From patchwork Tue Aug 11 06:16:26 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chun-Yi Lee X-Patchwork-Id: 6988951 Return-Path: X-Original-To: patchwork-linux-pm@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id C13989F358 for ; Tue, 11 Aug 2015 06:22:59 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id F37E320588 for ; Tue, 11 Aug 2015 06:22:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E76852054E for ; Tue, 11 Aug 2015 06:22:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755327AbbHKGSR (ORCPT ); Tue, 11 Aug 2015 02:18:17 -0400 Received: from mail-pa0-f45.google.com ([209.85.220.45]:35620 "EHLO mail-pa0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755227AbbHKGSN (ORCPT ); Tue, 11 Aug 2015 02:18:13 -0400 Received: by pacgr6 with SMTP id gr6so43541171pac.2; Mon, 10 Aug 2015 23:18:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=RZu3N+ehoRxRo5sX+VPGgUntqRDJyLWGPHGBNp2CGAI=; b=yhy8TAmgJrox2BIXCtNPMrDPgsZvyBCQz1zidKboLkyVos5YCwRrCJnby4yVetL+mG 1kENt8TyNKlyafDc+I4xfQ6U2fjmbQvC5A7qk9Z4Cwybf06wBLKJJGuoaTgITHc8pF6/ 8/WEfLDnYyaZLDEw65T33kqdyTuQhfxbNNDn9WLSXrtlVwl3ADwiIlODXiPAAfhmzaSS LyOed9cukwRK7C7x9dHh88jam1jmZuhfd7zrJcBsMfp/F2pJvCLS+lS+C09TeJK0LZHK ASwe5TaDlb1muk0JJ3FeHm155paKjBMae2gSD/cOzCkldox6gHxWGZyz2+AiA8pWHZZw 2hcg== X-Received: by 10.68.113.194 with SMTP id ja2mr53052070pbb.46.1439273893295; Mon, 10 Aug 2015 23:18:13 -0700 (PDT) Received: from linux-rxt1.site ([130.57.30.250]) by smtp.gmail.com with ESMTPSA id qe3sm1082667pbc.73.2015.08.10.23.18.04 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Aug 2015 23:18:12 -0700 (PDT) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: linux-kernel@vger.kernel.org Cc: linux-efi@vger.kernel.org, linux-pm@vger.kernel.org, "Rafael J. Wysocki" , Matthew Garrett , Len Brown , Pavel Machek , Josh Boyer , Vojtech Pavlik , Matt Fleming , Jiri Kosina , "H. Peter Anvin" , Ingo Molnar , "Lee, Chun-Yi" Subject: [PATCH v2 06/16] x86/efi: Generating random HMAC key for siging hibernate image Date: Tue, 11 Aug 2015 14:16:26 +0800 Message-Id: <1439273796-25359-7-git-send-email-jlee@suse.com> X-Mailer: git-send-email 1.8.4.5 In-Reply-To: <1439273796-25359-1-git-send-email-jlee@suse.com> References: <1439273796-25359-1-git-send-email-jlee@suse.com> Sender: linux-pm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-pm@vger.kernel.org X-Spam-Status: No, score=-7.0 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch adds codes in EFI stub for generating and storing the HMAC key in EFI boot service variable for signing hibernate image. Per rcf2104, the length of HMAC-SHA1 hash result is 20 bytes, and it recommended the length of key the same with hash rsult, means also 20 bytes. Using longer key would not significantly increase the function strength. Due to the nvram space is limited in some UEFI machines, so using the minimal recommended length 20 bytes key that will stored in boot service variable. The HMAC key stored in EFI boot service variable, GUID is HIBERNATIONKey-fe141863-c070-478e-b8a3-878a5dc9ef21. Reviewed-by: Jiri Kosina Tested-by: Jiri Kosina Signed-off-by: Lee, Chun-Yi --- arch/x86/boot/compressed/eboot.c | 60 ++++++++++++++++++++++++++++++++++++++++ arch/x86/include/asm/suspend.h | 9 ++++++ include/linux/suspend.h | 3 ++ 3 files changed, 72 