> On Dec 18, 2020, at 04:10, Eric Biggers <ebiggers@xxxxxxxxxx> wrote: > > On Wed, Dec 16, 2020 at 09:41:42AM -0800, Chang S. Bae wrote: >> When the system state switches to these sleep states, the internal key gets >> reset. Since this system transition is transparent to userspace, the >> internal key needs to be restored properly. >> >> Key Locker provides a mechanism to back up the internal key in non-volatile >> memory. The kernel requests a backup right after the key loaded at >> boot-time and copies it later when the system wakes up. >> >> The backup during the S5 sleep state is not trusted. It is overwritten by a >> new key at the next boot. >> >> On a system with the S3/4 states, enable the feature only when the backup >> mechanism is supported. >> >> Disable the feature when the copy fails (or the backup corrupts). The >> shutdown is considered too noisy. A new key is considerable only when >> threads can be synchronously suspended. > > Can this backup key be used to decrypt the encoded AES keys without executing > the keylocker instructions on the same CPU? No. The backup key itself is inaccessible to the software. Thanks, Chang