| Message ID | 149142336965.5101.2946578135980499557.stgit@warthog.procyon.org.uk (mailing list archive) |
|---|---|
| State | Not Applicable, archived |
| Headers | show |
On Wed, Apr 5, 2017 at 10:16 PM, David Howells <dhowells@redhat.com> wrote: > From: Matthew Garrett <mjg59@srcf.ucam.org> > > uswsusp allows a user process to dump and then restore kernel state, which > makes it possible to modify the running kernel. Disable this if the kernel > is locked down. > > Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> > Signed-off-by: David Howells <dhowells@redhat.com> > cc: linux-pm@vger.kernel.org You probably want to disable hibernation altogether in this case. Thanks, Rafael
Am Donnerstag, den 06.04.2017, 01:38 +0200 schrieb Rafael J. Wysocki: > On Wed, Apr 5, 2017 at 10:16 PM, David Howells <dhowells@redhat.com> wrote: > > > > From: Matthew Garrett <mjg59@srcf.ucam.org> > > > > uswsusp allows a user process to dump and then restore kernel state, which > > makes it possible to modify the running kernel. Disable this if the kernel > > is locked down. > > > > Signed-off-by: Matthew Garrett <mjg59@srcf.ucam.org> > > Signed-off-by: David Howells <dhowells@redhat.com> > > cc: linux-pm@vger.kernel.org > > You probably want to disable hibernation altogether in this case. Your swap partition may be located on an NVDIMM or be encrypted. Isn't this a bit overly drastic? Regards Oliver
Rafael J. Wysocki <rafael@kernel.org> wrote:
> You probably want to disable hibernation altogether in this case.
See patch 10. Does that mean patch 11 is superfluous?
David
Oliver Neukum <oneukum@suse.com> wrote: > Your swap partition may be located on an NVDIMM or be encrypted. An NVDIMM should be considered the same as any other persistent storage. It may be encrypted, but where's the key stored, how easy is it to retrieve and does the swapout code know this? > Isn't this a bit overly drastic? Perhaps, but if it's on disk and it's not encrypted, then maybe not. David
On Thu, Apr 6, 2017 at 8:55 AM, David Howells <dhowells@redhat.com> wrote: > Rafael J. Wysocki <rafael@kernel.org> wrote: > >> You probably want to disable hibernation altogether in this case. > > See patch 10. Does that mean patch 11 is superfluous? Yes, it does. You can't open /dev/snapshot if hibernation_available() returns false. Thanks, Rafael
On Thu, Apr 6, 2017 at 10:41 AM, David Howells <dhowells@redhat.com> wrote: > Oliver Neukum <oneukum@suse.com> wrote: > >> Your swap partition may be located on an NVDIMM or be encrypted. > > An NVDIMM should be considered the same as any other persistent storage. > > It may be encrypted, but where's the key stored, how easy is it to retrieve > and does the swapout code know this? > >> Isn't this a bit overly drastic? > > Perhaps, but if it's on disk and it's not encrypted, then maybe not. Right. Swap encryption is not mandatory and I'm not sure how the hibernate code can verify whether or not it is in use. Thanks, Rafael
On Thu, Apr 6, 2017 at 10:09 PM, Rafael J. Wysocki <rafael@kernel.org> wrote: > On Thu, Apr 6, 2017 at 10:41 AM, David Howells <dhowells@redhat.com> wrote: >> Oliver Neukum <oneukum@suse.com> wrote: >> >>> Your swap partition may be located on an NVDIMM or be encrypted. >> >> An NVDIMM should be considered the same as any other persistent storage. >> >> It may be encrypted, but where's the key stored, how easy is it to retrieve >> and does the swapout code know this? >> >>> Isn't this a bit overly drastic? >> >> Perhaps, but if it's on disk and it's not encrypted, then maybe not. > > Right. > > Swap encryption is not mandatory and I'm not sure how the hibernate > code can verify whether or not it is in use. BTW, SUSE has patches adding secure boot support to the hibernate code and Jiri promised me to post them last year even. :-) Thanks, Rafael
On Thu, 6 Apr 2017, Rafael J. Wysocki wrote: > >>> Your swap partition may be located on an NVDIMM or be encrypted. > >> > >> An NVDIMM should be considered the same as any other persistent storage. > >> > >> It may be encrypted, but where's the key stored, how easy is it to retrieve > >> and does the swapout code know this? > >> > >>> Isn't this a bit overly drastic? > >> > >> Perhaps, but if it's on disk and it's not encrypted, then maybe not. > > > > Right. > > > > Swap encryption is not mandatory and I'm not sure how the hibernate > > code can verify whether or not it is in use. > > BTW, SUSE has patches adding secure boot support to the hibernate code > and Jiri promised me to post them last year even. :-) Oh, thanks for a friendly ping :) Adding Joey Lee to CC.
On 06.04.2017 22:25, Jiri Kosina wrote: > On Thu, 6 Apr 2017, Rafael J. Wysocki wrote: > >>>>> Your swap partition may be located on an NVDIMM or be encrypted. >>>> >>>> An NVDIMM should be considered the same as any other persistent storage. >>>> >>>> It may be encrypted, but where's the key stored, how easy is it to retrieve >>>> and does the swapout code know this? >>>> >>>>> Isn't this a bit overly drastic? >>>> >>>> Perhaps, but if it's on disk and it's not encrypted, then maybe not. >>> >>> Right. >>> >>> Swap encryption is not mandatory and I'm not sure how the hibernate >>> code can verify whether or not it is in use. >> >> BTW, SUSE has patches adding secure boot support to the hibernate code >> and Jiri promised me to post them last year even. :-) > > Oh, thanks for a friendly ping :) Adding Joey Lee to CC. > Rafael J., are you talking about HIBERNATE_VERIFICATION ? Ref. https://github.com/joeyli/linux-s4sign/commits/s4sign-hmac-v2-v4.2-rc8 https://lkml.org/lkml/2015/8/11/47 https://bugzilla.redhat.com/show_bug.cgi?id=1330335
On Sat, Apr 08, 2017 at 05:28:15AM +0200, poma wrote: > On 06.04.2017 22:25, Jiri Kosina wrote: > > On Thu, 6 Apr 2017, Rafael J. Wysocki wrote: > > > >>>>> Your swap partition may be located on an NVDIMM or be encrypted. > >>>> > >>>> An NVDIMM should be considered the same as any other persistent storage. > >>>> > >>>> It may be encrypted, but where's the key stored, how easy is it to retrieve > >>>> and does the swapout code know this? > >>>> > >>>>> Isn't this a bit overly drastic? > >>>> > >>>> Perhaps, but if it's on disk and it's not encrypted, then maybe not. > >>> > >>> Right. > >>> > >>> Swap encryption is not mandatory and I'm not sure how the hibernate > >>> code can verify whether or not it is in use. > >> > >> BTW, SUSE has patches adding secure boot support to the hibernate code > >> and Jiri promised me to post them last year even. :-) > > > > Oh, thanks for a friendly ping :) Adding Joey Lee to CC. > > > > Rafael J., are you talking about HIBERNATE_VERIFICATION ? > > Ref. > https://github.com/joeyli/linux-s4sign/commits/s4sign-hmac-v2-v4.2-rc8 > https://lkml.org/lkml/2015/8/11/47 > https://bugzilla.redhat.com/show_bug.cgi?id=1330335 > I am working on switch to HMAC-SHA512. On the other hand, some mechanisms keep signing/encryption key in memory. e.g. dm-crypt or hibernation verification. Kees Cook suggested that we should add kernel memory reads as a thread model of securelevel to prevent leaking those keys by /dev/kmem, bpf, kdump or hibernation... We still need time to implement it. Thanks a lot! Joey Lee
diff --git a/kernel/power/user.c b/kernel/power/user.c index 22df9f7ff672..e4b926d329b7 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) if (!hibernation_available()) return -EPERM; + if (kernel_is_locked_down()) + return -EPERM; + lock_system_sleep(); if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {