* Re: [PATCH 12/18] Hibernate: generate and verify signature of snapshot
From: joeyli @ 2013-08-27 3:22 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
linux-security-module-u79uwXL29TY76Z2rM5mHXA,
linux-efi-u79uwXL29TY76Z2rM5mHXA, linux-pm-u79uwXL29TY76Z2rM5mHXA,
linux-crypto-u79uwXL29TY76Z2rM5mHXA,
opensuse-kernel-stAJ6ESoqRxg9hUCZPvPmw, David Howells,
Rafael J. Wysocki, Matthew Garrett, Len Brown, Josh Boyer,
Vojtech Pavlik, Matt Fleming, James Bottomley, Greg KH,
JKosina-IBi9RG/b67k, Rusty Russell, Herbert Xu, David S. Miller,
H. Peter Anvin, Michal Marek, Gary Lin, Vivek Goyal
In-Reply-To: <20130825163648.GI5171-tWAi6jLit6GreWDznjuHag@public.gmane.org>
Hi Pavel,
Thanks for your time to review my patches.
於 日,2013-08-25 於 18:36 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:51, Lee, Chun-Yi wrote:
> > This patch add the code for generate/verify signature of snapshot, it
> > put the signature to snapshot header. This approach can support both
> > on userspace hibernate and in-kernel hibernate.
> >
> > v2:
> > - Due to loaded S4 sign key before ExitBootServices, we need forward key from
> > boot kernel to resume target kernel. So this patch add a empty page in
> > snapshot image, then we keep the pfn of this empty page in snapshot header.
> > When system resume from hibernate, we fill new sign key to this empty page
> > space after snapshot image checked pass. This mechanism let boot kernel can
> > forward new sign key to resume target kernel but don't need write new private
> > key to any other storage, e.g. swap.
> >
> > Cc: Matthew Garrett <mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
> > Reviewed-by: Jiri Kosina <jkosina-AlSwsSmVLrQ@public.gmane.org>
> > Signed-off-by: Lee, Chun-Yi <jlee-IBi9RG/b67k@public.gmane.org>
> > ---
> > kernel/power/power.h | 6 +
> > kernel/power/snapshot.c | 280 +++++++++++++++++++++++++++++++++++++++++++++-
> > kernel/power/swap.c | 14 +++
> > kernel/power/user.c | 9 ++
> > 4 files changed, 302 insertions(+), 7 deletions(-)
> >
> > diff --git a/kernel/power/power.h b/kernel/power/power.h
> > index 69a81d8..84e0b06 100644
> > --- a/kernel/power/power.h
> > +++ b/kernel/power/power.h
> > @@ -3,6 +3,9 @@
> > #include <linux/utsname.h>
> > #include <linux/freezer.h>
> >
> > +/* The maximum length of snapshot signature */
> > +#define SIG_LENG 512
> > +
> > struct swsusp_info {
> > struct new_utsname uts;
> > u32 version_code;
> > @@ -11,6 +14,8 @@ struct swsusp_info {
> > unsigned long image_pages;
> > unsigned long pages;
> > unsigned long size;
> > + unsigned long skey_data_buf_pfn;
> > + u8 signature[SIG_LENG];
> > } __attribute__((aligned(PAGE_SIZE)));
>
> SIG_LEN or SIG_LENGTH. Select one.
>
I will use SIG_LEN at next version, thanks!
>
> > +static int
> > copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm)
> > {
> > struct zone *zone;
> > - unsigned long pfn;
> > + unsigned long pfn, dst_pfn;
> ...
> > + tfm = crypto_alloc_shash(SNAPSHOT_HASH, 0, 0);
> > + if (IS_ERR(tfm)) {
> > + pr_err("IS_ERR(tfm): %ld", PTR_ERR(tfm));
> > + return PTR_ERR(tfm);
> > + }
> > +
> > + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
> > + digest_size = crypto_shash_digestsize(tfm);
> > + digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
>
> Are you sure GFP_KERNEL allocation is okay at this phase of
> hibernation?
>
> Could the hashing be done at later phase, when writing the image to
> disk?
>
Thanks for you point out!
Yes, call memory allocate here is not a good design due to it causes
garbage in snapshot that will not released by resumed kernel.
I just finished another implementation, the respin patch extracts the
signature generation code to another function then call the function in
swsusp_save() after copy_data_pages() finished. We can write to memory
at that stage.
> >
> > +void **h_buf;
>
> helpfully named.
>
I will change the name to handle_buffers;
> > + ret = verify_signature(s4_wake_key, pks);
> > + if (ret) {
> > + pr_err("snapshot S4 signature verification fail: %d\n", ret);
> > + goto error_verify;
> > + } else
> > + pr_info("snapshot S4 signature verification pass!\n");
> > +
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > + kfree(pks);
>
> ret = 0 and fall through?
>
When verification success, verify_signature() will return 0.
Yes, here have duplicate code, I will clear up it.
> > + return 0;
> > +
> > +error_verify:
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > +error_mpi:
> > + kfree(pks);
> > + return ret;
> > +}
>
>
> > + ret = crypto_shash_final(desc, digest);
> > + if (ret)
> > + goto error_shash;
> > +
> > + ret = snapshot_verify_signature(digest, digest_size);
> > + if (ret)
> > + goto error_verify;
> > +
> > + kfree(h_buf);
> > + kfree(digest);
> > + crypto_free_shash(tfm);
> > + return 0;
>
> These four lines can be deleted.
>
Yes, here also duplicate, I will remove.
> > +
> > +error_verify:
> > +error_shash:
> > + kfree(h_buf);
> > + kfree(digest);
> > +error_digest:
> > + crypto_free_shash(tfm);
> > + return ret;
> > +}
> > +
> Pavel
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 12/18] Hibernate: generate and verify signature of snapshot
From: joeyli @ 2013-08-27 3:22 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825163648.GI5171@amd.pavel.ucw.cz>
Hi Pavel,
Thanks for your time to review my patches.
於 日,2013-08-25 於 18:36 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:51, Lee, Chun-Yi wrote:
> > This patch add the code for generate/verify signature of snapshot, it
> > put the signature to snapshot header. This approach can support both
> > on userspace hibernate and in-kernel hibernate.
> >
> > v2:
> > - Due to loaded S4 sign key before ExitBootServices, we need forward key from
> > boot kernel to resume target kernel. So this patch add a empty page in
> > snapshot image, then we keep the pfn of this empty page in snapshot header.
> > When system resume from hibernate, we fill new sign key to this empty page
> > space after snapshot image checked pass. This mechanism let boot kernel can
> > forward new sign key to resume target kernel but don't need write new private
> > key to any other storage, e.g. swap.
> >
> > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/power.h | 6 +
> > kernel/power/snapshot.c | 280 +++++++++++++++++++++++++++++++++++++++++++++-
> > kernel/power/swap.c | 14 +++
> > kernel/power/user.c | 9 ++
> > 4 files changed, 302 insertions(+), 7 deletions(-)
> >
> > diff --git a/kernel/power/power.h b/kernel/power/power.h
> > index 69a81d8..84e0b06 100644
> > --- a/kernel/power/power.h
> > +++ b/kernel/power/power.h
> > @@ -3,6 +3,9 @@
> > #include <linux/utsname.h>
> > #include <linux/freezer.h>
> >
> > +/* The maximum length of snapshot signature */
> > +#define SIG_LENG 512
> > +
> > struct swsusp_info {
> > struct new_utsname uts;
> > u32 version_code;
> > @@ -11,6 +14,8 @@ struct swsusp_info {
> > unsigned long image_pages;
> > unsigned long pages;
> > unsigned long size;
> > + unsigned long skey_data_buf_pfn;
> > + u8 signature[SIG_LENG];
> > } __attribute__((aligned(PAGE_SIZE)));
>
> SIG_LEN or SIG_LENGTH. Select one.
>
I will use SIG_LEN at next version, thanks!
>
> > +static int
> > copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm)
> > {
> > struct zone *zone;
> > - unsigned long pfn;
> > + unsigned long pfn, dst_pfn;
> ...
> > + tfm = crypto_alloc_shash(SNAPSHOT_HASH, 0, 0);
> > + if (IS_ERR(tfm)) {
> > + pr_err("IS_ERR(tfm): %ld", PTR_ERR(tfm));
> > + return PTR_ERR(tfm);
> > + }
> > +
> > + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
> > + digest_size = crypto_shash_digestsize(tfm);
> > + digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
>
> Are you sure GFP_KERNEL allocation is okay at this phase of
> hibernation?
>
> Could the hashing be done at later phase, when writing the image to
> disk?
>
Thanks for you point out!
Yes, call memory allocate here is not a good design due to it causes
garbage in snapshot that will not released by resumed kernel.
I just finished another implementation, the respin patch extracts the
signature generation code to another function then call the function in
swsusp_save() after copy_data_pages() finished. We can write to memory
at that stage.
> >
> > +void **h_buf;
>
> helpfully named.
>
I will change the name to handle_buffers;
> > + ret = verify_signature(s4_wake_key, pks);
> > + if (ret) {
> > + pr_err("snapshot S4 signature verification fail: %d\n", ret);
> > + goto error_verify;
> > + } else
> > + pr_info("snapshot S4 signature verification pass!\n");
> > +
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > + kfree(pks);
>
> ret = 0 and fall through?
>
When verification success, verify_signature() will return 0.
Yes, here have duplicate code, I will clear up it.
> > + return 0;
> > +
> > +error_verify:
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > +error_mpi:
> > + kfree(pks);
> > + return ret;
> > +}
>
>
> > + ret = crypto_shash_final(desc, digest);
> > + if (ret)
> > + goto error_shash;
> > +
> > + ret = snapshot_verify_signature(digest, digest_size);
> > + if (ret)
> > + goto error_verify;
> > +
> > + kfree(h_buf);
> > + kfree(digest);
> > + crypto_free_shash(tfm);
> > + return 0;
>
> These four lines can be deleted.
