From: Pavel Machek <pavel@ucw.cz>
To: Ryan Chen <yu.chen.surf@gmail.com>
Cc: jlee@suse.com, Chen Yu <yu.c.chen@intel.com>,
oneukum@suse.com,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
ebiggers@google.com, Theodore Ts'o <tytso@mit.edu>,
smueller@chronox.de, denkenz@gmail.com,
Linux PM list <linux-pm@vger.kernel.org>,
linux-crypto@vger.kernel.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
kookoo.gu@intel.com, Zhang Rui <rui.zhang@intel.com>
Subject: Re: [PATCH 0/4][RFC v2] Introduce the in-kernel hibernation encryption
Date: Sun, 5 Aug 2018 12:02:00 +0200 [thread overview]
Message-ID: <20180805100200.GB22948@amd> (raw)
In-Reply-To: <CADjb_WSURQz86+E8kakNf7UBDM+aho+uaz3QdDkuGsEgan=szw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1105 bytes --]
Hi!
> > User space doesn't need to involve. The EFI root key is generated by
> > EFI boot stub and be transfer to kernel. It's stored in EFI boot service
> > variable that it can only be accessed by trusted EFI binary when
> > secure boot is enabled.
> >
> Okay, this apply to the 'suspend' phase, right?
> I'm still a little confused about the 'resume' phase.
> Taking encryption as example(not signature),
> the purpose of doing hibernation encryption is to prevent other users
> from stealing ram content. Say, user A uses a passphrase to generate the
No, I don't think that's purpose here.
Purpose here is to prevent user from reading/modifying kernel memory
content on machine he owns.
Strange as it may sound, that is what "secure" boot requires (and what
Disney wants).
I guess it may have some non-evil uses,
too... https://www.linux.com/news/matthew-garrett-explains-how-increase-security-boot-time
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2018-08-05 10:02 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-18 16:38 [PATCH 0/4][RFC v2] Introduce the in-kernel hibernation encryption Chen Yu
2018-07-18 16:39 ` [PATCH 1/4][RFC v2] PM / Hibernate: Add helper functions for " Chen Yu
2018-07-18 16:39 ` [PATCH 2/4][RFC v2] PM / hibernate: Install crypto hooks " Chen Yu
2018-07-18 16:40 ` [PATCH 4/4][RFC v2] tools: create power/crypto utility Chen Yu
2018-07-18 20:22 ` [PATCH 0/4][RFC v2] Introduce the in-kernel hibernation encryption Pavel Machek
2018-07-18 23:58 ` Yu Chen
2018-07-19 11:01 ` Pavel Machek
2018-07-19 13:20 ` Yu Chen
2018-07-20 10:25 ` Pavel Machek
2018-07-23 11:42 ` Oliver Neukum
2018-07-23 12:22 ` Pavel Machek
2018-07-23 16:38 ` Yu Chen
2018-07-23 16:38 ` Yu Chen
2018-07-24 12:05 ` Pavel Machek
2018-07-24 11:49 ` Oliver Neukum
2018-07-24 13:04 ` Pavel Machek
2018-07-23 16:23 ` Yu Chen
2018-07-24 11:40 ` Oliver Neukum
2018-07-24 12:01 ` Pavel Machek
2018-07-24 12:47 ` Oliver Neukum
2018-07-24 13:03 ` Pavel Machek
2018-07-24 13:01 ` Oliver Neukum
2018-07-26 7:30 ` Oliver Neukum
2018-07-26 8:14 ` joeyli
2018-07-30 17:04 ` joeyli
2018-08-03 3:37 ` Yu Chen
2018-08-03 5:34 ` joeyli
2018-08-03 13:14 ` Ryan Chen
2018-08-03 14:05 ` joeyli
2018-08-03 16:09 ` Ryan Chen
2018-08-03 18:06 ` joeyli
2018-08-05 10:02 ` Pavel Machek [this message]
2018-08-06 8:45 ` Yu Chen
2018-08-06 10:39 ` joeyli
2018-08-07 7:43 ` Yu Chen
2018-08-07 16:27 ` joeyli
2018-08-08 17:58 ` Pavel Machek
2018-08-09 3:43 ` Yu Chen
2018-08-09 8:12 ` joeyli
2018-08-08 17:50 ` Pavel Machek
2018-08-09 3:01 ` Yu Chen
2018-08-09 6:53 ` Pavel Machek
2018-08-09 9:03 ` Oliver Neukum
2018-08-09 15:55 ` joeyli
2018-08-06 7:57 ` Yu Chen
2018-08-06 9:48 ` joeyli
2018-08-06 10:07 ` Yu Chen
2018-08-06 10:20 ` Oliver Neukum
2018-08-07 7:38 ` Yu Chen
2018-08-07 7:49 ` Ryan Chen
2018-08-07 10:04 ` Oliver Neukum
2018-07-24 14:47 ` joeyli
2018-07-19 14:58 ` joeyli
[not found] ` <edf92acf665b928f02104bb1835fd50723ab9980.1531924968.git.yu.c.chen@intel.com>
2018-07-19 5:32 ` [PATCH 3/4][RFC v2] PM / Hibernate: Encrypt the snapshot pages before submitted to the block device Yu Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180805100200.GB22948@amd \
--to=pavel@ucw.cz \
--cc=denkenz@gmail.com \
--cc=ebiggers@google.com \
--cc=jlee@suse.com \
--cc=kookoo.gu@intel.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=oneukum@suse.com \
--cc=rafael.j.wysocki@intel.com \
--cc=rui.zhang@intel.com \
--cc=smueller@chronox.de \
--cc=tytso@mit.edu \
--cc=yu.c.chen@intel.com \
--cc=yu.chen.surf@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.