Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933564AbdDFGl0 (ORCPT ); Thu, 6 Apr 2017 02:41:26 -0400 Received: from mx2.suse.de ([195.135.220.15]:50354 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932132AbdDFGlS (ORCPT ); Thu, 6 Apr 2017 02:41:18 -0400 Message-ID: <1491460792.1645.1.camel@suse.com> Subject: Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down From: Oliver Neukum To: "Rafael J. Wysocki" , David Howells Cc: Linux Kernel Mailing List , Matthew Garrett , linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, Greg Kroah-Hartman , Linux PM , linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com Date: Thu, 06 Apr 2017 08:39:52 +0200 In-Reply-To: References: <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> <149142336965.5101.2946578135980499557.stgit@warthog.procyon.org.uk> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 724 Lines: 20 Am Donnerstag, den 06.04.2017, 01:38 +0200 schrieb Rafael J. Wysocki: > On Wed, Apr 5, 2017 at 10:16 PM, David Howells wrote: > > > > From: Matthew Garrett > > > > uswsusp allows a user process to dump and then restore kernel state, which > > makes it possible to modify the running kernel. Disable this if the kernel > > is locked down. > > > > Signed-off-by: Matthew Garrett > > Signed-off-by: David Howells > > cc: linux-pm@vger.kernel.org > > You probably want to disable hibernation altogether in this case. Your swap partition may be located on an NVDIMM or be encrypted. Isn't this a bit overly drastic? Regards Oliver