File 0005-efi-generate-secret-key-in-EFI-boot-environment.patch of Package linux-glibc-devel.26130

From a52895e103adf8dcaf94f481dec8a6098caccc99 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Tue, 12 Dec 2017 12:57:50 +0800
Subject: [PATCH 05/11] efi: generate secret key in EFI boot environment
Patch-mainline: Never, SUSE-specific
References: fate#316350

When secure boot is enabled, only signed EFI execution can access
EFI boot service variable before ExitBootService. Which means the
EFI boot service variable is secure.

This patch adds a function to EFI stub to generate a 512-bit random
number that can be used as a secret key for HMAC or AES. This
secret key will be kept in EFI boot service variable. EFI stub
reads and transfers secret key to runtime kernel by setup data.

At runtime, the secret key will be kept in hidden area to prevent
leak from accessing by user space. Hibernation uses EFI secret key
to encrypt hidden area and sign the snapshot image.

Joey Lee:
The EFI secure key mechanism was rejected by kernel upstream because
- The entropy inputs in EFI boot stage are too weak for key generation.
  - SLE applied RDRAND (x86) or EFI_RNG_PROTOCOL to grab stronger entropy.
- The UEFI variable store was not designed with confidentiality in mind.
  Secure boot relies on Microsoft's Business interests. Microsoft doesn't
  use UEFI variables for confidentiality, so we shouldn't either.

References: https://lkml.org/lkml/2018/8/5/10
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 arch/x86/include/asm/efi.h                    |   11 +
 arch/x86/include/uapi/asm/bootparam.h         |    1 
 arch/x86/kernel/setup.c                       |   19 ++
 drivers/firmware/efi/Kconfig                  |   16 +
 drivers/firmware/efi/Makefile                 |    1 
 drivers/firmware/efi/efi-secret-key.c         |  117 ++++++++++++++
 drivers/firmware/efi/libstub/Makefile         |    2 
 drivers/firmware/efi/libstub/efi_secret_key.c |  209 ++++++++++++++++++++++++++
 drivers/firmware/efi/libstub/x86-stub.c       |    3 
 include/linux/efi.h                           |   18 ++
 10 files changed, 396 insertions(+), 1 deletion(-)
 create mode 100644 arch/x86/boot/compressed/efi_secret_key.c
 create mode 100644 drivers/firmware/efi/efi-secret-key.c

--- a/include/asm/bootparam.h
+++ b/include/asm/bootparam.h
@@ -10,6 +10,7 @@
 #define SETUP_EFI			4
 #define SETUP_APPLE_PROPERTIES		5
 #define SETUP_JAILHOUSE			6
+#define SETUP_EFI_SECRET_KEY		7
 
 #define SETUP_INDIRECT			(1<<31)
 
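Review bot: SETUP_EFI_SECRET_KEY is given the value 7, the next number in sequence after SETUP_JAILHOUSE, in a header the diffstat lists under uapi, while the patch header says "Patch-mainline: Never, SUSE-specific". An out-of-tree allocation inside the sequential range can collide with whatever setup_data type mainline assigns to 7 next, and anything built against these headers would then misread that entry. Suggest adding a comment on the define stating that it is a SUSE-only type, and considering a value well away from the upstream sequence (still below the SETUP_INDIRECT bit) so a later mainline addition cannot alias it. Separately, the "create mode" line names arch/x86/boot/compressed/efi_secret_key.c, which does not appear in the diffstat; the summary should be regenerated so it matches the files actually touched.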