Re: Trusted kernel patchset
From: joeyli
Date: Wed Mar 18 2015 - 09:25:25 EST
On Mon, Mar 16, 2015 at 10:54:54PM +0100, Jiri Kosina wrote:
> On Mon, 16 Mar 2015, Matthew Garrett wrote:
>
> > > - All suspend/resumes allow modifying the kernel. I can boot Linux
> > > suspend, boot windows, modify the Linux restore image, boot Linux and
> > > own the box. You would need to sign the resume image somehow I think or
> > > just disable all suspend/resume
> >
> > I'm kind of torn on this - yes, there are deployment scenarios where
> > hibernation can be used to circumvent the restrictions, but there are
> > also scenarios where that can be avoided (eg, the bootloader verifies
> > some state with respect to the hibernation image).
>
> [ adding Joey to CC ]
>
> Just for completness -- there is a way around this:
>
> https://lkml.org/lkml/2013/9/14/183
>
> The series is not really the optimal one, as Alan Stern later figured out
> that symmetric cryptography is strong enough to achieve the same goal, but
> I am not sure whether Joey implemented that idea already.
>
> --
> Jiri Kosina
> SUSE Labs
About the symmetric key edition, I developed a prototype the codes on github
are ugly and still need clear up. But it works for using HMAC to generate
signature and verify hibernate image.
There still has a situation need to solve:
There doesn't have enough random entropy for the FIRST TIME boot to generate
HMAC key in EFI stub.
And, I need implement a hash function in EFI stub, at least SHA1, to mess
entropies from difference sources (rdtsc, RdRand... not too many) for generating
new HMAC key. An other idea is sending a random seed from runtime random pool to
boot time to be one of the seed of next HMAC key.
Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/