From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: linux-efi@vger.kernel.org, x86@kernel.org,
keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, "Lee,
Chun-Yi" <jlee@suse.com>, Kees Cook <keescook@chromium.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
Pavel Machek <pavel@ucw.cz>, Chen Yu <yu.c.chen@intel.com>,
Oliver Neukum <oneukum@suse.com>,
Ryan Chen <yu.chen.surf@gmail.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
David Howells <dhowells@redhat.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: [PATCH 0/6][RFC] Add EFI secure key to key retention service
Date: Sun, 5 Aug 2018 11:21:13 +0800 [thread overview]
Message-ID: <20180805032119.20485-1-jlee@suse.com> (raw)
When secure boot is enabled, only signed EFI binary can access
EFI boot service variable before ExitBootService. Which means that
the EFI boot service variable is secure.
This patch set add functions to EFI boot stub to generate a 512-bit
random number that it can be used as a root key for encryption and
authentication. This root key will be kept in EFI boot service variable.
EFI boot stub will read and transfer ERK (efi root key) to kernel.
At runtime, the ERK can be used to encrypted/authentication other
random number to generate EFI secure key. The EFI secure key can be
a new master key type for encrypted key. It's useful for hibernation
or evm.
Here is the proof of concept for using EFI secure key in hibernation:
https://github.com/joeyli/linux-s4sign/commit/6311e97038974bc5de8121769fb4d34470009566
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Chen Yu <yu.c.chen@intel.com>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: Ryan Chen <yu.chen.surf@gmail.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
Lee, Chun-Yi (6):
x86/KASLR: make getting random long number function public
efi: the function transfers status to string
efi: generate efi root key in EFI boot stub
key: add EFI secure key type
key: add EFI secure key as a master key type
key: enforce the secure boot checking when loading efi root key
Documentation/admin-guide/kernel-parameters.txt | 6 +
arch/x86/boot/compressed/Makefile | 1 +
arch/x86/boot/compressed/cpuflags.c | 2 +-
arch/x86/boot/compressed/eboot.c | 2 +
arch/x86/boot/compressed/efi_root_key.c | 212 +++++++
arch/x86/boot/compressed/kaslr.c | 21 -
arch/x86/boot/compressed/misc.c | 17 +
arch/x86/boot/compressed/misc.h | 12 +-
arch/x86/include/asm/efi.h | 13 +
arch/x86/include/uapi/asm/bootparam.h | 1 +
arch/x86/kernel/setup.c | 3 +
arch/x86/lib/kaslr.c | 61 +-
arch/x86/lib/random.c | 68 +++
drivers/firmware/efi/Kconfig | 31 +
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/efi-secure-key.c | 748 ++++++++++++++++++++++++
include/keys/efi-type.h | 57 ++
include/linux/efi.h | 40 ++
include/linux/kernel.h | 3 +-
kernel/panic.c | 1 +
security/keys/encrypted-keys/encrypted.c | 10 +
21 files changed, 1226 insertions(+), 84 deletions(-)
create mode 100644 arch/x86/boot/compressed/efi_root_key.c
create mode 100644 arch/x86/lib/random.c
create mode 100644 drivers/firmware/efi/efi-secure-key.c
create mode 100644 include/keys/efi-type.h
--
2.13.6
next reply other threads:[~2018-08-05 5:25 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-05 3:21 Lee, Chun-Yi [this message]
2018-08-05 3:21 ` [PATCH 1/6] x86/KASLR: make getting random long number function public Lee, Chun-Yi
2018-08-05 8:16 ` Ard Biesheuvel
2018-08-05 14:40 ` joeyli
2018-08-05 3:21 ` [PATCH 2/6] efi: the function transfers status to string Lee, Chun-Yi
2018-08-05 8:17 ` Ard Biesheuvel
2018-08-05 3:21 ` [PATCH 3/6] efi: generate efi root key in EFI boot stub Lee, Chun-Yi
2018-08-05 3:21 ` [PATCH 4/6] key: add EFI secure key type Lee, Chun-Yi
2018-08-05 3:21 ` [PATCH 5/6] key: add EFI secure key as a master " Lee, Chun-Yi
2018-08-05 3:21 ` [PATCH 6/6] key: enforce the secure boot checking when loading efi root key Lee, Chun-Yi
2018-08-05 7:25 ` [PATCH 0/6][RFC] Add EFI secure key to key retention service Ard Biesheuvel
2018-08-05 16:31 ` joeyli
2018-08-05 19:00 ` Ard Biesheuvel
2018-08-05 17:47 ` James Bottomley
2018-08-06 6:00 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180805032119.20485-1-jlee@suse.com \
--to=joeyli.kernel@gmail.com \
--cc=ard.biesheuvel@linaro.org \
--cc=dhowells@redhat.com \
--cc=hpa@zytor.com \
--cc=jlee@suse.com \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=oneukum@suse.com \
--cc=pavel@ucw.cz \
--cc=rafael.j.wysocki@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yu.c.chen@intel.com \
--cc=yu.chen.surf@gmail.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox