Date: Tue, 26 Mar 2019 11:27:24 -0700
In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com>
Message-Id: <20190326182742.16950-9-matthewgarrett@google.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
Subject: [PATCH V31 08/25] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Josh Boyer, Matthew Garrett, rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

From: Josh Boyer

There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it when the
kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org
--- kernel/power/hibernate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..928b198cfa26 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c 
@@ -70,7 +70,8 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation", + LOCKDOWN_INTEGRITY); } /** -- 2.21.0.392.gf8f6787159e-goog
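
Review bot: The new return expression in hibernation_available() has no comment saying why lockdown turns hibernation off; the reason (the resume image cannot be verified, which might compromise the signed modules trust model) is recorded only in the commit message. A short comment above the return would keep that rationale next to the check and mark it as something to revisit once signed hibernate images are supported. Separately, hibernation_available() is a bool predicate, and it now calls kernel_is_locked_down() with a "Hibernation" label on every query where nohibernate is 0; it is worth confirming that whatever that call does with the label is acceptable for callers that only ask whether hibernation is available. Testing nohibernate == 0 first is the right order, since it skips the lockdown call when hibernation is already disabled.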