Signature verification of hibernate snapshot
September, 2013, LPC 2013, New Orleans

Joey Lee
Problem
● On a multi-boot machine, an attacker can use any hole in another UEFI-trusted OS to modify the hibernate snapshot image in the swap partition.
● Through uswsusp, userspace can take the snapshot of memory, modify it, upload it back to memory, then trigger the restore.

© SUSE, All rights reserved.
Idea
● Jiri Kosina: let the EFI bootloader generate a key pair and pass it to the kernel for signing the hibernate image.
● Fundamental point: trust that boot-time variables are secure when UEFI Secure Boot is enabled.
● Attempt to protect snapshot image integrity.
Steps (when hibernate)
● The shim bootloader generates a key pair and puts the keys into non-volatile boot-time variables.
● The EFI stub kernel loads the private key before ExitBootServices().
● The hibernate subsystem copies the private key to an empty page and keeps it there for signing the snapshot when hibernate is launched.
● The kernel generates the signature of the snapshot image and puts the signature in the snapshot header. The currently reserved maximum signature size is 512 bytes.
Steps (when hibernate restore)
● After hibernate has loaded the snapshot image from swap into temporary memory, the kernel uses the public key from the runtime volatile variable to verify the signature stored in the snapshot header.
● Then, depending on sig_enforce:
– OFF: taint the kernel and produce a complaint in the log when the signature check fails.
– ON: fail the hibernate restore, then finish the normal boot process when the signature check fails.
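The hibernate and restore steps above, together with the PKCS#1 signing listed under the implementation parts, as an added worked example that is not code from the patch series: hash-then-sign with RSASSA-PKCS1-v1_5 (RFC 3447 sec 8.2.1 and 8.2.2, SHA-256), a snapshot header with the 512-byte reserved signature field, and the two sig_enforce outcomes on restore. The header layout, magic value, key size and sample image are constructed for the demo, and the seeded key generator only stands in for the pair shim creates at boot.

```python
"""Hash-then-sign of a hibernate snapshot, following the design in the talk.

Added example: pure-Python RSASSA-PKCS1-v1_5 with SHA-256 (RFC 3447 sec 8.2.1 / 8.2.2),
a snapshot header with the 512-byte reserved signature field, and the sig_enforce policy
on restore. Header layout, magic, key size and sample image are constructed for the demo.
"""
import hashlib
import hmac
import random
import struct

SIG_MAX = 512  # reserved signature space in the snapshot header (from the talk)
# DER DigestInfo prefix for SHA-256 (RFC 3447 sec 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
HDR = struct.Struct("<8sII")  # constructed layout: magic, image length, signature length
MAGIC = b"S4DEMO\x00\x00"


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for a demo key, not for production key generation."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits=1024, seed=None):
    """Return ((n, e), (n, d)); the seed only makes the demo reproducible."""
    rng = random.Random(seed)
    e = 65537

    def prime(b):
        while True:
            cand = rng.getrandbits(b) | (1 << (b - 1)) | 1  # full length and odd
            if _is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 (RFC 3447 sec 9.2): 00 01 FF..FF 00 DigestInfo SHA-256(msg)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for the encoded digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(priv, msg):
    """RSASSA-PKCS1-v1_5-SIGN (RFC 3447 sec 8.2.1)."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")


def rsa_verify(pub, msg, sig):
    """RSASSA-PKCS1-v1_5-VERIFY (RFC 3447 sec 8.2.2): recover EM, compare to a fresh encoding."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))


def write_snapshot(priv, image):
    """Hibernate side: sign the image and store the signature in the reserved header field."""
    sig = rsa_sign(priv, image)
    if len(sig) > SIG_MAX:
        raise ValueError("signature does not fit the reserved header space")
    return HDR.pack(MAGIC, len(image), len(sig)) + sig.ljust(SIG_MAX, b"\x00") + image


def restore_snapshot(pub, blob, sig_enforce):
    """Restore side, returns (image or None, tainted). Good signature: (image, False).
    Bad signature, sig_enforce ON: (None, False), refuse the restore and boot normally.
    Bad signature, sig_enforce OFF: (image, True), restore but taint the kernel and log."""
    magic, img_len, sig_len = HDR.unpack_from(blob)
    sig = blob[HDR.size:HDR.size + sig_len]
    image = blob[HDR.size + SIG_MAX:HDR.size + SIG_MAX + img_len]
    ok = (magic == MAGIC and sig_len <= SIG_MAX and len(image) == img_len
          and rsa_verify(pub, image, sig))
    if ok:
        return image, False
    return (None, False) if sig_enforce else (image, True)
```

Flipping a single bit of the image after `write_snapshot` makes `restore_snapshot` return `(None, False)` with sig_enforce on and the modified image with `tainted=True` with it off.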
How to enable sig_enforce?
● Use the snapshot_sig_enforce kernel parameter.
● Set the kernel config option EFI_SECURE_BOOT_SNAPSHOT_SIG_ENFORCE, then enable UEFI Secure Boot.
EFI variable name and GUID
● GUID: fe141863-c070-478e-b8a3-878a5dc9ef21
● S4SignKey [BT][NV] → private key
– PKCS#8 _uncompressed_ private key format
● S4WakeKey [RT][V] → public key
– X.509 format
When should shim generate keys?
● When the system boots and shim does not find a key pair.
● When shim finds the GenS4Key EFI variable written by the kernel:
– GenS4Key-fe141863-c070-478e-b8a3-878a5dc9ef21 [RT][NV]
– The kernel or userspace writes the GenS4Key variable to '1' when hibernate is launched.
– The kernel deletes GenS4Key at system boot.
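A check that follows from the two variable slides above, added here and not taken from the shim or kernel patches: Linux exposes each runtime-accessible variable through efivarfs as a file named Name-GUID whose first four bytes are the little-endian attribute word (NV = 0x1, BT = 0x2, RT = 0x4). The audit below applies the talk's [BT][NV] / [RT][V] / [RT][NV] markings, and in particular flags the private key as a problem whenever the running OS can see it at all. The efivarfs records are constructed placeholders, not real key material.

```python
"""Audit the S4 key EFI variables as efivarfs presents them to the running OS.

Added example, not code from the shim or kernel patches. efivarfs names a variable
Name-GUID and prefixes its data with a little-endian 32-bit attribute word; the expected
markings come from the talk. Records below are constructed placeholders, not real keys.
"""

EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4

S4_GUID = "fe141863-c070-478e-b8a3-878a5dc9ef21"

# (bits that must be set, bits that must be clear) for the variables the OS may see.
RULES = {
    # S4WakeKey [RT][V]: public key, readable at runtime, must not survive a reboot.
    "S4WakeKey": (EFI_VARIABLE_RUNTIME_ACCESS, EFI_VARIABLE_NON_VOLATILE),
    # GenS4Key [RT][NV]: regeneration request that must persist until shim reads it.
    "GenS4Key": (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE, 0),
}


def parse_efivar(blob):
    """Split an efivarfs file image into (attribute word, variable data)."""
    if len(blob) < 4:
        raise ValueError("efivarfs record shorter than the 4-byte attribute word")
    return int.from_bytes(blob[:4], "little"), blob[4:]


def check_variable(name, blob):
    """Return the policy problems for one S4 variable; an empty list means it matches the design."""
    attrs, data = parse_efivar(blob)
    problems = []
    if name == "S4SignKey":
        # [BT][NV]: boot-services only. Anything the OS can see here is a leaked private key.
        problems.append(f"S4SignKey visible at runtime (attributes 0x{attrs:x})")
        return problems
    need, forbid = RULES[name]
    if (attrs & need) != need or (attrs & forbid):
        problems.append(f"{name}: attributes 0x{attrs:x} (need 0x{need:x}, forbid 0x{forbid:x})")
    if name == "S4WakeKey" and not data:
        problems.append("S4WakeKey: no public key material")
    return problems


def audit(records):
    """Audit a {filename: contents} view of efivarfs, ignoring variables outside the S4 GUID."""
    problems = []
    for fname, blob in records.items():
        name, _, guid = fname.partition("-")
        if guid == S4_GUID and (name == "S4SignKey" or name in RULES):
            problems.extend(check_variable(name, blob))
    return problems


# Constructed records shaped like a correct deployment (key bytes are placeholders).
GOOD_EFIVARS = {
    f"S4WakeKey-{S4_GUID}": (0x4).to_bytes(4, "little") + b"<placeholder X.509 DER>",
    f"GenS4Key-{S4_GUID}": (0x5).to_bytes(4, "little") + b"1",
    # Unrelated variable under the EFI global variable GUID; the audit must ignore it.
    "BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c": (0x7).to_bytes(4, "little") + b"\x00\x00",
}
# Same deployment, but the private key was created with runtime access by mistake.
BAD_EFIVARS = {
    **GOOD_EFIVARS,
    f"S4SignKey-{S4_GUID}": (0x7).to_bytes(4, "little") + b"<placeholder PKCS#8 DER>",
}
```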
Implementation Parts
● Key-pair generator in shim:
– Author: Gary Lin
– https://github.com/lcp/shim/tree/s4-key-upstream
● Asymmetric keys in the kernel:
– Implemented a PKCS#8 and PKCS#1 RSA private key parser.
– Added a signature generation API and implemented the signature generation logic of PKCS#1 (RFC 3447 sec 8.2.2).
● Hibernate in the kernel:
– CONFIG_SNAPSHOT_VERIFICATION=y
– Maintain and forward the private key.
– Avoid including the private key in the snapshot image.
– Sign the snapshot image: generate the signature, then put it in the snapshot header.
Performance of hash (machine 1)
● CPU: Intel(R) Core(TM) i5 CPU 650 @ 3.20GHz, x86_64, ssse3
● Normal:
– SHA1: 150.80 MB/s
– SHA256: 59.19 MB/s
– SHA512: 78.44 MB/s
● Built with ssse3 support (v3.10 or later):
– SHA1: 195.60 MB/s
– SHA256: 82.76 MB/s
– SHA512: 120.60 MB/s
Performance of hash (machine 2)
● CPU: Intel(R) CPU @ 2.60GHz, x86_64, ssse3, avx, avx2
● Normal:
– SHA1: 436.42 MB/s
– SHA256: 163.23 MB/s
– SHA512: 228.67 MB/s
● Built with ssse3, avx, avx2 support (v3.10 or later):
– SHA1: 609.66 MB/s <=== fastest
– SHA256: 242.03 MB/s
– SHA512: 344.87 MB/s <=== more secure
Performance of hash (summary)
● Relative speed of SHA1, SHA256 and SHA512:
– SHA1 is 2.5 times SHA256
– SHA1 is 1.8 times SHA512
– SHA512 is 1.4 times SHA256
● Enabled ssse3:
– 29% improvement on SHA1
– 39% improvement on SHA256
– 53% improvement on SHA512
● Enabled ssse3, avx, avx2:
– 39% improvement on SHA1
– 48% improvement on SHA256
– 50% improvement on SHA512
Performance of hash (summary)
● Machine 1:
– Best performance: SHA1, 195.60 MB/s on ssse3, avx, avx2
  A snapshot image grown to 3GB then needs 15.7 seconds to hash.
– SHA512's best performance: 120.60 MB/s on ssse3, avx, avx2
  A snapshot image grown to 3GB then needs 25.4 seconds to hash.
● Machine 2:
– Best performance: SHA1, 609.66 MB/s on ssse3, avx, avx2
  A snapshot image grown to 3GB then needs 5 seconds to hash.
– SHA512's best performance: 344.87 MB/s on ssse3, avx, avx2
  A snapshot image grown to 3GB then needs 8.9 seconds to hash.
Patch status
● V4 RFC patches sent to kernel upstream and to the openSUSE kernel for review:
– [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot
– https://lkml.org/lkml/2013/9/14/183
● The following kernel experts gave suggestions:
– Pavel Machek <pavel@ucw.cz>: Hibernate
– Matt Fleming <matt@console-pimps.org>: EFI
– Dmitry Kasatkin <dmitry.kasatkin@gmail.com>: Asymmetric keys
● Pavel's and Matt's suggestions were followed and already fixed in the V2 and V3 patches.
TODO
● V5 patches:
– Implement Dmitry Kasatkin's suggestions for asymmetric keys.
– Should we remove the kernel config that lets the user select the hash algorithm?
● Functions to add:
– The kernel passes a random number seed to shim through an EFI variable.
– Encrypt the snapshot image before signing it?
More Related Content

What's hot

iscsid remains stopped in redhat EL 6
iscsid remains stopped in redhat EL 6iscsid remains stopped in redhat EL 6
iscsid remains stopped in redhat EL 6Ashwin Pawar
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keysSUSE Labs Taipei
 
My sql 5.6 master slave and master-master replication.step by step configurat...
My sql 5.6 master slave and master-master replication.step by step configurat...My sql 5.6 master slave and master-master replication.step by step configurat...
My sql 5.6 master slave and master-master replication.step by step configurat...Pawan Kumar
 
Introduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsonIntroduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsoniXsystems
 
Install and Configure Ubuntu for Hadoop Installation for beginners
Install and Configure Ubuntu for Hadoop Installation for beginners Install and Configure Ubuntu for Hadoop Installation for beginners
Install and Configure Ubuntu for Hadoop Installation for beginners Shilpa Hemaraj
 
J Ruby On Rails Presentation
J Ruby On Rails PresentationJ Ruby On Rails Presentation
J Ruby On Rails Presentationrailsconf
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2Trinh Tuan
 
CentOS Virt SIG - Community virtualization packages on an immutable core
CentOS Virt SIG - Community virtualization packages on an immutable coreCentOS Virt SIG - Community virtualization packages on an immutable core
CentOS Virt SIG - Community virtualization packages on an immutable coreThe Linux Foundation
 
Anthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationAnthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationTony McKeown
 
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...The Linux Foundation
 
Hadoop single cluster installation
Hadoop single cluster installationHadoop single cluster installation
Hadoop single cluster installationMinh Tran
 
IPS: Image Packaging System
IPS: Image Packaging SystemIPS: Image Packaging System
IPS: Image Packaging SystemEric Sproul
 

What's hot (20)

iscsid remains stopped in redhat EL 6
iscsid remains stopped in redhat EL 6iscsid remains stopped in redhat EL 6
iscsid remains stopped in redhat EL 6
 
Instalar MySQL CentOS
Instalar MySQL CentOSInstalar MySQL CentOS
Instalar MySQL CentOS
 
DNF Failed To Open Cache
DNF Failed To Open CacheDNF Failed To Open Cache
DNF Failed To Open Cache
 
Centos
CentosCentos
Centos
 
Habilitar repositorio EPEL RHEL
Habilitar repositorio EPEL RHELHabilitar repositorio EPEL RHEL
Habilitar repositorio EPEL RHEL
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keys
 
My sql 5.6 master slave and master-master replication.step by step configurat...
My sql 5.6 master slave and master-master replication.step by step configurat...My sql 5.6 master slave and master-master replication.step by step configurat...
My sql 5.6 master slave and master-master replication.step by step configurat...
 
Rhel6 vs rhel7
Rhel6 vs rhel7Rhel6 vs rhel7
Rhel6 vs rhel7
 
Introduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsonIntroduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John Hixson
 
Sweden11
Sweden11Sweden11
Sweden11
 
Install and Configure Ubuntu for Hadoop Installation for beginners
Install and Configure Ubuntu for Hadoop Installation for beginners Install and Configure Ubuntu for Hadoop Installation for beginners
Install and Configure Ubuntu for Hadoop Installation for beginners
 
Fosscon2013
Fosscon2013Fosscon2013
Fosscon2013
 
J Ruby On Rails Presentation
J Ruby On Rails PresentationJ Ruby On Rails Presentation
J Ruby On Rails Presentation
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2
 
CentOS Virt SIG - Community virtualization packages on an immutable core
CentOS Virt SIG - Community virtualization packages on an immutable coreCentOS Virt SIG - Community virtualization packages on an immutable core
CentOS Virt SIG - Community virtualization packages on an immutable core
 
Anthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationAnthony McKeown Drupal Presentation
Anthony McKeown Drupal Presentation
 
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
XPDS13: Xenserver-core: What it is, how it is built and how to get involved -...
 
Hadoop single cluster installation
Hadoop single cluster installationHadoop single cluster installation
Hadoop single cluster installation
 
IPS: Image Packaging System
IPS: Image Packaging SystemIPS: Image Packaging System
IPS: Image Packaging System
 
Its3 Drupal
Its3 DrupalIts3 Drupal
Its3 Drupal
 

Similar to S4 sig-check-lpc-20130918

Signature verification of hibernate snapshot
Signature verification of hibernate snapshotSignature verification of hibernate snapshot
Signature verification of hibernate snapshotjoeylikernel
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionAnne Nicolas
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...The Linux Foundation
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to itSUSE Labs Taipei
 
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606Eunice Lin
 
GPU Virtualization in SUSE
GPU Virtualization in SUSEGPU Virtualization in SUSE
GPU Virtualization in SUSELiang Yan
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Mohamad Hassan
 
Safe peak installation guide version 2.1
Safe peak installation guide version 2.1Safe peak installation guide version 2.1
Safe peak installation guide version 2.1Vladi Vexler
 
SCVM_Deployment_VMware_OVA.pdf
SCVM_Deployment_VMware_OVA.pdfSCVM_Deployment_VMware_OVA.pdf
SCVM_Deployment_VMware_OVA.pdfFinnJohn2
 
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceQuick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceCloudian
 
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...Anne Nicolas
 
How to-boot-linuxl-on-your-soc-boards
How to-boot-linuxl-on-your-soc-boardsHow to-boot-linuxl-on-your-soc-boards
How to-boot-linuxl-on-your-soc-boardsLiang Yan
 
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLESQuick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLESJan Kalcic
 
A-Journney-to-support-vgpu-in-firecracker.pdf
A-Journney-to-support-vgpu-in-firecracker.pdfA-Journney-to-support-vgpu-in-firecracker.pdf
A-Journney-to-support-vgpu-in-firecracker.pdfLiang Yan
 
UEFI Spec Version 2.4 Facilitates Secure Update
UEFI Spec Version 2.4 Facilitates Secure UpdateUEFI Spec Version 2.4 Facilitates Secure Update
UEFI Spec Version 2.4 Facilitates Secure Updateinsydesoftware
 
SCVM_Deployment_VMware_ISO.pdf
SCVM_Deployment_VMware_ISO.pdfSCVM_Deployment_VMware_ISO.pdf
SCVM_Deployment_VMware_ISO.pdfFinnJohn2
 

Similar to S4 sig-check-lpc-20130918 (20)

Signature verification of hibernate snapshot
Signature verification of hibernate snapshotSignature verification of hibernate snapshot
Signature verification of hibernate snapshot
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
 
EFI Secure Key
EFI Secure KeyEFI Secure Key
EFI Secure Key
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to it
 
Sw update elce2017
Sw update elce2017Sw update elce2017
Sw update elce2017
 
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
Ubuntu初體驗:脫離邪惡微軟帝國吧!_150606
 
GPU Virtualization in SUSE
GPU Virtualization in SUSEGPU Virtualization in SUSE
GPU Virtualization in SUSE
 
Field installation guide-v3_1
Field installation guide-v3_1Field installation guide-v3_1
Field installation guide-v3_1
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
 
Safe peak installation guide version 2.1
Safe peak installation guide version 2.1Safe peak installation guide version 2.1
Safe peak installation guide version 2.1
 
SCVM_Deployment_VMware_OVA.pdf
SCVM_Deployment_VMware_OVA.pdfSCVM_Deployment_VMware_OVA.pdf
SCVM_Deployment_VMware_OVA.pdf
 
Shareplex Presentation
Shareplex PresentationShareplex Presentation
Shareplex Presentation
 
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage ServiceQuick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
Quick-Start Guide: Deploying Your Cloudian HyperStore Hybrid Storage Service
 
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
Embedded Recipes 2018 - U-Boot: can I understand it and contribute? - Loïc De...
 
How to-boot-linuxl-on-your-soc-boards
How to-boot-linuxl-on-your-soc-boardsHow to-boot-linuxl-on-your-soc-boards
How to-boot-linuxl-on-your-soc-boards
 
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLESQuick-and-Easy Deployment of a Ceph Storage Cluster with SLES
Quick-and-Easy Deployment of a Ceph Storage Cluster with SLES
 
A-Journney-to-support-vgpu-in-firecracker.pdf
A-Journney-to-support-vgpu-in-firecracker.pdfA-Journney-to-support-vgpu-in-firecracker.pdf
A-Journney-to-support-vgpu-in-firecracker.pdf
 
UEFI Spec Version 2.4 Facilitates Secure Update
UEFI Spec Version 2.4 Facilitates Secure UpdateUEFI Spec Version 2.4 Facilitates Secure Update
UEFI Spec Version 2.4 Facilitates Secure Update
 
SCVM_Deployment_VMware_ISO.pdf
SCVM_Deployment_VMware_ISO.pdfSCVM_Deployment_VMware_ISO.pdf
SCVM_Deployment_VMware_ISO.pdf
 

More from SUSE Labs Taipei

Locked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernelLocked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernelSUSE Labs Taipei
 
Multi-signed Kernel Module
Multi-signed Kernel ModuleMulti-signed Kernel Module
Multi-signed Kernel ModuleSUSE Labs Taipei
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelSUSE Labs Taipei
 
Profiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingProfiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingSUSE Labs Taipei
 
Kernel debug log and console on openSUSE
Kernel debug log and console on openSUSEKernel debug log and console on openSUSE
Kernel debug log and console on openSUSESUSE Labs Taipei
 
The bright future of SUSE and openSUSE
The bright future of SUSE and openSUSEThe bright future of SUSE and openSUSE
The bright future of SUSE and openSUSESUSE Labs Taipei
 
Convert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build ServiceConvert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build ServiceSUSE Labs Taipei
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic ControlSUSE Labs Taipei
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceSUSE Labs Taipei
 

More from SUSE Labs Taipei (14)

Locked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernelLocked down openSUSE Tumbleweed kernel
Locked down openSUSE Tumbleweed kernel
 
Multi-signed Kernel Module
Multi-signed Kernel ModuleMulti-signed Kernel Module
Multi-signed Kernel Module
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux Kernel
 
Profiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingProfiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event Handing
 
Kernel debug log and console on openSUSE
Kernel debug log and console on openSUSEKernel debug log and console on openSUSE
Kernel debug log and console on openSUSE
 
The bright future of SUSE and openSUSE
The bright future of SUSE and openSUSEThe bright future of SUSE and openSUSE
The bright future of SUSE and openSUSE
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
Convert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build ServiceConvert your package to multibuild on Open Build Service
Convert your package to multibuild on Open Build Service
 
Ixgbe internals
Ixgbe internalsIxgbe internals
Ixgbe internals
 
Linux Linux Traffic Control
Linux Linux Traffic ControlLinux Linux Traffic Control
Linux Linux Traffic Control
 
Hands-on ethernet driver
Hands-on ethernet driverHands-on ethernet driver
Hands-on ethernet driver
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
 
openSUSE12.2 Review
openSUSE12.2 ReviewopenSUSE12.2 Review
openSUSE12.2 Review
 
oS KDE Repos & MM
oS KDE Repos & MMoS KDE Repos & MM
oS KDE Repos & MM
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Developer Data Modeling Mistakes: From Postgres to NoSQL

S4 sig-check-lpc-20130918

  • 1. Signature verification of hibernate snapshot
    September, 2013, LPC 2013, New Orleans
    Joey Lee
  • 2. Problem
    ● On a multi-boot machine, an attacker can use any hole in another UEFI-trusted OS to modify the hibernate snapshot image in the swap partition.
    ● Through uswsusp, userspace can take the snapshot of memory and modify it, upload it back to memory, then trigger the restore.
    © SUSE, All rights reserved.
  • 3. Idea
    ● Jiri Kosina: let the EFI bootloader generate a key pair, then pass it to the kernel for signing the hibernate image.
    ● Fundamental point: trust that the boot time variable is secure when UEFI Secure Boot is enabled.
    ● Attempt to protect snapshot image integrity.
  • 4. Steps (when hibernating)
    ● The shim bootloader generates a key pair and puts the keys into non-volatile boot time variables.
    ● The EFI stub kernel loads the private key before ExitBootServices().
    ● The hibernate subsystem copies the private key to an empty page to keep it for signing the snapshot when hibernate is launched.
    ● The kernel generates the signature of the snapshot image, then puts the signature into the snapshot header. The current reserved max size of the signature is 512 bytes.
  • 5. Steps (when restoring from hibernate)
    ● After hibernate has loaded the snapshot image from swap into temporary memory space, the kernel uses the public key from the runtime volatile variable to verify the signature stored in the snapshot header.
    ● Then, depending on sig_enforce:
      ● OFF: taint the kernel and produce a complaint log when the signature check fails.
      ● ON: fail the hibernate restore, then finish the boot process, when the signature check fails.
  • 6. How to enable sig_enforce?
    ● Use the snapshot_sig_enforce kernel parameter.
    ● Set the kernel config EFI_SECURE_BOOT_SNAPSHOT_SIG_ENFORCE, then enable UEFI Secure Boot.
  • 7. EFI variable name and GUID
    ● GUID: fe141863-c070-478e-b8a3-878a5dc9ef21
    ● S4SignKey [BT][NV] → private key
      ● PKCS#8 _uncompressed_ private key format
    ● S4WakeKey [RT][V] → public key
      ● X.509 format
  • 8. When should shim generate keys?
    ● When the system boots and shim didn't find a key pair.
    ● When shim finds the GenS4Key EFI variable written by the kernel:
      ● GenS4Key-fe141863-c070-478e-b8a3-878a5dc9ef21 [RT][NV]
      ● The kernel or userspace writes the GenS4Key variable to '1' when hibernate is launched.
      ● The kernel will delete GenS4Key at system boot.
  • 9. Implementation parts
    ● Key-pair generator in shim
      ● Author: Gary Lin
      ● https://github.com/lcp/shim/tree/s4-key-upstream
    ● Asymmetric keys in the kernel:
      ● Implemented a PKCS#8 and PKCS#1 RSA private key parser.
      ● Added a signature generation API and implemented the signature generation logic of PKCS#1 (RFC 3447 sec. 8.2.2).
    ● Hibernate in the kernel:
      ● CONFIG_SNAPSHOT_VERIFICATION=y
      ● Maintain and forward the private key.
      ● Avoid the private key being included in the snapshot image.
      ● Sign the snapshot image: generate the signature, then put it into the snapshot header.
  • 10. Performance of hash (machine 1)
    ● CPU: Intel(R) Core(TM) i5 CPU 650 @ 3.20GHz, x86_64, ssse3
    ● Normal:
      ● SHA1: 150.80 MB/s
      ● SHA256: 59.19 MB/s
      ● SHA512: 78.44 MB/s
    ● Built with ssse3 support (v3.10 or later):
      ● SHA1: 195.60 MB/s
      ● SHA256: 82.76 MB/s
      ● SHA512: 120.60 MB/s
  • 11. Performance of hash (machine 2)
    ● CPU: Intel(R) CPU @ 2.60GHz, x86_64, ssse3, avx, avx2
    ● Normal:
      ● SHA1: 436.42 MB/s
      ● SHA256: 163.23 MB/s
      ● SHA512: 228.67 MB/s
    ● Built with ssse3, avx, avx2 support (v3.10 or later):
      ● SHA1: 609.66 MB/s <=== fastest
      ● SHA256: 242.03 MB/s
      ● SHA512: 344.87 MB/s <=== more secure
  • 12. Performance of hash (summary)
    ● Speed between SHA1, SHA256, SHA512:
      ● SHA1 is 2.5 times SHA256
      ● SHA1 is 1.8 times SHA512
      ● SHA512 is 1.4 times SHA256
    ● Enabled ssse3:
      ● 29% improvement on SHA1
      ● 39% improvement on SHA256
      ● 53% improvement on SHA512
    ● Enabled ssse3, avx, avx2:
      ● 39% improvement on SHA1
      ● 48% improvement on SHA256
      ● 50% improvement on SHA512
  • 13. Performance of hash (summary)
    ● Machine 1:
      ● Best performance: SHA1: 195.60 MB/s on ssse3, avx, avx2
        – A snapshot image grown to 3GB then needs 15.7 seconds to hash.
      ● SHA512's best performance: 120.60 MB/s on ssse3, avx, avx2
        – A snapshot image grown to 3GB then needs 25.4 seconds to hash.
    ● Machine 2:
      ● Best performance: SHA1: 609.66 MB/s on ssse3, avx, avx2
        – A snapshot image grown to 3GB then needs 5 seconds to hash.
      ● SHA512's best performance: 344.87 MB/s on ssse3, avx, avx2
        – A snapshot image grown to 3GB then needs 8.9 seconds to hash.
  • 14. Patch status
    ● V4 RFC patches sent to kernel upstream and the openSUSE kernel for review:
      ● [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot
      ● https://lkml.org/lkml/2013/9/14/183
    ● The following kernel experts gave suggestions:
      ● Hibernate: Pavel Machek <pavel@ucw.cz>
      ● EFI: Matt Fleming <matt@console-pimps.org>
      ● Asymmetric keys: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
    ● Pavel's and Matt's suggestions were followed and already fixed in the V2 and V3 patches.
  • 15. TODO
    ● V5 patches:
      ● Implement Dmitry Kasatkin's suggestions for asymmetric keys.
      ● Should we remove the kernel config option for the user to select hash algorithms?
    ● Functions to add:
      ● Kernel passes a random number seed to shim by EFI variable.
      ● Encrypt the snapshot image before signing it?
  • 16. Corporate Headquarters
    Maxfeldstrasse 5, 90409 Nuremberg, Germany
    +49 911 740 53 0 (Worldwide)
    www.suse.com
    Join us on: www.opensuse.org
  • 17. Unpublished Work of SUSE. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of SUSE. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
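The sign-at-hibernate / verify-at-restore flow of slides 4, 5 and 9, as an added userspace model that is not code from the slides, from shim, or from the kernel patches. It implements RSASSA-PKCS1-v1_5 signing (RFC 3447 sec. 8.2.2) and verification over SHA-256 on a toy RSA key, stores the signature in a 512-byte header field like the one slide 4 reserves, and applies the two sig_enforce policies from slide 5 when the image is "restored". The key size, the header layout, the fixed random seed and the names SIG_FIELD_SIZE, build_image and restore are assumptions made for this demonstration; in the real design the key pair is generated by shim and reaches the kernel through the EFI variables of slide 7.

```python
# Added example (not code from the slides, shim or the kernel patches): a
# userspace model of slides 4, 5 and 9. Signs a snapshot payload with
# RSASSA-PKCS1-v1_5 (RFC 3447 sec. 8.2.2) over SHA-256, keeps the signature in a
# 512-byte header field as slide 4 reserves, and applies slide 5's sig_enforce
# policies at restore time. Key size, header layout and names are assumptions.
import hashlib
import random

# Fixed seed so the demo key is reproducible. This is a constructed test key;
# shim generates real key pairs from a proper random source, never a fixed seed.
_rng = random.Random(20130918)

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic; fine for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # loop ran out without hitting n-1: composite
    return True

def _modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm."""
    r0, r1, t0, t1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return t0 % m

def generate_keypair(bits=1024, e=65537):
    """Return ((n, e), (n, d)). The modulus size in bytes is the signature size."""
    half = bits // 2
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = _rng.getrandbits(half) | (1 << (half - 1)) | 1
        while not _is_probable_prime(q):
            q = _rng.getrandbits(half) | (1 << (half - 1)) | 1
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return (n, e), (n, _modinv(e, phi))

# DER-encoded DigestInfo prefix for SHA-256 (RFC 3447 sec. 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v1_5(message, em_len):
    """EMSA-PKCS1-v1_5: 0x00 0x01 <0xff padding> 0x00 <DigestInfo || H(message)>."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("key too small for this hash")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign(priv, message):
    """RSASSA-PKCS1-v1_5 signature generation (RFC 3447 sec. 8.2.2)."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v1_5(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")

def verify(pub, message, signature):
    """RSASSA-PKCS1-v1_5 signature verification (RFC 3447 sec. 8.2.1)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    # Compare the whole encoded message, not only the hash, so bad padding is rejected too.
    return pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v1_5(message, k)

SIG_FIELD_SIZE = 512  # slide 4: reserved max signature size (a 4096-bit RSA key fills it)

def build_image(payload, priv):
    """Slide 4: sign the snapshot image and put the signature into the header."""
    sig = sign(priv, payload)
    if len(sig) > SIG_FIELD_SIZE:
        raise ValueError("signature does not fit the reserved header field")
    header = len(sig).to_bytes(2, "big") + sig.ljust(SIG_FIELD_SIZE, b"\x00")
    return header + payload

def restore(image, pub, sig_enforce):
    """Slide 5: check the header signature; returns (restore_ok, tainted, log)."""
    sig_len = int.from_bytes(image[:2], "big")
    sig = image[2:2 + sig_len]
    payload = image[2 + SIG_FIELD_SIZE:]
    if verify(pub, payload, sig):
        return True, False, "snapshot signature verified"
    if sig_enforce:
        return False, False, "snapshot signature check failed: restore aborted, boot continues"
    return True, True, "snapshot signature check failed: kernel tainted"

if __name__ == "__main__":
    pub, priv = generate_keypair()
    snapshot = b"constructed snapshot page data\n" * 64  # stands in for the saved pages
    image = build_image(snapshot, priv)
    print(restore(image, pub, sig_enforce=True))
    modified = image[:-1] + bytes([image[-1] ^ 1])  # one payload byte changed on "swap"
    print(restore(modified, pub, sig_enforce=False))
```

With sig_enforce on, a modified image is never restored and boot continues normally; with it off the restore proceeds but the kernel is tainted, which is the visible signal a monitoring process should alert on. The 512-byte field corresponds exactly to a 4096-bit RSA signature, so the reserved size fixes the largest key the header can carry.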
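The throughput measurements and the "3GB at 195.60 MB/s needs 15.7 seconds" projection of slides 10 to 13, as an added example that is not code from the slides: it measures the local hashlib speed of SHA1, SHA256 and SHA512 and projects the hashing time for a snapshot of a given size, which is the number one needs when weighing slide 15's question of letting users pick the hash. The chunk size, round count and the 3 GB default are assumptions chosen for the demo, and userspace hashlib figures will differ from the kernel crypto API numbers on the slides; only the projection formula is the same.

```python
# Added example (not from the slides): hash throughput measurement and the
# hashing-time projection of slides 10-13. Chunk size, round count and the
# 3 GB default are assumptions; hashlib speed differs from the kernel crypto API.
import hashlib
import os
import time

MiB = 1024 * 1024

def measure_throughput(algorithms=("sha1", "sha256", "sha512"), chunk_mib=4, rounds=4):
    """Return {algorithm: MB/s} measured over rounds * chunk_mib MiB of constructed data."""
    data = os.urandom(chunk_mib * MiB)  # constructed input; content does not affect speed
    results = {}
    for name in algorithms:
        h = hashlib.new(name)
        start = time.perf_counter()
        for _ in range(rounds):
            h.update(data)
        h.digest()
        elapsed = time.perf_counter() - start
        results[name] = (rounds * chunk_mib) / elapsed
    return results

def seconds_to_hash(image_mib, mb_per_s):
    """Projected time to hash an image of image_mib MiB at mb_per_s MB/s (slide 13)."""
    return image_mib / mb_per_s

def report(image_mib=3 * 1024):
    """Pair each algorithm's measured throughput with its projected hash time."""
    rates = measure_throughput()
    return {name: (rate, seconds_to_hash(image_mib, rate)) for name, rate in rates.items()}

if __name__ == "__main__":
    for name, (rate, secs) in report().items():
        print(f"{name:>6}: {rate:8.2f} MB/s -> {secs:5.1f} s for a 3 GB snapshot")
```

Run it on the machine that will hibernate: the projected seconds are added to every suspend and every resume, so the choice between the fastest digest and the strongest one is a latency budget decision for that hardware.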
