Memory wipe: use kernel config

vadika · brianmcgillion · commit 00bb4e6b0ece · 2025-11-17T15:48:15.000+04:00
- Enable PAGE_POISONING, INIT_ON_ALLOC_DEFAULT_ON, INIT_ON_FREE_DEFAULT_ON
- Enable by default for all x86_64 platforms via hardware module
- Update documentation to reflect build-time kernel configuration approach

This provides runtime memory protection against information disclosure
throughout system operation.

Signed-off-by: vadik likholetov &lt;vadikas@gmail.com&gt;
diff --git a/docs/astro.config.mjs b/docs/astro.config.mjs
@@ -94,6 +94,7 @@ export default defineConfig({
                         "ghaf/dev/ref/idsvm-development",
                         "ghaf/dev/ref/systemd-service-config",
                         "ghaf/dev/ref/dynamic-hostname",
+                        "ghaf/dev/ref/memory-wipe",
                         "ghaf/dev/ref/kill_switch",
                         "ghaf/dev/ref/wireguard-gui",
                       ],
diff --git a/docs/src/content/docs/ghaf/dev/ref/memory-wipe.mdx b/docs/src/content/docs/ghaf/dev/ref/memory-wipe.mdx
@@ -0,0 +1,70 @@
+---
+title: Memory Wipe on Boot and Free
+description: Secure memory initialization and clearing using kernel configuration
+---
+
+This module implements secure memory wiping by configuring the Linux kernel at build time to initialize memory on allocation and free operations.
+
+## How it works
+
+The module configures the kernel by applying kernel configuration patches:
+
+- **`PAGE_POISONING`** - Enables page poisoning to overwrite freed pages
+- **`INIT_ON_ALLOC_DEFAULT_ON`** - Automatically zeroes memory when allocated from the page allocator
+- **`INIT_ON_FREE_DEFAULT_ON`** - Automatically zeroes memory when freed back to the page allocator
+
+These settings are compiled into the kernel, ensuring:
+- Memory is wiped when freed, preventing data leakage between processes
+- Memory is zeroed on allocation, preventing information disclosure from previous allocations
+- The system maintains security throughout its runtime
+
+## Default Behavior
+
+This feature is **enabled by default** for the host kernel on all x86_64 platforms through the `hardware-x86_64-generic` module. Guest VMs do not have this feature enabled by default.
+
+To disable it on x86_64 host platforms:
+
+```nix
+{
+  ghaf.host.kernel.memory-wipe.enable = false;
+}
+```
+
+To enable it on other host platforms:
+
+```nix
+{
+  ghaf.host.kernel.memory-wipe.enable = true;
+}
+```
+
+## Implementation Details
+
+The module uses `boot.kernelPatches` to apply kernel configuration options at build time. This approach:
+- Integrates with the existing kernel build process
+- Works with any kernel package (doesn't force a specific kernel version)
+- Ensures security settings are part of the compiled kernel
+
+## Security Benefits
+
+- **Information Disclosure Prevention**: Prevents processes from reading sensitive data left in memory by previous processes
+- **Runtime Protection**: Active during the entire system operation
+- **Defense in Depth**: Multiple layers of memory clearing (page poisoning + init on free/alloc)
+- **Build-time Configuration**: Security settings are compiled into the kernel and cannot be disabled at runtime
+
+## Performance Impact
+
+Memory initialization on free and allocation operations adds a small performance overhead (typically 1-5%). This is a security vs. performance trade-off that prioritizes data protection. The overhead is generally acceptable for security-focused systems.
+
+## Technical Requirements
+
+- Linux kernel 5.3+ (for `init_on_free` and `init_on_alloc` support)
+- Kernel configuration support for `PAGE_POISONING`, `INIT_ON_ALLOC_DEFAULT_ON`, and `INIT_ON_FREE_DEFAULT_ON`
+- NixOS kernel build infrastructure
+
+## Module Location
+
+- **Module**: `modules/hardware/common/kernel.nix`
+- **Option**: `ghaf.host.kernel.memory-wipe.enable`
+- **Scope**: Host kernel only (guest VMs are not affected)
+- **Default enablement**: `modules/hardware/x86_64-generic/x86_64-linux.nix` (for x86_64 host platforms)
diff --git a/docs/src/content/docs/ghaf/dev/ref/modules.mdx b/docs/src/content/docs/ghaf/dev/ref/modules.mdx
@@ -133,6 +133,18 @@ Ghaf provides 46 specialized NixOS modules that implement the secure edge comput
 
