Garrett: Making hibernation work under Linux Lockdown

Post Syndicated from corbet original

Matthew Garrett recently posted a patch set enabling hibernation on systems running with the kernel's lockdown mode enabled, as is normally the case when booting under UEFI secure boot. This blog entry gets into the details of how it all works, in particular how the hibernation image key is sealed to the TPM so that only a key created by the kernel (not by userland) will be accepted on resume. “When we encrypt material with
into the details of how it all works. “When we encrypt material with
the TPM, we can ask it to record the PCR state. This is given back to us as
metadata accompanying the encrypted secret. Along with the metadata is an
additional signature created by the TPM, which can be used to prove that
the metadata is both legitimate and associated with this specific encrypted
data. In our case, that means we know what the value of PCR 23 was when we
encrypted the key. That means that if we simply extend PCR 23 with a known
value in-kernel before encrypting our key, we can look at the value of PCR
23 in the metadata. If it matches, the key was encrypted by the kernel –
userland can create its own key, but it has no way to extend PCR 23 to the
appropriate value first. We now know that the key was generated by the