Re: [RFC PATCH 4/8] x86/power: Restore Key Locker internal key from the ACPI S3/4 sleep states

[Bae, Chang Seok]

> On Dec 18, 2020, at 04:10, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> 
> On Wed, Dec 16, 2020 at 09:41:42AM -0800, Chang S. Bae wrote:
>> When the system state switches to these sleep states, the internal key gets
>> reset. Since this system transition is transparent to userspace, the
>> internal key needs to be restored properly.
>> 
>> Key Locker provides a mechanism to back up the internal key in non-volatile
>> memory. The kernel requests a backup right after the key loaded at
>> boot-time and copies it later when the system wakes up.
>> 
>> The backup during the S5 sleep state is not trusted. It is overwritten by a
>> new key at the next boot.
>> 
>> On a system with the S3/4 states, enable the feature only when the backup
>> mechanism is supported.
>> 
>> Disable the feature when the copy fails (or the backup corrupts). The
>> shutdown is considered too noisy. A new key is considerable only when
>> threads can be synchronously suspended.
> 
> Can this backup key be used to decrypt the encoded AES keys without executing
> the keylocker instructions on the same CPU?

No. The backup key itself is inaccessible to the software.

Thanks,
Chang