linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Evan Green <evgreen@chromium.org>
To: Pavel Machek <pavel@ucw.cz>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Gwendal Grignou <gwendal@chromium.org>,
	Eric Biggers <ebiggers@kernel.org>,
	Matthew Garrett <mgarrett@aurora.tech>,
	Jarkko Sakkinen <jarkko@kernel.org>,
	Mimi Zohar <zohar@linux.ibm.com>,
	linux-integrity@vger.kernel.org, apronin@chromium.org,
	Daniil Lunev <dlunev@google.com>,
	"Rafael J. Wysocki" <rjw@rjwysocki.net>,
	Linux PM <linux-pm@vger.kernel.org>,
	Jonathan Corbet <corbet@lwn.net>,
	"James E.J. Bottomley" <jejb@linux.ibm.com>,
	David Howells <dhowells@redhat.com>, Hao Wu <hao.wu@rubrik.com>,
	James Morris <jmorris@namei.org>, Jason Gunthorpe <jgg@ziepe.ca>,
	Len Brown <len.brown@intel.com>, Paul Moore <paul@paul-moore.com>,
	Peter Huewe <peterhuewe@gmx.de>,
	"Rafael J. Wysocki" <rafael@kernel.org>,
	"Serge E. Hallyn" <serge@hallyn.com>, axelj <axelj@axis.com>,
	keyrings@vger.kernel.org,
	"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
	linux-security-module@vger.kernel.org,
	Jorge Lucangeli Obes <jorgelo@google.com>
Subject: Re: [PATCH v2 00/10] Encrypted Hibernation
Date: Tue, 20 Sep 2022 09:39:25 -0700	[thread overview]
Message-ID: <CAE=gft65bdcoU-oF1=QK2Pg1-kO5gSXk7jxa99fErHK3osytCQ@mail.gmail.com> (raw)
In-Reply-To: <20220920084648.GA17087@duo.ucw.cz>

On Tue, Sep 20, 2022 at 1:46 AM Pavel Machek <pavel@ucw.cz> wrote:
>
> Hi!
>
> > We are exploring enabling hibernation in some new scenarios. However,
> > our security team has a few requirements, listed below:
> > 1. The hibernate image must be encrypted with protection derived from
> >    both the platform (eg TPM) and user authentication data (eg
> >    password).
> > 2. Hibernation must not be a vector by which a malicious userspace can
> >    escalate to the kernel.
>
> Why is #2 reasonable requirement?
>
> We normally allow userspace with appropriate permissions to update the
> kernel, for example.

I'll take a stab at answering this. I've also CCed one of our security
folks to keep me honest and add any needed additional context.

ChromeOS takes an approach of attempting to limit the blast radius of
any given vulnerability as much as possible. A vulnerable system
service may be running as root, but may also still be fairly
constrained by sandboxing: it may not have access to all processes,
the entire file system, or all capability bits. With Verified Boot
[1], our kernel and rootfs are statically signed by Google (or
yourself if firmware has been reflashed). Even if a full root
compromise occurs, it's difficult for the attacker to persist across a
reboot, since they cannot update the kernel or init flow on disk
without the signing key.

We do our best to lock down other escalation vectors from root to
kernel as well. For instance, features like LoadPin help prevent a
malicious root from simply loading up a payload via insmod.

So in cases like ours, jumping from root execution to kernel execution
represents a real escalation in privilege. Hibernate as it exists
today represents a wide open door for root to become kernel, so we're
forced to disable the Kconfigs for it. This series, along with another
patch to restrict unencrypted resume, would add the guardrails we need
to prevent arbitrary code from moving into the kernel via resume.

-Evan

[1] https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot/

  reply	other threads:[~2022-09-20 16:40 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-23 22:25 [PATCH v2 00/10] Encrypted Hibernation Evan Green
2022-08-23 22:25 ` [PATCH v2 01/10] tpm: Add support for in-kernel resetting of PCRs Evan Green
2022-08-26  2:59   ` Jarkko Sakkinen
2022-09-07 17:02     ` Evan Green
2022-09-08  5:22       ` Jarkko Sakkinen
2022-08-23 22:25 ` [PATCH v2 02/10] tpm: Allow PCR 23 to be restricted to kernel-only use Evan Green
2022-08-26  3:02   ` Jarkko Sakkinen
2022-09-07 17:03     ` Evan Green
2022-09-13 12:26   ` Stefan Berger
2022-09-20  4:50     ` Jarkko Sakkinen
2022-09-21 15:35       ` Evan Green
2022-09-21 18:02         ` Jarkko Sakkinen
2022-09-21 18:05           ` Jarkko Sakkinen
2022-09-21 19:02             ` Evan Green
2022-08-23 22:25 ` [PATCH v2 03/10] security: keys: trusted: Include TPM2 creation data Evan Green
2022-09-20 23:04   ` Kees Cook
2022-09-23 22:22     ` Evan Green
2022-08-23 22:25 ` [PATCH v2 04/10] security: keys: trusted: Allow storage of PCR values in " Evan Green
2022-08-24 11:56   ` Ben Boeckel
2022-08-24 17:34     ` Evan Green
2022-08-23 22:25 ` [PATCH v2 05/10] security: keys: trusted: Verify " Evan Green
2022-09-20 23:06   ` Kees Cook
2022-09-23 22:23     ` Evan Green
2022-08-23 22:25 ` [PATCH v2 06/10] PM: hibernate: Add kernel-based encryption Evan Green
2022-09-20 23:09   ` Kees Cook
2022-08-23 22:25 ` [PATCH v2 07/10] PM: hibernate: Use TPM-backed keys to encrypt image Evan Green
2022-09-20 23:16   ` Kees Cook
2022-09-23 22:23     ` Evan Green
2022-09-24  4:31       ` Kees Cook
2022-08-23 22:25 ` [PATCH v2 08/10] PM: hibernate: Mix user key in encrypted hibernate Evan Green
2022-08-23 22:25 ` [PATCH v2 09/10] PM: hibernate: Verify the digest encryption key Evan Green
2022-08-23 22:25 ` [PATCH v2 10/10] PM: hibernate: seal the encryption key with a PCR policy Evan Green
2022-09-20 23:24   ` Kees Cook
2022-08-31 18:34 ` [PATCH v2 00/10] Encrypted Hibernation Limonciello, Mario
2022-09-07 17:03   ` Evan Green
2022-09-20  8:46 ` Pavel Machek
2022-09-20 16:39   ` Evan Green [this message]
2022-09-21 18:09   ` Jason Gunthorpe
2022-09-20 22:52 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAE=gft65bdcoU-oF1=QK2Pg1-kO5gSXk7jxa99fErHK3osytCQ@mail.gmail.com' \
    --to=evgreen@chromium.org \
    --cc=apronin@chromium.org \
    --cc=axelj@axis.com \
    --cc=corbet@lwn.net \
    --cc=dhowells@redhat.com \
    --cc=dlunev@google.com \
    --cc=ebiggers@kernel.org \
    --cc=gwendal@chromium.org \
    --cc=hao.wu@rubrik.com \
    --cc=jarkko@kernel.org \
    --cc=jejb@linux.ibm.com \
    --cc=jgg@ziepe.ca \
    --cc=jmorris@namei.org \
    --cc=jorgelo@google.com \
    --cc=keyrings@vger.kernel.org \
    --cc=len.brown@intel.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-pm@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mgarrett@aurora.tech \
    --cc=paul@paul-moore.com \
    --cc=pavel@ucw.cz \
    --cc=peterhuewe@gmx.de \
    --cc=rafael@kernel.org \
    --cc=rjw@rjwysocki.net \
    --cc=serge@hallyn.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).