jpc22 Apprentice
Joined: 29 Jan 2012 Posts: 195
Posted: Sat Mar 09, 2013 3:48 pm Post subject: hardened kernel patching (TRESOR)
How hard would it be to add a patch designed for a 3.6.2 generic kernel to the 3.8.2 hardened-sources, and could it be done?
Basically this patch keeps cryptographic keys in cpu registers instead of ram to deter cold boot attacks.
http://www1.informatik.uni-erlangen.de/tresor
_______0 Guru
Joined: 15 Oct 2012 Posts: 521
Posted: Sat Mar 09, 2013 5:50 pm Post subject:
/me waits for cpu cold boot attack
then, where yus gonna hide them keys?
jpc22 Apprentice
Joined: 29 Jan 2012 Posts: 195
Posted: Sun Mar 10, 2013 7:49 pm Post subject:
Well with enough liquid nitrogen one could pull off a "Cold" cpu attack on a running computer, but cold boot attacks on cpu won't be possible unless they use resistive memory in the registers like in the reram currently being developed in laboratories.
For now we are mostly safe, since the register memory in cpu is pretty volatile, but that was not the point.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Tue Mar 12, 2013 11:32 am Post subject:
jpc22 ...
Your best bet is to try:
Code:
# patch -p1 --dry-run -d /usr/src/linux-3.8.2-hardened </path/to/tresor.patch
Note: remove '--dry-run' for the patch to be applied.
If the patch looks like it would apply cleanly then you could add it to /etc/portage/patches/sys-kernel/hardened-sources/tresor.patch and create a 'patch_list' in that directory with 'tresor.patch' listed, and the patch will be applied on future updates.
best ... khay
unitstep n00b
Joined: 17 Oct 2012 Posts: 9
Posted: Tue Mar 12, 2013 7:06 pm Post subject:
If the patch does not apply and you know how to use git you could try to merge the two patched sources.
You might need a bit of understanding of the code though, to get it together.
Now, I'm not familiar with hardened sources but I suppose that 3.8.2-hardened is a patch-set that goes on top of 3.8.2?
If so, then you could do something like
1) Clone the kernel repo
2) Check out the 3.6.2 kernel tag
3) Make a branch and apply the crypto patch and commit it
4) Check out 3.8.2 and branch off.
5) Apply the hardened patches and commit
6) Merge the 3.6.2-patched branch into your current branch
7) Resolve merge conflicts
8) Create a new patch for the crypto stuff from your merge
Last edited by unitstep on Tue Mar 12, 2013 8:08 pm; edited 1 time in total
jpc22 Apprentice
Joined: 29 Jan 2012 Posts: 195
Posted: Tue Mar 12, 2013 7:53 pm Post subject:
Thanks for your input guys, I will try those suggestions soon, got a lot of work to do on my computers with clustering and multiscreen.