[personal profile] mjg59
Recent Intel-based systems often implement something called Intel Rapid Start Technology. Like many things with the word "Technology" in the name, there's a large part of this that's marketing. The relatively small amount of technical documentation available implies that it's tied to your motherboard chipset and CPU, but as far as I can tell it's entirely implemented in firmware and could work just as well on, say, a Cyrix on a circa 1996 SIS-based motherboard if someone wrote the BIOS code[1]. But since nobody has, we're stuck with the vendors who've met Intel's requirements and licensed the code.

The concept of IRST is pretty simple. There's a firmware mechanism for setting a sleep timeout. If you suspend your computer and this timeout expires, it'll resume. However, instead of handing control back to the OS, the firmware just copies the entire contents of RAM to a special partition and turns the computer off. Next time you hit the power button, the firmware dumps the partition contents back into RAM and resumes as if nothing had changed. This takes a few seconds longer than resume from S3 but is far faster than resume from hibernation since it starts the moment the system gets power.

At a more technical level, it's a little more complicated. The first thing to know about this feature is that it's entirely invisible unless your hard drive is set up correctly. There needs to be a partition that's at least the size of your system's physical RAM. For GPT systems, this needs to have a type GUID of D3BFE2DE-3DAF-11DF-BA-40-E3A556D89593. For MBR systems, you need a partition type of 0x84[2]. If the firmware doesn't find an appropriate partition then the OS will get no indication that the firmware supports it. Boo.

(The second thing is that it seems like it really does have to be on an SSD, and if you try to do this on spinning media your firmware will ignore it anyway)

If all the prerequisites are in place, an ACPI device with an HID of INT3392 will exist. It has four methods associated with it: GFFS, SFFS, GFTV and SFTV. GFFS returns an integer representing the events that will cause the system to wake up from S3 and suspend to SSD. The system will wake after the timeout expires if bit 0 is set, and will wake when the battery becomes critically low if bit 1 is set. The other bits appear to be unused at the moment[3]. SFFS sets the wakeup events, using the same bit values as GFFS. GFTV returns an integer containing the current wakeup timeout in minutes. SFTV sets it. Values above 1440 (ie, 24 hours) seem to be considered invalid - if I set them the value instead ends up as 10 and the timeout flag gets cleared from the wakeup events field.

I've submitted a patch that adds a sysfs interface for setting these values, and unless anyone objects it'll probably end up in 3.11. There's still the remaining question of how userspace should make use of these, and also how installers should behave when it comes to systems that support IRST. As previously mentioned, there's no obvious indication to the OS that the feature is supported unless the appropriate partition already exists. The easiest way to deal with this is for installers to default to retaining any partitions with the magic IDs, but I'm still looking into whether it's possible to get the firmware to cough up some more information so it can be created automatically even if the drive's entirely blank.

And now, having got this working on a test machine, I just need to split my Thinkpad's swap partition in half and make sure it works here as well. Woo.

[1] Note: I am not going to do this.
[2] Conveniently, the same as the partition type that APM systems used for suspend to disk back when dubstep hadn't been invented yet
[3] At least, if you attempt to set them they get ignored.

Re: Threat to dm-crypt

Date: 2013-07-03 07:26 pm (UTC)
From: (Anonymous)
It's unencrypted in RAM before it's suspended too. My point is that the SSD is non-volatile storage. Worse, your keys or private data would likely stay there even if you subsequently rapid-start, unmount, scrub keys from RAM and do a full shutdown.

Encrypting the root file system or whole disk would require scrubbing the keys from RAM before suspend, being able to prompt for credentials on resume, and reattach. One-time keys for encrypted swap would have to be written into that secure storage area too and somehow re-opened. You still have to hope nothing confidential remains anywhere in RAM. And/or do a scrub of the rapid-start partition after resume, hoping the SSD is actually overwriting the same blocks.

In summary, if the machine might be still logged into something non-public, like a website account or email box, or has been used to view/create/store anything since booting that should stay private, this feature is junk and you wouldn't want to use it.

