From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mbroz@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by mail.saout.de (Postfix) with ESMTP
 for <dm-crypt@saout.de>; Thu, 19 May 2011 11:36:08 +0200 (CEST)
Message-ID: <4DD4E484.7090503@redhat.com>
Date: Thu, 19 May 2011 11:36:04 +0200
From: Milan Broz <mbroz@redhat.com>
MIME-Version: 1.0
References: <20110518152417.15529442@Haruhi.lan.labor-bochum.net>	
 <1305755598.15947.2.camel@hidalgo> <4DD4C126.3030709@redhat.com>	
 <1305792110.9280.4.camel@oban> <4DD4DA3C.90303@redhat.com>
 <1305796496.9280.10.camel@oban>
In-Reply-To: <1305796496.9280.10.camel@oban>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] DM-Crypt resistance against Cold Boot Attacks
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: dm-crypt@saout.de

On 05/19/2011 11:14 AM, Yves-Alexis Perez wrote:
>> The logic now works that table line received from dmcrypt
>> is directly usable - cryptsetup uses that e.g. for resize.
>> Replacing the key with zeroes or something will break this.
> 
> I don't know enough dm-crypt arch, but aiui from the paper, everytime
> you use the crypto-api to do stuff, it'll use the key in CPU debug
> registers and not the dummy key. Do you mean cryptsetup resize doesn't
> use the crypto-api (and will thus fail)?

cryptsetup (including resize command) works through DM API (dm-ioctl)
to setup dmcrypt, Only dmcrypt internally uses crypto-api.

(Cryptsetup resize will simple create the whole table again,
submitting key from userspace. This exercise will disappear
with the new table format.)
So it doesn't read key from crypto-api directly but thought that
DM mapping table.

There is already mechanism which ensures that all buffers with key
are wiped when working with dm-ioctl.
So this only slightly extends the window when is the key in memory
(during initial setting).

(Except that mentioned internal dmcrypt structure with plain key -
key is set through crypto-api for tpm _and_ also stored here.)

If you see how luksSuspend (aka key wipe message works):
- it suspends device to stop IO
- it wipes internal dmcrypt key buffer
- it wipes tfm keys through crypto-api (for block cipher, ESSIV etc)
(there is tfm per cpu in recent kernels as well)

Milan