On 2/3/20 7:12 PM, Chris Laprise wrote:
BTW, have you thought about a threat model where the whole disk uses a single encryption key and partitions exist on top of that... and the possibility that a compromised sys-usb copies some of the blocks from other partitions into the partition of a compromised/coordinating AppVM? What are the chances the compromised AppVM would be able to decrypt the misappropriated blocks? I think many would be inclined to say the disk cipher salt would protect the copied blocks from improper decryption, but how certain is this?

That should be all covered:

Assuming the following single encryption layer structure
        sys-usb (compromised)
        <-->
        appVM (compromised)
you're obviously fully compromised as both the appVM and sys-usb may simply stop encryption and write plain text data to their attached volumes. So your additional sys-usb encryption key is totally irrelevant in that scenario (and thus not in the diagram above; it hides the number of volumes you use from attackers looking at your external disk though).

The 2 layer encryption
        sys-usb (compromised)
        <-->
        middleVM (not compromised)
        <-->
        appVM (compromised)
helps against that: appVM may stop encryption to middleVM, but middleVM will do its job properly to sys-usb (middleVM should be a VM dedicated to only doing encryption/decryption).

Another 1 layer scenario that you might have thought about:
        sys-usb (compromised)
        <-->
        appVM (compromised)
        appVM2 (not compromised)

appVM2 data will remain confidential as it is still doing its own encryption. Integrity attacks may be attempted by sys-usb (i.e. sys-usb may change encrypted appVM2 data without looking at the plaintext), but will be detected by appVM2 (decryption will fail / data be lost) for any reasonable symmetric cipher mode (mostly non-ECB). sys-usb may also copy encrypted data from appVM2 to appVM, but neither sys-usb nor appVM can break the encryption without the key.

Of course all of this assumes perfect VM segregation, no relevant bugs inside cryptsetup, the Qubes block attachment code & some parts of my code. So a rather large TCB unfortunately.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2596d1d0-b21c-3d63-4376-a42676cfe428%40hackingthe.net.
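
The third scenario in the message above (a compromised sys-usb copying or modifying appVM2's encrypted blocks), as an added example that is not part of the original post or of the author's code. It assumes each VM seals its sectors with its own key in an encrypt-then-MAC construction; the HMAC-based cipher is a toy stand-in for the real disk cipher, and all names, keys and data are constructed.

```python
import hashlib
import hmac

TAG = 32  # HMAC-SHA256 tag length in bytes

def _sector_id(label, sector_no):
    return label + sector_no.to_bytes(8, "big")

def _keystream(key, sector_no, n):
    # Toy stream cipher: HMAC-SHA256 in counter mode, bound to the sector number.
    out, ctr = b"", 0
    while len(out) < n:
        msg = _sector_id(b"enc", sector_no) + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key, sector_no, plaintext):
    # Encrypt-then-MAC (assumption: the VM uses an authenticated mode).
    ct = _xor(plaintext, _keystream(key, sector_no, len(plaintext)))
    tag = hmac.new(key, _sector_id(b"mac", sector_no) + ct, hashlib.sha256).digest()
    return ct + tag

def open_sector(key, sector_no, blob):
    # Returns the plaintext, or None when the tag does not verify.
    ct, tag = blob[:-TAG], blob[-TAG:]
    want = hmac.new(key, _sector_id(b"mac", sector_no) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return _xor(ct, _keystream(key, sector_no, len(ct)))

def run_scenario():
    # Constructed keys and data; each VM holds only its own key.
    k_app = hashlib.sha256(b"constructed appVM key").digest()
    k_app2 = hashlib.sha256(b"constructed appVM2 key").digest()
    secret = b"appVM2 confidential sector data"
    stored = seal(k_app2, 0, secret)   # what sys-usb sees on disk
    copied = stored                    # sys-usb copies it into appVM's volume
    raw = _xor(copied[:-TAG], _keystream(k_app, 0, len(secret)))
    flipped = bytes([stored[0] ^ 1]) + stored[1:]  # sys-usb flips one ciphertext bit
    return {
        "owner_reads_intact": open_sector(k_app2, 0, stored) == secret,
        "copy_verifies_for_appVM": open_sector(k_app, 0, copied) is not None,
        "appVM_raw_decrypt_is_secret": raw == secret,
        "tamper_detected_by_appVM2": open_sector(k_app2, 0, flipped) is None,
    }

if __name__ == "__main__":
    print(run_scenario())
```

The tamper check here comes from the MAC tag; a mode without authentication would return altered plaintext instead of failing.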