From 8353963b405ffc6082911e910b57d4d74fb67cdf Mon Sep 17 00:00:00 2001 From: Joachim Wiberg Date: Sun, 11 Aug 2024 18:01:45 +0200 Subject: [PATCH] board/common: factory reset using shred and LED indication This patch greatly improves the security of the Infix factory reset by replacing 'rm' with 'shred'. The shred tool overwrites the contents of files three times. With the -z and -u options the last pass writes zeroes and then uninks the files. On the NanoPi R2S the factory-reset now takes 24 seconds: Aug 11 16:00:34 infix mnt[121]: Resetting to factory defaults. Aug 11 16:00:58 infix mnt[173]: Factory reset complete. A visual aid is also added, setting *all* LEDs to on, that can be found mounted on the device, before starting the file shredders. The LEDs are reset back to off and SYS red blinking as soon as the wipe has completed and iitod has been started. Fixes #158 Signed-off-by: Joachim Wiberg --- board/common/rootfs/usr/libexec/infix/mnt | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/board/common/rootfs/usr/libexec/infix/mnt b/board/common/rootfs/usr/libexec/infix/mnt index 56d6b7aad..82dd4e50d 100755 --- a/board/common/rootfs/usr/libexec/infix/mnt +++ b/board/common/rootfs/usr/libexec/infix/mnt @@ -42,9 +42,17 @@ check_factory() factory_reset() { - # XXX: flash LEDs to confirm factory-reset in progress + find /sys/class/leds/ -type l -exec sh -c 'echo 100 > $0/brightness' {} \; logger $opt -p user.crit -t "$nm" "Resetting to factory defaults." + + # Shred all files to prevent restoring contents + find /mnt/cfg -type f -exec shred -zu {} \; + find /mnt/var -type f -exec shred -zu {} \; + + # Remove any lingering directories and symlinks as well rm -rf /mnt/cfg/* /mnt/var/* + + logger $opt -p user.crit -t "$nm" "Factory reset complete." sync }