Fdf0e4ed6eea4ec1c476b0e288003e68

by Joey Lee

Joey Lee is a Linux engineer from SUSE Labs. His working areas are ACPI driver, Hibernate, UEFI.

No video of the event yet, sorry!

The EFI boot services variable can only be accessed by signed EFI execution when secure boot is enabled by user. We can use the mechanism to store a random number in boot services variable as a root key. The root key can be sused to encrypt and authenticate other keys in key retention service in Linux kernel. It can be a new key type.

This talk introduces the EFI key:
- EFI key:
- A new master key type to key retention service.
- It can be a new option beyond trusted key(TPM) and user key.
- ERK (EFI Root Key)
- EFI stub generates a random key and stores in EFI boot services variable.
- The ERK is secure when secure boot enabled.
- User must aware and enable secure boot by themself if they want.
- ERK can be a secret to encrypt a random number for generate a EFI key
- The EFI key can be used by hibernation encryption/authentication.
- The EFI key can be a master key to generate a encrypted key for EVM.
- Rescue mechanism for ERK.

Date:
2018 August 11 11:30
Duration:
30 min
Room:
Conference Room #201
Conference:
openSUSE.Asia Summit 2018
Language:
Track:
Difficulty:
Medium