All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Indan Zupancic" <indan@nul.nu>
To: "Pavel Machek" <pavel@ucw.cz>
Cc: "Oliver Neukum" <oliver@neukum.org>,
	"Pekka Enberg" <penberg@cs.helsinki.fi>,
	"Nigel Cunningham" <nigel@nigel.suspend2.net>,
	"Linus Torvalds" <torvalds@linux-foundation.org>,
	"LKML" <linux-kernel@vger.kernel.org>
Subject: Re: Back to the future.
Date: Sat, 5 May 2007 14:02:33 +0200 (CEST)	[thread overview]
Message-ID: <2470.81.207.0.53.1178366553.squirrel@secure.samage.net> (raw)
In-Reply-To: <20070505091643.GA25704@elf.ucw.cz>

Hello,

On Sat, May 5, 2007 11:16, Pavel Machek wrote:
>> But the same functionality can be achieved by doing:
>>
>> 1) Define a user password (e.g. /etc/shadow thing). (Once)
>>
>> 2) When a user logs in: get random data and encrypt it with the password,
>> this becomes the AES key. Store both the data and key in a secure way in
>> memory, e.g. using the existing kernel key infrastructure.
>
>
>
>> Advantage of this scheme is that it only need AES and can be done (mostly)
>> in kernel space. It's also faster and simpler than the current RSA scheme.
>> Disadvantage is that it wastes at least 32 bytes of memory when the system
>> is running, to store the data and key.
>
> Another disadvantage is that you need to hack into PAM infrastructure,
> that your suspend password needs to be same as someone's login
> password, and that it will really only work with single-user machine.

The first two are only true if you want to integrate it with user login, so
that a user only needs to sign in once, which seems like a convenient thing.
But if you don't want to integrate with the existing login infrastructure,
then just don't. And those disadvantages are true for any system that wants
users to login once.

Then the disadvantage is reduced to a user needing to provide the password
at suspend if the system wasn't booted from a snapshot. But no need for
users to generate any files, just to choose a resume password.

If the resume key is stored per user instead of a single global instance, it
will work with a multi-user system too. A more interesting question is what
should happen when one user did the suspend and the other wants to resume.
Throw away the snapshot? Refuse booting? Or boot and switch "active user"?

If you don't want people to resume each other's suspends then a key per user
works. If you want them to, then it becomes a bit tricky, especially if you
don't integrate with the login system. You don't want that a user can resume
someone else's snapshot and have access to everything that other user left
open. Nor do you want users to give a password twice.

If you want users to be able to resume each other's snapshots, you probably
also want the system to switch users after the resume. No matter what scheme
is used, this becomes hairy and hard to get watertight. (Perhaps "impossible"
is more realistic: how to be able to read the suspend image and copying it
to RAM again, without having access to all data within?)

But if it's an "us" against "them" case, and you want users to resume each
other's snapshots, you're right that the scheme I proposed will fall apart.
In which case it needs to be adjusted a bit to handle this case:

Have one global suspend/resume key, and for each user store it on disk,
encrypted with that user's password. Also store the key in memory as
before. Now when the system is suspended any user needs to have provided
his password once for everyone to be able to suspend without giving a
password. Also everyone can resume, if they have access to the file with
the list of encrypted keys and provide the right password. (Notice that
this looks more like the current scheme, where the private part of the
RSA key is encrypted with a passphrase and all stored in a file.)

Though it seems that using suspend to disk on a real multi-user system is
always asking for problems, because the suspend image may contain valuable
data which shouldn't be thrown away, but easily can by other users. Nor do
you want users to claim the machine, so it's a lose/lose situation. Also
with resume every user effectively gets root access, because of all the
memory access. So inter-user security is down the drain anyway.

