Date: Wed, 6 Mar 2019 15:58:55 -0800
In-Reply-To: <20190306235913.6631-1-matthewgarrett@google.com>
Message-Id: <20190306235913.6631-10-matthewgarrett@google.com>
References: <20190306235913.6631-1-matthewgarrett@google.com>
Subject: [PATCH 09/27] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com
X-Mailing-List: linux-kernel@vger.kernel.org

From: Josh Boyer

There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it when the
kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Reviewed-by: "Lee, Chun-Yi"
cc: linux-pm@vger.kernel.org
Signed-off-by: Matthew Garrett
---
 kernel/power/hibernate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..802795becb88 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); } /** -- 2.21.0.352.gf09ad66450-goog
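
Review bot: the changed return in hibernation_available() carries no comment saying why lockdown turns hibernation off. The reason (the resume image cannot be verified, which might compromise the signed modules trust model) and the intent that this lasts only until signed hibernate images are supported appear in the commit message alone. A short comment above `return nohibernate == 0 && !kernel_is_locked_down("Hibernation");` would keep that intent visible to whoever later adds image verification. Separately, since this function is a predicate rather than an action, it is worth confirming that calling kernel_is_locked_down() with the "Hibernation" label on every availability query has no unwanted side effect such as repeated log output; the visible lines do not show what the helper does with that string.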