From: | Jakob Bohm |
Subject: | Re: Does reboot clear RAM? |
Date: | Tue, 12 Nov 2019 02:20:34 +0100 |
User-agent: | Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1 |
On 11/11/2019 20:27, Joachim Durchholz wrote:
> On 11.11.19 at 15:35, Jakob Bohm wrote:
>> On physical machines, the following mechanisms are common:
>>
>> 1. DRAM chips physically lose their contents after a few seconds of poweroff,
>
> I am by no means an expert, but the forensic experts tell me that data can persist for *minutes*. Of course, the first bits flip after a few seconds. But you don't get a guarantee that everything is zeroed.
>
> I also hear that temperature plays a really big role here.

There's a difference between reading faded bits with special analogue equipment after artificially cooling chips way below what the datasheet allows, and reading the digital bits at normal temperature, voltage etc.

>> 3. On x86 and x86_64 PCs, the IBM compatible BIOS typically does a memory test and wipe during actual boot, but not upon a software initiated boot.
>>
>> This PC BIOS rule exists for the following two purposes:
>>
>> 3.1 Older guest operating systems use a software reset to switch the CPU from "protected mode" to "real mode" because the historical 80286 CPU chip had no other way to return to real mode and returning to real mode was needed to invoke BIOS APIs.
>>
>> 3.2 Signalling if such a non-wiping boot is desired (for speed or other reasons) is officially done by writing a magic value in one of the well-known BIOS global addresses, if this global address has not been set to one of those magic values, and the global RTC register with related semantics has not been so set either, the BIOS (in qemu's case SEABIOS) should do the wipe as part of the POST (Power-On-Self-Test), otherwise it should skip that and most other parts of the POST.
>
> How does the BIOS do the wipe? Because zeroing out all memory should take some noticeable time on today's large RAM, even with GHz machines (RAM bus speed has increased far more slowly than typical RAM size, so the time should have been increasing). I can imagine some fast PCI burst transfers to quickly zero memory, but does anybody have realistic data, or information about how it's being done in practice?

The slowness of manually zeroing and probing all of RAM was the original reason for the rule back in 1981. I suspect modern hardware uses some low level trickery in the DRAM interface controller to speed up zeroing all DRAM cells.