On 2/3/20 7:12 PM, Chris Laprise wrote:
BTW, have you thought about a threat model where the whole disk uses a single encryption key and partitions exist on top of that... and the possibility that a compromised sys-usb copies some of the blocks from other partitions into the partition of a compromised/coordinating AppVM? What are the chances the compromised AppVM would be able to decrypt the misappropriated blocks? I think many would be inclined to say the disk cipher salt would protect the copied blocks from improper decryption, but how certain is this?
That should be all covered:
Assuming the following single encryption layer structure
sys-usb (compromised)
<-->
appVM (compromised)
your're obviously fully compromised as both the appVM and sys-usb may
simply stop encryption and write plain text data to their attached
volumes. So your additional sys-usb encryption key is totally irrelevant
in that scenario (and thus not in the diagram above; it hides the number
of volumes you use from attackers looking at your external disk though).
The 2 layer encryption
sys-usb (compromised)
<-->
middleVM (not compromised)
<-->
appVM (compromised)
helps against that: appVM may stop encryption to middleVM, but middleVM
will do its job properly to sys-usb (middleVM should be a VM dedicated
to only doing encryption/decryption).
Another 1 layer scenario that you might have thought about:
sys-usb (compromised)
<-->
appVM (compromised)
appVM2 (not compromised)
appVM2 data will remain confidential as it is still doing its own
encryption. Integrity attacks may be attempted by sys-usb (i.e. sys-usb
may change encrypted appVM2 data without looking at the plaintext), but
will be detected by appVM2 (decryption will fail / data be lost) for any
reasonable symmetric cipher mode (mostly non-ECB).
sys-usb may also copy encrypted data from appVM2 to appVM, but neither
sys-usb nor appVM can break the encryption without the key.
Of course all of this assumes perfect VM segregation, no relevant bugs inside cryptsetup, the Qubes block attachment code & some parts of my code. So a rather large TCB unfortunately.
-- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2596d1d0-b21c-3d63-4376-a42676cfe428%40hackingthe.net.
smime.p7s
Description: S/MIME Cryptographic Signature
