On Thu, May 29, 2008 at 09:41:16PM -0400, Rik van Riel wrote:

Hi,

> Of course, if there are crypto software solutions that somehow
> manage to defeat the cold boot attack, that would be even better.
>
> A future hardware solution to help defeat it could help too, for
> example the ability to put a crypto key into a special CPU register
> and use that to encrypt and decrypt the memory holding crypto keys,
> with a page table bit to indicate that the page is encrypted.

That has been already discussed and something similar is perfectly feasible with much of today's stock hardware. On multicore systems all you need is a nonpreemptible kernel thread holding part of the key in its CPU registers. That way you do not have the keys in main memory or they can be in main memory but encrypted. The thread would also do the disk encryption so if designed carefully there would never be sufficient information in main memory to recover any data.

> In the mean time - how useful (or useless) is it to raise the bar
> a little?

Good question. The cost of this software-only solution should be pretty negligible for anyone who cares and it is much harder to recover CPU registers after reset or powerdown.

Richard

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/