Cold Boot Attack Defense - RAM Wipe Design Documentation

From Kicksecure
< Dev
Jump to navigation Jump to search

ram-wipe wipes the RAM twice during poweroff/reboot.

  • 1. RAM Wipe Pass 1/2: During poweroff/reboot.
  • 2. RAM Wipe Pass 2/2: It kexec's into a new kernel for the purpose of overwriting the first kernel's memory and performs a second ram wipe pass.



Implemented by dracut module (by ram-wipe).

  1. /usr/lib/dracut/modules.d/90crypt/ runs need_shutdown.
  2. TODO: Does dracut run cryptsetup luksClose during shutdown? The 90crypt module does not have a shutdown hook? grep -r hook /usr/lib/dracut/modules.d | grep shutdown
  3. A dracut cleanup hook is declared in /usr/lib/dracut/modules.d/40cold-boot-attack-defense/ (by ram-wipe): inst_hook cleanup 80 "$moddir/" Priority is 80. TODO
  4. During boot, that dracut cleanup hook /usr/lib/dracut/modules.d/40cold-boot-attack-defense/ (by ram-wipe) is calling dracut API function need_shutdown which results in file /run/initramfs/.need_shutdown being created.
  5. In result, at shutdown time when /lib/systemd/system/dracut-shutdown.service (by dracut) runs, /usr/lib/dracut/dracut-initramfs-restore (by dracut), will restore the initramfs and pivot into it.
  6. During shutdown, dracut will run its usual cleanup tasks such as unmounting the root (main) drive.
  7. The shutdown module (by dracut) will source and other shutdown hooks set up by other dracut modules.
  8. At time of writing there were no other dracut modules using the dracut shutdown hook known the the author of this website.
  9. (by ram-wipe) is the dracut shutdown hook.
  10. A alternative description of the mechanism of dropping back to the initramfs during shutdown can be found under The initrd Interface of
  11. At a very late stage during the shutdown process when all disks were already unmounted by dracut, the dracut shutdown hook is executed.
  12. The shutdown hook runs:
  • echo 3 > /proc/sys/vm/drop_caches
    • To ensure any remaining disk cache is erased by Linux' memory poisoning. [1]
  • sdmem -l -l -v: To wipe the ram using sdmem.
    • The parameters -l -l result in a single pass of RAM wiping using zeros.
      • This is to optimize for speed. Otherwise RAM wiping could take several minutes. However, the longer the shutdown process is delayed, the more users would disable this feature. Also after wiping the RAM, it could actually be more important to shutdown to aid decay of RAM contents rather than wiping the RAM over and over for minutes before actually removing power.
      • When run sdmem manually using these command line parameters it will show "Wipe mode is insecure (one pass with 0x00)" but no evidence that this would be actually insecure could be found. The sdmem manpage refers to Peter Gutmann, but the Gutmann method is about hard drives, not about RAM. No research how many times RAM has to be wiped to be non-recoverable has been found by the author of this website.
    • The parameter -v is for verbose output which only results in a progress indicator.
    • Any output (default or verbose) is only visible if a serial console is connected. This is because dracut by default hides output of commands it runs. Redirecting the output of sdmem to /dev/kmsg would result in hundreds or thousands of separate * to be written to the console, each in its own line, which would not actually be useful. For a better progress meter of the RAM wipe process, if needed after user feedback, perhaps some buffer mechanism would have to be implemented.
  • dmsetup ls --target crypt: To check if all encrypted disks are unmounted.
    • Because only if all encrypted disks are unmounted, it will be possible for the kernel to wipe the Full Disk Encryption (FDE) key from the kernel.
    • Deletion of FDE key is considered among the most crucial information to be wiped from RAM because if the FDE key could be recovered from RAM then FDE could be broken.
    • Informs the user if all encrypted disks are unmounted in console output. Otherwise shows a warning.

Quote Tails' Memory

First, most memory is erased at the end of a normal shutdown/reboot sequence. This is implemented by the Linux kernel's freed memory poisoning, more specifically:

  • page_poison
  • passing "P" to slub_debug
  • zeroing heap memory at free time (init_on_free=1)

These kernel parameters are implemented in ram-wipe /etc/default/grub.d/

RAM wipe is omitted in virtual machines (VMs) by default because it is unclear if that could actually lead to the host operating system using swap. Through use of kernel parameter wiperam=force it is possible to force RAM wipe inside VMs which is useful for testing, development purposes.

Kernel parameter wiperam=skip is provided to support disabling RAM wipe at shutdown, which might be useful to speed up shutdown or in case should there ever be issues.

