Hi,
On Monday, 11 of April 2005 19:02, Andreas Steinmetz wrote:
> Rafael J. Wysocki wrote:
> > Hi,
> >
> > On Monday, 11 of April 2005 12:37, Oliver Neukum wrote:
> >
> >>Am Sonntag, 10. April 2005 22:14 schrieb Pavel Machek:
> >>
> >>>Hi!
> >>>
> >>>
> >>>>>Oliver Neukum wrote:
> >>>>>
> >>>>>>What is the point in doing so after they've rested on the disk for ages?
> >>>>>
> >>>>>The point is not physical access to the disk but data gathering after
> >>>>>resume or reboot.
> >>>>
> >>>>After resume or reboot normal access control mechanisms will work
> >>>>again. Those who can read a swap partition under normal circumstances
> >>>>can also read /dev/kmem. It seems to me like you are putting an extra
> >>>>lock on a window on the third floor while leaving the front door open.
> >>>
> >>>Andreas is right, his patches are needed.
> >>>
> >>>Currently, if your laptop is stolen after resume, they can still data
> >>>in swsusp image.
> >>>
> >>>Zeroing the swsusp pages helps a lot here, because at least they are
> >>>not getting swsusp image data without heavy tools. [Or think root
> >>>compromise month after you used swsusp.]
> >>>
> >>>Encrypting swsusp image is of course even better, because you don't
> >>>have to write large ammounts of zeros to your disks during resume ;-).
> >>
> >>Not only is it better, it completely supercedes wiping the image.
> >>Your laptop being stolen after resume is very much a corner case.
> >>You suspend your laptop while you are not around, don't you?
> >
> >
> > Not necessarily. Some people use suspend instead of shutdown. :-)
>
> Now here's what I'm currently doing:
>
> I do usually suspend instead of shutdown. The suspend partition is the
> only unencrypted swap partition and it is disabled during regular
> operation so it is not used for regular swapping. Except for a small
> boot partition without any valuable data all other partitions are encrypted.
>
> The key for dm-crypt setup is stored on an ide flash disk which isn't
> inserted during travelling and which is transported separately.
>
> Now let's imagine the laptop gets stolen by an average thief which is
> the most common case.Thief needs to know if the laptop is working
> because thief wants to sell it so thief powers on the laptop.
>
> swsusp resumes and with the encryption patch renders the suspend image
> worthless. The suspend/resume script immediately checks for the presence
> of the ide flash disk with the correct key (match is done against the
> in-kernel dm-crypt key). If the ide flash disk is not present or if
> there is a key mismatch the script shuts the system immediately down, so
> the in-kernel key is lost.
>
> The only way for the thief now to access any data on the disk is to come
> back and steal the flash disk, too.
Yes. And if you accidentally lose the flash disk, you are locked out of your
own data. ;-) The same happens if the data on the flash disk is lost (which
occurs, from time to time). You should be _really_ careful doing such things
and IMO it's not to be tried by Joe User.
OTOH, the encryption of the system image during suspend is generally
a very good idea. IMO we should also check the integrity of the image
at that time, which would require computing some checksums on suspend.
Greets,
Rafael
--
- Would you tell me, please, which way I ought to go from here?
- That depends a good deal on where you want to get to.
-- Lewis Carroll "Alice's Adventures in Wonderland"
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
