TRESOR disk encryption compatibility

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

TRESOR disk encryption compatibility

Postby franz » Sun Jun 24, 2012 6:32 am

Hi,

could it be possible to run TRESOR disk encryption (http://www1.informatik.uni-erlangen.de/tresor) on a grsecurity-patched kernel?
It does compile well, but TRESOR uses the CPU's debug registers for holding encryption keys at runtime.
TRESOR sets flags that prevent other functions from using the debug registers, and I think that is the reason why it doesn't work with grsecurity.
The grsec kernel works as expected, but the encryption does not work.

The latest TRESOR patch is for Linux kernel 3.0.9, but newer kernels support it as well; I tested it on 3.2.8 and it may also work on the latest 3.4.x.
Will it ever work, do you think?

Regards,
franz
franz
 
Posts: 21
Joined: Mon Aug 09, 2010 3:32 am

Re: TRESOR disk encryption compatibility

Postby spender » Mon Jun 25, 2012 7:33 am

Hi franz,

There's nothing in grsecurity that modifies or prevents the modification of debug registers. If there is an incompatibility (and not just a bad merge) it'd have to be due to something else.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: TRESOR disk encryption compatibility

Postby franz » Mon Jun 25, 2012 3:51 pm

Hi,

Maybe it's just the password prompt that isn't working as expected.
Maybe the termios stuff should be implemented in another way.

Code prompting for the password before booting up TRESOR, which is not shown when using grsecurity (as said already, TRESOR itself is probably the cause).
Snippet taken from:
http://www1.informatik.uni-erlangen.de/filepool/projects/tresor/tresor-patch-3.0.9_aesni
Code:
* Password prompt
+ *
+ * Returns an error code smaller zero if the terminal
+ * cannot be opened and zero otherwise.
+ */
+int tresor_readkey(const char* terminal, int resume)
+{
+   unsigned char password[54], key[32], key_hash_[32], answer[4], c;
+   struct termios termios;
+   mm_segment_t ofs;
+   int i;
+
+   /* prepare to call systemcalls from kernelspace */
+   ofs = get_fs();
+   set_fs(get_ds());
+   /* try to open terminal */
+   if ((term_fd = sys_open(terminal, O_RDWR, 0)) < 0) {
+      set_fs(ofs);
+      return term_fd;
+   }
+   /* read single characters; no echo */
+   sys_ioctl(term_fd, TCGETS, (long)&termios);
+   termios.c_lflag &= ~(ICANON | ECHO);
+   sys_ioctl(term_fd, TCSETSF, (long)&termios);
+   /* initialize console */
+   cursor_enable();
+   cls();
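Review bot: the two sys_ioctl() calls (TCGETS, then TCSETSF) ignore their return values; if TCGETS fails, `termios` is used uninitialized and written straight back to the terminal with TCSETSF. Check both the way sys_open() is checked above them, and on that failure path close term_fd and restore set_fs(ofs) before returning, as the sys_open() error path already does. Since `password`, `key` and `key_hash_` are stack buffers that will hold secret material, every return from tresor_readkey() should clear them (e.g. memset) so the key does not linger on the kernel stack. Separately, the first comment line ` * Password prompt` is missing its `+` prefix, which is exactly the kind of damage that makes a hunk fuzz or fail to apply.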


Anyone?

/franz
franz
 
Posts: 21
Joined: Mon Aug 09, 2010 3:32 am

Re: TRESOR disk encryption compatibility

Postby spender » Mon Jun 25, 2012 5:53 pm

Hi franz,

It works fine -- you didn't apply the patch properly (I'm guessing the fuzzed hunk in init/main.c).

Here's a patch that will apply cleanly, which I've tested here to be working:
http://grsecurity.net/~spender/tresor.diff

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: TRESOR disk encryption compatibility

Postby franz » Wed Jun 27, 2012 2:39 am

Excellent!

Will have a look again.

Thank you,
franz
franz
 
Posts: 21
Joined: Mon Aug 09, 2010 3:32 am

