Re: [PATCH 0/6][RFC] Add EFI secure key to key retention service

From: Ard Biesheuvel
Date: Sun Aug 05 2018 - 03:26:16 EST


Hello Chun,yi,

On 5 August 2018 at 05:21, Lee, Chun-Yi <joeyli.kernel@xxxxxxxxx> wrote:
> When secure boot is enabled, only signed EFI binary can access
> EFI boot service variable before ExitBootService. Which means that
> the EFI boot service variable is secure.
>

No it, isn't, and this is a very dangerous assumption to make.

'Secure' means different things to different people. 'Secure boot' is
a misnomer, since it is too vague: it should be called 'authenticated
boot', and the catch is that authentication using public-key crypto
does not involve secrets at all. The UEFI variable store was not
designed with confidentiality in mind, and assuming [given the
reputation of EFI on the implementation side] that you can use it to
keep secrets is rather unwise imho.

> This patch set add functions to EFI boot stub to generate a 512-bit
> random number that it can be used as a root key for encryption and
> authentication. This root key will be kept in EFI boot service variable.
> EFI boot stub will read and transfer ERK (efi root key) to kernel.
>
> At runtime, the ERK can be used to encrypted/authentication other
> random number to generate EFI secure key. The EFI secure key can be
> a new master key type for encrypted key. It's useful for hibernation
> or evm.
>
> Here is the proof of concept for using EFI secure key in hibernation:
> https://github.com/joeyli/linux-s4sign/commit/6311e97038974bc5de8121769fb4d34470009566
>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
> Cc: "Rafael J. Wysocki" <rafael.j.wysocki@xxxxxxxxx>
> Cc: Pavel Machek <pavel@xxxxxx>
> Cc: Chen Yu <yu.c.chen@xxxxxxxxx>
> Cc: Oliver Neukum <oneukum@xxxxxxxx>
> Cc: Ryan Chen <yu.chen.surf@xxxxxxxxx>
> Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: "Lee, Chun-Yi" <jlee@xxxxxxxx>
>
> Lee, Chun-Yi (6):
> x86/KASLR: make getting random long number function public
> efi: the function transfers status to string
> efi: generate efi root key in EFI boot stub
> key: add EFI secure key type
> key: add EFI secure key as a master key type
> key: enforce the secure boot checking when loading efi root key
>
> Documentation/admin-guide/kernel-parameters.txt | 6 +
> arch/x86/boot/compressed/Makefile | 1 +
> arch/x86/boot/compressed/cpuflags.c | 2 +-
> arch/x86/boot/compressed/eboot.c | 2 +
> arch/x86/boot/compressed/efi_root_key.c | 212 +++++++
> arch/x86/boot/compressed/kaslr.c | 21 -
> arch/x86/boot/compressed/misc.c | 17 +
> arch/x86/boot/compressed/misc.h | 12 +-
> arch/x86/include/asm/efi.h | 13 +
> arch/x86/include/uapi/asm/bootparam.h | 1 +
> arch/x86/kernel/setup.c | 3 +
> arch/x86/lib/kaslr.c | 61 +-
> arch/x86/lib/random.c | 68 +++
> drivers/firmware/efi/Kconfig | 31 +
> drivers/firmware/efi/Makefile | 1 +
> drivers/firmware/efi/efi-secure-key.c | 748 ++++++++++++++++++++++++
> include/keys/efi-type.h | 57 ++
> include/linux/efi.h | 40 ++
> include/linux/kernel.h | 3 +-
> kernel/panic.c | 1 +
> security/keys/encrypted-keys/encrypted.c | 10 +
> 21 files changed, 1226 insertions(+), 84 deletions(-)
> create mode 100644 arch/x86/boot/compressed/efi_root_key.c
> create mode 100644 arch/x86/lib/random.c
> create mode 100644 drivers/firmware/efi/efi-secure-key.c
> create mode 100644 include/keys/efi-type.h
>
> --
> 2.13.6
>