forked from pool/grub2
33 lines
1.0 KiB
Diff
33 lines
1.0 KiB
Diff
|
From d5a155864230964878280a52dc82392382af1c5d Mon Sep 17 00:00:00 2001
|
||
|
|
From: Maxim Suhanov <dfirblog@gmail.com>
|
||
|
|
Date: Thu, 8 May 2025 19:02:13 +0200
|
||
|
|
Subject: [PATCH 7/8] disk/cryptodisk: Wipe the passphrase from memory
|
||
|
|
|
||
|
|
Switching to another EFI boot application while there are secrets in
|
||
|
|
RAM is dangerous, because not all firmware is wiping memory on free.
|
||
|
|
|
||
|
|
To reduce the attack surface, wipe the passphrase acquired when
|
||
|
|
unlocking an encrypted volume.
|
||
|
|
|
||
|
|
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
|
||
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||
|
|
---
|
||
|
|
grub-core/disk/cryptodisk.c | 1 +
|
||
|
|
1 file changed, 1 insertion(+)
|
||
|
|
|
||
|
|
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
|
||
|
|
index f9ae750f85..cb87d337ac 100644
|
||
|
|
--- a/grub-core/disk/cryptodisk.c
|
||
|
|
+++ b/grub-core/disk/cryptodisk.c
|
||
|
|
@@ -1251,6 +1251,7 @@ grub_cryptodisk_scan_device_real (const char *name,
|
||
|
|
#endif
|
||
|
|
if (askpass)
|
||
|
|
{
|
||
|
|
+ grub_memset (cargs->key_data, 0, cargs->key_len);
|
||
|
|
cargs->key_len = 0;
|
||
|
|
grub_free (cargs->key_data);
|
||
|
|
}
|
||
|
|
--
|
||
|
|
2.49.0
|
||
|
|
|