erase_memory.feature 3.92 KB
Newer Older
1
@product @slow @not_release_blocker
2
3
4
5
6
Feature: System memory erasure on shutdown
  As a Tails user
  when I shutdown Tails
  I want the system memory to be free from sensitive data.

7
8
# These tests rely on the Linux kernel's memory poisoning features.
# The feature is called "on shutdown" as this is the security guarantee
9
10
11
# we document, but in practice we test that some important bits of memory
# are erased _before_ shutdown, while for some others we really test
# behavior at shutdown time.
12

13
  Scenario: Erasure of memory freed by killed userspace processes
14
    Given I have started Tails from DVD without network and logged in
15
    And I prepare Tails for memory erasure tests
16
17
18
    When I start a process allocating 128 MiB of memory with a known pattern
    Then patterns cover at least 128 MiB in the guest's memory
    When I kill the allocating process
19
    Then I find very few patterns in the guest's memory
20
21
22
23
24
25

  Scenario: Erasure of tmpfs data on unmount
    Given I have started Tails from DVD without network and logged in
    And I prepare Tails for memory erasure tests
    And I find very few patterns in the guest's memory
    When I mount a 128 MiB tmpfs on "/mnt" and fill it with a known pattern
26
    Then patterns cover at least 99% of the test FS size in the guest's memory
27
28
    When I umount "/mnt"
    Then I find very few patterns in the guest's memory
29

30
  Scenario: Erasure of read and write disk caches on unmount: vfat
31
32
33
34
    Given I have started Tails from DVD without network and logged in
    And I prepare Tails for memory erasure tests
    When I plug and mount a 128 MiB USB drive with a vfat filesystem
    Then I find very few patterns in the guest's memory
35
    # write cache
36
37
38
39
    When I fill the USB drive with a known pattern
    Then patterns cover at least 99% of the test FS size in the guest's memory
    When I umount the USB drive
    Then I find very few patterns in the guest's memory
40
41
42
43
44
45
    # read cache
    When I mount the USB drive again
    And I read the content of the test FS
    Then patterns cover at least 99% of the test FS size in the guest's memory
    When I umount the USB drive
    Then I find very few patterns in the guest's memory
46

47
  Scenario: Erasure of read and write disk caches on unmount: LUKS-encrypted ext4
48
49
50
51
    Given I have started Tails from DVD without network and logged in
    And I prepare Tails for memory erasure tests
    When I plug and mount a 128 MiB USB drive with an ext4 filesystem encrypted with password "asdf"
    Then I find very few patterns in the guest's memory
52
    # write cache
53
54
55
56
    When I fill the USB drive with a known pattern
    Then patterns cover at least 99% of the test FS size in the guest's memory
    When I umount the USB drive
    Then I find very few patterns in the guest's memory
57
58
59
60
61
62
    # read cache
    When I mount the USB drive again
    And I read the content of the test FS
    Then patterns cover at least 99% of the test FS size in the guest's memory
    When I umount the USB drive
    Then I find very few patterns in the guest's memory
63

64
  Scenario: Erasure of the overlayfs read-write branch on shutdown
65
66
67
68
69
70
    Given I have started Tails from DVD without network and logged in
    And I prepare Tails for memory erasure tests
    When I fill a 128 MiB file with a known pattern on the root filesystem
    # ensure the pattern is in memory due to tmpfs, not to disk cache
    And I drop all kernel caches
    Then patterns cover at least 128 MiB in the guest's memory
71
72
    When I trigger shutdown
    And I wait 20 seconds
73
74
75
76
77
78
    Then I find very few patterns in the guest's memory

  Scenario: Erasure of read and write disk caches of persistent data on shutdown
    Given I have started Tails without network from a USB drive with a persistent partition enabled and logged in
    And I prepare Tails for memory erasure tests
    When I fill a 128 MiB file with a known pattern on the persistent filesystem
79
80
    When I trigger shutdown
    And I wait 20 seconds
81
    Then I find very few patterns in the guest's memory