Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1046563imu; Wed, 9 Jan 2019 10:36:31 -0800 (PST) X-Google-Smtp-Source: ALg8bN5vKcPB0q9Mm/1mb2GHXANHy/R0zBERKpj+QHXB98ZofRvc8gO5rfjk4ornKUBMvJ8u8+yA X-Received: by 2002:a63:de46:: with SMTP id y6mr6424367pgi.198.1547058991594; Wed, 09 Jan 2019 10:36:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547058991; cv=none; d=google.com; s=arc-20160816; b=Nu90X4tcyR1R9toxt+s+RnyIm3T2ajJ+WGx5Uyt562ohyT3zSkL8AL2xq1JOhQaPVP okddE+FAcIy70vOWHTeikxUS3pxc6QW6iAcUIz4C6hmR/Hv6v+n37CvBEJbbHESsMk+D w0t80eiigt/WMc5XQSV+TMT6ZQlwrxSdVzgCiVs85I1GLo3nJe7lBWxD9vj4HnLeDAG/ Fzu3cex4kxjUNOyEth4L9ThJBXqO3XBLr+6N2igW8PK632Bo3niBWjSh5UKFka4+G3B+ LweKcRnPxdMAqXcBtAoPnqRmOgIVLcJU3zd6tIBjGzP9MuQw3uGyTVq4bXX1cXsw2avC pzNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=EaizvMPKW7nG53qgbILCFrzaRBAz8CGXC0DIUSe8/6A=; b=IgrSO11wvkktbOgYxIxdp/ajmNuj3vOWrqJ5MBkQKdaAa/FBLEWF8I6hZ3YbgGH0yH Uei5UL4qmEWgv7kazh6Sa8JbX4iu/YQujaMJrYjoThL+JoLS0kJCApGUX/SOrotVw1N4 /+fdmsRlv3/VxH1ET2+KI1yENx1c7WYTq5X1eYm77U039wUQKmZEFHwz/YoPOKhqtEAr 9CLR3oMe4h9mTsNLatOPcbljvm8M5Uip+0XOO3rJDlvRnIq1cDnOVre4G1C+lCvcvOAG fMSMn91IDiICutQkYPPS+2/lEafAXapvEfSaQxUYLU2ctrz/arR4x6KNYXuCKFlXusjZ SMIg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=sPZb257k; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f1si61157560pgn.502.2019.01.09.10.36.15; Wed, 09 Jan 2019 10:36:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=sPZb257k; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727664AbfAISe5 (ORCPT + 99 others); Wed, 9 Jan 2019 13:34:57 -0500 Received: from mail.kernel.org ([198.145.29.99]:39612 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726881AbfAISe4 (ORCPT ); Wed, 9 Jan 2019 13:34:56 -0500 Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C543B21738 for ; Wed, 9 Jan 2019 18:34:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1547058896; bh=dlXnZa3nDJPSZdyMh4hNprdBHQyDydUkpi2tjV8FijI=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=sPZb257kSJKe3jMqzACczTBQMlWGX3avvw+lrtZDNFB8aaQT1G4MXlWRVchR5uN3j 8HSPbs8OBPhhiySXg07eKiMNJ7atPPuNedh+M2FCh6UvMOKP0EJjfYDFo6bdVM7ngE tAlnx+b7gpN4ZXfwINMApOaK72/v3bR1QVAZ4tZo= Received: by mail-wm1-f44.google.com with SMTP id d15so8743867wmb.3 for ; Wed, 09 Jan 2019 10:34:55 -0800 (PST) X-Gm-Message-State: AJcUukceBquFu0jgUDznbs5w3mbSqiv2Q6jzSO3JVqmIJgPKm4KrCZ4G jTp3UomtvG/t4IDH5Kq2r586ZpOE/5SXed0tBXdT5A== X-Received: by 2002:a1c:aa0f:: with SMTP id t15mr6597039wme.108.1547058894231; Wed, 09 Jan 2019 10:34:54 -0800 (PST) MIME-Version: 1.0 References: <20190103143227.9138-1-jlee@suse.com> <4499700.LRS4F2YjjC@tauon.chronox.de> <20190108050358.llsox32hggn2jioe@gondor.apana.org.au> <1565399.7ulKdI1fm5@tauon.chronox.de> <1546994671.6077.10.camel@HansenPartnership.com> <1547016579.2789.17.camel@HansenPartnership.com> In-Reply-To: <1547016579.2789.17.camel@HansenPartnership.com> From: Andy Lutomirski Date: Wed, 9 Jan 2019 10:34:42 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/5 v2] PM / hibernate: Create snapshot keys handler To: James Bottomley Cc: Andy Lutomirski , Jarkko Sakkinen , Stephan Mueller , Herbert Xu , "Lee, Chun-Yi" , "Rafael J . Wysocki" , Pavel Machek , LKML , linux-pm@vger.kernel.org, keyrings@vger.kernel.org, "Rafael J. Wysocki" , Chen Yu , Oliver Neukum , Ryan Chen , David Howells , Giovanni Gherdovich , Randy Dunlap , Jann Horn Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >> On Jan 8, 2019, at 10:49 PM, James Bottomley wrote: >> >> On Tue, 2019-01-08 at 17:43 -0800, Andy Lutomirski wrote: >> [Adding Jarkko because this stuff relates to the TPM.] > >> Anyway, if we're talking about the TPM, it seems like the entire >> "trusted key" mechanism in the kernel is missing the point. If I >> want to encrypt something like a hibernation image on a machine with >> a TPM, it makes essentially no sense to me that we would get a key >> with a known raw value that is merely TPM-backed (i.e. the "trusted >> key") and use that to decrypt the image. The right way to do it is >> to the use the TPM as it was intended to be used: generate a single- >> use key that protects the hibernation image and seal *that* directly >> on the TPM, such that it can only be unsealed with appropriate PCR >> values. Heck, we could even use one of the fancy NV counters such >> that we *can't* decrypt the image later on. And using HMAC or any AE >> construction the normal way is also wrong -- we should *hash* the >> image and sign the hash directly on the TPM so that the restore code >> can validate the PCR values that were in place when the hibernation >> image was created. [0] > > Well, theoretically, trusted keys can be used for PCR sealed bundles, > at least in 1.2 ... I'm not sure the 2.0 one actually works because you > have to construct the policy session outside the kernel. I suppose I should go read the 2.0 spec. I=E2=80=99ve read the 1.2 spec, bu= t I always assumed that 2.0 was essentially a superset of 1.2 functionality. >> Presumably we should at least try to replay the PCR operations that >> have occurred so that we can massage the PCRs into the same state >> post-hibernation. Also, do we have any way for the kernel to sign >> something with the TPM along with an attestation that the signature >> was requested *by the kernel*? Something like a sub-hierarchy of >> keys that the kernel explicitly prevents userspace from accessing?) > > We're just growing that now with the TPM asymmetric operations. > Attesting that the kernel requested the signature is harder. The TPM > can attest to log entries (as it does for the UEFI log and IMA) and it > can certify keys, but that only proves they're TPM resident not who the > requestor was. Effectively the latter is an assertion about who knows > the key authority, which is hard to prove. Can the kernel filter TPM 2.0 operations? If so, then a signature that the kernel would have prevented user code from generating is de facto an attestation that the kernel generated it (or that the kernel was compromised, which is sort of equivalent). > >> [0] If you take some data, run it through an authenticated encryption >> algorithm, and sign (key, nonce, tag), I think you're operating >> outside of the accepted security definitions if you expect this to >> guarantee that the data wasn't tampered with. I'm reasonably >> confident that there are quite a few excellent AE algorithms that >> completely fail if used this like this. In fact, pretty much all of >> the modern fast ones probably fail. AE is for when the key is >> *secret*. > > Well, I think here, if we were actually trying to solve the problem of > proving the hibernated image were the same one we would need to prove > some log of the kernel operation came to a particular value *after* the > hibernated image were restored ... it's not really possible to > condition key release which must occur before the restore on that > outcome, so it strikes me we need more than a simple release bound to > PCR values. I=E2=80=99m not sure I follow. Here are the two properties I=E2=80=99d like= to see: 1. If you have an encrypted hibernation image, the only thing you should be able to do with it is to restore it. So only an actual Linux kernel in hibernation restore mode ought to be able to restore it. We get this if the image can only be read with appropriate PCRs and then only by the kernel. This way, you can=E2=80=99t just read out secrets from the image if you steal a laptop =E2=80=94 you have to actually boot the thi= ng. 2. You shouldn=E2=80=99t be able to create an intentionally corrupt image t= hat pwns you when you restore it unless you have already pwned the kernel. Maybe the =E2=80=9Ckernel=E2=80=9D bit in #1 can be relaxed to =E2=80=9Croo= t=E2=80=9D without totally defeating the purpose, but if some random non-root process that happens to have access to /dev/tpm* can make a valid-looking TPM image, then I think we fail. Limiting it to the kernel is only dubiously better than limiting it to root until we implement lockdown, in which case it's important. #2 only really matters with lockdown. I suppose that a good summary of my opinion is that there is no point to kernel support for encrypted hibernation images until lockdown is upstream. --Andy