Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1264919imu; Wed, 9 Jan 2019 14:52:56 -0800 (PST) X-Google-Smtp-Source: ALg8bN5hYEGzp658iakgAS4xrQ1O4jV6YuU8U4ZP+HeT4lI6sy4Jew4nCJJA+6hOdN3cpgDC0fXH X-Received: by 2002:a17:902:1122:: with SMTP id d31mr7904179pla.246.1547074376409; Wed, 09 Jan 2019 14:52:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547074376; cv=none; d=google.com; s=arc-20160816; b=NMHUxLZBy1UGtwSBKUF0AOYhKJwI8QI6kxpMZBXuR3gZgPuG20DXgJ6u46sz/mZXkZ 3hE7D0soYLNTkkXGSK7YNM9+xjvPzlIoF+2zOvZfbwBso5i7E8Lv8DXNBAJzdFmNOvR4 LBWj2iDulTp7vqSHH76EFgf2epR7dyjWr0Pln/E/gpOfUKWiieHlt8D2hly/BkDsKN6L Oxf9N3ghZwNoCw4v9Z3tlwRO8bOLyEAv3ih5fuR1zjnUDmcCbGw15meCJAFwkK86wH0C YeIOvmTnJHCVSAYpKHOnfE2e7esLr5xkxBUNxf6DbvV6Qr1z36bi8kw6kcCwTOOuYsHp Dskg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature; bh=H7mmsRZ/WqW5BK8rDRLaoy1kWp3jK31X6zSucam76EE=; b=nUbYX6CXVQ338YLAyLR+AjgB4Tus27padLIFFl/oEDzomgVmv5wkTMrTzDpvvY8pWE eLrVD5loH+PPsLeGgHFyOP4nUm7wFEeH6bi46vf2wflE2U/LJ0Dl1yo19qSMEuqMafZR g0OtN+oRxI8aQ6Q1ogHPEHsGwQOp70hCY7Avn4NZ3Jfb592wYLV8INSG+yAUCUdR1++9 GJCq4VmyKSw5glqaUGLytZ+AJ5ZLQ+obV0Ir8ftAVFGt2k/h2XZ1xtoYEYIbZWsrNocI 994NPYm1becBju0O9N5yduJ4nBWFRzemVYAJ7cxCrqCXmljJKKcKJD7vI2S1y57M6tlp rX5w== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=aPymnYnU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 97si68260867plm.312.2019.01.09.14.52.41; Wed, 09 Jan 2019 14:52:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=aPymnYnU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727333AbfAIVno (ORCPT + 99 others); Wed, 9 Jan 2019 16:43:44 -0500 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:50900 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726094AbfAIVno (ORCPT ); Wed, 9 Jan 2019 16:43:44 -0500 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id ED4888EE440; Wed, 9 Jan 2019 13:43:42 -0800 (PST) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqokWAstevh3; Wed, 9 Jan 2019 13:43:42 -0800 (PST) Received: from [153.66.254.194] (unknown [50.35.68.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 07BD58EE092; Wed, 9 Jan 2019 13:43:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1547070222; bh=4y0HAlPxyNSq430UoE9Yhuk2Gm1oZu4g32HMZwmo6gs=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=aPymnYnUysMjOSyqlmTRNZPIENRspLJ+/ZKZLiCLcNQDUbjRvTeOMQZBYDBBKrJRJ Ao3P1hD3atEDzR/VQTvjHRzFrCtBV5t3OigdJ1K2i6ESVr3U/JUGDPraRW8BLlwg8I Donc56nxkdtPZAK3VXgHPohULuoJz/HggHRbECs4= Message-ID: <1547070220.2758.4.camel@HansenPartnership.com> Subject: Re: [PATCH 1/5 v2] PM / hibernate: Create snapshot keys handler From: James Bottomley To: Andy Lutomirski Cc: Jarkko Sakkinen , Stephan Mueller , Herbert Xu , "Lee, Chun-Yi" , "Rafael J . Wysocki" , Pavel Machek , LKML , linux-pm@vger.kernel.org, keyrings@vger.kernel.org, "Rafael J. Wysocki" , Chen Yu , Oliver Neukum , Ryan Chen , David Howells , Giovanni Gherdovich , Randy Dunlap , Jann Horn Date: Wed, 09 Jan 2019 13:43:40 -0800 In-Reply-To: References: <20190103143227.9138-1-jlee@suse.com> <4499700.LRS4F2YjjC@tauon.chronox.de> <20190108050358.llsox32hggn2jioe@gondor.apana.org.au> <1565399.7ulKdI1fm5@tauon.chronox.de> <1546994671.6077.10.camel@HansenPartnership.com> <1547016579.2789.17.camel@HansenPartnership.com> <1547063189.2879.47.camel@HansenPartnership.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2019-01-09 at 12:12 -0800, Andy Lutomirski wrote: > On Wed, Jan 9, 2019 at 11:46 AM James Bottomley > wrote: [...] > > > I’m not sure I follow. Here are the two properties I’d like to > > > see: > > > > > > 1. If you have an encrypted hibernation image, the only thing you > > > should be able to do with it is to restore it. So only an actual > > > Linux kernel in hibernation restore mode ought to be able to > > > restore it. We get this if the image can only be read with > > > appropriate PCRs and then only by the kernel. This way, you > > > can’t just read out secrets from the image if you steal a laptop > > > — you have to actually boot the thing. > > > > Right, this we can do and if you use a TPM sealed encryption key, > > you can guarantee the image will only restore on the same physical > > system. You don't need PCRs for this, just the TPM and the locality > > enforcement. > > > > Note if someone has your laptop and the ability to boot their own > > kernels, they could always corrupt the kernel into decrypting the > > image or giving you the unsealed key, but there's no real way of > > preventing that even with PCR sealing or lockdown, so the basis for > > the threat model is very much my laptop in my possession running my > > kernel. > > I'm not entirely sure I agree. With a TPM-aware bootloader, it > really ought to be possible to seal to PCRs such that a corrupted > kernel can't restore the image. Obviously a *compromised* but > otherwise valid kernel will be able to restore the image. It is possible to seal the key so that only the same booted kernel can restore the image, yes. One of the measurements that goes into the boot log is the hash of the kernel and you can seal to this value ... obviously if you upgrade your kernel