Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down

From: Andy Lutomirski
Date: Sun Apr 22 2018 - 10:35:16 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.4 92/97] autofs: mount point create should honour passed in mode"
Previous message: Greg Kroah-Hartman: "[PATCH 4.4 94/97] mm/filemap.c: fix NULL pointer in page_cache_tree_insert()"
In reply to: David Howells: "Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 19, 2018 at 7:38 AM, David Howells <dhowells@xxxxxxxxxx> wrote:
> Pavel Machek <pavel@xxxxxx> wrote:
>
>> > There is currently no way to verify the resume image when returning
>> > from hibernate. This might compromise the signed modules trust model,
>> > so until we can work with signed hibernate images we disable it when the
>> > kernel is locked down.
>>
>> I'd rather see hibernation fixed than disabled like this.
>
> The problem is that you have to store the hibernated kernel image encrypted,
> but you can't store the decryption key on disk unencrypted or you've just
> wasted the effort.
>
> So the firmware has to unlock the image, asking the user for a password to
> unlock the key.

Why firmware?

Either the boot kernel could figure out how to ask for a password (or
unseal using the TPM) or we could defer this to userspace. The latter
should already work using kexec-jump, no?

Next message: Greg Kroah-Hartman: "[PATCH 4.4 92/97] autofs: mount point create should honour passed in mode"
Previous message: Greg Kroah-Hartman: "[PATCH 4.4 94/97] mm/filemap.c: fix NULL pointer in page_cache_tree_insert()"
In reply to: David Howells: "Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]