Date: Wed, 3 Apr 2019 17:32:30 -0700
In-Reply-To: <20190404003249.14356-1-matthewgarrett@google.com>
Message-Id: <20190404003249.14356-9-matthewgarrett@google.com>
Subject: [PATCH V32 08/27] hibernate: Disable when the kernel is locked down
From: Matthew Garrett
To: jmorris@namei.org
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Josh Boyer, Matthew Garrett, rjw@rjwysocki.net, pavel@ucw.cz, linux-pm@vger.kernel.org

From: Josh Boyer

There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it when the
kernel is locked down.

Signed-off-by: Josh Boyer
Signed-off-by: David Howells
Signed-off-by: Matthew Garrett
Cc: rjw@rjwysocki.net
Cc: pavel@ucw.cz
cc: linux-pm@vger.kernel.org
--- kernel/power/hibernate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..928b198cfa26 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c
@@ -70,7 +70,8 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down("Hibernation", + LOCKDOWN_INTEGRITY); } /** -- 2.21.0.392.gf8f6787159e-goog
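
Review bot: The new lockdown condition in hibernation_available() has no comment, so someone reading kernel/power/hibernate.c sees hibernation refused while nohibernate == 0 and has to find this commit message to learn why. A short comment above the return would help, saying that the resume image cannot be verified, so hibernation is refused under LOCKDOWN_INTEGRITY until signed hibernate images are supported; it also marks the check as one to revisit when that support lands. On style, the return breaks in the middle of the kernel_is_locked_down() argument list; breaking after the && and keeping the whole call `!kernel_is_locked_down("Hibernation", LOCKDOWN_INTEGRITY)` on its own continuation line would read more cleanly. Placing the check in the availability predicate rather than at a single entry point looks right, since every path that asks hibernation_available() then gets the same answer.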