Message-ID: <1518612748.4749.29.camel@profitbricks.com>
Subject: Read-protected UEFI variables
From: Benjamin Drung
To: Matthew Garrett, Jeremy Kerr, Matt Fleming, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Wed, 14 Feb 2018 13:52:28 +0100

Hi,

I am exploring the possibility of storing SSH and other keys in UEFI variables for systems that do not have persistent storage. These systems boot via network and need individual SSH keys which ideally should not be distributed via network.

The plan is to write a small daemon that starts at boot and gets the SSH keys from EFI variables to individualize the system with SSH keys. I plan to release the code as free software.

Simple proof-of-concept code:

mount -t efivarfs none /sys/firmware/efi/efivars
for key in ssh_host_dsa_key ssh_host_ecdsa_key ssh_host_rsa_key; do
	# Skip the 4-byte attribute header that efivarfs puts before the data.
	dd ibs=1 skip=4 \
		if="/sys/firmware/efi/efivars/${key}-89df11f4-38e6-473e-ab43-b4406b76fba9" \
		of="/etc/ssh/$key"
done

I am not the first person to have the idea of using UEFI variables to store keys:
https://www.usenix.org/conference/srecon17asia/program/presentation/korgachin

There is one problem: The keys should be readable only by root. When mounting efivarfs, all variables have the permission 644, which makes them readable by all users. I have different ideas for how to solve it:

1) Hard-code a list of GUIDs that should be only readable by root in the kernel module. These modules would also not be set to immutable.

2) Instead of hard-coding GUIDs, add a kernel module parameter to specify the GUIDs. Maybe have a default list in the kernel module.

3) Add a mount option to specify the protected GUIDs.

Feedback is welcome.

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.drung@profitbricks.com
URL: https://www.profitbricks.de

Registered office: Berlin
Register court: Amtsgericht Charlottenburg, HRB 125506 B
Managing directors: Achim Weiss, Matthias Steinberg
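
Added example, not part of the original mail: the key-extraction step from the proof of concept written so that the installed key files are created with mode 0600 and the world-readable source variable is reported. EFIVARS_DIR and the function names are assumptions made for this sketch; the GUID and key names are the ones in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. EFIVARS_DIR and all function
# names are assumptions; the GUID is the one in the mail's proof of concept.
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}
KEY_GUID=89df11f4-38e6-473e-ab43-b4406b76fba9

# Print the 32-bit little-endian attribute word efivarfs puts before the data.
efivar_attrs() {
    set -- $(od -An -tu1 -N4 "$1")
    [ $# -eq 4 ] || return 1
    printf '0x%08x\n' $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# Succeed if "other" may read the file (the mode 644 problem from the mail).
world_readable() {
    case $(stat -c %a "$1" 2>/dev/null) in
        *[4567]) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the payload (everything after the 4 attribute bytes) to $2 with mode
# 0600, through a temp file so a partial key never appears at the final path.
install_efi_key() {
    src=$EFIVARS_DIR/$1-$KEY_GUID
    dst=$2
    [ -r "$src" ] || { echo "missing: $src" >&2; return 1; }
    [ "$(wc -c < "$src")" -gt 4 ] || { echo "no payload: $src" >&2; return 1; }
    tmp=$(umask 077; mktemp "$dst.XXXXXX") || return 1
    if tail -c +5 "$src" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Install the three host keys named in the mail into directory $1,
# warning when a source variable is readable by unprivileged users.
provision_host_keys() {
    for key in ssh_host_dsa_key ssh_host_ecdsa_key ssh_host_rsa_key; do
        if world_readable "$EFIVARS_DIR/$key-$KEY_GUID"; then
            echo "warning: $key variable is world-readable" >&2
        fi
        install_efi_key "$key" "$1/$key" || return 1
    done
}
```

On a real system this would be called as provision_host_keys /etc/ssh after efivarfs is mounted; restricting the installed files does not change the 644 mode of the variables themselves, which is the problem the mail asks about.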