Received: by 2002:a05:6358:bb9e:b0:b9:5105:a5b4 with SMTP id df30csp5981347rwb; Wed, 7 Sep 2022 10:46:08 -0700 (PDT) X-Google-Smtp-Source: AA6agR5lM/gHloRNpdu3F1GuVztHY0+SR/ESCfoD0p4z+2kY0gTHyIVg4Aj2sNBovtplnN8qrouc X-Received: by 2002:a17:902:d485:b0:176:b870:78cf with SMTP id c5-20020a170902d48500b00176b87078cfmr4860575plg.40.1662572768588; Wed, 07 Sep 2022 10:46:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662572768; cv=none; d=google.com; s=arc-20160816; b=npyZaSfDS5QWb+Up+wQrl0Hh/8qp5noqZl/plXiNNcTI6ZmnqO4uPIgeiRkPK2sqR/ zk3TCTX5YTpsFdw//COLRQBsLfh/coko+7ULTlGZ3EUrhahIlx8w9B5c0cO3Mcoy2KgV f17jnDEQdvRX2VeZeDjR4NLxKTI4fGn3rfXbzuqxJGbjn4P5SHHrRq+osNIe5zPmVrT4 3ysiScGMz4dxcWdd2V8uUsV1f9TEdknxtmaituHEwIV3G8d3rj2ukTBW+VDKacElX7Za 9AC5ZYRK1Rh30u+xHIQkB19Ew7d4W4vp4JnaS6Va2ALjXUP7S6CGsabLawxY9jIsj+Zt Ynag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Ro6O+2s9xjG7/14chisnyJusofpe1P/Z+6Ni1HfLglw=; b=hkWVLGrmQlO3VLswFPBC4iNvaXFHJn1YQiTJypN4pQNStpSQI2LyXHRkPkpE7Usk+h pjSSEhCAdMt/RI+m3qLyVzuJvYykD8o84l9iEg8Qhj7LyqRrMge+rtpvurHnKJh+Wy5h T5V+8JuPaWULhvp0I9upC3SONEslu84RcCzRhSEKkfGgbQ8NH2pBiCuGm5OE77MGs+6l zAgTG4b5dy2B+NPQRnPQhPc3Q3IUutqWRdd9jB19muFJAvM6oKejmdxZjC3NxpmcFOqO lS8ZhD3Chv7lhtBGyZzP6QIeTlzQTwjH4+0qJCQAvkc1124z1FK8CStHe34guHJzY4QD i9zw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=SFFia7Vr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u6-20020a170903124600b00172de894f52si15558779plh.396.2022.09.07.10.45.55; Wed, 07 Sep 2022 10:46:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=SFFia7Vr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230173AbiIGRMY (ORCPT + 99 others); Wed, 7 Sep 2022 13:12:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48472 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230167AbiIGRMA (ORCPT ); Wed, 7 Sep 2022 13:12:00 -0400 Received: from mail-oa1-x2d.google.com (mail-oa1-x2d.google.com [IPv6:2001:4860:4864:20::2d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 11FA6BFC59 for ; Wed, 7 Sep 2022 10:11:26 -0700 (PDT) Received: by mail-oa1-x2d.google.com with SMTP id 586e51a60fabf-11eab59db71so37546618fac.11 for ; Wed, 07 Sep 2022 10:11:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=Ro6O+2s9xjG7/14chisnyJusofpe1P/Z+6Ni1HfLglw=; b=SFFia7VrpSfHHqK4+wrGcNeHGpCjolBliKK6r1h6XIGRo5GSXMMhxGqrAZd7h/1Z8I fZPHWdG3DVGVcrZh+RMzotY75nbYwZF3yvul2CYa8AlFvlyUYoinzuFbkei+E22aaGaF hAcyyxG/Z+aKkT3k0U/r3XrRUCZZbGhXiEzNA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=Ro6O+2s9xjG7/14chisnyJusofpe1P/Z+6Ni1HfLglw=; b=6xbcRqq44xKOlJ/m0eZJ96j1jmvAByKRNPC5m8M+uGBjl5EZE2OSN3v87g0ti4wpFM fPYLQKnL2Ic2wmQA3uOuLVez2Dn5L2qhX4zbfgotBhfI6sAF+Vju6d0KFOhoqcbF2xue YkMi+2+9t9BSWMG9bUjF1XY46tAXYL4isCSxz9i7DEkvmHbPGCr3GlegxCSVDVhIEF6K H1qqSt3g4T3gDIeeZGxs3ZJB+IBxZAORlAfd705jKuyuWt22IHGC/QFUXueiuDBDMHsA PdWhYAfP1GCrZDfYgfAFNOX6LyLVk24z1LkIDHbeAFRiQW6iZOF1VzEDjoumJLTJLMBS OycA== X-Gm-Message-State: ACgBeo3xnGGKvPwpfyFJxIfk0eQQLAV3hUS5fQFhpBGicmCu3RYXdjXI pEnTANcW1DvOXlbfQP93dX0mtJ1woZaobA== X-Received: by 2002:a05:6870:799:b0:11b:b0d4:81dd with SMTP id en25-20020a056870079900b0011bb0d481ddmr14139377oab.138.1662570681021; Wed, 07 Sep 2022 10:11:21 -0700 (PDT) Received: from mail-oa1-f51.google.com (mail-oa1-f51.google.com. [209.85.160.51]) by smtp.gmail.com with ESMTPSA id x6-20020a056870e38600b00127ba61535fsm2685613oad.15.2022.09.07.10.11.20 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 07 Sep 2022 10:11:20 -0700 (PDT) Received: by mail-oa1-f51.google.com with SMTP id 586e51a60fabf-1278a61bd57so19100765fac.7 for ; Wed, 07 Sep 2022 10:11:20 -0700 (PDT) X-Received: by 2002:a05:6870:b28c:b0:127:ad43:573e with SMTP id c12-20020a056870b28c00b00127ad43573emr2505114oao.174.1662570269627; Wed, 07 Sep 2022 10:04:29 -0700 (PDT) MIME-Version: 1.0 References: <20220823222526.1524851-1-evgreen@chromium.org> In-Reply-To: From: Evan Green Date: Wed, 7 Sep 2022 10:03:53 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 00/10] Encrypted Hibernation To: "Limonciello, Mario" Cc: LKML , Gwendal Grignou , Eric Biggers , Matthew Garrett , Jarkko Sakkinen , zohar@linux.ibm.com, linux-integrity@vger.kernel.org, Pavel Machek , apronin@chromium.org, Daniil Lunev , "Rafael J. Wysocki" , Linux PM , Jonathan Corbet , "James E.J. Bottomley" , David Howells , Hao Wu , James Morris , Jason Gunthorpe , Len Brown , Matthew Garrett , Paul Moore , Peter Huewe , "Rafael J. Wysocki" , "Serge E. Hallyn" , axelj , keyrings@vger.kernel.org, "open list:DOCUMENTATION" , linux-security-module@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Aug 31, 2022 at 11:35 AM Limonciello, Mario wrote: > > On 8/23/2022 17:25, Evan Green wrote: > > We are exploring enabling