On Thu, Dec 06, 2018 at 06:14:03PM -0800, Huang, Kai wrote: > On Mon, 2018-12-03 at 23:39 -0800, Alison Schofield wrote: 8< ------------ > > Add an 'mktme_vault' where key data is stored. > > > > Add 'mktme_savekeys' kernel command line parameter that directs > > what key data can be stored. If it is not set, kernel does not > > store users data key or tweak key. > > > > Add 'mktme_bitmap_user_type' to track when USER type keys are in > > use. If no USER type keys are currently in use, a physical package > > may be brought online, despite the absence of 'mktme_savekeys'. > > Overall, I am not sure whether saving key is good idea, since it breaks coldboot attack IMHO. We > need to tradeoff between supporting CPU hotplug and security. I am not sure whether supporting CPU > hotplug is that important, since for some other features such as SGX, we don't support CPU hotplug > anyway. Yes, saving the key data exposes it in a cold boot attack. Here we have 2 conflicting requirements. Do not save the data and support CPU hotplug. I don't think CPU hotplug support is budging! If the risk of offering the mktme_savekeys option is too dangerous, then we can't have user type keys. Is mktme_savekeys options too risky to offer? (That's not just a question for you Kai ;). I'll pursue too.) > > Alternatively, we can choose to use per-socket keyID, but not to program keyID globally across all > sockets, so you don't have to save key while still supporting CPU hotplug. An alternative, with a lot of impact to the core linux support for MKTME. I don't think we need to go there. I'll leave this thought for a Kirill or Dave to perhaps elaborate on. Alison > > Thanks, > -Kai
