| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1377734505.19568.39.camel@linux-s257.site> Date: Thu, 29 Aug 2013 08:01:45 +0800 From: joeyli <jlee@...e.com> To: Florian Weimer <fw@...eb.enyo.de> Cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org, linux-pm@...r.kernel.org, linux-crypto@...r.kernel.org, opensuse-kernel@...nsuse.org, David Howells <dhowells@...hat.com>, "Rafael J. Wysocki" <rjw@...k.pl>, Matthew Garrett <mjg59@...f.ucam.org>, Len Brown <len.brown@...el.com>, Pavel Machek <pavel@....cz>, Josh Boyer <jwboyer@...hat.com>, Vojtech Pavlik <vojtech@...e.cz>, Matt Fleming <matt.fleming@...el.com>, James Bottomley <james.bottomley@...senpartnership.com>, Greg KH <gregkh@...uxfoundation.org>, JKosina@...e.com, Rusty Russell <rusty@...tcorp.com.au>, Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, "H. Peter Anvin" <hpa@...or.com>, Michal Marek <mmarek@...e.cz>, Gary Lin <GLin@...e.com>, Vivek Goyal <vgoyal@...hat.com> Subject: Re: [RFC PATCH 00/18 v3] Signature verification of hibernate snapshot Hi Florian, Thanks for your response. 於 三,2013-08-28 於 23:01 +0200,Florian Weimer 提到: > * Chun-Yi Lee: > > > + EFI bootloader must generate RSA key-pair when system boot: I should add more information on this sentence for mention need GenS4Key runtime variable then re-generate key-pair. Thanks! > > - Bootloader store the public key to EFI boottime variable by itself > > - Bootloader put The private key to S4SignKey EFI variable for forward to > > kernel. > > Is the UEFI NVRAM really suited for such regular updates? > Yes, Matthew raised this concern at before. I modified patch to load private key in efi stub kernel, before ExitBootServices(), that means we don't need generate key-pair at every system boot. So, the above procedure of efi bootloader will only run one time. User can enable SNAPSHOT_REGEN_KEYS kernel config to notify efi booloader regenerate key-pair for every S4 to improve security if he want. So, the key-pair re-generate procedure will only launched when S4 resume, not every system boot. Thanks a lot! Joey Lee -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists