Open Source and information security mailing list archives
Message-ID: <20210727121009.GC32265@duo.ucw.cz>
Date:   Tue, 27 Jul 2021 14:10:09 +0200
From:   Pavel Machek <pavel@....cz>
To:     Evan Green <evgreen@...omium.org>
Cc:     Michal Hocko <mhocko@...e.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        David Hildenbrand <david@...hat.com>,
        Alex Shi <alexs@...nel.org>,
        Alistair Popple <apopple@...dia.com>,
        Jens Axboe <axboe@...nel.dk>,
        Johannes Weiner <hannes@...xchg.org>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        "Matthew Wilcox (Oracle)" <willy@...radead.org>,
        Miaohe Lin <linmiaohe@...wei.com>,
        Minchan Kim <minchan@...nel.org>,
        Vlastimil Babka <vbabka@...e.cz>,
        LKML <linux-kernel@...r.kernel.org>, linux-mm@...ck.org,
        linux-api@...r.kernel.org
Subject: Re: [PATCH v2] mm: Enable suspend-only swap spaces

Hi!

> > > If I have
> > > different security designs for swap space and hibernate, then even a
> > > chance of some swap leaking into this region is a problem.
> >
> > Could you expand some more about this part please?
> 
> Offline attacks (ie manipulating storage from underneath the machine)
> are a major concern when enabling both swap and hibernate. But the
> approach of adding integrity to mitigate offline attacks may differ
> between swap and hibernate in the interest of performance. Swap for
> instance essentially needs a per-page dictionary of hashes for
> integrity, since pages can be added and removed arbitrarily. Hibernate
> however just needs a single hash across the entire image to provide
> integrity. If you have swap leaking onto a region where you don't have
> integrity enabled (because say you handled integrity at the image
> level for hibernate, and at the block layer for swap), your swap
> integrity story is compromised.

If you want to encrypt/sign the hibernation, you likely should use
uswsusp, and that means you can store hibernation image where (and
how) you want it, without modifying kernel.

See kernel/power/user.c .

> I don't think this digs the design hole deeper. Yes, the ship on this
> design has long ago sailed. But if we ever did try to dig ourselves
> out of the swap/hibernate hole by providing new APIs to handle them
> separately, this flag would serve as a good cutover to divert out of
> the swap code and into the new shiny hibernate-only code. The APIs are
> never going to be totally disentangled, so a clean cutover opportunity
> is the best one can hope for.

Is uswsusp the place that should provide clean cutover?

Anyway, I acked the patch before, but it looks like it was a
mistake. I withdraw the ack.

Best regards,
								Pavel

-- 
http://www.livejournal.com/~pavelmachek
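The integrity trade-off Evan describes above, as an added Python model that is not part of this thread or of the kernel: swap keeps one HMAC per slot, hibernate seals one HMAC over the whole image, and a swap page that lands on a hibernate-only region while the system is running carries no tag at all. The key and the page contents are constructed for the model.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key"   # assumption: integrity key kept in RAM, never on disk

def tag(data: bytes) -> bytes:
    """HMAC-SHA256 over one page (swap) or over a whole image (hibernate)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()

class SwapSpace:
    """Pages come and go independently, so every slot carries its own tag."""
    def __init__(self):
        self.blocks, self.tags = {}, {}          # slot -> page, slot -> per-page tag
    def swap_out(self, slot: int, data: bytes) -> None:
        self.blocks[slot], self.tags[slot] = data, tag(data)
    def swap_in(self, slot: int):
        """Return the page, or None when no tag exists or the tag fails."""
        t = self.tags.get(slot)
        if t is None or not hmac.compare_digest(t, tag(self.blocks[slot])):
            return None
        return self.blocks[slot]

class HibernateOnlySpace:
    """Written once at suspend, read once at resume: one image tag suffices."""
    def __init__(self):
        self.blocks, self.image_tag = {}, None
    def write(self, slot: int, data: bytes) -> None:
        self.blocks[slot] = data                 # no per-slot tag, by design
    def image(self) -> bytes:
        return b"".join(self.blocks[s] for s in sorted(self.blocks))
    def seal(self) -> None:
        self.image_tag = tag(self.image())       # the single hash over the image
    def resume_ok(self) -> bool:
        return self.image_tag is not None and hmac.compare_digest(self.image_tag, tag(self.image()))
    def read_while_running(self, slot: int):
        # A swap-in before any seal: neither an image tag nor a slot tag exists to check.
        return self.blocks.get(slot)

def run_model() -> dict:
    """Three offline-tamper scenarios; True means the modification was caught."""
    s = SwapSpace(); s.swap_out(1, b"secret page")
    s.blocks[1] = b"altered page"                # offline modification of the block
    h = HibernateOnlySpace(); h.write(1, b"secret page"); h.seal()
    h.blocks[1] = b"altered page"
    leak = HibernateOnlySpace(); leak.write(2, b"secret page")  # swap-out leaked here, untagged
    leak.blocks[2] = b"altered page"
    return {"swap": s.swap_in(1) is None,
            "hibernate": not h.resume_ok(),
            "leaked_swap_page": leak.read_while_running(2) is None}
```

The model says nothing about where a real implementation keeps the key or the per-page tag table; it only shows which reads have something to verify against.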
