Date: Fri, 10 Aug 2018 17:51:15 +0200
From: cpghost <cpghost@cordula.ws>
To: freebsd-questions@freebsd.org
Subject: Re: Erase memory on shutdown
Message-ID: <28e094e6-d425-7367-4519-0ae72da54901@cordula.ws>
In-Reply-To: <915020aa-65ba-7b8c-8676-40e41dc77c0a@kicp.uchicago.edu>
References: <20180805150241.1E186200349F8E@ary.qy> <4e70e969-14f7-c65d-96d2-dd1610499cd0@irk.ru> <63033.108.68.162.197.1533484522.squirrel@cosmo.uchicago.edu> <faff1533-41c9-63a1-1c66-45c194cae140@cordula.ws> <915020aa-65ba-7b8c-8676-40e41dc77c0a@kicp.uchicago.edu>
On 08/10/18 17:24, Valeri Galtsev wrote:
>
>
> On 08/10/18 09:08, cpghost wrote:
>> On 08/05/18 17:55, Valeri Galtsev wrote:
>>> Another route could be encryption of RAM on-the-fly while the system runs, yet
>>> it is questionable where the encryption key itself is kept to be
>>> inaccessible to the attacker in the attack above, and boot of such a system
>>> may require a warm body present.
>>
>> What about SEV?
>>
>> https://developer.amd.com/amd-secure-memory-encryption-sme-amd-secure-encrypted-virtualization-sev/
>> https://github.com/AMDESE/AMDSEV
>
> I personally am an opponent of the other processor in my machine that has almighty access to my machine, can access external hosts via the same physical network connection, though not controllable by me, the sysadmin of the machine (or machine owner). It sounds to me that it is in the same general direction as Intel ME.

You're right. Basically, it's all about Trusting Trust[1], all over again, but now on hardware/firmware. And what's worse: who can audit the crypto, when done on a closed proprietary hardware design?

But still, if we talk about encrypting memory, hardware-assists like these, where the (ephemeral) keys are kept in some hidden CPU registers that clear much faster than (cold) DRAM/SRAM, seem like a practical way to make cold boot attacks harder.

[1] https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

> Out of two bads I choose the lesser bad. Namely: the possibility of attack by the bad guy who has physical access to my machine is a lesser bad than the possibility of attack through a super-system which I have no way to modify, control, or turn off, that runs on another CPU, has control over my hardware that runs my system, and my system is a slave to that super-system.
>
> Do you think it is your machine? No, it is their machine (whoever they are).
>
> There is one (small?) company that tries to get rid of all proprietary code and other means of control, thus giving the owner full possession of his hardware ("impregnable" for third parties, be it even the main CPU manufacturer):
>
> https://puri.sm/
> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
>
> They also implement open source coreboot instead of proprietary EFI or BIOS. And they do not have in their hardware anything that requires binary-only "firmware" or "microcode". So, they use the famous Atheros WiFi, but they never use the great-working but proprietary-firmware-running Intel WiFi.

Good to know. Thanks for the pointer!

> I'd like to hear if anyone knows about similar efforts by other computer manufacturers.
>
> Sorry, this went a bit off the original point (but not quite off of it).
>
> Valeri

-cpghost.