board/common: factory reset using shred and LED indication

This patch greatly improves the security of the Infix factory reset by replacing 'rm' with 'shred'. The shred tool overwrites the contents of files three times. With the -z and -u options the last pass writes zeroes and then uninks the files. On the NanoPi R2S the factory-reset now takes 24 seconds: Aug 11 16:00:34 infix mnt[121]: Resetting to factory defaults. Aug 11 16:00:58 infix mnt[173]: Factory reset complete. A visual aid is also added, setting *all* LEDs to on, that can be found mounted on the device, before starting the file shredders. The LEDs are reset back to off and SYS red blinking as soon as the wipe has completed and iitod has been started. Fixes #158 Signed-off-by: Joachim Wiberg <[email protected]>
kernelkit · Aug 16, 2024 · 8353963 · 8353963
1 parent 9a67a95
commit 8353963
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/board/common/rootfs/usr/libexec/infix/mnt b/board/common/rootfs/usr/libexec/infix/mnt
@@ -42,9 +42,17 @@ check_factory()
 
 factory_reset()
 {
-    # XXX: flash LEDs to confirm factory-reset in progress
+    find /sys/class/leds/ -type l -exec sh -c 'echo 100 > $0/brightness' {} \;
     logger $opt -p user.crit -t "$nm" "Resetting to factory defaults."
+
+    # Shred all files to prevent restoring contents
+    find /mnt/cfg -type f -exec shred -zu {} \;
+    find /mnt/var -type f -exec shred -zu {} \;
+
+    # Remove any lingering directories and symlinks as well
     rm -rf /mnt/cfg/* /mnt/var/*
+
+    logger $opt -p user.crit -t "$nm" "Factory reset complete."
     sync
 }