Re: Threat to dm-crypt

Date: 2013-07-03 08:07 pm (UTC)
From: (Anonymous)
I just think: Friends wouldn't let friends use this feature.

Zeroing on resume is some comfort, probably reducing the persistence of this on disk.

But whilst appearing to be a convenience, at least temporarily it must write a snapshot of the user's activities since the last cold boot onto non-volatile storage. (Mostly recent, and falling off logarithmically by age). That data might stay there for months until the device is stolen, sent away for repair, sold or disposed of. It might include documents and media, session cookies, password keyrings, random excerpts of keyboard input or copies things from removable media, and probably lots of email and Internet history, even if that was transferred encrypted. And still recoverable if since deleted on-disk with a 'secure erase', or encryption products used for swap, individual files, containers or the whole disk.

Re: Threat to dm-crypt

Date: 2013-07-05 12:02 am (UTC)
From: (Anonymous)
Unencrypted RAM doesn't leave data behind. SSDs do. They are not equivalent except in some scenarios. Using the slippery slope argument here just dodges good discussion. :/

Re: Threat to dm-crypt

Date: 2013-07-05 11:55 am (UTC)
From: (Anonymous)
Of course they do, you can read out RAM by freezing it first, then you can take it out, and read it.

Re: Threat to dm-crypt

Date: 2013-07-08 03:03 am (UTC)
From: (Anonymous)
Unencrypted RAM can be easily read with physical access to the machine, just like the SSD.

See this 2008 paper (https://citp.princeton.edu/research/memory/) or watch the video (http://www.youtube.com/watch?v=JDaicPIgn9U) demonstrating a technique to pull unencrypted passphrases/keys out of RAM from a suspended machine to unlock dm-crypt, TrueCrypt, FileVault, etc.

Re: Threat to dm-crypt

Date: 2013-07-03 08:14 pm (UTC)
From: (Anonymous)
A reasonable compromise would be if the save process used a randomly generated key, and that key was available during the resume. Presumably the TPM or a similar mechanism could be used.

Reading secrets from the disk will generally leave behind no evidence. All the bad guy needs is a screwdriver. Reading them from memory is very likely to leave evidence in the form of scrambled/lost memory. In any event I'd claim the cost to the bad guys is $10 to grab data from disk (leaving no evidence it has been done) versus $1000 to grab from ram but being evident. Not the same order of magnitude as usual crypto gives ("$millions") but a noticeable difference.

Re: Threat to dm-crypt

Date: 2013-07-04 01:08 am (UTC)
From: (Anonymous)
It is only $10 to read from ram also. Google "read ram after power off". You do have a valid point that grabbing the ram leaves evidence.

Re: Threat to dm-crypt

Date: 2013-07-04 10:13 am (UTC)
From: (Anonymous)
The user experience would likely be "I closed the lid... so it's turned off" or "it's shut itself down because I wasn't using it" and they may have to enter a password to log back in. RAM suspend is common, but sooner or later the battery is drained or removed, and within seconds the data is gone. So the attack window is finite. With IRST the same data is going to be copied to persistent storage, staying on the SSD indefinitely even if the device is disassembled, and users are unlikely to know it happened.

You come back from lunch, spill your coffee over the device and it won't switch back on. You send the machine for repair or sell it as spares, but all manner of sensitive data is retrievable from SSD. Even if a person took sensible precautions such as using a master passphrase to protect stored passwords, use a corporate VPN and password-protected authentication keys, encrypt your emails, all removable media, files, swap space or whole disk...

Re: Threat to dm-crypt

Date: 2013-07-16 04:36 am (UTC)
From: [identity profile] flowerpt.myopenid.com
Heck, I'd be OK with it requiring me to enter a passphrase on resume. I'd even be OK with linux having a tunable to hand my root LUKS passphrase to this facility, to keep it easy. Just about everything this runs on should have AES-NI and the on-disk format should be verifyable. This would be a great extension to the service from Intel.

I actually got as far as setting up the partition's GUID before the implications occurred to me. It would be nice, but for now hibernate is my only safe option.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags