From: Andrea Arcangeli <andrea@novell.com>
To: Nigel Cunningham <ncunningham@linuxmail.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
Chris Wright <chrisw@osdl.org>, Jeff Garzik <jgarzik@pobox.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@osdl.org>
Subject: Re: mlock(1)
Date: Sat, 25 Sep 2004 03:07:59 +0200 [thread overview]
Message-ID: <20040925010759.GA3309@dualathlon.random> (raw)
In-Reply-To: <1096069581.3591.23.camel@desktop.cunninghams>
On Sat, Sep 25, 2004 at 09:46:22AM +1000, Nigel Cunningham wrote:
> I plan on making a plugin for suspend2 that will use the cryptoapi to
> encrypt the data. One of the problems with encrypting the swap partition
> wholesale is that suspend implementations need to check whether the
> image exists and get some unencrypted metadata before beginning to read
> the image proper. Currently, they all store the location of the metadata
> in the swap header. If that's encrypted, how will they know whether the
> image exists. If we're working on an abstraction of swap (transparent
> [en|de]cryption), will the actual header still be visible? Will it be
> able to be set up early enough in the boot sequence for resuming? (That
> later shouldn't be a problem for suspend2 as it lets you set things up
> in an initrd before resuming).
My current idea is to have two passwords. the fist if for the swap
device and suspend shouldn't care about it, the end user won't care
about it either, it'll be always different, it will be choosed randomly
by userspace while booting the machine.
the second password has to be asked somehow both during suspend and
later during resume too. Users not using suspend/resume will not notice
the difference but they will stop risking dumping their credit card
into the swap partition in cleartext thanks to the primary random
password. (that is good value even for desktop users, that may
eventually sell their HD thinking they were safe because they used SSL
to transfer the information).
We could use the cryptoloop or dm-crypto and everything would work fine
if we were ok to re-run mkswap after every reboot (right after choosing
the random password). But it sounds just simpler to leave the swap
header in cleartext. The swap header and the swap metadata in general,
are the only thing that can be written in cleartext safely.
So when suspend kicks in, it will have only to write by hand into the
swap device, using the a secondary password asked to the user by the
suspend procedure. This will be the only password asked to the user.
Resume will then ask the user for the same password again. It'd be also
nice to waste 4k of swap space have a check to know if the resume
password is ok and to avoid a kernel crash if I do a typo ;). Not being
able to resume is still nicer than a potentially (though very unlikely)
fs-corrupting kernel crash.
This I believe should work safely. As far as suspend is concerned we
could also use cryptoloop instead of interfacing swap directly with
cryptoapi, then suspend should simply overwrite the swap header and
resume should reistantiate it (could even be saved in encrypted form in
another suspend-block), but then we'd need to run mkswap every boot and
that's not nice. Leaving the swap metadata in cleartext sounds a lot
nicer to avoid mkswap and to still choose random swap password at every
reboot.
