kernel: Clear secrets on reboot

The idea is that when we reboot, we zero out memory written by processes that have the private flag set (such as factotum and keyfs), and also clear the secrmem pool, which contains TLS keys and the state of the random number generator. This is so the newly booted kernel or firmware will not find these secret keys in memory.
author: cinap_lenrek <cinap_lenrek@felloff.net> 2023-04-08 20:30:47 +0000
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2023-04-08 20:30:47 +0000
commit: 60b1a2f82dc96b254d6dec1bfd1c14ca056c21dd (patch)
tree: 1de5c2c26d7f7d0a0def0bbe4c11971a12735730 /sys/src/9/bcm
parent: bd43bd6f1ae1b1ec7ee6873d9fd6766b049802e9 (diff)
1 files changed, 12 insertions, 3 deletions
diff --git a/sys/src/9/bcm/main.c b/sys/src/9/bcm/main.c
index a5b32d28f..03eeb51de 100644
--- a/sys/src/9/bcm/main.c
+++ b/sys/src/9/bcm/main.c
@@ -281,9 +281,14 @@ exit(int)
 {
 	cpushutdown();
 	splfhi();
-	if(m->machno == 0)
-		archreboot();
-	rebootjump(0, 0, 0);
+	if(m->machno)
+		rebootjump(0, 0, 0);
+
+	/* clear secrets */
+	zeroprivatepages();
+	poolreset(secrmem);
+
+	archreboot();
 }
 
 /*
@@ -323,6 +328,10 @@ reboot(void *entry, void *code, ulong size)
 	clockshutdown();
 	wdogoff();
 
+	/* clear secrets */
+	zeroprivatepages();
+	poolreset(secrmem);
+
 	/* off we go - never to return */
 	rebootjump(entry, code, size);
 }
author	cinap_lenrek <cinap_lenrek@felloff.net>	2023-04-08 20:30:47 +0000
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2023-04-08 20:30:47 +0000
commit	60b1a2f82dc96b254d6dec1bfd1c14ca056c21dd (patch)
tree	1de5c2c26d7f7d0a0def0bbe4c11971a12735730 /sys/src/9/bcm
parent	bd43bd6f1ae1b1ec7ee6873d9fd6766b049802e9 (diff)