From: Matthew Garrett <mjg59@srcf.ucam.org>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: linux-efi@vger.kernel.org, linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] x86/efi: pull NV+BS variables out before we exit boot services
Date: Tue, 19 Mar 2013 23:17:56 +0000 [thread overview]
Message-ID: <20130319231756.GA21071@srcf.ucam.org> (raw)
In-Reply-To: <1363734031.2377.77.camel@dabdike.int.hansenpartnership.com>
On Tue, Mar 19, 2013 at 11:00:31PM +0000, James Bottomley wrote:
> On Tue, 2013-03-19 at 18:50 +0000, Matthew Garrett wrote:
> > Well, that somewhat complicates implementation - we'd be encrypting the
> > entire contents of memory except for the key that we're using to encrypt
> > memory. Keeping the public key away from userspace avoids having to care
> > about that.
>
> I don't quite understand what you're getting at: the principle of public
> key cryptography is that you can make the public key, well public. You
> only need to guard the private key.
Ok, so let's just rephrase it as asymmetric cryptography. The aim is to
ensure that there's never a situation where userspace can decrypt a
hibernation file, modify it and reencrypt it. So, shim (or whatever)
generates a keypair. The encryption key is passed to the kernel being
booted. The decryption key is stashed in a variable in order to be
passed to the resume kernel.
If the decryption key is available to userspace then the kernel needs to
discard the encryption key during image write-out - otherwise the
encryption key will be in the encrypted image. If the decryption key
isn't available to userspace then this isn't a concern.
If the decryption key *is* available to userspace (as it would be in
your case), there's a requirement to discard the encryption key during
the hibernation process. This isn't impossible, but it does add a little
to the complexity.
--
Matthew Garrett | mjg59@srcf.ucam.org
WARNING: multiple messages have this Message-ID (diff)
From: Matthew Garrett <mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
To: James Bottomley
<James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
Cc: linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH] x86/efi: pull NV+BS variables out before we exit boot services
Date: Tue, 19 Mar 2013 23:17:56 +0000 [thread overview]
Message-ID: <20130319231756.GA21071@srcf.ucam.org> (raw)
In-Reply-To: <1363734031.2377.77.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
On Tue, Mar 19, 2013 at 11:00:31PM +0000, James Bottomley wrote:
> On Tue, 2013-03-19 at 18:50 +0000, Matthew Garrett wrote:
> > Well, that somewhat complicates implementation - we'd be encrypting the
> > entire contents of memory except for the key that we're using to encrypt
> > memory. Keeping the public key away from userspace avoids having to care
> > about that.
>
> I don't quite understand what you're getting at: the principle of public
> key cryptography is that you can make the public key, well public. You
> only need to guard the private key.
Ok, so let's just rephrase it as asymmetric cryptography. The aim is to
ensure that there's never a situation where userspace can decrypt a
hibernation file, modify it and reencrypt it. So, shim (or whatever)
generates a keypair. The encryption key is passed to the kernel being
booted. The decryption key is stashed in a variable in order to be
passed to the resume kernel.
If the decryption key is available to userspace then the kernel needs to
discard the encryption key during image write-out - otherwise the
encryption key will be in the encrypted image. If the decryption key
isn't available to userspace then this isn't a concern.
If the decryption key *is* available to userspace (as it would be in
your case), there's a requirement to discard the encryption key during
the hibernation process. This isn't impossible, but it does add a little
to the complexity.
--
Matthew Garrett | mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org
next prev parent reply other threads:[~2013-03-19 23:18 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-18 8:40 [PATCH] x86/efi: pull NV+BS variables out before we exit boot services James Bottomley
2013-03-18 8:40 ` James Bottomley
2013-03-19 1:48 ` Matthew Garrett
2013-03-19 1:48 ` Matthew Garrett
2013-03-19 8:14 ` James Bottomley
2013-03-19 8:14 ` James Bottomley
2013-03-19 16:35 ` Matthew Garrett
2013-03-19 16:35 ` Matthew Garrett
2013-03-19 17:17 ` James Bottomley
2013-03-19 17:25 ` Matthew Garrett
2013-03-19 17:25 ` Matthew Garrett
2013-03-19 18:23 ` James Bottomley
2013-03-19 18:23 ` James Bottomley
2013-03-19 18:28 ` Matthew Garrett
2013-03-19 18:28 ` Matthew Garrett
2013-03-19 18:40 ` James Bottomley
2013-03-19 18:40 ` James Bottomley
2013-03-19 18:50 ` Matthew Garrett
2013-03-19 18:50 ` Matthew Garrett
2013-03-19 23:00 ` James Bottomley
2013-03-19 23:00 ` James Bottomley
2013-03-19 23:17 ` Matthew Garrett [this message]
2013-03-19 23:17 ` Matthew Garrett
2013-03-20 8:00 ` James Bottomley
2013-03-20 8:00 ` James Bottomley
2013-03-20 11:47 ` Matthew Garrett
2013-03-20 11:47 ` Matthew Garrett
2013-03-20 11:26 ` Matt Fleming
2013-03-20 11:26 ` Matt Fleming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130319231756.GA21071@srcf.ucam.org \
--to=mjg59@srcf.ucam.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.