next prev parent reply other threads:[~2004-09-25 1:08 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-24 19:57 mlock(1) Jeff Garzik
2004-09-24 20:15 ` mlock(1) Neil Horman
2004-09-24 20:21 ` mlock(1) Neil Horman
2004-09-24 20:31 ` mlock(1) Lee Revell
2004-09-24 20:33 ` mlock(1) Jeff Garzik
2004-09-24 20:39 ` mlock(1) Lee Revell
2004-09-24 20:22 ` mlock(1) Chris Wright
2004-09-24 20:41 ` mlock(1) Chris Friesen
2004-09-24 20:46 ` mlock(1) Chris Wright
2004-09-24 20:54 ` mlock(1) Chris Friesen
2004-09-24 20:59 ` mlock(1) Chris Wright
2004-09-24 22:48 ` mlock(1) Ryan Cumming
2004-09-24 21:07 ` mlock(1) Alan Cox
2004-09-24 22:19 ` mlock(1) Chris Wright
2004-09-24 22:30 ` mlock(1) Jeff Garzik
2004-09-24 23:08 ` mlock(1) Chris Wright
2004-09-24 22:59 ` mlock(1) Andrea Arcangeli
2004-09-24 23:46 ` mlock(1) Nigel Cunningham
2004-09-25 1:07 ` Andrea Arcangeli [this message]
2004-09-25 1:21 ` mlock(1) David Lang
2004-09-25 1:30 ` mlock(1) Andrea Arcangeli
2004-09-25 1:46 ` mlock(1) Valdis.Kletnieks
2004-09-25 2:15 ` mlock(1) Andrea Arcangeli
2004-09-25 2:46 ` mlock(1) Valdis.Kletnieks
2004-09-25 2:58 ` mlock(1) Andrea Arcangeli
2004-09-25 3:29 ` mlock(1) Valdis.Kletnieks
2004-09-25 4:07 ` mlock(1) Andrea Arcangeli
2004-09-25 4:52 ` mlock(1) Valdis.Kletnieks
2004-09-25 17:15 ` mlock(1) Andy Lutomirski
2004-09-25 2:33 ` mlock(1) Bernd Eckenfels
2004-09-25 1:27 ` mlock(1) Andrea Arcangeli
2004-09-28 22:03 ` mlock(1) Robert White
2004-09-28 22:15 ` mlock(1) Andrea Arcangeli
2004-09-28 23:26 ` mlock(1) Robert White
2004-09-29 1:16 ` mlock(1) Jon Masters
2004-09-29 1:23 ` mlock(1) Alan Cox
2004-09-29 3:46 ` mlock(1) Robert White
2004-09-29 12:34 ` mlock(1) Jon Masters
2004-09-29 15:57 ` mlock(1) Lee Revell
2004-09-29 22:56 ` mlock(1) Paul Jackson
2004-09-25 12:21 ` mlock(1) Nigel Cunningham
2004-09-25 14:53 ` mlock(1) Andrea Arcangeli
2004-09-28 8:48 ` mlock(1) Pavel Machek
2004-09-30 17:42 ` mlock(1) Andrea Arcangeli
2004-09-30 18:54 ` mlock(1) Pavel Machek
2004-09-30 19:17 ` mlock(1) Andrea Arcangeli
2004-09-30 19:52 ` mlock(1) Pavel Machek
2004-10-04 12:21 ` mlock(1) Jack Lloyd
2004-09-24 23:59 ` mlock(1) Bernd Eckenfels
2004-09-25 0:25 ` mlock(1) Nigel Cunningham
2004-09-25 1:18 ` mlock(1) Andrea Arcangeli
2004-09-27 6:16 ` mlock(1) Stefan Seyfried
2004-09-27 10:32 ` mlock(1) Nigel Cunningham
2004-09-27 14:29 ` mlock(1) Andrea Arcangeli
2004-09-27 20:32 ` mlock(1) Wolfgang Walter
2004-09-27 14:16 ` mlock(1) Andrea Arcangeli
2004-09-27 13:31 ` mlock(1) Alan Cox
2004-09-29 1:48 ` mlock(1) Andrea Arcangeli
2004-09-27 14:34 ` mlock(1) Stefan Seyfried
2004-09-27 15:07 ` mlock(1) Andrea Arcangeli
2004-09-27 15:25 ` mlock(1) Stefan Seyfried
2004-09-27 15:38 ` mlock(1) Andrea Arcangeli
2004-09-30 13:04 ` mlock(1) Pavel Machek
2004-09-27 22:22 ` mlock(1) Nigel Cunningham
2004-09-27 22:43 ` mlock(1) Andrea Arcangeli
2004-09-28 22:03 ` mlock(1) Nigel Cunningham
2004-09-24 20:24 ` mlock(1) Chris Friesen
2004-09-24 21:17 ` mlock(1) Andrew Morton
2004-09-25 0:26 ` mlock(1) Chris Wright
2004-09-25 1:28 ` mlock(1) Andrew Morton
2004-09-25 1:33 ` mlock(1) Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040925010759.GA3309@dualathlon.random \
--to=andrea@novell.com \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chrisw@osdl.org \
--cc=jgarzik@pobox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ncunningham@linuxmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox