Re: [PATCH encrypted swsusp 1/3] core functionality

From: Matt Mackall
Date: Thu Apr 14 2005 - 17:51:54 EST

Next message: Franco \"Sensei\": "Re: [INFO] Kernel strict versioning"
Previous message: abonilla: "Re: Linux support for IBM ThinkPad Disk shock prevention update..."
In reply to: Andy Isaacson: "Re: [PATCH encrypted swsusp 1/3] core functionality"
Next in thread: Andreas Steinmetz: "Re: [PATCH encrypted swsusp 1/3] core functionality"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 14, 2005 at 03:11:53PM -0700, Andy Isaacson wrote:
> On Thu, Apr 14, 2005 at 12:53:52PM -0700, Matt Mackall wrote:
> > On Thu, Apr 14, 2005 at 09:27:22PM +0200, Stefan Seyfried wrote:
> > > Matt Mackall wrote:
> > > > Any sensible solution here is going to require remembering passwords.
> > > > And arguably anywhere the user needs encrypted suspend, they'll want
> > > > encrypted swap as well.
> > >
> > > But after entering the password and resuming, the encrypted swap is
> > > accessible again and my ssh-key may be lying around in it, right?
> >
> > No. Because it's been zeroed in the resume process.
>
> Zeroing the entire swsusp region is a big job, especially if you want to
> do it in a FIPS-conformant manner. Hard to test that you've done it
> right and not missed any bits.
>
> Much much easier to securely erase just the key storage.
>
> And unless I'm missing something, you meant to say "it will have been
> zeroed" (after the patch under discussion is merged), right? The
> current state of the art (as of 2.6.12-rc2) is that mlocked regions are
> written to the swsusp region and may linger there indefinitely after
> resume.

I was referring not to the current implementation but to an ideal
solution. Which is:

- use dm-crypt for swap and suspend
- overwrite mlocked regions on resume
- use per-boot session keys for the swap partition
- password protect the session key on suspend

This doesn't have great FIPS-secure deletion properties if the
attacker can steal the box after resume but while it's still running
(though it's not too bad). As we currently have no solution for
protecting the in-memory ssh-agent, as opposed to the one in the
suspend image, this attack vector is not all that important.

A much more likely vector is stealing the laptop while it's suspended.
And the encrypted swsusp patch has -zero- security here: it writes the
key in the header in the clear. It's rather odd that everyone's hung
up on the "box rooted after resume" attack and completely ignoring the
much more common "stole my laptop" attack.

--
Mathematics is the supreme nostalgia of our time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Franco \"Sensei\": "Re: [INFO] Kernel strict versioning"
Previous message: abonilla: "Re: Linux support for IBM ThinkPad Disk shock prevention update..."
In reply to: Andy Isaacson: "Re: [PATCH encrypted swsusp 1/3] core functionality"
Next in thread: Andreas Steinmetz: "Re: [PATCH encrypted swsusp 1/3] core functionality"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]