From: Maxim Suhanov <[email protected]> Switching to another EFI boot application while there are secrets in RAM is dangerous, because not all firmware is wiping memory on free.
To reduce the attack surface, wipe the passphrase acquired when unlocking an encrypted volume. Signed-off-by: Maxim Suhanov <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> --- grub-core/disk/cryptodisk.c | 1 + 1 file changed, 1 insertion(+) diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c index 544a30d61..7065bcdcb 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c @@ -1302,6 +1302,7 @@ grub_cryptodisk_scan_device_real (const char *name, if (askpass) { + grub_memset (cargs->key_data, 0, cargs->key_len); cargs->key_len = 0; grub_free (cargs->key_data); } -- 2.11.0 _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
