Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
linux-glibc-devel
0005-efi-generate-secret-key-in-EFI-boot-enviro...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0005-efi-generate-secret-key-in-EFI-boot-environment.patch of Package linux-glibc-devel
From a52895e103adf8dcaf94f481dec8a6098caccc99 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" <jlee@suse.com> Date: Tue, 12 Dec 2017 12:57:50 +0800 Subject: [PATCH 05/11] efi: generate secret key in EFI boot environment Patch-mainline: Never, SUSE-specific References: fate#316350 When secure boot is enabled, only signed EFI execution can access EFI boot service variable before ExitBootService. Which means the EFI boot service variable is secure. This patch add a function to EFI stub to generate a 512-bit random number that it can be used as a secret key for HMAC or AES. This secret key will be kept in EFI boot service variable. EFI stub reads and transfers secret key to runtime kernel by setup data. At runtime, the secret key will be kept in hidden area to prevent leak from accessing by user space. Hibernation uses EFI secret key to encrypt hidden area and sign the snapshot image. Joey Lee: The EFI secure key mechanism be rejected by kernel upstream because - The entropy inputs in EFI boot stage are too weak for key generation. - SLE applied RDRAND (x86) or EFI_RNG_PROTOCOL to grab stronger entropy. - The UEFI variable store was not designed with confidentiality in mind. Secure boot relies on Microsoft's Business interests. Microsoft doesn't use UEFI variables for confidentiality, so we shouldn't either. References: https://lkml.org/lkml/2018/8/5/10 Signed-off-by: Lee, Chun-Yi <jlee@suse.com> --- arch/x86/include/asm/efi.h | 11 + arch/x86/include/uapi/asm/bootparam.h | 1 arch/x86/kernel/setup.c | 19 ++ drivers/firmware/efi/Kconfig | 16 + drivers/firmware/efi/Makefile | 1 drivers/firmware/efi/efi-secret-key.c | 117 ++++++++++++++ drivers/firmware/efi/libstub/Makefile | 2 drivers/firmware/efi/libstub/efi_secret_key.c | 209 ++++++++++++++++++++++++++ drivers/firmware/efi/libstub/x86-stub.c | 3 include/linux/efi.h | 18 ++ 10 files changed, 396 insertions(+), 1 deletion(-) create mode 100644 arch/x86/boot/compressed/efi_secret_key.c create mode 100644 drivers/firmware/efi/efi-secret-key.c --- a/include/asm/bootparam.h +++ b/include/asm/bootparam.h @@ -10,6 +10,7 @@ #define SETUP_EFI 4 #define SETUP_APPLE_PROPERTIES 5 #define SETUP_JAILHOUSE 6 +#define SETUP_EFI_SECRET_KEY 7 #define SETUP_INDIRECT (1<<31)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
