EFI key

openSUSE.Asia Summit

IB201

08/11 11:30 - 12:00

漢語 / Mandarin Chinese

Skilled / 中階

EFI boot services variables can only be accessed by signed EFI executables while Secure Boot is enabled by the user. We can use this mechanism to store a random number in a boot services variable as a root key. That root key can then be used to encrypt and authenticate other keys in the Linux kernel's key retention service, as a new key type.

This talk introduces the EFI key:

  • EFI key:
    • A new master key type for the key retention service.
    • A new option beyond the trusted key (TPM) and the user key.
  • ERK (EFI Root Key):
    • The EFI stub generates a random key and stores it in an EFI boot services variable.
    • The ERK is secure only when Secure Boot is enabled.
    • Users must be aware of this and enable Secure Boot themselves if they want it.
    • The ERK can be the secret used to encrypt a random number, which generates an EFI key.
  • The EFI key can be used for hibernation encryption/authentication.
  • The EFI key can be a master key for generating an encrypted key for EVM.
  • Rescue mechanism for the ERK.
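As an added illustration (not code from the talk or from the kernel), the following Go program models the key hierarchy the outline describes: the ERK wraps a random EFI key, the EFI key in turn wraps an encrypted key for EVM, and nothing unwraps without the correct parent key. AES-GCM, the label strings and the 32-byte key sizes are assumptions of this model; the kernel's encrypted-key blob format is different.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const labelEFIKey, labelEVMKey = "efi-key", "evm-encrypted-key" // GCM additional data; constructed names

func newGCM(master []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(master) // master must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapKey encrypts and authenticates key material under master with AES-GCM; blob = nonce || ciphertext || tag.
func wrapKey(master, material []byte, label string) ([]byte, error) {
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return gcm.Seal(nonce, nonce, material, []byte(label)), nil
}

// unwrapKey reverses wrapKey and fails closed if master, blob or label differ.
func unwrapKey(master, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(label))
}

func main() {
	erk, efiKey := make([]byte, 32), make([]byte, 32) // constructed stand-ins, not firmware data
	rand.Read(erk)
	rand.Read(efiKey)
	blob, _ := wrapKey(erk, efiKey, labelEFIKey) // the EFI key only ever leaves memory wrapped under the ERK
	_, err := unwrapKey(make([]byte, 32), blob, labelEFIKey) // wrong root key: must be rejected
	fmt.Println("unwrap with wrong root key rejected:", err != nil)
}
```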


Joey Lee

Joey Lee is a SUSE Labs engineer in the Taipei office. He works on ACPI, EFI, Secure Boot, and hibernate signature verification.
