Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Date:   Mon, 6 Aug 2018 16:45:34 +0800
From:   Yu Chen <yu.c.chen@intel.com>
To:     Pavel Machek <pavel@ucw.cz>
Cc:     Ryan Chen <yu.chen.surf@gmail.com>, jlee@suse.com,
        oneukum@suse.com, "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
        ebiggers@google.com, Theodore Ts'o <tytso@mit.edu>,
        smueller@chronox.de, denkenz@gmail.com,
        Linux PM list <linux-pm@vger.kernel.org>,
        linux-crypto@vger.kernel.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        kookoo.gu@intel.com, Zhang Rui <rui.zhang@intel.com>
Subject: Re: [PATCH 0/4][RFC v2] Introduce the in-kernel hibernation
 encryption
Message-ID: <20180806084534.GB12124@chenyu-desktop>
References: <20180720102532.GA20284@amd>
 <1532346156.3057.11.camel@suse.com>
 <20180723162302.GA4503@sandybridge-desktop>
 <1532590246.7411.3.camel@suse.com>
 <20180726081404.GG4244@linux-l9pv.suse>
 <20180730170415.GQ4244@linux-l9pv.suse>
 <20180803033702.GB416@sandybridge-desktop>
 <20180803053445.GC4244@linux-l9pv.suse>
 <CADjb_WSURQz86+E8kakNf7UBDM+aho+uaz3QdDkuGsEgan=szw@mail.gmail.com>
 <20180805100200.GB22948@amd>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180805100200.GB22948@amd>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

Hi Pavel,
On Sun, Aug 05, 2018 at 12:02:00PM +0200, Pavel Machek wrote:
> Hi!
> 
> > > User space doesn't need to involve. The EFI root key is generated by
> > > EFI boot stub and be transfer to kernel. It's stored in EFI boot service
> > > variable that it can only be accessed by trusted EFI binary when
> > > secure boot is enabled.
> > >
> > Okay, this apply to the 'suspend' phase, right?
> > I'm still a little confused about the 'resume' phase.
> > Taking encryption as example(not signature),
> > the purpose of doing hibernation encryption is to prevent other users
> > from stealing ram content. Say, user A uses a  passphrase to generate the
> 
> No, I don't think that's purpose here.
> 
> Purpose here is to prevent user from reading/modifying kernel memory
> content on machine he owns.
>
Say, A puts his laptop into hibernation and walks away,
and B walks by, and opens A's laptop and wakes up the system and he
can do what he wants. Although EFI key/TPM trusted key is enabled,
currently there's no certification during resume, which sounds
unsafe to me. Afterall, the original requirement is to probe
user for password during resume, which sounds more natural.
> Strange as it may sound, that is what "secure" boot requires (and what
> Disney wants).
> 
Ok, I understand this requirement, and I'm also concerning how to
distinguish different users from seeing data of each other.

Joey,
I'm thinking of a possible direction which could take advantage
of the password.  It leverages either EFI key or TPM
trusted key to get it done. Does it make sense?

1. The user space generates a symetric key key_user using
   the password, and passes the key_user to the kernel as the master
   key.
2. The kernel uses the EFI key or TPM trusted key to encrypt
   the key_user thus gets a encrypt_key.
3. Uses the encrypt_key to do snapshot encryption
4. During resume, the same encrypt_key is generated following
   the same steps(I assume the same EFI key or TPM key could be fetched
   during resumed, right?) and do the snapshot decryption.

And this is what fscrypt is doing:
Documentation/filesystems/fscrypt.rst

Best,
Yu
> I guess it may have some non-evil uses,
> too... https://www.linux.com/news/matthew-garrett-explains-how-increase-security-boot-time
> 
> 									
> 									Pavel
> -- 
> (english) http://www.livejournal.com/~pavelmachek
> (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html