All of lore.kernel.org
 help / color / mirror / Atom feed
From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
To: Sven Eschenberg <sven@eschenberg.eu>
Cc: dm-crypt@saout.de, Ingo Franzki <ifranzki@linux.vnet.ibm.com>
Subject: Re: [dm-crypt] LUKS header recovery attempt, bruteforce detection of AF-keyslot bit errors
Date: Wed, 26 Apr 2017 16:45:03 +0200	[thread overview]
Message-ID: <20170426144503.GC20174@linux.vnet.ibm.com> (raw)
In-Reply-To: <b4622686-3e00-af3e-7cba-5472c69a7a40@eschenberg.eu>

Hi Sven,

On Tue, Apr 25, 2017 at 07:09:35PM +0200, Sven Eschenberg wrote:
> Am 25.04.2017 um 18:30 schrieb Milan Broz:
> >On 04/25/2017 06:16 PM, Sven Eschenberg wrote:
> >>
> >>Furthermore, everyone who had access to /dev/mem and was able to locate
> >>the keys knows, them. On second thought, this holds certainly true for
> >>the 'new central kernel key storage' (Forgot the name), depending on the
> >>allover kernel configuration and userspace, that is.
> >>
> >>At the end of the day dm-crypt (etc.) needs to store the key somewhere,
> >>where it can be accessed at all times when an IO-Request comes in. There
> >>is not that many options for that ;-).
> >
> >Crypto API stores the key in memory as well (even the round keys etc), obviously.
> >
> >We have already support for kernel keyring in dm-crypt (so the key will
> >not be directly visible in dmsetup table), this will be supported in next major
> >version of cryptsetup/LUKS.
> >
> >But as you said, if you have access to the kernel memory, it is there anyway...
> >
> 
> Ah, thanks Milan, kernel keyring it is called. Anyhow, the only
> solution would be, to store the key in some device and retrieve it
> for IO-Ops, but then again, it would make more sense, to pass the io
> blocks to that (secured blackbox) device. Which would in turn mean
> that such a device needs computational power and massive
> IO-bandwidth.

a colleague of mine and I investigated in this kind of topic. For strong
security, having the clear key accessible in the memory is not an option.
Of course, the alternative, is to deal with hardware security modules (HSM)
to perform the cryptographic operations by having the clear never leaving
the HSM.

We worked on this area and provided some cryptsetup enhancements to support
wrapped keys for disk encryption to prevent having keys in clear text in the
memory of the operating system.  Recently, we submitted this merge request:

https://gitlab.com/cryptsetup/cryptsetup/merge_requests/19

Basically, it seamlessly integrates support for ciphers that can use wrapped
keys instead of clear keys.

For Linux on z Systems (our background), there is a tamper-safe hardware
security module (HSM) that provides "secure keys".  Secure keys are BLOBs
containing the clear key wrapped with a master key of the HSM. Of course,
the overhead is typically considerable because each cryptographic operation
comes at the cost of an I/O operation to the HSM.  However, the z Systems
firmware provides acceleration for this by re-wrapping a secure key to a
protected key (that is valid for the Linux instance (LPAR) only).  Then,
you can use some special instructions to perform, for example, AES with a
protected key at CPU speed. In both cases, the clear key resides in the
HSM/firmware only and is exposed to the OS in a wrapped form only.

The merge request above, also introduces this protected-AES (paes) as
sample for a wrapped key cipher. (paes itself is an in-kernel crypto module).

> 
> Maybe crypto acceleration cards with PCIe3 and 8+ Lanes would be an
> option, if they provide a secured keyring storage etc. . I am
> thinking of something like the Intel QA 8950 with respects to the
> concept. (The QA 8950 aims rather at communication streams, AFAIK, I
> am not sure how keys are handled, i.e. if they are passed into the
> adapter during engine initialization or if an additional permanent
> secured keyring service is offered, or if the key needs to be passed
> in for every block together with the data)

I am not familiar with the QA 8950, but there might be a similar approach
possible as we did with paes. Perhaps, another kind of wrapped key cipher
that fits into concept.

Thanks and kind regards,
  Hendrik

-- 
Hendrik Brueckner
brueckner@linux.vnet.ibm.com      | IBM Deutschland Research & Development GmbH
Linux on z Systems Development    | Schoenaicher Str. 220, 71032 Boeblingen


IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martina Koederitz
Geschaeftsfuehrung: Dirk Wittkopp
Sitz der Gesellschaft: Boeblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294

  reply	other threads:[~2017-04-26 18:01 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <a6e54426-5188-d4c7-ee7b-6f022b84bf22@depressiverobots.com>
2017-04-21 14:26 ` [dm-crypt] LUKS header recovery attempt from apparently healthy SSD protagonist
2017-04-21 23:25   ` David Christensen
2017-04-22  0:25   ` Arno Wagner
2017-04-22 13:33     ` Robert Nichols
2017-04-22 13:45       ` Arno Wagner
2017-04-22 18:02         ` [dm-crypt] LUKS header recovery attempt, bruteforce detection of bit errors protagonist
2017-04-23 20:03           ` [dm-crypt] LUKS header recovery attempt, bruteforce detection of AF-keyslot " protagonist
2017-04-24  5:50             ` Dominic Raferd
2017-04-24 13:26               ` protagonist
2017-04-24 17:00                 ` Dominic Raferd
2017-04-24 17:44                   ` Michael Kjörling
2017-04-24 23:49                   ` protagonist
2017-04-25 13:14                     ` Robert Nichols
2017-04-25 13:44                       ` Dominic Raferd
2017-04-25 14:37                         ` Robert Nichols
2017-04-25 14:43                           ` Robert Nichols
2017-04-25 14:45                           ` Ondrej Kozina
2017-04-25 16:16                         ` Sven Eschenberg
2017-04-25 16:30                           ` Milan Broz
2017-04-25 17:09                             ` Sven Eschenberg
2017-04-26 14:45                               ` Hendrik Brueckner [this message]
2017-04-26 18:46                                 ` Milan Broz
2017-04-28 15:51             ` protagonist
2017-04-30 15:06               ` protagonist
2017-04-30 18:39                 ` Arno Wagner
2017-11-24 11:57 Jindrich Kolman
2017-11-24 16:15 ` protagonist

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170426144503.GC20174@linux.vnet.ibm.com \
    --to=brueckner@linux.vnet.ibm.com \
    --cc=dm-crypt@saout.de \
    --cc=ifranzki@linux.vnet.ibm.com \
    --cc=sven@eschenberg.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.