Re: [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Rafael J. Wysocki" <rjw@sisk.pl>
To: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Cc: linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
	linux-pm@vger.kernel.org, linux-crypto@vger.kernel.org,
	opensuse-kernel@opensuse.org, David Howells <dhowells@redhat.com>,
	Matthew Garrett <mjg59@srcf.ucam.org>,
	Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
	Josh Boyer <jwboyer@redhat.com>, Vojtech Pavlik <vojtech@suse.cz>,
	Matt Fleming <matt.fleming@intel.com>,
	James Bottomley <james.bottomley@hansenpartnership.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	JKosina@suse.com, Rusty Russell <rusty@rustcorp.com.au>,
	Herbert Xu <herbert@gondor.hengli.com.au>,
	"David S. Miller" <davem@davemloft.net>,
	"H. Peter Anvin" <hpa@zytor.com>, Michal Marek <mmarek@suse.cz>,
	Gary Lin <GLin@suse.com>, Vivek Goyal <vgoyal@redhat.com>,
	"Lee, Chun-Yi" <jlee@suse.com>
Subject: Re: [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot
Date: Thu, 17 Oct 2013 16:18:47 +0200	[thread overview]
Message-ID: <3744955.cCTmoQ1ejp@vostro.rjw.lan> (raw)
In-Reply-To: <1379206621-18639-1-git-send-email-jlee@suse.com>

On Sunday, September 15, 2013 08:56:46 AM Lee, Chun-Yi wrote:
> Hi experts,
> 
> This patchset is the implementation for signature verification of hibernate
> snapshot image. The origin idea is from Jiri Kosina: Let EFI bootloader
> generate key-pair in UEFI secure boot environment, then pass it to kernel
> for sign/verify S4 image.
> 
> Due to there have potential threat from the S4 image hacked, it may causes
> kernel lost the trust in UEFI secure boot. Hacker attack the S4 snapshot
> image in swap partition through whatever exploit from another trusted OS,
> and the exploit may don't need physical access machine.
> 
> So, this patchset give the ability to kernel for parsing RSA private key
> from EFI bootloader, then using the private key to generate the signature
> of S4 snapshot image. Kernel put the signature to snapshot header, and
> verify the signature when kernel try to recover snapshot image to memory.

I wonder what the status of this work is?  Is it considered ready for inclusion
or are you still going to work on it and resubmit?

Rafael

     prev parent reply	other threads:[~2013-10-17 14:07 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-15  0:56 [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 01/15] asymmetric keys: add interface and skeleton for implement signature generation Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 02/15] asymmetric keys: implement EMSA_PKCS1-v1_5-ENCODE in rsa Lee, Chun-Yi
2013-09-17 21:51   ` Dmitry Kasatkin
2013-09-18  9:08     ` joeyli
2013-09-17 22:29   ` Dmitry Kasatkin
2013-09-23 16:49   ` Phil Carmody
2013-09-26  7:08     ` joeyli
2013-09-15  0:56 ` [PATCH V4 03/15] asymmetric keys: separate the length checking of octet string from RSA_I2OSP Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 04/15] asymmetric keys: implement OS2IP in rsa Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 05/15] asymmetric keys: implement RSASP1 Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 06/15] asymmetric keys: support parsing PKCS #8 private key information Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 07/15] asymmetric keys: explicitly add the leading zero byte to encoded message Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 08/15] Hibernate: introduced RSA key-pair to verify signature of snapshot Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 09/15] Hibernate: generate and " Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH 10/15] Hibernate: Avoid S4 sign key data included in snapshot image Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 11/15] Hibernate: taint kernel when signature check fail Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 12/15] Hibernate: show the verification time for monitor performance Lee, Chun-Yi
2013-09-15  0:56 ` [PATCH V4 13/15] Hibernate: introduced SNAPSHOT_SIG_HASH config for select hash algorithm Lee, Chun-Yi
2013-09-18 13:45   ` Pavel Machek
2013-09-26  1:43     ` joeyli
2013-09-26  8:21       ` Pavel Machek
2013-09-15  0:57 ` [PATCH V4 14/15] Hibernate: notify bootloader regenerate key-pair for snapshot verification Lee, Chun-Yi
2013-09-15  0:57 ` [PATCH V4 15/15] Hibernate: adapt to UEFI secure boot with signature check Lee, Chun-Yi
2013-09-25 21:04 ` [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot David Howells
2013-09-25 21:25   ` Alan Stern
2013-09-25 22:16     ` James Bottomley
2013-09-26  0:27       ` Pavel Machek
2013-09-26  2:32         ` James Bottomley
2013-09-26  6:24           ` Jiri Kosina
2013-09-26 14:44             ` James Bottomley
2013-09-26 14:48               ` Jiri Kosina
2013-09-26 14:56                 ` Vojtech Pavlik
2013-09-26  4:40         ` joeyli
2013-09-26  1:11       ` Alan Stern
2013-09-26  2:19     ` joeyli
2013-09-26 10:43       ` joeyli
2013-09-26 12:06         ` Pavel Machek
2013-09-26 12:21           ` Michal Marek
2013-09-26 12:23             ` Vojtech Pavlik
2013-09-26 12:22           ` Vojtech Pavlik
2013-09-26 13:20             ` joeyli
2013-09-26 12:56           ` joeyli
2013-09-26  1:36   ` joeyli
2013-10-17 14:18 ` Rafael J. Wysocki [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3744955.cCTmoQ1ejp@vostro.rjw.lan \
    --to=rjw@sisk.pl \
    --cc=GLin@suse.com \
    --cc=JKosina@suse.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=herbert@gondor.hengli.com.au \
    --cc=hpa@zytor.com \
    --cc=james.bottomley@hansenpartnership.com \
    --cc=jlee@suse.com \
    --cc=joeyli.kernel@gmail.com \
    --cc=jwboyer@redhat.com \
    --cc=len.brown@intel.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-pm@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=matt.fleming@intel.com \
    --cc=mjg59@srcf.ucam.org \
    --cc=mmarek@suse.cz \
    --cc=opensuse-kernel@opensuse.org \
    --cc=pavel@ucw.cz \
    --cc=rusty@rustcorp.com.au \
    --cc=vgoyal@redhat.com \
    --cc=vojtech@suse.cz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox