From 3bd71421d109995b8b7e4e11c891ec58111f9ff1 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Fri, 14 Feb 2025 12:30:21 -0500 Subject: [PATCH] document early boot free memory zeroing --- static/features.html | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/static/features.html b/static/features.html index 28daaa6b..23bd782a 100644 --- a/static/features.html +++ b/static/features.html @@ -387,6 +387,15 @@ released retains data indefinitely until the memory is handed out for other uses and gets partially or fully overwritten by new data. +
  • In early boot, all the memory not being used by the OS is + zeroed to get rid of any data leftover from a previous boot in + case zero-on-free didn't have the opportunity to clear it as + part of a clean reboot/shutdown. All the devices we support have + a reset attack protection feature we proposed zeroing memory for + firmware-based boot modes, but we need to finish it up by adding + it for the OS boot modes ourselves. Fully encrypted RAM with a + per-boot key cycled on reboots will eventually obsolete these + features for newer devices.
  • Kernel stack allocations are zeroed to make most uninitialized data usage vulnerabilities harmless.
  • Assorted attack surface reduction through disabling
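Review bot: The second sentence of the added list item is hard to parse and leaves the status of the feature unclear. "a reset attack protection feature we proposed zeroing memory for firmware-based boot modes" runs two clauses together, and "we need to finish it up by adding it for the OS boot modes ourselves" reads as pending work, while the first sentence says memory "is zeroed" in early boot. Split the sentence and state outright whether the OS boot mode zeroing is what this item documents as shipped, for example "... have a reset attack protection feature, proposed by us, which zeroes memory for firmware-based boot modes. We add the same zeroing for the OS boot modes ourselves.", if that is the intended meaning. Minor: "data leftover from a previous boot" should be "data left over from a previous boot".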