Commit 2454d5bd authored by T(A)ILS developers's avatar T(A)ILS developers
Browse files

Erase memory at shutdown/reboot time using kexec and a ramdisk hook.

- build initramfs with sdmem support
- install kexec-tools that are used to run the sdmem-enabled initramfs on
  shutdown
- pass the rebooting/halting status to the kexec'd initramfs using a custom
  /etc/default/kexec
- remove custom live-boot packages to disable previous (buggy and incomplete)
  sdmem implementation
- provide our own tails-kexec initscript to replace /etc/init.d/kexec:
  tails-kexec is more post-eject-time friendly and informs the user s/he can
  remove the boot device before the sdmem process before it happens; hence
  switching live-boot boot parameter to noprompt
- kexec-load, tails-kexec-cache and tails-kexec are run on halt as well as on
  reboot; to achieve this we need to patch the kexec-load initscript LSB header:
  update-rc.d is not enough as insserv uses LSB headers rather than update-rc.d
  arguments
- don't disable init concurrency at shutdown anymore: the initscripts
  dependencies now are be accurate enough to prevent running in
  parallel scripts that should be run sequentially
parent 3cfb80cb
......@@ -11,7 +11,7 @@
# sourced by various other scripts.
# Base for the string that will be passed to "lb config --bootappend-live"
AMNESIA_APPEND="splash vga=788 live-media=removable nopersistent noprompt=usb"
AMNESIA_APPEND="splash vga=788 live-media=removable nopersistent noprompt"
# Options passed to isohybrid
# Default: "-entry 4 -type 1c"
......
......@@ -4,8 +4,19 @@ echo "managing initscripts"
# enable custom initscripts
update-rc.d tails-detect-virtualization start 17 S .
update-rc.d tails-disable-init-concurrency defaults
update-rc.d tails-kexec stop 85 0 6 .
update-rc.d tails-kexec-cache stop 85 0 6 .
update-rc.d tails-wifi start 17 S .
# we run Tor ourselves after HTP via NetworkManager hooks
update-rc.d tor disable
# we reboot/halt using kexec->sdmem
update-rc.d -f halt remove
update-rc.d -f reboot remove
# we provide our own tails-kexec initscript (more friendly to ejected CD/USB)
update-rc.d -f kexec remove
# we use kexec on halt too => enable kexec-load initscript on runlevel 0 as well
update-rc.d kexec-load stop 18 0 6 .
# Defaults for kexec initscript
# sourced by /etc/init.d/kexec and /etc/init.d/kexec-load
# Load a kexec kernel (true/false)
LOAD_KEXEC=true
# Kernel and initrd image
KERNEL_IMAGE="/vmlinuz"
INITRD="/initrd.img"
# If empty, use current /proc/cmdline
APPEND="quiet"
case "$RUNLEVEL" in
6)
APPEND="${APPEND} sdmem=reboot"
;;
*)
APPEND="${APPEND} sdmem=halt"
;;
esac
#! /bin/sh
### BEGIN INIT INFO
# Provides: tails-disable-init-concurrency
# Required-Start: gdm3
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: Disable init concurrency
# Description: Disable init concurrency
### END INIT INFO
# Author: T(A)ILS developers <amnesia@boum.org>
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="Disabling init concurrency"
NAME=tails-detect-virtualization
VIRTWHAT=/usr/sbin/virt-what
SCRIPTNAME=/etc/init.d/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
do_start()
{
echo 'CONCURRENCY=none' >> /etc/default/rcS
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "$DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
