Date: Fri, 11 Jan 2019 16:02:26 +0200
From: Jarkko Sakkinen
To: Andy Lutomirski
Cc: James Bottomley, Stephan Mueller, Herbert Xu, "Lee, Chun-Yi", "Rafael J. Wysocki", Pavel Machek, LKML, linux-pm@vger.kernel.org, keyrings@vger.kernel.org, Chen Yu, Oliver Neukum, Ryan Chen, David Howells, Giovanni Gherdovich, Randy Dunlap, Jann Horn
Subject: Re: [PATCH 1/5 v2] PM / hibernate: Create snapshot keys handler
Message-ID: <20190111140226.GA6448@linux.intel.com>
References: <20190103143227.9138-1-jlee@suse.com> <4499700.LRS4F2YjjC@tauon.chronox.de> <20190108050358.llsox32hggn2jioe@gondor.apana.org.au> <1565399.7ulKdI1fm5@tauon.chronox.de> <1546994671.6077.10.camel@HansenPartnership.com>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
User-Agent: Mutt/1.10.1 (2018-07-13)
List-ID: linux-kernel@vger.kernel.org

On Tue, Jan 08, 2019 at 05:43:53PM -0800, Andy Lutomirski wrote:
> (Also, do we have a sensible story of how the TPM interacts with
> hibernation at all? Presumably we should at least try to replay the
> PCR operations that have occurred so that we can massage the PCRs into
> the same state post-hibernation. Also, do we have any way for the
> kernel to sign something with the TPM along with an attestation that
> the signature was requested *by the kernel*? Something like a
> sub-hierarchy of keys that the kernel explicitly prevents userspace
> from accessing?)

The kernel can keep its own key hierarchy in memory, as TPM2 chips allow
offloading data in encrypted form and loading it back into the TPM when it
needs to use it. The in-kernel resource manager that I initiated a couple
of years ago provides this type of functionality.

/Jarkko
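The mechanism Jarkko describes (a chip with only a few object slots, whose objects can be pushed out as encrypted, integrity-protected context blobs and pulled back in on demand, with a resource manager juggling them) is illustrated by the following added example. It is a constructed toy model for this thread, not the kernel's resource manager or any TPM2 specification code: the ToyTpm and ResourceManager classes, the slot limit, and the HMAC-based encrypt-then-MAC protection are all assumptions standing in for the chip's internal context-encryption key, and the model omits the sequence numbers and reset-cycle binding real TPM2 context blobs carry. What it does show is the security property the reply relies on: the holder of a saved context (here the kernel-side manager) cannot read or alter the key material, yet can restore the object and get identical results from it.

```python
"""Toy model of TPM2 object context offload (constructed example, not kernel code)."""
import hashlib
import hmac
import secrets


class ToyTpm:
    """Stand-in for a TPM2 chip. Only MAX_LOADED objects fit at once; the
    context-protection key never leaves the chip, so saved blobs are opaque."""

    MAX_LOADED = 2  # assumed slot count; real chips have a small, vendor-specific number

    def __init__(self):
        self._ctx_key = secrets.token_bytes(32)  # never exported from the chip
        self._loaded = {}                        # transient handle -> private key bytes
        self._next_handle = 0x80000000

    def loaded_count(self):
        return len(self._loaded)

    def create_key(self):
        """Generate key material inside the chip and return a transient handle."""
        if len(self._loaded) >= self.MAX_LOADED:
            raise RuntimeError("object memory full")  # analogue of TPM_RC_OBJECT_MEMORY
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._loaded[handle] = secrets.token_bytes(32)
        return handle

    def sign(self, handle, msg):
        """Use a loaded key; HMAC stands in for a TPM signing operation."""
        return hmac.new(self._loaded[handle], msg, hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        # Counter-mode keystream derived from the chip-internal key (toy construction).
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self._ctx_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def context_save(self, handle):
        """Evict an object; return nonce || ciphertext || tag (encrypt-then-MAC)."""
        priv = self._loaded.pop(handle)
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(priv, self._keystream(nonce, len(priv))))
        tag = hmac.new(self._ctx_key, b"ctx" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def context_load(self, blob):
        """Verify and restore a saved object; reject anything the chip did not emit."""
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._ctx_key, b"ctx" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("context blob rejected: integrity check failed")
        if len(self._loaded) >= self.MAX_LOADED:
            raise RuntimeError("object memory full")
        priv = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._loaded[handle] = priv
        return handle


class ResourceManager:
    """Keeps more keys alive than the chip has slots, holding evicted ones as
    encrypted blobs in its own memory (the kernel-only hierarchy of the thread)."""

    def __init__(self, tpm):
        self._tpm = tpm
        self._saved = {}   # virtual handle -> encrypted context blob
        self._live = {}    # virtual handle -> chip handle
        self._next_virtual = 1

    def _make_room(self):
        if self._tpm.loaded_count() >= self._tpm.MAX_LOADED and self._live:
            victim, chip_handle = next(iter(self._live.items()))  # evict oldest
            self._saved[victim] = self._tpm.context_save(chip_handle)
            del self._live[victim]

    def create_key(self):
        self._make_room()
        v, self._next_virtual = self._next_virtual, self._next_virtual + 1
        self._live[v] = self._tpm.create_key()
        return v

    def sign(self, v, msg):
        if v not in self._live:          # swap the object back into the chip
            self._make_room()
            self._live[v] = self._tpm.context_load(self._saved.pop(v))
        return self._tpm.sign(self._live[v], msg)


def roundtrip_and_tamper():
    """Saved context restores the same key; a modified blob is rejected."""
    tpm = ToyTpm()
    h = tpm.create_key()
    sig = tpm.sign(h, b"constructed message")
    blob = tpm.context_save(h)
    same = tpm.sign(tpm.context_load(blob), b"constructed message") == sig
    tampered = bytearray(blob)
    tampered[20] ^= 1                    # flip one ciphertext bit
    try:
        tpm.context_load(bytes(tampered))
        rejected = False
    except ValueError:
        rejected = True
    return same, rejected


def many_keys_few_slots():
    """Five keys on a two-slot chip keep signing identically across evictions."""
    rm = ResourceManager(ToyTpm())
    keys = [rm.create_key() for _ in range(5)]
    first = [rm.sign(k, b"m") for k in keys]
    second = [rm.sign(k, b"m") for k in reversed(keys)]
    return first == list(reversed(second))
```

The point to take from the model is where the trust boundary sits: the blob in ResourceManager._saved is useless and unmodifiable to anyone who obtains it, so the manager can keep an unbounded hierarchy in ordinary memory while only ever handing handles, never key material, to its callers.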