On Mon, Mar 16, 2015 at 10:54:54PM +0100, Jiri Kosina wrote: > On Mon, 16 Mar 2015, Matthew Garrett wrote: > > > > - All suspend/resumes allow modifying the kernel. I can boot Linux > > > suspend, boot windows, modify the Linux restore image, boot Linux and > > > own the box. You would need to sign the resume image somehow I think or > > > just disable all suspend/resume > > > > I'm kind of torn on this - yes, there are deployment scenarios where > > hibernation can be used to circumvent the restrictions, but there are > > also scenarios where that can be avoided (eg, the bootloader verifies > > some state with respect to the hibernation image). > > [ adding Joey to CC ] > > Just for completness -- there is a way around this: > > https://lkml.org/lkml/2013/9/14/183 > > The series is not really the optimal one, as Alan Stern later figured out > that symmetric cryptography is strong enough to achieve the same goal, but > I am not sure whether Joey implemented that idea already. > > -- > Jiri Kosina > SUSE Labs
About the symmetric key edition, I developed a prototype the codes on github are ugly and still need clear up. But it works for using HMAC to generate signature and verify hibernate image. There still has a situation need to solve: There doesn't have enough random entropy for the FIRST TIME boot to generate HMAC key in EFI stub. And, I need implement a hash function in EFI stub, at least SHA1, to mess entropies from difference sources (rdtsc, RdRand... not too many) for generating new HMAC key. An other idea is sending a random seed from runtime random pool to boot time to be one of the seed of next HMAC key. Joey Lee -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/