Date:      Sun, 5 Aug 2018 17:25:03 +0200
From:      Polytropon <freebsd@edvax.de>
To:        thor <thor@irk.ru>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Erase memory on shutdown
Message-ID:  <20180805172503.e2479108.freebsd@edvax.de>
In-Reply-To: <acbb3213-e79e-dfde-038f-b1476925cd4a@irk.ru>
References:  <acbb3213-e79e-dfde-038f-b1476925cd4a@irk.ru>

On Sun, 5 Aug 2018 22:24:16 +0800, thor wrote:
> Just one paranoid question: How to cause FreeBSD to zero all RAM during 
> shutdown?

This would imply that the kernel would finally have to
overwrite itself. How can control over zeroing memory
be maintained when the control program itself has been
overwritten? That would be the result of the "all" in
your requirement.

Sure, you could add some code to the final shutdown
routines to zero the RAM, which is possible, but not
trivial: You need a non-optimized call to memset()
using a custom function pointer.

	#include <stddef.h>
	#include <string.h>

	/* volatile function pointer: the compiler cannot see through it,
	 * so it cannot treat the memset() as a dead store and drop it */
	static void *(* const volatile memset_ptr)(void *, int, size_t) = memset;
	static void secure_memzero(void *p, size_t len)
	{
	        (memset_ptr)(p, 0, len);
	}

	void *ram = 0x0; 		/* RAM start address */
	size_t amount = 17179869184UL;	/* 16 GB RAM */

	secure_memzero(ram, amount);	/* ouch */

If you add something like this to the kernel, and make
sure your compiler isn't too clever (as to optimize it
into a NOP), you're going to crash the whole system
without actually being sure that at least a part of
the RAM has been zeroed. And even then it might not
work as intended.

See:

http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html

http://www.daemonology.net/blog/2014-09-05-erratum.html

Keep in mind: You're declaring war on intended security
mechanisms if you try to do this. :-)

However, this is not guaranteed (!) to work, so you
cannot be safe. And you must do it from the kernel.
You cannot use (a privileged) program like dd to
flush /dev/mem and /dev/kmem with /dev/zero output.

Your best bet is to assume that RAM will be zeroed as soon
as the power-off routine has been completed - no refresh,
no content. Not perfectly secure, though... :-)

RAM usually isn't zeroed, but marked as "not in use" so
it can be overwritten. Address randomization makes it
hard to predict where something will appear in RAM, and
access to RAM requires certain privileges on a system.


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
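An added example, not part of the original mail: the same volatile function-pointer trick as in the snippet above, applied to a single stack buffer holding a constructed key rather than to all of physical RAM, followed by a check that the bytes really are zero afterwards. The helper names `all_zero` and `wipe_and_verify` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Volatile function pointer: the compiler cannot prove what it points to at
 * the call site, so it cannot classify the store as dead and remove it. */
static void *(* const volatile memset_ptr)(void *, int, size_t) = memset;

static void secure_memzero(void *p, size_t len)
{
    (memset_ptr)(p, 0, len);
}

/* Returns 1 if every byte of [p, p + len) is zero. The scan has no early
 * exit, so its running time does not depend on where a non-zero byte sits. */
static int all_zero(const void *p, size_t len)
{
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= b[i];
    return acc == 0;
}

/* Fill a buffer with a constructed (non-secret) key pattern, wipe it with
 * secure_memzero(), and report whether the wipe is observable.
 * Returns 1 on success, -1 if len exceeds the buffer, -2 if the fill failed. */
static int wipe_and_verify(size_t len)
{
    unsigned char key[64];

    if (len > sizeof key)
        return -1;                         /* refuse to write past the buffer */
    for (size_t i = 0; i < len; i++)
        key[i] = (unsigned char)(0xA5 ^ i); /* never zero for i < 64 */
    if (all_zero(key, len))
        return -2;                         /* nothing to wipe, fill went wrong */

    secure_memzero(key, len);
    return all_zero(key, len);
}

int main(void)
{
    printf("wipe of 32-byte key verified: %d\n", wipe_and_verify(32));
    return 0;
}
```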