Merge branch 'bugfix/16097-memory-erasure-on-shutdown' into devel (Fix-committed: #16097)

config/chroot_local-hooks/52-update-rc.d

@@ -18,6 +18,7 @@ systemctl enable tails-shutdown-on-media-removal.service
 systemctl enable tails-tor-has-bootstrapped.target
 systemctl enable tails-wait-until-tor-has-bootstrapped.service
 systemctl enable tails-tor-has-bootstrapped-flag-file.service
+systemctl enable run-initramfs.mount
 systemctl enable var-tmp.mount
 
 # Enable our own systemd user unit files

config/chroot_local-includes/lib/systemd/system-shutdown/tails

@@ -8,9 +8,6 @@ set -x
 # initramfs during shutdown: in the initramfs, this script is
 # overwritten with /usr/local/lib/initramfs-pre-shutdown-hook.
 
-# Otherwise systemd-shutdown cannot execute /run/initramfs/shutdown
-/bin/mount -o remount,exec /run
-
 # Debugging
 /bin/ls -l /run/initramfs
 

config/chroot_local-includes/lib/systemd/system/run-initramfs.mount

+# This allows systemd-shutdown to execute /run/initramfs/shutdown.
+# XXX:Bullseye: if https://github.com/systemd/systemd/pull/9429 is merged,
+# we can remove this custom code.
+
+[Unit]
+Description=Extracted initrd directory
+ConditionPathIsSymbolicLink=!/run/initramfs
+DefaultDependencies=no
+Before=initramfs-shutdown.service local-fs.target
+
+[Mount]
+What=tmpfs
+Where=/run/initramfs
+Type=tmpfs
+Options=mode=755
+
+[Install]
+WantedBy=local-fs.target

config/chroot_local-includes/usr/local/lib/udev-watchdog-wrapper

@@ -44,13 +44,6 @@ boot_device() {
 
 # First clean the screen, then brutally shutdown the machine.
 do_stop() {
-	# Really make sure that the CD is ejected
-	# FIXME: this might not be necessary with future kernel/udev
-	if [ "${DEV_TYPE}" = "cd" ]; then
-		/usr/bin/eject -i off "${BOOT_DEVICE}" || true
-		/usr/bin/eject -m "${BOOT_DEVICE}" || true
-	fi
-
 	# Kill everything run by amnesia or Debian-gdm, otherwise emergency
 	# shutdown fails for some reason. Incidentally, this also allows
 	# the test suite to look for a known message ("Happy dumping!")

features/emergency_shutdown.feature

 @product
 Feature: Emergency shutdown
+  As a Tails user
+  when I unplug my Tails device to trigger emergency shutdown
+  I want the system memory to be free from sensitive data.
 
   # Test something close to real-world usage, without interfering,
   # i.e. without the "I prepare Tails for memory erasure tests" step;

wiki/src/contribute/design/memory_erasure.mdwn

@@ -29,6 +29,16 @@ in the initramfs. That one will unmount all filesystems, run
 that helps us automatically test this behavior, and finally perform
 the requested poweroff/reboot action.
 
+To make this work, a dedicated `tmpfs` filesystem is [[!tails_gitweb
+config/chroot_local-includes/lib/systemd/system/run-initramfs.mount
+desc="mounted"]] on `/run/initramfs`: `/run` is mounted with the
+`noexec` option and while our attempts to remount it with `exec`
+worked for clean shutdown, they failed for emergency shutdown, i.e.
+when the boot medium is physically removed.
+
+For details about the underlying systemd mechanisms, see `bootup(7)`
+and `systemd-shutdown(8)`.
+
 #### Triggers
 
 Different kinds of events trigger the memory erasure process. All lead