Date:   Sun,  5 Aug 2018 11:21:13 +0800
From:   "Lee, Chun-Yi" <joeyli.kernel@...il.com>
To:     linux-kernel@...r.kernel.org
Cc:     linux-efi@...r.kernel.org, x86@...nel.org,
        keyrings@...r.kernel.org, linux-integrity@...r.kernel.org,
        "Lee, Chun-Yi" <jlee@...e.com>, Kees Cook <keescook@...omium.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>,
        Pavel Machek <pavel@....cz>, Chen Yu <yu.c.chen@...el.com>,
        Oliver Neukum <oneukum@...e.com>,
        Ryan Chen <yu.chen.surf@...il.com>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        David Howells <dhowells@...hat.com>,
        Mimi Zohar <zohar@...ux.vnet.ibm.com>
Subject: [PATCH 0/6][RFC] Add EFI secure key to key retention service 

When secure boot is enabled, only a signed EFI binary can access an
EFI boot service variable before ExitBootService, which means that
the EFI boot service variable is secure.

This patch set adds functions to the EFI boot stub to generate a 512-bit
random number that can be used as a root key for encryption and
authentication. This root key will be kept in an EFI boot service variable.
The EFI boot stub will read and transfer the ERK (EFI root key) to the kernel.

At runtime, the ERK can be used to encrypt/authenticate another
random number to generate an EFI secure key. The EFI secure key can be
a new master key type for encrypted keys. It's useful for hibernation
or EVM.

Here is the proof of concept for using EFI secure key in hibernation:
  https://github.com/joeyli/linux-s4sign/commit/6311e97038974bc5de8121769fb4d34470009566

Cc: Kees Cook <keescook@...omium.org>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Ingo Molnar <mingo@...hat.com>
Cc: "H. Peter Anvin" <hpa@...or.com>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>
Cc: Pavel Machek <pavel@....cz>
Cc: Chen Yu <yu.c.chen@...el.com>
Cc: Oliver Neukum <oneukum@...e.com>
Cc: Ryan Chen <yu.chen.surf@...il.com>
Cc: Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc: David Howells <dhowells@...hat.com>
Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@...e.com>

Lee, Chun-Yi (6):
  x86/KASLR: make getting random long number function public
  efi: the function transfers status to string
  efi: generate efi root key in EFI boot stub
  key: add EFI secure key type
  key: add EFI secure key as a master key type
  key: enforce the secure boot checking when loading efi root key

 Documentation/admin-guide/kernel-parameters.txt |   6 +
 arch/x86/boot/compressed/Makefile               |   1 +
 arch/x86/boot/compressed/cpuflags.c             |   2 +-
 arch/x86/boot/compressed/eboot.c                |   2 +
 arch/x86/boot/compressed/efi_root_key.c         | 212 +++++++
 arch/x86/boot/compressed/kaslr.c                |  21 -
 arch/x86/boot/compressed/misc.c                 |  17 +
 arch/x86/boot/compressed/misc.h                 |  12 +-
 arch/x86/include/asm/efi.h                      |  13 +
 arch/x86/include/uapi/asm/bootparam.h           |   1 +
 arch/x86/kernel/setup.c                         |   3 +
 arch/x86/lib/kaslr.c                            |  61 +-
 arch/x86/lib/random.c                           |  68 +++
 drivers/firmware/efi/Kconfig                    |  31 +
 drivers/firmware/efi/Makefile                   |   1 +
 drivers/firmware/efi/efi-secure-key.c           | 748 ++++++++++++++++++++++++
 include/keys/efi-type.h                         |  57 ++
 include/linux/efi.h                             |  40 ++
 include/linux/kernel.h                          |   3 +-
 kernel/panic.c                                  |   1 +
 security/keys/encrypted-keys/encrypted.c        |  10 +
 21 files changed, 1226 insertions(+), 84 deletions(-)
 create mode 100644 arch/x86/boot/compressed/efi_root_key.c
 create mode 100644 arch/x86/lib/random.c
 create mode 100644 drivers/firmware/efi/efi-secure-key.c
 create mode 100644 include/keys/efi-type.h

-- 
2.13.6
