S4 sig-check-lpc-20130918


Signature verification of hibernate snapshot
September, 2013, LPC 2013, New Orleans

Joey Lee

Problem

On a multi-boot machine, an attacker can use any hole in another UEFI-trusted OS to modify the hibernate snapshot image in the swap partition.

Through uswsusp, userspace can take the snapshot of memory, modify it, upload it back to memory, then trigger the restore.

Idea

Jiri Kosina: Let the EFI bootloader generate a key-pair, then pass it to the kernel to sign the hibernate image.

Fundamental point: trust that boot-time variables are secure when UEFI Secure Boot is enabled.

Attempt to protect snapshot image integrity.

Steps (when hibernate)

The shim bootloader generates a key-pair and puts the keys into non-volatile boot-time variables.

The EFI stub kernel loads the private key before ExitBootServices().

The hibernate subsystem copies the private key to an empty page and keeps it there to sign the snapshot when hibernation is launched.

The kernel generates a signature of the snapshot image, then puts the signature into the snapshot header. The currently reserved maximum size of the signature is 512 bytes.

Steps (when hibernate restore)

After hibernate has loaded the snapshot image from swap into temporary memory, the kernel uses the public key from the runtime volatile variable to verify the signature stored in the snapshot header.

Then, depending on sig_enforce:

OFF: taint the kernel and produce a complaint log when the signature check fails.

ON: fail the hibernate restore, then finish the normal boot process when the signature check fails.

How to enable sig_enforce?

Use the snapshot_sig_enforce kernel parameter.

Set the kernel config EFI_SECURE_BOOT_SNAPSHOT_SIG_ENFORCE, then enable UEFI Secure Boot.

EFI variable name and GUID

GUID: fe141863-c070-478e-b8a3-878a5dc9ef21

S4SignKey [BT][NV]: private key, PKCS#8 _uncompressed_ private key format

S4WakeKey [RT][V]: public key, X.509 format

When should shim generate keys?

When the system boots and shim doesn't find a key-pair.

When shim finds the GenS4Key EFI variable written by the kernel: GenS4Key-fe141863-c070-478e-b8a3-878a5dc9ef21 [RT][NV]

The kernel or userspace writes the GenS4Key variable to '1' when hibernation is launched.

The kernel deletes GenS4Key during system boot.

Implementation Parts

Key-pair generator in shim (author: Gary Lin)

https://github.com/lcp/shim/tree/s4-key-upstream

Asymmetric keys in kernel: implemented a PKCS#8 and PKCS#1 RSA private key parser.

Added a signature generation API and implemented the signature generation logic of PKCS#1 (RFC 3447 sec 8.2.2).

Hibernate in kernel: CONFIG_SNAPSHOT_VERIFICATION=y

Maintain and forward the private key.

Avoid including the private key in the snapshot image.

Sign snapshot image: generate signature then put it to snapshot header.
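The hibernate-time signing and restore-time check from the steps above, together with the PKCS#1 signature generation listed under Implementation Parts, as an added example that is not part of the slides or of the kernel/shim code: a pure-Python model of the flow. It assumes a toy header layout (a 4-byte signature length followed by the 512-byte reserved signature field), an RSA-1024 key-pair generated in-process in place of the shim-generated one, SHA-256 as the hash, and function names of my own choosing.

```python
"""Model of signing a hibernate snapshot and verifying it on restore.
Added example; not the kernel's or shim's code. Header layout, key size
and function names are assumptions for illustration."""
import hashlib
import hmac
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 3447 sec 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SIG_RESERVED = 512  # reserved signature space in the snapshot header (from the talk)
SIG_LEN_FIELD = 4   # assumed: length prefix in front of the reserved field


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Stands in for the key-pair shim generates at boot (assumption: RSA-1024
    for speed; the 512-byte header field would hold an RSA-4096 signature)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def emsa_pkcs1_v1_5(message, em_len):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo (RFC 3447 sec 9.2)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(priv, message):
    """RSASSA-PKCS1-v1_5 signature generation (RFC 3447 sec 8.2.1)."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v1_5(message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def verify(pub, message, signature):
    """RSASSA-PKCS1-v1_5 verification (RFC 3447 sec 8.2.2): re-encode and compare."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(message, k))


def write_snapshot(priv, image):
    """Hibernate side: sign the image and store the signature in the header's
    reserved field. The private key itself never goes into the image."""
    sig = sign(priv, image)
    if len(sig) > SIG_RESERVED:
        raise ValueError("signature does not fit the reserved header field")
    header = len(sig).to_bytes(SIG_LEN_FIELD, "big") + sig.ljust(SIG_RESERVED, b"\x00")
    return header + image


def restore_snapshot(pub, snapshot, sig_enforce):
    """Restore side: verify the header signature with the public key and apply
    the sig_enforce policy. Returns (image or None, kernel_tainted, log_line)."""
    sig_len = int.from_bytes(snapshot[:SIG_LEN_FIELD], "big")
    sig = snapshot[SIG_LEN_FIELD:SIG_LEN_FIELD + sig_len]
    image = snapshot[SIG_LEN_FIELD + SIG_RESERVED:]
    if verify(pub, image, sig):
        return image, False, "snapshot signature OK"
    if sig_enforce:  # ON: abort the restore, continue with a normal boot
        return None, False, "snapshot signature check failed, restore aborted"
    return image, True, "snapshot signature check failed, kernel tainted"  # OFF


if __name__ == "__main__":
    pub, priv = generate_keypair()
    image = b"constructed snapshot page data " * 64  # constructed sample image
    snap = write_snapshot(priv, image)
    print(restore_snapshot(pub, snap, sig_enforce=True)[2])
    tampered = snap[:-1] + bytes([snap[-1] ^ 1])
    print(restore_snapshot(pub, tampered, sig_enforce=True)[2])
    print(restore_snapshot(pub, tampered, sig_enforce=False)[2])
```

Verification re-encodes the message with EMSA-PKCS1-v1_5 and compares the full encoded block, which is the comparison form RFC 3447 prescribes and avoids the lenient-parsing mistakes that have historically affected signature checkers.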

Performance of hash (machine 1)

CPU: Intel(R) Core(TM) i5 CPU 650 @ 3.20GHz

x86_64, ssse3

Normal:

SHA1: 150.80 MB/s

SHA256: 59.19 MB/s

SHA512: 78.44 MB/s

Built with ssse3 support (v3.10 and later):

SHA1: 195.60 MB/s

SHA256: 82.76 MB/s

SHA512: 120.60 MB/s

Performance of hash (machine 2)

CPU: Intel(R) CPU @ 2.60GHz

x86_64, ssse3, avx, avx2

Normal:

SHA1: 436.42 MB/s

SHA256: 163.23 MB/s

SHA512: 228.67 MB/s

Built with ssse3, avx, avx2 support (v3.10 and later):

SHA1: 609.66 MB/s