Only sane usage I can see is when the users trust each other, in which case
they can as well agree on one resume password. ;-)

Greetings,

Indan



  reply	other threads:[~2007-05-05 16:05 UTC|newest]

Thread overview: 136+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-04-26  6:04 Back to the future Nigel Cunningham
2007-04-26  7:28 ` Pekka Enberg
     [not found]   ` <1177573348.50 25.224.camel@nigel.suspend2.net>
2007-04-26  7:42   ` Nigel Cunningham
2007-04-26  8:17     ` Pekka Enberg
2007-04-26  9:28       ` Nigel Cunningham
2007-04-26 17:29         ` Luca Tettamanti
2007-04-26 16:56     ` Linus Torvalds
2007-04-26 17:03       ` Xavier Bestel
2007-04-26 17:34         ` Linus Torvalds
2007-04-26 20:08           ` Nigel Cunningham
2007-04-26 20:45             ` Linus Torvalds
2007-04-26 20:50               ` Nigel Cunningham
2007-04-27  0:10                 ` Olivier Galibert
2007-04-27 10:21                   ` Daniel Pittman
2007-04-27 23:19                   ` Nigel Cunningham
2007-04-26 21:38             ` Theodore Tso
2007-04-27 10:10               ` Christoph Hellwig
2007-04-26 22:08             ` Rafael J. Wysocki
2007-04-26 22:20               ` Nigel Cunningham
2007-04-26 23:15               ` Linus Torvalds
2007-04-27  7:51           ` Pekka Enberg
2007-04-26 17:07       ` Linus Torvalds
2007-04-26 18:22       ` Chase Venters
2007-04-26 18:50         ` David Lang
2007-04-26 19:56       ` Nigel Cunningham
2007-04-27  4:52         ` Pekka J Enberg
2007-04-27  6:08           ` Nigel Cunningham
2007-04-27  6:18             ` Pekka J Enberg
2007-04-27  6:29               ` Pekka J Enberg
2007-04-27  6:34               ` Nigel Cunningham
2007-04-27  6:50                 ` Pekka J Enberg
2007-04-27  7:03                   ` Nigel Cunningham
2007-04-27  7:24                     ` Pekka J Enberg
2007-04-27  9:50               ` Oliver Neukum
2007-04-27 10:12                 ` Pekka J Enberg
2007-04-27 19:07                   ` Oliver Neukum
2007-04-28  9:22                     ` Pekka Enberg
2007-04-28 13:37                       ` Oliver Neukum
2007-05-03 12:06                         ` Pavel Machek
2007-05-04 21:52                           ` Indan Zupancic
2007-05-05  9:16                             ` Pavel Machek
2007-05-05 12:02                               ` Indan Zupancic [this message]
2007-04-28 10:35                   ` Rafael J. Wysocki
2007-04-28 18:43                     ` David Lang
2007-04-28 19:37                       ` Rafael J. Wysocki
2007-04-27 21:24               ` Rafael J. Wysocki
2007-04-27 21:44                 ` Linus Torvalds
2007-04-27 22:04                   ` Rafael J. Wysocki
2007-04-27 22:08                     ` Linus Torvalds
2007-04-27 22:41                       ` Rafael J. Wysocki
2007-04-27 22:26                         ` David Lang
2007-04-27 23:21                           ` Rafael J. Wysocki
2007-04-27 23:01                             ` David Lang
2007-04-28  0:02                               ` Rafael J. Wysocki
2007-04-27 23:17                         ` Linus Torvalds
2007-04-27 23:45                           ` Rafael J. Wysocki
2007-04-27 23:57                             ` Nigel Cunningham
2007-04-27 23:50                               ` David Lang
2007-04-28  0:40                                 ` Linus Torvalds
2007-04-28  6:58                                 ` Oliver Neukum
2007-04-28  9:16                                   ` Pekka J Enberg
2007-04-28 18:28                                   ` David Lang
2007-05-03 17:18                                 ` Pavel Machek
2007-05-07  2:13                                   ` David Lang
2007-05-07  3:33                                     ` Kyle Moffett
2007-05-07 12:48                                     ` Pavel Machek
2007-05-07 12:52                                       ` Oliver Neukum
2007-05-07 14:37                                         ` david
2007-05-07 19:51                                           ` Pavel Machek
2007-05-07 19:55                                             ` david
2007-05-07 20:38                                               ` Pavel Machek
2007-05-08 17:36                                                 ` Disconnect
2007-04-27 23:59                             ` Linus Torvalds
2007-04-28  0:18                               ` Linus Torvalds
2007-05-05 11:42                                 ` Pavel Machek
