Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756000AbbGPO17 (ORCPT ); Thu, 16 Jul 2015 10:27:59 -0400 Received: from mail-pd0-f170.google.com ([209.85.192.170]:32791 "EHLO mail-pd0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755934AbbGPO11 (ORCPT ); Thu, 16 Jul 2015 10:27:27 -0400 From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: linux-kernel@vger.kernel.org Cc: linux-efi@vger.kernel.org, linux-pm@vger.kernel.org, "Rafael J. Wysocki" , Matthew Garrett , Len Brown , Pavel Machek , Josh Boyer , Vojtech Pavlik , Matt Fleming , Jiri Kosina , "H. Peter Anvin" , "Lee, Chun-Yi" Subject: [RFC PATCH 15/16] PM / hibernate: Bypass verification logic on legacy BIOS Date: Thu, 16 Jul 2015 22:25:29 +0800 Message-Id: <1437056730-15247-16-git-send-email-jlee@suse.com> X-Mailer: git-send-email 1.8.4.5 In-Reply-To: <1437056730-15247-1-git-send-email-jlee@suse.com> References: <1437056730-15247-1-git-send-email-jlee@suse.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3270 Lines: 98 Current hibernate signature verification solution relies on EFI stub and efi boot service variable on x86 architecture. So the verification logic was bypassed on legacy BIOS through checking EFI_BOOT flag. Signed-off-by: Lee, Chun-Yi --- drivers/firmware/efi/efi-hibernate_keys.c | 3 +++ kernel/power/Kconfig | 3 ++- kernel/power/snapshot.c | 8 ++++++-- kernel/power/user.c | 6 +++++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/efi/efi-hibernate_keys.c b/drivers/firmware/efi/efi-hibernate_keys.c index 90ae912..f33bf70 100644 --- a/drivers/firmware/efi/efi-hibernate_keys.c +++ b/drivers/firmware/efi/efi-hibernate_keys.c @@ -21,6 +21,9 @@ void create_swsusp_key_regen_flag(void) struct efivar_entry *entry = NULL; int err = 0; + if (!efi_enabled(EFI_RUNTIME_SERVICES)) + return; + if (!set_swsusp_key_regen_flag) return; diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig index 7a64bda..5b04ab9 100644 --- a/kernel/power/Kconfig +++ b/kernel/power/Kconfig @@ -78,7 +78,8 @@ config HIBERNATE_VERIFICATION This option provides support for generating and verifying the signature of memory snapshot image by HMAC-SHA1. Current mechanism relies on UEFI secure boot environment, EFI stub generates HMAC - key for hibernate verification. + key for hibernate verification. So, the verification logic will be + bypassed on legacy BIOS. config HIBERNATE_VERIFICATION_FORCE bool "Require hibernate snapshot image to be validly signed" diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c index 3eda715..0d64c3a 100644 --- a/kernel/power/snapshot.c +++ b/kernel/power/snapshot.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include @@ -1469,8 +1470,11 @@ error_digest: forward_ret: if (ret) pr_warn("PM: Signature verifying failed: %d\n", ret); - /* forward check result when verifying pass or not enforce verifying */ - if (!ret || !sigenforce) { + if (ret == -ENODEV && !efi_enabled(EFI_BOOT)) { + pr_warn("PM: Bypass verification on non-EFI machine\n"); + ret = 0; + } else if (!ret || !sigenforce) { + /* forward check result when verifying pass or not enforce verifying */ snapshot_fill_sig_forward_info(ret); ret = 0; } diff --git a/kernel/power/user.c b/kernel/power/user.c index 8bcb051..d7407ef 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -24,6 +24,7 @@ #include #include #include +#include #include @@ -390,7 +391,10 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd, break; case SNAPSHOT_REGENERATE_KEY: - set_swsusp_key_regen_flag = !!arg; + if (!efi_enabled(EFI_BOOT)) + error = -ENODEV; + else + set_swsusp_key_regen_flag = !!arg; break; default: -- 1.8.4.5 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/