On Thu 2018-04-19 15:38:53, David Howells wrote: > Pavel Machek wrote: > > > > There is currently no way to verify the resume image when returning > > > from hibernate. This might compromise the signed modules trust model, > > > so until we can work with signed hibernate images we disable it when the > > > kernel is locked down. > > > > I'd rather see hibernation fixed than disabled like this. > > The problem is that you have to store the hibernated kernel image encrypted, > but you can't store the decryption key on disk unencrypted or you've just > wasted the effort. That's not how the crypto needs to work. Talk to Jiri Kosina, ok? Firmware gives you a key, you keep it secret, use it to sign the hibernation image on suspend, and verify the signature on resume. Or something like that. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html