>
Yes, here also duplicate, I will remove.
> > +
> > +error_verify:
> > +error_shash:
> > + kfree(h_buf);
> > + kfree(digest);
> > +error_digest:
> > + crypto_free_shash(tfm);
> > + return ret;
> > +}
> > +
> Pavel
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 12/18] Hibernate: generate and verify signature of snapshot
From: joeyli @ 2013-08-27 3:22 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825163648.GI5171@amd.pavel.ucw.cz>
Hi Pavel,
Thanks for your time to review my patches.
於 日,2013-08-25 於 18:36 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:51, Lee, Chun-Yi wrote:
> > This patch add the code for generate/verify signature of snapshot, it
> > put the signature to snapshot header. This approach can support both
> > on userspace hibernate and in-kernel hibernate.
> >
> > v2:
> > - Due to loaded S4 sign key before ExitBootServices, we need forward key from
> > boot kernel to resume target kernel. So this patch add a empty page in
> > snapshot image, then we keep the pfn of this empty page in snapshot header.
> > When system resume from hibernate, we fill new sign key to this empty page
> > space after snapshot image checked pass. This mechanism let boot kernel can
> > forward new sign key to resume target kernel but don't need write new private
> > key to any other storage, e.g. swap.
> >
> > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/power.h | 6 +
> > kernel/power/snapshot.c | 280 +++++++++++++++++++++++++++++++++++++++++++++-
> > kernel/power/swap.c | 14 +++
> > kernel/power/user.c | 9 ++
> > 4 files changed, 302 insertions(+), 7 deletions(-)
> >
> > diff --git a/kernel/power/power.h b/kernel/power/power.h
> > index 69a81d8..84e0b06 100644
> > --- a/kernel/power/power.h
> > +++ b/kernel/power/power.h
> > @@ -3,6 +3,9 @@
> > #include <linux/utsname.h>
> > #include <linux/freezer.h>
> >
> > +/* The maximum length of snapshot signature */
> > +#define SIG_LENG 512
> > +
> > struct swsusp_info {
> > struct new_utsname uts;
> > u32 version_code;
> > @@ -11,6 +14,8 @@ struct swsusp_info {
> > unsigned long image_pages;
> > unsigned long pages;
> > unsigned long size;
> > + unsigned long skey_data_buf_pfn;
> > + u8 signature[SIG_LENG];
> > } __attribute__((aligned(PAGE_SIZE)));
>
> SIG_LEN or SIG_LENGTH. Select one.
>
I will use SIG_LEN at next version, thanks!
>
> > +static int
> > copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm)
> > {
> > struct zone *zone;
> > - unsigned long pfn;
> > + unsigned long pfn, dst_pfn;
> ...
> > + tfm = crypto_alloc_shash(SNAPSHOT_HASH, 0, 0);
> > + if (IS_ERR(tfm)) {
> > + pr_err("IS_ERR(tfm): %ld", PTR_ERR(tfm));
> > + return PTR_ERR(tfm);
> > + }
> > +
> > + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
> > + digest_size = crypto_shash_digestsize(tfm);
> > + digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
>
> Are you sure GFP_KERNEL allocation is okay at this phase of
> hibernation?
>
> Could the hashing be done at later phase, when writing the image to
> disk?
>
Thanks for you point out!
Yes, call memory allocate here is not a good design due to it causes
garbage in snapshot that will not released by resumed kernel.
I just finished another implementation, the respin patch extracts the
signature generation code to another function then call the function in
swsusp_save() after copy_data_pages() finished. We can write to memory
at that stage.
> >
> > +void **h_buf;
>
> helpfully named.
>
I will change the name to handle_buffers;
> > + ret = verify_signature(s4_wake_key, pks);
> > + if (ret) {
> > + pr_err("snapshot S4 signature verification fail: %d\n", ret);
> > + goto error_verify;
> > + } else
> > + pr_info("snapshot S4 signature verification pass!\n");
> > +
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > + kfree(pks);
>
> ret = 0 and fall through?
>
When verification success, verify_signature() will return 0.
Yes, here have duplicate code, I will clear up it.
> > + return 0;
> > +
> > +error_verify:
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > +error_mpi:
> > + kfree(pks);
> > + return ret;
> > +}
>
>
> > + ret = crypto_shash_final(desc, digest);
> > + if (ret)
> > + goto error_shash;
> > +
> > + ret = snapshot_verify_signature(digest, digest_size);
> > + if (ret)
> > + goto error_verify;
> > +
> > + kfree(h_buf);
> > + kfree(digest);
> > + crypto_free_shash(tfm);
> > + return 0;
>
> These four lines can be deleted.
>
Yes, here also duplicate, I will remove.
> > +
> > +error_verify:
> > +error_shash:
> > + kfree(h_buf);
> > + kfree(digest);
> > +error_digest:
> > + crypto_free_shash(tfm);
> > + return ret;
> > +}
> > +
> Pavel
Thanks a lot!
Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply
* Re: [PATCH 12/18] Hibernate: generate and verify signature of snapshot
From: joeyli @ 2013-08-27 3:22 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825163648.GI5171@amd.pavel.ucw.cz>
Hi Pavel,
Thanks for your time to review my patches.
於 日,2013-08-25 於 18:36 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:51, Lee, Chun-Yi wrote:
> > This patch add the code for generate/verify signature of snapshot, it
> > put the signature to snapshot header. This approach can support both
> > on userspace hibernate and in-kernel hibernate.
> >
> > v2:
> > - Due to loaded S4 sign key before ExitBootServices, we need forward key from
> > boot kernel to resume target kernel. So this patch add a empty page in
> > snapshot image, then we keep the pfn of this empty page in snapshot header.
> > When system resume from hibernate, we fill new sign key to this empty page
> > space after snapshot image checked pass. This mechanism let boot kernel can
> > forward new sign key to resume target kernel but don't need write new private
> > key to any other storage, e.g. swap.
> >
> > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/power.h | 6 +
> > kernel/power/snapshot.c | 280 +++++++++++++++++++++++++++++++++++++++++++++-
> > kernel/power/swap.c | 14 +++
> > kernel/power/user.c | 9 ++
> > 4 files changed, 302 insertions(+), 7 deletions(-)
> >
> > diff --git a/kernel/power/power.h b/kernel/power/power.h
> > index 69a81d8..84e0b06 100644
> > --- a/kernel/power/power.h
> > +++ b/kernel/power/power.h
> > @@ -3,6 +3,9 @@
> > #include <linux/utsname.h>
> > #include <linux/freezer.h>
> >
> > +/* The maximum length of snapshot signature */
> > +#define SIG_LENG 512
> > +
> > struct swsusp_info {
> > struct new_utsname uts;
> > u32 version_code;
> > @@ -11,6 +14,8 @@ struct swsusp_info {
> > unsigned long image_pages;
> > unsigned long pages;
> > unsigned long size;
> > + unsigned long skey_data_buf_pfn;
> > + u8 signature[SIG_LENG];
> > } __attribute__((aligned(PAGE_SIZE)));
>
> SIG_LEN or SIG_LENGTH. Select one.
>
I will use SIG_LEN at next version, thanks!
>
> > +static int
> > copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm)
> > {
> > struct zone *zone;
> > - unsigned long pfn;
> > + unsigned long pfn, dst_pfn;
> ...
> > + tfm = crypto_alloc_shash(SNAPSHOT_HASH, 0, 0);
> > + if (IS_ERR(tfm)) {
> > + pr_err("IS_ERR(tfm): %ld", PTR_ERR(tfm));
> > + return PTR_ERR(tfm);
> > + }
> > +
> > + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
> > + digest_size = crypto_shash_digestsize(tfm);
> > + digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
>
> Are you sure GFP_KERNEL allocation is okay at this phase of
> hibernation?
>
> Could the hashing be done at later phase, when writing the image to
> disk?
>
Thanks for you point out!
Yes, call memory allocate here is not a good design due to it causes
garbage in snapshot that will not released by resumed kernel.
I just finished another implementation, the respin patch extracts the
signature generation code to another function then call the function in
swsusp_save() after copy_data_pages() finished. We can write to memory
at that stage.
> >
> > +void **h_buf;
>
> helpfully named.
>
I will change the name to handle_buffers;
> > + ret = verify_signature(s4_wake_key, pks);
> > + if (ret) {
> > + pr_err("snapshot S4 signature verification fail: %d\n", ret);
> > + goto error_verify;
> > + } else
> > + pr_info("snapshot S4 signature verification pass!\n");
> > +
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > + kfree(pks);
>
> ret = 0 and fall through?
>
When verification success, verify_signature() will return 0.
Yes, here have duplicate code, I will clear up it.
> > + return 0;
> > +
> > +error_verify:
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > +error_mpi:
> > + kfree(pks);
> > + return ret;
> > +}
>
>
> > + ret = crypto_shash_final(desc, digest);
> > + if (ret)
> > + goto error_shash;
> > +
> > + ret = snapshot_verify_signature(digest, digest_size);
> > + if (ret)
> > + goto error_verify;
> > +
> > + kfree(h_buf);
> > + kfree(digest);
> > + crypto_free_shash(tfm);
> > + return 0;
>
> These four lines can be deleted.
>
Yes, here also duplicate, I will remove.
> > +
> > +error_verify:
> > +error_shash:
> > + kfree(h_buf);
> > + kfree(digest);
> > +error_digest:
> > + crypto_free_shash(tfm);
> > + return ret;
> > +}
> > +
> Pavel
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 12/18] Hibernate: generate and verify signature of snapshot
From: joeyli @ 2013-08-27 3:22 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825163648.GI5171@amd.pavel.ucw.cz>
Hi Pavel,
Thanks for your time to review my patches.
