Re: [PATCH 0/10] Add additional security checks when module loadingis restricted
From: Matthew Garrett
Date: Wed Aug 28 2013 - 18:42:03 EST
On Wed, 2013-08-28 at 18:37 -0400, Lenny Szubowicz wrote:
> Did you purposely exclude similar checks for hibernate that were covered
> by earlier versions of your patch set?
Yes, I think it's worth tying it in with the encrypted hibernation
support. The local attack is significantly harder in the hibernation
case - in the face of unknown hardware it basically involves a
pre-generated memory image corresponding to your system or the ability
to force a reboot into an untrusted environment. I think it's probably
more workable to just add a configuration option for forcing encrypted
hibernation when secure boot is in use.
--
Matthew Garrett <matthew.garrett@xxxxxxxxxx>
N§²æìr¸yúèØb²X¬¶ÇvØ^)Þ{.nÇ+·¥{±êçzX§¶¡Ü}©²ÆzÚ&j:+v¨¾«êçzZ+Ê+zf£¢·h§~Ûiÿûàz¹®w¥¢¸?¨èÚ&¢)ßfù^jÇy§m
á@A«a¶Úÿ0¶ìh®åi