[ubuntu-hardened] Where can I find info about the userspace support for CONFIG_RESET_ATTACK_MITIGATION

[Mike McCracken (mikmccra)]

Hi, I was reviewing our ubuntu kernels wrt. KSPP guidelines recently and saw that CONFIG_RESET_ATTACK_MITIGATION,
which wipes RAM via EFI at reboot in case of unclean shutdown, is enabled in Ubuntu - at least, in Jammy[1].

Per the updated[2] kConfig docs, it says 
> This should only be enabled when userland is configured to
> clear the MemoryOverwriteRequest flag on clean shutdown after secrets
> have been evicted, since otherwise it will trigger even on clean
> reboots.

What clears the flag on clean reboot in ubuntu?

I looked in systemd source but it doesn't seem to do anything related in the systemd-shutdown binary and a few searches of systemd code for MemoryOverwriteRequest or reset_attack yielded nothing.

Thanks,
-mike


[1]: I checked some live systems I am using, and saw that some config in the package in LP has it, e.g. https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy/commit/debian.master/config/annotations?h=master-next--2024.04.01-3&id=29f98055b62531362398e4f27c2524770c0e5d25 but I confess that I didn't follow the organization of the branches for that repo and got lost trying to figure out where that line was really added - so I couldn't see any commit message that might explain it.

[2]: added in this commit: https://github.com/torvalds/linux/commit/a5c03c31af2291f13689d11760c0b59fb70c9a5a