You are protecting against hardware attackers with TRESOR. So... it only makes sense at the bare-metal / Hypervisor level. -Travis On Wed, Feb 11, 2015 at 3:33 PM, Alfie John <alfiej@fastmail.fm> wrote:
On Thu, Feb 12, 2015, at 03:17 AM, Travis Biehn wrote:
+ cypherpunks
http://en.wikipedia.org/wiki/TRESOR - Keys are stored in debug or SSE registers and never leave the CPU. Use of AES-NI gives you solid performance. [side-channel DPA/timing etc vulnerable, though :(]
That + trusted boot + dm-verity & FDE. Delicious. [Add Xen bare-metal & qubes-esque setup.]
I've never seen TRESOR work, that might be a fun side-project for someone.
Wouldn't running TRESOR under Xen be useless as Xen would need to save/restore SSE registers when switching between VMs (and putting them in memory)?
Alfie
-- Alfie John alfiej@fastmail.fm
-- Twitter <https://twitter.com/tbiehn> | LinkedIn <http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn> | TravisBiehn.com <http://www.travisbiehn.com> | Google Plus <https://plus.google.com/+TravisBiehn>