Re: [TuxOnIce-devel] RFC: Suspend-to-ram cold boot protection byencrypting page cache

From: Pavel Machek
Date: Sun Jul 12 2009 - 07:45:10 EST

Next message: Boaz Harrosh: "Re: [PATCH 2/4] block: use the same failfast bits for bio and request"
Previous message: Pavel Machek: "Re: [RFC/PATCH 2.6.32] Simple Firmware Interface (SFI): initialsupport"
In reply to: Jeremy Maitin-Shepard: "Re: [TuxOnIce-devel] RFC: Suspend-to-ram cold boot protection by encrypting page cache"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri 2009-07-10 00:05:23, Jeremy Maitin-Shepard wrote:
> Pavel Machek <pavel@xxxxxx> writes:
>
> > On Wed 2009-07-08 04:09:41, Jeremy Maitin-Shepard wrote:
> >> Pavel Machek <pavel@xxxxxx> writes:
> >>
> >> > On Wed 2009-07-08 03:47:53, Jeremy Maitin-Shepard wrote:
> >> >> Pavel Machek <pavel@xxxxxx> writes:
> >> >>
> >> >> [snip]
> >> >>
> >> >> > I believe uswsusp could be used rather easily. Just modify s2disk to
> >> >> > encrypt image in ram without writing it out, then decrypt it from ram
> >> >> > and resume... it should be interesting hack.
> >> >>
> >> >> As far as I understand, that would be completely useless since the image
> >> >> that would be encrypted would just be a copy of what would still remain
> >> >> in memory.
> >>
> >> > Yes... so next step would be kernel call that would erase all the
> >> > pagecache and anonymous pages. You would still leave some data in
> >> > kernel structures, but that would be quite hard to fix.
> >>
> >> Okay. (This does still require the same assumption as TuxOnIce
> >> regarding the page cache, though.)
>
> > (Not sure; clearing the page cache could be done atomically, from
> > interrupts disabled. But I'm no mm expert.)
>
> But surely it wouldn't work to leave interrupts disabled after that
> until the page cache is restored. After the page cache (and other
> sensitive memory) is encrypted, after possibly entering and resuming
> from S3, the page cache needs to be decrypted. Userspace will be
> doing

I see no need for that. You'd do something like 'kill -9 -1; echo 3 >
drop_caches' after snapshot, then scrub free ram. At that point you
should have no sensitive data in the memory, and encrypted image you
can restore.

(Now, kill -9 -1 with frozen tasks may be tricky to implement....)
Pavel

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Boaz Harrosh: "Re: [PATCH 2/4] block: use the same failfast bits for bio and request"
Previous message: Pavel Machek: "Re: [RFC/PATCH 2.6.32] Simple Firmware Interface (SFI): initialsupport"
In reply to: Jeremy Maitin-Shepard: "Re: [TuxOnIce-devel] RFC: Suspend-to-ram cold boot protection by encrypting page cache"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]