Hello Chun-Yi,

On 5 August 2018 at 05:21, Lee, Chun-Yi <joeyli.kernel@xxxxxxxxx> wrote:
> When secure boot is enabled, only signed EFI binaries can access
> EFI boot service variables before ExitBootServices. This means that
> the EFI boot service variable is secure.
>

No, it isn't, and this is a very dangerous assumption to make.

'Secure' means different things to different people. 'Secure boot' is a misnomer, since it is too vague: it should be called 'authenticated boot', and the catch is that authentication using public-key crypto does not involve secrets at all.

The UEFI variable store was not designed with confidentiality in mind, and assuming [given the reputation of EFI on the implementation side] that you can use it to keep secrets is rather unwise imho.

> This patch set adds functions to the EFI boot stub to generate a 512-bit
> random number that can be used as a root key for encryption and
> authentication. This root key will be kept in an EFI boot service variable.
> The EFI boot stub will read and transfer the ERK (EFI root key) to the kernel.
>
> At runtime, the ERK can be used to encrypt/authenticate other
> random numbers to generate an EFI secure key. The EFI secure key can be
> a new master key type for encrypted keys. It's useful for hibernation
> or EVM.
>
> Here is the proof of concept for using the EFI secure key in hibernation:
> https://github.com/joeyli/linux-s4sign/commit/6311e97038974bc5de8121769fb4d34470009566
>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
> Cc: "Rafael J. Wysocki" <rafael.j.wysocki@xxxxxxxxx>
> Cc: Pavel Machek <pavel@xxxxxx>
> Cc: Chen Yu <yu.c.chen@xxxxxxxxx>
> Cc: Oliver Neukum <oneukum@xxxxxxxx>
> Cc: Ryan Chen <yu.chen.surf@xxxxxxxxx>
> Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: "Lee, Chun-Yi" <jlee@xxxxxxxx>
>
> Lee, Chun-Yi (6):
>   x86/KASLR: make getting random long number function public
>   efi: the function transfers status to string
>   efi: generate efi root key in EFI boot stub
>   key: add EFI secure key type
>   key: add EFI secure key as a master key type
>   key: enforce the secure boot checking when loading efi root key
>
>  Documentation/admin-guide/kernel-parameters.txt |   6 +
>  arch/x86/boot/compressed/Makefile               |   1 +
>  arch/x86/boot/compressed/cpuflags.c             |   2 +-
>  arch/x86/boot/compressed/eboot.c                |   2 +
>  arch/x86/boot/compressed/efi_root_key.c         | 212 +++++++
>  arch/x86/boot/compressed/kaslr.c                |  21 -
>  arch/x86/boot/compressed/misc.c                 |  17 +
>  arch/x86/boot/compressed/misc.h                 |  12 +-
>  arch/x86/include/asm/efi.h                      |  13 +
>  arch/x86/include/uapi/asm/bootparam.h           |   1 +
>  arch/x86/kernel/setup.c                         |   3 +
>  arch/x86/lib/kaslr.c                            |  61 +-
>  arch/x86/lib/random.c                           |  68 +++
>  drivers/firmware/efi/Kconfig                    |  31 +
>  drivers/firmware/efi/Makefile                   |   1 +
>  drivers/firmware/efi/efi-secure-key.c           | 748 ++++++++++++++++++++++++
>  include/keys/efi-type.h                         |  57 ++
>  include/linux/efi.h                             |  40 ++
>  include/linux/kernel.h                          |   3 +-
>  kernel/panic.c                                  |   1 +
>  security/keys/encrypted-keys/encrypted.c        |  10 +
>  21 files changed, 1226 insertions(+), 84 deletions(-)
>  create mode 100644 arch/x86/boot/compressed/efi_root_key.c
>  create mode 100644 arch/x86/lib/random.c
>  create mode 100644 drivers/firmware/efi/efi-secure-key.c
>  create mode 100644 include/keys/efi-type.h
>
> --
> 2.13.6
>
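The thread above turns on what a "boot service variable" actually promises. The following added example (not code from the patch series or from either poster) parses efivarfs-style variable blobs, a 4-byte little-endian attribute mask followed by the payload, and reports the access attributes; the two sample blobs are constructed, and the attribute bit values are those defined by the UEFI specification. It shows that BOOTSERVICE_ACCESS without RUNTIME_ACCESS only restricts which callers firmware serves GetVariable to, which is an access-control property, not a confidentiality guarantee for the stored bytes.

```python
"""Inspect UEFI variable attribute masks as exposed by Linux efivarfs.

Each efivarfs file is: <4-byte LE attributes><payload>. The samples below
are constructed for illustration, not dumps from real firmware.
"""
import struct

# Attribute bits from the UEFI specification (SetVariable/GetVariable).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

ATTR_NAMES = [
    (EFI_VARIABLE_NON_VOLATILE, "NON_VOLATILE"),
    (EFI_VARIABLE_BOOTSERVICE_ACCESS, "BOOTSERVICE_ACCESS"),
    (EFI_VARIABLE_RUNTIME_ACCESS, "RUNTIME_ACCESS"),
    (EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, "TIME_BASED_AUTH_WRITE"),
]


def parse_efivar(blob: bytes):
    """Split an efivarfs blob into (attribute mask, payload bytes)."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob is shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def describe(name: str, blob: bytes) -> dict:
    """Summarise what the attribute mask does and does not promise."""
    attrs, payload = parse_efivar(blob)
    bs = bool(attrs & EFI_VARIABLE_BOOTSERVICE_ACCESS)
    rt = bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS)
    return {
        "name": name,
        "attributes": [label for bit, label in ATTR_NAMES if attrs & bit],
        "runtime_readable": rt,              # OS can GetVariable() after ExitBootServices
        "boot_service_only": bs and not rt,  # only pre-ExitBootServices callers are served
        "write_authenticated": bool(attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
        "persistent": bool(attrs & EFI_VARIABLE_NON_VOLATILE),  # lives in the NVRAM store
        "payload_len": len(payload),
    }


def secure_boot_enabled(secureboot_blob: bytes) -> bool:
    """The SecureBoot variable holds a single byte: 1 when enforcement is on."""
    _, payload = parse_efivar(secureboot_blob)
    return len(payload) >= 1 and payload[0] == 1


# Constructed samples: SecureBoot is NV+BS+RT with value 1; a hypothetical
# root-key variable stored NV+BS only with 64 placeholder (zero) bytes.
SAMPLE_SECUREBOOT = struct.pack("<I", 0x7) + b"\x01"
SAMPLE_ROOT_KEY = struct.pack("<I", 0x3) + bytes(64)
```

A variable that reports `boot_service_only` is still written to the same NVRAM store as every other variable; the flag hides it from runtime GetVariable callers, nothing more.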