Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933536AbdDERPm (ORCPT ); Wed, 5 Apr 2017 13:15:42 -0400 Received: from mx1.redhat.com ([209.132.183.28]:56012 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933660AbdDERLd (ORCPT ); Wed, 5 Apr 2017 13:11:33 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com CBDC480F95 Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=dhowells@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com CBDC480F95 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 10/24] hibernate: Disable when the kernel is locked down From: David Howells To: linux-kernel@vger.kernel.org Cc: gnomes@lxorguk.ukuu.org.uk, Josh Boyer , matthew.garrett@nebula.com, linux-efi@vger.kernel.org, gregkh@linuxfoundation.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org Date: Wed, 05 Apr 2017 18:11:29 +0100 Message-ID: <149141228937.31282.6914904303665606049.stgit@warthog.procyon.org.uk> In-Reply-To: <149141219387.31282.6648284836568938717.stgit@warthog.procyon.org.uk> References: <149141219387.31282.6648284836568938717.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Wed, 05 Apr 2017 17:11:33 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 857 Lines: 27 From: Josh Boyer There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells --- kernel/power/hibernate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index a8b978c35a6a..50cca5dcb62f 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down(); } /**