sshd just got private key shielding https://github.com/openssh/openssh-portable/commit/4f7a56d5e02e3d04ab69eac1213817a7536d0562

"Add protection for private keys at rest in RAM against speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and Rambleed. This change encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB)."

This is unfortunately not a solution to the problem as advertised. I've looked at it. There's still a Spectre window of opportunity to get the shielded private host keys.

sshkey_shield_private => explicit_bzero() from freezero.c

It's only using the insecure freezero, which is using the insecure explicit_bzero, which does a primitive compiler barrier only, not a full memory barrier (mfence, clflush). So it's unsafe against the advertised Spectre/Meltdown sidechannel attacks; the secrets are still in the caches, and therefore readable on hyper-threaded Intel systems, similar to the problem described at https://github.com/jedisct1/libsodium/issues/802

Reini Urban [email protected]

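A sketch of the shielding scheme the quoted commit message describes, added here as an illustration and not taken from OpenSSH or from the post above. The function names are hypothetical, and SHA-512 for key derivation with a SHAKE-256 keystream standing in for the cipher are assumptions; the point shown is that a leaked prekey copy with even one wrong bit derives an unrelated key.

```python
import hashlib
import secrets

PREKEY_LEN = 16 * 1024  # "currently 16KB" per the quoted commit message


def _keystream(prekey: bytes, n: int) -> bytes:
    # Assumption: SHA-512 derives the symmetric key from the whole prekey and
    # a SHAKE-256 keystream stands in for the real cipher.
    key = hashlib.sha512(prekey).digest()
    return hashlib.shake_256(b"shield-stream" + key).digest(n)


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def shield(private_key: bytes) -> tuple:
    """Return (prekey, shielded_blob); the caller then wipes the plaintext."""
    prekey = secrets.token_bytes(PREKEY_LEN)
    return prekey, _xor(private_key, _keystream(prekey, len(private_key)))


def unshield(prekey: bytes, blob: bytes) -> bytes:
    """Re-derive the key from the full prekey and decrypt for a single use."""
    return _xor(blob, _keystream(prekey, len(blob)))


def flip_bit(data: bytes, bit: int) -> bytes:
    """Model one bit read incorrectly in a copy of the prekey."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


if __name__ == "__main__":
    secret = b"CONSTRUCTED SAMPLE KEY MATERIAL"  # constructed, not a real key
    prekey, blob = shield(secret)
    print("exact prekey recovers key:", unshield(prekey, blob) == secret)
    noisy = flip_bit(prekey, 12345)  # 1 wrong bit out of 131072
    print("1-bit-off prekey recovers key:", unshield(noisy, blob) == secret)
```

Python cannot reliably wipe the plaintext copy from memory, so the sketch covers only the encrypt-at-rest step, not the zeroing step the post discusses.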