Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp646547imm; Fri, 3 Aug 2018 09:11:09 -0700 (PDT) X-Google-Smtp-Source: AAOMgpce4TSRBh6vkOYPW+FmMzu6fzxFK6kFFflxXCMmiAzErjUujUQ0+AjXhhfTl5hdWPTQpVrI X-Received: by 2002:a17:902:758c:: with SMTP id j12-v6mr4187697pll.195.1533312669503; Fri, 03 Aug 2018 09:11:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533312669; cv=none; d=google.com; s=arc-20160816; b=ryzpHZug7tvB7VGzpEhdCIWpxDlph5E4lRsr/xWJb7h7hWbed4HU5DpwEb7z6w37bd adA8+oqvDqEIqNEj3g8rodfi7bT47LK1flB4IRUJsmCBpoI8/Zl8qp0IG6xDPfLbNMW8 V4MY32wa6JtRjl+/0izS8spb2Z43cr45L2At6++Pmyye/wfpm06R4EsmUvOLnZO+83md NAMHdHyXC7Sqa1BJokDObmOoKV0NQbE6n0/Ok2MNWru3um1zagUNFqc7ieNntc+RfOV6 UTYzlvE26VJHXhRBEje1diDey34Mbn4kiqBKLNq0PnzsnvhA+oJ4ChsZqY+Iy32jS2xE 7ZWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=KJ3Jxy0e0+HdwFAZXbi7BkykABkjFBL258HiCCbt7YY=; b=PfeYqUb8qQjzb/oUQpxe3vhT/UAj0uav0DUbL40p+mXXKMdhWSTwq3t/nxXYzTVwUT mO5WppbRaPYSp7eU4PTmGCXHdmUpdVMlYmOm9D22Vyr0510SAllngxczrcLxcXjXIL2A gC1g8CFDs6Enln9P0AKe9x06s0/dif6SdlK/6APF+/3QbHGDhWIrSVjOZHlNheZYevD9 NLhP2JXuQDU6bqpmOhJ2jWtqTSz3Qtiqx9mtNLadF+vwfgG7NhE23fopZDmbi2jUlAE7 ZkErRwi4eYRhcsR44WNgPWM+LtE0c74Q1RWq6fcqSVCetvhgEu0lJ9CUsbPNRYMgoDwP /Hqg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=pFiwquQx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 200-v6si5381251pgf.378.2018.08.03.09.10.54; Fri, 03 Aug 2018 09:11:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=pFiwquQx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728412AbeHCSGU (ORCPT + 99 others); Fri, 3 Aug 2018 14:06:20 -0400 Received: from mail-lj1-f195.google.com ([209.85.208.195]:39253 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727128AbeHCSGU (ORCPT ); Fri, 3 Aug 2018 14:06:20 -0400 Received: by mail-lj1-f195.google.com with SMTP id l15-v6so5365880lji.6; Fri, 03 Aug 2018 09:09:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KJ3Jxy0e0+HdwFAZXbi7BkykABkjFBL258HiCCbt7YY=; b=pFiwquQxdaITpL22bj6iqBwrQzQB3CIpokVGazhUGHuIOYdMHEUQ9ir8bgNxmtrpbk Yfyehzvg5sNTfpNkGBfm3jbPFBsuOXGS3uZpLAN5i5B12QEBDz62a62mm5r+x6kr9oaW rcEoDXfL6C931YID+YjW5ZlQc6qRT/Sspw+V5W36UnN26qBJA2O6f0OdbzqAQ4TgqJOk /Wc4BnR9Ff4YVW8v7U4p9HQh4AJ65UPsVL/C4dJzvBDQKisvnWGcExxQjL+UKUHv2DNd eAOfax9ecvh16ZYEsGoXuqBcboSs0f16q8DBDWVi2PRtqsM+s/ErhDVjii6zrxfnuupA 6sQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KJ3Jxy0e0+HdwFAZXbi7BkykABkjFBL258HiCCbt7YY=; b=Khv0DByHv+tL1VUV5ITcaQ200y078v4hXI4dP+9UFZTgfnhlgbqP0v5Kgs3Bya7L8v z2JMNINARMmx7l+YDebBmTOZwQoXgoCE9koJLfFBOZCr0VQZCpcteX0ZlySWxZbeDblJ KS4vgjSxBWzg4h14u/Kc1DtLhGE1kqPxuAi7A27pEHtFT7mcywvNdk+taGMoVCFRpUSs RmJfY+1Hy80TIw+bnMOQGD9qjIBppMkDodc2BHP2M/UQUypzZRq1JqrcNnrDikpT0ruZ TTU1i9hpLQSUczi17ACE53FtAzbZ4GX4yp458I8THQqr51zreTrnwxibV75n3jQBBp8t 7/9Q== X-Gm-Message-State: AOUpUlExmXrsOxW6Kw3qVBiAQlS4afWsANUu8/mILT8UF/iHOeOt6X7R LwdXqU1IgZ0lsP30yZxl9MrFsHuFhrWszAdPJxs= X-Received: by 2002:a2e:740f:: with SMTP id p15-v6mr6187617ljc.130.1533312560746; Fri, 03 Aug 2018 09:09:20 -0700 (PDT) MIME-Version: 1.0 References: <20180719132003.GA30981@sandybridge-desktop> <20180720102532.GA20284@amd> <1532346156.3057.11.camel@suse.com> <20180723162302.GA4503@sandybridge-desktop> <1532590246.7411.3.camel@suse.com> <20180726081404.GG4244@linux-l9pv.suse> <20180730170415.GQ4244@linux-l9pv.suse> <20180803033702.GB416@sandybridge-desktop> <20180803053445.GC4244@linux-l9pv.suse> <20180803140443.GD4244@linux-l9pv.suse> In-Reply-To: <20180803140443.GD4244@linux-l9pv.suse> From: Ryan Chen Date: Sat, 4 Aug 2018 00:09:08 +0800 Message-ID: Subject: Re: [PATCH 0/4][RFC v2] Introduce the in-kernel hibernation encryption To: jlee@suse.com Cc: Chen Yu , oneukum@suse.com, Pavel Machek , "Rafael J. Wysocki" , ebiggers@google.com, "Theodore Ts'o" , smueller@chronox.de, denkenz@gmail.com, Linux PM list , linux-crypto@vger.kernel.org, Linux Kernel Mailing List , kookoo.gu@intel.com, Zhang Rui Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 3, 2018 at 10:06 PM joeyli wrote: > > On Fri, Aug 03, 2018 at 09:14:22PM +0800, Ryan Chen wrote: > > On Fri, Aug 3, 2018 at 1:35 PM joeyli wrote: > > > > > > On Fri, Aug 03, 2018 at 11:37:02AM +0800, Yu Chen wrote: > > > > Hi Joey, > > > > On Tue, Jul 31, 2018 at 01:04:15AM +0800, joeyli wrote: > > > > > Hi all, > > > > > > > > > > On Thu, Jul 26, 2018 at 04:14:04PM +0800, joeyli wrote: > > > > > > On Thu, Jul 26, 2018 at 09:30:46AM +0200, Oliver Neukum wrote: > > > > > > > On Di, 2018-07-24 at 00:23 +0800, Yu Chen wrote: > > > > > > > > > > > > > > > > Good point, we once tried to generate key in kernel, but people > > > > > > > > suggest to generate key in userspace and provide it to the > > > > > > > > kernel, which is what ecryptfs do currently, so it seems this > > > > > > > > should also be safe for encryption in kernel. > > > > > > > > https://www.spinics.net/lists/linux-crypto/msg33145.html > > > > > > > > Thus Chun-Yi's signature can use EFI key and both the key from > > > > > > > > user space. > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > ecryptfs can trust user space. It is supposed to keep data > > > > > > > safe while the system is inoperative. The whole point of Secure > > > > > > > Boot is a cryptographic system of trust that does not include > > > > > > > user space. > > > > > > > > > > > > > > I seriously doubt we want to use trusted computing here. So the > > > > > > > key needs to be generated in kernel space and stored in a safe > > > > > > > manner. As we have a saolution doing that, can we come to ausable > > > > > > > synthesis? > > > > > > > > > > > > > > Regards > > > > > > > Oliver > > > > > > > > > > > > Crurently there have two solutions, they are trusted key and EFI key. > > > > > > Both of them are generated in kernel and are not visible in user space. > > > > > > > > > > > > The trusted key is generated by kernel then sealed by the TPM's > > > > > > SRK. So the trusted key can be stored in anywhere then be enrolled > > > > > > to kernel when we need it. EVM already uses it. > > > > > > > > > > > > The EFI key is Jiri Kosina's idea. It is stored in boot services > > > > > > variable, which means that it can only be access by signed EFI binary > > > > > > (e.g. signed EFI boot stub) when secure boot be enabled. SLE applied > > > > > > this solution a couple of years. > > > > > > > > > > > > I am working on put the EFI key to key retention service. Then > > > > > > EFI key can be a master key of encrypted key. EVM can also use > > > > > > it: > > > > > > https://github.com/joeyli/linux-s4sign/commit/bae39460393ada4c0226dd07cd5e3afcef86b71f > > > > > > https://github.com/joeyli/linux-s4sign/commit/f552f97cc3cca5acd84f424b7f946ffb5fe8e9ec > > > > > > > > > > > > That's why I want to use key retention service in hibernation > > > > > > encryption/authentication. Which means that we can use key > > > > > > API to access trusted key and EFI key. > > > > > > > > > > > > > > > > Here is a proof of concept for using the key retention service > > > > > to encrypt/sign snapshot image. It's using EFI key now, I will > > > > > add encrypted key support in the key handler later: > > > > > https://github.com/joeyli/linux-s4sign/commit/6311e97038974bc5de8121769fb4d34470009566 > > > > > > > > > Thanks for the work, I have two questions here: > > > > > > My EFI key patch set is almost done. I will send it soon. > > > > > Okay, please send them out then we can have further discussion > > on that. > > > > 1. Could you please describe a little more about the scenario on > > > > how the user could use the secret key for hibernation encryption? > > > > A requirement is that, the user should provide a passphrase(for key derivation, i.e.) > > > > during resume. I was thinking how user could interact with > > > > the security key mechanism here. > > > > > > > > > > User space doesn't need to involve. The EFI root key is generated by > > > EFI boot stub and be transfer to kernel. It's stored in EFI boot service > > > variable that it can only be accessed by trusted EFI binary when > > > secure boot is enabled. > > > > > Okay, this apply to the 'suspend' phase, right? > > I'm still a little confused about the 'resume' phase. > > Taking encryption as example(not signature), > > the purpose of doing hibernation encryption is to prevent other users > > from stealing ram content. Say, user A uses a passphrase to generate the > > key and encrypted the hibernation snapshot and stores it on the disk . > > Then if user > > B wants to do a hibernation resume to A's previous environment, B has > > to provide the same passphrase. > > If I understand correctly, the secret key is saved in header and stored > > on the disk. Which means, any one can read the header from the disk > > to get the secret key in trampoline thus decrypt the image, which is not > > safe. > > The secret key that it's saved in snapshot header is a session key which > is encrypted by ERK (EFI root key). The ERK only lives in kernel space. > So the session key is still secure. > > When resume, the session key will be decrypted/verified by ERK. Then > kernel uses the session key to decrypted/verified snapshot image. > OK, I see. > Of course that we can direct use ERK to encrypt/authenticate snapshot > image. Actually the first version of hibernation verification in SLE > direct uses ERK. So the snapshot header only keeps signature but no > encrypted session key. > > I add session key in new version because I want to align with > the use case of TPM trusted key + encrypted key. Then hibernation > can use key retention service API to access EFI key or encrypted key. > > Compare the trusted key with EFI secure key: > > TPM SRK ----seal-----> Trusted key ---encrypt---> Encrypted key > ERK ---encrypt---> EFI secure key ---encrypt---> Encrypted key > > Both of them can be the master key of encrypted key. > So either Trusted key or EFI secure key(session key) could be used for snapshot encryption, right? > If EFI key can not be accepted by kernel community, then the TPM > trusted key + encrypted key will be the only solution. We can very > easy to switch to encrypted key by using key retention service > API. > Back to question raised previously, how could TPM or EFI key be used to prevent user B from resuming to the environment of A? It appears to me that, although A is the user who launches the hibernation, B could resume to the context of A because there's no certification during resume. Is there any way to introduce the password based verification? Best, Yu > Thanks a lot! > Joey Lee