RPM (or shim or grub) this value changes and you'd lose the ability to restore the hibernated image, but since the image is very kernel specific, that's probably OK. > But this is all barking up the wrong tree. If you want your laptop > to resist physical theft such that whoever stole it can boot it but > can't directly extract any data, you want to use dm-crypt (or, haha, > OPAL, but I just read a paper about some people who evaluated a bunch > of drives and had a very hard time finding one that actually > implemented OPAL in a usefully secure manner). A LUKS replacement or > wrapper that does something intelligent with the TPM would be > great. This kind of thing IMO does not belong in hibernation. Right, so the simplest way of doing this is to save the image on an encrypted partition or filesystem which must be unlocked by a password on boot. > IOW, I think we do get about as much as we would want if we just seal > with a locality that only allows kernel use and ignore PCRs entirely. > This makes it so that you need the ability to run ring 0 code to > decrypt the image, which means that we get all the nice lockdown > properties. Yes, it's a useful balance of security and ease of implementation, I think. > > > 2. You shouldn’t be able to create an intentionally corrupt image > > > that pwns you when you restore it unless you have already pwned > > > the kernel. > > > > So here there's a problem: the policy stated above governs key > > *use* not key creation, so anyone can create a key that has a > > locality restriction. The way to guarantee that the key was > > created by something that has access to the locality is to have a > > parent key with a locality use policy (key creation requires parent > > key use authorization). Which means every system would have to > > create a persistent parent key for the kernel to use (the kernel > > could do this and it could be made NV resident for persistence, so > > it's not impossible, just complicated). > > Why does anything here need to be persistent? The kernel could > create a locality-restricted key on the fly, use it to sign and/or > seal the hibernation image, and write the wrapped key blob into the > hibernation image. Yes, but so could I as a malicious user with a desire to create a bad hibernation image. I could do it entirely in userspace. I need access to the TPM to seal the key, but I'd get that: All you see in-kernel is a single policy sha256 sum and you can't reverse that back to the actual policy, so the kernel has no idea what policy is being sealed and so can't police the policy. In order to get the security that only the kernel created the hibernation key, you need to have a key parent with a policy that only allows in-kernel locality use so you know the child key was created by the kernel and nothing else. > > I suppose that a good summary of my opinion is that there is no > point > > > to kernel support for encrypted hibernation images until lockdown > > > is upstream. > > > > I really don't think lockdown helps. If we implement locality > > isolation for the kernels use of keys, a properly functioning > > kernel isn't going to be tricked into releasing one of its keys to > > userspace. A buggy kernel might be exploited to cause it to give > > one up but that would happen irrespective of lockdown and, of > > course, all bets are off if the attacker can boot their own kernel. > > > > I'm not saying that lockdown helps. I'm saying that encrypting the > hibernation image in the kernel may be pointless until the kernel > supports lockdown. If we don't support lockdown, then user code can > encrypt the hibernation image all by itself. The code will be easier > to understand, more flexible, and won't require a kernel upgrade :) Well, protection of at-rest images is one reason, but I accept that simply writing them to dm-crypt storage is a better way of doing this and solves the key problem nicely. James > Honestly, no one should be using resume= anyway. Any distro with > hibernation support worth its salt should support having the > hibernation image on a dm-crypt volume, in which case it *must* > support userspace-driven resume. Of course, my laptop that's been > upgraded through many Fedora revisions doesn't survive a > hibernate/resume cycle, but that's not the kernel's fault. > > --Andy > > P.S. One thing I do want to try is encrypted *swap*. The keying for > that is trivial -- the kernel can just make a key, store it in > ordinary kernel memory, and use it to encrypt and decrypt swap pages > as needed. Getting replay protection or authentication may be tricky > due to the need for metadata, but plain old AES-XTS or > HPolyChaChaNotSpeckAnymore would be entirely straightforward and > would > get 90% of the benefit. Sure, swap could live on dm-crypt too, but > that's an administration mess, and offering a strong and cheap > alternative to mlock() for crypto programs to protect their secrets > would be fantastic and encrypted swap plus some API to verify that > anonymous memory is, in fact, backed by encrypted swap would do the > job. >