* [PATCH V34 10/29] hibernate: Disable when the kernel is locked down [not found] <20190622000358.19895-1-matthewgarrett@google.com> @ 2019-06-22 0:03 ` Matthew Garrett 2019-06-22 17:52 ` Pavel Machek 2019-06-22 23:55 ` Kees Cook 0 siblings, 2 replies; 5+ messages in thread From: Matthew Garrett @ 2019-06-22 0:03 UTC (permalink / raw) To: jmorris Cc: linux-security-module, linux-kernel, linux-api, Josh Boyer, David Howells, Matthew Garrett, rjw, pavel, linux-pm From: Josh Boyer <jwboyer@fedoraproject.org> There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Cc: rjw@rjwysocki.net Cc: pavel@ucw.cz cc: linux-pm@vger.kernel.org --- include/linux/security.h | 1 + kernel/power/hibernate.c | 3 ++- security/lockdown/lockdown.c | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/linux/security.h b/include/linux/security.h index 00a31ab2e5ba..a051f21a1144 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -85,6 +85,7 @@ enum lockdown_reason { LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, LOCKDOWN_KEXEC, + LOCKDOWN_HIBERNATION, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX, }; diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index abef759de7c8..3a9cb2d3da4a 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -32,6 +32,7 @@ #include <linux/ctype.h> #include <linux/genhd.h> #include <linux/ktime.h> +#include <linux/security.h> #include <trace/events/power.h> #include "power.h" 
@@ -70,7 +71,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !security_locked_down(LOCKDOWN_HIBERNATION); } /** diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 08fcd8116db3..ce5b3da9bd09 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -21,6 +21,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_KEXEC] = "kexec of unsigned images", + [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", }; -- 2.22.0.410.gd8fdbe21b5-goog ^ permalink raw reply related [flat|nested] 5+ messages in thread
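Review bot: in the include/linux/security.h hunk, LOCKDOWN_HIBERNATION is inserted directly above LOCKDOWN_INTEGRITY_MAX, and that position appears to be the only thing that places it in the integrity class rather than the confidentiality class. Nothing in the enum says the ordering is significant. A one-line comment beside LOCKDOWN_INTEGRITY_MAX stating that every entry above it is an integrity-level restriction would keep a later addition from landing on the wrong side of the marker.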
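Review bot: in the kernel/power/hibernate.c hunk, hibernation_available() now returns false both when nohibernate is set and when security_locked_down(LOCKDOWN_HIBERNATION) is non-zero, and the bool gives a caller no way to tell the two apart. The commit message describes the lockdown term as temporary, "until we can work with signed hibernate images", but the code carries no trace of that condition. Please add a short comment above the return saying the check exists because the resume image cannot be verified, so a later reader knows when it can be relaxed.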
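Review bot: in the security/lockdown/lockdown.c hunk, the reason string "hibernation" is less specific than its neighbours "unsigned module loading" and "kexec of unsigned images", which name the unverified thing being refused. The commit message gives the actual reason as the lack of any way to verify the resume image. Consider wording the string along those lines so the entry in lockdown_reasons tells an administrator why hibernation was blocked, not only that it was.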
* Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down
From: Pavel Machek @ 2019-06-22 17:52 UTC
To: Matthew Garrett
Cc: jmorris, linux-security-module, linux-kernel, linux-api, Josh Boyer, David Howells, Matthew Garrett, rjw, linux-pm, jikos

On Fri 2019-06-21 17:03:39, Matthew Garrett wrote:
> From: Josh Boyer <jwboyer@fedoraproject.org>
>
> There is currently no way to verify the resume image when returning
> from hibernate. This might compromise the signed modules trust model,
> so until we can work with signed hibernate images we disable it when the
> kernel is locked down.

I keep getting these...

IIRC suse has patches to verify the images.

Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
* Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down
From: Jiri Kosina @ 2019-06-24 13:21 UTC
To: Pavel Machek
Cc: Matthew Garrett, jmorris, linux-security-module, linux-kernel, linux-api, Josh Boyer, David Howells, Matthew Garrett, rjw, Joey Lee, linux-pm

On Sat, 22 Jun 2019, Pavel Machek wrote:

> > There is currently no way to verify the resume image when returning
> > from hibernate. This might compromise the signed modules trust model,
> > so until we can work with signed hibernate images we disable it when the
> > kernel is locked down.
>
> I keep getting these...
>
> IIRC suse has patches to verify the images.

Yeah, Joey Lee is taking care of those. CCing.

--
Jiri Kosina
SUSE Labs
* Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down
From: joeyli @ 2019-07-11 4:11 UTC
To: Jiri Kosina
Cc: Pavel Machek, Matthew Garrett, jmorris, linux-security-module, linux-kernel, linux-api, Josh Boyer, David Howells, Matthew Garrett, rjw, linux-pm

Hi experts,

On Mon, Jun 24, 2019 at 03:21:23PM +0200, Jiri Kosina wrote:
> On Sat, 22 Jun 2019, Pavel Machek wrote:
>
> > > There is currently no way to verify the resume image when returning
> > > from hibernate. This might compromise the signed modules trust model,
> > > so until we can work with signed hibernate images we disable it when the
> > > kernel is locked down.
> >
> > I keep getting these...
> >
> > IIRC suse has patches to verify the images.
>
> Yeah, Joey Lee is taking care of those. CCing.
>

The last time that I sent for hibernation encryption and authentication
is here:
    https://lkml.org/lkml/2019/1/3/281

It needs some big changes after review:
 - Simplify the design: remove keyring dependency and trampoline.
 - Encrypted whole snapshot image instead of only data pages.
 - Using TPM:
     - Direct use TPM API in hibernation instead of keyring
     - Localities (suggested by James Bottomley)

I am still finding enough time to implement those changes, especially
the TPM parts.

Thanks
Joey Lee
* Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down 2019-06-22 0:03 ` [PATCH V34 10/29] hibernate: Disable when the kernel is locked down Matthew Garrett 2019-06-22 17:52 ` Pavel Machek @ 2019-06-22 23:55 ` Kees Cook 1 sibling, 0 replies; 5+ messages in thread From: Kees Cook @ 2019-06-22 23:55 UTC (permalink / raw) To: Matthew Garrett Cc: jmorris, linux-security-module, linux-kernel, linux-api, Josh Boyer, David Howells, Matthew Garrett, rjw, pavel, linux-pm On Fri, Jun 21, 2019 at 05:03:39PM -0700, Matthew Garrett wrote: > From: Josh Boyer <jwboyer@fedoraproject.org> > > There is currently no way to verify the resume image when returning > from hibernate. This might compromise the signed modules trust model, > so until we can work with signed hibernate images we disable it when the > kernel is locked down. > > Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > Signed-off-by: David Howells <dhowells@redhat.com> > Signed-off-by: Matthew Garrett <mjg59@google.com> > Cc: rjw@rjwysocki.net > Cc: pavel@ucw.cz > cc: linux-pm@vger.kernel.org > --- > include/linux/security.h | 1 + > kernel/power/hibernate.c | 3 ++- > security/lockdown/lockdown.c | 1 + > 3 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/include/linux/security.h b/include/linux/security.h > index 00a31ab2e5ba..a051f21a1144 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -85,6 +85,7 @@ enum lockdown_reason { > LOCKDOWN_MODULE_SIGNATURE, > LOCKDOWN_DEV_MEM, > LOCKDOWN_KEXEC, > + LOCKDOWN_HIBERNATION, > LOCKDOWN_INTEGRITY_MAX, > LOCKDOWN_CONFIDENTIALITY_MAX, > }; > diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c > index abef759de7c8..3a9cb2d3da4a 100644 > --- a/kernel/power/hibernate.c > +++ b/kernel/power/hibernate.c 
> @@ -32,6 +32,7 @@ > #include <linux/ctype.h> > #include <linux/genhd.h> > #include <linux/ktime.h> > +#include <linux/security.h> > #include <trace/events/power.h> > > #include "power.h" > @@ -70,7 +71,7 @@ static const struct platform_hibernation_ops *hibernation_ops; > > bool hibernation_available(void) > { > - return (nohibernate == 0); > + return nohibernate == 0 && !security_locked_down(LOCKDOWN_HIBERNATION); > } > > /** > diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c > index 08fcd8116db3..ce5b3da9bd09 100644 > --- a/security/lockdown/lockdown.c > +++ b/security/lockdown/lockdown.c > @@ -21,6 +21,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { > [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", > [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", > [LOCKDOWN_KEXEC] = "kexec of unsigned images", > + [LOCKDOWN_HIBERNATION] = "hibernation", > [LOCKDOWN_INTEGRITY_MAX] = "integrity", > [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", > }; > -- > 2.22.0.410.gd8fdbe21b5-goog > -- Kees Cook ^ permalink raw reply [flat|nested] 5+ messages in thread