From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933928AbdDEUQZ (ORCPT ); Wed, 5 Apr 2017 16:16:25 -0400 Received: from mx1.redhat.com ([209.132.183.28]:60630 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933681AbdDEUQK (ORCPT ); Wed, 5 Apr 2017 16:16:10 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 743908123F Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=dhowells@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 743908123F Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 10/24] hibernate: Disable when the kernel is locked down From: David Howells To: linux-kernel@vger.kernel.org Cc: gnomes@lxorguk.ukuu.org.uk, Josh Boyer , linux-pm@vger.kernel.org, linux-efi@vger.kernel.org, gregkh@linuxfoundation.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, matthew.garrett@nebula.com Date: Wed, 05 Apr 2017 21:16:02 +0100 Message-ID: <149142336212.5101.1549130885522444701.stgit@warthog.procyon.org.uk> In-Reply-To: <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> References: <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Wed, 05 Apr 2017 20:16:04 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Josh Boyer There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it when the kernel is locked down. Signed-off-by: Josh Boyer Signed-off-by: David Howells cc: linux-pm@vger.kernel.org --- kernel/power/hibernate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c index a8b978c35a6a..50cca5dcb62f 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { - return (nohibernate == 0); + return nohibernate == 0 && !kernel_is_locked_down(); } /**