 ### Security and Isolation
 
+#### kernel-memory-wipe
+**Location**: `modules/hardware/common/kernel.nix`
+**Option**: `ghaf.host.kernel.memory-wipe.enable`
+**Purpose**: Secure memory initialization and clearing via kernel configuration
+**Features**:
+- Build-time kernel configuration patches (`INIT_ON_ALLOC_DEFAULT_ON`, `INIT_ON_FREE_DEFAULT_ON`, `PAGE_POISONING`)
+- Enabled by default on x86_64 host platforms (not guest VMs)
+- Runtime memory protection against information disclosure
+- No boot parameters needed - compiled into kernel
+
+See [Memory Wipe on Boot and Free](/ghaf/dev/ref/memory-wipe) for detailed documentation.
+
 #### givc
 **Location**: `modules/givc/`
 **Purpose**: Guest-to-guest inter-VM communication
diff --git a/modules/hardware/common/kernel.nix b/modules/hardware/common/kernel.nix
@@ -41,59 +41,85 @@ in
     };
   };
 
-  config = {
-    # Host kernel configuration
-    boot = optionalAttrs fullVirtualization {
-      initrd = {
-        inherit (config.ghaf.hardware.definition.host.kernelConfig.stage1) kernelModules;
+  options.ghaf.host.kernel.memory-wipe = {
+    enable = lib.mkEnableOption "Memory wipe on boot and free using kernel configuration (host only)";
+  };
+
+  config = lib.mkMerge [
+    # Memory wipe kernel patches (applies to host only)
+    {
+      boot.kernelPatches = lib.optionals config.ghaf.host.kernel.memory-wipe.enable [
+        {
+          name = "memory-wipe-config";
+          patch = null;
+          structuredExtraConfig = with lib.kernel; {
+            # Enable page poisoning for additional security
+            PAGE_POISONING = yes;
+
+            # Enable init-on-alloc and init-on-free support
+            INIT_ON_ALLOC_DEFAULT_ON = option yes;
+            INIT_ON_FREE_DEFAULT_ON = option yes;
+          };
+        }
+      ];
+    }
+
+    # Host kernel configuration (only for full virtualization)
+    {
+      boot = optionalAttrs fullVirtualization {
+        initrd = {
+          inherit (config.ghaf.hardware.definition.host.kernelConfig.stage1) kernelModules;
+        };
+        inherit (config.ghaf.hardware.definition.host.kernelConfig.stage2) kernelModules;
+        kernelParams =
+          let
+            # PCI device passthroughs for vfio
+            filterDevices = builtins.filter (d: d.vendorId != null && d.productId != null);
+            mapPciIdsToString = map (d: "${d.vendorId}:${d.productId}");
+            vfioPciIds = mapPciIdsToString (
+              filterDevices (
+                config.ghaf.hardware.definition.network.pciDevices
+                ++ config.ghaf.hardware.definition.gpu.pciDevices
+                ++ config.ghaf.hardware.definition.audio.pciDevices
+              )
+            );
+          in
+          config.ghaf.hardware.definition.host.kernelConfig.kernelParams
+          ++ [ "vfio-pci.ids=${builtins.concatStringsSep "," vfioPciIds}" ];
       };
-      inherit (config.ghaf.hardware.definition.host.kernelConfig.stage2) kernelModules;
-      kernelParams =
-        let
-          # PCI device passthroughs for vfio
-          filterDevices = builtins.filter (d: d.vendorId != null && d.productId != null);
-          mapPciIdsToString = map (d: "${d.vendorId}:${d.productId}");
-          vfioPciIds = mapPciIdsToString (
-            filterDevices (
-              config.ghaf.hardware.definition.network.pciDevices
-              ++ config.ghaf.hardware.definition.gpu.pciDevices
-              ++ config.ghaf.hardware.definition.audio.pciDevices
-            )
-          );
-        in
-        config.ghaf.hardware.definition.host.kernelConfig.kernelParams
-        ++ [ "vfio-pci.ids=${builtins.concatStringsSep "," vfioPciIds}" ];
-    };
+    }
 
