From: joeyli <jlee@suse.com>
To: Jiri Kosina <jkosina@suse.cz>
Cc: Matthew Garrett <matthew.garrett@nebula.com>,
"gnomes@lxorguk.ukuu.org.uk" <gnomes@lxorguk.ukuu.org.uk>,
"keescook@chromium.org" <keescook@chromium.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"james.l.morris@oracle.com" <james.l.morris@oracle.com>,
"serge@hallyn.com" <serge@hallyn.com>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"hpa@zytor.com" <hpa@zytor.com>
Subject: Re: Trusted kernel patchset
Date: Wed, 18 Mar 2015 21:24:50 +0800 [thread overview]
Message-ID: <20150318132450.GA2370@linux-rxt1.site> (raw)
In-Reply-To: <alpine.LRH.2.00.1503162251400.13021@twin.jikos.cz>
On Mon, Mar 16, 2015 at 10:54:54PM +0100, Jiri Kosina wrote:
> On Mon, 16 Mar 2015, Matthew Garrett wrote:
>
> > > - All suspend/resumes allow modifying the kernel. I can boot Linux
> > > suspend, boot windows, modify the Linux restore image, boot Linux and
> > > own the box. You would need to sign the resume image somehow I think or
> > > just disable all suspend/resume
> >
> > I'm kind of torn on this - yes, there are deployment scenarios where
> > hibernation can be used to circumvent the restrictions, but there are
> > also scenarios where that can be avoided (eg, the bootloader verifies
> > some state with respect to the hibernation image).
>
> [ adding Joey to CC ]
>
> Just for completness -- there is a way around this:
>
> https://lkml.org/lkml/2013/9/14/183
>
> The series is not really the optimal one, as Alan Stern later figured out
> that symmetric cryptography is strong enough to achieve the same goal, but
> I am not sure whether Joey implemented that idea already.
>
> --
> Jiri Kosina
> SUSE Labs
About the symmetric key edition, I developed a prototype the codes on github
are ugly and still need clear up. But it works for using HMAC to generate
signature and verify hibernate image.
There still has a situation need to solve:
There doesn't have enough random entropy for the FIRST TIME boot to generate
HMAC key in EFI stub.
And, I need implement a hash function in EFI stub, at least SHA1, to mess
entropies from difference sources (rdtsc, RdRand... not too many) for generating
new HMAC key. An other idea is sending a random seed from runtime random pool to
boot time to be one of the seed of next HMAC key.
Joey Lee
prev parent reply other threads:[~2015-03-18 13:25 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-13 21:38 Trusted kernel patchset Matthew Garrett
2015-03-13 21:38 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
2015-03-13 21:38 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2015-03-13 21:38 ` [PATCH 03/12] PCI: Lock down register access when trusted_kernel is true Matthew Garrett
2015-03-13 21:38 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2015-03-13 21:38 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2015-03-13 21:38 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2015-03-13 21:38 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2015-03-13 21:38 ` [PATCH 08/12] kexec: Disable loading of unverified images Matthew Garrett
2015-03-13 21:38 ` [PATCH 09/12] uswsusp: Disable when trusted_kernel is true Matthew Garrett
2015-03-16 21:36 ` Kees Cook
2015-03-16 21:40 ` Matthew Garrett
2015-03-13 21:38 ` [PATCH 10/12] x86: Restrict MSR access " Matthew Garrett
2015-03-13 21:38 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2015-03-13 21:38 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2015-04-22 11:36 ` Dan Carpenter
2015-03-15 1:53 ` Trusted kernel patchset Matthew Garrett
2015-03-16 14:45 ` One Thousand Gnomes
2015-03-16 18:15 ` Matthew Garrett
2015-03-16 20:07 ` One Thousand Gnomes
2015-03-16 20:35 ` David Lang
2015-03-16 20:57 ` One Thousand Gnomes
2015-03-16 21:11 ` Matthew Garrett
2015-03-16 21:29 ` Kees Cook
2015-03-17 17:48 ` One Thousand Gnomes
2015-03-17 20:22 ` Simon McVittie
2015-03-17 20:42 ` Matthew Garrett
2015-03-18 11:34 ` Simon McVittie
2015-03-16 21:54 ` Jiri Kosina
2015-03-18 13:24 ` joeyli [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150318132450.GA2370@linux-rxt1.site \
--to=jlee@suse.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=hpa@zytor.com \
--cc=james.l.morris@oracle.com \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.