On Tue, 2013-03-19 at 23:17 +0000, Matthew Garrett wrote: > On Tue, Mar 19, 2013 at 11:00:31PM +0000, James Bottomley wrote: > > On Tue, 2013-03-19 at 18:50 +0000, Matthew Garrett wrote: > > > Well, that somewhat complicates implementation - we'd be encrypting the > > > entire contents of memory except for the key that we're using to encrypt > > > memory. Keeping the public key away from userspace avoids having to care > > > about that. > > > > I don't quite understand what you're getting at: the principle of public > > key cryptography is that you can make the public key, well public. You > > only need to guard the private key. > > Ok, so let's just rephrase it as asymmetric cryptography. The aim is to > ensure that there's never a situation where userspace can decrypt a > hibernation file, modify it and reencrypt it. So, shim (or whatever) > generates a keypair. The encryption key is passed to the kernel being > booted. The decryption key is stashed in a variable in order to be > passed to the resume kernel. > > If the decryption key is available to userspace then the kernel needs to > discard the encryption key during image write-out - otherwise the > encryption key will be in the encrypted image. If the decryption key > isn't available to userspace then this isn't a concern. > > If the decryption key *is* available to userspace (as it would be in > your case), there's a requirement to discard the encryption key during > the hibernation process. This isn't impossible, but it does add a little > to the complexity. I agree with this. But I do think the volatile secret key scheme, where you discard the key immediately after use is the more secure one because it relies on fewer secrets (and, indeed, no secrets at all after the event). It's a case where transparency encourages better security architecture. James -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html