Feature request: Check CONFIG_RESET_ATTACK_MITIGATION

[hannob]

Thanks for this tool.

I'd propose to add a check for CONFIG_RESET_ATTACK_MITIGATION.
This is a feature that on modern systems will set a flag on boot that signals the BIOS to wipe the memory if an unclean shutdown happened. This can protect against some forms of cold boot attacks where you reboot into another system and try to read out the memory from the previous run.

Here's the Kernel submission with some explanation:
https://lwn.net/Articles/730006/

It's also explained in this talk:
https://www.youtube.com/watch?v=RqvPZnLkP70 (around minute 35)

[Bernhard40]

This option needs userspace support, otherwise it's not recommended for use:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a

https://bugzilla.redhat.com/show_bug.cgi?id=1532058

[hannob]

Interesting, is there any userspace tool to do this? Or is this basically unsupported in current systems?

[anthraxx]

@hannob I wanted to look into this for systemd, but forgot for quite a while. thanks for reminding me, back then there was no userspace support, theoretically you could add a systemd service but doing it properly is bit more tricky. I'm putting this back onto my todo list and take a dive into how to properly implement this into systemd itself at a place that could guarantee that all other services etc. are already properly shut down.

[a13xp0p0v]

Hello @hannob @Bernhard40 @anthraxx,

RESET_ATTACK_MITIGATION is a nice option, I will add this check to the script with a comment about userspace support.

That case will be similar to the STATIC_USERMODEHELPER option, which needs the userspace support as well (but, as I know, enabling it currently breaks systemd workflow on Ubuntu).

[a13xp0p0v]

Hm... By the way Ubuntu 18 has RESET_ATTACK_MITIGATION enabled.