https://github.com/joeyli/linux-s4sign/wiki
This is the home page for the development of hibernation encryption and authentication in the Linux kernel.
TODO:
- Hibernation snapshot encryption:
  - Use AES to encrypt data pages in the snapshot image. [WIP]
- Adapt to the key retention service: use the KMK (Kernel Master Key) in the keyring to create an encrypted key for encryption and authentication.
  - Kernel: use the KMK and the encrypted key in the kernel, and put the encrypted key in the snapshot header. [WIP]
  - Support different KMK types:
    - Trusted Key and User Key: modify systemd and dracut to enroll the KMK in the kernel before S4 resume.
    - EFI KMK: use an EFI boot variable to keep/reload the 64-byte KMK.
      - Rescue mechanism: the EFI KMK may be lost during a firmware update or firmware recovery.
Currently, the challenges come from the EFI key and systemd/dracut. Both are important as sources of the secret key for hibernation encryption/authentication.