restart|reload|stop|force-reload)
:
;;
*)
echo "Usage: $SCRIPTNAME start" >&2
exit 3
;;
esac
:
#! /bin/sh
### BEGIN INIT INFO
# Provides: tails-kexec
# Required-Start:
# Required-Stop:
# Should-Stop: halt reboot
# X-Stop-After: umountroot live-boot tails-kexec-cache
# Default-Start:
# Default-Stop: 0 6
# X-Interactive: true
# Short-Description: Execute the kexec -e command to reboot system
# Description:
### END INIT INFO
PATH=/sbin:/bin
do_stop () {
test "x`/bin/cat /sys/kernel/kexec_loaded`y" = "x1y" || exit 0
/bin/stty sane < /dev/console
echo "" > /dev/console
echo "You can now remove the boot CD or USB stick." > /dev/console
echo "The system memory is going to be wiped in a few seconds." > /dev/console
/bin/sleep 5
/sbin/kexec -e
}
case "$1" in
start)
# No-op
;;
restart|reload|force-reload)
echo "Error: argument '$1' not supported" >&2
exit 3
;;
stop)
do_stop
;;
*)
echo "Usage: $0 start|stop" >&2
exit 3
;;
esac
exit 0
#! /bin/sh
### BEGIN INIT INFO
# Provides: tails-kexec-cache
# Required-Start:
# Required-Stop:
# Should-Stop: live-boot tails-kexec
# Default-Start:
# Default-Stop: 0 6
# X-Stop-After: kexec-load umountroot
# Short-Description: Cache files needed by kexec
# Description: Cache files needed by /etc/init.d/tails-kexec
### END INIT INFO
# Author: T(A)ILS developers <amnesia@boum.org>
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="Caching files needed by kexec"
NAME=tails-kexec-cache
SCRIPTNAME=/etc/init.d/$NAME
. /lib/lsb/init-functions
cache_path()
{
path="${1}"
if [ -d "${path}" ]
then
find "${path}" -type f | xargs cat > /dev/null 2>&1
elif [ -f "${path}" ]
then
if [ -x "${path}" ]
then
if file -L "${path}" | grep -q 'dynamically linked'
then
for lib in $(ldd "${path}" | awk '{ print $3 }')
do
cache_path "${lib}"
done
fi
fi
cat "${path}" >/dev/null 2>&1
fi
}
do_stop() {
log_action_begin_msg "$DESC"
. /etc/default/kexec
for path in /bin/sh /etc/init.d/tails-kexec /bin/stty /bin/cat /bin/sleep /sbin/kexec "$KERNEL_IMAGE" "$INITRD" ; do
cache_path "$path"
done
log_action_end_msg $?
}
case "$1" in
start)
# No-op
;;
restart|reload|force-reload)
echo "Error: argument '$1' not supported" >&2
exit 3
;;
stop)
do_stop
;;
*)
echo "Usage: $0 start|stop" >&2
exit 3
;;
esac
exit 0
#!/bin/sh
set -e
# FIXME: what is this used for? dependency-based hooks ordering?
PREREQ=""
prereqs() {
echo "${PREREQ}"
}
case "${1}" in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /sbin/halt
copy_exec /sbin/reboot
copy_exec /usr/bin/sdmem
#!/bin/sh
PREREQ=""
prereqs() {
echo "${PREREQ}"
}
case ${1} in
prereqs)
prereqs
exit 0
;;
esac
case "$sdmem" in
halt|reboot)
/usr/bin/sdmem -vllf
;;
*)
;;
esac
case "${sdmem}" in
halt)
/sbin/halt -fndp
;;
reboot)
/sbin/reboot -fnd
;;
*)
;;
esac
......@@ -81,6 +81,7 @@ iceweasel-l10n-pt-pt
iceweasel-l10n-zh-cn
inkscape
iptables
kexec-tools
less
laptop-mode-tools
libgfshare-bin
......
--- chroot.orig/etc/init.d/kexec-load 2011-01-14 12:30:05.089859516 +0100
+++ chroot/etc/init.d/kexec-load 2011-01-14 12:30:29.159667183 +0100
@@ -5,7 +5,7 @@
# Required-Stop: $local_fs $remote_fs kexec
# Should-Stop: autofs
# Default-Start:
-# Default-Stop: 6
+# Default-Stop: 0 6
# Short-Description: Load kernel image with kexec
# Description:
### END INIT INFO
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment