EFI key

openSUSE.Asia Summit

IB201

08/11 11:30 - 12:00

漢語 / Mandarin Chinese

Skilled / Intermediate

EFI boot services variables can only be accessed by signed EFI executables when Secure Boot has been enabled by the user. We can use this mechanism to store a random number in a boot services variable as a root key. The root key can be used to encrypt and authenticate other keys in the Linux kernel's key retention service, where it can become a new key type.

This talk introduces the EFI key:

  • EFI key:
      • A new master key type for the key retention service.
      • It can be a new option beyond the trusted key (TPM) and the user key.
  • ERK (EFI Root Key):
      • The EFI stub generates a random key and stores it in an EFI boot services variable.
      • The ERK is secure when Secure Boot is enabled.
      • Users must be aware of this and enable Secure Boot themselves if they want the protection.
      • The ERK can be used as a secret to encrypt a random number, producing an EFI key.
      • The EFI key can be used for hibernation encryption/authentication.
      • The EFI key can be a master key for generating an encrypted key for EVM.
  • Rescue mechanism for the ERK.
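A toy model of the key hierarchy outlined above, added here as an illustration and not code from the talk or from the kernel: the EFI stub reads a boot-services-only ERK before ExitBootServices(), derives the EFI key from it, and the kernel then wraps an EVM key under that EFI key, while the ERK itself is unreachable once the OS is running. The Firmware class, the variable names, the HMAC-based derivation and the encrypt-then-MAC blob are assumptions standing in for real firmware and the kernel's encrypted-key format.

```python
import hmac, hashlib, secrets
BOOTSERVICE_ACCESS, RUNTIME_ACCESS = 0x2, 0x4   # UEFI variable attribute bits

class Firmware:
    """Toy model of UEFI variable services (not real firmware, no hardware access)."""
    def __init__(self, secure_boot):
        self.secure_boot, self.in_boot_services, self.vars = secure_boot, True, {}

    def get_variable(self, name):
        attrs, data = self.vars[name]
        # Without RUNTIME_ACCESS a variable is invisible to the OS after ExitBootServices().
        if not self.in_boot_services and not attrs & RUNTIME_ACCESS:
            raise PermissionError(f"{name} is boot-services-only")
        return data

    def reboot(self):
        self.in_boot_services = True

def efi_stub(fw):
    """Signed EFI stub, before ExitBootServices(): create or read the ERK, derive the EFI key."""
    if "ERK" not in fw.vars:  # first boot: random 256-bit root key, boot-services-only
        fw.vars["ERK"] = (BOOTSERVICE_ACCESS, secrets.token_bytes(32))
        fw.vars["EFIKeySeed"] = (BOOTSERVICE_ACCESS | RUNTIME_ACCESS, secrets.token_bytes(32))
    efi_key = hmac.new(fw.get_variable("ERK"), fw.get_variable("EFIKeySeed"), hashlib.sha256).digest()
    fw.in_boot_services = False     # ExitBootServices(): from here on the ERK is out of reach
    return efi_key, fw.secure_boot  # second value: the ERK is only trustworthy under Secure Boot

def wrap_key(master, nonce, payload):
    """Encrypt-then-MAC under the EFI key; stand-in for the kernel's encrypted-key blob."""
    assert len(payload) <= 32, "one HMAC output block of keystream"
    stream = hmac.new(master, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(payload, stream))
    tag = hmac.new(master, b"auth" + nonce + ct, hashlib.sha256).digest()
    return ct + tag

def unwrap_key(master, nonce, blob):
    """Return the payload, or None when the blob was altered or the master key is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    expect = hmac.new(master, b"auth" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(master, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

def runtime_readable(fw, name):
    """True if the OS could read the variable after ExitBootServices()."""
    try:
        return fw.get_variable(name) is not None
    except PermissionError:
        return False
```

Across a reboot the stub re-derives the same EFI key, so a blob wrapped in one boot unwraps in the next, whereas a machine with a different ERK, or a blob that was altered, fails authentication.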

Joey Lee

Joey Lee is a SUSE Labs engineer in the Taipei office. He works on ACPI, EFI, Secure Boot, and hibernate signature verification.
