Signature verification of hibernate snapshot
September 2013, LPC 2013, New Orleans

Joey Lee
Problem

● On a multi-boot machine, an attacker can use any hole in another UEFI-trusted OS to modify the hibernate snapshot image in the swap partition.
● Through uswsusp, userspace can take the snapshot of memory, modify it, upload it back to memory and then trigger the restore.

© SUSE, All rights reserved.
Idea

● Jiri Kosina: let the EFI bootloader generate a key pair and pass it to the kernel to sign the hibernate image.
● Fundamental point: trust that boot-time variables are secure when UEFI Secure Boot is enabled.
● Attempt to protect snapshot image integrity.
Steps (when hibernating)

● The shim bootloader generates a key pair and puts the keys into non-volatile boot-time variables.
● The EFI stub kernel loads the private key before ExitBootServices().
● The hibernate subsystem copies the private key to an empty page and keeps it there to sign the snapshot when hibernation is launched.
● The kernel generates a signature of the snapshot image and puts the signature into the snapshot header. The currently reserved maximum size of the signature is 512 bytes.
Steps (when restoring from hibernation)

● After hibernate has loaded the snapshot image from swap into temporary memory space, the kernel uses the public key from the runtime volatile variable to verify the signature stored in the snapshot header.
● Then, depending on sig_enforce:
  – OFF: taint the kernel and produce a complaint log when the signature check fails.
  – ON: fail the hibernate restore, then finish the boot process, when the signature check fails.
How to enable sig_enforce?

● Use the snapshot_sig_enforce kernel parameter.
● Set the kernel config EFI_SECURE_BOOT_SNAPSHOT_SIG_ENFORCE, then enable UEFI Secure Boot.
EFI variable name and GUID

● GUID: fe141863-c070-478e-b8a3-878a5dc9ef21
● S4SignKey [BT][NV] → private key
  – PKCS#8 _uncompressed_ private key format
● S4WakeKey [RT][V] → public key
  – X.509 format
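As an added example (not the project's code and not taken from the patches linked on these slides), the following Go program models the flow of the "Steps (when hibernate)", "Steps (when hibernate restore)" and "EFI variable name and GUID" slides with Go's standard library: shim generates the key pair and encodes it as PKCS#8 and X.509, the kernel signs a digest of the image with PKCS#1 v1.5 and stores it in the 512-byte header slot, and restore verifies it and applies the sig_enforce policy. The function names, the choice of SHA-256, the 2048-bit key and the sample image bytes are assumptions; the real kernel keeps the private key in a separate page and hashes the image page by page, which this in-memory model does not reproduce.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Names/GUID from the slides in efivarfs "Name-GUID" form; S4SignKey is [BT][NV], S4WakeKey [RT] volatile.
const (
	S4KeyGUID     = "fe141863-c070-478e-b8a3-878a5dc9ef21"
	S4SignKeyName = "S4SignKey-" + S4KeyGUID
	S4WakeKeyName = "S4WakeKey-" + S4KeyGUID
	SigMaxSize    = 512 // bytes reserved for the signature in the snapshot header
)

// SnapshotHeader models the header fields on the slides: signature length and slot.
type SnapshotHeader struct {
	SigLen uint32
	Sig    [SigMaxSize]byte
}

// ShimGenerateKeys models the shim step (hypothetical helper): an RSA key pair with
// the private key as PKCS#8 DER and the public key as X.509 SubjectPublicKeyInfo DER.
func ShimGenerateKeys(bits int) (privDER, pubDER []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	if privDER, err = x509.MarshalPKCS8PrivateKey(priv); err != nil {
		return nil, nil, err
	}
	if pubDER, err = x509.MarshalPKIXPublicKey(&priv.PublicKey); err != nil {
		return nil, nil, err
	}
	return privDER, pubDER, nil
}

// SignSnapshot models the hibernate-side step: SHA-256 over the image (hash choice
// assumed) and a PKCS#1 v1.5 signature (RFC 3447 section 8.2) stored in the header.
func SignSnapshot(privDER, image []byte) (SnapshotHeader, error) {
	var hdr SnapshotHeader
	key, err := x509.ParsePKCS8PrivateKey(privDER)
	if err != nil {
		return hdr, err
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return hdr, errors.New("S4SignKey is not an RSA key")
	}
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, digest[:])
	if err != nil || len(sig) > SigMaxSize { // a key above 4096 bits would not fit
		return hdr, errors.New("signing failed or signature exceeds the reserved slot")
	}
	hdr.SigLen = uint32(len(sig))
	copy(hdr.Sig[:], sig)
	return hdr, nil
}

// VerifySnapshot models the restore-side check with the public key from S4WakeKey.
func VerifySnapshot(pubDER, image []byte, hdr SnapshotHeader) error {
	key, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return err
	}
	rsaPub, ok := key.(*rsa.PublicKey)
	if !ok || hdr.SigLen == 0 || hdr.SigLen > SigMaxSize {
		return errors.New("bad S4WakeKey or invalid signature length in header")
	}
	digest := sha256.Sum256(image)
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], hdr.Sig[:hdr.SigLen])
}

// RestoreDecision applies sig_enforce: OFF taints the kernel and logs, ON aborts restore.
func RestoreDecision(verifyErr error, sigEnforce bool) (restore, taint bool, msg string) {
	switch {
	case verifyErr == nil:
		return true, false, "snapshot signature OK"
	case sigEnforce:
		return false, false, "signature check failed, restore aborted: " + verifyErr.Error()
	default:
		return true, true, "signature check failed, kernel tainted: " + verifyErr.Error()
	}
}

func main() {
	privDER, pubDER, _ := ShimGenerateKeys(2048) // 256-byte signature fits the slot; errors ignored in this demo only
	image := []byte("constructed snapshot page contents") // stand-in for the image pages
	hdr, _ := SignSnapshot(privDER, image)
	image[0] ^= 1 // simulate an image altered in swap before restore
	_, _, msg := RestoreDecision(VerifySnapshot(pubDER, image, hdr), false)
	fmt.Println(msg)
}
```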
When should shim generate keys?

● When the system boots and shim does not find a key pair.
● When shim finds the GenS4Key EFI variable set by the kernel:
  – GenS4Key-fe141863-c070-478e-b8a3-878a5dc9ef21 [RT][NV]
  – The kernel or userspace writes the GenS4Key variable to '1' when hibernation is launched.
  – The kernel deletes GenS4Key during system boot.
Implementation parts

● Key-pair generator in shim
  – Author: Gary Lin
  – https://github.com/lcp/shim/tree/s4-key-upstream
● Asymmetric keys in kernel:
  – Implemented a PKCS#8 and PKCS#1 RSA private key parser.
  – Added a signature generation API and implemented the signature generation logic of PKCS#1 (RFC 3447 sec 8.2.2).
● Hibernate in kernel:
  – CONFIG_SNAPSHOT_VERIFICATION=y
  – Maintain and forward the private key.
  – Avoid including the private key in the snapshot image.
  – Sign the snapshot image: generate the signature, then put it into the snapshot header.
Performance of hash (machine 1)

● CPU:
  – Intel(R) Core(TM) i5 CPU 650 @ 3.20GHz
  – x86_64, ssse3
● Normal
  – SHA1: 150.80 MB/s
  – SHA256: 59.19 MB/s
  – SHA512: 78.44 MB/s
● Built with SSSE3 support (v3.10 or later)
  – SHA1: 195.60 MB/s
  – SHA256: 82.76 MB/s
  – SHA512: 120.60 MB/s
Performance of hash (machine 2)

● CPU:
  – Intel(R) CPU @ 2.60GHz
  – x86_64, ssse3, avx, avx2
● Normal
  – SHA1: 436.42 MB/s
  – SHA256: 163.23 MB/s
  – SHA512: 228.67 MB/s
● Built with SSSE3, AVX, AVX2 support (v3.10 or later)
  – SHA1: 609.66 MB/s <=== fastest
  – SHA256: 242.03 MB/s
  – SHA512: 344.87 MB/s <=== more secure
Performance of hash (summary)

● Speed between SHA1, SHA256, SHA512
  – SHA1 is 1.8 times SHA512
  – SHA1 is 2.5 times SHA256
  – SHA512 is 1.4 times SHA256
● Enabled ssse3
  – 29% improvement on SHA1
  – 39% improvement on SHA256
  – 53% improvement on SHA512
● Enabled ssse3, avx, avx2
  – 39% improvement on SHA1
  – 48% improvement on SHA256
  – 50% improvement on SHA512
Performance of hash (summary)

● Machine 1:
  – Best performance: SHA1: 195.60 MB/s on ssse3, avx, avx2
    – A snapshot image grown to 3GB then needs 15.7 seconds to hash.
  – SHA512's best performance: 120.60 MB/s on ssse3, avx, avx2
    – A snapshot image grown to 3GB then needs 25.4 seconds to hash.
● Machine 2:
  – Best performance: SHA1: 609.66 MB/s on ssse3, avx, avx2
    – A snapshot image grown to 3GB then needs 5 seconds to hash.
  – SHA512's best performance: 344.87 MB/s on ssse3, avx, avx2
    – A snapshot image grown to 3GB then needs 8.9 seconds to hash.
Patch status

● V4 RFC patches sent to kernel upstream and the openSUSE kernel for review:
  – [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot
  – https://lkml.org/lkml/2013/9/14/183
● The following kernel experts gave suggestions:
  – Hibernate: Pavel Machek <pavel@ucw.cz>
  – EFI: Matt Fleming <matt@console-pimps.org>
  – Asymmetric keys: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
● Followed Pavel's and Matt's suggestions; already fixed in the V2 and V3 patches.
TODO

● V5 patches:
  – Implement Dmitry Kasatkin's suggestions for asymmetric keys.
  – Should we remove the kernel config that lets the user select the hash algorithm?
● Functions to add:
  – Kernel passes a random number seed to shim via an EFI variable.
  – Encrypt the snapshot image before signing it?
Corporate Headquarters

Maxfeldstrasse 5
90409 Nuremberg
Germany

+49 911 740 53 0 (Worldwide)
www.suse.com

Join us on:
www.opensuse.org
Unpublished Work of SUSE. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of SUSE.
Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of
their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated,
abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or
exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making
purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document,
and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
The development, release, and timing of features or functionality described for SUSE products remains at the sole
discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at
any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in
this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries.
All third-party trademarks are the property of their respective owners.

Weitere ähnliche Inhalte

Was ist angesagt?

iscsid remains stopped in redhat EL 6
iscsid remains stopped in redhat EL 6iscsid remains stopped in redhat EL 6
iscsid remains stopped in redhat EL 6Ashwin Pawar
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keysSUSE Labs Taipei
 
My sql 5.6 master slave and master-master replication.step by step configurat...
My sql 5.6 master slave and master-master replication.step by step configurat...My sql 5.6 master slave and master-master replication.step by step configurat...
My sql 5.6 master slave and master-master replication.step by step configurat...Pawan Kumar
 
Introduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsonIntroduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsoniXsystems
 
Install and Configure Ubuntu for Hadoop Installation for beginners
Install and Configure Ubuntu for Hadoop Installation for beginners Install and Configure Ubuntu for Hadoop Installation for beginners
Install and Configure Ubuntu for Hadoop Installation for beginners Shilpa Hemaraj
 
J Ruby On Rails Presentation
J Ruby On Rails PresentationJ Ruby On Rails Presentation
J Ruby On Rails Presentationrailsconf
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2Trinh Tuan
 
CentOS Virt SIG - Community virtualization packages on an immutable core
CentOS Virt SIG - Community virtualization packages on an immutable coreCentOS Virt SIG - Community virtualization packages on an immutable core
CentOS Virt SIG - Community virtualization packages on an immutable coreThe Linux Foundation
 
Anthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationAnthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationTony McKeown
 
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...The Linux Foundation
 
Hadoop single cluster installation
Hadoop single cluster installationHadoop single cluster installation
Hadoop single cluster installationMinh Tran
 
IPS: Image Packaging System
IPS: Image Packaging SystemIPS: Image Packaging System
IPS: Image Packaging SystemEric Sproul
 

Was ist angesagt? (20)

iscsid remains stopped in redhat EL 6
iscsid remains stopped in redhat EL 6iscsid remains stopped in redhat EL 6
iscsid remains stopped in redhat EL 6
 
Instalar MySQL CentOS
Instalar MySQL CentOSInstalar MySQL CentOS
Instalar MySQL CentOS
 
DNF Failed To Open Cache
DNF Failed To Open CacheDNF Failed To Open Cache
DNF Failed To Open Cache
 
Centos
CentosCentos
Centos
 
Habilitar repositorio EPEL RHEL
Habilitar repositorio EPEL RHELHabilitar repositorio EPEL RHEL
Habilitar repositorio EPEL RHEL
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keys
 
My sql 5.6 master slave and master-master replication.step by step configurat...
My sql 5.6 master slave and master-master replication.step by step configurat...My sql 5.6 master slave and master-master replication.step by step configurat...
My sql 5.6 master slave and master-master replication.step by step configurat...
 
Rhel6 vs rhel7
Rhel6 vs rhel7Rhel6 vs rhel7
Rhel6 vs rhel7
 
Introduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsonIntroduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John Hixson
 
Sweden11
Sweden11Sweden11
Sweden11
 
Install and Configure Ubuntu for Hadoop Installation for beginners
Install and Configure Ubuntu for Hadoop Installation for beginners Install and Configure Ubuntu for Hadoop Installation for beginners
Install and Configure Ubuntu for Hadoop Installation for beginners
 
Fosscon2013
Fosscon2013Fosscon2013
Fosscon2013
 
J Ruby On Rails Presentation
J Ruby On Rails PresentationJ Ruby On Rails Presentation
J Ruby On Rails Presentation
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2
 
CentOS Virt SIG - Community virtualization packages on an immutable core
CentOS Virt SIG - Community virtualization packages on an immutable coreCentOS Virt SIG - Community virtualization packages on an immutable core
CentOS Virt SIG - Community virtualization packages on an immutable core
 
Anthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationAnthony McKeown Drupal Presentation
Anthony McKeown Drupal Presentation
 
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
 
Hadoop single cluster installation
Hadoop single cluster installationHadoop single cluster installation
Hadoop single cluster installation
 
IPS: Image Packaging System
IPS: Image Packaging SystemIPS: Image Packaging System
IPS: Image Packaging System
 
Its3 Drupal
Its3 DrupalIts3 Drupal
Its3 Drupal
 

Ähnlich wie S4 sig-check-lpc-20130918

Signature verification of hibernate snapshot
Signature verification of hibernate snapshotSignature verification of hibernate snapshot
Signature verification of hibernate snapshotjoeylikernel
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionAnne Nicolas
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...The Linux Foundation
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to itSUSE Labs Taipei
 
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606Eunice Lin
 
GPU Virtualization in SUSE
GPU Virtualization in SUSEGPU Virtualization in SUSE
GPU Virtualization in SUSELiang Yan
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Mohamad Hassan
 
Safe peak installation guide version 2.1
Safe peak installation guide version 2.1Safe peak installation guide version 2.1
Safe peak installation guide version 2.1Vladi Vexler
 
SCVM_Deployment_VMware_OVA.pdf
SCVM_Deployment_VMware_OVA.pdfSCVM_Deployment_VMware_OVA.pdf
SCVM_Deployment_VMware_OVA.pdfFinnJohn2
 
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceQuick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceCloudian
 
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...Anne Nicolas
 
How to-boot-linuxl-on-your-soc-boards
How to-boot-linuxl-on-your-soc-boardsHow to-boot-linuxl-on-your-soc-boards
How to-boot-linuxl-on-your-soc-boardsLiang Yan
 
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLESQuick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLESJan Kalcic
 
A-Journney-to-support-vgpu-in-firecracker.pdf
A-Journney-to-support-vgpu-in-firecracker.pdfA-Journney-to-support-vgpu-in-firecracker.pdf
A-Journney-to-support-vgpu-in-firecracker.pdfLiang Yan
 
UEFI Spec Version 2.4 Facilitates Secure Update
UEFI Spec Version 2.4 Facilitates Secure UpdateUEFI Spec Version 2.4 Facilitates Secure Update
UEFI Spec Version 2.4 Facilitates Secure Updateinsydesoftware
 
SCVM_Deployment_VMware_ISO.pdf
SCVM_Deployment_VMware_ISO.pdfSCVM_Deployment_VMware_ISO.pdf
SCVM_Deployment_VMware_ISO.pdfFinnJohn2
 

Ähnlich wie S4 sig-check-lpc-20130918 (20)

Signature verification of hibernate snapshot
Signature verification of hibernate snapshotSignature verification of hibernate snapshot
Signature verification of hibernate snapshot
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
 
EFI Secure Key
EFI Secure KeyEFI Secure Key
EFI Secure Key
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to it
 
Sw update elce2017
Sw update elce2017Sw update elce2017
Sw update elce2017
 
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
 
GPU Virtualization in SUSE
GPU Virtualization in SUSEGPU Virtualization in SUSE
GPU Virtualization in SUSE
 
Field installation guide-v3_1
Field installation guide-v3_1Field installation guide-v3_1
Field installation guide-v3_1
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
 
Safe peak installation guide version 2.1
Safe peak installation guide version 2.1Safe peak installation guide version 2.1
Safe peak installation guide version 2.1
 
SCVM_Deployment_VMware_OVA.pdf
SCVM_Deployment_VMware_OVA.pdfSCVM_Deployment_VMware_OVA.pdf
SCVM_Deployment_VMware_OVA.pdf
 
Shareplex Presentation
Shareplex PresentationShareplex Presentation
Shareplex Presentation
 
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceQuick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
 
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
 
How to-boot-linuxl-on-your-soc-boards
How to-boot-linuxl-on-your-soc-boardsHow to-boot-linuxl-on-your-soc-boards
How to-boot-linuxl-on-your-soc-boards
 
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLESQuick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLES
 
A-Journney-to-support-vgpu-in-firecracker.pdf
A-Journney-to-support-vgpu-in-firecracker.pdfA-Journney-to-support-vgpu-in-firecracker.pdf
A-Journney-to-support-vgpu-in-firecracker.pdf
 
UEFI Spec Version 2.4 Facilitates Secure Update
UEFI Spec Version 2.4 Facilitates Secure UpdateUEFI Spec Version 2.4 Facilitates Secure Update
UEFI Spec Version 2.4 Facilitates Secure Update
 
SCVM_Deployment_VMware_ISO.pdf
SCVM_Deployment_VMware_ISO.pdfSCVM_Deployment_VMware_ISO.pdf
SCVM_Deployment_VMware_ISO.pdf
 

Mehr von SUSE Labs Taipei

Locked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernelLocked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernelSUSE Labs Taipei
 
Multi-signed Kernel Module
Multi-signed Kernel ModuleMulti-signed Kernel Module
Multi-signed Kernel ModuleSUSE Labs Taipei
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelSUSE Labs Taipei
 
Profiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingProfiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingSUSE Labs Taipei
 
Kernel debug log and console on openSUSE
Kernel debug log and console on openSUSEKernel debug log and console on openSUSE
Kernel debug log and console on openSUSESUSE Labs Taipei
 
The bright future of SUSE and openSUSE
The bright future of SUSE and openSUSEThe bright future of SUSE and openSUSE
The bright future of SUSE and openSUSESUSE Labs Taipei
 
Convert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build ServiceConvert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build ServiceSUSE Labs Taipei
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceSUSE Labs Taipei
 

Mehr von SUSE Labs Taipei (14)

Locked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernelLocked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernel
 
Multi-signed Kernel Module
Multi-signed Kernel ModuleMulti-signed Kernel Module
Multi-signed Kernel Module
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux Kernel
 
Profiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingProfiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event Handing
 
Kernel debug log and console on openSUSE
Kernel debug log and console on openSUSEKernel debug log and console on openSUSE
Kernel debug log and console on openSUSE
 
The bright future of SUSE and openSUSE
The bright future of SUSE and openSUSEThe bright future of SUSE and openSUSE
The bright future of SUSE and openSUSE
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
Convert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build ServiceConvert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build Service
 
Ixgbe internals
Ixgbe internalsIxgbe internals
Ixgbe internals
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic Control
 
Hands-on ethernet driver
Hands-on ethernet driverHands-on ethernet driver
Hands-on ethernet driver
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
 
openSUSE12.2 Review
openSUSE12.2 ReviewopenSUSE12.2 Review
openSUSE12.2 Review
 
oS KDE Repos & MM
oS KDE Repos & MMoS KDE Repos & MM
oS KDE Repos & MM
 

Kürzlich hochgeladen

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Kürzlich hochgeladen (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Beginners Guide to Building a RAG App Using Open Source Milvus

S4 sig-check-lpc-20130918

  • 1. Signature verification of hibernate snapshot. September, 2013, LPC 2013, New Orleans. Joey Lee
  • 2. Problem
    ● On a multi-boot machine, an attacker can use any hole in another UEFI-trusted OS to modify the hibernate snapshot image in the swap partition.
    ● Through uswsusp, userspace can take the snapshot of memory, modify it, upload it back to memory and then trigger the restore.
    © SUSE, All rights reserved.
  • 3. Idea
    ● Jiri Kosina: let the EFI bootloader generate a key pair, then pass it to the kernel for signing the hibernate image.
    ● Fundamental point: trust that the boot-time variable is secure when UEFI secure boot is enabled.
    ● Attempt to protect snapshot image integrity.
  • 4. Steps (when hibernating)
    ● The shim bootloader generates a key pair and puts the keys into non-volatile boot-time variables.
    ● The EFI stub kernel loads the private key before ExitBootServices().
    ● The hibernate subsystem copies the private key to an empty page to keep it for signing the snapshot when hibernate is launched.
    ● The kernel generates a signature of the snapshot image, then puts the signature in the snapshot header. The currently reserved maximum signature size is 512 bytes.
  • 5. Steps (when restoring from hibernate)
    ● After hibernate has loaded the snapshot image from swap into temporary memory space, the kernel uses the public key from the runtime volatile variable to verify the signature stored in the snapshot header.
    ● Then, depending on sig_enforce:
      – OFF: taint the kernel and produce a complaint in the log when the signature check fails.
      – ON: fail the hibernate restore, then finish the boot process, when the signature check fails.
  • 6. How to enable sig_enforce?
    ● Use the snapshot_sig_enforce kernel parameter.
    ● Set the kernel config, then enable UEFI secure boot: EFI_SECURE_BOOT_SNAPSHOT_SIG_ENFORCE
  • 7. EFI variable name and GUID
    ● GUID: fe141863-c070-478e-b8a3-878a5dc9ef21
    ● S4SignKey [BT][NV] → private key
      – PKCS#8 _uncompressed_ private key format
    ● S4WakeKey [RT][V] → public key
      – X.509 format
  • 8. When should shim generate keys?
    ● When the system boots and shim does not find a key pair.
    ● When shim finds the GenS4Key EFI variable from the kernel:
      – GenS4Key-fe141863-c070-478e-b8a3-878a5dc9ef21 [RT][NV]
      – Kernel or userspace writes the GenS4Key variable to '1' when hibernate is launched.
      – The kernel will delete GenS4Key during system boot.
  • 9. Implementation Parts
    ● Key-pair generator in shim
      – Author: Gary Lin
      – https://github.com/lcp/shim/tree/s4-key-upstream
    ● Asymmetric Keys in Kernel:
      – Implemented PKCS#8 and PKCS#1 RSA private key parser
      – Add signature generation API and implement signature generation logic in PKCS#1 (RFC3447 sec 8.2.2)
    ● Hibernate in Kernel:
      – CONFIG_SNAPSHOT_VERIFICATION=y
      – Maintain and forward the private key.
      – Avoid the private key being included in the snapshot image.
      – Sign the snapshot image: generate the signature, then put it in the snapshot header.
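The sign-at-hibernate and verify-at-restore flow of slides 4, 5, 6 and 9, modelled in user-space Go as an added example; this is not code from the slides, the shim branch or the kernel patches. GenKeys, SignSnapshot, VerifySnapshot, Verdict and digest are hypothetical names, and SHA-256 is an assumed hash choice (the slides compare SHA1, SHA256 and SHA512 without fixing one); the key formats (PKCS#8 private, X.509 SPKI public), the PKCS#1 v1.5 signature and the 512-byte header field follow the slides.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

const SigMax = 512 // bytes reserved for the signature in the snapshot header
func digest(image []byte) []byte { h := sha256.Sum256(image); return h[:] } // SHA-256 of the image is what gets signed (assumed hash)
// GenKeys stands in for shim: private key as PKCS#8 DER (S4SignKey), public key as X.509 SPKI DER (S4WakeKey).
func GenKeys(bits int) (priv, pub []byte, err error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err == nil { // marshalling cannot fail for a freshly generated RSA key
		priv, _ = x509.MarshalPKCS8PrivateKey(k)
		pub, _ = x509.MarshalPKIXPublicKey(&k.PublicKey)
	}
	return priv, pub, err
}
// SignSnapshot produces the RSASSA-PKCS1-v1_5 signature (RFC 3447 sec 8.2.2) stored in the header.
func SignSnapshot(image, privPKCS8 []byte) ([]byte, error) {
	k, err := x509.ParsePKCS8PrivateKey(privPKCS8)
	rk, ok := k.(*rsa.PrivateKey) // ok is false, without a panic, when k is nil after a parse error
	if err != nil || !ok {
		return nil, errors.New("S4SignKey is not a usable RSA PKCS#8 key")
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, rk, crypto.SHA256, digest(image))
	if err == nil && len(sig) > SigMax { // an RSA modulus above 4096 bits would overflow the field
		return nil, errors.New("signature does not fit the 512-byte header field")
	}
	return sig, err
}

// Verdict is the restore path's decision; Taint means "restore, but taint the kernel and log".
type Verdict struct{ Restore, Taint bool }
// VerifySnapshot checks the header signature with S4WakeKey and applies the sig_enforce policy.
func VerifySnapshot(image, sig, pubSPKI []byte, enforce bool) Verdict {
	k, err := x509.ParsePKIXPublicKey(pubSPKI)
	pk, ok := k.(*rsa.PublicKey)
	if err == nil && ok && rsa.VerifyPKCS1v15(pk, crypto.SHA256, digest(image), sig) == nil {
		return Verdict{Restore: true} // good signature: restore normally
	}
	if enforce {
		return Verdict{} // sig_enforce ON: fail the restore and finish a normal boot instead
	}
	return Verdict{Restore: true, Taint: true} // OFF: restore anyway, taint the kernel and complain
}
```

A tampered image (the uswsusp scenario of slide 2) fails VerifyPKCS1v15, so the two sig_enforce branches are exercised by flipping one byte of the image after signing.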
  • 10. Performance of hash (machine 1)
    ● CPU: Intel(R) Core(TM) i5 CPU 650 @ 3.20GHz, x86_64, ssse3
    ● Normal
      – SHA1: 150.80 MB/s
      – SHA256: 59.19 MB/s
      – SHA512: 78.44 MB/s
    ● Built with ssse3 support (v3.10 or later)
      – SHA1: 195.60 MB/s
      – SHA256: 82.76 MB/s
      – SHA512: 120.60 MB/s
  • 11. Performance of hash (machine 2)
    ● CPU: Intel(R) CPU @ 2.60GHz, x86_64, ssse3, avx, avx2
    ● Normal
      – SHA1: 436.42 MB/s
      – SHA256: 163.23 MB/s
      – SHA512: 228.67 MB/s
    ● Built with ssse3, avx, avx2 support (v3.10 or later)
      – SHA1: 609.66 MB/s <=== fastest
      – SHA256: 242.03 MB/s
      – SHA512: 344.87 MB/s <=== more secure
  • 12. Performance of hash (summary)
    ● Speed between SHA1, SHA256, SHA512
      – SHA1 is 2.5 times SHA256
      – SHA1 is 1.8 times SHA512
      – SHA512 is 1.4 times SHA256
    ● Enabled ssse3
      – 29% improvement on SHA1
      – 39% improvement on SHA256
      – 53% improvement on SHA512
    ● Enabled ssse3, avx, avx2
      – 39% improvement on SHA1
      – 48% improvement on SHA256
      – 50% improvement on SHA512
  • 13. Performance of hash (summary)
    ● Machine 1:
      – Best performance: SHA1: 195.60 MB/s on ssse3, avx, avx2; with the snapshot image grown to 3GB, hashing needs 15.7 seconds
      – SHA512's best performance: 120.60 MB/s on ssse3, avx, avx2; with the snapshot image grown to 3GB, hashing needs 25.4 seconds
    ● Machine 2:
      – Best performance: SHA1: 609.66 MB/s on ssse3, avx, avx2; with the snapshot image grown to 3GB, hashing needs 5 seconds
      – SHA512's best performance: 344.87 MB/s on ssse3, avx, avx2; with the snapshot image grown to 3GB, hashing needs 8.9 seconds
  • 14. Patch status
    ● V4 RFC patches sent to kernel upstream and the openSUSE kernel for review:
      – [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot
      – https://lkml.org/lkml/2013/9/14/183
    ● The following kernel experts gave suggestions:
      – Hibernate: Pavel Machek <pavel@ucw.cz>
      – EFI: Matt Fleming <matt@console-pimps.org>
      – Asymmetric keys: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
    ● Pavel's and Matt's suggestions were followed and already fixed in the V2 and V3 patches.
  • 15. TODO
    ● V5 patches:
      – Implement Dmitry Kasatkin's suggestions for Asymmetric keys.
      – Should we remove the kernel config that lets the user select hash algorithms?
    ● Functions to add:
      – Kernel passes a random number seed to shim by EFI variable.
      – Encrypt the snapshot image before signing it?
  • 16. Corporate Headquarters: Maxfeldstrasse 5, 90409 Nuremberg, Germany. +49 911 740 53 0 (Worldwide). www.suse.com. Join us on: www.opensuse.org
  • 17. Unpublished Work of SUSE. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of SUSE. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
