Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 5 Aug 2018 17:25:03 +0200
From:      Polytropon <freebsd@edvax.de>
To:        thor <thor@irk.ru>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Erase memory on shutdown
Message-ID:  <20180805172503.e2479108.freebsd@edvax.de>
In-Reply-To: <acbb3213-e79e-dfde-038f-b1476925cd4a@irk.ru>
References:  <acbb3213-e79e-dfde-038f-b1476925cd4a@irk.ru>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Sun, 5 Aug 2018 22:24:16 +0800, thor wrote:
> Just one paranoid question: How to cause FreeBSD to zero all RAM during 
> shutdown?

This would imply that the kernel would finally have to
overwrite itself. How can control over zeroing memory
be maintained when the control program itself has been
overwritten? That would be the result of the "all" in
your requirement.

Sure, you could add some code to the final shutdown
routines to zero the RAM, which is possible, but not
trivial: You need a non-optimized call to memset()
using a custom function pointer.

	static void *(* const volatile memset_ptr)(void *, int, size_t) = memset;
	static void secure_memzero(void *p, size_t len)
	{
	        (memset_ptr)(p, 0, len);
	}

	void *ram = 0x0; 		/* RAM start address */
	size_t amount = 17179869184UL;	/* 16 GB RAM */

	secure_menzero(ram, amount);	/* ouch */

If you add something like this to the kernel, and make
sure your compiler isn't too clever (as to optimize it
into a NOP), you're going to crash the whole system
without actually being sure that at least a part of
the RAM has been zeroed. And even then it might not
work as intended.

See:

http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html

http://www.daemonology.net/blog/2014-09-05-erratum.html

Keep in mind: You're declaring war on intended security
mechanisms if you try to do this. :-)

However, this is not guaranteed (!) to work, so you
cannot be safe. And you must do it from the kernel.
You cannot use (a privileged) program like dd to
flush /dev/mem and /dev/kmem with /dev/zero output.

Your best bet is to assume that RAM will be zeroed as soon
as the power-off routine as been completed - no refresh,
no content. Not perfectly secure, though... :-)

RAM usually isn't zeroed, but marked as "not in use" so
it can be overwritten. Address randomization makes it
hard to protect where something will appear in RAM, and
access to RAM requires certain privileges on a system.


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20180805172503.e2479108.freebsd>