Reviewed-by: Vladimir Serbinenko phco...@gmail.com
Regards
Vladimir 'phcoder' Serbinenko
On Thu, May 8, 2025, 20:04, Daniel Kiper via Grub-devel <grub-devel@gnu.org> wrote: > From: Maxim Suhanov <dfirb...@gmail.com> > > Switching to another EFI boot application while there are secrets in > RAM is dangerous, because not all firmware is wiping memory on free. > > To reduce the attack surface, wipe the passphrase acquired when > unlocking an encrypted volume. > > Signed-off-by: Maxim Suhanov <dfirb...@gmail.com> > Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> > --- > grub-core/disk/cryptodisk.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c > index 544a30d61..7065bcdcb 100644 > --- a/grub-core/disk/cryptodisk.c > +++ b/grub-core/disk/cryptodisk.c > @@ -1302,6 +1302,7 @@ grub_cryptodisk_scan_device_real (const char *name, > > if (askpass) > { > + grub_memset (cargs->key_data, 0, cargs->key_len); > cargs->key_len = 0; > grub_free (cargs->key_data); > } > -- > 2.11.0 > > > _______________________________________________ > Grub-devel mailing list > Grub-devel@gnu.org > https://lists.gnu.org/mailman/listinfo/grub-devel >
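Review bot: the new grub_memset in the if (askpass) block wipes only cargs->key_len bytes, so any part of the key_data buffer beyond that length is freed without being cleared. If the buffer is allocated at a fixed maximum size rather than at exactly key_len, consider wiping the full allocation size instead. The wipe is correctly placed before cargs->key_len = 0; swapping those two lines would make it a zero-length no-op, so a short comment noting the ordering dependency would help future edits. Since the store is followed directly by grub_free (cargs->key_data), it is also worth confirming that the build cannot discard it as a dead store.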