Home
Lee, Chun-Yi edited this page Jul 29, 2018 · 12 revisions
This is the home page for the development of hibernation encryption and authentication in the Linux kernel: LKML mail loop
TODO:
- Hibernation snapshot encryption:
  - Use AES to encrypt the data pages in the snapshot image. [WIP]
- Adapt to the key retention service:
  Use the KMK (Kernel Master Key) in the keyring to create an encrypted key for encryption and authentication.
  - Kernel: Use the KMK and Encrypted-key in the kernel, and put the encrypted key in the snapshot header. [WIP]
  - Support different KMK types:
    - Trusted Key and User Key: Modify systemd and dracut to enroll the KMK in the kernel before S4 resume.
    - EFI KMK: Use an EFI boot variable to keep/reload the 64-byte KMK.
      - Rescue mechanism: The EFI KMK may be lost on firmware update or firmware recovery.
- The rescue mechanism of the EFI Root Key (ERK):
  - Use a public key in the kernel's trusted keyring (e.g. embedded key or MOK) to encrypt the EFI Root Key for user backup.
    - The "5.1 Encryption and decryption primitives" in PKCS#1 must be implemented in the kernel's RSA code.
  - The kernel exposes a symmetric key as a session key to encrypt the ERK as an envelope.
    - The session key is exposed through a read-only sysfs interface.
    - The session key changes every time user space reads the sysfs interface.
  - Export: Use one of the kernel's trusted public keys to encrypt the ERK envelope for user space.
  - Import: User space uses the session key to AES-encrypt the ERK as an ERK envelope, then signs it with the private key in PKCS#7 format.
  - The backup ERK envelope can only be used in rescue mode.
Current Result: