public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: joeyli <jlee@suse.com>
To: Vojtech Pavlik <vojtech@suse.cz>
Cc: Pavel Machek <pavel@ucw.cz>,
	Alan Stern <stern@rowland.harvard.edu>,
	David Howells <dhowells@redhat.com>,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
	linux-pm@vger.kernel.org, linux-crypto@vger.kernel.org,
	opensuse-kernel@opensuse.org, "Rafael J. Wysocki" <rjw@sisk.pl>,
	Matthew Garrett <mjg59@srcf.ucam.org>,
	Len Brown <len.brown@intel.com>, Josh Boyer <jwboyer@redhat.com>,
	Matt Fleming <matt.fleming@intel.com>,
	James Bottomley <james.bottomley@hansenpartnership.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	JKosina@suse.com, Rusty Russell <rusty@rustcorp.com.au>,
	Herbert Xu <herbert@gondor.hengli.com.au>,
	"David S. Miller" <davem@davemloft.net>,
	"H. Peter Anvin" <hpa@zytor.com>, Michal Marek <mmarek@suse.cz>,
	Gary Lin <GLin@suse.com>, Vivek Goyal <vgoyal@redhat.com>
Subject: Re: [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot
Date: Thu, 26 Sep 2013 21:20:38 +0800	[thread overview]
Message-ID: <1380201638.32302.90.camel@linux-s257.site> (raw)
In-Reply-To: <20130926122210.GA30225@suse.cz>

於 四,2013-09-26 於 14:22 +0200,Vojtech Pavlik 提到:
> On Thu, Sep 26, 2013 at 02:06:21PM +0200, Pavel Machek wrote:
> 
> > > For the symmetric key solution, I will try HMAC (Hash Message
> > > Authentication Code). It's already used in networking, hope the
> > > performance is not too bad to a big image.
> > 
> > Kernel already supports crc32 of the hibernation image, you may want
> > to take a look how that is done.
> > 
> > Maybe you want to replace crc32 with cryptographics hash (sha1?) and
> > then use only hash for more crypto? That way speed of whatever
> crypto
> > you do should not be an issue.
> 
> Well, yes, one could skip the CRC when the signing is enabled to gain
> a
> little speedup. 

In current kernel, CRC is for check the integrity of LZO compressed
image, the purpose is different to check the integrity of snapshot
image.
So, CRC will not in non-compress hibernate or userspace hibernate code
path

On the other hand, attacker can easily change the CRC code in the header
of LZO hibernate image.

Thanks a lot!
Joey Lee


  reply	other threads:[~2013-09-26 13:21 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-15  0:56 [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 01/15] asymmetric keys: add interface and skeleton for implement signature generation Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 02/15] asymmetric keys: implement EMSA_PKCS1-v1_5-ENCODE in rsa Lee, Chun-Yi
2013-09-17 21:51   ` Dmitry Kasatkin
2013-09-18  9:08     ` joeyli
2013-09-17 22:29   ` Dmitry Kasatkin
2013-09-23 16:49   ` Phil Carmody
2013-09-26  7:08     ` joeyli
2013-09-15  0:56 ` [PATCH V4 03/15] asymmetric keys: separate the length checking of octet string from RSA_I2OSP Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 04/15] asymmetric keys: implement OS2IP in rsa Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 05/15] asymmetric keys: implement RSASP1 Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 06/15] asymmetric keys: support parsing PKCS #8 private key information Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 07/15] asymmetric keys: explicitly add the leading zero byte to encoded message Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 08/15] Hibernate: introduced RSA key-pair to verify signature of snapshot Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 09/15] Hibernate: generate and " Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH 10/15] Hibernate: Avoid S4 sign key data included in snapshot image Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 11/15] Hibernate: taint kernel when signature check fail Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 12/15] Hibernate: show the verification time for monitor performance Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 13/15] Hibernate: introduced SNAPSHOT_SIG_HASH config for select hash algorithm Lee, Chun-Yi
2013-09-18 13:45   ` Pavel Machek
2013-09-26  1:43     ` joeyli
2013-09-26  8:21       ` Pavel Machek
2013-09-15  0:57 ` [PATCH V4 14/15] Hibernate: notify bootloader regenerate key-pair for snapshot verification Lee, Chun-Yi
2013-09-15  0:57 ` [PATCH V4 15/15] Hibernate: adapt to UEFI secure boot with signature check Lee, Chun-Yi
2013-09-25 21:04 ` [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot David Howells
2013-09-25 21:25   ` Alan Stern
2013-09-25 22:16     ` James Bottomley
2013-09-26  0:27       ` Pavel Machek
2013-09-26  2:32         ` James Bottomley
2013-09-26  6:24           ` Jiri Kosina
2013-09-26 14:44             ` James Bottomley
2013-09-26 14:48               ` Jiri Kosina
2013-09-26 14:56                 ` Vojtech Pavlik
2013-09-26  4:40         ` joeyli
2013-09-26  1:11       ` Alan Stern
2013-09-26  2:19     ` joeyli
2013-09-26 10:43       ` joeyli
2013-09-26 12:06         ` Pavel Machek
2013-09-26 12:21           ` Michal Marek
2013-09-26 12:23             ` Vojtech Pavlik
2013-09-26 12:22           ` Vojtech Pavlik
2013-09-26 13:20             ` joeyli [this message]
2013-09-26 12:56           ` joeyli
2013-09-26  1:36   ` joeyli
2013-10-17 14:18 ` Rafael J. Wysocki

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1380201638.32302.90.camel@linux-s257.site \
    --to=jlee@suse.com \
    --cc=GLin@suse.com \
    --cc=JKosina@suse.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=herbert@gondor.hengli.com.au \
    --cc=hpa@zytor.com \
    --cc=james.bottomley@hansenpartnership.com \
    --cc=jwboyer@redhat.com \
    --cc=len.brown@intel.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-pm@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=matt.fleming@intel.com \
    --cc=mjg59@srcf.ucam.org \
    --cc=mmarek@suse.cz \
    --cc=opensuse-kernel@opensuse.org \
    --cc=pavel@ucw.cz \
    --cc=rjw@sisk.pl \
    --cc=rusty@rustcorp.com.au \
    --cc=stern@rowland.harvard.edu \
    --cc=vgoyal@redhat.com \
    --cc=vojtech@suse.cz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox