Hi! > > > - Bootloader store the public key to EFI boottime variable by itself > > > - Bootloader put The private key to S4SignKey EFI variable for forward to > > > kernel. > > > > Is the UEFI NVRAM really suited for such regular updates? > > > > Yes, Matthew raised this concern at before. I modified patch to load > private key in efi stub kernel, before ExitBootServices(), that means we > don't need generate key-pair at every system boot. So, the above > procedure of efi bootloader will only run one time. > > User can enable SNAPSHOT_REGEN_KEYS kernel config to notify efi > booloader regenerate key-pair for every S4 to improve security if he > want. So, the key-pair re-generate procedure will only launched when S4 > resume, not every system boot. How many writes can UEFI NVRAM survive? (Is it NOR?) "every S4 resume" may be approximately "every boot" for some users... Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