於 日,2013-08-25 於 18:36 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:51, Lee, Chun-Yi wrote:
> > This patch add the code for generate/verify signature of snapshot, it
> > put the signature to snapshot header. This approach can support both
> > on userspace hibernate and in-kernel hibernate.
> >
> > v2:
> > - Due to loaded S4 sign key before ExitBootServices, we need forward key from
> > boot kernel to resume target kernel. So this patch add a empty page in
> > snapshot image, then we keep the pfn of this empty page in snapshot header.
> > When system resume from hibernate, we fill new sign key to this empty page
> > space after snapshot image checked pass. This mechanism let boot kernel can
> > forward new sign key to resume target kernel but don't need write new private
> > key to any other storage, e.g. swap.
> >
> > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/power.h | 6 +
> > kernel/power/snapshot.c | 280 +++++++++++++++++++++++++++++++++++++++++++++-
> > kernel/power/swap.c | 14 +++
> > kernel/power/user.c | 9 ++
> > 4 files changed, 302 insertions(+), 7 deletions(-)
> >
> > diff --git a/kernel/power/power.h b/kernel/power/power.h
> > index 69a81d8..84e0b06 100644
> > --- a/kernel/power/power.h
> > +++ b/kernel/power/power.h
> > @@ -3,6 +3,9 @@
> > #include <linux/utsname.h>
> > #include <linux/freezer.h>
> >
> > +/* The maximum length of snapshot signature */
> > +#define SIG_LENG 512
> > +
> > struct swsusp_info {
> > struct new_utsname uts;
> > u32 version_code;
> > @@ -11,6 +14,8 @@ struct swsusp_info {
> > unsigned long image_pages;
> > unsigned long pages;
> > unsigned long size;
> > + unsigned long skey_data_buf_pfn;
> > + u8 signature[SIG_LENG];
> > } __attribute__((aligned(PAGE_SIZE)));
>
> SIG_LEN or SIG_LENGTH. Select one.
>
I will use SIG_LEN at next version, thanks!
>
> > +static int
> > copy_data_pages(struct memory_bitmap *copy_bm, struct memory_bitmap *orig_bm)
> > {
> > struct zone *zone;
> > - unsigned long pfn;
> > + unsigned long pfn, dst_pfn;
> ...
> > + tfm = crypto_alloc_shash(SNAPSHOT_HASH, 0, 0);
> > + if (IS_ERR(tfm)) {
> > + pr_err("IS_ERR(tfm): %ld", PTR_ERR(tfm));
> > + return PTR_ERR(tfm);
> > + }
> > +
> > + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
> > + digest_size = crypto_shash_digestsize(tfm);
> > + digest = kzalloc(digest_size + desc_size, GFP_KERNEL);
>
> Are you sure GFP_KERNEL allocation is okay at this phase of
> hibernation?
>
> Could the hashing be done at later phase, when writing the image to
> disk?
>
Thanks for you point out!
Yes, call memory allocate here is not a good design due to it causes
garbage in snapshot that will not released by resumed kernel.
I just finished another implementation, the respin patch extracts the
signature generation code to another function then call the function in
swsusp_save() after copy_data_pages() finished. We can write to memory
at that stage.
> >
> > +void **h_buf;
>
> helpfully named.
>
I will change the name to handle_buffers;
> > + ret = verify_signature(s4_wake_key, pks);
> > + if (ret) {
> > + pr_err("snapshot S4 signature verification fail: %d\n", ret);
> > + goto error_verify;
> > + } else
> > + pr_info("snapshot S4 signature verification pass!\n");
> > +
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > + kfree(pks);
>
> ret = 0 and fall through?
>
When verification success, verify_signature() will return 0.
Yes, here have duplicate code, I will clear up it.
> > + return 0;
> > +
> > +error_verify:
> > + if (pks->rsa.s)
> > + mpi_free(pks->rsa.s);
> > +error_mpi:
> > + kfree(pks);
> > + return ret;
> > +}
>
>
> > + ret = crypto_shash_final(desc, digest);
> > + if (ret)
> > + goto error_shash;
> > +
> > + ret = snapshot_verify_signature(digest, digest_size);
> > + if (ret)
> > + goto error_verify;
> > +
> > + kfree(h_buf);
> > + kfree(digest);
> > + crypto_free_shash(tfm);
> > + return 0;
>
> These four lines can be deleted.
>
Yes, here also duplicate, I will remove.
> > +
> > +error_verify:
> > +error_shash:
> > + kfree(h_buf);
> > + kfree(digest);
> > +error_digest:
> > + crypto_free_shash(tfm);
> > + return ret;
> > +}
> > +
> Pavel
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 13/18] Hibernate: Avoid S4 sign key data included in snapshot image
From: joeyli @ 2013-08-27 8:33 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825163931.GJ5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:39 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:52, Lee, Chun-Yi wrote:
> > This patch add swsusp_page_is_sign_key() method to hibernate_key.c and
> > check the page is S4 sign key data when collect saveable page in
> > snapshot.c to avoid sign key data included in snapshot image.
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/snapshot.c | 6 ++++++
> > 1 files changed, 6 insertions(+), 0 deletions(-)
> >
> > diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
> > index 72e2911..9e4c94b 100644
> > --- a/kernel/power/snapshot.c
> > +++ b/kernel/power/snapshot.c
> > @@ -860,6 +860,9 @@ static struct page *saveable_highmem_page(struct zone *zone, unsigned long pfn)
> >
> > BUG_ON(!PageHighMem(page));
> >
> > + if (swsusp_page_is_sign_key(page))
> > + return NULL;
> > +
> > if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page) ||
> > PageReserved(page))
> > return NULL;
>
> Just do set_page_forbidden() on your page?
Before call swsusp_unset_page_forbidden(), we need make sure the
create_basic_memory_bitmaps() function already called to initial
forbidden_pages_map. That means need careful the timing, otherwise the
page of private key will not register to forbidden pages map.
So, I choice to refuse the page of private key when snapshot finding
which page is saveable. It has clearer code and we don't need worry the
future change of hibernate.c or user.c for when they call
create_basic_memory_bitmaps() and when the code clear forbidden pages
map.
Thanks a lot!
Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply
* Re: [PATCH 13/18] Hibernate: Avoid S4 sign key data included in snapshot image
From: joeyli @ 2013-08-27 8:33 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
linux-security-module-u79uwXL29TY76Z2rM5mHXA,
linux-efi-u79uwXL29TY76Z2rM5mHXA, linux-pm-u79uwXL29TY76Z2rM5mHXA,
linux-crypto-u79uwXL29TY76Z2rM5mHXA,
opensuse-kernel-stAJ6ESoqRxg9hUCZPvPmw, David Howells,
Rafael J. Wysocki, Matthew Garrett, Len Brown, Josh Boyer,
Vojtech Pavlik, Matt Fleming, James Bottomley, Greg KH,
JKosina-IBi9RG/b67k, Rusty Russell, Herbert Xu, David S. Miller,
H. Peter Anvin, Michal Marek, Gary Lin, Vivek Goyal
In-Reply-To: <20130825163931.GJ5171-tWAi6jLit6GreWDznjuHag@public.gmane.org>
於 日,2013-08-25 於 18:39 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:52, Lee, Chun-Yi wrote:
> > This patch add swsusp_page_is_sign_key() method to hibernate_key.c and
> > check the page is S4 sign key data when collect saveable page in
> > snapshot.c to avoid sign key data included in snapshot image.
> >
> > Reviewed-by: Jiri Kosina <jkosina-AlSwsSmVLrQ@public.gmane.org>
> > Signed-off-by: Lee, Chun-Yi <jlee-IBi9RG/b67k@public.gmane.org>
> > ---
> > kernel/power/snapshot.c | 6 ++++++
> > 1 files changed, 6 insertions(+), 0 deletions(-)
> >
> > diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
> > index 72e2911..9e4c94b 100644
> > --- a/kernel/power/snapshot.c
> > +++ b/kernel/power/snapshot.c
> > @@ -860,6 +860,9 @@ static struct page *saveable_highmem_page(struct zone *zone, unsigned long pfn)
> >
> > BUG_ON(!PageHighMem(page));
> >
> > + if (swsusp_page_is_sign_key(page))
> > + return NULL;
> > +
> > if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page) ||
> > PageReserved(page))
> > return NULL;
>
> Just do set_page_forbidden() on your page?
Before call swsusp_unset_page_forbidden(), we need make sure the
create_basic_memory_bitmaps() function already called to initial
forbidden_pages_map. That means need careful the timing, otherwise the
page of private key will not register to forbidden pages map.
So, I choice to refuse the page of private key when snapshot finding
which page is saveable. It has clearer code and we don't need worry the
future change of hibernate.c or user.c for when they call
create_basic_memory_bitmaps() and when the code clear forbidden pages
map.
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 13/18] Hibernate: Avoid S4 sign key data included in snapshot image
From: joeyli @ 2013-08-27 8:33 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825163931.GJ5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:39 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:52, Lee, Chun-Yi wrote:
> > This patch add swsusp_page_is_sign_key() method to hibernate_key.c and
> > check the page is S4 sign key data when collect saveable page in
> > snapshot.c to avoid sign key data included in snapshot image.
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/snapshot.c | 6 ++++++
> > 1 files changed, 6 insertions(+), 0 deletions(-)
> >
> > diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
> > index 72e2911..9e4c94b 100644
> > --- a/kernel/power/snapshot.c
> > +++ b/kernel/power/snapshot.c
> > @@ -860,6 +860,9 @@ static struct page *saveable_highmem_page(struct zone *zone, unsigned long pfn)
> >
> > BUG_ON(!PageHighMem(page));
> >
> > + if (swsusp_page_is_sign_key(page))
> > + return NULL;
> > +
> > if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page) ||
> > PageReserved(page))
> > return NULL;
>
> Just do set_page_forbidden() on your page?
Before call swsusp_unset_page_forbidden(), we need make sure the
create_basic_memory_bitmaps() function already called to initial
forbidden_pages_map. That means need careful the timing, otherwise the
page of private key will not register to forbidden pages map.
