
Garrett: Making hibernation work under Linux Lockdown

[Kernel] Posted Feb 22, 2021 15:25 UTC (Mon) by corbet

Matthew Garrett recently posted a patch set enabling hibernation on systems that are running in the UEFI secure-boot lockdown mode. This blog entry gets into the details of how it all works. "When we encrypt material with the TPM, we can ask it to record the PCR state. This is given back to us as metadata accompanying the encrypted secret. Along with the metadata is an additional signature created by the TPM, which can be used to prove that the metadata is both legitimate and associated with this specific encrypted data. In our case, that means we know what the value of PCR 23 was when we encrypted the key. That means that if we simply extend PCR 23 with a known value in-kernel before encrypting our key, we can look at the value of PCR 23 in the metadata. If it matches, the key was encrypted by the kernel - userland can create its own key, but it has no way to extend PCR 23 to the appropriate value first. We now know that the key was generated by the kernel."
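As an added illustration (not code from the LWN item or from Garrett's patch set), the following Python model walks through the check the quoted paragraph describes: one-way PCR extension, sealing that records PCR 23 in the accompanying metadata, a TPM-only ticket binding that metadata to the sealed blob, and the kernel-side comparison against the value only the kernel can produce. HMACs under keys held by the simulated TPM stand in for the real TPM's encryption and creation signature; the extend digest and the reset of PCR 23 around the kernel's seal are assumptions of this model.

```python
import hashlib
import hmac
import os

def pcr_extend(old, digest):
    # TPM PCR extend on a SHA-256 bank: new = H(old || digest). One-way, so a
    # caller can only move the PCR forward, never set it to a chosen value.
    return hashlib.sha256(old + digest).digest()

# Assumed digest the kernel extends PCR 23 with before sealing; any fixed value
# works, what matters is that only the kernel's code path performs it.
KERNEL_EXTEND_DIGEST = hashlib.sha256(b"kernel hibernation seal").digest()
EXPECTED_PCR23 = pcr_extend(bytes(32), KERNEL_EXTEND_DIGEST)

class SimTPM:
    # Toy TPM: one resettable PCR and two keys that never leave the device.
    def __init__(self):
        self.pcr23 = bytes(32)
        self._seal_key = os.urandom(32)    # stands in for the storage key
        self._ticket_key = os.urandom(32)  # stands in for the ticket key
    def pcr_reset(self):
        self.pcr23 = bytes(32)
    def extend_pcr23(self, digest):
        self.pcr23 = pcr_extend(self.pcr23, digest)
    def seal(self, secret):
        # Returns (blob, creation data, ticket): creation data records PCR 23
        # at seal time, the ticket binds that record to this specific blob.
        creation = self.pcr23
        blob = hmac.new(self._seal_key, secret + creation, "sha256").digest()
        ticket = hmac.new(self._ticket_key, blob + creation, "sha256").digest()
        return blob, creation, ticket
    def verify_ticket(self, blob, creation, ticket):
        good = hmac.new(self._ticket_key, blob + creation, "sha256").digest()
        return hmac.compare_digest(good, ticket)

def kernel_seal_key(tpm, key):
    # Kernel path: reset, extend with the known digest, seal, reset again so
    # the distinguished PCR state is never left around for userland to use.
    tpm.pcr_reset()
    tpm.extend_pcr23(KERNEL_EXTEND_DIGEST)
    sealed = tpm.seal(key)
    tpm.pcr_reset()
    return sealed

def kernel_accepts(tpm, blob, creation, ticket):
    # Resume-time check: the metadata must carry a valid TPM ticket for this
    # blob and show PCR 23 at the kernel-only value; anything else is rejected.
    if not tpm.verify_ticket(blob, creation, ticket):
        return False
    return hmac.compare_digest(creation, EXPECTED_PCR23)
```

A key sealed by userland (plain `tpm.seal`) records a different PCR 23 and is rejected, and substituting the expected PCR value into its metadata fails the ticket check instead.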


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds