linux-man.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: joeyli <jlee@suse.com>
To: Jiri Kosina <jikos@kernel.org>
Cc: Pavel Machek <pavel@ucw.cz>, David Howells <dhowells@redhat.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-man@vger.kernel.org, linux-api@vger.kernel.org,
	jmorris@namei.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down
Date: Wed, 23 May 2018 16:46:03 +0800	[thread overview]
Message-ID: <20180523084603.GD7474@linux-l9pv.suse> (raw)
In-Reply-To: <nycvar.YFH.7.76.1804261018030.28147@cbobk.fhfr.pm>

Hi experts, 

Sorry for I missed this discussion...

On Thu, Apr 26, 2018 at 10:20:29AM +0200, Jiri Kosina wrote:
> On Thu, 26 Apr 2018, Pavel Machek wrote:
> 
> > That's not how the crypto needs to work. Talk to Jiri Kosina, ok?
> 
> Yeah, Joey Lee (adding to CC) implemented it here:
> 
> 	https://lkml.org/lkml/2015/8/11/47
> 
> I think there have been more respins, Joey definitely knows more details 
> and status quo.
> 
> The design is specifically tailored for secure-boot environments though.
>

I am working on the next version of hibernation encryption and authentication:
    https://github.com/joeyli/linux-s4sign/wiki 

My plan is:

- Hibernation encryption:
  There is a draft patch to encrypt image by ctr(aes). This patch works
  with the first version of hibernation verification:
  https://github.com/joeyli/linux-s4sign/commit/6a9a0113bb221c036ebd0f6321b7191283fe4929

- Adapt hibernation to key retention service:
    - Using the encrypted key to derive encrypt key and auth key to
      encrypt and hmac snapshot image. Put the encrypted key in the image
      header of snapshot.
    - The encrypted key will be encrypted by KMK (kernel master key). Either
      trusted key(sealed by TPM) or EFI key (explain in later) can be the KMK.
      If there have appropriate UI support in initrd, user key can also be
      the KMK.
    - Similar with the enrolling EVM key, but more earler:
      The systemd and dracut must be changed for enrolling kernel master key
      before the swap partition be mounted.

- EFI key:
    - A new master key type to key retention service.
	- It can be a new option beyond trusted key(TPM) and user key.
    - EFI stub generates a random key and stores in EFI boot service
      variable:
	- This random key in boot variable can be called ERK (EFI Root Key)
	- The ERK is secure when secure boot enabled.
	    - User must aware and enable secure boot by themself if they want.
	- ERK can be a secret to encrypt a random number for generate a EFI key
	   - The EFI key can be used by hibernation encryption/authentication.
	   - The EFI key can be a master key to generate a encrypted key for EVM.
    - Rescue mechanism for ERK:
	- The ERK may be regenerated after the old ERK be erased by firmware update
	  or firmware recovery.
	- Current idea is using the public key in first/second trusted keyring
	  to encrypt the ERK for backup. User can enroll the EFI key with old ERK to
	  request kernel to re-encrypt the EFI key with new ERK.


Thanks a lot!
Joey Lee

  reply	other threads:[~2018-05-23  8:46 UTC|newest]