So, I choice to refuse the page of private key when snapshot finding
which page is saveable. It has clearer code and we don't need worry the
future change of hibernate.c or user.c for when they call
create_basic_memory_bitmaps() and when the code clear forbidden pages
map.
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 13/18] Hibernate: Avoid S4 sign key data included in snapshot image
From: joeyli @ 2013-08-27 8:33 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825163931.GJ5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:39 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:52, Lee, Chun-Yi wrote:
> > This patch add swsusp_page_is_sign_key() method to hibernate_key.c and
> > check the page is S4 sign key data when collect saveable page in
> > snapshot.c to avoid sign key data included in snapshot image.
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/snapshot.c | 6 ++++++
> > 1 files changed, 6 insertions(+), 0 deletions(-)
> >
> > diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
> > index 72e2911..9e4c94b 100644
> > --- a/kernel/power/snapshot.c
> > +++ b/kernel/power/snapshot.c
> > @@ -860,6 +860,9 @@ static struct page *saveable_highmem_page(struct zone *zone, unsigned long pfn)
> >
> > BUG_ON(!PageHighMem(page));
> >
> > + if (swsusp_page_is_sign_key(page))
> > + return NULL;
> > +
> > if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page) ||
> > PageReserved(page))
> > return NULL;
>
> Just do set_page_forbidden() on your page?
Before call swsusp_unset_page_forbidden(), we need make sure the
create_basic_memory_bitmaps() function already called to initial
forbidden_pages_map. That means need careful the timing, otherwise the
page of private key will not register to forbidden pages map.
So, I choice to refuse the page of private key when snapshot finding
which page is saveable. It has clearer code and we don't need worry the
future change of hibernate.c or user.c for when they call
create_basic_memory_bitmaps() and when the code clear forbidden pages
map.
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 13/18] Hibernate: Avoid S4 sign key data included in snapshot image
From: joeyli @ 2013-08-27 8:33 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825163931.GJ5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:39 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:52, Lee, Chun-Yi wrote:
> > This patch add swsusp_page_is_sign_key() method to hibernate_key.c and
> > check the page is S4 sign key data when collect saveable page in
> > snapshot.c to avoid sign key data included in snapshot image.
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/snapshot.c | 6 ++++++
> > 1 files changed, 6 insertions(+), 0 deletions(-)
> >
> > diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
> > index 72e2911..9e4c94b 100644
> > --- a/kernel/power/snapshot.c
> > +++ b/kernel/power/snapshot.c
> > @@ -860,6 +860,9 @@ static struct page *saveable_highmem_page(struct zone *zone, unsigned long pfn)
> >
> > BUG_ON(!PageHighMem(page));
> >
> > + if (swsusp_page_is_sign_key(page))
> > + return NULL;
> > +
> > if (swsusp_page_is_forbidden(page) || swsusp_page_is_free(page) ||
> > PageReserved(page))
> > return NULL;
>
> Just do set_page_forbidden() on your page?
Before call swsusp_unset_page_forbidden(), we need make sure the
create_basic_memory_bitmaps() function already called to initial
forbidden_pages_map. That means need careful the timing, otherwise the
page of private key will not register to forbidden pages map.
So, I choice to refuse the page of private key when snapshot finding
which page is saveable. It has clearer code and we don't need worry the
future change of hibernate.c or user.c for when they call
create_basic_memory_bitmaps() and when the code clear forbidden pages
map.
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 03/18] asymmetric keys: separate the length checking of octet string from RSA_I2OSP
From: Jiri Kosina @ 2013-08-27 8:36 UTC (permalink / raw)
To: Pavel Machek
Cc: joeyli, linux-kernel-u79uwXL29TY76Z2rM5mHXA,
linux-security-module-u79uwXL29TY76Z2rM5mHXA,
linux-efi-u79uwXL29TY76Z2rM5mHXA, linux-pm-u79uwXL29TY76Z2rM5mHXA,
linux-crypto-u79uwXL29TY76Z2rM5mHXA,
opensuse-kernel-stAJ6ESoqRxg9hUCZPvPmw, David Howells,
Rafael J. Wysocki, Matthew Garrett, Len Brown, Josh Boyer,
Vojtech Pavlik, Matt Fleming, James Bottomley, Greg KH,
Rusty Russell, Herbert Xu, David S. Miller, H. Peter Anvin,
Michal Marek, Gary Lin, Vivek Goyal
In-Reply-To: <20130826112737.GA18300-tWAi6jLit6GreWDznjuHag@public.gmane.org>
On Mon, 26 Aug 2013, Pavel Machek wrote:
> > > > Due to RSA_I2OSP is not only used by signature verification path but also used
> > > > in signature generation path. So, separate the length checking of octet string
> > > > because it's not for generate 0x00 0x01 leading string when used in signature
> > > > generation.
> > > >
> > > > Reviewed-by: Jiri Kosina <jkosina-AlSwsSmVLrQ@public.gmane.org>
> > > > Signed-off-by: Lee, Chun-Yi <jlee-IBi9RG/b67k@public.gmane.org>
> > >
> > > > +static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X)
> > > > +{
> > > > + unsigned x_size;
> > > > + unsigned X_size;
> > > > + u8 *X = NULL;
> > >
> > > Is this kernel code or entry into obfuscated C code contest? This is not funny.
> > >
> > The small "x" is the input integer that will transfer to big "X" that is
> > a octet sting.
> >
> > Sorry for I direct give variable name to match with spec, maybe I need
> > use big_X or....
>
> Having variables that differ only in case is confusing. Actually
> RSA_I2OSP is not a good name for function, either.
>
> If it converts x into X, perhaps you can name one input and second output?
The variable naming is according to spec, and I believe it makes sense to
keep it so, no matter how stupid the naming in the spec might be.
Otherwise you have to do mental remapping when looking at the code and the
spec at the same time, which is very inconvenient.
Would a comment next to the variable declaration, that would point this
fact out, be satisfactory for you?
--
Jiri Kosina
SUSE Labs
^ permalink raw reply
* Re: [PATCH 11/18] Hibernate: introduced RSA key-pair to verify signature of snapshot
From: joeyli @ 2013-08-27 9:04 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
linux-security-module-u79uwXL29TY76Z2rM5mHXA,
linux-efi-u79uwXL29TY76Z2rM5mHXA, linux-pm-u79uwXL29TY76Z2rM5mHXA,
linux-crypto-u79uwXL29TY76Z2rM5mHXA,
opensuse-kernel-stAJ6ESoqRxg9hUCZPvPmw, David Howells,
Rafael J. Wysocki, Matthew Garrett, Len Brown, Josh Boyer,
Vojtech Pavlik, Matt Fleming, James Bottomley, Greg KH,
JKosina-IBi9RG/b67k, Rusty Russell, Herbert Xu, David S. Miller,
H. Peter Anvin, Michal Marek, Gary Lin, Vivek Goyal, Takashi Iwai
In-Reply-To: <20130825162554.GH5171-tWAi6jLit6GreWDznjuHag@public.gmane.org>
Hi Pavel,
於 日,2013-08-25 於 18:25 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:50, Lee, Chun-Yi wrote:
> > Introduced a hibernate_key.c file to query the key pair from EFI variables
> > and maintain key pair for check signature of S4 snapshot image. We
> > loaded the private key when snapshot image stored success.
> >
> > This patch introduced 2 EFI variables for store the key to sign S4 image and
> > verify signature when S4 wake up. The names and GUID are:
> > S4SignKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> > S4WakeKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> >
> > S4SignKey is used by EFI bootloader to pass the RSA private key that packaged
> > by PKCS#8 format, kernel will read and parser it when system boot and reload
> > it when S4 resume. EFI bootloader need gnerate a new private key when every
> > time system boot.
> >
> > S4WakeKey is used to pass the RSA public key that packaged by X.509
> > certificate, kernel will read and parser it for check the signature of
> > S4 snapshot image when S4 resume.
> >
> > The follow-up patch will remove S4SignKey and S4WakeKey after load them
> > to kernel for avoid anyone can access it through efivarfs.
> >
> > v3:
> > - Load S4 sign key before ExitBootServices.
> > Load private key before ExitBootServices() then bootloader doesn't need
> > generate key-pair for each booting:
> > + Add setup_s4_keys() to eboot.c to load S4 sign key before ExitBootServices.
> > + Reserve the memory block of sign key data blob in efi.c
> > - In Makefile, moved hibernate_keys.o before hibernate.o for load S4 sign
> > key before check hibernate image. It makes sure the new sign key will be
> > transfer to resume target kernel.
> > - Set "depends on EFI_STUB" in Kconfig
> >
> > v2:
> > Add CONFIG_SNAPSHOT_VERIFICATION for build of hibernate_keys.c depend on
> > Kconfig.
> >
> > Cc: Matthew Garrett <mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
> > Cc: Takashi Iwai <tiwai-l3A5Bk7waGM@public.gmane.org>
> > Reviewed-by: Jiri Kosina <jkosina-AlSwsSmVLrQ@public.gmane.org>
> > Signed-off-by: Lee, Chun-Yi <jlee-IBi9RG/b67k@public.gmane.org>
>
>
> > --- a/arch/x86/boot/compressed/eboot.c
> > +++ b/arch/x86/boot/compressed/eboot.c
> > @@ -368,6 +368,91 @@ free_handle:
> > return status;
> > }
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > +static efi_status_t setup_s4_keys(struct boot_params *params)
> > +{
> > + struct setup_data *data;
> > + unsigned long datasize;
> > + u32 attr;
> > + struct efi_s4_key *s4key;
> > + efi_status_t status;
> > +
> > + data = (struct setup_data *)(unsigned long)params->hdr.setup_data;
>
> A bit too many casts.
Thanks.
Yes, here is my mistake, I will remove "unsigned long" cast.
