Re: [PATCH v18 22/25] cryptodisk: wipe out the cached keys from protecto
From: Daniel Kiper
Subject: Re: [PATCH v18 22/25] cryptodisk: wipe out the cached keys from protectors
Date: Fri, 30 Aug 2024 18:23:35 +0200
User-agent: NeoMutt/20170113 (1.7.2)
On Fri, Jun 28, 2024 at 04:19:05PM +0800, Gary Lin via Grub-devel wrote:
> An attacker may insert a malicious disk with the same crypto UUID and
> trick grub2 into mounting the fake root. Even though the key from the key
> protector fails to unlock the fake root, it's not wiped out cleanly so
> the attacker could dump the memory to retrieve the secret key. To defend
> against such an attack, wipe out the cached key when we don't need it.
>
> Cc: Fabian Vogt <fvogt@suse.com>
> Signed-off-by: Gary Lin <glin@suse.com>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel
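
The defence described in the quoted commit message, as an added example that is not part of the patch or of GRUB's code: a key cached for one crypto UUID is offered to a disk claiming that UUID and the cache slot is zeroed whether or not the unlock succeeds. All names (`cached_key`, `unlock_cached`, `fake_disk`, `real_disk`), the UUID string and the key bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX 64

/* Hypothetical cache slot: a key released by a key protector for one crypto UUID. */
struct cached_key {
    char uuid[40];
    uint8_t key[KEY_MAX];
    size_t len;
    int valid;
};

typedef int (*unlock_fn)(const uint8_t *key, size_t len);   /* returns 0 when unlocked */

/* Zero through a volatile pointer so the stores are not optimised away as dead. */
static void wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

static int all_zero(const uint8_t *p, size_t n) {
    while (n--) if (*p++) return 0;
    return 1;
}

/* Constructed disks: the look-alike rejects every key, the genuine one accepts 32 x 0xA5. */
static int fake_disk(const uint8_t *k, size_t n) { (void)k; (void)n; return -1; }
static int real_disk(const uint8_t *k, size_t n) {
    if (n != 32) return -1;
    for (size_t i = 0; i < n; i++) if (k[i] != 0xA5) return -1;
    return 0;
}

/* Offer the cached key to a disk claiming `uuid`; wipe the slot on success and on failure. */
static int unlock_cached(struct cached_key *ck, const char *uuid, unlock_fn unlock) {
    if (!ck->valid || strcmp(ck->uuid, uuid) != 0)
        return -1;                       /* key was never offered, slot left untouched */
    int rc = unlock(ck->key, ck->len) == 0 ? 0 : -1;
    wipe(ck, sizeof *ck);                /* key, length, UUID and valid flag all cleared */
    return rc;
}

int main(void) {
    struct cached_key ck = { .uuid = "constructed-uuid", .len = 32, .valid = 1 };
    memset(ck.key, 0xA5, ck.len);
    int rc = unlock_cached(&ck, "constructed-uuid", fake_disk);
    printf("unlock rc=%d, key wiped=%d\n", rc, all_zero(ck.key, KEY_MAX));
    return 0;
}
```

The failure path is the one the commit message is about: the look-alike disk rejects the key, and the slot is still all zeroes afterwards.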