On Sat, Feb 14, 2009 at 06:13:26PM -0500, Steven M. Bellovin wrote:
> I have a powerd script that forcibly unmounts and unconfigures cgd
> drive on suspend events.

Yeah, that's a fine start for present infrastructure. But I'm talking about leaving the fs mounted, device suspended without keys, in a state that blocks IO requests (or potentially errors some).

Together with this at the device level, there would also be ubc/vfs level changes to make it work most effectively. These would involve either also clearing cache (for sensitive data), or forcing some (meta)data to be cached so it's accessible until/for unsuspend, or holding back writes before the device layer (e.g. deferring atime updates). Again, a lot of parallels with power management objectives (like avoiding spinning up 'normal' disks).

FYI, cgd(4) zeros its own key data, but nothing from ubc cache or other layers.

-- Dan.