>
> > @@ -1205,6 +1290,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
> >
> > setup_efi_pci(boot_params);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + setup_s4_keys(boot_params);
> > +#endif
> > +
>
> Move ifdef inside the function?
OK, I will define a dummy function for non-verification situation.
>
> > @@ -729,6 +792,11 @@ void __init efi_init(void)
> >
> > set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + /* keep s4 key from setup_data */
> > + efi_reserve_s4_skey_data();
> > +#endif
> > +
>
> Here too.
>
I will also use dummy function here.
Thanks
Joey Lee
^ permalink raw reply
* Re: [PATCH 11/18] Hibernate: introduced RSA key-pair to verify signature of snapshot
From: joeyli @ 2013-08-27 9:04 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal, Takashi Iwai
In-Reply-To: <20130825162554.GH5171@amd.pavel.ucw.cz>
Hi Pavel,
於 日,2013-08-25 於 18:25 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:50, Lee, Chun-Yi wrote:
> > Introduced a hibernate_key.c file to query the key pair from EFI variables
> > and maintain key pair for check signature of S4 snapshot image. We
> > loaded the private key when snapshot image stored success.
> >
> > This patch introduced 2 EFI variables for store the key to sign S4 image and
> > verify signature when S4 wake up. The names and GUID are:
> > S4SignKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> > S4WakeKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> >
> > S4SignKey is used by EFI bootloader to pass the RSA private key that packaged
> > by PKCS#8 format, kernel will read and parser it when system boot and reload
> > it when S4 resume. EFI bootloader need gnerate a new private key when every
> > time system boot.
> >
> > S4WakeKey is used to pass the RSA public key that packaged by X.509
> > certificate, kernel will read and parser it for check the signature of
> > S4 snapshot image when S4 resume.
> >
> > The follow-up patch will remove S4SignKey and S4WakeKey after load them
> > to kernel for avoid anyone can access it through efivarfs.
> >
> > v3:
> > - Load S4 sign key before ExitBootServices.
> > Load private key before ExitBootServices() then bootloader doesn't need
> > generate key-pair for each booting:
> > + Add setup_s4_keys() to eboot.c to load S4 sign key before ExitBootServices.
> > + Reserve the memory block of sign key data blob in efi.c
> > - In Makefile, moved hibernate_keys.o before hibernate.o for load S4 sign
> > key before check hibernate image. It makes sure the new sign key will be
> > transfer to resume target kernel.
> > - Set "depends on EFI_STUB" in Kconfig
> >
> > v2:
> > Add CONFIG_SNAPSHOT_VERIFICATION for build of hibernate_keys.c depend on
> > Kconfig.
> >
> > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > Cc: Takashi Iwai <tiwai@suse.de>
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
>
>
> > --- a/arch/x86/boot/compressed/eboot.c
> > +++ b/arch/x86/boot/compressed/eboot.c
> > @@ -368,6 +368,91 @@ free_handle:
> > return status;
> > }
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > +static efi_status_t setup_s4_keys(struct boot_params *params)
> > +{
> > + struct setup_data *data;
> > + unsigned long datasize;
> > + u32 attr;
> > + struct efi_s4_key *s4key;
> > + efi_status_t status;
> > +
> > + data = (struct setup_data *)(unsigned long)params->hdr.setup_data;
>
> A bit too many casts.
Thanks.
Yes, here is my mistake, I will remove "unsigned long" cast.
>
> > @@ -1205,6 +1290,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
> >
> > setup_efi_pci(boot_params);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + setup_s4_keys(boot_params);
> > +#endif
> > +
>
> Move ifdef inside the function?
OK, I will define a dummy function for non-verification situation.
>
> > @@ -729,6 +792,11 @@ void __init efi_init(void)
> >
> > set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + /* keep s4 key from setup_data */
> > + efi_reserve_s4_skey_data();
> > +#endif
> > +
>
> Here too.
>
I will also use dummy function here.
Thanks
Joey Lee
^ permalink raw reply
* Re: [PATCH 11/18] Hibernate: introduced RSA key-pair to verify signature of snapshot
From: joeyli @ 2013-08-27 9:04 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal, Takashi Iwai
In-Reply-To: <20130825162554.GH5171@amd.pavel.ucw.cz>
Hi Pavel,
於 日,2013-08-25 於 18:25 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:50, Lee, Chun-Yi wrote:
> > Introduced a hibernate_key.c file to query the key pair from EFI variables
> > and maintain key pair for check signature of S4 snapshot image. We
> > loaded the private key when snapshot image stored success.
> >
> > This patch introduced 2 EFI variables for store the key to sign S4 image and
> > verify signature when S4 wake up. The names and GUID are:
> > S4SignKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> > S4WakeKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> >
> > S4SignKey is used by EFI bootloader to pass the RSA private key that packaged
> > by PKCS#8 format, kernel will read and parser it when system boot and reload
> > it when S4 resume. EFI bootloader need gnerate a new private key when every
> > time system boot.
> >
> > S4WakeKey is used to pass the RSA public key that packaged by X.509
> > certificate, kernel will read and parser it for check the signature of
> > S4 snapshot image when S4 resume.
> >
> > The follow-up patch will remove S4SignKey and S4WakeKey after load them
> > to kernel for avoid anyone can access it through efivarfs.
> >
> > v3:
> > - Load S4 sign key before ExitBootServices.
> > Load private key before ExitBootServices() then bootloader doesn't need
> > generate key-pair for each booting:
> > + Add setup_s4_keys() to eboot.c to load S4 sign key before ExitBootServices.
> > + Reserve the memory block of sign key data blob in efi.c
> > - In Makefile, moved hibernate_keys.o before hibernate.o for load S4 sign
> > key before check hibernate image. It makes sure the new sign key will be
> > transfer to resume target kernel.
> > - Set "depends on EFI_STUB" in Kconfig
> >
> > v2:
> > Add CONFIG_SNAPSHOT_VERIFICATION for build of hibernate_keys.c depend on
> > Kconfig.
> >
> > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > Cc: Takashi Iwai <tiwai@suse.de>
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
>
>
> > --- a/arch/x86/boot/compressed/eboot.c
> > +++ b/arch/x86/boot/compressed/eboot.c
> > @@ -368,6 +368,91 @@ free_handle:
> > return status;
> > }
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > +static efi_status_t setup_s4_keys(struct boot_params *params)
> > +{
> > + struct setup_data *data;
> > + unsigned long datasize;
> > + u32 attr;
> > + struct efi_s4_key *s4key;
> > + efi_status_t status;
> > +
> > + data = (struct setup_data *)(unsigned long)params->hdr.setup_data;
>
> A bit too many casts.
Thanks.
Yes, here is my mistake, I will remove "unsigned long" cast.
>
> > @@ -1205,6 +1290,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
> >
> > setup_efi_pci(boot_params);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + setup_s4_keys(boot_params);
> > +#endif
> > +
>
> Move ifdef inside the function?
OK, I will define a dummy function for non-verification situation.
>
> > @@ -729,6 +792,11 @@ void __init efi_init(void)
> >
> > set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + /* keep s4 key from setup_data */
> > + efi_reserve_s4_skey_data();
> > +#endif
> > +
>
> Here too.
>
I will also use dummy function here.
Thanks
Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply
* Re: [PATCH 11/18] Hibernate: introduced RSA key-pair to verify signature of snapshot
From: joeyli @ 2013-08-27 9:04 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal, Takashi Iwai
In-Reply-To: <20130825162554.GH5171@amd.pavel.ucw.cz>
Hi Pavel,
於 日,2013-08-25 於 18:25 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:50, Lee, Chun-Yi wrote:
> > Introduced a hibernate_key.c file to query the key pair from EFI variables
> > and maintain key pair for check signature of S4 snapshot image. We
> > loaded the private key when snapshot image stored success.
> >
> > This patch introduced 2 EFI variables for store the key to sign S4 image and
> > verify signature when S4 wake up. The names and GUID are:
> > S4SignKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> > S4WakeKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> >
> > S4SignKey is used by EFI bootloader to pass the RSA private key that packaged
> > by PKCS#8 format, kernel will read and parser it when system boot and reload
> > it when S4 resume. EFI bootloader need gnerate a new private key when every
> > time system boot.
> >
> > S4WakeKey is used to pass the RSA public key that packaged by X.509
> > certificate, kernel will read and parser it for check the signature of
> > S4 snapshot image when S4 resume.
> >
> > The follow-up patch will remove S4SignKey and S4WakeKey after load them
> > to kernel for avoid anyone can access it through efivarfs.
> >
> > v3:
> > - Load S4 sign key before ExitBootServices.
> > Load private key before ExitBootServices() then bootloader doesn't need
> > generate key-pair for each booting:
> > + Add setup_s4_keys() to eboot.c to load S4 sign key before ExitBootServices.
> > + Reserve the memory block of sign key data blob in efi.c
> > - In Makefile, moved hibernate_keys.o before hibernate.o for load S4 sign
> > key before check hibernate image. It makes sure the new sign key will be
> > transfer to resume target kernel.
> > - Set "depends on EFI_STUB" in Kconfig
> >
> > v2:
> > Add CONFIG_SNAPSHOT_VERIFICATION for build of hibernate_keys.c depend on
> > Kconfig.
> >
> > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > Cc: Takashi Iwai <tiwai@suse.de>
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
>
>
> > --- a/arch/x86/boot/compressed/eboot.c
> > +++ b/arch/x86/boot/compressed/eboot.c
> > @@ -368,6 +368,91 @@ free_handle:
> > return status;
> > }
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > +static efi_status_t setup_s4_keys(struct boot_params *params)
> > +{
> > + struct setup_data *data;
> > + unsigned long datasize;
> > + u32 attr;
> > + struct efi_s4_key *s4key;
> > + efi_status_t status;
> > +
> > + data = (struct setup_data *)(unsigned long)params->hdr.setup_data;
>
> A bit too many casts.
