Re: Trusted kernel patchset

[joeyli]

On Mon, Mar 16, 2015 at 10:54:54PM +0100, Jiri Kosina wrote:
> On Mon, 16 Mar 2015, Matthew Garrett wrote:
> 
> > > - All suspend/resumes allow modifying the kernel. I can boot Linux
> > >   suspend, boot windows, modify the Linux restore image, boot Linux and
> > >   own the box. You would need to sign the resume image somehow I think or
> > >   just disable all suspend/resume
> > 
> > I'm kind of torn on this - yes, there are deployment scenarios where
> > hibernation can be used to circumvent the restrictions, but there are
> > also scenarios where that can be avoided (eg, the bootloader verifies
> > some state with respect to the hibernation image).
> 
> [ adding Joey to CC ]
> 
> Just for completness -- there is a way around this:
> 
> 	https://lkml.org/lkml/2013/9/14/183
> 
> The series is not really the optimal one, as Alan Stern later figured out 
> that symmetric cryptography is strong enough to achieve the same goal, but 
> I am not sure whether Joey implemented that idea already.
> 
> -- 
> Jiri Kosina
> SUSE Labs

About the symmetric key edition, I developed a prototype the codes on github
are ugly and still need clear up. But it works for using HMAC to generate
signature and verify hibernate image.

There still has a situation need to solve:
 
There doesn't have enough random entropy for the FIRST TIME boot to generate
HMAC key in EFI stub.

And, I need implement a hash function in EFI stub, at least SHA1, to mess
entropies from difference sources (rdtsc, RdRand... not too many) for generating
new HMAC key. An other idea is sending a random seed from runtime random pool to
boot time to be one of the seed of next HMAC key.


Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/