eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-11 10:50:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Do not wipe keys for wrapped key enabled ciphers.

Browse Source 
We can't wipe (overwrite with random noise) wrapped key in
kernel. Such keys are usually structured and not only random
bytes.

Also it doesn't make sense to wipe these keys. They are supposed
to be protected (encrypted) by keys sealed in hardware.

TODO: tests: 1) with header, 2) without header (dm-crypt only),
      3) arch with working paes cipher (at least).
This commit is contained in:
Ondrej Kozina
2018-04-12 11:37:24 +02:00
committed by Milan Broz
parent 34b8a48252
commit 0b849985b2
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
lib/setup.c
View File

@@ -2345,7 +2345,12 @@ int crypt_suspend(struct crypt_device *cd,
key_desc = crypt_get_device_key_description(name);
r = dm_suspend_and_wipe_key(cd, name);
/* we can't simply wipe wrapped keys */
if (crypt_cipher_wrapped_key(crypt_get_cipher(cd)))
r = dm_suspend_device(cd, name);
else
r = dm_suspend_and_wipe_key(cd, name);
if (r == -ENOTSUP)
log_err(cd, _("Suspend is not supported for device %s.\n"), name);
else if (r)