-
Notifications
You must be signed in to change notification settings - Fork 152
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: Check CONFIG_RESET_ATTACK_MITIGATION #11
Comments
This option needs userspace support, otherwise it's not recommended for use: |
Interesting, is there any userspace tool to do this? Or is this basically unsupported in current systems? |
@hannob I wanted to look into this for systemd, but forgot for quite a while. thanks for reminding me, back then there was no userspace support, theoretically you could add a systemd service but doing it properly is bit more tricky. I'm putting this back onto my todo list and take a dive into how to properly implement this into systemd itself at a place that could guarantee that all other services etc. are already properly shut down. |
Hello @hannob @Bernhard40 @anthraxx,
That case will be similar to the |
…#11 Let's check the RESET_ATTACK_MITIGATION option. The description of this security feature: https://lwn.net/Articles/730006/ It needs support from the userspace side: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a Improve the comments about the userspace support by the way.
…#11 Let's check the RESET_ATTACK_MITIGATION option. The description of this security feature: https://lwn.net/Articles/730006/ It needs support from the userspace side: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a Improve the comments about the userspace support by the way.
Hm... By the way Ubuntu 18 has |
5 years later... Has anyone got the userland support for this feature up and running yet? I'm interested in solutions for either OpenRC or systemd. There's plenty of mentions of the kconfig option, but I can't find any mention of the userland half of this feature. |
Thanks for this tool.
I'd propose to add a check for CONFIG_RESET_ATTACK_MITIGATION.
This is a feature that on modern systems will set a flag on boot that signals the BIOS to wipe the memory if an unclean shutdown happened. This can protect against some forms of cold boot attacks where you reboot into another system and try to read out the memory from the previous run.
Here's the Kernel submission with some explanation:
https://lwn.net/Articles/730006/
It's also explained in this talk:
https://www.youtube.com/watch?v=RqvPZnLkP70 (around minute 35)
The text was updated successfully, but these errors were encountered: