From: "Lee, Chun-Yi"
To: linux-kernel@vger.kernel.org
Cc: linux-efi@vger.kernel.org, x86@kernel.org, keyrings@vger.kernel.org,
    linux-integrity@vger.kernel.org, "Lee, Chun-Yi", Kees Cook,
    Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", "Rafael J. Wysocki",
    Pavel Machek, Chen Yu, Oliver Neukum, Ryan Chen, Ard Biesheuvel,
    David Howells, Mimi Zohar
Subject: [PATCH 0/6][RFC] Add EFI secure key to key retention service
Date: Sun, 5 Aug 2018 11:21:13 +0800
Message-Id: <20180805032119.20485-1-jlee@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When secure boot is enabled, only a signed EFI binary can access the EFI
boot service variable before ExitBootService, which means that the EFI
boot service variable is secure. This patch set adds functions to the EFI
boot stub to generate a 512-bit random number that can be used as a root
key for encryption and authentication. This root key will be kept in an
EFI boot service variable. The EFI boot stub will read and transfer the
ERK (EFI root key) to the kernel.

At runtime, the ERK can be used to encrypt/authenticate other random
numbers to generate an EFI secure key. The EFI secure key can be a new
master key type for encrypted keys. It's useful for hibernation or EVM.

Here is the proof of concept for using EFI secure key in hibernation:
https://github.com/joeyli/linux-s4sign/commit/6311e97038974bc5de8121769fb4d34470009566

Cc: Kees Cook
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: "Rafael J. Wysocki"
Cc: Pavel Machek
Cc: Chen Yu
Cc: Oliver Neukum
Cc: Ryan Chen
Cc: Ard Biesheuvel
Cc: David Howells
Cc: Mimi Zohar
Signed-off-by: "Lee, Chun-Yi"

Lee, Chun-Yi (6):
  x86/KASLR: make getting random long number function public
  efi: the function transfers status to string
  efi: generate efi root key in EFI boot stub
  key: add EFI secure key type
  key: add EFI secure key as a master key type
  key: enforce the secure boot checking when loading efi root key

 Documentation/admin-guide/kernel-parameters.txt |   6 +
 arch/x86/boot/compressed/Makefile               |   1 +
 arch/x86/boot/compressed/cpuflags.c             |   2 +-
 arch/x86/boot/compressed/eboot.c                |   2 +
 arch/x86/boot/compressed/efi_root_key.c         | 212 +++++++
 arch/x86/boot/compressed/kaslr.c                |  21 -
 arch/x86/boot/compressed/misc.c                 |  17 +
 arch/x86/boot/compressed/misc.h                 |  12 +-
 arch/x86/include/asm/efi.h                      |  13 +
 arch/x86/include/uapi/asm/bootparam.h           |   1 +
 arch/x86/kernel/setup.c                         |   3 +
 arch/x86/lib/kaslr.c                            |  61 +-
 arch/x86/lib/random.c                           |  68 +++
 drivers/firmware/efi/Kconfig                    |  31 +
 drivers/firmware/efi/Makefile                   |   1 +
 drivers/firmware/efi/efi-secure-key.c           | 748 ++++++++++++++++++++++++
 include/keys/efi-type.h                         |  57 ++
 include/linux/efi.h                             |  40 ++
 include/linux/kernel.h                          |   3 +-
 kernel/panic.c                                  |   1 +
 security/keys/encrypted-keys/encrypted.c        |  10 +
 21 files changed, 1226 insertions(+), 84 deletions(-)
 create mode 100644 arch/x86/boot/compressed/efi_root_key.c
 create mode 100644 arch/x86/lib/random.c
 create mode 100644 drivers/firmware/efi/efi-secure-key.c
 create mode 100644 include/keys/efi-type.h

-- 
2.13.6