From: Matthew Garrett <mjg59@srcf.ucam.org>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: linux-efi@vger.kernel.org, linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] x86/efi: pull NV+BS variables out before we exit boot services
Date: Tue, 19 Mar 2013 23:17:56 +0000 [thread overview]
Message-ID: <20130319231756.GA21071@srcf.ucam.org> (raw)
In-Reply-To: <1363734031.2377.77.camel@dabdike.int.hansenpartnership.com>
On Tue, Mar 19, 2013 at 11:00:31PM +0000, James Bottomley wrote:
> On Tue, 2013-03-19 at 18:50 +0000, Matthew Garrett wrote:
> > Well, that somewhat complicates implementation - we'd be encrypting the
> > entire contents of memory except for the key that we're using to encrypt
> > memory. Keeping the public key away from userspace avoids having to care
> > about that.
>
> I don't quite understand what you're getting at: the principle of public
> key cryptography is that you can make the public key, well public. You
> only need to guard the private key.
Ok, so let's just rephrase it as asymmetric cryptography. The aim is to
ensure that there's never a situation where userspace can decrypt a
hibernation file, modify it and reencrypt it. So, shim (or whatever)
generates a keypair. The encryption key is passed to the kernel being
booted. The decryption key is stashed in a variable in order to be
passed to the resume kernel.
If the decryption key is available to userspace then the kernel needs to
discard the encryption key during image write-out - otherwise the
encryption key will be in the encrypted image. If the decryption key
isn't available to userspace then this isn't a concern.
If the decryption key *is* available to userspace (as it would be in
your case), there's a requirement to discard the encryption key during
the hibernation process. This isn't impossible, but it does add a little
to the complexity.
--
Matthew Garrett | mjg59@srcf.ucam.org
next prev parent reply other threads:[~2013-03-19 23:18 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-18 8:40 [PATCH] x86/efi: pull NV+BS variables out before we exit boot services James Bottomley
2013-03-19 1:48 ` Matthew Garrett
2013-03-19 8:14 ` James Bottomley
2013-03-19 16:35 ` Matthew Garrett
2013-03-19 17:17 ` James Bottomley
2013-03-19 17:25 ` Matthew Garrett
2013-03-19 18:23 ` James Bottomley
2013-03-19 18:28 ` Matthew Garrett
2013-03-19 18:40 ` James Bottomley
2013-03-19 18:50 ` Matthew Garrett
2013-03-19 23:00 ` James Bottomley
2013-03-19 23:17 ` Matthew Garrett [this message]
2013-03-20 8:00 ` James Bottomley
2013-03-20 11:47 ` Matthew Garrett
2013-03-20 11:26 ` Matt Fleming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130319231756.GA21071@srcf.ucam.org \
--to=mjg59@srcf.ucam.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).