Commit 634e5a6d authored by intrigeri

Fix memory erasure on shutdown with systemd v239 (refs: #16097).

Remounting /run with the "exec" option in /lib/systemd/system-shutdown/tails
does not work anymore with systemd v239, while it worked at least until systemd
v237. I could not find out why by reading systemd's NEWS file.

So let's instead do this there:

 - For clean shutdown: in a new, dedicated service, started immediately before
   final.target, which itself is a synchronization point that ensures this
   service is started before the transition to systemd-shutdown and in turn to
   the initramfs, where we finish the unmounting and other clean ups needed to
   erase the memory.

 - For emergency shutdown: in the udev watchdog script, before calling the
   unclean shutdown code, which bypasses final.target and thus won't run
   tails-remount-run-exec.service. Too bad we have to duplicate this mount
   command but it seems that both instances will become unnecessary quickly
   enough, once systemd DTRT™. Another way would be to manually start
   tails-remount-run-exec.service from the udev watchdog script but I'm
   concerned it will be unreliable when the boot medium has been unplugged.
parent c369ace3
......@@ -13,6 +13,7 @@ systemctl enable onion-grater.service
systemctl enable tails-synchronize-data-to-new-persistent-volume-on-shutdown.service
systemctl enable tails-autotest-broken-Xorg.service
systemctl enable tails-autotest-remote-shell.service
systemctl enable tails-remount-run-exec.service
systemctl enable tails-set-wireless-devices-state.service
systemctl enable tails-shutdown-on-media-removal.service
systemctl enable tails-tor-has-bootstrapped.target
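Review bot: enabling tails-remount-run-exec.service here only creates the final.target.wants symlink, so this hunk covers the clean shutdown path alone; the commit message says the emergency path (udev watchdog) bypasses final.target and carries its own copy of the remount. A one-line comment next to this enable line pointing at the duplicate in the watchdog script would help the next person who touches either place keep the two in sync.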
......
......@@ -8,9 +8,6 @@ set -x
# initramfs during shutdown: in the initramfs, this script is
# overwritten with /usr/local/lib/initramfs-pre-shutdown-hook.
# Otherwise systemd-shutdown cannot execute /run/initramfs/shutdown
/bin/mount -o remount,exec /run
# Debugging
/bin/ls -l /run/initramfs
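Review bot: with the remount dropped from this script, the comment block above it ("in the initramfs, this script is overwritten with /usr/local/lib/initramfs-pre-shutdown-hook", "Otherwise systemd-shutdown cannot execute /run/initramfs/shutdown") should be re-read so it no longer motivates a remount that this script no longer performs. Separately, the `# Debugging` / `/bin/ls -l /run/initramfs` pair is still executed on every shutdown; if it is only useful while chasing this regression, consider removing it or guarding it behind the existing `set -x` debugging.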
......
# This allows systemd-shutdown to execute /run/initramfs/shutdown.
# XXX:Bullseye: if https://github.com/systemd/systemd/pull/9429 is merged,
# we can remove this custom code.
[Unit]
Description=Allow executing binaries in /run
Documentation=https://tails.boum.org/contribute/design/memory_erasure/
DefaultDependencies=no
After=shutdown.target umount.target
Requires=shutdown.target umount.target
Before=final.target
[Service]
ExecStart=/bin/mount -o remount,exec /run
[Install]
WantedBy=final.target
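Review bot: the [Service] section has no `Type=`, so this unit defaults to `Type=simple`, and systemd considers it started as soon as `/bin/mount` is forked rather than when it exits; `Before=final.target` then does not guarantee the remount has completed before final.target is reached. For a single command that must finish before the next unit starts, `Type=oneshot` (optionally with `RemainAfterExit=yes`) is the appropriate setting. Also worth checking: `Requires=shutdown.target umount.target` together with `DefaultDependencies=no` means the unit is pulled in only during a shutdown transaction, which matches the intent, but a `Conflicts=` line is not needed and none is present, so the unit will not be stopped prematurely; the `Documentation=` link to the memory erasure design page is a good addition.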
......@@ -60,6 +60,11 @@ do_stop() {
/bin/systemctl --signal=9 kill gdm.service || true
/bin/loginctl --signal=9 kill-user Debian-gdm || true
# This allows systemd-shutdown to execute /run/initramfs/shutdown.
# XXX:Bullseye: if https://github.com/systemd/systemd/pull/9429 is merged,
# we can remove this custom code.
/bin/mount -o remount,exec /run
# Finally, return to the initramfs and poweroff the system
/bin/systemctl --force poweroff
}
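Review bot: the remount here has no failure handling, unlike the two `|| true` lines above it; if `mount -o remount,exec /run` fails, the subsequent `/bin/systemctl --force poweroff` still runs and the initramfs hook that erases memory may not be executable, which is exactly the failure this commit is fixing. Consider logging the mount's exit status (for example to the kernel log or the console) before forcing poweroff so that a failed emergency shutdown is diagnosable, and since the same command now lives in tails-remount-run-exec.service, a comment naming that unit would keep the two copies tied together until the upstream change referenced in the XXX:Bullseye note lands.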
......
......@@ -29,6 +29,12 @@ in the initramfs. That one will unmount all filesystems, run
that helps us automatically test this behavior, and finally perform
the requested poweroff/reboot action.
To make this work, `/run` is [[!tails_gitweb config/chroot_local-includes/lib/systemd/system/tails-remount-run-exec.service desc="remounted"]] with
the `exec` option before `final.target` is started.
For details about the underlying systemd mechanisms, see `bootup(7)`
and `systemd-shutdown(8)`.
#### Triggers
Different kinds of events trigger the memory erasure process. All lead
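Review bot: this paragraph documents only the clean path (`/run` remounted before `final.target`), but the commit message explains that emergency shutdown via the udev watchdog bypasses `final.target` and performs the same remount itself. The design document should state that both paths remount `/run` with `exec`, otherwise a reader will conclude that the emergency path skips the step.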
......