Thanks.
Yes, here is my mistake, I will remove "unsigned long" cast.
>
> > @@ -1205,6 +1290,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
> >
> > setup_efi_pci(boot_params);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + setup_s4_keys(boot_params);
> > +#endif
> > +
>
> Move ifdef inside the function?
OK, I will define a dummy function for non-verification situation.
>
> > @@ -729,6 +792,11 @@ void __init efi_init(void)
> >
> > set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + /* keep s4 key from setup_data */
> > + efi_reserve_s4_skey_data();
> > +#endif
> > +
>
> Here too.
>
I will also use dummy function here.
Thanks
Joey Lee
^ permalink raw reply
* Re: [PATCH 11/18] Hibernate: introduced RSA key-pair to verify signature of snapshot
From: joeyli @ 2013-08-27 9:04 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal, Takashi Iwai
In-Reply-To: <20130825162554.GH5171@amd.pavel.ucw.cz>
Hi Pavel,
於 日,2013-08-25 於 18:25 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:50, Lee, Chun-Yi wrote:
> > Introduced a hibernate_key.c file to query the key pair from EFI variables
> > and maintain key pair for check signature of S4 snapshot image. We
> > loaded the private key when snapshot image stored success.
> >
> > This patch introduced 2 EFI variables for store the key to sign S4 image and
> > verify signature when S4 wake up. The names and GUID are:
> > S4SignKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> > S4WakeKey-fe141863-c070-478e-b8a3-878a5dc9ef21
> >
> > S4SignKey is used by EFI bootloader to pass the RSA private key that packaged
> > by PKCS#8 format, kernel will read and parser it when system boot and reload
> > it when S4 resume. EFI bootloader need gnerate a new private key when every
> > time system boot.
> >
> > S4WakeKey is used to pass the RSA public key that packaged by X.509
> > certificate, kernel will read and parser it for check the signature of
> > S4 snapshot image when S4 resume.
> >
> > The follow-up patch will remove S4SignKey and S4WakeKey after load them
> > to kernel for avoid anyone can access it through efivarfs.
> >
> > v3:
> > - Load S4 sign key before ExitBootServices.
> > Load private key before ExitBootServices() then bootloader doesn't need
> > generate key-pair for each booting:
> > + Add setup_s4_keys() to eboot.c to load S4 sign key before ExitBootServices.
> > + Reserve the memory block of sign key data blob in efi.c
> > - In Makefile, moved hibernate_keys.o before hibernate.o for load S4 sign
> > key before check hibernate image. It makes sure the new sign key will be
> > transfer to resume target kernel.
> > - Set "depends on EFI_STUB" in Kconfig
> >
> > v2:
> > Add CONFIG_SNAPSHOT_VERIFICATION for build of hibernate_keys.c depend on
> > Kconfig.
> >
> > Cc: Matthew Garrett <mjg59@srcf.ucam.org>
> > Cc: Takashi Iwai <tiwai@suse.de>
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
>
>
> > --- a/arch/x86/boot/compressed/eboot.c
> > +++ b/arch/x86/boot/compressed/eboot.c
> > @@ -368,6 +368,91 @@ free_handle:
> > return status;
> > }
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > +static efi_status_t setup_s4_keys(struct boot_params *params)
> > +{
> > + struct setup_data *data;
> > + unsigned long datasize;
> > + u32 attr;
> > + struct efi_s4_key *s4key;
> > + efi_status_t status;
> > +
> > + data = (struct setup_data *)(unsigned long)params->hdr.setup_data;
>
> A bit too many casts.
Thanks.
Yes, here is my mistake, I will remove "unsigned long" cast.
>
> > @@ -1205,6 +1290,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,
> >
> > setup_efi_pci(boot_params);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + setup_s4_keys(boot_params);
> > +#endif
> > +
>
> Move ifdef inside the function?
OK, I will define a dummy function for non-verification situation.
>
> > @@ -729,6 +792,11 @@ void __init efi_init(void)
> >
> > set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility);
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + /* keep s4 key from setup_data */
> > + efi_reserve_s4_skey_data();
> > +#endif
> > +
>
> Here too.
>
I will also use dummy function here.
Thanks
Joey Lee
^ permalink raw reply
* Re: [PATCH] kernel/padata.c: Register hotcpu notifier after initialization
From: Steffen Klassert @ 2013-08-27 9:30 UTC (permalink / raw)
To: Richard Weinberger; +Cc: linux-crypto, linux-kernel, herbert, gang.chen
In-Reply-To: <1377256353-7979-1-git-send-email-richard@nod.at>
On Fri, Aug 23, 2013 at 01:12:33PM +0200, Richard Weinberger wrote:
> padata_cpu_callback() takes pinst->lock, to avoid taking
> an uninitialized lock, register the notifier after it's
> initialization.
>
> Signed-off-by: Richard Weinberger <richard@nod.at>
Looks ok,
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
^ permalink raw reply
* Re: [PATCH 15/18] Hibernate: adapt to UEFI secure boot with signature check
From: joeyli @ 2013-08-27 10:14 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825164219.GK5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:42 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:54, Lee, Chun-Yi wrote:
> > In current solution, the snapshot signature check used the RSA key-pair
> > that are generated by bootloader(e.g. shim) and pass the key-pair to
> > kernel through EFI variables. I choice to binding the snapshot
> > signature check mechanism with UEFI secure boot for provide stronger
> > protection of hibernate. Current behavior is following:
> >
> > + UEFI Secure Boot ON, Kernel found key-pair from shim:
> > Will do the S4 signature check.
> >
> > + UEFI Secure Boot ON, Kernel didn't find key-pair from shim:
> > Will lock down S4 function.
> >
> > + UEFI Secure Boot OFF
> > Will NOT do the S4 signature check.
> > Ignore any keys from bootloader.
> >
> > v2:
> > Replace sign_key_data_loaded() by skey_data_available() to check sign key data
> > is available for hibernate.
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/hibernate.c | 36 +++++++++++++++++-
> > kernel/power/main.c | 11 +++++-
> > kernel/power/snapshot.c | 95 ++++++++++++++++++++++++++--------------------
> > kernel/power/swap.c | 4 +-
> > kernel/power/user.c | 11 +++++
> > 5 files changed, 112 insertions(+), 45 deletions(-)
> >
> > diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
> > index c545b15..0f19f3d 100644
> > --- a/kernel/power/hibernate.c
> > +++ b/kernel/power/hibernate.c
> > @@ -29,6 +29,7 @@
> > #include <linux/ctype.h>
> > #include <linux/genhd.h>
> > #include <linux/key.h>
> > +#include <linux/efi.h>
> >
> > #include "power.h"
> >
> > @@ -632,7 +633,14 @@ static void power_down(void)
> > int hibernate(void)
> > {
> > int error;
> > - int skey_error;
> > +
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> >
> > lock_system_sleep();
> > /* The snapshot device should not be opened while we're running */
> > @@ -799,6 +807,15 @@ static int software_resume(void)
> > if (error)
> > goto Unlock;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + mutex_unlock(&pm_mutex);
> > + return -EPERM;
> > + }
> > +
> > /* The snapshot device should not be opened while we're running */
> > if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
> > error = -EBUSY;
> > @@ -892,6 +909,15 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
> > int i;
> > char *start = buf;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (efi_enabled(EFI_SECURE_BOOT) && !skey_data_available()) {
> > +#else
> > + if (efi_enabled(EFI_SECURE_BOOT)) {
> > +#endif
> > + buf += sprintf(buf, "[%s]\n", "disabled");
> > + return buf-start;
> > + }
> > +
> > for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
> > if (!hibernation_modes[i])
> > continue;
> > @@ -926,6 +952,14 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
> > char *p;
> > int mode = HIBERNATION_INVALID;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> > +
> > p = memchr(buf, '\n', n);
> > len = p ? p - buf : n;
> >
>
> You clearly need some helper function.
> Pavel
>
I will use a help function to replace those ifdef block.
Thanks for your suggestion!
Joey Lee
^ permalink raw reply
* Re: [PATCH 15/18] Hibernate: adapt to UEFI secure boot with signature check
From: joeyli @ 2013-08-27 10:14 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
linux-security-module-u79uwXL29TY76Z2rM5mHXA,
linux-efi-u79uwXL29TY76Z2rM5mHXA, linux-pm-u79uwXL29TY76Z2rM5mHXA,
linux-crypto-u79uwXL29TY76Z2rM5mHXA,
opensuse-kernel-stAJ6ESoqRxg9hUCZPvPmw, David Howells,
Rafael J. Wysocki, Matthew Garrett, Len Brown, Josh Boyer,
Vojtech Pavlik, Matt Fleming, James Bottomley, Greg KH,
JKosina-IBi9RG/b67k, Rusty Russell, Herbert Xu, David S. Miller,
H. Peter Anvin, Michal Marek, Gary Lin, Vivek Goyal
In-Reply-To: <20130825164219.GK5171-tWAi6jLit6GreWDznjuHag@public.gmane.org>
於 日,2013-08-25 於 18:42 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:54, Lee, Chun-Yi wrote:
> > In current solution, the snapshot signature check used the RSA key-pair
> > that are generated by bootloader(e.g. shim) and pass the key-pair to
> > kernel through EFI variables. I choice to binding the snapshot
> > signature check mechanism with UEFI secure boot for provide stronger
> > protection of hibernate. Current behavior is following:
> >
> > + UEFI Secure Boot ON, Kernel found key-pair from shim:
> > Will do the S4 signature check.
> >
> > + UEFI Secure Boot ON, Kernel didn't find key-pair from shim:
> > Will lock down S4 function.
> >
> > + UEFI Secure Boot OFF
> > Will NOT do the S4 signature check.
> > Ignore any keys from bootloader.
> >
> > v2:
> > Replace sign_key_data_loaded() by skey_data_available() to check sign key data
> > is available for hibernate.
