From: Evan Green
Date: Tue, 20 Sep 2022 09:39:25 -0700
Subject: Re: [PATCH v2 00/10] Encrypted Hibernation
To: Pavel Machek
Cc: LKML, Gwendal Grignou, Eric Biggers, Matthew Garrett, Jarkko Sakkinen, Mimi Zohar, linux-integrity@vger.kernel.org, apronin@chromium.org, Daniil Lunev, "Rafael J. Wysocki", Linux PM, Jonathan Corbet, "James E.J. Bottomley", David Howells, Hao Wu, James Morris, Jason Gunthorpe, Len Brown, Paul Moore, Peter Huewe, "Rafael J. Wysocki", "Serge E. Hallyn", axelj, keyrings@vger.kernel.org, "open list:DOCUMENTATION", linux-security-module@vger.kernel.org, Jorge Lucangeli Obes
In-Reply-To: <20220920084648.GA17087@duo.ucw.cz>
References: <20220823222526.1524851-1-evgreen@chromium.org> <20220920084648.GA17087@duo.ucw.cz>
List-ID: linux-kernel@vger.kernel.org

On Tue, Sep 20, 2022 at 1:46 AM Pavel Machek wrote:
>
> Hi!
>
> > We are exploring enabling hibernation in some new scenarios. However,
> > our security team has a few requirements, listed below:
> > 1. The hibernate image must be encrypted with protection derived from
> > both the platform (e.g. TPM) and user authentication data (e.g.
> > password).
> > 2. Hibernation must not be a vector by which a malicious userspace can
> > escalate to the kernel.
>
> Why is #2 a reasonable requirement?
>
> We normally allow userspace with appropriate permissions to update the
> kernel, for example.

I'll take a stab at answering this. I've also CCed one of our security
folks to keep me honest and add any needed additional context.

ChromeOS takes an approach of attempting to limit the blast radius of
any given vulnerability as much as possible. A vulnerable system
service may be running as root, but may also still be fairly
constrained by sandboxing: it may not have access to all processes,
the entire file system, or all capability bits.

With Verified Boot [1], our kernel and rootfs are statically signed by
Google (or yourself if firmware has been reflashed). Even if a full
root compromise occurs, it's difficult for the attacker to persist
across a reboot, since they cannot update the kernel or init flow on
disk without the signing key. We do our best to lock down other
escalation vectors from root to kernel as well. For instance, features
like LoadPin help prevent a malicious root from simply loading up a
payload via insmod.

So in cases like ours, jumping from root execution to kernel execution
represents a real escalation in privilege. Hibernate as it exists
today represents a wide open door for root to become kernel, so we're
forced to disable the Kconfigs for it. This series, along with another
patch to restrict unencrypted resume, would add the guardrails we need
to prevent arbitrary code from moving into the kernel via resume.

-Evan

[1] https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot/
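The following is an added defender-side audit example, not code from this thread, from the Encrypted Hibernation series, or from ChromeOS. It reads the posture Evan describes off a few standard Linux interfaces: `/sys/power/state` (which only lists `disk` when the kernel considers hibernation available), `/sys/power/disk` (which reads `[disabled]` in the same case), the lockdown LSM selector `/sys/kernel/security/lockdown` (the `integrity` level already refuses hibernation), LoadPin's `/sys/kernel/security/loadpin/enforce`, and `resume=` on `/proc/cmdline`. The file paths are real kernel interfaces; the two sample hosts (`HARDENED_HOST`, `DEFAULT_HOST`) and their contents are constructed so the check runs offline, and the function and class names are this example's own.

```python
"""Audit whether a host still exposes the unencrypted hibernate/resume
path from root to kernel that the mail above describes.

Added example, not part of the LKML thread or the patch series. The
sysfs/procfs paths are real kernel interfaces; all sample contents are
constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List

# Real kernel interfaces consulted by the audit.
POWER_STATE = "/sys/power/state"                          # e.g. "freeze mem disk"
POWER_DISK = "/sys/power/disk"                            # "[disabled]" when unavailable
LOCKDOWN = "/sys/kernel/security/lockdown"                # "none [integrity] confidentiality"
LOADPIN_ENFORCE = "/sys/kernel/security/loadpin/enforce"  # "1" when LoadPin enforces
CMDLINE = "/proc/cmdline"


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def bracketed(text: str) -> str:
    """Return the active '[choice]' from a sysfs selector file, or '' if none."""
    for tok in text.split():
        if tok.startswith("[") and tok.endswith("]"):
            return tok[1:-1]
    return ""


def hibernation_exposed(files: Dict[str, str]) -> bool:
    """True when the kernel advertises hibernation to userspace.

    The kernel lists 'disk' in /sys/power/state and shows a mode other
    than '[disabled]' in /sys/power/disk only when hibernation_available()
    holds (CONFIG_HIBERNATION set and lockdown not blocking it)."""
    states = files.get(POWER_STATE, "").split()
    disk_mode = bracketed(files.get(POWER_DISK, "[disabled]"))
    return "disk" in states and disk_mode != "disabled"


def audit(files: Dict[str, str]) -> List[Finding]:
    """Evaluate each guardrail and report it with a one-line explanation."""
    findings: List[Finding] = []

    mode = bracketed(files.get(LOCKDOWN, "[none]")) or "none"
    locked = mode in ("integrity", "confidentiality")
    findings.append(Finding("lockdown", locked, f"lockdown mode is '{mode}'"))

    exposed = hibernation_exposed(files)
    findings.append(Finding("hibernate", not exposed,
                            "hibernation is " + ("available to userspace"
                                                 if exposed else "unavailable")))

    enforcing = files.get(LOADPIN_ENFORCE, "").strip() == "1"
    findings.append(Finding("loadpin", enforcing,
                            "LoadPin is " + ("enforcing" if enforcing else "not enforcing")))

    resume = [t for t in files.get(CMDLINE, "").split() if t.startswith("resume=")]
    # A configured resume device only matters while hibernation is exposed.
    findings.append(Finding("resume", not (resume and exposed),
                            "resume device: " + (resume[0][len("resume="):]
                                                 if resume else "none")))
    return findings


def root_to_kernel_via_resume_closed(files: Dict[str, str]) -> bool:
    """Overall verdict: the door is closed once hibernation is not exposed,
    whether by Kconfig or by the lockdown LSM."""
    return not hibernation_exposed(files)


# Constructed sample contents (not captured from any real machine).
HARDENED_HOST = {
    POWER_STATE: "freeze mem\n",
    POWER_DISK: "[disabled]\n",
    LOCKDOWN: "none [integrity] confidentiality\n",
    LOADPIN_ENFORCE: "1\n",
    CMDLINE: "console=ttyS0 root=/dev/dm-0 ro\n",
}
DEFAULT_HOST = {
    POWER_STATE: "freeze mem disk\n",
    POWER_DISK: "[platform] shutdown reboot suspend test_resume\n",
    LOCKDOWN: "[none] integrity confidentiality\n",
    LOADPIN_ENFORCE: "0\n",
    CMDLINE: "root=/dev/sda1 ro quiet resume=/dev/sda2\n",
}

if __name__ == "__main__":
    for name, host in (("hardened", HARDENED_HOST), ("default", DEFAULT_HOST)):
        print(f"{name}: resume path closed = {root_to_kernel_via_resume_closed(host)}")
        for f in audit(host):
            print(f"  [{'ok' if f.ok else 'FAIL'}] {f.check}: {f.detail}")
```

On a live host the same functions can be fed `{path: open(path).read()}` for each path that exists; a missing file is treated as the conservative default (no lockdown, LoadPin not enforcing, hibernation disabled), so a distribution kernel without LoadPin or lockdown compiled in shows up as failing those checks rather than silently passing.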