For potential limitations, the same limitations as under Quote Tails' Memory chapter "Limitations" applies.


dracut module ram-wipe-exit:

  • The other module dracut module cold-boot-attack-defense is independent.
    • The first RAM wiping mechanism is useful irrespective of this supplemental kexec based RAM wipe which might be more prone to bugs.
    • The other dracut module cold-boot-attack-defense in its main source code file uses kexec to boot into a new kernel.
    • That new kernel is actually the same kernel image but thanks to kexec, the old kernel stops and a new kernel is run which should result in overwriting the old kernel's RAM.
    • kexec is used with the --reuse-cmdline parameter for simplicity and to keep already existing RAM wipe related kernel parameters (the linux kernel's freed memory poisoning feature mentioned above).
    • Additionally kernel parameter wiperamexit=1 is appended by dracut module cold-boot-attack-defense.
    • kexec is used to load a new kernel into the memory so the old kernel memory is overwritten gets overwritten by the new kernel.
  • Kernel parameter wiperamexit=1 in dracut module ram-wipe-exit results in only wiping the RAM and then rebooting or powering off.
  • It refrains from mounting the root image.
    • In other words, ram-wipe-exit runs at very early boot before mounting the root image. This can is being done using dracut hook pre-udev (because that hook runs before pre-mount).
    • Therefore the full disk encryption (FDE) password entry should is not required.
    • The RAM wipe is be done during dracut initramfs stage before FDE password is requested / before root disk is mounted.
    • The root image is not be mounted at all when kernel parameter wiperamexit=1 is set.
  • When kernel parameter wiperamexit=1 is set, after RAM wipe at early dracut initramfs stage, the system should is rebooted, powered off depending on the wiperamaction setting, which was set by the previous kernel.
  • kexec based wipe cannot be based on systemd with because unmounting the root disk and using cryptsetup luksClose so the full disk encryption (FDE) key gets wiped from RAM is one of the most important points of RAM wipe. It would need to be But at that stage, there is no more disk mounted with tools. Hence, dropping back to initramfs at shutdown is the correct design.
  • Runs reboot, poweroff, halt as instructed by the previous kernel.

Differences of ram-wipe versus Tails Memory Erasure[edit]

Tails memory erasure:


  • based on Linux memory poisoning and and additional run of sdmem
  • requires dracut
  • more generic
  • should work on any Debian
  • should be relatively easy to port to any Linux distribution since implemented as a dracut module
  • should work equally for persistent boot from hard drive, live boot from hard drive or ISO live boot
  • A panic button / panic shutdown / USB kill cord for your feature is not mixed together with this feature. It should be implemented separately as a standalone feature.


(This file would be shipped out commented by default. Only useful for development / debugging.)


## Copyright (C) 2022 - 2023 ENCRYPTED SUPPORT LP <>
## See the file COPYING for copying conditions.

## Untested!

set -e

#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=reboot"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=poweroff"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=halt"

GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=debug"


if test -x /etc/grub.d/10_linux ; then
sudo update-grub

Maybe useful during development:

  • grep -r pre-udev --color /usr/lib/dracut

A panic button / panic shutdown / USB kill cord for your feature is not mixed together with this feature. It should be implemented separately as a standalone feature.

Status of initramfs-tools Support[edit]

Support for initramfs-tools is not planned by the authors of ram-wipe. No progress on initramfs-tools support should be expected.

The problem with initramfs-tools support is, that in contrast to dracut, while initramfs-tools supports initrd (initial ramdisk) it does not support exitrd (exit ramdisk).

dracut supports both, initrd (initial ram disk at boot time) as well as exitrd (dropping back to initial ramdisk at shutdown time). A feature request has been posted against the Debian package Support restoring initrd on shutdown and pivoting into

Contributors wishing to add initramfs-tools support to ram-wipe, should add exitrd support to upstream, original initramfs-tools.

As a starting point, Tails has implemented which might help to look at, provide inspiration when developing the exitrd functionality for initramfs-tools. The Tails initramfs-tools exitrd implementation would have to be made generic, meaning made unspecific to Tails (no code references to other Tails specific code) and made acceptable for the initramfs-tools developers for inclusion into the upstream source code. However using the Tails implementation as a starting point is of course not a strict requirement.

Once initramfs-tools gets exitrd support, it might be easy to add initramfs-tools support to ram-wipe.

Development TODO[edit]

ram-wipe Testing inside a VM[edit]

1. Platform specific notice.

  • Other than Qubes OS: No special notice.
  • Qubes OS: Not for Qubes OS.

2. Install ram-wipe because it's not installed by default in VMs because it's normally not needed there.

Install ram-wipe. To accomplish that, the following steps A. to D. need to be done.

A. Update the package lists.

sudo apt update

B. Upgrade the system.

sudo apt full-upgrade

C. Install the ram-wipe package.

Using apt command line parameter --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends ram-wipe

D. Done.

The procedure of installing ram-wipe is complete.

3. Add the wiperam=force kernel parameter to the grub configuration because otherwise ram-wipe will be skipped inside VMs.

echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"' | sudo tee -a /etc/default/grub.d/50_user.cfg

4. Update the grub configuration.

sudo update-grub

5. Reboot

sudo reboot

6. Set up a virtual serial console.

A virtual serial console helps to read all the journal kernel messages during early boot and shutdown.

Can be set up as per serial console documentation. Only a read-only serial console was somewhat recently tested and should suffice. An interactive serial-console might not be required.

7. Status.

Now a serial console should nicely show the output during boot and shutdown of ram-wipe.

8. Bug dracut should unmount the root encrypted disk `cryptsetup luksClose` during will not be reproducible because Kicksecure images do not use full disk encryption.

As a workaround, install Debian bookworm using Debian DVD (Debian Tips), then install Kicksecure as per distribution morphing Debian into Kicksecure instructions. Then re-apply the instructions listed here.

Forum Discussion[edit]

See Also[edit]


Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!