Thread overview: 63+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-11 16:24 [PATCH 00/24] security: Add kernel lockdown David Howells
2018-04-11 16:24 ` [PATCH 01/24] Add the ability to lock down access to the running kernel image David Howells
2018-04-11 16:44   ` Jann Horn
2018-04-11 17:37   ` Randy Dunlap
2018-04-11 18:50     ` Miguel Ojeda
2018-04-11 19:56       ` Greg KH
2018-04-11 17:49   ` David Howells
2018-04-11 18:09   ` Linus Torvalds
2018-04-11 18:35     ` Justin Forbes
2018-04-11 21:05     ` Jordan Glover
2018-04-11 22:38       ` Linus Torvalds
2018-04-12 13:09         ` Justin Forbes
2018-04-12 16:52           ` Linus Torvalds
2018-04-12  2:57   ` Andy Lutomirski
2018-04-11 16:24 ` [PATCH 02/24] Add a SysRq option to lift kernel lockdown David Howells
2018-04-11 17:05   ` Jann Horn
2018-04-13 20:22   ` Pavel Machek
2018-04-11 16:24 ` [PATCH 03/24] ima: require secure_boot rules in lockdown mode David Howells
2018-04-11 16:25 ` [PATCH 04/24] Enforce module signatures if the kernel is locked down David Howells
2018-04-11 16:25 ` [PATCH 05/24] Restrict /dev/{mem, kmem, port} when " David Howells
2018-04-11 16:25 ` [PATCH 06/24] kexec_load: Disable at runtime if " David Howells
2018-04-11 19:00   ` Eric W. Biederman
2018-04-11 20:09     ` Mimi Zohar
2018-04-12 11:38       ` Mimi Zohar
2018-04-11 20:05   ` David Howells
2018-04-11 16:25 ` [PATCH 07/24] hibernate: Disable when " David Howells
2018-04-13 20:22   ` Pavel Machek
2018-04-19 14:38   ` David Howells
2018-04-22 14:34     ` Andy Lutomirski
2018-04-26  7:26     ` Pavel Machek
2018-04-26  7:34       ` Rafael J. Wysocki
2018-04-26  8:20       ` Jiri Kosina
2018-05-23  8:46         ` joeyli [this message]
2018-04-11 16:25 ` [PATCH 08/24] uswsusp: " David Howells
2018-04-11 16:25 ` [PATCH 09/24] PCI: Lock down BAR access " David Howells
2018-04-11 16:25 ` [PATCH 10/24] x86: Lock down IO port " David Howells
2018-04-11 16:25 ` [PATCH 11/24] x86/msr: Restrict MSR " David Howells
2018-04-11 16:25 ` [PATCH 12/24] ACPI: Limit access to custom_method " David Howells
2018-04-11 16:26 ` [PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2018-04-11 16:26 ` [PATCH 14/24] acpi: Disable ACPI table override if the kernel is " David Howells
2018-04-11 16:26 ` [PATCH 15/24] acpi: Disable APEI error injection " David Howells
2018-04-11 16:26 ` [PATCH 16/24] Prohibit PCMCIA CIS storage when " David Howells
2018-04-11 16:26 ` [PATCH 17/24] Lock down TIOCSSERIAL David Howells
2018-04-11 16:26 ` [PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) David Howells
2018-04-11 17:22   ` Randy Dunlap
2018-04-11 16:26 ` [PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module David Howells
2018-04-11 16:26 ` [PATCH 20/24] Lock down /proc/kcore David Howells
2018-04-11 16:26 ` [PATCH 21/24] Lock down kprobes David Howells
2018-04-11 16:27 ` [PATCH 22/24] bpf: Restrict kernel image access functions when the kernel is locked down David Howells
2018-04-11 16:27 ` [PATCH 23/24] Lock down perf David Howells
2018-04-11 16:27 ` [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down David Howells
2018-04-11 17:26   ` Randy Dunlap
2018-04-11 18:50   ` Eric W. Biederman
2018-04-11 19:54   ` Greg KH
2018-04-11 20:08   ` David Howells
2018-04-11 20:09   ` David Howells
2018-04-11 20:33     ` Greg KH
2018-04-12  2:54       ` Andy Lutomirski
2018-04-12  8:23         ` Greg KH
2018-04-12 14:19           ` Andy Lutomirski
2018-04-13 20:22   ` Pavel Machek
2018-04-19 14:35   ` David Howells
2018-05-10 11:01     ` Pavel Machek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180523084603.GD7474@linux-l9pv.suse \
    --to=jlee@suse.com \
    --cc=dhowells@redhat.com \
    --cc=jikos@kernel.org \
    --cc=jmorris@namei.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-man@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=pavel@ucw.cz \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).