Re: [PATCH 09/27] hibernate: Disable when the kernel is locked down

[PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Mimi Zohar <zohar@linux.ibm.com> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-01
Re: [PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-03-01
Re: [PULL REQUEST] Lock down patches · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-01
Re: [PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-03-01
Re: [PULL REQUEST] Lock down patches · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-01
[PATCH 01/27] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-02-28
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · Matthew Garrett <hidden> · 2019-02-28
[PATCH 01/27] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-02-28
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · Matthew Garrett <hidden> · 2019-02-28
[PATCH 01/27] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-02-28
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · Matthew Garrett <hidden> · 2019-02-28
[PATCH 01/27] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-02-28
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · Matthew Garrett <hidden> · 2019-02-28
[PATCH 03/27] Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 04/27] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 07/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-02-28
[PATCH 09/27] hibernate: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
Re: [PATCH 09/27] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2019-03-19
[PATCH 08/27] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
Re: [PATCH 08/27] kexec_file: Restrict at runtime if the kernel is locked down · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-01
[PATCH 11/27] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 12/27] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 13/27] x86/msr: Restrict MSR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 18/27] Prohibit PCMCIA CIS storage when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 19/27] Lock down TIOCSSERIAL · Matthew Garrett <hidden> · 2019-02-28
[PATCH 22/27] Lock down /proc/kcore · Matthew Garrett <hidden> · 2019-02-28
[PATCH 23/27] Lock down kprobes · Matthew Garrett <hidden> · 2019-02-28
[PATCH 25/27] Lock down perf · Matthew Garrett <hidden> · 2019-02-28
[PATCH 26/27] debugfs: Restrict debugfs when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 27/27] lockdown: Print current->comm in restriction messages · Matthew Garrett <hidden> · 2019-02-28
[PATCH 24/27] bpf: Restrict kernel image access functions when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 20/27] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-02-28
[PATCH 21/27] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-02-28
[PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 10/27] uswsusp: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 05/27] kexec_load: Disable at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · Matthew Garrett <hidden> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Randy Dunlap <hidden> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-03-04

From: Pavel Machek <hidden>
Date: 2019-03-19 22:15:08
Also in: lkml

On Thu 2019-02-28 15:11:45, Matthew Garrett wrote:

From: Josh Boyer <redacted>

There is currently no way to verify the resume image when returning
from hibernate.  This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it when the
kernel is locked down.

Signed-off-by: Josh Boyer <redacted>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
cc: linux-pm@vger.kernel.org

It would be good to cc hibernation maintainers here.

quoted hunk ↗ jump to hunk

---
 kernel/power/hibernate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index abef759de7c8..802795becb88 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c

@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
 
 bool hibernation_available(void)
 {
-	return (nohibernate == 0);
+	return nohibernate == 0 && !kernel_is_locked_down("Hibernation");
 }
 
 /**

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Attachments

signature.asc [application/pgp-signature] 181 bytes

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help