From: Yu Chen <yu.c.chen@intel.com>
To: joeyli <jlee@suse.com>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>,
Pavel Machek <pavel@ucw.cz>, Len Brown <len.brown@intel.com>,
Borislav Petkov <bp@alien8.de>,
linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/3][RFC] Introduce the in-kernel hibernation encryption
Date: Fri, 6 Jul 2018 21:42:27 +0800 [thread overview]
Message-ID: <20180706134226.GA9631@sandybridge-desktop> (raw)
In-Reply-To: <20180705161637.GK3628@linux-l9pv.suse>
Sorry for late reply.
On Fri, Jul 06, 2018 at 12:16:37AM +0800, joeyli wrote:
> Hi Chen Yu,
>
> On Wed, Jun 20, 2018 at 05:39:37PM +0800, Chen Yu wrote:
> > Hi,
> > As security becomes more and more important, we add the in-kernel
> > encryption support for hibernation.
> >
> > This prototype is a trial version to implement the hibernation
> > encryption in the kernel, so that the users do not have to rely
> > on third-party tools to encrypt the hibernation image. The only
> > dependency on user space is that, the user space should provide
> > a valid key derived from passphrase to the kernel for image encryption.
> >
> > There was a discussion on the mailing list on whether this key should
> > be derived in kernel or in user space. And it turns out to be generating
> > the key by user space is more acceptable[1]. So this patch set is divided
> > into two parts:
> > 1. The hibernation snapshot encryption in kernel space,
> > 2. the key derivation implementation in user space.
> >
> > Please refer to each patch for detail, and feel free to comment on
> > this, thanks.
> >
> > [1] https://www.spinics.net/lists/linux-crypto/msg33145.html
> >
> > Chen Yu (3):
> > PM / Hibernate: Add helper functions for hibernation encryption
> > PM / Hibernate: Encrypt the snapshot pages before submitted to the
> > block device
> > tools: create power/crypto utility
> >
>
> I am trying this patch set.
>
> Could you please tell me how to test the user space crypto utility with
> systemd's hibernation module?
>
Usage:
1. install the kernel module:
modprobe crypto_hibernation
2. run the tool to generate the key from
user provided passphrase:
./crypto_hibernate
3. launch the hibernation process:
echo disk > /sys/power/state
4. The initrd launches cryto_hibernate
to read previous salt from kernel and
probe the user passphrase and generate the same key:
./crypto_hibernate
5. kernel uses this key to decrypt the hibernation
snapshot.
> I have a question about the salt. If the salt is saved in image header,
> does that mean that kernel needs to read the image header before user
> space crypto utility be launched? Otherwise user space can not get
> the salt to produce key? I a bit confused about the resume process.
>
The crypto_hibernate will first read the salt from the kernel
via ioctl(the kernel will first expose the salt for the user
in crypto_restore(), then the crypto_hibernate uses ioctl to
read it) and then uses that salt together with user provided
passphrase to generate the key, and pass that key to the kernel
for decryption.
> Thanks
> Joey Lee
prev parent reply other threads:[~2018-07-06 13:37 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-20 9:39 [PATCH 0/3][RFC] Introduce the in-kernel hibernation encryption Chen Yu
2018-06-20 9:39 ` [PATCH 1/3][RFC] PM / Hibernate: Add helper functions for " Chen Yu
2018-06-20 9:40 ` [PATCH 2/3][RFC] PM / Hibernate: Encrypt the snapshot pages before submitted to the block device Chen Yu
2018-06-28 13:07 ` joeyli
2018-06-28 13:50 ` Yu Chen
2018-06-28 14:28 ` joeyli
2018-06-28 14:52 ` Yu Chen
2018-06-29 12:59 ` joeyli
2018-07-06 15:28 ` Yu Chen
2018-07-12 10:10 ` joeyli
2018-07-13 7:34 ` Yu Chen
2018-07-18 15:48 ` joeyli
2018-07-19 9:16 ` Yu Chen
2018-06-20 9:40 ` [PATCH 3/3][RFC] tools: create power/crypto utility Chen Yu
2018-06-20 17:41 ` Eric Biggers
2018-06-22 2:39 ` Yu Chen
2018-06-22 2:59 ` Eric Biggers
2018-06-21 9:01 ` Pavel Machek
2018-06-21 9:01 ` Pavel Machek
2018-06-21 12:10 ` Rafael J. Wysocki
2018-06-21 19:04 ` Pavel Machek
2018-06-25 7:06 ` Rafael J. Wysocki
2018-06-25 11:54 ` Pavel Machek
2018-06-25 21:56 ` Rafael J. Wysocki
2018-06-25 22:16 ` Pavel Machek
[not found] ` <1530009024.20417.5.camel@suse.com>
2018-06-26 11:12 ` Pavel Machek
2018-06-21 8:53 ` [PATCH 0/3][RFC] Introduce the in-kernel hibernation encryption Pavel Machek
2018-06-21 12:08 ` Rafael J. Wysocki
2018-06-21 19:14 ` Pavel Machek
2018-06-22 2:14 ` Yu Chen
2018-06-25 11:55 ` Pavel Machek
2018-06-25 7:16 ` Rafael J. Wysocki
2018-06-25 11:59 ` Pavel Machek
2018-06-25 22:14 ` Rafael J. Wysocki
2018-07-05 16:16 ` joeyli
2018-07-06 13:42 ` Yu Chen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180706134226.GA9631@sandybridge-desktop \
--to=yu.c.chen@intel.com \
--cc=bp@alien8.de \
--cc=jlee@suse.com \
--cc=len.brown@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=rafael@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.