
TRESOR disk encryption compatibility

Posted: Sun Jun 24, 2012 6:32 am
by franz
Hi,

Would it be possible to run TRESOR disk encryption (http://www1.informatik.uni-erlangen.de/tresor) on a grsecurity-patched kernel?
It does compile fine, but TRESOR uses the CPU's debug registers for holding encryption keys at runtime.
TRESOR sets flags that prevent other functions from using the debug registers, and I think that is the reason why it doesn't work with grsecurity.
The grsec kernel works as expected, but the encryption does not work.

The latest TRESOR patch is for Linux kernel 3.0.9, but newer kernels support it as well; I tested it on 3.2.8, and it may also work on the latest 3.4.x.
Will it ever work, do you think?

Regards,
franz

Re: TRESOR disk encryption compatibility

Posted: Mon Jun 25, 2012 7:33 am
by spender
Hi franz,

There's nothing in grsecurity that modifies or prevents the modification of debug registers. If there is an incompatibility (and not just a bad merge) it'd have to be due to something else.

-Brad

Re: TRESOR disk encryption compatibility

Posted: Mon Jun 25, 2012 3:51 pm
by franz
Hi,

Maybe it's just the password prompt that isn't working as expected.
Maybe the termios stuff should be implemented in another way.

This is the code that prompts for the password before TRESOR boots up; the prompt is not shown when using grsecurity (as said already, TRESOR itself is probably the cause).
Snippet taken from:
http://www1.informatik.uni-erlangen.de/filepool/projects/tresor/tresor-patch-3.0.9_aesni
* Password prompt
+ *
+ * Returns an error code smaller zero if the terminal
+ * cannot be opened and zero otherwise.
+ */
+int tresor_readkey(const char* terminal, int resume)
+{
+   unsigned char password[54], key[32], key_hash_[32], answer[4], c;
+   struct termios termios;
+   mm_segment_t ofs;
+   int i;
+
+   /* prepare to call systemcalls from kernelspace */
+   ofs = get_fs();
+   set_fs(get_ds());
+   /* try to open terminal */
+   if ((term_fd = sys_open(terminal, O_RDWR, 0)) < 0) {
+      set_fs(ofs);
+      return term_fd;
+   }
+   /* read single characters; no echo */
+   sys_ioctl(term_fd, TCGETS, (long)&termios);
+   termios.c_lflag &= ~(ICANON | ECHO);
+   sys_ioctl(term_fd, TCSETSF, (long)&termios);
+   /* initialize console */
+   cursor_enable();
+   cls();
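Review bot: Both sys_ioctl calls drop their return value, so if `sys_ioctl(term_fd, TCGETS, (long)&termios)` fails, `termios` is uninitialised stack data that the following `TCSETSF` then writes back to the terminal; check both results and take the `set_fs(ofs)` error path on failure. Before `termios.c_lflag &= ~(ICANON | ECHO);`, keep an untouched copy of the original struct so the terminal can be restored on every exit path, not only after a successful read. `term_fd` is assigned here but is not among the function's locals, so it is presumably file-scope state and deserves a comment, and the stack buffers `password`, `key` and `key_hash_` hold secret material that should be cleared before the function returns.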


Anyone?

/franz
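The kernel-side prompt quoted above switches the terminal out of canonical mode and disables echo with `TCGETS`/`TCSETSF`. For readers who want to see the same pattern done carefully, here is an added user-space example; it is not TRESOR's code and not from the grsecurity project. It uses the libc `tcgetattr`/`tcsetattr` wrappers, keeps a copy of the original settings so the terminal is restored on every exit path, checks each call, falls back to a plain read when the descriptor is not a terminal (so it can be exercised offline through a pipe), and wipes the buffer on error. The function names `read_password` and `wipe_secret` are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Overwrite a secret buffer; the volatile pointer stops the compiler
 * from removing the stores because the buffer is no longer read. */
void wipe_secret(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Read one line of secret input from fd into buf (NUL-terminated).
 * On a terminal, canonical mode and echo are switched off for the
 * duration of the read and the original settings are restored on
 * every exit path.  On a non-terminal fd (e.g. a pipe) the line is
 * read as-is.  Returns the number of bytes stored (newline excluded)
 * or -1 with errno set.  Input longer than cap - 1 bytes is truncated;
 * the rest of the line is consumed so it cannot leak into later reads. */
ssize_t read_password(int fd, char *buf, size_t cap)
{
    struct termios orig, raw;
    int is_tty = isatty(fd);
    size_t len = 0;
    ssize_t rc = 0;
    unsigned char c;

    if (cap == 0) {
        errno = EINVAL;
        return -1;
    }

    if (is_tty) {
        /* Save the original settings before touching them. */
        if (tcgetattr(fd, &orig) < 0)
            return -1;
        raw = orig;
        raw.c_lflag &= ~(ICANON | ECHO);   /* byte at a time, no echo */
        if (tcsetattr(fd, TCSAFLUSH, &raw) < 0)
            return -1;
    }

    for (;;) {
        rc = read(fd, &c, 1);
        if (rc < 0 && errno == EINTR)
            continue;
        if (rc <= 0 || c == '\n')          /* error, EOF or end of line */
            break;
        if (len < cap - 1)
            buf[len++] = (char)c;
    }
    buf[len] = '\0';

    if (is_tty) {
        int saved = errno;
        /* Restore the terminal even when the read itself failed. */
        if (tcsetattr(fd, TCSAFLUSH, &orig) < 0) {
            if (rc >= 0)
                rc = -1;
        } else {
            errno = saved;
        }
        /* The user's Enter was not echoed; move to a fresh line. */
        if (write(fd, "\n", 1) < 0) {
            /* cosmetic only, ignore */
        }
    }

    if (rc < 0) {
        wipe_secret(buf, cap);
        return -1;
    }
    return (ssize_t)len;
}

int main(void)
{
    char pw[64];
    ssize_t n;

    fputs("Passphrase: ", stdout);
    fflush(stdout);
    n = read_password(STDIN_FILENO, pw, sizeof pw);
    if (n < 0) {
        perror("read_password");
        return 1;
    }
    printf("read %zd byte(s); the passphrase itself is never printed\n", n);
    wipe_secret(pw, sizeof pw);
    return 0;
}
```

Run it interactively and the typed passphrase is not echoed; pipe a line into it and it behaves like a normal line read, which is also what the checks below rely on. The design point relative to the quoted kernel snippet is that `orig` is never modified, so restoration cannot depend on the read having succeeded.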

Re: TRESOR disk encryption compatibility

Posted: Mon Jun 25, 2012 5:53 pm
by spender
Hi franz,

It works fine -- you didn't apply the patch properly (I'm guessing the fuzzed hunk in init/main.c).

Here's a patch that will apply cleanly, which I've tested here to be working:
http://grsecurity.net/~spender/tresor.diff

-Brad

Re: TRESOR disk encryption compatibility

Posted: Wed Jun 27, 2012 2:39 am
by franz
Excellent!

Will have a look again.

Thank you,
franz