot attacks on scrambled DDR5 memory are not trivial.

2 Likes

Just a reference to one piece of software which uses memory encryption:

1 Like