From: Yu Chen <yu.c.chen@intel.com>
To: joeyli <jlee@suse.com>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>,
Pavel Machek <pavel@ucw.cz>, Len Brown <len.brown@intel.com>,
Borislav Petkov <bp@alien8.de>,
linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/3][RFC] Introduce the in-kernel hibernation encryption
Date: Fri, 6 Jul 2018 21:42:27 +0800 [thread overview]
Message-ID: <20180706134226.GA9631@sandybridge-desktop> (raw)
In-Reply-To: <20180705161637.GK3628@linux-l9pv.suse>
Sorry for late reply.
On Fri, Jul 06, 2018 at 12:16:37AM +0800, joeyli wrote:
> Hi Chen Yu,
>
> On Wed, Jun 20, 2018 at 05:39:37PM +0800, Chen Yu wrote:
> > Hi,
> > As security becomes more and more important, we add the in-kernel
> > encryption support for hibernation.
> >
> > This prototype is a trial version to implement the hibernation
> > encryption in the kernel, so that the users do not have to rely
> > on third-party tools to encrypt the hibernation image. The only
> > dependency on user space is that, the user space should provide
> > a valid key derived from passphrase to the kernel for image encryption.
> >
> > There was a discussion on the mailing list on whether this key should
> > be derived in kernel or in user space. And it turns out to be generating
> > the key by user space is more acceptable[1]. So this patch set is divided
> > into two parts:
> > 1. The hibernation snapshot encryption in kernel space,
> > 2. the key derivation implementation in user space.
> >
> > Please refer to each patch for detail, and feel free to comment on
> > this, thanks.
> >
> > [1] https://www.spinics.net/lists/linux-crypto/msg33145.html
> >
> > Chen Yu (3):
> > PM / Hibernate: Add helper functions for hibernation encryption
> > PM / Hibernate: Encrypt the snapshot pages before submitted to the
> > block device
> > tools: create power/crypto utility
> >
>
> I am trying this patch set.
>
> Could you please tell me how to test the user space crypto utility with
> systemd's hibernation module?
>
Usage:
1. install the kernel module:
modprobe crypto_hibernation
2. run the tool to generate the key from
user provided passphrase:
./crypto_hibernate
3. launch the hibernation process:
echo disk > /sys/power/state
4. The initrd launches cryto_hibernate
to read previous salt from kernel and
probe the user passphrase and generate the same key:
./crypto_hibernate
5. kernel uses this key to decrypt the hibernation
snapshot.
> I have a question about the salt. If the salt is saved in image header,
> does that mean that kernel needs to read the image header before user
> space crypto utility be launched? Otherwise user space can not get
> the salt to produce key? I a bit confused about the resume process.
>
The crypto_hibernate will first read the salt from the kernel
via ioctl(the kernel will first expose the salt for the user
in crypto_restore(), then the crypto_hibernate uses ioctl to
read it) and then uses that salt together with user provided
passphrase to generate the key, and pass that key to the kernel
for decryption.
> Thanks
> Joey Lee
prev parent reply other threads:[~2018-07-06 13:42 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-20 9:39 [PATCH 0/3][RFC] Introduce the in-kernel hibernation encryption Chen Yu
2018-06-20 9:39 ` [PATCH 1/3][RFC] PM / Hibernate: Add helper functions for " Chen Yu
2018-06-20 9:40 ` [PATCH 2/3][RFC] PM / Hibernate: Encrypt the snapshot pages before submitted to the block device Chen Yu
2018-06-28 13:07 ` joeyli
2018-06-28 13:50 ` Yu Chen
2018-06-28 14:28 ` joeyli
2018-06-28 14:52 ` Yu Chen
2018-06-29 12:59 ` joeyli
2018-07-06 15:28 ` Yu Chen
2018-07-12 10:10 ` joeyli
2018-07-13 7:34 ` Yu Chen
2018-07-18 15:48 ` joeyli
2018-07-19 9:16 ` Yu Chen
2018-06-20 9:40 ` [PATCH 3/3][RFC] tools: create power/crypto utility Chen Yu
2018-06-20 17:41 ` Eric Biggers
2018-06-22 2:39 ` Yu Chen
2018-06-22 2:59 ` Eric Biggers
2018-06-21 9:01 ` Pavel Machek
2018-06-21 12:10 ` Rafael J. Wysocki
2018-06-21 19:04 ` Pavel Machek
2018-06-25 7:06 ` Rafael J. Wysocki
2018-06-25 11:54 ` Pavel Machek
2018-06-25 21:56 ` Rafael J. Wysocki
2018-06-25 22:16 ` Pavel Machek
[not found] ` <1530009024.20417.5.camel@suse.com>
2018-06-26 11:12 ` Pavel Machek
2018-06-21 8:53 ` [PATCH 0/3][RFC] Introduce the in-kernel hibernation encryption Pavel Machek
2018-06-21 12:08 ` Rafael J. Wysocki
2018-06-21 19:14 ` Pavel Machek
2018-06-22 2:14 ` Yu Chen
2018-06-25 11:55 ` Pavel Machek
2018-06-25 7:16 ` Rafael J. Wysocki
2018-06-25 11:59 ` Pavel Machek
2018-06-25 22:14 ` Rafael J. Wysocki
2018-07-05 16:16 ` joeyli
2018-07-06 13:42 ` Yu Chen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180706134226.GA9631@sandybridge-desktop \
--to=yu.c.chen@intel.com \
--cc=bp@alien8.de \
--cc=jlee@suse.com \
--cc=len.brown@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=rafael@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).