On Fri, Aug 09, 2013 at 12:37:37PM +0800, Lee, Chun-Yi wrote:
+ When machine resume from hibernate: - EFI bootloader should copy the public key from boottime variable to S4WakeKey EFI variable. - Bootloader need generated a new key-pair for next round S4 usage. It should put new privat ekey to S4SignKey variable.
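Review bot: the resume steps say the new private key goes into S4SignKey and the public key into S4WakeKey, but not which variable attributes each one carries or who may read them, so a reader cannot tell from this text how the private key is kept away from userspace; state that next to each step. In the same lines, "need generated" should read "needs to generate" and "privat ekey" should read "private key".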
So, first, this is brilliant. Thank you for putting the work into this.

The only potential problem is the generation of a new key pair on every reboot. Some hardware vendors have expressed concerns about writing variables on every boot, so if we can avoid that somehow then life would probably be better. Options for that would seem to be (1) set a flag on S4 and only regenerate keys if that flag has been set (although I need to think about the security considerations of that), or (2) use a magic GUID space that all kernels (including Windows) refuse to expose to userspace. (2) is obviously conditional upon Microsoft, but let's have a chat with them to see if there's already some special-casing in Windows. It wouldn't surprise me.

I'll review the rest of these over the next few days. I've been gradually merging in the shim changes to upstream, so do feel free to send me a pull request for the S4 stuff there, too.

--
Matthew Garrett | mjg59@srcf.ucam.org