Date:   Fri, 19 Feb 2021 18:20:13 -0800
From:   Randy Dunlap <rdunlap@...radead.org>
To:     Matthew Garrett <matthewgarrett@...gle.com>,
        linux-kernel@...r.kernel.org
Cc:     linux-integrity@...r.kernel.org, linux-pm@...r.kernel.org,
        keyrings@...r.kernel.org, zohar@...ux.ibm.com, jejb@...ux.ibm.com,
        jarkko@...nel.org, corbet@....net, rjw@...ysocki.net,
        Matthew Garrett <mjg59@...gle.com>
Subject: Re: [PATCH 7/9] pm: hibernate: Optionally use TPM-backed keys to
 protect image integrity

Hi--

On 2/19/21 5:32 PM, Matthew Garrett wrote:
> diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig
> index a7320f07689d..0279cc10f319 100644
> --- a/kernel/power/Kconfig
> +++ b/kernel/power/Kconfig
> @@ -92,6 +92,21 @@ config HIBERNATION_SNAPSHOT_DEV
>  
>  	  If in doubt, say Y.
>  
> +config SECURE_HIBERNATION
> +       bool "Implement secure hibernation support"
> +       depends on HIBERNATION && TCG_TPM
> +       select KEYS
> +       select TRUSTED_KEYS
> +       select CRYPTO
> +       select CRYPTO_SHA256
> +       select CRYPTO_AES
> +       select TCG_TPM_RESTRICT_PCR
> +       help
> +         Use a TPM-backed key to securely determine whether a hibernation
> +	 image was written out by the kernel and has not been tampered with.
> +	 This requires a TCG-compliant TPM2 device, which is present on most
> +	 modern hardware.
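Review bot: the indentation in this hunk is inconsistent and does not match Kconfig style: the `bool`, `depends on`, `select` and `help` lines use seven spaces instead of one tab, the first help line uses nine spaces, and the remaining help lines use a tab plus one space; all option lines should be one tab and all help lines one tab plus two spaces. On the `select` lines, KEYS, TRUSTED_KEYS, CRYPTO, CRYPTO_SHA256 and CRYPTO_AES are separate subsystems that this option should express as `depends on` rather than force-enable; note also that `select` does not check the selected symbol's own dependencies, so `select TRUSTED_KEYS` can produce a configuration where TRUSTED_KEYS is enabled without what it needs. A minor point on the help text: it says a TPM2 device is required, while `depends on HIBERNATION && TCG_TPM` also admits TPM 1.2 builds, so the help could say that the option is only usable at runtime with a TPM2.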

Please follow coding-style for Kconfig files:

(from Documentation/process/coding-style.rst, section 10):

  For all of the Kconfig* configuration files throughout the source tree,
  the indentation is somewhat different.  Lines under a ``config`` definition
  are indented with one tab, while help text is indented an additional two
  spaces.


Also, one feature should not be responsible for enabling other "subsystems,"
such as KEYS and CRYPTO. They should instead be listed as dependencies.


-- 
~Randy