insertions(+) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index 0ffb6db..463aa9b 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ #include #include #include +#include #include "../string.h" #include "eboot.h" @@ -1383,6 +1384,63 @@ free_mem_map: return status; } +#ifdef CONFIG_HIBERNATE_VERIFICATION +#define HIBERNATION_KEY \ + ((efi_char16_t [15]) { 'H', 'I', 'B', 'E', 'R', 'N', 'A', 'T', 'I', 'O', 'N', 'K', 'e', 'y', 0 }) +#define HIBERNATION_KEY_ATTRIBUTE (EFI_VARIABLE_NON_VOLATILE | \ + EFI_VARIABLE_BOOTSERVICE_ACCESS) + +static void setup_hibernation_keys(struct boot_params *params) +{ + unsigned long key_size; + unsigned long attributes; + struct hibernation_keys *keys; + efi_status_t status; + + /* Allocate setup_data to carry keys */ + status = efi_call_early(allocate_pool, EFI_LOADER_DATA, + sizeof(struct hibernation_keys), &keys); + if (status != EFI_SUCCESS) { + efi_printk(sys_table, "Failed to alloc mem for hibernation keys\n"); + return; + } + + memset(keys, 0, sizeof(struct hibernation_keys)); + + status = efi_call_early(get_variable, HIBERNATION_KEY, + &EFI_HIBERNATION_GUID, &attributes, + &key_size, keys->hibernation_key); + if (status == EFI_SUCCESS && attributes != HIBERNATION_KEY_ATTRIBUTE) { + efi_printk(sys_table, "A hibernation key is not boot service variable\n"); + memset(keys->hibernation_key, 0, HIBERNATION_DIGEST_SIZE); + status = efi_call_early(set_variable, HIBERNATION_KEY, + &EFI_HIBERNATION_GUID, attributes, 0, + NULL); + if (status == EFI_SUCCESS) { + efi_printk(sys_table, "Cleaned existing hibernation key\n"); + status = EFI_NOT_FOUND; + } + } + + if (status != EFI_SUCCESS) { + efi_printk(sys_table, "Failed to get existing hibernation key\n"); + + efi_get_random_key(sys_table, params, keys->hibernation_key, + HIBERNATION_DIGEST_SIZE); + + status = efi_call_early(set_variable, HIBERNATION_KEY, + &EFI_HIBERNATION_GUID, + HIBERNATION_KEY_ATTRIBUTE, + HIBERNATION_DIGEST_SIZE, + keys->hibernation_key); + if (status != EFI_SUCCESS) + efi_printk(sys_table, "Failed to set hibernation key\n"); + } +} +#else +static void setup_hibernation_keys(struct boot_params *params) {} +#endif + /* * On success we return a pointer to a boot_params structure, and NULL * on failure. @@ -1420,6 +1478,8 @@ struct boot_params *efi_main(struct efi_config *c, setup_efi_pci(boot_params); + setup_hibernation_keys(boot_params); + status = efi_call_early(allocate_pool, EFI_LOADER_DATA, sizeof(*gdt), (void **)&gdt); if (status != EFI_SUCCESS) { diff --git a/arch/x86/include/asm/suspend.h b/arch/x86/include/asm/suspend.h index 2fab6c2..ab463c4 100644 --- a/arch/x86/include/asm/suspend.h +++ b/arch/x86/include/asm/suspend.h @@ -3,3 +3,12 @@ #else # include #endif + +#ifdef CONFIG_HIBERNATE_VERIFICATION +#include + +struct hibernation_keys { + unsigned long hkey_status; + u8 hibernation_key[HIBERNATION_DIGEST_SIZE]; +}; +#endif diff --git a/include/linux/suspend.h b/include/linux/suspend.h index 56c6de9..aa88b3b 100644 --- a/include/linux/suspend.h +++ b/include/linux/suspend.h @@ -328,6 +328,9 @@ struct platform_hibernation_ops { #ifdef CONFIG_HIBERNATION +#define EFI_HIBERNATION_GUID \ + EFI_GUID(0xfe141863, 0xc070, 0x478e, 0xb8, 0xa3, 0x87, 0x8a, 0x5d, 0xc9, 0xef, 0x21) + /* HMAC Algorithm of Hibernate Signature */ #define HIBERNATION_HMAC "hmac(sha1)" #define HIBERNATION_DIGEST_SIZE 20