> >
> > Reviewed-by: Jiri Kosina <jkosina-AlSwsSmVLrQ@public.gmane.org>
> > Signed-off-by: Lee, Chun-Yi <jlee-IBi9RG/b67k@public.gmane.org>
> > ---
> > kernel/power/hibernate.c | 36 +++++++++++++++++-
> > kernel/power/main.c | 11 +++++-
> > kernel/power/snapshot.c | 95 ++++++++++++++++++++++++++--------------------
> > kernel/power/swap.c | 4 +-
> > kernel/power/user.c | 11 +++++
> > 5 files changed, 112 insertions(+), 45 deletions(-)
> >
> > diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
> > index c545b15..0f19f3d 100644
> > --- a/kernel/power/hibernate.c
> > +++ b/kernel/power/hibernate.c
> > @@ -29,6 +29,7 @@
> > #include <linux/ctype.h>
> > #include <linux/genhd.h>
> > #include <linux/key.h>
> > +#include <linux/efi.h>
> >
> > #include "power.h"
> >
> > @@ -632,7 +633,14 @@ static void power_down(void)
> > int hibernate(void)
> > {
> > int error;
> > - int skey_error;
> > +
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> >
> > lock_system_sleep();
> > /* The snapshot device should not be opened while we're running */
> > @@ -799,6 +807,15 @@ static int software_resume(void)
> > if (error)
> > goto Unlock;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + mutex_unlock(&pm_mutex);
> > + return -EPERM;
> > + }
> > +
> > /* The snapshot device should not be opened while we're running */
> > if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
> > error = -EBUSY;
> > @@ -892,6 +909,15 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
> > int i;
> > char *start = buf;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (efi_enabled(EFI_SECURE_BOOT) && !skey_data_available()) {
> > +#else
> > + if (efi_enabled(EFI_SECURE_BOOT)) {
> > +#endif
> > + buf += sprintf(buf, "[%s]\n", "disabled");
> > + return buf-start;
> > + }
> > +
> > for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
> > if (!hibernation_modes[i])
> > continue;
> > @@ -926,6 +952,14 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
> > char *p;
> > int mode = HIBERNATION_INVALID;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> > +
> > p = memchr(buf, '\n', n);
> > len = p ? p - buf : n;
> >
>
> You clearly need some helper function.
> Pavel
>
I will use a help function to replace those ifdef block.
Thanks for your suggestion!
Joey Lee
^ permalink raw reply
* Re: [PATCH 15/18] Hibernate: adapt to UEFI secure boot with signature check
From: joeyli @ 2013-08-27 10:14 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825164219.GK5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:42 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:54, Lee, Chun-Yi wrote:
> > In current solution, the snapshot signature check used the RSA key-pair
> > that are generated by bootloader(e.g. shim) and pass the key-pair to
> > kernel through EFI variables. I choice to binding the snapshot
> > signature check mechanism with UEFI secure boot for provide stronger
> > protection of hibernate. Current behavior is following:
> >
> > + UEFI Secure Boot ON, Kernel found key-pair from shim:
> > Will do the S4 signature check.
> >
> > + UEFI Secure Boot ON, Kernel didn't find key-pair from shim:
> > Will lock down S4 function.
> >
> > + UEFI Secure Boot OFF
> > Will NOT do the S4 signature check.
> > Ignore any keys from bootloader.
> >
> > v2:
> > Replace sign_key_data_loaded() by skey_data_available() to check sign key data
> > is available for hibernate.
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/hibernate.c | 36 +++++++++++++++++-
> > kernel/power/main.c | 11 +++++-
> > kernel/power/snapshot.c | 95 ++++++++++++++++++++++++++--------------------
> > kernel/power/swap.c | 4 +-
> > kernel/power/user.c | 11 +++++
> > 5 files changed, 112 insertions(+), 45 deletions(-)
> >
> > diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
> > index c545b15..0f19f3d 100644
> > --- a/kernel/power/hibernate.c
> > +++ b/kernel/power/hibernate.c
> > @@ -29,6 +29,7 @@
> > #include <linux/ctype.h>
> > #include <linux/genhd.h>
> > #include <linux/key.h>
> > +#include <linux/efi.h>
> >
> > #include "power.h"
> >
> > @@ -632,7 +633,14 @@ static void power_down(void)
> > int hibernate(void)
> > {
> > int error;
> > - int skey_error;
> > +
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> >
> > lock_system_sleep();
> > /* The snapshot device should not be opened while we're running */
> > @@ -799,6 +807,15 @@ static int software_resume(void)
> > if (error)
> > goto Unlock;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + mutex_unlock(&pm_mutex);
> > + return -EPERM;
> > + }
> > +
> > /* The snapshot device should not be opened while we're running */
> > if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
> > error = -EBUSY;
> > @@ -892,6 +909,15 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
> > int i;
> > char *start = buf;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (efi_enabled(EFI_SECURE_BOOT) && !skey_data_available()) {
> > +#else
> > + if (efi_enabled(EFI_SECURE_BOOT)) {
> > +#endif
> > + buf += sprintf(buf, "[%s]\n", "disabled");
> > + return buf-start;
> > + }
> > +
> > for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
> > if (!hibernation_modes[i])
> > continue;
> > @@ -926,6 +952,14 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
> > char *p;
> > int mode = HIBERNATION_INVALID;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> > +
> > p = memchr(buf, '\n', n);
> > len = p ? p - buf : n;
> >
>
> You clearly need some helper function.
> Pavel
>
I will use a help function to replace those ifdef block.
Thanks for your suggestion!
Joey Lee
^ permalink raw reply
* Re: [PATCH 15/18] Hibernate: adapt to UEFI secure boot with signature check
From: joeyli @ 2013-08-27 10:14 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825164219.GK5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:42 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:54, Lee, Chun-Yi wrote:
> > In current solution, the snapshot signature check used the RSA key-pair
> > that are generated by bootloader(e.g. shim) and pass the key-pair to
> > kernel through EFI variables. I choice to binding the snapshot
> > signature check mechanism with UEFI secure boot for provide stronger
> > protection of hibernate. Current behavior is following:
> >
> > + UEFI Secure Boot ON, Kernel found key-pair from shim:
> > Will do the S4 signature check.
> >
> > + UEFI Secure Boot ON, Kernel didn't find key-pair from shim:
> > Will lock down S4 function.
> >
> > + UEFI Secure Boot OFF
> > Will NOT do the S4 signature check.
> > Ignore any keys from bootloader.
> >
> > v2:
> > Replace sign_key_data_loaded() by skey_data_available() to check sign key data
> > is available for hibernate.
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/hibernate.c | 36 +++++++++++++++++-
> > kernel/power/main.c | 11 +++++-
> > kernel/power/snapshot.c | 95 ++++++++++++++++++++++++++--------------------
> > kernel/power/swap.c | 4 +-
> > kernel/power/user.c | 11 +++++
> > 5 files changed, 112 insertions(+), 45 deletions(-)
> >
> > diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
> > index c545b15..0f19f3d 100644
> > --- a/kernel/power/hibernate.c
> > +++ b/kernel/power/hibernate.c
> > @@ -29,6 +29,7 @@
> > #include <linux/ctype.h>
> > #include <linux/genhd.h>
> > #include <linux/key.h>
> > +#include <linux/efi.h>
> >
> > #include "power.h"
> >
> > @@ -632,7 +633,14 @@ static void power_down(void)
> > int hibernate(void)
> > {
> > int error;
> > - int skey_error;
> > +
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> >
> > lock_system_sleep();
> > /* The snapshot device should not be opened while we're running */
> > @@ -799,6 +807,15 @@ static int software_resume(void)
> > if (error)
> > goto Unlock;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + mutex_unlock(&pm_mutex);
> > + return -EPERM;
> > + }
> > +
> > /* The snapshot device should not be opened while we're running */
> > if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
> > error = -EBUSY;
> > @@ -892,6 +909,15 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
> > int i;
> > char *start = buf;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (efi_enabled(EFI_SECURE_BOOT) && !skey_data_available()) {
> > +#else
> > + if (efi_enabled(EFI_SECURE_BOOT)) {
> > +#endif
> > + buf += sprintf(buf, "[%s]\n", "disabled");
> > + return buf-start;
> > + }
> > +
> > for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
> > if (!hibernation_modes[i])
> > continue;
> > @@ -926,6 +952,14 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
> > char *p;
> > int mode = HIBERNATION_INVALID;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> > +
> > p = memchr(buf, '\n', n);
> > len = p ? p - buf : n;
> >
>
> You clearly need some helper function.
> Pavel
>
I will use a help function to replace those ifdef block.
Thanks for your suggestion!
Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply
* Re: [PATCH 15/18] Hibernate: adapt to UEFI secure boot with signature check
From: joeyli @ 2013-08-27 10:14 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825164219.GK5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:42 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:54, Lee, Chun-Yi wrote:
> > In current solution, the snapshot signature check used the RSA key-pair
> > that are generated by bootloader(e.g. shim) and pass the key-pair to
> > kernel through EFI variables. I choice to binding the snapshot
> > signature check mechanism with UEFI secure boot for provide stronger
> > protection of hibernate. Current behavior is following:
> >
> > + UEFI Secure Boot ON, Kernel found key-pair from shim:
> > Will do the S4 signature check.
> >
> > + UEFI Secure Boot ON, Kernel didn't find key-pair from shim:
> > Will lock down S4 function.
> >
> > + UEFI Secure Boot OFF
> > Will NOT do the S4 signature check.
> > Ignore any keys from bootloader.
> >
> > v2:
> > Replace sign_key_data_loaded() by skey_data_available() to check sign key data
> > is available for hibernate.
