From: James Prestwood <prestwoj at gmail.com>
To: iwd at lists.01.org
Subject: Re: [PATCH v3 1/7] storage: implement network profile encryption
Date: Fri, 04 Feb 2022 15:23:08 -0800 [thread overview]
Message-ID: <cfbb2d3a56d271ee240d7e09bb221033a79ec045.camel@gmail.com> (raw)
In-Reply-To: e7e5a0d3-5cfd-be0d-c847-22e91e856e64@benden.us
[-- Attachment #1: Type: text/plain, Size: 1872 bytes --]
Hi Joseph,
On Fri, 2022-02-04 at 15:55 -0700, Joseph Benden wrote:
> Hi!
>
> It is my understanding that all secret data is to be kept as securely
> as
> possible. I'm not really seeing this carried throughout the source
> code.
> Maybe this specific code does not need that level of security?
Currently any profile (e.g. /var/lib/iwd/foo.psk) containing secret
data is unencypted, plaintext. We rely on the file system permissions
to 'secure' this data (which this patch series is 'fixing' for anyone
who wants these encrypted).
>
> If I'm right, then:
>
> The secret data should be kept in a mmap(), and mlock(), structure.
> The
> prevents secret data from hitting swap memory. After every use of the
> secret data; it must be explicit_bzero() and then free(). This is so
> critical and tedious that it should be a macro or something from
> libell.
> And those are just initial thoughts for the basic safety of the
> secret data.
So this is how the systemd feature works: The IWD service is given a
path to a file. This file is decrypted by systemd and contains the
'secret'. IWD then reads this secret in, does some hashing, and stores
the hashed secret in RAM. Once IWD is done it never accesses the file
again.
So I don't think its even possible for IWD to do this mmap/mlock dance
you're describing. It really doesn't own this secret file, nor does it
keep the file contents around long. It just derives a fixed length key
and never uses the file again.
As far as explicit_bzero'ing the hashed secret after every use, then
reading it back in, and hashing it again when needed... this seems a
bit crazy :)
Thanks,
James
>
> Best regards,
> -Joe
> _______________________________________________
> iwd mailing list -- iwd(a)lists.01.org
> To unsubscribe send an email to iwd-leave(a)lists.01.org
next reply other threads:[~2022-02-04 23:23 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-04 23:23 James Prestwood [this message]
-- strict thread matches above, loose matches on Subject: below --
2022-02-07 20:44 [PATCH v3 1/7] storage: implement network profile encryption Denis Kenzior
2022-02-05 2:11 James Prestwood
2022-02-05 0:52 Joseph Benden
2022-02-04 23:35 James Prestwood
2022-02-04 23:00 Joseph Benden
2022-02-04 22:55 Joseph Benden
2022-02-04 17:16 Denis Kenzior
2022-02-03 21:23 James Prestwood
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cfbb2d3a56d271ee240d7e09bb221033a79ec045.camel@gmail.com \
--to=iwd@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox