
Garrett: Making hibernation work under Linux Lockdown

by corbet, from LWN.net
Matthew Garrett recently posted a patch set enabling hibernation on systems that are running in the UEFI secure-boot lockdown mode. This blog entry gets into the details of how it all works. "When we encrypt material with the TPM, we can ask it to record the PCR state. This is given back to us as metadata accompanying the encrypted secret. Along with the metadata is an additional signature created by the TPM, which can be used to prove that the metadata is both legitimate and associated with this specific encrypted data. In our case, that means we know what the value of PCR 23 was when we encrypted the key. That means that if we simply extend PCR 23 with a known value in-kernel before encrypting our key, we can look at the value of PCR 23 in the metadata. If it matches, the key was encrypted by the kernel - userland can create its own key, but it has no way to extend PCR 23 to the appropriate value first. We now know that the key was generated by the kernel."
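As an added illustration of the PCR 23 check Garrett describes (this is not code from the patch set or from LWN; it is a Python model with stand-in primitives): the kernel extends PCR 23 with a known value before sealing, the TPM records the PCR value in the seal metadata and signs it, and on resume the kernel recomputes what PCR 23 must have been and compares. `KERNEL_EXTEND_VALUE`, the `SimTPM` class, its HMAC "signature" and XOR "encryption" are all constructed stand-ins for the real TPM operations. Each `SimTPM` instance represents a boot in which PCR 23 starts zeroed, and the model assumes, as the quoted text does, that userland cannot bring PCR 23 into the kernel's post-extend state; how the kernel guarantees that is outside the quoted passage.

```python
import hashlib
import hmac
import os

PCR_LEN = 32       # SHA-256 PCR bank
KERNEL_PCR = 23    # PCR the kernel extends before sealing the hibernation key
# Constructed "known value" the kernel extends PCR 23 with (an assumption for
# this model, not the value used by the real patch set).
KERNEL_EXTEND_VALUE = hashlib.sha256(b"hibernation-key-seal").digest()


def pcr_extend(current: bytes, value: bytes) -> bytes:
    """TPM PCR extend: new = H(old || value)."""
    return hashlib.sha256(current + value).digest()


class SimTPM:
    """Toy TPM: a PCR bank, a seal operation that records PCR state in signed
    metadata, and an unseal operation. Keys never leave the object."""

    def __init__(self):
        self.pcrs = [bytes(PCR_LEN) for _ in range(24)]
        self._seal_key = os.urandom(32)    # stands in for the TPM storage key
        self._attest_key = os.urandom(32)  # stands in for the TPM signing key

    def extend(self, index: int, value: bytes) -> None:
        self.pcrs[index] = pcr_extend(self.pcrs[index], value)

    def _sign(self, nonce, ciphertext, pcr_index, pcr_value) -> bytes:
        msg = nonce + ciphertext + bytes([pcr_index]) + pcr_value
        return hmac.new(self._attest_key, msg, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr_index: int) -> dict:
        """Encrypt a 32-byte secret and return it with signed PCR metadata."""
        assert len(secret) == PCR_LEN
        nonce = os.urandom(16)
        # Toy stream cipher: one SHA-256 output block as keystream.
        stream = hashlib.sha256(self._seal_key + nonce).digest()
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        pcr_value = self.pcrs[pcr_index]
        return {"nonce": nonce, "ciphertext": ciphertext,
                "pcr_index": pcr_index, "pcr_value": pcr_value,
                "sig": self._sign(nonce, ciphertext, pcr_index, pcr_value)}

    def metadata_is_genuine(self, blob: dict) -> bool:
        """Did this TPM produce this ciphertext together with this metadata?"""
        expected = self._sign(blob["nonce"], blob["ciphertext"],
                              blob["pcr_index"], blob["pcr_value"])
        return hmac.compare_digest(expected, blob["sig"])

    def unseal(self, blob: dict) -> bytes:
        stream = hashlib.sha256(self._seal_key + blob["nonce"]).digest()
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


def expected_kernel_pcr_value() -> bytes:
    """PCR 23 after the kernel's single extend of a zeroed PCR."""
    return pcr_extend(bytes(PCR_LEN), KERNEL_EXTEND_VALUE)


def kernel_seal_key(tpm: SimTPM, key: bytes) -> dict:
    """Kernel path at hibernation: extend PCR 23, then seal the key."""
    tpm.extend(KERNEL_PCR, KERNEL_EXTEND_VALUE)
    return tpm.seal(key, KERNEL_PCR)


def kernel_accepts_sealed_key(tpm: SimTPM, blob: dict) -> bool:
    """Kernel path at resume: metadata must be TPM-signed, and the recorded
    PCR 23 value must be the one only the kernel's extend produces."""
    if not tpm.metadata_is_genuine(blob):
        return False
    if blob["pcr_index"] != KERNEL_PCR:
        return False
    return hmac.compare_digest(blob["pcr_value"], expected_kernel_pcr_value())


def demo() -> dict:
    """Run the kernel case and three non-kernel cases; return accept/reject."""
    key = os.urandom(32)
    tpm = SimTPM()                      # boot 1: kernel seals after extending
    kernel_blob = kernel_seal_key(tpm, key)
    tpm_u1 = SimTPM()                   # boot 2: userland seals, PCR 23 untouched
    userland_blob = tpm_u1.seal(os.urandom(32), KERNEL_PCR)
    tpm_u2 = SimTPM()                   # boot 3: userland extends with wrong value
    tpm_u2.extend(KERNEL_PCR, b"some other value")
    userland_blob2 = tpm_u2.seal(os.urandom(32), KERNEL_PCR)
    # Metadata tampering: copy the expected PCR value into a userland blob.
    forged = dict(userland_blob, pcr_value=expected_kernel_pcr_value())
    return {
        "kernel": kernel_accepts_sealed_key(tpm, kernel_blob),
        "unextended": kernel_accepts_sealed_key(tpm_u1, userland_blob),
        "wrong_extend": kernel_accepts_sealed_key(tpm_u2, userland_blob2),
        "forged": kernel_accepts_sealed_key(tpm_u1, forged),
        "unseal_ok": tpm.unseal(kernel_blob) == key,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:13s} -> {accepted}")
```

Only the blob sealed after the kernel's own extend is accepted; a blob sealed with PCR 23 untouched or extended with a different value carries a non-matching PCR value, and patching the expected value into the metadata breaks the TPM's signature over it.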