From: Pavel Machek <pavel@ucw.cz>
To: Mike Snitzer <snitzer@redhat.com>
Cc: "Pali Rohár" <pali.rohar@gmail.com>,
"Alasdair Kergon" <agk@redhat.com>, "Neil Brown" <neilb@suse.de>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
"Len Brown" <len.brown@intel.com>,
dm-devel@redhat.com, linux-raid@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org
Subject: Why wipe crypto keys during suspend (was Re: [PATCH 0/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation)
Date: Mon, 6 Apr 2015 23:13:41 +0200 [thread overview]
Message-ID: <20150406211341.GA18353@amd> (raw)
In-Reply-To: <20150406205145.GA19677@redhat.com>
On Mon 2015-04-06 16:51:45, Mike Snitzer wrote:
> On Mon, Apr 06 2015 at 9:25am -0400,
> Pavel Machek <pavel@ucw.cz> wrote:
>
> > On Mon 2015-04-06 09:00:46, Mike Snitzer wrote:
> > > On Sun, Apr 05 2015 at 1:20pm -0400,
> > > Pali Rohár <pali.rohar@gmail.com> wrote:
> > >
> > > > This patch series increase security of suspend and hibernate actions. It allows
> > > > user to safely wipe crypto keys before suspend and hibernate actions starts
> > > > without race conditions on userspace process with heavy I/O.
> > > >
> > > > To automatically wipe cryto key for <device> before hibernate action call:
> > > > $ dmsetup message <device> 0 key wipe_on_hibernation 1
> > > >
> > > > To automatically wipe cryto key for <device> before suspend action call:
> > > > $ dmsetup message <device> 0 key wipe_on_suspend 1
> > > >
> > > > (Value 0 after wipe_* string reverts original behaviour - to not wipe key)
> > >
> > > Can you elaborate on the attack vector your changes are meant to protect
> > > against? The user already authorized access, why is it inherently
> > > dangerous to _not_ wipe the associated key across these events?
> >
> > Umm. You are using your notebook. It is unlikely to be stolen at that
> > point. You close the lid and board the airplane, stowing it in
> > overhead bin. There's much better chance of notebook being stolen now.
>
> Yes, pretty straight forward but the thief would need to then login upon
> resume (at least with most common desktop configs)... the barrier then
> is only the strength of the user's password and not the crypt
> passphrase.
Why would he want to do that? :-).
No; at that point, attacker would either wait for something remotely
exploitable to exploit, or attach JTAG debugger to the machine, or use
liquid nitrogen on RAMs and then attach them to running machine.
Yes, it is better when keys are not on your machine when it is stolen.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
next prev parent reply other threads:[~2015-04-06 21:13 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-05 17:20 [PATCH 0/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation Pali Rohár
2015-04-05 17:20 ` [PATCH 1/3] PM suspend/hibernate: Call notifier after freezing processes Pali Rohár
2015-04-09 0:28 ` Rafael J. Wysocki
2015-04-09 6:36 ` Pali Rohár
2015-04-09 17:13 ` Rafael J. Wysocki
2015-04-09 16:55 ` Pali Rohár
2015-04-05 17:20 ` [PATCH 2/3] dm: Export function dm_suspend_md() Pali Rohár
2015-04-05 17:20 ` [PATCH 3/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation Pali Rohár
2015-04-07 13:55 ` [dm-devel] " Alasdair G Kergon
2015-04-06 13:00 ` [PATCH 0/3] " Mike Snitzer
2015-04-06 13:25 ` Pavel Machek
2015-04-06 20:51 ` Mike Snitzer
2015-04-06 21:13 ` Pavel Machek [this message]
2015-04-06 13:29 ` Pali Rohár
2015-04-06 18:17 ` Pavel Machek
2015-04-06 21:27 ` Pali Rohár
2015-04-09 13:12 ` Mike Snitzer
2015-04-09 13:28 ` Pali Rohár
2015-04-09 14:08 ` Mike Snitzer
2015-04-09 14:16 ` Pali Rohár
2015-04-09 14:26 ` Mike Snitzer
2015-04-09 14:38 ` Pali Rohár
2015-04-14 6:50 ` Pavel Machek
2015-04-23 17:02 ` Pali Rohár
[not found] ` <mgnv2g$if5$2@ger.gmane.org>
2015-04-17 7:52 ` Mike Snitzer
2015-04-17 8:52 ` [dm-devel] " Ondrej Kozina
2015-04-17 15:53 ` Alex Elsayed
2015-04-14 6:41 ` Pavel Machek
2015-06-21 11:20 ` [PATCH v2 " Pali Rohár
2015-06-21 11:20 ` [PATCH v2 1/3] PM suspend/hibernate: Call notifier after freezing processes Pali Rohár
2015-07-16 1:02 ` Rafael J. Wysocki
2015-07-16 7:33 ` Pali Rohár
2015-07-17 23:27 ` Rafael J. Wysocki
2015-07-20 7:32 ` Pali Rohár
2015-07-20 21:46 ` Rafael J. Wysocki
2015-07-21 22:08 ` NeilBrown
2015-07-21 23:00 ` Rafael J. Wysocki
2015-07-21 23:03 ` Rafael J. Wysocki
2016-12-27 14:29 ` Pali Rohár
2015-06-21 11:20 ` [PATCH v2 2/3] dm: Export function dm_suspend_md() Pali Rohár
2015-07-17 14:04 ` Mike Snitzer
2015-07-17 14:22 ` Pali Rohár
2015-07-17 15:22 ` Mike Snitzer
2015-07-17 15:30 ` Mike Snitzer
2015-07-17 17:13 ` Pali Rohár
2015-07-17 17:31 ` Mike Snitzer
2015-06-21 11:20 ` [PATCH v2 3/3] dm-crypt: Adds support for wiping key when doing suspend/hibernation Pali Rohár
2015-07-28 14:44 ` Pavel Machek
2015-07-28 14:48 ` Pali Rohár
2015-07-07 7:59 ` [PATCH v2 0/3] " Pali Rohár
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150406211341.GA18353@amd \
--to=pavel@ucw.cz \
--cc=agk@redhat.com \
--cc=dm-devel@redhat.com \
--cc=len.brown@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-raid@vger.kernel.org \
--cc=neilb@suse.de \
--cc=pali.rohar@gmail.com \
--cc=rjw@rjwysocki.net \
--cc=snitzer@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).