[pkg-cryptsetup-devel] Bug#898495: Bug#898495: cryptsetup: [patch] make failsleep configurable

Guilhem Moulin guilhem at debian.org
Mon May 21 19:30:11 BST 2018


Hi Chris,

On Sat, 12 May 2018 at 19:10:43 +0100, Chris Lamb wrote:
> It would be nice if the sleep-on-failure time was configurable, just
> like tries=N, etc.
> 
> Patch attached.

Thanks for the patch!  (We discussed this bug IRL but let me
follow up here for the sake of transparency.)  The sleep-on-failure
behavior was added in 2:1.7.3-2 as mitigation for local brute-force
attacks (CVE-2016-4484).  See mejo's blogpost about it:

    https://blog.freesources.org/posts/2016/12/CVE-2016-4484/

Given that a major refactoring of the initramfs integration is ongoing,
I didn't merge your patch.  In fact we all seem to agree that the attack
vector described in the CVE isn't really related to cryptsetup nor its
initramfs integration (if one protects the BIOS and passes the
‘panic=<sec>’ parameter to the kernel command line, the boot script no
longer yields a debug shell after a couple of failed attempts at
unlocking the root device), and that our mitigation gives a marginal
security gain.  So we're likely to remove said mitigation as part of our
refactoring.  You intended to use the ‘failsleep=<sec>’ boot parameter
to disable it, right?

Of course, since it was our response to the CVE we shouldn't remove it
silently.  I guess a follow-up to mejo's blog post and/or an entry in
the NEWS file are appropriate.  Either way, we'll keep that bug open
until we either merge your patch, or decide to remove the mitigation.

Cheers,
-- 
Guilhem.
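To make the behaviour under discussion concrete, here is an added example (written for this page, not the Debian cryptsetup initramfs script and not Chris's patch) of a retry loop that reads hypothetical `tries=N` and `failsleep=SECONDS` boot parameters from a kernel command line and sleeps after each failed unlock attempt, which is the shape of the mitigation added in 2:1.7.3-2. The defaults (3 tries, 60 seconds) and the helper names are assumptions; `failsleep=0` disables the delay. Unlike the real boot script it simply returns non-zero when attempts are exhausted, leaving what happens next (a debug shell, or a kernel panic when `panic=<sec>` is set) to the caller.

```shell
#!/bin/sh
# Added example, not the cryptsetup project's code: honour hypothetical
# "tries=N" and "failsleep=SECONDS" boot parameters in an unlock retry loop.

# Print the value of KEY from a kernel command line string, or DEFAULT.
#   $1 = parameter name, $2 = default value, $3 = command line text
cmdline_param() {
    for word in $3; do
        case "$word" in
            "$1="*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    printf '%s\n' "$2"
}

# Accept only a non-negative integer; otherwise print DEFAULT ($2).
nonneg_or_default() {
    case "$1" in
        ''|*[!0-9]*) printf '%s\n' "$2" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# Run the unlock command named in $3 up to $1 times, passing the attempt
# number as its argument.  After each failure (except the last) sleep $2
# seconds; 0 disables the delay.  Returns 0 on success, 1 when exhausted.
unlock_with_retries() {
    tries=$1; failsleep=$2; unlock_cmd=$3
    attempt=0
    while [ "$attempt" -lt "$tries" ]; do
        attempt=$((attempt + 1))
        if "$unlock_cmd" "$attempt"; then
            return 0
        fi
        echo "cryptsetup: unlock attempt $attempt of $tries failed" >&2
        if [ "$attempt" -lt "$tries" ] && [ "$failsleep" -gt 0 ]; then
            sleep "$failsleep"
        fi
    done
    return 1
}

# Glue: derive both parameters from a command line string ($1) and run the
# loop with unlock command $2.  Defaults tries=3, failsleep=60 are assumed.
run_from_cmdline() {
    tries=$(nonneg_or_default "$(cmdline_param tries 3 "$1")" 3)
    failsleep=$(nonneg_or_default "$(cmdline_param failsleep 60 "$1")" 60)
    unlock_with_retries "$tries" "$failsleep" "$2"
}

# Constructed stand-ins for the real unlock step, for offline testing:
# always_fail never unlocks; succeed_on_2 unlocks on the second attempt.
always_fail() { return 1; }
succeed_on_2() { [ "$1" -eq 2 ]; }

# Example run (no real device involved): two attempts, no delay.
# run_from_cmdline "root=/dev/sda2 tries=2 failsleep=0" succeed_on_2
```

In a real boot script the unlock command would be the `cryptsetup` invocation for the root device and the command line would come from `/proc/cmdline`; the point of the example is only that a single numeric parameter, validated before use, is all that is needed to make the delay tunable or to switch it off.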