Hi Florian, Thanks for your response. 於 三,2013-08-28 於 23:01 +0200,Florian Weimer 提到: > * Chun-Yi Lee: > > > + EFI bootloader must generate RSA key-pair when system boot: I should add more information on this sentence for mention need GenS4Key runtime variable then re-generate key-pair. Thanks! > > - Bootloader store the public key to EFI boottime variable by itself > > - Bootloader put The private key to S4SignKey EFI variable for forward to > > kernel. > > Is the UEFI NVRAM really suited for such regular updates? > Yes, Matthew raised this concern at before. I modified patch to load private key in efi stub kernel, before ExitBootServices(), that means we don't need generate key-pair at every system boot. So, the above procedure of efi bootloader will only run one time. User can enable SNAPSHOT_REGEN_KEYS kernel config to notify efi booloader regenerate key-pair for every S4 to improve security if he want. So, the key-pair re-generate procedure will only launched when S4 resume, not every system boot. Thanks a lot! Joey Lee -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html