From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.5 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E3881C46471 for ; Sun, 5 Aug 2018 10:02:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9A832217BD for ; Sun, 5 Aug 2018 10:02:12 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9A832217BD Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=ucw.cz Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726276AbeHEMGE (ORCPT ); Sun, 5 Aug 2018 08:06:04 -0400 Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:52685 "EHLO atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726130AbeHEMGE (ORCPT ); Sun, 5 Aug 2018 08:06:04 -0400 Received: by atrey.karlin.mff.cuni.cz (Postfix, from userid 512) id 92B8A8061C; Sun, 5 Aug 2018 12:02:00 +0200 (CEST) Date: Sun, 5 Aug 2018 12:02:00 +0200 From: Pavel Machek To: Ryan Chen Cc: jlee@suse.com, Chen Yu , oneukum@suse.com, "Rafael J. Wysocki" , ebiggers@google.com, Theodore Ts'o , smueller@chronox.de, denkenz@gmail.com, Linux PM list , linux-crypto@vger.kernel.org, Linux Kernel Mailing List , kookoo.gu@intel.com, Zhang Rui Subject: Re: [PATCH 0/4][RFC v2] Introduce the in-kernel hibernation encryption Message-ID: <20180805100200.GB22948@amd> References: <20180719132003.GA30981@sandybridge-desktop> <20180720102532.GA20284@amd> <1532346156.3057.11.camel@suse.com> <20180723162302.GA4503@sandybridge-desktop> <1532590246.7411.3.camel@suse.com> <20180726081404.GG4244@linux-l9pv.suse> <20180730170415.GQ4244@linux-l9pv.suse> <20180803033702.GB416@sandybridge-desktop> <20180803053445.GC4244@linux-l9pv.suse> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="gj572EiMnwbLXET9" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --gj572EiMnwbLXET9 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > > User space doesn't need to involve. The EFI root key is generated by > > EFI boot stub and be transfer to kernel. It's stored in EFI boot service > > variable that it can only be accessed by trusted EFI binary when > > secure boot is enabled. > > > Okay, this apply to the 'suspend' phase, right? > I'm still a little confused about the 'resume' phase. > Taking encryption as example(not signature), > the purpose of doing hibernation encryption is to prevent other users > from stealing ram content. Say, user A uses a passphrase to generate the No, I don't think that's purpose here. Purpose here is to prevent user from reading/modifying kernel memory content on machine he owns. Strange as it may sound, that is what "secure" boot requires (and what Disney wants). I guess it may have some non-evil uses, too... https://www.linux.com/news/matthew-garrett-explains-how-increase-sec= urity-boot-time =09 Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --gj572EiMnwbLXET9 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAltmyxcACgkQMOfwapXb+vLgdgCcCgfNMlQjTf1H5wowJUF9tzdz DiQAn1P1w9iLF/MQ4Ihimsvs1Uhx5WXx =+5iu -----END PGP SIGNATURE----- --gj572EiMnwbLXET9--