[dm-crypt] DM-Crypt resistance against Cold Boot Attacks

Yves-Alexis Perez corsac at debian.org
Thu May 19 10:01:50 CEST 2011


On jeu., 2011-05-19 at 09:05 +0200, Milan Broz wrote:
> On 05/18/2011 11:53 PM, Yves-Alexis Perez wrote:
> > If you read the paper, you'll notice there's nothing to change to
> > dm-crypt, as the cypher is registered in the Crypto-API, it can be used
> > directly.
> 
> TBH dmcrypt keeps its own copy of the key (because the key is still part
> of the device-mapper mapping table so it must be available for
> status commands).

In that case it'll be the “dummy” key.
> 
> So there are some changes needed but basically technically unrelated
> to that patch.
> (This will hopefully change with new mapping table format soon.)

Needed for what?
> 
> Anyway, it must be accepted into kernel crypto layer first.

I'm not even sure it'll be submitted though.
> 
> IMHO I think that without strong hw support these implementations
> will have some problems but it is good that someone works on such
> things.
> (E.g. how it works if it is not bare hw but virtualized system?)

For the AES-NI one, if the hypervisor supports it (they tested on KVM)
yes (though the vm registers are stored in the host ram anyway).

If you're interested, I found that the two papers were quite clear and
quick to read, so it might be a good idea to read them.

Regards,
-- 
Yves-Alexis


