Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down
From: Andy Lutomirski
Date: Sun Apr 22 2018 - 10:35:16 EST
On Thu, Apr 19, 2018 at 7:38 AM, David Howells <dhowells@xxxxxxxxxx> wrote:
> Pavel Machek <pavel@xxxxxx> wrote:
>
>> > There is currently no way to verify the resume image when returning
>> > from hibernate. This might compromise the signed modules trust model,
>> > so until we can work with signed hibernate images we disable it when the
>> > kernel is locked down.
>>
>> I'd rather see hibernation fixed than disabled like this.
>
> The problem is that you have to store the hibernated kernel image encrypted,
> but you can't store the decryption key on disk unencrypted or you've just
> wasted the effort.
>
> So the firmware has to unlock the image, asking the user for a password to
> unlock the key.
Why firmware?
Either the boot kernel could figure out how to ask for a password (or
unseal using the TPM) or we could defer this to userspace. The latter
should already work using kexec-jump, no?