hibernation in some new scenarios. However, > > our security team has a few requirements, listed below: > > 1. The hibernate image must be encrypted with protection derived from > > both the platform (eg TPM) and user authentication data (eg > > password). > > 2. Hibernation must not be a vector by which a malicious userspace can > > escalate to the kernel. > > > > Requirement #1 can be achieved solely with uswsusp, however requirement > > 2 necessitates mechanisms in the kernel to guarantee integrity of the > > hibernate image. The kernel needs a way to authenticate that it generated > > the hibernate image being loaded, and that the image has not been tampered > > with. Adding support for in-kernel AEAD encryption with a TPM-sealed key > > allows us to achieve both requirements with a single computation pass. > > > > Matthew Garrett published a series [1] that aligns closely with this > > goal. His series utilized the fact that PCR23 is a resettable PCR that > > can be blocked from access by usermode. The TPM can create a sealed key > > tied to PCR23 in two ways. First, the TPM can attest to the value of > > PCR23 when the key was created, which the kernel can use on resume to > > verify that the kernel must have created the key (since it is the only > > one capable of modifying PCR23). It can also create a policy that enforces > > PCR23 be set to a specific value as a condition of unsealing the key, > > preventing usermode from unsealing the key by talking directly to the > > TPM. > > > > This series adopts that primitive as a foundation, tweaking and building > > on it a bit. Where Matthew's series used the TPM-backed key to encrypt a > > hash of the image, this series uses the key directly as a gcm(aes) > > encryption key, which the kernel uses to encrypt and decrypt the > > hibernate image in chunks of 16 pages. This provides both encryption and > > integrity, which turns out to be a noticeable performance improvement over > > separate passes for encryption and hashing. > > > > The series also introduces the concept of mixing user key material into > > the encryption key. This allows usermode to introduce key material > > based on unspecified external authentication data (in our case derived > > from something like the user password or PIN), without requiring > > usermode to do a separate encryption pass. > > > > Matthew also documented issues his series had [2] related to generating > > fake images by booting alternate kernels without the PCR23 limiting. > > With access to PCR23 on the same machine, usermode can create fake > > hibernate images that are indistinguishable to the new kernel from > > genuine ones. His post outlines a solution that involves adding more > > PCRs into the creation data and policy, with some gyrations to make this > > work well on a standard PC. > > > > Our approach would be similar: on our machines PCR 0 indicates whether > > the system is booted in secure/verified mode or developer mode. By > > adding PCR0 to the policy, we can reject hibernate images made in > > developer mode while in verified mode (or vice versa). > > > > Additionally, mixing in the user authentication data limits both > > data exfiltration attacks (eg a stolen laptop) and forged hibernation > > image attacks to attackers that already know the authentication data (eg > > user's password). This, combined with our relatively sealed userspace > > (dm-verity on the rootfs), and some judicious clearing of the hibernate > > image (such as across an OS update) further reduce the risk of an online > > attack. The remaining attack space of a forgery from someone with > > physical access to the device and knowledge of the authentication data > > is out of scope for us, given that flipping to developer mode or > > reflashing RO firmware trivially achieves the same thing. > > > > A couple of patches still need to be written on top of this series. The > > generalized functionality to OR in additional PCRs via Kconfig (like PCR > > 0 or 5) still needs to be added. We'll also need a patch that disallows > > unencrypted forms of resume from hibernation, to fully close the door > > to malicious userspace. However, I wanted to get this series out first > > and get reactions from upstream before continuing to add to it. > > Something else to think about in this series is what happens with > `hibernation_available` in kernel/power/hibernate.c. Currently if the > system is locked down hibernate is disabled, but I would think that > with a setup like that described here that should no longer be necessary. > Correct, I think that would be a reasonable followup to this series. -Evan