2007-04-28  0:50                               ` Paul Mackerras
2007-04-28  1:00                               ` Rafael J. Wysocki
2007-04-28  1:12                                 ` Linus Torvalds
2007-04-28  0:54                                   ` David Lang
2007-04-28  1:44                                   ` Rafael J. Wysocki
2007-04-28  2:51                                     ` Daniel Hazelton
2007-04-28  7:00                                       ` progress meter in s2disk (was Re: Back to the future.) Pavel Machek
2007-04-28  8:50                                     ` Back to the future Pavel Machek
2007-04-28  9:24                                       ` Rafael J. Wysocki
2007-04-28 16:28                                       ` Linus Torvalds
2007-04-28 17:50                                         ` Rafael J. Wysocki
2007-04-28 21:25                                           ` Linus Torvalds
2007-04-28 23:03                                             ` Rafael J. Wysocki
2007-04-28 23:45                                               ` Linus Torvalds
2007-04-29  0:01                                                 ` Nigel Cunningham
2007-04-29  5:01                                                   ` Bojan Smojver
2007-04-29  3:43                                                 ` Kyle Moffett
2007-04-29  8:57                                                 ` Rafael J. Wysocki
2007-04-29  8:59                                                   ` Pavel Machek
2007-04-29  9:32                                                     ` Rafael J. Wysocki
2007-04-29  8:23                                             ` Pavel Machek
2007-04-29  9:22                                               ` Rafael J. Wysocki
2007-04-28 18:32                                       ` David Lang
2007-04-28 19:14                                         ` Rafael J. Wysocki
2007-04-28 18:44                                           ` David Lang
2007-05-03 15:25                           ` Pavel Machek
2007-04-27 22:07                   ` Nigel Cunningham
2007-04-28  1:03                     ` Kyle Moffett
2007-04-28  1:15                       ` Rafael J. Wysocki
2007-04-28  0:51                         ` David Lang
2007-04-28  1:25                         ` Kyle Moffett
2007-05-03 15:10                       ` Pavel Machek
2007-05-03 16:53                         ` Kyle Moffett
2007-05-04  7:52                           ` David Greaves
2007-05-04 13:27                             ` Kyle Moffett
2007-04-28  0:18                   ` Jeremy Fitzhardinge
2007-04-28  1:00                     ` Matthew Garrett
2007-04-28  1:05                       ` Jeremy Fitzhardinge
2007-05-03 15:14                         ` Pavel Machek
2007-06-01 19:00                           ` Eric W. Biederman
2007-04-28  1:08                       ` Rafael J. Wysocki
2007-04-27 20:44           ` Rafael J. Wysocki
2007-04-28 19:09         ` Bill Davidsen
2007-04-26 22:40       ` Pavel Machek
2007-04-27  5:41         ` Pekka Enberg
2007-04-27 14:55           ` Pavel Machek
2007-04-27 21:39             ` Nigel Cunningham
2007-04-26 22:42       ` Pavel Machek
2007-04-26 22:24         ` David Lang
2007-04-26 23:12           ` Pavel Machek
2007-04-26 22:49             ` David Lang
2007-04-26 23:27               ` Pavel Machek
2007-04-26 22:56                 ` David Lang
2007-04-27  0:23               ` Olivier Galibert
2007-04-27 12:49       ` Pavel Machek
2007-04-27 21:26         ` Rafael J. Wysocki
2007-04-27 22:12           ` David Lang
2007-04-26  8:38 ` Jan Engelhardt
2007-04-26  9:33   ` Nigel Cunningham
2007-04-28  0:28 ` Bojan Smojver
     [not found] <8e5l8-7SD-21@gated-at.bofh.it>
     [not found] ` <8e6Ka-1uR-3@gated-at.bofh.it>
     [not found]   ` <8e6TS-1Id-11@gated-at.bofh.it>
     [not found]     ` <8efu9-6mF-1@gated-at.bofh.it>
     [not found]       ` <8ekWV-6FF-33@gated-at.bofh.it>
     [not found]         ` <8el6y-6Sj-5@gated-at.bofh.it>
     [not found]           ` <8elpT-7wY-21@gated-at.bofh.it>
2007-04-28 11:04             ` Bodo Eggert

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2470.81.207.0.53.1178366553.squirrel@secure.samage.net \
    --to=indan@nul.nu \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nigel@nigel.suspend2.net \
    --cc=oliver@neukum.org \
    --cc=pavel@ucw.cz \
    --cc=penberg@cs.helsinki.fi \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.