lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20180805032119.20485-1-jlee@suse.com>
Date:   Sun,  5 Aug 2018 11:21:13 +0800
From:   "Lee, Chun-Yi" <joeyli.kernel@...il.com>
To:     linux-kernel@...r.kernel.org
Cc:     linux-efi@...r.kernel.org, x86@...nel.org,
        keyrings@...r.kernel.org, linux-integrity@...r.kernel.org,
        "Lee, Chun-Yi" <jlee@...e.com>, Kees Cook <keescook@...omium.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>,
        Pavel Machek <pavel@....cz>, Chen Yu <yu.c.chen@...el.com>,
        Oliver Neukum <oneukum@...e.com>,
        Ryan Chen <yu.chen.surf@...il.com>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        David Howells <dhowells@...hat.com>,
        Mimi Zohar <zohar@...ux.vnet.ibm.com>
Subject: [PATCH 0/6][RFC] Add EFI secure key to key retention service 

When secure boot is enabled, only signed EFI binary can access
EFI boot service variable before ExitBootService. Which means that
the EFI boot service variable is secure.
   
This patch set add functions to EFI boot stub to generate a 512-bit
random number that it can be used as a root key for encryption and
authentication. This root key will be kept in EFI boot service variable.
EFI boot stub will read and transfer ERK (efi root key) to kernel.
    
At runtime, the ERK can be used to encrypted/authentication other
random number to generate EFI secure key. The EFI secure key can be
a new master key type for encrypted key. It's useful for hibernation
or evm.

Here is the proof of concept for using EFI secure key in hibernation:
  https://github.com/joeyli/linux-s4sign/commit/6311e97038974bc5de8121769fb4d34470009566

Cc: Kees Cook <keescook@...omium.org>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Ingo Molnar <mingo@...hat.com>
Cc: "H. Peter Anvin" <hpa@...or.com>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>
Cc: Pavel Machek <pavel@....cz>
Cc: Chen Yu <yu.c.chen@...el.com>
Cc: Oliver Neukum <oneukum@...e.com>
Cc: Ryan Chen <yu.chen.surf@...il.com>
Cc: Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc: David Howells <dhowells@...hat.com>
Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@...e.com>

Lee, Chun-Yi (6):
  x86/KASLR: make getting random long number function public
  efi: the function transfers status to string
  efi: generate efi root key in EFI boot stub
  key: add EFI secure key type
  key: add EFI secure key as a master key type
  key: enforce the secure boot checking when loading efi root key

 Documentation/admin-guide/kernel-parameters.txt |   6 +
 arch/x86/boot/compressed/Makefile               |   1 +
 arch/x86/boot/compressed/cpuflags.c             |   2 +-
 arch/x86/boot/compressed/eboot.c                |   2 +
 arch/x86/boot/compressed/efi_root_key.c         | 212 +++++++
 arch/x86/boot/compressed/kaslr.c                |  21 -
 arch/x86/boot/compressed/misc.c                 |  17 +
 arch/x86/boot/compressed/misc.h                 |  12 +-
 arch/x86/include/asm/efi.h                      |  13 +
 arch/x86/include/uapi/asm/bootparam.h           |   1 +
 arch/x86/kernel/setup.c                         |   3 +
 arch/x86/lib/kaslr.c                            |  61 +-
 arch/x86/lib/random.c                           |  68 +++
 drivers/firmware/efi/Kconfig                    |  31 +
 drivers/firmware/efi/Makefile                   |   1 +
 drivers/firmware/efi/efi-secure-key.c           | 748 ++++++++++++++++++++++++
 include/keys/efi-type.h                         |  57 ++
 include/linux/efi.h                             |  40 ++
 include/linux/kernel.h                          |   3 +-
 kernel/panic.c                                  |   1 +
 security/keys/encrypted-keys/encrypted.c        |  10 +
 21 files changed, 1226 insertions(+), 84 deletions(-)
 create mode 100644 arch/x86/boot/compressed/efi_root_key.c
 create mode 100644 arch/x86/lib/random.c
 create mode 100644 drivers/firmware/efi/efi-secure-key.c
 create mode 100644 include/keys/efi-type.h

-- 
2.13.6

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