EFI key

openSUSE.Asia Summit

IB201

08/11 11:30 - 12:00

Mandarin Chinese

Skilled

When the user has enabled Secure Boot, EFI boot services variables can be accessed only by signed EFI executables. We can use this mechanism to store a random number in a boot services variable as a root key. The root key can be used to encrypt and authenticate other keys in the Linux kernel's key retention service. It can be a new key type.

This talk introduces the EFI key:

  • EFI key:
      • A new master key type for the key retention service.
      • It can be a new option beyond the trusted key (TPM) and the user key.
  • ERK (EFI Root Key):
      • The EFI stub generates a random key and stores it in an EFI boot services variable.
      • The ERK is secure when Secure Boot is enabled.
      • Users must be aware of this and enable Secure Boot themselves if they want it.
      • The ERK can be a secret used to encrypt a random number to generate an EFI key.
  • The EFI key can be used for hibernation encryption/authentication.
  • The EFI key can be a master key used to generate an encrypted key for EVM.
  • Rescue mechanism for the ERK.

Joey Lee

Joey Lee is a SUSE Labs engineer in the Taipei office. He works on ACPI, EFI, Secure Boot, and Hibernate Signature Verification.
