erase memory when the USB stick is removed

Originally created by Tails on #5687 (Redmine)

Rationale

If running from the USB drive and it is removed, it would be nice to wipe memory and reboot when the USB drive is removed: if you’re in a persecuted country and they are on to you, you can grab the USB and leave.

Current state

Implemented in 0.7.

design documentation: done in memory erasure
end-user documentation: done in cold boot attacks

Inspiration

A simple udev rule should do the job. It should be triggered by ACTION=="remove", and be really careful to detect whether the system is running from the just-removed USB stick.

The implementation difficulty arises from the fact that smem must be permanently kept in RAM after boot, along with what’s needed to make the command run by the udev rule work. Possible solution: run smem on boot, immediately SIGSTOP it, and SIGCONT it when the USB stick is unplugged.

Liberte Linux has some kind of watchdog that does something alike these lines (i.e. at least shutdown the box):

they pre-cache needed programs in a directory in /dev/shm
they have a udev watchdog written in C, which is supposed to be more reliable than udev rules.

_Originally created by Tails on [#5687 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/5687)_

# Rationale

If running from the USB drive and it is removed, it would be nice to
wipe memory and reboot when the USB drive is removed: if you’re in a
persecuted country and they are on to you, you can grab the USB and
leave.

# Current state

Implemented in 0.7.

- design documentation: done in [memory
    erasure](https://tails.boum.org/contribute/design/memory_erasure/)
  - end-user documentation: done in [cold boot
    attacks](https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/)

# Inspiration

A simple udev rule should do the job. It should be triggered by
`ACTION=="remove"`, and be really careful to detect whether the system
is running from the just-removed USB stick.

The implementation difficulty arises from the fact that smem must be
permanently kept in RAM after boot, along with what’s needed to make the
command run by the udev rule work. Possible solution: run smem on boot,
immediately SIGSTOP it, and SIGCONT it when the USB stick is unplugged.

[Liberte Linux](http://dee.su/liberte) has some kind of watchdog that
does something alike these lines (i.e. at least shutdown the box):

- they pre-cache needed programs in a directory in `/dev/shm`
  - they have a udev watchdog written in C, which is supposed to be more
    reliable than udev rules.

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.