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/hibernate.c | 36 +++++++++++++++++-
> > kernel/power/main.c | 11 +++++-
> > kernel/power/snapshot.c | 95 ++++++++++++++++++++++++++--------------------
> > kernel/power/swap.c | 4 +-
> > kernel/power/user.c | 11 +++++
> > 5 files changed, 112 insertions(+), 45 deletions(-)
> >
> > diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
> > index c545b15..0f19f3d 100644
> > --- a/kernel/power/hibernate.c
> > +++ b/kernel/power/hibernate.c
> > @@ -29,6 +29,7 @@
> > #include <linux/ctype.h>
> > #include <linux/genhd.h>
> > #include <linux/key.h>
> > +#include <linux/efi.h>
> >
> > #include "power.h"
> >
> > @@ -632,7 +633,14 @@ static void power_down(void)
> > int hibernate(void)
> > {
> > int error;
> > - int skey_error;
> > +
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> >
> > lock_system_sleep();
> > /* The snapshot device should not be opened while we're running */
> > @@ -799,6 +807,15 @@ static int software_resume(void)
> > if (error)
> > goto Unlock;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !wkey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + mutex_unlock(&pm_mutex);
> > + return -EPERM;
> > + }
> > +
> > /* The snapshot device should not be opened while we're running */
> > if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
> > error = -EBUSY;
> > @@ -892,6 +909,15 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr,
> > int i;
> > char *start = buf;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (efi_enabled(EFI_SECURE_BOOT) && !skey_data_available()) {
> > +#else
> > + if (efi_enabled(EFI_SECURE_BOOT)) {
> > +#endif
> > + buf += sprintf(buf, "[%s]\n", "disabled");
> > + return buf-start;
> > + }
> > +
> > for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) {
> > if (!hibernation_modes[i])
> > continue;
> > @@ -926,6 +952,14 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr,
> > char *p;
> > int mode = HIBERNATION_INVALID;
> >
> > +#ifdef CONFIG_SNAPSHOT_VERIFICATION
> > + if (!capable(CAP_COMPROMISE_KERNEL) && !skey_data_available()) {
> > +#else
> > + if (!capable(CAP_COMPROMISE_KERNEL)) {
> > +#endif
> > + return -EPERM;
> > + }
> > +
> > p = memchr(buf, '\n', n);
> > len = p ? p - buf : n;
> >
>
> You clearly need some helper function.
> Pavel
>
I will use a help function to replace those ifdef block.
Thanks for your suggestion!
Joey Lee
^ permalink raw reply
* Re: [PATCH 17/18] Hibernate: introduced SNAPSHOT_SIG_HASH config for select hash algorithm
From: joeyli @ 2013-08-27 10:22 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825164329.GL5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:43 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:56, Lee, Chun-Yi wrote:
> > This patch introduced SNAPSHOT_SIG_HASH config for user to select which
> > hash algorithm will be used during signature generation of snapshot.
> >
> > v2:
> > Add define check of oCONFIG_SNAPSHOT_VERIFICATION in snapshot.c before
> > declare pkey_hash().
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/Kconfig | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> > kernel/power/snapshot.c | 27 ++++++++++++++++++++++-----
> > 2 files changed, 68 insertions(+), 5 deletions(-)
> >
> > diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig
> > index b592d88..79b34fa 100644
> > --- a/kernel/power/Kconfig
> > +++ b/kernel/power/Kconfig
> > @@ -78,6 +78,52 @@ config SNAPSHOT_VERIFICATION
> > dependent on UEFI environment. EFI bootloader should generate the
> > key-pair.
> >
> > +choice
> > + prompt "Which hash algorithm should snapshot be signed with?"
> > + depends on SNAPSHOT_VERIFICATION
> > + help
> > + This determines which sort of hashing algorithm will be used during
> > + signature generation of snapshot. This algorithm _must_ be built into
> > + the kernel directly so that signature verification can take place.
> > + It is not possible to load a signed snapshot containing the algorithm
> > + to check the signature on that module.
>
> Like if 1000 ifdefs you already added to the code are not enough, you
> make some new ones?
> Pavel
>
This SNAPSHOT_SIG_HASH kernel config is to select which SHA algorithms
used for generate digest of snapshot. The configuration will captured by
a const char* in code:
+static const char *snapshot_hash = CONFIG_SNAPSHOT_SIG_HASH;
+
+static int pkey_hash(void)
So, there doesn't have any ifdef block derived from this new config.
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 17/18] Hibernate: introduced SNAPSHOT_SIG_HASH config for select hash algorithm
From: joeyli @ 2013-08-27 10:22 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
linux-security-module-u79uwXL29TY76Z2rM5mHXA,
linux-efi-u79uwXL29TY76Z2rM5mHXA, linux-pm-u79uwXL29TY76Z2rM5mHXA,
linux-crypto-u79uwXL29TY76Z2rM5mHXA,
opensuse-kernel-stAJ6ESoqRxg9hUCZPvPmw, David Howells,
Rafael J. Wysocki, Matthew Garrett, Len Brown, Josh Boyer,
Vojtech Pavlik, Matt Fleming, James Bottomley, Greg KH,
JKosina-IBi9RG/b67k, Rusty Russell, Herbert Xu, David S. Miller,
H. Peter Anvin, Michal Marek, Gary Lin, Vivek Goyal
In-Reply-To: <20130825164329.GL5171-tWAi6jLit6GreWDznjuHag@public.gmane.org>
於 日,2013-08-25 於 18:43 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:56, Lee, Chun-Yi wrote:
> > This patch introduced SNAPSHOT_SIG_HASH config for user to select which
> > hash algorithm will be used during signature generation of snapshot.
> >
> > v2:
> > Add define check of oCONFIG_SNAPSHOT_VERIFICATION in snapshot.c before
> > declare pkey_hash().
> >
> > Reviewed-by: Jiri Kosina <jkosina-AlSwsSmVLrQ@public.gmane.org>
> > Signed-off-by: Lee, Chun-Yi <jlee-IBi9RG/b67k@public.gmane.org>
> > ---
> > kernel/power/Kconfig | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> > kernel/power/snapshot.c | 27 ++++++++++++++++++++++-----
> > 2 files changed, 68 insertions(+), 5 deletions(-)
> >
> > diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig
> > index b592d88..79b34fa 100644
> > --- a/kernel/power/Kconfig
> > +++ b/kernel/power/Kconfig
> > @@ -78,6 +78,52 @@ config SNAPSHOT_VERIFICATION
> > dependent on UEFI environment. EFI bootloader should generate the
> > key-pair.
> >
> > +choice
> > + prompt "Which hash algorithm should snapshot be signed with?"
> > + depends on SNAPSHOT_VERIFICATION
> > + help
> > + This determines which sort of hashing algorithm will be used during
> > + signature generation of snapshot. This algorithm _must_ be built into
> > + the kernel directly so that signature verification can take place.
> > + It is not possible to load a signed snapshot containing the algorithm
> > + to check the signature on that module.
>
> Like if 1000 ifdefs you already added to the code are not enough, you
> make some new ones?
> Pavel
>
This SNAPSHOT_SIG_HASH kernel config is to select which SHA algorithms
used for generate digest of snapshot. The configuration will captured by
a const char* in code:
+static const char *snapshot_hash = CONFIG_SNAPSHOT_SIG_HASH;
+
+static int pkey_hash(void)
So, there doesn't have any ifdef block derived from this new config.
Thanks a lot!
Joey Lee
^ permalink raw reply
* Re: [PATCH 17/18] Hibernate: introduced SNAPSHOT_SIG_HASH config for select hash algorithm
From: joeyli @ 2013-08-27 10:22 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, linux-security-module, linux-efi, linux-pm,
linux-crypto, opensuse-kernel, David Howells, Rafael J. Wysocki,
Matthew Garrett, Len Brown, Josh Boyer, Vojtech Pavlik,
Matt Fleming, James Bottomley, Greg KH, JKosina, Rusty Russell,
Herbert Xu, David S. Miller, H. Peter Anvin, Michal Marek,
Gary Lin, Vivek Goyal
In-Reply-To: <20130825164329.GL5171@amd.pavel.ucw.cz>
於 日,2013-08-25 於 18:43 +0200,Pavel Machek 提到:
> On Thu 2013-08-22 19:01:56, Lee, Chun-Yi wrote:
> > This patch introduced SNAPSHOT_SIG_HASH config for user to select which
> > hash algorithm will be used during signature generation of snapshot.
> >
> > v2:
> > Add define check of oCONFIG_SNAPSHOT_VERIFICATION in snapshot.c before
> > declare pkey_hash().
> >
> > Reviewed-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
> > ---
> > kernel/power/Kconfig | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> > kernel/power/snapshot.c | 27 ++++++++++++++++++++++-----
> > 2 files changed, 68 insertions(+), 5 deletions(-)
> >
> > diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig
> > index b592d88..79b34fa 100644
> > --- a/kernel/power/Kconfig
> > +++ b/kernel/power/Kconfig
> > @@ -78,6 +78,52 @@ config SNAPSHOT_VERIFICATION
> > dependent on UEFI environment. EFI bootloader should generate the
> > key-pair.
> >
> > +choice
> > + prompt "Which hash algorithm should snapshot be signed with?"
> > + depends on SNAPSHOT_VERIFICATION
> > + help
> > + This determines which sort of hashing algorithm will be used during
> > + signature generation of snapshot. This algorithm _must_ be built into
> > + the kernel directly so that signature verification can take place.
> > + It is not possible to load a signed snapshot containing the algorithm
> > + to check the signature on that module.
>
> Like if 1000 ifdefs you already added to the code are not enough, you
> make some new ones?
> Pavel
>
This SNAPSHOT_SIG_HASH kernel config is to select which SHA algorithms
used for generate digest of snapshot. The configuration will captured by
a const char* in code:
+static const char *snapshot_hash = CONFIG_SNAPSHOT_SIG_HASH;
+
+static int pkey_hash(void)
So, there doesn't have any ifdef block derived from this new config.
Thanks a lot!
Joey Lee
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox