An EFI boot services variable can only be accessed by signed EFI code, and only while secure boot is enabled by the user. We can use this mechanism to store a random number in a boot services variable as a root key. That root key can then be used to encrypt and authenticate other keys in the Linux kernel's key retention service, as a new key type.
This talk introduces the EFI key:
- EFI key:
 - A new master key type for the key retention service.
 - It can be a new option beyond the trusted key (TPM) and the user key.
 - ERK (EFI Root Key)
 - The EFI stub generates a random key and stores it in an EFI boot services variable.
 - The ERK is secure only when secure boot is enabled.
 - Users must be aware of this and enable secure boot themselves if they want it.
 - The ERK can serve as the secret that encrypts a random number to generate an EFI key.
 - The EFI key can be used for hibernation encryption/authentication.
 - The EFI key can be a master key from which an encrypted key for EVM is generated.
 - Rescue mechanism for the ERK.
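The key hierarchy outlined above (ERK wraps the EFI key, the EFI key wraps an encrypted key for EVM), together with the secure boot check the user is expected to make, as an added illustration that is not the talk's kernel code. The `/sys/firmware/efi/efivars/SecureBoot-...` path and the UEFI attribute bits are real; the ERK is simulated with `os.urandom` instead of being read from a boot services variable, and the HMAC-SHA256 wrapping and counter-mode KDF are constructed stand-ins for whatever cipher the kernel implementation uses.

```python
"""Added example: ERK -> EFI key -> encrypted key chain, plus a SecureBoot check.
Wrapping algorithm, key sizes and the simulated ERK are assumptions, not the
talk's implementation."""
import hashlib
import hmac
import os
import struct

# Real efivarfs path of the SecureBoot variable (EFI global variable GUID).
SECUREBOOT_EFIVAR = ("/sys/firmware/efi/efivars/"
                     "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")

# UEFI variable attribute bits (from the UEFI specification).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw: bytes):
    """efivarfs file layout: 4-byte little-endian attributes, then the data."""
    if len(raw) < 4:
        return 0, b""
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_enabled(raw: bytes) -> bool:
    """SecureBoot carries a single data byte: 1 when enforcement is on."""
    _, data = parse_efivar(raw)
    return len(data) >= 1 and data[0] == 1


def is_boot_services_only(attrs: int) -> bool:
    """Without RUNTIME_ACCESS the variable is unreachable after ExitBootServices,
    which is what keeps an ERK stored this way out of the OS's reach at runtime."""
    return bool(attrs & EFI_VARIABLE_BOOTSERVICE_ACCESS) and not (attrs & EFI_VARIABLE_RUNTIME_ACCESS)


def read_secure_boot_state() -> bool:
    """Live-system wrapper; False when the machine was not booted via EFI."""
    try:
        with open(SECUREBOOT_EFIVAR, "rb") as f:
            return secure_boot_enabled(f.read())
    except OSError:
        return False


def kdf(key: bytes, label: bytes, length: int = 32) -> bytes:
    """HMAC-SHA256 in counter mode (SP 800-108 style); constructed stand-in KDF."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, struct.pack(">I", counter) + label, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC under a key-encryption key. The returned blob is the
    persisted form; the secret itself only ever lives in (kernel) memory."""
    nonce = os.urandom(16)
    enc_key, mac_key = kdf(kek, b"enc"), kdf(kek, b"mac")
    stream = kdf(enc_key, nonce, len(secret))
    ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Authenticate before decrypting: a wrong ERK or a modified blob raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = kdf(kek, b"enc"), kdf(kek, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key blob failed authentication")
    stream = kdf(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def generate_erk() -> bytes:
    """Stands in for the EFI stub drawing a random ERK and writing it to a
    boot services variable; here it is simply returned (assumption)."""
    return os.urandom(32)


def create_efi_key(erk: bytes):
    """EFI key = fresh random number; its stored form is the ERK-wrapped blob."""
    efi_key = os.urandom(32)
    return efi_key, wrap(erk, efi_key)


def create_encrypted_key(efi_key: bytes):
    """EVM-style encrypted key whose master key is the EFI key."""
    evm_key = os.urandom(32)
    return evm_key, wrap(efi_key, evm_key)


if __name__ == "__main__":
    erk = generate_erk()
    efi_key, efi_blob = create_efi_key(erk)
    evm_key, evm_blob = create_encrypted_key(efi_key)
    # Next boot: rebuild the whole chain from the ERK and the two stored blobs.
    assert unwrap(unwrap(erk, efi_blob), evm_blob) == evm_key
    print("secure boot enabled on this host:", read_secure_boot_state())
```

Only the two blobs need to be stored on disk; if the ERK is unavailable (secure boot turned off, or firmware state lost), `unwrap` fails closed, which is the situation the talk's "rescue mechanism" item has to address.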