A new master key type in Linux kernel
Joey Lee is a Linux kernel engineer at SUSE Labs. His working areas are the ACPI driver, hibernation and UEFI.
EFI boot services variables can only be read before ExitBootServices(), that is, by the firmware and the EFI executables it loads; when the user has enabled Secure Boot, only signed EFI executables run at that stage, so such a variable is reachable only by trusted code. This mechanism can be used to store a random number in a boot services variable as a root key. The root key can then be used to encrypt and authenticate other keys in the Linux kernel's key retention service (the keyring), as a new key type.
This talk introduces the EFI key:

- EFI key
  - A new master key type for the key retention service.
  - A further option beyond the trusted key (TPM) and the user key.
- ERK (EFI Root Key)
  - The EFI stub generates a random key and stores it in an EFI boot services variable.
  - The ERK is protected only while Secure Boot is enabled.
  - Users must be aware of this and enable Secure Boot themselves if they want that protection.
  - The ERK serves as the secret that encrypts a random number to generate an EFI key.
- The EFI key can be used for hibernation image encryption and authentication.
- The EFI key can serve as the master key from which an encrypted key for EVM is generated.
- A rescue mechanism for the ERK.
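To make the key hierarchy concrete, here is an added Python model of the flow the abstract describes. It is not the kernel's code and not anything from the talk: a signed EFI stub creates the ERK in a boot services variable on first boot, the booted kernel can no longer read that variable after ExitBootServices(), an EFI key is derived from the ERK and a random number and used to authenticate a hibernation image that the next boot verifies, and with Secure Boot off an unsigned EFI binary can simply read the ERK. HMAC-SHA256 stands in for whatever construction the real patches use; the variable name EfiRootKey, the header layout and the purpose label are assumptions made for the example.

```python
# Added model of the ERK -> EFI key hierarchy from the abstract, not kernel code; HMAC-SHA256 stands in for the real key construction, names and layout are made up.
import hashlib
import hmac
import secrets

# Real UEFI variable attribute bits (SetVariable() in the UEFI specification).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
ERK_VARIABLE_NAME = "EfiRootKey"  # hypothetical name, not from the talk

class EfiVariableAccessError(Exception):
    """Boot-services-only variable read after ExitBootServices()."""

class Firmware:
    """Toy UEFI variable store and image loader: a variable without RUNTIME_ACCESS is unreadable
    once boot services are gone; before that, unsigned EFI binaries run only if Secure Boot is off."""

    def __init__(self, secure_boot: bool):
        self.secure_boot = secure_boot
        self.boot_services_active = True  # cleared by ExitBootServices(), set again by a reboot
        self._vars = {}  # name -> (attributes, data); modelled as non-volatile

    def set_variable(self, name: str, attrs: int, data: bytes) -> None:
        self._vars[name] = (attrs, bytes(data))

    def get_variable(self, name: str) -> bytes:
        attrs, data = self._vars[name]  # KeyError models EFI_NOT_FOUND
        if not self.boot_services_active and not attrs & EFI_VARIABLE_RUNTIME_ACCESS:
            raise EfiVariableAccessError("boot services variable not visible at runtime")
        return data

    def load_image(self, signed: bool, entry):
        """Run an EFI binary; with Secure Boot on, unsigned images are refused."""
        if self.secure_boot and not signed:
            raise PermissionError("Secure Boot violation: unsigned image refused")
        return entry(self)

def efi_stub_load_erk(fw: Firmware) -> bytes:
    """What the signed EFI stub does: fetch the ERK, creating it on first boot."""
    try:
        return fw.get_variable(ERK_VARIABLE_NAME)
    except KeyError:
        erk = secrets.token_bytes(32)
        attrs = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS  # no RUNTIME_ACCESS
        fw.set_variable(ERK_VARIABLE_NAME, attrs, erk)
        return erk

def derive_efi_key(erk: bytes, random_number: bytes, purpose: bytes) -> bytes:
    """EFI key = PRF(ERK, purpose || random number); HMAC-SHA256 is an assumption."""
    return hmac.new(erk, purpose + random_number, hashlib.sha256).digest()

def seal_hibernation_image(erk: bytes, image: bytes) -> bytes:
    """Tag an image; the random number rides in the header so the next boot can
    re-derive the same EFI key from its own copy of the ERK."""
    rnd = secrets.token_bytes(16)
    key = derive_efi_key(erk, rnd, b"hibernate")
    return rnd + hmac.new(key, image, hashlib.sha256).digest() + image

def verify_hibernation_image(erk: bytes, blob: bytes) -> bool:
    rnd, tag, image = blob[:16], blob[16:48], blob[48:]
    key = derive_efi_key(erk, rnd, b"hibernate")
    return hmac.compare_digest(tag, hmac.new(key, image, hashlib.sha256).digest())

def _raises(fn, exc) -> bool:
    try:
        fn()
    except exc:
        return True
    return False

def demo() -> dict:
    read_erk = lambda f: f.get_variable(ERK_VARIABLE_NAME)  # any EFI binary, or the booted OS
    fw = Firmware(secure_boot=True)
    erk_boot1 = fw.load_image(signed=True, entry=efi_stub_load_erk)
    fw.boot_services_active = False  # kernel calls ExitBootServices()
    runtime_readable = not _raises(lambda: read_erk(fw), EfiVariableAccessError)
    blob = seal_hibernation_image(erk_boot1, b"constructed hibernation image")
    fw.boot_services_active = True  # reboot; the non-volatile ERK variable survives
    unsigned_refused = _raises(lambda: fw.load_image(False, read_erk), PermissionError)
    erk_boot2 = fw.load_image(signed=True, entry=efi_stub_load_erk)
    tampered = blob[:48] + bytes([blob[48] ^ 0x01]) + blob[49:]
    fw_off = Firmware(secure_boot=False)
    fw_off.load_image(signed=True, entry=efi_stub_load_erk)
    leaked = fw_off.load_image(signed=False, entry=read_erk)  # unsigned code reads the ERK
    return {
        "erk_runtime_readable": runtime_readable,
        "erk_same_across_boots": erk_boot1 == erk_boot2,
        "image_verifies": verify_hibernation_image(erk_boot2, blob),
        "tampered_verifies": verify_hibernation_image(erk_boot2, tampered),
        "unsigned_refused_with_secure_boot": unsigned_refused,
        "unsigned_reads_erk_without_secure_boot": len(leaked) == 32,
    }

if __name__ == "__main__":
    print(demo())
```

Running the file prints the result dictionary. The model shows why the ERK has to be fetched in the EFI stub rather than by the running kernel: without RUNTIME_ACCESS the variable is gone once ExitBootServices() has been called, which is exactly what keeps it away from a runtime attacker, and it also shows that the whole scheme depends on Secure Boot, since with it disabled any EFI binary can read the variable before the kernel does. The rescue mechanism the talk lists is not modelled here.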