Date: Mon, 25 Mar 2019 15:09:35 -0700
In-Reply-To: <20190325220954.29054-1-matthewgarrett@google.com>
Message-Id: <20190325220954.29054-9-matthewgarrett@google.com>
Subject: [PATCH 08/27] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, Josh Boyer, rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org, Matthew Garrett

From: Josh Boyer

There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org
Signed-off-by: Matthew Garrett
--- kernel/power/hibernate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..802795becb88 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation"); } /** -- 2.21.0.392.gf8f6787159e-goog
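Review bot: In hibernation_available(), the lockdown check only protects paths that consult this predicate, and neither the hunk nor the commit message says which hibernate and resume entry points do. Please state in the commit message that every path able to write or load a hibernation image is gated on hibernation_available(), so the restriction cannot be sidestepped by a caller that skips it. The reason for the check ("no way to verify the resume image") lives only in the commit message; a one-line comment above the return would keep it next to the code. The diffstat shows a single inserted line and no new #include, so it is also worth confirming that the declaration of kernel_is_locked_down() is already visible in kernel/power/hibernate.c through an existing header.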