From: Matt Mackall <mpm@selenic.com>
To: "Rafael J. Wysocki" <rjw@sisk.pl>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Pavel Machek <pavel@ucw.cz>, Andreas Steinmetz <ast@domdv.de>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH encrypted swsusp 1/3] core functionality
Date: Thu, 14 Apr 2005 10:11:27 -0700
Message-ID: <20050414171127.GL3174@waste.org>
In-Reply-To: <200504141104.40389.rjw@sisk.pl>
On Thu, Apr 14, 2005 at 11:04:39AM +0200, Rafael J. Wysocki wrote:
> Hi,
>
> On Thursday, 14 of April 2005 10:08, Herbert Xu wrote:
> > On Thu, Apr 14, 2005 at 08:51:25AM +0200, Pavel Machek wrote:
> > >
> > > > This solution is all wrong.
> > > >
> > > > If you want security of the suspend image while "suspended", encrypt
> > > > with dm-crypt. If you want security of the swap image after resume,
> > > > zero out the portion of swap used. If you want both, do both.
> >
> > Pavel, you're not answering our questions.
> >
> > How is the proposed patch any more secure compared to swsusp over dmcrypt?
>
> It is for different purpose. It is to prevent swsusp from leaving a readable
> memory snapshot on the disk _after_ resume, even if the resume has _failed_
> (ie if you encrypt the image during suspend and then destroy the key after
> reading the image during resume, you don't need to zero out the swap partition,
> which you can't do anyway if the resume has failed). IOW, please treat it as
> a more sophisticated method of zeroing out the swap partition. :-)
What is this resume failed case?
If it means the machine has crashed during resume, then so what? The
key is not on disk in the clear -ever- in the dm-crypt case. If the
attacker gets to poke around in the memory contents of the crashed
machine for the key (or the partially loaded suspend image).
If it means we fell back to a normal boot, normal boot can simply dd
over the swap at boot, generate a new ephemeral swap key, or whatever.
> Arguably, using dm-crypt is more secure, but it is also more
> complicated from the Joe User POV. IMHO we should not force users to
> set up dm-crypt, remember passwords etc., to get some basic
> security.
Any sensible solution here is going to require remembering passwords.
And arguably anywhere the user needs encrypted suspend, they'll want
encrypted swap as well.
--
Mathematics is the supreme nostalgia of our time.
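Added example, not part of the thread: the "generate a new ephemeral swap key" approach mentioned above, expressed as a dm-crypt configuration on a current Linux distribution. The partition name /dev/sda2 and mapping name cswap are assumptions.

```conf
# /etc/crypttab  (hypothetical device /dev/sda2; point it at the real swap partition)
# Map the partition as plain dm-crypt with a fresh random key read from
# /dev/urandom at every boot, then run mkswap on the mapping ("swap" option).
# The key exists only in RAM, so whatever was paged out is unreadable after
# power-off without anyone having to wipe the partition.
cswap  /dev/sda2  /dev/urandom  swap,cipher=aes-xts-plain64,size=256

# /etc/fstab: swap on the mapped device, never on the raw partition
/dev/mapper/cswap  none  swap  sw  0  0
```

With a per-boot random key the swap can never hold a resumable hibernation image, which is the trade-off this thread is arguing about; after a reboot, `swapon --show` should list /dev/mapper/cswap rather than the raw partition.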