Date: Thu, 7 Mar 2019 14:55:28 +0000
From: Alan Cox
To: Matthew Garrett
Cc: jmorris@namei.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com
Subject: Re: [PATCH 09/27] hibernate: Disable when the kernel is locked down
Message-ID: <20190307145528.24c1b4d3@alans-desktop>
In-Reply-To: <20190306235913.6631-10-matthewgarrett@google.com>
Organization: Intel Corporation

On Wed, 6 Mar 2019 15:58:55 -0800
Matthew Garrett wrote:

> From: Josh Boyer
>
> There is currently no way to verify the resume image when returning
> from hibernate. This might compromise the signed modules trust model,
> so until we can work with signed hibernate images we disable it when the
> kernel is locked down.

That one is a bit worrying since whilst the other stuff may be useful
in some business environments, mandatory hibernate not suspend to RAM is a
common corporate IT policy because of concerns about theft and recovery of
memory contents.

Alan