[RFC v2 12/13] keys/mktme: Save MKTME data if kernel cmdline parameter allows
Alison Schofield
alison.schofield at intel.com
Fri Dec 7 03:42:17 UTC 2018
On Thu, Dec 06, 2018 at 06:14:03PM -0800, Huang, Kai wrote:
> On Mon, 2018-12-03 at 23:39 -0800, Alison Schofield wrote:
8< ------------
> > Add an 'mktme_vault' where key data is stored.
> >
> > Add 'mktme_savekeys' kernel command line parameter that directs
> > what key data can be stored. If it is not set, kernel does not
> > store users data key or tweak key.
> >
> > Add 'mktme_bitmap_user_type' to track when USER type keys are in
> > use. If no USER type keys are currently in use, a physical package
> > may be brought online, despite the absence of 'mktme_savekeys'.
>
> Overall, I am not sure whether saving key is good idea, since it breaks coldboot attack IMHO. We
> need to tradeoff between supporting CPU hotplug and security. I am not sure whether supporting CPU
> hotplug is that important, since for some other features such as SGX, we don't support CPU hotplug
> anyway.
Yes, saving the key data exposes it in a cold boot attack.
Here we have 2 conflicting requirements. Do not save the data and
support CPU hotplug. I don't think CPU hotplug support is budging!
If the risk of offering the mktme_savekeys option is too dangerous,
then we can't have user type keys.
Is mktme_savekeys options too risky to offer?
(That's not just a question for you Kai ;). I'll pursue too.)
>
> Alternatively, we can choose to use per-socket keyID, but not to program keyID globally across all
> sockets, so you don't have to save key while still supporting CPU hotplug.
An alternative, with a lot of impact to the core linux support for
MKTME. I don't think we need to go there. I'll leave this thought for
a Kirill or Dave to perhaps elaborate on.
Alison
>
> Thanks,
> -Kai
More information about the Linux-security-module-archive
mailing list