lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 01 Jul 2009 22:47:27 -0700 From: Jeremy Maitin-Shepard <jeremy@...emyms.com> To: U Kuehn <ukuehn@....org> Cc: "Rafael J. Wysocki" <rjw@...k.pl>, tuxonice-devel@...ts.tuxonice.net, linux-kernel@...r.kernel.org Subject: Re: [TuxOnIce-devel] RFC: Suspend-to-ram cold boot protection by encrypting page cache U Kuehn <ukuehn@....org> writes: > [snip] > The approach to encrypt the memory contents during suspend-to-ram seems > to be a very fundamental change in the kernel, in order to protect > against a very specific attack. As I have said, I believe that tuxonice already supports almost everything that is needed to implement it, and that the changes would not in fact have to be all that intrusive to the rest of the kernel. It is a very specific attack in some sense, but it is also a very general attack in that it affects practically every computer out there. > And unfortunately it helps only against an cold-boot attack that > happens during suspend-to-ram. It does not protect against the attack > taking place when the machine is just "on". Naturally the protection is only effective when it is actually engaged. However, I think that the cases in which a machine is susceptible to being stolen or tampered often correspond to cases in which it makes sense to have it suspended. For a laptop, for instance, the highest risk is likely when the machine is left unattended or in transit. In either case, it would likely be reasonable to have the machine suspended. Obviously the protection would not help you if you wish to leave the machine unattended while it completes some computational task. Nonetheless, I believe the level of protection offered would still be very useful to many people, myself included. -- Jeremy Maitin-Shepard -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists