On Thu, Jan 10, 2019 at 02:11:55AM +0800, joeyli wrote:
> > Well, I think here, if we were actually trying to solve the problem of
> > proving the hibernated image were the same one we would need to prove
> > some log of the kernel operation came to a particular value *after* the
> > hibernated image were restored ... it's not really possible to
> > condition key release which must occur before the restore on that
> > outcome, so it strikes me we need more than a simple release bound to
> > PCR values.
> >
>
> hm... I am studying your information. But I have a question...
>
> If the PCR is not capped and root is compromised, is it possible that a
> sealed bundle is also compromised?
>
> Is it possible that the kernel can produce a sealed key with a PCR by the TPM when
> booting? Then the kernel caps a PCR with a constant value before root is
> available to userland. Then the sealed key can be exposed to userland
> or be attached to the hibernate image. Even if root is compromised, the TPM
> trusted key is still secure.
I think this even might be reasonable. Especially when we land James' encrypted sessions patches at some point.

/Jarkko
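The capping scheme joeyli sketches above (seal a key under the boot-time PCR value, then extend the PCR with a constant before userland exists) can be checked against a toy model. The following is an added example, not code from this thread or from the kernel's trusted-keys or hibernation patches: it simulates a single SHA-256 PCR bank with a one-way extend, a seal/unseal operation whose policy is "the PCR must equal the value recorded at seal time", and a reboot that resets the PCR and replays the same measurements. The constants `CAP_VALUE` and `BOOT_MEASUREMENTS`, the XOR-with-derived-keystream "encryption" and the `SimTpm` class are all constructed for the demonstration and do not correspond to any real TPM command or kernel interface.

```python
import hashlib
import hmac
import os

PCR_SIZE = 32  # one SHA-256 PCR bank

# Constructed values: what firmware/bootloader would measure before the kernel runs,
# and the constant the kernel extends to "cap" the PCR before userland starts.
BOOT_MEASUREMENTS = [b"firmware image", b"bootloader", b"kernel+initrd"]
CAP_VALUE = b"hibernation-key-pcr-cap"  # hypothetical constant


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """One-way extend as a TPM does it: new = H(old || H(data)). There is no inverse."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


class SimTpm:
    """Toy TPM: one PCR, a storage key that never leaves the device, PCR-bound seal/unseal."""

    def __init__(self):
        self._srk = os.urandom(32)  # storage root key, internal to the TPM
        self.pcr = bytes(PCR_SIZE)  # PCR reset value on power-on

    def extend(self, data: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, data)

    def reboot(self) -> None:
        """Power cycle: PCR resets, the pre-kernel measurements are replayed identically."""
        self.pcr = bytes(PCR_SIZE)
        for m in BOOT_MEASUREMENTS:
            self.extend(m)

    def seal(self, secret: bytes) -> dict:
        """Seal a 32-byte secret to the *current* PCR value (the policy)."""
        assert len(secret) == 32
        policy = self.pcr
        keystream = hashlib.sha256(self._srk + policy).digest()  # toy encryption only
        ct = bytes(a ^ b for a, b in zip(secret, keystream))
        mac = hmac.new(self._srk, policy + ct, hashlib.sha256).digest()
        return {"policy": policy, "ct": ct, "mac": mac}

    def unseal(self, blob: dict) -> bytes:
        """Release the secret only if the PCR equals the sealed policy and the blob is intact."""
        expected = hmac.new(self._srk, blob["policy"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["mac"]):
            raise ValueError("sealed blob tampered")
        if not hmac.compare_digest(blob["policy"], self.pcr):
            raise PermissionError("PCR does not match sealing policy")
        keystream = hashlib.sha256(self._srk + blob["policy"]).digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], keystream))


def kernel_boot(tpm: SimTpm, key: bytes, cap: bool) -> dict:
    """Kernel-side sequence: seal under the boot PCR, then (optionally) cap before userland."""
    tpm.reboot()
    blob = tpm.seal(key)
    if cap:
        tpm.extend(CAP_VALUE)
    return blob


def userland_can_unseal(tpm: SimTpm, blob: dict) -> bool:
    """What a (possibly compromised) root process can do once it has the blob and TPM access."""
    try:
        tpm.unseal(blob)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    tpm = SimTpm()
    key = os.urandom(32)

    blob = kernel_boot(tpm, key, cap=True)
    after_cap = userland_can_unseal(tpm, blob)          # False: PCR moved past the policy
    tpm.extend(b"root extends whatever it likes")       # extend is one-way; cannot return
    after_root_extend = userland_can_unseal(tpm, blob)  # still False

    tpm.reboot()                                        # resume path: same measurements, no cap yet
    kernel_recovers = tpm.unseal(blob) == key           # True: kernel unseals before capping

    blob_uncapped = kernel_boot(tpm, key, cap=False)
    uncapped_exposed = userland_can_unseal(tpm, blob_uncapped)  # True: root can unseal

    return {
        "after_cap": after_cap,
        "after_root_extend": after_root_extend,
        "kernel_recovers": kernel_recovers,
        "uncapped_exposed": uncapped_exposed,
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the security argument explicit: once the kernel extends the PCR with the cap constant, no later caller can drive the register back to the value the blob was sealed under, because extend is a hash chain with no inverse; only a fresh boot that replays the same measurements reaches it again, which is exactly the window in which the resuming kernel needs the key. The uncapped run shows the contrast the question raises: with the PCR left alone, root holding the blob can unseal it.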