     # Guest kernel configurations
-    ghaf.kernel = optionalAttrs fullVirtualization {
-      guivm = {
-        boot = {
-          initrd = {
-            inherit (config.ghaf.hardware.definition.gpu.kernelConfig.stage1) kernelModules;
+    {
+      ghaf.kernel = optionalAttrs fullVirtualization {
+        guivm = {
+          boot = {
+            initrd = {
+              inherit (config.ghaf.hardware.definition.gpu.kernelConfig.stage1) kernelModules;
+            };
+            inherit (config.ghaf.hardware.definition.gpu.kernelConfig.stage2) kernelModules;
+            inherit (config.ghaf.hardware.definition.gpu.kernelConfig) kernelParams;
           };
-          inherit (config.ghaf.hardware.definition.gpu.kernelConfig.stage2) kernelModules;
-          inherit (config.ghaf.hardware.definition.gpu.kernelConfig) kernelParams;
         };
-      };
-      audiovm = {
-        boot = {
-          initrd = {
-            inherit (config.ghaf.hardware.definition.audio.kernelConfig.stage1) kernelModules;
+        audiovm = {
+          boot = {
+            initrd = {
+              inherit (config.ghaf.hardware.definition.audio.kernelConfig.stage1) kernelModules;
+            };
+            inherit (config.ghaf.hardware.definition.audio.kernelConfig.stage2) kernelModules;
+            inherit (config.ghaf.hardware.definition.audio.kernelConfig) kernelParams;
           };
-          inherit (config.ghaf.hardware.definition.audio.kernelConfig.stage2) kernelModules;
-          inherit (config.ghaf.hardware.definition.audio.kernelConfig) kernelParams;
         };
-      };
-      netvm = {
-        boot = {
-          initrd = {
-            inherit (config.ghaf.hardware.definition.network.kernelConfig.stage1) kernelModules;
+        netvm = {
+          boot = {
+            initrd = {
+              inherit (config.ghaf.hardware.definition.network.kernelConfig.stage1) kernelModules;
+            };
+            inherit (config.ghaf.hardware.definition.network.kernelConfig.stage2) kernelModules;
+            inherit (config.ghaf.hardware.definition.network.kernelConfig) kernelParams;
           };
-          inherit (config.ghaf.hardware.definition.network.kernelConfig.stage2) kernelModules;
-          inherit (config.ghaf.hardware.definition.network.kernelConfig) kernelParams;
         };
       };
-    };
-  };
+    }
+  ];
 }
diff --git a/modules/hardware/flake-module.nix b/modules/hardware/flake-module.nix
@@ -7,12 +7,14 @@
       ./x86_64-generic
       ./common
       ./device-passthrough
+      ./common/kernel.nix
     ];
     hardware-x86_64-generic.imports = [
       ./definition.nix
       ./x86_64-generic
       ./device-passthrough
       ./common/usb/vhotplug.nix
+      ./common/kernel.nix
     ];
     hardware-x86_64-host-kernel.imports = [
       ./x86_64-generic/kernel/host
diff --git a/modules/hardware/x86_64-generic/x86_64-linux.nix b/modules/hardware/x86_64-generic/x86_64-linux.nix
@@ -14,6 +14,8 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    # Enable memory wiping for x86_64 host platforms
+    ghaf.host.kernel.memory-wipe.enable = lib.mkDefault true;
 
     # Add this for x86_64 hosts to be able to more generically support hardware.
     # For example Intel NUC 11's graphics card needs this in order to be able to
diff --git a/targets/vm/flake-module.nix b/targets/vm/flake-module.nix
@@ -18,6 +18,7 @@ let
         };
         modules = [
           (builtins.getAttr format nixos-generators.nixosModules)
+          self.nixosModules.common
           self.nixosModules.microvm
           self.nixosModules.profiles
           self.nixosModules.reference-appvms
@@ -108,7 +109,9 @@ let
                   guivm.enable = withGraphics;
                 };
 
-                host.networking.enable = true;
+                host = {
+                  networking.enable = true;
+                };
 
                 # Enable all the default UI applications
                 profiles = {
